When you have completed the simulation, please select the Done button to submit.
A security administrator discovers that an attack has been completed against a node on the corporate
network. All available logs were collected and stored.
You must review all network logs to discover the scope of the attack, check the box of the node(s) that
have been compromised and drag and drop the appropriate actions to complete the incident response on
the network. The environment is a critical production environment; perform the LEAST disruptive actions
on the network, while still performing the appropriate incident responses.
Instructions: The web server, database server, IDS, and User PC are clickable. Check the box of the
node(s) that have been compromised and drag and drop the appropriate actions to complete the incident
response on the network. Not all actions may be used, and order is not important. If at any time you
would like to bring back the initial state of the simulation, please select the Reset button. When you have
completed the simulation, please select the Done button to submit. Once the simulation is submitted,
please select the Next button to continue.
Which of the following malware categories BEST describes this program?
A program has been discovered that infects a critical Windows system executable and stays dormant in
memory. When a Windows mobile phone is connected to the host, the program infects the phone’s boot
loader and continues to target additional Windows PCs or phones. Which of the following malware
categories BEST describes this program?
Which of the following is MOST likely to be contained in the download?
A user casually browsing the Internet is redirected to a warez site where a number of pop-ups appear.
After clicking on a pop-up to complete a survey, a drive-by download occurs. Which of the following is
MOST likely to be contained in the download?
Which of the following malware types typically allows an attacker to monitor a user’s computer, is characterized by a drive-by download, and requires no user interaction?
Which of the following malware types typically allows an attacker to monitor a user’s computer, is
characterized by a drive-by download, and requires no user interaction?
Which of the following BEST describes this type of malware?
Sara, a user, downloads a keygen to install pirated software. After running the keygen, system
performance is extremely slow and numerous antivirus alerts are displayed. Which of the following BEST
describes this type of malware?
Which of the following has MOST likely been installed on the server?
During a server audit, a security administrator does not notice abnormal activity. However, a network
security analyst notices connections to unauthorized ports from outside the corporate network. Using
specialized tools, the network security analyst also notices hidden processes running. Which of the
following has MOST likely been installed on the server?
The administrator should be looking for the presence of a/an:
A trojan was recently discovered on a server. There are now concerns that there has been a security
breach that allows unauthorized people to access data. The administrator should be looking for the
presence of a/an:
This is an example of which of the following?
Two programmers write a new secure application for the human resources department to store personal
identifiable information. The programmers make the application available to themselves using an
uncommon port along with an ID and password only they know. This is an example of which of the
following?
Which of the following should the CIO be concerned with?
The Chief Information Officer (CIO) receives an anonymous threatening message that says “beware of the
1st of the year”. The CIO suspects the message may be from a former disgruntled employee planning an
attack. Which of the following should the CIO be concerned with?
Which of the following is this an example of?
Ann, a software developer, has installed some code to reactivate her account one week after her account
has been disabled. Which of the following is this an example of? (Select TWO).

