Intrusion Detection and Intrusion Prevention
INFA 630 -Intrusion Detection and Intrusion Prevention-Final Exam
You are to take this test during the week. Work alone. You may not confer with other class members, or anyone else, directly or by e-mail or otherwise, regarding the questions, issues, or your answers. You may use your notes, textbooks, other published materials, and Internet sources, keeping in mind your responsibility to give proper attribution to sources of material you use in your responses. Avoid using personal blogs and dotcom sites. The material on these sites generally is not peer reviewed.
The test is scored on the basis of 100 points for the test.
For the short answer section, bear in mind that a clear concise response that directly answers the question asked is always preferable to providing large volumes of potentially irrelevant information in the hope that the “right” answer will somehow be included. Too much extraneous information may cause negative impact on grade for the exam.
When composing your answers to the essay questions, be thorough. Do not simply examine one alternative if two or more alternatives exist. The more complete your answer, the higher your score will be. Be sure to identify any assumptions you are making in developing your answers, and describe how your answer would change if the assumptions were different. Use paragraph for different points
While composing your answers to the essay questions, be very careful to cite your sources with page numbers for the book. It is easy to get careless and forget to footnote a source. Remember, failure to cite sources constitutes an academic integrity violation. Use APA style for citations and references. So far I haven’t penalized for not using APA style but it may not be so for the final.
In preparing your exam for submission, please follow these instructions precisely:
1. Use this document as a template, i.e., fill in your answers in the indicated locations.
2. Modify the header to show your name.
3. Submit your completed exam as a Microsoft Word or RTF document via your LEO Assignments folder no later than 11:59 p.m. Eastern Standard Time.. Late submissions are subject to a grade penalty. But let me know if you difficulty in submitting on time.
4. Include Self Certification; failure may cause negative impact (small) on the grade.
Please submit questions regarding the exam to your instructor at [email protected] If questions submitted via email are generic, your instructor will post them in a LEO Q&A conference area, without revealing their source.
Part 1: True or False Questions. (10 questions at 1 point each) Add reason
- T F To have a Snort rule match on both inbound and outbound traffic, the rule should use the flow:to_server,from_client,established;option. Answer: _____
- T F Host-based IDS can be used to monitor compliance with corporate policies such as acceptable use of computer resources. Answer: _____
- T F An on-demand operational IDS model is not suitable if legally admissible data collection is required. Answer: _____
- T F Current criminal and civil procedure laws and rules of evidence do not provide clear guidance on digital and electronic forms of evidence such as IDS logs. Answer: _____
- T F Snort unified output plug-ins can be used to off-load computing tasks from the core Snort program to improve overall performance. Answer: _____
- T F Thresholds used in Snort alert rules can cause false negatives if the attacker works slowly enough. Answer: _____
- T F Network-based IDS provides no protection against internal threats. Answer: _____
- T F When a “pass” rule is matched in Snort, no other rules are evaluated. Answer: _____
- T F To ensure proper execution of Snort rules using the “uricontent” option the HTTP Inspect preprocessor must be installed and configured in Snort. Answer: _____
- T F There are no monitoring situations that justify real-time intrusion response. Answer: _____
Part 2: Short Answer Questions. (10 questions at 6 points each)
- False positive and False negative
- Define and differentiate false positive and false negative.
- Which is worse, and why?
- Give one example of each, drawn from any context that demonstrates your understanding of the terms.
- Snort rule
- Describe the components of the following Snort rule.
alert ip any any -> any any (msg:”BAD-TRAFFIC same SRC/DST”; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
a. What sort of attack is it intended to detect?
b. What network traffic pattern information is it looking for?
- User-centric and target-centric monitoring:
- What are the key differences between user-centric and target-centric monitoring in behavioral data forensics?
- Is one perspective preferred over the other?
- If so, what are some of the advantages of the preferred choice, or disadvantages of the non-preferred choice?
- Write a rule using Snort syntax to detect an internal user executing a Windows “tracert” command to identify the network path to an external destination. What changes, if any, would you need to make to this rule to make it also work for a Unix/Linux “traceroute”?
- As Trost noted, most network IDS tools are designed to optimize performance analyzing traffic using a variety of protocols specific to TCP/IP wired networks.
- Describe at least two intrusion detection scenarios where specialized types of monitoring and analysis are called for
- what limitations exist in conventional NIDS that make them insufficient to provide effective intrusion detection in the environments corresponding to these scenarios.
- Multi-event signature
- What is a multi-event signature?
- Provide at least two examples of multi-event signature activities or patterns that might be monitored with an intrusion detection system.
- Anomaly-based intrusion detection
- What are the operational requirements necessary to perform anomaly-based intrusion detection?
- How does the information gathered about network traffic by anomaly-based IDS tools differ from the information gathered by signature-based NIDS?
- Many people perceive intrusion detection to be a constant, all-the-time security function.
- Identify and describe at least two “part-time” intrusion detection operational models,
- and for each give an example of a usage scenario that would call for part-time monitoring.
- Are organizations legally obligated to use intrusion detection capabilities? Why or why not?
- Imagine you are tasked with monitoring network communication in an organization that uses encrypted transmission channels.
- What are the limitations of using intrusion detection systems in this environment?
- What methods would you employ to accomplish this task?
Part 3: Essay Questions. Maximum length: 2 pages each, excluding references. (Two questions at 15 points each)
- In 2003, a well-publicized report from IT analyst firm Gartner predicted that the market for stand-alone IDS tools would soon disappear, and urged Gartner clients to cease investing in IDS tools in favor of firewalls. Last week, U.S. cyber security czar Howard Schmidt publicly called for enterprise network intrusion detection, and asked, “Why haven’t we done this already?” (http://fcw.com/articles/2010/04/14/irmco-cyber-security-issues-initiatives-howard-schmidt.aspx?s=fcwdaily_150410) Clearly, the obsolescence of IDS tools by 2005 did not occur as Gartner predicted.
- What factors have been most important in the continued viability of the IDS market?
- Based on what you have learned about IDS and IPS tools, do you think these tools will continue to be used as a key security component? Why or why not?
- In early 2008, the U.S. Department of Homeland Security stated publicly that it wanted more intrusion detection capabilities, in particular citing a need to move to mandatory real-time intrusion detection for federal government networks, as an expansion of current passive, voluntary monitoring. The current manifestation of this goal is the Einstein program, which while officially in a pilot phase is likely to be expanded significantly soring in 2011. (See http://fcw.com/articles/2010/03/19/einstein-3-test-intrusion-prevention-system.aspx)
- Using what we have learned in this course and your own knowledge of IDS operational models, requirements, and other characteristics associated with selecting and using the most appropriate types of intrusion detection and prevention, what is your response to the proposal to implement comprehensive intrusion detection and prevention for all network traffic to or from U.S. government agencies?
- What are some of the key obstacles faced in rolling out an intrusion detection capability of this sort?
- Identify and describe at least three (3) challenges that DHS should consider when planning the Einstein deployment.