200-201 CBROPS Cisco CyberOps Associate
What is an example of a top-level domain?
.com Topic 10.2.0 CyberOps Associate v1.0 (Top-level domains represent a country or type of organization, such as .com or .edu.)
A router has received a packet destined for a network that is in the routing table. What steps does the router perform to send this packet on its way?
1. It encapsulates the Layer 3 packet into a new Layer 2 frame and forwards the frame out the exit interface. 2. It de-encapsulates the Layer 2 frame header and trailer to expose the Layer 3 packet. 3. It examines the destination IP address to find the best path in the routing table. Topic 11.1 CyberOps Associate v1.0
An analyst is investigating an incident in a SOC environment. Which method is used to identify a session from a group of logs?
5-tuple
How is a DHCPDISCOVER transmitted on a network to reach a DHCPserver?
A DHCPDISCOVER message is sent with the broadcast IP address as the destination address. Topic 10.1 CyberOps Associate v1.0 (The DHCPDISCOVER message is sent by a DHCPv4 client and targets a broadcast IP along with the destination port67. The DHCPv4 server or servers respond to the DHCPv4 clients by targeting port 68.)
Which attack method intercepts traffic on a switched network?
ARP cache poisoning
What statement describes the function of the ARP (Address Resolution Protocol)?
ARP is used to discover the MAC address of any host on the local network. Topic 8.2.0 CyberOps Associate v1.0 (When a PC wants to send data on the network, it always knows the IP address of the destination. However, is also needs to discover the MAC address of the destination. ARP is the protocol that is used to discover the MAC address of a host that belongs to the same network.)
What is a characteristic of ARP messages?
ARP replies are unicast. Topic 8.2.0 CyberOps Associate v1.0 (Because ARP requests are broadcasts, they are flooded out all ports by the switch except the receiving port. Only the device that originally sent the ARP request will receive the unicast ARP reply. ARP messages have a type field of 0x806. ARP messages are encapsulated directly within an Ethernet frame. There is no IPv4 header.
Which two actions can be taken when configuring Windows Firewall?
Allow a different software firewall to control access and Manually open ports that are required for specific applications. Topic 3.4 CyberOps Associate v1.0 (When a different software firewall is installed, Windows Firewall must be disabled through the Windows Firewall controlpanel. When Windows Firewall is enabled, specific ports can be enabled that are needed by specific applications.)
Which statement best describes the operation of the File Transfer Protocol?
An FTP server uses a source port number of 21 and a randomly generated destination port number during the establishment of control traffic with an FTP client. Topic 10.4.0 CyberOps Associate v1.0 (When using the File Transfer Protocol, an FTP client uses a randomly generated source port number, but targets a destination port number of 20 or 21 on the FTP server. The destination port numbers depend on whether it is the first connection for control traffic on port 21 or the second connection for data traffic on port 20.)
What are two shared characteristics of the IDS and the IPS?
Both are deployed as sensors and Both use signatures to detect malicious traffic. Topic 12.2 CyberOps Associate v1.0 (Both the IDS and the IPS are deployed as sensors and use signatures to detect malicious traffic. The IDS analyzes copies of network traffic, which results in minimal impact on network performance. The IDS also relies on an IPS to stop malicious traffic.)
Which statement describes the state of the administrator and guestaccounts after a user installs Windows desktop version to a newcomputer?
By default, both the administrator and guest accounts are disabled. Topic 3.3 CyberOps Associate v1.0 (When a user installs Windows desktop version, two local user accounts are created automatically during the process,administrator and guest. Both accounts are disabled by default.)
A web client is receiving a response for a web page from a web server. From the perspective of the client, what is the correct order of the protocol stack that is used to decode the received transmission?
Ethernet, IP, TCP, HTTP Topic 5.3.0 CyberOps Associate v1.0 1. HTTP governs the way that a web server and client interact. 2. TCP manages individual conversations between web servers and clients. 3. IP is responsible for delivery across the best path to the destination. 4. Ethernet takes the packet from IP and formats it for transmission.
An attacker is redirecting traffic to a false default gateway in an attemptto intercept the data traffic of a switched network. What type of attackcould achieve this?
DHCP spoofing Topic 17.1 CyberOps Associate v1.0 (In DHCP spoofing attacks, a threat actor configures a fake DHCP server on the network to issue DHCP addresses toclients with the aim of forcing the clients to use a false or invalid default gateway. A man-in-the-middle attack can becreated by setting the default gateway address to the IP address of the threat actor.)
What is a characteristic of DNS?
DNS servers can cache recent queries to reduce DNS query traffic. Topic 10.2 CyberOps Associate v1.0 (DNS uses a hierarchy for decentralized servers to perform name resolution. DNS servers only maintain records fortheir zone and can cache recent queries so that future queries do not produce excessive DNS traffic.)
What is the difference between deep packet inspection and stateful inspection?
Deep packet inspection allows visibility on Layer 7 and stateful inspection allows visibility on Layer 4
Which application layer protocol uses message types such as GET, PUT, and POST?
HTTP Topic 10.6.0 CyberOps Associate v1.0 The GET command is a client request for data from a web server. A PUT command uploads resources and content, such as images, to a web server. A POST command uploads data files to a web server.
What are two differences between HTTP and HTTP/2?
HTTP/2 uses multiplexing to support multiple streams and enhance efficiency and HTTP/2 uses a compressed header to reduce bandwidth requirements. Topic 10.6 CyberOps Associate v1.0 (The purpose of HTTP/2 is to improve HTTP performance by addressing the latency issues of HTTP. This isaccomplished using features such as multiplexing, server push, binary code, and header compression.)
What kind of ICMP message can be used by threat actors to performnetwork reconnaissance and scanning attacks?
ICMP unreachable Topic 16.2 CyberOps Associate v1.0 (Common ICMP messages of interest to threat actors include the these: ICMP echo request and echo reply: used to perform host verification and DoS attacks ICMP unreachable: used to perform network reconnaissance and scanning attacks ICMP mask reply: used to map an internal IP network ICMP redirects: used to lure a target host into sending all traffic through a compromised device and create a man-in-the-middle attack ICMP router discovery: used to inject bogus route entries into the routing table of a target host)
Which protocol supports Stateless Address Autoconfiguration (SLAAC) for dynamic assignment of IPv6 addresses to a host?
ICMPv6 Topic 7.1.0 CyberOps Associate v1.0 (SLAAC uses ICMPv6 messages when dynamically assigning an IPv6 address to a host. DHCPv6 is an alternate method of assigning an IPv6 addresses to a host. ARPv6 does not exist. Neighbor Discovery Protocol (NDP) provides the functionality of ARP for IPv6 networks. UDP is the transport layer protocol used by DHCPv6.)
In an attempt to prevent network attacks, cyber analysts share uniqueidentifiable attributes of known attacks with colleagues. What threetypes of attributes or indicators of compromise are helpful to share?
IP addresses of attack servers, features of malware files and changes made to end system software Topic 13.1 CyberOps Associate v1.0 (Many network attacks can be prevented by sharing information about indicators of compromise (IOC). Each attack hasunique identifiable attributes. Indicators of compromise are the evidence that an attack has occurred. IOCs can beidentifying features of malware files, IP addresses of servers that are used in the attack, filenames, and characteristicchanges made to end system software.)
What is indicated by a successful ping to the ::1 IPv6 address?
IP is properly installed on the host. Topic 7.2.0 CyberOps Associate v1.0 (The IPv6 address ::1 is the loopback address. A successful ping to this address means that the TCP/IP stack is correctly installed. It does not mean that any addresses are correctly configured.)
What addresses are mapped by ARP?
IPv4 address to a destination MAC address Topic 8.2 CyberOps Associate v1.0 (ARP, or the Address Resolution Protocol, works by mapping the IPv4 address to a destination MAC address. The host knows the destination IPv4 address and uses ARP to resolve the corresponding destination MAC address.)
Which statement describes the anomaly-based intrusion detection approach?
It compares the behavior of a host to an established baseline to identify potential intrusions. Topic 22.2 CyberOps Associate v1.0 With an anomaly-based intrusion detection approach, a baseline of host behaviors is established first. The hostbehavior is checked against the baseline to detect significant deviations, which might indicate potential intrusions.
Which two functions or operations are performed by the MAC sublayer?
It is responsible for Media Access Control and It adds a header and trailer to form an OSI Layer 2 PDU. Topic 6.1 CyberOps Associate v1.0 (The MAC sublayer is the lower of the two data link sublayers and is closest to the physical layer. The two primary functions of the MAC sublayer are to encapsulate the data from the upper layer protocols and to control access to the media.)
What does it mean to ping ::1?
It means that if there is a successful ping to the address (IPv6) that the TCP/IP stack is correctly installed. It does not mean that any addresses are correctly configured.
What is a benefit of agent-based protection when compared to agentless protection?
It provides a centralized platform
What is the function of a command and control server?
It sends instruction to a compromised system
A host is trying to send a packet to a device on remote LAN segment, but there are currently no mapping in the ARP cache. How will the device obtain a destination MAC address?
It will send an ARP request for the MAC address of the default gateway. Topic 8.2.0 CyberOps Associate v1.0 (When sending a packet to remote destination, a host will need to send the packet to a gateway on the local subnet. Because the gateway will be the Layer 2 destination for MAC address must the address of the gateway. If the host does not already have this address in the ARP cache, it must send an ARP request for the address of the gateway.)
Which three pieces of information are found in session data?
Layer 4 transport protocol, source and destination port numbers and source and destination IP addresses. Topic 25.1 CyberOps Associate v1.0 (Session data includes identifying information such as source and destination IP addresses, source and destination portnumbers, and the Layer 4 protocol in use. Session data does not include user name, source and destination MACaddresses, and a default gateway IP address.)
What is the difference between mandatory access control (MAC) and discretionary access control (DAC)?
MAC is the strictest of all levels of control and DAC is object-based access
How might corporate IT professionals deal with DNS-based cyberthreats?
Monitor DNS proxy server logs and look for unusual DNS queries. Topic 24.1 CyberOps Associate v1.0 DNS queries for randomly generated domain names or extremely long random-appearing DNS subdomains should be considered suspicious. Cyberanalysts could do the following for DNS-based attacks: Analyze DNS logs. Use a passive DNS service to block requests to suspected CnC and exploit domains
Which protocol enables mail to be downloaded from an email server to a client and then deletes the email from the server?
POP3 Topic 10.5.0 CyberOps Associate v1.0 (With POP, mail is downloaded from the server to the client and then deleted on the server, SMTP is used for sending or forwarding email, Unlike POP, when a user connects via IMAP, copies of the messages are downloaded to the client application and the original messages are kept on the server until manually deleted, HTTP is used for web traffic data and is considered insecure.)
Which two statements describe access attacks?
Password attacks can be implemented by the use of brute-force attack methods, Trojan horses, or packet sniffers and Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or to exploit systems to executemalicious code. Topic 14.2 CyberOps Associate v1.0 (An access attack tries to gain access to a resource using a hijacked account or other means. The five types of accessattacks include the following: password - a dictionary is used for repeated login attempts trust exploitation - uses granted privileges to access unauthorized material port redirection - uses a compromised internal host to pass traffic through a firewall man-in-the-middle - an unauthorized device positioned between two legitimate devices in order to redirect or capturetraffic buffer overflow - too much data sent to a memory location that already contains data)
Which three algorithms are designed to generate and verify digitalsignatures?
RSA, ECDSA and DSA Topic 21.3 CyberOps Associate v1.0 (There are three Digital Signature Standard (DSS) algorithms that are used for generating and verifying digital signatures: Digital Signature Algorithm (DSA) Rivest-Shamir Adelman Algorithm (RSA) Elliptic Curve Digital Signature Algorithm (ECDSA))
What are two ICMPv6 messages that are not present in ICMP for IPv4?
Router Advertisement and Neighbor Solicitation Topic 7.1 CyberOps Associate v1.0 (ICMPv6 includes four new message types: Router Advertisement, Neighbor Advertisement, Router Solicitation, andNeighbor Solicitation.)
What is a difference between SOAR and SIEM?
SOAR platforms are used for threat and vulnerability management, but SIEM applications are not
What are two monitoring tools that capture network traffic and forward itto network monitoring devices?
SPAN and network tap Topic 15.1 CyberOps Associate v1.0 (A network tap is used to capture traffic for monitoring the network. The tap is typically a passive splitting deviceimplemented inline on the network and forwards all traffic including physical layer errors to an analysis device. SPAN isa port mirroring technology supported on Cisco switches that enables the switch to copy frames and forward them toan analysis device.)
Which statement accurately describes a TCP/IP encapsulation process when a PC is sending data to the network?
Segments are sent from the transport layer to the internet layer. Topic 5.3.0 CyberOps Associate v1.0 (When the data is traveling from the PC to the network, the transport layer sends segments to the internet layer. The internet layer sends packets to the network access layer, which creates frames and then converts the frames to bits. The bits are released to the network media.)
What is the difference between statistical detection and rule-based detection models?
Statistical detection defines legitimate data of users over a period of time and rule-based detection defines it on an IF/THEN basis
A flood of packets with invalid source IP addresses requests aconnection on the network. The server busily tries to respond, resultingin valid requests being ignored. What type of attack has occurred?
TCP SYN flood Topic 16.3 CyberOps Associate v1.0 (The TCP SYN Flood attack exploits the TCP three-way handshake. The threat actor continually sends TCP SYNsession request packets with a randomly spoofed source IP address to an intended target. The target device replieswith a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet. Those responses neverarrive. Eventually the target host is overwhelmed with half-open TCP connections and denies TCP services.)
What are two problems that can be caused by a large number of ARPrequest and reply messages?
The ARP request is sent as a broadcast, and will flood the entire subnet and All ARP request messages must be processed by all nodes on the local network. Topic 8.3 CyberOps Associate v1.0 (ARP requests are sent as broadcasts: (1) All nodes will receive them, and they will be processed by software, interrupting the CPU. (2) The switch forwards (floods) Layer 2 broadcasts to all ports. A switch does not change its MAC table based on ARP request or reply messages. The switch populates the MACtable using the source MAC address of all frames. The ARP payload is very small and does not overload the switch.)
What is a benefit of using DDNS?
The DDNS provider detects a change to the client IP address and immediately updates the mapping change. Topic 10.2.0 CyberOps Associate v1.0 (Dynamic DNS (DDNS) allows a user or organization to register an IP address with a domain name as in DNS. However, when the IP address of the mapping changes, the new mapping can be propagated through the DNS almost instantaneously.)
Which statement is true about the TCP/IP and OSI models?
The TCP/IP transport layer and OSI Layer 4 provide similar services and functions. Topic 5.3.0 CyberOps Associate v1.0 (The TCP/IP internet layer provides the same function as the OSI network layer. The transport layer of both the TCP/IP and OSI models provides the same function. The TCP/IP application layer includes the same functions as OSI Layers 5, 6, and 7.)
If the default gateway is configured incorrectly on the host, what is theimpact on communications?
The host can communicate with other hosts on the local network, but is unable to communicate with hosts on remote networks. Topic 6.5 CyberOps Associate v1.0 (A default gateway is only required to communicate with devices on another network. The absence of a default gatewaydoes not affect connectivity between devices on the same local network.)
What are three benefits of using symbolic links over hard links in Linux?
They can link to a directory, They can show the location of the original file and They can link to a file in a different file system. Topic 4.5 CyberOps Associate v1.0 (In Linux, a hard link is another file that points to the same location as the original file. A soft link (also called a symboliclink or a symlink) is a link to another file system name. Hard links are limited to the file system in which they arecreated and they cannot link to a directory; soft links are not limited to the same file system and they can link to adirectory. To see the location of the original file for a symbolic link use the ls -l command.)
What happens if part of an FTP message is not delivered to the destination?
The part of the FTP message that was lost is re-sent. Topic 9.3.0 CyberOps Associate v1.0 (Because FTP uses TCP as its transport layer protocol, sequence and acknowledgment numbers will identify the missing segments, which will be re-sent to complete the message.)
What is a characteristic of a TCP server process?
There can be many ports open simultaneously on a server, one for each active server application. Topic 9.1.0 CyberOps Associate v1.0 (Each application process running on the server is configured to use a port number, either by default or manually, by a system administrator. An individual server cannot have two services assigned to the same port number within the same transport layer services. A host running a web server application and a file transfer application cannot have both configured to use the same server port. There can be many ports open simultaneously on a server, one for each active server application.)
What is the difference between a threat and a risk?
Threat represents a potential danger that could take advantage of a weakness, while the risk is the likelihood of a compromise or damage of an asset.
Which statement describes a typical security policy for a DMZ firewallconfiguration?
Traffic that originates from the DMZ interface is selectively permitted to the outside interface. Topic 12.1 CyberOps Associate v1.0 With a three interface firewall design that has internal, external, and DMZ connections, typical configurations include the following: Traffic originating from DMZ destined for the internal network is normally blocked. Traffic originating from the DMZ destined for external networks is typically permitted based on what services are being used in the DMZ. Traffic originating from the internal network destined from the DMZ is normally inspected and allowed to return. Traffic originating from external networks (the public network) is typically allowed in the DMZ only for specific services.
Data is being sent from a source PC to a destination server. Which three statements correctly describe the function of TCP or UDP in this situation?
UDP segments are encapsulated within IP packets for transport across the network, The source port field identifies the running application or service that will handle data returning to the PC and The UDP destination port number identifies the application or service on the server which will handle the data. Topic 9.2.0 CyberOps Associate v1.0 (Layer 4 port numbers identify the application or service which will handle the data. The source port number is added by the sending device and will be the destination port number when the requested information is returned. Layer 4 segments are encapsulated within IP packets. UDP, not TCP, is used when low overhead is needed. A source IP address, not a TCP source port number, identifies the sending host on the network. Destination port numbers are specific ports that a server application or service monitors for requests.)
When a connectionless protocol is in use at a lower layer of the OSI model, how is missing data detected and retransmitted if necessary?
Upper-layer connection-oriented protocols keep track of the data received and can request retransmission from the upper-level protocols on the sending host. Topic 6.2 CyberOps Associate v1.0 (When connectionless protocols are in use at a lower layer of the OSI model, upper-level protocols may need to work together on the sending and receiving hosts to account for and retransmit lost data. In some cases, this is not necessary, because for some applications a certain amount of data loss is tolerable.)
Which two services or protocols use the preferred UDP protocol for fast transmission and low overhead?
VoIP and DNS Topic 9.1.0 CyberOps Associate v1.0 (Both DNS and VoIP use UDP to provide low overhead services within a network implementation.)
What does it mean when the IPv6 packet header has expired?
With ICMPv6 using the hop limit field in an IPv6 packet header, it is used to determine if the packet has expired. If the hop limit field has reached zero, a router will send a time exceeded message back towards the source indicating that the router cannot forward the packet.
Which OSI model layer contains protocols for process-to-process communication?
application Topic 5.2.0 CyberOps Associate v1.0 (The application layer of the OSI model is responsible for communication between processes. Examples of protocols at the application layer are DHCP, DNS, and HTTP.)
How does a security information and event management system (SIEM)in a SOC help the personnel fight against security threats?
by combining data from multiple technologies Topic 2.1 CyberOps Associate v1.0 (A security information and event management system (SIEM) combines data from multiple sources to help SOCpersonnel collect and filter data, detect and classify threats, analyze and investigate threats, and manage resources toimplement preventive measures.)
One of the objectives of information security is to protect the CIA of information and systems. What does CIA mean in this context?
confidentiality, integrity, and availability
Example of: risk assessment
configuration review
Which process is used when IPS events are removed to improve data integrity?
data normalization
Which principle is being followed when an analyst gathers information relevant to a security incident to determine the appropriate course of action?
decision making
A user received a malicious attachment but did not run it. Which category classifies the intrusion?
delivery
What important information is examined in the Ethernet frame header by a Layer 2 device in order to forward the data onward?
destination MAC address Topic 8.1.0 CyberOps Associate v1.0 (The Layer 2 device, such as a switch, uses destination MAC address to determine which path (interface or port) should be used to send the data onward to the destination device.)
What are the two important components of a public key infrastructure (PKI) used in network security?
digital certificates and certificate authority Topic 21.4 CyberOps Associate v1.0 (A public key infrastructure uses digital certificates and certificate authorities to manage asymmetric key distribution.PKI certificates are public information. The PKI certificate authority (CA) is a trusted third-party that issues thecertificate. The CA has its own certificate (self-signed certificate) that contains the public key of the CA.)
What type of server would use IMAP?
email Topic 10.5.0 CyberOps Associate v1.0 (SMTP, IMAP, and POP are three application layer protocols for email applications.)
Which evasion technique is a function of ransomware?
encryption
How is attacking a vulnerability categorized?
exploitation
What are two elements that form the PRI value in a syslog message?
facility and severity Topic 25.2 CyberOps Associate v1.0 (The PRI in a syslog message consists of two elements, the facility and severity of the message.)
Which section of a security policy is used to specify that only authorizedindividuals should have access to enterprise data?
identification and authentication policy Topic 18.2 CyberOps Associate v1.0 (The identification and authentication policy section of the security policy typically specifies authorized persons that canhave access to network resources and identity verification procedures.)
What three services are offered by FireEye?
identifies and stops latent malware on files, identifies and stops email threat vectors and blocks attacks across the web Topic 20.2 CyberOps Associate v1.0 (FireEye is a security company that uses a three-pronged approach combining security intelligence, security expertise,and technology. FireEye offers SIEM and SOAR with the Helix Security Platform, which use behavioral analysis andadvanced threat detection.)
What is a purpose of a vulnerability management framework?
identifies, removes, and mitigates system vulnerabilities "Vulnerability management is the "cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating" software vulnerabilities.[1] Vulnerability management is integral to computer security and network security, and must not be confused with Vulnerability assessment" source: https://en.wikipedia.org/wiki/Vulnerability_management
In NAT translation for internal hosts, what address would be used by external users to reach internal hosts?
inside global Topic 10.3.0 CyberOps Associate v1.0 (From the perspective of a NAT device, inside global addresses are used by external users to reach internal hosts. Inside local addresses are the addresses assigned to internal hosts. Outside global addresses are the addresses of destinations on the external network. Outside local addresses are the actual private addresses of destination hosts behind other NAT devices.)
A particular website does not appear to be responding on a Windows 7 computer. What command could the technician use to show any cached DNS entries for this web page?
ipconfig /displaydns Topic 10.2.0 CyberOps Associate v1.0
Example of: vulnerability
lack of an access list
Example of: threat
leakage of confidential information
What is the practice of giving employees only those permissions necessary to perform their specific role within an organization?
least privilege
What are three responsibilities of the transport layer?
multiplexing multiple communication streams from many users or applications on the same network, identifying the applications and services on the client and server that should handle transmitted data and meeting the reliability requirements of applications, if any Topic 9.1 CyberOps Associate v1.0 (The transport layer has several responsibilities. Some of the primary responsibilities include the following: Tracking the individual communication streams between applications on the source and destination hosts Segmenting data at the source and reassembling the data at the destination Identifying the proper application for each communication stream through the use of port numbers Multiplexing the communications of multiple users or applications over a single network Managing the reliability requirements of applications)
Example of: exploit
network is compromised
Which event is user interaction?
opening a malicious file
What does an attacker use to determine which network ports are listening on a potential target device?
port scanning
Which security principle is violated by running all processes as root or administrator?
principle of least privilege
What is the practice of giving an employee access to only the resources needed to accomplish their job?
principle of least privilege https://www.ciscopress.com/articles/article.asp?p=2783637
What is rule-based detection when compared to statistical detection?
proof of a user's action
What are two services provided by the OSI network layer?
routing packets toward the destination and encapsulating PDUs from the transport layer Topic 6.2.0 CyberOps Associate v1.0 (The OSI network layer provides several services to allow communication between devices: addressing encapsulation routing de-encapsulation Error detection, placing frames on the media, and collision detection are all functions of the data ink layer.)
A network administrator is configuring an AAA server to manageTACACS+ authentication. What are two attributes of TACACS+authentication?
separate processes for authentication and authorization and encryption for all communication Topic 19.2 CyberOps Associate v1.0 (TACACS+ authentication includes the following attributes: Separates authentication and authorization processes Encrypts all communication, not just passwords Utilizes TCP port 49)
Which security principle requires more than one person is required to perform a critical task?
separation of duties
What is the virtual address space for a Windows process?
set of virtual memory addresses that can be used
What is the TCP mechanism used in congestion avoidance?
sliding window Topic 9.3 CyberOps Associate v1.0 (TCP uses windows to attempt to manage the rate of transmission to the maximum flow that the network anddestination device can support while minimizing loss and retransmissions. When overwhelmed with data, thedestination can send a request to reduce the of the window. This congestion avoidance is called sliding windows.)
Why would an attacker want to spoof a MAC address?
so that a switch on the LAN will start forwarding frames to the attacker instead of to the legitimate host Topic 8.3.0 CyberOps Associate v1.0 (MAC address spoofing is used to bypass security measures by allowing an attacker to impersonate a legitimate host device, usually for the purpose of collecting network traffic.)
What two kinds of personal information can be sold on the dark web bycybercriminals?
street address and Facebook photos Topic 1.3 CyberOps Associate v1.0 (Personally identifiable information (PII) is any information that can be used to positively identify an individual. Examples of PII include the following: Name Social security number Birthdate Credit card numbers Bank account numbers Facebook information Address information (street, email, phone numbers).)
A user sends an HTTP request to a web server on a remote network. During encapsulation for this request, what information is added to the address field of a frame to indicate the destination?
the MAC address of the default gateway Topic 8.1 CyberOps Associate v1.0 (A frame is encapsulated with source and destination MAC addresses. The source device will not know the MAC address of the remote host. An ARP request will be sent by the source and will be responded to by the router. The router will respond with the MAC address of its interface, the one which is connected to the same network as the source.)
A host needs to reach another host on a remote network, but the ARP cache has no mapping entries. To what destination address will the host send an ARP request?
the broadcast MAC address Topic 8.2.0 CyberOps Associate v1.0 (ARP requests are sent when a host does not have an IP to MAC mapping for a destination in the ARP cache. ARP requests are sent to the Ethernet broadcast of FF:FF:FF:FF:FF:FF. In this example because the address of the remote host is unknown, an ARP request is sent to the Ethernet broadcast to resolve the MAC address of the default gateway that is used to reach the remote host.)
A network engineer discovers that a foreign government hacked one of the defense contractors in their home country and stole intellectual property. What is the threat agent in this situation?
the foreign government that conducted the attack Threat agent and Threat actor are the same (see https://itlaw.wikia.org/wiki/Threat_agent) And the threat actor is the organization/person performing the attack. (https://orangematter.solarwinds.com/2018/07/18/cybersecurityfundamentals- threat-and-attack-terminology/)
During a TCP session, a destination device sends an acknowledgment number to the source device. What does the acknowledgment number represent?
the next byte that the destination expects to receive Topic 9.1.0 CyberOps Associate v1.0 (The window size determines the number of bytes that will be sent before expecting an acknowledgement. The acknowledgement number is the number of the next expected byte. For example, if a host has received 3140 bytes, the host would respond with an acknowledgement number of 3141.)
Why would a manager need to use the tracert command?
to display a list of the near-side router interfaces between the source device and the destination device Topic 7.2.0 CyberOps Associate v1.0 (Tracert is a utility that generates a list of hops that were successfully reached along the path. This list can provide important verification and troubleshooting information. If the data reaches the destination, then the trace lists the interface of every router in the path between the hosts. If the data fails at some hop along the way, the address of the last router that responded to the trace can provide an indication of where the problem or security restrictions are found.)
What is the most common goal of search engine optimization (SEO)poisoning?
to increase web traffic to malicious sites Topic 17.2 CyberOps Associate v1.0 (A malicious user could create a SEO so that a malicious website appears higher in search results. The maliciouswebsite commonly contains malware or is used to obtain information via social engineering techniques.)
What is the purpose of the TCP sliding window?
to request that a source decrease the rate at which it transmits data Topic 9.3.0 CyberOps Associate v1.0 (The TCP sliding window allows a destination device to inform a source to slow down the rate of transmission. To do this, the destination device reduces the value contained in the window field of the segment. It is acknowledgment numbers that are used to specify retransmission from a specific point forward. It is sequence numbers that are used to ensure segments arrive in order. Finally, it is a FIN control bit that is used to end a communication session.)
What are two roles of the transport layer in data communication on a network?
tracking the individual communication between applications on the source and destination hosts + identifying the proper application for each communication stream Topic 9.1.0 CyberOps Associate v1.0 (The transport layer has several responsibilities. The primary responsibilities include the following: Tracking the individual communication streams between applications on the source and destination hosts, Segmenting data at the source and reassembling the data at the destination and Identifying the proper application for each communication stream through the use of port numbers)
What is a description of a DNS zone transfer?
transferring blocks of DNS data from a DNS server to another server Topic 10.2 CyberOps Associate v1.0 (When a server requires data for a zone, it will request a transfer of that data from an authoritative server for that zone.The process of transferring blocks of DNS data between servers is known as a zone transfer.)
At which OSI layer is a destination port number added to a PDU during the encapsulation process?
transport layer Topic 5.3.0 CyberOps Associate v1.0
A user executes a traceroute over IPv6. At what point would a router in the path to the destination device drop the packet?
when the value of the Hop Limit field reaches zero Topic 7.2.0 CyberOps Associate v1.0 (When a traceroute is performed, the value in the Hop Limit field of an IPv6 packet determines how many router hops the packet can travel. Once the Hop Limit field reaches a value of zero, it can no longer be forwarded and the receiving router will drop the packet.)
Which two fields are included in the TCP header but not in the UDP header?
window and sequence number Topic 9.1.0 CyberOps Associate v1.0 (The sequence number and window fields are included in the TCP header but not in the UDP header.)
