Re: [CCCure CISSP] CISSPstudy Digest, Vol 60, Issue 57


Re: [CCCure CISSP] CISSPstudy Digest, Vol 60, Issue 57

Maynard, David C - GMRT-EST
What book are you looking at?

Answer is A.


AIO 6th Edition. Access Control Monitoring

From the book
If the threshold is set too low, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, some malicious activities won't be identified (false negatives).



Regards,
David Maynard - MCSE, CCNA, CCNA Security, Security+, A+


-----Original Message-----
From: CISSPstudy [mailto:[hidden email]] On Behalf Of [hidden email]
Sent: Monday, June 24, 2013 11:00 AM
To: [hidden email]
Subject: CISSPstudy Digest, Vol 60, Issue 57

Send CISSPstudy mailing list submissions to
        [hidden email]

To subscribe or unsubscribe via the World Wide Web, visit
        http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
or, via email, send a message with subject or body 'help' to
        [hidden email]

You can reach the person managing the list at
        [hidden email]

When replying, please edit your Subject line so it is more specific than "Re: Contents of CISSPstudy digest..."


Today's Topics:

   1. Doubt relating to IDS threshold (Amlan Deb)


----------------------------------------------------------------------

Message: 1
Date: Mon, 24 Jun 2013 03:18:32 -0700 (PDT)
From: Amlan Deb <[hidden email]>
To: [hidden email]
Subject: [CCCure CISSP] Doubt relating to IDS threshold
Message-ID:
        <[hidden email]>
Content-Type: text/plain; charset="utf-8"

Hello everyone,

Here's a doubt I had in a question in Shon Harris AIO regarding IDS threshold.

George is responsible for setting and tuning the thresholds for his company's behavior-based IDS. Which of the following outlines the possibilities of not doing this activity properly?

A. If the threshold is set too low, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not identified (false negatives).

B. If the threshold is set too low, nonintrusive activities are considered attacks (false negatives). If the threshold is set too high, then malicious activities are not identified (false positives).

C. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too low, then malicious activities are not identified (false negatives).

D. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not identified (false negatives).


As per the book, option 'C' is the correct answer.

Isn't option 'A' the right answer: the lower we decide to keep the threshold of 'normal' activity - the more alerts we'll get and the higher the threshold of 'normal' activity - the more malicious attacks will go unidentified?
Thanks,
Amlan

------------------------------

Subject: Digest Footer

_______________________________________________
You can search through the mailing list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org


------------------------------

End of CISSPstudy Digest, Vol 60, Issue 57
******************************************


_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org

Re: [CCCure CISSP] CISSPstudy Digest, Vol 60, Issue 57

Zeolla@GMail.com
It depends on what "low" and "high" means, and what sort of metric you're setting a threshold on.  In this scenario, I'm leaning towards the answer of 'A' as well... I'd love to hear any opposing arguments.  

Here is my thought process:

Thinking about behavior-based IDSs and how they work, if a threshold being too high means that it is looking at a deviation of 5 (but it should be 3), and too low is a deviation of 1, then 'A' should be the right answer.  Setting the threshold to a deviation of 5 means that traffic with a deviation of 3-4.99 (which should be malicious but is being miscategorized) is not being detected, therefore a false negative.  Conversely, if the threshold is too low (1) and should be 3, then traffic which is 'good' (1-2.99) is being categorized as malicious, and therefore a false positive.  


- Jon Zeolla
[hidden email]



Re: [CCCure CISSP] CISSPstudy Digest, Vol 60, Issue 57

Amlan Deb
Hi Jon / David,

Yes, I was looking at it the same way, on a scale of 1 to 10, 1 being the most harmless traffic and 10 being the most harmful traffic and 5 being considered as normal traffic. So if we set our threshold as 2 (too low) we would get false alerts for normal traffic between 3 and 5, and if we set our threshold as 8 (too high) we would not get any alerts for not normal traffic between 6 and 8.

David - Yes, I found this question in Shon Harris AIO 6th Edition as well (Qs. 21 of Access Control). But the book mentions the below as the explanation of the answer on pg 293 (opposite of what you mentioned). Could you let me know the page number where you came across the line which you mentioned?

21. C. If the threshold is set too high, nonintrusive activities are considered
attacks (false positives). If the threshold is set too low, then malicious
activities are not identified (false negatives).

I put this question on the forum of the website as well and James explained that option C is correct because we should consider high threshold = high sensitivity, which will generate more false alarms. That makes sense as well, but the word "threshold" immediately makes me think of the 1 to 10 scale and instinctively lean towards option A as the answer.

Thanks,
Amlan



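The two readings argued in this thread (Jon's, where the threshold is the deviation at which the IDS alerts, and James's as relayed by Amlan, where the threshold is a sensitivity level) disagree only about what the number controls. The script below is an added example, not code from the thread, from CCCure or from the AIO book: it runs both readings over one constructed set of events with known ground truth and counts false positives and false negatives for a low, a correct and a high setting, so the mapping from "too low"/"too high" to each error type is visible for each reading side by side. The event names, the deviation values, the cut-off of 3 and the 10-point sensitivity scale (max_deviation) are all assumptions.

```python
"""Behavior-based IDS threshold tuning: two readings of "threshold".

Added example, not from the mailing-list thread or from Shon Harris's AIO.
All events, deviations and scales below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    deviation: float  # distance of observed behaviour from the learned baseline
    malicious: bool   # ground truth, known only because the sample is constructed


# Constructed sample: deviations below 3 are benign, 3 and above are attacks,
# i.e. the "should be 3" cut-off from Jon's message (assumption).
EVENTS = [
    Event("nightly backup, larger than usual", 1.5, False),
    Event("month-end report run", 2.2, False),
    Event("admin logs in from a new workstation", 2.8, False),
    Event("port sweep from a workstation", 3.4, True),
    Event("bulk download of the customer table", 4.6, True),
    Event("outbound beacon every 60 s", 6.0, True),
]


def classify_by_deviation(events, threshold):
    """Reading 1 (Jon): the threshold is the deviation at which the IDS alerts.
    Events at or above it are flagged; everything below is treated as normal."""
    fp = [e.name for e in events if e.deviation >= threshold and not e.malicious]
    fn = [e.name for e in events if e.deviation < threshold and e.malicious]
    return {"false_positives": fp, "false_negatives": fn}


def classify_by_sensitivity(events, threshold, max_deviation=10.0):
    """Reading 2 (James, as relayed by Amlan): the threshold is a sensitivity
    level on a 1-10 scale (assumed); a higher setting tolerates a smaller
    deviation before alerting, so the alerting deviation is the complement."""
    tolerated = max_deviation - threshold
    return classify_by_deviation(events, tolerated)


def error_counts(events, threshold, classifier=classify_by_deviation):
    """(false positives, false negatives) for one setting under one reading."""
    result = classifier(events, threshold)
    return len(result["false_positives"]), len(result["false_negatives"])


def option_for(classifier, low, high):
    """Which answer option a reading endorses, given a setting below the
    correct one (low) and one above it (high): 'A' if low -> false positives
    and high -> false negatives, 'C' if the pattern is reversed."""
    fp_low, fn_low = error_counts(EVENTS, low, classifier)
    fp_high, fn_high = error_counts(EVENTS, high, classifier)
    if fp_low and fn_high and not fn_low and not fp_high:
        return "A"
    if fn_low and fp_high and not fp_low and not fn_high:
        return "C"
    return "neither"


if __name__ == "__main__":
    for label, clf, settings in (
        ("threshold = alerting deviation", classify_by_deviation, (1.0, 3.0, 5.0)),
        ("threshold = sensitivity level", classify_by_sensitivity, (2.0, 7.0, 8.0)),
    ):
        print(label)
        for t in settings:
            fp, fn = error_counts(EVENTS, t, clf)
            print(f"  setting {t:>4}: {fp} false positives, {fn} false negatives")
        print(f"  -> this reading matches option {option_for(clf, settings[0], settings[-1])}")
```

Running it shows the deviation reading producing false positives at the low setting and false negatives at the high one (option A's wording), and the sensitivity reading producing the reverse (option C's wording); the disagreement in the thread is about which quantity the IDS configuration actually exposes, not about how false positives and false negatives arise.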