Question 1

The term ____ refers to an event that triggers alarms and causes an IDS to react as if a real attack is in progress.&#10;A)True Attack Stimulus&#10;B)false positive&#10;C)Confidence Value&#10;D)Alarm Compaction

Accepted Answer

True Attack Stimulus refers to an event that triggers alarms in an Intrusion Detection System (IDS), making it react as if a real attack is happening.

Question 2

A(n)____ is designed to be placed in a network to determine whether or not the network is being used in ways that are out of compliance with the policy of the organization.&#10;A)alert&#10;B)security policy&#10;C)intrusion detection system&#10;D)DNS cache

Accepted Answer

An intrusion detection system (IDS) is designed to monitor network traffic and identify any suspicious activity or behavior that might indicate a security threat. It can detect a variety of attacks, including attempts to exploit vulnerabilities, unauthorized access attempts, and denial of service (DoS) attacks. IDS may be placed in different parts of the network, from the network perimeter to the endpoints, and can operate in a variety of modes, including signature-based, anomaly-based, and hybrid detection. IDS is an important tool for ensuring network security and compliance.

Question 3

A(n)____ is a type of attack on information assets in which the instigator attempts to gain unauthorized entry into a system or network or disrupt the normal operations of a system or network.&#10;A)intrusion&#10;B)alert&#10;C)event&#10;D)honeypot

Accepted Answer

An intrusion is a deliberate attack by an individual or group to gain unauthorized access to information systems, networks or databases or to disrupt the normal functioning of a network or system. Intrusion attempts can be passive (e.g. gathering information through eavesdropping) or active (e.g. transmitting malicious code or disrupting network connectivity).

Question 4

A(n)____ is an indication that a system has just been attacked or continues to be under attack.&#10;A)event&#10;B)alert&#10;C)stimulus&#10;D)honeypot

Accepted Answer

An alert is a warning or notification that a system has been or is currently under attack. It signifies that some security event or breach has occurred, and that remedial action may be necessary to address the issue.

Question 5

A data packet is defined as invalid when its configuration matches what is defined as valid by the various Internet protocols (TCP,UDP,IP).

Accepted Answer

This statement is incorrect. A data packet is defined as invalid when it does not conform to the various Internet protocols (TCP, UDP, IP), which define what constitutes a valid packet.

Question 6

Many types of intrusions,especially DoS and DDoS attacks,rely on the creation of improperly formed packets to take advantage of weaknesses in the protocol stack in certain operating systems or applications.

Accepted Answer

DoS and DDoS attacks are often executed by exploiting vulnerabilities in the protocol stack of certain operating systems or applications, which can be achieved through the creation of improperly formed packets.

Question 7

The failure of an IDS system to react to an actual attack event is known as a ____.&#10;A)false positive&#10;B)false negative&#10;C)Confidence Value&#10;D)site policy

Accepted Answer

A false negative is the failure of an IDS system to detect and respond to an actual attack event, indicating that the system failed to identify a real threat. False positives, on the other hand, refer to situations where the system triggers an alarm even though no actual attack is taking place. Confidence value is a measure of the reliability of the IDS system's decision-making process. Site policy refers to the organization's security policies and guidelines that govern the use of IDS and other security measures.

Question 8

A(n)____ is an event that triggers alarms and causes a false positive when no actual attacks are in progress.&#10;A)alert&#10;B)false negative&#10;C)false attack stimulus&#10;D)True Attack Stimulus

Accepted Answer

A false attack stimulus is an event that triggers alarms and causes a false positive. A false negative refers to a failure to detect an actual attack. An alert can be a legitimate warning of an attack, or it could be a false positive triggered by a false attack stimulus. "True Attack Stimulus" is not a commonly used term in cybersecurity.

Question 9

The purpose of a NIDS is to look for patterns within network traffic that indicate an intrusion event is underway or about to begin.

Accepted Answer

A NIDS (Network Intrusion Detection System) is designed to detect potential security threats by examining network traffic and looking for suspicious patterns or behaviors that may indicate a threat is present or an attack is underway. It works by analyzing data packets as they move across the network, and comparing them to a set of known threat signatures or behavioral patterns to identify potential threats in real-time. Once a threat is detected, the NIDS can alert security teams, log the event, or even take automated actions to stop the attack and minimize its impact.

Question 10

Using a process known as ____,Network IDSs must look for attack patterns by comparing measured activity to known signatures in their knowledge base to determine whether or not an attack has occurred or may be underway.

A)clipping
B)cache poisoning
C)scanning
D)signature matching

Accepted Answer

The process described in the question, where Network IDSs compare measured activity to known signatures in their knowledge base to determine whether or not an attack has occurred or may be underway, is called signature matching. Option A, clipping, is not a term commonly associated with IDS. Option B, cache poisoning, refers to a specific type of attack and is not the name of a process for detecting attacks. Option C, scanning, refers to the process of systematically examining a network or system for vulnerabilities or weaknesses and is not specific to the identification of attacks.

Question 11

The only time a HIDS produces a false positive alert is when an authorized change occurs for a monitored file.

Accepted Answer

The answer of The only time a HIDS produces a...

Question 12

The ____ contains the rules and configuration guidelines governing the implementation and operation of IDSs within the organization.&#10;A)security policy&#10;B)honeypot&#10;C)log file&#10;D)site policy

Accepted Answer

The answer of The ____ contains the rules and configuration...

Question 13

The term ____ refers to a value associated with an IDS' ability to detect and identify an attack correctly.&#10;A)True Attack Stimulus&#10;B)false positive&#10;C)Confidence Value&#10;D)Alarm Compaction

Accepted Answer

The answer of The term ____ refers to a value...

Question 14

A ____ is an alarm or alert that indicates that an attack is in progress or that an attack has successfully occurred when in fact there was no such attack.&#10;A)false positive&#10;B)false negative&#10;C)Confidence Value&#10;D)site policy

Accepted Answer

The answer of A ____ is an alarm or alert...

Question 15

When placed next to a hub,switch,or other key networking device,the NIDS may use that device's monitoring port,also known as a(n)____ port or mirror port.&#10;A)SWAN&#10;B)HID&#10;C)SPAN&#10;D)IDS

Accepted Answer

The answer of When placed next to a hub,switch,or other...

Question 16

____ occurs when valid packets exploit poorly configured DNS servers to inject false information to corrupt the servers' answers to routine DNS queries from other systems on that network.&#10;A)Signature matching&#10;B)DNS cache poisoning&#10;C)Clipping&#10;D)Clustering

Accepted Answer

The answer of ____ occurs when valid packets exploit poorly...

Question 17

____ are also known as system integrity verifiers.&#10;A)Alarm filters&#10;B)Honeypot Farms&#10;C)HIDSs&#10;D)Scanning utilities

Accepted Answer

The answer of ____ are also known as system integrity...

Question 18

____ is an IDS's ability to dynamically modify its site policies in reaction or response to environmental activity.&#10;A)Alarm Compaction&#10;B)Site policy awareness&#10;C)True Attack Stimulus&#10;D)Confidence Value

Accepted Answer

The answer of ____ is an IDS's ability to dynamically...

Question 19

____ is an ongoing activity from alarm events that are accurate and noteworthy but not necessarily significant as potentially successful attacks.&#10;A)Alarm compaction&#10;B)Cache poisoning&#10;C)Noise&#10;D)Alarm Clustering

Accepted Answer

The answer of ____ is an ongoing activity from alarm...

Question 20

The smart systems administrator backs up system logs but not system data.

Accepted Answer

The answer of The smart systems administrator backs up system...

Question 21

Match each statement with an item below.

-Triggers an alert or alarm when one of the following changes occurs: file attributes change,new files are created,or existing files are deleted.

A)Intrusion detection system
B)HIDS
C)Signature-based IDS
D)Enticement
E)Entrapment
F)Alarm clustering
G)NIDS
H)Nmap
I)Scanning utility

Accepted Answer

The answer of Match each statement with an item below. -Triggers...

Question 22

A(n)____________________ can adapt its reaction activities based on both guidance learned over time from the administrator as well as circumstances present in the local environment.

Accepted Answer

The answer of A(n)____________________ can adapt its reaction activities based...

Question 23

Match each statement with an item below.

-A widely used port scanner.

A)Intrusion detection system
B)HIDS
C)Signature-based IDS
D)Enticement
E)Entrapment
F)Alarm clustering
G)NIDS
H)Nmap
I)Scanning utility

Accepted Answer

The answer of Match each statement with an item below. -A...

Question 24

_________________________ is the process of evaluating circumstances around organizational events,determining which events are possible incidents,or incident candidates,and then determining whether or not the event constitutes an actual incident.

Accepted Answer

The answer of _________________________ is the process of evaluating circumstances...

Question 25

The task of monitoring file systems for unauthorized change is best performed by using a(n)____.&#10;A)cache&#10;B)honeypot&#10;C)SPAN&#10;D)HIDS

Accepted Answer

The answer of The task of monitoring file systems for...

Question 26

The term ____________________ refers to a consolidation of almost identical alarms into a single higher-level alarm.

Accepted Answer

The answer of The term ____________________ refers to a consolidation...

Question 27

Match each statement with an item below.

-Looks for indications of ongoing or successful attacks and resides on a computer or appliance connected to that network segment.

A)Intrusion detection system
B)HIDS
C)Signature-based IDS
D)Enticement
E)Entrapment
F)Alarm clustering
G)NIDS
H)Nmap
I)Scanning utility

Accepted Answer

The answer of Match each statement with an item below. -Looks...

Question 28

Match each statement with an item below.

-Network burglar alarm.

A)Intrusion detection system
B)HIDS
C)Signature-based IDS
D)Enticement
E)Entrapment
F)Alarm clustering
G)NIDS
H)Nmap
I)Scanning utility

Accepted Answer

The answer of Match each statement with an item below. -Network...

Question 29

Match each statement with an item below.

-Tool used to identify which computers are active on a network,as well as which ports and services are active on the computers,what function or role the machines may be fulfilling,and so on.

A)Intrusion detection system
B)HIDS
C)Signature-based IDS
D)Enticement
E)Entrapment
F)Alarm clustering
G)NIDS
H)Nmap
I)Scanning utility

Accepted Answer

The answer of Match each statement with an item below. -Tool...

Question 30

Match each statement with an item below.

-The action of luring an individual into committing a crime to get a conviction.

A)Intrusion detection system
B)HIDS
C)Signature-based IDS
D)Enticement
E)Entrapment
F)Alarm clustering
G)NIDS
H)Nmap
I)Scanning utility

Accepted Answer

The answer of Match each statement with an item below. -The...

Question 31

A ____ is a computer server configured to resemble a production system,containing rich information just begging to be hacked.&#10;A)smart IDS&#10;B)DNS cache&#10;C)network cluster&#10;D)honeypot

Accepted Answer

The answer of A ____ is a computer server configured...

Question 32

A ____ is a high-interaction honeypot designed to capture extensive information on threats.&#10;A)DNS cache&#10;B)honeypot Farm&#10;C)DNS farm&#10;D)network-based IDS

Accepted Answer

The answer of A ____ is a high-interaction honeypot designed...

Question 33

Match each statement with an item below.

-Examines data traffic in search of patterns that match known signatures - that is,preconfigured,predetermined attack patterns.

A)Intrusion detection system
B)HIDS
C)Signature-based IDS
D)Enticement
E)Entrapment
F)Alarm clustering
G)NIDS
H)Nmap
I)Scanning utility

Accepted Answer

The answer of Match each statement with an item below. -Examines...

Question 34

Match each statement with an item below.

-The process of attracting attention to a system by placing tantalizing bits of information in key locations.

A)Intrusion detection system
B)HIDS
C)Signature-based IDS
D)Enticement
E)Entrapment
F)Alarm clustering
G)NIDS
H)Nmap
I)Scanning utility

Accepted Answer

The answer of Match each statement with an item below. -The...

Question 35

A ____ is a type of IDS that is similar to the NIDS,reviews the log files generated by servers,network devices,and even other IDSs.&#10;A)honeypot&#10;B)alarm cluster&#10;C)log file monitor&#10;D)DNS cache

Accepted Answer

The answer of A ____ is a type of IDS...

Question 36

____ are tools used to identify which computers are active on a network,as well as which ports and services are active on the computers,what function or role the machines may be fulfilling,and so on.&#10;A)Triggers&#10;B)Clusters&#10;C)Scanning utilities&#10;D)Filters

Accepted Answer

The answer of ____ are tools used to identify which...

Question 37

Match each statement with an item below.

-Can indicate if a relationship exists between the individual alarm elements when they have specific similar attributes.

A)Intrusion detection system
B)HIDS
C)Signature-based IDS
D)Enticement
E)Entrapment
F)Alarm clustering
G)NIDS
H)Nmap
I)Scanning utility

Accepted Answer

The answer of Match each statement with an item below. -Can...

Question 38

A(n)____________________ monitors traffic on a segment of an organization's network.

Accepted Answer

The answer of A(n)____________________ monitors traffic on a segment of...

Question 39

The term ____ refers to the level at which the IDS triggers an alert to notify the administrator.&#10;A)clipping level&#10;B)cache level&#10;C)signature matching&#10;D)Alarm Filtering

Accepted Answer

The answer of The term ____ refers to the level...

Question 40

____________________ is the process of classifying the attack alerts that an IDS detects in order to distinguish or sort false positives from actual attacks more efficiently.

Accepted Answer

The answer of ____________________ is the process of classifying the...

Question 41

What are the steps involved in monitoring networks for signs of intrusion?

Accepted Answer

The answer of What are the steps involved in monitoring...

Question 42

What are the advantages and disadvantages of HIDS?

Accepted Answer

The answer of What are the advantages and disadvantages of...

Question 43

What are honeypots? Briefly describe each of the two general types.

Accepted Answer

The answer of What are honeypots? Briefly describe each of...

Question 44

List five reasons why you would acquire and use an IDS.

Accepted Answer

The answer of List five reasons why you would acquire...

Question 45

What are the advantages and disadvantages of NIDS?

Accepted Answer

The answer of What are the advantages and disadvantages of...

Question 46

The Electronic Communications Protection Act prohibits the recording of wire- or cable-based communications unless an exception applies.Briefly discuss four of these exceptions.

Accepted Answer

The answer of The Electronic Communications Protection Act prohibits the...

Question 47

According to Pipkin,what are the four types of incident candidates that are probable indicators of actual incidents? Provide a brief description of each incident candidate.

Accepted Answer

The answer of According to Pipkin,what are the four types...

Question 48

Briefly describe the tasks involved in managing logs.

Accepted Answer

The answer of Briefly describe the tasks involved in managing...

Question 49

Discuss two weaknesses of the signature-based IDS technology.

Accepted Answer

The answer of Discuss two weaknesses of the signature-based IDS...

Deck 4: Incident Response: Detection and Decision Making