Test : CCNA Cyber Ops - SECOPS # 210-255

Which security appliance acts like the glue between the various security controls in an organization to provide real-time reporting and analysis of security events?

Options are :

  • SIEM (Correct)
  • firewall
  • IPS
  • identity access and management
  • syslog server
  • proxy server

Answer : SIEM

Which two functions are offered by a security WMS (workflow management system), but may not be offered by a SIEM? (Choose two.)

Options are :

  • workflow automation (Correct)
  • events correlation
  • events normalization
  • logs management
  • playbook management (Correct)

Answer : workflow automation; playbook management

Which regulation provides data privacy and security provisions for safeguarding medical information, and ensures patient confidentiality for all health care-related data?

Options are :

  • PCI DSS
  • HIPAA (Correct)
  • SOX
  • Gramm-Leach-Bliley Act

Answer : HIPAA

Which two statements about proactive services that are offered by a CSIRT are correct? (Choose two.)

Options are :

  • Proactive services provide assistance and information to help prepare, protect, and secure constituent systems in anticipation of attacks, problems, or events. (Correct)
  • Proactive services are triggered by an event or request, such as a report of a compromised host, widespread malicious code, software vulnerability, or something that was identified by an intrusion detection or logging system.
  • Proactive services, such as monitoring network-based IPS and host-based IPS and events, are the core component of the CSIRT work within a threat-centric SOC.
  • Performance of proactive services will directly reduce the number of incidents in the future. (Correct)

Answer : Proactive services provide assistance and information to help prepare, protect, and secure constituent systems in anticipation of attacks, problems, or events. Performance of proactive services will directly reduce the number of incidents in the future.

Security audit is an example of which CSIRT service?

Options are :

  • proactive services (Correct)
  • aggressive services
  • passive services
  • reactive services
  • backup services
  • restore services

Answer : proactive services

In the category of hacking action that is defined by VERIS, which three attacks can be classified under the variety attribute? (Choose three.)

Options are :

  • man-in-the-middle attacks (Correct)
  • rootkit
  • remote file inclusion (RFI) (Correct)
  • VPN
  • command shell
  • web application
  • buffer overflow (Correct)

Answer : man-in-the-middle attacks; remote file inclusion (RFI); buffer overflow

In the category of hacking action that is defined by VERIS, which three attacks can be classified under the vector attribute? (Choose three.)

Options are :

  • man-in-the-middle attacks
  • rootkit
  • VPN (Correct)
  • remote file inclusion (RFI)
  • command shell (Correct)
  • web application (Correct)
  • buffer overflow

Answer : VPN; command shell; web application

Which description of a retrospective malware detection is true?

Options are :

  • You use Wireshark to identify the malware source.
  • You use historical information from one or more sources to identify the affected host or file. (Correct)
  • You use information from a network analyzer to identify the malware source.
  • You use Wireshark to identify the affected host or file.

Answer : You use historical information from one or more sources to identify the affected host or file.

A user on your network receives an email in their mailbox that contains a malicious attachment. There is no indication that the file was run. Which category as defined in the Kill Chain Model of Intrusion does this activity fall under?

Options are :

  • reconnaissance
  • weaponization
  • delivery (Correct)
  • installation

Answer : delivery

An organization has recently adjusted its security stance in response to online threats made by a known hacktivist group. Which term defines the initial event in the NIST SP800-61 r2?

Options are :

  • instigator
  • precursor (Correct)
  • online assault
  • trigger

Answer : precursor

In the context of incident handling phases, which two activities fall under scoping? (Choose two.)

Options are :

  • determining the number of attackers that are associated with a security incident
  • ascertaining the number and types of vulnerabilities on your network
  • identifying the extent that a security incident is impacting protected resources on the network (Correct)
  • determining what and how much data may have been affected
  • identifying the attackers that are associated with a security incident (Correct)

Answer : identifying the extent that a security incident is impacting protected resources on the network; identifying the attackers that are associated with a security incident

Which information must be left out of a final incident report?

Options are :

  • server hardware configurations (Correct)
  • exploit or vulnerability used
  • impact and/or the financial loss
  • how the incident was detected

Answer : server hardware configurations

Which option has a drastic impact on network traffic because it can cause legitimate traffic to be blocked?

Options are :

  • true positive
  • true negative
  • false positive (Correct)
  • false negative

Answer : false positive

Which string matches the regular expression r(ege)+x?

Options are :

  • rx
  • regeegex (Correct)
  • r(ege)x
  • rege+x

Answer : regeegex

Which goal of data normalization is true?

Options are :

  • Reduce data redundancy. (Correct)
  • Increase data redundancy.
  • Reduce data availability.
  • Increase data availability.

Answer : Reduce data redundancy.

When NetFlow records are collected on both sides of a NAT device, what is the process of mapping the translated IP addresses back to the original (pre-translation) addresses called?

Options are :

  • NAT stitching (Correct)
  • NAT mapping
  • Outsiding NAT
  • Insiding NAT

Answer : NAT stitching

Most well-known protocols can be identified by the TCP or UDP ports they use to communicate. Which protocol do mail servers use to talk to each other, and on which port?

Options are :

  • IMAP, TCP 143
  • SMTP, TCP 25 (Correct)
  • POP3, TCP 110
  • LDAP, TCP 389

Answer : SMTP, TCP 25

In the OSI model which layer is responsible for the compression and decompression as well as encryption and decryption of data?

Options are :

  • Presentation (Correct)
  • Session
  • Application
  • Transport

Answer : Presentation

What option can be used while scanning a network with nmap to enable operating system identification?

Options are :

  • nmap -info
  • nmap -id
  • nmap -O (Correct)
  • nmap -osver

Answer : nmap -O (the OS-detection flag is an upper-case O; lower-case -o is the prefix for the output-format options such as -oN and -oX. OS fingerprinting needs raw-packet privileges, and -A enables it together with version detection and the default scripts.)

Which of the following tools offers the most comprehensive information for identification of malware?

Options are :

  • NetFlow
  • Linux or Windows logs
  • Packet capture utilities (Correct)
  • Syslog

Answer : Packet capture utilities

Which of the following is the main goal of a security awareness program? And during which phase of the incident response process would developing a user awareness program be useful?

Options are :

  • It provides a clear understanding of potential risk and exposure. The user awareness training is part of the preparation phase. (Correct)
  • It provides a forum for discussing exposure and associated risk analysis. The user awareness training is part of the preparation phase.
  • It provides a forum to communicate user responsibilities. The user awareness training is part of the preparation phase.
  • It provides a clear understanding of potential risk and exposure. The user awareness training is part of the containment, eradication, and recovery phase.

Answer : It provides a clear understanding of potential risk and exposure. The user awareness training is part of the preparation phase.

Which of the following statements best describes containment?

Options are :

  • Stop the attack from propagating to limit further damage. (Correct)
  • Defer the attack from propagating to sustain further damage.
  • Prevent the attack from initiating.
  • Work around an attack to deter it and to limit further damage.

Answer : Stop the attack from propagating to limit further damage.

Which of the following is not a valid CVSS metric?

Options are :

  • Report Level (RL) (Correct)
  • Attack Complexity (AC)
  • Attack Vector (AV)
  • Report Confidence (RC)

Answer : Report Level (RL). In CVSS the abbreviation RL stands for Remediation Level, a Temporal metric; Attack Vector (AV) and Attack Complexity (AC) are Base exploitability metrics, and Report Confidence (RC) is a Temporal metric.

A vulnerability exists; however, the attacker does not yet know that it exists and, hence, cannot exploit it just yet. The attacker may be able to exploit the vulnerability in the near future. What is such a vulnerability known as?

Options are :

  • Ex-vulnerability
  • Theoretical vulnerability (Correct)
  • Hypothetical vulnerability
  • Make-shift case-vulnerability

Answer : Theoretical vulnerability

A security researcher recently discovered a new security vulnerability. Upon computing its CVSS base score, the score was 9. What risk category would this vulnerability fall into?

Options are :

  • Low
  • Medium
  • High
  • Critical (Correct)

Answer : Critical

Which of the following statements are true about HIPAA goals? (Choose three.)

Options are :

  • To provide the ability to transfer and continue health insurance coverage for millions of workers and their families when they change or lose their jobs (Correct)
  • To reduce healthcare fraud and abuse (Correct)
  • To mandate industry-wide standards for healthcare information on electronic billing and other processes (Correct)
  • To protect financial information and make the information publicly auditable

Answer : To provide the ability to transfer and continue health insurance coverage for millions of workers and their families when they change or lose their jobs; To reduce healthcare fraud and abuse; To mandate industry-wide standards for healthcare information on electronic billing and other processes

An organization deals with credit card transactions. The security consultant recommends placing all credit card processing systems in an isolated network, dedicated just to card processing. Based on the advice, the organization implemented appropriate network segmentation controls to limit the scope of PCI DSS to those systems only. The network segmentation leverages use of VLANs and firewalls. What systems must be scanned for PCI DSS compliance?

Options are :

  • Only the systems belonging to the organization
  • Only the systems on the general (non PCI DSS) network
  • Only the systems on the isolated network (Correct)
  • All systems belonging to the organization and its partners

Answer : Only the systems on the isolated network (provided the segmentation controls are validated as effective, which PCI DSS requires through periodic segmentation testing; if they are not, the entire network is in scope)

Which of the following U.S. laws governs the protection of Protected Health Information (PHI)?

Options are :

  • HIPAA (Correct)
  • GLBA
  • PCI DSS
  • SOX

Answer : HIPAA

Which compliance involves special focus on Section 302 and Section 404?

Options are :

  • PCI DSS
  • SOX (Correct)
  • GDPR
  • FedRAMP

Answer : SOX

Regarding log mining, which statement is true about path analysis?

Options are :

  • Path analysis can be used to reconstruct network traffic or to follow it.
  • Path analysis is an interpretation of a chain of consecutive events that occur during a set period. (Correct)
  • Path analysis can be used to make predictions about unknown future attacks or events.
  • Path analysis can be used to mine through large amounts of data to build profiles and to identify anomalous behavior.
  • Path analysis labels data packets allowing them to traverse through the network on different paths but still remaining identifiable to the destination node when it is reconstructed.

Answer : Path analysis is an interpretation of a chain of consecutive events that occur during a set period.

Which two tools can be used to perform raw network packet capture? (Choose two.)

Options are :

  • Wireshark (Correct)
  • Snort
  • Metasploit
  • TCPDump (Correct)
  • Nessus
  • Squert

Answer : Wireshark; tcpdump

Which four options are tools that can perform packet captures? (Choose four.)

Options are :

  • netsniff-ng (Correct)
  • Wireshark (Correct)
  • Bro
  • ELSA
  • Sguil
  • Squert
  • tshark (Correct)
  • tcpdump (Correct)

Answer : netsniff-ng; Wireshark; tshark; tcpdump

Which phase of the kill chain often involves performing social engineering?

Options are :

  • command-and-control
  • installation
  • reconnaissance (Correct)
  • exploitation

Answer : reconnaissance

Which CVSS v3.0 metric group is optionally computed by the end-user organizations to adjust the score?

Options are :

  • temporal
  • environmental (Correct)
  • maturity
  • scope

Answer : environmental

Which organization publishes a report of the top 10 most widely exploited web application vulnerabilities?

Options are :

  • OWASP (Correct)
  • Spamhaus
  • Alexa
  • Farsight

Answer : OWASP

Consider the following IPS alert:

Count:7 Event#7.2 2017-01-03 21:31:44

FILE-FLASH Adobe Flash Player integer underflow attempt

209.165.200.235 -> 10.10.6.238

IPVer=4 hlen=5 tos=0 dlen=673 ID=56477 flags=2 offset=0 ttl=62 chksum=45616 Protocol: 6 sport=80 ->dport=40381


Which of the following HTTP transaction records provides the most relevant correlation with the alert?

Options are :

  • host=127.0.0.1 program=bro_http class=BRO_HTTP srcip=10.10.6.10 srcport=39472 dstip=209.165.200.235 dstport=80 status_code=200 content_length=1211 method=GET site=iluvcats.public uri=/home/index.php referer=- user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 mime_type=text/html
  • host=127.0.0.1 program=bro_http class=BRO_HTTP srcip=10.10.6.238 srcport=40381 dstip=209.165.200.235 dstport=80 status_code=200 content_length=1211 method=GET site=iluvcats.public uri=/home/index.php referer=- user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 mime_type=text/html
  • host=127.0.0.1 program=bro_http class=BRO_HTTP srcip=10.10.6.238 srcport=40381 dstip=209.165.200.235 dstport=80 status_code=200 content_length=455 method=GET site=iluvcats.public uri=/EN7rkG55w/pQfsLXfUa.swf referer=http://iluvcats.public:8080/EN7rkG55w user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 mime_type=application/x-shockwave-flash (Correct)
  • host=127.0.0.1 program=bro_http class=BRO_HTTP srcip=10.10.6.28 srcport=41772 dstip=209.165.200.235 dstport=80 status_code=200 content_length=455 method=GET site=iluvcats.public uri=/EN7rkG55w/pQfsLXfUa.swf referer=http://iluvcats.public:8080/EN7rkG55w user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 mime_type=application/x-shockwave-flash

Answer : host=127.0.0.1 program=bro_http class=BRO_HTTP srcip=10.10.6.238 srcport=40381 dstip=209.165.200.235 dstport=80 status_code=200 content_length=455 method=GET site=iluvcats.public uri=/EN7rkG55w/pQfsLXfUa.swf referer=http://iluvcats.public:8080/EN7rkG55w user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 mime_type=application/x-shockwave-flash
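The correlation in the question above is a 5-tuple match with the direction reversed: the IPS fired on the server-to-client packet (209.165.200.235:80 -> 10.10.6.238:40381), while the Bro http record is logged client-to-server (srcip=10.10.6.238 srcport=40381 dstip=209.165.200.235 dstport=80). Two of the four records share that 5-tuple, so the tie is broken by the content that came back: a FILE-FLASH signature points at the response whose mime_type is application/x-shockwave-flash. The following is an added example, not part of the original exam material, that does exactly that over constructed copies of the alert and the four records. Matching the signature's class prefix (FILE-FLASH) against the MIME type is a heuristic of this example, not a documented IPS feature.

```python
"""Correlate an IPS alert with HTTP transaction records by 5-tuple (added example)."""
import re
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, int, str, int, str]   # src_ip, src_port, dst_ip, dst_port, protocol
IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed copy of the IPS alert shown above.
IPS_ALERT = """Count:7 Event#7.2 2017-01-03 21:31:44
FILE-FLASH Adobe Flash Player integer underflow attempt
209.165.200.235 -> 10.10.6.238
IPVer=4 hlen=5 tos=0 dlen=673 ID=56477 flags=2 offset=0 ttl=62 chksum=45616 Protocol: 6 sport=80 ->dport=40381"""

UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0"


def _rec(srcip: str, srcport: int, length: int, uri: str, referer: str, mime: str) -> str:
    """Build one Bro http record in the key=value layout used by the answer options."""
    return (f"host=127.0.0.1 program=bro_http class=BRO_HTTP srcip={srcip} srcport={srcport} "
            f"dstip=209.165.200.235 dstport=80 status_code=200 content_length={length} method=GET "
            f"site=iluvcats.public uri={uri} referer={referer} user_agent={UA} mime_type={mime}")


# Constructed copies of the four records from the answer options, in the same order.
BRO_HTTP_RECORDS = [
    _rec("10.10.6.10", 39472, 1211, "/home/index.php", "-", "text/html"),
    _rec("10.10.6.238", 40381, 1211, "/home/index.php", "-", "text/html"),
    _rec("10.10.6.238", 40381, 455, "/EN7rkG55w/pQfsLXfUa.swf",
         "http://iluvcats.public:8080/EN7rkG55w", "application/x-shockwave-flash"),
    _rec("10.10.6.28", 41772, 455, "/EN7rkG55w/pQfsLXfUa.swf",
         "http://iluvcats.public:8080/EN7rkG55w", "application/x-shockwave-flash"),
]

# key=value pairs; the value runs lazily until the next " key=" so the
# space-containing user_agent survives intact.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_ips_alert(text: str) -> Dict[str, object]:
    """Pull timestamp, signature name and the packet 5-tuple out of the alert text."""
    lines = [l.strip() for l in text.strip().splitlines()]
    src, dst = re.fullmatch(r"(\S+)\s*->\s*(\S+)", lines[2]).groups()
    hdr = lines[3]
    ports = {k: int(v) for k, v in re.findall(r"\b(sport|dport)=(\d+)", hdr)}
    proto = int(re.search(r"Protocol:\s*(\d+)", hdr).group(1))
    return {
        "timestamp": " ".join(lines[0].split()[-2:]),
        "signature": lines[1],
        "tuple": (src, ports["sport"], dst, ports["dport"], IP_PROTO.get(proto, str(proto))),
    }


def parse_bro_http(line: str) -> Dict[str, str]:
    return dict(KV_RE.findall(line))


def record_tuple(rec: Dict[str, str]) -> FiveTuple:
    # bro_http records are always TCP, so the protocol is fixed.
    return (rec["srcip"], int(rec["srcport"]), rec["dstip"], int(rec["dstport"]), "tcp")


def reverse(t: FiveTuple) -> FiveTuple:
    return (t[2], t[3], t[0], t[1], t[4])


def correlate(alert: Dict[str, object], records: List[str]) -> List[int]:
    """Indices of records that share the alert's 5-tuple in either direction."""
    want = {alert["tuple"], reverse(alert["tuple"])}
    return [i for i, line in enumerate(records) if record_tuple(parse_bro_http(line)) in want]


def best_match(alert: Dict[str, object], records: List[str]) -> int:
    """Among 5-tuple matches prefer the transaction whose MIME type fits the signature
    class (heuristic: 'FILE-FLASH' -> keyword 'flash'); -1 when nothing matches."""
    candidates = correlate(alert, records)
    keyword = alert["signature"].split()[0].split("-")[-1].lower()
    for i in candidates:
        if keyword in parse_bro_http(records[i]).get("mime_type", "").lower():
            return i
    return candidates[0] if candidates else -1


if __name__ == "__main__":
    alert = parse_ips_alert(IPS_ALERT)
    print(alert["timestamp"], alert["signature"], alert["tuple"])
    print("5-tuple matches:", correlate(alert, BRO_HTTP_RECORDS))
    print("best match:", best_match(alert, BRO_HTTP_RECORDS))
```

Note that the record with srcip=10.10.6.28 is a decoy: same URI and MIME type, but a different host and port, so it is a different session and is never correlated even though it looks like the same drive-by.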

What are the three basic types of payloads within the Metasploit framework? (Choose three.)

Options are :

  • singles (Correct)
  • stagers (Correct)
  • stages (Correct)
  • crypto
  • active

Answer : singles; stagers; stages

What is an HTTP exploit that allows attackers to access restricted directories and execute commands outside of the root directory of the web server?

Options are :

  • XSS
  • web redirection
  • directory traversal (Correct)
  • HTTP 302 cushioning
  • iFrames

Answer : directory traversal
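Directory traversal works because the server builds a file-system path by gluing the request path onto its document root, so a request containing ../ (or its URL-encoded form %2e%2e%2f) climbs above the root. The following is an added example, not part of the original exam material: a vulnerable resolver beside a hardened one that decodes the path once (as the web server does), rejects NUL bytes, forces the path to be relative to the root, normalises it and then verifies it is still inside the root. The document root /var/www/html and the sample requests are assumptions for illustration; nothing here touches the real file system.

```python
"""Directory traversal: vulnerable vs hardened path resolution (added example)."""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root


def unsafe_path(root: str, requested: str) -> str:
    """VULNERABLE: the decoded request path is appended verbatim, so '../' escapes root."""
    return root + "/" + unquote(requested)


def is_inside(root: str, path: str) -> bool:
    """Lexical containment check: collapse '.' and '..' and compare against root.
    With a real file system, additionally compare os.path.realpath() of both so a
    symlink under the root cannot point outside it."""
    norm = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return norm == root or norm.startswith(root.rstrip("/") + "/")


def safe_path(root: str, requested: str) -> Optional[str]:
    """HARDENED: decode exactly once, reject NUL and backslash, strip leading slashes so
    the join is always relative to root, normalise, and confirm containment.
    Returns None for any request that would leave the document root."""
    decoded = unquote(requested)
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    return candidate if is_inside(root, candidate) else None


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one plain traversal,
    # one URL-encoded traversal, one double-encoded (caveat below).
    for req in ("images/../index.html", "../../etc/passwd",
                "..%2f..%2f..%2fetc%2fpasswd", "%252e%252e/%252e%252e/etc/passwd"):
        print(f"{req:40} unsafe={unsafe_path(WEB_ROOT, req)!s:45} safe={safe_path(WEB_ROOT, req)}")
```

The double-encoded request (%252e%252e) is accepted by safe_path because a single decode yields the literal directory name %2e%2e, which is harmless; it becomes traversal only if some downstream component decodes the path a second time, which is why the decode must happen exactly once and as early as possible.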

Which five items make up the IP 5-tuple? (Choose five.)

Options are :

  • source IP address (Correct)
  • destination IP address (Correct)
  • source MAC address
  • destination MAC address
  • source port (Correct)
  • destination port (Correct)
  • protocol (Correct)
  • EtherType

Answer : source IP address; destination IP address; source port; destination port; protocol

In what three ways can a corporate user exploit Microsoft PowerShell? (Choose three.)

Options are :

  • modify system settings (Correct)
  • modify IDS or IPS signatures
  • disrupt services (Correct)
  • customer PII theft (Correct)

Answer : modify system settings; disrupt services; customer PII theft

What makes China Chopper "stealthy" as a Remote Access Tool Kit?

Options are :

  • the traffic between the web shell and the client is sent over an encrypted SSH connection
  • the small size of the web shell application (Correct)
  • the small UDP traffic footprint
  • the complexity of the web shell script written in PHP

Answer : the small size of the web shell application

Which tool is used to block suspicious DNS queries by domain names rather than by IP addresses?

Options are :

  • DNS sinkhole (Correct)
  • BGP black hole
  • firewall
  • IPS

Answer : DNS sinkhole

What is a typical task for the SOC Tier 1 analyst?

Options are :

  • Advise on what remediation is to be performed.
  • Continuously monitor the alert queue. (Correct)
  • Perform forensics on the exploited endpoint.
  • Perform IPS and SIEM tuning.

Answer : Continuously monitor the alert queue.

Organizations that are trying to share information with external organizations should also consult with which department before initiating any coordination efforts?

Options are :

  • IT
  • legal (Correct)
  • human resources
  • engineering

Answer : legal

Which three options are elements of an incident response policy? (Choose three.)

Options are :

  • buy-in from senior management (Correct)
  • SOC, NOC, and IT capabilities to determine the structure of the incident response plan
  • metrics for measuring the incident response effectiveness (Correct)
  • how to communicate with the rest of the organization, and with other organizations (Correct)
  • agreement from outside organizations such as the CERT/CC

Answer : buy-in from senior management; metrics for measuring the incident response effectiveness; how to communicate with the rest of the organization, and with other organizations
