Intrusion Detection System

Which item describes the following UEFI boot process phase? (The phase of EFI consisting of clearing the UEFI program from memory, transferring the UEFI program to the OS, and updating the OS calls for the run time service using a small part of the memory.)

• RT (Run Time) Phase
• PEI (Pre-EFI Initialization) Phase
• BDS (Boot Device Selection) Phase
• DXE (Driver Execution Environment) Phase

Involves the collection of data relating to the behavior of legitimate users over a period of time. Then current observed behavior is analyzed to determine with a high level of confidence whether this behavior is that of a legitimate user or an intruder.

• Anomaly Detection

Because they use a lot of Dynamic Link Libraries (DLL) as an intermediary between process requests and the system call interface.

• Why don't Windows systems use anomaly based HIDS?

Actions such as the installation of backdoors or other malicious software, or through the addition of covert authentication credentials or other configuration changes to the system, to enable continued access by the attacker after the initial attack.

• Maintaining Access

Develop a model with sets of states, some possibly hidden, interconnected by transition probabilities.

• Markov Models

A ______ based IDS monitors all traffic moving across a segment

• Network

ARMs are ____ based, and can be general or specific.

• Rule

Situation where an authorized user is identified as an intruder.

• False Positive

Which of the following Federal Rules of Evidence governs proceedings in the courts of the United States?

• Rule 105
• Rule 102
• Rule 103
• Rule 101

What partition holds the information regarding the operating system, system area, and other information required for booting?

• Extended partition
• Tertiary partition
• Primary partition
• Secondary partition

A record of the sequence of systems calls by processes on a system is widely acknowledged as the preferred data source of HIDS. Doesn't work well on Windows due to the extensive use of DLLs that obscure which processes make specific system calls.

• System call traces

What must an investigator do in order to offer a good report to a court of law and ease the prosecution?

• Prosecute the evidence
• Obfuscate the evidence
• Authorize the evidence
• Preserve the evidence

Apprentice, Journeyman, Master

• Skill Levels of Hackers/Crackesr

Which field type refers to the volume descriptor as a partition descriptor?

• Number 2
• Number 0
• Number 3
• Number 1

Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results to the central manager.

• LAN monitor agent module

T/F Host based IDSs cannot see into encrypted traffic

• F (They can)

Which type of IDS monitors activities on a single host or device?

• Network-based IDS (NIDS)
• Host-based IDS (HIDS)
• Application-based IDS (AIDS)
• Behavior-based IDS (BIDS)

Intrusion detection message exchange requirements, intrusion detection message exchange format, intrusion detection exchange protocol

• Intrusion Detection Exchange Format RFCs

Signature and Anomaly

• NIDS detection techniques

Monitors the characteristics of a single host and the events occurring within that host, such as process identifiers and the system calls they make, for evidence of suspicious activity.

• Host-based IDS

What is the last addressable block where negative addressing of the logical blocks starts from the end of the volume in GPT?

• -255
• -1
• 0
• 255

An ___ is any system that tries to detect potential attacks launched against a host or network

• IDS

What are the six components of an intrusion systems

• detection devices, annunciation devices, control panel, control units, communication devices, power supplies (primary and back up)

What is heuristic-based detection in an IDS?

• To detect known patterns or signatures of known threats
• To monitor network traffic for known vulnerabilities
• To detect new and unknown threats
• To identify abnormal patterns or behaviors that may indicate an intrusion

When mirroring a port for a network IDS, you should mirror to the ________ router or ______

• boundary, firewall

T/F A network IDS can determine if an attack will succeed or fail.

• F (can generate lots of irrelevant alerts)

Denial of Service, Scanning, Worms

• Attacks that are suitable for NIDS anomaly detection

A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

• Intrusion Detection

Hackers with motivations other than those listed above, including classic hackers/crackers motivated by technical challenge or peer-group esteem and reputation. "Hobby hackers"

• Others

Which of the following is NOT a digital data storage type?

• Magnetic storage devices
• Optical storage devices
• Flash memory devices
• Quantum storage devices

An approach used on Windows systems is used to monitor access to the registry, given the amount of information and access to it used by programs on these systems.

• Registry Access

Bayesian networks, Markov models, Neural networks, fuzzy logic, genetic algorithms, clustering and outlier detection

• Examples of machine-learning approaches

In MS-DOS and earlier versions of Microsoft Windows, which partition must be first and a primary partition?

• (C:)
• (B:)
• (A:)
• (D:)

First, these tools may not recognize new threats or radical modifications of existing threatsSecond, it is difficult to update schemes rapidly enough to deal with quickly spreading attacks.

• Two problems of distributed/hybrid IDS

Which of the following is unique to SSDs?

• Spindle
• NAND chips
• Read/write heads
• Platters

What is the purpose of the "logging" phase in the operation of an IDS?

• To identify and respond to intrusions
• To generate alerts
• To record information about events for analysis and reporting
• To store data about network activity

T/F An IDS prevents network penetration.

• F (Detects, does not prevent)

Addressable intrusion detection systems

• have device specified identifiers

Anomaly detection.

• Which analysis approach can detect zero-day attacks?

When a network based IDS is established, its interface is placed in _________ mode

• promiscuous

What is the purpose of a decoy in the context of network security?

• To mislead and confuse attackers
• To analyze network traffic
• To generate alerts for suspicious activities
• To slow down network traffic

Which of the following is TRUE regarding Enterprise Theory of Investigation (ETI)?

• It adopts an approach toward criminal activity as a criminal act.
• It adopts a holistic approach toward any criminal activity as a criminal operation rather than as a single criminal activity.
• It differs from traditional investigative methods and is less complex and less time- consuming.
• It encourages reactive action on the structure of the criminal enterprise.

Reside on trusted, self-defending platforms and intelligent IDSs. These systems correlate distributed information, local decisions, and individual device actions to detect intrusions that may not be evident at the host level.

• PEP Events

Which of the following Windows operating systems powers on and starts up using only the traditional BIOS-MBR method?

• Windows 7
• Windows 8
• Windows 9
• Windows 10

The raw data that an IDS uses to detect unauthorized/undesired activity. Things like network packets, OS audit logs, application audit logs, and system-generated checksum data.

• Data Sources

Designed to aid countering threats, specifically against known, less-sophisticated attacks by activist groups, large email scams, etc.

• Intrusion Detection Systems (IDS) and intrusion prevention systems (IPS)

Host based IDSs are _____ based analyzers, integrating into the host __ stack

• stack, IP

Is a real system, with a full OS, services and applications, which are instrumented and deployed where they can be accessed by attackers.

• High Interaction Honeypot

Describes a data model to represent information exported by intrusion detection systems and explains the rationale for using this model. An implementation of the data model in the Extensive Markup Language (XML) is presented, an XML document type definition is developed, and examples are provided.

• Intrusion Detection Message Exchange Format

The ID component/process for which the operator manages the various components of the ID system. Management functions typically include sensor configuration, analyzer configuration, event notification management, data consolidation, and reporting

• Manager

NIDSs analyze TCP and UDP traffic and perhaps other protocols. Examples of attacks are unusual packet fragmentation, scans for vulnerable ports, and TCP-specific attacks such as SYN floods.

• Transport Layer reconnaissance and attacks

Signature and Rule-based heuristic identification

• Approaches to Signature/Heuristic Detection

An audit collection module operating as a background process on a monitored system. Its purpose is to collect data on security related events on the host and transmit these to the central manager.

• Host Agent Module

Which of the following is a potential limitation of using anomaly-based detection in an IDS?

• It can generate false positives for unusual but legitimate activities
• It is resource-intensive and slows down network performance
• It is ineffective against known threats
• It cannot detect new or zero-day attacks

System call traces, audit (log file) records, file integrity checksums, registry access

• Data Sources and Sensors for a Host-Based Intrusion System

Anomaly Detection, Signature/Heuristic Detection

• Analysis Approaches

IDSs check for patterns of known ______ and activities indicating malicious ______

• malware, intent

Anti-virus/anti-malware software.

• What kind of products are signature/heuristic HIDS used in?

What is the meaning of the acronym POST?

• Power-on self-test
• Power-off system-test
• Power-on system-test
• Power-off self-test

Which of the following is TRUE of civil crimes?

• The initial reporting of the evidence is generally informal.
• Law enforcement agencies are responsible for collecting and analyzing evidence.
• The standards of proof need to be very high.
• A formal investigation report is required.

Which of the following is the correct number of bytes reserved at the beginning of a CD-ROM for booting a computer?

• 16,384
• 32,768
• 512
• 256

Open source, highly configurable and portable host-based or network-based IDS. Often referred to as a lightweight IDS

• SNORT

Combines information from a number of sensors, other both host and network-based, in a central analyzer that is able to better identify and respond to the intrusion activity.

• Distributed/Hybrid IDS

Which of the following describes when a user plugs in a computer and starts it from a fully off condition?

• Warm booting
• Soft booting
• Hot booting
• Cold booting

T/F A Network IDS cannot protect form local attacks or copying

• T

Consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of these services/systems.

• Low Interaction Honeypot

How large is the partition table structure that stores information about the partitions present on the hard disk?

• 32-bit
• 32-byte
• 64-bit
• 64-byte

What is the main drawback of using only signature-based detection in an IDS?

• It requires a large amount of computational resources.
• It cannot detect new or zero-day attacks.
• It is ineffective against known threats.
• It generates too many false positives.

Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior. Advantages are that that they are super robust and customizable, but its disadvantages are that it's hard and takes time to develop knowledge from data/come up with good rules. You have to have human analysis.

• Knowledge Based Approach

Sensors, Analyzers, User Interface

• 3 Logical Components of an IDS

T/F Placing a network IDS outside the firewall may overwhelm it due to the amount of traffic

• T

T/F A host based IDS can limit outgoing traffic if a system is compromised.

• T

An interior sensor that provides narrow or wide detection for high traffic areas uses

• a trap

What is the primary purpose of MAC filtering in network security?

• To control access to the network based on the device's hardware address
• To analyze network traffic
• To generate alerts for suspicious activities
• To encrypt network traffic

Which of the following is NOT a legitimate authorizer of a search warrant?

• Magistrate
• Court of law
• First responder
• Concerned authority

Which of the following is a data structure situated at sector 1 in the volume boot record of a hard disk to explain the physical layout of a disk volume?

• Boot Parameter Block (BPB)
• BIOS Parameter Block (BPB)
• Primary Sequential Sector (PSS)
• Primary Reserved Sector (PRS)

The purpose of recording loop resistance during testing is to aid in

• future trouble shooting

T/F Active screening does not cause performance issues.

• F (Can case serious issues)

Anomaly, Signature/Heuristic, Distributed

• Types of HIDS

What is the primary purpose of a honeypot in network security?

• To attract and study malicious activity
• to improve security measures
• To encrypt network traffic
• To generate alerts for suspicious activities
• To slow down network traffic

Describes the Intrusion Detection Exchange Protocol (IDXP), an application level protocol for exchanging data between intrusion detection entities. IDXP supports mutual-authentication, integrity, and confidentiality over a connection-oriented protocol.

• Intrusion Detection Exchange Protocol

A response module can ___ attacks, send a real-time _____ to the admin, or actively ____ traffic.

• Log, alert, block

Encode probabilistic relationships among observed metrics.

• Bayesian Netwroks

Simulate human brain operation with neurons and synapses between them that classify observed data.

• Neutral Netwroks

What is the primary purpose of an Intrusion Detection System (IDS)?

• To prevent all network attacks
• To detect and alert on suspicious activities and potential security breaches
• To encrypt all network traffic
• To improve network performance

In the GUID Partition Table, which Logical Block Address contains the Partition Entry Array?

• LBA 2
• LBA 0
• LBA 3
• LBA 1

Which of the following is TRUE regarding computer forensics?

• Computer forensics deals with the monetary cost of finding evidence related to a crime to find the culprits and initiate legal action against them.
• Computer forensics deals with the search for evidence related to a digital crime, but the forensics specialist does not need to be concerned about the legal admissibility of the evidence he or she finds.
• Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and initiate legal action against them.
• Computer forensics deals only with the process of finding evidence related to a digital crime and does not try to estimate the monetary damages caused by that crime.

Sufficient technical skills to modify and extend attack toolkits to use newly discovered, or purchased, vulnerabilities; or to focus on different target groups. May be able to locate new vulnerabilities to exploit. A number at this skill level found in all classes.

• Journeyman

inserted into a network segment so that the traffic it is monitoring must pass through the sensors. Commonly done by combining a NIDS sensors with something traffic already flows through, like a firewall or switch. It can be a standalone device though. The goal of these is to block an attack when one is detected.

• Inline Sensors

Uses fuzzy set theory where reasoning is approximate, and can accommodate uncertainty.

• Fuzzy Logic

Which of the following basic partitioning tools displays details about GPT partition tables in Windows OS?

• DiskPart
• Gparted
• Disk Utility
• Fdisk

Every alarm system must have standby power sufficient to operate the system in a non-alarm status for a minimum of

• four hours

Cyber criminals, activists, state-sponsored organization's, others

• Classes of Intruders:

To be of practical use, an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level. That's hard. Most users are legitimate, after all. This issue is referred to as?

• The Base-Rate Fallacy

What is the role of the analyzer component in an IDS?

• To collect and store event data
• To generate alerts based on collected data
• To analyze network traffic for anomalies
• To correlate data and determine if an intrusion has occurred

What is the primary purpose of a firewall in network security?

• To monitor and control incoming and outgoing network traffic based on predetermined security rules
• To analyze network traffic
• To generate alerts for suspicious activities
• To slow down network traffic

Which of the following applies to installations of outdoor active infrared pulsed multi-beam photoelectric units?

• clearance for objects on either side of a beam must be 2 to 3 feet

Which of the following is NOT a recommended practice when deploying an IDS?

• Hiding the presence of the IDS to catch attackers off guard
• Placing the IDS at the edge of the network
• Regularly updating and tuning the IDS rules
• Monitoring IDS alerts and logs

What does the term "baseline" refer to in the context of IDS?

• The normal or expected behavior of a network or system
• A known pattern of a specific attack
• A list of known vulnerabilities
• The rate of false positives generated by the IDS

Which position does the protective MBR occupy in the GPT at Logical Block Address 0?

• Second
• First
• Last
• Third

T/F placing the IDS on a shared network segment can result in performance issues

• T

T/F A Tap that copies traffic crossing it is a two way connection

• F (One way only)

Statistical, Knowledge-Based, Machine Learning

• Classification of anomaly detection approaches

T/F A network IDS is capable of capturing traffic that may be filtered out at the host.

• T

Distributed IDS developed by Intel. Has each host and each network device considered to be a potential sensor that you can install the sensor software module on. The sensors in this distributed configuration can exchange information to corroborate the state of the network.

• Autonomic Enterprise Security

In an advanced IDS system, one could redirect traffic to a _______ and analyze the pattern of attack

• Honeypot

Which type of IDS uses statistical models and machine learning algorithms to detect anomalies?

• Host-based IDS (HIDS)
• Behavior-based IDS (BIDS)
• Network-based IDS (NIDS)
• Signature-based IDS (SIDS)

The agent captures each audit record produced by the native audit collection system. A filter is applied that retains only those records that are of security interest. These records are then reformatted into a standardized format

• Host Audit Record (HARD)

What is the primary purpose of an anomaly-based IDS?

• To detect deviations from normal behavior and flag potential intrusions
• To detect known patterns or signatures of known threats
• To analyze network traffic for known vulnerabilities
• To encrypt network traffic

How many bytes is each logical block in GPT?

• 256
• 128
• 512
• 1,024

Which of the following should be considered before planning and evaluating the budget for the forensic investigation case?

• Breakdown of costs into daily and annual expenditure
• Current media coverage of high-profile computer crimes
• Past success rate as a measure of value
• Use of outdated, but trusted, technologies

Which field is the standard identifier set to CD001 for a CD-ROM compliant to the ISO 9660 standard?

• Third
• Fourth
• Second
• First

Collects data from data source, forwards to analyzer.

• Sensors (DMX)

A material that neither absorbs nor reflects microwave energy is

• glass

Target Acquisition and Information Gathering, Initial Access, Privilege Escalation, Covering Tracks

• Intruder Behaviors

Which of the following is NOT a common phase in the operation of an IDS?

• Evasion
• Detection
• Alerting
• Logging

Uses a set of known malicious data patterns (signatures) or attack rules (heuristics) that are compared with current behavior to decide if it is of an intruder. Also known as misuse detection. Only can identify known attacks for which it has patterns/rules.

• Signature/Heuristic Detection

MBR almost always refers to the partition sector of a disk also known as:

• Primary Boot Record (PBR)
• 512-byte boot sector
• 256-byte boot sector
• First Boot Record (FBR)

Which LBA stores the protective MBR?

• LBA 2
• LBA 3
• LBA 0
• LBA 1

What is the main difference between Intrusion Detection Systems (IDS) and antivirus software?

• IDS monitors and detects suspicious activities and potential security breaches, while antivirus software detects and removes malicious software
• IDS encrypts network traffic, while antivirus software monitors host-based activities
• IDS can block all incoming network traffic, while antivirus software cannot
• IDS only detects known threats, while antivirus software detects both known and unknown threats

Which of the following is an advantage of using a host-based IDS (HIDS)?

• It can monitor network traffic for suspicious activities.
• It can provide detailed information about activities on a specific host.
• It can detect network-based attacks.
• It can analyze behavior patterns across the entire network.

Which of the following is a potential limitation of using MAC filtering in network security?

• MAC addresses can be spoofed or changed by attackers
• It is resource-intensive and slows down network performance
• It generates too many false positives
• It is difficult to configure and maintain

A visual evaluation to verify or confirm that something appears as desired is a(n)

• inspection

An intrusion system that allows multiple signals from several sensors to be sent and received over a single communications line is a(n)

• multiplex system

In a wet or corrosive environment, and exterior wall and any security systems equipment must be separated by at least

• 1/4 inch

What is the primary purpose of an Intrusion Detection and Prevention System (IDPS)?

• To detect and respond to suspicious activities and potential security breaches
• To encrypt network traffic
• To monitor network traffic for known vulnerabilities
• To improve network performance

Which of the following ISO 9660–compliant portions of a compact disc describes the location of the contiguous root directory similar to the super block of the UNIX file system?

• The primary track sector
• The secondary volume descriptor
• The primary volume descriptor
• The secondary track sector

What is the main limitation of using encryption to bypass IDS detection?

• It generates too many false positives.
• It is not effective against known threats.
• It can hide the content of network traffic from the IDS.
• It requires extensive computational resources.

A NFM can create problems if bad traffic is being ______ to look like good traffic

• spoofed

A _______ _____ determines what action to take given a specific attack

• Response module

T/F IDSs don't have false positives or negatives

• F (Susceptible to the same problem as a regular security system)

Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics. Good because they are simple/low computation cost, but are difficult to pick which metrics you should use and you can't determine all kinds of behaviors.

• Statistical Approach

Which of the following is NOT used in the calculation of HDD density?

• Area density
• Bit density
• Block density
• Track density

Situation where an intruder is not identified as an intruder.

• False Negative

What does the term "false positive" mean in the context of IDS?

• An alert generated by the IDS for normal network activity
• An alert generated by the IDS for a confirmed intrusion
• An alert generated by the IDS for a known threat
• An alert generated by the IDS for a false alarm

Which of the following is not a common type of IDS?

• Host-based IDS (HIDS)
• Network-based IDS (NIDS)
• Internet-based IDS (IBIDS)
• Application-based IDS (AIDS)

The human that is the primary user of the IDS manager. The operator often monitors the output of the IDS and initiates or recommends further action.

• Operator

A _____ _____ ______ filters out all known safe traffic, reducing the load on more detailed filters

• Network Filter Module

What does the term "zero-day vulnerability" refer to in the context of network security?

• To monitor network traffic for suspicious activities
• To analyze network traffic for known vulnerabilities
• A security vulnerability that is unknown to the vendor or public and has no available fix
• To generate alerts for suspicious activities

Application Layer and reconnaissance attacks, Transport Layer reconnaissance and attacks, Network Layer Reconnaissance and attacks, Unexpected application services, and policy violations

• Types of attacks that are suitable for NIDS signature detection

Which of the following statements is correct with regard to piezoelectric sensor installation?

• the detector is mounted 6 to 8 feet from floor

Either individuals or members of an organized crime group with a goal of financial award. To achieve this, their activities may include identity theft, theft of financial credentials, corporate espionage, data theft, or data ransoming. Meet in underground forums to coordinate attacks.

• Cyber Criminals

UL local Grade B control panels have how many seconds of attack resistance?

• 45 seconds

Which of the following sets the standard for companies that install certificated burglar and fire alarm systems?

• UL (underwriters laboratory)

A characteristic of a motor-driven bell is that it

• is not susceptible to electrical interference

Packet Decoder, Detection Engine, Logger, Alerter

• Four Logical Components of SNORT

Which of the following is a passive IDS?

• Snort
• Suricata
• Bro
• Zeek

T/F A strength of host based IDSs is that they reduce false positives

• T

A ____ based IDS is limited to a single system, and verify what HAS happened rather than what MIGHT have happened

• Host

Which of the following is NOT a consideration during a cybercrime investigation?

• Presentation of admissible evidence
• Value or cost to the victim
• Collection of clues and forensic evidence
• Analysis of digital evidence

A Host based IDS has more ________ than network IDSs; they closely target malicious activity for single OSs

• resolution

What is the primary goal of an IDS evasion technique?

• To make the IDS generate fewer false positives
• To make the IDS generate more alerts
• To bypass or avoid detection by the IDS
• To slow down network traffic

alerts that are generated when the gossip traffic enables a platform to conclude that an attack is underway.

• DDI Events

Where the attacker disables or edits audit logs, to remove evidence of attack activity, and uses rootkits and other measures to hide covertly installed files or code.

• Covering Tracks

T/F Taps only allow monitoring

• T

Which of the following is a common technique used in a SYN Flood attack?

• To analyze network traffic
• Sending a flood of SYN packets to exhaust server resources
• Generating alerts for suspicious activities
• Slowing down network traffic

Most modern operating systems include accounting software that collects information on user activity. The advantage of using this information is that no additional collection software is needed. The disadvantages are that the audit records may not contain the needed information or may not contain it in a convenient form, and that intruders may attempt to manipulate these records to hide their actions.

• Audit (log file) records

Which of the following is a potential drawback of using honeypots for network security?

• False positives can occur if legitimate users interact with the honeypot.
• It is difficult to set up and configure.
• It requires extensive computational resources.
• Honeypots are easily detected by attackers.

Where the attacker identifies and characterizes the target systems using publicly available information, both technical/non- technical and the use of network exploration tools to map target resources.

• Target Acquisition and Information Gathering

What is the main difference between Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)?

• IDS only detect and alert, while IPS can detect and actively block intrusions.
• IPS only detect and alert, while IDS can detect and actively block intrusions.
• IDS only detect and alert, while IPS cannot block intrusions.
• IPS only detect and alert, while IDS cannot block intrusions.

Most Network based IDSs are ______ in nature

• modular

Network IDSs are best deployed in places that they can see _____ of interest

• traffic

ID component or process that analyzes the data collected by the sensor for signs of unauthorized/undesired activity or for events that may be of interest to the security admin. Sometimes the sensor/analyzer can be part of the same component.

• Analyzer (DMX)

Which Windows operating system powers on and starts up using either the traditional BIOS-MBR method or the newer UEFI-GPT method?

• Windows 10
• Windows 7
• Windows Vista
• Windows XP

Which of the following is important to consider when installing a bell?

• use large gauge wire to prevent weak output from line loss

Which of the following is NOT a common evasion technique used to bypass IDS?

• Multifactor authentication
• Encryption
• Obfuscation
• Fragmentation

Which of these conditions are a vulnerability factor for a magnetic switch sensors?

• vibration sensitive

Software that exists that can import and analyze data from a variety of sources, sensors, and products. May rely on standardized protocols.

• Security information and event management (SIEM)

What is a common evasion technique used to bypass signature-based IDS?

• Polymorphic malware
• Heuristic analysis
• Behavior analysis
• Encryption

IDS systems in the late 1980s used automated ___ _______

• log parsers

T/F Host based IDSs require no additional hardware or network infrastructure

• T

Which field type refers to the volume descriptor as a primary?

• Number 3
• Number 1
• Number 2
• Number 0

Which item describes the following UEFI boot process phase? (The phase of EFI consisting of initialization code the system executes after powering the system on, manages platform reset events, and sets the system state.)

• BDS (Boot Device Selection) Phase
• PEI (Pre-EFI Initialization) Phase
• DXE (Driver Execution Environment) Phase
• SEC (Security) Phase

In ______ Net IDS screening, the IDS is implemented in promiscuous mode to monitor traffic to all hosts. It may be hidden so as to not send traffic.

• Passive

Which of the following specifications is used as a standard to define the use of file systems on CD-ROM and DVD media?

• ISO 9431
• ISO 6990
• ISO 1349
• ISO 9660

Which of the following is an example of a well-known NIDS tool?

• Snort
• Wireshark
• SELinux
• Nmap

NIDs typically analyze IPv4, IPv6, ICMP, and IGMP at this level. Examples of attacks are spoofed IP addresses and illegal IP header values.

• Network Layer reconnaissance and attacks

Group the observed data into clusters based on some similarity or distance measure, and then identify subsequent data as either belonging to a cluster or as an outlier.

• Clustering and outlier detection

Which of the following is NOT a type of flash-based memory?

• Double-level cell (DLC)
• Single-level cell (SLC)
• Multi-level cell (MLC)
• Triple-level cell (TLC)

Either individuals, usually working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes. Known as hacktivists. Often of a low skill level. Aim of attack is to promote/publicize their cause, typically through website defacement, DoS, or theft of data.

• Activists

Which LBA will be the first usable sector?

• LBA 36
• LBA 33
• LBA 35
• LBA 34

What does the term "false negative" mean in the context of IDS?

• An alert generated by the IDS for normal network activity
• An alert generated by the IDS for a confirmed intrusion
• A failure of the IDS to detect a real intrusion
• An alert generated by the IDS for a false alarm

Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.

• Network-based IDS

Receive input from one or more sensors or from other of themselves. Responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. The output may include evidence supporting the conclusion that an intrusion occurred.

• Analyzers

Which of the following is NOT part of the Computer Forensics Investigation Methodology?

• Secure the evidence.
• Collect the evidence.
• Destroy the evidence.
• Assess the evidence.

What is a standard partitioning scheme for hard disks and part of the Unified Extensible Firmware Interface (UEFI)?

• UEFI Partition Table (UPT)
• Universal Partition Table (UPT)
• General Partition Table (GPT)
• GUID Partition Table (GPT)

What does the term "payload" refer to in the context of network traffic?

• To monitor network traffic for suspicious activities
• To generate alerts for suspicious activities
• The actual data or information being transmitted in the network
• To analyze behavior patterns across the entire network

A tap has ___ interfaces representing the traffic crossing it

• two

Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion.

• Central manager module

Uses techniques inspired by evolutionary biology, including inheritance, mutation, selection and recombination, to develop classification rules.

• Genetic Algorithms

Which type of IDS is typically used to monitor web applications and protect against web-based attacks?

• Host-based IDS (HIDS)
• Web Application Firewall (WAF)
• Network-based IDS (NIDS)
• Behavior-based IDS (BIDS)

Which of the following is NOT an element of cybercrime?

• Fast-paced speed
• Smaller evidence in size
• Anonymity through masquerading
• Volatile evidence

The initial access to a target system, typically by exploiting a remote network vulnerability, by guessing weak authentication credentials used in a remote service, or via the installation of malware on the system using some form of social engineering or drive-by download.

• Initial Access

Spread among hosts can be detected in more than one way. Some worms propagate quickly and use large amounts of bandwidth. Worms can also be detected because they can cause hosts to communicate with each other that typically do not, and they can also cause hosts to use ports which they normally don't' use. Many worms also perform scanning.

• Worms

GUIDs are displayed as how many hexadecimal digits with groups separated by hyphens?

• 64
• 128
• 32
• 256

Which component of an IDS is responsible for collecting data and network traffic?

• Console
• Sensor
• Analyzer
• Logger

A local intrusion detection system alerts

• only the occupants of a secured area

What is the primary function of a network-based IDS (NIDS)?

• To monitor and protect individual hosts
• To monitor network traffic for suspicious activities and threats
• To encrypt network traffic
• To analyze application-layer data

Most NIDS technologies analyze several dozen application protocols, such as DHCP, DNS, FTP, HTTP, IMAP, IRC, NFS, POP, RSH, Remote Procedure Call, SIP, Server Message Block, SMTP, SNMP, Telnet., as well as database protocols, IM applications, and peer-to-peer file sharing software. The NIDS is looking for attack patterns that have been identified as targeting these protocols. Attack examples include buffer overflows, password guessing, and malware transmission.

• Application Layer reconnaissance and attacks:

What is the primary goal of obfuscation in the context of IDS evasion?

• To slow down network traffic
• To make malicious code or traffic appear benign or non-malicious
• To generate more alerts in the IDS
• To encrypt network traffic

The danger of a short transmission link on an outdoor microwave installation is the signal will be too

• strong preventing intruders from reflecting a significant signal

A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

• Security Intrusion

A control panel output that is taken directly from a transistor is a(n)

• open collector outputs

Approaches automatically determine a suitable classification model from the training data using data mining techniques. Disadvantage is that this process typically requires significant time and computational resources, but once it's done, it has a good analysis. Uses data mining techniques.

• Machine Learning Approach

A common approach to detecting intruder activity on a system is to periodically scan critical files for changes from the desired baseline, by comparing a current cryptographic checksums for these files, with a record of known good values. Disadvantages include the needed to generate and protect the checksums using known good files, and the difficulty monitoring changing files. Tripwire is an example.

• File integrity checksums

A Host based IDS contains automated log parsers that check system and application logs for ________

• anomalies

Leakage current is drained by the intrusion control

• grounding system

Which of these is a major requirement of an outdoor microwave installation?

• prevent undesirable spread of a microwave beams

The NIDS attempts to determine if the activity on a transport connection is consistent with the expected application protocol. An example is a host running an unauthorized application service.

• Unexpected application services

Which of the following is NOT a common type of denial-of-service (DoS) attack?

• Phishing
• Distributed Denial of Service (DDoS)
• Smurf Attack
• SYN Flood

Alarm wires and power, lighting, or Class 1 circuits must be separated by at least

• 2 inches

What is the purpose of the "correlation" phase in the operation of an IDS?

• To generate alerts
• To analyze data from multiple sources and determine if an intrusion has occurred
• To collect and store event data
• To record information about events for analysis and reporting

Which of the following UNIX/Linux commands can be used to help back up and restore the MBR?

• BB
• FDISK
• DD
• CP

Enables a user to view output from the system or control the behavior of the system. May be the manager/director/console component.

• User Interface

Data sources, sensor, analyzer, administrator, manager, operator

• Components of the model on which the intrusion detection messsage exchange is based

What is the primary advantage of behavior-based IDS?

• It can detect previously unknown threats and zero-day attacks.
• It is easy to configure and maintain.
• It has a low rate of false positives.
• It relies on known patterns or signatures.

More common than inline sensors. They monitor a copy of network traffic; the actual traffic does not pass through the device. From the point of view of traffic flow, the passive sensor is more efficient than an inline sensor, because it does not add an extra handling step that contributes to packet delay.

• Passive Sensors

The human with overall responsibility for setting the security policy of the organization, and thus, for decisions about deploying and configuring the IDS.

• Administrator

High level tech skills capable of discovering brand new categories of vulnerabilities, or writing new powerful attack toolkits.

• Master

Which of the following Federal Rules of Evidence contains Rulings on Evidence?

• Rule 105
• Rule 101
• Rule 102
• Rule 103

Such attacks involve either significantly increased packet traffic or significantly increase connection attempts, in an attempt to overwhelm the target system.

• Denial of Service Attack

Groups of hackers sponsored by governments to conduct espionage or sabotage activities. Known also as Advanced Persistent Threats due to covert nature and persistence over extended periods involved with many attacks in this class.

• State-sponsored organizations

T/F IDSs are Operating System independent.

• T

Which of the following is NOT where potential evidence may be located?

• Thumb drive
• Digital camera
• Smart card
• Processor

Actions taken on the system, typically via a local access vulnerability, to increase the privileges available to the attacker to enable their desired goals on the target system.

• Privilege Escalation

Occurs when an attacker probes a target network/system by sending different kinds of packets. Using the responses received from the target, the attacker can learn many of the system's characteristics and vulnerabilities. Thus acts as a target identification tool for an attacker. Scanning can be detected by atypical flow patterns at the application layer, transport layer, and network layer.

• Scanning

On Macintosh computers, which architecture utilizes EFI to initialize the hardware interfaces after the BootROM performs POST?

• PowerPC
• Intel
• SPARC
• ARM

Network IDSs are usually limited in scope by __________ to external attacks

• architecture

Which of the following basic partitioning tools displays details about GPT partition tables in Linux OS?

• Fdisk
• GNU Parted
• Disk Utility
• DiskPart

Which of the following is a potential advantage of using IDS in a cloud environment?

• Scalability to adapt to dynamic cloud workloads
• Improved network encryption
• Reduced need for regular updates and maintenance
• Decreased risk of false positives

This document defines requirements for the Intrusion Detection Message Exchange Format (IDMEF) and the requirements for a communication protocol for communicating IDMEF.

• Intrusion Detection Message Exchange Requirements

Responsible for collecting data. The input may be any part of a system that could contain evidence of an intrusion. Types of input to these includes network packets, log files, and system call traces.

• Sensors

In ______ Net IDS screening, the IDS is installed in-line with the traffic flow so all traffic must pass through the IDS system.

• Active

Minimal technical skill who primarily use existing attack toolkits. Likely comprise the largest number of attackers, including many criminal and activist hackers. "script-kiddies"

• Apprentice

The type of magnetic switch that is most difficult for an intruder to defeat is

• balanced magnetic reed

Examples include use of inappropriate websites and use of forbidden application protocols.

• Policy Violations

Events from various sources are collected by intermediate collection points such as firewalls, IDSs, or servers that serve a specific segment of a network. These events are summarized for delivery to the central policy system.

• Summary Events

Decoy systems that are designed to lure a potential attacker away from critical systems. designed to:Divert an attacker from accessing critical systems.Collect information about the attacker's activity.Encourage the attacker to stay on the system long enough for administrators to respond.

• Honeypot

An _____ __________ ______ determines if remaining traffic represents an attack, as well as the severity of the attack.

• Attack recognition module

T/F A host based IDS can provide coverage for multiple machines

• F (Only a single host)

Host-based, Network-based, Distributed/Hybrid

• Types of IDSs

T/F A Network IDS can protect system specific files

• F (cannot)

What does the term "honeypot" refer to in the context of network security?

• A decoy system or network designed to lure and monitor attackers
• A type of IDS sensor
• A form of encryption
• A tool for analyzing network traffic

Match a large collection of known patterns of malicious data against data stored on a system or in transit over a network. The signatures need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data. This approach is widely used in anti-virus products.

• Signature Approaches

Inline or Passive Mode

• 2 types of network sensors

Which of the following is one of the five UEFI boot process phases?

• PAI Phase
• PEI Phase
• BSD Phase
• PIE Phase

When blocking traffic, one can close the connection by sending a TCP ___ flag to both ends

• FIN

Which of the following is a common technique used to detect covert channels in network traffic?

• Traffic analysis
• Port scanning
• MAC filtering
• IP address randomization

What is the purpose of signature-based detection in an IDS?

• To identify new and unknown threats
• To detect known patterns or signatures of known threats
• To analyze network traffic for anomalies
• To block all incoming network traffic

Statistic Packet Anomaly Detection Engine (SPADE)

• Popular NIDS product

Which of these is vulnerable to false alarms from large pets and are easily circumvented if an intruder steps over them

• pressured mats

Summary events, DDI events, PEP events

• Types of input that guide the actions of a SIEM central System

Which of the following is a potential drawback of using an Intrusion Detection and Prevention System (IDPS)?

• False positives can disrupt legitimate network traffic and operations
• It generates too many false negatives
• It cannot detect known threats
• It requires extensive computational resources

Which of these electric field sensors is considered the most reliable?

• triple wire

Host agent module, LAN monitor agent module, central manager module

• 3 Main Components of the UC-Davis distributed HIDS

The means by which programs access core kernel functions, providing a wide range of interactions with the low-level operating systems functions.

• Systems Calls

Which cmdlet can investigators use in Windows PowerShell to parse GPTs of both types of hard disks, including the ones formatted with either UEFI or MBR?

• Get-GPT
• Get-MBR
• Get-BootSector
• Get-PartitionTable

Which of the following is true with regard to magnetic switch sensor installation?

• mounted door on ill fitting door may lead to premature failure of the sensor

Which item describes the UEFI boot process phase in which the majority of the initialization occurs?

• PEI (Pre-EFI Initialization) Phase
• DXE (Driver Execution Environment) Phase
• BDS (Boot Device Selection) Phase
• RT (Run Time) Phase

Data is transmitted from the keypad to a decoder through twisted pair or shielded twisted pair cable in a(n)

• serial data

A notification device that uses a clapper to strike a gong is a

• bell

What is the primary goal of a Distributed Denial of Service (DDoS) attack?

• To analyze network traffic
• To overwhelm a system or network, making it unavailable to users
• To use multiple compromised devices to flood a target with traffic
• To generate alerts for suspicious activities

Which group of value is needed to compute standby battery capacity?

• total normal amps, total alarm amps, de-rating factor

What is the primary purpose of a Intrusion Detection System (IDS) in a cloud environment?

• To analyze network traffic
• To improve network performance
• To generate alerts for suspicious activities
• To monitor and detect potential intrusions and security threats in the cloud environment

Low Interaction or High Interaction

• Honeypots Classified As Either

A weakness of Host based IDS systems is that each host must maintain its own ___

• IDS

Involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses. Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage. Typically the rules are specific to the machine/OS.

• Rule-based heuristic identification

What is the primary goal of a denial-of-service (DoS) attack?

• To analyze network traffic
• To overwhelm a system or network, making it unavailable to users
• To generate alerts for suspicious activities
• To slow down network traffic

Building control circuits that are powered and controlled by a fire alarm system are governed by

• NEC 760

Because individual hosts must maintain host IDSs, there is increased ___________ and reduced system _________.

• administration, performance

Which of the following is a potential drawback of using a firewall in network security?

• It generates too many false positives
• It is ineffective against known threats
• It can create a single point of failure in the network
• It requires extensive computational resources