CCNA Cybersecurity Operations ( Version 1.1) - Cybersecurity Operations 1.1 Final Exam
What are two advantages of using the community VERIS database? (Choose two.) The database is sponsored and backed by governments. The data sets are compact for easy download. The access fee is minimal. The data is open and free to the public. Data is in a format that allows for manipulation. Navigation Bar
The data is open and free to the public. Data is in a format that allows for manipulation.
Which type of data would be considered an example of volatile data? log files temp files web browser cache memory registers
memory registers
Document incident handling.
post-incident activities
normal traffic is not identified as a threa
true negative
a list of TCP or UDP processes that are available to accept data
Ports Used
uses UDP port 514 for logging event messages from network devices and endpoints
Syslog
What two assurances does digital signing provide about code that is downloaded from the Internet? (Choose two.) The code is authentic and is actually sourced by the publisher. The code contains no viruses. The code has not been modified since it left the software publisher. The code contains no errors. The code was encrypted with both a private and public key.
The code is authentic and is actually sourced by the publisher. The code has not been modified since it left the software publisher.
the time between the establishment of a data flow and its termination
Time Between
Which two statements describe access attacks? (Choose two.) To detect listening services, port scanning attacks scan a range of TCP or UDP port numbers on a host. Trust exploitation attacks often involve the use of a laptop to act as a rogue access point to capture and copy all network traffic in a public location, such as a wireless hotspot. Port redirection attacks use a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN. Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or to exploit systems to execute malicious code. Password attacks can be implemented by the use of brute-force attack methods, Trojan horses, or packet sniffers.
Trust exploitation attacks often involve the use of a laptop to act as a rogue access point to capture and copy all network traffic in a public location, such as a wireless hotspot.
Authorized users must have uninterrupted access to important resources and data.
availability
Only authorized individuals, entities, or processes can access sensitive information.
confidentiality
Implement procedures to contain the threat
containment, eradication and recovery
the IP addresses or the logical location of essential systems or data
critical asset address space
Identify, analyze, and validate an incident.
detection analysis
the amount of data passing from a given source to a given destination in a given period of time
total through put
In which situation is an asymmetric key algorithm used? An office manager encrypts confidential files before saving them to a removable device. Two Cisco routers authenticate each other with CHAP. User data is transmitted across the network after a VPN is established. A network administrator connects to a Cisco router with SSH.
A network administrator connects to a Cisco router with SSH.
uses a hierarchy of authoritative time sources to send time information between devices on the network
NTP
How do cybercriminals make use of a malicious iFrame? The iFrame allows the browser to load a web page from another source. The attacker redirects traffic to an incorrect DNS server. The iFrame allows multiple DNS subdomains to be used. The attacker embeds malicious content in business appropriate files.
The iFrame allows the browser to load a web page from another source.
Which type of security threat would be responsible if a spreadsheet add-on disables the local software firewall? DoS brute-force attack buffer overflow Trojan horse
Trojan horse
What commonly motivates cybercriminals to attack networks as compared to hactivists or state-sponsored hackers? financial gain fame seeking political reasons status among peers
financial gain
Which device in a layered defense-in-depth approach denies connections initiated from untrusted networks to internal networks, but allows internal users within an organization to connect to untrusted networks? firewall internal router access layer switch IPS
firewall
Data is protected from unauthorized alteration.
intergrity
malicious traffic is correctly identified as a threat
true positive
used by attackers to identify hosts on a network and the structure of the network
ICMP
A company implements a security policy that ensures that a file sent from the headquarters office to the branch office can only be opened with a predetermined code. This code is changed every day. Which two algorithms can be used to achieve this task? (Choose two.) MD5 3DES SHA-1 AES HMAC
3DES AES
Which two statements are characteristics of a virus? (Choose two.) A virus typically requires end-user activation. A virus can be dormant and then activate at a specific time or date. A virus has an enabling vulnerability, a propagation mechanism, and a payload. A virus replicates itself by independently exploiting vulnerabilities in networks. A virus provides the attacker with sensitive data, such as passwords.
A virus typically requires end-user activation. A virus can be dormant and then activate at a specific time or date.
Refer to the exhibit. If host A sends an IP packet to host B, what will the destination address be in the frame when it leaves host A? AA:AA:AA:AA:AA:AA 172.168.10.65 172.168.10.99 BB:BB:BB:BB:BB:BB DD:DD:DD:DD:DD:DD CC:CC:CC:CC:CC:CC
BB:BB:BB:BB:BB:BB
What is the responsibility of the human resources department when handling a security incident? Coordinate the incident response with other stakeholders and minimize the damage of the incident. Perform actions to minimize the effectiveness of the attack and preserve evidence. Apply disciplinary measures if an incident is caused by an employee. Review the incident policies, plans, and procedures for local or federal guideline violations. Navigation Bar
Coordinate the incident response with other stakeholders and minimize the damage of the incident.
Which protocol translates a website name such as www.cisco.com into a network address? DNS HTTP DHCP FTP
DNS
uses application protocols that are commonly responsible for bringing malware to a host
DNS
Which two roles are typically performed by a wireless router that is used in a home or small business? (Choose two.) Ethernet switch RADIUS authentication server access point WLAN controller repeater
Ethernet switch access point
Which metric class in the CVSS Basic Metric Group identifies the impacts on confidentiality, integrity, and availability? Impact Modified Base Exploit Code Maturity Exploitability
Exploitability
Refer to the exhibit. A network administrator is showing a junior network engineer some output on the server. Which service would have to be enabled on the server to receive such output? debug SNMP ICMP AAA
ICMP
Why would a network administrator choose Linux as an operating system in the Security Operations Center (SOC)? It can be acquired at no charge. More network applications are created for this environment. The administrator has control over specific security functions, but not standard applications. It is easier to use than other server operating systems. Navigation Bar
It can be acquired at no charge.
Which statement describes the policy-based intrusion detection approach? It compares the behaviors of a host to an established baseline to identify potential intrusion. It compares the antimalware definitions to a central repository for the latest updates. It compares the operations of a host against well-defined security rules. It compares the signatures of incoming traffic to a known intrusion database.
It compares the operations of a host against well-defined security rules.
How is a source IP address used in a standard ACL? It is the criterion that is used to filter traffic. It is used to determine the default gateway of the router that has the ACL applied. It is the address to be used by a router to determine the best path to forward packets. It is the address that is unknown, so the ACL must be placed on the interface closest to the source address.
It is used to determine the default gateway of the router that has the ACL applied.
Why is Diffie-Hellman algorithm typically avoided for encrypting data? The large numbers used by DH make it too slow for bulk data transfers. Most data traffic is encrypted using asymmetrical algorithms. DH requires a shared key which is easily exchanged between sender and receiver. DH runs too quickly to be implemented with a high level of security.
Most data traffic is encrypted using asymmetrical algorithms.
What are two advantages of the NTFS file system compared with FAT32? (Choose two.) NTFS provides more security features. NTFS allows faster formatting of drives. NTFS supports larger partitions. NTFS is easier to configure. NTFS allows faster access to external peripherals such as a USB drive. NTFS allows the automatic detection of bad sectors.
NTFS provides more security features. NTFS supports larger partitions.
What is indicated by a true negative security alert classification? An alert is incorrectly issued and does not indicate an actual security incident. An alert is verified to be an actual security incident. Exploits are not being detected by the security systems that are in place. Normal traffic is correctly ignored and erroneous alerts are not being issued
Normal traffic is correctly ignored and erroneous alerts are not being issued
Refer to the exhibit. Which access list configuration on router R1 will prevent traffic from the 192.168.2.0 LAN from reaching the Restricted LAN while permitting traffic from any other LAN? R1(config-std-nacl)# permit any R1(config-std-nacl)# deny 192.168.3.0 R1(config)# interface G0/2 R1(config-if)# ip access-group BLOCK-LAN2 in R1(config-std-nacl)# deny 192.168.3.0 R1(config-std-nacl)# permit any R1(config)# interface G0/2 R1(config-if)# ip access-group BLOCK_LAN2 in R1(config-std-nacl)# permit any R1(config-std-nacl)# deny 192.168.2.0 R1(config)# interface G0/2 R1(config-if)# ip access-group BLOCK_LAN2 out R1(config-std-nacl)# deny 192.168.2.0 R1(config-std-nacl)# permit any R1(config)# interface G0/2 R1(config-if)# ip access-group BLOCK_LAN2 out
R1(config-std-nacl)# permit any R1(config-std-nacl)# deny 192.168.2.0 R1(config)# interface G0/2 R1(config-if)# ip access-group BLOCK_LAN2 out
How might DNS be used by a threat actor to create mayhem? Collect personal information and encode the data in outgoing DNS queries. Surveil or deny service from outside the corporate network. Intercept and decrypt network traffic. Change the timestamp on network messages in order to conceal the cyberattack.
Surveil or deny service from outside the corporate network.
What is a difference between symmetric and asymmetric encryption algorithms? Symmetric encryption algorithms are used to encrypt data. Asymmetric encryption algorithms are used to decrypt data. Symmetric encryption algorithms use pre-shared keys. Asymmetric encryption algorithms use different keys to encrypt and decrypt data. Symmetric encryption algorithms are used to authenticate secure communications. Asymmetric encryption algorithms are used to repudiate messages. Symmetric algorithms are typically hundreds to thousands of times slower than asymmetric algorithms.
Symmetric encryption algorithms use pre-shared keys. Asymmetric encryption algorithms use different keys to encrypt and decrypt data.
A technician notices that an application is not responding to commands and that the computer seems to respond slowly when applications are opened. What is the best administrative tool to force the release of system resources from the unresponsive application? Event Viewer Task Manager System Restore Add or Remove Programs
Task Manager
Which statement identifies an important difference between the TACACS+ and RADIUS protocols? The RADIUS protocol encrypts the entire packet transmission. RADIUS can cause delays by establishing a new TCP session for each authorization request. TACACS+ provides extensive accounting capabilities when compared to RADIUS. The TACACS+ protocol allows for separation of authentication from authorization
The TACACS+ protocol allows for separation of authentication from authorization
In a networking class, the instructor tells the students to ping the other computers in the classroom from the command prompt. Why do all pings in the class fail? A virus is on the classroom computers. The Windows firewall is blocking the ping. Port 25 is blocked and preventing the echo request from being transmitted. The computers are on different networks.
The Windows firewall is blocking the ping.
What is the result of using security devices that include HTTPS decryption and inspection services? The devices must have preconfigured usernames and passwords for all users. Monthly service contracts with reputable web filtering sites can be costly. The devices require continuous monitoring and fine tuning. The devices introduce processing delays and privacy issues.
The devices introduce processing delays and privacy issues.
Which scenario is probably the result of activities by a group of hacktivists? The internal emails related to the handling of an environmental disaster by a petroleum company appear on multiple websites. The sales record files of recent years in a large company suddenly cannot be opened and an offer comes forward promising that the data could be restored for a hefty fee. The major power grid in a country is experiencing frequent attacks from another country. The central database of student grades is accessed and a few grades are modified illegally. Navigation Bar
The internal emails related to the handling of an environmental disaster by a petroleum company appear on multiple websites.
Refer to the exhibit. A network administrator is viewing some output on the Netflow collector. What can be determined from the output of the traffic flow shown? This is a TCP DNS request to a DNS server. This is a UDP DNS request to a DNS server. This is a UDP DNS response to a client machine. This is a TCP DNS response to a client machine
This is a TCP DNS request to a DNS server.
What is a network tap? a technology used to provide real-time reporting and long-term analysis of security events a passive device that forwards all traffic and physical layer errors to an analysis device a feature supported on Cisco switches that enables the switch to copy frames and forward them to an analysis device a Cisco technology that provides statistics on packets flowing through a router or multilayer switch
a passive device that forwards all traffic and physical layer errors to an analysis device
A threat actor has gained administrative access to a system and achieved the goal of controlling the system for a future DDoS attack by establishing a communication channel with a CnC owned by the threat actor. Which phase in the Cyber Kill Chain model describes the situation? action on objectives delivery command and control exploitation
action on objectives
Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this? auditing authentication authorization accounting accessibility
authorization
Which technology might increase the security challenge to the implementation of IoT in an enterprise environment? cloud computing data storage CPU processing speed network bandwidth
cloud computing
Which technique is necessary to ensure a private transfer of data using a VPN? scalability virtualization authorization encryption
encryption
normal traffic is incorrectly identified as a threat
false positive
malicious traffic is not identified as a threat
fasle negative
A network security professional has applied for a Tier 2 position in a SOC. What is a typical job function that would be assigned to a new employee? further investigating security incidents serving as the point of contact for a customer hunting for potential security threats and implementing threat detection tools monitoring incoming alerts and verifying that a true security incident has occurred
further investigating security incidents
Which two characteristics describe a worm? (Choose two.) is self-replicating travels to new computers without any intervention or knowledge of the user infects computers by attaching to software code hides in a dormant state until needed by an attacker executes when software is run on a computer
is self-replicating travels to new computers without any intervention or knowledge of the user
What are three responsibilities of the transport layer? (Choose three.) conducting error detection of the contents in frames multiplexing multiple communication streams from many users or applications on the same network directing packets towards the destination network meeting the reliability requirements of applications, if any identifying the applications and services on the client and server that should handle transmitted data formatting data into a compatible form for receipt by the destination devices
multiplexing multiple communication streams from many users or applications on the same network directing packets towards the destination network meeting the reliability requirements of applications, if any
Which two net commands are associated with network resource sharing? (Choose two.) net use net stop net start net accounts net share
net use net share
Conduct CSIRT response training.
preperation
Which three are major categories of elements in a security operations center? (Choose three.) database engine processes Internet connection technologies people data center
processes technologies people
What is a function of SNMP? provides a message format for communication between network device managers and agents provides statistical analysis on packets flowing through a Cisco router or multilayer switch synchronizes the time across all devices on the network captures packets entering and exiting the network interface card
provides a message format for communication between network device managers and agents
Which Linux command could be used to discover the process ID (PID) for a specific process before using the kill command? ps grep ls chkrootkit
ps
Based on the command output shown, which file permission or permissions have been assigned to the other user group for the data.txt file? ls -l data.txt -rwxrw-r-- sales staff 1028 May 28 15:50 data.txt read, write, execute read, write full access read
read
According to NIST, which step in the digital forensics process involves preparing and presenting information that resulted from scrutinizing data? reporting collection examination analysis
reporting
What are two evasion techniques that are used by hackers? (Choose two.) phishing pivot reconnaissance Trojan horse rootkit
rootkit pivot
Refer to the exhibit. A cybersecurity analyst is viewing captured packets forwarded on switch S1. Which device has the MAC address d8:cb:8a:5c:d5:8a? router ISP web server PC-A DNS server router DG
router DG
Which Windows Event Viewer log includes events regarding the operation of drivers, processes, and hardware? security logs system logs setup logs application logs
system logs
Refer to the exhibit. A network security specialist issues the command tcpdump to capture events. What does the number 6337 indicate? the port that tcpdump is listening to the process id of the tcpdump command the number of transactions currently captured the Snort signature id that tcpdump will watch and capture
the number of transactions currently captured
Why would threat actors prefer to use a zero-day attack in the Cyber Kill Chain weaponization phase? to gain faster delivery of the attack on the target to avoid detection by the target to launch a DoS attack toward the target to get a free malware package
to avoid detection by the target
Which two services are provided by the NetFlow tool? (Choose two.) access list monitoring log analysis QoS configuration usage-based network billing network monitoring
usage-based network billing network monitoring
Which method can be used to harden a device? allow USB auto-detection maintain use of the same passwords use SSH and disable the root account access over SSH allow default services to remain enabled
use SSH and disable the root account access over SSH
Which three technologies should be included in a security information and event management system in a SOC? (Choose three.) vulnerability tracking firewall appliance VPN connection threat intelligence intrusion prevention security monitoring
vulnerability tracking intrusion prevention security monitoring
As described by the SANS Institute, which attack surface includes the use of social engineering? network attack surface human attack surface Internet attack surface software attack surface
human attack surface