What is the major difference between a worm and a Trojan horse?
A. A worm spreads via e-mail, while a Trojan horse does not.
B. A worm is a form of malicious program, while a Trojan horse is a utility.
C. A worm is self replicating, while a Trojan horse is not.
D. A Trojan horse is a malicious program, while a worm is an anti-virus software.
Which of the following is executed when a predetermined event occurs?
A. Trojan horse
B. Logic bomb
C. MAC
D. Worm
Which of the following statements is true about a Trojan engine?
A. It limits the system resource usage.
B. It specifies the signatures that keep a watch for a host or a network sending multiple packets to a single host or a single network.
C. It specifies events that occur in a related manner within a sliding time interval.
D. It analyzes the nonstandard protocols, such as TFN2K and BO2K.
Your company's web server administrator reports that the Apache servers are running slowly, but the IIS servers are not. Based on this report, which of the following pieces of information will help you determine the event should be classified as an incident?
A. Traffic logs from the border routers serving the web server farm
B. The Apache versions from the affected web servers
C. The output of the netstat command from an IIS server
D. The httpd configuration files from the Apache servers
You are responding to an incident in which the organization's Extranet server has been compromised. The Extranet is the browser home page for most users in the organization. You have been instructed to watch the attacker, but minimize the business impact and the risk of further compromise. How can you continue providing services to the organization's users while isolating the compromised server?
A. Point the domain name to the IP address of a secondary, patched production server
B. Change the server IP address to a different IP address
C. Isolate the switch port and put the system on a quarantined VLAN
D. Rebuild the system during a downtime window and restore the service
Which approach is recommended to prevent a DoS condition due to account lockouts as a result of a password guessing attack?
A. Limit the attack to a small number of dormant accounts, and maximize the number of password guesses per account
B. Maximize the number of accounts and hosts that are targeted, but try only two password guesses per account
C. Employ a hybrid attack during non-business hours
D. Use a script to automate password guesses at the accounts, limiting the guesses to 1 per every 3-seconds
Examine the image below. Which of the following defensive measures could be taken to control the activity?

A. Block all traffic to the web server until a full investigation has been completed
B. Create an IDS signature that blocks iamawesome.nasl on the web servers
C. Sanitize the input from external users to the web server
D. Ping back to the host that uploaded the script to identify the host
From the choices below, which type of defense is the best way to protect against User-Mode RootKits?
A. Reactive
B. Directive
C. Responsive
D. Proactive
E. Corrective
An attacker wishes to steal browser cookies through a Cross-Site Scripting attack. Which website provides the best attack vector?
A. A user-generated message board
B. A login page protected by Basic Authentication
C. A news aggregator RSS feed in XML format
Which of the following statements describes the data below from volatility's pstree plugin?

A. Cmd.exe was the child process of OneDrive.exe
B. Chrmstp.exe was launched by MSASCuiL.exe
C. Explorer.exe was the parent process for firefox.exe
D. Notepad.exe was launched with Administrative privileges