What describes the BEST approach for developing a plan to continuously assess and track vulnerabilities on all organizational assets and infrastructure in order to remediate and minimize the opportunity for attacks?
Which of the following is the FIRST step taken to maintain the chain of custody in a forensic investigation?
A government organization responsible for critical infrastructure is being attacked and files on the server have been deleted. Which of the following are the most immediate communications that should be made regarding the incident? (Choose two.)
The Key Reinstallation Attack (KRACK) vulnerability is specific to which types of devices? (Choose two.)
A secretary receives an email from a friend with a picture of a kitten in it. The secretary forwards it to the ~COMPANYWIDE mailing list and, shortly thereafter, users across the company receive the following message: “You seem tense. Take a deep breath and relax!”
The incident response team is activated and opens the picture in a virtual machine to test it. After a short analysis, the following code is found in C:\Temp\chill.exe:
Powershell.exe -Command “do {(for /L %i in (2,1,254) do shutdown /r /m Error! Hyperlink reference not valid.> /f /t 0 (/c “You seem tense. Take a deep breath and relax!”);Start-Sleep -s 900) } while(1)”
Which of the following BEST represents what the attacker was trying to accomplish?
A forensic analyst has been tasked with analyzing disk images with file extensions such as .001, .002, etc. Which of the following disk imaging tools was MOST LIKELY used to create these image files?
A security engineer is setting up security information and event management (SIEM). Which of the following log sources should the engineer include that will contain indicators of a possible web server compromise? (Choose two.)
Which of the following characteristics of a web proxy strengthens cybersecurity? (Choose two.)
While reviewing some audit logs, an analyst has identified consistent modifications to the sshd_config file for an organization’s server. The analyst would like to investigate and compare contents of the current file with archived versions of files that are saved weekly. Which of the following tools will be MOST effective during the investigation?
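The comparison the analyst wants to make, as an added example that is not part of the question bank: parse the current sshd_config and an archived copy, list every directive that was added, removed or changed, and flag the ones an attacker typically edits to open or persist SSH access. The two config texts and the directive list are constructed samples; a real investigation would feed in the server's file and each weekly archive in turn.

```python
"""Added example (not part of the question bank): compare the current
sshd_config with an archived copy and flag security-relevant changes.
The two config texts below are constructed samples, not real server files."""
import difflib

# Directives an attacker typically touches to open or persist SSH access.
SENSITIVE_DIRECTIVES = {
    "port", "listenaddress", "permitrootlogin", "passwordauthentication",
    "permitemptypasswords", "pubkeyauthentication", "authorizedkeysfile",
    "challengeresponseauthentication", "usepam", "allowusers", "allowgroups",
}

def parse_sshd_config(text):
    """Return {directive: value} for the effective lines of an sshd_config.
    Keywords are case-insensitive and sshd uses the first occurrence of a
    directive, so later duplicates are ignored (Match blocks not modelled)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(key, value)
    return directives

def diff_sshd_config(archived, current):
    """Return (directive, old_value, new_value, is_sensitive) for every
    directive added, removed or changed between the two versions."""
    old = parse_sshd_config(archived)
    new = parse_sshd_config(current)
    changes = []
    for key in sorted(set(old) | set(new)):
        if old.get(key) != new.get(key):
            changes.append((key, old.get(key), new.get(key), key in SENSITIVE_DIRECTIVES))
    return changes

def unified_diff(archived, current):
    """Line-level unified diff, the same view `diff -u` would give."""
    return "".join(difflib.unified_diff(
        archived.splitlines(keepends=True), current.splitlines(keepends=True),
        fromfile="sshd_config.archived", tofile="sshd_config.current"))

# Constructed sample: last week's archive versus today's file.
ARCHIVED = """# sshd_config (archived copy, constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
"""
CURRENT = """# sshd_config (current copy, constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding no
AuthorizedKeysFile .ssh/authorized_keys /tmp/.k
"""

if __name__ == "__main__":
    print(unified_diff(ARCHIVED, CURRENT))
    for key, old, new, sensitive in diff_sshd_config(ARCHIVED, CURRENT):
        flag = "SENSITIVE" if sensitive else "info"
        print(f"[{flag}] {key}: {old!r} -> {new!r}")
```

The directive-level comparison is what matters for the investigation: a plain `diff -u` shows every changed line, but parsing first lets the script ignore comment edits and rank changes such as PermitRootLogin or a second AuthorizedKeysFile path above cosmetic ones.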
An organization that recently suffered a ransomware attack found that its backups were faulty. Which of the following steps could BEST ensure reliable backups in the future?
An incident at a government agency has occurred and the following actions were taken:
-Users have regained access to email accounts
-Temporary VPN services have been removed
-Host-based intrusion prevention system (HIPS) and antivirus (AV) signatures have been updated
-Temporary email servers have been decommissioned
Which of the following phases of the incident response process match the actions taken?
An incident responder has collected network capture logs in a text file, separated by five or more data fields. Which of the following is the BEST command to use if the responder would like to print the file (to terminal/screen) in numerical order?
Which of the following is a method of reconnaissance in which a ping is sent to a target with the expectation of receiving a response?
According to company policy, all accounts with administrator privileges should have suffix _ja. While reviewing Windows workstation configurations, a security administrator discovers an account without the suffix in the administrator’s group. Which of the following actions should the security administrator take?
Which answer option is a tactic of social engineering in which an attacker engages in an attack performed by phone?
The incident response team has completed root cause analysis for an incident. Which of the following actions should be taken in the next phase of the incident response process? (Choose two.)
Which of the following describes United States federal government cybersecurity policies and guidelines?
A suspicious script was found on a sensitive research system. Subsequent analysis determined that proprietary data would have been deleted from both the local server and backup media immediately following a specific administrator’s removal from an employee list that is refreshed each evening. Which of the following BEST describes this scenario?
When attempting to determine which system or user is generating excessive web traffic, analysis of which of the following would provide the BEST results?
A security investigator has detected an unauthorized insider reviewing files containing company secrets.
Which of the following commands could the investigator use to determine which files have been opened by this user?
Which of the following actions should be done by the incident response team after completing the recovery phase of the cyber incident caused by malware?
Network infrastructure has been scanned and the identified issues have been remediated. What is the next step in the vulnerability assessment process?
A digital forensics investigation requires analysis of a compromised system's physical memory. Which of the following tools should the forensics analyst use to complete this task?
Which three of the following are included in encryption architecture? (Choose three.)
During a malware-driven distributed denial of service attack, a security researcher found excessive requests to a name server referring to the same domain name and host name encoded in hexadecimal. The malware author used which type of command and control?
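The pattern described in this question, many lookups for hex-encoded hostnames under one domain, is how DNS-based command and control (often called DNS tunnelling) carries data in the query name. The following added example, not part of the question bank, shows detection logic run over a constructed resolver log: it groups queries by registered domain and reports domains that receive repeated queries whose leading label is a hex blob or has near-random character mix. The log format, domain names, thresholds and entropy cut-off are assumptions for the example.

```python
"""Added example (not from the question bank): spot DNS-based command and
control where the malware encodes data as hexadecimal hostnames under one
attacker domain. The query log lines below are a constructed sample in a
made-up 'timestamp client qname qtype' format, not a real resolver log."""
import math
import re
from collections import Counter, defaultdict

# A leading label made entirely of hex digits and at least 16 characters long
# is almost never a legitimate hostname.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)

def shannon_entropy(s):
    """Bits of entropy per character; encoded/encrypted labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_encoded(label):
    """Heuristic: hex blob, or a long label with near-random character mix."""
    return bool(HEX_LABEL.match(label)) or (len(label) >= 20 and shannon_entropy(label) > 3.5)

def split_query(qname):
    """Return (subdomain labels, registered domain). Assumes the registered
    domain is the last two labels; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])

def detect_dns_c2(log_lines, min_encoded=5):
    """Group queries by registered domain and report domains that received at
    least `min_encoded` queries whose first label looks encoded. Returns
    {domain: {"queries": n, "encoded": n, "clients": set, "sample": qname}}."""
    stats = defaultdict(lambda: {"queries": 0, "encoded": 0, "clients": set(), "sample": None})
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue                      # skip malformed lines
        _ts, client, qname, _qtype = parts[:4]
        sub, domain = split_query(qname)
        entry = stats[domain]
        entry["queries"] += 1
        entry["clients"].add(client)
        if sub and looks_encoded(sub[0]):
            entry["encoded"] += 1
            entry["sample"] = entry["sample"] or qname
    return {d: e for d, e in stats.items() if e["encoded"] >= min_encoded}

# Constructed sample: ordinary lookups plus two hosts beaconing to one domain
# (the hex labels decode to strings such as "bot-id:0001" and "cmd:whoami").
SAMPLE_QUERIES = [
    "10:00:01 10.0.0.5 www.example.com A",
    "10:00:02 10.0.0.9 mail.example.com A",
    "10:00:03 10.0.0.5 48656c6c6f20576f726c6421.c2-example.net TXT",
    "10:00:04 10.0.0.5 626f742d69643a30303031.c2-example.net TXT",
    "10:00:05 10.0.0.9 636d643a77686f616d69.c2-example.net TXT",
    "10:00:06 10.0.0.5 636d643a6970636f6e666967.c2-example.net TXT",
    "10:00:07 10.0.0.9 6578663a6f7574707574.c2-example.net TXT",
    "10:00:08 10.0.0.5 646174613a61626364.c2-example.net TXT",
    "10:00:09 10.0.0.5 cdn.example.com A",
]

if __name__ == "__main__":
    for domain, info in detect_dns_c2(SAMPLE_QUERIES).items():
        print(f"{domain}: {info['encoded']}/{info['queries']} encoded queries "
              f"from {sorted(info['clients'])}, e.g. {info['sample']}")
```

Counting per registered domain rather than per full query name is the important design choice: a tunnelling client changes the leading label on every query precisely so that no single name repeats, so the stable key is the domain the attacker controls. Distinct client count then separates one infected host from a fleet.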
Which of the following represents a front-end security capability that addresses cyber resiliency?
Which of the following security best practices should a web developer reference when developing a new web-based application?
What is the primary purpose of the "information security incident triage and processing function" in the Computer Security Incident Response Team (CSIRT) Services Framework?
Which standard was implemented in the United States to protect the privacy of patient medical information through restricted access to medical records and regulations for sharing medical records?
During which of the following attack phases might a request sent to port 1433 over a whole company network be seen within a log?
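Port 1433 is the default listener for Microsoft SQL Server, and one port probed across a whole network is a horizontal sweep rather than a service in normal use. The following added example, not part of the question bank, shows how such a sweep surfaces in firewall logs: it counts distinct destinations per source for a given port inside a sliding time window and reports sources that exceed a threshold. The log line format, addresses, window and threshold are constructed assumptions.

```python
"""Added example (not from the question bank): find a horizontal scan, one
port (here 1433, MS SQL Server) probed across many hosts, in firewall logs.
The log lines are generated below as a constructed sample in a made-up
'timestamp key=value ...' format, not output of any real firewall."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

KV = re.compile(r"(\w+)=(\S+)")

def parse_fw_line(line):
    """'2024-05-01T10:00:00Z src=... dst=... dport=... proto=... action=...' -> dict."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect_port_sweeps(lines, port=1433, min_targets=10, window_seconds=300):
    """Return {src: (distinct_targets, window_start, window_end)} for every
    source that contacted `port` on at least `min_targets` distinct hosts
    within any `window_seconds` span. Many distinct destinations on one port
    (rather than many ports on one host) is the signature of a sweep, which
    belongs to the reconnaissance/scanning phase of an attack."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in lines:
        f = parse_fw_line(line)
        if f.get("proto") == "tcp" and f.get("dport") == str(port):
            events[f["src"]].append((f["ts"], f["dst"]))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        seen = Counter()          # destination -> hits inside the current window
        start = 0
        for ts, dst in evs:
            seen[dst] += 1
            while ts - evs[start][0] > window:   # slide the window forward
                old_dst = evs[start][1]
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
                start += 1
            best = hits.get(src, (0,))[0]
            if len(seen) >= min_targets and len(seen) > best:
                hits[src] = (len(seen), evs[start][0], ts)
    return hits

def make_line(ts, src, dst, dport, action):
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} src={src} dst={dst} dport={dport} proto=tcp action={action}"

# Constructed sample: a scanner sweeps 12 hosts, an application server talks
# to its one database 12 times, and a third host touches only 3 targets.
BASE = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_LOG = (
    [make_line(BASE + timedelta(seconds=i), "10.0.0.5", f"10.0.1.{i + 1}", 1433, "deny") for i in range(12)]
    + [make_line(BASE + timedelta(seconds=i), "10.0.0.20", "10.0.1.50", 1433, "allow") for i in range(12)]
    + [make_line(BASE + timedelta(seconds=i), "10.0.0.7", f"10.0.1.{i + 1}", 1433, "deny") for i in range(3)]
)

if __name__ == "__main__":
    for src, (n, first, last) in detect_port_sweeps(SAMPLE_LOG).items():
        print(f"{src} probed tcp/1433 on {n} hosts between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

The application server that repeatedly connects to a single database is deliberately in the sample: counting raw connection attempts would flag it, counting distinct destinations does not. The window keeps a slow scan from hiding behind a long retention period only if it is sized to the scanner's pace, so it is worth running with more than one window.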
Which of the following are components of Security Content Automation Protocol (SCAP)?
A Windows system administrator has received notification from a security analyst regarding new malware that executes under the process name of “armageddon.exe” along with a request to audit all department workstations for its presence. In the absence of GUI-based tools, what command could the administrator execute to complete this task?
During a security investigation, a suspicious Linux laptop is found in the server room. The laptop is processing information and indicating network activity. The investigator is preparing to launch an investigation to determine what is happening with this laptop. Which of the following is the MOST appropriate set of Linux commands that should be executed to conduct the investigation?
When performing an investigation, a security analyst needs to extract information from text files in a Windows operating system. Which of the following commands should the security analyst use?
A Linux system administrator found suspicious activity on host IP 192.168.10.121. This host is also establishing a connection to IP 88.143.12.123. Which of the following commands should the administrator use to capture only the traffic between the two hosts?
Tcpdump is a tool that can be used to detect which of the following indicators of compromise?
Which three disk image formats are used for evidence collection and preservation? (Choose three.)
The statement of applicability (SOA) document forms a fundamental part of which framework?
Which of the following enables security personnel to have the BEST security incident recovery practices?
Senior management has stated that antivirus software must be installed on all employee workstations. Which of the following does this statement BEST describe?
Which of the following are part of the hardening phase of the vulnerability assessment process? (Choose two.)
Which of the following types of digital evidence is considered the MOST volatile?
A company has noticed a trend of attackers gaining access to corporate mailboxes. Which of the following would be the BEST action to take to plan for this kind of attack in the future?
An organization recently suffered a breach due to a human resources administrator emailing employee names and Social Security numbers to a distribution list. Which of the following tools would help mitigate this risk from recurring?
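The control that addresses this breach is content inspection of outbound mail, the core of a data loss prevention (DLP) tool. The following added example, not part of the question bank, shows that inspection step: it finds Social Security numbers in a message, discards number patterns the SSA never issues, and then blocks or flags the message depending on whether it is going to a distribution list, a large recipient set or an external domain. The message, the internal domain corp.example, the list address and the thresholds are constructed assumptions.

```python
"""Added example (not from the question bank): the content-inspection step a
data loss prevention (DLP) gateway applies to outbound mail, here tuned to
catch Social Security numbers sent to a distribution list or outside the
organisation. The message and policy are constructed samples; the internal
domain corp.example and list address are made up."""
import re

# Nine digits in SSN layout (123-45-6789, 123 45 6789 or 123456789), not
# embedded in a longer digit run such as a timestamp or order number.
SSN_CANDIDATE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")

def is_plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)

def find_ssns(text):
    """Return normalised SSNs found in text, discarding implausible matches."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_CANDIDATE.findall(text) if is_plausible_ssn(a, g, s)]

POLICY = {
    "internal_domain": "corp.example",                 # assumed internal mail domain
    "distribution_lists": {"all-staff@corp.example"},  # assumed list address
    "max_recipients": 5,                               # wider than this counts as bulk
}

def evaluate_message(msg, policy=POLICY):
    """msg = {'from', 'to': [..], 'subject', 'body'}. Returns (verdict, reasons)
    where verdict is 'allow', 'flag' (SSN to a few internal people: log and
    notify) or 'block' (SSN to a list, a bulk send, or external recipients)."""
    ssns = find_ssns(msg.get("subject", "") + "\n" + msg.get("body", ""))
    if not ssns:
        return "allow", []
    recipients = [r.lower() for r in msg["to"]]
    reasons = [f"{len(ssns)} SSN(s) detected"]
    external = [r for r in recipients if not r.endswith("@" + policy["internal_domain"])]
    if external:
        reasons.append(f"external recipient(s): {', '.join(external)}")
    lists = [r for r in recipients if r in policy["distribution_lists"]]
    if lists:
        reasons.append(f"distribution list recipient(s): {', '.join(lists)}")
    if len(recipients) > policy["max_recipients"]:
        reasons.append(f"bulk send to {len(recipients)} recipients")
    verdict = "block" if len(reasons) > 1 else "flag"
    return verdict, reasons

# Constructed sample reproducing the incident pattern: an HR mail to everyone.
SAMPLE_MESSAGE = {
    "from": "hr-admin@corp.example",
    "to": ["all-staff@corp.example"],
    "subject": "Updated employee roster",
    "body": ("Jane Doe 123-45-6789\nJohn Roe 219 09 9999\n"
             "placeholder 666-12-3456\nticket 20240501123456\n"),
}

if __name__ == "__main__":
    print(evaluate_message(SAMPLE_MESSAGE))
```

Two details carry most of the value in practice: the plausibility check and the digit-run guard cut false positives from ticket numbers and timestamps, and the verdict depends on where the data is going, so a single SSN sent to one colleague in payroll is flagged for review while the same content sent to a list is stopped before delivery.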
Which of the following attack vectors capitalizes on a previously undisclosed issue with a software application?