EC-COUNCIL EC-COUNCIL Certifications 312-38 Questions & Answers

• Question 411:

  Network security is the specialist area, which consists of the provisions and policies adopted by the Network Administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources. For which of the following reasons is network security needed? Each correct answer represents a complete solution. Choose all that apply.

  A. To protect information from loss and deliver it to its destination properly

  B. To protect information from unwanted editing, accidentally or intentionally by unauthorized users

  C. To protect private information on the Internet

  D. To prevent a user from sending a message to another user with the name of a third person

  Correct Answer: CBAD

  Network security is needed for the following reasons: To protect private information on the Internet To protect information from unwanted editing, accidentally or intentionally by unauthorized users To protect information from loss and deliver it to its destination properly To prevent a user from sending a message to another user with the name of a third person

• Question 412:

  With which of the following flag sets does the Xmas tree scan send a TCP frame to a remote device? Each correct answer represents a part of the solution. Choose all that apply.

  A. PUSH

  B. RST

  C. FIN

  D. URG

  Correct Answer: DAC

  With the URG, PUSH, and FIN flag sets, the Xmas tree scan sends a TCP frame to a remote device. The Xmas tree scan is called an Xmas tree scan because the alternating bits are turned on and off in the flags byte (00101001), much like the lights of a Christmas tree. Answer option B is incorrect. The RST flag is not set when the Xmas tree scan sends a TCP frame to a remote device.

• Question 413:

  Which of the following is a non-profit organization that oversees the allocation of IP addresses, management of the DNS infrastructure, protocol parameter assignment, and root server system management?

  A. ANSI

  B. IEEE

  C. ITU

  D. ICANN

  Correct Answer: D

  ICANN stands for Internet Corporation for Assigned Names and Numbers. ICANN is responsible for managing the assignment of domain names and IP addresses. ICANN's tasks include responsibility for IP address space allocation, protocol identifier assignment, top-level domain name system management, and root server system management functions. Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit organization that oversees the allocation of IP addresses, management of the DNS infrastructure, protocol parameter assignment, and root server system management. Answer option B is incorrect. Institute of Electrical and Electronics Engineers (IEEE) is an organization of engineers and electronics professionals who develop standards for hardware and software. Answer option C is incorrect. The International Telecommunication Union is an agency of the United Nations which regulates information and communication technology issues. ITU coordinates the shared global use of the radio spectrum, promotes international cooperation in assigning satellite orbits, works to improve telecommunication infrastructure in the developing world and establishes worldwide standards. ITU is active in areas including broadband Internet, latest- generation wireless technologies, aeronautical and maritime navigation, radio astronomy, satellite-based meteorology, convergence in fixed-mobile phone, Internet access, data, voice, TV broadcasting, and next-generation networks. Answer option A is incorrect. ANSI (American National Standards Institute) is the primary organization for fostering the development of technology standards in the United States. ANSI works with industry groups and is the U.S. member of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Long-established computer standards from ANSI include the American Standard Code for Information Interchange (ASCII) and the Small Computer System Interface (SCSI).

• Question 414:

  Which of the following policies helps in defining what users can and should do to use network and organization's computer equipment?

  A. General policy

  B. Remote access policy

  C. IT policy

  D. User policy

  Correct Answer: D

  A user policy helps in defining what users can and should do to use network and organization's computer equipment. It also defines what limitations are put on users for maintaining the network secure such as whether users can install

  programs on their workstations, types of programs users are using, and how users can access data.

  Answer option C is incorrect. IT policy includes general policies for the IT department. These policies are intended to keep the network secure and stable. It includes the following:

  Virus incident and security incident

  Backup policy

  Client update policies

  Server configuration, patch update, and modification policies (security)

  Firewall policies Dmz policy, email retention, and auto forwarded email policy

  Answer option A is incorrect. It defines the high level program policy and business continuity plan.

  Answer option B is incorrect. Remote access policy is a document that outlines and defines acceptable methods of remotely connecting to the internal network.

• Question 415:

  Which of the following are the responsibilities of the disaster recovery team? Each correct answer represents a complete solution. Choose all that apply.

  A. To monitor the execution of the disaster recovery plan and assess the results

  B. To modify and update the disaster recovery plan according to the lessons learned from previous disaster recovery efforts

  C. To notify management, affected personnel, and third parties about the disaster

  D. To initiate the execution of the disaster recovery procedures

  Correct Answer: ABCD

  The responsibilities of the disaster recovery team are as follows: To develop, deploy, and monitor the implementation of appropriate disaster recovery plans after analysis of business objectives and threats to organizations To notify management, affected personnel, and third parties about the disaster To initiate the execution of the disaster recovery procedures To monitor the execution of the disaster recovery plan and assess the results To return operations to normal conditions To modify and update the disaster recovery plan according to the lessons learned from previous disaster recovery efforts To increase the level of the organization's disaster recovery preparedness by conducting mock drills, regular DR systems testing, and threat analysis to create awareness among various stakeholders of the organization by conducting training and awareness sessions

• Question 416:

  Which of the following is a credit card-sized device used to securely store personal information and used in conjunction with a PIN number to authenticate users?

  A. Proximity card

  B. Java card

  C. SD card

  D. Smart card

  Correct Answer: D

  A smart card is a credit card-sized device used to securely store personal information such as certificates, public and private keys, passwords, etc. It is used in conjunction with a PIN number to authenticate users. In Windows, smart cards are used to enable certificate-based authentication. To use smart cards, Extensible Authentication Protocol (EAP) must be configured in Windows. Answer option B is incorrect. Java Card is a technology that allows Java-based applications to be run securely on smart cards and small memory footprint devices. Java Card gives a user the ability to program devices and make them application specific. It is widely used in SIM cards and ATM cards. Java Card products are based on the Java Card Platform specifications developed by Sun Microsystems, a supplementary of Oracle Corporation. Many Java card products also rely on the global platform specifications for the secure management of applications on the card. The main goals of the Java Card technology are portability and security. Answer option A is incorrect. Proximity card (or Prox Card) is a generic name for contactless integrated circuit devices used for security access or payment systems. It can refer to the older 125 kHz devices or the newer 13.56 MHz contactless RFID cards, most commonly known as contactless smartcards. Modern proximity cards are covered by the ISO/IEC 14443 (Proximity Card) standard. There is also a related ISO/IEC 15693 (Vicinity Card) standard. Proximity cards are powered by resonant energy transfer and have a range of 0-3 inches in most instances. The user will usually be able to leave the card inside a wallet or purse. The price of the cards is also low, usually US$2-$5, allowing them to be used in applications such as identification cards, keycards, payment cards and public transit fare cards. Answer option C is incorrect. Secure Digital (SD) card is a non-volatile memory card format used in portable devices such as mobile phones, digital cameras, and handheld computers. SD cards are based on the older MultiMediaCard (MMC) format, but they are a little thicker than MMC cards. Generally an SD card offers a write-protect switch on its side. SD cards generally measure 32 mm x 24 mm x 2.1 mm, but they can be as thin as 1.4 mm. The devices that have SD card slots can use the thinner MMC cards, but the standard SD cards will not fit into the thinner MMC slots. Some SD cards are also available with a USB connector. SD card readers allow SD cards to be accessed via many connectivity ports such as USB, FireWire, and the common parallel port.

• Question 417:

  In an Ethernet peer-to-peer network, which of the following cables is used to connect two computers, using RJ-45 connectors and Category-5 UTP cable?

  A. Loopback

  B. Serial

  C. Parallel

  D. Crossover

  Correct Answer: D

  In an Ethernet peer-to-peer network, a crossover cable is used to connect two computers, using RJ-45 connectors and Category-5 UTP cable. Answer options C and B are incorrect. Parallel and serial cables do not use RJ-45 connectors and

  Category-5 UTP cable. Parallel cables are used to connect printers, scanners etc., to computers, whereas serial cables are used to connect modems, digital cameras etc., to computers.

  Answer option A is incorrect. A loopback cable is used for testing equipments.

• Question 418:

  In which of the following attacks does an attacker use software that tries a large number of key combinations in order to get a password?

  A. Buffer overflow

  B. Brute force attack

  C. Zero-day attack

  D. Smurf attack

  Correct Answer: B

  In a brute force attack, an attacker uses software that tries a large number of key combinations in order to get a password. To prevent such attacks, users should create passwords that are more difficult to guess, i.e., by using a minimum of six characters, alphanumeric combinations, and lower-upper case combinations. Answer option D is incorrect. Smurf is an attack that generates significant computer network traffic on a victim network. This is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages. In such attacks, a perpetrator sends a large amount of ICMP echo request (ping) traffic to IP broadcast addresses, all of which have a spoofed source IP address of the intended victim. If the routing device delivering traffic to those broadcast addresses delivers the IP broadcast to all hosts, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, which multiplies the traffic by the number of hosts responding. Answer option A is incorrect. Buffer overflow is a condition in which an application receives more data than it is configured to accept. It helps an attacker not only to execute a malicious code on the target system but also to install backdoors on the target system for further attacks. All buffer overflow attacks are due to only sloppy programming or poor memory management by the application developers. The main types of buffer overflows are: Stack overflow Format string overflow Heap overflow Integer overflow Answer option C is incorrect. A zero-day attack, also known as zero-hour attack, is a computer threat that tries to exploit computer application vulnerabilities which are unknown to others, undisclosed to the software vendor, or for which no security fix is available. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software vendor knows about the mvulnerability. User awareness training is the most effective technique to mitigate such attacks.

• Question 419:

  Which of the following OSI layers establishes, manages, and terminates the connections between the local and remote applications?

  A. Data Link layer

  B. Network layer

  C. Application layer

  D. Session layer

  Correct Answer: D

  The session layer of the OSI/RM controls the dialogues (connections) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for full-duplex, half-duplex, or simplex operation, and establishes checkpointing, adjournment, termination, and restart procedures. The OSI model made this layer responsible for graceful close of sessions, which is a property of the Transmission Control Protocol, and also for session checkpointing and recovery, which is not usually used in the Internet Protocol Suite. The Session Layer is commonly implemented explicitly in application environments that use remote procedure calls. Answer option C is incorrect. The Application Layer of TCP/IP model refers to the higher-level protocols used by most applications for network communication. Examples of application layer protocols include the File Transfer Protocol (FTP) and the Simple Mail Transfer Protocol (SMTP). Data coded according to application layer protocols are then encapsulated into one or more transport layer protocols, which in turn use lower layer protocols to affect actual data transfer. Answer option A is incorrect. The Data Link Layer is Layer 2 of the seven-layer OSI model of computer networking. It corresponds to or is part of the link layer of the TCP/IP reference model. The Data Link Layer is the protocol layer which transfers data between adjacent network nodes in a wide area network or between nodes on the same local area network segment. The Data Link Layer provides the functional and procedural means to transfer data between network entities and might provide the means to detect and possibly correct errors that may occur in the Physical Layer. Examples of data link protocols are Ethernet for local area networks (multi-node), the Point-to-Point Protocol (PPP), HDLC, and ADCCP for point-to-point (dual-node) connections. Answer option B is incorrect. The network layer controls the operation of subnet, deciding which physical path the data should take, based on network conditions, priority of service, and other factors. Routers work on the Network layer of the OSI stack.

• Question 420:

  Adam, a malicious hacker, is sniffing an unprotected Wi-FI network located in a local store with Wireshark to capture hotmail e-mail traffic. He knows that lots of people are using their laptops for browsing the Web in the store. Adam wants to sniff their e-mail messages traversing the unprotected Wi-Fi network. Which of the following Wireshark filters will Adam configure to display only the packets with hotmail email messages?

  A. (http = "login.pass.com") andand (http contains "SMTP")

  B. (http contains "email") andand (http contains "hotmail")

  C. (http contains "hotmail") andand (http contains "Reply-To")

  D. (http = "login.passport.com") andand (http contains "POP3")

  Correct Answer: C

  Adam will use (http contains "hotmail") andand (http contains "Reply-To") filter to display only the packets with hotmail email messages. Each Hotmail message contains the tag Reply-To: and "xxxx-xxx- xxx.xxxx.hotmail.com" in the received tag.

  Wireshark is a free packet sniffer computer application. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is very similar to tcpdump, but it has a graphical front-end,

  and many more information sorting and filtering options. It allows the user to see all traffic being passed over the network (usually an Ethernet network but support is being added for others) by putting the network interface into promiscuous

  mode. Wireshark uses pcap to capture packets, so it can only capture the packets on the networks supported by pcap. It has the following features: Data can be captured "from the wire" from a live network connection or read from a file that

  records the already-captured packets. Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback. Captured network data can be browsed via a GUI, or via the terminal (command line)

  version of the utility, tshark. Captured files can be programmatically edited or converted via command-line switches to the "editcap" program. Data display can be refined using a display filter. Plugins can be created for dissecting new

  protocols.

  Answer options B, A, and D are incorrect. These are invalid tags.