Black Friday Biggest Discount Flat 70% Offer - Ends in 0d 00h 00m 00s - Coupon code: 70diswrap

CertNexus CFR-410 Dumps

Page: 1 / 10
Total 100 questions

CyberSec First Responder Questions and Answers

Question 1

A security investigator has detected an unauthorized insider reviewing files containing company secrets.

Which of the following commands could the investigator use to determine which files have been opened by this user?

Options:

A.

ls

B.

lsof

C.

ps

D.

netstat

Question 2

A government organization responsible for critical infrastructure is being attacked and files on the server been deleted. Which of the following are the most immediate communications that should be made regarding the incident? (Choose two.)

Options:

A.

Notifying law enforcement

B.

Notifying the media

C.

Notifying a national compute emergency response team (CERT) or cybersecurity incident response team (CSIRT)

D.

Notifying the relevant vendor

E.

Notifying a mitigation expert

Question 3

An unauthorized network scan may be detected by parsing network sniffer data for:

Options:

A.

IP traffic from a single IP address to multiple IP addresses.

B.

IP traffic from a single IP address to a single IP address.

C.

IP traffic from multiple IP addresses to a single IP address.

D.

IP traffic from multiple IP addresses to other networks.

Question 4

A security administrator notices a process running on their local workstation called SvrsScEsdKexzCv.exe.

The unknown process is MOST likely:

Options:

A.

Malware

B.

A port scanner

C.

A system process

D.

An application process

Question 5

While performing routing maintenance on a Windows Server, a technician notices several unapproved Windows Updates and that remote access software has been installed. The technician suspects that a malicious actor has gained access to the system. Which of the following steps in the attack process does this activity indicate?

Options:

A.

Expanding access

B.

Covering tracks

C.

Scanning

D.

Persistence

Question 6

An incident responder discovers that the CEO logged in from their New York City office and then logged in from a location in Beijing an hour later. The incident responder suspects that the CEO’s account has been

compromised. Which of the following anomalies MOST likely contributed to the incident responder’s suspicion?

Options:

A.

Geolocation

B.

False positive

C.

Geovelocity

D.

Advanced persistent threat (APT) activity

Question 7

An incident responder has collected network capture logs in a text file, separated by five or more data fields.

Which of the following is the BEST command to use if the responder would like to print the file (to terminal/ screen) in numerical order?

Options:

A.

cat | tac

B.

more

C.

sort –n

D.

less

Question 8

An incident at a government agency has occurred and the following actions were taken:

-Users have regained access to email accounts

-Temporary VPN services have been removed

-Host-based intrusion prevention system (HIPS) and antivirus (AV) signatures have been updated

-Temporary email servers have been decommissioned

Which of the following phases of the incident response process match the actions taken?

Options:

A.

Containment

B.

Post-incident

C.

Recovery

D.

Identification

Question 9

Which of the following types of attackers would be MOST likely to use multiple zero-day exploits executed against high-value, well-defended targets for the purposes of espionage and sabotage?

Options:

A.

Cybercriminals

B.

Hacktivists

C.

State-sponsored hackers

D.

Cyberterrorist

Question 10

Which of the following methods are used by attackers to find new ransomware victims? (Choose two.)

Options:

A.

Web crawling

B.

Distributed denial of service (DDoS) attack

C.

Password guessing

D.

Phishing

E.

Brute force attack

Question 11

A Linux system administrator found suspicious activity on host IP 192.168.10.121. This host is also establishing a connection to IP 88.143.12.123. Which of the following commands should the administrator use to capture only the traffic between the two hosts?

Options:

A.

# tcpdump -i eth0 host 88.143.12.123

B.

# tcpdump -i eth0 dst 88.143.12.123

C.

# tcpdump -i eth0 host 192.168.10.121

D.

# tcpdump -i eth0 src 88.143.12.123

Question 12

An administrator believes that a system on VLAN 12 is Address Resolution Protocol (ARP) poisoning clients on the network. The administrator attaches a system to VLAN 12 and uses Wireshark to capture traffic. After

reviewing the capture file, the administrator finds no evidence of ARP poisoning. Which of the following actions should the administrator take next?

Options:

A.

Clear the ARP cache on their system.

B.

Enable port mirroring on the switch.

C.

Filter Wireshark to only show ARP traffic.

D.

Configure the network adapter to promiscuous mode.

Question 13

An automatic vulnerability scan has been performed. Which is the next step of the vulnerability assessment process?

Options:

A.

Hardening the infrastructure

B.

Documenting exceptions

C.

Assessing identified exposures

D.

Generating reports

Question 14

A suspicious script was found on a sensitive research system. Subsequent analysis determined that proprietary data would have been deleted from both the local server and backup media immediately following a specific administrator’s removal from an employee list that is refreshed each evening. Which of the following BEST describes this scenario?

Options:

A.

Backdoor

B.

Rootkit

C.

Time bomb

D.

Login bomb

Question 15

A company website was hacked via the following SQL query:

email, passwd, login_id, full_name FROM members

WHERE email = “attacker@somewhere.com”; DROP TABLE members; –”

Which of the following did the hackers perform?

Options:

A.

Cleared tracks of attacker@somewhere.com entries

B.

Deleted the entire members table

C.

Deleted the email password and login details

D.

Performed a cross-site scripting (XSS) attack

Page: 1 / 10
Total 100 questions