EC-COUNCIL EC-COUNCIL Certifications 312-50V9 Questions & Answers

• Question 351:

  An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up.

  What is the most likely cause?

  A. The network devices are not all synchronized.

  B. Proper chain of custody was not observed while collecting the logs.

  C. The attacker altered or erased events from the logs.

  D. The security breach was a false positive.

  Correct Answer: A Section: (none)

  Time synchronization is an important middleware service of distributed systems, amongst which Distributed Intrusion Detection System (DIDS) makes extensive use of time synchronization in particular.

  References: http://ieeexplore.ieee.org/xpl/login.jsp?tp=andarnumber=5619315andurl=http%3A%2F% 2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5619315

• Question 352:

  Which of the following is the greatest threat posed by backups?

  A. A backup is the source of Malware or illicit information.

  B. A backup is unavailable during disaster recovery.

  C. A backup is incomplete because no verification was performed.

  D. An un-encrypted backup can be misplaced or stolen.

  Correct Answer: D Section: (none)

  If the data written on the backup media is properly encrypted, it will be useless for anyone without the key.

  References: http://resources.infosecinstitute.com/backup-media-encryption/

• Question 353:

  Which of the following is assured by the use of a hash?

  A. Integrity

  B. Confidentiality

  C. Authentication

  D. Availability

  Correct Answer: A Section: (none)

  An important application of secure hashes is verification of message integrity. Determining whether any changes have been made to a message (or a file), for example, can be accomplished by comparing message digests calculated before, and after, transmission (or any other event).

  References: https://en.wikipedia.org/wiki/ Cryptographic_hash_function#Verifying_the_integrity_of_files_or_messages

• Question 354:

  Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?

  A. ESP transport mode

  B. AH permiscuous

  C. ESP confidential

  D. AH Tunnel mode

  Correct Answer: A Section: (none)

  When transport mode is used, IPSec encrypts only the IP payload. Transport mode provides the protection of an IP payload through an AH or ESP header. Encapsulating Security Payload (ESP) provides confidentiality (in addition to authentication, integrity, and anti-replay protection) for the IP payload.

  Incorrect Answers:

  B: Authentication Header (AH) provides authentication, integrity, and anti-replay protection for the entire packet (both the IP header and the data payload carried in the packet). It does not provide confidentiality, which means that it does not encrypt the data.

  References: https://technet.microsoft.com/en-us/library/cc739674(v=ws.10).aspx

• Question 355:

  Which of the following is a design pattern based on distinct pieces of software providing application functionality as services to other applications?

  A. Service Oriented Architecture

  B. Object Oriented Architecture

  C. Lean Coding

  D. Agile Process

  Correct Answer: A Section: (none)

  A service-oriented architecture (SOA) is an architectural pattern in computer software design in which application components provide services to other components via a communications protocol, typically over a network.

  References: https://en.wikipedia.org/wiki/Service-oriented_architecture

• Question 356:

  Which of the following is the structure designed to verify and authenticate the identity of individuals within the enterprise taking part in a data exchange?

  A. PKI

  B. single sign on

  C. biometrics

  D. SOA

  Correct Answer: A Section: (none)

  A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates[1] and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email.

  References: https://en.wikipedia.org/wiki/Public_key_infrastructure

• Question 357:

  Which of the following is an extremely common IDS evasion technique in the web world?

  A. unicode characters

  B. spyware

  C. port knocking

  D. subnetting

  Correct Answer: A Section: (none)

  Unicode attacks can be effective against applications that understand it. Unicode is the international standard whose goal is to represent every character needed by every written human language as a single integer number. What is known as Unicode evasion should more correctly be referenced as UTF-8 evasion. Unicode characters are normally represented with two bytes, but this is impractical in real life. One aspect of UTF-8 encoding causes problems: non-Unicode characters can be represented encoded. What is worse is multiple representations of each character can exist. Non-Unicode character encodings are known as overlong characters, and may be signs of attempted attack.

  References: http://books.gigatux.nl/mirror/apachesecurity/0596007248/apachesc-chp-10-sect-8.html

• Question 358:

  The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the central processing unit (CPU), rather than passing only the frames that the controller is intended to receive.

  Which of the following is being described?

  A. promiscuous mode

  B. port forwarding

  C. multi-cast mode

  D. WEM

  Correct Answer: A Section: (none)

  Promiscuous mode refers to the special mode of Ethernet hardware, in particular network interface cards (NICs), that allows a NIC to receive all traffic on the network, even if it is not addressed to this NIC. By default, a NIC ignores all traffic that is not addressed to it, which is done by comparing the destination address of the Ethernet packet with the hardware address (a.k.a. MAC) of the device. While this makes perfect sense for networking, non-promiscuous mode makes it difficult to use network monitoring and analysis software for diagnosing connectivity issues or traffic accounting.

  References: https://www.tamos.com/htmlhelp/monitoring/

• Question 359:

  Which of the following is a command line packet analyzer similar to GUI-based Wireshark?

  A. tcpdump

  B. nessus

  C. etherea

  D. Jack the ripper

  Correct Answer: A Section: (none)

  tcpdump is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

  References: https://en.wikipedia.org/wiki/Tcpdump

• Question 360:

  You are using NMAP to resolve domain names into IP addresses for a ping sweep later.

  Which of the following commands looks for IP addresses?

  A. >host -t a hackeddomain.com

  B. >host -t soa hackeddomain.com

  C. >host -t ns hackeddomain.com

  D. >host -t AXFR hackeddomain.com

  Correct Answer: A Section: (none)

  The A record is an Address record. It returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host.

  References: https://en.wikipedia.org/wiki/List_of_DNS_record_types