210-255 Real Exam Dumps Questions and answers 51-60

Get Full Version of the Exam
http://www.EnsurePass.com/210-255.html

Question No.51

Which type of analysis allows you to see how likely an exploit could affect your network?

A. descriptive
B. causal
C. probabilistic
D. inferential

Correct Answer: C

Question No.52

You receive an alert for malicious code that exploits Internet Explorer and runs arbitrary code on the site visitor's machine. The malicious code is on an external site that is being visited by hosts on your network. Which user agent in the HTTP headers in the requests from your internal hosts warrants further investigation?

A. Mozilla/5.0 (compatible, MSIE 10.0, Windows NT 6.2, Trident 6.0)
B. Mozilla/5.0 (X11; Linux i686; rv:1.9.2.20) Gecko/20110805
C. Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101
D. Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16

Correct Answer: A

Question No.53

Which statement about threat actors is true?

A. They are any company assets that are threatened.
B. They are any assets that are threatened.
C. They are perpetrators of attacks.
D. They are victims of attacks.

Correct Answer: C

Question No.54

What is accomplished in the identification phase of incident handling?

A. determining the responsible user
B. identifying source and destination IP addresses
C. defining the limits of your authority related to a security event
D. determining that a security event has occurred

Correct Answer: D

Question No.55

Refer to the exhibit. Which type of log is this an example of?

(exhibit image)

A. IDS log
B. proxy log
C. NetFlow log
D. syslog

Correct Answer: C

Question No.56

Which option creates a display filter on Wireshark on a host IP address or name?

A. ip.address == <address> or ip.network == <network>
B. [tcp|udp] ip.[src|dst] port <port>
C. ip.addr == <addr> or ip.name == <name>
D. ip.addr == <addr> or ip.host == <host>

Correct Answer: D

Question No.57

During which phase of the forensic process are tools and techniques used to extract the relevant information from the collected data?

A. examination
B. reporting
C. collection
D. investigation

Correct Answer: A

Question No.58

A CMS plugin creates two files that are accessible from the Internet: myplugin.html and exploitable.php. A newly discovered exploit takes advantage of an injection vulnerability in exploitable.php. To exploit the vulnerability, one must send an HTTP POST with specific variables to exploitable.php. You see traffic to your webserver that consists of only HTTP GET requests to myplugin.html. Which category best describes this activity?

A. weaponization
B. exploitation
C. installation
D. reconnaissance

Correct Answer: D

Question No.59

Which data element must be protected with regard to PCI?

A. past health condition
B. geographic location
C. full name / full account number
D. recent payment amount

Correct Answer: C

Question No.60

Refer to the exhibit. What can be determined from this ping result?

(exhibit image)

A. The public IP address of cisco.com is 2001:420:1101:1::a.
B. The Cisco.com website is down.
C. The Cisco.com website is responding with an internal IP.
D. The public IP address of cisco.com is an IPv4 address.

Correct Answer: A

210-255 Real Exam Dumps Questions and answers 21-30


Question No.21

What information from HTTP logs can be used to find a threat actor?

A. referer
B. IP address
C. user-agent
D. URL

Correct Answer: B

Question No.22

Which two HTTP header fields relate to intrusion analysis? (Choose two.)

A. user-agent
B. host
C. connection
D. language
E. handshake type

Correct Answer: AB

Question No.23

During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?

A. collection
B. examination
C. reporting
D. investigation

Correct Answer: A

Question No.24

A user on your network receives an email in their mailbox that contains a malicious attachment. There is no indication that the file was run. Which category as defined in the Diamond Model of Intrusion does this activity fall under?

A. reconnaissance
B. weaponization
C. delivery
D. installation

Correct Answer: C

Question No.25

Which stakeholder group is responsible for containment, eradication, and recovery in incident handling?

A. facilitators
B. practitioners
C. leaders and managers
D. decision makers


Correct Answer: D

Question No.26

DRAG DROP

Drag and drop the elements of incident handling from the left into the correct order on the right.

(exhibit image)

Correct Answer:

(answer image)

Question No.27

Which Security Operations Center's goal is to provide incident handling to a country?

A. Coordination Center
B. Internal CSIRT
C. National CSIRT
D. Analysis Center

Correct Answer: C

Question No.28

An organization has recently adjusted its security stance in response to online threats made by a known hacktivist group. Which term defines the initial event in NIST SP800-61 r2?

A. instigator
B. precursor
C. online assault
D. trigger


Correct Answer: B

Question No.29

Refer to the exhibit. Which application protocol is in this PCAP file?

(exhibit image)

A. TCP
B. SSH
C. HTTP
D. SSL

Correct Answer: D

Question No.30

Which string matches the regular expression r(ege) x?

A. rx
B. regeegex
C. r(ege)x
D. rege x

Correct Answer: B

210-255 Real Exam Dumps Questions and answers 31-40


Question No.31

Which regular expression matches "color" and "colour"?

A. col[0-9] our
B. colo?ur
C. colou?r
D. [a-z]{7}

Correct Answer: C

Question No.32

Which option is a misuse variety per VERIS enumerations?

A. snooping
B. hacking
C. theft
D. assault

Correct Answer: B

Question No.33

When performing threat hunting against a DNS server, which traffic toward the affected domain is considered a starting point?

A. HTTPS traffic
B. TCP traffic
C. HTTP traffic
D. UDP traffic

Correct Answer: D

Question No.34

Which kind of evidence can be considered most reliable to arrive at an analytical assertion?

A. direct
B. corroborative
C. indirect
D. circumstantial
E. textual

Correct Answer: A

Question No.35

Which element is part of an incident response plan?

A. organizational approach to incident response
B. organizational approach to security
C. disaster recovery
D. backups


Correct Answer: A

Question No.36

In Microsoft Windows, as files are deleted, the space allocated to them eventually becomes available for use by other files. This creates alternating used and unused areas of various sizes. What is this called?

A. network file storing
B. free space fragmentation
C. alternate data streaming
D. defragmentation

Correct Answer: B

Question No.37

DRAG DROP

Drag and drop the type of evidence from the left onto the correct description(s) of that evidence on the right.

(exhibit image)

Correct Answer:

(answer image)

Question No.38

Which component of the NIST SP800-61 r2 incident handling strategy reviews data?

A. preparation
B. detection and analysis
C. containment, eradication, and recovery
D. post-incident analysis

Correct Answer: D


Question No.39

Which source provides reports of vulnerabilities in software and hardware to a Security Operations Center?

A. Analysis Center
B. National CSIRT
C. Internal CSIRT
D. Physical Security

Correct Answer: C

Question No.40

You see confidential data being exfiltrated to an IP address that is attributed to a known Advanced Persistent Threat group. Assume that this is part of a real attack and not a network misconfiguration. Which category does this event fall under as defined in the Diamond Model of Intrusion?

A. reconnaissance
B. weaponization
C. delivery
D. action on objectives

Correct Answer: D

210-255 Real Exam Dumps Questions and answers 41-50


Question No.41

Which process is being utilized when IPS events are removed to improve data integrity?

A. data normalization
B. data availability
C. data protection
D. data signature

Correct Answer: A

Question No.42

Which description of a retrospective malware detection is true?

A. You use Wireshark to identify the malware source.
B. You use historical information from one or more sources to identify the affected host or file.
C. You use information from a network analyzer to identify the malware source.
D. You use Wireshark to identify the affected host or file.

Correct Answer: B

Question No.43

Which option filters a LibPCAP capture that used a host as a gateway?

A. [tcp|udp] [src|dst] port <port>
B. [src|dst] net <net> [{mask <mask>}|{len <len>}]
C. ether [src|dst] host <ehost>
D. gateway host <host>


Correct Answer: D

Question No.44

Which goal of data normalization is true?

A. Reduce data redundancy.
B. Increase data redundancy.
C. Reduce data availability.
D. Increase data availability.

Correct Answer: A

Question No.45

Which network device creates and sends the initial packet of a session?

A. source
B. origination
C. destination
D. network

Correct Answer: A

Question No.46

Which option is generated when a file is run through an algorithm and generates a string specific to the contents of that file?

A. URL
B. hash
C. IP address
D. destination port

Correct Answer: B

Question No.47

Which option allows a file to be extracted from a TCP stream within Wireshark?

A. File > Export Objects
B. Analyze > Extract
C. Tools > Export > TCP
D. View > Extract

Correct Answer: A


Question No.48

Which identifies both the source and destination location?

A. IP address
B. URL
C. ports
D. MAC address

Correct Answer: A

Question No.49

You have run a suspicious file in a sandbox analysis tool to see what the file does. The analysis report shows that outbound callouts were made post infection. Which two pieces of information from the analysis report are needed or required to investigate the callouts? (Choose two.)

A. file size
B. domain names
C. dropped files
D. signatures
E. host IP addresses

Correct Answer: BC

Question No.50

Which element can be used by a threat actor to discover a possible opening into a target network and can also be used by an analyst to determine the protocol of the malicious traffic?

A. TTLs
B. ports
C. SMTP replies
D. IP addresses

Correct Answer: B

210-255 Real Exam Dumps Questions and answers 1-10


Question No.1

Refer to the exhibit. We have performed a malware detection on the Cisco website. Which statement about the result is true?

(exhibit image)

A. The website has been marked benign on all 68 checks.
B. The threat detection needs to run again.
C. The website has 68 open threats.
D. The website has been marked benign on 0 checks.

Correct Answer: A

Question No.2

Which information must be left out of a final incident report?

A. server hardware configurations
B. exploit or vulnerability used
C. impact and/or the financial loss
D. how the incident was detected

Correct Answer: A

Question No.3

Refer to the exhibit. Which type of log is this an example of?

(exhibit image)

A. syslog
B. NetFlow log
C. proxy log
D. IDS log

Correct Answer: D

Question No.4

Refer to the exhibit. A customer reports that they cannot access your organization's website. Which option is a possible reason that the customer cannot access the website?

(exhibit image)

A. The server at 10.33.1.5 is using up too much bandwidth causing a denial-of-service.
B. The server at 10.67.10.5 has a virus.
C. A vulnerability scanner has shown that 10.67.10.5 has been compromised.
D. Web traffic sent from 10.67.10.5 has been identified as malicious by Internet sensors.

Correct Answer: D

Question No.5

DRAG DROP

Refer to the exhibit. Drag and drop the element name from the left onto the correct piece of the PCAP file on the right.

(exhibit image)

Correct Answer:

(answer image)

Question No.6

Which CVSSv3 metric captures the level of access that is required for a successful attack?

A. attack vector
B. attack complexity
C. privileges required
D. user interaction

Correct Answer: C

Question No.7

Refer to the exhibit. Which packet contains a file that is extractable within Wireshark?

(exhibit image)

A. 1986
B. 2318
C. 2542
D. 2317

Correct Answer: C

Question No.8

Which CVSSv3 metric value increases when the attacker is able to modify all files protected by the vulnerable component?

A. confidentiality
B. integrity
C. availability
D. complexity

Correct Answer: B

Question No.9

What mechanism does the Linux operating system provide to control access to files?

A. privileges required
B. user interaction
C. file permissions
D. access complexity

Correct Answer: C

Question No.10

DRAG DROP

Refer to the exhibit. Drag and drop the element name from the left onto the correct piece of the NetFlow v5 record from a security event on the right.

(exhibit image)

Correct Answer:

(answer image)

210-255 Real Exam Dumps Questions and answers 11-20


Question No.11

Which CVSSv3 Attack Vector metric value requires the attacker to physically touch or manipulate the vulnerable component?

A. local
B. physical
C. network
D. adjacent

Correct Answer: B

Question No.12

Which option has a drastic impact on network traffic because it can cause legitimate traffic to be blocked?

A. true positive
B. true negative
C. false positive
D. false negative

Correct Answer: C

Question No.13

In the context of incident handling phases, which two activities fall under scoping? (Choose two.)

A. determining the number of attackers that are associated with a security incident
B. ascertaining the number and types of vulnerabilities on your network
C. identifying the extent that a security incident is impacting protected resources on the network
D. determining what and how much data may have been affected
E. identifying the attackers that are associated with a security incident

Correct Answer: CE

Question No.14

Which feature is used to find possible vulnerable services running on a server?

A. CPU utilization
B. security policy
C. temporary internet files
D. listening ports

Correct Answer: D

Question No.15

Which element is included in an incident response plan?

A. organization mission
B. junior analyst approval
C. day-to-day firefighting
D. siloed approach to communications

Correct Answer: A

Question No.16

Which option can be addressed when using retrospective security techniques?

A. if the affected host needs a software update
B. how the malware entered our network
C. why the malware is still in our network
D. if the affected system needs replacement


Correct Answer: B

Question No.17

From a security perspective, why is it important to employ a clock synchronization protocol on a network?

A. so that everyone knows the local time
B. to ensure employees adhere to work schedule
C. to construct an accurate timeline of events when responding to an incident
D. to guarantee that updates are pushed out according to schedule

Correct Answer: C

Question No.18

Which CVSSv3 metric value increases when attacks consume network bandwidth, processor cycles, or disk space?

A. confidentiality
B. integrity
C. availability
D. complexity

Correct Answer: C

Question No.19

In VERIS, an incident is viewed as a series of events that adversely affects the information assets of an organization. Which option contains the elements that every event is comprised of according to the VERIS incident model?

A. victim demographics, incident description, incident details, discovery & response
B. victim demographics, incident details, indicators of compromise, impact assessment
C. actors, attributes, impact, remediation
D. actors, actions, assets, attributes

Correct Answer: D

Question No.20

Which two options can be used by a threat actor to determine the role of a server? (Choose two.)

A. PCAP
B. tracert
C. running processes
D. hard drive configuration
E. applications

Correct Answer: CE
