What are two denial of service attacks? (Choose two.)
A. MITM
B. TCP connections
C. ping of death
D. UDP flooding
E. code red
Answer: ping of death, UDP flooding
Which security monitoring data type requires the largest storage space?
A. transaction data
B. statistical data
C. session data
D. full packet capture
Answer: full packet capture
An engineer received an alert affecting the degraded performance of a critical server. Analysis showed a heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?
A. Run "ps -d" to decrease the priority state of high load processes to avoid resource exhaustion.
B. Run "ps -u" to find out who executed additional processes that caused a high load on a server.
C. Run "ps -ef" to understand which processes are taking a high amount of resources.
D. Run "ps -m" to capture the existing state of daemons and map required processes to find the gap.
Answer: Run "ps -m" to capture the existing state of daemons and map required processes to find the gap.
Which two elements are assets in the role of attribution in an investigation? (Choose two.)
A. context
B. session
C. laptop
D. firewall logs
E. threat actor
Answer: context, threat actor
An engineer needs to fetch logs from a proxy server and generate actual events according to the data received. Which technology should the engineer use to accomplish this task?
A. Firepower
B. Email Security Appliance
C. Web Security Appliance
D. Stealthwatch
Answer: Web Security Appliance
Which attack method intercepts traffic on a switched network?
A. denial of service
B. ARP cache poisoning
C. DHCP snooping
D. command and control
Answer: ARP cache poisoning
Explanation: An ARP-based MITM attack is achieved when an attacker poisons the ARP cache of two devices with the MAC address of the attacker's network interface card (NIC). Once the ARP caches have been successfully poisoned, each victim device sends all its packets to the attacker when communicating with the other device, which puts the attacker in the middle of the communications path between the two victim devices. This allows the attacker to easily monitor all communication between the victim devices. The intent is to intercept and view the information being passed between the two victim devices and potentially introduce sessions and traffic between them.
Refer to the exhibit.
An analyst received this alert from the Cisco ASA device, and numerous activity logs were produced. How should this type of evidence be categorized?
A. indirect
B. circumstantial
C. corroborative
D. best
Answer: circumstantial
Explanation: The alert from the Cisco ASA device and the numerous activity logs are examples of circumstantial evidence. Circumstantial evidence is evidence that relies on an inference or deduction to connect it to a conclusion of fact, such as a security incident or an attack. Circumstantial evidence does not directly prove the fact in question, but rather suggests or implies it. In this case, the alert and the logs indicate that a TCP connection attempt was denied by an access group, but they do not directly prove that an attack occurred or who was behind it. There could be other explanations for the denied connection, such as a misconfiguration, a network error, or a legitimate request. Therefore, this type of evidence is circumstantial and requires further investigation and analysis to confirm or rule out the possibility of an attack.
What is indicated by an increase in IPv4 traffic carrying protocol 41?
A. additional PPTP traffic due to Windows clients
B. unauthorized peer-to-peer traffic
C. deployment of a GRE network on top of an existing Layer 3 network
D. attempts to tunnel IPv6 traffic through an IPv4 network
Answer: attempts to tunnel IPv6 traffic through an IPv4 network
An engineer needs to configure network systems to detect command and control communications by decrypting ingress and egress perimeter traffic and allowing network security devices to detect malicious outbound communications. Which technology should be used to accomplish the task?
A. digital certificates
B. static IP addresses
C. signatures
D. cipher suite
Answer: cipher suite
An engineer needs to discover alive hosts within the 192.168.1.0/24 range without triggering intrusive portscan alerts on the IDS device using Nmap. Which command will accomplish this goal?
A. nmap --top-ports 192.168.1.0/24
B. nmap -sP 192.168.1.0/24
C. nmap -sL 192.168.1.0/24
D. nmap -sV 192.168.1.0/24
Answer: nmap -sL 192.168.1.0/24
An organization's security team has detected network spikes coming from the internal network. An investigation has concluded that the spike in traffic was from intensive network scanning. How should the analyst collect the traffic to isolate the suspicious host?
A. by most active source IP
B. by most used ports
C. based on the protocols used
D. based on the most used applications
Answer: based on the protocols used
A company is using several network applications that require high availability and responsiveness, such that milliseconds of latency on network traffic is not acceptable. An engineer needs to analyze the network and identify ways to improve traffic movement to minimize delays. Which information must the engineer obtain for this analysis?
A. total throughput on the interface of the router and NetFlow records
B. output of routing protocol authentication failures and ports used
C. running processes on the applications and their total network usage
D. deep packet captures of each application flow and duration
Answer: running processes on the applications and their total network usage