Section 5: Quiz 63 - Security Monitoring Tools and Techniques


To prevent the installation of a rootkit on a web server hosting an application, which of the following should be installed? A. packet filtering B. a network-based IDS C. the latest operating system patch D. A host-based IPS.

Answer: D. A host-based IPS. Explanation: The most effective method is to install a host-based IPS. A host-based IPS will prevent activities on the host computer or server, such as the deletion of files and the modification of programs. A network-based IDS will be able to detect irregular traffic, but if signatures are not updated or traffic is encrypted, attacks may bypass the IDS. Regular operating system patch updates will address known vulnerabilities. However, a host-based IPS is more effective at preventing unauthorized installation; the other options are unable to prevent rootkit installation.

A major concern for an auditor verifying an IDS is: A. the number of false alarms B. not being able to identify the intrusion activity C. the use of automated tools for log capturing and monitoring D. the fact that an IDS is placed between an internal network and a firewall

Answer: B. Not being able to identify the intrusion activity. Explanation: If an IDS is not able to identify and detect intrusion activity, this will be the area of most concern, as it defeats the core purpose of installing the IDS. Attacks will remain unnoticed if they are not identified by the IDS, so no corrective or preventive action can be taken in relation to them. The number of false alarms is not as significant as the IDS being unable to detect an intrusion attack. Options C and D are not areas of concern.

Which of the following helps to capture information for proactively strengthening security controls? A. A honeypot B. A proxy server C. An IDS D. An IPS

Answer: A. A honeypot. Explanation: A honeypot is a decoy system set up to attract hackers and intruders. The purpose of setting up a honeypot is to capture details of the intruders' activity in order to proactively strengthen the security controls.

An IDS that observes the general pattern of activities and updates its database is a: A. A neural network-based IDS. B. statistical-based IDS C. signature-based IDS D. role-based IDS

Answer: A. A neural network-based IDS. Explanation: Neural networks work on the same principle as statistical-based IDSes. However, they possess the advanced functionality of self-learning. Neural networks keep updating the database by monitoring the general pattern of activities.

Which of the following systems can block a hacking attempt? A. An IPS. B. A router C. A switch D. An IDS

Answer: A. An IPS. Explanation: IPSes have the ability to not only detect intrusion attempts, but also to prevent the impact of intrusion attacks. IDSes only monitor, record, and provide alarms relating to intrusion activity, whereas IPSes also prevent intrusion activities. Routers and switches are devices used for network routing.

An organization whose aim is to protect the public-facing website on its server should install the network IDS: A. in a demilitarized zone B. on the same web server where the website is hosted C. between a firewall and an external network D. in the organization's internal network

Answer: A. In a demilitarized zone. Explanation: Public-facing websites are placed in a demilitarized zone to safeguard the internal network from external attacks. The IDS should be placed in the same demilitarized zone, where it monitors the network traffic to detect any intrusion. A network-based IDS would not be installed on the web server itself, unlike a host-based IDS. Placing the IDS outside the firewall would not be helpful in protecting the website specifically. Placing an IDS in the internal network is a good way of ensuring that the website is not prone to internal attacks, but it does not protect the public-facing website from external ones.

Which of the following is the most important concern with respect to IDS? A. Many false alarms generated by statistical-based IDS B. A firewall is installed between the IDS and the external network C. The IDS is used to detect encrypted traffic D. Zero-day threats are not identified by signature-based IDSes

Answer: A. Many false alarms generated by statistical-based IDSes. Explanation: A high number of false alarms indicates that the IDS configuration needs further tuning. The major impact of a poorly configured IDS is on business processes or systems that have to be shut down because of false alarms, which could adversely affect business profitability. An IDS cannot read encrypted traffic; however, this can be compensated for by a next-generation firewall. The other options are not as important as the blocking of critical services and systems.

Which of the following is the first action to be performed when preparing a system attack? A. Capture information B. Erase evidence C. Initiate access D. Launch a DoS attack

Answer: A. To capture information. Explanation: The first step an intruder takes is to capture and gather relevant information about the target environment. On the basis of this information, they attempt various techniques to gain access, and once the objective is accomplished, they try to erase the evidence.

A characteristic of an IDS is: A. to collect evidence relating to intrusion activity B. to route traffic as per defined rules C. to block restricted websites D. to act as access control software

Answer: A. To collect evidence relating to intrusion activity. Explanation: An IDS helps to monitor a network (network-based IDS) or a single system (host-based IDS) with the aim of recognizing and detecting an intrusion activity. The function of an IDS is to analyze the data and determine the intrusion activity. An IDS does not provide features in the same way as the other options.

The IDS with the highest number of false alarms is: A. the neural network-based IDS B. A statistical-based IDS. C. the signature-based IDS D. the host-based IDS

Answer: B. A statistical-based IDS. Explanation: A statistical-based IDS attempts to identify abnormal behavior by applying statistical analysis. Any abnormal activity is flagged as an intrusion. For example, if normal logon hours are between 7 a.m. and 5 p.m. and a logon is performed at 11 p.m., it will be raised as an intrusion. Statistical IDSes generate the most false positives compared with other types of IDS.

The best place to incorporate an intrusion detection system to detect an intrusion that bypasses the firewall is: A. between a firewall and an external network B. Between a firewall and an internal network. C. between an external network and an internal network D. alongside a firewall

Answer: B. Between a firewall and an internal network. Explanation: If an IDS is installed between a firewall and an internal network, it will detect only those attempts that bypassed the firewall rules. If an IDS is installed between a firewall and an external network, it will identify all intrusion attempts, irrespective of whether the packets bypass the firewall.

A major concern for a poorly configured IPS is the fact that: A. an administrator has to verify high instances of alarms B. critical services or systems are blocked due to false alarms C. the network slows down D. the IPS is expensive

Answer: B. Critical services or systems are blocked due to false alarms. Explanation: The major impact of a poorly configured IPS is on business processes or systems that have to be shut down because of false alarms, which could adversely affect business profitability. The other options are not as important as the blocking of critical services and systems.

Which of the following parts of an IDS collects the data? A. Console B. Sensor C. Analyzer D. Interface

Answer: B. Sensor. Explanation: The function of a sensor is to collect data, which can be in the form of network packets, log files, and so on. The function of an analyzer is to analyze the data and determine the intrusion activity. An administration console helps the administrator to control and monitor IDS rules and functions. A user interface allows the user to view the results and carry out the requisite tasks.

The most important factor impacting the effectiveness of the neural network is: A. A neural network detects all known types of intrusion B. A neural network flags all activities that are not normal C. A neural network monitors the general pattern of activities and creates a database and attacks problems that require consideration of a large number of input variables. D. A neural network solves the problem where a large database is not required

Answer: C. A neural network monitors the general pattern of activities and creates a database and attacks problems that require consideration of a large number of input variables. Explanation: Neural networks work on the same principle as statistical-based IDSes. However, they possess the advanced functionality of self-learning. Neural networks keep updating the database by monitoring the general pattern of activities. Neural networks are most effective in addressing problems that require consideration of a large number of input variables.

The most frequently encountered problem with respect to an IDS is: A. a false rejection rate B. a false acceptance rate C. False positives D. DDoS attacks

Answer: C. False positives. Explanation: The identification of false positives is one of the routine and frequent issues in the implementation of an IDS. An IDS operates on the basis of policy definitions, and weak policy definitions weaken the function of the IDS. False acceptance and rejection rates are associated with biometric implementations. DDoS is a type of attack and is not an operational issue of an IDS.

Which of the following is the most important control in terms of detecting the intrusion? A. access control procedures B. automatic logoff of inactive computers C. The monitoring of unsuccessful login attempts. D. account lockout following a specified number of unsuccessful login attempts

Answer: C. The monitoring of unsuccessful login attempts. Explanation: The most important control in identifying and detecting the intrusion is to actively monitor the unsuccessful login attempts. The other options will not directly assist in detecting the intrusion.

After a firewall, which of the following is regarded as the next line of defense for network security? A. Anti-malware software B. A router C. A switch D. An IDS

Answer: D. An IDS. Explanation: A network-based IDS is regarded as the next line of defense after a firewall. IDSes monitor, record, and provide alarms relating to intrusion activity that bypasses the firewall. IDSes have a greater capability to identify abnormal traffic as compared with anti-malware software. Routers and switches are devices used for network routing.

The risk of intrusion attacks and network penetration can be detected on the basis of unusual system behavior by: A. a hub B. packet filters C. a switch D. an IDS

Answer: D. An IDS. Explanation: An IDS attempts to identify abnormal behavior by applying statistical analysis. Any abnormal activity is flagged as an intrusion. Hubs and switches are networking devices used for routing traffic. A packet filter is a type of firewall that blocks restricted traffic.

The most important concern for an IS auditor reviewing the installation of an intrusion detection system is: A. Frequent instances of false positive alarms B. Low coverage of network traffic C. Slow network performance D. Default settings not changed

Answer: B. Low coverage of network traffic. Explanation: If the IDS is not configured to cover all network traffic, it may not be able to identify an intrusion in a timely manner. This defeats the purpose of installing the IDS.
