Cisco CCNP SCOR 350-701 Practice Questions
Refer to the exhibit. The figure represents the SDN communication elements. Match the item on the left with the architectural position on the right. 1 2 3 4 5 A. Python Custom Script B. Northbound API C. SDN Controller D. Southbound API E. Virtual Switch
Answer: 1-A, 2-B, 3-C, 4-D, 5-E
Refer to the exhibit. Which communication method is used between the Office 365 application and Cisco Cloudlock? A. API B. DNS C. FTP D. OAuth
Answer: A
What is the main disadvantage of using MAC Authentication Bypass (MAB)? A. it is resource-intensive B. it is slower C. the authentication credentials can be easily spoofed D. the username and the password are the same
Answer: C
Which are two valid certificate revocation solutions available to solve the problem of a key compromise? (Choose two.) A. Certificate Revocation Lists (CRLs) B. certificate validity C. certification authority signature D. Online Certificate Status Protocol (OCSP) E. X.509
Answer: A, D
Which cloud architecture is adopted by AMP Cloud? A. community cloud B. either public or private cloud C. private cloud D. public cloud
Answer: B
Which cloud service model does Cloud Access Security Broker (CASB) aim to protect? A. DaaS B. IaaS C. PaaS D. SaaS
Answer: D
Which component of a VPN implementation ensures that the transferred data has not been tampered with? A. data encryption B. encapsulation method C. non-repudiation D. packet integrity
Answer: D
Which event is raised in Cisco Stealthwatch Cloud when a port and protocol mismatch occurs on the network? A. Bad Protocol Event B. Bad Protocol Observation C. Geographically Unusual Remote Access D. Unusual Protocol Observation
Answer: B
Which feature helps against DHCP spoofing and DHCP starvation attacks? A. port security B. ARP inspection C. DHCP snooping D. MACsec
Answer: C
Which four options are examples of Layer 2 data plane security controls? (Choose four.) A. DHCP snooping B. Dynamic ARP Inspection C. private VLANs D. uRPF E. MACsec F. Flexible Packets Matching
Answer: A, B, C, E
Which function in Cisco ISE allows the integration with Stealthwatch v6.9? A. Profiler B. syslog C. REST API D. pxGrid
Answer: D
Which option describes part of the required or mandatory DHCP snooping configuration task on a Cisco switch? A. enable dynamic ARP inspection B. enable port security C. enable DHCP snooping globally on the switch and in all VLANs that require DHCP spoofing protection D. configure all access ports as untrusted, since, by default, all ports are considered trusted
Answer: C
Which option is an example of an open source off-box method that network operations teams might use for managing network devices? A. TcL B. EEM C. Ansible D. APIC-EM
Answer: C
Which option is configured inside a connection profile configuration on the Cisco ASA? A. authentication method B. split tunneling C. IP filter D. allowed VPN protocols
Answer: A
Which option is the appropriate encapsulation type on a VTI? A. Frame Relay B. ATM C. AH or ESP D. IKE E. IPsec
Answer: C
Which protocol should be disabled on a Cisco switch to mitigate VLAN hopping attacks? A. STP B. VTP C. DTP D. CDP
Answer: C
What is the purpose of the Adaptive Scanning feature on the Cisco WSA? A. It analyzes web server behavior and assigns a WBRS to a URL. B. It decides which anti-malware scanning will process the web request. C. It enables file reputation, file sandboxing, and file retrospection. D. It inspects web traffic and provides protection against the widest variety of web-based malware.
Answer: B
Why can most antivirus solutions not detect zero-day attacks? A. They use anomaly-based detection. B. They use signature-based detection. C. They use behavior-based detection. D. They use a sandbox to run the file.
Answer: B
Which public cloud provider requires you to deploy an additional appliance to integrate the Cisco Stealthwatch Cloud appliance? A. Alibaba Cloud B. Amazon Web Services C. Google Cloud Platform D. Microsoft Azure
Answer: D
What is used by the Cisco Umbrella Virtual Appliances and roaming clients to embed the unique device identifiers into each DNS request? A. encrypted EDNS B. DNS over HTTPS C. DNS Text Records D. DNSSEC
Answer: A
What portion of the following URI is known as the query? http://www.cisco.com/users/accounts/66cgdoj7c7gg_main/type?source=learning A. learning B. source=learning C. cisco.com D. http://
Answer: B
Which security property guarantees that sensitive information is changed only by an authorized party? A. accountability B. availability C. confidentiality D. integrity E. visibility
Answer: D
Which two options are examples of UDP-based attacks? (Choose two.) A. SYN flood B. SQL Slammer C. UDP flooding D. MAC address flooding E. IP flooding
Answer: B, C
Where do you configure Cisco Umbrella policies? A. on the Cisco Umbrella Virtual Appliance B. on the Cisco Umbrella Windows or MAC connector C. inside the public cloud-based dashboard D. on the Cisco Umbrella Roaming Client
Answer: C
Which Cisco ASA appliance or Cisco Firepower NGFW configuration construct defines the post login settings? A. connection profiles B. user profiles C. group policies D. connection policies E. group profiles
Answer: C
Which Cisco ASA appliance or Firepower NGFW configuration construct defines the prelogin requirements for a particular access method? A. group policies B. group profiles C. user profiles D. connection profiles
Answer: D
Which action is required in the client browser to implement HTTPS decryption on Cisco Web Security Appliance (WSA)? A. configuring the client to use WCCP B. installing the CA certificate used by WSA C. installing the CA certificate used by WSA to sign the server certificate D. installing the trusted public CA certificate used by the WSA
Answer: B
Which two data transport protocols are used in a Cisco Firepower SSL VPN? (Choose two.) A. DTLS B. ESP C. IKEv2 D. SSL E. TLS
Answer: A, E
Which two engines are disabled by default in the default outgoing mail policy on Cisco ESA? (Choose two.) A. antispam B. antivirus C. message filters D. Outbreak Filters E. content filters
Answer: A, D
Which two of the following are never exchanged in an OAuth framework? (Choose two.) A. authorization request B. authorization token C. data D. password E. username
Answer: D, E
Which two of the following are the responsibility of the customer when the Infrastructure as a Service (IaaS) service model is in place? (Choose two.) A. application B. networking C. OS D. servers E. virtualization
Answer: A, C
Which two options are countermeasures that an administrator should employ to protect against DNS tunneling? (Choose two.) A. monitor the DNS log for suspicious activities B. deny all DNS transactions C. encrypt DNS communications using a hash D. deploy a solution such as Cisco Umbrella to block the DNS tunneling traffic E. Block all DNS traffic on firewall
Answer: A, D
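"Monitor the DNS log for suspicious activities" only helps if there is concrete detection logic behind it. The following Python script is an added example (it is not part of the original question set and not code from any Cisco product) of the heuristics a DNS-tunneling detector applies to query logs: per-base-domain entropy of the subdomain labels, the number of distinct subdomains seen, tunnel-prone record types (TXT, NULL, CNAME, MX) and oversized labels. The log line format, the thresholds and every host and domain name in the sample are constructed for the example; real Umbrella or BIND logs need their own parser, and the base-domain split should use the Public Suffix List rather than the two-label guess used here.

```python
import math
import re
from collections import defaultdict

# Constructed sample log (not a real capture). Assumed line format:
# "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.1.1.20 A www.cisco.com
2024-05-01T10:00:02 10.1.1.20 A learning.cisco.com
2024-05-01T10:00:03 10.1.1.31 TXT 7a9f3e1c4b8d2a6e5f0c1d9b.tun.example.net
2024-05-01T10:00:03 10.1.1.31 TXT 0c3e8b7d5a1f9e2c4b6d8a0f.tun.example.net
2024-05-01T10:00:04 10.1.1.31 TXT f1e2d3c4b5a6978877665544.tun.example.net
2024-05-01T10:00:04 10.1.1.31 NULL 9b8a7c6d5e4f30211223344556.tun.example.net
2024-05-01T10:00:05 10.1.1.20 AAAA mail.example.org
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# Record types that carry the most payload per query and are rarely used by clients.
TUNNEL_PRONE_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(s):
    """Bits of entropy per character; hex/base32 payloads score far above words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_domain(qname):
    """Return (subdomain, base_domain). Naive two-label split, assumed for the
    example; production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            records.append({"ts": ts, "client": client,
                            "qtype": qtype.upper(), "qname": qname.lower()})
    return records


def find_tunneling_suspects(records, entropy_threshold=3.5,
                            min_unique_subdomains=3, max_label_len=30):
    """Flag base domains that trip at least two independent heuristics."""
    per_domain = defaultdict(lambda: {"clients": set(), "subdomains": set(),
                                      "qtypes": set(), "entropies": []})
    for r in records:
        sub, base = split_domain(r["qname"])
        if not sub:
            continue
        st = per_domain[base]
        st["clients"].add(r["client"])
        st["subdomains"].add(sub)
        st["qtypes"].add(r["qtype"])
        st["entropies"].append(shannon_entropy(sub.replace(".", "")))

    suspects = {}
    for base, st in per_domain.items():
        reasons = []
        avg_entropy = sum(st["entropies"]) / len(st["entropies"])
        if avg_entropy >= entropy_threshold:
            reasons.append("high subdomain entropy (%.2f bits/char)" % avg_entropy)
        if len(st["subdomains"]) >= min_unique_subdomains:
            reasons.append("%d unique subdomains" % len(st["subdomains"]))
        odd_types = st["qtypes"] & TUNNEL_PRONE_QTYPES
        if odd_types:
            reasons.append("tunnel-prone query types: " + ",".join(sorted(odd_types)))
        if any(len(label) > max_label_len
               for s in st["subdomains"] for label in s.split(".")):
            reasons.append("oversized label")
        if len(reasons) >= 2:
            suspects[base] = {"reasons": reasons, "clients": sorted(st["clients"])}
    return suspects


if __name__ == "__main__":
    for base, info in find_tunneling_suspects(parse_log(SAMPLE_DNS_LOG)).items():
        print(base, info["clients"], "; ".join(info["reasons"]))
```

Requiring two heuristics to agree is deliberate: CDNs and anti-spam services legitimately produce many unique, high-entropy subdomains, so a single signal produces noise; the client list in the output is what you pivot to for the host-side investigation.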
You want to make sure that you can detect if data were changed in transit. Which two options would you use to accomplish this task? (Choose two.) A. digital signature B. symmetric encryption C. asymmetric encryption D. HMAC
Answer: A, D
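Why the answer is the keyed constructions and not a bare hash, shown as an added Python example (not part of the original question set): an attacker who can modify data in transit can also recompute an unkeyed SHA-256 over the modified data, so the receiver sees a matching digest; with an HMAC the attacker lacks the shared key, and a forged message fails verification. The message text and the key are constructed for the example, and the key is assumed to have been shared out of band. A digital signature gives the same detection with a public/private key pair instead of a shared key; it needs a library outside the Python standard library and is not shown.

```python
import hashlib
import hmac
import os


def plain_digest(message):
    """Unkeyed SHA-256: anyone on the path can recompute it over altered data."""
    return hashlib.sha256(message).digest()


def make_tag(key, message):
    """HMAC-SHA256 tag over the message; needs the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(expected, actual):
    # compare_digest avoids leaking where the comparison first differs.
    return hmac.compare_digest(expected, actual)


def man_in_the_middle(message, check_value, recompute=None):
    """Active attacker on the wire. `recompute` is what the attacker can run on
    the altered message; None means they cannot rebuild the check value."""
    forged = message.replace(b"amount=100", b"amount=9999")
    if recompute is not None:
        return forged, recompute(forged)
    return forged, check_value  # can only replay the original tag


def receiver_accepts_plain(message, digest):
    return verify(plain_digest(message), digest)


def receiver_accepts_hmac(key, message, tag):
    return verify(make_tag(key, message), tag)


def demo(key=None):
    """Returns (tamper_detected_with_plain_hash, tamper_detected_with_hmac)."""
    key = key or os.urandom(32)  # assumed to have been shared out of band
    msg = b"transfer from=alice to=bob amount=100"  # constructed message

    # Case 1: digest travels alongside the message; attacker recomputes it.
    forged, forged_digest = man_in_the_middle(msg, plain_digest(msg), recompute=plain_digest)
    detected_plain = not receiver_accepts_plain(forged, forged_digest)

    # Case 2: HMAC tag; attacker has no key, so the old tag is all they can send.
    forged, old_tag = man_in_the_middle(msg, make_tag(key, msg))
    detected_hmac = not receiver_accepts_hmac(key, forged, old_tag)
    return detected_plain, detected_hmac


if __name__ == "__main__":
    plain, keyed = demo()
    print("plain hash caught tampering:", plain)
    print("HMAC caught tampering:", keyed)
```

The same reasoning explains why options B and C are wrong: encryption alone hides the content but, without an authentication tag, a ciphertext can still be altered and will decrypt to something the receiver cannot distinguish from the original.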
Which statement regarding an IP address assigned to a client by an ASA Remote Access VPN gateway is true? A. It is matched in the routing table of the client's default gateway for the traffic destined to it. B. It is tunneled in a carrier IP packet that uses the IP address of the physical adapter on the client PC. C. It is used only on the client PC and it is translated by the VPN gateway into a routable IP on the remote network by the VPN gateway. D. The client PC requests the VPN IP address according to the local network IP addressing scheme.
Answer: B
Which statement regarding routing support for IPsec VPNs on Cisco ASA appliance is correct? A. BGP is supported for crypto map-based IPsec VPN. B. OSPF is supported for VTI-based IPsec VPN. C. BGP is supported for VTI-based IPsec VPN. D. EIGRP is supported for VTI-based IPsec VPN.
Answer: C
Which technology achieves the virtualization of the networking devices at Layer 3? A. VRF B. VLAN C. 802.1X Trunk D. Access List
Answer: A
Which three options are services of the Cisco Identity Services Engine? (Choose three.) A. AAA B. posture compliance C. guest management D. firewall policy enforcement E. inline traffic filtering F. anti-malware protection
Answer: A, B, C
In addition to helping to secure and control web traffic, which two forms of system protection does web content security also provide? (Choose two.) A. advanced malware protection B. email security scan C. intrusion prevention protection D. secure mobility E. web server protection
Answer: A, D
An attacker gains access to a remote web server via an unpatched installation of the Apache web server. Which attack surface has been utilized? A. network B. physical C. social engineering D. software
Answer: D
At which three points in time should you defend your network? (Choose three.) A. before a network attack occurs B. during an active network attack C. after a network attack D. when your data is in transit between on-premise and the cloud E. when your data is in transit between the cloud and your customer F. before any regulatory compliance audit G. after any regulatory compliance audit
Answer: A, B, C
Compared to native supplicants, what is the main benefit of using the Cisco AnyConnect Network Access Manager supplicant for user and computer authentication? A. computer authentication support B. EAP Chaining support C. EAP-TLS support D. user authentication support
Answer: B
Match the VPN characteristic with the correct VPN technology. 1. hub and spoke topology 2. IKEv2 only 3. non-tunneled IPsec 4. available on Cisco Firepower NGFW 5. low configuration scalability A. DMVPN B. FlexVPN C. GET VPN D. Static VTI E. Static Crypto Map
Answer: 1-A, 2-B, 3-C, 4-E, 5-D
Refer to the exhibit. You want to establish the OSPF neighbor relationship over a point-to-point IPsec VPN tunnel. What is the correct site-to-site VPN implementation to achieve this objective? A. AnyConnect VPN with IGP support B. Dynamic Multipoint VPN C. IPsec static Crypto Map D. IPsec static Virtual Tunnel Interface
Answer: D
Which of the following holds true for the length of the result for a hash function? A. It depends on the complexity of the input data. B. It depends on the hashing function. C. It depends on the length of the input data. D. It depends on the length of the secret key.
Answer: B
Which of the following options are properties of the dynamic VTI tunnel mode? (Choose two.) A. used for simple point-to-point topologies B. used for hub-and-spoke topologies C. provides a routable interface D. VTIs are created dynamically from a template E. provides always on connectivity
Answer: B, D
Which parameter cannot be used to determine the identity of a transaction? A. authenticated user B. proxy port C. subnet D. user agent
Answer: A
Inside the Cisco Umbrella Investigate, what can you use to start the investigation? A. A domain name, an IP address, an ASN or a file hash. B. An IP address, ports, and protocols. C. A domain name, an IP address, ports, and protocols. D. A domain name or URL category.
Answer: A
The "Catch All" Stealthwatch subordinate host group is contained within which top-level host group? A. Inside Hosts B. Default C. Other Hosts D. Outside Hosts
Answer: A
Assume that two systems are communicating by using asymmetric encryption. Which type of key is distributed amongst systems participating in the communication? A. hash of public B. private C. public D. shared
Answer: C
By default, Stealthwatch Enterprise baselines every host in which top-level host group? A. Outside Hosts B. Inside Hosts C. DMZ Hosts D. SLIC Hosts
Answer: B
A Cisco ASA appliance has four operational interfaces, each configured with an IP address, an interface name, and a security level: 100 on the inside interface, 0 on the outside interface, and 50 on both the dmz1 and dmz2 interfaces. With the default parameters, to which interfaces can the dmz1 interface send outbound traffic? A. inside interface B. dmz2 interface C. outside interface D. all interfaces
Answer: C
Cisco ASA firewalls are advanced stateful firewalls. Which two advanced features can be found in these devices? (Choose two.) A. botnet traffic filtering B. ATM cell filtering C. malware detonation using the embedded hard drive D. network address translation mechanisms E. RIPv2 payload encryption mechanisms
Answer: A, D
Cisco ASA forwards packets based on different parameters when running in routed and transparent mode. On which parameter is the packet forwarding process based when Cisco ASA runs in transparent mode? A. source IP address B. destination MAC address C. destination IP address D. source MAC address
Answer: B
Cisco ASA interface access rules are the most commonly used access control mechanisms on the security appliance. Interface access rules permit or deny network applications to establish their sessions through the security appliance based on different information. On which three of these options is access-rule filtering based? (Choose three.) A. based on source and destination MAC addresses B. based on input or output interface C. based on NAT rules D. based on source or destination IP addresses E. based on source or destination ports
Answer: B, D, E
Default Stealthwatch Enterprise policies pertain to which hosts? A. all Inside Hosts only B. all Inside Hosts and all Outside Hosts C. all Outside Hosts only D. all Command & Control Servers only
Answer: B
File integrity checking tools work by calculating hash values of important files, storing the hash values, and periodically comparing those hash values to hash values that it calculates later. If a file hash value comparison results in a mismatch, what does that indicate? A. It means nothing; it is a mismatch because the files hashes were compiled on different days. B. It means that one file did not calculate correctly and need to be recalculated. C. It indicates that the file has been changed in some way and there may be an issue to be resolved. D. It indicates that your organization has suffered a security breach and a full-scale investigation is needed as soon as possible.
Answer: C
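The mechanism the question describes, written out as an added Python example (not from the original page and not any vendor's tool): build a baseline of SHA-256 digests for a directory tree, store it, then later recompute and report what changed, disappeared or appeared. The file names and the "tampering" are constructed inside a temporary directory so the script runs anywhere. Two points the answer key leaves implicit: a mismatch means "changed, go and look" and not automatically "breach" (answer C, not D), and the comparison is only trustworthy if the stored baseline is somewhere the intruder cannot rewrite it (off-box, or protected with an HMAC under a key the host does not hold), which is left to the caller here.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 64 * 1024


def sha256_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> SHA-256 hex digest for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and devices are tracked separately by real tools
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baseline(root, baseline):
    """Recompute and classify differences. A 'changed' entry only says the
    content differs; whether it is an attack is for the analyst to decide."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: take a baseline, then simulate an intruder's edits."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")

        # Serialize the baseline; in a real deployment this JSON goes off-box.
        stored = json.dumps(build_baseline(root), sort_keys=True)

        # Simulated tampering: extra UID-0 account, deleted file, new preload hook.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("eve:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        with open(os.path.join(root, "etc", "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")

        return compare_baseline(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Production tools (AIDE, Tripwire, OSSEC) add inode, permission and mtime fields to each entry and run as a scheduled job; the hash comparison shown here is the core of all of them.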
Following the network segmentation design recommendations, which of the following segments is the common point to which all the other segments connect? A. enterprise campus B. enterprise core C. enterprise internet edge D. enterprise WAN edge
Answer: B
For which use case could Stealthwatch Cloud be deployed? A. for public cloud monitoring only B. for private network monitoring only C. for collecting telemetry from Stealthwatch UDP Director D. for both public cloud monitoring and private network monitoring E. for collecting telemetry from Stealthwatch UDP Director and Stealthwatch Flow Collector
Answer: D
How can you quickly block IP communication to and from a certain IP address before traffic gets inspected by ACP? A. In the events view, right-click IP address and select Whitelist IP Now. B. In the events view, right-click IP address and select Whitelist IP Now. Deployment of configuration change is needed for the change to take effect. C. In the events view, right-click IP address and select Blacklist IP Now. D. In the events view, right-click IP address and select Blacklist IP Now. Deployment of configuration change is needed for the change to take effect.
Answer: C
How do watering hole attacks avoid detection by scanning services? A. by focusing the malware of its campaign so that it is only delivered to visitors from the IP address range of the target organization B. by compromising the web server of an innocent bystander, so that the malware attack cannot be attributed to servers owned by the attacker C. by compromising DHCP servers of home routers so that the users will be directed to the websites that are compromised by the attacker D. by delivering email only to valid email addresses that are targeted from a specific list so that the volume of traffic stays low
Answer: A
How do you manage Cisco Umbrella? A. Through a public cloud-based dashboard. B. Through a private cloud-based dashboard. C. Through the Cisco Umbrella Virtual Appliance dashboard. D. Through the Cisco Defense Orchestrator.
Answer: A
How does AMP for Endpoints use behavioral Indication of Compromise (IoC)? A. as a comparison reference to recognize anomalous patterns and activities B. as a trigger to update application policies based on file patterns C. as an indication to block files presenting repetitive patterns or activities D. as an indication to send all file patterns to AMP Cloud
Answer: A
How does Cisco ASA appliance or Cisco Firepower NGFW allow users to choose the correct Connection Profile by using Cisco AnyConnect Secure Mobility Client? (Choose two.) A. By entering the Connection Profile in the VPN headend URL inside the AnyConnect Secure Mobility Client GUI. B. By choosing a Connection Profile from a drop-down menu after the user connects to the VPN endpoint. C. By configuring the Connection Profile on the Cisco ASA or Cisco Firepower NGFW and assigning it to the user. D. By adding the Connection Profile to the Preferences menu of Cisco AnyConnect Secure Mobility Client. E. By choosing the Connection Profile based on the private IP address of the PC connecting to the VPN.
Answer: A, B
How does Cisco Umbrella differentiate which policy to apply for incoming DNS requests? A. Each customer uses a unique set of DNS resolvers, which are configured with a policy specific for the customer. B. Cisco Umbrella users must specify which policy to accept or reject in their Cisco Umbrella client. C. Cisco Umbrella applies the policy based on the source IP of the DNS request, unless the request comes from the Cisco Umbrella Roaming Client. D. The policy is uploaded from the administrative console to the Cisco Umbrella dashboard and includes a list of client-to-policy binding in CSV format.
Answer: C
How does DNS security combat CnC callbacks? A. By filtering DNS requests, it blocks all requested zone transfers. By changing the DNS MX field, CnC systems cannot be reached on the outbound connection. B. By implementing DNS security measures, CnC callbacks over any ports and protocols are blocked when the DNS queries to any bad or malicious domains are prevented. C. Using Cisco Umbrella servers, such as Google openDNS (8.8.8.8), DNS requests are filtered based on the IP reputation tables that are maintained. D. By configuring clients to use cloud-based DNS services, CnC callbacks are originated only in the cloud.
Answer: B (the original key listed C, which is a distractor: 8.8.8.8 is Google Public DNS, not an Umbrella/OpenDNS resolver, and DNS-layer security works by refusing to resolve the malicious domain, so the callback never gets a destination address regardless of port or protocol)
How does Stealthwatch Cloud for Private Network Monitoring operate? A. Telemetry data, such as NetFlow, is collected at the networking devices that forward telemetry data to Stealthwatch Cloud. B. Telemetry data, such as NetFlow, is collected at the networking devices that forward telemetry data to Stealthwatch Flow Collector. Stealthwatch Cloud then ingests metadata sent from Flow Collector. C. Telemetry data, such as NetFlow, is collected at the networking devices that forward telemetry data to a Private Network Monitoring appliance. The Private Network Monitoring appliance then encrypts the metadata and sends it to the Stealthwatch Cloud platform for analysis. D. Telemetry data, such as NetFlow, is collected at the networking devices that forward telemetry data to a Private Network Monitoring appliance. The Private Network Monitoring appliance then sends metadata in cleartext to the Stealthwatch Cloud platform for analysis.
Answer: C
How does the AMP for Endpoints Ethos engine recognize potentially dangerous files? A. It performs an antivirus scan. B. It examines patterns learned via machine learning. C. It examines pieces of code. D. It performs a SHA-256 integrity check.
Answer: C
How does the AMP for Endpoints Spero engine recognize potentially dangerous files? A. It performs an antivirus scan. B. It examines patterns learned via machine learning. C. It examines pieces of code. D. It performs a SHA-256 integrity check.
Answer: B
How is physical security relevant to cloud networking? A. In the shared security model, customers are responsible for physically securing entities in their cloud environment. B. A physical compromise in your on-premises network could lead to a compromise in your cloud environment. C. The cloud application vendor must have a secure data facility, including locking their front door and preventing unauthorized personnel from accessing multitenant cages. D. Private cloud environments have more stringent physical security requirements than public cloud environments.
Answer: B
How many AMP Clouds are there and in which regions are they located? A. There are two AMP Clouds located in the US and Europe. B. There are three AMP Clouds located in the US, Europe, and the Middle East. C. There are three AMP Clouds located in the US, Europe, and Asia Pacific-Japan-China. D. There are four AMP Clouds located in the US, Europe, Asia Pacific-Japan-China, and the Middle East.
Answer: C
How many HTTPS sessions are used on the Cisco WSA when the decryption policy matches HTTPS traffic flowing between a user and a web server? A. Only one HTTPS session between the user and web server is used in both directions. B. Three HTTPS sessions, two sessions between the user and Cisco WSA, and one between the Cisco WSA and web server. C. Two HTTPS sessions between the user and web server, one for each direction. D. Two HTTPS sessions, one session between the user and Cisco WSA and the other session between the Cisco WSA and web server.
Answer: D
How many IPsec security associations are required to secure a typical, bidirectional communication between two security gateways? A. zero B. one C. two (in the same direction) D. four (two in each direction) E. two (one in each direction)
Answer: E
How would you define an Indicator of Compromise (IoC)? A. a piece of malicious code B. a Trojan horse executable file C. an artifact or a behavior set D. an attack vector
Answer: C
How would you filter traffic for a specific remote access VPN user group in a Cisco Firepower NGFW? A. by assigning different IP pools to different groups and filtering traffic with an ACL applied to the VPN tunnel interface B. by configuring a filtering ACL and applying it within a group policy C. by applying a filtering ACL in the specific Remote Access VPN Policy Wizard D. by configuring a filtering ACL with the same name as the group policy it must be applied to
Answer: B
How would you protect company data on mobile devices if they get lost or stolen? A. enable device tracking on the mobile devices B. enroll devices into MDM C. install an antivirus application D. prevent access to resources with mobile devices
Answer: B
If an attacker uses phishing to obtain user credentials for an employee without administrator access and needs to install a rootkit backdoor that requires system level access, what might be the attacker's next course of action to gain the administrator privileges? A. Set a scheduled task to install the rootkit the following day under the current user account B. Attempt to extract local administrator credentials stored on the machine in running memory or the registry C. Try to brute force that user's password for an RDP connection to the user's workstation D. Change the IP address of the user's computer from DHCP-assigned to static.
Answer: B
If an engineering server's risk of being hacked is assigned a risk level of very high, which assessment strategy is being used? A. quantitative B. qualitative C. impact D. discretionary E. non-discretionary F. mandatory
Answer: B
If you consider that the 802.1X standard uses different protocols for its operation, which statement is correct? A. EAPOL is used between the supplicant and authenticator. RADIUS is used between the authenticator and authentication server. B. RADIUS is used between the supplicant and authenticator. EAPOL is used between the authenticator and authentication server. C. RADIUS is used between the supplicant and authenticator. RADIUS is used between the authenticator and authentication server. D. EAPOL is used between the supplicant and authenticator. EAPOL is used between the authenticator and authentication server.
Answer: A
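Behind the correct answer sits a concrete packet format, and the RADIUS leg between authenticator (the switch) and authentication server (ISE) is where the shared secret does its work. The following is an added Python example (not from the page and not Cisco code) that builds a RADIUS Access-Request: it hides the password with the RFC 2865 User-Password algorithm (MD5 of the shared secret and the Request Authenticator, XORed block by block) and adds the RFC 3579 Message-Authenticator, an HMAC-MD5 over the packet that the server uses to reject altered requests. The User-Password form shown is what a switch sends for MAB or PAP; for 802.1X proper the EAP frames received over EAPOL are relayed inside EAP-Message attributes instead, and RFC 3579 requires Message-Authenticator on every such request. The shared secret, username and password are constructed test values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code, identifier, length, 16-byte Request Authenticator


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_user_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to a 16-byte multiple, then c_i = p_i XOR MD5(secret + c_{i-1}),
    with the Request Authenticator standing in for c_0."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decrypt_user_password(secret, authenticator, ciphertext):
    """Inverse of encrypt_user_password; the server knows the same secret."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        out += _xor(ciphertext[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, username, password, authenticator=None):
    """Access-Request with User-Name, User-Password and a Message-Authenticator
    (RFC 3579 3.2: HMAC-MD5 over the packet with the attribute value zeroed)."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, encrypt_user_password(secret, authenticator, password))
    length = HEADER_LEN + len(attrs) + 18  # 18 = Message-Authenticator TLV
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    unsigned = header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet):
    """Return (type, value) pairs; rejects truncated or zero-length attributes."""
    i, end = HEADER_LEN, struct.unpack("!H", packet[2:4])[0]
    attrs = []
    while i < end:
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > end:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[i + 2:i + l]))
        i += l
    return attrs


def verify_message_authenticator(secret, packet):
    """Server-side check: recompute HMAC-MD5 with the MA value zeroed."""
    i, end = HEADER_LEN, struct.unpack("!H", packet[2:4])[0]
    zeroed = bytearray(packet)
    while i < end:
        t, l = packet[i], packet[i + 1]
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            zeroed[i + 2:i + 18] = b"\x00" * 16
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(expected, bytes(packet[i + 2:i + 18]))
        i += l
    return False  # no Message-Authenticator: treat as failure


def server_recover_password(secret, packet):
    authenticator = packet[4:HEADER_LEN]
    for t, v in parse_attributes(packet):
        if t == ATTR_USER_PASSWORD:
            return decrypt_user_password(secret, authenticator, v)
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # assumed switch/ISE shared secret
    pkt = build_access_request(secret, 7, b"00-11-22-33-44-55", b"001122334455")  # MAB-style
    print("Message-Authenticator valid:", verify_message_authenticator(secret, pkt))
    print("password recovered by server:", server_recover_password(secret, pkt))
```

Two practitioner caveats the code makes visible: password confidentiality rests entirely on the shared secret and MD5, which is why the RADIUS path should be protected with IPsec or RadSec (RADIUS/TLS) rather than trusted because it is "inside"; and the Message-Authenticator is the only thing stopping an on-path attacker from rewriting attributes, so it should be required on every Access-Request, not only EAP-carrying ones.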
If you want to configure NTP on a Cisco Firepower NGFW 9300 Series device, from where would you configure it? A. FDM B. FMC C. FX-OS D. CCW
Answer: C
In Cisco Stealthwatch Cloud, what is an observation? A. an active threat moving laterally through the network, behind the firewall B. any fact about traffic in the network that Cisco Stealthwatch Cloud deems significant enough to record C. an alarm about anomalous behavior D. an alarm about known risky sources connected to your network
Answer: B
In Cisco secure network access, which three options are the traditional methods for user authentication? (Choose three.) A. web authentication B. downloadable access control lists C. IEEE 802.1X D. VLANs E. MAC Authentication Bypass
Answer: A, C, E
In Stealthwatch Cloud, what is an Observation? A. an alarm about anomalous behavior B. an alarm about known risky sources connected to your network C. any fact about traffic in the network that Stealthwatch Cloud deems significant enough to record D. an active threat moving laterally through the network, behind the firewall
Answer: C
In addition to helping secure and control web traffic, web content security systems also provide which three security options? (Choose three.) A. NAC B. AMP C. remote VPN access controls D. insightful reporting E. secure mobility
Answer: B, D, E
In an IKE implementation, what are the two differences between Main Mode and Aggressive Mode? (Choose two.) A. Aggressive Mode is more secure than Main Mode. B. Only Aggressive Mode protects the policy more strictly. C. Only Aggressive Mode supports dynamically addressed peers when using PSK. D. Only Main Mode is a standard. E. Only Main Mode protects peer identity.
Answer: C, E
In an IaaS use model, for which three components is the customer responsible? (Choose three.) A. hardware B. physical networking and storage C. operating system D. application data E. application software
Answer: C, D, E
In an attack where the attacker must have access to the local network and be within the Layer 3 network boundary, which Common Vulnerability Scoring System (CVSS) Attack Vector metric value will be assigned to a vulnerability? A. adjacent B. local C. network D. physical
Answer: A
In an enterprise deployment of Microsoft Windows OS, which system utility can you use to block or permit the execution of applications? A. Device Manager B. Group Policy Editor C. Registry Editor D. Services
Answer: B
In order to deploy 802.1X on a wired network, you want to enable AAA and 802.1X. Which two commands will you use in the global configuration mode to achieve that? (Choose two.) A. aaa new-model B. aaa group server radius name C. dot1x system-auth-control D. radius server name E. dot1x enable
Answer: A, C
In the DevOps culture, what does the acronym CALMS stand for? A. culture, automation, lean, measurement, sharing B. culture, automation, lean, manageability, source code C. culture, autonomy, lean, measurement, speed D. culture, autonomy, limited, manageability, speed
Answer: A
In which scenario would a company most likely choose a hybrid cloud deployment? A. A company has strict data security requirements and cannot allow any of their data to leave their network. B. A company wants to minimize their IT staff and does not have any security requirements that prevent them from fully utilizing cloud services outside of their company. C. A company has strict security requirements on a portion of their operating data; however, there is data and communication that can leave their network. D. A company wants to host all the cloud services they use in-house.
Answer: C
In which two ways can Cisco Cloudlock protect against accidentally shared files, or files shared with confidential information, in cloud storage? (Choose two.) A. Cisco Cloudlock provides file storage auto-remediation that can encrypt the file. B. Cisco Cloudlock can delete the shared copy of the file. C. Cisco Cloudlock can send a notification to the user who shared the file. D. Cisco Cloudlock provides storage auto-remediation that will lock the user's account on the file storage system. E. Cisco Cloudlock automatically changes read permissions for all unknown users that try to access the file in cloud storage.
Answer: A, C
Log monitoring and correlation, IPSs, and surveillance cameras are examples of which type of countermeasure? A. Deterrent B. Detective C. Corrective D. Recovery
Answer: B
Match each interface command with its function: 1. Enables MDA 2. Allows traffic before authentication is successful 3. A FlexAuth command that selects the order in which authentication methods are executed 4. Determines the priority of authentication methods 5. Specifies the behavior when authentication fails 6. Enables MAC-based authentication on a port A. authentication open B. mab C. authentication event fail action next-method D. authentication order E. authentication priority F. authentication host-mode multi-domain
Answer: 1-F, 2-A, 3-D, 4-E, 5-C, 6-B
Match each item with a number to create the hierarchy that the Cisco ASA appliance uses when applying user policies to remote access user VPN connections. 1. user profile 2. group policy attached to user profile 3. group policy attached to connection profile 4. DfltGrpPolicy settings A. 1 B. 2 C. 3 D. 4
Answer: 1-A, 2-B, 3-C, 4-D (most specific first; the user profile overrides the group policies, and DfltGrpPolicy supplies whatever nothing else sets)
Match security intelligence objects with their proper definitions. 1. Feed objects 2. List objects 3. General network or URL objects 4. Global whitelist/blacklist A. Created by administrators in the form of a text file and contain a static list of IP addresses and URL names with bad reputations B. Provided by Cisco and contains IP addresses and URLs with bad reputations C. Initially empty and can be populated by an administrator from connection events D. Static object you create inside Cisco FMC object manager and can also be used as objects in other policies
Answer: 1-B, 2-A, 3-D, 4-C
Match the storm control terminology with the correct description. 1. Blocks packets when exceeded 2. Restores forwarding packets when traffic rate gets lower 3. Measures in interface bandwidth percentage or traffic rate at which packets are received A. Falling threshold B. Rising threshold C. Traffic activity
Answer: 1-B, 2-A, 3-C
Match the IPsec VPN implementation technology with its benefit. 1. Is a well-known configuration concept 2. Is a virtual interface that supports many Cisco IOS and Cisco IOS XE interface capabilities 3. Provides configuration scalability when adding new spokes 4. Provides flexible deployment types with capabilities of IKEv2 A. Crypto map B. FlexVPN C. DMVPN D. VTI
Answer: 1-A, 2-D, 3-C, 4-B
Match the NGFW requirement to its description. 1. automatically blocks suspected bad web sites 2. allows only engineering employees to access development servers 3. decrypts social networking website traffic so that it can be inspected and controlled 4. detects malicious payload in network 5. differentiates between games on a social networking website and the social networking website A. user- or group-based policy B. Intrusion Prevention System C. reputation-based filtering D. SSL/TLS traffic decryption E. Granular application visibility and control
Answer: 1-C, 2-A, 3-D, 4-B, 5-E
Match the attack continuum stage to its characteristic. 1. identifies network devices, implements access controls, blocks applications, and determines what consumes most of the company's time and financial resources 2. detects intrusions, scans for viruses and malware, and defends against network attacks 3. performs log analysis, forensic fingerprinting, and malware analysis, and determines the scope and diameter of the security event A. Before B. During C. After
Answer: 1-A, 2-B, 3-C
Match the MACsec SAP mode-list keyword with the correct description. 1. authentication and encryption 2. authentication; no encryption 3. no encapsulation 4. encapsulation; no authentication or encryption A. null B. no-encap C. gcm-encrypt D. gmac
Answer: 1-C, 2-D, 3-B, 4-A
Match the correct programmatic API to the Cisco platform. 1. RESTCONF 2. gRPC 3. NETCONF 4. REST A. Cisco IOS XE B. Cisco Firewall Management Center (FMC) C. Cisco IOS XR D. Cisco Nexus
Answer: 1-A, 2-C, 3-D, 4-B
Match the following: 1. examples are firewalls, physical locks, and security policies 2. examples are log monitoring and correlation, IPSs, and surveillance cameras 3. examples are virus cleaning procedures or IPS signature updates after a worm outbreak 4. examples are signage or the mere presence of controls such as surveillance cameras A. Corrective B. Preventative C. Deterrent D. Detective
Answer: 1-B, 2-D, 3-A, 4-C
Match the host antimalware detection techniques with the correct descriptions. 1. behavioral-based detection 2. heuristics 3. sandbox analysis 4. signature-based detection A. monitors the activities of a process and provides a certain level of protection against zero-day threats B. scans files and memory content against the catalog of known characteristics C. runs a file in a controlled environment to monitor and examine specific execution attributes D. recognizes classes or families of malware based on imprecise signature matches
Answer: 1-A, 2-D, 3-C, 4-B
CAB
Match the malware type with its description. 1. self-propagates through use of networks and vulnerabilities 2. requires human interaction and inserts itself into another program 3. is a hidden malicious functionality or backdoor within existing program A. Virus B. Trojan C. Worm
ABCD
Match the phase with its correct description. 1. establish client-server security capabilities 2. server certificate and key exchange 3. client certificate (if required) and key exchange 4. finish A. Phase 1 B. Phase 2 C. Phase 3 D. Phase 4
ABCD
Match the social engineering term with its description. 1. Following someone into an area where a badge is required. 2. Looking for account information in trash. 3. Sending an email to entice a user to click a malicious link. 4. Watching someone enter credentials to compromise them. A. tailgating B. dumpster diving C. phishing D. visual hacking
BCA
Match the terminology with the correct description. 1. When a violation occurs, the interface is placed in an error-disabled state, an SNMP trap or syslog message is generated, and the security violation count number is increased by one. 2. When a violation occurs, the offending frame is dropped, an SNMP trap or syslog message is generated, and the security violation count number is increased by one. 3. When a violation occurs, the offending frame is dropped, without any notification message generated, and the security violation count number is increased by one. A. Protect B. Shutdown C. Restrict
CDBA
Match the terms with their correct definition. 1. It defines how close the rule matches must occur in the message or attachment to qualify as valid. 2. This value is the minimum score that is required for the classifier to return a result. 3. For each rule, you specify a weight to indicate the importance of the rule. 4. A rule's maximum score prevents many matches for a low-weight rule from skewing the final score of the scan. A. Maximum score B. Weight C. Proximity D. Minimum total score
CBDA
Match the tool with the service that it aims to protect. 1. CASB 2. Proxy 3. Anti-Malware 4. Firewall A. Network B. Email and Web-browsing C. Cloud D. Endpoint
DBAC
Match the type of attack to its example. 1. "You've won a $1million!" 2. [email protected] 3. www.pαypal.com 4. "Please see attached file" A. homoglyph B. spoofing C. attachments D. spam
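The homoglyph entry above (www.pαypal.com, a Greek alpha standing in for the Latin a) is worth seeing in code. The block below is an added example, not taken from the page or from any Cisco product: it shows the xn-- form such a name takes on the wire, flags labels that mix scripts, and folds a small hand-picked set of confusable characters (an assumption, not the full Unicode confusables table) back to ASCII so the look-alike can be compared with a protected brand. PROTECTED_BRANDS and the sample hostnames are constructed.

```python
"""Spot homoglyph look-alike domains such as www.pαypal.com.

Added example, not from the page. It (1) shows what the Greek alpha becomes
when the label is IDNA-encoded for DNS, (2) flags labels that mix scripts, and
(3) maps a small, hand-picked set of confusable characters (an assumption, not
the full Unicode confusables table) back to Latin so a look-alike can be
compared with a protected brand name.
"""
import unicodedata

# Constructed subset of visually confusable characters -> ASCII look-alike.
CONFUSABLES = {
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

# Constructed list of brands we want to protect (assumption).
PROTECTED_BRANDS = {"paypal.com", "cisco.com"}

# The look-alike from the question, written with an escape so the alpha is explicit.
LOOKALIKE = "www.p\u03b1ypal.com"


def to_dns_wire(hostname: str) -> str:
    """The ACE form actually sent in DNS queries (xn-- labels for non-ASCII)."""
    return hostname.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Rough script bucket taken from the Unicode character name prefix."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "GREEK", "CYRILLIC"):
        if name.startswith(script):
            return script
    return "OTHER"


def mixed_script_labels(hostname: str):
    """Labels that combine letters from more than one script."""
    bad = []
    for label in hostname.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            bad.append(label)
    return bad


def skeleton(hostname: str) -> str:
    """Fold confusables to ASCII so look-alikes compare equal to the brand."""
    folded = unicodedata.normalize("NFKC", hostname).lower()
    return "".join(CONFUSABLES.get(c, c) for c in folded)


def homoglyph_target(hostname: str):
    """Return the protected domain this hostname imitates, or None."""
    host = hostname.lower()
    registrable = ".".join(host.split(".")[-2:])
    if registrable in PROTECTED_BRANDS:
        return None  # the genuine domain, nothing to flag
    folded = ".".join(skeleton(host).split(".")[-2:])
    return folded if folded in PROTECTED_BRANDS else None


if __name__ == "__main__":
    print("wire form :", to_dns_wire(LOOKALIKE))
    print("mixed     :", mixed_script_labels(LOOKALIKE))
    print("imitates  :", homoglyph_target(LOOKALIKE))
```

The wire form is the check that matters operationally: a user sees pαypal, but the resolver, proxy logs and certificate SAN all see an xn-- label, which is what a URL filter or ESA rule should match on.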
C
Observe the output from a Cisco IOS router. Which messages will be logged to buffer?
logging on
!
logging buffered warnings
!
logging trap debugging
logging host 172.16.200.51
A. levels 4 through 7 B. levels 5 through 0 C. levels 4 through 0 D. levels 5 through 7
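A severity keyword in an IOS logging command is a ceiling: `warnings` (4) admits levels 0 through 4, not 4 and up. The block below is an added example, not from the page or from Cisco: it parses the severity digit out of the %FACILITY-SEVERITY-MNEMONIC header and applies the per-destination thresholds from the configuration above. The configuration copy and the four log lines are constructed; a `logging buffered` line that gives only a buffer size (default level) is not handled.

```python
"""Which IOS log messages reach which destination under the question's config.

Added example, not from the page or from Cisco. It parses the severity out of
the IOS message header (%FACILITY-SEVERITY-MNEMONIC) and applies the per-
destination thresholds from `logging buffered warnings` / `logging trap debugging`.
A threshold of N means 'severity N and everything more severe', i.e. levels 0..N.
"""
import re

# IOS severity keywords in numeric order (0 is the most severe).
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed copy of the configuration shown in the question.
LOGGING_CONFIG = """
logging on
!
logging buffered warnings
!
logging trap debugging
logging host 172.16.200.51
"""

# Constructed sample messages; %FAC-SEV-MNEMONIC is the real IOS header shape.
SAMPLE_LOG = [
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "%SEC-6-IPACCESSLOGP: list 100 denied tcp 10.1.0.128(4444) -> 10.2.2.2(80), 1 packet",
    "%PLATFORM-1-HARDWARE_FAILURE: fan tray 1 failed",
]

_HEADER = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")
# destination, optional buffer size (assumption: 3+ digits), then a level name or digit
_DEST = re.compile(
    r"^logging (buffered|trap|console|monitor)(?:\s+\d{3,})?\s+([a-z]+|[0-7])\s*$", re.M
)


def parse_thresholds(config: str) -> dict:
    """Map each logging destination to the least severe level it accepts."""
    thresholds = {}
    for dest, level in _DEST.findall(config):
        if level in SEVERITY:
            thresholds[dest] = SEVERITY[level]
        elif level.isdigit():
            thresholds[dest] = int(level)
    return thresholds


def levels_logged(threshold: int) -> set:
    """Severity numbers recorded when the threshold keyword maps to `threshold`."""
    return set(range(0, threshold + 1))


def message_severity(line: str) -> int:
    m = _HEADER.search(line)
    if not m:
        raise ValueError(f"no IOS header in: {line!r}")
    return int(m.group(2))


def route_messages(config: str, lines):
    """Return {destination: [lines that destination would record]}."""
    thresholds = parse_thresholds(config)
    out = {dest: [] for dest in thresholds}
    for line in lines:
        sev = message_severity(line)
        for dest, thr in thresholds.items():
            if sev <= thr:
                out[dest].append(line)
    return out


if __name__ == "__main__":
    for dest, kept in route_messages(LOGGING_CONFIG, SAMPLE_LOG).items():
        print(dest, "->", len(kept), "of", len(SAMPLE_LOG), "messages")
```

With this configuration the buffer keeps only the level 3 and level 1 lines, while the syslog host at 172.16.200.51 receives all four, which is why a remote collector is the right place to hunt for level 5 and 6 events such as CONFIG_I.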
B
Observe the output from a Cisco switch. What is the stratum level of the switch on which the command was executed?
switch#show ntp associations
  address          ref clock      st   when   poll reach  delay  offset   disp
*~162.159.200.123  10.89.8.4       2     64     64    17  2.986   0.766  2.911
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
A. 1 B. 3 C. 4 D. 2
AC
On a device with the routed control plane, which two packets received on a device physical interface would not be processed by the CPU? (Choose two.) A. application traffic blocked by the ingress ACL B. EIGRP Hello message C. ICMP Echo towards a remote destination D. IP packet with the TTL of 1 destined to a remote destination E. IP packet with the TTL of 1 destined to the device itself F. SSH packet destined to the device itself
C
On the Cisco ASA appliance, several interfaces can be grouped into an EtherChannel group for more throughput and redundancy between the security appliance and the connected networking devices. What is the maximum number of EtherChannels and interfaces assigned per channel group that you can create on the Cisco ASA? A. The Cisco ASA security appliances support up to 16 EtherChannels with up to 8 active interfaces per channel group. B. The Cisco ASA security appliances support up to 16 EtherChannels with up to 16 active interfaces per channel group. C. The Cisco ASA security appliances support up to 48 EtherChannels with up to 16 active interfaces per channel group. D. The Cisco ASA security appliances support up to 48 EtherChannels with up to 32 active interfaces per channel group.
B
On the Cisco ASA appliance, which address and subnet mask in the ACL configuration will match 10.10.10.16 to 10.10.10.31? A. 10.10.10.16 0.0.0.15 B. 10.10.10.16 255.255.255.240 C. 10.10.10.17 0.0.0.15 D. 10.10.10.17 255.255.255.240
CDAB
Rearrange the following steps in such a way that they follow the Cisco Adaptive Security Appliance (ASA) active/standby failover election process: 1. Step 1 2. Step 2 3. Step 3 4. Step 4 A. Another ASA not detected; become active. B. ASA appliance detected after this event; go into failover role negotiation. C. Another negotiating ASA detected; become primary if configured, otherwise become standby. D. Active ASA detected; become standby.
B
Refer to the exhibit. In the single interface deployment shown in the topology, the DMZ network is assigned the 172.18.1.0/24 network. Which statement is true regarding the IP address assigned to the MX record, the IP address assigned to Cisco ESA, and the firewall configuration? A. The MX record points to a public IP address assigned to Cisco ESA; Cisco ESA is assigned a public IP address; and proxy ARP is configured on the firewalls. B. The MX record points to the inside global address assigned to Cisco ESA; Cisco ESA is assigned a private DMZ IP address; and static NAT is implemented on the firewalls. C. The MX records point to the firewall IP address with low priority and Cisco ESA IP address with high priority; Cisco ESA is assigned a private DMZ IP address; and static NAT is implemented on the firewalls. D. The MX records point to the firewall IP addresses; Cisco ESA is assigned a private DMZ IP address; and dynamic NAT is implemented on the firewall.
BE
Refer to the exhibit. In the topology, NAT is present only on the VPN headends. Which two port and protocol options must be permitted on the firewall to allow for the Site-to-Site IPsec VPN? (Choose two.) A. DTLS B. Protocol 50 C. SSL D. UDP 4500 E. UDP 500
A
Refer to the exhibit. In which Cisco Umbrella segment can you find the information shown in the figure? A. Investigate B. Overview C. Policies D. Reporting
A
Refer to the exhibit. It shows a partial Cisco ASA point-to-point VPN configuration. Supposing VPN 101 is entirely configured and working correctly, which statement about the VPN traffic is true?
access-list EXAMPLE extended deny ip host 10.0.0.1 host 192.168.1.1
access-list EXAMPLE extended permit ip 10.0.0.0 255.255.255.0 host 192.168.1.1
crypto map VPN 101 match address EXAMPLE
A. Traffic sourced from 10.0.0.1 destined to 192.168.1.1 is not IPsec protected. B. The VPN forbids the use of 10.0.0.1 as a VPN headend but allows the use of 192.168.1.1. C. Traffic sourced from 10.0.0.1 and destined to 192.168.1.1 is always dropped. D. Traffic sourced from 10.1.1.1 is dropped only if the VPN is up.
ABCD
Refer to the exhibit. Match the action icon on the left with its meaning, indicated by the number on the right. 1 2 3 4 A. A file of unknown disposition copied itself. B. A benign file was moved. C. A detected file was created. D. A benign file was scanned.
ABDC
Refer to the exhibit. Match the target number with the correct protocol. 1 2 3 4 A. DTLS B. TLS C. ESP D. AHIKEv2 only
A
Refer to the exhibit. On a Windows device, an administrator is configuring the local policy by using the Local Group Policy Editor to define which applications a user can run. The user starts MS PowerPoint by using the command line and uses the File Explorer to run MS Excel. What is the resulting system behavior? A. The user can run both MS PowerPoint and MS Excel. B. The user can run MS PowerPoint and cannot run MS Excel. C. The user cannot run MS PowerPoint and can run MS Excel. D. The user cannot run MS Word or MS Excel.
A
Refer to the exhibit. On which device is the Cisco Firepower NGFW VPN topology configured and what can you conclude from it? A. The FMC; the topology includes two nodes: an FTD VPN endpoint and an external or FMC-managed endpoint. B. The FMC; the configuration is incorrect because both Node A and Node B must be FTD FMC-managed endpoints. C. The FTD; the configuration is used to configure a VPN point-to-point with an external endpoint. D. The FMC, the configuration is valid because it satisfied the requirement that both endpoints must be Cisco supported endpoints.
A
Refer to the exhibit. On which platform did Cisco Cloudlock detect an incident? A. Box B. Cloudlock C. Dropbox D. Microsoft Office
C
Refer to the exhibit. User1 needs to send an email to the admin user in the cisco.com domain. He makes a mistake and sends the email to [email protected], but this email box is not configured on the Exchange mail server of cisco.com. Which system drops the email? A. client PC of [email protected] B. Cisco ESA C. the mail server D. MTA server
D
Refer to the exhibit. Which packet is permitted by the access control list (ACL)?
access-list 100 permit tcp 10.0.0.1 0.1.1.254 any
access-list 100 deny ip 10.0.0.1 0.1.1.254 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
A. DNS packet with source 10.1.1.101 B. HTTP packet with source 10.1.0.128 C. ICMP packet with source address 10.0.0.1 D. SSH packet with source address 10.0.1.3
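The wildcard 0.1.1.254 in the ACL above is non-contiguous: it fixes the first octet, the high seven bits of the second and third octets, and only the lowest bit of the fourth octet (so it matches 10.{0,1}.{0,1}.odd). The block below is an added example, not from the page or from Cisco; it evaluates the three lines first-match with the implicit deny against the four candidate packets, and also handles the earlier ASA question by converting a wildcard to the subnet-mask form the ASA expects and checking that 10.10.10.16/255.255.255.240 covers .16 through .31. The ACL copy and the packet list are constructed.

```python
"""Evaluate the IOS ACL from the question against candidate packets.

Added example, not from the page or from Cisco: it implements wildcard-mask
matching in plain Python so the non-contiguous mask 0.1.1.254 can be checked
bit by bit, and converts between IOS wildcard masks and the ASA subnet-mask form
asked about in the 10.10.10.16-31 question.
"""
import ipaddress

# Constructed copy of the ACL in the question: (action, protocol, source, wildcard).
ACL_100 = [
    ("permit", "tcp", "10.0.0.1", "0.1.1.254"),
    ("deny",   "ip",  "10.0.0.1", "0.1.1.254"),
    ("permit", "ip",  "10.0.0.0", "0.0.0.255"),
]

# Constructed candidate packets from the question: (label, protocol, source).
PACKETS = [
    ("A: DNS from 10.1.1.101",  "udp",  "10.1.1.101"),
    ("B: HTTP from 10.1.0.128", "tcp",  "10.1.0.128"),
    ("C: ICMP from 10.0.0.1",   "icmp", "10.0.0.1"),
    ("D: SSH from 10.0.1.3",    "tcp",  "10.0.1.3"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under an IOS wildcard mask.

    A 0 bit in the wildcard means 'must match', a 1 bit means 'don't care';
    unlike a subnet mask the 1 bits need not be contiguous.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, proto: str, src: str) -> str:
    """First-match evaluation; IOS ACLs end with an implicit deny."""
    for action, acl_proto, base, wc in acl:
        proto_ok = acl_proto == "ip" or acl_proto == proto
        if proto_ok and wildcard_match(src, base, wc):
            return action
    return "deny (implicit)"


def wildcard_to_subnet_mask(wildcard: str) -> str:
    """ASA ACLs take a subnet mask, the bitwise inverse of an IOS wildcard."""
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(~w & 0xFFFFFFFF))


def asa_range(base: str, mask: str):
    """(first, last) address covered by an ASA network/mask ACL entry."""
    net = ipaddress.IPv4Network(f"{base}/{mask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


def is_network_boundary(base: str, mask: str) -> bool:
    """ASA expects the network address; 10.10.10.17 with /28 has host bits set."""
    try:
        ipaddress.IPv4Network(f"{base}/{mask}", strict=True)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, proto, src in PACKETS:
        print(f"{label:26s} -> {evaluate(ACL_100, proto, src)}")
    print("0.0.0.15 as ASA mask:", wildcard_to_subnet_mask("0.0.0.15"))
    print("10.10.10.16/255.255.255.240 covers", asa_range("10.10.10.16", "255.255.255.240"))
```

Only the SSH packet from 10.0.1.3 is permitted: it is odd and TCP, so line 1 matches. The DNS and ICMP packets are odd-addressed but not TCP, so line 2 denies them, and 10.1.0.128 is even, misses both wildcard lines and is outside 10.0.0.0/24, so it falls to the implicit deny.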
B
Refer to the exhibit. Which transport type does the message format represent? A. AH Transport mode and ESP Tunnel mode B. NAT-T ESP Tunnel mode C. regular ESP and AH Tunnel mode D. regular ESP Tunnel mode
D
Refer to the exhibit. Which type of topology is represented? A. dual hub-multi spoke network B. hub-and-spoke network C. joined hub-and-spoke network D. tiered hub-and-spoke network
C
Refer to the exhibit. You are configuring the private VLAN (PVLAN) feature across multiple switches. Which interface or interfaces should be configured as promiscuous? A. interface po11 on the Access01 switch and interface po22 on the Access02 switch B. interface Te1/0/0 on the router C. interface Te1/7 on the Dist01 switch D. interface po11 and interface po22 on the Dist01 switch
ABCD
Refer to the figure. Match the action icon on the left with its meaning, indicated by the number on the right. 1 2 3 4 A. A benign file was executed. B. A detected file copied itself. C. A file of unknown disposition was created. D. A detected file was moved.
ACDB
Refer to the figure. Match the action icon on the left with its meaning, indicated by the number on the right. 1 2 3 4 A. A file of unknown disposition was moved. B. A detected file was opened. C. A detected file was scanned. D. A file was successfully convicted by TETRA or ClamAV.
DBCAEF
Refer to the figure. Match the policy actions represented by numbers with the correct policy type and correct score range. A. Monitor B. Allow C. Block D. Scan E. Decrypt F. Pass-through.
AD
Refer to the following show output. Which two statements are correct? (Choose two.)
Router# show policy-map control-plane all
Control Plane Host

Service-policy input: CPPR-POLICY

    Class-map: CPPR-EIGRP-CLASS (match-all)
      13 packets, 1062 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name CPPR-EIGRP
      police:
          rate 200 pps, burst 48 packets
        conformed 13 packets, 13 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 pps, exceeded 0 pps

    Class-map: class-default (match-any)
      16 packets, 7664 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
      police:
          rate 50 pps, burst 12 packets
        conformed 2 packets, 2 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 pps, exceeded 0 pps
A. 13 packets matched the CPPR-EIGRP-CLASS class-map. B. A total of 60 packets have been rate limited. C. The CPPR-POLICY is applied to the transit subinterface. D. This is a Control Plane Protection example. E. This is a Control Plane Policing example.
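The two things to read off this output are the subinterface name after "Control Plane" (Host, Transit or CEF-Exception means Control Plane Protection rather than aggregate CoPP) and the "exceeded ... drop" counters, which are the only packets actually rate limited; 200 pps and 50 pps are policer rates, not counts. The block below is an added example, not from the page or from Cisco: a small parser over a constructed copy of the exhibit that extracts per-class counters so the statements can be checked, and that an operator could run over a periodic `show policy-map control-plane` capture to alert when a class starts dropping.

```python
"""Parse `show policy-map control-plane` counters and flag rate-limited classes.

Added example, not from the page or from Cisco. SAMPLE_OUTPUT is a constructed
copy of the exhibit; the parser pulls each class-map's conformed and exceeded
packet counts so the statements in the question can be checked mechanically
('rate limited' here means counted under 'exceeded ... drop').
"""
import re

SAMPLE_OUTPUT = """\
Router# show policy-map control-plane all
Control Plane Host

Service-policy input: CPPR-POLICY

    Class-map: CPPR-EIGRP-CLASS (match-all)
      13 packets, 1062 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name CPPR-EIGRP
      police:
          rate 200 pps, burst 48 packets
        conformed 13 packets, 13 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 pps, exceeded 0 pps

    Class-map: class-default (match-any)
      16 packets, 7664 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
      police:
          rate 50 pps, burst 12 packets
        conformed 2 packets, 2 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 pps, exceeded 0 pps
"""

_SUBIF = re.compile(r"^Control Plane (Host|Transit|CEF-Exception)\s*$", re.M)
_CLASS = re.compile(r"^\s*Class-map: (\S+) \((match-all|match-any)\)", re.M)
_MATCHED = re.compile(r"^\s*(\d+) packets, (\d+) bytes", re.M)
_POLICE = re.compile(r"rate (\d+) pps, burst (\d+) packets")
_CONF = re.compile(r"conformed (\d+) packets, (\d+) bytes; actions:\s*\n\s*(\w+)")
_EXC = re.compile(r"exceeded (\d+) packets, (\d+) bytes; actions:\s*\n\s*(\w+)")


def parse_copp(text: str) -> dict:
    """Return {"subinterface": str or None, "classes": [per-class dicts]}."""
    sub = _SUBIF.search(text)
    classes = []
    # re.split with two groups yields [pre, name, type, body, name, type, body, ...]
    parts = _CLASS.split(text)
    for i in range(1, len(parts), 3):
        name, kind, body = parts[i], parts[i + 1], parts[i + 2]
        matched = _MATCHED.search(body)
        police = _POLICE.search(body)
        conf = _CONF.search(body)
        exc = _EXC.search(body)
        classes.append({
            "name": name,
            "type": kind,
            "matched_packets": int(matched.group(1)) if matched else 0,
            "rate_pps": int(police.group(1)) if police else None,
            "conformed": int(conf.group(1)) if conf else 0,
            "conformed_action": conf.group(3) if conf else None,
            "exceeded": int(exc.group(1)) if exc else 0,
            "exceeded_action": exc.group(3) if exc else None,
        })
    return {"subinterface": sub.group(1) if sub else None, "classes": classes}


def rate_limited_total(parsed: dict) -> int:
    """Packets dropped by the policer across all classes."""
    return sum(c["exceeded"] for c in parsed["classes"] if c["exceeded_action"] == "drop")


def is_control_plane_protection(parsed: dict) -> bool:
    """CPPr attaches policies to the host/transit/CEF-exception subinterfaces;
    aggregate CoPP output shows plain 'Control Plane' with no subinterface name."""
    return parsed["subinterface"] is not None


def dropping_classes(parsed: dict):
    """Class names with a non-zero exceeded count: the alerting condition."""
    return [c["name"] for c in parsed["classes"] if c["exceeded"] > 0]


if __name__ == "__main__":
    p = parse_copp(SAMPLE_OUTPUT)
    print("subinterface:", p["subinterface"], "| CPPr:", is_control_plane_protection(p))
    for c in p["classes"]:
        print(f'{c["name"]:18s} matched={c["matched_packets"]:4d} '
              f'conformed={c["conformed"]:4d} exceeded={c["exceeded"]:4d}')
    print("rate limited total:", rate_limited_total(p))
```

For the exhibit the parser reports subinterface Host, 13 packets matched in CPPR-EIGRP-CLASS and zero packets exceeded anywhere, which is exactly why statements A and D hold and B does not.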
ABC
Referring to the suspicious URL that is shown below, which three statements are correct? (Choose three.) A. The www.example.com web server has a vulnerable PHP script. B. The attacker is attempting to cause the www.example.com web server to execute an external script from the www.example1.com server. C. The attacker is attempting to hide the attack by encoding part of the URL. D. The attacker is exploiting a vulnerability in the client web browser using a PHP script. E. The attacker is using directory traversal to access a directory that is outside of the www.example.com web server's root directory.
A
Regarding exploit kits, which option explains what a shadow domain is? A. a second-level domain that is registered by a malicious person using compromised domain registration information from a legitimate site B. the series of redirects that a web browser goes through when a web page is unavailable due to being moved C. websites set up by company's information security teams to act as a "honey pot" to catch malicious actors who may try to deface their website D. domains that are registered with dynamic DNS or fast flux DNS services to keep the domain and IP addresses frequently rotating to prevent detection by scanning tools
B
The Cisco ASA global ACL is applied in which traffic direction? A. outbound B. inbound C. outbound or inbound D. outbound and inbound
C
To provide file and device trajectory features, what is used by the AMP console to track AMP clients? A. IP address B. username C. AMP connector client ID D. computer name
BCE
What are the three basic security requirements of network security? (Choose three.) A. accountability B. availability C. confidentiality D. cryptography E. integrity F. visibility G. hashing
ADE
What are the three control plane subinterfaces that are automatically created by control plane protection? (Choose three.) A. host subinterface B. fast-switched subinterface C. process-switched subinterface D. Cisco Express Forwarding-exception subinterface E. transit subinterface F. control subinterface
BDE
What are the three similarities between IDS and IPS sensors? (Choose three.) A. Both use reflective ACLs to detect malicious network activity. B. Both use signature files to determine whether suspicious activity is occurring. C. Both can block attacks that would normally pass through a traditional firewall device. D. Both can verify that the rules of network protocols such as TCP/IP, UDP, and ICMP are properly followed. E. Both can analyze all traffic that controls Layer 2-to-Layer 3 mappings, such as ARP and DHCP.
ABC
What are the three threats to a vulnerable application during a buffer overflow attack? (Choose three.) A. corruption of data B. crash the application C. execution of malicious code D. iframe injection E. cross-site-scripting execution
AB
What are the two benefits of cloud-based security services? (Choose two.) A. The cloud promotes greater optimization and utilization of assets to achieve significant cost reduction. B. The cloud provides flexibility in the way that enterprise organizations source, deliver, and consume security services. C. Cloud providers automatically deploy advanced threat analytics to secure confidential customer data, such as customer information. D. With cloud-based security services, enterprise organizations can remove complex layers of on-premises security policies and procedures. E. Migration of security services between cloud providers is easier to achieve.
A
What are the two general categories of CASB architectures? A. inline and out-of-band B. inline and proxy C. log-based and proxy D. API-based and log-based
AB
What are the two main concepts in the Cisco SAFE design methodology? (Choose two.) A. PINs B. secure domains C. secure designs D. policy enforcement points E. cloud compliance
BE
What are the two reasons that organizations are deploying CASB solutions? (Choose two.) A. SaaS-based solutions typically provide customers with comprehensive security tools to control access to any application, from anywhere, on any device. B. It is not always possible to force cloud-based traffic through corporate security infrastructure. C. CASB is the next big thing. D. CASB solutions primarily focus on protecting the endpoints. E. Deploying and maintaining all of the individual security microservices required to secure the SaaS applications usage is costly, in terms of both money and time, and there is no guarantee of parity between different vendors.
BD
What are the two use cases of retrospective security? (Choose two.) A. sending an unknown file to Threat Grid for analysis B. determining where a file has been in the network over time C. updating perimeter security devices to block traffic that was previously permitted D. identifying previously unknown malware E. disseminating threat information to all customers globally
ACE
What are three characteristics of RADIUS? (Choose three.) A. RADIUS uses UDP. B. RADIUS performs authentication and accounting only. C. RADIUS encrypts passwords. D. RADIUS encrypts the entire body of the packet. E. RADIUS uses one UDP port for authentication and one for accounting.
ABC
What are three core 802.1X components? (Choose three.) A. 802.1X supplicant B. authentication server C. authenticator D. NAC server E. AAA client F. NAC manager G. NAC agent
BDE
What are three required Cisco Stealthwatch components? (Choose three.) A. Flow Sensor B. Flow Collector C. UDP Director D. SMC E. Flow Rate License F. Stealthwatch Endpoint Connector G. Stealthwatch Cloud
DEF
What are three types of contextual information that Stealthwatch Enterprise can receive from ISE? (Choose three.) A. Pre-NAT Address and Post-NAT IP Address B. Device Posture Information C. Network Visibility Flow (nvzFlow) Data D. User Name E. SGT F. Device Type
AD
What are two benefits of a DMVPN implementation compared to a hub and spoke topology built by using multiple point-to-point links? (Choose two.) A. compact configuration on the hub B. faster VPN setup using IKE Aggressive mode C. more secure VPN implementation D. spoke-to-spoke traffic optimization E. support of routing protocols on VPN tunnels
CD
What are two benefits to deploying a threat-monitoring appliance for SMTP traffic? (Choose two.) A. Email content security appliances detect malware and detonate it in a sandbox environment for further analysis. B. Email content security appliances allow Snort rules to trigger system administrator alerts. C. Email content security appliances can filter sensitive outbound email. D. Reputation-based filtering can be deployed to filter a large percentage of spam email. E. Email content security appliances establish secure tunnels between end-user email clients and the SMTP server, reducing the need for email authentication.
AE
What are two default behaviors for public and private listeners of Host Access Table (HAT) on Cisco Email Security Appliance (ESA)? (Choose two.) A. accept connections from external hosts B. accept connections from internal hosts C. drop connections from external hosts D. relay connections from external hosts E. relay connections from internal hosts
AB
What are two examples of control plane security controls? (Choose two.) A. routing protocol authentication B. spanning tree protection C. private VLANs D. uRPF checks E. stateful packet inspections
AB
What are two of the top-level default host groups in the SMC? (Choose two.) A. Inside Hosts B. Outside Hosts C. Network Scanners D. VoIP
DE
What are two valid Cyber Threat Intelligence (CTI) sources on Cisco Firepower Management Center (FMC)? (Choose two.) A. Cisco Talos B. CVSS C. Shodan D. STIX E. TAXII
B
What do attackers use to launch an attack on a location without the attack coming directly from the attacker's location? A. spear phishing B. malware that is controlled through CnC C. direct SYN flood attack D. ping of death
D
What does IP source guard do? A. Statelessly matches the IP packet header or payload (or both), based on arbitrary criteria. B. Statefully matches the IP packet header or payload (or both), based on arbitrary criteria. C. Matches the IP address of a packet against the IP routing table. D. Matches the IP address and MAC address of a packet against a DHCP binding table, IP device tracking table, or manually configured bindings.
C
What does NTP authentication verify? A. NTP client B. NTP server and client C. NTP server D. session between server and client
C
What does PIN stand for in Cisco SAFE design methodology? A. personal identification number B. persons of interest C. places of interest D. places on internet
A
What does it mean that an application is an open solution? A. It contains an integration point to accept connections from outside entities. B. No authentication is needed to access resources. C. The application can be deployed in the public cloud. D. The source code is open-source.
B
What does strict uRPF do? A. Validates the existence of the source network of the packet in the routing table and provides a method for dropping packets from unknown and therefore invalid networks. B. Verifies that the packet is coming through the expected interface. Packets that are coming from unexpected interfaces (the RIB and FIB) are dropped. C. Uses ACL on each interface to protect against spoofed packets. D. Uses the multicast routing table to verify if each incoming packet has a valid source IP address.
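The difference between the two modes is easiest to see on a forwarding table. The block below is an added example, not from the page or from Cisco: a toy FIB with longest-prefix lookup, where strict mode demands that the best route back to the source leave through the ingress interface and loose mode only demands that a route exists. The FIB, interface names and packets are constructed; the `allow_default` flag models the IOS `allow-default` keyword, and equal-cost paths (which strict mode on real routers accepts on any member interface) are not modelled.

```python
"""Strict versus loose unicast RPF, modelled over a toy FIB.

Added example, not from the page or from Cisco. The FIB, interfaces and
packets are constructed; lookups use longest-prefix match via the ipaddress
module. Strict mode requires the best route back to the source to point out
the ingress interface; loose mode only requires that some route exists. A
match on the default route alone fails unless allow_default is set.
"""
import ipaddress

# Constructed FIB: prefix -> egress interface
FIB = {
    "0.0.0.0/0":    "Gi0/0",   # default toward the ISP
    "10.10.0.0/16": "Gi0/1",   # campus
    "10.20.0.0/16": "Gi0/2",   # data centre
    "192.0.2.0/24": "Gi0/0",   # customer prefix reachable via the ISP link
}

# Constructed packets: (ingress interface, source address, note)
PACKETS = [
    ("Gi0/1", "10.10.5.7",   "legitimate campus host"),
    ("Gi0/0", "10.10.5.7",   "campus address arriving from the Internet: spoofed"),
    ("Gi0/0", "192.0.2.9",   "legitimate, reached via the ISP link"),
    ("Gi0/0", "203.0.113.4", "only the default route covers it"),
    ("Gi0/2", "172.16.3.3",  "no specific route at all"),
]


def lookup(fib, addr: str):
    """Longest-prefix match; returns (network, interface) or (None, None)."""
    ip = ipaddress.IPv4Address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best if best else (None, None)


def urpf_check(fib, ingress: str, src: str, mode: str, allow_default: bool = False) -> bool:
    """True if the packet passes uRPF in the given mode ('strict' or 'loose')."""
    net, iface = lookup(fib, src)
    if net is None:
        return False                      # no route at all: always dropped
    if net.prefixlen == 0 and not allow_default:
        return False                      # matched only the default route
    if mode == "loose":
        return True                       # any route back to the source is enough
    if mode == "strict":
        return iface == ingress           # the route must point out the ingress interface
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for ingress, src, note in PACKETS:
        s = urpf_check(FIB, ingress, src, "strict")
        l = urpf_check(FIB, ingress, src, "loose")
        print(f"{src:12s} in {ingress}: strict={'pass' if s else 'DROP'} "
              f"loose={'pass' if l else 'DROP'}  ({note})")
```

The second packet is the case strict mode exists for: a campus source address arriving on the Internet-facing interface. Loose mode lets it through because 10.10.0.0/16 is in the FIB, which is why loose mode belongs on multihomed edges where asymmetric routing is normal and strict mode belongs on single-homed access or customer-facing interfaces.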
A
What does the AMP for Endpoints TETRA engine examine or perform to recognize potentially dangerous files? A. antivirus scan B. patterns learned via machine learning C. pieces of code D. SHA-256 integrity check
D
What does the NAT term "outside global address" represent in the NAT configuration? A. A globally routable IPv4 address that represents one or more inside local IPv4 addresses to the outside world. B. The IPv4 address of an outside host as it appears to the inside network. C. The IPv4 address that is assigned to a host on the inside network. D. The IPv4 address that is assigned to a host on the outside network by the host owner.
B
What does the proximity value define in a custom Data Loss Prevention (DLP) policy configured on the Cisco Email Security Appliance (ESA)? A. the maximum difference from a regular expression rule to qualify as valid B. the maximum distance of the rule matches that still qualify as valid C. the similarity of the matches within two different DLP policies D. the similarity of two matches within the same DLP policy
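The four DLP scoring terms from the earlier matching question (weight, maximum score, proximity, minimum total score) and the proximity question here are easiest to understand by running a scan. The block below is an added example, not from the page and not the Cisco ESA implementation: a model of the terms in which each rule's matches are multiplied by its weight and capped at its maximum score, a match only counts when a match of a different rule lies within `proximity` characters, and the policy fires when the total reaches the minimum. The rules, weights, thresholds and sample messages are all assumptions.

```python
"""A toy content classifier showing what weight, maximum score, proximity and
minimum total score do in a DLP policy.

Added example, not from the page and not the Cisco ESA implementation. It is a
model of the four terms so their effect on a scan can be seen. Rules, weights,
sample messages and the proximity semantics (a match only counts when a match
of a different rule lies within `proximity` characters) are all assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    pattern: str          # regex for the content to detect
    weight: int           # importance of one match of this rule
    max_score: int        # cap so many low-weight matches cannot dominate


@dataclass
class Policy:
    rules: list
    proximity: int        # max distance (chars) between matches of different rules
    min_total_score: int  # classifier returns a hit only at or above this


# Constructed policy: a card number is strong evidence on its own; the word
# "card" is weak evidence and capped so a page full of "card" cannot trigger.
POLICY = Policy(
    rules=[
        Rule("pan", r"\b(?:\d{4}[- ]?){3}\d{4}\b", weight=50, max_score=100),
        Rule("keyword", r"\b(?:card|cvv|expir\w*)\b", weight=10, max_score=20),
    ],
    proximity=60,
    min_total_score=60,
)


def raw_matches(policy: Policy, text: str):
    """[(rule_name, start_offset)] for every regex hit in the text."""
    hits = []
    for rule in policy.rules:
        for m in re.finditer(rule.pattern, text, re.I):
            hits.append((rule.name, m.start()))
    return hits


def valid_matches(policy: Policy, hits):
    """Apply proximity: keep a hit only if some other rule's hit is within range.
    With a single-rule policy there is nothing to be near, so every hit counts."""
    if len(policy.rules) == 1:
        return hits
    kept = []
    for name, pos in hits:
        if any(o != name and abs(opos - pos) <= policy.proximity for o, opos in hits):
            kept.append((name, pos))
    return kept


def score(policy: Policy, text: str) -> dict:
    """Per-rule capped scores, the total, and whether the minimum was reached."""
    hits = valid_matches(policy, raw_matches(policy, text))
    per_rule = {}
    for rule in policy.rules:
        n = sum(1 for name, _ in hits if name == rule.name)
        per_rule[rule.name] = min(n * rule.weight, rule.max_score)
    total = sum(per_rule.values())
    return {"per_rule": per_rule, "total": total, "match": total >= policy.min_total_score}


if __name__ == "__main__":
    # Constructed sample messages (the card number is the standard test PAN).
    for text in (
        "Please charge my card 4111 1111 1111 1111, CVV 123",
        "4111 1111 1111 1111 card card card card card",
        "4111 1111 1111 1111" + " x" * 100 + " card",
    ):
        print(score(POLICY, text))
```

The three samples show each knob: the first fires (50 + 20 = 70), the second shows the keyword cap holding five "card" hits at 20 instead of 50, and the third shows proximity discarding a PAN and a keyword that sit 200 characters apart, so the scan scores zero.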
A
What happens to the victim's browser during an HTTP 302 cushioning? A. The browser is redirected to the malicious web page that delivers the exploit to the victim's machine through a series of HTTP 302 redirections. B. The browser displays the HTTP 302 redirection warning and prevents the web redirection to the malicious web page that delivers the exploit to the victim's machine. C. The browser executes the malicious script and is then redirected to the malicious web page that delivers the exploit to the victim's machine. D. The browser loads the iFrame and is then redirected to the malicious web page that delivers the exploit to the victim's machine.
A
What happens when a file hash has never been seen by the Cisco cloud malware analysis system? A. An unknown disposition status is returned, and the file is automatically submitted to the cloud for dynamic analysis. B. An unknown disposition status is returned, and the file is automatically stored on the local firewall SSD module. C. The file is sent directly to Cisco for analysis D. A CVE is automatically generated for the file and uploaded to the cloud for dynamic analysis. E. The file is quietly discarded, and the end user is alerted to the presence of malware.
A
What is Cisco SAFE? A. a design methodology to ensure security at multiple places in the network B. a standards-based protocol for analyzing encrypted traffic C. a standards-based organization within the IEEE that prescribes secure network architectures D. the Cisco security intelligence organization, tasked with threat response for cloud environments
A
What is a benefit of Static Crypto Map VPNs compared to other VPN types? A. interoperability between Cisco ASA and IOS XE B. the possibility to map users to multiple encryption criteria C. routing-based encryption criteria D. support for multicast
B
What is a characteristic of the Double IP Flux DNS technique regarding queries and responses? A. different response for the same DNS Query B. different response for the same Name Server (NS) C. same response for a different DNS Query D. same response for the same DNS Query
A
What is a disadvantage of an API-based CASB approach? A. If the application developer has not written an API, it is up to each customer to write their own APIs for the application. B. If the application developer has not written an API, the CASB solution cannot integrate with the application. C. API-based CASB solutions must be in the data path between the client and application. D. API-based CASB solutions must be deployed by the application developer to integrate with the customer's API-based CASB solution.
A
What is a primary security benefit when using identity and access management for authorization posturing services? A. The user will be provided different levels of access and service based on the device they are using when they enter their authentication credentials. B. The user device is assigned a log key, which eliminates the need to authenticate the user or device when accessing the network. C. The posturing service enables endpoint camera services to validate user identity. D. Authenticated devices allow multiple users to access network services using the same user authentication credentials.
C
What is an advantage of a Clientless SSL Remote Access VPN? A. Encryption performs more efficiently than with other VPN solutions. B. It can traverse most firewalls by using the NAT-T feature. C. It does not require administrative privileges on clients. D. It is designed for real-time applications.
C
What is an advantage when deploying the Talos Intelligence Group security intelligence feed? A. updated virus signatures for IT administrators to deploy on user end stations B. updated geolocation database updates, to track malicious activities origins C. regular updates to ensure that the system uses up-to-date information to filter your network traffic D. archival intelligence feeds that are only obtained from the internet storm center E. real-time cyber analytics feeds from leading governments around the globe
D
What is an example of a reconnaissance attack tool that will cycle through all well-known ports to provide a complete list of all services that are running on the hosts? A. Netuse B. ipconfig C. show run D. NMAP
A
What is in a conversational flow record? A. The end-to-end bidirectional communications between the hosts, including the who, when, where, how, and what questions about the flow. B. The unidirectional communications between the hosts, including the who, when, where, how, and what questions about the unidirectional flow. C. The duplicated NetFlow data from the different flow exporters (network devices), including the who, when, where, how, and what questions about the flow. D. The bidirectional communications between the flow collector and the flow exporters (network devices), including the who, when, where, how, and what questions about the flow.
B
What is not possible for a Cisco Cloudlock administrator to see in the Behavioral Risk dashboard? A. location-based risk B. most downloaded assets C. top users with admin activity D. users with the most login failures
C
What is required for on-network Cisco Umbrella deployment that requires local IP granularity to enable granular policy control and reporting on a per-network basis? A. Roaming Clients B. Active Directory connector C. Virtual Appliance D. Cisco Umbrella Investigate
D
What is required for the end user devices to have off-network Cisco Umbrella protection? A. Cisco Umbrella Virtual Appliance B. Cisco AMP for Endpoints agent C. Cisco Umbrella Windows or MAC connector D. Cisco Umbrella Roaming Client or the Cisco Umbrella Roaming Security module for Cisco AnyConnect client
A
What is the Stealthwatch Enterprise mechanism that assigns index points to a host? A. Security Event B. Alarm C. Concern Level D. Impact Level
A
What is the attacker trying to gain by turning off the Windows Firewall on the victim's Windows machine? A. allow unsolicited incoming connections to the victim's machine. B. block all outgoing connections from the victim's machine. C. enable the victim's machine to send outbound CnC traffic back to the attacker's infrastructure. D. allow a VPN connection from the victim's machine to the attacker's CnC server.
A
What is the benefit of using the PKI signed Cisco ISE certificates instead of self-signed ones when deploying user or computer authentication with 802.1X? A. ease of distribution B. extended usage capabilities C. increased security D. transparency to the user
C
What is the biggest risk associated with applications on mobile devices? A. built-in backdoors B. common compromise C. elevated privileges D. parallel malware installation
C
What is the correct description of the Device Trajectory and File Trajectory features of Cisco AMP for Endpoints? A. Device Trajectory shows device interaction with the same file and File Trajectory shows how different files traversed the network. B. Device Trajectory shows how different devices traversed the network and File Trajectory shows how different files traversed the network. C. Device Trajectory shows process interaction on the same endpoint and File Trajectory shows how different files traversed the network. D. Device Trajectory shows how different files traversed the network and File Trajectory shows process interaction on the same endpoint.
ACBED
What is the correct order of the security controls applied by the Cisco Email Security Appliance (ESA) to an email received by an external source? Match the ordinal number with the Cisco ESA security control. 1st 2nd 3rd 4th 5th A. Reputation filter B. Antispam C. Message filter D. Content filter E. Antivirus
D
What is the default port security violation mode on Cisco switches? A. dynamic B. protect C. restrict D. shutdown E. sticky
D
What is the default security level of an interface named "inside"? A. 0 B. 25 C. 50 D. 100
A
What is the difference between DevOps and SecDevOps? A. DevOps is a deliberate effort to align the application development team with the application operations team, while SecDevOps introduces additional processes within the framework, to mitigate the risk that the CI/CD operational tempo will compromise application security. B. DevOps is a deliberate effort to align the application development team with the application operations team, while SecDevOps introduces security layers to protect the data in the rest of the application development code. C. DevOps is a design methodology to incorporate operational feedback into the software development lifecycle, while SecDevOps is a security-centric approach to application design that places application security at the center of every application design. D. DevOps is a CI/CD framework, while SecDevOps is a CASB framework.
D
What is the difference between a host-based firewall and a traditional firewall? A. The host-based firewall can block traffic based on application or file type. B. The traditional firewall can identify and protect against malicious HTTP exploits. C. There is no difference between the functional aspects of host-based and traditional firewalls. D. Host-based firewalls protect an individual machine, while traditional firewalls control traffic arriving at and leaving networks.
D
What is the difference between brute-forcing and password spraying? A. Brute-forcing refers to extracting AES keys from memory, and password spraying is attempting all possible passwords from a dictionary of common passwords. B. Brute-forcing is calculating the most likely password for a user, based on the user's birthday, anniversary, and children's birthdays. Password spraying means to try every password based on a dictionary. C. Brute-forcing is coercing users to give you their password, and password spraying refers to gathering credentials through phishing campaigns. D. Brute-forcing is an attempt of every possible password on certain accounts, and password spraying is attempting only a couple common passwords on every possible account.
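The operational consequence of the distinction is that a per-account lockout threshold stops the first attack and does nothing against the second, so the detection for spraying has to pivot on the source rather than the account. The block below is an added example, not from the page: it reads constructed authentication log lines in a made-up `ts user= src= result=` format, lists the accounts a per-account lockout would catch, and labels each source as brute-force, password-spray or benign. The lockout threshold and the spray heuristic (four or more accounts, at most two failures each) are assumptions.

```python
"""Tell a brute-force attempt from a password spray in authentication logs.

Added example, not from the page. The log lines are constructed in a made-up
"ts user=... src=... result=..." format; the thresholds are assumptions. The
point is the shape of the two attacks: brute force piles many failures on one
account (and trips lockout), a spray spreads one or two guesses over many
accounts from the same source and stays under the per-account lockout threshold.
"""
from collections import defaultdict
import re

LOCKOUT_THRESHOLD = 5      # assumption: lockout after 5 failures on one account

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)")

# Constructed sample: a brute force from 198.51.100.7, a spray from 203.0.113.9,
# and an ordinary user typo from 192.0.2.50.
SAMPLE_LOG = """\
10:00:01 user=alice src=198.51.100.7 result=FAIL
10:00:02 user=alice src=198.51.100.7 result=FAIL
10:00:03 user=alice src=198.51.100.7 result=FAIL
10:00:04 user=alice src=198.51.100.7 result=FAIL
10:00:05 user=alice src=198.51.100.7 result=FAIL
10:00:06 user=alice src=198.51.100.7 result=FAIL
10:05:00 user=alice src=203.0.113.9 result=FAIL
10:05:01 user=bob src=203.0.113.9 result=FAIL
10:05:02 user=carol src=203.0.113.9 result=FAIL
10:05:03 user=dave src=203.0.113.9 result=FAIL
10:05:04 user=erin src=203.0.113.9 result=FAIL
10:05:05 user=frank src=203.0.113.9 result=SUCCESS
10:07:00 user=grace src=192.0.2.50 result=FAIL
10:07:30 user=grace src=192.0.2.50 result=SUCCESS
"""


def parse(log: str):
    """Parse the constructed log format into a list of dicts."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_by_source(events):
    """{src: {user: failure_count}}, the pivot both detections need."""
    table = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "FAIL":
            table[e["src"]][e["user"]] += 1
    return table


def locked_accounts(events):
    """Accounts a per-account lockout threshold would lock (any source)."""
    per_user = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            per_user[e["user"]] += 1
    return sorted(u for u, n in per_user.items() if n >= LOCKOUT_THRESHOLD)


def classify_sources(events, spray_min_accounts=4):
    """Label each source 'brute-force', 'password-spray' or 'benign'."""
    verdict = {}
    for src, per_user in failures_by_source(events).items():
        max_per_account = max(per_user.values())
        if max_per_account >= LOCKOUT_THRESHOLD:
            verdict[src] = "brute-force"           # one account hammered
        elif len(per_user) >= spray_min_accounts and max_per_account <= 2:
            verdict[src] = "password-spray"        # many accounts, few tries each
        else:
            verdict[src] = "benign"
    return verdict


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("locked by threshold:", locked_accounts(ev))
    for src, label in classify_sources(ev).items():
        print(f"{src:14s} {label}")
```

Note that the spraying source never pushes any single account past the threshold, yet it obtains a valid login for frank; only the per-source view reveals it, which is the same reason MFA and sign-in risk analysis matter more than lockout policy for this attack.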
C
What is the difference between spear phishing and whaling? A. There is no difference. Both are targeted phishing. B. Spear phishing focuses on voice services and whaling is primarily sent through SMS messages. C. Both are targeted phishing, but only whaling targets individuals in executive positions. D. Spear phishing involves email, and whaling involves DNS cache poisoning.
D
What is the difference between using the Dynamic VTI compared to a DMVPN solution when implementing a hub-and-spoke IPsec VPN? A. Using DMVPN reduces the number of routing protocol neighbor relationships required. B. IPsec profiles are more flexible by using Dynamic VTI rather than DMVPN. C. DMVPN supports routing protocols on top of the tunnel while, with Dynamic VTI, only Reverse Route Injection can be used. D. Using DMVPN reduces packet delay more than Dynamic VTI.
A
What is the distinctive feature of the HIPS in comparison to NIPS? A. the ability to analyze encrypted traffic B. the ability to generate alerts C. the ability to trigger protective actions D. the usage of customized detection techniques
C
What is the function of the exploit kit landing page? A. redirect the user's browser to the CnC server B. host malicious advertisements with iFrames C. deliver malware to victim machine D. initiate CnC traffic for malware communications
B
What is the functional purpose of the HTTP 302 response code? A. alert users that an attack is underway B. identify a temporary URL redirection for a web site and redirect the user to it C. ask for authentication of the user D. alert the user that the webpage is no longer available
B
What is the main cause of successful buffer overflow attacks? A. careless users violating acceptable use policy B. poorly written application code that does not validate input data size C. intentional installation of illegitimate software D. bad luck of the user who falls victim to such an attack
D
What is the main goal of Distributed Denial of Service (DDoS) attacks? A. data access B. endpoint malware installation C. mapping the network D. service disruption
C
What is the main purpose of an exploit kit for malicious actors? A. continuously changing the IP addresses for the command and control infrastructure B. sending updates and new commands to all the endpoint bots in a DDoS botnet C. scanning potential victim computer for vulnerable applications so that malware can be delivered D. encrypting malware to hinder the reverse engineering efforts of incident response teams
B
What is the main reason why enterprises are reluctant to move to cloud-based security services? A. Cloud-based services are not stable, and do not provide high-availability features. B. Data within the cloud is not natively secure and customer data breaches are a major concern to enterprises. C. Cloud-based deployments are significantly more complex to deploy and administer. D. Enterprises do not trust cloud-based services because of inaccurate X.509 certificates E. Cloud-based services do not support NGFW encryption technologies.
B
What is the minimum requirement regarding the number and type of listeners for accepting incoming and outgoing email in a single interface deployment of the Cisco ESA? A. only one private listener B. only one public listener C. one public and one private listener D. one public and more private listeners
D
What is the most common result of an attack staged with an Angler exploit kit? A. creation of a backdoor for future access to the system B. Cryptomining software installation C. data exfiltration via DNS Tunneling D. encrypted files and ransom demand
A
What is the most common way to deploy Cisco Umbrella? A. Update DNS settings in a DHCP scope. B. Deploy Cisco Umbrella Virtual Appliance. C. Deploy Cisco Umbrella Roaming Client. D. Configure firewall to redirect DNS requests to Cisco Umbrella cloud.
D
What is the most difficult stage of an endpoint attack? A. propagating a botnet once you have access to the systems B. acquiring a list of ports open on a targeted computer C. delivering a phishing email to employees D. acquiring access to an endpoint inside the network
D
What is the name of the Cisco Advanced Malware Protection (AMP) for Endpoints feature that is employed to communicate the change of disposition from "unknown" or "benign" to "malicious"? A. device trajectory B. file trajectory C. hash-based detection D. retrospective alerting E. threat grid
A
What is the name of the SNMP entity running on the SNMP-managed device? A. Agent B. Client C. Manager D. MIB
A
What is the name of the stateful firewall feature available on Cisco IOS routers? A. Zone-Based Policy Firewall B. IOS Stateful Firewall C. Stateful Router Firewall D. Zone-Based IOS Firewall E. Stateful IOS Firewall
C
What is the organizational benefit of incorporating CVSS into risk analysis? A. It gives insight into the result of a compromise or attack. B. It lowers the threat to detection time. C. It is a structured method to assist with prioritizing a vulnerability response. D. It makes the engineer read more information than they would have on their own.
A
What is the primary advantage of using an NFV-centric platform when implementing network function virtualization? A. The scalability numbers are well-documented, or at least predictable, providing a prescriptive design architecture. B. VNFs are designed explicitly to run on compatible NFV platforms. C. The NFV platform provides additional API hooks to manage the VNs from a centralized dashboard. D. NFV enhances security for the network through anagram-integrated security for VNF blocks.
B
What is the primary goal of an attacker when using an iFrame or HTTP 302 cushioning? A. To help the user find the correct web page location B. To ensure that the victim's web browser ends up on the attacker's web page, which serves out the malicious exploit to the victim C. To offer a secure transaction in a web page D. To protect against malware infiltration
D
What is the primary purpose of the "relative threat exposure" regarding the Cisco CTA dashboard? A. Using a single pane, it quickly identifies which device on the network is compromised. B. It provides an instant view into existing CnC channels within the network infrastructure. C. It answers the question, "Who has infiltrated the network?" D. It answers the question, "How is my organization doing as it relates to others?" E. It identifies which known CVE vulnerabilities are present within the configured network devices, including routers, switches, and NGFWs.
A
What is the primary reason to use a sandbox to analyze unknown suspicious files? A. To determine exactly what a file does before it is labeled malicious or benign. B. To block any suspected malware in real time before it can infect the end user. C. To provide evidence for post-incident forensics reports. D. To run it in a production environment to see its effects.
B
What is the primary telemetry source for Stealthwatch Enterprise? A. firewall configurations and ACL audit exports B. flow data, including NetFlow, JFlow, and sFlow C. sensor data from any Snort-based IPS/IDS appliances D. threat intelligence feeds from Open Threat Exchange (OTX)
D
What is the purpose of an exploit kit in a client-side attack? A. It hides an iframe in a legitimate webpage to redirect the user to an exploit server. B. It beacons to an attacker's command and control servers, allowing the attacker to issue commands to the user's machine. C. It compromises a web server to carry out DDoS attacks as part of a botnet. D. It profiles the user's computer and delivers exploit code to the computer based on its OS, browser, and applications.
C
What is the role of an AMP Connector in the Cisco Advanced Malware Protection architecture? A. It is installed on an endpoint in the case of on-premise AMP deployments. B. It is installed on an on-premise server to send and collect data about files from the cloud. C. It is installed on the endpoint to send and collect data about files to and from the cloud. D. It is used on the client to buffer information about files in case of a lack of connectivity with the cloud.
B
What is the severity level of the following Cisco ASA syslog message? %ASA-3-213003: PPP virtual interface interface_number isn't opened. A. critical B. error C. warning D. notification
C
What is the valid range and the meaning of the Sender Base Reputation Score (SBRS)? A. The SBRS range is 0 to 10 and it represents the probability that the sender is sending dangerous attachments. B. The SBRS range is 0 to 10 and represents the likelihood that the sender is sending spam. C. The SBRS range is -10 to 10 and it represents the likelihood that the sender is sending spam. D. The SBRS range is -10 to 10 and represents the likelihood that the sender is sending dangerous attachments.
A
What should be done to give an Amazon EC2 instance access to other AWS resources within the same AWS account? A. Give the instance an IAM role that allows access to the desired resources. B. Nothing needs to be done, all resources within an AWS account already have access to each other. C. Store the connection information in a file on the server that can only be read by a root user. D. Create a security group that allows network traffic to move between the resources.
D
What should your first goal be when you are under a network security attack? A. scanning the network B. stopping the active threat C. threat analysis D. threat containment
B
What statement correctly describes a reconnaissance attack? A. A reconnaissance attack is nothing more than script kiddies playing around with software tools. B. A reconnaissance attack is an attempt to gather information about an intended victim before attempting a more intrusive attack. C. Reconnaissance attacks pose no threat to the infrastructure. D. Reconnaissance attacks are easy to identify and can be suppressed with minimal effort.
BCE
What three factors contribute to a CVSS score? (Choose three.) A. performance B. confidentiality C. privileges D. reliability E. availability F. flexibility
BD
What two measures of posture compliance are used by identity and access management systems? (Choose two.) A. username B. operating system patch levels C. IP address D. antivirus version E. access group
C
What type of data can be learned about a server by performing a basic port scan on it with nmap? A. list of patches missing from applications B. misconfigurations of web applications allowing command injection C. list of all open ports and services that are running D. list of all systems that the server is communicating with E. list of users who are logged on to the server
B
What type of information does CVSS provide for a vulnerability? A. risk transfer procedures B. severity of the vulnerability C. suggestions for managing the vulnerability D. risk mitigation
A
What would be the action if a TLS connection is unavailable but the Destination Controls TLS setting is set to Required? A. retry/bounce message B. encrypt envelope and send C. error notification and retry D. encrypt message and send
C
When Identity and Access Management (IAM) is implemented with Cisco Identity Services Engine (ISE) which process follows the posture assessment of the device? A. Active Directory lookup B. Authentication C. CoA D. Profiling
B
When Modular Policy Framework (MPF) is enabled on a Cisco Adaptive Security Appliance (ASA), which component is used to identify interesting traffic that the policy applies to? A. ACL B. class map C. policy map D. service policy
B
When a URL is encoded to hide an attack, which value can the forward slash (/) character be encoded as? A. %20 B. %2f C. %3c D. %5c
A
When a point-to-point IPsec VPN is present on a Cisco Firepower NGFW, why might you have to configure a NAT exemption rule? A. Because otherwise the VPN traffic may not match the crypto ACL. B. Because in case of AH protocol for IPsec, NAT is not supported. C. Because there may be conflicts with NAT Traversal (NAT-T) translations. D. Because translating VPN traffic can result in poor performance.
B
When are "point-in-time detection technologies" considered useless? A. after the attacker has compromised the internet-facing firewall appliance B. when a malicious file is not caught, or is self-morphing after entering the environment C. when the IPS appliance detects an anomaly D. when forensics are performed on the malicious payload to ascertain its origin and attack behaviors
D
When configuring DHCP snooping, which ports should be configured as untrusted ports? A. all access ports B. all inter-switch trunk ports C. all ports that are connecting toward the DHCP server D. all access ports, except the port to which the DHCP server is directly connected
A
When should devices be updated if patch management is implemented in the cloud? A. as soon as they are connected to the network B. once a year C. when a security vulnerability is exploited D. when a user initiates the update
C
When should the AMP for Endpoints TETRA engine be enabled? A. in high-risk environments, on high-value assets, where one antivirus engine might not be sufficient to catch day-zero threats B. any time that additional virus protection capabilities are desired C. only if there are no other antivirus products on the endpoint, because enabling TETRA alongside another antivirus solution could cause serious degradation in the performance of the endpoint D. you should not enable the AMP for Endpoints TETRA engine unless directed to do so by Cisco Technical Assistance Center (TAC)
D
Where are infrastructure ACLs typically applied? A. output direction at all the network edge routers B. input direction at all the network core routers C. output direction at all the network core routers D. input direction at all the network edge routers
C
Which 802.1X wired deployment mode offers you control over the traffic before authentication takes place? A. closed mode B. low impact mode with a dACL C. low impact mode with a static port ACL D. monitor mode
B
Which ACP rule action will allow you to send traffic for additional inspection against IPS policy? A. Trust B. Allow C. Block D. Monitor
B
Which Cisco AMP for Endpoints feature helps you determine which endpoints were the first to download malware on your network? A. Ethos B. retrospective security C. Spero D. TETRA
C
Which Cisco IOS command applies the CPPr policy to the host subinterface? A. policy-map B. class-map C. service-policy D. police
F
Which Cisco IOS feature provides early rate limiting and drops traffic that is destined for the central processor of the network device by applying QoS policies to a virtual aggregate CPU-bound queue? A. Data Plane Protection B. Data Plane Policing C. Management Plane Protection D. Management Plane Policing E. Control Plane Protection F. Control Plane Policing
D
Which Cisco IOS feature would you use to determine which application is causing slow network performance? A. SNMP B. CCP C. IP SLA D. NetFlow
D
Which Cisco IOS tool does CoPP use to protect the router CPU? A. ACLs B. prefix lists C. route maps D. Modular QoS CLI E. CoPP policies
B
Which Cisco SDN solution can you centrally manage using a Cisco vManage console? A. Cisco SD-Access B. Cisco SD-WAN C. Cisco SD-Branch D. Cisco SD-Data
D
Which Cisco Stealthwatch component aggregates multiple data sources (NetFlow, SNMP, Syslog) and forwards them to applicable recipients? A. FlowCollector B. Flow Sensor C. SMC D. UDP Director
D
Which Cisco Stealthwatch component can be used to simplify the integration and distribution of multiple types of network and security data by aggregating and providing a single, standardized destination for disparate information? A. SMC B. Flow Sensor C. Flow Collector D. UDP Director
C
Which Cisco Stealthwatch component stores and analyzes NetFlow data from as many as 4000 flow sources (network devices) at up to 240,000 flows per second? A. SMC B. Flow Sensor C. Flow Collector D. UDP Director
D
Which Cisco Stealthwatch index is increased if hosts appear to be victims of actions performed by other hosts? A. Concern Index B. File-Sharing Index C. Host Index D. Target Index
D
Which Cisco Stealthwatch optional component provides an overlay solution for generating NetFlow data for legacy network infrastructure devices not capable of producing line-rate, unsampled NetFlow data? A. SMC B. UDP Director C. Flow Collector D. Flow Sensor
B
Which Cisco VPN solution requires use of IKEv2? A. DMVPN B. FlexVPN C. GET VPN D. VTIs
A
Which Cisco appliance uses reputation-based filtering to stop a large percent of spam before it enters the network? A. Cisco Email Security Appliance B. Cisco Adaptive Security Appliance C. Cisco Web Security Appliance D. Cisco Talos Threat Intelligence Appliance E. Cisco Security Intelligence Appliance
C
Which Cisco product offers visibility for cloud-deployed Kubernetes frameworks? A. Cisco FMC B. Cisco Secure Workload (Tetration) C. Cisco Stealthwatch Cloud D. Cisco Umbrella
C
Which Cisco solution provides network visibility for public clouds without the need to install software agents? A. Stealthwatch Enterprise B. Private Network Monitoring appliance C. Stealthwatch Cloud D. Stealthwatch Flow Collector
C
Which Cisco solution provides outstanding protection from malicious email with little administrative overhead? A. on-premises solution B. hybrid solution C. cloud-based solution D. Cisco Cloud Email Security
A
Which Cisco solution supports Remote Access VPN implementation? A. Cisco ASA AnyConnect SSL Remote Access VPN B. Cisco ASA Clientless AnyConnect Remote Access VPN C. Cisco Firepower NGFW Clientless Remote Access VPN D. Cisco Firepower NGFW IKEv1 Remote Access VPN
D
Which Cisco solution would you use to collect NetFlow events? A. Cisco ESA B. Cisco FMC C. Cisco SecureX D. Cisco Stealthwatch
D
Which DNS record is typically used for data exfiltration in a DNS tunneling operation? A. A B. CNAME C. MX D. TXT
C
Which DNS record is used to locate the IP address of the receiving SMTP server? A. the MX record B. the PTR record C. the A record D. the NS record
A
Which Dynamic Entity Modeling (DEM) telemetry category in Cisco Stealthwatch Cloud covers recognition of deviation from a device's past behavior? A. consistency B. forecast C. group D. role
B
Which EAP method requires a client certificate? A. EAP-MD5 B. EAP-TLS C. PEAP D. EAP-FAST
C
Which HIPS technology detects intrusive activity by comparing traffic to a set of rules called signatures? A. Anomaly based IPS B. Policy-based IPS C. Signature-based IPS D. Heuristic-based IPS
B
Which IP attack type is a simultaneous, coordinated attack from multiple source machines? A. Rogue DHCP attack B. DDoS attack C. MITM attack D. MAC address flooding attack
A
Which Linux security control should be used with a personal firewall to provide an additional layer of protection at the application layer and to permit or deny access to a specific service? A. TCP wrappers B. IP tables C. uncomplicated firewall (UFW) D. host-based IPS
D
Which NAT configuration is required when hosts from the 192.168.10.0/24 subnet in the inside NAT domain require a translation to a single 209.165.200.230 IPv4 address, but only when they are connecting to the 209.165.202.130 host in the outside NAT domain? A. static NAT B. dynamic NAT C. dynamic PAT D. policy NAT
D
Which Stealthwatch page allows you to view which hosts generate the greatest number of alarms? A. Analyze > Flow Search B. Cognitive Intelligence Dashboard C. Monitor > Hosts D. Security Insight Dashboard
D
Which VPN type can be implemented by using FlexVPN? A. DMVPN without IPsec B. IKEv1 DMVPN C. IKEv1 Static VTI D. IKEv2 Crypto Map
B
Which access method would you use in clientless SSL VPNs for a custom Windows application that is transported over TCP? A. plug-ins B. smart tunnels C. port forwarding D. applets
C
Which action can be specified for a recipient address in the RAT? A. Relay B. Continue C. Accept D. TCP refuse
D
Which advantage is provided by Cisco Umbrella Virtual Appliance? A. better performance with lower delay B. improved Cisco Talos integration C. improved reliability based on hypervisor virtual machine fault tolerance D. internal IP visibility
B
Which application-layer protocol, that uses UDP to manage and monitor devices on the network, could be exploited if it is not secured on devices? A. TFTP B. SNMP C. HTTPS D. FTP E. SMTP
BCE
Which are three supported methods to install an AMP Connector with Cisco AMP for Endpoints? (Choose three.) A. download from on-premises dedicated distribution AMP server B. download from the AMP console C. download through a URL D. download through automatic email attachment sender E. installation through Cisco AnyConnect AMP Enabler F. installation through clientless SSL remote access VPN
D
Which authentication method is supported for remote access VPN by the NGFW? A. RSA SecurID B. TACACS+ C. local user database D. RADIUS
C
Which authentication protocol uses a challenge-response sequence of messages exchanged between the Cisco WSA and the user? A. Basic B. Kerberos C. NTLMSSP D. WCCP
A
Which benefit does Cisco Umbrella Investigate provide? A. It allows an analyst to see everything Cisco Umbrella knows globally. B. It allows for the verification of statistics about organization DNS queries. C. It helps the organization to define geographical zones for configuration fine-tuning. D. It protects organizations implementing automatic protection policies.
C
Which characteristic about the Cisco IOS management plane protection is true? A. When MPP is enabled, only the Telnet and HTTP management protocols are affected. B. It is difficult to configure. C. Device management traffic is permitted to enter a device only through the out-of-band management interfaces. D. It only allows a single router interface as the management interface.
A
Which characteristic applies to the Cisco AnyConnect VPN when processed by the Cisco Firepower NGFW? A. It provides direct and full access to VPN resources. B. The local user database can be used for authenticating users. C. Only TLS and DTLS technologies can be used. D. Cisco Firepower NGFW allows third-party VPN software to be used by the remote users.
A
Which characteristic of the Cisco AMP framework is the base for retrospective security features? A. File disposition is dynamic. B. Risk thresholds are configurable. C. TETRA antivirus setup can be customized. D. The client has an active component installed.
BD
Which client options are available for off-network clients? (Choose two.) A. Cisco AMP client. B. Cisco Umbrella Roaming Client C. Cisco AnyConnect Secure Mobility Client D. Cisco Umbrella Roaming Security module for Cisco AnyConnect Secure Mobility Client E. ISE Posture module for Cisco AnyConnect Secure Mobility Client F. Native OS DNS client
B
Which cloud service model provides the smallest shift of security responsibility from the customer to the service provider? A. Desktop as a Service (DaaS) B. Infrastructure as a Service (IaaS) C. Platform as a Service (PaaS) D. Software as a Service (SaaS)
D
Which command applies the control plane protection policy map to the host subinterface? A. class-map B. police C. policy-map D. service-policy
C
Which common defense-in-depth method can help reduce the attack surface? A. Use 8-character passwords. B. Replace copper connections with fiber-based connections. C. Deploy IPS, firewalls, and AAA-based platforms and services. D. Use UDP protocols to preserve bandwidth and protocol overhead. E. Place systems on internet-facing DMZ links to control traffic flows.
C
Which communication is allowed by default on the Cisco ASA appliance? A. Traffic from a lower security level interface to a higher security level interface. B. Traffic between interfaces with same security level. C. Traffic from a higher security level interface to a lower security level interface. D. Traffic entering and exiting the same interface.
E
Which component is under the customer responsibility in a SaaS use model? A. The customer is responsible for hardware. B. The customer is responsible for physical networking and storage. C. The customer is responsible for the operating system. D. The customer is responsible for application data. E. The customer is not responsible for any of the components.
C
Which configuration is required to implement seamless closest-location routing between Cisco Umbrella services and clients? A. BGP community attributes activated on-site routers B. geographical zones on the on-premise routers C. no additional configuration is required D. running a deep learning algorithm in a public or private cloud
C
Which countermeasure can an organization employ to improve the confidentiality of data that is transmitted by users and devices? A. update network cable to use shielded twisted pair cable B. increase password complexity rules C. use encryption between sending and receiving parties D. make sure that operating systems have up-to-date software patches
D
Which criterion is checked to allow or deny an IP packet when Unicast Reverse Path Forwarding (uRPF) check is configured on an interface? A. loose mode: permit an IP packet with a source IP address matching a known route originated by a routing protocol B. loose mode: permit every IP packet with any source address, logging the source IP address C. strict mode: permit an IP packet with a source IP address matching a connected or static known route D. strict mode: permit an IP packet with a source IP address matching a known route and received on the outgoing route interface
A
Which cryptographic service provides the proof of the origin of data? A. nonrepudiation B. integrity or data authentication C. peer authentication D. confidentiality
C
Which detection engine sends the whole file to the Cisco Threat Grid cloud, where the file is analyzed in a sandbox environment? A. SHA-256 malware cloud lookup B. Spero C. Dynamic analysis D. Local malware analysis
A
Which disposition will be returned by Cisco AMP cloud if a definitive disposition for the file could not be determined? A. Unknown B. Clean C. Not available D. Unavailable
B
Which dynamic entity modeling algorithm detects that endpoints are breaking established network rules? A. Role B. Rule analysis C. Consistency D. Forecast
C
Which dynamic entity modeling algorithm recognizes when a device has critically deviated from its past behavior? A. Role B. Group C. Consistency D. Forecast
A
Which engine in the Cisco FTD software is responsible for inspecting traffic against security intelligence and IPS features? A. Snort engine B. ASA engine C. Firewall engine D. IPS engine
B
Which entity updates Snort rules that are shipped with Cisco Firepower Management Center? A. Cisco SecureX B. Cisco Talos C. General public (anyone) D. Network administrators
C
Which feature can automatically enable rules that address Linux 2.6 vulnerabilities for environments where Linux 2.6 OS is detected? A. Connectivity over Security B. Firepower Discovery C. Firepower Recommendations D. Host profile
A
Which feature in the email pipeline is available only in the outgoing mail policies? A. DLP B. antispam C. antivirus D. content filters
C
Which feature is not a component of a content filter? A. conditions B. actions C. SBRS D. action variables
B
Which feature on Cisco Firepower Management Center is an example of leveraging shared threat intelligence information? A. Cisco STIX B. Cisco Threat Intelligence Director C. Cisco TAXII D. Cisco Security Intelligence E. Cisco Talos Intelligence
A
Which feature on a Cisco IOS switch keeps track of connected hosts (association of MAC and IP address) that can be used with IP source guard? A. IP device tracking B. IP host tracking C. IP address tracking D. IP-to-MAC address tracking
C
Which feature protects against a rogue Cisco switch taking over the role of the root bridge in the topology? A. PortFast B. STP C. root guard D. BPDU guard
A
Which flow log type is handled by the Stealthwatch Cloud to provide network visibility into Microsoft Azure cloud environments? A. Network Security Group flow logs B. Security Group Tag flow logs C. Virtual Private Cloud flow logs D. NetFlow flow logs
ABFG
Which four activities does the vulnerability assessment process typically include? (Choose four.) A. device discovery B. service enumeration C. patching the software and firmware D. fixing configuration issues E. reimaging the infected hosts F. scanning G. validation
A
Which function is performed by an attacker running whoami from the command shell? A. learns which user account they are running under and the domain it belongs to B. determines the registrant that the domain web services are running under C. maps IP addresses back to domain names on the network D. lists all users who are logged on to the machine
BCE
Which functionalities are performed by the LINA (ASA) engine of the Cisco FTD Software? (Choose three.) A. URL Filtering B. IP routing C. NAT D. intrusion inspection E. VPN F. protecting against malware G. decrypting SSL traffic
C
Which hash function is used to query AMP Cloud when Cisco AMP inspects a file for disposition? A. MD6 B. RIPEMD-160 C. SHA-2 D. Whirlpool
B
Which information can an attacker use within an ICMP reply to determine which type of operating system the device is running? A. total length B. TTL value C. version D. checksum
D
Which information does AMP Connector send to AMP Cloud when a file is copied, moved, or executed on a system? A. always the hash along with the whole file B. only the file hash C. only the whole file D. the file hash and the whole file if necessary
D
Which kernel is the Async OS for Cisco Email Security Appliance based on? A. Cisco proprietary kernel B. Debian Linux C. DoS D. FreeBSD
D
Which level within a cluster overrides the settings for the other levels? (ESA) A. cluster B. group C. host D. machine
A
Which listener type receives connections from a limited number of internal mail servers and directs messages to many external mail hosts? A. private (outgoing email) B. public (incoming email) C. DMZ D. inside
B
Which malware type does not reproduce by infecting other files or self-replicating? A. Ransomware B. Trojan horses C. Viruses D. Worms
C
Which mechanism covers the "What can you do?" paradigm? A. Accounting B. Authentication C. CoA D. Posture Assessment
B
Which method is a permissive security control in which only specified applications can run on an end host, while all other applications are prevented? A. application blocked list B. application allowed list C. application deep packet inspection D. application recognition and detection
B
Which network behavior makes users increasingly important control points for security? A. Enterprises are giving all users full access to resources. B. Users are using their personal assets to access company resources. C. Users are learning how to write their own malware. D. Users are susceptible to disruptive human mistakes when using the software.
D
Which network device plane builds the structures required for traffic forwarding? A. data plane B. management plane C. forwarding plane D. control plane
A
Which network device plane is responsible for device administration, provisioning the configuration, and monitoring the device operation? A. management plane B. data plane C. control plane D. signaling plane
C
Which network device plane provides the traffic forwarding function? A. control plane B. management plane C. data plane D. forwarding plane
C
Which network topology is in use when every network has a direct VPN connection to every other network? This topology provides any-to-any communication and provides the most optimal direct path for network traffic. A. star topology network B. partially meshed network C. fully meshed network D. individual point-to-point VPN connection E. hub-and-spoke network
A
Which object would you create and reuse in an ACP if you want to create a rule that will block the Facebook chat application? A. Application filter B. Variable set C. URL D. Network
C
Which of these actions inside an ACP rule on a Cisco Firepower NGFW allows network traffic to be discovered and sent to IPS policy? A. Permit B. Fastpath C. Allow D. Inspect E. Block F. Deny G. Trust
D
Which of these is not an S/MIME security service? A. signing B. encryption C. verification D. authentication
C
Which one of the following statements describes the primary IPS mechanism used in rule-based detection to help stop attackers from compromising systems? A. The geolocation database can be installed to filter specific countries, based on reputation scores. B. IPS rule-sets evaluate various network activities over a long period, allowing rule-based detection configuration to automatically update its rule-set. C. Rule-based detection, using updated IPS signature files, can be leveraged to stop attackers from malicious activity. D. Complex ACLs can be applied to the WAN-facing interfaces, allowing rule-based detection to inspect traffic as it enters the sensor. E. By deploying NAT on WAN-facing interfaces and working with rule-based detection methods, malicious activity can be inspected and blocked before it is sent to internal network resources.
B
Which option about IPsec VPNs on the Cisco FMC is correct? A. supports asymmetric authentication with IKEv2 B. uses a concept of a VPN topology to configure all required IPsec components on managed devices C. uses a concept of tunnel groups for VPN configuration D. uses the Cisco ASA appliance engine
B
Which option about the IKEv2 profile is correct? A. It describes negotiable parameters of IKE SA. B. It describes nonnegotiable parameters of IKE SA. C. It describes nonnegotiable parameters of IPsec SA. D. It describes negotiable parameters of IPsec SA.
C
Which option applies to the TACACS+ protocol? A. suitable for network access B. combines authentication and authorization in a single process C. separates all three aspects of AAA into individual processes D. uses UDP port 1645 or 1812 for authentication and authorization
B
Which option best describes an MITM attack? A. easily detected and not a threat B. a system that has the ability to view the communication between two systems and imposes itself in the communication path between those other systems C. a device that connects to a switch and issues an enormous amount of DHCP requests until the DHCP server runs out of IP addresses D. a device that issues an extremely large amount of SYN requests to a server, preventing all other devices from making a connection
A
Which option can be used to represent the network 192.168.1.0/24 as an object? A. network object B. service object C. network object group D. service object group
A
Which option can be used to secure the data on a BYOD device of a former employee who has left the company? A. EMM or MDM B. Cisco ISE C. PKI X.509 certificates D. Integrated mobile APIs
A
Which option correctly describes IKEv2 Smart Defaults? A. default IKE and IPsec values B. noneditable default values C. always-active default values D. default IKE values
B
Which option defines a method that can be used for matching senders and recipients for the "example.com" domain? A. [email protected] B. @example.com C. user@ D. @.example.com
B
Which option describes a benefit of prefilter policies? A. Prefilter policies are used to improve performances on Cisco IOS. B. Prefilter policies are used to exclude traffic that does not need inspection, for better device performance. C. Prefilter policies are used to filter routing protocol updates, excluding certain networks from routing. D. Prefilter policies are used to save CPU resources, and they are used with CoPP or CPPr.
C
Which option describes a valid IKEv2 proposal? A. AES-GCM-128 as encryption algorithm, SHA-256 as hashing algorithm, and DH group 19. B. AES-CBC-128 as encryption algorithm, SHA-256 as PRF algorithm, and DH group 19. C. AES-GCM-128 as encryption algorithm, SHA-256 as PRF algorithm, and DH group 19. D. AES-CBC-128 as encryption algorithm, SHA-256 as PRF algorithm, and DH group 6.
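The rules behind this question (an AEAD cipher such as AES-GCM carries its own integrity, so it takes a PRF instead of an integrity algorithm; a classic cipher such as AES-CBC needs an explicit integrity algorithm; and the DH group must be one IKEv2 actually defines) can be expressed as a small validator. The block below is an added example, not code from the original page; its algorithm and DH group tables are assumptions modelled on what `crypto ikev2 proposal` on Cisco IOS XE accepts, so check them against your platform's documentation before relying on them.

```python
# Added example (not from the original page): applies the IKEv2 proposal rules
# discussed above. The tables are assumptions modelled on Cisco IOS XE's
# 'crypto ikev2 proposal'; verify against your platform before relying on them.

AEAD_CIPHERS = {"aes-gcm-128", "aes-gcm-256"}      # combined mode: confidentiality + integrity
CLASSIC_CIPHERS = {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256", "3des"}
INTEGRITY_ALGS = {"md5", "sha1", "sha256", "sha384", "sha512"}
PRF_ALGS = {"md5", "sha1", "sha256", "sha384", "sha512"}
# DH groups assumed valid for IKEv2 here; note that there is no "group 6".
DH_GROUPS = {1, 2, 5, 14, 15, 16, 19, 20, 21, 24}
WEAK_ALGS = {"3des", "md5", "sha1"}
WEAK_GROUPS = {1, 2, 5}


def validate_proposal(encryption, dh_group, integrity=None, prf=None):
    """Return (ok, problems). ok is False when the proposal cannot be used."""
    problems = []
    enc = encryption.lower()
    if enc in AEAD_CIPHERS:
        # AEAD ciphers already authenticate; a separate integrity algorithm is
        # rejected, and the PRF must then be given explicitly.
        if integrity is not None:
            problems.append(f"{enc} is AEAD: do not configure an integrity algorithm")
        if prf is None:
            problems.append(f"{enc} is AEAD: a PRF algorithm is required")
    elif enc in CLASSIC_CIPHERS:
        # Non-AEAD ciphers need an explicit integrity algorithm; when the PRF is
        # omitted it defaults to the integrity algorithm.
        if integrity is None:
            problems.append(f"{enc} needs an integrity algorithm")
    else:
        problems.append(f"unknown encryption algorithm {encryption!r}")
    if integrity is not None and integrity.lower() not in INTEGRITY_ALGS:
        problems.append(f"unknown integrity algorithm {integrity!r}")
    if prf is not None and prf.lower() not in PRF_ALGS:
        problems.append(f"unknown PRF algorithm {prf!r}")
    if dh_group not in DH_GROUPS:
        problems.append(f"DH group {dh_group} is not a valid IKEv2 group")
    return (not problems, problems)


def proposal_warnings(encryption, dh_group, integrity=None, prf=None):
    """Advisory only: legacy choices that validate but should be avoided."""
    warnings = []
    for alg in (encryption, integrity, prf):
        if alg is not None and alg.lower() in WEAK_ALGS:
            warnings.append(f"{alg} is a legacy algorithm")
    if dh_group in WEAK_GROUPS:
        warnings.append(f"DH group {dh_group} is too small for new deployments")
    return warnings


if __name__ == "__main__":
    # The four answer options from the question, checked one by one.
    options = {
        "A": dict(encryption="aes-gcm-128", integrity="sha256", dh_group=19),
        "B": dict(encryption="aes-cbc-128", prf="sha256", dh_group=19),
        "C": dict(encryption="aes-gcm-128", prf="sha256", dh_group=19),
        "D": dict(encryption="aes-cbc-128", prf="sha256", dh_group=6),
    }
    for letter, kwargs in options.items():
        ok, problems = validate_proposal(**kwargs)
        print(letter, "valid" if ok else "invalid", "; ".join(problems))
```

Only option C passes: A pairs an AEAD cipher with an integrity algorithm, B omits the integrity algorithm that AES-CBC requires, and D names a DH group that does not exist.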
C
Which option describes an attack vector? A. the resolution of an attack B. the result of, or damage from, an attack C. a path, method, or route by which an attack was carried out D. the last stage of the attack continuum
D
Which option is a property of FlexVPN? A. It uses IKEv1. B. It does not support remote access VPN. C. It requires GRE encapsulation. D. It uses IKEv2.
A
Which option is a property of SVTIs? A. Support for dynamic routing protocols. B. Non-intuitive configuration syntax. C. Zero-touch provisioning of new spokes. D. Use GRE encapsulation.
D
Which option is a property of asymmetric encryption algorithms? A. Asymmetric algorithms are much faster than symmetric algorithms. B. Asymmetric algorithms can be easily hardware-accelerated. C. Asymmetric algorithms are generally used for bulk encryption. D. Asymmetric algorithms are much slower than symmetric algorithms. E. With asymmetric algorithms, key management tends to be more complex than with symmetric algorithms.
C
Which option is a property of crypto maps? A. Support for dynamic routing protocols. B. Support for multicast traffic. C. Traffic that needs encryption is defined by an ACL. D. All traffic entering an interface is encrypted and encapsulated.
B
Which option is a valid Cisco IOS and IOS XE VTI type? A. manual B. static C. downloadable D. flexible
C
Which option is a valid RADIUS CoA packet that can be sent from a AAA server? A. Reply-CoA B. CoA-Response C. CoA-Request D. Access-Challenge
B
Which option is an IPsec protocol that provides key management to IPsec? A. AH B. IKE C. ESP D. Oakley E. SPI
E
Which option is an example of a symmetric key algorithm? A. SHA-1 B. MD5 C. RSA D. DH E. AES
C
Which option is required by the ARP inspection feature when determining the validity of ARP replies? A. routing table B. MAC address table C. DHCP snooping database D. port security
D
Which option is required to configure scalable and easy-to-maintain infrastructure ACLs? A. high-end edge routers B. high ACLs analyzing performance on core routers C. detailed TCP-UDP port defined ACLs D. contiguous address space assigned to infrastructure IP addresses
B
Which option is the illegitimate DHCP server referred to in the context of a DHCP server-based attack? A. a sitting duck server B. a rogue DHCP server C. a target server D. an erroneous server
B
Which option is true regarding security responsibilities in a private cloud deployment? A. A cloud consumer does not have any security responsibilities when utilizing private cloud services. B. A cloud consumer can still shift security responsibilities when using private cloud, by hiring a company that will deploy and manage their private cloud. C. All security responsibilities for private cloud must stay with the company in question. D. Private cloud deployments do not have security considerations because they are within a company's firewall.
C
Which option is used by the storm control feature to block incoming packets on an interface? A. bandwidth percentage B. traffic rate C. rising threshold D. falling threshold
C
Which option is used to establish a covert connection between two remote computers, using ICMP echo requests and reply packets, and which can be used to bypass firewall rules? A. Smurf attack B. Firewalking C. ICMP tunneling D. ICMP-based Operating System fingerprinting
B
Which option is valid to apply a group policy to a VPN session on the Cisco Firepower NGFW? A. Apply the group policy to a user account in the local user database. B. Apply the group policy to the connection profile. C. Allow the user to select group policy from the drop-down menu in Cisco AnyConnect Secure Mobility Client GUI. D. Allow the user to select group policy using the group URL when connecting to VPN.
B
Which option prevents an attacker from breaking an IKE SA secret key and using the knowledge gained to derive another key for compromising an IPsec SA? A. AES B. PFS C. encrypted preshared key D. Replay-detection
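What PFS actually buys can be shown with the IKEv2 key derivation. Without PFS the CHILD_SA keys are derived only from the IKE SA secret SK_d and the two nonces, all of which an attacker who has compromised the IKE SA also has. With PFS a fresh DH exchange is mixed in on every CHILD_SA rekey, so the attacker additionally needs a DH private value that never left either peer. The block below is an added example, not code from the original page; it uses a toy 127-bit DH group and a simplified HMAC-SHA256 prf+ purely for illustration (the real IKE groups and KDF are larger and defined in RFC 7296), and the nonces and SK_d are constructed at random.

```python
import hashlib
import hmac
import secrets

# Added example (not from the original page). Toy Diffie-Hellman group for
# illustration only, NOT an IKE group: a 127-bit Mersenne prime. A real
# attacker could solve discrete logs at this size; the point is what inputs
# the derivation needs, not the strength of the group.
P = 2**127 - 1
G = 5
P_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def prf_plus(key, data, length=32):
    # Iterated HMAC-SHA256, loosely modelled on IKEv2 prf+ (simplified).
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + data + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


def child_key_no_pfs(sk_d, ni, nr):
    # KEYMAT = prf+(SK_d, Ni | Nr): only the IKE SA secret and public nonces.
    return prf_plus(sk_d, ni + nr)


def child_key_pfs(sk_d, g_ir, ni, nr):
    # KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr): a fresh DH secret is mixed in.
    return prf_plus(sk_d, g_ir.to_bytes(P_BYTES, "big") + ni + nr)


def simulate_compromise():
    """Return what an attacker holding SK_d plus the transcript can recover."""
    sk_d = secrets.token_bytes(32)                              # IKE SA secret, later leaked
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)   # nonces, sent in clear
    xi, gi = dh_keypair()                                       # initiator: private, public
    xr, gr = dh_keypair()                                       # responder: private, public
    # Both peers derive identical keys; xi and xr never leave their hosts.
    k_plain = child_key_no_pfs(sk_d, ni, nr)
    k_pfs_i = child_key_pfs(sk_d, dh_shared(xi, gr), ni, nr)
    k_pfs_r = child_key_pfs(sk_d, dh_shared(xr, gi), ni, nr)
    assert k_pfs_i == k_pfs_r
    # Attacker knowledge: sk_d, ni, nr, gi, gr (on the wire or in dumped memory).
    attacker_no_pfs = child_key_no_pfs(sk_d, ni, nr)
    # Without xi or xr the attacker cannot form g^ir; the public values alone
    # (here their product) derive a different key.
    attacker_pfs_guess = child_key_pfs(sk_d, (gi * gr) % P, ni, nr)
    return {
        "no_pfs_recovered": attacker_no_pfs == k_plain,
        "pfs_recovered": attacker_pfs_guess == k_pfs_i,
    }


if __name__ == "__main__":
    print(simulate_compromise())
```

The caveat a practitioner should remember: PFS protects past and future CHILD_SAs only against loss of the IKE SA keys, not against an attacker who can read the negotiated CHILD_SA keys directly from a compromised endpoint.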
B
Which option represents the messages that are used by AAA framework to dynamically modify active client's authorized state after a successful authentication in the guest portal? A. Change of Authentication (CoA) B. Change of Authorization (CoA) C. Downloadable access control lists (dACLs) D. Scalable Group Tags (SGTs)
B
Which option should be avoided when implementing routing authentication? A. using HMAC-MD5 authentication B. using cleartext authentication C. not using the same password on all the routers in the same domain D. implementing routing authentication when the peer router is reachable over an untrusted network
A
Which part of the following HTTP request URI represents the fragment portion? http://www.example.com/myvideo.mp4#t=20,50 A. #t=20,50 B. /myvideo.mp4 C. http:// D. www.example.com
C
Which password attack type is characterized by trying every possible character combination until all combinations have been exhausted? A. phishing B. dictionary C. brute force D. guessing
A
Which phase of the TCP communication process is attacked during a TCP SYN flood attack? A. three-way handshake B. connection established C. connection closed D. connection reset
A
Which physical or virtual appliance is used to manage several Cisco Firepower NGFW firewalls? A. Cisco FMC B. Cisco Security Manager C. Cisco ASDM D. Cisco FTD
D
Which prerequisite is mandatory to have a successful cloud patch management? A. The device must be owned by the company. B. The device must be on-premises, inside a security perimeter—that is, behind the firewall. C. The device cannot be part of an internal network; that is, it cannot reside behind the firewall. D. The device must be connected to the internet.
A
Which protocol and port is used by NTP for communication? A. UDP, port 123 B. TCP, port 123 C. UDP, port 80 D. TCP, port 80 E. SCP, port 69
B
Which protocol can Cisco Stealthwatch use to gather information about events in the network? A. DNS B. IPFIX C. SNMP D. Syslog
B
Which protocol is an alternative VPN transport protocol to SSL/TLS? A. IKEv2 B. DTLS C. IKEv1 D. DPD
A
Which protocol is not required by DMVPN to build direct spoke-to-spoke tunnels? A. IP Security (IPsec) B. Multipoint Generic Routing Encapsulation Protocol (mGRE) C. Next Hop Resolution Protocol (NHRP) D. routing protocol or static routing
B
Which protocol is permitted by default when a switch port is configured to require 802.1X authentication? A. DHCP B. EAPOL C. IP D. TCP
B
Which protocol is used for accessing most modern Application Programming Interfaces (APIs)? A. DNS B. HTTPS C. IPSec D. REST
B
Which protocol or framework is used to integrate Cisco Identity Services Engine (ISE) with Cisco Stealthwatch (version 6.9 and above) to exchange user information? A. NetFlow B. pxGrid C. REST API D. Syslog
A
Which protocol provides the required session keys and manages the required encryption keys for switch-to-host encryption, also called downlink MACsec encryption? A. MKA B. NDAC C. SAP D. EAP
B
Which protocol would be most suitable for out-of-band access to the Command Line Interface (CLI) of a network device, such as a switch? A. SCP B. SSH C. TACACS+ D. Telnet
A
Which purpose is served by the CA root certificate on clients, during an 802.1X/EAP authentication session? A. This is how the authentication server (ISE) proves its validity to the client B. This is how the user proves its validity to the authentication server (ISE) C. This is used for both the user and the network to prove their validity to each other D. This is how the Certificate Authority proves its identity to the authentication server (ISE)
B
Which range of OSI model layers can an Intrusion Prevention System (IPS) analyze? A. Layer 2 to Layer 4 B. Layer 2 to Layer 7 C. Layer 3 to Layer 4 D. Layer 3 to Layer 7
C
Which security countermeasure can protect against MAC spoofing attacks? A. disabling of DTP B. DHCP snooping C. port security D. ARP inspection
D
Which security feature can install an autogenerated implicit PACL on the interface? A. DHCP snooping B. dynamic ARP inspection C. root guard D. IP source guard E. uRPF
C
Which security level provides the best protection in an SNMPv3 implementation? A. noAuthNoPriv B. community string C. authPriv D. authNoPriv
A
Which security term refers to a weakness in a system or its design that can be exploited by a threat? A. Vulnerability B. Threat C. Asset D. Countermeasure
C
Which security threat resource pool does Cisco Umbrella use to evaluate the risk of a connection? A. any third-party resource pool based on STIX B. Cisco Firepower NGIPS anomaly detection C. Cisco Talos resources D. Cisco Umbrella dedicated threat database
D
Which service must be enabled on Microsoft Windows to enable the supplicant for wired networks? A. IP Helper B. Microsoft Passport C. Plug and Play D. Wired AutoConfig
A
Which service on Cisco Firepower Management Center (FMC) runs over TCP port 8302 and allows you to deliver logs to client applications? A. eStreamer B. REST API C. SNMP D. Syslog
D
Which severity level on Cisco ASA is the most urgent? A. critical B. errors C. warnings D. alerts
B
Which show command would you use to verify if NTP authentication is in use with the current primary NTP server? A. show clock B. show ntp associations detail C. show ntp information D. show ntp status
C
Which site-to-site VPN is supported by using two different types of endpoints? A. FlexVPN on IOS XE and Clientless SSL VPN on Cisco Firepower NGFW B. FlexVPN on IOS XE and IKEv1 IPSec site-to-site on a third-party device C. FlexVPN on IOS XE and IKEv2 Crypto Map on Cisco ASA D. FlexVPN on IOS XE and IKEv2 Static IPsec Tunnel on Cisco ASA
D
Which solution can be used to mitigate ARP attacks in non-DHCP environments? A. ARP inspection to validate the ARP packets using the IP Device Tracking feature B. ARP inspection to validate the ARP packets using the ARP snooping database C. ARP inspection to validate the ARP packets using the CAM and routing tables D. ARP inspection to validate the ARP packets using the user-configured ARP ACL
B
Which solution is the most suitable to protect your business against common email threats, such as attachment-based attacks, email spoofing, and spam? A. deployment of a Next-Generation Firewall (NGFW) at the network perimeter B. deployment of an email security appliance C. deployment of an IPS solution D. patching company SMTP server(s)
B
Which spanning-tree protection feature disables ports when a violation occurs? A. IP source guard B. BPDU guard C. root guard D. PortFast
C
Which statement about AAA is correct? A. Authentication is a process of applying authentication attributes to an authenticator in order to limit access from a user to the network. B. Accounting is a process of identifying a user accessing the network. C. Cisco ISE acts as AAA server in Cisco secure network access deployments. D. Authorization is a process of tracking and auditing user's access to the network.
D
Which statement about ASA Active/Standby failover is true? A. Both ASA units are managed separately. B. The primary and the secondary roles of the ASAs change. C. When a Cisco ASA boots, if it does not detect an ASA, it stops the failover process. D. The active ASA replicates all configuration changes to the standby ASA.
C
Which statement about Cisco ASA global ACL is true? A. It is applied on a single interface. B. It is applied globally on all interfaces in inbound and outbound direction. C. There is a default implicit deny-all global access rule at the end of the global ACL. D. Global access rules are used before interface access rules.
C
Which statement about Cisco TrustSec propagation is true? A. IP address to SGT mapping can be propagated using the SXT protocol. B. Inline tagging inserts the destination SGT into an Ethernet frame. C. Inline tagging inserts the source SGT into an Ethernet frame. D. Inline tagging inserts the source SGT and destination SGT into an Ethernet frame.
B
Which statement about Device Flow Correlation is correct? A. DFC is a signature-based technology. B. DFC provides a network connections view. C. DFC is available only in Android deployments. D. DFC is available only by sending the file sample to the cloud.
C
Which statement about IPSG is correct? A. IPSG filters IP packets based on ACLs. B. IPSG filters IP packets based on MPL. C. IPSG filters IP packets based on a DHCP snooping database. D. IPSG filters IP packets based on route maps.
B
Which statement about OAuth architecture is true? A. OAuth is an extension of the TACACS protocol. B. OAuth is an open authorization protocol. C. In an OAuth framework username and passwords are exchanged between resource owner and third-party applications. D. A resource provider cannot authenticate a resource owner to grant access to a third-party environment.
B
Which statement about TCP reset attacks is correct? A. A TCP reset attack is designed to disrupt the TCP 3-way handshake. B. A TCP reset attack terminates TCP communications between two hosts. C. A malicious attack is always indicated when the RST bit is set to 1 in a TCP packet header. D. In a TCP reset attack, the RST bit in the TCP packet header must be set to 1; settings for other fields in the TCP header are irrelevant.
B
Which statement about a DNS "blind spot" is correct? A. A DNS blind spot is defined as the inability to change the CX DNS records for outbound requests. B. A blind spot is the failure to properly monitor DNS activity for security purposes. C. DNS blind spots are created when a root-level DNS server is under a DDoS attack. D. Blind spots are caused by improper or lack of proper software patching to DNS BIND servers. E. DNS blind spots are a direct result of DoS port scanning of UDP port 53.
C
Which statement about malware protection is true? A. Malware protection at the host installation level is useless and can only be performed at the network level. B. Most modern malware protection products typically achieve 100 percent success in detection and prevention. C. Antivirus and antispyware tools provide a line of defense, but their efficacy is dropping. D. A combination of an antivirus product and an antispyware product provides the best defense against malware.
C
Which statement about sandboxing is correct? A. Using a sandbox technique ensures that no malware infected files can get in the network. B. Running a file in a sandbox guarantees that the disposition will show the threat that it poses to your environment. C. Malware authors deploy several techniques to bypass sandbox analysis. D. Using a sandbox replaces the need for expensive antivirus and firewall software.
B
Which statement about the default group policy is true? A. The name of the default group policy is DefaultWEBVPNGroup. B. The default group policy is fully customizable. C. The default group policy cannot be used as a regular group policy. D. The default group policy inherits settings from the default connection profile.
A
Which statement about the hybrid SDN approach is correct? A. It takes advantage of the hardware intelligence and existing feature sets within the network operating system. B. It takes advantage of the hardware intelligence when supporting modern applications, and the existing feature set to support legacy applications. C. It uses a controller-based approach for the main sites and keeps the traditional approach for the branches. D. It uses a controller-based approach on complex devices, such as SD routers, and keeps the traditional approach on simple devices such as switches.
C
Which statement accurately describes inaccessible authentication bypass? A. Port in the critical-authentication state is put into a restricted VLAN. B. Once a port is put into the critical VLAN, it cannot be re-initialized without bouncing the port. C. When a host tries to authenticate, and all the RADIUS servers are down, the switch puts the port into the critical authentication state. D. Inaccessible authentication bypass feature works well with low-impact 802.1X deployment mode.
C
Which statement best describes SecDevOps? A. SecDevOps aims to teach developers and operators about security operations. B. SecDevOps secures the operations that are developed. C. SecDevOps is the philosophy that security should not be overlooked when adopting DevOps principles. D. SecDevOps creates a secure development environment for operators.
C
Which statement best describes how Cisco CTA identifies security breaches? A. Cisco CTA uses geolocation database signatures to geolocate attackers, which provide forensic data points. B. Breaches are identified by scanning SSL/TLS based payloads, decrypting the packet for deep packet analysis. C. Cisco CTA leverages network traffic behaviors, machine learning, and anomaly detection to detect security breaches. D. Cisco CTA performs detailed analytics based on provided SYSLOG and NetFlow v5 data elements. E. Cisco CTA detects data breaches by decoding ESP security payloads and comparing them to known signatures from security intelligence feeds that are provided by the Talos Intelligence Group.
C
Which statement best describes how Cisco Cognitive Analytics identifies security breaches? A. Cognitive Analytics uses geo-location database signatures to geo-locate attackers, which provides forensic data points. B. Cognitive Analytics detects threats by scanning SSL/TLS-based payloads, decrypting the packet for deep packet analysis. C. Cognitive Analytics uses network traffic behaviors, machine learning, and anomaly detection to detect security breaches. D. Cognitive Analytics performs detailed analytics based on provided syslog and IPFIX data elements. E. Cognitive Analytics detects data breaches by decoding ESP security payloads and comparing them to known signatures from security intelligence feeds that are provided by the Talos Intelligence Group.
A
Which statement best describes the difference between STIX and TAXII? A. STIX is a language used to share Cyber Threat Intelligence (CTI), while TAXII is a protocol used to carry STIX threat intelligence information. B. TAXII is a language used to share Cyber Threat Intelligence (CTI), while STIX is a protocol used to carry STIX threat intelligence information. C. TAXII is a protocol controlled by Cisco Talos Intelligence Group, while STIX is a protocol used to carry STIX threat intelligence information. D. TAXII is a language used to share Cyber Threat Intelligence (CTI), while STIX is a protocol used to carry STIX threat intelligence information and controlled by Cisco Talos Intelligence Group.
D
Which statement correctly describes Cisco Umbrella Investigate? A. Cisco Umbrella virtual appliance which provides internal IP address visibility. B. Cisco Umbrella client which protects off-network clients. C. Policy component inside Cisco Umbrella dashboard. D. A dashboard inside Cisco Umbrella which provides contextual data to perform security analyses and predict future threats.
D
Which statement correctly describes IKEv2? A. It uses a bi-directional authentication method. B. It uses two phases to establish IKE SAs and IPsec SAs. C. It runs on UDP port 3500. D. It runs on UDP port 500.
B
Which statement correctly describes key management in cryptography? A. If a system requires manual key configuration, it is recommended that keys are generated by humans. B. Key management deals with the secure generation, verification, exchange, storage, revocation, and destruction of keys. C. Security of a cryptosystem is solely dependent on the key length. D. Secure storage of keys is not important.
D
Which statement correctly describes the theory behind the command injection attacks? A. The goal of a command injection attack is to exfiltrate data on the web server's operating system via a vulnerable web application. B. The goal of a command injection attack is to execute arbitrary commands on the mail server. C. The user enters arbitrary commands on the web server's OS via a vulnerable web application. D. The goal of a command injection attack is to execute arbitrary commands on the web server's OS via a vulnerable web application.
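The mechanism is easiest to see side by side: a handler that splices user input into a shell command line, the same call made without a shell so the whole value is one argument, and a hardened version that also validates the input against an allow-list pattern. The block below is an added example, not code from the original page; it runs a harmless `echo` in place of a real network utility and assumes a POSIX host where `shell=True` means `/bin/sh`. The payload is constructed attacker input.

```python
import re
import subprocess

# Added example (not from the original page). 'echo' stands in for a real
# utility such as ping or nslookup so an injected command is visible without
# doing damage. Assumes a POSIX host where shell=True runs /bin/sh.

# RFC 1123-style hostname check: dot-separated labels of letters, digits and
# hyphens, no leading or trailing hyphen, at most 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def lookup_vulnerable(host):
    """Intentionally vulnerable: untrusted input is spliced into a shell command."""
    command = f"echo resolving {host}"
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def lookup_argv_only(host):
    """No shell is involved, so the whole value reaches echo as one argument."""
    return subprocess.run(["echo", "resolving", host], capture_output=True, text=True).stdout


def lookup_hardened(host):
    """Allow-list validation plus argv execution (defence in depth)."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return lookup_argv_only(host)


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"   # constructed attacker input
    print(lookup_vulnerable(payload), end="")  # two lines: the echo, then INJECTED
    print(lookup_argv_only(payload), end="")   # one line: the payload printed literally
    try:
        lookup_hardened(payload)
    except ValueError as err:
        print(err)
```

The argv form removes the shell, which is where `;`, `|`, `$(...)` and backticks get their meaning; the allow-list check on top of it stops the value from reaching the utility at all, which also blocks option-injection payloads such as a leading `-`.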
B
Which statement describes CSRF? A. CSRF is a type of command injection web-based attack, which uses malicious scripts that are injected into otherwise benign and trusted web sites. B. CSRF is a type of attack that occurs when a malicious web site, email, blog, instant message, and so on, causes a user's web browser to perform an unwanted action on a trusted web site for which the user is currently authenticated. C. CSRF attacks may occur when a malicious user is allowed to post content to a trusted web site without any input validations. D. CSRF can use JavaScript, Visual Basic script, and other types of code to implement the attack script.
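The attack works because the browser attaches the victim's session cookie to any request aimed at the trusted site, whoever triggered it. The standard defence is a synchronizer token that only the trusted site's own page can embed in the form, checked on every state-changing request. The block below is an added example, not code from the original page; it models the server, the legitimate request and the forged request as plain Python dicts instead of a web framework, and `bank.example` / `evil.example` are assumed origins.

```python
import hashlib
import hmac
import secrets

# Added example (not from the original page): a minimal model of CSRF and of
# the synchronizer-token defence. Requests are constructed dicts; the origins
# are assumed names.

SERVER_SECRET = secrets.token_bytes(32)   # constructed per process
SESSIONS = {}                             # session id -> session data
SITE_ORIGIN = "https://bank.example"      # assumed origin of the trusted site


def login(user):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid


def csrf_token(sid):
    # Token bound to the session, so one stolen for another session is useless.
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(req):
    """Trusts the session cookie alone, which the browser attaches automatically."""
    sess = SESSIONS.get(req["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    return 200, f"{sess['user']} sent {req['form']['amount']} to {req['form']['to']}"


def transfer_hardened(req):
    """Requires a per-session token that only the real site's page can supply."""
    sid = req["cookies"].get("session")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "not logged in"
    token = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(sid)):
        return 403, "missing or invalid CSRF token"
    # Defence in depth: refuse a request that a browser labels as cross-origin.
    origin = req["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    return 200, f"{sess['user']} sent {req['form']['amount']} to {req['form']['to']}"


def scenario():
    sid = login("alice")
    # Legitimate POST from the bank's own page, which embedded the token in the form.
    legit = {"cookies": {"session": sid},
             "headers": {"Origin": SITE_ORIGIN},
             "form": {"to": "bob", "amount": "10", "csrf_token": csrf_token(sid)}}
    # Forged POST auto-submitted by a page on evil.example while Alice is logged in.
    # The browser still sends the cookie, but the attacker cannot read the token.
    forged = {"cookies": {"session": sid},
              "headers": {"Origin": "https://evil.example"},
              "form": {"to": "mallory", "amount": "10000"}}
    return {
        "vulnerable_forged": transfer_vulnerable(forged)[0],
        "hardened_forged": transfer_hardened(forged)[0],
        "hardened_legit": transfer_hardened(legit)[0],
    }


if __name__ == "__main__":
    print(scenario())
```

Marking the session cookie `SameSite=Lax` or `Strict` makes modern browsers withhold it on most cross-site requests and is a worthwhile complement, but the token check stays in place because it does not depend on browser behaviour.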
C
Which statement describes VPN behavior on Cisco Firepower NGFW? A. VPN traffic is by default allowed by ACP. B. VPN traffic is by default exempted from NAT. C. VPN traffic is by default denied by ACP. D. IKEv2 IPsec is not supported.
B
Which statement describes VPNs correctly? A. VPN technology secures communication across trusted network boundaries. B. VPNs can be defined as a technology used to secure communication across an untrusted network. C. VPNs are best deployed on mobile and BYOD-based devices. D. VPNs are logical networks that are dependent on the physical architecture. E. VPNs are created at the transport layer of the OSI model.
D
Which statement describes a DoS attack? A. poses as legitimate software or email attachment in order to launch a malicious attack when opened B. can steal data such as usernames and passwords without the user realizing that they have been compromised C. rarely seen because DoS attacks are extremely difficult to engineer and almost impossible to deliver D. attempts to consume all of a critical computer or network resource in order to make it unavailable for valid use
A
Which statement describes a next-generation firewall versus a standard firewall? A. Next-generation firewalls perform various security functions, such as generating different types of logs and alerts related to suspicious activities, to protect the network from advanced attacks. B. Standard firewalls are more secure, due to the ease of installation and deployment, and are capable of preventing all malicious activities from penetrating the network. C. Next-generation firewalls contain the appropriate features to detect malware and detonate unknown files in a secure hard drive partition on the Firewall appliance, saving the analyst time and additional equipment requirements. D. Next-generation firewalls and standard firewalls are functionally the same. The key difference is that standard firewalls provide granular application visibility and control. E. Standard firewalls support malware protection only.
D
Which statement describes how a DNS amplification and reflection attack is implemented? A. by predicting the next transaction ID used in DNS query and using that to construct a spoofed DNS message B. by falsifying and spoofing RR information on the DNS resolver C. by depleting DNS resolver's CPU, memory, and/or socket buffers D. by using multiple DNS open resolvers to send DNS response messages to the target device
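Both this attack and the SYN flood from the earlier question leave a recognisable shape in flow telemetry, which is what a NetFlow/IPFIX collector or a SIEM sees rather than packets: a victim receiving large UDP/53 responses from many distinct resolvers it never queried, and a server whose inbound TCP flows are mostly lone SYNs from many sources that never complete the handshake. The block below is an added example, not code from the original page or any Cisco product; the flow records are constructed, the thresholds are illustrative, and the `flags` field is assumed to carry the cumulative TCP flags of the flow as a typical exporter reports them.

```python
from collections import defaultdict
from typing import NamedTuple

# Added example (not from the original page): detection logic for DNS
# amplification and SYN flooding run over constructed NetFlow-style records.
# Thresholds are illustrative; tune them to the baseline of a real network.


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    packets: int
    octets: int
    flags: str      # cumulative TCP flags seen in the flow, "" for UDP


def build_sample_flows():
    """Constructed sample: benign traffic plus the two attacks."""
    flows = []
    # Benign: a client's own DNS query and a small reply from its resolver.
    flows.append(Flow("192.0.2.5", 51000, "192.0.2.53", 53, "udp", 1, 70, ""))
    flows.append(Flow("192.0.2.53", 53, "192.0.2.5", 51000, "udp", 1, 140, ""))
    # Benign: completed TCP sessions to the web server.
    for i in range(5):
        flows.append(Flow(f"192.0.2.{10 + i}", 40000 + i, "203.0.113.20", 443, "tcp", 12, 6400, "SAPF"))
    # Amplification: 30 open resolvers answer a spoofed query with large
    # responses, all aimed at a victim that never asked.
    for i in range(30):
        flows.append(Flow(f"198.51.100.{i}", 53, "203.0.113.10", 33000 + i, "udp", 3, 9000, ""))
    # SYN flood: 200 spoofed sources each send one SYN that is never acknowledged.
    for i in range(200):
        flows.append(Flow(f"10.0.{i}.1", 1024 + i, "203.0.113.20", 443, "tcp", 1, 60, "S"))
    return flows


def detect_dns_amplification(flows, min_resolvers=10, min_bytes_per_packet=1000):
    """Victims receiving large UDP/53 responses from many distinct resolvers."""
    per_victim = defaultdict(lambda: {"resolvers": set(), "octets": 0, "packets": 0})
    for f in flows:
        if f.proto == "udp" and f.sport == 53:
            v = per_victim[f.dst]
            v["resolvers"].add(f.src)
            v["octets"] += f.octets
            v["packets"] += f.packets
    return {
        victim: {"resolvers": len(v["resolvers"]),
                 "bytes_per_packet": v["octets"] // v["packets"]}
        for victim, v in per_victim.items()
        if len(v["resolvers"]) >= min_resolvers
        and v["octets"] / v["packets"] >= min_bytes_per_packet
    }


def detect_syn_flood(flows, min_half_open_sources=50, min_half_open_ratio=0.9):
    """Servers where most inbound TCP flows are lone SYNs from many sources."""
    per_server = defaultdict(lambda: {"half_open_sources": set(), "total": 0})
    for f in flows:
        if f.proto != "tcp":
            continue
        s = per_server[(f.dst, f.dport)]
        s["total"] += 1
        if "S" in f.flags and "A" not in f.flags:   # handshake never completed
            s["half_open_sources"].add(f.src)
    return {
        server: {"half_open_sources": len(s["half_open_sources"]),
                 "total_flows": s["total"]}
        for server, s in per_server.items()
        if len(s["half_open_sources"]) >= min_half_open_sources
        and len(s["half_open_sources"]) / s["total"] >= min_half_open_ratio
    }


if __name__ == "__main__":
    sample = build_sample_flows()
    print("dns amplification:", detect_dns_amplification(sample))
    print("syn flood:", detect_syn_flood(sample))
```

The amplification check keys on the victim, not on any single resolver, because each resolver sends only a modest share of the total; the SYN check keys on the distinct-source count because a flood with spoofed sources shows up as many one-packet flows rather than one heavy talker.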
B
Which statement describes how a network-based malware protection feature detects a possible event? A. Using virus signature files locally on the firewall, it will detect incorrect MD5 file hashes. B. The firewall applies broad-based application and file control policies to detect malware. C. Malware can be detected correctly by using reputation databases on both the firewall and/or from the cloud. D. IDS signature files that are located on the firewall are used to detect the presence of malware. E. Malware can be detected and stopped by using ACLs and the modular policy framework within the firewall appliance.
C
Which statement describes the Cisco Firepower IDS inline tap mode? A. To deploy Cisco Firepower NGFW where it will block only high-critical events. B. To ensure that if one interface goes down in an inline set, the other interface is also taken down. C. To have an inline set act as a tap—a copy of the traffic is analyzed. D. IDS inline tap mode is supported only in the Cisco Firepower NGFW transparent mode.
C
Which statement describes the advantage of using PVLAN over traditional VLANs? A. PVLAN traffic is encrypted, VLAN traffic is cleartext. B. A PVLAN provides better performance when combined with an ASA firewall. C. PVLANs isolate traffic without the need to allocate a subnet to each VLAN. D. A PVLAN can be configured on firewalls and switches, VLANs can be configured only on switches.
A
Which statement describes the concept of a connection profile inside Cisco ASDM? A. It is the same as a tunnel group and defines authentication parameters. B. It is a logical construct that combines all required IPsec components. C. It is the same as a group policy and defines VPN session parameters. D. It is a logical construct that combines all required IPsec components, routing configuration, and NAT exemption configuration.
B
Which statement describes the difference between security intelligence and typical firewall ACLs in preventing malicious traffic? A. Security intelligence uses a dictionary list of keywords, which, if detected in the data payload, will trigger a security event. B. Using intelligence feeds that provide IP addresses with known bad reputations, malicious activity is blocked before any other policy-based inspection, analysis, or traffic handling is performed. C. ACLs provide a more granular ability to control known bad IP addresses that have a poor reputation. Security intelligence feeds are broader in scope. D. Security intelligence feeds can be used to detect security issues in improperly configured ACLs. E. ACLs provide superior reflexive ACL entries, based on the known IP address that has a poor reputation, which will automatically be installed in the inspection engine of NGFWs.
C
Which statement explains the primary difference between reputation-based detection and anomaly-based detection methods? A. Over time, reputation-based detection will learn and evaluate patterns that could indicate suspicious activity. B. Anomaly-based detection leverages use of a "signature" to determine whether suspicious activity is occurring. C. Reputation-based detection allows the IPS to block all traffic from known bad sources before any significant inspection is done. D. Anomaly-based detection is faster than reputation-based detection. E. Reputation-based detection leverages use of a "signature," to determine whether suspicious activity is occurring.
A
Which statement is correct about NetFlow and IPFIX? A. NetFlow protocol records can be exported to an external SIEM server for analysis and correlation. B. NetFlow and IPFIX are used to measure the bandwidth usage on a router interface. C. NetFlow can be implemented on a Cisco router and IPFIX on an ASA firewall. D. NetFlow is a standard IETF protocol, IPFIX is a Cisco proprietary protocol.
B
Which statement is correct about transparent user authentication using Cisco Web Security Appliance (WSA)? A. A specific patch file is required on the client browser. B. The user's browser must be explicitly redirected to the WSA using an HTTP redirect. C. A WCCP redirect message must be sent to the client. D. Cisco WSA must redirect HTTP traffic to an external authentication server.
B
Which statement is correct regarding Common Vulnerabilities and Exposures (CVE)? A. CVE is a database structure that can be used to describe private vulnerabilities. B. CVE is a database that provides common identifiers for data exchange between security products. C. CVE is a standard language to build a threat signature database in security devices. D. CVE is a transport protocol to communicate threats and vulnerabilities.
D
Which statement is correct regarding the security requirements and the use of hybrid cloud computing? A. In hybrid cloud computing, the customer always assumes full security responsibility for the cloud services they use. B. In hybrid cloud computing, the cloud provider takes all security responsibilities for the customer. C. Hybrid cloud security requirements are the same for all cloud services used. D. The security requirements in a hybrid cloud deployment vary greatly, so the customer must keep up with what they are responsible for and which security responsibilities they are outsourcing.
C
Which statement is correct? A. When the AMP connector sees a file, it first looks in the cache in the cloud. B. All SHA-256 hashes are known on the host upon installation if a full scan is performed, so processing time is much faster. C. When the AMP connector sees a file, it first calculates the SHA-256. D. Windows Servers receive higher priority than Windows hosts when referencing the cloud.
A
Which statement is true about a Cisco ASA network object group? A. Several network objects of different types can be included in a network object group. B. You cannot include inline networks or hosts on the fly during configuration. C. A network object group can group only network objects of the same type. D. A raw IP address cannot be included in a network object group.
A
Which statement is true about the message splintering feature for Cisco Email Security Appliance? A. It allows for multiple recipient-based security rules to be applied independently to messages with multiple recipients. B. It allows for multiple recipient-based security rules to be applied independently to messages with a single recipient. C. It allows for multiple single recipient-based security rules to be applied independently to messages with multiple recipients. D. It allows for single recipient-based security rules to be applied independently to messages with a single recipient.
B
Which statement regarding Cisco TrustSec is correct? A. Assignment of SGT can be only done after 802.1X authentication. B. Cisco TrustSec decouples access policy from network topology. C. The only supported mechanism for SGT propagation is inline tagging. D. Policy enforcement on switching platforms is done using SGFW functionality.
C
Which statement regarding Ethos is correct? A. Ethos is a signature-based technology. B. Ethos is a type of machine learning. C. Ethos is a type of fuzzy fingerprinting. D. Ethos is available only by sending the file sample to the cloud.
B
Which statement regarding IPsec security protocols is true? A. AH and ESP are both transport protocols and they cannot be used at the same time. B. IKE provides key management, but IPsec can be implemented without IKE. C. In an IPsec deployment, AH should be used if IKEv2 is unavailable. D. In tunnel mode, only AH guarantees data integrity for the carrier IP header, so it is more secure than ESP.
B
Which statement regarding Structured Threat Information Expression (STIX) is true? A. STIX is a controller that automates actions based on threat intelligence information. B. STIX is a language used to share threat intelligence information. C. STIX is a proprietary format widely used in the industry. D. STIX is a protocol to share threat intelligence information.
D
Which statement regarding routing support for IPsec VPNs on Cisco Firepower NGFW is correct? A. BGP is supported for crypto map-based IPsec VPN. B. OSPF is supported for VTI-based IPsec VPN. C. EIGRP is supported for VTI-based IPsec VPN. D. RRI is supported for crypto map-based IPsec VPN.
D
Which statement regarding the Cisco ISE identity certificate is correct? A. It is used to identify Cisco ISE for management accessed over SSH. B. It is used to identify the Cisco ISE server in EAP methods that use digital certificates for client-side authentication. C. It is used to authenticate the CA server root certificate. D. It is used to identify the Cisco ISE server in EAP methods that use digital certificates for server-side authentication.
D
Which statement regarding the device and file trajectory is correct? A. Device trajectory displays the life cycle of a file in your organization across all endpoints. B. File trajectory displays processes, files, network connections, and IOCs on a device. C. File trajectory is displayed inside the AMP connector. D. File trajectory displays the life cycle of a file in your organization across all endpoints.
D
Which statement regarding the level of redundancy required in a VPN network design is true? A. A hub should always be redundant. B. A spoke should never be redundant. C. The level of redundancy required depends on the number of routers in the topology. D. The level of redundancy required depends strictly on business requirements.
B
Which statement regarding uRPF support on Cisco ASA is correct? A. Cisco ASA firewall does not support uRPF. B. Cisco ASA firewall supports only strict uRPF. C. Cisco ASA firewall supports only loose uRPF. D. Cisco ASA firewall supports both strict uRPF and loose uRPF.
D
Which statement regarding AMP for Endpoints management is correct? A. Policies are configured inside the AMP connector. B. Policies for different operating systems support the same set of features. C. Policy changes require manual administrator intervention to deploy changes to endpoints. D. Policies are configured inside the AMP management console.
A
Which system-provided base IPS policy is most stringent? A. Security over Connectivity B. Connectivity over Security C. Balanced Security and Connectivity D. Security E. Connectivity
CDG
Which three actions are valid actions inside a prefilter rule? (Choose three.) A. Permit B. Deny C. Block D. Fastpath E. Allow F. Drop G. Analyze H. Slowpath
ACE
Which three actions does the Dynamic Content Analysis engine perform when evaluating uncategorized web content? (Choose three.) A. It evaluates the requested URL against the Cisco WSA URL category database. B. It evaluates the requested URL against the custom URL categories on the Cisco WSA. C. It dynamically inspects the website, scores the content, calculates model document proximity, and returns the closest category match. D. It identifies the requested URL as uncategorized after an unsuccessful match against the URL database. E. It performs a URL keyword analysis to determine the URL category.
BCE
Which three anti-malware scanning engines can be used by the Cisco Dynamic Vectoring and Streaming engine in the process of inspecting web traffic for malicious content? (Choose three.) A. Advanced Malware Protection B. McAfee C. Sophos D. file reputation E. Webroot F. Web Reputation Filters G. file analysis
ADE
Which three changes have occurred in modern networks that require enhanced security? (Choose three.) A. Modern networks utilize a common set of widely known and open protocols. B. The use of common operating systems on smart phones such as Apple iOS and Android has provided attackers with simpler means to instigate targeted attacks. C. Fault tolerance and backup systems provide threat actors easy access to system resources and data. D. The global connectivity of the Internet provides more opportunities for threat actors to connect to information systems. E. The increased complexity of operating systems and application software has made it more difficult to ensure security across all systems.
ADE
Which three characteristics and operations apply to the transparent deployment mode of a web proxy? (Choose three.) A. Authentication is problematic. B. Authentication is straightforward. C. Client configuration must change. D. Network device redirects the client request to the web proxy. E. The client directs traffic to the target web server. F. Server configuration must change.
BDE
Which three classification criteria can be used in the sender groups? (Choose three.) A. outbreak rule B. SBRS C. AMP verdict D. IP addressing E. domain
ACE
Which three companies are public cloud providers? (Choose three.) A. Amazon (Amazon Web Services) B. Facebook C. Google Cloud D. Walmart E. Rackspace F. Cisco
ABD
Which three components are used in the Cisco ASA MPF configuration? (Choose three.) A. class maps B. policy maps C. access control lists D. service policy E. TCP and UDP ports
ACD
Which three connection behaviors are supported in the mail flow policies? (Choose three.) A. accept B. permit C. reject D. TCP refuse E. deny
BCE
Which three control families are covered in NIST SP 800-53? (Choose three.) A. programming languages B. physical and environmental protection C. configuration management D. vendor selection E. risk assessment
CDF
Which three devices can use uRPF as the first line of defense in a network? (Choose three.) A. web server B. Cisco UCS server C. Cisco ASA D. Cisco NGFW E. Cisco IOS Layer 2 switch F. Cisco IOS Layer 3 switch
ADE
Which three features does the Acceptable Use Policy software on the Cisco WSA offer? (Choose three.) A. acceptable use policy, application, and protocol control B. data loss prevention C. integrated authentication D. URL filters E. web proxy F. data security G. malware defense
ADE
Which three guest portals exist on Cisco ISE by default? (Choose three.) A. sponsored B. BYOD C. blacklist D. self-registered E. hotspot
ABE
Which three host groups are automatically created within Stealthwatch Threat Feed? (Choose three.) A. Bogon B. Command and Control Servers C. Inside Hosts D. Outside Hosts E. Tor
ACD
Which three management plane countermeasures can be implemented against management session spoofing? (Choose three.) A. out-of-band management B. RBAC C. use of cryptographically protected management protocols D. filtering of management access E. management access authentication
ADE
Which three management protocols can provide secure communications with the management plane of the device? (Choose three.) A. HTTPS B. HTTP C. Telnet D. SSH E. SNMPv3
ACE
Which three management services should be disabled when not needed on the device? (Choose three.) A. Telnet B. SSH C. HTTP D. HTTPS E. Cisco Discovery Protocol
BCE
Which three message types can be assigned to a malicious message after being scanned by the antivirus engine? (Choose three.) A. clean message B. repaired message C. encrypted message D. virus disinfected message E. unscannable message
ABD
Which three methods can be used to authenticate to an API? (Choose three.) A. username and password B. token C. chip D. API keys E. URL
ACD
Which three mitigation techniques on a Cisco switch will protect against VLAN hopping attacks? (Choose three.) A. disabling DTP B. enabling port security C. using a dedicated 802.1Q native VLAN D. explicitly assigning trunk or access mode on interfaces E. using dynamic mode on interfaces
ADF
Which three of the following are examples of common non-behavioral-based Indications of Compromise (IOC)? (Choose three.) A. domain name B. file creation C. file editing D. filename E. registry renaming F. source and destination IP address
BDF
Which three of the following are examples of the behavioral-based Indications of Compromise (IOC)? (Choose three.) A. domain name B. file creation C. file hash D. file reading E. filename F. registry renaming G. source/destination IP address
BCF
Which three open source platforms can be used to automate network operations? (Choose three.) A. PuTTY B. Ansible C. Puppet D. PostgreSQL E. VMware vCenter F. Chef G. Citrix XenServer
BCE
Which three options are Cisco AMP for Endpoints policy components? (Choose three.) A. access control lists B. application control lists C. exclusions D. inclusions E. modes and engines F. network monitor lists
ACD
Which three options are Cisco ISE functionalities? (Choose three.) A. 802.1X supplicant provisioning automation B. classification of endpoints based on SMTP traffic C. classification of endpoints based on DHCP traffic D. customization of the guest web authentication portal E. client anti-malware software provisioning automation
ACE
Which three options are benefits to adopting cloud computing? (Choose three.) A. scalability and elasticity B. better hardware available to purchase C. reliability D. more IT professionals on staff E. decrease in capital and operating costs F. increase in capital costs but decrease in operating costs
ADG
Which three options are considered as DNS vulnerabilities? (Choose three.) A. DNS cache poisoning attacks B. DNS resolution interception C. DNS phishing D. DNS amplification and reflection attacks E. TCP SYN flood F. DNS brute force attack G. DNS resource utilization attacks
BEF
Which three options are methods that are used by an attacker while gathering network data? (Choose three.) A. unplug network devices B. packet sniffer C. port sniffer D. ping sniffer E. ping sweeps F. port scans
BDE
Which three options are possible categories that a message can be put into after antispam scanning? (Choose three.) A. possible spam B. suspected spam C. acceptable spam D. positively identified spam E. not spam
BCF
Which three options are programmatic methods that can be used to manage network devices through APIs? (Choose three.) A. EEM B. gRPC C. NETCONF D. SNMP E. SSH F. RESTCONF
ABC
Which three options are the components of the rule in the authentication policy? (Choose three.) A. name B. set of conditions C. resulting identity source D. control flow statements E. authorization profiles
ABC
Which three options are the management options for Cisco ASA adaptive security appliances? (Choose three.) A. ASDM B. Cisco Security Manager C. Cisco Defense Orchestrator D. Cisco UCS Manager E. Cisco Prime Manager F. Cisco Prime Secure Orchestrator
ABE
Which three options are true when the Cisco ASA appliance is set to operate in multiple-context mode? (Choose three.) A. Multiple-context mode is beneficial for an enterprise that wants to keep the administration of different departments completely separate and independent. B. When a user logs into the system execution space, they are able to create new contexts. C. There is support for OSPFv3, RIP, and multicast routing. D. All security contexts must operate in the same firewall mode. E. There is support for static routing, access control features, security modules, and management features.
BDE
Which three options can be used as membership criteria in the Access policy groups? (Choose three.) A. anti-Malware and reputation B. identification profiles and users C. objects D. URL categories E. user agents F. bandwidth limit G. applications
BCD
Which three options could be best suited for in-band management? (Choose three.) A. Telnet B. HTTPS C. ASDM D. SSH E. HTTP
ADE
Which three packet types are received by the CEF-exception control plane subinterface? (Choose three.) A. Cisco Discovery Protocol messages B. EIGRP Hello messages C. GRE packets D. IP packets with expiring TTL E. IP packets with unreachable destination F. IPsec VPN packets G. SNMP trap H. SSH packets in an active user session
BGH
Which three packet types are received by the host control plane subinterface? (Choose three.) A. Cisco Discovery Protocol messages B. EIGRP Hello messages C. GRE packets D. IP packets with expiring TTL E. IP packets with unreachable destination F. IPsec VPN packets G. SNMP trap H. SSH packets in an active user session
ADE
Which three parameters are set by enabling Cisco ISE Default settings under AAA RADIUS configuration on Cisco WLC? (Choose three.) A. sets the Layer 2 security of a WLAN to WPA+WPA2 B. disables MAC filtering if the Layer 2 security of a WLAN is set to None C. applies authentication server details also to the authorization server D. enables RADIUS CoA E. sets the AKM method to 802.1X
ABE
Which three parameters can define a recipient address for being checked against the RAT? (Choose three.) A. domain name B. username C. SBRS D. AMP verdict E. full email address
CEG
Which three parameters define a decryption policy on the Cisco WSA? (Choose three.) A. applications B. authentication realm C. default D. objects E. URL filtering F. identification profile G. web reputation
BDE
Which three primary actions can Cisco ESA take when it detects a possible DLP violation in an outgoing message? (Choose three.) A. Encrypt B. Deliver C. Add disclaimer text D. Drop E. Quarantine
ACD
Which three request methods can you use when sending requests to Cisco FMC REST API? (Choose three.) A. GET B. LEAVE C. PUT D. POST E. PATCH F. LOGOUT
BCF
Which three security responsibilities regarding the PaaS solution are correct? (Choose three.) A. The customer is responsible for the physical hardware. B. The provider is responsible for the physical hardware. C. The customer is responsible for the application and its data, and the application being used securely. D. The provider is responsible for the application and its data, and the application being used securely. E. The customer has virtual networking components security responsibilities. F. The provider has network infrastructure security responsibilities.
ACE
Which three security services are provided with SNMPv3? (Choose three.) A. origin authentication B. authorization C. data integrity D. community string E. privacy
ABD
Which three social engineering statements are correct? (Choose three.) A. Social engineering largely leverages most people's "good nature" and desire to help to obtain the information that is needed. B. Social engineering can be achieved through seemingly normal situations or appearances to obtain access to resources or physical locations otherwise off-limits to personnel. C. Social engineering is easy to spot and should be called out immediately in front of everyone to unveil a fraud. D. Phishing is a social engineering technique. E. Social engineering is not a security threat.
ADE
Which three software blades are included in the Cisco AsyncOS on the Cisco WSA? (Choose three.) A. acceptable use policy B. data loss prevention C. HTTP proxy D. data security E. malware defense F. web reputation filters G. FTP proxy
ABF
Which three statements about site-to-site VPNs are correct? (Choose three.) A. They authenticate VPN peers and network devices that provide VPN functionality. B. They provide transmission security between sites over an untrusted network. C. They eliminate the need for basic network traffic controls. D. They often encounter problems with traffic filtering. E. They support only Cisco routers. F. They can be used as replacements for classic routed WANs. G. They eliminate the need for high availability. H. They eliminate the need for QoS.
ADE
Which three statements apply to XSS? (Choose three.) A. Malicious scripts are injected into web pages and executed on the client side. B. A web application processes an attacker's request using the victim's authenticated session. C. Malicious scripts are injected into web pages and executed on the server side. D. Scripting languages used by XSS have security weaknesses. E. Clicking an infected link causes a malicious script to run in a background process. F. Scripting languages used by XSS do not have security weaknesses.
CDE
Which three statements characterize the use of a PAC file? (Choose three.) A. The PAC file must be hosted only on the Cisco WSA. B. WCCP provides automatic PAC file detection on the browser. C. The PAC file provides failover and load balancing. D. The PAC file avoids configuration on the client side. E. The WPAD protocol provides automatic PAC file detection on the browser. F. PAC files are supported in transparent proxy deployment only. G. PAC files do not support failover and load balancing.
ACD
Which three statements characterize user authentication in transparent proxy mode for web traffic? (Choose three.) A. Redirect the client (status code 307) to the Cisco WSA, performing authentication, and then redirect the user back to the real website. B. Proxy authentication (status code 407) is used. C. The client is not aware of the web proxy. D. LDAP authentication is not supported in transparent proxy mode. E. User authentication in transparent proxy mode is not supported. F. The client recognizes the web proxy. G. Use client IP address or cookies to track authentication.
BCE
Which three strategies can be used for implementing SenderBase protection? (Choose three.) A. neutral B. conservative C. moderate D. optimized E. aggressive
BDE
Which three tactics do the Outbreak Filters employ to protect the users from outbreaks? (Choose three.) A. Quarantine B. Delay C. Release D. Modify E. Redirect
BCF
Which three technologies typically send traffic using cleartext? (Choose three.) A. SCP B. SMTP C. FTP/TFTP D. SSH E. SSL F. Telnet
ACD
Which three threats are email-based? (Choose three.) A. spam B. SQL injection C. attachment-based attacks D. email address spoofing E. Cross-Site Request Forgery F. cross-site scripting G. insufficient user authentication
A
Which translation type of NAT performs NAT based on a combination of source and destination IP addresses and services? A. Policy NAT B. Static NAT C. Dynamic NAT D. Static PAT
DF
Which two Cisco Stealthwatch offerings are available? (Choose two.) A. Stealthwatch Small Business B. Stealthwatch Large Business C. Stealthwatch SaaS D. Stealthwatch Enterprise E. Stealthwatch Private F. Stealthwatch Cloud
CE
Which two Cisco Umbrella packages include access to the Investigate console? (Choose two.) A. DNS Security Essentials B. Secure Internet Gateway Advantage C. DNS Security Advantage D. DNS Security Foundations E. Secure Internet Gateway Essentials
CD
Which two EAP methods belong to tunnel EAP types? (Choose two.) A. EAP-MD5 B. EAP-TLS C. PEAP D. EAP-FAST E. EAP-MSCHAPv2 F. EAP-GTC
CD
Which two EAP methods require a server certificate? (Choose two.) A. EAP-MD5 B. MEAP C. EAP-TLS D. PEAP E. EAP-FAST F. EAP-SLOW
CE
Which two IKEv2 proposals should you avoid? (Choose two.) A. Proposals that use AES as the encryption algorithm. B. Proposals that use DH group 14. C. Proposals that use MD5 as the hash algorithm. D. Proposals that use SHA-2 as the hash algorithm. E. Proposals that use DH group 5.
AB
Which two IP packet attributes does NetFlow use? (Choose two.) A. destination port B. destination IP C. Layer 7 protocol type D. Layer 1 type E. device type
BE
Which two Remote Access VPN features are supported by Cisco ASA but are not supported by Cisco Firepower NGFW? (Choose two.) A. AnyConnect SSL VPN B. Internet Key Exchange v1 C. Multiple IKE policies D. Split tunneling E. XAUTH using a local user database
AB
Which two VPN components can be used when deploying a remote access VPN on a Cisco Firepower NGFW? (Choose two.) A. AnyConnect Secure Mobility Client B. external AAA authentication server C. web browser D. application plug-ins E. ASA image installed
BE
Which two VPN statements are correct? (Choose two.) A. Every VPN implementation must have traffic-filtering capabilities. B. VPNs carry private traffic over a public or shared infrastructure. C. VPNs use methods such as signatures and anomaly based inspection to inspect traffic. D. VPNs must be updated frequently in order to remain effective. E. VPNs can use encryption and authentication protocols to protect data from unauthorized access. F. Every VPN implementation includes packet integrity and nonrepudiation.
AD
Which two actions are needed on a Cisco WLC in order to configure a wireless CWA? (Choose two.) A. Enable Cisco ISE NAC state on the guest WLAN. B. Enable RADIUS NAC state on the guest WLAN. C. Configure redirect ACL to deny DHCP, DNS, and traffic to Cisco ISE. D. Configure redirect ACL to permit DHCP, DNS, and traffic to Cisco ISE. E. Set Layer 3 security on the WLAN to web authentication. F. Set Layer 2 security on the WLAN to WPA.
CD
Which two advanced membership criteria can be used to configure an access policy on Cisco Web Security Appliance (WSA)? (Choose two.) A. Layer 3 protocol B. operating system C. proxy port D. user agent E. user sessions count
CE
Which two are advantages of objects? (Choose two.) A. They allow you to change object values used within an ACP without needing to redeploy the ACP to which the objects are associated. B. They allow Cisco Talos to gain visibility into your network based on the network objects you create. C. They can be grouped. D. Objects allow you to block traffic based on application detection. E. They allow you to manage certain ACP conditions separately from the ACP policy.
CD
Which two are not examples of behavioral-based indications of compromise (BIOC) for a file? (Choose two.) A. bandwidth usage B. copying content from a hard drive C. destination IP address D. file hash E. multiplication of itself F. renaming registry
AC
Which two authentication methods apply to the establishment process of the SSL session? (Choose two.) A. Server authentication is required. B. Client authentication is required. C. Client authentication is optional. D. Server authentication is optional. E. Server and client authentication are both required.
BD
Which two characteristics apply to a content filter? (Choose two.) A. It can scan only outgoing messages. B. You cannot define a filter that scans both incoming and outgoing messages. C. It can scan only incoming messages. D. It can scan either incoming or outgoing messages. E. One filter can be assigned to incoming and outgoing mail policies.
AD
Which two characteristics may categorize adware as spyware or malware? (Choose two.) A. covert sending of tracking data B. frequent serving of advertisements C. tricking the user to agree to advertisements D. unsolicited installation on the user device E. using tracking cookies
DE
Which two configuration methods can be used on Cisco ASA to configure the static route used for a point-to-point VPN? (Choose two.) A. policy-based routing forwarding traffic into the VPN tunnel B. redistribution of static route C. routing configuration in IPsec profile D. Reverse Route Injection E. static route explicit definition F. Policy-based routing forwarding traffic into the VPN tunnel
BC
Which two configuration objects are grouped inside the Cisco ASA connection profile? (Choose two.) A. VPN topology B. IKE policy C. IPsec proposal D. IPsec policy E. ACL bypass configuration F. IKE proposal
BE
Which two controls can Cisco WSA use to validate web requests? (Choose two.) A. AMP for isolating reputable exploits and malware samples to its local disk for further investigation B. basic URL filtering that leverages predefined, category-based web usage controls C. IPS-based signatures that are loaded in the Cisco WSA to prevent intrusions and alert system administrators D. a reputation database within the Cisco WSA that uses Snort-like rule sets to combat RootKit intrusions E. a reputation database that is used to analyze web requests as part of a security control procedure
AD
Which two countermeasures should an administrator employ to protect against DNS tunneling? (Choose two.) A. monitor the DNS log for suspicious activities B. deny all DNS transactions C. encrypt DNS communications using a hash D. deploy a solution such as Cisco Umbrella to block the DNS tunneling traffic E. block all DNS traffic on the firewall
BC
Which two criteria can be used for matching users to a mail policy? (Choose two.) A. IP address B. sender C. recipients D. WBRS E. external threat feeds
AB
Which two criteria make it possible to configure a sender group on Cisco Email Security Appliance (ESA)? (Choose two.) A. IP address range B. lack of SenderBase Reputation Score C. mailbox assigned space D. MX record priority E. time sending range
BE
Which two features can be used to implement policy-based authorization with the Cisco Secure Network Access solution? (Choose two.) A. distribute lists B. downloadable ACL C. interface filtering ACL D. interface Route Maps E. Security Group Tag
AE
Which two features does IKE provide in an IPsec implementation? (Choose two.) A. automatic key generation B. communication reliability C. data encryption D. performance improvement E. scalability
AD
Which two inspections can be performed by the Cisco Umbrella Intelligent Proxy? (Choose two.) A. URL inspection B. AVC inspection C. IPS inspection D. file inspection E. Layer 3 and 4 inspection for clients without roaming clients
AD
Which two items can be found in a host profile? (Choose two.) A. IP address of the host B. ability to control that host's desktop via RDP session C. ability to control that host's desktop via SSH session D. operating system of the host E. list of all interfaces and network interface controllers
CD
Which two of the following are site-to-site VPN properties? (Choose two.) A. SSL technology B. SSH technology C. IPsec technology D. cryptographic traffic protection E. routing protocols for traffic isolation
BD
Which two options are 802.1X authenticator functions? (Choose two.) A. provide client credentials to network access device B. forward client credentials to authentication server C. validate client credentials against directory server D. enforce network access policy E. determine network access policy based on identity and group affiliation
AB
Which two options are OOB management connections? (Choose two.) A. firewall console connection B. router management VRF connection C. ESA data interface, also used for management D. WSA in-band connection E. switch SSH connection to IP phone dedicated VLAN SVI
BC
Which two options are advantages of using Cisco AnyConnect Secure Mobility Client over native Microsoft Windows 10 OS supplicant? (Choose two.) A. lower cost B. richer support for EAP methods C. support for MACsec encryption D. support for IPsec encryption E. smaller management overhead
CD
Which two options are basic IP address assignment options for SSL VPN clients on Cisco Firepower NGFW? (Choose two.) A. using a connection profile remote pool B. using a remote pool in a group policy C. using a local pool in a group policy D. using a connection profile local pool E. using a per-user IP address in the local user database
DE
Which two options are examples of command injection attacks? (Choose two.) A. TCP injection B. DNS injection C. Malvertising D. SQL injection E. Cross-Site Scripting (XSS)
BD
Which two options are examples of password cracker tools? (Choose two.) A. NMAP B. Cain and Abel C. Bonnie and Clyde D. John the Ripper E. Wireshark
BD
Which two options are software vulnerability scanners? (Choose two.) A. VmStat B. Nessus C. fingerprint D. OpenVAS E. Cisco FirepowerDNS
AE
Which two options are the typical types of authentication used in the routing protocol process? (Choose two.) A. MD5 B. AES C. digital certificate D. password E. cleartext
CD
Which two options are triggers for an organization to perform a vulnerability assessment? (Choose two.) A. the onset of high volumes of network traffic, such as the holiday purchasing rush B. when new users are brought on-board C. when a new technology or software is planned to be deployed D. when software or hardware updates are released
BC
Which two options are uses for DNS covert tunnels? (Choose two.) A. modify data in database B. stealthy data exfiltration C. issue CnC traffic to bots on the network D. DoS attacks E. to send DNS traffic within IPsec tunnel
AC
Which two options are valid Cisco AMP components? (Choose two.) A. AMP cloud B. Umbrella dashboard C. AMP connector D. Umbrella Roaming Client E. AMP file trajectory F. AMP device trajectory
BC
Which two options are valid fields in the X.509 version 3 format of a digital certificate? (Choose two.) A. subject private key B. subject public key C. certificate expiration date D. CA private key E. CRL serial number
BD
Which two options correctly describe how HMAC differs from hashing? (Choose two.) A. Only HMAC uses the SHA-512 hash function. B. Only HMAC adds a secret key as input to the hash function. C. Only HMAC provides integrity assurance. D. Only HMAC provides protection against man-in-the-middle attacks.
BC
Which two options correctly describe the reasons why a company might choose a public cloud deployment? (Choose two.) A. Strict data security requirements mean that all data must stay within the company. B. There are no data security requirements. C. A company does not have the resources available for a large, dedicated IT staff. D. A company employs, and wants to keep employed, a large IT staff. E. A company already owns a lot of hardware and wants to utilize it.
AC
Which two options define scalability and elasticity? (Choose two.) A. provisioning cloud resources rapidly B. better reliability C. decommissioning cloud resources quickly after they are no longer needed D. better visibility into cloud usage E. more computing power
AD
Which two options describe NFV and VNF? (Choose two.) A. NFV is an architectural approach to building dynamic virtual environments. B. NFV is a standards-based protocol for moving virtual hardware between dynamic virtual environments. C. VNF is a standards-based protocol for moving virtual hardware between dynamic virtual environments. D. VNF is a building block of the overall architecture and can be fulfilled by one or more virtual machines or virtual appliances. E. VNF is a discrete individual virtual machine or virtual appliance in the architecture.
BE
Which two options describe the Cisco Web Security Appliance (WSA) deployment type and configuration method? (Choose two.) A. Explicit forward - L4-7 redirection B. Explicit forward - Proxy Auto-Configuration (PAC) file C. Explicit forward - Web Cache Communication Protocol (WCCP) D. Transparent - Browser configuration E. Transparent - Policy Based Routing (PBR)
BC
Which two options describe the benefits of using VPNs instead of dedicated WAN lines? (Choose two.) A. high availability B. cost savings C. scalability D. incompatibility with broadband technology
AE
Which two options describe the goals of the open source software trend? (Choose two.) A. community involvement in continuous improvement B. inaccessibility to the underlying network operating system C. using proprietary protocols D. using proprietary code to interact with network devices E. using open APIs to interact with network devices
AC
Which two options describe the most common authorization permission options in Cisco secure network access? (Choose two.) A. downloadable ACLs B. dynamic ACLs C. dynamic VLAN assignment D. QoS policy E. web authorization
AB
Which two options describe value propositions of using APIs in the network? (Choose two.) A. Network automation becomes easier, through device-to-device communications of third-party applications and environments. Integration with third-party applications is easier, allowing you to share context and policy information between applications in your network. B. Integration with third-party applications is more difficult, leading to increased security against unknown risky applications. C. Administrators no longer need to use the native management tools of the application or appliance. D. Support for Autonomous Platforms Everywhere (APE) environments is based on RESTful API architectures and requires API calls to function correctly.
BD
Which two options determine the speed at which a password can be cracked using the brute-force method? (Choose two.) A. willingness of the victim to share personal information B. the attacker's computer speed C. the attacker's list of the commonly used passwords D. the length and complexity of the password E. the victim's computer speed
AC
Which two options does SSL VPN on the Cisco ASA appliance use to authenticate an SSL VPN server to clients? (Choose two.) A. CA-signed identity certificate B. local user database on Cisco IOS router C. self-signed identity certificate D. local user database on Cisco ASA E. user database on AAA server
AD
Which two options might be considered attack surfaces in the network environment? (Choose two.) A. open ports B. privacy settings C. use of SSH D. use of Telnet
BD
Which two options represent valid EAP messages? (Choose two.) A. Access-Request B. Request C. Challenge D. Failure E. Access-Accept F. Hello
AE
Which two options represent valid RADIUS messages? (Choose two.) A. Access-Request B. Request C. Challenge D. Reject E. Access-Accept F. Access-Start
CD
Which two options should not be part of your regular cloud patch management? (Choose two.) A. mobile phone B. mail server C. system running fully custom application D. always-on embedded system E. laptop
AD
Which two outcomes can be caused by a successful SQL injection attack? (Choose two.) A. read sensitive data from the database B. extract all the database accounts password hashes from the database server's memory C. inject malware in the database server D. execute administration operations on the database
CF
Which two packet types are received by the transit control plane subinterface? (Choose two.) A. Cisco Discovery Protocol messages B. EIGRP Hello messages C. GRE packets D. IP packets with expiring TTL E. IP packets with unreachable destination F. IPsec VPN packets G. SNMP trap H. SSH packets in an active user session
CE
Which two pieces of the enhanced NetFlow data are required to perform Encrypted Traffic Analytics? (Choose two.) A. TLS session tickets B. decrypted TLS payload C. sequence of packet lengths and times D. decrypted TLS Record header E. initial data packet
BC
Which two possibilities are the most common key exchange options? (Choose two.) A. symmetric encryption B. DH algorithm C. PKI D. SHA-1 algorithm E. SHA-2 algorithm
AB
Which two probe types are supported and used to profile a device in a Cisco Identity Service Engine (ISE)? (Choose two.) A. DHCP B. DNS C. LDAP D. SSL E. TACACS+
DE
Which two programmatic methods can be used to communicate with a network device by using an API? (Choose two.) A. Ansible B. Java C. Python D. REST E. RESTCONF
BD
Which two protocols are most commonly found in AAA? (Choose two.) A. TCP/IP B. TACACS+ C. OSPF MD5 D. RADIUS E. IPSEC
AD
Which two results are required to make an SQL injection possible? (Choose two.) A. The application was poorly programmed. B. User input was sufficiently validated. C. Strict security measures were followed when developing web site code. D. User input was not sufficiently validated. E. The webserver operating system has not been patched.
AB
Which two secure authentication types can be used with OSPF authentication on Cisco IOS routers? (Choose two.) A. MD5 B. SHA C. AES D. RSA digital certificates E. Cleartext
BC
Which two settings are needed to successfully enable 802.1X on a WLAN? (Choose two.) A. Set Layer 2 security to WEP. B. Enable 802.1X authentication key management. C. Set Layer 2 security to WPA+WPA2. D. Set DHCP address assignment setting to required. E. Set Layer 2 security to AKM.
AD
Which two statements about Cisco ASA appliance or Cisco Firepower NGFW connection profiles are correct? (Choose two.) A. A connection profile refers to a default group policy. B. A group policy refers to a default connection profile. C. A connection profile can be assigned multiple group policies. D. A group policy can be assigned to multiple connection profiles. E. A user cannot select a connection profile.
CD
Which two statements about Cisco Secure Network Access solutions are correct? (Choose two.) A. Cisco ISE acts as the authenticator server in Cisco secure network access deployments. B. Authorization is a process of identifying a user accessing the network. C. To authenticate users and devices, the AAA server is needed. D. Accounting is a process of tracking and auditing user access to the network. E. Cisco ISE acts as a supplicant in Cisco secure network access deployments.
BD
Which two statements about IPsec are correct? (Choose two.) A. It provides security services at Layers 2 through 7 of the OSI model. B. It can provide data origin authentication and confidentiality. C. It provides four different transport modes. D. It provides transmission security for IP traffic.
AE
Which two statements about RADIUS and TACACS+ protocols are true? (Choose two.) A. RADIUS combines authentication and authorization. B. RADIUS encrypts the entire body of the packet. C. RADIUS separates authentication, authorization, and accounting. D. TACACS+ combines authentication and authorization. E. TACACS+ separates authentication, authorization, and accounting.
AC
Which two statements about encryption are correct? (Choose two.) A. It provides confidentiality. B. It is used primarily for integrity assurance. C. It obscures information to make it unreadable to unauthorized recipients. D. It is implemented in VPN by use of MD5 or SHA.
AC
Which two statements about host-based antivirus software are true? (Choose two.) A. Antivirus software may use heuristics with other methods to detect malware. B. User identity detection is embedded in most antivirus software code. C. Most antivirus software uses signature-based malware detection. D. Antivirus software is wholly dependent on running scans to find malware that has already obtained a foothold on a system. E. Antivirus software cannot use heuristics with other methods to detect malware.
AC
Which two statements about identity certificates are true? (Choose two.) A. They are used to bind the name of a PKI member to its public key. B. They are used to sign other certificates. C. They must be signed by a CA so that end entities other than the holder can verify it. D. They must be encrypted. E. They contain confidential information.
AC
Which two statements about malvertisements are correct? (Choose two.) A. Malvertisements are sometimes set up to affect all visitors to a site only during a specific period of time. B. Malvertisements' malicious code remains forever. C. Malvertisements affect both trustworthy and untrustworthy sites. D. Infection only occurs when the victim clicks a malvertisement. E. Malvertisements are not a security concern
DG
Which two statements about public key cryptography are true? (Choose two.) A. implemented in 3DES and AES B. derives private keys from public keys C. uses a single key to encrypt and decrypt traffic D. uses two keys—one to encrypt traffic and another to decrypt traffic E. efficient in software and easily hardware accelerated F. also known as symmetric algorithms G. also known as asymmetric algorithms
CD
Which two statements about the Cisco clientless remote access SSL VPN solution are correct? (Choose two.) A. It offers direct full network access to internal resources. B. It allows remote users to access enterprise applications only from enterprise-managed endpoints. C. It can bypass most firewalls in the path. D. It enables a remote user to use a web browser to access internal resources. E. The VPN gateway for clientless SSL VPN must be a Cisco Firepower NGFW appliance.
CF
Which two statements about using split tunneling in an SSL VPN are correct? (Choose two.) A. It creates a separate tunnel from the SSL VPN client to each network that you specify. B. It creates two separate tunnels—one for traffic that is destined for specific internal protected networks and another for all other traffic. C. It can increase risk because the client is not protected by central site security mechanisms when it is connecting to the other networks. D. It routes all traffic to the VPN gateway. E. It decreases the performance of applications that do not require the VPN tunnel. F. It may increase risk because the client can be used as a relay between the external networks and the internal protected network more easily if the client is compromised by an attacker.
BD
Which two statements accurately describe MAB? (Choose two.) A. MAB augments the security of 802.1X authentication. B. MAB uses a MAC address for both the username and the password. C. MAB is more secure than 802.1X authentication method. D. MAB is often used to allow network access for devices like printers or IP-based video cameras.
BC
Which two statements apply to Cisco TrustSec enforcement? (Choose two.) A. Enforcement using traditional ACLs is less resource intensive than Cisco TrustSec enforcement using SGACLs. B. Cisco TrustSec enforcement can be performed on a network device using SGACLs or on an SGT-aware firewall, such as Cisco ASA appliance. C. Cisco TrustSec provides role-based, topology-independent access control within a network. D. SGACL contains source and destination SGTs. E. SGACL contains source and destination IP addresses.
CE
Which two statements are applicable to SDN? (Choose two.) A. Ultimate solution for all networking challenges B. A mandate for all network engineers to become programmers C. Decouples the control and data planes, while intelligence and state are logically centralized D. A concept that leverages the existing network infrastructure for centralized control E. A concept that leverages programmatic interfaces to enable external systems to influence network provisioning, control, and operations
CD
Which two statements are benefits of using the DTLS protocol when using Cisco AnyConnect VPNs? (Choose two.) A. It provides better confidentiality than TLS. B. It stipulates retransmissions when packets are lost. C. It mitigates latency and bandwidth. D. It improves the performance of real-time applications. E. It provides better integrity than TLS.
BE
Which two statements are correct? (Choose two.) A. EAP is an authentication protocol that uses client- and server-side certificates for authentication B. EAP is a transport mechanism to carry arbitrary authentication protocols C. EAP only runs over IEEE 802.3 wired media D. EAPOL is used to send EAP messages between the authenticator and the authentication server E. EAPOL is used to send EAP messages between the supplicant and the authenticator F. By default, a switch port enabled for 802.1X permits only EAPOL and RADIUS traffic.
AB
Which two statements are correct? (Choose two.) A. Security engineers that need to locate vulnerabilities in a managed environment commonly use vulnerability scanners, such as Nessus and OpenVAS. B. Attackers use vulnerability scanners such as Nessus and OpenVAS to locate vulnerabilities in potential target hosts. C. Vulnerability scanners, such as Nessus and OpenVAS, are safe to experiment with on a production network environment. D. Vulnerability scanners, such as Nessus and OpenVAS, should never be used on a production network for any reason. E. Educate your employees on how to use vulnerability scanners, such as Nessus and OpenVAS, and encourage them to use vulnerability scanners on the production network.
AC
Which two statements are limitations of the clientless SSL VPN solution? (Choose two.) A. It does not support all IP applications, although most web-based client-server enterprise applications are supported. B. It cannot traverse most firewall and NAT devices. C. It does not support low-latency forwarding and the use of real-time applications, due to its proxying nature. D. It requires VPN client software. E. It allows access only from company-managed systems.
AC
Which two statements are true about malvertisements? (Choose two.) A. Malvertisements are sometimes set up to affect all visitors to a site only during a specific period of time. B. Malvertisements' malicious code remains forever. C. Malvertisements affect both trustworthy and untrustworthy sites. D. Infection only occurs when the victim clicks a malvertisement.
AC
Which two statements below accurately describe the functions of a policy set? (Choose two.) A. Serves as a container for a logical grouping of authentication and authorization policies B. Uses Boolean conditions to steer users to an appropriate group of posture and profiling policies C. Limits the user's session to a set of allowed authentication methods D. Controls which databases are used to check for user credentials
BD
Which two statements correctly describe the interaction of IKEv2 constructs? (Choose two.) A. The IKEv2 profile references an IPsec profile. B. The IPsec profile references an IKEv2 profile. C. The IKEv2 proposal references an IKEv2 policy. D. The IKEv2 policy references an IKEv2 proposal. E. The IKEv2 proposal references an IKEv2 profile. F. The IKEv2 profile references an IKEv2 proposal.
BE
Which two statements describe the Cisco secure network access solution? (Choose two.) A. It is a product you can use to implement secure access to your network. B. It is a set of products and services you can use to implement secure access to your network. C. It is a set of products and services you can use to implement SSL VPN access to your network. D. It is a feature only provided by Cisco Catalyst switches. E. The foundation for Cisco secure network access is the IEEE 802.1X protocol.
BF
Which two statements describe the default IPsec transform set configuration? (Choose two.) A. The mode of the default transform set is tunnel. B. The mode of the default transform set is transport. C. The default mode of the custom transform set is tunnel. D. The default mode of the custom transform set is transport. E. The default protocol of the custom transform set is AH. F. The hashing algorithm of the default transform set is SHA-1.
AB
Which two statements describe what a Host-Based Intrusion Prevention System can do that a Network Intrusion Prevention System cannot? (Choose two.) A. Detect malware delivered to the host via an encrypted channel. B. Protect a mobile host while connected to nonsecured networks. C. Block malware as it is carried across the network. D. Inspect traffic crossing a link in the network. E. Send a file to sandbox for malware inspection.
BC
Which two statements regarding early TCP/IP development are correct? (Choose two.) A. TCP/IP was the only network protocol suite available and was developed for internetwork environments. B. The focus was on solving the technical challenges of moving information quickly and reliably, not on securing it. C. The model was developed as a flexible, fault-tolerant set of protocols. D. The design and architecture of TCP/IP have not changed since its adoption in the early 1970s.
AD
Which two statements regarding management options of VPNs are correct? (Choose two.) A. You can manage VPNs on the Cisco ASA appliance using CLI. B. You can manage VPNs on the Cisco ASA appliance using FDM. C. You can manage VPNs on Cisco Firepower NGFW using CLI. D. You can manage VPNs on Cisco Firepower NGFW using Cisco FMC. E. You can manage VPNs on Cisco Firepower NGFW using Cisco ASDM. F. You can manage VPNs on the Cisco ASA appliance using Cisco FMC.
BD
Which two technologies use cryptographic services to secure communications in a VPN? (Choose two.) A. MPLS VPN B. IPsec C. Frame Relay D. SSL E. HTTPS
AC
Which two third-party vendors integrate with Cisco ESA to provide antivirus scanning? (Choose two.) A. Sophos B. Symantec C. McAfee D. Scanguard E. Trend Micro
CE
Which two transport methods for Security Group Tag (SGT) can be used in a Cisco TrustSec implementation? (Choose two.) A. 802.1X B. destination Security Group (DGT) C. inline tagging D. RADIUS E. SGT Exchange Protocol
BE
Which two types of attacks are examples of ICMP DoS attacks? (Choose two.) A. blooming onion attack B. ICMP flood attack C. DHCP depletion attack D. DHCP whale attack E. smurf attack
CE
Which two types of functionality can be used with IPsec static Virtual Tunnel Interface to choose the protected traffic? (Choose two.) A. Crypto Access Control List B. IKE profile C. policy-based routing D. Service Policy E. static routing
DE
Which two values must be the same within a sequence of packets for NetFlow to consider them a network flow? (Choose two.) A. IP next-hop B. source MAC address C. destination MAC address D. ingress interface E. destination IP address
D
Which type of Cisco Firepower discovery is NMAP an example of? A. passive discovery B. identity discovery C. user discovery D. active discovery
C
Which type of Cloud Access Security Broker (CASB) is Cisco Cloudlock? A. inline forward proxy B. inline reverse proxy C. out-of-band API based D. out-of-band log based
C
Which type of PVLAN port has a complete Layer 2 separation from the other ports within the same primary VLAN, except from the promiscuous ports? A. promiscuous B. community C. isolated D. secondary
C
Which type of Stealthwatch Enterprise policies has the highest precedence? A. Default B. Role C. Host D. Flow
C
Which type of VPN technology is likely to be used in a site-to-site VPN? A. HTTPS B. SSL C. IPsec D. TLS
D
Which type of common security threat can be solved by patching the operating system or hardware device? A. phishing B. SQL injection C. malware D. known vulnerabilities E. weak authentication
A
Which type of IP attack occurs when an attacker inserts itself into a communication session and then takes over the session? A. session hijacking B. MAC address flooding attack C. DHCP depletion attack D. DoS attack
C
Which type of attack occurs when the attacker spoofs the IP address of the victim, sending a continuous stream of small requests that produce a continuous stream of much larger replies, which are sent to the victim's IP address? A. reflection attack B. MITM attack C. amplification attack D. Trojan virus
C
Which type of authentication is first used when Central Web Authentication takes place in a guest network? A. Certificate-based machine authentication B. Certificate-based user authentication C. MAC Authentication Bypass (MAB) D. User authentication (username and password)
B
Which type of spoofing attack uses fake source IP addresses that are different than their real IP addresses? A. MAC spoofing B. IP spoofing C. application spoofing D. name spoofing
C
Which uRPF types are available on the Cisco IOS routers? A. only strict uRPF B. only loose uRPF C. both strict uRPF and loose uRPF D. Cisco IOS routers do not support uRPF
C
Which utility allows you to cycle through all well-known ports to provide a complete list of all services that are running on the hosts? A. Wireshark B. whois C. nmap D. Cain & Abel E. UDP Unicorn
B
Which valid authentication option would you use for remote access VPN users on Cisco Firepower NGFW? A. username and password against a local database B. username and password against a RADIUS server C. username and password against a TACACS+ server D. username and one-time password against an RSA SecurID server
B
Which violation action allows the port security feature to deny offending frames and generate an SNMP trap or syslog notification message at the same time? A. shutdown B. restrict C. protect D. deny
D
Which vty line configuration command can restrict remote management access to SSH only? A. access-class B. login local C. transport input all D. transport input ssh
B
Which web filtering technology allows the Cisco WSA to deny users to play games on popular social networking websites, but still provide access to the social networking websites? A. Advanced Malware Protection B. Application Visibility and Control C. Dynamic Content Analysis D. URL filtering
B
Who defines the security assessment procedures to be followed when there is a security audit of a cloud-based solution? A. cloud provider B. customer C. legal authorities D. standardization agency
A
Who is responsible for providing the security of the solution in a Software as a Service (SaaS) cloud model? A. cloud service provider B. customer's CISO C. customer's IT engineers D. customer's SOC
B
Why are DNS open resolvers the focus of so many malicious activities? A. DNS open resolvers sit inside the enterprise firewall, which must pass DNS traffic, making them easy attack vectors. B. These servers must respond to any query from any Internet host. C. Since DNS open resolvers belong to no administrative authority, they cannot be secured. D. DNS open resolvers are used by enterprises, allowing the attacker an easy means to infiltrate the enterprise network.
A
Why does ETA for Cryptographic Compliance Audit (ETA-CA) not require the SPLT? A. ETA-CA only needs to look at the PKI negotiations, which are contained in the Initial Data Packet (IDP), to determine which cipher suites and protocols are in use between the endpoints. B. ETA-CA can send any encrypted data packet to the CTA cloud, and CTA will use the Global Risk Map to determine which cipher suites and protocols are in use between the endpoints. C. Compliance Audits, such as PCI, SoX, and HIPAA, typically do not cover traffic count between secure and unsecure zones. D. Compliance Audits, such as PCI, SoX, and HIPAA, typically do not cover traffic encryption between secure and unsecure zones.
B
Why is DNS-layer security important in today's networks? A. Firewalls cannot filter based on destination URLs. B. Firewalls cannot block threats that already came into the inside network. C. Advanced persistent threats always initiate on the public internet. D. Only DNS-based security tools have visibility into the global threat landscape.
B
Why is high availability a challenge for virtual appliances in public cloud environments? A. Public cloud providers prefer to charge by the VM-hour, and an idle VM incurs no charges. B. Link-local multicast is not supported in most public cloud environments, such as AWS VPCs. C. The virtual machine ID for a highly available pair would need to be the same between the active and standby virtual machines. D. Deploying two virtual machines with the same virtual IP address would cause an IP conflict on the network, similar to using the same virtual IP address on multiple devices in a physical network.
A
Why would an attacker use Mimikatz once they gained access to a system? A. to extract passwords and hashes for user accounts that have logged on to the system B. to create a tunnel for covert communication channels back to the attacker network C. to list the user accounts currently logged on to the machine D. to create a new domain user account to log in to so regular users will not notice their activity
A
Why would an attacker use a proxy server in front of the exploit server? A. to protect the identity of the exploit server and make it harder to track B. to be able to infect more machines than a single server could C. to reduce bandwidth used by the attack infrastructure and keep loaded pages cached D. redundancy if there is a failure of the exploit server
B
Why would you choose to install the Cisco Umbrella roaming client in a Cisco Umbrella implementation? A. to correlate Cisco Umbrella DNS queries in multiple sites B. to evaluate queries based on organization dedicated policy C. to implement Cisco Umbrella on Linux operating systems D. to improve security mitigating DNS queries hijacking
C
You are configuring IP source guard on a Cisco IOS switch to stop IP spoofing attacks. After you have enabled IP source guard on an interface, the switch blocks all IP traffic received on the interface except specific packets. Which packets are allowed in this situation? A. routing protocol packets B. ARP packets allowed by ARP snooping C. DHCP packets allowed by DHCP snooping D. DNS packets allowed by DNS snooping
B
You are configuring an infrastructure antispoofing ACL on the branch router that connects the branch office to the central location in your company. Which type of filtering should permit the valid IP addresses from the branch office as the source and deny everything else? A. ingress filtering B. egress filtering C. ingress and egress filtering D. routing protocols filtering
B
You are developing a Python script to obtain the configuration from the FMC. Which Python library should you import? A. csv B. json C. ncclient D. xmltodict
D
You are explaining SDN to a young engineer in your company. Which statement regarding northbound APIs is correct? A. Northbound APIs are not used in SDN. B. Northbound APIs are used by the controller to dynamically make changes according to real-time needs, as well as retrieve information for the state of the devices. C. Northbound APIs are used for communication with the applications and services over the network and by the controller to dynamically make changes according to real-time needs. D. Northbound APIs in SDN are used for communication with the applications and services running over the network.
C
You are implementing Control-Plane Policing (CoPP) by using the Modular QoS CLI (MQC) policy. On which device entity do you apply the policy? A. all data interfaces B. all vty lines C. control plane interface D. dedicated management interfaces
CBAD
You are implementing a static VTI point-to-point IPsec IKEv2 VPN. Match the order of the implementation steps with the configuration blocks. 1. Step 1 2. Step 2 3. Step 3 4. Step 4 A. Configure the tunnel (VTI) interface. B. Configure the IPsec transform set and IPsec profile. C. Configure IKE peering between VPN endpoints. D. Configure static or dynamic routing on the tunnel interface.
D
You are planning to implement IP source guard on a Cisco IOS switch in your company, to all ports on which DHCP snooping is enabled. Which command should you use to enable IP source guard with IP and MAC address verification on the ports? A. ip verify source B. ip verify source IP-MAC C. ip verify MAC-IP port-security D. ip verify source port-security
B
You are planning to implement uRPF as the first line of defense on a Cisco IOS router that connects your company to the internet. Which type of uRPF validates the existence of the source network of the packet in the routing table while providing a method to drop packets from unknown and therefore invalid networks? A. strict uRPF B. loose uRPF C. invalid uRPF D. network uRPF
C
You are responsible for managing many devices and for using the out-of-band (OOB) network for management purposes. Which control feature would you use to protect access to the devices? A. Control Plane Protection B. management interface ACL C. Management Plane Protection D. service-specific ACLs
A
You are using the Microsoft Active Directory domain machine with native supplicant. You want to confirm that the network connectivity is available before a user has initiated a successful login attempt on the machine. Which type of authentication do you use? A. Machine Connection B. User Connection C. End-Device Connection D. Machine and User Connection E. EAP Chaining
C
You configured a site-to-site VPN on your Cisco Firepower NGFW, but the CLI output does not show any IKE SA being established. What would you do as the first troubleshooting step? A. Verify if IPsec proposal matches on both peers. B. Check if interesting traffic is reaching the crypto engine using Packet Capture. C. Check if interesting traffic is reaching the crypto engine using Packet Tracer. D. Check if interesting traffic is reaching the crypto engine by examining connection events.
AB
You configured site-to-site VPNs on your two Cisco ASA appliances. However, the IKE SA is not being established between the peers. Which two options could be the causes? (Choose two.) A. You did not specify the same DH group on both peers. B. You did not specify the same PSK on both peers. C. You did not specify matching transform sets on the peers. D. You did not specify the traffic to be protected by the VPN.
D
You deployed a virtual Cisco Adaptive Security Appliance (ASAv) in a cloud environment, and you are filtering traffic between virtual infrastructure and physical environments. Which use case is being implemented? A. providing IP Security (IPSec) VPN connectivity B. providing SSL VPN connectivity C. securing East-West traffic D. securing North-South traffic
D
You gain access to a system running the Windows Operating System. What output do you get when you execute the quser command? A. current users' account and domain information B. processes running on the system C. services running on the system D. a list of users
A
You must scan your retina to access your company's data center. Which category of access check is in place? A. what you are B. what you have C. what you know D. who you know
AD
You plan to automate operations on the Cisco devices in your company's network infrastructure using scripting for network tasks. Which two options are on-box automation and scripting mechanisms that are pre-built into the NOS of various Cisco platforms? (Choose two.) A. Tcl B. RESTCONF C. NETCONF D. Python E. DevOps tools
D
You plan to use Python scripting to interact with the Cisco FMC REST API, so you can perform network automation tasks. Which statement regarding the authentication method in the script is correct? A. You do not have to specify any authentication parameters, because the Cisco FMC REST API does not require authentication. B. You have to specify only the password, which is further constantly used during the communication. C. You have to specify only username and password, which are further constantly used during the communication. D. You have to specify the username and password and code for generation of the authentication token, which is further used during the communication.
CD
Your company plans to use Cisco CSR 1000V while integrating Amazon Web Services cloud with its network. Because Cisco CSR 1000V is based on Cisco IOS XE Software, which two programmatic APIs can you use for network automation? (Choose two.) A. SSH B. gRPC C. NETCONF D. RESTCONF E. NX-API REST
D
Refer to the figure. What do the x-axis and y-axis of the graph represent in the AMP for Endpoints dashboard? A. x = size, y = files B. x = size, y = processes C. x = time, y = files D. x = time, y = processes
D
Which Layer 2 security algorithm must be chosen when you are configuring an 802.1X enabled SSID on a Cisco Wireless LAN Controller (WLC)? A. 802.1X B. None C. Static WEP D. WPA + WPA2
A
Which NAT configuration type would you use to implement NAT exemption on Cisco Firepower NGFW? A. Manual NAT B. Auto NAT C. Static NAT D. Port forwarding
C
Which NAT type would you use in a Cisco Firepower device to translate both source and destination IP addresses at the same time? A. Auto B. Inside C. Manual D. Outside
C
Which NGFW feature supports inspection of SSL-based traffic? A. user or user group policies B. intelligent security automation, correlating different event data and payloads C. SSL/TLS traffic flow analysis D. ESP packet payload enforcement policies E. malware protection
B
Which RADIUS Change of Authorization (CoA) message is used by the network device to let the RADIUS server know that the CoA was not successful? A. CoA-ACK B. CoA-NAK C. Disconnect-ACK D. Disconnect-NAK
B
Which RADIUS packet type is returned from the RADIUS server to the client to request additional information from the user trying to connect to the network? A. Access-Accept B. Access-Challenge C. Access-Reject D. Access-Request
A
Which Stealthwatch Cloud observation is triggered if an HTTP session happens over TCP port 179? A. Bad Protocol B. Bad HTTP C. Bad IP D. Bad Port
D
Which Stealthwatch function ties two unidirectional flows together? A. Flow Deduplication B. Flow Query C. NAT Stitching D. Flow Stitching
C
Which Stealthwatch index tracks the hosts performing suspicious activities that indicate the network could be under some form of attack? A. Target Index B. File Sharing Index C. Concern Index D. Host Index
B
Which TCP flag is used to initiate a graceful termination of a TCP connection? A. RST B. FIN C. ACK D. SYN E. URG F. PSH
D
Which TCP/IP application protocol can be used in an amplification attack by exploiting the protocol weakness in recursive lookup? A. HTTPS B. LDAP C. HTTP D. DNS E. SMTP
C
Which VPN deployment mode provides secure communications for remote users to networks and applications? A. Site-to-site VPN B. Remote VPN C. Remote-Access VPN D. MPLS VPN
C
Which policy could be used to improve performance by early blocking or fastpathing traffic based on Layer 3/Layer 4 conditions? A. Identity policy B. NAT policy C. Prefilter policy D. IPS policy
AD
Which technique would an attacker use to have a client send packets to the wrong gateway? (Choose two.) A. ICMP Redirects B. Reflection C. DNS spoofing D. ARP poisoning E. DHCP amplification
D
Which telemetry sources are supported by the Stealthwatch Cloud Private Network Monitoring appliance? A. NetFlow only B. Copy of the traffic via SPAN port only C. IPFIX only D. NetFlow, IPFIX, and copy of the traffic via SPAN port
E
Which module in the modular design approach glues all other modules together? A. Enterprise campus B. Data center C. Enterprise Internet Edge D. Enterprise WAN Edge E. Enterprise core
C
Which name is used for the ASA engine in Cisco Firepower? A. ASA B. FMC C. LINA D. TID
C
Which option is an attack in which the session established by the client to the server is taken over by a malicious person or process? A. Password attack B. Spoofing/masquerading attack C. Session hijacking D. Malware
A
Which option is an example of a Layer 3 data plane security control? A. ACLs B. DHCP snooping C. Dynamic ARP Inspection D. port security E. root guard
B
Which protocol can be used to send information to a SIEM server? A. NTP B. NetFlow C. SMTP D. HTTPS
ACD
Which three options state the key email security features of Cisco ESA? (Choose three.) A. threat defense B. AVC C. data security D. manageability E. DCA
B
You wish to deploy a Cisco CSR1000v router in VMware vSphere and run both a zone-based firewall (ZBFW) and Virtual Extensible LAN (VXLAN) at the same time. Which technology package (license) is required? A. AppX B. AX C. IP Base D. Security
ACE
Which three actions can be applied on Cisco ASA to the traffic class in a Layer 5-7 policy map? (Choose three.) A. drop connection B. inspect connection C. reset connection D. redirect connection E. log connection
ACE
Which three actions can be applied on the messages before they are released due to overflow? (Choose three.) A. Add X-Header B. Release C. Strip attachment D. Delete E. Modify subject
BCE
Which three options are available topology types when you configure IPsec VPN using Cisco FMC? (Choose three.) A. site-to-site B. hub and spoke C. point-to-point D. partial mesh E. full mesh F. star
B
Cognitive Analytics receives web proxy log and NetFlow information from which Cisco Stealthwatch device? A. Stealthwatch Management Console B. Flow Collector C. UDP Director D. Flow Sensor
A
A Layer 2 redirect or a spoofing attack can be referred to as which type of attack? A. MAC address spoofing B. IP address spoofing C. application or service spoofing D. land attack
D
A company decides to protect their organization by purchasing insurance to refund possible losses in case of a user data breach. Which risk countermeasure is the company adopting? A. avoidance B. reduction C. retention D. sharing
C
A company hosts highly sensitive data and has security guards employed and surveillance cameras installed for physical security. For network security, they use firewalls with Intrusion Prevention Systems (IPSs). Which safeguard categories does the company employ? A. detective and recovery B. preventive and corrective C. preventive and detective D. recovery and deterrent
A
According to Cisco SAFE design guidelines, which device would you install between two Points of Interest? A. firewall B. load balancer C. router D. switch
D
An attacker discovers a vulnerable website and infects the web server in such a way that a malicious JavaScript script is installed on the website. Which attack was utilized? A. Cross-Site Request Forgery B. Reflected Cross Site Scripting C. SQL Injection D. Stored Cross-Site Scripting
D
An attacker is sending a large amount of spoofed TCP segments. The attack is trying to start the TCP three-way handshake but is not finishing it. Which type of attack is being performed? A. TCP amplification attack B. TCP reset attack C. TCP session hijacking D. TCP SYN flooding
A
An attacker used social engineering to gain administrative access to a router, then altered the router image. How can an analyst detect that the router's image has been altered? A. By verifying the router's image digital signature hash. B. By verifying the router's running configurations. C. By verifying the router's image creation date. D. By verifying the router's image version.
C
An end user's host becomes infected with a virus because the end user browsed to a malicious website. Which endpoint security technology can be used to best prevent such an incident? A. personal firewall B. personal antivirus C. endpoint malware protection D. file sandboxing E. file integrity checks
D
At which layer of the OSI model is the most effective VPN technology applied? A. physical layer B. presentation layer C. session layer D. network layer E. transport layer
B
By default, without any ACLs configured, what traffic is permitted through the Cisco ASA appliance? A. all inbound connections from hosts on the lower-security-level interfaces to hosts on the higher-security-level interfaces B. all outbound connections from hosts on the higher-security-level interfaces to hosts on the lower-security-level interfaces C. all connections between interfaces with the same security level D. all connections
D
By what means is retrospective security in AMP for Endpoints provided? A. file trajectory B. inspection engines C. AMP connector D. device trajectory
CE
Cisco ESA can be both a physical and virtual instance. Which two options are hypervisors that are currently supported in a virtual implementation of Cisco ESA? (Choose two.) A. Citrix XenServer B. Oracle VM Server for x86 C. VMware ESXi D. Nutanix Acropolis E. Kernel-based Virtual Machine
C
Cisco AMP for Endpoints is deployed in a corporate network. A security breach is detected involving malware based on a file copying itself on multiple devices. Which feature can be used to learn where and when the malware propagated through the network? A. Device Trajectory B. File Sandboxing C. File Trajectory D. Security Intelligence Feed
D
If a company's servers are hosted in Microsoft Azure, which cloud deployment are they using? A. community B. hybrid C. private D. public
ABDF
Which four options are considered as main protocols of the Internet Protocol suite? (Choose four.) A. UDP B. TCP C. HTTP D. IP E. SSL F. ICMP G. FTP H. Telnet
B
How can an organization protect against a privilege escalation attack? A. Use a common password for multiple accounts so the users do not need to write it down on a sticky note at their desk. B. Exercise a strong password policy that includes the requirement of unique passwords for multiple accounts. C. Assign new passwords to employees every 30 days. D. Use open authentication on wireless and guest networks.
A
How is access to user data authenticated in an OAuth framework? A. Third-party applications provide an authentication frame or codelet from the resource provider and the user authenticates to the resource provider. B. Third-party applications collect login credentials from the user and then use those credentials to access data from the resource provider. C. Resource providers publish access tokens based on global user-defined policies and then third-party applications apply user-provided credentials to access the tokens. D. Users establish an online token repository and publish access tokens to the repository for their resource providers. Third-party applications claim the tokens and use those tokens to authenticate to the resource provider.
A
How is malware that is not on the allowed list able to execute? A. by executing it in memory and injecting malicious code into a legitimate process that is currently running B. by changing the registry setting C. by packing (encrypting or compressing) the file D. by executing it using the safe mode
DE
Which two attacks can be caused by a rogue DHCP server? (Choose two.) A. Trojan virus B. Compromised-Key C. TCP SYN flood D. DoS E. MITM
CDBA
Match each AMP engine below with its capability. 1. Fingerprint-based, or signature, recognition 2. Machine learning 3. Fuzzy fingerprinting 4. Offline antivirus protection A. TETRA B. Ethos C. Hash recognition D. Spero
AECDB
Match each AMP policy component below with its description. 1. Identifies the conviction modes of both file and network convictions 2. Lists of directories, file extensions, or threat names that you do not want the AMP for Endpoints Connector to scan or convict 3. Specify custom files you want to detect or quarantine, or both 4. Specify applications you want to temporarily block 5. Used to define IP addresses for DFC A. Modes and engines B. Network allow or block lists C. Custom detection lists D. Application control lists E. Exclusions
BD
Which two authentication mechanisms can be used with SNMP version 3? (Choose two.) A. AES B. MD5 C. 3DES D. SHA E. DES
CDAEB
Match the action to the stage of the web attack. 1 2 3 4 5 A. The exploit kit sends a request to the exploit kit server to get the exploit code that compromises the vulnerable software on the victim's machine. B. Encrypted malware is decrypted and executed on the victim's machine. C. The victim visits a compromised web site, which redirects the victim to a site with malicious code. D. An exploit kit is "drive-by" downloaded. E. Malicious code connects the victim's machine to the malware download server to retrieve the payload.
ABDC
Match the basic security terms with the correct characteristic. 1. asset 2. countermeasure 3. threat 4. vulnerability A. anything in the network B. required to mitigate risk C. something found in protocols D. exploited by a threat vector
C
Networks and computer systems employ defense-in-depth strategies to prevent a compromise. Which option best describes defense-in-depth strategies? A. They provide end-to-end security controls and mechanisms. B. They provide attackers the ability to understand which types of security controls are in place. C. They apply a layered approach to a set of systems or networks, by employing multiple security controls. D. They eliminate single points of failure.
BC
On the Cisco ASA appliance, which of the following are two valid options for users to select a connection profile? (Choose two.) A. Select a connection profile from a drop-down menu after authentication. B. Select a connection profile from a drop-down menu before authentication, but after connecting to the VPN headend. C. Enter the connection profile alias as part of the URL inside Cisco AnyConnect Secure Mobility Client. D. Enter the connection profile alias as part of the username inside Cisco AnyConnect Secure Mobility Client. E. Select a connection profile from a drop-down menu before connecting to the VPN headend. F. Enter the connection profile alias as part of the domain name inside Cisco AnyConnect Secure Mobility Client.
C
On which basis does Cisco Umbrella provide protection? A. IP addresses seen inside an HTTP request. B. URL requested inside an HTTP request. C. domain name requested inside a DNS request. D. IP addresses, ports, and protocols seen inside IP traffic.
BCAD
Place the AAA process in the correct order. 1. Step One 2. Step Two 3. Step Three 4. Step Four A. The device passes the username and password to the AAA server. B. The user establishes a connection with the networking device. C. The networking device prompts the user for a username and password. D. The AAA server authenticates the user.
C
Refer to the exhibit. DTLS use was successfully negotiated. Which port or protocol must be permitted on the firewall to allow for the AnyConnect SSL VPN? A. ESP B. TCP 442 C. UDP 443 D. UDP 500
ACD
Risk is a function of which three factors? (Choose three.) A. threat B. cost of security solution C. vulnerabilities D. impact E. deployment time F. support costs
B
Routing processes run in which network device plane? A. data plane B. control plane C. management plane D. forwarding plane
E
Stealthwatch alarms are generated based on which type of events that have occurred? A. Flow Events B. Connection Events C. Intrusion Events D. Malware Events E. Security Events
A
The scope metric is part of which CVSS v3.0 metrics group? A. base B. temporal C. environmental D. maturity
BDCFEA
The structure of an APT attack does not follow a blueprint, but there is a common methodology to the attack. Put the following attack steps in the correct order. A. Mission completion B. Initial compromise C. Internal reconnaissance D. Escalation of privileges E. The end goal of the attacker, which may be, for example, to exfiltrate sensitive data F. Lateral propagation, compromising other systems on track towards the goal
A
This RADIUS packet type usually includes a username, but it must also include information about the network access server and some form of password. This packet type is always sent to the RADIUS server. Which RADIUS packet type is described? A. Access-Request B. Access-Accept C. Access-Reject D. Access-Challenge
B
This host mode divides the individual switch port into two virtual domains. The authenticator independently and asynchronously authenticates the device in the voice VLAN and the device in the data VLAN. After successful authentication the two devices are given access to their corresponding virtual domains. This is a description of which host mode? A. multihost mode B. multidomain authentication host mode C. single-host mode D. multiauth host mode
D
Which EAP method works only for server authentication? A. EAP-MSCHAPv2 B. EAP-TLS C. EAP-GTC D. PEAP
A
Which process in the Stealthwatch Cloud solution performs dynamic behavior analysis? A. dynamic entity modeling B. Flow Collector C. Observation D. Private Network Monitoring appliance
ABD
Which three options are valid building blocks of the DMVPN solution? (Choose three.) A. NHRP B. GRE C. DVTI D. IPsec E. AES
D
Which type of private VLAN port typically connects to a router or firewall? A. community B. isolated C. primary D. promiscuous
C
You plan to use REST API to manage Cisco FMC in your environment. Because you want to use the API Explorer to familiarize yourself with the API, which URL should you use to access the API Explorer? A. https://<management_center_IP_or_name>/api/api-ex B. https://<management_center_IP_or_name>/api-explorer C. https://<management_center_IP_or_name>/api/api-explorer D. https://<API_expolorer_server_IP_or_name>/api/api-ex
BDE
You plan to use network automation for various common tasks in your environment. Which three actions represent typical common tasks that network programmability techniques can perform? (Choose three.) A. device procurement B. compliance checks C. WAN optimization D. device provisioning E. data collection and telemetry F. LAN optimization
EF
You want to leverage the Cisco FMC Legacy API Explorer to export a chosen action in scripting language. Into which two types of scripts can you export? (Choose two.) A. C# B. Java C. PHP D. Ruby E. Perl F. Python
B
You wish to use a Cisco Firepower system to collect detailed information about hosts in the network—such as operating systems, vulnerabilities, and running protocols. Which action should you perform to collect the information? A. Enable NetFlow collection on Cisco Firepower Management Center B. enable the Network Discovery feature C. enable SXP D. install a special client on the target systems
B
Your company uses a single router to connect to the internet, and you plan to configure infrastructure antispoofing ACLs on this router. Which type of filtering prevents external networks from sending spoofed traffic into your company network? A. router filtering B. ingress filtering C. egress filtering D. ingress and egress filtering