CCNA Cyber Ops v1.1


CCNA Cyber Ops v1.1 Chapter 1 Exam Answers


1. A computer is presenting a user with a screen requesting payment
before the user data is allowed to be accessed by the same user. What
type of malware is this?
A type of virus
A type of logic bomb
A type of ransomware *
A type of worm

C. Ransomware commonly encrypts data on a computer and makes the data unavailable until
the computer user pays a specific sum of money.

2. What is cyberwarfare?
It is an attack only on military targets.
It is an attack on a major corporation.
It is an attack that only involves robots and bots.
It is an attack designed to disrupt, corrupt, or exploit national interests. *

D. Cyberwarfare is a subset of information warfare (IW). Its objective is to disrupt
(availability), corrupt (integrity), or exploit (confidentiality or privacy). It can be directed
against military forces, critical infrastructures, or other national interests, such as economic
targets. It involves several teams that work together. A botnet might be one of several tools
used for launching the attack.

3. How can a security information and event management system in
an SOC be used to help personnel fight against security threats?
By collecting and filtering data *
By filtering network traffic
By authenticating users to network resources
By encrypting communications to remote sites

A. A security information and event management system (SIEM) combines data from
multiple sources to help SOC personnel collect and filter data, detect and classify threats,
analyze and investigate threats, and manage resources to implement preventive measures.

4. Which three technologies should be included in an SOC security
information and event management system? (Choose three.)
Proxy service
User authentication
Threat intelligence *
Security monitoring *
Intrusion prevention
Event collection, correlation, and analysis *

C, D, F. Technologies in a SOC should include the following:
Event collection, correlation, and analysis
Security monitoring
Security control
Log management
Vulnerability assessment
Vulnerability tracking
Threat intelligence
Proxy server, user authentication, and intrusion prevention systems (IPS) are security devices
and mechanisms deployed in the network infrastructure and managed by the network
operations center (NOC).

5. What name is given to hackers who hack for a political or social
cause?
White hat
Hacker
Hacktivist *
Blue hat

C. The term is used to describe gray hat hackers who rally and protect for a cause.

6. Which organization is an international nonprofit organization that
offers the CISSP certification?
(ISC)2 *
IEEE
GIAC
CompTIA

A. (ISC)2 is an international nonprofit organization that offers the CISSP certification.

7. After a security incident is verified in a SOC, an incident responder
reviews the incident but cannot identify the source of the incident and
form an effective mitigation procedure. To whom should the incident
ticket be escalated?
A cyberoperations analyst for help
An SME for further investigation *
An alert analyst for further analysis
The SOC manager to ask for other personnel to be assigned

B. An incident responder is a Tier 2 security professional in an SOC. If the responder cannot
resolve the incident ticket, the incident ticket should be escalated to the next-tier support, a
Tier 3 subject matter expert. A Tier 3 SME would further investigate the incident.

8. The term Alert Analyst refers to which group of personnel in an
SOC?
Tier 1 personnel *
Tier 2 personnel
Tier 3 personnel
SOC managers

A. In a typical SOC, the Tier 1 personnel are called alert analysts, also known as
cyberoperations analysts.

9. What is a rogue wireless hotspot?
It is a hotspot that was set up with outdated devices.
It is a hotspot that does not encrypt network user traffic.
It is a hotspot that does not implement strong user authentication mechanisms.
It is a hotspot that appears to be from a legitimate business but was actually set up by
someone without the permission from the business. *

D. A rogue wireless hotspot is a wireless access point running in a business or an organization
without the official permission from the business or organization.

10. What is a potential risk when using a free and open wireless
hotspot in a public location?
Too many users trying to connect to the Internet may cause a network traffic jam.
The Internet connection can become too slow when many users access the wireless hotspot.
Network traffic might be hijacked and information stolen.*
Purchase of products from vendors might be required in exchange for the Internet access.

11. How does a security information and event management system
(SIEM) in a SOC help the personnel fight against security threats?
by integrating all security devices and appliances in an organization
by analyzing logging data in real time
by combining data from multiple technologies*
by dynamically implementing firewall rules

A security information and event management system (SIEM) combines data from multiple
sources to help SOC personnel collect and filter data, detect and classify threats, analyze and
investigate threats, and manage resources to implement preventive measures.

12. Which statement best describes a motivation of hacktivists?
They are part of a protest group behind a political cause.*
They are curious and learning hacking skills.
They are trying to show off their hacking skills.
They are interested in discovering new exploits.

Each type of cybercriminal has a distinct motivation for his or her actions.

13. If a SOC has a goal of 99.999% uptime, how many minutes of
downtime a year would be considered within its goal?
Approximately 5 minutes per year.*
Approximately 10 minutes per year.
Approximately 20 minutes per year.
Approximately 30 minutes per year.

Within a year, there are 365 days x 24 hours a day x 60 minutes per hour = 525,600 minutes.
With the goal of uptime 99.999% of time, the downtime needs to be controlled under 525,600
x (1-0.99999) = 5.256 minutes a year.

14. Why do IoT devices pose a greater risk than other computing
devices on a network?
Most IoT devices do not require an Internet connection and are unable to receive new updates.
IoT devices cannot function on an isolated network with only an Internet connection.
Most IoT devices do not receive frequent firmware updates.*
IoT devices require unencrypted wireless connections.

IoT devices commonly operate using their original firmware and do not receive updates as
frequently as laptops, desktops, and mobile platforms.

15. Which two services are provided by security operations centers?
(Choose two.)
managing comprehensive threat solutions*
ensuring secure routing packet exchanges
responding to data center physical break-ins
monitoring network security threats*
providing secure Internet connections

Security operations centers (SOCs) can provide a broad range of services to defend against
threats to information systems of an organization. These services include monitoring threats to
network security and managing comprehensive solutions to fight against threats. Ensuring
secure routing exchanges and providing secure Internet connections are tasks typically
performed by a network operations center (NOC). Responding to facility break-ins is typically
the function and responsibility of the local police department.

16. Users report that a database file on the main server cannot be
accessed. A database administrator verifies the issue and notices that
the database file is now encrypted. The organization receives a
threatening email demanding payment for the decryption of the
database file. What type of attack has the organization experienced?
man-in-the-middle attack
DoS attack
ransomware*
Trojan horse

A cybersecurity specialist needs to be familiar with the characteristics of the different types of
malware and attacks that threaten an organization.

17. Which organization offers the vendor-neutral CySA+
certification?
IEEE
CompTIA*
(ISC)²
GIAC

18. What was used as a cyberwarfare weapon to attack a uranium
enrichment facility in Iran?
DDoS
SQL injection
PSYOPS
Stuxnet*

The Stuxnet malware program is an excellent example of a sophisticated cyberwarfare
weapon. In 2010, it was used to attack programmable logic controllers that operated uranium
enrichment centrifuges in Iran.

19. Which three technologies should be included in a SOC security
information and event management system? (Choose three.)
firewall appliance
security monitoring*
log management*
intrusion prevention
proxy service
threat intelligence*

Technologies in a SOC should include the following:
• Event collection, correlation, and analysis
• Security monitoring
• Security control
• Log management
• Vulnerability assessment
• Vulnerability tracking
• Threat intelligence
Proxy server, VPN, and IPS are security devices deployed in the network infrastructure.

20. Which personnel in a SOC is assigned the task of verifying
whether an alert triggered by monitoring software represents a true
security incident?
SOC Manager
Tier 2 personnel
Tier 3 personnel
Tier 1 personnel*

In a SOC, the job of a Tier 1 Alert Analyst includes monitoring incoming alerts and verifying
that a true security incident has occurred.

21. Which statement describes cyberwarfare?
Cyberwarfare is an attack carried out by a group of script kiddies.
It is a series of personal protective equipment developed for soldiers involved in nuclear war.
It is simulation software for Air Force pilots that allows them to practice under a simulated
war scenario.
It is Internet-based conflict that involves the penetration of information systems of other
nations.*

Cyberwarfare is Internet-based conflict that involves the penetration of the networks and
computer systems of other nations. Organized hackers are typically involved in such an
attack.

22. In the operation of a SOC, which system is frequently used to let
an analyst select alerts from a pool to investigate?
syslog server
registration system
ticketing system*
security alert knowledge-based system

In a SOC, a ticketing system is typically used as the workflow management system.

23. What name is given to an amateur hacker?
red hat
script kiddie*
black hat
blue team

Script kiddie is a term used to describe an inexperienced hacker.

24. Which personnel in a SOC are assigned the task of hunting for
potential threats and implementing threat detection tools?
Tier 1 Analyst
SOC Manager
Tier 2 Incident Reporter
Tier 3 SME*

In a SOC, Tier 3 SMEs have expert-level skills in network, endpoint, threat intelligence, and
malware reverse engineering (RE). They are deeply involved in hunting for potential security
threats and implementing threat detection tools.

25. Match the components to the major categories in a SOC.

Answer:

SOC Processes

Alert
Investigate
Monitor

SOC Technologies

Log
Database
Sensor

CCNA Cyber Ops v1.1 Chapter 2 Exam Answers
1. What contains information on how hard drive partitions are
organized?
CPU
MBR *
BOOTMGR
Windows Registry

B. The master boot record (MBR) contains a small program that is responsible for locating
and loading the operating system. The BIOS executes this code and the operating system
starts to load.

2. Which net command is used on a Windows PC to establish a
connection to a shared directory on a remote server?
net use *
net start
net share
net session

A. The net command is a very important command in Windows. Some common net
commands include the following:
net accounts: Sets password and logon requirements for users
net session: Lists or disconnects sessions between a computer and other computers on the network
net share: Creates, removes, or manages shared resources
net start: Starts a network service or lists running network services
net stop: Stops a network service
net use: Connects, disconnects, and displays information about shared network resources
net view: Shows a list of computers and network devices on the network

3. Which type of startup must be selected for a service that should run
each time the computer is booted?
Boot
Manual
Automatic *
Start
Startup

C. An automatic startup will start the service automatically when the PC starts. The manual
startup process will occur when the application is launched by a user. There is no boot, start,
or startup service type that can be configured.

4. A user creates a file with a .ps1 extension in Windows. What type of
file is it?
PowerShell cmdlet
PowerShell function
PowerShell documentation
PowerShell script *

D. The types of commands that PowerShell can execute include the following:
Cmdlets: Perform an action and return an output or object to the next command that will be
executed
PowerShell scripts: Files with a .ps1 extension that contain PowerShell commands that are
executed
PowerShell functions: Pieces of code that can be referenced in a script

5. When a user makes changes to the settings of a Windows system,
where are these changes stored?
Control panel
Registry *
win.ini
boot.ini

B. The registry contains information about applications, users, hardware, network settings,
and file types. The registry also contains a unique section for every user, which contains the
settings configured by that particular user.

6. Which Windows version was the first to introduce a 64-bit
Windows operating system?
Windows NT
Windows XP *
Windows 7
Windows 10

B. There are more than 20 releases and versions of the Windows operating system. The
Windows XP release introduced 64-bit processing to Windows computing.

7. Two pings were issued from a host on a local network. The first
ping was issued to the IP address of the default gateway of the host
and it failed. The second ping was issued to the IP address of a host
outside the local network and it was successful. What is a possible
cause for the failed ping?
The default gateway device is configured with the wrong IP address.
The TCP/IP stack on the default gateway is not working properly.
The default gateway is not operational.
Security rules are applied to the default gateway device, preventing it from processing
ping requests. *

D. If the ping from one host to another host on a remote network is successful, this indicates
that the default gateway is operational. In this scenario, if a ping from one host to the default
gateway failed, it is possible that some security features are applied to the router interface,
preventing it from responding to ping requests.

8. Which command is used to manually query a DNS server to resolve
a specific hostname?
net
tracert
nslookup *
ipconfig /displaydns

C. The nslookup command was created to allow a user to manually query a DNS server to
resolve a given host name. The ipconfig /displaydns command only displays previously
resolved DNS entries. The tracert command was created to examine the path that packets take
as they cross a network and can resolve a hostname by automatically querying a DNS server.
The net command is used to manage network computers, servers, printers, and network
drives.

9. What is the purpose of the cd\ command?
changes directory to the previous directory
changes directory to the root directory *
changes directory to the next highest directory
changes directory to the next lower directory

B. CLI commands are typed into the Command Prompt window of the Windows operating
system. The cd\ command is used to change the directory to the Windows root directory.

10. How much RAM is addressable by a 32-bit version of Windows?
4 GB *
8 GB
16 GB
32 GB

A. A 32-bit operating system is capable of supporting approximately 4 GB of memory. This is
because 2^32 is approximately 4 GB.

11. How can a user prevent specific applications from accessing a
Windows computer over a network?
Enable MAC address filtering.
Disable automatic IP address assignment.
Block specific TCP or UDP ports in Windows Firewall. *
Change default usernames and passwords.

C. Network applications have specific TCP or UDP ports that can be left open or blocked in
Windows Firewall. Disabling automatic IP address assignment may result in the computer not
being able to connect to the network at all. Enabling MAC address filtering is not possible in
Windows and would only block specific network hosts, not applications. Changing default
usernames and passwords will secure the computer from unauthorized users, not from
applications.

12. What utility is used to show the system resources consumed by
each user?
Task Manager *
User Accounts
Device Manager
Event Viewer

A. The Windows Task Manager utility includes a Users tab from which the system resources
consumed by each user can be displayed.

13. What utility is available on a Windows PC to view current
running applications and processes?
nslookup
ipconfig
Control Panel
Task Manager*

On a Windows PC the Task Manager utility can be used to view the applications, processes,
and services that are currently running.

14. A user logs in to Windows with a regular user account and
attempts to use an application that requires administrative privileges.
What can the user do to successfully use the application?
Right-click the application and choose Run as root.
Right-click the application and choose Run as Privilege.
Right-click the application and choose Run as Administrator.*
Right-click the application and choose Run as Superuser.

As a security best practice, it is advisable not to log on to Windows using the Administrator
account or an account with administrative privileges. When it is necessary to run or install
software that requires the privileges of the Administrator, the user can right-click the software
in the Windows File Explorer and choose Run as Administrator.

15. A technician can ping the IP address of the web server of a remote
company but cannot successfully ping the URL address of the same
web server. Which software utility can the technician use to diagnose
the problem?
Nslookup*
tracert
netstat
ipconfig

Traceroute (tracert) is a utility that generates a list of hops that were successfully reached
along the path from source to destination. This list can provide important verification and
troubleshooting information. The ipconfig utility is used to display the IP configuration
settings on a Windows PC. The Netstat utility is used to identify which active TCP
connections are open and running on a networked host. Nslookup is a utility that allows the
user to manually query the name servers to resolve a given host name. This utility can also be
used to troubleshoot name resolution issues and to verify the current status of the name
servers.

16. Where are the settings that are chosen during the installation
process stored?
in the recovery partition
in flash memory
in the Registry*
in BIOS

The Registry contains all settings chosen from Control Panels, file associations, system
policies, applications installed, and application license keys.

17. What technology was created to replace the BIOS program on
modern personal computer motherboards?
CMOS
MBR
RAM
UEFI*

As of 2015, most personal computer motherboards are shipped with UEFI as the replacement
for the BIOS program.

18. Which two things can be determined by using the ping command?
(Choose two.)
the number of routers between the source and destination device
the destination device is reachable through the network*
the average time it takes each router in the path between source and destination to respond
the IP address of the router nearest the destination device
the average time it takes a packet to reach the destination and for the response to return
to the source*

A ping command provides feedback on the time between when an echo request was sent to a
remote host and when the echo reply was received. This can be a measure of network
performance. A successful ping also indicates that the destination host was reachable through
the network.

19. What function is provided by the Windows Task Manager?
It provides an active list of TCP connections.
It maintains system logs.
It selectively denies traffic on specified interfaces.
It provides information on system resources and processes.*

Windows Task Manager enables an end user to monitor applications, processes, and services
currently running on the end device. It can be used to start or stop programs, stop processes,
and display informative statistics about the device.

20. Which type of Windows PowerShell command performs an action
and returns an output or object to the next command that will be
executed?
scripts
functions
cmdlets*
routines

The types of commands that PowerShell can execute include the following:
cmdlets – perform an action and return an output or object to the next command that will be executed
PowerShell scripts – files with a .ps1 extension that contain PowerShell commands that are executed
PowerShell functions – pieces of code that can be referenced in a script

21. What would be displayed if the netstat -abno command was
entered on a Windows PC?
all active TCP and UDP connections, their current state, and their associated process ID
(PID)*
only active TCP connections in an ESTABLISHED state
only active UDP connections in an LISTENING state
a local routing table

With the optional switch -abno, the netstat command will display all network connections
together with associated running processes. It helps a user identify possible malware
connections.

22. Which two commands could be used to check if DNS name
resolution is working properly on a Windows PC? (Choose two.)
ipconfig /flushdns
net cisco.com
nslookup cisco.com*
ping cisco.com*
nbtstat cisco.com

The ping command tests the connection between two hosts. When ping uses a host domain
name to test the connection, the resolver on the PC will first perform the name resolution to
query the DNS server for the IP address of the host. If the ping command is unable to resolve
the domain name to an IP address, an error will result.
Nslookup is a tool for testing and troubleshooting DNS servers.

23. Refer to the exhibit.

A cyber security administrator is attempting to view system
information from the Windows PowerShell and receives the error
message shown. What action does the administrator need to take to
successfully run the command?
Run the command from the command prompt.
Install latest Windows updates.
Restart the abno service in Task Manager.
Run PowerShell as administrator.*

Best practices advise not to log into systems with an administrator account, but rather a user
account. When logged in as a user it is possible to run Windows utilities, such as PowerShell
and the Command Prompt, as an administrator by right-clicking on the utility and selecting Run
as Administrator.

24. Refer to the exhibit.

A cybersecurity analyst is investigating a reported security incident on
a Microsoft Windows computer. Which tool is the analyst using?
Event Viewer*
PowerShell
Task Manager
Performance Monitor

Event Viewer is used to investigate the history of application, security, and system events.
Events show the date and time that the event occurred along with the source of the event. If a
cybersecurity analyst has the address of the Windows computer targeted and/or the date and
time that a security breach occurred, the analyst could use Event Viewer to document and
prove what occurred on the computer.

25. For security reasons a network administrator needs to ensure that
local computers cannot ping each other. Which settings can
accomplish this task?
firewall settings*
MAC address settings
smartcard settings
file system settings

Smartcard and file system settings do not affect network operation. MAC address settings and
filtering may be used to control device network access but cannot be used to filter different
data traffic types.

26. Consider the path representation in Windows CLI C:\Users\Jason\Desktop\mydocu.txt.
What does the Users\Jason component represent?
file directory and subdirectory*
current file directory
file attribute
storage device or partition

In the path representation in Windows CLI, the components of C:\Users\Jason\Desktop\mydocu.txt
are as follows:
C:\ represents the root directory of the storage device.
Users\Jason represents the file directory.
Desktop represents the current file directory.
The mydocu.txt represents the user file.

27. Which two user accounts are automatically created when a user
installs Windows to a new computer? (Choose two.)
superuser
guest*
root
administrator*
system

When a user installs Windows, two local user accounts are created automatically during the
process, administrator and guest.

28. What term is used to describe a logical drive that can be formatted
to store data?
Partition*
track
sector
cluster
volume

Hard disk drives are organized by several physical and logical structures. Partitions are logical
portions of the disk that can be formatted to store data. Partitions consist of tracks, sectors,
and clusters. Tracks are concentric rings on the disk surface. Tracks are divided into sectors
and multiple sectors are combined logically to form clusters.

29. What is the purpose of entering the netsh command on a
Windows PC?
to create user accounts
to test the hardware devices on the PC
to change the computer name for the PC
to configure networking parameters for the PC*

The netsh.exe tool can be used to configure networking parameters for the PC from a
command prompt.

30. A technician is troubleshooting a PC unable to connect to the
network. What command should be issued to check the IP address of
the device?
Ipconfig*
ping
tracert
nslookup

The commands tracert and ping are used to test the connectivity of the PC to the network. The
command nslookup initiates a query to an Internet domain name server.

31. Refer to the exhibit.

Which Microsoft Windows application is being used?
Event Viewer
PowerShell
Task Manager
Performance Monitor*

Windows Performance Monitor is used to evaluate the performance of individual components
on a Windows host computer. Commonly monitored components include the processor, hard
drive, network, and memory. Windows Task Manager and Performance Monitor are used
when malware is suspected and a component is not performing the way it should.

32. What are two reasons for entering the ipconfig command on a
Windows PC? (Choose two.)
to review the network configuration on the PC*
to check if the DNS server can be contacted
to ensure that the PC can connect to remote networks
to review the status of network media connections*
to display the bandwidth and throughput of the network connection

The command ipconfig is a useful tool for troubleshooting. The command will display some
IP addressing configuration and the network media connection status. The command does not
test the connection to the DNS server configured or test remote networks. It does not display
bandwidth and throughput information.

33. What are two advantages of the NTFS file system compared with
FAT32? (Choose two.)
NTFS allows the automatic detection of bad sectors.
NTFS is easier to configure.
NTFS allows faster formatting of drives.
NTFS provides more security features.*
NTFS supports larger files.*
NTFS allows faster access to external peripherals such as a USB drive.

The file system has no control over the speed of access or formatting of drives, and the ease of
configuration is not file system-dependent.

34. What is the purpose of using the net accounts command in
Windows?
to start a network service
to display information about shared network resources
to show a list of computers and network devices on the network
to review the settings of password and logon requirements for users*

These are some common net commands:
net accounts – sets password and logon requirements for users
net start – starts a network service or lists running network services
net use – connects, disconnects, and displays information about shared network resources
net view – shows a list of computers and network devices on the network
When used without options, the net accounts command displays the current settings for
password, logon limitations, and domain information.

35. What are two reasons for entering the ping 127.0.0.1 command on
a Windows PC? (Choose two.)
to check if the NIC functions as expected*
to check if the default gateway is configured correctly
to display the bandwidth and throughput of the network connection
to check if the TCP/IP protocol suite is installed properly*
to ensure that the PC can connect to remote networks

The IP address 127.0.0.1 is a loopback address on the PC. A successful ping to the loopback
address indicates that the TCP/IP protocol suite is installed properly and the NIC is working
as expected. A ping to the loopback address does not test the connectivity to remote networks,
nor will it display bandwidth and throughput information.

CCNA Cyber Ops v1.1 Chapter 3 Exam Answers
1. What is the outcome when a Linux administrator enters the man
man command?
The man man command configures the network interface with a manual address.
The man man command provides documentation about the man command. *
The man man command provides a list of commands available at the current prompt.
The man man command opens the most recent log file.

B. The man command is short for manual and is used to obtain documentation about a Linux
command. The command man man would provide documentation about how to use the
manual.

2. What is a benefit of Linux being an open source operating system?
Linux distributions are maintained by a single organization.
Linux distributions must include free support without cost.
Linux distribution source code can be modified and then recompiled. *
Linux distributions are simpler operating systems since they are not designed to be connected
to a network.

C. Linux is an open source operating system and any person can access the source code,
inspect it, modify it, and recompile it. Linux distributions are maintained by a community of
programmers, are designed to be connected to a network, and do not have to provide free
support.

3. Which types of files are used to manage services in a Linux system?
Device files
System files
Directory files
Configuration files *

D. In Linux, services are managed using configuration files. When the service starts, it looks
for its configuration files, loads them into memory, and adjusts itself according to the settings
in the files.

4. Which working environment is more user-friendly?
A CLI *
A GUI
The command prompt
A hybrid GUI and CLI interface

B. A graphical user interface (GUI) is considered to be more user-friendly because it presents
the operating system with an interface and icons that make it easy to locate applications and
complete tasks.

5. Which Linux component would be used to access a short list of
tasks the application can perform?
Launcher
Quicklist *
Dash Search Box
System and Notification Menu

B. The Quicklist is accessed by right-clicking any application hosted on the Launcher.
Quicklist allows access to a few tasks for the specific application.

6. Which term is used to describe a running instance of a computer
program?
Fork
Patch
Process *
Package manager

C. A process is a running instance of a computer program. Multitasking operating systems can
execute multiple processes at the same time. A process ID (PID) is used to identify a process.
The ps or top command can be used to see what processes are currently running on a
computer.

7. Which type of tool is used by a Linux administrator to attack a
computer or network to find vulnerabilities?
Firewall
PenTesting *
Malware analysis
Intrusion detection system

B. PenTesting is known as penetration testing and includes tools that are used to search for
vulnerabilities in a network or computer by attacking it.

8. Which method can be used to harden a computing device?
Allow USB auto-detection.
Force periodic password changes. *
Allow default services to remain enabled.
Update patches on a strict annual basis irrespective of release date.

B. The basic best practices for device hardening are as follows:
Ensure physical security.
Minimize installed packages.
Disable unused services.
Use SSH and disable the root account login over SSH.
Keep the system updated.
Disable USB auto-detection.
Enforce strong passwords.
Force periodic password changes.
Keep users from reusing old passwords.
Review logs regularly.

9. Consider the result of the ls -l command in the Linux output below. What are the group file
permissions assigned to the analyst.txt file?

ls -l analyst.txt

-rwxrw-r-- sales staff 1028 May 28 15:50 analyst.txt

Read only
Read, write *
Full access
Read, write, execute

B. The file permissions are always displayed in the User, Group, and Other order. In the
example displayed, the file has the following permissions:
The dash (-) means that this is a file. For directories, the first dash would be replaced with a
"d".
The first set of characters is for user permission (rwx). The user, sales, who owns the file can
read, write, and execute the file.
The second set of characters is for group permissions (rw-). The group, staff, who owns the
file can read and write to the file.
The third set of characters is for any other user or group permissions (r--).
Any other user or group on the computer can only read the file.

10. Why would a network administrator choose Linux as an operating system in the Security
Operations Center (SOC)?
It is easier to use than other operating systems.
It is more secure than other server operating systems.
The administrator has more control over the operating system.*
More network applications are created for this environment.

There are several reasons why Linux is a good choice for the SOC. Linux is open source.
The command line interface is a very powerful environment.
The user has more control over the operating system.
Linux allows for better network communication control.

11. Which Linux command can be used to display the name of the
current working directory?
chmod
pwd*
ps
sudo

One of the most important commands in Linux is the pwd command, which stands for print
working directory. It shows users the physical path for the directory they are working in.

12. Consider the result of the ls -l command in the Linux output below. What are the file
permissions assigned to the sales user for the analyst.txt file?
ls -l analyst.txt

-rwxrw-r-- sales staff 1028 May 28 15:50 analyst.txt

write only
read, write, execute*
read, write
read only

The file permissions are always displayed in the User, Group and Other order. In the example
displayed, the file has the following permissions:
The dash (-) means that this is a file. For directories, the first dash would be replaced with a "d".
The first set of characters is for user permission (rwx). The user, sales, who owns the file can
read, write and execute the file.
The second set of characters is for group permissions (rw-). The group, staff, who owns the
file can read and write to the file.
The third set of characters is for any other user or group permissions (r--). Any other user or
group on the computer can only read the file.
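Questions 9 and 12 read the mode string by eye. The following is an added Python example, not part of the exam material, that parses the same ls -l mode string into user, group and other permissions, the octal form, and the setuid/setgid/sticky bits, and then answers the question the kernel actually asks: which class applies to a given user. The sample line is the one from the questions; the root behaviour noted in a comment (CAP_DAC_OVERRIDE) is standard Linux semantics, not something the page states.

```python
"""Parse the mode string printed by ls -l (added example, not exam material).

The sample line is the one from questions 9 and 12 on this page. Note it
has no hard-link-count column, unlike real ls -l output; parse_ls_line()
handles both layouts.
"""
from dataclasses import dataclass

SAMPLE_LINE = "-rwxrw-r-- sales staff 1028 May 28 15:50 analyst.txt"

FILE_TYPES = {
    "-": "regular file", "d": "directory", "l": "symbolic link",
    "c": "character device", "b": "block device", "s": "socket", "p": "named pipe",
}


@dataclass
class Mode:
    file_type: str
    user: str      # e.g. "rwx"
    group: str     # e.g. "rw-"
    other: str     # e.g. "r--"
    setuid: bool
    setgid: bool
    sticky: bool
    octal: str     # e.g. "0764"


def _triplet(chars: str, special: str):
    """Normalise one rwx triplet. 's'/'t' in the x slot mean execute plus the special
    bit; uppercase 'S'/'T' mean the special bit is set but execute is not."""
    r, w, x = chars
    has_special = x in (special, special.upper())
    has_exec = x in ("x", special)
    perms = ("r" if r == "r" else "-") + ("w" if w == "w" else "-") + ("x" if has_exec else "-")
    return perms, has_special


def parse_mode(mode: str) -> Mode:
    """Turn '-rwxrw-r--' into a Mode. An 11th character ('.' or '+', SELinux/ACL) is ignored."""
    if len(mode) < 10:
        raise ValueError(f"mode string too short: {mode!r}")
    user, suid = _triplet(mode[1:4], "s")
    group, sgid = _triplet(mode[4:7], "s")
    other, sticky = _triplet(mode[7:10], "t")

    def digit(p: str) -> int:
        return (4 if p[0] == "r" else 0) + (2 if p[1] == "w" else 0) + (1 if p[2] == "x" else 0)

    special = (4 if suid else 0) + (2 if sgid else 0) + (1 if sticky else 0)
    octal = f"{special}{digit(user)}{digit(group)}{digit(other)}"
    return Mode(FILE_TYPES.get(mode[0], "unknown"), user, group, other, suid, sgid, sticky, octal)


def describe(perms: str) -> str:
    """'rw-' -> 'read, write'."""
    words = [name for ch, name in zip(perms, ("read", "write", "execute")) if ch != "-"]
    return ", ".join(words) if words else "no access"


def parse_ls_line(line: str) -> dict:
    fields = line.split()
    mode = parse_mode(fields[0])
    # Real ls -l output: mode, link count, owner, group, size, date, name.
    # The page's sample omits the link count, so detect whether it is present.
    owner, group = (fields[2], fields[3]) if fields[1].isdigit() else (fields[1], fields[2])
    return {"mode": mode, "owner": owner, "group": group, "name": fields[-1]}


def effective_access(mode: Mode, owner: str, group: str, who: str, groups: set,
                     is_root: bool = False) -> str:
    """Permission triplet applied to `who`: owner class if they own the file, else group
    class if they belong to the file's group, else other. Root (CAP_DAC_OVERRIDE) bypasses
    the read/write checks; execute still needs at least one x bit set on the file."""
    if is_root:
        any_exec = "x" in (mode.user[2] + mode.group[2] + mode.other[2])
        return "rw" + ("x" if any_exec else "-")
    if who == owner:
        return mode.user
    if group in groups:
        return mode.group
    return mode.other


if __name__ == "__main__":
    info = parse_ls_line(SAMPLE_LINE)
    m = info["mode"]
    print(f"{info['name']}: {m.file_type}, octal {m.octal}")
    print(f"  owner {info['owner']}: {describe(m.user)}")
    print(f"  group {info['group']}: {describe(m.group)}")
    print(f"  others: {describe(m.other)}")
```

Run it on any real ls -l line as well; the octal form is what you would hand to chmod to reproduce the mode.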

13. A Linux system boots into the GUI by default, so which application can a network
administrator use in order to access the CLI environment?
file viewer
package management tool
terminal emulator*
system viewer

A terminal emulator is an application program a user of Linux can use in order to access the
CLI environment.

14. The image displays a laptop that is acting as the SSH client that is
communicating with an SSH server. Refer to the exhibit.
[Exhibit: CCNA Cyber Ops v1.1 Chapter 3 Exam Q14]

Which well-known port number is used by the server?
23
22*
21
25

SSH is a protocol that is used to securely access a remote network device. The well-known
port number used by SSH is 22.

15. How is a server different from a workstation computer?
The server works as a standalone computer.
The server is designed to provide services to clients.*
The workstation has fewer applications installed.
The workstation has more users who attach to it.

Servers provide services such as file management, email, web pages, log management,
financial transactions, databases, and more.

16. Which two methods can be used to harden a computing device? (Choose two.)
Allow default services to remain enabled.
Update patches on a strict annual basis irrespective of release date.
Enforce the password history mechanism.*
Ensure physical security.*
Allow USB auto-detection.

The basic best practices for device hardening are as follows:
Ensure physical security.
Minimize installed packages.
Disable unused services.
Use SSH and disable the root account login over SSH.
Keep the system updated.
Disable USB auto-detection.
Enforce strong passwords.
Force periodic password changes.
Keep users from reusing old passwords.
Review logs regularly.
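Three of the items above (disable root login over SSH, force periodic password changes, keep users from reusing old passwords) can be verified from configuration files rather than by trusting a checklist. The following is an added Python example, not from the exam page or from Cisco, that parses constructed copies of /etc/ssh/sshd_config, /etc/login.defs and a PAM password stanza and reports which items fail. The 90-day rotation and remember=5 thresholds are assumptions chosen for the example, not values the page states.

```python
"""Check a few device-hardening items against config text (added example).

Inputs are constructed copies of the relevant files, not real system files,
so the script runs anywhere. MAX_DAYS and MIN_REMEMBER are assumptions
chosen for this example.
"""
import re

MAX_DAYS = 90       # assumption: passwords must be rotated at least every 90 days
MIN_REMEMBER = 5    # assumption: at least 5 previous passwords must be remembered

# --- constructed sample files ---------------------------------------------
SSHD_WEAK = """
# Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

SSHD_HARDENED = """
PermitRootLogin no
PubkeyAuthentication yes
# sshd keeps the FIRST value given for a keyword, so this later line is inert.
# A naive grep for 'PermitRootLogin yes' would report a false positive here.
PermitRootLogin yes
"""

LOGIN_DEFS_WEAK = """
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""

LOGIN_DEFS_OK = "PASS_MAX_DAYS 60\nPASS_MIN_DAYS 1\n"

PAM_WEAK = """
password requisite pam_pwquality.so retry=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
"""

PAM_OK = """
password requisite pam_pwquality.so retry=3 minlen=14
password required pam_pwhistory.so remember=5 use_authtok
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
"""


def parse_kv(text: str) -> dict:
    """Keyword/value parse shared by sshd_config and login.defs: whitespace or '='
    separates key from value, lines starting with '#' are comments, keys are
    case-insensitive, and the FIRST occurrence of a keyword wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit_sshd(text: str) -> list:
    conf = parse_kv(text)
    # OpenSSH defaults PermitRootLogin to prohibit-password; only an explicit 'yes' fails.
    if conf.get("permitrootlogin", "prohibit-password").lower() == "yes":
        return ["sshd_config: PermitRootLogin yes (disable root login over SSH)"]
    return []


def audit_login_defs(text: str, max_days: int = MAX_DAYS) -> list:
    conf = parse_kv(text)
    try:
        days = int(conf.get("pass_max_days", "99999"))  # shadow-utils default is 99999
    except ValueError:
        days = 99999
    if days > max_days:
        return [f"login.defs: PASS_MAX_DAYS={days} exceeds {max_days} (periodic change not forced)"]
    return []


def audit_pam_history(text: str, min_remember: int = MIN_REMEMBER) -> list:
    """Password history may be enforced by pam_pwhistory.so or by pam_unix.so remember=N."""
    remembered = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("password"):
            continue
        if "pam_pwhistory.so" in line or "pam_unix.so" in line:
            m = re.search(r"\bremember=(\d+)", line)
            if m:
                remembered = max(remembered, int(m.group(1)))
    if remembered < min_remember:
        return [f"pam: remember={remembered} is below {min_remember} (old passwords can be reused)"]
    return []


def audit(sshd_config: str, login_defs: str, pam_password: str) -> list:
    """Return the list of failed hardening items; an empty list means all checks passed."""
    return audit_sshd(sshd_config) + audit_login_defs(login_defs) + audit_pam_history(pam_password)


if __name__ == "__main__":
    for name, args in (("weak", (SSHD_WEAK, LOGIN_DEFS_WEAK, PAM_WEAK)),
                       ("hardened", (SSHD_HARDENED, LOGIN_DEFS_OK, PAM_OK))):
        findings = audit(*args)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

On a real host, feed the functions the contents of the actual files (and remember that sshd also reads Include'd files and Match blocks, which this simple parser does not follow).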

17. What is the main purpose of the X Window System?
to provide a customizable CLI environment
to provide a basic framework for a GUI*
to provide remote access to a Linux-based system
to provide a basic set of penetration testing tools

The X Window System provides the basic framework for a GUI, but the GUI itself varies
greatly between different distributions.

18. Which Linux command is used to manage processes?
kill*
grep
chkrootkit
ls

The kill command sends a signal to a process and is used to stop it (SIGTERM, SIGKILL), pause and
resume it (SIGSTOP, SIGCONT), or ask a daemon to reload its configuration (SIGHUP). The chkrootkit
command is used to check the computer for rootkits, a set of software tools that can increase the
privilege level of a user or grant access to portions of software normally not allowed. The grep
command is used to search for text patterns within files. The ls command is used to list files,
directories, and file information.

19. Why is Linux considered to be better protected against malware than other operating
systems?
fewer deployments
integrated firewall
customizable penetration and protection tools
file system structure, file permissions, and user account restrictions*

The Linux operating system design, including how the file system is structured, standard file
permissions, and user account restrictions, makes Linux a better protected operating system.
However, Linux still has vulnerabilities and can have malware installed that affects the
operating system.

20. Which two Linux commands might be used before using the kill
command? (Choose two.)
top*
ls
grep
ps*
chroot

The ps or top command might be used before using the kill command to discover the process
ID (PID) for the specific process.

21. What term is used for operating system updates?
Patches*
new releases
penetration testing
packages

Operating system updates, also known as patches, are provided by companies that create the
operating system. A user can check for operating system updates at any time. In a Linux GUI
environment, the Dash Search Box can be used to search for the Software Updater icon.

22. What term describes a set of software tools designed to increase the privileges of a user or
to grant access to the user to portions of the operating system that should not normally be
allowed?
penetration testing
package manager
rootkit*
compiler

A rootkit is used by an attacker to secure a backdoor to a compromised computer, grant access
to portions of the operating system normally not permitted, or increase the privileges of a
user.

23. What is the well-known port address number used by DNS to serve requests?
60
110
25
53*

Port numbers are used in TCP and UDP communications to differentiate between the various
services running on a device. The well-known port number used by DNS is port 53.

24. Which file system is the primary file system used by Apple in
current Macintosh computers?
CDFS
APFS*
ext3
ext2
HFS+

The primary file system used by Apple in its latest Macintosh computers is APFS.

25. Which type of tool allows administrators to observe and understand every detail of a
network transaction?
malware analysis tool
packet capture software*
ticketing system
log manager

Network packet capture software is an important tool because it makes it possible to observe
and understand the details of a network transaction.

26. Which command can be utilized to view log entries of NGINX system events in real time?
sudo journalctl -u nginx.service -f*
sudo journalctl -f
sudo journalctl --until "1 hour ago"
sudo journalctl -u nginx.services

The journalctl command supports mixing options to achieve a desired filter set. The -u option
allows filtering on the desired unit, whereas the -f option follows the specific log, thus
monitoring the events in real time.

27. What is the purpose of a Linux package manager?
It provides access to settings and the shutdown function.
It is used to compile code that creates an application.
It is used to install an application.*
It provides a short list of tasks a particular application can perform.

A package is a specific program and all of the files needed to run that application. A package
manager is used to install a package and place all the associated files in the correct location
within the operating system.

28. Which user can override file permissions on a Linux computer?
only the creator of the file
any user that has 'group' permission to the file
any user that has 'other' permission to the file
root user*

A user has only as many rights to a file as the file permissions allow. The only user that can
override file permissions on a Linux computer is the root user. Because the root user has the
power to override file permissions, the root user can read and write any file.

29. Which Linux file system introduced the journaled file system,
which can be used to minimize the risk of file system corruption in the
event of a sudden power loss?
ext2
ext3*
NFS
CDFS

The ext3 file system is considered a journaled file system that was designed to improve the
existing ext2 file system. A journal, the main feature added to ext3, is a technique used to
minimize the risk of file system corruption in the event of sudden power loss.

30. What is the method employed by a Linux kernel to create new processes for multitasking of
a process?
creating interdependent processes
dynamic processes
pipelining
forking*

Multitasking operating systems are required to execute several processes at the same time.
Forking is a method that the kernel uses to allow a process to create a copy of itself.

31. What is a purpose of apt-get commands?
to configure an appointment for a specific date and time
to configure and manage task (to-do) lists
to update the operating system*
to apportion and configure a part of the hard disk for file storage

The Advanced Package Tool (apt) package manager is used to update the operating system.
The apt-get update command is used to search and obtain the package list from a repository
and update the local package database; apt-get upgrade then installs the newer versions.

CCNA Cyber Ops v1.1 Chapter 4 Exam Answers
1. Which message does an IPv4 host use to reply when it receives a
DHCPOFFER message from a DHCP server?
DHCPACK
DHCPREQUEST *
DHCPDISCOVER
DHCPOFFER

B. When the client receives the DHCPOFFER from the server, it sends back a
DHCPREQUEST broadcast message. On receiving the DHCPREQUEST message, the server
replies with a unicast DHCPACK message.

2. What OSI layer is responsible for establishing a temporary communication session between
two applications and ensuring that transmitted data can be reassembled in proper sequence?
Session
Transport *
Network
Data link

B. The transport layer of the OSI model has several responsibilities. One of the primary
responsibilities is to segment data into blocks that can be reassembled in proper sequence at
the destination device.

3. PC1 and PC3 are on different networks separated by a router, RT1. PC1 issues an ARP
request because it needs to send a packet to PC3. In this scenario, what will happen next?
RT1 will forward the ARP request to PC3.
RT1 will drop the ARP request.
RT1 will send an ARP reply with its own MAC address. *
RT1 will send an ARP reply with the PC3 MAC address.

C. When a network device has to communicate with a device on another network, it
broadcasts an ARP request asking for the default gateway MAC address. The default gateway
(RT1) unicasts an ARP reply with its MAC address.

4. What addresses are mapped by ARP?
Destination IPv4 address to the source MAC address
Destination IPv4 address to the destination hostname
Destination MAC address to the source IPv4 address
Destination MAC address to a destination IPv4 address *

D. ARP, or the Address Resolution Protocol, works by mapping a destination MAC address to
a destination IPv4 address. The host knows the destination IPv4 address and uses ARP to
resolve the corresponding destination MAC address.

5. Which statement is true about FTP?
The client can download data from or upload data to the server. *
The client can choose if FTP is going to establish one or two connections with the server.
FTP is a peer-to-peer application.
FTP does not provide reliability during data transmission.

A. FTP is a client/server protocol. FTP requires two connections between the client and the
server and uses TCP to provide reliable connections. With FTP, data transfer can happen in
either direction. The client can download (pull) data from the server or upload (push) data to
the server.

6. Which two OSI model layers have the same functionality as two
layers of the TCP/IP model? (Choose two.)
Session
Transport *
Network *
Data link
Physical

B, C. The OSI transport layer is functionally equivalent to the TCP/IP transport layer, and the
OSI network layer is equivalent to the TCP/IP Internet layer. The OSI data link and physical
layers together are equivalent to the TCP/IP network access layer. The OSI session layer (with
the presentation layer) is included within the TCP/IP application layer.

7. Which statement is true about the TCP/IP and OSI models?
The TCP/IP transport layer and OSI Layer 4 provide similar services and functions. *
The TCP/IP network access layer has similar functions to the OSI network layer.
The OSI Layer 7 and the TCP/IP application layer provide identical functions.
The first three OSI layers describe general services that are also provided by the TCP/IP
Internet layer.

A. The TCP/IP Internet layer provides the same function as the OSI network layer. The
transport layer of both the TCP/IP and OSI models provides the same function. The TCP/IP
application layer includes the same functions as OSI Layers 5, 6, and 7.

8. What is the most compressed representation of the IPv6 address
2001:0000:0000:abcd:0000:0000:0000:0001?
2001::abcd::1
2001:0:abcd::1
2001::abcd:0:1
2001:0:0:abcd::1 *
2001:0000:abcd::1

D. The IPv6 address 2001:0000:0000:abcd:0000:0000:0000:0001 in its most compressed
format would be 2001:0:0:abcd::1. The first two hextets of zeros would each compress to a
single zero. The three consecutive hextets of zeros can be compressed to a double colon ::.
The three leading zeros in the last hextet can be removed. The double colon :: can only be
used once in an address.

9. What three application layer protocols are part of the TCP/IP protocol suite? (Choose three.)
ARP
DHCP *
DNS *
FTP *
NAT
PPP

B, C, D. DNS, DHCP, and FTP are all application layer protocols in the TCP/IP protocol
suite. ARP and PPP are network access layer protocols, and NAT is an Internet layer protocol
in the TCP/IP protocol suite.

10. If the default gateway is configured incorrectly on the host, what is the impact on
communications?
The host is unable to communicate on the local network.
There is no impact on communications.
The host can communicate with other hosts on remote networks, but is unable to
communicate with hosts on the local network.
The host can communicate with other hosts on the local network, but is unable to
communicate with hosts on remote networks. *

D. A default gateway is only required to communicate with devices on another network. The
absence of a default gateway does not affect connectivity between devices on the same local
network.

11. Which message delivery option is used when all devices need to
receive the same message simultaneously?
Duplex
Unicast
Multicast
Broadcast *

D. When all devices need to receive the same message simultaneously, the message would be
delivered as a broadcast. Unicast delivery occurs when one source host sends a message to
one destination host. The sending of the same message from a host to a group of destination
hosts is multicast delivery. Duplex communications refers to the ability of the medium to
carry messages in both directions.

12. How is a DHCPDISCOVER transmitted on a network to reach a DHCP server?
A DHCPDISCOVER message is sent with a multicast IP address that all DHCP servers listen
to as the destination address.
A DHCPDISCOVER message is sent with the broadcast IP address as the destination
address.*
A DHCPDISCOVER message is sent with the IP address of the default gateway as the
destination address.
A DHCPDISCOVER message is sent with the IP address of the DHCP server as the
destination address.

The DHCPDISCOVER message is sent by a DHCPv4 client and targets a broadcast IP along
with the destination port 67. The DHCPv4 server or servers respond to the DHCPv4 clients by
targeting port 68.

13. A high school in New York (school A) is using videoconferencing technology to establish
student interactions with another high school (school B) in Russia. The videoconferencing is
conducted between two end devices through the Internet. The network administrator of
school A configures the end device with the IP address 209.165.201.10. The administrator
sends a request for the IP address for the end device in school B and the response is
192.168.25.10. Neither school is using a VPN. The administrator knows immediately that this
IP will not work. Why?
This is a link-local address.
This is a loopback address.
There is an IP address conflict.
This is a private IP address.*

The IP address 192.168.25.10 is an IPv4 private address. This address will not be routed over
the Internet, so school A will not be able to reach school B. Because the address is a private
one, it can be used freely on an internal network. As long as no two devices on the internal
network are assigned the same private IP, there is no IP conflict issue. Devices that are
assigned a private IP will need to use NAT in order to communicate over the Internet.

14. What is a socket?
the combination of the source and destination sequence numbers and port numbers
the combination of a source IP address and port number or a destination IP address and
port number*
the combination of the source and destination sequence and acknowledgment numbers
the combination of the source and destination IP address and source and destination Ethernet
address

A socket is a combination of the source IP address and source port or the destination IP
address and the destination port number.

15. What part of the URL, http://www.cisco.com/index.html, represents the top-level DNS
domain?
www
http
index
com*

The components of the URL http://www.cisco.com/index.html are as follows:
http = protocol
www = part of the server name
cisco = part of the domain name
index.html = file name
com = the top-level domain

16. The graphic shows a network diagram as follows:
PC A connects to switch S1, which connects to the G0/0 interface of
router R1. PC B connects to switch S2, which connects to the G0/1
interface of router R1. A network analyst is connected to switch S2.
The address of each device is as follows:
PC A: 192.168.1.212 and FE80::1243:FEFE:8A43:2122 and 01-90-C0-E4-55-BB
PC B: 192.168.2.101 and FE80::FBB2:E77A:D143 and 08-CB-8A-5C-D5-8A
R1 G0/0: 192.168.1.1 and FE80::1 and 00-D0-D3-BE-79-26
R1 G0/1: 192.168.2.1 and FE80::1 and 00-60-0F-B1-D1-11

Refer to the exhibit. A cybersecurity analyst is viewing captured
ICMP echo request packets sent from host A to host B on switch S2.
What is the source MAC address of Ethernet frames carrying the
ICMP echo request packets?
08-CB-8A-5C-D5-BA
00-D0-D3-BE-79-26
00-60-0F-B1-D1-11*
01-90-C0-E4-55-BB

When router R1 receives the ICMP echo requests from host A it will forward the packets out
interface G0/1 towards host B. However, before forwarding the packets, R1 will encapsulate
them in a new Ethernet frame using the MAC address of interface G0/1 as the source and the
MAC address of host B as the destination.

17. Refer to the exhibit.
A cybersecurity analyst is viewing captured packets forwarded on
switch S1. Which device has the MAC address 50:6a:03:96:71:22?
PC-A
router DG*
DNS server
router ISP
web server

The Wireshark capture is of a DNS query from PC-A to the DNS server. Because the DNS
server is on a remote network, the PC will send the query to the default gateway router, router
DG, using the MAC address of the router G0/0 interface on the router.

18. Which term is used to describe the process of placing one message
format inside another message format?
encoding
multiplexing
encapsulation*
segmentation

The encapsulation process is performed at each OSI layer and is the process of placing one
message format inside another message format.

19. Which PDU format is used when bits are received from the
network medium by the NIC of a host?
Frame*
file
packet
segment

When received at the physical layer of a host, the bits are formatted into a frame at the data
link layer. A packet is the PDU at the network layer. A segment is the PDU at the transport
layer. A file is a data structure that may be used at the application layer.

20. What are two features of ARP? (Choose two.)
An ARP request is sent to all devices on the Ethernet LAN and contains the IP address of the
destination host and its multicast MAC address.
If no device responds to the ARP request, then the originating node will broadcast the data
packet to all devices on the network segment.
When a host is encapsulating a packet into a frame, it refers to the MAC address table to
determine the mapping of IP addresses to MAC addresses.
If a host is ready to send a packet to a local destination device and it has the IP address
but not the MAC address of the destination, it generates an ARP broadcast.*
If a device receiving an ARP request has the destination IPv4 address, it responds with an
ARP reply.*

When a node encapsulates a data packet into a frame, it needs the destination MAC address.
First it determines if the destination device is on the local network or on a remote network.
Then it checks the ARP table (not the MAC table) to see if a pair of IP address and MAC
address exists for either the destination IP address (if the destination host is on the local
network) or the default gateway IP address (if the destination host is on a remote network). If
the match does not exist, it generates an ARP broadcast to seek the IP address to MAC
address resolution. Because the destination MAC address is unknown, the ARP request is
broadcast with the MAC address FFFF.FFFF.FFFF. Either the destination device or the
default gateway will respond with its MAC address, which enables the sending node to
assemble the frame. If no device responds to the ARP request, then the originating node will
discard the packet because a frame cannot be created.

21. In NAT translation for internal hosts, what address would be used
by external users to reach internal hosts?
outside global
outside local
inside local
inside global*

From the perspective of a NAT device, inside global addresses are used by external users to
reach internal hosts. Inside local addresses are the addresses assigned to internal hosts.
Outside global addresses are the addresses of destinations on the external network. Outside
local addresses are the actual private addresses of destination hosts behind other NAT
devices.

22. The exhibit shows a network topology. PC1 and PC2 are
connected to the Fa0/1 and Fa0/2 ports of the SW1 switch,
respectively. SW1 is connected through its Fa0/3 port to the Fa0/0
interface of the RT1 router. RT1 is connected through its Fa0/1 to the
Fa0/2 port of SW2 switch. SW2 is connected through its Fa0/1 port to
the PC3.

Refer to the exhibit. PC1 issues an ARP request because it needs to send a packet to PC2. In
this scenario, what will happen next?
SW1 will send an ARP reply with the PC2 MAC address.
PC2 will send an ARP reply with its MAC address.*
RT1 will send an ARP reply with its Fa0/0 MAC address.
RT1 will send an ARP reply with the PC2 MAC address.
SW1 will send an ARP reply with its Fa0/1 MAC address.

When a network device wants to communicate with another device on the same network, it
sends a broadcast ARP request. In this case, the request will contain the IP address of PC2.
The destination device (PC2) sends an ARP reply with its MAC address.

23. Which two characteristics are associated with UDP sessions? (Choose two.)
Unacknowledged data packets are retransmitted.
Destination devices receive traffic with minimal delay.*
Destination devices reassemble messages and pass them to an application.
Transmitted data segments are tracked.
Received data is unacknowledged.*

TCP:
• Provides tracking of transmitted data segments.
• Destination devices will acknowledge received data.
• Source devices will retransmit unacknowledged data.
UDP:
• Destination devices will not acknowledge received data.
• Headers use very little overhead and cause minimal delay.

24. Refer to the exhibit.

What is the global IPv6 address of the host in uncompressed format?
2001:0DB8:0000:0000:0BAF:0000:3F57:FE94*
2001:0DB8:0000:0BAF:0000:0000:3F57:FE94
2001:DB80:0000:0000:BAF0:0000:3F57:FE94
2001:0DB8:0000:0000:0000:0BAF:3F57:FE94

In the compressed format, the :: represents two contiguous hextets of all zeros. Leading zeros
in the second, fifth, and sixth hextets have also been removed.
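Questions 8 and 24 apply the IPv6 compression rules by hand. The following is an added Python example, not part of the exam material, that implements those rules as an algorithm: expand any address to eight four-digit hextets, then compress by the RFC 5952 rules (drop leading zeros, replace the longest run of at least two zero hextets with "::", first run on a tie, never shorten a single zero hextet). It goes beyond the two addresses in the text by accepting any input and rejecting a second "::". The addresses used are the ones from the questions; the cross-check against the standard library is only for confirmation.

```python
"""Expand and compress IPv6 addresses by the RFC 5952 rules (added example).

The two addresses below are the ones used in questions 8 and 24 on this page.
"""
import ipaddress  # used only in main() to cross-check against the standard library

Q8_ADDRESS = "2001:0000:0000:abcd:0000:0000:0000:0001"
Q24_ADDRESS = "2001:0DB8:0000:0000:0BAF:0000:3F57:FE94"

HEX = set("0123456789abcdef")


def expand_ipv6(addr: str) -> str:
    """Return the address as eight lowercase, zero-padded, colon-separated hextets."""
    addr = addr.strip().lower()
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an IPv6 address")
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero hextet")
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 hextets, got {len(parts)}: {addr!r}")
    for p in parts:
        if not 1 <= len(p) <= 4 or not set(p) <= HEX:
            raise ValueError(f"invalid hextet {p!r}")
    return ":".join(p.zfill(4) for p in parts)


def compress_ipv6(addr: str) -> str:
    """Canonical text form: no leading zeros, longest zero run (>= 2 hextets) becomes '::'."""
    hextets = [format(int(h, 16), "x") for h in expand_ipv6(addr).split(":")]

    # Locate the longest run of consecutive zero hextets; the first run wins a tie.
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if hextets[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and hextets[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j

    if best_len < 2:  # RFC 5952: a lone zero hextet is written as '0', not '::'
        return ":".join(hextets)
    left = ":".join(hextets[:best_start])
    right = ":".join(hextets[best_start + best_len:])
    return f"{left}::{right}"


if __name__ == "__main__":
    for a in (Q8_ADDRESS, Q24_ADDRESS, "::1", "2001:db8:0:1:1:1:1:1"):
        c = compress_ipv6(a)
        assert c == str(ipaddress.IPv6Address(a))  # agree with the standard library
        print(f"{a:40} -> {c:28} -> {expand_ipv6(c)}")
```

The distractors in question 8 are instructive: 2001::abcd::1 is rejected because "::" is ambiguous when it appears twice, while 2001::abcd:0:1 is a perfectly valid address that simply is not the one asked for.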

25. What is the purpose of the routing process?
to provide secure Internet file transfer
to convert a URL name into an IP address
to forward traffic on the basis of MAC addresses
to encapsulate data that is used to communicate across a network
to select the paths that are used to direct traffic to destination networks*

26. Which application layer protocol uses message types such as GET,
PUT, and POST?
SMTP
POP3
DHCP
HTTP*
DNS

GET is a client request for a resource from a web server. PUT uploads a resource, such as an
image, to a given location on a web server. POST submits data to a web server for processing,
for example a form submission or a file upload.

27. Which transport layer feature is used to guarantee session establishment?
UDP sequence number
TCP 3-way handshake*
TCP port number
UDP ACK flag

TCP uses the 3-way handshake. UDP does not use this feature. The 3-way handshake ensures
there is connectivity between the source and destination devices before transmission occurs.

28. What is the prefix length notation for the subnet mask
255.255.255.224?
/26
/27*
/28
/25

The binary format for 255.255.255.224 is 11111111.11111111.11111111.11100000. The
prefix length is the number of consecutive 1s in the subnet mask. Therefore, the prefix length
is /27.

29. What are two potential network problems that can result from
ARP operation? (Choose two.)
Multiple ARP replies result in the switch MAC address table containing entries that match the
MAC addresses of hosts that are connected to the relevant switch port.
Network attackers could manipulate MAC address and IP address mappings in ARP
messages with the intent of intercepting network traffic.*
On large networks with low bandwidth, multiple ARP broadcasts could cause data
communication delays.*
Manually configuring static ARP associations could facilitate ARP poisoning or MAC
address spoofing.
Large numbers of ARP request broadcasts could cause the host MAC address table to
overflow and prevent the host from communicating on the network.

Large numbers of ARP broadcast messages could cause momentary data communications
delays. Network attackers could manipulate MAC address and IP address mappings in ARP
messages with the intent to intercept network traffic. ARP requests and replies cause entries to
be made into the ARP table, not the MAC address table. ARP table overflows are very
unlikely. Manually configuring static ARP associations is a way to prevent, not facilitate,
ARP poisoning and MAC address spoofing. Multiple ARP replies resulting in the switch
MAC address table containing entries that match the MAC addresses of connected nodes and
are associated with the relevant switch port are required for normal switch frame forwarding
operations. It is not an ARP caused network problem.
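The first correct option above (attackers manipulating IP-to-MAC mappings in ARP messages) is what tools such as arpwatch watch for, and the static entries the explanation mentions are the trusted baseline such a check compares against. The following is an added Python example, not part of the exam material, that runs three checks over a constructed ARP capture: a reply that no recent request asked for, a reply that contradicts a trusted static entry, and an IP whose observed MAC changes. The capture, the attacker MAC and the 2-second request window are constructed for the example; the gateway and PC A MAC addresses are reused from the question 16 exhibit.

```python
"""Flag ARP replies that look like poisoning (added example, not exam material).

The capture below is constructed: two normal gateway resolutions followed by
a host answering for the gateway's IP with its own MAC. The gateway and PC A
MAC addresses are taken from the question 16 exhibit; the rest are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ts: float          # seconds since capture start
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00-d0-d3-be-79-26"
ATTACKER_MAC = "de-ad-be-ef-00-01"  # invented

SAMPLE_CAPTURE = [
    ArpPacket(0.0, "request", "192.168.1.212", "01-90-c0-e4-55-bb", GATEWAY_IP),
    ArpPacket(0.1, "reply", GATEWAY_IP, GATEWAY_MAC, "192.168.1.212"),
    ArpPacket(5.0, "request", "192.168.1.50", "aa-bb-cc-00-00-01", GATEWAY_IP),
    ArpPacket(5.1, "reply", GATEWAY_IP, GATEWAY_MAC, "192.168.1.50"),
    # Poisoning: unsolicited replies claiming the gateway IP with another MAC.
    ArpPacket(30.0, "reply", GATEWAY_IP, ATTACKER_MAC, "192.168.1.212"),
    ArpPacket(31.0, "reply", GATEWAY_IP, ATTACKER_MAC, "192.168.1.50"),
]

# Trusted mappings an operator configures by hand (the static ARP entries the
# explanation above lists as a preventive measure).
STATIC_ENTRIES = {GATEWAY_IP: GATEWAY_MAC}

REQUEST_WINDOW = 2.0  # seconds a reply may trail the request it answers (assumption)


def detect_arp_anomalies(packets, static=STATIC_ENTRIES, window=REQUEST_WINDOW) -> list:
    """Return one alert string per suspicious observation, in capture order."""
    alerts = []
    last_seen = {}      # sender_ip -> most recently observed MAC
    pending = {}        # target_ip -> timestamp of the latest outstanding request
    for pkt in packets:
        mac = pkt.sender_mac.lower()
        if pkt.op == "request":
            pending[pkt.target_ip] = pkt.ts
            continue
        if pkt.op != "reply":
            raise ValueError(f"unknown ARP op {pkt.op!r}")

        # 1. Unsolicited (gratuitous) reply: nobody asked for this IP recently.
        asked = pending.pop(pkt.sender_ip, None)
        if asked is None or pkt.ts - asked > window:
            alerts.append(f"{pkt.ts:6.1f}s unsolicited reply: {pkt.sender_ip} is-at {mac}")

        # 2. Contradicts a trusted static entry.
        if pkt.sender_ip in static and static[pkt.sender_ip].lower() != mac:
            alerts.append(f"{pkt.ts:6.1f}s static mismatch: {pkt.sender_ip} expected "
                          f"{static[pkt.sender_ip].lower()}, saw {mac}")

        # 3. Mapping flip: the IP was previously seen with a different MAC.
        previous = last_seen.get(pkt.sender_ip)
        if previous is not None and previous != mac:
            alerts.append(f"{pkt.ts:6.1f}s mapping changed: {pkt.sender_ip} {previous} -> {mac}")
        last_seen[pkt.sender_ip] = mac
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_CAPTURE):
        print(alert)
```

Gratuitous ARP is also sent legitimately (address takeover in HA clusters, some DHCP clients), so check 1 on its own is noisy; the static mismatch and mapping-change checks are what an analyst would page on.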

30. Which TCP mechanism is used to identify missing segments?
sequence numbers*
FCS
acknowledgments
window size

TCP segments are acknowledged by the receiver as they arrive. The receiver keeps track of
the sequence number of received segments and uses the sequence number to reorder the
segments and to identify any missing segments that need to be retransmitted.

31. What is the purpose of ICMP messages?
to provide feedback of IP packet transmissions*
to monitor the process of a domain name to IP address resolution
to inform routers about network topology changes
to ensure the delivery of an IP packet

The purpose of ICMP messages is to provide feedback about issues that are related to the
processing of IP packets.

32. What happens if part of an FTP message is not delivered to the destination?
The message is lost because FTP does not use a reliable delivery method.
The part of the FTP message that was lost is re-sent.*
The FTP source host sends a query to the destination host.
The entire FTP message is re-sent.

Because FTP uses TCP as its transport layer protocol, sequence and acknowledgment
numbers will identify the missing segments, which will be re-sent to complete the message.

33. What is the primary purpose of NAT?
conserve IPv4 addresses*
allow peer-to-peer file sharing
enhance network performance
increase network security

NAT was developed to conserve IPv4 addresses. A side benefit is that NAT adds a small level
of security by hiding the internal network addressing scheme. However, there are some
drawbacks of using NAT. It does not allow true peer-to-peer communication and it adds
latency to outbound connections.

34. Why does a Layer 3 device perform the ANDing process on a destination IP address and
subnet mask?
to identify the network address of the destination network*
to identify the host address of the destination host
to identify the broadcast address of the destination network
to identify faulty frames

ANDing allows us to identify the network address from the IP address and the network mask.

35. Refer to the exhibit.

Using the network in the exhibit, what would be the default gateway
address for host A in the 192.133.219.0 network?
192.135.250.1
192.133.219.0
192.133.219.1*
192.31.7.1

36. Which three IP addresses are private? (Choose three.)
192.167.10.10
10.1.1.1*
192.168.5.5*
172.16.4.4*
172.32.5.2
224.6.6.6

The private IP addresses are within these three ranges:
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
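Questions 28, 34 and 36 (prefix length, ANDing, private ranges) and the default-gateway logic behind questions 3, 10, 20 and 22 are all small operations on a 32-bit integer. The following is an added Python example, not part of the exam material, that implements them without the ipaddress module so the arithmetic stays visible: prefix length from a dotted mask (rejecting non-contiguous masks), network and broadcast address by AND/OR, RFC 1918 membership, and the decision a host makes about whose MAC to resolve before sending an ARP request. The addresses used are the ones from the questions.

```python
"""IPv4 mask arithmetic and the local/remote decision (added example).

Implemented on 32-bit integers rather than with the ipaddress module so
each step (prefix count, AND, OR) is explicit.
"""

ALL_ONES = 0xFFFFFFFF

# RFC 1918 private address space, as listed in the answer to question 36.
PRIVATE_RANGES = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def ip_to_int(ip: str) -> int:
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad address: {ip!r}")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | n
    return value


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> str:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((ALL_ONES << (32 - prefix)) & ALL_ONES)


def prefix_length(mask: str) -> int:
    """Count the leading 1 bits of a subnet mask, rejecting masks such as 255.255.0.255."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def network_address(ip: str, mask: str) -> str:
    """The ANDing step from question 34."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def broadcast_address(ip: str, mask: str) -> str:
    return int_to_ip(ip_to_int(ip) | (~ip_to_int(mask) & ALL_ONES))


def same_network(a: str, b: str, mask: str) -> bool:
    return network_address(a, mask) == network_address(b, mask)


def is_private(ip: str) -> bool:
    n = ip_to_int(ip)
    for net, prefix in PRIVATE_RANGES:
        mask = (ALL_ONES << (32 - prefix)) & ALL_ONES
        if n & mask == ip_to_int(net):
            return True
    return False


def next_hop_to_resolve(src_ip: str, mask: str, dst_ip: str, gateway: str) -> str:
    """Which IP a host puts in its ARP request: the destination itself when it is on the
    local network, otherwise the default gateway (questions 3, 20 and 22)."""
    return dst_ip if same_network(src_ip, dst_ip, mask) else gateway


if __name__ == "__main__":
    print(prefix_length("255.255.255.224"), mask_from_prefix(27))
    print(network_address("192.168.1.212", "255.255.255.0"))
    for ip in ("192.167.10.10", "10.1.1.1", "192.168.5.5", "172.16.4.4", "172.32.5.2", "224.6.6.6"):
        print(f"{ip:15} private={is_private(ip)}")
    print(next_hop_to_resolve("192.168.1.212", "255.255.255.0", "192.168.2.101", "192.168.1.1"))
```

The two near-misses in question 36, 192.167.10.10 and 172.32.5.2, are exactly where a hand-written "starts with 172." or "starts with 192." check goes wrong; the mask comparison does not.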

CCNA Cyber Ops v1.1 Chapter 5 Exam Answers

By admin, Sep 9, 2019

1. What specialized network device is responsible for enforcing access control policies
between networks?
Bridge
Switch
Firewall *
IDS

C. Firewalls are used to permit or block traffic between networks according to access control
policies.

2. What information does an Ethernet switch examine and use to build its address table?
Source IP address
Destination IP address
Source MAC address *
Destination MAC address

C. An Ethernet switch examines the source MAC address of an incoming frame. If the source
MAC address is not in the MAC address table, the switch will add it to the table with the
associated ingress Ethernet port.

3. Which device is an intermediary device?
Smart device
PC
Server
Firewall *

D. An intermediary device sends network messages toward a final destination. Examples of
intermediary devices include a firewall, router, switch, multilayer switch, and wireless router.

4. Which statement describes a difference between RADIUS and TACACS+?
RADIUS uses TCP, whereas TACACS+ uses UDP.
RADIUS is supported by the Cisco Secure ACS software, whereas TACACS+ is not.
RADIUS encrypts only the password, whereas TACACS+ encrypts all communication. *
RADIUS separates authentication and authorization, whereas TACACS+ combines them as
one process.

C. TACACS+ uses TCP, encrypts the entire packet body (not just the password; only the 12-byte
header stays in the clear), and separates authentication and authorization into two distinct
processes. Both protocols are supported by the Cisco Secure ACS software.

5. Which wireless parameter refers to the frequency bands used to transmit data to a wireless
access point?
SSID
Security mode
Scanning mode
Channel settings *

D. An access point can be manually set to a specific frequency band or channel in order to
avoid interference with other wireless devices in the area.

6. What specialized network device uses signatures to detect patterns in network traffic?
Bridges
Switches
IDS *
Firewalls

C. Intrusion detection systems (IDSs) use a set of rules, referred to as signatures, to identify
malicious traffic on the network.

7. What type of physical topology can be created by connecting all Ethernet cables to a central
device?
Star *
Bus
Ring
Mesh

A. Devices connected to the Ethernet star topology connect to either a hub or a switch.

8. Which network service synchronizes the time across all devices on the network?
NetFlow
Syslog
NTP *
SNMP

C. There are two methods for setting the date and time on network devices: manual
configuration, and automatic synchronization using the Network Time Protocol (NTP). NTP keeps
the time across all devices synchronized by using a hierarchical system of sources.

9. Which network service allows administrators to monitor and manage network devices?
NTP
SNMP *
Syslog
NetFlow

B. SNMP is an application layer protocol that allows administrators to manage and monitor
devices on the network such as routers, switches, and servers.

10. What are two types of addresses found on network end devices?
(Choose two.)
UDP
return
IP*
TCP
MAC*

Network end devices carry two types of addresses, a Layer 2 MAC address and a Layer 3 IP
address, and intermediary devices use both when forwarding messages toward the final
destination. TCP and UDP are Layer 4 protocols that identify the port numbers in use on the
source and destination devices; they are not device addresses. A return address is used when
mailing a letter, not in networking.

11. Which OSI layer header is rewritten with new addressing information by a router when
forwarding between LAN segments?
Layer 2*
Layer 3
Layer 4
Layer 7

When a router forwards traffic between LAN segments, it de-encapsulates the incoming Layer 2
frame, reads the Layer 3 packet to determine the path, and then encapsulates the packet in a new
Layer 2 frame with new Layer 2 addressing information for the destination LAN segment. The
Layer 3 addresses are left unchanged (unless NAT is in use).

12. Which protocol provides authentication, integrity, and confidentiality services and is a type
of VPN?
MD5
AES
ESP
IPsec*

IPsec services allow for authentication, integrity, access control, and confidentiality. With
IPsec, the information exchanged between remote sites can be encrypted and verified. Both
remote-access and site-to-site VPNs can be deployed using IPsec.

13. What are two uses of an access control list? (Choose two.)
ACLs can control which areas a host can access on a network.*
ACLs provide a basic level of security for network access.*
Standard ACLs can restrict access to specific applications and ports.
ACLs can permit or deny traffic based upon the MAC address originating on the router.
ACLs assist the router in determining the best path to a destination.

ACLs can be used for the following:
Limit network traffic in order to provide adequate network performance
Restrict the delivery of routing updates
Provide a basic level of security
Filter traffic based on the type of traffic being sent
Filter traffic based on IP addressing

14. Which protocol or service is used to automatically synchronize the software clocks on Cisco
routers?
SNMP
NTP*
DHCP
DNS

Network Time Protocol (NTP) is used to allow network devices to synchronize their time
settings with a centralized time server. DHCP (Dynamic Host Configuration Protocol) is a
protocol which assigns IP addresses to hosts. DNS (Domain Name Service) is a service which
resolves host names to IP addresses. SNMP (Simple Network Management Protocol) is a
protocol which allows administrators to manage network nodes.

15. What is the only attribute used by standard access control lists to
identify traffic?
source MAC address
protocol type
source IP address*
source TCP port

Standard access control lists can only identify traffic based on the source IPv4 address in the
protocol header.
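How a standard ACL is actually evaluated, as an added example that is not part of the course material and not IOS code: entries are tested top-down against the source address only, the first match wins, and a packet that matches nothing hits the implicit deny. The model uses IOS-style wildcard masks (a 0 bit must match, a 1 bit is ignored) and includes a `shadowed` check that finds entries an earlier, broader entry makes unreachable, which is the usual way an ordering mistake in an ACL goes unnoticed. The ACL contents and addresses are constructed sample data.

```python
# Added example (not from the Cisco course material, not IOS code): a model of
# how a standard IPv4 ACL is evaluated. Entries are checked top-down, the
# first match wins, and an unmatched packet hits the implicit deny. Only the
# source address is inspected, which is why a standard ACL cannot filter on
# destination, protocol or port. Addresses below are constructed sample data.
from dataclasses import dataclass
from typing import List, Tuple


def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(o) for o in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    source: str      # address portion, e.g. "192.168.1.0"
    wildcard: str    # wildcard mask: 0 bits must match, 1 bits are ignored

    def care_bits(self) -> int:
        return ~ip_to_int(self.wildcard) & 0xFFFFFFFF

    def matches(self, src_ip: str) -> bool:
        # IOS semantics: (packet AND ~wildcard) == (entry AND ~wildcard)
        care = self.care_bits()
        return (ip_to_int(src_ip) & care) == (ip_to_int(self.source) & care)


def evaluate(acl: List[AclEntry], src_ip: str) -> Tuple[str, int]:
    """Return (action, matched_index); index -1 means the implicit deny."""
    for i, entry in enumerate(acl):
        if entry.matches(src_ip):
            return entry.action, i
    return "deny", -1


def shadowed(acl: List[AclEntry]) -> List[int]:
    """Indices of entries that can never match because an earlier entry covers them.

    Entry j is covered by earlier entry i when i cares about a subset of the
    bits j cares about and the two agree on every bit i cares about.
    """
    result = []
    for j, later in enumerate(acl):
        care_j = later.care_bits()
        for earlier in acl[:j]:
            care_i = earlier.care_bits()
            covers_bits = (care_i & ~care_j) == 0
            same_values = (ip_to_int(earlier.source) & care_i) == (ip_to_int(later.source) & care_i)
            if covers_bits and same_values:
                result.append(j)
                break
    return result


# Constructed sample ACL: block one host, allow the rest of its /24 and all of 10/8.
ACL_10 = [
    AclEntry("deny",   "192.168.1.10", "0.0.0.0"),        # host 192.168.1.10
    AclEntry("permit", "192.168.1.0",  "0.0.0.255"),      # rest of 192.168.1.0/24
    AclEntry("permit", "10.0.0.0",     "0.255.255.255"),  # 10.0.0.0/8
    # implicit: deny any
]


if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.77", "10.20.30.40", "172.16.4.4"):
        print(ip, evaluate(ACL_10, ip))
    # Swap the first two lines and the host deny is never reached.
    print("shadowed:", shadowed([ACL_10[1], ACL_10[0]]))
```

Running `shadowed` over a candidate ACL before pushing it is a cheap way to catch the classic mistake of putting `permit 192.168.1.0 0.0.0.255` above `deny host 192.168.1.10`.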

16. Which wireless parameter is used by an access point to broadcast frames that include the
SSID?
passive mode*
security mode
channel setting
active mode

The two scanning or probing modes an access point can be placed into are passive and active.
In passive mode, the AP advertises the SSID, supported standards, and security settings in
broadcast beacon frames. In active mode, the AP does not advertise the SSID; the wireless client
must be configured with the same SSID and parameters as the AP and must send probe requests
to discover it. Hiding the SSID is not a security control, because the name still appears in the
client's probe requests and in association frames.

17. A Cisco router is running IOS 15. What are the two routing table
entry types that will be added when a network administrator brings
an interface up and assigns an IP address to the interface? (Choose
two.)
route that is learned via OSPF
route that is learned via EIGRP
route that is manually entered by a network administrator
directly connected interface*
local route interface*

A local route entry (a /32 host route for the interface's own address, marked L in the routing
table) appears when a router runs IOS 15 or later, or when IPv6 routing is enabled (a /128 in
that case). Whenever an interface is addressed and enabled (made active), a directly connected
route (marked C) for the interface's network is automatically added to the routing table.

18. Refer to the exhibit.

The network “A” contains multiple corporate servers that are accessed by hosts from the
Internet for information about the corporation. What term is used to describe the network
marked as “A”?
perimeter security boundary
internal network
DMZ*
untrusted network

A demilitarized zone or DMZ is a network area protected by one or more firewalls. The DMZ
typically contains servers that are commonly accessed by external users. A web server is
commonly contained in a DMZ.

19. What is the role of an IPS?
to detect patterns of malicious traffic by the use of signature files*
to filter traffic based on defined rules and connection context
to filter traffic based on Layer 7 information
to enforce access control policies based on packet content

For detecting malicious activity, an IPS uses a set of rules called signatures to detect patterns
in network traffic.

20. Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)
SIP support
password encryption*
802.1X support
separate authentication and authorization processes
utilization of transport layer protocols*

Both TACACS+ and RADIUS hide the password on the wire (RADIUS obscures only the
User-Password attribute with an MD5-based pad derived from the shared secret, while TACACS+
obfuscates the entire packet body), and both run over a Layer 4 transport protocol (TACACS+
uses TCP port 49; RADIUS uses UDP, ports 1812 and 1813). TACACS+ separates the
authentication and authorization processes, whereas RADIUS combines authentication and
authorization in one exchange. RADIUS supports remote access technology such as 802.1X and
SIP; TACACS+ does not.

21. What does the TACACS+ protocol provide in a AAA deployment?
AAA connectivity via UDP
compatibility with previous TACACS protocols
authorization on a per-user or per-group basis*
password encryption without encrypting the packet

TACACS+ utilizes TCP port 49, provides authorization on a per-user or per-group basis,
encrypts the entire packet body (the header stays in the clear), and does not provide
compatibility with the earlier TACACS and XTACACS protocols.

22. Which parameter is commonly used to identify a wireless network
name when a home wireless AP is being configured?
ESS
SSID*
ad hoc
BESS

The SSID is used to name a wireless network. This parameter is required in order for a
wireless client to attach to a wireless AP.

23. What information within a data packet does a router use to make
forwarding decisions?
the destination service requested
the destination IP address*
the destination host name
the destination MAC address

A Layer 3 device like a router uses a Layer 3 destination IP address to make a forwarding
decision.

24. Which protocol creates a virtual point-to-point connection to tunnel unencrypted traffic
between Cisco routers from a variety of protocols?
GRE*
IPsec
OSPF
IKE

Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that
encapsulates multiprotocol traffic between remote Cisco routers. GRE does not encrypt data,
which is why it is commonly carried inside IPsec when confidentiality is needed. OSPF is an
open-standard routing protocol. IPsec is a suite of protocols that allows the exchange of
information that can be encrypted and verified. Internet Key Exchange (IKE) is the key
management standard used with IPsec.

25. Which two statements are true about NTP servers in an enterprise
network? (Choose two.)
NTP servers at stratum 1 are directly connected to an authoritative time source.*
NTP servers ensure an accurate time stamp on logging and debugging information.*
There can only be one NTP server on an enterprise network.
All NTP servers synchronize directly to a stratum 1 time source.
NTP servers control the mean time between failures (MTBF) for key network devices.

Network Time Protocol (NTP) is used to synchronize the time across all devices on the
network to make sure accurate timestamping on devices for managing, securing and
troubleshooting. NTP networks use a hierarchical system of time sources. Each level in this
hierarchical system is called a stratum. The stratum 1 devices are directly connected to the
authoritative time sources.

26. What is true concerning physical and logical topologies?
Physical topologies display the IP addressing scheme of each network.
Logical topologies refer to how a network transfers data between devices.*
The logical topology is always the same as the physical topology.
Physical topologies are concerned with how a network transfers frames.

Physical topologies show the physical interconnection of devices. Logical topologies show
the way the network will transfer data between connected nodes.

27. Which layer of the hierarchical design model is a control boundary between the other layers?
access
network
distribution*
core

The three design layers from lowest to highest are access, distribution, and core. The
distribution layer commonly provides policy-based connectivity which permits or denies
traffic based on predefined parameters. The distribution layer also acts as a control boundary
between the access and core layers.

28. Which protocol or service allows network administrators to receive system messages that are
provided by network devices?
NTP
NetFlow
SNMP
Syslog*

Cisco developed NetFlow for the purpose of gathering statistics on packets flowing through
Cisco routers and multilayer switches. SNMP can be used to collect and store information
about a device. Syslog is used to access and store system messages.
NTP is used to allow network devices to synchronize time settings.

29. What is a function of a proxy firewall?
uses signatures to detect patterns in network traffic
connects to remote servers on behalf of clients*
drops or forwards traffic based on packet header information
filters IP traffic between bridged interfaces

Proxy firewalls filter traffic at the application layer of the TCP/IP model and shield client
information by connecting to remote servers on behalf of clients.

30. What is the function of the distribution layer of the three-layer network design model?
aggregating access layer connections*
providing high speed connection to the network edge
providing secure access to the Internet
providing direct access to the network

The function of the distribution layer is to provide connectivity to services and to aggregate
the access layer connections.

31. Which LAN topology requires a central intermediate device to connect end devices?
Star*
ring
bus
mesh

In a star network topology end devices are connected to a central intermediate device such as
a hub or a switch.

32. Which device can control and manage a large number of corporate APs?
switch
WLC*
router
LWAP

A wireless LAN controller (WLC) can be configured to manage multiple lightweight access
points (LWAPs). On the WLC, a network administrator can configure SSIDs, security, IP
addressing, and other wireless network parameters in a centralized management environment.

33. For which discovery mode will an AP generate the most traffic on
a WLAN?
active mode
mixed mode
passive mode*
open mode

The two discovery modes are passive and active. When operating in passive mode, an AP will
generate more traffic as it continually broadcasts beacon frames to potential clients. In active
mode, the client initiates the discovery process instead of the AP. Mixed mode refers to
network mode settings, and open mode refers to security parameter settings.

34. What is a feature of the TACACS+ protocol?
It utilizes UDP to provide more efficient packet transfer.
It hides passwords during transmission using PAP and sends the rest of the packet in
plaintext.
It encrypts the entire body of the packet for more secure communications.*
It combines authentication and authorization as one process.

TACACS+ has the following features:
separates authentication and authorization
encrypts all communication
uses TCP port 49
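The "RADIUS hides only the password, TACACS+ hides the whole body" distinction from questions 4, 20, 21 and 34, as an added example that is not part of the course material or any vendor's implementation. Both schemes are implemented from their specifications: the RADIUS User-Password hiding of RFC 2865 section 5.2 and the TACACS+ body obfuscation of RFC 8907 section 4.5. The shared secret, Request Authenticator, session ID and packet bodies are constructed sample values; the function names are this example's own.

```python
# Added example (not from the Cisco course material or any vendor's code):
# the two MD5-based schemes the questions above contrast, implemented from
# RFC 2865 section 5.2 (RADIUS User-Password) and RFC 8907 section 4.5
# (TACACS+ body obfuscation). Shared secrets, authenticators and session IDs
# below are constructed sample values. Both schemes are keyed XOR pads, not
# modern authenticated encryption: protect the transport (IPsec, or TLS for
# RADIUS/TLS) and keep the shared secret long and random.
import hashlib


def radius_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide only the User-Password attribute value (RFC 2865 section 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("RADIUS passwords are limited to 128 octets")
    # Pad with NULs to a multiple of 16 (a password with trailing NULs is ambiguous).
    n = max(1, (len(password) + 15) // 16) * 16
    padded = password.ljust(n, b"\x00")
    out = bytearray()
    prev = authenticator                 # b1 = MD5(S + RA)
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c                         # b_n = MD5(S + c_{n-1})
    return bytes(out)


def radius_recover_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side reverse of radius_user_password; strips the NUL padding."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], b))
        prev = cipher[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def tacacs_plus_xor_body(body: bytes, key: bytes, session_id: int,
                         version: int, seq_no: int) -> bytes:
    """Obfuscate (or de-obfuscate; XOR is an involution) a whole TACACS+ packet body.

    pseudo_pad = MD5(session_id|key|version|seq_no) ||
                 MD5(session_id|key|version|seq_no|MD5_prev) || ...   (RFC 8907 4.5)
    The 12-byte header that carries version, seq_no and session_id is sent in the clear.
    """
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


def demo():
    """What each protocol puts on the wire for the same credential."""
    secret = b"example-shared-secret"          # constructed sample value
    ra = bytes(range(16))                       # real RADIUS uses a random RA per request
    radius_hidden = radius_user_password(b"Pa55word!", secret, ra)
    # In RADIUS the User-Name attribute ("alice") travels in the clear next to this.
    # In TACACS+ the username is inside the body, so it is hidden too.
    start_body = b"\x01\x01\x01\x01" + b"alice" + b"tty0" + b"10.0.0.5"   # constructed
    tacacs_hidden = tacacs_plus_xor_body(start_body, secret, 0x1234ABCD, 0xC0, 1)
    return radius_hidden, tacacs_hidden


if __name__ == "__main__":
    r, t = demo()
    print(r.hex(), t.hex())
```

Two operational consequences follow directly from the code: a reused or predictable Request Authenticator reuses the RADIUS pad, and a captured Access-Request lets an attacker test candidate shared secrets offline, so the secret's strength is the whole security of the password hiding.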

1. What type of attack uses zombies?
Trojan horse
SEO poisoning
Spear phishing
DDoS *

D. The hacker infects multiple machines (zombies), creating a botnet. Zombies launch the
distributed denial-of-service (DDoS) attack.

2. What is the best description of Trojan horse malware?
It is the most easily detected form of malware.
It appears as useful software but hides malicious code. *
It is malware that can only be distributed over the Internet.
It is software that causes annoying but not fatal computer problems.

B. The best description of Trojan horse malware, and what distinguishes it from viruses and
worms, is that it appears as useful software but hides malicious code. Trojan horse malware
may cause annoying computer problems, but can also cause fatal problems. Some Trojan
horses may be distributed over the Internet, but they can also be distributed by USB memory
sticks and other means. Specifically targeted Trojan horse malware can be some of the most
difficult malware to detect.

3. What is the purpose of a rootkit?
To masquerade as a legitimate program
To deliver advertisements without user consent
To replicate itself independently of any other programs
To gain privileged access to a device while concealing itself *

D. Malware can be classified as follows:
Virus (self replicates by attaching to another program or file)
Worm (replicates independently of another program)
Trojan horse (masquerades as a legitimate file or program)
Rootkit (gains privileged access to a machine while concealing itself)
Spyware (collects information from a target system)
Adware (delivers advertisements with or without consent)
Bot (waits for commands from the hacker)
Ransomware (holds a computer system or data captive until payment is received)

4. When describing malware, what is a difference between a virus and a worm?
A virus focuses on gaining privileged access to a device, whereas a worm does not.
A virus replicates itself by attaching to another file, whereas a worm can replicate itself
independently. *
A virus can be used to launch a DoS attack (but not a DDoS), but a worm can be used to
launch both DoS and DDoS attacks.
A virus can be used to deliver advertisements without user consent, whereas a worm cannot.

B. A virus self-replicates by attaching to another program or file, whereas a worm replicates
independently of any host program. The full malware classification is listed under question 3.

5. What is an example of “hacktivism”?
Criminals use the Internet to attempt to steal money from a banking company.
A country tries to steal defense secrets from another country by infiltrating government
networks.
A teenager breaks into the web server of a local newspaper and posts a picture of a favorite
cartoon character.
A group of environmentalists launch a denial-of-service attack against an oil company
that is responsible for a large oil spill. *

D. Hacktivism is a term used to describe cyberattacks carried out by people who are
considered political or ideological extremists. Hacktivists attack people or organizations that
they believe are enemies of the hacktivist agenda.

6. What is the purpose of a reconnaissance attack on a computer network?
To steal data from the network servers
To prevent users from accessing network resources
To redirect data traffic so that it can be monitored
To gather information about the target network and system *

D. A reconnaissance attack gathers information about the target network and systems (live
hosts, open ports, running services). Preventing users from accessing network resources is a
denial-of-service attack. Stealing data from the network servers may be the objective of an
access attack launched after reconnaissance has mapped the target. Redirecting data traffic so
that it can be monitored is a man-in-the-middle attack.

7. Which tool is used to provide a list of open ports on network devices?
Nmap *
Ping
Whois
Tracert

A. Nmap is a port scanner used to determine which ports are open on a particular network
device and, from the responses, which services are likely listening. Port scanning is a
reconnaissance step that typically precedes an attack.

8. Which type of attack allows an attacker to use a brute-force approach?
Packet sniffing
Social engineering
Denial of service
Password cracking *

D. Password cracking is the attack that lends itself to brute force: the attacker tries every
possible combination, or every entry in a dictionary of likely candidates, until one works.
Packet sniffing, social engineering, and denial of service do not rely on exhaustive guessing.
Common ways to crack Wi-Fi passwords in particular include social engineering, brute-force
attacks, and network sniffing.

9. Which term is used to describe the act of sending an email message in an attempt to
divulge sensitive information from someone?
Phishing *
DoS attack
Hacktivism
Script kiddie

A. Phishing uses deception to convince people to divulge information. Hacktivism is hacking
done for a specific cause such as political or social reasons. A script kiddie is an
inexperienced hacker who uses free scripts, software, and tools. A denial-of-service (DoS)
attack causes one or more services to be inaccessible or not work.

10. What is the significant characteristic of worm malware?
A worm can execute independently of the host system. *
Worm malware disguises itself as legitimate software.
A worm must be triggered by an event on the host system.
Once installed on a host system, a worm does not replicate itself.

A. Worm malware can execute and copy itself without being triggered by a host program. It is
a significant network and Internet security threat.

11. A network administrator detects unknown sessions involving port 21 on the network. What
could be causing this security breach?
An FTP Trojan horse is executing. *
A reconnaissance attack is occurring.
A denial-of-service attack is occurring.
Cisco Security Agent is testing the network.

A. Network security personnel must be familiar with port numbers in order to identify the
service being attacked. Well-known port 21 is the FTP control connection; in active-mode FTP
the server then uses port 20 to transfer data (passive mode negotiates a high port instead). If
the device connecting to the FTP server is unknown and launching an attack, the attack might be
an FTP Trojan horse. Confirm the source host and the session content before acting on the
alert, since a port scan or a misconfigured client also produces unexpected port 21 sessions.

12. Which example illustrates how malware might be concealed?
A botnet of zombies carry personal information back to the hacker.
An attack is launched against the public website of an online retailer with the objective of
blocking its response to visitors.
A hacker uses techniques to improve the ranking of a website so that users are redirected to a
malicious site.
An email is sent to the employees of an organization with an attachment that looks like
an antivirus update, but the attachment actually consists of spyware. *

D. An email attachment that appears as valid software but actually contains spyware shows
how malware might be concealed. An attack to block access to a website is a DoS attack. A
hacker uses search engine optimization (SEO) poisoning to improve the ranking of a website
so that users are directed to a malicious site that hosts malware or uses social engineering
methods to obtain information. A botnet of zombie computers is used to launch a DDoS
attack.

13. Which type of security threat can be described as software that attaches itself to another
program to execute a specific unwanted function?
Worm
Virus *
Proxy Trojan horse
Denial-of-service Trojan horse

B. Viruses can be malicious and destructive or simply change something about the computer,
such as words or images, without necessarily causing the computer to malfunction. Viruses can
be spread through shared media such as CDs or memory sticks, but can also be delivered via
the Internet and email.

14. What type of malware has the primary objective of spreading across the network?
virus
worm*
Trojan horse
botnet

The main purpose of a worm is to self-replicate and propagate across the network. A virus
attaches to a host file or program and usually needs user action to spread. A Trojan horse is
not self-replicating and disguises itself as a legitimate application. A botnet is a group of
zombie computers working together to wage a network attack.

15. Why would a rootkit be used by a hacker?
to gain access to a device without being detected*
to do reconnaissance
to reverse engineer binary files
to try to guess a password

Hackers use rootkits to avoid detection as well as hide any software installed by the hacker.

16. Which type of hacker is motivated to protest against political and social issues?
cybercriminal
script kiddie
vulnerability broker
hacktivist*

Hackers are categorized by motivating factors. Hacktivists are motivated by protesting
political and social issues.

17. What is a characteristic of a Trojan horse as it relates to network security?
Extreme quantities of data are sent to a particular network device interface.
An electronic dictionary is used to obtain a password to be used to infiltrate a key network
device.
Too much information is destined for a particular memory block, causing additional memory
areas to be affected.
Malware is contained in a seemingly legitimate executable program.*

A Trojan horse carries out malicious operations under the guise of a legitimate program.
Denial of service attacks send extreme quantities of data to a particular host or network device
interface. Password attacks use electronic dictionaries in an attempt to learn passwords.
Buffer overflow attacks exploit memory buffers by sending too much information to a host to
render the system inoperable.

18. What is a botnet?

a group of web servers that provide load balancing and fault tolerance
an online video game intended for multiple players
a network that allows users to bring their own technology
a network of infected computers that are controlled as a group*

One method of executing a DDoS attack involves using a botnet. An attacker builds or purchases
a botnet of zombie hosts, a group of infected devices under the attacker's control. The zombies
may infect more hosts to grow the botnet, and on command they carry out the DDoS attack.

19. Which type of Trojan horse security breach uses the computer of
the victim as the source device to launch other attacks?
DoS
FTP
data-sending
proxy*

The attacker uses a proxy Trojan horse to penetrate one device and then uses that device to
launch attacks on other devices. The DoS Trojan horse slows or halts network traffic. The
FTP Trojan horse opens port 21 on the victim to provide unauthorized file transfer services. A
data-sending Trojan horse transmits data back to the hacker that could include passwords.

20. What is the primary goal of a DoS attack?
to prevent the target server from being able to handle additional requests*
to scan the data on the target server
to facilitate access to external networks
to obtain all addresses in the address book within the server

A denial of service (DoS) attack attempts to overwhelm a system or process by sending large
amounts of data or requests to the target. The goal is to keep the system so overwhelmed
handling false requests that it is unable to respond to legitimate ones.

21. What is a main purpose of launching an access attack on network systems?
to prevent other users from accessing the system
to scan for accessible networks
to gather information about the network
to retrieve data*

Gathering information about a network and scanning for access is a reconnaissance attack.
Preventing other users from accessing a system is a denial of service attack.

22. What causes a buffer overflow?
launching a security countermeasure to mitigate a Trojan horse
attempting to write more data to a memory location than that location can hold*
sending repeated connections such as Telnet to a particular device, thus denying other data
sources
sending too much information to two or more interfaces of the same device, thereby causing
dropped packets
downloading and installing too many software updates at one time

Writing more data to a buffer than it can hold overwrites adjacent memory locations. Whatever
lived there (other variables, saved pointers, a return address) is corrupted, which is why an
overflow can be steered from a crash into code execution rather than only affecting the
program's stability.

23. A company pays a significant sum of money to hackers in order to regain control of an
email and data server. Which type of security attack was used by the hackers?
DoS
spyware
Trojan horse
Ransomware*

Ransomware involves the hackers preventing user access to the infected and controlled
system until the user pays a specified amount.

24. What is the term used to describe an email that is targeting a specific person employed at
a financial institution?
spam
spyware
vishing
target phishing
spear phishing*

Spear phishing is a phishing attack customized to reach a specific person or target.

25. Which access attack method involves a software program that attempts to discover a system
password by the use of an electronic dictionary?
packet sniffer attack
denial of service attack
buffer overflow attack
brute-force attack*
port redirection attack
IP spoofing attack

An access attack targets services that control entry into accounts, databases, and other
sensitive information. Access attacks commonly use a dictionary of candidate passwords to guess
a specific user's password. A brute-force access attack tries to get into an account through
repeated attempts, either exhaustively or from such a dictionary.

26. In what way are zombies used in security attacks?
They are infected machines that carry out a DDoS attack.*
They are maliciously formed code segments used to replace legitimate applications.
They target specific individuals to gain corporate or personal information.
They probe a group of machines for open ports to learn which services are running

Zombies are infected computers that make up a botnet. The zombies are used to deploy a
distributed denial of service (DDoS) attack.

27. What are two evasion methods used by hackers? (Choose two.)
scanning
encryption*
access attack
phishing
resource exhaustion*

The following methods are used by hackers to avoid detection:
Encryption and tunneling – hide or scramble the malware content
Resource exhaustion – keep the host device too busy to detect the invasion
Traffic fragmentation – split the malware into multiple packets
Protocol-level misinterpretation – sneak by the firewall
Pivot – use a compromised network device to attempt access to another device
Rootkit – allow the hacker to avoid detection as well as hide software installed by the hacker

28. What are two purposes of launching a reconnaissance attack on a network? (Choose two.)
to retrieve and modify data
to scan for accessibility*
to escalate access privileges
to prevent other users from accessing the system
to gather information about the network and devices*

Gathering information about a network and scanning for access is a reconnaissance attack.
Preventing other users from accessing a system is a denial of service attack. Attempting to
retrieve and modify data, and attempting to escalate access privileges are types of access
attacks.

29. What are three techniques used in social engineering attacks? (Choose three.)
vishing*
phishing*
pretexting*
buffer overflow
man-in-the-middle
sending junk email

Phishing is an attempt to get a user to divulge information. Vishing is a type of phishing that
uses voice and the phone system. With pretexting, the hacker lies to the user in an attempt to
obtain information.

30. An attacker is using a laptop as a rogue access point to capture all network traffic from a
targeted user. Which type of attack is this?
port redirection
trust exploitation
buffer overflow
man in the middle*

An access attack tries to gain access to a resource using a hijacked account or other means.
The five types of access attacks include the following:
password – a dictionary is used for repeated login attempts
trust exploitation – uses granted privileges to access unauthorized material
port redirection – uses a compromised internal host to pass traffic through a firewall
man-in-the-middle – an unauthorized device positioned between two legitimate devices in
order to redirect or capture traffic
buffer overflow – too much data sent to a memory location that already contains data

31. A user is curious about how someone might know a computer has
been infected with malware. What are two common malware
behaviors? (Choose two.)
The computer emits a hissing sound every time the pencil sharpener is used.
The computer freezes and requires reboots.*
No sound emits when an audio CD is played.
The computer gets increasingly slower to respond.*
The computer beeps once during the boot process.

Common symptoms of computers infected with malware:
Appearance of files, applications, or desktop icons
Security tools such as antivirus software or firewalls turned off or changed
System crashes
Emails spontaneously sent to others
Modified or missing files
Slow system or browser response
Unfamiliar processes or services running
Unknown TCP or UDP ports open
Connections made to unknown remote devices

32. Which type of security attack would attempt a buffer overflow?
ransomware
reconnaissance
DoS*
scareware

Denial of service (DoS) attacks attempt to disrupt service on the network, either by sending a
particular device an overwhelming amount of data so that no other devices can access it, or by
sending malformed packets. The course classifies buffer overflows under DoS because the
immediate effect is usually a crash; note that question 30 also lists buffer overflow among the
access attacks, since a crafted overflow can yield code execution rather than just a crash.

33. What is a significant characteristic of virus malware?
Virus malware is only distributed over the Internet.
Once installed on a host system, a virus will automatically propagate itself to other systems.
A virus is triggered by an event on the host system.*
A virus can execute independently of the host system.

A virus is malicious code that is attached to a legitimate program or executable file, and
requires specific activation, which may include user actions or a time-based event. When
activated, a virus can infect the files it has not yet infected, but does not automatically
propagate itself to other systems. Self-propagation is a feature of worms. In addition to being
distributed over the Internet, viruses are also spread by USB memory sticks, CDs, and DVDs.

34. A senior citizen receives a warning on the computer that states that the operating system
registry is corrupt and to click a particular
link to repair it. Which type of malware is being used to try to create
the perception of a computer threat to the user?
DoS
Scareware*
phishing
adware

Scareware is a type of malware that attempts to shock or induce anxiety by creating a
perception of a threat. Phishing tries to get the user to divulge some information. A DoS
attack tries to disrupt service on a network. Adware usually appears in pop-ups trying to get
the user to buy something or to visit a website.

35. What is the motivation of a white hat attacker?
fine tuning network devices to improve their performance and efficiency
taking advantage of any vulnerability for illegal personal gain
studying operating systems of various platforms to develop a new system
discovering weaknesses of networks and systems to improve the security level of these
systems*

White hat attackers break into networks or computer systems in order to discover weaknesses
for the purpose of improving the security of these systems. These break-ins are done with
permission from the owner or the organization. Any results are reported back to the owner or
the organization.

36. What is a ping sweep?
a network scanning technique that indicates the live hosts in a range of IP addresses.*
a query and response protocol that identifies information about a domain, including the
addresses that are assigned to that domain.
a software application that enables the capture of all network packets that are sent across a
LAN.
a scanning technique that examines a range of TCP or UDP port numbers on a host to detect
listening services

A ping sweep is a tool that is used during a reconnaissance attack. Other tools that might be
used during this type of attack include a port scan or an Internet information query.
A reconnaissance attack is used to gather information about a particular network, usually in
preparation for another type of network attack.

37. What is the term used when a malicious party sends a fraudulent
email disguised as being from a legitimate, trusted source?
Trojan
vishing
phishing*
backdoor

Phishing is used by malicious parties who create fraudulent messages that attempt to trick a
user into either sharing sensitive information or installing malware.

38. What are the three major components of a worm attack? (Choose
three.)
an enabling vulnerability*
a propagation mechanism*
a payload*
a probing mechanism
a penetration mechanism
an infecting vulnerability

A computer can have a worm installed through an email attachment, an executable program
file, or a Trojan Horse. The worm attack not only affects one computer, but replicates to other
computers. What the worm leaves behind is the payload–the code that results in some action.

39. Which security threat installs on a computer without the
knowledge of the user and then monitors computer activity?
Spyware*
viruses
worms
adware

Spyware normally installs on a system without end-user knowledge and monitors activity on a
computer, which can then be sent to the source of spyware. Viruses infect systems and
execute malicious code. Worms self-replicate and propagate across networks from a singular
host, consuming a lot of bandwidth. Adware is normally distributed through downloaded
software and results in the exhibition of several pop-up windows on the system.

1. Which technology is a proprietary SIEM system?
SNMP agent
Splunk *
Stealthwatch
NetFlow collector

B. Security information event management (SIEM) is a technology that is used in enterprise
organizations to provide real-time reporting and long-term analysis of security events. Splunk
is a proprietary SIEM system.

2. Which term is used to describe legitimate traffic that is mistaken for
unauthorized traffic by firewalls and IPSs?
True positive
True negative
False positive *
False negative

C. Network security devices such as firewalls and intrusion prevention systems (IPSs) use
preconfigured rules to identify malicious traffic on the network. Sometimes legitimate traffic
is mistakenly identified as unauthorized or malicious. When legitimate traffic is incorrectly
identified as unauthorized, it is known as a false positive.

3. Which monitoring technology mirrors traffic flowing through a
switch to an analysis device connected to another switch port?
SNMP
SIEM
SPAN *
NetFlow

C. When enabled on a switch, SPAN, or port mirroring, copies frames sent and received by
the switch and forwards them to another port, known as a Switch Port Analyzer port, which
has an analysis device attached.

4. Which network monitoring tool saves captured network frames in
PCAP files?
NetFlow
Wireshark *
SNMP
SIEM

B. Wireshark is a network protocol analyzer used to capture network traffic. The traffic
captured by Wireshark is saved in PCAP files and includes interface information and
timestamps.

5. Which language is used to query a relational database?
SQL *
C++
Python
Java

A. Cybercriminals use SQL injections to breach a relational database, create malicious SQL
queries, and obtain sensitive data.

6. Which network monitoring tool is in the category of network
protocol analyzers?
SNMP
SPAN
Wireshark*
SIEM

C. Wireshark is a network protocol analyzer used to capture network traffic. The traffic
captured by Wireshark is saved in PCAP files and includes interface information and
timestamps.

7. Which SIEM function is associated with examining the logs and
events of multiple systems to reduce the amount of time of detecting
and reacting to security events?
Retention
Aggregation
Correlation *
Forensic analysis

C. SIEM provides administrators with details on sources of suspicious activity such as user
information, device location, and compliance with security policies. One of the essential
functions of SIEM is correlation of logs and events from different systems in order to speed
the detection and reaction to security events.

8. Which network technology uses a passive splitting device that
forwards all traffic, including Layer 1 errors, to an analysis device?
IDS
SNMP
NetFlow
Network TAP *

D. A network TAP is a common technology that is used to capture traffic for monitoring the
network. The TAP is typically a passive splitting device implemented inline on the network
and that forwards all traffic, including physical layer errors, to an analysis device.

9. What technique is a security attack that depletes the pool of IP
addresses available for legitimate hosts?
DHCP spoofing
DHCP snooping
DHCP starvation *
Reconnaissance attack

C. DHCP starvation attacks create a denial of service for network clients. The attacker sends
DHCP discovery messages that contain fake MAC addresses in an attempt to lease all of the
IP addresses. In contrast, DHCP spoofing occurs when a cybercriminal configures a rogue
DHCP server to provide network clients with incorrect IP configuration information.

10. In what type of attack is a cybercriminal attempting to prevent
legitimate users from accessing network services?
DoS *
MITM
Session hijacking
Address spoofing

A. In a DoS, or denial-of-service, attack, the goal of the attacker is to prevent legitimate users
from accessing network services.

11. Which network monitoring technology collects IP operational data
on packets flowing through Cisco routers and multilayer switches?
SNMP
SIEM
NetFlow *
Wireshark

C. NetFlow is a Cisco technology that runs on Cisco routers and multilayer switches and that
gathers statistics on forwarded packets.

12. What are two monitoring tools that capture network traffic and
forward it to network monitoring devices? (Choose two.)
SPAN*
network tap*
SNMP
SIEM
Wireshark

A network tap is used to capture traffic for monitoring the network. The tap is typically a
passive splitting device implemented inline on the network and forwards all traffic including
physical layer errors to an analysis device. SPAN is a port mirroring technology supported on
Cisco switches that enables the switch to copy frames and forward them to an analysis device.

13. Which technology is an open source SIEM system?
Wireshark
Stealthwatch
Splunk
ELK*

There are many SIEM systems available to network administrators. The ELK suite is an open
source option.

14. What network attack seeks to create a DoS for clients by
preventing them from being able to obtain a DHCP lease?
IP address spoofing
DHCP starvation*
CAM table attack
DHCP spoofing

DHCP starvation attacks are launched by an attacker with the intent to create a DoS for
DHCP clients. To accomplish this goal, the attacker uses a tool that sends many
DHCPDISCOVER messages in order to lease the entire pool of available IP addresses, thus
denying them to legitimate hosts.

15. Which protocol would be the target of a cushioning attack?
DHCP
HTTP*
ARP
DNS

The HTTP 302 cushioning attack is used by cybercriminals to take advantage of the 302
Found HTTP response status code to redirect the browser of the user to a new location,
usually a malicious site.

16. Which network monitoring capability is provided by using SPAN?
Network analysts are able to access network device log files and to monitor network behavior.
Statistics on packets flowing through Cisco routers and multilayer switches can be captured.
Traffic exiting and entering a switch is copied to a network monitoring device.*
Real-time reporting and long-term analysis of security events are enabled.

When enabled on a switch, SPAN, or port mirroring, copies frames that are sent and received
by the switch and forwards them to another port, known as a Switch Port Analyzer port,
which has an analysis device attached.

17. Which type of DNS attack involves the cybercriminal
compromising a parent domain and creating multiple subdomains to
be used during the attacks?
Shadowing*
amplification and reflection
tunneling
cache poisoning

Two threats to DNS are DNS shadowing and DNS tunneling attacks. DNS shadowing attacks
compromise a parent domain and then the cybercriminal creates subdomains to be used in
attacks. DNS tunneling attacks build botnets to bypass traditional security solutions. Three
threats to DNS open resolvers are cache poisoning, amplification and reflection, and resource
utilization attacks.

18. Refer to the exhibit.
What protocol would be used by the syslog server service to create
this type of output for security purposes?
NTP
AAA
ICMP
SNMP*

The Simple Network Management Protocol is used by network devices to send and log
messages to a syslog server in order to monitor traffic and network device events.

19. What is the result of a passive ARP poisoning attack?
Confidential information is stolen.*
Network clients experience a denial of service
Data is modified in transit or malicious data is inserted in transit.
Multiple subdomains are created.

ARP poisoning attacks can be passive or active. The result of a passive attack is that
cybercriminals steal confidential information. With an active attack, cybercriminals modify
data in transit or they inject malicious data.

20. Which term is used for bulk advertising emails flooded to as many
end users as possible?
Spam*
adware
brute force
phishing

Spam is annoying and unwanted bulk email that is sent to as many end users as possible.

21. Which capability is provided by the aggregation function in
SIEM?
reducing the volume of event data by consolidating duplicate event records*
searching logs and event records of multiple sources for more complete forensic analysis
presenting correlated and aggregated event data in real-time monitoring
increasing speed of detection and reaction to security threats by examining logs from many
systems and applications

The aggregation function of SIEM reduces the volume of event data by consolidating
duplicate event records.

22. Which protocol is attacked when a cybercriminal provides an
invalid gateway in order to create a man-in-the-middle attack?
HTTP or HTTPS
ICMP
DNS
DHCP*

A cybercriminal could set up a rogue DHCP server that provides one or more of the
following:
Wrong default gateway that is used to create a man-in-the-middle attack and allow the
attacker to intercept data
Wrong DNS server that results in the user being sent to a malicious website
Invalid default gateway IP address that results in a denial of service attack on the DHCP client

23. Which network monitoring tool can provide a complete audit trail
of basic information of all IP flows on a Cisco router and forward the
data to a device?
SPAN
Wireshark
NetFlow*
SIEM

NetFlow is a Cisco technology that provides statistics on packets flowing through a Cisco
router or multilayer switch.

24. What are two methods used by cybercriminals to mask DNS
attacks? (Choose two.)
domain generation algorithms*
shadowing
fast flux*
reflection
tunneling

Fast flux, double IP flux, and domain generation algorithms are used by cybercriminals to
attack DNS servers and affect DNS services. Fast flux is a technique used to hide phishing
and malware delivery sites behind a quickly-changing network of compromised DNS hosts
(bots within botnets). The double IP flux technique rapidly changes the hostname to IP
address mappings and the authoritative name server. Domain generation algorithms randomly
generate domain names to be used as rendezvous points.

25. Which protocol is exploited by cybercriminals who create
malicious iFrames?
HTTP*
ARP
DNS
DHCP

An HTML element known as an inline frame or iFrame allows the browser to load a different
web page from another source.

26. Which SIEM function is associated with speeding up detection of
security threats by examining logs and events from different systems?
forensic analysis
retention
correlation*
aggregation

The correlation function of SIEM speeds the detection and reaction to security threats by
examining logs and events from different systems.

27. In which TCP attack is the cybercriminal attempting to
overwhelm a target host with half-open TCP connections?
reset attack
session hijacking attack
port scan attack
SYN flood attack*

In a TCP SYN flood attack, the attacker sends to the target host a continuous flood of TCP
SYN session requests with a spoofed source IP address. The target host responds with a TCP
SYN-ACK to each of the SYN session requests and waits for a TCP ACK that will never
arrive. Eventually the target is overwhelmed with half-open TCP connections.

28. In which type of attack is falsified information used to redirect
users to malicious Internet sites?
ARP cache poisoning
DNS amplification and reflection
DNS cache poisoning*
domain generation

In a DNS cache poisoning attack, falsified information is used to redirect users from
legitimate to malicious internet sites.

29. Refer to the exhibit.
A junior network administrator is inspecting the traffic flow of a
particular server in order to make security recommendations to the
departmental supervisor. Which recommendation should be made?
A more secure protocol should be used.*
The total length (TL) field indicates an unsecure Layer 4 protocol is being used.
The person accessing the server should never access it from a device using a private IP
address.
The person accessing the server should use the private IP address of the server.

FTP is an unsecure network protocol. Anyone capturing packets can obtain the username and
password from the capture. A more secure protocol such as SFTP should be used.

30. Which network monitoring tool saves captured packets in a PCAP
file?
Wireshark*
SIEM
SNMP
NetFlow

Wireshark captures are saved as PCAP files, which contain frame, interface, and packet
information, and also time stamps.

31. Which cyber attack involves a coordinated attack from a botnet of
zombie computers?
ICMP redirect
MITM
DDoS*
address spoofing

DDoS is a distributed denial-of-services attack. A DDoS attack is launched from multiple
coordinated sources. The sources of the attack are zombie hosts that the cybercriminal has
built into a botnet. When ready, the cybercriminal instructs the botnet of zombies to attack the
chosen target.

32. How is optional network layer information carried by IPv6
packets?
inside an options field that is part of the IPv6 packet header
inside the Flow Label field
inside the payload carried by the IPv6 packet
inside an extension header attached to the main IPv6 packet header*

IPv6 uses extension headers to carry optional network layer information. Extension headers
are not part of the main IPv6 header but are separate headers placed between the IPv6 header
and the payload.

33. What type of attack targets an SQL database using the input field
of a user?
Cross-site scripting
SQL injection*
buffer overflow
XML injection

A criminal can insert a malicious SQL statement in an entry field on a website where the
system does not filter the user input correctly.

34. What network monitoring technology enables a switch to copy
and forward traffic sent and received on multiple interfaces out
another interface toward a network analysis device?
port mirroring*
NetFlow
SNMP
network tap

When enabled on a switch, port mirroring copies frames sent and received by the switch and
forwards them to another port, which has an analysis device attached.

1. With the evolution of borderless networks, which vegetable is now
used to describe a defense-in-depth approach?
Artichoke *
Lettuce
Onion
Cabbage

A. The artichoke is now used to provide a visual analogy to describe a defense-in-depth
security approach. The onion used to be descriptive because the attacker would “peel away”
each layer of the network defense mechanisms. Now the artichoke is used because a single
petal or leaf can be moved or removed to reveal sensitive information.

2. What is a characteristic of a layered defense-in-depth security
approach?
Three or more devices are used.
Routers are replaced with firewalls.
When one device fails, another one takes over.
One safeguard failure does not affect the effectiveness of other safeguards. *

D. When a layered defense-in-depth security approach is used, layers of security are placed
through the organization—at the edge, within the network, and on endpoints. The layers work
together to create the security architecture. In this environment, a failure of one safeguard
does not affect the effectiveness of other safeguards.

3. Passwords, passphrases, and PINs are examples of which security
term?
Identification
Authorization
Authentication *
Access

C. Authentication methods are used to strengthen access control systems. It is important to
understand the available authentication methods.

4. What is privilege escalation?
Someone is given rights because she or he has received a promotion.
Vulnerabilities in systems are exploited to grant higher levels of privilege than someone
or some process should have. *
A security problem occurs when high-ranking corporate officials demand rights to systems or
files that they should not have.
Everyone is given full rights by default to everything and rights are taken away only when
someone abuses privileges.

B. With privilege escalation, vulnerabilities are exploited to grant higher levels of privilege.
After the privilege is granted, the threat actor can access sensitive information or take control
of the system.

5. What are two characteristics of the RADIUS protocol? (Choose
two.)
Encryption of the entire body of the packet
The use of TCP port 49
The use of UDP ports for authentication and accounting *
Encryption of the password only *
The separation of the authentication and authorization processes

C, D. RADIUS is an open-standard AAA protocol using UDP port 1645 or 1812 for
authentication and UDP port 1646 or 1813 for accounting. It combines authentication and
authorization into one process.

6. Which component of AAA is used to determine which resources a
user can access and which operations the user is allowed to perform?
Auditing
Accounting
Authorization *
Authentication

C. One of the components in AAA is authorization. After a user is authenticated through
AAA, authorization services determine which resources the user can access and which
operations the user is allowed to perform.

7. Which type of business policy establishes the rules of conduct and
the responsibilities of employees and employers?
Company *
Data
Employee
Security

A. Business policies set a baseline of acceptable use. Company policies establish the rules of
conduct and the responsibilities of both employees and the employer. Company policies
protect the rights of the workers as well as the business interests of the company.

8. Which component of AAA allows an administrator to track
individuals who access network resources and any changes that are
made to those resources?
Accessibility
Accounting *
Authentication
Authorization

B. One of the components in AAA is accounting. After a user is authenticated through AAA,
AAA servers keep a detailed log of exactly what actions the authenticated user takes on the
device.

9. Which of the following offers a free service called Automated
Indicator Sharing that enables the real-time exchange of cyberthreat
indicators?
FireEye
Department of Homeland Security *
The MITRE Corporation
Talos

B. The U.S. Department of Homeland Security (DHS) offers a free service called Automated
Indicator Sharing (AIS). AIS enables the real-time exchange of cyberthreat indicators (e.g.,
malicious IP addresses, the sender address of a phishing email, etc.) between the U.S. federal
government and the private sector.

10. The security policy of an organization allows employees to connect
to the office intranet from their homes. Which type of security policy
is this?
Acceptable use
Incident handling
Network maintenance
Remote access *

D. The remote access policy section of a corporate security policy identifies how remote users
can access a network and what is accessible via remote connectivity.

11. During the AAA process, when will authorization be
implemented?
Immediately after successful authentication against an AAA data source *
Immediately after AAA accounting and auditing receives detailed reports
Immediately after an AAA client sends authentication information to a centralized server
Immediately after the determination of which resources a user can access

A. AAA authorization is implemented immediately after the user is authenticated against a
specific AAA data source.

12. A web server administrator is configuring access settings to
require users to authenticate first before accessing certain web pages.
Which requirement of information security is addressed through the
configuration?
availability
confidentiality*
integrity
scalability

Confidentiality ensures that data is accessed only by authorized individuals. Authentication
will help verify the identity of the individuals.

13. What component of a security policy explicitly defines the type of
traffic allowed on a network and what users are allowed and not
allowed to do?
password policies
identification and authentication policies
remote access policies
acceptable use policies*

Security policies specify requirements and provide a baseline for organizations. Security
policies may include the following:
Identification and authentication policies that specify authorized individuals that have access
to network resources and verification procedures
Password policies that ensure minimum requirements are met and authentication methods are
being enforced and updated
Remote access policies that identify how remote users can access a network and to what they
are allowed to connect
Acceptable use policies that identify network applications and network usage that are allowed
within the organization

14. What is the principle of least privilege access control model?
User access to data is based on object attributes.
Users are granted rights on an as-needed approach.*
Users are granted the strictest access control possible to data.
Users control access to data they own.

The principle of least privilege is an access control model that specifies a limited and as-
needed approach to user access to data.

15. Which statement describes a difference between RADIUS and
TACACS+?
RADIUS is supported by the Cisco Secure ACS software whereas TACACS+ is not.
RADIUS encrypts only the password whereas TACACS+ encrypts all communication.*
RADIUS separates authentication and authorization whereas TACACS+ combines them as
one process.
RADIUS uses TCP whereas TACACS+ uses UDP.

TACACS+ uses TCP, encrypts the entire packet (not just the password), and separates
authentication and authorization into two distinct processes. Both protocols are supported by
the Cisco Secure ACS software.

16. What is the purpose of mobile device management (MDM)
software?
It is used to create a security policy.
It is used to implement security policies, settings, and software configurations on mobile
devices.*
It is used by threat actors to penetrate the system.
It is used to identify potential mobile device vulnerabilities.

Mobile device management (MDM) software is used with mobile devices so that corporate IT
personnel can track the devices, implement security settings, as well as control software
configurations.

17. What service determines which resources a user can access along
with the operations that a user can perform?
authentication
biometric
authorization*
accounting
token

Authorization determines whether a user has certain access privileges.

18. A company has a file server that shares a folder named Public.
The network security policy specifies that the Public folder is assigned
Read-Only rights to anyone who can log into the server while the Edit
rights are assigned only to the network admin group. Which
component is addressed in the AAA network service framework?
automation
accounting
authentication
authorization*

After a user is successfully authenticated (logged into the server), the authorization is the
process of determining what network resources the user can access and what operations (such
as read or edit) the user can perform.

19. In threat intelligence communications, what set of specifications is
for exchanging cyberthreat information between organizations?
Trusted automated exchange of indicator information (TAXII)
Structured threat information expression (STIX)*
Automated indicator sharing (AIS)
Common vulnerabilities and exposures (CVE)

The two common threat intelligence-sharing standards are as follows:
Structured Threat Information Expression (STIX) – This is a set of specifications for
exchanging cyberthreat information between organizations. The Cyber Observable Expression
(CybOX) standard has been incorporated into STIX.
Trusted Automated Exchange of Indicator Information (TAXII) – This is the specification for
an application layer protocol that allows the communication of CTI over HTTPS. TAXII is
designed to support STIX.

20. What three items are components of the CIA triad? (Choose
three.)
Integrity*
Availability*
Confidentiality*
access
scalability
intervention

The CIA triad contains three components: confidentiality, integrity, and availability. It is a
guideline for information security for an organization.

21. A company is experiencing overwhelming visits to a main web
server. The IT department is developing a plan to add a couple more
web servers for load balancing and redundancy. Which requirement
of information security is addressed by implementing the plan?
integrity
scalability
availability*
confidentiality

Availability ensures that network services are accessible and performing well under all
conditions. By load balancing the traffic destined to the main web servers, in times of a huge
volume of visits the systems will be well managed and serviced.

22. Which AAA component can be established using token cards?
authorization
authentication*
auditing
accounting

The authentication component of AAA is established using username and password
combinations, challenge and response questions, and token cards. The authorization
component of AAA determines which resources the user can access and which operations the
user is allowed to perform. The accounting and auditing component of AAA keeps track of
how network resources are used.

23. Which method is used to make data unreadable to unauthorized
users?
Encrypt the data.*
Fragment the data.
Add a checksum to the end of the data.
Assign it a username and password.

Network data can be encrypted using various cryptography applications so that the data is
made unreadable to unauthorized users. Authorized users have the cryptography application
so the data can be unencrypted.

24. Which two areas must an IT security person understand in order
to identify vulnerabilities on a network? (Choose two.)
number of systems on each network
network baseline data
data analysis trends
hardware used by applications*
important applications used*

In order to identify security vulnerabilities, a cybersecurity expert must understand the
applications being used and their associated vulnerabilities, as well as the hardware used.

25. Which three services are provided by the AAA framework?
(Choose three.)
autoconfiguration
automation
authorization*
authentication*
accounting*
autobalancing

The authentication, authorization, and accounting (AAA) framework provides services to help
secure access to network devices.

26. How does BYOD change the way in which businesses implement
networks?
BYOD provides flexibility in where and how users can access network resources.*
BYOD requires organizations to purchase laptops rather than desktops.
BYOD users are responsible for their own network security, thus reducing the need for
organizational security policies.
BYOD devices are more expensive than devices that are purchased by an organization.

A BYOD environment requires an organization to accommodate a variety of devices and
access methods. Personal devices, which are not under company control, may be involved, so
security is critical. Onsite hardware costs will be reduced, allowing a business to focus on
delivering collaboration tools and other software to BYOD users.

27. Which technology provides the framework to enable scalable
access security?
AutoSecure
role-based CLI access
authentication, authorization, and accounting*
Simple Network Management Protocol
Cisco Configuration Professional communities

AAA network security services (authentication, authorization, and accounting) provide the
primary framework to set up access control on a network device. It provides a higher degree
of scalability than the con, aux, vty and privileged EXEC authentication commands alone by
using centrally managed Cisco Secure ACS servers using TACACS+ and RADIUS protocols.

28. Which device is usually the first line of defense in a layered
defense-in-depth approach?
access layer switch
internal router
edge router*
firewall

The edge router connects an organization to a service provider. The edge router has a set of
rules that specify which traffic is allowed or denied.

29. Which type of access control applies the strictest access control
and is commonly used in military or mission critical applications?
mandatory access control (MAC)*
discretionary access control (DAC)
attribute-based access control (ABAC)
Non-discretionary access control

Access control models are used to define the access controls implemented to protect corporate
IT resources. The different types of access control models are as follows:
Mandatory access control (MAC) – The strictest access control that is typically used in
military or mission critical applications.
Discretionary access control (DAC) – Allows users to control access to their data as owners of
that data. Access control lists (ACLs) or other security measures may be used to specify who
else may have access to the information.
Non-discretionary access control – Also known as role-based access control (RBAC). Allows
access based on the role and responsibilities of the individual within the organization.
Attribute-based access control (ABAC) – Allows access based on the attributes of the
resource to be accessed, the user accessing the resource, and the environmental factors such as
the time of day.

30. In a defense-in-depth approach, which three options must be identified to effectively
defend a network against attacks? (Choose three.)
assets that need protection*
location of attacker or attackers
total number of devices that attach to the wired and wireless network
threats to assets*
vulnerabilities in the system*
past security breaches

In order to prepare for a security attack, IT security personnel must identify assets that need to
be protected such as servers, routers, access points, and end devices. They must also identify
potential threats to the assets and vulnerabilities in the system or design.

31. Which section of a security policy is used to specify that only authorized individuals
should have access to enterprise data?
statement of authority
statement of scope
campus access policy
Internet access policy
identification and authentication policy*
acceptable use policy

The identification and authentication policy section of the security policy typically specifies
authorized persons that can have access to network resources and identity verification
procedures.

1. If an asymmetric algorithm uses a public key to encrypt data, what is used to decrypt it?
DH *
A private key
A digital certificate
A different public key

A. When an asymmetric algorithm is used, public and private keys are used for the
encryption. Either key can be used for encryption, but the complementary matched key must
be used for the decryption. For example, if the public key is used for encryption, then the
private key must be used for the decryption.

2. Which type of attack does the use of HMACs protect against?
DoS
DDoS
Brute force
Man-in-the-middle *

D. Because only the sender and receiver know the secret key, only parties that have access to
that key can compute the digest of an HMAC function. This defeats man-in-the-middle
attacks and provides authentication of where the data originated.

3. Which algorithm can ensure data confidentiality?
MD5
AES *
RSA
PKI

B. Data confidentiality is ensured through symmetric encryption algorithms, including DES,
3DES, and AES.

4. What is the purpose of code signing?
Data encryption
Reliable transfer of data
Source identity secrecy
Integrity of source .EXE files *

D. Code signing is used to verify the integrity of executable files downloaded from a vendor
website. Code signing uses digital certificates to authenticate and verify the identity of a
website.

5. What are two symmetric encryption algorithms? (Choose two.)
3DES *
MD5
AES *
HMAC
SHA

A, C. MD5, HMAC, and SHA are hashing algorithms.

6. What is the purpose of the DH algorithm?
To provide non-repudiation support
To support email data confidentiality
To encrypt data traffic after a VPN is established
To generate a shared secret between two hosts that have not communicated before *

D. DH is an asymmetric mathematical algorithm that allows two computers to generate an
identical shared secret, without having communicated before. Asymmetric key systems are
extremely slow for any sort of bulk encryption. It is common to encrypt the bulk of the traffic
using a symmetric algorithm such as DES, 3DES, or AES, and use the DH algorithm to create
keys that will be used by the symmetric encryption algorithm.

7. Which cryptographic technique provides both data integrity and nonrepudiation?
3DES
HMAC *
MD5
SHA-1

B. A keyed-hash message authentication code (HMAC or KHMAC) is a type of message
authentication code that uses an additional secret key as input to the hash function. This adds
authentication to integrity assurance. When two parties share a secret key and use HMAC
functions for authentication, the received HMAC digest of a message indicates that the other
party was the originator of the message (non-repudiation), because it is the only other entity
possessing the secret key. 3DES is an encryption algorithm, and MD5 and SHA-1 are hashing
algorithms.

8. In a hierarchical CA topology, where can a subordinate CA obtain a certificate for itself?
From the root CA only
From the root CA or from self-generation
From the root CA or another subordinate CA at the same level
From the root CA or another subordinate CA at a higher level *
From the root CA or another subordinate CA anywhere in the tree

D. In a hierarchical CA topology, CAs can issue certificates to end users and to subordinate
CAs, which in turn issue their certificates to end users, other lower level CAs, or both. In this
way, a tree of CAs and end users is built in which every CA can issue certificates to lower
level CAs and end users. Only the root CA can issue a self-signing certificate in a hierarchical
CA topology.

9. Which objective of secure communications is achieved by encrypting data?
Authentication
Availability
Confidentiality *
Integrity

C. When data is encrypted, it is scrambled to keep the data private and confidential so that
only authorized recipients can read the message. A hash function is another way of providing
confidentiality.

10. Which statement describes the use of hashing?
Hashing can be used to prevent both accidental and deliberate changes.
Hashing can be used to detect both accidental and deliberate changes.
Hashing can be used to detect accidental changes, but does not protect against deliberate
changes. *
Hashing can be used to protect against deliberate changes, but does not detect accidental
changes.

C. Hashing can be used to detect accidental changes only. It is possible for an attacker to
intercept a message, change it, recalculate the hash, and append it to the message. The
receiving device would validate the appended hash.

11. Which IETF standard defines the PKI digital certificate format?
X.500
X.509 *
LDAP
SSL/TLS

B. To address the interoperability of different PKI vendors, IETF published the Internet X.509
Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC
2527). The standard defines the format of a digital certificate.

12. Which two statements correctly describe certificate classes used in the PKI? (Choose two.)
A class 0 certificate is for testing purposes. *
A class 0 certificate is more trusted than a class 1 certificate.
The lower the class number, the more trusted the certificate.
A class 5 certificate is for users with a focus on verification of email.
A class 4 certificate is for online business transactions between companies. *

A, E. A digital certificate class is identified by a number. The higher the number, the more
trusted the certificate. The classes include the following:
Class 0 is for testing purposes in which no checks have been performed.
Class 1 is for individuals with a focus on verification of email.
Class 2 is for organizations for which proof of identity is required.
Class 3 is for servers and software signing for which independent verification and checking of
identity and authority is done by the issuing certificate authority.
Class 4 is for online business transactions between companies.
Class 5 is for private organizations or governmental security.

13. Alice and Bob want to use a CA authentication procedure to authenticate each other.
What must be obtained first?
CA self-signed certificate *
Self-signed certificates of two CA authorities
Self-signed certificate of the other device and the CA certificate
Self-sig

A. In the CA authentication procedure, the first step when contacting the PKI is to obtain a
copy of the public key of the CA itself, called the self-signed certificate. The CA public key
verifies all the certificates issued by the CA.

14. Which algorithm is used to automatically generate a shared secret
for two systems to use in establishing an IPsec VPN?
SSL
DES
AH
DH*
ESP
3DES

The Diffie-Hellman (DH) algorithm is the basis of most modern automatic key exchange
methods. It is a mathematical algorithm that allows two computers to generate an identical
shared secret on both systems without having communicated before. DH is commonly used
when data is exchanged using an IPsec VPN.

15. A security specialist is tasked to ensure that files transmitted between the headquarters
office and the branch office are not altered during transmission. Which two algorithms can be
used to achieve this task? (Choose two.)
3DES
HMAC
AES
SHA-1*
MD5*

The task to verify that messages are not altered during transmission is to ensure data integrity,
which can be implemented using a hash function. HMAC can be used for ensuring origin
authentication. AES and 3DES are encryption algorithms.

16. In which way does the use of HTTPS increase the security
monitoring challenges within enterprise networks?
HTTPS traffic can carry a much larger data payload than HTTP can carry.
HTTPS traffic is much faster than HTTP traffic.
HTTPS traffic does not require authentication.
HTTPS traffic enables end-to-end encryption.*

HTTPS enables end-to-end encrypted network communication, which adds further challenges
for network administrators to monitor the content of packets to catch malicious attacks.

17. What technology has a function of using trusted third-party
protocols to issue credentials that are accepted as an authoritative
identity?
hashing algorithms
digital signatures
symmetric keys
PKI certificates*

Digital certificates are used to prove the authenticity and integrity of PKI certificates, but a
PKI Certificate Authority is a trusted third-party entity that issues PKI certificates. PKI
certificates are public information and are used to provide authenticity, confidentiality,
integrity, and nonrepudiation services that can scale to large requirements.

18. Which three algorithms are designed to generate and verify digital
signatures? (Choose three.)
IKE
DSA*
RSA*
ECDSA*
AES
3DES

There are three Digital Signature Standard (DSS) algorithms that are used for generating and
verifying digital signatures:
Digital Signature Algorithm (DSA)
Rivest-Shamir-Adleman Algorithm (RSA)
Elliptic Curve Digital Signature Algorithm (ECDSA)

19. What are two properties of a cryptographic hash function? (Choose two.)
Complex inputs will produce complex hashes.
Hash functions can be duplicated for authentication purposes.
The hash function is one way and irreversible.*
The input for a particular hash algorithm has to have a fixed size.
The output is a fixed length.*

A cryptographic hash function should have the following properties:
The input can be any length.
The output has a fixed length.
The hash value is relatively easy to compute for any given input.
The hash is one way and not reversible.
The hash is collision free, meaning that two different input values will result in different hash
values.

20. Which statement is a feature of HMAC?
HMAC uses a secret key that is only known to the sender and defeats man-in-the-middle
attacks.
HMAC uses protocols such as SSL or TLS to provide session layer confidentiality.
HMAC uses a secret key as input to the hash function, adding authentication to integrity
assurance.*
HMAC is based on the RSA hash function.

A keyed-hash message authentication code (HMAC or KHMAC) is a type of message
authentication code (MAC). HMACs use an additional secret key as input to the hash
function, adding authentication to data integrity assurance.
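As an added example (not part of the original answer key), the following Python script models the situation described in questions 10 and 20: an unkeyed hash is simply recomputed by whoever alters a message in transit, whereas an HMAC tag cannot be regenerated without the shared secret key. The message text and key value are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample message exchanged between a headquarters office and a branch office
MESSAGE = b"transfer 100 units to branch-07"
# Constructed shared secret known only to the two offices (hypothetical value)
SHARED_KEY = b"hq-branch-shared-secret"


def plain_digest(message: bytes) -> str:
    """Unkeyed SHA-256 digest: detects changes, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def hmac_digest(message: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: producing a valid tag requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts_plain(message: bytes, tag: str) -> bool:
    """Receiver check when only an unkeyed hash travels with the message."""
    return hmac.compare_digest(plain_digest(message), tag)


def receiver_accepts_hmac(message: bytes, tag: str, key: bytes) -> bool:
    """Receiver check when an HMAC tag travels with the message."""
    return hmac.compare_digest(hmac_digest(message, key), tag)


def accidental_corruption(message: bytes) -> bytes:
    """Model an accidental change: one bit of the first byte flips in transit."""
    data = bytearray(message)
    data[0] ^= 0x01
    return bytes(data)


def deliberate_alteration(message: bytes) -> bytes:
    """Model the deliberate change from question 10: the destination field is rewritten."""
    return message.replace(b"branch-07", b"branch-99")


def run_scenarios() -> dict:
    """Return, for each scenario, whether the receiver's check catches the change."""
    results = {}

    # Scenario 1: unkeyed hash, accidental corruption. The stored hash no longer
    # matches the received bytes, so the corruption is detected.
    corrupted = accidental_corruption(MESSAGE)
    results["plain_hash_catches_accidental"] = not receiver_accepts_plain(
        corrupted, plain_digest(MESSAGE)
    )

    # Scenario 2: unkeyed hash, deliberate alteration. The altering party recomputes
    # the hash over the new message and appends it, so the receiver's check passes
    # and the alteration is NOT detected.
    altered = deliberate_alteration(MESSAGE)
    recomputed_tag = plain_digest(altered)
    results["plain_hash_catches_deliberate"] = not receiver_accepts_plain(
        altered, recomputed_tag
    )

    # Scenario 3: HMAC, deliberate alteration. Without SHARED_KEY no matching tag can
    # be produced; both an unkeyed digest and a tag under a wrong key are rejected.
    unkeyed_attempt = plain_digest(altered)
    wrong_key_attempt = hmac_digest(altered, b"some-other-key")
    results["hmac_catches_deliberate"] = (
        not receiver_accepts_hmac(altered, unkeyed_attempt, SHARED_KEY)
        and not receiver_accepts_hmac(altered, wrong_key_attempt, SHARED_KEY)
    )

    # Scenario 4: HMAC, genuine message from the key holder is accepted, which is the
    # origin authentication property the answer key describes.
    genuine_tag = hmac_digest(MESSAGE, SHARED_KEY)
    results["hmac_accepts_genuine"] = receiver_accepts_hmac(MESSAGE, genuine_tag, SHARED_KEY)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```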

21. Which two statements describe the characteristics of symmetric algorithms? (Choose two.)
They are commonly used with VPN traffic.*
They use a pair of a public key and a private key.
They are commonly implemented in the SSL and SSH protocols.
They provide confidentiality, integrity, and availability.
They are referred to as a pre-shared key or secret key.*

Symmetric encryption algorithms use the same key (also called shared secret) to encrypt and
decrypt the data. In contrast, asymmetric encryption algorithms use a pair of keys, one for
encryption and another for decryption.

22. Which encryption algorithm is an asymmetric algorithm?
AES
SEAL
DH*
3DES

DH is an asymmetric algorithm. AES, 3DES, and SEAL are all symmetric algorithms.

23. Which statement describes the use of certificate classes in the PKI?
Email security is provided by the vendor, not by a certificate.
A vendor must issue only one class of certificates when acting as a CA.
A class 5 certificate is more trustworthy than a class 4 certificate.*
The lower the class number, the more trusted the certificate.

The higher the class number, the more trustworthy the certificate. Class 1 certificates are
for individuals, with a focus on email verification. An enterprise can act as its own CA and
implement PKI for internal use. In that situation, the vendor can issue certificates as needed
for various purposes.

24. What is the focus of cryptanalysis?
developing secret codes
breaking encrypted codes*
implementing encrypted codes
hiding secret codes

Cryptology is the science of making and breaking secret codes. There are two separate
disciplines in cryptology, cryptography and cryptanalysis. Cryptography is the development
and use of codes. Cryptanalysis is the breaking of those secret (encrypted) codes.

25. Two users must authenticate each other using digital certificates
and a CA. Which option describes the CA authentication procedure?
The users must obtain the certificate of the CA and then their own certificate.*
The CA is always required, even after user verification is complete.
CA certificates are retrieved out-of-band using the PSTN, and the authentication is done in-band
over a network.
After user verification is complete, the CA is no longer required, even if one of the involved
certificates expires.

When two users must authenticate each other using digital certificates and CA, both users
must obtain their own digital certificate from a CA. They submit a certificate request to a CA,
and the CA will perform a technical verification by calling the end user (out-of-band). Once
the request is approved, the end user retrieves the certificate over the network (in-band) and
installs the certificate on the system. After both users have installed their certificate, they can
perform authentication by sending their certificate to each other. Each site will use the public
key of the CA to verify the validity of the certificate; no CA is involved at this point. If both
certificates are verified, both users can now authenticate each other.

26. When implementing keys for authentication, if an old key length with 4 bits is increased
to 8 bits, which statement describes the new key space?
The key space is increased by 3 times.
The key space is increased by 8 times.
The key space is increased by 15 times.*
The key space is increased by 16 times.

A key length with 4 bits will provide a key space of 2^4=16 keys. The new key length with 8
bits can provide a key space of 2^8=256 keys. The key space with 256 keys is 15 times larger
than a key space with 16 keys.

27. What is the service framework that is needed to support large-scale public key-based
technologies?
PKI*
RSA
3DES
HMAC

The service framework that is needed to support large-scale public key-based technologies is
a PKI (public key infrastructure). SHA and HMAC are hashing algorithms. RSA is an
asymmetric encryption algorithm.

28. What are the two important components of a public key infrastructure (PKI) used in
network security? (Choose two.)
symmetric encryption algorithms
certificate authority*
intrusion prevention system
digital certificates*
pre-shared key generation

A public key infrastructure uses digital certificates and certificate authorities to manage
asymmetric key distribution. PKI certificates are public information. The PKI certificate
authority (CA) is a trusted third-party that issues the certificate. The CA has its own
certificate (self-signed certificate) that contains the public key of the CA.

29. A company is developing a security policy to ensure that OSPF routing updates are
authenticated with a key. What can be used to achieve the task?
SHA-1
HMAC*
AES
MD5
3DES

The task to ensure that routing updates are authenticated is data origin authentication, which
can be implemented using HMAC. HMAC is MD5 or SHA-1 plus a secret key. AES and
3DES are two encryption algorithms. MD5 and SHA-1 can be used to ensure data integrity,
but not authentication.

30. An online retailer needs a service to support the nonrepudiation of the transaction.
Which component is used for this service?
the private key of the retailer
the digital signatures*
the unique shared secret known only by the retailer and the customer
the public key of the retailer

Digital signatures, generated by a hash function, can provide the service for nonrepudiation of
the transaction. Both public and private keys are used to encrypt data during the transaction.
Shared secrets between the retailer and customers are not used.

31. Which statement describes the Software-Optimized Encryption Algorithm (SEAL)?
It uses a 112-bit encryption key.
It requires more CPU resources than software-based AES does.
It is an example of an asymmetric algorithm.
SEAL is a stream cipher.*

SEAL is a stream cipher that uses a 160-bit encryption key. It is a symmetric encryption
algorithm that has a lower impact on the CPU resources compared to other software-based
algorithms, such as software-based DES, 3DES, and AES.

32. What role does an RA play in PKI?
a super CA
a subordinate CA*
a backup root CA
a root CA

A registration authority (RA) is a subordinate CA. It is certified by a root CA to issue
certificates for specific uses.

33. What technology allows users to verify the identity of a website and to trust code that is
downloaded from the Internet?
encryption
asymmetric key algorithm
digital signature*
hash algorithm

Digital signatures provide assurance of the authenticity and integrity of software codes. They
provide the ability to trust code that is downloaded from the Internet.

34. Which three services are provided through digital signatures? (Choose three.)
accounting
authenticity*
compression
nonrepudiation*
integrity*
encryption

Digital signatures use a mathematical technique to provide three basic security services:
Integrity
Authenticity
Nonrepudiation

35. What are two methods to maintain certificate revocation status? (Choose two.)
subordinate CA
OCSP*
DNS
LDAP
CRL*

A digital certificate might need to be revoked if its key is compromised or it is no longer
needed. The certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP)
are two common methods to check a certificate revocation status.

36. The following message was encrypted using a Caesar cipher with a
key of 2:
fghgpf vjg ecuvng

What is the plaintext message?
invade the castle
defend the castle*
defend the region
invade the region

The Caesar cipher was a simple substitution cipher. In this example, if the key is 2, the letter d
was moved two spaces to the right, resulting in an encoded message that used the letter f in
place of the letter d. The letter g would be the substitute for the letter e, and so on. So, the
resulting plaintext is f=d, g=e, h=f, g=e, p=n, f=d, v=t, j=h, g=e, e=c, c=a, u=s, v=t, n=l, g=e.

37. What is the purpose of a digital certificate?
It ensures that the person who is gaining access to a network device is authorized.
It provides proof that data has a traditional signature attached.
It guarantees that a website has not been hacked.
It authenticates a website and establishes a secure connection to exchange confidential
data*

Digital signatures commonly use digital certificates that are used to verify the identity of the
originator in order to authenticate a vendor website and establish an encrypted connection to
exchange confidential data. One such example is when a person logs into a financial
institution from a web browser.

38. A company is developing a security policy for secure communication. In the exchange of
critical messages between a headquarters office and a branch office, a hash value should only
be recalculated with a predetermined code, thus ensuring the validity of data source. Which
aspect of secure communications is addressed?
data integrity
non-repudiation
origin authentication*
data confidentiality

Secure communications consists of four elements:
Data confidentiality – guarantees that only authorized users can read the message
Data integrity – guarantees that the message was not altered
Origin authentication – guarantees that the message is not a forgery and does actually come
from whom it states
Data nonrepudiation – guarantees that the sender cannot repudiate, or refute, the validity of a
message sent

1. Which HIDS is an open source product?
Tripwire
OSSEC *
Cisco AMP
AlienVault USM

B. The Open Source HIDS SECurity (OSSEC) software is an open source HIDS that uses a
central manager server and agents that are installed on the hosts that are to be monitored.

2. In Windows Firewall, when is the Domain profile applied?
When the host accesses the Internet
When the host checks emails from an enterprise email server
When the host is connected to a trusted network such as an internal business network *
When the host is connected to an isolated network from the Internet by another security
device

C. The Domain profile in Windows Firewall configuration is for connections to a trusted
network, such as a business network, that is assumed to have an adequate security
infrastructure.

3. Which function does CVSS provide?
Risk assessment *
Penetration testing
Vulnerability assessment
Central security management service

A. The Common Vulnerability Scoring System (CVSS) is a risk assessment tool to convey the
common attributes and severity of vulnerabilities in computer hardware and software systems.

4. In addressing an identified risk, which strategy aims to decrease the risk by taking
measures to reduce vulnerability?
Risk sharing
Risk retention
Risk reduction *
Risk avoidance

C. There are four potential strategies for responding to risks that have been identified:
Risk avoidance: Stop performing the activities that create risk.
Risk reduction: Decrease the risk by taking measures to reduce vulnerability.
Risk sharing: Shift some of the risk to other parties.
Risk retention: Accept the risk and its consequences.

5. Which regulatory compliance regulation specifies security standards for U.S. government
systems and contractors to the U.S. government?
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley Act of 2002 (SOX)
Health Insurance Portability and Accountability Act (HIPAA)
Federal Information Security Management Act of 2002 (FISMA) *

D. The major regulatory compliance options include:
Federal Information Security Management Act of 2002 (FISMA): Specifies security standards
for U.S. government systems and contractors to the U.S. government.
Sarbanes-Oxley Act of 2002 (SOX): Sets new or expanded requirements for all U.S. public
company boards, management, and public accounting firms regarding the way in which
corporations control and disclose financial information.
Gramm-Leach-Bliley Act (GLBA): Established that financial institutions must ensure the
security and confidentiality of customer information; protect against any anticipated threats or
hazards to the security or integrity of such information; and protect against unauthorized
access to or use of customer information that could result in substantial harm or
inconvenience to any customer.
Health Insurance Portability and Accountability Act (HIPAA): Requires that all patient
personally identifiable healthcare information be stored, maintained, and transmitted in ways
that ensure patient privacy and confidentiality.

6. Which three devices are possible examples of network endpoints? (Choose three.)
Router
Sensor *
Wireless AP
IoT controller *
VPN appliance
Network security camera *

B, D, F. IoT components, such as sensors, controllers, and network security cameras, are
network endpoints when they are connected to a network. Routers, VPN appliances, and
wireless access points are examples of intermediate devices.

7. Which antimalware software approach can recognize various characteristics of known
malware files to detect a threat?
Routing-based
Behavior-based
Signature-based *
Heuristics-based

C. Antimalware programs may detect viruses using three different approaches:
Signature-based, by recognizing various characteristics of known malware files
Heuristics-based, by recognizing general features shared by various types of malware
Behavior-based, through analysis of suspicious activities

8. As described by the SANS Institute, which attack surface includes the exploitation of
vulnerabilities in wired and wireless protocols used by IoT devices?
Human Attack Surface
Internet Attack Surface
Network Attack Surface *
Software Attack Surface

C. The SANS Institute describes three components of the attack surface:
Network Attack Surface: Exploitation of vulnerabilities in networks
Software Attack Surface: Exploitation of vulnerabilities in web, cloud, or host-based software
applications
Human Attack Surface: Exploitation of weaknesses in user behavior

9. In profiling a server, what defines what an application is allowed to do or run on a server?
User accounts
Listening ports
Service accounts *
Software environment

C. The service accounts element of a server profile defines the type of service that an
application is allowed to run on a given host.

10. Which class of metric in the CVSS Basic metric group defines the features of the exploit
such as the vector, complexity, and user interaction required by the exploit?
Impact
Exploitability *
Modified Base
Exploit Code Maturity

B. The Base metric group of CVSS represents the characteristics of a vulnerability that are
constant over time and across contexts. It contains two classes of metrics:
Exploitability metrics: Features of the exploit such as the vector, complexity, and user
interaction required by the exploit
Impact metrics: The impacts of the exploit rooted in the CIA triad of confidentiality, integrity,
and availability

11. Which step in the Vulnerability Management Life Cycle performs inventory of all assets
across the network and identifies host details, including operating system and open services?
Assess
Discover *
Remediate
Prioritize assets

B. The steps in the Vulnerability Management Life Cycle include these:
Discover: Inventory all assets across the network and identify host details, including operating
systems and open services to identify vulnerabilities.
Prioritize assets: Categorize assets into groups or business units, and assign a business value
to asset groups based on their criticality to business operations.
Assess: Determine a baseline risk profile to eliminate risks based on asset criticality,
vulnerability threats, and asset classification.
Report: Measure the level of business risk associated with your assets according to your
security policies. Document a security plan, monitor suspicious activity, and describe known
vulnerabilities.
Remediate: Prioritize according to business risk and fix vulnerabilities in order of risk.
Verify: Verify that threats have been eliminated through follow-up audits.

12. In network security assessments, which type of test is used to evaluate the risk posed by
vulnerabilities to a specific organization, including assessment of the likelihood of attacks and
the impact of successful exploits on the organization?
Risk analysis *
Port scanning
Penetration testing
Vulnerability assessment

A. A risk analysis includes assessment of the likelihood of attacks, identifies types of likely
threat actors, and evaluates the impact of successful exploits on the organization.

13. In most host-based security suites, which function provides robust logging of
security-related events and sends logs to a central location?
intrusion detection and prevention
anti-phishing
telemetry*
safe browsing

The telemetry functionality in most host-based security suites provides robust logging
functionality and submits logs to a central location for analysis.

14. On a Windows host, which tool can be used to create and maintain blacklists and
whitelists?
Group Policy Editor*
Local Users and Groups
Computer Management
Task Manager

In Windows, blacklisting and whitelisting settings can be managed through the Group Policy
Editor.

15. Which statement describes agentless antivirus protection?
Host-based antivirus systems provide agentless antivirus protection.
The antivirus protection is provided by the router that is connected to a cloud service.
The antivirus protection is provided by the ISP.
Antivirus scans are performed on hosts from a centralized system.*

Host-based antivirus protection is also known as agent-based. Agent-based antivirus runs on
every protected machine. Agentless antivirus protection performs scans on hosts from a
centralized system.

16. In network security assessments, which type of test employs software to scan internal
networks and Internet facing servers for various types of vulnerabilities?
risk analysis
penetration testing
vulnerability assessment*
strength of network security testing

In vulnerability assessment, security analysts use software to scan internal networks and
Internet facing servers for various types of vulnerabilities. Tools for vulnerability assessment
include the open source OpenVAS platform, Microsoft Baseline Security Analyzer, Nessus,
Qualys, and FireEye Mandiant services.

17. The IT security personnel of an organization notice that the web server deployed in the
DMZ is frequently targeted by threat actors. The decision is made to implement a patch
management system to manage the server. Which risk management strategy method is being
used to respond to the identified risk?
risk avoidance
risk retention
risk reduction*
risk sharing

There are four potential strategies for responding to risks that have been identified:
1. Risk avoidance – Stop performing the activities that create risk.
2. Risk reduction – Decrease the risk by taking measures to reduce vulnerability.
3. Risk sharing – Shift some of the risk to other parties.
4. Risk retention – Accept the risk and its consequences.

18. In addressing a risk that has low potential impact and relatively high cost of mitigation or
reduction, which strategy will accept the risk and its consequences?
risk reduction
risk avoidance
risk retention*
risk sharing

There are four potential strategies for responding to risks that have been identified:
1. Risk avoidance – Stop performing the activities that create risk.
2. Risk reduction – Decrease the risk by taking measures to reduce vulnerability.
3. Risk sharing – Shift some of the risk to other parties.
4. Risk retention – Accept the risk and its consequences.

19. What is a host-based intrusion detection system (HIDS)?
It identifies potential attacks and sends alerts but does not stop the traffic.
It detects and stops potential direct attacks but does not scan for malware.
It is an agentless system that scans files on a host for potential malware.
It combines the functionalities of antimalware applications with firewall protection.*

A current HIDS is a comprehensive security application that combines the functionalities of
antimalware applications with firewall protection. An HIDS not only detects malware but also
prevents it from executing. Because the HIDS runs directly on the host, it is considered an
agent-based system.

20. What type of antimalware program is able to detect viruses by recognizing various
characteristics of a known malware file?
behavior-based
agent-based
signature-based*
heuristic-based

Using a signature-based approach, host security software can detect viruses and malware by
recognizing various characteristics of known malware files.

21. Which device in a LAN infrastructure is susceptible to MAC address-table overflow and
spoofing attacks?
firewall
workstation
server
switch*

Switches are LAN infrastructure devices interconnecting endpoints. They are susceptible to
LAN-related attacks including MAC address-table overflow attacks, spoofing attacks, LAN
storm attacks, STP manipulation attacks, and VLAN attacks.

22. Which criterion in the Base Metric Group Exploitability metrics reflects the proximity of the threat actor to the vulnerable component?
user interaction

attack vector*

attack complexity

privileges required

The Base Metric Group Exploitability metrics include these criteria:

• Attack vector – a metric that reflects the proximity of the threat actor to the vulnerable
component
• Attack complexity – a metric that expresses the number of components, software, hardware, or
networks, that are beyond control of the attacker and that must be present in order for a
vulnerability to be successfully exploited
• Privileges required – a metric that captures the level of access that is required for a successful
exploit of the vulnerability
• User interaction – second component of the attack complexity metric that expresses the
presence or absence of the requirement for user interaction in order for an exploit to be
successful
• Scope – a metric that expresses whether multiple authorities must be involved in an exploit

23. In addressing an identified risk, which strategy aims to stop performing the activities that create risk?
risk reduction

risk avoidance*

risk retention

risk sharing

There are four potential strategies for responding to risks that have been identified:

1. Risk avoidance – Stop performing the activities that create risk.


2. Risk reduction – Decrease the risk by taking measures to reduce vulnerability.
3. Risk sharing – Shift some of the risk to other parties.
4. Risk retention – Accept the risk and its consequences.

24. Which statement describes the term iptables?

It is a file used by a DHCP server to store current active IP addresses.

It is a DHCP application in Windows.

It is a DNS daemon in Linux.

It is a rule-based firewall application in Linux.*

Iptables is an application that allows Linux system administrators to configure network access
rules.

25. For network systems, which management system addresses the inventory and control of hardware and software configurations?
asset management

vulnerability management

risk management

configuration management*

Configuration management addresses the inventory and control of hardware and software
configurations of network systems.

26. Which statement describes the anomaly-based intrusion detection approach?

It compares the signatures of incoming traffic to a known intrusion database.

It compares the antivirus definition file to a cloud based repository for latest updates.

It compares the operations of a host against a well-defined security policy.

It compares the behavior of a host to an established baseline to identify potential intrusions.*

With an anomaly-based intrusion detection approach, a baseline of host behaviors is
established first. The host behavior is checked against the baseline to detect significant
deviations, which might indicate potential intrusions.

27. What is the first step taken in risk assessment?

Identify threats and vulnerabilities and the matching of threats with vulnerabilities.*

Establish a baseline to indicate risk before security controls are implemented.

Compare to any ongoing risk assessment as a means of evaluating risk management effectiveness.

Perform audits to verify threats are eliminated.

The three steps of risk assessment in order are as follows:

1. Identify threats and vulnerabilities and the matching of threats with vulnerabilities.
2. Establish a baseline to indicate risk before security controls are implemented.
3. Compare to an ongoing risk assessment as a means of evaluating risk management
effectiveness.

28. Which statement describes the threat-vulnerability (T-V) pairing?

It is the identification of threats and vulnerabilities and the matching of threats with
vulnerabilities.*

It is the comparison between known malware and system risks.

It is the detection of malware against a central vulnerability research center.

It is the advisory notice from a vulnerability research center.

A mandatory activity in risk assessment is the identification of threats and vulnerabilities and
the matching of threats with vulnerabilities, also called threat-vulnerability (T-V) pairing.

29. Which security procedure would be used on a Windows workstation to prevent access to a specific set of websites?
whitelisting

HIDS

blacklisting*

baselining

Blacklists can be used to identify and prevent specific applications, websites, or services from
being downloaded or executed within an enterprise network.

30. Which statement describes the use of a Network Admission Control (NAC) solution?

It provides network access to only authorized and compliant systems.*

A Network Admission Control solution provides filtering of potentially malicious emails before they reach the endpoint.

It provides endpoint protection from viruses and malware.

It provides filtering and blacklisting of websites being accessed by end users.

Network Admission Control (NAC) allows only authorized and compliant systems to connect
to a network.

31. Which statement describes the Cisco Threat Grid Glovebox?

It is a network-based IDS/IPS.

It is a firewall appliance.

It is a host-based intrusion detection system (HIDS) solution to fight against malware.

It is a sandbox product for analyzing malware behaviors.*

Cisco ThreatGrid Glovebox is a sandbox product for analyzing malware behaviors.

32. Which type of antimalware software detects and mitigates malware by analyzing suspicious activities?
heuristics-based

packet-based

behavior-based*

signature-based

Antimalware programs may detect viruses using three different approaches:

1. signature-based – by recognizing various characteristics of known malware files
2. heuristics-based – by recognizing general features shared by various types of malware
3. behavior-based – through analysis of suspicious activities

33. Which regulatory compliance regulation sets requirements for all U.S. public company boards, management and public accounting firms regarding the way in which corporations control and disclose financial information?
Gramm-Leach-Bliley Act (GLBA)

Health Insurance Portability and Accountability Act (HIPAA)

Federal Information Security Management Act of 2002 (FISMA)

Sarbanes-Oxley Act of 2002 (SOX)*

There are five major regulatory compliance regulations including:

• Federal Information Security Management Act of 2002 (FISMA) – specifies security
standards for U.S. government systems and contractors to the U.S. government.
• Sarbanes-Oxley Act of 2002 (SOX) – sets new or expanded requirements for all U.S. public
company boards, management and public accounting firms regarding the way in which
corporations control and disclose financial information.
• Gramm-Leach-Bliley Act (GLBA) – established that financial institutions must ensure the
security and confidentiality of customer information; protect against any anticipated threats or
hazards to the security or integrity of such information; and protect against unauthorized
access to or use of customer information that could result in substantial harm or inconvenience
to any customer.
• Health Insurance Portability and Accountability Act (HIPAA) – requires that all patient
personally identifiable healthcare information be stored, maintained, and transmitted in ways
that ensure patient privacy and confidentiality.

34. Which statement describes the term attack surface?

It is the total sum of vulnerabilities in a system that is accessible to an attacker.*

It is the group of hosts that experiences the same attack.

It is the network interface where attacks originate.

It is the total number of attacks toward an organization within a day.

An attack surface is the total sum of the vulnerabilities in a system that is accessible to an
attacker. The attack surface can consist of open ports on servers or hosts, software that runs
on Internet-facing servers, wireless network protocols, and even users.

35. Which step in the Vulnerability Management Life Cycle
determines a baseline risk profile to eliminate risks based on asset
criticality, vulnerability threat, and asset classification?
assess*

discover

verify

prioritize assets

The steps in the Vulnerability Management Life Cycle include these:

• Discover – inventory all assets across the network and identify host details, including
operating systems and open services, to identify vulnerabilities.
• Prioritize assets – categorize assets into groups or business units, and assign a business value
to asset groups based on their criticality to business operations.
• Assess – determine a baseline risk profile to eliminate risks based on asset criticality,
vulnerability threats, and asset classification.
• Report – measure the level of business risk associated with assets according to security
policies. Document a security plan, monitor suspicious activity, and describe known
vulnerabilities.
• Remediate – prioritize according to business risk and fix vulnerabilities in order of risk.
• Verify – verify that threats have been eliminated through follow-up audits.

36. When a network baseline is being established for an organization, which network profile element indicates the time between the establishment of a data flow and its termination?
session duration*

critical asset address space

ports used

total throughput

Important elements of a network profile include:

• Total throughput – the amount of data passing from a given source to a given destination in a
given period of time
• Session duration – the time between the establishment of a data flow and its termination
• Ports used – a list of TCP or UDP processes that are available to accept data
• Critical asset address space – the IP addresses or the logical location of essential systems or
data

37. Which two classes of metrics are included in the CVSS Base
Metric Group? (Choose two.)
Modified Base

Confidentiality Requirement

Exploit Code Maturity

Exploitability*

Impact metrics*

The Base Metric Group of CVSS represents the characteristics of a vulnerability that are
constant over time and across contexts. It contains two classes of metrics, Exploitability and
Impact.

38. Which two criteria in the Base Metric Group Exploitability metrics are associated with the complexity of attacks? (Choose two.)
scope

attack complexity*

user interaction*

attack vector

privileges required

The Base Metric Group Exploitability metrics include these criteria:

• Attack vector – a metric that reflects the proximity of the threat actor to the vulnerable
component
• Attack complexity – a metric that expresses the number of components, software, hardware, or
networks, that are beyond control of the attacker and that must be present in order for a
vulnerability to be successfully exploited
• Privileges required – a metric that captures the level of access that is required for a successful
exploit of the vulnerability
• User interaction – second component of the attack complexity metric that expresses the
presence or absence of the requirement for user interaction in order for an exploit to be
successful
• Scope – a metric that expresses whether multiple authorities must be involved in an exploit

39. Use the following scenario to answer the questions. An entrepreneur is starting a small business and is considering the server services needed for the startup company. The company handling the IT service is presenting options to the company.

a) If the entrepreneur decides to go with a Linux server, how are services handled differently from how Windows server services would be handled?

The services are managed using configuration files. *

Services can only be managed from the Administrator account.

Services use only TCP port numbers because they are more secure.

The PowerShell environment can be used to make configuration changes.

b) The company will be using both Linux- and Windows-based hosts. Which two
solutions would be used in a distributed firewall network design? (Choose two.)

iptables *

SIEM

Snort

Windows Firewall *

Wireshark

c) Which protocol should be recommended to the company to monitor and manage network performance?

NTP

PAT

SNMP *

SSH

d) The IT company is recommending the use of PKI applications. In which two instances might the entrepreneur make use of PKIs? (Choose two.)

802.1x authentication *

FTP transfers

HTTPS web service *

local NTP server

file and directory access permission

e) The entrepreneur is concerned about company employees having uninterrupted access to important resources and data. Which of the CIA triad components would address the concern?

authentication

availability *

confidentiality

integrity

40. Match the description to the antimalware approach. (Not all options are used.)

41. Match the network-based antimalware solution to the function. (Not all options are used.)

1. Which statement describes the tcpdump tool?
It is a command line packet analyzer. *
It is used to control multiple TCP-based applications.
It accepts and analyzes data captured by Wireshark.
It can be used to analyze network log data in order to describe and predict network behavior.

A. The tcpdump command line tool is a popular packet analyzer. It can display packet
captures in real time or write packet captures to a file.

2. Which Windows host log event type describes the successful operation of an application, driver, or service?
Error
Warning
Information *
Success Audit
C. Various Windows host logs can have different event types. The Information event type
records an event that describes the successful operation of an application, driver, or service.

3. A NIDS/NIPS has identified a threat. Which type of security data will be generated and sent to a logging device?
Alert *
Session
Statistical
Transaction

A. Alert data is generated by IPS or IDS devices in response to traffic that violates a rule or
matches the signature of a known security threat.

4. What is the purpose of Tor?

To donate processor cycles to distributed computational tasks in a processor-sharing P2P network
To allow users to browse the Internet anonymously *
To securely connect to a remote network over an unsecure link such as an Internet connection
To inspect incoming traffic and look for any that violates a rule or matches the signature of a
known exploit

B. Tor is a software platform and network of peer-to-peer (P2P) hosts that function as routers.
Users access the Tor network by using a special browser that allows them to browse
anonymously.

5. Which statement describes an operational characteristic of NetFlow?
NetFlow captures the entire contents of a packet.
NetFlow can provide services for user access control.
NetFlow flow records can be viewed by the tcpdump tool.
NetFlow collects metadata about the packet flow, not the flow data itself. *

D. NetFlow does not capture the entire contents of a packet. Instead, NetFlow collects
metadata, or data about the flow, not the flow data itself. NetFlow information can be viewed
with tools such as nfdump and FlowViewer.

6. Which type of security data can be used to describe or predict network behavior?
Alert
Session
Statistical *
Transaction

C. Statistical data is created through the analysis of other forms of network data. Conclusions
from these analyses can be used to describe or predict network behavior.

7. What type of server can threat actors use DNS to communicate with?
CnC *
Database
NTP
Web

A. Some malware uses DNS to communicate with command-and-control (CnC) servers to
exfiltrate data in traffic that is disguised as normal DNS query traffic.

8. In a Cisco AVC system, in which module is NBAR2 deployed?

Control *
Metrics Collection
Application Recognition
Management and Reporting

C. AVC uses Cisco Next-Generation Network-Based Application Recognition (NBAR2) to
discover and classify the applications in use on the network.

9. A security analyst reviews network logs. The data shows user network activities such as username, IP addresses, web pages accessed, and timestamp. Which type of data is the analyst reviewing?
Alert
Session
Application
Transaction *

D. Transaction data focuses on the results of network sessions as reflected by the device logs
kept by server processes, such as the details of a user’s visit to a website.

10. Which type of server daemon accepts messages sent by network devices to create a collection of log entries?
SSH
NTP
Syslog *
AAA

C. Syslog is important to security monitoring because network devices send periodic
messages to the syslog server. These logs can be examined to detect inconsistencies and
issues within the network.

11. Which Windows tool can be used to review host logs?

Services
Event Viewer *
Task Manager
Device Manager

B. Event Viewer in Windows can be used to review entries in various logs.

12. Which two protocols may devices use in the application process
that sends email? (Choose two.)
HTTP
SMTP *
POP
IMAP
DNS *
POP3

B, E. POP, POP3, and IMAP are protocols that are used to retrieve email from servers. SMTP
is the default protocol that is used to send email. DNS may be used by the sender email server
to find the address of the destination email server. HTTP is a protocol for sending and receiving
web pages.

13. How does using HTTPS complicate network security monitoring?

HTTPS cannot protect visitors to a company-provided web site.
HTTPS can be used to infiltrate DNS queries.
Web browser traffic is directed to infected servers.
HTTPS adds complexity to captured packets.*

HTTPS adds extra overhead to the HTTP-formed packet. HTTPS encrypts using secure
socket layer (SSL). Even though some devices can perform SSL decryption and inspection,
this can present processing and privacy issues. HTTPS adds complexity to packet captures
due to the additional message involved in establishing an encrypted data connection.

14. Which protocol is used to send e-mail messages between two servers that are in different e-mail domains?
POP3
SMTP*
HTTP
IMAP4

SMTP is used to send data between mail servers and to send data from a host to a mail server.
The other two protocols that can be used for email are IMAP and POP3. IMAP and POP3 are
used to download email messages from a mail server.

15. What are two ways that ICMP can be a security threat to a
company? (Choose two.)
by collecting information about a network*
by corrupting network IP data packets
by providing a conduit for DoS attacks*
by corrupting data between email servers and email recipients
by the infiltration of web pages

ICMP can be used as a conduit for DoS attacks. It can be used to collect information about a
network such as the identification of hosts and network structure, and by determining the
operating systems being used on the network.

16. Which function is provided by the Sguil application?

It makes Snort-generated alerts readable and searchable.*
It detects potential network intrusions.
It reports conversations between hosts on the network.
It prevents malware from attacking a host.

Applications such as Snorby and Sguil can be used to read and search alert messages
generated by NIDS/NIPS.

17. Which two options are network security monitoring approaches that use advanced analytic techniques to analyze network telemetry data? (Choose two.)
NetFlow
Snorby
NBAD*
NBA*
IPFIX
Sguil

Network behavior analysis (NBA) and network behavior anomaly detection (NBAD) are
approaches to network security monitoring that use advanced analytical techniques to analyze
NetFlow or IPFIX network telemetry data.

18. A system administrator has recommended to the CIO a move of
some applications from a Windows server to a Linux server. The
proposed server will use ext4 partitions and serve as a web server, file
server, and print server. The CIO is considering the recommendation,
but has some questions regarding security.

18.a. Which two methods does Linux use to log data in order to
identify a security event? (Choose two.)
Apache access logs*
Event Viewer
NetFlow
SPAN
Syslog*

The syslog standard is used for logging event messages from network devices. Syslog
messages are sent from the device to a logging server. Apache web server access logs are an
important source of information for a cybersecurity analyst in order to see who accessed the
server, the IP address used, date/time of access, and URL used.

18.b. What is a daemon?

a background process that runs without the need for user interaction*
a record to keep track of important events
a type of security attack
an application that monitors and analyzes suspicious activity

A daemon in Linux is a background process that runs without the need for user interaction. A
network administrator can view log files in order to see information about daemons running
on the Linux server.

18.c. Because the company uses discretionary access control (DAC) for user file management, what feature would need to be supported on the server?
access based on security clearance held
principle of least privilege
role-based access control
user-based data access control*

Discretionary access control allows users to control access to their data as owners of that data.
ACLs may also be used in order to specify which users or groups have access to the data.

18.d. What are two benefits of using an ext4 partition instead of ext3?
(Choose two.)
compatibility with CDFS
compatibility with NTFS
decreased load time
improved performance*
an increase in the number of supported devices
increase in the size of supported files*

Based on the ext3 file system, an ext4 partition includes extensions that improve performance
and increase the size of supported files. An ext4 partition also supports journaling, a file
system feature that minimizes the risk of file system corruption if power is suddenly lost to
the system.

19. How can IMAP be a security threat to a company?

It can be used to encode stolen data and send it to a threat actor.
An email can be used to bring malware to a host.*
Encrypted data is decrypted.
Someone inadvertently clicks on a hidden iFrame.

IMAP, SMTP, and POP3 are email protocols. SMTP is used to send data from a host to a
server or to send data between servers. IMAP and POP3 are used to download email messages
and can be responsible for bringing malware to the receiving host.

20. A system administrator runs a file scan utility on a Windows PC and notices a file lsass.exe in the Program Files directory. What should the administrator do?
Open the Task Manager, right-click on the lsass process and choose End Task.
Uninstall the lsass application because it is a legacy application and no longer required by
Windows.
Move it to Program Files (x86) because it is a 32bit application.
Delete the file because it is probably malware.*

On Windows computers, security logging and security policies enforcement are carried out by
the Local Security Authority Subsystem Service (LSASS), running as lsass.exe. It should be
running from the Windows\System32 directory. If a file with this name, or a camouflaged
name, such as 1sass.exe, is running or running from another directory, it could be malware.

21. How does a web proxy device provide data loss prevention (DLP)
for an enterprise?
by checking the reputation of external web servers
by functioning as a firewall
by inspecting incoming traffic for potential exploits
by scanning and logging outgoing traffic*

A web proxy device can inspect outgoing traffic as means of data loss prevention (DLP). DLP
involves scanning outgoing traffic to detect whether the data that is leaving the enterprise
network contains sensitive, confidential, or secret information.

22. A system analyst is reviewing syslog messages and notices that the
PRI value of a message is 26. What is the severity value of the
message?
1
2*
3
6

The priority (PRI) value consists of two elements, the facility and severity of the message. It
is calculated by multiplying the facility value by 8, and then adding the severity value, that is,
priority = (facility * 8) + severity. To find the severity value from a given PRI, divide the PRI
by 8 and the remainder is the severity value.

23. Which statement describes session data in security logs?

It is a record of a conversation between network hosts.*
It can be used to describe or predict network behavior.
It reports detailed network activities between network hosts.
It shows the result of network sessions.

Session data is a record of a conversation between two network endpoints.

24. In a Cisco AVC system, in which module is NetFlow deployed?

Management and Reporting
Metrics Collection*
Control
Application Recognition

NetFlow technology is deployed in the Metrics Collection module of a Cisco AVC system to
collect network flow metrics and to export to management tools.

25. What port number would be used if a threat actor was using NTP
to direct DDoS attacks?
443
25
69
123*

NTP uses UDP port number 123. Threat actors could use port 123 on NTP systems in order to
direct DDoS attacks through vulnerabilities in client or server software.

26. Which information can be provided by the Cisco NetFlow utility?

IDS and IPS capabilities
security and user account restrictions
peak usage times and traffic routing*
source and destination UDP port mapping

NetFlow efficiently provides an important set of services for IP applications including
network traffic accounting, usage-based network billing, network planning, security, denial of
service monitoring capabilities, and network monitoring. NetFlow provides valuable
information about network users and applications, peak usage times, and traffic routing.

27. What is Tor?

a type of Instant Messaging (IM) software used on the darknet
a way to share processors between network devices across the Internet
a rule created in order to match a signature of a known exploit
a software platform and network of P2P hosts that function as Internet routers*

A special browser is used to access the Tor network. This browser allows a user to browse the
Internet anonymously.

28. Which statement describes statistical data in network security monitoring processes?
It shows the results of network activities between network hosts.
It contains conversations between network hosts.
It is created through an analysis of other forms of network data.*
It lists each alert message along with statistical information.

Like session data, statistical data is about network traffic. Statistical data is created through
the analysis of other forms of network data.

29. Refer to the exhibit.

A network administrator is reviewing an Apache access log message. What is the status of the access request by the client?
The request was unsuccessful because of server errors.
The request was fulfilled successfully.*
The request was redirected to another web server.
The request was unsuccessful because of client errors.

The sixth field of the Apache access log message is the three-digit numeric status code.
Codes that begin with a 2 represent success. Codes that begin with a 3 represent redirection.
Codes that begin with a 4 represent client errors. Codes that begin with a 5 represent server
errors.

30. How might corporate IT professionals deal with DNS-based cyber threats?
Monitor DNS proxy server logs and look for unusual DNS queries.*
Use IPS/IDS devices to scan internal corporate traffic.
Limit the number of simultaneously opened browsers or browser tabs.
Limit the number of DNS queries permitted within the organization.

DNS queries for randomly generated domain names or extremely long random-appearing
DNS subdomains should be considered suspicious. Cyberanalysts could do the following for
DNS-based attacks:
1. Analyze DNS logs.
2. Use a passive DNS service to block requests to suspected CnC and exploit domains.

31. Refer to the exhibit.

A junior network engineer is handed a print-out of the network information shown. Which protocol or service originated the information shown in the graphic?
NetFlow
TACACS+
RADIUS
Syslog*

Syslog clients send log entries to a syslog server. The syslog server concentrates and stores
log entries. Log entries are categorized by seven severity levels:
emergencies (0), alerts (1), critical (2), errors (3), warnings (4), notifications (5),
informational (6), and debugging (7).

32. Which technology is used in Cisco Next-Generation IPS devices to consolidate multiple security layers into a single platform?
WinGate
FirePOWER*
Apache Traffic Server
Squid

Cisco Next-Generation IPS devices (NGIPS) use FirePOWER Services to consolidate
multiple security layers into a single platform, which helps to contain costs and simplify
management. Apache Traffic Server, Squid, and WinGate are examples of web proxies.

33. Refer to the exhibit.

How is the traffic from the client web browser being altered when connected to the destination website of www.cisco.com?
Traffic is sent in plain-text by the user machine and is encrypted by the TOR node in France
and decrypted by the TOR node in Germany.
Traffic is encrypted by the user machine and sent directly to the cisco.com server to be
decrypted.
Traffic is encrypted by the user machine, and the TOR network only routes the traffic through
France, Canada, Germany, and delivers it to cisco.com.
Traffic is encrypted by the user machine, and the TOR network encrypts next-hop
information on a hop-by-hop basis.*

When data is being sent into the TOR network, the data is only encrypted by the sending
client itself. The next-hop information is encrypted and decrypted between the TOR relays on
a hop-by-hop basis. In this way, no single device knows the entire path to the destination, and
routing information is readable only by the device that requires it. Finally, at the end of the
Tor path, the traffic reaches its Internet destination. The client data is not encrypted by the
TOR network; that encryption is the responsibility of the user.

34. Which Windows log contains information about installations of software, including Windows updates?
setup logs*
application logs
system logs
security logs

On a Windows host, setup logs record information about the installation of software,
including Windows updates.

35. Which Windows log records events related to login attempts and
operations related to file or object access?
setup logs
security logs*
application logs
system logs

On a Windows host, security logs record events related to security, such as login attempts and
operations related to file or object management and access.

36. What does it indicate if the timestamp in the HEADER section of a syslog message is preceded by a period or asterisk symbol?
The timestamp represents the round trip duration value.
The syslog message indicates the time an email is received.
There is a problem associated with NTP.*
The syslog message should be treated with high priority.

The HEADER section of the message contains the timestamp. If the timestamp is preceded by
the period (.) or asterisk (*) symbols, a problem is indicated with NTP.

37. Which two application layer protocols manage the exchange of messages between a client with a web browser and a remote web server? (Choose two.)
HTTPS*
DHCP
HTML
DNS
HTTP*

Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS) are two application layer
protocols that manage the content requests from clients and the responses from the web
server. HTML (Hypertext Mark-up Language) is the encoding language that describes the
content and display features of a web page. DNS is for domain name to IP address resolution.
DHCP manages and provides dynamic IP configurations to clients.

38. Which protocol is a name resolution protocol often used by malware to communicate with command-and-control (CnC) servers?
IMAP
HTTPS
DNS*
ICMP

Domain Name Service (DNS) is used to convert domain names into IP addresses. Some
organizations have less stringent policies in place to protect against DNS-based threats than
they have in place for other exploits.

1. Which two technologies are used in the ELSA tool? (Choose two.)
MySQL *
CapME
Suricata
Sphinx Search *
Security Onion

A, D. Enterprise Log Search and Archive (ELSA) is an enterprise-level tool for allowing
searching and archiving of NSM data that originates from multiple sources. ELSA receives
logs over Syslog-NG, stores logs in MySQL databases, and indexes using Sphinx Search.

2. What is the host-based intrusion detection tool that is integrated into Security Onion?
OSSEC *
Snort
Sguil
Wireshark
A. Integrated into the Security Onion, OSSEC is a host-based intrusion detection system
(HIDS) that can conduct file integrity monitoring, local log monitoring, system process
monitoring, and rootkit detection.

3. According to NIST, which step in the digital forensics process involves drawing conclusions from data?
Data collection
Examination
Analysis *
Reporting

C. NIST describes the digital forensics process as involving the following four steps:
Data collection: The identification of potential sources of forensic data and acquisition,
handling, and storage of that data.
Examination: Assessing and extracting relevant information from the collected data. This may
involve decompression or decryption of the data.
Analysis: Drawing conclusions from the data. Salient features, such as people, places, times,
events, and so on, should be documented.
Reporting: Preparing and presenting information that resulted from the analysis. Reporting
should be impartial and alternative explanations should be offered if appropriate.

4. Which two strings will be matched by the regular expression [24]? (Choose two.)
Level1
Level2 *
Level3
Level4 *
Level5

B, D. Regular expressions allow forensics analysts to search through large quantities of text
information for patterns of data. Some common operators used in regular expressions are the
following:
$ End of a line
[] Any single value within the square brackets
* Preceding sub-expression zero or more times
[^1] Any character except those bound by the [^ and the ]

5. Which alert classification indicates that exploits are not being detected by installed security systems?
False negative *
True negative
True positive
False positive
A. A false negative classification indicates that a security system has not detected an actual
exploit.

6. A cybersecurity analyst is going to verify security alerts using the Security Onion. Which tool should the analyst visit first?
Bro
Sguil *
ELSA
CapME

B. The primary duty of a cybersecurity analyst is the verification of security alerts. In the
Security Onion, the first place that a cybersecurity analyst will go to verify alerts is Sguil
because it provides a high-level console for investigating security alerts from a wide variety
of sources.

7. What is the purpose for data normalization?
To reduce the amount of alert data
To make the alert data transmission fast
To simplify searching for correlated events *
To enhance the secure transmission of alert data

C. With data normalization various sources of data are combined into a common display
format, which simplifies the searching for similar or relevant events.

8. Which term describes evidence that is in its original state?
Corroborating evidence
Best evidence *
Indirect evidence
Direct evidence

B. Evidence can be classified as follows:
Best evidence: This is evidence that is in its original state. It might be storage devices used by
an accused or archives of files that can be proven to be unaltered.
Corroborating evidence: This is evidence that supports a proposition already supported by
initial evidence, therefore confirming the original proposition.
Indirect evidence: This evidence acts in combination with other facts to establish a
hypothesis.

9. How is the hash value of files useful in network security investigations?
It helps identify malware signatures.*
It is used to decode files.
It is used as a key for encryption.
It verifies confidentiality of files.

When ELSA is used to investigate downloaded files, the hash value of each file is created and
stored with other information about the file. If a cybersecurity analyst is suspicious of the file,
the hash value can be submitted to an online malware repository site to determine if the file is
known malware.

10. Which tool is a Security Onion integrated host-based intrusion detection system?
OSSEC*
Sguil
ELSA
Snort

OSSEC is a host-based intrusion detection system (HIDS) that is integrated into Security
Onion and actively monitors host system operation.

11. Which type of evidence supports an assertion based on previously obtained evidence?
direct evidence
corroborating evidence*
best evidence
indirect evidence

Corroborating evidence is evidence that supports a proposition already supported by initial
evidence, therefore confirming the original proposition. Circumstantial evidence is evidence
other than first-hand accounts of events provided by witnesses.

12. Which tool is developed by Cisco and provides an interactive dashboard that allows investigation of the threat landscape?
Wireshark
Talos*
Sguil
Snort

Cisco Talos provides an interactive dashboard that allows investigation of the threat
landscape.

13. Which term is used to describe the process of converting log entries into a common format?
standardization
normalization*
classification
systemization

For processing log entries, data normalization organizes and converts data values in datasets
from different sources into a common format. Normalization makes further data analysis and
reporting easier because fields such as timestamps and IP addresses can be compared directly.

14. According to NIST, which step in the digital forensics process involves extracting relevant information from data?
collection
examination*
analysis
reporting

NIST describes the digital forensics process as involving the following four steps:
Collection – the identification of potential sources of forensic data and acquisition, handling,
and storage of that data.
Examination – assessing and extracting relevant information from the collected data. This
may involve decompression or decryption of the data.
Analysis – drawing conclusions from the data. Salient features such as people, places, times,
events, and so on should be documented.
Reporting – preparing and presenting information that resulted from the analysis. Reporting
should be impartial and alternative explanations should be offered if appropriate.

15. A law office uses a Linux host as the firewall device for the
network. The IT administrator is adding a rule to the firewall iptables
to block internal hosts from connecting to a remote device that has the
IP address 209.165.202.133. Which command should the
administrator use?
iptables -I FORWARD -p tcp -d 209.165.202.133 --dport 7777 -j DROP*
iptables -I INPUT -p tcp -d 209.165.202.133 --dport 7777 -j DROP
iptables -I PASS -p tcp -d 209.165.202.133 --dport 7777 -j DROP
iptables -I OUTPUT -p tcp -d 209.165.202.133 --dport 7777 -j DROP

The firewall iptables uses the concepts of chains and rules to filter traffic:
INPUT chain – handles traffic entering the firewall and destined to the firewall device itself
OUTPUT chain – handles traffic originating within the firewall device itself and destined to
somewhere else
FORWARD chain – handles traffic originating somewhere else and passing through the
firewall device
Traffic from internal hosts to 209.165.202.133 passes through the firewall, so the rule belongs
in the FORWARD chain (there is no PASS chain). Note that the rule as written matches only
TCP traffic to destination port 7777; to block every connection to that host, omit -p tcp and
--dport. The -I option inserts the rule at the top of the chain, so it is evaluated before any
existing ACCEPT rule.

16. What procedure should be avoided in a digital forensics
investigation?
Secure physical access to the computer under investigation.
Reboot the affected system upon arrival.*
Make a copy of the hard drive.
Recover deleted files.

Digital forensic investigation is the science of collecting and examining electronic evidence
that can evaluate damage to a computer as a result of an electronic attack or that can recover
lost information from a system in order to prosecute a criminal. To prevent tampering and
alteration of the suspect data, a data forensic analysis should be conducted on a copy of the
suspect computer. Furthermore, restarting a computer may change or overwrite files and
inadvertently destroy evidence.

17. Which statement describes a feature of timestamps in Linux?
Human readable timestamps measure the number of seconds that have passed since January 1,
1970.
All devices generate human readable and Unix Epoch timestamps.
It is easier to work with Unix Epoch timestamps for addition and subtraction
operations.*
Unix Epoch timestamps are easier for humans to interpret.
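
The following block is an added example that is not part of the exam material or of any Security Onion tool. It serves questions 7, 13 and 17 together: three constructed records in different formats (a Linux netfilter syslog line, a Windows-style CSV export of a logon failure, and a JSON IDS alert; none are real logs) are normalized into one schema whose timestamp is a Unix Epoch integer, and the integer timestamps are then sorted and subtracted to correlate the events by source address. The syslog timestamp carries no year, so the example assumes one; all sources are assumed to report UTC.

```python
import json
import re
from datetime import datetime, timezone

# BSD syslog timestamps carry no year; the example assumes this one.
ASSUMED_YEAR = 2019

# Constructed records from three differently formatted sources (not real logs).
FIREWALL_SYSLOG = ("Jun 14 09:11:05 fw1 kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 "
                   "DST=209.165.202.133 PROTO=TCP DPT=7777")
WINDOWS_CSV = "06/14/2019 09:11:07 AM,4625,WIN-SRV1,10.0.0.7,An account failed to log on"
IDS_JSON = ('{"timestamp": 1560503471, "sensor": "so-eth1", "src_ip": "10.0.0.7", '
            '"dest_ip": "209.165.202.133", "signature": "ET TROJAN Known CnC beacon"}')


def _epoch(dt):
    """Unix Epoch seconds for a naive datetime treated as UTC (assumption for the example)."""
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def norm_firewall(line):
    m = re.match(r"(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) kernel: (.*)", line)
    dt = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    kv = dict(tok.split("=", 1) for tok in m.group(3).split() if "=" in tok)
    return {"ts": _epoch(dt), "source": m.group(2), "src_ip": kv.get("SRC"),
            "dst_ip": kv.get("DST"), "event": f"fw:{kv.get('PROTO')}/{kv.get('DPT')}"}


def norm_windows(line):
    ts, event_id, host, ip, _msg = line.split(",", 4)
    dt = datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p")   # 12-hour clock with AM/PM
    return {"ts": _epoch(dt), "source": host, "src_ip": ip, "dst_ip": None,
            "event": f"win:{event_id}"}


def norm_ids(text):
    rec = json.loads(text)                                # already an epoch value
    return {"ts": int(rec["timestamp"]), "source": rec["sensor"], "src_ip": rec["src_ip"],
            "dst_ip": rec["dest_ip"], "event": f"ids:{rec['signature']}"}


def normalize_all():
    """All three sources in the common schema, ordered by epoch time."""
    events = [norm_firewall(FIREWALL_SYSLOG), norm_windows(WINDOWS_CSV), norm_ids(IDS_JSON)]
    return sorted(events, key=lambda e: e["ts"])         # integers sort and subtract directly


def correlate_by_src(events, window=60):
    """Group events by src_ip; keep sources whose events all fall within `window` seconds."""
    by_src = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src.setdefault(e["src_ip"], []).append(e)
    related = {}
    for ip, evs in by_src.items():
        span = evs[-1]["ts"] - evs[0]["ts"]               # plain subtraction on epoch ints
        if len(evs) > 1 and span <= window:
            related[ip] = {"count": len(evs), "span_s": span,
                           "sources": [e["source"] for e in evs]}
    return related


def to_human(epoch):
    """Convert back to a readable UTC timestamp for the report."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    for e in normalize_all():
        print(to_human(e["ts"]), e["source"], e["src_ip"], e["event"])
    print(correlate_by_src(normalize_all()))
```

The three formats cannot be compared as strings (month name versus numeric date versus raw integer), but once each is an epoch integer the firewall hit, the Windows logon failure and the IDS alert from 10.0.0.7 fall within six seconds of each other, which is the kind of correlation the explanation above refers to.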

18. Which tool is included with Security Onion that is used by Snort to
automatically download new rules?
Sguil
Wireshark
ELSA
PulledPork*

PulledPork is a rule management utility included with Security Onion to automatically
download rules for Snort.

19. Which tool would an analyst use to start a workflow investigation?
ELSA
Bro
Sguil*
Snort

Sguil is a GUI-based application used by security analysts to analyze network security events.

20. What is indicated by a Snort signature ID that is below 3464?
The SID was created by Sourcefire and distributed under a GPL agreement.*
This is a custom signature developed by the organization to address locally observed rules.
The SID was created by members of EmergingThreats.
The SID was created by the Snort community and is maintained in Community Rules.

Snort is an open source network intrusion prevention system (NIPS) and network intrusion
detection system (NIDS) developed by Sourcefire. It has the ability to perform real time
traffic analysis and packet logging on Internet Protocol (IP) networks and can also be used to
detect probes or attacks.

21. How does an application program interact with the operating system?
accessing BIOS or UEFI
making API calls*
sending files
using processes

Application programs interact with an operating system through system calls to the OS
application programming interface (API). These system calls allow access to many aspects of
system operation such as software process control, file management, device management, and
network access.

22. A threat actor has successfully breached the network firewall without being detected by the IDS system. What condition describes the lack of alert?
true negative
true positive
false positive
false negative*

A false negative is where no alert exists and exploits are not being detected by the security
systems that are in place.

23. Use the following scenario to answer the questions. A company has
just had a cybersecurity incident. The threat actor or actors appeared
to have a goal of network disruption and appeared to use a common
security hack tool that overwhelmed a particular server with a large
amount of traffic, which rendered the server inoperable.
a. How would a certified cybersecurity analyst classify this type of
threat actor?
Amateur*
hacktivist
state-sponsored
terrorist

b. The security team at this company has removed the compromised server and preserved it with the security hack still embedded. What type of evidence is this?
Best*
classified
corroborating
indirect

c. Which type of attack was achieved?
access
DoS*
DDoS
social engineering

d. What would be the threat attribution in this case?
evaluating the server alert data
obtaining the most volatile evidence
determining who is responsible for the attack*
reporting the incident to the proper authorities

e. What are three common tools used to carry out this type of attack?
(Choose three.)
ping sweep
TCP SYN flood*
buffer overflow*
IP, MAC, and DHCP spoofing
smurf attack*
man-in-the-middle

24. Refer to the exhibit.
A network security specialist issues the command tcpdump to capture
events. What is the function provided by the ampersand symbol used
in the command?
It instructs the tcpdump to capture data that starts with the symbol.
It tells the Linux shell to execute the tcpdump process in the background.*
It tells the Linux shell to display the captured data on the console.
It tells the Linux shell to execute the tcpdump process indefinitely.

The ampersand symbol tells the Linux shell to execute tcpdump in the background and return
the prompt to the user. A backgrounded tcpdump still writes to the terminal unless its output
is redirected, typically with -w to save the capture to a file for later analysis.

25. Refer to the exhibit.

A cybersecurity analyst is using Sguil to verify security alerts. How is the current view sorted?
by sensor number
by source IP
by frequency*
by date/time

The CNT column, between the ST and Sensor columns, displays the frequency of alerts. By
sorting with frequency, the analyst will get a better sense of what has happened on the
network.

26. Which three procedures in Sguil are provided to security analysts to address alerts? (Choose three.)
Expire false positives.*
Pivot to other information sources and tools.
Construct queries using Query Builder.
Escalate an uncertain alert.*
Correlate similar alerts into a single line.
Categorize true positives.*

Sguil is a tool for addressing alerts. Three tasks can be completed in Sguil to manage alerts:
Alerts that have been found to be false positives can be expired.
An alert can be escalated if the cybersecurity analyst is uncertain how to handle it.
Events that have been identified as true positives can be categorized.

27. Which two strings will be matched by the regular expression Level[^12]? (Choose two.)
Level4*
Level3*
Level2
Level1
Level12

Regular expressions allow forensics analysts to search through large quantities of text
information for patterns of data. Some common operators used in regular expressions are as
follows:
$ End of a line.
[] Any single value within the square brackets.
* Preceding sub-expression zero or more times.
[^1] Any character except those bound by the [^ and the].
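
The block below is an added example, not part of the exam material, covering the operator list above as it applies to both question 4 ([24]) and question 27 (Level[^12]). It runs each operator against constructed candidate strings with search semantics (a match anywhere in the string, as grep and log search tools do) and then applies a capture-group pattern to a constructed sshd log excerpt to extract usernames and source addresses from failed logins. The candidate strings and log lines are made up for the example.

```python
import re

# Constructed candidate strings (not from the page).
SAMPLE = ["Level1", "Level2", "Level3", "Level4", "Level5", "Level12", "Level"]


def matches(pattern, candidates, flags=0):
    """Candidates that contain a match for pattern (re.search semantics, like grep)."""
    rx = re.compile(pattern, flags)
    return [s for s in candidates if rx.search(s)]


def operator_demo():
    """Each common operator from the explanation applied to SAMPLE."""
    return {
        "[24]":         matches(r"[24]", SAMPLE),          # any ONE char from the set, anywhere
        "Level[^12]":   matches(r"Level[^12]", SAMPLE),    # one char that is NOT 1 or 2
        "2$":           matches(r"2$", SAMPLE),            # '2' at end of line
        "Level1*2":     matches(r"Level1*2", SAMPLE),      # zero or more '1' before '2'
        "^Level[0-9]$": matches(r"^Level[0-9]$", SAMPLE),  # whole line: exactly one digit
    }


# Constructed sshd auth-log excerpt (not real log data) to show capture groups.
AUTH_LOG = """\
Jun 14 09:11:05 fw1 sshd[2201]: Failed password for invalid user admin from 10.0.0.7 port 51234 ssh2
Jun 14 09:11:09 fw1 sshd[2201]: Failed password for root from 10.0.0.7 port 51240 ssh2
Jun 14 09:12:44 fw1 sshd[2210]: Accepted publickey for ops from 10.0.0.25 port 40110 ssh2
"""

# Group 1: username (the optional 'invalid user ' prefix is matched but not captured).
# Group 2: dotted-quad source address.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def failed_logins(text):
    """(username, source_ip) for every failed password attempt in text."""
    return [(m.group(1), m.group(2)) for m in FAILED_RE.finditer(text)]


if __name__ == "__main__":
    for pattern, hits in operator_demo().items():
        print(f"{pattern:14} -> {hits}")
    print(failed_logins(AUTH_LOG))
```

Two points the table alone does not show: [24] also matches Level12 because the bracket expression only needs one character anywhere in the string, and Level[^12] does not match Level12 because the single character after "Level" is a 1, which the negated set excludes. Anchoring with ^ and $ is what turns these into whole-line matches.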

28. Which statement describes the status after the Security Onion VM
is started?
SGUIL becomes enabled via the sudo sguil -e terminal command.
Awk becomes enabled via the sudo awk terminal command.
PulledPork is used by ELSA as an open source search engine.
Snort is enabled by default.*

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log
management. It contains many security tools like Snort, Suricata, Bro, and ELSA.

29. What are the three core functions provided by the Security
Onion? (Choose three.)
business continuity planning
full packet capture*
alert analysis*
intrusion detection*
security device management
threat containment

Security Onion is an open source suite of Network Security Monitoring (NSM) tools for
evaluating cybersecurity alerts. For cybersecurity analysts the Security Onion provides full
packet capture, network-based and host-based intrusion detection systems, and alert analysis
tools.

30. Refer to the exhibit.
A network security analyst is using the Follow TCP Stream feature in
Wireshark to rebuild the TCP transaction. However, the transaction
data seems indecipherable. What is the explanation for this?
The transaction data is encoded with Base64.
The transaction data is a binary file.*
The data shown is line noise.
The transaction data is corrupted.

The host is downloading W32.Nimda.Amm.exe, a binary file. Wireshark does not know how
to represent it. The displayed symbols are the best guess at making sense of the binary data
while decoding it as text.
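
The block below is an added example, not part of the exam material or of Wireshark, ELSA or Security Onion. It serves questions 9 and 30 together: it takes a constructed HTTP response (as Follow TCP Stream would reassemble it; the bytes are made up and the "executable" is only an MZ header followed by filler), splits headers from body, decides whether the body is binary rather than text, renders it the way a text view would (non-printable bytes shown as dots, which is the "indecipherable" display in the question), and computes the body's SHA-256 to look up in a constructed known-bad set standing in for an online malware repository.

```python
import hashlib
import string

# Constructed HTTP response as a reassembled TCP stream (not a real capture). The body is a
# fake executable: 'MZ' magic followed by bytes with no text meaning.
FAKE_BODY = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
             + bytes(range(0x80, 0xA0))
             + b"This program cannot be run in DOS mode.\r\n$")
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Server: Apache\r\n"
                 b"Content-Type: application/octet-stream\r\n"
                 b"Content-Disposition: attachment; filename=\"update.exe\"\r\n"
                 + f"Content-Length: {len(FAKE_BODY)}\r\n".encode()
                 + b"\r\n" + FAKE_BODY)

PRINTABLE = set(string.printable.encode())


def split_response(raw):
    """Separate status line, headers and body at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body


def looks_binary(body, sample=512):
    """Executable magic, or a high share of non-printable bytes, means 'not text'."""
    if body[:2] == b"MZ" or body[:4] == b"\x7fELF":
        return True
    chunk = body[:sample]
    if not chunk:
        return False
    nontext = sum(1 for b in chunk if b not in PRINTABLE)
    return nontext / len(chunk) > 0.30


def as_text(body):
    """What a text view shows for binary data: every non-printable byte becomes '.'."""
    return "".join(chr(b) if b in PRINTABLE and b >= 0x20 else "." for b in body)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed "malware repository", keyed by the sample's own hash so the example runs
# offline; a real investigation submits the hash to an online repository instead.
KNOWN_BAD = {sha256_hex(FAKE_BODY): "Constructed.Sample.Dropper"}


def triage(raw):
    """Extract the downloaded file from the stream and classify it by hash."""
    status, headers, body = split_response(raw)
    digest = sha256_hex(body)
    return {"status": status,
            "content_disposition": headers.get("content-disposition", ""),
            "length_ok": int(headers.get("content-length", -1)) == len(body),
            "binary": looks_binary(body),
            "sha256": digest,
            "verdict": KNOWN_BAD.get(digest, "unknown")}


if __name__ == "__main__":
    result = triage(HTTP_RESPONSE)
    print(as_text(split_response(HTTP_RESPONSE)[2]))
    for k, v in result.items():
        print(f"{k:20} {v}")
```

The tampered-copy check in the usage below is the caveat that goes with hash lookups: a single changed byte yields a different hash, so a repository miss says only that this exact sample is unknown, not that the file is clean.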

31. What is the tool that has alert records linked directly to the search
functionality of the Enterprise Log Search and Archive (ELSA)?
Sguil*
Wireshark
CapME
Snort

The Enterprise Log Search and Archive (ELSA) is an enterprise-level tool for allowing
searching and archiving of NSM data. Searches can be executed by pivoting from Sguil to
ELSA as its search functionality is directly linked to Sguil alert records.

32. Refer to the exhibit.

A network security analyst is examining captured data using Wireshark. The captured frames indicate that a host is downloading malware from a server. Which source port is used by the host to request the download?
malware from a server. Which source port is used by the host to
request the download?
66
1514
6666
48598*

During the TCP three-way handshake process, the output shows that the host uses source port
48598 to initiate the connection and request the download.

33. Which two types of unreadable network traffic could be eliminated from data collected by NSM? (Choose two.)
routing updates traffic
STP traffic
SSL traffic*
IPsec traffic*
broadcast traffic

To reduce the huge amount of data collected so that cybersecurity analysts can focus on
critical threats, some less important or unusable data could be eliminated from the datasets.
For example, encrypted data, such as IPsec and SSL traffic, could be eliminated because it is
unreadable in a reasonable time frame.

1. In the NIST incident response process life cycle, which type of attack vector involves the use of brute force against devices, networks, or services?
Media
Impersonation
Attrition *
Loss or theft

C. Common attack vectors include media, attrition, impersonation, and loss or theft. Attrition
attacks are any attacks that use brute force, such as password guessing or a DDoS. Media
attacks are those initiated from removable media or a peripheral device. Impersonation attacks
occur when something or someone is replaced for the purpose of the attack, such as spoofing or
a man-in-the-middle. Loss or theft refers to a computing device or media used by the
organization, such as a laptop or smartphone, being lost or stolen.

2. Which NIST incident response life cycle phase includes continuous monitoring by the CSIRT to quickly identify and validate an incident?
Detection and analysis *
Preparation
Containment, eradication, and recovery
Post-incident activities

A. It is in the detection and analysis phase of the NIST incident response life cycle that the
CSIRT identifies and validates incidents through continuous monitoring. The NIST defines
four stages of the incident response life cycle.

3. Which NIST incident response life cycle phase includes training for
the computer security incident response team on how to respond to an
incident?
Post-incident activities
Containment, eradication, and recovery
Detection and analysis
Preparation *
D. It is in the preparation phase of the NIST incident response life cycle phase that the CSIRT
is trained on how to respond to an incident.

4. Which three aspects of a target system are most likely to be exploited after a weapon is delivered? (Choose three.)
Applications *
User accounts *
OS vulnerabilities *
Existing backdoors
Domain name space
DHCP configurations

A, B, C. The most common exploit targets, once a weapon is delivered, are applications,
operating system vulnerabilities, and user accounts. Threat actors will use an exploit that
gains the effect they desire, does it quietly, and avoids detection.

5. Which meta-feature element in the Diamond Model describes tools and information (such as software, black hat knowledge base, and username and password) that the adversary uses for the intrusion event?
Results
Direction
Resources *
Methodology

C. The resources element in the Diamond Model is used to describe one or more external
resources used by the adversary for the intrusion event. The resources include software,
knowledge gained by the adversary, information (e.g., username/passwords), and assets to
carry out the attack.

6. Which activity is typically performed by a threat actor in the installation phase of the Cyber Kill Chain?
Harvest email addresses of user accounts.
Obtain an automated tool to deliver the malware payload.
Open a two-way communication channel to the CnC infrastructure.
Install a web shell on the target web server for persistent access. *

D. In the installation phase of the Cyber Kill Chain, the threat actor establishes a backdoor
into the system to allow for continued access to the target.
7. Which top-level element of the VERIS schema would allow a
company to document the incident timeline?
Discovery and Response *
Incident Description
Incident Tracking
Victim Demographics

A. The Discovery and Response element is used to record the timeline of events, the method
of incident discovery, and what the response was to the incident. Incident Tracking is for
recording general information about the incident.

8. When dealing with a security threat and using the Cyber Kill Chain
model, which two approaches can an organization use to help block
potential exploitations on a system? (Choose two.)
Conduct full malware analysis.
Train web developers to secure code. *
Collect email and web logs for forensic reconstruction.
Build detections for the behavior of known weaponizers.
Perform regular vulnerability scanning and penetration testing. *

B, E. The most common exploit targets, once a weapon is delivered, are applications,
operating system vulnerabilities, and user accounts. Among other measures, such as regular
vulnerability scanning and penetration testing, training web developers in securing code can
help block potential exploitations on systems.

9. What is a chain of custody?
The documentation surrounding the preservation of evidence related to an incident *
A list of all of the stakeholders that were exploited by an attacker
The disciplinary measures an organization may perform if an incident is caused by an
employee
A plan ensuring that each party involved in an incident response understands how to collect
evidence

A. A chain of custody refers to the documentation of evidence collected about an incident that
is used by authorities during an investigation.

10. What type of CSIRT organization is responsible for determining trends to help predict and provide warning of future security incidents?
Analysis center *
Vendor team
Coordination center
National CSIRT

A. There are many different types of CSIRTs and related information security organizations.
Analysis centers use data from many sources to determine security incident trends that can
help predict future incidents and provide early warning. This helps to mitigate the damages
that incidents can cause.

11. Which approach can help block potential malware delivery methods, as described in the Cyber Kill Chain model, on an Internet-facing web server?
Build detections for the behavior of known malware.
Collect malware files and metadata for future analysis.
Analyze the infrastructure path used for files. *
Audit the web server to forensically determine the origin of exploit.

C. A threat actor may send the weapon through web interfaces to the target server, either in
file uploads or coded web requests. By analyzing the infrastructure storage path used for files,
security measures can be implemented to monitor and detect malware deliveries through these
methods.

12. According to NIST standards, which incident response stakeholder is responsible for coordinating an incident response with other stakeholders to minimize the damage of an incident?
IT support
Management *
Legal department
Human resources

B. The management team creates the policies, designs the budget, and is in charge of staffing
all departments. Management is also responsible for coordinating the incident response with
other stakeholders and minimizing the damage of an incident.

13. After a threat actor completes a port scan of the public web server
of an organization and identifies a potential vulnerability, what is the
next phase for the threat actor in order to prepare and launch an
attack as defined in the Cyber Kill Chain?
Exploitation
Weaponization *
Reconnaissance
Action on objectives

B. The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor
must complete to accomplish an attack:
1. Reconnaissance: The threat actor performs research, gathers intelligence, and selects
targets.
2. Weaponization: The threat actor uses the information from the reconnaissance phase to
develop a weapon against specific targeted systems.
3. Delivery: The weapon is transmitted to the target using a delivery vector.
4. Exploitation: The threat actor uses the weapon delivered to break the vulnerability and gain
control of the target.
5. Installation: The threat actor establishes a backdoor into the system to allow for continued
access to the target.
6. Command and Control (CnC): The threat actor establishes command and control (CnC)
with the target system.
7. Action on Objectives: The threat actor is able to take action on the target system, thus
achieving the original obj

14. When dealing with security threats and using the Cyber Kill
Chain model, which two approaches can an organization use to help
block potential exploitations of a system? (Choose two.)
Collect email and web logs for forensic reconstruction.
Analyze the infrastructure path used for delivery.
Audit endpoints to forensically determine origin of exploit.*
Conduct full malware analysis.
Conduct employee awareness training and email testing.*

The most common exploit targets, once a weapon is delivered, are applications, operating
system vulnerabilities, and user accounts. Among other measures, conducting employee
awareness training and email testing and auditing endpoints to forensically determine the
origin of an exploit can help block future exploitations of systems.

15. Which action should be included in a plan element that is part of a computer security incident response capability (CSIRC)?
Detail how incidents should be handled based on the mission and functions of an
organization.
Develop metrics for measuring the incident response capability and its effectiveness.*
Create an organizational structure and definition of roles, responsibilities, and levels of
authority.
Prioritize severity ratings of security incidents.

NIST recommends creating policies, plans, and procedures for establishing and maintaining a
CSIRC. A purpose of the plan element is to develop metrics for measuring the incident
response capability and its effectiveness.
16. What is the objective of the threat actor in establishing a two-way communication channel between the target system and a CnC infrastructure?
to allow the threat actor to issue commands to the software that is installed on the
target*
to steal network bandwidth from the network where the target is located
to launch a buffer overflow attack
to send user data stored on the target to the threat actor

In the command and control phase of the Cyber Kill Chain, the threat actor establishes
command and control (CnC) with the target system. With the two-way communication
channel, the threat actor is able to issue commands to the malware software installed on the
target.

17. After containment, what is the first step of eradicating an attack?
Hold meetings on lessons learned.
Change all passwords.
Patch all vulnerabilities.
Identify all hosts that need remediation.*

Once an attack is contained, the next step is to identify all hosts that will need remediation so
that the effects of the attack can be eliminated.

18. What is defined in the SOP of a computer security incident response capability (CSIRC)?
the procedures that are followed during an incident response*
the metrics for measuring incident response capabilities
the roadmap for increasing incident response capabilities
the details on how an incident is handled

A CSIRC will include standard operating procedures (SOPs) that are followed during an
incident response. Procedures include following technical processes, filling out forms, and
following checklists.

19. A school has a web server mainly used for parents to view school
events, access student performance indicators, and communicate with
teachers. The network administrator suspects a security-related event
has occurred and is reviewing what steps should be taken.
a. The threat actor has already placed malware on the server causing
its performance to slow. The network administrator has found and
removed the malware as well as patched the security hole where the
threat actor gained access. The network administrator can find no
other security issue. What stage of the Cyber Kill Chain did the threat
actor achieve?
actions on objectives*
command and control
delivery
exploitation
installation

During the installation step, the threat actor installed a server backdoor in order to install the
malware (installation step), and an outside server command channel was created to
manipulate the target (CnC step). The final step is used to access the server to achieve the
objective of the attack.
The Cyber Kill Chain has seven steps:
1. reconnaissance
2. weaponization
3. delivery
4. exploitation
5. installation
6. command and control (CnC)
7. actions on objectives

b. If the web server runs Microsoft IIS, which Windows tool would
the network administrator use to view the access logs?
Event Viewer*
net command
PowerShell
Task Manager

Information provided in the IIS access log includes the date, time, client IP address,
username, port number, requested action, bytes sent, bytes received, and content of the cookie
sent or received.

c. Reports of network slowness lead the network administrator to review server alerts. The administrator confirms that an alert was an actual security incident. Which type of security alert classification would this be?
false negative
false positive
true negative
true positive*

A positive alert of any type means that the system generated a system alert. A true positive
indicates the incident occurred. A false positive is that no incident occurred (the system
alerted, but there was no problem). A negative alert of any type means there was no alert
generated. A true negative indicates that there wasn’t any incident (thus no alert). A false
negative indicates that there was an incident, but an alert was not generated.
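
The block below is an added example, not part of the exam material or of any IDS product. It serves the four alert classifications here and in questions 5 and 22 of the previous set, using the SYN flood from scenario 23 as the attack: a small detector counts half-open SYNs per source per one-second window over constructed packet summaries (timestamps in milliseconds; none of it is real traffic), and each observed (window, source, destination) is then bucketed as a true positive, false positive, false negative or true negative against a constructed ground truth. The data is built so that all four outcomes occur: a flood the detector catches, a low-and-slow flood it misses, an authorized load test it wrongly flags, and normal clients it correctly ignores.

```python
from collections import Counter

WEB = "192.0.2.10"

# Constructed packet summaries: (timestamp_ms, src, dst, tcp_flags). Not a real capture.
PACKETS = (
    # 10.0.0.7: 200 bare SYNs in two seconds, never completing a handshake (SYN flood)
    [(1000000 + i * 10, "10.0.0.7", WEB, "S") for i in range(200)]
    # 10.0.0.25: a normal client, SYN then ACK to finish the three-way handshake
    + [(1000500, "10.0.0.25", WEB, "S"), (1000510, "10.0.0.25", WEB, "A")]
    # 10.0.0.40: a slow port probe, one SYN per second
    + [(1001000 + i * 1000, "10.0.0.40", WEB, "S") for i in range(5)]
    # 10.0.0.99: low-and-slow flood, about 60 SYNs per second (below the threshold)
    + [(1002000 + i * 16, "10.0.0.99", WEB, "S") for i in range(120)]
    # 10.0.0.50: authorized load test, 120 SYNs with no ACK in one second
    + [(1004000 + i * 8, "10.0.0.50", WEB, "S") for i in range(120)]
)

# Ground truth for the constructed data: which sources were real attacks.
ATTACKERS = {"10.0.0.7", "10.0.0.99"}


def half_open_syns(packets, window_ms=1000):
    """SYN count per (window, src, dst) where that src sent no ACK in the same window."""
    syn, ack = Counter(), Counter()
    for ts, src, dst, flags in packets:
        key = (ts // window_ms, src, dst)
        if flags == "S":
            syn[key] += 1
        elif "A" in flags:
            ack[key] += 1
    return {k: n for k, n in syn.items() if ack[k] == 0}


def observed_keys(packets, window_ms=1000):
    """Every (window, src, dst) seen, alerted or not: the population being classified."""
    return {(ts // window_ms, src, dst) for ts, src, dst, _ in packets}


def detect_syn_flood(packets, threshold=100, window_ms=1000):
    """Alert on any source leaving at least `threshold` half-open SYNs in one window."""
    return {k for k, n in half_open_syns(packets, window_ms).items() if n >= threshold}


def classify_alerts(alerts, population, attackers):
    """Bucket each observed key into the four outcomes used to judge a detector."""
    buckets = {"true_positive": [], "false_positive": [],
               "false_negative": [], "true_negative": []}
    for key in sorted(population):
        alerted = key in alerts
        malicious = key[1] in attackers
        if alerted and malicious:
            buckets["true_positive"].append(key)     # alert, and a real attack
        elif alerted:
            buckets["false_positive"].append(key)    # alert, but nothing malicious
        elif malicious:
            buckets["false_negative"].append(key)    # attack, but no alert
        else:
            buckets["true_negative"].append(key)     # nothing malicious, no alert
    return buckets


def run(threshold=100):
    """Outcome counts for the constructed traffic at a given detector threshold."""
    alerts = detect_syn_flood(PACKETS, threshold)
    buckets = classify_alerts(alerts, observed_keys(PACKETS), ATTACKERS)
    return {name: len(keys) for name, keys in buckets.items()}


if __name__ == "__main__":
    for t in (50, 100, 200):
        print(f"threshold={t:3} {run(t)}")
```

Running it at thresholds 50, 100 and 200 shows the trade-off the definitions above describe: lowering the threshold turns the missed low-and-slow flood into true positives but leaves the load test as a false positive, while raising it past the flood rate produces no alerts at all, which is the false-negative condition of question 22.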

d. The network administrator believes that the threat actor used a commonly available tool to slow the server down. The administrator concludes that based on the source IP address identified in the alert, the threat actor was probably one of the students. What type of hacker would the student be classified as?
black hat*
gray hat
red hat
white hat

Three classifications of hackers are black hat, gray hat, and white hat. White hat hackers use
their security skills for good, ethical, legal purposes. Gray hat hackers may break into systems
without authorization, but not for personal gain or to cause damage, for example to find a
vulnerability and then disclose it. Black hat hackers penetrate computers or servers for
malicious reasons, such as to slow down system performance.

20. What is the goal of an attack in the installation phase of the Cyber
Kill Chain?
Create a back door in the target system to allow for future access.*
Establish command and control (CnC) with the target system.
Use the information from the reconnaissance phase to develop a weapon against the target.
Break the vulnerability and gain control of the target.

In the installation phase of the Cyber Kill Chain, the threat actor establishes a back door into
the system to allow for continued access to the target.

21. Which meta-feature element in the Diamond Model describes information gained by the adversary?
resources
methodology
direction
results*

The meta-feature element results are used to delineate what the adversary gained from the
intrusion event.

22. What is a benefit of using the VERIS community database?
It can be used to discover how other organizations dealt with a particular type of
security incident.*
Companies who pay to contribute and access the database are protected from security threats.
It can be used to discover the name of known threat actors.
The database can be easily compressed.

The VERIS community database is free. It can be used as a tool for risk management, to
document security incidents, to discover other incidents, and to compare how other
organizations dealt with a particular type of security incident.

23. When a security attack has occurred, which two approaches should security professionals take to mitigate a compromised system during the Actions on Objectives step as defined by the Cyber Kill Chain model? (Choose two.)
Build detections for the behavior of known malware.
Train web developers for securing code.
Detect data exfiltration, lateral movement, and unauthorized credential usage.*
Perform forensic analysis of endpoints for rapid triage.*
Collect malware files and metadata for future analysis.

When security professionals are alerted about the system compromises, forensic analysis of
endpoints should be performed immediately for rapid triage. In addition, detection efforts for
further attacking activities such as data exfiltration, lateral movement, and unauthorized
credential usage should be enhanced to reduce damage to the minimum.

24. A threat actor has identified the potential vulnerability of the web
server of an organization and is building an attack. What will the
threat actor possibly do to build an attack weapon?
Obtain an automated tool in order to deliver the malware payload through the
vulnerability.*
Install a webshell on the web server for persistent access.
Create a point of persistence by adding services.
Collect credentials of the web server developers and administrators.

One tactic of weaponization used by a threat actor after the vulnerability is identified is to
obtain an automated tool to deliver the malware payload through the vulnerability.

25. Which action is taken in the postincident phase of the NIST
incident response life cycle?
Document the handling of the incident.*
Identify and validate incidents.
Conduct CSIRT response training.
Implement procedures to contain threats.

It is in the post-incident phase of the NIST incident response life cycle phase that the CSIRT
documents how incidents are handled. Recommended changes for future response are also
made to avoid reoccurrences.

26. Which top-level element of the VERIS schema would allow a
company to log who the actors were, what actions affected the asset,
which assets were affected, and how the asset was affected?
incident description*
incident tracking
discovery and response
victim demographics

The incident description top-level element uses the 4A model (actors, actions, assets, and
attributes). Each section has subsections to further document the incident.

27. What is the role of vendor teams as they relate to CSIRT?
Coordinate incident handling across multiple CSIRTs.
Handle customer reports concerning security vulnerabilities.*
Use data from many sources to determine incident activity trends.
Provide incident handling to other organizations as a fee-based service.

There are many different types of CSIRTs and related information security organizations.
Vendor CSIRT teams provide remediation for vulnerabilities in the software or hardware of
an organization and often handle customer reports concerning security vulnerabilities.

28. According to information outlined by the Cyber Kill Chain, which
two approaches can help identify reconnaissance threats? (Choose
two.)
Analyze web log alerts and historical search data.*
Audit endpoints to forensically determine origin of exploit.
Build playbooks for detecting browser behavior.*
Conduct full malware analysis.
Understand targeted servers, people, and data available to attack.

Threat actors may use port scanning toward a web server of an organization and identify
vulnerabilities on the server. They may visit the web server to collect information about the
organization. The web server logging should be enabled and the logging data should be
analyzed to identify possible reconnaissance threats. Building playbooks by filtering and
combining related web activities by visitors can sometimes reveal the intentions of threat
actors.

29. To ensure that the chain of custody is maintained, what three
items should be logged about evidence that is collected and analyzed
after a security incident has occurred? (Choose three.)
measures used to prevent an incident
time and date the evidence was collected*
extent of the damage to resources and assets
vulnerabilities that were exploited in an attack
serial numbers and hostnames of devices used as evidence*
location of all evidence*

A chain of custody refers to the proper accounting of evidence collected about an incident that
is used as part of an investigation. The chain of custody should include the location of all
evidence, the identifying information of all evidence such as serial numbers and hostnames,
identifying information about all persons handling the evidence, and the time and date that the
evidence was collected.
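As an added worked example (not part of the exam material), the following Python records the chain-of-custody items the explanation lists for one piece of evidence: the device hostname and serial number, a hash taken at collection time, and a time-stamped entry for every person who handled the evidence and where it was kept. The evidence identifier, hostnames, serial number, names and the evidence bytes are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a collected artifact (a log excerpt); not real evidence.
SAMPLE_EVIDENCE = b"constructed sample: auth.log excerpt from host ws-042\n"


def fingerprint(data: bytes) -> str:
    """SHA-256 of the artifact, so every later custodian can prove it is unchanged."""
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Append-only chain-of-custody record for one item of evidence.

    Each entry logs what the text lists: time and date, the person handling
    the evidence, and its location. Device identity (hostname, serial number)
    and the hash are fixed at collection time.
    """

    def __init__(self, evidence_id, hostname, serial_number, data,
                 collected_by, location, collected_at):
        self.evidence_id = evidence_id
        self.hostname = hostname
        self.serial_number = serial_number
        self.sha256 = fingerprint(data)
        self.entries = [{
            "action": "collected",
            "time": collected_at.isoformat(),
            "custodian": collected_by,
            "location": location,
        }]

    def transfer(self, from_person, to_person, location, at):
        """Record a hand-off; both parties and the new storage location are logged."""
        self.entries.append({
            "action": f"transferred from {from_person} to {to_person}",
            "time": at.isoformat(),
            "custodian": to_person,
            "location": location,
        })

    def current_custodian(self):
        return self.entries[-1]["custodian"]

    def verify(self, data: bytes) -> bool:
        """True only if the artifact still matches the hash taken at collection."""
        return fingerprint(data) == self.sha256

    def summary(self):
        """Flat dictionary suitable for an evidence log or ticket attachment."""
        return {
            "evidence_id": self.evidence_id,
            "hostname": self.hostname,
            "serial_number": self.serial_number,
            "sha256": self.sha256,
            "collected_at": self.entries[0]["time"],
            "current_location": self.entries[-1]["location"],
            "custodians": [e["custodian"] for e in self.entries],
        }


def build_example_record():
    """Constructed walkthrough: collection by an analyst, hand-off to an evidence locker."""
    rec = CustodyRecord(
        evidence_id="EV-0001",              # placeholder identifiers
        hostname="ws-042",
        serial_number="SN-PLACEHOLDER-042",
        data=SAMPLE_EVIDENCE,
        collected_by="analyst-a",
        location="SOC bench 3",
        collected_at=datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc),
    )
    rec.transfer("analyst-a", "evidence-custodian", "locker B-12",
                 datetime(2024, 1, 10, 11, 0, tzinfo=timezone.utc))
    return rec


if __name__ == "__main__":
    record = build_example_record()
    print(record.summary())
    print("intact:", record.verify(SAMPLE_EVIDENCE))
```

The hash is what makes the record more than a paper trail: anyone later in the chain can recompute it and show the artifact was not altered while in custody.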

30. Which schema or model was created to anonymously share
quality information about security events to the security community?
VERIS*
Diamond
CSIRT
Cyber Kill Chain

Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to
create a way to describe security incidents in a structured or repeatable way. A Computer
Security Incident Response Team (CSIRT) is an internal organizational group that provides
services and functions to secure assets. Cyber Kill Chain contains seven steps which help
analysts understand the techniques, tools, and procedures of threat actors. The Diamond
Model of intrusion has four parts that represent a security incident.

31. What is the purpose of the policy element in a computer security
incident response capability of an organization, as recommended by
NIST?
It provides a roadmap for maturing the incident response capability.
It provides metrics for measuring the incident response capability and effectiveness.
It defines how the incident response teams will communicate with the rest of the organization
and with other organizations.
It details how incidents should be handled based on the organizational mission and
functions.*

NIST recommends creating policies, plans, and procedures for establishing and maintaining a
CSIRC. A purpose of the policy element is to detail how incidents should be handled based on
the mission and functions of an organization.

32. What information is gathered by the CSIRT when determining
the scope of a security incident?
the processes used to preserve evidence
the strategies and procedures used for incident containment
the networks, systems, and applications affected by an incident*
the amount of time and resources needed to handle an incident

The scoping activity performed by the CSIRT after an incident determines which networks,
systems, or applications are affected; who or what originated the incident; and how the
incident is occurring.

33. What is the main purpose of exploitations by a threat actor
through the weapon delivered to a target during the Cyber Kill Chain
exploitation phase?
Launch a DoS attack.
Send a message back to a CnC controlled by the threat actor.
Break the vulnerability and gain control of the target.*
Establish a back door into the system.

After the weapon has been delivered, the threat actor uses it to break the vulnerability and
gain control of the target. The threat actor will use an exploit that gains the effect desired,
does it quietly, and avoids detection. Establishing a back door in the target system is the
installation phase.

34. Which term is used in the Diamond Model of intrusion to describe
a tool that a threat actor uses toward a target system?
infrastructure
capability*
weaponization
adversary

The Diamond Model of intrusion contains four parts:
Adversary – the parties responsible for the intrusion
Capability – a tool or technique that the adversary uses to attack the victim
Infrastructure – the network path or paths that the adversaries use to establish and maintain
command and control over their capabilities
Victim – the target of the attack

35. What is the role of a Computer Emergency Response Team?
Receive, review, and respond to security incidents in an organization.
Provide national standards as a fee-based service.
Coordinate security incident handling across multiple CSIRTs.
Provide security awareness, best practices, and security vulnerability information to a
specific population.*

A Computer Emergency Response Team (CERT) provides security awareness, best practices,
and security vulnerability information to populations. A CERT does not respond directly to
security incidents.

36. A threat actor collects information from web servers of an
organization and searches for employee contact information. The
information collected is further used to search personal information
on the Internet. To which attack phase do these activities belong
according to the Cyber Kill Chain model?
exploitation
weaponization
reconnaissance*
action on objectives

According to the Cyber Kill Chain model, in the reconnaissance phase the threat actor
performs research, gathers intelligence, and selects targets.

1. What is the main purpose of cyberwarfare?
to protect cloud-based data centers
to gain advantage over adversaries*
to develop advanced network devices
to simulate possible war scenarios among nations

Explanation:
Cyberwarfare is Internet-based conflict that involves the penetration of the networks and
computer systems of other nations. The main purpose of cyberwarfare is to gain advantage
over adversaries, whether they are nations or competitors.

2. A technician has installed a third-party utility that is used to
manage a Windows 7 computer. However, the utility does not
automatically start whenever the computer is started. What can the
technician do to resolve this problem?
Uninstall the program and then choose Add New Programs in the Add or Remove Programs
utility to install the application.
Use the Add or Remove Programs utility to set program access and defaults.
Change the startup type for the utility to Automatic in Services.*
Set the application registry key value to one.

Explanation:
The Services console in Windows OS allows for the management of all the services on the
local and remote computers. The setting of Automatic in the Services console enables the
chosen service to start when the computer is started.

3. Which statement describes the state of the administrator and guest
accounts after a user installs a Windows desktop version to a new
computer?
By default, both the administrator and guest accounts are enabled.
By default, both the administrator and guest accounts are disabled.*
By default, the administrator account is enabled but the guest account is disabled.
By default, the guest account is enabled but the administrator account is disabled.

Explanation:
When a user installs a Windows desktop version, two local user accounts, administrator and
guest, are created automatically during the process. Both accounts are disabled by default.

4. Refer to the exhibit.

Approximately what percentage of the physical memory is in use on
this Windows system?
33%*
53%
67%
90%

Explanation:
The graphic shows that there is 5.0 GB (187 MB) of memory in use with 10.7 GB still
available. Together this adds up to 16 GB of total physical memory. 5 GB is approximately
33% of 16 GB.

5. Refer to the exhibit.

For which security issue would a cybersecurity analyst use the displayed
tool?
ARP cache poisoning
DNS attack
malware*
TCP attack

Explanation:
Windows Performance Monitor is used to evaluate the performance of individual components
on a Windows host computer. Commonly monitored components include the processor, hard
drive, network, and memory. Windows Task Manager and Performance Monitor are used
when malware is suspected and a component is not performing the way it should.

6. A PC user issues the netstat command without any options. What is
displayed as the result of this command?
a local routing table
a network connection and usage report
a list of all established active TCP connections*
a historical list of successful pings that have been sent

Explanation:
When used by itself (without any options), the netstat command will display all the active
TCP connections that are available.

7. A security incident has been filed and an employee believes that
someone has been on the computer since the employee left last night.
The employee states that the computer was turned off before the
employee left for the evening. The computer is running slowly and
applications are acting strangely. Which Microsoft Windows tool
would be used by the security analyst to determine if and when
someone logged on to the computer after working hours?
Task Manager
PowerShell
Performance Monitor
Event Viewer*

Explanation:
Event Viewer is used to investigate the history of application, security, and system events.
Events show the date and time that the event occurred along with the source of the event. If a
cybersecurity analyst has the address of the Windows computer targeted or the date and time
that a security breach occurred, the analyst could use Event Viewer to document and prove
what occurred on the computer.

8. A client device has initiated a secure HTTP request to a web
browser. Which well-known port address number is associated with
the destination address?
404
80
443*
110

Explanation:
Port numbers are used in TCP and UDP communications to differentiate between the various
services running on a device. The well-known port number used by HTTPS is port 443.

9. Which component in Linux is responsible for interacting directly
with the device hardware?
shell
kernel*
command interpreter
command line interface

Explanation:
A Linux OS can be divided into kernel and shell. The shell, also called the command line
interface, is a command interpreter that parses the inputs (or commands) from a user and
interacts with the kernel. The kernel, in turn, interacts with the hardware components of a
device.

10. Which method can be used to harden a device?
Allow users to re-use old passwords.
Allow USB auto-detection.
Force periodic password changes.*
Allow default services to remain enabled.

Explanation:
The basic best practices for device hardening are as follows:
Ensure physical security.
Minimize installed packages.
Disable unused services.
Use SSH and disable the root account login over SSH.
Keep the system updated.
Disable USB auto-detection.
Enforce strong passwords.
Force periodic password changes.
Keep users from re-using old passwords.
Review logs regularly.

11. Which Linux program is going to be used when installing an
application?
launcher
package manager*
penetration tool
X Window System

Explanation:
A package is a specific program and all of the files needed to run that program. A package
manager is used to install a package and place all the associated files in the correct location
within the operating system.

12. How many host addresses are available on the 192.168.10.128/26
network?
30
32
60
62*
64

Explanation:
A /26 prefix gives 6 host bits, which provides a total of 64 addresses, because 2^6 = 64.
Subtracting the network and broadcast addresses leaves 62 usable host addresses.

13. Refer to the exhibit.

What is a valid address on the PC for the default gateway?
192.168.1.1*
192.168.0.1
192.168.2.1
192.168.255.1

Explanation:
The default gateway setting is the IP address of the router to which the host will send packets
in order to reach remote networks. The default gateway address setting must be on the same
logical network as the host IP address. In this case, the network of the host is 192.168.1.0 so
the default gateway must also be on the 192.168.1.0 network.

14. Refer to the exhibit.

Which IPv4 address does the PC use for sending traffic to remote
networks?
192.168.1.2
192.168.1.1*
127.0.0.1
192.168.1.255

Explanation:
The default gateway setting is the IP address of the router to which the host will send packets
that are destined for remote networks. In the routing table of a PC, the gateway address is the
default gateway and must be on the same logical network as the host IP address, in this case
192.168.1.0. Thus the gateway address, which must be on the 192.168.1.0 network, is
192.168.1.1.
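The subnet arithmetic behind questions 12, 13 and 14, as an added example that is not part of the exam material: usable host count for a prefix, the network, first/last host and broadcast addresses of a block, and a check that a candidate default gateway sits on the host's own logical network. The host address 192.168.1.10/24 stands in for the exhibit, which is not reproduced here, and is an assumption; the /26 block is the one from question 12. The code also handles the /31 and /32 edge cases, which the exam's "minus two" rule does not cover.

```python
import ipaddress


def usable_hosts(cidr: str) -> int:
    """Usable host addresses in a network, e.g. 62 for a /26.

    A /26 leaves 32 - 26 = 6 host bits, 2**6 = 64 addresses, minus the
    network and broadcast addresses. /31 (point-to-point, RFC 3021) and /32
    are the edge cases where that subtraction does not apply.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 32:
        return 1
    if net.prefixlen == 31:
        return 2
    return net.num_addresses - 2


def address_range(cidr: str):
    """(network, first host, last host, broadcast) as strings, for a /30 or larger."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 30:
        raise ValueError("no separate network/broadcast addresses on /31 and /32")
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return (str(net.network_address), str(first), str(last), str(net.broadcast_address))


def gateway_is_valid(host_ip: str, prefixlen: int, gateway: str) -> bool:
    """A default gateway must be on the host's own logical network and must be
    a usable host address that is not the host itself."""
    net = ipaddress.ip_network(f"{host_ip}/{prefixlen}", strict=False)
    gw = ipaddress.ip_address(gateway)
    if gw not in net or gw == ipaddress.ip_address(host_ip):
        return False
    if net.prefixlen <= 30 and gw in (net.network_address, net.broadcast_address):
        return False
    return True


if __name__ == "__main__":
    print(usable_hosts("192.168.10.128/26"), address_range("192.168.10.128/26"))
    # Host address 192.168.1.10/24 is assumed; the exhibit is not reproduced here.
    for candidate in ("192.168.1.1", "192.168.0.1", "192.168.2.1", "192.168.255.1"):
        print(candidate, gateway_is_valid("192.168.1.10", 24, candidate))
```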

15. A cybersecurity analyst believes that an attacker is announcing a
forged MAC address to network hosts in an attempt to spoof the
default gateway. Which command could the analyst use on the
network hosts to see what MAC address the hosts are using to reach
the default gateway?
netstat -r
route print
ipconfig /all
arp -a*

Explanation:
The command arp -a will display the MAC address table on a PC.
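As an added example rather than part of the exam material, this Python parses the output of arp -a on a Windows host, compares the cached MAC of the default gateway with a known-good value, and flags any MAC that is claimed by more than one IP address (a gateway MAC that also appears for a host IP is the pattern the question describes). The arp output, the gateway MAC and the host addresses are constructed sample values; on Linux the output format of arp -a (or ip neigh) differs and the regular expression would need adjusting.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output; the addresses are placeholders.
# The second host entry deliberately shares the gateway's MAC to show what a
# poisoned cache looks like.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-00-99     dynamic
  192.168.1.50          aa-bb-cc-00-00-99     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Known-good gateway MAC, e.g. read from the router itself or an asset inventory
# (assumed value for this example).
EXPECTED_GATEWAY_MAC = "aa-bb-cc-00-00-01"

ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(?P<type>\w+)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Map IP -> MAC (lower-case, dash separated) from `arp -a` text."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def check_gateway(text, gateway_ip, expected_mac):
    """Return (ok, observed_mac). ok is False if the gateway's MAC differs from
    the known-good value or the gateway is missing from the cache."""
    observed = parse_arp_table(text).get(gateway_ip)
    return observed == expected_mac.lower(), observed


def shared_macs(text):
    """MACs that appear for more than one IP. The broadcast entry is ignored."""
    by_mac = defaultdict(list)
    for ip, mac in parse_arp_table(text).items():
        if mac != "ff-ff-ff-ff-ff-ff":
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    ok, seen = check_gateway(SAMPLE_ARP_OUTPUT, "192.168.1.1", EXPECTED_GATEWAY_MAC)
    print("gateway MAC as expected:", ok, "observed:", seen)
    print("MACs claimed by several IPs:", shared_macs(SAMPLE_ARP_OUTPUT))
```

Run the same check on several hosts: if they disagree about the gateway's MAC, or all report a MAC that matches some other host's entry, the analyst has the evidence the question asks for.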

16. Which value, that is contained in an IPv4 header field, is
decremented by each router that receives a packet?
Differentiated Services
Fragment Offset
Header Length
Time-to-Live*

Explanation:
When a router receives a packet, the router will decrement the Time-to-Live (TTL) field by
one. When the field reaches zero, the receiving router will discard the packet and will send an
ICMP Time Exceeded message to the sender.

17. What information does an Ethernet switch examine and use to


forward a frame?
destination IP address
source IP address
destination MAC address*
source MAC address

Explanation:
A switch is a Layer 2 device that uses source MAC addresses to build a MAC address table (a
CAM table) and destination MAC addresses to forward frames.

18. A person coming to a cafe for the first time wants to gain wireless
access to the Internet using a laptop. What is the first step the wireless
client will do in order to communicate over the network using a
wireless management frame?
agree with the AP on the payload
associate with the AP
authenticate to the AP*
discover the AP

Explanation:
In order for wireless devices to communicate on a wireless network, management frames are
used to complete a three-stage process:
1. Discover the AP
2. Authenticate with the AP
3. Associate with the AP

19. Refer to the exhibit.

A cybersecurity analyst is viewing packets forwarded by switch S2.
What addresses will identify frames containing data sent from PCA to
PCB?
Src IP: 192.168.1.212
Src MAC: 00-60-0F-B1-33-33
Dst IP: 192.168.2.101
Dst MAC: 08-CB-8A-5C-BB-BB*

Src IP: 192.168.1.212
Src MAC: 01-90-C0-E4-AA-AA
Dst IP: 192.168.2.101
Dst MAC: 08-CB-8A-5C-BB-BB

Src IP: 192.168.2.1
Src MAC: 00-60-0F-B1-33-33
Dst IP: 192.168.2.101
Dst MAC: 08-CB-8A-5C-BB-BB

Src IP: 192.168.1.212
Src MAC: 00-60-0F-B1-33-33
Dst IP: 192.168.2.101
Dst MAC: 00-D0-D3-BE-00-00

Explanation:
When a message sent from PCA to PCB reaches router R2, some frame header fields will be
rewritten by R2 before forwarding to switch S2. The frames will contain the source MAC
address of router R2 and the destination MAC address of PCB. The frames will retain the
original IPv4 addressing applied by PCA which is the IPv4 address of PCA as the source
address and the IPv4 address of PCB as the destination.
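A small model of what questions 16 and 19 describe, added here as an example and not part of the exam material: each router hop rebuilds the Layer 2 header (new source and destination MAC), leaves the Layer 3 source and destination IP untouched, and decrements TTL, discarding the packet when TTL would reach zero. The IP addresses of PCA and PCB, R2's MAC toward S2 and PCB's MAC are taken from the question; PCA's MAC and the R1 ingress MAC are assumed from the distractor options, and the remaining interface MACs are constructed placeholders from the IANA documentation range.

```python
from dataclasses import dataclass, replace

# Values taken from the question.
PCA_IP, PCB_IP = "192.168.1.212", "192.168.2.101"
PCB_MAC = "08-CB-8A-5C-BB-BB"
R2_EGRESS_MAC = "00-60-0F-B1-33-33"   # R2's interface toward S2, per the answer
# Assumed from the distractor options (the exhibit is not reproduced here).
PCA_MAC = "01-90-C0-E4-AA-AA"
R1_INGRESS_MAC = "00-D0-D3-BE-00-00"  # PCA's default gateway interface
# Constructed placeholders (IANA documentation MAC range, RFC 7042).
R1_EGRESS_MAC = "00-00-5E-00-53-01"
R2_INGRESS_MAC = "00-00-5E-00-53-02"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int


@dataclass(frozen=True)
class Router:
    name: str
    ingress_mac: str
    egress_mac: str


def route_hop(frame, router, next_hop_mac):
    """One router hop. Returns the rewritten frame, or None if the packet is discarded.

    Layer 2 is rebuilt on every hop; Layer 3 source and destination IP survive
    end to end; TTL drops by one per hop, and a packet whose TTL would hit zero
    is discarded (the ICMP Time Exceeded reply to the source is not modelled).
    """
    if frame.dst_mac.upper() != router.ingress_mac.upper():
        return None  # frame was not addressed to this router's interface
    if frame.ttl <= 1:
        return None  # TTL exhausted: discard
    return replace(frame, src_mac=router.egress_mac, dst_mac=next_hop_mac,
                   ttl=frame.ttl - 1)


def trace(frame, path):
    """Frames as seen on each segment along `path`, a list of (router, next_hop_mac)."""
    seen = [frame]
    for router, next_hop in path:
        frame = route_hop(frame, router, next_hop)
        if frame is None:
            break
        seen.append(frame)
    return seen


R1 = Router("R1", R1_INGRESS_MAC, R1_EGRESS_MAC)
R2 = Router("R2", R2_INGRESS_MAC, R2_EGRESS_MAC)
PATH_PCA_TO_PCB = [(R1, R2_INGRESS_MAC), (R2, PCB_MAC)]


def frame_on_s2(ttl=128):
    """The frame switch S2 forwards for a PCA -> PCB packet, or None if discarded."""
    initial = Frame(PCA_MAC, R1_INGRESS_MAC, PCA_IP, PCB_IP, ttl)
    frames = trace(initial, PATH_PCA_TO_PCB)
    return frames[-1] if len(frames) == len(PATH_PCA_TO_PCB) + 1 else None


if __name__ == "__main__":
    for f in trace(Frame(PCA_MAC, R1_INGRESS_MAC, PCA_IP, PCB_IP, 128), PATH_PCA_TO_PCB):
        print(f)
```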

20. What are three functions provided by the syslog service? (Choose
three.)
to gather logging information for monitoring and troubleshooting*
to select the type of logging information that is captured*
to specify the destinations of captured messages*
to periodically poll agents for data
to provide statistics on packets that are flowing through a Cisco device
to provide traffic analysis

Explanation:
There are three primary functions provided by the syslog service:
1. gathering logging information
2. selection of the type of information to be logged
3. selection of the destination of the logged information

21. Users report to the helpdesk that icons usually seen on the menu
bar are randomly appearing on their computer screens. What could
be a reason that computers are displaying these random graphics?
An access attack has occurred.
A virus has infected the computers.*
A DoS attack has been launched against the network.
The computers are subject to a reconnaissance attack.

Explanation:
A virus such as this is harmless, but still needs to be removed. Other viruses can be
destructive in that they modify or delete files on the local computer and possibly other
computers on the network.

22. Why does a worm pose a greater threat than a virus poses?
Worms run within a host program.
Worms are not detected by antivirus programs.
Worms directly attack the network devices.
Worms are more network-based than viruses are.*

Explanation:
One major component of a worm is the propagation mechanism which replicates the worm
and targets unprotected network devices. A virus requires a host program, but worms do not.

23. Which two characteristics describe a virus? (Choose two.)
A self-replicating attack that is independently launched.
Malicious code that can remain dormant before executing an unwanted action.*
Program code specifically designed to corrupt memory in network devices.
Malware that relies on the action of a user or a program to activate.*
Malware that executes arbitrary code and installs copies of itself in memory.

Explanation:
A virus is malicious code that is attached to legitimate programs or executable files. Most
viruses require end user activation, can lie dormant for an extended period, and then activate
at a specific time or date. In contrast, a worm executes arbitrary code and installs copies of
itself in the memory of the infected computer. The main purpose of a worm is automatic
replication to spread quickly across a network. A worm does not require a host program to
run.

24. The IT department is reporting that a company web server is
receiving an abnormally high number of web page requests from
different locations simultaneously. Which type of security attack is
occurring?
adware
DDoS*
phishing
social engineering
spyware

Explanation:
Phishing, spyware, and social engineering are security attacks that collect network and user
information. Adware consists, typically, of annoying popup windows. Unlike a DDoS attack,
none of these attacks generate large amounts of data traffic that can restrict access to network
services.

25. A disgruntled employee is using Wireshark to discover
administrative Telnet usernames and passwords. What type of
network attack does this describe?
denial of service
port redirection
reconnaissance*
trust exploitation

Explanation:
Wireshark is a free download that allows network packet inspection. Someone using this tool
for malicious intent would be performing a reconnaissance attack. Through the capture of
network packets, protocols with weak security, such as Telnet, can be caught, inspected, and
then analyzed for detailed network information, including passwords.

26. What is an essential function of SIEM?
providing reporting and analysis of security events*
providing 24×7 statistics on packets flowing through a Cisco router or multilayer switch
monitoring traffic and comparing it against the configured rules
forwarding traffic and physical layer errors to an analysis device

Explanation:
SIEM provides real-time reporting and analysis of security events. SIEM provides
administrators with details on sources of suspicious activity such as user information, device
location, and compliance with security policies.

27. What is the result of a DHCP starvation attack?
Legitimate clients are unable to lease IP addresses.*
Clients receive IP address assignments from a rogue DHCP server.
The attacker provides incorrect DNS and default gateway information to clients.
The IP addresses assigned to legitimate clients are hijacked.

Explanation:
DHCP starvation attacks are launched by an attacker with the intent to create a DoS for
DHCP clients. To accomplish this goal, the attacker uses a tool that sends many
DHCPDISCOVER messages to lease the entire pool of available IP addresses, thus denying
them to legitimate hosts.
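Detection logic for the behaviour just described, added as an example that is not part of the exam material: a starvation tool has to present a different client MAC for every lease it tries to take, so the number of distinct MACs sending DHCPDISCOVER on one interface within a short window is the signal. The log lines are constructed in the ISC dhcpd style; the year used for timestamp parsing, the server name, the MACs and the threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# ISC dhcpd-style DISCOVER line, e.g.
#   Jan 10 09:05:00 dhcp1 dhcpd: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
DISCOVER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: "
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \([^)]*\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)
ASSUMED_YEAR = 2024  # syslog timestamps carry no year


def parse_discovers(lines):
    """(timestamp, interface, mac) for every DHCPDISCOVER, in time order."""
    events = []
    for line in lines:
        m = DISCOVER_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["iface"], m["mac"].lower()))
    events.sort()
    return events


def detect_starvation(lines, threshold=20, window_seconds=60):
    """Interfaces on which more than `threshold` distinct client MACs sent
    DHCPDISCOVER within any `window_seconds` span, mapped to the peak count.

    A normal segment sees a handful of new MACs per minute; a burst of many
    never-before-seen MACs on one interface is the starvation pattern.
    """
    per_iface = defaultdict(list)
    for ts, iface, mac in parse_discovers(lines):
        per_iface[iface].append((ts, mac))
    alerts = {}
    for iface, events in per_iface.items():
        window = deque()
        peak = 0
        for ts, mac in events:
            window.append((ts, mac))
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len({m for _, m in window}))
        if peak > threshold:
            alerts[iface] = peak
    return alerts


def constructed_log():
    """Constructed sample: one normal lease on eth1, then a burst on eth0."""
    lines = [
        "Jan 10 09:00:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:01 via eth1",
        "Jan 10 09:00:01 dhcp1 dhcpd: DHCPOFFER on 10.1.1.50 to 00:11:22:33:44:01 via eth1",
        "Jan 10 09:00:02 dhcp1 dhcpd: DHCPREQUEST for 10.1.1.50 from 00:11:22:33:44:01 via eth1",
        "Jan 10 09:00:02 dhcp1 dhcpd: DHCPACK on 10.1.1.50 to 00:11:22:33:44:01 via eth1",
    ]
    for i in range(50):  # 50 different client MACs within ten seconds
        lines.append(f"Jan 10 09:05:{i % 10:02d} dhcp1 dhcpd: DHCPDISCOVER "
                     f"from de:ad:be:ef:00:{i:02x} via eth0")
    return lines


if __name__ == "__main__":
    print(detect_starvation(constructed_log()))
```

The threshold has to be tuned per segment (a lab or a conference network legitimately sees many new MACs), and the corresponding switch-side control is DHCP snooping with a per-port rate limit.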

28. What are two types of attacks used on DNS open resolvers?
(Choose two.)
resource utilization*
ARP poisoning
amplification and reflection
fast flux
cushioning

Explanation:
Three types of attacks used on DNS open resolvers are as follows:
DNS cache poisoning – attacker sends spoofed falsified information to redirect users from
legitimate sites to malicious sites
DNS amplification and reflection attacks – attacker sends an increased volume of attacks to
mask the true source of the attack
DNS resource utilization attacks – a denial of service (DoS) attack that consumes server
resources

29. What would be the target of an SQL injection attack?
database*
DHCP
DNS
email

Explanation:
SQL is the language used to query a relational database. Cybercriminals use SQL injections to
get information, create fake or malicious queries, or to breach the database in some other way.

30. Which two options are security best practices that help mitigate
BYOD risks? (Choose two.)
Use wireless MAC address filtering.
Decrease the wireless antenna gain level.
Keep the device OS and software updated.*
Only turn on Wi-Fi when using the wireless network.*
Only allow devices that have been approved by the corporate IT team.
Use paint that reflects wireless signals and glass that prevents the signals from going outside
the building.

Explanation:
Many companies now support employees and visitors attaching and using wireless devices
that connect to and use the corporate wireless network. This practice is known as a bring-
your-own-device policy or BYOD. Commonly, BYOD security practices are included in the
security policy. Some best practices that mitigate BYOD risks include the following:
Use unique passwords for each device and account.
Turn off Wi-Fi and Bluetooth connectivity when not being used. Only connect to trusted
networks.
Keep the device OS and other software updated.
Backup any data stored on the device.
Subscribe to a device locator service with a remote wipe feature.
Provide antivirus software for approved BYODs.
Use Mobile Device Management (MDM) software that allows IT teams to track the device
and implement security settings and software controls.

31. A user successfully logs in to a corporate network via a VPN
connection. Which part of the AAA process records that a certain
user performed a specific operation at a particular date and time?
access
accounting*
authentication
authorization

Explanation:
The three parts of the AAA process are authentication, authorization, and accounting. The
accounting function records information such as who logged in, when the user logged in and
out, and what the user did with network resources.

32. What are three access control security services? (Choose three.)
availability
authentication*
authorization*
repudiation
accounting*
access

Explanation:
This question refers to AAA: authentication, authorization, and accounting.

33. In threat intelligence communications, which sharing standard is a
specification for an application layer protocol that allows
communication of cyberthreat intelligence over HTTPS?
Structured threat information expression (STIX)
Trusted automated exchange of indicator information (TAXII)*
Common vulnerabilities and exposures (CVE)
Automated indicator sharing (AIS)

Explanation:
The two common threat intelligence sharing standards are as follows:
Structured Threat Information Expression (STIX) – This is a set of specifications for
exchanging cyberthreat information between organizations. The Cyber Observable Expression
(CybOX) standard has been incorporated into STIX.
Trusted Automated Exchange of Indicator Information (TAXII) – This is the specification for
an application layer protocol that allows the communication of CTI over HTTPS. TAXII is
designed to support STIX.

34. A network security specialist is tasked to implement a security
measure that monitors the status of critical files in the data center and
sends an immediate alert if any file is modified. Which aspect of
secure communications is addressed by this security measure?
data integrity*
nonrepudiation
data confidentiality
origin authentication

Explanation:
Secure communications consists of four elements:
Data confidentiality – guarantees that only authorized users can read the message
Data integrity – guarantees that the message was not altered
Origin authentication – guarantees that the message is not a forgery and does actually come
from whom it states
Data nonrepudiation – guarantees that the sender cannot repudiate, or refute, the validity of a
message sent

35. Which two statements describe the use of asymmetric algorithms?
(Choose two.)
If a public key is used to encrypt the data, a public key must be used to decrypt the data.
If a private key is used to encrypt the data, a private key must be used to decrypt the data.
If a public key is used to encrypt the data, a private key must be used to decrypt the
data.*
If a private key is used to encrypt the data, a public key must be used to decrypt the
data.*
Public and private keys may be used interchangeably.

Explanation:
Asymmetric algorithms use two keys: a public key and a private key. Both keys are capable of
the encryption process, but the complementary matched key is required for decryption. If a
public key encrypts the data, the matching private key decrypts the data. The opposite is also
true. If a private key encrypts the data, the corresponding public key decrypts the data.

36. What is the most common use of the Diffie-Hellman algorithm in
communications security?
to provide routing protocol authentication between routers
to create password hashes for secure authentication
to encrypt data for secure e-commerce communications
to secure the exchange of keys used to encrypt data*

Explanation:
Diffie-Hellman is not an encryption mechanism and is not typically used to encrypt data.
Instead, it is a method to securely exchange the keys used to encrypt the data.

37. A customer purchases an item from an e-commerce site. The
e-commerce site must maintain proof that the data exchange took place
between the site and the customer. Which feature of digital signatures
is required?
authenticity of digitally signed data
integrity of digitally signed data
nonrepudiation of the transaction*
confidentiality of the public key

Explanation:
Digital signatures provide three basic security services:
Authenticity of digitally signed data – Digital signatures authenticate a source, proving that a
certain party has seen and signed the data in question.
Integrity of digitally signed data – Digital signatures guarantee that the data has not changed
from the time it was signed.
Nonrepudiation of the transaction – The recipient can take the data to a third party, and the
third party accepts the digital signature as a proof that this data exchange did take place. The
signing party cannot repudiate that it has signed the data.
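The key-pair property from question 35 and the signature services from question 37, carried through in textbook RSA as an added example that is not part of the exam material. Two small constructed primes keep the numbers readable: the public key encrypts and only the private key decrypts, the private key "encrypts" a message hash to produce a signature that only the matching public key verifies, and a wrong key or an altered message fails. The modulus size, the lack of padding and the message are all illustrative assumptions; real systems use large primes, OAEP/PSS padding and a vetted library.

```python
import hashlib

# Textbook RSA with two small, constructed primes. This demonstrates only the
# key-pair property the text describes; a real deployment needs large primes,
# padding (OAEP for encryption, PSS for signatures) and a vetted library.
P, Q = 61, 53
N = P * Q                      # modulus, 3233
PHI = (P - 1) * (Q - 1)        # 3120
E = 17                         # public exponent
D = pow(E, -1, PHI)            # private exponent, 2753 (modular inverse, Python 3.8+)

PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def rsa_apply(value: int, key) -> int:
    """Raise value to the key's exponent modulo N: the same operation for either key."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, modulus)


def encrypt_with_public(m: int) -> int:
    """Anyone can encrypt with the public key; only the private key undoes it."""
    return rsa_apply(m, PUBLIC_KEY)


def decrypt_with_private(c: int) -> int:
    return rsa_apply(c, PRIVATE_KEY)


def _digest(message: bytes) -> int:
    # Hash the message and reduce it into the modulus range (toy-size modulus).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """The private key 'encrypts' the hash; that value is the signature."""
    return rsa_apply(_digest(message), PRIVATE_KEY)


def verify(message: bytes, signature: int) -> bool:
    """The public key 'decrypts' the signature; a match shows the private-key
    holder signed exactly this data (authenticity, integrity, nonrepudiation)."""
    return rsa_apply(signature, PUBLIC_KEY) == _digest(message)


if __name__ == "__main__":
    c = encrypt_with_public(65)
    print("ciphertext:", c, "decrypted:", decrypt_with_private(c))
    order = b"order #1234: 2 items, total 49.90"   # constructed message
    s = sign(order)
    print("valid:", verify(order, s), "tampered:", verify(order + b"!", s))
```

Nonrepudiation follows from the asymmetry: the customer's signature verifies with a key anyone can hold, but it could only have been produced with the private key the customer alone holds, so a third party can check it without being able to forge it.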

38. When a user visits an online store website that uses HTTPS, the
user browser queries the CA for a CRL. What is the purpose of this
query?
to negotiate the best encryption to use
to verify the validity of the digital certificate*
to request the CA self-signed digital certificate
to check the length of key used for the digital certificate

Explanation:
A digital certificate must be revoked if it is invalid. CAs maintain a certificate revocation list
(CRL), a list of revoked certificate serial numbers that have been invalidated. The user
browser will query the CRL to verify the validity of a certificate.

39. Which management system implements systems that track the
location and configuration of networked devices and software across
an enterprise?
risk management
asset management*
vulnerability management
configuration management

Explanation:
Asset management involves the implementation of systems that track the location and
configuration of networked devices and software across an enterprise.

40. Which host-based firewall uses a three-profile approach to
configure the firewall functionality?
iptables
nftables
TCP Wrapper
Windows Firewall*

Explanation:
Windows Firewall uses a profile-based approach to configuring firewall functionality. It uses
three profiles, Public, Private, and Domain, to define firewall functions.

41. Which approach is intended to prevent exploits that target syslog?
Use syslog-ng.*
Use a Linux-based server.
Use a VPN between a syslog client and the syslog server.
Create an ACL that permits only TCP traffic to the syslog server.

Explanation:
Hackers may try to block clients from sending data to the syslog server, manipulate or erase
logged data, or manipulate the software used to transmit messages between the clients and the
server. Syslog-ng is the next generation of syslog and it contains improvements to prevent
some of the exploits.

42. Which two technologies are primarily used on peer-to-peer
networks? (Choose two.)
Bitcoin*
BitTorrent*
Darknet
Snort
Wireshark

Explanation:
Bitcoin is used to share a distributed database or ledger. BitTorrent is used for file sharing.

43. How can statistical data be used to describe or predict network
behavior?
by listing results of user web surfing activities
by displaying alert messages that are generated by Snort
by recording conversations between network endpoints
by comparing normal network behavior to current network behavior*

Explanation:
Statistical data is created through the analysis of other forms of network data. Statistical
characteristics of normal network behavior can be compared to current network traffic in an
effort to detect anomalies. Conclusions resulting from analysis can be used to describe or
predict network behavior.

44. What are two elements that form the PRI value in a syslog
message? (Choose two.)
facility
header*
severity
hostname*
timestamp

Explanation:
The PRI in a syslog message consists of two elements, the facility and severity of the
message.

45. Which tool can be used in a Cisco AVC system to analyze and
present the application analysis data into dashboard reports?
Prime*
IPFIX
NBAR2
NetFlow

Explanation:
A management and reporting system, such as Cisco Prime, can be used to analyze and present
the application analysis data into dashboard reports for use by network monitoring personnel.

46. Refer to the exhibit.

Which field in the Sguil event window indicates the number of times
an event is detected for the same source and destination IP address?
ST
CNT*
AlertID
Pr

Explanation:
The CNT field indicates the number of times an event is detected from the same source and
destination IP address. Having a high number of events can indicate a problem with event
signatures.

47. Refer to the exhibit.

A network security specialist is issuing the tail command to monitor
the Snort alert in real time. Which option should be used in the
command line to watch the file for changes?
-c
-f*
-n
-q

Explanation:
For the Linux tail command, the option -f is used to monitor a file for changes. The -c option
is used to limit the number of bytes shown. The -n option is used to set the number of lines to
display. The -q option is used to suppress the header line.

48. A law office uses a Linux host as the firewall device for the
network. The IT administrator is configuring the firewall iptables to
block pings from Internet devices to the Linux host. Which iptables
chain should be modified to achieve the task?
INPUT*
OUTPUT
INTERNET
FORWARD

Explanation:
The firewall iptables uses the concepts of chains and rules to filter traffic:
INPUT chain – handles traffic entering the firewall and destined to the firewall device itself
OUTPUT chain – handles traffic originating within the firewall device itself and destined to
somewhere else
FORWARD chain – handles traffic originated somewhere else and passing through the
firewall device

49. Which type of events should be assigned to categories in Sguil?
true positive*
true negative
false positive
false negative

Explanation:
Sguil includes seven pre-built categories that can be assigned to events that have been
identified as true positives.

50. Refer to the exhibit.

A network security analyst is examining captured data using
Wireshark. What is represented by the first three frames?
UDP DNS request
TCP three-way handshake*
request of a file from the client
connectivity test between two hosts

Explanation:
The first three frames consist of the SYN, SYN/ACK, and ACK exchanges that constitute the
TCP three-way handshake between the two hosts.

51. Which term is used for describing automated queries that are
useful for adding efficiency to the cyberoperations workflow?
rootkit
cyber kill chain
chain of custody
playbook *

Explanation:
A playbook is an automated query that can add efficiency to the cyberoperations workflow.

52. Which statement describes the Cyber Kill Chain?
It uses the OSI model to describe cyberattacks at each of the seven layers.
It identifies the steps that adversaries must complete to accomplish their goals.*
It specifies common TCP/IP protocols used to fight against cyberattacks.
It is a set of metrics designed to create a way to describe security incidents in a structured and
repeatable way.

Explanation:
The Cyber Kill Chain was developed to identify and prevent cyber intrusions by specifying
what threat actors must complete to accomplish their goals.

53. When dealing with security threats and using the Cyber Kill
Chain model, which two approaches can an organization use to block
a potential back door creation? (Choose two.)
Conduct damage assessment.
Establish an incident response playbook.
Consolidate the number of Internet points of presence.
Audit endpoints to discover abnormal file creations.*
Use HIPS to alert or place a block on common installation paths.*

Explanation:
In the installation phase of the Cyber Kill Chain, the threat actor establishes a back door into
the system to allow for continued access to the target. Among other measures, using HIPS to
alert or block on common installation paths and auditing endpoints to discover abnormal file
creations can help block a potential back door creation.

54. Which schema or model allows security professionals to enter data
about a particular incident, such as victim demographics, incident
description, discovery method and response, and impact assessment,
and share that data with the security community anonymously?
CSIRT
Cyber Kill Chain
Diamond
VERIS*

Explanation:
Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to
create a way to describe security incidents in a structured or repeatable way. A Computer
Security Incident Response Team (CSIRT) is an internal organizational group that provides
services and functions to secure assets. The Cyber Kill Chain contains seven steps which help
analysts understand the techniques, tools, and procedures of threat actors. The Diamond
Model of intrusion has four parts that represent a security incident.

55. What is the responsibility of the IT support group when handling
a security incident?
Perform disciplinary measures if an incident is caused by an employee.
Coordinate the incident response with other stakeholders and minimize the damage of the
incident.
Perform actions to minimize the effectiveness of the attack and preserve evidence.*
Review the incident policies, plans, and procedures for local or federal guideline violations.

Explanation:
IT support best understands the technology used in the organization and can perform the
correct actions to minimize the effectiveness of the attack and preserve evidence.

56. Match the type of CSIRT with the description.

57. Match the IPS alarm with the description.

58. Match the Windows host log to the messages contained in it. (Not
all options are used.)

59. Match the term to the description.

60. Match the server profile element to the description. (Not all
options are used.)

Explanation:
The elements of a server profile include the following:
Listening ports – the TCP and UDP daemons and ports that are allowed to be open on the server
User accounts – the parameters defining user access and behavior
Service accounts – the definitions of the type of service that an application is allowed to run
on a given host
Software environment – the tasks, processes, and applications that are permitted to run on the
server

1. Refer to the exhibit.

CCNA Cyber OPS v1.1 Final Exam Answers p1

A network security specialist issues the command tcpdump to capture
events. What does the number 6337 indicate?
the number of transactions currently captured

the process id of the tcpdump command*

the port that tcpdump is listening to

the Snort signature id that tcpdump will watch and capture

Explanation: After the tcpdump command is issued, the device displays the message [1]
6337. The message indicates that the process with PID 6337 was sent to the background.

2. How do cybercriminals make use of a malicious iFrame?

The iFrame allows multiple DNS subdomains to be used.

The attacker embeds malicious content in business appropriate files.

The iFrame allows the browser to load a web page from another source.*

The attacker redirects traffic to an incorrect DNS server.

Explanation: An inline frame or iFrame is an HTML element that allows the browser to load
a different web page from another source.

3. What is a difference between symmetric and asymmetric
encryption algorithms?
Symmetric encryption algorithms are used to encrypt data. Asymmetric encryption algorithms
are used to decrypt data.

Symmetric algorithms are typically hundreds to thousands of times slower than asymmetric
algorithms.

Symmetric encryption algorithms are used to authenticate secure communications.
Asymmetric encryption algorithms are used to repudiate messages.

Symmetric encryption algorithms use pre-shared keys. Asymmetric encryption
algorithms use different keys to encrypt and decrypt data.*

Explanation: Asymmetric algorithms can use very long key lengths in order to avoid being
hacked. This results in the use of significantly increased resources and time compared to
symmetric algorithms.

4. What is a network tap?

a Cisco technology that provides statistics on packets flowing through a router or multilayer
switch

a technology used to provide real-time reporting and long-term analysis of security events

a feature supported on Cisco switches that enables the switch to copy frames and forward
them to an analysis device

a passive device that forwards all traffic and physical layer errors to an analysis device*

Explanation: A network tap is used to capture traffic for monitoring the network. The tap is
typically a passive splitting device implemented inline on the network and forwards all traffic,
including physical layer errors, to an analysis device.

5. Refer to the exhibit.

CCNA Cyber OPS v1.1 Final Exam Answers p5

A network administrator is viewing some output on the Netflow
collector. What can be determined from the output of the traffic flow
shown?
This is a UDP DNS response to a client machine.*

This is a UDP DNS request to a DNS server.

This is a TCP DNS request to a DNS server.

This is a TCP DNS response to a client machine.

Explanation: The traffic flow shown has a source port of 53 and a destination port of 1025.
Port 53 is used for DNS and because the source port is 53, this traffic is responding to a client
machine from a DNS server. The IP PROTOCOL is 17 and specifies that UDP is being used
and the TCP flag is set to 0.

6. According to NIST, which step in the digital forensics process
involves preparing and presenting information that resulted from
scrutinizing data?
examination

reporting*

collection

analysis

Explanation: NIST describes the digital forensics process as involving the following four
steps:
Collection – the identification of potential sources of forensic data and acquisition,
handling, and storage of that data
Examination – assessing and extracting relevant information from the collected data.
This may involve decompression or decryption of the data
Analysis – drawing conclusions from the data. Salient features, such as people, places,
times, events, and so on should be documented
Reporting – preparing and presenting information that resulted from the analysis.
Reporting should be impartial and alternative explanations should be offered if
appropriate

7. A technician notices that an application is not responding to
commands and that the computer seems to respond slowly when
applications are opened. What is the best administrative tool to force
the release of system resources from the unresponsive application?
Event Viewer
System Restore

Add or Remove Programs

Task Manager*

Explanation: Use the Task Manager Performance tab to see a visual representation of CPU
and RAM utilization. This is helpful in determining if more memory is needed. Use the
Applications tab to halt an application that is not responding.

8. Which three technologies should be included in a security
information and event management system in a SOC? (Choose three.)
firewall appliance

threat intelligence*

VPN connection

security monitoring*

vulnerability tracking*

intrusion prevention

Explanation: Technologies in a SOC should include the following:
Event collection, correlation, and analysis
Security monitoring
Security control
Log management
Vulnerability assessment
Vulnerability tracking
Threat intelligence
Firewall appliances, VPNs, and IPS are security devices deployed in the network
infrastructure.

9. In which situation is an asymmetric key algorithm used?

An office manager encrypts confidential files before saving them to a removable device.

Two Cisco routers authenticate each other with CHAP.

User data is transmitted across the network after a VPN is established.

A network administrator connects to a Cisco router with SSH.*

Explanation: The SSH protocol uses an asymmetric key algorithm to authenticate users and
encrypt data transmitted. The SSH server generates a pair of public/private keys for the
connections. Encrypting files before saving them to a storage device uses a symmetric key
algorithm because the same key is used to encrypt and decrypt files. The router authentication
with CHAP uses a symmetric key algorithm. The key is pre-configured by the network
administrator. A VPN may use both an asymmetric key and a symmetric encryption
algorithm. For example, in an IPsec VPN implementation, the data transmission uses a shared
secret (generated with an asymmetric key algorithm) with a symmetric encryption algorithm
used for performance.

10. Which two statements are characteristics of a virus? (Choose two.)

A virus replicates itself by independently exploiting vulnerabilities in networks.

A virus typically requires end-user activation.*

A virus provides the attacker with sensitive data, such as passwords.

A virus can be dormant and then activate at a specific time or date.*

A virus has an enabling vulnerability, a propagation mechanism, and a payload.

Explanation: The type of end user interaction required to launch a virus is typically opening
an application, opening a web page, or powering on the computer. Once activated, a virus
may infect other files located on the computer or other computers on the same network.

11. Which Windows Event Viewer log includes events regarding the
operation of drivers, processes, and hardware?
system logs*

application logs

security logs

setup logs

Explanation: By default Windows keeps four types of host logs:
Application logs – events logged by various applications
System logs – events about the operation of drivers, processes, and hardware
Setup logs – information about the installation of software, including Windows
updates
Security logs – events related to security, such as logon attempts and operations
related to file or object management and access

12. What is the responsibility of the human resources department
when handling a security incident?
Perform actions to minimize the effectiveness of the attack and preserve evidence.

Review the incident policies, plans, and procedures for local or federal guideline violations.

Coordinate the incident response with other stakeholders and minimize the damage of the
incident.

Apply disciplinary measures if an incident is caused by an employee.*

Explanation: The human resources department may be called upon to perform disciplinary
measures if an incident is caused by an employee.

13. Which two net commands are associated with network resource
sharing? (Choose two.)
net use*

net start

net share*

net stop

net accounts

14. A network security professional has applied for a Tier 2 position in
a SOC. What is a typical job function that would be assigned to a new
employee?
monitoring incoming alerts and verifying that a true security incident has occurred

hunting for potential security threats and implementing threat detection tools

further investigating security incidents*

serving as the point of contact for a customer

Explanation: In a typical SOC, the job of a Tier 2 incident responder involves deep
investigation of security incidents.

15. What are three responsibilities of the transport layer? (Choose
three.)
meeting the reliability requirements of applications, if any*

identifying the applications and services on the client and server that should handle
transmitted data*

multiplexing multiple communication streams from many users or applications on the
same network*

directing packets towards the destination network

formatting data into a compatible form for receipt by the destination devices

conducting error detection of the contents in frames

Explanation: The transport layer has several responsibilities. Some of the primary
responsibilities include the following:
Tracking the individual communication streams between applications on the source and
destination hosts
Segmenting data at the source and reassembling the data at the destination
Identifying the proper application for each communication stream through the use of port
numbers
Multiplexing the communications of multiple users or applications over a single network
Managing the reliability requirements of applications

16. Which technique is necessary to ensure a private transfer of data
using a VPN?
scalability

authorization

virtualization

encryption*

Explanation: Confidential and secure transfers of data with VPNs require data encryption.

17. As described by the SANS Institute, which attack surface includes
the use of social engineering?
Internet attack surface

software attack surface

human attack surface*

network attack surface

Explanation: The SANS Institute describes three components of the attack surface:
Network Attack Surface – exploitation of vulnerabilities in networks
Software Attack Surface – exploitation of vulnerabilities in web, cloud, or host-based
software applications
Human Attack Surface – exploitation of weaknesses in user behavior

18. Refer to the exhibit.

CCNA Cyber OPS v1.1 Final Exam Answers p18

A network administrator is showing a junior network engineer some
output on the server. Which service would have to be enabled on the
server to receive such output?
SNMP*

ICMP

debug

AAA

Explanation: The Simple Network Management Protocol is used by network devices to send
and log messages to a syslog server in order to monitor traffic and network device events. The
syslog service must be enabled on the server or a syslog server application must be installed
in order to receive such traffic.

19. Which scenario is probably the result of activities by a group of
hacktivists?
The major power grid in a country is experiencing frequent attacks from another country.

The central database of student grades is accessed and a few grades are modified illegally.

The sales record files of recent years in a large company suddenly cannot be opened and an
offer comes forward promising that the data could be restored for a hefty fee.

The internal emails related to the handling of an environmental disaster by a petroleum
company appear on multiple websites.*

Explanation: Hacktivists are typically hackers who protest against a variety of political and
social ideas. Hacktivists publicly protest against organizations or governments by posting
articles and leaking sensitive information. Accessing a school database and changing grades is
probably done by a few script kiddies. An offer from someone to restore data for a hefty fee is a
ransomware attack. Attacking the major power grid is typically conducted by a government.

20. What are two advantages of the NTFS file system compared with
FAT32? (Choose two.)
NTFS is easier to configure.

NTFS provides more security features.*

NTFS allows the automatic detection of bad sectors.

NTFS supports larger partitions.*

NTFS allows faster access to external peripherals such as a USB drive.

NTFS allows faster formatting of drives.

Explanation: The file system has no control over the speed of access or formatting of drives,
and the ease of configuration is not file system-dependent.

21. What two assurances does digital signing provide about code that
is downloaded from the Internet? (Choose two.)
The code is authentic and is actually sourced by the publisher.*

The code contains no errors.

The code has not been modified since it left the software publisher.*

The code contains no viruses.

The code was encrypted with both a private and public key.

Explanation: Digitally signing code provides several assurances about the code:
The code is authentic and is actually sourced by the publisher.
The code has not been modified since it left the software publisher.
The publisher undeniably published the code. This provides nonrepudiation of the act of
publishing.

22. Which statement identifies an important difference between the
TACACS+ and RADIUS protocols?
TACACS+ provides extensive accounting capabilities when compared to RADIUS.

RADIUS can cause delays by establishing a new TCP session for each authorization request.

The RADIUS protocol encrypts the entire packet transmission.

The TACACS+ protocol allows for separation of authentication from authorization.*

Explanation: One key difference between TACACS+ and RADIUS protocols is that
TACACS+ provides flexibility by separating authentication and authorization processes.
RADIUS, on the other hand, combines authentication and authorization as one process.

23. What is a function of SNMP?

synchronizes the time across all devices on the network

provides a message format for communication between network device managers and
agents*

captures packets entering and exiting the network interface card

provides statistical analysis on packets flowing through a Cisco router or multilayer switch

Explanation: SNMP is an application layer protocol that allows administrators to manage
devices on the network by providing a messaging format for communication between network
device managers and agents.

24. What commonly motivates cybercriminals to attack networks as
compared to hacktivists or state-sponsored hackers?
fame seeking

financial gain*

status among peers

political reasons

Explanation: Cybercriminals are commonly motivated by money. Hackers are known to hack
for status. Cyberterrorists are motivated to commit cybercrimes for religious or political
reasons.

25. In a networking class, the instructor tells the students to ping the
other computers in the classroom from the command prompt. Why
do all pings in the class fail?
Port 25 is blocked and preventing the echo request from being transmitted.

The computers are on different networks.

A virus is on the classroom computers.

The Windows firewall is blocking the ping.*

Explanation: Unsuccessful pings usually indicate a network problem, which eliminates the
virus option. In this case computers in the same classroom would also be on the same
network. Port 25 is used by the email SMTP protocol, not by ping.

26. Which method can be used to harden a device?

use SSH and disable the root account access over SSH*

allow default services to remain enabled

maintain use of the same passwords

allow USB auto-detection

Explanation: The basic best practices for device hardening are as follows:
Ensure physical security.
Minimize installed packages.
Disable unused services.
Use SSH and disable the root account login over SSH.
Keep the system updated.
Disable USB auto-detection.
Enforce strong passwords.
Force periodic password changes.
Keep users from re-using old passwords.
Review logs regularly.

27. Because of implemented security controls, a user can only access a
server with FTP. Which AAA component accomplishes this?
auditing

authorization*

accessibility

accounting

authentication

Explanation: One of the components in AAA is authorization. After a user is authenticated
through AAA, authorization services determine which resources the user can access and
which operations the user is allowed to perform.

28. Which protocol translates a website name such as www.cisco.com
into a network address?
DNS*

HTTP

FTP

DHCP

Explanation: Domain Name Service translates names into numerical addresses, and
associates the two. DHCP provides IP addresses dynamically to pools of devices. HTTP
delivers web pages to users. FTP manages file transfers.

29. How might DNS be used by a threat actor to create mayhem?

Change the timestamp on network messages in order to conceal the cyberattack.

Surveil or deny service from outside the corporate network.

Collect personal information and encode the data in outgoing DNS queries.*

Intercept and decrypt network traffic.

Explanation: Malware could be used by a threat actor to collect stolen encoded data, decode
it, and then gain access to corporate data such as a username/password database.

30. Refer to the exhibit.

CCNA Cyber OPS v1.1 Final Exam Answers p30

A cybersecurity analyst is viewing captured packets forwarded on
switch S1. Which device has the MAC address d8:cb:8a:5c:d5:8a?
web server

router DG

router ISP

PC-A*

DNS server

Explanation: The Wireshark capture is a DNS response from the DNS server to PC-A.
Because the packet was captured on the LAN that the PC is on, router DG would have
encapsulated the response packet from the ISP router into an Ethernet frame addressed to PC-
A and forwarded the frame with the MAC address of PC-A as the destination.

31. Which statement describes the policy-based intrusion detection
approach?
It compares the antimalware definitions to a central repository for the latest updates.

It compares the behaviors of a host to an established baseline to identify potential intrusion.

It compares the operations of a host against well-defined security rules.*

It compares the signatures of incoming traffic to a known intrusion database.

Explanation: With the anomaly-based intrusion detection approach, a set of rules or policies
is applied to a host. Violation of these policies is interpreted to be the result of a potential
intrusion.

32. Why would threat actors prefer to use a zero-day attack in the
Cyber Kill Chain weaponization phase?
to launch a DoS attack toward the target

to get a free malware package

to avoid detection by the target*

to gain faster delivery of the attack on the target

Explanation: When a threat actor prepares a weapon for an attack, the threat actor chooses an
automated tool (weaponizer) that can be deployed through discovered vulnerabilities.
Malware that will carry desired attacks is then built into the tool as the payload. The weapon
(tool plus malware payload) will be delivered to the target system. By using a zero-day
weaponizer, the threat actor hopes that the weapon will not be detected because it is unknown
to security professionals and detection methods are not yet developed.

33. Which two services are provided by the NetFlow tool? (Choose
two.)
QoS configuration

usage-based network billing*

log analysis

access list monitoring

network monitoring*

Explanation: NetFlow efficiently provides an important set of services for IP applications
including network traffic accounting, usage-based network billing, network planning,
security, denial of service monitoring capabilities, and network monitoring.

34. Why would a network administrator choose Linux as an
operating system in the Security Operations Center (SOC)?
The administrator has control over specific security functions, but not standard applications.

It is easier to use than other server operating systems.

More network applications are created for this environment.

It can be acquired at no charge.*

Explanation: There are several reasons why Linux is a good choice for the SOC.
Linux is open source.
The command line interface is a very powerful environment.
The user has more control over the operating system.
Linux allows for better network communication control.

35. Which two statements describe access attacks? (Choose two.)

Buffer overflow attacks write data beyond the allocated buffer memory to overwrite
valid data or to exploit systems to execute malicious code.*

Port redirection attacks use a network adapter card in promiscuous mode to capture all
network packets that are sent across a LAN.

Trust exploitation attacks often involve the use of a laptop to act as a rogue access point to
capture and copy all network traffic in a public location, such as a wireless hotspot.

To detect listening services, port scanning attacks scan a range of TCP or UDP port numbers
on a host.

Password attacks can be implemented by the use of brute-force attack methods, Trojan
horses, or packet sniffers.*

Explanation: An access attack tries to gain access to a resource using a hijacked account or
other means. The five types of access attacks include the following:
password – a dictionary is used for repeated login attempts
trust exploitation – uses granted privileges to access unauthorized material
port redirection – uses a compromised internal host to pass traffic through a firewall
man-in-the-middle – an unauthorized device positioned between two legitimate devices in
order to redirect or capture traffic
buffer overflow – too much data sent to a memory location that already contains data

36. Which type of data would be considered an example of volatile
data?
temp files

log files

memory registers*

web browser cache

Explanation: Volatile data is data stored in memory such as registers, cache, and RAM, or it
is data that exists in transit. Volatile memory is lost when the computer loses power.

37. Which Linux command could be used to discover the process ID
(PID) for a specific process before using the kill command?
ps*

ls

chkrootkit

grep

38. Which two characteristics describe a worm? (Choose two.)

infects computers by attaching to software code

travels to new computers without any intervention or knowledge of the user*

hides in a dormant state until needed by an attacker

executes when software is run on a computer

is self-replicating*

Explanation: Worms are self-replicating pieces of software that consume bandwidth on a
network as they propagate from system to system. They do not require a host application,
unlike a virus. Viruses, on the other hand, carry executable malicious code which harms the
target machine on which they reside.

39. Which two roles are typically performed by a wireless router that
is used in a home or small business? (Choose two.)
WLAN controller

RADIUS authentication server

Ethernet switch*

access point*

repeater

Explanation: In addition to its role as a router, a typical SOHO wireless router acts as both a
wireless access point and an Ethernet switch. RADIUS authentication is provided by an
external server. A WLAN controller is used in enterprise deployments to manage groups of
lightweight access points. A repeater is a device that enhances an incoming signal and
retransmits it.

40. Refer to the exhibit.

CCNA Cyber OPS v1.1 Final Exam Answers p40

If host A sends an IP packet to host B, what will the destination
address be in the frame when it leaves host A?
AA:AA:AA:AA:AA:AA

CC:CC:CC:CC:CC:CC

DD:DD:DD:DD:DD:DD

172.168.10.65

172.168.10.99

BB:BB:BB:BB:BB:BB*

Explanation: When a host sends information to a distant network, the Layer 2 frame header
will contain a source and destination MAC address. The source address will be the originating
host device. The destination address will be the router interface that connects to the same
network. In the case of host A sending information to host B, the source address is
AA:AA:AA:AA:AA:AA and the destination address is the MAC address assigned to the R2
Ethernet interface, BB:BB:BB:BB:BB:BB.

41. A threat actor has gained administrative access to a system and
achieved the goal of controlling the system for a future DDoS attack
by establishing a communication channel with a CnC owned by the
threat actor. Which phase in the Cyber Kill Chain model describes
the situation?
delivery

exploitation

command and control

action on objectives*

Explanation: The Cyber Kill Chain specifies seven sequential steps (phases) that a threat
actor must complete to accomplish an attack:
Reconnaissance – The threat actor performs research, gathers intelligence, and selects targets.
Weaponization – The threat actor uses the information from the reconnaissance phase to
develop a weapon against specific targeted systems.
Delivery – The weapon is transmitted to the target using a delivery vector.
Exploitation – The threat actor uses the delivered weapon to exploit a vulnerability and gain
control of the target.
Installation – The threat actor establishes a back door into the system to allow for continued
access to the target.
Command and Control (CnC) – The threat actor establishes a command and control (CnC)
channel with the target system.
Action on Objectives – The threat actor is able to take action on the target system, thus
achieving the original objective.
In the scenario, the threat actor's stated objective (a system under the actor's control, ready
for a future DDoS attack) has already been achieved, so the situation is at the final phase
rather than merely at the CnC phase.

42. How is a source IP address used in a standard ACL?

It is used to determine the default gateway of the router that has the ACL applied.

It is the address that is unknown, so the ACL must be placed on the interface closest to the
source address.

It is the address to be used by a router to determine the best path to forward packets.

It is the criterion that is used to filter traffic.*

Explanation: The only criterion that a standard ACL can filter on is the source IP address.
An extended ACL can filter on the source IP address, destination IP address, protocol type,
and protocol-specific fields such as TCP/UDP port numbers or the ICMP message type.

43. Refer to the exhibit.

[Exhibit: CCNA Cyber OPS v1.1 Final Exam Answers p43]

Which access list configuration on router R1 will prevent traffic from
the 192.168.2.0 LAN from reaching the Restricted LAN while
permitting traffic from any other LAN?
R1(config-std-nacl)# permit any
R1(config-std-nacl)# deny 192.168.2.0
R1(config)# interface G0/2
R1(config-if)# ip access-group BLOCK_LAN2 out

R1(config-std-nacl)# deny 192.168.2.0
R1(config-std-nacl)# permit any
R1(config)# interface G0/2
R1(config-if)# ip access-group BLOCK_LAN2 out*

R1(config-std-nacl)# deny 192.168.3.0
R1(config-std-nacl)# permit any
R1(config)# interface G0/2
R1(config-if)# ip access-group BLOCK_LAN2 in

R1(config-std-nacl)# permit any
R1(config-std-nacl)# deny 192.168.3.0
R1(config)# interface G0/2
R1(config-if)# ip access-group BLOCK-LAN2 in

Explanation: Access list entries are evaluated top down and the first match wins, so the deny
statement for the 192.168.2.0 source must come before the permit any statement; in the
reverse order, permit any would match every packet first and nothing would ever be denied.
The access list must then be applied to interface G0/2, the interface facing the Restricted
LAN, in the outbound direction. Two details the option text omits matter on a real router: the
named list is created with ip access-list standard BLOCK_LAN2 before the entries are typed,
and a source entered without a wildcard mask is treated by IOS as a single host (wildcard
0.0.0.0), so matching the whole 192.168.2.0/24 LAN requires deny 192.168.2.0 0.0.0.255.
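
The matching rules behind questions 42 and 43 (source-only matching, top-down first-match evaluation, the implicit deny, and the host default when no wildcard mask is given) can be run as code. The block below is an added example written for this page, not Cisco's implementation and not IOS; the three ACL variants it evaluates are constructed from the exam's BLOCK_LAN2 list and the names are illustrative.

```python
# Added example (not from the exam page): a standard ACL evaluator that
# applies the IOS matching rules the explanation relies on. Entries are
# checked top down, the first match decides, a source entered without a
# wildcard mask is a single host, and an unmatched packet falls through to
# the implicit deny at the end of every ACL.
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(src: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(src) & care) == (_to_int(network) & care)


def parse_standard_ace(line: str):
    """Parse one standard ACL entry into (action, network, wildcard).

    Accepted forms: 'permit|deny any', 'permit|deny host A.B.C.D',
    'permit|deny A.B.C.D [wildcard]'. Omitting the wildcard means
    0.0.0.0 (a single host), exactly as IOS interprets it.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    action = parts[0]
    if parts[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if parts[1] == "host":
        return action, parts[2], "0.0.0.0"
    wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"
    return action, parts[1], wildcard


def evaluate_standard_acl(acl_lines, src: str) -> str:
    """Return 'permit' or 'deny' for a packet whose source address is src."""
    for line in acl_lines:
        action, network, wildcard = parse_standard_ace(line)
        if wildcard_match(src, network, wildcard):
            return action          # first match wins
    return "deny"                  # implicit deny at the end of every ACL


# Constructed ACLs for the exam scenario (list names are illustrative).
BLOCK_LAN2 = ["deny 192.168.2.0 0.0.0.255", "permit any"]    # correct order
PERMIT_FIRST = ["permit any", "deny 192.168.2.0 0.0.0.255"]  # wrong order
AS_TYPED = ["deny 192.168.2.0", "permit any"]                 # exam text, no wildcard


def compare_orderings(src: str) -> dict:
    """Show how each variant treats one source address."""
    return {
        "block_lan2": evaluate_standard_acl(BLOCK_LAN2, src),
        "permit_first": evaluate_standard_acl(PERMIT_FIRST, src),
        "as_typed": evaluate_standard_acl(AS_TYPED, src),
    }


if __name__ == "__main__":
    for host in ("192.168.2.10", "192.168.2.0", "192.168.3.10"):
        print(host, compare_orderings(host))
```

Running it shows the three failure modes side by side: with the entries reversed every source is permitted, and with the wildcard mask omitted only the single address 192.168.2.0 is denied while the rest of the LAN passes.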

44. A company implements a security policy that ensures that a file
sent from the headquarters office to the branch office can only be
opened with a predetermined code. This code is changed every day.
Which two algorithms can be used to achieve this task? (Choose two.)
SHA-1

AES*

3DES*

HMAC

MD5

Explanation: Ensuring that only authorized personnel can open a file is data confidentiality,
which is implemented with encryption. AES and 3DES are symmetric encryption algorithms,
so the daily code acts as the shared key. HMAC provides origin authentication and integrity,
not confidentiality. MD5 and SHA-1 are hash algorithms used to check data integrity (both
are now considered weak against collision attacks); none of the three hides the file contents.

45. What is the result of using security devices that include HTTPS
decryption and inspection services?
The devices require continuous monitoring and fine tuning.

The devices introduce processing delays and privacy issues.*

The devices must have preconfigured usernames and passwords for all users.

Monthly service contracts with reputable web filtering sites can be costly.

Explanation: HTTPS wraps HTTP in TLS (originally SSL), which adds encryption overhead to
every exchange. Some security devices can decrypt and inspect HTTPS traffic, typically by
terminating the TLS session with a certificate that the clients have been configured to trust,
but doing so consumes processing resources and raises privacy concerns, because the device
sees the plaintext of every user session it inspects.

46. Which three are major categories of elements in a security
operations center? (Choose three.)
database engine

technologies*

data center

people*

Internet connection

processes*

Explanation: The three major categories of elements of a security operations center are
people, processes, and technologies. A database engine, a data center, and an Internet
connection are components in the technologies category.

47. What are two advantages of using the community VERIS
database? (Choose two.)
Data is in a format that allows for manipulation.*

The data sets are compact for easy download.

The data is open and free to the public.*

The access fee is minimal.

The database is sponsored and backed by governments.

Explanation: The VERIS community database (VCDB) is open and free to the public. The
VCDB uses metrics to describe incidents in a structured and repeatable way, thus allowing for
data manipulation.

48. Which device in a layered defense-in-depth approach denies
connections initiated from untrusted networks to internal networks,
but allows internal users within an organization to connect to
untrusted networks?
firewall*

IPS

internal router

access layer switch

Explanation: A firewall is typically a second line of defense in a layered defense-in-depth
approach to network security. The firewall usually sits behind an edge router that connects
to the service provider. A stateful firewall tracks connections initiated inside the company
going out to untrusted networks and allows the matching return traffic, while denying
connections initiated from external untrusted networks toward internal trusted networks.

49. Based on the command output shown, which file permission or
permissions have been assigned to the other user group for the
data.txt file?

ls -l data.txt
-rwxrw-r-- sales staff 1028 May 28 15:50 data.txt

read, write

read, write, execute

read*

full access

Explanation: The file permissions are always displayed in the user, group and other order. In
the example displayed, the file has the following permissions:
The leading dash (-) means that this is a regular file. For directories, the first character would
be a "d".
The first set of characters is for user permissions (rwx). The user, sales, who owns the file can
read, write and execute the file.
The second set of characters is for group permissions (rw-). Members of the group, staff, that
owns the file can read and write to the file.
The third set of characters is for other permissions (r--). Any other user on the computer can
only read the file.
(A real ls -l line also shows the hard link count between the permission string and the owner
name; the exam output omits it.)
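
The decoding the explanation walks through by hand, as an added example written for this page (not code from the exam): it turns the ls -l permission string into per-class rights and the octal mode that chmod accepts, and uses the standard library's stat.filemode to go the other way. It goes beyond the question by handling the setuid, setgid and sticky bits, which show up as s/S and t/T in the execute positions.

```python
# Added example (not from the exam page): decode the permission string that
# ls -l prints into per-class rights and the octal mode chmod accepts, and
# rebuild the string from a mode with the standard library's stat.filemode.
import stat

_TYPES = {"-": "file", "d": "directory", "l": "symlink", "c": "char device",
          "b": "block device", "p": "fifo", "s": "socket"}
_CLASSES = ("user", "group", "other")


def decode_mode_string(perm: str) -> dict:
    """'-rwxrw-r--' -> {'type': 'file', 'user': [...], ..., 'octal': '764'}"""
    if len(perm) != 10:
        raise ValueError("expected 10 characters, e.g. -rwxrw-r--")
    result = {"type": _TYPES.get(perm[0], "unknown")}
    mode = 0
    for idx, cls in enumerate(_CLASSES):
        r, w, x = perm[1 + 3 * idx: 4 + 3 * idx]
        rights, bits = [], 0
        if r == "r":
            rights.append("read")
            bits |= 4
        if w == "w":
            rights.append("write")
            bits |= 2
        if x in "xst":                # lower-case letter: the execute bit is set
            rights.append("execute")
            bits |= 1
        if x in "sS":                 # setuid (user slot) or setgid (group slot)
            if cls == "user":
                mode |= stat.S_ISUID
            elif cls == "group":
                mode |= stat.S_ISGID
            else:
                raise ValueError("s/S is not valid in the other slot")
        elif x in "tT":               # sticky bit, only valid in the other slot
            if cls != "other":
                raise ValueError("t/T is only valid in the other slot")
            mode |= stat.S_ISVTX
        elif x not in "-x":
            raise ValueError(f"bad execute character {x!r}")
        result[cls] = rights
        mode |= bits << (6 - 3 * idx)   # user bits form the highest octal digit
    result["octal"] = format(mode, "o")
    return result


def encode_mode_string(octal: str, is_dir: bool = False) -> str:
    """Inverse via the standard library: '764' -> '-rwxrw-r--'."""
    file_type = stat.S_IFDIR if is_dir else stat.S_IFREG
    return stat.filemode(file_type | int(octal, 8))


def other_rights(ls_line: str) -> list:
    """Answer the exam question directly from an ls -l output line."""
    return decode_mode_string(ls_line.split()[0])["other"]


if __name__ == "__main__":
    line = "-rwxrw-r-- sales staff 1028 May 28 15:50 data.txt"   # the exam's output
    print(decode_mode_string(line.split()[0]))
    print("other can:", other_rights(line))
```

A capital S or T means the special bit is set but the corresponding execute bit is not, which is why the octal digit for that class differs from the lower-case case; the decoder preserves that distinction.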

50. What is indicated by a true negative security alert classification?

Normal traffic is correctly ignored and erroneous alerts are not being issued.*

An alert is verified to be an actual security incident.

Exploits are not being detected by the security systems that are in place.

An alert is incorrectly issued and does not indicate an actual security incident.

Explanation: True negative classifications are desirable because they indicate that normal
traffic is correctly not being identified as malicious traffic by security measures.

51. Which metric class in the CVSS Basic Metric Group identifies the
impacts on confidentiality, integrity, and availability?
Exploitability
Modified Base

Impact*

Exploit Code Maturity

Explanation: The Base Metric Group of CVSS represents the characteristics of a
vulnerability that are constant over time and across user environments. It contains two
classes of metrics:

- Exploitability metrics – features of the exploit such as the attack vector, attack
complexity, privileges required, and user interaction required by the exploit
- Impact metrics – the impacts of the exploit rooted in the CIA triad of confidentiality,
integrity, and availability

In CVSS v3 the Base group also carries a separate Scope metric, which records whether the
exploited vulnerability affects resources beyond its own security authority. Modified Base
metrics belong to the Environmental group and Exploit Code Maturity to the Temporal group.

52. What are two evasion techniques that are used by hackers?
(Choose two.)
pivot*

reconnaissance

rootkit*

Trojan horse

phishing

Explanation: The following methods are used by hackers to avoid detection:
Encryption and tunneling – hide or scramble the malware content so that content inspection
sees nothing recognizable
Resource exhaustion – keeps the host or the security device too busy to detect the intrusion
Traffic fragmentation – splits the malware across multiple packets so that no single packet
matches a signature
Protocol-level misinterpretation – exploits differences between how the firewall or IDS and
the end host interpret a protocol so that the traffic is passed
Pivot – uses a compromised network device to attempt access to another device
Rootkit – allows the hacker to remain undetected and hides software installed by the hacker

53. Which technology might increase the security challenge to the
implementation of IoT in an enterprise environment?
CPU processing speed

data storage

cloud computing*

network bandwidth

Explanation: With cloud computing, the boundaries of enterprise networks are expanded to
include locations on the Internet for which the enterprise is not responsible. IoT devices that
communicate with those cloud services extend the attack surface beyond the perimeter the
enterprise controls, and malicious software reaching them can use those endpoints to attack
internal networks.

54. Which type of security threat would be responsible if a
spreadsheet add-on disables the local software firewall?
brute-force attack

Trojan horse*

buffer overflow

DoS

Explanation: A Trojan horse is software that does something harmful while hidden inside
apparently legitimate software, such as an add-on that silently disables the host firewall. A
denial of service (DoS) attack results in interruption of network services to users, network
devices, or applications. A brute-force attack tries many candidate passwords or keys until
one succeeds, commonly against a login on a network device. A buffer overflow occurs when
a program attempts to store more data in a memory location than it can hold.

55. Why is the Diffie-Hellman algorithm typically avoided for encrypting
data?
DH requires a shared key which is easily exchanged between sender and receiver.

Most data traffic is encrypted using asymmetrical algorithms.

DH runs too quickly to be implemented with a high level of security.

The large numbers used by DH make it too slow for bulk data transfers.*

Explanation: Diffie-Hellman (DH) is an asymmetric algorithm used for key agreement, not for
encrypting data. Its modular exponentiation on very large numbers is far too slow for
encrypting large amounts of data, but that same computation lets two parties agree on a
shared secret over an untrusted channel. The secret is then used to derive the keys for a
symmetric algorithm such as AES: the symmetric algorithm encrypts the bulk data, whereas
DH creates the keys it uses.
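
The division of labour just described, as an added example written for this page (not code from the exam or from any library): both parties run the exchange, check each other's public values, and derive a symmetric key from the agreed secret. To stay self-contained the script generates its own safe prime at a toy size (256 bits, far below the 2048-bit minimum used in practice; real systems use a standardized group such as RFC 3526 group 14, or ECDH). The KDF is a single-block HKDF-style extract/expand with HMAC-SHA256, a simplification of the real construction.

```python
# Added example (not from the exam page): Diffie-Hellman key agreement
# followed by symmetric key derivation. Group generation is included only so
# the script runs offline; 256 bits is a toy size chosen for speed.
import hashlib
import hmac
import random
import secrets

_SMALL_PRIMES = [p for p in range(3, 1000, 2)
                 if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    if n < 4:
        return True
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with both p and q prime (group parameters are public,
    so the non-cryptographic random module is fine here)."""
    while True:
        q = random.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


class DHGroup:
    def __init__(self, bits: int = 256):
        self.p = generate_safe_prime(bits)
        self.q = (self.p - 1) // 2
        self.g = 4            # a square mod p, hence of prime order exactly q

    def valid_public(self, y: int) -> bool:
        """Range check plus subgroup check: rejects 0, 1, p-1 and any value
        outside the order-q subgroup (small-subgroup confinement attacks)."""
        return 2 <= y <= self.p - 2 and pow(y, self.q, self.p) == 1


class DHParty:
    """One side of the exchange: keeps the private exponent, publishes g^a mod p."""

    def __init__(self, name: str, group: DHGroup):
        self.name, self.group = name, group
        self.private = secrets.randbelow(group.q - 1) + 1     # a in [1, q-1], secret
        self.public = pow(group.g, self.private, group.p)     # g^a mod p, sent in the clear

    def shared_secret(self, peer_public: int) -> int:
        if not self.group.valid_public(peer_public):
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, self.group.p)   # (g^b)^a mod p


def derive_key(shared: int, p: int, label: bytes) -> bytes:
    """Turn the DH shared secret into a 32-byte symmetric key (AES-256 sized).
    label binds the key to a purpose or period, e.g. b'file-key-day-1'."""
    secret_bytes = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    prk = hmac.new(b"\x00" * 32, secret_bytes, hashlib.sha256).digest()   # extract
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()        # expand


def agree(a: DHParty, b: DHParty, label: bytes = b"file-key") -> tuple:
    """Run the exchange from both sides and return (key_at_a, key_at_b)."""
    key_a = derive_key(a.shared_secret(b.public), a.group.p, label)
    key_b = derive_key(b.shared_secret(a.group.p and a.public), b.group.p, label)
    return key_a, key_b


if __name__ == "__main__":
    group = DHGroup(256)
    hq, branch = DHParty("HQ", group), DHParty("Branch", group)
    k1, k2 = agree(hq, branch, b"file-key-day-1")
    print("keys match:", k1 == k2, "key length:", len(k1))
```

Only the public values cross the wire; an eavesdropper who runs the same derivation on them without a matching private exponent gets a different key, and the subgroup check in valid_public is the step that real implementations most often skip and later regret. The exam's daily code change maps to a fresh exchange (or at minimum a fresh label) each day.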

56. Which two net commands are associated with network resource
sharing? (Choose two.)
net use*

net stop

net start

net share*

Explanation: The net command is a very important command. Some common net commands
include these:

- net accounts – sets password and logon requirements for users
- net session – lists or disconnects sessions between a computer and other computers
on the network
- net share – creates, removes, or manages shared resources
- net start – starts a network service or lists running network services
- net stop – stops a network service
- net use – connects, disconnects, and displays information about shared network
resources
- net view – shows a list of computers and network devices on the network

57. Which Linux command could be used to discover the process ID
(PID) for a specific process before using the kill command?
chkrootkit

grep

ls

ps*

Explanation: The ps command is used before the kill command to discover the PID of the
specific process (for example, ps -ef | grep <name>). Listing processes with ps never requires
root privileges; kill requires root privileges only when the target process is owned by another
user, since a user may signal their own processes.

58. Match the phase in the NIST incident response life cycle to the
action.
[Exhibit: CCNA Cyber OPS v1.1 Final Exam Answers p58]
Document incident handling. –> post-incident activities

Conduct CSIRT response training. –> preparation

Identify, analyze, and validate an incident. –> detection and analysis

Implement procedures to contain the threat. –> containment, eradication, and recovery

59. Match the alert classification with the description.

[Exhibit: CCNA Cyber OPS v1.1 Final Exam Answers p59]
malicious traffic is correctly identified as a threat –> true positive

normal traffic is incorrectly identified as a threat –> false positive

malicious traffic is not identified as a threat –> false negative

normal traffic is not identified as a threat –> true negative

60. Match the common network technology or protocol with the
description. (Not all options are used.)

[Exhibit: CCNA Cyber OPS v1.1 Final Exam Answers p60]
NTP –> uses a hierarchy of authoritative time sources to send time information between
devices on the network

DNS –> used by attackers to exfiltrate data in traffic disguised as normal client queries

Syslog –> uses UDP port 514 for logging event messages from network devices and
endpoints

ICMP –> used by attackers to identify hosts on a network and the structure of the network

61. Match the information security component with the description.

[Exhibit: CCNA Cyber OPS v1.1 Final Exam Answers p61]

Only authorized individuals, entities, or processes can access sensitive information. –>
confidentiality
Data is protected from unauthorized alteration. –> integrity
Authorized users must have uninterrupted access to important resources and data. –>
availability

62. Match the network profile element to the description. (Not all
options are used.)

[Exhibit: CCNA Cyber OPS v1.1 Final Exam Answers p62]

Important elements of a network profile include:

Total throughput – the amount of data passing from a given source to a given destination in
a given period of time

Session duration – the time between the establishment of a data flow and its termination

Ports used – a list of the TCP or UDP ports on which processes are listening and ready to
accept data

Critical asset address space – the IP addresses or the logical location of essential systems or
data
