EC-Council - ECIH
How will you define qualitative risk analysis? (Attack Success + Criticality) - (Countermeasures) (Countermeasures) + (Criticality - Attack Success) (Attack Success + Countermeasures) - (Criticality) (Attack Success) + (Criticality - Countermeasures)
(Attack Success + Criticality) - (Countermeasures)
Which of the following is a set of specific strategies, guidelines, and processes that aids recovery from an incident? Contingency plan Incident recovery testing Business impact analysis Temporary plan analysis
Contingency plan
Sarah is a hacker who is using a method called __________ on victim systems to analyze users' surfing habits and sell that information to other attackers or to launch various attacks on the victims' web applications. Cookie/ Session Poisoning Cross-Site Forgery Web Services Attacks Cookie Snooping
Cookie Snooping (C7,P774)
_________ can contain session-specific data such as user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs. Threats Ticket Tools Cookies Brownies
Cookies (C7,P783)
System time refers to the exact date and time of the day when the incident happened, as per the ________. This will assist in developing an accurate timeline of events that have occurred on the system. Ordinary Civil Time (OCT) Coordinated Universal Time (UTC) Local Sidereal Time (LST) Julian Date
Coordinated Universal Time (UTC)
Lucas is an incident responder who wants to monitor the integrity of critical files. What steps could he take? Create a database of cryptographic checksums of critical files. Use checksum calculators such as HashCalc or automated integrity monitoring tools such as Tripwire. Use an isolated test network to host your test bed. Create a database of cryptographic checksums of critical files and use checksum calculators such as HashCalc or automated integrity monitoring tools such as Tripwire.
Create a database of cryptographic checksums of critical files and use checksum calculators such as HashCalc or automated integrity monitoring tools such as Tripwire.
Which is NOT an objective of computer forensics? Identify, gather, and preserve the evidence of a cyber crime Find vulnerabilities and security loopholes Create weak authentication and authorization controls Recover deleted and hidden files
Create weak authentication and authorization controls (C3,P284)
In live system analysis, which of the following tools is used to monitor the scheduled tasks? Runscope CronitorCLI Sonar AlertSite
CronitorCLI
Which method is an attack in which an authenticated user is made to perform certain tasks on the web application that an attacker chooses? For example, a user clicking on a link sent through an email or chat Cookie/ Session Poisoning Cross-Site Forgery Web Services Attacks Cookie Snooping
Cross-Site Forgery (C7,P774)
________ attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users. Denial-of-Service (DoS) Cross-site scripting ('XSS' or 'CSS') SQL injection Man-in-the-Middle (MitM)
Cross-site scripting ('XSS' or 'CSS')
Insecure or obsolete encryption makes cloud services susceptible to what type of attack? SQL Injection Cryptanalysis Wrapping DoS
Cryptanalysis (C8,P934)
_______ refers to a contract between the organization and an insurer to protect related individuals from different threats and risks Cyber Insurance IPsec Secure Shell Security Policy
Cyber Insurance (C2,P212)
There are four types of Domain Name System (DNS) attacks. Which type involves conducting phishing scams by registering a domain name that is similar to that of a cloud service provider? Domain Snipping Domain Hijacking DNS Poisoning Cybersquatting
Cybersquatting (C8,P933)
Email crimes can be categorized in two ways: crimes committed by sending emails and crimes supported by emails. Which of the following is a crime supported by emails? Spamming Storming Cyberstalking Malware Distribution
Cyberstalking (C4,P523)
Digital evidence is circumstantial, which makes it very easy for the forensics investigator to differentiate the system's activity. False True
False
Even when root-level access is achieved by the attacker, it is an easy task to determine the actions performed by the attacker. False True
False
Inappropriate usage incidents directed at outside parties may cause more loss to organizations in the form of money but they do not cause damage to reputation and legal liabilities. True False
False
Inappropriate usage incidents, aimed at external agencies/organizations, like an internal user changing the content of another organization's public website, are the liability of the user but not liability concerns for the organization he/she is working for. True False
False
The incident response team should handle the incident whenever an incident is identified by only a trusted person in the organization. True False
False
There is no need to write a detailed report after an incident, as long as the information is recorded in the ticketing system of the company. True False
False
Trojans are executable programs that install horse racing games when a file is opened and activated. True False
False
Federal law requires federal agencies to report incidents to which Incident Response Center? National Energy Regulatory Consortium Federal Computer Incident Response Center Federal Cybersecurity Incident Response Center National Cybersecurity Center for Incident Response
Federal Computer Incident Response Center (C1,P142)
This type of identity theft occurs when a victim's bank account and credit card information are stolen and used illegally by a thief. Criminal Tax Financial Identity Cloning
Financial (C5,P538)
What refers to the first action performed after the occurrence of a security incident? First Reaction First Response Documenting Testifying
First Response (C3,P291)
What is the process of imaging or collecting information from various media in accordance with certain standards for analyzing its forensic value? Forensic Data Acquisition First Response Snapshot Response Forensic Evidence Collection
Forensic Data Acquisition (C3,P358)
________ is a process of analyzing and reviewing the data gathered from computer systems such as log files, system files, web history files, emails, and installed applications. Asset identification BOTH incident investigation AND forensic analysis Forensic analysis Evidence protection Incident investigation
Forensic analysis
Which of the following is the practice of identifying the infected systems by looking for evidence of recent infections? Forensic identification Active identification Manual identification Passive identification
Forensic identification
Viruses, worms, trojan horses, logic bombs, trap doors, nano machines and microbes, electronic jamming, and penetration exploits and tools are all weapons for ________? InfoAttacks InfoWars InfoBattles InfoDefense
InfoWars
Which one of the following is the intangible cost for an incident? Lost productivity hours Investigation and recovery efforts Loss of business Loss of reputation
Loss of reputation
Loss of personal password, failure to download antivirus signatures, and unsuccessful scans and probes in the networks are considered incidents at a _______ Low Level Middle Level High Level None of the above
Low Level (C2,P229)
Marie wants to find a natural way to represent her information that she has gathered during a network test, but she also wants to be able to extract that data and present it in a table/list. Which website tool would be the most beneficial for her to use? MagicTree Tomboy KeepNote Microsoft Onenote
MagicTree
What is the most common type of attack against computer systems? SQL injection Zero-day Malware Phishing
Malware (C4,P426)
There are many indications of malware incidents. Which of the following techniques is important for users, tech support, administrators, and incident responders to be able to identify them? Memory Dump/Static Analysis Descriptive Analysis Quantitative Analysis Predictive Analysis
Memory Dump/Static Analysis (C4,P451)
Responders can figure out who is leaking information to the public or to another entity by giving a person a piece of data and waiting to see if the information makes its way to the public domain. What is the name of this technique? Profiling Mole Detection Insider Detection None of the above
Mole Detection (C9,P1002)
There are several indicators of insider threats. The most common indicator of an insider threat is lack of awareness of employees against security measures. Examples of this may include which of the following? No Changes in Network Usage Patterns No Temporal Changes in Revenue Multiple Failed Login Attempts All the above
Multiple Failed Logon Attempts (C9,P999)
Based on incident prioritization, which one of the following incidents should have first priority (Priority 1)? ELearning is down but during spring break; AP Pay cycle will not run during the beginning of a pay period. MyUFL is down; hacking/compromise of critical UF system leading to service unavailability/disclosure of restricted data. Videoconferencing via Polycom is unavailable for a specific conference. Multifunction printer / fax / scanner servicing a department stops functioning. GatorLink account compromised and being used to send spam.
MyUFL is down; hacking/compromise of critical UF system leading to service unavailability/disclosure of restricted data.
Kailey wants to see real-time log monitoring, system behavior, and unusual activity on her work computer. What website could she use to accomplish this? Service+ Nagios XI Loggly SMART Utility
Nagios XI
The incident responder should collect information regarding network connections to and from the affected system, immediately after the report of any incident. What is a tool that can help gather this information? Netstat Net-gain Ndtstat NetIDS
Netstat (C3,P385)
What does Netstat do? Netstat analyzes the logs and alerts of intrusion detection systems, SIEMs, and firewalls for the detection of malware. Netstat corrupts the system and open system input/output ports to establish connections with remote systems, networks, or servers. Netstat is a monitoring tool for Windows that shows real-time file system, registry, and process/thread activity. Netstat displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics, and IPv6 statistics.
Netstat displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics, and IPv6 statistics.
Analyzing log files helps incident handlers detect the perpetrator. Analyzing _______ logs will help the incident handler understand established connections, uploads, downloads, and requested URLs. Network Server Database SIEM
Network (C9,P1005)
Which group is responsible for examining the computer network traffic for signs of incidents or attacks such as DoS, DDoS, firewall breach, or other malicious code? Threat Researchers System Administrators Network Administrators Forensic Investigators
Network Administrators (C2,P187)
Michael is a forensic expert in an organization based in New York City. As a part of his analysis, he sniffed the data packets that are trying to communicate with the server of the organization while recording and analyzing the event logs. Which type of forensic analysis did Michael perform? Network Forensics Data Forensics Internet Forensics Source-code forensics
Network Forensics
DNS and ARP Poisoning belong to what Information Security Threat Category? Host Threats System Threats Network Threats Application Threats
Network Threats (C1,P22)
In a DoS attack, attackers flood the victim system with ___________ or traffic to overload its resources. Legitimate Service Requests Non-legitimate Service Requests System Resources Websites
Non-legitimate Service Requests (C6,P674)
Attackers use __________ (e.g., Wireshark, Cain and Abel) to capture sensitive data such as passwords, session cookies, and other web service-related security configurations Cloud Computing Websites Phishing Websites CSP's Packet Sniffers
Packet Sniffers (C8,P932)
What can be the result of Sender Policy Framework (SPF) protocol when the SPF record cannot be verified due to syntax or format errors in the record? TempError Neutral Pass PermError
PermError
Which of the following is the appropriate process flow in the computer forensics process? Preparation -> Collection -> Examination -> Analysis -> Reporting Examination -> Analysis -> Preparation -> Collection -> Reporting Analysis -> Preparation -> Collection -> Reporting -> Examination Preparation -> Analysis -> Collection -> Examination -> Reporting
Preparation -> Collection -> Examination -> Analysis -> Reporting
A successful backup strategy must have two of the following features: Limited Security & Data Limited Space & Data Security & Real-Time Offsite Backup Real-Time Offsite Backup & No Notifications
Security & Real-Time Offsite Backup (C2,P210)
There are four main common types of reconnaissance attacks that are attempted by the attackers in order to exploit the networks. Which type tricks people into revealing sensitive information? Ping Sweeping Port Scanning DNS Footprinting Social Engineering
Social Engineering (C6,P629)
What crime refers to the unsolicited or undesired emails used to distribute malicious links and attachments, cause network congestion, perform phishing and financial frauds, and so on? Storming Bombing Phishing Spamming
Spamming (C5,P524)
Which of the following malware pretends to be a program that offers useful applications, but acquires information from your computer and sends it to a remote attacker? Spyware Worm Virus Rootkit
Spyware
Security policies are the foundation of the security infrastructure that defines the basic security requirements and rules to be implemented in order to protect and secure an organization's information systems. Which of the following is NOT something security policies can accomplish? They protect confidential and proprietary information from theft, misuse, unauthorized disclosure, or modification. They reduce or eliminate legal liability of employees and third parties. They can still be effective when added as an afterthought. They prevent wastage of the company's computing resources.
They can still be effective when added as an afterthought.
A person or entity that is responsible for the incidents or has the potential to impact the security of an organization's network is what type of actor? Host Threat Access Actor Threat Actor Infiltration Actor
Threat Actor (C1,P24)
Script Kiddies, Organized Hackers and State Sponsored Attackers are all part of what? Threat Actors System Threats Access Actors Both A & B
Threat Actors (C1,P25)
ManageEngine ServiceDesk Plus and AlienVault OSSIM are both websites used as ________. Intrusion Detection Systems Email Attacks Content Filtering Sites Ticketing Tools
Ticketing Tools (C2,P222)
Temporary shutdown and restoration of the infected system are two of the common techniques in the containment stage of the incident response and handling step. False True
True
Unauthorized access is a condition where a person gains access to system and network resources which they are not authorized to have. True False
True
Well-trained members of the organization can prevent an incident or limit the resulting damage. True False
True
Which one of the following is NOT a guideline for detecting and preventing insider threats with respect to human resources? Conduct background checks on all users and employees who are in sensitive positions. Conduct background checks on all users and employees who are in sensitive positions AND trust every employee of the organization as they are hardworking people ARE NOT THE GUIDELINES. Call the FBI immediately when an employee attacks or damages a system. Trust every employee of the organization as they are hardworking people AND call the FBI immediately when an employee attacks or damages a system ARE NOT THE GUIDELINES. Trust every employee of the organization as they are hardworking people.
Trust every employee of the organization as they are hardworking people AND call the FBI immediately when an employee attacks or damages a system ARE NOT THE GUIDELINES.
Exabeam Advanced Analytics, LogRhythm, Dtex Systems, and ZoneFox are all ________ tools. active monitoring DLP SIEM UBA/UEBA
UBA/UEBA
Which of the following incidents refers to a person gaining access to a system and network resources that he or she was not authorized to access? Handling Inappropriate Usage Incidents Unauthorized Access Incident Handling Multiple Component Incidents Authorized Access Incident
Unauthorized Access Incident
Reconnaissance attacks, sniffing and spoofing attacks, firewall attacks, and brute forcing attacks are all types of _______. Unauthorized Access Incidents Inappropriate Usage Incidents Denial-of-Service Incidents Wireless Network Incidents
Unauthorized Access Incidents (C6,P623)
If the victim computer has an internet connection, what must the first responder do? Keep all of the cords and devices connected to the computer plugged in Use the computer for evidence search Unplug the network cable from the router and modem If the computer is turned OFF turn it ON to search the device
Unplug the network cable from the router and modem (C3,P342)
Which of the following is an indication of unauthorized use of a standard user account? Use of a secret account Alert of network and host IDS Misplaced hardware parts Increase in the usage of resource
Use of a secret account
What is NOT a guideline to prevent spam? Avoid giving email ID to unnecessary or unsecured websites Use unsubscribed links in email messages Do not use or subscribe to sites that access email contact list Use long email ID with numbers and underscore to prevent spammers
Use unsubscribed links in email messages (C5,P579)
Greg is trying to find a free service that analyzes suspicious files and URLs, and facilitates the detection of viruses, worms, and trojans. What could he use for this? AFICK Md5deep VirusTotal Tools4noobs
VirusTotal
Which of the following is defined as the existence of a weakness in the design or implementation error that can lead to an unexpected, undesirable event compromising the security of the system? Vulnerability Patch Attack Incident
Vulnerability
If a hacker is identifying the kinds of websites a target company is frequently surfing and injecting malicious code that redirects the page to downloading malware, what kind of attack are they pursuing? Email Attacks DoS Attacks Watering Hole Attacks Session Fixation Attacks
Watering Hole Attacks (C7,P780)
What is the name of the primary tool placed on the edge of a network and assists in filtering or blocking malicious content from entering or leaving web applications? Web Application Firewall (WAF) Forensic Explorer OSSIM Buck-Security
Web Application Firewall (WAF) (C7,P796)
There are several types of phishing that can occur. Which type targets high profile executives like CEO, CFO, politicians, and celebrities? Whaling Spear Phishing Puddle Phishing Pharming
Whaling (C5,P530)
Dhru is an incident handler who needs to perform a network traffic analysis. Which website will help him in detecting established malicious connections, the type and number of devices accessed, and exfiltrated data? Microsoft Baseline Security Analyzer (MBSA) Wireshark MagicTree KeepNote
Wireshark (C9,P1010)
Which of the following malware takes advantage of a file or information transport features on the system to propagate across systems and networks without any human interactions? Worms Virus Trojan Spyware
Worms
From the following, identify the character that specifies the hex equivalent of O character in a regular expression. \%3C \%4F \%42 \%62
\%4F
Amber, a networking student, is trying to write a regex for the detection of logs that contain traces of a directory traversal attack involving characters '../'. Which of the following characters should she use to specify the hex equivalent for backward slash? \%2F \%5C \%3E \%2E
\%5C
Among the following causes of an insider attack, identify the one where a competitor may approach and lure employees to corrupt the organization's data in return for huge amounts of money. work-related grievance hacktivism financial gain corporate espionage
corporate espionage
Which of the following malware detection techniques is employed in intrusion analysis to identify the transfer of any unwanted traffic to malicious or unknown external entities? kernel filter drivers covert C&C communication SSDT patching covert malware beaconing
covert C&C communication
What type of insider attack creates and spreads misleading information to spur dissonance within the employees of the organization? intimidating the existing employees wiretapping theft of devices creation of false dossiers
creation of false dossiers
John is an incident response manager at XYZ Inc. As a part of the IH&R policy of his organization, he signed a contract between the organization and a third-party insurer to protect organization individuals from different threats and risks. What is the contract signed by John called? disclosure agreement cyber insurance escrow agreement ROE agreement
cyber insurance
Which of the following is NOT a step in the recovery stage? rebuilding the system by installing new OS examining security patches and system logging information restoring user's data from trusted backups extracting static evidence stored as media and other resources
extracting static evidence stored as media and other resources
A/An ________ policy defines a standard to handle application traffic, such as web or email. network-connection firewall-management access-control remote-access
firewall-management
Techniques used to evade ________ include packet fragmentation, IP address decoy, ICMP tunneling, and banner grabbing. firewalls IDS sniffing network
firewalls
What is one way you can check to see if an attacker has tampered with the email header after the incident? examine the files examine the logs examine the notes examine the email
examine the logs
An incident handler working in XYZ organization was assigned a task of detecting insider threats using behavioral analysis. Which of the following steps should be performed first in the behavioral analysis? discover outliers in each group build profiles of each group compare behaviors across multiple users extract behavioral patterns
extract behavioral patterns
Maximizing an environment's ability to collect credible digital evidence and minimizing the cost of forensics during an incident response are the main objectives of: forensic analysis forensic readiness forensics investigation All of these choices are correct.
forensic readiness
Which of the following terms refers to an organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs? expert testimony forensic readiness data acquisition first response
forensic readiness
Which term refers to an organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs? forensic readiness planning forensic analysis forensic policy forensic readiness
forensic readiness
Computer forensics plays an important role in tracking cyber criminals. Which of the following is NOT a role of computer forensics? guide users to follow security policy of the organization save organizations from legal liabilities and lawsuits help determine the exact cause of an incident help generate a timeline for the incident help tracking the perpetrators of the crime or incident
guide users to follow security policy of the organization
What does \%27 indicate in the following regular expression? /((\%27)|(\'))union/ix hex equivalent of single-quote character hex equivalent of hash character hex equivalent of r character hex equivalent of O character
hex equivalent of single-quote character
A particular mobile phone might be offered for $1000 on an e-commerce website, but the hacker, by altering some of the hidden text in its price field, purchases it for only $10. What type of attack would this be? hidden field manipulation cookie poisoning XML poisoning footprinting attack
hidden field manipulation
Which of the following forensic readiness procedures helps an incident responder in gathering useful information about the system behavior through file integrity monitoring? evidence assessment host monitoring risk assessment network monitoring
host monitoring
In the cloud deployment models, which of the following is the composition of two or more clouds that remain as unique entities but are bound together, offering the benefits of multiple deployment models? community cloud public cloud hybrid cloud private cloud
hybrid cloud
When discussing cloud brokers and services, what is the primary use of service intermediation? to verify adherence to standards through review of objective evidence improves a given function by a specific capability and provides value-added services to cloud customers to act as an intermediary that provides connectivity and transport services between CSPs and cloud consumers combines and integrates multiple services into one or more new services
improves a given function by a specific capability and provides value-added services to cloud customers
In which of the following stages of incident handling does the classification and prioritization of incidents take place? post-incident activities incident recording and assignment incident triage incident containment
incident triage
Identify the email crime in which a flurry of junk mail is sent by accident without human intervention. identity theft mail storming mail bombing malware distribution
mail storming
Heidi is a hacker who is trying to avoid detection by using Unicode, UTF-8, Base64, & URL encoding. What type of web application threat is she using? cookie snooping directory traversal DMZ protocol attacks obfuscation application
obfuscation application
Which of the following malware components is a program that conceals its code and intended purpose via various techniques, making it hard for security mechanisms to detect or remove it? packer injector exploit obfuscator
obfuscator
Jason is an incident handler at The Rolls Inc. One day his organization encounters a massive cyberattack, and he identifies a virus called "XYZ@ZYX" spreading among the computers in the network. He has started investigating the issue; however, as an incident handler, within how much time from detection of such malicious code attacks should he report to the authorities? one hour one week three hours one fortnight
one hour
Which of the following is the most important aspect that allows you to respond to an incident before it occurs? incident management preparation incident containment and response strategy incident response plan
preparation
Which type of cloud has an infrastructure that operates solely for a single organization? hybrid community private public
private
Digital evidence is defined as "any information of ________ value that is either stored or transmitted in a digital form." monetary psychological probative marketing
probative
When dealing with IH&R it is important to determine the funding requirements based on empirical assumptions of various components. Which of the following is NOT considered an IH&R component that incurs cost? team staffing toolkits space procedures
procedures
Identify the security policy that doesn't keep any restrictions on the usage of system resources. promiscuous policy permissive policy paranoid policy prudent policy
promiscuous policy
Identify the type of DoS/DDoS incident in which the magnitude of attack is measured in packets per second (pps). protocol attack volumetric attack application layer attack transport layer attack
protocol attack
What kind of policy contains a set of rules that defines authorized connections? special-access password remote-access user-account
remote-access
Identify the metric that is used to measure the magnitude of application layer attacks. packets per second (pps) requests per second (rps) bits per second (bps) cycles per second (cps)
requests per second (rps)
What type of cloud computing threat affects the working of automated tasks? For example, if the cloud computing devices do not have synchronized or matched times, then due to the inaccuracy of the time stamps the network administrator would be unable to analyze the log files for any malicious activity accurately. unsynchronized system clocks insufficient due diligence unknown risk profile shared technology issues
unsynchronized system clocks
Injection flaws are web application vulnerabilities that allow what type of data to be interpreted and executed as part of a command or query? untrusted trusted used new
untrusted
Bethany is an attacker who sends emails containing a rewrite link to trick victims into disclosing passwords and other sensitive information. What is the name of this method? unvalidated redirect unvalidated forward validated redirect validated forward
unvalidated redirect
VirtualBox, VMware vSphere Hypervisor, and Microsoft Virtual Server are all examples of? network simulation software virtualization software debugging tools PE analysis tools
virtualization software
John is creating a statement that reflects his organization's mid-term and long-term goals for incident management capabilities. What type of statement is he creating? imperative statement declarative statement mission statement vision statement
vision statement
Identify the type of DoS/DDoS incident in which the magnitude of attack is measured in bits per second (bps). protocol attack application layer attack volumetric attack transport layer attack
volumetric attack
Which of the following phishing attacks targets high-profile executives, like CEOs, CFOs, politicians, and celebrities, who have complete access to confidential and highly valuable information? spear phishing spimming whaling pharming
whaling
A/An ________, which is really a tool for risk management, is a method of identifying vulnerabilities and threats, as well as assessing the possible impacts to determine where to implement security controls. threat mitigation threat analysis impact analysis None of these choices are correct. risk assessment
risk assessment
Which of the following activities is performed by an incident handler during the pre-investigation phase of computer forensics? search and seizure data acquisition risk assessment evidence assessment
risk assessment
Which phase of the risk management process includes a strategical approach to prepare for handling risks and to reduce its impact on organizations? This phase addresses and treats the risk according to its severity level. risk management plan evaluation risk determination risk assessment risk mitigation
risk mitigation
What is the name of the process that converts object data such as "name, age, city, & EmpID" into a linear format such as "Rinni26Nevada"? insecure deserialization deserialization serialization insecure serialization
serialization
Analyzing ________ logs will help the incident handler to determine the applications the suspicious user has accessed and file changes made if any. database All of these choices are correct. server network
server
Will is an attacker who is trying to craft an input string to gain shell access to a web server. What type of command injection attack is Will pursuing? None of these choices are correct. file injection shell injection HTML embedding
shell injection
What is one of the most common mistakes a first responder makes when dealing with a computer crime incident? leaving the computer turned on None of these choices are correct. shutting down the computer collecting data while the computer is running
shutting down the computer
Ping method, DNS method, & promiscuous mode are all considered what type of detection technique? sniffing firewall IDS snort
sniffing
An act of tricking people to reveal sensitive information is involved in which type of reconnaissance technique? ping sweeping social engineering port scanning DNS footprinting
social engineering
Which of the following terms refers to the art of manipulating people into divulging sensitive information or performing some malicious action? pod slurping social engineering privilege escalation tailgating
social engineering
Which of the following sources of evidence helps an incident responder to collect information that guides him or her in building the timeline of attack? job services financial services online location tracking social networks
social networks
When a user deletes mail from folders such as Inbox, Drafts, Sent Items, and Contacts, Outlook moves them into Deleted Items folder. What category of data deletion is this? easy deletion hard deletion soft deletion medium deletion
soft deletion
The first response to an incident may involve one of three different groups of people, each having different tasks based on the circumstances of the incident. Which of the following is NOT one of those groups? system administrator laboratory forensics staff special jurisdiction police non-forensic staff
special jurisdiction police
Which of the following phishing attacks exploits instant-messaging platforms to flood spam across the networks? CEO scam spimming pharming puddle phishing
spimming
File fingerprinting, local and online malware scanning, performing strings search, identifying packing/obfuscation methods, finding the portable executables (PE) information, and identifying file dependencies are all considered what type of malware analysis technique? memory dynamic code static
static
In a cloud, ________ refers to databases holding the data, virtual machines, operating systems, and so on. network file storage server
storage
Which of the following is NOT a common cause for system vulnerabilities? software bugs use of broken algorithms strong passwords complexity of the system
strong passwords
High resource utilization happens when attackers perform malicious attempts such as DoS and DDoS attacks on the networks in order to overwhelm the network resources. Which of the following signs indicates this? database logs showing attempts to access sensitive data unauthorized access attempts to the important files creation of new files or directories with unusual names sudden increase in log messages of the operating system and application
sudden increase in log messages of the operating system and application
From the following scenarios, identify the scenario that indicates "insufficient transport layer protection" under security misconfiguration vulnerability. giving insight into source code such as logic flaws and default accounts input from a client is not validated before being processed by web applications and backend servers supporting weak algorithms and using expired or invalid certificates, which exposes a user's data to untrusted third parties and can lead to account theft manipulation of parameters exchanged between client and server to modify application data
supporting weak algorithms and using expired or invalid certificates, which exposes a user's data to untrusted third parties and can lead to account theft
Which of the following is NOT considered a type of phishing? spear whaling pharming swimming
swimming
Emily notices that her computer performance is slower than usual, she is experiencing random crashes and reboots, and she notices unusual graphic displays. What type of intrusion is Emily experiencing? file systems network None of these choices are correct. system
system
Which of the following Wireshark filters is used to view the packets with FIN, PSH, and URG TCP flags set for detecting Xmas scan attempts? TCP.flags==0x000 tcp.dstport==25 tcp.dstport==7 tcp.flags==0X029
tcp.flags==0X029
Forensic readiness consists of the following two actions that maximize an organization's capability to use digital evidence. fast and analytical None of these choices are correct. major and minor technical and non-technical
technical and non-technical
What does the term "phishing" mean? the flurry of junk mail sent by accident the psychological manipulation attack technique in which an attacker sends an email or provides a link falsely claiming to be from a legitimate site to acquire a user's personal or account information unsolicited or undesired emails used to distribute malicious links and attachments, and cause network congestion the process of repeatedly sending an email message to an address
the psychological manipulation attack technique in which an attacker sends an email or provides a link falsely claiming to be from a legitimate site to acquire a user's personal or account information
Which of the following is NOT a static malware analysis technique? file fingerprinting malware disassembly local and online malware scanning windows services monitoring
windows services monitoring
Access control attacks, integrity attacks, confidentiality attacks, availability attacks, and authentication attacks are all considered ________. DoS incidents inappropriate usage incidents wireless network incidents unauthorized access incidents
wireless network incidents
Which of the following is NOT a challenge in handling and responding to cloud security incidents when specifically discussing logs? timestamp synchronization decentralization of logs evaporation of logs multiple layers and tiers
timestamp synchronization
What is the primary use of an email dossier? to add a digital signature to the outgoing emails for better authentication to check the validity of an email address to make email headers human readable by parsing them according to RFC 822 to prevent email spoofing
to check the validity of an email address
What is the purpose of strings? to communicate information from the program to its user to analyze suspicious files to calculate various hash values to clean out unneeded files and data
to communicate information from the program to its user
What is the primary purpose of PromqryUI? to detect network interfaces that are running in promiscuous mode to monitor the network for strange packets such as packets with spoofed addresses to check if the MAC address of certain machines has changed to send a non-broadcast ARP to all the nodes in the network
to detect network interfaces that are running in promiscuous mode
What is the purpose of Microsoft Baseline Security Analyzer (MBSA)? to generate efficient reports on detected incidents during incident handling and response process to determine their security state in accordance with Microsoft security recommendations to detect and access the malware present in the network and then eliminate it to determine the email origin by matching the domain name for an IP address
to determine their security state in accordance with Microsoft security recommendations
What is the purpose of the CloudPassage quarantine application? to monitor /v1/events endpoint in the Halo API, to look for specific events All of these options are correct. to recover data marked as deleted, as it may get overwritten by another user sharing the same cloud to detect a malicious act by identifying a series of small changes made across many systems and applications
to monitor /v1/events endpoint in the Halo API, to look for specific events
Which of the following is NOT a driving force behind insider attacks? to take revenge to become a future competitor to pass any future exams to steal confidential data
to pass any future exams
What is the purpose of activity monitoring tools? All of these choices are correct. to build custom queries, generate alerts, retrieve data from multiple data sources, and enhance the potential analytical capability to prevent, detect, and respond to various insider threats to record all the user activity on the organizational networks, systems, and other IT resources to scan the network traffic to find exfiltration of sensitive data and alert the administrators
to record all the user activity on the organizational networks, systems, and other IT resources
Classification of incidents is defined based on their severity and potential targets. True False
True
Computer forensic investigators must have knowledge of general computer skills such as hardware, software, OS, applications, etc. True False
True
During the investigation of the crime scene, if the computer is turned off, the data which is not saved can be lost permanently. False True
True
Insider attacks can be detected manually by identifying the behavior of the users. True False
True
Installing IDS, email content filtering software, and security control tools to identify certain types of activities like spam and file sharing are important steps to handle inappropriate incidents. False True
True
Malicious code can cause irreparable harm to important files and records. False True
True
John, a security professional working for Xdoc Corporation, is implementing a security strategy that uses multilayered protection throughout an information system to help minimize any adverse impact from attacks on organizational assets. Identify the security strategy John has implemented. three-way handshake likelihood analysis covert channel defense-in-depth
defense-in-depth
Identify the character set that is used for replacing the suspicious characters to bypass the filtering mechanism in a path traversal attack. ../ / > \..
../
While investigating Microsoft Exchange Server for email crimes, an incident handler should primarily focus on which of the following files? temporary files, .doc files, & pdf files .edb database files, .stm database files, checkpoint files, & temporary files .stm database files, .html files, & .lzh files .jpeg files, checkpoint files, pdf files, & .svg files
.edb database files, .stm database files, checkpoint files, & temporary files
Identify the regular expression that is used for detecting SQL injection attacks on an MS SQL Server. /(\')|(\%27)|(\-\-)|(#)|(\%23)/ix /((\%27)|(\'))union/ix /exec(\s|\+)+(s|x)p\w+/ix /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
/exec(\s|\+)+(s|x)p\w+/ix
What is a main difference between a hybrid cloud and a community cloud? With a community cloud it is more difficult to achieve data compliance. A community cloud is composed of two or more clouds that remain unique entities and a hybrid cloud is only one cloud. A community cloud is a multi-tenant infrastructure shared among organizations versus a hybrid cloud which is composed of two or more clouds. Community clouds are more secure than hybrid clouds.
A community cloud is a multi-tenant infrastructure shared among organizations versus a hybrid cloud which is composed of two or more clouds.
What would be considered an advantage and a disadvantage when comparing a private cloud to a public cloud? A private cloud is less secure but has a greater performance A private cloud is more expensive but is also more secure A private cloud has a lack of control but a greater performance A private cloud has less control over resources but is less expensive
A private cloud is more expensive but is also more secure (C8,P905)
In the DoS containment strategy, at what point will you ask your ISP to implement filtering? After correcting the vulnerability or weakness that is being exploited After relocating the affected target After determining the method of attack After identifying the attackers
After determining the method of attack
Organizations must implement several security controls. Which security control ensures that only selected or eligible employees have access to sensitive data, critical devices, and other necessary resources required to accomplish the assigned tasks? Honeypot Encryption Access Controls Intrusion Detection Systems (IDS)
Access Controls (C2,P209)
A cloud broker is an entity that manages cloud services in terms of use, performance, and delivery, and maintains the relationship between CSPs and cloud consumers. What service is provided by a cloud broker? All of these choices are correct. service aggregation service arbitrage service intermediation
All of these choices are correct.
Determination of risk for a particular threat/vulnerability pair can be expressed as a function of ________. the adequacy of planned or existing security controls for reducing or eliminating risk the impact of a threat-source when it successfully exercises the vulnerability All of these choices are correct. the likelihood of a given threat-source's attempting to exercise a given vulnerability
All of these choices are correct.
Electronic evidence resides in which one of the following locations? All of these choices are correct. backup tapes (system-wide, personal, disaster recovery) other media sources (tape archives, replaced drives, floppy diskettes) data files (workstations, file servers, palmtop)
All of these choices are correct.
First responders must label all the available evidence and create a list with details, including location of the crime, status of the system, and connected network devices. What are some other things first responders should label? All of these choices are correct. PDAs network access storage media
All of these choices are correct.
How does an audit trail and log monitoring help in detecting an insider threat? It enforces account and password policies and procedures AND periodic logging, monitoring, and auditing processes help the organization to identify and investigate suspicious insider actions ONLY. All of these choices are correct. Periodic logging, monitoring, and auditing processes help the organization to identify and investigate suspicious insider actions. It enforces account and password policies and procedures. Audit trails should be configured for network devices, operating systems, commercial software, and custom applications.
All of these choices are correct.
Jocelyn would like to find out more information about the emails she receives at work such as the IP address, the sender's identity, and the mail server. What website could Jocelyn use to help her find this information? Yesware eMailTrackerPro All of these choices are correct. PoliteMail
All of these choices are correct.
Nicho is new at incident handling so he is worried about making a mistake when handling malware because he knows it can cause major damage to the host computer he's working on. What are some steps Nicho could take to handle the malware safely? Use secure channels & secure USB drives for transferring malware files. Zip and password protect the malware files & store the malware files in an isolated storage facility. All of these choices are correct. Exclude the malware file with invalid file extension from the antivirus scan & also exclude the directory where the malware files are stored from the antivirus scans.
All of these choices are correct.
Step 6 of the IH&R process explains that to gather evidence effectively, the organization must perform which of the following? train employees in first responder services enable logging on all network devices and security systems create and implement forensic readiness policy and procedures All of these choices are correct.
All of these choices are correct.
What are the various techniques used to respond to an insider threat? blocking malicious user accounts and physically restricting them from entering access control areas placing malicious users in a quarantine network so that attack cannot be spread All of these choices are correct. preventing malicious users from accessing sensitive information disabling the computer systems from network connection
All of these choices are correct.
What is a common type of identity theft? cloning child All of these choices are correct. synthetic
All of these choices are correct.
What major factors need to be considered while recommending risk controls? All of these choices are correct. effectiveness of recommended options operational impact legislation and regulation organizational policy
All of these choices are correct.
What type of information can be gathered by an attacker from improper error handling? All of these choices are correct. network timeout system call failure database information
All of these choices are correct.
Which of the following MUST be included in the incident recording step? who has reported the incident the date and time the incident happened None of these choices are correct. All of these choices are correct. the date and time at which the incident was detected
All of these choices are correct.
Which of the following are containment strategies to stop unauthorized access? enhance physical security measures All of these choices are correct. disable the user accounts used in the attack isolate affected systems
All of these choices are correct.
Which of the following are examples of Denial-of-Service attacks? flooding the network with illegitimate traffic crashing the OS and applications by sending malformed requests All of these choices are correct. increasing the server load by creating many server requests establishing login sessions simultaneously when the legitimate user logs in
All of these choices are correct.
Which of the following are important elements of any security awareness and training program? measuring the effectiveness of the program and updating it implementation of the program All of these choices are correct. development of the materials designing and planning
All of these choices are correct.
Which of the following are indications for a network-based DoS attack? log entries of the operating system All of these choices are correct. undefined connection losses increase in utilization of the network's bandwidth reports of the users regarding system and service unavailability
All of these choices are correct.
Which of the following are the types of computer security incidents? unauthorized access malicious code attack All of these choices are correct. fraud and theft
All of these choices are correct.
Which of the following help in detecting inappropriate usage incidents? unauthorized service usage access to inappropriate materials All of these choices are correct. attack against external party
All of these choices are correct.
Which of the following is a way an incident handler could potentially eradicate insider threats? All of these choices are correct. data encryption isolate the storage change passwords regularly
All of these choices are correct.
Which of the following is considered a data loss issue? data is erased, modified, or decoupled All of these choices are correct. encryption keys are lost, misplaced, or stolen misuse of data by CSP
All of these choices are correct.
Which of the following are guidelines for detecting and preventing insider threats with respect to administrators and privileged users? Ensure that administrators use a unique account during the installation process. Implement a non-repudiation technique to view all the actions performed by administrators and privileged users. All of these choices are correct. Use encryption methods to prevent administrators and privileged users from accessing backup tapes and sensitive information. Monitor the activities of system administrators and privileged users who have permissions to access sensitive information.
All of these choices are correct.
Which one of the following is a negative impact of an insider attack? website defacement stealing personnel information of clients, other employees, and customers posting confidential information on the public website forwarding a human resource department email that consists of the private information All of these choices are correct.
All of these choices are correct.
Which one of the following is caused by the lack of forensic readiness? system downtime data manipulation, deletion, and theft loss of clients by damaging the organization's reputation All of these choices are correct.
All of these choices are correct.
Volatile data is fragile and lost when the system loses power or the user switches it off. Where can this data be found? Registries Cache RAM All the above
All the above (C3,P358)
Jose is an incident responder who wants to eradicate malware security incidents. What steps should he include? Content Filtering Tools & Network Security Devices Blacklist & Antivirus Manual Scan & Fixing Devices All the above
All the above (C4,P505)
What would be considered a limitation of cloud computing? Security, privacy, and compliance issues Prone to outages and other technical issues Contracts and lock-ins All the above
All the above (C8,P900)
Incident handlers can employ tools such as ________________ to monitor, collect, detect, and analyze different activities of users on the network. User Behavior Analytics (UBA) SIEM DLP Technologies All the above
All the above (C9,P1003)
Titus is an incident responder who wants to gather volatile database information such as users' login sessions and user transactions to find evidence of an attack. What tool could he use to accomplish this task? ApexSQL DBA's ApexSQL audit application Notepad Database Consistency Checker (DBCC) SQL Server Profiler
ApexSQL DBA's ApexSQL audit application
Motive (Goal) + Method + Vulnerability = Attacks Security Policy Defense-in-depth Access Control
Attacks
Which type of malware accesses the victim's computer or a network without the user's knowledge? Trojan Horse Ransomware Rootkit Backdoor
Backdoor (C4,P428)
Which of the following steps do you implement as a part of DoS attack prevention? Disable Intrusion Detection Systems Enable Remote Desktop Connection Install and run packet sniffer on the workstation Block traffic from unassigned IP address ranges
Block traffic from unassigned IP address ranges
What is considered a huge network of compromised systems used by attackers to perform denial-of-service (DoS) attacks? Ransomware Botnet Crypter Spyware
Botnet (C4,P430)
Which of the following is a methodology to create and validate a plan for maintaining continuous business operations before, during, and after incidents and disruptive events? Incident response plan Incident recovery plan Business continuity planning Business impact analysis
Business continuity planning
Which of the following activities identifies the effects of uncontrolled and unspecific events in the business process? Business impact analysis Support plan analysis Temporary plan analysis Threat Analysis
Business impact analysis
What following incident response action focuses on limiting the scope and extent of an incident? Identification Containment Eradication Formulating a response strategy
Containment
Carl is trying to violate the acceptable use of a network and computer use policy. Under which category of the incident handling criteria does this scenario fall? CAT 2 CAT 4 CAT 1 CAT 3
CAT 4
Identify the phishing attack in which an attacker imitates the email writing style and other content to make his or her activities seem legitimate. puddle phishing pharming CEO scam spimming
CEO scam
________ is a portable network analyzer app for both LANs and WLANs, which performs real-time packet capturing, 24/7 network monitoring, advanced protocol analysis, in-depth packet decoding, and automatic expert diagnosis. Caspa AFICK Netwrix Auditor SysAnalyzer
Caspa
Which of the following is a process that ensures systems and major applications adhere to formal and established security requirements that are well documented and authorized? Penetration testing Computer forensics Certification and Accreditation (C&A) Incident handling
Certification and Accreditation (C&A)
What actions must take place in restoring email services after a malware incident? Block the sender and then type in old password Disable scanning of links and attachments Change passwords and enable scanning of links and attachments Disable two-factor authentication
Change passwords and enable scanning of links and attachments (C4,P512)
There are many indications of unauthorized access incidents. Which indication would be applicable if there are suspicious tools or exploits and unpredicted open ports? Physical Intrusion Changes in network Changes in system configuration Changes in administrator settings
Changes in system configuration (C6,P625)
Resource pooling, rapid elasticity, distributed storage, and broad network access are all characteristics of which of the following? One Drives Cloud Computing USB Ports The Internet
Cloud Computing (C8,P898)
________ is the cloud server security platform with all the security functions you need to safely deploy servers in public and hybrid clouds. CloudPassage Halo Tripwire Splunk Light Logic CloudPassage
CloudPassage Halo (C8,P972)
Which of the following refers to the process of identifying, labeling, recording, and acquiring data from all possible sources? Collection Preservation Examination Analysis
Collection
________ is a designated location for conducting computer-based investigations of the collected evidence in order to solve the case and find the culprit. Cloud Computing Lab Computer Forensics Lab (CFL) Crime Scene Investigation Lab There is not actually a designated place as long as you have a secure network.
Computer Forensics Lab (CFL)
The major points in guidelines for detecting and preventing insider threats with respect to network security include: Computer networks should be secured by configuring firewalls and monitoring outbound traffic to HTTP and HTTPS services AND create rules to reduce the outbound transfer of files to an authorized set of users and systems AND prevent file sharing, instant messaging, and other features among employees that allow unauthorized access to corporate networks. Create rules to reduce the outbound transfer of files to an authorized set of users and systems. Prevent file sharing, instant messaging, and other features among employees that allow unauthorized access to corporate networks. Computer networks should be secured by configuring firewalls and monitoring outbound traffic to HTTP and HTTPS services. Computer networks should be secured by configuring firewalls and monitoring outbound traffic to HTTP and HTTPS services AND create rules to reduce the outbound transfer of files to an authorized set of users and systems ONLY.
Computer networks should be secured by configuring firewalls and monitoring outbound traffic to HTTP and HTTPS services AND create rules to reduce the outbound transfer of files to an authorized set of users and systems AND prevent file sharing, instant messaging, and other features among employees that allow unauthorized access to corporate networks.
Which of the following information security elements ensures that the information is accessible only to those who are authorized to have access? availability confidentiality authenticity integrity
Confidentiality
There are four types of Domain Name System (DNS) attacks. Which type involves registering an elapsed domain name? Domain Snipping Domain Hijacking DNS Poisoning Cybersquatting
Domain Snipping (C8,P933)
Which type of Trojan downloads other malware or malicious code and files from the internet onto the PC or device? Dropper Obfuscator Downloader Injector
Downloader (C4,P432)
The ________ is a semi-trusted network zone that separates the untrusted internet from the company's trusted internal network. DMZ ("demilitarized zone") buffer zone CAPTCHA zone hidden field zone
DMZ ("demilitarized zone")
Kevin is an attacker who is exploiting vulnerabilities by performing an XSS attack. What are two types of exploitations that he can perform? Data Theft and Data Manipulation Data Theft and Network Timeout Data Manipulation and Bypassing Access Controls and Network Timeout
Data Theft and Data Manipulation (C7,P763)
What command may give the incident responder valuable insight into what is happening within the server system? This command allows the incident handler to view and retrieve the active transaction log files for a specific database. Uname Database Consistency Checker (DBCC) PsInfo Executed Console
Database Consistency Checker (DBCC) (C9,P1020)
________ is a security strategy in which several protection layers are placed throughout an information system. Non-repudiation Information security Offense-in-depth Defense-in-depth
Defense-in-depth
When discussing common network security incidents, these threats prevent the authorized users from accessing network resources. Unauthorized Access Incidents Inappropriate Usage Incidents Denial-of-Service Incidents Wireless Network Incidents
Denial-of-Service Incidents (C6,P600)
Which one of the following is a guideline for network security measures to prevent an unauthorized access incident? Prepare the appropriate password policy Implement strong authentication for accessing critical resources Design the network in such a way that it blocks the suspicious traffic Create and implement a password policy
Design the network in such a way that it blocks the suspicious traffic (C6,P658)
Crashing a service by interacting with it in an unexpected way and hanging a system by causing it to go into an infinite loop are examples of what? DoS attacks Email attacks IH&R attacks Internet attacks
DoS attacks (C6,P674)
Organizations must be able to handle and respond to various email attacks by developing and implementing a proper incident response plan against the known attacks. This includes email filtering, email monitoring tools, and ________. Developing an acceptable email usage policy Deletion of emails from the folders Changing email template and signature Bouncing back emails
Developing an acceptable email usage policy (C5,P544)
In which attack does an attacker infect multiple systems called "zombies" and use them to attack a particular target? Denial of Service Distributed denial of service Identity Spoofing Man-in-the-Middle
Distributed denial of service
HDBC's online banking website was knocked offline. As a result, customers were unable to log in and make online transactions. After a few hours, the bank authorities identified that a cyber attacker had kept their server busy by establishing simultaneous login sessions, which restricted their customers from logging into the bank website. Identify the attack that the cyber attacker used to take the bank server offline. DoS attack Session Hijacking Man-in-the-Middle Cross-Site-Scripting
DoS attack
Hexagon, a leading IT company in the USA, received a lot of malformed TCP/IP packets, which led to the crashing of the main server's operating system. This rendered the organization's information resources inaccessible to its employees. Which attack did the adversary use in the above situation? DoS attack Session Hijacking Man-in-the-Middle Cross-Site-Scripting
DoS attack
_________ refers to the ability of a single cloud to handle data, accounts, systems, and applications of various organizations. Elasticity Virtualization Legal Requirements Clock Synchronization
Elasticity (C8,P950)
James is a part of an incident response team that wants to ensure proper reaction against any mishap. Being forensically ready will allow him and his team to: Eliminate the threat of repeated incidents Lose clients by damaging the organization's reputation Create system downtime Experience data manipulation and deletion
Eliminate the threat of repeated incidents (C3,P297)
Unavailability of the email server, sudden increase of advertising and spam emails, and change in email template and signature are all indicators of what? Cyberstalking Email Attacks SIGVERIF All the above
Email Attacks (C5,P545)
Which of the following is an investigation platform that collects digital data, performs analysis, reports on findings, and preserves them in a court-validated, forensically sound format? It gives investigators the ability to image a drive and preserve it in a forensic manner using an evidence file format called LEF or E01. None of these choices are correct. The Farmer's Boot CD (FBCD) Helix3 Pro The Coroner's Toolkit (TCT) EnCase Forensic
EnCase Forensic
Removing malware, isolating the critical systems infected with malware, blocking the compromised email accounts, and performing other email security hardening measures are all a part of _____. Detection Recovery Eradication Preparation
Eradication (C5,P574)
Jenny works on an Incident Response team for her organization. After a major incident, she is asked to check and verify as much as possible to get a positive confirmation from each party that, in their opinion, everything is operating normally again. What practice is Jenny taking part in? Final Classification Incident Report Eradication and Recovery Workflow
Eradication and Recovery (C1,P116)
The most common way of networking computers is through a _______. Ethernet USB Port Email Ticketing Tool
Ethernet (C6,P638)
The best way to detect brute force attacks over enterprise networks or applications is to analyze logs in ________ for identifying multiple failed login attempts from the same IP address. Activity Viewer Chrome Event Viewer Safari
Event Viewer
Steve is an incident responder who wants to use an open-source phishing toolkit to help him conduct real-world phishing simulations. What could he use to do this? SPAMfighter Gophish Gpg4win
Gophish
________ is an email service platform by Novell NetWare. It stores the user's messages in almost 25 proprietary databases. GroupWise NovelWise GroupSmart Yesware
GroupWise
Charles is an incident handler who wants to eradicate insecure deserialization attacks. Which measure should he take? Guard sensitive data during deserialization Avoid filtering untrusted serial data Avoid re-architecting his applications Ignore security permissions
Guard sensitive data during deserialization (C7,P863)
Joe is an employee who attacked his company to make a political statement by publicizing the company's sensitive information. What is the driving force behind this insider attack? Hacktivism Corporate Espionage Work-Related Grievance Curiosity
Hacktivism (C9,P985)
Abiding by the law is important while dealing with an incident, since an organization can face legal issues if it does not maintain legality while dealing with security incidents. Sometimes, incident handling also involves investigating the private information of individuals, which hampers their right to privacy. Which legal compliance act protects this type of information? Freedom of Information Act (FOIA) Health Insurance Portability and Accountability Act (HIPAA) Occupational Safety and Health Act (OSHA) Resource Conservation and Recovery Act (RCRA)
Health Insurance Portability and Accountability Act (HIPAA)
Andrea is a first responder, and she wants to use forensics analysis tools to help her with collecting, managing, transferring, and storing the necessary information required during a forensics investigation. Which would be a beneficial tool for her to use? Scriptkid Helix3 NTFS file system MD5 tool
Helix3 (C3,P393)
Denial-of-Service attacks, the presence of harmful viruses, worms, and Trojan horse, or Suspected break-in in any computer of a company are all considered incidents at a _______ Low Level Middle Level High Level None of the above
High Level (C2,P230)
Which of the following reports contains logs, records, documents, and any other information that is found on a system? Incident preparation report Incident response report Host-based evidence report Network-based evidence report
Host-based evidence report
Chris is a forensic expert and was hired by a major financial company for his services supporting computer incidents and crimes. Chris must perform many day-to-day activities as a forensic expert. What duties from the list below are aligned with the role of a forensic expert? I. Uncovering the reason an incident occurred II. Determining the status of the system by analyzing it III. Establishing secure network measures to avoid incidents IV. Preserve, analyze and submit evidence in a court of law I, II, and III II, III, and IV I, II, and IV I, II, III, and IV
I, II, and IV
Identify all reasons below that cause organizations not to report computer crimes to law enforcement. I. Fear of negative publicity II. The organization is unaware of the attack III. The organization has the capability to handle the incident internally IV. Potential loss of customers I, II, III, and IV I and II I, II, and III I, II, and IV
I, II, and IV
In memory dump analysis, which of the following tools is used for disassembling and debugging malware? IDA Pro FLOSS ASPack Hakiri
IDA Pro
Which of the following terms defines the purpose and scope of the planned incident handling and response capabilities? IH&R team models IH&R vision IH&R mission IH&R staffing
IH&R mission
Which of the following statements is NOT true when it comes to Incident handling and response (IH&R)? The IH&R process provides a focused and structured approach for restoring normal business operations as quickly as possible after an incident The decision to establish an IH&R process is affected by inputs, complaints, and queries from all the stakeholders involved in the organization's business processes IH&R processes are the same from organization to organization according to their business and operating environment IH&R processes differ from organization to organization according to their business and operating environment
IH&R processes are the same from organization to organization according to their business and operating environment (C2,P163)
Which of the following terms reflects an organization's mid-term and long-term goals for incident management capabilities? IH&R staffing IH&R vision IH&R mission IH&R team models
IH&R vision
Proxy Servers act as doorways between the user and the web application that are browsed by the user. What are they used to prevent? Cookie/ Session Poisoning Maintain Anonymity IP blocking IP blocking and Maintain Anonymity.
IP blocking and Maintain Anonymity. (C7,P844)
Organizations must secure network communications by implementing Packet Filters, IPsec, Virtual Private Network, and Secure Shell. Which is responsible for authenticating and validating the packets during transmission? Packet Filters IPsec Virtual Private Network Secure Shell
IPsec (C2,P209)
Which standard specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization? ISO/IEC 27001:2013 ISO/IEC 27002 ISO/IEC 27001:2015 None of the Above
ISO/IEC 27001:2013 (C1,P124)
Which phase of incident response involves reporting and assessment, event identity and severity level assignment, and incident task force member selection? Incident Classification Containment Data collection Identification
Identification
What does the character 'x' indicate in the following regular expression? /(\')|(\%27)|(\-\-)|(#)|(\%23)/ix case-insensitive or Ignore white spaces in the pattern. and
Ignore white spaces in the pattern.
Which of the following incidents refers to a user performing actions that violate the acceptable computing use policies? Inappropriate usage incident Unauthorized access incident Multiple Component incident Distributed Denial-of-Service (DDoS) incident
Inappropriate usage incident
________ occurs when a user performs actions that violate the acceptable computing use policies. Unauthorized access Inappropriate usage incident DoS incident Unauthorized access AND inappropriate usage incident All of these choices are correct.
Inappropriate usage incident
Which of the following personnel in incident response team focuses on the incident and handles it from a management and technical point of view? Incident Manager (IM) Incident Coordinator (IC) Incident Analyst (IA) Technical Expert
Incident Manager (IM)
Which of the following activities involves all of the processes, logistics, communications, coordination, and planning to respond to and overcome an incident efficiently? Incident investigation Incident recovery Incident handling Incident reporting
Incident handling
________ is a process of accurately storing the details of the occurrence of an incident. Incident recording Incident handling Data collection Incident documentation
Incident recording
What is the process of rebuilding and restoring computer systems affected by an incident to the normal operational stage? Incident reporting Incident handling Incident recovery Incident preparation
Incident recovery
Which of the following is defined as an organized approach to address and manage the aftermath of a security breach or attack? Threat Risk assessment Vulnerability assessment Incident response
Incident response
This cloud computing service enables subscribers to use on demand fundamental IT resources such as computing power, virtualization, data storage, network, and so on. Some of the advantages from this service include global accessibility, policy-based services, and guaranteed uptime. Infrastructure-as-a-Service (IaaS) Platform-as-a-Service (PaaS) Software-as-a-Service (SaaS) None of the above
Infrastructure-as-a-Service (IaaS) (C8,P900)
Which of the following types of risk is defined by the formula (Threats x Vulnerability)? Residual risk Qualitative risk Inherent risk Quantitative risk
Inherent risk
Megan is a disgruntled employee who wants to take her company's secrets and send the data to competitors by using steganography. Which type of attack would she be committing? SQL injection DoS Attack Insider Attack Employee Attack
Insider Attack (C9,P982)
ObserveIT, Ekran System, and DataRobot are all important tools that detect ______. Outsider Threats Data Breaches Insider Threats Cybersquatting
Insider Threats (C9,P1024)
Which of the following is a preparation step for a cloud service provider (CSP)? Clearly mention the privileges of employees accessing the cloud. Mention to the CSP the critical services and applications that need the most attention in order to have a priority list for containment and recovery. Audit and prepare a list of all the systems and accounts that have access to the cloud. Install database activity monitoring (DAM), data leak prevention (DLP), log analysis, and SIEM tools to simplify detection of incidents.
Install database activity monitoring (DAM), data leak prevention (DLP), log analysis, and SIEM tools to simplify detection of incidents.
When discussing insider threat prevention tools, what ability do Security Incident and Event Management (SIEM) solutions provide? the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services the ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs It draws patterns that provide an ability to make knowledgeable decisions for the preparedness, prevention, and response actions against various cyberattacks. the ability to build custom queries, generate alerts, retrieve data from multiple data sources, and enhance the potential analytical capability to prevent, detect, and respond to various insider threats
It draws patterns that provide an ability to make knowledgeable decisions for the preparedness, prevention, and response actions against various cyberattacks.
Which of the following is NOT true about incident handling? It saves time, investment, and effort. NEITHER it saves time, investment, and effort NOR it has no value when it comes to saving the organization from legal consequences ARE TRUE. It equips the organization with the procedures that can be followed in case of an incident. It has no value when it comes to saving the organization from legal consequences. It helps to determine the patterns in incidents, to handle them more efficiently.
It has no value when it comes to saving the organization from legal consequences.
Terry is managing a web server that runs a PHP-based web service. An incident was reported to Terry where users were not able to access the service. During the investigation, he discovered that the web server was live and there were no alerts from the anti-malware system. However, in the Task Manager, he discovered a large number of php-cgi processes that were consuming up to ninety-nine percent of the CPU. What can Terry infer from the above observation? It indicates a DoS attack It indicates an unauthorized access attack It indicates a Trojan attack It indicates a php-cgi injection attack
It indicates a DoS attack
Which of the following is NOT an advantage of an Incident Response Orchestration? It includes automated alarms that detect the incident and alert the response personnel with details It allows responders to remotely assess the incident analysis results and manage the actions It allows responders to configure different solutions to interact and streamline incident response action It provides attackers more time to contain information
It provides attackers more time to contain information (C1,P111)
________ is a PC system utility software that works by cleaning out unneeded files and data, cleaning the Windows registry, automatically fixing system errors, and applying optimizations to your system. p- Protocol TCPView Jv16 Power Tools Process Monitor
Jv16 Power Tools
Flora is an incident handler at an organization that is implementing forensic readiness procedures to handle evolving cyber threats. As part of this process, she decided to use an advanced authentication protocol to secure the organizational network resources. Which of the following protocols must Flora employ? FTP/HTTP ICMP/UDP Kerberos/IPSec TCP/IP
Kerberos/IPSec
Which of the following is NOT considered one of the best practices recommended to avoid insider threats? Monitor employee behaviors and the computer systems used by employees Implement secure backup and disaster recovery processes for business continuity Disable remote access and screen sharing activities for all the users Leave business details over voice mail or email broadcast message
Leave business details over voice mail or email broadcast message (C9,P1044)
The first responder needs to prepare and check several prerequisites, such as the availability of tools, reporting requirements, and ______, in order to conduct a successful investigation. Legal clearances Availability of internet Time and date Registries
Legal clearances (C3,P398)
What is a common technique that incident responders can use to secure the confidential data of a company from spies and eradicate different insider threats? Store passwords in a folder Limiting and controlling access Only encrypting data that's in use Store sensitive data on a networked computer
Limiting and controlling access (C9,P1029)
The NERC 1300 Cyber Security standard stands for what? North American Electric Reliability Corporation National Electric Regulations for Cybersecurity National Energy Regulatory Consortium National European Response Consortium
North American Electric Reliability Corporation (C1,P134)
What tool is used by incident handlers to detect data exfiltration attacks performed by insiders? Microsoft Baseline Security Telnet Connection Nuix Adaptive Security Wireshark
Nuix Adaptive Security
Recovery, Process Review and Practice are all part of which Incident Management guidelines? OWCIA OWASSP ENISA OWASP
OWASP (C1,P113)
________ is an international organization that provides top 10 vulnerabilities and flaws of web applications. OWASP ROYGBIV NRPNC SIGVERIF
OWASP (C7,P741)
What is the name of the tool that is an insider threat management solution that provides organizations with "eyes on the endpoint" and the ability to continuously monitor user behavior? DataRobot ObserveIT Ekran System KeepNote
ObserveIT
What is another name for Cross-Site Request Forgery (CSRF)? Zero-click Attack One-click Attack Two-click Attack Three-click Attack
One-click Attack (C7,P781)
Riya received the following email: Dear user, Due to an unexpected software glitch, we have lost all our customer details and left with only email IDs. In order to continue our services, we request you provide your username and password in the below fields and revert back. If not, your balance amount will be lost and account will be deleted permanently. Username: _____________ Password: ______________ Click reply and send. Note: Please Forward this mail to all the HDBC users you know. Sorry for the inconvenience. Thank you for your cooperation HDBC Bank Admin Copyright © 2017 Service Providers administrator All rights reserved. After seeing the message, Riya got startled and immediately responded to the sender with her username and password. Later she discovered that her account had been hacked. Which trick did the attacker use to trap Riya? Phishing technique Sniffing technique Pharming technique Keylogger technique
Phishing technique
Netcraft and PhishTank are tools for detecting _____ & _____? Bombing/Phishing Spam/Storming Phishing/Spam Storming/Bombing
Phishing/Spam (C5,P549)
Permanent DoS, also known as ________, refers to attacks that cause irreversible damage to system hardware. Bricking Sabotages Phlashing Fraudulent hardware updates
Phlashing (C6,P678)
Insecure Coding, Configuration Errors, Platform Vulnerabilities, and Logic Errors are all causes of what? Phlashing Port Scanning Computer Incidents Web Incidents
Phlashing (C7,P738)
Which category of unauthorized access is associated with changes in system status? Physical Intruder Unauthorized Data Access Unauthorized Usage of Standard User Account Unauthorized Data Modification
Physical Intruder
User reports regarding network or system unavailability, System status changes, Misplaced hardware parts, and Unauthorized hardware found are all indications of _____. Physical Intrusion Unauthorized Data Modification Changes in Network Resource High Utilization
Physical Intrusion (C6,P626)
Which of the following policies controls access to facilities and computers? Information Security Policy Personnel Security Policy Physical Security Policy Evidence Collection Policy
Physical Security Policy
A ______ is a basic network scanning technique that is employed to determine which range of IP addresses map to live hosts (computers). Ping Sweeping Port Scanning DNS Footprinting Social Engineering
Ping Sweeping (C6,P630)
Which of the following techniques do you implement to respond to an insider attack? Place all the users in a quarantine network Place malicious users in a quarantine network Allow malicious users to access sensitive information Leave the insider's computer open in the network
Place malicious users in a quarantine network
Which one of the following is the correct flow of stages during incident response? Preparation -> Identification -> Containment -> Eradication -> Recovery -> Follow-up Identification -> Preparation -> Containment -> Recovery -> Follow-up -> Eradication Containment -> Identification -> Preparation -> Recovery -> Follow-up -> Eradication Eradication -> Containment -> Identification -> Preparation -> Recovery -> Follow-up
Preparation -> Identification -> Containment -> Eradication -> Recovery -> Follow-up
The _____ ensure that the evidence is stored, examined, and preserved in a way that protects the reliability and correctness of the evidence. Principles of anti-forensic techniques Principles of digital evidence collection Principles of computer forensics Principles of NERC 1300 Cyber Security
Principles of digital evidence collection (C3,P331)
How will you define quantitative risk analysis? Probability of loss X value of loss Value of loss/ Probability of loss Probability of loss + value of loss Probability of loss - value of loss
Probability of loss X value of loss
Which of the following would be considered a harmful insider who uses their technical knowledge to identify the weaknesses and vulnerabilities of the company's network and sell the confidential information to the competitors or black-market bidders? Malicious Negligent Professional Compromised
Professional (C9,P983)
IH&R mission statements define the ____ and _____ of the planned incident handling and response capabilities. Purpose and Scope Time and Date Scope and Policies Ethics and Purpose
Purpose and Scope (C2,P173)
Which is NOT a tool used to calculate the hash value? HashCalc MD5 Calculator R-Drive Image HashMyFiles
R-Drive Image (C3,P360)
Which of the following CSIRT services include alerts and warnings, incident handling, vulnerability handling, and artifact handling activities? Reactive Services Proactive Services Security Quality Management Services Vulnerability Management Services
Reactive Services
Which of the following elements of an email header shows a detailed log of a message's history, such as the origin of an email and information on forgeries? Received X-Mailer Subject Message-Id
Received
When it comes to email incidents, changing passwords, informing banks, contacting law enforcement, and making an insurance claim are all a part of which step? Recovery Detection Preparation Eradication
Recovery (C5,P583)
What is a residual risk? Risk remaining after implementation of all the possible controls Risk caused due to a threat exercising vulnerability Risk resolved with the implementation of possible controls Risk within the acceptable level of threshold
Risk remaining after implementation of all the possible controls
Which of the following strategies focuses on minimizing the probability of risks and losses by searching vulnerabilities in the system and appropriate controls? Risk planning Research and acknowledgment Risk avoidance Risk limitation
Research and acknowledgment
Identity theft occurs when someone uses your personal information in a malicious way. What is the best way to avoid identity theft from happening? Keep all personal documents on your computer Only give away personal information on the phone Review your credit card reports regularly Never empty your mailbox
Review your credit card reports regularly (C5,P580)
________ is the probability of a threat agent exploiting a vulnerability and the associated impact. (Note: Remember that a threat agent is defined as an entity that can exploit a vulnerability, and vulnerability is defined as a weakness or a lack of countermeasures.) Risk policy Attack Risk Incident
Risk
Which of the following determines the level of risk and the resulting security requirements for each system? Risk assessment Contingency planning Risk mitigation Residual risk
Risk assessment
Which of the following risk mitigation strategies makes an organization absorb minor risks while preparing to respond to major ones? Risk avoidance Risk limitation Risk assumption Risk planning
Risk assumption
Jennifer wants to be able to detect and remove generic malware and advanced threats like rootkits, rogues, and worms. She also wants to be able to detect PUPs and PUMs. What could Jennifer use to help her? VirusTotal RogueKiller Wireshark CapLoader
RogueKiller
Roy is a software employee working at Nexawave, a leading IT firm. One day Roy downloaded a few files from the internet and referred to them within a current project. While developing the project document, Roy observed that his MS Word application started crashing frequently. What could be the reason for the above situation? Roy's system has been infected by boot-record infectors Roy's system has been infected by a Macro virus Roy's system has been infected by a Micro virus Roy's system has been infected through phishing
Roy's system has been infected by a Macro virus
________ is a tool built into Windows 10/8/7 that searches for unsigned drivers on a system. ROYGBIV CRYPTER NERC SIGVERIF
SIGVERIF (C4,P472)
What is a spam filter tool that can be used to automatically remove spam and phishing emails from an inbox? Gpg4win SPAMfighter Ekran System ObserveIT
SPAMfighter
Limiting the length of user input, using custom error messages, and disabling commands like xp_cmdshell are all different ways to eradicate _______. DoS attacks Webservice Attacks SQL Injection Attacks Cookie Attacks
SQL Injection Attacks (C7,P851)
When building a testbed there are some tools required for testing. Which one of the following choices represents an important tool for testing? Adobe Creative Cloud Content Filtering Spyware Sandbox
Sandbox (C4,P422)
Instant messenger applications, network propagation, email attachments, and decoy applications are all common ways attackers can _____? Send malware into a system Let the user know they are attacking Malvertise Recover files
Send malware into a system (C4,P434)
________ is an email validation protocol used by domain owners for preventing spoofing of emails. MxToolbox NetCraft email dossier Sender Policy Framework
Sender Policy Framework
Which of the following statements defines a risk policy? Estimating the damage caused due to the occurrence of a disaster Finding the level of the risk Set of ideas implemented to overcome risks Defined probability of the occurrence of an incident
Set of ideas implemented to overcome risks
Accurately detecting and assessing incidents is the most challenging and essential part of... Cost of an Incident Intangible Cost Tangible Cost Signs of an Incident
Signs of an Incident (C1,P34)
Which of the following is a technical threat? Incorrect data entry Shoulder surfing Sniffing and scanning of the network traffic Password guessing
Sniffing and scanning of the network traffic
Incident response procedures, also referred to as ___________, provide detailed processes to implement the guidelines defined by the IH&R plan and policy. Current security procedures (CSPs) Implemented data policies (IDPs) Developed automated procedures (DAPs) Standard operating procedures (SOPs)
Standard operating procedures (SOPs) (C2,P179)
Documentation, impact assessment, and incident disclosure are all part of which step? Step 7: eradication Step 6: evidence gathering Step 9: post-incident activities Step 8: recovery
Step 9: post-incident activities
There are various threats to be aware of when dealing with cloud computing. Which type of threat arises because of incomplete and non-transparent terms of use, hidden dependency created by cross-cloud applications, inappropriate CSP selection, and lack of supplier redundancy? Data Breach Insecure Interfaces Supply Chain Failure Isolation Failure
Supply Chain Failure (C8,P929)
________ is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing. Suricata engine Snort Gophish Ntopng
Suricata engine
In which Risk Assessment Methodology step do you identify the boundaries of the IT system and characterize it in order to establish the scope of the risk assessment effort? Threats Identification Threat Characterization System Identification System Characterization
System Characterization
Which of the following is NOT an Information Security Threat Category? Host Threats System Threats Network Threats Application Threats
System Threats (C1,P22)
Which of the following is an appropriate process flow of incident recovery steps? System restoration -> System validation -> System operations -> System monitoring System operations -> System restoration -> System validation -> System monitoring System validation -> System operations -> System monitoring -> System restoration System operations -> System validation -> System monitoring -> System restoration
System restoration -> System validation -> System operations -> System monitoring
Antivirus and antispyware software can identify the infected files but some of the infected files cannot be recovered. True False
True
From the following, identify the Wireshark filter that is used to view the packets moving without a flag set while performing the null scan attempts. tcp.flags==0X029 TCP.flags==0x000 tcp.dstport==7 tcp.dstport==25
TCP.flags==0x000
Loss of productive hours, loss of business, and loss or theft of resources are considered... Business Costs Intangible Costs Tangible Costs Hardware Costs
Tangible Costs (C1,P37)
Rob, an incident manager, was informed about an incident where a suspicious application was found residing in the active memory of multiple systems on a network. Upon investigating, he learned that the application was self-replicating and degrading the systems' performance, but it did not affect the files on those systems. What application is this? The application is a Worm The application is a Virus The application is a Trojan The application is a Backdoor
The application is a Worm
What does the neutral result on the Domain Keys Identified Mail (DKIM) protocol indicate? The email is signed, and some part of signature is not acceptable by administrative management domains (ADMD). The email is signed and the signature passes the verification tests. The email is signed, but the signature has syntax errors, so it cannot be processed. The email is signed and the signature does not pass the verification tests.
The email is signed, but the signature has syntax errors, so it cannot be processed.
Which is an important guideline for building an investigation team? To avoid asking help from external investigation teams To avoid adding IT professionals To create a large team To appoint a person as a technical lead among the team members
To appoint a person as a technical lead among the team members (C3,P303)
What is the purpose of proactive services offered by a CERT? To find the cost of fixing a problem To develop the infrastructure and security processes To provide services to the constituency None of the above
To develop the infrastructure and security processes
John prefers using tools such as Mirekusoft and SysAnalyzer to help him at work. What is the primary use of these tools? To monitor his employees' screens To monitor installation of malicious executables To monitor Botnet's None of the above
To monitor installation of malicious executables (C4,P467)
Chad is an incident responder who wants to monitor user and network activities, changes in files, and registry entries. What tool should he use to accomplish these tasks? OSSIM Splunk Light Tripwire MBSA
Tripwire (C8,P963)
Which type of Malware is used to trick the victim into performing predefined action? Trojan Horse Ransomware Rootkit Backdoor
Trojan Horse (C4,P428)
A computer worm is a self-replicating computer program that spreads automatically by infecting one system after another in a network, and even spreads further to other networks. False True
True
What is file fingerprinting? a process of computing the hash value for a given binary code to identify and track data across a network the process of superseding the manual IR actions with automatic IR actions using machines and tools a process flow of evidence gathering and forensics analysis, concepts of evidence gathering and forensics analysis, and evidence handling All of these choices are correct.
a process of computing the hash value for a given binary code to identify and track data across a network
When an employee is terminated, the organization should disable all his or her ________ to the company's physical locations, networks, systems, applications, and data. security awareness program access rights All of these choices are correct. human resources backup
access rights
Which of the following are examples of insider threats? an employee stealing sensitive information and modifying or utilizing it for personal gain AND stealing trade secrets or client information and selling it to other firms for business advantage AND performing technical crimes that disrupt the organization's data, systems, or network stealing trade secrets or client information and selling it to other firms for business advantage employees showing up late to work an employee stealing sensitive information and modifying or utilizing it for personal gain performing technical crimes that disrupt the organization's data, systems, or network
an employee stealing sensitive information and modifying or utilizing it for personal gain AND stealing trade secrets or client information and selling it to other firms for business advantage AND performing technical crimes that disrupt the organization's data, systems, or network
Which is the definition of digital evidence? any information of probative value that is either stored or transmitted in a digital form evidence that is real and related to the incident in a proper way evidence that is clear and understandable by judges information that does not cast doubt on the authenticity of evidence
any information of probative value that is either stored or transmitted in a digital form
Which of the following commands helps in finding the manipulated system functions while performing memory dump analysis using Volatility Framework? filescan idt apihooks threads
apihooks
Jeff is experiencing a loss of services when trying to use his email and network resources because an attacker is exploiting weaknesses in the programming source code. What type of DoS attack is Jeff experiencing? protocol volumetric permanent application layer
application layer
David is an incident handler and wants to determine the email origin by matching the domain name for an IP address. Which website would he use? arin.net toolbar.netcraft.com hg.org phishtank.com
arin.net (C5,P562)
Which of the following Wireshark filters is used to locate duplicate IP address traffic? tcp.duplicate-traffic-detected tcp.duplicate-address-detected arp.duplicate-address-detected arp.duplicate-traffic-detected
arp.duplicate-address-detected
Which of the following is NOT an indicator of cloud security incidents? creation of new accounts or duplication of the existing ones authorized privilege escalation inability to log into the account increase/decrease of used cloud space
authorized privilege escalation
James is a part of the IH&R team who is currently in the process of collecting evidence. What should he avoid in this process? All of these choices are correct. avoid collecting volatile data while the computer is running avoid affecting the integrity of the evidence avoid extraction of static evidence
avoid affecting the integrity of the evidence
What is another name for live system / dynamic analysis? descriptive analysis predictive analysis behavioral analysis static analysis
behavioral analysis
In eradicating malware incidents, what is the name of the method used to block the harmful URLs, IP addresses, and email IDs that have acted as a source for spreading malware? updating the malware database fixing devices manual scan blacklist
blacklist
In this structure, a single team handles all the incident response functions of a small organization. It is most effective for quickly responding to incidents. This structure is best suited for organizations operating from a single location. distributed incident response team operational teams centralized incident response team coordination teams
centralized incident response team
Which of the following terms refers to a legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory? forensic policy forensic readiness plan promiscuous policy chain of custody
chain of custody
The web application architecture comprises three layers: client, business, & database insecure, configuration, & logic graduated, stacked, & wedge platform, business, & logic
client, business, & database
According to the NIST cloud deployment reference architecture, which of the following acts as an intermediary for providing connectivity and transport services between cloud consumers and providers? cloud broker cloud carrier cloud provider cloud auditor
cloud carrier
PKI: Public Key Infrastructure, SDL: Security Development Lifecycle, WAF: Web Application Firewall, FW: Firewall, RTG: Real Traffic Grabber, IAM: Identity and Access Management, & ENC: Encryption are all considered what? Windows controls identification controls server controls cloud security controls
cloud security controls
What type of injection flaw involves the injection of malicious code through a web application? command injection LDAP injection All of these choices are correct. SQL injection
command injection
A forensics investigator is able to show that an attacker was logged into a system at the time of a cyber-crime incident. He also has information of who else was logged into the system at the time of the incident and is able to prove the attacker's actions. What is the characteristic of the digital evidence he is presenting? reliable complete admissible authentic believable
complete
What is a disadvantage of using a Platform-as-a-Service (PaaS)? All of these choices are correct. scalability prebuilt business functionality data privacy
data privacy
Accurately ________ and ________ incidents are the most challenging and essential parts of the incident response process. transferring/analyzing detecting/assessing mitigating / analyzing AND transferring / analyzing are correct. All of these choices are correct. mitigating/analyzing
detecting/assessing
Riane's company recently had an incident that compromised critical files and sensitive information. As part of the IH&R team, what are the next steps Riane should do? shut down the system disconnect the network continue the operations to contain the attack disconnect the network and shut down the system
disconnect the network and shut down the system
What is NOT considered a part of the investigation stage? collect the evidence documenting and reporting search and seizure data acquisition
documenting and reporting
Jamie is an incident responder who wants to see a list of recently executed commands performed by a remote or local user within an established command shell or terminal. What command should Jamie use? continents.txt doskey/history ~/.bash_profile $ cd Desktop/
doskey/history
Which of the following malware distribution techniques involves exploiting flaws in browser software to install malware just by visiting a webpage? compromised legitimate websites drive-by downloads spear-phishing sites social engineered click-jacking
drive-by downloads
Port monitoring, process monitoring, registry monitoring, Windows services monitoring, startup programs monitoring, event logs monitoring/analysis, installation monitoring, and files & folder monitoring are all considered what type of malware analysis technique? memory static code dynamic
dynamic
Identify an insider attack where a person surreptitiously overhears confidential conversations at boardrooms, meeting halls, and corridors. shoulder surfing eavesdropping impersonation pod slurping
eavesdropping
Yolanda is currently in the process of getting rid of the compromised cloud networks and applications that can represent attacks or malfunctioning in the networks, servers, systems, and applications related to the cloud. What is the name of this process? analyzation detection eradication interaction
eradication
Which one of the following is NOT a recommendation to handle malicious code incidents? using antivirus software studying antivirus bulletins establishing malicious code security policy installing network based IDS on critical hosts users must be aware of the malicious code issues
installing network based IDS on critical hosts
Which of the following cloud computing threats refers to the ignorance of the CSP's cloud environment and poses risks in operational responsibilities such as security, encryption, and architectural issues? data breach/loss abuse and nefarious use of cloud services insufficient due diligence unsynchronized system clocks
insufficient due diligence
The scenario where the detection software either does not record the malicious event or ignores the important details about the event is referred to as ________. cross-site scripting (XSS) attacks using components with known vulnerabilities insufficient logging and monitoring insecure deserialization
insufficient logging and monitoring
Which type of security misconfiguration vulnerability supports weak algorithms and uses expired or invalid certificates, exposing users' data to untrusted third parties? parameter / form tampering improper error handling unvalidated inputs insufficient transport layer protection
insufficient transport layer protection
Identify the information security element that determines the trustworthiness of data or resources in terms of preventing improper and unauthorized changes. integrity authenticity non-repudiation availability
integrity
Which element of information security includes the trustworthiness of data or resources in terms of preventing improper and unauthorized changes? confidentiality availability integrity authenticity
integrity
Which type of analysis involves analyzing the logs and alerts of intrusion detection systems, SIEMs, and firewalls for the detection of malware? intrusion analysis memory dump / static analysis All of these choices are correct. live system / dynamic analysis
intrusion analysis
James, an incident responder at Trinity Inc., is investigating a cybercrime. In the process, he collected the evidence data from the victim systems and started analyzing the collected data. Identify the computer forensics investigation phase James is currently in. post-investigation phase pre-investigation phase investigation phase risk assessment phase
investigation phase
Which of the following phases of the computer forensics investigation process involves acquisition, preservation, and analysis of evidentiary data to identify the source of a crime and the culprit behind it? post-investigation phase pre-investigation phase vulnerability assessment phase investigation phase
investigation phase
Report writing tools help incident handlers to generate efficient reports on detected incidents during the incident handling and response process. Which of the following websites is considered a note taking application that works on Windows, Linux, and MacOS X? arin.net keepnote.org toolbar.netcraft.com notekeepers.net
keepnote.org (C2,P268)
Jane is an incident responder who wants to detect and access the malware present in the network and then eliminate it. Which website could she use to view logs in real time and identify malware propagation? arin.net kiwisyslog.com applelog.com logviewer.net
kiwisyslog.com (C6,P666)
Which of the following is NOT included in the structure of an incident response team? coordinating team law enforcement team distributed incident response team None of these choices are correct. central response team
law enforcement team
Which of the following characteristics of cloud computing is employed by the cloud systems and works on a "pay-per-use" metering method? measured service rapid elasticity on-demand self-service resource pooling
measured service
There are four types of insider threats. Which type refers to people who are uneducated on potential security threats? professional negligent compromised malicious
negligent
Which of the following cloud security incidents deals with suspicious IP addresses, MAC addresses, user accounts, systems, applications, services, and other attack vectors? network related incidents servers related incidents virtualization related incidents storage related incidents
network related incidents
Spoofing, session hijacking, DoS attacks, firewall and IDS attacks are all considered what type of information security threat? host threat network threat system threat application threat
network threat
There are several different phases of IH&R. In the ________ phase, the incident information will be informed to various stakeholders, including management, third-party vendors, and clients. forensic analysis notification incident triage containment
notification
Which of the following backup strategies provides daily status of the backup situation, such as successful, unsuccessful, not run, out of space, etc.? guarantee notifications security data availability
notifications
Applications such as Tcpdump and Cain & Abel are used to intercept and log traffic passing through a network. What type of applications are they? network traffic log analysis packet sniffer host analysis
packet sniffer
Non-volatile evidence refers to the ________ data stored on secondary storage devices, such as hard disks and memory cards. temporary dark permanent open
permanent
Anna created her company's security policy to accept the majority of internet traffic, excluding several known dangerous services and attacks. Which type of security policy did Anna put into place? prudent policy promiscuous policy paranoid policy permissive policy
permissive policy
Which of the following phishing attacks is also known as "phishing without a lure"? spear phishing pharming spimming whaling
pharming
Dwayne wants to acquire account information from a competitor company, so he sends an illegitimate email to the payroll specialist claiming to be the CEO. What type of security attack would this be? ransomware phishing web application threats IoT threats
phishing
Which of the following is not a Denial-of-Service response strategy? physical security shutting down services absorbing the attack degrading services AND physical security degrading services
physical security
Which of the following terms is considered as a process of scanning an IP range to detect live hosts? DNS footprinting port scanning ping sweeping social engineering
ping sweeping
David wants to steal sensitive data from his current company so he has copied software tools on the storage devices so that it will automatically run when connected to a device. What type of insider attack has David committed? pod slurping tailgating planting keyloggers privilege escalation
pod slurping
Which of the following is NOT a common symptom of an information system security incident? modified files or folders number of packets received are more than expected ports that are closed or filtered the IDS generates an alarm suspicious log entries
ports that are closed or filtered
Julie is a computer forensic investigator and she is currently setting up a computer forensics lab, building a forensics workstation, investigation toolkit, the investigation team, and getting approval from the relevant authority. Which phase in the investigation process is Julie working through? investigation pre-investigation post-investigation None of these choices are correct.
pre-investigation
Which of the following is an advantage of the Platform-as-a-Service (PaaS)? vendor lock-in prebuilt business functionality integration with the rest of the system applications data privacy
prebuilt business functionality