Take Assessment - Module 1 Exam - Network Security 2 (Version 2.

0)

1.- Which term describes signatures based on multiple packets?

amoebic signatures
complex signatures
ok compound signatures
session signatures
atomic signatures

2.- A network administrator wishes to deploy an intrusion detection application that will not depend
upon vendor-provided information to identify the latest type of network attacks. Which type of
intrusion detection system should be implemented?
a policy-based system
an identity-based system
ok an anomaly-based system
a signature-based system

3.- Which Cisco product is a standalone appliance that protects multiple network subnets and offers
embedded web-based management?
Cisco IDS Network Module
Cisco IDSM-2
ok Cisco IPS 4240
Cisco IOS IDS

4.- A network administrator reviewed the IDS log after receiving an alarm and noticed a number of
port sweeps from an unknown external device. What type of IDS signature would have triggered
that alarm?
virus
ok info
inspection
attack

5.- A Cisco PIX Security Appliance configured for signature-based intrusion detection identifies a
series of five suspicious packets and sends an alarm to a syslog server. Which signature
classification triggered the alarm?
ok compound
atomic
multivector
multipacket

6.- Which two statements are true concerning IDS services? (Choose two.)
An IDS should replace a packet-filtering firewall if latency is not a concern.
An IDS should be used with a stateful firewall so that packet session inspection is only
performed once.
ok An IDS enhances the security services of a firewall by taking action on packets that violate
the security policy.
ok An IDS may track the session qualities of a communication channel independent of a
firewall's session tracking.

7.- Which first-generation technology sends log entries after damage from a network attack has
occurred?
ok HIDS
HIPS
NIDS
IDSM
IDSP
8.- Which type of alarm is generated by an intrusion detection system, based on normal network
activity?
true positive
true negative
ok false positive
false negative

9.- A situation in which a specific attack does not generate the appropriate alarm usually represents
a software bug. What should be done before the apparent bug is reported to the software vendor?
ok Make sure that the false negative was not generated because the intrusion detection
system is saturated with traffic and dropping packets.
Simulate the specific attack against the network repeatedly to verify the situation was not a
one-time anomaly.
Install the latest service packs and patches from Microsoft and test to see if the problem is
corrected.
Scan the latest CERT advisories and other web resources to see if a similar problem has
been reported.

10.- Which two actions are recommended to be used together by IPS to terminate attacks? (Choose
two.)
alarm
block
ok drop
flood
log
ok reset