Chapter 8: Intrusion Detection

Question 1

Intrustion is what?

A. Any attack that aims to compromise the security goals of an organization
B. Any attack that is hidden from a user
C. A form of detection which users are able to see everyone on the network
D. A form of encryption which allows end to end security

Answer 1

Answer: A

Question 2

(T/F) Intrustion detection systems are part of the defense in depth strategy

Answer 2

Answer: True

Question 3

Defense in depth strategies should include the following except what?

A. Encrypting sensitive information
B. Intrustion detection systems
C. Detailed audit trails
D. Strong authentication and authorization controls
E. Zero-day exploits
F. Active management of operating systems
G. Application security

Answer 3

Answer: E

Question 4

What is the correct order for how an attacker behaves during intrustion?

A. Marinating Access: this is important because an attack may not be a onetime action. They may install backdoors or other malicious software on a target system so they can continue to access.

B. Information Gathering System Exploit: this is when an attacker has already gained sufficient privilege on a system and he or she can find out more about the network and the organization or even move to another target system to further exploit on the network

C. Covering Tracks: this is when the user makes sure there is no evidence of them on the system this can be done by
disabling or even editing the system audit logs to remove evidence of attack activities. Alternatively, the user can install a root kit to hide the installed malware

D. Privilege Escalation this is taken after initial access ad the attacker will try to use a local exploit to escalate its privilege form from normal user to root on target system.

E. Initial Access this is accomplished by exploiting a remote network vulnerability.

F. Target acquisition and information gathering this is when the attacker identifies the target system using publicly available information both technical and non-technical and they also use network tools to analyze target resources.

Answer 4

Correct Order: F, E, D, B, A, C

Question 5

(T/F) The key design elements for an intrustion detection system is examining network and group activities

Answer 5

Answer: False

The key design elements is examining network and USER activities

Question 6

(T/F) From an algorithmic perspective, models capture intrustion evidence. Features piece evidence together.

Answer 6

Answer: False

Features capture intrustion evidence while models piece evidence together.

Question 7

Which of the components is not part of an intrusion detection system?

A.  Data preprocessor
B.  Detection models
C.  Detection engines
D.  Decision table
E.  Reporting and analytics
F.  Decision engine

Answer 7

Answer: E

Question 8

(T/F) Anomaly detection tries to detect what is normal and is using machine learning. Signature detection uses a database to identify virus patterns

Answer 8

Answer: True

Question 9

(T/F) Another name for an intruder is a hacker or cracker

Answer 9

Answer: True

Question 10

An IDS is comprised of three logical components. Which of the following is NOT a component?

A. Analyzers
B. User interface
C. Deep learning
D. Sensors

Answer 10

Answer: C

Text p. 256

Question 11

(T/F) Analyzers are responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. But the output doesn’t include evidence supporting the conclusion that an intrusion has occurred

Answer 11

Answer: False
The analyzer output may include evidence supporting the conclusion that an intrusion has occurred. The analyzer may provide guidance about what actions to take as a result of the intrusion

Question 12

(T/F) Intrusion detection systems are only allowed to use a single sensor

Answer 12

Answer: False
IDS can use multiple sensors across a range of host and network devices sending information to a centralized analyzer and user interface in a distributed architecture

Question 13

(T/F) One of the many intruder behaviors is maintaining access. This is done by adding a machine code backdoor that is hard to detect. Detection is difficult because the backdoor modifies machine level code

Answer 13

Answer: True

Question 14

Match the appropriate intrusion detection classification to it’s correct value:

i. Monitors characteristics of a single host and the events occurring within the host
ii. Monitors network traffic for particular network segments or devices
iii. Combines information from multiple sensors often both host and network based then dumps the info into a central analyzer

A. i = Network Based, ii = Host Based, iii = Distributed or Hybrid Based
B. i = Host Based, ii = Network Based, iii = Distributed
C. i = Network Based, ii = Distributed, iii = Host Based
D. There are no IDS architectures aside from Host Based

Answer 14

Answer: B

Text p. 257

Question 15

(T/F) In the context of IDS systems, a false negative is when an authorized user is identified as an intruder and a false positive is when intruders are not identified as intruders

Answer 15

Answer: False
Statement is the reverse - false negative is when an intruder is not properly identified and a false positive is when an authorized user is identified as an intruder

Question 16

(T/F) The base-rate fallacy of IDS states that if the number of intrusions are low compared to the number of legitimate users of a system then the false alarm rate will be high unless the test is extremely discriminating

Answer 16

Answer: True

Text p. 258

Question 17

Anomaly detection involves the collection of data relating to a behavior over a period of time. Once the data is collected, it is analyzed to determine whether or not the behavior is legitimate or not. An issue with anomaly detection can be what?

A. High false positive rate
B. High false negative rate
C. Low false positive rate
D. Both A and B

Answer 17

Answer: A

Text p. 259

Question 18

(T/F) Signature or heuristic detection uses a set of pre-defined malicious data patterns or attack rules which are compared with current behavior to decide if it is that of an intruder

Answer 18

Answer: True

Text p. 259

Question 19

The disadvantages of locating a honeypot in an internal network are:

A. It has little or no ability to trap internal attackers and cannot detect a misconfigured firewall
B. If it is compromised, it can attack other internal systems. Its location requires the outer firewall to permit traffic through its filters
C. It puts more load on the external firewall and on the resources of the internal system
D. It leads to honey files, which are malicious byproducts of the prolonged use of the honeypot
E. It leads to a honey-do list, which can ruin a Saturday

Answer 19

Answer: B

Text p. 279

Question 20

Which of the following is not listed as a desired quality of an IDS?