True/False review statements

An intruder can also be referred to as a hacker or cracker.
Activists are either individuals or members of an organized crime group with a goal of financial reward.
Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion.
Those who hack into computers do so for the thrill of it or for status.
Intruders typically use steps from a common attack methodology.
The IDS component responsible for collecting data is the user interface.
Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.
The primary purpose of an IDS is to detect intrusions, log suspicious events, and send alerts.
Signature-based approaches attempt to define normal, or expected, behavior, whereas anomaly approaches attempt to define proper behavior.
Anomaly detection is effective against misfeasors.
To be of practical use an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.
An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device.
A common location for a NIDS sensor is just inside the external firewall.
Network-based intrusion detection makes use of signature detection and anomaly detection.
Snort can perform intrusion prevention but not intrusion detection.

Multiple-choice review questions

A _________ is a security event that constitutes a security incident in which an intruder gains access to a system without having authorization to do so. A. intrusion detection B. IDS C. criminal enterprise D. security intrusion
A _________ monitors the characteristics of a single host and the events occurring within that host for suspicious activity. A. host-based IDS B. security intrusion C. network-based IDS D. intrusion detection
A ________ monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity. A. host-based IDS B. security intrusion C. network-based IDS D. intrusion detection
The ________ is responsible for determining if an intrusion has occurred. A. analyzer B. host C. user interface D. sensor
__________ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder. A. Profile based detection B. Signature detection C. Threshold detection D. Anomaly detection
_________ involves the collection of data relating to the behavior of legitimate users over a period of time. A. Profile based detection B. Signature detection C. Threshold detection D. Anomaly detection
The _________ module analyzes LAN traffic and reports the results to the central manager. A. LAN monitor agent B. host agent C. central manager agent D. architecture agent
A(n) ________ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor. A. passive sensor B. analysis sensor C. LAN sensor D. inline sensor
A(n) ________ event is an alert that is generated when the gossip traffic enables a platform to conclude that an attack is under way. A. PEP B. DDI C. IDEP D. IDME
_________ is a document that describes the application level protocol for exchanging data between intrusion detection entities. A. RFC 4767 B. RFC 4766 C. RFC 4765 D. RFC 4764
The rule _______ tells Snort what to do when it finds a packet that matches the rule criteria. A. protocol B. direction C. action D. destination port
The _______ is the ID component that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator. A. data source B. sensor C. operator D. analyzer

Short-answer review questions

What is responsible for determining if an intrusion has occurred?
Analyzer: receiving input from one or more sensors, it is responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred and may include evidence supporting the conclusion that an intrusion has occurred.

Is running a packet sniffer an example of intrusion?
Running a packet sniffer on a workstation to capture usernames and passwords is an example of intrusion.

What is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor?
An inline sensor is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor. One way to achieve an inline sensor is to combine NIDS sensor logic with another network device, such as a firewall or a LAN switch.

What is a security event that constitutes a security incident in which an intruder gains access to a system without having authorization to do so?
Definition(s): A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without having authorization to do so.