Security Management 2023
18. Match the destination network routing table entry type with a definition.
---
6. Match the Windows 10 Registry key with its description. (Not all options are used)
---
12. A client application needs to terminate a TCP communication session with a server. Place the termination process steps in the order that they will occur. (Not all options are used.)
----
37. Match the tabs of the Windows 10 Task Manager to their functions. (Not all options are used.)
----
39. Match the common network technology or protocol with the description. (Not all options are used.)
----
11. Match the network service with the description.
-----
13. Match the attack surface with attack exploits.
-----
14. Match the Linux host-based firewall application with its description.
-----
56. Match the SOC metric with the description. (Not all options apply.)
-----
16. Refer to the exhibit. If Host1 were to transfer a file to the server, what layers of the TCP/IP model would be used? -only application and Internet layers -application, transport, Internet, and network access layers -only Internet and network access layers -only application, transport, network, data link, and physical layers -only application, Internet, and network access layers -application, session, transport, network, data link, and physical layers
application, transport, Internet, and network access layers
76. What part of the URL, http://www.cisco.com/index.html, represents the top-level DNS domain? http www .com index
.com
20. A device has been assigned the IPv6 address of 2001:0db8:cafe:4500:1000:00d8:0058:00ab/64. Which is the network identifier of the device? 2001:0db8:cafe:4500:1000 2001:0db8:cafe:4500:1000:00d8:0058:00ab 1000:00d8:0058:00ab 2001:0db8:cafe:4500 2001
2001:0db8:cafe:4500
84. After a security monitoring tool identifies a malware attachment entering the network, what is the benefit of performing a retrospective analysis? It can identify how the malware originally entered the network. A retrospective analysis can help in tracking the behavior of the malware from the identification point forward. It can calculate the probability of a future incident. It can determine which network host was first affected.
A retrospective analysis can help in tracking the behavior of the malware from the identification point forward.
58. Which two statements are characteristics of a virus? (Choose two.) A virus typically requires end-user activation. A virus can be dormant and then activate at a specific time or date. A virus replicates itself by independently exploiting vulnerabilities in networks. A virus has an enabling vulnerability, a propagation mechanism, and a payload. A virus provides the attacker with sensitive data, such as passwords
A virus typically requires end-user activation. A virus can be dormant and then activate at a specific time or date.
90. What are two uses of an access control list? (Choose two.) ACLs provide a basic level of security for network access. ACLs can control which areas a host can access on a network. Standard ACLs can restrict access to specific applications and ports. ACLs assist the router in determining the best path to a destination. ACLs can permit or deny traffic based upon the MAC address originating on the router.
ACLs provide a basic level of security for network access. ACLs can control which areas a host can access on a network.
78. A newly created company has fifteen Windows 10 computers that need to be installed before the company can open for business. What is a best practice that the technician should implement when configuring the Windows Firewall? The technician should remove all default firewall rules and selectively deny traffic from reaching the company network. After implementing third party security software for the company, the technician should verify that the Windows Firewall is disabled. The technician
After implementing third party security software for the company, the technician should verify that the Windows Firewall is disabled.
31. Which approach can help block potential malware delivery methods, as described in the Cyber Kill Chain model, on an Internet-faced web server? Build detections for the behavior of known malware. Collect malware files and metadata for future analysis. Audit the web server to forensically determine the origin of exploit. Analyze the infrastructure storage path used for files.
Analyze the infrastructure storage path used for files.
70. If a SOC has a goal of 99.999% uptime, how many minutes of downtime a year would be considered within its goal? Approximately 5 minutes per year. Approximately 10 minutes per year Approximately 20 minutes per year. Approximately 30 minutes per year.
Approximately 5 minutes per year.
44. What is the main purpose of exploitations by a threat actor through the weapon delivered to a target during the Cyber Kill Chain exploitation phase? Launch a DoS attack. Send a message back to a CnC controlled by the threat actor. Break the vulnerability and gain control of the target. Establish a back door into the system.
Break the vulnerability and gain control of the target.
89. What are two methods to maintain certificate revocation status? (Choose two.) CRL DNS subordinate CA OCSP LDAP
CRL OCSP
100. Which tool is a web application that provides the cybersecurity analyst an easy-to-read means of viewing an entire Layer 4 session? Snort Zeek CapME OSSEC
CapME
81. Which device supports the use of SPAN to enable monitoring of malicious activity? Cisco Catalyst switch Cisco IronPort Cisco NAC Cisco Security Agent
Cisco Catalyst switch
15. What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease? DHCP starvation IP address spoofing DHCP spoofing CAM table attack
DHCP starvation
36. Which method is used to make data unreadable to unauthorized users? Encrypt the data. Fragment the data. Add a checksum to the end of the data. Assign it a username and password.
Encrypt the data.
55. Which three procedures in Sguil are provided to security analysts to address alerts? (Choose three.) Escalate an uncertain alert. Correlate similar alerts into a single line. Categorize true positives. Pivot to other information sources and tools. Construct queries using Query Builder. Expire false positives.
Escalate an uncertain alert. Categorize true positives. Expire false positives.
29. What is one difference between the client-server and peer-to-peer network models? Only in the client-server model can file transfers occur. A data transfer that uses a device serving in a client role requires that a dedicated server be present. A peer-to-peer network transfers data faster than a transfer using a client-server network. Every device in a peer-to-peer network can function as a client or a server.
Every device in a peer-to-peer network can function as a client or a server.
87. Which two statements describe the use of asymmetric algorithms? (Choose two.) Public and private keys may be used interchangeably. If a public key is used to encrypt the data, a private key must be used to decrypt the data. If a public key is used to encrypt the data, a public key must be used to decrypt the data. If a private key is used to encrypt the data, a public key must be used to decrypt the data. If a private key is used to encrypt the data, a private key must be used to decryp
If a public key is used to encrypt the data, a private key must be used to decrypt the data. If a private key is used to encrypt the data, a public key must be used to decrypt the data.
74. What are three characteristics of an information security management system? (Choose three.) It involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise. It is a systematic and multilayered approach to cybersecurity. It addresses the inventory and control of hardware and software configurations of systems. It consists of a set of practices that are systematically applied to ensure continuous improvement in inf
It is a systematic and multilayered approach to cybersecurity. It consists of a set of practices that are systematically applied to ensure continuous improvement in information security. It consists of a management framework through which an organization identifies, analyzes, and addresses information security risks.
91. A client is using SLAAC to obtain an IPv6 address for the interface. After an address has been generated and applied to the interface, what must the client do before it can begin to use this IPv6 address? It must send an ICMPv6 Router Solicitation message to determine what default gateway it should use. It must send an ICMPv6 Router Solicitation message to request the address of the DNS server. It must send an ICMPv6 Neighbor Solicitation message to ensure that the address is not already
It must send an ICMPv6 Neighbor Solicitation message to ensure that the address is not already in use on the network.
63. A cybersecurity analyst needs to collect alert data. What are three detection tools to perform this task in the Security Onion architecture? (Choose three.) CapME Wazuh Kibana Zeek Sguil Wireshark
Kibana Sguil Wireshark
59. What is a characteristic of a Trojan horse as it relates to network security? Too much information is destined for a particular memory block, causing additional memory areas to be affected. Extreme quantities of data are sent to a particular network device interface. An electronic dictionary is used to obtain a password to be used to infiltrate a key network device. Malware is contained in a seemingly legitimate executable program.
Malware is contained in a seemingly legitimate executable program.
72. What is an advantage for small organizations of adopting IMAP instead of POP? POP only allows the client to store messages in a centralized way, while IMAP allows distributed storage. IMAP sends and retrieves email, but POP only retrieves email. When the user connects to a POP server, copies of the messages are kept in the mail server for a short time, but IMAP keeps them for a long time. Messages are kept in the mail servers until they are manually deleted from the email client.
Messages are kept in the mail servers until they are manually deleted from the email client.
54. What are two potential network problems that can result from ARP operation? (Choose two.) Large numbers of ARP request broadcasts could cause the host MAC address table to overflow and prevent the host from communicating on the network. On large networks with low bandwidth, multiple ARP broadcasts could cause data communication delays. Network attackers could manipulate MAC address and IP address mappings in ARP messages with the intent of intercepting network traffic. Multiple ARP repli
Network attackers could manipulate MAC address and IP address mappings in ARP messages with the intent of intercepting network traffic.
94. When a security attack has occurred, which two approaches should security professionals take to mitigate a compromised system during the Actions on Objectives step as defined by the Cyber Kill Chain model? (Choose two.) Perform forensic analysis of endpoints for rapid triage. Train web developers for securing code. Build detections for the behavior of known malware. Collect malware files and metadata for future analysis. Detect data exfiltration, lateral movement, and unauthorized crede
Perform forensic analysis of endpoints for rapid triage. Detect data exfiltration, lateral movement, and unauthorized credential usage.
34. Which tool can be used in a Cisco AVC system to analyze and present the application analysis data into dashboard reports? NetFlow NBAR2 Prime IPFIX
Prime
45. Refer to the exhibit. An administrator is trying to troubleshoot connectivity between PC1 and PC2 and uses the tracert command from PC1 to do it. Based on the displayed output, where should the administrator begin troubleshooting? R1 PC2 SW2 R2 SW1
R1 (image)
52. Which application layer protocol is used to provide file-sharing and print services to Microsoft applications? SMTP HTTP SMB DHCP
SMB
79. Which statement defines the difference between session data and transaction data in logs? Session data analyzes network traffic and predicts network behavior, whereas transaction data records network sessions. Session data is used to make predictions on network behaviors, whereas transaction data is used to detect network anomalies. Session data records a conversation between hosts, whereas transaction data focuses on the result of network sessions. Session data shows the result of a net
Session data records a conversation between hosts, whereas transaction data focuses on the result of network sessions
46. What three security tools does Cisco Talos maintain security incident detection rule sets for? (Choose three.) Snort NetStumbler Socat SpamCop ClamAV
Snort SpamCop ClamAV
62. Refer to the exhibit. A cybersecurity analyst is viewing packets forwarded by switch S2. What addresses will identify frames containing data sent from PCA to PCB? Src IP: 192.168.2.1 Src MAC: 00-60-0F-B1-33-33 Dst IP: 192.168.2.101 Dst MAC: 08-CB-8A-5C-BB-BB Src IP: 192.168.1.212 Src MAC: 01-90-C0-E4-AA-AA Dst IP: 192.168.2.101 Dst MAC: 08-CB-8A-5C-BB-BB Src IP: 192.168.1.212 Src MAC: 00-60-0F-B1-33-33 Dst IP: 192.168.2.101 Dst MAC: 08-CB-8A-5C-BB-BB Src IP: 192.168.1.212 Src MAC: 00-60-0F-B1-33-3
Src IP: 192.168.1.212 Src MAC: 00-60-0F-B1-33-33 Dst IP: 192.168.2.101 Dst MAC: 00-D0-D3-BE-00-00 (image)
25. A technician notices that an application is not responding to commands and that the computer seems to respond slowly when applications are opened. What is the best administrative tool to force the release of system resources from the unresponsive application? Event Viewer System Restore Add or Remove Programs Task Manager
Task Manager
24. What are two characteristics of the SLAAC method for IPv6 address configuration? (Choose two.) The default gateway of an IPv6 client on a LAN will be the link-local address of the router interface attached to the LAN. This stateful method of acquiring an IPv6 address requires at least one DHCPv6 server. Clients send router advertisement messages to routers to request IPv6 addressing. IPv6 addressing is dynamically assigned to clients through the use of ICMPv6. Router solicitation message
The default gateway of an IPv6 client on a LAN will be the link-local address of the router interface attached to the LAN. IPv6 addressing is dynamically assigned to clients through the use of ICMPv6.
71. The HTTP server has responded to a client request with a 200 status code. What does this status code indicate? The request is understood by the server, but the resource will not be fulfilled. The request was completed successfully. The server could not find the requested resource, possibly because of an incorrect URL. The request has been accepted for processing, but processing is not completed.
The request was completed successfully.
61. What is a purpose of implementing VLANs on a network? They can separate user traffic. They prevent Layer 2 loops. They eliminate network collisions. They allow switches to forward Layer 3 packets without a router.
They can separate user traffic.
30. Which statement is correct about network protocols? They define how messages are exchanged between the source and the destination. They all function in the network access layer of TCP/IP. They are only required for exchange of messages between devices on remote networks. Network protocols define the type of hardware that is used and how it is mounted in racks.
They define how messages are exchanged between the source and the destination.
73. What debugging security tool can be used by black hats to reverse engineer binary files when writing exploits? WinDbg Firesheep Skipfish AIDE
WinDbg
47. Which host-based firewall uses a three-profile approach to configure the firewall functionality? Windows Firewall iptables TCP Wrapper nftables
Windows Firewall
9. Refer to the exhibit. What solution can provide a VPN between site A and site B to support encapsulation of any Layer 3 protocol between the internal networks at each site? an IPsec tunnel Cisco SSL VPN a GRE tunnel a remote access tunnel
a GRE tunnel
68. What is a network tap? a technology used to provide real-time reporting and long-term analysis of security events a Cisco technology that provides statistics on packets flowing through a router or multilayer switch a feature supported on Cisco switches that enables the switch to copy frames and forward them to an analysis device a passive device that forwards all traffic and physical layer errors to an analysis device
a passive device that forwards all traffic and physical layer errors to an analysis device
49. Which step in the Vulnerability Management Life Cycle determines a baseline risk profile to eliminate risks based on asset criticality, vulnerability threat, and asset classification? discover assess prioritize assets verify
assess
50. Which management system implements systems that track the location and configuration of networked devices and software across an enterprise? asset management vulnerability management risk management configuration management
asset management
17. A company has a file server that shares a folder named Public. The network security policy specifies that the Public folder is assigned Read-Only rights to anyone who can log into the server while the Edit rights are assigned only to the network admin group. Which component is addressed in the AAA network service framework? automation authentication authorization accounting
authorization
26. How can statistical data be used to describe or predict network behavior? by comparing normal network behavior to current network behavior by recording conversations between network endpoints by listing results of user web surfing activities by displaying alert messages that are generated by Snort
by comparing normal network behavior to current network behavior
38. For network systems, which management system addresses the inventory and control of hardware and software configurations? asset management vulnerability management risk management configuration management
configuration management
97. Which field in the TCP header indicates the status of the three-way handshake process? control bits window reserved checksum
control bits
10. For what purpose would a network administrator use the Nmap tool? -protection of the private IP addresses of internal hosts -identification of specific network anomalies -collection and analysis of security alerts and logs -detection and identification of open ports
detection and identification of open ports
19. A person coming to a cafe for the first time wants to gain wireless access to the Internet using a laptop. What is the first step the wireless client will do in order to communicate over the network using a wireless management frame? associate with the AP authenticate to the AP discover the AP agree with the AP on the payload
discover the AP
83. When ACLs are configured to block IP address spoofing and DoS flood attacks, which ICMP message should be allowed both inbound and outbound? echo reply unreachable source quench echo
echo
75. Which three technologies should be included in a SOC security information and event management system? (Choose three.) event collection, correlation, and analysis security monitoring user authentication proxy service intrusion prevention threat intelligence
event collection, correlation, and analysis security monitoring threat intelligence
53. Which device in a layered defense-in-depth approach denies connections initiated from untrusted networks to internal networks, but allows internal users within an organization to connect to untrusted networks? access layer switch firewall internal router IPS
firewall
7. Which PDU format is used when bits are received from the network medium by the NIC of a host? segment file packet frame
frame
40. What are the three core functions provided by the Security Onion? (Choose three.) business continuity planning full packet capture alert analysis intrusion detection security device management threat containment
full packet capture alert analysis intrusion detection
33. Which Linux command is used to manage processes? chrootkit ls grep kill
kill
43. Which type of data would be considered an example of volatile data? web browser cache memory registers log files temp files
memory registers
42. Which two fields or features does Ethernet examine to determine if a received frame is passed to the data link layer or discarded by the NIC? (Choose two.) CEF source MAC address minimum frame size auto-MDIX Frame Check Sequence
minimum frame size Frame Check Sequence
5. Which two net commands are associated with network resource sharing? (Choose two.) net start net accounts net share net use net stop
net share net use
64. Match the Security Onion tool with the description.
image
66. Match the server profile element to the description. (Not all options are used.)
image
69. Match the monitoring tool to the definition.
image
80. Match the network monitoring data type with the description.
image
95. Place the seven steps defined in the Cyber Kill Chain in the correct order.
image
41. In NAT terms, what address type refers to the globally routable IPv4 address of a destination host on the Internet? outside global inside global outside local inside local
outside global
60. What technique is used in social engineering attacks? sending junk email buffer overflow phishing man-in-the-middle
phishing
93. What are two evasion techniques that are used by hackers? (Choose two.) Trojan horse pivot rootkit reconnaissance phishing
pivot rootkit
2. The strategy and goals element is in which part of the incident response plan? plan procedure policy
plan
82. Which term is used for describing automated queries that are useful for adding efficiency to the cyberoperations workflow? cyber kill chain playbook chain of custody rootkit
playbook
1. The definition of computer security incidents and related terms element is in which part of the incident response plan? A) policy B) plan C) procedure
policy
3. The organizational structure and definition of roles, responsibilities, and levels of authority element is in which part of the incident response plan? policy plan procedure
policy
4. The prioritization and severity ratings of incidents element is in which part of the incident response plan? policy plan procedure
policy
28. Which NIST Cybersecurity Framework core function is concerned with the development and implementation of safeguards that ensure the delivery of critical infrastructure services? respond detect identify recover protect
protect
88. Which three security services are provided by digital signatures? (Choose three.) provides confidentiality of digitally signed data guarantees data has not changed in transit provides nonrepudiation using HMAC functions provides data encryption authenticates the source authenticates the destination
provides confidentiality of digitally signed data provides data encryption authenticates the source
32. Which meta-feature element in the Diamond Model classifies the general type of intrusion event? phase results methodology direction
results
65. In network security assessments, which type of test is used to evaluate the risk posed by vulnerabilities to a specific organization including assessment of the likelihood of attacks and the impact of successful exploits on the organization? port scanning risk analysis penetration testing vulnerability assessment
risk analysis
23. The IT security personnel of an organization notice that the web server deployed in the DMZ is frequently targeted by threat actors. The decision is made to implement a patch management system to manage the server. Which risk management strategy method is being used to respond to the identified risk? risk sharing risk avoidance risk reduction risk retention
risk reduction
67. In addressing an identified risk, which strategy aims to shift some of the risk to other parties? risk avoidance risk sharing risk retention risk reduction
risk reduction
22. What term describes a set of software tools designed to increase the privileges of a user or to grant access to the user to portions of the operating system that should not normally be allowed? compiler rootkit package manager penetration testing
rootkit
77. What best describes the security threat of spoofing? sending bulk email to individuals, lists, or domains with the intention to prevent users from accessing email sending abnormally large amounts of data to a remote server to prevent user access to the server services intercepting traffic between two hosts or inserting false information into traffic between two hosts making data appear to come from a source that is not the actual source
sending abnormally large amounts of data to a remote server to prevent user access to the server services
21. An administrator wants to create four subnetworks from the network address 192.168.1.0/24. What is the network address and subnet mask of the second useable subnet? subnetwork 192.168.1.64 subnet mask 255.255.255.192 subnetwork 192.168.1.64 subnet mask 255.255.255.240 subnetwork 192.168.1.32 subnet mask 255.255.255.240 subnetwork 192.168.1.128 subnet mask 255.255.255.192 subnetwork 192.168.1.8 subnet mask 255.255.255.224
subnetwork 192.168.1.64 subnet mask 255.255.255.192
35. Which Windows Event Viewer log includes events regarding the operation of drivers, processes, and hardware? system logs application logs security logs setup logs
system logs
98. A user opens three browsers on the same PC to access www.cisco.com to search for certification course information. The Cisco web server sends a datagram as a reply to the request from one of the web browsers. Which information is used by the TCP/IP protocol stack in the PC to identify which of the three web browsers should receive the reply? the source IP address the destination port number the destination IP address the source port number
the destination port number
27. Which metric in the CVSS Base Metric Group is used with an attack vector? the proximity of the threat actor to the vulnerability the presence or absence of the requirement for user interaction in order for an exploit to be successful the determination whether the initial authority changes to a second authority during the exploit the number of components, software, hardware, or networks, that are beyond the control of the attacker and that must be present in order for a vulnerability to b
the proximity of the threat actor to the vulnerability
96. What are three goals of a port scan attack? (Choose three.) to identify peripheral configurations to determine potential vulnerabilities to disable used ports and services to identify operating systems to identify active services to discover system passwords
to determine potential vulnerabilities to identify operating systems to identify active services
86. A help desk technician notices an increased number of calls relating to the performance of computers located at the manufacturing plant. The technician believes that botnets are causing the issue. What are two purposes of botnets? (Choose two.) to transmit viruses or spam to computers on the same network to record any and all keystrokes to attack other computers to withhold access to a computer or files until money has been paid to gain access to the restricted part of the operating sys
to transmit viruses or spam to computers on the same network to attack other computers
48. When a user visits an online store website that uses HTTPS, the user browser queries the CA for a CRL. What is the purpose of this query? to verify the validity of the digital certificate to request the CA self-signed digital certificate to check the length of key used for the digital certificate to negotiate the best encryption to use
to verify the validity of the digital certificate
92. A technician is troubleshooting a network connectivity problem. Pings to the local wireless router are successful but pings to a server on the Internet are unsuccessful. Which CLI command could assist the technician to find the location of the networking problem? tracert ipconfig msconfig ipconfig/renew
tracert
51. A network administrator is reviewing server alerts because of reports of network slowness. The administrator confirms that an alert was an actual security incident. What is the security alert classification of this type of scenario? false negative true positive true negative false positive
true positive
57. Which two services are provided by the NetFlow tool? (Choose two.) QoS configuration usage-based network billing log analysis access list monitoring network monitoring
usage-based network billing network monitoring
85. Which two data types would be classified as personally identifiable information (PII)? (Choose two.) house thermostat reading average number of cattle per region vehicle identification number hospital emergency use per region Facebook photographs
vehicle identification number Facebook photographs
99. What are two scenarios where probabilistic security analysis is best suited? (Choose two.) when applications that conform to application/networking standards are analyzed when analyzing events with the assumption that they follow predefined steps when random variables create difficulty in knowing with certainty the outcome of any given event when analyzing applications designed to circumvent firewalls when each event is the inevitable result of antecedent causes
when analyzing events with the assumption that they follow predefined steps when analyzing applications designed to circumvent firewalls
8. A user is executing a tracert to a remote device. At what point would a router, which is in the path to the destination device, stop forwarding the packet? -when the router receives an ICMP Time Exceeded message -when the values of both the Echo Request and Echo Reply messages reach zero -when the RTT value reaches zero -when the value in the TTL field reaches zero -when the host responds with an ICMP Echo Reply message
when the value in the TTL field reaches zero