258. Intrusion detection systems can do which of the following?

a. Analyze all the traffic on a busy network

b. Deal with problems involving packet-level attacks

c. Recognize a known type of attack

d. Deal with high-speed asynchronous transfer mode networks

258. c. Intrusion detection systems (IDS) can recognize when a known type of attack is perpetrated on a system. However, IDS cannot do the following: (i) analyze all the traffic on a busy network, (ii) compensate for receiving faulty information from system sources, (iii) always deal with problems involving packet-level attacks (e.g., an intruder using fabricated packets that elude detection to launch an attack or multiple packets to jam the IDS itself), and (iv) deal with high-speed asynchronous transfer mode networks that use packet fragmentation to optimize bandwidth.

259. What is the most risky part of the primary nature of access control?

a. Configured or misconfigured

b. Enabled or disabled

c. Privileged or unprivileged

d. Encrypted or decrypted

259. b. Access control software can be enabled or disabled, meaning the security function can be turned on or off. When it is disabled, the logging function does not work. The other three choices are somewhat risky, but not as much as enabled or disabled.

260. Intrusion detection refers to the process of identifying attempts to penetrate a computer system and gain unauthorized access. Which of the following assists in intrusion detection?

a. Audit records

b. Access control lists

c. Security clearances

d. Host-based authentication

260. a. If audit trails have been designed and implemented to record appropriate information, they can assist in intrusion detection. Usually, audit records contain pertinent data (e.g., date, time, status of an action, user IDs, and event ID), which can help in intrusion detection.

Access control lists refer to a register of users who have been given permission to use a particular system resource and the types of access they have been permitted. Security clearances are associated with a subject (e.g., person and program) to access an object (e.g., files, libraries, directories, and devices). Host-based authentication grants access based upon the identity of the host originating the request, instead of the identity of the user making the request. The other three choices have no facilities to record access activity and therefore cannot assist in intrusion detection.

261. Which of the following is the technique used in anomaly detection in intrusion detection systems where user and system behaviors are expressed in terms of counts?

a. Parametric statistics

b. Threshold detection measures

c. Rule-based measures

d. Nonparametric statistics

261. b. Anomaly detectors identify abnormal, unusual behavior (anomalies) on a host or network. In threshold detection measures, certain attributes of user and system behavior are expressed in terms of counts, with some level established as permissible. Such behavior attributes can include the number of files accessed by a user in a given period of time.

Statistical measures include parametric and nonparametric measures. In parametric measures, the distribution of the profiled attributes is assumed to fit a particular pattern. In nonparametric measures, the distribution of the profiled attributes is “learned” from a set of historical data values observed over time.

Rule-based measures are similar to nonparametric statistical measures in that observed data defines acceptable usage patterns, but they differ in that those patterns are specified as rules, not numeric quantities.

262. Which of the following is best to replace the use of personal identification numbers (PINs) in the world of automated teller machines (ATMs)?

a. Iris-detection technology

b. Voice technology

c. Hand technology

d. Fingerprint technology

262. a. An ATM customer can stand within three feet of a camera that automatically locates and scans the iris of the eye. The scanned bar code is then compared against the code previously stored in the bank’s file. Iris-detection technology is far superior in accuracy to voice, face, hand, and fingerprint identification systems. Iris technology does not require a PIN.

263. Which of the following is true about biometrics?

a. Least expensive and least secure

b. Most expensive and least secure

c. Most expensive and most secure

d. Least expensive and most secure

263. c. Biometrics tends to be the most expensive and most secure. In general, passwords are the least expensive authentication technique and generally the least secure. Memory tokens are less expensive than smart tokens but have less functionality. Smart tokens with a human interface do not require reading equipment and are more convenient to use.

264. Which of the following is preferable for environments at high risk of identity spoofing?

a. Digital signature

b. One-time passwords

c. Digital certificate

d. Mutual authentication

264. d. If a one-way method is used to authenticate the initiator (typically a road warrior) to the responder (typically an IPsec gateway), a digital signature is used to authenticate the responder to the initiator. One-way authentication, such as one-time passwords or digital certificates on tokens, is well suited for road warrior usage, whereas mutual authentication is preferable for environments at high risk of identity spoofing, such as wireless networks.

265. Which of the following is not a substitute for logging out of the information system?

a. Previous logon notification

b. Concurrent session control

c. Session lock

d. Session termination

265. c. Both users and the system can initiate session lock mechanisms. However, a session lock is not a substitute for logging out of the information system, because logging out is done at the end of the workday. Previous logon notification occurs at the time of login. Concurrent session control deals with either allowing or not allowing multiple sessions at the same time. Session termination can occur when there is a disconnection of the telecommunications link or other network operational problems.

266. Which of the following violates a user’s privacy?

a. Freeware

b. Firmware

c. Spyware

d. Crippleware

266. c. Spyware is malicious software (i.e., malware) intended to violate a user’s privacy: it invades many computer systems to monitor personal activities and to conduct financial fraud.