Unformatted Document Excerpt
Course Hero has millions of student submitted documents similar to the one
below including study guides, practice problems, reference materials, practice exams, textbook help and tutor support.
Course Hero has millions of student submitted documents similar to the one below including study guides, practice problems, reference materials, practice exams, textbook help and tutor support.
True/False whether the statement is true or false. ____ ____ ____ 1. IDPS responses can be classified as active or passive. 2. A passive response is one in which a definitive action is initiated when certain types of alerts are triggered. 3. The Simple Network Management Protocol contains trap functions, which allow a device to send a message to the SNMP management console to indicate that a certain threshold has been crossed, either positively or negatively. 4. An IDPS can be configured to trigger a specific event when it detects specific types of activity. 5. To determine which IDPS would best meet the needs of a specific organizations environment, first consider that environment, in technical, physical, and political terms. 6. Your organizations operational goals, constraints, and culture should not affect the selection of the IDPS and other security tools and technologies to protect your systems. 7. All IDPS vendors target users with the same levels of technical and security expertise. 8. Intrusion detection and prevention systems perform monitoring and analysis of system events and user behaviors. 9. Intrusion detection and prevention systems can deal effectively with switched networks.
____ ____ ____ ____ ____ ____
____ 10. A fully distributed IDPS control strategy is the opposite of the centralized strategy. ____ 11. Intrusion detection consists of procedures and systems that are created and operated to detect system intrusions and protect against attack. ____ 12. A false positive is the failure of an IDPS system to react to an actual attack event. ____ 13. HIDPSs are also known as system integrity verifiers. ____ 14. An HIDPS can detect local events on host systems and also detect attacks that may elude a network-based IDPS. ____ 15. In DNS cache poisoning, valid packets exploit poorly configured DNS servers to inject false information. This corrupts the servers answers to routine DNS queries from other systems on the network. ____ 16. NIDPSs can reliably ascertain if an attack was successful or not. ____ 17. A HIDPS can monitor systems logs for predefined events. ____ 18. A HIDPS is optimized to detect multi-host scanning, and is it able to detect the scanning of non-host network devices, such as routers or switches. ____ 19. Once the OS is known, all of the vulnerabilities to which a system is susceptible can easily be determined. ____ 20. The statistical anomaly-based IDPS collects statistical summaries by observing traffic that is known to be normal. ____ 21. A strategy based on the concept of defense in depth is likely to include intrusion detection systems, active vulnerability scanners, passive vulnerability scanners, automated log analyzers, and protocol analyzers.
____ 22. Sam Spade is an enhanced Web scanner that, among other things, can scan entire Web sites for valuable pieces of information, such as server names and e-mail addresses. ____ 23. Services using the TCP/IP protocol can run only on port 80. ____ 24. Nmap uses incrementing Time-To-Live packets to determine the path into a network as well as the default firewall policy. ____ 25. A starting scanner is one that initiates traffic on the network in order to determine security holes. ____ 26. The Metasploit Framework is a collection of exploits coupled with an interface that allows the penetration tester to automate the custom exploitation of vulnerable systems. ____ 27. A sniffer cannot be used to eavesdrop on network traffic. ____ 28. Strong authentication requires at least one of the forms of authentication to authenticate the supplicants identity. ____ 29. A password is a series of characters from which a virtual password is derived. ____ 30. Most of the technologies that scan human characteristics convert these images to some form of minutiae. Modified True/False Indicate whether the statement is true or false. If false, change the identified word or phrase to make the statement true. ____ 31. Alert or intrusion is an indication that a system has just been attacked and/or continues to be under attack. _________________________ ____ 32. The confidence value, which is a type of false logic, provides an additional piece of information to assist the administrator in determining whether an attack alert is indicating that an actual attack in progress, or whether the IDS is reacting to false attack stimuli and creating a false positive. _________________________ ____ 33. Alarm filtering is alarm clustering that is based on frequency, similarity in attack signature, similarity in attack target, or other similarities. _________________________ ____ 34. The set of activities, which involves gathering information about the organization and its network activities and the subsequent process of identifying network assets, is called fingerprinting. _________________________ ____ 35. A(n) server-based IDPS is focused on protecting the server or hosts information assets. _________________________ ____ 36. In the process of protocol application verification, the NIDPSs look for invalid data packets. _________________________ ____ 37. A(n) NIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for processing. _________________________ ____ 38. Preconfigured, predetermined attack patterns are called signatures. _________________________ ____ 39. A(n) log file monitor is an approach to IDPS that is similar to the NIDPS. _________________________ ____ 40. The IDPS console includes the management software, which collects information from the remote sensors, analyzes the systems or networks monitored, and makes the determination as to whether the current situation has deviated from the preconfigured baseline. _________________________
____ 41. A(n) partially distributed IDPS control strategy combines the best of the other two strategies. _________________________ ____ 42. The trace usually consists of a honey pot or padded cell and an alarm. _________________________ ____ 43. The trap is a process by which the organization attempts to determine the identity of someone discovered in unauthorized areas of the network or systems. _________________________ ____ 44. When a collection of honey pots connects several honey pot systems on a subnet, it may be called a honey net. _________________________ ____ 45. A padded cell is a hardened honey net. _________________________ ____ 46. Enticement is the action of luring an individual into committing a crime to get a conviction. _________________________ ____ 47. Fingerprinting is the organized research of Internet addresses owned or controlled by a target organization. _________________________ ____ 48. For Linux or BSD systems, there is a tool called scanner that allows a remote individual to mirror entire Web sites. _________________________ ____ 49. Port fingers are tools used by both attackers and defenders to identify (or fingerprint) the computers that are active on a network, as well as the ports and services active on those computers, the functions and roles the machines are fulfilling, and other useful information. _________________________ ____ 50. A(n) port is a network channel or connection point in a data communications system. _________________________ ____ 51. A(n) listener vulnerability scanner is one that listens in on the network and determines vulnerable versions of both server and client software. _________________________ ____ 52. When a prospective user, referred to in the area of access control as a(n) supplicant, seeks to use a protected system, logically access a protected service, or physically enter a protected space, he or she must engage in authentication and authorization activities to establish his or her identity and verify that he or she has permission to complete the requested activity. _________________________ ____ 53. Synchronous tokens use a challenge-response system, in which the server challenges the supplicant during login with a numerical sequence. _________________________ ____ 54. Minutiae are unique points of reference that are digitized and stored in an encrypted format when the users system access credentials are created. _________________________ ____ 55. The false detect rate is the percentage of identification instances in which unauthorized users are allowed access to systems or areas as a result of a failure in the biometric device. _________________________ Multiple Choice Identify the choice that best completes the statement or answers the question. ____ 56. A(n) ____ works like a burglar alarm in that it detects a violation of its configuration (analogous to an opened or broken window) and activates an alarm. a. IDS c. ITS b. IIS d. SIS ____ 57. ____ is an event that triggers alarms and causes a false positive when no actual attacks are in progress. a. False Positive c. False Negative b. False Attack Stimulus d. Noise
____ 58. ____ is the process of classifying the attack alerts that an IDS produces in order to distinguish/sort false positives from actual attacks more efficiently. a. Alarm filtering c. Alarm compaction b. Alarm clustering d. Alarm attenuation ____ 59. The set of activities, in which network locales are scanned for active systems, and then the network services offered by the host systems on that network are identified, is called ____. a. filtering c. footprinting b. doorknob rattling d. fingerprinting ____ 60. A(n) ____ IDPS is focused on protecting network information assets. a. network-based c. application-based b. host-based d. server-based ____ 61. ____ is a specially configured connection on a network device that is capable of viewing all of the traffic that moves through the entire device a. NIDPS c. DPS b. SPAN d. IDSE ____ 62. NIDPSs must look for attack patterns by comparing measured activity to known ____ in their knowledge base. a. fingernails c. signatures b. fingerprints d. footprints ____ 63. ____ are usually passive devices and can be deployed into existing networks with little or no disruption to normal network operations. a. NIDPSs c. AppIDPSs b. HIDPSs d. SIDPSs ____ 64. ____ benchmark and monitor the status of key system files and detect when an intruder creates, modifies, or deletes monitored files. a. NIDPSs c. AppIDPSs b. HIDPSs d. SIDPSs ____ 65. Using ____, the system reviews the log files generated by servers, network devices, and even other IDPSs. a. LFM c. AppIDPS b. stat IDPS d. HIDPS ____ 66. Each TCP session consists of a(n) ____. a. FIN packet, a series of data, and ACK packets b. SYN packet, a series of data, and FIN packets c. SYN packet and ACK packets d. SYN packet, a series of data, ACK packets, and FIN packets ____ 67. ____ are decoy systems designed to lure potential attackers away from critical systems and attacks encourage against themselves. a. Honey pots c. Padded cells b. Honey cells d. Padded nets ____ 68. IDPS researchers have used padded cell and honey pot systems since the late ____. a. 1960s c. 1980s b. 1970s d. 1990s ____ 69. An extension of attractant-based honey pot technologies, trap and trace applications are growing in popularity. These systems are often simply referred to as ____. a. trace and treat c. treat and trap b. trap and trace d. trace and clip ____ 70. ____ is the action of luring an individual into committing a crime to get a conviction. a. Entrapment c. Intrusion b. Enticement d. Padding
____ 71. In TCP/IP networking, port ____ is not used. a. 0 c. 13 b. 1 d. 1023 ____ 72. Which of the following ports is commonly used for the HTTP protocol? a. 20 c. 53 b. 25 d. 80 ____ 73. ____ testing is a straightforward testing technique that looks for vulnerabilities in a program or protocol by feeding random input to the program or a network running the protocol. a. Buzz c. Spike b. Fuzz d. Black ____ 74. A(n) ____ is a network tool that collects copies of packets from the network and analyzes them. a. packet scanner c. honey pot b. packet sniffer d. honey packet ____ 75. ____ is the validation of a supplicants identity. a. Authentication c. Password b. Authorization d. Passphrase ____ 76. Once ____ tokens are synchronized with a server, both devices (server and token) use the same time or a time-based database to generate a number that is displayed and entered during the user login phase. a. synchronous c. symmetric b. asynchronous d. asymmetric ____ 77. Among all possible biometrics, only ____ is(are) considered truly unique. a. faces c. voice b. fingerprints d. All of the above ____ 78. The ____ is the level at which the number of false rejections equals the false acceptances, also known as the equal error rate. a. BIOM c. IIS b. REC d. CER ____ 79. Which of the following is the most secure Biometric Authentication system? a. Retina pattern recognition c. Handprint recognition b. Voice recognition d. Signature recognition ____ 80. Which of the following is the most accepted Biometric Authentication System? a. Keystroke pattern recognition c. Voice pattern recognition b. Retina recognition d. Handprint recognition Completion Complete each statement. 81. A(n) ____________________ occurs when an attacker attempts to gain entry or disrupt the normal operations of an information system, almost always with the intent to do harm. 82. The ongoing activity from alarm events that are accurate and noteworthy but not necessarily significant as potentially successful attacks is called the ____________________. 83. Alarm ____________________ is a consolidation of almost identical alarms that happen at close to the same time into a single higher-level alarm. 84. The initial estimation of the defensive state of an organizations networks and systems is called doorknob ____________________.
85. All IDPSs use one of three detection methods: ____________________-based, statistical anomaly-based or a stateful packet inspection approach. 86. The ____________________ port is also known as a switched port analysis port or mirror port. 87. In ____________________ protocol verification, the higher-order protocols are examined for unexpected packet behavior, or improper use. 88. HIDPSs are also known as system ____________________ verifiers. 89. A ____________________-based IDPS resides on a particular computer or server and monitors activity only on that system. 90. A signature-based IDPS is sometimes called a(n) ____________________-based IDS. 91. When the measured activity is outside the baseline parameters, it is said to exceed the ____________________ level. 92. With a(n) ____________________ IDPS control strategy all IDPS control functions are implemented and managed in a central location. 93. ____________________ are decoy systems designed to lure potential attackers away from critical systems and encourage attacks against the themselves. 94. When a collection of honey pots connects several honey pot systems on a subnet, it may be called a(n) ____________________. 95. A(n) ____________________ is a honey pot that has been protected so that it cannot be easily compromised. 96. Under the guise of justice, some less scrupulous administrators may be tempted to ____________________, or hack into a hackers system to find out as much as possible about the hacker. 97. ____________________ is the process of attracting attention to a system by placing tantalizing bits of information in key locations. 98. The attack ____________________ is a series of steps or processes used by an attacker, in a logical sequence, to launch an attack against a target system or network. 99. ____________________ is a systematic survey of all of the target organizations Internet addresses. 100. Nmap is a utility that performs ____________________ scanning. 101. A(n) ____________________ scanner is one that initiates traffic on the network in order to determine security holes. 102. A packet ____________________ is a network tool that collects copies of packets from the network and analyzes them. 103. A(n) ____________________ is a private word or combination of characters that only the user should know. 104. A device called a(n) ____________________ card contains a computer chip that can verify and validate a number of pieces of information instead of just a PIN 105. The ____________________ error rate is the level at which the number of false rejections equals the false acceptances, also known as the equal error rate. Essay 106. List and describe at least four reasons to acquire and use an IDPS.
107. List and describe the three advantages of NIDPSs.
108. List and describe the four advantages of HIDPSs.
07 Answer Section
TRUE/FALSE 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: Register to View AnswerF T T T F F T F T F F T T T F T F T T T T F F F T F F F T PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: 303 303 304 303 306 308 309 311 311 313 289 290 298 300 295 296 299 301 328 301 323 325 326 327 328 332 335 338 339 341
MODIFIED TRUE/FALSE 31. Register to View Answeralarm PTS: 1 32. Register to View Answerfuzzy REF: 290
PTS: 1 REF: 290 33. Register to View Answercompaction
PTS: 1 REF: 291 34. Register to View Answerfootprinting PTS: 1 REF: 292 35. Register to View Answerhost-based PTS: 1 36. Register to View Answerstack PTS: 1 37. Register to View AnswerHIDPS 38. 39. 40. 41. 42. PTS: ANS: ANS: ANS: ANS: ANS: 1 T T T T F, trap REF: 293 REF: 294 REF: 300 PTS: PTS: PTS: PTS: REF: 322 REF: 322 PTS: 1 REF: 320 1 1 1 1 REF: REF: REF: REF: 301 303 312 314
PTS: 1 43. Register to View Answertrace PTS: 1 44. Register to View Answer45. Register to View Answerpot
PTS: 1 REF: 321 46. Register to View AnswerEntrapment PTS: 1 REF: 323 47. Register to View AnswerFootprinting PTS: 1 48. Register to View Answerwget PTS: 1 49. Register to View Answerscanners PTS: 1 50. Register to View Answer51. Register to View Answerpassive REF: 324 REF: 325 REF: 326 PTS: 1 REF: 326
PTS: 1 REF: 333 52. Register to View Answer53. Register to View AnswerAsynchronous PTS: 1 54. Register to View AnswerREF: 339
55. Register to View Answeraccept PTS: 1 REF: 341
MULTIPLE CHOICE 56. 57. 58. 59. 60. 61. 62. 63. 64. 65. 66. 67. 68. 69. 70. 71. 72. 73. 74. 75. 76. 77. 78. 79. 80. ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: Register to View AnswerB A D A B C A B A D A C B A A D B B A A B D A C PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: 289 290 290-291 292 293 294 294 296 298 303 320 320 321 322 323 326 327 330 335 338 339 340 342 342 342
COMPLETION 81. ANS: intrusion PTS: 1 82. ANS: noise PTS: 1 83. ANS: clustering PTS: 1 84. ANS: rattling PTS: 1 85. ANS: signature REF: 289 REF: 290 REF: 291 REF: 292
PTS: 1 86. ANS: monitoring PTS: 1 87. ANS: application PTS: 1 88. ANS: integrity PTS: 1 89. ANS: host PTS: 1 90. ANS: knowledge PTS: 1 91. ANS: clipping PTS: 1 92. ANS: centralized PTS: 1 93. ANS: Honey pots Honeypots PTS: 1 94. ANS: honey net honeynet PTS: 1 95. ANS: padded cell PTS: 1 96. ANS: back hack PTS: 1 97. ANS: Enticement PTS: 1 98. ANS: protocol
REF: 301 REF: 294 REF: 295 REF: 298 REF: 298 REF: 301 REF: 301 REF: 312
REF: 320 REF: 321 REF: 322 REF: 323
PTS: 1 REF: 324 99. ANS: Fingerprinting PTS: 1 100. ANS: Idle REF: 325
PTS: 1 101. ANS: active active vulnerability PTS: 1 102. ANS: sniffer PTS: 1 103. ANS: password PTS: 1 104. ANS: smart PTS: 1 105. ANS: crossover PTS: 1 ESSAY
REF: 328 REF: 335 REF: 338 REF: 339 REF: 342
106. ANS: 1. To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system 2. To detect attacks and other security violations that are not prevented by other security measures 3. To detect and deal with the preambles to attacks (commonly experienced as network probes and other doorknob rattling activities) 4. To document the existing threat to an organization 5. To act as quality control for security design and administration, especially of large and complex enterprises 6. To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors PTS: 1 REF: 291 107. ANS: 1. Good network design and placement of NIDPS devices can enable an organization to use a few devices to monitor a large network. 2. NIDPSs are usually passive devices and can be deployed into existing networks with little or no disruption to normal network operations. 3. NIDPSs are not usually susceptible to direct attack and, in fact, may not be detectable by attackers. PTS: 1 REF: 296 108. ANS: 1. A HIDPS can detect local events on host systems and also detect attacks that may elude a network-based IDS. 2. A HIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for processing. 3. The use of switched network protocols does not affect a HIDPS.
4. A HIDPS can detect inconsistencies in how applications and systems programs were used by examining the records stored in audit logs. This can enable it to detect some types of attacks, including Trojan Horse programs. PTS: 1 REF: 300