ExamsBrite Dumps

EC Council Certified Incident Handler (ECIH v3) Question and Answers
Last Update Jan 14, 2026
Total Questions : 272
Question 1

Which of the following does NOT reduce the success rate of SQL injection?

Options:

A. Close unnecessary application services and ports on the server.
B. Automatically lock a user account after a predefined number of invalid login attempts within a predefined interval.
C. Constrain legitimate characters to exclude special characters.
D. Limit the length of the input field.

Question 2

Michael, a digital forensic responder, enters a server room after a suspected data breach. He ensures all individuals not involved in the investigation are escorted out, avoids altering any device configurations, and isolates the server from the network without powering it down. What is the main goal of Michael's actions?

Options:

A. Creating a chain of custody
B. Collecting volatile memory
C. Securing and evaluating the crime scene
D. Cloning the affected server

Question 3

Sam, an employee of a multinational company, sends emails to third-party organizations with a spoofed email address of his organization. How can you categorize this type of incident?

Options:

A. Network intrusion incident
B. Inappropriate usage incident
C. Unauthorized access incident
D. Denial-of-service incident

Question 4

A mid-sized healthcare organization undergoing digital modernization is working toward ISO/IEC 27001 certification. During a readiness review, the CISO identifies gaps: staff lack clear channels to raise concerns about system weaknesses, outcome tracking after adverse events is inconsistent, and there is no formalized way to assess what went right or wrong following disruptions. To comply with ISO/IEC 27001 Annex A.16, which action should be prioritized?

Options:

A. Conduct tabletop exercises to simulate insider threat scenarios.
B. Implement a centralized SIEM dashboard for real-time alerting.
C. Define and implement structured procedures for flaw escalation and integrating post-incident response knowledge.
D. Deploy EDR agents across endpoints for automatic quarantine.

Question 5

ClobalTech, an avant-garde tech giant, became the victim of a massive data breach. The perpetrator was identified as an inside employee who had been with the company for over a decade. The breach exposed sensitive client data and severely tarnished the company's reputation. ClobalTech is now revamping its security strategy. What should be its primary emphasis?

Options:

A. Monitor and restrict internet access for employees.
B. Rotate employees between departments every year.
C. Mandate monthly cybersecurity training for all employees.
D. Implement behavioral analytics to scrutinize and detect abnormal employee activities.

Question 6

Andrew, an incident responder, is performing a risk assessment of the client organization. As part of the risk assessment process, he identified the boundaries of the IT systems, along with the resources and the information that constitute the systems. Identify the risk assessment step Andrew is performing.

Options:

A. Control analysis
B. System characterization
C. Likelihood determination
D. Control recommendations

Question 7

You are a systems administrator for a company. You are accessing your file server remotely for maintenance. Suddenly, you are unable to access the server. After contacting others in your department, you find out that they cannot access the file server either. You can ping the file server but not connect to it via RDP. You check the Active Directory server, and all is well. You check the email server and find that emails are sent and received normally. What is the most likely issue?

Options:

A. An e-mail service issue
B. The file server has shut down
C. A denial-of-service issue
D. An admin account issue

Question 8

Alice is a disgruntled employee. She decided to acquire critical information from her organization for financial benefit. To accomplish this, Alice started running a virtual machine on the same physical host as her victim's virtual machine and took advantage of shared physical resources (processor cache) to steal data (cryptographic keys/plaintext secrets) from the victim machine. Identify the type of attack Alice is performing in the above scenario.

Options:

A. Side channel attack
B. Service hijacking
C. SQL injection attack
D. Man-in-the-cloud attack

Question 9

A large multinational enterprise recently integrated a digital HR onboarding system to streamline applicant submissions and document collection. During a cybersecurity audit, it was revealed that attackers had set up a phishing site mimicking the official HR document submission portal. Several employees and new hires uploaded their resumes and downloaded pre-filled form templates, believing them to be legitimate. Upon opening the downloaded Word documents, the system silently connected to external servers and fetched additional template data without any user consent or visible macro execution warnings. This bypassed email gateway filters and endpoint antivirus tools, leading to lateral malware spread across systems used by HR, finance, and legal departments.

Digital forensic analysis showed that the documents did not contain visible scripts or macros but relied on hidden structural definitions to retrieve malicious payloads dynamically from attacker-controlled servers. Which of the following web-based malware distribution techniques best explains the observed behavior?

Options:

A. Distribution of malware through remotely hosted RTF injection.
B. Distribution of malware through spear-phishing emails that impersonate social media contacts.
C. Distribution of malware through compromised browser extensions embedded in PDF rendering engines.
D. Distribution of malware through peer-to-peer file propagation mechanisms within internal networks.

Question 10

A user downloaded what appears to be genuine software. Unknown to her, when she installed the application, it executed code that provided an unauthorized remote attacker access to her computer. What type of malicious threat displays this characteristic?

Options:

A. Backdoor
B. Trojan
C. Spyware
D. Virus

Question 11

David, a certified digital first responder, arrives at the scene of a reported security breach in the HR department of a corporate office. The breach involves multiple digital endpoints, including desktop systems and mobile devices. Upon entering the scene, David observes that one desktop computer is still powered ON and logged in, showing a sensitive financial dashboard on the screen. Realizing the importance of preserving this evidence, David refrains from interacting directly with the keyboard or running applications. Instead, he takes high-resolution photographs of the screen to capture the current session details, including open applications and time-sensitive data. To avoid altering the system state, David gently moves the mouse without clicking, just enough to dismiss a screen saver without triggering any on-screen changes. He records the system's behavior, notes any visible alerts or programs running, and tags all connected cables and peripheral ports for proper documentation. What step in the evidence handling process is David demonstrating?

Options:

A. Seizing off-site backups
B. Preserving volatile evidence from an active system
C. Executing a shutdown script on Linux
D. Handling a powered-off device

Question 12

Following an internal audit at a mid-sized software development firm, it was discovered that several employees had been sharing system login credentials using personal messaging applications that were not approved by the organization. The audit further revealed that no structured guidance, awareness training, or acceptable usage policies had been provided regarding how and where confidential organizational information should be transmitted. Which of the following preparation steps would have most effectively prevented this situation?

Options:

A. Provide awareness sessions on identifying unauthorized surveillance tools in secure areas.
B. Schedule recurring data backups to secondary storage locations for disaster recovery.
C. Establish defined protocols for appropriate digital channels when handling sensitive internal content.
D. Deploy deception systems that simulate internal resources to lure potential insider threats.

Question 13

Jason is an incident handler dealing with malware incidents. He was asked to perform memory dump analysis in order to collect information about the basic functionality of a program. As part of his assignment, he needs to perform string search analysis to look for malicious strings that could reveal the harmful actions a program can perform. Which of the following string-searching tools does Jason need to use for the intended task?

Options:

A. PEView
B. BinText
C. Dependency Walker
D. Process Explorer

Question 14

In which of the following phases of the incident handling and response (IH&R) process are the identified security incidents analyzed, validated, categorized, and prioritized?

Options:

A. Incident recording and assignment
B. Containment
C. Notification
D. Incident triage

Question 15

Alice is an incident handler and she has been informed by her lead that the data on affected systems must be backed up so that it can be retrieved if it is damaged during the incident response process. She was also told that the system backup can also be used for further investigation of the incident. In which of the following stages of the incident handling and response (IH&R) process does Alice need to do a complete backup of the infected system?

Options:

A. Containment
B. Incident recording
C. Incident triage
D. Eradication

Question 16

Which of the following is not the responsibility of first responders?

Options:

A. Protecting the crime scene
B. Identifying the crime scene
C. Packaging and transporting the electronic evidence
D. Preserving temporary and fragile evidence and then shutting down or rebooting the victim's computer

Question 17

Liam, a certified digital forensics technician, labels seized laptops, USB drives, and smartphones with exhibit tags, records detailed descriptions in an evidence logbook, photographs items in their original positions, and documents custody transfers. Which aspect of evidence handling is Liam demonstrating?

Options:

A. Executing malware removal procedures
B. Imaging volatile memory
C. Creating a chain of custody record
D. Installing endpoint detection software

Question 18

Eve is an incident handler in ABC organization. One day, she received a complaint about an email hacking incident from one of the employees of the organization. As part of the incident handling and response process, she must follow a number of recovery steps in order to recover from the incident's impact and maintain business continuity. What is the first step she must take to secure the employee's account?

Options:

A. Restore the email services and change the password
B. Enable two-factor authentication
C. Enable scanning of links and attachments in all the emails
D. Disable automatic file sharing between the systems

Question 19

Sameer, part of the incident response team, is alerted that several employees unknowingly entered credentials on a fake login page after receiving a spoofed internal notification. The domain name used in the attack had subtle character changes. What kind of unauthorized access incident did this attack begin with?

Options:

A. DNS footprinting
B. Port scanning
C. Social engineering
D. ARP spoofing

Question 20

Which of the following is an inappropriate usage incident?

Options:

A. Access-control attack
B. Reconnaissance attack
C. Insider threat
D. Denial-of-service attack

Question 21

If the browser does not expire the session when the user fails to log out properly, which of the following OWASP Top 10 web vulnerabilities is caused?

Options:

A. A7: Cross-site scripting
B. A3: Sensitive data exposure
C. A2: Broken authentication
D. A5: Broken access control

Question 22

A cloud service provider's IH&R team faces huge volumes of cloud-native logs after anomalous activity. To ensure swift and effective incident triage, what should be the primary course of action?

Options:

A. Implement an incident response automation/orchestration tool for cloud environments to correlate logs and prioritize alerts.
B. Immediately isolate all affected cloud instances regardless of customer impact.
C. Notify all clients to back up data and prepare for disruptions.
D. Focus only on cloud-native logging, ignoring third-party logging tools.

Question 23

A US Federal Agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the networks. According to the agency's reporting timeframe guidelines, this incident should be reported within 2 h of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity. Which US Federal Agency incident category does this incident belong to?

Options:

A. CAT 6
B. CAT 2
C. CAT 1
D. CAT 5

Question 24

Racheal is an incident handler working in the InceptionTech organization. Recently, numerous employees have been complaining about receiving emails from unknown senders. In order to protect employees against spoofed emails, and keeping security in mind, Racheal was asked to take appropriate action in this matter. As part of her assignment, she needs to analyze the email headers to check the authenticity of the received emails. Which of the following protocol/authentication standards must she check in the email header to analyze the email's authenticity?

Options:

A. DKIM
B. SNMP
C. POP
D. ARP

Question 25

SevTech detected malicious code injected into its client data protection module, with indicators of a nation-state actor. In this high-pressure scenario, what should be SevTech's primary course of action?

Options:

A. Coordinate discreetly with governmental cyber units to gather intelligence.
B. Notify all clients and suggest immediate disconnection.
C. Immediately patch the discovered vulnerability and roll out updates without informing clients.
D. Execute a counter-hack to identify the attacker.

Question 26

Which of the following is NOT part of the static data collection process?

Options:

A. Evidence examination
B. System preservation
C. Password protection
D. Evidence acquisition

Question 27

During the process of detecting and containing malicious emails, incident responders should examine the originating IP address of the emails. The steps to examine the originating IP address are as follows:

1. Search for the IP in the WHOIS database
2. Open the email to trace and find its header
3. Collect the IP address of the sender from the header of the received mail
4. Look for the geographic address of the sender in the WHOIS database

Identify the correct sequence of steps to be performed by the incident responders to examine the originating IP address of the emails.

Options:

A. 4-->1-->2-->3
B. 2-->1-->4-->3
C. 1-->3-->2-->4
D. 2-->3-->1-->4

Question 28

An IT security analyst at a logistics firm is alerted to unusual outbound traffic originating from an employee's mobile device connected to the corporate VPN. Antivirus scans fail to remove the malware, indicating persistence. The organization cannot afford further data leakage. Which action should the incident handler take next?

Options:

A. Disable the SIM card.
B. Switch the device to airplane mode.
C. Perform a factory reset or reinstall the mobile OS.
D. Restrict background app refresh for social apps.

Question 29

A cybersecurity team at a financial services firm detects abnormal behavior on several endpoints, suggesting a possible breach. The anomalies include unexpected data transfers and processes running with unusual permissions. Given the potential impact, the team needs to quickly validate whether these are indicators of a security incident or benign anomalies. What method should the team prioritize to detect and validate the incident effectively?

Options:

A. Utilize an advanced behavioral analysis tool to differentiate between legitimate and malicious activities.
B. Implement strict access control measures to limit permissions on all endpoints immediately.
C. Disconnect the affected endpoints from the network to prevent potential data exfiltration.
D. Engage an external cybersecurity consultancy to conduct an independent assessment.

Question 30

Clark, a professional hacker, exploited the web application of a target organization by tampering with form and parameter values. He successfully exploited the web application and gained access to the information assets of the organization. Identify the vulnerability in the web application exploited by the attacker.

Options:

A. Broken access control
B. Security misconfiguration
C. SQL injection
D. Sensitive data exposure

Question 31

In an international bank, the IT security team identified unusual network traffic indicating a potential malware infection. Further analysis revealed that several high-value transaction servers were communicating with an external command and control server. The team needs to decide the immediate action to best handle this malware incident triage. What should they prioritize to mitigate the threat and safeguard sensitive data effectively?

Options:

A. Disconnecting the affected servers from the network to prevent further data exfiltration
B. Initiating a controlled shutdown of the transaction servers to preserve their current state
C. Immediately updating antivirus signatures on all network devices and servers
D. Performing a memory dump of the affected servers for in-depth forensic analysis

Question 32

If a hacker cannot find any other way to attack an organization, they can influence an employee or a disgruntled staff member. What type of threat is this?

Options:

A. Phishing attack
B. Insider attack
C. Footprinting
D. Identity theft

Question 33

An insider threat response plan helps an organization minimize the damage caused by malicious insiders. One of the approaches to mitigate these threats is setting up controls from the human resources department. Which of the following guidelines can the human resources department use?

Options:

A. Access granted to users should be documented and vetted by a supervisor.
B. Disable the default administrative account to ensure accountability.
C. Implement a person-to-person rule to secure the backup process and physical media.
D. Monitor and secure the organization's physical environment.

Question 34

Aaron, a digital first responder, is dispatched to an R&D lab after a suspected insider data breach involving intellectual property theft. Upon entering the lab, he observes fingerprint smudges on a workstation keyboard, oily residue on a DVD near the printer, and an unplugged USB drive on the desk. He documents the position of each item, uses gloves and evidence tags, covers surfaces to prevent contamination, and restricts access to the area. Which best practice is Aaron demonstrating?

Options:

A. Preserving trace-level physical indicators for attribution
B. Isolating system peripherals for digital chain-of-custody
C. Safeguarding volatile system state for RAM acquisition
D. Capturing live session activity from open peripherals

Question 35

OmegaTech Corp identified unauthorized remote access to its primary server and data exfiltration tunnels. Simultaneously, IoT device firmware corruption was reported. As the first responder, what should Olivia prioritize?

Options:

A. Start reinstalling IoT firmware
B. Begin isolating the primary server and cutting off remote access
C. Alert all divisions to initiate a system-wide shutdown
D. Engage the AI-driven security system to trace unauthorized access

Question 36

James is a professional hacker and is employed by an organization to exploit their cloud services. In order to achieve this, James created anonymous access to the cloud services to carry out various attacks such as password and key cracking, hosting malicious data, and DDoS attacks. Which of the following threats is he posing to the cloud platform?

Options:

A. Insecure interfaces and APIs
B. Data breach/loss
C. Insufficient due diligence
D. Abuse and nefarious use of cloud services

Question 37

Stanley works as an incident responder at a top MNC based out of Singapore. He was asked to investigate a cybersecurity incident that recently occurred in the company. While investigating the crime, he collected evidence from the victim systems. He must present this evidence in a clear and comprehensible manner to the members of the jury so that the evidence explains the facts clearly and further helps in obtaining an expert opinion on the same to confirm the investigation process. In the above scenario, what characteristic of the digital evidence did Stanley try to preserve?

Options:

A. Believable
B. Complete
C. Authentic
D. Admissible

Question 38

Drake is an incident handler in Dark Cloud Inc. He intends to perform log analysis in order to detect traces of malicious activities within the network infrastructure. Which of the following tools must Drake employ in order to view logs in real time and identify malware propagation within the network?

Options:

A. Splunk
B. HULK
C. Hydra
D. LOIC

Question 39

Joseph is an incident handling and response (IH&R) team lead in Toro Network Solutions Company. As part of the IH&R process, Joseph alerted the service providers, developers, and manufacturers about the affected resources. Identify the stage of the IH&R process Joseph is currently in.

Options:

A. Eradication
B. Containment
C. Incident triage
D. Recovery

Question 40

Which of the following terms refers to vulnerable account management functions, including account update, recovery of forgotten or lost passwords, and password reset, that might weaken valid authentication schemes?

Options:

A. SQL injection
B. Broken account management
C. Directory traversal
D. Cross-site scripting

Question 41

The following steps describe the key activities in forensic readiness planning:

1. Train the staff to handle the incident and preserve the evidence
2. Create a special process for documenting the procedure
3. Identify the potential evidence required for an incident
4. Determine the source of the evidence
5. Establish a legal advisory board to guide the investigation process
6. Identify if the incident requires full or formal investigation
7. Establish a policy for securely handling and storing the collected evidence
8. Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption

Identify the correct sequence of steps involved in forensic readiness planning.

Options:

A. 2-->3-->1-->4-->6-->5-->7-->8
B. 3-->4-->8-->7-->6-->1-->2-->5
C. 3-->1-->4-->5-->8-->2-->6-->7
D. 1-->2-->3-->4-->5-->6-->7-->8

Question 42

Raven is a part of an IH&R team and was informed by her manager to handle and lead the removal of the root cause for an incident and to close all attack vectors to prevent similar incidents in the future. Raven notifies the service providers and developers of affected resources. Which of the following steps of the incident handling and response process does Raven need to implement to remove the root cause of the incident?

Options:

A. Evidence gathering and forensic analysis
B. Eradication
C. Containment
D. Incident triage

Question 43

Francis is an incident handler and security expert. He works at MorisonTech Solutions based in Sydney, Australia. He was assigned a task to detect phishing/spam mails for the client organization. Which of the following tools can assist Francis to perform the required task?

Options:

A. Netcraft
B. Nessus
C. BTCrack
D. Cain and Abel

Question 44

Which of the following has been used to evade IDS and IPS?

Options:

A. Fragmentation
B. TNP
C. HTTP
D. SNMP

Question 45

Oscar receives an email from an unknown source containing his domain name oscar.com. Upon checking the link, he found that it contains a malicious URL that redirects to the website evilsite.org. What type of vulnerability is this?

Options:

A. Malware
B. Bolen
C. Unvalidated redirects and forwards
D. SQL injection


Question 47

Sophia, an incident handler at a cloud hosting provider, is investigating reports of intermittent web server slowdowns and timeouts. Upon analyzing router logs, she finds an unusually high number of incomplete connection attempts, causing the server's memory and CPU resources to spike. Suspecting a form of resource exhaustion attack, she applies a protective configuration to the router that allows it to validate connection requests before they reach the server. Soon after this change, the number of partial connections decreases, and the server regains stable performance. What was the purpose of this action?

Options:

A. To scan for malicious payloads
B. To prevent brute-force logins
C. To block SYN flood attempts
D. To monitor port scans

Question 48

Eric works as a system administrator in ABC organization. He granted privileged users unlimited permissions to access the systems. These privileged users can misuse their rights unintentionally or maliciously, or attackers can trick them into performing malicious activities. Which of the following guidelines helps incident handlers to eradicate insider attacks by privileged users?

Options:

A. Do not use encryption methods to prevent administrators and privileged users from accessing backup tapes and sensitive information
B. Do not control the access of administrators and privileged users
C. Do not enable the default administrative accounts, to ensure accountability
D. Do not allow administrators to use unique accounts during the installation process


Question 50

Alexis is working as an incident responder in XYZ organization. She was asked to identify and attribute the actors behind an attack that took place recently. In order to do so, she is performing threat attribution that deals with the identification of the specific person, society, or country sponsoring a well-planned and executed intrusion or attack on its target. Which of the following types of threat attribution did Alexis perform?

Options:

A. Nation-state attribution
B. Intrusion-set attribution
C. True attribution
D. Campaign attribution

Question 51

XYZ Inc. was affected by a malware attack, and James, the incident handling and response (IH&R) team member handling the incident, found out that the root cause of the incident is a backdoor that bypassed the security perimeter due to an existing vulnerability in the deployed firewall. James has contained the spread of the infection and removed the malware completely. Now the organization has asked him to perform an incident impact assessment to identify the impact of the incident on the organization, and he was also asked to prepare a detailed report of the incident. Which of the following stages in the IH&R process is James working on?

Options:

A. Notification
B. Evidence gathering and forensic analysis
C. Post-incident activities
D. Eradication

Question 52

Ren is assigned to handle a security incident of an organization. He is tasked with a forensics investigation to find the evidence needed by the management. Which of the following steps falls under the investigation phase of the computer forensics investigation process?

Options:

A. Secure the evidence
B. Risk assessment
C. Set up a computer forensics lab
D. Evidence assessment

Question 53

Elena, a first responder at a multinational firm, receives multiple reports from employees claiming they were asked to update their payroll information through an email that appears to be from HR. The email includes a URL directing users to a login page identical to the company's intranet but hosted on an unfamiliar domain. Elena immediately informs the IH&R team, preserves the email headers, captures screenshots of the spoofed page, and blocks the domain at the network level. What type of email security incident is Elena handling?

Options:

A. DNS cache poisoning
B. Mail storm attack
C. Email spamming
D. Deceptive phishing attack

Question 54

Emily, a member of the cybersecurity response team, receives an alert indicating suspicious login attempts on the company's internal HR portal. Upon inspection, she finds several failed login attempts from a foreign IP address targeting administrative accounts. Further investigation reveals that one of the accounts was compromised and its privileges were escalated. What indicator most strongly suggests this is an unauthorized access incident?

Options:

A. New system process creation
B. Log entries showing access to critical files
C. High CPU utilization
D. Suspicious DNS activity

Questions 55

An attack on a network is BEST blocked using which of the following?

Options:

A.  

IPS device inline

B.  

HIPS

C.  

Web proxy

D.  

Load balancer

Questions 56

AlphaTech, a cloud-based storage company, recently suffered data leakage. Investigation revealed an employee sent sensitive client data to a personal email. AlphaTech wants to implement a solution to monitor and prevent such incidents. What should they prioritize?

Options:

A.  

Mandate employees to attend cyber hygiene workshops every month.

B.  

Implement a Data Loss Prevention (DLP) tool to monitor sensitive data movement.

C.  

Limit email attachments to SMB for all employees.

D.  

Block all personal email domains on the company network.

Questions 57

Identify the malicious program that is masked as a genuine harmless program and gives the attacker unrestricted access to the user’s information and system. These programs may unleash dangerous programs that may erase the unsuspecting user’s disk and send the victim’s credit card numbers and passwords to a stranger.

Options:

A.  

Worm

B.  

Adware

C.  

Virus

D.  

Trojan

Questions 58

An energy company discovers unusual data transmission patterns in its IoT-based smart grid system, suggesting a potential cybersecurity incident. Given the complexity and criticality, what should be the company’s first step?

Options:

A.  

Shut down the smart grid system to prevent sabotage.

B.  

Update all IoT devices to the latest firmware version.

C.  

Activate the incident response protocol designed for IoT systems, focusing on isolating affected devices.

D.  

Engage a third-party IoT cybersecurity firm for an immediate assessment.

Questions 59

Which one of the following is the correct flow of the stages in an incident handling and response (IH&R) process?

Options:

A.  

Preparation -> Incident recording -> Incident triage -> Containment -> Eradication -> Recovery -> Post-incident activities

B.  

Containment -> Incident recording -> Incident triage -> Preparation -> Recovery -> Eradication -> Post-incident activities

C.  

Incident recording -> Preparation -> Containment -> Incident triage -> Recovery -> Eradication -> Post-incident activities

D.  

Incident triage -> Eradication -> Containment -> Incident recording -> Preparation -> Recovery -> Post-incident activities

Questions 60

Following a spear-phishing campaign targeting executive-level employees, a mid-sized financial firm experienced unauthorized access to internal systems, leading to widespread disruption of customer-facing applications. Although the technical issues were resolved within days, the breach triggered legal scrutiny and negative press coverage. Several major customers expressed concern about the firm's risk posture and began transitioning to competitors. Investor confidence was impacted as the stock value dipped, and senior leadership initiated a damage control campaign. Which of the following best categorizes the broader consequences experienced by the organization?

Options:

A.  

Tangible operational costs including the deployment of response infrastructure.

B.  

Recovery complications caused by delayed asset inventory synchronization.

C.  

Intangible business effects involving stakeholder defection and public image decline.

D.  

Measurable loss from hardware failure and direct asset compromise.

Questions 61

NovoMed discovers encrypted data transfers of drug research and participant data to an unknown location and receives an extortion-like message implying the formula may be released. What is the most prudent course of action?

Options:

A.  

Immediately recall the drug from the market.

B.  

Publicly announce the breach warning competitors and authorities.

C.  

Negotiate with the attackers discreetly to buy time and retrieve data.

D.  

Engage local law enforcement and international cybercrime agencies to trace the transfer’s origins.

Questions 62

Who is mainly responsible for providing proper network services and handling network-related incidents in all the cloud service models?

Options:

A.  

Cloud consumer

B.  

Cloud auditor

C.  

Cloud brokers

D.  

Cloud service provider

Questions 63

Adam is an attacker who, along with his team, launched multiple attacks on a target organization for financial benefit. Worried about getting caught, he decided to forge his identity. To do so, he created a new identity by obtaining information from different victims.

Identify the type of identity theft Adam has performed.

Options:

A.  

Medical identity theft

B.  

Tax identity theft

C.  

Synthetic identity theft

D.  

Social identity theft

Questions 64

A cybersecurity analyst at a technology firm discovers suspicious activity on a network segment dedicated to research and development. The initial indicators suggest a possible compromise of several endpoints with potential intellectual property theft. Given the sensitive nature of the data involved, what is the most effective method for the analyst to detect and validate the security incident?

Options:

A.  

Immediately notify law enforcement and regulatory bodies.

B.  

Isolate the affected network segment and manually inspect each endpoint.

C.  

Deploy an endpoint detection and response (EDR) solution to identify and investigate suspicious activities.

D.  

Conduct a network-wide vulnerability scan.

Questions 65

After experiencing a large-scale distributed denial-of-service (DDoS) attack that caused service outages, a national telecom provider recovered its web platform. The IH&R team must now implement post-recovery measures to enhance resilience against future DDoS attempts. Which action would be most effective?

Options:

A.  

Remove antivirus to speed up application response

B.  

Configure a CDN and implement blackhole routing

C.  

Add guest user accounts for remote diagnostics

D.  

Increase FTP access for easier maintenance

Questions 66

Eric works as an incident handler at Erinol software systems. He was assigned the task of protecting the organization from any kind of DoS/DDoS attack.

Which of the following tools can be used by Eric to achieve his objective?

Options:

A.  

Incapsula

B.  

Hydra

C.  

IDA

D.  

Wireshark

Questions 67

A regional healthcare provider leveraging a platform-as-a-service (PaaS) cloud model detects suspicious activity involving unauthorized access to patient records. During the investigation, the incident response team attempts to retrieve system logs from virtual machines used during the breach. However, they realize that crucial log files are unavailable, as the short-lived instances were automatically terminated shortly after the event. This hampers their ability to reconstruct a complete activity trail and trace the attacker's movements. Which core cloud forensic challenge does this situation most likely reflect?

Options:

A.  

Limited log access from containerized workloads.

B.  

Metadata misalignment resulting from inconsistent log normalization.

C.  

Evaporation of logs due to volatile storage.

D.  

Log encryption hindered by poor key management practices.

Questions 68

SafeGuard Inc., a cloud storage company, identified attackers exploiting a Server-Side Request Forgery (SSRF) vulnerability, leading to internal network reconnaissance. Which measure should SafeGuard Inc. prioritize to mitigate this vulnerability?

Options:

A.  

Disable unused application features and services.

B.  

Implement a Content Security Policy (CSP).

C.  

Increase monitoring and logging of application activities.

D.  

Restrict outbound traffic from the application server.

Questions 69

Otis is an incident handler working in an organization called Delmont. Recently, the organization faced several setbacks in business, whereby its revenues are decreasing. Otis was asked to take charge and look into the matter. While auditing the enterprise security, he found traces of an attack through which proprietary information was stolen from the enterprise network and passed onto their competitors. Which of the following information security incidents did Delmont face?

Options:

A.  

Network and resource abuses

B.  

Espionage

C.  

Email-based abuse

D.  

Unauthorized access

Questions 70

EcoEarth Inc. detects abnormal archival data access from dormant employee profiles, modification of critical datasets, and suspicious encrypted packet transmissions. Given the risk, what is the first responder’s primary action?

Options:

A.  

Decrypt the suspicious packets to understand the breach.

B.  

Notify global ecological partners to review shared data.

C.  

Initiate a rollback to a previous safe state using real-time backups.

D.  

Isolate and shut down sections of the server showing abnormal activity.

Questions 71

WebDynamics experienced altered webpage content due to stored Cross-Site Scripting (XSS) attacks caused by lack of output encoding. What should be the main focus to prevent this?

Options:

A.  

Implement proper output encoding for displayed content.

B.  

Establish a Web Application Firewall (WAF).

C.  

Regularly update the CMS and plugins.

D.  

Introduce mandatory two-factor authentication.

Questions 73

Which of the following is an attack that attempts to prevent the use of systems, networks, or applications by the intended users?

Options:

A.  

Denial of service (DoS) attack

B.  

Fraud and theft

C.  

Unauthorized access

D.  

Malicious code or insider threat attack

Questions 74

Which of the following is the ECIH phase that involves removing or eliminating the root cause of an incident and closing all attack vectors to prevent similar incidents in the future?

Options:

A.  

Recovery

B.  

Containment

C.  

Eradication

D.  

Vulnerability management phase

Questions 75

Jason is setting up a computer forensics lab and must perform the following steps: 1. physical location and structural design considerations; 2. planning and budgeting; 3. work area considerations; 4. physical security recommendations; 5. forensic lab licensing; 6. human resource considerations. Arrange these steps in the order of execution.

Options:

A.  

2 -> 1 -> 3 -> 6 -> 4 -> 5

B.  

2 -> 3 -> 1 -> 4 -> 6 -> 5

C.  

5 -> 2 -> 1 -> 3 -> 4 -> 6

D.  

3 -> 2 -> 1 -> 4 -> 6 -> 5

Questions 76

AlphaTech recently discovered signs of an advanced persistent threat (APT) in its infrastructure. The incident response team is trying to gather more information about the threat to form a comprehensive response strategy. While leveraging threat intelligence platforms, which of the following approaches would be most effective in gathering detailed and actionable insights about the APT?

Options:

A.  

Searching for IOCs related to known APT campaigns and comparing them with observed patterns.

B.  

Collaborating with industry peers to understand similar threats and observed TTPs.

C.  

Obtaining historical data on common cyber threats to predict future movements.

D.  

Gathering information from open-source forums and integrating it internally.

Questions 77

Richard is analyzing a corporate network. After an alert from the network’s IPS, he identified that all the servers are sending huge amounts of traffic to the website abc.xyz. What type of information security attack vector has affected the network?

Options:

A.  

Botnet

B.  

Advanced persistent threats

C.  

Ransomware

D.  

IoT threats

Questions 78

Employee monitoring tools are mostly used by employers to find which of the following?

Options:

A.  

Lost registry keys

B.  

Conspiracies

C.  

Malicious insider threats

D.  

Stolen credentials

Questions 79

Which of the following is a technique used by attackers to make a message difficult to understand through the use of ambiguous language?

Options:

A.  

Steganography

B.  

Spoofing

C.  

Encryption

D.  

Obfuscation

Questions 80

Khai was tasked with examining the logs from a Linux email server. The server uses Sendmail to execute the command to send emails and Syslog to maintain logs. To validate the data within email headers, which of the following directories should Khai check for information such as source and destination IP addresses, dates, and timestamps?

Options:

A.  

/var/log/mailog

B.  

/var/log/sendmail

C.  

/var/log/maillog

D.  

/var/log/sendmail/mailog

Questions 81

Dan is a newly appointed information security professional in a renowned organization. He is supposed to follow multiple security strategies to eradicate malware incidents. Which of the following is not considered a good practice for maintaining information security and eradicating malware incidents?

Options:

A.  

Do not download or execute applications from third-party sources

B.  

Do not click on web browser pop-up windows

C.  

Do not open files with file extensions such as .bat, .com, .exe, .pif, .vbs, and so on

D.  

Do not download or execute applications from trusted sources
