Practice Questions

Question 1

Which of the following IDS forms uses known attack signatures to identify unauthorized access attempts?

  • A. Knowledge-based IDS

  • B. Behavior-based IDS

  • C. Network-based IDS

  • D. Host-based IDS

A1:

Answer A is correct. Knowledge-based IDS solutions use known attack signatures to identify network attacks. Answer B is incorrect because behavior-based IDS solutions measure access patterns against known baselines to identify attacks. Answers C and D are incorrect because either might include knowledge-based or behavior-based IDS solutions, so neither one is the best answer here.

Question 2

Which of the following IDS forms is subject to common false positive attack indications?

  • A. Knowledge-based IDS

  • B. Behavior-based IDS

  • C. Network-based IDS

  • D. Host-based IDS

A2:

Answer B is correct. Behavior-based IDS solutions measure patterns of access against known security baselines. As a result, any variation from the previous baseline may be detected as a possible attack. Answer A is incorrect because knowledge-based IDS solutions use known attack signatures to identify attacks and therefore are not often subject to false positives. Answers C and D are incorrect because either might include knowledge-based or behavior-based IDS solutions, so neither one is the best answer here.

Question 3

Which type of IDS is slow to identify new forms of attack?

  • A. Network-based IDS

  • B. Knowledge-based IDS

  • C. Client-based IDS

  • D. Behavior-based IDS

A3:

Answer B is correct. Because knowledge-based IDS solutions require identification of known attack signatures, new forms of attack may go undetected until the new attack signatures are added to the IDS's library. Answers A and C are incorrect because they are IDS configurations, not behaviors. Answer D is incorrect because behavior-based IDS looks for anything out of the baseline norm. New attacks are likely to be outside the norm, so behavior-based IDS finds these fairly easily.

Question 4

Which of the following IDS forms are relatively platform independent? [Choose the two best answers.]

  • A. Knowledge-based IDS

  • B. Behavior-based IDS

  • C. Network-based IDS

  • D. Host-based IDS

A4:

Answers B and C are correct. Behavior-based IDS solutions and network-based solutions operate on patterns of access and data packet transfer to identify attacks. As a result, both are able to evolve to meet changes in the network technologies in use. Answers A and D are incorrect because knowledge-based IDS solutions must be able to identify known attack signatures directed at the protected technologies, whereas host-based IDS solutions involve client agents running on the monitored hosts; therefore, both are strongly affected by changes to the protected technologies.

Question 5

You have deployed a packet-monitoring system to sniff packets passing through your organization's DMZ. Which of the following types of IDS is this solution?

  • A. Knowledge-based IDS

  • B. Behavior-based IDS

  • C. Network-based IDS

  • D. Host-based IDS

A5:

Answer C is correct. This is a common network-based IDS solution, where packet data is monitored for unauthorized access patterns. Answers A and B are incorrect because the proposed solution might use either knowledge-based or behavior-based IDS, so neither is the best answer here. Answer D is incorrect because a host-based IDS solution would utilize client agents operating on the monitored hosts rather than sniffing the network traffic.

Question 6

You have installed a custom monitoring service on a Web server that reviews Web service logs to watch for the URLs used by the Code Red worm to propagate itself. When this custom service detects an attack, it raises an alert via email. Which of the following types of IDS is this solution? [Choose the two best answers.]

  • A. Knowledge-based IDS

  • B. Behavior-based IDS

  • C. Network-based IDS

  • D. Host-based IDS

A6:

Answers A and D are correct. This scenario describes a host-based solution identifying a known attack signature. Answer B is incorrect because no baselining is required for this solution. Answer C is incorrect because the agent does not attempt to capture packet data; it only reviews the Web service logs on the local system.

Question 7

Which of the following terms describes a host configured to expose a specific service to a public network while hardening all other resource access to restrict access within an organization's secure network?

  • A. Honeypot

  • B. Honeynet

  • C. Bastion

  • D. War-driving

A7:

Answer C is correct. A bastion host exposes a service or port while protecting against other forms of exploit. Answers A and B are incorrect because honeypots and honeynets are used to distract attackers or to monitor their access methods. Answer D is incorrect because the process of war-driving involves driving around with a wireless card in promiscuous mode, attempting to detect open wireless access points.

Question 8

Monitoring a network during the creation of a new performance baseline is critical because __________________________________________________.

  • A. new systems being added may generate false positives

  • B. false positives are less likely to occur later if monitoring is on during the baseline process

  • C. you must ensure that an attack is not made part of the baseline

  • D. monitoring allows you to set the traffic patterns that are considered normal

A8:

Answer C is correct. It is most important to monitor for attacks during regular baseline update cycles to avoid an attacker's actions being considered typical behavior within the network. Adding new workstations won't generate false positives; therefore, answer A is incorrect. The IDS is looking at the network traffic, but the monitoring station is not doing anything; therefore, answer B is incorrect. Setting the baselines is the job of the IDS, and a monitoring application would have nothing to do with the IDS baseline; therefore, answer D is incorrect.

Question 9

You have configured your Web server to use Windows NTFS partitions and the Microsoft System Update Service (SUS) to regularly apply new Windows 2000 hotfixes and patches. Which of the following forms of hardening are specified in this solution?

  • A. Application

  • B. Baseline

  • C. Operating system

  • D. Network

A9:

Answer C is correct. The tasks of selecting a secure file system, such as NTFS, and regularly applying operating system updates fall within the considerations for operating system hardening. Answer A is incorrect because application hardening involves the security of user applications and services. Answer B is incorrect because a baseline establishes the normal operating levels of a network and is not itself hardened. Answer D is incorrect because network hardening involves the security of network access.

Question 10

Which of the following servers may be overcome by a denial of service (DoS) type of attack? [Choose the best answers.]

  • A. Web servers

  • B. FTP servers

  • C. DNS servers

  • D. NNTP servers

  • E. DNS Servers

A10:

Answers A, B, C, D, and E are correct. All these services may be overcome by a DoS-style attack if the attacker can overload the available processing and bandwidth resources available to each service. When multiple services are loaded onto a single system, this problem can be compounded.



Source: Security+ Certification Exam Cram 2 (Exam SYO-101)
ISBN: 0789729105
Year: 2005
Pages: 162
