Principles of Information Security 6th Edition Whitman Solutions Manual
Chapter 7, Principles of Information Security, Sixth Edition

Chapter 7 Answers to Review Questions and Exercises


Review Questions
1. What common security system is an IDPS most like? In what ways are these
systems similar?
IDPSs are much like burglar alarms. Both monitor an area for actions that may
represent a threat and sound an alarm when such actions are detected.
2. How does a false positive alarm differ from a false negative alarm? From a
security perspective, which is less desirable?
A false positive is an alert or alarm that occurs as a false reaction to routine
activity. A false negative is the failure of a security device to react to an actual
attack event. From a security viewpoint, false positives are just a nuisance, but
false negatives are a failure of the system.
3. How does a network-based IDPS differ from a host-based IDPS?
A network-based IDPS monitors network traffic on a specified network segment.
A host-based IDPS monitors a single host system for changes.
4. How does a signature-based IDPS differ from a behavior-based IDPS?
A signature-based system looks for patterns of behavior that match a library of
known behaviors. A behavior-based system watches for activities that suggest an
alert-level activity is occurring, based on sequences of actions or the timing
between otherwise unrelated events.
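The contrast between signature-based and behavior-based detection in question 4, and the false positive / false negative distinction in question 2, as an added worked example (not code from the textbook or its solutions manual). The log events, the two-pattern signature library and the failed-login threshold are all constructed for illustration; the `is_attack` flag is ground truth used only to score each detector.

```python
import re
from collections import deque

# Constructed sample events: (seconds, source_ip, message, is_attack).
# is_attack is ground truth for scoring; the detectors never read it.
EVENTS = [
    (0, "10.0.0.5", "GET /index.html", False),
    (1, "10.0.0.9", "GET /cgi-bin/view.cgi?f=../../etc/passwd", True),   # matches library
    (2, "10.0.0.7", "Failed password for alice", False),
    (4, "10.0.0.7", "Failed password for alice", False),
    (6, "10.0.0.7", "Accepted password for alice", False),                # user who mistyped
    (7, "10.0.0.5", "GET /help/etc/passwd-reset.html", False),           # benign, looks bad
    (8, "10.0.0.9", "GET /cgi-bin/view.cgi?f=%2e%2e%2f%2e%2e%2fetc%2fpasswd", True),  # not in library
] + [(10 + i, "10.0.0.66", "Failed password for root", True) for i in range(6)]  # burst

SIGNATURES = {                         # library of known-bad patterns (constructed)
    "path-traversal": re.compile(r"\.\./"),
    "passwd-access": re.compile(r"/etc/passwd"),
}
FAIL_RE = re.compile(r"Failed password")
WINDOW, THRESHOLD = 10, 5              # behavior rule: >= 5 failures from one source in 10 s

def signature_detect(events):
    """Signature-based: flag every event whose message matches a known pattern."""
    return {i for i, (_, _, msg, _) in enumerate(events)
            if any(p.search(msg) for p in SIGNATURES.values())}

def behavior_detect(events):
    """Behavior-based: flag a burst of failed logins from one source, whatever the content."""
    flagged, recent = set(), {}
    for i, (t, src, msg, _) in enumerate(events):
        if not FAIL_RE.search(msg):
            continue
        q = recent.setdefault(src, deque())
        q.append((t, i))
        while q and t - q[0][0] > WINDOW:   # keep only failures inside the time window
            q.popleft()
        if len(q) >= THRESHOLD:
            flagged.update(idx for _, idx in q)
    return flagged

def hybrid_detect(events):
    """A hybrid IDPS raises an alert if either method fires."""
    return signature_detect(events) | behavior_detect(events)

def score(events, flagged):
    """False positives are nuisance alerts; false negatives are attacks the system missed."""
    attacks = {i for i, e in enumerate(events) if e[3]}
    return {"true_positive": len(flagged & attacks),
            "false_positive": len(flagged - attacks),
            "false_negative": len(attacks - flagged)}
```

Running the three detectors shows the trade-off: the signature library alone misses the login burst and the variant it has no pattern for, while the behavior rule ignores the single-request attacks and the benign help page.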
5. What is a monitoring (or SPAN) port? What is it used for?
A switched-port analysis port is a data port on a switched device that replicates all
designated traffic from the device so that the traffic can be captured, stored, or
analyzed by an IDPS or for other purposes.
6. List and describe the three control strategies proposed for IDPSs.
The three common control strategies are centralized, partially distributed, and fully
distributed. With a centralized IDPS control strategy, all IDPS control functions
are implemented and managed in a central location. A fully distributed IDPS
control strategy is the opposite of the centralized strategy. Each monitoring site
uses its own paired sensors to perform its own controls and achieve the necessary
detection, reaction, and response functions. Thus, each sensor/agent is best
configured to deal with its own environment. In a partially distributed IDPS
control strategy, the better parts of the other two strategies are combined. While
individual agents can still analyze and respond to local threats, their reporting to a
hierarchical central facility enables the organization to detect widespread attacks.
This blended approach to reporting is one of the more effective methods of
detecting intelligent attackers, especially those who probe an organization through
multiple points of entry, searching the systems’ configurations and weaknesses
before launching a concerted attack.
7. What is a honeypot? How is it different from a honeynet?
Honeypots are decoy systems designed to deceive potential attackers by luring
them away from critical systems and encouraging attacks against themselves. In
the industry, honeypots are also known as decoys, lures, and flytraps. When a
collection of honeypot systems is connected on a subnet, it may be called a
honeynet.
8. How does a padded cell system differ from a honeypot?
A padded cell is a honeypot that has been protected and cannot be easily
compromised. In other words, a padded cell is a hardened honeypot. In addition to
attracting attackers with tempting data, a padded cell operates in tandem with a
traditional IDPS. When the IDPS detects attackers, it seamlessly transfers them to
a special simulated environment where they can cause no harm—hence the name
padded cell.
9. What is network footprinting?
Footprinting is organized research of the Internet addresses owned or controlled
by a target organization. The attacker uses public Internet data sources to perform
keyword searches that identify the network addresses of the organization. This
research is augmented by browsing the organization’s Web pages. Web pages
usually contain information about internal systems, the people who develop the
Web pages, and other tidbits that can be used for social engineering attacks.
10. What is network fingerprinting?
The second phase of most attack protocols is a data-gathering process called
fingerprinting. This is a systematic survey of all of the target organization’s
Internet addresses to ascertain the network services offered by the hosts in that
range.
11. How are network footprinting and network fingerprinting related?
The fingerprinting phase uses the TCP/IP address ranges that were collected
during the footprinting phase.
12. Why do many organizations ban port scanning activities on their internal
networks?
There are few legitimate business reasons for port scanning; also, it is a high-
impact and highly intensive use of network resources.
13. Why would ISPs ban outbound port scanning by their customers?
Port scanning is most often used by attackers as a prelude to a concerted attack.
ISPs do not want to be liable for the actions of attackers who may use their
network resources.
14. What is an open port? Why is it important to limit the number of open ports to
those that are absolutely essential?
An open port is a TCP or UDP service port that accepts traffic and responds with
services at that port address. Ports that are not required are often poorly
configured and subject to misuse. Only essential services should be offered on
secure networks.
15. What is a system’s attack surface? Why should it be minimized when possible?
The attack surface represents all functions and features that a system makes
available to unauthenticated users. To minimize the risk of loss from unintended
use or unforeseen vulnerabilities, all functions and features that are not required
for business purposes should be disabled and uninstalled.
16. What is a vulnerability scanner? How is it used to improve security?
A vulnerability scanner is a software program or network appliance that scans a
range of network addresses and port numbers for open services. When a service
port is found, the scanner attempts to identify the service being offered and
evaluates its security, perhaps by compromising the service. When an improperly
configured or weak service port is found, it can be removed or repaired to reduce
risk.
17. What is the difference between active and passive vulnerability scanners?
An active scanner initiates network traffic to find and evaluate service ports. A
passive scanner uses traffic from the target network segment to evaluate the
service ports available from hosts on that segment.
18. What is Metasploit Framework? Why is it considered riskier to use than other
vulnerability scanning tools?
Metasploit Framework is one of a class of scanners that exploit a remote machine
and allow a vulnerability analyst to create an account, modify a Web page, or
view data. These tools can be very dangerous and should be used only when
absolutely necessary.
19. What kind of data and information can be found using a packet sniffer?
A packet sniffer can find all visible traffic on the network connection where the
sniffer is installed. If the data in such packets is not encrypted, all their contents
are also viewable.
20. What capabilities should a wireless security toolkit include?
A wireless security toolkit should include the ability to sniff wireless traffic, scan
wireless hosts, and assess the level of privacy or confidentiality afforded on the
wireless network.

Exercises
1. A key feature of hybrid IDPS systems is event correlation. After researching
event correlation online, define the following terms as they are used in this
process: compression, suppression, and generalization.
Compression is the degree to which redundant or inconsequential data can be
removed to compress the resulting dataset. Suppression is the ability of a
correlation engine to suppress false positive triggers from raising an unwarranted
alarm. Generalization is the ability to extrapolate a known exploit signature into a
general-purpose alert.
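The three event-correlation steps defined above, carried through on constructed data as an added example (not code from the textbook or its solutions manual). The raw alerts, the signature identifiers of the form `SIG-nnnn`, the suppression list entry for the monitoring host's own ping sweeps, and the signature-to-category map are all assumptions made for illustration.

```python
from collections import Counter

# Constructed raw IDPS alerts: (source_ip, signature_id, message). Identifiers are placeholders.
RAW_ALERTS = [
    ("10.0.0.9", "SIG-2001", "WEB-ATTACKS /etc/passwd access"),
    ("10.0.0.9", "SIG-2001", "WEB-ATTACKS /etc/passwd access"),
    ("10.0.0.9", "SIG-2001", "WEB-ATTACKS /etc/passwd access"),
    ("10.0.0.9", "SIG-2002", "WEB-ATTACKS ../ directory traversal"),
    ("10.0.0.3", "SIG-3100", "ICMP ping sweep"),   # assumed: 10.0.0.3 is the monitoring host
    ("10.0.0.3", "SIG-3100", "ICMP ping sweep"),
    ("10.0.0.66", "SIG-4010", "SSH brute force attempt"),
]

# Suppression list: (source, signature) pairs known to be false-positive triggers (constructed).
SUPPRESS = {("10.0.0.3", "SIG-3100")}

# Generalization map: exploit-specific signature -> general-purpose alert category (constructed).
GENERALIZE = {
    "SIG-2001": "web-reconnaissance",
    "SIG-2002": "web-reconnaissance",
    "SIG-3100": "network-scan",
    "SIG-4010": "credential-attack",
}

def suppress(alerts):
    """Suppression: drop alerts that match a known benign trigger before they raise an alarm."""
    return [a for a in alerts if (a[0], a[1]) not in SUPPRESS]

def compress(alerts):
    """Compression: collapse identical alerts into one record carrying a repeat count."""
    return [(src, sig, msg, n) for (src, sig, msg), n in Counter(alerts).items()]

def generalize(compressed):
    """Generalization: report one general-purpose alert per source and category, summing counts."""
    totals = {}
    for src, sig, _msg, n in compressed:
        key = (src, GENERALIZE.get(sig, "unclassified"))
        totals[key] = totals.get(key, 0) + n
    return sorted((src, cat, n) for (src, cat), n in totals.items())

def correlate(alerts):
    """Full pipeline: seven raw alerts become two general-purpose alerts."""
    return generalize(compress(suppress(alerts)))
```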
2. ZoneAlarm is a PC-based firewall and IDPS tool. Visit the product manufacturer
at www.zonelabs.com and find the product specification for the IDPS features of
ZoneAlarm. Which ZoneAlarm products offer these features?
ZoneAlarm Pro and ZoneAlarm Security Suite include IDPS features, as of
December 2004.
3. Using the Internet, search for commercial IDPS systems. What classification
systems and descriptions are used, and how can they be used to compare the
features and components of each IDPS? Create a comparison spreadsheet to
identify the classification systems you find.
Answers will vary for each student.
4. Use the Internet to search for “live DVD security toolkit.” Read a few Web sites
to learn about this class of tools and their capabilities. Write a brief description of
a live DVD security toolkit.
Answers will vary for each student, but each answer should refer to the bootable
nature of the toolset, contain a list of popular open-source tools, and mention that
the tools provide significant capabilities to an experienced analyst.
5. Several online passphrase generators are available. Locate at least two on the
Internet and try them. What did you observe?
Answers will vary for each student.
