EC-COUNCIL EC-COUNCIL Certifications 312-50V9 Questions & Answers

• Question 311:

  During a security audit of IT processes, an IS auditor found that there were no documented security procedures. What should the IS auditor do?

  A. Identify and evaluate existing practices

  B. Create a procedures document

  C. Conduct compliance testing

  D. Terminate the audit

  Correct Answer: A Section: (none)

  The auditor should first evaluated existing policies and practices to identify problem areas and opportunities.

• Question 312:

  Ricardo wants to send secret messages to a competitor company. To secure these messages, he uses a technique of hiding a secret message within an ordinary message. The technique provides 'security through obscurity'.

  What technique is Ricardo using?

  A. Steganography

  B. Public-key cryptography

  C. RSA algorithm

  D. Encryption

  Correct Answer: A Section: (none)

  Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video.

  References: https://en.wikipedia.org/wiki/Steganography

• Question 313:

  Which of the following incident handling process phases is responsible for defining rules, collaborating human workforce, creating a back-up plan, and testing the plans for an organization?

  A. Preparation phase

  B. Containment phase

  C. Identification phase

  D. Recovery phase

  Correct Answer: A Section: (none)

  There are several key elements to have implemented in preparation phase in order to help mitigate any

  potential problems that may hinder one's ability to handle an incident. For the sake of brevity, the following

  should be performed:

  Policy ?a policy provides a written set of principles, rules, or practices within an Organization.

  Response Plan/Strategy ?after establishing organizational policies, now it is time to create a plan/strategy to handle incidents. This would include the creation of a backup plan.

  Communication ?having a communication plan is necessary, due to the fact that it may be necessary to contact specific individuals during an incident.

  Documentation ?it is extremely beneficial to stress that this element is particularly necessary and can be a substantial life saver when it comes to incident response.

  References: https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

• Question 314:

  Which of the following types of firewalls ensures that the packets are part of the established session?

  A. Stateful inspection firewall

  B. Circuit-level firewall

  C. Application-level firewall

  D. Switch-level firewall

  Correct Answer: A Section: (none)

  A stateful firewall is a network firewall that tracks the operating state and characteristics of network connections traversing it. The firewall is configured to distinguish legitimate packets for different types of connections. Only packets matching a known active connection (session) are allowed to pass the firewall.

  References: https://en.wikipedia.org/wiki/Stateful_firewall

• Question 315:

  You work as a Security Analyst for a retail organization. In securing the company's network, you set up a firewall and an IDS. However, hackers are able to attack the network. After investigating, you discover that your IDS is not configured properly and therefore is unable to trigger alarms when needed. What type of alert is the IDS giving?

  A. False Negative

  B. False Positive

  C. True Negative

  D. True Positive

  Correct Answer: A Section: (none)

  A false negative error, or in short false negative, is where a test result indicates that a condition failed, while it actually was successful. I.e. erroneously no effect has been assumed.

  References: https://en.wikipedia.org/wiki/False_positives_and_false_negatives#False_negative_error

• Question 316:

  What does a firewall check to prevent particular ports and applications from getting packets into an organization?

  A. Transport layer port numbers and application layer headers

  B. Presentation layer headers and the session layer port numbers

  C. Network layer headers and the session layer port numbers

  D. Application layer port numbers and the transport layer headers

  Correct Answer: A Section: (none)

  Newer firewalls can filter traffic based on many packet attributes like source IP address, source port,

  destination IP address or transport layer port, destination service like WWW or FTP. They can filter based

  on protocols, TTL values, netblock of originator, of the source, and many other attributes.

  Application layer firewalls are responsible for filtering at 3, 4, 5, 7 layer. Because they analyze the

  application layer headers, most firewall control and filtering is performed actually in the software.

  References: https://en.wikipedia.org/wiki/Firewall_(computing)#Network_layer_or_packet_filters

  http://howdoesinternetwork.com/2012/application-layer-firewalls

• Question 317:

  You are the Systems Administrator for a large corporate organization. You need to monitor all network traffic on your local network for suspicious activities and receive notifications when an attack is occurring. Which tool would allow you to accomplish this goal?

  A. Network-based IDS

  B. Firewall

  C. Proxy

  D. Host-based IDS

  Correct Answer: A Section: (none)

  A network-based intrusion detection system (NIDS) is used to monitor and analyze network traffic to protect a system from network-based threats. A NIDS reads all inbound packets and searches for any suspicious patterns. When threats are discovered, based on its severity, the system can take action such as notifying administrators, or barring the source IP address from accessing the network.

  References: https://www.techopedia.com/definition/12941/network-based-intrusion-detection-system-nids

• Question 318:

  Which of the following tools can be used for passive OS fingerprinting?

  A. tcpdump

  B. nmap

  C. ping

  D. tracert

  Correct Answer: A Section: (none)

  The passive operating system fingerprinting is a feature built into both the pf and tcpdump tools.

  References: http://geek00l.blogspot.se/2007/04/tcpdump-privilege-dropping-passive-os.html

• Question 319:

  Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, smallsized packets to the target computer, making it very difficult for an IDS to detect the attack signatures.

  Which tool can be used to perform session splicing attacks?

  A. Whisker

  B. tcpsplice

  C. Burp

  D. Hydra

  Correct Answer: A Section: (none)

  One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by fragmenting them, but an adversary can also simply craft packets with small payloads. The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'.

  References: https://en.wikipedia.org/wiki/ Intrusion_detection_system_evasion_techniques#Fragmentation_and_small_packets

• Question 320:

  Which of the following tools is used to detect wireless LANs using the 802.11a/b/g/n WLAN standards on a linux platform?

  A. Kismet

  B. Nessus

  C. Netstumbler

  D. Abel

  Correct Answer: A Section: (none)

  Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs.

  Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a,

  802.11b, 802.11g, and 802.11n traffic.

  The program runs under Linux, FreeBSD, NetBSD, OpenBSD, and Mac OS X.

  References: https://en.wikipedia.org/wiki/Kismet_(software)