Eccouncil Network Defense Essentials Exam 112-51 NDE Exam Practice Test

Page: 1 / 14
Total 75 questions
Question 1

Jamie wants to send a confidential file to her friend Alice. For this purpose, they installed an application for securely sharing the file. The application employs an encryption algorithm that uses the same shared secret key for encryption and decryption of data.

Identify the type of cryptography employed by the application used by Alice and Jamie for file sharing.



Answer : A


Question 2

Below are the various steps involved in establishing a network connection using the shared key authentication process.

1. The AP sends a challenge text to the station.

2. The station connects to the network.

3. The station encrypts the challenge text using its configured 128-bit key and sends the encrypted text to the AP.

4. The station sends an authentication frame to the AP.

5. The AP uses its configured WEP key to decrypt the encrypted text and compares it with the original challenge text.

What is the correct sequence of steps involved in establishing a network connection using the shared key authentication process?



Answer : B

The correct sequence of steps involved in establishing a network connection using the shared key authentication process is 4 -> 1 -> 3 -> 5 -> 2. This is based on the following description of the shared key authentication process from the Network Defense Essentials courseware:

The station sends an authentication frame to the AP, indicating that it wants to use shared key authentication.

The AP responds with an authentication frame containing a challenge text, which is a random string of bits.

The station encrypts the challenge text using its configured WEP key, which is derived from the shared secret key (password) that is also known by the AP. The station sends the encrypted text back to the AP in another authentication frame.

The AP decrypts the encrypted text using its configured WEP key and compares it with the original challenge text. If they match, the AP sends a positive authentication response to the station. If they do not match, the AP sends a negative authentication response to the station.

The station connects to the network if the authentication is successful.


Network Defense Essentials Courseware, EC-Council, 2020, pp. 3-18 to 3-19

Shared Key Authentication - Techopedia, Techopedia, June 15, 2017

Question 3

Barbara, a security professional, was monitoring the IoT traffic through a security solution. She identified that one of the infected devices is trying to connect with other IoT devices and spread malware onto the network. Identify the port number used by the malware to spread the infection to other IoT devices.



Answer : D

Port 48101 is the port number used by the malware to spread the infection to other IoT devices. This port is associated with the Mirai botnet, one of the most notorious IoT malware families, which targets vulnerable IoT devices and turns them into a network of bots that can launch distributed denial-of-service (DDoS) attacks. Mirai scans the internet for IoT devices that use default or weak credentials and infects them by logging in via Telnet or SSH. Once infected, the device connects to a command and control (C&C) server on port 48101 and waits for instructions. The C&C server can then direct the botnet to attack a target by sending TCP, UDP, or HTTP requests. Mirai has been responsible for some of the largest DDoS attacks in history, such as the one that disrupted Dyn DNS in 2016 and affected major websites like Twitter, Netflix, and Reddit. Reference:

Mirai (malware), Wikipedia, March 16, 2021

Mirai Botnet: A History of the Largest IoT Botnet Attacks, Imperva, December 10, 2020

Mirai Botnet: How IoT Devices Almost Brought Down the Internet, Cloudflare, March 17, 2021


Question 4

Jacob, an attacker, targeted container technology to destroy the reputation of an organization. To achieve this, he initially compromised a single container exploiting weak network defaults, overloaded the rest of the containers in the local domain, and restricted them from providing services to legitimate users.

Identify the type of attack initiated by Jacob in the above scenario.



Question 5

Which of the following IDS components analyzes the traffic and reports if any suspicious activity is detected?



Answer : B

The IDS component that analyzes the traffic and reports if any suspicious activity is detected is the network sensor. A network sensor is a device or software application deployed at one or more strategic points within the network to monitor and capture the traffic to and from all devices on the network. A network sensor can operate in one of two modes: promiscuous or inline. In promiscuous mode, the network sensor passively listens to the network traffic and copies the packets for analysis. In inline mode, the network sensor actively intercepts and filters the network traffic and can block or modify packets based on predefined rules. A network sensor analyzes the network traffic using various detection methods, such as signature-based, anomaly-based, or reputation-based detection, and compares the traffic patterns with a database of attack signatures or a model of normal behavior. If the network sensor detects any suspicious or malicious activity, such as a reconnaissance scan, an unauthorized access attempt, or a denial-of-service attack, it generates an alert and reports it to the IDS manager or the operator. A network sensor can also integrate with a response system to take appropriate actions, such as logging, notifying, or blocking, in response to the detected activity. Reference:

Network Defense Essentials Courseware, EC-Council, 2020, pp. 3-33 to 3-34

Intrusion Detection System (IDS) - GeeksforGeeks, GeeksforGeeks, 2020

Intrusion detection system - Wikipedia, Wikipedia, March 16, 2021


Question 6

Identify the backup mechanism that is performed within the organization using external devices such as hard disks and requires human interaction to perform the backup operations, thus making it susceptible to theft or natural disasters.



Answer : B

Onsite data backup is the backup mechanism that is performed within the organization using external devices such as hard disks and requires human interaction to perform the backup operations, thus making it susceptible to theft or natural disasters. Onsite data backup means storing the backup data on a local storage device, such as an external hard drive, a USB flash drive, a CD/DVD, or a tape drive, that is physically located on the same premises as the original data source. Onsite data backup has some advantages, such as fast backup and restore speed, easy access, and low cost. However, it also has some disadvantages, such as requiring manual intervention, occupying physical space, and being vulnerable to damage, loss, or theft. If a disaster, such as a fire, flood, earthquake, or power outage, occurs in the organization, both the original data and the backup data may be destroyed or inaccessible. Therefore, onsite data backup alone is not a reliable or secure way to protect the data from unforeseen events. Reference:

Should I Use an External Hard Drive for Backup in 2024?, Cloudwards, February 8, 2024

How to Back Up a Computer to an External Hard Drive, Lifewire, April 1, 2022

Best Way to Backup Multiple Computers to One External Drive, AOMEI, December 29, 2020


Question 7

Finch, a security auditor, was assigned the task of providing devices to all the employees to enable work from remote locations. Finch restricted the devices to work only for organization-related tasks, and not for personal use.

Which of the following mobile usage policies has Finch implemented in the above scenario?



Answer : B

Finch has implemented the COBO (Corporate-Owned, Business-Only) mobile usage policy in the above scenario. COBO is a policy where the organization provides mobile devices to the employees and restricts them to using the devices only for work-related purposes. The organization has full control over the devices and can enforce security measures, such as encryption, password protection, remote wipe, and application whitelisting or blacklisting. The employees are not allowed to use the devices for personal purposes, such as browsing the internet, making personal calls, or installing personal apps. COBO is a policy that aims to maximize security and minimize distractions and risks for both the organization and the employees. Reference:

Mobile usage policy in office - sample, cell phone policy in companies and organization, HR Help Board, 2020

Employee Cell Phone Policy Template, Workable, 2020

How Employers Enforce Cell Phone Policies in the Workplace, Indeed, 2022

