CFR-410 Questions and Answers

Which of the following are well-known methods that are used to protect evidence during the forensics process? (Choose three.)

A security administrator needs to review events from different systems located worldwide. Which of the

following is MOST important to ensure that logs can be effectively correlated?

A security operations center (SOC) analyst observed an unusually high number of login failures on a particular database server. The analyst wants to gather supporting evidence before escalating the observation to management. Which of the following expressions will provide login failure data for 11/24/2015?

What is the correct order of the DFIR phases?

A company help desk is flooded with calls regarding systems experiencing slow performance and certain Internet sites taking a long time to load or not loading at all. The security operations center (SOC) analysts who receive these calls take the following actions:

-Running antivirus scans on the affected user machines

-Checking department membership of affected users

-Checking the host-based intrusion prevention system (HIPS) console for affected user machine alerts

-Checking network monitoring tools for anomalous activities

Which of the following phases of the incident response process match the actions taken?

An employee discovered the default credentials in DB servers, which were found by using a word list of commonly used and default passwords in Hydra, the tool behind the Brute functionality. The use of the word list in Hydra is an example of what type of password cracking?

While planning a vulnerability assessment on a computer network, which of the following is essential? (Choose two.)

In which of the following attack phases would an attacker use Shodan?

Where are log entries written for auditd in Linux?

According to company policy, all accounts with administrator privileges should have suffix _ja. While reviewing Windows workstation configurations, a security administrator discovers an account without the suffix in the administrator’s group. Which of the following actions should the security administrator take?

An incident responder has collected network capture logs in a text file, separated by five or more data fields.

Which of the following is the BEST command to use if the responder would like to print the file (to terminal/ screen) in numerical order?

A security investigator has detected an unauthorized insider reviewing files containing company secrets.

Which of the following commands could the investigator use to determine which files have been opened by this user?

Windows Server 2016 log files can be found in which of the following locations?

Which of the following could be useful to an organization that wants to test its incident response procedures without risking any system downtime?

A security professional discovers a new ransomware strain that disables antivirus on the endpoint during an

infection. Which location would be the BEST place for the security professional to find technical information about this malware?

Which of the following types of attackers would be MOST likely to use multiple zero-day exploits executed against high-value, well-defended targets for the purposes of espionage and sabotage?

A network administrator has determined that network performance has degraded due to excessive use of

social media and Internet streaming services. Which of the following would be effective for limiting access to these types of services, without completely restricting access to a site?

An incident responder discovers that the CEO logged in from their New York City office and then logged in from a location in Beijing an hour later. The incident responder suspects that the CEO’s account has been

compromised. Which of the following anomalies MOST likely contributed to the incident responder’s suspicion?

Which of the following tools can be used as an intrusion detection system (IDS)? (Choose three.)

Which of the following are components of Security Content Automation Protocol (SCAP)?

A secretary receives an email from a friend with a picture of a kitten in it. The secretary forwards it to the

~COMPANYWIDE mailing list and, shortly thereafter, users across the company receive the following message:

“You seem tense. Take a deep breath and relax!”

The incident response team is activated and opens the picture in a virtual machine to test it. After a short analysis, the following code is found in C:

\Temp\chill.exe:Powershell.exe –Command “do {(for /L %i in (2,1,254) do shutdown /r /m Error! Hyperlink reference not valid.> /f /t / 0 (/c “You seem tense. Take a deep breath and relax!”);Start-Sleep –s 900) } while(1)”

Which of the following BEST represents what the attacker was trying to accomplish?

An administrator believes that a system on VLAN 12 is Address Resolution Protocol (ARP) poisoning clients on the network. The administrator attaches a system to VLAN 12 and uses Wireshark to capture traffic. After

reviewing the capture file, the administrator finds no evidence of ARP poisoning. Which of the following actions should the administrator take next?

A Linux administrator is trying to determine the character count on many log files. Which of the following command and flag combinations should the administrator use?

Which term best describes an asset's susceptibility to damage or loss due to a threat?

The statement of applicability (SOA) document forms a fundamental part of which framework?

According to Payment Card Industry Data Security Standard (PCI DSS) compliance requirements, an organization must retain logs for what length of time?

What are three examples of incident response? (Choose three.)

An incident response team is concerned with verifying the integrity of security information and event

management (SIEM) events after being written to disk. Which of the following represents the BEST option for addressing this concern?

An organization was recently hit with a ransomware attack that encrypted critical documents and files that were stored on the corporate file server.

Which of the following provides the organization with the BEST chance for recovering their data?

What is the definition of a security breach?

Which two answer options are the BEST reasons to conduct post-incident reviews after an incident occurs in an organization? (Choose two.)

Which of the following is susceptible to a cache poisoning attack?

Which common source of vulnerability should be addressed to BEST mitigate against URL redirection attacks?

Which of the following is the GREATEST risk of having security information and event management (SIEM) collect computer names with older log entries?

During a security investigation, a suspicious Linux laptop is found in the server room. The laptop is processing information and indicating network activity. The investigator is preparing to launch an investigation to

determine what is happening with this laptop. Which of the following is the MOST appropriate set of Linux commands that should be executed to conduct the investigation?

When attempting to determine which system or user is generating excessive web traffic, analysis of which of

the following would provide the BEST results?

Which of the following is BEST suited to prevent piggybacking into a sensitive or otherwise restricted area of a facility?

During the forensic analysis of a compromised computer image, the investigator found that critical files are missing, caches have been cleared, and the history and event log files are empty. According to this scenario, which of the following techniques is the suspect using?

If an organization suspects criminal activity during the response to an incident, when should they notify law enforcement authorities?

Which of the following security best practices should a web developer reference when developing a new web- based application?

To minimize vulnerability, which steps should an organization take before deploying a new Internet of Things (IoT) device? (Choose two.)

Which three answer options are password attack methods and techniques? (Choose three.)

Which of the following is an automated password cracking technique that uses a combination of uppercase and lowercase letters, 0-9 numbers, and special characters?

When performing a vulnerability assessment from outside the perimeter, which of the following network devices is MOST likely to skew the scan results?

An organization wants to deploy a network security tool to alert them but not block malicious activity and network traffic. Which of the following tools would BEST meet the organization's needs?

Which of the following sources is best suited for monitoring threats and vulnerabilities?

After imaging a disk as part of an investigation, a forensics analyst wants to hash the image using a tool that supports piecewise hashing. Which of the following tools should the analyst use?

During which phase of a vulnerability assessment would a security consultant need to document a requirement to retain a legacy device that is no longer supported and cannot be taken offline?

Which approach to cybersecurity involves a series of defensive mechanisms that are layered to protect valuable data and information?