Question 1

Jason has set a firewall policy that allows only a specific list of network services and deny everything else. This strategy is known as a____________.

Accepted Answer

B

Explanation: The strategy Jason has set up is known as a Default Deny policy. This approach to network security is designed to block all access by default, only allowing services that are explicitly permitted. This is a more secure posture compared to the Default Allow policy, which allows all traffic unless it is specifically blocked. The Default Deny strategy aligns with the principle of least privilege, ensuring that only the minimum necessary access is granted, thereby reducing the attack surface and potential for unauthorized access. Reference: The concept of Default Deny is a fundamental security posture that is widely recognized and implemented in various cybersecurity frameworks and guidelines. It is also a key feature of the Zero Trust security model, which does not inherently trust any user or device inside or outside the network perimeter and requires continuous verification and authorization for any access attempt.

Question 2

------------is a group of broadband wireless communications standards for Metropolitan Area Networks (MANs)

Accepted Answer

B

Explanation: The IEEE 802.16 is a series of wireless broadband standards, also known as WirelessMAN, that are designed for Metropolitan Area Networks (MANs). This standard specifies the air interface, including the medium access control layer (MAC) and physical layer (PHY), of combined fixed and mobile point- to-multipoint broadband wireless access systems. It supports multiple services and enables the deployment of interoperable multivendor broadband wireless access products. Reference: The information is based on the IEEE Standard for Local and metropolitan area networks Part 16: Air Interface for Broadband Wireless Access Systems, which is detailed in the IEEE 802.16- 2009 document1. Additionally, the Wikipedia page for IEEE 802.16 provides an overview of the standard’s purpose for broadband wireless metropolitan area networks2.

Question 3

Which of the following is true regarding any attack surface?

Accepted Answer

A

Explanation: The attack surface of a system refers to the sum of all potential points where an unauthorized user can try to enter or extract data from that system. It encompasses all the vulnerabilities, including software flaws, unsecured network ports, and unprotected system endpoints. Therefore, when vulnerabilities are decreased, the attack surface is reduced because there are fewer opportunities for an attacker to exploit. This is a fundamental concept in network security, as reducing the attack surface is a critical step in protecting systems against unauthorized access and potential breaches. Reference: The explanation aligns with the definitions and concepts of attack surfaces as described in network security literature and the Certified Network Defender (CND) course, which emphasizes the importance of minimizing vulnerabilities to reduce the overall attack surface123.

Question 4

Disaster Recovery is a _________.

Accepted Answer

D

Explanation: Disaster Recovery (DR) is a subset of business continuity planning which focuses on the IT systems and operations of a business after a disaster. It’s a comprehensive approach that ensures all critical business functions can be resumed quickly and effectively in the event of a crisis. DR is not just about data or security; it encompasses all aspects of the business that are necessary to continue operations and protect the interests of stakeholders. Reference: The explanation aligns with the objectives and documents of the EC-Council’s Certified Network Defender (CND) program, which emphasizes the importance of business continuity and disaster recovery as part of a defense-in-depth security strategy. This includes protecting endpoints, data, and networks, as well as continuous threat monitoring and response12345.

Question 5

How is application whitelisting different from application blacklisting?

Accepted Answer

D

Explanation: Application whitelisting is a security approach that allows only pre-approved applications to execute within a system or network. This method operates on a ‘default deny’ principle, meaning if an application is not explicitly listed as approved, it will not be allowed to run. This is in contrast to application blacklisting, which operates on a ‘default allow’ principle where all applications are allowed to run unless they have been specifically identified as malicious or undesirable and added to a blacklist. Whitelisting is generally considered more secure because it prevents any unapproved applications from running, which can include new or unknown threats. However, it can be more challenging to maintain as it requires a comprehensive understanding of all the necessary applications for business operations. Reference: The concept of application whitelisting and its differentiation from blacklisting is well- documented in cybersecurity literature and aligns with the guidelines provided by the EC-Council’s Certified Network Defender (CND) program. It is also supported by various cybersecurity frameworks and best practices, including those from authoritative sources such as the National Institute of Standards and Technology (NIST).

Question 6

Which among the following tools can help in identifying IoEs to evaluate human attack surface?

Accepted Answer

D

Explanation: The tool that can help in identifying Indicators of Exposure (IoEs) to evaluate the human attack surface is the Social-Engineer Toolkit (SET). SET is designed for social engineering penetration tests and is effective in simulating phishing attacks, which are a common method to evaluate the human aspect of security. It helps in identifying the potential human vulnerabilities that could be exploited in an organization. Reference: The EC-Council’s Certified Network Defender (CND) program includes discussions on various tools and methods for assessing and improving the security of an organization, including the human attack surface and the use of tools like SET for this purpose12.

Question 7

On which layer of the OSI model does the packet filtering firewalls work?

Accepted Answer

A

Explanation: Packet filtering firewalls operate at the Network Layer of the OSI model. This layer is responsible for the transmission of data packets across network boundaries, which is a fundamental function of packet filtering firewalls. They analyze incoming and outgoing packets and make decisions based on set rules, such as IP addresses, protocols, and ports, to allow or block traffic. This is crucial for protecting the network from unauthorized access and potential threats. Reference: The information aligns with standard networking principles and the functionalities of packet filtering firewalls as they are commonly understood in the field of network security123.

Question 8

Identity the correct order for a successful black hat operation.

Accepted Answer

B

Explanation: The correct sequence for a black hat operation follows a structured approach that begins with Reconnaissance, where the attacker gathers preliminary data or intelligence on the target. Next is Scanning, where the attacker uses technical tools to understand the network and system vulnerabilities. Gaining Access is the phase where the vulnerabilities are exploited to enter the system or network. Maintaining Access involves establishing a persistent presence within the system, often for data exfiltration or additional exploitation. Finally, Covering Tracks is the phase where the attacker erases evidence of the intrusion to avoid detection. Reference: This answer aligns with the objectives and documents of the EC-Council’s Certified Network Defender (CND) program, which outlines the phases of cyber attacks in the context of network security and defense strategies.

Question 9

Which of the following commands can be used to disable unwanted services on Debian, Ubuntu and other Debian-based Linux distributions?

Accepted Answer

D

Explanation: In Debian-based Linux distributions, such as Ubuntu, the update-rc.d command is used to add and remove services from the startup sequence. To disable a service, the -f option (which stands for ‘force’) is used along with the remove parameter to remove the service from the startup sequence. This prevents the service from starting automatically during the system boot. Reference: The use of update-rc.d for disabling services is documented in various Linux guides and resources. For example, Tecmint’s guide on “How to Stop and Disable Unwanted Services from Linux System” provides a practical example of using update-rc.d -f apache2 remove to disable the Apache service at system startup1. Additionally, the Linux Consultant website also mentions the use of systemctl followed by the disable argument for fully disabling services2.

Question 10

Which mobile-use approach allows an organization’s employees to use devices that they are comfortable with and best fits their preferences and work purposes?

Accepted Answer

A

Explanation: The mobile-use approach that allows an organization’s employees to use devices they are comfortable with and that best fit their p

Question 11

Which of the following Wireshark filters allows an administrator to detect SYN/FIN DDoS attempt on the network?

Accepted Answer

B

Explanation: The correct Wireshark filter to detect a SYN/FIN DDoS attempt is tcp.flags==0X029. This filter is designed to capture packets where both the SYN and FIN flags are set, which is an unusual combination and indicative of a SYN/FIN attack. In a typical three-way TCP handshake, the SYN and FIN flags are not set in the same TCP segment. A SYN flag is used to initiate a connection, and a FIN flag is used to politely close a connection. Therefore, seeing both flags set in the same packet suggests a possible SYN/FIN DDoS attack. Reference: The answer is based on the standard behavior of TCP flags in network communications and the detection of anomalous flag combinations that signify potential DDoS attacks. While specific

Question 12

Which scan attempt can penetrate through a router and a firewall that filter incoming packets with particular flags set and is not supported by Windows?

Accepted Answer

C

Explanation: A TCP null scan attempt is a technique used in network scanning where the TCP packet sent has no flags set. This type of scan can sometimes penetrate through routers and firewalls that filter incoming packets based on certain flags because the absence of flags can prevent the packet from being filtered out. The TCP null scan is particularly useful for identifying open ports on a target system. If a port is open, the target system will not respond to the null scan, but if the port is closed, the system will send a TCP RST packet in response. This scanning method is not supported by Windows because Windows systems typically respond with a RST packet regardless of whether the port is open or closed, making it ineffective for distinguishing between the two states on those systems. Reference: The TCP null scan’s ability to bypass certain types of filters and its behavior in response to open and closed ports are documented in various network security resources, including the Nmap documentation and other network security analysis articles12. These sources confirm the effectiveness of TCP null scans in penetrating through filters set up by routers and firewalls and their unsupported status on Windows systems.

Question 13

How is the chip-level security of an loT device achieved?

Accepted Answer

C

Explanation: Chip-level security for IoT devices is achieved by implementing security measures directly into the hardware, such as secure boot, secure firmware updates, and device authentication. This involves storing cryptographic keys in a tamper-resistant environment within the chip, ensuring that sensitive information remains secure even in the event of physical attacks on the device. Closing insecure network services is part of a broader security strategy that includes chip-level measures to protect against cyberattacks. It’s important to note that while changing passwords and encrypting interfaces are also security measures, they do not pertain specifically to chip-level security. Reference: The information provided is based on industry best practices and insights from sources such as EE Times1 and Semiconductor Digest2, which discuss the importance of establishing a root of trust and securing IoT devices from chip to cloud. These sources emphasize the need for a focus on endpoint devices and the implementation of security mechanisms and techniques depending on their specific function and security requirements. Additionally, they highlight the role of public key infrastructure (PKI) in providing strong identities for IoT devices, which is a critical element of chip- level security.

Question 14

Which of the following attack signature analysis techniques are implemented to examine the header information and conclude that a packet has been altered?

Accepted Answer

D

Explanation: Composite signature-based analysis is a technique used in intrusion detection systems to examine multiple attributes or behaviors over time to identify potential threats. This method can analyze packet headers to detect anomalies that may indicate a packet has been altered. It looks at a series of packets or fragments to determine if they are part of a legitimate session or if they have been manipulated as part of an attack, such as overlapping fragments which cannot be reassembled properly. This approach is more comprehensive than atomic signature-based analysis, which examines single events or packets in isolation, and provides a more contextual understanding compared to context-based or content-based analyses. Reference: The concept of composite signature-based analysis and its application in examining packet headers for alterations is supported by industry-standard practices in network security and intrusion detection systems123.

Question 15

Frank is a network technician working for a medium-sized law firm in Memphis. Frank and two other
IT employees take care of all the technical needs for the firm. The firm's partners have asked that a
secure wireless
network be implemented in the office so employees can move about freely without being tied to a
network cable. While Frank and his colleagues are familiar with wired Ethernet technologies, 802.3,
they are not familiar
with how to setup wireless in a business environment. What IEEE standard should Frank and the
other IT employees follow to become familiar with wireless?

Accepted Answer

C

Explanation: The correct IEEE standard for wireless networking in a business environment is 802.11. This series of standards defines the protocols for implementing wireless local area network (WLAN) communications in various frequencies, including 2.4, 5, and 60 GHz bands. The 802.11 standards are widely used worldwide and form the basis of wireless network products that are marketed under the Wi-Fi brand. Frank and his colleagues should familiarize themselves with the 802.11 standards to set up a secure wireless network for their firm. Reference: The information is based on the IEEE 802.11 series of standards, which are the foundation for Wi-Fi wireless networks. These standards have been developed to ensure interoperability between wireless devices and to provide a secure and reliable means of communication12.

Free ECcouncil 312-38 Actual Exam Questions