312-97 시험 - EC-Council실제시험문제와 답 - 500문항

Question No : 1

A security team is tasked with improving password management across an organization. They need to implement a policy that forces users to reset their passwords every 90 days while ensuring that old passwords cannot be reused.
What steps should they take to configure the password management system?

A.Force users to change their passwords annually and allow the reuse of old passwords if they are reset through a password recovery mechanism.
B.Enforce password rotation every 90 days, implement password history to prevent reuse, and require a minimum complexity level for new passwords to include special characters, numbers, and uppercase letters.
C.Allow password reuse after three password changes and enforce a password expiration policy every 120 days with optional password complexity.
D.Set no expiration for passwords but require users to reset their passwords manually after a security incident.

정답:
Explanation:
Enforcing password rotation every 90 days ensures that compromised passwords are replaced regularly, reducing the risk of long-term credential abuse. Requiring that old passwords cannot be reused ensures that users create new, strong passwords each time, enhancing overall security.

Question No : 2

During the deployment of an application that stores sensitive data, which configuration should be used to enable encryption at rest using AWS S3 bucket encryption?

A.Enable server-side encryption with customer-provided keys (SSE-C) for the S3 bucket.
B.Enable S3 object encryption using a custom-built encryption algorithm stored in the application layer.
C.Apply server-side encryption using AES-256 keys managed by AWS KMS for the S3 bucket.
D.Enable encryption using MD5 hash functions with no specific key rotation plan for S3 data.

정답:
Explanation:
Server-side encryption with AES-256 managed by AWS Key Management Service (KMS) ensures that data at rest in the S3 bucket is protected by strong encryption standards. AWS KMS automates the encryption and key management process, ensuring that sensitive data remains secure without manual intervention.

Question No : 3

A security team is tasked with enhancing API security.
What command correctly implements an HMAC-based authorization header for API requests?

A.ssh -i api_key.pem [email protected] "cat /var/log/api_access.log"
B.curl -H "Authorization: hmac username,nonce,signature" https://api.example.com/data
C.openssl dgst -sha256 -hmac "secretkey" -out digest.txt data_to_protect.txt
D.curl -H "Authorization: hmac username,nonce,signature" https://api.example.com/data

정답:
Explanation:
HMAC (Hash-based Message Authentication Code) provides a secure way to authenticate API requests. The command shown creates an authorization header using HMAC, where the signature is generated through a secure hash algorithm, ensuring that the API request is from a verified user.

Question No : 4

In mobile DevSecOps, what command should be used to encrypt sensitive data before storing it in a shared preferences file on Android?

A.openssl rsa -in private.pem -outform PEM -pubout -out public.pem
B.openssl enc -aes-256-cbc -salt -in plaintextfile -out encryptedfile.key -k password
C.gpg --symmetric --cipher-algo AES256 plaintextfile
D.mcrypt -u -a rijndael-256 -m ecb -k passKey

정답:
Explanation:
Using OpenSSL to encrypt sensitive data with AES-256-CBC before storing it in shared preferences provides a high level of security by ensuring that data cannot be read if accessed unauthorized. This method encrypts files securely using a robust algorithm, which is crucial for protecting sensitive information in mobile applications.

Question No : 5

Fill in the blank: To mitigate cross-site scripting (XSS) through input validation, it is essential to sanitize user inputs, especially in fields that accept HTML content. One effective method is to use _____ to encode input before it is rendered in the browser.

A.Base64 encoding.
B.URL parameter encoding.
C.HTML character entity encoding.
D.JavaScript Object Notation (JSON) encoding.

정답:
Explanation:
HTML character entity encoding converts potentially harmful characters into their respective HTML entities, which browsers interpret as display text rather than executable HTML or JavaScript, thus preventing XSS attacks.

Question No : 6

In a Jenkins pipeline, how should you securely handle API keys to avoid hardcoding them into the Jenkinsfile?

A.def apiKey = 'hardcoded-api-key'; echo "Using API key: $apiKey"
B.parameters { string(name: 'API_KEY', defaultValue: 'your-key') } // globally accessible
C.environment { API_KEY = 'insert-your-api-key-here' } // in pipeline script
D.withCredentials([string(credentialsId: 'api-key-id', variable: 'API_KEY')]) { // use $API_KEY }

정답:
Explanation:
Using the withCredentials step in Jenkins securely injects the API key into the build environment, exposing it only where necessary and preventing it from being logged or stored in a way that is accessible after the process completes, thus adhering to best practices for sensitive data handling.

Question No : 7

What command would you use in Docker to securely pass secrets to a running container without leaving traces on the filesystem?

A.docker run --name app-container -v /path/to/secrets:/secrets:ro myapp
B.docker run --name app --secret source=api_key,target=/run/secrets/api_key,readonly myapp
C.docker create --name secure-app -e API_KEY=$(cat /tmp/apikey) myapp
D.docker exec -it app echo "export API_KEY=your_api_key_here" > /root/.bashrc

정답:
Explanation:
The --secret option in Docker securely provides access to a secret within a container without writing it to disk, thereby ensuring that sensitive data is not exposed on the host filesystem or within the containerâ??s writable layers, significantly enhancing the security of containerized applications.

Question No : 8

A DevOps team needs to update their CI/CD pipeline to integrate with Vault for secrets management.
What is a crucial first step they should take to secure API keys?

A.Implement a manual process where developers must request access to Vault via IT support each time.
B.Set up an automated script to regularly rotate API keys and update them in Vault without policy constraints.
C.Directly embed Vault's API key into the CI/CD pipeline script for quick integration and setup.
D.Configure Vault policies that restrict access based on minimum necessary privileges and roles.

정답:
Explanation:
Configuring Vault with strict access policies before integrating it into the CI/CD pipeline ensures that the security of secrets is controlled and that only authorized entities have access based on defined roles, significantly reducing the risk of unauthorized access to sensitive data.

Question No : 9

In a simulated environment, an application developer implemented an input validation function. However, they reported unexpected crashes when certain inputs were processed. Analyze the scenario and identify the potential cause.

A.The input data is being validated against an outdated or incorrect regular expression pattern.
B.The crash is due to a misconfiguration in the application’s exception handling routines, not related to input validation.
C.The input validation function may lack proper error handling and boundary checks, causing buffer overflow.
D.There might be an infinite loop in the validation logic, consuming all available memory resources.

정답:
Explanation:
Lack of error handling and boundary checks in input validation can lead to buffer overflows, especially if input exceeds expected limits or contains unexpected characters, leading to application crashes.

Question No : 10

A DevSecOps engineer plans to integrate OWASP ZAP with their CI/CD pipeline.
Which setup would ensure that ZAP properly scans pull requests before merging?

A.Utilizing the ZAP Docker container to initiate scans triggered by pull request events in the CI/CD pipeline.
B.Implementing a gateway step in the pipeline that halts all builds until ZAP scans are manually approved.
C.Using a scheduled nightly build to perform scans irrespective of code changes or pull requests.
D.Configuring a manual trigger within the CI/CD pipeline that requires developer input to start the ZAP scan.

정답:
Explanation:
Incorporating OWASP ZAP into the CI/CD pipeline using its Docker container allows for automated and consistent security testing. This setup ensures that every pull request is automatically scanned for vulnerabilities before it is merged, significantly improving the security audit process and maintaining code quality throughout the development lifecycle.

Question No : 11

Fill in the blank: To prevent unauthorized access to data in transit, the best practice is to use ____ to encrypt data transmitted between applications over a network.

A.Transport Layer Security (TLS) version 1.3.
B.Internet Protocol Security (IPsec) tunneling.
C.Secure Shell (SSH) version 2.
D.Datagram Transport Layer Security (DTLS) version 1.2.

정답:
Explanation:
Transport Layer Security (TLS) version 1.3 is recommended for encrypting data in transit. It provides strong encryption and enhanced security features compared to older protocols, protecting data from eavesdropping and tampering during transmission.

Question No : 12

Fill in the blank: To comply with data privacy regulations such as GDPR, personal data in transit must be encrypted using secure protocols like ____ to prevent unauthorized access.

A.Internet Protocol Security (IPSec) tunneling.
B.Hypertext Transfer Protocol Secure (HTTPS) version 1.1.
C.Secure Shell (SSH) protocol version 2.
D.Transport Layer Security (TLS) version 1.3.

정답:
Explanation:
Transport Layer Security (TLS) version 1.3 is a widely recognized protocol for encrypting data in transit. It offers improved security features over earlier versions, ensuring that personal data is protected during transmission between client and server.

Question No : 13

When configuring rate limits on API endpoints to mitigate DoS attacks, which of the following strategies ensures optimal performance while preventing misuse?

A.Using a server-wide fixed threshold for all users, with no differentiation based on individual usage patterns.
B.Setting a global timeout for all API requests to limit the processing time and reduce the risk of overload.
C.Applying a user-specific and IP-specific request cap that adjusts based on typical user behavior.
D.wget --header="Authorization: Bearer $(echo -n username | base64)" https://api.example.com/data

정답:
Explanation:
User-specific and IP-specific caps adjust based on behavior and provide flexible control, which balances usability and security by adapting to real usage patterns. This prevents abuse while maintaining accessibility for legitimate users.

Question No : 14

In a serverless architecture, what is the primary security benefit of segregating sensitive operations into dedicated Lambda functions?

A.It allows for more granular logging and monitoring of actions performed by different functions.
B.This approach minimizes the attack surface by isolating sensitive operations, which reduces the potential impact of security breaches.
C.Dedicated functions can leverage AWS’s built-in security features like AWS Shield for enhanced protection.
D.It simplifies the codebase by consolidating multiple operations into single, multi-purpose functions.

정답:
Explanation:
By isolating sensitive operations in dedicated Lambda functions, any compromise only affects that limited part of the system, significantly reducing the breachâ??s impact by containing any potential damage to a confined area, enhancing overall security.

Question No : 15

Fill in the blank: In an IAST configuration, the security team must ensure that the __________ is capable
of handling real-time analysis and reporting.

A.load balancer
B.central monitoring dashboard
C.security policy manager
D.application performance manager

정답:
Explanation:
A central monitoring dashboard is fundamental in an IAST setup to handle real-time data analysis and report on vulnerabilities efficiently. It centralizes security data, making it easier for teams to quickly assess and address security issues across applications.

EC-Council 312-97 시험