Certification : CCNA Cyber Ops - SECFND # 210-250

What are two characteristics of an advanced persistent threat (APT) that differentiate it from prolific malware attacks such as the MyDoom worm? (Choose two.)

Options are :

  • targeted attack against specific company, sector, or data (Correct)
  • consumes high system resources and network traffic
  • compiles copies of itself on each machine to match architecture
  • internal reconnaissance for lateral movement (Correct)
  • often destructive to infected machines and intended to cause havoc

Answer : targeted attack against specific company, sector, or data; internal reconnaissance for lateral movement

What is the purpose of an exploit kit in a client-side attack?

Options are :

  • hides an iframe in a legitimate webpage to redirect the user to an exploit server
  • profiles the user's computer and delivers exploit code to the computer based on its OS, browser, and applications (Correct)
  • beacons to an attacker's command and control servers, allowing the attacker to issue commands to the user’s machine
  • compromises a web-server to carry out DDoS attacks as part of a botnet

Answer : profiles the user's computer and delivers exploit code to the computer based on its OS, browser, and applications

What is one of the main causes of successful buffer overflow attacks?

Options are :

  • careless users violating acceptable use policy
  • poorly written application code that does not validate input data size (Correct)
  • intentional installation of illegitimate software
  • bad luck of the user who falls victim to such an attack

Answer : poorly written application code that does not validate input data size

What common defense-in-depth method can help reduce the attack surface?

Options are :

  • use 8-character passwords
  • replace copper connections with fiber-based connections
  • deploy IPS, firewalls, and AAA-based platforms and services (Correct)
  • use UDP protocols to preserve bandwidth and protocol overhead
  • place systems on Internet-facing DMZ links to control traffic flows

Answer : deploy IPS, firewalls, and AAA-based platforms and services

When are "point-in-time detection technologies" considered useless?

Options are :

  • after the attacker has compromised the Internet-facing firewall appliance
  • when a malicious file is not caught, or is self-morphing after entering the environment (Correct)
  • when the IPS appliance detects an anomaly
  • when forensics are performed on the malicious payload to ascertain its origin and attack behaviors

Answer : when a malicious file is not caught, or is self-morphing after entering the environment

What is the primary difference between a host-based firewall and a traditional firewall?

Options are :

  • The host-based firewall can block traffic based on application or file type.
  • The traditional firewall can identify and protect against malicious HTTP exploits.
  • There is no difference between the functional aspects of host-based and traditional firewalls.
  • Host-based firewalls protect an individual machine while traditional firewalls control traffic arriving at and leaving networks. (Correct)

Answer : Host-based firewalls protect an individual machine while traditional firewalls control traffic arriving at and leaving networks.

What is one result of placing an IPS on the trusted (inside) segment of a firewall?

Options are :

  • The IPS can provide raw data that can be correlated with other network security monitoring devices.
  • The IPS generates more alerts.
  • The IPS can detect new forms of attacks.
  • The IPS catches attacks before they hit the firewall.
  • The IPS alerts include real IP addresses rather than NATed addresses. (Correct)

Answer : The IPS alerts include real IP addresses rather than NATed addresses.

What does the syslog on a Cisco ASA firewall offer a security analyst?

Options are :

  • time-stamped record of domain user log in history
  • time-stamped record of transaction and alert history (Correct)
  • time-stamped record of file transfers from within the network
  • time-stamped record of protocol violations

Answer : time-stamped record of transaction and alert history

How can SOC analysts use the cyber kill chain?

Options are :

  • to gain insight into an attacker’s tactics and techniques (Correct)
  • to delete detected malware
  • to prevent all types of cyber attacks
  • to require attackers to follow all phases of the cyber kill chain in sequence
  • to implement additional security controls at the network level

Answer : to gain insight into an attacker’s tactics and techniques

Which two tasks can be performed by analyzing the logs of a traditional stateful firewall? (Choose two.)

Options are :

  • Confirm the timing of network connections differentiated by the TCP 5-tuple. (Correct)
  • Audit the applications used within a social networking web site. (Correct)
  • Determine the user IDs involved in an instant messaging exchange.
  • Map internal private IP addresses to dynamically translated external public IP addresses.
  • Identify the malware variant carried by an SMTP connection.

Answer : Confirm the timing of network connections differentiated by the TCP 5-tuple; Audit the applications used within a social networking web site.

Which term represents a potential danger that could take advantage of a weakness in a system?

Options are :

  • vulnerability
  • risk
  • threat (Correct)
  • exploit

Answer : threat

An intrusion detection system begins receiving an abnormally high volume of scanning from numerous sources. Which evasion technique does this attempt indicate?

Options are :

  • traffic fragmentation
  • resource exhaustion (Correct)
  • timing attack
  • tunneling

Answer : resource exhaustion

Which term represents the chronological record of how evidence was collected, analyzed, preserved, and transferred?

Options are :

  • chain of evidence
  • evidence chronology
  • chain of custody (Correct)
  • record of safekeeping

Answer : chain of custody

In computer security, which information is the term PHI used to describe?

Options are :

  • private host information
  • protected health information (Correct)
  • personal health information
  • protected host information

Answer : protected health information

For which reason can HTTPS traffic make security monitoring difficult?

Options are :

  • encryption (Correct)
  • large packet headers
  • Signature detection takes longer
  • SSL interception

Answer : encryption

Which network device is used to separate broadcast domains?

Options are :

  • router (Correct)
  • repeater
  • switch
  • bridge

Answer : router

Which term describes the act of a user, without authority or permission, obtaining rights on a system, beyond what were assigned?

Options are :

  • authentication tunneling
  • administrative abuse
  • rights exploitation
  • privilege escalation (Correct)

Answer : privilege escalation

Which term represents the practice of giving employees only those permissions necessary to perform their specific role within an organization?

Options are :

  • integrity validation
  • due diligence
  • need to know
  • least privilege (Correct)

Answer : least privilege

Based on which statement does the discretionary access control security model grant or restrict access?

Options are :

  • discretion of the system administrator
  • security policy defined by the owner of an object (Correct)
  • security policy defined by the system administrator
  • role of a user within an organization

Answer : security policy defined by the owner of an object

Which event occurs when a signature-based IDS encounters network traffic that triggers an alert?

Options are :

  • connection event
  • endpoint event
  • NetFlow event
  • intrusion event (Correct)

Answer : intrusion event

One of the objectives of information security is to protect the CIA of information and systems. What does CIA mean in this context?

Options are :

  • Confidentiality, Integrity, and Availability (Correct)
  • Confidentiality, Identity, and Availability
  • Confidentiality, Integrity, and Authorization
  • Confidentiality, Identity, and Authorization

Answer : Confidentiality, Integrity, and Availability

Which protocol is primarily supported by the third layer of the Open Systems Interconnection reference model?

Options are :

  • HTTP/TLS
  • IPv4/IPv6 (Correct)
  • TCP/UDP
  • ATM/MPLS

Answer : IPv4/IPv6

Which information security property is supported by encryption?

Options are :

  • sustainability
  • integrity
  • confidentiality (Correct)
  • availability

Answer : confidentiality

Which two activities are examples of social engineering? (Choose two.)

Options are :

  • receiving a call from the IT department asking you to verify your username/password to maintain the account (Correct)
  • receiving an invite to your department’s weekly WebEx meeting
  • sending a verbal request to an administrator to change the password to the account of a user the administrator does know
  • receiving an email from HR requesting that you visit the secure HR website and update your contract information (Correct)
  • receiving an unexpected email from an unknown person with an uncharacteristic attachment from someone in the same company

Answer : receiving a call from the IT department asking you to verify your username/password to maintain the account; receiving an email from HR requesting that you visit the secure HR website and update your contract information

Cisco WSA can be deployed in which two modes? (Choose two.)

Options are :

  • Standalone
  • Explicit proxy (Correct)
  • Transparent proxy (Correct)
  • Combined proxy

Answer : Explicit proxy; Transparent proxy

Network Address Translation (NAT) can be implemented in which three ways?

Options are :

  • Static, dynamic, semi-dynamic
  • NAT pool, dynamic, static
  • Static, dynamic, overload (Correct)
  • NAT pool, overload, dynamic

Answer : Static, dynamic, overload

Which of the following tools or methods can be used to validate the identity of other organizations based on their domain name when receiving and sending email?

Options are :

  • PEM
  • S/MIME
  • DKIM (Correct)
  • MOSS

Answer : DKIM

What is a shortcoming of signature-driven IDS systems?

Options are :

  • They are only available in network mode and not in host mode.
  • They cannot detect traffic anomalies.
  • They cannot detect zero-day (or day-0) attacks. (Correct)
  • They cannot be implemented in promiscuous mode, only in inline mode.

Answer : They cannot detect zero-day (or day-0) attacks.

Cisco offers cloud-based security products and services. Which of the following are Cisco cloud-based security platforms?

Options are :

  • Cisco Talos
  • Cisco Cloud Email Security
  • Cisco AMP Threat Grid
  • Cisco CloudLock
  • All of these answers are correct. (Correct)

Answer : All of these answers are correct.

What are the three pillars of Information Security (InfoSec)?

Options are :

  • Confidentiality, integrity, and availability (Correct)
  • Confidentiality, backup, and availability
  • Secure access, integrity, and availability
  • ACS, IPS, and ASA

Answer : Confidentiality, integrity, and availability

What does CVE stand for?

Options are :

  • Critical Vulnerability and Exposure
  • Critical Vulnerabilities and Exploits
  • Common Vulnerabilities and Exposures (Correct)
  • Common Vulnerabilities and Exploits

Answer : Common Vulnerabilities and Exposures

What is the process of removing superfluous programs and/or services installed on an operating system (OS) known as?

Options are :

  • Hardening (Correct)
  • Patching
  • Exploit scanning
  • Vulnerability management

Answer : Hardening

An organization has mandated that all their remote sites and offices will not broadcast the corporate or guest SSID. Why might the organization be doing this and how can an attacker discover the SSIDs?

Options are :

  • Disabling SSID broadcast helps circumvent SSID conflicts. The SSID can be discovered by attempting to connect to the network.
  • Disabling SSID broadcast hides networks from unauthorized personnel. The SSID can still be discovered using a wireless sniffer. (Correct)
  • Disabling SSID broadcast saves power. The SSID can still be discovered by using a wireless sniffer.
  • Disabling SSID broadcast prevents attackers from discovering the encrypted streams. The SSID can be discovered by decrypting packets.

Answer : Disabling SSID broadcast hides networks from unauthorized personnel. The SSID can still be discovered using a wireless sniffer.

Cisco Next Generation Intrusion Prevention System (NGIPS) devices include global correlation capabilities that utilize real-world data from Cisco Talos. To leverage global correlation in blocking traffic, what should be configured on the NGIPS?

Options are :

  • Reputation filtering (Correct)
  • Policy-based IPS
  • Signature-based IPS
  • Anomaly-based IPS

Answer : Reputation filtering

An organization requires a cloud-based identity solution for validating the identity of internal and external stakeholders. What type of solution satisfies its requirements?

Options are :

  • Identity as a Service (Correct)
  • Cloud-based SAML
  • OAuth
  • SSL

Answer : Identity as a Service

At which OSI layer can Cisco ASA be configured as a transparent firewall?

Options are :

  • Layer 1 (Physical layer)
  • Layer 2 (Data Link layer) (Correct)
  • Layer 3 (Network layer)
  • Layer 4 and higher layers

Answer : Layer 2 (Data Link layer)

As a result of the latest risk assessment exercise, an organization that deals with financial transactions receives the recommendation to upgrade access security at the data center. The cost of upgrading security, however, outweighs the cost to benefit factor, and the organization’s stakeholders have decided not to go ahead with the recommendation. Which of the following options describes the decision taken by the stakeholders?

Options are :

  • Transfer the risk
  • Mitigate the risk
  • Avoid the risk
  • Accept the risk (Correct)

Answer : Accept the risk

Which two of the following options are benefits of using VLSM when subnetting a block of IP addresses? (Choose two.)

Options are :

  • the ability to join Class B and Class C networks on the same broadcast domain
  • more efficient use of IP addresses. (Correct)
  • Better-defined network hierarchical levels (Correct)
  • There are no benefits. Using VLSM wastes IP addresses, because all subnets must contain the same quantity of usable IP addresses.

Answer : more efficient use of IP addresses; Better-defined network hierarchical levels

Which two of the following statements are true regarding a network that uses sub networks? (Choose two.)

Options are :

  • It is more complex to apply network security policies.
  • Smaller networks are easier to manage. (Correct)
  • Overall broadcast traffic is increased.
  • Overall broadcast traffic is reduced. (Correct)

Answer : Smaller networks are easier to manage; Overall broadcast traffic is reduced.

Which one of the following best describes how a switch processes the traffic, if the switch does not have the MAC address of an endpoint in the MAC address table, and it receives a frame that is destined for that device?

Options are :

  • It will flood the frame out all ports, except the one that it arrived on within the VLAN. (Correct)
  • It will forward the frame back out the interface that it came in through.
  • It will drop the frame, because it does not know where to forward it.
  • It will be sent to all multicast listeners, hoping to find its destination host.

Answer : It will flood the frame out all ports, except the one that it arrived on within the VLAN.

Which two of the following statements are true regarding the hub? (Choose two.)

Options are :

  • All ports on the hub are in the same single collision domain. (Correct)
  • Hubs use the MAC address table to make their switching decisions.
  • Hubs function at the data link layer.
  • Hubs can run only in half-duplex mode. (Correct)

Answer : All ports on the hub are in the same single collision domain; Hubs can run only in half-duplex mode.

What phase of the TCP communication process is attacked during a TCP SYN flood attack?

Options are :

  • three-way handshake (Correct)
  • connection established
  • connection closed
  • connection reset

Answer : three-way handshake

Which two are examples of UDP-based attacks? (Choose two.)

Options are :

  • SYN flood
  • SQL slammer (Correct)
  • UDP flooding (Correct)
  • MAC address flooding

Answer : SQL slammer; UDP flooding

What best describes an attack vector?

Options are :

  • the resolution of an attack
  • a path, method, or route by which an attack was carried out (Correct)
  • the result of, or damage from, an attack
  • the last stage of the attack continuum

Answer : a path, method, or route by which an attack was carried out

Which one of the following options describes the concept of using a different key for encrypting and decrypting data?

Options are :

  • symmetric encryption
  • avalanche effect
  • asymmetric encryption (Correct)
  • cipher text

Answer : asymmetric encryption

Which one of the following methods of cryptanalysis should you use if you only have access to the cipher text messages (all of which have been encrypted using the same encryption algorithm), and want to perform statistical analysis to attempt to determine the potentially weak keys?

Options are :

  • birthday attack
  • chosen-plaintext attack
  • ciphertext-only attack (Correct)
  • chosen-ciphertext attack

Answer : ciphertext-only attack

Which one of the following options is the attack that can be used to find collisions in a cryptographic hash function?

Options are :

  • birthday attack (Correct)
  • chosen-plaintext attack
  • ciphertext-only attack
  • chosen-ciphertext attack

Answer : birthday attack

Which one of the following commands should you use on a Windows system to examine all the IP to MAC address mappings of the neighboring devices that are on the same network?

Options are :

  • ifconfig
  • ipconfig /all
  • netstat
  • arp -a (Correct)

Answer : arp -a

If a host on a network wants to ping another host on the same network, which three of the following options are required? (Choose three.)

Options are :

  • ICMP echo request and echo reply (Correct)
  • source and destination IP addresses (Correct)
  • source and destination MAC addresses (Correct)
  • source and destination ports
  • default gateway MAC address
  • default gateway IP address

Answer : ICMP echo request and echo reply; source and destination IP addresses; source and destination MAC addresses

Which three are considered personally identifiable information (PII) data? (Choose three.)

Options are :

  • passport number (Correct)
  • driver’s license (Correct)
  • office address
  • birthplace (Correct)
  • type and model of personal vehicle

Answer : passport number; driver’s license; birthplace

What option does not contain a security risk?

Options are :

  • a service that is deployed in the cloud
  • data that are backed up on a USB drive
  • a new unconfigured router that is not connected to the network (Correct)
  • an old hard drive that is about to be scrapped

Answer : a new unconfigured router that is not connected to the network
