What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)
A.
Untampered images are used in the security investigation process
B.
Tampered images are used in the security investigation process
C.
The image is tampered if the stored hash and the computed hash match
D.
Tampered images are used in the incident recovery process
E.
The image is untampered if the stored hash and the computed hash match
Tampered images are used in the security investigation process
The image is untampered if the stored hash and the computed hash match
Refer to the exhibit.
Which type of log is displayed?
A.
proxy
B.
NetFlow
C.
IDS
D.
sys
NetFlow
A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions.
Which identifier tracks an active program?
A.
application identification number
B.
process identification number
C.
runtime identification number
D.
process identification number
process identification number
Which metric is used to capture the level of access needed to launch a successful attack?
A.
privileges required
B.
user interaction
C.
attack complexity
D.
attack vector
privileges required
Which IETF standard technology is useful to detect and analyze a potential security incident by recording
session flows that occurs between hosts?
A.
SFlow
B.
NetFlow
C.
NFlow
D.
IPFIX
IPFIX
What is the difference between mandatory access control (MAC) and discretionary access control (DAC)?
A.
MAC is controlled by the discretion of the owner and DAC is controlled by an
administrator
B.
MAC is the strictest of all levels of control and DAC is object-based access
C.
DAC is controlled by the operating system and MAC is controlled by an administrator
D.
DAC is the strictest of all levels of control and MAC is object-based access
MAC is the strictest of all levels of control and DAC is object-based access
Which open-sourced packet capture tool uses Linux and Mac OS X operating systems?
A.
NetScout
B.
tcpdump
C.
SolarWinds
D.
netsh
tcpdump
Which security principle is violated by running all processes as root or administrator?
A.
principle of least privilege
B.
role-based access control
C.
separation of duties
D.
trusted computing base
principle of least privilege
What are the two characteristics of the full packet captures? (Choose two.)
A.
Identifying network loops and collision domains.
B.
Troubleshooting the cause of security and performance issues.
C.
Reassembling fragmented traffic from raw data.
D.
Detecting common hardware faults and identify faulty assets.
E.
Providing a historical record of a network transaction.
Reassembling fragmented traffic from raw data.
Providing a historical record of a network transaction.
An engineer runs a suspicious file in a sandbox analysis tool to see the outcome. The Which two pieces of information from the analysis report are needed to investigate the callouts? (Choose two.)
A.
signatures
B.
host IP addresses
C.
file size
D.
dropped files
E.
domain namesanalysis report shows that outbound callouts were made post infection.
host IP addresses
domain namesanalysis report shows that outbound callouts were made post infection.
Refer to the exhibit.
Which event is occurring?
A.
A binary named "submit" is running on VM cuckoo1.
B.
A binary is being submitted to run on VM cuckoo1
C.
A binary on VM cuckoo1 is being submitted for evaluation
D.
A URL is being evaluated to see if it has a malicious binary
A binary on VM cuckoo1 is being submitted for evaluation
What is the virtual address space for a Windows process?
A.
physical location of an object in memory
B.
Bset of pages that reside in the physical memory
C.
system-level memory protection feature built into the operating system
D.
set of virtual memory addresses that can be used
set of virtual memory addresses that can be used
| Page 3 out of 16 Pages |
| Previous |