L12 - Intrusion Detection Flashcards
A system that tries to stop intrusion from happening
a) Firewalls
b) Intrusion Detection System (IDS)
a) Firewalls
A system that tries to evaluate an intrusion after it has happened
a) Firewalls
b) Intrusion Detection System (IDS)
b) Intrusion Detection System (IDS)
A system that watches for intrusions that start within the system
a) Firewalls
b) Intrusion Detection System (IDS)
b) Intrusion Detection System (IDS)
A system that limits access between networks to prevent intrusion
a) Firewalls
b) Intrusion Detection System (IDS)
a) Firewalls
An intruder can also be referred to as a hacker or cracker
a) True
b) False
a) True
Activists are either individuals or members of an organized crime group with a goal of financial reward
a) True
b) False
b) False
That describes criminals; activists (hacktivists) act for a social or political cause, not financial reward
Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion
a) True
b) False
a) True
Those who hack into computers do so for the thrill of it or for status
a) True
b) False
b) False
Thrill or status motivates only one class of intruder (hackers); criminals, activists and state-sponsored actors have other motives
Intruders typically use steps from a common attack methodology
a) True
b) False
a) True
Which describes the following backdoor: Compiler backdoors
a) This backdoor is hard to detect because it modifies machine code
b) This backdoor can only be used by the person who created it, even if it is discovered by others
c) This backdoor inserts backdoors into other programs during compilation
c) This backdoor inserts backdoors into other programs during compilation
Which describes the following backdoor: Object Code backdoors
a) This backdoor is hard to detect because it modifies machine code
b) This backdoor can only be used by the person who created it, even if it is discovered by others
c) This backdoor inserts backdoors into other programs during compilation
a) This backdoor is hard to detect because it modifies machine code
Which describes the following backdoor: Asymmetric backdoors
a) This backdoor is hard to detect because it modifies machine code
b) This backdoor can only be used by the person who created it, even if it is discovered by others
c) This backdoor inserts backdoors into other programs during compilation
b) This backdoor can only be used by the person who created it, even if it is discovered by others
For Anomaly detection systems, the longer the system is in use, the more it learns about network activity
a) True
b) False
a) True
For Anomaly detection systems, if malicious activity looks like normal traffic to the system, it will not detect an attack
a) True
b) False
a) True
For Anomaly detection systems, false positives can become a problem: normal but unusual usage can be mistaken for an attack
a) True
b) False
a) True
For Signature Based detection systems, new threats can be detected immediately
a) True
b) False
b) False
For Signature Based detection systems, when a new virus is identified, it must be added to the signature databases
a) True
b) False
a) True
For Signature Based detection systems, it can only detect an intrusion attempt if it matches a pattern that is in the database
a) True
b) False
a) True
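The three signature-based cards above describe one mechanism: an alert fires only when traffic matches a pattern already in the signature database, so a new threat goes unnoticed until its signature is added. The following is an added example (not code from the original flashcards or from any IDS product) that implements a toy signature matcher in Python; the signature names, regexes and sample payloads are constructed for illustration.

```python
"""Toy signature-based detector (added example, not from the original
flashcards). A payload is flagged only when it matches a pattern already in
the signature database. Signatures and sample packets are constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class SignatureDB:
    # signature name -> compiled regex applied to the packet payload
    rules: dict = field(default_factory=dict)

    def add(self, name: str, pattern: bytes) -> None:
        """Add (or replace) a signature; this is the 'update the database' step."""
        self.rules[name] = re.compile(pattern, re.IGNORECASE | re.DOTALL)

    def match(self, payload: bytes) -> list:
        """Return the names of every signature found in the payload."""
        return [name for name, rx in self.rules.items() if rx.search(payload)]


def detect(db: SignatureDB, packets: list) -> dict:
    """Map each packet id to the signatures it triggered (empty list = no alert)."""
    return {pid: db.match(payload) for pid, payload in packets}


# Constructed sample traffic (hypothetical payloads, not real captures).
SAMPLE_PACKETS = [
    ("p1", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("p2", b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"),
    ("p3", b"GET /search?q=' OR '1'='1 HTTP/1.1\r\n"),
]


def build_initial_db() -> SignatureDB:
    """Database as shipped: it knows two old web attacks and nothing about SQLi."""
    db = SignatureDB()
    db.add("web-cgi-phf", rb"/cgi-bin/phf")
    db.add("etc-passwd-access", rb"/etc/passwd")
    return db


def demo():
    """Return detection results before and after a new signature is added."""
    db = build_initial_db()
    before = detect(db, SAMPLE_PACKETS)
    # p3 is a "new" threat: the detector is blind to it until its signature exists
    db.add("sqli-tautology", rb"'\s*OR\s*'1'\s*=\s*'1")
    after = detect(db, SAMPLE_PACKETS)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for pid in ("p1", "p2", "p3"):
        print(pid, "before:", before[pid], "after:", after[pid])
```

Run it and p3 produces no alert until the SQL-injection signature is added, while p1 (ordinary browsing) never alerts; that gap between a threat appearing and its signature being written is exactly why signature-based systems cannot detect new threats immediately.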
Could the following be considered an anomaly to typical network traffic: IP address
a) True
b) False
a) True
If an IP address is not normally accessed by users (or is unknown) then it can be considered an anomaly
Could the following be considered an anomaly to typical network traffic: Port Address
a) True
b) False
a) True
If a port address is not normally accessed by users (or is unknown) then it can be considered an anomaly
Could the following be considered an anomaly to typical network traffic: Packet Length
a) True
b) False
a) True
If the packet length is unusually long compared with the traffic normally seen
Could the following be considered an anomaly to typical network traffic: Flag setting
a) True
b) False
a) True
If a flag is not normally seen in normal traffic conditions, then it can be considered an anomaly
Any action that does not fit the normal behavior profile is considered an attack in a:
a) Statistical approach
b) Knowledge based approach
a) Statistical approach
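The four "anomaly" cards (IP address, port, packet length, flag setting) and the statistical-approach card above describe one detector: learn a profile of normal traffic from observed records, then treat anything that does not fit the profile as an attack. The following is an added example (not code from the original flashcards) implementing that in Python. The flow records, the field names (dst_ip, dst_port, flags, length) and the 3-sigma length threshold are constructed assumptions; the example also shows the two weaknesses the earlier cards mention, a false positive on legitimate-but-new traffic and a miss on malicious traffic that blends in.

```python
"""Toy statistical anomaly detector over flow records (added example, not part
of the original flashcards). Records are constructed; 'flags' holds TCP flag
letters as a packet tool would print them (e.g. 'S', 'PA', 'FPU')."""
import statistics
from collections import Counter


class AnomalyProfile:
    """Baseline of what 'normal' traffic looks like, learned from observations."""

    def __init__(self, length_sigmas: float = 3.0):
        self.dst_ips = Counter()
        self.dst_ports = Counter()
        self.flags = Counter()
        self.lengths = []
        self.length_sigmas = length_sigmas  # assumed threshold for 'unusually long'

    def learn(self, rec: dict) -> None:
        """Add one record to the profile; the longer it runs, the more it knows."""
        self.dst_ips[rec["dst_ip"]] += 1
        self.dst_ports[rec["dst_port"]] += 1
        self.flags[rec["flags"]] += 1
        self.lengths.append(rec["length"])

    def reasons(self, rec: dict) -> list:
        """Return the features of rec that do not fit the profile (empty = normal)."""
        out = []
        if rec["dst_ip"] not in self.dst_ips:
            out.append("unknown dst_ip")
        if rec["dst_port"] not in self.dst_ports:
            out.append("unknown dst_port")
        if rec["flags"] not in self.flags:
            out.append("unusual flags")
        if len(self.lengths) >= 2:
            mean = statistics.mean(self.lengths)
            sd = statistics.pstdev(self.lengths) or 1.0
            if (rec["length"] - mean) / sd > self.length_sigmas:
                out.append("unusually long packet")
        return out


# Constructed "normal" training traffic: browsing to one HTTPS server.
TRAINING = [
    {"dst_ip": "203.0.113.10", "dst_port": 443, "flags": "PA", "length": n}
    for n in (60, 64, 80, 120, 96, 72, 64, 88, 100, 76)
]

# Constructed test traffic.
TEST = {
    "normal":         {"dst_ip": "203.0.113.10", "dst_port": 443, "flags": "PA", "length": 90},
    # legitimate user visiting a server nobody visited before: a false positive
    "new_host":       {"dst_ip": "198.51.100.7", "dst_port": 443, "flags": "PA", "length": 90},
    # FIN+PSH+URG to port 22: unknown port and a flag combination never seen
    "xmas_scan":      {"dst_ip": "203.0.113.10", "dst_port": 22,  "flags": "FPU", "length": 40},
    "huge_payload":   {"dst_ip": "203.0.113.10", "dst_port": 443, "flags": "PA", "length": 1500},
    # malicious traffic that blends in: same host, port, flags and size as normal
    "blended_attack": {"dst_ip": "203.0.113.10", "dst_port": 443, "flags": "PA", "length": 84},
}


def build_profile(records=TRAINING) -> AnomalyProfile:
    p = AnomalyProfile()
    for r in records:
        p.learn(r)
    return p


def classify(profile: AnomalyProfile, tests=TEST) -> dict:
    """Name -> list of reasons the record is anomalous."""
    return {name: profile.reasons(rec) for name, rec in tests.items()}


if __name__ == "__main__":
    prof = build_profile()
    for name, why in classify(prof).items():
        print(f"{name:15s} {'ALERT ' + ', '.join(why) if why else 'normal'}")
```

"blended_attack" comes back as normal, which is the card's point that malicious activity resembling normal traffic is not detected, and "new_host" alerts even though a real user sent it. Feeding that record back through learn() makes the profile accept it from then on, which is how the system keeps learning while in use.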
Any action that is not classified as normal (by a set of rules describing legitimate behavior) is considered an attack in a:
a) Statistical approach
b) Knowledge based approach
b) Knowledge based approach
Which describes the Machine Learning approach for Intruder detection
a) Detects new and novel attacks
b) Detects attacks similar to past attacks
b) Detects attacks similar to past attacks
In the thriving zero-day attack marketplace, hackers sell information on software vulnerabilities. Who are some of the buyers?
a) Apple
b) Google
c) Microsoft
d) US Government
All of the above
An attacker sends various kinds of packets to probe a system or network for vulnerabilities that can be exploited. This is an example of
a) Scanning Attack
b) DOS
c) Penetration Attack
a) Scanning Attack
Attempts to slow down or completely shut down a target so as to disrupt the service for legitimate users. This is an example of
a) Scanning Attack
b) DOS
c) Penetration Attack
b) DOS
An attacker gains an unauthorized control of a system. This is an example of
a) Scanning Attack
b) DOS
c) Penetration Attack
c) Penetration Attack
Can you think of a way to reduce the impact of excessive reporting on a system administrator?
Prioritization.
Attach a severity level to each alert so the admin can focus on high-priority issues first.
Intrusion Detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified
a) True
b) False
a) True
The primary purpose of an IDS is to detect intrusions, log suspicious events and send alerts
a) True
b) False
a) True
Signature-based approaches attempt to define normal, or expected, behavior, whereas anomaly approaches attempt to define proper behavior
a) True
b) False
b) False
It is the other way round: anomaly approaches define normal, or expected, behavior, whereas signature-based approaches represent known intrusion patterns
A network IDS sensor monitors a copy of network traffic; the actual traffic does not pass through the device.
a) True
b) False
a) True
Network-based intrusion detection makes use of signature detection and anomaly detection
a) True
b) False
a) True
When using NIDS (Network Intrusion Detection System), it is good practice to set the IDS level to the highest sensitivity to detect every attack
a) True
b) False
b) False
Maximum sensitivity will lead to a lot of false alarms, which the administrator then has to sift through
When using NIDS (Network Intrusion Detection System), it is good practice to monitor both outbound and inbound traffic
a) True
b) False
a) True
When using NIDS (Network Intrusion Detection System), it is good practice to use a shared network resource to gather NIDS data
a) True
b) False
b) False
If sensor data and alerts travel over the shared production network, an attacker who has compromised that network can disable the IDS or modify alerts; use a separate management network instead
In a NIDS (Network Intrusion Detection System), NIDS sensors are not turnkey solutions, system administrators must interpret alerts
a) True
b) False
a) True
NIDS can produce many false positives
Who can write rules for SNORT?
a) Users of SNORT
b) The SNORT community
c) Talos Security Intelligence and Research Team
All of the above
SNORT is open source; its rules are plain text, so anyone can write them
A common location for a NIDS sensor is just inside the external firewall
a) True
b) False
a) True
A Honeypot can be a workstation that a user uses for work
a) True
b) False
b) False
A Honeypot is a decoy system that no legitimate user does real work on, so any activity on it is suspicious by definition
There is no benefit of deploying a NIDS or Honeypot outside of the external firewall
a) True
b) False
b) False
Setting up a Honeypot outside the external firewall will allow us to see what attacks are coming from the internet
To improve performance, an IDS should reduce false alarm rate while detecting as many intrusions as possible
a) True
b) False
a) True
To improve performance, an IDS should apply detection models to all unfiltered packet data directly
a) True
b) False
b) False
To improve performance, an IDS should apply detection models to processed event data that has a higher base rate
a) True
b) False
a) True
Intrusions are a tiny fraction of raw packets, so even a small false-alarm rate swamps the true alarms (the base-rate fallacy); filtering down to relevant events raises the base rate
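The two performance cards above are a statement of the base-rate fallacy: with intrusions rare among raw packets, the alarms an administrator sees are mostly false even for a good detector, and the same detector looks far better once it runs on a smaller set of processed events where intrusions are a larger share. The following is an added example (not from the original flashcards) that works that through with Bayes' rule; the detection rate, false-alarm rate, event volumes and base rates are constructed illustrative numbers, not measurements.

```python
"""Base-rate effect on IDS alert quality (added example, not from the original
flashcards). All rates and volumes below are constructed for illustration."""


def alert_precision(base_rate: float, detection_rate: float, false_alarm_rate: float) -> float:
    """P(intrusion | alarm) by Bayes' rule.

    base_rate        = P(intrusion) among the events the detector looks at
    detection_rate   = P(alarm | intrusion)
    false_alarm_rate = P(alarm | no intrusion)
    """
    p_alarm = base_rate * detection_rate + (1 - base_rate) * false_alarm_rate
    return base_rate * detection_rate / p_alarm


def daily_alerts(events_per_day: float, base_rate: float,
                 detection_rate: float, false_alarm_rate: float):
    """Expected (true alarms, false alarms) per day for a given event volume."""
    intrusions = events_per_day * base_rate
    true_alarms = intrusions * detection_rate
    false_alarms = (events_per_day - intrusions) * false_alarm_rate
    return true_alarms, false_alarms


def compare(detection_rate: float = 0.9, false_alarm_rate: float = 0.001) -> dict:
    """Same detector applied to raw packets versus processed events."""
    scenarios = {
        # raw packets: intrusions are a tiny fraction of a huge volume (assumed)
        "raw_packets": {"events": 10_000_000, "base_rate": 1e-6},
        # processed events (e.g. failed logins, new connections): far fewer
        # events, and a much larger share of them are malicious (assumed)
        "processed_events": {"events": 10_000, "base_rate": 1e-2},
    }
    out = {}
    for name, cfg in scenarios.items():
        t, f = daily_alerts(cfg["events"], cfg["base_rate"], detection_rate, false_alarm_rate)
        out[name] = {
            "precision": alert_precision(cfg["base_rate"], detection_rate, false_alarm_rate),
            "true_alarms_per_day": t,
            "false_alarms_per_day": f,
        }
    return out


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:17s} precision={r['precision']:.4f} "
              f"true/day={r['true_alarms_per_day']:.1f} false/day={r['false_alarms_per_day']:.1f}")
```

With these numbers the raw-packet deployment raises about ten thousand false alarms a day against nine real ones (under 0.1% of alarms are real), while the processed-event deployment raises about ten false alarms against ninety real ones; the detector has not changed, only the base rate of what it is fed.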
An attacker can defeat an IDS by sending a huge amount of traffic
a) True
b) False
a) True
An attacker can defeat an IDS by sending traffic that purposely matches detection rules
a) True
b) False
a) True
An attacker can defeat an IDS by sending packets that different operating systems process differently (bad checksum, overlapping fragments), so the IDS and the target end up seeing different data
a) True
b) False
a) True
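The overlapping-fragment evasion in the card above works because the NIDS and the target host may resolve an overlap differently: if the sensor keeps the bytes from the first fragment while the target lets a later fragment overwrite them, the sensor inspects an innocent request and the target receives the attack. The following is an added example (not code from the original flashcards or from any IDS) modelling that in Python; the two reassembly policies, the fragments and the signature string are constructed assumptions, and the "/cgi-bin/xx" path is a placeholder rather than any real exploit.

```python
"""Why overlapping fragments let an attacker evade a NIDS (added example, not
from the original flashcards). Fragments and policies below are constructed to
model two hosts that resolve an overlap differently."""


def reassemble(fragments, policy: str) -> bytes:
    """Reassemble (offset, payload) fragments into one buffer.

    policy 'first': bytes from the fragment that arrived first win (older data kept)
    policy 'last' : later fragments overwrite earlier ones (newer data wins)
    Real TCP/IP stacks differ in exactly this way; the attacker relies on the
    sensor and the target picking different policies.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    written = [False] * total
    for off, data in fragments:
        for i, b in enumerate(data):
            pos = off + i
            if policy == "last" or not written[pos]:
                buf[pos] = b
                written[pos] = True
    return bytes(buf)


def signature_hit(payload: bytes, signature: bytes = b"/cgi-bin/") -> bool:
    """Assumed NIDS signature: alert on any request path under /cgi-bin/."""
    return signature in payload


# Constructed attack: fragment 2 overlaps the 11-byte path in fragment 1.
# A host that favours the first fragment sees "/index.html"; one that favours
# the last fragment sees "/cgi-bin/xx", which is what the signature looks for.
FRAGMENTS = [
    (0, b"GET /index.html HTTP/1.0\r\n"),
    (4, b"/cgi-bin/xx"),
]


def evaluate(fragments=FRAGMENTS, ids_policy: str = "first", target_policy: str = "last") -> dict:
    """Compare what the sensor inspects with what the target actually receives."""
    ids_view = reassemble(fragments, ids_policy)
    target_view = reassemble(fragments, target_policy)
    return {
        "ids_sees": ids_view,
        "target_sees": target_view,
        "ids_alerts": signature_hit(ids_view),
        "target_attacked": signature_hit(target_view),
        # evasion: the attack reaches the target but the sensor never alerted
        "evaded": signature_hit(target_view) and not signature_hit(ids_view),
    }


if __name__ == "__main__":
    r = evaluate()
    print("IDS sees    :", r["ids_sees"])
    print("target sees :", r["target_sees"])
    print("alert:", r["ids_alerts"], " attacked:", r["target_attacked"], " evaded:", r["evaded"])
```

Bad checksums give the same mismatch from the other direction: a target silently drops a packet whose checksum fails while a sensor that does not verify checksums still feeds it to the matcher, so the sensor can be made to see data the target never accepts. The defence in both cases is for the sensor to reassemble and validate the way the protected hosts do (target-based reassembly), or to normalise traffic inline before it reaches them.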
An attacker can defeat an IDS by sending a packet that would trigger a buffer-overflow in the IDS code
a) True
b) False
a) True