Friday, August 26, 2005

Quiz: An IDS/IPS interrogation

SEARCHSECURITY.COM
This Week
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

A newsletter from TechTarget
August 26, 2005

IN THIS ISSUE:
> Quiz: Intrusion detection and prevention systems
> Site Highlights: Get free security training

QUIZ
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Intrusion detection and prevention systems

Intrusion detection and prevention systems come with a hefty price
tag. And once installed, either one can drain your resources if you
didn't make a knowledgeable buying decision or don't know how to
operate it efficiently. Test your IDS/IPS know-how and improve your
knowledge with this quiz.

1.) Which of the following is an advantage of anomaly detection?
a. Rules are easy to define.
b. Custom protocols can be easily analyzed.
c. The engine can scale as the rule set grows.
d. Malicious activity that falls within normal usage patterns is
detected.
Answer:
http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1119565,00.html?track=NL-105&ad=526845#answer1

2.) A false positive can be defined as...
a. an alert that indicates nefarious activity on a system that, upon
further inspection, turns out to represent legitimate network traffic
or behavior.
b. an alert that indicates nefarious activity on a system that is not
running on the network.
c. the lack of an alert for nefarious activity.
d. Both a. and b.
Answer:
http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1119565,00.html?track=NL-105&ad=526845#answer2

3.) One of the most obvious places to put an IDS sensor is near the
firewall. Where exactly in relation to the firewall is the most
productive placement?
a. Inside the firewall
b. Outside the firewall
c. Both
Answer:
http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1119565,00.html?track=NL-105&ad=526845#answer3

4.) What is the purpose of a shadow honeypot?
a. To flag attacks against known vulnerabilities.
b. To help reduce false positives in a signature-based IDS.
c. To randomly check suspicious traffic identified by an anomaly
detection system.
d. To enhance the accuracy of a traditional honeypot.
Answer:
http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1119565,00.html?track=NL-105&ad=526845#answer4

5.) At which two traffic layers do most commercial IDSes generate
signatures?
a. application layer
b. network layer
c. session layer
d. transport layer
Answer:
http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1119565,00.html?track=NL-105&ad=526845#answer5

6.) An IDS follows a two-step process consisting of a passive
component and an active component. Which of the following is part of
the active component?
a. Inspection of password files to detect inadvisable passwords
b. Mechanisms put in place to reenact known methods of attack and
record system responses
c. Inspection of the system to detect policy violations
d. Inspection of configuration files to detect inadvisable settings
Answer:
http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1119565,00.html?track=NL-105&ad=526845#answer6

7.) When discussing IDS/IPS, what is a signature?
a. An electronic signature used to authenticate the identity of a
user on the network
b. Attack-definition file
c. It refers to "normal," baseline network behavior
d. None of the above
Answer:
http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1119565,00.html?track=NL-105&ad=526845#answer7

8.) "Semantics-aware" signatures automatically generated by Nemean
are based on traffic at which two layers?
a. application layer
b. network layer
c. session layer
d. transport layer
Answer:
http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1119565,00.html?track=NL-105&ad=526845#answer8

9.) Which of the following is used to provide a baseline measure for
comparison of IDSes?
a. crossover error rate
b. false negative rate
c. false positive rate
d. bit error rate
Answer:
http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1119565,00.html?track=NL-105&ad=526845#answer9

10.) Which of the following is true of signature-based IDSes?
a. They alert administrators to deviations from "normal" traffic
behavior.
b. They identify previously unknown attacks.
c. The technology is mature and reliable enough to use on production
networks.
d. They scan network traffic or packets to identify matches with
attack-definition files.
Answer:
http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1119565,00.html?track=NL-105&ad=526845#answer10

CHECK YOUR SCORE
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

How'd you score?
9-10 correct: You are IDS/IPS intelligent
6-8 correct: You are IDS/IPS conversant
3-5 correct: You're an IDS/IPS novice
0-2 correct: You're IDS/IPS ignorant


SITE HIGHLIGHTS
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Earn CPE credits in Web Security School
Learn how to harden a Web server and apply countermeasures to prevent
hackers from breaking into a network. Study at your own pace and
learn how to implement security policies and test a Web site's
security, as well as how to handle a breach should the unspeakable
happen. CISSPs and SSCPs can earn one CPE credit for each school
webcast.
http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1080309,00.html?track=NL-105&ad=526845

Secure your e-mail systems
Attend E-mail Security School, where you'll learn tactics for
securing your e-mail systems, beginning with the essentials, moving
on to spam and virus defense, and wrapping up with policy control.
CISSPs and SSCPs can earn one CPE credit for each school webcast.
http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1062768,00.html?track=NL-105&ad=526845

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

CONTACT US:

Sales
For sales inquiries, please contact us at:
mailto:gderussy@techtarget.com

Editorial
For feedback about any of our articles or to send us your article
ideas, please contact us at:
mailto:cferraro@techtarget.com

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

ABOUT THIS E-NEWSLETTER

This e-newsletter is published by SearchSecurity.com, a targeted Web
site from TechTarget, the most targeted IT media and events company.
TechTarget offers magazines, Web sites, e-newsletters, Webcasts and
conferences for enterprise IT professionals.
Copyright 2005 TechTarget. All rights reserved.
