112-51 Network Defense Essentials (NDE) Exam Questions and Answers

A device-to-cloud model is a type of IoT communication model that connects the IoT devices directly to the cloud platform, where the data is stored, processed, and analyzed. The device-to-cloud model enables remote access, real-time monitoring, and scalability of IoT applications. The device-to-cloud model requires the IoT devices to have internet connectivity and cloud compatibility. In the above scenario, John used a device-to-cloud model to monitor his grandfather’s health condition, as he placed a smart wearable ECGon his grandfather’s wrist that sent the data to the cloud platform, where John could access it from his mobile phone and receive alerts periodically.References:

• Communication Models in IoT (Internet of Things)- Section: Device-to-Cloud Model
• IoT Communication Models - IoTbyHVM- Section: Device to Cloud Communication Model
• Logical Design of IoT | Communication Models | APIs | Functional Blocks- Section: Device-to-Cloud Communication Model

Hot and cold aisles are a type of environmental control that saves the hardware from humidity and heat, increases hardware performance, and maintains consistent room temperature. Hot and cold aisles are a layout design for data centers, where the server racks are arranged in alternating rows of cold air intake and hot air exhaust. The cold aislefaces the air conditioner output ducts and provides cool air to the front of the servers. The hot aisle faces the air conditioner return ducts and collects the hot air from the back of the servers. This way, the hot and cold air streams are separated and do not mix, resulting in better cooling efficiency, lower energy consumption, and longer hardware lifespan.References:

• Hot and cold aisles- Week 4: Network Security Controls: Physical Controls
• Hot and Cold Aisles: The Basics of Data Center Cooling
• Hot Aisle vs. Cold Aisle Containment: Which One is Best for Your Data Center?

Dtex Systems is the UBA tool that collects user activity details from multiple sources and uses artificial intelligence and machine learning algorithms to perform user behavior analysis to prevent and detect various threats before the fraud is perpetrated. Dtex Systems is a user and entity behavior analytics (UEBA) platform that provides visibility, detection, and response capabilities for insider threats, compromised accounts, data loss, and fraud. Dtex Systems collects user activity data from endpoints, servers, cloud applications, and network traffic, and applies advanced analytics and machine learning to establish baselines of normal user behavior, identify anomalies, and assign risk scores. Dtex Systems also provides contextual information, such as user intent, motivation, and sentiment, to help security teams understand and respond to the threats.Dtex Systems can integrate with other security tools, such as SIEM, DLP, or IAM, to enhance the security posture of the organization123.References:

• Network Defense Essentials Courseware, EC-Council, 2020, pp. 3-35 to 3-36
• Dtex Systems - Wikipedia, Wikipedia, March 16, 2021
• Dtex Systems - User and Entity Behavior Analytics (UEBA), Dtex Systems, 2020

Two-factor authentication (2FA) is a type of authentication that requires users to provide two or more forms of verification to access an online account. 2FA is a multi-layered security measure designed to prevent hackers from accessing user accounts using stolen or shared credentials. 2FA typically combines something the user knows (such as a password or PIN), something the user has (such as a phone or a token), and/or something the user is (such as a fingerprint or a face scan). In the above scenario, the banking application employs 2FA by asking Kevin to enter his registered credentials (something he knows) and an OTP sent to his mobile (something he has) before transferring the amount to Flora’s account.References:

• Improve Your Cybersecurity with Password MFA - Defense.com™
• What Is Two-Factor Authentication (2FA)? | Microsoft Security
• Selecting Secure Multi-factor Authentication Solutions

Sharing confidential data on an unsecured network is a security risk associated with mobile usage policies. Mobile devices are often used to access and transmit sensitive information over public or untrusted networks, such as WiFi hotspots, cellular networks, or Bluetooth connections. This exposes the data to interception, modification, or redirection by malicious actors who may exploit mobile security vulnerabilities or use network-based attacks, such as man-in-the-middle, spoofing, or sniffing. To prevent this risk, mobile users should follow best practices such as using encryption, VPN, certificate pinning, and secure protocols to protect the data in transit. They should also avoid sending or receiving sensitive data over unsecured networks or applications, and verify the identity and integrity of the endpoint servers before establishing a connection.References:

• The 9 Most Common Security Threats to Mobile Devices in 2021, Auth0, June 25, 2021
• 7 Mobile App Security Risks and How to Mitigate Them, Cypress Data Defense, July 10, 2020
• The Latest Mobile Security Threats and How to Prevent Them, Security Intelligence, February 19, 2019

The Sarbanes-Oxley Act (SOX) is a US law that was enacted in 2002 in response to the corporate scandals involving Enron, WorldCom, and others. The SOX aims to protect the public and investors by increasing the accuracy and reliability of corporate disclosures, such as financial statements, audit reports, and internal controls.The SOX also establishes the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing of public companies and imposes criminal penalties for fraud and non-compliance12.References:Network Defense Essentials - EC-Council Learning,Sarbanes-Oxley Act of 2002 (SOX) | U.S. Department of Labor

The PKI component that verified Ben as being legitimate to receive the certificate is the registration authority (RA). An RA is an entity that is responsible for identifying and authenticating certificate applicants, approving or rejecting certificate applications, and initiating certificate revocations or suspensions under certain circumstances. An RA acts as an intermediary between the certificate authority (CA) and the certificate applicant, and performs the necessary checks and validations before forwarding the request to the CA. The CA is the entity that signs and issues the certificates, and maintains the certificate directory and the certificate revocation list. A certificate directory is a repository of issued certificates that can be accessed by users or applications to verify the validity and status of a certificate.A validation authority (VA) is an entity that provides online certificate validation services, such as OCSP or SCVP, to verify the revocation status of a certificate in real time123.References:

• Public key infrastructure - Wikipedia, Wikipedia, March 16, 2021
• Components of a PKI - The National Cyber Security Centre, NCSC, 2020
• Network Defense Essentials Courseware, EC-Council, 2020, pp. 3-26 to 3-27

Data encryption is the technique that can be used to protect the data in a portable storage device. Data encryption is the process of transforming data into an unreadable format using a secret key or algorithm. Only authorized parties who have the correct key or algorithm can decrypt and access the data. Data encryption provides security and privacy for the data stored on a portable storage device, such as a USB flash drive or an external hard drive, by preventing unauthorized access, modification, or disclosure. If the device is lost or stolen, the data will remain protected and inaccessible to the unauthorized user. Data encryption can be implemented using software or hardware solutions, such as BitLocker, VeraCrypt, or encrypted USB drives.Data encryption is one of the best practices for securely storing data on portable devices123.References:

• 7 Ways to Secure Sensitive Data on a USB Flash Drive, UpGuard, August 17, 2022
• How to Protect Data on Portable Drives, PCWorld, January 10, 2011
• Securely Storing Data, Security.org, December 20, 2022

A hot backup is a type of backup mechanism that dynamically backs up the data even if the system or application resources are being used. A hot backup does not require the system or application to be shut down or paused during the backup process, and it allows the users to access the data while the backup is in progress. A hot backup ensures that the backup is always up to date and consistent with the current state of the data, and it minimizes the downtime and disruption of the system or application services. A hot backup is suitable for systems or applications that have high availability and performance requirements, such as databases, web servers, or email servers. A hot backup is the type of backup mechanism that Clark implemented in the above scenario, as he performed a backup that dynamically backs up the data even if the system or application resources are being used.References:

• Hot Backup- Week 5: Data Security
• Hot Backup vs. Cold Backup: What’s the Difference?
• Network Defense Essentials (NDE) | Coursera- Module 5: Data Security

A private cloud is a cloud deployment model that is exclusively used by a single organization and is hosted either on-premises or off-premises by a third-party provider. A private cloud offers the highest level of security and control over the data and resources, as the organization can customize the cloud infrastructure and services according to its needs and policies. A private cloud also ensures better performance and availability, as the organization does not share the cloud resources with other users. A private cloud is suitable for organizations that have sensitive or confidential data, strict compliance requirements, or high demand for scalability and flexibility. A private cloud can help Kelly secure the corporate data and retain full control over the data in the above scenario.References:

• Private Cloud- Week 6: Virtualization and Cloud Computing
• Private Cloud vs Public Cloud vs Hybrid Cloud
• Private Cloud Security: Challenges and Best Practices

Unauthorized access signatures were identified by Kalley through the installed monitoring system. Unauthorized access signatures are designed to detect attempts to gain unauthorized access to a system or network by exploiting vulnerabilities, misconfigurations, or weak credentials. Password cracking, sniffing, and brute-forcing are common techniques used by attackers to obtain or guess the passwords of legitimate users or administrators and gain access to their accounts or privileges. These techniques generate suspicious traffic patterns that can be detected by traffic monitoring systems, such as Snort, using signature-based detection. Signature-based detection is based on the premise that abnormal or malicious network traffic fits a distinct pattern, whereas normal or benign traffic does not. Therefore, by installing a traffic monitoring system and capturing and reporting suspicious traffic signatures, Kalley can identify and prevent unauthorized access attempts and protect the security of her organization’s network.References:

• Network Defense Essentials Courseware, EC-Council, 2020, pp. 3-33 to 3-34
• Detecting Suspicious Traffic via Signatures - Intrusion Detection with Snort, O’Reilly, 2003
• Threat Signature Categories - Palo Alto Networks, Palo Alto Networks, 2020

Anomaly-based IDS is a type of IDS that detects intrusions by comparing the observed network events with a baseline of normal behavior and identifying any deviation from it. Anomaly-based IDS can detect unknown or zero-day attacks that do not match any known signature, but they can also generate false positives due to legitimate changes in network behavior. Anomaly-based IDS can use various techniques to model the normal behavior, such as statistical analysis, machine learning, or artificial intelligence. Anomaly-based IDS is the type of IDS employed by Messy in the above scenario, as he deployed an IDS that depends on observing and comparing the observed events with the normal behavior and then detecting any deviation from it.References:

• Anomaly-Based Intrusion Detection System- Chapter 2: Anomaly-Based Intrusion Detection System
• Network Defense Essentials (NDE) | Coursera- Week 10: Intrusion Detection and Prevention Systems
• A systematic literature review for network intrusion detection system (IDS)- Section 3.2: Anomaly-based IDS

FTP traffic does not provide encryption in the data transfer process, and the data transfer between the sender and receiver is in plain text. FTP stands for File Transfer Protocol, and it is a standard network protocol for transferring files between a client and a server over a TCP/IP network. FTP uses two separate channels for communication: a control channel for sending commands and receiving responses, and a data channel for transferring files. However, FTP does not encrypt any of the data that is sent or received over these channels, which means that anyone who can intercept the network traffic can read or modify the contents of the files, as well as the usernames and passwords used for authentication. This poses a serious security risk for the confidentiality, integrity, and availability of the data and the systems involved in the file transfer. Therefore, FTP is not a secure way to transfer sensitive or confidential data over the network.References:

• Network Defense Essentials Courseware, EC-Council, 2020, pp. 3-31 to 3-32
• What is FTP, and Why Does It Matter in 2021?, Kinsta, January 4, 2021
• FTP Security, Wikipedia, February 9, 2021

The object of the container network model (CNM) that contains the configuration files of a container’s network stack, such as routing table, container’s interfaces, and DNSsettings, is the Sandbox. A Sandbox is a logical entity that encapsulates the network configuration and state of a container. A Sandbox can contain one or more endpoints from different networks, and provides isolation and security for the container’s network stack. A Sandbox can be implemented using various technologies, such as Linux network namespaces, FreeBSD jails, or Windows compartments.A Sandbox allows the container to have its own view and control of the network resources, such as interfaces, addresses, routes, and DNS settings123.References:

• The Container Networking Model | Training, Training, 2020
• A Comprehensive Guide To Docker Networking - KnowledgeHut, KnowledgeHut, September 27, 2023
• Design - GitHub: Let’s build from here, GitHub, 2020

A false positive alert is a type of IDS alert that occurs when the IDS mistakenly identifies benign or normal traffic as malicious or suspicious, and triggers an alarm, although there is no active attack in progress. A false positive alert can be caused by various factors, such as misconfigured IDS rules, outdated signatures, network anomalies, or legitimate traffic that resembles attack patterns. A false positive alert can waste the time and resources of the security team, as they have to investigate and verify the alert, and also reduce the trust and confidence in the IDS. A false positive alert can be reduced by tuning and updating the IDS, filtering out irrelevant traffic, and using multiple detection methods. A false positive alert is the type of IDS alert Jay has received in the above scenario, as he received an event triggered as an alarm, although there is no active attack in progress.References:

• False Positive Alert- Week 10: Intrusion Detection and Prevention Systems
• What is a False Positive in Cybersecurity?
• How to Reduce False Positives in Intrusion Detection Systems

Deterrent controls are a type of physical security controls that use warning messages and signs to notify legal consequences and discourage hackers from making intrusion attempts. Deterrent controls aim to reduce the likelihood of an attack by creating a perception of risk or fear in the potential attackers.Deterrent controls can include fences, locks, alarms, cameras, guards, or security policies12.References:Network Defense Essentials - EC-Council Learning,Understanding the Various Types of Physical Security Controls

ISO/IEC 27018 is the ISO standard that provides guidance to ensure that cloud service providers offer appropriate information security controls to protect the privacy of their customer’s clients by securing personally identifiable information entrusted to them. ISO/IEC 27018 is a code of practice for protecting personal information in cloud storage. The term for the personal data it covers is Personally Identifiable Information or PII. ISO/IEC 27018 is an addendum to ISO/IEC 27001, the first international code of practice for cloud privacy. It helps cloud service providers who process PII to assess riskand implement controls for protecting PII. ISO/IEC 27018 was created in 2014 and updated in 2019. It has the following objectives:

• Help the public cloud service provider to comply with applicable obligations when acting as a PII processor, whether such obligations fall on the PII processor directly or through contract.
• Enable the public cloud PII processor to be transparent in relevant matters so that cloud service customers can select well-governed cloud-based PII processing services.
• Assist the cloud service customer and the public cloud PII processor in entering into a contractual agreement.
• Provide cloud service customers with a mechanism for exercising audit and compliance rights and responsibilities in cases where individual cloud service customer audits of data hosted in a multiparty, virtualized server (cloud) environment can be impractical technically and can increase risks to those physical and logical network security controls in place123.

References:

• ISO/IEC 27018: Protecting PII in Public Clouds - ISMS.online, ISMS.online, 2019
• ISO/IEC 27018 - Wikipedia, Wikipedia, 2021
• ISO/IEC 27018:2019 - Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, ISO, 2019