Correct answer:

Rootkits are normally installed through the execution of a virus, so you can block the installation of the rootkit by blocking other malware.

Rootkits do provide low-level control over a system and can allow an attacker remote access to the system.

Incorrect answers:

A rootkit can detect an antivirus scan and hide itself from the scan, making it difficult for the antivirus software to detect it. Some rootkit detectors have been released, but rootkits are still more difficult to detect than other forms of malware.

Correct answer:

A clipping level uses a predetermined level as a threshold and ignores events until the threshold is met.

Incorrect answers:

Account lockout causes a user account to be locked out after a specified number of incorrect login attempts.

Audit trail exception and password exception are distractors and not valid terms in this context.

Correct answers:

Baselines are an important element of configuration control and are often implemented with images.

Incorrect answers:

Although change management and system auditing can ensure that systems stay the same after deployment, they would not ensure that the systems were deployed originally with the same baseline settings.

Compliance auditing is associated with compliance with outside requirements, not internal policies.

Correct answer:

An alert provides notification of a potential adverse event, but it isn’t considered an incident until it is analyzed and verified. An alert from an intrusion detection system (IDS) can be a false positive, which isn’t an incident.

Incorrect answers:

An event is not considered an incident immediately or based on when the notification is received.

An event is considered an incident only after analysis and verification.

Correct answer:

Domain Name System (DNS) uses a pointer (PTR) record to resolve IP addresses to host names.

Incorrect answers:

An A record resolves a host name to an IP address.

An MX record is used to locate mail servers.

A CNAME record is used to create alias names for servers.

Correct answer:

Threat events are any type of activity or event that can result in a loss of confidentiality, integrity, or availability to a system.

Incorrect answers:

Controls and countermeasures protect systems.

Vulnerabilities (not threats) are any weaknesses in a system, network, or infrastructure.

An attacker can exploit a vulnerability by attacking, but the potential for the attack isn’t the threat event.

Correct answer:

It is appropriate to share threat intelligence (such as the knowledge gained by analyzing the server) with other entities such as law enforcement agencies.

Incorrect answers:

Security professionals do not recommend keeping the information private because it can help other organizations detect and/or block attacks.

Unless it is your specific job to launch attacks, it is never appropriate to launch attacks.

The knowledge gained by analyzing the server is the tactics, techniques, and procedures (TTPs) used by the attackers and the question is asking what to do with this knowledge.

Correct answer:

A hash is a number created by executing a hashing algorithm against a file or message. It can be used to verify the integrity of the downloaded file.

Incorrect answers:

A hash is not a key.

Hashing algorithms create a hash through a one-way encryption process.

Correct answer:

An anomaly-based intrusion detection system (IDS) attempts to document normal behavior in the form of a baseline, so if the normal behavior is modified by changing the environment, the baseline must be updated.

Incorrect answers:

It is not necessary to reinstall or upgrade the IDS.

A signature-based (not anomaly-based) detection method uses signatures.

Correct answer:

Heuristics-based detection (sometimes called behavior-based detection) attempts to identify previously unknown malware by observing its behavior. This form of detection isolates an application in an area called a sandbox and observes its behavior.

Incorrect answers:

Signature-based detection uses a database of known malware identified by specific characteristics or patterns of bytes within the malware.