Mock : CCNA Cyber Ops - SECFND # 210-250

What type of spoofing attack uses fake source IP addresses that are different than their real IP addresses?

Options are :

  • MAC spoofing
  • IP spoofing (Correct)
  • application spoofing
  • name spoofing

Answer : IP spoofing

What two attacks are initiated by a rogue DHCP server? (Choose two.)

Options are :

  • Trojan virus
  • Compromised-Key
  • DoS (Correct)
  • TCP SYN flood
  • MITM (Correct)

Answer : DoS; MITM

Why is using ECDHE_ECDSA stronger than using RSA?

Options are :

  • ECDHE_ECDSA provides both data authenticity and confidentiality.
  • ECDHE_ECDSA uses a much larger key size.
  • ECDHE_ECDSA uses a pseudorandom function to generate the keying materials.
  • If the server's private key is later compromised, all the prior TLS handshakes that are done using the cipher suite cannot be compromised. (Correct)

Answer : If the server's private key is later compromised, all the prior TLS handshakes that are done using the cipher suite cannot be compromised.

Which part of the TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 cipher suite is used to specify the bulk encryption algorithm?

Options are :

  • ECDHE_ECDSA
  • AES_128_CBC (Correct)
  • SHA256
  • P384

Answer : AES_128_CBC

Which one of the following statements describes the risk of not destroying a session key that is no longer used for completed communication of encrypted data?

Options are :

  • The attacker could have captured the encrypted communication and stored it while waiting for an opportunity to acquire the key. (Correct)
  • Systems can only store a certain number of keys and could be unable to generate new keys for communication.
  • It increases the risk of duplicate keys existing for the key space of the algorithm.
  • The risk of weaker keys being generated increases as the number of keys stored increases.

Answer : The attacker could have captured the encrypted communication and stored it while waiting for an opportunity to acquire the key.

In addition to discretionary, non-discretionary, and mandatory access control, which two should be part of an organization's access security plan? (Choose two.)

Options are :

  • separation of duties (Correct)
  • account lock-outs
  • physical security locks
  • principle of least privilege (Correct)
  • photo identification

Answer : separation of duties; principle of least privilege

What are two goals of compliance regulations? (Choose two.)

Options are :

  • punish organizations that do not comply
  • reduce an organization's security risk (Correct)
  • create worldwide standards for all organizations to follow
  • protect the privacy of individuals in an organization (Correct)

Answer : reduce an organization's security risk; protect the privacy of individuals in an organization

What two protocols are used to retrieve email? (Choose two.)

Options are :

  • IMAP (Correct)
  • POP (Correct)
  • LDAP
  • MTA

Answer : IMAP; POP

What two options are contained in the SMTP envelope? (Choose two.)

Options are :

  • sender (Correct)
  • recipients (Correct)
  • timestamp
  • mail user agent
  • MX record

Answer : sender; recipients

What protocol uses TCP port 143?

Options are :

  • SMTP
  • POP
  • LDAP
  • IMAP (Correct)

Answer : IMAP

What HTTP method is used to request a response without the response body?

Options are :

  • GET
  • POST
  • HEAD (Correct)
  • FETCH

Answer : HEAD

Which two best describe iFrames? (Choose two.)

Options are :

  • a new Apple product
  • hidden inline frames (Correct)
  • loading a webpage inside another webpage (Correct)
  • a frame within a browser where a user can view the page's source code

Answer : hidden inline frames; loading a webpage inside another webpage

Which two of the following statements best describe how to access the Microsoft Event Viewer to review its logs? (Choose two.)

Options are :

  • By using a command line, open a Windows command prompt and enter the eventvwr command. (Correct)
  • Open the icon in the system tray.
  • Type go event viewer in the Start menu's Run Application entry section.
  • From the control panel, open Administrative Tools, and then click Event Viewer. (Correct)
  • Right-click on the system clock in the Task Bar.

Answer : By using a command line, open a Windows command prompt and enter the eventvwr command. From the control panel, open Administrative Tools, and then click Event Viewer.

Which tool is used to view the Windows logs?

Options are :

  • syslog viewer
  • event viewer (Correct)
  • log viewer
  • WMI viewer

Answer : event viewer

What is required for a Windows user to perform a task with administrator-level access?

Options are :

  • use the “Run as Administrator” option (Correct)
  • enter the kernel mode
  • boot the system into the safe mode
  • log in as a domain user then switch to the “Admin” group

Answer : use the “Run as Administrator” option

What is the most efficient Linux command for determining whether there is a running process named runme?

Options are :

  • netstat -a > runme
  • netstat -a
  • netstat -a | grep runme
  • ps -ef > runme
  • ps -ef
  • ps -ef | grep runme (Correct)

Answer : ps -ef | grep runme

An administrator believes that an attacker is overwhelming a database server by causing intensive queries to be run. Which log file should the administrator check first?

Options are :

  • /var/log/mysql/mysql.log
  • /var/log/mysql/mysql_error.log
  • /var/log/mysql/mysql_warning.log
  • /var/log/mysql/mysql-slow.log (Correct)

Answer : /var/log/mysql/mysql-slow.log

What is the function of the exploit kit landing page?

Options are :

  • redirect the user’s browser to the CnC server
  • host malicious advertisements with iFrames
  • initiate CnC traffic for malware communications
  • deliver malware to victim machine (Correct)

Answer : deliver malware to victim machine

Why would an attacker use a proxy server in front of the exploit server?

Options are :

  • to protect the identity of the exploit server and make it harder to track (Correct)
  • to be able to infect more machines than a single server could
  • to reduce bandwidth used by the attack infrastructure and keep loaded pages cached
  • redundancy if there is a failure of the exploit server

Answer : to protect the identity of the exploit server and make it harder to track

What characteristic differentiates a server from a client?

Options are :

  • runs many applications
  • has an operating system
  • provides services over open ports (Correct)
  • has open network connections

Answer : provides services over open ports

What are two controls that the Cisco WSA can use to validate web requests? (Choose two.)

Options are :

  • basic URL filtering that leverages pre-defined, category-based web usage controls (Correct)
  • AMP for isolating reputable exploits and malware samples to its local disk for further investigation
  • a reputation database that is used to analyze web requests as part of a security control procedure (Correct)
  • IPS-based signatures that are loaded in the Cisco WSA to prevent intrusions and alert system administrators
  • a reputation database within the Cisco WSA that uses Snort-like rule sets to combat RootKit intrusions

Answer : basic URL filtering that leverages pre-defined, category-based web usage controls; a reputation database that is used to analyze web requests as part of a security control procedure

Which one of the following statements is considered a DNS "blind spot?"

Options are :

  • A DNS blind spot is defined as the inability to change the CX DNS records for outbound requests.
  • A blind spot is the failure to properly monitor DNS activity for security purposes. (Correct)
  • DNS blind spots are created when a root-level DNS server is under a DDoS attack.
  • Blind spots are caused by improper or lack of proper software patching to DNS BIND servers.
  • DNS blind spots are a direct result of DoS port scanning of UDP port 53.

Answer : A blind spot is the failure to properly monitor DNS activity for security purposes.

What happens when a file hash has never been seen by the cloud malware analysis systems?

Options are :

  • An unknown disposition status is returned, and the file is automatically submitted to the cloud for dynamic analysis. (Correct)
  • An unknown disposition status is returned, and the file is automatically stored on the local firewall SSD module.
  • The file is sent directly to Cisco for analysis
  • A CVE is automatically generated for the file, and uploaded to the cloud for dynamic analysis.
  • The file is quietly discarded and the end user is alerted to the presence of malware.

Answer : An unknown disposition status is returned, and the file is automatically submitted to the cloud for dynamic analysis.

After a file disposition changes from unknown to malicious, what is the next step that should be taken?

Options are :

  • Run the file in a sandbox to verify if it is malicious and to determine the file behaviors.
  • Create a new IPS signature to detect the malicious file.
  • Go back to the system where the file was previously seen and quarantine the malicious file. (Correct)
  • Run a file retrospective analysis in the cloud using machine learning to determine the file SHA.

Answer : Go back to the system where the file was previously seen and quarantine the malicious file.

Which statement is true about sandboxing?

Options are :

  • Using a sandbox technique ensures that no malware infected files can get in the network.
  • Running a file in a sandbox guarantees that the disposition will show the threat that it poses to your environment.
  • Malware authors deploy several techniques to bypass sandbox analysis. (Correct)
  • Using a sandbox replaces the need for expensive antivirus and firewall software.

Answer : Malware authors deploy several techniques to bypass sandbox analysis.

Which three options are valid reasons for tuning an IPS? (Choose three.)

Options are :

  • As you tune the system to be less restrictive, you decrease the likelihood of false negatives.
  • Tuning allows for a clearer picture of what is actually going on in the network. (Correct)
  • Tuning improves the performance and efficacy of an IPS. (Correct)
  • Tuning reduces the occurrence of true negatives.
  • Tuning assists with prioritizing responses to event information. (Correct)

Answer : Tuning allows for a clearer picture of what is actually going on in the network. Tuning improves the performance and efficacy of an IPS. Tuning assists with prioritizing responses to event information.

When tuning an IPS, which three determinations should help you decide whether a rule should be disabled? (Choose three.)

Options are :

  • Does the alert occur frequently?
  • Does the alert generate a true positive condition? (Correct)
  • If the alert is not a security incident, does it offer valuable information? (Correct)
  • Does the alert pertain to your network environment? (Correct)

Answer : Does the alert generate a true positive condition? If the alert is not a security incident, does it offer valuable information? Does the alert pertain to your network environment?

Chain of custody, in legal contexts, refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. What five of the following types of information are contained in chain of custody documentation? (Choose five.)

Options are :

  • Who was the attacker?
  • What is the evidence? (Correct)
  • What attack method was used?
  • What method was used to collect the evidence? (Correct)
  • When was the evidence collected? (Correct)
  • Who handled the evidence and why did that person need to handle the evidence? (Correct)
  • What software was used to commit the attack?
  • Where is the evidence permanently stored? (Correct)
  • Why did the attack happen?

Answer : What is the evidence? What method was used to collect the evidence? When was the evidence collected? Who handled the evidence and why did that person need to handle the evidence? Where is the evidence permanently stored?

Which one of the following statements best describes a lightweight access point (LWAP)?

Options are :

  • An LWAP is an AP with low bandwidth and processing capability for small deployments.
  • An LWAP is part of a unified wireless access system where a centralized wireless LAN controller manages the administrative functions of network access. (Correct)
  • An LWAP weighs less than the autonomous AP, so it can be mounted safely on the drop ceiling of a room.
  • Each LWAP handles its own policies with no central point of entry between the wireless and wired networks.

Answer : An LWAP is part of a unified wireless access system where a centralized wireless LAN controller manages the administrative functions of network access.

Which two of the following statements are true regarding an autonomous access point? (Choose two.)

Options are :

  • old technology that has no place in today’s networks, so it should not be used
  • self-contained and offer one or more fully functional standalone BSSs (Correct)
  • can operate without the use of a centralized controller (Correct)
  • can dynamically cover gaps in radio coverage in the event of a peer AP failure

Answer : self-contained and offer one or more fully functional standalone BSSs; can operate without the use of a centralized controller

Which four of the following options are benefits of using LWAPs and a unified wireless solution? (Choose four.)

Options are :

  • flexible client roaming (Correct)
  • standalone capability
  • dynamic client load balancing (Correct)
  • security management (Correct)
  • simplicity in network design
  • wireless intrusion protection system (Correct)

Answer : flexible client roaming; dynamic client load balancing; security management; wireless intrusion protection system

Which one of the following options is the AP mode that a typical home Wi-Fi router operates in?

Options are :

  • lightweight
  • standalone (Correct)
  • CAPWAP
  • hybrid

Answer : standalone

A ping attack that exploits the broadcast IP address in a subnet is referred to as what type of attack?

Options are :

  • red rat
  • fraggle
  • smurf (Correct)
  • SYN flood
  • firewalk

Answer : smurf

Which protocol or diagnostic tool helps you determine how many hops away a network is and can be exploited by an attacker?

Options are :

  • SSH
  • traceroute (Correct)
  • ping
  • TCP

Answer : traceroute

Which part of the UDP header would attackers replace if they change the data payload to prevent the receiver from identifying the change?

Options are :

  • source port
  • destination port
  • UDP length
  • UDP port
  • UDP checksum (Correct)

Answer : UDP checksum

Which one of the following is the PKI operation that would likely cause out-of-band communication over the phone?

Options are :

  • The client checks with the CA to determine whether a certificate has been revoked.
  • The client validates with the CA to determine if the peer that they are communicating with is the entity that is identified in a certificate.
  • A new signed certificate is received by the certificate applicant from the CA.
  • The CA administrator contacts the certificate applicant to verify enrollment data before the request can be approved. (Correct)

Answer : The CA administrator contacts the certificate applicant to verify enrollment data before the request can be approved.

Which three of the following options does the client validate on inspection of a server certificate? (Choose three.)

Options are :

  • The subject matches the URL that is being visited. (Correct)
  • The website was already in the browser’s cache.
  • A root DNS server provided the IP address for the URL.
  • The current time is within the certificate’s validity date. (Correct)
  • The signature of the CA that is in the certificate is valid. (Correct)
  • The client already has a session key for the URL.

Answer : The subject matches the URL that is being visited. The current time is within the certificate’s validity date. The signature of the CA that is in the certificate is valid.

What best describes a brute-force attack?

Options are :

  • breaking and entering into a physical building or network closet
  • an attacker's attempt to decode a cipher by attempting each possible key combination to find the correct one (Correct)
  • a rogue DHCP server that is posing as a legitimate DHCP server on a network segment
  • an attacker inserting itself between two devices in a communication session and then taking over the session.

Answer : an attacker's attempt to decode a cipher by attempting each possible key combination to find the correct one

What industry regulation criminalizes production and dissemination of technology, devices, or services that are intended to circumvent digital rights management, or DRM, among other things?

Options are :

  • PIPEDA
  • HIPAA
  • PCI DSS
  • DMCA (Correct)

Answer : DMCA

What security management software/process is used to manage employees’ mobile devices?

Options are :

  • MDM (Correct)
  • SIEM
  • patch management
  • log management
  • configuration management

Answer : MDM

What are three key components of a threat-centric SOC? (Choose three.)

Options are :

  • people (Correct)
  • compliances
  • processes (Correct)
  • regulations
  • technologies (Correct)

Answer : people; processes; technologies

What best describes the Security Operations Center (SOC)?

Options are :

  • The SOC is usually responsible for monitoring and maintaining the overall network infrastructure—its primary function is to ensure uninterrupted network service.
  • A SOC is related to the people, processes, and technologies that are involved in providing situational awareness through the detection, containment, and remediation of information security threats. (Correct)
  • The SOC is responsible for the physical security of a building or installation location.
  • The SOC and NOC are the same entity, with different names. They are responsible for the health and security of the network infrastructure.

Answer : A SOC is related to the people, processes, and technologies that are involved in providing situational awareness through the detection, containment, and remediation of information security threats.

What type of attack describes malicious JavaScript, which redirects an unsuspecting user to download malware from a remote website?

Options are :

  • drive-by-download (Correct)
  • session hijacking
  • SQL injection
  • denial of service

Answer : drive-by-download

What two types of information are encrypted by the HTTPS protocol? (Choose two.)

Options are :

  • IP headers
  • Ethernet headers
  • HTTP headers (Correct)
  • HTTP cookies (Correct)
  • TCP headers

Answer : HTTP headers; HTTP cookies

Which option can lead to an SQL injection attack?

Options are :

  • insufficient user input validation (Correct)
  • running a database in debugging mode
  • using GET method instead of POST method when submitting a web form
  • using * in a SELECT statement

Answer : insufficient user input validation

What are three valid fields in a DNS resource record? (Choose three.)

Options are :

  • RDATA (Correct)
  • PTR
  • AAAA
  • TTL (Correct)
  • CLASS (Correct)

Answer : RDATA; TTL; CLASS

Which two can be caused by a successful SQL injection attack? (Choose two.)

Options are :

  • read sensitive data from the database (Correct)
  • execute administration operations on the database (Correct)
  • extract all the database accounts password hashes from the database server's memory
  • inject malware in the database server

Answer : read sensitive data from the database; execute administration operations on the database

What is the correct path to access the example.txt file using a Windows file share where the servername is “rwc” and the sharename is “users”?

Options are :

  • \rwc\users\example.txt
  • \\rwc\users\example.txt (Correct)
  • \\rwc\users\\example.txt
  • .rwc\users\example.txt
  • ..rwc\users\example.txt

Answer : \\rwc\users\example.txt

With Windows version 8 or higher, which utility can be used to display the users who are currently logged in to the system, and the resources that are consumed by the applications and processes that belong to each user?

Options are :

  • task manager (Correct)
  • msconfig
  • netstat
  • device manager

Answer : task manager
