ECCouncil 312-38 Certified Network Defender (CND) Exam Prep PDF
Document Details
ECCouncil
Tags
Summary
This document contains practice questions and answers for the ECCouncil 312-38 Certified Network Defender (CND) exam. It covers topics such as Wireshark filters, security incidents, packet filtering firewalls, RAID storage techniques, and Man-in-the-Middle attacks.
Full Transcript
ECCouncil 312-38 Certified Network Defender (CND) Version: 12.0 [ Total Questions: 362] Web: www.examout.co Email: [email protected] IM...
ECCouncil 312-38 Certified Network Defender (CND) Version: 12.0 [ Total Questions: 362] Web: www.examout.co Email: [email protected] IMPORTANT NOTICE Feedback We have developed quality product and state-of-art service to ensure our customers interest. If you have any suggestions, please feel free to contact us at [email protected] Support If you have any questions about our product, please provide the following items: exam code screenshot of the question login id/email please contact us at [email protected] and our technical experts will provide support within 24 hours. Copyright The product of each order has its own encryption code, so you should use it independently. Any unauthorized changes will inflict legal punishment. We reserve the right of final explanation for this statement. Exam Preparation ECCouncil - 312-38 Question #:1 James is working as a Network Administrator in a reputed company situated in California. He is monitoring his network traffic with the help of Wireshark. He wants to check and analyze the traffic against a PING sweep attack. Which of the following Wireshark filters will he use? A. lcmp.type==0 and icmp.type==16 B. lcmp.type==8 or icmp.type==16 C. lcmp.type==8 and icmp.type==0 D. lcmp.type==8 or icmp.type==0 Answer: D Explanation James should use the Wireshark filter icmp.type==8 or icmp.type==0 to detect a PING sweep attack. This filter will capture both ICMP echo requests and echo replies, which are used in PING sweeps to discover active hosts on a network. When conducting a PING sweep, an attacker sends ICMP echo requests (type 8) to multiple hosts and listens for echo replies (type 0). By monitoring for both types, James can effectively identify a PING sweep attack. References: The use of this filter for detecting PING sweeps is documented in various network security resources, including the InfosecMatter guide on detecting network attacks with Wireshark1, which specifically lists icmp.type==8 or icmp.type==0 as the filter for ICMP ping sweeps. This approach is consistent with standard practices for network monitoring and intrusion detection. Question #:2 Individuals in the organization using system resources against acceptable usage policies indicates which of the following security incident: A. Malicious Code B. Denial-of-Service ( DoS ) C. Improper Usage D. Unauthorized Access Answer: C Explanation The term ‘Improper Usage’ refers to instances where individuals use system resources in a manner that is not Pass with Authority Use Examout.co 1 of 223 Exam Preparation ECCouncil - 312-38 compliant with the organization’s acceptable usage policies. This could involve a range of activities, from excessive personal use of the internet during work hours to the installation of unauthorized software. It is differentiated from ‘Unauthorized Access,’ which implies gaining access to resources one is not permitted to use, and ‘Malicious Code,’ which relates to software designed to harm or exploit systems. ‘Denial-of-Service’ refers to attacks intended to disrupt service availability. References: The Certified Network Defender (CND) program by EC-Council covers the protect, detect, respond, and predict approach to network security, which includes understanding and identifying improper usage as a security incident12. The CND curriculum is designed to help network defenders understand and mitigate risks in the network, including those arising from improper usage2. Question #:3 John wants to implement a packet filtering firewall in his organization's network. What TCP/IP layer does a packet filtering firewall work on? A. Application layer B. Network Interface layer C. TCP layer D. IP layer Answer: D Explanation A packet filtering firewall operates at the network layer of the TCP/IP model. It analyzes the headers of IP packets, which include source and destination IP addresses, protocol information, and port numbers, to determine whether to allow or block the packets based on predefined rules and access control lists (ACLs). This type of firewall does not perform deep packet inspection but rather checks the packet headers against the ACLs to make decisions1234. References: The explanation aligns with the core functions of packet filtering firewalls as described in various sources, including the Enterprise Networking Planet and NordLayer articles, which detail how these firewalls interact with the IP layer to filter traffic12. GeeksforGeeks also confirms that packet filtering firewalls work at the network layer of the OSI model, which corresponds to the IP layer in the TCP/IP model4. Question #:4 Which of the following RAID storage techniques divides the data into multiple blocks, which are further written across the RAID system? A. Mirroring B. Striping C. None of these Pass with Authority Use Examout.co 2 of 223 Exam Preparation ECCouncil - 312-38 D. Parity Answer: B Explanation In RAID storage, striping is the technique that divides data into blocks and spreads them across multiple drives in the RAID array. This method enhances performance by allowing the drives to read and write data simultaneously, effectively increasing throughput and speed. Unlike mirroring, which duplicates data across drives, or parity, which provides redundancy, striping solely focuses on performance by distributing data across the RAID system without redundancy. References: The concept of striping is associated with various RAID levels, particularly RAID 0, which is known for its striping technique without redundancy1. This information aligns with the objectives and documents of the Certified Network Defender (CND) course, which covers RAID storage techniques as part of its curriculum. Question #:5 Arman transferred some money to his friend’s account using a net banking service. After a few hours, his friend informed him that he hadn’t received the money yet. Arman logged on to the bank’s website to investigate and discovered that the amount had been transferred to an unknown account instead. The bank, upon receiving Arman’s complaint, discovered that someone had established a station between Arman’s and the bank server’s communication system. The station intercepted the communication and inserted another account number replacing his friend’s account number. What is such an attack called? A. Privilege Escalation B. DNS Poisoning C. Man-in-the-Middle Attack D. DNS Cache Poisoning Answer: C Explanation The scenario described is a classic example of a Man-in-the-Middle (MitM) attack. In this type of cyberattack, the attacker secretly intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other. The attacker has inserted themselves between the two parties, in this case, Arman and the bank’s server, and has intercepted the communication to redirect the funds to a different account. This type of attack can occur in various forms, such as eavesdropping on or altering the communication over an insecure network service, but it is characterized by the attacker’s ability to intercept and modify the data being exchanged without either legitimate party noticing. References: The definition and explanation of a Man-in-the-Middle attack are based on standard cybersecurity Pass with Authority Use Examout.co 3 of 223 Exam Preparation ECCouncil - 312-38 knowledge and documented instances of such attacks123456. Question #:6 Blake is working on the company's updated disaster and business continuity plan. The last section of the plan covers computer and data incidence response. Blake is outlining the level of severity for each type of incident in the plan. Unsuccessful scans and probes are at what severity level? A. High severity level B. Extreme severity level C. Mid severity level D. Low severity level Answer: D Explanation In the context of incident response, unsuccessful scans and probes are typically considered a low severity level. This is because they often indicate an attempted reconnaissance or mapping of systems rather than a successful compromise or disruption of services. While they should be monitored and analyzed to improve defenses and detect patterns of malicious activity, they do not usually signify an immediate threat to the integrity, availability, or confidentiality of systems. References: The classification of unsuccessful scans and probes as low severity is consistent with standard practices in incident response and is supported by various cybersecurity frameworks and guidelines, including those from the EC-Council’s Certified Network Defender (CND) program. Question #:7 Chris is a senior network administrator. Chris wants to measure the Key Risk Indicator (KRI) to assess the organization. Why is Chris calculating the KRI for his organization? It helps Chris to: A. Identifies adverse events B. Facilitates backward C. Facilitates post Incident management D. Notifies when risk has reached threshold levels Answer: D Explanation Key Risk Indicators (KRIs) are crucial metrics used in risk management to measure the likelihood of potential Pass with Authority Use Examout.co 4 of 223 Exam Preparation ECCouncil - 312-38 risks and their impact on an organization. They are designed to provide an early warning signal to notify management when a risk has reached a level that may exceed the organization’s risk appetite and could have a profoundly negative impact on its ability to succeed. KRIs are not typically used to identify adverse events, which is more the role of Key Performance Indicators (KPIs), nor are they used to facilitate backward or post-incident management directly. Instead, KRIs are forward-looking indicators that help in predicting and preventing risks before they materialize into significant threats. References: The explanation provided is based on industry-standard practices for Key Risk Indicators as outlined in resources such as TechTarget and SafetyCulture, which align with the objectives and documents of the Certified Network Defender (CND) program12. Question #:8 The--------------protocol works in the network layer and is responsible for handling the error codes during the delivery of packets. This protocol is also responsible for providing communication in the TCP/IP stack. A. RARP B. ICMP C. DHCP D. ARP Answer: B Explanation The Internet Control Message Protocol (ICMP) operates at the network layer and is integral to the Internet Protocol suite. It is utilized primarily for error handling during packet delivery, such as informing senders of a failed delivery due to unreachable destinations or other path-related issues. ICMP is also used for diagnostic purposes, with tools like ping and traceroute relying on ICMP messages to test connectivity and trace packet routes. Unlike transport layer protocols like TCP or UDP, ICMP does not establish a connection before sending messages, making it a connectionless protocol. This characteristic allows ICMP to quickly relay error messages and network information without the overhead of establishing a session. References: The role and functions of ICMP are well-documented in resources such as GeeksforGeeks, ExploringBits, and IBM’s TCP/IP concepts, which align with the ECCouncil’s Network Defender (CND) objectives and documents123. Question #:9 Which RAID level does not provide data redundancy? A. RAID level 0 B. RAID level 1 C. RAID level 50 Pass with Authority Use Examout.co 5 of 223 Exam Preparation ECCouncil - 312-38 D. RAID level 10 Answer: A Explanation RAID level 0, also known as striping, involves splitting data evenly across two or more disks without parity information, redundancy, or fault tolerance. This means that if one drive fails, the entire array fails, resulting in total data loss. RAID 0 is typically used to increase performance, as it allows for faster read and write operations by using multiple disks simultaneously. However, because it does not duplicate data across the disks, it does not provide any form of data redundancy1. References: The explanation aligns with the standard definitions and functionalities of RAID levels as described in various authoritative sources on computer storage and network security, including materials from the EC-Council’s Certified Network Defender (CND) course. For the most accurate and detailed information, please refer to the latest CND study materials and documents available through the EC-Council and other reputable sources on RAID technology. Question #:10 HexCom, a leading IT Company in the USA, realized that their employees were having trouble accessing multiple servers with different passwords. Due to this, the centralized server was also being overburdened by avoidable network traffic. To overcome the issue, what type of authentication can be given to the employees? A. Two-Factor Authentication B. Biometric Authentication C. Single Sign-on (SSO) D. Smart Card Authentication Answer: C Explanation Single Sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials, thereby reducing the need for multiple passwords. This not only simplifies the user experience but also reduces the load on the centralized server by decreasing the network traffic caused by repeated authentication requests. SSO is particularly beneficial in an environment like HexCom’s, where employees need to access various servers and systems, as it streamlines the login process and improves security by minimizing the chances of password fatigue and the resultant poor password practices. References: The explanation aligns with the principles of network security and access management, which are core components of the Certified Network Defender (CND) curriculum. The benefits of SSO in reducing network traffic and improving user experience are well-documented in network security literature12. Pass with Authority Use Examout.co 6 of 223 Exam Preparation ECCouncil - 312-38 Question #:11 Oliver is a Linux security administrator at an MNC. An employee named Alice has resigned from his organization and Oliver wants to disable this user in Ubuntu. Which of the following commands can be used to accomplish this? A. usermod -3 alice B. uscrmod- K alice C. usermod- L alice D. usermod- M alice Answer: C Explanation In Linux, to disable a user account, the usermod command is used with the -L option. This option locks the user’s password, effectively disabling the account by preventing the user from logging in. The command usermod -L alice will lock the user ‘alice’ by adding an exclamation mark (!) in front of the encrypted password in the /etc/shadow file, which is the standard method for disabling an account in Linux. References: This information is consistent with standard Linux administration practices and is also in line with the objectives of the EC-Council’s Certified Network Defender (CND) program, which includes understanding and managing user accounts and permissions as part of network security1. Question #:12 A company wants to implement a data backup method which allows them to encrypt the data ensuring its security as well as access at any time and from any location. What is the appropriate backup method that should be implemented? A. Onsite backup B. Hot site backup C. Offsite backup D. Cloud backup Answer: D Explanation The most appropriate backup method for a company that wants to ensure data encryption and accessibility from any location at any time is cloud backup. Cloud backup solutions provide remote, offsite storage that can be accessed over the internet, which is ideal for ensuring data availability and security. These solutions often include robust encryption protocols to secure data during transfer and while at rest on the cloud servers. This Pass with Authority Use Examout.co 7 of 223 Exam Preparation ECCouncil - 312-38 aligns with the need for a backup method that not only encrypts data but also allows for easy access regardless of the user’s location. References: The explanation is based on standard practices in data backup and security, which are consistent with the objectives and documentation of the Certified Network Defender (CND) course. Cloud backup is widely recognized for its encryption capabilities and remote accessibility, making it a suitable choice for companies looking to secure their data backups. Question #:13 Which of the following is an example of MAC model? A. Chinese Waterfall model B. Clark-Beason integrity model C. Access control matrix model D. Bell-LaPadula model Answer: D Explanation The Bell-LaPadula model is an example of a Mandatory Access Control (MAC) model. It is designed to maintain the confidentiality of information by enforcing access controls based on security classification levels. This model ensures that subjects (users) with a certain clearance level cannot read data at a higher classification level (no read-up) and cannot write data to a lower classification level (no write-down), thus preventing unauthorized access and information flow not permitted by the policy. References: The Bell-LaPadula model is a foundational concept in computer security, particularly within the context of government and military applications where data classification and confidentiality are paramount12. Question #:14 To provide optimum security while enabling safe/necessary services, blocking known dangerous services, and making employees accountable for their online activity, what Internet Access policy would Brian, the network administrator, have to choose? A. Prudent policy B. Paranoid policy C. Promiscuous policy D. Permissive policy Answer: A Pass with Authority Use Examout.co 8 of 223 Exam Preparation ECCouncil - 312-38 Explanation The Prudent policy is the most appropriate choice for Brian, the network administrator, to provide optimum security while enabling necessary services and blocking known dangerous ones. This policy strikes a balance between security and usability, allowing safe and necessary services to operate while preventing potentially harmful activities. It also includes measures to make employees accountable for their online activity, which is essential for maintaining a secure network environment. References: The EC-Council’s Certified Network Defender (CND) program emphasizes the importance of implementing a prudent Internet Access policy as part of a defense-in-depth security strategy. This approach is critical for protecting the network, data, and ensuring that the organization’s security policies are enforced effectively12. Question #:15 Which type of attack is used to hack an IoT device and direct large amounts of network traffic toward a web server, resulting in overloading the server with connections and preventing any new connections? A. XSS B. DDoS C. XCRF D. Sniffing Answer: B Explanation The type of attack that is used to hack an IoT device and direct large amounts of network traffic toward a web server, causing it to overload with connections and preventing any new connections, is known as a Distributed Denial of Service (DDoS) attack. In a DDoS attack, multiple compromised computer systems, which can include IoT devices, are used to target a single system causing a Denial of Service (DoS) attack. These attacks can overwhelm the target with a flood of internet traffic, which can lead to the server being unable to process legitimate requests, effectively taking it offline. References: The concept of DDoS attacks utilizing IoT devices to flood targets with traffic is well-documented in cybersecurity literature. Such attacks exploit the connectivity and processing power of IoT devices to launch large-scale assaults on web servers and other online services, leading to the overloading of these systems123. This aligns with the objectives and documents of the EC-Council’s Certified Network Defender (CND) program, which includes understanding and defending against such network security threats. Question #:16 The GMT enterprise is working on their internet and web usage policies. GMT would like to control internet bandwidth consumption by employees. Which group of policies would this belong to? Pass with Authority Use Examout.co 9 of 223 Exam Preparation ECCouncil - 312-38 A. Enterprise Information Security Policy B. System Specific Security Policy C. Network Services Specific Security Policy D. Issue Specific Security Policy Answer: C Explanation The control of internet bandwidth consumption by employees falls under the Network Services Specific Security Policy. This category of policy is designed to manage and secure the services that are provided over the network, which includes internet access and usage. It encompasses the rules and procedures that govern how network services, such as bandwidth, are allocated and used within an organization. By implementing such policies, GMT enterprise aims to ensure that the network’s bandwidth is utilized effectively and in alignment with the company’s operational requirements and objectives. References: The answer is derived from the understanding of network security policies as outlined in the Certified Network Defender (CND) course by EC-Council, which emphasizes the importance of specific policies for managing network services and resources. Question #:17 What can be the possible number of IP addresses that can be assigned to the hosts present in a subnet having 255.255.255.224 subnet mask? A. 62 B. 30 C. 14 D. 126 Answer: B Explanation A subnet with a mask of 255.255.255.224 (or /27 in CIDR notation) allows for 32 IP addresses in total. However, the first address is reserved for the network address, and the last is reserved for the broadcast address. This leaves 30 usable IP addresses for hosts within the subnet. References: This explanation is based on standard IP addressing rules and subnetting practices that are part of the foundational knowledge for network security and are covered in the EC-Council’s Certified Network Defender (CND) program. The subnetting concept is also supported by resources such as IP subnet calculators and networking cheat sheets12. Pass with Authority Use Examout.co 10 of 223 Exam Preparation ECCouncil - 312-38 Question #:18 Who is responsible for conveying company details after an incident? A. PR specialist B. IR officer C. IR manager D. IR custodians Answer: A Explanation In the context of incident response (IR), the PR specialist is typically responsible for conveying company details after an incident. Their role involves managing communications with the media, stakeholders, and the public to maintain the organization’s reputation. While IR officers, managers, and custodians play crucial roles in handling and responding to the incident itself, the PR specialist is the one who communicates with external parties about the incident. References: The information aligns with the responsibilities outlined for a PR specialist in incident response scenarios, as per the Certified Network Defender (CND) course by EC-Council12. Question #:19 Which of the following network security protocols protects from sniffing attacks by encrypting entire communication between the clients and server including user passwords? A. TACACS+ B. RADIUS C. CHAP D. PAP Answer: A Explanation TACACS+ (Terminal Access Controller Access-Control System Plus) is a network security protocol that provides centralized authentication for users who are attempting to gain access to the network. It is designed to protect against sniffing attacks by encrypting the entire packet, which includes both the authentication credentials and the subsequent communication after the credentials have been accepted. This encryption ensures that sensitive information such as user passwords is not transmitted in plain text where it could be intercepted by unauthorized individuals. Unlike RADIUS, which only encrypts the password, TACACS+ encrypts the entire authentication process, providing a higher level of security. References: The information provided here is based on my training data up to September 2021, which includes Pass with Authority Use Examout.co 11 of 223 Exam Preparation ECCouncil - 312-38 knowledge of network security protocols and their functionalities. For the most current and detailed explanations, please refer to the latest Network Defender (CND) documents and study guides from the EC-Council and other authoritative sources on network security. Question #:20 You are monitoring your network traffic with the Wireshark utility and noticed that your network is experiencing a large amount of traffic from a certain region. You suspect a DoS incident on the network. What will be your first reaction as a first responder? A. Avoid Fear, Uncertainty and Doubt B. Communicate the incident C. Make an initial assessment D. Disable Virus Protection Answer: C Explanation As a first responder to a suspected DoS incident, the initial reaction should be to make an initial assessment. This involves quickly evaluating the situation to understand the scope and impact of the incident. An initial assessment helps in determining whether the unusual traffic is indeed a DoS attack or a false positive. It also aids in deciding the next steps, such as whether to escalate the incident, what resources are required, and how to communicate the issue to relevant stakeholders. References: The approach aligns with best practices for incident response, which emphasize the importance of an initial assessment to understand the nature and extent of a security incident before proceeding with further actions123. Question #:21 What defines the maximum time period an organization is willing to lose data during a major IT outage event? A. BC B. RTO C. DR D. RPO Answer: D Explanation Pass with Authority Use Examout.co 12 of 223 Exam Preparation ECCouncil - 312-38 The term that defines the maximum time period an organization is willing to lose data during a major IT outage event is known as the Recovery Point Objective (RPO). RPO is a critical concept in business continuity and disaster recovery planning. It represents the maximum age of the files that an organization must recover from backup storage for normal operations to resume after a disaster. In other words, it’s the maximum amount of data loss an organization can tolerate. For instance, if an RPO is set to one hour, the system must be backed up at least every hour so that in case of a system failure, no more than one hour’s worth of data is lost. References: The explanation provided is based on standard definitions and practices within the field of IT disaster recovery, as outlined in resources like the EC-Council’s Certified Network Defender (CND) course and other industry-standard documentation on business continuity and disaster recovery planning. Question #:22 Peter works as a network administrator at an IT company. He wants to avoid exploitation of the cloud, particularly Azure services. Which of the following is a group of PowerShell scripts designed to help the network administrator understand how attacks happen and help them protect the cloud? A. MicroBurst B. POSH -Sysmon C. SecurityPolicyDsc D. Sysmon Answer: A Explanation MicroBurst is a collection of PowerShell scripts designed to help network administrators understand how attacks occur and to protect cloud environments, particularly Azure services. These scripts aid in detecting vulnerabilities, simulating attacks, and implementing defensive measures to secure the cloud infrastructure. POSH-Sysmon: A set of PowerShell scripts for managing Sysmon configurations. SecurityPolicyDsc: A module for managing security policies through Desired State Configuration (DSC). Sysmon: A Windows system service and device driver that logs system activity to the Windows event log, not specifically focused on cloud protection. References: EC-Council Certified Network Defender (CND) Study Guide Azure security documentation and MicroBurst resources Question #:23 Pass with Authority Use Examout.co 13 of 223 Exam Preparation ECCouncil - 312-38 Assume that you are working as a network defender at the head office of a bank. One day a bank employee informed you that she is unable to log in to her system. At the same time, you get a call from another network administrator informing you that there is a problem connecting to the main server. How will you prioritize these two incidents? A. Based on the type of response needed for the incident B. Based on a potential technical effect of the incident C. Based on a first come first served basis D. Based on approval from management Answer: B Explanation Prioritizing incidents based on their potential technical effect ensures that the most critical issues are addressed first, minimizing the impact on the organization's operations. In this scenario: An inability to connect to the main server could indicate a network-wide issue that affects many users and services, potentially disrupting key operations. A single employee unable to log in, while important, is typically less critical compared to a network-wide server issue. By assessing the potential technical effect, Byron can determine that resolving the main server connectivity issue should take precedence over the individual login problem. This approach helps maintain the overall health and functionality of the network. References: EC-Council Certified Network Defender (CND) Study Guide Incident Management Best Practices Question #:24 Which encryption algorithm h used by WPA5 encryption? A. RC4.TKIP B. RC4 C. AES-GCMP 256 D. AES-CCMP Answer: C Pass with Authority Use Examout.co 14 of 223 Exam Preparation ECCouncil - 312-38 Explanation WPA5 is not a standard term used in the industry, and there seems to be a confusion or typo in the question. However, based on the context of Wi-Fi security and encryption, the closest relevant standard is WPA3, which uses AES-GCMP 256 as its encryption algorithm. WPA3 is the successor to WPA2 and provides enhanced security features. It uses the Advanced Encryption Standard (AES) with Galois/Counter Mode Protocol (GCMP) 256-bit encryption, which offers a higher level of security than the previous encryption methods used in WPA2, such as AES-CCMP. AES-GCMP 256 provides robust protection against various attacks and is designed to work efficiently on a wide range of devices, including those with limited processing capabilities. References: The information provided is based on the current understanding of Wi-Fi security protocols, specifically the WPA3 standard, which is known to use AES-GCMP 256-bit encryption123. Question #:25 Management asked Adam to implement a system allowing employees to use the same credentials to access multiple applications. Adam should implement the--------------------------authentication technique to satisfy the management request. A. Two-factor Authentication B. Smart Card Authentication C. Single-sign-on D. Biometric Answer: C Explanation Single-sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. This is particularly useful in an environment where employees need to access a variety of systems and applications, as it simplifies the user experience and reduces the need for multiple passwords. SSO is designed to alleviate the administrative burden of managing multiple sets of credentials and to improve security by reducing the likelihood of password fatigue, which can lead to weak password practices. References: The concept of SSO is covered in the Certified Network Defender (CND) course, which includes understanding various types of authentication methods. SSO is mentioned as a type of authentication that allows users to be authenticated once and gain access to multiple systems without being prompted to log in again for each system1. Question #:26 Byron, a new network administrator at FBI, would like to ensure that Windows PCs there are up-to-date and have less internal security flaws. What can he do? A. Install antivirus software and turn off unnecessary services Pass with Authority Use Examout.co 15 of 223 Exam Preparation ECCouncil - 312-38 B. Centrally assign Windows PC group policies C. Download and install latest patches and enable Windows Automatic Updates D. Dedicate a partition on HDD and format the disk using NTFS Answer: C Explanation To ensure that Windows PCs are up-to-date and have fewer internal security flaws, Byron should focus on regularly applying the latest security patches and updates. This can be achieved by: Downloading and installing the latest patches: Ensures that any vulnerabilities identified in the operating system and applications are fixed promptly. Enabling Windows Automatic Updates: Automates the process of checking for and installing updates, ensuring that PCs are always protected with the most current security measures. Regularly updating the system helps in closing security loopholes that could be exploited by attackers. Antivirus software and turning off unnecessary services (Option A) are also important, but they do not address the critical need for regular patching. Centrally assigning group policies (Option B) is useful for managing security settings but does not directly address updating and patching. Dedicating a partition and formatting with NTFS (Option D) is unrelated to keeping systems up-to-date. References: EC-Council Certified Network Defender (CND) Study Guide Microsoft Windows Update Documentation Question #:27 During the recovery process, RTO and RPO should be the main parameters of your disaster recovery plan. What does RPO refer to? A. The hot plugging technique used to replace computer components B. The interval after which the data quality is lost C. The encryption feature, acting as add-on security to the data D. The duration required to restore the data Answer: B Explanation Pass with Authority Use Examout.co 16 of 223 Exam Preparation ECCouncil - 312-38 Recovery Point Objective (RPO) refers to the maximum tolerable period in which data might be lost from an IT service due to a major incident. It is a critical parameter in disaster recovery and business continuity planning. RPO is determined based on the acceptable data loss in case of a disruption of operations. It indicates the point in time to which data must be recovered after an outage to resume business operations and avoid unacceptable consequences associated with a break in business continuity. References: EC-Council’s Certified Network Defender (CND) training materials. Business Continuity and Disaster Recovery Planning definitions and best practices as outlined in the CND curriculum1. Question #:28 James is a network administrator working at a student loan company in Minnesota. This company processes over 20,000 student loans a year from colleges all over the state. Most communication between the company schools, and lenders is carried out through emails. Much of the email communication used at his company contains sensitive information such as social security numbers. For this reason, James wants to utilize email encryption. Since a server-based PKI is not an option for him, he is looking for a low/no cost solution to encrypt emails. What should James use? A. James could use PGP as a free option for encrypting the company's emails. B. James should utilize the free OTP software package. C. James can use MD5 algorithm to encrypt all the emails D. James can enforce mandatory HTTPS in the email clients to encrypt emails Answer: A Explanation James should opt for PGP (Pretty Good Privacy) as it is a widely recognized method for encrypting emails. PGP provides a cost-effective solution for securing email communication, which is essential for the sensitive information handled by his company. It uses a combination of data compression, symmetric-key cryptography, and public key cryptography to secure emails. Each user has a pair of keys: a public key that is shared with others to encrypt emails to the user, and a private key that is kept secret by the user to decrypt emails they receive. This method ensures that even if the email is intercepted, without the corresponding private key, the contents remain unreadable. References: The choice of PGP is supported by its longstanding reputation for providing secure email communication. It is designed to be used in scenarios where secure communication is necessary, and it’s a practical option for James since it doesn’t require a server-based PKI system. The other options listed do not provide the same level of security for email encryption. OTP (One-Time Password) systems are not typically used for email encryption, MD5 is a hashing algorithm Pass with Authority Use Examout.co 17 of 223 Exam Preparation ECCouncil - 312-38 Question #:29 Assume that you are a network administrator and the company has asked you to draft an Acceptable Use Policy (AUP) for employees. Under which category of an information security policy does AUP fall into? A. System Specific Security Policy (SSSP) B. Incident Response Policy (IRP) C. Enterprise Information Security Policy (EISP) D. Issue Specific Security Policy (ISSP) Answer: D Explanation An Acceptable Use Policy (AUP) is a type of Issue Specific Security Policy (ISSP) that outlines the constraints and practices that users must agree to in order to access the corporate network, endpoints, applications, and the internet. It is designed to provide guidelines for the appropriate use of an organization’s IT resources, including employee conduct, data usage, system access privileges, and the handling of confidential information. The AUP is a crucial part of the security policy framework as it directly addresses specific issues related to the acceptable use of IT resources by employees. References: The categorization of AUP as an ISSP is consistent with standard information security policy frameworks and best practices123. Question #:30 According to standard loT security practice, loT Gateway should be connected to a ------------- A. Border router B. Secure router C. Pouter that is connected to internal servers D. Router that is connected to other subnets Answer: A Explanation According to standard IoT security practices, an IoT Gateway should be connected to a border router. This setup is recommended because a border router acts as a gateway between different networks, managing the traffic between these networks and the internet. It provides an additional layer of security, ensuring that the IoT devices and the internal network are protected from external threats. The border router can implement security measures such as firewalls, intrusion detection systems, and data encryption to safeguard the IoT ecosystem. Pass with Authority Use Examout.co 18 of 223 Exam Preparation ECCouncil - 312-38 References: The standard practice of connecting an IoT Gateway to a border router is supported by security guidelines that emphasize the importance of segregating IoT devices from internal networks to prevent potential cyber threats from spreading across networks123. Question #:31 Eric is receiving complaints from employees that their systems are very slow and experiencing odd issues including restarting automatically and frequent system hangs. Upon investigating, he is convinced the systems are infected with a virus that forces systems to shut down automatically after period of time. What type of security incident are the employees a victim of? A. Scans and probes B. Malicious Code C. Denial of service D. Distributed denial of service Answer: B Explanation The symptoms described by the employees, such as systems being very slow, restarting automatically, and experiencing frequent hangs, are indicative of a security incident involving malicious code. Malicious code refers to software or scripts designed to cause harm to a computer system, network, or server. In this case, the virus that forces systems to shut down automatically after a period of time is a type of malicious code. It disrupts the normal functioning of the system, leading to decreased performance and unexpected behavior. References: The classification of this type of security incident aligns with the Certified Network Defender (CND) curriculum, which includes understanding and identifying various types of security threats, including those caused by viruses and other forms of malicious code12. The CND program emphasizes the importance of recognizing the signs of malware infection, which can include system slowdowns, crashes, and other erratic behaviors that impact system availability and performance1. Question #:32 As a network administrator, you have implemented WPA2 encryption in your corporate wireless network. The WPA2's _________integrity check mechanism provides security against a replay attack A. CRC-32 B. CRC-MAC C. CBC-MAC D. CBC-32 Pass with Authority Use Examout.co 19 of 223 Exam Preparation ECCouncil - 312-38 Answer: C Explanation The integrity check mechanism used by WPA2 to provide security against replay attacks is the Cipher Block Chaining Message Authentication Code (CBC-MAC). This mechanism is part of the protocol suite that ensures data integrity and authenticity by using a combination of cipher block chaining (CBC) and message authentication code (MAC) to produce a secure and unique code for each data packet. References: This information is consistent with the security protocols outlined in WPA2 standards, which specify the use of CBC-MAC for integrity checks12. Question #:33 John, the network administrator and he wants to enable the NetFlow feature in Cisco routers to collect and monitor the IP network traffic passing through the router. Which command will John use to enable NetFlow on an interface? A. Router(Config-if) # IP route - cache flow B. Router# Netmon enable C. Router IP route D. Router# netflow enable Answer: A Explanation To enable NetFlow on a Cisco router interface, the correct command is ip route-cache flow, which is entered in interface configuration mode. This command enables NetFlow switching on the specified interface. NetFlow is a feature that captures IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things like the source and destination of traffic, class of service, and the causes of congestion1. References: The information provided aligns with the Cisco documentation for configuring NetFlow on Cisco routers, which specifies the command to enable NetFlow on an interface1. Question #:34 Identify the attack signature analysis technique carried out when attack signatures are contained in packet headers. A. Atomic signature-based analysis B. Context-based signature analysis Pass with Authority Use Examout.co 20 of 223 Exam Preparation ECCouncil - 312-38 C. Composite signature-based analysis D. Content-based signature analysis Answer: A Explanation Atomic signature-based analysis is a technique that examines individual packets for attack signatures contained in packet headers. This method focuses on specific, identifiable patterns or anomalies within single packets that may indicate malicious activity. Since the attack signatures are within the packet headers, the analysis does not need to consider the broader context of multiple packets or sessions, making it an atomic-level inspection. References: EC-Council Certified Network Defender (CND) Study Guide Intrusion Detection System (IDS) and attack signature analysis documentation Question #:35 Blake is working on the company's updated disaster and business continuity plan. The last section of the plan covers computer and data incidence response. Blake is outlining the level of severity for each type of incident in the plan. Unsuccessful scans and probes are at what severity level? A. Extreme severity level B. Low severity level C. Mid severity level D. High severity level Answer: B Explanation In the context of incident response, unsuccessful scans and probes are typically considered a low severity level. This is because they often indicate an attempted reconnaissance rather than a successful breach or compromise. These activities are usually automated and widespread, affecting many networks, not just the targeted one. They are often the preliminary steps of an attack, trying to find vulnerabilities but not yet exploiting them. Therefore, while they should be monitored and logged, they do not usually signify an immediate threat to the network’s integrity or the confidentiality of the data. References: The EC-Council’s Certified Network Defender (C|ND) program emphasizes a defense-in-depth security strategy, which includes continuous threat monitoring and incident response. The program outlines that not all incidents require the same level of response, and categorizing the severity of incidents is crucial for Pass with Authority Use Examout.co 21 of 223 Exam Preparation ECCouncil - 312-38 effective prioritization and resource allocation1. Question #:36 Liza was told by her network administrator that they will be implementing IPsec VPN tunnels to connect the branch locations to the main office. What layer of the OSI model do IPsec tunnels function on? A. The data link layer B. The session layer C. The network layer D. The application and physical layers Answer: C Explanation IPsec VPN tunnels function at the network layer of the OSI model. This layer is responsible for the logical transmission of data across a network and includes routing through different network paths. IPsec enhances the security at this layer by providing features such as data integrity, encryption, and authentication. These features are crucial for establishing a secure and encrypted connection across the internet, which is essential for VPN tunnels that connect different network segments, such as branch locations to a main office. References: The role of IPsec at the network layer is well-established in network security literature and is consistent with the Certified Network Defender (CND) program’s teachings on secure network architecture12. The network layer’s involvement in routing and data transmission makes it the appropriate layer for IPsec’s operation, aligning with the CND’s emphasis on understanding and implementing network security protocols34. Question #:37 Which IEEE standard does wireless network use? A. 802.11 B. 802.18 C. 802.9 D. 802.10 Answer: A Explanation The IEEE 802.11 standard is the set of protocols that defines the implementation of wireless local area network (WLAN) communication in the medium access control (MAC) and physical layer (PHY) Pass with Authority Use Examout.co 22 of 223 Exam Preparation ECCouncil - 312-38 specifications. It is the foundational standard for wireless networking technologies, commonly known as Wi-Fi. This standard allows for wireless communication between devices by establishing common frequencies and methods of data transmission. References: The information aligns with the IEEE 802.11-2020 standard, which specifies technical corrections, clarifications, and enhancements to the existing MAC and PHY functions for WLANs1. Additional details about the IEEE 802 wireless standards can be found in resources provided by the IEEE Standards Association and other technical documentation23. Question #:38 Identity the correct order for a successful black hat operation. A. Reconnaissance. Scanning, Gaining Access. Maintaining Access, and Covering Tracks B. Scanning, Reconnaissance, Gaining Access. Maintaining Access and Covering Tracks C. Reconnaissance. Gaming Access, Scanning. Maintaining Access, and Covering Tracks D. Reconnaissance, Scanning, Gaining Access, Covering Tracks, and Maintaining Access Answer: B Explanation The correct sequence for a black hat operation follows a structured approach that begins with Reconnaissance , where the attacker gathers preliminary data or intelligence on the target. Next is Scanning, where the attacker uses technical tools to understand the network and system vulnerabilities. Gaining Access is the phase where the vulnerabilities are exploited to enter the system or network. Maintaining Access involves establishing a persistent presence within the system, often for data exfiltration or additional exploitation. Finally, Covering Tracks is the phase where the attacker erases evidence of the intrusion to avoid detection. References: This answer aligns with the objectives and documents of the EC-Council’s Certified Network Defender (CND) program, which outlines the phases of cyber attacks in the context of network security and defense strategies. Question #:39 An enterprise recently moved to a new office and the new neighborhood is a little risky. The CEO wants to monitor the physical perimeter and the entrance doors 24 hours. What is the best option to do this job? A. Install a CCTV with cameras pointing to the entrance doors and the street B. Use fences in the entrance doors C. Use lights in all the entrance doors and along the company's perimeter D. Use an IDS in the entrance doors and install some of them near the corners Answer: A Explanation Pass with Authority Use Examout.co 23 of 223 Exam Preparation ECCouncil - 312-38 The best option for 24-hour monitoring of the physical perimeter and entrance doors is to install a CCTV system. CCTV cameras serve as both a deterrent to unauthorized entry and a means of surveillance to monitor activities. They can be positioned to cover the entrance doors and the street, providing a broad view of the area that needs to be secured. This aligns with the principles of intrusion detection and prevention, which include deterrence through visible security measures like cameras, and detection through continuous monitoring. References: The information aligns with the core principles of intrusion detection systems, which include deterrence and detection, as outlined in the resources related to Physical Intrusion Detection Systems (PIDS) and Certified Network Defender (CND) training materials12. Question #:40 Your company is planning to use an uninterruptible power supply (UPS) to avoid damage from power fluctuations. As a network administrator, you need to suggest an appropriate UPS solution suitable for specific resources or conditions. Match the type of UPS with the use and advantage: A. 1-v,2-iv,3-iii,4-i B. 1-v,2-iii,3-i,4-ii C. 1-iii,2-iv,3-v,4-iv D. 1-i,2-iv,3-ii,4-v Answer: A Explanation To provide an accurate answer, I would need to know the specific types of UPS and their corresponding uses and advantages as they relate to the options provided (i.e., 1-v, 2-iv, etc.). However, based on general knowledge, the three main types of UPS systems are: Standby UPS (Offline UPS): Provides basic protection and is suitable for less critical equipment or environments with fewer power fluctuations. Line-Interactive UPS: Offers a moderate level of protection with the ability to correct minor power fluctuations without switching to battery, making it suitable for business environments. Online UPS (Double Conversion UPS): Delivers the highest level of protection by continuously converting incoming AC power to DC and back to AC, ensuring a consistent and clean power supply suitable for critical and sensitive equipment. Without the specific context or details provided in the question, it’s challenging to match these types to the given options accurately. Typically, the selection of a UPS type would depend on the criticality of the systems it’s protecting, the environment, and the budget available. References: The general descriptions of the UPS types are based on industry-standard practices and can be found in various educational resources on UPS systems123. Pass with Authority Use Examout.co 24 of 223 Exam Preparation ECCouncil - 312-38 Question #:41 John, a network administrator, is configuring Amazon EC2 cloud service for his organization. Identify the type of cloud service modules his organization adopted. A. Software-as-a-Service (SaaS) B. Infrastructure-as-a-Service (IaaS) C. Platform-as-a-Service (PaaS) D. Storage-as-a-Service (SaaS) Answer: B Explanation Amazon EC2 (Elastic Compute Cloud) is a web service that provides resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers. EC2’s simple web service interface allows you to obtain and configure capacity with minimal friction. It provides you with complete control of your computing resources and lets you run on Amazon’s proven computing environment. Amazon EC2 reduces the time required to obtain and boot new server instances to minutes, allowing you to quickly scale capacity, both up and down, as your computing requirements change. Hence, Amazon EC2 is an example of Infrastructure-as-a-Service (IaaS), which provides virtualized computing resources over the internet. References: The classification of Amazon EC2 as an IaaS is based on its characteristics and functionalities as described in the official AWS documentation Question #:42 Which encryption algorithm does S/MIME protocol implement for digital signatures in emails? A. Rivest-Shamir-Adleman encryption B. Digital Encryption Standard C. Triple Data Encryption Standard D. Advanced Encryption Standard Answer: A Explanation S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol implements the Rivest-Shamir-Adleman (RSA) encryption algorithm for digital signatures in emails. Digital signatures are a key component of S/MIME, providing authentication, message integrity, and non-repudiation. RSA is a widely used public-key cryptosystem that facilitates secure data transmission and is known for its role in digital signatures. It works on the principle of asymmetric cryptography, where a pair of keys is used: a public key, which is shared openly, Pass with Authority Use Examout.co 25 of 223 Exam Preparation ECCouncil - 312-38 and a private key, which is kept secret by the owner. In the context of S/MIME, the sender’s email client uses the sender’s private key to create a digital signature, and the recipient’s email client uses the sender’s public key to verify the signature. References: The information provided is based on the S/MIME protocol’s use of RSA encryption for digital signatures, as detailed in industry-standard documentation and resources like Microsoft Learn1 and the S/MIME Wikipedia page2. Question #:43 Sophie has been working as a Windows network administrator at an MNC over the past 7 years. She wants to check whether SMB1 is enabled or disabled. Which of the following command allows Sophie to do so? A. Get-WindowsOptionalFeatures -Online -FeatureNames SMB1Protocol B. Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol C. Get-WindowsOptionalFeature -Online -FeatureNames SMB1Protocol D. Get-WindowsOptionalFeatures -Online -FeatureName SMB1Protocol Answer: B Explanation To check if SMB1 is enabled or disabled, the correct PowerShell command is Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol. This command queries the status of the SMB1Protocol feature in the running instance of Windows. If SMB1 is enabled, the command will return its status as ‘Enabled’, and if it is disabled, it will return ‘Disabled’. References: The correct syntax for the command is documented in various official Windows resources, including Microsoft’s own documentation on managing SMB protocols1. It is also aligned with the objectives of the EC-Council’s Certified Network Defender (CND) program, which includes knowledge of managing Windows network protocols and features. Question #:44 Patrick wants to change the file permission of a file with permission value 755 to 744. He used a Linux command chmod [permission Value] [File Name] to make these changes. What will be the change in the file access? A. He changed the file permission from rwxr-xr-x to rwx-r--r-- B. He changes the file permission from rwxr-xr-x to rw-rw-rw- C. He changed the file permission from rw------- to rw-r--r-- Pass with Authority Use Examout.co 26 of 223 Exam Preparation ECCouncil - 312-38 D. He changed the file permission from rwxrwxrwx to rwx------ Answer: A Explanation In Linux file permissions, the numerical value 755 represents the permissions rwxr-xr-x, where ‘r’ stands for read, ‘w’ for write, and ‘x’ for execute. The first digit ‘7’ corresponds to the file owner’s permissions, allowing read, write, and execute. The second and third digits ‘5’ and ‘5’ correspond to the group and others’ permissions, allowing read and execute. Changing the permission to 744 changes the group and others’ permissions to read only (r–), removing the execute permission. References: This explanation is based on standard Linux permission conventions and the use of the chmod command to change file permissions1. Question #:45 Sam wants to implement a network-based IDS in the network. Sam finds out the one IDS solution which works is based on patterns matching. Which type of network-based IDS is Sam implementing? A. Behavior-based IDS B. Anomaly-based IDS C. Stateful protocol analysis D. Signature-based IDS Answer: D Explanation Sam is implementing a Signature-based Intrusion Detection System (IDS). This type of IDS uses predefined patterns of traffic, known as signatures, to identify and flag potential security threats. These signatures are based on known attack patterns and anomalies that have been identified from past incidents. When network traffic matches a signature within the IDS, an alert is generated, indicating a possible security event or breach. Signature-based IDS is effective in detecting known threats but may not be as effective in identifying new, previously unknown attacks. References: The information aligns with the Certified Network Defender (CND) objectives and documents, which describe the role and function of signature-based IDS within network security. The CND training materials emphasize the importance of understanding various IDS types, including signature-based systems, which are critical for detecting known threats and maintaining network security1. Question #:46 David, a network and system admin, encrypted all the files in a Windows system that supports NTFS file system using Encrypted File Systems (EFS). He then backed up the same files into another Windows Pass with Authority Use Examout.co 27 of 223 Exam Preparation ECCouncil - 312-38 system that supports FAT file system. Later, he found that the backup files were not encrypted. What could be the reason for this? A. EFS could only encrypt the files that follow NTFS B. FAT files cannot be encrypted C. EFS is not the encryption system used in Windows D. Copied files loses their encryption Answer: A Explanation The Encrypting File System (EFS) is a feature of the NTFS file system that provides encryption at the file system level. It is designed to work specifically with NTFS and does not support the FAT file system. When files encrypted with EFS are copied or backed up to a volume that uses the FAT file system, the encryption is lost because FAT does not support EFS encryption. This is why David found that the backup files were not encrypted after transferring them to a system that supports the FAT file system. References: The explanation is based on the operational characteristics of EFS and its compatibility with different file systems as described in the Certified Network Defender (CND) course materials and further supported by information from reliable sources on EFS and file system encryption1234. Question #:47 Steven is a Linux system administrator at an IT company. He wants to disable unnecessary services in the system, which can be exploited by the attackers. Which among the following is the correct syntax for disabling a service? A. $ sudo system-ctl disable [service] B. $ sudo systemctl disable [service] C. $ sudo system.ctl disable [service] D. $ sudo system ctl disable [service] Answer: B Explanation The correct syntax to disable a service in Linux using the systemctl command is sudo systemctl disable [service-name]. This command is used to prevent a service from starting automatically at boot. The systemctl command is part of the systemd system and service manager, which is used by many Linux distributions to bootstrap the user space and manage system processes after booting. This is the standard way to manage services on systems that use systemd. Pass with Authority Use Examout.co 28 of 223 Exam Preparation ECCouncil - 312-38 References: The information is consistent with the usage of the systemctl command as described in various Linux documentation and resources, including the official ECCouncil Network Defender (CND) course materials. It is also corroborated by authoritative sources on Linux service management12. Question #:48 ------------is a group of broadband wireless communications standards for Metropolitan Area Networks (MANs) A. 802.15 B. 802.16 C. 802.15.4 D. 802.12 Answer: B Explanation The IEEE 802.16 is a series of wireless broadband standards, also known as WirelessMAN, that are designed for Metropolitan Area Networks (MANs). This standard specifies the air interface, including the medium access control layer (MAC) and physical layer (PHY), of combined fixed and mobile point-to-multipoint broadband wireless access systems. It supports multiple services and enables the deployment of interoperable multivendor broadband wireless access products. References: The information is based on the IEEE Standard for Local and metropolitan area networks Part 16: Air Interface for Broadband Wireless Access Systems, which is detailed in the IEEE 802.16-2009 document1. Additionally, the Wikipedia page for IEEE 802.16 provides an overview of the standard’s purpose for broadband wireless metropolitan area networks2. Question #:49 Martin is a professional hacker. He is performing reconnaissance on an organization to hack a few target systems. As a part of this method, he needs to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls, etc. To obtain such information, Martin decided to use automated tools. Which of the following tool must be employed by Martin? A. Burp Suite B. FOCA C. Nmap Pass with Authority Use Examout.co 29 of 223 Exam Preparation ECCouncil - 312-38 D. Zendio Answer: C Explanation Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network, thus building a “map” of the network. It is designed to scan large networks rapidly, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It is highly flexible, allowing for a wide range of advanced techniques, such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Therefore, for the reconnaissance purposes described in the question, Nmap is the appropriate tool for Martin to employ. References: The information about Nmap and its capabilities aligns with the objectives and documents of the EC-Council’s Certified Network Defender (CND) course, which includes understanding and utilizing various network security tools and techniques for defense, including reconnaissance and scanning tools like Nmap12. Question #:50 On which layer of the OSI model does the packet filtering firewalls work? A. Network Layer B. Application Layer C. Session Layer D. Physical Layer Answer: A Explanation Packet filtering firewalls operate at the Network Layer of the OSI model. This layer is responsible for the transmission of data packets across network boundaries, which is a fundamental function of packet filtering firewalls. They analyze incoming and outgoing packets and make decisions based on set rules, such as IP addresses, protocols, and ports, to allow or block traffic. This is crucial for protecting the network from unauthorized access and potential threats. References: The information aligns with standard networking principles and the functionalities of packet filtering firewalls as they are commonly understood in the field of network security123. Question #:51 Stephanie is currently setting up email security so all company data is secured when passed through email. Stephanie first sets up encryption to make sure that a specific user's email is protected. Next, she needs to Pass with Authority Use Examout.co 30 of 223 Exam Preparation ECCouncil - 312-38 ensure that the incoming and the outgoing mail has not been modified or altered using digital signatures. What is Stephanie working on? A. Usability B. Data Integrity C. Availability D. Confidentiality Answer: B Explanation Stephanie is working on ensuring Data Integrity, which is a critical aspect of information security. It involves maintaining and assuring the accuracy and consistency of data over its entire lifecycle. By setting up digital signatures, Stephanie ensures that the data, in this case, the email content, has not been altered or tampered with during transit. This process provides a means to verify the origin of the message and confirms that the message received is the same as the message sent, thereby safeguarding the integrity of the data. References: The EC-Council’s Certified Network Defender (CND) program covers key topics related to data security, including data encryption at rest and in transit, data masking, data backup, data retention, data destruction, data loss prevention (DLP), and specifically, data integrity12. Question #:52 Which of the information below can be gained through network sniffing? (Select all that apply) A. Telnet Passwords B. Syslog traffic C. DNS traffic D. Programming errors Answer: A B C Explanation Network sniffing is a technique used to capture and analyze packets traveling across a network. Through network sniffing, one can potentially gain access to a variety of sensitive information, depending on the protocols being used and the security measures in place. Telnet Passwords (A): Telnet is an older protocol that transmits data, including login credentials, in clear text. This makes Telnet passwords particularly vulnerable to network sniffing1. Syslog Traffic (B): Syslog is a standard for message logging. If not properly secured, syslog traffic can be intercepted, revealing system messages and metadata about network activities1. Pass with Authority Use Examout.co 31 of 223 Exam Preparation ECCouncil - 312-38 DNS Traffic ©: DNS traffic includes queries and responses that can be captured to reveal which domains are being requested by users on the network. This can provide insights into user behavior and network structure1. Programming Errors (D): While network sniffing can capture packets that may contain the results of programming errors, such as error messages or malformed packets, it does not directly reveal the programming errors themselves. Sniffing tools capture the traffic but do not analyze the code within the applications generating that traffic. References: The information has been verified from the EC-Council’s resources on network sniffing and network defense strategies, which discuss the types of data that can be captured through sniffing and the implications for network security123. Question #:53 Daniel is monitoring network traffic with the help of a network monitoring tool to detect any abnormalities. What type of network security approach is Daniel adopting? A. Preventative B. Reactive C. Retrospective D. Defense-in-depth Answer: B Explanation Daniel is adopting a Reactive network security approach. This approach involves monitoring network traffic to detect any abnormalities or intrusions as they occur. The goal of reactive security is to identify and respond to threats in real-time. It is a part of the broader defense strategy that includes Protect, Detect, Respond, and Predict, where ‘Detect’ aligns with the reactive approach. By using network monitoring tools, Daniel is able to observe the network for any signs of compromise or unusual activity and then take appropriate action to mitigate the threat. References: The Certified Network Defender (CND) program by EC-Council emphasizes the importance of a continual/adaptive security strategy, which includes the ability to detect ongoing threats as a critical component of network defense12. This strategy is further detailed in the CND course outline, which covers key topics such as network traffic monitoring and analysis, indicating the reactive nature of such activities1. Question #:54 Which of the Windows security component is responsible for controlling access of a user to Windows resources? A. Network Logon Service (Netlogon) Pass with Authority Use Examout.co 32 of 223 Exam Preparation ECCouncil - 312-38 B. Security Accounts Manager (SAM) C. Security Reference Monitor (SRM) D. Local Security Authority Subsystem (LSASS) Answer: C Explanation The Security Reference Monitor (SRM) is the core component in Windows operating systems responsible for controlling access to resources. It enforces security policies and checks whether a user’s request to access a resource is allowed by the system’s security policy. SRM operates in the kernel mode and ensures that access rights and permissions are properly enforced, making it a critical part of the Windows security architecture for resource access control. References: The role of SRM in Windows security is well-documented and aligns with the information provided in Microsoft’s official documentation and security model, which describes SRM as the component that enforces access controls and security policies within the system12. Question #:55 Frank is a network technician working for a medium-sized law firm in Memphis. Frank and two other IT employees take care of all the technical needs for the firm. The firm's partners have asked that a secure wireless network be implemented in the office so employees can move about freely without being tied to a network cable. While Frank and his colleagues are familiar with wired Ethernet technologies, 802.3, they are not familiar with how to setup wireless in a business environment. What IEEE standard should Frank and the other IT employees follow to become familiar with wireless? A. The IEEE standard covering wireless is 802.9 and they should follow this. B. 802.7 covers wireless standards and should be followed C. They should follow the 802.11 standard D. Frank and the other IT employees should follow the 802.1 standard. Answer: C Explanation The correct IEEE standard for wireless networking in a business environment is 802.11. This series of standards defines the protocols for implementing wireless local area network (WLAN) communications in Pass with Authority Use Examout.co 33 of 223 Exam Preparation ECCouncil - 312-38 various frequencies, including 2.4, 5, and 60 GHz bands. The 802.11 standards are widely used worldwide and form the basis of wireless network products that are marketed under the Wi-Fi brand. Frank and his colleagues should familiarize themselves with the 802.11 standards to set up a secure wireless network for their firm. References: The information is based on the IEEE 802.11 series of standards, which are the foundation for Wi-Fi wireless networks. These standards have been developed to ensure interoperability between wireless devices and to provide a secure and reliable means of communication12. Question #:56 Which type of antenna is based on the principle of a satellite dish and can pick up Wi-Fi signals from a distance of ten miles of more? A. Yagi antenna B. Directional antenna C. Omnidirectional antenna D. Parabolic Grid antenna Answer: D Explanation The Parabolic Grid antenna is designed based on the principle of a satellite dish. This type of antenna can focus the radio waves onto a particular direction and is capable of picking up Wi-Fi signals from very long distances, often ten miles or more, depending on the specific design and conditions. It is highly directional and has a narrow focus, making it ideal for point-to-point communication in long-range Wi-Fi networks. References: The EC-Council’s Certified Network Defender (CND) course materials include information on various types of antennas and their uses in network defense. The Parabolic Grid antenna is mentioned as a type of antenna that can pick up signals from a great distance, which aligns with the principles of satellite dishes as described in the CND study guide1. Question #:57 What is the IT security team responsible for effectively managing the security of the organization’s IT infrastructure, called? A. Grey Team B. Red Team C. Blue Team D. Yellow Team Answer: C Pass with Authority Use Examout.co 34 of 223 Exam Preparation ECCouncil - 312-38 Explanation In the context of cybersecurity, the Blue Team refers to the group responsible for defending an organization’s IT infrastructure. This team’s primary focus is on internal security measures, maintaining defensive protocols, and ensuring that the organization’s systems and data are protected against cyber threats. They are tasked with the effective management of security controls, incident response, and the overall maintenance of the organization’s cybersecurity posture. References: The Certified Network Defender (CND) course by EC-Council includes modules that cover network security controls, protocols, perimeter appliances, secure IDS, VPN, and firewall configuration, which are all relevant to the functions of a Blue Team. The CND curriculum also emphasizes the importance of understanding and responding to cyber threats, which aligns with the Blue Team’s role in an organization’s IT security framework. Question #:58 Jason has set a firewall policy that allows only a specific list of network services and denies everything else. This strategy is known as a ____________. A. Default allow B. Default access C. Default accept D. Default deny Answer: D Explanation The strategy described is known as a “default deny” firewall policy. This approach means that the firewall is configured to deny all traffic by default, except for the network services that are explicitly allowed. It is a restrictive security stance where only specified services are permitted, and everything else is blocked. This is considered a best practice in firewall configuration because it minimizes the attack surface by ensuring that only necessary services are accessible, thereby reducing the potential vectors for attack. References: The concept of a default deny policy is a fundamental principle in network security and is advocated by various cybersecurity authorities, including the EC-Council’s Certified Network Defender (CND) program. It is also detailed in cybersecurity literature and aligns with best practices from organizations such as the National Institute of Standards and Technology (NIST)123. Question #:59 An US-based organization decided to implement a RAID storage technology for their data backup plan. John Pass with Authority Use Examout.co 35 of 223 Exam Preparation ECCouncil - 312-38 wants to setup a RAID level that require a minimum of six drives but will meet high fault tolerance and with a high speed for the data read and write operations. What RAID level is John considering to meet this requirement? A. RAID level 1 B. RAID level 10 C. RAID level 5 D. RAID level 50 Answer: D Explanation RAID level 50, also known as RAID 5+0, combines the features of RAID 5 and RAID 0. It requires a minimum of six drives and offers high fault tolerance and high speed for data read and write operations. RAID 50 arrays are created by striping data across RAID 5 arrays, which are themselves striped sets with distributed parity. This configuration provides both the speed of RAID 0 and the redundancy of RAID 51. References: The TechTarget article on “RAID 50: How to select the right RAID level” explains that RAID 50 is suitable for applications that require high reliability and can handle high request rates and high data transfer, with a lower cost of disks than RAID 101. The DNSChecker RAID Calculator mentions that RAID 50 requires a minimum of six disks2. Question #:60 Which wireless networking topology setup requires same channel name and SSID? A. Ad-Hoc standalone network architecture B. Infrastructure network topology C. Hybrid topology D. Mesh topology Answer: B Explanation In an infrastructure network topology, all wireless devices communicate through an access point/base station. The access point serves as the central transmitter and receiver of wireless radio signals. Mainstream wireless Pass with Authority Use Examout.co 36 of 223 Exam Preparation ECCouncil - 312-38 APs support the configuration of the same channel name (frequency) and SSID (Service Set Identifier) to facilitate seamless communication between devices. This setup is essential for devices to identify and connect to the correct network, especially in environments where multiple networks may overlap. References: The information aligns with standard networking practices and the objectives of the EC-Council’s Certified Network Defender (CND) program, which emphasizes understanding and implementing network security controls and protocols. Question #:61 James, a network admin in a large US based IT firm, was asked to audit and implement security controls over all network layers to achieve Defense-in-Depth. While working on this assignment, James has implemented both blacklisting and whitelisting ACLs. Which layer of defense-in-depth architecture is Jason working on currently? A. Application Layer B. Host Layer C. Internal Network Layer D. Perimeter Layer Answer: D Explanation James is working on the Perimeter Layer of the Defense-in-Depth architecture. This layer is responsible for protecting the network’s boundaries from unauthorized access and attacks. The implementation of blacklisting and whitelisting Access Control Lists (ACLs) is a common practice at this layer. Blacklisting ACLs block known malicious entities, while whitelisting ACLs allow only approved entities to access the network. These measures are part of the perimeter defenses that include firewalls, intrusion detection systems, and other boundary security mechanisms designed to prevent attackers from gaining initial access to the network infrastructure1234. References: Defense in depth explained: Layering tools and processes for better security1. What is a whitelist and a blacklist? - National Cybersecurity Society2. Blacklisting vs Whitelisting: What’s the Difference? - Instasafe3. Whitelisting, blacklisting, and your security strategy: It’s not either/or4. Question #:62 Pass with Authority Use Examout.co 37 of 223 Exam Preparation ECCouncil - 312-38 Richard has been working as a Linux system administrator at an MNC. He wants to maintain a productive and secure environment by improving the performance of the systems through Linux patch management. Richard is using Ubuntu and wants to patch the Linux systems manually. Which among the following command installs updates (new ones) for Debun based Linux OSes? A. sudo apt-get dist-upgrade B. sudo apt-get update C. sudo apt-get dist-update D. sudo apt-get upgrate Answer: A Explanation The command sudo apt-get dist-upgrade is used to install updates for Debian-based Linux operating systems, which includes Ubuntu. This command intelligently handles changes with new versions of packages and will install the newest versions of all packages currently installed on the system. It also handles changing dependencies with new versions of packages and will attempt to upgrade the most important packages at the expense of less important ones if necessary. The dist-upgrade command, therefore, will install or remove packages as necessary to complete the full update. References: This information is consistent with the best practices for maintaining a Debian-based system, as outlined in the Debian and Ubuntu documentation. The apt-get command is a powerful package management tool used in Debian-based systems for handling packages, and dist-upgrade is a specific option within apt-get that is designed for an intelligent system-wide upgrade12. Question #:63 Which among the following filter is used to detect a SYN/FIN attack? A. tcp.flags==0x002 B. tcp.flags==0x004 C. tcp.flags==0x003 D. tcp.flags==0x001 Answer: C Explanation The filter tcp.flags==0x003 is used to detect SYN/FIN attacks. This filter is designed to identify packets where both the SYN and FIN flags are set, which is an unusual combination and indicative of a potential Pass with Authority Use Examout.co 38 of 223 Exam Preparation ECCouncil - 312-38 SYN/FIN attack. In a typical TCP communication, a SYN flag is used to initiate a connection, and a FIN flag is used to gracefully close a connection. Therefore, seeing both flags set in a single packet suggests a malformed or malicious packet, which is characteristic of a SYN/FIN attack. References: The use of the filter tcp.flags==0x003 for detecting SYN/FIN attacks is discussed in various cybersecurity resources and aligns with the knowledge required for the Certified Network Defender (CND) certification. This specific filter is mentioned in discussions about network security and intrusion detection techniques1. Question #:64 Which category of suspicious traffic signatures includes SYN flood attempts? A. Informational B. Denial of Service C. Reconnaissance D. Unauthorized access Answer: B Explanation SYN flood attempts are a type of Denial of Service (DoS) attack. They are designed to exploit the TCP handshake process by sending a large number of SYN packets to a target server, which can overwhelm the server’s resources and prevent legitimate users from establishing a connection. The goal of a SYN flood is not to gain unauthorized access or gather information, but rather to disrupt the normal operation of a service, making it a Denial of Service attack. References: The categorization of SYN flood attempts as a Denial of Service attack is consistent with the information provided in various cybersecurity resources, including those related to the Certified Network Defender (CND) course, which outlines the different types of network attacks and their characteristics123. Question #:65 Who is an IR custodian? A. An individual responsible for conveying company details after an incident B. An individual who receives the initial IR alerts and leads the IR team in all the IR activities C. An individual who makes a decision on the classifications and the severity of the incident identified D. An individual responsible for the remediation and resolution of the incident that occurred Answer: C Pass with Authority Use Examout.co 39 of 223 Exam Preparation ECCouncil - 312-38 Explanation An IR custodian is typically responsible for making decisions on the classifications and the severity of the incident identified. This role involves determining the impact of the incident, categorizing its severity, and guiding the appropriate response according to the organization’s incident response plan. The custodian plays a critical role in the incident response process by ensuring that incidents are properly identified, classified, and escalated to the relevant parties for further action. References: The information provided aligns with the objectives and documents of the EC-Council’s Certified Network Defender (CND) program, which includes understanding the roles and responsibilities within an incident response team. For more detailed information, refer to the official CND study guide and materials provided by the EC-Council. Question #:66 John is the Vice-President of a BPO. He wants to implement a policy allowing employees to use and manage devices purchased by the organization but restrict the use of the device for business use only. Which among the following policies does John want to implement? A. COBO policy B. CYOD policy C. BYOD policy D. COPE policy Answer: B Explanation John wants to implement a policy that allows employees to use and manage devices purchased by the organization but restricts the use of the device for business use only. This is known as a COBO (Company Owned, Business Only) policy. Under a COBO policy, the company provides the devices to the employees and maintains control over them, ensuring that they are used solely for business purposes123. References: The concept of COBO is well-documented in enterprise mobility and device management literature, where it is described as a policy where the organization owns the devices and restricts their use to business activities only123. This approach is in contrast to BYOD (Bring Your Own Device), CYOD (Choose Your Own Device), and COPE (Company Owned, Personally Enabled) policies, which offer varying degrees of personal use456789. Question #:67 Alex is administrating the firewall in the organization's network. What command will he use to check all the remote addresses and ports in numerical form? A. Netstat -o B. Pass with Authority Use Examout.co 40 of 223 Exam Preparation ECCouncil - 312-38 B. Netstat -a C. Netstat -ao D. Netstat -an Answer: D Explanation The netstat -an command is used to display all active connections and listening ports with addresses and port numbers in numerical form. This is particularly useful for administrators who need to quickly identify connections without resolving the hostnames, which can save time and resources, especially when dealing with a large number of connections. References: The usage of the netstat -an command aligns with the objectives and documents of the Certified Network Defender (CND) course, which emphasizes the importance of understanding and utilizing network commands for effective network security management. The -an switch combines two options: -a displays all connections and listening ports, and -n displays addresses and port numbers in numerical form1. Question #:68 Which of the following connects the SDN controller and SDN networking devices and relays information from network services to network devices such as switches and routers? A. Eastbound API B. Northbound API C. Southbound API D. Westbound API Answer: C Explanation In Software Defined Networking (SDN), APIs are used to manage the communication between different components of the network. The Southbound API connects the SDN controller to the networking devices such as switches and routers, enabling the controller to send instructions to the network devices and gather data from them. This API is essential for the controller to enforce policies and ensure the proper functioning of the network infrastructure. The other APIs are: Northbound AP