Certified Incident Handler (CIH) Practice Exam

Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


What indicator can help an incident responder detect web application security incidents?

  1. Variation in user-agent strings

  2. Variation in the HTTP request and response sizes

  3. Increased page load times

  4. Frequent database queries

The correct answer is: Variation in the HTTP request and response sizes

Identifying variations in HTTP request and response sizes can significantly aid incident responders in detecting web application security incidents. Typically, legitimate interactions with a web application exhibit consistent patterns in request and response sizes. When there are unusual variations, it may indicate suspicious activity, such as data exfiltration attempts, injection attacks, or other forms of exploitation. For instance, if a typical request from a user results in a predictable response size, but there's a sudden spike in the response size (potentially indicating that larger amounts of data are being sent back, perhaps due to a vulnerability being exploited), this can signal an alarming incident that merits further investigation.

Moreover, analyzing these size variations over time can help identify anomalies that deviate from established baselines. This becomes invaluable in a proactive security posture, allowing for timely interventions before a security breach escalates.

Other indicators, while they may also signal issues, do not provide the same direct correlation to web application security incidents. For instance, variations in user-agent strings could reflect normal user behavior or benign changes rather than nefarious activity. Increased page load times often arise from various technical issues unrelated to security breaches. Frequent database queries might not necessarily indicate a problem unless coupled with context about abnormal patterns. Each of these offers insight but