EC-Council - ECIH

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

How will you define qualitative risk analysis? (Attack Success + Criticality) - (Countermeasures) (Countermeasures) + (Criticality - Attack Success) (Attack Success + Countermeasures) - (Criticality) (Attack Success) + (Criticality - Countermeasures)

(Attack Success + Criticality) - (Countermeasures)

Which of the following is a set of specific strategies, guidelines, and processes that aids recovery from an incident? Contingency plan Incident recovery testing Business impact analysis Temporary plan analysis

Contingency plan

Sarah is a hacker who is using a method called __________ on victim systems to analyze users' surfing habits and sell that information to other attackers or to launch various attacks on the victims' web applications. Cookie/ Session Poisoning Cross-Site Forgery Web Services Attacks Cookie Snooping

Cookie Snooping (C7,P774)

_________ can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. Threats Ticket Tools Cookies Brownies

Cookies (C7,P783)

System time refers to the exact date and time of the day when the incident happened, as per the ________. This will assist in developing an accurate timeline of events that have occurred on the system. Ordinary Civil Time (OCT) Coordinated Universal Time (UTC) Local Sidereal Time (LST) Julian Date

Coordinated Universal Time (UTC)

Lucas is an incident responder who wants to monitor the integrity of critical files. What steps could he take? Create a database of cryptographic checksums of critical files. Use checksum calculators such as HashCalc or automated integrity monitoring tools such as Tripwire. Use an isolated test network to host your test bed. Create a database of cryptographic checksums of critical files and use checksum calculators such as HashCalc or automated integrity monitoring tools such as Tripwire.

Create a database of cryptographic checksums of critical files and use checksum calculators such as HashCalc or automated integrity monitoring tools such as Tripwire.

Which is NOT an objective of computer forensics? Identify, gather, and preserve the evidence of a cyber crime Find vulnerabilities and security loopholes Create weak authentication and authorization controls Recover deleted and hidden files

Create weak authentication and authorization controls (C3,P284)

In live system analysis, which of the following tools is used to monitor the scheduled tasks? Runscope CronitorCLI Sonar AlertSite

CronitorCLI

Which method is an attack in which an authenticated user is made to perform certain tasks on the web application that an attacker chooses? For example, a user clicking on a link sent through an email or chat Cookie/ Session Poisoning Cross-Site Forgery Web Services Attacks Cookie Snooping

Cross-Site Forgery (C7,P774)

________ attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users. Denial-of-Service (DoS) Cross-site scripting ('XSS' or 'CSS') SQL injection Man-in-the-Middle (MitM)

Cross-site scripting ('XSS' or 'CSS')

Insecure or obsolete encryption makes cloud services susceptible to what type of attack? SQL Injection Cryptanalysis Wrapping DoS

Cryptanalysis (C8,P934)

_______ refers to a contract between the organization and an insurer to protect related individuals from different threats and risks Cyber Insurance IPsec Secure Shell Security Policy

Cyber Insurance (C2,P212)

There are four types of Domain Name System (DNS) attacks. Which type Involves conducting phishing scams by registering a domain name that is similar to that of a cloud service provider? Domain Snipping Domain Hijacking DNS Poisoning Cybersquatting

Cybersquatting (C8,P933)

Email crimes can be categorized in two ways either by sending emails or supported by emails. Which of the following is a crime supported by Emails? Spamming Storming Cyberstalking Malware Distribution

Cyberstalking (C4,P523)

Digital evidence is circumstantial that makes it very easy for the forensics investigator to differentiate the system's activity. False True

False

Even when the root level access is achieved by the attacker, it is an easy task to determine the action performed by the attackers. False True

False

Inappropriate usage incidents directed at outside parties may cause more loss to organizations in the form of money but they do not cause damage to reputation and legal liabilities. True False

False

Inappropriate usage incidents, aimed at external agencies/organizations, like an internal user changing the content of another organization's public website, are the liability of the user but not liability concerns for the organization he/she is working for. True False

False

The incident response team should handle the incident whenever an incident is identified by only a trusted person in the organization. True False

False

There is no need to write a detailed report after an incident, as long as the information is recorded in the ticketing system of the company. True False

False

Trojans are executable programs that install horse racing games when a file is opened and activated. True False

False

Federal law requires federal agencies to report incidents to the which Incident Response Center? National Energy Regulatory Consortium Federal Computer Incident Repsonse Center Federal Cybersecurity Incident Response Center National Cybersecurity Center for Incident Response

Federal Computer Incident Repsonse Center (C1,P142)

This type of identity theft occurs when a victim's bank account and credit card information are stolen and used illegally by a thief. Criminal Tax Financial Identity Cloning

Financial (C5,P538)

What refers to the first action performed after occurrence of a security incident? First Reaction First Response Documenting Testifying

First Response (C3,P291)

What is the process of imaging or collecting information from various media in accordance with certain standards for analyzing its forensic value? Forensic Data Acquisition First Response Snapshot Response Forensic Evidence Collection

Forensic Data Acquisition (C3,P358)

________ is a process of analyzing and reviewing the data gathered from computer systems such as log files, system files, web history files, emails, and installed applications. Asset identification BOTH incident investigation AND forensic analysis Forensic analysis Evidence protection Incident investigation

Forensic analysis

Which of the following is the practice of identifying the infected systems by looking for evidence of recent infections? Forensic identification Active identification UManual identification Passive identification

Forensic identification

Viruses, worms, trojan horses, logic bombs, trap doors, nano machines and microbes, electronic jamming, and penetration exploits and tools are all weapons for ________? InfoAttacks InfoWars InfoBattles InfoDefense

InfoWars

Which one of the following is the intangible cost for an incident? Lost productivity hours Investigation and recovery efforts Loss of business Loss of reputation

Loss of reputation

Loss of personal password, failure to download antivirus signatures, and unsuccessful scans and probes in the networks are considered incidents at a _______ Low Level Middle Level High Level None of the above

Low Level (C2,P229)

Marie wants to find a natural way to represent her information that she has gathered during a network test, but she also wants to be able to extract that data and present it in a table/list. Which website tool would be the most beneficial for her to use? MagicTree Tomboy KeepNote Microsoft Onenote

MagicTree

What is the most common type of attacks against computer systems? SQL injection Zero-day Malware Phishing

Malware (C4,P426)

There are a ton of indications of malware incidents. Which of the following techniques are important for users, tech support, administrators, and incident responders to help be able to identify? Memory Dump/Static Analysis Descriptive Analysis Quantitative Analysis Predictive Analysis

Memory Dump/Static Analysis (C4,P451)

Responders can figure out who is leaking information to the public or to another entity by giving a person a piece of data and waiting to see if the information makes it way to the public domain. What is the name of this technique? Profiling Mole Detection Insider Detection None of the above

Mole Detection (C9,P1002)

There are several indicators of insider threats. The most common indicator of an insider threat is lack of awareness of employees against security measures. Examples of this may include which of the following? No Changes in Network Usage Patterns No Temporal Changes in Revenue Multiple Failed Login Attempts All the above

Multiple Failed Logon Attempts (C9,P999)

Based on incident prioritization, which one of the following incidents should have first priority (Priority 1)? ELearning is down but during spring break; AP Pay cycle will not run during the beginning of a pay period. MyUFL is down; hacking/compromise of critical UF system leading to service unavailability/disclosure of restricted data. Videoconferencing via Polycom is unavailable for a specific conference. Multifunction printer / fax / scanner servicing a department stops functioning. GatorLink account compromised and being used to send spam.

MyUFL is down; hacking/compromise of critical UF system leading to service unavailability/disclosure of restricted data.

Kailey wants to see real-time log monitoring, system behavior, and unusual activity on her work computer. What website could she use to accomplish this? Service+ Nagios XI Loggly SMART Utility

Nagios XI

The incident responder should collect information regarding network connections to and from the affected system, immediately after the report of any incident. What is a tool that can help gather this information? Netstat Net-gain Ndtstat NetIDS

Netstat (C3,P385)

What does Netstat do? Netstat analyzes the logs and alerts of intrusion detection systems, SIEMs, and firewalls for the detection of malware. Netstat corrupts the system and open system input/output ports to establish connections with remote systems, networks, or servers. Netstat is a monitoring tool for Windows that shows real-time file system, registry, and process/thread activity. Netstat displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics, and IPv6 statistics.

Netstat displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics, and IPv6 statistics.

Analyzing log files help incident handlers to detect the perpetrator. Analyzing _______ logs will help incident handler in understanding established connections, uploads, downloads, and requested URLs. Network Server Database SIEM

Network (C9,P1005)

Which group is responsible for examining the computer network traffic for signs of incidents or attacks such as DoS, DDoS, firewall breach, or other malicious code? Threat Researchers System Administrators Network Administrators Forensic Investigators

Network Administrators (C2,P187)

Michael is a forensic expert in an organization based in New York City. As a part of his analysis, he sniffed the data packets that are trying to communicate with the server of the organization while recording and analyzing the event logs. Which type of forensic analysis did Michael perform? Network Forensics Data Forensics Internet Forensics Source-code forensics

Network Forensics

DNS and ARP Poisoning is what type of Information Security Threat Category? Host Threats System Threats Network Threats Application Threats

Network Threats (C1,P22)

In a DoS attack, attackers flood the victim system with ___________ or traffic to overload its resources. Legitimate Service Requests Non-legitimate Service Requests System Resources Websites

Non-legitimate Service Requests (C6,P674)

Attackers use __________ (e.g., Wireshark, Cain and Abel) to capture sensitive data such as passwords, session cookies, and other web service-related security configurations Cloud Computing Websites Phishing Websites CSP's Packet Sniffers

Packet Sniffers (C8,P932)

What can be the result of Sender Policy Framework (SPF) protocol when the SPF record cannot be verified due to syntax or format errors in the record? TempError Neutral Pass PermError

PermError

Which of the following is the appropriate process flow in the computer forensics process? Preparation -> Collection -> Examination -> Analysis -> Reporting Examination -> Analysis -> Preparation -> Collection -> Reporting Analysis -> Preparation -> Collection -> Reporting -> Examination Preparation -> Analysis -> Collection -> Examination -> Reporting

Preparation -> Collection -> Examination -> Analysis -> Reporting

A successful backup strategy must have two of the following features: Limited Security & Data Limited Space & Data Security & Real-Time Offsite Backup Real-Time Offsite Backup & No Notifications

Security & Real-Time Offsite Backup (C2,P210)

There are four main common types of reconnaissance attacks that are attempted by the attackers in order to exploit the networks. Which type tricks people into revealing sensitive information? Ping Sweeping Port Scanning DNS Footprinting Social Engineering

Social Engineering (C6,P629)

What crime refers to the unsolicited or undesired emails used to distribute malicious links and attachments, cause network congestion, perform phishing and financial frauds, and so on? Storming Bombing Phishing Spamming

Spamming (C5,P524)

Which following malware pretends to be a program that offers useful applications, but acquires the information of your computer and sends it to a remote attacker? Spyware Worm Virus Rootkit

Spyware

Security policies are the foundation of the security infrastructure that defines the basic security requirements and rules to be implemented in order to protect and secure an organization's information systems. Which of the following is NOT something security policies can accomplish? They protect confidential and proprietary information from theft, misuse, unauthorized disclosure, or modification. They reduce or eliminate legal liability of employees and third parties. They can still be effective when added as an afterthought. They prevent wastage of the company's computing resources.

They can still be effective when added as an afterthought.

A person or entity that is responsible for the incidents or has the potential to impact the security of an organization's network is what type of actor? Host Threat Access Actor Threat Actor Infiltration Actor

Threat Actor (C1,P24)

Script Kiddies, Organized Hackers and State Sponsored Attackers are all part of what? Threat Actors System Threats Access Actors Both A & B

Threat Actors (C1,P25)

ManageEngine ServiceDesk Plus and AlienVault OSSIM are both websites used as Intrusion Detection Systems Email Attacks Content Filtering Cites Ticketing Tools

Ticketing Tools (C2,P222)

Temporary shutdown and restoration of the infected system are two of the common techniques in the containment stage of the incident response and handling step. False True

True

Unauthorized access is a condition where a person gains access to system and network resources which they are not authorized to have. True False

True

Well-trained members of the organization can prevent an incident or limit the resulting damage. True False

True

Which one of the following is NOT a guideline for detecting and preventing insider threats with respect to human resources? Conduct background checks on all users and employees who are in sensitive positions. Conduct background checks on all users and employees who are in sensitive positions AND trust every employee of the organization as they are hardworking people ARE NOT THE GUIDELINES. Call the FBI immediately when an employee attacks or damages a system. Trust every employee of the organization as they are hardworking people AND call the FBI immediately when an employee attacks or damages a system ARE NOT THE GUIDELINES. Trust every employee of the organization as they are hardworking people.

Trust every employee of the organization as they are hardworking people AND call the FBI immediately when an employee attacks or damages a system ARE NOT THE GUIDELINES.

Exabeam Advanced Analytics, LogRhythm, Dtex Systems, and ZoneFox are all ________ tools. active monitoring DLP SIEM UBA/UEBA

UBA/UEBA

Which of the following incidents refers to a person gaining access to a system and network resources that he or she was not authorized to access? Handling Inappropriate Usage Incidents Unauthorized Access Incident Handling Multiple Component Incidents Authorized Access Incident

Unauthorized Access Incident

Reconnaissance attacks, sniffing and spoofing attacks, firewall attacks, and brute forcing attacks are all types of _______. Unauthorized Access Incidents Inappropriate Usage Incidents Denial-of-Service Incidents Wireless Network Incidents

Unauthorized Access Incidents (C6,P623)

If the victim computer has an internet connection, the first responder must? Keep all of the cords and devices connected to the computer plugged in Use the computer for evidence search Unplug the network cable from the router and modem If the computer is turned OFF turn it ON to search the device

Unplug the network cable from the router and modem (C3,P342)

Which of the following is an indication of unauthorized use of a standard user account? Use of a secret account Alert of network and host IDS Misplaced hardware parts Increase in the usage of resource

Use of a secret account

What is NOT a guideline to prevent spam? Avoid giving email ID to unnecessary or unsecured websites Use unsubscribed links in email messages Do not use or subscribe to sites that access email contact list Use long email ID with numbers and underscore to prevent spammers

Use unsubscribed links in email messages (C5,P579)

Greg is trying to find a free service that analyzes suspicious files and URLs, and facilitates the detection of viruses, worms, and trojans. What could he use for this? AFICK Md5deep VirusTotal Tools4noobs

VirusTotal

Which of the following is defined as the existence of a weakness in the design or implementation error that can lead to an unexpected, undesirable event compromising the security of the system? Vulnerability Patch Attack Incident

Vulnerabiltiy

If a hacker is identifying the kinds of websites a target company is frequently surfing and injecting malicious code that redirects the page to downloading malware, what kind of attack are they pursuing? Email Attacks DoS Attacks Watering Hole Attacks Session Fixation Attacks

Watering Hole Attacks (C7,P780)

What is the name of the primary tool placed on the edge of a network and assists in filtering or blocking malicious content from entering or leaving web applications? Web Application Firewall (WAF) Forensic Explorer OSSIM Buck-Security

Web Application Firewall (WAF) (C7,P796)

There are several types of phishing that can occur. Which type targets high profile executives like CEO, CFO, politicians, and celebrities? Whaling Spear Phishing Puddle Phishing Pharming

Whaling (C5,P530)

Dhru is an incident handler who needs to perform a network traffic analysis. Which website will help him in detecting established malicious connections, the type and number of devices accessed, and exfiltrated data? Microsoft Baseline Security Analyzer (MBSA) Wireshark MagicTree KeepNote

Wireshark (C9,P1010)

Which of the following malware takes advantage of a file or information transport features on the system to propagate across systems and networks without any human interactions? Worms Virus Trojan Spyware

Worms

From the following, identify the character that specifies the hex equivalent of O character in a regular expression. \%3C \%4F \%42 \%62

\%4F

Amber, a networking student, is trying to write a regex for the detection of logs that contain traces of a directory traversal attack involving characters '../'. Which of the following characters should she use to specify the hex equivalent for backward slash? \%2F \%5C \%3E \%2E

\%5C

Among the following causes of an insider attack, identify the one where a competitor may approach and lure employees to corrupt the organization's data in return for huge amounts of money. work-related grievance hacktivism financial gain corporate espionage

corporate espionage

Which of the following malware detection techniques is employed in intrusion analysis to identify the transfer of any unwanted traffic to malicious or unknown external entities? kernel filter drivers covert C&C communication SSDT patching covert malware beaconing

covert C&C communication

What type of insider attack creates and spreads misleading information to spur dissonance within the employees of the organization? intimidating the existing employees wiretapping theft of devices creation of false dossiers

creation of false dossiers

John is an incident response manager at XYZ Inc. As a part of IH&R policy of his organization, he signed a contract between the organization and a third-party insurer to protect organization individuals from different threats and risks.What is the contract signed by John called? disclosure agreement cyber insurance escrow agreement ROE agreement

cyber insurance

Which of the following is NOT a step in the recovery stage? rebuilding the system by installing new OS examining security patches and system logging information restoring user's data from trusted backups extracting static evidence stored as media and other resources

extracting static evidence stored as media and other resources

A/An ________ policy defines a standard to handle application traffic, such as web or email. network-connection firewall-management access-control remote-access

firewall-management

Techniques used to evade ________ include packet fragmentation, IP address decoy, ICMP tunneling, and banner grabbing. firewalls IDS sniffing network

firewalls

What is one way you can check to see if an attacker has tampered with the email header after the incident? examine the files examine the logs examine the notes examine the email

examine the logs

An incident handler working in XYZ organization was assigned a task of detecting insider threats using behavioral analysis. Which of the following steps should be preformed first in the behavioral analysis? discover outliers in each group build profiles of each group compare behaviors across multiple users extract behavioral patterns

extract behavioral patterns

Maximizing an environment's ability to collect credible digital evidence and minimizing the cost of forensics during an incident response are the main objectives of: forensic analysis forensic readiness forensics investigation All of these choices are correct.

forensic readiness

Which of the following terms refers to an organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs? expert testimony forensic readiness data acquisition first response

forensic readiness

Which term refers to an organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs? forensic readiness planning forensic analysis forensic policy forensic readiness

forensic readiness

Computer forensics plays an important role in tracking cyber criminals. Which of the following is NOT a role of computer forensics? guide users to follow security policy of the organization save organizations from legal liabilities and lawsuits help determine the exact cause of an incident help generate a timeline for the incident help tracking the perpetrators of the crime or incident

guide users to follow security policy of the organization

What does \%27 indicate in the following regular expression?/((\%27)|(\'))union/ix hex equivalent of single-quote character hex equivalent of hash character hex equivalent of r character hex equivalent of O character

hex equivalent of single-quote character

A particular mobile phone might be offered for $1000 on an e-commerce website, but the hacker, by altering some of the hidden text in its price field, purchases it for only $10. What type of attack would this be? hidden field manipulation cookie poisoning XML poisoning footprinting attack

hidden field manipulation

Which of the following forensic readiness procedures helps an incident responder in gathering useful information about the system behavior through file integrity monitoring? evidence assessment host monitoring risk assessment network monitoring

host monitoring

In the cloud deployment models, which of the following is the composition of two or more clouds that remain as unique entities but are bound together, offering the benefits of multiple deployment models? community cloud public cloud hybrid cloud private cloud

hybrid cloud

When discussing cloud brokers and services, what is the primary use of service intermediation? to verify adherence to standards through review of objective evidence improves a given function by a specific capability and provides value-added services to cloud customers to act as an intermediary that provides connectivity and transport services between CSPs and cloud consumers combines and integrates multiple services into one or more new services

improves a given function by a specific capability and provides value-added services to cloud customers

In which of the following stages of incident handling does the classification and prioritization of incidents take place? post-incident activities incident recording and assignment incident triage incident containment

incident triage

Identify the email crime in which a flurry of junk mail is sent by accident without human intervention. identity theft mail storming mail bombing malware distribution

mail storming

Heidi is a hacker who is trying to avoid detection by using Unicode, UTF-8, Base64, & URL encoding. What type of web application threat is she using? cookie snooping directory traversal DMZ protocol attacks obfuscation application

obfuscation application

Which of the following malware components is a program that conceals its code and intended purpose via various techniques, making it hard for security mechanisms to detect or remove it? packer injector exploit obfuscator

obfuscator

Jason is an incident handler at The Rolls Inc. One day his organization encounters a massive cyberattack, and he identifies a virus called "XYZ@ZYX" spreading among the computers in the network. He has started investigating the issue; however, as an incident handler, within how much time from detection of such malicious code attacks should he report to the authorities? one hour one week three hours one fortnight

one hour

Which of the following is the most important aspect that allows you to respond to an incident before it occurs? incident management preparation incident containment and response strategy incident response plan

preparation

Which type of cloud has an infrastructure that operates solely for a single organization? hybrid community private public

private

Digital evidence is defined as "any information of ________ value that is either stored or transmitted in a digital form." monetary psychological probative marketing

probative

When dealing with IH&R it is important to determine the funding requirements based on empirical assumptions of various components. Which of the following is NOT considered an IH&R component that incurs cost? team staffing toolkits space procedures

procedures

Identify the security policy that doesn't keep any restrictions on the usage of system resources. promiscuous policy permissive policy paranoid policy prudent policy

promiscuous policy

Identify the type of DoS/DDoS incident in which the magnitude of attack is measured in packets per second (pps). protocol attack volumetric attack application layer attack transport layer attack

protocol attack

What kind of policy contains a set of rules that defines authorized connections? special-access password remote-access user-account

remote-access

Identify the metric that is used to measure the magnitude of application layer attacks. packets per second (pps) requests per second (rps) bits per second (bps) cycles per second (cps)

requests per second (rps)

What type of cloud computing threat affects the working of automated tasks? For example, if the cloud computing devices do not have synchronized or matched times, then due to the inaccuracy of the time stamps the network administrator would be unable to analyze the log files for any malicious activity accurately. unsynchronized system clocks insufficient due diligence unknown risk profile shared technology issues

unsynchronized system clocks

Injection flaws are web application vulnerabilities that allow what type of data to be interpreted and executed as part of a command or query? untrusted trusted used new

untrusted

Bethany is an attacker who sends emails containing a rewrite link to trick victims into disclosing passwords and other sensitive information. What is the name of this method? unvalidated redirect unvalidated forward validated redirect validated forward

unvalidated redirect

VirtualBox, VMware vSphere Hypervisor, and Microsoft Virtual Server are all examples of? network simulation software virtualization software debugging tools PE analysis tools

virtualization software

John is creating a statement that reflects his organization's mid-term and long-term goals for incident management capabilities. What type of statement is he creating? imperative statement declarative statement mission statement vision statement

vision statement

Identify the type of DoS/DDoS incident in which the magnitude of attack is measured in bits per second (bps). protocol attack application layer attack volumetric attack transport layer attack

volumetric attack

Which of the following phishing attacks targets high-profile executives, like CEOs, CFOs, politicians, and celebrities, who have complete access to confidential and highly valuable information? spear phishing spimming whaling pharming

whaling

A/An ________, which is really a tool for risk management, is a method of identifying vulnerabilities and threats, as well as assessing the possible impacts to determine where to implement security controls. threat mitigation threat analysis impact analysis None of these choices are correct. risk assessment

risk assessment

Which of the following activities is performed by an incident handler during the pre-investigation phase of computer forensics? search and seizure data acquisition risk assessment evidence assessment

risk assessment

Which phase of the risk management process includes a strategical approach to prepare for handling risks and to reduce its impact on organizations? This phase addresses and treats the risk according to its severity level. risk management plan evaluation risk determination risk assessment risk mitigation

risk mitigation

What is the name of the process that converts object data such as "name, age, city, & EmpID" into a linear format such as "Rinni26Nevada" insecure deserialization deserialization serialization insecure serialization

serialization

Analyzing ________ logs will help the incident handler to determine the applications the suspicious user has accessed and file changes made if any. database All of these choices are correct. server network

server

Will is an attacker who is trying to craft an input string to gain shell access to a web server. What type of command injection attack is Will pursuing? None of these choices are correct. file injection shell injection HTML embedding

shell injection

What is one of the most common mistakes a first responder makes when dealing with a computer crime incident? leaving the computer turned on None of these choices are correct. shutting down the computer collecting data while the computer is running

shutting down the computer

Ping method, DNS method, & promiscuous mode are all considered what type of detection technique? sniffing firewall IDS snort

sniffing

An act of tricking people to reveal sensitive information is involved in which type of reconnaissance technique? ping sweeping social engineering port scanning DNS footprinting

social engineering

Which of the following terms refers to an art of manipulating people to divulge sensitive information to perform some malicious action? pod slurping social engineering privilege escalation tailgating

social engineering

Which of the following sources of evidence helps an incident responder to collect information that guides him or her in building the timeline of attack? job services financial services online location tracking social networks

social networks

When a user deletes mail from folders such as Inbox, Drafts, Sent Items, and Contacts, Outlook moves them into Deleted Items folder. What category of data deletion is this? easy deletion hard deletion soft deletion medium deletion

soft deletion

The first response to an incident may involve one of three different groups of people, each having different tasks based on the circumstance of the incident. Which of the following is NOT one of those people? system administrator laboratory forensics staff special jurisdiction police non-forensic staff

special jurisdiction police

Which of the following phishing attacks exploits instant-messaging platforms to flood spam across the networks? CEO scam spimming pharming puddle phishing

spimming

File fingerprinting, local and online malware scanning, performing strings search, identifying packing/obfuscation methods, finding the portable executables (PE) information, and identifying file dependencies are all considered what type of malware analysis technique? memory dynamic code static

static

In a cloud, ________ refers to databases holding the data, virtual machines, operating systems, and so on. network file storage server

storage

Which of the following is NOT a common cause for system vulnerabilities? software bugs use of broken algorithms strong passwords complexity of the system

strong passwords

High resource utilization happens when attackers perform malicious attempts like DoS and DDoS attacks on the networks in order to overwhelm the network resources. Which indication may include the following sign? database logs showing attempts to access sensitive data unauthorized access attempts to the important files creation of new files or directories with unusual names sudden increase in log messages of the operating system and application

sudden increase in log messages of the operating system and application

From the following scenarios, identify the scenario that indicates "insufficient transport layer protection" under security misconfiguration vulnerability. giving insight into source code such as logic flaws and default accounts input from a client is not validated before being processed by web applications and backend servers supporting weak algorithms and using expired or invalid certificates, which exposes a user's data to untrusted third parties and can lead to account theft manipulation of parameters exchanged between client and server to modify application data

supporting weak algorithms and using expired or invalid certificates, which exposes a user's data to untrusted third parties and can lead to account theft

Which of the following is NOT considered a type of phishing? spear whaling pharming swimming

swimming

Emily notices that her computer performance is slower than usual, she is experiencing random crashes and reboots, and she notices unusual graphic displays. What type of intrusion is Emily experiencing? file systems network None of these choices are correct. system

system

Which of the following Wireshark filters is used to view the packets with FIN, PSH, and URG TCP flags set for detecting Xmas scan attempts? TCP.flags==0x000 tcp.dstport==25 tcp.dstport==7 tcp.flags==0X029

tcp.flags==0X029

Forensic readiness consists of the following two actions that maximize an organization's capability to use digital evidence. fast and analytical None of these choices are correct. major and minor technical and non-technical

technical and non-technical

What does the term "phishing" mean? the flurry of junk mail sent by accident the psychological manipulation attack technique in which an attacker sends an email or provides a link falsely claiming to be from a legitimate site to acquire a user's personal or account information unsolicited or undesired emails used to distribute malicious links and attachments, and cause network congestion the process of repeatedly sending an email message to an address

the psychological manipulation attack technique in which an attacker sends an email or provides a link falsely claiming to be from a legitimate site to acquire a user's personal or account information

Which of the following is NOT a static malware analysis technique? file fingerprinting malware disassembly local and online malware scanning windows services monitoring

windows services monitoring

Access control attacks, integrity attacks, confidentiality attacks, availability attacks, and authentication attacks are all considered ________. DoS incidents inappropriate usage incidents wireless network incidents unauthorized access incidents

wireless network incidents

Which of the following is NOT a challenge in handling and responding to cloud security incidents when specifically discussing logs? timestamp synchronization decentralization of logs evaporation of logs multiple layers and tiers

timestamp synchronization

What is the primary use of an email dossier? to add a digital signature to the outgoing emails for better authentication to check the validity of an email address to make email headers human readable by parsing them according to RFC 822 to prevent email spoofing

to check the validity of an email address

What is the purpose of strings? to communicate information from the program to its user to analyze suspicious files to calculate various hash values to clean out unneeded files and data

to communicate information from the program to its user

What is the primary purpose of PromqryUI? to detect network interfaces that are running in promiscuous mode to monitor the network for strange packets such as packets with spoofed addresses to check if the MAC address of certain machines has changed to send a non-broadcast ARP to all the nodes in the network

to detect network interfaces that are running in promiscuous mode

What is the purpose of Microsoft Baseline Security Analyzer (MBSA)? to generate efficient reports on detected incidents during incident handling and response process to determine their security state in accordance with Microsoft security recommendations to detect and access the malware present in the network and then eliminate it to determine the email origin by matching the domain name for an IP address

to determine their security state in accordance with Microsoft security recommendations

What is the purpose of the CloudPassage quarantine application? to monitor /v1/events endpoint in the Halo API, to look for specific events All of these options are correct. to recover data marked as deleted, as it may get overwritten by another user sharing the same cloud to detect a malicious act by identifying a series of small changes made across many systems and applications

to monitor /v1/events endpoint in the Halo API, to look for specific events

Which of the following is NOT a driving force behind insider attacks? to take revenge to become a future competitor to pass any future exams to steal confidential data

to pass any future exams

What is the purpose of activity monitoring tools? All of these choices are correct. to build custom queries, generate alerts, retrieve data from multiple data sources, and enhance the potential analytical capability to prevent, detect, and respond to various insider threats to record all the user activity on the organizational networks, systems, and other IT resources to scan the network traffic to find exfiltration of sensitive data and alert the administrators

to record all the user activity on the organizational networks, systems, and other IT resources

Classification of incidents is defined based on their severity and potential targets. True False

True

Computer forensic investigators must have knowledge of general computer skills such as hardware, software, OS, applications, etc. True False

True

During the investigation of the crime scene, if the computer is turned off, the data which is not saved can be lost permanently. False True

True

Insider attacks can be detected manually by identifying the behavior of the users. True False

True

Installing IDS, email content filtering software, and security control tools to identify certain types of activities like spam and file sharing are important steps to handle inappropriate incidents. False True

True

Malicious code can cause irreparable harm to important files and records. False True

True

John, a security professional working for Xdoc Corporation, is implementing a security strategy that uses multilayered protection throughout an information system to help minimize any adverse impact from attacks on organizational assets.Identify the security strategy John has implemented. three-way handshake likelihood analysis covert channel defense-in-depth

defense-in-depth

Identify the character set that is used for replacing the suspicious characters to bypass the filtering mechanism in a path traversal attack. ../ / > \..

../

While investigating Microsoft Exchange Server for email crimes, an incident handler should primarily focus on which of the following files? temporary files, .doc files, & pdf files .edb database files, .stm database files, checkpoint files, & temporary files .stm database files, .html files, & .lzh files .jpeg files, checkpoint files, pdf files, & .svg files

.edb database files, .stm database files, checkpoint files, & temporary files

Identify the regular expression that is used for detecting SQL injection attacks on an MS SQL Server. /(\')|(\%27)|(\-\-)|(#)|(\%23)/ix /((\%27)|(\'))union/ix /exec(\s|\+)+(s|x)p\w+/ix /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix

/exec(\s|\+)+(s|x)p\w+/ix

What is a main difference between a hybrid cloud and a community cloud? With a community cloud it is more difficult to achieve data compliance. A community cloud is composed of two or more clouds that remain unique entities and a hybrid cloud is only one cloud. A community cloud is a multi-tenant infrastructure shared among organizations versus a hybrid cloud which is composed of two or more clouds. Community clouds are more secure than hybrid clouds.

A community cloud is a multi-tenant infrastructure shared among organizations versus a hybrid cloud which is composed of two or more clouds.

What would be considered an advantage and a disadvantage when comparing a private cloud to a public cloud? A private cloud is less secure but has a greater performance A private cloud is more expensive but is also more secure A private cloud has a lack of control but a greater performance A private cloud has less control over resources but is less expensive

A private cloud is more expensive but is also more secure (C8,P905)

In the DoS containment strategy, at what point will you ask your ISP to implement filtering? After correcting the vulnerability or weakness that is being exploited After relocating the affected target After determining the method of attack After identifying the attackers

After determining the method of attack

Organizations must implement several security controls. Which security control ensures that only selected or eligible employees have access to sensitive data, critical devices, and other necessary resources required to accomplish the assigned tasks? Honeypot Encryption Access Controls Intrusion Detection Systems (IDS)

Access Controls (C2,P209)

A cloud broker is an entity that manages cloud services in terms of use, performance, and delivery, and maintains the relationship between CSPs and cloud consumers. What service is provided by a cloud broker? All of these choices are correct. service aggregation service arbitrage service intermediation

All of these choices are correct.

Determination of risk for a particular threat/vulnerability pair can be expressed as a function of ________. the adequacy of planned or existing security controls for reducing or eliminating risk the impact of a threat-source when it successfully exercises the vulnerability All of these choices are correct. the likelihood of a given threat-source's attempting to exercise a given vulnerability

All of these choices are correct.

Electronic evidence resides in which one of the following locations? All of these choices are correct. backup tapes (system-wide, personal, disaster recovery) other media sources (tape archives, replaced drives, floppy diskettes) data files (workstations, file servers, palmtop)

All of these choices are correct.

First responders must label all the available evidence and create a list with details, including location of the crime, status of the system, and connected network devices. What are some other things first responders should label? All of these choices are correct. PDAs network access storage media

All of these choices are correct.

How does an audit trial and log monitoring help in detecting an insider threat? It enforces account and password policies and procedures AND periodic logging, monitoring, and auditing processes help the organization to identify and investigate suspicious insider actions ONLY. All of these choices are correct. Periodic logging, monitoring, and auditing processes help the organization to identify and investigate suspicious insider actions. It enforces account and password policies and procedures. Audit trails should be configured for network devices, operating systems, commercial software, and custom applications.

All of these choices are correct.

Jocelyn would like to find out more information about the emails she receives at work such as the IP address, the sender's identity, and the mail server. What website could Jocelyn use to help her find this information? Yesware eMailTrackerPro All of these choices are correct. PoliteMail

All of these choices are correct.

Nicho is new at incident handling so he is worried about making a mistake when handling malware because he knows it can cause major damage to the host computer he's working on. What are some steps Nicho could take to handle the malware safely? Use secure channels & secure USB drives for transferring malware files. Zip and password protect the malware files & store the malware files in an isolated storage facility. All of these choices are correct. Exclude the malware file with invalid file extension from the antivirus scan & also exclude the directory where the malware files are stored from the antivirus scans.

All of these choices are correct.

Step 6 of the IH&R process explains that to gather evidence effectively, the organization must perform which of following? train employees in first responder services enable login on all network devices and security systems create and implement forensic readiness policy and procedures All of these choices are correct.

All of these choices are correct.

What are the various techniques used to respond to an insider threat? blocking malicious user accounts and physically restricting them from entering access control areas placing malicious users in a quarantine network so that attack cannot be spread All of these choices are correct. preventing malicious users from accessing sensitive information disabling the computer systems from network connection

All of these choices are correct.

What is a common type of identity theft? cloning child All of these choices are correct. synthetic

All of these choices are correct.

What major factors need to be considered while recommending risk controls? All of these choices are correct. effectiveness of recommended options operational impact legislation and regulation organizational policy

All of these choices are correct.

What type of information can be gathered by an attacker from improper error handling? All of these choices are correct. network timeout system call failure database information

All of these choices are correct.

Which of the following MUST be included in the incident recording step? who has reported the incident the date and time the incident happened None of these choices are correct. All of these choices are correct. the date and time at which the incident was detected

All of these choices are correct.

Which of the following are containment strategies to stop unauthorized access? enhance physical security measures All of these choices are correct. disable the user accounts used in the attack isolate affected systems

All of these choices are correct.

Which of the following are examples of Denial-of-Service attacks? flooding the network with illegitimate traffic crashing the OS and applications by sending malformed requests All of these choices are correct. increasing the server load by creating many server requests establishing login sessions simultaneously when the legitimate user logs in

All of these choices are correct.

Which of the following are important elements of any security awareness and training program? measuring the effectiveness of the program and updating it implementation of the program All of these choices are correct. development of the materials designing and planning

All of these choices are correct.

Which of the following are indications for a network-based DoS attack? log entries of the operating system All of these choices are correct. undefined connection losses increase in utilization of the network's bandwidth reports of the users regarding system and service unavailability

All of these choices are correct.

Which of the following are the types of computer security incidents? unauthorized access malicious code attack All of these choices are correct. fraud and theft

All of these choices are correct.

Which of the following help in detecting inappropriate usage incidents? unauthorized service usage access to inappropriate materials All of these choices are correct. attack against external party

All of these choices are correct.

Which of the following is a way an incident handler could potentially eradicate insider threats? All of these choices are correct. data encryption isolate the storage change passwords regularly

All of these choices are correct.

Which of the following is considered a data loss issue? data is erased, modified, or decoupled All of these choices are correct. encryption keys are lost, misplaced, or stolen misuse of data by CSP

All of these choices are correct.

Which one of the following are guidelines for detecting and preventing insider threats with respect to administrators and privileged users? Ensure that administrators use a unique account during installation process. Implement a non-repudiation technique to view all the actions performed by administrators and privileged users. All of these choices are correct. Use encryption methods to prevent administrators and privileged users from accessing backup tapes and sensitive information. Monitor the activities of system administrators and privileged users who have permissions to access sensitive information.

All of these choices are correct.

Which one of the following is a negative impact of an insider attack? website defacement stealing personnel information of clients, other employees, and customers posting confidential information on the public website forwarding a human resource department email that consists of the private information All of these choices are correct.

All of these choices are correct.

Which one of the following is caused by the lack of forensic readiness? system downtime data manipulation, deletion, and theft loss of clients by damaging the organization's reputation All of these choices are correct.

All of these choices are correct.

Volatile data is fragile and lost when the system loses power or the user switches it off. Where can this data be found? Registries Cache RAM All the above

All the above (C3,P358)

Jose is an incident responder who wants to eradicate malware security incidents. What steps should he include? Content Filtering Tools & Network Security Devices Blacklist & Antivirus Manual Scan & Fixing Devices All the above

All the above (C4,P505)

What would be considered a limitation of cloud computing? Security, privacy, and compliance issues Prone to outages and other technical issues Contracts and lock-ins All the above

All the above (C8,P900)

Incident handlers can employ tools such as ________________to monitor, collect, detect, and analyze different activities of users on the network User Behavior Analytics (UBA) SIEM DLP Technologies All the above

All the above (C9,P1003)

Titus is an incident responder who wants to gather volatile database information such as user's login sessions and user transactions to find evidence of an attack. What tool could he use to accomplish this task? ApexSQL DBA's ApexSQL audit application Notepad Database Consistency Checker (DBCC) SQL Server Profiler

ApexSQL DBA's ApexSQL audit application

Motive (Goal) + Method + Vulnerability = Attacks Security Policy Defense-in-depth Access Control

Attacks

Which type of malware is access the victim's computer or a network without the user's knowledge? Trojan Horse Ransomware Rootkit Backdoor

Backdoor (C4,P428)

Which of the following steps do you implement as a part of DoS attack prevention? Disable Intrusion Detection Systems Enable Remote Desktop Connection Install and run packet sniffer on the workstation Block traffic from unassigned IP address ranges

Block traffic from unassigned IP address ranges

What is considered a huge network of compromised systems used by attackers to perform denial-of-service (DoS) attacks? Ransomware Botnet Crypter Spyware

Botnet (C4,P430)

Which of the following is a methodology to create and validate a plan for maintaining continuous business operations before, during, and after incidents and disruptive events? Incident response plan Incident recovery plan Business continuity planning Business impact analysis

Business continuity planning

Which of the following activities identifies the effects of uncontrolled and unspecific events in the business process? Business impact analysis Support plan analysis Temporary plan analysis Threat Analysis

Business impact analysis

What following incident response action focuses on limiting the scope and extent of an incident? Identification Containment Eradication Formulating a response strategy

Containment

Carl is trying to violate the acceptable use of a network and computer use policy. Under which category of the incident handling criteria does this scenario fall? CAT 2 CAT 4 CAT 1 CAT 3

CAT 4

Identify the phishing attack in which an attacker imitates the email writing style and other content to make his or her activities seem legitimate. puddle phishing pharming CEO scam spimming

CEO scam

________ is a portable network analyzer app for both LANs and WLANs, which performs real-time packet capturing, 24/7 network monitoring, advanced protocol analysis, in-depth packet decoding, and automatic expert diagnosis. Caspa AFICK Netwrix Auditor SysAnalyzer

Caspa

Which of the following is a process that ensures systems and major applications adhere to formal and established security requirements that are well documented and authorized? Penetration testing Computer forensics Certification and Accreditation (C&A) Incident handling

Certification and Accreditation (C&A)

What actions must take place in restoring email services after a malware incident? Block the sender and then type in old password Disable scanning of links and attachments Change passwords and enable scanning of links and attachments Disable two-factor authentication

Change passwords and enable scanning of links and attachments (C4,P512)

There are many indications of unauthorized access incidents. Which indication would be applicable if there are suspicious tools or exploits and unpredicted open ports? Physical Intrusion Changes in network Changes in system configuration Changes in administrator settings

Changes in system configuration (C6,P625)

Resource pooling, rapid elasticity, distributed storage, and broad network access are all characteristics of which of the following? One Drives Cloud Computing USB Ports The Internet

Cloud Computing (C8,P898)

________ is the cloud server security platform with all the security functions you need to safely deploy servers in public and hybrid clouds CloudPassage Halo Tripwire Splunk Light Logic CloudPassage

CloudPassage Halo (C8,P972)

Which of the following refers to the process of identifying, labeling, recording, and acquiring data from all possible sources? Collection Preservation Examination Analysis

Collection

________ is a designated location for conducting computer-based investigations of the collected evidence in order to solve the case and find the culprit. Cloud Computing Lab Computer Forensics Lab (CFL) Crime Scene Investigation Lab There is not actually a designated place as long as you have a secure network.

Computer Forensics Lab (CFL)

The major points in guidelines for detecting and preventing insider threats with respect to network security include: Computer networks should be secured by configuring firewalls and monitoring outbound traffic to HTTP and HTTPS services AND create rules to reduce the outbound transfer of files to an authorized set of users and systems AND prevent file sharing, instant messaging, and other features among employees that allow unauthorized access to corporate networks. Create rules to reduce the outbound transfer of files to an authorized set of users and systems. Prevent file sharing, instant messaging, and other features among employees that allow unauthorized access to corporate networks. Computer networks should be secured by configuring firewalls and monitoring outbound traffic to HTTP and HTTPS services. Computer networks should be secured by configuring firewalls and monitoring outbound traffic to HTTP and HTTPS services AND create rules to reduce the outbound transfer of files to an authorized set of users and systems ONLY.

Computer networks should be secured by configuring firewalls and monitoring outbound traffic to HTTP and HTTPS services AND create rules to reduce the outbound transfer of files to an authorized set of users and systems AND prevent file sharing, instant messaging, and other features among employees that allow unauthorized access to corporate networks.

Which of the following information security elements ensures that the information is accessible only to those who are authorized to have access? availability confidentiality authenticity integrity

Confidentiality

There are four types of Domain Name System (DNS) attacks. Which type involves registering an elapsed domain name? Domain Snipping Domain Hijacking DNS Poisoning Cybersquatting

Domain Snipping (C8,P933)

A type of Trojan that downloads other malware (or) malicious code and files from the internet on to the PC or device? Dropper Obfuscator Downloader Injector

Downloader (C4,P432)

The ________ is a semi-trusted network zone that separates the untrusted internet from the company's trusted internal network. DMZ ("demilitarized zone") buffer zone CAPTCHA zone hidden field zone

DMZ ("demilitarized zone")

Kevin is an attacker who is exploiting vulnerabilities by performing an XSS attack. What are two types of exploitations that he can perform? Data Theft and Data Manipulation Data Theft and Network Timeout Data Manipulation and Bypassing Access Controls and Network Timeout

Data Theft and Data Manipulation (C7,P763)

What command may give the incident responder valuable insight into what is happening within the server system? This command allows the incident handler to view and retrieve the active transaction log files for a specific database. Uname Database Consistency Checker (DBCC) PsInfo Executed Console

Database Consistency Checker (DBCC) (C9,P1020)

________ is a security strategy in which several protection layers are placed throughout an information system. Non-repudiation Information security Offense-in-depth Defense-in-depth

Defense-in-depth

When discussing common network security incidents, these threats prevent the authorized users from accessing network resources. Unauthorized Access Incidents Inappropriate Usage Incidents Denial-of-Service Incidents Wireless Network Incidents

Denial-of-Service Incidents (C6,P600)

Which one of the following is a guideline for network security measures to prevent an unauthorized access incident? Prepare the appropriate password policy Implement strong authentication for accessing critical resources Design the network in such a way that it blocks the suspicious traffic Create and implement a password policy

Design the network in such a way that it blocks the suspicious traffic (C6,P658)

Crashing a service by interacting with it in an unexpected way and Hanging a system by causing it to go into an infinite loop are examples of? DoS attacks Email attacks IH&R attacks Internet attacks

DoS attacks (C6,P674)

Organizations must be able to handle and respond to various email attacks by developing and implementing proper incident response plan against the known attacks. This includes email filtering, email monitoring tools, and ________. Developing an acceptable email usage policy Deletion of emails from the folders Changing email template and signature Bouncing back emails

Developing an acceptable email usage policy (C5,P544)

In which attack does an attacker(s) infect multiple systems called "zombies", and uses them to attack a particular target? Denial of Service Distributed denial of service Identity Spoofing Man-in-the-Middle

Distributed denial of service

HDBC's online banking website was knocked offline. In result, customers were unable to login and make online transactions. After a few hours, the bank authorities identified that a cyber attacker had kept their server busy by establishing simultaneous login sessions which restricted their customers from logging into the bank website. Identify the attack that the cyber attacker has used to draw the bank server offline. DoS attack Session Hijacking Man-in-the-Middle Cross-Site-Scripting

DoS attack

Hexagon, a leading IT company in the USA received a lot of malformed TCP/IP packets, which led to the crashing of the main server's operating system. This rendered the organization's information resources inaccessible to its employees. Which attack did the adversary use in the above situation? DoS attack Session Hijacking Man-in-the-Middle Cross-Site-Scripting

DoS attack

_________ refers to ability of a single cloud to handle data, accounts, systems, and applications of various organizations Elasticity Virtualization Legal Requirements Clock Synchronization

Elasticity (C8,P950)

James is a part of an incident response team that wants to ensure proper reaction against any mishap. Being forensically ready will allow him and his team to: Eliminate the threat of repeated incidents Lose clients by damaging the organization's reputation Create system downtime Experience data manipulation and deletion

Eliminate the threat of repeated incidents (C3,P297)

Unavailability of the email server, sudden increase of advertising and spam emails, and change in email template and signature are all indicators of what? Cyberstalking Email Attacks SIGVERIF All the above

Email Attacks (C5,P545)

Which of the following is an investigation platform that collects digital data, performs analysis, reports on findings, and preserves them in a court validated, forensically sound format? It gives investigators the ability to image a drive and preserve it in a forensic manner using an evidence file format called LEF or E0 1. None of these choices are correct. The Farmer's Boot CD (FBCD) Helix3 Pro The Coroner's Toolkit (TCT) EnCase Forensic

EnCase Forensic

Removing malware, isolating the critical systems infected with malware, blocking the compromised email accounts, and performing other email security hardening measures are all a part of _____. Detection Recovery Eradication Preparation

Eradication (C5,P574)

Jenny works on an Incident Response team for her organization. After a major incident, she is asked to check and verify as much as possible to get a positive confirmation from each party that in their opinion, everything is operating normally again. What Practice is Jenny taking part in? Final Classification Incident Report Eradication and Recovery Workflow

Eradication and Recovery (C1,P116)

The most common way of networking computers is through a _______ Ethernet USB Port Email Ticketing Tool

Ethernet (C6,P638)

The best way to detect brute force attacks over enterprise networks or applications is to analyze logs in ________ for identifying multiple failed login attempts from the same IP address. Activity Viewer Chrome Event Viewer Safari

Event Viewer

Steve is an incident responder who wants to use an open-sourced phishing toolkit to help him conduct real-world phishing simulations. What could he use to do this? lllllllllllll SPAMfighter Gophish Gpg4win

Gophish

________ is an email service platform by the Novell NetWare. It stores the user's messages in almost 25 proprietary databases. GroupWise NovelWise GroupSmart Yesware

GroupWise

Charles is an incident handler who wants to eradicate insecure deserialization attacks. Which measure should he take? Guard sensitive data during deserialization Avoid filtering untrusted serial data Avoid re-architecting his applications Ignore security permissions

Guard sensitive data during deserialization (C7,P863)

Joe is an employee who attacked his company to make a political statement by publicizing the company's sensitive information. What is the driving force behind this insider attack? Hacktivism Corporate Espionage Work-Related Grievance Curiosity

Hacktivism (C9,985)

Abiding laws are important while dealing with the incident since an organization can face legal issues if it does not maintain legality while dealing with security incidents. Sometimes, incident handling also involves investigating private information of individuals, which hampers their right to privacy. Which legal compliance act protects this type of information? Freedom of Information Act (FOIA) Health Insurance Portability and Accountability Act (HIPAA) Occupational Safety and Health Act (OSHA) Resource Conservation and Recovery Act (RCRA)

Health Insurance Portability and Accountability Act (HIPAA)

Andrea is a first responder and she wants to use forensics analysis tools to help her with collecting, managing, transferring, and storing necessary information required during forensics investigation. Which would be a beneficial tool for her to use? Scriptkid Helix3 NTFS file system MD5 tool

Helix3 (C3,393)

Denial-of-Service attacks, the presence of harmful viruses, worms, and Trojan horse, or Suspected break-in in any computer of a company are all considered incidents at a _______ Low Level Middle Level High Level None of the above

High Level (C2,P230)

Which of the following reports contains logs, records, documents, and any other information that is found on a system? Incident preparation report Incident response report Host-based evidence report Network-based evidence report

Host-based evidence report

Chris is a forensic expert and was hired by a major financial company for his services supporting computer incidents and crimes. Chris must perform many day-to-day activities as a forensic expert. What duties from the list below are aligned with the role of a forensic expert? I. Uncovering the reason an incident occurred II. Determining the status of the system by analyzing it III. Establishing secure network measures to avoid incidents IV. Preserve, analyze and submit evidence in a court of law I, II, and III II, III, and IV I, II, and IV I, II, III, and IV

I, II, and IV

Identify all reasons below that cause organizations to not report computer crimes to law enforcement. I. Fear of negative publicity II. The organization is unaware of the attack III. The organization has the capability to handle the incident internally IV. Potential loss of customers I, II, II and IV I and II I, II, and III I, II, and IV

I, II, and IV

In memory dump analysis, which of the following tools is used for disassembling and debugging malware? IDA Pro FLOSS ASPack Hakiri

IDA Pro

Which of the following terms defines the purpose and scope of the planned incident handling and response capabilities? IH&R team models IH&R vision IH&R mission IH&R staffing

IH&R mission

Which of the following statements is NOT true when it comes to Incident handling and response (IH&R)? The IH&R process provides a focused and structured approach for restoring normal business operations as quickly as possible after an incident The decision to establish IH&R process is affected by inputs, complaints, and queries from all the stakeholders involved in the organization's business processes IH&R processes is the same from organization to organization according to their business and operating environment IH&R processes differ from organization to organization according to their business and operating environment

IH&R processes is the same from organization to organization according to their business and operating environment (C2,P163)

Which of the following terms reflects an organization's mid-term and long-term goals for incident management capabilities? IH&R staffing IH&R vision IH&R mission IH&R team models

IH&R vision

Proxy Servers act as doorways between the user and the web application that are browsed by the user. What are they used to prevent? Cookie/ Session Poisoning Maintain Anonymity IP blocking IP blocking and Maintain Anonymity.

IP blocking and Maintain Anonymity. (C7,P844)

Organizations must secure the network communications by implementing Packet Filters, IPsec, Virtual Private Network, and Secure Shell. Which is responsible for authenticating and validating the packets during transmission? Packer Filters IPsec Virtual Private Network Secure Shell

IPsec (C2,P209)

Which standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization? ISO/IEC 27001:2013 ISO/IEC 27002 ISO/IEC 27001:2015 None of the Above

ISO/IEC 27001:2013 (C1,P124)

Which phase of incident response involves reporting and assessment, event identity and severity level assignment, and incident task force member selection? Incident Classification Containment Data collection Identification

Identification

What does the character 'x' indicate in the following regular expression? /(\')|(\%27)|(\-\-)|(#)|(\%23)/ix case-insensitive or Ignore white spaces in the pattern. and

Ignore white spaces in the pattern.

Which of the following incidents refers to a user performing actions that violate the acceptable computing use policies? Inappropriate usage incident Unauthorized access incident Multiple Component incident Distributed Denial-of-Service (DDoS) incident

Inappropriate usage incident

________ occurs when a user performs actions that violate the acceptable computing use policies. Unauthorized access Inappropriate usage incident DoS incident Unauthorized access AND inappropriate usage incident All of these choices are correct.

Inappropriate usage incident

Which of the following personnel in incident response team focuses on the incident and handles it from a management and technical point of view? Incident Manager (IM) Incident Coordinator (IC) Incident Analyst (IA) Technical Expert

Incident Manager (IM)

Which of the following activity involves all of the processes, logistics, communications, coordination, and planning to respond and overcome an incident efficiently? Incident investigation Incident recovery Incident handling Incident reporting

Incident handling

________ is a process of accurately storing the details of occurrence of an incident. Incident recording Incident handling Data collection Incident documentation

Incident recording

What is the process of rebuilding and restoring computer systems affected by an incident to the normal operational stage? Incident reporting Incident handling Incident recovery Incident preparation

Incident recovery

Which of the following is defined as an organized approach to address and manage the aftermath of a security breach or attack? Threat Risk assessment Vulnerability assessment Incident response

Incident response

This cloud computing service enables subscribers to use on demand fundamental IT resources such as computing power, virtualization, data storage, network, and so on. Some of the advantages from this service include global accessibility, policy-based services, and guaranteed uptime. Infrastructure-as-a-Service (IaaS) Platform-as-a-Service (PaaS) Software-as-a-Service (SaaS) None of the above

Infrastructure-as-a-Service (IaaS) (C8,P900)

Which of the following types of risk is defined by the formula (Threats x Vulnerability)? Residual risk Qualitative risk Inherent risk Quantitative risk

Inherent risk

Megan is a disgruntled employee who wants to take her companies secrets and send the data to competitors by using a steganography. Which type of attack would she be committing? SQL injection DoS Attack Insider Attack Employee Attack

Insider Attack (C9,P982)

ObserveIT, Ekran System and DataRobot are both important tools that detect ______. Outsider Threats Data Breaches Insider Threats Cybersquatting

Insider Threats (C9,P1024)

Which of the following is a preparation step for a cloud service provider (CSP)? Clearly mention privileges of employees accessing the cloud. Mention the critical services and application that need most attention to the CSP in order to have a priority list for containment and recovery. Audit and prepare a list of all the systems and accounts that have access to the cloud. Install database activity monitoring (DAM), data leak prevention (DLP), log analysis, and SIEM tools to simplify detection of incidents.

Install database activity monitoring (DAM), data leak prevention (DLP), log analysis, and SIEM tools to simplify detection of incidents.

When discussing insider threat prevention tools, what ability does Security Incident and Event Management (SIEM) solutions provide? the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services the ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs It draws patterns that provide an ability to make knowledgeable decisions for the preparedness, prevention, and response actions against various cyberattacks. the ability to build custom queries, generate alerts, retrieve data from multiple data sources, and enhance the potential analytical capability to prevent, detect, and respond to various insider threats

It draws patterns that provide an ability to make knowledgeable decisions for the preparedness, prevention, and response actions against various cyberattacks.

Which of the following is NOT true about incident handling? It saves time, investment, and effort. NEITHER it saves time, investment, and effort NOR it has no value when it comes to saving the organization from legal consequences ARE TRUE. It equips the organization with the procedures that can be followed in case of an incident. It has no value when it comes to saving the organization from legal consequences. It helps to determine the patterns in incidents, to handle them more efficiently.

It has no value when it comes to saving the organization from legal consequences.

Terry is managing a web server that runs a PHP-based web service. An incident was reported to Terry, where users were not able to access the service. During the investigation, he discovered that the webserver was live and there were no alerts from the anti-malware system. However, in the Task Manager, he discovered a large number of php-cgi processes that were consuming up to ninety-nine percent of the CPU. What can Terry infer from the above observation? It indicates a DoS attack It indicates an unauthorized access attack It indicates a Trojan attack It indicates a php-cgi injection attack

It indicates a DoS attack

Which of the following is NOT an advantage of an Incident Response Orchestration? It includes automated alarms that detect the incident and alert the response personnel with details It allows responders to remotely assess the incident analysis results and manage the actions It allows responders to configure different solutions to interact and streamline incident response action It provides attackers more time to contain information

It provides attackers more time to contain information (C1,P111)

________ is a PC system utility software that works by cleaning out unneeded files and data, cleaning the Windows registry, automatically fixing system errors, and applying optimization to your system. p- Protocol TPCView Jv16 Power Tools Process Monitor

Jv16 Power Tools

Flora is an incident handler at an organization that is implementing forensic readiness procedures to handle evolving cyber threats. As part of this process, she decided to use an advanced authentication protocol to secure the organizational network resources.Which of the following protocols must Flora employ? FTP/HTTP ICMP/UDP Kerberos/IPSec TCP/IP

Kerberos/IPSec

Which of the following is NOT considered one of the best practices recommended to avoid insider threats? Monitor employee behaviors and the computer systems used by employees Implement secure backup and disaster recovery processes for business continuity Disable remote access and screen sharing activities for all the users Leave business details over voice mail or email broadcast message

Leave business details over voice mail or email broadcast message (C9,P1044)

The first responder needs to prepare and check several prerequisites such as the availability of tools, reporting requirement, and ______ in order to conduct a successful investigation Legal clearances Availability of internet Time and date Registries

Legal clearances (C3,398)

What is a common technique that incident responders can use to secure the confidential data of a company from spies and eradicate different insider threats? Store passwords in a folder Limiting and controlling access Only encrypting data thats in use Store sensitive data on a networked computer

Limiting and controlling access (C9,P1029)

The NERC 1300 Cyber Security standard stands for what? North American Electric Reliability Corporation National Electric Regultions for Cybersecurity National Energy Regulatory Consortium National European Response Consortium

North American Electric Reliability Corporation (C1,P134)

What tool is used by incident handlers to detect data exfiltration attacks performed by insiders? Microsoft Baseline Security Telnet Connection Nuix Adaptive Security Wireshark

Nuix Adaptive Security

Recovery, Process Review and Practice are all part of which Incident Management guidelines? OWCIA OWASSP ENISA OWASP

OWASP (C1,P113)

________ is an international organization that provides top 10 vulnerabilities and flaws of web applications. OWASP ROYGBIV NRPNC SIGVERIF

OWASP (C7,P741)

What is the name of the tool that is an insider threat management solution that provides organizations with "eyes on the endpoint" and the ability to continuously monitor user behavior? DataRobot ObserveIT Ekran System KeepNote

ObserveIT

What is another name for Cross-Site Request Forgery (CSRF)? Zero-click Attack One-click Attack Two-click Attack Three-click Attack

One-click Attack (C7,P781)

Riya received the following email: Dear user, Due to an unexpected software glitch, we have lost all our customer details and left with only email IDs. In order to continue our services, we request you provide your username and password in the below fields and revert back. If not, your balance amount will be lost and account will be deleted permanently. Username: _____________ Password: ______________ Click reply and send. Note: Please Forward this mail to all the HDBC users you know. Sorry for the inconvenience. Thank you for your cooperation HDBC Bank Admin Copyright © 2017 Service Providers administrator All rights reserved. After seeing the message, Riya got startled and immediately responded to the sender with her username and password. Later she discovered that her account had been hacked. Which trick did the attacker use to trap Riya? Phishing technique Sniffing technique Pharming technique Keylogger technique

Phishing technique

Netcraft,and PhishTank are tools for detecting _____&_____? Bombing/Phishing Spam/Storming Phishing/Spam Storming/Bombing

Phishing/Spam (C5,P549)

Permanent DoS, also known as ________, refers to attacks that cause irreversible damage to system hardware Bricking Sabotages Phlashing Fraudulent hardware updates

Phlashing (C6,P678)

Insecure Coding, Configuration Errors, Platform Vulnerabilities, and Logic Errors are all causes of what? Phlashing Port Scanning Computer Incidents Web Incidents

Phlashing (C7,738)

Which category of unauthorized access is associated with changes in system status? Physical Intruder Unauthorized Data Access Unauthorized Usage of Standard User Account Unauthorized Data Modification

Physical Intruder

User reports regarding network or system unavailability, System status changes, Misplaced hardware parts, and Unauthorized hardware found are all indications of _____. Physical Intrusion Unauthorized Data Modification Changes in Network Resource High Utilization

Physical Intrusion (C6,P626)

Which of the following policies controls access to facilities and computers? Information Security Policy Personnel Security Policy Physical Security Policy Evidence Collection Policy

Physical Security Policy

A ______ is a basic network scanning technique that is employed to determine which range of IP addresses map to live hosts (computers). Ping Sweeping Port Scanning DNS Footprinting Social Engineering

Ping Sweeping (C6,P630)

Which of the following techniques do you implement to respond to an insider attack? Place all the users in a quarantine network Place malicious users in a quarantine network Allow malicious users to access sensitive information Leave the insider's computer open in the network

Place malicious users in a quarantine network

Which one of the following is the correct flow of stages during incident response? Preparation -> Identification -> Containment -> Eradication -> Recovery -> Follow-up Identification -> Preparation -> Containment -> Recovery -> Follow-up -> Eradication Containment -> Identification -> Preparation -> Recovery -> Follow-up -> Eradication Eradication -> Containment -> Identification -> Preparation -> Recovery -> Follow-up

Preparation -> Identification -> Containment -> Eradication -> Recovery -> Follow-up

The _____ ensure that the evidence is stored, examined, preserved, and examined in a way that protects the reliability and correctness of the evidence. Principles of anti- forensic techniques Principles of digital evidence collection Principles of computer forensics Principles of NERC 1300 Cyber Security

Principles of digital evidence collection (C3,P331)

How will you define quantitative risk analysis? Probability of loss X value of loss Value of loss/ Probability of loss Probability of loss + value of loss Probability of loss - value of loss

Probability of loss X value of loss

Which of the following would be considered a harmful insider who uses their technical knowledge to identify the weaknesses and vulnerabilities of the company's network and sell the confidential information to the competitors or black-market bidders? Malicious Negligent Professional Compromised

Professional (C9,P983)

IH&R mission statements define the ____ and _____ of the planned incident handling and response capabilities Purpose and Scope Time and Date Scope and Policies Ethics and Purpose

Purpose and Scope (C2,P173)

Which is NOT a tool used to calculate the hash value? HashCalc MD5 Calculator R-Drive Image HashMyFiles

R-Drive Image (C3,P360)

Which of the following CSIRT services include alerts and warnings, incident handling, vulnerability handling, and artifact handling activities? Reactive Services Proactive Services Security Quality Management Services Vulnerability Management Services

Reactive Services

Which of the following elements of an email header shows a detailed log of a message's history, such as the origin of an email and information on forgeries? Received X-Mailer Subject Message-Id

Received

When it comes to email incidents changing passwords, informing banks, contacting law enforcement, and making an insurance claim are all a part of which step? Recovery Detection Preparation Eradication

Recovery (C5,P583)

What is a residual risk? Risk remaining after implementation of all the possible controls Risk caused due to a threat exercising vulnerability Risk resolved with the implementation of possible controls Risk within the acceptable level of threshold

Risk remaining after implementation of all the possible controls

Which of the following strategies focuses on minimizing the probability of risks and losses by searching vulnerabilities in the system and appropriate controls? Risk planning Research and acknowledgment Risk avoidance Risk limitation

Research and acknowledgment

Identity theft occurs when someone uses your personal information in a malicious way. What is the best way to avoid identity theft from happening? Keep all personal documents on your computer Only give away personal information on the phone Review your credit card reports regularly Never empty your mailbox

Review your credit card reports regularly (C5,P580)

________ is the probability of a threat agent exploiting a vulnerability and the associated impact. (Note: Remember that a threat agent is defined as an entity that can exploit a vulnerability, and vulnerability is defined as a weakness or a lack of countermeasures.) Risk policy Attack Risk Incident

Risk

Which of the following determines the level of risk and the resulting security requirements for each system? Risk assessment Contingency planning Risk mitigation Residual risk

Risk assessment

Which of the following risk mitigation strategy makes an organization absorb minor risks while preparing to respond to major ones? Risk avoidance Risk limitation Risk assumption Risk planning

Risk assumption

Jennifer wants to be able to detect and remove generic malware and advanced threats like rootkits, rogues, and worms. She also wants to be able to detect PUPs and PUMs. What could Jennifer use to help her? VirusTotal RogueKiller Wireshark CapLoader

RogueKiller

Roy is a software employee working at Nexawave, a leading IT firm. One day Roy downloaded a few files from the internet and referred to them within a current project. While developing the project document, Roy observed that his MS Word application started crashing frequently. What could be the reason for the above situation? Roy's system has infected by boot-record infectors Roy's system has infected by Macro virus Roy's system has infected by Micro virus Roy's system has infected through phishing

Roy's system has infected by Macro virus

________ is a built-in Windows tool that comes inbuilt in Windows 10/8/7 and searches for unsigned drivers on a system. ROYGBIV CRYPTER NERC SIGVERIF

SIGVERIF (C4,P472)

What is a spam filter tool that can be used to automatically remove spam and phishing emails from an inbox? Gpg4win SPAMfighter Ekran System ObserveIT

SPAMfighter

Limiting the length of user input, using custom error messages, and disabling commands like xp_cmdshell are all different ways to eradicate _______. DoS attacks Webservice Attacks SQL Injection Attacks Cookie Attacks

SQL Injection Attacks (C7,P851)

When building a testbed there are some tools required for testing. Which one of the following choices represents an important tool for testing? Adobe Creative Cloud Content Filtering Spyware Sandbox

Sandbox (C4,P422)

Instant messenger applications, network propagation, email attachments, and decoy applications are all common ways attackers can _____? Send a malware into a system Let the user know they are attacking Malvertise Recover files

Send a malware into a system (C4,P434)

________ is an email validation protocol used by domain owners for preventing spoofing of emails. MxToolbox NetCraft email dossier Sender Policy Framework

Sender Policy Framework

Which of the following statements defines a risk policy? Estimating the damage caused due to occurrence of a disaster Finding the level of the risk Set of ideas implemented to overcome risks Defined probability of the occurrence of an inciden

Set of ideas implemented to overcome risks

Accurately detecting and assessing incidents are the most challenging and essential part of... Cost of an Incident Intangible Cost Tangible Cost Signs of an Incident

Signs of an Incident (C1,P34)

Which of the following is a technical threat? Incorrect data entry Shoulder surfing Sniffing and scanning of the network traffic Password guessing

Sniffing and scanning of the network traffic

Incident response procedures, also referred to as ___________, provide detailed processes to implement guidelines defined by IH&R plan and policy Current security procedures (CSPs) Implemented data policies (IDPs) Developed automated procedures (DAPs) Standard operating procedures (SOPs)

Standard operating procedures (SOPs) (C2,P179)

Documentation, impact assessment, and incident disclosure are all part of which step? Step 7: eradication Step 6: evidence gathering Step 9: post-incident activities Step 8: recovery

Step 9: post-incident activities

There are various threats to be aware of when dealing with cloud computing. Which type of threat arises because of incomplete and non-transparent terms of use, hidden dependency created by cross-cloud applications, inappropriate CSP selection, and lack of supplier redundancy? Data Breach Insecure Interfaces Supply Chain Failure Isolation Failure

Supply Chain Failure (C8,P929)

________ is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing. Suricata engine Snort Gophish Ntopng

Suricata engine

In which Risk Assessment Methodology step do you identify the boundaries of the IT system and characterize it in order to establish the scope of the risk assessment effort. Threats Identification Threat Characterization System Identification System Characterization

System Characterization

Which of the following is NOT an Information Security Threat Category? Host Threats System Threats Network Threats Application Threats

System Threats (C1,P22)

Which of the following is an appropriate process flow of incident recovery steps? System restoration -> System validation -> System operations -> System monitoring System operations -> System restoration -> System validation -> System monitoring System validation -> System operations -> System monitoring -> System restoration System operations -> System validation -> System monitoring -> System restoration

System restoration -> System validation -> System operations -> System monitoring

Antivirus and antispyware software can identify the infected files but some of the infected files cannot be recovered. True False

True

From the following, identify the Wireshark filter that is used to view the packets moving without a flag set while performing the null scan attempts. tcp.flags==0X029 TCP.flags==0x000 tcp.dstport==7 tcp.dstport==25

TCP.flags==0x000

Loss of productive hours, loss of business, and loss of theft of resources are considered... Business Costs Intangible Costs Tangible Costs Hardware Costs

Tangible Costs (C1,P37)

Rob, an incident manager, was informed about an incident where a suspicious application was found residing in the active memory of multiple systems on a network. Upon investigating, he learned that the application was self-replicating and degrading the systems performance, but it did not affect the files in those systems.What application is this? The application is a Worm The application is a Virus The application is a Trojan The application is a Backdoor

The application is a Worm

What does the neutral result on the Domain Keys Identified Mail (DKIM) protocol indicate? The email is signed, and some part of signature is not acceptable by administrative management domains (ADMD). The email is signed and the signature passes the verification tests. The email is signed, but the signature has syntax errors, so it cannot be processed. The email is signed and the signature does not pass the verification tests.

The email is signed, but the signature has syntax errors, so it cannot be processed.

Which is an important guideline for building an investigation team? To avoid asking help from external investigation teams To avoid adding IT professionals To create a large team To appoint a person as a technical lead among the team members

To appoint a person as a technical lead among the team members (C3,P303)

What is the purpose of proactive services offered by a CERT? To find the cost of fixing a problem To develop the infrastructure and security processes To provide services to the constituency None of the above

To develop the infrastructure and security processes

John prefers using tools such as Mirekusoft and SysAnalyzer to help him at work. What is the primary use of these tools? To monitor his employees' screens To monitor installation of malicious executables To monitor Botnet's None of the above

To monitor installation of malicious executables (C4,P467)

Chad is an incident responder who wants to monitor user and network activities, changes in files, and registry entries. What tool should he use to accomplish these tasks? OSSIM Splunk Light Tripwire MBSA

Tripwire (C8,P963)

Which type of Malware is used to trick the victim into performing predefined action? Trojan Horse Ransomware Rootkit Backdoor

Trojan Horse (C4,P428)

A computer worm is a self-replicating computer program, spreads automatically by infecting one system after the other in a network, and even spreading further to other networks. False True

True

What is file fingerprinting? a process of computing the hash value for a given binary code to identify and track data across a network the process of superseding the manual IR actions with automatic IR actions using machines and tools a process flow of evidence gathering and forensics analysis, concepts of evidence gathering and forensics analysis, and evidence handling All of these choices are correct.

a process of computing the hash value for a given binary code to identify and track data across a network

When an employee is terminated, the organization should disable all his or her ________ to the company's physical locations, networks, systems, applications, and data. security awareness program access rights All of these choices are correct. human resources backup

access rights

Which of the following are examples of insider threats? an employee stealing sensitive information and modifying or utilizing it for personal gain AND stealing trade secrets or client information and selling it to other firms for business advantage AND performing technical crimes that disrupt the organization's data, systems, or network stealing trade secrets or client information and selling it to other firms for business advantage employees showing up late to work an employee stealing sensitive information and modifying or utilizing it for personal gain performing technical crimes that disrupt the organization's data, systems, or network

an employee stealing sensitive information and modifying or utilizing it for personal gain AND stealing trade secrets or client information and selling it to other firms for business advantage AND performing technical crimes that disrupt the organization's data, systems, or network

Which is the definition of digital evidence? any information of probative value that is either stored or transmitted in a digital form evidence that is real and related to the incident in a proper way evidence that is clear and understandable by judges information that does not cast doubt on the authenticity of evidence

any information of probative value that is either stored or transmitted in a digital form

Which of the following commands helps in finding the manipulated system functions while performing memory dump analysis using Volatility Framework? filescan idt apihooks threads

apihooks

Jeff is experiencing a loss of services when trying to use his email and network resources because an attacker is exploiting weaknesses in the programming source code. What type of DoS attack is Jeff experiencing? protocol volumetric permanent application layer

application layer

David is an incident handler and wants to determine the email origin by matching the domain name for an IP address. Which website would he use? arin.net toolbar.netcraft.com hg.org phishtank.com

arin.net (C5,P562)

Which of the following Wireshark filters is used to locate duplicate IP address traffic? tcp.duplicate-traffic-detected tcp.duplicate-address-detected arp.duplicate-address-detected arp.duplicate-traffic-detected

arp.duplicate-address-detected

Which of the following is NOT an indicator of cloud security incidents? creation of new accounts or duplication of the existing ones authorized privilege escalation inability to log into the account increase/decrease of used cloud space

authorized privilege escalation

James is a part of the IH&R team who is currently in the process of collecting evidence. What should he avoid in this process? All of these choices are correct. avoid collecting volatile data while the computer is running avoid affecting the integrity of the evidence avoid extraction of static evidence

avoid affecting the integrity of the evidence

What is another name for live system / dynamic analysis? descriptive analysis predictive analysis behavioral analysis static analysis

behavioral analysis

In eradicating malware incidents, what is the name of the method used to block the harmful URLs, IP addresses, and email IDs that have acted as a source for spreading malware? updating the malware database fixing devices manual scan blacklist

blacklist

In this structure, a single team handles all the incident response functions of a small organization. It is most effective for quickly responding to incidents. This structure is best suited for organizations operating from a single location. distributed incident response team operational teams centralized incident response team coordination teams

centralized incident response team

Which of the following terms refers to a legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory? forensic policy forensic readiness plan promiscuous policy chain of custody

chain of custody

The web application architecture comprises of three layers: client, business, & database insecure, configuration, & logic graduated, stacked, & wedge platform, business, & logic

client, business, & database

According to the NIST cloud deployment reference architecture, which of the following acts as an intermediary for providing connectivity and transport services between cloud consumers and providers? cloud broker cloud carrier cloud provider cloud auditor

cloud carrier

PKI: Public Key Infrastructure, SDL: Security Development Lifecycle, WAF: Web Application Firewall, FW: Firewall, RTG: Real Traffic Grabber, IAM: Identity and Access Management, & ENC: Encryption are all considered what? Windows controls identification controls server controls cloud security controls

cloud security controls

What type of injection flaw involves the injection of malicious code through a web application? command injection LDAP injection All of these choices are correct. SQL injection

command injection

A forensics investigator is able to show that an attacker was logged into a system at the time of a cyber-crime incident. He also has information of who else was logged into the system at the time of the incident and is able to prove the attacker's actions. What is the characteristic of the digital evidence he is presenting? reliable complete admissible authentic believable

complete

What is a disadvantage of using a Platform-as-a-Service (PaaS)? All of these choices are correct. scalability prebuilt business functionality data privacy

data privacy

Accurately ________ and ________ incidents are the most challenging and essential parts of the incident response process. transferring/analyzing detecting/assessing mitigating / analyzing AND transferring / analyzing are correct. All of these choices are correct. mitigating/analyzing

detecting/assessing

Riane's company recently had an incident that compromised critical files and sensitive information. As part of the IH&R team, what are the next steps Riane should do? shut down the system disconnect the network continue the operations to contain the attack disconnect the network and shut down the system

disconnect the network and shut down the system

What is NOT considered a part of the investigation stage? collect the evidence documenting and reporting search and seizure data acquisition

documenting and reporting

Jamie is an incident responder who wants to see a list of recently executed commands performed by a remote or local user within an established command shell or terminal. What command should Jamie use? continents.txt doskey/history ~/.bash_profile $ cd Desktop/

doskey/history

Which of the following malware distribution techniques involves exploiting flaws in browser software to install malware just by visiting a webpage? compromised legitimate websites drive-by downloads spear-phishing sites social engineered click-jacking

drive-by downloads

Port monitoring, process monitoring, registry monitoring, Windows services monitoring, startup programs monitoring, event logs monitoring/analysis, installation monitoring, and files & folder monitoring are all considered what type of malware analysis technique? memory static code dynamic

dynamic

Identify an insider attack where a person surreptitiously overhears confidential conversations at boardrooms, meeting halls, and corridors. shoulder surfing eavesdropping impersonation pod slurping

eavesdropping

Yolanda is currently in the process of getting rid of the compromised cloud networks and applications that can represent attacks or malfunctioning in the networks, servers, systems, and applications related to the cloud. What is the name of this process? analyzation detection eradication interaction

eradication

Which one of the following is NOT a recommendation to handle malicious code incidents? using antivirus software studying antivirus bulletins establishing malicious code security policy installing network based IDS on critical hosts users must be aware of the malicious code issues

installing network based IDS on critical hosts

Which of the following cloud computing threats refers to the ignorance of the CSP's cloud environment and poses risks in operational responsibilities such as security, encryption, and architectural issues? data breach/loss abuse and nefarious use of cloud services insufficient due diligence unsynchronized system clocks

insufficient due diligence

The scenario where the detection software either does not record the malicious event or ignores the important details about the event is referred to as ________. cross-site scripting (XSS) attacks using components with known vulnerabilities insufficient logging and monitoring insecure deserialization

insufficient logging and monitoring

Which type of security misconfiguration vulnerability supports weak algorithms and uses expired or invalid certificates, exposing user's data to untrusted third parties? parameter / form tampering improper error handling unvalidated inputs insufficient transport layer protection

insufficient transport layer protection

Identify the information security element that determines the trustworthiness of data or resources in terms of preventing improper and unauthorized changes. integrity authenticity non-repudiation availability

integrity

Which element of information security includes the trustworthiness of data or resources in terms of preventing improper and unauthorized changes? confidentiality availability integrity authenticity

integrity

Which type of analysis involves analyzing the logs and alerts of intrusion detection systems, SIEMs, and firewalls for the detection of malware? intrusion analysis memory dump / static analysis All of these choices are correct. live system / dynamic analysis

intrusion analysis

James, an incident responder at Trinity Inc., is investigating a cybercrime. In the process, he collected the evidence data from the victim systems and started analyzing the collected data.Identify the computer forensics investigation phase James is currently in. post-investigation phase pre-investigation phase investigation phase risk assessment phase

investigation phase

Which of the following phases of the computer forensics investigation process involves acquisition, preservation, and analysis of evidentiary data to identify the source of a crime and the culprit behind it? post-investigation phase pre-investigation phase vulnerability assessment phase investigation phase

investigation phase

Report writing tools help incident handlers to generate efficient reports on detected incidents during incident handling and response process. Which of the following websites is considered a note taking application that works on Windows, Linux, and MacOS X? arin.net keepnote.org toolbar.netcraft.com notekeepers.net

keepnote.org (C2,P268)

Jane is an incident responder who wants to detect and access the malware present in the network and then eliminate it. Which website could she use to view logs in real time and identify malware propagation? arin.net kiwisyslog.com applelog.com logviewer.net

kiwisyslog.com (C6,P666)

Which of the following is NOT included in the structure of an incident response team? coordinating team law enforcement team distributed incident response team None of these choices are correct. central response team

law enforcement team

Which of the following characteristics of cloud computing is employed by the cloud systems and works on a "pay-per-use" metering method? measured service rapid elasticity on-demand self-service resource pooling Save

measured service

There are four types of insider threats. Which type refers to people who are uneducated on potential security threats? professional negligent compromised malicious

negligent

Which of the following cloud security incidents deal with suspicious IP addresses, MAC addresses, user accounts, systems, applications, services, and other attack vectors? network related incidents servers related incidents virtualization related incidents storage related incidents

network related incidents

Spoofing, session hijacking, DoS attacks, firewall and IDS attacks are all considered what type of information security threat? host threat network threat system threat application threat

network threat

There are several different phases of IH&R. In the ________ phase, the incident information will be informed to various stakeholders, including management, third-party vendors, and clients. forensic analysis notification incident triage containment

notification

Which of the following backup strategies provides daily status of the backup situation, such as successful, unsuccessful, not run, out of space, etc.? guarantee notifications security data availability

notifications

Applications such as Tcpdump and Cain & Abel are used to intercept and log traffic passing through a network. What type of applications are they? network traffic log analysis packet sniffer host analysis

packet sniffer

Non-volatile evidence refers to the ________ data stored on secondary storage devices, such as hard disks and memory cards. temporary dark permanent open

permanent

Anna created her company's security policy to accept the majority of internet traffic, excluding several known dangerous services and attacks. Which type of security policy did Anna put into place? prudent policy promiscuous policy paranoid policy permissive policy

permissive policy

Which of the following phishing attacks is also known as "phishing without a lure"? spear phishing pharming spimming whaling

pharming

Dwayne wants to acquire account information from a competitor company, so he sends an illegitimate email to the payroll specialist claiming to be the CEO. What type of security attack would this be? ransomware phishing web application threats IoT threats

phishing

Which of the following is not a Denial-of-Service response strategy? physical security shutting down services absorbing the attack degrading services AND physical security degrading services

physical security

Which of the following terms is considered as a process of scanning an IP range to detect live hosts? DNS footprinting port scanning ping sweeping social engineering

ping sweeping

David wants to steal sensitive data from his current company so he has copied software tools on the storage devices so that it will automatically run when connected to a device. What type of insider attack has David committed? pod slurping tailgating planting keyloggers privilege escalation

pod slurping

Which of the following is NOT a common symptom of an information system security incident? modified files or folders number of packets received are more than expected ports that are closed or filtered the IDS generates an alarm suspicious log entries

ports that are closed or filtered

Julie is a computer forensic investigator and she is currently setting up a computer forensics lab, building a forensics workstation, investigation toolkit, the investigation team, and getting approval from the relevant authority. Which phase in the investigation process is Julie working through? investigation pre-investigation post-investigation None of these choices are correct.

pre-investigation

Which of the following is an advantage of the Platform-as-a-Service (PaaS)? vendor lock-in prebuilt business functionality integration with the rest of the system applications data privacy

prebuilt business functionality


Ensembles d'études connexes

MGT3200 SmartBook Assignment | Chapter 11: Motivational People

View Set

Chapter 3: ADVERTISING ETHICS & SOCIAL RESPONSIBILITY

View Set

Principles of Persuasion: Robert Cialdini

View Set

Chapter 6, Chapter 5: bioenergetics, Quiz 4, Beckers World of the Cell: chapter 3, Cell Biology Beckers World of the Cell Chapter 5

View Set

Chapter Exam: Louisiana Laws and Rules

View Set