Module 13-17 Finals Module Exam PDF


Uploaded by PlentifulChrysoprase3791

Technological Institute of the Philippines



Modules 13 – 17: Threats and Attacks Group

1. What is the significant characteristic of worm malware?
  - Worm malware disguises itself as legitimate software.
  - Once installed on a host system, a worm does not replicate itself.
  - A worm must be triggered by an event on the host system.
  - A worm can execute independently of the host system.

2. What are the three major components of a worm attack? (Choose three.)
  - a payload
  - a propagation mechanism
  - an infecting vulnerability
  - a probing mechanism
  - an enabling vulnerability
  - a penetration mechanism

3. A user is curious about how someone might know a computer has been infected with malware. What are two common malware behaviors? (Choose two.)
  - The computer emits a hissing sound every time the pencil sharpener is used.
  - The computer beeps once during the boot process.
  - The computer gets increasingly slower to respond.
  - No sound emits when an audio CD is played.
  - The computer freezes and requires reboots.

4. Which two types of attacks are examples of reconnaissance attacks? (Choose two.)
  - brute force
  - port scan
  - ping sweep
  - man-in-the-middle
  - SYN flood

5. An administrator discovers a vulnerability in the network. On analysis of the vulnerability the administrator decides the cost of managing the risk outweighs the cost of the risk itself. The risk is accepted, and no action is taken. What risk management strategy has been adopted?
  - risk transfer
  - risk acceptance
  - risk reduction
  - risk avoidance

6. Which protocol is exploited by cybercriminals who create malicious iFrames?
  - HTTP
  - DNS
  - ARP
  - DHCP

7. How can a DNS tunneling attack be mitigated?
  - by preventing devices from using gratuitous ARP
  - by using a filter that inspects DNS traffic
  - by securing all domain owner accounts
  - by using strong passwords and two-factor authentication

8. What is the function of a gratuitous ARP sent by a networked device when it boots up?
  - to request the netbios name of the connected system
  - to request the MAC address of the DNS server
  - to request the IP address of the connected network
  - to advise connected devices of its MAC address

9. What is the result of a passive ARP poisoning attack?
  - Data is modified in transit or malicious data is inserted in transit.
  - Network clients experience a denial of service.
  - Confidential information is stolen.
  - Multiple subdomains are created.

10. What are two methods used by cybercriminals to mask DNS attacks? (Choose two.)
  - reflection
  - shadowing
  - domain generation algorithms
  - fast flux
  - tunneling

11. Match the security tool with the description. (Not all options apply.)

12. Match the type of cyberattackers to the description. (Not all options are used.)

13. Match the threat actors with the descriptions. (Not all options are used.)

14. What scenario describes a vulnerability broker?
  - a teenager running existing scripts, tools, and exploits, to cause harm, but typically not for profit
  - a threat actor attempting to discover exploits and report them to vendors, sometimes for prizes or rewards
  - a threat actor publicly protesting against governments by posting articles and leaking sensitive information
  - a State-Sponsored threat actor who steals government secrets and sabotages networks of foreign governments

15. In what type of attack is a cybercriminal attempting to prevent legitimate users from accessing network services?
  - DoS
  - session hijacking
  - MITM
  - address spoofing

16. Which field in the IPv6 header points to optional network layer information that is carried in the IPv6 packet?
  - traffic class
  - version
  - flow label
  - next header

17. Which type of attack is carried out by threat actors against a network to determine which IP addresses, protocols, and ports are allowed by ACLs?
  - social engineering
  - denial of service
  - phishing
  - reconnaissance

18. What kind of ICMP message can be used by threat actors to create a man-in-the-middle attack?
  - ICMP echo request
  - ICMP unreachable
  - ICMP redirects
  - ICMP mask reply

19. What are two purposes of launching a reconnaissance attack on a network? (Choose two.)
  - to escalate access privileges
  - to prevent other users from accessing the system
  - to scan for accessibility
  - to gather information about the network and devices
  - to retrieve and modify data

20. Which type of network attack involves randomly opening many Telnet requests to a router and results in a valid network administrator not being able to access the device?
  - DNS poisoning
  - man-in-the-middle
  - SYN flooding
  - spoofing

21. What functionality is provided by Cisco SPAN in a switched network?
  - It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.
  - It prevents traffic on a LAN from being disrupted by a broadcast storm.
  - It protects the switched network from receiving BPDUs on ports that should not be receiving them.
  - It copies traffic that passes through a switch interface and sends the data directly to a syslog or SNMP server for analysis.
  - It inspects voice protocols to ensure that SIP, SCCP, H.323, and MGCP requests conform to voice standards.
  - It mitigates MAC address overflow attacks.

22. Which statement describes an operational characteristic of NetFlow?
  - NetFlow collects basic information about the packet flow, not the flow data itself.
  - NetFlow captures the entire contents of a packet.
  - NetFlow flow records can be viewed by the tcpdump tool.
  - NetFlow can provide services for user access control.

23. Match the network monitoring solution with a description. (Not all options are used.)

24. Which technology is a proprietary SIEM system?
  - StealthWatch
  - NetFlow collector
  - SNMP agent
  - Splunk

25. What are three functionalities provided by SOAR? (Choose three.)
  - It automates complex incident response procedures and investigations.
  - It provides 24×7 statistics on packets that flow through a Cisco router or multilayer switch.
  - It uses artificial intelligence to detect incidents and aid in incident analysis and response.
  - It presents the correlated and aggregated event data in real-time monitoring and long-term summaries.
  - It provides a complete audit trail of basic information about every IP flow forwarded on a device.
  - It provides case management tools that allow cybersecurity personnel to research and investigate incidents.

26. Which devices should be secured to mitigate against MAC address spoofing attacks?
  - Layer 7 devices
  - Layer 4 devices
  - Layer 3 devices
  - Layer 2 devices

27. A network administrator is checking the system logs and notices unusual connectivity tests to multiple well-known ports on a server. What kind of potential network attack could this indicate?
  - access
  - denial of service
  - information theft
  - reconnaissance

28. What is a vulnerability that allows criminals to inject scripts into web pages viewed by users?
  - Cross-site scripting
  - XML injection
  - buffer overflow
  - SQL injection

29. Which cyber attack involves a coordinated attack from a botnet of zombie computers?
  - ICMP redirect
  - MITM
  - DDoS
  - address spoofing

30. What technique is a security attack that depletes the pool of IP addresses available for legitimate hosts?
  - reconnaissance attack
  - DHCP starvation
  - DHCP spoofing
  - DHCP snooping

31. Which type of Trojan horse security breach uses the computer of the victim as the source device to launch other attacks?
  - proxy
  - FTP
  - DoS
  - data-sending

32. What are two examples of DoS attacks? (Choose two.)
  - buffer overflow
  - SQL injection
  - port scanning
  - phishing
  - ping of death

33. Why would a rootkit be used by a hacker?
  - to try to guess a password
  - to reverse engineer binary files
  - to gain access to a device without being detected
  - to do reconnaissance

34. What causes a buffer overflow?
  - sending too much information to two or more interfaces of the same device, thereby causing dropped packets
  - attempting to write more data to a memory location than that location can hold
  - sending repeated connections such as Telnet to a particular device, thus denying other data sources
  - downloading and installing too many software updates at one time
  - launching a security countermeasure to mitigate a Trojan horse

35. Which type of security threat would be responsible if a spreadsheet add-on disables the local software firewall?
  - DoS
  - Trojan horse
  - buffer overflow
  - brute-force attack

36. Which two types of hackers are typically classified as grey hat hackers? (Choose two.)
  - hacktivists
  - cyber criminals
  - vulnerability brokers
  - script kiddies
  - state-sponsored hackers

37. A white hat hacker is using a security tool called Skipfish to discover the vulnerabilities of a computer system. What type of tool is this?
  - debugger
  - fuzzer
  - vulnerability scanner
  - packet sniffer

38. Which two functions are provided by NetFlow? (Choose two.)
  - It uses artificial intelligence to detect incidents and aid in incident analysis and response.
  - It provides a complete audit trail of basic information about every IP flow forwarded on a device.
  - It provides 24×7 statistics on packets that flow through a Cisco router or multilayer switch.
  - It allows an administrator to capture real-time network traffic and analyze the entire contents of packets.
  - It presents correlated and aggregated event data in real-time monitoring and long-term summaries.

39. Which statement describes the function of the SPAN tool used in a Cisco switch?
  - It is a secure channel for a switch to send logging to a syslog server.
  - It provides interconnection between VLANs over multiple switches.
  - It supports the SNMP trap operation on a switch.
  - It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device.

40. What are two evasion methods used by hackers? (Choose two.)
  - scanning
  - access attack
  - resource exhaustion
  - phishing
  - encryption

41. Which attack involves threat actors positioning themselves between a source and destination with the intent of transparently monitoring, capturing, and controlling the communication?
  - man-in-the-middle attack
  - DoS attack
  - ICMP attack
  - SYN flood attack

42. What is the goal of a white hat hacker?
  - validating data
  - modifying data
  - stealing data
  - protecting data

43. Once a cyber threat has been verified, the US Cybersecurity Infrastructure and Security Agency (CISA) automatically shares the cybersecurity information with public and private organizations. What is this automated system called?
  - AIS
  - NCSA
  - ENISA
  - NCASM

44. A user receives a phone call from a person who claims to represent IT services and then asks that user for confirmation of username and password for auditing purposes. Which security threat does this phone call represent?
  - spam
  - anonymous keylogging
  - DDoS
  - social engineering

45. Which two characteristics describe a worm? (Choose two.)
  - is self-replicating
  - travels to new computers without any intervention or knowledge of the user
  - infects computers by attaching to software code
  - hides in a dormant state until needed by an attacker
  - executes when software is run on a computer

46. An attacker is redirecting traffic to a false default gateway in an attempt to intercept the data traffic of a switched network. What type of attack could achieve this?
  - MAC address snooping
  - DHCP snooping
  - MAC address starvation
  - DHCP spoofing

47. What would be the target of an SQL injection attack?
  - DHCP
  - DNS
  - email
  - database

48. The IT department is reporting that a company web server is receiving an abnormally high number of web page requests from different locations simultaneously. Which type of security attack is occurring?
  - social engineering
  - adware
  - DDoS
  - phishing
  - spyware

49. Why would an attacker want to spoof a MAC address?
  - so that the attacker can capture traffic from multiple VLANs rather than from just the VLAN that is assigned to the port to which the attacker device is attached
  - so that a switch on the LAN will start forwarding frames to the attacker instead of to the legitimate host
  - so that a switch on the LAN will start forwarding all frames toward the device that is under control of the attacker (that can then capture the LAN traffic)
  - so that the attacker can launch another type of attack in order to gain access to the switch

50. Match the security concept to the description.

51. Which two characteristics describe a virus? (Choose two.)
  - Malicious code that can remain dormant before executing an unwanted action.
  - Malware that executes arbitrary code and installs copies of itself in memory.
  - Malware that relies on the action of a user or a program to activate.
  - Program code specifically designed to corrupt memory in network devices.
  - A self-replicating attack that is independently launched.

52. Which type of security attack would attempt a buffer overflow?
  - ransomware
  - reconnaissance
  - DoS
  - scareware

Modules 18 – 20: Network Defense Group

1. Why is asset management a critical function of a growing organization against security threats?
  - It identifies the ever increasing attack surface to threats.
  - It allows for a build of a comprehensive AUP.
  - It serves to preserve an audit trail of all new purchases.
  - It prevents theft of older assets that are decommissioned.

2. In a defense-in-depth approach, which three options must be identified to effectively defend a network against attacks? (Choose three.)
  - total number of devices that attach to the wired and wireless network
  - assets that need protection
  - vulnerabilities in the system
  - location of attacker or attackers
  - past security breaches
  - threats to assets

3. What is the first line of defense when an organization is using a defense-in-depth approach to network security?
  - edge router
  - firewall
  - proxy server
  - IPS

4. What three goals does a BYOD security policy accomplish? (Choose three.)
  - identify all malware signatures and synchronize them across corporate databases
  - identify which employees can bring their own devices
  - identify safeguards to put in place if a device is compromised
  - identify and prevent all heuristic virus signatures
  - identify a list of websites that users are not permitted to access
  - describe the rights to access and activities permitted to security personnel on the device

5. Which two options are security best practices that help mitigate BYOD risks? (Choose two.)
  - Use paint that reflects wireless signals and glass that prevents the signals from going outside the building.
  - Keep the device OS and software updated.
  - Only allow devices that have been approved by the corporate IT team.
  - Only turn on Wi-Fi when using the wireless network.
  - Decrease the wireless antenna gain level.
  - Use wireless MAC address filtering.

6. What is the purpose of mobile device management (MDM) software?
  - It is used to create a security policy.
  - It is used to implement security policies, setting, and software configurations on mobile devices.
  - It is used to identify potential mobile device vulnerabilities.
  - It is used by threat actors to penetrate the system.

7. What does the incident handling procedures security policy describe?
  - It describes how security incidents are handled.
  - It describes the procedure for auditing the network after a cyberattack.
  - It describes the procedure for mitigating cyberattacks.
  - It describes how to prevent various cyberattacks.

8. Match the type of business policy to the description.

9. Match the threat intelligence sharing standards with the description.

10. What is the primary purpose of the Forum of Incident Response and Security Teams (FIRST)?
  - to enable a variety of computer security incident response teams to collaborate, cooperate, and coordinate information sharing, incident prevention, and rapid reaction strategies
  - to provide a security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities
  - to offer 24×7 cyberthreat warnings and advisories, vulnerability identification, and mitigation and incident response
  - to provide vendor neutral education products and career services to industry professionals worldwide

11. What is the primary purpose of the Malware Information Sharing Platform (MISP)?
  - to publish all informational materials on known and newly discovered cyberthreats
  - to enable automated sharing of IOCs between people and machines using the STIX and other export formats
  - to provide a set of standardized schemata for specifying and capturing events and properties of network operations
  - to exchange all the response mechanisms to known threats

12. Which statement describes Trusted Automated Exchange of Indicator Information (TAXII)?
  - It is a set of specifications for exchanging cyber threat information between organizations.
  - It is a signature-less engine utilizing stateful attack analysis to detect zero-day threats.
  - It is a dynamic database of real-time vulnerabilities.
  - It is the specification for an application layer protocol that allows the communication of CTI over HTTPS.

13. Which organization defines unique CVE Identifiers for publicly known information-security vulnerabilities that make it easier to share data?
  - Cisco Talos
  - DHS
  - FireEye
  - MITRE

14. How does FireEye detect and prevent zero-day attacks?
  - by establishing an authentication parameter prior to any data exchange
  - by addressing all stages of an attack lifecycle with a signature-less engine utilizing stateful attack analysis
  - by keeping a detailed analysis of all viruses and malware
  - by only accepting encrypted data packets that validate against their configured hash values

15. What is the primary function of the Center for Internet Security (CIS)?
  - to maintain a list of common vulnerabilities and exposures (CVE) used by security organizations
  - to provide a security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities
  - to offer 24×7 cyberthreat warnings and advisories, vulnerability identification, and mitigation and incident responses
  - to provide vendor-neutral education products and career services to industry professionals worldwide

16. What is CybOX?
  - It is a specification for an application layer protocol that allows the communication of CTI over HTTPS.
  - It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations.
  - It enables the real-time exchange of cyberthreat indicators between the U.S. Federal Government and the private sector.
  - It is a catalog of known security threats called Common Vulnerabilities and Exposures (CVE) for publicly known cybersecurity vulnerabilities.

17. A web server administrator is configuring access settings to require users to authenticate first before accessing certain web pages. Which requirement of information security is addressed through the configuration?
  - availability
  - integrity
  - scalability
  - confidentiality

18. When designing a prototype network for a new server farm, a network designer chooses to use redundant links to connect to the rest of the network. Which business goal will be addressed by this choice?
  - availability
  - manageability
  - security
  - scalability

19. When a security audit is performed at a company, the auditor reports that new users have access to network resources beyond their normal job roles. Additionally, users who move to different positions retain their prior permissions. What kind of violation is occurring?
  - least privilege
  - network policy
  - password
  - audit

20. Which component of the zero trust security model focuses on secure access when an API, a microservice, or a container is accessing a database within an application?
  - workflow
  - workforce
  - workload
  - workplace

21. What is the purpose of the network security accounting function?
  - to determine which resources a user can access
  - to provide challenge and response questions
  - to keep track of the actions of a user
  - to require users to prove who they are

22. Which term describes the ability of a web server to keep a log of the users who access the server, as well as the length of time they use it?
  - authentication
  - accounting
  - assigning permissions
  - authorization

23. Match the information security component with the description.

24. What are two characteristics of the RADIUS protocol? (Choose two.)
  - encryption of the entire body of the packet
  - encryption of the password only
  - the use of UDP ports for authentication and accounting
  - the separation of the authentication and authorization processes
  - the use of TCP port 49

25. Which AAA component can be established using token cards?
  - accounting
  - authorization
  - authentication
  - auditing

26. What is a characteristic of the security artichoke, defense-in-depth approach?
  - Threat actors can easily compromise all layers safeguarding the data or systems.
  - Threat actors no longer have to peel away each layer before reaching the target data or system.
  - Threat actors can no longer penetrate any layers safeguarding the data or system.
  - Each layer has to be penetrated before the threat actor can reach the target data or system.

27. What is a characteristic of a layered defense-in-depth security approach?
  - Three or more devices are used.
  - Routers are replaced with firewalls.
  - One safeguard failure does not affect the effectiveness of other safeguards.
  - When one device fails, another one takes over.

28. What is the benefit of a defense-in-depth approach?
  - All network vulnerabilities are mitigated.
  - The need for firewalls is eliminated.
  - Only a single layer of security at the network core is required.
  - The effectiveness of other security measures is not impacted when a security mechanism fails.

29. Match the term to the description.

30. What is the principle behind the nondiscretionary access control model?
  - It applies the strictest access control possible.
  - It allows access decisions to be based on roles and responsibilities of a user within the organization.
  - It allows users to control access to their data as owners of that data.
  - It allows access based on attributes of the object to be accessed.

31. Which type of access control applies the strictest access control and is commonly used in military or mission critical applications?
  - Non-discretionary access control
  - discretionary access control (DAC)
  - attribute-based access control (ABAC)
  - mandatory access control (MAC)

32. Passwords, passphrases, and PINs are examples of which security term?
  - identification
  - access
  - authentication
  - authorization

33. How does AIS address a newly discovered threat?
  - by creating response strategies against the new threat
  - by advising the U.S. Federal Government to publish internal response strategies
  - by enabling real-time exchange of cyberthreat indicators with U.S. Federal Government and the private sector
  - by mitigating the attack with active response defense mechanisms

Modules 21 – 23: Cryptography and Endpoint Protection Group

1. Which type of attack does the use of HMACs protect against?
  - brute force
  - DDoS
  - DoS
  - man-in-the-middle

2. Which objective of secure communications is achieved by encrypting data?
  - confidentiality
  - integrity
  - availability
  - authentication

3. Which two statements correctly describe certificate classes used in the PKI? (Choose two.)
  - A class 4 certificate is for online business transactions between companies.
  - A class 0 certificate is more trusted than a class 1 certificate.
  - A class 0 certificate is for testing purposes.
  - The lower the class number, the more trusted the certificate.
  - A class 5 certificate is for users with a focus on verification of email.

4. A customer purchases an item from an e-commerce site. The e-commerce site must maintain proof that the data exchange took place between the site and the customer. Which feature of digital signatures is required?
  - nonrepudiation of the transaction
  - integrity of digitally signed data
  - authenticity of digitally signed data
  - confidentiality of the public key

5. What is the purpose of a digital certificate?
  - It provides proof that data has a traditional signature attached.
  - It guarantees that a website has not been hacked.
  - It ensures that the person who is gaining access to a network device is authorized.
  - It authenticates a website and establishes a secure connection to exchange confidential data.

6. In a hierarchical CA topology, where can a subordinate CA obtain a certificate for itself?
  - from the root CA or another subordinate CA at a higher level
  - from the root CA or another subordinate CA at the same level
  - from the root CA or from self-generation
  - from the root CA only
  - from the root CA or another subordinate CA anywhere in the tree

7. What is the purpose for using digital signatures for code signing?
  - to establish an encrypted connection to exchange confidential data with a vendor website
  - to verify the integrity of executable files downloaded from a vendor website
  - to authenticate the identity of the system with a vendor website
  - to generate a virtual ID

8. What technology has a function of using trusted third-party protocols to issue credentials that are accepted as an authoritative identity?
  - digital signatures
  - hashing algorithms
  - PKI certificates
  - symmetric keys

9. In addressing a risk that has low potential impact and relatively high cost of mitigation or reduction, which strategy will accept the risk and its consequences?
  - risk avoidance
  - risk reduction
  - risk retention
  - risk sharing

10. Which two classes of metrics are included in the CVSS Base Metric Group? (Choose two.)
  - Confidentiality Requirement
  - Modified Base
  - Exploit Code Maturity
  - Exploitability
  - Impact metrics

11. Match the NIST Cybersecurity Framework core function with the description. (Not all options are used.)

12. A cybersecurity analyst is performing a CVSS assessment on an attack where a web link was sent to several employees. Once clicked, an internal attack was launched. Which CVSS Base Metric Group Exploitability metric is used to document that the user had to click on the link in order for the attack to occur?
  - scope
  - integrity requirement
  - availability requirement
  - user interaction

13. In network security assessments, which type of test employs software to scan internal networks and Internet facing servers for various types of vulnerabilities?
  - vulnerability assessment
  - risk analysis
  - strength of network security testing
  - penetration testing

14. What are the three outcomes of the NIST Cybersecurity Framework identify core function? (Choose three.)
  - information protection process and procedures
  - governance
  - mitigation
  - risk assessment
  - asset management
  - recovery planning

15. When a server profile for an organization is being established, which element describes the TCP and UDP daemons and ports that are allowed to be open on the server?
  - critical asset address space
  - service accounts
  - software environment
  - listening ports

16. What is an action that should be taken in the discovery step of the vulnerability management life cycle?
  - documenting the security plan
  - assigning business value to assets
  - developing a network baseline
  - determining a risk profile

17. In what order are the steps in the vulnerability management life cycle conducted?
  - discover, assess, prioritize assets, report, remediate, verify
  - discover, prioritize assets, assess, remediate, report, verify
  - discover, prioritize assets, assess, remediate, verify, report
  - discover, prioritize assets, assess, report, remediate, verify

18. What does the telemetry function provide in host-based security software?
  - It updates the heuristic antivirus signature database.
  - It blocks the passage of zero-day attacks.
  - It enables updates of malware signatures.
  - It enables host-based security programs to have comprehensive logging functions.

19. A security professional is making recommendations to a company for enhancing endpoint security. Which security endpoint technology would be recommended as an agent-based system to protect hosts against malware?
  - IPS
  - HIDS
  - blacklisting
  - baselining

20. What is a feature of distributed firewalls?
  - They all use an open sharing standard platform.
  - They use only TCP wrappers to configure rule-based access control and logging systems.
  - They use only iptables to configure network rules.
  - They combine the feature of host-based firewalls with centralized management.

21. An administrator suspects polymorphic malware has successfully entered the network past the HIDS system perimeter. The polymorphic malware is, however, successfully identified and isolated. What must the administrator do to create signatures to prevent the file from entering the network again?
  - Execute the polymorphic file in the Cisco Threat Grid Glovebox.
  - Run the Cisco Talos security intelligence service.
  - Use Cisco AMP to track the trajectory of a file through the network.
  - Run a baseline to establish an accepted amount of risk, and the environmental components that contribute to the risk level of the polymorphic malware.

22. On a Windows host, which tool can be used to create and maintain blacklists and whitelists?
  - Local Users and Groups
  - Group Policy Editor
  - Task Manager
  - Computer Management

23. What is blacklisting?
  - This is an application list that can dictate which user applications are not permitted to run on a computer.
  - This is a user list to prevent blacklisted users from accessing a computer.
  - This is a network process list to stop a listed process from running on a computer.
  - This is a Heuristics-based list to prevent a process from running on a computer.

24. Which technology is used by Cisco Advanced Malware Protection (AMP) in defending and protecting against known and emerging threats?
  - network admission control
  - network profiling
  - website filtering and blacklisting
  - threat intelligence

25. Which technique could be used by security personnel to analyze a suspicious file in a safe environment?
  - sandboxing
  - baselining
  - whitelisting
  - blacklisting

26. Which statement describes the term iptables?
  - It is a file used by a DHCP server to store current active IP addresses.
  - It is a rule-based firewall application in Linux.
  - It is a DHCP application in Windows.
  - It is a DNS daemon in Linux.

27. What is the difference between an HIDS and a firewall?
  - An HIDS blocks intrusions, whereas a firewall filters them.
  - A firewall allows and denies traffic based on rules and an HIDS monitors network traffic.
  - An HIDS works like an IPS, whereas a firewall just monitors traffic.
  - An HIDS monitors operating systems on host computers and processes file system activity. Firewalls allow or deny traffic between the computer and other systems.
  - A firewall performs packet filtering and therefore is limited in effectiveness, whereas an HIDS blocks intrusions.

28. Which statement describes the Cisco Threat Grid Glovebox?
  - It is a network-based IDS/IPS.
  - It is a host-based intrusion detection system (HIDS) solution to fight against malware.
  - It is a sandbox product for analyzing malware behaviors.
  - It is a firewall appliance.

29. Which statement describes the policy-based intrusion detection approach?
  - It compares the signatures of incoming traffic to a known intrusion database.
  - It compares the operations of a host against well-defined security rules.
  - It compares the antimalware definitions to a central repository for the latest updates.
  - It compares the behaviors of a host to an established baseline to identify potential intrusion.

30. What is the purpose of the DH algorithm?
  - to provide nonrepudiation support
  - to generate a shared secret between two hosts that have not communicated before
  - to encrypt data traffic after a VPN is established
  - to support email data confidentiality

31. What is a difference between symmetric and asymmetric encryption algorithms?
  - Symmetric encryption algorithms are used to authenticate secure communications. Asymmetric encryption algorithms are used to repudiate messages.
  - Symmetric encryption algorithms are used to encrypt data. Asymmetric encryption algorithms are used to decrypt data.
  - Symmetric encryption algorithms use pre-shared keys. Asymmetric encryption algorithms use different keys to encrypt and decrypt data.
  - Symmetric algorithms are typically hundreds to thousands of times slower than asymmetric algorithms.

32. A company implements a security policy that ensures that a file sent from the headquarters office to the branch office can only be opened with a predetermined code. This code is changed every day. Which two algorithms can be used to achieve this task? (Choose two.)
  - HMAC
  - MD5
  - 3DES
  - SHA-1
  - AES

33. Which security management plan specifies a component that involves tracking the location and configuration of networked devices and software across an enterprise?
  - asset management
  - patch management
  - vulnerability management
  - risk management

34. In addressing an identified risk, which strategy aims to stop performing the activities that create risk?
  - risk retention
  - risk avoidance
  - risk sharing
  - risk reduction

35. A company is developing a security policy for secure communication. In the exchange of critical messages between a headquarters office and a branch office, a hash value should only be recalculated with a predetermined code, thus ensuring the validity of data source. Which aspect of secure communications is addressed?
  - data integrity
  - data confidentiality
  - non-repudiation
  - origin authentication

36. Match the network profile element to the description. (Not all options are used.)

37. Which three security services are provided by digital signatures? (Choose three.)
  - provides nonrepudiation using HMAC functions
  - guarantees data has not changed in transit
  - provides data encryption
  - authenticates the source
  - provides confidentiality of digitally signed data
  - authenticates the destination

Modules 24 – 25: Protocols and Log Files Group

1. Which ICMP message type should be stopped inbound?
  - source quench
  - echo-reply
  - echo
  - unreachable

2. How can IMAP be a security threat to a company?
  - Someone inadvertently clicks on a hidden iFrame.
  - Encrypted data is decrypted.
  - An email can be used to bring malware to a host.
  - It can be used to encode stolen data and send it to a threat actor.

3. Which two technologies are primarily used on peer-to-peer networks? (Choose two.)
  - Bitcoin
  - BitTorrent
  - Wireshark
  - Darknet
  - Snort

4. Which protocol is exploited by cybercriminals who create malicious iFrames?
  - HTTP
  - ARP
  - DHCP
  - DNS

5. Which method is used by some malware to transfer files from infected hosts to a threat actor host?
  - UDP infiltration
  - ICMP tunneling
  - HTTPS traffic encryption
  - iFrame injection

6. Why does HTTPS technology add complexity to network security monitoring?
  - HTTPS dynamically changes the port number on the web server.
  - HTTPS uses tunneling technology for confidentiality.
  - HTTPS hides the true source IP address using NAT/PAT.
  - HTTPS conceals data traffic through end-to-end encryption.

7. Which approach is intended to prevent exploits that target syslog?
  - Use a Linux-based server.
  - Use syslog-ng.
  - Create an ACL that permits only TCP traffic to the syslog server.
  - Use a VPN between a syslog client and the syslog server.

8. Which type of attack is carried out by threat actors against a network to determine which IP addresses, protocols, and ports are allowed by ACLs?
  - phishing
  - denial of service
  - reconnaissance
  - social engineering

9. Which two application layer protocols manage the exchange of messages between a client with a web browser and a remote web server? (Choose two.)
  - HTTP
  - HTTPS
  - DNS
  - DHCP
  - HTML

10. What is Tor?
  - a rule created in order to match a signature of a known exploit
  - a software platform and network of P2P hosts that function as Internet routers
  - a way to share processors between network devices across the Internet
  - a type of Instant Messaging (IM) software used on the darknet

11. Which protocol is a name resolution protocol often used by malware to communicate with command-and-control (CnC) servers?
  - IMAP
  - DNS
  - HTTPS
  - ICMP

12. Which technique is necessary to ensure a private transfer of data using a VPN?
  - authorization
  - scalability
  - encryption
  - virtualization

13. Which technology would be used to create the server logs generated by network devices and reviewed by an entry level network person who works the night shift at a data center?
  - syslog
  - NAT
  - ACL
  - VPN

14. Which function is provided by the Sguil application?
  - It reports conversations between hosts on the network.
  - It makes Snort-generated alerts readable and searchable.
  - It detects potential network intrusions.
  - It prevents malware from attacking a host.

15. Which statement describes a Cisco Web Security Appliance (WSA)?
  - It protects a web server by preventing security threats from accessing the server.
  - It provides high performance web services.
  - It acts as an SSL-based VPN server for an enterprise.
  - It functions as a web proxy.

16.

17. Which two options are network security monitoring approaches that use advanced analytic techniques to analyze network telemetry data? (Choose two.)
  - NBAD
  - Sguil
  - NetFlow
  - IPFIX
  - Snorby
  - NBA

18. How does a web proxy device provide data loss prevention (DLP) for an enterprise?
  - by functioning as a firewall
  - by inspecting incoming traffic for potential exploits
  - by scanning and logging outgoing traffic
  - by checking the reputation of external web servers

19. Which information can be provided by the Cisco NetFlow utility?
  - security and user account restrictions
  - IDS and IPS capabilities
  - peak usage times and traffic routing
  - source and destination UDP port mapping

20. Which statement describes statistical data in network security monitoring processes?
  - It is created through an analysis of other forms of network data.
  - It contains conversations between network hosts.
  - It shows the results of network activities between network hosts.
Which statement describes session data in security It lists each alert message along with statistical logs? information. It can be used to describe or predict network behavior. It shows the result of network sessions. It is a record of a conversation between network hosts. It reports detailed network activities between network hosts. 21. Match the SIEM function with the description. 24. Match the Windows host log to the messages contained in it. (Not all options are used.) 22. Which two tools have a GUI interface and can be used to view and analyze full packet captures? (Choose two.) nfdump Wireshark Cisco Prime Network Analysis Module 25. Which Cisco appliance can be used to filter network tcpdump traffic contents to report and deny traffic based on the Splunk web server reputation? WSA 23. Which Windows log contains information about AVC installations of software, including Windows updates? ASA system logs ESA application logs setup logs 26. Which technique would a threat actor use to disguise security logs traces of an ongoing exploit? Create an invisible iFrame on a web page. Corrupt time information by attacking the NTP infrastructure. Encapsulate other protocols within DNS to evade security measures. Use SSL to encapsulate malware. 27. A system administrator runs a file scan utility on a Windows PC and notices a file lsass.exe in the Program Files directory. What should the administrator do? Delete the file because it is probably malware. Move it to Program Files (x86) because it is a 32bit application. Uninstall the lsass application because it is a Modules 26 – 28: Analyzing Security Data Group legacy application and no longer required by Windows. 1. Match the intrusion event defined in the Diamond Open the Task Manager, right-click on the lsass Model of intrusion to the description. process and choose End Task. 28. Refer to the exhibit. A network administrator is viewing some output on the Netflow collector. 
What can be determined from the output of the traffic flow shown? This is a UDP DNS request to a DNS server. This is a UDP DNS response to a client machine. This is a TCP DNS request to a DNS server. This is a TCP DNS response to a client machine. 29 In a Cisco AVC system, in which module is NetFlow deployed? Management and Reporting Control network path used to establish and maintain Application Recognition command and control : infrastructure Metrics Collection a tool or technique used to attack the victim : capability 30. What does it indicate if the timestamp in the HEADER the parties responsible for the intrusion : section of a syslog message is preceded by a period or adversary asterisk symbol? the target of the attack : victim There is a problem associated with NTP. The timestamp represents the round trip duration 2. What two shared sources of information are included value. within the MITRE ATT&CK framework? (Choose two.) The syslog message should be treated with high collection of digital evidence from most volatile priority. evidence to least volatile The syslog message indicates the time an email attacker tactics, techniques, and procedures is received. details about the handling of evidence including times, places, and personnel involved eyewitness evidence from someone who directly observed criminal behavior mapping the steps in an attack to a matrix of generalized tactics 3. What information is gathered by the CSIRT when 8. When dealing with security threats and using the Cyber determining the scope of a security incident? Kill Chain model, which two approaches can an the networks, systems, and applications organization use to block a potential backdoor creation? affected by an incident (Choose two.) the amount of time and resources needed to Audit endpoints to discover abnormal file handle an incident creations. the strategies and procedures used for incident Establish an incident response playbook. 
containment Consolidate the number of Internet points of the processes used to preserve evidence presence. Conduct damage assessment. 4. According to NIST standards, which incident response Use HIPS to alert or place a block on common stakeholder is responsible for coordinating an incident installation paths. response with other stakeholders to minimize the damage of an incident? 9. What is defined in the SOP of a computer security human resources incident response capability (CSIRC)? legal department the details on how an incident is handled management the procedures that are followed during an IT support incident response the metrics for measuring incident response 5. According to NIST, which step in the digital forensics capabilities process involves drawing conclusions from data? the roadmap for increasing incident response reporting capabilities collection examination 10. How does an application program interact with the analysis operating system? sending files 6. A cybersecurity analyst has been called to a crime accessing BIOS or UEFI scene that contains several technology items including a making API calls computer. Which technique will be used so that the using processes information found on the computer can be used in court? Tor 11. Which tool included in the Security Onion provides a rootkit visual interface to NSM data? unaltered disk image Curator log collection Beats Squert 7. In which phase of the NIST incident response life cycle OSSEC is evidence gathered that can assist subsequent investigations by authorities? 12. Which tool included in the Security Onion includes the postincident activities capability of designing custom dashboards? detection and analysis Sguil preparation Kibana containment, eradication, and recovery Squert OSSEC 13. How is the hash value of files useful in network 19. Refer to the exhibit. A security analyst is reviewing an security investigations? alert message generated by Snort. What does the It is used to decode files. 
number 2100498 in the message indicate? It helps identify malware signatures. It verifies confidentiality of files. It is used as a key for encryption. the id of the user that triggers the alert the message length in bits 14. Which technology is a major standard consisting of a the Snort rule that is triggered pattern of symbols that describe data to be matched in a the session number of the message query? OSSEC 20. What are security event logs commonly based on POSIX when sourced by traditional firewalls? Squert static filtering Sguil application analysis signatures 15. Which tool is a Security Onion integrated host-based 5-tuples intrusion detection system? Snort 21. A threat actor has successfully breached the network OSSEC firewall without being detected by the IDS system. What ELK condition describes the lack of alert? Sguil false negative true negative 16. Which term is used to describe the process of true positive converting log entries into a common format? false positive classification systemization 22. What information is contained in the options section normalization of a Snort rule? standardization direction of traffic flow text describing the event 17. What is the purpose for data normalization? action to be taken to simplify searching for correlated events source and destination address to reduce the amount of alert data to enhance the secure transmission of alert data 23. A network administrator is trying to download a valid to make the alert data transmission fast file from an internal server. However, the process triggers an alert on a NMS tool. What condition describes this 18. Which personnel in a SOC is assigned the task of alert? verifying whether an alert triggered by monitoring false negative software represents a true security incident? false positive SOC Manager true negative Tier 3 personnel true positive Tier 2 personnel Tier 1 personnel 24. What is indicated by a Snort signature ID that is 28. 
Which type of events should be assigned to below 3464? categories in Sguil? The SID was created by Sourcefire and false positive distributed under a GPL agreement. true positive This is a custom signature developed by the false negative organization to address locally observed rules. true negative The SID was created by the Snort community and is maintained in Community Rules. 29. A cybersecurity analyst is going to verify security The SID was created by members of alerts using the Security Onion. Which tool should the EmergingThreats. analyst visit first? Bro 25. After a security monitoring tool identifies a malware Sguil attachment entering the network, what is the benefit of CapME performing a retrospective analysis? ELK A retrospective analysis can help in tracking the behavior of the malware from the 30. Refer to the exhibit. Which field in the Sguil identification point forward. application window indicates the priority of an event or set It can identify how the malware originally entered of correlated events? the network. It can calculate the probability of a future incident. It can determine which network host was first affected. 26. A threat actor collects information from web servers of an organization and searches for employee contact ST information. The information collected is further used to AlertID search personal information on the Internet. To which Pr attack phase do these activities belong according to the CNT Cyber Kill Chain model? action on objectives exploitation reconnaissance weaponization 27. Which HIDS is integrated into the Security Onion and uses rules to detect changes in host-based operating parameters caused by malware through system calls? OSSEC Bro Snort Suricata 31. Match the Snort rule source to the description. 35. Which meta-feature element in the Diamond Model describes information gained by the adversary? methodology resources results direction 36. 
In which step of the NIST incident response process does the CSIRT perform an analysis to determine which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring? incident notification attacker identification scoping detection 37. Which classification indicates that an alert is verified 32. What is the purpose for data reduction as it relates to as an actual security incident? NSM? false negative to make the alert data transmission fast true positive to remove recurring data streams false positive to enhance the secure transmission of alert data true negative to diminish the quantity of NSM data to be handled 33. Why would threat actors prefer to use a zero-day attack in the Cyber Kill Chain weaponization phase? to avoid detection by the target to launch a DoS attack toward the target to get a free malware package to gain faster delivery of the attack on the target 34. What is the objective the threat actor in establishing a two-way communication channel between the target system and a CnC infrastructure? to allow the threat actor to issue commands to the software that is installed on the target to send user data stored on the target to the threat actor to steal network bandwidth from the network where the target is located to launch a buffer overflow attack
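Worked example for questions 30, 32, 35 and 37 of the cryptography group above: two hosts that have never communicated derive a shared secret with Diffie-Hellman, turn it into an HMAC key, and the branch office can then only recalculate the hash of a message with that "predetermined code", which is what gives origin authentication on top of integrity. A plain SHA-1 digest does not, and the last function shows why. This code is added here for illustration; it is not from the exam or the Cisco course. The 127-bit Mersenne prime with generator 3, the KDF label and the sample messages are assumptions for the demo, and the group is deliberately a toy.

```python
"""Added example (not from the exam): Diffie-Hellman, then HMAC over the
negotiated key. Toy 127-bit group for readability; real deployments use
RFC 3526 / RFC 7919 MODP groups of 2048 bits or more, or ECDH."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy prime modulus (assumption: demo only, far too weak for real use)
G = 3                # generator (assumption: 2 would have order 127 in this group)


def dh_public(private: int) -> int:
    """Public value g^x mod p. The private exponent x never leaves the host."""
    return pow(G, private, P)


def dh_shared_secret(own_private: int, peer_public: int) -> bytes:
    """Both hosts compute the same peer_public^own_private mod p without
    having communicated before. Reject the degenerate peer values 0, 1 and
    p-1, which would force a predictable secret."""
    if not 2 <= peer_public <= P - 2:
        raise ValueError("invalid DH public value from peer")
    shared = pow(peer_public, own_private, P)
    return shared.to_bytes((P.bit_length() + 7) // 8, "big")


def derive_hmac_key(shared: bytes) -> bytes:
    """Never use raw DH output as a key; pass it through a KDF (labelled SHA-256 here)."""
    return hashlib.sha256(b"hq-branch-hmac|" + shared).digest()


def new_private() -> int:
    """Fresh random exponent in [2, p-2]."""
    return secrets.randbelow(P - 3) + 2


def establish_keys(hq_private: int, branch_private: int) -> tuple:
    """Run the exchange; each side sees only the other side's public value."""
    hq_public, branch_public = dh_public(hq_private), dh_public(branch_private)
    hq_key = derive_hmac_key(dh_shared_secret(hq_private, branch_public))
    branch_key = derive_hmac_key(dh_shared_secret(branch_private, hq_public))
    return hq_key, branch_key


def mac(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of `key` can produce or recalculate it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, received_tag: str) -> bool:
    # Constant-time comparison so a forger cannot learn the tag byte by byte.
    return hmac.compare_digest(mac(key, message), received_tag)


def mitm_trial(message: bytes, tampered: bytes, key: bytes) -> dict:
    """Same tampering against both protections. The attacker knows the
    message and the algorithms but not `key`."""
    # 1. Unkeyed SHA-1: the attacker recomputes the digest over the edited
    #    text and the receiver's check passes (integrity, no authentication).
    received_msg, received_digest = tampered, hashlib.sha1(tampered).hexdigest()
    plain_accepted = hashlib.sha1(received_msg).hexdigest() == received_digest
    # 2. HMAC: the attacker can only forward the tag computed over the
    #    original message, which no longer matches the edited text.
    original_tag = mac(key, message)
    hmac_accepted = verify(key, tampered, original_tag)
    return {"plain_hash_accepts_forgery": plain_accepted,
            "hmac_accepts_forgery": hmac_accepted}


if __name__ == "__main__":
    hq_key, branch_key = establish_keys(new_private(), new_private())
    msg = b"Transfer 10,000 to account 42"          # constructed sample message
    print("keys agree:", hq_key == branch_key)
    print(mitm_trial(msg, msg.replace(b"10,000", b"90,000"), hq_key))
```

Note that the answer to question 37 (digital signatures) is not covered by this block: HMAC gives origin authentication between the two key holders, but either of them could have produced any tag, so it provides no nonrepudiation; that needs an asymmetric signature.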
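Worked example for questions 19, 22 and 24 of the Modules 26 – 28 group: a Snort rule is a header (action, protocol, addresses, ports, direction) followed by the options section in parentheses (msg, content, classtype, sid, rev, ...), and an alert such as [1:2100498:7] carries gid:sid:rev, so 2100498 is the SID of the rule that fired. This parser is added here for illustration and is not code from the exam, the course or the Snort project. The sample rule is a constructed, abridged rule in the shape of the GPL ATTACK_RESPONSE rule that SID refers to; the 3464 boundary is the one the question uses, the remaining SID ranges are the usual Snort conventions, and the 2100000 offset is Emerging Threats' convention for republished GPL rules.

```python
"""Added example (not from the exam or the Snort project): split a Snort
rule into header and options, read gid:sid:rev out of an alert, and say
which rule set a SID range belongs to."""
import re
from dataclasses import dataclass

# Constructed, abridged rule in the shape of the GPL ATTACK_RESPONSE rule
# that alert [1:2100498:7] points at (content and metadata shortened).
SAMPLE_RULE = (
    'alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; '
    'content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)'
)

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)


@dataclass
class SnortRule:
    action: str        # header: what to do (alert, log, pass, drop, ...)
    proto: str
    src: str
    sport: str
    direction: str     # header: -> or <>
    dst: str
    dport: str
    options: dict      # options section: msg, content, classtype, sid, rev, ...


def split_options(text: str) -> dict:
    """Split 'key:value; key;' pairs on semicolons that are outside double
    quotes and not backslash-escaped, so content:"a\\;b" stays one option.
    Values are lists because options such as content may repeat."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    options = {}
    for part in parts:
        if not part:
            continue
        key, _, value = part.partition(":")
        options.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return options


def parse_rule(rule: str) -> SnortRule:
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Snort rule")
    return SnortRule(m["action"], m["proto"], m["src"], m["sport"],
                     m["direction"], m["dst"], m["dport"],
                     split_options(m["options"]))


def parse_alert_id(token: str) -> tuple:
    """'[1:2100498:7]' -> (gid, sid, rev); the middle number is the rule SID."""
    m = re.fullmatch(r"\[(\d+):(\d+):(\d+)\]", token)
    if not m:
        raise ValueError("expected [gid:sid:rev]")
    return tuple(int(x) for x in m.groups())


def sid_origin(sid: int) -> str:
    """SID ranges: 3464 is the boundary the course uses for the Sourcefire
    GPL set; the other ranges are the usual Snort conventions."""
    if sid < 3464:
        return "Sourcefire rules distributed under the GPL"
    if sid < 1_000_000:
        return "Snort (Talos) registered/subscriber rules"
    if sid < 2_000_000:
        return "local rules written by the organization"
    if sid < 3_000_000:
        return "Emerging Threats rules"
    return "outside the documented ranges"


def gpl_original_sid(sid: int):
    """Emerging Threats republishes the GPL rules as 2100000 + original SID
    (ET convention), so 2100498 is GPL rule 498."""
    return sid - 2_100_000 if 2_100_000 <= sid < 2_100_000 + 3464 else None


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    gid, sid, rev = parse_alert_id("[1:2100498:7]")
    print(rule.options["msg"][0], "| sid", sid, "->", sid_origin(sid),
          "| GPL original:", gpl_original_sid(sid))
```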
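Worked example for questions 16, 17 and 20 of the Modules 26 – 28 group and questions 28 and 30 of the Modules 24 – 25 group: two differently formatted records (a firewall syslog line and a NetFlow collector row) are normalized into one 5-tuple record so they can be correlated, a leading period or asterisk on the syslog timestamp is kept as an NTP warning flag rather than silently dropped, and the DNS flow is read the way the NetFlow question expects (destination port 53 is a request to a server, source port 53 is a response to a client). This code is added here for illustration and is not from the exam or the course; both log formats and all addresses are constructed for the demo and are not any vendor's actual syntax.

```python
"""Added example (not from the exam): normalize two constructed log formats
into one 5-tuple record, flag syslog timestamps that signal an NTP problem,
and describe the direction of a DNS flow."""
import re
from dataclasses import dataclass
from typing import Optional

PROTO_NUMBERS = {6: "TCP", 17: "UDP", 1: "ICMP"}


@dataclass(frozen=True)
class Flow:
    timestamp: str       # kept as received; a real pipeline would convert to UTC
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    source: str          # which sensor/format the record came from
    clock_synced: bool   # False when the syslog timestamp carried '*' or '.'


# Constructed firewall syslog line (simplified syntax, not a vendor format):
#   *Oct 12 14:03:11 fw01 FW-6-CONN: Built UDP connection src A/p dst B/q
FW_RE = re.compile(
    r"^(?P<mark>[*.]?)(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+\S+:\s+"
    r"Built (?P<proto>TCP|UDP|ICMP) connection src (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def normalize_firewall_line(line: str) -> Flow:
    m = FW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized firewall line: {line!r}")
    return Flow(
        timestamp=m["ts"], proto=m["proto"],
        src_ip=m["src"], src_port=int(m["sport"]),
        dst_ip=m["dst"], dst_port=int(m["dport"]),
        source="firewall",
        # Cisco-style syslog: a leading '*' or '.' on the timestamp means the
        # clock is not (or no longer) NTP-synchronized. Keep it as a flag so
        # an analyst does not trust the ordering of these events blindly.
        clock_synced=(m["mark"] == ""),
    )


def normalize_netflow_csv(row: str) -> Flow:
    """Constructed collector CSV: ts,proto_number,src,sport,dst,dport,packets,bytes"""
    ts, proto, src, sport, dst, dport, _pkts, _bytes = row.split(",")
    proto_name = PROTO_NUMBERS.get(int(proto), proto)
    return Flow(ts, proto_name, src, int(sport), dst, int(dport), "netflow", True)


def session_key(f: Flow) -> tuple:
    """Direction-independent 5-tuple key so a request and its reply correlate."""
    a, b = (f.src_ip, f.src_port), (f.dst_ip, f.dst_port)
    return (f.proto,) + tuple(sorted([a, b]))


def correlate(flows) -> dict:
    """Group normalized records from any source by session key."""
    sessions = {}
    for f in flows:
        sessions.setdefault(session_key(f), []).append(f)
    return sessions


def describe_dns(f: Flow) -> Optional[str]:
    """Read a DNS flow's direction from the 5-tuple, as in the NetFlow question."""
    if f.dst_port == 53:
        return f"{f.proto} DNS request to a DNS server"
    if f.src_port == 53:
        return f"{f.proto} DNS response to a client machine"
    return None


if __name__ == "__main__":
    # Constructed sample records: the same DNS exchange seen by two sensors.
    fw = normalize_firewall_line(
        "*Oct 12 14:03:11 fw01 FW-6-CONN: Built UDP connection src 10.0.0.5/51234 dst 192.0.2.53/53")
    nf = normalize_netflow_csv("2024-10-12T14:03:11Z,17,192.0.2.53,53,10.0.0.5,51234,1,142")
    for key, flows in correlate([fw, nf]).items():
        print(key, [describe_dns(f) for f in flows], "clock ok:", all(f.clock_synced for f in flows))
```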
