CyberOps Final Exam
Which step in the Vulnerability Management Life Cycle determines a baseline risk profile to eliminate risks based on asset criticality, vulnerability threat, and asset classification? a. assess b. discover c. verify d. prioritize assets
a
Which wireless parameter is used by an access point to broadcast frames that include the SSID? a. passive mode b. active mode c. channel setting d. security mode
a
Which category of attacks uses an application or device that can read, monitor, and capture network data exchanges and read network packets? a. sniffer attack b. MiTM c. DoS
a
Which common network technology or protocol uses a hierarchy of authoritative time sources to send time information between devices on the network? a. NTP b. Syslog c. ICMP d. DNS
a
Which destination network routing table entry type is automatically added when an interface is configured and active? a. directly connected interface b. dynamic route c. local route interface d. static route
a
Which measure can a security analyst take to perform effective security monitoring against network traffic encrypted by SSL technology? a. require remote access connections through IPsec VPN b. deploy a Cisco SSL Appliance c. deploy a Cisco ASA d. use a Syslog server to capture network traffic
a
Which monitoring tool provides statistics on packets flowing through a Cisco router or multilayer switch? a. NetFlow b. Wireshark c. SNMP d. SIEM
a
Which network monitoring data type is used to describe and analyze network flow or performance data? a. statistical data b. transaction data c. session data d. alert data
a
Which network service allows administrators to manage network nodes? a. SNMP b. NetFlow c. syslog d. NTP
a
Which network-based antimalware solution provides filtering of websites and blacklisting before they reach the endpoint? a. web security appliance b. email security appliance c. network admission control d. advanced malware protection
a
Which protocol or service uses UDP for a client-to-server communication and TCP for server-to-server communication? a. DNS b. HTTP c. FTP d. SMTP
a
Which security organization maintains and supports the Internet Storm Center and also develops security courses? a. SANS b. MITRE c. FIRST
a
Which server profile element is the parameters defining user access and behavior? a. user accounts b. listening ports c. service accounts d. software environment
a
Which attack took is a network scanning tool used to probe network devices, servers, and hosts for open TCP or UDP ports? a. Nmap b. Yersinia c. RainbowCrack
a
A client application needs to terminate a TCP communication session with a server. What is step 4? a. client sends ACK b. client sends FIN c. client sends SYN d. server sends ACK e. server sends FIN f. server sends SYN
a
A piece of malware has gained access to a workstation and issued a DNS lookup query to a CnC server. What is the purpose of this attack? a. to send stolen sensitive data with encoding b. to request a change of the IP address c. to masquerade the IP address of the workstation d. to check the domain name of the workstation
a
A threat actor has identified the potential vulnerability of the web server of an organization and is building an attack. What will the threat actor possibly do to build an attack weapon? a. Obtain an automated tool in order to deliver the malware payload through the vulnerability. b. Create a point of persistence by adding services. c. Install a webshell on the web server for persistent access. d. Collect credentials of the web server developers and administrators.
a
After host A receives a web page from server B, host A terminates the connection with server B. What is Step 4? a. Host A sends an ACK to server B b. Server B sends a FIN to host A c. Host A sends a FIN to server B d. Server B sends an ACK to host A
a
Refer to the exhibit. What solution can provide a VPN between site A and site B to support encapsulation of any Layer 3 protocol between the internal networks at each site? a. a GRE tunnel b. an IPsec tunnel c. Cisco SSL VPN d. a remote access tunnel
a
What SIEM function searches logs and events from sources throughout the organization for complete information analysis? a. forensic analysis b. correlation c. aggregation d. reporting
a
What best describes the destination IPv4 address that is used by multicasting? a. a single IP address that is used by all destinations in a group b. an IP address that is unique for each destination in the group c. a 48 bit address that is determined by the number of members in the multicast group d. a group address that shares the last 23 bits with the source IPv4 address
a
What debugging security tool can be used by black hats to reverse engineer binary files when writing exploits? a. WinDbg b. Firesheep c. AIDE d. Skipfish
a
What is a characteristic of a Trojan horse as it relates to network security? a. Malware is contained in a seemingly legitimate executable program. b. Extreme quantities of data are sent to a particular network device interface. c. Too much information is destined for a particular memory block, causing additional memory areas to be affected. d. An electronic dictionary is used to obtain a password to be used to infiltrate a key network device
a
What is a key difference between the data captured by NetFlow and data captured by Wireshark? a. NetFlow collects metadata from a network flow whereas Wireshark captures full data packets. b. NetFlow provides transaction data whereas Wireshark provides session data. c. NetFlow data shows network flow contents whereas Wireshark data shows network flow statistics. d. NetFlow data is analyzed by tcpdump whereas Wireshark data is analyzed by nfdump
a
What is the benefit of converting log file data into a common schema? a. allows easy processing and analysis of datasets b. creates a data model based on fields of data from a source c. allows the implementation of partial normalization and inspection d. creates a set of regex-based field extractions
a
Which Linux host-based firewall application is an application that allows Linux system administrators to configure network access rules that are part of the Linux kernel Netfilter modules? a. iptables b. nftables c. TCP Wrappers
a
Which NIST Cybersecurity Framework core function is concerned with the development and implementation of safeguards that ensure the delivery of critical infrastructure services? a. protect b. recover c. detect d. identify e. respond
a
Which PDU format is used when bits are received from the network medium by the NIC of a host? a. frame b. segment c. packet d. file
a
Which SOC metric is the average time that it takes for the SOC personnel to identify that valid security incidents have occurred in the network? a. MTTD b. MTTC c. MTTR d. dwell time
a
Which Windows 10 Task Manager displays resource utilization information for CPU, memory, network, disk, and others? a. Performance b. Startup c. Service d. Details
a
Which alert classification is when normal traffic is incorrectly identified as a threat? a. false positive b. false negative c. true positive d. true negative
a
Which application layer protocol is used to provide file-sharing and print services to Microsoft applications? a. SMB b. DHCP c. HTTP d. SMTP
a
Which attack surface has an attack exploit of these attacks include conventional wired and wireless network protocols as well as other wireless protocols used by smartphones or IoT devices.? The attacks target vulnerabilities at the transport layer. a. Network Attack Surface b. Software Attack Surface c. Human Attack Surface
a
What two assurances does digital signing provide about code that is downloaded from the Internet? (Choose two.) a. The code has not been modified since it left the software publisher. b. The code is authentic and is actually sourced by the publisher. c. The code was encrypted with both a private and public key. d. The code contains no viruses. e. The code contains no errors.
a, b
Which three IPv4 header fields have no equivalent in an IPv6 header? (Choose three.) a. fragment offset b. flag c. protocol d. version e. identification f. TTL
a, b, e
A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication? (Choose two) a. single process for authentication and authorization b. separate processes for authentication and authorization c. hidden passwords during transmission d. encryption for all communication e. encryption for only the data
a, c
What are two uses of an access control list? (Choose two.) a. ACLs can control which areas a host can access on a network. b. Standard ACLs can restrict access to specific applications and ports. c. ACLs provide a basic level of security for network access. d. ACLs can permit or deny traffic based upon the MAC address originating on the router. e. ACLs assist the router in determining the best path to a destination.
a, c
Which three IP addresses are considered private addresses? (Choose three.) a. 172.17.254.4 b. 128.37.255.6 c. 10.234.2.1 d. 198.168.6.18 e. 172.68.83.35 f. 192.168.5.29
a, c, f
A help desk technician notices an increased number of calls relating to the performance of computers located at the manufacturing plant. The technician believes that botnets are causing the issue. What are two purposes of botnets? (Choose two.) a. to transmit viruses or spam to computers on the same network b. to record any and all keystrokes c. to withhold access to a computer or files until money has been paid d. to attack other computers e. to gain access to the restricted part of the operating system
a, d
What are the two methods that a wireless NIC can use to discover an AP? (Choose two.) a. transmitting a probe request b. sending an ARP request broadcast c. initiating a three-way handshake d. receiving a broadcast beacon frame e. sending a multicast frame
a, d
What are three functions provided by the syslog service? (Choose three.) a. to gather logging information for monitoring and troubleshooting b. to provide statistics on packets that are flowing through a Cisco device c. to periodically poll agents for data d. to specify the destinations of captured messages e. to provide traffic analysis f. to select the type of logging information that is captured
a, d, f
What are two potential network problems that can result from ARP operation? (Choose two.) a. Network attackers could manipulate MAC address and IP address mappings in ARP messages with the intent of intercepting network traffic. b. Manually configuring static ARP associations could facilitate ARP poisoning or MAC address spoofing. c. Multiple ARP replies result in the switch MAC address table containing entries that match the MAC addresses of hosts that are connected to the relevant switch port. d. Large numbers of ARP request broadcasts could cause the host MAC address table to overflow and prevent the host from communicating on the network. e. On large networks with low bandwidth, multiple ARP broadcasts could cause data communication delays.
a, e
What are two properties of a cryptographic hash function? (Choose two.) a. The hash function is one way and irreversible. b. The input for a particular hash algorithm has to have a fixed size. c. Hash functions can be duplicated for authentication purposes. d. Complex inputs will produce complex hashes. e. The output is a fixed length.
a, e
What are two ways threat actors use NTP? (Choose two) a. threat actors use NTP systems to direct DDoS attacks b. they place iFrames on a frequently used corporate web page c. they encode stolen data as the subdomain portion where the nameserver is under control of an attacker d. they place an attachment inside an email message e. they attack the NTP infrastructure in order to corrupt the information used to log the attack
a, e
A client application needs to terminate a TCP communication session with a server. What is step 1? a. client sends ACK b. client sends FIN c. client sends SYN d. server sends ACK e. server sends FIN f. server sends SYN
b
A client is using SLAAC to obtain an IPv6 address for the interface. After an address has been generated and applied to the interface, what must the client do before it can begin to use this IPv6 address? a. It must wait for an ICMPv6 Router Advertisement message giving permission to use this address. b. It must send an ICMPv6 Neighbor Solicitation message to ensure that the address is not already in use on the network. c. It must send an ICMPv6 Router Solicitation message to request the address of the DNS server. d. It must send an ICMPv6 Router Solicitation message to determine what default gateway it should use.
b
A user is executing a tracert to a remote device. At what point would a router, which is in the path to the destination device, stop forwarding the packet? a. when the RTT value reaches zero b. when the value in the TTL field reaches zero c. when the router receives an ICMP Time Exceeded message d. when the host responds with an ICMP Echo Reply message e. when the values of both the Echo Request and Echo Reply messages reach zero
b
A user opens three browsers on the same PC to access www.cisco.com to search for certification course information. The Cisco web server sends a datagram as a reply to the request from one of the web browsers. Which information is used by the TCP/IP protocol stack in the PC to identify which of the three web browsers should receive the reply? a. the source IP address b. the destination port number c. the source port number d. the destination IP address
b
After host A receives a web page from server B, host A terminates the connection with server B. What is Step 3? a. Host A sends an ACK to server B b. Server B sends a FIN to host A c. Host A sends a FIN to server B d. Server B sends an ACK to host A
b
An administrator discovers that a user is accessing a newly established website that may be detrimental to company security. What action should the administrator take first in terms of the security policy? a. Ask the user to stop immediately and inform the user that this constitutes grounds for dismissal. b. Revise the AUP immediately and get all users to sign the updated AUP. c. Create a firewall rule blocking the respective website. d. Immediately suspend the network privileges of the user.
b
An administrator wants to create four subnetworks from the network address 192.168.1.0/24. What is the network address and subnet mask of the second useable subnet? a. subnetwork 192.168.1.32subnet mask 255.255.255.240 b. subnetwork 192.168.1.64subnet mask 255.255.255.192 c. subnetwork 192.168.1.128subnet mask 255.255.255.192 d. subnetwork 192.168.1.8subnet mask 255.255.255.224 e. subnetwork 192.168.1.64subnet mask 255.255.255.240
b
How can statistical data be used to describe or predict network behavior? a. by displaying alert messages that are generated by Snort b. by comparing normal network behavior to current network behavior c. by recording conversations between network endpoints d. by listing results of user web surfer activities
b
In network security assessments, which type of test is used to evaluate the risk posed by vulnerabilities to a specific organization including assessment of the likelihood of attacks and the impact of successful exploits on the organization? a. vulnerability assessment b. risk analysis c. port scanning d. penetration testing
b
What SIEM function speeds detection of and reaction to security threats by examining logs and events from different systems? a. forensic analysis b. correlation c. aggregation d. reporting
b
What characterizes a threat actor? a. they are all highly-skilled individuals b. they always try to cause some harm to an individual or organization c. they always use advanced tools to launch attacks d. they all belong to organized crime
b
What information is required for a WHOIS query? a. outside global address of the client b. FQDN of the domain c. ICANN lookup server address d. link-local address of the domain owner
b
What is a network tap? a. a Cisco technology that provides statistics on packets flowing through a router or multilayer switch b. a passive device that forwards all traffic and physical layer errors to an analysis device c. a technology used to provide real-time reporting and long-term analysis of security events d. a feature supported on Cisco switches that enables the switch to copy frames and forward them to an analysis device
b
What is a property of the ARP table on a device? a. Every operating system uses the same timer to remove old entries from the ARP cache. b. Entries in an ARP table are time-stamped and are purged after the timeout expires. c. Static IP-to-MAC address entries are removed dynamically from the ARP table. d. Windows operating systems store ARP cache entries for 3 minutes.
b
What is the primary objective of a threat intelligence platform (TIP)? a. to provide a specification for an application layer protocol that allows communication of CTI over HTTPS b. to provide a security operations platform that integrates and enhances diverse security tools and threat intelligence c. to aggregate data in one place and present it in a comprehensive and usable format d. to provide a standardized schema for specifying, capturing, characterizing, and communicating events and properties of network operations
b
What technique is used in social engineering attacks? a. man-in-the-middle b. phishing c. buffer overflow d. sending junk email
b
What type of attack targets an SQL database using the input field of a user? a. XML injection b. SQL injection c. buffer overflow d. cross-site scripting
b
Which Cisco sponsored certification is designed to provide the first step in acquiring the knowledge and skills to work with a SOC team? a. CCNA Data Center b. CCNA CyberOps Associate c. CCNA Cloud d. CCNA Security
b
Which Linux host-based firewall application uses a simple virtual machine in the Linux kernel where code is executed and network packets are inspected? a. iptables b. nftables c. TCP Wrappers
b
Which SOC metric is the time required to stop the incident from causing further damage to systems or data? a, MTTD b. MTTC c. MTTR
b
Which Windows 10 Registry key is where data about the preferences of the currently logged on user, including personalization settings, default devices, and programs etc.? a. HKEY_LOCAL_MACHINE b. HKEY_CURRENT_USER c. HKEY_CLASSES_ROOT d. HKEY_USERS e. HKEY_CURRENT_CONFIG
b
Which Windows 10 Task Manager allows programs that are running on system startup to be disabled? a. Performance b. Startup c. Service d. Details
b
Which alert classification is when malicious traffic is not identified as a threat? a. false positive b. false negative c. true positive d. true negative
b
Which attack is when the attacker sends multiple packets that consume server resources? a. domain generation b. resource utilization attack c. ARP cache poisoning d. amplification and reflection
b
Which attack surface has an attack exploit of these attacks are delivered through exploitation of vulnerabilities in web, cloud, or host-based software applications? a. Network Attack Surface b. Software Attack Surface c. Human Attack Surface
b
Which attack tool is a packet crafting tool used to probe and test the robustness of a firewall by using specially crafted, forged packets? a. Nmap b. Yersinia c. RainbowCrack
b
Which category of attacks occurs when threat actors have positioned themselves between a source and a destination and can actively monitor, capture, and control the communication transparently? a. sniffer attack b. MiTM c. DoS
b
Which common network technology or protocol uses UDP port 514 for logging event messages from network devices and endpoints? a. NTP b. Syslog c. ICMP d. DNS
b
Which core open source component of the Elastic-stack is responsible for accepting the data in its native format and making elements of the data consistent across all sources? a. Beats b. Elasticsearch c. Kibana d. Logstash
b
Which destination network routing table entry type is added when a protocol such as OSPF or EIGRP discovers a route? a. directly connected interface b. dynamic route c. local route interface d. static route
b
Which monitoring tool captures packets and saves them in a PCAP file? a. NetFlow b. Wireshark c. SNMP d. SIEM
b
Which network monitoring data type includes device-specific server and host logs? a. statistical data b. transaction data c. session data d. alert data
b
Which network service provides statistics on IP packets flowing through network devices? a. SNMP b. NetFlow c. syslog d. NTP
b
Which network-based antimalware solution provides filtering of SPAM and potentially malicious emails before they reach the endpoint? a. web security appliance b. email security appliance c. network admission control d. advanced malware protection
b
Which security organization maintains a list of common vulnerabilities and exposures (CVE)? a. SANS b. MITRE c. FIRST
b
Which server profile element is the TCP and UDP daemons and ports that are allowed to be open on the server? a. user accounts b. listening ports c. service accounts d. software environment
b
Why would a network administrator choose Linux as an operating system in the Security Operations Center (SOC)? a. It is easier to use than other server operating systems. b. The administrator has control over specific security functions, but not standard applications. c. More network applications are created for this environment. d. It can be acquired at no charge.
b
An IT enterprise is recommending the use of PKI applications to securely exchange information between the employees. In which two cases might an organization use PKI applications to securely exchange information between users? (Choose two) a. HTTPS web service b. file and directory access permission c. 802.1x authentication d. FTP transfers e. local NTP server
b, c
Which two techniques are used in a smurf attack? (Choose two) a. session hijacking b. reflection c. amplification d. botnets e. resource exhaustion
b, c
What are three characteristics of an information security management system? (Choose three.) a. It involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise. b. It consists of a management framework through which an organization identifies, analyzes, and addresses information security risks. c. It consists of a set of practices that are systematically applied to ensure continuous improvement in information security. d. It is a systematic and multilayered approach to cybersecurity. e. It addresses the inventory and control of hardware and software configurations of systems. f. It is based on the application of servers and security devices.
b, c, d
An administrator is trying to develop a BYOD security policy for employees that are bringing a wide range of devices to connect to the company network. Which three objectives must the BYOD security policy address? (choose three) a. all devices must have open authentication with the corporate network b. the level of access of employees when connecting to the corporate network must be defined c. rights and activities permitted on the corporate network must be defined d. all devices should be allowed to attach to the corporate network flawlessly e. safeguards must be put in place for any personal device being compromised f. all devices must be insured against liability if used to compromise the corporate network
b, c, e
What are three goals of a port scan attack? (Choose three) a. to discover system passwords b. to identify operating systems c. to identify active services d. to identify peripheral configurations e. to disable used ports and services
b, c, e
What are two characteristics of the SLAAC method for IPv6 address configuration? (Choose two) a. clients send router advertisement messages to routers to request IPv6 addressing b. IPv6 addressing is dynamically assigned to clients through the use of ICMPv6 c. this stateful method of acquiring an IPv6 address requires at least one DHCPv6 server d. the default gateway of an IPv6 client on a LAN will be the link-local address of the router interface e. router solicitation messages are sent by the router to offer IPv6 addressing to clients
b, d
What are two ways that ICMP can be a security threat to a company? (Choose two.) a. by corrupting network IP data packets b. by providing a conduit for DoS attacks c. by the infiltration of web pages d. by collecting information about a network e. by corrupting data between email servers and email recipients
b, d
Which two ICMPv6 messages are used during the Ethernet MAC address resolution process? (Choose two.) a. router solicitation b. neighbor advertisement c. router advertisement d. neighbor solicitation e. echo request
b, d
Which two statements describe the characteristics of symmetric algorithms? (Choose two.) a. They provide confidentiality, integrity, and availability. b. They are commonly used with VPN traffic. c. They use a pair of a public key and a private key. d. They are referred to as a pre-shared key or secret key. e. They are commonly implemented in the SSL and SSH protocols
b, d
Which two network protocols can be used by a threat actor to exfiltrate data in traffic that is disguised as normal network traffic? (Choose two) a. syslog b. DNS c. SMTP d. NTP e. HTTP
b, e
What are the three core functions provided by the Security Onion? a. business continuity planning b. alert analysis c. security device management d. threat containment e. intrusion detection f. full packet capture
b, e, f
Which attack is when an attacker sends falsified information to redirect users to malicious sites? a. domain generation b. resource utilization attack c. ARP cache poisoning d. amplification and reflection
c
Which attack surface has an attack exploit of these attacks include social engineering, malicious behavior by trusted insiders, and user error? a. Network Attack Surface b. Software Attack Surface c. Human Attack Surface
c
A client device has initiated a secure HTTP request to a web browser. Which well-known port address number is associated with the destination address? a. 110 b. 80 c. 443 d. 404
c
A computer is presenting a user with a screen requesting payment before the user data is allowed to be accessed by the same user. What type of malware is this? a. a type of virus b. a type of worm c. a type of ransomware d. a type of logic bomb
c
A technician is troubleshooting a network connectivity problem. Pings to the local wireless router are successful but pings to a server on the Internet are unsuccessful. Which CLI command could assist the technician to find the location of the networking problem? a. ipconfig b. ipconfig/renew c. tracert d. msconfig
c
According to NIST, which step in the digital forensics process involves preparing and presenting information that resulted from scrutinizing data? a. examination b. collection c. reporting d. analysis
c
After host A receives a web page from server B, host A terminates the connection with server B. What is Step 1? a. Host A sends an ACK to server B b. Server B sends a FIN to host A c. Host A sends a FIN to server B d. Server B sends an ACK to host A
c
In addressing an identified risk, which strategy aims to shift some of the risk to other parties? a. risk reduction b. risk avoidance c. risk sharing d. risk retention
c
The IT security personnel of an organization notice that the web server deployed in the DMZ is frequently targeted by threat actors. The decision is made to implement a patch management system to manage the server. Which risk management strategy method is being used to respond to the identified risk? a. risk sharing b. risk retention c. risk reduction d. risk avoidance
c
What SIEM function reduces the volume of event data by consolidating duplicate event records? a. forensic analysis b. correlation c. aggregation d. reporting
c
What best describes the security threat of spoofing? a. sending bulk email to individuals, lists, or domains with the intention to prevent users from accessing email b. intercepting traffic between two hosts or inserting false information into traffic between two hosts c. making data appear to come from a source that is not the actual source d. sending abnormally large amounts of data to a remote server to prevent user access to the server services
c
What is a characteristic of CybOX? a. It is the specification for an application layer protocol that allows the communication of CTI over HTTPS. b. It enables the real-time exchange of cyberthreat indicators between the U.S. Federal Government and the private sector. c. It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations. d. It is a set of specifications for exchanging cyberthreat information between organizations.
c
What is privilege escalation? a. Everyone is given full rights by default to everything and rights are taken away only when someone abuses privileges. b. A security problem occurs when high ranking corporate officials demand rights to systems or files that they should not have. c. Vulnerabilities in systems are exploited to grant higher levels of privilege than someone or some process should have. d. Someone is given rights because she or he has received a promotion
c
When establishing a network profile for an organization, which element describes the time between the establishment of a data flow and its termination? a. routing protocol convergence b. total throughput c. session duration d. bandwidth of the internet connection
c
Which Linux host-based firewall application is a rule-based access control and logging system for Linux Packet filtering based on IP addresses and network services? a. iptables b. nftables c. TCP Wrappers
c
Which SOC metric is the average time that it takes to stop and remediate a security incident? a. MTTD b. MTTC c. MTTR
c
Which Windows 10 Registry key is where settings about the file system, file associations, shortcuts used when you ask Windows to run a file, or view a directory? a. HKEY_LOCAL_MACHINE b. HKEY_CURRENT_USER c. HKEY_CLASSES_ROOT d. HKEY_USERS e. HKEY_CURRENT_CONFIG
c
Which Windows 10 Task Manager allows for a start, stop or restart of a particular service? a. Performance b. Startup c. Service d. Details
c
Which alert classification is when malicious traffic is correctly identified as a threat? a. false positive b. false negative c. true positive d. true negative
c
Which attack tool is used for password cracking by either removing the original password, after bypassing the data encryption, or by outright discovery of the password? a. Nmap b. Yersinia c. RainbowCrack
c
Which category of attacks can crash applications or network services. It can also flood a computer or the entire network with traffic until a shutdown occurs because of the overload? a. sniffer attack b. MiTM c. DoS
c
Which common network technology or protocol is used by attackers to identify hosts on a network and the structure of the network? a. NTP b. Syslog c. ICMP d. DNS
c
Which destination network routing table entry type is found only in routers running IOS 15+ or IPv6 routing? a. directly connected interface b. dynamic route c. local route interface d. static route
c
Which device supports the use of SPAN to enable monitoring of malicious activity? a. Cisco IronPort b. Cisco Security Agent c. Cisco Catalyst switch d. Cisco NAC
c
Which method can be used to harden a device? a. allow USB auto-detection b. maintain use of the same passwords c. use SSH and disable the root account access over SSH d. allow default services to remain enabled
c
Which monitoring tool retrieves information on the operation of network devices? a. NetFlow b. Wireshark c. SNMP d. SIEM
c
Which network monitoring data type contains details of network flows including the 5-tuples, the amount of data transmitted, and the duration of data transmission? a. statistical data b. transaction data c. session data d. alert data
c
Which network service notifies the administrator with detailed system messages? a. SNMP b. NetFlow c. syslog d. NTP
c
Which network-based antimalware solution permits only authorized and compliant systems to connect to the network? a. web security appliance b. email security appliance c. network admission control d. advanced malware protection
c
Which security organization brings together a variety of computer security incident response teams from government, commercial, and educational organizations to foster cooperation and coordination in information sharing, incident prevention, and rapid reaction? a. SANS b. MITRE c. FIRST
c
Which server profile element is the definitions of the type of service that an application is allowed to run on a given host? a. user accounts b. listening ports c. service accounts d. software environment
c
Which statement defines the difference between session data and transaction data in logs? a. Session data is used to make predictions on network behaviors, whereas transaction data is used to detect network anomalies. b. Session data shows the result of a network session, whereas transaction data is in response to network threat traffic. c. Session data records a conversation between hosts, whereas transaction data focuses on the result of network sessions. d. Session data analyzes network traffic and predicts network behavior, whereas transaction data records network sessions.
c
Which term is used to describe the process of identifying the NSM-related data to be gathered? a. data archiving b. data normalization c. data reduction d. data retention
c
Which tool included in the Security Onion is a series of software plug-ins that send different types of data to the Elasticsearch data stores? a. OSSEC b. Curator c. Beats d. ElastAlert
c
Which type of data would be considered an example of volatile data? a. web browser cache b. log files c. memory registers d. temp files
c
Which type of evidence cannot prove an IT security fact on its own? a. best b. corroborative c. indirect d. hearsay
c
Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.) a. SIP support b. 802.1X support c. password encryption d. utilization of transport layer protocols e. separate authentication and authorization processes
c, d
Which two net commands are associated with network resource sharing? (Choose two.) a. net start b. net accounts c. net share d. net stop e. net use
c, e
Which two options are window managers for Linux? (Choose two.) a. File Explorer b. Kali c. Gnome d. PenTesting e. KDE
c, e
Which two statements are characteristics of a virus? (Choose two.) a. A virus provides the attacker with sensitive data, such as passwords. b. A virus has an enabling vulnerability, a propagation mechanism, and a payload. c. A virus typically requires end-user activation. d. A virus replicates itself by independently exploiting vulnerabilities in networks. e. A virus can be dormant and then activate at a specific time or date.
c, e
A client application needs to terminate a TCP communication session with a server. What is step 2? a. client sends ACK b. client sends FIN c. client sends SYN d. server sends ACK e. server sends FIN f. server sends SYN
d
A company has a file server that shares a folder named Public. The network security policy specifies that the Public folder is assigned Read-Only rights to anyone who can log into the server while the Edit rights are assigned only to the network admin group. Which component is addresses in the AAA network service framework? a. authentication b. accounting c. automation d. authorization
d
A network administrator is reviewing server alerts because of reports of network slowness. The administrator confirms that an alert was an actual security incident. What is the security alert classification of this type of scenario? a. true negative b. false negative c. false positive d. true positive
d
A newly created company has fifteen Windows 10 computers that need to be installed before the company can open for business. What is a best practice that the technician should implement when configuring the Windows Firewall? a. The technician should create instructions for corporate users on how to allow an app through the WIndows Firewall using the Administrator account. b. The technician should remove all default firewall rules and selectively deny traffic from reaching the company network. c. The technician should enable the Windows Firewall for inbound traffic and install other firewall software for outbound traffic control. d. After implementing third party security software for the company, the technician should verify that the Windows Firewall is disabled.
d
A technician needs to verify file permissions on a specific Linux file. Which command would the technician use? a. sudo b. cd c. vi d. ls -l
d
After host A receives a web page from server B, host A terminates the connection with server B. What is Step 2? a. Host A sends an ACK to server B b. Server B sends a FIN to host A c. Host A sends a FIN to server B d. Server B sends an ACK to host A
d
In NAT terms, what address type refers to the globally routable IPv4 address of a destination host on the Internet? a. inside local b. outside local c. inside global d. outside global
d
In the NIST incident response process life cycle, which type of attack vector involves the use of brute force against devices, networks, or services? a. loss or theft b. media c. impersonation d. attrition
d
Refer to the exhibit. A cybersecurity analyst is using Sguil to verify security alerts. How is the current view sorted? a. by sensor number b. by source IP c. by date/time d. by frequency
d
Refer to the exhibit. A cybersecurity analyst is viewing packets forwarded by switch S2. What addresses will identify frames containing data sent from PCA to PCB? a. Src IP: 192.168.1.212Src MAC: 00-60-0F-B1-33-33Dst IP: 192.168.2.101Dst MAC: 08-CB-8A-5C-BB-BB b. Src IP: 192.168.1.212Src MAC: 01-90-C0-E4-AA-AADst IP: 192.168.2.101Dst MAC: 08-CB-8A-5C-BB-BB c. Src IP: 192.168.2.1Src MAC: 00-60-0F-B1-33-33Dst IP: 192.168.2.101Dst MAC: 08-CB-8A-5C-BB-BB d. Src IP: 192.168.1.212Src MAC: 00-60-0F-B1-33-33Dst IP: 192.168.2.101Dst MAC: 00-D0-D3-BE-00-00
d
Refer to the exhibit. If Host1 were to transfer a file to the server, what layers of the TCP/IP model would be used? a. only application and Internet layers b. only application, transport, network, data link, and physical layers c. application, session, transport, network, data link, and physical layers d. application, transport, internet, and network access layers e. only Internet and network access layers f. only application, Internet, and network access layers
d
Refer to the exhibit. The switches have a default configuration. Host A needs to communicate with host D, but host A does not have the MAC address for the default gateway. Which network devices will receive the ARP request sent by host A? a. only hosts B and C b. only router R1 c. only hosts A, B, and C d. only hosts B, C, and router R1 e. only host D f. only hosts A, B, C, and D
d
What SIEM function presents data in real-time monitoring and long-time summaries? a. forensic analysis b. correlation c. aggregation d. reporting
d
What is a disadvantage of DDNS? a. DDNS is considered malignant and must be monitored by security software. b. DDNS is unable to co-exist on a network subdomain that also uses DNS. c. Using DDNS, a change in an existing IP address mapping can take over 24 hours and could result in a disruption of connectivity. d. Using free DDNS services, threat actors can quickly and easily generate subdomains and change DNS records.
d
What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease? a. CAM table attack b. DHCP spoofing c. IP address spoofing d. DHCP starvation
d
What part of the URL, http://www.cisco.com/index.html, represents the top-level DNS domain? a. index b. www c. http d. .com
d
What subnet mask is represented by the slash notation /20? a. 255.255.255.248 b. 255.255.224.0 c. 255.255.255.192 d. 255.255.240.0 e. 255.255.255.0
d
What term describes a set of software tools designed to increase the privileges of a user or to grant access to the user to portions of the operating system that should not normally be allowed? a. compiler b. penetration testing c. package manager d. rootkit
d
When a user visits an online store website that uses HTTPS, the user browser queries the CA for a CRL. What is the purpose of this query? a. to check the length of key used for the digital certificate b. to negotiate the best encryption to use c. to request the CA self-signed digital certificate d. to verify the validity of the digital certificate
d
Which ICMPv6 message type provides network addressing information to hosts that use SLAAC? a. neighbor solicitation b. neighbor advertisement c. router solicitation d. router advertisement
d
Which Windows 10 Registry key is where all of the configuration settings for the hardware and software configured on the computer for all users? a. HKEY_LOCAL_MACHINE b. HKEY_CURRENT_USER c. HKEY_CLASSES_ROOT d. HKEY_USERS e. HKEY_CURRENT_CONFIG
d
Which Windows 10 Task Manager allows for a process to have its affinity set? a. Performance b. Startup c. Services d. Details
d
Which Windows Event Viewer log include events regarding the operation of drivers, processes, and hardware? a. application logs b. security logs c. setup logs d. system logs
d
Which alert classification is when normal traffic is not identified as a threat? a. false positive b. false negative c. true positive d. true negative
d
Which approach can help block potential malware delivery methods, as described in the Cyber Kill Chain model, on an Internet-faced web server? a. Audit the web server to forensically determine the origin of exploit. b. Collect malware files and metadata for future analysis. c. Build detections for the behavior of known malware. d. Analyze the infrastructure storage path used for files
d
Which attack is when the attacker uses open resolvers to increase the volume of attacks and mask the true source of the attack? a. domain generation b. resource utilization attack c. ARP cache poisoning d. amplification and reflection
d
Which common network technology or protocol is used by attackers to exfiltrate data in traffic disguised as normal client queries? a. NTP b. Syslog c. ICMP d. DNS
d
Which destination network routing table entry type is manually configured by a network administrator? a. directly connected interface b. dynamic route c. local route interface d. static route
d
Which device in a layered defense-in-depth approach denies connections initiated from untrusted networks to internal networks, but allows internal users within an organization to connect to untrusted networks? a. internal router b. IPS c. access layer switch d. firewall
d
Which host-based firewall uses a three-profile approach to configure the firewall functionality? a. TCP Wrapper b. nftables c. iptables d. Windows Firewall
d
Which monitoring tool presents real-time reporting and long-term analysis of security events? a. NetFlow b. Wireshark c. SNMP d. SIEM
d
Which network monitoring data type is generated by IPS or IDS devices when suspicious traffic is detected? a. statistical data b. transaction data c. session data d. alert data
d
Which network service synchronizes the time across all devices on the network? a. SNMP b. NetFlow c. syslog d. NTP
d
Which network-based antimalware solution provides endpoint protection from viruses and malware? a. web security appliance b. email security appliance c. network admission control d. advanced malware protection
d
Which server profile element is the tasks, processes, and applications that are permitted to run on the server? a. user accounts b. listening ports c. service accounts d. software environment
d
Which statement is correct about network protocols? a. They are only required for exchange of messages between devices on remote networks. b. Network protocols define the type of hardware that is used and how it is mounted in racks. c. They all function in the network access layer of TCP/IP. d. They define how messages are exchanged between the source and the destination.
d
What are two drawbacks to using HIPS? (Choose two.) a. With HIPS, the success or failure of an attack cannot be readily determined. b. If the network traffic stream is encrypted, HIPS is unable to access unencrypted forms of the traffic. c. HIPS installations are vulnerable to fragmentation attacks or variable TTL attacks. d. HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network. e. With HIPS, the network administrator must verify support for all the different operating systems used in the network.
d, e
What are two evasion techniques that are used by hackers? (Choose two.) a. phishing b. Trojan horse c. reconnaissance d. rootkit e. pivot
d, e
Which two data types would be classified as personally identifiable information (PII)? (Choose two.) a. house thermostat reading b. hospital emergency use per region c. average number of cattle per region d. vehicle identification number e. Facebook photographs
d, e
Which two statements describe the use of asymmetric algorithms? (Choose two) a. if a private key is used to encrypt the data, a private key must be used to decrypt the data b. if a public key is used to encrypt the data, a public key must be used to decrypt the data c. public and private keys may be used interchangeably d. if a private key is used to encrypt the data, a public key must be used to decrypt the data e. if a public key is used to encrypt the data, a private key must be used to decrypt the data
d, e
A cybersecurity analyst needs to collect alert data. What are three detection tools to perform this task in the Security Onion architecture? (Choose three.) a. Wazuh b. CapME c. Zeek d. Kibana e. Sguil f. Wireshark
d, e, f
A client application needs to terminate a TCP communication session with a server. What is step 3? a. client sends ACK b. client sends FIN c. client sends SYN d. server sends ACK e. server sends FIN f. server sends SYN
e
A device has been assigned the IPv6 address of 2001:0db8:cafe:4500:1000:00d8:0058:00ab/64. Which is the network identifier of the device? a. 1000:00db8:0058:00ab b. 2001 c. 2001:0db8:cafe:4500:1000:00d8:0058:00ab d. 2001:0db8:cafe:4500:1000 e. 2001:0db8:cafe:4500
e
Which Windows 10 Registry key is where information about the current hardware profile of the machine? a. HKEY_LOCAL_MACHINE b. HKEY_CURRENT_USER c. HKEY_CLASSES_ROOT d. HKEY_USERS e. HKEY_CURRENT_CONFIG
e