Topic 3: Analysis and Monitoring
Which of the following usually provides reliable, real-time information without consuming
network or host resources?
A. network-based IDS
B. host-based IDS
C. application-based IDS
D. firewall-based IDS
Answer: network-based IDS
A network-based IDS usually provides reliable, real-time information without
consuming network or host resources.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48.
Which protocol is NOT implemented in the Network layer of the OSI Protocol Stack?
A. hyper text transport protocol
B. Open Shortest Path First
C. Internet Protocol
D. Routing Information Protocol
Answer: hyper text transport protocol
Open Shortest Path First, Internet Protocol, and Routing Information Protocol
are all protocols implemented in the Network Layer.
Domain: Telecommunications and Network Security
References: AIO 3rd edition. Page 429
Official Guide to the CISSP CBK. Page 411
Which of the following is NOT a valid reason to use external penetration service firms
rather than corporate resources?
A. They are more cost-effective
B. They offer a lack of corporate bias
C. They use highly talented ex-hackers
D. They ensure a more complete reporting
Answer: They are more cost-effective
Two points are important to consider when it comes to ethical hacking:
integrity and independence.
By not using an ethical hacking firm that hires or subcontracts to ex-hackers or others who
have criminal records, an entire subset of risks can be avoided by an organization. Also, it
is not cost-effective for a single firm to fund the ongoing research and development,
systems development, and maintenance that is needed to operate state-of-the-art
proprietary and open source testing tools and techniques.
External penetration firms are more effective than internal penetration testers because they
are not influenced by any previous system security decisions, knowledge of the current
system environment, or future system security plans. Moreover, an employee performing
penetration testing might be reluctant to fully report security gaps.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Appendix F: The Case for
Ethical Hacking (page 517).
Which of the following monitors network traffic in real time?
A. network-based IDS
B. host-based IDS
C. application-based IDS
D. firewall-based IDS
Answer: network-based IDS
This type of IDS is called a network-based IDS because it monitors network
traffic in real time.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 48.
Which of the following would be LESS likely to prevent an employee from reporting an
incident?
A. They are afraid of being pulled into something they don't want to be involved with.
B. The process of reporting incidents is centralized.
C. They are afraid of being accused of something they didn't do.
D. They are unaware of the company's security policies and procedures.
Answer: The process of reporting incidents is centralized.
The reporting process should be centralized; otherwise employees won't bother.
The other answers are incorrect because:
"They are afraid of being pulled into something they don't want to be involved with" is
incorrect because most employees fear this, and it would prevent them from reporting an
incident.
"They are afraid of being accused of something they didn't do" is also incorrect because this
also prevents them from reporting an incident.
"They are unaware of the company's security policies and procedures" is also incorrect, as
mentioned above.
Reference: Shon Harris AIO v3, Ch-10: Laws, Investigation & Ethics, Page: 675.
In the process of gathering evidence from a computer attack, a system administrator took a
series of actions which are listed below. Can you identify which one of these actions has
compromised the whole evidence collection process?
A. Using a write blocker
B. Made a full-disk image
C. Created a message digest for log files
D. Displayed the contents of a folder
Answer: Displayed the contents of a folder
Displaying the directory contents of a folder can alter the last access time on
each listed file.
Using a write blocker is wrong because a write blocker ensures that you cannot modify
the data on the host; it prevents the host from writing to its hard drives.
Made a full-disk image is wrong because making a full-disk image preserves all data on
a hard disk, including deleted files and file fragments.
Created a message digest for log files is wrong because a message digest is a
cryptographic checksum that can demonstrate that the integrity of a file has not been
compromised (e.g. changes to the content of a log file).
Domain: LEGAL, REGULATIONS, COMPLIANCE AND INVESTIGATIONS
References:
AIO 3rd Edition, page 783-784
NIST 800-61 Computer Security Incident Handling guide page 3-18 to 3-20
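The message-digest point in the explanation above, as an added example that is not part of the CISSP guide or of NIST 800-61: digests are taken for each log file at collection time and recorded in a manifest; re-hashing later shows whether any file has changed since. The file names, log lines and the "later modification" are constructed for the demonstration.

```python
"""Added example (not from the CISSP guide): a message-digest manifest for log files.

Hashing evidence files at collection time, then re-hashing later, demonstrates that
their content has not changed (or pinpoints which file did change).
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read in 64 KiB chunks so large evidence files need not fit in memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file's content."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Map each path to its digest; this record is kept alongside the evidence."""
    return {p: hash_file(p) for p in paths}


def verify_manifest(manifest):
    """Return the paths whose current digest no longer matches the manifest
    (a missing file counts as changed)."""
    changed = []
    for path, expected in manifest.items():
        if not os.path.exists(path) or hash_file(path) != expected:
            changed.append(path)
    return changed


def digest_of_bytes(data, algorithm="sha256"):
    """Digest of in-memory bytes; useful for checking against published test vectors."""
    return hashlib.new(algorithm, data).hexdigest()


def demo():
    """Constructed scenario: two log files, one of which is altered after the manifest
    is taken. Returns the base names of the files the verification flags."""
    with tempfile.TemporaryDirectory() as d:
        auth_log = os.path.join(d, "auth.log")
        sys_log = os.path.join(d, "syslog")
        # Constructed sample lines, not from any real host.
        with open(auth_log, "w") as f:
            f.write("Mar 8 14:11:00 host sshd[812]: Failed password for bob from 10.0.0.7\n")
        with open(sys_log, "w") as f:
            f.write("Mar 8 14:12:00 host systemd[1]: Started session.\n")
        manifest = build_manifest([auth_log, sys_log])
        # Simulate a later modification: a line is appended to auth.log only.
        with open(auth_log, "a") as f:
            f.write("Mar 8 14:13:00 host sshd[812]: Accepted password for bob from 10.0.0.7\n")
        return [os.path.basename(p) for p in verify_manifest(manifest)]


if __name__ == "__main__":
    print("changed since manifest:", demo())
```

The manifest itself should be stored somewhere the evidence host cannot write to (printed into the case notes, or signed), since a digest kept next to the file it protects can be recomputed by whoever alters the file.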
Why would anomaly detection IDSs often generate a large number of false positives?
A. Because they can only correctly identify attacks they already know about.
B. Because they are application-based and more subject to attacks.
C. Because they can't identify abnormal behavior.
D. Because normal patterns of user and system behavior can vary wildly.
Answer: Because normal patterns of user and system behavior can vary wildly.
Unfortunately, anomaly detectors and the Intrusion Detection Systems (IDS)
based on them often produce a large number of false alarms, as normal patterns of user
and system behavior can vary wildly. Being only able to correctly identify attacks they
already know about is a characteristic of misuse detection (signature-based) IDSs.
Application-based IDSs are a special subset of host-based IDSs that analyze the events
transpiring within a software application. They are more vulnerable to attacks than
host-based IDSs. Not being able to identify abnormal behavior would not cause false
positives, since such behavior would not be identified at all.
Source: DUPUIS, Clément, Access Control Systems and Methodology CISSP Open Study
Guide, version 1.0, March 2002 (page 92).
What would be considered the biggest drawback of Host-based Intrusion Detection
systems (HIDS)?
A. It can be very invasive to the host operating system
B. Monitors all processes and activities on the host system only
C. Virtually eliminates limits associated with encryption
D. They have an increased level of visibility and control compared to NIDS
Answer: It can be very invasive to the host operating system
The biggest drawback of HIDS, and the reason many organizations resist its
use, is that it can be very invasive to the host operating system. HIDS must have the
capability to monitor all processes and activities on the host system and this can
sometimes interfere with normal system processing.
HIDS versus NIDS
A host-based IDS (HIDS) can be installed on individual workstations and/ or servers to
watch for inappropriate or anomalous activity. HIDSs are usually used to make sure users
do not delete system files, reconfigure important settings, or put the system at risk in any
other way.
So, whereas the NIDS understands and monitors the network traffic, a HIDS’s universe is
limited to the computer itself. A HIDS does not understand or review network traffic, and a
NIDS does not “look in” and monitor a system’s activity. Each has its own job and stays out
of the other’s way.
The ISC2 official study book defines an IDS as:
An intrusion detection system (IDS) is a technology that alerts organizations to adverse or
unwanted activity. An IDS can be implemented as part of a network device, such as a
router, switch, or firewall, or it can be a dedicated IDS device monitoring traffic as it
traverses the network. When used in this way, it is referred to as a network IDS, or NIDS.
IDS can also be used on individual host systems to monitor and report on file, disk, and
process activity on that host. When used in this way it is referred to as a host-based IDS, or
HIDS.
An IDS is informative by nature and provides real-time information when suspicious
activities are identified. It is primarily a detective device and, acting in this traditional role, is
not used to directly prevent the suspected attack.
What about IPS?
In contrast, an intrusion prevention system (IPS), is a technology that monitors activity like
an IDS but will automatically take proactive preventative action if it detects unacceptable
activity. An IPS permits a predetermined set of functions and actions to occur on a network
or system; anything that is not permitted is considered unwanted activity and blocked. IPS
is engineered specifically to respond in real time to an event at the system or network layer.
By proactively enforcing policy, IPS can thwart not only attackers, but also authorized users
attempting to perform an action that is not within policy. Fundamentally, IPS is considered
an access control and policy enforcement technology, whereas IDS is considered network
monitoring and audit technology.
The following answers were incorrect:
All of the other answers are advantages, not drawbacks, of using HIDS.
TIP FOR THE EXAM:
Be familiar with the differences that exist between a HIDS, a NIDS, and an IPS. Know that
IDSs are mostly detective but IPSs are preventive. IPSs are considered an access control
and policy enforcement technology, whereas IDSs are considered a network monitoring and
audit technology.
Reference(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations
5817-5822). McGraw-Hill. Kindle Edition.
and
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition :
Access Control ((ISC)2 Press), Domain1, Page 180-188 or on the kindle version look for
Kindle Locations 3199-3203. Auerbach Publications.
Which of the following is an IDS that acquires data and defines a "normal" usage profile for
the network or host?
A. Statistical Anomaly-Based ID
B. Signature-Based ID
C. dynamical anomaly-based ID
D. inferential anomaly-based ID
Answer: Statistical Anomaly-Based ID
Explanation: Statistical Anomaly-Based ID - With this method, an IDS acquires data and
defines a "normal" usage profile for the network or host that is being monitored.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49.
Which of the following are additional terms used to describe knowledge-based IDS and
behavior-based IDS?
A. signature-based IDS and statistical anomaly-based IDS, respectively
B. signature-based IDS and dynamic anomaly-based IDS, respectively
C. anomaly-based IDS and statistical-based IDS, respectively
D. signature-based IDS and motion anomaly-based IDS, respectively
Answer: signature-based IDS and statistical anomaly-based IDS, respectively
The two current conceptual approaches to Intrusion Detection methodology
are knowledge-based ID systems and behavior-based ID systems, sometimes referred to
as signature-based ID and statistical anomaly-based ID, respectively.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 63.
Which of the following is an issue with signature-based intrusion detection systems?
A. Only previously identified attack signatures are detected.
B. Signature databases must be augmented with inferential elements.
C. It runs only on the Windows operating system.
D. Hackers can circumvent signature evaluations.
Answer: Only previously identified attack signatures are detected.
An issue with signature-based ID is that only attack signatures that are
stored in their database are detected.
New attacks without a signature would not be reported. They do require constant updates
in order to maintain their effectiveness.
Reference used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 49.
Which of the following types of Intrusion Detection Systems uses behavioral characteristics
of a system’s operation or network traffic to draw conclusions on whether the traffic
represents a risk to the network or host?
A. Network-based ID systems.
B. Anomaly Detection.
C. Host-based ID systems.
D. Signature Analysis.
Answer: Anomaly Detection.
There are two basic IDS analysis methods: pattern matching (also called
signature analysis) and anomaly detection. Anomaly detection uses behavioral
characteristics of a system's operation or network traffic to draw conclusions on whether
the traffic represents a risk to the network or host.
Anomalies may include but are not limited to:
Multiple failed log-on attempts
Users logging in at strange hours
Unexplained changes to system clocks
Unusual error messages
The following are incorrect answers:
Network-based ID Systems (NIDS) are usually incorporated into the network in a passive
architecture, taking advantage of promiscuous mode access to the network. This means
that it has visibility into every packet traversing the network segment. This allows the
system to inspect packets and monitor sessions without impacting the network or the
systems and applications utilizing the network.
A host-based ID system (HIDS) is the implementation of IDS capabilities at the host level.
Its most significant difference from NIDS is that related processes are limited to the
boundaries of a single-host system. However, this presents advantages in effectively
detecting objectionable activities because the IDS process is running directly on the host
system, not just observing it from the network. This offers unfettered access to system logs,
processes, system information, and device information, and virtually eliminates limits
associated with encryption. The level of integration represented by HIDS increases the
level of visibility and control at the disposal of the HIDS application.
Signature Analysis: Some of the first IDS products used signature analysis as their
detection method and simply looked for known characteristics of an attack (such as specific
packet sequences or text in the data stream) to produce an alert if that pattern was
detected. For example, an attacker manipulating an FTP server may use a tool that sends
a specially constructed packet. If that particular packet pattern is known, it can be
represented in the form of a signature that IDS can then compare to incoming packets.
Pattern-based IDS will have a database of hundreds, if not thousands, of signatures that
are compared to traffic streams. As new attack signatures are produced, the system is
updated, much like antivirus solutions. There are drawbacks to pattern-based IDS. Most
importantly, signatures can only exist for known attacks. If a new or different attack vector
is used, it will not match a known signature and, thus, slip past the IDS. Additionally, if an
attacker knows that the IDS is present, he or she can alter his or her methods to avoid
detection. Changing packets and data streams, even slightly, from known signatures can
cause an IDS to miss the attack. As with some antivirus systems, the IDS is only as good as the latest signature database on the system.
For additional information on Intrusion Detection Systems -
http://en.wikipedia.org/wiki/Intrusion_detection_system
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 3623-3625, 3649-3654, 3666-3686). Auerbach
Publications. Kindle Edition.
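The statistical anomaly-based ID described two questions earlier (an IDS that "acquires data and defines a normal usage profile") and the anomaly list in this question's explanation (multiple failed log-on attempts, users logging in at strange hours, unexplained changes to system clocks), as one added example. This is not code from the CISSP guides; the log format, the constructed log lines and the thresholds are assumptions made for the demonstration.

```python
"""Added example (not from the CISSP guides): a toy statistical anomaly-based IDS.

It learns a per-user 'normal usage profile' (typical login hour) from a baseline of
constructed log lines, then flags the kinds of anomalies the text lists: repeated
failed log-ons, logins at unusual hours, and timestamps that move backwards
(an unexplained clock change). Log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed baseline: a week of successful logins used to learn each user's hours.
BASELINE_LOG = """\
2024-03-01T08:55:00 alice LOGIN_OK
2024-03-04T09:10:00 alice LOGIN_OK
2024-03-05T10:02:00 alice LOGIN_OK
2024-03-06T09:30:00 alice LOGIN_OK
2024-03-07T09:05:00 alice LOGIN_OK
2024-03-07T09:45:00 alice LOGIN_OK
2024-03-01T13:20:00 bob LOGIN_OK
2024-03-04T14:05:00 bob LOGIN_OK
2024-03-05T15:10:00 bob LOGIN_OK
2024-03-06T14:40:00 bob LOGIN_OK
"""

# Constructed lines to analyse against that profile.
NEW_LOG = """\
2024-03-08T09:05:00 alice LOGIN_OK
2024-03-08T13:40:00 bob LOGIN_OK
2024-03-08T14:10:00 bob LOGIN_FAIL
2024-03-08T14:10:30 bob LOGIN_FAIL
2024-03-08T14:11:00 bob LOGIN_FAIL
2024-03-08T14:12:00 bob LOGIN_OK
2024-03-09T03:15:00 alice LOGIN_OK
2024-03-09T02:58:00 mallory LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def parse(text):
    """Turn log lines into (timestamp, user, event) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def build_profile(events):
    """The 'normal usage profile': mean and spread of each user's successful-login hour.
    The spread is floored at one hour so a very regular user does not alert on noise."""
    hours = defaultdict(list)
    for ts, user, ev in events:
        if ev == "LOGIN_OK":
            hours[user].append(ts.hour)
    return {u: (statistics.mean(h), max(statistics.pstdev(h), 1.0)) for u, h in hours.items()}


def detect(events, profile, fail_threshold=3, z_threshold=3.0):
    """Return (kind, user, timestamp) alerts for the anomaly types listed in the text."""
    alerts = []
    fails = defaultdict(int)
    prev_ts = None
    for ts, user, ev in events:
        # Unexplained clock change: a log timestamp earlier than the one before it.
        if prev_ts is not None and ts < prev_ts:
            alerts.append(("clock_anomaly", user, ts.isoformat()))
        prev_ts = ts
        if ev == "LOGIN_FAIL":
            fails[user] += 1
            if fails[user] == fail_threshold:  # multiple failed log-on attempts
                alerts.append(("repeated_failures", user, ts.isoformat()))
            continue
        fails[user] = 0  # a success ends the failure streak
        if user not in profile:
            alerts.append(("unknown_user", user, ts.isoformat()))
            continue
        mean, spread = profile[user]
        if abs(ts.hour - mean) / spread > z_threshold:  # user logging in at strange hours
            alerts.append(("odd_hour_login", user, ts.isoformat()))
    return alerts


def run_demo():
    """Learn the profile from the baseline, then analyse the new lines."""
    return detect(parse(NEW_LOG), build_profile(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

Note the false-positive mechanism the earlier question describes: the profile is only as good as the baseline, and a user whose hours genuinely vary (or whose baseline straddles midnight, since hour-of-day wraps at 24 and this toy does not use circular statistics) will trip the odd-hour rule on legitimate logins. Raising z_threshold reduces those alerts at the cost of missing real ones.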