Self Test Appendix • Appendix  795

8.  Which security control can best be described by the following? Because normal user behavior can change easily and readily, this security control system is prone to false positives where attacks may be reported based on changes to the norm that are "normal," rather than representing real attacks.

    A. Anomaly based IDS
    B. Signature based IDS
    C. Honeypot
    D. Honeynet

    A. Because normal user behavior can change easily and readily, these anomaly based IDSes are prone to false positives where attacks may be reported based on changes to the norm that are "normal," rather than representing real attacks.

    Answers B, C, and D are incorrect because a signature IDS does not suffer from this weakness. Both honeypots and honeynets are used to lure attackers and hold them captive so that the attackers are detected before real targets are attacked.

9.  Your network is configured to use an IDS to monitor for attacks. The IDS is network-based and has several sensors located in the internal network and the DMZ. No alarm has sounded. You have been called in on a Friday night because someone is claiming their computer has been hacked. What can you surmise?

    A. The misconfigured IDS recorded a positive event
    B. The misconfigured IDS recorded a negative event
    C. The misconfigured IDS recorded a false positive event
    D. The misconfigured IDS recorded a false negative event

    D. This situation indicates that a false negative occurred. This means that no alarm sounded, yet an attack occurred.

    Answers A, B, and C are incorrect because a positive event would have triggered an alarm. A negative event would mean that no attack occurred. A false positive alert would mean that an alert sounded but no attack occurred.

10. You have installed an IDS that is being used to actively match incoming packets against known attacks. Which of the following technologies is being used?

    A. Stateful inspection
    B. Protocol analysis
    C. Anomaly detection
    D. Pattern matching

    D. Pattern matching is the act of matching packets against known signatures.

    Answers A, B, and C are incorrect because protocol analysis analyzes the packets to determine if they are following established rules. Anomaly detection looks for patterns of behavior that are out of the ordinary. Stateful inspection is used in firewalls.

www.syngress.com