SEC 150 - Chapters 1 - 8


Which solution allows for one method to be used on the first two vty lines, and a different method to be used on the rest of the vty lines? (Choose two.) - Use the default method for all the vty lines. - Create two method lists and assign the first one to the first two lines and assign the second list to the remaining vty lines. - Create a default and custom method list. Assign the custom list to the first two vty lines. - This cannot be done. All the vty lines must use the same method.

- Create two method lists and assign the first one to the first two lines and assign the second list to the remaining vty lines. - Create a default and custom method list. Assign the custom list to the first two vty lines. Response Feedback: Using a single default list only would apply the same methods on all the vty lines. The combinations shown in the answer are two ways of implementing this policy.

What algorithms in a VPN provide the Confidentiality? (Choose all that apply.) MD5 3DES AES SHA-1

3DES AES

What is one reason that drives BYOD solutions? - Bandwidth requirements for mobile devices streaming video increase the need for better QoS. - Remote workers use mobile devices for personal reasons, and corporations want to motivate them to use them for work also. - Mobile devices do not usually have the apps necessary to perform business. - A number of consumer devices have personal and work uses without a clear distinction between the two.

A number of consumer devices have personal and work uses without a clear distinction between the two. Response Feedback: The mix of personal and business devices that need to connect to the corporate network drives BYOD solutions. Bandwidth or the applications on mobile devices are not related to BYOD. Motivating remote workers to use mobile devices for corporate reasons is false; users themselves want to use them at work as well.

Which of the following is NOT enabled through the use of the Cisco AnyConnect Client? 802.1X Posture checking AAA VPN

AAA

Which of the following are symmetrical encryption ciphers? (Choose all that apply.) AES RSA SHA1 3DES

AES 3DES

Which security term refers to a person, property, or data of value to a company? Risk Asset Threat prevention Mitigation technique

Asset

What is the third step of IKE Phase 1? Negotiate hashing Negotiate encryption Diffie-Hellman exchange Authenticate the peer

Authenticate the peer Response Feedback: The steps of IKE Phase 1 are to Negotiate Policy, Run DH, and then Authenticate the Peer.

On the router, what should be created and applied to a vty line to enforce a specific set of methods for identifying who a user is? Authentication method list Authorization method list TACACS+ server RADIUS server

Authentication method list

Which component is NOT placed directly in a crypto map? PFS Transform set ACL Authentication policy

Authentication policy

Which statement is true for ACS 5.x and later? - There must be at least one user in a user group. - User groups are nested in network device groups. - Authorization policies can be associated with user groups that are accessing specific network device groups. - User groups can be used instead of device groups for simplicity.

Authorization policies can be associated with user groups that are accessing specific network device groups.

Why is the public key in a typical public-private key pair referred to as public? Because it is shared publicly Because it is a well-known algorithm that is published Because the public already has it The last name of the creator was publica, which is Latin for public

Because it is shared publicly

In which area of the Cisco borderless network security architecture would we see security controls for malware and viruses? Borderless Internet Borderless data center Borderless end zone Policy management layer

Borderless end zone Response Feedback: The borderless end zone is where devices connect to the network. It is here that we are concerned with viruses, malware, and other malicious software.

Which of the following is NOT a motivation of malicious actors? Financial Disruption Geopolitical Bug bounty awards

Bug bounty awards

Which of the following is NOT considered a type of DDoS attack? Amplified Reflected Directed Cached

Cached

Which data classification label is usually NOT found in a government organization? Secret Sensitive but unclassified Unclassified Confidential Classified but not important

Classified but not important

You plan to encrypt traffic that is being sent from one department in your network to another. What primary goal of network security are you helping to accomplish? Confidentiality Integrity Availability Scalability

Confidentiality Response Feedback: Data confidentiality implies keeping data private. This privacy could entail physically or logically restricting access to sensitive data or encrypting traffic traversing a network.

Which three items are the primary network security objectives for a company? Confidentiality Revenue generation Integrity Availability

Confidentiality Integrity Availability

Which of the following uses programs or communications in unintended ways, often hiding the original payload of a packet? Man-in-the-middle Covert channel CAM table overflow Trust exploitation

Covert channel Response Feedback: A covert channel is used to hide the original content, or use a protocol for a non-traditional purpose, such as tunneling traffic that is not allowed inside of HTTP, which is allowed.

What is the method for specifying the IKEv1 Phase 2 encryption method? Crypto ACLs crypto isakmp policy RSA signatures Crypto IPSec Transform-Set

Crypto IPSec Transform-Set

Which component acts as an if-then statement, looking for packets that should be encrypted before they leave the interface? crypto access-list (access list used for cryptography) Crypto Map crypto ipsec transform-set crypto isakmp policy

Crypto Map

What device binds together the policies and transform sets associated with a specific peer? ISAKMP policy Crypto Map Crypto ACLs IKE Phase 1

Crypto Map Response Feedback: The crypto map is the mechanism that will bind together the policies and transform sets associated with a specific peer.

Which of the following might you find in a network that is based on a defense-in-depth security implementation? Current patches on servers All of the above. Access lists IPS Firewall

Current patches on servers Access lists IPS Firewall

Under typical corporate classification roles, who is responsible for ensuring that data is periodically backed up? Custodian Guardian User Owner

Custodian Response Feedback: The custodian typically keeps up-to-date backups of classified data.

What is the key exchange method used in IPsec? AES PSK RSA DH - Diffie-Hellman

DH - Diffie-Hellman Response Feedback: Diffie-Hellman is the key exchange used in IPsec during IKE Phase 1.

What method is used to allow two VPN peers to establish shared secret keys and to establish those keys over an untrusted network? DH - Diffie-Hellman RSA SHA AES

DH - Diffie-Hellman

Which of the following potentially could be negotiated during IKEv1 Phase 2? (Choose all that apply.) DH group Encryption Authentication method Hashing

DH group Encryption Authentication method Hashing

Which of the following is NOT a form of social engineering? Denial of service (DoS) Malvertising Phone scams Phishing

Denial of service (DoS)

Which is NOT a function of mobile device management (MDM)? Deploy software updates to BYOD devices Remotely wipe data from BYOD devices Enforce data encryption requirements on BYOD devices Enforce strong passwords on BYOD devices

Deploy software updates to BYOD devices

Which of the following are protocols that are most likely used for authentication? (Choose all that apply.) Diameter RADIUS ACS TACACS+

Diameter RADIUS TACACS+

Which of the following is an accurate statement about the Diffie-Hellman exchange? - Its primary purpose is to generate public and private key pairs that can be used with symmetrical algorithms such as DES. - This is only used as part of SSL VPNs. - During IKE Phase 1, it is performed over an unsecure network. - It is performed using symmetrical keys only.

During IKE Phase 1, it is performed over an unsecure network. Response Feedback: DH has the ability to establish secure shared secrets between two VPN peers, using an unsecure network to do it. It is the second step of IKE Phase 1.

Which is NOT an advantage of an On-Premise MDM solution? Ease of deployment and operation of the BYOD solution Ability to meet regulatory requirements Higher level of control over the BYOD solution Security of the overall BYOD solution

Ease of deployment and operation of the BYOD solution

Which is NOT an advantage of an On-Premise MDM solution? Security of the overall BYOD solution Ease of deployment and operation of the BYOD solution Higher level of control over the BYOD solution Ability to meet regulatory requirements

Ease of deployment and operation of the BYOD solution

What is the immediate cost savings when implementing SSL VPNs? Easy deployment. No licensing is required on the clients. SSL VPN licenses are significantly less expensive on the server than IPsec licenses. No licensing is required on the server.

Easy deployment.

Which of the following is likely to occur if a wireless access point is configured using weak or no encryption? Denial of service Eavesdropping Social engineering Phishing

Eavesdropping Response Feedback: Eavesdropping is the process of "listening in" to existing network traffic. Because of the nature of an access point making the network available without cables, anyone close to the radio signal would have an opportunity to eavesdrop on nonencrypted traffic.

Which of the following represents a physical control? Background checks Electronic lock Access lists Change control policy

Electronic lock

(True or False) The Cisco ASA cannot be configured with more than one IKEv1 or IKEv2 policy.

False

What is the primary motivation for most attacks against networks today? Political Financial Curiosity Theological

Financial

Which of the DH groups is the most prudent to use when security is of the utmost importance? Group 6 Group 5 Group 1 Group 2

Group 5

What is a hash function that uses an additional secret key that allows authentication of the other party as well as data integrity? ESP AES HMAC - Hash-based Message Authentication Code SHA

HMAC - Hash-based Message Authentication Code Response Feedback: Hashed Message Authentication Code (HMAC) uses the mechanism of hashing. Instead of using a hash that anyone can calculate, it includes a secret key of some type in its calculation. Only the other party who also knows the secret key can calculate the resulting hash and correctly verify it. When this mechanism is used, an attacker who is eavesdropping and intercepting packets cannot inject or remove data from those packets without being noticed, because without the key or keys used in the calculation he cannot recalculate the correct hash for the modified packet.

What are valid options to protect data in motion with or without a full VPN? HTTPS SSL All answers are correct. TLS IPsec

HTTPS SSL TLS IPsec

Which of the following are negotiated during IKE Phase 1? Hashing Authentication method DH group All answers are correct. Encryption

Hashing Authentication method DH group Encryption Response Feedback: The steps of IKE Phase 1 are to Negotiate Policy, Run DH, and then Authenticate the Peer.

Which of the following is leveraged in social engineering? Protocol violations Software vulnerabilities Application issues Human nature

Human nature

Which phase is used for private management traffic between the two VPN peers? IPsec IKE Phase 1 - Internet Key Exchange 1 IKE Phase 3 IKE Phase 2

IKE Phase 1 - Internet Key Exchange 1

Which of the following IKE versions are supported by the Cisco ASA? (Choose all that apply.) IKEv4 IKEv3 IKEv2 IKEv1

IKEv2 IKEv1

NetFlow provides which of the following? Network names of routers, end hosts, servers Troubleshooting messages about the network devices Information on the types of traffic traversing the network Detailed data about each packet on the network

Information on the types of traffic traversing the network

Which of the following is NOT a valid defense against social engineering? Infrastructure hardening Physical security Information classification Two-factor authentication

Infrastructure hardening

You have prevented an attacker from modifying the contents of financial information that was sent via the public Internet. What primary goal of network security have you met? Availability Integrity Confidentiality Nonrepudiation

Integrity Response Feedback: Data integrity ensures that data has not been modified in transit. Also, a data-integrity solution might perform origin authentication to verify whether traffic is originating from the source that should send the traffic.

Which of the following is a characteristic of a VPN and primarily is concerned that no packet is modified while in transit? Integrity Authentication Confidentiality Antireplay

Integrity Response Feedback: Data integrity is implemented through hashing and is one of the core components of a VPN.

Which of the following is true about an amplification attack? - It is not a reflected attack - It is a type of denial-of-service attack where the initial trigger packets are much smaller than the response packets that cause the attack. - It requires the attacker to have control of the hosts generating the attack traffic. - It cannot be deployed using DNS.

It is a type of denial-of-service attack where the initial trigger packets are much smaller than the response packets that cause the attack. Response Feedback: Amplification attacks, as the name suggests, are attacks where the attacker can produce a large impact with small effort: a small trigger packet causes a DoS through much larger responses. These attacks are reflected and usually use UDP (such as DNS), so the attacker does not need control of the hosts generating the attack traffic.

How is it possible that a packet with a private Layer 3 destination address is forwarded over the Internet? The Internet does not filter private addresses, only some public addresses, based on policy. It cannot be sent. It will always be dropped. It is encapsulated into another packet, and the Internet only sees the outside valid IP destination address. NAT is used to change the destination IP address before the packet is sent.

It is encapsulated into another packet, and the Internet only sees the outside valid IP destination address.

What is the role of ISE in BYOD?

It is the cornerstone of the authentication, authorization, and accounting (AAA) requirements for endpoint access, which are governed by the security policies put forth by the organization. ISE offers AAA for endpoint access. It does not provide WAN access or enhance security. OTP is provided by other servers/applications such as RSA SecurID.

Which of the following would cause a VPN tunnel using IPsec to never initialize or work correctly? Lack of traffic matching the crypto ACL. All of the above. Incorrect pre-shared keys or missing digital certificates Incorrect routing Incompatible IKEv1 Phase 2 transform sets

Lack of traffic matching the crypto ACL. Incorrect pre-shared keys or missing digital certificates Incorrect routing Incompatible IKEv1 Phase 2 transform sets

Which two approaches to security provide the most secure results on day one? Least privilege Role based Authentication Defense in depth

Least privilege Defense in depth

Which of the following is NOT a way for a client to check to see whether a certificate has been revoked? Look at the lifetime of the certificate itself CRL LDAP OCSP

Look at the lifetime of the certificate itself

Which technology is a primary method that IPsec uses to implement data integrity? RSA DH AES MD5

MD5

Which of the following could be part of both an IKEv1 Phase 1 and IKEv1 Phase 2 policy? (Choose all that apply.) RSA MD5 AES DH

MD5 AES DH

Which network management technique should be used to avoid mistaking a valid certificate as invalid? SNMP Syslog NTP Out-of-band (OOB)

NTP Response Feedback: If a device's local clock is significantly off, a peer that presents a valid certificate may not be considered valid, because the receiving host is wrong about the current time. Every certificate has a validity date.

Which of the following is NOT part of the IKE Phase 1 process? Running DH - 2nd Negotiating the transform set to use Authenticating the peer - 3rd Negotiation of the IKE Phase 1 protocols - 1st

Negotiating the transform set to use

Where does the ASA keep the copy of the Cisco AnyConnect Secure Mobility Client that may be deployed down to the client? On an HTTPS server only On an SFTP server only On flash On NVRAM

On flash

The purpose of the RSA SecurID server/application is to provide what? 802.1X enforcement VPN access One-time password (OTP) capabilities Authentication, authorization, accounting (AAA) functions

One-time password (OTP) capabilities

Which standard format is used to request a digital certificate from a CA? TLS/SSL/HTTPS PKCS#10 LDAP PKCS#7

PKCS#10

What are the two main methods for authenticating a peer as the last step of IKE Phase 1? (Choose all that apply.) TCP three-way handshake PSK (pre-shared key) DH Group 2 RSA signatures, using digital certificates to exchange public keys

PSK (pre-shared key) RSA signatures, using digital certificates to exchange public keys

Which tool provides the most granular information to help in the identification of malware? NetFlow Packet Capture Syslog Server logs

Packet Capture

How could you identify malware "in the network"? Access lists Cisco Zone-Based Firewall Antispoofing protections Packet Captures

Packet Captures Response Feedback: Access lists and anti-spoofing filter at the network layer. ZBF can filter at L3 or L7 of the OSI model. Packet captures of unencrypted traffic can identify malware by reassembling the flows.

What is the key component used to create a digital signature? AES Private key Public key Ink

Private key

What is the primary purpose of the Integrated Services Routers (ISRs) in the BYOD solution? Provide connectivity for the mobile phone environment back to the corporate campus Provide WAN and Internet access for users on the corporate campus Provide connectivity in the home office environment back to the corporate campus Enforce firewall-type filtering in the data center

Provide connectivity in the home office environment back to the corporate campus

Which is the most secure method for authentication of IKEv1 Phase 1? Symmetrical AES-256 DH group 5 RSA Signatures, using digital certificates to exchange public keys PSK

RSA Signatures, using digital certificates to exchange public keys

A remote user needs to access the corporate network from a hotel room from a laptop. What type of VPN is used for this? Site-to-site VPN Dial-up VPN PPP VPN Remote-access VPN

Remote-access VPN

Which devices or users would be clients of an ACS server? (Choose all that apply.) Administrators Routers VPN users Switches

Routers Switches

Which of the following is NOT used for identification of malware on the network? NetFlow Routing Information Base (RIB) Packet captures NetFlow

Routing Information Base (RIB)

Which method, when supported by both the client and the CA, is the simplest to use when implementing identity certificates on the client? PKCS#7 PKCS#10 LDAP SCEP - Simple Certificate Enrollment Protocol

SCEP - Simple Certificate Enrollment Protocol

What is a hashing algorithm that can be used with Hashed Message Authentication Code (HMAC)? (Choose two) Keys AES SHA1 - Secure Hash Algorithm 1 MD5

SHA1 - Secure Hash Algorithm 1 MD5

What is the key component used to verify a digital signature? One-time PAD Sender's public key Receiver's public key AES

Sender's public key

Which of the following could be found in a typical identity certificate? Select all that apply. Serial number Validity date Public key of the certificate owner CRL locations

Serial number Validity date Public key of the certificate owner CRL locations

Which VPN implementation uses an IPsec VPN gateway at each end? AnyConnect VPNs Remote-access VPNs Site-to-site VPNs MPLS L3 VPNs

Site-to-site VPNs Response Feedback: A VPN peer is referred to as a VPN gateway. There is a peer at each end of a VPN tunnel, as in the case of a site-to-site tunnel.

Why is a common CA important for two VPN devices that want to authenticate using digital certificates? - So that both peers can run the DH exchange with the common CA - So that both peers can negotiate authentication with the CA - So that both peers will be able to verify the signature of the CA - So that both peers can verify the hash on the other party's digital certificate

So that both peers will be able to verify the signature of the CA Response Feedback: Using a common, trusted CA allows each party to verify its peer's certificate by checking the common CA's signature that is on each certificate.

Which of the following is likely the single most serious threat to a well-configured and well-secured network? Phishing Eavesdropping Denial of service Social engineering

Social engineering Response Feedback: The user element is a weak link in the security because the users have the credentials to access the data, and if compromised, an attacker could use those same credentials to access the data.

Which type of an attack involves lying about the source address of a frame or packet? Man-in-the-middle attack Spoofing attack Denial-of-service attack Reconnaissance attack

Spoofing attack

Which elements of PKI would be found in a hierarchical PKI environment and not found in a monolithic CA environment? PKCS #10 Subordinate CA Hash on certificates Root certificates

Subordinate CA Response Feedback: A subordinate CA could be one of the devices found in a hierarchical PKI environment. It offloads work from the root CA.

What is true about symmetrical algorithms and symmetrical crypto access lists used on VPN peers?

Symmetrical algorithms use the same secret (key) to lock and unlock the data. Symmetrical ACLs between two VPN peers should symmetrically swap the source and destination portions of the ACL.

Which of the following allows for granular control related to authorization of specific Cisco IOS commands that are being attempted by an authenticated and authorized Cisco router administrator? Diameter TACACS+ RADIUS ISE

TACACS+

Which of the following allows for granular control related to authorization of specific Cisco IOS commands that are being attempted by an authenticated and authorized Cisco router administrator? TACACS+ Diameter RADIUS ISE

TACACS+

You want to use AAA to authenticate administrators before they are given access to the routers. Which of the following would NOT be used to verify the credentials? Cisco ACS server Running config RADIUS server TFTP server

TFTP server Response Feedback: The local database (running config), a RADIUS server, or an ACS server that runs TACACS+/RADIUS could all be used to authenticate a user such as the administrator.

What prevents an eavesdropper from interpreting the cipher text being sent between two VPN peers? The hash The cipher The authentication method The key

The key Response Feedback: The key is the element in cryptography that allows peers to use well-known algorithms like AES and still keep the resulting data encrypted from the rest of the world who are not participating in the VPN tunnel and who do not have access to the key.

Which of the following is NOT a business driver for a BYOD solution? Need for employees to work anywhere and anytime Increase in the type of devices needed and used by employees to connect to the corporate network Fluidity of today's work schedules The lack of IPv4 address space

The lack of IPv4 address space

Which encryption method will be used to protect the negotiation of the IPsec (IKEv1 Phase 2) tunnel? There is no encryption during this time; that is why DH is used. The one negotiated for the IKEv1 Phase 2 tunnel. The one negotiated in the transform set. The one negotiated in the ISAKMP policy.

The one negotiated in the ISAKMP policy.

What is used to verify a digital signature of the sender? The public key of the sender The pre-shared key The keys generated by the Diffie-Hellman exchange The HMAC

The public key of the sender Response Feedback: Digital signatures are signed using the sender's private key. The recipient will then use the sender's public key to verify the signature. Public keys are communicated using digital certificates.

You want to implement as many of the Cisco-defined security controls as possible in your organization. Which of the following is an example of a physical control? Properly screening potential employees The use of authorization systems The use of security appliances The use of power protection systems

The use of power protection systems Response Feedback: Physical controls help protect the environment of the data and prevent potential attackers from readily having physical access to the data. One example of a physical control is the use of power-protection systems.

You want to implement as many of the Cisco-defined security controls as possible in your organization. Which of the following is an example of a technical control? Routine security awareness programs Clearly defined security policies The use of security appliances Security monitoring equipment

The use of security appliances Response Feedback: Technical controls use a variety of hardware and software technologies to protect data. An example of a technical control is the use of security appliances.

What is the purpose of NAT exemption? To bypass NAT for traffic in the VPN tunnel To never bypass NAT in the local or remote peer To bypass NAT for all traffic not sent over the IPsec tunnel To bypass NAT in the remote peer

To bypass NAT for traffic in the VPN tunnel

What are the primary responsibilities for a Certificate Authority (CA)? (Choose all that apply.) Tracking identity certificates Maintaining clients' private keys Issuing identity certificates Verification of certificates

Tracking identity certificates Issuing identity certificates

Which type of data is NOT often attractive to malicious actors? Training schedules Credit and debit card data Personally identifiable information (PII) Intellectual property (IP)

Training schedules

In relation to production networks, which of the following are viable options when dealing with risk? (Choose all that apply.) Transfer it Mitigate it Ignore it Remove it

Transfer it Mitigate it Remove it

Why is UDP the "protocol of choice" for reflected DDoS attacks? There are more application choices when using UDP. TCP cannot be used in DDoS attacks. UDP requires a three-way handshake to establish a connection. UDP is much more easily spoofed.

UDP is much more easily spoofed.

Where in the ACS do you go to create a new group of administrators? Users and Groups > Identity Groups Identity Stores and Groups > Identity Groups Identity Stores > Identity Groups Users and Identity Stores > Identity Groups

Users and Identity Stores > Identity Groups

How is the negotiation of the IPsec (IKE Phase 2) tunnel done securely? Uses the IKE Phase 2 tunnel Uses the IPsec tunnel Uses RSA Uses the IKE Phase 1 tunnel

Uses the IKE Phase 1 tunnel

Which asset characteristic refers to risk that results from a threat and lack of a countermeasure? Threat prevention High availability Vulnerability Liability

Vulnerability

Which of the following should be used to specify that a local username of admin from the running configuration should be used for authentication on the vty lines? aaa authentication login default group radius aaa authentication login default local aaa authentication login default enable aaa authentication login default group tacacs+

aaa authentication login default local Response Feedback: The only method list defining the use of the local database is the default, which would apply to the vty in absence of any other custom method lists applied to those lines.

Which one of the following commands reveals the ACLs, transform sets, and peer information and indicates which interface is being used to connect to the remote IPsec VPN peer? show crypto map show crypto isakmp policy show crypto ipsec sa show crypto config

show crypto map

From the router, which method tests the most about the ACS configuration, without forcing you to log in again at the router? test aaa traceroute ping telnet

test aaa
