CertiGuide to Security+  9  Chapter 7:  Practice Exam Answers

Answers to Questions 36-40 1 Answers to Questions 46-50

41. What technology is being used to detect anomalies?

A. IDS

B. FRR

C. Sniffing

D. Capturing

Explanation: Intrusion Detection is a quickly evolving domain of expertise. In the past year we have seen giant steps forward in this area. We are now seeing IDS engines that will detect anomalies, and that have some built-in intelligence. It is no longer a simple game of matching signatures in your network traffic.

& Section 2.3.3.3: Packet Sniffing

& Section 3.1.9: IDS (Intrusion Detection System)

& Section 3.4: Intrusion Detection

42. IDSs can be described in terms of what fundamental functional components?

A. Information Sources

B. Analysis

C. Response

D. No Answer is Correct

Explanation: Many IDSs can be described in terms of three fundamental functional components:

• Information Sources: The different sources of event information used to determine whether an intrusion has taken place. These sources can be drawn from different levels of the system, with network, host, and application monitoring most common.
  
  
• Analysis: The part of intrusion detection systems that actually organizes and makes sense of the events derived from the information sources, deciding when those events indicate that intrusions are occurring or have already taken place. The most common analysis approaches are misuse detection and anomaly detection.
  
  
• Response: The set of actions that the system takes once it detects intrusions. These are typically grouped into active and passive measures, with active measures involving some automated intervention on the part of the system, and passive measures involving reporting IDS findings to humans, who are then expected to take action based on those reports.

& Section 2.3.3.3: Packet Sniffing

& Section 3.1.9: IDS (Intrusion Detection System)

& Section 3.4: Intrusion Detection

43. Host-based IDSs normally utilize information from which of the following sources?

A. Operating system audit trails and system logs

B. Operating system audit trails and network packets

C. Network packets and system logs

D. Operating system alarms and system logs

Explanation: Host-based IDSs normally utilize information sources of two types, operating system audit trails, and system logs. Operating system audit trails are usually generated at the innermost (kernel) level of the operating system, and are therefore more detailed and better protected than system logs. However, system logs are much less obtuse and much smaller than audit trails, and are furthermore far easier to comprehend. Some host-based IDSs are designed to support a centralized IDS management and reporting infrastructure that can allow a single management console to track many hosts. Others generate messages in formats that are compatible with network management systems.

Host-based systems do not generally use network packets (although some may inspect all packets destined for the particular host in question). Similarly, they traditionally rely on logs rather than on real-time alarms.

& Section 2.3.3.3: Packet Sniffing

& Section 3.1.9: IDS (Intrusion Detection System)

& Section 3.4: Intrusion Detection

& Section 3.4.2: Host Based (Intrusion Detection)

44. What is known as decoy system designed to lure a potential attacker away from critical systems?

A. Vulnerability Analysis Systems

B. Honey Pots

C. Padded Cells

D. File Integrity Checker

Explanation: Honey pots are decoy systems that are designed to lure a potential attacker away from critical systems. Honey pots are designed to:

Divert an attacker from accessing critical systems,

Collect information about the attacker's activity, and encourage the attacker to stay on the system long enough for administrators to respond.

Vulnerability analysis systems measure a system or network's vulnerability to attack, not whether or not an attack has occurred. File Integrity Checkers are used to see if system files have been altered by an attacker.

& Section 3.4.3: Honey Pots

45. A simple firewall screening method is to screen requests and ensure that they come from:

A. Acceptable domain name and IP addresses

B. Acceptable domain name and IGMP addresses

C. Acceptable domain name and phone numbers

D. Acceptable IP addresses and CA

Explanation: There is a number of firewall screening methods. A simple one is to screen requests to make sure they come from acceptable (previously identified) domain name and Internet Protocol addresses. For mobile users, firewalls allow remote access in to the private network by the use of secure logon procedures and authentication certificates.

IGMP is a routing protocol, not an addressing scheme. Phone numbers are not directly related to IP addresses.

& Section 3.1.1: Firewalls

Answers to Questions 36-40 1 Answers to Questions 46-50