Exam Dumps
Every month we help more than 1,000 people prepare well for their exams and pass them.

EC-Council 312-38 Exam

Certified Network Defender Online Practice

Last updated: October 3, 2025

Working through the online practice questions lets you gauge how well you know the EC-Council 312-38 exam material before deciding whether to register for the exam.

If you want to pass the exam with a 100% success rate and cut your preparation time by 35%, choose the 312-38 dumps (latest real exam questions), which currently contain 330 exam questions with answers.


Question No : 1


Malone is finishing up his incident handling plan for IT before giving it to his boss for review. He is outlining the incident response methodology and the steps that are involved.
Which step should Malone list as the last step in the incident response methodology?

Answer:
Explanation:
In incident response methodology the last step is usually called 'Post-Incident Activity', 'Lessons Learned' or 'Follow-up'. It reviews the incident to establish what happened, how it was handled, and how similar incidents can be prevented or mitigated in the future. It is the phase in which the organization improves its security posture and response procedures: residual risk is addressed, all documentation is completed, and the incident response team reflects on its actions and updates the incident handling plan for future responses.
Reference: The follow-up step as the final phase is supported by the widely used incident response frameworks from NIST (SP 800-61, whose last phase is 'Post-Incident Activity') and SANS (whose last phase is 'Lessons Learned'). These phases align with the objectives and documents of EC-Council's Certified Network Defender (CND) program.

Question No : 2


Frank is a network technician working for a medium-sized law firm in Memphis. Frank and two other IT employees take care of all the technical needs for the firm. The firm's partners have asked that a secure wireless network be implemented in the office so employees can move about freely without being tied to a network cable. While Frank and his colleagues are familiar with wired Ethernet technologies, 802.3, they are not familiar with how to setup wireless in a business environment.
What IEEE standard should Frank and the other IT employees follow to become familiar with wireless?

Answer:
Explanation:
The IEEE standard for wireless networking in a business environment is 802.11. This family of standards defines the protocols for wireless local area network (WLAN) communication in several frequency bands, including 2.4, 5, 6 and 60 GHz. The 802.11 standards are used worldwide and form the basis of the wireless products marketed under the Wi-Fi brand; the 802.11i amendment defines the security mechanisms (Robust Security Network, the basis of WPA2) that Frank will need for a secure deployment. Frank and his colleagues should familiarize themselves with the 802.11 standards to set up a secure wireless network for their firm.
Reference: The IEEE 802.11 series of standards, the foundation of Wi-Fi wireless networks, developed to ensure interoperability between wireless devices and to provide a secure and reliable means of communication.

Question No : 3


Which of the following Event Correlation Approach checks and compares all the fields systematically and intentionally for positive and negative correlation with each other to determine the correlation across one or multiple fields?

Answer:
Explanation:
The field-based approach to event correlation systematically compares every field of one event against the fields of other events and records, for each field, whether the values agree (a positive correlation) or disagree (a negative correlation). It then decides, across one or several fields, whether the events are related. The approach is methodical and intentional: it examines the data within each field and across fields to identify the patterns and connections that may indicate a security event or incident.
Reference: The explanation is based on the principles of event correlation as described in network security literature and aligns with the Certified Network Defender (CND) objectives that focus on identifying and analyzing security events through various correlation methods.
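The following is an added example, not part of the dump or of the CND course material, showing the field-by-field comparison described above over two constructed log sources (a firewall log and an IDS log, both invented for this illustration). Each pair of events is compared on every shared field; fields that agree are the positive correlations, fields that differ are the negative ones, and a pair is reported only when all of the chosen key fields correlate positively within a time window. The key fields and the window are assumptions for the example.

```python
"""Field-based event correlation over constructed log records.

Added example (not EC-Council/CND material). Two constructed sources,
a firewall log and an IDS log, are compared field by field: a field that
matches between two events is a positive correlation, a field that is
present in both but differs is a negative correlation. Pairs whose
positive set covers the key fields, within a time window, are reported.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs).
FIREWALL_EVENTS = [
    {"ts": "2025-10-03T10:00:01", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",
     "dst_port": 22, "action": "deny"},
    {"ts": "2025-10-03T10:00:03", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",
     "dst_port": 3389, "action": "deny"},
    {"ts": "2025-10-03T10:05:00", "src_ip": "198.51.100.9", "dst_ip": "10.0.0.8",
     "dst_port": 443, "action": "allow"},
]
IDS_EVENTS = [
    {"ts": "2025-10-03T10:00:02", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",
     "dst_port": 22, "signature": "SSH brute force"},
    {"ts": "2025-10-03T10:30:00", "src_ip": "198.51.100.9", "dst_ip": "10.0.0.8",
     "dst_port": 443, "signature": "TLS anomaly"},
]

KEY_FIELDS = ("src_ip", "dst_ip", "dst_port")   # assumed for the example


def compare_fields(a, b):
    """Return (positive, negative): names of shared fields that agree / disagree.
    Only fields present in both events are compared; 'ts' is handled by the
    time window rather than by equality."""
    shared = (set(a) & set(b)) - {"ts"}
    positive = {f for f in shared if a[f] == b[f]}
    negative = shared - positive
    return positive, negative


def correlate(events_a, events_b, window_seconds=60, key_fields=KEY_FIELDS):
    """Cross-correlate two event lists. A pair correlates when every key
    field is a positive match and the events fall within the window."""
    window = timedelta(seconds=window_seconds)
    matches = []
    for a in events_a:
        ta = datetime.fromisoformat(a["ts"])
        for b in events_b:
            tb = datetime.fromisoformat(b["ts"])
            if abs(ta - tb) > window:
                continue
            positive, negative = compare_fields(a, b)
            if set(key_fields) <= positive:
                matches.append({"fw": a, "ids": b,
                                "positive": sorted(positive),
                                "negative": sorted(negative)})
    return matches


if __name__ == "__main__":
    for m in correlate(FIREWALL_EVENTS, IDS_EVENTS):
        print(m["fw"]["ts"], m["ids"]["signature"], "matched on", m["positive"],
              "differs on", m["negative"])
```

With the default 60-second window only the SSH brute-force alert correlates with the firewall deny on port 22; the second firewall event differs on dst_port (a negative correlation on that field), and the TLS anomaly is 25 minutes away from its firewall counterpart, so it only correlates when the window is widened.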

Question No : 4


Identify the correct statements regarding a DMZ zone:

Answer:
Explanation:
A DMZ, or demilitarized zone, is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, usually the internet. Its purpose is to add a layer of security to the organization's local area network (LAN): an external attacker gets direct access only to equipment in the DMZ, not to any other part of the network. The term 'neutral zone' refers to the fact that the DMZ is separated from both the internal network and the untrusted network, which helps prevent attackers from reaching internal servers and data directly. A DMZ is not a file integrity monitoring mechanism, does not act as a proxy, and normally does not hold sensitive internal servers such as database servers, which are kept inside the trusted network.
Reference: Fortinet's explanation of a DMZ network; EC-Council's Certified Network Defender (CND) course outline; an article on strengthening network security with a DMZ.

Question No : 5


Which phase of vulnerability management deals with the actions taken for correcting the discovered vulnerability?

Answer:
Explanation:
The phase of vulnerability management that deals with the actions taken to correct a discovered vulnerability is Remediation. This phase is the actual fixing of the vulnerability to reduce the risk of exploitation: applying patches, changing configurations, or implementing compensating controls where a fix is not yet available. It is a critical step in the vulnerability management lifecycle because it ensures the identified vulnerabilities are addressed and the network is protected from potential attacks.
Reference: Remediation as a phase of vulnerability management is supported by various cybersecurity frameworks and is standard industry practice. It is part of the vulnerability management lifecycle, which typically consists of identifying, assessing, prioritizing, remediating and verifying vulnerabilities.

Question No : 6


Stephanie is currently setting up email security so all company data is secured when passed through email. Stephanie first sets up encryption to make sure that a specific user's email is protected. Next, she needs to ensure that the incoming and the outgoing mail has not been modified or altered using digital signatures.
What is Stephanie working on?

Answer:
Explanation:
Stephanie is working on Data Integrity, a core aspect of information security that means maintaining and assuring the accuracy and consistency of data over its entire lifecycle. By adding digital signatures she ensures that the email content has not been altered or tampered with in transit: the recipient verifies the signature and so confirms that the message received is the same as the message sent. A digital signature also authenticates the origin of the message (and supports non-repudiation), but the property the question describes, detecting modification of incoming and outgoing mail, is integrity.
Reference: EC-Council's Certified Network Defender (CND) program covers data security topics including encryption of data at rest and in transit, data masking, backup, retention, destruction, data loss prevention (DLP) and, specifically, data integrity.

Question No : 7


As a network administrator, you have implemented WPA2 encryption in your corporate wireless network. WPA2's _________ integrity check mechanism provides security against a replay attack.

Answer:
Explanation:
WPA2 uses the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), built on the Advanced Encryption Standard (AES) block cipher: AES in counter mode encrypts the data and AES CBC-MAC computes the message integrity code (MIC). The integrity check mechanism the question asks for is CBC-MAC. Replay protection itself works as follows: every frame carries a 48-bit packet number (PN) that the sender increments monotonically, and the receiver discards any frame whose PN is not greater than the last one accepted. Because the PN is fed into the CCM nonce and therefore covered by the CBC-MAC, an attacker cannot bump the PN on a captured frame to get it past the replay check; altering the PN, like altering the payload, invalidates the MIC. Together the MIC and the PN check prevent frames from being altered, spoofed or resent.
Reference: The security protocols defined in the IEEE 802.11i standard for WPA2, which specify CBC-MAC for packet authentication and integrity and the packet number for replay detection as part of CCMP.
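The following added example (not from the page or from IEEE 802.11i) shows the replay-protection structure described above: a monotonically increasing packet number carried in the frame header, bound into the integrity check so it cannot be changed, and compared against the receiver's replay counter. Python's standard library has no AES, so HMAC-SHA256 is used here as a stand-in for the AES CBC-MAC that CCMP really uses; the 48-bit PN, the 8-byte MIC truncation and the strict "greater than last accepted" rule follow CCMP, while the key and frame contents are constructed.

```python
"""Replay protection the way CCMP does it: a monotonically increasing packet
number (PN) authenticated together with the frame, plus a receiver-side
replay counter.

Added example, not from the page or from IEEE 802.11i. Python's standard
library has no AES, so HMAC-SHA256 stands in for the AES CBC-MAC that
CCMP actually uses; the structure (PN in the header, PN bound into the
MIC input, monotonic check at the receiver) is the point.
"""
import hmac
import hashlib
import struct

MIC_LEN = 8  # CCMP truncates its MIC to 8 bytes; the example does the same


def protect(key: bytes, pn: int, payload: bytes) -> bytes:
    """Build header(PN) || payload || MIC. The MIC covers the PN, so an
    attacker cannot bump the PN on a captured frame without invalidating it."""
    header = struct.pack(">Q", pn)[2:]       # 48-bit PN, big-endian (6 bytes)
    mic = hmac.new(key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
    return header + payload + mic


class Receiver:
    """Tracks the last accepted PN; anything not strictly greater is a replay."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_pn = -1

    def accept(self, frame: bytes):
        """Return (status, payload); status is 'ok', 'bad_mic' or 'replay'."""
        if len(frame) < 6 + MIC_LEN:
            return "bad_mic", None
        header, body, mic = frame[:6], frame[6:-MIC_LEN], frame[-MIC_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):   # integrity check first
            return "bad_mic", None
        pn = int.from_bytes(header, "big")
        if pn <= self.last_pn:                        # replay counter check
            return "replay", None
        self.last_pn = pn
        return "ok", body


def demo():
    """A fresh frame is accepted; the same frame resent is a replay; the
    frame with a forged higher PN fails the MIC. Returns the three statuses."""
    key = b"\x11" * 16   # constructed temporal key, not a real one
    rx = Receiver(key)
    frame = protect(key, 1, b"hello")
    s1, _ = rx.accept(frame)                       # 'ok'
    s2, _ = rx.accept(frame)                       # 'replay'
    forged = struct.pack(">Q", 2)[2:] + frame[6:]  # bump PN without re-MACing
    s3, _ = rx.accept(forged)                      # 'bad_mic'
    return s1, s2, s3


if __name__ == "__main__":
    print(demo())
```

Note the order of the checks: the MIC is verified before the PN is consulted, so an attacker cannot use forged frames to push the receiver's replay counter forward and desynchronize it from the legitimate sender.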

Question No : 8


------------ is a group of broadband wireless communications standards for Metropolitan Area Networks (MANs).

Answer:
Explanation:
IEEE 802.16 is the series of wireless broadband standards, also known as WirelessMAN (and commercially as WiMAX), designed for Metropolitan Area Networks (MANs). It specifies the air interface, both the medium access control (MAC) layer and the physical (PHY) layer, of combined fixed and mobile point-to-multipoint broadband wireless access systems. It supports multiple services and enables the deployment of interoperable multivendor broadband wireless access products.
Reference: IEEE Standard for Local and metropolitan area networks, Part 16: Air Interface for Broadband Wireless Access Systems (IEEE 802.16-2009). The Wikipedia page for IEEE 802.16 gives an overview of the standard's purpose for broadband wireless metropolitan area networks.

Question No : 9


Alex is administrating the firewall in the organization's network.
What command will he use to check all the remote addresses and ports in numerical form?

Answer:
Explanation:
The netstat -an command displays all active connections and listening ports with addresses and port numbers in numerical form. This is useful for administrators who need to identify connections quickly without resolving hostnames, which saves time and avoids DNS lookups (and the delays and noise they cause) when there are many connections. The -an switch combines two options: -a displays all connections and listening ports, and -n displays addresses and port numbers in numerical form. On Windows, netstat -ano additionally shows the owning process ID; on current Linux distributions netstat is considered legacy and ss -tan gives the equivalent listing.
Reference: The usage of netstat -an aligns with the objectives and documents of the Certified Network Defender (CND) course, which emphasizes understanding and using network commands for effective network security management.
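As an added example (not from the page or the CND course), the block below parses netstat -an style output and pulls out the remote endpoints in numeric form, then applies the check an administrator usually wants next: which ESTABLISHED connections have a peer outside the site's own address ranges. The netstat output is constructed to look like Linux netstat and is not from a real host, and the internal ranges are an assumption for the example.

```python
"""Parse `netstat -an` output and list remote (foreign) endpoints in numeric
form, flagging established connections to addresses outside the site.

Added example, not from the page or the CND course; the output below is
constructed to look like Linux netstat and is not from a real host.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")

# Constructed sample output (not captured from a real system).
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.9:40000      TIME_WAIT
tcp        0      0 10.0.0.5:55000          10.0.0.20:3306          ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Assumed site-internal ranges; a real deployment would list its own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_endpoint(text):
    """'203.0.113.7:51234' -> ('203.0.113.7', 51234); a '*' port -> None.
    rpartition keeps IPv6 addresses (which contain colons) intact."""
    host, _, port = text.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(output):
    """Turn the socket lines of netstat -an into Conn records; header and
    banner lines are skipped."""
    conns = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        lip, lport = split_endpoint(parts[3])
        rip, rport = split_endpoint(parts[4])
        state = parts[5] if len(parts) > 5 else ""   # UDP lines carry no state
        conns.append(Conn(parts[0], lip, lport, rip, rport, state))
    return conns


def external_established(conns, internal_nets=INTERNAL_NETS):
    """Remote ip:port of ESTABLISHED connections whose peer lies outside the
    internal ranges: the connections an administrator looks at first."""
    out = []
    for c in conns:
        if c.state != "ESTABLISHED" or c.remote_port is None:
            continue
        peer = ipaddress.ip_address(c.remote_ip)
        if not any(peer in net for net in internal_nets):
            out.append(f"{c.remote_ip}:{c.remote_port}")
    return out


if __name__ == "__main__":
    for ep in external_established(parse_netstat(NETSTAT_OUTPUT)):
        print(ep)
```

The parser keys on the protocol column rather than on line position, so banner lines and the column header are ignored, and it tolerates the UDP lines that have no State column.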

Question No : 10


Blake is working on the company's updated disaster and business continuity plan. The last section of the plan covers computer and data incidence response. Blake is outlining the level of severity for each type of incident in the plan.
Unsuccessful scans and probes are at what severity level?

Answer:
Explanation:
In the context of incident response, unsuccessful scans and probes are typically considered a low severity level. This is because they often indicate an attempted reconnaissance or mapping of systems rather than a successful compromise or disruption of services. While they should be monitored and analyzed to improve defenses and detect patterns of malicious activity, they do not usually signify an immediate threat to the integrity, availability, or confidentiality of systems.
Reference: The classification of unsuccessful scans and probes as low severity is consistent with standard practices in incident response and is supported by various cybersecurity frameworks and guidelines, including those from the EC-Council’s Certified Network Defender (CND) program.

Question No : 11


John wants to implement a firewall service that works at the session layer of the OSI model. The firewall must also have the ability to hide the private network information.
Which type of firewall service is John thinking of implementing?

Answer:
Explanation:
A circuit-level gateway operates at the session layer of the OSI model, the layer responsible for establishing, maintaining and terminating connections between network nodes. It provides security by verifying the TCP handshake to confirm that a session is legitimate and by tracking the state of the connection. Unlike an application-level gateway, a circuit-level gateway does not inspect packet contents; it works on header and session information and relays traffic only for established, permitted sessions. Because the gateway relays the connection on the internal host's behalf (SOCKS is the classic example), the external party sees only the gateway's address, which is what hides the private network's internal structure.
Reference: The operation of circuit-level gateways at the session layer and their ability to hide private network information is supported by standard firewall literature and aligns with the objectives and documents of EC-Council's Certified Network Defender (CND) program.

Question No : 12


Management asked Adam to implement a system allowing employees to use the same credentials to access multiple applications. Adam should implement the--------------------------authentication technique to satisfy the management request.

Answer:
Explanation:
Single sign-on (SSO) is an authentication process that lets a user access multiple applications with one set of login credentials. It is particularly useful where employees need to reach many systems and applications, because it simplifies the user experience and removes the need for multiple passwords. SSO reduces the administrative burden of managing multiple sets of credentials and can improve security by reducing password fatigue, which otherwise leads to weak password practices; it also concentrates risk in the single credential, so that credential should be protected with multi-factor authentication.
Reference: SSO is covered in the Certified Network Defender (CND) course as one of the authentication methods: the user is authenticated once and gains access to multiple systems without being prompted to log in again for each one.

Question No : 13


Bryson is the IT manager and sole IT employee working for a federal agency in California. The agency was just given a grant and was able to hire on 30 more employees for a new extended project. Because of this, Bryson has hired on two more IT employees to train up and work. Both of his new hires are straight out of college and do not have any practical IT experience. Bryson has spent the last two weeks teaching the new employees the basics of computers, networking, troubleshooting techniques etc. To see how these two new hires are doing, he asks them at what layer of the OSI model do Network Interface Cards (NIC) work on.
What should the new employees answer?

Answer:
Explanation:
For this question the expected answer is the Physical layer of the OSI model. The Physical layer provides the actual physical connection between devices: it transmits individual bits from one node to the next and covers the electrical, mechanical, procedural and functional aspects of activating, maintaining and deactivating physical links. Cables, hubs and NICs are the hardware usually associated with it. In practice a NIC also implements the MAC sublayer of the Data Link layer (it carries the MAC address and performs framing and error checking), so many references describe NICs as Layer 1 and Layer 2 devices; be aware of that distinction when answering.
Reference: The OSI model's definition of the Physical layer as described in networking literature and resources such as the GeeksforGeeks and freeCodeCamp articles on the OSI model.

Question No : 14


A network administrator is monitoring the network traffic with Wireshark.
Which of the following filters will she use to view the packets moving without setting a flag to detect TCP Null Scan attempts?

Answer:
Explanation:
In Wireshark, the filter that detects TCP Null Scan attempts is tcp.flags==0. It shows packets in which no TCP flags are set, which is the signature of a Null Scan. A TCP Null Scan is a network reconnaissance technique in which the attacker sends TCP packets with no flags set to the target system. A RST reply indicates that the port is closed, while no response suggests that the port is open or filtered. The technique is used because some systems do not log these packets, so the scan can go unnoticed. Note that the inference only works against stacks that follow RFC 793 behaviour; Windows and many network devices reply with RST regardless of port state, so a Null Scan against them reports every port as closed.
Reference: Standard network security practice for monitoring and analyzing traffic with Wireshark, and the description of TCP Null Scans and their detection in network security resources.
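The following added example (not from the page) applies the tcp.flags==0 condition to raw packet bytes, which is what a detector does when Wireshark is not in the loop. The packets are constructed inline with struct; the parser reads the IPv4 header length so it works with IP options, and it evaluates the TCP flags the way Wireshark's tcp.flags field does, as the 12-bit field made of the reserved bits, NS and the eight classic flags, so a packet with only NS set is not counted as a Null Scan either. Addresses and ports are invented for the illustration.

```python
"""Detect TCP Null Scan packets (no TCP flags set) from raw packet bytes,
the same condition as the Wireshark display filter tcp.flags==0.

Added example, not from the page. Packets are constructed inline with
struct; the parser handles IPv4 with options (IHL) and treats the TCP
flags as Wireshark does: the 12-bit field made of the reserved bits, NS
and the eight classic flags.
"""
import struct

FLAG_NAMES = {0x001: "FIN", 0x002: "SYN", 0x004: "RST", 0x008: "PSH",
              0x010: "ACK", 0x020: "URG", 0x040: "ECE", 0x080: "CWR",
              0x100: "NS"}


def build_packet(src, dst, sport, dport, flags12):
    """Constructed IPv4 header (no options) + 20-byte TCP header; checksums
    are left zero since only the flags field matters here."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    offset_ns = (5 << 4) | ((flags12 >> 8) & 0x0F)   # data offset 5 words, then NS/reserved
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, offset_ns,
                      flags12 & 0xFF, 8192, 0, 0)
    return ip + tcp


def tcp_flags(packet):
    """Return the 12-bit TCP flags of an IPv4/TCP packet, or None if the
    packet is not IPv4/TCP or is truncated."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 14:
        return None
    offset_ns, flags = packet[ihl + 12], packet[ihl + 13]
    return ((offset_ns & 0x0F) << 8) | flags


def is_null_scan(packet):
    """Equivalent of the Wireshark filter tcp.flags==0."""
    return tcp_flags(packet) == 0


def flag_names(flags12):
    """Human-readable flag list, e.g. 0x014 -> ['RST', 'ACK']."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags12 & bit]


def find_null_scans(packets):
    """Return (src, dst, dport) for every packet with no flags set."""
    hits = []
    for p in packets:
        if is_null_scan(p):
            ihl = (p[0] & 0x0F) * 4
            src = ".".join(str(b) for b in p[12:16])
            dst = ".".join(str(b) for b in p[16:20])
            dport = struct.unpack("!H", p[ihl + 2:ihl + 4])[0]
            hits.append((src, dst, dport))
    return hits


SAMPLE = [   # constructed traffic, not a real capture
    build_packet("10.0.0.9", "10.0.0.5", 40000, 22, 0x002),    # SYN
    build_packet("10.0.0.9", "10.0.0.5", 40001, 80, 0x000),    # null scan probe
    build_packet("10.0.0.9", "10.0.0.5", 40002, 443, 0x000),   # null scan probe
    build_packet("10.0.0.5", "10.0.0.9", 80, 40001, 0x014),    # RST/ACK: port closed
    build_packet("10.0.0.9", "10.0.0.5", 40003, 25, 0x100),    # NS only: not a null scan
]

if __name__ == "__main__":
    for src, dst, dport in find_null_scans(SAMPLE):
        print(f"null scan {src} -> {dst}:{dport}")
```

Counting hits per source over a short window (many null probes to distinct ports from one address) is the usual next step before raising an alert, since a single flagless packet can also be a corrupted or malformed frame.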

Question No : 15


Malone is finishing up his incident handling plan for IT before giving it to his boss for review. He is outlining the incident response methodology and the steps that are involved.
What is the last step he should list?

Answer:
Explanation:
According to the Certified Network Defender (CND) guidelines, the last step in the incident response methodology is the follow-up. It reviews and analyzes the incident to understand what happened, how it was handled, and how similar incidents can be prevented; it includes updating the incident response plan, improving security measures, and providing training to prevent recurrence.
Reference: EC-Council's Certified Network Defender (CND) program describes an incident response life cycle of preparation, detection and analysis, containment, eradication and recovery, and post-event activity, of which the follow-up is the critical component.
