
796    Appendix • Self Test Appendix

11. You have been reading about the ways in which a network-based IDS can be attacked. Which
    of these methods would you describe as an attack where an attacker attempts to deliver the
    payload over multiple packets over long periods of time?
     A. Evasion
     B. IP Fragmentation
     C. Session splicing
     D. Session hijacking
 C. Session splicing is one way that attackers can attempt to bypass network-based IDSes.
    Session splicing is accomplished by delivering the payload of the attack over multiple packets,
    thus defeating simple pattern matching without session reconstruction.
 Answers A, B, and D are incorrect because evasion is a technique that may attempt to flood
    the IDS to evade it. IP fragmentation is a general term that describes how IP handles traffic
    when faced with smaller maximum transmission units (MTUs). Session hijacking is a type of
    MITM attack that is used to take over an established session.
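As an added illustration (not from the study book) of why the answer says session splicing defeats "simple pattern matching without session reconstruction": a per-segment matcher is compared with one that reassembles the TCP stream first. The packets, the request and the signature string are constructed placeholders.

```python
from typing import Iterable, List, Tuple

Packet = Tuple[int, bytes]  # (TCP sequence number, segment payload)

# Placeholder signature; a real IDS rule would carry a real attack pattern.
SIGNATURE = b"EXAMPLE-ATTACK-SIGNATURE"

def per_packet_match(packets: Iterable[Packet], sig: bytes = SIGNATURE) -> bool:
    """Stateless check: each segment is inspected on its own, as a simple
    pattern matcher without session reconstruction would do."""
    return any(sig in payload for _, payload in packets)

def reassemble(packets: Iterable[Packet]) -> bytes:
    """Rebuild the TCP byte stream in sequence-number order, the way a
    stateful IDS reconstructs the session before matching."""
    ordered = sorted(packets, key=lambda p: p[0])  # tolerate out-of-order delivery
    stream = bytearray()
    expected = ordered[0][0] if ordered else 0
    for seq, payload in ordered:
        if seq < expected:            # retransmission/overlap: keep only the new bytes
            payload = payload[expected - seq:]
            seq = expected
        elif seq > expected:          # hole in the stream: cannot reassemble safely
            raise ValueError(f"missing bytes before seq {seq}")
        stream += payload
        expected = seq + len(payload)
    return bytes(stream)

def stream_match(packets: Iterable[Packet], sig: bytes = SIGNATURE) -> bool:
    """Stateful check: match against the reassembled session."""
    return sig in reassemble(packets)

def segment_stream(data: bytes, size: int, start_seq: int = 1000) -> List[Packet]:
    """Construct sample traffic: one request split into fixed-size segments."""
    return [(start_seq + i, data[i:i + size]) for i in range(0, len(data), size)]

# Constructed sample request that carries the placeholder signature
REQUEST = b"GET /index.html?q=EXAMPLE-ATTACK-SIGNATURE HTTP/1.0\r\nHost: example\r\n\r\n"

if __name__ == "__main__":
    whole = segment_stream(REQUEST, len(REQUEST))  # one segment
    spliced = segment_stream(REQUEST, 5)           # many small segments
    print("single segment: per-packet", per_packet_match(whole), "stream", stream_match(whole))
    print("spliced:        per-packet", per_packet_match(spliced), "stream", stream_match(spliced))
```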

12. You have been asked to explore what would be the best type of IDS to deploy at your company
    site. Your company is deploying a new program that will be used internally for data
    mining. The IDS will need to access the data mining application's log files and needs to be able
    to identify many types of attacks or suspicious activity. Which of the following would be the
    best option?
     A. Network-based that is located in the internal network
     B. Host-based IDS
     C. Application-based IDS
     D. Network-based IDS that has sensors in the DMZ
 C. An application-based IDS would best meet the requirements specified in the question.
    Application-based IDSes concentrate on events occurring within some specific application.
    They often detect attacks through analysis of application log files and can usually identify many
    types of attacks or suspicious activity. Sometimes an application-based IDS can track unauthorized
    activity from individual users. They can also work with encrypted data, using application-based
    encryption/decryption services.
 Answers A, B, and D are incorrect. A network-based IDS that has sensors on the internal network
    or the DMZ would not meet the requirements. A host-based IDS would meet some of
    the requirements but is not as well suited as an application IDS.

13. You are about to install WinDump on your Windows computer. Which of the following should
    be the first item you install?

www.syngress.com