CompTIA Security Plus Mock Test Q652

The security team would like to gather intelligence about the types of attacks being launched against the organization. Which of the following would provide them with the MOST information?

A. Implement a honeynet
B. Perform a penetration test
C. Examine firewall logs
D. Deploy an IDS

Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack so that an attacker's activities and methods can be studied and that information used to improve the security of the real network. A honeynet contains one or more honeypots, which are computer systems placed on the Internet expressly to attract and "trap" attackers who attempt to break into computer systems. Although the primary purpose of a honeynet is to gather information about attackers' methods and motives, the decoy network can benefit its operator in other ways, for example by diverting attackers from the real network and its resources. The Honeynet Project, a non-profit research organization dedicated to computer security and information sharing, actively promotes the deployment of honeynets.
In addition to the honeypots, a honeynet usually runs real applications and services so that it looks like a normal network and a worthwhile target. However, because the honeynet serves no authorized users, any attempt to contact it from outside is likely an illicit attempt to breach its security, and any outbound activity is likely evidence that one of its systems has been compromised. For this reason, suspicious activity is far more apparent than it would be on a production network, where it would have to be found amid all the legitimate traffic. Applications within a honeynet are often given names such as "Finances" or "Human Services" to make them sound appealing to an attacker.
A virtual honeynet is one that, while appearing to be an entire network, resides on a single server.

Incorrect Answers:
B: Penetration testing evaluates an organization's ability to protect its networks, applications, computers and users from attempts to circumvent its security controls and gain unauthorized or privileged access to protected assets. A penetration tester attempts to gain access by exploiting weaknesses the tester already knows about, within an agreed scope and time window. The result shows which known weaknesses are exploitable, not which methods real attackers are actually using against the organization. To observe those methods, you need a honeynet.
C: Firewall logs record which connections were allowed or blocked: source and destination addresses, ports, and the action taken. They do not record what was sent over an allowed connection, so an attack delivered over a permitted port (for example, a web application attack over HTTP) appears as an ordinary accepted connection. Firewall logs therefore reveal who connected and where, but little about the methods of attack.
D: An intrusion detection system (IDS) is a device or software application that monitors network or system activity for malicious actions or policy violations and reports them to a management station. IDSs take different approaches to detecting suspicious traffic, and there are network-based (NIDS) and host-based (HIDS) varieties. Some systems also attempt to stop an intrusion, but that is neither required nor expected of a monitoring system.
An IDS can report malicious activity, but it only reports what matches its signatures or anomaly rules; an attacker using a method the IDS does not recognize produces no alert. The question asks for the option that provides the MOST information.
A honeynet is the better answer because it is designed to be attacked, so the full interaction is captured and the methods used can be studied, including ones no signature yet describes.
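As an added illustration of the two points above (a honeynet serves no legitimate users, so everything that touches it is worth recording in full, whereas a firewall log holds only the connection tuple and verdict), the following low-interaction HTTP honeypot is example code written for this page, not code from the exam or from the Honeynet Project. It accepts any connection, answers with a constructed fake server banner, and records the complete request line so the attacker's technique is visible; the indicator strings, addresses and the simulated attacker request are all constructed for the demonstration.

```python
"""Low-interaction HTTP honeypot: accept anything, reply with a fake banner,
record the full request. Added example for this page; banner, indicators,
ports and addresses are constructed, not taken from any real deployment."""
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed banner: advertise a plausible, dated server so the decoy looks worthwhile.
FAKE_BANNER = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
               b"Content-Length: 0\r\n\r\n")

# Illustrative tags only. The honeypot's real value is the raw capture, which can be
# re-analysed later when a technique not on this list shows up.
INDICATORS = {
    "path-traversal": ("../", "%2e%2e%2f", "..\\"),
    "sqli": ("union select", "' or 1=1", "or '1'='1"),
    "xss-probe": ("<script", "javascript:"),
    "webshell-probe": ("cmd=", "/shell.php", "eval("),
}


def classify_request(data: bytes) -> list[str]:
    """Tag a captured request with the techniques it appears to contain."""
    if not data:
        return ["empty-probe"]          # connected and sent nothing (scanner banner grab)
    text = data.decode("latin-1").lower()
    tags = [name for name, needles in INDICATORS.items() if any(n in text for n in needles)]
    if not text.startswith(("get ", "post ", "head ", "options ", "put ")):
        tags.append("non-http")         # something other than HTTP hit the web port
    return tags


def handle_connection(conn: socket.socket, peer: tuple[str, int]) -> dict:
    """Serve one attacker connection and return the intelligence record."""
    conn.settimeout(5.0)
    try:
        data = conn.recv(4096)
    except (socket.timeout, OSError):
        data = b""
    try:
        conn.sendall(FAKE_BANNER)
    except OSError:
        pass
    finally:
        conn.close()
    request_line = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src_ip": peer[0],
        "src_port": peer[1],
        "request_line": request_line,   # the attacker's method, which a firewall never sees
        "bytes": len(data),
        "tags": classify_request(data),
    }


def firewall_view(record: dict, dst_port: int = 80) -> str:
    """What a firewall log would hold for the same connection: tuple and verdict only."""
    return f"ACCEPT TCP {record['src_ip']}:{record['src_port']} -> honeynet:{dst_port}"


def simulate_attacker(request: bytes, peer=("203.0.113.5", 51234)) -> tuple[dict, bytes]:
    """Offline harness: drive handle_connection over a socketpair with a constructed request."""
    attacker, honeypot = socket.socketpair()
    attacker.sendall(request)
    record = handle_connection(honeypot, peer)
    reply = attacker.recv(4096)
    attacker.close()
    return record, reply


def serve(bind_addr: str = "0.0.0.0", port: int = 8080, log_path: str = "honeypot.jsonl") -> None:
    """Listen on a decoy port and append one JSON record per connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)

    def worker(conn, peer):
        rec = handle_connection(conn, peer)
        with open(log_path, "a") as fh:
            fh.write(json.dumps(rec) + "\n")

    while True:
        conn, peer = srv.accept()
        threading.Thread(target=worker, args=(conn, peer), daemon=True).start()


if __name__ == "__main__":
    rec, _ = simulate_attacker(b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\nHost: finances\r\n\r\n")
    print("honeypot record:", json.dumps(rec))
    print("firewall log:   ", firewall_view(rec))
```

Run the file directly to see the contrast with a simulated attacker; `serve()` binds a real decoy port. Because nobody legitimate should ever reach the listener, every record is intelligence rather than noise, which is exactly why the honeynet answer provides more information than the firewall log, which would reduce the same event to a single ACCEPT line.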

References:
http://searchsecurity.techtarget.com/definition/honeynet
http://en.wikipedia.org/wiki/Intrusion_detection_system