Module 2: Security Technology: Intrusion Detection and Prevention Systems

Question 1

These operate by monitoring network traffic, analyzing it and providing remediation tactics when malicious behavior is detected;

Answer 1

intrusion detection and prevention systems (IDPS)

Question 2

They look for matching behavior or characteristics that would indicate malicious traffic, send out alerts and block attacks.

Answer 2

intrusion detection and prevention systems (IDPS)

Question 3

These tools can detect malware, socially engineered attacks and other web-based threats, including DDoS attacks.

Answer 3

intrusion detection and prevention systems (IDPS) tools

Question 4

These can provide preemptive intrusion prevention capabilities for internal threats and potentially compromised systems.

Answer 4

intrusion detection and prevention systems (IDPS)

Question 5

The primary functions of IDPS solutions can be broken down into four main categories, what are these?

Answer 5

• monitoring
• alerts
• remediation
• maintenance

Question 6

Category of IDPS primary functions

IDPS ____ IT systems using either signature-based or anomaly-based intrusion detection to identify abnormal behavior and signature malicious activity.

Answer 6

monitoring

Question 7

Category of IDPS primary functions

After identifying potential threats, IDPS software will log and send out ____ to Inform administrators of abnormal activity.

Answer 7

alerts

Question 8

Category of IDPS primary functions

IDPS tools provide blocking mechanisms for malicious threats, giving administrators time to take action. In some cases, IT teams may not be required to take action at all after an attack is blocked.

Answer 8

remediation

Question 9

Category of IDPS primary functions

Besides monitoring for abnormal behavior, IDPS tools can also monitor the performance of IT hardware and security components with health checks. This ensures a security infrastructure is operating properly at all times.

Answer 9

maintenance

Question 10

These are detection and monitoring tools. They do not take action on their own. This requires a human or another system to look at the results.

Answer 10

intrusion detection systems (IDS)

Question 11

This is a controlled system. The control system accepts and rejects a packet based on the ruleset. This requires that the database gets regularly updated with new threat data.

Answer 11

intrusion prevention system (IPS)

Question 12

What is the similarity of IDS and IPS?

Answer 12

They both read network packets and compare the contents to a database of known threats.

Question 13

This sits between the firewall and switch.

Answer 13

intrusion prevention system (IPS)

Question 14

This interacts and plugged in directly with the switch.

Answer 14

intrusion detection system (IDS)

Question 15

The types of IDPS can be classified according to ____.

Answer 15

The types of IDPS can be classified according to what they are designed to protect.

Question 16

What are the types of IDPS?

Answer 16

network-based ID/PS and host-based ID/PS

Question 17

This monitors the inbound and outbound network traffic and the text and prevents intrusions by analyzing network protocol activities.

Answer 17

netword-based ID/PS

Question 18

This is a software package installed in a host. It monitors the activities of a single host and the text and prevents malicious activities.

Answer 18

host-based ID/PS

Question 19

These systems identify potential threats based on built-in rules and profiles.

Answer 19

intrusion detection systems (IDS) and intrusion prevention systems (IPS)

Question 20

Intrusion detection systems primarily use two key intrusion detection methods. What are these?

Answer 20

signature-based intrusion detection and anomaly-based intrusion detection

Question 21

This is used for threats we already know and have encountered in the past.

Answer 21

signature-based intrusion detection

Question 22

This is used to detect changes in behavior.

Answer 22

anomaly-based intrusion detection

Question 23

Designed to detect possible threats by comparing given network traffic and log data to existing attack patterns.

Answer 23

signature-based intrusion detection

Question 24

These patterns are called ____ (hence the name) and could include byte ____, known as ____.

Answer 24

These patterns are called sequences (hence the name) and could include byte sequences, known as malicious instruction sequences.

Question 25

This enables you to accurately detect and identify possible known attacks.

Answer 25

signature-based intrusion detection

Question 26

Designed to pinpoint unknown attacks, such as new malware, and adapt to them on the fly using machine learning.

Answer 26

anomaly-based intrusion detection

Question 27

Machine learning techniques enable an intrusion detection system (IDS) to create baselines of trustworthy activity—known as a ____—then compare new behavior to verified ____.

Answer 27

Machine learning techniques enable an intrusion detection system (IDS) to create baselines of trustworthy activity—known as a trust model—then compare new behavior to verified trust models.

Question 28

False alarms can occur when using this IDS, since previously unknown yet legitimate network traffic could be falsely identified as malicious activity.

Answer 28

False alarms can occur when using anomaly-based IDS, since previously unknown yet legitimate network traffic could be falsely identified as malicious activity.