A system administrator is ensuring that specific registry information is accurate.
Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?
Drag and drop the access control models from the left onto the correct descriptions on the right.
Which type of verification consists of using tools to compute the message digest of the original and copied data, then comparing the similarity of the digests?
Refer to the exhibit.
This request was sent to a web application server driven by a database. Which type of web server attack is represented?
Which HTTP header field is used in forensics to identify the type of browser used?
An organization is cooperating with several third-party companies. Data exchange is on an unsecured channel using port 80 Internal employees use the FTP service to upload and download sensitive data An engineer must ensure confidentiality while preserving the integrity of the communication. Which technology must the engineer implement in this scenario'?
What is the practice of giving employees only those permissions necessary to perform their specific role within an organization?
Refer to the exhibit.
Which field contains DNS header information if the payload is a query or a response?
Which security model assumes an attacker within and outside of the network and enforces strict verification before connecting to any system or resource within the organization?
Drag and drop the security concept on the left onto the example of that concept on the right.
Which evasion technique is indicated when an intrusion detection system begins receiving an abnormally high volume of scanning from numerous sources?
What describes the concept of data consistently and readily being accessible for legitimate users?
Refer to the exhibit.
An engineer is analyzing this Cuckoo Sandbox report for a PDF file that has been downloaded from an email. What is the state of this file?
A security specialist notices 100 HTTP GET and POST requests for multiple pages on the web servers. The agent in the requests contains PHP code that, if executed, creates and writes to a new PHP file on the webserver. Which event category is described?
An analyst received an alert on their desktop computer showing that an attack was successful on the host. After investigating, the analyst discovered that no mitigation action occurred during the attack. What is the reason for this discrepancy?
Which type of evidence supports a theory or an assumption that results from initial evidence?
One of the objectives of information security is to protect the CIA of information and systems. What does CIA mean in this context?
Drag and drop the elements from the left into the correct order for incident handling on the right.
A company encountered a breach on its web servers using IIS 7 5 Dunng the investigation, an engineer discovered that an attacker read and altered the data on a secure communication using TLS 1 2 and intercepted sensitive information by downgrading a connection to export-grade cryptography. The engineer must mitigate similar incidents in the future and ensure that clients and servers always negotiate with the most secure protocol versions and cryptographic parameters. Which action does the engineer recommend?
During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model.
What specific type of analysis is assigning values to the scenario to see expected outcomes?
Which evasion method involves performing actions slower than normal to prevent detection?
An automotive company provides new types of engines and special brakes for rally sports cars. The company has a database of inventions and patents for their engines and technical information Customers can access the database through the company's website after they register and identify themselves. Which type of protected data is accessed by customers?
Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?
Refer to the exhibit.
An attacker scanned the server using Nmap.
What did the attacker obtain from this scan?
Refer to the exhibit.
A company employee is connecting to mail google.com from an endpoint device. The website is loaded but with an error. What is occurring?
Refer to the exhibit.
A network administrator is investigating suspicious network activity by analyzing captured traffic. An engineer notices abnormal behavior and discovers that the default user agent is present in the headers of requests and data being transmitted What is occurring?
A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor.
Which type of evidence is this?
Which event artifact is used to identify HTTP GET requests for a specific file?
Refer to the exhibit.
An engineer is reviewing a Cuckoo report of a file. What must the engineer interpret from the report?
An engineer must compare NIST vs ISO frameworks The engineer deeded to compare as readable documentation and also to watch a comparison video review. Using Windows 10 OS. the engineer started a browser and searched for a NIST document and then opened a new tab in the same browser and searched for an ISO document for comparison
The engineer tried to watch the video, but there 'was an audio problem with OS so the engineer had to troubleshoot it At first the engineer started CMD and looked fee a driver path then locked for a corresponding registry in the registry editor The engineer enabled "Audiosrv" in task manager and put it on auto start and the problem was solved Which two components of the OS did the engineer touch? (Choose two)
Which signature impacts network traffic by causing legitimate traffic to be blocked?
Refer to the exhibit.
A security analyst is investigating unusual activity from an unknown IP address Which type of evidence is this file1?
Refer to the exhibit.
An attacker gained initial access to the company s network and ran an Nmap scan to advance with the lateral movement technique and to search the sensitive data Which two elements can an attacker identify from the scan? (Choose two.)
Which type of attack occurs when an attacker is successful in eavesdropping on a conversation between two IP phones?
An engineer received an alert affecting the degraded performance of a critical server Analysis showed a heavy CPU and memory load What is the next step the engineer should take to investigate this resource usage7
What is the impact of false positive alerts on business compared to true positive?
What is the difference between statistical detection and rule-based detection models?
Which type of data consists of connection level, application-specific records generated from network traffic?
A security expert is working on a copy of the evidence, an ISO file that is saved in CDFS format. Which type of evidence is this file?
According to the September 2020 threat intelligence feeds a new malware called Egregor was introduced and used in many attacks. Distnbution of Egregor is pnmanly through a Cobalt Strike that has been installed on victim's workstations using RDP exploits Malware exfiltrates the victim's data to a command and control server. The data is used to force victims pay or lose it by publicly releasing it. Which type of attack is described?
An engineer receives a security alert that traffic with a known TOR exit node has occurred on the network. What is the impact of this traffic?
A security incident occurred with the potential of impacting business services. Who performs the attack?
An organization has recently adjusted its security stance in response to online threats made by a known hacktivist group.
What is the initial event called in the NIST SP800-61?
An engineer is working on a ticket for an incident from the incident management team A week ago. an external web application was targeted by a DDoS attack Server resources were exhausted and after two hours it crashed. An engineer was able to identify the attacker and technique used Three hours after the attack, the server was restored and the engineer recommended implementing mitigation by Blackhole filtering and transferred the incident ticket back to the IR team According to NIST SP800-61, at which phase of the incident response did the engineer finish work?
Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?
Which list identifies the information that the client sends to the server in the negotiation phase of the TLS handshake?
What is the difference between indicator of attack (loA) and indicators of compromise (loC)?
Refer to the exhibit.
What is the expected result when the "Allow subdissector to reassemble TCP streams" feature is enabled?
What is the practice of giving an employee access to only the resources needed to accomplish their job?
Refer to the exhibit.
A suspicious IP address is tagged by Threat Intelligence as a brute-force attempt source After the attacker produces many of failed login entries, it successfully compromises the account. Which stakeholder is responsible for the incident response detection step?
Exhibit.
An engineer received a ticket about a slowdown of a web application, Drug analysis of traffic, the engineer suspects a possible attack on a web server. How should the engineer interpret the Wiresharat traffic capture?
What are two differences between tampered disk images and untampered disk images'? (Choose two.)
Drag and drop the technology on the left onto the data type the technology provides on the right.
An analyst is investigating an incident in a SOC environment. Which method is used to identify a session from a group of logs?
An engineer needs to fetch logs from a proxy server and generate actual events according to the data received. Which technology should the engineer use to accomplish this task?