Chapter 4 Flashcards

1
Q

Intrusion detection systems (IDSs) monitor:

A

a network and send alerts when they detect suspicious events on a system or network.

2
Q

Intrusion prevention systems (IPSs) react:

A

to attacks in progress and prevent them from reaching systems and networks.

3
Q

A host-based intrusion detection system (HIDS) is:

A

additional software installed on a system such as a workstation or server.

4
Q

A host-based intrusion detection system (HIDS) provides:

A

protection to the individual host and can detect potential attacks and protect critical operating system files.

5
Q

The primary goal of any IDS is to

A

monitor traffic.

6
Q

For a HIDS, traffic passes through:

A

the network interface card (NIC).

7
Q

Many host-based IDSs have expanded to:

A

monitor application activity on the system.

monitor the server application.

8
Q

You can install a HIDS on different:

A

Internet-facing servers, such as web servers, mail servers, and database servers.

9
Q

A HIDS can help detect:

A

malicious software (malware) that traditional antivirus software might miss.

10
Q

A network-based intrusion detection system (NIDS) monitors:

A

activity on the network.

11
Q

An administrator installs NIDS sensors or collectors on:

A

network devices such as routers and firewalls.

12
Q

NIDS sensors or collectors gather:

A

information and report to a central monitoring server hosting a NIDS console.

13
Q

A NIDS is not able to:

A

detect anomalies on individual systems or workstations unless the anomaly causes a significant difference in network traffic.

decrypt encrypted traffic.

14
Q

The NIDS provides overall:

A

monitoring and analysis and can detect attacks on the network.

15
Q

Most switches support:

A

port mirroring, allowing administrators to configure the switch to send all traffic received by the switch to a single port.

16
Q

After configuring a port mirror, you can use it as a:

A

tap to send all switch data to a sensor or collector, and forward this to a NIDS.

17
Q

It’s possible to configure taps on routers to:

A

capture all traffic sent through the switch and send it to the IDS.

18
Q

The decision on where you want to place the sensors depends on:

A

what you want to measure.

19
Q

If you want to see all attacks on your network, put a sensor on:

A

the Internet side.

20
Q

If you only want to see what gets through your network, put sensors:

A

internally only.

21
Q

If you want to see both attacks on and through your network, put sensors in:

A

both places.

22
Q

An IDS can only:

A

detect an attack.

23
Q

An IPS prevents attacks by:

A

detecting them and stopping them before they reach the target.

24
Q

An attack is:

A

any attempt to compromise confidentiality, integrity, or availability.

25
Q

The two primary methods of detection are:

A

signature-based

heuristic- or behavioral-based (also called anomaly-based).

26
Q

Any type of IDS can detect:

A

attacks based on signatures, anomalies, or both.

27
Q

The HIDS monitors:

A

the network traffic reaching its NIC and the NIDS monitors the traffic on the network.

28
Q

Signature-based IDSs (also called definition-based) use:

A

a database of known vulnerabilities or known attack patterns.

29
Q

Heuristic/behavioral-based detection (also called anomaly-based
detection) starts by:

A

identifying normal operation or normal behavior of the network.

30
Q

Heuristic/behavioral-based detection (also called anomaly-based
detection) identifies normal operation by:

A

creating a performance baseline under normal operating conditions.

31
Q

The IDS provides continuous monitoring:

A

by constantly comparing current network behavior against the baseline.

32
Q

When the IDS detects abnormal activity (outside normal boundaries as identified in the baseline), it:

A

gives an alert indicating a potential attack.

33
Q

Both heuristic-based IDSs and heuristic-based antivirus software examine:

A

activity and detect abnormal activity that is beyond the capability of signature-based detection.

34
Q

The SYN flood attack is a:

A

common denial-of-service (DoS) attack.

35
Q

In a SYN flood attack, the attacker:

A

sends multiple SYN packets but never completes the third part of the TCP handshake with the last ACK packet.

36
Q

Many firewalls include a SYN flood guard that can:

A

detect SYN flood attacks and take steps to close the open sessions.

37
Q

In some usage, administrators define a zero-day exploit as:

A

one where the vendor has not released a patch.

38
Q

Any time administrators make any significant changes to a system or
network that cause the normal behavior to change, they should:

A

re-create the baseline.

39
Q

Any type of IDS will use:

A

various raw data sources to collect information on activity, including a wide variety of logs, such as firewall logs, system logs, and application logs.

40
Q

Logs can be analyzed to provide:

A

insight on trends.

41
Q

Trends can detect:

A

a pattern of attacks and provide insight into how to better protect a network.

42
Q

IDSs report on:

A

events of interest based on rules configured within the IDS. All events aren’t attacks or actual issues, but instead, they provide a report indicating an event might be an alert or an alarm.

43
Q

Systems use an alarm for:

A

a potentially serious issue.

44
Q

Systems use an alert for:

A

a relatively minor issue.

45
Q

Administrators configure the rules within the IDS based on:

A

the needs of the organization.

46
Q

While IDSs use advanced analytics to examine traffic, they are susceptible to:

A

both false positives and false negatives.

47
Q

A false positive is:

A

an alert or alarm on an event that is nonthreatening, benign, or harmless.

48
Q

A false negative is:

A

when an attacker is actively attacking the network, but the system does not detect it.