Cisco CCNA CyberOps Associate (Version 1.0) All Modules & Final Exam
Which statement describes a VPN?
VPNs use virtual connections to create a private network through a public network.
Match the HTTP status code group to the type of message generated by the HTTP server.
informational: 1xx; success: 2xx; redirection: 3xx; client error: 4xx; server error: 5xx
Which networking model is being used when an author uploads one chapter document to a file server of a book publisher?
client/server
What are two purposes of launching a reconnaissance attack on a network? (Choose two.)
to scan for accessibility; to gather information about the network and devices
A device has been assigned the IPv6 address of 2001:0db8:cafe:4500:1000:00d8:0058:00ab/64. Which is the network identifier of the device? (Options: 2001:0db8:cafe:4500:1000:00d8:0058:00ab; 2001:0db8:cafe:4500; 1000:00d8:0058:00ab; 2001; 2001:0db8:cafe:4500:1000)
2001:0db8:cafe:4500
What are security event logs commonly based on when sourced by traditional firewalls? static filtering application analysis signatures 5-tuples
5-tuples
What is the well-known port address number used by DNS to serve requests?
53
Which method is used to make data unreadable to unauthorized users? Add a checksum to the end of the data. Encrypt the data. Assign it a username and password. Fragment the data.
Encrypt the data.
A worker in the records department of a hospital accidentally sends a medical record of a patient to a printer in another department. When the worker arrives at the printer, the patient record printout is missing. What breach of confidentiality does this situation describe?
PHI
What technology has a function of using trusted third-party protocols to issue credentials that are accepted as an authoritative identity? digital signatures hashing algorithms PKI certificates symmetric keys
PKI certificates
A user creates a file with .ps1 extension in Windows. What type of file is it?
PowerShell script
Which organization is an international nonprofit organization that offers the CISSP certification?
(ISC)²
What is the full decompressed form of the IPv6 address 2001:420:59:0:1::a/64?
2001:0420:0059:0000:0001:0000:0000:000a
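The two IPv6 questions above (the /64 network identifier and the decompressed form) both come down to the same two rules: leading zeros in a 16-bit group may be dropped, and one run of all-zero groups may be written as `::`. The following is an added example, not part of the exam page: it expands an address by hand, derives the network identifier for any prefix length at the bit level, and cross-checks against Python's standard `ipaddress` module. Function names are my own.

```python
import ipaddress


def expand_ipv6(addr: str) -> str:
    """Expand a compressed IPv6 address into eight zero-padded 4-digit hex groups.

    Applies the two compression rules in reverse: restore the one '::' run of zero
    groups, then left-pad every group to four hex digits.
    """
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        left, right = addr.split("::")
        left_groups = left.split(":") if left else []
        right_groups = right.split(":") if right else []
        missing = 8 - len(left_groups) - len(right_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left_groups + ["0"] * missing + right_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    for g in groups:
        # Each group is 1..4 hex digits; embedded IPv4 forms (::ffff:1.2.3.4) are not handled here.
        if not 1 <= len(g) <= 4 or int(g, 16) < 0:
            raise ValueError(f"bad group {g!r}")
    return ":".join(g.lower().zfill(4) for g in groups)


def network_identifier(cidr: str) -> str:
    """Return the network part of an IPv6 address written as address/prefix-length.

    Works at the bit level, so a prefix that is not a multiple of 16 is handled too
    (the last, partial group is shown with its host bits cleared). For /64 this is
    simply the first four groups.
    """
    addr, _, plen_str = cidr.partition("/")
    plen = int(plen_str)
    if not 0 <= plen <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    value = int(expand_ipv6(addr).replace(":", ""), 16)
    mask = ((1 << plen) - 1) << (128 - plen)
    net_hex = f"{value & mask:032x}"
    groups = [net_hex[i:i + 4] for i in range(0, 32, 4)]
    return ":".join(groups[: (plen + 15) // 16])


def cross_check(cidr: str) -> bool:
    """Compare the hand-rolled results with the standard library's canonical forms."""
    iface = ipaddress.IPv6Interface(cidr)
    expanded_ok = expand_ipv6(cidr.split("/")[0]) == iface.ip.exploded
    net_ok = iface.network.network_address.exploded.startswith(network_identifier(cidr))
    return expanded_ok and net_ok


if __name__ == "__main__":
    print(expand_ipv6("2001:420:59:0:1::a"))
    print(network_identifier("2001:0db8:cafe:4500:1000:00d8:0058:00ab/64"))
    print(cross_check("2001:420:59:0:1::a/64"))
```

In production code use `ipaddress` directly; the hand-rolled version is there to make the expansion and masking steps visible.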
A PC is downloading a large file from a server. The TCP window is 1000 bytes. The server is sending the file using 100-byte segments. How many segments will the server send before it requires an acknowledgment from the PC?
10 segments
Which two statements correctly describe certificate classes used in the PKI? (Choose two.) A class 4 certificate is for online business transactions between companies. A class 0 certificate is more trusted than a class 1 certificate. A class 0 certificate is for testing purposes. The lower the class number, the more trusted the certificate. A class 5 certificate is for users with a focus on verification of email.
A class 4 certificate is for online business transactions between companies. A class 0 certificate is for testing purposes.
After a security monitoring tool identifies a malware attachment entering the network, what is the benefit of performing a retrospective analysis? A retrospective analysis can help in tracking the behavior of the malware from the identification point forward. It can identify how the malware originally entered the network. It can calculate the probability of a future incident. It can determine which network host was first affected.
A retrospective analysis can help in tracking the behavior of the malware from the identification point forward.
Which two statements are characteristics of a virus? (Choose two.) A virus replicates itself by independently exploiting vulnerabilities in networks. A virus has an enabling vulnerability, a propagation mechanism, and a payload. A virus provides the attacker with sensitive data, such as passwords. A virus can be dormant and then activate at a specific time or date. A virus typically requires end-user activation.
A virus can be dormant and then activate at a specific time or date. A virus typically requires end-user activation.
What are two uses of an access control list? (Choose two.) ACLs provide a basic level of security for network access. Standard ACLs can restrict access to specific applications and ports. ACLs can permit or deny traffic based upon the MAC address originating on the router. ACLs assist the router in determining the best path to a destination. ACLs can control which areas a host can access on a network.
ACLs provide a basic level of security for network access. ACLs can control which areas a host can access on a network.
What job would require verification that an alert represents a true security incident or a false positive?
Alert Analyst
Match the tabs of the Windows 10 Task Manager to their functions. (Not all options are used.) Performance Startup Services Details
Allows for a process to have its affinity set: Details
Displays resource utilization information for CPU, memory, network, disk, and others: Performance
Shows all of the resources used by applications and processes of a user: (not used)
Allows programs that are running on system startup to be disabled: Startup
Allows for a start, stop, or restart of a particular service: Services
How can IMAP be a security threat to a company? Someone inadvertently clicks on a hidden iFrame. Encrypted data is decrypted. An email can be used to bring malware to a host. It can be used to encode stolen data and send to a threat actor.
An email can be used to bring malware to a host.
Which example illustrates how malware might be concealed?
An email is sent to the employees of an organization with an attachment that looks like an antivirus update, but the attachment actually consists of spyware.
When dealing with security threats and using the Cyber Kill Chain model, which two approaches can an organization use to block a potential back door creation? (Choose two.) Audit endpoints to discover abnormal file creations. Establish an incident response playbook. Consolidate the number of Internet points of presence. Conduct damage assessment. Use HIPS to alert or place a block on common installation paths.
Audit endpoints to discover abnormal file creations. Use HIPS to alert or place a block on common installation paths.
Which routing protocol is used to exchange routes between internet service providers?
BGP
Which two technologies are primarily used on peer-to-peer networks? (Choose two.) Bitcoin BitTorrent Wireshark Darknet Snort
Bitcoin; BitTorrent
Which two protocols are link-state routing protocols? (Choose two.)
IS-IS; OSPF
Which statement describes one of the rules that govern interface behavior in the context of implementing a zone-based policy firewall configuration?
By default, traffic is allowed to flow among interfaces that are members of the same zone.
What are two methods to maintain certificate revocation status? (Choose two.) subordinate CA CRL LDAP DNS OCSP
CRL; OCSP
A technician has installed a third party utility that is used to manage a Windows 7 computer. However, the utility does not automatically start whenever the computer is started. What can the technician do to resolve this problem?
Change the startup type for the utility to Automatic in Services
Which device supports the use of SPAN to enable monitoring of malicious activity? Cisco Catalyst switch Cisco NAC Cisco IronPort Cisco Security Agent
Cisco Catalyst switch
What is the result of a passive ARP poisoning attack?
Confidential information is stolen.
What is a vulnerability that allows criminals to inject scripts into web pages viewed by users?
Cross-site scripting
What technique is a security attack that depletes the pool of IP addresses available for legitimate hosts?
DHCP starvation
What network service uses the WHOIS protocol?
DNS
Which protocol is a name resolution protocol often used by malware to communicate with command-and-control (CnC) servers? IMAP DNS HTTPS ICMP
DNS
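DNS is attractive for command-and-control because almost every network lets port 53 out, and data can be smuggled in the query name itself. The following is an added example, not part of the exam page: a small heuristic detector run over constructed BIND-style query-log lines (the log lines, client addresses and `evil-dns.net` domain are invented for the example). It flags queries with very long or high-entropy subdomains, TXT/NULL lookups under an unusual name, and a single client generating many unique subdomains under one base domain; the thresholds are illustrative and would be tuned on real traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample log in BIND query-log format; not a real capture.
SAMPLE_LOG = [
    "client 10.0.0.5#51234: query: www.example.com IN A +",
    "client 10.0.0.5#51235: query: mail.example.com IN MX +",
    "client 10.0.0.7#40001: query: 4a6f686e2d5365637265742d44617461313233343536373839.c2.evil-dns.net IN A +",
    "client 10.0.0.7#40002: query: 0001.c2.evil-dns.net IN A +",
    "client 10.0.0.7#40003: query: 0002.c2.evil-dns.net IN A +",
    "client 10.0.0.7#40004: query: 0003.c2.evil-dns.net IN TXT +",
    "client 10.0.0.7#40005: query: 0004.c2.evil-dns.net IN TXT +",
]

LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Illustrative thresholds (assumptions for this example, not vendor defaults).
LONG_SUBDOMAIN = 40        # characters of subdomain, excluding the base domain
HIGH_ENTROPY = 3.5         # bits per character; English words sit around 2.5-3.0
MIN_LEN_FOR_ENTROPY = 20   # entropy on very short strings is meaningless
MANY_LABELS = 4            # dots inside the subdomain part
MANY_UNIQUE_SUBDOMAINS = 5 # unique subdomains from one client under one base domain


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; encoded payloads score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split 'a.b.example.com' into ('a.b', 'example.com').

    The base domain is approximated as the last two labels; real tooling uses the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(qname: str, qtype: str) -> list:
    """Return the list of reasons a single query looks like tunnelling (empty if none)."""
    sub, _ = split_name(qname)
    reasons = []
    if len(sub) >= LONG_SUBDOMAIN:
        reasons.append("long subdomain")
    compact = sub.replace(".", "")
    if len(compact) >= MIN_LEN_FOR_ENTROPY and shannon_entropy(compact) >= HIGH_ENTROPY:
        reasons.append("high entropy")
    if sub.count(".") >= MANY_LABELS:
        reasons.append("many labels")
    if qtype.upper() in ("TXT", "NULL") and sub:
        # Weak signal on its own: TXT is also used legitimately (SPF, DKIM, ACME).
        reasons.append(f"{qtype.upper()} query under subdomain")
    return reasons


def analyze(log_lines) -> list:
    """Return (client_ip, name, reasons) for every suspicious query or client/domain pair."""
    findings = []
    per_client_base = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ip, qname, qtype = m.group("ip", "qname", "qtype")
        sub, base = split_name(qname)
        per_client_base[(ip, base)].add(sub)
        reasons = score_query(qname, qtype)
        if reasons:
            findings.append((ip, qname, reasons))
    # Volume signal: one client asking for many distinct names under one domain.
    for (ip, base), subs in per_client_base.items():
        if len(subs) >= MANY_UNIQUE_SUBDOMAINS:
            findings.append((ip, base, ["many unique subdomains"]))
    return findings


if __name__ == "__main__":
    for ip, name, reasons in analyze(SAMPLE_LOG):
        print(ip, name, ", ".join(reasons))
```

Per-query heuristics catch bulky exfiltration; the per-client volume signal is what catches low-and-slow beacons that keep each query short.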
Which protocol or service uses UDP for a client-to-server communication and TCP for server-to-server communication? DNS HTTP FTP SMTP
DNS
Which two methods can be used to harden a computing device? (Choose two.)
Enforce the password history mechanism. Ensure physical security.
An administrator suspects polymorphic malware has successfully entered the network past the HIDS system perimeter. The polymorphic malware is, however, successfully identified and isolated. What must the administrator do to create signatures to prevent the file from entering the network again? Execute the polymorphic file in the Cisco Threat Grid Glovebox. Run the Cisco Talos security intelligence service. Use Cisco AMP to track the trajectory of a file through the network. Run a baseline to establish an accepted amount of risk, and the environmental components that contribute to the risk level of the polymorphic malware.
Execute the polymorphic file in the Cisco Threat Grid Glovebox.
Which two classes of metrics are included in the CVSS Base Metric Group? (Choose two.) Confidentiality Requirement Modified Base Exploit Code Maturity Exploitability Impact metrics
Exploitability metrics; Impact metrics
Which two data types would be classified as personally identifiable information (PII)? (Choose two.) hospital emergency use per region Facebook photographs vehicle identification number house thermostat reading average number of cattle per region
Facebook photographs vehicle identification number
On a Windows host, which tool can be used to create and maintain blacklists and whitelists? Local Users and Groups Group Policy Editor Task Manager Computer Management
Group Policy Editor
A security professional is making recommendations to a company for enhancing endpoint security. Which security endpoint technology would be recommended as an agent-based system to protect hosts against malware? IPS HIDS blacklisting baselining
HIDS
Which regulatory law regulates the identification, storage, and transmission of patient personal healthcare information?
HIPAA
What is an advantage of HIPS that is not provided by IDS?
HIPS protects critical system resources and monitors operating system processes.
Which protocol is exploited by cybercriminals who create malicious iFrames? HTTP ARP DHCP DNS
HTTP
Which two application layer protocols manage the exchange of messages between a client with a web browser and a remote web server? (Choose two.) HTTP HTTPS DNS DHCP HTML
HTTP HTTPS
Why does HTTPS technology add complexity to network security monitoring? HTTPS dynamically changes the port number on the web server. HTTPS uses tunneling technology for confidentiality. HTTPS hides the true source IP address using NAT/PAT. HTTPS conceals data traffic through end-to-end encryption.
HTTPS conceals data traffic through end-to-end encryption.
Which two types of unreadable network traffic could be eliminated from data collected by NSM? (Choose two.) IPsec traffic routing updates traffic STP traffic SSL traffic broadcast traffic
IPsec traffic SSL traffic
What kind of ICMP message can be used by threat actors to create a man-in-the-middle attack?
ICMP redirects
Which method is used by some malware to transfer files from infected hosts to a threat actor host? UDP infiltration ICMP tunneling HTTPS traffic encryption iFrame injection
ICMP tunneling
What are two types of addresses found on network end devices? (Choose two.)
IP; MAC
What type of information is contained in an ARP table?
IP address to MAC address mappings
What are two features of ARP? (Choose two.) If a device receiving an ARP request has the destination IPv4 address, it responds with an ARP reply. If no device responds to the ARP request, then the originating node will broadcast the data packet to all devices on the network segment. When a host is encapsulating a packet into a frame, it refers to the MAC address table to determine the mapping of IP addresses to MAC addresses. If a host is ready to send a packet to a local destination device and it has the IP address but not the MAC address of the destination, it generates an ARP broadcast. An ARP request is sent to all devices on the Ethernet LAN and contains the IP address of the destination host and the multicast MAC address.
If a device receiving an ARP request has the destination IPv4 address, it responds with an ARP reply. If a host is ready to send a packet to a local destination device and it has the IP address but not the MAC address of the destination, it generates an ARP broadcast.
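The ARP behaviour in the three questions above (the IP-to-MAC table, the broadcast request, the unicast reply, and what a passive poisoning attack abuses) is easiest to see on the wire. The following is an added example, not part of the exam page: it builds and parses Ethernet/ARP frames with `struct`, then feeds them to a small arpwatch-style monitor that records the IP-to-MAC binding learned from each reply and raises an alert when a later reply claims the same IP for a different MAC, which is the tell-tale sign of a poisoning attempt. The MAC and IP addresses are made up for the example.

```python
import socket
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2
# Ethernet II header: dst MAC, src MAC, EtherType. ARP body: htype, ptype, hlen, plen,
# opcode, sender MAC, sender IP, target MAC, target IP (28 bytes for Ethernet/IPv4).
ETH_FMT, ARP_FMT = "!6s6sH", "!HHBBH6s4s6s4s"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """A request is broadcast with the target MAC zeroed; a reply is unicast to the requester."""
    eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth = struct.pack(ETH_FMT, mac_bytes(eth_dst), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp_frame(frame: bytes):
    """Return the ARP fields as a dict, or None if the frame is not ARP."""
    if len(frame) < 42:
        return None
    eth_dst, _eth_src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"eth_dst": mac_str(eth_dst), "op": op,
            "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}


class ArpMonitor:
    """Learn IP -> MAC bindings from ARP replies and alert when a binding changes.

    Unlike a host's ARP cache, the monitor keeps the first binding it saw, so every
    later conflicting reply is reported rather than silently overwriting it.
    """

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def observe(self, frame: bytes):
        parsed = parse_arp_frame(frame)
        if parsed is None or parsed["op"] != ARP_REPLY:
            return parsed
        known = self.bindings.get(parsed["spa"])
        if known is not None and known != parsed["sha"]:
            self.alerts.append(f"{parsed['spa']} claimed by {parsed['sha']}, previously {known}")
        self.bindings.setdefault(parsed["spa"], parsed["sha"])
        return parsed


def demo() -> ArpMonitor:
    """Constructed exchange: a host resolves its gateway, then an attacker forges a reply for it."""
    host, gateway, attacker = "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:66"
    mon = ArpMonitor()
    mon.observe(build_arp_frame(ARP_REQUEST, host, "10.0.0.5", ZERO_MAC, "10.0.0.1"))
    mon.observe(build_arp_frame(ARP_REPLY, gateway, "10.0.0.1", host, "10.0.0.5"))
    mon.observe(build_arp_frame(ARP_REPLY, attacker, "10.0.0.1", host, "10.0.0.5"))
    return mon


if __name__ == "__main__":
    for alert in demo().alerts:
        print("ALERT:", alert)
```

The monitor only sees what reaches it, so in practice it runs on a SPAN port or on the switch itself; Dynamic ARP Inspection on the Layer 2 device is the preventive counterpart.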
Which two statements describe the use of asymmetric algorithms? (Choose two.) If a public key is used to encrypt the data, a public key must be used to decrypt the data. If a private key is used to encrypt the data, a private key must be used to decrypt the data. If a private key is used to encrypt the data, a public key must be used to decrypt the data. If a public key is used to encrypt the data, a private key must be used to decrypt the data. Public and private keys may be used interchangeably.
If a private key is used to encrypt the data, a public key must be used to decrypt the data. If a public key is used to encrypt the data, a private key must be used to decrypt the data.
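The two correct statements above are the whole point of an asymmetric key pair: whatever one key does, only the other key undoes, which is why public-key encryption and digital signatures are the same operation run in opposite directions. The following is an added example, not part of the exam page: textbook RSA with two fixed, deliberately small primes, showing both directions plus a toy hash-and-sign. It is illustrative only; real RSA uses 2048-bit or larger keys and padding schemes (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures), and you should use a vetted library rather than this code.

```python
from hashlib import sha256
from math import gcd

# Fixed primes for the example (assumption: far too small for real security).
P = 1_000_000_007
Q = 998_244_353


def make_toy_keypair(p: int = P, q: int = Q, e: int = 65537):
    """Return ((e, n), (d, n)): the public exponent/modulus and the private exponent/modulus."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key, m: int) -> int:
    """Raise m to the key's exponent mod n. The same routine serves both keys."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be a non-negative integer below n")
    return pow(m, exp, n)


def encrypt_for(pub, m: int) -> int:
    """Public key in, only the matching private key can reverse it (confidentiality)."""
    return rsa_apply(pub, m)


def decrypt_with(priv, c: int) -> int:
    return rsa_apply(priv, c)


def _digest_int(message: bytes, n: int) -> int:
    # Toy only: reducing the digest mod n is NOT what real schemes do; they pad to n's size.
    return int.from_bytes(sha256(message).digest(), "big") % n


def sign(priv, message: bytes) -> int:
    """Private key in, anyone with the public key can verify (authenticity/integrity)."""
    return rsa_apply(priv, _digest_int(message, priv[1]))


def verify(pub, message: bytes, signature: int) -> bool:
    return rsa_apply(pub, signature) == _digest_int(message, pub[1])


def demo() -> dict:
    """Exercise every combination from the question, including the two wrong ones."""
    pub, priv = make_toy_keypair()
    m = 123456789
    sig = sign(priv, b"transfer 100 to alice")
    return {
        "public_then_private": decrypt_with(priv, encrypt_for(pub, m)) == m,   # correct
        "private_then_public": rsa_apply(pub, rsa_apply(priv, m)) == m,         # correct
        "public_then_public": rsa_apply(pub, rsa_apply(pub, m)) == m,           # wrong option
        "private_then_private": rsa_apply(priv, rsa_apply(priv, m)) == m,       # wrong option
        "signature_verifies": verify(pub, b"transfer 100 to alice", sig),
        "tampered_message_verifies": verify(pub, b"transfer 900 to alice", sig),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note that the same `rsa_apply` function is used for all four combinations; it is the choice of which key each party holds, not a different algorithm, that makes one direction a cipher and the other a signature.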
What is the purpose of a digital certificate? It provides proof that data has a traditional signature attached. It guarantees that a website has not been hacked. It ensures that the person who is gaining access to a network device is authorized. It authenticates a website and establishes a secure connection to exchange confidential data.
It authenticates a website and establishes a secure connection to exchange confidential data.
What is a host-based intrusion detection system (HIDS)?
It combines the functionalities of antimalware applications with firewall protection.
What are three characteristics of an information security management system? (Choose three.) It consists of a set of practices that are systematically applied to ensure continuous improvement in information security. It is based on the application of servers and security devices. It is a systematic and multilayered approach to cybersecurity. It consists of a management framework through which an organization identifies, analyzes, and addresses information security risks. It involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise. It addresses the inventory and control of hardware and software configurations of systems.
It consists of a set of practices that are systematically applied to ensure continuous improvement in information security. It is a systematic and multilayered approach to cybersecurity. It consists of a management framework through which an organization identifies, analyzes, and addresses information security risks.
Which statement describes the function of the SPAN tool used in a Cisco switch?
It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device.
What does the incident handling procedures security policy describe? It describes how security incidents are handled. It describes the procedure for auditing the network after a cyberattack. It describes the procedure for mitigating cyberattacks. It describes how to prevent various cyberattacks.
It describes how security incidents are handled.
What does the telemetry function provide in host-based security software? It updates the heuristic antivirus signature database. It blocks the passage of zero-day attacks. It enables updates of malware signatures. It enables host-based security programs to have comprehensive logging functions.
It enables host-based security programs to have comprehensive logging functions.
Which statement describes a Cisco Web Security Appliance (WSA)? It protects a web server by preventing security threats from accessing the server. It provides high performance web services. It acts as an SSL-based VPN server for an enterprise. It functions as a web proxy.
It functions as a web proxy.
How is the hash value of files useful in network security investigations? It is used to decode files. It helps identify malware signatures. It verifies confidentiality of files. It is used as a key for encryption.
It helps identify malware signatures.
Why is asset management a critical function of a growing organization against security threats? It identifies the ever increasing attack surface to threats. It allows for a build of a comprehensive AUP. It serves to preserve an audit trail of all new purchases. It prevents theft of older assets that are decommissioned.
It identifies the ever increasing attack surface to threats.
Which statement describes cyberwarfare?
It is Internet-based conflict that involves the penetration of information systems of other nations.
Which statement describes session data in security logs? It can be used to describe or predict network behavior. It shows the result of network sessions. It is a record of a conversation between network hosts. It reports detailed network activities between network hosts.
It is a record of a conversation between network hosts.
What is CybOX? It is a specification for an application layer protocol that allows the communication of CTI over HTTPS. It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations. It enables the real-time exchange of cyberthreat indicators between the U.S. Federal Government and the private sector. It is a catalog of known security threats called Common Vulnerabilities and Exposures (CVE) for publicly known cybersecurity vulnerabilities.
It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations.
Why is Kali Linux a popular choice in testing the network security of an organization?
It is an open source Linux security distribution containing many penetration tools.
What is a characteristic of a routed port that is configured on a Cisco switch?
It is assigned an IP address.
Which statement describes statistical data in network security monitoring processes? It is created through an analysis of other forms of network data. It contains conversations between network hosts. It shows the results of network activities between network hosts. It lists each alert message along with statistical information.
It is created through an analysis of other forms of network data.
What is done to an IP packet before it is transmitted over the physical medium?
It is encapsulated in a Layer 2 frame.
What is the dark web?
It is part of the internet that can only be accessed with special software.
Which statement describes Trusted Automated Exchange of Indicator Information (TAXII)? It is a set of specifications for exchanging cyber threat information between organizations. It is a signature-less engine utilizing stateful attack analysis to detect zero-day threats. It is a dynamic database of real-time vulnerabilities. It is the specification for an application layer protocol that allows the communication of CTI over HTTPS.
It is the specification for an application layer protocol that allows the communication of CTI over HTTPS.
What is the purpose of mobile device management (MDM) software? It is used to create a security policy. It is used to implement security policies, setting, and software configurations on mobile devices. It is used to identify potential mobile device vulnerabilities. It is used by threat actors to penetrate the system.
It is used to implement security policies, settings, and software configurations on mobile devices.
Which statement describes the function of the Server Message Block (SMB) protocol?
It is used to share network resources.
Match the security organization with its security functions. (Not all options are used.) SANS MITRE FIRST
It maintains and supports the Internet Storm Center and also develops security courses: SANS
It maintains a list of common vulnerabilities and exposures (CVE): MITRE
It provides vendor-neutral educational products and career services to industry professionals globally: (not used)
It brings together a variety of computer security incident response teams from government, commercial, and educational organizations to foster cooperation and coordination in information sharing, incident prevention, and rapid reaction: FIRST
Which function is provided by the Sguil application? It reports conversations between hosts on the network. It makes Snort-generated alerts readable and searchable. It detects potential network intrusions. It prevents malware from attacking a host.
It makes Snort-generated alerts readable and searchable.
What functionality is provided by Cisco SPAN in a switched network?
It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.
A client is using SLAAC to obtain an IPv6 address for the interface. After an address has been generated and applied to the interface, what must the client do before it can begin to use this IPv6 address? It must send an ICMPv6 Router Solicitation message to determine what default gateway it should use. It must send an ICMPv6 Router Solicitation message to request the address of the DNS server. It must send an ICMPv6 Neighbor Solicitation message to ensure that the address is not already in use on the network. It must wait for an ICMPv6 Router Advertisement message giving permission to use this address.
It must send an ICMPv6 Neighbor Solicitation message to ensure that the address is not already in use on the network.
Which two functions are provided by NetFlow? (Choose two.)
It provides 24x7 statistics on packets that flow through a Cisco router or multilayer switch. It provides a complete audit trail of basic information about every IP flow forwarded on a device.
What are three functionalities provided by SOAR? (Choose three.)
It provides case management tools that allow cybersecurity personnel to research and investigate incidents. It uses artificial intelligence to detect incidents and aid in incident analysis and response. It automates complex incident response procedures and investigations.
What action does an Ethernet switch take when it receives a frame with an unknown Layer 2 source address?
It records the source address in the address table of the switch.
What action does a DHCPv4 client take if it receives more than one DHCPOFFER from multiple DHCP servers?
It sends a DHCPREQUEST that identifies which lease offer the client is accepting.
Which two options are security best practices that help mitigate BYOD risks? (Choose two.) Use paint that reflects wireless signals and glass that prevents the signals from going outside the building. Keep the device OS and software updated. Only allow devices that have been approved by the corporate IT team. Only turn on Wi-Fi when using the wireless network. Decrease the wireless antenna gain level. Use wireless MAC address filtering.
Keep the device OS and software updated. Only turn on Wi-Fi when using the wireless network.
Which tool included in the Security Onion includes the capability of designing custom dashboards? Sguil Kibana Squert OSSEC
Kibana
Which devices should be secured to mitigate against MAC address spoofing attacks?
Layer 2 devices
Which two devices would commonly be found at the access layer of the hierarchical enterprise LAN design model? (Choose two.)
Layer 2 switch; access point
Which organization defines unique CVE Identifiers for publicly known information-security vulnerabilities that make it easier to share data? Cisco Talos DHS FireEye MITRE
MITRE
What is a characteristic of a Trojan horse as it relates to network security? Too much information is destined for a particular memory block, causing additional memory areas to be affected. An electronic dictionary is used to obtain a password to be used to infiltrate a key network device. Extreme quantities of data are sent to a particular network device interface. Malware is contained in a seemingly legitimate executable program.
Malware is contained in a seemingly legitimate executable program.
What is an advantage for small organizations of adopting IMAP instead of POP? When the user connects to a POP server, copies of the messages are kept in the mail server for a short time, but IMAP keeps them for a long time. IMAP sends and retrieves email, but POP only retrieves email. Messages are kept in the mail servers until they are manually deleted from the email client. POP only allows the client to store messages in a centralized way, while IMAP allows distributed storage.
Messages are kept in the mail servers until they are manually deleted from the email client.
Why do IoT devices pose a greater risk than other computing devices on a network?
Most IoT devices do not receive frequent firmware updates.
Which two options are network security monitoring approaches that use advanced analytic techniques to analyze network telemetry data? (Choose two.) NBAD Sguil NetFlow IPFIX Snorby NBA
NBAD; NBA
What are two advantages of the NTFS file system compared with FAT32? (Choose two.)
NTFS provides more security features. NTFS supports larger files.
Which two statements are true about NTP servers in an enterprise network? (Choose two.)
NTP servers at stratum 1 are directly connected to an authoritative time source. NTP servers ensure an accurate time stamp on logging and debugging information.
In the data gathering process, which type of device will listen for traffic, but only gather traffic statistics?
NetFlow collector
Which statement describes an operational characteristic of NetFlow?
NetFlow collects basic information about the packet flow, not the flow data itself.
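Several questions on this page circle the same idea: traditional firewall logs are keyed on the 5-tuple, session data is a record of a conversation between hosts, and NetFlow exports per-flow summaries (addresses, ports, protocol, packet and byte counts, timing, TCP flags) rather than the payload. The following is an added example, not part of the exam page: a small flow aggregator that turns constructed packet records into unidirectional 5-tuple flow records, then runs one detection over those records that needs no payload at all, namely spotting a host that sends lone SYNs to many ports (the reconnaissance scan from the question near the top of the page). All addresses and packets are invented sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed packet records: (timestamp, src, sport, dst, dport, proto, bytes, tcp_flags).
# One normal HTTPS exchange, a SYN scan of six ports, and one DNS lookup over UDP.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 60, "S"),
    (0.05, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 60, "SA"),
    (0.05, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 52, "A"),
    (0.06, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 517, "PA"),
    (0.12, "93.184.216.34", 443, "10.0.0.5", 51000, "tcp", 1400, "PA"),
    (0.13, "10.0.0.5", 51000, "93.184.216.34", 443, "tcp", 52, "FA"),
    (1.00, "10.0.0.66", 40001, "10.0.0.10", 21, "tcp", 44, "S"),
    (1.00, "10.0.0.10", 21, "10.0.0.66", 40001, "tcp", 40, "RA"),
    (1.01, "10.0.0.66", 40002, "10.0.0.10", 22, "tcp", 44, "S"),
    (1.01, "10.0.0.10", 22, "10.0.0.66", 40002, "tcp", 44, "SA"),
    (1.02, "10.0.0.66", 40003, "10.0.0.10", 23, "tcp", 44, "S"),
    (1.03, "10.0.0.66", 40004, "10.0.0.10", 80, "tcp", 44, "S"),
    (1.04, "10.0.0.66", 40005, "10.0.0.10", 443, "tcp", 44, "S"),
    (1.05, "10.0.0.66", 40006, "10.0.0.10", 3389, "tcp", 44, "S"),
    (2.00, "10.0.0.5", 53000, "10.0.0.2", 53, "udp", 70, ""),
    (2.01, "10.0.0.2", 53, "10.0.0.5", 53000, "udp", 120, ""),
]


@dataclass
class Flow:
    """A NetFlow-style record: the 5-tuple plus counters, never the payload."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0
    flags: set = field(default_factory=set)   # union of TCP flags seen in this direction

    def key(self):
        return (self.src, self.sport, self.dst, self.dport, self.proto)


def aggregate(packets, idle_timeout: float = 15.0) -> list:
    """Group packets into unidirectional flows keyed on the 5-tuple.

    A flow that has been idle longer than idle_timeout is exported and a fresh record
    started, mirroring the inactive-timeout behaviour of a NetFlow exporter.
    """
    exported, active = [], {}
    for ts, src, sport, dst, dport, proto, size, flags in sorted(packets, key=lambda p: p[0]):
        key = (src, sport, dst, dport, proto)
        flow = active.get(key)
        if flow is not None and ts - flow.last_seen > idle_timeout:
            exported.append(active.pop(key))
            flow = None
        if flow is None:
            flow = active[key] = Flow(src, sport, dst, dport, proto, ts, ts)
        flow.packets += 1
        flow.bytes += size
        flow.last_seen = ts
        flow.flags |= set(flags)
    exported.extend(active.values())
    return exported


def syn_scan_sources(flows, min_ports: int = 5) -> dict:
    """Sources whose TCP flows to many distinct ports consist only of SYNs (no completed handshake)."""
    ports_by_src = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.flags == {"S"} and f.packets <= 2:
            ports_by_src[f.src].add(f.dport)
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


def firewall_log_line(f: Flow) -> str:
    """Render a flow the way a 5-tuple based firewall log would."""
    return (f"{f.proto.upper()} {f.src}:{f.sport} -> {f.dst}:{f.dport} "
            f"pkts={f.packets} bytes={f.bytes} flags={''.join(sorted(f.flags))}")


if __name__ == "__main__":
    flows = aggregate(SAMPLE_PACKETS)
    for f in flows:
        print(firewall_log_line(f))
    print("scan sources:", syn_scan_sources(flows))
```

Because the records carry no payload, this is exactly the kind of analysis that still works on the encrypted HTTPS traffic discussed elsewhere on the page; what you lose with encryption is content inspection, not flow visibility.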
Which tool is a Security Onion integrated host-based intrusion detection system? Snort OSSEC ELK Sguil
OSSEC
Match the information security component with the description.
Only authorized individuals, entities, or processes can access sensitive information: confidentiality
Data is protected from unauthorized alteration: integrity
Authorized users must have uninterrupted access to important resources and data: availability
Match each characteristic to the appropriate email protocol. (Not all options are used.)
POP: does not require a centralized backup solution; mail is deleted as it is downloaded; desirable for an ISP or large business.
IMAP: downloads copies of messages to the client; original messages must be manually deleted; requires a larger amount of disk space.
Which technology is a major standard consisting of a pattern of symbols that describe data to be matched in a query? OSSEC POSIX Squert Sguil
POSIX
Which tool can be used in a Cisco AVC system to analyze and present the application analysis data into dashboard reports? IPFIX NetFlow Prime NBAR2
Prime
Which statement describes a difference between RADIUS and TACACS+?
RADIUS encrypts only the password whereas TACACS+ encrypts all communication.
In which memory location is the routing table of a router maintained?
RAM
A user logs in to Windows with a regular user account and attempts to use an application that requires administrative privileges. What can the user do to successfully use the application?
Right-click the application and choose Run as Administrator
Match the commonly used ports on a Linux server with the corresponding service. (Not all options are used.)
SMTP: 25; DNS: 53; HTTPS: 443; SSH: 22; Telnet: 23
What is a benefit to an organization of using SOAR as part of the SIEM system?
SOAR automates incident investigation and responds to workflows based on playbooks.
What type of attack targets an SQL database using the input field of a user? XML injection buffer overflow Cross-site scripting SQL injection
SQL injection
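The defining feature of SQL injection is that user input is concatenated into the query text, so the input can end the intended string and rewrite the rest of the statement. The following is an added example, not part of the exam page: a vulnerable login check next to the parameterized fix, run against an in-memory SQLite database with constructed rows, so the injection can be tried safely. The table, users and the placeholder "password hash" strings are invented; a real application would verify a salted slow hash in application code rather than comparing it in SQL.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")])
    conn.commit()
    return conn


def build_vulnerable_sql(username: str, password_hash: str) -> str:
    """The bug: user input is spliced into the statement text."""
    return (f"SELECT id FROM users WHERE username = '{username}' "
            f"AND password_hash = '{password_hash}'")


def login_vulnerable(conn, username: str, password_hash: str) -> bool:
    return conn.execute(build_vulnerable_sql(username, password_hash)).fetchone() is not None


def login_safe(conn, username: str, password_hash: str) -> bool:
    """The fix: the statement is fixed text, and values travel separately as parameters.

    The driver never interprets the values as SQL, so a quote or comment marker in the
    username is just characters to compare against the column.
    """
    row = conn.execute("SELECT id FROM users WHERE username = ? AND password_hash = ?",
                       (username, password_hash)).fetchone()
    return row is not None


# A classic payload: close the string, then comment out the password check.
INJECTION = "alice' --"


def demo() -> dict:
    conn = setup_db()
    return {
        "vulnerable_sql": build_vulnerable_sql(INJECTION, "wrong"),
        "vulnerable_bypassed": login_vulnerable(conn, INJECTION, "wrong"),
        "safe_bypassed": login_safe(conn, INJECTION, "wrong"),
        "safe_legit": login_safe(conn, "alice", "hash-of-alice-pw"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Printing `vulnerable_sql` makes the problem visible: after `alice' --` everything following the comment marker, including the whole password clause, is no longer part of the query.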
What is used on WLANs to avoid packet collisions? (Options: SVIs; STP; CSMA/CA; VLANs)
CSMA/CA
Which type of network attack involves randomly opening many Telnet requests to a router and results in a valid network administrator not being able to access the device?
SYN flooding
Which tool included in the Security Onion provides a visual interface to NSM data? Curator Beats Squert OSSEC
Squert
Match the correct sequence of steps typically taken by a threat actor carrying out a domain shadowing attack. (Options: The website is compromised. HTTP 302 cushioning is used. Domain shadowing is used. An exploit kit landing page is created. Malware is spread through the payload.)
Step 1: The website is compromised. Step 2: HTTP 302 cushioning is used. Step 3: Domain shadowing is used. Step 4: An exploit kit landing page is created. Step 5: Malware is spread through the payload.
Match the Windows 10 boot sequence after the boot manager (bootmgr.exe) loads.
Step one: The Windows boot loader Winload.exe loads.
Step two: Ntoskrnl.exe and hal.dll are loaded.
Step three: Winload.exe reads the registry, chooses a hardware profile, and loads the device drivers.
Step four: Ntoskrnl.exe takes over the process.
Step five: Winlogon.exe is loaded and executes the logon process.
Which consideration is important when implementing syslog in a network? Enable the highest level of syslog available to ensure logging of all possible event messages. Synchronize clocks on all network devices with a protocol such as Network Time Protocol. Use SSH to access syslog information. Log all messages to the system buffer so that they can be displayed when accessing the router.
Synchronize clocks on all network devices with a protocol such as Network Time Protocol.
Match the characteristic to the protocol category. (Not all options are used.)
TCP: 3-way handshake; window size. UDP: connectionless; best for VoIP. Both UDP and TCP: port number; checksum.
Match the application protocols to the correct transport protocols.
TCP: FTP, HTTP, SMTP. UDP: TFTP, DHCP.
What is a characteristic of the WLAN passive discovery mode?
The AP periodically sends beacon frames containing the SSID.
What are two disadvantages of using an IDS? (Choose two.)
The IDS does not stop malicious traffic. The IDS requires other devices to respond to attacks.
What is indicated by a Snort signature ID that is below 3464? The SID was created by Sourcefire and distributed under a GPL agreement. This is a custom signature developed by the organization to address locally observed rules. The SID was created by the Snort community and is maintained in Community Rules. The SID was created by members of EmergingThreats.
The SID was created by Sourcefire and distributed under a GPL agreement.
A user calls to report that a PC cannot access the internet. The network technician asks the user to issue the command ping 127.0.0.1 in a command prompt window. The user reports that the result is four positive replies. What conclusion can be drawn based on this connectivity test? The IP address obtained from the DHCP server is correct. The PC can access the Internet. However, the web browser may not work. The PC can access the network. The problem exists beyond the local network. The TCP/IP implementation is functional.
The TCP/IP implementation is functional.
Why would a network administrator choose Linux as an operating system in the Security Operations Center (SOC)?
The administrator has more control over the operating system.
What is the first step in the CSMA/CA process when a wireless client is attempting to communicate on the wireless network?
The client listens for traffic on the channel.
Match the attack surface with attack exploits. Network Attack Surface Software Attack Surface Human Attack Surface
These attacks are delivered through exploitation of vulnerabilities in web, cloud, or host-based software applications: Software Attack Surface
These attacks include conventional wired and wireless network protocols, as well as other wireless protocols used by smartphones or IoT devices. The attacks target vulnerabilities at the transport layer: Network Attack Surface
These attacks include social engineering, malicious behaviour by trusted insiders, and user error: Human Attack Surface
What characterizes a threat actor? They all belong to organized crime. They are all highly-skilled individuals. They always try to cause some harm to an individual or organization. They always use advanced tools to launch attacks.
They always try to cause some harm to an individual or organization.
Which two statements describe the characteristics of symmetric algorithms? (Choose two.) They are commonly implemented in the SSL and SSH protocols. They use a pair of a public key and a private key. They are referred to as a pre-shared key or secret key. They are commonly used with VPN traffic. They provide confidentiality, integrity, and availability.
They are referred to as a pre-shared key or secret key. They are commonly used with VPN traffic.
What is a feature of distributed firewalls? They all use an open sharing standard platform. They use only TCP wrappers to configure rule-based access control and logging systems. They use only iptables to configure network rules. They combine the feature of host-based firewalls with centralized management.
They combine the feature of host-based firewalls with centralized management.
What is blacklisting? This is an application list that can dictate which user applications are not permitted to run on a computer. This is a user list to prevent blacklisted users from accessing a computer. This is a network process list to stop a listed process from running on a computer. This is a Heuristics-based list to prevent a process from running on a computer.
This is an application list that can dictate which user applications are not permitted to run on a computer.
Match the threat intelligence sharing standards with the description.
This is the specification for an application layer protocol that allows the communication of CTI over HTTPS. + TAXII This is a set of specifications for exchanging cyberthreat information between organizations. + STIX This is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations. +CybOX
Match the attack tools with the description. (Not all options are used.) Nmap Yersinia RainbowCrack
This is used for password cracking by either removing the original password, after bypassing the data encryption, or by outright discovery of the password. + RainbowCrack This is a packet crafting tool used to probe and test the robustness of a firewall by using specially crafted, forged packets. + Yersinia This is a wireless hacking tool used to detect security vulnerabilities in wireless networks. This is a network scanning tool used to probe network devices, servers, and hosts for open TCP or UDP ports. + Nmap
An SOC is searching for a professional to fill a job opening. The employee must have expert-level skills in networking, endpoint, threat intelligence, and malware reverse engineering in order to search for cyber threats hidden within the network. Which job within an SOC requires a professional with those skills?
Threat Hunter
The term cyber operations analyst refers to which group of personnel in a SOC?
Tier 1 personnel
Which personnel in a SOC is assigned the task of verifying whether an alert triggered by monitoring software represents a true security incident? SOC Manager Tier 3 personnel Tier 2 personnel Tier 1 personnel
Tier 1 personnel
Which personnel in a SOC are assigned the task of hunting for potential threats and implementing threat detection tools?
Tier 3 SME
Which KPI metric does SOAR use to measure the time required to stop the spread of malware in the network?
Time to Control
Which type of security threat would be responsible if a spreadsheet add-on disables the local software firewall?
Trojan horse
What technology was created to replace the BIOS program on modern personal computer motherboards?
UEFI
Which approach is intended to prevent exploits that target syslog? Use a Linux-based server. Use syslog-ng. Create an ACL that permits only TCP traffic to the syslog server. Use a VPN between a syslog client and the syslog server.
Use syslog-ng.
Which Cisco appliance can be used to filter network traffic contents to report and deny traffic based on the web server reputation? WSA AVC ASA ESA
WSA
What debugging security tool can be used by black hats to reverse engineer binary files when writing exploits? AIDE WinDbg Firesheep Skipfish
WinDbg
An IT technician wants to create a rule on two Windows 10 computers to prevent an installed application from accessing the public Internet. Which tool would the technician use to accomplish this task?
Windows Defender Firewall with Advanced Security
Which two tools have a GUI interface and can be used to view and analyze full packet captures? (Choose two.) nfdump Wireshark Cisco Prime Network Analysis Module tcpdump Splunk
Wireshark Cisco Prime Network Analysis Module
What are two drawbacks to using HIPS? (Choose two.) With HIPS, the network administrator must verify support for all the different operating systems used in the network. HIPS installations are vulnerable to fragmentation attacks or variable TTL attacks. If the network traffic stream is encrypted, HIPS is unable to access unencrypted forms of the traffic. HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network. With HIPS, the success or failure of an attack cannot be readily determined.
With HIPS, the network administrator must verify support for all the different operating systems used in the network. HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network.
Which ICMP message type should be stopped inbound? source quench echo-reply echo unreachable
echo
A PC user issues the netstat command without any options. What is displayed as the result of this command?
a list of all established active TCP connections
What is Tor? a rule created in order to match a signature of a known exploit a software platform and network of P2P hosts that function as Internet routers a way to share processors between network devices across the Internet a type of Instant Messaging (IM) software used on the darknet
a software platform and network of P2P hosts that function as Internet routers
Which term describes the ability of a web server to keep a log of the users who access the server, as well as the length of time they use it? authentication accounting assigning permissions authorization
accounting
What is the function of the distribution layer of the three-layer network design model?
aggregating access layer connections
Match the security service with the description.
allows administrators to manage network devices: -SNMP a series of commands that control whether a device forwards or drops packets: -ACL allows a switch to make duplicate copies of traffic that is sent to a traffic analyzer: -port mirroring provides statistics on packets flowing through a Cisco router or multilayer switch: -NetFlow
A company has just had a cybersecurity incident. The threat actor appeared to have a goal of network disruption and appeared to use a common security hack tool that overwhelmed a particular server with a large amount of traffic. This traffic rendered the server inoperable. How would a certified cybersecurity analyst classify this type of threat actor?
amateur
What are the three major components of a worm attack? (Choose three.)
an enabling vulnerability a propagation mechanism a payload
According to NIST, which step in the digital forensics process involves drawing conclusions from data? reporting collection examination analysis
analysis
Refer to the exhibit. If Host1 were to transfer a file to the server, what layers of the TCP/IP model would be used? only application, transport, network, data link, and physical layers only application and Internet layers only Internet and network access layers application, session, transport, network, data link, and physical layers application, transport, Internet, and network access layers only application, Internet, and network access layers
application, transport, Internet, and network access layers
A cybersecurity analyst believes an attacker is spoofing the MAC address of the default gateway to perform a man-in-the-middle attack. Which command should the analyst use to view the MAC address a host is using to reach the default gateway?
arp -a
In a defense-in-depth approach, which three options must be identified to effectively defend a network against attacks? (Choose three.) total number of devices that attach to the wired and wireless network assets that need protection vulnerabilities in the system location of attacker or attackers past security breaches threats to assets
assets that need protection vulnerabilities in the system threats to assets
What two shared sources of information are included within the MITRE ATT&CK framework? (Choose two.) collection of digital evidence from most volatile evidence to least volatile attacker tactics, techniques, and procedures details about the handling of evidence including times, places, and personnel involved eyewitness evidence from someone who directly observed criminal behavior mapping the steps in an attack to a matrix of generalized tactics
attacker tactics, techniques, and procedures mapping the steps in an attack to a matrix of generalized tactics
Which AAA component can be established using token cards?
authentication
When designing a prototype network for a new server farm, a network designer chooses to use redundant links to connect to the rest of the network. Which business goal will be addressed by this choice? availability manageability security scalability
availability
What Wi-Fi management frame is regularly broadcast by APs to announce their presence?
beacon
A user issues a ping 2001:db8:FACE:39::10 command and receives a response that includes a code of 2 . What does this code represent?
beyond scope of the source address
How does FireEye detect and prevent zero-day attacks? by establishing an authentication parameter prior to any data exchange by addressing all stages of an attack lifecycle with a signature-less engine utilizing stateful attack analysis by keeping a detailed analysis of all viruses and malware by only accepting encrypted data packets that validate against their configured hash values
by addressing all stages of an attack lifecycle with a signature-less engine utilizing stateful attack analysis
How does a security information and event management system (SIEM) in a SOC help the personnel fight against security threats?
by combining data from multiple technologies
What are two ways that ICMP can be a security threat to a company? (Choose two.) by the infiltration of web pages by corrupting network IP data packets by providing a conduit for DoS attacks by corrupting data between email servers and email recipients by collecting information about a network
by providing a conduit for DoS attacks by collecting information about a network
How does a web proxy device provide data loss prevention (DLP) for an enterprise? by functioning as a firewall by inspecting incoming traffic for potential exploits by scanning and logging outgoing traffic by checking the reputation of external web servers
by scanning and logging outgoing traffic
How can a DNS tunneling attack be mitigated?
by using a filter that inspects DNS traffic
A web server administrator is configuring access settings to require users to authenticate first before accessing certain web pages. Which requirement of information security is addressed through the configuration? availability integrity scalability confidentiality
confidentiality
Which objective of secure communications is achieved by encrypting data? confidentiality integrity availability authentication
confidentiality
For network systems, which management system addresses the inventory and control of hardware and software configurations? risk management vulnerability management asset management configuration management
configuration management
In which phase of the NIST incident response life cycle is evidence gathered that can assist subsequent investigations by authorities? postincident activities detection and analysis preparation containment, eradication, and recovery
containment, eradication, and recovery
Match the type of business policy to the description. company employee security
defines system requirements and objectives, rules, and requirements for users when they attach to or on the network + security protects the rights of workers and the company interests + company identifies salary, pay schedule, benefits, work schedule, vacations, etc. +employee
What is the first line of defense when an organization is using a defense-in-depth approach to network security? edge router firewall proxy server IPS
edge router
What addresses are mapped by ARP?
destination MAC address to a destination IPv4 address
For what purpose would a network administrator use the Nmap tool? identification of specific network anomalies detection and identification of open ports collection and analysis of security alerts and logs protection of the private IP addresses of internal hosts
detection and identification of open ports
Match the NIST Cybersecurity Framework core function with the description. (Not all options are used.) identify protect detect
develop and implement the appropriate activities to identify the occurrence of a cybersecurity event + detect develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services + protect develop and implement the appropriate activities to act on a detected cybersecurity event develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities + identify
What is an action that should be taken in the discovery step of the vulnerability management life cycle? documenting the security plan assigning business value to assets developing a network baseline determining a risk profile
developing a network baseline
In what order are the steps in the vulnerability management life cycle conducted? discover, assess, prioritize assets, report, remediate, verify discover, prioritize assets, assess, remediate, report, verify discover, prioritize assets, assess, remediate, verify, report discover, prioritize assets, assess, report, remediate, verify
discover, prioritize assets, assess, report, remediate, verify
What are two methods used by cybercriminals to mask DNS attacks? (Choose two.)
domain generation algorithms fast flux
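The two answers above (inspect DNS traffic with a filter; attackers hide behind DGA names and fast flux) describe detection logic that is easier to see running. The following is an added example, not code from the page or from Cisco: a small heuristic scanner over constructed DNS query log lines (client, name, query type). It flags tunnel-like names (long subdomain payloads in TXT/NULL queries or high-entropy labels), DGA-like second-level labels (long, high-entropy, few vowels) and clients that generate many unique subdomains under one domain. The log format, the thresholds and the "registered domain = last two labels" shortcut are assumptions made for the example; a production filter would use a public-suffix list and baselined thresholds.

```python
import math
from collections import defaultdict

# Constructed DNS query log (client IP, queried name, query type). Not from the page.
QUERY_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.5 stackoverflow.com A
10.0.0.7 dGhpcyBpcyBhIHRlc3Q.4a7f9c1e2b.exfil.example.net TXT
10.0.0.7 aGVsbG8gd29ybGQgZnJvbSB0aGUg.4a7f9c1e2c.exfil.example.net TXT
10.0.0.7 c2VjcmV0IGRhdGEgZ29lcyBoZXJl.4a7f9c1e2d.exfil.example.net TXT
10.0.0.9 xq7tz9kwpl3v.com A
"""

def entropy(s):
    """Shannon entropy in bits per character; base64/hex payloads score far above dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(name):
    labels = name.lower().rstrip('.').split('.')
    # Assumption for the example: the registered domain is the last two labels (no public-suffix list).
    registered = '.'.join(labels[-2:])
    subdomain = '.'.join(labels[:-2])
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return registered, subdomain, sld

def name_reasons(name, qtype):
    registered, sub, sld = split_name(name)
    reasons = []
    payload = sub.replace('.', '')
    # Tunnels carry data in the leftmost labels and favour record types with room for a reply.
    if qtype in ('TXT', 'NULL') and len(payload) >= 20:
        reasons.append('tunnel-like')
    elif len(payload) >= 30 and entropy(payload) >= 3.5:
        reasons.append('tunnel-like')
    # DGA names: long, random-looking second-level label with few vowels.
    vowels = sum(ch in 'aeiou' for ch in sld)
    if len(sld) >= 10 and entropy(sld) >= 3.3 and vowels / len(sld) < 0.25:
        reasons.append('dga-like')
    return registered, reasons

def scan(log_text, volume_threshold=3):
    findings = []
    subdomains_seen = defaultdict(set)   # (client, registered domain) -> distinct subdomains
    for line in log_text.splitlines():
        client, name, qtype = line.split()
        registered, reasons = name_reasons(name, qtype)
        _, sub, _ = split_name(name)
        if sub:
            subdomains_seen[(client, registered)].add(sub)
        if reasons:
            findings.append({'client': client, 'name': name, 'reasons': reasons})
    # A single client walking through many unique subdomains of one domain is the classic tunnel signature.
    for (client, registered), subs in subdomains_seen.items():
        if len(subs) >= volume_threshold:
            findings.append({'client': client, 'name': registered,
                             'reasons': ['high-subdomain-volume'], 'unique_subdomains': len(subs)})
    return findings

if __name__ == '__main__':
    for f in scan(QUERY_LOG):
        print(f)
```

Entropy alone is a weak DGA signal (long dictionary words such as "stackoverflow" score above 3.3 bits), which is why the example also requires a low vowel ratio; real detectors use n-gram or dictionary scores and a feed of known DGA families.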
Which technique is necessary to ensure a private transfer of data using a VPN? authorization scalability encryption virtualization
encryption
What are two characteristics of the RADIUS protocol? (Choose two.) encryption of the entire body of the packet encryption of the password only the use of UDP ports for authentication and accounting the separation of the authentication and authorization processes the use of TCP port 49
encryption of the password only the use of UDP ports for authentication and accounting
Match each device to a category.
end devices: PC, printer, smart device intermediary devices: firewall, router, switch
Which three technologies should be included in a SOC security information and event management system? (Choose three.) user authentication event collection, correlation, and analysis security monitoring intrusion prevention proxy service threat intelligence
event collection, correlation, and analysis security monitoring threat intelligence
Match the Windows host log to the messages contained in it. (Not all options are used.) setup logs system logs security logs application logs
events logged by various applications + application logs events related to the web server access and activity + events related to the operation of drivers, processes, and hardware + system logs information about the installation of software, including Windows updates + setup logs events related to logon attempts and operations related to file or object management and access + security logs
A threat actor has successfully breached the network firewall without being detected by the IDS system. What condition describes the lack of alert? false negative true negative true positive false positive
false negative
A network administrator is trying to download a valid file from an internal server. However, the process triggers an alert on a NMS tool. What condition describes this alert? false negative false positive true negative true positive
false positive
Which three IPv4 header fields have no equivalent in an IPv6 header? (Choose three.) protocol version flag TTL identification fragment offset
flag identification fragment offset
Match the destination network routing table entry type with a definition. DIRECTLY CONNECTED INTERFACE DYNAMIC ROUTE LOCAL ROUTE INTERFACE STATIC ROUTE
found only in routers running IOS 15+ or IPv6 routing + LOCAL ROUTE INTERFACE automatically added when an interface is configured and active + DIRECTLY CONNECTED INTERFACE added when a protocol such as OSPF or EIGRP discovers a route + DYNAMIC ROUTE manually configured by a network administrator + STATIC ROUTE
In a hierarchical CA topology, where can a subordinate CA obtain a certificate for itself? from the root CA or another subordinate CA at a higher level from the root CA or another subordinate CA at the same level from the root CA or from self-generation from the root CA only from the root CA or another subordinate CA anywhere in the tree
from the root CA or another subordinate CA at a higher level
What are the three core functions provided by the Security Onion? (Choose three.) full packet capture intrusion detection security device management threat containment alert analysis business continuity planning
full packet capture intrusion detection alert analysis
What are the three outcomes of the NIST Cybersecurity Framework identify core function? (Choose three.) information protection process and procedures governance mitigation risk assessment asset management recovery planning
governance risk assessment asset management
Which two types of hackers are typically classified as grey hat hackers? (Choose two.)
hacktivists vulnerability brokers
Match the Linux command to the function. (Not all options are used.)
displays the name of the current working directory: pwd runs a command as another user: sudo modifies file permissions: chmod shuts down the system: lists the processes that are currently running: ps
Match each IPv4 address to the appropriate address category. (Not all options are used.)
host address: 192.168.100.161/25 203.0.113.100/24 network address: 10.10.10.128/25 172.110.12.64/28 broadcast address: 192.168.1.191/26 10.0.0.159/27
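The categories above are decided by the host bits: all zeros is the network address, all ones is the directed broadcast, anything else is a host. As an added example (not from the page), the function below classifies the six addresses from the exercise with the standard-library ipaddress module and also reports the subnet facts an analyst usually wants next to them. The /31 and /32 entries are extra cases added here to show the edge where the rule stops applying.

```python
import ipaddress

# The six addresses from the exercise above plus two edge cases (/31 and /32) added for the example.
SAMPLE = ['192.168.100.161/25', '203.0.113.100/24', '10.10.10.128/25',
          '172.110.12.64/28', '192.168.1.191/26', '10.0.0.159/27',
          '10.1.1.0/31', '10.1.1.7/32']

def classify(cidr):
    """Return 'network', 'broadcast' or 'host' for an IPv4 address written with its prefix length."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network              # host bits are masked off (strict=False semantics)
    if net.prefixlen >= 31:
        return 'host'                # /31 point-to-point links and /32 host routes reserve no addresses
    if iface.ip == net.network_address:
        return 'network'
    if iface.ip == net.broadcast_address:
        return 'broadcast'
    return 'host'

def describe(cidr):
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    classic = net.prefixlen <= 30    # subnets that lose two addresses to network and broadcast
    return {
        'address': str(iface.ip),
        'category': classify(cidr),
        'network': str(net.network_address),
        'netmask': str(net.netmask),
        'broadcast': str(net.broadcast_address) if classic else None,
        'first_host': str(net.network_address + 1) if classic else str(net.network_address),
        'last_host': str(net.broadcast_address - 1) if classic else str(net.broadcast_address),
        'usable_hosts': net.num_addresses - 2 if classic else net.num_addresses,
    }

def categorize(cidrs):
    groups = {'host': [], 'network': [], 'broadcast': []}
    for cidr in cidrs:
        groups[classify(cidr)].append(cidr)
    return groups

if __name__ == '__main__':
    for cidr in SAMPLE:
        print(describe(cidr))
```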
Which two parts are components of an IPv4 address? (Choose two.)
host portion network portion
A user issues a ping 192.168.250.103 command and receives a response that includes a code of 1 . What does this code represent?
host unreachable
Match the security policy with the description. (Not all options are used.) identification and authentication policy acceptable use policy (AUP) remote access policy network maintenance policy
identifies network applications and uses that are acceptable to the organization + acceptable use policy (AUP) ensures that passwords meet minimum requirements and are changed regularly + specifies authorized persons that can have access to network resources and identity verification procedures + identification and authentication policy specifies network device operating systems and end user application update procedures + network maintenance policy identifies how remote users can access a network and what is accessible via remote connectivity + remote access policy
What three goals does a BYOD security policy accomplish? (Choose three.) identify all malware signatures and synchronize them across corporate databases identify which employees can bring their own devices identify safeguards to put in place if a device is compromised identify and prevent all heuristic virus signatures identify a list of websites that users are not permitted to access describe the rights to access and activities permitted to security personnel on the device
identify which employees can bring their own devices identify safeguards to put in place if a device is compromised describe the rights to access and activities permitted to security personnel on the device
Refer to the exhibit. From the perspective of users behind the NAT router, what type of NAT address is 209.165.201.1?
inside global
Match the SIEM function with the description. normalization correlation aggregation
links logs and events from disparate systems or applications, speeding detection of and reaction to security threats + correlation satisfies the requirements of various compliance regulations + reduces the volume of event data by consolidating duplicate event records + aggregation maps log messages from different systems into a common data model + normalization
Which Linux command is used to manage processes? kill ls chrootkit grep
kill
When a security audit is performed at a company, the auditor reports that new users have access to network resources beyond their normal job roles. Additionally, users who move to different positions retain their prior permissions. What kind of violation is occurring? least privilege network policy password audit
least privilege
When a server profile for an organization is being established, which element describes the TCP and UDP daemons and ports that are allowed to be open on the server? critical asset address space service accounts software environment listening ports
listening ports
A Cisco router is running IOS 15. What are the two routing table entry types that will be added when a network administrator brings an interface up and assigns an IP address to the interface? (Choose two.)
local route interface directly connected interface
How does an application program interact with the operating system? sending files accessing BIOS or UEFI making API calls using processes
making API calls
Match the alert classification with the description. false positive false negative true positive true negative
malicious traffic is correctly identified as a threat + true positive normal traffic is incorrectly identified as a threat + false positive malicious traffic is not identified as a threat + false negative normal traffic is not identified as a threat + true negative
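The four classifications above (and the two scenario questions earlier: the undetected firewall breach is a false negative, the valid download that raised an alert is a false positive) are what an analyst tallies when tuning an IDS. The following is an added example, not code from the page: it parses constructed Snort fast-format alert lines, compares the alerting source addresses against a constructed ground-truth list from an incident review, and produces the confusion matrix with precision and recall. The alert lines, the ground truth and the match-by-source-IP rule are assumptions for the example; SID 2100498 is reused from the alert discussed elsewhere on this page, the rest of the text is made up.

```python
import re
from collections import Counter

# Constructed Snort "fast" alert lines, not real output.
ALERTS = """\
01/12-10:15:02.123456  [**] [1:2100498:9] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 203.0.113.5:44321 -> 10.0.0.8:80
01/12-10:16:40.000001  [**] [1:469:4] ICMP PING NMAP [**] [Priority: 2] {ICMP} 198.51.100.7 -> 10.0.0.8
01/12-10:17:12.000001  [**] [1:1000001:1] LOCAL suspicious file download [**] [Priority: 3] {TCP} 10.0.0.20:51000 -> 10.0.0.9:445
"""

# Constructed ground truth from the incident review: source IP -> was the activity actually malicious?
GROUND_TRUTH = {
    '203.0.113.5': True,    # real attack, alerted                   -> true positive
    '198.51.100.7': True,   # real scan, alerted                     -> true positive
    '10.0.0.20': False,     # admin fetching a valid file, alerted   -> false positive
    '192.0.2.99': True,     # breached the firewall with no alert    -> false negative
    '10.0.0.21': False,     # normal traffic, no alert               -> true negative
}

ALERT_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*'
    r'\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?')

def parse_alerts(text):
    """Extract gid:sid:rev, message, protocol and endpoints from each fast-alert line."""
    return [m.groupdict() for m in (ALERT_RE.search(line) for line in text.splitlines()) if m]

def classify(alerted, malicious):
    if alerted and malicious:
        return 'true positive'
    if alerted and not malicious:
        return 'false positive'
    if not alerted and malicious:
        return 'false negative'
    return 'true negative'

def evaluate(alert_text, truth):
    alerted_sources = {a['src'] for a in parse_alerts(alert_text)}
    counts = Counter(classify(src in alerted_sources, malicious) for src, malicious in truth.items())
    tp, fp, fn = counts['true positive'], counts['false positive'], counts['false negative']
    precision = tp / (tp + fp) if tp + fp else 0.0   # how much of what fired was real
    recall = tp / (tp + fn) if tp + fn else 0.0      # how much of what was real fired
    return {'counts': dict(counts), 'precision': round(precision, 3), 'recall': round(recall, 3)}

if __name__ == '__main__':
    print(evaluate(ALERTS, GROUND_TRUTH))
```

Precision drops with every false positive the Tier 1 analyst has to verify; recall drops with every false negative the IDS missed, which is the more dangerous direction and the one the breach question above describes.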
Which type of attack does the use of HMACs protect against? brute force DDoS DoS man-in-the-middle
man-in-the-middle
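Why an HMAC defeats the interception attack described in the next question, as an added example that is not part of the page: a keyed tag over the message can only be recomputed by a party holding the shared key, so an intermediary who alters the message cannot produce a matching tag, whereas a plain hash travelling with the message can simply be recalculated by the attacker. The key and messages are constructed for the example; in practice the key comes from provisioning or a key exchange, never from source code.

```python
import hashlib
import hmac

# Constructed demo key; not a value to reuse anywhere.
SHARED_KEY = b'constructed-demo-key-do-not-reuse'

def tag(key, message):
    """HMAC-SHA256 over the message using the shared secret."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(key, message, received_tag):
    # compare_digest runs in constant time; a plain == would leak how many leading bytes matched.
    return hmac.compare_digest(tag(key, message), received_tag)

def plain_hash_verify(message, received_digest):
    """Unkeyed integrity check: anyone on the path can recompute the digest for a modified message."""
    return hashlib.sha256(message).digest() == received_digest

def demo():
    message = b'transfer 100 to account 42'
    message_tag = tag(SHARED_KEY, message)
    tampered = b'transfer 100 to account 99'          # what the man in the middle forwards instead
    attacker_key = b'attacker does not know the key'
    return {
        # receiver recomputes the HMAC with the shared key
        'hmac_accepts_original': verify(SHARED_KEY, message, message_tag),
        'hmac_accepts_tampered': verify(SHARED_KEY, tampered, message_tag),
        'hmac_accepts_attacker_retag': verify(SHARED_KEY, tampered, tag(attacker_key, tampered)),
        # same tampering against an unkeyed hash: the attacker just recomputes the digest
        'plain_hash_accepts_tampered': plain_hash_verify(tampered, hashlib.sha256(tampered).digest()),
    }

if __name__ == '__main__':
    for check, outcome in demo().items():
        print(f'{check}: {outcome}')
```

An HMAC gives integrity and origin authentication between the two key holders; it does not by itself stop replay of an unmodified message, so protocols add a nonce or sequence number under the tag.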
Which attack involves threat actors positioning themselves between a source and destination with the intent of transparently monitoring, capturing, and controlling the communication?
man-in-the-middle attack
According to NIST standards, which incident response stakeholder is responsible for coordinating an incident response with other stakeholders to minimize the damage of an incident? human resources legal department management IT support
management
Which type of transmission is used to transmit a single video stream such as a web-based video conference to a select number of users?
multicast
Which characteristic describes a wireless client operating in active mode?
must know the SSID to connect to an AP
Which two net commands are associated with network resource sharing? (Choose two.) net share net start net stop net use net accounts
net share net use
Match the intrusion event defined in the Diamond Model of intrusion to the description. victim adversary capability infrastructure
network path used to establish and maintain command and control + infrastructure a tool or technique used to attack the victim + capability the parties responsible for the intrusion + adversary the target of the attack + victim
Which field in the IPv6 header points to optional network layer information that is carried in the IPv6 packet?
next header
Which host-based firewall uses a three-profile approach to configure the firewall functionality? nftables TCP Wrapper Windows Firewall iptables
Windows Firewall (domain, private, and public profiles)
A customer purchases an item from an e-commerce site. The e-commerce site must maintain proof that the data exchange took place between the site and the customer. Which feature of digital signatures is required? nonrepudiation of the transaction integrity of digitally signed data authenticity of digitally signed data confidentiality of the public key
nonrepudiation of the transaction
Which term is used to describe the process of converting log entries into a common format? classification systemization normalization standardization
normalization
Which two commands could be used to check if DNS name resolution is working properly on a Windows PC? (Choose two.)
nslookup cisco.com ping cisco.com
In NAT terms, what address type refers to the globally routable IPv4 address of a destination host on the Internet? outside local outside global inside global inside local
outside global
Which type of tool allows administrators to observe and understand every detail of a network transaction?
packet capture software
What are the three parts of all Layer 2 frames? (Choose three.)
payload frame check sequence header
Which information can be provided by the Cisco NetFlow utility? security and user account restrictions IDS and IPS capabilities peak usage times and traffic routing source and destination UDP port mapping
peak usage times and traffic routing
Which two types of attacks are examples of reconnaissance attacks? (Choose two.)
ping sweep port scan
When a wireless network in a small office is being set up, which type of IP addressing is typically used on the networked devices?
private
What is the goal of a white hat hacker?
protecting data
A user issues a ping 2001:db8:FACE:39::10 command and receives a response that includes a code of 2 . What does this code represent?
beyond scope of the source address (ICMPv6 Destination Unreachable code 2; code 2 means protocol unreachable only in ICMPv4)
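The ping questions above hinge on the ICMP type and code bytes, and on the fact that the same code number means different things in ICMPv4 and ICMPv6 (code 1 is host unreachable in ICMPv4; code 2 is protocol unreachable in ICMPv4 but beyond scope of source address in ICMPv6). As an added example, not code from the page, the block below builds an ICMPv4 Destination Unreachable message with a valid RFC 1071 checksum, then decodes type, code and checksum validity for either IP version. The ICMPv6 checksum is not verified because it covers an IPv6 pseudo-header that is not available from the ICMPv6 bytes alone; the code tables cover only the values commonly seen in ping output.

```python
import struct

ICMPV4_TYPES = {0: 'echo reply', 3: 'destination unreachable', 8: 'echo request', 11: 'time exceeded'}
ICMPV4_UNREACH_CODES = {0: 'net unreachable', 1: 'host unreachable', 2: 'protocol unreachable',
                        3: 'port unreachable', 4: 'fragmentation needed and DF set',
                        13: 'communication administratively prohibited'}
ICMPV6_TYPES = {1: 'destination unreachable', 3: 'time exceeded', 128: 'echo request', 129: 'echo reply'}
ICMPV6_UNREACH_CODES = {0: 'no route to destination', 1: 'communication administratively prohibited',
                        2: 'beyond scope of source address', 3: 'address unreachable', 4: 'port unreachable'}

def internet_checksum(data):
    """RFC 1071 ones'-complement sum of 16-bit words; over a packet with its checksum in place it yields 0."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmpv4_unreachable(code, original_datagram):
    """Type 3 message: type, code, checksum, 4 unused bytes, then the offending IP header + 8 payload bytes."""
    body = struct.pack('!BBHI', 3, code, 0, 0) + original_datagram[:28]
    return body[:2] + struct.pack('!H', internet_checksum(body)) + body[4:]

def decode_icmp(version, packet):
    if len(packet) < 4:
        raise ValueError('truncated ICMP header')
    icmp_type, code = packet[0], packet[1]
    result = {'type': icmp_type, 'code': code, 'meaning': None}
    if version == 4:
        result['type_name'] = ICMPV4_TYPES.get(icmp_type, 'other')
        result['checksum_ok'] = internet_checksum(packet) == 0
        if icmp_type == 3:
            result['meaning'] = ICMPV4_UNREACH_CODES.get(code, 'unassigned')
    else:
        result['type_name'] = ICMPV6_TYPES.get(icmp_type, 'other')
        result['checksum_ok'] = None   # needs the IPv6 pseudo-header (src, dst, length, next header)
        if icmp_type == 1:
            result['meaning'] = ICMPV6_UNREACH_CODES.get(code, 'unassigned')
    return result

if __name__ == '__main__':
    # Constructed 28-byte IPv4 header + 8 bytes of payload standing in for the datagram that failed.
    original = bytes.fromhex('45000054000040004001') + b'\x00' * 18
    print(decode_icmp(4, build_icmpv4_unreachable(1, original)))
    print(decode_icmp(6, bytes([1, 2, 0, 0]) + b'\x00' * 4))
```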
What is a function of SNMP?
provides a message format for communication between network device managers and agents
Which Linux command can be used to display the name of the current working directory?
pwd
When a user turns on the PC on Wednesday, the PC displays a message indicating that all of the user files have been locked. In order to get the files unencrypted, the user is supposed to send an email and include a specific ID in the email title. The message also includes ways to buy and submit bitcoins as payment for the file decryption. After inspecting the message, the technician suspects a security breach occurred. What type of malware could be responsible?
ransomware
Consider the result of the ls -l command in the Linux output below. What are the file permissions assigned to the sales user for the analyst.txt file?
read, write, execute
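The exhibit for that question is not reproduced on this page, so the block below is an added example built on constructed ls -l lines (sizes and dates made up), not the original output and not Cisco's code. It parses the mode string into owner/group/other permission triplets and an octal mode (including setuid, setgid and sticky bits), then reports the effective permissions for a given user and group set. It also encodes the rule from the later question about root: root bypasses read and write checks, and gets execute on a regular file only if some execute bit is set.

```python
import re

# Constructed ls -l listing; not the page's exhibit.
LISTING = """\
-rwxrw-r--  1 sales staff   512 Jan 12 10:15 analyst.txt
-rwsr-xr-x  1 root  root  59976 Jan 12 10:15 passwd
drwxrwxrwt 12 root  root   4096 Jan 12 10:15 tmp
"""

LS_RE = re.compile(
    r'^(?P<ftype>[-dlcbps])(?P<mode>[rwxsStT-]{9})[.+]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)'
    r'\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$')   # the trailing '.' or '+' marks SELinux/ACL extras

def parse_ls_line(line):
    m = LS_RE.match(line)
    if not m:
        raise ValueError('unrecognised ls -l line: ' + line)
    mode, perms, special = m['mode'], {}, 0
    for idx, who in enumerate(('owner', 'group', 'other')):
        r, w, x = mode[idx * 3: idx * 3 + 3]
        if x in 'sS':                    # setuid (owner column) or setgid (group column)
            special |= 4 if who == 'owner' else 2
        if x in 'tT':                    # sticky bit, shown in the other column
            special |= 1
        perms[who] = ('r' if r == 'r' else '-') + ('w' if w == 'w' else '-') + ('x' if x in 'xst' else '-')
    octal = ''.join(str((p[0] == 'r') * 4 + (p[1] == 'w') * 2 + (p[2] == 'x'))
                    for p in (perms['owner'], perms['group'], perms['other']))
    return {'name': m['name'], 'type': m['ftype'], 'owner': m['owner'], 'group': m['group'],
            'perms': perms, 'octal': (str(special) if special else '') + octal}

def parse_listing(text):
    return [parse_ls_line(line) for line in text.splitlines() if line.strip()]

def effective_perms(entry, user, groups):
    """Permission triplet the kernel applies for this user (set of group names) on this entry."""
    if user == 'root':
        any_x = any(p[2] == 'x' for p in entry['perms'].values())
        return 'rw' + ('x' if any_x or entry['type'] == 'd' else '-')
    if user == entry['owner']:
        return entry['perms']['owner']   # owner class wins even if group/other would give more
    if entry['group'] in groups:
        return entry['perms']['group']
    return entry['perms']['other']

if __name__ == '__main__':
    for entry in parse_listing(LISTING):
        print(entry['name'], entry['octal'], effective_perms(entry, 'sales', {'sales'}))
```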
Which type of attack is carried out by threat actors against a network to determine which IP addresses, protocols, and ports are allowed by ACLs? phishing denial of service reconnaissance social engineering
reconnaissance
Match the SIEM function to the description. forensic analysis correlation aggregation reporting
reduces the volume of event data by consolidating duplicate event records + aggregation presents event data in real-time monitoring and long-time summaries + reporting speeds detection of and reaction to security threats by examining logs and events from different systems + correlation searches logs and events from sources throughout the organization for complete information analysis + forensic analysis
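The three SIEM functions matched above (normalization, aggregation, correlation), and the earlier question defining normalization as converting log entries into a common format, are shown working end to end in the following added example; it is not code from the page or from any SIEM product. Constructed Linux sshd auth lines and a flattened key=value rendering of Windows Security events 4624/4625 are normalized into one record shape, duplicates are aggregated into counts, and a correlation rule raises an alert when several failures from one source are followed by a success for the same user. The log formats, the assumed syslog year and the thresholds are assumptions for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed samples. The Windows lines are a flattened text rendering, not real EVTX/XML.
LINUX_AUTH = """\
Jan 12 10:15:01 web01 sshd[2201]: Failed password for admin from 203.0.113.5 port 40001 ssh2
Jan 12 10:15:03 web01 sshd[2203]: Failed password for admin from 203.0.113.5 port 40002 ssh2
Jan 12 10:15:05 web01 sshd[2205]: Failed password for admin from 203.0.113.5 port 40003 ssh2
Jan 12 10:15:09 web01 sshd[2207]: Accepted password for admin from 203.0.113.5 port 40004 ssh2
"""
WINDOWS_SECURITY = """\
2024-01-12T10:20:00 DC01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.20 Status=0xC000006D
2024-01-12T10:20:00 DC01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.20 Status=0xC000006D
"""
SYSLOG_YEAR = 2024   # assumption: classic syslog timestamps carry no year

LINUX_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
                      r'(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)')
WIN_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) '
                    r'IpAddress=(?P<src>[\d.]+)')

def normalize(line):
    """Map one raw line from either source into the common record model."""
    m = LINUX_RE.match(line)
    if m:
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=SYSLOG_YEAR)
        return {'ts': ts, 'host': m['host'], 'user': m['user'], 'src_ip': m['src'],
                'outcome': 'success' if m['result'] == 'Accepted' else 'failure', 'source': 'sshd'}
    m = WIN_RE.match(line)
    if m:
        return {'ts': datetime.fromisoformat(m['ts']), 'host': m['host'], 'user': m['user'],
                'src_ip': m['src'], 'outcome': 'success' if m['eid'] == '4624' else 'failure',
                'source': 'windows-security'}
    return None   # unknown format: a real pipeline would route this to a parse-failure queue

def normalize_all(*texts):
    events = [normalize(line) for text in texts for line in text.splitlines()]
    return sorted((e for e in events if e), key=lambda e: e['ts'])

def aggregate(events):
    """Collapse records that differ only in time into one record with a count."""
    counts = Counter((e['host'], e['user'], e['src_ip'], e['outcome']) for e in events)
    return [{'host': h, 'user': u, 'src_ip': s, 'outcome': o, 'count': c}
            for (h, u, s, o), c in counts.items()]

def correlate(events, min_failures=3, window=timedelta(minutes=2)):
    """Brute-force-then-success rule across whatever systems fed the normalized stream."""
    alerts, failures = [], {}
    for e in events:                       # events are time-ordered
        key = (e['src_ip'], e['user'])
        if e['outcome'] == 'failure':
            failures.setdefault(key, []).append(e['ts'])
            continue
        recent = [t for t in failures.get(key, []) if e['ts'] - t <= window]
        if len(recent) >= min_failures:
            alerts.append({'src_ip': e['src_ip'], 'user': e['user'], 'host': e['host'],
                           'failures': len(recent), 'success_at': e['ts']})
        failures[key] = []
    return alerts

if __name__ == '__main__':
    events = normalize_all(LINUX_AUTH, WINDOWS_SECURITY)
    print(aggregate(events))
    print(correlate(events))
```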
Match the Windows command to the description
renames a file: ren creates a new directory: mkdir changes the current directory: cd lists files in a directory: dir
What are two evasion methods used by hackers? (Choose two.)
resource exhaustion encryption
Which two operations are provided by TCP but not by UDP? (Choose two.)
retransmitting any unacknowledged data acknowledging received data
An administrator discovers a vulnerability in the network. On analysis of the vulnerability the administrator decides the cost of managing the risk outweighs the cost of the risk itself. The risk is accepted, and no action is taken. What risk management strategy has been adopted?
risk acceptance
In addressing an identified risk, which strategy aims to shift some of the risk to other parties? risk avoidance risk retention risk sharing risk reduction
risk sharing
In addressing a risk that has low potential impact and relatively high cost of mitigation or reduction, which strategy will accept the risk and its consequences? risk avoidance risk reduction risk retention risk sharing
risk retention
A user calls the help desk complaining that the password to access the wireless network has changed without warning. The user is allowed to change the password, but an hour later, the same thing occurs. What might be happening in this situation?
rogue access point
An employee connects wirelessly to the company network using a cell phone. The employee then configures the cell phone to act as a wireless access point that will allow new employees to connect to the company network. Which type of security threat best describes this situation?
rogue access point
Which user can override file permissions on a Linux computer?
root user
What are two evasion techniques that are used by hackers? (Choose two.) rootkit reconnaissance phishing pivot Trojan horse
rootkit pivot
Which ICMPv6 message type provides network addressing information to hosts that use SLAAC? neighbor solicitation neighbor advertisement router solicitation router advertisement
router advertisement
Which technique could be used by security personnel to analyze a suspicious file in a safe environment? sandboxing baselining whitelisting blacklisting
sandboxing
Which three technologies should be included in a SOC security information and event management system? (Choose three.)
security monitoring threat intelligence log management
Which PDU is processed when a host computer is de-encapsulating a message at the transport layer of the TCP/IP model?
segment
What best describes the security threat of spoofing? making data appear to come from a source that is not the actual source sending abnormally large amounts of data to a remote server to prevent user access to the server services intercepting traffic between two hosts or inserting false information into traffic between two hosts sending bulk email to individuals, lists, or domains with the intention to prevent users from accessing email
making data appear to come from a source that is not the actual source
Which Windows log contains information about installations of software, including Windows updates? system logs application logs setup logs security logs
setup logs
A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication? (Choose two.) single process for authentication and authorization hidden passwords during transmission encryption for only the data separate processes for authentication and authorization encryption for all communication
single process for authentication and authorization hidden passwords during transmission
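Both RADIUS questions above turn on the same point: only the User-Password attribute is hidden, and everything else in the Access-Request (including User-Name) crosses the wire in clear text. The following is an added example, not code from the page or from any RADIUS implementation: it applies the RFC 2865 section 5.2 password-hiding scheme (16-byte blocks XORed with MD5 of the shared secret and the previous block, seeded by the Request Authenticator), builds a minimal Access-Request, and parses the attributes back to show which fields an observer can read. The fixed Request Authenticator, secret and credentials are constructed for the example; a real client uses 16 random bytes per request.

```python
import hashlib

USER_NAME, USER_PASSWORD = 1, 2          # RADIUS attribute types
ACCESS_REQUEST = 1                       # RADIUS code

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ... over 16-byte blocks."""
    if len(password) > 128:
        raise ValueError('RADIUS passwords are limited to 128 octets')
    padded = password + b'\x00' * (-len(password) % 16) or b'\x00' * 16
    hidden, prev = b'', authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden

def reveal_password(hidden, secret, authenticator):
    """Inverse operation; anyone holding the shared secret (or who brute-forces it offline) can run this."""
    plain, prev = b'', authenticator
    for i in range(0, len(hidden), 16):
        plain += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return plain.rstrip(b'\x00')

def build_access_request(identifier, username, password, secret, authenticator):
    attrs = bytes([USER_NAME, 2 + len(username)]) + username            # sent in clear text
    hidden = hide_password(password, secret, authenticator)
    attrs += bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden            # the only hidden field
    length = 20 + len(attrs)
    return bytes([ACCESS_REQUEST, identifier]) + length.to_bytes(2, 'big') + authenticator + attrs

def parse_attributes(packet):
    """Walk the type/length/value attribute list that follows the 20-byte header."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError('malformed attribute')
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs

if __name__ == '__main__':
    authenticator = bytes(range(16))     # constructed; must be random in real use
    pkt = build_access_request(7, b'alice', b'Correct Horse', b's3cret', authenticator)
    attrs = parse_attributes(pkt)
    print('User-Name on the wire:', attrs[USER_NAME])
    print('User-Password on the wire:', attrs[USER_PASSWORD].hex())
    print('recovered with the secret:', reveal_password(attrs[USER_PASSWORD], b's3cret', authenticator))
```

The scheme is an MD5-based stream XOR keyed by a static shared secret, which is why RADIUS is normally carried inside IPsec or RADIUS over TLS (RadSec) rather than relying on this hiding alone.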
A group of users on the same network are all complaining about their computers running slowly. After investigating, the technician determines that these computers are part of a zombie network. Which type of malware is used to control these computers?
botnet
Which firewall feature is used to ensure that packets coming into a network are legitimate responses to requests initiated from internal hosts?
stateful packet inspection
What type of route is created when a network administrator manually configures a route that has an active exit interface?
static
What are two examples of personally identifiable information (PII)? (Choose two.)
street address credit card number
Which technology would be used to create the server logs generated by network devices and reviewed by an entry level network person who works the night shift at a data center? syslog NAT ACL VPN
syslog
Which Windows Event Viewer log includes events regarding the operation of drivers, processes, and hardware? application logs security logs setup logs system logs
system logs
Which three are major categories of elements in a security operations center? (Choose three.)
technologies; people; processes
A Linux system boots into the GUI by default, so which application can a network administrator use in order to access the CLI environment?
terminal emulator
What information is contained in the options section of a Snort rule?
- direction of traffic flow
- text describing the event
- action to be taken
- source and destination address
text describing the event
What message informs IPv6 enabled interfaces to use stateful DHCPv6 for obtaining an IPv6 address?
the ICMPv6 Router Advertisement
A user sends an HTTP request to a web server on a remote network. During encapsulation for this request, what information is added to the address field of a frame to indicate the destination?
the MAC address of the default gateway
Refer to the exhibit. A security analyst is reviewing an alert message generated by Snort. What does the number 2100498 in the message indicate?
- the id of the user that triggers the alert
- the message length in bits
- the Snort rule that is triggered
- the session number of the message
the Snort rule that is triggered
What information within a data packet does a router use to make forwarding decisions?
the destination IP address
What information is gathered by the CSIRT when determining the scope of a security incident?
- the networks, systems, and applications affected by an incident
- the amount of time and resources needed to handle an incident
- the strategies and procedures used for incident containment
- the processes used to preserve evidence
the networks, systems, and applications affected by an incident
What is defined in the SOP of a computer security incident response capability (CSIRC)?
- the details on how an incident is handled
- the procedures that are followed during an incident response
- the metrics for measuring incident response capabilities
- the roadmap for increasing incident response capabilities
the procedures that are followed during an incident response
Match the threat actors with the descriptions. (Not all options are used.)
- threat actors that publicly protest against organizations or governments by posting articles, videos, leaking sensitive information, and performing distributed denial of service (DDoS) attacks: hacktivists
- inexperienced threat actors running existing scripts, tools, and exploits to cause harm, but typically not for profit: script kiddies
- threat actors who steal government secrets, gather intelligence, and sabotage networks of foreign governments, terrorist groups, and corporations: state-sponsored
Which technology is used by Cisco Advanced Malware Protection (AMP) in defending and protecting against known and emerging threats?
- network admission control
- network profiling
- website filtering and blacklisting
- threat intelligence
threat intelligence
What is the primary purpose of the Forum of Incident Response and Security Teams (FIRST)?
- to enable a variety of computer security incident response teams to collaborate, cooperate, and coordinate information sharing, incident prevention, and rapid reaction strategies
- to provide a security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities
- to offer 24x7 cyberthreat warnings and advisories, vulnerability identification, and mitigation and incident response
- to provide vendor neutral education products and career services to industry professionals worldwide
to enable a variety of computer security incident response teams to collaborate, cooperate, and coordinate information sharing, incident prevention, and rapid reaction strategies
What is the primary purpose of the Malware Information Sharing Platform (MISP)?
- to publish all informational materials on known and newly discovered cyberthreats
- to enable automated sharing of IOCs between people and machines using STIX and other export formats
- to provide a set of standardized schemata for specifying and capturing events and properties of network operations
- to exchange all the response mechanisms to known threats
to enable automated sharing of IOCs between people and machines using STIX and other export formats
Why would a rootkit be used by a hacker?
to gain access to a device without being detected
What is the main purpose of cyberwarfare?
to gain advantage over adversaries
What are three goals of a port scan attack? (Choose three.)
- to discover system passwords
- to identify active services
- to disable used ports and services
- to identify operating systems
- to identify peripheral configurations
- to determine potential vulnerabilities
to identify active services; to identify operating systems; to determine potential vulnerabilities
What is the purpose of the network security accounting function?
- to determine which resources a user can access
- to provide challenge and response questions
- to keep track of the actions of a user
- to require users to prove who they are
to keep track of the actions of a user
What is the primary function of the Center for Internet Security (CIS)?
- to maintain a list of common vulnerabilities and exposures (CVE) used by security organizations
- to provide a security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities
- to offer 24x7 cyberthreat warnings and advisories, vulnerability identification, and mitigation and incident responses
- to provide vendor-neutral education products and career services to industry professionals worldwide
to offer 24x7 cyberthreat warnings and advisories, vulnerability identification, and mitigation and incident responses
What is the purpose of ICMP messages?
to provide feedback of IP packet transmissions
What is the purpose of using the net accounts command in Windows?
to review the settings of password and logon requirements for users
What are three functions provided by the syslog service? (Choose three.)
- to select the type of logging information that is captured
- to provide traffic analysis
- to gather logging information for monitoring and troubleshooting
- to provide statistics on packets that are flowing through a Cisco device
- to periodically poll agents for data
- to specify the destinations of captured messages
to select the type of logging information that is captured; to gather logging information for monitoring and troubleshooting; to specify the destinations of captured messages
What is the purpose of data normalization?
- to simplify searching for correlated events
- to reduce the amount of alert data
- to enhance the secure transmission of alert data
- to make the alert data transmission fast
to simplify searching for correlated events
What is the purpose of using digital signatures for code signing?
- to establish an encrypted connection to exchange confidential data with a vendor website
- to verify the integrity of executable files downloaded from a vendor website
- to authenticate the identity of the system with a vendor website
- to generate a virtual ID
to verify the integrity of executable files downloaded from a vendor website
A cybersecurity analyst has been called to a crime scene that contains several technology items including a computer. Which technique will be used so that the information found on the computer can be used in court?
- Tor
- rootkit
- unaltered disk image
- log collection
unaltered disk image
Match typical Linux log files to the function.
- used by RedHat and CentOS computers and tracks authentication-related events: /var/log/secure
- contains generic computer activity logs, and is used to store informational and noncritical system messages: /var/log/messages
- stores information related to hardware devices and their drivers: /var/log/dmesg
- used by Debian and Ubuntu computers and stores all authentication-related events: /var/log/auth.log
A cybersecurity analyst is performing a CVSS assessment on an attack where a web link was sent to several employees. Once clicked, an internal attack was launched. Which CVSS Base Metric Group Exploitability metric is used to document that the user had to click on the link in order for the attack to occur?
- scope
- integrity requirement
- availability requirement
- user interaction
user interaction
Match the common network technology or protocol with the description. (Not all options are used.) Options: NTP, Syslog, ICMP, DNS
- uses application protocols that are commonly responsible for bringing malware to a host
- uses a hierarchy of authoritative time sources to send time information between devices on the network: NTP
- used by attackers to exfiltrate data in traffic disguised as normal client queries: DNS
- uses UDP port 514 for logging event messages from network devices and endpoints: Syslog
- used by attackers to identify hosts on a network and the structure of the network: ICMP
Match the network security device type with the description.
- uses signatures to detect patterns in network traffic: IPS
- enforces an access control policy based on packet content: packet filter firewall
- filters traffic based on defined rules as well as connection context: stateful firewall
- filters traffic on Layer 7 information: application firewall
In network security assessments, which type of test employs software to scan internal networks and Internet-facing servers for various types of vulnerabilities?
- vulnerability assessment
- risk analysis
- strength of network security testing
- penetration testing
vulnerability assessment
What two components of traditional web security appliances are examples of functions integrated into a Cisco Web Security Appliance? (Choose two.)
web reporting; URL filtering
A user is executing a tracert to a remote device. At what point would a router, which is in the path to the destination device, stop forwarding the packet?
- when the value in the TTL field reaches zero
- when the router receives an ICMP Time Exceeded message
- when the RTT value reaches zero
- when the host responds with an ICMP Echo Reply message
- when the values of both the Echo Request and Echo Reply messages reach zero
when the value in the TTL field reaches zero
Lightweight access points forward data between which two devices on the network? (Choose two.)
wireless LAN controller; wireless client
Which component of the zero trust security model focuses on secure access when an API, a microservice, or a container is accessing a database within an application?
- workflow
- workforce
- workload
- workplace
workload
What type of cyberwarfare weapon was Stuxnet?
worm
Match the octal value to the file permission description in Linux. (Not all options are used.)
- write only: 010
- read and execute: 101
- read and write: 110
- execute only: 001
- write and execute
- no access: 000