EC-COUNCIL 312-38 Online Practice Questions and Exam Preparation
312-38 Exam Details
Exam Code: 312-38
Exam Name: EC-Council Certified Network Defender (CND)
Certification: EC-COUNCIL Certifications
Vendor: EC-COUNCIL
Total Questions: 653 Q&As
Last Updated: May 29, 2026
EC-COUNCIL 312-38 Online Questions & Answers
Question 531:
Which of the following conditions cannot enter the system ROM monitor mode? Each correct answer represents a complete solution. Choose all that apply.
A. The router does not find a valid operating system image.
B. The router does not have the configuration file.
C. The user interrupts the boot sequence.
D. It is necessary to set the operating parameters.

A. The router does not find a valid operating system image.
C. The user interrupts the boot sequence.
Question 532:
Which of the following procedures is intended to enable security personnel to identify, mitigate, and recover from malware events, such as unauthorized access to systems or data, denial-of-service, or unauthorized changes to the system hardware, software, or information?
A. None
B. disaster survival plan
C. Cyber Incident Response Plan
D. A resident of the emergency plan
E. Crisis communications guidelines

C. Cyber Incident Response Plan
Question 533:
Which of the following statements best describes the consequences of the disaster recovery plan test?
A. The plan should not be changed no matter what the results of the test would be.
B. The results of the test should be kept secret.
C. If no deficiencies were found during the test, then the test was probably flawed.
D. If no deficiencies were found during the test, then the plan is probably perfect.

C. If no deficiencies were found during the test, then the test was probably flawed.
Explanation/Reference:
The chief objective of a disaster recovery plan is to provide a planned way to make decisions if a disruptive event occurs. The reason behind the disaster recovery plan test is to find flaws in the plan. Every plan has some weak points. After the test has been conducted, all parties are informed of the results and the plan is updated to reflect the new information.
Question 534:
Which of the following IP addresses is the loopback address in IPv6?
A. 0:0:0:0:0:0:0:1
B. 0:0:0:1:1:0:0:0
C. 0:0:0:0:0:0:0:0
D. 1:0:0:0:0:0:0:0

A. 0:0:0:0:0:0:0:1
Question 535:
Which of the following is an open source implementation of the syslog protocol for Unix?
A. syslog-os
B. syslog Unix
C. syslog-ng
D. Unix-syslog

C. syslog-ng
Question 536:
Fill in the blank with the appropriate term. The ______ layer establishes, manages, and terminates the connections between the local and remote application.
session
Explanation/Reference:
The session layer of the OSI/RM controls the dialogues (connections) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for full-duplex, half-duplex, or simplex operation, and establishes checkpointing, adjournment, termination, and restart procedures. The OSI model made this layer responsible for graceful close of sessions, which is a property of the Transmission Control Protocol, and also for session check pointing and recovery, which is not usually used in the Internet Protocol Suite. The Session Layer is commonly implemented explicitly in application environments that use remote procedure calls.
Question 537:
Maximus Tech is a multinational company that uses Cisco ASA Firewalls for their systems. Jason is one of the members of the team that checks the logs at Maximus Tech. As a part of his job, he is going through the logs and he came across a firewall log that looks like this:
May 06 2018 21:27:27 asa 1: %ASA-6-11008: User 'enable_16' executed the 'configure term' command
Based on the security level mentioned in the log, what did Jason understand about the description of this message?
A. Normal but significant message
B. Informational message
C. Critical condition message
D. Warning condition message

D. Warning condition message
Question 538:
Which of the following honeypots provides an attacker access to the real operating system without any restriction and collects a vast amount of information about the attacker?
A. High-interaction honeypot
B. Medium-interaction honeypot
C. Honeyd
D. Low-interaction honeypot

A. High-interaction honeypot
Explanation/Reference:
A high-interaction honeypot offers a vast amount of information about attackers. It provides an attacker access to the real operating system without any restriction. A high-interaction honeypot is a powerful weapon that provides opportunities to discover new tools, to identify new vulnerabilities in the operating system, and to learn how blackhats communicate with one another.
Answer option D is incorrect. A low-interaction honeypot captures limited amounts of information that are mainly transactional data and some limited interactive information. Because of simple design and basic functionality, low-interaction honeypots are easy to install, deploy, maintain, and configure. A low-interaction honeypot detects unauthorized scans or unauthorized connection attempts. A low-interaction honeypot is like a one-way connection, as the honeypot provides services that are limited to listening ports. Its role is very passive and does not alter any traffic. It generates logs or alerts when incoming packets match their patterns.
Answer option B is incorrect. A medium-interaction honeypot offers richer interaction capabilities than a low-interaction honeypot, but does not provide any real underlying operating system target. Installing and configuring a medium-interaction honeypot takes more time than a low-interaction honeypot. It is also more complicated to deploy and maintain as compared to a low-interaction honeypot. A medium-interaction honeypot captures a greater amount of information but comes with greater risk.
Answer option C is incorrect. Honeyd is an example of a low-interaction honeypot.
Question 539:
How many layers are present in the TCP/IP model?
A. 10
B. 5
C. 4
D. 7

B. 5
Question 540:
Adam, a malicious hacker, has just succeeded in stealing a secure cookie via an XSS attack. He is able to replay the cookie even while the session is valid on the server. Which of the following is the most likely reason for this?
A. No encryption is applied.
B. Two way encryption is applied.
C. Encryption is performed at the network layer (layer 1 encryption).
D. Encryption is performed at the application layer (single encryption key).

D. Encryption is performed at the application layer (single encryption key).
Explanation/Reference:
Single key encryption uses a single word or phrase as the key. The same key is used by the sender to encrypt and the receiver to decrypt. Sender and receiver initially need to have a secure way of passing the key from one to the other. With TLS or SSL this would not be possible. Symmetric encryption is a type of encryption that uses a single key to encrypt and decrypt data. Symmetric encryption algorithms are faster than public key encryption. Therefore, it is commonly used when a message sender needs to encrypt a large amount of data. Data Encryption Standard (DES) uses the symmetric encryption key algorithm to encrypt data.