Deck 7: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools

The Simple Network Management Protocol contains trap functions, which allow a device to send a message to the SNMP management console indicating that a certain threshold has been crossed, either positively or negatively.

Your organization's operational goals, constraints, and culture should not affect the selection of the IDPS and other security tools and technologies to protect your systems.

The process by which attackers change the format and/or timing of their activities to avoid being detected by the IDPS is known as a false attack stimulus.

All IDPS vendors target users with the same levels of technical and security expertise.

HIDPSs are also known as system integrity verifiers.

An HIDPS can monitor system logs for predefined events.

A false positive is the failure of an IDPS system to react to an actual attack event.

IDPS responses can be classified as active or passive.

A passive IDPS response is a definitive action automatically initiated when certain types of alerts are triggered.

NIDPSs can reliably ascertain whether an attack was successful.

The anomaly-based IDPS collects statistical summaries by observing traffic that is known to be normal.

An HIDPS is optimized to detect multihost scanning, and it is able to detect the scanning of non-host network devices, such as routers or switches.

An IDPS can be configured to dial a phone number and produce an alphanumeric page or other type of signal or message.

In order to determine which IDPS best meets an organization's needs, first consider the organizational environment in technical, physical, and political terms.

An HIDPS can detect local events on host systems and detect attacks that may elude a network-based IDPS.

In DNS cache poisoning, valid packets exploit poorly configured DNS servers to inject false information and corrupt the servers' answers to routine DNS queries from other systems on the network.

Intrusion detection consists of procedures and systems that identify system intrusions and take action when an intrusion is detected.

Intrusion detection and prevention systems perform monitoring and analysis of system events and user behaviors.

A fully distributed IDPS control strategy is an IDPS implementation approach in which all control
functions are applied at the physical location of each IDPS component.

Alarm events that are accurate and noteworthy but do not pose significant threats to information security are called noise. _________________________

A(n) NIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for processing. _________________________

In the process of protocol application verification, the NIDPSs look for invalid data packets. _________________________

To use a packet sniffer legally, an administrator only needs permission of the organization's top computing executive.

The Metasploit Framework is a collection of exploits coupled with an interface that allows the penetration tester to automate the custom exploitation of vulnerable systems.

Once the OS is known, all of the vulnerabilities to which a system is susceptible can easily be determined.

The integrity value, which is based upon fuzzy logic, helps an administrator determine how likely it is that an IDPS alert or alarm indicates an actual attack in progress. _________________________

A(n) event is an indication that a system has just been attacked or is under attack. _________________________

Administrators who are wary of using the same tools that attackers use should remember that a tool that can help close an open or poorly configured firewall will not help the network defender minimize the risk from attack.

Alarm filtering may be based on combinations of frequency, similarity in attack signature, similarity in attack target, or other criteria that are defined by the system administrators. _________________________

A(n) known vulnerability is a published weakness or fault in an information asset or its protective systems that may be exploited and result in loss. _________________________

A(n) server-based IDPS protects the server or host's information assets. _________________________

To assist in footprint intelligence collection, attackers may use an enhanced Web scanner that, among other things, can scan entire Web sites for valuable pieces of information, such as server names and e-mail addresses.

The process of entrapment occurs when an attacker changes the format and/or timing of activities to avoid being detected by an IDPS. _________________________

Services using the TCP/IP protocol can run only on their commonly used port number as specified in their original Internet standard.

The activities that gather public information about the organization and its network activities and assets is called fingerprinting. _________________________

A passive vulnerability scanner is one that initiates traffic on the network in order to determine security holes.

Security tools that go beyond routine intrusion detection include honeypots, honeynets, and padded cell systems.

A strategy based on the concept of defense in depth is likely to include intrusion detection systems, active vulnerability scanners, passive vulnerability scanners, automated log analyzers, and protocol analyzers.

Passive scanners are advantageous in that they require vulnerability analysts to get approval prior to testing.

A(n) partially distributed IDPS control strategy combines the best of other IDPS strategies. _________________________

A(n) port is the equivalent of a network channel or connection point in a data communications system. _________________________

When a collection of honeypots connects several honeypot systems on a subnet, it may be called a(n) honeynet. _________________________

A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network. _________________________

Enticement is the action of luring an individual into committing a crime to get a conviction. _________________________

Port explorers are tools used both by attackers and defenders to identify (or fingerprint) the computers that are active on a network, as well as the ports and services active on those computers, the functions and roles the machines are fulfilling, and other useful information. _________________________

A padded cell is a hardened honeynet. _________________________

The primary advantages of a centralized IDPS control strategy are cost and ease of use. _________________________

A(n) monitoring vulnerability scanner is one that listens in on the network and determines vulnerable versions of both server and client software. _________________________

A(n) log file monitor is similar to an NIDPS. _________________________

For Linux or BSD systems, a tool called "Snow White" allows a remote individual to "mirror" entire Web sites. _________________________

Preconfigured, predetermined attack patterns are called signatures. _________________________

The disadvantages of using the honeypot or padded cell approach include the fact that the technical ​implications of using such devices are not well understood. _________________________

Fingerprinting is the organized research of the Internet addresses owned or controlled by a target organization. _________________________

When using trap-and-trace, the trace usually consists of a honeypot or padded cell and an alarm. _________________________