Like this CertiGuide? Get it in PDF format!
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!
Get It Here!

Custom Search

Table Of Contents  CertiGuide to Security+
 9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)

Previous Topic/Section
3.7  Success Questions
Previous Page
Pages in Current Topic/Section
Next Page
Chapter 4:  Basics of Cryptography (Domain 4.0; 15%)
Next Topic/Section

3.8  Success Answers

1. IDSes can be described in terms of what fundamental functional components?

A. Information Sources

B. Analysis

C. Response

D. No Answer is Correct

Explanation: Many IDSs can be described in terms of three fundamental functional components:

  • Information Sources: The different sources of event information used to determine whether an intrusion has taken place. These sources can be drawn from different levels of the system, with network, host, and application monitoring most common.

  • Analysis: The part of intrusion detection systems that actually organizes and makes sense of the events derived from the information sources, deciding when those events indicate that intrusions are occurring or have already taken place. The most common analysis approaches are misuse detection and anomaly detection.

  • Response: The set of actions that the system takes once it detects intrusions. These are typically grouped into active and passive measures, with active measures involving some automated intervention on the part of the system, and passive measures involving reporting IDS findings to humans, who are then expected to take action based on those reports.


2. The majority of commercial intrusion detection systems are:

A. Network-based

B. Host-based

C. Identity-based

D. Signature-based

Explanation: The majority of commercial intrusion detection systems are network-based. These IDSs detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment, thereby protecting those hosts.

Historically, IDS started out as host-based, which is the other major type of IDS. Identity-based and signature-based are not types of IDS.


3. Which of the following is a drawback of Network-based IDSs?

A. It cannot analyze encrypted information.

B. It is very costly to set up.

C. It is very costly to manage.

D. It is not effective

Explanation: Network-based IDSs cannot analyze encrypted information. This problem is increasing as more organizations (and attackers) use virtual private networks. Most network-based IDSs cannot tell whether or not an attack was successful; they can only discern that an attack was initiated. This means that after a network-based IDS detects an attack, administrators must manually investigate each attacked host to determine whether it was indeed penetrated.


4. Host-based IDSs normally utilize information from which of the following sources?

A. Operating system audit trails and system logs

B. Operating system audit trails and network packets

C. Network packets and system logs

D. Operating system alarms and system logs

Explanation: Host-based IDSs normally utilize information sources of two types, operating system audit trails, and system logs. Operating system audit trails are usually generated at the innermost (kernel) level of the operating system, and are therefore more detailed and better protected than system logs. However, system logs are much less obtuse and much smaller than audit trails, and are furthermore far easier to comprehend. Some host-based IDSs are designed to support a centralized IDS management and reporting infrastructure that can allow a single management console to track many hosts. Others generate messages in formats that are compatible with network management systems.

Host-based systems do not generally use network packets (although some may inspect all packets destined for the particular host in question). Similarly, they traditionally rely on logs rather than on real-time alarms.


5. What is known as a decoy system designed to lure a potential attacker away from critical systems?

A. Vulnerability Analysis System

B. Honey Pot

C. Padded Cell

D. File Integrity Checker

Explanation: Honey pots are decoy systems that are designed to lure a potential attacker away from critical systems. Honey pots are designed to:

  • Divert an attacker from accessing critical systems,

  • Collect information about the attacker's activity, and encourage the attacker to stay on the system long enough for administrators to respond.

Vulnerability analysis systems measure a system or network's vulnerability to attack, not whether or not an attack has occurred. File Integrity Checkers are used to see if system files have been altered by an attacker.


6. Which of the following attacks can force a browser to come to your WWW server instead of the real site?

A. DNS spoofing

B. Hijacking

C. Man in the middle

D. Land attack

Explanation: There are vulnerabilities in the Netscape and Internet Explorer browsers. Using DNS spoofing to force a browser to come to your WWW server instead of the real site can demonstrate the ability to attack web clients.

Hijacking can be used behind the scenes to accomplish the same results in some circumstances but requires more work on the attacker's part and does not necessarily involve redirection to a separate site. MITM attacks generally do not involve browser redirection. Land attacks are network-level attacks.


7. A PBX with a maintained modem attached should

A. Be turned off except during actual maintenance periods

B. Have strong authentication for use

C. Be left on for high priority updates to the PBX software

D. PBXes don't use modems

Explanation: All but the smallest PBX systems can be updated by a modem. It is very easy to get default passwords and syntax for most PBX systems. Leaving the maintenance modem on is like leaving the key to the front door in the lock when going home at night.


8. When backing up using tape the administrator needs to

A. Periodically confirm the tape is still valid

B. Clean the tape drive

C. Store the tape off-site in a secured area

D. All of these choices are correct

E. No choice is correct

Explanation: More than one company has found that storing tape in a high security area off site still needs to check the tapes. In one case a freezer running in an adjoining security area erased the tapes. The motor running the compressor created enough EMI to erase the tapes in the adjoining area.


9. Choose the technology that enables the use of one-time passwords or pass phrases.

A. Biometrics

B. Smartcards

C. Genius cards

D. USB hub

E. No choice is correct

Explanation: Smart cards and other access tokens rely on one-time-only passwords, challenge-response phrases or public-key security to dramatically increase authentication strength.

Biometrics involves unique physical characteristics, not passwords or tokens. USB hubs do not require passwords.


10. Classic ON/NOS hardening includes

A. Disabling unneeded protocols and services

B. Applying patches

C. Monitoring email and web sites for new issues

D. All choices are correct

Explanation: This one is pretty self-explanatory. Some good web links for different operating systems include:

Previous Topic/Section
3.7  Success Questions
Previous Page
Pages in Current Topic/Section
Next Page
Chapter 4:  Basics of Cryptography (Domain 4.0; 15%)
Next Topic/Section

If you find useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $

Home - Table Of Contents - Contact Us

CertiGuide for Security+ ( on
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.