Deck 7: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools

An HIDPS can detect local events on host systems and detect attacks that may elude a network-based IDPS.

HIDPSs are also known as system integrity verifiers.

Your organization's operational goals, constraints, and culture should not affect the selection of the IDPS and other security tools and technologies to protect your systems.

Intrusion detection and prevention systems perform monitoring and analysis of system events and user behaviors.

An HIDPS can monitor system logs for predefined events.

IDPS responses can be classified as active or passive.

Intrusion detection consists of procedures and systems that identify system intrusions and take action when an intrusion is detected.

A false positive is the failure of an IDPS system to react to an actual attack event.

A fully distributed IDPS control strategy is an IDPS implementation approach in which all controlfunctions are applied at the physical location of each IDPS component.

NIDPSs can reliably ascertain whether an attack was successful.

The Simple Network Management Protocol contains trap functions, which allow a device to send a message to the SNMP management console indicating that a certain threshold has been crossed, either positively or negatively.

All IDPS vendors target users with the same levels of technical and security expertise.

An HIDPS is optimized to detect multihost scanning, and it is able to detect the scanning of non-host network devices, such as routers or switches.

The anomaly-based IDPS collects statistical summaries by observing traffic that is known to be normal.

A passive IDPS response is a definitive action automatically initiated when certain types of alerts are triggered.

In order to determine which IDPS best meets an organization's needs, first consider the organizational environment in technical, physical, and political terms.

An IDPS can be configured to dial a phone number and produce an alphanumeric page or other type of signal or message.

In DNS cache poisoning, valid packets exploit poorly configured DNS servers to inject false information and corrupt the servers' answers to routine DNS queries from other systems on the network.

The process by which attackers change the format and/or timing of their activities to avoid being detected by the IDPS is known as a false attack stimulus.

Services using the TCP/IP protocol can run only on their commonly used port number as specified in their original Internet standard.

Security tools that go beyond routine intrusion detection include honeypots, honeynets, and padded cell systems.

A strategy based on the concept of defense in depth is likely to include intrusion detection systems, active vulnerability scanners, passive vulnerability scanners, automated log analyzers, and protocol analyzers.

Once the OS is known, all of the vulnerabilities to which a system is susceptible can easily be determined.

In the process of protocol application verification, the NIDPSs look for invalid data packets. _________________________

To assist in footprint intelligence collection, attackers may use an enhanced Web scanner that, among other things, can scan entire Web sites for valuable pieces of information, such as server names and e-mail addresses.

Preconfigured, predetermined attack patterns are called signatures. _________________________

Alarm events that are accurate and noteworthy but do not pose significant threats to information security are called noise. _________________________

Administrators who are wary of using the same tools that attackers use should remember that a tool that can help close an open or poorly configured firewall will not help the network defender minimize the risk from attack.

The process of entrapment occurs when an attacker changes the format and/or timing of activities to avoid being detected by an IDPS. _________________________

The activities that gather public information about the organization and its network activities and assets is called fingerprinting. _________________________

A(n) known vulnerability is a published weakness or fault in an information asset or its protective systems that may be exploited and result in loss. _________________________

A passive vulnerability scanner is one that initiates traffic on the network in order to determine security holes.

A(n) NIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for processing. _________________________

The Metasploit Framework is a collection of exploits coupled with an interface that allows the penetration tester to automate the custom exploitation of vulnerable systems.

A(n) server-based IDPS protects the server or host's information assets. _________________________

A(n) event is an indication that a system has just been attacked or is under attack. _________________________

The integrity value, which is based upon fuzzy logic, helps an administrator determine how likely it is that an IDPS alert or alarm indicates an actual attack in progress. _________________________

Passive scanners are advantageous in that they require vulnerability analysts to get approval prior to testing.

Alarm filtering may be based on combinations of frequency, similarity in attack signature, similarity in attack target, or other criteria that are defined by the system administrators. _________________________

When using trap-and-trace, the trace usually consists of a honeypot or padded cell and an alarm. _________________________

For Linux or BSD systems, a tool called "Snow White" allows a remote individual to "mirror" entire Web sites. _________________________

A(n) partially distributed IDPS control strategy combines the best of other IDPS strategies. _________________________

When a collection of honeypots connects several honeypot systems on a subnet, it may be called a(n) honeynet. _________________________

A(n) log file monitor is similar to an NIDPS. _________________________

A padded cell is a hardened honeynet. _________________________

The disadvantages of using the honeypot or padded cell approach include the fact that the technical ​implications of using such devices are not well understood. _________________________

A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network. _________________________

A(n) port is the equivalent of a network channel or connection point in a data communications system. _________________________

Enticement is the action of luring an individual into committing a crime to get a conviction. _________________________

The primary advantages of a centralized IDPS control strategy are cost and ease of use. _________________________

A(n) monitoring vulnerability scanner is one that listens in on the network and determines vulnerable versions of both server and client software. _________________________

Port explorers are tools used both by attackers and defenders to identify (or fingerprint) the computers that are active on a network, as well as the ports and services active on those computers, the functions and roles the machines are fulfilling, and other useful information. _________________________

Fingerprinting is the organized research of the Internet addresses owned or controlled by a target organization. _________________________

A(n) ____________________ occurs when an attacker attempts to gain entry or disrupt the normal operations of an information system, almost always with the intent to do harm.