Question 1

An loT sensor in an organization generated an emergency alarm indicating a security breach. The
servers hosted in an loT layer accepted, stored, and processed the sensor data received from loT
gateways and created dashboards for monitoring, analyzing, and implementing proactive decisions
to tackle the issue.
Which of the following layers in the loT architecture performed the above activities after receiving an
alert from the loT sensor?

Accepted Answer

B

Explanation: The cloud layer of IoT architecture is the layer that hosts the servers that accept, store, and process the sensor data received from IoT gateways. The cloud layer also creates dashboards for monitoring, analyzing, and implementing proactive decisions to tackle the issue. The cloud layer provides scalability, reliability, and security for the IoT system. The cloud layer can use various cloud computing models, such as public, private, hybrid, or community clouds12. Reference: Network Defense Essentials - EC-Council Learning, IoT Architecture: The 4 Layers of an IoT System

Question 2

Kalley, a network administrator of an organization, has installed a traffic monitoring system to
capture and report suspicious traffic signatures. In this process, she detects traffic containing
password cracking, sniffing, and brute-forcing attempts.Which of the following categories of
suspicious traffic signature were identified by Kalley through the installed monitoring system?

Accepted Answer

B

Explanation: Unauthorized access signatures were identified by Kalley through the installed monitoring system. Unauthorized access signatures are designed to detect attempts to gain unauthorized access to a system or network by exploiting vulnerabilities, misconfigurations, or weak credentials. Password cracking, sniffing, and brute-forcing are common techniques used by attackers to obtain or guess the passwords of legitimate users or administrators and gain access to their accounts or privileges. These techniques generate suspicious traffic patterns that can be detected by traffic monitoring systems, such as Snort, using signature-based detection. Signature-based detection is based on the premise that abnormal or malicious network traffic fits a distinct pattern, whereas normal or benign traffic does not. Therefore, by installing a traffic monitoring system and capturing and reporting suspicious traffic signatures, Kalley can identify and prevent unauthorized access attempts and protect the security of her organization’s network. Reference: Network Defense Essentials Courseware, EC-Council, 2020, pp. 3-33 to 3-34 Detecting Suspicious Traffic via Signatures - Intrusion Detection with Snort, O’Reilly, 2003 Threat Signature Categories - Palo Alto Networks, Palo Alto Networks, 2020

Question 3

Mary was surfing the Internet, and she wanted to hide her details and the content she was surfing
over the web. She employed a proxy tool that makes his online activity untraceable.
Identify the type of proxy employed by John in the above scenario.

Accepted Answer

B

Explanation: anonymous proxy is a type of proxy that hides the user’s IP address and other identifying information from the web servers they access. An anonymous proxy acts as an intermediary between the user and the internet, and it modifies the HTTP headers to prevent the web servers from tracking the user’s location, browser, or device. An anonymous proxy can help the user bypass geo-restrictions, censorship, and online surveillance. However, an anonymous proxy does not encrypt the user’s traffic, and it may still leak some information to the proxy provider or other third parties. An anonymous proxy is the type of proxy employed by Mary in the above scenario, as she used a proxy tool that makes her online activity untraceable. Reference: What is a Proxy Server and How Does it Work? 13 Best Proxy Tools for PC [2024 Reviewed] - Section: Anonymous proxies The Fastest Free Proxy

Question 4

Alice was working on her major project; she saved all her confidential files and locked her laptop.
Bob wanted to access Alice's laptop for his personal use but was unable to access the laptop due to
biometric authentication.
Which of the following network defense approaches was employed by Alice on her laptop?

Accepted Answer

B

Explanation: The network defense approach that was employed by Alice on her laptop was the preventive approach. The preventive approach aims to stop or deter potential attacks before they happen by implementing security measures that reduce the attack surface and increase the difficulty of exploitation. Biometric authentication is an example of a preventive measure that uses a physical characteristic, such as a fingerprint, iris, or face, to verify the identity of the user and grant access to the device or system. Biometric authentication is more secure than traditional methods, such as passwords or PINs, because it is harder to forge, guess, or steal. By locking her laptop and using biometric authentication, Alice prevented Bob from accessing her laptop and her confidential files without her permission. Reference: Network Defense Essentials Courseware, EC-Council, 2020, pp. 1-7 to 1-8 What is Biometric Authentication?, Norton, July 29, 2020 An introduction to network defense basics, Enable Sysadmin, November 26, 2019

Question 5

Joseph, a security professional, was instructed to secure the organization's network. In this process,
he began analyzing packet headers to check whether any indications of source and destination IP
addresses and port numbers are being changed during transmission.
Identify the attack signature analysis technique performed by Joseph in the above scenario.

Accepted Answer

D

Explanation: Atomic-signature-based analysis is a type of attack signature analysis technique that uses a single characteristic or attribute of a packet header to identify malicious traffic. Atomic signatures are simple and fast to match, but they can also generate false positives or miss some attacks. Some examples of atomic signatures are source and destination IP addresses, port numbers, protocol types, and TCP flags. Atomic-signature-based analysis is the technique performed by Joseph in the above scenario, as he analyzed packet headers to check whether any indications of source and destination IP addresses and port numbers are being changed during transmission. Reference: [Understanding the Network Traffic Signatures] - Module 12: Network Traffic Monitoring Network Defense Essentials (NDE) | Coursera - Week 12: Network Traffic Monitoring [Network Defense Essentials Module 12 (Network Traffic Monitoring) - Quizlet] - Flashcards: What are Network Traffic Signatures?

Question 6

Which of the following IDS components analyzes the traffic and reports if any suspicious activity is detected?

Accepted Answer

B

Explanation: The IDS component that analyzes the traffic and reports if any suspicious activity is detected is the network sensor. A network sensor is a device or software application that is deployed at a strategic point or points within the network to monitor and capture the network traffic to and from all devices on the network. A network sensor can operate in one of two modes: promiscuous or inline. In promiscuous mode, the network sensor passively listens to the network traffic and copies the packets for analysis. In inline mode, the network sensor actively intercepts and filters the network traffic and can block or modify the packets based on predefined rules. A network sensor analyzes the network traffic using various detection methods, such as signature-based, anomaly-based, or reputation-based, and compares the traffic patterns with a database of attack signatures or a model of normal behavior. If the network sensor detects any suspicious or malicious activity, such as a reconnaissance scan, an unauthorized access attempt, or a denial-of-service attack, it generates an alert and reports it to the IDS manager or the operator. A network sensor can also integrate with a response system to take appropriate actions, such as logging, notifying, or blocking, in response to the detected activity123. Reference: Network Defense Essentials Courseware, EC-Council, 2020, pp. 3-33 to 3-34 Intrusion Detection System (IDS) - GeeksforGeeks, GeeksforGeeks, 2020 Intrusion detection system - Wikipedia, Wikipedia, March 16, 2021

Question 7

Which of the following objects of the container network model (CNM) contains the configuration files of a container's network stack, such as routing table, container's interfaces, and DNS settings?

Accepted Answer

B

Explanation: The object of the container network model (CNM) that contains the configuration files of a container’s network stack, such as routing table, container’s interfaces, and DNS settings, is the Sandbox. A Sandbox is a logical entity that encapsulates the network configuration and state of a container. A Sandbox can contain one or more endpoints from different networks, and provides isolation and security for the container’s network stack. A Sandbox can be implemented using various technologies, such as Linux network namespaces, FreeBSD jails, or Windows compartments. A Sandbox allows the container to have its own view and control of the network resources, such as interfaces, addresses, routes, and DNS settings123. Reference: The Container Networking Model | Training, Training, 2020 A Comprehensive Guide To Docker Networking - KnowledgeHut, KnowledgeHut, September 27, 2023 Design - GitHub: Let’s build from here, GitHub, 2020

Question 8

Which of the following actors in the NIST cloud deployment reference architecture acts as an intermediary for providing connectivity and transport services between cloud consumers and providers?

Accepted Answer

D

Explanation: :

Question 9

Kevin, a security team member, was instructed to share a policy document with the employees. As it
was supposed to be shared within the network, he used a simple algorithm to encrypt the document
that just rearranges the same characters to produce the ciphertext.
Identify the type of cipher employed by Kevin in the above scenario.

Accepted Answer

C

Explanation: A transposition cipher is a type of cipher that encrypts a document by rearranging the same characters to produce the ciphertext. A transposition cipher does not change the identity or frequency of the characters, but only their position. A transposition cipher can use various methods to permute the characters, such as writing them in a grid and reading them in a different order, or shifting them along a rail fence pattern. A transposition cipher is a simple and fast algorithm, but it can be easily broken by frequency analysis or anagramming. A transposition cipher is the type of cipher employed by Kevin in the above scenario, as he used a simple algorithm to encrypt the document that just rearranges the same characters to produce the ciphertext. Reference: Transposition cipher - Wikipedia Network Security: Transposition Cipher Techniques - Coding Streets Network Defense Essentials (NDE) | Coursera - Module 4: Cryptography Techniques Columnar Transposition Cipher - GeeksforGeeks

Question 10

George, a professional hacker, targeted a bank employee and tried to crack his password while he
was attempting to log on to the remote server to perform his regular banking operations. In this
process, George used sniffing tools to capture the password pairwise master key (PMK) associated
with the handshake authentication process. Then, using the PMK, he gained unauthorized access to
the server to perform malicious activities.
Identify the encryption technology on which George performed password cracking.

Accepted Answer

C

Explanation: WPA2 (Wi-Fi Protected Access 2) is an encryption technology that secures wireless networks using the IEEE 802.11i standard. WPA2 uses a four-way handshake to authenticate the client and the access point, and to generate a pairwise transient key (PTK) for encrypting the data. The PTK is derived from the password pairwise master key (PMK), which is a shared secret between the client and the access point. The PMK can be obtained either by using a pre-shared key (PSK) or by using an 802.1X authentication server. In the above scenario, George performed password cracking on WPA2, as he used sniffing tools to capture the PMK associated with the handshake authentication process. Then, using the PMK, he was able to derive the PTK and decrypt the data exchanged between the client and the access point. Reference: WPA2 - Wikipedia How WPA2-PSK encryption works? - Cryptography Stack Exchange WPA2 Encryption and Configuration Guide - Cisco Meraki Documentation

Question 11

Which of the following protocols uses TLS/SSL to ensure secure transmission of data over the Internet?

Accepted Answer

A

Explanation: HTTPS (Hypertext Transfer Protocol Secure) is a protocol that uses TLS/SSL to ensure secure transmission of data over the Internet. HTTPS is an extension of HTTP, which is the standard protocol for transferring data between web servers and browsers. HTTPS encrypts the data exchanged between the client and the server, preventing anyone from intercepting, modifying, or stealing the data. HTTPS also verifies the identity of the server using digital certificates, preventing spoofing or phishing attacks. HTTPS is widely used for web applications that handle sensitive information, such as online banking, e-commerce, or social media. Reference: HTTPS - Week 7: Email Security How does SSL work? | SSL certificates and TLS | Cloudflare SSL and TLS: A Beginners Guide | SANS Institute

Question 12

Which of the following techniques is referred to as a messaging feature that originates from a server
and enables the delivery of data or a message from an application to a mobile device without any
explicit request from the user?

Accepted Answer

A

Explanation: :

Question 13

Peter, a security professional, was hired by an organization and was instructed to secure the
application and its content from unauthorized access. In this process, Peter implemented a public-
key cryptosystem that uses modular arithmetic and elementary number theory for Internet
encryption and user authentication.
Which of the following algorithms was employed by Peter in the above scenario?

Accepted Answer

A

Explanation: RSA is a public-key cryptosystem that uses modular arithmetic and elementary number theory for Internet encryption and user authentication. RSA stands for Rivest-Shamir-Adleman, the names of the inventors of the algorithm. RSA allows users to generate a pair of keys, one public and one private, that are mathematically related. The public key can be used to encrypt messages or verify digital signatures, while the private key can be used to decrypt messages or create digital signatures. RSA is based on the difficulty of factoring large numbers, which makes it secure and widely used12. Reference: What is Public-Key Cryptosystem in Information Security?, Network Defense Essentials (NDE) | Coursera

Question 14

Below are the various steps involved in the creation of a data retention policy.
1.Understand and determine the applicable legal requirements of the organization
2.Ensure that all employees understand the organization's data retention policy
3.Build a data retention policy development team
4.ldentify and classify the data to be included in the data retention policy
5.Develop the data retention policy
Identify the correct sequence of steps involved.

Accepted Answer

B

Explanation: The correct sequence of steps involved in the creation of a data retention policy is 3 -> 1 -> 4 -> 5 -> 2. This is based on the following description of the data retention policy creation process from the web search results: Build a team: To design a data retention policy, you need a team of industry experts, such as legal, IT, compliance, and business representatives, who can contribute their knowledge and perspectives to the policy. The team should have a clear leader who can coordinate the tasks and communicate the goals and expectations1. Determine legal requirements: The team should research and understand the applicable legal and regulatory requirements for data retention that affect the organization, such as GDPR, HIPAA, PCI DSS, etc. The team should also consider any contractual obligations or industry standards that may influence the data retention policy2134. Identify and classify the data: The team should inventory and categorize all the data that the organization collects, stores, and processes, based on their function, subject, or type. The team should also assess the value, risk, and sensitivity of each data category, and determine the appropriate retention period, format, and location for each data category2134. Develop the data retention policy: The team should draft the data retention policy document that outlines the purpose, scope, roles, responsibilities, procedures, and exceptions of the data retention policy. The policy should be clear, concise, and consistent, and should reflect the legal and business requirements of the organization. The policy should also include a data retention schedule that specifies the retention period and disposition method for each data category2134. Ensure that all employees understand the organization’s data retention policy: The team should communicate and distribute the data retention policy to all the relevant employees and stakeholders, and provide training and guidance on how to comply with the policy. The team should also monitor and enforce the policy, and review and update the policy regularly to reflect any changes in the legal or business environment2134. Reference: How to Create a Data Retention Policy | Smartsheet, Smartsheet, July 17, 2019 What Is a Data Retention Policy? Best Practices + Template, Drata, November 29, 2023 Data Retention Policy: What It Is and How to Create One - SpinOne, SpinOne, 2020 How to Develop and Implement a Retention Policy - SecureScan, SecureScan, 2020

Question 15

Jay, a network administrator, was monitoring traffic flowing through an IDS. Unexpectedly, he
received an event triggered as an alarm, although there is no active attack in progress.
Identify the type of IDS alert Jay has received in the above scenario.

Accepted Answer

B

Explanation: A false positive alert is a type of IDS alert that occurs when the IDS mistakenly identifies benign or normal traffic as malicious or suspicious, and triggers an alarm, although there is no active attack in progress. A false positive alert can be caused by various factors, such as misconfigured IDS rules, outdated signatures, network anomalies, or legitimate traffic that resembles attack patterns. A false positive alert can waste the time and resources of the security team, as they have to investigate and verify the alert, and also reduce the trust and confidence in the IDS. A false positive alert can be reduced by tuning and updating the IDS, filtering out irrelevant traffic, and using multiple detection methods. A false positive alert is the type of IDS alert Jay has received in the above scenario, as he received an event triggered as an alarm, although there is no active attack in progress. Reference: False Positive Alert - Week 10: Intrusion Detection and Prevention Systems What is a False Positive in Cybersecurity? How to Reduce False Positives in Intrusion Detection Systems

Free Eccouncil 112-51 Actual Exam Questions