Certified Network Defender (312-38) practice questions

312-38 Certified Network Defender exam dumps questions are material for testing yourself on the related EC-Council exam topics. By working through the 312-38 questions and practising your skills, you can increase your confidence and your chances of passing the 312-38 exam.

Features of Dumpsinfo's products: instant download, free updates for 3 months, money-back guarantee, PDF and software, 24/7 customer support. Dumpsinfo also provides unlimited access (https://www.dumpsinfo.com/unlimited-access/) to all of its files at the lowest price.

Certified Network Defender 312-38 free sample questions are available below for you to study.
Full version: 312-38 Exam Dumps Questions (https://www.dumpsinfo.com/exam/312-38)

1. Ivan needs to pick an encryption method that is scalable even though it might be slower. He has settled on a method that works where one key is public and the other is private. What encryption method did Ivan settle on?
A. Ivan settled on the private encryption method.
B. Ivan settled on the symmetric encryption method.
C. Ivan settled on the asymmetric encryption method.
D. Ivan settled on the hashing encryption method.
Answer: C
Explanation: Asymmetric encryption, also known as public-key cryptography, involves two keys: a public key, which can be shared widely, and a private key, which is kept confidential. The public key is used for encryption, and the private key is used for decryption. This method is scalable because it allows secure communication over an open network without the parties having to share secret keys in advance. While asymmetric encryption is generally slower than symmetric encryption because of the complex mathematical computations involved, it provides a high level of security and is essential for tasks such as digital signatures and establishing secure connections over the internet.
Reference: GeeksforGeeks provides a detailed explanation of asymmetric key cryptography, including its characteristics and how it addresses key distribution and digital signatures. Dashlane's blog offers a complete guide to asymmetric encryption, its definition, uses, and how it works. Kiteworks explains the difference between public and private key encryption and the use of asymmetric encryption on the internet. Cloudflare discusses asymmetric encryption and its role in securing web communications through protocols like TLS.

2. Michael decides to view the ___________ to track employee actions on the organization's network.
A. Firewall policy
B. Firewall log
C. Firewall settings
D. Firewall rule set
Answer: B
Explanation: Michael would view the firewall log to track employee actions on the organization's network. Firewall logs are records of events captured by the firewall. They typically include details about allowed and denied traffic, network connections, and other transactions through the firewall. By analyzing these logs, network administrators can monitor network usage, detect unusual patterns of activity, and identify potential security threats or breaches.
Reference: The importance of monitoring firewall logs is emphasized in the EC-Council's Certified Network Defender (C|ND) program. It is part of network traffic monitoring and analysis, which is crucial for detecting and responding to incidents on the network.

3. John is the Vice-President of a BPO. He wants to implement a policy allowing employees to use and manage devices purchased by the organization but restricting the use of the device to business use only. Which of the following policies does John want to implement?
A. COBO policy
B. CYOD policy
C. BYOD policy
D. COPE policy
Answer: B
Explanation: John wants to implement a policy that allows employees to use and manage devices purchased by the organization but restricts the use of the device to business use only.
This is known as a COBO (Company Owned, Business Only) policy. Under a COBO policy, the company provides the devices to the employees and maintains control over them, ensuring that they are used solely for business purposes.
Reference: The concept of COBO is well documented in enterprise mobility and device management literature, where it is described as a policy under which the organization owns the devices and restricts their use to business activities only. This approach is in contrast to BYOD (Bring Your Own Device), CYOD (Choose Your Own Device), and COPE (Company Owned, Personally Enabled) policies, which offer varying degrees of personal use.

4. Identify the password cracking attempt that involves precomputed hash values stored as plaintext and uses these to crack the password.
A. Brute force
B. Rainbow table
C. Dictionary
D. Hybrid
Answer: B
Explanation: The password cracking attempt described involves the use of rainbow tables. A rainbow table is a precomputed table for reversing cryptographic hash functions, primarily for cracking password hashes. These tables store a mapping between the hash of a password and the password that produces that hash, allowing quick retrieval of the plaintext password if the hash is known. This method is efficient for cracking passwords because it avoids the time-consuming process of computing hashes on the fly during an attack.
Reference: Rainbow tables are a well-known tool in password cracking that leverages precomputed hash values to expedite the cracking process. They are particularly useful against standard hashing algorithms where salting is not used, as they can significantly reduce the time needed to crack a password by avoiding real-time hash calculations. This technique is distinct from brute force attacks, which try all possible combinations, dictionary attacks, which use a list of likely passwords, and hybrid attacks, which combine elements of brute force and dictionary methods.

5. Who offers formal experienced testimony in court?
A. Incident analyzer
B. Evidence documenter
C. Expert witness
D. Attorney
Answer: C
Explanation: The individual who offers formal experienced testimony in court is known as an expert witness. This person is typically engaged because of their specialized knowledge, skills, or experience in a particular field relevant to the case at hand. They provide informed opinions and insights to help the court understand complex matters that are beyond the general knowledge of a layperson. Unlike other witnesses, an expert witness is allowed to offer opinions and draw conclusions based on the facts presented in the case.
Reference: The role and qualifications of an expert witness are well documented within legal frameworks and align with the Certified Network Defender (CND) program's objectives, which include understanding the legal and ethical implications of network security.

6. An insider at Hexagon, a leading IT company in the USA, was testing a packet crafting tool. This tool generated a lot of malformed TCP/IP packets which crashed the main server's operating system, restricting the employees' access. Which attack did the insider use in the above situation?
A. DoS attack
B. Session hijacking
C. Man-in-the-middle
D. Cross-site scripting
Answer: A
Explanation: The situation described involves an insider using a packet crafting tool that generated malformed TCP/IP packets, resulting in the crash of the main server's operating system and restricting employee access. This scenario is indicative of a Denial of Service (DoS) attack. A DoS attack aims to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. Malformed packets can cause systems to crash, thereby denying service to legitimate users.
Reference: The identification of a DoS attack is based on standard cybersecurity practice and the objectives of the Certified Network Defender (CND) program, which include understanding and protecting against such attacks. The information aligns with the CND's emphasis on network security and threat mitigation.

7. Which of the following is used to limit the number of cmdlets or the administrative privileges of administrator, user, or service accounts?
A. Just Enough Administration (JEA)
B. User Account Control (UAC)
C. Windows Security Identifier (SID)
D. Credential Guard
Answer: A
Explanation: Just Enough Administration (JEA) is a security technology that enables delegated administration for anything managed by PowerShell. JEA helps reduce the number of administrators on your machines by using virtual accounts or group-managed service accounts to perform privileged actions on behalf of regular users. It limits what users can do by specifying which cmdlets, functions, and external commands they can run. This ensures that users have just enough access to perform their jobs without holding unnecessary administrative privileges, which aligns with the principle of least privilege.
Reference: The information about JEA and its role in limiting cmdlets and administrative privileges is detailed in the Microsoft documentation and training modules on Just Enough Administration (JEA), as well as in the PowerShell-Docs on GitHub. These sources provide comprehensive guidance on how JEA is used to control administrative privileges and are aligned with the objectives and documents of the EC-Council's Certified Network Defender (CND) program.
8. Docker provides Platform-as-a-Service (PaaS) through __________ and delivers containerized software packages.
A. Storage-level virtualization
B. Network-level virtualization
C. OS-level virtualization
D. Server-level virtualization
Answer: C
Explanation: Docker provides Platform-as-a-Service (PaaS) through OS-level virtualization. This form of virtualization allows software to be deployed in packages called containers. Containers are isolated from each other and bundle their own software, libraries, and configuration files; they can communicate with each other through well-defined channels. OS-level virtualization is lightweight compared to other forms of virtualization because it does not require a hypervisor to create virtual machines. Instead, the Docker Engine runs the containers directly within the host machine's operating system but with separate namespaces, which is why it is considered OS-level.
Reference: The information provided is consistent with the Certified Network Defender (CND) course's objectives regarding understanding different types of virtualization and their purposes in network security. Docker's use of OS-level virtualization is a fundamental concept covered in the study materials.

9. Maximus Tech is a multinational company that uses Cisco ASA firewalls for its systems. Jason is one of the members of the team that checks the logs at Maximus Tech. As part of his job, he is going through the logs and came across a firewall log entry that looks like this:
May 06 2018 21:27:27 asa1: %ASA-6-11008: User 'enable_16' executed the 'configure term' command
Based on the security level mentioned in the log, what did Jason understand about the description of this message?
A. Normal but significant message
B. Informational message
C. Critical condition message
D. Warning condition message
Answer: B
Explanation: The log entry %ASA-6-11008 indicates that the message has severity level 6, which corresponds to an informational message. In Cisco ASA firewall logs, severity levels range from 0 (emergency) to 7 (debugging), with lower numbers indicating higher severity. A severity level of 6 is used for messages that provide information about normal but significant events. In this case, the log indicates that a user named 'enable_16' executed the 'configure term' command, which is a noteworthy event but does not indicate an error or critical condition.
Reference: This interpretation is based on the Cisco Secure Firewall ASA Series Syslog Messages documentation, which outlines the different severity levels and their meanings.

10. If there is a fire incident caused by an electrical appliance short-circuit, which fire suppressant should be used to control it?
A. Water
B. Wet chemical
C. Dry chemical
D. Raw chemical
Answer: C
Explanation: For a fire caused by an electrical appliance short-circuit, the appropriate fire suppressant is a dry chemical extinguisher. This type of extinguisher is effective because it can smother the fire without conducting electricity, which is crucial for electrical fires. Dry chemical extinguishers typically contain agents like mono-ammonium phosphate or sodium bicarbonate, which interrupt the chemical reaction of the fire, effectively putting it out. It is important not to use water or wet chemicals on electrical fires, as they can conduct electricity and make the situation worse.
Reference: The use of dry chemical fire extinguishers for electrical fires is a standard safety protocol, as they provide a non-conductive means to extinguish the fire, aligning with the safety measures outlined in the EC-Council's Certified Network Defender (CND) program.

11. Which technique is used in RAID level 0, where the data is split into blocks and written evenly across multiple disks?
A. Disk mirroring
B. Disk striping
C. Data splitting
D. Disk partition
Answer: B
Explanation: RAID level 0 employs a technique known as disk striping, which involves splitting data into blocks and distributing them evenly across multiple disks. This method enhances performance by allowing simultaneous read and write operations on multiple drives. However, it does not provide redundancy, meaning that if one drive fails, all data on the array could be lost. The primary advantage of disk striping is the improved I/O performance due to the parallel processing of data across the drives.
Reference: This explanation is based on standard RAID technology descriptions, which are part of the Certified Network Defender (CND) curriculum covering various data storage strategies, including RAID configurations.

12. John wants to implement a packet filtering firewall in his organization's network. What TCP/IP layer does a packet filtering firewall work on?
A. Application layer
B. Network Interface layer
C. TCP layer
D. IP layer
Answer: D
Explanation: A packet filtering firewall operates at the network layer of the TCP/IP model. It analyzes the headers of IP packets, which include source and destination IP addresses, protocol information, and port numbers, to determine whether to allow or block the packets based on predefined rules and access control lists (ACLs). This type of firewall does not perform deep packet inspection; it checks the packet headers against the ACLs to make its decisions.
Reference: The explanation aligns with the core functions of packet filtering firewalls as described in various sources, including the Enterprise Networking Planet and NordLayer articles, which detail how these firewalls interact with the IP layer to filter traffic. GeeksforGeeks also confirms that packet filtering firewalls work at the network layer of the OSI model, which corresponds to the IP layer in the TCP/IP model.
13. Which type of wireless network attack is characterized by an attacker using a high-gain amplifier from a nearby location to drown out the legitimate access point signal?
A. Jamming signal attack
B. Ad hoc connection attack
C. Rogue access point attack
D. Unauthorized association
Answer: A
Explanation: The type of wireless network attack characterized by an attacker using a high-gain amplifier to drown out the legitimate access point signal is known as a jamming signal attack. This attack involves the deliberate transmission of radio signals at the same frequency as the access point, thereby overwhelming and interfering with the legitimate signal. High-gain amplifiers can be used to increase the strength of the jamming signal, making it more effective at disrupting the wireless communication.
Reference: This explanation is consistent with general network security knowledge regarding the behavior of wireless signals and the impact of amplification on signal strength and interference. While specific references to the EC-Council's Certified Network Defender (CND) course materials cannot be provided here, the information aligns with the principles of wireless network attacks and defense strategies.

14. Which type of risk treatment process includes not allowing the use of laptops in an organization to ensure its security?
A. Risk avoidance
B. Mitigate the risk
C. Eliminate the risk
D. Reduce the risk
Answer: A
Explanation: The risk treatment process that includes not allowing the use of laptops in an organization to ensure its security is known as risk avoidance. Risk avoidance is a strategy that involves identifying a potential risk and deciding not to engage in the activity that presents the risk. In the context of information security, this could mean choosing not to use certain technologies or systems that could pose a security threat. By not using laptops, an organization can avoid the risks of loss, theft, or unauthorized access to which laptops, being portable, are particularly susceptible.
Reference: The answer aligns with the principles of risk management in network security, as outlined in the Certified Network Defender (CND) course by EC-Council, which emphasizes understanding and applying the appropriate risk treatment strategies, including avoidance, mitigation, transfer, and acceptance.

15. Identify the network topology in which the network devices are connected such that every device has a point-to-point link to all the other devices.
A. Star topology
B. Hybrid topology
C. Mesh topology
D. Bus topology
Answer: C
Explanation: The network topology in which every device is connected to every other device through a point-to-point link is known as mesh topology. In this arrangement, devices have a dedicated link to each other, ensuring a unique path for data to travel between any two devices. This setup enhances the reliability of the network, as there are multiple paths for data transfer; if one link fails, the system can continue to operate using alternative paths. Mesh topology is characterized by its robustness and is commonly used in applications where reliability is critical, such as military communications and internet service provider networks.
Reference: The explanation aligns with the characteristics of mesh topology as described in network topology resources, including the detailed descriptions provided by GeeksforGeeks and confirmed by other authoritative sources on network topologies. For the most accurate and detailed reference, consult the official documents and study guides from the Certified Network Defender (CND) course by the EC-Council.

16. The GMT enterprise is working on its internet and web usage policies. GMT would like to control internet bandwidth consumption by employees. Which group of policies would this belong to?
A. Enterprise Information Security Policy
B. System Specific Security Policy
C. Network Services Specific Security Policy
D. Issue Specific Security Policy
Answer: C
Explanation: The control of internet bandwidth consumption by employees falls under the Network Services Specific Security Policy. This category of policy is designed to manage and secure the services that are provided over the network, which includes internet access and usage. It encompasses the rules and procedures that govern how network services, such as bandwidth, are allocated and used within an organization. By implementing such policies, GMT enterprise aims to ensure that the network's bandwidth is used effectively and in alignment with the company's operational requirements and objectives.
Reference: The answer is derived from the understanding of network security policies as outlined in the Certified Network Defender (CND) course by EC-Council, which emphasizes the importance of specific policies for managing network services and resources.

17. Emmanuel works as a Windows system administrator at an MNC. He uses PowerShell to enforce the script execution policy. He wants to allow the execution of scripts that are signed by a trusted publisher. Which of the following script execution policy settings enables this?
A. AllSigned
B. Restricted
C. RemoteSigned
D. Unrestricted
Answer: A
Explanation: The AllSigned execution policy in PowerShell requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer. This setting is used when you want to ensure that only scripts that have been examined and signed by a trusted authority are run on your systems, which helps protect against the execution of unauthorized or malicious scripts. When using the AllSigned execution policy, PowerShell prompts the user to confirm that they trust the signer before running any script.
Reference: This information aligns with the PowerShell documentation and best practices for script execution policies, which recommend the AllSigned policy for environments that require a high level of security.

18. Which of the following helps in viewing account activity and events for supported services made by AWS?
A. AWS CloudFormation
B. AWS Certificate Manager
C. AWS CloudHSM
D. AWS CloudTrail
Answer: D
Explanation: AWS CloudTrail is the service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It allows you to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides an event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. It is specifically designed for reviewing account activity and events for supported services made by AWS.
Reference: The information about AWS CloudTrail as a service for viewing account activity and events is detailed in the AWS CloudTrail user guide and is a fundamental aspect of AWS security best practices.

19. Heather has been tasked with setting up and implementing VPN tunnels to remote offices. She will most likely be implementing IPsec VPN tunnels to connect the offices. At what layer of the OSI model does an IPsec tunnel function?
A. They work on the session layer.
B. They function on either the application or the physical layer.
C. They function on the data link layer.
D. They work on the network layer.
Answer: D
Explanation: IPsec VPN tunnels operate at the network layer of the OSI model. This is because IPsec is designed to secure IP communications by authenticating and encrypting each IP packet of a communication session.
IPsec includes protocols for establishing mutual authentication between agents at the beginning of a session and for negotiating the cryptographic keys to be used during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). By functioning at the network layer, IPsec VPNs are able to secure all traffic that passes through them, not just specific applications or sessions.
Reference: The information provided is based on standard networking protocols and the OSI model as covered in the EC-Council's Certified Network Defender (CND) program, which includes a comprehensive understanding of network security measures like IPsec.

20. Which encryption algorithm does the S/MIME protocol implement for digital signatures in emails?
A. Rivest-Shamir-Adleman encryption
B. Digital Encryption Standard
C. Triple Data Encryption Standard
D. Advanced Encryption Standard
Answer: A
Explanation: The S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol implements the Rivest-Shamir-Adleman (RSA) encryption algorithm for digital signatures in emails. Digital signatures are a key component of S/MIME, providing authentication, message integrity, and non-repudiation. RSA is a widely used public-key cryptosystem that facilitates secure data transmission and is known for its role in digital signatures. It works on the principle of asymmetric cryptography, where a pair of keys is used: a public key, which is shared openly, and a private key, which is kept secret by the owner. In the context of S/MIME, the sender's email client uses the sender's private key to create a digital signature, and the recipient's email client uses the sender's public key to verify the signature.
Reference: The information provided is based on the S/MIME protocol's use of RSA for digital signatures, as detailed in industry-standard documentation and resources like Microsoft Learn and the S/MIME Wikipedia page.

21. Sean has built a site-to-site VPN architecture between the head office and the branch office of his company. When users in the branch office and head office try to communicate with each other, the traffic is encapsulated. As the traffic passes through the gateway, it is encapsulated again. The header and payload are both encapsulated. This second encapsulation occurs only in the __________ implementation of a VPN.
A. Full Mesh Mode
B. Point-to-Point Mode
C. Transport Mode
D. Tunnel Mode
Answer: D
Explanation: In the context of VPNs, when both the header and payload of traffic are encapsulated, it indicates the use of Tunnel Mode. This mode is typically employed in site-to-site VPNs, where the entire IP packet is wrapped with a new IP header. Tunnel Mode is designed to secure traffic between different networks over the internet, making it suitable for connecting multiple sites of an organization. Unlike Transport Mode, which only encrypts the payload and leaves the original IP header intact, Tunnel Mode encrypts the entire IP packet and adds a new header, which allows the traffic to pass securely through untrusted networks.
Reference: The explanation provided aligns with standard VPN implementations and the principles outlined in network security documents and study guides related to Certified Network Defender (CND) objectives.

22. Which of the following options represents professional hackers whose aim is attacking systems for profit?
A. Script kiddies
B. Organized hackers
C. Hacktivists
D. Cyber terrorists
Answer: B
Explanation: Organized hackers are professional cybercriminals who often work in groups and are motivated by financial gain. They are known for their skills and their ability to carry out sophisticated attacks on systems for profit. Unlike script kiddies, who lack advanced skills and typically use readily available tools, organized hackers use custom-developed tools and methods. Hacktivists are motivated by political or social causes, and cyber terrorists aim to use cyber attacks to create fear or political change, not necessarily for profit.
Reference: The EC-Council's Certified Network Defender (CND) program covers various types of cyber threats and the motivations behind them, including the distinction between different types of hackers and their objectives. The CND curriculum includes understanding the threat landscape, which encompasses organized hackers and their profit-driven attacks.

23. Harry has successfully completed the vulnerability scanning process and found that serious vulnerabilities exist in the organization's network. Identify the vulnerability management phases through which he will proceed to ensure all the detected vulnerabilities are addressed and eradicated. (Select all that apply)
A. Mitigation
B. Assessment
C. Verification
D. Remediation
Answer: A, C, D
Explanation: After completing the vulnerability scanning process and identifying serious vulnerabilities, Harry will proceed through several phases of vulnerability management to address and eradicate them. The phases include:
Mitigation: This phase involves taking steps to reduce the impact of the detected vulnerabilities. Mitigation strategies may include applying patches, adjusting configurations, or implementing compensating controls to lower the risk associated with the vulnerabilities.
Verification: In this phase, Harry verifies that the vulnerabilities have been successfully mitigated or remediated. This typically involves re-scanning the network to ensure that the vulnerabilities are no longer present or that their risk has been sufficiently reduced.
Remediation: This is the phase in which Harry takes action to fix the vulnerabilities. Remediation can involve patching software, closing unnecessary ports, changing passwords, or other actions that directly address the identified security issues.
These phases are part of a broader vulnerability management lifecycle, which also includes assessing vulnerabilities and reassessing the network after remediation efforts to ensure continuous protection.
Reference: The explanation provided is based on the standard vulnerability management lifecycle, which includes assessment, prioritization, action (mitigation and remediation), reassessment, and improvement, as outlined in cybersecurity resources.

24. Which antenna characteristic refers to the calculation of radiated power in a particular direction? It is generally the ratio of the radiation intensity in a given direction to the average radiation intensity.
A. Radiation pattern
B. Polarization
C. Directivity
D. Typical gain
Answer: C
Explanation: The directivity of an antenna is a measure of how concentrated the emitted radiation is in a single direction. It is defined as the ratio of the radiation intensity in a given direction from the antenna to the radiation intensity averaged over all directions. In simpler terms, it is the radiated power in a particular direction compared to the average radiated power over all directions. This characteristic is crucial for antennas designed to transmit or receive signals in a specific direction, making it an essential parameter for many communication systems.
Reference: The concept of directivity and its importance in antenna design is covered in the EC-Council's Certified Network Defender (CND) course materials, which include discussions of various antenna characteristics and their impact on network security.
25.Which of the following Wireshark filters can a network administrator use to view the packets without any flags set in order to detect TCP Null Scan attempts? A. TCP.flags==0x000 B. tcp.flags==0X029 C. tcp.flags==0x003 D. tcp.dstport==7 Answer: A Explanation: In Wireshark, a TCP Null Scan can be detected by setting a filter to show packets where no TCP flags are set. This is because a TCP Null Scan is characterized by sending TCP packets with no flags set in an attempt to identify open ports on the target system. The correct filter to use in Wireshark to detect such packets is TCP.flags==0x000, which will display only those packets where all flags are unset. Reference: The information provided here is consistent with standard network security practices for detecting TCP Null Scans using Wireshark, as described in various educational resources on network security and penetration testing1. 26.Which of the following indicators refers to potential risk exposures that attackers can use to breach the security of an organization? A. Indicators of attack B. Key risk indicators C. Indicators of exposure 11 / 23 https://www.dumpsinfo.com/D. Indicators of compromise Answer: C Explanation: The term “Indicators of Exposure” (IoE) refers to potential risk exposures that attackers can exploit to breach the security of an organization. IoEs are vulnerabilities or weaknesses in an organization’s security posture that, if left unaddressed, could be leveraged by attackers to gain unauthorized access or cause harm. These indicators help network defenders identify areas that require attention and remediation to prevent potential security incidents. Unlike Indicators of Compromise (IoC), which signal that a breach has already occurred, IoEs are forward-looking and are concerned with identifying and mitigating potential risks before they are exploited1. 
Reference: Information on the Certified Network Defender (CND) certification and its focus on identifying and mitigating potential risks, including IoEs.

27. What is composite signature-based analysis?
A. Multiple packet analysis is required to detect attack signatures
B. Attack signatures are contained in packet headers
C. Attack signatures are contained in packet payloads
D. Single packet analysis is enough to identify attack signatures
Answer: A
Explanation: Composite signature-based analysis is a method of intrusion detection in which multiple packets are analyzed to detect an attack signature. Unlike single-packet (atomic) analysis, which may need only one packet to identify an attack, composite signature-based analysis looks for patterns across several packets to determine whether an attack is underway. This method is particularly useful for detecting complex attacks that cannot be identified from a single packet's header or payload alone.
Reference: The concept of composite signature-based analysis is part of the broader network defense strategy that includes protecting, detecting, responding to, and predicting network security incidents. It aligns with the Certified Network Defender (CND) program's focus on understanding network traffic signatures and analysis as part of designing network security policies and incident response plans.

28. Which scan attempt can penetrate through a router and a firewall that filter incoming packets with particular flags set, and is not supported by Windows?
A. ARP scan attempt
B. TCP full connect scan attempt
C. TCP null scan attempt
D. PING sweep attempt
Answer: C
Explanation: A TCP null scan attempt is a network scanning technique in which the TCP packet sent has no flags set. This type of scan can sometimes penetrate routers and firewalls that filter incoming packets based on certain flags, because the absence of flags can prevent the packet from being matched by those filters.
The TCP null scan is used to identify open ports on a target system. If a port is open, the target system does not respond to the null scan; if the port is closed, the system sends a TCP RST packet in response. This scanning method is not supported by Windows because Windows systems typically respond with a RST packet regardless of whether the port is open or closed, making it ineffective for distinguishing between the two states on those systems.
Reference: The TCP null scan's ability to bypass certain types of filters and its behavior in response to open and closed ports are documented in various network security resources, including the Nmap documentation and other network security analysis articles. These sources confirm the effectiveness of TCP null scans in penetrating filters set up by routers and firewalls and their unsupported status on Windows systems.

29. You are tasked to perform a black hat vulnerability assessment for a client. You received official written permission to work with: the company site, forum, and the Linux server with LAMP where this site is hosted. Which vulnerability assessment tool should you consider using?
A. OpenVAS
B. hping
C. wireshark
D. dnsbrute
Answer: A
Explanation: OpenVAS is the most suitable tool for conducting a vulnerability assessment on a Linux server with LAMP. It is a full-featured vulnerability scanner that is actively maintained and updated, capable of detecting thousands of vulnerabilities in network services and software. For a black hat vulnerability assessment, which implies testing from the perspective of a potential attacker, OpenVAS can simulate attacks on the network services running on the LAMP stack and identify vulnerabilities that could be exploited.
Reference: The choice of OpenVAS is supported by its inclusion in various lists of top vulnerability assessment tools for Linux servers.
It is specifically designed to perform comprehensive scans and is frequently updated to include the latest vulnerability checks.

30. A company wants to implement a data backup method which allows them to encrypt the data, ensuring its security as well as access at any time and from any location. What is the appropriate backup method that should be implemented?
A. Onsite backup
B. Hot site backup
C. Offsite backup
D. Cloud backup
Answer: D
Explanation: The most appropriate backup method for a company that wants to ensure data encryption and accessibility from any location at any time is cloud backup. Cloud backup solutions provide remote, offsite storage that can be accessed over the internet, which is ideal for ensuring data availability and security. These solutions often include robust encryption protocols to secure data during transfer and while at rest on the cloud servers. This aligns with the need for a backup method that not only encrypts data but also allows easy access regardless of the user's location.
Reference: The explanation is based on standard practices in data backup and security, which are consistent with the objectives and documentation of the Certified Network Defender (CND) course. Cloud backup is widely recognized for its encryption capabilities and remote accessibility, making it a suitable choice for companies looking to secure their data backups.

31. Ryan is a network security administrator who wants to implement local security policies for privileges granted to users and groups, system security audit settings, and user authentication, and wants to send security audit messages to the Event Log. Which Windows security component fulfills Ryan's requirement?
A. Security Reference Monitor (SRM)
B. The Security Account Manager (SAM)
C. The Local Security Authority Subsystem (LSASS)
D. WinLogon and NetLogon
Answer: C
Explanation: The Local Security Authority Subsystem (LSASS) is the correct answer because it is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. LSASS also writes to the Windows Security Log, which is essential for auditing and compliance. Therefore, it fulfills Ryan's requirements for implementing local security policies, managing system security audit settings, authenticating users, and sending security audit messages to the Event Log.
Reference: The role of LSASS in Windows security is detailed in Microsoft's documentation and aligns with the Certified Network Defender (CND) course's objectives, which include understanding the functions of various Windows security components in maintaining the integrity and security of networked systems.

32. What should a network administrator perform to execute/test untrusted or untested programs or code from untrusted or unverified third parties without risking the host system or OS?
A. Application Whitelisting
B. Application Blacklisting
C. Deployment of WAFs
D. Application Sandboxing
Answer: D
Explanation: Application sandboxing is a security technique that allows untrusted or untested programs or code to be executed in a separate, restricted environment known as a sandbox. This environment is isolated from the host system and operating system, ensuring that any potential malicious behavior contained within the code cannot affect the host. It is a way to test and execute third-party applications without risking the integrity or security of the main system. Sandboxing provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and in memory, which prevents the programs from affecting other processes and data on the host system.
Reference: The concept of application sandboxing is covered in the EC-Council's Certified Network Defender (CND) program, which includes key topics such as application whitelisting, blacklisting, and sandboxing. The hands-on lab exercises in the CND program help demonstrate skills in these areas, including application sandboxing.

33. Larry is responsible for the company's network, consisting of 300 workstations and 25 servers. After using a hosted email service for a year, the company wants to control the email internally. Larry likes this idea because it will give him more control over the email. Larry wants to purchase a server for email but does not want the server to be on the internal network due to the potential security risks. He decides to place the server outside of the company's internal firewall. There is another firewall connected directly to the Internet that will protect traffic from accessing the email server. The server will be placed between the two firewalls. What logical area is Larry putting the new email server into?
A. He is going to place the server in a Demilitarized Zone (DMZ)
B. He will put the email server in an IPsec zone.
C. Larry is going to put the email server in a hot-server zone.
D. For security reasons, Larry is going to place the email server in the company's Logical Buffer Zone (LBZ).
Answer: A
Explanation: Larry is placing the new email server in a Demilitarized Zone (DMZ). A DMZ is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, usually the internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external attacker only has access to equipment in the DMZ, rather than to any other part of the network.
The email server placed in the DMZ can be accessed from the internet, but it does not have direct access to the internal network, which reduces the risk of an internal security breach if the email server is compromised.
Reference: The concept of a DMZ is covered in the EC-Council's Certified Network Defender (C|ND) program, which teaches network administrators how to secure their networks against threats. The C|ND program includes strategies for protecting network infrastructure and creating secure architectures, which involve the use of DMZs.

34. Which of the following helps prevent executing untrusted or untested programs or code from untrusted or unverified third parties?
A. Application sandboxing
B. Deployment of WAFS
C. Application whitelisting
D. Application blacklisting
Answer: A
Explanation: Application sandboxing is a security mechanism that helps prevent the execution of untrusted or untested programs or code from untrusted or unverified third parties. It does this by running such programs in a restricted environment, known as a sandbox, where they have limited access to files and system resources. This containment ensures that any malicious code or behavior is isolated from the host system, thereby protecting it from potential harm. Sandboxing is a proactive security measure that can significantly reduce the attack surface and mitigate the risk of security breaches.
Reference: The concept of application sandboxing is covered in the Certified Network Defender (CND) course, which discusses various strategies for protecting networks and systems, including the use of sandboxing to contain and control the execution of potentially harmful code.

35. Identify the virtualization level that creates a massive pool of storage areas for different virtual machines running on the hardware.
A. Fabric virtualization
B. Storage device virtualization
C. Server virtualization
D. File system virtualization
Answer: B
Explanation: Storage device virtualization is the correct answer because it involves abstracting physical storage resources into a pool of storage that can be managed centrally and allocated to different virtual machines. This level of virtualization allows the creation of a massive pool of storage areas that are not tied to a single physical device, providing flexibility and scalability in managing storage resources for the various virtual machines running on the hardware.
Reference: The information aligns with the objectives and documents of the EC-Council's Certified Network Defender (CND) program, which covers various aspects of network security, including virtualization and storage strategies as part of a comprehensive defense approach.

36. Blake is working on the company's updated disaster and business continuity plan. The last section of the plan covers computer and data incident response. Blake is outlining the level of severity for each type of incident in the plan. Unsuccessful scans and probes are at what severity level?
A. Extreme severity level
B. Low severity level
C. Mid severity level
D. High severity level
Answer: B
Explanation: In the context of incident response, unsuccessful scans and probes are typically considered a low severity level. This is because they usually indicate attempted reconnaissance rather than a successful breach or compromise. These activities are often automated and widespread, affecting many networks, not just the targeted one. They are frequently the preliminary steps of an attack, trying to find vulnerabilities but not yet exploiting them. Therefore, while they should be monitored and logged, they do not usually signify an immediate threat to the network's integrity or the confidentiality of the data.
Reference: The EC-Council's Certified Network Defender (C|ND) program emphasizes a defense-in-depth security strategy, which includes continuous threat monitoring and incident response. The program outlines that not all incidents require the same level of response, and that categorizing the severity of incidents is crucial for effective prioritization and resource allocation.

37. Which of the following attack surfaces increases when you keep USB ports enabled on your laptop unnecessarily?
A. Human attack surface
B. Network attack surface
C. Physical attack surface
D. Software attack surface
Answer: C
Explanation: Keeping USB ports enabled on a laptop when not necessary increases the physical attack surface. USB ports can be used to connect devices that may be malicious or compromised, such as USB drives containing malware or tools designed to exploit vulnerabilities in the system's hardware or software. By leaving USB ports enabled, an attacker with physical access to the laptop could potentially use these ports to launch an attack, bypass security measures, or steal data.
Reference: The physical attack surface includes all the physical means through which an attacker can gain unauthorized access to a system or network. This aligns with the cybersecurity best practice of disabling unnecessary ports and services to minimize the attack surface, as detailed in various security frameworks and guidelines, including those from the EC-Council's Certified Network Defender (CND) program.

38. Which wireless networking topology setup requires the same channel name and SSID?
A. Ad-Hoc standalone network architecture
B. Infrastructure network topology
C. Hybrid topology
D. Mesh topology
Answer: B
Explanation: In an infrastructure network topology, all wireless devices communicate through an access point/base station. The access point serves as the central transmitter and receiver of wireless radio signals.
Mainstream wireless APs support the configuration of the same channel name (frequency) and SSID (Service Set Identifier) to facilitate seamless communication between devices. This setup is essential for devices to identify and connect to the correct network, especially in environments where multiple networks may overlap.
Reference: The information aligns with standard networking practices and the objectives of the EC-Council's Certified Network Defender (CND) program, which emphasizes understanding and implementing network security controls and protocols.

39. Which of the following information security standards defines security policies, technologies and ongoing processes for organizations that handle cardholder information for debit, credit, prepaid, e-purse, ATM, and POS cards?
A. Health Insurance Portability and Accountability Act (HIPAA)
B. Payment Card Industry Data Security Standard (PCI-DSS)
C. Information Security Acts: Gramm-Leach-Bliley Act (GLBA)
D. Information Security Acts: Sarbanes Oxley Act (SOX)
Answer: B
Explanation: The Payment Card Industry Data Security Standard (PCI-DSS) is the information security standard that defines security policies, technologies, and ongoing processes for organizations that handle cardholder information for various types of cards, including debit, credit, prepaid, e-purse, ATM, and POS cards. PCI-DSS was developed by the major credit card companies to create a secure environment for processing, storing, and transmitting cardholder data. Compliance with PCI-DSS involves adhering to a set of requirements that ensure the secure handling, storage, and transmission of cardholder information.
Reference: The significance and requirements of PCI-DSS are detailed in resources such as the Cloud Security Alliance's guide "Understanding PCI DSS: A Guide to the Payment Card Industry Data Security Standard" and the official PCI Security Standards Council documentation.
40. Which of the following network monitoring techniques requires extra monitoring software or hardware?
A. Non-router based
B. Switch based
C. Hub based
D. Router based
Answer: B
Explanation: Switch-based network monitoring requires additional monitoring software or hardware because switches operate at the data link layer of the OSI model and forward frames only to the port of the destination device, so a monitoring host does not see the other ports' traffic by default. To monitor traffic through a switch, network administrators must use port mirroring or a network tap, which involves configuring the switch (or inserting a tap) to send a copy of the network packets to a monitoring device. This allows the monitoring device to analyze the traffic passing through the switch without interfering with the network's normal operation. This technique is essential for deep packet inspection, intrusion detection systems, and gaining visibility into the traffic between devices in a switched network.
Reference: The need for extra monitoring software or hardware in switch-based network monitoring is consistent with the Certified Network Defender (CND) curriculum, which emphasizes the importance of implementing robust network monitoring practices to detect and respond to security threats. Additionally, the use of port mirroring and network taps as methods to monitor switch-based networks is standard practice in network security, aligning with the CND's focus on technical network security measures.

41. David is working in a mid-sized IT company. Management asks him to suggest a framework that can be used effectively to align the IT goals to the business goals of the company. David suggests the ______ framework, as it provides a set of controls over IT and consolidates them to form a framework.
A. RMIS
B. ITIL
C. ISO 27007
D. COBIT
Answer: D
Explanation: COBIT (Control Objectives for Information and Related Technologies) is a framework designed to help organizations develop, implement, monitor, and improve IT governance and management practices. It is recognized for its comprehensive approach to aligning IT goals with business objectives, ensuring that IT investments support the overall strategic direction of the company. COBIT provides a set of controls over IT and consolidates them into a framework that helps organizations ensure that their IT infrastructure is secure, reliable, and efficient, while also being aligned with their business goals.
Reference: ISACA's "Connecting Business and IT Goals Through COBIT 5" article provides insights into how COBIT 5 connects business goals with IT goals using non-technical, business language. The Interface Technical Training blog post "Aligning IT goals using the COBIT5 Goals Cascade" explains the process of translating stakeholder needs into enterprise goals, IT-related goals, and enabler goals, which is key to supporting alignment between an enterprise's needs and IT solutions and services.

42. James wants to implement certain control measures to prevent denial-of-service attacks against the organization. Which of the following control measures can help James?
A. Strong passwords
B. Reduce the session time-out duration for the connection attempts
C. A honeypot in DMZ
D. Provide network-based anti-virus
Answer: C
Explanation: Implementing a honeypot in the Demilitarized Zone (DMZ) can be an effective control measure against denial-of-service (DoS) attacks. A honeypot is a decoy system designed to attract attackers and divert them from legitimate targets. By deploying a honeypot in the DMZ, James can monitor and analyze incoming traffic to identify and mitigate DoS attacks. This proactive security measure allows the organization to detect and respond to malicious activities before they impact critical systems and services.
Reference: The Certified Network Defender (CND) course by EC-Council includes strategies for defending against DoS attacks, which cover the use of honeypots as part of a layered security approach. Additionally, industry best practice suggests that honeypots can serve as an early warning system and a means to study attacker behavior, which aligns with the objectives of the CND curriculum.

43. USB ports enabled on a laptop are an example of ____
A. System Attack Surface
B. Network Attack Surface
C. Physical Attack Surface
D. Software attack Surface
Answer: C
Explanation: The term "attack surface" refers to the sum of all possible points where an unauthorized user can try to enter data into or extract data from an environment. The enabled USB ports on a laptop are part of the physical attack surface because they allow physical interaction with the device. This includes the potential for unauthorized devices to be connected, which could be used to compromise security, for example through the introduction of malware or the unauthorized copying of sensitive data.
Reference: This explanation aligns with the definitions provided in network security resources, which categorize attack surfaces based on the nature of the interaction: physical, network, or software. The physical attack surface includes any physical means by which data can be compromised, which encompasses USB ports on a laptop.

44. An organization needs to adhere to the ______________ rules for safeguarding and protecting the electronically stored health information of employees.
A. HIPAA
B. PCI DSS
C. ISEC
D. SOX
Answer: A
Explanation: The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Organizations that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA compliance.
Covered entities (which include healthcare providers, health plans, and healthcare clearinghouses) and business associates that conduct certain health care transactions electronically must comply with the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information, and the HIPAA Security Rule, which sets standards for the security of electronic protected health information (e-PHI).
Reference: The information is based on the standards established by the HIPAA Privacy Rule and the HIPAA Security Rule, which are designed to protect the privacy and security of certain health information.

45. Which of the following defines the extent to which an interruption affects normal business operations and the amount of revenue lost due to that interruption?
A. RPO
B. RFO
C. RSP
D. RTO
Answer: D
Explanation: The term that defines the extent to which an interruption affects normal business operations and the amount of revenue lost due to that interruption is the Recovery Time Objective (RTO). RTO is a critical metric in business continuity and disaster recovery planning. It refers to the maximum acceptable length of time that a service, product, or activity can be offline after a disaster before significantly impacting the organization. This metric helps businesses determine how long they can afford to be without their critical functions before the loss becomes unacceptable.
Reference: The concept of RTO is widely recognized in business continuity planning and is a fundamental part of a disaster recovery strategy, ensuring that businesses can continue to operate or quickly resume key operations after an interruption.

46. Which of the following attack signature analysis techniques is implemented to examine the header information and conclude that a packet has been altered?
A. Context-based signature analysis
B. Content-based signature analysis
C. Atomic signature-based analysis
D. Composite signature-based analysis
Answer: D
Explanation: Composite signature-based analysis is a technique used in intrusion detection systems to examine multiple attributes or behaviors over time to identify potential threats. This method can analyze packet headers to detect anomalies that may indicate a packet has been altered. It looks at a series of packets or fragments to determine whether they are part of a legitimate session or have been manipulated as part of an attack, such as overlapping fragments that cannot be reassembled properly. This approach is more comprehensive than atomic signature-based analysis, which examines single events or packets in isolation, and provides a more contextual understanding than context-based or content-based analysis.
Reference: The concept of composite signature-based analysis and its application in examining packet headers for alterations is supported by industry-standard practice in network security and intrusion detection systems.

47. John has successfully remediated a vulnerability in an internal application that could have posed a threat to the network. He is scanning the application for the existence of the remediated vulnerability; this process is called ________ and it has to adhere to the _________
A. Verification, Security Policies
B. Mitigation, Security policies
C. Vulnerability scanning, Risk Analysis
D. Risk analysis, Risk matrix
Answer: A
Explanation: The process of scanning an application for the existence of a remediated vulnerability is known as verification. This step is crucial to ensure that the vulnerability has been properly addressed and that the application is no longer susceptible to the previously identified threat. Verification must adhere to the organization's security policies, which provide the framework and guidelines for all security-related activities.
These policies ensure that the verification process is conducted in a manner consistent with the organization's overall security posture and compliance requirements.
Reference: The Certified Network Defender (CND) program emphasizes the importance of adhering to security policies during all stages of network defense, including the verification of remediated vulnerabilities. This ensures that the network remains secure and that all defense measures are in line with the established security protocols.

48. Mark is monitoring the network traffic on his organization's network. He wants to detect a TCP and UDP ping sweep on his network. Which type of filter will be used to detect this on the network?
A. Tcp.srcport==7 and udp.srcport==7
B. Tcp.srcport==7 and udp.dstport==7
C. Tcp.dstport==7 and udp.srcport==7
D. Tcp.dstport==7 and udp.dstport==7
Answer: D
Explanation: To detect TCP and UDP ping sweeps on a network, the appropriate filter is one that checks for packets directed at port 7, which is used by the 'echo' service. This service is associated with ping-style probing for both TCP and UDP. Therefore, the filter to use is Tcp.dstport==7 and udp.dstport==7, which checks for incoming packets whose destination port is 7 for both TCP and UDP traffic. This allows Mark to identify ping sweep attempts, as these typically send packets to this port to elicit a response from hosts on the network.
Reference: The Certified Network Defender (CND) course material outlines the importance of understanding and utilizing network filters to detect various types of network scans and sweeps, including TCP and UDP ping sweeps. This is further supported by industry practice and discussions of network security monitoring and defense.

49. Identify the method involved in the purging technique of data destruction.
A. Incineration
B. Overwriting
C. Degaussing
D. Wiping
Answer: B
Explanation: The purging technique of data destruction aims to make data recovery infeasible using logical methods, which directly target the data at the storage-medium level. Overwriting is the prevalent technique for purging: the data is destroyed by being overwritten with unintelligible characters such as 0s and 1s. This method ensures that the original data cannot be recovered.
Reference: The explanation is based on the understanding of data destruction methods, in which overwriting is identified as a logical method of purging data to prevent its recovery.

50. An organization's web server was recently compromised, triggering its admin team into action to defend the network. The admin team wants to place the web server in such a way that, even if it is attacked, the other network resources will be unavailable to the attacker. Moreover, network monitoring should easily detect future attacks. How can the admin team implement this plan?
A. They can place the web server outside of the organization in a remote place
B. They can remove the web server from their organization
C. They can place it in a separate DMZ area behind the firewall
D. They can place it beside the firewall
Answer: C
Explanation: Placing the web server in a separate Demilitarized Zone (DMZ) behind the firewall is a security best practice that allows an organization to isolate its public-facing services from the internal network. This setup ensures that if the web server is compromised, the attacker will not have direct access to the internal network resources. Additionally, the DMZ provides a controlled environment where network traffic to and from the web server can be monitored effectively, facilitating the detection of future attacks. The firewall serves as a barrier, with specific rules that allow only the necessary communication to and from the DMZ, thereby enhancing the overall security posture of the organization.
Reference: The best practice of using a DMZ is widely recognized in the field of network security and is supported by various security resources, including those provided by the EC-Council's Certified Network Defender (CND) course and other industry-standard documentation on network security and architecture.

51. Which subdirectory in the /var/log directory stores information related to the Apache web server?
A. /var/log/maillog/
B. /var/log/httpd/
C. /var/log/apachelog/
D. /var/log/lighttpd/
Answer: B
Explanation: The Apache web server typically stores its log files in the /var/log/httpd/ directory on Unix-based systems. This directory contains various log files, including access_log and error_log, which record all requests processed by the server and any errors encountered, respectively. The location of these logs can be configured in the Apache configuration files, but /var/log/httpd/ is the default directory used by many Linux distributions.
Reference: The information is consistent with the official Apache documentation and common Unix/Linux filesystem practice as described in the Apache HTTP Server documentation, and corroborated by multiple sources including Stack Overflow discussions and other educational resources.

52. The IR team and the network administrator have successfully handled a malware incident on the network. The team is now preparing a countermeasure guideline to avoid a future occurrence of the malware incident. Which of the following countermeasure(s) should be added to deal with future malware incidents? (Select all that apply)
A. Complying with the company's security policies
B. Implementing strong authentication schemes
C. Implementing a strong password policy
D. Install antivirus software
Answer: A, B, C, D
Explanation: The countermeasures to deal with future malware incidents involve a multi-layered approach that includes:
Complying with the company's security policies: Ensuring that all security policies are followed can prevent malware incidents by maintaining a secure network environment.
Implementing strong authentication schemes: Strong authentication can prevent unauthorized access, reducing the risk of malware being introduced by attackers.
Implementing a strong password policy: Robust password policies can deter attackers by making it more difficult to gain access through brute force or other password-related attacks.
Installing antivirus software: Antivirus software is essential for detecting, preventing, and removing malware from the network.
These measures align with the Certified Network Defender (CND) program's emphasis on a defense-in-depth strategy, which includes protecting endpoints, data, and networks, as well as continuous threat monitoring and response.
Reference: Certified Network Defender (CND) course material and study guide. EC-Council's official Certified Network Defender (CND) resources.

53. Which type of attack is used to hack an IoT device and direct large amounts of network traffic toward a web server, resulting in overloading the server with connections and preventing any new connections?
A. XSS
B. DDoS
C. XCRF
D. Sniffing
Answer: B
Explanation: The type of attack that is used to hack an IoT device and direct large amounts of network traffic toward a web server, causing it to overload with connections and preventing any new connections, is a Distributed Denial of Service (DDoS) attack. In a DDoS attack, multiple compromised computer systems, which can include IoT devices, are used to target a single system, causing a Denial of Service (DoS).
These attacks can overwhelm the target with a flood of internet traffic, which can lead to the server being unable to process legitimate requests, effectively taking it offline. Reference: The concept of DDoS attacks utilizing IoT devices to flood targets with traffic is well- documented in cybersecurity literature. Such attacks exploit the connectivity and processing power of IoT devices to launch large-scale assaults on web servers and other online services, leading to the overloading of these systems123. This aligns with the objectives and documents of the EC-Council’s Certified Network Defender (CND) program, which includes understanding and defending against such network security threats. Powered by TCPDF (www.tcpdf.org) 23 / 23 https://www.dumpsinfo.com/ http://www.tcpdf.org
