Special Summer Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

CFR-410 CyberSec First Responder (CFR) Exam Questions and Answers

Questions 4

What describes the BEST approach for developing a plan to continuously assess and track vulnerabilities on all organizational assets and infrastructure in order to remediate and minimize the opportunity for attacks?

Options:

A.

Establish and maintain a risk-based remediation strategy.

B.

Establish and maintain detailed enterprise asset inventory.

C.

Establish and maintain a data classification scheme.

D.

Establish and maintain a data management process.

Buy Now
Questions 5

Which of the following is the FIRST step taken to maintain the chain of custody in a forensic investigation?

Options:

A.

Security and evaluating the electronic crime scene.

B.

Transporting the evidence to the forensics lab

C.

Packaging the electronic device

D.

Conducting preliminary interviews

Buy Now
Questions 6

Which of the following should normally be blocked through a firewall?

Options:

A.

SNMP

B.

SMTP

C.

NTP

D.

POP3

Buy Now
Questions 7

A government organization responsible for critical infrastructure is being attacked and files on the server been deleted. Which of the following are the most immediate communications that should be made regarding the incident? (Choose two.)

Options:

A.

Notifying law enforcement

B.

Notifying the media

C.

Notifying a national compute emergency response team (CERT) or cybersecurity incident response team (CSIRT)

D.

Notifying the relevant vendor

E.

Notifying a mitigation expert

Buy Now
Questions 8

The Key Reinstallation Attack (KRACK) vulnerability is specific to which types of devices? (Choose two.)

Options:

A.

Wireless router

B.

Switch

C.

Firewall

D.

Access point

E.

Hub

Buy Now
Questions 9

A secretary receives an email from a friend with a picture of a kitten in it. The secretary forwards it to the

~COMPANYWIDE mailing list and, shortly thereafter, users across the company receive the following message:

“You seem tense. Take a deep breath and relax!”

The incident response team is activated and opens the picture in a virtual machine to test it. After a short analysis, the following code is found in C:

\Temp\chill.exe:Powershell.exe –Command “do {(for /L %i in (2,1,254) do shutdown /r /m Error! Hyperlink reference not valid.> /f /t / 0 (/c “You seem tense. Take a deep breath and relax!”);Start-Sleep –s 900) } while(1)”

Which of the following BEST represents what the attacker was trying to accomplish?

Options:

A.

Taunt the user and then trigger a shutdown every 15 minutes.

B.

Taunt the user and then trigger a reboot every 15 minutes.

C.

Taunt the user and then trigger a shutdown every 900 minutes.

D.

Taunt the user and then trigger a reboot every 900 minutes.

Buy Now
Questions 10

A forensic analyst has been tasked with analyzing disk images with file extensions such as .001, .002, etc. Which of the following disk imaging tools was MOST LIKELY used to create these image files?

Options:

A.

Encase

B.

ExifTool

C.

SIFT

D.

FTK

E.

dd

Buy Now
Questions 11

A security engineer is setting up security information and event management (SIEM). Which of the following log sources should the engineer include that will contain indicators of a possible web server compromise? (Choose two.)

Options:

A.

NetFlow logs

B.

Web server logs

C.

Domain controller logs

D.

Proxy logs

E.

FTP logs

Buy Now
Questions 12

Which of the following characteristics of a web proxy strengthens cybersecurity? (Choose two.)

Options:

A.

Increases browsing speed

B.

Filters unwanted content

C.

Limits direct connection to Internet

D.

Caches frequently-visited websites

E.

Decreases wide area network (WAN) traffic

Buy Now
Questions 13

How does encryption work to protect information on remote workers' computers?

Options:

A.

It is difficult to set up, so an unskilled attacker won't be able to figure it out.

B.

Without the proper key, an attacker won't be able to unscramble the encrypted information.

C.

Using encryption requires advanced training in mathematics, which is beyond the capabilities of most attackers.

D.

Information can be encrypted but it can never be decrypted leaving an attacker unable to read the information

Buy Now
Questions 14

While reviewing some audit logs, an analyst has identified consistent modifications to the sshd_config file for an organization’s server. The analyst would like to investigate and compare contents of the current file with

archived versions of files that are saved weekly. Which of the following tools will be MOST effective during the investigation?

Options:

A.

cat * | cut –d ‘,’ –f 2,5,7

B.

more * | grep

C.

diff

D.

sort *

Buy Now
Questions 15

An organization that recently suffered a ransomware attack found that its backups were faulty. Which of the following steps could BEST ensure reliable backups in the future?

Options:

A.

Storing backups at an offsite location.

B.

Implementing periodic tests of backups.

C.

Backing up all data to solid-state storage.

D.

Conducting a full asset inventory assessment.

Buy Now
Questions 16

An incident at a government agency has occurred and the following actions were taken:

-Users have regained access to email accounts

-Temporary VPN services have been removed

-Host-based intrusion prevention system (HIPS) and antivirus (AV) signatures have been updated

-Temporary email servers have been decommissioned

Which of the following phases of the incident response process match the actions taken?

Options:

A.

Containment

B.

Post-incident

C.

Recovery

D.

Identification

Buy Now
Questions 17

An incident responder has collected network capture logs in a text file, separated by five or more data fields.

Which of the following is the BEST command to use if the responder would like to print the file (to terminal/ screen) in numerical order?

Options:

A.

cat | tac

B.

more

C.

sort –n

D.

less

Buy Now
Questions 18

Which of the following is a method of reconnaissance in which a ping is sent to a target with the expectation of receiving a response?

Options:

A.

Active scanning

B.

Passive scanning

C.

Network enumeration

D.

Application enumeration

Buy Now
Questions 19

According to company policy, all accounts with administrator privileges should have suffix _ja. While reviewing Windows workstation configurations, a security administrator discovers an account without the suffix in the administrator’s group. Which of the following actions should the security administrator take?

Options:

A.

Review the system log on the affected workstation.

B.

Review the security log on a domain controller.

C.

Review the system log on a domain controller.

D.

Review the security log on the affected workstation.

Buy Now
Questions 20

Which answer option is a tactic of social engineering in which an attacker engages in an attack performed by phone?

Options:

A.

Smishing

B.

Pretexting

C.

Vishing

D.

Phishing

Buy Now
Questions 21

According to SANS, when should an incident retrospective be performed?

Options:

A.

After law enforcement has identified the perpetrators of the attack.

B.

Within six months following the end of the incident.

C.

No later than two weeks from the end of the incident.

D.

Immediately concluding eradication of the root cause

Buy Now
Questions 22

The incident response team has completed root cause analysis for an incident. Which of the following actions should be taken in the next phase of the incident response process? (Choose two.)

Options:

A.

Providing a briefing to management

B.

Updating policies and procedures

C.

Training staff for future incidents

D.

Investigating responsible staff

E.

Drafting a recovery plan for the incident

Buy Now
Questions 23

Which of the following describes United States federal government cybersecurity policies and guidelines?

Options:

A.

NIST

B.

ANSI

C.

NERC

D.

GDPR

Buy Now
Questions 24

A suspicious script was found on a sensitive research system. Subsequent analysis determined that proprietary data would have been deleted from both the local server and backup media immediately following a specific administrator’s removal from an employee list that is refreshed each evening. Which of the following BEST describes this scenario?

Options:

A.

Backdoor

B.

Rootkit

C.

Time bomb

D.

Login bomb

Buy Now
Questions 25

When attempting to determine which system or user is generating excessive web traffic, analysis of which of

the following would provide the BEST results?

Options:

A.

Browser logs

B.

HTTP logs

C.

System logs

D.

Proxy logs

Buy Now
Questions 26

A security investigator has detected an unauthorized insider reviewing files containing company secrets.

Which of the following commands could the investigator use to determine which files have been opened by this user?

Options:

A.

ls

B.

lsof

C.

ps

D.

netstat

Buy Now
Questions 27

Which of the following actions should be done by the incident response team after completing the recovery phase of the cyber incident caused by malware?

Options:

A.

Eradicate the malware.

B.

Conduct lessons learned.

C.

Isolate the malware from the system.

D.

Collect evidence for the lawsuit.

E.

Analyze the behavior of the malware.

Buy Now
Questions 28

Network infrastructure has been scanned and the identified issues have been remediated. What is the next step in the vulnerability assessment process?

Options:

A.

Generating reports

B.

Establishing scope

C.

Conducting an audit

D.

Assessing exposures

Buy Now
Questions 29

A digital forensics investigation requires analysis of a compromised system's physical memory. Which of the following tools should the forensics analyst use to complete this task?

Options:

A.

Autopsy

B.

FTK

C.

Volatility

D.

Wire shark

E.

CAINE

Buy Now
Questions 30

Which three of the following are included in encryption architecture? (Choose three.)

Options:

A.

Certificate

B.

Encryption keys

C.

Encryption engine

D.

Database encryption

E.

Data

Buy Now
Questions 31

In which of the following attack phases would an attacker use Shodan?

Options:

A.

Scanning

B.

Reconnaissance

C.

Gaining access

D.

Persistence

Buy Now
Questions 32

During a malware-driven distributed denial of service attack, a security researcher found excessive requests to a name server referring to the same domain name and host name encoded in hexadecimal. The malware author used which type of command and control?

Options:

A.

Internet Relay Chat (IRC)

B.

Dnscat2

C.

Custom channel

D.

File Transfer Protocol (FTP)

Buy Now
Questions 33

Which of the following represents a front-end security capability that addresses cyber resiliency?

Options:

A.

Multi-factor authentication

B.

Immutability of backups

C.

Key management

D.

Physical separation of backups

Buy Now
Questions 34

Which of the following security best practices should a web developer reference when developing a new web- based application?

Options:

A.

Control Objectives for Information and Related Technology (COBIT)

B.

Risk Management Framework (RMF)

C.

World Wide Web Consortium (W3C)

D.

Open Web Application Security Project (OWASP)

Buy Now
Questions 35

What is the primary purpose of the "information security incident triage and processing function" in the (CSIRT) Computer Security Incident Response Team Services Framework?

Options:

A.

To analyze and gain an understanding of a confirmed information security incident.

B.

To initially review, categorize, prioritize, and process a reported information security incident.

C.

To receive and process reports of potential information security incidents from constituents, Information Security Event Management services, or third parties.

D.

To accept or receive information about an information security incident, as reported from constituents or third parties.

Buy Now
Questions 36

Which standard was implemented in the United States to protect the privacy of patient medical information through restricted access to medical records and regulations for sharing medical records?

Options:

A.

NIST

B.

GLBA

C.

SOX

D.

HIPAA

Buy Now
Questions 37

During which of the following attack phases might a request sent to port 1433 over a whole company network be seen within a log?

Options:

A.

Reconnaissance

B.

Scanning

C.

Gaining access

D.

Persistence

Buy Now
Questions 38

Which of the following, when exposed together, constitutes PII? (Choose two.)

Options:

A.

Full name

B.

Birth date

C.

Account balance

D.

Marital status

E.

Employment status

Buy Now
Questions 39

Which of the following are components of Security Content Automation Protocol (SCAP)?

Options:

A.

CVM, NVD, and OSVDB

B.

CVE, CVSS, and OSVDB

C.

CVE, CVSS, and OVAL

D.

CWE, CWSS, and OVAL

Buy Now
Questions 40

A Windows system administrator has received notification from a security analyst regarding new malware that executes under the process name of “armageddon.exe” along with a request to audit all department workstations for its presence. In the absence of GUI-based tools, what command could the administrator execute to complete this task?

Options:

A.

ps -ef | grep armageddon

B.

top | grep armageddon

C.

wmic process list brief | find “armageddon.exe”

D.

wmic startup list full | find “armageddon.exe”

Buy Now
Questions 41

During a security investigation, a suspicious Linux laptop is found in the server room. The laptop is processing information and indicating network activity. The investigator is preparing to launch an investigation to

determine what is happening with this laptop. Which of the following is the MOST appropriate set of Linux commands that should be executed to conduct the investigation?

Options:

A.

iperf, traceroute, whois, ls, chown, cat

B.

iperf, wget, traceroute, dc3dd, ls, whois

C.

lsof, chmod, nano, whois, chown, ls

D.

lsof, ifconfig, who, ps, ls, tcpdump

Buy Now
Questions 42

Which of the following does the command nmap –open 10.10.10.3 do?

Options:

A.

Execute a scan on a single host, returning only open ports.

B.

Execute a scan on a subnet, returning detailed information on open ports.

C.

Execute a scan on a subnet, returning all hosts with open ports.

D.

Execute a scan on a single host, returning open services.

Buy Now
Questions 43

When performing an investigation, a security analyst needs to extract information from text files in a Windows operating system. Which of the following commands should the security analyst use?

Options:

A.

findstr

B.

grep

C.

awk

D.

sigverif

Buy Now
Questions 44

A Linux system administrator found suspicious activity on host IP 192.168.10.121. This host is also establishing a connection to IP 88.143.12.123. Which of the following commands should the administrator use to capture only the traffic between the two hosts?

Options:

A.

# tcpdump -i eth0 host 88.143.12.123

B.

# tcpdump -i eth0 dst 88.143.12.123

C.

# tcpdump -i eth0 host 192.168.10.121

D.

# tcpdump -i eth0 src 88.143.12.123

Buy Now
Questions 45

Tcpdump is a tool that can be used to detect which of the following indicators of compromise?

Options:

A.

Unusual network traffic

B.

Unknown open ports

C.

Poor network performance

D.

Unknown use of protocols

Buy Now
Questions 46

Which three disk image formats are used for evidence collection and preservation? (Choose three.)

Options:

A.

RAW(DD)

B.

E01

C.

AFF

D.

APFS

E.

EXT4

Buy Now
Questions 47

The statement of applicability (SOA) document forms a fundamental part of which framework?

Options:

A.

Generally Accepted Privacy Principles (GAPP)

B.

HIPAA

C.

NIST Privacy Framework

D.

ISO/IEC 27000 series

Buy Now
Questions 48

Which of the following enables security personnel to have the BEST security incident recovery practices?

Options:

A.

Crisis communication plan

B.

Disaster recovery plan

C.

Occupant emergency plan

D.

Incident response plan

Buy Now
Questions 49

Senior management has stated that antivirus software must be installed on all employee workstations. Which

of the following does this statement BEST describe?

Options:

A.

Guideline

B.

Procedure

C.

Policy

D.

Standard

Buy Now
Questions 50

Which of the following are part of the hardening phase of the vulnerability assessment process? (Choose two.)

Options:

A.

Installing patches

B.

Updating configurations

C.

Documenting exceptions

D.

Conducting audits

E.

Generating reports

Buy Now
Questions 51

Which of the following types of digital evidence is considered the MOST volatile?

Options:

A.

Data on a hard disk

B.

Temporary file space

C.

Swap file

D.

Random access memory

Buy Now
Questions 52

A company has noticed a trend of attackers gaining access to corporate mailboxes. Which of the following

would be the BEST action to take to plan for this kind of attack in the future?

Options:

A.

Scanning email server for vulnerabilities

B.

Conducting security awareness training

C.

Hardening the Microsoft Exchange Server

D.

Auditing account password complexity

Buy Now
Questions 53

An organization recently suffered a breach due to a human resources administrator emailing employee names and Social Security numbers to a distribution list. Which of the following tools would help mitigate this risk from recurring?

Options:

A.

Data loss prevention (DLP)

B.

Firewall

C.

Web proxy

D.

File integrity monitoring

Buy Now
Questions 54

Which of the following attack vectors capitalizes on a previously undisclosed issue with a software application?

Options:

A.

Zero-Day Exploit

B.

Brute Force

C.

Misconfiguration

D.

Ransomware

E.

Phishing

Buy Now
Exam Code: CFR-410
Exam Name: CyberSec First Responder (CFR) Exam
Last Update: Mar 30, 2025
Questions: 180

PDF + Testing Engine

$57.75  $164.99

Testing Engine

$43.75  $124.99
buy now CFR-410 testing engine

PDF (Q&A)

$36.75  $104.99
buy now CFR-410 pdf