What are two characteristics of an advanced persistent threat (APT) that differentiate it from prolific malware attacks such as the MyDoom worm? (Choose two.)
Options are :
- targeted attack against specific company, sector, or data
(Correct)
- consumes high system resources and network traffic
- compiles copies of itself on each machine to match architecture
- internal reconnaissance for lateral movement
(Correct)
- often destructive to infected machines and intended to cause havoc
Answer :
targeted attack against specific company, sector, or data
internal reconnaissance for lateral movement
Test : CCNA Cyber Ops - SECOPS # 210-255
What is the purpose of an exploit kit in a client-side attack?
Options are :
- hides an iframe in a legitimate webpage to redirect the user to an exploit server
- profiles the user's computer and delivers exploit code to the computer based on its OS, browser, and applications
(Correct)
- beacons to an attacker's command and control servers, allowing the attacker to issue commands to the user’s machine
- compromises a web-server to carry out DDoS attacks as part of a botnet
Answer :
profiles the user's computer and delivers exploit code to the computer based on its OS, browser, and applications
What is one of the main causes of successful buffer overflow attacks?
Options are :
- careless users violating acceptable use policy
- poorly written application code that does not validate input data size
(Correct)
- intentional installation of illegitimate software
- bad luck of the user who falls victim to such an attack
Answer :
poorly written application code that does not validate input data size
What common defense-in-depth method can help reduce the attack surface?
Options are :
- use 8-character passwords
- replace copper connections with fiber-based connections
- deploy IPS, firewalls, and AAA-based platforms and services
(Correct)
- use UDP protocols to preserve bandwidth and protocol overhead
- place systems on Internet-facing DMZ links to control traffic flows
Answer :
deploy IPS, firewalls, and AAA-based platforms and services
When are "point-in-time detection technologies" considered useless?
Options are :
- after the attacker has compromised the Internet-facing firewall appliance
- when a malicious file is not caught, or is self-morphing after entering the environment
(Correct)
- when the IPS appliance detects an anomaly.
- when forensics are performed on the malicious payload to ascertain its origin and attack behaviors
Answer :
when a malicious file is not caught, or is self-morphing after entering the environment
What is the primary difference between a host-based firewall and a traditional firewall?
Options are :
- The host-based firewall can block traffic based on application or file type.
- The traditional firewall can identify and protect against malicious HTTP exploits.
- There is no difference between the functional aspects of host-based and traditional firewalls.
- Host-based firewalls protect an individual machine while traditional firewalls control traffic arriving at and leaving networks.
(Correct)
Answer :
Host-based firewalls protect an individual machine while traditional firewalls control traffic arriving at and leaving networks.
What is one result of placing an IPS on the trusted (inside) segment of a firewall?
Options are :
- The IPS can provide raw data that can be correlated with other network security monitoring devices.
- The IPS generates more alerts.
- The IPS can detect new forms of attacks.
- The IPS catches attacks before they hit the firewall.
- The IPS alerts include real IP addresses rather than NATed addresses.
(Correct)
Answer :
The IPS alerts include real IP addresses rather than NATed addresses.
What does the syslog on a Cisco ASA firewall offer a security analyst?
Options are :
- time-stamped record of domain user log in history
- time-stamped record of transaction and alert history
(Correct)
- time-stamped record of file transfers from within the network
- time-stamped record of protocol violations
Answer :
time-stamped record of transaction and alert history
How can SOC analysts use the cyber kill chain?
Options are :
- to gain insight into an attacker’s tactics and techniques
(Correct)
- to delete detected malware
- to prevent all types of cyber attacks
- to require attackers to follow all phases of the cyber kill chain in sequence
- to implement additional security controls at the network level
Answer :
to gain insight into an attacker’s tactics and techniques
Which two tasks can be performed by analyzing the logs of a traditional stateful firewall? (Choose two.)
Options are :
- Confirm the timing of network connections differentiated by the TCP 5-tuple.
(Correct)
- Audit the applications used within a social networking web site.
(Correct)
- Determine the user IDs involved in an instant messaging exchange.
- Map internal private IP addresses to dynamically translated external public IP addresses.
- Identify the malware variant carried by an SMTP connection
Answer :
Confirm the timing of network connections differentiated by the TCP 5-tuple.
Audit the applications used within a social networking web site.
Which term represents a potential danger that could take advantage of a weakness in a system?
Options are :
- vulnerability
- risk
- threat
(Correct)
- exploit
Answer :
threat
An intrusion detection system begins receiving an abnormally high volume of scanning from numerous sources. Which evasion technique does this attempt indicate?
Options are :
- traffic fragmentation
- resource exhaustion
(Correct)
- timing attack
- tunneling
Answer :
resource exhaustion
Which term represents the chronological record of how evidence was collected, analyzed, preserved, and transferred?
Options are :
- chain of evidence
- evidence chronology
- chain of custody
(Correct)
- record of safekeeping
Answer :
chain of custody
In computer security, which information is the term PHI used to describe?
Options are :
- private host information
- protected health information
(Correct)
- personal health information
- protected host information
Answer :
protected health information
For which reason can HTTPS traffic make security monitoring difficult?
Options are :
- encryption
(Correct)
- large packet headers
- Signature detection takes longer
- SSL interception
Answer :
encryption
Which network device is used to separate broadcast domains?
Options are :
- router
(Correct)
- repeater
- switch
- bridge
Answer :
router
Which term describes the act of a user, without authority or permission, obtaining rights on a system beyond what were assigned?
Options are :
- authentication tunneling
- administrative abuse
- rights exploitation
- privilege escalation
(Correct)
Answer :
privilege escalation
Which term represents the practice of giving employees only those permissions necessary to perform their specific role within an organization?
Options are :
- integrity validation
- due diligence
- need to know
- least privilege
(Correct)
Answer :
least privilege
Based on which statement does the discretionary access control security model grant or restrict access?
Options are :
- discretion of the system administrator
- security policy defined by the owner of an object
(Correct)
- security policy defined by the system administrator
- role of a user within an organization
Answer :
security policy defined by the owner of an object
Which event occurs when a signature-based IDS encounters network traffic that triggers an alert?
Options are :
- connection event
- endpoint event
- NetFlow event
- intrusion event
(Correct)
Answer :
intrusion event
One of the objectives of information security is to protect the CIA of information and systems. What does CIA mean in this context?
Options are :
- Confidentiality, Integrity, and Availability
(Correct)
- Confidentiality, Identity, and Availability
- Confidentiality, Integrity, and Authorization
- Confidentiality, Identity, and Authorization
Answer :
Confidentiality, Integrity, and Availability
Which protocol is primarily supported by the third layer of the Open Systems Interconnection reference model?
Options are :
- HTTP/TLS
- IPv4/IPv6
(Correct)
- TCP/UDP
- ATM/MPLS
Answer :
IPv4/IPv6
Which information security property is supported by encryption?
Options are :
- sustainability
- integrity
- confidentiality
(Correct)
- availability
Answer :
confidentiality
Which two activities are examples of social engineering? (Choose two.)
Options are :
- receiving a call from the IT department asking you to verify your username/password to maintain the account
(Correct)
- receiving an invite to your department’s weekly WebEx meeting
- sending a verbal request to an administrator to change the password to the account of a user the administrator does know
- receiving an email from HR requesting that you visit the secure HR website and update your contract information
(Correct)
- receiving an unexpected email from an unknown person with an uncharacteristic attachment from someone in the same company
Answer :
receiving a call from the IT department asking you to verify your username/password to maintain the account
receiving an email from HR requesting that you visit the secure HR website and update your contract information
Cisco WSA can be deployed in which two modes? (Choose two.)
Options are :
- Standalone
- Explicit proxy
(Correct)
- Transparent proxy
(Correct)
- Combined proxy
Answer :
Explicit proxy
Transparent proxy
Network Address Translation (NAT) can be implemented in which three ways?
Options are :
- Static, dynamic, semi-dynamic
- NAT pool, dynamic, static
- Static, dynamic, overload
(Correct)
- NAT pool, overload, dynamic
Answer :
Static, dynamic, overload
Which of the following tools or methods can be used to validate the identity of other organizations based on their domain name when receiving and sending email?
Options are :
- PEM
- S/MIME
- DKIM
(Correct)
- MOSS
Answer :
DKIM
What is a shortcoming of signature-driven IDS systems?
Options are :
- They are only available in network mode and not in host mode.
- They cannot detect traffic anomalies.
- They cannot detect zero-day (or day-0) attacks.
(Correct)
- They cannot be implemented in promiscuous mode, only in inline mode.
Answer :
They cannot detect zero-day (or day-0) attacks.
Cisco offers cloud-based security products and services. Which of the following are Cisco cloud-based security platforms?
Options are :
- Cisco Talos
- Cisco Cloud Email Security
- Cisco AMP Threat Grid
- Cisco CloudLock
- All of these answers are correct.
(Correct)
Answer :
All of these answers are correct.
What are the three pillars of Information Security (InfoSec)?
Options are :
- Confidentiality, integrity, and availability
(Correct)
- Confidentiality, backup, and availability
- Secure access, integrity, and availability
- ACS, IPS, and ASA
Answer :
Confidentiality, integrity, and availability
What does CVE stand for?
Options are :
- Critical Vulnerability and Exposure
- Critical Vulnerabilities and Exploits
- Common Vulnerabilities and Exposures
(Correct)
- Common Vulnerabilities and Exploits
Answer :
Common Vulnerabilities and Exposures
What is the process of removing superfluous programs and/or services installed on an operating system (OS) known as?
Options are :
- Hardening
(Correct)
- Patching
- Exploit scanning
- Vulnerability management
Answer :
Hardening
An organization has mandated that all their remote sites and offices will not broadcast the corporate or guest SSID. Why might the organization be doing this and how can an attacker discover the SSIDs?
Options are :
- Disabling SSID broadcast helps circumvent SSID conflicts. The SSID can be discovered by attempting to connect to the network.
- Disabling SSID broadcast hides networks from unauthorized personnel. The SSID can still be discovered using a wireless sniffer.
(Correct)
- Disabling SSID broadcast saves power. The SSID can still be discovered by using a wireless sniffer.
- Disabling SSID broadcast prevents attackers from discovering the encrypted streams. The SSID can be discovered by decrypting packets.
Answer :
Disabling SSID broadcast hides networks from unauthorized personnel. The SSID can still be discovered using a wireless sniffer.
Cisco Next Generation Intrusion Prevention System (NGIPS) devices include global correlation capabilities that utilize real-world data from Cisco Talos. To leverage global correlation in blocking traffic, what should be configured on the NGIPS?
Options are :
- Reputation filtering
(Correct)
- Policy-based IPS
- Signature-based IPS
- Anomaly-based IPS
Answer :
Reputation filtering
An organization requires a cloud-based identity solution for validating the identity of internal and external stakeholders. What type of solution satisfies its requirements?
Options are :
- Identity as a Service
(Correct)
- Cloud-based SAML
- OAuth
- SSL
Answer :
Identity as a Service
At which OSI layer can Cisco ASA be configured as a transparent firewall?
Options are :
- Layer 1 (Physical layer)
- Layer 2 (Data Link layer)
(Correct)
- Layer 3 (Network layer)
- Layer 4 and higher layers
Answer :
Layer 2 (Data Link layer)
As a result of the latest risk assessment exercise, an organization that deals with financial transactions receives the recommendation to upgrade access security at the data center. The cost of upgrading security, however, outweighs the cost to benefit factor, and the organization’s stakeholders have decided not to go ahead with the recommendation. Which of the following options describes the decision taken by the stakeholders?
Options are :
- Transfer the risk
- Mitigate the risk
- Avoid the risk
- Accept the risk
(Correct)
Answer :
Accept the risk
Which two of the following options are benefits of using VLSM when subnetting a block of IP addresses? (Choose two.)
Options are :
- the ability to join Class B and Class C networks on the same broadcast domain
- more efficient use of IP addresses.
(Correct)
- Better-defined network hierarchical levels
(Correct)
- There are no benefits. Using VLSM wastes IP addresses, because all subnets must contain the same quantity of usable IP addresses.
Answer :
more efficient use of IP addresses.
Better-defined network hierarchical levels
Which two of the following statements are true regarding a network that uses subnetworks? (Choose two.)
Options are :
- It is more complex to apply network security policies.
- Smaller networks are easier to manage.
(Correct)
- Overall broadcast traffic is increased.
- Overall broadcast traffic is reduced.
(Correct)
Answer :
Smaller networks are easier to manage.
Overall broadcast traffic is reduced.
Which one of the following best describes how a switch processes the traffic, if the switch does not have the MAC address of an endpoint in the MAC address table, and it receives a frame that is destined for that device?
Options are :
- It will flood the frame out all ports, except the one that it arrived on within the VLAN.
(Correct)
- It will forward the frame back out the interface that it came in through.
- It will drop the frame, because it does not know where to forward it.
- It will be sent to all multicast listeners, hoping to find its destination host.
Answer :
It will flood the frame out all ports, except the one that it arrived on within the VLAN.
Which two of the following statements are true regarding hubs? (Choose two.)
Options are :
- All ports on the hub are in the same single collision domain.
(Correct)
- Hubs use the MAC address table to make their switching decisions.
- Hubs function at the data link layer.
- Hubs can run only in half-duplex mode.
(Correct)
Answer :
All ports on the hub are in the same single collision domain.
Hubs can run only in half-duplex mode.
What phase of the TCP communication process is attacked during a TCP SYN flood attack?
Options are :
- three-way handshake
(Correct)
- connection established
- connection closed
- connection reset
Answer :
three-way handshake
Which two are examples of UDP-based attacks? (Choose two.)
Options are :
- SYN flood
- SQL slammer
(Correct)
- UDP flooding
(Correct)
- MAC address flooding
Answer :
SQL slammer
UDP flooding
What best describes an attack vector?
Options are :
- the resolution of an attack
- a path, method, or route by which an attack was carried out
(Correct)
- the result of, or damage from, an attack
- the last stage of the attack continuum
Answer :
a path, method, or route by which an attack was carried out
Which one of the following options describes the concept of using a different key for encrypting and decrypting data?
Options are :
- symmetric encryption
- avalanche effect
- asymmetric encryption
(Correct)
- cipher text
Answer :
asymmetric encryption
Which one of the following methods of cryptanalysis should you use if you only have access to the cipher text messages (all of which have been encrypted using the same encryption algorithm), and want to perform statistical analysis to attempt to determine the potentially weak keys?
Options are :
- birthday attack
- chosen-plaintext attack
- ciphertext-only attack
(Correct)
- chosen-ciphertext attack
Answer :
ciphertext-only attack
Which one of the following options is the attack that can be used to find collisions in a cryptographic hash function?
Options are :
- birthday attack
(Correct)
- chosen-plaintext attack
- ciphertext-only attack
- chosen-ciphertext attack
Answer :
birthday attack
Which one of the following commands should you use on a Windows system to examine all the IP to MAC address mappings of the neighboring devices that are on the same network?
Options are :
- ifconfig
- ipconfig /all
- netstat
- arp -a
(Correct)
Answer :
arp -a
If a host on a network wants to ping another host on the same network, which three of the following options are required? (Choose three.)
Options are :
- ICMP echo request and echo reply
(Correct)
- source and destination IP addresses
(Correct)
- source and destination MAC addresses
(Correct)
- source and destination ports
- default gateway MAC address
- default gateway IP address
Answer :
ICMP echo request and echo reply
source and destination IP addresses
source and destination MAC addresses
Which three are considered personally identifiable information (PII) data? (Choose three.)
Options are :
- passport number
(Correct)
- driver’s license
(Correct)
- office address
- birthplace
(Correct)
- type and model of personal vehicle
Answer :
passport number
driver’s license
birthplace
Which option does not contain a security risk?
Options are :
- a service that is deployed in the cloud
- data that are backed up on a USB drive
- a new unconfigured router that is not connected to the network
(Correct)
- an old hard drive that is about to be scrapped
Answer :
a new unconfigured router that is not connected to the network