112-51 Network Defense Essentials (NDE) Exam Questions and Answers

WPA2 (Wi-Fi Protected Access 2) is an encryption technology that secures wireless networks using the IEEE 802.11i standard. WPA2 uses a four-way handshake to authenticate the client and the access point, and to generate a pairwise transient key (PTK) for encrypting the data. The PTK is derived from the password pairwise master key (PMK), which is a shared secret between the client and the access point. The PMK can be obtained either by using a pre-shared key (PSK) or by using an 802.1X authentication server. In the above scenario, George performed password cracking on WPA2, as he used sniffing tools to capture the PMK associated with the handshake authentication process. Then, using the PMK, he was able to derive the PTK and decrypt the data exchanged between the client and the access point.References:

• WPA2- Wikipedia
• How WPA2-PSK encryption works?- Cryptography Stack Exchange
• WPA2 Encryption and Configuration Guide- Cisco Meraki Documentation

Deterrent controls are a type of physical security controls that use warning messages and signs to notify legal consequences and discourage hackers from making intrusion attempts. Deterrent controls aim to reduce the likelihood of an attack by creating a perception of risk or fear in the potential attackers.Deterrent controls can include fences, locks, alarms, cameras, guards, or security policies12.References:Network Defense Essentials - EC-Council Learning,Understanding the Various Types of Physical Security Controls

A VPN protocol is a component of VPN that is used to manage tunnels and encapsulate private data. A VPN protocol defines the rules and standards for establishing and maintaining a secure connection between the VPN client and the VPN server. A VPN protocol also specifies how the data is encrypted, authenticated, and transmitted over the tunnel.Some common VPN protocols are IPSec, SSL/TLS, PPTP, L2TP, and OpenVPN12.References:Network Defense Essentials - EC-Council Learning,VPN Protocols Explained & Compared: OpenVPN, IPSec, PPTP, IKEv2

The type of attack initiated by Jacob in the above scenario is a cross-container attack. A cross-container attack is a type of attack that targets container technology and exploits the shared resources and network connections between containers. A cross-container attack can compromise the security and availability of multiple containers and the underlying host by performing actions such as stealing data, executing commands, consuming resources, or spreading malware. A cross-container attack can be launched by an external attacker who gains access to a container through a network vulnerability, or by a malicious insider who runs a rogue container on the same host or cluster.A cross-container attack can be prevented or mitigated by implementing security best practices for container technology, such as isolating containers, limiting privileges, enforcing policies, scanning images, and monitoring network traffic123.References:

• Network Defense Essentials Courseware, EC-Council, 2020, pp. 3-37 to 3-38
• 6 Common Kubernetes and Container Attack Techniques and How to Prevent Them - Palo Alto Networks, Palo Alto Networks, March 2, 2022
• The evolution of a matrix: How ATT&CK for Containers was built - Microsoft, Microsoft, July 21, 2021

Dtex Systems is the UBA tool that collects user activity details from multiple sources and uses artificial intelligence and machine learning algorithms to perform user behavior analysis to prevent and detect various threats before the fraud is perpetrated. Dtex Systems is a user and entity behavior analytics (UEBA) platform that provides visibility, detection, and response capabilities for insider threats, compromised accounts, data loss, and fraud. Dtex Systems collects user activity data from endpoints, servers, cloud applications, and network traffic, and applies advanced analytics and machine learning to establish baselines of normal user behavior, identify anomalies, and assign risk scores. Dtex Systems also provides contextual information, such as user intent, motivation, and sentiment, to help security teams understand and respond to the threats.Dtex Systems can integrate with other security tools, such as SIEM, DLP, or IAM, to enhance the security posture of the organization123.References:

• Network Defense Essentials Courseware, EC-Council, 2020, pp. 3-35 to 3-36
• Dtex Systems - Wikipedia, Wikipedia, March 16, 2021
• Dtex Systems - User and Entity Behavior Analytics (UEBA), Dtex Systems, 2020

Two-factor authentication (2FA) is a type of authentication that requires users to provide two or more forms of verification to access an online account. 2FA is a multi-layered security measure designed to prevent hackers from accessing user accounts using stolen or shared credentials. 2FA typically combines something the user knows (such as a password or PIN), something the user has (such as a phone or a token), and/or something the user is (such as a fingerprint or a face scan). In the above scenario, the banking application employs 2FA by asking Kevin to enter his registered credentials (something he knows) and an OTP sent to his mobile (something he has) before transferring the amount to Flora’s account.References:

• Improve Your Cybersecurity with Password MFA - Defense.com™
• What Is Two-Factor Authentication (2FA)? | Microsoft Security
• Selecting Secure Multi-factor Authentication Solutions

WPA3 is the latest standard of Wi-Fi Protected Access, which was released in 2018 by the Wi-Fi Alliance. WPA3 uses a new handshake protocol called Simultaneous Authentication of Equals (SAE), which is based on a zero-knowledge proof known as dragonfly. Dragonfly is a key exchange algorithm that uses discrete logarithm cryptography to derive a shared secret between two parties, without revealing any information about their passwords or keys. Dragonfly is resistant to offline dictionary attacks, where an attacker tries to guess the password by capturing the handshake and testing different combinations. Dragonfly is also resistant to key recovery attacks, where an attacker tries to recover the encryption key by exploiting weaknesses in the algorithm or implementation. Dragonfly provides forward secrecy, which means that even if an attacker manages to compromise the password or key in the future, they cannot decrypt the past communication. WPA3 also supports other features such as increased key sizes, opportunistic wireless encryption, and protected management frames, which enhance the security and privacy of wireless networks.References:

• WPA3 Dragonfly Handshake
• WPA3 Encryption and Configuration Guide
• Dragon Fly - Zero Knowledge Proof
• What is SAE (Simultaneous Authentication of Equals)?
• Dragonfly - people.scs.carleton.ca

System-based risk is a type of mobile device security risk that arises from the vulnerabilities or flaws in the operating system or firmware of the device. System-based risk can expose the device to malware, spyware, ransomware, or other malicious attacks that can compromise the data, functionality, or privacy of the device. System-based risk can be mitigated by applying regular security updates and patches from the manufacturer or vendor, as well as using antivirus or anti-malware software. In the above scenario, Stella’s device faced a system-based risk, as it ran with an obsolete OS version that had vulnerabilities that allowed the files to be replaced. She ignored the messages from the manufacturer for updates, which could have prevented the risk.References:

• Mobile Device Security Risks- Week 8: Mobile Device Security
• Is It Safe to Use an Old or Used Phone? Here’s What You Should Know
• Obsolete products - The National Cyber Security Centre

The cloud layer of IoT architecture is the layer that hosts the servers that accept, store, and process the sensor data received from IoT gateways. The cloud layer also creates dashboards for monitoring, analyzing, and implementing proactive decisions to tackle the issue. The cloud layer provides scalability, reliability, and security for the IoT system.The cloud layer can use various cloud computing models, such as public, private, hybrid, or community clouds12.References:Network Defense Essentials - EC-Council Learning,IoT Architecture: The 4 Layers of an IoT System

A hot backup is a type of backup mechanism that dynamically backs up the data even if the system or application resources are being used. A hot backup does not require the system or application to be shut down or paused during the backup process, and it allows the users to access the data while the backup is in progress. A hot backup ensures that the backup is always up to date and consistent with the current state of the data, and it minimizes the downtime and disruption of the system or application services. A hot backup is suitable for systems or applications that have high availability and performance requirements, such as databases, web servers, or email servers. A hot backup is the type of backup mechanism that Clark implemented in the above scenario, as he performed a backup that dynamically backs up the data even if the system or application resources are being used.References:

• Hot Backup- Week 5: Data Security
• Hot Backup vs. Cold Backup: What’s the Difference?
• Network Defense Essentials (NDE) | Coursera- Module 5: Data Security

A gateway is a component of IoT architecture that collects data from IoT devices and performs data pre-processing. A gateway acts as a bridge between the IoT devices and the cloud platform, and it can filter, aggregate, compress, encrypt, or transform the data before sending it to the cloud for storage and analysis. A gateway can also perform edge computing, which means processing the data locally and providing real-time feedback or actions. A gateway can support various communication protocols, such as WiFi, Bluetooth, Zigbee, or cellular, and it can enhance the security and reliability of the IoT system.A gateway is the component that matches the description given in the question123

Unauthorized access signatures were identified by Kalley through the installed monitoring system. Unauthorized access signatures are designed to detect attempts to gain unauthorized access to a system or network by exploiting vulnerabilities, misconfigurations, or weak credentials. Password cracking, sniffing, and brute-forcing are common techniques used by attackers to obtain or guess the passwords of legitimate users or administrators and gain access to their accounts or privileges. These techniques generate suspicious traffic patterns that can be detected by traffic monitoring systems, such as Snort, using signature-based detection. Signature-based detection is based on the premise that abnormal or malicious network traffic fits a distinct pattern, whereas normal or benign traffic does not. Therefore, by installing a traffic monitoring system and capturing and reporting suspicious traffic signatures, Kalley can identify and prevent unauthorized access attempts and protect the security of her organization’s network.References:

• Network Defense Essentials Courseware, EC-Council, 2020, pp. 3-33 to 3-34
• Detecting Suspicious Traffic via Signatures - Intrusion Detection with Snort, O’Reilly, 2003
• Threat Signature Categories - Palo Alto Networks, Palo Alto Networks, 2020

Finch has implemented the COBO (Corporate-Owned, Business-Only) mobile usage policy in the above scenario. COBO is a policy where the organization provides mobile devices to the employees and restricts them to use the devices only for work-related purposes. The organization has full control over the devices and can enforce security measures, such as encryption, password protection, remote wipe, and application whitelisting or blacklisting. The employees are not allowed to use the devices for personal use, such as browsing the internet, making personal calls, or installing personal apps. COBO is a policy that aims to maximize security and minimize distractions and risks for the organization and the employees.References:

• Mobile usage policy in office - sample, cell phone policy in companies and organization, HR Help Board, 2020
• Employee Cell Phone Policy Template, Workable, 2020
• How Employers Enforce Cell Phone Policies in the Workplace, Indeed, 2022

A firewall is a software or a hardware device on a network or host that filters the incoming and outgoing traffic to prevent unauthorized access to private networks. A firewall can use various criteria, such as IP addresses, ports, protocols, or application rules, to allow or deny the traffic. A firewall can also perform other functions, such as logging, auditing, encryption, or proxy services.A firewall can be deployed at different levels of a network, such as network perimeter, network segment, or host level12.References:Network Defense Essentials - EC-Council Learning,Firewall (computing) - Wikipedia

The loT communication model that serves as an analyzer for a company to track monthly or yearly energy consumption is the device-to-cloud model. The device-to-cloud model is a loT communication model where the loT devices, such as smart meters, sensors, or thermostats, send data directly to the cloud platform, such as AWS, Azure, or Google Cloud, over the internet. The cloud platform then processes, analyzes, and stores the data, and provides feedback, control, or visualization to the users or applications. The device-to-cloud model enables the company to monitor and optimize the energy consumption of the loT devices in real time, and to leverage the cloud services, such as machine learning, big data analytics, or artificial intelligence, to perform advanced energy management and demand response.The device-to-cloud model also reduces the complexity and cost of the loT infrastructure, as it does not require intermediate gateways or servers to connect the loT devices to the cloud123.References:

• Network Defense Essentials Courseware, EC-Council, 2020, pp. 3-38 to 3-39
• loT Communication Models: Device-to-Device, Device-to-Cloud, Device-to-Gateway, and Back-End Data-Sharing, DZone, July 9, 2018
• loT Communication Models: Device-to-Device, Device-to-Cloud, Device-to-Gateway, and Back-End Data-Sharing, Medium, March 26, 2019

A device-to-cloud model is a type of IoT communication model that connects the IoT devices directly to the cloud platform, where the data is stored, processed, and analyzed. The device-to-cloud model enables remote access, real-time monitoring, and scalability of IoT applications. The device-to-cloud model requires the IoT devices to have internet connectivity and cloud compatibility. In the above scenario, John used a device-to-cloud model to monitor his grandfather’s health condition, as he placed a smart wearable ECGon his grandfather’s wrist that sent the data to the cloud platform, where John could access it from his mobile phone and receive alerts periodically.References:

• Communication Models in IoT (Internet of Things)- Section: Device-to-Cloud Model
• IoT Communication Models - IoTbyHVM- Section: Device to Cloud Communication Model
• Logical Design of IoT | Communication Models | APIs | Functional Blocks- Section: Device-to-Cloud Communication Model