According to the CISA Review Manual (27th), 5.15.1 Intrusion Detection System: In contrast to IDSs, which rely on signature files to identify an attack as it happens (or after), an intrusion prevention system (IPS) predicts an attack before it can take effect. It does this by monitoring key areas of a computer system and looking for bad behavior, such as worms, Trojans, spyware, malware and hackers. It complements firewall, antivirus and antispyware tools to provide complete protection from emerging threats. It is able to block new (zero-day) threats that bypass traditional security measures, because it is not reliant on identifying and distributing threat signatures or patches.
Indeed, that's what ISACA has in their manual. Even if I do not agree with ISACA on the difference they make between IDS and IPS, I'll answer D if I get that question in my exam.
From CRM: In contrast to IDSs, which rely on signature files to identify an attack as it happens (or after), an intrusion prevention system (IPS) predicts an attack before it can take effect. It does this by monitoring key areas of a computer system and looking for bad behavior, such as worms, Trojans, spyware, malware and hackers. It complements firewall, antivirus and antispyware tools to provide complete protection from emerging threats. It is able to block new (zero-day) threats that bypass traditional security measures, because it is not reliant on identifying and distributing threat signatures or patches.
Q: Which of the following BEST facilitates detection?
Answer: C
IDS are focused on detecting suspicious activities or anomalies in network traffic and system behavior without necessarily taking immediate action to block them. IDS can be more effective in identifying zero-day exploits because they rely on detecting abnormal patterns or behaviors that may indicate the presence of an attack, even if the specific exploit is unknown. Therefore, in the context of detecting zero-day exploits, an IDS would be a more suitable choice than an IPS.
Zero-day exploits tend to be very difficult to detect. Anti-malware software, some Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are often ineffective because attack signatures do not yet exist. For this reason, the best way to detect zero-day attacks is to analyze user behavior.
Option B
Since other methods depend on known signatures. However, CISA is stating that IPS detects attacks by leveraging its ability to monitor and identify behavioral disparities within the system. This now makes it quite tricky.
To be safe, I’d stick to user behavior analysis
I would advise you not to follow your technical skills in the context of the ISACA exam; questions seem to be made to check whether the candidate read the ISACA book rather than to assess real understanding of a situation.
B. User behavior analytics
User behavior analytics is the best option for facilitating the detection of zero-day exploits. Zero-day exploits are vulnerabilities that are not known to the vendor or to the general public and therefore have not yet been patched. They can be difficult to detect because they are not detected by traditional security controls. User behavior analytics involves analyzing user activity in order to identify unusual or suspicious behavior that may indicate an attempted zero-day exploit. Options A, C, and D may also help to detect zero-day exploits, but they are not as effective as user behavior analytics.
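The contrast this answer draws, as an added example that is not part of the original thread: a signature matcher sees nothing in traffic for which no rule exists yet, while a per-user baseline flags the same event because its volume departs from that user's own history. The events, the signature list and the threshold are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not from the page): one record per user action.
EVENTS = [
    {"user": "alice", "action": "download", "bytes_out": 1_000, "payload": "GET /report"},
    {"user": "alice", "action": "download", "bytes_out": 1_200, "payload": "GET /report"},
    {"user": "alice", "action": "download", "bytes_out": 900, "payload": "GET /report"},
    {"user": "alice", "action": "download", "bytes_out": 1_100, "payload": "GET /report"},
    # Novel (zero-day style) activity: no signature exists, but the volume is far off baseline.
    {"user": "alice", "action": "download", "bytes_out": 250_000, "payload": "GET /xyz"},
]

# Constructed known-attack patterns, standing in for an IDS/IPS signature set.
SIGNATURES = ["/etc/passwd", "UNION SELECT", "<script>"]


def signature_hits(events, signatures=SIGNATURES):
    """Signature-based detection: flags only payloads matching a known pattern."""
    return [e for e in events
            if any(s.lower() in e["payload"].lower() for s in signatures)]


def behavior_hits(events, z_threshold=3.0, min_history=3):
    """Behavior-based detection: flag an event whose bytes_out lies more than
    z_threshold standard deviations above the user's own prior baseline.
    Events are processed in order, so each one is judged only against history."""
    history = defaultdict(list)
    hits = []
    for e in events:
        past = history[e["user"]]
        if len(past) >= min_history:
            mu, sigma = mean(past), pstdev(past)
            if sigma == 0:
                sigma = max(mu * 0.1, 1.0)  # flat baseline: avoid division by zero
            if (e["bytes_out"] - mu) / sigma > z_threshold:
                hits.append(e)
        past.append(e["bytes_out"])
    return hits


if __name__ == "__main__":
    print("signature hits:", [e["payload"] for e in signature_hits(EVENTS)])
    print("behavior hits:", [e["bytes_out"] for e in behavior_hits(EVENTS)])
```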
Zero-day exploits tend to be very difficult to detect. Antimalware software and some intrusion detection systems (IDSes) and intrusion prevention systems (IPSes) are often ineffective because no attack signature yet exists. This is why the best way to detect a zero-day attack is user behavior analytics.
Answer looks like D based on the manual: In contrast to IDSs, which rely on signature files to identify an attack as it happens (or after), an intrusion prevention system (IPS) predicts an attack before it can take effect. It does this by monitoring key areas of a computer system and looking for bad behavior, such as worms, Trojans, spyware, malware and hackers. It complements firewall, antivirus and antispyware tools to provide complete protection from emerging threats. It is able to block new (zero-day) threats that bypass traditional security measures, because it is not reliant on identifying and distributing threat signatures or patches.
Why is the correct answer D? If IPS and IDS work on signatures, these are not valid options to detect zero-days. Instead, behavior-based solutions should be a better option.