Chapter 8: Intrusion Detection Flashcards
What is an intrusion?
A. Any attack that aims to compromise the security goals of an organization
B. Any attack that is hidden from a user
C. A form of detection which users are able to see everyone on the network
D. A form of encryption which allows end to end security
Answer: A
(T/F) Intrusion detection systems are part of a defense in depth strategy
Answer: True
A defense in depth strategy should include all of the following except which?
A. Encrypting sensitive information
B. Intrusion detection systems
C. Detailed audit trails
D. Strong authentication and authorization controls
E. Zero-day exploits
F. Active management of operating systems
G. Application security
Answer: E
What is the correct order of the steps an attacker takes during an intrusion?
A. Maintaining Access: this matters because an attack may not be a one-time action. The attacker may install backdoors or other malicious software on the target system so they can continue to access it.
B. Information Gathering or System Exploit: once the attacker has gained sufficient privilege on a system, they can find out more about the network and the organization, or move on to another target system to exploit further.
C. Covering Tracks: the attacker makes sure there is no evidence of their presence on the system, for example by disabling or editing the system audit logs to remove evidence of the attack activity. Alternatively, the attacker can install a rootkit to hide the installed malware.
D. Privilege Escalation: after initial access, the attacker tries to use a local exploit to escalate their privilege from normal user to root on the target system.
E. Initial Access: accomplished by exploiting a remote network vulnerability.
F. Target Acquisition and Information Gathering: the attacker identifies the target system using publicly available information, both technical and non-technical, and uses network tools to analyze the target's resources.
Correct Order: F, E, D, B, A, C
(T/F) The key design elements of an intrusion detection system are examining network and group activities
Answer: False
The key design elements are examining network and USER activities
(T/F) From an algorithmic perspective, models capture intrusion evidence and features piece the evidence together.
Answer: False
Features capture intrusion evidence, while models piece the evidence together.
Which of the following components is not part of an intrusion detection system?
A. Data preprocessor
B. Detection models
C. Detection engines
D. Decision table
E. Reporting and analytics
F. Decision engine
Answer: E
(T/F) Anomaly detection builds a model of what is normal (often using machine learning) and flags deviations from it. Signature detection matches observed data against a database of known attack patterns
Answer: True
(T/F) Another name for an intruder is a hacker or cracker
Answer: True
An IDS is comprised of three logical components. Which of the following is NOT a component?
A. Analyzers
B. User interface
C. Deep learning
D. Sensors
Answer: C
Text p. 256
(T/F) Analyzers are responsible for determining whether an intrusion has occurred. The output of this component is an indication that an intrusion has occurred, but it does not include evidence supporting that conclusion
Answer: False
The analyzer output may include evidence supporting the conclusion that an intrusion has occurred, and the analyzer may provide guidance about what actions to take as a result of the intrusion
(T/F) Intrusion detection systems are only allowed to use a single sensor
Answer: False
An IDS can use multiple sensors across a range of host and network devices, sending information to a centralized analyzer and user interface in a distributed architecture
(T/F) One of the many intruder behaviors is maintaining access. This is done by installing a backdoor (such as a rootkit) that is hard to detect; detection is difficult because the backdoor modifies machine-level system code
Answer: True
Match each intrusion detection classification to its correct description:
i. Monitors characteristics of a single host and the events occurring within the host
ii. Monitors network traffic for particular network segments or devices
iii. Combines information from multiple sensors, often both host- and network-based, and sends it to a central analyzer
A. i = Network Based, ii = Host Based, iii = Distributed or Hybrid Based
B. i = Host Based, ii = Network Based, iii = Distributed
C. i = Network Based, ii = Distributed, iii = Host Based
D. There are no IDS architectures aside from Host Based
Answer: B
Text p. 257
(T/F) In the context of IDS, a false negative is when an authorized user is identified as an intruder, and a false positive is when an intruder is not identified as an intruder
Answer: False
The statement is reversed: a false negative is when an intruder is not identified as one, and a false positive is when an authorized user is flagged as an intruder
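The following is an added example, not part of the original flashcards or the textbook they summarize. It illustrates two of the cards above in working code: the difference between signature detection (matching known attack patterns) and anomaly detection (flagging deviations from a learned baseline), and how the resulting verdicts are scored as true positives, false positives and false negatives against ground truth. All events, the three signature patterns, the feature names (bytes, failed_logins) and the z-score threshold are constructed for the example and are not from the page.

```python
import re
import statistics

# Signature detection: regexes for known attack patterns, matched against the
# request URI. These three patterns are illustrative, not a real ruleset.
SIGNATURES = [
    ("path traversal", re.compile(r"\.\./")),
    ("sensitive file access", re.compile(r"/etc/passwd")),
    ("sql injection", re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)),
]

# Constructed training records from a period assumed to be intrusion-free.
# Anomaly detection learns what "normal" looks like from these.
TRAINING = [
    {"bytes": 1000, "failed_logins": 0},
    {"bytes": 1200, "failed_logins": 0},
    {"bytes": 900, "failed_logins": 1},
    {"bytes": 1100, "failed_logins": 0},
    {"bytes": 1300, "failed_logins": 0},
]

FEATURES = ("bytes", "failed_logins")  # features that capture the evidence
Z_THRESHOLD = 3.0                      # assumed cut-off for "abnormal"

# Constructed events to analyze; "label" is ground truth used only for scoring.
TEST_EVENTS = [
    {"src": "10.0.0.5", "uri": "/index.html", "bytes": 1150, "failed_logins": 0, "label": "benign"},
    {"src": "10.0.0.9", "uri": "/../../etc/passwd", "bytes": 900, "failed_logins": 0, "label": "attack"},
    {"src": "10.0.0.7", "uri": "/download.zip", "bytes": 48000, "failed_logins": 0, "label": "benign"},
    {"src": "10.0.0.3", "uri": "/login", "bytes": 1000, "failed_logins": 9, "label": "attack"},
    {"src": "10.0.0.8", "uri": "/login?user=bob", "bytes": 1050, "failed_logins": 0, "label": "attack"},
    {"src": "10.0.0.4", "uri": "/search?q=' OR '1'='1", "bytes": 1200, "failed_logins": 0, "label": "attack"},
]


def build_baseline(records):
    """Model of normal behavior: per-feature mean and population std dev."""
    baseline = {}
    for f in FEATURES:
        values = [r[f] for r in records]
        baseline[f] = (statistics.mean(values), statistics.pstdev(values))
    return baseline


def signature_hits(event):
    """Names of known-attack patterns found in the event's URI."""
    return [name for name, pat in SIGNATURES if pat.search(event["uri"])]


def anomaly_hits(event, baseline):
    """Features whose value lies more than Z_THRESHOLD std devs from the mean."""
    hits = []
    for f in FEATURES:
        mean, sd = baseline[f]
        if sd == 0:  # constant in training: any change is a deviation
            if event[f] != mean:
                hits.append(f"{f} deviates from constant baseline")
            continue
        z = (event[f] - mean) / sd
        if abs(z) > Z_THRESHOLD:
            hits.append(f"{f} z-score {z:.1f}")
    return hits


def analyze(event, baseline):
    """Analyzer role: verdict plus the evidence that supports it."""
    evidence = [f"signature: {s}" for s in signature_hits(event)]
    evidence += [f"anomaly: {a}" for a in anomaly_hits(event, baseline)]
    verdict = "intrusion" if evidence else "normal"
    return verdict, evidence


def score(events, baseline):
    """Compare verdicts with ground-truth labels: TP, FP, FN, TN counts."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for e in events:
        flagged = analyze(e, baseline)[0] == "intrusion"
        attack = e["label"] == "attack"
        if flagged and attack:
            counts["tp"] += 1
        elif flagged and not attack:
            counts["fp"] += 1       # authorized activity flagged as intrusion
        elif not flagged and attack:
            counts["fn"] += 1       # intruder not identified
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    for e in TEST_EVENTS:
        verdict, evidence = analyze(e, baseline)
        print(f"{e['src']:10} {verdict:9} {e['label']:7} {evidence}")
    print(score(TEST_EVENTS, baseline))
```

Running it shows the two failure modes side by side: the large but legitimate download is an anomaly-detection false positive, and the login with stolen credentials that matches no signature and looks statistically normal is a false negative that neither method catches.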