L12 - Intrusion Detection

Question 1

A system that tries to stop intrusion from happening

a) Firewalls
b) Intrusion Detection System (IDS)

Answer 1

a) Firewalls

Question 2

A system that tries to evaluate an intrusion after it has happened

a) Firewalls
b) Intrusion Detection System (IDS)

Answer 2

b) Intrusion Detection System (IDS)

Question 3

A system that watches for intrusions that start within the system

a) Firewalls
b) Intrusion Detection System (IDS)

Answer 3

b) Intrusion Detection System (IDS)

Question 4

A system that limits access between networks to prevent intrusion

a) Firewalls
b) Intrusion Detection System (IDS)

Answer 4

a) Firewalls

Question 5

An intruder can also be referred to as a hacker or cracker

a) True
b) False

Answer 5

a) True

Question 6

Activists are either individuals or members of an organized crime group with a goal of financial reward

a) True
b) False

Answer 6

b) False

Question 7

Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion

a) True
b) False

Answer 7

a) True

Question 8

Those who hack into computers do so for the thrill of it or for status

a) True
b) False

Answer 8

b) False

Question 9

Intruders typically use steps from a common attack methodology

a) True
b) False

Answer 9

a) True

Question 10

Which describes the following backdoor: Compiler backdoors

a) This backdoor is hard to detect because it modifies machine code
b) This backdoor can only be used by the person who created it, even if it is discovered by others
c) This backdoor inserts backdoors into other programs during compilation

Answer 10

c) This backdoor inserts backdoors into other programs during compilation

Question 11

Which describes the following backdoor: Object Code backdoors

a) This backdoor is hard to detect because it modifies machine code
b) This backdoor can only be used by the person who created it, even if it is discovered by others
c) This backdoor inserts backdoors into other programs during compilation

Answer 11

a) This backdoor is hard to detect because it modifies machine code

Question 12

Which describes the following backdoor: Asymmetric backdoors

a) This backdoor is hard to detect because it modifies machine code
b) This backdoor can only be used by the person who created it, even if it is discovered by others
c) This backdoor inserts backdoors into other programs during compilation

Answer 12

b) This backdoor can only be used by the person who created it, even if it is discovered by others

Question 13

For Anomaly detection systems, the longer the system is in use, the more it learns about network activity

a) True
b) False

Answer 13

a) True

Question 14

For Anomaly detection systems, if malicious activity looks like normal traffic to the system, it will not detect an attack

a) True
b) False

Answer 14

a) True

Question 15

For Anomaly detection systems, false positives can become a problem, normal usage can be mistaken for an attack

a) True
b) False

Answer 15

a) True

Question 16

For Signature Based detection systems, new threats can be detected immediately

a) True
b) False

Answer 16

b) False

Question 17

For Signature Based detection systems, when a new virus is identified, it must be added to the signature databases

a) True
b) False

Answer 17

a) True

Question 18

For Signature Based detection systems, it can only detect an intrusion attempt if it matches a pattern that is in the database

a) True
b) False

Answer 18

a) True

Question 19

Could the following be considered an anomaly to typical network traffic: IP address

a) True
b) False

Answer 19

a) True

If an IP address is not normally accessed by users (or is unknown) then it can be considered an anomaly

Question 20

Could the following be considered an anomaly to typical network traffic: Port Address

a) True
b) False

Answer 20

a) True

If a port address is not normally accessed by users (or is unknown) then it can be considered an anomaly

Question 21

Could the following be considered an anomaly to typical network traffic: Packet Length

a) True
b) False

Answer 21

a) True

If the length is unusually long

Question 22

Could the following be considered an anomaly to typical network traffic: Flag setting

a) True
b) False

Answer 22

a) True

If a flag is not normally seen in normal traffic conditions, then it can be considered an anomaly

Question 23

Any action that does not fit the normal behavior profile is considered an attack in a:

a) Statistical approach
b) Knowledge based approach

Answer 23

a) Statistical approach

Question 24

Any action that does not classified as normal is considered an attack in a:

a) Statistical approach
b) Knowledge based approach

Answer 24

b) Knowledge based approach

Question 25

Which describes the Machine Learning approach for Intruder detection

a) Detects new and novel attacks
b) Detects attacks similar to past attacks

Answer 25

b) Detects attacks similar to past attacks

Question 26

In the thriving zero day attack marketplace hackers sell information on software vulnerabilities. Who are some of the buyers?

a) Apple
b) Google
c) Microsoft
d) US Government

Answer 26

All of the above

Question 27

An attacker sends various kinds of packets to probe a system or network for vulnerability that can be exploited. This is an example of

a) Scanning Attack
b) DOS
c) Penetration Attack

Answer 27

a) Scanning Attack

Question 28

Attempts to slow down or completely shut down a target so as to disrupt the service for legitimate users. This is an example of

a) Scanning Attack
b) DOS
c) Penetration Attack

Answer 28

b) DOS

Question 29

An attacker gains an unauthorized control of a system. This is an example of

a) Scanning Attack
b) DOS
c) Penetration Attack

Answer 29

c) Penetration Attack

Question 30

Can you think of a way to reduce the impact of excessive reporting on a system administrator?

Answer 30

Prioritization.

Add security levels associated with each alert. The admin can focus on high priority issues.

Question 31

Intrusion Detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified

a) True
b) False

Answer 31

a) True

Question 32

The primary purpose of an IDS is to detect intrusions, log suspicious events and send alerts

a) True
b) False

Answer 32

a) True

Question 33

Signature-based approaches attempt to define normal, or expected, behavior, whereas anomaly approaches attempt to define proper behavior

a) True
b) False

Answer 33

b) False

Signature-based approaches are typically used to represent known intrusion patterns

Question 34

A network IDS sensor monitors a copy of network traffic; the actual traffic does not pass through the device.

a) True
b) False

Answer 34

a) True

Question 35

Network-based intrusion detection makes use of signature detection and anomaly detection

a) True
b) False

Answer 35

a) True

Question 36

When using NIDS (Network Intrusion Detection System), it is good practice to set the IDS level to the highest sensitivity to detect every attack

a) True
b) False

Answer 36

b) False

Will lead to a lot of false alarms

Question 37

When using NIDS (Network Intrusion Detection System), it is good practice to monitor both outbound and inbound traffic

a) True
b) False

Answer 37

a) True

Question 38

When using NIDS (Network Intrusion Detection System), it is good practice to use a shared network resource to gather NIDS data

a) True
b) False

Answer 38

b) False

Attacker can disable IDS or modify alerts

Question 39

In a NIDS (Network Intrusion Detection System), NIDS sensors are not turnkey solutions, system administrators must interpret alerts

a) True
b) False

Answer 39

a) True

NIDS can produce many false positives

Question 40

Who can write rules for SNORT?

a) Users of SNORT
b) The SNORT community
c) Talos Security Intelligence and Research Team

Answer 40

All of the above

SNORT is open source

Question 41

A common location for a NIDS sensor is just inside the external firewall

a) True
b) False

Answer 41

a) True

Question 42

A Honeypot can be a workstation that a user uses for work

a) True
b) False

Answer 42

b) False

A Honeypot is not a real system, used by any user

Question 43

There is no benefit of deploying a NIDS or Honeypot outside of the external firewall

a) True
b) False

Answer 43

b) False

Setting up a Honeypot outside the external firewall will allow us to see what attacks are coming from the internet

Question 44

To improve performance, an IDS should reduce false alarm rate while detecting as many intrusions as possible

a) True
b) False

Answer 44

a) True

Question 45

To improve performance, an IDS should apply detection models at all unfiltered packet data directly

a) True
b) False

Answer 45

b) False

Question 46

To improve performance, an IDS should apply detection models at processed event data that has higher base rate

a) True
b) False

Answer 46

a) True

Question 47

An attacker can defeat an IDS by sending a huge amount of traffic

a) True
b) False

Answer 47

a) True

Question 48

An attacker can defeat an IDS by sending traffic that purposely matches detection rules

a) True
b) False

Answer 48

a) True

Question 49

An attacker can defeat an IDS by embedding attack packets that cause non-uniform processing by different OS (bad checksum, overlapping fragments)

a) True
b) False

Answer 49

a) True

Question 50

An attacker can defeat an IDS by sending a packet that would trigger a buffer-overflow in the IDS code

a) True
b) False

Answer 50

a) True