SSCP : System Security Certified Practitioner (SSCP) : Part 42

  1. As a result of a risk assessment, your security manager has determined that your organization needs to implement an intrusion detection system that can detect unknown attacks and can watch for unusual traffic behavior, such as a new service appearing on the network. What type of intrusion detection system would you select?

    • Protocol anomaly based
    • Pattern matching
    • Stateful matching
    • Traffic anomaly-based

    Explanation:

    Traffic anomaly-based is the correct choice. An anomaly-based IDS can detect unknown attacks. A traffic anomaly-based IDS identifies any unacceptable deviation from expected behavior based on network traffic.

    Protocol anomaly-based is not the best choice: while a protocol anomaly-based IDS can identify unknown attacks, this type of system is better suited to identifying deviations from established protocol standards such as HTTP, and it has difficulty analyzing complex or custom protocols.

    Pattern matching is not the best choice, as a pattern matching IDS cannot identify unknown attacks. This type of system can only compare packets against signatures of known attacks.

    Stateful matching is not the best choice, as a stateful matching IDS cannot identify unknown attacks. This type of system works by scanning traffic streams for patterns or signatures of attacks.

    Reference:
    Official Guide to the CISSP CBK, pages 198 to 201.

  2. Which of the following is NOT a characteristic of a host-based intrusion detection system?

    • A HIDS does not consume large amounts of system resources
    • A HIDS can analyse system logs, processes and resources
    • A HIDS looks for unauthorized changes to the system
    • A HIDS can notify system administrators when unusual events are identified
    Explanation:

    A HIDS does not consume large amounts of system resources is the correct choice. HIDS can consume inordinate amounts of CPU and system resources in order to function effectively, especially during an event.

    All the other answers are characteristics of HIDSes.

    A HIDS can:

    – scrutinize event logs, critical system files, and other auditable system resources;
    – look for unauthorized changes or suspicious patterns of behavior or activity;
    – send alerts when unusual events are discovered.

    Reference:
    Official Guide to the CISSP CBK, pages 197 to 198.

  3. Network-based Intrusion Detection systems:

    • Commonly reside on a discrete network segment and monitor the traffic on that network segment.
    • Commonly will not reside on a discrete network segment and monitor the traffic on that network segment.
    • Commonly reside on a discrete network segment and does not monitor the traffic on that network segment.
    • Commonly reside on a host and monitor the traffic on that specific host.
    Explanation:

    Network-based ID systems:
    – Commonly reside on a discrete network segment and monitor the traffic on that network segment
    – Usually consist of a network appliance with a Network Interface Card (NIC) that is operating in promiscuous mode and is intercepting and analyzing the network packets in real time

    “A passive NIDS takes advantage of promiscuous mode access to the network, allowing it to gain visibility into every packet traversing the network segment. This allows the system to inspect packets and monitor sessions without impacting the network, performance, or the systems and applications utilizing the network.”

    NOTE FROM CLEMENT:
    A discrete network is a synonym for a SINGLE network. Usually the sensor will monitor a single network segment; however, there are IDSs today that allow you to monitor multiple LANs at the same time.

    References used for this question:

    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 62.
    and
    Official (ISC)2 Guide to the CISSP CBK, Hal Tipton and Kevin Henry, Page 196
    and
    Additional information on IDS systems can be found here: http://en.wikipedia.org/wiki/Intrusion_detection_system

  4. Which of the following is required in order to provide accountability?

    • Authentication
    • Integrity
    • Confidentiality
    • Audit trails
    Explanation:

    Accountability can actually be seen in two different ways:

    1) Although audit trails are also needed for accountability, no user can be accountable for their actions unless properly authenticated.

    2) Accountability is another facet of access control. Individuals on a system are responsible for their actions. This accountability property enables system activities to be traced to the proper individuals. Accountability is supported by audit trails that record events on the system and network. Audit trails can be used for intrusion detection and for the reconstruction of past events. Monitoring individual activities, such as keystroke monitoring, should be accomplished in accordance with the company policy and appropriate laws. Banners at the log-on time should notify the user of any monitoring that is being conducted.

    The point is that unless you employ an appropriate auditing mechanism, you don’t have accountability. Authorization only gives a user certain permissions on the network. Accountability is far more complex because it also includes intrusion detection, unauthorized actions by both unauthorized users and authorized users, and system faults. The audit trail provides the proof that unauthorized modifications by both authorized and unauthorized users took place. No proof, No accountability.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 50.

    The Shon Harris AIO book, 4th Edition, on Page 243 also states:

    Auditing capabilities ensure users are accountable for their actions, verify that the security policies are enforced,
    and can be used as investigation tools. Accountability is tracked by recording user, system, and application activities.
    This recording is done through auditing functions and mechanisms within an operating system or application.
    Audit trails contain information about operating system activities, application events, and user actions.

  5. Which of the following is NOT a valid reason to use external penetration service firms rather than corporate resources?

    • They are more cost-effective
    • They offer a lack of corporate bias
    • They use highly talented ex-hackers
    • They ensure a more complete reporting
    Explanation:

    Two points are important to consider when it comes to ethical hacking: integrity and independence.

    By not using an ethical hacking firm that hires or subcontracts to ex-hackers or others who have criminal records, an entire subset of risks can be avoided by an organization. Also, it is not cost-effective for a single firm to fund the effort of the ongoing research and development, systems development, and maintenance that is needed to operate state-of-the-art proprietary and open source testing tools and techniques.

    External penetration firms are more effective than internal penetration testers because they are not influenced by any previous system security decisions, knowledge of the current system environment, or future system security plans. Moreover, an employee performing penetration testing might be reluctant to fully report security gaps.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Appendix F: The Case for Ethical Hacking (page 517).

  6. Several analysis methods can be employed by an IDS, each with its own strengths and weaknesses, and their applicability to any given situation should be carefully considered. There are two basic IDS analysis methods. Which of these basic methods is more prone to false positives?

    • Pattern Matching (also called signature analysis)
    • Anomaly Detection
    • Host-based intrusion detection
    • Network-based intrusion detection
    Explanation:

    Several analysis methods can be employed by an IDS, each with its own strengths and weaknesses, and their applicability to any given situation should be carefully considered.

    There are two basic IDS analysis methods:

    1. Pattern Matching (also called signature analysis), and
    2. Anomaly detection

    PATTERN MATCHING
    Some of the first IDS products used signature analysis as their detection method and simply looked for known characteristics of an attack (such as specific packet sequences or text in the data stream) to produce an alert if that pattern was detected. If a new or different attack vector is used, it will not match a known signature and, thus, slip past the IDS.

    ANOMALY DETECTION
    Alternately, anomaly detection uses behavioral characteristics of a system’s operation or network traffic to draw conclusions on whether the traffic represents a risk to the network or host. Anomalies may include but are not limited to:

    Multiple failed log-on attempts
    Users logging in at strange hours
    Unexplained changes to system clocks
    Unusual error messages
    Unexplained system shutdowns or restarts
    Attempts to access restricted files

    An anomaly-based IDS tends to produce more data because anything outside of the expected behavior is reported. Thus, they tend to report more false positives as expected behavior patterns change. An advantage to anomaly-based IDS is that, because they are based on behavior identification and not specific patterns of traffic, they are often able to detect new attacks that may be overlooked by a signature-based system. Often information from an anomaly-based IDS may be used to create a pattern for a signature-based IDS.

    Host Based Intrusion Detection (HIDS)
    HIDS is the implementation of IDS capabilities at the host level. Its most significant difference from NIDS is that related processes are limited to the boundaries of a single-host system. However, this presents advantages in effectively detecting objectionable activities because the IDS process is running directly on the host system, not just observing it from the network. This offers unfettered access to system logs, processes, system information, and device information, and virtually eliminates limits associated with encryption. The level of integration represented by HIDS increases the level of visibility and control at the disposal of the HIDS application.

    Network Based Intrusion Detection (NIDS)
    NIDS are usually incorporated into the network in a passive architecture, taking advantage of promiscuous mode access to the network. This means that it has visibility into every packet traversing the network segment. This allows the system to inspect packets and monitor sessions without impacting the network or the systems and applications utilizing the network.

    Below you have other ways that intrusion detection can be performed:

    Stateful Matching Intrusion Detection
    Stateful matching takes pattern matching to the next level. It scans for attack signatures in the context of a stream of traffic or overall system behavior rather than the individual packets or discrete system activities. For example, an attacker may use a tool that sends a volley of valid packets to a targeted system. Because all the packets are valid, pattern matching is nearly useless. However, the fact that a large volume of the packets was seen may, itself, represent a known or potential attack pattern. To evade detection, then, the attacker may send the packets from multiple locations with long wait periods between each transmission to either confuse the signature detection system or exhaust its session timing window. If the IDS service is tuned to record and analyze traffic over a long period of time it may detect such an attack. Because stateful matching also uses signatures, it too must be updated regularly and, thus, has some of the same limitations as pattern matching.

    Statistical Anomaly-Based Intrusion Detection
    The statistical anomaly-based IDS analyzes event data by comparing it to typical, known, or predicted traffic profiles in an effort to find potential security breaches. It attempts to identify suspicious behavior by analyzing event data and identifying patterns of entries that deviate from a predicted norm. This type of detection method can be very effective and, at a very high level, begins to take on characteristics seen in IPS by establishing an expected baseline of behavior and acting on divergence from that baseline. However, there are some potential issues that may surface with a statistical IDS. Tuning the IDS can be challenging and, if not performed regularly, the system will be prone to false positives. Also, the definition of normal traffic can be open to interpretation and does not preclude an attacker from using normal activities to penetrate systems. Additionally, in a large, complex, dynamic corporate environment, it can be difficult, if not impossible, to clearly define “normal” traffic. The value of statistical analysis is that the system has the potential to detect previously unknown attacks. This is a huge departure from the limitation of matching previously known signatures. Therefore, when combined with signature matching technology, the statistical anomaly-based IDS can be very effective.

    Protocol Anomaly-Based Intrusion Detection
    A protocol anomaly-based IDS identifies any unacceptable deviation from expected behavior based on known network protocols. For example, if the IDS is monitoring an HTTP session and the traffic contains attributes that deviate from established HTTP session protocol standards, the IDS may view that as a malicious attempt to manipulate the protocol, penetrate a firewall, or exploit a vulnerability. The value of this method is directly related to the use of well-known or well-defined protocols within an environment. If an organization primarily uses well-known protocols (such as HTTP, FTP, or telnet) this can be an effective method of performing intrusion detection. In the face of custom or nonstandard protocols, however, the system will have more difficulty or be completely unable to determine the proper packet format. Interestingly, this type of method is prone to the same challenges faced by signature-based IDSs. For example, specific protocol analysis modules may have to be added or customized to deal with unique or new protocols or unusual use of standard protocols. Nevertheless, having an IDS that is intimately aware of valid protocol use can be very powerful when an organization employs standard implementations of common protocols.

    Traffic Anomaly-Based Intrusion Detection
    A traffic anomaly-based IDS identifies any unacceptable deviation from expected behavior based on actual traffic structure. When a session is established between systems, there is typically an expected pattern and behavior to the traffic transmitted in that session. That traffic can be compared to expected traffic conduct based on the understandings of traditional system interaction for that type of connection. Like the other types of anomaly-based IDS, traffic anomaly-based IDS relies on the ability to establish “normal” patterns of traffic and expected modes of behavior in systems, networks, and applications. In a highly dynamic environment it may be difficult, if not impossible, to clearly define these parameters.

    Reference(s) used for this question:

    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 3664-3686). Auerbach Publications. Kindle Edition.
    and
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 3711-3734). Auerbach Publications. Kindle Edition.
    and
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 3694-3711). Auerbach Publications. Kindle Edition.
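    The following is an added example, not code from the SSCP/CISSP source material, that puts the two basic analysis methods side by side over constructed connection records. It serves this question, question 1 (a traffic anomaly-based IDS noticing a new service on the network) and question 12 (knowledge-based versus behavior-based IDS). Pattern matching only fires on a known signature, so it is silent on the unknown attack; the baseline learner catches the new service but also flags a legitimate but unusual upload, and lowering its threshold produces a further false positive on perfectly normal traffic. The signature strings, addresses, ports and byte counts are all made up for the demonstration.

```python
"""Added example, not code from the SSCP/CISSP source material: a toy
comparison of the two basic IDS analysis methods, pattern (signature)
matching and statistical/traffic anomaly detection, run over constructed
connection records. Signature strings, addresses and sizes are all made up."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Conn:
    """One observed connection: source address, destination port,
    bytes sent by the client, and the first bytes of the client payload."""
    src: str
    dst_port: int
    bytes_out: int
    payload: bytes


# Constructed signature database: byte patterns of "known" attacks.
SIGNATURES = {
    "known-scanner": b"EXAMPLE-SCANNER-BANNER",
    "known-exploit": b"EXAMPLE-EXPLOIT-STRING",
}


def signature_alerts(conns):
    """Pattern matching: alert only when a payload contains a known signature.
    Anything that does not match a signature passes silently."""
    alerts = []
    for c in conns:
        for name, sig in SIGNATURES.items():
            if sig in c.payload:
                alerts.append((c.src, name))
    return alerts


class TrafficBaseline:
    """Anomaly detection: learn the services in use and the typical request
    size from a training window, then flag deviations from that baseline."""

    def __init__(self, training, z_threshold=3.0):
        self.ports = {c.dst_port for c in training}
        sizes = [c.bytes_out for c in training]
        self.mu = mean(sizes)
        self.sigma = pstdev(sizes) or 1.0
        self.z_threshold = z_threshold

    def alerts(self, conns):
        out = []
        for c in conns:
            if c.dst_port not in self.ports:
                # a service never seen during training (the "new service" case)
                out.append((c.src, f"new-service:{c.dst_port}"))
            elif abs(c.bytes_out - self.mu) / self.sigma > self.z_threshold:
                # request volume far outside the learned distribution
                out.append((c.src, "volume-anomaly"))
        return out


# Constructed training window: ordinary web traffic to ports 80 and 443 with
# request sizes around 500 bytes (mean 500, population std. dev. about 14.1).
_SIZES = [480, 490, 500, 510, 520]
TRAINING = [Conn("10.0.0.1", port, size, b"GET / HTTP/1.1")
            for port in (80, 443) for size in _SIZES for _ in range(2)]

# Constructed test window, one record per situation discussed in the text.
TEST = [
    Conn("10.0.0.5", 443, 515, b"GET /index.html HTTP/1.1"),     # normal
    Conn("10.0.0.9", 80, 505, b"GET /?x=EXAMPLE-SCANNER-BANNER"),  # known attack, normal shape
    Conn("10.0.0.7", 4444, 500, b"hello"),                         # unknown attack: new service
    Conn("10.0.0.3", 443, 9000, b"POST /upload HTTP/1.1"),         # legitimate but unusual upload
]


def run_comparison(training=TRAINING, test=TEST, z_threshold=3.0):
    """Return what each method reports for the test window."""
    baseline = TrafficBaseline(training, z_threshold)
    return {"signature": signature_alerts(test), "anomaly": baseline.alerts(test)}


if __name__ == "__main__":
    for method, alerts in run_comparison().items():
        print(method, alerts)
```

With the default threshold the signature method reports only the record carrying a known pattern, while the baseline learner reports the new service (which no signature could have caught) and the large upload, a false positive if that upload was a legitimate change in behavior. Calling `run_comparison(z_threshold=1.0)` also flags the first, entirely normal, record, which is the tuning problem the text describes: the tighter the baseline, the more the operator has to sift.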

  7. In order to enable users to perform tasks and duties without having to go through extra steps it is important that the security controls and mechanisms that are in place have a degree of?

    • Complexity
    • Non-transparency
    • Transparency
    • Simplicity
    Explanation:

    The security controls and mechanisms that are in place must have a degree of transparency.

    This enables the user to perform tasks and duties without having to go through extra steps because of the presence of the security controls. Transparency also does not let the user know too much about the controls, which helps prevent him from figuring out how to circumvent them. If the controls are too obvious, an attacker can figure out how to compromise them more easily.

    Security (more specifically, the implementation of most security controls) has long been a sore point with users who are subject to security controls. Historically, security controls have been very intrusive to users, forcing them to interrupt their work flow and remember arcane codes or processes (like long passwords or access codes), and have generally been seen as an obstacle to getting work done. In recent years, much work has been done to remove that stigma of security controls as a detractor from the work process adding nothing but time and money. When developing access control, the system must be as transparent as possible to the end user. The users should be required to interact with the system as little as possible, and the process around using the control should be engineered so as to involve little effort on the part of the user.

    For example, requiring a user to swipe an access card through a reader is an effective way to ensure a person is authorized to enter a room. However, implementing a technology (such as RFID) that will automatically scan the badge as the user approaches the door is more transparent to the user and will do less to impede the movement of personnel in a busy area.

    In another example, asking a user to understand what applications and data sets will be required when requesting a system ID and then specifically requesting access to those resources may allow for a great deal of granularity when provisioning access, but it can hardly be seen as transparent. A more transparent process would be for the access provisioning system to have a role-based structure, where the user would simply specify the role he or she has in the organization and the system would know the specific resources that user needs to access based on that role. This requires less work and interaction on the part of the user and will lead to more accurate and secure access control decisions because access will be based on predefined need, not user preference.

    When developing and implementing an access control system special care should be taken to ensure that the control is as transparent to the end user as possible and interrupts his work flow as little as possible.

    The following answers were incorrect:
    All of the other distractors were incorrect.

    Reference(s) used for this question:

    HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 6th edition. Operations Security, Page 1239-1240

    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 25278-25281). McGraw-Hill. Kindle Edition.

    Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition : Access Control ((ISC)2 Press) (Kindle Locations 713-729). Auerbach Publications. Kindle Edition.

  8. Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished:

    • through access control mechanisms that require identification and authentication and through the audit function.
    • through logical or technical controls involving the restriction of access to systems and the protection of information.
    • through logical or technical controls but not involving the restriction of access to systems and the protection of information.
    • through access control mechanisms that do not require identification and authentication and do not operate through the audit function.
    Explanation:

    Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished through access control mechanisms that require identification and authentication and through the audit function. These controls must be in accordance with and accurately represent the organization’s security policy. Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.

  9. Which of the following tools is less likely to be used by a hacker?

    • l0phtcrack
    • Tripwire
    • OphCrack
    • John the Ripper
    Explanation:

    Tripwire is an integrity checking product, triggering alarms when important files (e.g. system or configuration files) are modified.

    This is a tool that is not likely to be used by hackers, other than for studying its workings in order to circumvent it.

    Other programs are password-cracking programs and are likely to be used by security administrators as well as by hackers. More info regarding Tripwire available on the Tripwire, Inc. Web Site.
    NOTE:
    The biggest competitor to the commercial version of Tripwire is the freeware version of Tripwire. You can get the Open Source version of Tripwire at the following URL: http://sourceforge.net/projects/tripwire/

  10. Which of the following statements pertaining to ethical hacking is incorrect?

    • An organization should use ethical hackers who do not sell auditing, hardware, software, firewall, hosting, and/or networking services.
    • Testing should be done remotely to simulate external threats.
    • Ethical hacking should not involve writing to or modifying the target systems negatively.
    • Ethical hackers never use tools that have the potential of affecting servers or services.
    Explanation:

    The incorrect statement is that ethical hackers never use tools that have the potential of affecting servers or services. Many of the tools used for ethical hacking have the potential of exploiting vulnerabilities and causing disruption to IT systems. It is up to the individuals performing the tests to be familiar with their use and to make sure that no such disruption happens, or at least that it is avoided as far as possible.

    The first step before sending even one single packet to the target would be to have a signed agreement with clear rules of engagement and a signed contract. The signed contract explains to the client the associated risks, and the client must agree to them before you even send one packet to the target range. This way the client understands that some of the tests could lead to interruption of service or even crash a server. The client signs to confirm that he is aware of such risks and willing to accept them.

    The following are incorrect answers:
    An organization should use ethical hackers who do not sell auditing, hardware, software, firewall, hosting, and/or networking services. An ethical hacking firm’s independence can be questioned if they sell security solutions at the same time as doing testing for the same client. There has to be independence between the judge (the tester) and the accused (the client).

    Testing should be done remotely to simulate external threats. Testing that simulates a cracker coming from the Internet is often one of the first tests performed; it is done to validate perimeter security. By performing tests remotely, the ethical hacking firm emulates the hacker’s approach more realistically.

    Ethical hacking should not involve writing to or modifying the target systems negatively. Even though ethical hacking should not involve negligence in writing to or modifying the target systems or reducing their response time, comprehensive penetration testing has to be performed using the most complete tools available, just like a real cracker would.

    Reference(s) used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Appendix F: The Case for Ethical Hacking (page 520).

  11. The viewing of recorded events after the fact using a closed-circuit TV camera is considered a

    • Preventative control.
    • Detective control
    • Compensating control
    • Corrective control
    Explanation:

    Detective security controls are like a burglar alarm. They detect and report an unauthorized or undesired event (or an attempted undesired event). Detective security controls are invoked after the undesirable event has occurred. Example detective security controls are log monitoring and review, system audit, file integrity checkers, and motion detection.

    Visual surveillance or recording devices such as closed circuit television are used in conjunction with guards in order to enhance their surveillance ability and to record events for future analysis or prosecution.

    When events are monitored, it is considered preventative whereas recording of events is considered detective in nature.

    Below you have explanations of other types of security controls from a nice guide produced by James Purcell (see reference below):

    Preventive security controls are put into place to prevent intentional or unintentional disclosure, alteration, or destruction (D.A.D.) of sensitive information. Some example preventive controls follow:

    Policy – Unauthorized network connections are prohibited.
    Firewall – Blocks unauthorized network connections.
    Locked wiring closet – Prevents unauthorized equipment from being physically plugged into a network switch.

    Notice in the preceding examples that preventive controls crossed administrative, technical, and physical categories discussed previously. The same is true for any of the controls discussed in this section.

    Corrective security controls are used to respond to and fix a security incident. Corrective security controls also limit or reduce further damage from an attack. Examples follow:

    Procedure to clean a virus from an infected system
    A guard checking and locking a door left unlocked by a careless employee
    Updating firewall rules to block an attacking IP address

    Note that in many cases the corrective security control is triggered by a detective security control.

    Recovery security controls are those controls that put a system back into production after an incident. Most Disaster Recovery activities fall into this category. For example, after a disk failure, data is restored from a backup tape.

    Directive security controls are the equivalent of administrative controls. Directive controls direct that some action be taken to protect sensitive organizational information. The directive can be in the form of a policy, procedure, or guideline.

    Deterrent security controls are controls that discourage security violations. For instance, “Unauthorized Access Prohibited” signage may deter a trespasser from entering an area. The presence of security cameras might deter an employee from stealing equipment. A policy that states access to servers is monitored could deter unauthorized access.

    Compensating security controls are controls that provide an alternative to normal controls that cannot be used for some reason. For instance, a certain server cannot have antivirus software installed because it interferes with a critical application. A compensating control would be to increase monitoring of that server or isolate that server on its own network segment.

    Note that there is a third popular taxonomy developed by NIST and described in NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems.” NIST categorizes security controls into 3 classes and then further categorizes the controls within the classes into 17 families. Within each security control family are dozens of specific controls. The NIST taxonomy is not covered on the CISSP exam but is one that a CISSP should be aware of if employed within the US federal workforce.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical security (page 340).
    and
    CISSP Study Guide By Eric Conrad, Seth Misenar, Joshua Feldman, page 50-52
    and
    Security Control Types and Operational Security, James E. Purcell, http://www.giac.org/cissp-papers/207.pdf

  12. Knowledge-based Intrusion Detection Systems (IDS) are more common than:

    • Network-based IDS
    • Host-based IDS
    • Behavior-based IDS
    • Application-Based IDS
    Explanation:

    Knowledge-based IDS are more common than behavior-based ID systems.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 63.

    Application-Based IDS – “a subset of HIDS that analyze what’s going on in an application using the transaction log files of the application.” Source: Official ISC2 CISSP CBK Review Seminar Student Manual Version 7.0 p. 87

    Host-Based IDS – “an implementation of IDS capabilities at the host level. Its most significant difference from NIDS is intrusion detection analysis, and related processes are limited to the boundaries of the host.” Source: Official ISC2 Guide to the CISSP CBK – p. 197

    Network-Based IDS – “a network device, or dedicated system attached to the network, that monitors traffic traversing the network segment for which it is integrated.” Source: Official ISC2 Guide to the CISSP CBK – p. 196

    CISSP For Dummies, a book that we recommend for a quick overview of the 10 domains, has nice and concise coverage of the subject:

    Intrusion detection is defined as real-time monitoring and analysis of network activity and data for potential vulnerabilities and attacks in progress. One major limitation of current intrusion detection system (IDS) technologies is the requirement to filter false alarms lest the operator (system or security administrator) be overwhelmed with data. IDSes are classified in many different ways, including active and passive, network-based and host-based, and knowledge-based and behavior-based:

    Active and passive IDS

    An active IDS (now more commonly known as an intrusion prevention system — IPS) is a system that’s configured to automatically block suspected attacks in progress without any intervention required by an operator. IPS has the advantage of providing real-time corrective action in response to an attack but has many disadvantages as well. An IPS must be placed in-line along a network boundary; thus, the IPS itself is susceptible to attack. Also, if false alarms and legitimate traffic haven’t been properly identified and filtered, authorized users and applications may be improperly denied access. Finally, the IPS itself may be used to effect a Denial of Service (DoS) attack by intentionally flooding the system with alarms that cause it to block connections until no connections or bandwidth are available.

    A passive IDS is a system that’s configured only to monitor and analyze network traffic activity and alert an operator to potential vulnerabilities and attacks. It isn’t capable of performing any protective or corrective functions on its own. The major advantages of passive IDSes are that these systems can be easily and rapidly deployed and are not normally susceptible to attack themselves.

    Network-based and host-based IDS

    A network-based IDS usually consists of a network appliance (or sensor) with a Network Interface Card (NIC) operating in promiscuous mode and a separate management interface. The IDS is placed along a network segment or boundary and monitors all traffic on that segment.

    A host-based IDS requires small programs (or agents) to be installed on individual systems to be monitored. The agents monitor the operating system and write data to log files and/or trigger alarms. A host-based IDS can only monitor the individual host systems on which the agents are installed; it doesn’t monitor the entire network.
    Knowledge-based and behavior-based IDS

    A knowledge-based (or signature-based) IDS references a database of previous attack profiles and known system vulnerabilities to identify active intrusion attempts. Knowledge-based IDS is currently more common than behavior-based IDS.

    Advantages of knowledge-based systems include the following:
    • Lower false alarm rates than behavior-based IDS.
    • Alarms are more standardized and more easily understood than behavior-based IDS.

    Disadvantages of knowledge-based systems include these:
    • The signature database must be continually updated and maintained.
    • New, unique, or original attacks may not be detected or may be improperly classified.

    A behavior-based (or statistical anomaly–based) IDS references a baseline or learned pattern of normal system activity to identify active intrusion attempts. Deviations from this baseline or pattern cause an alarm to be triggered.

    Advantages of behavior-based systems include that they
    • Dynamically adapt to new, unique, or original attacks.
    • Are less dependent on identifying specific operating system vulnerabilities.

    Disadvantages of behavior-based systems include
    • Higher false alarm rates than knowledge-based IDSes.
    • Usage patterns that may change often and may not be static enough to implement an effective behavior-based IDS.

  13. Which of the following types of Intrusion Detection Systems uses behavioral characteristics of a system’s operation or network traffic to draw conclusions on whether the traffic represents a risk to the network or host?

    • Network-based ID systems.
    • Anomaly Detection.
    • Host-based ID systems.
    • Signature Analysis.
    Explanation:

    There are two basic IDS analysis methods: pattern matching (also called signature analysis) and anomaly detection.

    Anomaly detection uses behavioral characteristics of a system’s operation or network traffic to draw conclusions on whether the traffic represents a risk to the network or host. Anomalies may include but are not limited to:

    Multiple failed log-on attempts
    Users logging in at strange hours
    Unexplained changes to system clocks
    Unusual error messages

    The following are incorrect answers:
    Network-based ID Systems (NIDS) are usually incorporated into the network in a passive architecture, taking advantage of promiscuous mode access to the network. This means that it has visibility into every packet traversing the network segment. This allows the system to inspect packets and monitor sessions without impacting the network or the systems and applications utilizing the network.

    Host-based ID Systems (HIDS) are the implementation of IDS capabilities at the host level. Their most significant difference from NIDS is that detection and related processes are limited to the boundaries of a single host system. However, this presents advantages in effectively detecting objectionable activities because the IDS process is running directly on the host system, not just observing it from the network. This offers unfettered access to system logs, processes, system information, and device information, and virtually eliminates the blind spots that encryption creates for a network sensor, since the host sees the data after it is decrypted. The level of integration represented by HIDS increases the level of visibility and control at the disposal of the HIDS application.

    Signature Analysis Some of the first IDS products used signature analysis as their detection method and simply looked for known characteristics of an attack (such as specific packet sequences or text in the data stream) to produce an alert if that pattern was detected. For example, an attacker manipulating an FTP server may use a tool that sends a specially constructed packet. If that particular packet pattern is known, it can be represented in the form of a signature that IDS can then compare to incoming packets. Pattern-based IDS will have a database of hundreds, if not thousands, of signatures that are compared to traffic streams. As new attack signatures are produced, the system is updated, much like antivirus solutions. There are drawbacks to pattern-based IDS. Most importantly, signatures can only exist for known attacks. If a new or different attack vector is used, it will not match a known signature and, thus, slip past the IDS. Additionally, if an attacker knows that the IDS is present, he or she can alter his or her methods to avoid detection. Changing packets and data streams, even slightly, from known signatures can cause an IDS to miss the attack. As with some antivirus systems, the IDS is only as good as the latest signature database on the system.

    For additional information on Intrusion Detection Systems – http://en.wikipedia.org/wiki/Intrusion_detection_system

    Reference(s) used for this question:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 3623-3625, 3649-3654, 3666-3686). Auerbach Publications. Kindle Edition.
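    The two analysis methods described above (a signature database versus a learned behavioral baseline), the anomaly examples from the explanation (failed log-on bursts, log-ons at strange hours) and the passive/active distinction from the "CISSP For Dummies" excerpt, brought together in one runnable sketch. This is an added example, not code from the page or from any cited book; the audit-trail lines, the signature patterns, the baseline rules (hour-of-day distance, known source addresses, three failures in 60 seconds) and all function names are constructed for illustration.

```python
"""Toy IDS over a constructed audit trail: a knowledge-based (signature) engine,
a behavior-based (anomaly) engine learned from a baseline, and a passive versus
active (IPS-style blocking) response. Names and sample lines are illustrative."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit-trail lines (not real logs). Format:
# "<ISO timestamp> <user> <source-ip> <event> <detail>"
TRAINING_TRAIL = [  # known-good activity used to learn the behavioral baseline
    "2024-03-01T09:02:11 alice 10.0.0.5 LOGIN_OK -",
    "2024-03-01T09:15:42 bob 10.0.0.7 LOGIN_OK -",
    "2024-03-01T09:40:00 carol 10.0.0.9 LOGIN_OK -",
    "2024-03-01T10:40:09 alice 10.0.0.5 HTTP GET /reports",
    "2024-03-02T08:55:30 alice 10.0.0.5 LOGIN_OK -",
    "2024-03-02T09:05:12 bob 10.0.0.7 LOGIN_OK -",
    "2024-03-02T10:10:00 carol 10.0.0.9 LOGIN_OK -",
]
LIVE_TRAIL = [  # activity to analyze
    "2024-03-04T09:01:00 alice 10.0.0.5 LOGIN_OK -",
    "2024-03-04T09:30:00 carol 10.0.0.9 HTTP GET /search?q=../../../../etc/passwd",       # matches a signature
    "2024-03-04T09:31:00 carol 10.0.0.9 HTTP GET /search?q=..%2f..%2f..%2fetc%2fpasswd",  # same attack, slightly altered
    "2024-03-04T03:10:00 alice 203.0.113.4 LOGIN_FAIL -",  # off-hours, new address, failed-logon burst
    "2024-03-04T03:10:05 alice 203.0.113.4 LOGIN_FAIL -",
    "2024-03-04T03:10:09 alice 203.0.113.4 LOGIN_FAIL -",
    "2024-03-04T03:10:14 alice 203.0.113.4 LOGIN_OK -",
    "2024-03-04T22:45:00 bob 10.0.0.7 LOGIN_OK -",         # bob legitimately working late
]

# Knowledge base: patterns of known attacks (the "signature database")
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./\.\./")),
    ("sensitive file access", re.compile(r"/etc/passwd")),
]


def parse(line):
    ts, user, ip, event, detail = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "event": event, "detail": detail}


def signature_alerts(lines):
    """Knowledge-based analysis: one alert per event whose detail matches a known signature."""
    alerts = []
    for ev in map(parse, lines):
        for name, pattern in SIGNATURES:
            if pattern.search(ev["detail"]):
                alerts.append((ev["ip"], name))
                break
    return alerts


def learn_baseline(lines):
    """Behavioral baseline: the hours and source addresses each user normally logs in from."""
    hours, addrs = defaultdict(set), defaultdict(set)
    for ev in map(parse, lines):
        if ev["event"] == "LOGIN_OK":
            hours[ev["user"]].add(ev["ts"].hour)
            addrs[ev["user"]].add(ev["ip"])
    return hours, addrs


def anomaly_alerts(lines, baseline, fail_threshold=3, window_s=60):
    """Behavior-based analysis: flag deviations from the learned baseline.
    Alerts are de-duplicated per (source, reason) so a burst does not flood the operator."""
    hours, addrs = baseline
    alerts, seen = [], set()
    recent_fails = defaultdict(list)

    def alert(ip, reason):
        if (ip, reason) not in seen:
            seen.add((ip, reason))
            alerts.append((ip, reason))

    for ev in map(parse, lines):
        if not ev["event"].startswith("LOGIN"):
            continue  # this baseline only models logon behavior, so content attacks are invisible to it
        user, ip, hour = ev["user"], ev["ip"], ev["ts"].hour
        # hour-of-day distance on a 24h circle; more than 2 hours from every learned hour is "strange"
        if user in hours and all(min(abs(hour - h), 24 - abs(hour - h)) > 2 for h in hours[user]):
            alert(ip, f"logon at unusual hour for {user}")
        if user in addrs and ip not in addrs[user]:
            alert(ip, f"new source address for {user}")
        if ev["event"] == "LOGIN_FAIL":
            recent_fails[ip] = [t for t in recent_fails[ip] if (ev["ts"] - t).total_seconds() <= window_s]
            recent_fails[ip].append(ev["ts"])
            if len(recent_fails[ip]) >= fail_threshold:
                alert(ip, f"{fail_threshold} or more failed logons within {window_s}s")
    return alerts


def run_ids(lines, baseline, active=False):
    """Passive mode only reports; active mode (IPS) also blocks every alerting source,
    false positives included, which is how a legitimate user ends up denied access."""
    sig, anom = signature_alerts(lines), anomaly_alerts(lines, baseline)
    blocked = {ip for ip, _ in sig + anom} if active else set()
    return {"signature": sig, "anomaly": anom, "blocked": blocked}


if __name__ == "__main__":
    for mode in (False, True):
        result = run_ids(LIVE_TRAIL, learn_baseline(TRAINING_TRAIL), active=mode)
        print("active" if mode else "passive", result)
```

    Run it and the two blind spots from the text appear side by side: the signature engine catches the first traversal request but misses the URL-encoded variant of the same attack, while the anomaly engine never looks at the HTTP content at all but does catch the off-hours logon burst from an unknown address. In active mode the alerting sources are blocked, and 10.0.0.7 is among them only because bob's late logon deviated from his baseline, which is the false-positive denial the IPS paragraph warns about.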

  14. Which of the following are additional terms used to describe knowledge-based IDS and behavior-based IDS?

    • signature-based IDS and statistical anomaly-based IDS, respectively
    • signature-based IDS and dynamic anomaly-based IDS, respectively
    • anomaly-based IDS and statistical-based IDS, respectively
    • signature-based IDS and motion anomaly-based IDS, respectively.
    Explanation:
    The two current conceptual approaches to Intrusion Detection methodology are knowledge-based ID systems and behavior-based ID systems, sometimes referred to as signature-based ID and statistical anomaly-based ID, respectively.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 63.
  15. Which of the following Intrusion Detection Systems (IDS) uses a database of attacks, known system vulnerabilities, monitoring current attempts to exploit those vulnerabilities, and then triggers an alarm if an attempt is found?

    • Knowledge-Based ID System
    • Application-Based ID System
    • Host-Based ID System
    • Network-Based ID System
    Explanation:

    Knowledge-based Intrusion Detection Systems use a database of previous attacks and known system vulnerabilities to look for current attempts to exploit their vulnerabilities, and trigger an alarm if an attempt is found.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 87.

    Application-Based ID System – “a subset of HIDS that analyze what’s going on in an application using the transaction log files of the application.” Source: Official ISC2 CISSP CBK Review Seminar Student Manual Version 7.0 p. 87

    Host-Based ID System – “an implementation of IDS capabilities at the host level. Its most significant difference from NIDS is intrusion detection analysis, and related processes are limited to the boundaries of the host.” Source: Official ISC2 Guide to the CISSP CBK – p. 197

    Network-Based ID System – “a network device, or dedicated system attached to the network, that monitors traffic traversing the network segment for which it is integrated.” Source: Official ISC2 Guide to the CISSP CBK – p. 196

  16. Which of the following is most likely to be useful in detecting intrusions?

    • Access control lists
    • Security labels
    • Audit trails
    • Information security policies
    Explanation:
    If audit trails have been properly defined and implemented, they will record information that can assist in detecting intrusions.
    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (page 186).
  17. Which conceptual approach to intrusion detection system is the most common?

    • Behavior-based intrusion detection
    • Knowledge-based intrusion detection
    • Statistical anomaly-based intrusion detection
    • Host-based intrusion detection
    Explanation:
    There are two conceptual approaches to intrusion detection. Knowledge-based intrusion detection uses a database of known vulnerabilities to look for current attempts to exploit them on a system and triggers an alarm if an attempt is found. The other approach, not as common, is called behaviour-based or statistical anomaly-based. A host-based intrusion detection system is a common implementation of intrusion detection, not a conceptual approach.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 63).
    Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 193-194).
  18. What ensures that the control mechanisms correctly implement the security policy for the entire life cycle of an information system?

    • Accountability controls
    • Mandatory access controls
    • Assurance procedures
    • Administrative controls
    Explanation:
    Accountability controls provide accountability for the individuals accessing information; they do not by themselves verify that the mechanisms are implemented correctly. Assurance procedures ensure that access control mechanisms correctly implement the security policy for the entire life cycle of an information system.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).
  19. What IDS approach relies on a database of known attacks?

    • Signature-based intrusion detection
    • Statistical anomaly-based intrusion detection
    • Behavior-based intrusion detection
    • Network-based intrusion detection
    Explanation:
    A weakness of the signature-based (or knowledge-based) intrusion detection approach is that only attack signatures that are stored in a database are detected. Network-based intrusion detection can either be signature-based or statistical anomaly-based (also called behavior-based).
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 49).
  20. Attributes that characterize an attack are stored for reference using which of the following Intrusion Detection System (IDS) ?

    • signature-based IDS
    • statistical anomaly-based IDS
    • event-based IDS
    • inferent-based IDS
    Explanation:
    A signature-based (knowledge-based) IDS stores the attributes that characterize known attacks as signatures in a database and compares observed traffic or events against them. A statistical anomaly-based IDS stores a baseline of normal behavior, not attack attributes; "event-based" and "inferent-based" are distractors, not standard IDS classifications.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49.