Test Bank for Principles of Information Security, 6th Edition, Michael E. Whitman, Herbert J. Mattord



Name: Class: Date:

Chapter 07: Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools
True / False

1. A false positive is the failure of an IDPS system to react to an actual attack event.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: IDPS Terminology
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

2. Intrusion detection consists of procedures and systems that identify system intrusions and take action when an intrusion
is detected.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Intrusion Detection and Prevention Systems
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

3. The process by which attackers change the format and/or timing of their activities to avoid being detected by the IDPS
is known as a false attack stimulus.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: IDPS Terminology
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

4. In DNS cache poisoning, valid packets exploit poorly configured DNS servers to inject false information and corrupt
the servers’ answers to routine DNS queries from other systems on the network.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: True / False


HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 3/8/2017 10:25 PM

5. NIDPSs can reliably ascertain whether an attack was successful.


a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 3/8/2017 10:25 PM

6. HIDPSs are also known as system integrity verifiers.


a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

7. An HIDPS can monitor system logs for predefined events.


a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 3/8/2017 10:25 PM

8. An HIDPS can detect local events on host systems and detect attacks that may elude a network-based IDPS.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Types of IDPSs


QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 3/8/2017 10:26 PM

9. An HIDPS is optimized to detect multihost scanning, and it is able to detect the scanning of non-host network devices,
such as routers or switches.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 3/8/2017 10:26 PM

10. The anomaly-based IDPS collects statistical summaries by observing traffic that is known to be normal.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: IDPS Detection Methods
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM
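Worked example for question 10 (an added illustration, not code from the textbook or the test bank): an anomaly-based detector first summarises traffic that is known to be normal, then compares current observations against that summary. The training values, the hosts and the current observations below are constructed, and the choice of "new connections per minute" as the metric and 3 standard deviations as the clipping level are assumptions made for the illustration.

```python
import statistics

# Constructed training data (hypothetical values): new TCP connections per
# minute observed from each internal host during a window the analyst has
# verified as normal. This stands in for the "statistical summaries" an
# anomaly-based IDPS collects.
NORMAL_TRAFFIC = {
    "10.0.0.5":  [12, 14, 11, 13, 15, 12, 14, 13, 12, 11],
    "10.0.0.9":  [3, 4, 2, 3, 5, 4, 3, 2, 4, 3],
    "10.0.0.17": [40, 42, 38, 41, 39, 44, 40, 43, 41, 39],
}

# Constructed current observations: 10.0.0.9 has jumped from about 3 to 120
# connections per minute and 10.0.0.99 was never seen during training.
OBSERVED_NOW = {"10.0.0.5": 13, "10.0.0.9": 120, "10.0.0.17": 41, "10.0.0.99": 7}


def build_baseline(samples):
    """Per-host statistical summary: (mean, population standard deviation)."""
    return {host: (statistics.mean(v), statistics.pstdev(v)) for host, v in samples.items()}


def detect_anomalies(baseline, observed, clipping_level=3.0):
    """Flag hosts whose current value is more than `clipping_level` standard
    deviations away from their baseline mean. A host with no baseline at all
    is flagged as well: a source the IDPS has never profiled is itself
    anomalous. Returns a list of (host, value, reason)."""
    alerts = []
    for host, value in observed.items():
        if host not in baseline:
            alerts.append((host, value, "no baseline for host"))
            continue
        mean, stdev = baseline[host]
        # A perfectly constant training series has stdev 0; avoid dividing by it
        spread = stdev if stdev > 0 else 1e-9
        z = (value - mean) / spread
        if abs(z) > clipping_level:
            alerts.append((host, value, f"z={z:.1f} against mean {mean:.1f}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(NORMAL_TRAFFIC), OBSERVED_NOW):
        print(alert)
```

Two practical points follow from the code. The baseline is only as clean as the training window: if an attacker was already active while "normal" traffic was being summarised, that activity is learned as normal and will never be flagged. The clipping level is the knob that trades false positives against false negatives (questions 1 and 58): lowering it catches subtler deviations but raises more alarms on benign load changes.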

11. IDPS responses can be classified as active or passive.


a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: IDPS Response Behavior
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

12. A passive IDPS response is a definitive action automatically initiated when certain types of alerts are triggered.
a. True
b. False

ANSWER: False
POINTS: 1
REFERENCES: IDPS Response Behavior
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

13. The Simple Network Management Protocol contains trap functions, which allow a device to send a message to the
SNMP management console indicating that a certain threshold has been crossed, either positively or negatively.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: IDPS Response Behavior
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

14. An IDPS can be configured to dial a phone number and produce an alphanumeric page or other type of signal or
message.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: IDPS Response Behavior
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

15. In order to determine which IDPS best meets an organization’s needs, first consider the organizational environment in
technical, physical, and political terms.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Selecting IDPS Approaches and Products
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

16. Your organization’s operational goals, constraints, and culture should not affect the selection of the IDPS and other
security tools and technologies to protect your systems.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Selecting IDPS Approaches and Products
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

17. All IDPS vendors target users with the same levels of technical and security expertise.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Selecting IDPS Approaches and Products
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

18. Intrusion detection and prevention systems perform monitoring and analysis of system events and user behaviors.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Strengths and Limitations of IDPSs
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

19. Intrusion detection and prevention systems can deal effectively with switched networks.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Strengths and Limitations of IDPSs
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

20. A fully distributed IDPS control strategy is an IDPS implementation approach in which all control
functions are applied at the physical location of each IDPS component.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Deployment and Implementation of an IDPS
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 2/6/2017 9:26 PM

21. Security tools that go beyond routine intrusion detection include honeypots, honeynets, and padded cell systems.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Honeypots, Honeynets, and Padded Cell Systems
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 3/8/2017 10:27 PM

22. A strategy based on the concept of defense in depth is likely to include intrusion detection systems, active
vulnerability scanners, passive vulnerability scanners, automated log analyzers, and protocol analyzers.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Scanning and Analysis Tools
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

23. To assist in footprint intelligence collection, attackers may use an enhanced Web scanner that, among other things, can
scan entire Web sites for valuable pieces of information, such as server names and e-mail addresses.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Scanning and Analysis Tools
QUESTION TYPE: True / False


HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 3/8/2017 10:28 PM

24. Services using the TCP/IP protocol can run only on their commonly used port number as specified in their original
Internet standard.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Port Scanners
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

25. Administrators who are wary of using the same tools that attackers use should remember that a tool that can help close
an open or poorly configured firewall will not help the network defender minimize the risk from attack.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Firewall Analysis Tools
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 3/8/2017 10:28 PM

26. Once the OS is known, all of the vulnerabilities to which a system is susceptible can easily be determined.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Operating System Detection Tools
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

27. A passive vulnerability scanner is one that initiates traffic on the network in order to determine security holes.
a. True
b. False

ANSWER: False
POINTS: 1
REFERENCES: Vulnerability Scanners
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 1/30/2017 6:33 PM

28. The Metasploit Framework is a collection of exploits coupled with an interface that allows the penetration tester to
automate the custom exploitation of vulnerable systems.
a. True
b. False
ANSWER: True
POINTS: 1
REFERENCES: Vulnerability Scanners
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

29. Passive scanners are advantageous in that they require vulnerability analysts to get approval prior to testing.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Vulnerability Scanners
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

30. To use a packet sniffer legally, an administrator only needs permission of the organization's top computing executive.
a. True
b. False
ANSWER: False
POINTS: 1
REFERENCES: Packet Sniffers
QUESTION TYPE: True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

Modified True / False


31. Alarm filtering may be based on combinations of frequency, similarity in attack signature, similarity in attack target,
or other criteria that are defined by the system administrators. _________________________
ANSWER: False - clustering
POINTS: 1
REFERENCES: IDPS Terminology
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 1/30/2017 6:45 PM

32. A(n) event is an indication that a system has just been attacked or is under attack. _________________________
ANSWER: False - alert, alarm
POINTS: 1
REFERENCES: IDPS Terminology
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

33. Alarm events that are accurate and noteworthy but do not pose significant threats to information security are called
noise. _________________________
ANSWER: True
POINTS: 1
REFERENCES: IDPS Terminology
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

34. The process of entrapment occurs when an attacker changes the format and/or timing of activities to avoid being
detected by an IDPS. _________________________
ANSWER: False - evasion
POINTS: 1
REFERENCES: IDPS Terminology
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 3/8/2017 10:29 PM

35. The integrity value, which is based upon fuzzy logic, helps an administrator determine how likely it is that an IDPS
alert or alarm indicates an actual attack in progress. _________________________
ANSWER: False - confidence
POINTS: 1
REFERENCES: IDPS Terminology
QUESTION TYPE: Modified True / False


HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

36. A(n) known vulnerability is a published weakness or fault in an information asset or its protective systems that may be
exploited and result in loss. _________________________
ANSWER: True
POINTS: 1
REFERENCES: Why Use an IDPS?
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

37. The activities that gather public information about the organization and its network activities and assets is called
fingerprinting. _________________________
ANSWER: False - footprinting
POINTS: 1
REFERENCES: Scanning and Analysis Tools
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 1/30/2017 7:01 PM

38. A(n) server-based IDPS protects the server or host’s information assets. _________________________
ANSWER: False - host-based
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

39. In the process of protocol application verification, the NIDPSs look for invalid data packets.
_________________________
ANSWER: False - stack
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:44 AM
DATE MODIFIED: 9/14/2016 10:44 AM

40. A(n) NIDPS functions on the host system, where encrypted traffic will have been decrypted and is available for
processing. _________________________
ANSWER: False - HIDPS
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

41. Preconfigured, predetermined attack patterns are called signatures. _________________________


ANSWER: True
POINTS: 1
REFERENCES: IDPS Detection Methods
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

42. A(n) log file monitor is similar to an NIDPS. _________________________


ANSWER: True
POINTS: 1
REFERENCES: Log File Monitors
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:30 PM

43. The primary advantages of a centralized IDPS control strategy are cost and ease of use.
_________________________
ANSWER: False - control
POINTS: 1
REFERENCES: Deployment and Implementation of an IDPS
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:30 PM

44. A(n) partially distributed IDPS control strategy combines the best of other IDPS strategies.
_________________________
ANSWER: True
POINTS: 1
REFERENCES: Deployment and Implementation of an IDPS
QUESTION TYPE: Modified True / False
HAS VARIABLES: False


DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:31 PM

45. When a collection of honeypots connects several honeypot systems on a subnet, it may be called a(n) honeynet.
_________________________
ANSWER: True
POINTS: 1
REFERENCES: Honeypots, Honeynets, and Padded Cell Systems
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

46. The disadvantages of using the honeypot or padded cell approach include the fact that the technical implications of
using such devices are not well understood. _________________________
ANSWER: False - legal
POINTS: 1
REFERENCES: Honeypots, Honeynets, and Padded Cell Systems
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

47. A padded cell is a hardened honeynet. _________________________


ANSWER: False - honeypot
POINTS: 1
REFERENCES: Honeypots, Honeynets, and Padded Cell Systems
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

48. When using trap-and-trace, the trace usually consists of a honeypot or padded cell and an alarm.
_________________________
ANSWER: False - trap
POINTS: 1
REFERENCES: Trap-and-Trace Systems
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

49. Enticement is the action of luring an individual into committing a crime to get a conviction.
_________________________
ANSWER: False - Entrapment
POINTS: 1
REFERENCES: Trap-and-Trace Systems
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

50. Fingerprinting is the organized research of the Internet addresses owned or controlled by a target organization.
_________________________
ANSWER: False - Footprinting
POINTS: 1
REFERENCES: Scanning and Analysis Tools
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

51. For Linux or BSD systems, a tool called “Snow White” allows a remote individual to “mirror” entire Web sites.
_________________________
ANSWER: False - wget
POINTS: 1
REFERENCES: Scanning and Analysis Tools
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:32 PM

52. Port explorers are tools used both by attackers and defenders to identify (or fingerprint) the computers that are active
on a network, as well as the ports and services active on those computers, the functions and roles the machines are
fulfilling, and other useful information. _________________________
ANSWER: False - scanners
POINTS: 1
REFERENCES: Port Scanners
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:33 PM

53. A(n) port is the equivalent of a network channel or connection point in a data communications system.
_________________________
ANSWER: True
POINTS: 1
REFERENCES: Port Scanners


QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM
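Worked example for questions 24, 52 and 53 (an added illustration in Python, not a tool described in the textbook): the simplest port scanner is a TCP connect scan, which reports a port as open when the three-way handshake completes. To keep the example offline and self-contained, it scans a throwaway listener on 127.0.0.1 bound to an ephemeral port (constructed here for the demonstration), together with a second port that is bound but not listening and is therefore known to be closed. The small well-known-port table is an assumption for labelling only: as question 24 notes, a service can run on any port, so the number reveals which port answered, not which service is behind it.

```python
import socket
import threading

# Conventional port-to-service names used only as a label; an open port on an
# unregistered number is reported as "unknown" rather than guessed.
WELL_KNOWN = {20: "ftp-data", 21: "ftp", 22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}


def scan_ports(host, ports, timeout=0.3):
    """TCP connect scan. connect_ex() returns 0 only when the handshake
    completed, i.e. something is listening. Returns sorted (port, label)."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append((port, WELL_KNOWN.get(port, "unknown")))
    return sorted(open_ports)


def start_listener(host="127.0.0.1"):
    """Constructed target: a throwaway service on an ephemeral port, accepted
    in a background thread so the scan has a real listener to find."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:      # listener closed by demo(); stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo():
    """Scan one known-open and one known-closed port on loopback.
    Returns (open_port, closed_port, scan_result)."""
    srv, open_port = start_listener()
    # A socket that is bound but never listening reserves a port that the
    # kernel answers with a reset, giving the scan a guaranteed negative.
    closed_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed_sock.bind(("127.0.0.1", 0))
    closed_port = closed_sock.getsockname()[1]
    try:
        return open_port, closed_port, scan_ports("127.0.0.1", [closed_port, open_port])
    finally:
        closed_sock.close()
        srv.close()


if __name__ == "__main__":
    print(demo())
```

A connect scan completes a full handshake, so the target's application logs (and any NIDPS watching the segment) record it; this is what makes scanning visible as "doorknob rattling". Run scanners only against hosts you are authorised to test.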

54. A(n) monitoring vulnerability scanner is one that listens in on the network and determines vulnerable versions of both
server and client software. _________________________
ANSWER: False - passive
POINTS: 1
REFERENCES: Vulnerability Scanners
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

55. A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level
of privacy or confidentiality afforded on the wireless network. _________________________
ANSWER: True
POINTS: 1
REFERENCES: Wireless Security Tools
QUESTION TYPE: Modified True / False
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

Multiple Choice

56. A(n) __________ works like a burglar alarm in that it detects a violation (some system activities analogous to an
opened or broken window) and activates an alarm.
a. IDPS b. WiFi
c. UDP d. DoS
ANSWER: a
POINTS: 1
REFERENCES: Intrusion Detection and Prevention Systems
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

57. Intrusion __________ activities finalize the restoration of operations to a normal state and seek to identify the source
and method of the intrusion in order to ensure that the same type of attack cannot occur again.
a. prevention b. reaction
c. detection d. correction
ANSWER: d
POINTS: 1
REFERENCES: Intrusion Detection and Prevention Systems
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

58. A(n) __________ is an event that triggers an alarm when no actual attack is in progress.
a. false neutral b. false attack stimulus
c. false negative d. noise
ANSWER: b
POINTS: 1
REFERENCES: IDPS Terminology
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

59. __________ is the process of classifying IDPS alerts so that they can be more effectively managed.
a. Alarm filtering b. Alarm clustering
c. Alarm compaction d. Alarm attenuation
ANSWER: a
POINTS: 1
REFERENCES: IDPS Terminology
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

60. Activities that scan network locales for active systems and then identify the network services offered by the host
systems are known as __________.
a. port knocking b. doorknob rattling
c. footprinting d. fingerprinting
ANSWER: d
POINTS: 1
REFERENCES: Why Use an IDPS?
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:33 PM

61. A(n) __________ IDPS is focused on protecting network information assets.


a. network-based b. host-based
c. application-based d. server-based
ANSWER: a
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

62. A(n) __________ port, also known as a monitoring port, is a specially configured connection on a network device that
is capable of viewing all of the traffic that moves through the entire device.
a. NIDPS b. SPAN
c. DPS d. IDSE
ANSWER: b
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:34 PM

63. To determine whether an attack has occurred or is underway, NIDPSs compare measured activity to known
__________ in their knowledge base.
a. vulnerabilities b. fingerprints
c. signatures d. footprints
ANSWER: c
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM
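Worked example for questions 41 and 63, and for the evasion concept in questions 3 and 34 (an added illustration in Python, not rules or code from any real IDPS or from the textbook): a signature-based NIDPS compares observed activity against preconfigured patterns, and an attacker evades it by changing the format of the same request. The two signatures and the four HTTP request lines below are constructed for the example; the normalisation step mirrors what NIDPS protocol preprocessors do, so that the detector sees the request the way the target web server will interpret it.

```python
import re
from urllib.parse import unquote

# Constructed signatures in the spirit of a NIDPS knowledge base: a name and a
# pattern applied to the HTTP request line. Illustrative only.
SIGNATURES = {
    "path-traversal":   re.compile(r"\.\./"),
    "sql-union-select": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
}


def normalize(request_line):
    """Canonicalise the request the way the target would decode it, so that
    format-based evasion (percent-encoding, double encoding, mixed case,
    tabs instead of spaces) cannot hide the pattern from the signature."""
    text = request_line
    for _ in range(3):                        # undo nested encodings (%252e -> %2e -> .)
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = text.replace("\\", "/")            # backslash as path separator
    text = re.sub(r"/+", "/", text)           # collapse duplicated slashes
    text = re.sub(r"\s+", " ", text)          # collapse whitespace variants
    return text


def match_signatures(request_line, normalize_first=True):
    """Names of all signatures that fire on the request line. With
    normalize_first=False the raw bytes are matched, which is the naive
    detector the evasive variants are designed to slip past."""
    text = normalize(request_line) if normalize_first else request_line
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


# Constructed request lines: benign, plain attack, and two evasive encodings.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /../../etc/passwd HTTP/1.1",
    "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /search?q=1%20UNION%09SeLeCt%20password%20FROM%20users HTTP/1.1",
]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(match_signatures(line, normalize_first=False), match_signatures(line), line)
```

The raw matcher fires only on the undisguised request; after normalisation the encoded traversal and the tab-separated, mixed-case SQL keywords match as well. The limitation of the approach is also visible: a signature can only fire on a pattern someone has already written, so a genuinely new attack produces a false negative until the knowledge base is updated.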

64. __________ are usually passive devices and can be deployed into existing networks with little or no disruption to
normal network operations.
a. NIDPSs b. HIDPSs
c. AppIDPSs d. SIDPSs
ANSWER: a
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False

DATE CREATED: 9/14/2016 10:45 AM


DATE MODIFIED: 9/14/2016 10:45 AM

65. Most network behavior analysis system sensors can be deployed in __________ mode only, using the same
connection methods as network-based IDPSs.
a. passive b. active
c. reactive d. dynamic
ANSWER: a
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

66. Network behavior analysis system __________ sensors are typically intended for network perimeter use, so they are
deployed in close proximity to the perimeter firewalls, often between the firewall and the Internet border router to limit
incoming attacks that could overwhelm the firewall.
a. inline b. offline
c. passive d. bypass
ANSWER: a
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:35 PM

67. __________ benchmark and monitor the status of key system files and detect when an intruder creates, modifies, or
deletes monitored files.
a. NIDPSs b. HIDPSs
c. AppIDPSs d. SIDPSs
ANSWER: b
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM
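Worked example for questions 6, 7 and 67 (an added illustration in Python, not code from the textbook or from any HIDPS product): the system-integrity-verifier role of an HIDPS is to benchmark key files and later detect what an intruder created, modified or deleted. The example builds a small directory tree in a temporary folder standing in for /etc, takes a SHA-256 baseline, simulates intruder changes, and reports the difference. All file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """Benchmark: map each regular file under root (path relative to root,
    forward slashes) to the SHA-256 digest of its contents."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            table[rel] = h.hexdigest()
    return table


def compare(baseline, current):
    """Return (created, modified, deleted) lists of relative paths."""
    created = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return created, modified, deleted


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Self-contained run: constructed config files, then simulated tampering."""
    root = tempfile.mkdtemp(prefix="hidps-demo-")
    try:
        _write(root, "passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "hosts", b"127.0.0.1 localhost\n")
        _write(root, "ssh/sshd_config", b"PermitRootLogin no\n")
        baseline = snapshot(root)
        # Simulated intruder activity after the benchmark was taken
        _write(root, "passwd", b"root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n")
        _write(root, "cron.d/backdoor", b"* * * * * root /opt/persist.sh\n")
        os.remove(os.path.join(root, "hosts"))
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    created, modified, deleted = demo()
    print("created:", created, "modified:", modified, "deleted:", deleted)
```

Two checks a practitioner adds in production: store the baseline table off-host or sign it, because an intruder with root can rewrite a local baseline as easily as the files it covers; and hash contents rather than trusting modification times, which are trivially reset. Note that an added uid-0 account in passwd is exactly the kind of local change a network-based IDPS never sees (question 8).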

68. Using __________, the system reviews the log files generated by servers, network devices, and even other IDPSs.
a. LFM b. stat IDPS
c. AppIDPS d. HIDPS
ANSWER: a
POINTS: 1
REFERENCES: Log File Monitors
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

69. Which of the following is NOT a described IDPS control strategy?


a. centralized b. fully distributed
c. partially distributed d. decentralized
ANSWER: d
POINTS: 1
REFERENCES: Deployment and Implementation of an IDPS
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

70. __________ are decoy systems designed to lure potential attackers away from critical systems.
a. Honeypots b. Bastion hosts
c. Wasp nests d. Designated targets
ANSWER: a
POINTS: 1
REFERENCES: Honeypots, Honeynets, and Padded Cell Systems
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:35 PM

71. __________ applications use a combination of techniques to detect an intrusion and then trace it back to its source.
a. Honeynet b. Trap-and-trace
c. HIDPS d. Packet sniffer
ANSWER: b
POINTS: 1
REFERENCES: Trap-and-Trace Systems
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:36 PM

72. __________ is the action of luring an individual into committing a crime to get a conviction.
a. Entrapment b. Enticement
c. Intrusion d. Padding
ANSWER: a
POINTS: 1
REFERENCES: Trap-and-Trace Systems
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

73. In TCP/IP networking, port __________ is not used.


a. 0 b. 1
c. 13 d. 1023
ANSWER: a
POINTS: 1
REFERENCES: Port Scanners
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

74. Which of the following ports is commonly used for the HTTP protocol?
a. 20 b. 25
c. 53 d. 80
ANSWER: d
POINTS: 1
REFERENCES: Port Scanners
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

75. The ability to detect a target computer’s __________ is very valuable to an attacker.
a. manufacturer b. operating system
c. peripherals d. BIOS
ANSWER: b
POINTS: 1
REFERENCES: Operating System Detection Tools
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

76. __________ testing is a straightforward testing technique that looks for vulnerabilities in a program or protocol by
feeding random input to the program or a network running the protocol.
a. Buzz b. Fuzz
c. Spike d. Black
ANSWER: b
POINTS: 1
REFERENCES: Vulnerability Scanners
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM
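Worked example for question 76 (an added illustration in Python, not from the textbook): fuzz testing feeds mutated input to a parser and watches for behaviour the parser did not intend. The toy length-prefixed record format, the seed message and the mutation strategy are all constructed for the example. The parser is shown twice, once with a bug that trusts the length byte and once with the bounds check that fixes it, so the fuzzer's result can be compared.

```python
import random


def parse_record_buggy(data):
    """Toy record: [length][value bytes][checksum].
    Bug: the length byte is trusted, so a lying length (or an empty buffer)
    indexes past the end and raises IndexError instead of a clean rejection."""
    length = data[0]
    value = data[1:1 + length]
    checksum = data[1 + length]
    if sum(value) & 0xFF != checksum:
        raise ValueError("bad checksum")
    return value


def parse_record_fixed(data):
    """Same format, with the missing bounds checks. Every malformed input is
    rejected with ValueError, the one exception the caller is expected to handle."""
    if len(data) < 1:
        raise ValueError("empty record")
    length = data[0]
    if len(data) < 2 + length:
        raise ValueError("truncated record")
    value = data[1:1 + length]
    checksum = data[1 + length]
    if sum(value) & 0xFF != checksum:
        raise ValueError("bad checksum")
    return value


def make_record(value):
    """Build a well-formed record for use as the fuzzer's seed input."""
    return bytes([len(value)]) + value + bytes([sum(value) & 0xFF])


def fuzz(parser, seed_input, iterations=500, seed=1):
    """Mutate the seed input (byte overwrite, truncation, extension) and collect
    every input that makes the parser raise anything other than ValueError.
    A fixed random seed keeps the run reproducible."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        buf = bytearray(seed_input)
        op = rng.choice(["flip", "truncate", "extend"])
        if op == "flip":
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == "truncate":
            del buf[rng.randrange(len(buf)):]
        else:
            buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
        try:
            parser(bytes(buf))
        except ValueError:
            pass                              # rejected input: the parser did its job
        except Exception as exc:              # anything else is a finding
            crashes.append((bytes(buf), type(exc).__name__))
    return crashes


if __name__ == "__main__":
    seed_input = make_record(b"hello")
    print("buggy parser crashes:", len(fuzz(parse_record_buggy, seed_input)))
    print("fixed parser crashes:", len(fuzz(parse_record_fixed, seed_input)))
```

In Python the symptom is an uncaught IndexError; the same bug in a C parser is an out-of-bounds read or write, which is why fuzzing is a standard step before exposing a protocol implementation to untrusted input.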

77. Some vulnerability scanners feature a class of attacks called _________, that are so dangerous they should only be
used in a lab environment.
a. aggressive b. divisive
c. destructive d. disruptive
ANSWER: c
POINTS: 1
REFERENCES: Vulnerability Scanners
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

78. A __________ vulnerability scanner listens in on the network and identifies vulnerable versions of both server and
client software.
a. passive b. aggressive
c. active d. secret
ANSWER: a
POINTS: 1
REFERENCES: Vulnerability Scanners
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM
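Worked example for questions 27, 54 and 78 (an added illustration in Python, not from the textbook or from any scanner product): a passive vulnerability scanner sends nothing; it listens to traffic, for instance on a SPAN port, and infers software versions from what servers advertise. The observed banners are constructed, and the "minimum approved version" table is a constructed local policy used as the comparison target; it is not vulnerability data for these products.

```python
import re

# Constructed observations: banners a passive scanner would see on a SPAN
# port. No packets are sent to any of these hosts.
OBSERVED_BANNERS = [
    ("10.0.0.5",  22, "SSH-2.0-OpenSSH_7.4"),
    ("10.0.0.9",  22, "SSH-2.0-OpenSSH_9.6"),
    ("10.0.0.17", 80, "Server: Apache/2.4.29 (Ubuntu)"),
    ("10.0.0.17", 25, "220 mail.example.internal ESMTP Postfix"),
]

# Constructed local policy: the lowest version the organisation has approved
# for each product. Illustrative thresholds only.
MINIMUM_APPROVED = {
    "OpenSSH": (8, 0),
    "Apache": (2, 4, 50),
}

BANNER_PATTERNS = [
    ("OpenSSH", re.compile(r"OpenSSH[_ ](\d+(?:\.\d+)*)")),
    ("Apache",  re.compile(r"Apache/(\d+(?:\.\d+)*)")),
]


def parse_version(text):
    """'2.4.29' -> (2, 4, 29). Tuples compare numerically component by
    component; comparing the strings would rank '7.4' above '10.0'."""
    return tuple(int(part) for part in text.split("."))


def identify(banner):
    """Return (product, version tuple) or None when no pattern matches."""
    for product, rx in BANNER_PATTERNS:
        m = rx.search(banner)
        if m:
            return product, parse_version(m.group(1))
    return None


def passive_scan(banners):
    """Classify each observed banner. Returns (host, port, status, detail)."""
    findings = []
    for host, port, banner in banners:
        ident = identify(banner)
        if ident is None:
            findings.append((host, port, "unidentified", banner))
            continue
        product, version = ident
        minimum = MINIMUM_APPROVED.get(product)
        if minimum is not None and version < minimum:
            shown = ".".join(str(n) for n in version)
            findings.append((host, port, "below-minimum", f"{product} {shown}"))
    return findings


if __name__ == "__main__":
    for finding in passive_scan(OBSERVED_BANNERS):
        print(finding)
```

The limits of the passive approach show in the output: the Postfix banner carries no version at all, so the scanner can only record that it saw the service, and a banner can be edited or suppressed by the administrator. An active scanner gets a more definite answer, at the cost of generating traffic the target can see and, as question 29 notes, of needing approval first.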

79. A(n) __________ is a software program or hardware appliance that can intercept, copy, and interpret network traffic.
a. packet scanner b. packet sniffer
c. honeypot d. honey packet
ANSWER: b
POINTS: 1
REFERENCES: Packet Sniffers
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:42 PM

80. To use a packet sniffer legally, the administrator must __________.


a. be on a network that the organization owns
b. be under direct authorization of the network's owners
c. have knowledge and consent of the content's creators
d. All of the above
ANSWER: d
POINTS: 1
REFERENCES: Packet Sniffers
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:38 PM

Completion

81. A(n) ____________________ occurs when an attacker attempts to gain entry or disrupt the normal operations of an
information system, almost always with the intent to do harm.
ANSWER: intrusion
POINTS: 1
REFERENCES: Intrusion Detection and Prevention Systems
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

82. The ongoing activity from alarm events that are accurate and noteworthy but not necessarily significant as potentially
successful attacks is called ____________________.
ANSWER: noise
POINTS: 1
REFERENCES: IDPS Terminology
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

83. Alarm ____________________ and compaction is a consolidation of almost identical alarms that happen at close to
the same time into a single higher-level alarm.
ANSWER: clustering
POINTS: 1
REFERENCES: IDPS Terminology
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM
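
The consolidation described in question 83, worked through in code. This is an added example, not material from the textbook or test bank; the alarm line format, the 30-second window and the sample alarms are all constructed for the demonstration.

```python
"""Alarm clustering and compaction: alarms with the same source, destination and
signature that arrive within a short window are consolidated into one higher-level
alarm carrying a count and a time span."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alarm:
    ts: datetime
    src: str
    dst: str
    signature: str


@dataclass
class ClusteredAlarm:
    first_seen: datetime
    last_seen: datetime
    src: str
    dst: str
    signature: str
    count: int = 1


def parse_alarms(text: str):
    """Parse 'timestamp src dst signature' lines (a constructed format) into Alarm objects."""
    alarms = []
    for line in text.strip().splitlines():
        ts, src, dst, sig = line.split()
        alarms.append(Alarm(datetime.fromisoformat(ts), src, dst, sig))
    return alarms


def cluster_alarms(alarms, window=timedelta(seconds=30)):
    """Consolidate near-identical alarms.

    An alarm joins the open cluster for its (src, dst, signature) key if it arrives
    within `window` of that cluster's last alarm; otherwise it opens a new cluster.
    Clusters come back in order of first appearance, so the console shows one line
    per burst instead of one line per packet.
    """
    clusters = []
    open_cluster = {}  # key -> index of the cluster currently accepting alarms for that key
    for a in sorted(alarms, key=lambda x: x.ts):
        key = (a.src, a.dst, a.signature)
        idx = open_cluster.get(key)
        if idx is not None and a.ts - clusters[idx].last_seen <= window:
            clusters[idx].last_seen = a.ts
            clusters[idx].count += 1
        else:
            clusters.append(ClusteredAlarm(a.ts, a.ts, a.src, a.dst, a.signature))
            open_cluster[key] = len(clusters) - 1
    return clusters


def format_cluster(c: ClusteredAlarm) -> str:
    """One compacted line per cluster, the form an analyst console would show."""
    return (f"{c.signature} {c.src}->{c.dst} x{c.count} "
            f"{c.first_seen.time()}..{c.last_seen.time()}")


# Constructed sample: a port-scan burst, one injection attempt in the middle of it,
# and a second burst from the same scanner five minutes later.
SAMPLE_LOG = """
2016-09-14T10:45:00 10.0.0.5 192.0.2.10 PORTSCAN
2016-09-14T10:45:05 10.0.0.5 192.0.2.10 PORTSCAN
2016-09-14T10:45:10 10.0.0.5 192.0.2.10 PORTSCAN
2016-09-14T10:45:12 10.0.0.7 192.0.2.10 SQLI
2016-09-14T10:45:15 10.0.0.5 192.0.2.10 PORTSCAN
2016-09-14T10:45:20 10.0.0.5 192.0.2.10 PORTSCAN
2016-09-14T10:45:25 10.0.0.5 192.0.2.10 PORTSCAN
2016-09-14T10:50:00 10.0.0.5 192.0.2.10 PORTSCAN
"""


if __name__ == "__main__":
    for c in cluster_alarms(parse_alarms(SAMPLE_LOG)):
        print(format_cluster(c))
```

Eight raw alarms become three lines: the first burst (six alarms), the single SQLI alarm, and the later burst that falls outside the window and so opens a new cluster. The window is the knob to tune; too large and genuinely separate events merge, too small and the console floods again.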

84. A(n) ____________________ IDPS can adapt its reactions in response to administrator guidance over time and
circumstances of the current local environment.
ANSWER: smart
POINTS: 1
REFERENCES: IDPS Terminology
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

85. IDPSs can help the organization protect its assets when its networks and systems are exposed to
____________________ vulnerabilities or are unable to respond to a rapidly changing threat environment.
ANSWER: known
POINTS: 1
REFERENCES: Why Use an IDPS?
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:38 PM

86. The ____________________ port is also known as a Switched Port Analyzer (SPAN) port or mirror port.
ANSWER: monitoring
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

87. In ____________________ protocol verification, the higher-order protocols are examined for unexpected packet
behavior or improper use.
ANSWER: application
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:38 PM

88. HIDPSs are also known as system ____________________ verifiers.
ANSWER: integrity
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

89. A(n) ____________________-based IDPS resides on a particular computer or server and monitors activity only on
that system.
ANSWER: host
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

90. Three approaches dominate IDPS detection: the ____________________-based approach, the statistical
anomaly-based approach, and the stateful packet inspection approach.
ANSWER: signature
POINTS: 1
REFERENCES: IDPS Detection Methods
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:39 PM

91. A signature-based IDPS is sometimes called a(n) ____________________-based IDPS.
ANSWER: knowledge
POINTS: 1
REFERENCES: IDPS Detection Methods
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

92. When the measured activity is outside the baseline parameters, it is said to exceed the ____________________ level.
ANSWER: clipping
POINTS: 1
REFERENCES: IDPS Detection Methods
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM
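
Questions 90 to 92 name the signature (knowledge-based) approach and the statistical anomaly approach with its clipping level. The following added example, which is not code from the textbook or test bank, runs both over constructed HTTP request records so the two can be compared on the same traffic. The signatures, the baseline counts, the choice of three standard deviations for the clipping level and the traffic are all assumptions made for the demonstration.

```python
"""Two IDPS detection approaches on constructed request records: a signature
(knowledge-based) matcher, and a statistical anomaly detector that compares
per-client request rates with a baseline and alarms when the clipping level is
exceeded."""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed signatures. Real rule sets (Snort's, for instance) are far larger.
SIGNATURES = [
    ("SQLI_UNION", re.compile(r"union\s+select", re.I)),
    ("PATH_TRAVERSAL", re.compile(r"\.\./")),
]


def signature_matches(request_line: str):
    """Knowledge-based detection: names of all signatures present in one request.
    The line is URL-decoded first; otherwise '%20' between UNION and SELECT would
    carry the attack past the pattern, a simple evasion."""
    decoded = unquote(request_line)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def build_baseline(normal_counts):
    """Baseline statistics from request counts per interval seen during normal operation."""
    return {"mean": statistics.mean(normal_counts), "sd": statistics.pstdev(normal_counts)}


def clipping_level(baseline, k=3.0):
    """Clipping level: mean plus k standard deviations (k is an assumed tuning knob)."""
    return baseline["mean"] + k * baseline["sd"]


def detect(records, baseline, k=3.0):
    """Run both detectors over (client, minute, request_line) tuples."""
    signature_alerts = []
    for client, minute, line in records:
        hits = signature_matches(line)
        if hits:
            signature_alerts.append((client, minute, hits))
    per_client_minute = Counter((client, minute) for client, minute, _ in records)
    limit = clipping_level(baseline, k)
    anomaly_alerts = sorted((client, minute, n)
                            for (client, minute), n in per_client_minute.items() if n > limit)
    return {"signature": signature_alerts, "anomaly": anomaly_alerts, "clipping_level": limit}


# Constructed baseline: requests per minute from one client over a quiet period.
NORMAL_PER_MINUTE = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13]   # mean 13.5, sd 1.5

# Constructed live traffic: a normal user, a low-volume injection attempt, and a
# crawler burst of requests that are each harmless on their own.
LIVE = (
    [("10.0.0.5", 1, "GET /index.html HTTP/1.1"),
     ("10.0.0.5", 1, "GET /search?q=shoes HTTP/1.1"),
     ("10.0.0.9", 1, "GET /search?q=1%27%20UNION%20SELECT%20password%20FROM%20users-- HTTP/1.1"),
     ("10.0.0.9", 1, "GET /static/../../etc/passwd HTTP/1.1")]
    + [("10.0.0.9", 2, f"GET /page{i}.html HTTP/1.1") for i in range(60)]
)


if __name__ == "__main__":
    result = detect(LIVE, build_baseline(NORMAL_PER_MINUTE))
    print("clipping level:", result["clipping_level"])
    print("signature alerts:", result["signature"])   # the injection, not the burst
    print("anomaly alerts:", result["anomaly"])       # the burst, not the injection
```

With this baseline the clipping level works out to 18 requests per minute. The signature matcher flags the two attack requests in minute 1 and says nothing about the 60-request burst, because no single request in it matches a pattern; the anomaly detector flags the burst and says nothing about the injection, because two requests are well inside the baseline. That complementarity is why real deployments combine the approaches.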

93. With a(n) ____________________ IDPS control strategy, all IDPS control functions are implemented and managed in
a central location.
ANSWER: centralized
POINTS: 1
REFERENCES: Deployment and Implementation of an IDPS
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:40 PM

94. A(n) ____________________ system contains pseudo-services that emulate well-known services, but is configured in
ways that make it look vulnerable to attacks.
ANSWER: honeypot
POINTS: 1
REFERENCES: Honeypots, Honeynets, and Padded Cell Systems
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

95. When a collection of honeypots connects several honeypot systems on a subnet, it may be called a(n)
____________________.
ANSWER: honeynet
POINTS: 1
REFERENCES: Honeypots, Honeynets, and Padded Cell Systems
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

96. A(n) ____________________ is a honeypot that has been protected so that it cannot be easily compromised.
ANSWER: padded cell
POINTS: 1
REFERENCES: Honeypots, Honeynets, and Padded Cell Systems
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:40 PM

97. Under the guise of justice, some less scrupulous administrators may be tempted to ____________________, or hack
into a hacker’s system to find out as much as possible about the hacker.
ANSWER: back hack
POINTS: 1
REFERENCES: Trap-and-Trace Systems
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

98. ____________________ is the process of attracting attention to a system by placing tantalizing bits of information in
key locations.
ANSWER: Enticement
POINTS: 1
REFERENCES: Trap-and-Trace Systems
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

99. The attack ____________________ is a series of steps or processes used by an attacker, in a logical sequence, to
launch an attack against a target system or network.
ANSWER: protocol
POINTS: 1
REFERENCES: Scanning and Analysis Tools
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

100. ____________________ is a systematic survey of all of the target organization’s Internet addresses.
ANSWER: Fingerprinting
POINTS: 1
REFERENCES: Scanning and Analysis Tools
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

101. ____________________ scanning will allow an Nmap user to bounce a scan across a firewall by using one of the
idle DMZ hosts as the apparent source (the zombie) of the scan.
ANSWER: Idle
POINTS: 1
REFERENCES: Firewall Analysis Tools
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:45 PM
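
The inference behind the idle scan of question 101, as an added simulation that is not code from the textbook, test bank or Nmap itself. No packets are sent: the zombie's incrementing IP ID counter and the target's TCP responses are modelled in code so the logic, and the reason the zombie must actually be idle, can be followed. Addresses, ports and the `background_packets` knob are constructed for the demonstration.

```python
"""Simulation of Nmap's idle (zombie) scan: the scanner probes the zombie's IP ID,
sends the target a SYN spoofed from the zombie's address, probes the IP ID again,
and reads the port state from how many packets the zombie sent in between."""


class Zombie:
    """Host with a globally incrementing IP ID, the property an idle scan depends on."""

    def __init__(self, ip: str, ip_id: int = 1000, background_packets: int = 0):
        self.ip = ip
        self.ip_id = ip_id
        self.background_packets = background_packets  # > 0 models a zombie that is not idle

    def _emit(self) -> int:
        """Every packet the zombie sends consumes one IP ID."""
        self.ip_id += 1
        return self.ip_id

    def probe(self) -> int:
        """Scanner sends the zombie an unsolicited SYN/ACK; the RST it answers with
        carries the IP ID the scanner reads. Any background traffic is sent as well."""
        for _ in range(self.background_packets):
            self._emit()
        return self._emit()

    def receive(self, segment: str) -> None:
        if segment == "SYN/ACK":   # unexpected SYN/ACK -> zombie replies RST (one IP ID)
            self._emit()
        # an unexpected RST produces no reply at all


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_syn(self, port: int, spoofed_src: str):
        """The reply goes to the spoofed source (the zombie), never to the scanner."""
        if port in self.filtered_ports:
            return None            # firewall drops the SYN: nothing comes back
        return "SYN/ACK" if port in self.open_ports else "RST"


def idle_scan_port(zombie: Zombie, target: Target, port: int) -> str:
    before = zombie.probe()
    # SYN to target:port with the zombie's address as the spoofed source.
    reply = target.receive_syn(port, spoofed_src=zombie.ip)
    if reply is not None:
        zombie.receive(reply)
    after = zombie.probe()
    delta = after - before
    if delta == 2:
        return "open"              # target sent SYN/ACK, zombie answered it with a RST
    if delta == 1:
        return "closed|filtered"   # only the scanner's probe consumed an IP ID
    return "unknown"               # zombie not idle, or IP ID not sequential


def idle_scan(zombie: Zombie, target: Target, ports):
    return {p: idle_scan_port(zombie, target, p) for p in ports}


if __name__ == "__main__":
    target = Target(open_ports={22, 80}, filtered_ports={25})
    print(idle_scan(Zombie("192.0.2.50"), target, [22, 23, 25, 80]))
    # A busy zombie skews the count: its own traffic makes a closed port look open.
    print(idle_scan(Zombie("192.0.2.51", background_packets=1), target, [23]))
```

Two practical points fall out of the simulation: a filtered port is indistinguishable from a closed one (the zombie sees nothing either way), and a zombie that sends even one packet of its own between probes turns a closed port into a false "open". Nmap mitigates the second problem by testing the zombie's IP ID behaviour first and by probing each port several times; the model above does neither.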

102. A(n) ____________________ vulnerability scanner is one that initiates traffic on the network in order to determine
security holes.
ANSWER: active
POINTS: 1
REFERENCES: Vulnerability Scanners
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

103. A ____________________ vulnerability scanner listens in on the network and identifies vulnerable versions of both
server and client software.
ANSWER: passive
POINTS: 1
REFERENCES: Vulnerability Scanners
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

104. A packet ____________________ is a software program or hardware appliance that can intercept, copy, and interpret
network traffic.
ANSWER: sniffer
POINTS: 1
REFERENCES: Packet Sniffers
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM

105. To secure data in transit across any network, organizations must use ____________________ to be assured of
content privacy.
ANSWER: encryption
POINTS: 1
REFERENCES: Packet Sniffers
QUESTION TYPE: Completion
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 9/14/2016 10:45 AM
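
Questions 103 to 105 describe a passive vulnerability scanner, a packet sniffer, and the reason encryption is the only protection for data in transit. The added example below, which is not code from the textbook or test bank, ties the three together: it decodes constructed IPv4/TCP packets the way a sniffer does, identifies server versions from the banners it sees, and shows which payloads give up credentials. The packets are built inline with `struct` (checksums left zero), and the banner list marks versions as vulnerable purely by assumption for the demonstration; it is not an advisory.

```python
"""What a packet sniffer sees, and what a passive vulnerability scanner makes of it:
decode constructed IPv4/TCP packets, extract the application payload, and match
server banners against a made-up list of versions treated as vulnerable."""
import struct
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 + TCP packet for the demo (checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Decode the headers, honouring the IHL and TCP data-offset fields rather than
    assuming 20-byte headers, so packets carrying options decode correctly too."""
    if raw[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return Packet(src, dst, sport, dport, tcp[data_off:])


# Constructed banner list. A real passive scanner carries a maintained vulnerability
# database; these entries are assumptions for the demo, not advisories.
VULNERABLE_BANNERS = {
    b"SSH-2.0-OpenSSH_5.3": "OpenSSH 5.3 (assumed vulnerable for the demo)",
    b"220 ProFTPD 1.3.3": "ProFTPD 1.3.3 (assumed vulnerable for the demo)",
}


def passive_scan(capture):
    """Identify server versions purely from traffic the sniffer observed; no probes sent."""
    findings = []
    for raw in capture:
        pkt = parse_ipv4_tcp(raw)
        for banner, desc in VULNERABLE_BANNERS.items():
            if pkt.payload.startswith(banner):
                findings.append((pkt.src, pkt.sport, desc))
    return findings


def plaintext_credentials(capture):
    """Credentials readable on the wire: only unencrypted protocols give these up."""
    creds = []
    for raw in capture:
        pkt = parse_ipv4_tcp(raw)
        if pkt.dport == 21 and pkt.payload.startswith(b"PASS "):
            creds.append((pkt.dst, pkt.payload[5:].strip().decode()))
    return creds


# Constructed capture: two service banners, an FTP login, and a TLS application-data
# record whose contents are opaque to the sniffer.
CAPTURE = [
    build_ipv4_tcp("192.0.2.10", "10.0.0.5", 22, 50001, b"SSH-2.0-OpenSSH_5.3\r\n"),
    build_ipv4_tcp("192.0.2.11", "10.0.0.5", 21, 50002, b"220 ProFTPD 1.3.3 Server ready\r\n"),
    build_ipv4_tcp("10.0.0.5", "192.0.2.11", 50002, 21, b"USER alice\r\n"),
    build_ipv4_tcp("10.0.0.5", "192.0.2.11", 50002, 21, b"PASS hunter2\r\n"),
    build_ipv4_tcp("10.0.0.5", "192.0.2.12", 50003, 443, b"\x17\x03\x03\x00\x10" + bytes(range(16))),
]


if __name__ == "__main__":
    for raw in CAPTURE:
        print(parse_ipv4_tcp(raw))
    print(passive_scan(CAPTURE))
    print(plaintext_credentials(CAPTURE))
```

The FTP password is recovered from the capture because FTP sends it in the clear; the HTTPS record yields nothing beyond the endpoints and the record type, which is the point of question 105. Note also that the passive scanner only learns about services whose traffic crosses the monitoring port, so it complements rather than replaces an active scan.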

Essay

106. List and describe at least four reasons to acquire and use an IDPS.
ANSWER: 1. To prevent problem behaviors by increasing the perceived risk of discovery and punishment for
those who would attack or otherwise abuse the system
2. To detect attacks and other security violations that are not prevented by other security measures
3. To detect and deal with the preambles to attacks (commonly experienced as network probes and
other "doorknob rattling" activities)
4. To document the existing threat to an organization
5. To act as quality control for security design and administration, especially of large and complex
enterprises
6. To provide useful information about intrusions that do take place, allowing improved diagnosis,
recovery, and correction of causative factors
POINTS: 1
REFERENCES: Why Use an IDPS?
QUESTION TYPE: Essay
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:46 PM

107. List and describe the three advantages of NIDPSs.
ANSWER: 1. Good network design and placement of NIDPS devices can enable an organization to use a few
devices to monitor a large network.
2. NIDPSs are usually passive devices and can be deployed into existing networks with little or no
disruption to normal network operations.
3. NIDPSs are not usually susceptible to direct attack and may not be detectable by attackers.
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Essay
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:46 PM

108. List and describe the four advantages of HIDPSs.
ANSWER: 1. An HIDPS can detect local events on host systems and detect attacks that may elude a network-
based IDPS.
2. An HIDPS functions on the host system, where encrypted traffic will have been decrypted and is
available for processing.
3. The use of switched network protocols does not affect an HIDPS.
4. An HIDPS can detect inconsistencies in how applications and systems programs were used by
examining the records stored in audit logs. This can enable it to detect some types of attacks,
including Trojan horse programs.
POINTS: 1
REFERENCES: Types of IDPSs
QUESTION TYPE: Essay
HAS VARIABLES: False
DATE CREATED: 9/14/2016 10:45 AM
DATE MODIFIED: 3/8/2017 10:47 PM
