Deck 7: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools

All IDPS vendors target users with the same levels of technical and security expertise.

The statistical anomaly-based IDPS collects statistical summaries by observing traffic that is known to be normal.

Your organization's operational goals,constraints,and culture should not affect the selection of the IDPS and other security tools and technologies to protect your systems.

The Simple Network Management Protocol contains trap functions,which allow a device to send a message to the SNMP management console indicating that a certain threshold has been crossed,either positively or negatively.

NIDPSs can reliably ascertain if an attack was successful or not.

A false positive is the failure of an IDPS system to react to an actual attack event.

A HIDPS is optimized to detect multihost scanning,and it is able to detect the scanning of non-host network devices,such as routers or switches.

In DNS cache poisoning,valid packets exploit poorly configured DNS servers to inject false information to corrupt the servers' answers to routine DNS queries from other systems on the network.

A passive response is a definitive action automatically initiated when certain types of alerts are triggered.

In order to determine which IDPS best meets an organization's needs,first consider the organizational environment in technical,physical,and political terms.

An HIDPS can detect local events on host systems and also detect attacks that may elude a network-based IDPS.

IDPS responses can be classified as active or passive.

Intrusion detection consists of procedures and systems that identify system intrusions and take action when an intrusion is detected.

A HIDPS can monitor systems logs for predefined events.

An IDPS can be configured to dial a phone number and produce an alphanumeric page or a modem noise.

Intrusion detection and prevention systems can deal effectively with switched networks.

The process by which attackers change the format and/or timing of their activities to avoid being detected by the IDPS is known as a false attack stimulus.

A fully distributed IDPS control strategy is the opposite of the centralized strategy.

HIDPSs are also known as system integrity verifiers.

Services using the TCP/IP protocol can run only on port 80.

The confidence value,which is based upon false logic,helps an administrator determine how likely it is that an IDPS alert or alarm indicates an actual attack in progress._________________________

The activities that gather information about the organization and its network activities and assets is called fingerprinting._________________________

Nmap uses incrementing Time-To-Live packets to determine the path into a network as well as the default firewall policy.

A strategy based on the concept of defense in depth is likely to include intrusion detection systems,active vulnerability scanners,passive vulnerability scanners,automated log analyzers,and protocol analyzers.

An alert or intrusion is an indication that a system has just been attacked or is under attack._________________________

The IDPS console includes the management software,which collects information from the remote sensors,analyzes the systems or networks,and determines whether the current situation has deviated from the preconfigured baseline._________________________

The Metasploit Framework is a collection of exploits coupled with an interface that allows the penetration tester to automate the custom exploitation of vulnerable systems.

A sniffer cannot be used to eavesdrop on network traffic.

Most of the technologies that scan human characteristics convert these images to some form of minutiae.

A(n)NIDPS functions on the host system,where encrypted traffic will have been decrypted and is available for processing._________________________

Preconfigured,predetermined attack patterns are called signatures._________________________

To assist in the footprint intelligence collection process,you can use an enhanced Web scanner that,among other things,can scan entire Web sites for valuable pieces of information,such as server names and e-mail addresses.

A(n)server-based IDPS protects the server or host's information assets._________________________

In the process of protocol application verification,the NIDPSs look for invalid data packets._________________________

Passive scanners are advantageous in that they require vulnerability analysts to get approval prior to testing.

Alarm filtering is alarm clustering that may be based on combinations of frequency,similarity in attack signature,similarity in attack target,or other criteria that are defined by the system administrators._________________________

Once the OS is known,all of the vulnerabilities to which a system is susceptible can easily be determined.

A(n)log file monitor is similar to a NIDPS._________________________

A starting scanner is one that initiates traffic on the network in order to determine security holes.

A padded cell is a hardened honeynet._________________________

The false detect rate is the percentage of identification instances in which unauthorized users are allowed access to systems or areas as a result of a failure in the biometric device._________________________

Enticement is the action of luring an individual into committing a crime to get a conviction._________________________

A(n)partially distributed IDPS control strategy combines the best of the other two strategies._________________________

A wireless security toolkit should include the ability to sniff wireless traffic,scan wireless hosts,and assess the level of privacy or confidentiality afforded on the wireless network._________________________

Minutiae are unique points of reference that are digitized and stored in an encrypted format when the user's system access credentials are created._________________________

The trace usually consists of a honeypot or padded cell and an alarm._________________________

For Linux or BSD systems,there is a tool called "scanner" that allows a remote individual to "mirror" entire Web sites._________________________

When a collection of honeypots connects several honeypot systems on a subnet,it may be called a(n)honeynet._________________________

Fingerprinting is the organized research of the Internet addresses owned or controlled by a target organization._________________________

The trap is a process by which the organization attempts to identify an entity discovered in unauthorized areas of the network or systems._________________________

Port fingers are tools used by both attackers and defenders to identify (or fingerprint)the computers that are active on a network,as well as the ports and services active on those computers,the functions and roles the machines are fulfilling,and other useful information._________________________

A(n)listener vulnerability scanner is one that listens in on the network and determines vulnerable versions of both server and client software._________________________

A(n)port is a network channel or connection point in a data communications system._________________________

The false error rate is the percentage of identification instances in which authorized users are denied access a result of a failure in the biometric device._________________________