The Certified Network Defender (CND) (312-38)

When a Trojan is suspected to have infected a computer, the first course of action should be to contain the damage to prevent the malware from spreading or causing further harm.  This involves disconnecting the infected device from the network to isolate it and prevent the Trojan from communicating with potential command and control servers or infecting other systems 1 2 3 .

While informing the Incident Response Team (IRT) and other members of the organization is also important, these actions come after the immediate threat has been contained.  Therefore, the correct answer is to contain the damage (A), which aligns with the Certified Network Defender (CND) objectives that prioritize immediate containment to minimize the impact of security incidents 4 5 6 7 8 .

References : The response is based on best practices for dealing with Trojans as outlined in network security and incident response guidelines, including those from the EC-Council’s Certified Network Defender (CND) program.  The CND framework emphasizes the importance of quick containment to protect network integrity and prevent further damage 4 5 6 7 8 .

Application whitelisting is a security approach that allows only pre-approved applications to execute within a system or network. This method operates on a ‘default deny’ principle, meaning if an application is not explicitly listed as approved, it will not be allowed to run. This is in contrast to application blacklisting, which operates on a ‘default allow’ principle where all applications are allowed to run unless they have been specifically identified as malicious or undesirable and added to a blacklist. Whitelisting is generally considered more secure because it prevents any unapproved applications from running, which can include new or unknown threats. However, it can be more challenging to maintain as it requires a comprehensive understanding of all the necessary applications for business operations.

References : The concept of application whitelisting and its differentiation from blacklisting is well-documented in cybersecurity literature and aligns with the guidelines provided by the EC-Council’s Certified Network Defender (CND) program. It is also supported by various cybersecurity frameworks and best practices, including those from authoritative sources such as the National Institute of Standards and Technology (NIST).

Circuit-level gateway firewall technology operates at the session layer of the OSI model. This type of firewall validates TCP or UDP sessions before allowing traffic through, without inspecting the contents of the data packets. It acts as a handshaking device between trusted clients or servers and untrusted hosts, ensuring that the session packets adhere to established rules for a connection.  The session layer, which is Layer 5 in the OSI model, is responsible for setting up, managing, and terminating the connections between applications 1 2 3 4 .

References : The information about the operation of circuit-level gateways at the session layer is supported by networking resources and documentation 1 2 3 4 .

The control of internet bandwidth consumption by employees falls under the Network Services Specific Security Policy. This category of policy is designed to manage and secure the services that are provided over the network, which includes internet access and usage. It encompasses the rules and procedures that govern how network services, such as bandwidth, are allocated and used within an organization. By implementing such policies, GMT enterprise aims to ensure that the network’s bandwidth is utilized effectively and in alignment with the company’s operational requirements and objectives.

References : The answer is derived from the understanding of network security policies as outlined in the Certified Network Defender (CND) course by EC-Council, which emphasizes the importance of specific policies for managing network services and resources.

 A circuit level gateway operates at the session layer of the OSI model, which is responsible for establishing, maintaining, and terminating connections between network nodes. It is designed to provide security by verifying the Transmission Control Protocol (TCP) handshaking between packets to ensure that the session is legitimate and by monitoring the state of the connection. Unlike application-level gateways, circuit level gateways do not inspect the packet’s contents but rather the header information to ensure that the traffic conforms to the established rules. This type of firewall is particularly effective at hiding the private network information because it only allows traffic from established sessions and does not expose the details of the network’s internal structure.

References : The information about the operation of circuit level gateways at the session layer and their ability to hide private network information is supported by the definitions and explanations provided in the sources from the web search results 1 2 3 . These sources align with the objectives and documents of the EC-Council’s Certified Network Defender (CND) program.

 The Encrypting File System (EFS) is a feature of the NTFS file system that provides encryption at the file system level. It is designed to work specifically with NTFS and does not support the FAT file system. When files encrypted with EFS are copied or backed up to a volume that uses the FAT file system, the encryption is lost because FAT does not support EFS encryption. This is why David found that the backup files were not encrypted after transferring them to a system that supports the FAT file system.

References : The explanation is based on the operational characteristics of EFS and its compatibility with different file systems as described in the Certified Network Defender (CND) course materials and further supported by information from reliable sources on EFS and file system encryption 1 2 3 4 .

S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol implements the Rivest-Shamir-Adleman (RSA) encryption algorithm for digital signatures in emails. Digital signatures are a key component of S/MIME, providing authentication, message integrity, and non-repudiation. RSA is a widely used public-key cryptosystem that facilitates secure data transmission and is known for its role in digital signatures. It works on the principle of asymmetric cryptography, where a pair of keys is used: a public key, which is shared openly, and a private key, which is kept secret by the owner. In the context of S/MIME, the sender’s email client uses the sender’s private key to create a digital signature, and the recipient’s email client uses the sender’s public key to verify the signature.

References : The information provided is based on the S/MIME protocol’s use of RSA encryption for digital signatures, as detailed in industry-standard documentation and resources like Microsoft Learn 1  and the S/MIME Wikipedia page 2 .

Business Impact Analysis (BIA) is the process that determines the potential impacts of business function disruptions and gathers information needed to develop recovery strategies. A critical part of BIA is examining Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs) for a disaster recovery strategy. RPOs define the maximum age of files that must be recovered from backup storage for normal operations to resume after a disaster, while RTOs specify the maximum amount of time that a resource can remain unavailable after a disaster.

References : The role of BIA in examining RPOs and RTOs is a fundamental concept in disaster recovery and business continuity planning, which is covered in the EC-Council’s Certified Network Defender (CND) curriculum.  The importance of BIA in disaster recovery is also supported by industry best practices and guidelines 1 2 .

 In the context of VPNs, when both the header and payload of traffic are encapsulated, it indicates the use of Tunnel Mode. This mode is typically employed in site-to-site VPNs where the entire IP packet is wrapped with a new IP header. Tunnel Mode is designed to secure traffic between different networks over the internet, making it suitable for connecting multiple sites of an organization. Unlike Transport Mode, which only encrypts the payload and leaves the original IP header intact, Tunnel Mode encrypts the entire IP packet and adds a new header, which allows for the secure passage of the traffic through untrusted networks.

References : The explanation provided aligns with standard VPN implementations and the principles outlined in network security documents and study guides related to Certified Network Defender (CND) objectives.