Cyber OPS exam study guide
An administrator wants to create four subnetworks from the network address 192.168.1.0/24. What is the network address and subnet mask of the second useable subnet?
subnetwork 192.168.1.64 subnet mask 255.255.255.192
Which tool captures full data packets with a command-line interface only?
tcpdump
Which metric in the CVSS Base Metric Group is used with an attack vector?
the proximity of the threat actor to the vulnerability
What is the purpose of Tor?
to allow users to browse the Internet anonymously
What are three goals of a port scan attack? (Choose three.)
to determine potential vulnerabilities to identify operating systems to identify active services
Which protocol or service uses UDP for a client-to-server communication and TCP for server-to-server communication?
DNS
Which core open source component of the Elastic-stack is responsible for accepting the data in its native format and making elements of the data consistent across all sources?
Elasticsearch
What is a property of the ARP table on a device?
Entries in an ARP table are time-stamped and are purged after the timeout expires.
What is one difference between the client-server and peer-to-peer network models?
Every device in a peer-to-peer network can function as a client or a server.
What information is required for a WHOIS query?
FQDN of the domain
For what purpose would a network administrator use the Nmap tool?
For what purpose would a network administrator use the Nmap tool?
An IT enterprise is recommending the use of PKI applications to securely exchange information between the employees. In which two cases might an organization use PKI applications to securely exchange information between users
HTTPS web service 802.1x authentication
Which two types of unreadable network traffic could be eliminated from data collected by NSM?
IPsec traffic SSL traffic
What are two features of ARP?
If a host is ready to send a packet to a local destination device and it has the IP address but not the MAC address of the destination, it generates an ARP broadcast. If a device receiving an ARP request has the destination IPv4 address, it responds with an ARP reply.
Which two statements describe the use of asymmetric algorithms? (Choose two.)
If a public key is used to encrypt the data, a private key must be used to decrypt the data. If a private key is used to encrypt the data, a public key must be used to decrypt the data.
Which two network protocols can be used by a threat actor to exfiltrate data in traffic that is disguised as normal network traffic? (Choose two.)
DNS HTTP
In the NIST incident response process life cycle, which type of attack vector involves the use of brute force against devices, networks, or services?
attrition
Match the attack tools with the description.
* Nmap - network scanning tool used to probe network devices for open tcp/udp ports * Yesenia - A packet crafting tool used to probe and test firewalls *RaninbowCrack - used for password cracking
Match the security policy with the description.
*Acceptable use policy(AUP) - identifies network applications and uses that are acceptable to the organization *Identification and authentication Policy - specifies authorized persons that can have access to network resources and identity verification procedures *Network Maintenance Policy - specifies network device operating systems and end user application update procedures. *Network Access Policy - identifies how remote users can access a network and what is accessible via remote connectivity
In a Linux operating system, which component interprets user commands and attempts to execute them?
shell
Match the Security Onion tool with the description.
*Snort - network based intrusion detection system *Wireshark- packet capture *OSSEC - HIDS *Sguil-high level cybersecurity analysis console
Match the server profile element to the description.
*User Accounts - the parameters defining user access and behavior *listening port - the TCP and UDP daemons and ports that are allowed to be open on the server *Software environment - the tasks, processes, and applications, that are permitted to run on the server *service accounts - the definitions of the type of service that an application is allowed to run on a given host
Which three IPv4 header fields have no equivalent in an IPv6 header? (Choose three.)
*fragment offset *flag *identification
If a SOC has a goal of 99.999% uptime, how many minutes of downtime a year would be considered within its goal?
Approximately 5 minutes per year. (525,000 minutes a year * (1-.99999) = 5.256)
What part of the URL, http://www.cisco.com/index.html, represents the top-level DNS domain?
.com
A device has been assigned the IPv6 address of 2001:0db8:cafe:4500:1000:00d8:0058:00ab/64. Which is the network identifier of the device?
2001:0db8:cafe:4500 the first 64 bits(16 bytes) represent the network portion, whereas the last 64 bits represent the host portion of the IPv6 address.
Which two statements are characteristics of a virus?
A virus typically requires end-user activation. A virus can be dormant and then activate at a specific time or date.
What are two uses of an access control list? (Choose two.)
ACLs provide a basic level of security for network access. ACLs can control which areas a host can access on a network.
A newly created company has fifteen Windows 10 computers that need to be installed before the company can open for business. What is a best practice that the technician should implement when configuring the Windows Firewall?
After implementing third party security software for the company, the technician should verify that the Windows Firewall is disabled.
Which tool included in the Security Onion is a series of software plugins that send different types of data to the Elasticsearch data stores?
Beats
What are two methods to maintain certificate revocation status? (Choose two.)
CRL OCSP
Which tool is a web application that provides the cybersecurity analyst an easy-to-read means of viewing an entire Layer 4 session?
CapME
A cybersecurity analyst needs to collect alert data. What are three detection tools to perform this task in the Security Onion architecture? (Choose three.)
CapME Wazuh Zeek
Which device supports the use of SPAN to enable monitoring of malicious activity?
Cisco Catalyst switch
What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?
DHCP starvation
What is a characteristic of CybOX?
It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations.
What are three characteristics of an information security management system? (Choose three.)
It is a systematic and multilayered approach to cybersecurity. It consists of a set of practices that are systematically applied to ensure continuous improvement in information security. It consists of a management framework through which an organization identifies, analyzes, and addresses information security risks.
A client is using SLAAC to obtain an IPv6 address for the interface. After an address has been generated and applied to the interface, what must the client do before it can begin to use this IPv6 address?
It must send an ICMPv6 Neighbor Solicitation message to ensure that the address is not already in use on the network.
What is a characteristic of a Trojan horse as it relates to network security?
Malware is contained in a seemingly legitimate executable program.
What is an advantage for small organizations of adopting IMAP instead of POP?
Messages are kept in the mail servers until they are manually deleted from the email client.
What is a key difference between the data captured by NetFlow and data captured by Wireshark?
NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.
When a security attack has occurred, which two approaches should security professionals take to mitigate a compromised system during the Actions on Objectives step as defined by the Cyber Kill Chain model? (Choose two.)
Perform forensic analysis of endpoints for rapid triage. Detect data exfiltration, lateral movement, and unauthorized credential usage.
Which measure can a security analyst take to perform effective security monitoring against network traffic encrypted by SSL technology?
Require remote access connections through IPsec VPN
An administrator is trying to develop a BYOD security policy for employees that are bringing a wide range of devices to connect to the company network. Which three objectives must the BYOD security policy address? (Choose three.)
Rights and activities permitted on the corporate network must be defined. Safeguards must be put in place for any personal device being compromised. The level of access of employees when connecting to the corporate network must be defined.
Match the monitoring tool to the definition.
SEIM - presents real-time reporting and long term analysis of security events Netflow - provides statistics on packets flowing through a cisco router or a multilayer switch WireShark - pcap files SNMP- retrieves information on the operation of network devices
What type of attack targets an SQL database using the input field of a user?
SQL injection
Which statement defines the difference between session data and transaction data in logs?
Session data records a conversation between hosts, whereas transaction data focuses on the result of network sessions.
A cybersecurity analyst is viewing packets forwarded by switch S2. What addresses will identify frames containing data sent from PCA to PCB?
Src IP: 192.168.1.212Src MAC: 00-60-0F-B1-33-33Dst IP: 192.168.2.101Dst MAC: 00-D0-D3-BE-00-00
Which consideration is important when implementing syslog in a network?
Synchronize clocks on all network devices with a protocol such as Network Time Protocol.
A technician notices that an application is not responding to commands and that the computer seems to respond slowly when applications are opened. What is the best administrative tool to force the release of system resources from the unresponsive application?
Task Manager
A user calls to report that a PC cannot access the internet. The network technician asks the user to issue the command ping 127.0.0.1 in a command prompt window. The user reports that the result is four positive replies. What conclusion can be drawn based on this connectivity test?
The TCP/IP implementation is functional.
What two assurances does digital signing provide about code that is downloaded from the Internet?
The code has not been modified since it left the software publisher The code is authentic and is actually sourced by the publisher.
What are two characteristics of the SLAAC method for IPv6 address configuration? (Choose two.)
The default gateway of an IPv6 client on a LAN will be the link-local address of the router interface attached to the LAN. IPv6 addressing is dynamically assigned to clients through the use of ICMPv6.
The HTTP server has responded to a client request with a 200 status code. What does this status code indicate?
The request was completed successfully.
What characterizes a threat actor?
They always try to cause some harm to an individual or organization.
What are two characteristics of Ethernet MAC addresses? (Choose two.)
They are expressed as 12 hexadecimal digits. They are globally unique.
Which two statements describe the characteristics of symmetric algorithms? (Choose two.)
They are referred to as a pre-shared key or secret key. They are commonly used with VPN traffic.
What are the two ways threat actors use NTP? (Choose two.)
They attack the NTP infrastructure in order to corrupt the information used to log the attack. Threat actors use NTP systems to direct DDoS attacks.
What is a purpose of implementing VLANs on a network?
They can separate user traffic.
What is privilege escalation?
Vulnerabilities in systems are exploited to grant higher levels of privilege than someone or some process should have.
What debugging security tool can be used by black hats to reverse engineer binary files when writing exploits
WinDbg
What are two drawbacks to using HIPS? (Choose two.)
With HIPS, the network administrator must verify support for all the different operating systems used inthe network. HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network.
What solution can provide a VPN between site A and site B to support encapsulation of any Layer 3 protocol between the internal networks at each site?
a GRE tunnel
what is network tap?
a passive device that forwards all traffic and physical layer errors to an analysis device
A computer is presenting a user with a screen requesting payment before the user data is allowed to be accessed by the same user. What type of malware is this?
a type of ransomware
Which two techniques are used in a smurf attack? (Choose two.)
amplification reflection
What are two types of attacks used on DNS open resolvers? (Choose two.)
amplification and reflection resource utilization
If Host1 were to transfer a file to the server, what layers of the TCP/IP model would be used?
application, transport, Internet, and network access layers
A company has a file server that shares a folder named Public. The network security policy specifies that the Public folder is assigned Read-Only rights to anyone who can log into the server while the Edit rights are assigned only to the network admin group. Which component is addressed in the AAA network service framework?
authorization
What are two ways that ICMP can be a security threat to a company?
by collecting information about a network by providing a conduit for DoS attacks
How can statistical data be used to describe or predict network behavior?
by comparing normal network behavior to current network behavior
Which field in the TCP header indicates the status of the three-way handshake process?
control bits
A person coming to a cafe for the first time wants to gain wireless access to the Internet using a laptop. What is the first step the wireless client will do in order to communicate over the network using a wireless management frame?
discover the AP
When ACLs are configured to block IP address spoofing and DoS flood attacks, which ICMP message should be allowed both inbound and outbound?
echo
Which three technologies should be included in a SOC security information and event management system? (Choose three.)
event collection, correlation, and analysis security monitoring threat intelligence
Which PDU format is used when bits are received from the network medium by the NIC of a host?
frame
Which three security services are provided by digital signatures? (Choose three.)
guarantees data has not changed in transit provides data encryption authenticates the source
A user opens three browsers on the same PC to access www.cisco.com to search for certification course information. The Cisco web server sends a datagram as a reply to the request from one of the web browsers. Which information is used by the TCP/IP protocol stack in the PC to identify which of the three web browsers should receive the reply?
he destination port number
A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication?
single process for authentication and authorization hidden passwords during transmission
Which two net commands are associated with network resource sharing?
net share net use
Which wireless parameter is used by an access point to broadcast frames that include the SSID?
passive mode
Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)
password encryption utilization of transport layer protocols
What technique is used in social engineering attacks?
phishing
What are two evasion techniques that are used by hackers? (Choose two.)
pivot rootkit
Which term is used for describing automated queries that are useful for adding efficiency to the cyberoperations workflow?
playbook
Which NIST Cybersecurity Framework core function is concerned with the development and implementation of safeguards that ensure the delivery of critical infrastructure services?
protect
In network security assessments, which type of test is used to evaluate the risk posed by vulnerabilities to a specific organization including assessment of the likelihood of attacks and the impact of successful exploits on the organization?
risk analysis
The IT security personnel of an organization notice that the web server deployed in the DMZ is frequently targeted by threat actors. The decision is made to implement a patch management system to manage the server. Which risk management strategy method is being used to respond to the identified risk?
risk reduction
In addressing an identified risk, which strategy aims to shift some of the risk to other parties?
risk sharing
An employee connects wirelessly to the company network using a cell phone. The employee then configures the cell phone to act as a wireless access point that will allow new employees to connect to the company network. Which type of security threat best describes this situation?
rogue access point
What term describes a set of software tools designed to increase the privileges of a user or to grant access to the user to portions of the operating system that should not normally be allowed?
rootkit
Which ICMPv6 message type provides network addressing information to hosts that use SLAAC?
router advertisement
What is the primary objective of a threat intelligence platform (TIP)?
to provide a security operations platform that integrates and enhances diverse security tools and threat intelligence
What are three functions provided by the syslog service? (Choose three.)
to select the type of logging information that is captured to gather logging information for monitoring and troubleshooting to specify the destinations of captured messages
A help desk technician notices an increased number of calls relating to the performance of computers located at the manufacturing plant. The technician believes that botnets are causing the issue. What are two purposes of botnets? (Choose two.)
to transmit viruses or spam to computers on the same network to attack other computers
A technician is troubleshooting a network connectivity problem. Pings to the local wireless router are successful but pings to a server on the Internet are unsuccessful. Which CLI command could assist the technician to find the location of the networking problem?
tracert
Which method can be used to harden a device?
use SSH and disable the root account access over SSH
Which two data types would be classified as personally identifiable information (PII)? (Choose two.)
vehicle identification number Facebook photographs
What are two scenarios where probabilistic security analysis is best suited? (Choose two.)
when analyzing events with the assumption that they follow predefined steps when analyzing applications designed to circumvent firewalls
A user is executing a tracert to a remote device. At what point would a router, which is in the path to the destination device, stop forwarding the packet?
when the value in the TTL field reaches zero