
ECIHv3

Title of test:
ECIHv3

Description:
ECIHv3 212-89 (687 checked)

Creation Date: 2025/01/11

Category: Computers

Number of questions: 687

Content:

Which of the following terms may be defined as "a measure of possible inability to achieve a goal, objective, or target within a defined security, cost plan and technical limitations that adversely affects the organization's operation and revenues"?. Risk. Vulnerability. Threat. Incident Response.

A distributed Denial of Service (DDoS) attack is a more common type of DoS Attack, where a single system is targeted by a large number of infected machines over the Internet. In a DDoS attack, attackers first infect multiple systems which are known as: Trojans. Zombies. Spyware. Worms.

The goal of incident response is to handle the incident in a way that minimizes damage and reduces recovery time and cost. Which of the following does NOT constitute a goal of incident response?. Dealing with the human resources department and various employee conflict behaviors. Using information gathered during incident handling to prepare for handling future incidents in a better way and to provide stronger protection for systems and data. Helping personnel to recover quickly and efficiently from security incidents, minimizing loss or theft and disruption of services. Dealing properly with legal issues that may arise during incidents.

An organization faced an information security incident where a disgruntled employee passed sensitive access control information to a competitor. The organization's incident response manager, upon investigation, found that the incident must be handled within a few hours on the same day to maintain business continuity and market competitiveness. How would you categorize such information security incident?. High level incident. Middle level incident. Ultra-High level incident. Low level incident.

Business continuity is defined as the ability of an organization to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault-tolerant systems, as well as a solid backup and recovery strategy. Identify the plan which is a mandatory part of a business continuity plan?. Forensics Procedure Plan. Business Recovery Plan. Sales and Marketing plan. New business strategy plan.

The flow chart gives a view of the different roles played by the different personnel of a CSIRT. Identify the incident response personnel denoted by A, B, C, D, E, F and G. A-Incident Analyst, B-Incident Coordinator, C-Public Relations, D-Administrator, E-Human Resource, F-Constituency, G-Incident Manager. A-Incident Coordinator, B-Incident Analyst, C-Public Relations, D-Administrator, E-Human Resource, F-Constituency, G-Incident Manager. A-Incident Coordinator, B-Constituency, C-Administrator, D-Incident Manager, E-Human Resource, F-Incident Analyst, G-Public Relations. A-Incident Manager, B-Incident Analyst, C-Public Relations, D-Administrator, E-Human Resource, F-Constituency, G-Incident Coordinator.

Which of the following is an appropriate flow of the incident recovery steps?. System Operation-System Restoration-System Validation-System Monitoring. System Validation-System Operation-System Restoration-System Monitoring. System Restoration-System Monitoring-System Validation-System Operations. System Restoration-System Validation-System Operations-System Monitoring.

A computer risk policy is a set of ideas to be implemented to overcome the risk associated with computer security incidents. Identify the procedure that is NOT part of the computer risk policy?. Procedure to identify security funds to hedge risk. Procedure to monitor the efficiency of security controls. Procedure for the ongoing training of employees authorized to access the system. Provisions for continuing support if there is an interruption in the system or if the system crashes.

Identify the network security incident where intended authorized users are prevented from using a system, network, or application by flooding the network with a high volume of traffic that consumes all existing network resources. URL Manipulation. XSS Attack. SQL Injection. Denial of Service Attack.

Incident handling and response steps help you to detect, identify, respond to and manage an incident. Which of the following steps focuses on limiting the scope and extent of an incident?. Eradication. Containment. Identification. Data collection.

Identify the malicious program that is masked as a genuine harmless program and gives the attacker unrestricted access to the user's information and system. These programs may unleash dangerous programs that may erase the unsuspecting user's disk and send the victim's credit card numbers and passwords to a stranger. Cookie tracker. Worm. Trojan. Virus.

Quantitative risk is the numerical determination of the probability of an adverse event and the extent of the losses due to the event. Quantitative risk is calculated as: (Probability of Loss) X (Loss). (Loss) / (Probability of Loss). (Probability of Loss) / (Loss). Significant Risks X Probability of Loss X Loss.

An incident recovery plan is a statement of actions that should be taken before, during or after an incident. Identify which of the following is NOT an objective of the incident recovery plan?. Creating new business processes to maintain profitability after incident. Providing a standard for testing the recovery plan. Avoiding the legal liabilities arising due to incident. Providing assurance that systems are reliable.

Risk is defined as the probability of the occurrence of an incident. Risk formulation generally begins with the likeliness of an event's occurrence, the harm it may cause and is usually denoted as Risk = (Events) × (Probability of occurrence) × ?. Magnitude. Probability. Consequences. Significance.

An audit trail policy collects all audit trails, such as series of records of computer events about an operating system, application or user activities. Which of the following statements is NOT true for an audit trail policy: It helps in calculating intangible losses to the organization due to an incident. It helps in tracking individual actions and allows users to be personally accountable for their actions. It helps in compliance with various regulatory laws, rules, and guidelines. It helps in reconstructing the events after a problem has occurred.

Computer forensics is a methodical series of techniques and procedures for gathering evidence from computing equipment, various storage devices and/or digital media that can be presented in a court of law in a coherent and meaningful format. Which one of the following is an appropriate flow of steps in the computer forensics process: Examination > Analysis > Preparation > Collection > Reporting. Preparation > Analysis > Collection > Examination > Reporting. Analysis > Preparation > Collection > Reporting > Examination. Preparation > Collection > Examination > Analysis > Reporting.

Multiple component incidents consist of a combination of two or more attacks in a system. Which of the following is not a multiple component incident?. An insider intentionally deleting files from a workstation. An attacker redirecting a user to a malicious website and infecting the user's system with a Trojan. An attacker infecting a machine to launch a DDoS attack. An attacker using email with malicious code to infect an internal workstation.

Computer forensics is the branch of forensic science in which legal evidence is found in any computer or any digital media device. Of the following, who is responsible for examining the evidence acquired and separating the useful evidence?. Evidence Supervisor. Evidence Documenter. Evidence Manager. Evidence Examiner/Investigator.

The network perimeter should be configured in such a way that it denies all incoming and outgoing traffic/services that are not required. Which service listed below, if blocked, can help in preventing a Denial of Service attack?. SAM service. POP3 service. SMTP service. Echo service.

A US Federal agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the networks. According to the agency's reporting timeframe guidelines, this incident should be reported within two (2) HOURS of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity. Which incident category of the US Federal Agency does this incident belong to?. CAT 5. CAT 1. CAT 2. CAT 6.

US-CERT and Federal civilian agencies use the reporting timeframe criteria in the federal agency reporting categorization. What is the timeframe required to report an incident under the CAT 4 Federal Agency category?. Weekly. Within four (4) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity. Within two (2) hours of discovery/detection. Monthly.

Identify a standard national process which establishes a set of activities, general tasks and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site. NIASAP. NIAAAP. NIPACP. NIACAP.

Policies are designed to protect the organizational resources on the network by establishing a set of rules and procedures. Which of the following policies authorizes a group of users to perform a set of actions on a set of resources?. Access control policy. Audit trail policy. Logging policy. Documentation policy.

When an employee is terminated from his or her job, what should be the next immediate step taken by an organization?. All access rights of the employee to physical locations, networks, systems, applications and data should be disabled. The organization should enforce separation of duties. The access requests granted to an employee should be documented and vetted by the supervisor. The organization should monitor the activities of the system administrators and privileged users who have permissions to access the sensitive information.

A threat source does not present a risk if there is NO vulnerability that can be exercised by that particular threat source. Identify the step in which different threat sources are defined: Vulnerability identification. Control analysis. Threat identification. System characterization.

In the Control Analysis stage of NIST's risk assessment methodology, technical and non-technical control methods are classified into two categories. What are these two control categories?. Preventive and Detective controls. Detective and Disguised controls. Predictive and Detective controls. Preventive and Predictive controls.

Which of the following incident recovery testing methods works by creating a mock disaster, like a fire, to identify the reaction of the procedures that are implemented to handle such situations?. Scenario testing. Facility testing. Live walk-through testing. Procedure testing.

An incident is analyzed for its nature, intensity and its effects on the network and systems. Which stage of the incident response and handling process involves auditing the system and network log files?. Incident recording. Reporting. Containment. Identification.

Which among the following CERTs is an Internet provider to higher education institutions and various other research institutions in the Netherlands and deals with all cases related to computer security incidents in which a customer is involved either as a victim or as a suspect?. NET-CERT. DFN-CERT. Funet CERT. SURFnet-CERT.

One of the main objectives of incident management is to prevent incidents and attacks by tightening the physical security of the system or infrastructure. According to CERT's incident management process, which stage focuses on implementing infrastructure improvements resulting from postmortem reviews or other process improvement mechanisms?. Protection. Preparation. Detection. Triage.

Risk management consists of three processes: risk assessment, mitigation and evaluation. Risk assessment determines the extent of the potential threat and the risk associated with an IT system throughout its SDLC. How many primary steps does NIST's risk assessment methodology involve?. Twelve. Four. Six. Nine.

Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, decline in performance, tardiness or unexplained absenteeism. Select the technique that helps in detecting insider threats: Correlating known patterns of suspicious and malicious behavior. Protecting computer systems by implementing proper controls. Making it compulsory for employees to sign a non-disclosure agreement. Categorizing information according to its sensitivity and access rights.

Contingency planning enables organizations to develop and maintain effective methods to handle emergencies. Every organization will have its own specific requirements that the planning should address. There are five major components of the IT contingency plan, namely supporting information, notification/activation, recovery, reconstitution and plan appendices. What is the main purpose of the reconstitution plan?. To restore the original site, test systems to prevent the incident and terminate operations. To define the notification procedures and damage assessments and to activate the plan. To provide the introduction and detailed concept of the contingency plan. To provide a sequence of recovery activities with the help of recovery procedures.

The insider risk matrix consists of technical literacy and business process knowledge vectors. Considering the matrix, one can conclude that: If the insider's technical literacy is low and process knowledge is high, the risk posed by the threat will be insignificant. If the insider's technical literacy and process knowledge are high, the risk posed by the threat will be insignificant. If the insider's technical literacy is high and process knowledge is low, the risk posed by the threat will be high. If the insider's technical literacy and process knowledge are high, the risk posed by the threat will be high.

Which policy recommends controls for securing and tracking organizational resources: Access control policy. Administrative security policy. Acceptable use policy. Asset control policy.

Which one of the following is the correct sequence of flow of the stages in an incident response: Containment - Identification - Preparation - Recovery - Follow-up - Eradication. Preparation - Identification - Containment - Eradication - Recovery - Follow-up. Eradication - Containment - Identification - Preparation - Recovery - Follow-up. Identification - Preparation - Containment - Recovery - Follow-up - Eradication.

Organizations or incident response teams need to protect the evidence for any future legal actions that may be taken against perpetrators who intentionally attacked the computer system. Evidence protection is also required to meet legal compliance issues. Which of the following documents helps in protecting evidence from physical or logical damage: Network and host log records. Chain-of-Custody. Forensic analysis report. Chain-of-Precedence.

Except for some common roles, the roles in an IRT are distinct for every organization. Which among the following is the role played by the Incident Coordinator of an IRT?. Links the appropriate technology to the incident to ensure that the foundation's offices are returned to normal operations as quickly as possible. Links the groups that are affected by the incidents, such as legal, human resources, different business areas and management. Applies the appropriate technology and tries to eradicate and recover from the incident. Focuses on the incident and handles it from a management and technical point of view.

The data on the affected system must be backed up so that it can be retrieved if it is damaged during incident response. The system backup can also be used for further investigation of the incident. Identify the stage of the incident response and handling process in which a complete backup of the infected system is carried out?. Containment. Eradication. Incident recording. Incident investigation.

In a qualitative risk analysis, risk is calculated in terms of: (Attack Success + Criticality) / (Countermeasures). (Asset criticality assessment) / (Risks and Associated Risk Levels). (Probability of Loss) x (Loss). (Countermeasures + Magnitude of Impact) / (Reports from prior risk assessments).

Which of the following is a key principle of the incident response process that ensures all actions taken during an incident are legally defensible and admissible in court?. Incident Escalation. Chain of Custody. Incident Prioritization. Data Encryption.

During a security incident, an organization discovers that an attacker has exploited a zero-day vulnerability. What is the BEST immediate action to take to limit further damage?. Shut down all affected systems immediately. Apply a patch to the vulnerability. Isolate the affected systems from the network. Notify law enforcement.

Which of the following tools is commonly used by incident responders to capture volatile data from a system’s memory during an investigation?. Wireshark. FTK Imager. Volatility. Nessus.

An organization’s incident response plan includes a step to notify stakeholders after an incident is contained. Which of the following stakeholders should NOT typically be notified unless legally required?. Internal IT staff. Senior management. General public. Regulatory authorities.

In the context of the NIST SP 800-61 Incident Handling process, which phase involves documenting the incident and preparing a report for lessons learned?. Preparation. Detection and Analysis. Containment, Eradication, and Recovery. Post-Incident Activity.

Which type of attack involves an attacker sending fraudulent emails that appear to come from a legitimate source to trick users into providing sensitive information?. Phishing. Man-in-the-Middle. SQL Injection. Buffer Overflow.

What is the primary purpose of conducting a vulnerability assessment as part of the incident preparation process?. To exploit weaknesses in the system. To identify and prioritize potential security weaknesses before they can be exploited. To recover systems after an incident. To monitor real-time network traffic.

Which of the following is an indicator of a potential insider threat?. Regular software updates. Unusual login attempts from an employee’s account outside normal hours. Implementation of two-factor authentication. Routine system maintenance.

When performing a forensic investigation, what is the first step to ensure the integrity of digital evidence?. Analyze the evidence. Create a bit-by-bit copy of the original media. Document the findings. Secure the physical crime scene.

Which of the following frameworks provides a structured approach to managing cybersecurity risk and is often used by organizations to align their incident response strategies?. ISO 27001. NIST Cybersecurity Framework. COBIT. ITIL.

Which of the following best describes the role of a Computer Security Incident Response Team (CSIRT) within an organization?. Developing software patches for vulnerabilities. Coordinating and managing responses to security incidents. Conducting routine employee training on phishing. Performing penetration testing on network systems.

An attacker uses a technique that floods a server with TCP connection requests without completing the handshake process. What type of attack is this?. SYN Flood Attack. Smurf Attack. Ping of Death. HTTP Flood Attack.

During the eradication phase of incident response, which action is most critical to ensure the threat is completely removed from the affected systems?. Restoring systems from a clean backup. Applying security patches to all systems. Removing malware and closing exploited vulnerabilities. Rebooting all affected systems.

Which of the following log types is most useful for identifying unauthorized access attempts to a network?. Application logs. System logs. Security logs. Network traffic logs.

What is the primary goal of the Business Impact Analysis (BIA) in the context of a Business Continuity Plan (BCP)?. To identify critical business functions and their dependencies. To assess the effectiveness of incident response teams. To calculate the financial cost of a security breach. To prioritize employee training programs.

Which of the following is NOT a common method used by attackers to escalate privileges on a compromised system?. Exploiting misconfigured permissions. Using stolen administrator credentials. Performing a brute-force attack on user passwords. Installing a firewall to block external access.

In a forensic investigation, why is it important to use write blockers when accessing storage devices?. To increase the speed of data analysis. To prevent accidental modification of original evidence. To encrypt the data during collection. To compress the data for storage.

Which of the following is a key component of an Incident Response Policy?. Employee vacation schedules. Defined roles and responsibilities for the response team. Software development lifecycle guidelines. Marketing campaign strategies.

An organization detects a ransomware attack that has encrypted critical files. What should be the FIRST step in the response process?. Pay the ransom to recover the files. Identify and isolate the affected systems. Restore files from backup. Analyze the ransomware strain.

Which of the following regulations mandates incident reporting for organizations handling personal data in the European Union?. PCI DSS. GDPR. HIPAA. SOX.

Which of the following is a critical step in the preparation phase of incident response to ensure an organization is ready to handle security incidents?. Conducting a full system shutdown drill. Establishing an incident response team and plan. Installing antivirus software on all systems. Encrypting all network traffic.

An attacker uses social engineering to trick an employee into installing a malicious application that records keystrokes. What type of malware is this?. Trojan. Keylogger. Worm. Ransomware.

Which of the following is a common technique used to preserve volatile evidence during a live system forensic analysis?. Powering off the system immediately. Capturing a memory dump. Copying files to an external drive. Running a full antivirus scan.

In the context of incident response, what does the term "Mean Time to Respond" (MTTR) measure?. The average time taken to detect an incident. The average time taken to resolve an incident after it is reported. The average time taken to recover data from backups. The average time taken to train incident responders.

Which of the following is a primary benefit of conducting a post-incident review?. Identifying weaknesses in the incident response process. Installing new security software. Rebooting all affected systems. Encrypting all sensitive data.

An organization discovers that an attacker has gained access to a system via a phishing email. Which incident response phase involves tracing the email’s origin to identify the attacker?. Containment. Eradication. Identification. Post-Incident Activity.

Which of the following is an example of a physical security control that can prevent unauthorized access to a data center?. Firewall configuration. Biometric authentication. Intrusion detection system. Data encryption.

During a Distributed Denial of Service (DDoS) attack, which mitigation technique involves redirecting malicious traffic to a separate infrastructure designed to handle it?. Blackholing. Rate limiting. Scrubbing. IP filtering.

Which of the following standards provides guidelines for establishing an Information Security Management System (ISMS) that includes incident response processes?. ISO/IEC 27001. PCI DSS. NIST SP 800-53. ITIL.

What is the primary purpose of maintaining an audit trail in the context of incident response?. To track employee performance metrics. To reconstruct events and provide evidence for investigations. To monitor real-time network bandwidth usage. To schedule regular system updates.

Which of the following is a common indicator of a potential data exfiltration attempt by an insider?. Regular software updates being applied. Large volumes of data being transferred to an external device. Installation of a new firewall. Routine employee training sessions.

During an incident, an attacker uses a technique that modifies a legitimate website to redirect users to a malicious site. What is this attack called?. Pharming. Phishing. Cross-Site Scripting (XSS). SQL Injection.

Which of the following actions should be taken immediately after identifying that a system has been compromised by a virus?. Update the antivirus software. Isolate the infected system from the network. Run a full system scan. Reboot the system to clear the virus.

In the NIST risk management framework, which step involves determining the likelihood and impact of a risk occurring?. System Characterization. Risk Assessment. Control Implementation. Monitoring.

Which of the following is a key characteristic of a worm compared to other types of malware?. It requires user interaction to spread. It encrypts files for ransom. It self-replicates and spreads without user intervention. It hides within legitimate software.

What is the purpose of a sandbox environment in the context of incident response?. To store sensitive data securely. To analyze malware in an isolated environment. To train employees on security practices. To simulate a full network shutdown.

Which of the following is a legal consideration that incident responders must address when collecting evidence?. Ensuring all evidence is admissible in court. Encrypting all collected data immediately. Deleting logs after analysis. Sharing evidence with the media.

An organization implements a Security Information and Event Management (SIEM) system. What is its primary function in incident response?. To encrypt network traffic. To collect and analyze security event logs in real-time. To block all incoming connections. To perform automated backups.

Which of the following is a common method to mitigate a brute-force attack on a login system?. Disabling all user accounts. Implementing account lockout after failed attempts. Removing all password requirements. Allowing unlimited login attempts.

Which phase of the incident response process involves validating that systems are fully operational and secure after an incident?. Containment. Eradication. Recovery. Detection.

Which of the following is a primary reason for maintaining a detailed incident response log during an investigation?. To schedule employee shifts. To provide a timeline of actions for legal and auditing purposes. To update software configurations. To monitor network bandwidth usage.

An attacker uses a malicious script embedded in a web page to steal user session cookies. What type of attack is this?. Cross-Site Scripting (XSS). Cross-Site Request Forgery (CSRF). SQL Injection. Directory Traversal.

Which of the following should be included in an incident response communication plan to ensure effective coordination?. A list of all employee birthdays. Contact information for key stakeholders and escalation procedures. Details of the company’s marketing strategy. A schedule for routine system maintenance.

In a forensic investigation, what is the purpose of hashing digital evidence?. To compress the data for storage. To verify the integrity and authenticity of the evidence. To encrypt the data for security. To speed up the analysis process.

Which of the following is a key difference between a vulnerability and a threat?. A vulnerability is a weakness, while a threat is a potential danger exploiting that weakness. A vulnerability is an attack, while a threat is a defense mechanism. A vulnerability is a malicious actor, while a threat is a software bug. A vulnerability is a risk, while a threat is a control.

During a ransomware incident, an organization decides not to pay the ransom. What should be the next step after containment?. Analyze the ransomware to identify its source. Eradicate the ransomware and restore systems from backups. Notify all employees via email. Reboot all systems to remove the infection.

Which of the following is a common tool used to analyze network packets during an incident investigation?. Microsoft Excel. Wireshark. Notepad. Windows Defender.

What is the primary purpose of a Disaster Recovery Plan (DRP) compared to a Business Continuity Plan (BCP)?. To ensure ongoing business operations during an incident. To restore IT systems and data after a disaster. To train employees on security awareness. To prevent all security incidents.

Which of the following is a key metric to evaluate the effectiveness of an incident response process?. Number of employees in the IT department. Time to detect and contain an incident. Amount of data stored in the cloud. Frequency of software updates.

Which of the following regulations requires organizations in the healthcare sector to report security incidents involving protected health information (PHI)?. GDPR. PCI DSS. HIPAA. SOX.

Which of the following is a common technique used by attackers to hide their presence in a compromised system?. Encrypting all network traffic. Installing rootkits to manipulate system logs. Running regular antivirus scans. Updating system software.

During an incident, an attacker exploits a weakness in a web application to inject malicious code into a database. What type of attack is this?. SQL Injection. Cross-Site Scripting (XSS). Buffer Overflow. Phishing.

Which of the following should be the FIRST step when developing an incident response plan?. Conduct a risk assessment to identify potential threats. Purchase forensic analysis tools. Train all employees on the plan. Implement network firewalls.

In the context of incident response, what does the acronym SLA stand for, and what is its purpose?. System Log Analysis - To analyze system performance. Service Level Agreement - To define response time expectations. Security Lockout Agreement - To restrict access during incidents. Software License Agreement - To manage software usage.

Which of the following is a key benefit of using an Intrusion Detection System (IDS) in an organization?. It prevents all security incidents. It detects suspicious activity and alerts administrators. It encrypts all network traffic. It automatically patches vulnerabilities.

During a security incident, an organization identifies that sensitive data was leaked due to a misconfigured cloud storage bucket. Which phase of incident response involves correcting this misconfiguration?. Detection. Containment. Eradication. Recovery.

Which of the following is a common method to protect evidence integrity when transporting it to a forensic lab?. Storing it in a shared network drive. Using tamper-evident packaging and documenting chain of custody. Copying it to multiple USB drives. Emailing it to the forensic team.

What is the primary goal of the containment phase in incident response?. To fully restore affected systems. To limit the scope and impact of the incident. To identify the attacker’s identity. To analyze the root cause of the incident.

Which of the following tools is commonly used to create forensic images of hard drives?. Microsoft Word. FTK Imager. Windows Task Manager. Adobe Acrobat.

Which of the following is a key requirement of the Payment Card Industry Data Security Standard (PCI DSS) related to incident response?. Encrypting all employee emails. Establishing and maintaining an incident response plan. Conducting annual employee satisfaction surveys. Installing biometric locks on all doors.

Which of the following is a common social engineering technique used to manipulate individuals into revealing confidential information?. Installing a rootkit. Pretexting. Running a vulnerability scan. Encrypting network traffic.

An attacker floods a network with ICMP packets using spoofed source addresses to overwhelm a target system. What type of attack is this?. SYN Flood. Smurf Attack. HTTP Flood. Buffer Overflow.

Which of the following should be performed during the recovery phase to ensure systems are secure before returning to normal operation?. Conduct a vulnerability scan and apply patches. Reinstall all software from scratch. Notify all employees of the incident. Delete all system logs.

In the context of incident response, what is the purpose of a "lessons learned" meeting?. To assign blame to team members. To identify improvements for future incident handling. To update employee contact information. To schedule routine maintenance.

Which of the following is a key characteristic of a Distributed Denial of Service (DDoS) attack?. It targets a single system with encrypted traffic. It uses multiple compromised systems to overwhelm a target. It steals sensitive data from a database. It requires physical access to the target.

During a forensic investigation, why is it important to document the chain of custody?. To increase the speed of evidence analysis. To ensure evidence remains admissible in court by tracking its handling. To encrypt the evidence for storage. To reduce the size of evidence files.

Which of the following is a common mitigation strategy for preventing phishing attacks?. Disabling all email services. Implementing email filtering and user awareness training. Removing all network firewalls. Allowing all email attachments.

What is the primary role of a forensic examiner in an incident response team?. To develop new security policies. To collect, preserve, and analyze digital evidence. To manage network firewalls. To train employees on security practices.

Which of the following is a key requirement for an effective incident response tabletop exercise?. Simulating a realistic incident scenario with key stakeholders. Shutting down all systems during the exercise. Focusing only on technical staff participation. Conducting the exercise without prior planning.

Which of the following standards provides a framework for managing IT governance, including incident response processes?. ISO/IEC 27001. COBIT. NIST SP 800-61. PCI DSS.

Which of the following is a common indicator of a potential Advanced Persistent Threat (APT) in an organization?. Regular software updates being applied. Unusual outbound network traffic over an extended period. Installation of new security patches. Routine employee logins during business hours.

An attacker uses a technique that intercepts communication between two parties to steal sensitive data. What type of attack is this?. Phishing. Man-in-the-Middle (MitM). SQL Injection. Denial of Service.

Which of the following should be the FIRST action taken when a system is suspected of being infected with malware?. Run a full antivirus scan. Disconnect the system from the network. Reboot the system. Update the operating system.

In the NIST SP 800-61 incident handling process, which phase involves collecting data to determine the scope and impact of an incident?. Preparation. Detection and Analysis. Containment, Eradication, and Recovery. Post-Incident Activity.

Which of the following is a key difference between a virus and a Trojan?. A virus self-replicates, while a Trojan disguises itself as legitimate software. A virus steals data, while a Trojan encrypts files. A virus requires no user interaction, while a Trojan spreads automatically. A virus is harmless, while a Trojan is malicious.

During an incident response, what is the purpose of creating a system image before performing analysis?. To speed up the investigation process. To preserve the original evidence in an unaltered state. To delete unnecessary files. To install security updates.

Which of the following is a common technique to mitigate the risk of insider threats?. Granting all employees administrator privileges. Implementing least privilege access controls. Disabling all audit logs. Allowing unrestricted USB device usage.

What is the primary purpose of a Security Operations Center (SOC) in incident response?. To develop new software applications. To monitor and respond to security incidents in real-time. To conduct employee performance reviews. To manage physical security cameras.

Which of the following is a key consideration when deciding whether to notify law enforcement after a security incident?. The number of employees in the IT department. The severity of the incident and legal reporting requirements. The cost of new hardware. The time of day the incident occurred.

Which of the following tools is commonly used to analyze memory dumps during a forensic investigation?. Microsoft Paint. Volatility. Windows Explorer. Notepad.

Which of the following is a common method used by attackers to maintain persistence in a compromised system?. Running regular antivirus scans. Creating scheduled tasks or backdoors. Updating system firmware. Disabling network connectivity.

An attacker sends a crafted packet that exceeds a system’s buffer capacity, causing it to crash. What type of attack is this?. Buffer Overflow. SYN Flood. Phishing. Man-in-the-Middle.

Which of the following should be included in an incident response kit to assist with forensic analysis?. A collection of office supplies. Write blockers, forensic imaging tools, and evidence bags. A company handbook. Employee training manuals.

In the context of risk management, what does the term "residual risk" refer to?. The risk eliminated by security controls. The risk remaining after security controls are applied. The initial risk before any controls are implemented. The risk caused by employee negligence.

Which of the following is a key characteristic of ransomware compared to other malware types?. It self-replicates across networks. It encrypts files and demands payment for decryption. It hides within legitimate software. It records user keystrokes.

During an incident, what is the purpose of performing a root cause analysis?. To assign blame to the responsible party. To identify the underlying reason for the incident. To restore systems to full operation. To notify external stakeholders.

Which of the following is a common physical security measure to protect against unauthorized access to server rooms?. Installing a firewall. Using keycard access controls. Encrypting network traffic. Running antivirus software.

What is the primary purpose of conducting a penetration test as part of incident preparation?. To monitor real-time network traffic. To identify vulnerabilities before they are exploited. To encrypt sensitive data. To train employees on phishing awareness.

Which of the following is a key requirement of the General Data Protection Regulation (GDPR) regarding data breaches?. Reporting breaches to authorities within 72 hours of discovery. Encrypting all data within 24 hours. Notifying employees only after one month. Deleting all affected data immediately.

Which of the following tools is commonly used to monitor network traffic and detect anomalies during an incident?. Microsoft Excel. Wireshark. Adobe Photoshop. Windows Calculator.

Which of the following is a common technique used by attackers to bypass authentication mechanisms?. Updating system software. Credential stuffing using stolen passwords. Running antivirus scans. Encrypting all user data.

An attacker exploits a vulnerability in a web application to forge a request on behalf of an authenticated user. What type of attack is this?. SQL Injection. Cross-Site Request Forgery (CSRF). Phishing. Buffer Overflow.

Which of the following is a critical step to take during the containment phase of a ransomware incident?. Pay the ransom immediately. Isolate affected systems and preserve evidence. Reboot all systems to remove the infection. Delete all encrypted files.

In the context of incident response, what does the term "false positive" refer to?. A confirmed security incident. An alert that indicates a threat but is not an actual incident. A successful mitigation of an attack. A backup restoration error.

Which of the following is a key feature of a worm that distinguishes it from a virus?. It requires user interaction to execute. It attaches to legitimate files. It spreads independently across networks. It encrypts data for ransom.

During an incident, what is the purpose of using a network tap or span port?. To encrypt network traffic. To capture network traffic for analysis without disrupting operations. To block all incoming connections. To update firewall rules.

Which of the following is a common method to prevent unauthorized physical access to sensitive equipment?. Disabling all security logs. Using locked cabinets or server racks. Allowing unrestricted visitor access. Removing all authentication systems.

What is the primary goal of the eradication phase in incident response?. To detect the initial breach. To remove the threat and eliminate vulnerabilities. To restore systems to normal operation. To document the incident timeline.

Which of the following is a key requirement of the Health Insurance Portability and Accountability Act (HIPAA) regarding incident response?. Reporting all incidents to the public within 24 hours. Implementing safeguards and responding to breaches of protected health information. Encrypting all data within one week. Conducting annual employee performance reviews.

Which of the following tools is commonly used to perform static analysis of malware without executing it?. Wireshark. IDA Pro. Volatility. FTK Imager.

Which of the following is a common method used by attackers to exploit trust relationships between systems?. Installing regular software updates. Pass-the-hash attacks. Running system diagnostics. Encrypting all sensitive files.

An attacker uses a malicious USB device to deliver malware to a system when plugged in. What type of attack vector is this?. Phishing. Physical attack. Network-based attack. SQL Injection.

Which of the following should be the FIRST step when responding to a suspected data breach involving customer information?. Notify all customers immediately. Confirm the breach and assess its scope. Delete all affected data. Update all system passwords.

In the context of incident response, what does the term "triage" refer to?. The process of restoring systems after an incident. The initial assessment and prioritization of incidents. The encryption of sensitive data. The deployment of new security software.

Which of the following is a key characteristic of a botnet?. It encrypts files for ransom. It consists of a network of compromised devices controlled remotely. It requires user interaction to spread. It hides within legitimate software.

During an incident, what is the purpose of using a sandbox to analyze a suspicious file?. To permanently delete the file. To execute the file in an isolated environment and observe its behavior. To encrypt the file for storage. To share the file with law enforcement.

Which of the following is a common technique to mitigate the risk of SQL injection attacks?. Allowing all user inputs without validation. Using parameterized queries and input validation. Disabling all database access. Removing all web applications.

What is the primary purpose of a Business Continuity Plan (BCP) in the event of a security incident?. To identify the attacker’s identity. To ensure critical business functions continue during and after an incident. To analyze malware behavior. To document the chain of custody.

Which of the following is a key requirement of the Sarbanes-Oxley Act (SOX) related to incident response?. Encrypting all customer data within 48 hours. Maintaining accurate records and controls to protect financial data. Notifying all employees within 24 hours. Conducting daily vulnerability scans.

Which of the following tools is commonly used to automate incident response tasks, such as blocking malicious IP addresses?. Microsoft Word. SOAR platforms (e.g., Splunk SOAR). Windows Paint. Notepad.

Which of the following is a common technique used by attackers to evade detection by antivirus software?. Running system updates. Using polymorphic malware that changes its code. Encrypting all network traffic. Disabling all user accounts.

An attacker uses a technique that tricks a user into clicking a link that executes malicious code in their browser. What type of attack is this?. Drive-by Download. Phishing. SQL Injection. Man-in-the-Middle.

Which of the following should be the FIRST step when an organization detects a potential insider threat?. Terminate the suspected employee immediately. Gather evidence and monitor the insider’s activities. Notify all employees of the threat. Shut down all systems.

In the context of incident response, what does the term "attack surface" refer to?. The physical location of servers. All potential points where an attacker could exploit a system. The total number of employees in an organization. The encryption strength of a network.

Which of the following is a key characteristic of a zero-day exploit?. It targets well-known vulnerabilities. It exploits a vulnerability unknown to the vendor or public. It requires physical access to the system. It only affects outdated software.

During an incident, what is the purpose of performing a backup of affected systems before eradication?. To speed up the recovery process. To preserve evidence for forensic analysis. To delete all traces of the attack. To update system software.

Which of the following is a common technique to mitigate the risk of a Distributed Denial of Service (DDoS) attack?. Disabling all network traffic. Using rate limiting and traffic filtering. Allowing unlimited connections. Removing all firewalls.

What is the primary purpose of a vulnerability management program in incident preparation?. To monitor real-time network traffic. To identify and remediate weaknesses before exploitation. To encrypt all sensitive data. To train employees on physical security.

Which of the following is a key requirement of the Payment Card Industry Data Security Standard (PCI DSS) for incident response?. Conducting daily employee training sessions. Monitoring and responding to security alerts promptly. Encrypting all data within 12 hours. Notifying customers within 24 hours.

Which of the following tools is commonly used to detect and analyze network intrusions during an incident?. Microsoft PowerPoint. Snort. Windows Media Player. Notepad.

Which of the following is a common method used by attackers to escalate privileges on a compromised system?. Running system diagnostics. Exploiting unpatched software vulnerabilities. Encrypting all user files. Disabling network firewalls.

An attacker uses a technique that floods a web server with HTTP requests to exhaust its resources. What type of attack is this?. SYN Flood. HTTP Flood. Smurf Attack. Phishing.

Which of the following should be the FIRST step when responding to a suspected phishing email received by an employee?. Delete the email without investigation. Investigate the email’s source and isolate the affected user. Notify all employees immediately. Reboot the employee’s computer.

In the context of incident response, what does the term "mean time to detect" (MTTD) measure?. The time taken to recover systems after an incident. The average time taken to identify a security incident. The time required to train incident responders. The duration of a system backup.

Which of the following is a key characteristic of spyware?. It encrypts files and demands ransom. It collects user data without consent. It self-replicates across networks. It requires physical access to install.

During an incident, what is the purpose of conducting a system integrity check?. To encrypt all system files. To verify that system files have not been altered by the attacker. To delete temporary files. To update the operating system.

Which of the following is a common technique to mitigate the risk of a man-in-the-middle (MitM) attack?. Disabling all encryption. Using HTTPS and validating certificates. Allowing unverified connections. Removing all network monitoring.

What is the primary purpose of a post-incident report?. To schedule employee training. To document the incident details and lessons learned. To encrypt sensitive data. To monitor network traffic.

Which of the following is a key requirement of ISO/IEC 27001 for managing security incidents?. Conducting annual employee satisfaction surveys. Establishing processes to identify, respond to, and recover from incidents. Encrypting all data within 24 hours. Notifying the public within 48 hours.

Which of the following tools is commonly used to generate forensic hashes of digital evidence?. Microsoft Excel. HashCalc. Windows Task Manager. Notepad.

Which of the following is a common method used by attackers to exfiltrate data from a compromised network?. Running system backups. Using encrypted tunnels like DNS tunneling. Updating antivirus definitions. Disabling all network adapters.

An attacker uses a technique that manipulates a system’s DNS records to redirect traffic to a malicious server. What type of attack is this?. Phishing. DNS Spoofing. SQL Injection. Buffer Overflow.

Which of the following should be the FIRST step when responding to a detected Distributed Denial of Service (DDoS) attack?. Shut down all servers. Identify the attack source and implement traffic filtering. Notify all customers immediately. Reboot the network routers.

In the context of incident response, what does the term "chain of custody" ensure?. The speed of system recovery. The integrity and legal admissibility of evidence. The encryption of all data. The monitoring of network traffic.

Which of the following is a key characteristic of a rootkit?. It encrypts files for ransom. It hides its presence by modifying system processes. It spreads automatically across networks. It requires user interaction to install.

During an incident, what is the purpose of isolating a compromised system from the network?. To speed up forensic analysis. To prevent the spread of the threat to other systems. To update the system software. To delete all system logs.

Which of the following is a common technique to mitigate the risk of credential theft?. Allowing password reuse across systems. Implementing multi-factor authentication (MFA). Disabling all user accounts. Removing all password policies.

What is the primary purpose of conducting a risk assessment as part of incident preparation?. To monitor real-time network traffic. To identify potential threats and vulnerabilities. To encrypt all sensitive data. To train employees on physical security.

Which of the following is a key requirement of the NIST SP 800-61 guidelines for incident response?. Conducting annual employee performance reviews. Documenting and analyzing incidents to improve response processes. Encrypting all data within 48 hours. Notifying the public within 24 hours.

Which of the following tools is commonly used to perform live forensic analysis on a running system?. Microsoft Word. Memoryze. Windows Calculator. Notepad.

Which of the following is a common method used by attackers to deliver malware via email attachments?. Sending encrypted system logs. Disguising malicious files as legitimate documents. Running antivirus scans on attachments. Disabling email servers.

An attacker uses a technique that sends fraudulent ARP messages to associate their MAC address with a legitimate IP. What type of attack is this?. ARP Spoofing. DNS Spoofing. Phishing. SQL Injection.

Which of the following should be the FIRST step when responding to a detected ransomware infection?. Pay the ransom to recover files. Isolate the infected system from the network. Delete all encrypted files. Notify the media immediately.

In the context of incident response, what does the term "indicators of compromise" (IoCs) refer to?. The total number of employees affected. Evidence or artifacts that suggest a system has been breached. The encryption level of a network. The speed of system recovery.

Which of the following is a key characteristic of a Trojan horse?. It self-replicates across networks. It masquerades as legitimate software to trick users. It encrypts files for ransom. It spreads without user interaction.

During an incident, what is the purpose of documenting all actions taken by the response team?. To speed up system restoration. To provide a record for analysis, auditing, and legal purposes. To encrypt response data. To delete unnecessary logs.

Which of the following is a common technique to mitigate the risk of cross-site scripting (XSS) attacks?. Allowing all scripts to run without restriction. Implementing input sanitization and output encoding. Disabling all web browsers. Removing all user authentication.

What is the primary purpose of a Computer Security Incident Response Team (CSIRT)?. To develop new software applications. To coordinate and manage responses to security incidents. To encrypt all network traffic. To conduct employee performance reviews.

Which of the following is a key requirement of the General Data Protection Regulation (GDPR) for incident notification?. Notifying all employees within 12 hours. Reporting breaches to the data protection authority within 72 hours. Encrypting all data within 24 hours. Conducting daily system backups.

Which of the following tools is commonly used to analyze log files during an incident investigation?. Microsoft Paint. Splunk. Windows Media Player. Notepad.

Which of the following is the first step in the incident handling process?. Containment. Preparation. Eradication. Recovery.

What is the primary goal of incident response?. To minimize damage and reduce recovery time and cost. To punish the attackers. To ignore the incident and continue normal operations. To publicize the incident to gain public sympathy.

Which of the following is NOT a phase in the incident response process?. Detection and Analysis. Prevention. Containment, Eradication, and Recovery. Post-Incident Activity.

In which stage of the incident response process is the impact of the incident assessed?. Detection and Analysis. Containment. Eradication. Recovery.

Which of the following activities is part of the containment phase?. Identifying the source of the incident. Isolating affected systems. Restoring systems to normal operation. Documenting lessons learned.

What is the purpose of eradication in the incident response process?. To limit the spread of the incident. To remove the cause of the incident. To restore affected systems to normal operation. To document the incident.

Which of the following is a key activity in the recovery phase?. Identifying affected systems. Isolating the incident. Restoring systems and data. Analyzing the incident.

What is the purpose of post-incident activity?. To detect the incident. To learn from the incident and improve security. To contain the incident. To eradicate the incident.

Which of the following is a critical aspect of incident response preparation?. Ignoring potential threats. Establishing incident response policies and procedures. Delaying incident response training. Avoiding communication with stakeholders.

What is the importance of documenting incident details?. To erase evidence of the incident. To provide a record for analysis, legal purposes, and future improvement. To avoid dealing with the incident. To blame individuals for the incident.

Which of the following is a common type of malware that replicates itself and spreads to other computers?. Virus. Trojan. Spyware. Adware.

What is the primary purpose of a firewall?. To encrypt data. To block unauthorized access to a network. To detect and remove malware. To manage network traffic.

Which of the following is a social engineering technique used to trick individuals into revealing sensitive information?. Denial of Service (DoS). Phishing. SQL Injection. Cross-Site Scripting (XSS).

What is the purpose of encryption?. To delete data. To convert data into a format that is unreadable without a key. To compress data. To organize data.

Which of the following is a method used to verify the integrity of a file?. Hashing. Encryption. Compression. Duplication.

What is the purpose of a VPN (Virtual Private Network)?. To increase internet speed. To create a secure, encrypted connection over a less secure network. To block all internet access. To replace antivirus software.

Which of the following is a type of attack that floods a network with traffic to prevent legitimate users from accessing it?. Phishing. Denial of Service (DoS). SQL Injection. Cross-Site Scripting (XSS).

What is the purpose of an Intrusion Detection System (IDS)?. To prevent all network traffic. To monitor a network or system for malicious activity. To encrypt network traffic. To provide antivirus protection.

Which of the following is a security measure that restricts access to resources based on the identity of the user?. Encryption. Access Control. Firewall. VPN.

What is the purpose of a security audit?. To install new software. To assess the security posture of an organization. To provide employee training. To manage network traffic.

Which of the following is a security practice that involves regularly backing up data?. Data Encryption. Data Backup. Firewall Protection. Intrusion Detection.

What is the purpose of a DMZ (Demilitarized Zone)?. To encrypt all network traffic. To provide a buffer zone between a private network and the internet. To block all internet access. To replace antivirus software.

Which of the following is a type of attack that exploits vulnerabilities in software code?. Phishing. SQL Injection. Denial of Service (DoS). Social Engineering.

What is the purpose of a password policy?. To make passwords easy to guess. To enforce strong password requirements. To share passwords with all employees. To avoid using passwords.

Which of the following is a method used to authenticate users?. Encryption. Biometrics. Firewall. VPN.

What is the purpose of vulnerability scanning?. To install new software. To identify security weaknesses in a system. To provide employee training. To manage network traffic.

Which of the following is a type of malware that is designed to steal sensitive information?. Virus. Spyware. Trojan. Worm.

What is the purpose of an Intrusion Prevention System (IPS)?. To prevent all network traffic. To detect and block malicious activity. To encrypt network traffic. To provide antivirus protection.

Which of the following is a security measure that involves educating employees about security threats and best practices?. Encryption. Security Awareness Training. Firewall. VPN.

What is the purpose of a risk assessment?. To install new software. To identify and evaluate potential security risks. To provide employee training. To manage network traffic.

Which of the following is a key component of a strong incident response plan?. Ignoring security alerts. Clear roles and responsibilities. Delaying communication with stakeholders. Avoiding documentation.

What is the purpose of a Security Information and Event Management (SIEM) system?. To install new software. To collect, analyze, and correlate security logs. To provide employee training. To manage network traffic.

Which of the following is a type of attack that involves intercepting and altering communication between two parties?. Phishing. Man-in-the-Middle (MitM). SQL Injection. Denial of Service (DoS).

What is the purpose of a security policy?. To make security decisions without rules. To provide a framework for security practices. To share sensitive information publicly. To avoid using security measures.

Which of the following is a method used to protect data at rest?. Data Encryption. Firewall. VPN. Intrusion Detection.

What is the purpose of a penetration test?. To install new software. To simulate a cyberattack to identify vulnerabilities. To provide employee training. To manage network traffic.

Which of the following is a type of malware that is designed to hold a computer system hostage until a ransom is paid?. Virus. Ransomware. Trojan. Worm.

What is the purpose of a security patch?. To prevent all network traffic. To fix security vulnerabilities in software. To encrypt network traffic. To provide antivirus protection.

Which of the following is a security measure that involves implementing a least privilege access model?. Encryption. Access Control. Firewall. VPN.

What is the purpose of a disaster recovery plan?. To install new software. To restore IT systems and data after a disaster. To provide employee training. To manage network traffic.

Which of the following is a security practice that involves regularly updating software and systems?. Patch Management. Firewall Protection. Intrusion Detection. Data Encryption.

What is the purpose of a honeypot?. To encrypt network traffic. To attract and detect attackers. To block all internet access. To replace antivirus software.

Which of the following is a type of attack that exploits vulnerabilities in web applications?. Phishing. Cross-Site Scripting (XSS). Denial of Service (DoS). Social Engineering.

What is the purpose of a data loss prevention (DLP) system?. To make data easy to access. To detect and prevent data exfiltration. To share data with all employees. To avoid using data security measures.

Which of the following is a method used to protect data in transit?. Data Encryption. Firewall. VPN. Intrusion Detection.

What is the purpose of a vulnerability assessment?. To install new software. To identify and prioritize security vulnerabilities. To provide employee training. To manage network traffic.

Which of the following is a type of malware that spreads across networks by exploiting vulnerabilities in operating systems or applications?. Virus. Worm. Trojan. Spyware.

What is the purpose of a web application firewall (WAF)?. To prevent all network traffic. To protect web applications from attacks. To encrypt network traffic. To provide antivirus protection.

Which of the following is a security measure that involves implementing multi-factor authentication?. Encryption. Authentication. Firewall. VPN.

What is the purpose of a business continuity plan?. To install new software. To ensure business operations continue during disruptions. To provide employee training. To manage network traffic.

Which of the following is a security measure that involves implementing network segmentation?. Encryption. Network Security. Firewall. VPN.

What is the purpose of a security operations center (SOC)?. To install new software. To monitor and respond to security incidents. To provide employee training. To manage network traffic.

Which of the following is a type of attack that exploits vulnerabilities in operating systems?. Phishing. Buffer Overflow. Denial of Service (DoS). Social Engineering.

What is the purpose of a security policy review?. To make security decisions without rules. To ensure policies are up-to-date and effective. To share sensitive information publicly. To avoid using security measures.

Which of the following is a method used to protect data during transmission?. Data Encryption. Firewall. VPN. Intrusion Detection.

What is the purpose of a security risk assessment?. To install new software. To identify, analyze, and evaluate security risks. To provide employee training. To manage network traffic.

Which of the following is a type of malware that infects files?. Virus. Worm. Trojan. Spyware.

What is the purpose of a security incident response plan?. To prevent all network traffic. To provide a structured approach to handling security incidents. To encrypt network traffic. To provide antivirus protection.

Which of the following is a security measure that involves implementing security best practices?. Encryption. Security Hardening. Firewall. VPN.

What is the purpose of a security awareness program?. To install new software. To educate users about security threats and best practices. To provide employee training. To manage network traffic.

Which of the following is a type of attack that exploits vulnerabilities in web browsers?. Phishing. Cross-Site Scripting (XSS). Denial of Service (DoS). Social Engineering.

Which of the following is a security measure that involves implementing a defense-in-depth strategy?. Encryption. Security Architecture. Firewall. VPN.

Total cost of disruption of an incident is the sum of. Recovery costs and lost revenue. Recovery costs and legal fees. Lost revenue and legal fees. Recovery costs, lost revenue and legal fees.

Incident prioritization must be based on: Number of affected users. Potential damage to the organization. Type of attack. All of the above.

Which of the following is a security measure that involves implementing a zero-trust security model?. Encryption. Network Security. Firewall. VPN.

Which of the following can be considered synonymous: Threat and Vulnerability. Risk and Vulnerability. Threat and Risk. Threat, Risk and Vulnerability.

A payroll system has a vulnerability that cannot be exploited by current technology. Which of the following is correct about this scenario: The system is not at risk. The system is at risk. The system is potentially at risk. The system is definitely at risk.

The overall likelihood rating of a threat exploiting a vulnerability is driven by: Asset Value. Vulnerability Severity. Threat Capability. Vulnerability Severity and Threat Capability.

The leftover risk after implementing a control is called: Residual Risk. Control Risk. Inherent Risk. Identified Risk.

Adam calculated the total cost of a control to protect $10,000 worth of data as $20,000. What do you advise Adam to do?. Implement the control. Do not implement the control. Implement the control partially. Implement an alternative control.

Which of the following is a risk management activity: Risk Assessment. Risk Mitigation. Risk Evaluation. All of the above.

Which of the following is a risk assessment tool: Nessus. Nmap. OCTAVE. Wireshark.

In the NIST risk assessment methodology, the process of identifying the boundaries of an IT system along with the resources and information that constitute the system is known as: Asset Identification. System Characterization. Threat Identification. Vulnerability Identification.

Performing Vulnerability Assessment is an example of a: Risk Assessment. Risk Mitigation. Risk Evaluation. Risk Identification.

The correct sequence of Incident Response and Handling is: Preparation, Identification, Containment, Eradication, Recovery, Follow-up. Preparation, Identification, Containment, Recovery, Eradication, Follow-up. Preparation, Identification, Recovery, Containment, Eradication, Follow-up. Preparation, Identification, Recovery, Eradication, Containment, Follow-up.

Preventing the incident from spreading and limiting the scope of the incident is known as: Eradication. Recovery. Containment. Preparation.

The process of restoring the systems to normal operations is known as: Recovery. Eradication. Containment. Preparation.

The correct sequence of the incident management process is: Identification, Detection, Response, Mitigation, Reporting and Recovery. Detection, Identification, Response, Reporting, Mitigation and Recovery. Detection, Identification, Response, Mitigation, Recovery and Reporting. Identification, Detection, Response, Reporting, Recovery and Mitigation.

The incident response team must adhere to the following: Policies and procedures. Laws and regulations. Organizational guidelines. All of the above.

Which of the following is an incident tracking, reporting and handling tool: Nessus. ServiceNow. Nmap. Wireshark.

Removing or eliminating the root cause of the incident is called: Eradication. Recovery. Containment. Preparation.

The process of dealing with security incidents in a structured and systematic manner is known as: Incident management, handling and response. Incident management and handling. Incident handling and response. Incident management and response.

An Incident Response Plan requires: Well defined Incident Response Team. Up-to-date contact information for all stakeholders. Step-by-step guidance on how to handle different types of incidents. All of the above.

The service organization that provides 24x7 computer security incident response services to any user, company, government agency, or organization is known as: US-CERT. SANS Institute. NIST. ISO.

The main feature offered by PGP Desktop Email is: Antivirus. Firewall. Encryption. Intrusion Detection.

Which of the following service(s) is provided by the CSIRT: Incident Response. Vulnerability Handling. Artifacts Handling. All of the above.

The role that applies appropriate technology and tries to eradicate and recover from the incident is known as: Incident Manager. Incident Handler. Incident Analyst. Incident Responder.

The role that is responsible for stakeholder communications is known as: Incident Manager. Incident Handler. Public Relations. Incident Responder.

The role that is responsible for defining the incident response process and setting policies is known as: Incident Manager. Incident Handler. Public Relations. Incident Responder.

Which of the following is a function of the CSIRT: Incident Analysis. Vulnerability Analysis. Artifacts Analysis. All of the above.

The role that is responsible for performing the initial triage of the incident is known as: Incident Manager. Incident Handler. Incident Analyst. Incident Responder.

Which of the following is a key component of an Incident Response Plan: Roles and Responsibilities. Communication Plan. Step-by-step guidance. All of the above.

Which of the following is an example of an incident handling tool: ServiceNow. Jira. Remedy. All of the above.

The role that is responsible for performing the technical analysis of the incident is known as: Incident Manager. Incident Handler. Incident Analyst. Incident Responder.

Which of the following is a phase in the incident response process: Preparation. Detection and Analysis. Containment, Eradication, and Recovery. All of the above.

The role that is responsible for coordinating the incident response effort is known as: Incident Manager. Incident Handler. Incident Analyst. Incident Responder.

Which of the following is a type of incident: Malware Infection. Unauthorized Access. Denial of Service (DoS). All of the above.

The role that is responsible for communicating with the media is known as: Incident Manager. Incident Handler. Public Relations. Incident Responder.

Which of the following is a key responsibility of the Incident Manager: Technical Analysis. Policy Definition. Media Communication. Initial Triage.

Which of the following is a key responsibility of the Incident Handler: Technical Analysis. Eradication and Recovery. Media Communication. Initial Triage.

Which of the following is a key responsibility of the Incident Analyst: Technical Analysis. Policy Definition. Media Communication. Initial Triage.

Which of the following is a key responsibility of the Incident Responder: Technical Analysis. Policy Definition. Media Communication. Initial Triage.

Which of the following is a key responsibility of Public Relations: Technical Analysis. Policy Definition. Media Communication. Initial Triage.

Which of the following is a key component of an Incident Response Team: Incident Manager. Incident Handler. Incident Analyst. All of the above.

Which of the following is a key component of an Incident Handling Tool: Incident Tracking. Reporting. Handling. All of the above.

Which of the following is a key phase in the incident response process: Preparation. Detection and Analysis. Containment, Eradication, and Recovery. All of the above.

Which of the following is a key type of incident: Malware Infection. Unauthorized Access. Denial of Service (DoS). All of the above.

Which of the following is a key tool for incident tracking and reporting: ServiceNow. Jira. Remedy. All of the above.

Which of the following is a key tool for vulnerability scanning: Nessus. Nmap. OpenVAS. All of the above.

Which of the following is a key tool for network monitoring: Wireshark. tcpdump. Snort. All of the above.

Which of the following is a key tool for log analysis: Splunk. ELK Stack. Graylog. All of the above.

Which of the following is a key tool for malware analysis: Cuckoo Sandbox. VirusTotal. PE Studio. All of the above.

Which of the following is a key tool for forensic analysis: Autopsy. The Sleuth Kit (TSK). EnCase. All of the above.

Which of the following is a key tool for penetration testing: Metasploit. Burp Suite. Nessus Essentials. All of the above.

Which of the following is a key tool for security information and event management (SIEM): Splunk. IBM QRadar. AlienVault USM. All of the above.

Which of the following is a key tool for security orchestration, automation, and response (SOAR): Phantom. Demisto. Swimlane. All of the above.

Which of the following is a key tool for threat intelligence: ThreatConnect. Recorded Future. Anomali ThreatStream. All of the above.

Which of the following is a key tool for wireless network analysis: Aircrack-ng. Kismet. Wireshark. All of the above.

Which of the following is a key tool for web application security testing: Burp Suite. OWASP ZAP. Nikto. All of the above.

Which of the following is a key tool for database security testing: SQLMap. SqlNinja. BBQSQL. All of the above.

Which of the following is a key tool for cloud security monitoring: AWS CloudTrail. Azure Monitor. Google Cloud Logging. All of the above.

Which of the following is a key tool for mobile security testing: MobSF. QARK. Drozer. All of the above.

Which of the following is a key tool for IoT security testing: Shodan. Firmware Analysis Toolkit (FACT). PRET. All of the above.

Which of the following is a key tool for ICS/SCADA security testing: Modbus Scan. DNP3 Scan. EtherNet/IP Scan. All of the above.

Which of the following is a key tool for security compliance monitoring: Nessus Professional. QualysGuard. Tripwire IP360. All of the above.

Which of the following is a key tool for security automation: Ansible. Chef. Puppet. All of the above.

Which of the following is a key tool for security orchestration: Demisto. Swimlane. Siemplify. All of the above.

Which of the following is a key tool for security hardening: Lynis. OpenSCAP. CIS Benchmarks. All of the above.

Which of the following is a key tool for security auditing: Nessus Professional. QualysGuard. Tripwire IP360. All of the above.

Which of the following is a key tool for security logging: Syslog-ng. Rsyslog. NXLog. All of the above.

Which of the following is a key tool for security monitoring: Nagios. Zabbix. Icinga. All of the above.

Which of the following is a key tool for security analysis: Security Onion. REMnux. SANS SIFT Workstation. All of the above.

Which of the following is a key tool for security reporting: Dradis. MagicTree. CutyCapt. All of the above.

Which of the following is a key tool for security response: TheHive. Cortex. Shuffle. All of the above.

Which of the following is a key tool for security intelligence: MISP. OpenCTI. ThreatIngestor. All of the above.

Which of the following best describes the primary goal of a security incident response plan?. To prevent all security incidents. To minimize the impact of security incidents. To identify and punish the perpetrators of security incidents. To replace all compromised systems immediately.

What is the purpose of a honeypot in network security?. To encrypt network traffic. To detect and analyze unauthorized access attempts. To prevent denial-of-service attacks. To improve network performance.

Which of the following is a common method for mitigating the risk of SQL injection attacks?. Using strong passwords. Implementing input validation and parameterized queries. Encrypting database backups. Disabling remote access to the database.

What does the term "least privilege" mean in the context of information security?. Granting all users full access to all systems and data. Granting users only the minimum necessary access to perform their job functions. Restricting access to all systems and data for all users. Regularly changing user passwords.

Which of the following is a key component of a strong password policy?. Allowing users to reuse old passwords. Requiring passwords to be changed only when a security breach occurs. Enforcing the use of complex passwords with a mix of character types. Storing passwords in plain text for easy recovery.

What is the primary purpose of a firewall in network security?. To encrypt network traffic. To filter and control network traffic based on predefined rules. To detect and remove malware from network devices. To improve network bandwidth.

Which of the following best describes the purpose of a VPN (Virtual Private Network)?. To block all internet access. To create a secure, encrypted connection over a public network. To speed up internet browsing. To replace a physical network.

What is the primary goal of vulnerability scanning?. To exploit vulnerabilities in a system. To identify potential security weaknesses in a system. To encrypt sensitive data. To prevent unauthorized access to a network.

Which of the following is a common method for preventing cross-site scripting (XSS) attacks?. Using strong encryption. Implementing input validation and output encoding. Regularly updating antivirus software. Disabling JavaScript in the browser.

What is the purpose of a security information and event management (SIEM) system?. To encrypt network traffic. To collect and analyze security logs from various sources. To prevent denial-of-service attacks. To improve network performance.

What is the primary purpose of a security audit?. To prevent all security incidents. To evaluate the effectiveness of security controls. To develop new security policies. To punish employees who violate security policies.

Which of the following is a common method for mitigating the risk of buffer overflow attacks?. Using strong passwords. Implementing input validation and bounds checking. Encrypting network traffic. Disabling remote access to the system.

What is the purpose of a security baseline?. To define the minimum security requirements for a system or network. To identify all security vulnerabilities in a system. To encrypt sensitive data. To prevent unauthorized access to a network.

Which of the following is a key principle of secure coding practices?. Trusting all user inputs. Using hardcoded credentials. Sanitizing user inputs to prevent code injection. Storing sensitive data in plain text.

What is the primary purpose of intrusion detection systems (IDS)?. To encrypt network traffic. To detect and alert on malicious activity. To prevent denial-of-service attacks. To improve network performance.

Which of the following best describes the purpose of a security policy?. To block all internet access. To define the rules and guidelines for protecting an organization's assets. To speed up internet browsing. To replace a physical network.

What is the primary goal of penetration testing?. To exploit vulnerabilities in a system. To identify and validate security weaknesses in a system. To encrypt sensitive data. To prevent unauthorized access to a network.

Which of the following is a common method for preventing session hijacking attacks?. Using strong encryption. Implementing session timeouts and regenerating session IDs. Regularly updating antivirus software. Disabling JavaScript in the browser.

During an incident response, an attacker is found to be using a technique that involves injecting malicious code into a legitimate process to hide their activities. What is this technique called?. Process Hollowing. Buffer Overflow. Code Signing. Stack Pivoting.

Which of the following is a critical consideration when deciding whether to disconnect a compromised system from the network during an active incident?. The system's processing speed. The potential loss of volatile evidence. The system's operating system version. The number of users currently logged in.

An organization detects a data breach involving sensitive customer information. According to the ECIH methodology, which phase involves notifying affected parties and regulatory bodies?. Preparation. Containment. Recovery. Post-Incident Activity.

Which of the following tools is specifically designed to analyze memory dumps for evidence of advanced persistent threats (APTs)?. Netcat. Volatility. Nmap. John the Ripper.

An attacker uses a method that involves sending specially crafted packets to crash a system by exceeding its resource limits. What type of attack is this?. Ping of Death. HTTP Flood. SYN Flood. ARP Spoofing.

During a forensic investigation, what is the purpose of calculating hash values for collected evidence?. To compress the evidence files. To verify the integrity and authenticity of the evidence. To encrypt the evidence for secure storage. To speed up the analysis process.

Which of the following is a recommended practice to prevent lateral movement by an attacker within a network?. Using a single administrator account for all systems. Implementing network segmentation and least privilege access. Allowing unrestricted ICMP traffic. Disabling all firewalls.

In the context of incident response, what does the acronym "TTP" stand for, and why is it important?. Tactics, Techniques, and Procedures; it helps identify attacker behavior. Threat, Target, and Protection; it prioritizes system defenses. Time, Type, and Place; it tracks incident timelines. Tools, Testing, and Performance; it evaluates response tools.

Which of the following is a key requirement of the Health Insurance Portability and Accountability Act (HIPAA) for incident response?. Notifying all employees within 24 hours. Conducting a risk assessment and reporting breaches involving protected health information (PHI). Encrypting all data within 48 hours of an incident. Shutting down all affected systems immediately.

An organization receives an alert about unusual outbound traffic from a server. Which of the following should be the FIRST step in investigating this potential incident?. Reboot the server to clear the traffic. Analyze network logs and traffic patterns. Update the server’s antivirus software. Notify senior management.

Which of the following is a common indicator of a compromised system that an incident responder should look for during the identification phase?. Increased CPU usage by unknown processes. Regular software updates being applied. Scheduled backups running on time. Decreased network latency.

What is the primary purpose of using a sandbox environment during an incident investigation?. To encrypt sensitive data. To safely execute and analyze suspicious files. To restore affected systems. To monitor live network traffic.

An attacker uses a technique that involves sending a malicious email with a disguised link to steal user credentials. What is the BEST immediate response to mitigate this threat?. Shut down the email server. Block the sender’s domain and warn users. Delete all emails in the inbox. Update the email client software.

Which of the following standards provides guidelines for handling incidents involving payment card data breaches?. ISO/IEC 27001. PCI DSS. GDPR. NIST SP 800-53.

During an incident, an attacker is found to be using a compromised user account to exfiltrate data. What should be the FIRST containment action?. Delete the user account. Disable the user account. Change the user’s password. Monitor the account activity.

Which of the following is a key benefit of maintaining an up-to-date asset inventory in the preparation phase of incident response?. It reduces the need for backups. It helps identify critical systems and prioritize response efforts. It eliminates all vulnerabilities. It speeds up network performance.

An attacker uses a method that involves crafting a malicious USB device to install malware when plugged into a system. What is this attack commonly called?. USB Drop Attack. Drive-by Download. Watering Hole Attack. Man-in-the-Middle Attack.

Which of the following log sources is most useful for detecting a brute-force attack on a web application?. System event logs. Web server access logs. Firewall logs. Database transaction logs.

In the ECIH incident handling process, which phase involves applying lessons learned to improve future responses?. Containment. Eradication. Recovery. Follow-up.

Which of the following is a recommended practice for securing evidence during a forensic investigation?. Storing evidence on the original device. Using a write blocker when accessing storage media. Modifying files to simplify analysis. Copying evidence to a shared network drive.

Which of the following is NOT a common step in the incident handling process as per the ECIH methodology?. Identification. Containment. Penetration Testing. Recovery.

Which tool can be used to capture live network traffic during an incident investigation?. Wireshark. Autopsy. FTK Imager. HashCalc.

An incident handler discovers a ransomware infection. What should be the FIRST action?. Pay the ransom to recover files. Isolate the affected system from the network. Reboot the system to remove the malware. Run an antivirus scan.

Which of the following is a characteristic of a Distributed Denial of Service (DDoS) attack?. Stealing sensitive data. Overwhelming a target with traffic from multiple sources. Installing malware on a single system. Exploiting a software vulnerability.

In the ECIH framework, which phase involves removing the root cause of an incident?. Preparation. Identification. Eradication. Lessons Learned.

Which regulation requires organizations to report a data breach within 72 hours of discovery?. PCI DSS. GDPR. HIPAA. SOX.

What type of evidence includes data stored in RAM that is lost when a system is powered off?. Persistent Evidence. Volatile Evidence. Digital Evidence. Physical Evidence.

Which of the following is a best practice for preserving the chain of custody?. Allowing multiple team members to handle evidence freely. Documenting every step of evidence handling. Storing evidence on a shared drive. Modifying evidence to simplify analysis.

An attacker uses social engineering to trick an employee into revealing their login credentials. What type of attack is this?. Phishing. Brute Force. SQL Injection. Buffer Overflow.

Which of the following is a key component of an Incident Response Plan (IRP) as recommended by the ECIH framework?. List of employee birthdays. Escalation procedures and contact lists. Software update schedules. Network bandwidth limits.

What is the purpose of performing a risk assessment during the preparation phase of incident handling?. To install new software patches. To identify potential threats and vulnerabilities. To train employees on email usage. To monitor network traffic.

An incident handler observes multiple failed login attempts from an unknown IP address. What type of attack might this indicate?. SQL Injection. Brute Force Attack. Cross-Site Scripting (XSS). Man-in-the-Middle (MitM).

Which of the following tools is BEST suited for creating a forensic image of a hard drive?. Wireshark. FTK Imager. Nessus. Metasploit.

What should an incident handler do if they suspect an insider threat is responsible for a security breach?. Immediately terminate the employee. Collect evidence discreetly and follow organizational policy. Publicly announce the suspicion. Ignore the suspicion unless confirmed.

Which phase of the ECIH incident handling process involves restoring systems to normal operation?. Identification. Containment. Recovery. Eradication.

Under which regulation must an organization notify affected individuals if their personal data is breached?. ISO 27001. GDPR. PCI DSS. SOX.

Which of the following is a recommended step to prevent data loss during evidence collection?. Powering off the system immediately. Using a write blocker on storage devices. Copying files to a USB drive. Editing logs to remove irrelevant data.

What is the primary purpose of maintaining a detailed incident log during an investigation?. To track employee performance. To document actions for legal and audit purposes. To schedule future maintenance. To monitor network bandwidth.

What is the FIRST step an incident handler should take when responding to a suspected data breach?. Notify law enforcement. Confirm the incident by analyzing logs and alerts. Shut down all affected systems. Restore backups immediately.

Which of the following tools is primarily used for analyzing malware behavior in a controlled environment?. Nmap. Cuckoo Sandbox. John the Ripper. Netstat.

According to the ECIH methodology, which phase involves analyzing the root cause of an incident?. Preparation. Identification. Eradication. Lessons Learned.

Which of the following is a sign of a potential phishing attack?. Emails with urgent requests and suspicious links. Regular software update notifications. Increased server performance. Routine system backups.

What is the purpose of hashing evidence files during a forensic investigation?. To compress the files for storage. To verify the integrity of the evidence. To decrypt encrypted data. To speed up the analysis process.

Which regulation mandates encryption of sensitive data both at rest and in transit?. SOX. PCI DSS. ISO 27001. NIST 800-53.

During an incident response, which of the following should be preserved FIRST to ensure forensic integrity?. Hard drive data. Volatile memory contents. Network configuration files. System logs.

Which of the following is a common technique for detecting unauthorized access in network traffic?. Packet filtering. Intrusion Detection System (IDS) monitoring. Port scanning. Bandwidth throttling.

In the context of incident handling, what does the acronym SLA stand for?. System Logging Agreement. Service Level Agreement. Security Lifecycle Assessment. Standard Loss Analysis.

Which of the following is a key indicator of a potential SQL injection attack in web server logs?. Multiple successful login attempts. Unusual strings like 'OR 1=1' in URL parameters. High bandwidth usage. Regular file downloads.

What is the primary purpose of the 'Lessons Learned' phase in the ECIH incident handling process?. To contain the incident. To improve future incident response efforts. To eradicate malware. To notify stakeholders.

Which of the following tools can an incident handler use to recover deleted files from a compromised system?. Wireshark. Recuva. Nmap. Snort.

During an incident, an attacker uses stolen credentials to access a privileged account. What is the BEST containment action?. Delete the account immediately. Disable the account and reset credentials. Monitor the account without intervention. Reboot the system.

Which of the following is a characteristic of a zero-day exploit?. It targets outdated software. It exploits a vulnerability unknown to the vendor. It uses social engineering tactics. It requires physical access to the system.

What should an incident handler do to ensure evidence admissibility in a court of law?. Modify evidence to clarify findings. Maintain a documented chain of custody. Store evidence on the original device. Share evidence publicly for validation.

Which of the following regulations focuses on protecting healthcare-related data?. GDPR. PCI DSS. HIPAA. SOX.

An attacker floods a network with ICMP packets to disrupt service. What type of attack is this?. Phishing. Ping Flood. SQL Injection. Cross-Site Scripting.

Which of the following should be included in an incident report after a security breach?. Employee vacation schedules. Timeline of events and actions taken. Network bandwidth usage. Software license details.

What is the primary benefit of using an Intrusion Prevention System (IPS) during incident response?. It recovers deleted files. It blocks malicious traffic in real-time. It encrypts sensitive data. It scans for vulnerabilities.

Which of the following is a recommended action during the eradication phase of incident handling?. Restoring systems from backups. Removing malware and closing vulnerabilities. Notifying external stakeholders. Monitoring network traffic.

What is the primary purpose of using a Security Information and Event Management (SIEM) system in incident response?. To encrypt network traffic. To collect and analyze logs for detecting incidents. To recover deleted files. To patch software vulnerabilities.

Which of the following tools is BEST suited for examining the file system of a compromised Linux system?. Sleuth Kit. Wireshark. Nessus. Metasploit.

An attacker uses a technique that involves modifying registry keys to execute malicious code at system startup. What is this technique called?. Rootkit Installation. Registry Persistence. Process Injection. Buffer Overflow.

Which of the following is a potential indicator of a data exfiltration attempt?. Unusual outbound traffic to an unknown IP. Regular system updates. Increased user logins. Scheduled backups.

What should an incident handler do if a system cannot be immediately isolated during an active attack?. Shut down the system. Implement short-term containment measures like blocking IPs. Ignore the incident until isolation is possible. Restore the system from backup.

Which standard provides a framework for incident response and recovery from cybersecurity incidents?. ISO/IEC 27035. PCI DSS. GDPR. HIPAA.

An attacker sends a crafted packet that exceeds the maximum allowable size, causing a system crash. What is this attack known as?. SYN Flood. Ping of Death. HTTP Flood. Smurf Attack.

Which of the following should be included in the preparation phase of incident handling?. Deleting old logs. Establishing an incident response team. Rebooting all systems. Disabling firewalls.

What is the primary goal of forensic analysis during an incident response?. To restore system functionality. To identify the attack source and gather evidence. To update security policies. To train employees.

Which of the following is a common sign of a worm infection on a network?. Increased email traffic. Rapid spread of malicious code across systems. Single system rebooting repeatedly. Reduced CPU usage.

What is the BEST initial response to a detected Distributed Denial of Service (DDoS) attack?. Reboot all servers. Contact the ISP to mitigate traffic. Update antivirus software. Delete suspicious files.

Which of the following tools is used to analyze Windows event logs during an incident investigation?. Event Viewer. Wireshark. Autopsy. Nmap.

An attacker uses a technique that involves tricking a user into clicking a malicious link embedded in a legitimate-looking website. What is this attack called?. Watering Hole Attack. Phishing. SQL Injection. Drive-by Download.

Which of the following should be performed during the recovery phase of incident handling?. Identifying the attacker. Restoring systems and validating functionality. Collecting volatile evidence. Blocking malicious IPs.

What is the purpose of a chain of custody form in a forensic investigation?. To summarize the incident. To document the handling and transfer of evidence. To list software vulnerabilities. To schedule system updates.

Which regulation requires organizations to implement a written incident response plan for financial data?. GDPR. SOX. HIPAA. PCI DSS.

An attacker uses a malicious script embedded in a webpage to steal session cookies. What type of attack is this?. Cross-Site Scripting (XSS). SQL Injection. Man-in-the-Middle. Brute Force.

Which of the following is a critical step in the preparation phase to ensure effective incident response?. Deleting unused accounts. Conducting regular security awareness training. Disabling all logging. Opening additional ports.

What is the primary function of a honeypot in an incident response strategy?. To encrypt sensitive data. To detect and study attacker behavior. To restore compromised systems. To block all incoming traffic.

Which of the following is a common technique used by attackers to hide their command-and-control (C2) communications?. Using plaintext emails. Encrypting traffic with HTTPS. Sending large attachments. Disabling network logs.

What is the FIRST step an incident handler should take when a ransomware infection is confirmed?. Pay the ransom. Isolate the affected system. Reboot the system. Notify the media.

Which of the following tools can be used to analyze a memory dump for signs of malicious activity?. Volatility. Nmap. Snort. Burp Suite.

An attacker uses a method that involves sending fake ARP messages to redirect traffic. What is this attack called?. ARP Spoofing. DNS Poisoning. Session Hijacking. Smurf Attack.

Which of the following should be monitored to detect a potential insider threat?. Regular software updates. Unusual access patterns or data transfers. System performance metrics. Scheduled maintenance logs.

During which phase of the ECIH incident handling process is evidence collected and preserved?. Preparation. Identification. Containment. Eradication.

Which regulation requires organizations to protect cardholder data during a breach?. GDPR. HIPAA. PCI DSS. SOX.

An attacker uses a technique that floods a server with half-open TCP connections. What is this attack known as?. Ping Flood. SYN Flood. HTTP Flood. Smurf Attack.

Which of the following is a best practice for securing backups during incident preparation?. Storing backups on the same server. Encrypting backups and storing them offsite. Disabling backup encryption. Sharing backup access publicly.

What is the primary purpose of conducting a post-incident review?. To assign blame to team members. To identify weaknesses and improve processes. To update software licenses. To monitor employee performance.

Which of the following is a common indicator of a botnet infection on a system?. Improved system performance. Unusual outbound traffic to multiple IPs. Regular software updates. Decreased network latency.

What is the BEST action to take when a critical system must remain operational during an active incident?. Shut it down immediately. Implement short-term containment like firewall rules. Restore it from backup. Ignore the incident.

Which of the following tools is used to create a bit-by-bit copy of a storage device for forensic analysis?. EnCase. Wireshark. Nessus. Netcat.

An attacker uses a technique that involves injecting malicious code into a running process. What is this technique called?. Process Injection. Buffer Overflow. Privilege Escalation. Rootkit Deployment.

Which of the following should be monitored to detect a potential phishing campaign targeting employees?. System memory usage. Suspicious emails with unusual sender domains. Network bandwidth. Scheduled backups.

During which phase of the ECIH process is the effectiveness of containment measures evaluated?. Identification. Containment. Recovery. Lessons Learned.

Which regulation requires a risk assessment following a data breach involving personal information?. PCI DSS. GDPR. SOX. ISO 27001.

An attacker uses a method that exploits a vulnerability in a web application to upload a malicious file. What is this attack known as?. File Inclusion Attack. Cross-Site Scripting. SQL Injection. Directory Traversal.

Which of the following is a recommended practice for hardening systems during incident preparation?. Disabling unused services and ports. Enabling all default accounts. Storing passwords in plain text. Allowing unrestricted ICMP traffic.

What is the primary purpose of a digital forensic investigation following an incident?. To update security patches. To determine the scope and source of the breach. To monitor live traffic. To train the IT team.

Which of the following is a common sign of a rootkit infection on a system?. Increased system performance. Hidden processes or files not visible to standard tools. Regular antivirus updates. Decreased network traffic.

What is the BEST initial action when detecting a malware outbreak across multiple systems?. Reboot all infected systems. Isolate affected systems from the network. Run a full system scan. Notify all employees.

Which of the following tools is used to examine network packets for evidence of an attack?. Autopsy. Wireshark. FTK Imager. John the Ripper.

An attacker uses a technique that involves exploiting a trusted relationship between systems to gain access. What is this attack called?. Pass-the-Hash. Trusted Path Exploitation. Kerberoasting. Lateral Movement.

Which of the following is a key step in the identification phase of incident handling?. Restoring backups. Analyzing logs to confirm an incident. Removing malware. Updating security policies.

What should an incident handler do to preserve volatile evidence on a live system?. Shut down the system immediately. Capture memory contents before shutdown. Delete temporary files. Restart the system in safe mode.

Which regulation mandates notifying affected individuals within a specific timeframe after a healthcare data breach?. GDPR. HIPAA. PCI DSS. SOX.

An attacker uses a method that sends excessive UDP packets to overwhelm a target. What is this attack known as?. SYN Flood. UDP Flood. Ping of Death. HTTP Flood.

Which of the following is a recommended practice for incident documentation?. Recording only successful actions. Maintaining a detailed timeline of events. Deleting logs after resolution. Sharing details publicly.

What is the primary purpose of using a sandbox during malware analysis?. To encrypt malware files. To execute malware in an isolated environment. To remove malware from systems. To monitor network bandwidth.

Which of the following is a common method attackers use to escalate privileges on a compromised system?. Deleting log files. Exploiting unpatched vulnerabilities. Sending phishing emails. Disabling firewalls.

What is the BEST response to detecting a brute force attack on a web server?. Restart the server. Block the attacking IP and implement rate limiting. Update the server software. Delete all user accounts.

Which of the following tools is used to perform a forensic analysis of a mobile device?. Cellebrite UFED. Wireshark. Nmap. Volatility.

An attacker uses a technique that involves impersonating a legitimate DNS server to redirect traffic. What is this attack called?. DNS Spoofing. ARP Spoofing. Session Hijacking. Phishing.

Which of the following is a critical step in the containment phase of incident handling?. Restoring backups. Limiting the spread of the incident. Identifying the attacker. Updating security policies.

What should an incident handler do to ensure the integrity of a forensic image?. Modify the image to remove irrelevant data. Calculate and verify hash values. Store the image on the original device. Share the image publicly.

Which regulation requires organizations to maintain an audit trail for financial transactions?. HIPAA. GDPR. SOX. PCI DSS.

An attacker uses a method that sends crafted HTTP requests to exhaust server resources. What is this attack known as?. SYN Flood. HTTP Flood. Ping Flood. UDP Flood.

Which of the following is a recommended practice for securing evidence storage?. Keeping evidence in an unlocked room. Using access controls and encryption. Storing evidence on a shared network drive. Allowing multiple users to edit evidence.

What is the primary benefit of conducting regular vulnerability assessments in incident preparation?. To monitor employee performance. To identify and mitigate weaknesses before exploitation. To encrypt network traffic. To restore compromised systems.

Which of the following is a common indicator of a Trojan infection on a system?. Improved system boot time. Unexpected network connections to unknown servers. Regular antivirus scans. Decreased disk usage.

What is the BEST initial action when detecting a data breach involving sensitive customer information?. Notify the media. Contain the breach to prevent further data loss. Reboot all systems. Delete affected files.

Which of the following tools is used to analyze email headers for signs of phishing?. MX Toolbox. Wireshark. FTK Imager. Nessus.

An attacker uses a technique that involves stealing authentication tickets to access network resources. What is this attack called?. Pass-the-Ticket. SQL Injection. Phishing. Buffer Overflow.

Which of the following should be performed during the eradication phase of incident handling?. Collecting volatile evidence. Removing malicious code and patching systems. Notifying external stakeholders. Monitoring network traffic.

What is the purpose of maintaining a detailed incident response log?. To track software licenses. To provide a record for legal and audit purposes. To schedule maintenance tasks. To monitor employee attendance.

Which regulation requires encryption of personal data during transmission?. SOX. GDPR. HIPAA. ISO 27001.

An attacker uses a method that exploits a vulnerability to execute arbitrary code on a system. What is this attack known as?. Buffer Overflow. Cross-Site Scripting. Phishing. Man-in-the-Middle.

Which of the following is a recommended practice for preparing an incident response team?. Conducting regular tabletop exercises. Disabling all security alerts. Storing passwords in plain text. Allowing unrestricted network access.

What is the primary goal of network segmentation in an incident response strategy?. To increase network speed. To limit the spread of an attack. To monitor employee activity. To simplify backups.

Which of the following is a common sign of a keylogger infection on a system?. Increased disk space. Unexplained outbound traffic capturing keystrokes. Faster system performance. Regular software updates.

What is the BEST initial response to detecting a phishing email campaign targeting employees?. Delete all emails. Warn employees and block the sender domain. Reboot all workstations. Update email client software.

Which of the following tools is used to detect anomalies in network traffic during an incident?. Snort. FTK Imager. John the Ripper. Autopsy.

An attacker uses a technique that involves exploiting a weakness in a cryptographic algorithm to gain access. What is this attack called?. Cryptanalysis. Brute Force. Phishing. Man-in-the-Middle.

Which of the following should be included in the recovery phase of incident handling?. Identifying the attack source. Testing systems to ensure they are secure. Collecting volatile evidence. Blocking malicious IPs.

What is the purpose of a write blocker in forensic evidence collection?. To speed up data copying. To prevent changes to the original evidence. To encrypt the evidence. To compress the evidence files.

Which regulation requires organizations to report breaches of payment card data?. HIPAA. GDPR. PCI DSS. SOX.

An attacker uses a method that sends crafted packets to amplify traffic via vulnerable servers. What is this attack known as?. SYN Flood. Smurf Attack. HTTP Flood. Ping of Death.

Which of the following is a recommended practice for securing a network during incident preparation?. Enabling all ports by default. Implementing strong access controls. Disabling intrusion detection. Storing logs in plain text.

What is the primary benefit of using a Security Operations Center (SOC) in incident response?. To develop software patches. To provide continuous monitoring and rapid response. To train employees. To encrypt all data.

Which of the following is a common indicator of a spyware infection on a system?. Increased system speed. Unusual pop-ups or browser redirects. Regular system updates. Decreased network usage.

What is the BEST initial action when detecting a compromised privileged account?. Delete the account. Disable the account and investigate. Monitor the account without action. Reboot the system.

Which of the following tools is used to analyze logs and detect security incidents in real-time?. Splunk. Autopsy. Wireshark. Metasploit.

An attacker uses a technique that involves intercepting communication between two parties to steal data. What is this attack called?. Phishing. Man-in-the-Middle (MitM). SQL Injection. Buffer Overflow.

Which of the following should be performed during the lessons learned phase of incident handling?. Collecting evidence. Reviewing the incident to improve future responses. Isolating affected systems. Removing malware.

What is the purpose of using a hash function in forensic investigations?. To compress evidence files. To verify the authenticity and integrity of evidence. To decrypt encrypted data. To speed up evidence analysis.

Which regulation requires organizations to protect personally identifiable information (PII) across the EU?. HIPAA. PCI DSS. GDPR. SOX.

An attacker uses a method that floods a network with broadcast traffic to overwhelm it. What is this attack known as?. SYN Flood. Smurf Attack. UDP Flood. HTTP Flood.

Which of the following is a recommended practice for incident containment?. Allowing the attack to continue for monitoring. Disconnecting affected systems from the network. Deleting all logs. Restoring systems immediately.

What is the primary benefit of using an Intrusion Detection System (IDS) in incident response?. To encrypt sensitive data. To detect unauthorized activity in real-time. To restore compromised systems. To train employees.

Which of the following is a common indicator of a backdoor installed on a system?. Improved application performance. Unusual open ports or network connections. Regular system backups. Decreased CPU usage.

What is the BEST initial action when detecting a ransomware attack on a file server?. Pay the ransom. Disconnect the server from the network. Delete encrypted files. Run an antivirus scan.

Which of the following tools is used to perform disk imaging for forensic analysis?. DD. Wireshark. Nmap. Snort.

An attacker uses a technique that involves exploiting a vulnerability in a web application to access the underlying server. What is this attack called?. Directory Traversal. Cross-Site Scripting. Phishing. SQL Injection.

Which of the following should be performed during the identification phase of incident handling?. Restoring affected systems. Determining the scope and impact of the incident. Removing malware. Notifying regulators.

What is the purpose of using a forensic duplicator during evidence collection?. To modify evidence files. To create an exact copy of storage media. To encrypt the original evidence. To delete temporary files.

Which regulation requires organizations to implement safeguards for protecting health information?. GDPR. HIPAA. PCI DSS. SOX.

An attacker uses a method that sends excessive TCP SYN packets to exhaust server resources. What is this attack known as?. SYN Flood. UDP Flood. Smurf Attack. HTTP Flood.

Which of the following is a recommended practice for managing logs during an incident?. Deleting logs to free up space. Preserving logs in a secure location. Disabling all logging. Sharing logs publicly.

What is the primary benefit of conducting regular penetration testing in incident preparation?. To monitor network traffic. To identify vulnerabilities before they are exploited. To encrypt sensitive data. To restore backups.

Which of the following is a common sign of a Distributed Denial of Service (DDoS) attack?. Improved server response time. Sudden increase in traffic from multiple sources. Regular user logins. Decreased bandwidth usage.

What is the BEST initial action when detecting an SQL injection attempt on a web application?. Restart the web server. Block the attacking IP and sanitize inputs. Delete the database. Update the application software.

Which of the following tools is used to extract metadata from files during a forensic investigation?. ExifTool. Wireshark. Nmap. Snort.

An attacker uses a technique that involves manipulating a user into running malicious code via a crafted email attachment. What is this attack called?. Spear Phishing. SQL Injection. Drive-by Download. Buffer Overflow.

Which of the following should be performed during the containment phase of incident handling?. Restoring systems from backups. Isolating affected systems to limit damage. Identifying the attacker. Patching vulnerabilities.

What is the purpose of a forensic chain of custody?. To summarize the incident. To ensure evidence remains unaltered and admissible. To encrypt evidence files. To delete irrelevant data.

Which regulation requires organizations to conduct regular security risk assessments?. PCI DSS. SOX. HIPAA. ISO 27001.

An attacker uses a method that sends excessive ICMP echo requests to overwhelm a target. What is this attack known as?. Ping Flood. SYN Flood. UDP Flood. HTTP Flood.

Which of the following is a recommended practice for securing sensitive data during incident preparation?. Storing data in plain text. Implementing encryption at rest and in transit. Disabling access controls. Sharing data publicly.

What is the primary benefit of using a vulnerability scanner in incident preparation?. To monitor live traffic. To identify and prioritize security weaknesses. To encrypt network data. To restore compromised systems.

Which of the following is a common indicator of a worm propagating through a network?. Decreased network traffic. Rapid infection of multiple systems. Improved server uptime. Regular user logouts.

What is the BEST initial action when detecting unauthorized access to a database?. Delete the database. Restrict access and investigate the breach. Reboot the database server. Notify all users.

Which of the following tools is used to analyze network traffic for signs of a data exfiltration attempt?. NetFlow Analyzer. Autopsy. FTK Imager. John the Ripper.

An attacker uses a technique that involves stealing cached credentials to impersonate a user. What is this attack called?. Pass-the-Hash. Phishing. SQL Injection. Directory Traversal.

What is the purpose of documenting every step during an incident response?. To reduce system downtime. To ensure accountability and support legal action. To speed up recovery. To train new employees.

Which regulation requires organizations to notify individuals within 72 hours of a data breach?. HIPAA. GDPR. PCI DSS. SOX.

An attacker uses a method that exploits a vulnerability in a browser to download malware without user interaction. What is this attack known as?. Drive-by Download. Phishing. SQL Injection. Man-in-the-Middle.

Which of the following is a recommended practice for securing backups during incident preparation?. Storing backups on the same system. Testing backups regularly for integrity. Disabling backup encryption. Sharing backups publicly.

What is the primary benefit of using a firewall in an incident response strategy?. To recover deleted files. To block malicious traffic and limit attack spread. To encrypt sensitive data. To monitor employee activity.

Which of the following is a common indicator of a botnet infection on a network?. Decreased network latency. Unusual outbound traffic to multiple command servers. Regular system updates. Improved application performance.

What is the BEST initial action when detecting a compromised email account sending spam?. Delete the account. Change the password and enable two-factor authentication. Reboot the email server. Notify all contacts immediately.

Which of the following tools is used to analyze volatile memory for evidence of an attack?. Volatility. Wireshark. Nessus. FTK Imager.

An attacker uses a technique that involves exploiting a trusted third-party site to distribute malware. What is this attack called?. Watering Hole Attack. Phishing. SQL Injection. Drive-by Download.

What is the purpose of maintaining an asset inventory in incident preparation?. To track employee performance. To identify critical systems and prioritize protection. To schedule software updates. To monitor network bandwidth.

Which regulation requires organizations to protect financial data and report incidents to regulators?. GDPR. SOX. HIPAA. PCI DSS.

An attacker uses a method that sends excessive HTTP requests to overwhelm a web server. What is this attack known as?. SYN Flood. HTTP Flood. Ping Flood. UDP Flood.

Which of the following is a recommended practice for securing evidence during an incident?. Storing evidence on the affected system. Using tamper-proof storage and access logs. Allowing unrestricted access to evidence. Deleting duplicate evidence files.

What is the primary benefit of using an Incident Response Plan (IRP)?. To monitor network performance. To provide a structured approach to handling incidents. To encrypt all data. To train employees on software use.

What is the BEST initial action when detecting a malware infection spreading across a network?. Reboot all systems. Isolate infected systems from the network. Run an antivirus scan on all devices. Notify the media.

Which of the following tools is used to analyze a hard drive for deleted files during a forensic investigation?. Recuva. Wireshark. Nmap. Snort.

An attacker uses a technique that involves sending fake SMS messages to trick users into providing credentials. What is this attack called?. Smishing. Phishing. Vishing. Spear Phishing.

What is the purpose of using a digital signature in forensic evidence?. To compress evidence files. To verify the authenticity and integrity of data. To decrypt evidence. To speed up analysis.

Which regulation requires organizations to protect cardholder data with specific security controls?. GDPR. HIPAA. PCI DSS. SOX.

An attacker uses a method that floods a network with spoofed packets to disrupt services. What is this attack known as?. SYN Flood. Smurf Attack. UDP Flood. Ping of Death.

Which of the following is a recommended practice for securing a system during incident preparation?. Enabling all default accounts. Applying the principle of least privilege. Disabling patch management. Allowing unrestricted access.

What is the primary benefit of conducting a risk assessment in incident preparation?. To monitor live traffic. To identify and prioritize potential threats. To encrypt sensitive data. To train employees.

What is the BEST initial action when detecting a data exfiltration attempt?. Reboot the affected system. Block outbound traffic to suspicious destinations. Delete all affected files. Notify all employees.

Which of the following tools is used to perform a forensic analysis of a Windows registry?. RegRipper. Wireshark. Nmap. Snort.

An attacker uses a technique that involves exploiting a vulnerability in a network protocol to gain access. What is this attack called?. Protocol Exploitation. Phishing. SQL Injection. Man-in-the-Middle.

What is the purpose of using a forensic workstation during an investigation?. To monitor live traffic. To analyze evidence in an isolated environment. To encrypt sensitive data. To restore compromised systems.

Which regulation requires organizations to implement a formal incident response plan?. GDPR. HIPAA. PCI DSS. ISO 27001.

An attacker uses a method that sends crafted packets to exploit a system’s TCP stack. What is this attack known as?. SYN Flood. Ping of Death. UDP Flood. HTTP Flood.

Which of the following is a recommended practice for securing logs during an incident?. Deleting logs to avoid confusion. Storing logs in a tamper-proof system. Disabling log collection. Sharing logs publicly.

What is the primary benefit of using a Security Information and Event Management (SIEM) system?. To encrypt all network traffic. To centralize log analysis and detect incidents. To recover deleted files. To train employees.

Which of the following is a common indicator of a phishing attack targeting an organization?. Improved email server performance. Suspicious emails with urgent requests. Regular system updates. Decreased network traffic.

What is the BEST initial action when detecting a ransomware infection on a workstation?. Pay the ransom. Disconnect the workstation from the network. Delete encrypted files. Run a full system scan.

Which of the following tools is used to create a forensic image of a USB drive?. FTK Imager. Wireshark. Nmap. Snort.

An attacker uses a technique that involves exploiting a vulnerability in a web application to execute commands on the server. What is this attack called?. Remote Code Execution (RCE). Phishing. SQL Injection. Cross-Site Scripting.

What is the purpose of using a timeline analysis in a forensic investigation?. To compress evidence files. To reconstruct the sequence of events. To encrypt sensitive data. To speed up evidence collection.

Which regulation requires organizations to encrypt sensitive data both at rest and in transit?. SOX. PCI DSS. GDPR. ISO 27001.

An attacker uses a method that sends excessive UDP packets to overwhelm a target system. What is this attack known as?. SYN Flood. UDP Flood. Ping Flood. HTTP Flood.

What is the primary benefit of conducting tabletop exercises in incident preparation?. To monitor network traffic. To test and improve response capabilities. To encrypt sensitive data. To restore backups.

Which of the following is a common indicator of a Distributed Denial of Service (DDoS) attack on a network?. Improved server response time. Unusually high traffic from multiple sources. Regular user logins. Decreased bandwidth usage.

What is the BEST initial action when detecting unauthorized access to a privileged account?. Delete the account. Lock the account and investigate. Reboot the system. Notify all employees.

Which of the following tools is used to analyze network packets for signs of malicious activity?. Wireshark. Autopsy. FTK Imager. Nessus.

An attacker uses a technique that involves injecting malicious code into a legitimate process to avoid detection. What is this attack called?. Process Injection. Phishing. SQL Injection. Buffer Overflow.

What is the purpose of using a hash value in forensic evidence collection?. To compress evidence files. To ensure evidence integrity. To decrypt evidence. To speed up analysis.

Which regulation requires organizations to notify affected individuals within a specific timeframe after a breach?. SOX. GDPR. PCI DSS. ISO 27001.

An attacker uses a method that sends crafted packets to exploit a vulnerability in a system’s memory. What is this attack known as?. Buffer Overflow. SYN Flood. UDP Flood. Ping of Death.

What is the primary benefit of using an Intrusion Prevention System (IPS) in incident response?. To recover deleted files. To block malicious activity in real-time. To encrypt sensitive data. To monitor employee activity.

What is the BEST initial action when detecting a brute force attack on a login system?. Reboot the server. Implement account lockout and block the attacking IP. Delete all user accounts. Notify all users.

Which of the following tools is used to analyze logs from multiple sources during an incident?. Splunk. Wireshark. FTK Imager. Nmap.

An attacker uses a technique that involves tricking a user into calling a fake support number to steal credentials. What is this attack called?. Vishing. Phishing. Smishing. Spear Phishing.

What is the purpose of using a write blocker in forensic investigations?. To speed up data copying. To prevent modifications to original evidence. To encrypt evidence files. To compress evidence data.

Which regulation requires organizations to maintain an audit trail for security events?. GDPR. HIPAA. SOX. PCI DSS.

An attacker uses a method that sends excessive ICMP packets to disrupt network services. What is this attack known as?. SYN Flood. Ping Flood. UDP Flood. HTTP Flood.

What is the primary benefit of using a sandbox in malware analysis?. To encrypt malware files. To safely observe malware behavior. To remove malware from systems. To monitor network traffic.

Which of the following is a common indicator of a backdoor on a system?. Improved system performance. Unexplained open ports or connections. Regular antivirus scans. Decreased CPU usage.

What is the BEST initial action when detecting a phishing campaign targeting employees?. Delete all emails. Educate users and block malicious domains. Reboot all systems. Update email software.

Which of the following tools is used to examine file systems for forensic evidence?. Sleuth Kit. Wireshark. Nmap. Snort.

An attacker uses a technique that involves exploiting a vulnerability to gain higher access levels. What is this attack called?. Privilege Escalation. Phishing. SQL Injection. Man-in-the-Middle.

What is the purpose of maintaining a chain of custody during a forensic investigation?. To speed up evidence analysis. To document evidence handling for legal validity. To encrypt evidence files. To delete irrelevant data.

Which regulation requires organizations to protect personally identifiable information (PII)?. SOX. GDPR. PCI DSS. ISO 27001.

An attacker uses a method that sends spoofed packets to amplify traffic against a target. What is this attack known as?. SYN Flood. Smurf Attack. UDP Flood. Ping of Death.

What is the primary benefit of using a honeypot in an incident response strategy?. To encrypt sensitive data. To detect and analyze attacker behavior. To restore compromised systems. To monitor employee activity.

Which of the following is a common indicator of a worm infection on a network?. Improved network performance. Rapid spread across multiple systems. Regular user logins. Decreased bandwidth usage.

What is the BEST initial action when detecting a data breach involving customer information?. Notify the media. Contain the breach and assess the scope. Delete affected data. Reboot all systems.

Which of the following tools is used to analyze email headers for evidence of spoofing?. MX Toolbox. Wireshark. FTK Imager. Nmap.

An attacker uses a technique that involves stealing session cookies to impersonate a user. What is this attack called?. Cross-Site Scripting (XSS). Session Hijacking. Phishing. SQL Injection.

What is the purpose of using a forensic duplicator in evidence collection?. To modify evidence for analysis. To create an exact replica of storage media. To encrypt evidence files. To delete temporary data.

Which regulation requires organizations to implement safeguards for health information?. GDPR. HIPAA. PCI DSS. SOX.

An attacker uses a method that sends excessive TCP SYN packets to overwhelm a server. What is this attack known as?. SYN Flood. UDP Flood. Ping Flood. HTTP Flood.

What is the primary benefit of using a vulnerability management program in incident preparation?. To monitor employee activity. To proactively identify and mitigate risks. To encrypt network traffic. To restore compromised systems.

Which of the following is a common indicator of a ransomware infection on a system?. Increased system speed. Files encrypted with ransom notes. Regular software updates. Decreased disk usage.

What is the BEST initial action when detecting a SQL injection attack on a web application?. Restart the web server. Block the attacking IP and validate inputs. Delete the database. Notify all users.

Which of the following tools is used to extract metadata from digital files during a forensic investigation?. ExifTool. Wireshark. Nmap. Snort.

An attacker uses a technique that involves exploiting a trusted website to deliver malware to visitors. What is this attack called?. Watering Hole Attack. Phishing. SQL Injection. Drive-by Download.

What is the purpose of using a forensic hash during evidence analysis?. To compress evidence files. To verify evidence has not been altered. To decrypt evidence data. To speed up evidence collection.

Which regulation requires organizations to report breaches involving payment card data?. GDPR. HIPAA. PCI DSS. SOX.

An attacker uses a method that sends excessive HTTP requests to exhaust a web server’s resources. What is this attack known as?. SYN Flood. HTTP Flood. Ping Flood. UDP Flood.

What is the primary benefit of conducting regular security awareness training?. To monitor network traffic. To reduce human error and phishing success. To encrypt sensitive data. To restore compromised systems.

Which of the following is a common indicator of a keylogger infection on a system?. Improved system performance. Unusual outbound traffic capturing keystrokes. Regular antivirus updates. Decreased memory usage.

What is the BEST initial action when detecting a compromised VPN account?. Delete the account. Disable the account and reset credentials. Reboot the VPN server. Notify all employees.

Which of the following tools is used to analyze volatile memory dumps during a forensic investigation?. Volatility. Wireshark. Nmap. Snort.

An attacker uses a technique that involves exploiting a vulnerability in a browser to execute malicious code. What is this attack called?. Drive-by Download. Phishing. SQL Injection. Man-in-the-Middle.

What is the purpose of using a forensic workstation in evidence analysis?. To monitor live traffic. To provide an isolated analysis environment. To encrypt evidence files. To speed up system recovery.

Which regulation requires organizations to conduct risk assessments for data security?. SOX. GDPR. PCI DSS. HIPAA.

An attacker uses a method that sends crafted packets to exploit a system’s TCP stack vulnerabilities. What is this attack known as?. SYN Flood. Ping of Death. UDP Flood. HTTP Flood.

Which of the following is a recommended practice for securing logs during incident preparation?. Deleting logs regularly. Storing logs in a centralized, secure system. Disabling log collection. Allowing public access to logs.

Which of the following tools is used to perform forensic analysis on mobile devices?. Cellebrite UFED. Wireshark. Nmap. Snort.

An attacker uses a technique that involves sending fake SMS messages to steal sensitive information. What is this attack called?. Smishing. Phishing. Vishing. Spear Phishing.

What is the purpose of documenting the chain of custody in a forensic investigation?. To speed up evidence analysis. To ensure evidence admissibility in court. To encrypt evidence files. To delete redundant data.

Which regulation requires organizations to notify affected individuals within 72 hours of a data breach?. HIPAA. GDPR. PCI DSS. SOX.

An attacker uses a method that floods a network with broadcast traffic to disrupt services. What is this attack known as?. SYN Flood. Smurf Attack. UDP Flood. HTTP Flood.

Which of the following is a common indicator of a rootkit infection on a system?. Increased system speed. Hidden processes not visible to standard tools. Regular antivirus scans. Decreased disk usage.

What is the BEST initial action when detecting a data exfiltration attempt on a network?. Reboot all systems. Block outbound traffic to suspicious IPs. Delete affected files. Notify all employees.

Which of the following tools is used to analyze network traffic for signs of an attack?. Snort. Autopsy. FTK Imager. Nessus.

An attacker uses a technique that involves exploiting a vulnerability to execute arbitrary code remotely. What is this attack called?. Remote Code Execution (RCE). Phishing. SQL Injection. Buffer Overflow.

What is the purpose of using a forensic image in an investigation?. To modify original data. To preserve original evidence for analysis. To encrypt sensitive files. To delete temporary data.

Which regulation requires organizations to protect cardholder data with encryption?. GDPR. HIPAA. PCI DSS. SOX.

An attacker uses a method that sends excessive UDP packets to disrupt a target system. What is this attack known as?. SYN Flood. UDP Flood. Ping Flood. HTTP Flood.

What is the BEST initial action when detecting a phishing email targeting employees?. Delete all emails. Warn employees and block the sender. Reboot all systems. Update email clients.

Which of the following tools is used to create a bit-for-bit copy of a hard drive for forensic analysis?. DD. Wireshark. Nmap. Snort.

An attacker uses a technique that involves stealing authentication tickets to access resources. What is this attack called?. Pass-the-Ticket. Phishing. SQL Injection. Man-in-the-Middle.

What is the purpose of using a write blocker during forensic evidence collection?. To speed up data copying. To prevent changes to the original media. To encrypt evidence files. To compress evidence data.

What is the primary benefit of conducting penetration testing in incident preparation?. To monitor network traffic. To identify vulnerabilities before exploitation. To encrypt sensitive data. To restore backups.

Which of the following is a common indicator of a Distributed Denial of Service (DDoS) attack?. Improved server response time. Sudden spike in traffic from multiple sources. Regular user logins. Decreased network latency.

What is the BEST initial action when detecting a ransomware infection spreading across a network?. Pay the ransom. Isolate affected systems immediately. Delete encrypted files. Run an antivirus scan.

Which of the following tools is used to analyze Windows event logs during a forensic investigation?. Event Log Explorer. Wireshark. Nmap. Snort.

An attacker uses a technique that involves exploiting a weakness in a cryptographic system to decrypt data. What is this attack called?. Cryptanalysis. Phishing. SQL Injection. Man-in-the-Middle.

What is the primary benefit of using a sandbox environment in incident response?. To encrypt sensitive data. To safely analyze malware behavior. To recover deleted files. To monitor employee activity.

Which of the following tools is used to analyze network traffic for evidence of an attack?. Wireshark. Autopsy. FTK Imager. Nessus.

An attacker uses a technique that involves injecting malicious scripts into a web page to steal data. What is this attack called?. Cross-Site Scripting (XSS). Phishing. SQL Injection. Man-in-the-Middle.

What is the purpose of using a forensic hash value during evidence collection?. To compress evidence files. To verify the integrity of collected data. To decrypt evidence. To speed up analysis.

What is the BEST initial action when detecting a brute force attack on a system?. Reboot the system. Implement account lockout and block the source. Delete all accounts. Notify all users.

Which of the following tools is used to analyze logs from multiple systems during an incident?. Splunk. Wireshark. FTK Imager. Nmap.

An attacker uses a technique that involves tricking users into revealing credentials via a phone call. What is this attack called?. Vishing. Phishing. Smishing. Spear Phishing.

What is the BEST initial action when detecting a malware infection on a critical server?. Reboot the server. Isolate the server from the network. Delete infected files. Run an antivirus scan.

Which of the following tools is used to recover deleted files from a storage device during a forensic investigation?. Recuva. Wireshark. Nmap. Snort.

An attacker uses a technique that involves exploiting a vulnerability to gain elevated access rights. What is this attack called?. Privilege Escalation. Phishing. SQL Injection. Man-in-the-Middle.

What is the purpose of maintaining a forensic chain of custody?. To speed up evidence analysis. To ensure evidence remains admissible. To encrypt evidence files. To delete redundant data.

What is the BEST initial action when detecting a data breach involving sensitive customer data?. Notify the media. Contain the breach and assess damage. Delete affected data. Reboot all systems.

What is the purpose of using a forensic hash during evidence collection?. To compress evidence files. To ensure evidence integrity. To decrypt evidence data. To speed up analysis.

What is the BEST initial action when detecting a SQL injection attempt on a web application?. Restart the web server. Block the attacker’s IP and sanitize inputs. Delete the database. Notify all users.

Which of the following tools is used to extract metadata from digital files in a forensic investigation?. ExifTool. Wireshark. Nmap. Snort.

An attacker uses a technique that involves exploiting a trusted site to distribute malware. What is this attack called?. Watering Hole Attack. Phishing. SQL Injection. Drive-by Download.

What is the purpose of using a forensic workstation during evidence analysis?. To monitor live traffic. To provide an isolated environment for analysis. To encrypt evidence files. To speed up system recovery.

An attacker uses a method that sends crafted packets to exploit a system’s memory vulnerabilities. What is this attack known as?. Buffer Overflow. SYN Flood. UDP Flood. Ping of Death.

Which of the following tools is used to analyze volatile memory for signs of an attack?. Volatility. Wireshark. Nmap. Snort.

An attacker uses a technique that involves exploiting a browser vulnerability to deliver malware. What is this attack called?. Drive-by Download. Phishing. SQL Injection. Man-in-the-Middle.

What is the purpose of using a digital signature in forensic evidence handling?. To compress evidence files. To ensure authenticity and integrity. To decrypt evidence data. To speed up evidence collection.

An attacker uses a method that sends excessive ICMP packets to disrupt services. What is this attack known as?. SYN Flood. Ping Flood. UDP Flood. HTTP Flood.

Which of the following tools is used to create a forensic image of a storage device?. FTK Imager. Wireshark. Nmap. Snort.

An attacker uses a technique that involves injecting malicious code into a legitimate process. What is this attack called?. Process Injection. Phishing. SQL Injection. Buffer Overflow.

Which regulation requires organizations to encrypt sensitive data at rest and in transit?. SOX. PCI DSS. GDPR. ISO 27001.

Which of the following tools is used to analyze file systems for forensic evidence?. Sleuth Kit. Wireshark. Nmap. Snort.

An attacker uses a technique that involves stealing authentication tickets to access systems. What is this attack called?. Pass-the-Ticket. Phishing. SQL Injection. Man-in-the-Middle.

What is the purpose of using a forensic hash value during evidence analysis?. To compress evidence files. To verify evidence has not been tampered with. To decrypt evidence data. To speed up analysis.
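The forensic-hash questions above (verifying that collected data has not been altered, and recording that verification on the chain of custody) describe a procedure rather than a tool. The following Python script is an added example, not part of the original question bank and not any vendor's code: it streams a file through SHA-256 the way an imaging tool records an acquisition hash, re-verifies it, and shows the check failing after a single byte is changed. The image content, the handler name and the custody-record field names are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB pieces so multi-GB images never load into RAM


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Stream the file through the chosen digest and return the hex value."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(path: str, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest and compare it with the acquisition hash."""
    return hmac.compare_digest(hash_file(path, algorithm), expected_hex.lower())


def custody_entry(path: str, handler: str, action: str,
                  algorithm: str = "sha256") -> Dict[str, str]:
    """One chain-of-custody record: who did what to which item, when, and the
    hash the item had at that moment. Field names are this example's own."""
    return {
        "item": os.path.basename(path),
        "action": action,
        "handler": handler,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "algorithm": algorithm,
        "hash": hash_file(path, algorithm),
    }


def demo() -> Dict[str, object]:
    """Acquire a constructed image, verify it, flip one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk01.dd")
        with open(image, "wb") as fh:
            fh.write(b"MBR" + bytes(range(256)) * 64)  # constructed stand-in for a dd image
        acquired = custody_entry(image, "I. Handler", "acquired")
        clean = verify_image(image, acquired["hash"])
        with open(image, "r+b") as fh:  # simulate a single-byte alteration
            fh.seek(100)
            fh.write(b"\x00")
        tampered_passes = verify_image(image, acquired["hash"])
        return {
            "acquisition_hash": acquired["hash"],
            "verified_before_tamper": clean,
            "verified_after_tamper": tampered_passes,
            "custody_log": [acquired],
        }


if __name__ == "__main__":
    print(demo())
```

The same `hash_file` routine is what you run on the original media (behind a write blocker) and on the working copy: matching digests are what makes the copy usable as evidence, and the timestamped record is what the chain-of-custody form carries.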

Which regulation requires organizations to notify affected individuals within 72 hours of a breach?. HIPAA. GDPR. PCI DSS. SOX.

Which of the following is a common indicator of a phishing attack targeting employees?. Improved email server performance. Suspicious emails with urgent requests. Regular software updates. Decreased network traffic.

Which of the following tools is used to capture and analyze network packets during an investigation?. Wireshark. Autopsy. FTK Imager. Nessus.

An attacker uses a technique that involves injecting malicious scripts into a web page. What is this attack called?. Cross-Site Scripting (XSS). Phishing. SQL Injection. Man-in-the-Middle.

Which of the following is a common indicator of a backdoor infection on a system?. Improved system performance. Unexplained open ports or services. Regular antivirus updates. Decreased memory usage.

What is the BEST initial action when detecting a malware outbreak on multiple systems?. Reboot all systems. Isolate affected systems from the network. Delete infected files. Run an antivirus scan.

Which of the following tools is used to recover deleted files during a forensic investigation?. Recuva. Wireshark. Nmap. Snort.

An attacker uses a technique that involves exploiting a vulnerability to gain higher access rights. What is this attack called?. Privilege Escalation. Phishing. SQL Injection. Man-in-the-Middle.

What is the BEST initial action when detecting unauthorized access to a critical server?. Reboot the server. Isolate the server and preserve evidence. Delete compromised files. Notify all employees.

What is the BEST initial action when detecting a SQL injection attack on a database?. Restart the database server. Block the source IP and sanitize inputs. Delete the database. Notify all users.

Which of the following tools is used to extract metadata from files in a forensic investigation?. ExifTool. Wireshark. Nmap. Snort.

An attacker uses a technique that involves exploiting a trusted website to distribute malware. What is this attack called?. Watering Hole Attack. Phishing. SQL Injection. Drive-by Download.

What is the purpose of maintaining a chain of custody in forensic investigations?. To speed up evidence analysis. To ensure evidence remains admissible in court. To encrypt evidence files. To delete redundant data.

What is the BEST initial action when detecting a compromised email account sending phishing emails?. Delete the account. Change credentials and enable MFA. Reboot the email server. Notify all contacts.

Which of the following tools is used to analyze volatile memory during a forensic investigation?. Volatility. Wireshark. Nmap. Snort.

An attacker uses a technique that involves sending fake SMS messages to steal credentials. What is this attack called?. Smishing. Phishing. Vishing. Spear Phishing.

What is the BEST initial action when detecting a ransomware infection on multiple systems?. Pay the ransom. Isolate affected systems immediately. Delete encrypted files. Run an antivirus scan.

Which of the following tools is used to create a bit-for-bit copy of a hard drive?. DD. Wireshark. Nmap. Snort.

Which of the following is a common indicator of a ransomware infection on a network?. Improved network performance. Encrypted files with ransom demands. Regular user logins. Decreased bandwidth usage.
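The ransomware questions in this bank name the indicator (encrypted files plus ransom notes) and the first response (isolate the affected systems). As an added example that is not part of the original question set, the Python script below shows how a responder can confirm that indicator on a file share before isolating hosts: it measures byte entropy (ciphertext sits near 8 bits per byte, office documents far lower), looks for renamed files and for ransom-note names or wording, and only calls it ransomware when at least two of the three signals agree, since compressed or already-encrypted files also score high on entropy alone. The note names, extensions, keywords and the sample directories are constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from typing import Dict, List

# Constructed lists; real families use many more names, so extend per case.
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "decrypt_instructions.html"}
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
NOTE_KEYWORDS = (b"decrypt", b"bitcoin", b"btc", b"ransom")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(name: str, head: bytes) -> bool:
    """Known note filename, or a small file using two or more ransom words."""
    lowered = head.lower()
    return (name.lower() in RANSOM_NOTE_NAMES
            or (len(head) < 8192 and sum(k in lowered for k in NOTE_KEYWORDS) >= 2))


def scan_directory(root: str, entropy_threshold: float = 7.5,
                   min_size: int = 256) -> Dict[str, object]:
    """Walk a tree, collect the three indicators, and return a verdict that needs
    at least two of them so a folder of zip files alone does not trigger."""
    high_entropy: List[str] = []
    notes: List[str] = []
    renamed: List[str] = []
    total = 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            total += 1
            with open(path, "rb") as fh:
                head = fh.read(65536)  # first 64 KiB is enough to judge entropy
            if looks_like_ransom_note(name, head):
                notes.append(path)
                continue
            if os.path.splitext(name.lower())[1] in RANSOM_EXTENSIONS:
                renamed.append(path)
            if len(head) >= min_size and shannon_entropy(head) >= entropy_threshold:
                high_entropy.append(path)
    signals = sum([bool(notes), bool(renamed),
                   len(high_entropy) >= max(1, total // 2)])
    return {"files": total, "high_entropy": high_entropy, "ransom_notes": notes,
            "renamed": renamed, "indicator": signals >= 2}


def constructed_fixture(root: str) -> None:
    """Two directories: untouched documents, and the same set after 'encryption'."""
    clean, hit = os.path.join(root, "clean"), os.path.join(root, "hit")
    os.makedirs(clean)
    os.makedirs(hit)
    text = b"Quarterly report: revenue up 4 percent, costs flat. " * 120
    for i in range(3):
        with open(os.path.join(clean, f"report{i}.txt"), "wb") as fh:
            fh.write(text)
        # os.urandom stands in for ciphertext: near 8 bits per byte like real output
        with open(os.path.join(hit, f"report{i}.txt.locked"), "wb") as fh:
            fh.write(os.urandom(4096))
    with open(os.path.join(hit, "HOW_TO_DECRYPT.txt"), "wb") as fh:
        fh.write(b"Your files are encrypted. To decrypt them, pay 2 BTC via the portal.")


def demo() -> Dict[str, Dict[str, object]]:
    with tempfile.TemporaryDirectory() as tmp:
        constructed_fixture(tmp)
        return {"clean": scan_directory(os.path.join(tmp, "clean")),
                "hit": scan_directory(os.path.join(tmp, "hit"))}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result["indicator"], len(result["high_entropy"]), "high-entropy files")
```

Point `scan_directory` at a mounted share or a mounted forensic image rather than at a live infected host, so the check itself does not touch evidence or compete with containment.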

Which of the following tools is used to analyze network packets during an incident investigation?. Wireshark. Autopsy. FTK Imager. Nessus.

What is the BEST initial action when detecting a data breach involving customer data?. Notify the media. Contain the breach and assess damage. Delete affected data. Reboot all systems.

Which one of the following is the correct flow of the stages in an incident handling and response (IH&R) process?. Containment -> Incident recording -> Incident triage -> Preparation -> Recovery -> Eradication -> Post-incident activities. Preparation -> Incident recording -> Incident triage -> Containment -> Eradication -> Recovery -> Post-incident activities. Incident recording -> Preparation -> Containment -> Incident triage -> Recovery -> Eradication -> Post-incident activities. Incident triage -> Eradication -> Containment -> Incident recording -> Preparation -> Recovery -> Post-incident activities.

Shally, an incident handler, is working for a company named Texas Pvt. Ltd. based in Florida. She was asked to work on an incident response plan. As part of the plan, she decided to enhance and improve the security infrastructure of the enterprise. She has incorporated a security strategy that allows security professionals to use several protection layers throughout their information system. Because of the multiple protection layers, this security strategy helps prevent direct attacks against the organization's information system, as a break in one layer only leads the attacker to the next layer. Identify the security strategy Shally has incorporated in the incident response plan. Covert channels. Three-way handshake. Defense-in-depth. Exponential backoff algorithm.

During the process of detecting and containing malicious emails, incident responders should examine the originating IP address of the emails. The steps to examine the originating IP address are as follows: 1. Search for the IP in the WHOIS database 2. Open the email to trace and find its header 3. Collect the IP address of the sender from the header of the received mail 4. Look for the geographic address of the sender in the WHOIS database. Identify the correct sequence of steps to be performed by the incident responders to examine the originating IP address of the emails. 4-->1-->2-->3. 2-->1-->4-->3. 1-->3-->2-->4. 2-->3-->1-->4.
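The header-examination steps in the question above (open the header, collect the sender's IP, then WHOIS it) and the earlier question on analysing email headers for spoofing both reduce to the same task: walk the Received chain from the earliest hop upward, discard internal addresses, and compare the displayed From domain with the envelope Return-Path. The Python below is an added example, not part of the original question bank; the message is a constructed sample using TEST-NET addresses, and the hostnames and domains in it are made up. The WHOIS and geolocation steps need network access and are left to the `whois` command on the address this script returns.

```python
import email
import email.utils
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample (not a real capture). Received headers read top-down from
# the receiving server back to the first hop, so the sender's originating
# address sits in the LAST Received header. TEST-NET ranges stand in for
# public addresses.
SAMPLE_RAW_EMAIL = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.victim.example (Postfix) with ESMTPS id ABC123
\tfor <cfo@victim.example>; Mon, 06 Jan 2025 09:12:01 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP; Mon, 06 Jan 2025 09:11:58 +0000
Received: from [10.0.0.5] (unknown [203.0.113.45])
\tby relay.example.net with ESMTPA; Mon, 06 Jan 2025 09:11:50 +0000
Return-Path: <bounce@attacker.example>
From: "CEO" <ceo@victim.example>
To: cfo@victim.example
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Bracketed dotted-quad as mail servers write it: "(host [203.0.113.45])"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Addresses that can never be the sender's Internet-facing origin. Listed
# explicitly instead of using ipaddress.is_global, which would also reject the
# TEST-NET ranges used in the constructed sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # malformed: never treat as a usable origin
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(raw: str) -> List[str]:
    """Received header values in the order they appear (newest first)."""
    msg = email.message_from_string(raw)
    return msg.get_all("Received", [])


def originating_ip(raw: str) -> Optional[str]:
    """Walk hops from the earliest (bottom) upward; the first non-internal
    address is the sender's origin and the value to search in WHOIS."""
    for hop in reversed(received_hops(raw)):
        for ip in IP_RE.findall(hop):
            if not is_internal(ip):
                return ip
    return None


def spoofing_indicators(raw: str) -> Dict[str, object]:
    """Pair the origin IP with the header facts a responder compares:
    the displayed From domain versus the envelope Return-Path domain."""
    msg = email.message_from_string(raw)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return_path = email.utils.parseaddr(msg.get("Return-Path", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()
    return {
        "originating_ip": originating_ip(raw),
        "hop_count": len(received_hops(raw)),
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        # A Return-Path outside the From domain is the classic spoofing tell
        "envelope_mismatch": bool(rp_domain) and rp_domain != from_domain,
    }


if __name__ == "__main__":
    for key, value in spoofing_indicators(SAMPLE_RAW_EMAIL).items():
        print(f"{key}: {value}")
```

Received headers below the one written by your own mail server can be forged by the sender, so treat the address this returns as the starting point for the WHOIS lookup, not as proof of origin on its own.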

Eric works as a system administrator in ABC organization. He granted privileged users unlimited permissions to access the systems. These privileged users can misuse their rights unintentionally or maliciously, or attackers can trick them into performing malicious activities. Which of the following guidelines helps incident handlers to eradicate insider attacks by privileged users?. Do not control the access to administrators and privileged users. Do not allow administrators to use unique accounts during the installation process. Do not use encryption methods to prevent administrators and privileged users from accessing backup tapes and sensitive information. Do not enable the default administrative accounts to ensure accountability.

The type of attack that prevents authorized users from accessing networks, systems, or applications by exhausting network resources and sending illegal requests to an application is known as: Session Hijacking attack. SQL injection attack. Denial of Service attack. Man in the Middle attack.
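Several questions in this bank ask the responder to name a flood from its traffic shape: SYN flood, UDP flood, ping (ICMP) flood, HTTP flood, and the resource-exhaustion definition of denial of service above. As an added example that is not part of the original question set, the Python below turns those definitions into detection logic: it buckets a packet summary into one-second windows, counts per-source SYNs minus ACKs (half-open connections), UDP datagrams, ICMP echo requests and HTTP requests, and names the flood when a threshold is crossed. The `Packet` record, the thresholds and the capture are constructed for the demonstration; a real deployment would fill `Packet` from a flow log or pcap and tune the thresholds to the link.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    """Minimal per-packet summary, the fields a flow log or pcap parser would give."""
    ts: float
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: str = ""       # TCP flag letters, e.g. "S", "SA", "A", "PA"
    icmp_type: int = -1   # 8 = echo request
    payload: str = ""     # first bytes of application data, if any


# Packets per source per one-second window; illustrative values, tune to the link
THRESHOLDS = {"SYN Flood": 100, "UDP Flood": 100, "Ping Flood": 100, "HTTP Flood": 50}


def classify_floods(packets: List[Packet], window: float = 1.0) -> List[Tuple[str, str]]:
    """Return (source, attack) pairs whose per-window rate crosses a threshold.
    SYN flood uses the half-open count (SYNs minus ACKs from the same source),
    so a busy client that completes its handshakes is not flagged."""
    counts: Counter = Counter()
    for p in packets:
        bucket = int(p.ts // window)
        if p.proto == "tcp":
            if p.flags == "S":
                counts[(p.src, "syn", bucket)] += 1
            elif "A" in p.flags:
                counts[(p.src, "ack", bucket)] += 1
            if p.payload.startswith(("GET ", "POST ")):
                counts[(p.src, "http", bucket)] += 1
        elif p.proto == "udp":
            counts[(p.src, "udp", bucket)] += 1
        elif p.proto == "icmp" and p.icmp_type == 8:
            counts[(p.src, "icmp", bucket)] += 1

    alerts = set()
    for (src, kind, bucket), n in counts.items():
        if kind == "syn" and n - counts.get((src, "ack", bucket), 0) >= THRESHOLDS["SYN Flood"]:
            alerts.add((src, "SYN Flood"))
        elif kind == "udp" and n >= THRESHOLDS["UDP Flood"]:
            alerts.add((src, "UDP Flood"))
        elif kind == "icmp" and n >= THRESHOLDS["Ping Flood"]:
            alerts.add((src, "Ping Flood"))
        elif kind == "http" and n >= THRESHOLDS["HTTP Flood"]:
            alerts.add((src, "HTTP Flood"))
    return sorted(alerts)


def constructed_capture() -> List[Packet]:
    """Synthetic traffic against one server: an honest client plus four attackers,
    one per flood type. Not a real capture."""
    server = "198.51.100.20"
    pkts: List[Packet] = []
    # honest client: full handshake, then a handful of requests
    pkts.append(Packet(0.50, "192.0.2.50", server, "tcp", 443, "S"))
    pkts.append(Packet(0.51, "192.0.2.50", server, "tcp", 443, "A"))
    for i in range(5):
        pkts.append(Packet(0.60 + 0.01 * i, "192.0.2.50", server, "tcp", 443, "PA",
                           payload="GET / HTTP/1.1"))
    # 300 SYNs in under a second, never acknowledged
    for i in range(300):
        pkts.append(Packet(0.001 * i, "203.0.113.9", server, "tcp", 443, "S"))
    # 250 ICMP echo requests in half a second
    for i in range(250):
        pkts.append(Packet(1.0 + 0.002 * i, "203.0.113.77", server, "icmp", icmp_type=8))
    # 150 UDP datagrams at the DNS port
    for i in range(150):
        pkts.append(Packet(2.0 + 0.005 * i, "203.0.113.88", server, "udp", 53))
    # 80 HTTP requests on established connections in one window
    for i in range(80):
        pkts.append(Packet(3.0 + 0.01 * i, "203.0.113.99", server, "tcp", 80, "PA",
                           payload="GET /search?q=x HTTP/1.1"))
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for src, attack in classify_floods(constructed_capture()):
        print(f"{src}: {attack}")
```

For a distributed attack the per-source counts stay small; aggregate the same counters per destination instead to see the sudden spike in traffic from many sources that the DDoS question describes.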

Which of the following is an attack that occurs when a malicious program causes a user's browser to perform an unwanted action on a trusted site for which the user is currently authenticated?. Cross-site scripting. Cross-site request forgery. Insecure direct object references. SQL injection.

Which of the following types of digital evidence is temporarily stored in a digital device that requires constant power supply and is deleted if the power supply is interrupted?. Process memory. Slack space. Event logs. Swap file.

Which of the following are malicious software programs that infect computers and corrupt or delete the data on them?. Trojans. Worms. Spyware. Virus.

The Linux command used to make binary copies of computer media and as a disk imaging tool if given a raw disk device as its input is: "dd" command. "netstat" command. "nslookup" command. "find" command.

An estimation of the expected losses after an incident helps organizations prioritize and formulate their incident response. The cost of an incident can be categorized as tangible and intangible cost. Identify the tangible cost associated with a virus outbreak. Loss of goodwill. Lost productivity damage. Psychological damage. Damage to corporate reputation.

Any information of probative value that is either stored or transmitted in a digital form during a computer crime is called: Digital investigation. Digital evidence. Digital Forensic Examiner. Computer Emails.

Stanley works as an incident responder at a top MNC based in Singapore. He was asked to investigate a cybersecurity incident that recently occurred in the company. While investigating the incident, he collected evidence from the victim systems. He must present this evidence in a clear and comprehensible manner to the members of a jury so that the evidence clarifies the facts and further helps in obtaining an expert opinion on the incident to confirm the investigation process. In the above scenario, which of the following characteristics of the digital evidence did Stanley attempt to preserve?. Believability. Completeness. Admissibility. Authenticity.

Which of the following does NOT reduce the success rate of SQL injection?. Constrain legitimate characters to exclude special characters. Close unnecessary application services and ports on the server. Automatically lock a user account after a predefined number of invalid login attempts within a predefined interval. Limit the length of the input field.
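The SQL injection questions in this bank (block the source and sanitize or validate inputs; constrain characters and limit input length) describe controls without showing the defect they address. The Python below is an added example, not part of the original question set: a login query that pastes user input into the statement text, the same query with driver-bound parameters, and an allow-list check that applies the character and length constraints before the database is touched. The table, rows and payload are constructed; the vulnerable function is deliberately vulnerable for the demonstration.

```python
import re
import sqlite3
from typing import List, Tuple

# Letters, digits and a few separators, at most 32 characters: the
# "constrain legitimate characters" and "limit the length" controls in one pattern.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# Constructed payload: closes the quoted string, adds a tautology, comments out the rest.
INJECTION_PAYLOAD = "' OR '1'='1' --"


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows; the hash column holds placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "h1", "admin"), ("bob", "h2", "user")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password_hash: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: user input becomes part of the SQL text."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str,
                        password_hash: str) -> List[Tuple[str, str]]:
    """Fixed: the driver binds the values, so quotes and comments stay data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash)).fetchall()


def valid_username(value: str) -> bool:
    """Allow-list check applied before any query runs."""
    return USERNAME_RE.fullmatch(value) is not None


def login_hardened(conn: sqlite3.Connection, username: str,
                   password_hash: str) -> List[Tuple[str, str]]:
    """Validation plus parameterization: bad input is refused without touching the DB."""
    if not valid_username(username):
        return []
    return login_parameterized(conn, username, password_hash)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, INJECTION_PAYLOAD, "x"))
    print("parameterized:", login_parameterized(db, INJECTION_PAYLOAD, "x"))
    print("hardened     :", login_hardened(db, "alice", "h1"))
```

Run against the payload, the vulnerable query returns every row because the tautology rewrites the WHERE clause; the parameterized query returns nothing because the whole string is compared as a username. Blocking the attacker's address buys time, but only the parameterized form removes the defect.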

Which of the following risk mitigation strategies involves the execution of controls to reduce the risk factor and bring it to an acceptable level, or accepts the potential risk and continues operating the IT system?. Risk avoidance. Risk planning. Risk assumption. Risk transference.

An adversary attacking information resources to gain an undue advantage is called: Offensive Information Warfare. Conventional Warfare. Electronic Warfare. Defensive Information Warfare.

Jason is setting up a computer forensics lab and must perform the following steps: 1. physical location and structural design considerations; 2. planning and budgeting; 3. work area considerations; 4. physical security recommendations; 5. forensic lab licensing; 6. human resource considerations. Arrange these steps in the order of execution. 5->2->1->3->4->6. 2->3->1->4->6->5. 3->2->1->4->6->5. 2->1->3->6->4->5.

The free utility which quickly scans systems running Windows OS to find settings that may have been changed by spyware, malware, or other unwanted programs is called: Stinger. Tripwire. F-Secure Anti-virus. HijackThis.

The individual who recovers, analyzes, and preserves computer and related materials to be presented as evidence in a court of law and identifies the evidence, estimates the potential impact of the malicious activity on the victim, and assesses the intent and identity of the perpetrator is called: Computer Forensic Investigator. Computer Hacking Forensic Investigator. Digital Forensic Examiner. All the above.
