A security device processes the first packet from 10.62.34.12 destined for 10.23.10.7 and recognizes a malicious anomaly. The first packet makes it to 10.23.10.7 before the security device sends a TCP RST to 10.62.34.12. What type of security device is this?
A. Host IDS
B. Active response
C. Intrusion prevention
D. Network access control
A company estimates a loss of $2,374 per hour in sales if their website goes down. Their webserver hosting site's documented downtime was 7 hours each quarter over the last two years. Using the information, what can the analyst determine?
A. Annualized loss expectancy
B. CVSS risk score
C. Total cost of ownership
D. Qualitative risk posture
A legacy server on the network was breached through an OS vulnerability with no patch available. The server is used only rarely by employees across several business units. The theft of information from the server goes unnoticed until the company is notified by a third party that sensitive information has been posted on the Internet. Which control was the first to fail?
A. Security awareness
B. Access control
C. Data classification
D. Incident response
On which layer of the OSI Reference Model does the FWSnort utility function?
A. Physical Layer
B. Data Link Layer
C. Transport Layer
D. Session Layer
E. Application Layer
Which tasks would a First Responder perform during the Identification phase of Incident Response?
A. Verify the root cause of the incident and apply any missing security patches.
B. Install or reenable host-based firewalls and anti-virus software on suspected systems.
C. Search for sources of data and information that may be valuable in confirming and containing an incident.
D. Disconnect network communications and search for malicious executables or processes.
Which control would BEST help detect a potential insider threat?
A. Mandatory approval process for executive and administrative access requests.
B. Providing the same access to all employees and monitoring sensitive file access.
C. Multiple scheduled log reviews of all employee access levels throughout the year.
D. Requiring more than one employee to be trained on each task or job duty.
You have been tasked with searching for Alternate Data Streams on the following collection of Windows partitions: 2GB FAT16, 6GB FAT32, and 4GB NTFS. How many total gigabytes and which partitions will you need to search?
A. 4GBs of data, the NTFS partition only.
B. 12GBs of data, the FAT16, FAT32, and NTFS partitions.
C. 6GBs of data, the FAT32 partition only.
D. 10GBs of data, both the FAT32 and NTFS partitions.
Following a Digital Forensics investigation, which of the following should be included in the final forensics report?
A. An executive summary that includes a list of all forensic procedures performed.
B. A summary of the verified facts of the incident and the analyst's unverified opinions.
C. A summary of the incident and recommended disciplinary actions to apply internally.
D. An executive summary that includes high level descriptions of the overall findings.
An incident response team investigated a database breach, and determined it was likely the result of an internal user who had a default password in place. The password was changed. A week later, they discover another loss of database records. The database admin provides logs that indicate the attack came from the front-end web interface. Where did the incident response team fail?
A. They did not eradicate tools left behind by the attacker
B. They did not properly identify the source of the breach
C. They did not lock the account after changing the password
D. They did not patch the database server after the event
Enabling port security prevents which of the following?
A. Using vendors other than Cisco for switching equipment as they don't offer port security
B. Spoofed MAC addresses from being used to cause a Denial of Service condition
C. Legitimate MAC addresses from being used to cause a Denial of Service condition
D. Network Access Control systems from functioning properly