Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
29 Cards in this Set
- Front
- Back
|
Name 4 type of IDS.
|
Passive IDS
> NIDS - Networked-based IDS > HIDS - Host-based IDS Active IDS > NIPS - Networked-based IPS > HIPS - Host-based IPS |
|
|
How is HIDS provided?
|
HIDS software is installed on each server and workstation.
|
|
|
How is NIDS provided?
|
NIDS uses a Management server on an internal segment.
NIDS agents are located on network devices and are located on different network segments. |
|
|
An IDS triggers an alert when an event reaches a specific threshold.
TRUE or FALSE? |
TRUE.
There is no magic number to set your threshold at but most admins would rather have some false positives rather than be under attack without knowing about it. |
|
|
NIDS agents (or nodes) monitors the traffic and reports its finding to where?
|
NIDS management server.
|
|
|
There are 3 drawbacks associated with HIDS. What are they?
|
1.) Software is very processor-intensive.
2.) It can be quite expensive to install on all hosts. 3.) Manay attackers can detect a HIDS, then disable it or erase the HIDS logs. |
|
|
Installing HIDS on each system protects against an attack launched where?
|
Internally!
Protects from an internal attacker or From malware released on the internal network. |
|
|
IPS has the capability of modifying the ACL on a router for what reason?
|
To block attacks or take other steps to close the connection .
Example: If a port scan is detected from a specific IP address, the IPS can modify the router so that the port scan is blocked. |
|
|
What can an IPS do if it detects a SYN flood attack?
|
The IPS can detect this attack and not only block any more traffic from the attacker, it can also close all the half-open connections on the targeted servers.
|
|
|
There are 3 types of detection methods for all IDSs and IPSs. What are they?
|
1.) Signature-based
2.) Anomaly-based 3.) Hybrid of the 2 |
|
|
Signature-based detection method is also called what?
|
Knowledge-based detection
This method is similar in concept to AV signatures. Both the vendor supplying the IDS and the organization using the IDS must update these signature files regularly to detect newer attacks. |
|
|
Anomaly-based systems can go by many names. Name 2 other names.
|
1.) Behavior-based
2.) Heuristics-based |
|
|
What is the disadvantage of an anomaly-based system compared to signature-based system?
|
It often has a higher level of false positives than a signature-based system.
|
|
|
What can an Anomaly-based system do?
|
Ti can attempt to document normal behavior in the form of a baseline. If the current activity differs significantly from the baseline, the IDS/IPS will issue an alert to the activity.
|
|
|
What detection method can be used as an alternative to HIDS and HIPS?
|
Whitelisting
The application whitelist identifies approved software. Any software that attempts to run but is not on the list is blocked. |
|
|
How can IDS support Integrity?
|
One of the ways that an IDS can detect an attack is by detecting unauthorized changes.
|
|
|
What method is used on many IDSs and Antivirus applications to detect unauthorized changes to critical system files?
|
Hashing techniques can detect such changes.
A File Integrity Checker calculates hashes on files to establish a baseline. If the hashes are modified, it detect the change and sends an alert. |
|
|
What is SEM?
|
System Event Manager
|
|
|
What is SIM?
|
Security information Management
|
|
|
What is SIEM?
|
Security information and event management
|
|
|
If an organization must comply with specific laws, a SEM could have components to monitor systems for compliance with the laws and report if a system is no longer compliant.
TRUE or FALSE |
TRUE
|
|
|
Many organizations perform regular security assessments. The most common type of security assessment is what?
|
Vulnerability assessment.
Note: Security audits is also a form of a security assessment. |
|
|
Vulnerability assessments can be classified based on the individuals performing the test. What 3 type of tests can be used?
|
1.) White box or internal testing - Full Knowledge
2.) black box or external testing - Zero Knowledge 3.) Gray box testing - - Partial knowledge Testers have at least some level of knowledge about the network. |
|
|
A log scrubber is a process that examines applications and system logs for evidence of system misuse. What detection method is used?
|
HIDS
|
|
|
A log management infrastructure typically is comprised of what three components?
|
1.) Log Generation
2.) Log Analysis and Storage 3.) Log Monitoring |
|
|
The Steps for processing events in SEMS are what?
|
1.) Parsing
2.) Categorization 3.) Prioritization 4.) Aggregation |
|
|
Which of the following are indicators of security-centric log entries?
I. System Hardware and Software errors II. Low-level host information III. Database checkpoint record IV.High-level host information 1.) I and III 2.) I, II, and IV 3.) I, II, and III 4.) II and III |
2.) I, II, and IV
|
|
|
What best identifies what is found in an audit log entry?
|
1.) Who
2.) What 3.) When 4.) Where |
|
|
A vulnerability assessment scanned a system and did not report any vulnerabilities. However, you know that the system is vulnerable because it does not have a specific patch installed.
What is this called? A.) A false positive B.) A false negative C.) A penetration test failure D.) A penetration test success |
B.) A false negative
|
