Chapter 8: Intrusion Detection Flashcards

1
Q

An intrusion is what?

A. Any attack that aims to compromise the security goals of an organization
B. Any attack that is hidden from a user
C. A form of detection which users are able to see everyone on the network
D. A form of encryption which allows end to end security

A

Answer: A

2
Q

(T/F) Intrusion detection systems are part of the defense in depth strategy.

A

Answer: True

3
Q

Defense in depth strategies should include the following except what?

A. Encrypting sensitive information
B. Intrusion detection systems
C. Detailed audit trails
D. Strong authentication and authorization controls
E. Zero-day exploits
F. Active management of operating systems
G. Application security

A

Answer: E

4
Q

What is the correct order for how an attacker behaves during an intrusion?

A. Maintaining Access: this is important because an attack may not be a one-time action. The attacker may install backdoors or other malicious software on a target system so they can continue to access it.

B. Information Gathering and System Exploit: this is when an attacker has already gained sufficient privilege on a system and he or she can find out more about the network and the organization, or even move to another target system to further exploit the network.

C. Covering Tracks: this is when the attacker makes sure there is no evidence of them on the system. This can be done by disabling or even editing the system audit logs to remove evidence of attack activities. Alternatively, the attacker can install a rootkit to hide the installed malware.

D. Privilege Escalation: this step is taken after initial access, and the attacker will try to use a local exploit to escalate their privileges from normal user to root on the target system.

E. Initial Access: this is accomplished by exploiting a remote network vulnerability.

F. Target Acquisition and Information Gathering: this is when the attacker identifies the target system using publicly available information, both technical and non-technical, and also uses network tools to analyze target resources.

A

Correct Order: F, E, D, B, A, C

5
Q

(T/F) The key design elements for an intrusion detection system are examining network and group activities.

A

Answer: False

The key design elements are examining network and USER activities.

6
Q

(T/F) From an algorithmic perspective, models capture intrusion evidence, and features piece the evidence together.

A

Answer: False

Features capture intrusion evidence, while models piece the evidence together.

7
Q

Which of the following components is not part of an intrusion detection system?

A. Data preprocessor
B. Detection models
C. Detection engines
D. Decision table
E. Reporting and analytics
F. Decision engine

A

Answer: E

8
Q

(T/F) Anomaly detection tries to learn what is normal and uses machine learning. Signature detection uses a database to identify virus patterns.

A

Answer: True

9
Q

(T/F) Another name for an intruder is a hacker or cracker.

A

Answer: True

10
Q

An IDS is comprised of three logical components. Which of the following is NOT a component?

A. Analyzers
B. User interface
C. Deep learning
D. Sensors

A

Answer: C

Text p. 256

11
Q

(T/F) Analyzers are responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred, but the output does not include evidence supporting the conclusion that an intrusion has occurred.

A

Answer: False
The analyzer output may include evidence supporting the conclusion that an intrusion has occurred. The analyzer may also provide guidance about what actions to take as a result of the intrusion.

12
Q

(T/F) Intrusion detection systems are only allowed to use a single sensor.

A

Answer: False
An IDS can use multiple sensors across a range of host and network devices, sending information to a centralized analyzer and user interface in a distributed architecture.

13
Q

(T/F) One of the many intruder behaviors is maintaining access. This is done by adding a machine-code backdoor that is hard to detect. Detection is difficult because the backdoor modifies machine-level code.

A

Answer: True

14
Q

Match the appropriate intrusion detection classification to its correct value:

i. Monitors the characteristics of a single host and the events occurring within the host
ii. Monitors network traffic for particular network segments or devices
iii. Combines information from multiple sensors, often both host- and network-based, and sends the information to a central analyzer

A. i = Network Based, ii = Host Based, iii = Distributed or Hybrid Based
B. i = Host Based, ii = Network Based, iii = Distributed
C. i = Network Based, ii = Distributed, iii = Host Based
D. There are no IDS architectures aside from Host Based

A

Answer: B

Text p. 257

15
Q

(T/F) In the context of IDS systems, a false negative is when an authorized user is identified as an intruder, and a false positive is when intruders are not identified as intruders.

A

Answer: False
The statement is reversed: a false negative is when an intruder is not properly identified, and a false positive is when an authorized user is identified as an intruder.

16
Q

(T/F) The base-rate fallacy of IDS states that if the number of intrusions is low compared to the number of legitimate users of a system, then the false alarm rate will be high unless the test is extremely discriminating.

A

Answer: True

Text p. 258

17
Q

Anomaly detection involves the collection of data relating to a behavior over a period of time. Once the data is collected, it is analyzed to determine whether the behavior is legitimate. What can be an issue with anomaly detection?

A. High false positive rate
B. High false negative rate
C. Low false positive rate
D. Both A and B

A

Answer: A

Text p. 259

18
Q

(T/F) Signature or heuristic detection uses a set of pre-defined malicious data patterns or attack rules, which are compared with current behavior to decide if it is that of an intruder.

A

Answer: True

Text p. 259

19
Q

The disadvantages of locating a honeypot in an internal network are:

A. It has little or no ability to trap internal attackers and cannot detect a misconfigured firewall
B. If it is compromised, it can attack other internal systems. Its location requires the outer firewall to permit traffic through its filters
C. It puts more load on the external firewall and on the resources of the internal system
D. It leads to honey files, which are malicious byproducts of the prolonged use of the honeypot
E. It leads to a honey-do list, which can ruin a Saturday

A

Answer: B

Text p. 279

20
Q

Which of the following is not listed as a desired quality of an IDS?

A