Operation and Incident Response Flashcards

1
Q

Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6.

A. Denial of Service attack targeting 10.10.3.6.
B. Port Scanning targeting 10.10.3.2
C. Port Scanning targeting 10.10.3.6.
D. Fragmentation Attack targeting 10.10.3.6.

A

C. Port Scanning targeting 10.10.3.6.

OBJ-4.1: Port scanning is the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The scan source is 10.10.3.2, and the destination of the scan is 10.10.3.6, making “Port scanning targeting 10.10.3.6” the correct choice. IP fragmentation attacks are a common form of denial-of-service attack, in which the perpetrator overwhelms a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor’s actions.

2
Q

Dion Training has just suffered a website defacement of its public-facing webserver. The CEO believes the company’s biggest competitor may have done this act of vandalism. The decision has been made to contact law enforcement so that evidence can be collected properly for use in a potential court case. Laura is a digital forensics investigator assigned to collect the evidence. She creates a bit-by-bit disk image of the web server’s hard drive as part of her evidence collection. What technology should Laura use after creating the disk image to verify the copy’s data integrity matches that of the original web server’s hard disk?

A. RSA
B. SHA-256
C. AES
D. 3DES

A

B. SHA-256

3
Q

(Sample Simulation – On the real exam for this type of question, you would have access to the log files to determine which server on a network might have been affected, and then choose the appropriate actions.) A cybersecurity analyst has determined that an attack has occurred against your company’s network. Fortunately, your company uses a good logging system with a centralized Syslog server, so all the logs are available, collected, and stored properly. According to the cybersecurity analyst, the logs indicate that the database server was the only company server on the network that appears to have been attacked. The network is a critical production network for your organization. Therefore, you have been asked to choose the LEAST disruptive actions on the network while performing the appropriate incident response actions. Which actions do you recommend as part of the response efforts?

A. Isolate infected server
B. Conduct a system server
C. Capture Network Traffic
D. Immediately remove service

A

C. Capture Network Traffic

4
Q

A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized?

A. Document Matching
B. Exact Data Matching
C. Statistical Matching
D. Classification

A

B. Exact Data Matching

5
Q

You are notified by an external organization that an IP address associated with your company’s email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals the email account used was Connor from the sales department and that Connor’s email account was only used from one workstation. You analyze Connor’s workstation and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario?

A. Isolate the network
B. Unplug the workstation
C. Request disciplinary action
D. Isolate workstation computer

A

D. Isolate workstation computer

6
Q

A user reports that every time they try to access https://www.diontraining.com, they receive an error stating “Invalid or Expired Security Certificate.” The technician attempts to connect to the same site from other computers on the network, and no errors or issues are observed. Which of the following settings needs to be changed on the user’s workstation to fix the “Invalid or Expired Security Certificate” error?

A. User Access Control
B. Date and Time
C. UEFI Boot Mode
D. Logon Time

A

B. Date and Time

7
Q

Which analysis framework provides a graphical depiction of the attacker’s approach relative to a kill chain?

A. Lockheed Martin Cyber Kill Chain
B. MITRE ATT&CK Framework
C. OpenIOC
D. Diamond Model of Intrusion Analysis

A

D. Diamond Model of Intrusion Analysis

8
Q

An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker located several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use?

A. Nmap
B. Nessus
C. Netcat
D. Cain and Abel

A

D. Cain and Abel

9
Q

After reviewing the packet above, you discovered there is an unauthorized service running on the host. Which of the following ACL entries should be implemented to prevent further access to the unauthorized service while maintaining full access to the approved services running on this host?

A. Deny IP host 86.18.10.3 EQ 3389
B. Deny TCP any host 71.168.10.45 EQ 3389
C. Deny TCP any host 86.18.10.3 EQ 25
D. Deny IP host 71.168.10.45 EQ 25

A

B. Deny TCP any host 71.168.10.45 EQ 3389

OBJ-4.4: Since the question asks you to prevent access to the unauthorized service, we need to block port 3389 from accepting connections on 71.168.10.45 (the host). This entry denies ANY source from connecting to the host over TCP port 3389, the unauthorized Remote Desktop Protocol service, while leaving the approved services untouched. Two practical caveats: an extended ACL ends with an implicit deny, so this entry must be followed by a permit for the approved services or everything else to the host is blocked as well; and the options written as “Deny IP … EQ <port>” are not valid entries, because a port match (EQ) is only accepted on a TCP or UDP entry.
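To make the ACL reasoning in card 9 concrete, here is an added example (not from the flashcard deck or the exam) of a small Cisco-style extended ACL evaluator. It supports only the syntax the four options use (permit/deny, ip/tcp/udp/icmp, any, host, eq) and applies first-match-wins with the implicit deny at the end. The packets and the second line (permit ip any any) are constructed for the demonstration; the host address 71.168.10.45 and the port numbers are the card's.

```python
"""Cisco-style extended ACL evaluator, limited to the syntax used in card 9 (added example)."""
import ipaddress


class AclSyntaxError(ValueError):
    """An entry a router would reject (e.g. 'eq <port>' on an 'ip' entry)."""


def parse_ace(text):
    """Parse 'permit|deny <proto> <src> [eq N] <dst> [eq N]' where an address is
    'any' or 'host A.B.C.D'. Wildcard masks and gt/lt/range are out of scope here."""
    t = text.lower().split()
    if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] not in ("ip", "tcp", "udp", "icmp"):
        raise AclSyntaxError(text)
    ace = {"action": t[0], "proto": t[1], "src": None, "sport": None, "dst": None, "dport": None}
    i = 2
    for side, port_key in (("src", "sport"), ("dst", "dport")):
        if i >= len(t):
            raise AclSyntaxError(f"missing {side} address: {text}")
        if t[i] == "any":
            i += 1
        elif t[i] == "host" and i + 1 < len(t):
            ace[side] = ipaddress.ip_address(t[i + 1])
            i += 2
        else:
            raise AclSyntaxError(f"expected 'any' or 'host <addr>': {text}")
        if i + 1 < len(t) and t[i] == "eq":
            if ace["proto"] not in ("tcp", "udp"):
                raise AclSyntaxError(f"'eq' is only valid for tcp/udp entries: {text}")
            ace[port_key] = int(t[i + 1])
            i += 2
    if i != len(t):
        raise AclSyntaxError(f"trailing tokens: {text}")
    return ace


def is_valid_ace(text):
    try:
        parse_ace(text)
        return True
    except AclSyntaxError:
        return False


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ace["src"] is not None and ace["src"] != ipaddress.ip_address(pkt["src"]):
        return False
    if ace["dst"] is not None and ace["dst"] != ipaddress.ip_address(pkt["dst"]):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    return True


def evaluate(acl_lines, pkt):
    """First matching entry wins; an extended ACL ends with an implicit 'deny ip any any'."""
    for line in acl_lines:
        if ace_matches(parse_ace(line), pkt):
            return parse_ace(line)["action"]
    return "deny"


# Constructed traffic toward the host in card 9: the unauthorized RDP service and
# two approved services (SMTP, HTTPS) that must keep working.
HOST = "71.168.10.45"
RDP = {"proto": "tcp", "src": "86.18.10.3", "dst": HOST, "sport": 50123, "dport": 3389}
SMTP = {"proto": "tcp", "src": "86.18.10.3", "dst": HOST, "sport": 50124, "dport": 25}
HTTPS = {"proto": "tcp", "src": "203.0.113.7", "dst": HOST, "sport": 50125, "dport": 443}

# Option B (correct) and option C, each followed by a constructed permit so the
# implicit deny does not swallow the approved services.
OPTION_B = ["deny tcp any host 71.168.10.45 eq 3389", "permit ip any any"]
OPTION_C = ["deny tcp any host 71.168.10.45 eq 25", "permit ip any any"]


def outcomes(acl_lines):
    """Action taken on each constructed packet under the given ACL."""
    return {name: evaluate(acl_lines, p) for name, p in (("rdp", RDP), ("smtp", SMTP), ("https", HTTPS))}


if __name__ == "__main__":
    print("option B:", outcomes(OPTION_B))
    print("option C:", outcomes(OPTION_C))
    print("option A parses:", is_valid_ace("deny ip host 86.18.10.3 eq 3389"))
```

Running it shows option B denying only RDP while SMTP and HTTPS pass, option C blocking the approved SMTP service, and options A and D rejected by the parser because a port operator on an "ip" entry is not valid. Evaluating the deny line on its own (with no trailing permit) denies everything, which is the implicit-deny behaviour to remember when writing the real ACL.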

10
Q

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital’s enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital’s elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend?

A. Recommend isolation
B. Conduct Penetration Test
C. Recommend Immediate Replacement
D. Recommend Immediate Disconnection

A

A. Recommend isolation

11
Q

Dion Training wants to ensure that none of its computers can run a peer-to-peer file-sharing program on its office computers. Which of the following practices should be implemented to achieve this?

A. Enable NAC
B. Application Blocklisting
C. Application Allow Listing
D. MAC Filtering

A

B. Application Blocklisting

12
Q

You work as the incident response team lead at Fail to Pass Systems. Sierra, a system administrator, believes an incident has occurred on the network and contacts the SOC. At 2:30 am, you are woken up by a phone call from the CEO of Fail to Pass stating an incident has occurred and that you need to solve this immediately. As you are getting dressed to drive into the office, your phone rings again. This time, the CIO starts asking you a lot of technical questions about the incident. The first you heard of this incident was 5 minutes ago from the CEO, so you don’t have the answers to the CIO’s questions, yet. Based on this scenario, which of the following issues needs to be documented in your lessons learned report once this incident is resolved?

A. A robust method of incident detection
B. A call list/escalation list
C. An established incident response form
D. An offline incident response jump bag or kit

A

B. A call list/escalation list

13
Q

You have discovered that an employee has been conducting illegal activities using his workplace computer. You have taken possession of the employee’s laptop according to your company’s procedures and are waiting to give it to law enforcement authorities. What should you do when turning over the laptop to the police?

A. Quarantine the system
B. Document the changes
C. Maintain the chain of custody
D. Preserve the evidence

A

C. Maintain the chain of custody

14
Q

You are troubleshooting an issue with a Windows desktop and need to display the machine’s active TCP connections. Which of the following commands should you use?

A. Netstat
B. Ping
C. Ipconfig
D. Net use

A

A. Netstat

15
Q

Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement?

A. Forensic Analysis Report
B. Lessons Learned Report
C. Chain of Custody report
D. Trend Analysis Report

A

B. Lessons Learned Report

16
Q

If you cannot ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to elicit a response from a host using TCP, what tool would you use?

A. Traceroute
B. Broadcast Ping
C. Ptunnel
D. Hping

A

D. Hping

17
Q

A small business recently experienced a catastrophic data loss due to flooding from a recent hurricane. The customer had no backups, and flooding destroyed all of the hardware associated with the small business. As part of the rebuilding process, the small business contracts with your company to help create a disaster recovery plan to ensure this never reoccurs again. Which of the following recommendations should you include as part of the disaster recovery plan?

A. Local backups should be conducted
B. Backups should be conducted to a cloud-based storage solution
C. Local backups should be verified
D. Purchase waterproof devices

A

B. Backups should be conducted to a cloud-based storage solution

Local backups would have been destroyed by the same flood that took the rest of the hardware, so they cannot be the recommendation that prevents a recurrence. The disaster recovery plan must get a copy of the data off-site, which is what backing up to a cloud-based storage provider achieves. Verifying backups is good practice, but this customer had no backups to verify.

18
Q

(Sample Simulation – On the real exam for this type of question, you would have to rearrange the steps into the proper order by dragging and dropping them into place.)

A. Hard Drive or USB Drive, Swap File, Random Access Memory, Processor Cache
B. Processor Cache, Random Access Memory, Swap Files, Hard Drive or USB Drive

A

B. Processor Cache, Random Access Memory, Swap Files, Hard Drive or USB Drive

OBJ-4.5: The correct order for evidence collection based on the order of volatility is the Processor Cache, Random Access Memory, Swap File, and then the Hard Drive or USB Drive. Since the Processor Cache is the most volatile and changes the most frequently, it should be captured first. Random Access Memory (RAM) is temporary storage on a computer. It can quickly change or be overwritten, and the information stored in RAM is lost when power is removed from the computer, so it should be collected second. Swap files are temporary files on a hard disk used as virtual memory, and therefore, they should be collected third. The files on a hard disk or USB drive are the least volatile of the four options presented since they are used for long-term storage of data and are not lost when the computer loses power.

19
Q

What tool can be used as an exploitation framework during your penetration tests?

A. Autopsy
B. Nmap
C. Metasploit
D. Nessus

A

C. Metasploit

20
Q

Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across many devices?

A. HIPS
B. Anti-Malware
C. GPO
D. Patch Management

A

C. GPO

21
Q

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and impacts the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why?

A. NIDS
B. Firewall Logs
C. Syslog
D. Network Mapping

A

C. Syslog

22
Q

You have run a vulnerability scan and received the following output: Which of the following categories should this be classified as?

A. VPN Visibility
B. Active Directory Encryption vulnerability
C. Web Application cryptography vulnerability
D. PKI Transfer

A

C. Web Application cryptography vulnerability

OBJ-4.3: This vulnerability should be categorized as a web application cryptographic vulnerability. The scan output shows the weak SSLv3.0/TLSv1.0 protocols being negotiated with cipher block chaining (CBC) mode cipher suites; specifically, the 3DES and DES algorithms being offered during negotiation is a significant weakness. The web server should be reconfigured to accept only TLS 1.2 or later with modern AES-based cipher suites.

23
Q

What containment technique is the strongest possible response to an incident?

A. Isolating the Attacker
B. Isolating affected systems
C. Segmentation
D. Enumeration

A

B. Isolating affected systems

24
Q

A cybersecurity analyst is attempting to classify network traffic within an organization. The analyst runs the tcpdump command and receives the following output: Which of the following statements is true based on this output?

A. 10.10.19.121 is under attack
B. 10.10.19.121 is the client
C. 11.54.12.121 is under attack
D. 11.54.12.121 is the client

A

B. 10.10.19.121 is the client

OBJ-4.1: This output from the tcpdump command displays three packets in a larger sequence of events. Based solely on these three packets, we can only be certain that the server (11.54.12.121) runs an SSH server over port 22. This is based on the first line of the output. The second and third lines are the server responding to the request and sending data back to the client (10.10.19.121) over port 52497. There is no evidence of an attack against either the server or the client based on this output, since we can only see the headers and not the content being sent between the client and server.

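The header-only reasoning in card 24 (who sent the SYN, which side is on the well-known port, how much payload moved in each direction) can be automated. The example below is added here and is not from the deck or the exam: it parses `tcpdump -n` style lines into a role summary. The two captures are constructed to match the card's addresses and ports (10.10.19.121:52497 and 11.54.12.121:22); the sequence numbers, window sizes and lengths are made up.

```python
"""Determine client and server roles from tcpdump -n header lines (added example)."""
import re

# Constructed capture modelled on the card-24 answer: the TCP handshake to an SSH
# server followed by the server's first data segment. Not the exam's output.
SAMPLE_HANDSHAKE = """\
09:41:12.101001 IP 10.10.19.121.52497 > 11.54.12.121.22: Flags [S], seq 3181572081, win 64240, options [mss 1460], length 0
09:41:12.101873 IP 11.54.12.121.22 > 10.10.19.121.52497: Flags [S.], seq 2947100112, ack 3181572082, win 65160, length 0
09:41:12.102110 IP 10.10.19.121.52497 > 11.54.12.121.22: Flags [.], ack 1, win 502, length 0
09:41:12.131220 IP 11.54.12.121.22 > 10.10.19.121.52497: Flags [P.], seq 1:22, ack 1, win 509, length 21
"""

# A constructed capture that starts mid-stream (no SYN seen), to show the fallback.
SAMPLE_MIDSTREAM = """\
09:42:00.000001 IP 11.54.12.121.22 > 10.10.19.121.52497: Flags [P.], seq 100:148, ack 40, win 509, length 48
09:42:00.000400 IP 10.10.19.121.52497 > 11.54.12.121.22: Flags [.], ack 148, win 502, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)
WELL_KNOWN = {22: "ssh", 25: "smtp", 80: "http", 443: "https", 3389: "rdp"}


def parse_tcpdump(text):
    """One dict per header line; lines that are not IPv4/TCP headers are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        length = re.search(r"length (\d+)", m["rest"])
        pkts.append({"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
                     "dport": int(m["dport"]), "flags": m["flags"],
                     "length": int(length.group(1)) if length else 0})
    return pkts


def identify_roles(pkts):
    """The sender of a bare SYN is the client. Without a SYN in the capture, fall
    back to treating the side on the lower (well-known) port as the server."""
    if not pkts:
        raise ValueError("no packets")
    syn = next((p for p in pkts if p["flags"] == "S"), None)
    if syn is not None:
        client, cport, server, sport = syn["src"], syn["sport"], syn["dst"], syn["dport"]
        basis = "bare SYN sent by client"
    else:
        p = pkts[0]
        if p["dport"] < p["sport"]:
            client, cport, server, sport = p["src"], p["sport"], p["dst"], p["dport"]
        else:
            client, cport, server, sport = p["dst"], p["dport"], p["src"], p["sport"]
        basis = "lower (well-known) port assumed to be the server"
    to_server = [p for p in pkts if p["dst"] == server and p["dport"] == sport]
    to_client = [p for p in pkts if p["dst"] == client and p["dport"] == cport]
    return {"client": client, "client_port": cport, "server": server, "server_port": sport,
            "service": WELL_KNOWN.get(sport, "unknown"), "basis": basis,
            "pkts_to_server": len(to_server), "pkts_to_client": len(to_client),
            "payload_bytes_to_server": sum(p["length"] for p in to_server),
            "payload_bytes_to_client": sum(p["length"] for p in to_client)}


if __name__ == "__main__":
    print(identify_roles(parse_tcpdump(SAMPLE_HANDSHAKE)))
    print(identify_roles(parse_tcpdump(SAMPLE_MIDSTREAM)))
```

The summary deliberately stops at roles, packet counts and payload byte counts: that is all a header-only view supports, which is why "under attack" is not a conclusion you can draw from output like this.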
25
Q

Which of the following proprietary tools is used to create forensic disk images without making changes to the original evidence?

A. Autopsy
B. Memdump
C. dd
D. FTK Imager

A

D. FTK Imager

26
Q

A penetration tester has issued the following command on a victimized host: nc -l -p 8080 | nc 192.168.1.76 443. What will occur based on this command?

A. Netcat will listen on port 8080 and then output anything received to a remote connection on 192.168.1.76 over port 443
B. Netcat will listen for a connection from 192.168.1.76 on port 443 and output anything received to port 8080
C. Netcat will listen on port 8080 and then output anything received to the local interface at 192.168.1.76
D. Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080

A

A. Netcat will listen on port 8080 and then output anything received to a remote connection on 192.168.1.76 over port 443

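The pipeline in card 26 is a one-way relay: the first netcat's stdout (whatever arrives on port 8080) becomes the second netcat's stdin and is forwarded to 192.168.1.76:443, while the remote side's replies land on the second netcat's stdout rather than going back to the original connection. The example below is added here (not from the deck or the exam) and reproduces the relay in Python sockets so it can be run offline; it goes one step further than the shell pipe by also returning the target's replies, the way `nc -e` or a named-pipe (`mkfifo`) relay would. The echo server standing in for 192.168.1.76:443 and the loopback ports are constructed for the demonstration.

```python
"""Single-connection TCP relay, modelled on `nc -l -p 8080 | nc <host> <port>` (added example)."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src signals EOF, then half-close dst so
    the far end sees EOF too (this is what the shell pipe does for one direction)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(target_host, target_port, listen_port=0):
    """Accept one connection on listen_port (0 = any free port) and pipe it to
    target_host:target_port in both directions. Returns the bound listen port."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("127.0.0.1", listen_port))
    lsock.listen(1)
    port = lsock.getsockname()[1]

    def serve():
        conn, _ = lsock.accept()
        lsock.close()
        with socket.create_connection((target_host, target_port)) as upstream, conn:
            back = threading.Thread(target=_pump, args=(upstream, conn), daemon=True)
            back.start()
            _pump(conn, upstream)      # listener -> target: the direction the shell pipe provides
            back.join()                # target -> listener: what the shell pipe does not provide

    threading.Thread(target=serve, daemon=True).start()
    return port


def start_echo_server():
    """Constructed stand-in for the real destination (192.168.1.76:443 in the card).
    Reads until EOF, then answers with the data prefixed by b'echo:'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)

    def serve():
        conn, _ = s.accept()
        s.close()
        with conn:
            buf = b""
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                buf += data
            conn.sendall(b"echo:" + buf)

    threading.Thread(target=serve, daemon=True).start()
    return s.getsockname()[1]


def relay_roundtrip(payload, timeout=5.0):
    """Connect to the relay as the remote attacker/operator would, send payload,
    and return what the target answered through the relay."""
    echo_port = start_echo_server()
    relay_port = start_relay("127.0.0.1", echo_port)
    with socket.create_connection(("127.0.0.1", relay_port), timeout=timeout) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            d = c.recv(4096)
            if not d:
                break
            chunks.append(d)
    return b"".join(chunks)


if __name__ == "__main__":
    print(relay_roundtrip(b"GET / HTTP/1.0\r\n\r\n"))
```

From a defender's view the relay is why the victimized host shows an inbound listener on an odd port (8080) paired with an outbound connection to another internal host on 443: the pivot hides the true source of traffic that reaches 192.168.1.76.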
27
Q

What type of weakness is John the Ripper used to test during a technical assessment?

A. File Permission
B. Passwords
C. Usernames
D. Firewall Rulesets

A

B. Passwords

28
Q

What problem can you solve by using Wireshark?

A. Resetting the admin password
B. Validating the creation dates
C. Performing packet capture
D. Tracking source code

A

C. Performing packet capture

29
Q

A cybersecurity analyst conducts an incident response at a government agency when she discovers that attackers had exfiltrated PII. Which of the following types of breaches has occurred?

A. Proprietary Breach
B. Privacy Breach
C. Financial Breach
D. Integrity Breach

A

B. Privacy Breach

30
Q

Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext?

A. SIEM event log monitoring
B. Full packet capture
C. Software Design documentation review
D. NetFlow capture

A

B. Full packet capture

31
Q

You are working as a junior cybersecurity analyst and utilize a SIEM to support investigations into ongoing incidents. The SIEM is configured to collect data from numerous sources across the network, including network sensors, routers, switches, firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you have data about a particular event being detected by different sensors and devices. Which of the following must you ensure to make sense of all the data being collected by your SIEM before analyzing it?

A. Data Sanitization
B. Data Correlation
C. Data Retention
D. Data Recovery

A

B. Data Correlation

32
Q

Which security tool is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment?

A. DLP
B. SIEM
C. SOAR
D. MDM

A

C. SOAR

33
Q

During which incident response phase is the preservation of evidence performed?

A. Detection & Analysis
B. Preparation
C. Containment, Eradication, Recovery
D. Post Incident Activity

A

C. Containment, Eradication, Recovery

34
Q

You have been hired as a consultant to help Dion Training develop a new disaster recovery plan. Dion Training has recently grown in the number of employees and information systems infrastructure used to support its employees. Unfortunately, Dion Training does not currently have any documentation, policies, or procedures for its student and faculty networks. What is the first action you should take to assist them in developing a disaster recovery plan?

A. Identify the organization's assets
B. Develop a data retention policy
C. Conduct a risk assessment
D. Conduct a vulnerability scan

A

A. Identify the organization's assets

35
Q

Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach?

A. PII
B. PHI
C. Credit Card Information
D. Trade Secret Information

A

B. PHI

36
Q

You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server?

A. Malicious Process
B. Failed Login
C. Off Hour Usage
D. Unauthorized Sessions

A

A. Malicious Process

37
Q

Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation?

A. Encrypt the source drive to ensure it can't be modified
B. Digitally sign the image file to provide non-repudiation
C. Encrypt the image file to ensure it maintains data integrity
D. Create a hash digest of the source drive and the image file to ensure they match

A

D. Create a hash digest of the source drive and the image file to ensure they match

Hashing the source drive and the image and confirming the digests match is what proves the image is a faithful, bit-for-bit copy, and it is done immediately after acquisition and before any analysis. Encryption protects confidentiality, not integrity, and encrypting the source drive would alter the original evidence. A digital signature is computed over a hash in any case, so the hash comes first.

38
Q

Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts?

A. Notification to Federal Law Enforcement
B. Notification to Local Law Enforcement
C. Notification to VISA and Mastercard
D. Notification to credit card holder

A

C. Notification to VISA and Mastercard

39
Q

An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only the name servers?

A. locate type=ns
B. request type=ns
C. set type=ns
D. transfer type=ns

A

C. set type=ns

40
Q

(Sample Simulation – On the real exam for this type of question, you would have to rearrange the steps into the proper order by dragging and dropping them into place.) What is the correct order of the Incident Response process?

A. Identification, Containment, Eradication, Preparation, Recovery, and Lessons Learned
B. Containment, Eradication, Identification, Lessons Learned, Preparation, and Recovery
C. Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned
D. Containment, Recovery, Identification, Lessons Learned, Preparation, and Eradication

A

C. Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned

41
Q

What popular open-source port scanning tool is commonly used for host discovery and service identification?

A. service.msc
B. nmap
C. Nessus
D. dd

A

B. nmap

42
Q

You are troubleshooting a network connectivity issue and need to determine the packet’s flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems?

A. ipconfig
B. nbtstat
C. netstat
D. tracert

A

D. tracert

43
Q

What information should be recorded on a chain of custody form during a forensic investigation?

A. The law enforcement agent who was first on the scene
B. The list of former owner/operators of the workstation involved in the investigation
C. The list of individuals who made contact with files leading to the investigation
D. Any individual who worked with evidence during the investigation

A

D. Any individual who worked with evidence during the investigation

44
Q

You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark: Based on your review, what does this scan indicate?

A. 192.168.3.145 might be infected with malware
B. 192.168.3.145 might be infected with malware and beaconing to a C2 server
C. This appears to be a normal network
D. 173.12.15.23 might be infected with malware and beaconing to a C2 server
E. 173.12.15.23 might be infected with malware

A

C. This appears to be a normal network

OBJ-4.1: This appears to be normal network traffic. The first line shows that a DNS lookup was performed for a website (test.diontraining.com). The second line shows the response from the DNS server with the IP address of the website. The third line begins a three-way handshake between an internal host and the website. The fourth line is the SYN-ACK response from the website to the internal host as part of this handshake. The fifth line is a standard Windows NetBIOS query within the local area network to translate human-readable names to local IP addresses. The sixth and seventh lines appear to be inbound requests to port 443 and port 8080, both of which were sent the RST by the internal host’s firewall since it is not running those services on the host. None of this network traffic appears to be suspicious.

45
Q

You are developing your vulnerability scanning plan and attempting to scope your scans properly. You have decided to focus on the criticality of a system to the organization’s operations when prioritizing the system in the scope of your scans. Which of the following would be the best place to gather the criticality of a system?

A. Scope the scan based on IP subnets
B. Conduct a Nmap scan of the network to determine the OS of each system
C. Review the asset inventory and BCP
D. Ask the CEO for a list of critical systems

A

C. Review the asset inventory and BCP

46
Q

Which of the following is required for evidence to be admissible in a court of law?

A. Right to Audit
B. Chain of Custody
C. Legal Hold
D. Order of Volatility

A

B. Chain of Custody

47
Q

The incident response team leader has asked you to perform a forensic examination on a workstation suspected of being infected with malware. You remember from your training that you must collect digital evidence in the proper order to protect it from being changed during your evidence collection efforts. Which of the following describes the correct sequence to collect the data from the workstation?

A. Hard drive, Swap, CPU Cache, RAM
B. CPU Cache, RAM, Swap, Hard Drive
C. Swap, CPU Cache, Hard Drive, RAM
D. RAM, Swap, CPU Cache Hard Drive

A

B. CPU Cache, RAM, Swap, Hard Drive

Collect in order of volatility, most volatile first: CPU cache, RAM, swap (virtual memory that lives on disk but is rewritten constantly), and then the hard drive. This is the same ordering as card 18; an option that places the hard drive before swap is out of order.

48
Q

Dion Training requires that the staff simulate their response to a potential data breach. During this simulation, the staff gathers in the conference room and discusses each action they would take as part of their response. This information is then analyzed to ensure the company’s data breach response playbook is up to date and would work properly when needed. Which of the following best describes what the staff did?

A. Incident Response
B. Disaster Recovery Planning
C. Tabletop Exercise
D. Business Impact Analysis

A

C. Tabletop Exercise

49
Q

What tool can be used to scan a network to perform vulnerability checks and compliance auditing?

A. Metasploit
B. BeEF
C. Nmap
D. Nessus

A

D. Nessus

50
Q

Which of the following tools is useful for capturing Windows memory data for forensic analysis?

A. Nessus
B. Memdump
C. dd
D. Wireshark

A

B. Memdump

51
Q

Which analysis framework makes no allowance for an adversary retreat in its analysis?

A. MITRE ATT&CK Framework
B. Lockheed Martin Cyber Kill Chain
C. Diamond Model of Intrusion Analysis
D. AT&T Cybersecurity

A

B. Lockheed Martin Cyber Kill Chain

52
Q

During which phase of the incident response process does an organization assemble an incident response toolkit?

A. Post Incident Activity
B. Detection and Analysis
C. Preparation
D. Containment

A

C. Preparation

53
Q

Your coworker is creating a script to run on a Windows server using PowerShell. Which of the following file formats should the script use?

A. .sh
B. .ps1
C. .bat
D. .py

A

B. .ps1

54
Q

You are in the recovery steps of an incident response. Throughout the incident, your team never successfully determined the root cause of the network compromise. Which of the following options would you LEAST likely perform as part of your recovery and remediation actions?

A. Restrict host access to peripheral protocols
B. Review and enhance patch management policies
C. Proactively sanitize and reimage all the routers and switches
D. Disable unused user accounts

A

C. Proactively sanitize and reimage all the routers and switches

55
Q

Which command would be used to display the network address and subnet mask for the wired network connection on a Linux system?

A. ipconfig
B. ip
C. nslookup
D. netstat

A

B. ip

56
Q

You are analyzing the logs of a forensic analysts workstation and see the following: What does the bs=1M signify in the command list above?

A. Set the beginning sector
B. Send output to a blank sector
C. Remove error messages
D. Set the Block Size

A

D. Set the block size

OBJ-4.1: The dd command is used in forensic data acquisition to forensically create a bit by bit copy of a hard drive to a disk image. The bs operator sets the block size when using the Linux dd command. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!

57
Q

Dion Training wants to implement technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST?

A. Host Based Firewall
B. Intrusion Detection Systems
C. Application allow list
D. Anti Malware Solution

A

C. Application allow list

58
Q

Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat?

A. MITRE ATT&CK
B. Diamond Model
C. Lockheed Martin Cyber Kill Chain
D. OpenIOC

A

A. MITRE ATT&CK

59
Q

Your organization has recently been the target of a spearphishing campaign. You have identified the website associated with the link in the spearphishing emails and want to deny access to it. Which of the following techniques would be the MOST effective in this situation?

A. Containment
B. Application Block List
C. URL Filter
D. Quarantine

A

C. URL Filter

60
Q

Due to a worldwide pandemic in 2020 caused by the COVID-19 virus, Dion Training Solutions instituted teleworking for all of its employees. This was part of a preplanned response so that the company’s students could continue to learn and receive support throughout the pandemic. Which of the following plans should contain the company’s pandemic response plan?

A. Rollback Plan
B. Incident Response Plan
C. Disaster recovery Plan
D. Business Continuity Plan

A

D. Business Continuity Plan

61
Q

Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them?

A. Wireshark
B. netstat
C. ping
D. nmap

A

D. nmap

62
Q

Your company has created a baseline image for all of its workstations using Windows 10. Unfortunately, the image included a copy of Solitaire, and the CIO has created a policy to prevent anyone from playing the game on the company’s computers. You have been asked to create a technical control to enforce the policy (administrative control) that was recently published. What should you implement?

A. Application Hardening
B. Application Block List
C. Application Allow List
D. Disable Removable Media

A

B. Application Block List

63
Q

Which of the following elements is LEAST likely to be included in an organization’s data retention policy?

A. Description of information that needs to be retained
B. Minimum Retention Period
C. Maximum Retention Period
D. Classification of Information

A

D. Classification of Information

64
Q

An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts?

A. File Format
B. The attack widely fragmented the image across the host file system
C. You will need to roll back to an earlier snapshot
D. All log files are stored within the VM

A

B. The attack widely fragmented the image across the host file system

65
Q

An analyst just completed a port scan and received the following results of open ports: Based on these scan results, which of the following services are NOT currently operating?

A. Web
B. Database
C. SSH
D. RDP

A

C. SSH

OBJ-4.3: Based on the port numbers shown as open in the nmap scan results, SSH is not currently operating. SSH operates over port 22. Web servers use port 80 for HTTP and 443 for HTTPS. Database servers run on port 1433 (Microsoft SQL) or 3306 (MySQL). Remote Desktop Protocol runs on port 3389.

66
Q

Which of the following Wireshark filters should be applied to a packet capture to detect applications that send passwords in cleartext to a REST API located at 10.1.2.3?

A. ip.dst
B. ip.proto
C. http.request
D. http.request.method=="POST"

A

C. http.request

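Cards 30 and 66 make the same point from two directions: only a full packet capture shows a credential on the wire, and a filter restricted to POST misses applications that put the password in a GET query string, which is why `http.request` (all methods, combined with `ip.dst==10.1.2.3` to scope it to the API) is the better starting filter. The example below is added here and is not from the deck or the exam: it reproduces that filter logic in Python over reassembled HTTP request payloads, the kind you would export from a capture. The requests, host names and credentials are constructed; 10.1.2.3 is the card's API address.

```python
"""Find cleartext credentials in captured HTTP requests to a REST API (added example)."""
import json
from urllib.parse import parse_qs, urlsplit

PASSWORD_KEYS = {"password", "passwd", "pwd", "pass", "secret"}

# Constructed request payloads as they would appear in a full packet capture.
SAMPLE_REQUESTS = [
    # GET with the password in the query string: invisible to a POST-only filter
    {"dst": "10.1.2.3", "raw": b"GET /api/login?user=alice&password=Winter2024 HTTP/1.1\r\n"
                               b"Host: api.example.internal\r\n\r\n"},
    # form-encoded POST
    {"dst": "10.1.2.3", "raw": b"POST /api/session HTTP/1.1\r\nHost: api.example.internal\r\n"
                               b"Content-Type: application/x-www-form-urlencoded\r\n"
                               b"Content-Length: 23\r\n\r\nuser=bob&pwd=hunter2%21"},
    # JSON POST, the usual shape for a REST API
    {"dst": "10.1.2.3", "raw": b"POST /api/v1/token HTTP/1.1\r\nHost: api.example.internal\r\n"
                               b"Content-Type: application/json\r\nContent-Length: 39\r\n\r\n"
                               b'{"username": "carol", "password": "pw"}'},
    # harmless request to the same API
    {"dst": "10.1.2.3", "raw": b"GET /api/health HTTP/1.1\r\nHost: api.example.internal\r\n\r\n"},
    # credential sent to a different host: excluded by the ip.dst scope
    {"dst": "10.1.2.9", "raw": b"POST /login HTTP/1.1\r\nHost: other.example.internal\r\n"
                               b"Content-Type: application/x-www-form-urlencoded\r\n"
                               b"Content-Length: 17\r\n\r\nuser=d&password=x"},
]


def parse_http_request(raw):
    """Split a raw request into (method, target, headers, body). Header names are lowercased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def credential_fields(target, headers, body):
    """Names of password-like parameters found in the query string or the body."""
    found = {k for k in parse_qs(urlsplit(target).query) if k.lower() in PASSWORD_KEYS}
    ctype = headers.get("content-type", "")
    if body and ctype.startswith("application/json"):
        try:
            obj = json.loads(body)
        except ValueError:
            obj = None
        if isinstance(obj, dict):
            found |= {k for k in obj if k.lower() in PASSWORD_KEYS}
    elif body and ctype.startswith("application/x-www-form-urlencoded"):
        found |= {k for k in parse_qs(body) if k.lower() in PASSWORD_KEYS}
    return sorted(found)


def find_cleartext_credentials(requests, api_ip, methods=None):
    """methods=None behaves like `ip.dst==api_ip && http.request`; methods={'POST'}
    behaves like narrowing to `http.request.method=="POST"`. Returns
    (method, path, fields) for each request that carries a password-like parameter."""
    findings = []
    for r in requests:
        if r["dst"] != api_ip:
            continue
        method, target, headers, body = parse_http_request(r["raw"])
        if methods is not None and method not in methods:
            continue
        fields = credential_fields(target, headers, body)
        if fields:
            findings.append((method, urlsplit(target).path, fields))
    return findings


if __name__ == "__main__":
    print("all methods:", find_cleartext_credentials(SAMPLE_REQUESTS, "10.1.2.3"))
    print("POST only:  ", find_cleartext_credentials(SAMPLE_REQUESTS, "10.1.2.3", methods={"POST"}))
```

The all-methods run reports three offending requests, the POST-only run two; the GET login that leaks `password` in the URL (which also lands in proxy and web server access logs) is the one the narrower filter hides.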
67
Q

You are reviewing the logs in your HIDS and see that entries were showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred?

A. The remote host cannot find the right service port
B. Port Scan
C. SYN Flood
D. UDP Probe

A

B. Port Scan

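Cards 1 and 67 both hinge on recognizing a port scan from host logs: one source sending connection attempts to many distinct ports on one destination, often with a fixed pause between probes. The example below is added here and is not from the deck or the exam: it parses firewall-style log lines and flags (source, destination) pairs that hit many distinct ports inside a time window, counting distinct ports rather than packets so that a busy legitimate client is not flagged. The log lines and the log format are constructed to mirror the card-1 scenario (10.10.3.2 probing 10.10.3.6 two seconds apart).

```python
"""Flag a single-source port scan in firewall-style host log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the card-1 scenario: 10.10.3.2 probes nine common
# ports on 10.10.3.6 two seconds apart, while 10.10.3.50 repeatedly opens ordinary
# HTTPS connections. These are not the exam's log lines.
SAMPLE_LOG = """\
2024-05-01 10:00:00 SRC=10.10.3.2 DST=10.10.3.6 PROTO=TCP SPT=40001 DPT=20 FLAGS=S
2024-05-01 10:00:02 SRC=10.10.3.2 DST=10.10.3.6 PROTO=TCP SPT=40002 DPT=21 FLAGS=S
2024-05-01 10:00:04 SRC=10.10.3.2 DST=10.10.3.6 PROTO=TCP SPT=40003 DPT=22 FLAGS=S
2024-05-01 10:00:06 SRC=10.10.3.2 DST=10.10.3.6 PROTO=TCP SPT=40004 DPT=23 FLAGS=S
2024-05-01 10:00:08 SRC=10.10.3.2 DST=10.10.3.6 PROTO=TCP SPT=40005 DPT=25 FLAGS=S
2024-05-01 10:00:10 SRC=10.10.3.2 DST=10.10.3.6 PROTO=TCP SPT=40006 DPT=80 FLAGS=S
2024-05-01 10:00:12 SRC=10.10.3.2 DST=10.10.3.6 PROTO=TCP SPT=40007 DPT=135 FLAGS=S
2024-05-01 10:00:14 SRC=10.10.3.2 DST=10.10.3.6 PROTO=TCP SPT=40008 DPT=443 FLAGS=S
2024-05-01 10:00:16 SRC=10.10.3.2 DST=10.10.3.6 PROTO=TCP SPT=40009 DPT=445 FLAGS=S
2024-05-01 10:00:17 SRC=10.10.3.50 DST=10.10.3.6 PROTO=TCP SPT=51000 DPT=443 FLAGS=S
2024-05-01 10:00:18 SRC=10.10.3.50 DST=10.10.3.6 PROTO=TCP SPT=51001 DPT=443 FLAGS=S
2024-05-01 10:00:19 SRC=10.10.3.50 DST=10.10.3.6 PROTO=TCP SPT=51002 DPT=443 FLAGS=S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)


def parse_log(text):
    """One dict per parseable line; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                           "dst": m["dst"], "dpt": int(m["dpt"]), "flags": m["flags"]})
    return events


def detect_port_scans(events, min_ports=5, window_seconds=60):
    """Map (src, dst) -> sorted probed ports for every pair in which one source sent
    bare SYNs to at least min_ports distinct ports within any window_seconds window."""
    per_pair = defaultdict(list)
    for e in events:
        if e["flags"] == "S":          # connection attempts only; SA/PA are replies or data
            per_pair[(e["src"], e["dst"])].append(e)
    hits = {}
    for pair, evs in per_pair.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end in range(len(evs)):    # sliding window over the sorted timestamps
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ports = {e["dpt"] for e in evs[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            hits[pair] = sorted(best)
    return hits


def mean_probe_gap(events, src, dst):
    """Average seconds between successive SYNs from src to dst, or None if fewer
    than two; a throttled scanner leaves a suspiciously regular gap (2.0 in the sample)."""
    ts = sorted(e["ts"] for e in events
                if e["src"] == src and e["dst"] == dst and e["flags"] == "S")
    if len(ts) < 2:
        return None
    return (ts[-1] - ts[0]).total_seconds() / (len(ts) - 1)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, dst), ports in detect_port_scans(evs).items():
        print(f"port scan from {src} against {dst}: ports {ports}, "
              f"mean gap {mean_probe_gap(evs, src, dst):.1f}s")
```

The HIDS entries in card 67 (SYNs to every port from 1 to 1024) would be caught by the same rule with a far larger distinct-port count; a SYN flood, by contrast, hammers one port with many SYNs and never crosses the distinct-port threshold, which is the distinction the card asks for.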
68
Q

Which command is used in the Linux terminal to change the permissions of a file?

A. chmod
B. pwd
C. chown
D. sudo

A

A. chmod

69
Q

You are working as a security administrator and need to respond to an ongoing spearphishing campaign against your organization. Which of the following should be used as a checklist of actions to perform to detect and respond to this particular incident?

A. Playbook
B. Disaster Recovery Plan
C. Incident Response Plan
D. Runbook

A

A. Playbook

70
Q

What command should a forensic analyst use to make a forensic disk image of a hard drive?

A. rm
B. dd
C. touch
D. wget

A

B. dd
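Cards 2, 37, 56 and 70 describe one procedure: acquire the drive as a bit-by-bit image with `dd` (reading it in fixed blocks, which is what `bs=1M` controls), then hash both the original and the image with SHA-256 and confirm the digests match before any analysis. The example below is added here and is not from the deck or the exam: it reproduces that block-wise copy and the independent verification in Python, with an in-memory byte buffer standing in for the evidence drive. A real acquisition reads the device through a hardware write blocker and the digests go on the chain-of-custody form; those steps are assumed, not shown.

```python
"""Block-wise imaging and SHA-256 verification, modelled on dd + sha256sum (added example)."""
import hashlib
import io


def image_device(src, dst, bs=1024 * 1024):
    """Copy src to dst in bs-byte blocks, as `dd if=... of=... bs=1M` does, hashing
    every byte as it passes. Returns (bytes_copied, sha256_hex). The final read is
    usually short, which is the partial-block case dd reports as '0+1 records'."""
    h = hashlib.sha256()
    copied = 0
    while True:
        block = src.read(bs)
        if not block:
            break
        dst.write(block)
        h.update(block)
        copied += len(block)
    return copied, h.hexdigest()


def sha256_of(stream, bs=1024 * 1024):
    """Hash a stream from its start; used separately on the source and on the image
    so the verification does not trust the digest computed during the copy."""
    h = hashlib.sha256()
    stream.seek(0)
    for block in iter(lambda: stream.read(bs), b""):
        h.update(block)
    return h.hexdigest()


def verify_image(src, img):
    """Return (match, source_digest, image_digest); match is what goes on the form."""
    src_digest, img_digest = sha256_of(src), sha256_of(img)
    return src_digest == img_digest, src_digest, img_digest


def demo():
    # Constructed 'drive': 3 MiB of patterned bytes plus a short tail so the last
    # block is partial. Not a real device.
    evidence = bytes(range(256)) * (3 * 4096) + b"END-OF-DISK"
    src, img = io.BytesIO(evidence), io.BytesIO()
    copied, copy_digest = image_device(src, img, bs=1024 * 1024)
    ok, src_digest, img_digest = verify_image(src, img)

    # Post-acquisition tampering: flip one byte in a copy of the image. Size and
    # content are otherwise identical, and the digests no longer match.
    data = img.getvalue()
    tampered = io.BytesIO(data[:100] + bytes([data[100] ^ 0xFF]) + data[101:])
    tampered_ok, _, _ = verify_image(src, tampered)

    return {"copied": copied, "copy_digest": copy_digest, "source_digest": src_digest,
            "image_digest": img_digest, "match": ok, "tampered_match": tampered_ok}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The copy digest, the source digest and the image digest agree when the acquisition is faithful; changing a single byte afterwards flips the comparison to false, which is why the hash, not encryption or a signature, is the first thing done after imaging (card 37) and why the digest is recorded with the evidence (card 2).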