112-51 Network Defense Essentials (NDE) Exam Question and Answers

Unauthorized access signatures were identified by Kalley through the installed monitoring system. Unauthorized access signatures are designed to detect attempts to gain unauthorized access to a system or network by exploiting vulnerabilities, misconfigurations, or weak credentials. Password cracking, sniffing, and brute-forcing are common techniques used by attackers to obtain or guess the passwords of legitimate users or administrators and gain access to their accounts or privileges. These techniques generate suspicious traffic patterns that can be detected by traffic monitoring systems, such as Snort, using signature-based detection. Signature-based detection is based on the premise that abnormal or malicious network traffic fits a distinct pattern, whereas normal or benign traffic does not. Therefore, by installing a traffic monitoring system and capturing and reporting suspicious traffic signatures, Kalley can identify and prevent unauthorized access attempts and protect the security of her organization’s network.References:

• Network Defense Essentials Courseware, EC-Council, 2020, pp. 3-33 to 3-34
• Detecting Suspicious Traffic via Signatures - Intrusion Detection with Snort, O’Reilly, 2003
• Threat Signature Categories - Palo Alto Networks, Palo Alto Networks, 2020

The loT communication model that serves as an analyzer for a company to track monthly or yearly energy consumption is the device-to-cloud model. The device-to-cloud model is a loT communication model where the loT devices, such as smart meters, sensors, or thermostats, send data directly to the cloud platform, such as AWS, Azure, or Google Cloud, over the internet. The cloud platform then processes, analyzes, and stores the data, and provides feedback, control, or visualization to the users or applications. The device-to-cloud model enables the company to monitor and optimize the energy consumption of the loT devices in real time, and to leverage the cloud services, such as machine learning, big data analytics, or artificial intelligence, to perform advanced energy management and demand response.The device-to-cloud model also reduces the complexity and cost of the loT infrastructure, as it does not require intermediate gateways or servers to connect the loT devices to the cloud123.References:

• Network Defense Essentials Courseware, EC-Council, 2020, pp. 3-38 to 3-39
• loT Communication Models: Device-to-Device, Device-to-Cloud, Device-to-Gateway, and Back-End Data-Sharing, DZone, July 9, 2018
• loT Communication Models: Device-to-Device, Device-to-Cloud, Device-to-Gateway, and Back-End Data-Sharing, Medium, March 26, 2019

WPA2 (Wi-Fi Protected Access 2) is an encryption technology that secures wireless networks using the IEEE 802.11i standard. WPA2 uses a four-way handshake to authenticate the client and the access point, and to generate a pairwise transient key (PTK) for encrypting the data. The PTK is derived from the password pairwise master key (PMK), which is a shared secret between the client and the access point. The PMK can be obtained either by using a pre-shared key (PSK) or by using an 802.1X authentication server. In the above scenario, George performed password cracking on WPA2, as he used sniffing tools to capture the PMK associated with the handshake authentication process. Then, using the PMK, he was able to derive the PTK and decrypt the data exchanged between the client and the access point.References:

• WPA2- Wikipedia
• How WPA2-PSK encryption works?- Cryptography Stack Exchange
• WPA2 Encryption and Configuration Guide- Cisco Meraki Documentation

The object of the container network model (CNM) that contains the configuration files of a container’s network stack, such as routing table, container’s interfaces, and DNSsettings, is the Sandbox. A Sandbox is a logical entity that encapsulates the network configuration and state of a container. A Sandbox can contain one or more endpoints from different networks, and provides isolation and security for the container’s network stack. A Sandbox can be implemented using various technologies, such as Linux network namespaces, FreeBSD jails, or Windows compartments.A Sandbox allows the container to have its own view and control of the network resources, such as interfaces, addresses, routes, and DNS settings123.References:

• The Container Networking Model | Training, Training, 2020
• A Comprehensive Guide To Docker Networking - KnowledgeHut, KnowledgeHut, September 27, 2023
• Design - GitHub: Let’s build from here, GitHub, 2020

The network defense approach that was employed by Alice on her laptop was the preventive approach. The preventive approach aims to stop or deter potential attacks before they happen by implementing security measures that reduce the attack surface and increase the difficulty of exploitation. Biometric authentication is an example of a preventive measure that uses a physical characteristic, such as a fingerprint, iris, or face, to verify the identity of the user and grant access to the device or system. Biometric authentication is more secure than traditional methods, such as passwords or PINs, because it is harder to forge, guess, or steal. By locking her laptop and using biometric authentication, Alice prevented Bob from accessing her laptop and her confidential files without her permission.References:

• Network Defense Essentials Courseware, EC-Council, 2020, pp. 1-7 to 1-8
• What is Biometric Authentication?, Norton, July 29, 2020
• An introduction to network defense basics, Enable Sysadmin, November 26, 2019

WPA3 is the latest standard of Wi-Fi Protected Access, which was released in 2018 by the Wi-Fi Alliance. WPA3 uses a new handshake protocol called Simultaneous Authentication of Equals (SAE), which is based on a zero-knowledge proof known as dragonfly. Dragonfly is a key exchange algorithm that uses discrete logarithm cryptography to derive a shared secret between two parties, without revealing any information about their passwords or keys. Dragonfly is resistant to offline dictionary attacks, where an attacker tries to guess the password by capturing the handshake and testing different combinations. Dragonfly is also resistant to key recovery attacks, where an attacker tries to recover the encryption key by exploiting weaknesses in the algorithm or implementation. Dragonfly provides forward secrecy, which means that even if an attacker manages to compromise the password or key in the future, they cannot decrypt the past communication. WPA3 also supports other features such as increased key sizes, opportunistic wireless encryption, and protected management frames, which enhance the security and privacy of wireless networks.References:

• WPA3 Dragonfly Handshake
• WPA3 Encryption and Configuration Guide
• Dragon Fly - Zero Knowledge Proof
• What is SAE (Simultaneous Authentication of Equals)?
• Dragonfly - people.scs.carleton.ca

A combination lock is a type of physical locking system that requires a sequence of numbers and letters to unlock. The user has to dial or enter the correct combination to open the lock. Combination locks are commonly used for securing luggage, safes, lockers, etc.In the scenario, Alice locked her zip-based document bag with a combination lock that requires a sequence of numbers and letters to unlock12.References:Network Defense Essentials - EC-Council Learning,Understanding the Various Types of Physical Security Controls

ISO/IEC 27018 is the ISO standard that provides guidance to ensure that cloud service providers offer appropriate information security controls to protect the privacy of their customer’s clients by securing personally identifiable information entrusted to them. ISO/IEC 27018 is a code of practice for protecting personal information in cloud storage. The term for the personal data it covers is Personally Identifiable Information or PII. ISO/IEC 27018 is an addendum to ISO/IEC 27001, the first international code of practice for cloud privacy. It helps cloud service providers who process PII to assess riskand implement controls for protecting PII. ISO/IEC 27018 was created in 2014 and updated in 2019. It has the following objectives:

• Help the public cloud service provider to comply with applicable obligations when acting as a PII processor, whether such obligations fall on the PII processor directly or through contract.
• Enable the public cloud PII processor to be transparent in relevant matters so that cloud service customers can select well-governed cloud-based PII processing services.
• Assist the cloud service customer and the public cloud PII processor in entering into a contractual agreement.
• Provide cloud service customers with a mechanism for exercising audit and compliance rights and responsibilities in cases where individual cloud service customer audits of data hosted in a multiparty, virtualized server (cloud) environment can be impractical technically and can increase risks to those physical and logical network security controls in place123.

References:

• ISO/IEC 27018: Protecting PII in Public Clouds - ISMS.online, ISMS.online, 2019
• ISO/IEC 27018 - Wikipedia, Wikipedia, 2021
• ISO/IEC 27018:2019 - Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, ISO, 2019

Sharing confidential data on an unsecured network is a security risk associated with mobile usage policies. Mobile devices are often used to access and transmit sensitive information over public or untrusted networks, such as WiFi hotspots, cellular networks, or Bluetooth connections. This exposes the data to interception, modification, or redirection by malicious actors who may exploit mobile security vulnerabilities or use network-based attacks, such as man-in-the-middle, spoofing, or sniffing. To prevent this risk, mobile users should follow best practices such as using encryption, VPN, certificate pinning, and secure protocols to protect the data in transit. They should also avoid sending or receiving sensitive data over unsecured networks or applications, and verify the identity and integrity of the endpoint servers before establishing a connection.References:

• The 9 Most Common Security Threats to Mobile Devices in 2021, Auth0, June 25, 2021
• 7 Mobile App Security Risks and How to Mitigate Them, Cypress Data Defense, July 10, 2020
• The Latest Mobile Security Threats and How to Prevent Them, Security Intelligence, February 19, 2019

A firewall is a software or a hardware device on a network or host that filters the incoming and outgoing traffic to prevent unauthorized access to private networks. A firewall can use various criteria, such as IP addresses, ports, protocols, or application rules, to allow or deny the traffic. A firewall can also perform other functions, such as logging, auditing, encryption, or proxy services.A firewall can be deployed at different levels of a network, such as network perimeter, network segment, or host level12.References:Network Defense Essentials - EC-Council Learning,Firewall (computing) - Wikipedia

Atomic-signature-based analysis is a type of attack signature analysis technique that uses a single characteristic or attribute of a packet header to identify malicious traffic. Atomic signatures are simple and fast to match, but they can also generate false positives or miss some attacks. Some examples of atomic signatures are source and destination IP addresses, port numbers, protocol types, and TCP flags. Atomic-signature-based analysis is the technique performed by Joseph in the above scenario, as he analyzed packet headers to check whether any indications of source and destination IP addresses and port numbers are being changed during transmission.References:

• [Understanding the Network Traffic Signatures] - Module 12: Network Traffic Monitoring
• Network Defense Essentials (NDE) | Coursera- Week 12: Network Traffic Monitoring
• [Network Defense Essentials Module 12 (Network Traffic Monitoring) - Quizlet] - Flashcards: What are Network Traffic Signatures?

The correct sequence of steps involved in the creation of a data retention policy is 3 -> 1 -> 4 -> 5 -> 2. This is based on the following description of the data retention policy creation process from the web search results:

• Build a team: To design a data retention policy, you need a team of industry experts, such as legal, IT, compliance, and business representatives, who can contribute their knowledge and perspectives to the policy.The team should have a clear leader who can coordinate the tasks and communicate the goals and expectations1.
• Determine legal requirements: The team should research and understand the applicable legal and regulatory requirements for data retention that affect the organization, such as GDPR, HIPAA, PCI DSS, etc.The team should also consider any contractual obligations or industry standards that may influence the data retention policy2134.
• Identify and classify the data: The team should inventory and categorize all the data that the organization collects, stores, and processes, based on their function, subject, or type.The team should also assess the value, risk, and sensitivity of each data category, and determine the appropriate retention period, format, and location for each data category2134.
• Develop the data retention policy: The team should draft the data retention policy document that outlines the purpose, scope, roles, responsibilities, procedures, and exceptions of the data retention policy. The policy should be clear, concise, and consistent, and should reflect the legal and business requirements of the organization.The policy should also include a data retention schedule that specifies the retention period and disposition method for each data category2134.
• Ensure that all employees understand the organization’s data retention policy: The team should communicate and distribute the data retention policy to all the relevant employees and stakeholders, and provide training and guidance on how to comply with the policy.The team should also monitor and enforce the policy, and review and update the policy regularly to reflect any changes in the legal or business environment2134.

References:

• How to Create a Data Retention Policy | Smartsheet, Smartsheet, July 17, 2019
• What Is a Data Retention Policy? Best Practices + Template, Drata, November 29, 2023
• Data Retention Policy: What It Is and How to Create One - SpinOne, SpinOne, 2020
• How to Develop and Implement a Retention Policy - SecureScan, SecureScan, 2020

Dtex Systems is the UBA tool that collects user activity details from multiple sources and uses artificial intelligence and machine learning algorithms to perform user behavior analysis to prevent and detect various threats before the fraud is perpetrated. Dtex Systems is a user and entity behavior analytics (UEBA) platform that provides visibility, detection, and response capabilities for insider threats, compromised accounts, data loss, and fraud. Dtex Systems collects user activity data from endpoints, servers, cloud applications, and network traffic, and applies advanced analytics and machine learning to establish baselines of normal user behavior, identify anomalies, and assign risk scores. Dtex Systems also provides contextual information, such as user intent, motivation, and sentiment, to help security teams understand and respond to the threats.Dtex Systems can integrate with other security tools, such as SIEM, DLP, or IAM, to enhance the security posture of the organization123.References:

• Network Defense Essentials Courseware, EC-Council, 2020, pp. 3-35 to 3-36
• Dtex Systems - Wikipedia, Wikipedia, March 16, 2021
• Dtex Systems - User and Entity Behavior Analytics (UEBA), Dtex Systems, 2020

The Sarbanes-Oxley Act (SOX) is a US law that was enacted in 2002 in response to the corporate scandals involving Enron, WorldCom, and others. The SOX aims to protect the public and investors by increasing the accuracy and reliability of corporate disclosures, such as financial statements, audit reports, and internal controls.The SOX also establishes the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing of public companies and imposes criminal penalties for fraud and non-compliance12.References:Network Defense Essentials - EC-Council Learning,Sarbanes-Oxley Act of 2002 (SOX) | U.S. Department of Labor

Biometric authentication is a type of authentication that uses the physical or behavioral characteristics of a person to verify their identity. Biometric authentication is more secure and convenient than other methods such as passwords or tokens, as biometric traits are unique, hard to forge, and easy to use. Some examples of biometric authentication techniques are retina scanner, DNA, and voice recognition. Retina scanner uses a low-intensity light beam to scan the pattern of blood vessels at the back of the eye, which is unique for each individual. DNA uses the genetic code of a person to match their identity, which is the most accurate and reliable biometric technique. Voice recognition uses the sound and pitch of a person’s voice to verify their identity, which is influenced by factors such as anatomy, physiology, and psychology. These techniques fall under biometric authentication, as they use the physical or behavioral traits of a person to authenticate them.References:

• Biometric Authentication- Week 2: Identification, Authentication, and Authorization
• Biometric Authentication: What You Need To Know
• Biometric Authentication Techniques