Cyberops Final


What are two uses of an access control list? (Choose two.)
- ACLs provide a basic level of security for network access.
- ACLs can control which areas a host can access on a network.
- Standard ACLs can restrict access to specific applications and ports.
- ACLs assist the router in determining the best path to a destination.
- ACLs can permit or deny traffic based upon the MAC address originating on the router.

- ACLs provide a basic level of security for network access.
- ACLs can control which areas a host can access on a network.

What are two methods to maintain certificate revocation status? (Choose two.)
- CRL
- DNS
- subordinate CA
- OCSP
- LDAP

- CRL
- OCSP

Which two network protocols can be used by a threat actor to exfiltrate data in traffic that is disguised as normal network traffic? (Choose two.)
- NTP
- DNS
- HTTP
- syslog
- SMTP

- DNS
- HTTP

An IT enterprise is recommending the use of PKI applications to securely exchange information between employees. In which two cases might an organization use PKI applications to securely exchange information between users? (Choose two.)
- HTTPS web service
- 802.1x authentication
- local NTP server
- FTP transfers
- file and directory access permission

- HTTPS web service
- 802.1x authentication

Which two types of unreadable network traffic could be eliminated from data collected by NSM? (Choose two.)
- STP traffic
- IPsec traffic
- routing updates traffic
- SSL traffic
- broadcast traffic

- IPsec traffic
- SSL traffic

What are two features of ARP? (Choose two.)
- If a host is ready to send a packet to a local destination device and it has the IP address but not the MAC address of the destination, it generates an ARP broadcast.
- If a device receiving an ARP request has the destination IPv4 address, it responds with an ARP reply.
- When a host is encapsulating a packet into a frame, it refers to the MAC address table to determine the mapping of IP addresses to MAC addresses.
- If no device responds to the ARP request, then the originating node will broadcast the data packet to all devices on the network segment.
- An ARP request is sent to all devices on the Ethernet LAN and contains the IP address of the destination host and the multicast MAC address.

- If a host is ready to send a packet to a local destination device and it has the IP address but not the MAC address of the destination, it generates an ARP broadcast.
- If a device receiving an ARP request has the destination IPv4 address, it responds with an ARP reply.

Which two statements describe the use of asymmetric algorithms? (Choose two.)
- Public and private keys may be used interchangeably.
- If a public key is used to encrypt the data, a private key must be used to decrypt the data.
- If a public key is used to encrypt the data, a public key must be used to decrypt the data.
- If a private key is used to encrypt the data, a public key must be used to decrypt the data.
- If a private key is used to encrypt the data, a private key must be used to decrypt the data.

- If a public key is used to encrypt the data, a private key must be used to decrypt the data.
- If a private key is used to encrypt the data, a public key must be used to decrypt the data.

What are three characteristics of an information security management system? (Choose three.)
- It involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise.
- It is a systematic and multilayered approach to cybersecurity.
- It addresses the inventory and control of hardware and software configurations of systems.
- It consists of a set of practices that are systematically applied to ensure continuous improvement in information security.
- It consists of a management framework through which an organization identifies, analyzes, and addresses information security risks.
- It is based on the application of servers and security devices.

- It is a systematic and multilayered approach to cybersecurity.
- It consists of a set of practices that are systematically applied to ensure continuous improvement in information security.
- It consists of a management framework through which an organization identifies, analyzes, and addresses information security risks.

When a security attack has occurred, which two approaches should security professionals take to mitigate a compromised system during the Actions on Objectives step as defined by the Cyber Kill Chain model? (Choose two.)
- Perform forensic analysis of endpoints for rapid triage.
- Train web developers for securing code.
- Build detections for the behavior of known malware.
- Collect malware files and metadata for future analysis.
- Detect data exfiltration, lateral movement, and unauthorized credential usage.

- Perform forensic analysis of endpoints for rapid triage.
- Detect data exfiltration, lateral movement, and unauthorized credential usage.

An administrator is trying to develop a BYOD security policy for employees that are bringing a wide range of devices to connect to the company network. Which three objectives must the BYOD security policy address? (Choose three.)
- All devices must be insured against liability if used to compromise the corporate network.
- All devices must have open authentication with the corporate network.
- Rights and activities permitted on the corporate network must be defined.
- Safeguards must be put in place for any personal device being compromised.
- The level of access of employees when connecting to the corporate network must be defined.
- All devices should be allowed to attach to the corporate network flawlessly.

- Rights and activities permitted on the corporate network must be defined.
- Safeguards must be put in place for any personal device being compromised.
- The level of access of employees when connecting to the corporate network must be defined.

What two assurances does digital signing provide about code that is downloaded from the Internet? (Choose two.)
- The code contains no viruses.
- The code has not been modified since it left the software publisher.
- The code is authentic and is actually sourced by the publisher.
- The code contains no errors.
- The code was encrypted with both a private and public key.

- The code has not been modified since it left the software publisher.
- The code is authentic and is actually sourced by the publisher.

What are two characteristics of the SLAAC method for IPv6 address configuration? (Choose two.)
- The default gateway of an IPv6 client on a LAN will be the link-local address of the router interface attached to the LAN.
- This stateful method of acquiring an IPv6 address requires at least one DHCPv6 server.
- Clients send router advertisement messages to routers to request IPv6 addressing.
- IPv6 addressing is dynamically assigned to clients through the use of ICMPv6.
- Router solicitation messages are sent by the router to offer IPv6 addressing to clients.

- The default gateway of an IPv6 client on a LAN will be the link-local address of the router interface attached to the LAN.
- IPv6 addressing is dynamically assigned to clients through the use of ICMPv6.

What are two characteristics of Ethernet MAC addresses? (Choose two.)
- MAC addresses use a flexible hierarchical structure.
- They are expressed as 12 hexadecimal digits.
- They are globally unique.
- They are routable on the Internet.
- MAC addresses must be unique for both Ethernet and serial interfaces on a device.

- They are expressed as 12 hexadecimal digits.
- They are globally unique.

Which two statements describe the characteristics of symmetric algorithms? (Choose two.)
- They are referred to as a pre-shared key or secret key.
- They use a pair of a public key and a private key.
- They are commonly used with VPN traffic.
- They provide confidentiality, integrity, and availability.

- They are referred to as a pre-shared key or secret key.
- They are commonly used with VPN traffic.

What are the two ways threat actors use NTP? (Choose two.)
- They place an attachment inside an email message.
- They attack the NTP infrastructure in order to corrupt the information used to log the attack.
- They place iFrames on a frequently used corporate web page.
- They encode stolen data as the subdomain portion where the nameserver is under control of an attacker.
- Threat actors use NTP systems to direct DDoS attacks.

- They attack the NTP infrastructure in order to corrupt the information used to log the attack.
- Threat actors use NTP systems to direct DDoS attacks.

What are two drawbacks to using HIPS? (Choose two.)
- With HIPS, the success or failure of an attack cannot be readily determined.
- With HIPS, the network administrator must verify support for all the different operating systems used in the network.
- HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network.
- If the network traffic stream is encrypted, HIPS is unable to access unencrypted forms of the traffic.
- HIPS installations are vulnerable to fragmentation attacks or variable TTL attacks.

- With HIPS, the network administrator must verify support for all the different operating systems used in the network.
- HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network.

A cybersecurity analyst needs to collect alert data. What are three detection tools to perform this task in the Security Onion architecture? (Choose three.)

- Zeek
- Wazuh
- CapME

Which two techniques are used in a smurf attack? (Choose two.)
- session hijacking
- resource exhaustion
- botnets
- amplification
- reflection

- amplification
- reflection

What are two types of attacks used on DNS open resolvers? (Choose two.)
- amplification and reflection
- fast flux
- ARP poisoning
- resource utilization
- cushioning

- amplification and reflection
- resource utilization

What are two ways that ICMP can be a security threat to a company? (Choose two.)
- by collecting information about a network
- by corrupting data between email servers and email recipients
- by the infiltration of web pages
- by corrupting network IP data packets
- by providing a conduit for DoS attacks

- by collecting information about a network
- by providing a conduit for DoS attacks

Which three technologies should be included in a SOC security information and event management system? (Choose three.)
- event collection, correlation, and analysis
- security monitoring
- user authentication
- proxy service
- intrusion prevention
- threat intelligence

- event collection, correlation, and analysis
- security monitoring
- threat intelligence

Which three IPv4 header fields have no equivalent in an IPv6 header? (Choose three.)
- fragment offset
- protocol
- flag
- TTL
- identification
- version

- fragment offset
- flag
- identification

Which three security services are provided by digital signatures? (Choose three.)
- provides nonrepudiation using HMAC functions
- guarantees data has not changed in transit
- provides data encryption
- authenticates the source
- provides confidentiality of digitally signed data
- authenticates the destination

- guarantees data has not changed in transit
- provides data encryption
- authenticates the source

Which two net commands are associated with network resource sharing? (Choose two.)
- net start
- net accounts
- net share
- net use
- net stop

- net share
- net use

Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)
- password encryption
- separate authentication and authorization processes
- SIP support
- utilization of transport layer protocols
- 802.1X support

- password encryption
- utilization of transport layer protocols

What are two evasion techniques that are used by hackers? (Choose two.)
- Trojan horse
- pivot
- rootkit
- reconnaissance
- phishing

- pivot
- rootkit

A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication? (Choose two.)
- encryption for all communication
- encryption for only the data
- single process for authentication and authorization
- separate processes for authentication and authorization
- hidden passwords during transmission

- single process for authentication and authorization
- hidden passwords during transmission

What are three goals of a port scan attack? (Choose three.)
- to identify peripheral configurations
- to determine potential vulnerabilities
- to disable used ports and services
- to identify operating systems
- to identify active services
- to discover system passwords

- to determine potential vulnerabilities
- to identify operating systems
- to identify active services

What are three functions provided by the syslog service? (Choose three.)
- to select the type of logging information that is captured
- to periodically poll agents for data
- to provide statistics on packets that are flowing through a Cisco device
- to provide traffic analysis
- to gather logging information for monitoring and troubleshooting
- to specify the destinations of captured messages

- to select the type of logging information that is captured
- to gather logging information for monitoring and troubleshooting
- to specify the destinations of captured messages

A help desk technician notices an increased number of calls relating to the performance of computers located at the manufacturing plant. The technician believes that botnets are causing the issue. What are two purposes of botnets? (Choose two.)
- to transmit viruses or spam to computers on the same network
- to record any and all keystrokes
- to attack other computers
- to withhold access to a computer or files until money has been paid
- to gain access to the restricted part of the operating system

- to transmit viruses or spam to computers on the same network
- to attack other computers

Which two data types would be classified as personally identifiable information (PII)? (Choose two.)
- house thermostat reading
- average number of cattle per region
- vehicle identification number
- hospital emergency use per region
- Facebook photographs

- vehicle identification number
- Facebook photographs

What are two scenarios where probabilistic security analysis is best suited? (Choose two.)
- when applications that conform to application/networking standards are analyzed
- when analyzing events with the assumption that they follow predefined steps
- when random variables create difficulty in knowing with certainty the outcome of any given event
- when analyzing applications designed to circumvent firewalls
- when each event is the inevitable result of antecedent causes

- when analyzing events with the assumption that they follow predefined steps
- when analyzing applications designed to circumvent firewalls

What part of the URL, http://www.cisco.com/index.html, represents the top-level DNS domain?

.com

A device has been assigned the IPv6 address of 2001:0db8:cafe:4500:1000:00d8:0058:00ab/64. Which is the network identifier of the device?

After a security monitoring tool identifies a malware attachment entering the network, what is the benefit of performing a retrospective analysis?

A retrospective analysis can help in tracking the behavior of the malware from the identification point forward.

A newly created company has fifteen Windows 10 computers that need to be installed before the company can open for business. What is a best practice that the technician should implement when configuring the Windows Firewall?

After implementing third party security software for the company, the technician should verify that the Windows Firewall is disabled.

Which approach can help block potential malware delivery methods, as described in the Cyber Kill Chain model, on an Internet-faced web server?

Analyze the infrastructure storage path used for files.

Which two statements are characteristics of a virus? (Choose two.)
- A virus typically requires end-user activation.
- A virus can be dormant and then activate at a specific time or date.
- A virus replicates itself by independently exploiting vulnerabilities in networks.
- A virus has an enabling vulnerability, a propagation mechanism, and a payload.
- A virus provides the attacker with sensitive data, such as passwords.

- A virus typically requires end-user activation.
- A virus can be dormant and then activate at a specific time or date.

If a SOC has a goal of 99.999% uptime, how many minutes of downtime a year would be considered within its goal?

Approximately 5 minutes per year.

Which tool included in the Security Onion is a series of software plugins that send different types of data to the Elasticsearch data stores?

Beats

Which tool is a web application that provides the cybersecurity analyst an easy-to-read means of viewing an entire Layer 4 session?

CapME

Which device supports the use of SPAN to enable monitoring of malicious activity?

Cisco Catalyst switch

What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?

DHCP starvation

Which protocol or service uses UDP for a client-to-server communication and TCP for server-to-server communication?

DNS

What is a property of the ARP table on a device?

Entries in an ARP table are time-stamped and are purged after the timeout expires.

What is one difference between the client-server and peer-to-peer network models?

Every device in a peer-to-peer network can function as a client or a server.

What information is required for a WHOIS query?

FQDN of the domain

What is a characteristic of CybOX?

It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations.

A client is using SLAAC to obtain an IPv6 address for the interface. After an address has been generated and applied to the interface, what must the client do before it can begin to use this IPv6 address?

It must send an ICMPv6 Neighbor Solicitation message to ensure that the address is not already in use on the network.

Which core open source component of the Elastic-stack is responsible for accepting the data in its native format and making elements of the data consistent across all sources?

Logstash

What is a characteristic of a Trojan horse as it relates to network security?

Malware is contained in a seemingly legitimate executable program.

What is an advantage for small organizations of adopting IMAP instead of POP?

Messages are kept in the mail servers until they are manually deleted from the email client.

What is a key difference between the data captured by NetFlow and data captured by Wireshark?

NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.

Which tool can be used in a Cisco AVC system to analyze and present the application analysis data into dashboard reports?

Prime

Which measure can a security analyst take to perform effective security monitoring against network traffic encrypted by SSL technology?

Require remote access connections through IPsec VPN.

What type of attack targets an SQL database using the input field of a user?

SQL injection

Which statement defines the difference between session data and transaction data in logs?

Session data records a conversation between hosts, whereas transaction data focuses on the result of network sessions.

Which consideration is important when implementing syslog in a network?

Synchronize clocks on all network devices with a protocol such as Network Time Protocol.

Which Windows Event Viewer log includes events regarding the operation of drivers, processes, and hardware?

System logs

A technician notices that an application is not responding to commands and that the computer seems to respond slowly when applications are opened. What is the best administrative tool to force the release of system resources from the unresponsive application?

Task Manager

A user calls to report that a PC cannot access the internet. The network technician asks the user to issue the command ping 127.0.0.1 in a command prompt window. The user reports that the result is four positive replies. What conclusion can be drawn based on this connectivity test?

The TCP/IP implementation is functional.

The HTTP server has responded to a client request with a 200 status code. What does this status code indicate?

The request was completed successfully.

What characterizes a threat actor?

They always try to cause some harm to an individual or organization.

What is a purpose of implementing VLANs on a network?

They can separate user traffic.

Which statement is correct about network protocols?

They define how messages are exchanged between the source and the destination.

What is privilege escalation?

Vulnerabilities in systems are exploited to grant higher levels of privilege than someone or some process should have.

What debugging security tool can be used by black hats to reverse engineer binary files when writing exploits?

WinDbg

What is a network tap?

a passive device that forwards all traffic and physical layer errors to an analysis device

A computer is presenting a user with a screen requesting payment before the user data is allowed to be accessed by the same user. What type of malware is this?

a type of ransomware

In the NIST incident response process life cycle, which type of attack vector involves the use of brute force against devices, networks, or services?

attrition

A company has a file server that shares a folder named Public. The network security policy specifies that the Public folder is assigned Read-Only rights to anyone who can log into the server while the Edit rights are assigned only to the network admin group. Which component is addressed in the AAA network service framework?

authorization

How can statistical data be used to describe or predict network behavior?

by comparing normal network behavior to current network behavior

Which field in the TCP header indicates the status of the three-way handshake process?

control bits

For what purpose would a network administrator use the Nmap tool?

detection and identification of open ports

A person coming to a cafe for the first time wants to gain wireless access to the Internet using a laptop. What is the first step the wireless client will do in order to communicate over the network using a wireless management frame?

discover the AP

When ACLs are configured to block IP address spoofing and DoS flood attacks, which ICMP message should be allowed both inbound and outbound?

echo

Which PDU format is used when bits are received from the network medium by the NIC of a host?

frame

Which Linux command is used to manage processes?

kill

What best describes the security threat of spoofing?

making data appear to come from a source that is not the actual source

Which meta-feature element in the Diamond Model classifies the general type of intrusion event?

methodology

Which wireless parameter is used by an access point to broadcast frames that include the SSID?

passive mode

What technique is used in social engineering attacks?

phishing

Which term is used for describing automated queries that are useful for adding efficiency to the cyberoperations workflow?

playbook

Which NIST Cybersecurity Framework core function is concerned with the development and implementation of safeguards that ensure the delivery of critical infrastructure services?

protect

In network security assessments, which type of test is used to evaluate the risk posed by vulnerabilities to a specific organization including assessment of the likelihood of attacks and the impact of successful exploits on the organization?

risk analysis

The IT security personnel of an organization notice that the web server deployed in the DMZ is frequently targeted by threat actors. The decision is made to implement a patch management system to manage the server. Which risk management strategy method is being used to respond to the identified risk?

risk reduction

In addressing an identified risk, which strategy aims to shift some of the risk to other parties?

risk sharing

An employee connects wirelessly to the company network using a cell phone. The employee then configures the cell phone to act as a wireless access point that will allow new employees to connect to the company network. Which type of security threat best describes this situation?

rogue access point

What term describes a set of software tools designed to increase the privileges of a user or to grant access to the user to portions of the operating system that should not normally be allowed?

rootkit

Which ICMPv6 message type provides network addressing information to hosts that use SLAAC?

router advertisement

In a Linux operating system, which component interprets user commands and attempts to execute them?

shell

An administrator wants to create four subnetworks from the network address 192.168.1.0/24. What is the network address and subnet mask of the second useable subnet?

subnetwork 192.168.1.64 subnet mask 255.255.255.192

Which tool captures full data packets with a command-line interface only?

tcpdump

A user opens three browsers on the same PC to access www.cisco.com to search for certification course information. The Cisco web server sends a datagram as a reply to the request from one of the web browsers. Which information is used by the TCP/IP protocol stack in the PC to identify which of the three web browsers should receive the reply?

the destination port number

Which metric in the CVSS Base Metric Group is used with an attack vector?

the proximity of the threat actor to the vulnerability

What is the primary objective of a threat intelligence platform (TIP)?

to aggregate the data in one place and present it in a comprehensible and usable format

What is the purpose of Tor?

to allow users to browse the Internet anonymously

A technician is troubleshooting a network connectivity problem. Pings to the local wireless router are successful but pings to a server on the Internet are unsuccessful. Which CLI command could assist the technician to find the location of the networking problem?

tracert

Which method can be used to harden a device?

use SSH and disable the root account access over SSH

A user is executing a tracert to a remote device. At what point would a router, which is in the path to the destination device, stop forwarding the packet?

when the value in the TTL field reaches zero

