
1. What is the purpose of an intrusion detection system (IDS)?

A. To prevent unauthorized access to network resources
B. To prevent users from accessing network resources
C. To detect intrusions on the network
D. To detect security flaws

2. What are the three phases of an attack?

A. Reconnaissance, Attack, DoS
B. DoS, Objective, Attack
C. Attack, Reconnaissance, DoS
D. Objective, Reconnaissance, Attack

3. What are the three types of attacks?

A. Attack, Reconnaissance, data manipulation
B. DoS, Reconnaissance, Access
C. Objective, Reconnaissance, Access
D. Objective, Reconnaissance, Attack

4. What is the difference between host-based and network-based intrusion detection?

A. Host-based systems detect attacks on the hosts and network-based systems don't
B. Network-based systems detect attacks against the IDS and host-based systems only detect attacks against the host
C. Host-based IDSs only determine if an attack was successful
D. Network-based IDSs rely on the use of network probes, while host-based systems rely on software installed on each host

5. What are the four types of security threats?

A. Internal, external, secured, nonsecured
B. External, Structured-internal, Unstructured-external, Internal
C. Internal, Structured, Unstructured, External
D. Internal-structured, External-structured, Internal-structured, Internal-unstructured

6. What is a false negative?

A. Results when an attack or an intrusion goes undetected
B. An alert sent to an incorrect management station
C. Results when the IDS system reports an alarm, although an actual intrusion doesn't occur on the network
D. There is no such thing as a false negative

7. What type of triggering mechanism is most likely to create a false negative?

A. Anomaly detection
B. Misuse detection
C. Profile based
D. Network based

8. What is a false positive?

A. A false positive results when an attack or intrusion causes an alarm to be generated
B. A false positive is an alert sent to an incorrect management station
C. A false positive results when the IDS system reports an alarm, although no actual intrusion occurs on the network
D. There is no such thing as a false positive

9. What type of triggering mechanism is most likely to create a false positive?

A. Anomaly detection
B. Misuse detection
C. Network based
D. Host based

10. Which of the following is a limitation to host-based intrusion detection?

A. Unable to detect attacks launched from the system console
B. Unable to detect attacks launched against the host from the network
C. Unable to detect attacks against the host from multiple locations
D. Unable to detect reconnaissance attacks

11. Which of the following is a benefit of host-based intrusion detection?

A. Easier to manage
B. Can detect if an attack is successful
C. Detect more intrusions
D. Administrators have a higher degree of confidence in host-based IDSs

12. Which of the following is a limitation of network-based intrusion detection?

A. Can only detect attacks performed over the network
B. Can only detect attacks against the network infrastructure
C. Can't detect new attack methods
D. Easy to manipulate

13. Which of the following is a benefit of network-based intrusion detection?

A. Can determine if an attack was successful
B. Have a lower occurrence of false positives
C. Have a higher occurrence of false negatives
D. Have a complete view of network traffic

14. What are the two types of triggering mechanisms used by an IDS?

A. Network based and host based
B. Misuse and anomaly detection
C. Signature and misuse detection
D. Anomaly and profile-based detection

15. What is the difference between anomaly detection and misuse detection?

A. Anomaly detection uses profiles, while misuse detection uses signatures
B. Misuse detection uses profiles, while anomaly uses signatures
C. Anomaly detection uses network-based, while misuse detection uses host based
D. No difference exists between misuse detection and anomaly detection

16. In the context of an IDS, what is an anomaly?

A. A normal traffic pattern
B. Any computer activity that matches a user profile
C. Any traffic or activity that isn't normal
D. Any traffic pattern or activity that matches a signature in the signature database

17. What is a signature and what is it used for?

A. A definition of intrusive activity and is used to build user profiles
B. A definition of intrusive activity and is used to detect intrusions
C. A definition of normal activity and is used to distinguish normal activity from intrusive activity
D. A set of rules describing intrusive activity and is used to build rule-based profiles

18. What are the three ways to build user profiles?

A. Signatures, neural networks, rule based
B. Rule based, neural networks, statistical sampling
C. Host statistical sampling, network statistical sampling, neural networks
D. Signatures, statistical sampling, neural networks

19. Which of the following is a benefit of misuse detection?

A. Lower occurrence of false negatives
B. Easier to install and understand
C. Can detect new attack methods
D. Can be used for both network based and host based

20. Which of the following is a benefit of anomaly detection?

A. Easier to understand
B. Easier to configure
C. Can be used to prevent intrusions
D. Can be used to detect new attack methods

21. What is a major drawback to misuse detection?

A. Unable to detect new attack methods
B. Hard to understand and configure
C. Results in too many false positives
D. Can only be used with host-based IDSs

22. What is a major drawback to anomaly detection?

A. Results in a high number of false negatives
B. Hackers are aware of what activity will generate an alert
C. Relies on a defined profile defining normal activity
D. Has no major drawbacks



1. To detect intrusions on the network
2. Objective, Reconnaissance, Attack
3. B DoS, Reconnaissance, Access
4. Network-based IDSs rely on the use of network probes, while host-based systems rely on software installed on each host
5. Internal, Structured, Unstructured, External
6. A false negative results when an attack or intrusion goes undetected
7. Misuse detection
8. A false positive results when the IDS system reports an alarm, although no actual intrusion occurs on the network
9. Anomaly detection
10. Unable to detect reconnaissance attacks
11. Host-based systems can detect if an attack is successful
12. Network-based intrusion detection can only detect attacks performed over the network
13. A network-based IDS has a complete view of network traffic
14. Misuse and anomaly detection
15. Anomaly detection uses profiles, while misuse detection uses signatures
16. An anomaly is any traffic or activity that isn't normal
17. A signature is a definition of intrusive activity and is used to detect intrusions
18. Rule-based, neural networks, statistical sampling
19. Easier to install and understand
20. Anomaly detection can be used to detect new attack methods
21. Misuse detection is unable to detect new attack methods
22. Anomaly detection relies on a defined profile defining normal activity

1.
a. Magnetic stripe
b. Wiegand swipe readers
c. Proximity
d. Bar code

2.
a. Cat 5e UTP
b. Cat 3 UTP
c. RG-6
d. 18-gauge five-conductor with an overall shield

3.
a. 37 bits
b. 32 bits
c. 26 bits
d. all of the above

4.
a. an identification number that's included in each access credential
b. the access controller panel's MAC address
c. the client's access software activation code
d. the installer's account number

5.
a. True
b. False

6.
a. palm prints
b. fingerprints
c. human irises
d. human pulse rates

7.
a. True
b. False

8.
a. fail-secure
b. fail-safe

9.
a. the number of credentials to be issued.
b. the number of doors to be secured.
c. life safety and  approval.
d. how fast credentials can be read and access allowed.

10.
a. self-contained batteries.
b. separate power supplies.
c. 3
d. power from the access controller panel.

11.
a. 50
b. 100
c. 200
d. 500

12.
a. Ethernet
b. Internet
c. RS-485
d. telephone modem

13.
a. True
b. False

14.
a. also can be connected to intrusion alarm systems.
b. provide door close/open status to the access control system.
c. can be contained in hinges.
d. can be surface mount or concealed.

15.
a. Mid-sized systems.
b. Enterprise-level systems.

16.
a. True
b. False

17.
a. True
b. False

18.
a. 1.5 amps @ 24 VDC
b. 2 amps @ 24 VDC
c. 300 milliamps @ 24 VDC
d. 150 milliamps @ 24 VDC

19.
a. cheating the system
b. papoosing
c. tailgating
d. a "spare tire"

20.
a. True
b. False

Check your answers below.


The door illustrated at this facility is used for both entering and leaving the building. The door has a push bar to exit. What devices are missing from this installation?

Answer below.

When some authorized users walk past this door from the inside, they hear the door strike release. What's causing this?

Answer below.

1. c
2. d - In most cases six-conductor OAS (over all shielded) is installed, as cable manufacturers don't regularly manufacture equivalent five-conductor. It's important to properly connect the reader cable's shielding to ground.
3. d - Card populations can be purchased with different bit formats.
4. a - The site code (also called a facility code) is like the prefix of a telephone number and is included in the data string of each credential issued for a particular system.
5. False
6. d - Human pulse rate. Biometric readers can be purchased that can read all of the other listed inputs.
7. False - Credential readers are usually connected to an access controller panel.
8. b - Fail-safe.
9. c - Life safety and  approval.
10. b - Separate power supplies.
11. c - 200.
12. a, b, c, and d - The communications capability of particular access controller panels can be one or multiple methods.
13. False - Keypads are slower than cards or "hard" credentials, as the user must remember his or her number and punch it in.
14. a - Door position switches should not be connected to both the access control system and the intrusion alarm system, unless the switch selected is DPDT (double pole, double throw) which provides electrically separate connections to the respective systems.
15. b
16. True - Some magnetic locks and strikes have electric spike protection built in (this is sometimes called diode protected). If the door release isn't internally protected, a bridge rectifier circuit should be connected.
17. True
18. d - Door-release devices operating at 12 VDC typically have a higher current requirement than those that operate at 24 VDC do.
19. c.
20. False - The correct term is "mantrap."
