Chapter 7 Principles of Information Security 1-14


Date Submitted: 10/22/2015 10:05 PM


Principles of Information Security, 4th Edition

Chapter 7

Review Questions

1. What common security system is an IDPS most like? In what ways are these systems similar?

IDPSs are much like burglar alarms. They both will monitor an area for actions that may represent a threat and sound an alarm when those actions are detected.

2. How does a false positive alarm differ from a false negative one? From a security perspective, which is least desirable?

A false positive looks like an alert but is in fact routine activity. A false negative looks like normal activity but is in fact an alert-level action. From a security viewpoint, false positives are merely a nuisance, whereas false negatives are a failure of the system's mission.

3. How does a network-based IDPS differ from a host-based IDPS?

A network-based IDPS monitors network traffic on a specified network segment. A host-based IDPS monitors a single host system for changes.

4. How does a signature-based IDPS differ from a behavior-based IDPS?

A signature-based system looks for patterns of activity that match a library of known attack patterns (signatures). A behavior-based system watches for activity that suggests an alert-level event is occurring, based on sequences of actions or the timing between otherwise unrelated events.
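As an added example (not from the textbook or from this essay), the Python below sketches the distinction from questions 2 and 4. The signature-based detector matches each event against a hypothetical signature library; the behavior-based detector ignores the content of individual events and alerts only on the timing of repeated failed logins from one source. The log lines, IP addresses, signature names and patterns are all constructed for the illustration.

```python
import re
from collections import deque, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from the page). Format per line:
# "<ISO timestamp> <source IP> <event> <detail>"
SAMPLE_LOG = """\
2015-10-22T22:00:01 10.0.0.5 GET /index.html
2015-10-22T22:00:03 10.0.0.5 GET /login
2015-10-22T22:00:10 10.0.0.9 GET /search?q=%27%20OR%201%3D1--
2015-10-22T22:01:00 10.0.0.7 AUTH_FAIL user=alice
2015-10-22T22:01:05 10.0.0.7 AUTH_FAIL user=alice
2015-10-22T22:01:09 10.0.0.7 AUTH_FAIL user=alice
2015-10-22T22:01:12 10.0.0.7 AUTH_FAIL user=alice
2015-10-22T22:01:20 10.0.0.7 AUTH_FAIL user=alice
2015-10-22T22:05:00 10.0.0.5 AUTH_FAIL user=bob
2015-10-22T22:30:00 10.0.0.5 AUTH_FAIL user=bob
"""

# Hypothetical signature library: a name plus a pattern describing one
# known-bad request shape. A real IDPS ships thousands of these.
SIGNATURES = {
    "sqli-tautology": re.compile(r"(?:%27|')\s*(?:%20|\s)*or(?:%20|\s)+1(?:%3d|=)1", re.I),
    "path-traversal": re.compile(r"(?:\.\./|%2e%2e%2f)", re.I),
}


def parse_log(text):
    """Turn raw lines into event dicts with a real datetime for timing checks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, *rest = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "src": src,
            "kind": kind,
            "detail": " ".join(rest),
            "raw": line,
        })
    return events


def signature_alerts(events, signatures=SIGNATURES):
    """Signature-based: an alert is raised only when one event matches a known pattern."""
    alerts = []
    for ev in events:
        for name, pattern in signatures.items():
            if pattern.search(ev["detail"]):
                alerts.append((name, ev["src"], ev["raw"]))
    return alerts


def behavior_alerts(events, threshold=5, window=timedelta(seconds=60)):
    """Behavior-based: no single event is suspicious; the alert comes from the
    timing of otherwise ordinary events (threshold failed logins from one
    source inside a sliding time window)."""
    recent = defaultdict(deque)   # src -> timestamps of recent AUTH_FAIL events
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["kind"] != "AUTH_FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev["time"])
        # Drop failures older than the window so timing, not lifetime count, decides.
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], len(q), ev["time"]))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in signature_alerts(evs):
        print("SIGNATURE", a)
    for a in behavior_alerts(evs):
        print("BEHAVIOR ", a)
```

Run on the sample, the signature detector flags only the injection-shaped request from 10.0.0.9, and the behavior detector flags only 10.0.0.7, whose five failures fall within twenty seconds; 10.0.0.5's two failures, twenty-five minutes apart, produce no alert because the rule keys on timing. Neither detector sees the other's case, which is why the two approaches are usually deployed together. The trade-off from question 2 lives in the tuning: a looser signature or a lower threshold raises false positives, a tighter one raises false negatives.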

5. What is a monitoring (or SPAN) port? What is it used for?

A switched-port analysis (SPAN) port is a data port on a switched device that replicates all designated traffic from the switch so that the traffic can be captured, stored, or analyzed for IDPS or other purposes.

6. List and describe the three control strategies proposed for IDPS control.

The three commonly utilized control strategies are centralized, partially distributed, and fully distributed. With a centralized IDPS control strategy, all IDPS control functions are implemented and managed in a central location. A fully distributed IDPS control strategy is the opposite of the centralized strategy. Each monitoring site...