To detect worms and viruses buried deep within a network packet payload, Gigabytes worth of traffic content entering and exiting a network must be checked with which of the following technologies?
A. Proxy matching
B. Signature matching
C. Packet matching
D. Irregular expression matching
E. Object matching
When identifying malware, what is a key difference between a Worm and a Bot?
A. A Worm gets instructions from an external control channel like an IRC server.
B. A Worm, unlike a Bot, is installed silently as an add-on to a legitimate program.
C. A Bot, unlike a Worm, is frequently spread through email attachments.
D. A Bot gets instructions from an external control channel like an IRC server.
Monitoring the transmission of data across the network using a man-in-the-middle attack presents a threat against which type of data?
A. At-rest
B. In-transit
C. Public
D. Encrypted
At the start of an investigation on a Windows system, the lead handler executes the following commands after inserting a USB drive. What is the purpose of this command? C:\ >dir / s / a dhsra d: \ > a: \ IRCD.txt
A. To create a file on the USB drive that contains a listing of the C: drive
B. To show hidden and archived files on the C: drive and copy them to the USB drive
C. To copy a forensic image of the local C: drive onto the USB drive
D. To compare a list of known good hashes on the USB drive to files on the local C: drive
An internal host at IP address 10.10.50.100 is suspected to be communicating with a command and control whenever a user launches browser window. What features and settings of Wireshark should be used to isolate and analyze this network traffic?
A. Filter traffic using ip.src = = 10.10.50.100 and tcp.srcport = = 80, and use Expert Info
B. Filter traffic using ip.src = = 10.10.50.100 and tcp.dstport = = 53, and use Expert Info
C. Filter traffic using ip.src = = 10.10.50.100 and tcp.dstport = = 80, and use Follow TCP stream
D. Filter traffic using ip.src = = 10.10.50.100, and use Follow TCP stream
Michael, a software engineer, added a module to a banking customer's code. The new module deposits small amounts of money into his personal bank account. Michael has access to edit the code, but only code reviewers have the ability to commit modules to production. The code reviewers have a backlog of work, and are often willing to trust the software developers' testing and confidence in the code.
Which technique is Michael most likely to engage to implement the malicious code?
A. Denial of Service
B. Race Condition
C. Phishing
D. Social Engineering
How does the Cisco IOS IP Source Guard feature help prevent spoofing attacks?
A. Filters traffic based on IP address once a DHCP address has been assigned
B. Prevents unauthorized MAC addresses from receiving an IP address on the network
C. Blocks unsolicited ARP packets after a client has received an IP address
D. Rate limits client traffic to prevent CAM table flooding
An analyst will capture traffic from an air-gapped network that does not use DNS. The analyst is looking for unencrypted Syslog data being transmitted. Which of the following is most efficient for this purpose?
A. tcpdump –s0 –i eth0 port 514
B. tcpdump –nnvvX –i eth0 port 6514
C. tcpdump –nX –i eth0 port 514
D. tcpdump –vv –i eth0 port 6514
Although the packet listed below contained malware, it freely passed through a layer 3 switch. Why didn't the switch detect the malware in this packet?

A. The packet was part of a fragmentation attack
B. The data portion of the packet was encrypted
C. The entire packet was corrupted by the malware
D. It didn't look deeply enough into the packet
What does the following WMIC command accomplish?
process where name='malicious.exe' delete
A. Removes the `malicious.exe' process form the Start menu and Run registry key
B. Stops current process handles associated with the process named `malicious.exe'
C. Removes the executable `malicious.exe' from the file system
D. Stops the `malicious.exe' process from running and being restarted at the next reboot