EC-COUNCIL EC-COUNCIL Certifications 312-38 Questions & Answers

• Question 381:

  Which of the following honeypots provides an attacker access to the real operating system without any restriction and collects a vast amount of information about the attacker?

  A. High-interaction honeypot

  B. Medium-interaction honeypot

  C. Honeyd

  D. Low-interaction honeypot

  Correct Answer: A

  A high-interaction honeypot offers a vast amount of information about attackers. It provides an attacker access to the real operating system without any restriction. A high-interaction honeypot is a powerful weapon that provides opportunities to discover new tools, to identify new vulnerabilities in the operating system, and to learn how blackhats communicate with one another. Answer option D is incorrect. A low-interaction honeypot captures limited amounts of information that are mainly transactional data and some limited interactive information. Because of simple design and basic functionality, low-interaction honeypots are easy to install, deploy, maintain, and configure. A low-interaction honeypot detects unauthorized scans or unauthorized connection attempts. A low-interaction honeypot is like a one-way connection, as the honeypot provides services that are limited to listening ports. Its role is very passive and does not alter any traffic. It generates logs or alerts when incoming packets match their patterns. Answer option B is incorrect. A medium-interaction honeypot offers richer interaction capabilities than a low-interaction honeypot, but does not provide any real underlying operating system target. Installing and configuring a medium- interaction honeypot takes more time than a low-interaction honeypot. It is also more complicated to deploy and maintain as compared to a low-interaction honeypot. A medium-interaction honeypot captures a greater amount of information but comes with greater risk. Answer option C is incorrect. Honeyd is an example of a low-interaction honeypot.

• Question 382:

  Which of the following is a standard protocol for interfacing external application software with an information server, commonly a Web server?

  A. DHCP

  B. IP

  C. CGI

  D. TCP

  Correct Answer: C

  The Common Gateway Interface (CGI) is a standard protocol for interfacing external application software with an information server, commonly a Web server. The task of such an information server is to respond to requests (in the case of web servers, requests from client web browsers) by returning output. When a user requests the name of an entry, the server will retrieve the source of that entry's page (if one exists), transform it into HTML, and send the result. Answer option A is incorrect. DHCP is a Dynamic Host Configuration Protocol that allocates unique (IP) addresses dynamically so that they can be used when no longer needed. A DHCP server is set up in a DHCP environment with the appropriate configuration parameters for the given network. The key parameters include the range or "pool" of available IP addresses, correct subnet masks, gateway, and name server addresses. Answer option B is incorrect. The Internet Protocol (IP) is a protocol used for communicating data across a packet-switched inter-network using the Internet Protocol Suite, also referred to as TCP/IP.IP is the primary protocol in the Internet Layer of the Internet Protocol Suite and has the task of delivering distinguished protocol datagrams (packets) from the source host to the destination host solely based on their addresses. For this purpose, the Internet Protocol defines addressing methods and structures for datagram encapsulation. The first major version of addressing structure, now referred to as Internet Protocol Version 4 (IPv4), is still the dominant protocol of the Internet, although the successor, Internet Protocol Version 6 (IPv6), is being deployed actively worldwide. Answer option D is incorrect. Transmission Control Protocol (TCP) is a reliable, connection-oriented protocol operating at the transport layer of the OSI model. It provides a reliable packet delivery service encapsulated within the Internet Protocol (IP). TCP guarantees the delivery of packets, ensures proper sequencing of data, and provides a checksum feature that validates both the packet header and its data for accuracy. If the network corrupts or loses a TCP packet during transmission, TCP is responsible for retransmitting the faulty packet. It can transmit large amounts of data. Application layer protocols, such as HTTP and FTP, utilize the services of TCP to transfer files between clients and servers.

• Question 383:

  Which of the following devices allows wireless communication devices to connect to a wireless network using Wi-Fi, Bluetooth, or related standards?

  A. Express card

  B. WAP

  C. WNIC

  D. Wireless repeater

  E. None

  Correct Answer: B

  A wireless access point (WAP) is a device that allows wireless communication devices to connect to a wireless network using Wi-Fi, Bluetooth, or related standards. The WAP usually connects to a wired network, and it can transmit data between wireless devices and wired devices on the network. Each access point can serve multiple users within a defined network area. As people move beyond the range of one access point, they are automatically handed over to the next one. A small WLAN requires a single access point. The number of access points in a network depends on the number of network users and the physical size of the network. Answer option C is incorrect. A wireless network interface card (WNIC) is a network card that connects to a radio-based computer network, unlike a regular network interface controller (NIC) that connects to a wire-based network such as token ring or ethernet. A WNIC, just like a NIC, works on the Layer 1 and Layer 2 of the OSI Model. A WNIC is an essential component for wireless desktop computer. This card uses an antenna to communicate through microwaves. A WNIC in a desktop computer is usually connected using the PCI bus. Answer option A is incorrect. ExpressCard, a new standard introduced by PCMCIA, is a thinner, faster, and lighter modular expansion for desktops and laptops. Users can add memory, wired or wireless communication cards, and security devices by inserting these modules into their computers. ExpressCard slots are designed to accommodate modules that use either Universal Serial Bus (USB) 2.0 or the PCI Express standard. ExpressCard modules are available in two sizes, i.e., 34 mm wide (ExpressCard/34) and 54 mm wide (ExpressCard/54). Both modules are 75 mm long and 5 mm high. An ExpressCard/34 module can be inserted in either a 54 mm slot or a 34 mm slot, but an ExpressCard/54 requires a Universal (54 mm) slot. However, an extender can be used with ExpressCard/34 slot to connect the ExpressCard/54 module from outside of the computer. Both the modules are identical in performance. They take full advantage of the features of the PCI Express or USB 2.0 interfaces. The only difference between them is that the ExpressCard/54 form-factor, due to its larger surface area, allows for greater thermal dissipation than does an ExpressCard/34. As the performance does not vary with module size, module developers usually prefer to fit their applications into the smaller ExpressCard/34 form factor. But some applications, such as SmartCard readers, and CompactFlash readers, require the extra width of an ExpressCard/54 module. Answer option D is incorrect. A wireless repeater is a networking device that works as a repeater between a wireless router and computers. It is used to connect a client to the network when the client is out of the service area of the access point. If the wireless repeater is configured properly, it extends the range of the wireless LAN network.

• Question 384:

  Which of the following protocols uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets?

  A. PPTP

  B. ESP

  C. LWAPP

  D. SSTP

  Correct Answer: A

  The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets. The PPTP specification does not describe encryption or authentication features and relies on the PPP protocol being tunneled to implement security functionality. However, the most common PPTP implementation, shipping with the Microsoft Windows product families, implements various levels of authentication and encryption natively as standard features of the Windows PPTP stack. The intended use of this protocol is to provide similar levels of security and remote access as typical VPN products. Answer option B is incorrect. Encapsulating Security Payload (ESP) is an IPSec protocol that provides confidentiality, in addition to authentication, integrity, and anti-replay. ESP can be used alone or in combination with Authentication Header (AH). It can also be nested with the Layer Two Tunneling Protocol (L2TP). ESP does not sign the entire packet unless it is being tunneled. Usually, only the data payload is protected, not the IP header. Answer option D is incorrect. Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel. SSL provides transport-level security with key- negotiation, encryption, and traffic integrity checking. The use of SSL over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers. SSTP servers must be authenticated during the SSL phase. SSTP clients can optionally be authenticated during the SSL phase, and must be authenticated in the PPP phase. The use of PPP allows support for common authentication methods, such as EAP-TLS and MS-CHAP. SSTP is available in Windows Server 2008, Windows Vista SP1, and later operating systems. It is fully integrated with the RRAS architecture in these operating systems, allowing its use with Winlogon or smart card authentication, remote access policies, and the Windows VPN client. Answer option C is incorrect. LWAPP (Lightweight Access Point Protocol) is a protocol used to control multiple Wi-Fi wireless access points at once. This can reduce the amount of time spent on configuring, monitoring, or troubleshooting a large network. This also allows network administrators to closely analyze the network.

• Question 385:

  Which of the following TCP commands are used to allocate a receiving buffer associated with the specified connection?

  A. Send

  B. Close

  C. None

  D. Receive

  E. Interrupt

  Correct Answer: D

  The Receive command is used to allocate a receiving buffer associated with the specified connection. An error is returned if no OPEN precedes this command or the calling process is not authorized to use this connection. Answer option A is

  incorrect. The Send command causes the data contained in the indicated user buffer to be sent to the indicated connection.

  Answer option C is incorrect. The Abort command causes all pending SENDs and RECEIVES to be aborted.

  Answer option B is incorrect. The Close command causes the connection specified to be closed.

• Question 386:

  Which of the following procedures is designed to enable security personnel to identify, mitigate, and recover from malicious computer incidents, such as unauthorized access to a system or data, denial-of-service, or unauthorized changes to system hardware, software, or data?

  A. Cyber Incident Response Plan

  B. Crisis Communication Plan

  C. Disaster Recovery Plan

  D. Occupant Emergency Plan

  Correct Answer: A

  The Cyber Incident Response Plan is used to address cyber attacks against an organization's IT system through various procedures. These procedures enable security personnel to identify, mitigate, and recover from malicious computer incidents, such as denial-of-service attacks, unauthorized accessing of a system or data, or unauthorized changes to system hardware, software, or data. Answer option C is incorrect. A disaster recovery plan should contain data, hardware, and software that can be critical for a business. It should also include the plan for sudden loss such as hard disc crash. The business should use backup and data recovery utilities to limit the loss of data. Answer option D is incorrect. The Occupant Emergency Plan (OEP) is used to reduce the risk to personnel, property, and other assets while minimizing work disorders in the event of an emergency. It is the response procedure for occupants of a facility on the occurrence of a situation, which is posing a potential threat to the health and safety of personnel, the environment, or property. OEPs are developed at the facility level, specific to the geographic site and structural design of the building. Answer option B is incorrect. The crisis communication plan can be broadly defined as the plan for the exchange of information before, during, or after a crisis event. It is considered as a sub-specialty of the public relations profession that is designed to protect and defend an individual, company, or organization facing a public challenge to its reputation. The aim of crisis communication plan is to assist organizations to achieve continuity of critical business processes and information flows under crisis, disaster or event driven circumstances.

• Question 387:

  Which of the following layers of the TCP/IP model maintains data integrity by ensuring that messages are delivered in the order in which they are sent and that there is no loss or duplication?

  A. Transport layer

  B. Link layer

  C. Internet layer

  D. Application layer

  Correct Answer: A

  The transport layer ensures that messages are delivered in the order in which they are sent and that there is no loss or duplication. Transport layer maintains data integrity. Answer option C is incorrect. The Internet Layer of the TCP/IP model solves the problem of sending packets across one or more networks. Internetworking requires sending data from the source network to the destination network. This process is called routing. IP can carry data for a number of different upper layer protocols. Answer option B is incorrect. The Link Layer of TCP/IP model is the networking scope of the local network connection to which a host is attached. This is the lowest component layer of the Internet protocols, as TCP/IP is designed to be hardware independent. As a result, TCP/IP has been implemented on top of virtually any hardware networking technology in existence. The Link Layer is used to move packets between the Internet Layer interfaces of two different hosts on the same link. The processes of transmitting and receiving packets on a given link can be controlled both in the software device driver for the network card, as well as on firmware or specialized chipsets. Answer option D is incorrect. The Application Layer of TCP/IP model refers to the higher-level protocols used by most applications for network communication. Examples of application layer protocols include the File Transfer Protocol (FTP) and the Simple Mail Transfer Protocol (SMTP). Data coded according to application layer protocols are then encapsulated into one or more transport layer protocols, which in turn use lower layer protocols to affect actual data transfer.

• Question 388:

  You work as a professional Computer Hacking Forensic Investigator for DataEnet Inc. You want to investigate e-mail information of an employee of the company. The suspected employee is using an online e-mail system such as Hotmail or Yahoo. Which of the following folders on the local computer will you review to accomplish the task? Each correct answer represents a complete solution. Choose all that apply.

  A. History folder

  B. Temporary Internet Folder

  C. Cookies folder

  D. Download folder

  Correct Answer: CAB

  Online e-mail systems such as Hotmail and Yahoo leave files containing e-mail message information on the local computer. These files are stored in a number of folders, which are as follows: Cookies folder Temp folder History folder Cache folder Temporary Internet Folder Forensic tools can recover these folders for the respective e-mail clients. When folders are retrieved, e-mail files can be accessed. If the data is not readable, various tools are available to decrypt the information such as a cookie reader used with cookies. Answer option D is incorrect. Download folder does not contain any e-mail message information.

• Question 389:

  Which of the following policies is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly?

  A. Information protection policy

  B. Remote access policy

  C. Group policy

  D. Password policy

  Correct Answer: D

  A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. Password policies are account policies that are related to the users' accounts. Such policies are password-related settings that provide different constraints for the password's usage. Password policies can be configured to enforce users to provide passwords only in a specific way when they try to log on to their computers. These policies increase the effectiveness of the user's computers. Answer option C is incorrect. A group policy specifies how programs, network resources, and the operating system work for users and computers in an organization. Answer option A is incorrect. An information protection policy ensures that information is appropriately protected from modification or disclosure. Answer option B is incorrect. Remote access policy is a document that outlines and defines acceptable methods of remotely connecting to the internal network.

• Question 390:

  Which of the following biometric devices is used to take impressions of the friction ridges of the skin on the underside of the tip of the fingers?

  A. Facial recognition device

  B. Iris camera

  C. Voice recognition voiceprint

  D. Fingerprint reader

  Correct Answer: D

  A fingerprint reader is used to take impressions of the friction ridges of the skin on the underside of the tip of the fingers. Fingerprints help in identifying users and are unique and different to everyone and do not change over time. Even identical twins who share their DNA do not have the same fingerprints. Police and Government agencies have used these modes in order to identify humans for many years, but other agencies are starting to use biometric fingerprint readers for identification in many different applications. A fingerprint is created when the friction ridges of the skin come in contact with a surface that is receptive to a print by means of an agent to form the print like perspiration, oil, ink, grease, and many more. The agent is then transferred to the surface and leaves an impression which creates the fingerprint. Answer option B is incorrect. An iris camera is used to perform recognition detection of a user's identity by mathematical analysis of the random patterns that are visible within the iris of an eye from some distance. It is used to combine computer vision, pattern recognition, statistical inference, and optics. Answer option A is incorrect. A facial recognition device helps in viewing an image or video of a person and compares it to one that is in the database. It performs facial recognition by comparing the following: Structure, shape, and proportions of the face Distance between the eyes, nose, mouth, and jaw Upper outlines of the eye sockets The sides of the mouth Location of the nose and eyes The area surrounding the check bones. Answer option C is incorrect. A voice recognition voiceprint is a spectrogram, which is a graph that shows a sound's frequency on the vertical axis and time on the horizontal axis. Different speech sounds help in creating different shapes on the graph. Spectrograms also use color or shades of gray to represent the acoustical qualities of sound.