Question 1

What must you do in order to sniff the traffic on all ports on a switch?&#10;A)Nothing;you can see all the traffic on a switch by default.&#10;B)Nothing;a switch does not allow you do see all traffic.&#10;C)Enable port mirroring.&#10;D)Run a cable to each port.

Accepted Answer

To sniff the traffic on all ports on a switch, you need to enable port mirroring. This feature allows you to copy or mirror the traffic that is going through one or more ports to another port where you can capture or analyze it. Without port mirroring, you would only be able to see the traffic that is addressed to or originates from your own device or broadcast traffic. Options A and B are incorrect because they are contradictory and do not reflect the actual behavior of a switch. Option D is impractical and unlikely to work in most scenarios.

Question 2

The difference between misuse and anomaly IDS models is&#10;A)Misuse models require knowledge of normal activity,whereas anomaly models don't.&#10;B)Anomaly models require knowledge of normal activity,whereas misuse models don't.&#10;C)Anomaly models are based on patterns of suspicious activity.&#10;D)Anomaly model-based systems suffer from many false negatives.

Accepted Answer

Anomaly models require knowledge of normal activity to identify deviations that may indicate a security incident, whereas misuse models (also known as signature-based models) detect attacks based on patterns or signatures of known threats, without the need to understand what constitutes normal activity.

Question 3

Your boss is concerned about employees viewing in appropriate or illegal web sites in the workplace.Which device would be the best at addressing this concern?&#10;A)Antivirus&#10;B)Firewall&#10;C)Protocol analyzer&#10;D)Internet content filter

Accepted Answer

An Internet content filter can block access to inappropriate or illegal websites, thereby addressing the concern of employees accessing such sites in the workplace. Antivirus and firewall are important for network and device security, but may not directly address this particular concern. A protocol analyzer is used for network troubleshooting and analysis, and would not necessarily prevent access to inappropriate or illegal websites.

Question 4

Which of the following is NOT an advantage of network-based IDS?&#10;A)It takes fewer systems to provide IDS coverage.&#10;B)They can reduce false positive rates.&#10;C)Development,maintenance,and upgrade costs are usually lower.&#10;D)Visibility into all network traffic and can correlate attacks among multiple systems.

Accepted Answer

All of the other choices are advantages of network-based IDS. However, network-based IDS can sometimes generate more false positives than host-based IDS, as it may not have access to all of the underlying system information.

Question 5

Which of the following is NOT a component of an IDS?&#10;A)Traffic collector&#10;B)Signature database&#10;C)Expert knowledge database&#10;D)User interface and reporting

Accepted Answer

Expert knowledge database is not typically considered a standard component of an Intrusion Detection System (IDS). IDS components usually include traffic collectors to monitor data, a signature database to identify known threats, and a user interface for reporting and management, but not an expert knowledge database, which is more associated with expert systems or artificial intelligence applications.

Question 6

Which of the following is NOT a disadvantage of host-based IDS?&#10;A)The IDS uses local system resources.&#10;B)The IDS can have a high cost of ownership and maintenance.&#10;C)The IDS must have a process on every system you want to watch.&#10;D)The IDS is ineffective when traffic is encrypted.

Accepted Answer

This statement is not a disadvantage of host-based IDS since it is a limitation that applies to all IDS, both host-based and network-based.

Question 7

The nuisance of web pages that automatically appear on top of your current web page can be remedied with&#10;A)Antivirus&#10;B)Antispam&#10;C)Pop-up blockers&#10;D)Firewalls

Accepted Answer

Pop-up blockers are designed to prevent web pages or windows from automatically appearing on top of your current web page. Antivirus, antispam, and firewalls are not effective solutions for this particular nuisance.

Question 8

Your boss would like you to implement a network device that will monitor traffic and turn off processes and reconfigure permissions as necessary.To do this you would use&#10;A)A firewall&#10;B)A sniffer&#10;C)A passive HIDS&#10;D)An active HIDS

Accepted Answer

An active HIDS (Host-based Intrusion Detection System) would be the best choice as it not only monitors network traffic but can also take actions such as turning off processes and reconfiguring permissions as necessary. A firewall only controls access to a network or certain applications, a sniffer captures network traffic but does not take action based on the data, and a passive HIDS only monitors and alerts on suspicious activities but does not actively prevent them.

Question 9

What does a host-based IDS monitor?&#10;A)A single system&#10;B)Networks&#10;C)Physical intrusions into facilities&#10;D)A system and all its surrounding systems

Accepted Answer

A host-based IDS monitors a single system, not networks or physical intrusions into facilities. It may also monitor some surrounding systems, but the main focus is on the system it is installed on.

Question 10

One of the advantages of HIDS is that&#10;A)They can reduce false-positive rates&#10;B)Their signatures are broader&#10;C)They can examine data before it has been decrypted&#10;D)They are inexpensive to maintain in the enterprise

Accepted Answer

HIDS can reduce false-positive rates as they only detect activity on the host they are installed on, reducing the chance of detecting harmless network traffic.

Question 11

What device would you use to attract potential attacks,so that you could safely monitor the activity and discover the intentions of the attacker?&#10;A)Firewall&#10;B)Antivirus&#10;C)IDS&#10;D)Honeypot

Accepted Answer

The answer of What device would you use to attract...

Question 12

According to SANS Internet Storm Center,the average survival time of an unpatched Windows PC on the Internet is&#10;A)Less than two minutes&#10;B)Less than two hours&#10;C)Less than two days&#10;D)Less than two weeks

Accepted Answer

The answer of According to SANS Internet Storm Center,the average...

Question 13

The main purpose of a honeypot is&#10;A)To identify hackers so they can be tracked down by the FBI&#10;B)To slow hackers down by providing an additional layer of security that they must pass before accessing the actual network&#10;C)To distract hackers away from attacking an organization's live network&#10;D)To help security professionals better understand and protect against threats to the system

Accepted Answer

The answer of The main purpose of a honeypot is&#10;A)To...

Question 14

Antispam does all of the following EXCEPT:&#10;A)Blacklisting&#10;B)Malicious code detection&#10;C)Language filtering&#10;D)Trapping

Accepted Answer

The answer of Antispam does all of the following EXCEPT:&#10;A)Blacklisting&#10;B)Malicious...

Question 15

Windows Defender does all of the following EXCEPT:&#10;A)Spyware detection and removal&#10;B)Real-time malware protection&#10;C)Spam filtering&#10;D)Examine programs running on your computer

Accepted Answer

The answer of Windows Defender does all of the following...

Question 16

Zone Alarm,Windows ICF,and iptables are all examples of&#10;A)Antivirus&#10;B)Antispyware&#10;C)Antispam&#10;D)Personal firewalls

Accepted Answer

The answer of Zone Alarm,Windows ICF,and iptables are all examples...

Question 17

The model that most modern intrusion detection systems use is largely based upon a model created by Dorothy Denning and Peter Neumann called:&#10;A)Intrusion Detection Interface System (IDIS)&#10;B)Intrusion Response Interdiction system (IRIS)&#10;C)Intrusion Detection Expert System (IDES)&#10;D)Discovery,Haystack,Multics Intrusion Detection and Alerting System (MIDAS)

Accepted Answer

The answer of The model that most modern intrusion detection...

Question 18

Antivirus products do all of the following EXCEPT:&#10;A)Automated updates&#10;B)Media scanning&#10;C)Block network traffic based on policies&#10;D)Scan e-mail for malicious code and attachments

Accepted Answer

The answer of Antivirus products do all of the following...

Question 19

A new breed of IDS that is designed to identify and prevent malicious activity from harming a system.&#10;A)Dynamic IDS&#10;B)Preventive IDS&#10;C)Active IDS&#10;D)HIPS

Accepted Answer

The answer of A new breed of IDS that is...

Question 20

Egress filtering&#10;A)Scans incoming mail to catch spam&#10;B)Scans outgoing mail to catch spam&#10;C)Messages are scan for specific words or phrases&#10;D)Filters out POP traffic

Accepted Answer

The answer of Egress filtering&#10;A)Scans incoming mail to catch spam&#10;B)Scans...

Question 21

Hostile activity that does not match an IDS signature and goes undetected is called a false positive.

Accepted Answer

The answer of Hostile activity that does not match an...

Question 22

Simple rule sets that are applied to port number and IP addresses are called&#10;A)Network address translation&#10;B)Stateful packet filtering&#10;C)Access control lists&#10;D)Basic packet filtering

Accepted Answer

The answer of Simple rule sets that are applied to...

Question 23

A(n)_______________ is a network device with the purpose of enforcing a security policy across its connection,by allowing or denying traffic to pass into or out of the network.

Accepted Answer

The answer of A(n)_______________ is a network device with the...

Question 24

How does stateful packet filtering differ from basic packet filtering?&#10;A)Stateful packet filtering looks only at each packet individually.&#10;B)Stateful packet filtering looks at the packets in relation to other packets.&#10;C)Stateful packet filtering looks at the destination address.&#10;D)Stateful packet filtering looks at the source address.

Accepted Answer

The answer of How does stateful packet filtering differ from...

Question 25

The security tool that will hide information about the requesting system and make the browsing experience secret is a&#10;A)Web proxy&#10;B)Reverse proxy&#10;C)Anonymizing proxy&#10;D)Open proxy

Accepted Answer

The answer of The security tool that will hide information...

Question 26

Only active intrusion detection systems (IDS)can aggressively respond to suspicious activity,whereas passive IDS cannot.

Accepted Answer

The answer of Only active intrusion detection systems (IDS)can aggressively...

Question 27

Network-based IDS examines activity on a system such,as a mail server or web server.

Accepted Answer

The answer of Network-based IDS examines activity on a system...

Question 28

A(n)_______________ monitors network traffic for malicious or unwanted behavior and can block,reject,or redirect traffic in real time.

Accepted Answer

The answer of A(n)_______________ monitors network traffic for malicious or...

Question 29

Deploying,maintaining,and upgrading host-based IDSs in a large network is cheaper than NIDSs.

Accepted Answer

The answer of Deploying,maintaining,and upgrading host-based IDSs in a large...

Question 30

Content-based signatures detect character patterns and TCP flag settings.

Accepted Answer

The answer of Content-based signatures detect character patterns and TCP...

Question 31

How does IPS differ from an IDS?&#10;A)IPS is passive and IDS is active.&#10;B)IPS uses heuristics and IDS is signature based.&#10;C)IPS will block,reject,or redirect unwanted traffic;an IDS will only alert.&#10;D)IDS will block,reject,or redirect unwanted traffic;an IPS will only alert.

Accepted Answer

The answer of How does IPS differ from an IDS?&#10;A)IPS...

Question 32

Which component of an IDS examines the collected network traffic and compares it to known patterns of suspicious or malicious activity?&#10;A)Traffic collector&#10;B)Analysis engine&#10;C)Signature database&#10;D)Examination collector

Accepted Answer

The answer of Which component of an IDS examines the...

Question 33

_______________ detection looks for things that are out of the ordinary,such as a user logging in when he's not supposed to,or unusually high network traffic into and out of a workstation.

Accepted Answer

The answer of _______________ detection looks for things that are...

Question 34

A(n)_______________ server can be used to filter out undesirable traffic and prevent employees from accessing potentially hostile web sites.

Accepted Answer

The answer of A(n)_______________ server can be used to filter...

Question 35

The misuse detection IDS model is more difficult to implement than the anomaly detection model,and is not as popular as a result.

Accepted Answer

The answer of The misuse detection IDS model is more...

Question 36

A sniffer must use a NIC in promiscuous mode;otherwise it will not see all the network traffic coming into the NIC.

Accepted Answer

The answer of A sniffer must use a NIC in...

Question 37

While NIDS are able to detect activities such as port scans and brute force attacks,it is unable to detect tunneling.

Accepted Answer

The answer of While NIDS are able to detect activities...

Question 38

The NIDS signature database is usually much larger than that of a host-based system.

Accepted Answer

The answer of The NIDS signature database is usually much...

Question 39

A signature database contains a list of the contents of the IP packet header's signature block,for every type of packet the IDS monitors.

Accepted Answer

The answer of A signature database contains a list of...

Question 40

_______________ signatures are designed to match large patterns of activity,and examine how certain types of activity fit into the other activities going on around them.

Accepted Answer

The answer of _______________ signatures are designed to match large...

Question 41

_______________ are host-based protective mechanisms that monitor and control traffic passing into and out of a single system.

Accepted Answer

The answer of _______________ are host-based protective mechanisms that monitor...

Question 42

What are content- and context-based signatures?

Accepted Answer

The answer of What are content- and context-based signatures?...

Question 43

A(n)_______________ is an artificial environment where attackers can be contained and observed,without putting real systems at risk.

Accepted Answer

The answer of A(n)_______________ is an artificial environment where attackers...

Question 44

What was wrong with the first host-based IDSs?

Accepted Answer

The answer of What was wrong with the first host-based...

Question 45

_______________ scanning typically looks for commands or instructions that are not normally found in application programs,such as attempts to access a reserved memory register.

Accepted Answer

The answer of _______________ scanning typically looks for commands or...

Question 46

List three approaches that antispam software uses to filter out junk e-mail.

Accepted Answer

The answer of List three approaches that antispam software uses...

Question 47

What are the advantages and disadvantages of HIDSs?

Accepted Answer

The answer of What are the advantages and disadvantages of...

Question 48

A(n)_______________ is also known as a packet sniffer and network sniffer.

Accepted Answer

The answer of A(n)_______________ is also known as a packet...

Question 49

_______________ products filter out the junk e-mail.

Accepted Answer

The answer of _______________ products filter out the junk e-mail....

Deck 13: Intrusion Detection Systems and Network Security