EC-COUNCIL EC-COUNCIL Certifications 312-50V12 Questions & Answers

• Question 361:

  Which regulation defines security and privacy controls for Federal information systems and organizations?

  A. HIPAA

  B. EU Safe Harbor

  C. PCI-DSS

  D. NIST-800-53

  Correct Answer: D

  NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost-effective programs to protect their information and information systems.

• Question 362:

  Which among the following is the best example of the hacking concept called "clearing tracks"?

  A. After a system is breached, a hacker creates a backdoor to allow re-entry into a system.

  B. During a cyberattack, a hacker injects a rootkit into a server.

  C. An attacker gains access to a server through an exploitable vulnerability.

  D. During a cyberattack, a hacker corrupts the event logs on all machines.

  Correct Answer: D

• Question 363:

  During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network. What is this type of DNS configuration commonly called?

  A. DynDNS

  B. DNS Scheme

  C. DNSSEC

  D. Split DNS

  Correct Answer: D

• Question 364:

  An Internet Service Provider (ISP) has a need to authenticate users connecting via analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay network. Which AAA protocol is the most likely able to handle this requirement?

  A. TACACS+

  B. DIAMETER

  C. Kerberos

  D. RADIUS

  Correct Answer: D

  https://en.wikipedia.org/wiki/RADIUS

  Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. RADIUS is a client/

  server protocol that runs in the application layer, and can use either TCP or UDP. Network access servers, which control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS

  is often the back-end of choice for 802.1X authentication. A RADIUS server is usually a background process running on UNIX or Microsoft Windows.

  Authentication and authorization

  The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials. The credentials are passed to the NAS device via the link-layer protocol--for example, Pointto-Point Protocol (PPP) in the case of many dialup or DSL providers or posted in an HTTPS secure web form. In turn, the NAS sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via

  the RADIUS protocol. This request includes access credentials, typically in the form of username and password or security certificate provided by the user. Additionally, the request may contain other information which the NAS knows about

  the user, such as its network address or phone number, and information regarding the user's physical point of attachment to the NAS. The RADIUS server checks that the information is correct using authentication schemes such as PAP,

  CHAP or EAP. The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status, and specific network service access privileges.

  Historically, RADIUS servers checked the user's information against a locally stored flat-file database. Modern RADIUS servers can do this or can refer to external sources--commonly SQL, Kerberos, LDAP, or Active Directory servers--to

  verify the user's credentials.

  

  Shape

  Description automatically generated with medium confidence

  The RADIUS server then returns one of three responses to the NAS:

  1) Access-Reject,

  2) Access-Challenge,

  3) Access-Accept.

  Access-Reject

  The user is unconditionally denied access to all requested network resources. Reasons may include failure to provide proof of identification or an unknown or inactive user account.

  Access-Challenge

  Requests additional information from the user such as a secondary password, PIN, token, or card. Access-Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and

  the Radius Server in a way that the access credentials are hidden from the NAS.

  Access-Accept

  The user is granted access. Once the user is authenticated, the RADIUS server will often check that the user is authorized to use the network service requested. A given user may be allowed to use a company's wireless network, but not its

  VPN service, for example. Again, this information may be stored locally on the RADIUS server or may be looked up in an external source such as LDAP or Active Directory.

• Question 365:

  Ricardo has discovered the username for an application in his targets environment. As he has a limited amount of time, he decides to attempt to use a list of common passwords he found on the Internet. He compiles them into a list and then feeds that list as an argument into his password-cracking application, what type of attack is Ricardo performing?

  A. Known plaintext

  B. Password spraying

  C. Brute force

  D. Dictionary

  Correct Answer: D

  A dictionary Attack as an attack vector utilized by the attacker to break in a very system, that is password protected, by golf shot technically each word in a very dictionary as a variety of password for that system. This attack vector could be a

  variety of Brute Force Attack.

  The lexicon will contain words from an English dictionary and conjointly some leaked list of commonly used passwords and once combined with common character substitution with numbers, will generally be terribly effective and quick.

  How is it done?

  Basically, it's attempting each single word that's already ready. it's done victimization machine-controlled tools that strive all the possible words within the dictionary.

  Some password Cracking Software:

  1.

  John the ripper

  2.

  L0phtCrack

  3.

  Aircrack-ng

• Question 366:

  Which of the following incident handling process phases is responsible for defining rules, collaborating human workforce, creating a back-up plan, and testing the plans for an organization?

  A. Preparation phase

  B. Containment phase

  C. Identification phase

  D. Recovery phase

  Correct Answer: A

• Question 367:

  Jack, a disgruntled ex-employee of Incalsol Ltd., decided to inject fileless malware into Incalsol's systems. To deliver the malware, he used the current employees' email IDs to send fraudulent emails embedded with malicious links that seem to be legitimate. When a victim employee clicks on the link, they are directed to a fraudulent website that automatically loads Flash and triggers the exploit. What is the technique used byjack to launch the fileless malware on the target systems?

  A. In-memory exploits

  B. Phishing

  C. Legitimate applications

  D. Script-based injection

  Correct Answer: B

• Question 368:

  Joel, a professional hacker, targeted a company and identified the types of websites frequently visited by its employees. Using this information, he searched for possible loopholes in these websites and injected a malicious script that can redirect users from the web page and download malware onto a victim's machine. Joel waits for the victim to access the infected web application so as to compromise the victim's machine. Which of the following techniques is used by Joel in the above scenario?

  A. DNS rebinding attack

  B. Clickjacking attack

  C. MarioNet attack

  D. Watering hole attack

  Correct Answer: B

  https://en.wikipedia.org/wiki/Clickjacking

  Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive

  information, transfer money, or purchase products online.

  Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page but in fact they are clicking an invisible element in the

  additional page transposed on top of it.

• Question 369:

  Insecure direct object reference is a type of vulnerability where the application does not verify if the user is authorized to access the internal object via its name or key. Suppose a malicious user Rob tries to get access to the account of a

  benign user Ned.

  Which of the following requests best illustrates an attempt to exploit an insecure direct object reference vulnerability?

  A. "GET /restricted/goldtransfer?to=Robandfrom=1 or 1=1' HTTP/1.1Host: westbank.com"

  B. "GET /restricted/\r\n\%00account%00Ned%00access HTTP/1.1 Host: westbank.com"

  C. "GET /restricted/accounts/?name=Ned HTTP/1.1 Host westbank.com"

  D. "GET /restricted/ HTTP/1.1 Host: westbank.com

  Correct Answer: C

  This question shows a classic example of an IDOR vulnerability. Rob substitutes Ned's name in the "name" parameter and if the developer has not fixed this vulnerability, then Rob will gain access to Ned's account. Below you will find more detailed information about IDOR vulnerability.

  Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. For example, an IDOR vulnerability would happen if the URL of a transaction could be changed through client-side user input to show unauthorized data of another transaction. Most web applications use simple IDs to reference objects. For example, a user in a database will usually be referred to via the user ID. The same user ID is the primary key to the database column containing user information and is generated automatically. The database key generation algorithm is very simple: it usually uses the next available integer. The same database ID generation mechanisms are used for all other types of database records. The approach described above is legitimate but not recommended because it could enable the attacker to enumerate all users. If it's necessary to maintain this approach, the developer must at least make absolutely sure that more than just a reference is needed to access resources. For example, let's say that the web application displays transaction details using the following URL: https://www.example.com/transaction.php?id=74656 A malicious hacker could try to substitute the id parameter value 74656 with other similar values, for example: https://www.example.com/transaction.php?id=74657 The 74657 transaction could be a valid transaction belonging to another user. The malicious hacker should not be authorized to see it. However, if the developer made an error, the attacker would see this transaction and hence we would have an insecure direct object reference vulnerability.

• Question 370:

  Based on the below log, which of the following sentences are true?

  Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip

  A. Application is FTP and 10.240.250.23 is the client and 10.249.253.15 is the server.

  B. Application is SSH and 10.240.250.23 is the server and 10.249.253.15 is the client.

  C. SSH communications are encrypted; it's impossible to know who is the client or the server.

  D. Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the server.

  Correct Answer: D

  Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip Let's just disassemble this entry. Mar 1, 2016, 7:33:28 AM - time of the request

  10.240.250.23 - 54373 - client's IP and port

  10.249.253.15 - server IP - 22 - SSH port