Under which of the following registry keys are the Windows Event Log audit configurations recorded?
Answer : D
The Windows Event Log audit configurations are recorded under the registry key path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. This key contains a subkey for each event log on the system, including the Application, Security, and System logs, among others. Each subkey can hold values that determine how events are logged, such as the maximum size of the log, the retention method, and the file path where the log is stored. Audit policies can be configured to determine which events are recorded in these logs, and those configurations are reflected in the registry under this key.
An IT company has just been hit with a severe external security breach. To enhance the company's security posture, the network admin has decided to first block all the services and then individually enable only the necessary services. What is such an Internet access policy called?
Answer : D
The Paranoid Policy is a type of Internet access policy that is characterized by initially blocking all services and then selectively enabling only those that are necessary. This approach is often taken as a security measure following a severe external breach, as it allows the network administrator to ensure that only essential and secure services are accessible, minimizing potential vulnerabilities.
Kyle is an IT consultant working on a contract for a large energy company in Houston. Kyle was hired on to do contract work three weeks ago so the company could prepare for an external IT security audit. With suggestions from upper management, Kyle has installed a network-based IDS system. This system checks for abnormal behavior and patterns found in network traffic that appear to be dissimilar from the traffic normally recorded by the IDS. What type of detection is this network-based IDS system using?
Answer : A
Anomaly detection in network-based Intrusion Detection Systems (IDS) involves establishing a baseline of normal behavior for the network or system and then monitoring for deviations from this baseline. The IDS analyzes traffic patterns, system performance, user behavior, and other metrics to detect anomalies that could indicate a potential security breach. This method is particularly effective for identifying new or unknown threats that do not match any known signatures or definitions. By focusing on irregular patterns rather than predefined signatures, anomaly detection can provide early warnings of malicious activities that might otherwise go unnoticed.
Which type of firewall consists of three interfaces and allows further subdivision of the systems based on specific security objectives of the organization?
Answer : D
A multi-homed firewall is designed with three or more network interfaces. This type of firewall allows an organization to create multiple subnets, each serving different security objectives. The multi-homed firewall can enforce security policies and control traffic flow between these subnets, effectively segmenting the network based on the organization's specific needs. This segmentation enhances security by isolating different parts of the network, reducing the risk of widespread network compromise in the event of a security breach.
Which of the following Wireshark filters allows an administrator to detect a SYN/FIN DDoS attempt on the network?
Answer : B
The correct Wireshark filter to detect a SYN/FIN DDoS attempt is tcp.flags==0X029. This filter is designed to capture packets where both the SYN and FIN flags are set, which is an unusual combination and indicative of a SYN/FIN attack. In a normal TCP connection, the SYN and FIN flags are never set in the same TCP segment: a SYN flag initiates a connection, and a FIN flag gracefully closes one. Therefore, seeing both flags set in the same packet suggests a possible SYN/FIN DDoS attack.
Malone is finishing up his incident handling plan for IT before giving it to his boss for review. He is outlining the incident response methodology and the steps that are involved. What is the last step he should list?
Answer : D
The last step Malone should list in his incident handling plan is 'A follow-up'. This step is crucial as it involves analyzing the incident to understand how it occurred and what can be done to prevent similar incidents in the future. It often includes a review of the effectiveness of the response, identification of lessons learned, updating policies and procedures accordingly, and conducting training sessions if necessary. This step ensures that the organization improves its security posture and is better prepared for future incidents.
Which of the following incident handling stages removes the root cause of the incident?
Answer : A
The eradication stage in incident handling is responsible for removing the root cause of the incident. This stage involves identifying and eliminating the threats that caused the incident, such as malware or unauthorized access. It also includes patching vulnerabilities and strengthening security controls to prevent similar incidents in the future. The goal of eradication is to ensure that the incident is completely resolved and cannot recur.
The information about the eradication phase aligns with best practices in incident response, as detailed in various cybersecurity resources.