Chapter 4

Question 1

Intrusion detection systems (IDSs) monitor:

Answer 1

a network and send alerts

when they detect suspicious events on a system or network.

Question 2

Intrusion
prevention systems (IPSs) react:

Answer 2

to attacks in progress and prevent them from

reaching systems and networks.

Question 3

A host-based intrusion detection system (HIDS) is:

Answer 3

additional software

installed on a system such as a workstation or server.

Question 4

A host-based intrusion detection system (HIDS) provides:

Answer 4

protection to
the individual host and can detect potential attacks and protect critical
operating system files.

Question 5

The primary goal of any IDS is to

Answer 5

monitor traffic.

Question 6

For a HIDS, traffic passes through:

Answer 6

the network interface card (NIC).

Question 7

Many host-based IDSs have expanded to:

Answer 7

monitor application activity on
the system.

monitor the server application

Question 8

You can install a HIDS on different:

Answer 8

Internet facing servers, such as web servers, mail servers, and database servers.

Question 9

A HIDS can help detect:

Answer 9

malicious software

(malware)that traditional antivirus software might miss.

Question 10

A network-based intrusion detection system (NIDS) monitors:

Answer 10

activity

on the network.

Question 11

An administrator installs NIDS sensors or collectors on:

Answer 11

network devices such as routers and firewalls.

Question 12

NIDS sensors or collectors gather:

Answer 12

information and report to a central monitoring server hosting a NIDS console.

Question 13

A NIDS is not able to:

Answer 13

detect anomalies on individual systems or
workstations unless the anomaly causes a significant difference in network traffic.

decrypt encrypted traffic.

Question 14

The NIDS provides overall:

Answer 14

monitoring and

analysis and can detect attacks on the network.

Question 15

Most

switches support:

Answer 15

port mirroring, allowing administrators to configure the switch to send all traffic received by the switch to a single port.

Question 16

After configuring a port mirror, you can use it as a:

Answer 16

tap to send all switch data to a sensor or collector, and forward this to a NIDS.

Question 17

it’s possible to

configure taps on routers to:

Answer 17

capture all traffic sent through the switch and

send it to the IDS.

Question 18

The decision on where you want to place the sensors depends on:

Answer 18

what you want to measure.

Question 19

If you want to see all attacks on your network, put a sensor on:

Answer 19

the Internet side

Question 20

If you only want to see what gets through your network, put sensors:

Answer 20

internally only.

Question 21

If you want to see both attacks on and through your network, put sensors in:

Answer 21

both places.

Question 22

An IDS can only:

Answer 22

detect an attack.

Question 23

An IPS prevents attacks by:

Answer 23

detecting them and stopping them before they

reach the target.

Question 24

An attack is:

Answer 24

any attempt to compromise confidentiality,

integrity, or availability.

Question 25

The two primary methods of detection are:

Answer 25

signature-based heuristic- or behavioral- based (also called anomaly-based).

Question 26

Any type of IDS can detect:

Answer 26

attacks based on signatures, anomalies, or both.

Question 27

The HIDS monitors:

Answer 27

the network traffic reaching its NIC and the NIDS monitors the traffic on the network.

Question 28

Signature-based IDSs (also called definition-based) use:

Answer 28

a database of known vulnerabilities or known attack patterns.

Question 29

Heuristic/behavioral-based detection (also called anomaly-based detection) starts by:

Answer 29

identifying normal operation or normal behavior of the | network

Question 30

Heuristic/behavioral-based detection (also called anomaly-based detection) identifies normal operation by:

Answer 30

creating a performance baseline under normal | operating conditions.

Question 31

The IDS provides continuous monitoring:

Answer 31

by constantly comparing | current network behavior against the baseline.

Question 32

``` When the IDS detects abnormal activity (outside normal boundaries as identified in the baseline), it: ```

Answer 32

gives an alert indicating a potential attack.

Question 33

Both heuristic-based antivirus software examine:

Answer 33

activity and detect abnormal activity that is beyond the capability of signature based detection.

Question 34

The SYN flood attack is a:

Answer 34

common denial-of-service | (DoS) attack

Question 35

in a SYN flood attack, the attacker:

Answer 35

sends multiple SYN packets but never completes the third part of the TCP handshake with the last ACK packet.

Question 36

Many firewalls include a | SYN flood guard that can:

Answer 36

detect SYN flood attacks and take steps to close the open sessions.

Question 37

In some usage, administrators define a zero-day exploit as:

Answer 37

one where the vendor has not released a patch.

Question 38

Any time administrators make any significant changes to a system or network that cause the normal behavior to change, they should:

Answer 38

re-create the baseline.

Question 39

Any type of IDS will use:

Answer 39

various raw data sources to collect information | on activity including a wide variety of logs, such as firewall logs, system logs, and application logs.

Question 40

Logs can be analyzed to provide:

Answer 40

insight on trends.

Question 41

Trends can detect:

Answer 41

a pattern of attacks and provide insight into how to better protect a network

Question 42

IDSs report on:

Answer 42

events of interest based on rules configured within the IDS. All events aren’t attacks or actual issues, but instead, they provide a report indicating an event might be an alert or an alarm.

Question 43

Systems use an alarm for:

Answer 43

a potentially serious issue

Question 44

Systems use an alert as:

Answer 44

a relatively minor issue.

Question 45

Administrators configure the rules within the IDS based on:

Answer 45

the needs of the organization.

Question 46

While IDSs use advanced analytics to examine traffic, they are susceptible to:

Answer 46

both false positives and false negatives.

Question 47

A false positive is:

Answer 47

an alert or alarm on an event that is nonthreatening, benign, or harmless.

Question 48

A false negative is:

Answer 48

when an attacker is actively attacking the network, but the system does not detect it.