EMT Practice Test

1. Question Content...


Question List

Question1: Your company holds a large amount of customer Pll, and you want to protect those data from theft or unauthorized modification. Among other actions, you classify and encrypt the data.
In this process, which of the following OWASP security risks are you guarding against?

Question2: Shiela is working at night as an incident handler. During a shit, servers were affected by a massive cyber-attack. After she classified and prioritized the incident, she must report the incident, obtain necessary permissions, and perform other incident response functions.
What list should she check to notify other responsible personnel?

Question3: Rose is an incident-handler and is responsible for detecting and eliminating any kind of scanning attempts over the network by malicious threat actors. Rose uses Wire shark to sniff the network and detect any malicious activities going on.
Which of the following Wireshark filters can be used by her to detect TCP Xmas scan attempt by the attacker?

Question4: Mr.Smith is a lead incident responder of a small financial enterprise, which has a few branches in Australia. Recently, the company suffered a massive attack, losing$5M through an inter-banking system After an in-depth investigation, it was found that the incident occurred because the attackers penetrated the network through a minor vulnerability 6 months ago and maintained access without being detected by any user. They then tried to delete user fingerprints and performed a lateral movement to the computer of a person with privileges in the inter-banking system. The attackers finally gained access and performed fraudulent transactions.
In the above scenario, which of the following most accurately describes the type of attack?

Question5: Which of the following are malicious software programs that infect computers and corruptor delete the data on them?

Question6: Sam, an employee from a multinational company, send se-mails to third-party organizations with a spoofed email address of his organization.
How can you categorize this type of incident?

Question7: Which of the following GPG 18 and Forensic readiness planning (SPF) principles states that "organizations should adopt a scenario based Forensic Readiness Planning approach that learns from experience gained within the business"?

Question8: Tom received a phishing email and accidentally opened its attachment. This resulted in the redirection of all traffic to a fraudulent website.
What type of phishing attack occurred in this scenario?

Question9: Marley was asked by his incident handing and response (IH&R) team lead to collect volatile data such as system information and network information present in the registries, cache, and RAM of victim's system.
Identify the data acquisition method Marley must employ to collect volatile data.

Question10: Which of the following DOES NOT expose a cloud application to hacking?

Question11: Jacobi san employee in Dolphin Investment firm. While he was on his duty, he identified that his computer is facing some problems and he wanted to convey the issue to the respective authority in his organization.
But currently this organization does not have a ticketing system to address such types of issues.
In the above scenario, which of the following ticketing systems can be employed by the Dolphin Investment firm to allow Jacob to raise the issue in order to tell the respective team about the incident?

Question12: Alice is a disgruntled employee. She decided to acquire critical information from her organization for financial benefit.
To accomplish this, Alice started running a virtual machine on the same physical host as her victim's virtual machine and took advantage of shared physical resources (processor cache) to steal data (cryptographic key/plaintext secrets) from the victim machine. Identify the type of attack Alice is performing in the above scenario.

Question13: Which of the following is not the responsibility of first responders?

Question14: XYZ Inc. was affected by a malware attack and James, being the incident handling and response (IH&R) team personnel handling the incident, found out that the root cause of the incident is a backdoor that has bypassed the security perimeter due to an existing vulnerability in the deployed firewall. James had contained the spread of the infection and removed the malware completely. Now the organization asked him to perform an incident impact assessment to identify the impact of the incident over the organization and he was also asked to prepare a detailed report of the incident.
Which of the following stages in IH&R process is James working on?

Question15: You area systems administrator for a company. You are accessing your fileserver remotely for maintenance. Suddenly, you are unable to access the server. After contacting others in your department, you find out that they cannot access the file server either. You can ping the file server but not connect to it via RD. You check the Active Directory Server, and all is well. You check the email server and find that emails are sent and received normally.
What is the most likely issue?

Question16: Deleting malicious code and disabling breached user accounts are examples of which of the following?

Question17: Rossi san incident manager (IM) at an organization, and his team provides support to all users in the
organization who are affected by threats or attacks. David, who is the organization's intemal auditor, is also part of Ross's incident response team.
Which of the following is David's responsibility?

Question18: Rinni is an incident handler and she is performing memory dump analysis.
Which of following tools she can use in order to perform a memory dump analysis?

Question19: Which of the following is an inappropriate usage incident?

Question20: In which of the following phases of the incident handling and response (IH&R) process is the identified security incidents analyzed, validated, categorized, and prioritized?

Question21: Malicious software programs that infect computers and com up to r delete the data on them.
The above-mentioned statement defines which of the following terms?

Question22: Adam is an incident handler who intends to use DBCCLOG command to analyze a database and retrieve the active transaction logfiles for the specified database. The syntax of DBCC LG command is DBCC LOG (<database name>, <output>), where the output parameter specifies the level of information an incident handler wants to retrieve.
If Adam wants to retrieve the full information on each operation along with the hex dump of a current transaction row, which of the following output parameters should Adam use?

Question23: Mike is an incident handler for PNP Infosystems Inc. One day, there was a ticket submitted regarding a critical incident and Mike was assigned to handle the incident. During the process of incident handling, at one stage, he performed incident analysis and validation to check whether the incident is a genuine incident or a false positive.
Identify the stage he is currently in.

Question24: Michael is an incident handler at CyberTech Solutions. He is performing detection and analysis of a cloud security incident. He is also analyzing the file systems, slack spaces, and metadata within the storage units to find hidden malware and evidence of malice.
Identify the cloud security incident handled by Michael:

Question25: During the vulnerability assessment phase, the incident responders perform various steps as below:
1. Run vulnerability scans using tools
2. Identify and prioritize vulnerabilities
3. Examine and evaluate physical security
4. Perform OSINT information gathering to validate the vulnerabilities
5. Apply business and technology context to scanner results
6. Check for misconfigurations and human errors
7. Create a vulnerability scan report
Identify the correct sequence of vulnerability assessment steps performed by the incident responders.

Question26: Which of the following methods help incident responders to reduce the false positive alert rates and further provide ben efts of focusing on top priority issues, thereby reducing potential risk and corporate liabilities?

Question27: Stanley works as an incident responder at a top MNC based in Singapore. He was asked to investigate a cybersecurity incident that recently occurred in the company. While investigating the incident, he collected evidence from the victim systems. He must present this evidence in a clear and comprehensible manner to the members of a jury so that the evidence clarifies the facts and further helps in obtaining an expert opinion on the incident to conf rm the investigation process.
In the above scenario, which of the following characteristics of the digital evidence did Stanley attempt to preserve?

Question28: Introduction of malicious programs on to the device connected to the campus network (Trojan Horse, email bombs, virus, etc.) is called?

Question29: Eric works as a system administrator at ABC organization and previously granted several users with access privileges to the organizations systems with unlimited permissions. These privileged users could prospectively misuse their rights unintentionally, maliciously, or could be deceived by attackers that could trick them to perform malicious activities.
Which of the following guidelines would help incident handlers eradicate insider at tacks by privileged users?

Question30: Dan is a newly appointed information security professional in a renowned organization. He is supposed to follow multiple security strategies to eradicate malware incidents.
Which of the following is not considered as a good practice for maintaining information security and eradicating malware incidents?

Question31: Mr.Smith is a lead incident responder of a small financial enterprise, which has a few branches in Australia. Recently, the company suffered a massive attack losing$5MM through an inter-banking system.
After an in-depth investigation, it was found that the incident occurred because 6 months ago the attackers penetrated the network through a minor vulnerability and maintained the access without any user being aware of it. They then tried to delete users' fingerprints and performed a lateral movement to the computer of a person with privileges in the inter-banking system. The attackers finally gained access and performed the fraudulent transactions.
Based on the above scenario, identify the most accurate kind of attack.

Question32: Which of the following types of insider threats involves an insider who is uneducated on potential security threats or simply bypasses general security procedures to meet workplace efficiency?

Question33: You area systems administrator for a company. You are accessing your fileserver remotely for maintenance.
Suddenly, you are unable to access the server. After contacting others in your department, you find out that they cannot access the file server either.
You can ping the file server but not connect to it via RD. You check the Active Directory Server, and all is well.
You check the email server and find that emails are sent and received normally.
What is the most likely issue?

Question34: Malicious Micky has moved from the delivery stage to the exploitation stage of the kill chain. This malware wants to find and report to the command center any useful services on the system.
Which of the following recon attacks is the MOST LIKELY to provide this information?

Question35: Bonney's system has been compromised by a gruesome malware.
What is the primary step that is advisable to Bonney in order to contain the malware incident from spreading?
What is the cause of this issue?

Question36: Which of the following techniques against insider threats identifies events that are related to suspicious activity?

Question37: Eric works as an incident handler at Erinol software systems. He was assigned a task to protect the organization from any kind of DoS/DDoS attacks.
Which of the following tools can be used by Eric to achieve his objective?

Question38: Multiple component incidents consist of a combination of two or more attacks in a system.
Which of the following is not a multiple component incident?

Question39: Which of the following best describes an email issued as an attack medium, in which several messages are sent to a mailbox to cause over fi ow?

Question40: Ikeo Corp.hired an incident response team to assess the enterprise security. As part of the incident handling and response process, the IR team is reviewing the current se cunty policies implemented by the enterprise. The IR team finds that employees of the organization do not have any restrictions on Internet access: they are allowed to visit any site, download any appl cation, and access a computer or network from a remote location. Considering this as the main security threat, the IR team plans to change this policy as it can be easily exploited by attackers.
Which of the following security policies is the IR team planning to modify?

Question41: In which of the following stages of the incident handling and response (IH&R) process do the incident handlers try to find the root cause of the incident along with the threat actors behind the incidents, threat vectors, etc.?

Question42: identify the network security incident where intended or authorized users are prevented from using system, network, or applications by flooding the network with a high volume of traffic that consumes all existing network resources.

Question43: Which of the following is a type of malicious code or software that appears legitimate but can take control of your computer?

Question44: After malware is removed from a system and a clean scan is returned, which of the following steps should be taken for the affected device?

Question45: Chandler is a professional hacker who is targeting an organization called Technote. He wants to obtain important organizational information that is being transmitted between different hierarchies. In the process, he sniffs the data packets transmitted through the network and then analyzes them to gather packet details such as network, ports, protocols, devices, issues in network transmission, and other network specifications.
Which of the following tools can Chandler employ to perform packet analysis?

Question46: Eric is an incident responder working on developing incident-handling plans and procedures. As part of this process, he is analyzing the organizational network to generate a report and develop policies based on the acquired results.
Which of the following tools will help him in analyzing his network and the related traffic?

Question47: A self-replicating virus does not alter files but resides inactive memory and duplicates itself. It takes advantage of file or information transport features on the system to travel independently.
What is this type of object called?

Question48: Frederick is in the eradication process in one of the incidents he is handing.
Which of the following is NOT an eradication process?

Question49: Jacobi san employee at a firm called Dolphin Investment. While he was on duty, he identified that his computer was facing some problems, and he wanted to convey the issue to the c once med authority in his organization. However, this organization currently does not have a ticketing system to address such types of issues.
In the above scenario, which of the following ticketing systems can be employed by Dolphin Investment to allow Jacob to inform the c once med team about the incident?

Question50: Which of the following options describes common characteristics of phishing emails?

Question51: Which of the following confidentiality attacks do attackers try to lure users by posing themselves as authorized AP by beaconing the WLAN's SSID?

Question52: Qual Tech Solutions is a leading security services enterprise. Dickson, who works as an incident responder with this firm, is performing a vulnerability assessment to identify the security problems in the network by using automated tools for identifying the hosts, services, and vulnerabilities in the enterprise network.
In the above scenario, which of the following types of vulnerability assessment is Dickson performing?

Question53: Which of the following terms refers to vulnerable account management functions, including account update, recovery of forgotten or lost passwords, and password reset, that might weaken valid authentication schemes?

Question54: John is a professional hacker who is performing an attack on the target organization where he tries to redirect the connection between the IP address and its target server such that when the users type in the Internet address, it redirects them to a rogue website that resembles the original website. He tries this attack using cache poisoning technique.
Identify the type of attack John is performing on the target organization.

Question55: James has been appointed as an incident handing and response (IH&R) team lead and was assigned to build an IH&R plan and his own team in the company. Identify the IH&R process step James is currently working on.

Question56: Which of the following is NOT a network forensic tool?

Question57: Khai was tasked with examining the logs from a Linux email server. The server uses Sendmail to execute the command to send emails and Syslog to maintain logs.
To validate the data within email headers, which of the following directories should Khai check for information such as source and destination IP addresses, dates, and timestamps?

Question58: An attacker uncovered websites a target individual was frequently Suring. The attacker then tested those particular websites to identify possible vulnerabilities. After detecting vulnerabilities within a website, the attacker started injecting malicious script/code into the web application that would redirect the webpage and download the malware on to the victim's machine. After infecting the vulnerable web application, the attacker waited for the victim to access the infected web application. Identify the type of attack performed by the attacker.

Question59: Smith employs various malware detection techniques to thoroughly examine the network and its systems for suspicious and malicious malware files.
Among all techniques, which one involves analyzing the memory dumps or binary codes for the traces of malware?

Question60: An insider threat response plan help san organization minimize the damage caused by malicious insiders.
One of the approaches to mitigate these threats is setting up controls from the human resources department.
Which of the following guidelines can the human resources department use?

Question61: Adam is an attacker who along with his team launched multiple attacks on target organization for financial benefits. Worried about getting caught, he decided to forge his identity. To do so, he created a new identity by obtaining information from different victims.
Identify the type of identity theft Adam has performed.

Question62: Elizabeth, working for OBC organization as an incident responder, is assessing the risks facing the organizational security. During the assessment process, she calculates the probability of a threat source exploiting an existing system vulnerability.
Identify the risk assessment step Elizabeth is currently in.

Question63: The following steps describe the key activities in forensic readiness planning:
1. Train the staff to handle the incident and preserve the evidence
2. Create a special process for documenting the procedure
3. Identify the potential evidence required for an incident
4. Determine the source of the evidence
5. Establish a legal advisory board to guide the investigation process
6. Identify if the incident requires full or formal investigation
7. Establish a policy for securely handing and storing the collected evidence
8. Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption
Identify the correct sequence of steps involved in forensic readiness planning.

Question64: Clark, a professional hacker, successfully exploited the web application of a target organization by tampering the form and parameter values. In result, Clark gained access to the information assets of the organization. Identify the vulnerability in the web application exploited by the attacker.

Question65: Rossi san incident manager (IM) and his team provides support to all users in the organization that are affected by the threat or attack. David, who is the organizational internal auditor, is also part of the Ross's incident response team.
Among the following duties, identify one of the responsibilities of David.

Question66: Which of the following is not called volatile data?

Question67: Finnis working in the eradication phase, wherein he is eliminating the root cause of an incident that occurred in the Windows operating system installed in a system. He ran a tool that can detect missing security patches and install the latest patches on the system and networks.
Which of the following tools did he use to detect the missing se cunty patches?

Question68: Ren is assigned to handle a security incident of an organization. He is tasked with forensics investigation to find the evidence needed by the management.
Which of the following steps falls under the investigation phase of the computer forensics investigation process?

Question69: Bran is an incident handler who is assessing the network of the organization. He wants to detect ping sweep attempts on the network using Wire shark.
Which of the following W re shark filters would Bran use to accomplish this task?

Question70: James is working as an incident responder at Cyber Sol Inc. The management instructed James to invest gate a cybersecurity incident that recently happened in the company. As a part of the investigation process, James started collecting volatile information from a system running on Windows operating system.
Which of the following commands helps James in determining all the executable files for running processes?

Question71: Oscar receives an email from an unknown source containing his domain name oscar.com. Upon checking the link, he found that it contains a malicious URL that redirects to the website evil site.org.
What type of vulnerability is this?

Question72: An attacker after performing an attack decided to wipe evidence using artifact wiping techniques to evade forensic investigation. He applied a magnetic field to the digital media device, resulting in a device entirely cleaned of any previously stored data.
Identify the artifact wiping technique used by the attacker.

Question73: In the cloud environment, an authorized security professional executes approved sanitation procedures using approved utilities to permanently remove data spilled from contaminated information systems and applications in the cloud.
This is an example of which of the following?

Question74: In which of the following phases of incident handling and response (IH&R) process are the identified security incidents analyzed, validated, categorized, and prioritized?