★ Pass on Your First TRY ★ 100% Money Back Guarantee ★ Realistic Practice Exam Questions

Free Instant Download NEW 312-50 Exam Dumps (PDF & VCE):
Available on: https://www.certleader.com/312-50-dumps.html


Q321. John is discussing security with Jane. Jane had mentioned to John earlier that she suspects an LKM has been installed on her server. She believes this is the reason that the server has been acting erratically lately. LKM stands for Loadable Kernel Module. 

What does this mean in the context of Linux Security? 

A. Loadable Kernel Modules are a mechanism for adding functionality to a file system without requiring a kernel recompilation. 

B. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel after it has been recompiled and the system rebooted. 

C. Loadable Kernel Modules are a mechanism for adding auditing to an operating-system kernel without requiring a kernel recompilation. 

D. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation. 

Answer: D

Explanation: Loadable Kernel Modules, or LKM, are object files that contain code to extend the running kernel, or so-called base kernel, without the need of a kernel recompilation. Operating systems other than Linux, such as BSD systems, also provide support for LKM's. However, the Linux kernel generally makes far greater and more versatile use of LKM's than other systems. LKM's are typically used to add support for new hardware, filesystems or for adding system calls. When the functionality provided by an LKM is no longer required, it can be unloaded, freeing memory. 


Q322. A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites. 77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets had an ICMP ID:0 and Seq:0. What can you infer from this information? 

A. The packets were sent by a worm spoofing the IP addresses of 47 infected sites B. ICMP ID and Seq numbers were most likely set by a tool and not by the operating system 

C. All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq number 

D. 13 packets were from an external network and probably behind a NAT, as they had an ICMP ID 0 and Seq 0 

Answer: B


Q323. A Company security System Administrator is reviewing the network system log files. He notes the following: 

-Network log files are at 5 MB at 12:00 noon. 

-At 14:00 hours, the log files at 3 MB. 

What should he assume has happened and what should he do about the situation? 

A. He should contact the attacker’s ISP as soon as possible and have the connection disconnected. 

B. He should log the event as suspicious activity, continue to investigate, and take further steps according to site security policy. 

C. He should log the file size, and archive the information, because the router crashed. 

D. He should run a file system check, because the Syslog server has a self correcting file system problem. 

E. He should disconnect from the Internet discontinue any further unauthorized use, because an attack has taken place. 

Answer: B

Explanation: You should never assume a host has been compromised without verification. Typically, disconnecting a server is an extreme measure and should only be done when it is confirmed there is a compromise or the server contains such sensitive data that the loss of service outweighs the risk. Never assume that any administrator or automatic process is making changes to a system. Always investigate the root cause of the change on the system and follow your organizations security policy. 


Q324. You are doing IP spoofing while you scan your target. You find that the target has port 23 open.Anyway you are unable to connect. Why? 

A. A firewall is blocking port 23 

B. You cannot spoof + TCP 

C. You need an automated telnet tool 

D. The OS does not reply to telnet even if port 23 is open 

Answer: A

Explanation: The question is not telling you what state the port is being reported by the scanning utility, if the program used to conduct this is nmap, nmap will show you one of three states – “open”, “closed”, or “filtered” a port can be in an “open” state yet filtered, usually by a stateful packet inspection filter (ie. Netfilter for linux, ipfilter for bsd). C and D to make any sense for this question, their bogus, and B, “You cannot spoof + TCP”, well you can spoof + TCP, so we strike that out. 


Q325. Which of the following tools can be used to perform a zone transfer? 

A. NSLookup 

B. Finger 

C. Dig 

D. Sam Spade 

E. Host 

F. Netcat 

G. Neotrace 

Answer: ACDE

Explanation: There are a number of tools that can be used to perform a zone transfer. Some of these include: NSLookup, Host, Dig, and Sam Spade. 


Q326. Exhibit: 

Study the following log extract and identify the attack. 

A. Hexcode Attack 

B. Cross Site Scripting 

C. Multiple Domain Traversal Attack 

D. Unicode Directory Traversal Attack 

Answer: D

Explanation: The “Get /msadc/……/……/……/winnt/system32/cmd.exe?” shows that a Unicode Directory Traversal Attack has been performed. 


Q327. What does the this symbol mean? 

A. Open Access Point 

B. WPA Encrypted Access Point 

C. WEP Encrypted Access Point 

D. Closed Access Point 

Answer: A

Explanation: This symbol is a “warchalking” symbol for a open node (open circle) with the SSID tsunami and the bandwidth 2.0 Mb/s 


Q328. How would you describe a simple yet very effective mechanism for sending and receiving unauthorized information or data between machines without alerting any firewalls and IDS's on a network? 

A. Covert Channel 

B. Crafted Channel 

C. Bounce Channel 

D. Deceptive Channel 

Answer:

Explanation: A covert channel is described as: "any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy." 

Essentially, it is a method of communication that is not part of an actual computer system design, but can be used to transfer information to users or system processes that normally would not be allowed access to the information. 


Q329. SNMP is a connectionless protocol that uses UDP instead of TCP packets? (True or False) 

A. True 

B. False 

Answer: A

Explanation: TCP and UDP provide transport services. But UDP was preferred. This is due to TCP characteristics, it is a complicate protocol and it consume to many memory and CPU resources. Where as UDP is easy to build and run. Into devices (repeaters and modems) vendors have built simple version of IP and UDP. 


Q330. You work for Acme Corporation as Sales Manager. The company has tight network security restrictions. You are trying to steal data from the company's Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traffic that leaves from the internal network to the Internet. How will you achieve this without raising suspicion? 

A. Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account 

B. Package the Sales.xls using Trojan wrappers and telnet them back your home computer 

C. You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques 

D. Change the extension of Sales.xls to sales.txt and upload them as attachment to your hotmail account 

Answer: C