Questions & Answers PDF P-1

Logical Operations
CFR-210 Exam
Logical Operations CyberSec First Responder Exam

https://www.braindumps2go.com

Product Questions: 100


Version: 8.0
Question: 1

An attacker performs reconnaissance on a Chief Executive Officer (CEO) using publicly available
resources to gain access to the CEO’s office. The attacker was in the CEO’s office for less than five
minutes, and the attack left no traces in any logs, nor was there any readily identifiable cause for the
exploit. The attacker is then able to use numerous credentials belonging to the CEO to conduct a
variety of further attacks. Which of the following types of exploit is described?

A. Pivoting
B. Malicious linking
C. Whaling
D. Keylogging

Answer: C

Question: 2

Which of the following is an automated password cracking technique that uses a combination of
upper and lower case letters, 0-9 numbers, and special characters?

A. Dictionary attack
B. Password guessing
C. Brute force attack
D. Rainbow tables

Answer: C

Question: 3

A zero-day vulnerability is discovered on a company’s network. The security analyst conducts a log
review, schedules an immediate vulnerability scan, and quarantines the infected system, but cannot
determine the root cause of the vulnerability. Which of the following is a source of information that
can be used to identify the cause of the vulnerability?

A. www.virustotal.com
B. Security RSS feeds
C. Security software websites
D. Government websites

Answer: C

Question: 4

The Chief Information Officer (CIO) of a company asks the incident responder to update the risk
management plan. Which of the following methods can BEST help the incident responder identify
the risks that require in-depth analysis?

A. Qualitative analysis
B. Targeted risk analysis
C. Non-targeted risk analysis
D. Quantitative analysis

Answer: D

Question: 5

A security analyst for a financial services firm is monitoring blogs and reads about a zero-day
vulnerability being exploited by a little-known group of hackers. The analyst wishes to independently
validate and corroborate the blog’s posting. Which of the following sources of information will
provide the MOST credible supporting threat intelligence in this situation?

A. Similar cybersecurity blogs
B. Threat intelligence sharing groups
C. Computer emergency response team press release
D. Internet searches on zero-day exploits

Answer: C

Question: 6

Which of the following could an attacker use to perpetrate a social engineering attack? (Choose two.)

A. Keylogger
B. Yagi
C. Company uniform
D. Backdoor
E. Phone call

Answer: A,E

Question: 7

During review of a company’s web server logs, the following items are discovered:
2015-03-01 03:32:11 www.example.com/index.asp?id=-999 or 1=convert(int,@@version)--
2015-03-01 03:35:33 www.example.com/index.asp?id=-999 or 1=convert(int,db_name())--
2015-03-01 03:38:25 www.example.com/index.asp?id=-999 or 1=convert(int,user_name())--

Which of the following is depicted in the log example above?

A. An administrator using the web interface for application maintenance
B. Normal web application traffic
C. A web application scan
D. An attempt at enumeration via SQL injection

Answer: D

Question: 8

An attacker has exfiltrated the SAM file from a Windows workstation. Which of the following attacks
is MOST likely being perpetrated?

A. user enumeration
B. Brute forcing
C. Password sniffing
D. Hijacking/rooting

Answer: C

Question: 9

Which of the following describes the MOST important reason for capturing post-attack metadata?

A. To assist in updating the Business Continuity Plan
B. To assist in writing a security magazine article
C. To assist in fortification of defenses to prevent future attacks
D. To assist in improving security awareness training

Answer: C

Question: 10

DRAG DROP
Drag and drop the following steps to perform a successful social engineering attack in the correct
order, from first (1) to last (6).

Answer:

Question: 11

A malicious actor sends a crafted email to the office manager using personal information collected
from social media. This type of social engineering attack is known as:

A. spear phishing
B. vishing
C. phishing
D. whaling

Answer: C

Question: 12

A computer attacker has compromised a system by implanting a script that will send 10B packages
over port 150. This port is also used for sending heartbeat messages to a central monitoring server.
Which of the following BEST describes the tactic used to execute this attack?

A. Covert channels
B. Logic bomb
C. Backdoors
D. ICMP redirect

Answer: A

Question: 13

Which of the following techniques allows probing firewall rule sets and finding entry points into a
targeted system or network?

A. Distributed checksum clearinghouse
B. Firewall fingerprinting
C. Network enumeration
D. Packet crafting

Answer: D

Question: 14

A security professional has been tasked with the protection of a specific set of information essential
to a corporation’s livelihood, the exposure of which could cost the company billions of dollars in
long-term revenue. The professional is interested in obtaining advice for preventing the theft of this
type of information. Which of the following is the BEST resource for finding this material?

A. Law enforcement information sharing groups
B. National Threat Assessment Center
C. Vendor web pages that provide intelligence feeds and advisories
D. Blogs concerning the theft of PII

Answer: A

Question: 15

When determining the threats/vulnerabilities to mitigate, it is important to identify which are
applicable. Which of the following is the FIRST step to determine applicability?

A. Review online vulnerability database
B. Limit and control network ports, protocols, and services.
C. Continuously assess and remediate vulnerabilities.
D. Conduct an assessment of the system infrastructure.

Answer: D

Question: 16

Which of the following describes pivoting?

A. Copying captured data to a hacker’s system
B. Performing IP packet inspection
C. Generating excessive network traffic
D. Accessing another system from a compromised system

Answer: D

Question: 17

A malicious attacker has compromised a database by implementing a Python-based script that will
automatically establish an SSH connection daily between the hours of 2:00 am and 5:00 am. Which of
the following is the MOST common motive for the attack vector that was used?

A. Pivoting
B. Persistence/maintaining access
C. Exfiltration
D. Lateral movement

Answer: D

Question: 18

DRAG DROP
When perpetrating an attack, there are often a number of phases attackers will undertake,
sometimes taking place over a long period of time. Place the following phases in the correct
chronological order from first (1) to last (5).

Answer:

Question: 19

Which of the following tools can be used to identify open ports and services?

A. netstat
B. tcpdump
C. nmap
D. recon-ng

Answer: A

Question: 20

A high-level government official uses anonymous bank accounts to transfer a requested amount of
funds to individuals in another country. These individuals are known for defacing government
websites and exfiltrating sensitive data. Which of the following BEST describes the involved threat
actors?

A. State-sponsored hackers
B. Gray hat hackers
C. Hacktivists
D. Cyber terrorists

Answer: D

Question: 21

Which of the following are reasons that a hacker would execute a DoS or a DDoS attack? (Choose
two.)

A. To determine network bandwidth
B. To distract the incident response team
C. To distract the remediation team
D. To promote business operations
E. To compromise a system and reuse the IP address

Answer: A,B

Question: 22

A hacker’s end goal is to target the Chief Financial Officer (CFO) of a bank. Which of the following
describes this social engineering tactic?

A. Vishing
B. Pharming
C. Spear phishing
D. Whaling

Answer: D

Question: 23

Which of the following can hackers use to gain access to a system over the network without knowing
the actual password?

A. User enumeration
B. Pass the hash
C. Port scanning
D. Password cracking

Answer: D

Question: 24

Which of the following protocols can be used for data extension?

A. SNMP
B. DNS
C. ARP
D. DHCP

Answer: D

Question: 25

Click the exhibit button. After reviewing captured network traffic logs, a security auditor suspects a
violation of the organization’s computer use policy. Which of the following is the likely indicator of
the violation?

A. Unauthorized programs
B. Malicious software
C. Service disruption
D. Registry entries
E. New user account

Answer: A

Question: 26

A Windows system user reports seeing a command prompt window pop up briefly during each login.
In which of the following locations would an incident responder check to explain this activity?

A. rc.d
B. HKLM “RunOnce” key
C. c:\temp
D. /etc/init.d/

Answer: C

Question: 27

An incident responder is asked to create a disk image of a compromised Linux server. Which of the
following commands should be used to do this?

A. dd
B. lsof
C. gzip
D. fdisk
E. mbr

Answer: D

Question: 28

An intruder gains physical access to a company’s headquarters. The intruder is able to access the
company’s network via a visitor’s office. The intruder sets up an attack device, under the visitor’s
office desk, that impersonates the corporate wireless network. Users at headquarters begin to notice
slow browsing speeds from their company laptops. Which of the following attacks is MOST likely
occurring?

A. Man-in-the-middle
B. Denial of service
C. Social engineering
D. ARP table poisoning

Answer: D

Question: 29

An alert has been triggered identifying a new application running on a Windows server. Which of the
following tools can be used to identify the application? (Choose two.)

A. traceroute
B. nbstat
C. Hex editor

D. Task manager
E. Process explorer

Answer: D,E

Question: 30

When performing an investigation, a security analyst needs to extract information from text files in a
Windows operating system. Which of the following commands should the security analyst use?

A. findstr
B. grep
C. awk
D. sigverif

Answer: C

Question: 31

An outside organization has reported to the Chief Information Officer (CIO) of a company that it has
received an attack from a Linux system in the company’s DMZ. Which of the following commands
should an incident responder use to review a list of currently running programs on the potentially
compromised system?

A. task manager
B. tlist
C. who
D. top

Answer: D

Question: 32

While performing standard maintenance on a UNIX server, a system administrator notices a set of
large files with .tar.gz file extensions in the /tmp folder. The system administrator reports this to a
security analyst. Performing further research, the analyst has found the .tar.gz files contain
information normally housed on one of the bank’s data servers. Given this scenario, which of the
following is MOST likely occurring?

A. A malicious actor, having breached the system, is staging collected data for exfiltration.
B. Having nearly exhausted the capacity of the home directory, a user is moving files to make room.
C. An error on the .hosts file has resulted in the data being backed up to the wrong server.
D. One of the newly hired system administrators has inadvertently backed up data to the wrong
server.

Answer: B

Question: 33

A security auditor has been asked to analyze event logs to look for signs of suspicious behavior. The
company operated on a normal workday schedule (e.g., Monday through Friday, 8 am – 5 pm) and
has implemented stringent access control policies (e.g. password complexity, failed login attempts).
Which of the following provides the MOST reason for concern?

A. 15 failed login attempts taking place at 9 am.
B. Regularly occurring system calls taking place every day at midnight.
C. Two failed login attempts followed by a successful login in short succession.
D. A single instance of failed read attempts on a protected directory structure.

Answer: A

Question: 34

A forensics analyst is analyzing an executable and thinks it may have some text of interest hidden
within it. Which of the following tools can the analyst use to assist in validating the suspicion?

A. lsof
B. cat command
C. hex editor
D. more

Answer: C

Question: 35

A system administrator is informed that a user received an email containing a suspicious attachment.
Which of the following methods is the FASTEST way to determine whether the file is suspicious or
not?

A. Reverse engineering
B. Virus scanning
C. Virtualization
D. Sandboxing

Answer: D

Question: 36

A user reports a pop-up error when starting a Windows machine. The error states that the machine
has been infected with a virus and instructs the user to download a new antivirus client. In which of
the following locations should the incident responder check to find what is generating the error
message? (Choose two.)

A. Auto-start registry keys
B. Device Manager
C. Event Viewer
D. Programs and Features
E. Browser history

Answer: A,C

Question: 37

A file is discovered in the /etc directory of an internal server by an automated file integrity checker. A
security analyst determines the file is a bash script. The contents are as follows:
---
#!/bin/bash
# Split each /etc/passwd line on ':' so read fills a..g with its fields
IFS=:
[[ -f /etc/passwd ]] && cat /etc/passwd |
while read a b c d e f g
do
  # a = username (field 1), e = GECOS/full name (field 5)
  echo "$e ($a)"
done
---
Which of the following was the author of the script attempting to gather?

A. Home directory and shell
B. Username and password hash
C. User’s name and username
D. UID and GID

Answer: B

Question: 38

During a malware outbreak, a security analyst has been asked to capture network traffic in hourly
increments for analysis by the incident response team. Which of the following tcpdump commands
would generate hourly pcap files?

A. tcpdump -nn -i eth0 -w output.pcap -C 100 -W 10
B. tcpdump -nn -i eth0 -w output.pcap -W 24
C. tcpdump -nn -i eth0 -w output.pcap -G 3600 -W 14
D. tcpdump -nn -i eth0 -w output.pcap

Answer: B

Question: 39

From a compromised system, an attacker bypasses a proxy server and sends a large amount of data
to a remote location. A security analyst is tasked with finding the conduit that was used by the
attacker to bypass the proxy. Which of the following Windows tools should be used to find the
conduit?

A. net
B. fport
C. nbstat
D. netstat

Answer: D

Question: 40

An attack was performed on a company’s web server, disabling the company’s website. The incident
response team’s investigation produced the following:
1. Presence of malicious code installed on employees’ workstations.
2. Excessive UDP datagrams sent to a single address.
3. Web server received excessive UDP datagrams from multiple internal hosts.
4. Network experienced high traffic after 3:00 pm.
5. Employee workstations sent large traffic bursts when employees accessed the internal timecard
application.
Which of the following BEST describes the attack tool used to perform the attack?

A. KeyLogger
B. Logic bomb
C. Nessus
D. Metasploit

Answer: D

Question: 41

An organization needs to determine if any systems on its network (10.0.25.0/24) have web services
running on port 80 or 443. Which of the following is the BEST command to do this?

A. netstat -p 80-443 10.0.25.0/24
B. nmap -v 80,443 10.0.25.0/24
C. netstat -v 80,443 10.0.25.0/24
D. nmap -p 80,443 10.0.25.0/24

Answer: C

Question: 42

An incident responder is investigating a Linux server reported to be “behaving strangely”. Which of
the following commands should the incident responder use to identify any users currently logged
into the system? (Choose two.)

A. lsof
B. ls
C. id
D. w
E. lastlog

Answer: D

Question: 43

A suspicious laptop is found in a datacenter. The laptop is on and processing data, although there is
no application open on the screen. Which of the following BEST describes a Windows tool and
technique that an investigator should use to analyze the laptop’s RAM for working applications?

A. Net start and Network analysis
B. Regedit and Registry analysis
C. Task manager and Application analysis
D. Volatility and Memory analysis

Answer: B

Question: 44

A system administrator needs to analyze a PCAP file on a Linux workstation where the use of GUI-
based applications is restricted. Which of the following command line tools can the administrator use
to analyze the PCAP?

A. nfdump
B. cryptcat
C. tshark
D. netstat

Answer: A

Question: 45

A company website was hacked via the SQL query below:

Which of the following did the hackers perform?

A. Cleared tracks of attacker@somewhere.com entries
B. Deleted the entire members table
C. Deleted the email password and login details
D. Performed an XSS attack

Answer: D

Question: 46

Malicious code that can replicate itself using various techniques is referred to as a:

A. downloader
B. rootkit
C. launcher
D. worm

Answer: D

Question: 47

While a network administrator is monitoring the company network, an unknown local IP address is
starting to release high volumes of anonymous traffic to an unknown external IP address. Which of
the following would indicate to the network administrator potential compromise?

A. Packet losses
B. Excessive bandwidth usage
C. Service disruption
D. Off-hours usage

Answer: B

Question: 48

Click the exhibit button. Which of the following Windows tools is executed?

A. nmap
B. netstat
C. tracert
D. traceroute

Answer: D

Question: 49

A malware analyst has been assigned the task of reverse engineering malicious code. To conduct the
analysis safely, which of the following could the analyst implement?

A. Honeypot
B. VLAN
C. Lock box
D. Sandbox

Answer: D

Question: 50

An attacker has decided to attempt a brute force attack on a UNIX server. In order to accomplish this,
which of the following steps must be performed?

A. Exfiltrate the shadow and SAM, run unshadow, and then run a password cracking utility on the
output file.
B. Exfiltrate the shadow and passwd, and then run a password cracking utility on both files.
C. Exfiltrate the shadow and SAM, and then run a password cracking utility on both files.
D. Exfiltrate the shadow and passwd, run unshadow, and then run a password cracking utility on the
output file.

Answer: C

Question: 51

Which of the following resources BEST supports malware analysis?

A. Internet service providers
B. Government websites
C. Crowdsourced intelligence feed
D. Internal network management team

Answer: C

Question: 52

An incident responder has captured packets associated with malware. The source port is 8765 and
the destination port is 7653. Which of the following commands should be used on the source
computer to help determine which program is responsible for the connection?

A. services.msc
B. psexec
C. msconfig
D. fport

Answer: D

Question: 53

A UNIX workstation has been compromised. The security analyst discovers high CPU usage during
off-hours on the workstation. Which of the following UNIX programs can be used to detect the rogue
process? (Choose two.)

A. arp
B. ps
C. who
D. dd
E. top

Answer: C,E

Question: 54

A forensics investigator has been assigned the task of investigating a system user for suspicion of
using a company-owned workstation to view unauthorized content. Which of the following would be
a proper course of action for the investigator to take?

A. Notify the user that their workstation is being confiscated to perform an investigation, providing
no details as to the reasoning.
B. Confiscate the workstation while the suspected employee is out of the office, and perform a search
on the asset.
C. Confiscate the workstation while the suspected employee is out of the office, and perform the
search on bit-for-bit image of the hard drive.
D. Notify the user that the workstation is being confiscated to perform an investigation, providing
complete transparency as to the suspicions.

Answer: B

Question: 55

Log review shows that large amounts of data are being sent to an IP address unassociated with the
company. Which of the following mitigation techniques should be implemented?

A. DNS filtering
B. System hardening
C. Proxy
D. IPS

Answer: A

Question: 56

During the course of an investigation, an incident responder discovers illegal material on a user’s
hard drive. Which of the following is the incident responder’s MOST important next step?

A. Notify management
B. Place the hard drive in an evidence bag
C. Image the hard drive
D. Restrict the user’s access

Answer: A

Question: 57

Which of the following is the reason that out-of-band communication is used during a security
incident?

A. The SMTP server may be compromised.
B. The incident response systems may be busy.
C. Other communication methods are unreliable.
D. An attacker could be monitoring network traffic.

Answer: C

Question: 58

An organization’s public information website has been defaced. The incident response team is
actively engaged in the following actions:
- Installing patches on the web server
- Turning off unnecessary services on web server
- Adding new ACL rules to the WAF
- Changing all passwords on web server accounts
Which of the following incident response phases is the team MOST likely conducting?

A. Respond
B. Recover
C. Contain
D. Identify

Answer: B

Question: 59

A SOC analyst reviews vendor security bulletins and security blog articles against the company’s
deployed system and software base. Based on current attack patterns, three vulnerabilities, including
a zero-day vulnerability, have been upgraded to high priority. Which of the following should the SOC
analyst recommend? (Choose two.)

A. Reboot affected servers
B. Implement DNS filtering
C. Update IPS rules
D. Implement application whitelisting
E. Patch affected systems

Answer: B,E

Question: 60

DRAG DROP

Drag and drop the following steps in the correct order from first (1) to last (7) that a forensic expert
would follow based on data analysis in a Windows system.
Answer:

Question: 61

Organizations should exercise their Incident Response (IR) plan following initial creation. The primary
objective for this first IR plan exercise is to identify:

A. deficiencies in cyber security incident response team skills.
B. gaps or overlaps in supporting processes and procedures.
C. critical steps required in the case of an incident.
D. capabilities required to improve response time.

Answer: D

Question: 62

During an annual penetration test, several rootkit-enabled systems are found to be exfiltrating data.
The penetration test team and the internal incident response team work to begin cleanup. The
company’s operations team offers a new email server to use for communications during the
incident. As cleanup continues, the attackers seem to know exactly what the incident response plan
is. Which of the following will prevent the attackers from compromising cleanup activities?

A. Check the DNS server for rootkits placed by the attackers.
B. Disconnect the Internet router until all systems can be checked and cleaned.
C. Use out-of-band communication until the end of the incident.
D. Disconnect the old email server until they can be checked and cleaned.

Answer: A

Question: 63

During the identification phase, it is discovered that port 23 is being used maliciously. Which of the
following system hardening techniques should be used to remediate the issue?

A. Disable unnecessary services
B. Patch the system
C. Configure blackhole routing
D. Configure DNS filtering

Answer: B

Question: 64

A security analyst discovers a zero-day vulnerability affecting Windows, which has not been publicly
identified. The security analyst assumes this vulnerability is present on millions of computer systems
and feels an obligation to share this information with other security professionals. Which of the
following would be the MOST adverse consequence of the analyst sharing this information?

A. Public exposure of the vulnerability, including to potential attackers
B. Unexpected media coverage of the discovery
C. Potential distribution of misinformation
D. Possible legal consequences for the analyst

Answer: A

Question: 65

Network engineering has reported low bandwidth during working hours. The incident response team
is currently investigating several anomalous activities that may be related. Which of the following is
the MOST appropriate method to further investigate this problem?

A. Collecting and analyzing computer logs
B. Imaging hard disk drives of computers on the network
C. Capturing network traffic and packet analysis
D. Penetration testing and port scanning

Answer: C

Question: 66

An administrator wants to block Java exploits that were not detected by the organization’s antivirus
product. Which of the following mitigation methods should an incident responder perform? (Choose
two.)

A. Utilize DNS filtering
B. Send binary to AV vendor for analysis
C. Create a custom IPS signature
D. Implement an ACL
E. Block the port on the firewall

Answer: C,E

Question: 67

Which of the following are legally compliant forensics applications that will detect ADS or a file with
an incorrect file extension? (Choose two.)

A. Regedit
B. EnCase
C. dd
D. FTK
E. Procmon

Answer: A,C

Question: 68

A network administrator has been asked to configure a new network. It is the company’s policy to
segregate network functions using different Virtual LANs (VLANs). On which of the following is this
configuration MOST likely to occur?

A. Network switch
B. Virtual Machine
C. Virtual Private Network
D. Network firewall

Answer: A

Question: 69

Which of the following mitigations will remain intact, regardless of the underlying network protocol?

A. DNS filtering
B. Application whitelisting
C. IP address blocking
D. Proxy ACL

Answer: A

Question: 70

Which of the following enables security personnel to have the BEST security incident recovery
practices?

A. Crisis communication plan
B. Disaster recovery plan
C. Occupant emergency plan
D. Cyber incident response plan

Answer: D

Question: 71

As part of an incident response effort, data has been collected and analyzed, and a malware infection
has been contained. Which of the following is the NEXT step the incident response team should take
within the incident response process?

A. Begin recovering all infected systems to return the organization to normal operations as soon as
possible.
B. Ensure every instance of the malware has been removed across the organization.
C. Discuss lessons learned before proceeding with other steps.
D. Start writing the report to ensure a quality product is delivered by the end of the project.

Answer: B

Question: 72

A security analyst would like to parse through several SQL logs for indicators of compromise. The
analyst is aware that none of the fields should contain a string of text longer than 30 characters;
however, the analyst is unaware if there are any implemented controls to prevent such an overflow.
Which of the following BEST describes the regular expression the analyst should use to find any
alphanumeric character string?

A. /^[a-zA-Z0-9]{5,30}$/
B. /^[a-zA-Z-9]{30}$/
C. /^[a-zA-Z]{5,30}$/
D. /^[a-Z0-9]{5,30}$/

Answer: A

Question: 73

An incident responder needs to quickly locate specific data in a large data repository. Which of the
following Linux tool should be used?

A. cat
B. find
C. grep
D. man

Answer: C

Question: 74

An attacker has sent malicious macro-enabled Office files. Which of the following regular expressions
will return a list of macro-enabled files?

A. ^.*?\.(?:xls|ppt|doc)m
B. ^.*(?:xls|ppt|doc)m.*
C. ^.*?\.(?:xls|ppt|doc)m$
D. ^.*(?:xls|ppt|doc)m

Answer: B

Question: 75

A SOC analyst has been tasked with checking all files in every employee home directory for any
mention of a new product code named PitViper. Which of the following commands will return all
requested data?

A. grep -i "pitviper" /home
B. grep -r "PitViper" /home
C. grep -r -v "pitviper" /home
D. grep -r -i "pitviper" /home

Answer: A

Question: 76

Which of the following is the BEST way to capture all network traffic between hosts on a segmented
network?

A. HIPS
B. Firewall

C. Router
D. Protocol analyzer

Answer: A

Question: 77

Customers are reporting issues connecting to a company’s Internet server. Which of the following
device logs should a technician review in order to help identify the issue?

A. WIPS
B. SSH
C. WAP
D. WAF

Answer: A

Question: 78

An unauthorized network scan may be detected by parsing network sniffer data for:

A. IP traffic from a single IP address to multiple IP addresses.
B. IP traffic from a single IP address to a single IP address.
C. IP traffic from multiple IP addresses to a single IP address.
D. IP traffic from multiple IP addresses to other networks.

Answer: A

Question: 79

When investigating a wireless attack, which of the following can be obtained from the DHCP server?

A. MAC address of the attacker
B. Operating system of the attacker
C. IP traffic between the attacker and victim
D. Effectiveness of the VLAN terminator

Answer: A

Question: 80

An incident responder suspects that a host behind a firewall is infected with malware. Which of the
following should the responder use to find the IP address of the infected machine?

A. NAT table
B. ARP cache

C. DNS cache
D. CAM table

Answer: C

Question: 81

To redact or obfuscate sensitive data, a company requires its name be changed throughout a post-
incident report. Using a Linux sed command, which of the following will replace the company’s name
with “Acme”?

A. /Orange/Acme/g
B. s/Acme/Orange/g
C. /Acme/Orange/g
D. s/Orange/Acme/g

Answer: D

Question: 82

An organization performs regular updates to its network devices to alert and prevent access to
streaming media sites by the employees. Each device will send logs and alerts to a centralized server
for storage, archive, and analysis. Which of the following BEST describes the system that is
correlating the data found in all alerts and logs?

A. SIEM
B. NIDS
C. HIPS
D. WIPS

Answer: A

Question: 83

The incident response team needs to track which user last connected to a specific Windows domain
controller. Which of the following is the BEST way to identify that specific user?

A. Check System Event Log on the user’s computer
B. Check System Event Log on the domain controller
C. Check Security Log on the user’s computer
D. Check Security Log on the domain controller

Answer: D

Question: 84

During an investigation on a Windows 10 system, a system administrator needs to analyze Windows
event logs related to CD/DVD-burning activities. In which of the following paths will the system
administrator find these logs?

A. \Windows\Systems32\winevt\logs\System.evt
B. \Windows\System32\winevt\Logs\System.evtx
C. \Windows\Systems\winevt\Evtlogs\System.evtx
D. \Windows\System\winevt\Logs\System.evt

Answer: B

Question: 85

During a network-based attack, which of the following data sources will provide the BEST data to
quickly determine the attacker’s point of origin? (Choose two.)

A. DNS logs
B. System logs
C. WIPS logs
D. Firewall logs
E. IDS/IPS logs

Answer: A,D

Question: 86

Which of the following commands should be used to print out ONLY the second column of items in
the following file?
Source_File.txt
Alpha Whiskey
Bravo Tango
Charlie Foxtrot
Echo Oscar
Delta Roger

A. cut -d " " -f2 source_file.txt
B. cut -b7-15 source_file.txt
C. cut -d " " -f2 Source_File.txt
D. cut -c6-12 Source_File.txt

Answer: D

Question: 87

An alert on user account activity outside of normal business hours returns Windows event IDs 540
and 4624. In which of the following locations will these events be found?

A. Application event log
B. System event log
C. Setup event log
D. Security event log

Answer: D

Question: 88

The above Linux command is used to search for:

A. MAC addresses.
B. memory addresses.
C. IPv4 addresses.
D. IPv6 addresses.

Answer: A

Question: 89

An incident responder is asked to work with the IT department to address patch management issues
with the company servers. Which of the following is the BEST source for the incident responder to
obtain the CVEs for the latest industry-recognized patches?

A. Vulnerabilities database
B. Intelligence feeds
C. Security journals
D. Security blogs

Answer: A

Question: 90

An organization’s firewall has recently been bombarded with an excessive amount of failed requests.
A security analyst has been tasked with providing metrics on any failed attempts to ports above
1000. Which of the following regular expressions will work BEST to identify an IP address with the
desired port range?

A. /\b^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):({4,5}\d+)\b/
B. /\b^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):([4]\D+)\b/
C. /\b^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):([4]\d+)\b/
D. /\b^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})\b/

Answer: C

Question: 91

Why is it important to update system clocks from a single time source?

A. For backup data timestamps
B. To ensure device data integrity
C. For log data correlation
D. To assist in network data packet capture

Answer: B

Question: 92

A network engineer has collected a packet capture using Wireshark and given it to the team for
analysis. The team is looking for activity based on the internal IP address of 10.0.25.123. Which of
the following filters should the team use to look at only traffic for this IP?

A. source.ip == 10.0.25.123 && destination.ip == 10.0.25.123
B. source tcp = 10.0.25.123 and destination tcp = 10.0.25.123
C. src.ip == 10.0.25.123 or dst.ip == 10.0.25.123
D. src.ip = 10.0.25.123 or dst.ip = 10.0.25.123

Answer: D

Question: 93

An analyst would like to search for a specific text string at the beginning of a line that begins with
four capital alphabetic characters. Which of the following search operators should be used?

A. /\b\w{4}\b
B. /\b[A-Z]{4}\g
C. /^\w{4}\b
D. /B[A-Z]{4}\b\g

Answer: B

Question: 94

Which of the following logs should be checked to determine if an internal user connected to a
potentially malicious website? (Choose two.)

A. FTP logs
B. Email logs
C. Firewall logs
D. Proxy logs
E. HTTP logs

Answer: D,E

Question: 95

While reviewing some audit logs, an analyst has identified consistent modification of the sshd_config
file for an organization’s server. The analyst would like to investigate and compare contents of the
current file with archived versions of files that are saved weekly. Which of the following tools will be
MOST effective during the investigation?

A. cat <beginning of filename>* | cut -d ',' -f 2,5,7
B. more <beginning of filename>* | grep <string of characters>
C. diff <filename> <filename 2>
D. sort <beginning of filename>*

Answer: B

Question: 96

A logfile generated from a Windows server was moved to a Linux system for further analysis. A
system administrator is now making edits to the file with vi and notices the file contains numerous
instances of Ctrl-M (^M) characters. Which of the following command line tools is the administrator
MOST likely to use to remove these characters from the logfile? (Choose two.)

A. tr
B. cut
C. cat
D. unix2dos
E. awk

Answer: A,C

Question: 97

Which of the following technologies is used as mitigation to XSS attacks?

A. Intrusion prevention
B. Proxy filtering
C. Web application firewall
D. Intrusion detection

Answer: C

Question: 98

An incident responder notices many entries in an Apache access log file that contain semicolons.
Which of the following attacks is MOST likely being attempted?

A. SQL injection
B. Remote file inclusion
C. Account brute force
D. Cross-site scripting

Answer: A

Question: 99

A DMZ web server has been compromised. During the log review, the incident responder wants to
parse all common internal Class A addresses from the log. Which of the following commands should
the responder use to accomplish this?

A. grep -x "(10.[0-9]+.[0-9]+.[0-9]+)" etc/rc.d/apache2/access.log | output.txt
B. grep -x "(192.168.[0.9]+[0-9])" bin/apache2/access.log | output.txt
C. grep -v "(10.[0-9]+.[0-9]+.[0-9]+)" /var/log/apache2/access.log > output.txt
D. grep -v "(192.168.[0.9]+[0-9]+)" /var/log/apache2/access.log > output.txt

Answer: C

Question: 100

Which of the following types of logs is shown below, and what can be discerned from its contents?
2015-07-19 12:33:31 reject UDP 146.64.21.212 192.141.173.72 1234 80
2015-07-19 12:33:31 reject UDP 166.32.22.12 192.141.173.72 1234 80
2015-07-19 12:33:31 reject UDP 123.56.71.145 192.141.173.72 1234 80
2015-07-19 12:33:31 reject UDP 146.64.21.212 192.141.173.72 1234 80
2015-07-19 12:33:32 reject UDP 166.32.22.12 192.141.173.72 1234 80
2015-07-19 12:33:32 reject UDP 123.56.71.145 192.141.173.72 1234 80
2015-07-19 12:33:32 reject UDP 146.64.21.212 192.141.173.72 1234 80
2015-07-19 12:33:33 reject UDP 166.32.22.12 192.141.173.72 1234 80
2015-07-19 12:33:33 reject UDP 123.56.71.145 192.141.173.72 1234 80
2015-07-19 12:33:33 reject UDP 146.64.21.212 192.141.173.72 1234 80
2015-07-19 12:33:34 reject UDP 166.32.22.12 192.141.173.72 1234 80
2015-07-19 12:33:34 reject UDP 123.56.71.145 192.141.173.72 1234 80
2015-07-19 12:33:34 reject UDP 146.64.21.212 192.141.173.72 1234 80
2015-07-19 12:33:35 reject UDP 166.32.22.12 192.141.173.72 1234 80
2015-07-19 12:33:35 reject UDP 123.56.71.145 192.141.173.72 1234 80

A. Firewall log showing a possible web server attack
B. Proxy log showing a possible DoS attack
C. Firewall log showing a possible DoS attack
D. Proxy log showing a possible web server attack

Answer: C
