CHAPTER 8 Flashcards

1
Q

An intruder can also be referred to as a hacker or cracker.

A

T

2
Q

Activists are either individuals or members of an organized crime
group with a goal of financial reward.

A

F

3
Q

Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion.

A

T

4
Q

Those who hack into computers do so for the thrill of it or for status.

A

T

5
Q

Intruders typically use steps from a common attack methodology.

A

T

6
Q

The IDS component responsible for collecting data is the user interface.

A

F

7
Q

Intrusion detection is based on the assumption that the behavior of the
intruder differs from that of a legitimate user in ways that can be quantified.

A

T

8
Q

The primary purpose of an IDS is to detect intrusions, log suspicious
events, and send alerts.

A

T

9
Q

Signature-based approaches attempt to define normal, or expected,
behavior, whereas anomaly approaches attempt to define proper behavior.

A

F

10
Q

Anomaly detection is effective against misfeasors.

A

F

11
Q

To be of practical use, an IDS should detect a substantial percentage of
intrusions while keeping the false alarm rate at an acceptable level.

A

T

12
Q

An inline sensor monitors a copy of network traffic; the actual traffic
does not pass through the device.

A

F

13
Q

A common location for a NIDS sensor is just inside the external
firewall.

A

T

14
Q

Network-based intrusion detection makes use of signature detection
and anomaly detection.

A

T

15
Q

Snort can perform intrusion prevention but not intrusion detection.

A

F

16
Q

_________ are either individuals or members of a larger group of outsider attackers who are motivated by social or political causes.
A. State-sponsored organizations B. Activists
C. Cyber criminals D. Others

A

Activists

17
Q

A _________ is a security event that constitutes a security incident in which an intruder gains access to a system without having authorization to do so.
A. intrusion detection B. IDS
C. criminal enterprise D. security intrusion

A

security intrusion

18
Q

A _________ monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
A. host-based IDS B. security intrusion
C. network-based IDS D. intrusion detection

A

host-based IDS

19
Q

A ________ monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.
A. host-based IDS B. security intrusion
C. network-based IDS D. intrusion detection

A

network-based IDS

20
Q

The ________ is responsible for determining if an intrusion has occurred.
A. analyzer B. host
C. user interface D. sensor

A

analyzer

21
Q

__________ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder.
A. Profile based detection B. Signature detection
C. Threshold detection D. Anomaly detection

A

Signature detection

22
Q

_________ involves the collection of data relating to the behavior of legitimate users over a period of time.
A. Profile based detection B. Signature detection
C. Threshold detection D. Anomaly detection

A

Anomaly detection

23
Q

A(n) __________ is a hacker with minimal technical skill who primarily uses existing attack toolkits.
A. Master B. Apprentice
C. Journeyman D. Activist

A

Apprentice

24
Q

The _________ module analyzes LAN traffic and reports the results to the central manager.
A. LAN monitor agent B. host agent
C. central manager agent D. architecture agent

A

LAN monitor agent

25
Q

The purpose of the ________ module is to collect data on security-related events on the host and transmit these to the central manager.
A. central manager agent B. LAN monitor agent
C. host agent D. architecture agent

A

host agent

26
Q

A(n) ________ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.
A. passive sensor B. analysis sensor
C. LAN sensor D. inline sensor

A

inline sensor

27
Q

A(n) ________ event is an alert that is generated when the gossip traffic enables a platform to conclude that an attack is under way.
A. PEP B. DDI
C. IDEP D. IDME

A

DDI

28
Q

_________ is a document that describes the application level protocol for exchanging data between intrusion detection entities.
A. RFC 4767 B. RFC 4766
C. RFC 4765 D. RFC 4764

A

RFC 4767

29
Q

The rule _______ tells Snort what to do when it finds a packet that matches the rule criteria.
A. protocol B. direction
C. action D. destination port

A

action

30
Q

The _______ is the ID component that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.
A. data source B. sensor
C. operator D. analyzer

A

analyzer