Complete Test Bank With Answers
Sample Questions Posted Below
Chapter 5: Incident Response: Detection and Decision Making
TRUE/FALSE
1.According to the NIST definition of an event as “any observable occurrence in a system or network,” all events are computer or network oriented.
ANS: F PTS: 1 REF: 167
2.To help make the detection of actual incidents more reliable, there are three broad categories of incident indicators that have been identified: possible, probable, and definite.
ANS: T PTS: 1 REF: 168
3.Most modern antivirus/anti-malware utilities cannot detect rootkits.
ANS: F PTS: 1 REF: 171
4.The Windows Task Manager can be used to seek out Trojan programs on Microsoft Windows computers.
ANS: F PTS: 1 REF: 176
5.Many attacks come through ports and then attack legitimate processes to allow themselves access or to conduct subsequent attacks.
ANS: T PTS: 1 REF: 197
MULTIPLE CHOICE
1.The process of evaluating the circumstances around organizational events includes determining which adverse events are possible incidents, or ____.
a. critical violations
b. incident candidates
c. hacker intrusions
d. service alarms
ANS: B PTS: 1 REF: 167
2.A(n) ____ is a sign that an adverse event is underway and has a probability of becoming an incident.
a. precursor
b. inactive system
c. indication
d. signal
ANS: C PTS: 1 REF: 168
3.A(n) ____ is a sign that an activity now occurring may signal an incident that could occur in the future.
a. precursor
b. inactive system
c. indication
d. signal
ANS: A PTS: 1 REF: 168
4.A ____ rootkit is one that becomes a part of the system bootstrap process and is loaded every time the system boots.
a. user-mode
b. memory-based
c. kernel-mode
d. persistent
ANS: D PTS: 1 REF: 170
5.In the event that a definite indicator is recognized, the corresponding ____ must be activated immediately.
a. alarm
b. IR plan
c. rootkit
d. IDPS
ANS: B PTS: 1 REF: 172
6.Most organizations will find themselves awash in incident candidates at one time or another, and the vast majority will be ____.
a. definite indicators
b. reported attacks
c. unusual system crashes
d. false positives
ANS: D PTS: 1 REF: 173
7.The ongoing activity from alarm events that are accurate and noteworthy but not necessarily significant as potentially successful attacks is called ____.
a. confidence
b. false positive
c. tuning
d. noise
ANS: D PTS: 1 REF: 184
8.A(n) ____ is the set of rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
a. attack stimulus
b. confidence
c. site policy
d. IR policy
ANS: C PTS: 1 REF: 185
9.The ____ of a hub, switch or other networking device is a specially configured connection that is capable of viewing all the traffic that moves through the entire device.
a. monitoring port
b. external router
c. TCP/IP sensor
d. IDPS console
ANS: A PTS: 1 REF: 189
10.The use of IDPS sensors and analysis systems can be quite complex. One very common approach is to use an open source software program called ____ running on an open source UNIX or Linux system that can be managed and queried from a desktop computer using a client interface.
a. Sniff
b. Snort
c. Match
d. Detector
ANS: B PTS: 1 REF: 190
11.Using a process known as ____, network-based IDPSs look for attack patterns by comparing measured activity to known signatures in their knowledge base to determine whether or not an attack has occurred or may be under way.
a. packet sniffing
b. port monitoring
c. traffic measurement
d. signature matching
ANS: D PTS: 1 REF: 191
12.In an attack known as ____, valid protocol packets exploit poorly configured DNS servers to inject false information to corrupt the servers’ answers to routine DNS queries from other systems on that network.
a. denial-of-service (DoS)
b. DNS cache poisoning
c. port mirroring
d. evasion
ANS: B PTS: 1 REF: 192
13.The ____ approach for detecting intrusions is based on the frequency with which certain network activities take place.
a. signature-based IDPS
b. knowledge-based IDPS
c. anomaly-based IDPS
d. host-based IDPS
ANS: C PTS: 1 REF: 205
14.When the measured activity is outside the baseline parameters in a behavior-based IDPS, it is said to exceed the ____ (the level at which the IDPS triggers an alert to notify the administrator).
a. baseline level
b. footprint level
c. clipping level
d. root level
ANS: C PTS: 1 REF: 205
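A worked example of the behavior-based approach behind questions 13 and 14, added here as an illustration and not taken from the textbook. It builds a baseline from constructed per-minute connection counts, derives a clipping level as the mean plus K standard deviations (that formula is an assumption; the book does not prescribe one), and flags observations above it. The `false_positives` helper shows the tuning trade-off: a lower K catches more, but also alerts on traffic that was part of the baseline.

```python
"""Behavior-based (anomaly) detection with a baseline and a clipping level.

Added example; not from the textbook. The counts below are constructed
per-minute connection totals for one host, and the clipping-level rule
(mean + K * standard deviation) is an assumption, not the book's formula.
"""
from statistics import mean, pstdev

# Constructed baseline: connections per minute observed during a quiet period.
BASELINE_COUNTS = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13]

# Constructed observation window: the last two samples are abnormal.
OBSERVED_COUNTS = [14, 13, 15, 12, 90, 120]


def build_baseline(samples, k=3.0):
    """Return (mean, stdev, clipping_level) from normal-traffic samples.

    The clipping level is the threshold above which the IDPS raises an alert.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate a baseline")
    mu = mean(samples)
    sigma = pstdev(samples)
    return mu, sigma, mu + k * sigma


def detect_anomalies(observed, clipping_level):
    """Return [(index, value)] for every sample that exceeds the clipping level."""
    return [(i, v) for i, v in enumerate(observed) if v > clipping_level]


def false_positives(benign_samples, clipping_level):
    """Count known-benign samples that would wrongly trigger an alert.

    Running this against a held-out benign window is the tuning step: raise K
    until this count is acceptable without losing the real outliers.
    """
    return sum(1 for v in benign_samples if v > clipping_level)


if __name__ == "__main__":
    mu, sigma, clip = build_baseline(BASELINE_COUNTS)
    print(f"baseline mean={mu:.1f} stdev={sigma:.1f} clipping level={clip:.1f}")
    for idx, value in detect_anomalies(OBSERVED_COUNTS, clip):
        print(f"ALERT minute {idx}: {value} connections exceeds clipping level")
    for k in (1.0, 2.0, 3.0):
        level = build_baseline(BASELINE_COUNTS, k)[2]
        print(f"K={k}: {false_positives(BASELINE_COUNTS, level)} false positives on baseline")
```

With these constructed numbers the baseline mean is 13.5 with a standard deviation of 1.5, so K=3 puts the clipping level at 18 and only the two burst minutes trigger; K=1 would also fire on the 16-connection minute that was part of normal traffic.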
15.A(n) ____ , a type of IDPS that is similar to the NIDPS, reviews the log files generated by servers, network devices, and even other IDPSs.
a. packet exchanger
b. trap and trace system
c. honeynet
d. log file monitor
ANS: D PTS: 1 REF: 206
16.New systems can respond to an incident threat autonomously, based on preconfigured options that go beyond simple defensive actions usually associated with IDPS and IPS systems. These systems, referred to as ____, use a combination of resources to detect an intrusion and then to trace the intrusion back to its source.
a. trap and trace
b. log file monitors
c. honeynets
d. packet exchangers
ANS: A PTS: 1 REF: 206
17.____ are closely monitored network decoys that can distract adversaries from more valuable machines on a network; can provide early warning about new attack and exploitation trends; and can allow in-depth examination of adversaries during and after exploitation.
a. Log file monitors
b. Honeypots
c. Trap and trace systems
d. Packet exchangers
ANS: B PTS: 1 REF: 207
18.A(n) ____ is any system resource that is placed onto a functional system but has no normal use for that system. If it attracts attention, it is from unauthorized access and will trigger a notification or response.
a. honeytoken
b. honeynet
c. honeypot
d. wasp trap
ANS: A PTS: 1 REF: 207
19.The ____ is a federal law that creates a general prohibition on the real-time monitoring of traffic data relating to communications.
a. Wiretap Act
b. Electronic Communications Privacy Act
c. Pen/Trap Statute
d. Fourth Amendment to the U.S. Constitution
ANS: C PTS: 1 REF: 208
20.The task of monitoring file systems for unauthorized change is best performed by using a(n) ____.
a. NIDPS
b. HIDPS
c. AppIDPS
d. knowledge-based IDPS
ANS: B PTS: 1 REF: 214
21.If an intruder can ____ a device, then no electronic protection can deter the loss of information.
a. log and monitor
b. packet sniff
c. trap and trace
d. physically access
ANS: D PTS: 1 REF: 214
COMPLETION
1.NIST defines an event as “any observable occurrence in a system or network” and defines a(n) ____________________ event as “an event with negative consequences.”
ANS: adverse
PTS: 1 REF: 167
2.____________________ is the process of evaluating the circumstances around organizational events, determining which events are possible incidents and whether a particular event constitutes an actual incident.
ANS: Incident classification
PTS: 1 REF: 167
3.A(n) ____________________ is a software program or module of code that enables ongoing privileged access to a computer while actively hiding its presence from the system kernel as well as human administrators.
ANS: rootkit
PTS: 1 REF: 170
4.IDPS, an acronym for ____________________ System, is a network burglar alarm.
ANS: Intrusion Detection and Prevention
PTS: 1 REF: 174
5.The failure of an IDPS to react to an actual attack event is called a(n) ____________________.
ANS: false negative
PTS: 1 REF: 184
MATCHING
Match each item with a statement below.
a. alarm compaction
b. changes to logs
c. network-based IDPS
d. unusual consumption of computing resources
e. host-based IDPS
f. signature-based IDPS
g. alarm filtering
h. presence of unexpected new accounts
i. behavior-based IDPS
1.A possible indicator of an incident
2.A probable indicator of an incident
3.A definite indicator of an incident
4.A form of alarm clustering that is based on frequency or similarities
5.The process of classifying the attack alerts an IDPS detects
6.Examines data traffic in search of patterns that match predetermined attack patterns
7.Monitors traffic on a segment of an organization’s network
8.Collects statistical summaries of normal traffic to establish a baseline
9.Works on the principle of configuration or change management
1. ANS: D PTS: 1 REF: 168
2. ANS: H PTS: 1 REF: 169
3. ANS: B PTS: 1 REF: 172
4. ANS: A PTS: 1 REF: 183
5. ANS: G PTS: 1 REF: 184
6. ANS: F PTS: 1 REF: 188
7. ANS: C PTS: 1 REF: 188
8. ANS: I PTS: 1 REF: 205
9. ANS: E PTS: 1 REF: 200
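A worked example of the host-based, change-management principle from multiple-choice question 20 and matching item 9, added here as an illustration rather than taken from the textbook. It hashes every file under a root, stores the digests as a baseline, and later reports what was added, removed, or modified. The directory, file names and "intrusion" edits are constructed so the script runs offline.

```python
"""Host-based change detection: baseline file hashes, then report drift.

Added example; not the textbook's code. It builds a throwaway directory
with constructed files so it runs offline; the file names, contents and the
simulated tampering are assumptions for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift from the baseline into added, removed and modified files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Stage a constructed host, take a baseline, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        baseline = snapshot(root)

        # Simulated intrusion (constructed): extra UID-0 account appended,
        # system binary replaced, hardening config deleted, new file dropped.
        with (root / "etc" / "passwd").open("a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned")
        (root / "etc" / "ssh_config").unlink()
        (root / "tmp").mkdir()
        (root / "tmp" / ".rk.so").write_bytes(b"\x7fELF rootkit")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```

The baseline is only as trustworthy as its storage: an intruder with root on the monitored host can rewrite the digest file along with the binaries, so keep it off-host or under a signature the host cannot forge. A change report is also only a probable indicator until someone checks it against authorized change records; unexpected edits to system binaries and account files are exactly what the chapter's indicator categories are meant to escalate.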
SHORT ANSWER
1.Although any threat category could instigate an incident, NIST provides a five-category incident classification scheme for network-based incidents. Briefly describe the five categories.
ANS:
Denial of service—An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources
Malicious code—A virus, worm, Trojan horse, or other code-based malicious entity that successfully infects a host
Unauthorized access—When a person, without permission, gains logical or physical access to a network, system, application, data, or other IT resource
Inappropriate usage—When a person violates acceptable use of any network or computer policies
Multiple component—A single incident that encompasses two or more incidents
PTS: 1 REF: 167-168
2.Define the term “intrusion” and discuss the usual intent behind an intrusion event.
ANS:
An intrusion is a type of attack on information assets in which the instigator attempts to gain unauthorized entry into a system or network or disrupt the normal operations of a system or network. Whether or not this is done with the intent to steal or do harm, it remains outside the intended use of the system or network. Even when such attacks are automated or self-propagating, as in the case of viruses and distributed denial-of-service attacks, they are almost always instigated by an individual whose purpose is to harm an organization.
PTS: 1 REF: 174
3.IPS technologies can respond to a detected threat by attempting to prevent it from succeeding. Briefly describe the three groups of response techniques they use.
ANS:
The IPS stops the attack itself. Examples of how this could be done are as follows:
1) Terminate the network connection or user session that is being used for the attack
2) Block access to the target (or possibly other likely targets) from the offending user account, IP address, or other attacker attribute
3) Block all access to the targeted host, service, application, or other resource.
The IPS changes the security environment. The IPS could change the configuration of other security controls to disrupt an attack. Common examples are reconfiguring a network device (e.g., firewall, router, switch) to block access from the attacker or to the target, and altering a host-based firewall on a target to block incoming attacks. Some IPSs can even cause patches to be applied to a host if the IPS detects that the host has vulnerabilities.
The IPS changes the attack’s content. Some IPS technologies can remove or replace malicious portions of an attack to make it benign. A simple example is an IPS removing an infected file attachment from an e-mail and then permitting the cleaned email to reach its recipient. A more complex example is an IPS that acts as a proxy and normalizes incoming requests, which means that the proxy repackages the payloads of the requests, discarding header information. This might cause certain attacks to be discarded as part of the normalization process.
PTS: 1 REF: 183
4.What does the term “tuning” mean with respect to an IDPS?
ANS:
Tuning is the process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing both false positives and false negatives. This process may include grouping almost identical alarms that happen at close to the same time into a single higher-level alarm. This consolidation reduces the number of alarms generated, thereby reducing administrative overhead, and also identifies a relationship among multiple alarms. This type of clustering may be based on combinations of frequency, similarity in attack signature, similarity in attack target, or other criteria that are defined by the system administrators.
PTS: 1 REF: 185
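The alarm clustering described in the answer above (alarm compaction, matching item 4), as an added example that is not the textbook's code. It collapses alerts that share a signature and target and arrive within a time window into one summary alarm. The alert stream, the 60-second window and the grouping key are constructed assumptions.

```python
"""Alarm compaction: collapse near-duplicate IDPS alerts into one summary alarm.

Added example; not the textbook's code. The alerts are constructed tuples
(timestamp in seconds, signature, target); the 60-second window and the
(signature, target) grouping key are assumptions for the demonstration.
"""
from collections import namedtuple

Alarm = namedtuple("Alarm", "ts signature target")
Compacted = namedtuple("Compacted", "signature target first_ts last_ts count")

# Constructed alert stream: an SSH brute-force burst, a port-scan burst,
# a late repeat of the brute force, and one unrelated alert.
ALERTS = [
    Alarm(0, "SSH brute force", "10.0.0.5"),
    Alarm(5, "SSH brute force", "10.0.0.5"),
    Alarm(12, "port scan", "10.0.0.9"),
    Alarm(20, "SSH brute force", "10.0.0.5"),
    Alarm(30, "port scan", "10.0.0.9"),
    Alarm(300, "SSH brute force", "10.0.0.5"),  # beyond the window: new cluster
    Alarm(310, "web shell upload", "10.0.0.7"),
]


def compact(alarms, window=60):
    """Group alarms with the same (signature, target) that arrive within `window`
    seconds of the cluster's first alarm; emit one Compacted record per cluster."""
    open_clusters = {}  # (signature, target) -> [first_ts, last_ts, count]
    out = []
    for a in sorted(alarms, key=lambda x: x.ts):
        key = (a.signature, a.target)
        cl = open_clusters.get(key)
        if cl is None or a.ts - cl[0] > window:
            if cl is not None:
                out.append(Compacted(*key, *cl))  # close the expired cluster
            open_clusters[key] = [a.ts, a.ts, 1]
        else:
            cl[1] = a.ts
            cl[2] += 1
    for key, cl in open_clusters.items():  # flush clusters still open at end of input
        out.append(Compacted(*key, *cl))
    return sorted(out, key=lambda c: c.first_ts)


if __name__ == "__main__":
    summary = compact(ALERTS)
    print(f"{len(ALERTS)} raw alerts -> {len(summary)} compacted alarms")
    for c in summary:
        print(f"{c.signature:16s} {c.target:10s} x{c.count} [{c.first_ts}s-{c.last_ts}s]")
```

Seven raw alerts become four alarms, and the count field preserves the information an analyst needs (three brute-force alerts in 20 seconds is a different signal from one). The window is a tuning knob: too wide and a renewed attack minutes later is hidden inside the first cluster; too narrow and the console fills up again.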
5.According to NIST’s documentation of industry best practices, there are several compelling reasons to acquire and use an IDPS. What are these reasons?
ANS:
1. To prevent problem behaviors by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system
2. To detect attacks and other security violations that are not prevented by other security measures
3. To detect and deal with the preambles to attacks (commonly experienced as network probes and other “doorknob-rattling” activities)
4. To document the existing threat to an organization
5. To act as quality control for security design and administration, especially of large and complex enterprises
6. To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors
PTS: 1 REF: 185
6.When selecting an IDPS from a resource standpoint, what two key items do we need to understand?
ANS:
1. The total cost of ownership of IDPSs well exceeds acquisition costs. Other costs may be associated with acquiring systems on which to run software components, deploying additional networks, providing sufficient storage for IDPS data, obtaining specialized assistance in installing and configuring the system, and training personnel.
2. Some IDPSs are designed under the assumption that personnel will be available to monitor and maintain them around the clock. If evaluators do not anticipate having such personnel available, they may wish to explore those systems that accommodate less than full-time attendance or are designed for unattended use, or they could consider the possibility of outsourcing the monitoring and possibly also the maintenance of the IDPS.
PTS: 1 REF: 187-188
7.Signature matching can be accomplished by the comparison of captured network traffic using a special implementation of the TCP/IP stack that reassembles the packets and applies protocol stack verification. Briefly describe how protocol stack verification works.
ANS:
In the process of protocol stack verification, the NIDPS looks for invalid data packets—that is, packets that are malformed under the rules of the TCP/IP protocol. A data packet is defined as invalid when its configuration does not match what is defined as valid by the various Internet protocols, such as TCP, UDP, and IP. The elements of the protocols in use (IP, TCP, UDP, and application layers such as HTTP) are combined in a complete set called the protocol stack when the software is implemented in an operating system or application. Many types of intrusions, especially denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, rely on the creation of improperly formed packets to take advantage of weaknesses in the protocol stack in certain operating systems or applications.
PTS: 1 REF: 191-192
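The protocol stack verification described above, as an added example and not the textbook's code. It parses an IPv4 header and a TCP header from raw bytes and reports each way the packet breaks the protocol rules: bad version or header length, a total length that disagrees with the bytes actually received, reserved port 0, and flag combinations no legitimate stack emits (SYN+FIN, SYN+RST, no flags, FIN+PSH+URG). The packets are constructed byte strings, and the rule list is an illustrative subset of what a NIDPS applies, not a complete one.

```python
"""Protocol stack verification: flag packets malformed under the IPv4/TCP rules.

Added example; not the textbook's code. The packets below are constructed
byte strings (no network access), and the check list is an illustrative
subset of what a NIDPS applies, not an exhaustive one.
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IPPROTO_TCP = 6


def verify_ipv4_tcp(packet: bytes) -> list[str]:
    """Return a list of violations; an empty list means the packet is well-formed."""
    problems = []
    if len(packet) < 20:
        return ["ip: header truncated"]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        problems.append(f"ip: version {version} is not 4")
    if ihl < 5:
        problems.append(f"ip: IHL {ihl} below minimum of 5 words")
    if total_len < ihl * 4:
        problems.append("ip: total length smaller than header length")
    if total_len > len(packet):
        problems.append("ip: total length exceeds bytes on the wire")
    if proto != IPPROTO_TCP:
        return problems  # only TCP is inspected in this example
    ip_hdr_len = max(ihl, 5) * 4  # never trust an IHL below the minimum
    if len(packet) < ip_hdr_len + 20:
        problems.append("tcp: header truncated")
        return problems
    sport, dport, _seq, _ack, off_flags = struct.unpack(
        "!HHIIH", packet[ip_hdr_len:ip_hdr_len + 14])
    data_off, flags = off_flags >> 12, off_flags & 0x1FF
    if data_off < 5:
        problems.append(f"tcp: data offset {data_off} below minimum of 5 words")
    if sport == 0 or dport == 0:
        problems.append("tcp: port 0 is reserved")
    if flags & TCP_SYN and flags & TCP_FIN:
        problems.append("tcp: SYN and FIN set together")
    if flags & TCP_SYN and flags & TCP_RST:
        problems.append("tcp: SYN and RST set together")
    if (flags & 0x3F) == 0:
        problems.append("tcp: no flags set (null scan)")
    xmas = TCP_FIN | TCP_PSH | TCP_URG
    if (flags & xmas) == xmas:
        problems.append("tcp: FIN, PSH and URG set together (Xmas scan)")
    if flags & TCP_FIN and not flags & TCP_ACK:
        problems.append("tcp: FIN without ACK")
    return problems


def build_packet(ihl=5, total_len=None, proto=IPPROTO_TCP, sport=40000, dport=80,
                 data_off=5, flags=TCP_SYN, payload=b"") -> bytes:
    """Assemble a 20-byte IPv4 header plus a 20-byte TCP header (checksums zeroed).

    Only the *claimed* IHL and total length are parameterised, so the builder
    can produce headers that lie about their own size, as crafted packets do.
    """
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                      (data_off << 12) | flags, 65535, 0, 0) + payload
    if total_len is None:
        total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 1, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed samples: one normal SYN, one crafted packet, one null scan.
GOOD_SYN = build_packet()
BAD_SYN_FIN = build_packet(ihl=3, total_len=1500, flags=TCP_SYN | TCP_FIN)
NULL_SCAN = build_packet(flags=0)

if __name__ == "__main__":
    for name, pkt in (("GOOD_SYN", GOOD_SYN), ("BAD_SYN_FIN", BAD_SYN_FIN), ("NULL_SCAN", NULL_SCAN)):
        print(name, verify_ipv4_tcp(pkt) or "ok")
```

The crafted packet trips four rules at once, which is typical: tools that forge headers rarely break only one invariant. Note the defensive `max(ihl, 5)`: a sensor that used the packet's own bogus IHL to find the TCP header would be reading the wrong bytes, which is exactly the kind of parser confusion malformed packets are built to cause.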
8.Briefly describe the two general types of honeypots.
ANS:
There are two general types of honeypots:
1. Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations.
2. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.
PTS: 1 REF: 207
9.What protections does the Electronic Communications Privacy Act provide? What exceptions are allowed for under this act?
ANS:
The Electronic Communications Privacy Act prohibits recording of wire-based or cable-based communications unless an exception applies. These exceptions include:
Interception required as part of the course of normal work operations—by a systems administrator for an ISP, say, or an employee of a telephone company
If authorized by court order
If performed by one of the parties involved, or with the permission of one of the parties involved
If the transmission is readily accessible to the general public
If the transmission is radio based and designed for use by the general public, including amateur or citizen’s band radios
(Other exceptions are defined in the act.)
PTS: 1 REF: 208
10.When one of the data sources used for incident decision making is coming from individual or aggregated log files, the management of those sources becomes critical. What are some of the key activities associated with managing logs?
ANS:
Be prepared to handle the amount of data generated by logging—Some systems may produce gigabytes of data that must be stored or otherwise managed.
Rotate logs on a schedule—As indicated, some systems overwrite older log entries with newer entries to comply with the space limitations of the system. Ensure that the rotation of log entries is acceptable, rather than accepting system defaults.
Archive logs—Log systems can copy logs periodically to remote storage locations. There is a debate among security administrators as to how long log files should be maintained. Some argue that log files may be subpoenaed during legal proceedings and thus should be routinely destroyed to prevent unwanted disclosure during this process. Others argue that the information to be gained from analyzing legacy and archival logs outweighs the risk. Still others take the middle ground and aggregate the log information, then destroy the individual entries. Regardless of the method employed, some plan must be in place to handle these files or risk their loss.
Encrypt logs—If the organization does decide to archive logs, the logs should be encrypted in storage. Should the log file system be compromised, this prevents unwanted disclosure.
Dispose of logs—Once log files have outlived their usefulness, they should be routinely and securely disposed of.
PTS: 1 REF: 212-213