Which statement below is the MOST accurate about insider threat controls?
A. Classification of information assets helps identify data to protect.
B. Security awareness programs have a minimal impact on reducing the insider threat.
C. Both detective and preventative controls prevent insider attacks.
D. Rotation of duties makes an insider threat more likely.
E. Separation of duties encourages one employee to control a great deal of information.
A company needs to classify its information as a key step in valuing it and knowing where to focus its
Rotation of duties and separation of duties are both key elements in reducing the scope of
information access and the ability to conceal malicious behavior.
Separation of duties helps minimize empire building within a company, keeping one individual
from controlling a great deal of information, reducing the insider threat.
Security awareness programs can help other employees notice the signs of an insider attack and thus
reduce the insider threat.
Detection is a reactive method and only occurs after an attack occurs. Only preventative methods can
stop or limit an attack.
Which tool keeps a backup of all deleted items, so that they can be restored later if need be?
E. Hijack This
After selecting fix it! with Hijack This you can always restore deleted items, because Hijack This
keeps a backup of them.
A compromised router is reconfigured by an attacker to redirect SMTP email traffic to the attackers
server before sending packets on to their intended destinations. Which IP header value would help
expose anomalies in the path outbound SMTP/Port 25 traffic takes compared to outbound packets
sent to other ports?
B. Acknowledgement number
C. Time to live
D. Fragment offset
In a case study of a redirect tunnel set up on a router, some anomalies were noticed while watching
network traffic with the TCPdump packet sniffer.
Packets going to port 25 (Simple Mail Transfer Protocol [SMTP] used by mail servers and other Mail
Transfer Agents [MTAs] to send and receive e-mail) were apparently taking a different network path.
The TLs were consistently three less than other destination ports, indicating another three network
hops were taken.
Other IP header values listed, such as fragment offset. The acknowledgement number is a TCP, not IP,
What is needed to be able to use taskkill to end a process on remote system?
A. Svchost.exe running on the remote system
B. Domain login credentials
C. Port 445 open
D. Windows 7 or higher on both systems
Domain login credentials are needed to kill a process on a remote system using taskkill.
What are Browser Helper Objects (BHO)s used for?
A. To provide multi-factor authentication support for Firefox
B. To provide a more feature-rich interface for Internet Explorer
C. To allow Internet Explorer to process multi-part URLs
When scanning your system, you may notice many BHOs since they are widely used by software
developers to provide a more feature rich interface for Microsoft Internet Explorer.
What information would the Wireshark filter in the screenshot list within the display window?
What would the output of the following command help an incident handler determine?
cscript manage-bde . wsf status
Which of the following is a major problem that attackers often encounter when attempting to
develop or use a kernel mode rootkit?
Which of the following is an SNMPv3 security feature that was not provided by earlier versions of the
What is the BEST sequence of steps to remove a bot from a system?