EC-COUNCIL EC-COUNCIL Certifications 312-38 Questions & Answers

• Question 241:

  You are an IT security consultant working on a contract for a large manufacturing company to audit their entire network. After performing all the tests and building your report, you present a number of recommendations to the company and what they should implement to become more secure. One recommendation is to install a network-based device that notifies IT employees whenever malicious or questionable traffic is found. From your talks with the company, you know that they do not want a device that actually drops traffic completely, they only want notification. What type of device are you suggesting?

  A. A NIDS device would work best for the company.

  B. A HIPS device would best suite this company.

  C. The best solution to cover the needs of this company would be a HIDS device.

  D. You are suggesting a NIPS device.

  Correct Answer: A

• Question 242:

  Cindy is the network security administrator for her company. She just got back from a security conference in Las Vegas where they talked about all kinds of old and new security threats; many of which she did not know of. She is worried about the current security state of her company's network so she decides to start scanning the network from an external IP address. To see how some of the hosts on her network react, she sends out SYN packets to an IP range. A number of IPs respond with a SYN/ACK response. Before the connection is established, she sends RST packets to those hosts to stop the session. She has done this to see how her intrusion detection system will log the traffic. What type of scan is Cindy attempting here?

  A. The type of scan she is using is called a NULL scan.

  B. Cindy is attempting to find live hosts on her company's network by using a XMAS scan.

  C. Cindy is using a half-open scan to find live hosts on her network.

  D. She is utilizing a RST scan to find live hosts that are listening on her network.

  Correct Answer: C

• Question 243:

  An attacker uses different types of password cracking techniques to crack the password and gain unauthorized access to a system. An attacker uses a file containing a list of commonly used passwords. They then upload this file into the cracking application that runs against the user accounts. Which of the following password cracking techniques is the attacker trying?

  A. Hybrid

  B. Rainbow table

  C. Dictionary

  D. Bruteforce

  Correct Answer: C

• Question 244:

  The SOC manager is reviewing logs in AlienVault USM to investigate an intrusion on the network. Which CND approach is being used?

  A. Retrospective

  B. Reactive

  C. Deterrent

  D. Preventive

  Correct Answer: A

• Question 245:

  Which of the following is a mechanism that helps in ensuring that only the intended and authorized recipients are able to read data?

  A. Integrity

  B. Data availability

  C. Confidentiality

  D. Authentication

  Correct Answer: C

  Confidentiality is a mechanism that ensures that only the intended and authorized recipients are able to read data. The data is so encrypted that even if an unauthorized user gets access to it, he will not get any meaning out of it. Answer option A is incorrect. In information security, integrity means that data cannot be modified without authorization. This is not the same thing as referential integrity in databases. Integrity is violated when an employee accidentally or with malicious intent deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a web site, when someone is able to cast a very large number of votes in an online poll, and so on. There are many ways in which integrity could be violated without malicious intent. In the simplest case, a user on a system could mistype someone's address. On a larger scale, if an automated process is not written and tested correctly, bulk updates to a database could alter data in an incorrect way, leaving the integrity of the data compromised. Information security professionals are tasked with finding ways to implement controls that prevent errors of integrity. Answer option B is incorrect. Data availability is one of the security principles that ensures that the data and communication services will be available for use when needed (expected). It is a method of describing products and services availability by which it is ensured that data continues to be available at a required level of performance in situations ranging from normal to disastrous. Data availability is achieved through redundancy, which depends upon where the data is stored and how it can be reached. Answer option D is incorrect. Authentication is the act of establishing or confirming something (or someone) as authentic, i.e., the claims made by or about the subject are true ("authentification" is a variant of this word).

• Question 246:

  This is a Windows-based tool that is used for the detection of wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards. The main features of these tools are as follows:

  It displays the signal strength of a wireless network, MAC address, SSID, channel details, etc.

  It is commonly used for the following purposes:

  A. War driving

  B. Detecting unauthorized access points

  C. Detecting causes of interference on a WLAN

  D. WEP ICV error tracking

  E. Making Graphs and Alarms on 802.11 Data, including Signal Strength This tool is known as __________.

  F. Kismet

  G. Absinthe

  H. THC-Scan

  I. NetStumbler

  Correct Answer: D

  NetStumbler is a Windows-based tool that is used for the detection of wireless LANs using the IEEE 802.11a, 802.11b, and 802.11g standards. The main features of NetStumbler are as follows:

  It displays the signal strength of a wireless network, MAC address, SSID, channel details, etc.

  It is commonly used for the following purposes:

  a.War driving

  b.Detecting unauthorized access points

  c.Detecting causes of interference on a WLAN

  d.WEP ICV error tracking

  e.Making Graphs and Alarms on 802.11 Data, including Signal Strength

  Answer option A is incorrect. Kismet is an IEEE 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.

  Answer option C is incorrect. THC-Scan is a war-dialing tool.

  Answer option B is incorrect. Absinthe is an automated SQL injection tool.

• Question 247:

  Which of the following steps will NOT make a server fault tolerant? Each correct answer represents a complete solution. (Choose two.)

  A. Adding a second power supply unit

  B. Performing regular backup of the server

  C. Adding one more same sized disk as mirror on the server

  D. Implementing cluster servers' facility

  E. Encrypting confidential data stored on the server

  Correct Answer: BE

  Encrypting confidential data stored on the server and performing regular backup will not make the server fault tolerant.

  Fault tolerance is the ability to continue work when a hardware failure occurs on a system. A fault-tolerant system is designed from the ground up for reliability by building multiples of all critical components, such as CPUs, memories, disks

  and power supplies into the same computer. In the event one component fails, another takes over without skipping a beat.

  Answer options A, C, and D are incorrect. The following steps will make the server fault tolerant:

  Adding a second power supply unit

  Adding one more same sized disk as a mirror on the server implementing cluster servers facility

• Question 248:

  Which of the following help in estimating and totaling up the equivalent money value of the benefits and costs to the community of projects for establishing whether they are worthwhile? Each correct answer represents a complete solution. Choose all that apply.

  A. Business Continuity Planning

  B. Benefit-Cost Analysis

  C. Disaster recovery

  D. Cost-benefit analysis

  Correct Answer: DB

  Cost-benefit analysis is a process by which business decisions are analyzed. It is used to estimate and total up the equivalent money value of the benefits and costs to the community of projects for establishing whether they are worthwhile. It is a term that refers both to: helping to appraise, or assess, the case for a project, program, or policy proposal; an approach to making economic decisions of any kind. Under both definitions, the process involves, whether explicitly or implicitly, weighing the total expected costs against the total expected benefits of one or more actions in order to choose the best or most profitable option. The formal process is often referred to as either CBA (Cost-Benefit Analysis) or BCA (Benefit-Cost Analysis). Answer option A is incorrect. Business Continuity Planning (BCP) is the creation and validation of a practiced logistical plan that defines how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption. The logistical plan is called a Business Continuity Plan. Answer option C is incorrect. Disaster recovery is the process, policies, and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery planning is a subset of a larger process known as business continuity planning and should include planning for resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity.

• Question 249:

  Which of the following are the common security problems involved in communications and email? Each correct answer represents a complete solution. Choose all that apply.

  A. False message

  B. Message digest

  C. Message replay

  D. Message repudiation

  E. Message modification

  F. Eavesdropping

  G. Identity theft

  Correct Answer: ACDEFG

  Following are the common security problems involved in communications and email:

  Eavesdropping: It is the act of secretly listening to private information through telephone lines, e-mail, instant messaging, and any other method of communication considered private. Identity theft: It is the act of obtaining someone's username

  and password to access his/her email servers for reading email and sending false email messages. These credentials can be obtained by eavesdropping on SMTP, POP, IMAP, or Webmail connections.

  Message modification: The person who has system administrator permission on any of the SMTP servers can visit anyone's message and can delete or change the message before it continues on to its destination. The recipient has no way

  of telling that the email message has been altered.

  False message: It the act of constructing messages that appear to be sent by someone else.

  Message replay: In a message replay, messages are modified, saved, and re-sent later.

  Message repudiation: In message repudiation, normal email messages can be forged. There is no way for the receiver to prove that someone had sent him/her a particular message. This means that even if someone has sent a message, he/

  she can successfully deny it.

  Answer option B is incorrect. A message digest is a number that is created algorithmically from a file and represents that file uniquely.

• Question 250:

  Which of the following are the six different phases of the Incident handling process? Each correct answer represents a complete solution. Choose all that apply.

  A. Containment

  B. Identification

  C. Post mortem review

  D. Preparation

  E. Lessons learned

  F. Recovery

  G. Eradication

  Correct Answer: ABDEFG

  Following are the six different phases of the Incident handling process: 1.Preparation: Preparation is the first step in the incident handling process. It includes processes like backing up copies of all key data on a regular basis, monitoring and updating software on a regular basis, and creating and implementing a documented security policy. To apply this step a documented security policy is formulated that outlines the responses to various incidents, as a reliable set of instructions during the time of an incident. The following list contains items that the incident handler should maintain in the preparation phase i.e. before an incident occurs: Establish applicable policies Build relationships with key players Build response kit Create incident checklists Establish communication plan Perform threat modeling Build an incident response team Practice the demo incidents 2.Identification: The Identification phase of the Incident handling process is the stage at which the Incident handler evaluates the critical level of an incident for an enterprise or system. It is an important stage where the distinction between an event and an incident is determined, measured and tested. 3.Containment: The Containment phase of the Incident handling process supports and builds up the incident combating process. It helps in ensuring the stability of the system and also confirms that the incident does not get any worse. 4.Eradication: The Eradication phase of the Incident handling process involves the cleaning-up of the identified harmful incidents from the system. It includes the analyzing of the information that has been gathered for determining how the attack was committed. To prevent the incident from happening again, it is vital to recognize how it was conceded out so that a prevention technique is applied. 5.Recovery: Recovery is the fifth step of the incident handling process. In this phase, the Incident Handler places the system back into the working environment. In the recovery phase the Incident Handler also works with the questions to validate that the system recovery is successful. This involves testing the system to make sure that all the processes and functions are working normal. The Incident Handler also monitors the system to make sure that the systems are not compromised again. It looks for additional signs of attack. 6.Lessons learned: Lessons learned is the sixth and the final step of incident handling process. The Incident Handler utilizes the knowledge and experience he learned during the handling of the incident to enhance and improve the incident-handling process. This is the most ignorant step of all incident handling processes. Many times the Incident Handlers are relieved to have systems back to normal and get busy trying to catch up other unfinished work. The Incident Handler should make documents related to the incident or look for ways to improve the process. Answer option C is incorrect. The post mortem review is one of the phases of the Incident response process.