Re: [CCCure CISSP] CISSPstudy Digest, Vol 60, Issue 58


Amol Waghmare
Hi,
If I read the question carefully, the sentence says "Which of the following outlines the possibilities of not doing this activity properly?"


My answer would be that C is the proper setting and all the rest of the options are improper settings.

Reason: If the threshold is high, false positives will be high and false negatives will be low.




From:        [hidden email]
To:        [hidden email]
Date:        25-06-2013 13:52
Subject:        CISSPstudy Digest, Vol 60, Issue 58
Sent by:        "CISSPstudy" <[hidden email]>




Send CISSPstudy mailing list submissions to
                [hidden email]

To subscribe or unsubscribe via the World Wide Web, visit
                http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
or, via email, send a message with subject or body 'help' to
                [hidden email]

You can reach the person managing the list at
                [hidden email]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of CISSPstudy digest..."


Today's Topics:

  1. Re: CISSPstudy Digest, Vol 60, Issue 57
     (Maynard, David C - GMRT-EST)
  2. Re: CISSPstudy Digest, Vol 60, Issue 57 ([hidden email])
  3. Re: CISSPstudy Digest, Vol 60, Issue 57 (Amlan Deb)


----------------------------------------------------------------------

Message: 1
Date: Mon, 24 Jun 2013 16:21:11 +0000
From: "Maynard, David C - GMRT-EST" <[hidden email]>
To: "[hidden email]" <[hidden email]>
Subject: Re: [CCCure CISSP] CISSPstudy Digest, Vol 60, Issue 57
Message-ID:
                <[hidden email]>
Content-Type: text/plain; CHARSET=US-ASCII

What book are you looking at?

Answer is A.


AIO 6th Edition. Access Control Monitoring

From the book:
If the threshold is set too low, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, some malicious activities won't be identified (false negatives).



Regards,
David Maynard - MCSE, CCNA, CCNA Security, Security+, A+


-----Original Message-----
From: CISSPstudy [
[hidden email]] On Behalf Of [hidden email]
Sent: Monday, June 24, 2013 11:00 AM
To: [hidden email]
Subject: CISSPstudy Digest, Vol 60, Issue 57



Today's Topics:

  1. Doubt relating to IDS threshold (Amlan Deb)


----------------------------------------------------------------------

Message: 1
Date: Mon, 24 Jun 2013 03:18:32 -0700 (PDT)
From: Amlan Deb <[hidden email]>
To: [hidden email]
Subject: [CCCure CISSP] Doubt relating to IDS threshold
Message-ID:
                <[hidden email]>
Content-Type: text/plain; charset="utf-8"

Hello everyone,

Here's a doubt I had in a question in Shon Harris AIO regarding IDS threshold.

George is responsible for setting and tuning the thresholds for his company's behavior-based IDS. Which of the following outlines the possibilities of not doing this activity properly?

A. If the threshold is set too low, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not identified (false negatives).

B. If the threshold is set too low, nonintrusive activities are considered attacks (false negatives). If the threshold is set too high, then malicious activities are not identified (false positives).

C. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too low, then malicious activities are not identified (false negatives).

D. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not identified (false negatives).


As per the book, option 'C' is the correct answer.

Isn't option 'A' the right answer: the lower we decide to keep the threshold of 'normal' activity - the more alerts we'll get and the higher the threshold of 'normal' activity - the more malicious attacks will go unidentified?
Thanks,
Amlan

------------------------------

Subject: Digest Footer

_______________________________________________
You can search through the mailing list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org


------------------------------

End of CISSPstudy Digest, Vol 60, Issue 57
******************************************



------------------------------

Message: 2
Date: Mon, 24 Jun 2013 15:06:55 -0400
From: "[hidden email]" <[hidden email]>
To: [hidden email]
Subject: Re: [CCCure CISSP] CISSPstudy Digest, Vol 60, Issue 57
Message-ID:
                <[hidden email]>
Content-Type: text/plain; charset="iso-8859-1"

It depends on what "low" and "high" means, and what sort of metric you're
setting a threshold on.  In this scenario, I'm leaning towards the answer
of 'A' as well... I'd love to hear any opposing arguments.

Here is my thought process:

Thinking about behavior-based IDSs and how they work, if a threshold being
too high means that it is looking at a deviation of 5 (but it should be 3),
and too low is a deviation of 1, then 'A' should be the right answer.
Setting the threshold to a deviation of 5 means that traffic with a
deviation of 3-4.99 (which should be malicious but is being miscategorized)
is not being detected, therefore a false negative.  Conversely, if the
threshold is too low (1) and should be 3, then traffic which is 'good'
(1-2.99) is being categorized as malicious, and therefore a false positive.



- Jon Zeolla
[hidden email]



------------------------------

Message: 3
Date: Tue, 25 Jun 2013 01:20:34 -0700 (PDT)
From: Amlan Deb <[hidden email]>
To: The CISSP Study Mailing list <[hidden email]>,
                [hidden email], [hidden email]
Subject: Re: [CCCure CISSP] CISSPstudy Digest, Vol 60, Issue 57
Message-ID:
                <[hidden email]>
Content-Type: text/plain; charset="iso-8859-1"

Hi Jon / David,

Yes, I was looking at it the same way, on a scale of 1 to 10, 1 being the most harmless traffic and 10 being the most harmful traffic, with 5 being considered normal traffic. So if we set our threshold as 2 (too low) we would get false alerts for normal traffic between 3 to 5, and if we set our threshold as 8 (too high) we would not get any alerts for not-normal traffic between 6 to 8.

David - Yes, I found this question in Shon Harris AIO 6th Edition as well (Qs. 21 of Access Control). But the book mentions the below as the explanation of the answer on pg 293 (opposite of what you mentioned). Could you let me know the page number where you came across the line which you mentioned?

21. C. If the threshold is set too high, nonintrusive activities are considered
attacks (false positives). If the threshold is set too low, then malicious
activities are not identified (false negatives).

I put this question on the forum of the website as well and James explained that option C is correct because we should consider high threshold = high sensitivity, which will generate more false alarms. That makes sense as well, but the word "threshold" immediately makes me think of the 1 to 10 scale and instinctively lean towards option A as the answer.

Thanks,
Amlan



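The numeric model Jon sketches (a correct cutoff of 3, with 1 being too low and 5 too high) and the 1-to-10 scale Amlan uses describe the same trade-off, and James's "high threshold = high sensitivity" reading is the same knob read in the opposite direction. The Python script below is an added illustration, not code from the list, from the AIO book or from any IDS product. It assumes an alert rule of "deviation score >= cutoff"; the traffic scores and their malicious/benign labels are constructed, and the sensitivity mapping (cutoff = scale - sensitivity) is a hypothetical one chosen only to show the inverted reading.

```python
"""Threshold tuning trade-off for a score-based behavior IDS.

Added illustration, not code from the mailing list or the AIO book.
Every observation carries a deviation-from-baseline score and the sensor
alerts when that score reaches a cutoff. All traffic below is constructed
and its malicious/benign labels are hypothetical ground truth.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Observation:
    deviation: float   # distance from the learned "normal" profile
    malicious: bool    # constructed ground-truth label


# Constructed sample: benign activity scores below 3, malicious at or above 3,
# so 3 is the "correct" cutoff that Jon's message assumes.
SAMPLE_TRAFFIC: List[Observation] = [
    Observation(0.4, False), Observation(1.2, False), Observation(1.8, False),
    Observation(2.3, False), Observation(2.9, False),
    Observation(3.1, True), Observation(3.6, True), Observation(4.4, True),
    Observation(4.9, True), Observation(7.5, True),
]


def classify(observations: Iterable[Observation], threshold: float) -> Tuple[int, int]:
    """Alert rule: deviation >= threshold.

    Returns (false_positives, false_negatives). A false positive is benign
    traffic that alerted; a false negative is malicious traffic that did not.
    """
    fp = fn = 0
    for obs in observations:
        alerted = obs.deviation >= threshold
        if alerted and not obs.malicious:
            fp += 1
        elif not alerted and obs.malicious:
            fn += 1
    return fp, fn


def classify_by_sensitivity(observations: Iterable[Observation],
                            sensitivity: float, scale: float = 10.0) -> Tuple[int, int]:
    """The other reading of 'threshold' raised in the thread: a sensitivity
    knob on a fixed scale where a higher setting alerts on smaller deviations.
    Hypothetical mapping for illustration: effective cutoff = scale - sensitivity.
    """
    return classify(observations, scale - sensitivity)


def sweep(observations: List[Observation],
          thresholds: Iterable[float]) -> Dict[float, Tuple[int, int]]:
    """Tabulate (fp, fn) per candidate cutoff so the trade-off is visible."""
    return {t: classify(observations, t) for t in thresholds}


if __name__ == "__main__":
    print("cutoff  false_pos  false_neg")
    for t, (fp, fn) in sweep(SAMPLE_TRAFFIC, [1.0, 3.0, 5.0]).items():
        print(f"{t:>6}  {fp:>9}  {fn:>9}")
    print()
    print("sensitivity  false_pos  false_neg")
    for s in (9.0, 7.0, 5.0):
        fp, fn = classify_by_sensitivity(SAMPLE_TRAFFIC, s)
        print(f"{s:>11}  {fp:>9}  {fn:>9}")
```

Read as a score cutoff, raising the threshold from 3 to 5 trades false positives for false negatives, which is answer A; read as a sensitivity setting, raising it does the opposite, which is answer C. What matters operationally is the direction of the alert rule on the sensor being tuned, so the check to make before tuning a real behavior-based IDS is to run a labelled pilot sample through a sweep like this and watch both error counts move, rather than rely on the word "threshold" alone.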

------------------------------

End of CISSPstudy Digest, Vol 60, Issue 58
******************************************








_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org