Nation-state threat actors often discover vulnerabilities and hold on to them until they want to launch a sophisticated attack. The Stuxnet attack was an unprecedented style of attack because it used four types of vulnerability.
What is this style of attack called?
A. zero-day
B. zero-hour
C. zero-sum
D. no-day
Correct Answer: A Section: (none)
Stuxnet is a malicious computer worm believed to be a jointly built American-Israeli cyber weapon. Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software.
References: https://en.wikipedia.org/wiki/Stuxnet
Question 412:
A medium-sized healthcare IT business decides to implement a risk management strategy.
Which of the following is NOT one of the five basic responses to risk?
A. Delegate
B. Avoid
C. Mitigate
D. Accept
Correct Answer: A Section: (none)
There are five main ways to manage risk: acceptance, avoidance, transference, mitigation, and exploitation.
Which of the following is a component of a risk assessment?
A. Administrative safeguards
B. Physical security
C. DMZ
D. Logical interface
Correct Answer: A Section: (none)
Risk assessment includes: The total process of identifying, measuring, and minimizing uncertain events affecting AIS resources. It includes risk analysis, cost benefit analysis, safeguard selection, security test and evaluation, safeguard implementation, and systems review.
The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost benefit analysis, selection, implementation and test,
It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to keep patient data secure. Which of the following regulations best matches the description?
A. HIPAA
B. ISO/IEC 27002
C. COBIT
D. FISMA
Correct Answer: A Section: (none)
The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities" (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions). By regulation, the Department of Health and Human Services extended the HIPAA Privacy Rule to independent contractors of covered entities who fit within the definition of "business associates".
Under the "Post-attack Phase and Activities", it is the responsibility of the tester to restore the systems to a pre-test state.
Which of the following activities should not be included in this phase? (see exhibit)
Exhibit:
A. III
B. IV
C. III and IV
D. All should be included.
Correct Answer: A Section: (none)
The post-attack phase revolves around returning any modified system(s) to the pre-test state. Examples of such activities:
Removal of any files, tools, exploits, or other test-created objects uploaded to the system during testing
Removal or reversal of any changes to the registry made during system testing
References: Computer and Information Security Handbook, John R. Vacca (2012), page 531
Question 417:
What is the benefit of performing an unannounced Penetration Testing?
A. The tester will have an actual security posture visibility of the target network.
B. Network security would be in a "best state" posture.
C. It is best to catch critical infrastructure unpatched.
D. The tester could not provide an honest analysis.
Correct Answer: A Section: (none)
Real-life attacks will always come without expectation, and they will often arrive in ways that are highly creative and very hard to plan for at all. This is, after all, exactly how hackers continue to succeed against network security systems, despite the billions invested in the data protection industry. A possible solution to this danger is to conduct intermittent "unannounced" penetration tests whose scheduling and occurrence are known only to the hired attackers and upper management staff instead of every security employee, as would be the case with "announced" penetration tests that everyone has planned for in advance. The former may be better at detecting realistic weaknesses.
You have successfully compromised a machine on the network and found a server that is alive on the same network. You tried to ping it but you didn't get any response back.
What is happening?
A. ICMP could be disabled on the target server.
B. The ARP is disabled on the target server.
C. TCP/IP doesn't support ICMP.
D. You need to run the ping command with root privileges.
Correct Answer: A Section: (none)
The ping utility is implemented using the ICMP "Echo request" and "Echo reply" messages.
Note: The Internet Control Message Protocol (ICMP) is one of the main protocols of the internet protocol suite. It is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.
You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration?
alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";)
A. An Intrusion Detection System
B. A firewall IPTable
C. A Router IPTable
D. FTP Server rule
Correct Answer: A Section: (none)
Snort is an open source network intrusion detection system (NIDS).
Snort rule example (this rule has a generator id of 1000001):
alert tcp any any -> any 80 (content:"BOB"; gid:1000001; sid:1; rev:1;)
You have successfully gained access to a Linux server and would like to ensure that the succeeding outgoing traffic from this server will not be caught by a Network-Based Intrusion Detection System (NIDS).
What is the best way to evade the NIDS?
A. Encryption
B. Protocol Isolation
C. Alternate Data Streams
D. Out of band signalling
Correct Answer: A Section: (none)
When the NIDS encounters encrypted traffic, the only analysis it can perform is packet level analysis, since the application layer contents are inaccessible. Given that exploits against today's networks are primarily targeted against network services (application layer entities), packet level analysis ends up doing very little to protect our core business assets.