Practice : CCNA Cyber Ops - SECFND # 210-250

What HTTP feature is a small piece of data that is sent from the web server and stored in the user's web browser while the user is browsing?

Options are :

  • HTTP status code
  • HTTP cookie (Correct)
  • HTTP request method
  • HTTP response code

Answer : HTTP cookie

Ultimately, what does the client web browser need to validate the signature on the web server’s identity certificate?

Options are :

  • the client public key
  • the client private key
  • the web server public key
  • the web server private key
  • the root CA public key (Correct)
  • the root CA private key

Answer : the root CA public key

What are two vulnerabilities that are present when using standard HTTP versus HTTPS? (Choose two.)

Options are :

  • Personal data is exchanged in clear text format. (Correct)
  • Passwords will not be understood by peer.
  • Devices will be overloaded with information data.
  • User passwords can be sniffed and captured by an attacker. (Correct)

Answer : Personal data is exchanged in clear text format. User passwords can be sniffed and captured by an attacker.

Which form of cryptography is used to protect passwords?

Options are :

  • asymmetric cryptography
  • two factor cryptography
  • hash cryptography (Correct)
  • elliptical curve Diffie-Hellman cryptography

Answer : hash cryptography

Which two statements are true regarding an attacker who is performing a “pass-the-hash” attack? (Choose two.)

Options are :

  • The attacker knows the actual password.
  • The attacker does not know the actual password. (Correct)
  • The attacker has control over the victim’s machine. (Correct)
  • The attacker performs a brute-force computation of the hash.

Answer : The attacker does not know the actual password. The attacker has control over the victim’s machine.

Which two of the following options are ways to launch the Windows Task Manager application? (Choose two.)

Options are :

  • In the Windows Start menu, type Go Task Manager.
  • Right-click the taskbar and choose the Start Task Manager option. (Correct)
  • Run the taskmgr command from the Windows command line. (Correct)
  • Launch the task manager hyperlink from the Internet Explorer browser.

Answer : Right-click the taskbar and choose the Start Task Manager option. Run the taskmgr command from the Windows command line.

Which two of the following statements are true about Windows virtual memory? (Choose two.)

Options are :

  • Virtual memory combines the RAM memory with the hard disk space to compensate for lack of RAM. (Correct)
  • Adding a larger disk drive to a system automatically increases its virtual memory allocation.
  • A virtual address does not represent the actual physical location of an object in memory. Instead, the system maintains a page table for each process, which is an internal data structure that is used to translate virtual addresses into their corresponding physical addresses. (Correct)
  • Adding more RAM to a system automatically increases the need for more virtual memory on the system.

Answer : Virtual memory combines the RAM memory with the hard disk space to compensate for lack of RAM. A virtual address does not represent the actual physical location of an object in memory. Instead, the system maintains a page table for each process, which is an internal data structure that is used to translate virtual addresses into their corresponding physical addresses.

Which Windows structure is used to map each process virtual address into the corresponding physical address?

Options are :

  • route table
  • memory table
  • page table (Correct)
  • cache table
  • CPU table

Answer : page table

A junior analyst is trying to use the tcpdump -i eth1 command on an Ubuntu system, but it is not working. What could be the problem?

Options are :

  • The tcpdump command requires root level privilege. (Correct)
  • The tcpdump command requires the Ethernet adapter to be in non-promiscuous mode.
  • The tcpdump command -i option used to specify the interface is an invalid option.
  • The tcpdump command used is missing some of the required options (such as -n and -v).

Answer : The tcpdump command requires root level privilege.

When a host name is being translated to an IP address, where will the operating system look first?

Options are :

  • /etc/hosts
  • /etc/hostname
  • /etc/resolv.conf
  • It depends on the configuration of /etc/nsswitch.conf. (Correct)

Answer : It depends on the configuration of /etc/nsswitch.conf.

Choose the most difficult stage of an endpoint attack.

Options are :

  • acquiring access to an endpoint inside the network (Correct)
  • propagating a botnet once you have access to the systems
  • acquiring a list of ports open on a targeted computer
  • delivering a phishing email to employees

Answer : acquiring access to an endpoint inside the network

What is the difference between spear phishing and whaling?

Options are :

  • There is no difference. Both are targeted phishing.
  • Spear phishing focuses on voice services and whaling is primarily sent through SMS messages.
  • Both are targeted phishing, but only whaling targets individuals in executive positions. (Correct)
  • Spear phishing involves email, and whaling involves DNS cache poisoning.

Answer : Both are targeted phishing, but only whaling targets individuals in executive positions.

What is the main purpose of an exploit kit for malicious actors?

Options are :

  • continuously changing the IP addresses for the command and control infrastructure
  • sending updates and new commands to all the endpoint bots in a DDoS botnet
  • scanning potential victim computers for vulnerable applications so that malware can be delivered (Correct)
  • encrypting malware to hinder the reverse engineering efforts of incident response teams

Answer : scanning potential victim computers for vulnerable applications so that malware can be delivered

What are three characteristics of RADIUS? (Choose three.)

Options are :

  • RADIUS uses the UDP protocol. (Correct)
  • RADIUS encrypts passwords. (Correct)
  • RADIUS performs authentication and accounting only.
  • RADIUS encrypts the entire body of the packet.
  • RADIUS uses one UDP port for authentication and one for accounting. (Correct)

Answer : RADIUS uses the UDP protocol. RADIUS encrypts passwords. RADIUS uses one UDP port for authentication and one for accounting.

Why is a transparent firewall considered a "bump in the wire" or "stealth firewall"?

Options are :

  • It is a bump on the wire because it filters packets at the OSI physical layer.
  • Using separate IP subnets for inside and outside interfaces, packets are inspected quietly.
  • A transparent firewall is considered a Layer 2 firewall and has no routing capabilities. (Correct)
  • Transparent firewalls work in "stealth mode" by using network taps.
  • Because transparent firewalls can route between inside and outside interfaces, packets are "bumped" between them by using special firewall rule-sets.

Answer : A transparent firewall is considered a Layer 2 firewall and has no routing capabilities.

Which endpoint security technology should be used to prevent any incoming connections to the host?

Options are :

  • host-based personal firewall (Correct)
  • host-based anti-virus
  • host-based IPS
  • host-based malware protection

Answer : host-based personal firewall

What can a HIPS do that a NIPS cannot? (Choose two.)

Options are :

  • Detect malware delivered to the host via an encrypted channel. (Correct)
  • Protect a mobile host while connected to non-secured networks. (Correct)
  • Block malware as it is carried across the network.
  • Inspect traffic crossing a link in the network.

Answer : Detect malware delivered to the host via an encrypted channel. Protect a mobile host while connected to non-secured networks.

Which three statements indicate why an email server log would be important to a security analyst? (Choose three.)

Options are :

  • Modern email proxies compile and log per-sender behavior statistics.
  • Most typical email proxies log outgoing emails containing sensitive confidential content that is detected by their DLP function. (Correct)
  • Most email proxies perform log filtering so that false positives are kept to a minimum.
  • Email proxies such as Cisco ESA have the capability to identify malware attachments, drop them, and log the drop action. (Correct)
  • Most email proxies decrypt traffic so that it can be inspected.
  • Email proxy logs contain historical information such as sender and receiver entries that can be used to track phishing attacks. (Correct)

Answer : Most typical email proxies log outgoing emails containing sensitive confidential content that is detected by their DLP function. Email proxies such as Cisco ESA have the capability to identify malware attachments, drop them, and log the drop action. Email proxy logs contain historical information such as sender and receiver entries that can be used to track phishing attacks.

Which statement is true about a SIEM system?

Options are :

  • A SIEM can identify when anomalous behavior patterns are exceeding a threshold.
  • A SIEM can detect when specific transactions occur that may be violating a policy.
  • A SIEM cannot perform logical correlation of events as efficiently as a human can. (Correct)
  • A SIEM never needs to be tuned.

Answer : A SIEM cannot perform logical correlation of events as efficiently as a human can.

What are three characteristics of an advanced persistent threat (APT)? (Choose three.)

Options are :

  • one time or drive-by file dropper
  • pursues its objectives repeatedly over an extended period (Correct)
  • easily identified by common antivirus tools
  • adapts to defenders’ efforts to detect it (Correct)
  • maintains a level of interactions with the attacker's command and control infrastructure to execute its objectives (Correct)
  • usually injected via email attachment
  • does not exhibit any signs of polymorphic behavior

Answer : pursues its objectives repeatedly over an extended period; adapts to defenders’ efforts to detect it; maintains a level of interactions with the attacker's command and control infrastructure to execute its objectives

What are the four characteristics of an SOC runbook? (Choose four.)

Options are :

  • A runbook is a collection of plays, and each play generates a report from some set of data sources. (Correct)
  • The runbook describes the security architecture and technical details of protective measures.
  • Instead of being a rigid framework that stifles creativity, the open-ended nature of the runbook allows security analysts to document ideas and explore ways of achieving objectives. (Correct)
  • The runbook is a living document that is always up to the task of handling tomorrow’s security challenges. (Correct)
  • Plays should also evolve over time as attack methods evolve. (Correct)
  • The runbook is a fixed set of standard operating procedures that cannot be changed easily.

Answer : A runbook is a collection of plays, and each play generates a report from some set of data sources. Instead of being a rigid framework that stifles creativity, the open-ended nature of the runbook allows security analysts to document ideas and explore ways of achieving objectives. The runbook is a living document that is always up to the task of handling tomorrow’s security challenges. Plays should also evolve over time as attack methods evolve.

Which two statements are true about Windows operating systems? (Choose two.)

Options are :

  • Windows operating systems are used exclusively for desktop computing.
  • Windows server platforms offer numerous services. (Correct)
  • Some Windows operating systems support Active Directory services for managing domain-based networks. (Correct)
  • Windows operating systems offer NFS, SMB, and UFS file services.

Answer : Windows server platforms offer numerous services. Some Windows operating systems support Active Directory services for managing domain-based networks.

Why is malware that runs as a Windows service more difficult for the average end user to detect?

Options are :

  • because services run in the background and do not interact with the users (Correct)
  • because services run in the Kernel mode
  • because services run in the User mode
  • because all services run automatically when the system boots up

Answer : because services run in the background and do not interact with the users

What statement best describes the process that can be used to edit the Windows Registry?

Options are :

  • You cannot manually edit the registry.
  • Run the regedit command from the command line. (Correct)
  • Double-click the task manager icon
  • Expand regedit from the system tray and edit the registry from the GUI.

Answer : Run the regedit command from the command line.

Where is the sda block device stored in the file system?

Options are :

  • /sys
  • /dev (Correct)
  • /proc
  • /tmp

Answer : /dev

If the parent process is terminated before its children, what will the PPID column show in the ps command?

Options are :

  • N/A
  • -
  • 0
  • 1 (Correct)

Answer : 1

What is the best source of data for analysis of a system that is potentially compromised by a rootkit?

Options are :

  • checking for running processes using command line tools on the system
  • using static binaries in a trusted toolset imported to the machine to check running processes
  • reviewing active network connections with netstat or nbtstat
  • taking a forensic image of the machine (Correct)

Answer : taking a forensic image of the machine

If an attacker uses phishing to obtain user credentials for an employee without administrator access and needs to install a rootkit backdoor that requires system level access, what might be the attacker's next course of action to gain the administrator privileges?

Options are :

  • set a scheduled task to install the rootkit the following day under the current user account
  • try to brute force that user’s password for an RDP connection to the user’s workstation
  • change the IP address of the user’s computer from DHCP-assigned to static.
  • attempt to extract local administrator credentials stored on the machine in running memory or the registry (Correct)

Answer : attempt to extract local administrator credentials stored on the machine in running memory or the registry

What policy change could limit the ability of attackers to escalate privileges on computers?

Options are :

  • eliminate hashes from computers
  • enforce complex passwords that do not incorporate portions of the employee ID, employee name, or company name (Correct)
  • only run Linux operating systems for the enterprise
  • block employees from visiting social media web sites on the company network

Answer : enforce complex passwords that do not incorporate portions of the employee ID, employee name, or company name

Data sources on the left are matched with the data types on the right.

True/False?

Options are :

  • True (Correct)
  • False

Answer : True

Which protocol maps IP network addresses to MAC hardware addresses so that IP packets can be sent across networks?

Options are :

  • Internet Control Message Protocol
  • Address Resolution Protocol (Correct)
  • Session Initiation Protocol
  • Transmission Control Protocol/Internet Protocol

Answer : Address Resolution Protocol

Which option is an advantage to using network-based anti-virus versus host-based anti-virus?

Options are :

  • Network-based has the ability to protect unmanaged devices and unsupported operating systems. (Correct)
  • There are no advantages compared to host-based antivirus.
  • Host-based antivirus does not have the ability to collect newly created signatures.
  • Network-based can protect against infection from malicious files at rest.

Answer : Network-based has the ability to protect unmanaged devices and unsupported operating systems.

Which concern is important when monitoring NTP servers for abnormal levels of traffic?

Options are :

  • Being the cause of a distributed reflection denial of service attack. (Correct)
  • Users changing the time settings on their systems.
  • A critical server may not have the correct time synchronized.
  • Watching for rogue devices that have been added to the network.

Answer : Being the cause of a distributed reflection denial of service attack.

While viewing packet capture data, you notice that one IP is sending and receiving traffic for multiple devices by modifying the IP header. Which option is making this behavior possible?

Options are :

  • TOR
  • NAT (Correct)
  • encapsulation
  • tunneling

Answer : NAT

Which hashing algorithm is the least secure?

Options are :

  • MD5 (Correct)
  • RC4
  • SHA-3
  • SHA-2

Answer : MD5

You must create a vulnerability management framework. Which main purpose of this framework is true?

Options are :

  • Conduct vulnerability scans on the network.
  • Manage a list of reported vulnerabilities.
  • Identify, remove, and mitigate system vulnerabilities. (Correct)
  • Detect and remove vulnerabilities in source code.

Answer : Identify, remove, and mitigate system vulnerabilities.

Which definition of Windows Registry is true?

Options are :

  • set of pages that are currently resident in physical memory
  • basic unit to which the operating system allocates processor time
  • set of virtual memory addresses
  • database that stores low-level settings for the operating system (Correct)

Answer : database that stores low-level settings for the operating system

Which two features must a next generation firewall include? (Choose two.)

Options are :

  • data mining
  • host-based antivirus
  • application visibility and control (Correct)
  • Security Information and Event Management
  • intrusion detection system (Correct)

Answer : application visibility and control; intrusion detection system

Which type of exploit normally requires the culprit to have prior access to the target system?

Options are :

  • local exploit (Correct)
  • denial of service
  • system vulnerability
  • remote exploit

Answer : local exploit

Data sources on the left are matched with the data types on the right.

True/False?

Options are :

  • True (Correct)
  • False

Answer : True

Which two options are recognized forms of phishing? (Choose two.)

Options are :

  • spear (Correct)
  • whaling (Correct)
  • mailbomb
  • hooking
  • mailnet

Answer : spear; whaling

According to RFC 1035, which transport protocol is recommended for use with DNS queries?

Options are :

  • Transmission Control Protocol
  • Reliable Data Protocol
  • Hypertext Transfer Protocol
  • User Datagram Protocol (Correct)

Answer : User Datagram Protocol

Which statement about digitally signing a document is true?

Options are :

  • The document is hashed and then the document is encrypted with the private key.
  • The document is hashed and then the hash is encrypted with the private key. (Correct)
  • The document is encrypted and then the document is hashed with the public key.
  • The document is hashed and then the document is encrypted with the public key.

Answer : The document is hashed and then the hash is encrypted with the private key.

Which term represents a weakness in a system that could lead to the system being compromised?

Options are :

  • vulnerability (Correct)
  • threat
  • exploit
  • risk

Answer : vulnerability

In context of business continuity and availability of resources, which metric defines how long it will take to recover a failed system?

Options are :

  • BCP (Business Continuity Plan)
  • Mean Time Between Failures (MTBF)
  • Mean Time To Repair (MTTR) (Correct)
  • Mean Time To Ship (MTTS)

Answer : Mean Time To Repair (MTTR)

Which of the following U.S. laws mandates the protection of Protected Health Information (PHI)?

Options are :

  • GLBA
  • HIPAA (Correct)
  • PCI DSS
  • FERPA

Answer : HIPAA

What methodology can validate a merchant’s or a financial institution’s compliance with the Payment Card Industry Data Security Standard (PCI-DSS)?

Options are :

  • Audit (Correct)
  • Vulnerability assessment
  • Penetration testing
  • Security assessment

Answer : Audit

An 802.1x secure-port based access construct is comprised of which three critical roles? (Choose three.)

Options are :

  • Identity Database
  • Authenticator (Correct)
  • Authentication Server (Correct)
  • Supplicant (Correct)

Answer : Authenticator; Authentication Server; Supplicant

An organization deploys an authentication system that relies on an RFID card as well as requires a retina scan of an authorized user. What types of authentication are being employed in this system?

Options are :

  • Authentication by ownership and characteristic (Correct)
  • Authentication by knowledge and characteristic
  • Authentication by knowledge and ownership
  • Authentication by ownership and knowledge

Answer : Authentication by ownership and characteristic

A system requires users to present a password and enter a dynamically generated PIN at the onset of gaining access to a secure environment. What is this type of system known as?

Options are :

  • Authentication, Authorization, and Accounting (AAA)
  • Two-factor authentication (2FA) (Correct)
  • Three-factor authentication (3FA)
  • Hyper-Secure login

Answer : Two-factor authentication (2FA)
