EC-Council - ECIH

¡Supera tus tareas y exámenes ahora con Quizwiz!

How will you define qualitative risk analysis? (Attack Success + Criticality) - (Countermeasures) (Countermeasures) + (Criticality - Attack Success) (Attack Success + Countermeasures) - (Criticality) (Attack Success) + (Criticality - Countermeasures)

(Attack Success + Criticality) - (Countermeasures)

Which of the following is a set of specific strategies, guidelines, and processes that aids recovery from an incident? Contingency plan Incident recovery testing Business impact analysis Temporary plan analysis

Contingency plan

Sarah is a hacker who is using a method called __________ on victim systems to analyze users' surfing habits and sell that information to other attackers or to launch various attacks on the victims' web applications. Cookie/ Session Poisoning Cross-Site Forgery Web Services Attacks Cookie Snooping

Cookie Snooping (C7,P774)

_________ can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. Threats Ticket Tools Cookies Brownies

Cookies (C7,P783)

System time refers to the exact date and time of the day when the incident happened, as per the ________. This will assist in developing an accurate timeline of events that have occurred on the system. Ordinary Civil Time (OCT) Coordinated Universal Time (UTC) Local Sidereal Time (LST) Julian Date

Coordinated Universal Time (UTC)

Lucas is an incident responder who wants to monitor the integrity of critical files. What steps could he take? Create a database of cryptographic checksums of critical files. Use checksum calculators such as HashCalc or automated integrity monitoring tools such as Tripwire. Use an isolated test network to host your test bed. Create a database of cryptographic checksums of critical files and use checksum calculators such as HashCalc or automated integrity monitoring tools such as Tripwire.

Create a database of cryptographic checksums of critical files and use checksum calculators such as HashCalc or automated integrity monitoring tools such as Tripwire.

Which is NOT an objective of computer forensics? Identify, gather, and preserve the evidence of a cyber crime Find vulnerabilities and security loopholes Create weak authentication and authorization controls Recover deleted and hidden files

Create weak authentication and authorization controls (C3,P284)

In live system analysis, which of the following tools is used to monitor the scheduled tasks? Runscope CronitorCLI Sonar AlertSite

CronitorCLI

Which method is an attack in which an authenticated user is made to perform certain tasks on the web application that an attacker chooses? For example, a user clicking on a link sent through an email or chat Cookie/ Session Poisoning Cross-Site Forgery Web Services Attacks Cookie Snooping

Cross-Site Forgery (C7,P774)

________ attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users. Denial-of-Service (DoS) Cross-site scripting ('XSS' or 'CSS') SQL injection Man-in-the-Middle (MitM)

Cross-site scripting ('XSS' or 'CSS')

Insecure or obsolete encryption makes cloud services susceptible to what type of attack? SQL Injection Cryptanalysis Wrapping DoS

Cryptanalysis (C8,P934)

_______ refers to a contract between the organization and an insurer to protect related individuals from different threats and risks Cyber Insurance IPsec Secure Shell Security Policy

Cyber Insurance (C2,P212)

There are four types of Domain Name System (DNS) attacks. Which type Involves conducting phishing scams by registering a domain name that is similar to that of a cloud service provider? Domain Snipping Domain Hijacking DNS Poisoning Cybersquatting

Cybersquatting (C8,P933)

Email crimes can be categorized in two ways either by sending emails or supported by emails. Which of the following is a crime supported by Emails? Spamming Storming Cyberstalking Malware Distribution

Cyberstalking (C4,P523)

Digital evidence is circumstantial that makes it very easy for the forensics investigator to differentiate the system's activity. False True

False

Even when the root level access is achieved by the attacker, it is an easy task to determine the action performed by the attackers. False True

False

Inappropriate usage incidents directed at outside parties may cause more loss to organizations in the form of money but they do not cause damage to reputation and legal liabilities. True False

False

Inappropriate usage incidents, aimed at external agencies/organizations, like an internal user changing the content of another organization's public website, are the liability of the user but not liability concerns for the organization he/she is working for. True False

False

The incident response team should handle the incident whenever an incident is identified by only a trusted person in the organization. True False

False

There is no need to write a detailed report after an incident, as long as the information is recorded in the ticketing system of the company. True False

False

Trojans are executable programs that install horse racing games when a file is opened and activated. True False

False

Federal law requires federal agencies to report incidents to the which Incident Response Center? National Energy Regulatory Consortium Federal Computer Incident Repsonse Center Federal Cybersecurity Incident Response Center National Cybersecurity Center for Incident Response

Federal Computer Incident Repsonse Center (C1,P142)

This type of identity theft occurs when a victim's bank account and credit card information are stolen and used illegally by a thief. Criminal Tax Financial Identity Cloning

Financial (C5,P538)

What refers to the first action performed after occurrence of a security incident? First Reaction First Response Documenting Testifying

First Response (C3,P291)

What is the process of imaging or collecting information from various media in accordance with certain standards for analyzing its forensic value? Forensic Data Acquisition First Response Snapshot Response Forensic Evidence Collection

Forensic Data Acquisition (C3,P358)

________ is a process of analyzing and reviewing the data gathered from computer systems such as log files, system files, web history files, emails, and installed applications. Asset identification BOTH incident investigation AND forensic analysis Forensic analysis Evidence protection Incident investigation

Forensic analysis

Which of the following is the practice of identifying the infected systems by looking for evidence of recent infections? Forensic identification Active identification UManual identification Passive identification

Forensic identification

Viruses, worms, trojan horses, logic bombs, trap doors, nano machines and microbes, electronic jamming, and penetration exploits and tools are all weapons for ________? InfoAttacks InfoWars InfoBattles InfoDefense

InfoWars

Which one of the following is the intangible cost for an incident? Lost productivity hours Investigation and recovery efforts Loss of business Loss of reputation

Loss of reputation

Loss of personal password, failure to download antivirus signatures, and unsuccessful scans and probes in the networks are considered incidents at a _______ Low Level Middle Level High Level None of the above

Low Level (C2,P229)

Marie wants to find a natural way to represent her information that she has gathered during a network test, but she also wants to be able to extract that data and present it in a table/list. Which website tool would be the most beneficial for her to use? MagicTree Tomboy KeepNote Microsoft Onenote

MagicTree

What is the most common type of attacks against computer systems? SQL injection Zero-day Malware Phishing

Malware (C4,P426)

There are a ton of indications of malware incidents. Which of the following techniques are important for users, tech support, administrators, and incident responders to help be able to identify? Memory Dump/Static Analysis Descriptive Analysis Quantitative Analysis Predictive Analysis

Memory Dump/Static Analysis (C4,P451)

Responders can figure out who is leaking information to the public or to another entity by giving a person a piece of data and waiting to see if the information makes it way to the public domain. What is the name of this technique? Profiling Mole Detection Insider Detection None of the above

Mole Detection (C9,P1002)

There are several indicators of insider threats. The most common indicator of an insider threat is lack of awareness of employees against security measures. Examples of this may include which of the following? No Changes in Network Usage Patterns No Temporal Changes in Revenue Multiple Failed Login Attempts All the above

Multiple Failed Logon Attempts (C9,P999)

Based on incident prioritization, which one of the following incidents should have first priority (Priority 1)? ELearning is down but during spring break; AP Pay cycle will not run during the beginning of a pay period. MyUFL is down; hacking/compromise of critical UF system leading to service unavailability/disclosure of restricted data. Videoconferencing via Polycom is unavailable for a specific conference. Multifunction printer / fax / scanner servicing a department stops functioning. GatorLink account compromised and being used to send spam.

MyUFL is down; hacking/compromise of critical UF system leading to service unavailability/disclosure of restricted data.

Kailey wants to see real-time log monitoring, system behavior, and unusual activity on her work computer. What website could she use to accomplish this? Service+ Nagios XI Loggly SMART Utility

Nagios XI

The incident responder should collect information regarding network connections to and from the affected system, immediately after the report of any incident. What is a tool that can help gather this information? Netstat Net-gain Ndtstat NetIDS

Netstat (C3,P385)

What does Netstat do? Netstat analyzes the logs and alerts of intrusion detection systems, SIEMs, and firewalls for the detection of malware. Netstat corrupts the system and open system input/output ports to establish connections with remote systems, networks, or servers. Netstat is a monitoring tool for Windows that shows real-time file system, registry, and process/thread activity. Netstat displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics, and IPv6 statistics.

Netstat displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics, and IPv6 statistics.

Analyzing log files help incident handlers to detect the perpetrator. Analyzing _______ logs will help incident handler in understanding established connections, uploads, downloads, and requested URLs. Network Server Database SIEM

Network (C9,P1005)

Which group is responsible for examining the computer network traffic for signs of incidents or attacks such as DoS, DDoS, firewall breach, or other malicious code? Threat Researchers System Administrators Network Administrators Forensic Investigators

Network Administrators (C2,P187)

Michael is a forensic expert in an organization based in New York City. As a part of his analysis, he sniffed the data packets that are trying to communicate with the server of the organization while recording and analyzing the event logs. Which type of forensic analysis did Michael perform? Network Forensics Data Forensics Internet Forensics Source-code forensics

Network Forensics

DNS and ARP Poisoning is what type of Information Security Threat Category? Host Threats System Threats Network Threats Application Threats

Network Threats (C1,P22)

In a DoS attack, attackers flood the victim system with ___________ or traffic to overload its resources. Legitimate Service Requests Non-legitimate Service Requests System Resources Websites

Non-legitimate Service Requests (C6,P674)

Attackers use __________ (e.g., Wireshark, Cain and Abel) to capture sensitive data such as passwords, session cookies, and other web service-related security configurations Cloud Computing Websites Phishing Websites CSP's Packet Sniffers

Packet Sniffers (C8,P932)

What can be the result of Sender Policy Framework (SPF) protocol when the SPF record cannot be verified due to syntax or format errors in the record? TempError Neutral Pass PermError

PermError

Which of the following is the appropriate process flow in the computer forensics process? Preparation -> Collection -> Examination -> Analysis -> Reporting Examination -> Analysis -> Preparation -> Collection -> Reporting Analysis -> Preparation -> Collection -> Reporting -> Examination Preparation -> Analysis -> Collection -> Examination -> Reporting

Preparation -> Collection -> Examination -> Analysis -> Reporting

A successful backup strategy must have two of the following features: Limited Security & Data Limited Space & Data Security & Real-Time Offsite Backup Real-Time Offsite Backup & No Notifications

Security & Real-Time Offsite Backup (C2,P210)

There are four main common types of reconnaissance attacks that are attempted by the attackers in order to exploit the networks. Which type tricks people into revealing sensitive information? Ping Sweeping Port Scanning DNS Footprinting Social Engineering

Social Engineering (C6,P629)

What crime refers to the unsolicited or undesired emails used to distribute malicious links and attachments, cause network congestion, perform phishing and financial frauds, and so on? Storming Bombing Phishing Spamming

Spamming (C5,P524)

Which following malware pretends to be a program that offers useful applications, but acquires the information of your computer and sends it to a remote attacker? Spyware Worm Virus Rootkit

Spyware

Security policies are the foundation of the security infrastructure that defines the basic security requirements and rules to be implemented in order to protect and secure an organization's information systems. Which of the following is NOT something security policies can accomplish? They protect confidential and proprietary information from theft, misuse, unauthorized disclosure, or modification. They reduce or eliminate legal liability of employees and third parties. They can still be effective when added as an afterthought. They prevent wastage of the company's computing resources.

They can still be effective when added as an afterthought.

A person or entity that is responsible for the incidents or has the potential to impact the security of an organization's network is what type of actor? Host Threat Access Actor Threat Actor Infiltration Actor

Threat Actor (C1,P24)

Script Kiddies, Organized Hackers and State Sponsored Attackers are all part of what? Threat Actors System Threats Access Actors Both A & B

Threat Actors (C1,P25)

ManageEngine ServiceDesk Plus and AlienVault OSSIM are both websites used as Intrusion Detection Systems Email Attacks Content Filtering Cites Ticketing Tools

Ticketing Tools (C2,P222)

Temporary shutdown and restoration of the infected system are two of the common techniques in the containment stage of the incident response and handling step. False True

True

Unauthorized access is a condition where a person gains access to system and network resources which they are not authorized to have. True False

True

Well-trained members of the organization can prevent an incident or limit the resulting damage. True False

True

Which one of the following is NOT a guideline for detecting and preventing insider threats with respect to human resources? Conduct background checks on all users and employees who are in sensitive positions. Conduct background checks on all users and employees who are in sensitive positions AND trust every employee of the organization as they are hardworking people ARE NOT THE GUIDELINES. Call the FBI immediately when an employee attacks or damages a system. Trust every employee of the organization as they are hardworking people AND call the FBI immediately when an employee attacks or damages a system ARE NOT THE GUIDELINES. Trust every employee of the organization as they are hardworking people.

Trust every employee of the organization as they are hardworking people AND call the FBI immediately when an employee attacks or damages a system ARE NOT THE GUIDELINES.

Exabeam Advanced Analytics, LogRhythm, Dtex Systems, and ZoneFox are all ________ tools. active monitoring DLP SIEM UBA/UEBA

UBA/UEBA

Which of the following incidents refers to a person gaining access to a system and network resources that he or she was not authorized to access? Handling Inappropriate Usage Incidents Unauthorized Access Incident Handling Multiple Component Incidents Authorized Access Incident

Unauthorized Access Incident

Reconnaissance attacks, sniffing and spoofing attacks, firewall attacks, and brute forcing attacks are all types of _______. Unauthorized Access Incidents Inappropriate Usage Incidents Denial-of-Service Incidents Wireless Network Incidents

Unauthorized Access Incidents (C6,P623)

If the victim computer has an internet connection, the first responder must? Keep all of the cords and devices connected to the computer plugged in Use the computer for evidence search Unplug the network cable from the router and modem If the computer is turned OFF turn it ON to search the device

Unplug the network cable from the router and modem (C3,P342)

Which of the following is an indication of unauthorized use of a standard user account? Use of a secret account Alert of network and host IDS Misplaced hardware parts Increase in the usage of resource

Use of a secret account

What is NOT a guideline to prevent spam? Avoid giving email ID to unnecessary or unsecured websites Use unsubscribed links in email messages Do not use or subscribe to sites that access email contact list Use long email ID with numbers and underscore to prevent spammers

Use unsubscribed links in email messages (C5,P579)

Greg is trying to find a free service that analyzes suspicious files and URLs, and facilitates the detection of viruses, worms, and trojans. What could he use for this? AFICK Md5deep VirusTotal Tools4noobs

VirusTotal

Which of the following is defined as the existence of a weakness in the design or implementation error that can lead to an unexpected, undesirable event compromising the security of the system? Vulnerability Patch Attack Incident

Vulnerabiltiy

If a hacker is identifying the kinds of websites a target company is frequently surfing and injecting malicious code that redirects the page to downloading malware, what kind of attack are they pursuing? Email Attacks DoS Attacks Watering Hole Attacks Session Fixation Attacks

Watering Hole Attacks (C7,P780)

What is the name of the primary tool placed on the edge of a network and assists in filtering or blocking malicious content from entering or leaving web applications? Web Application Firewall (WAF) Forensic Explorer OSSIM Buck-Security

Web Application Firewall (WAF) (C7,P796)

There are several types of phishing that can occur. Which type targets high profile executives like CEO, CFO, politicians, and celebrities? Whaling Spear Phishing Puddle Phishing Pharming

Whaling (C5,P530)

Dhru is an incident handler who needs to perform a network traffic analysis. Which website will help him in detecting established malicious connections, the type and number of devices accessed, and exfiltrated data? Microsoft Baseline Security Analyzer (MBSA) Wireshark MagicTree KeepNote

Wireshark (C9,P1010)

Which of the following malware takes advantage of a file or information transport features on the system to propagate across systems and networks without any human interactions? Worms Virus Trojan Spyware

Worms

From the following, identify the character that specifies the hex equivalent of O character in a regular expression. \%3C \%4F \%42 \%62

\%4F

Amber, a networking student, is trying to write a regex for the detection of logs that contain traces of a directory traversal attack involving characters '../'. Which of the following characters should she use to specify the hex equivalent for backward slash? \%2F \%5C \%3E \%2E

\%5C

Among the following causes of an insider attack, identify the one where a competitor may approach and lure employees to corrupt the organization's data in return for huge amounts of money. work-related grievance hacktivism financial gain corporate espionage

corporate espionage

Which of the following malware detection techniques is employed in intrusion analysis to identify the transfer of any unwanted traffic to malicious or unknown external entities? kernel filter drivers covert C&C communication SSDT patching covert malware beaconing

covert C&C communication

What type of insider attack creates and spreads misleading information to spur dissonance within the employees of the organization? intimidating the existing employees wiretapping theft of devices creation of false dossiers

creation of false dossiers

John is an incident response manager at XYZ Inc. As a part of IH&R policy of his organization, he signed a contract between the organization and a third-party insurer to protect organization individuals from different threats and risks.What is the contract signed by John called? disclosure agreement cyber insurance escrow agreement ROE agreement

cyber insurance

Which of the following is NOT a step in the recovery stage? rebuilding the system by installing new OS examining security patches and system logging information restoring user's data from trusted backups extracting static evidence stored as media and other resources

extracting static evidence stored as media and other resources

A/An ________ policy defines a standard to handle application traffic, such as web or email. network-connection firewall-management access-control remote-access

firewall-management

Techniques used to evade ________ include packet fragmentation, IP address decoy, ICMP tunneling, and banner grabbing. firewalls IDS sniffing network

firewalls

What is one way you can check to see if an attacker has tampered with the email header after the incident? examine the files examine the logs examine the notes examine the email

examine the logs

An incident handler working in XYZ organization was assigned a task of detecting insider threats using behavioral analysis. Which of the following steps should be preformed first in the behavioral analysis? discover outliers in each group build profiles of each group compare behaviors across multiple users extract behavioral patterns

extract behavioral patterns

Maximizing an environment's ability to collect credible digital evidence and minimizing the cost of forensics during an incident response are the main objectives of: forensic analysis forensic readiness forensics investigation All of these choices are correct.

forensic readiness

Which of the following terms refers to an organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs? expert testimony forensic readiness data acquisition first response

forensic readiness

Which term refers to an organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs? forensic readiness planning forensic analysis forensic policy forensic readiness

forensic readiness

Computer forensics plays an important role in tracking cyber criminals. Which of the following is NOT a role of computer forensics? guide users to follow security policy of the organization save organizations from legal liabilities and lawsuits help determine the exact cause of an incident help generate a timeline for the incident help tracking the perpetrators of the crime or incident

guide users to follow security policy of the organization

What does \%27 indicate in the following regular expression?/((\%27)|(\'))union/ix hex equivalent of single-quote character hex equivalent of hash character hex equivalent of r character hex equivalent of O character

hex equivalent of single-quote character

A particular mobile phone might be offered for $1000 on an e-commerce website, but the hacker, by altering some of the hidden text in its price field, purchases it for only $10. What type of attack would this be? hidden field manipulation cookie poisoning XML poisoning footprinting attack

hidden field manipulation

Which of the following forensic readiness procedures helps an incident responder in gathering useful information about the system behavior through file integrity monitoring? evidence assessment host monitoring risk assessment network monitoring

host monitoring

In the cloud deployment models, which of the following is the composition of two or more clouds that remain as unique entities but are bound together, offering the benefits of multiple deployment models? community cloud public cloud hybrid cloud private cloud

hybrid cloud

When discussing cloud brokers and services, what is the primary use of service intermediation? to verify adherence to standards through review of objective evidence improves a given function by a specific capability and provides value-added services to cloud customers to act as an intermediary that provides connectivity and transport services between CSPs and cloud consumers combines and integrates multiple services into one or more new services

improves a given function by a specific capability and provides value-added services to cloud customers

In which of the following stages of incident handling does the classification and prioritization of incidents take place? post-incident activities incident recording and assignment incident triage incident containment

incident triage

Identify the email crime in which a flurry of junk mail is sent by accident without human intervention. identity theft mail storming mail bombing malware distribution

mail storming

Heidi is a hacker who is trying to avoid detection by using Unicode, UTF-8, Base64, & URL encoding. What type of web application threat is she using? cookie snooping directory traversal DMZ protocol attacks obfuscation application

obfuscation application

Which of the following malware components is a program that conceals its code and intended purpose via various techniques, making it hard for security mechanisms to detect or remove it? packer injector exploit obfuscator

obfuscator

Jason is an incident handler at The Rolls Inc. One day his organization encounters a massive cyberattack, and he identifies a virus called "XYZ@ZYX" spreading among the computers in the network. He has started investigating the issue; however, as an incident handler, within how much time from detection of such malicious code attacks should he report to the authorities? one hour one week three hours one fortnight

one hour

Which of the following is the most important aspect that allows you to respond to an incident before it occurs? incident management preparation incident containment and response strategy incident response plan

preparation

Which type of cloud has an infrastructure that operates solely for a single organization? hybrid community private public

private

Digital evidence is defined as "any information of ________ value that is either stored or transmitted in a digital form." monetary psychological probative marketing

probative

When dealing with IH&R it is important to determine the funding requirements based on empirical assumptions of various components. Which of the following is NOT considered an IH&R component that incurs cost? team staffing toolkits space procedures

procedures

Identify the security policy that doesn't keep any restrictions on the usage of system resources. promiscuous policy permissive policy paranoid policy prudent policy

promiscuous policy

Identify the type of DoS/DDoS incident in which the magnitude of attack is measured in packets per second (pps). protocol attack volumetric attack application layer attack transport layer attack

protocol attack

What kind of policy contains a set of rules that defines authorized connections? special-access password remote-access user-account

remote-access

Identify the metric that is used to measure the magnitude of application layer attacks. packets per second (pps) requests per second (rps) bits per second (bps) cycles per second (cps)

requests per second (rps)

What type of cloud computing threat affects the working of automated tasks? For example, if the cloud computing devices do not have synchronized or matched times, then due to the inaccuracy of the time stamps the network administrator would be unable to analyze the log files for any malicious activity accurately. unsynchronized system clocks insufficient due diligence unknown risk profile shared technology issues

unsynchronized system clocks

Injection flaws are web application vulnerabilities that allow what type of data to be interpreted and executed as part of a command or query? untrusted trusted used new

untrusted

Bethany is an attacker who sends emails containing a rewrite link to trick victims into disclosing passwords and other sensitive information. What is the name of this method? unvalidated redirect unvalidated forward validated redirect validated forward

unvalidated redirect

VirtualBox, VMware vSphere Hypervisor, and Microsoft Virtual Server are all examples of? network simulation software virtualization software debugging tools PE analysis tools

virtualization software

John is creating a statement that reflects his organization's mid-term and long-term goals for incident management capabilities. What type of statement is he creating? imperative statement declarative statement mission statement vision statement

vision statement

Identify the type of DoS/DDoS incident in which the magnitude of attack is measured in bits per second (bps). protocol attack application layer attack volumetric attack transport layer attack

volumetric attack

Which of the following phishing attacks targets high-profile executives, like CEOs, CFOs, politicians, and celebrities, who have complete access to confidential and highly valuable information? spear phishing spimming whaling pharming

whaling

A/An ________, which is really a tool for risk management, is a method of identifying vulnerabilities and threats, as well as assessing the possible impacts to determine where to implement security controls. threat mitigation threat analysis impact analysis None of these choices are correct. risk assessment

risk assessment

Which of the following activities is performed by an incident handler during the pre-investigation phase of computer forensics? search and seizure data acquisition risk assessment evidence assessment

risk assessment

Which phase of the risk management process includes a strategical approach to prepare for handling risks and to reduce its impact on organizations? This phase addresses and treats the risk according to its severity level. risk management plan evaluation risk determination risk assessment risk mitigation

risk mitigation

What is the name of the process that converts object data such as "name, age, city, & EmpID" into a linear format such as "Rinni26Nevada" insecure deserialization deserialization serialization insecure serialization

serialization

Analyzing ________ logs will help the incident handler to determine the applications the suspicious user has accessed and file changes made if any. database All of these choices are correct. server network

server

Will is an attacker who is trying to craft an input string to gain shell access to a web server. What type of command injection attack is Will pursuing? None of these choices are correct. file injection shell injection HTML embedding

shell injection

What is one of the most common mistakes a first responder makes when dealing with a computer crime incident? leaving the computer turned on None of these choices are correct. shutting down the computer collecting data while the computer is running

shutting down the computer

Ping method, DNS method, & promiscuous mode are all considered what type of detection technique? sniffing firewall IDS snort

sniffing

An act of tricking people to reveal sensitive information is involved in which type of reconnaissance technique? ping sweeping social engineering port scanning DNS footprinting

social engineering

Which of the following terms refers to an art of manipulating people to divulge sensitive information to perform some malicious action? pod slurping social engineering privilege escalation tailgating

social engineering

Which of the following sources of evidence helps an incident responder to collect information that guides him or her in building the timeline of attack? job services financial services online location tracking social networks

social networks

When a user deletes mail from folders such as Inbox, Drafts, Sent Items, and Contacts, Outlook moves them into Deleted Items folder. What category of data deletion is this? easy deletion hard deletion soft deletion medium deletion

soft deletion

The first response to an incident may involve one of three different groups of people, each having different tasks based on the circumstance of the incident. Which of the following is NOT one of those people? system administrator laboratory forensics staff special jurisdiction police non-forensic staff

special jurisdiction police

Which of the following phishing attacks exploits instant-messaging platforms to flood spam across the networks? CEO scam spimming pharming puddle phishing

spimming

File fingerprinting, local and online malware scanning, performing strings search, identifying packing/obfuscation methods, finding the portable executables (PE) information, and identifying file dependencies are all considered what type of malware analysis technique? memory dynamic code static

static

In a cloud, ________ refers to databases holding the data, virtual machines, operating systems, and so on. network file storage server

storage

Which of the following is NOT a common cause for system vulnerabilities? software bugs use of broken algorithms strong passwords complexity of the system

strong passwords

High resource utilization happens when attackers perform malicious attempts like DoS and DDoS attacks on the networks in order to overwhelm the network resources. Which indication may include the following sign? database logs showing attempts to access sensitive data unauthorized access attempts to the important files creation of new files or directories with unusual names sudden increase in log messages of the operating system and application

sudden increase in log messages of the operating system and application

From the following scenarios, identify the scenario that indicates "insufficient transport layer protection" under security misconfiguration vulnerability. giving insight into source code such as logic flaws and default accounts input from a client is not validated before being processed by web applications and backend servers supporting weak algorithms and using expired or invalid certificates, which exposes a user's data to untrusted third parties and can lead to account theft manipulation of parameters exchanged between client and server to modify application data

supporting weak algorithms and using expired or invalid certificates, which exposes a user's data to untrusted third parties and can lead to account theft

Which of the following is NOT considered a type of phishing? spear whaling pharming swimming

swimming

Emily notices that her computer performance is slower than usual, she is experiencing random crashes and reboots, and she notices unusual graphic displays. What type of intrusion is Emily experiencing? file systems network None of these choices are correct. system

system

Which of the following Wireshark filters is used to view the packets with FIN, PSH, and URG TCP flags set for detecting Xmas scan attempts? TCP.flags==0x000 tcp.dstport==25 tcp.dstport==7 tcp.flags==0X029

tcp.flags==0X029

Forensic readiness consists of the following two actions that maximize an organization's capability to use digital evidence. fast and analytical None of these choices are correct. major and minor technical and non-technical

technical and non-technical

What does the term "phishing" mean? the flurry of junk mail sent by accident the psychological manipulation attack technique in which an attacker sends an email or provides a link falsely claiming to be from a legitimate site to acquire a user's personal or account information unsolicited or undesired emails used to distribute malicious links and attachments, and cause network congestion the process of repeatedly sending an email message to an address

the psychological manipulation attack technique in which an attacker sends an email or provides a link falsely claiming to be from a legitimate site to acquire a user's personal or account information

Which of the following is NOT a static malware analysis technique? file fingerprinting malware disassembly local and online malware scanning windows services monitoring

windows services monitoring

Access control attacks, integrity attacks, confidentiality attacks, availability attacks, and authentication attacks are all considered ________. DoS incidents inappropriate usage incidents wireless network incidents unauthorized access incidents

wireless network incidents

Which of the following is NOT a challenge in handling and responding to cloud security incidents when specifically discussing logs? timestamp synchronization decentralization of logs evaporation of logs multiple layers and tiers

timestamp synchronization

What is the primary use of an email dossier? to add a digital signature to the outgoing emails for better authentication to check the validity of an email address to make email headers human readable by parsing them according to RFC 822 to prevent email spoofing

to check the validity of an email address

What is the purpose of strings? to communicate information from the program to its user to analyze suspicious files to calculate various hash values to clean out unneeded files and data

to communicate information from the program to its user

What is the primary purpose of PromqryUI? to detect network interfaces that are running in promiscuous mode to monitor the network for strange packets such as packets with spoofed addresses to check if the MAC address of certain machines has changed to send a non-broadcast ARP to all the nodes in the network

to detect network interfaces that are running in promiscuous mode

What is the purpose of Microsoft Baseline Security Analyzer (MBSA)? to generate efficient reports on detected incidents during incident handling and response process to determine their security state in accordance with Microsoft security recommendations to detect and access the malware present in the network and then eliminate it to determine the email origin by matching the domain name for an IP address

to determine their security state in accordance with Microsoft security recommendations

What is the purpose of the CloudPassage quarantine application? to monitor /v1/events endpoint in the Halo API, to look for specific events All of these options are correct. to recover data marked as deleted, as it may get overwritten by another user sharing the same cloud to detect a malicious act by identifying a series of small changes made across many systems and applications

to monitor /v1/events endpoint in the Halo API, to look for specific events

Which of the following is NOT a driving force behind insider attacks? to take revenge to become a future competitor to pass any future exams to steal confidential data

to pass any future exams

What is the purpose of activity monitoring tools? All of these choices are correct. to build custom queries, generate alerts, retrieve data from multiple data sources, and enhance the potential analytical capability to prevent, detect, and respond to various insider threats to record all the user activity on the organizational networks, systems, and other IT resources to scan the network traffic to find exfiltration of sensitive data and alert the administrators

to record all the user activity on the organizational networks, systems, and other IT resources

Classification of incidents is defined based on their severity and potential targets. True False

True

Computer forensic investigators must have knowledge of general computer skills such as hardware, software, OS, applications, etc. True False

True

During the investigation of the crime scene, if the computer is turned off, the data which is not saved can be lost permanently. False True

True

Insider attacks can be detected manually by identifying the behavior of the users. True False

True

Installing IDS, email content filtering software, and security control tools to identify certain types of activities like spam and file sharing are important steps to handle inappropriate incidents. False True

True

Malicious code can cause irreparable harm to important files and records. False True

True

John, a security professional working for Xdoc Corporation, is implementing a security strategy that uses multilayered protection throughout an information system to help minimize any adverse impact from attacks on organizational assets.Identify the security strategy John has implemented. three-way handshake likelihood analysis covert channel defense-in-depth

defense-in-depth

Identify the character set that is used for replacing the suspicious characters to bypass the filtering mechanism in a path traversal attack. ../ / > \..

../

While investigating Microsoft Exchange Server for email crimes, an incident handler should primarily focus on which of the following files? temporary files, .doc files, & pdf files .edb database files, .stm database files, checkpoint files, & temporary files .stm database files, .html files, & .lzh files .jpeg files, checkpoint files, pdf files, & .svg files

.edb database files, .stm database files, checkpoint files, & temporary files

Identify the regular expression that is used for detecting SQL injection attacks on an MS SQL Server. /(\')|(\%27)|(\-\-)|(#)|(\%23)/ix /((\%27)|(\'))union/ix /exec(\s|\+)+(s|x)p\w+/ix /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix

/exec(\s|\+)+(s|x)p\w+/ix

What is a main difference between a hybrid cloud and a community cloud? With a community cloud it is more difficult to achieve data compliance. A community cloud is composed of two or more clouds that remain unique entities and a hybrid cloud is only one cloud. A community cloud is a multi-tenant infrastructure shared among organizations versus a hybrid cloud which is composed of two or more clouds. Community clouds are more secure than hybrid clouds.

A community cloud is a multi-tenant infrastructure shared among organizations versus a hybrid cloud which is composed of two or more clouds.

What would be considered an advantage and a disadvantage when comparing a private cloud to a public cloud? A private cloud is less secure but has a greater performance A private cloud is more expensive but is also more secure A private cloud has a lack of control but a greater performance A private cloud has less control over resources but is less expensive

A private cloud is more expensive but is also more secure (C8,P905)

In the DoS containment strategy, at what point will you ask your ISP to implement filtering? After correcting the vulnerability or weakness that is being exploited After relocating the affected target After determining the method of attack After identifying the attackers

After determining the method of attack

Organizations must implement several security controls. Which security control ensures that only selected or eligible employees have access to sensitive data, critical devices, and other necessary resources required to accomplish the assigned tasks? Honeypot Encryption Access Controls Intrusion Detection Systems (IDS)

Access Controls (C2,P209)

A cloud broker is an entity that manages cloud services in terms of use, performance, and delivery, and maintains the relationship between CSPs and cloud consumers. What service is provided by a cloud broker? All of these choices are correct. service aggregation service arbitrage service intermediation