=071==
A company has migrated its infrastructure and services to the cloud to leverage its scalability and flexibility. However, they are facing challenges in effectively handling and responding to security incidents in the cloud environment.

What is one of the key challenges in cloud incident handling and response?

Ⓐ Limited availability of cloud service provider's security tools and features
Ⓑ Inadequate incident response team training and skills
Ⓒ Lack of visibility and control over cloud infrastructure and data
Ⓓ Difficulty in conducting forensic investigations in a shared cloud environment
=072==
During a web application security incident, the incident response team discovers that a hacker has gained access to a server hosting a critical web application. The hacker has also installed malware that has enabled them to steal sensitive data from the server.

What is the best course of action for the incident response team during the containment phase?

Ⓐ Disconnect the server from the network to prevent further access
Ⓑ Leave the server connected to the network to gather more information about the attack
Ⓒ Notify the affected customers of the breach
Ⓓ Back up the compromised server to preserve evidence
=073==
ABC Corp., in the wake of frequent malware attacks, decided to conduct a forensic investigation on a suspected machine in their network. The incident response team used CurrPorts to monitor TCP/IP connections and identified suspicious ports. They also leveraged Regshot for registry entry monitoring. While analyzing these registry changes before and after the attack using a Sysinternals process, they noticed some entries in the autostart section.

What is the best course of action for the incident response team to mitigate the risk posed by these changes?

Ⓐ To ensure that the malicious process runs whenever the system boots
Ⓑ To log the keystrokes and send the user credentials over the network to the attacker
Ⓒ To spread the malware across connected devices in the network
Ⓓ To remove the autostart entries in the startup section to prevent further attacks
=074==
During the eradication phase of a web application security incident, the incident response team discovers that the attacker has compromised the organization's Active Directory domain controller.

What is the best course of action for the incident response team?

Ⓐ Wipe and rebuild the affected domain controller
Ⓑ Run a malware scan on the affected domain controller
Ⓒ Change all passwords and credentials on the affected domain controller
Ⓓ Install additional security measures on the affected domain controller
=075==
During an email security incident, the Incident Handling and Response (IH&R) team in an organization decided to use Pretty Good Privacy (PGP) protocols via the Gpg4win tool to secure email communications. While creating a backup of keys, one of the IH&R team members forgot to make a note of the location of the backup files.

What could be the potential impact of this mistake?

Ⓐ The member will be unable to sign the outgoing messages with his private key
Ⓑ The member will be unable to decrypt messages encrypted with his public key
Ⓒ The member will not be able to encrypt messages using the recipient's public key
Ⓓ The member will not be able to retrieve the public key for future communications
=076==
You are the IT security manager for a large financial services company. You receive an alert from the email security system that a user in the finance department has received an email with a suspicious attachment. The email appears to be from a trusted partner, and the user frequently communicates with this partner. The attachment is a zip file that the email security system has flagged as potentially malicious.

Which of the following is the best action for you to take based on email security incident detection and response?

Ⓐ Reviewing email logs only after an incident has been detected
Ⓑ Allowing users to access suspicious email attachments to gather more information
Ⓒ Implementing an email security system with real-time monitoring and alerts
Ⓓ Disconnecting all systems from the network after an incident has been detected
=077==
An Incident Handler is conducting a training session on implementing PGP for email security using Gpg4win in an organization. She explains that securing email communication requires a sequence of steps such as creating a PGP key, generating a backup copy, creating a public key text document, and more. The trainee is required to send an encrypted message from one email account to another.

At what point does the trainee need to encrypt the message to ensure it is secure and confidential during transmission?

Ⓐ Right after generating the PGP key and saving a backup copy
Ⓑ Before sending the email from the second email account to the first account
Ⓒ As soon as the message is composed on the clipboard window
Ⓓ Immediately after pasting the public key into a new text document
=078==
During a recent incident response, the Blue Team of Contoso Corp. discovered a series of sophisticated spear-phishing emails sent to senior executives. The emails leveraged zero-day vulnerabilities. To enhance its proactive defenses, the team was required to incorporate more robust preventive measures into their security strategy.

Which approach would best address this situation?

Ⓐ Collaborate with industry-specific Information Sharing and Analysis Centers (ISACs).
Ⓑ Utilize commercial threat feeds to gain insights into emerging threats.
Ⓒ Conduct regular penetration testing to identify and patch vulnerabilities.
Ⓓ Implement mandatory two-factor authentication for all senior executive accounts.
=079==
In the course of an incident handling task, you identified an email with suspicious attributes. The email header indicates an SPF result of "SoftFail" and a DKIM result of "Neutral."

Given these attributes, what is the most probable interpretation and appropriate course of action?

Ⓐ The email is legitimate as the DKIM result is Neutral, which means the email is signed but the signature could not be processed due to syntax errors. No further action is required.
Ⓑ The email is likely legitimate as the SPF result is SoftFail, indicating a fail but not a strong fail. Continue to analyze the content of the email for any other suspicions.
Ⓒ The email could be suspicious, as the DKIM result indicates syntax errors in the signature. However, no immediate action is required as the SPF SoftFail does not confirm the email as malicious.
Ⓓ The email is likely a spoofed email and should be quarantined immediately as the SPF SoftFail and DKIM Neutral results together indicate possible email forgery.
=080==
MediTech, a healthcare tech company, is rolling out a proactive strategy against potential malware threats. They have a diverse range of software and hardware assets. In an executive meeting, a range of measures were discussed.

Which measure would best enable them to promptly identify unauthorized applications?

Ⓐ Conducting weekly vulnerability assessments.
Ⓑ Enforcing application whitelisting across all company endpoints.
Ⓒ Establishing a strict patch management routine.
Ⓓ Deploying a heuristic-based intrusion detection system.
Answer key (071-080): C A A A B C C A D B