Weekly CISSP Practice

Exam Questions

Week 47 - Question 2

Question: What is the main purpose of an Intrusion Detection System (IDS)?
  • A. Prevent intrusions
  • B. Detect intrusions
  • C. Provide a secure network
  • D. None of the above
Correct Answer: B. Detect intrusions

Understanding Intrusion Detection Systems
In the CISSP framework, an Intrusion Detection System (IDS) is classified as a Detective Technical Control. Its primary role is visibility. Think of it as the "smoke detector" or "security camera" of your digital environment. It watches, it listens, and it alarms, but it does not physically interfere with the event in progress.
1. Detect Intrusions (The Primary Purpose)
An IDS monitors network traffic or system logs to identify patterns that indicate a security breach or a policy violation.
  • Passive Nature: An IDS typically operates out-of-band. It receives a copy of network traffic via a SPAN (Switched Port Analyzer) port or a Network TAP. Because it is not sitting directly in the flow of traffic, it can analyze data without causing network latency.
  • The Output: When a match is found, the IDS generates an alert. It is then up to the Security Operations Center (SOC) or a system administrator to respond.
2. IDS vs. IPS (Option A)
The most common mistake on the exam is confusing the IDS with the Intrusion Prevention System (IPS).
  • The IPS (Active): An IPS is an active control. It sits "in-line," meaning all traffic must pass through it to reach its destination. If it detects a threat, it can drop the malicious packets or reset the connection immediately.
  • The IDS (Passive): An IDS is passive. By the time the IDS generates an alert, the malicious packet has likely already reached its destination.
3. Network-Based (NIDS) vs. Host-Based (HIDS)
For the CISSP, you must also know where these sensors live:
  • NIDS: Monitors network traffic for an entire segment. It sees the "big picture" but cannot inspect the contents of encrypted traffic.
  • HIDS: Installed on a specific server or workstation. It can see encrypted data once it is decrypted on the host and can monitor local system calls and file integrity.

The "CISSP Rule of Thumb"
  • IDS = Passive, Out-of-band, Detective, Alert-only.
  • IPS = Active, In-line, Preventive, Blocks traffic.
  • Signature = Best for known "bad" things.
  • Anomaly = Best for unknown "weird" things.
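As an added illustration that is not part of the original question or its explanation, the following Python detector applies both approaches from the rule of thumb to a constructed set of log lines: signature rules for known "bad" patterns and a simple anomaly rule for "weird" behaviour (a failed-login count above a baseline). It only returns alerts and never touches the traffic; the log format, the two signature patterns and the failure baseline are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed web-server-style log lines for the example: "source method path status".
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
203.0.113.9 GET /images/../../config.txt 404
10.0.0.7 GET /index.html 200
198.51.100.4 POST /login 401
198.51.100.4 POST /login 401
198.51.100.4 POST /login 401
198.51.100.4 POST /login 401
198.51.100.4 POST /login 401
198.51.100.4 POST /login 401
""".splitlines()

# Signature rules: fixed patterns for known "bad" things (assumed for the example).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "xss-probe": re.compile(r"<script", re.IGNORECASE),
}


def signature_alerts(lines):
    """Signature detection: alert on any line that matches a known-bad pattern."""
    alerts = []
    for n, line in enumerate(lines, 1):
        for rule, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append({"line": n, "rule": rule, "source": line.split()[0]})
    return alerts


def anomaly_alerts(lines, baseline_failures=2):
    """Anomaly detection: alert on sources whose 401 count exceeds the assumed baseline."""
    failures = Counter(line.split()[0] for line in lines if line.endswith(" 401"))
    return [{"rule": "auth-failure-spike", "source": src, "count": count}
            for src, count in failures.items() if count > baseline_failures]


def detect(lines):
    """One passive IDS pass over already-recorded lines.

    Like a real IDS it is out-of-band: the events have already happened by the
    time it runs, so it can only alert; it cannot drop or modify anything.
    """
    return signature_alerts(lines) + anomaly_alerts(lines)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The traversal line is caught by a signature because the pattern is known in advance, while the burst of failed logins is caught only by the anomaly rule, since no single line in it looks "bad" on its own.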
