
212-89 Practice Exam Questions and Answers

EC Council Certified Incident Handler (ECIH v3)

Last Update 2 days ago
Total Questions : 168


Question # 1

Nervous Nat often sends emails with screenshots of what he thinks are serious incidents, but they always turn out to be false positives. Today, he sends another screenshot, suspecting a nation-state attack. As usual, you go through your list of questions, check your resources for information to determine whether the screenshot shows a real attack, and determine the condition of your network. Which step of IR did you just perform?

Options:

A. Recovery
B. Preparation
C. Remediation
D. Detection and analysis (or identification)

Question # 2

Darwin is an attacker residing within the organization and is performing network sniffing by running his system in promiscuous mode. He is capturing and viewing all the network packets transmitted within the organization. Edwin is an incident handler in the same organization.

In the above situation, which of the following Nmap commands must Edwin use to detect Darwin's system that is running in promiscuous mode?

Options:

A. nmap -sV -T4 -O -F --version-light
B. nmap -sU -p 500
C. nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]
D. nmap --script hostmap

Question # 3

Malicious downloads that result from malicious office documents being manipulated are caused by which of the following?

Options:

A. Clickjacking
B. Impersonation
C. Registry key manipulation
D. Macro abuse

Question # 4

Stanley works as an incident responder at a top MNC based out of Singapore. He was asked to investigate a cybersecurity incident that recently occurred in the company. While investigating the crime, he collected the evidence from the victim systems. He must present this evidence in a clear and comprehensible manner to the members of the jury so that the evidence explains the facts clearly and further helps in obtaining an expert opinion on the same to confirm the investigation process.

In the above scenario, what is the characteristic of the digital evidence Stanley tried to preserve?

Options:

A. Believable
B. Complete
C. Authentic
D. Admissible

Question # 5

For analyzing the system, the browser data can be used to access various credentials. Which of the following tools is used to analyze the history data files in the Microsoft Edge browser?

Options:

A. ChromeHistoryView
B. BrowsingHistoryView
C. MZCacheView
D. MZHistoryView

Question # 6

Eric works as a system administrator at ABC organization and previously granted several users access privileges to the organization's systems with unlimited permissions. These privileged users could prospectively misuse their rights unintentionally or maliciously, or could be deceived by attackers into performing malicious activities. Which of the following guidelines would help incident handlers eradicate insider attacks by privileged users?

Options:

A. Do not allow administrators to use unique accounts during the installation process
B. Do not enable default administrative accounts to ensure accountability
C. Do not control the access to administrator and privileged users
D. Do not use encryption methods to prevent administrators and privileged users from accessing backup tapes and sensitive information

Question # 7

Stenley is an incident handler working for Texa Corp. located in the United States. With the growing concern of increasing emails from outside the organization, Stenley was asked to take appropriate actions to keep the security of the organization intact. In the process of detecting and containing malicious emails, Stenley was asked to check the validity of the emails received by employees.

Identify the tools he can use to accomplish the given task.

Options:

A. PointofMail
B. Email Dossier
C. PoliteMail
D. EventLog Analyzer

Question # 8

Smith employs various malware detection techniques to thoroughly examine the network and its systems for suspicious and malicious malware files. Among all techniques, which one involves analyzing the memory dumps or binary codes for the traces of malware?

Options:

A. Live system
B. Dynamic analysis
C. Intrusion analysis
D. Static analysis

Question # 9

Which of the following risk management processes identifies the risks, estimates the impact, and determines sources to recommend proper mitigation measures?

Options:

A. Risk assessment
B. Risk assumption
C. Risk mitigation
D. Risk avoidance

Question # 10

Clark is investigating a cybercrime at TechSoft Solutions. While investigating the case, he needs to collect volatile information such as running services, their process IDs, start mode, state, and status.

Which of the following commands will help Clark to collect such information from running services?

Options:

A. Openfiles
B. netstat -ab
C. wmic
D. net file

Question # 11

Shiela is working at night as an incident handler. During a shift, servers were affected by a massive cyberattack. After she classified and prioritized the incident, she must report the incident, obtain necessary permissions, and perform other incident response functions. What list should she check to notify other responsible personnel?

Options:

A. HR log book
B. Point of contact
C. Email list
D. Phone number list

Question # 12

You are a systems administrator for a company. You are accessing your file server remotely for maintenance. Suddenly, you are unable to access the server. After contacting others in your department, you find out that they cannot access the file server either. You can ping the file server but not connect to it via RDP. You check the Active Directory Server, and all is well. You check the email server and find that emails are sent and received normally. What is the most likely issue?

Options:

A. An e-mail service issue
B. The file server has shut down
C. A denial-of-service issue
D. An admin account issue

Question # 13

Alice is a disgruntled employee. She decided to acquire critical information from her organization for financial benefit. To accomplish this, Alice started running a virtual machine on the same physical host as her victim's virtual machine and took advantage of shared physical resources (processor cache) to steal data (cryptographic key/plain text secrets) from the victim machine. Identify the type of attack Alice is performing in the above scenario.

Options:

A. Side channel attack
B. Service hijacking
C. SQL injection attack
D. Man-in-the-cloud attack

Question # 14

What is the most recent NIST standard for incident response?

Options:

A. 800-61r2
B. 800-61r3
C. 800-53r3
D. 800-171r2

Question # 15

Which of the following are malicious software programs that infect computers and corrupt or delete the data on them?

Options:

A. Worms
B. Trojans
C. Spyware
D. Virus

Question # 16

Shally, an incident handler, is working for a company named Texas Pvt. Ltd. based in Florida. She was asked to work on an incident response plan. As part of the plan, she decided to enhance and improve the security infrastructure of the enterprise. She has incorporated a security strategy that allows security professionals to use several protection layers throughout their information system. Due to multiple layer protection, this security strategy assists in preventing direct attacks against the organization's information system, as a break in one layer only leads the attacker to the next layer.

Identify the security strategy Shally has incorporated in the incident response plan.

Options:

A. Defense-in-depth
B. Three-way handshake
C. Covert channels
D. Exponential backoff algorithm

Question # 17

Richard is analyzing a corporate network. After an alert in the network's IPS, he identified that all the servers are sending huge amounts of traffic to the website abc.xyz. What type of information security attack vector has affected the network?

Options:

A. Botnet
B. Advanced persistent threats
C. Ransomware
D. IoT threats

Question # 18

Otis is an incident handler working in the Delmont organization. Recently, the organization has been facing several setbacks in the business, and thereby its revenues are going down. Otis was asked to take charge and look into the matter. While auditing the enterprise security, he found the traces of an attack where proprietary information was stolen from the enterprise network and passed on to the competitors.

Which of the following information security incidents did the Delmont organization face?

Options:

A. Network and resource abuses
B. Unauthorized access
C. Espionage
D. Email-based abuse

Question # 19

Which of the following processes is referred to as an approach to respond to the security incidents that occurred in an organization and enables the response team by ensuring that they know exactly what process to follow in case of security incidents?

Options:

A. Risk assessment
B. Incident response orchestration
C. Vulnerability management
D. Threat assessment

Question # 20

Which one of the following is the correct flow of the stages in an incident handling and response (IH&R) process?

Options:

A. Preparation -> Incident recording -> Incident triage -> Containment -> Eradication -> Recovery -> Post-incident activities
B. Containment -> Incident recording -> Incident triage -> Preparation -> Recovery -> Eradication -> Post-incident activities
C. Incident recording -> Preparation -> Containment -> Incident triage -> Recovery -> Eradication -> Post-incident activities
D. Incident triage -> Eradication -> Containment -> Incident recording -> Preparation -> Recovery -> Post-incident activities

Question # 21

Which of the following terms refers to the personnel that the incident handling and response (IH&R) team must contact to report the incident and obtain the necessary permissions?

Options:

A. Civil litigation
B. Point of contact
C. Criminal referral
D. Ticketing

Question # 22

An attacker traced out and found the kind of websites a target company/individual is frequently surfing and tested those particular websites to identify any possible vulnerabilities. When the attacker detected vulnerabilities in the website, the attacker started injecting malicious script/code into the web application that can redirect the webpage and download the malware onto the victim's machine. After infecting the vulnerable web application, the attacker waited for the victim to access the infected web application.

Identify the type of attack performed by the attacker.

Options:

A. Watering hole
B. Obfuscation application
C. Directory traversal
D. Cookie/Session poisoning

Question # 23

Which of the following types of digital evidence is temporarily stored in a digital device that requires constant power supply and is deleted if the power supply is interrupted?

Options:

A. Slack space
B. Process memory
C. Event logs
D. Swap file

Question # 24

Which of the following has been used to evade IDS and IPS?

Options:

A. Fragmentation
B. TNP
C. HTTP
D. SNMP

Question # 25

Identify the Sarbanes–Oxley Act (SOX) Title, consisting of only one section, that includes measures designed to help restore investor confidence in the reporting of securities analysts.

Options:

A. Title VIII: Corporate and Criminal Fraud Accountability
B. Title V: Analyst Conflicts of Interest
C. Title VII: Studies and Reports
D. Title IX: White-Collar-Crime Penalty Enhancement

Question # 26

Alex is an incident handler in QWERTY Company. He identified that an attacker created a backdoor inside the company's network by installing a fake AP inside a firewall. Which of the following attack types did the attacker use?

Options:

A. AP misconfiguration
B. Wardriving
C. Rogue access point
D. Ad hoc associations

Question # 27

Which of the following is a technique used by attackers to make a message difficult to understand through the use of ambiguous language?

Options:

A. Steganography
B. Spoofing
C. Encryption
D. Obfuscation

Question # 28

Which of the following terms refers to vulnerable account management functions, including account update, recovery of forgotten or lost passwords, and password reset, that might weaken valid authentication schemes?

Options:

A. SQL injection
B. Broken account management
C. Directory traversal
D. Cross-site scripting

Question # 29

In which of the following confidentiality attacks do attackers try to lure users by posing as an authorized AP by beaconing the WLAN's SSID?

Options:

A. Evil twin AP
B. Session hijacking
C. Honeypot AP
D. Masquerading

Question # 30

Which of the following is NOT part of the static data collection process?

Options:

A. Evidence examination
B. System preservation
C. Password protection
D. Evidence acquisition

Question # 31

ZYX company experienced a DoS/DDoS attack on their network. Upon investigating the incident, they concluded that the attack is an application-layer attack. Which of the following attacks did the attacker use?

Options:

A. Slowloris attack
B. UDP flood attack
C. SYN flood attack
D. Ping of death

Question # 32

Your company holds a large amount of customer PII, and you want to protect those data from theft or unauthorized modification. Among other actions, you classify and encrypt the data. In this process, which of the following OWASP security risks are you guarding against?

Options:

A. Insecure deserialization
B. Security misconfiguration
C. Broken authentication
D. Sensitive data exposure

Question # 33

An attack on a network is BEST blocked using which of the following?

Options:

A. IPS device inline
B. HIPS
C. Web proxy
D. Load balancer

Question # 34

Drake is an incident handler in Dark Cloud Inc. He intends to perform log analysis in order to detect traces of malicious activities within the network infrastructure. Which of the following tools must Drake employ in order to view logs in real time and identify malware propagation within the network?

Options:

A. Splunk
B. HULK
C. Hydra
D. LOIC

Question # 35

A US Federal Agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the networks. According to the agency's reporting timeframe guidelines, this incident should be reported within 2 h of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity.

Which US Federal Agency incident category does this incident belong to?

Options:

A. CAT 6
B. CAT 2
C. CAT 1
D. CAT 5

Question # 36

Ikeo Corp. hired an incident response team to assess the enterprise security. As part of the incident handling and response process, the IR team is reviewing the current security policies implemented by the enterprise. The IR team finds that employees of the organization do not have any restrictions on Internet access: they are allowed to visit any site, download any application, and access a computer or network from a remote location. Considering this as the main security threat, the IR team plans to change this policy as it can be easily exploited by attackers. Which of the following security policies is the IR team planning to modify?

Options:

A. Paranoid policy
B. Prudent policy
C. Promiscuous policy
D. Permissive policy

Question # 37

Allan performed a reconnaissance attack on his corporate network as part of a red-team activity. He scanned the IP range to find live host IP addresses. What type of technique did he use to exploit the network?

Options:

A. DNS footprinting
B. Social engineering
C. Port scanning
D. Ping sweeping

Question # 38

If the browser does not expire the session when the user fails to log out properly, which of the following OWASP Top 10 web vulnerabilities is caused?

Options:

A. A7: Cross-site scripting
B. A3: Sensitive data exposure
C. A2: Broken authentication
D. A5: Broken access control

Question # 39

A malicious, security-breaking program is disguised as a useful program. Such executable programs, which are installed when a file is opened, allow others to control a user's system. What is this type of program called?

Options:

A. Trojan
B. Worm
C. Virus
D. Spyware

Question # 40

Jason is setting up a computer forensics lab and must perform the following steps: 1. physical location and structural design considerations; 2. planning and budgeting; 3. work area considerations; 4. physical security recommendations; 5. forensic lab licensing; 6. human resource considerations. Arrange these steps in the order of execution.

Options:

A. 2 -> 1 -> 3 -> 6 -> 4 -> 5
B. 2 -> 3 -> 1 -> 4 -> 6 -> 5
C. 5 -> 2 -> 1 -> 3 -> 4 -> 6
D. 3 -> 2 -> 1 -> 4 -> 6 -> 5

Question # 41

Which of the following terms refers to an organization's ability to make optimal use of digital evidence in a limited period of time and with minimal investigation costs?

Options:

A. Threat assessment
B. Data analysis
C. Risk assessment
D. Forensic readiness

Question # 42

Which of the following is an attack that attempts to prevent the use of systems, networks, or applications by the intended users?

Options:

A. Denial of service (DoS) attack
B. Fraud and theft
C. Unauthorized access
D. Malicious code or insider threat attack

Question # 43

Which of the following is a volatile evidence collecting tool?

Options:

A. Netstat
B. HashTool
C. FTK Imager
D. ProDiscover Forensics

Question # 44

Which of the following tools helps incident handlers to view the file system, retrieve deleted data, perform timeline analysis, examine web artifacts, etc., during an incident response process?

Options:

A. Autopsy
B. netstat
C. Process Explorer
D. nbtstat

Question # 45

Stanley works as an incident responder at a top MNC based in Singapore. He was asked to investigate a cybersecurity incident that recently occurred in the company. While investigating the incident, he collected evidence from the victim systems. He must present this evidence in a clear and comprehensible manner to the members of a jury so that the evidence clarifies the facts and further helps in obtaining an expert opinion on the incident to confirm the investigation process. In the above scenario, which of the following characteristics of the digital evidence did Stanley attempt to preserve?

Options:

A. Completeness
B. Admissibility
C. Believability
D. Authenticity

Question # 46

Which of the following details are included in the evidence bags?

Options:

A. Error messages that contain sensitive information and files containing passwords
B. Software version information and web application source code
C. Sensitive directories, personal, and organizational email address
D. Date and time of seizure, exhibit number, and name of incident responder

Question # 47

Jason is an incident handler dealing with malware incidents. He was asked to perform memory dump analysis in order to collect information about the basic functionality of any program. As a part of his assignment, he needs to perform string search analysis to search for the malicious string that could determine harmful actions that a program can perform. Which of the following string-searching tools does Jason need to use to do the intended task?

Options:

A. PEView
B. BinText
C. Dependency Walker
D. Process Explorer

Question # 48

During the vulnerability assessment phase, the incident responders perform various steps as below:

1. Run vulnerability scans using tools
2. Identify and prioritize vulnerabilities
3. Examine and evaluate physical security
4. Perform OSINT information gathering to validate the vulnerabilities
5. Apply business and technology context to scanner results
6. Check for misconfigurations and human errors
7. Create a vulnerability scan report

Identify the correct sequence of vulnerability assessment steps performed by the incident responders.

Options:

A. 3 -> 6 -> 1 -> 2 -> 5 -> 4 -> 7
B. 1 -> 3 -> 2 -> 4 -> 5 -> 6 -> 7
C. 4 -> 1 -> 2 -> 3 -> 6 -> 5 -> 7
D. 2 -> 1 -> 4 -> 7 -> 5 -> 6 -> 3

Question # 49

According to NIST, what are the 5 main actors in cloud computing?

Options:

A. Provider, carrier, auditor, broker, and seller
B. Consumer, provider, carrier, auditor, and broker
C. Buyer, consumer, carrier, auditor, and broker
D. None of these

Question # 50

Otis is an incident handler working in an organization called Delmont. Recently, the organization faced several setbacks in business, whereby its revenues are decreasing. Otis was asked to take charge and look into the matter. While auditing the enterprise security, he found traces of an attack through which proprietary information was stolen from the enterprise network and passed on to their competitors. Which of the following information security incidents did Delmont face?

Options:

A. Network and resource abuses
B. Espionage
C. Email-based abuse
D. Unauthorized access
