Last Updated on June 7, 2019 by Admin
CCNA Cybersecurity Operations (Version 1.1) – Practice Final Exam Online 2019
CCNA CyberOps 1.1 -- Practice Final Exam
Question 1 of 60 (1 point)
What is the main purpose of cyberwarfare?
Explanation: Cyberwarfare is Internet-based conflict that involves the penetration of the networks and computer systems of other nations. The main purpose of cyberwarfare is to gain advantage over adversaries, whether they are nations or competitors.
Question 2 of 60 (1 point)
A technician has installed a third-party utility that is used to manage a Windows 7 computer. However, the utility does not automatically start whenever the computer is started. What can the technician do to resolve this problem?
Explanation: The Services console in Windows OS allows for the management of all the services on the local and remote computers. The setting of Automatic in the Services console enables the chosen service to start when the computer is started.
Question 3 of 60 (1 point)
Which statement describes the state of the administrator and guest accounts after a user installs a Windows desktop version on a new computer?
Explanation: When a user installs a Windows desktop version, two local user accounts are created automatically during the process, administrator and guest. Both accounts are disabled by default.
Question 4 of 60 (1 point)
Refer to the exhibit. Approximately what percentage of the physical memory is in use on this Windows system?
Explanation: The graphic shows that there is 5.0 GB (187 MB) of memory in use with 10.7 GB still available. Together this adds up to 16 GB of total physical memory. 5 GB is approximately 33% of 16 GB.
Question 5 of 60 (1 point)
Refer to the exhibit. For which security issue would a cybersecurity analyst use the displayed tool?
Explanation: Windows Performance Monitor is used to evaluate the performance of individual components on a Windows host computer. Commonly monitored components include the processor, hard drive, network, and memory. Windows Task Manager and Performance Monitor are used when malware is suspected and a component is not performing the way it should.
Question 6 of 60 (1 point)
A PC user issues the netstat command without any options. What is displayed as the result of this command?
Explanation: When used by itself (without any options), the netstat command will display all the active TCP connections that are available.
Question 7 of 60 (1 point)
A security incident has been filed and an employee believes that someone has been on the computer since the employee left last night. The employee states that the computer was turned off before the employee left for the evening. The computer is running slowly and applications are acting strangely. Which Microsoft Windows tool would be used by the security analyst to determine if and when someone logged on to the computer after working hours?
Explanation: Event Viewer is used to investigate the history of application, security, and system events. Events show the date and time that the event occurred along with the source of the event. If a cybersecurity analyst has the address of the Windows computer targeted or the date and time that a security breach occurred, the analyst could use Event Viewer to document and prove what occurred on the computer.
Question 8 of 60 (1 point)
A client device has initiated a secure HTTP request to a web browser. Which well-known port address number is associated with the destination address?
Explanation: Port numbers are used in TCP and UDP communications to differentiate between the various services running on a device. The well-known port number used by HTTPS is port 443.
Question 9 of 60 (1 point)
Which component in Linux is responsible for interacting directly with the device hardware?
Explanation: A Linux OS can be divided into kernel and shell. The shell, also called the command line interface, is a command interpreter that parses the inputs (or commands) from a user and interacts with the kernel. The kernel, in turn, interacts with the hardware components of a device.
Question 10 of 60 (1 point)
Which method can be used to harden a device?
Explanation: The basic best practices for device hardening are as follows:
- Ensure physical security.
- Minimize installed packages.
- Disable unused services.
- Use SSH and disable the root account login over SSH.
- Keep the system updated.
- Disable USB auto-detection.
- Enforce strong passwords.
- Force periodic password changes.
- Keep users from re-using old passwords.
- Review logs regularly.
Question 11 of 60 (1 point)
Which Linux program is going to be used when installing an application?
Explanation: A package is a specific program and all of the files needed to run that program. A package manager is used to install a package and place all the associated files in the correct location within the operating system.
Question 12 of 60 (1 point)
How many host addresses are available on the 192.168.10.128/26 network?
Explanation: A /26 prefix gives 6 host bits, which provides a total of 64 addresses, because 2^6 = 64. Subtracting the network and broadcast addresses leaves 62 usable host addresses.
Question 13 of 60 (1 point)
Refer to the exhibit. What is a valid address on the PC for the default gateway?
Explanation: The default gateway setting is the IP address of the router to which the host will send packets in order to reach remote networks. The default gateway address setting must be on the same logical network as the host IP address. In this case, the network of the host is 192.168.1.0, so the default gateway must also be on the 192.168.1.0 network.
Question 14 of 60 (1 point)
Refer to the exhibit. Which IPv4 address does the PC use for sending traffic to remote networks?
Explanation: The default gateway setting is the IP address of the router to which the host will send packets that are destined for remote networks. In the routing table of a PC, the gateway address is the default gateway and must be on the same logical network as the host IP address, in this case 192.168.1.0. Thus the gateway address, which must be on the 192.168.1.0 network, is 192.168.1.1.
Question 15 of 60 (1 point)
A cybersecurity analyst believes that an attacker is announcing a forged MAC address to network hosts in an attempt to spoof the default gateway. Which command could the analyst use on the network hosts to see what MAC address the hosts are using to reach the default gateway?
Explanation: The command arp -a will display the MAC address table on a PC.
Question 16 of 60 (1 point)
Which value, contained in an IPv4 header field, is decremented by each router that receives a packet?
Explanation: When a router receives a packet, the router will decrement the Time-to-Live (TTL) field by one. When the field reaches zero, the receiving router will discard the packet and will send an ICMP Time Exceeded message to the sender.
Question 17 of 60 (1 point)
What information does an Ethernet switch examine and use to forward a frame?
Explanation: A switch is a Layer 2 device that uses source MAC addresses to build a MAC address table (a CAM table) and destination MAC addresses to forward frames.
Question 18 of 60 (1 point)
A person coming to a cafe for the first time wants to gain wireless access to the Internet using a laptop. What is the first step the wireless client will do in order to communicate over the network using a wireless management frame?
Explanation: In order for wireless devices to communicate on a wireless network, management frames are used to complete a three-stage process:
- Discover the AP
- Authenticate with the AP
- Associate with the AP
Question 19 of 60 (1 point)
Refer to the exhibit. A cybersecurity analyst is viewing packets forwarded by switch S2. What addresses will identify frames containing data sent from PCA to PCB?
Explanation: When a message sent from PCA to PCB reaches router R2, some frame header fields will be rewritten by R2 before forwarding to switch S2. The frames will contain the source MAC address of router R2 and the destination MAC address of PCB. The frames will retain the original IPv4 addressing applied by PCA, which is the IPv4 address of PCA as the source address and the IPv4 address of PCB as the destination.
Question 20 of 60 (3 points)
What are three functions provided by the syslog service? (Choose three.)
Explanation: There are three primary functions provided by the syslog service:
- gathering logging information
- selection of the type of information to be logged
- selection of the destination of the logged information
Question 21 of 60 (1 point)
Users report to the helpdesk that icons usually seen on the menu bar are randomly appearing on their computer screens. What could be a reason that computers are displaying these random graphics?
Explanation: A virus such as this is harmless, but still needs to be removed. Other viruses can be destructive in that they modify or delete files on the local computer and possibly other computers on the network.
Question 22 of 60 (1 point)
Why does a worm pose a greater threat than a virus poses?
Explanation: One major component of a worm is the propagation mechanism, which replicates the worm and targets unprotected network devices. A virus requires a host program, but worms do not.
Question 23 of 60 (2 points)
Which two characteristics describe a virus? (Choose two.)
Explanation: A virus is malicious code that is attached to legitimate programs or executable files. Most viruses require end user activation, can lie dormant for an extended period, and then activate at a specific time or date. In contrast, a worm executes arbitrary code and installs copies of itself in the memory of the infected computer. The main purpose of a worm is automatic replication to spread quickly across a network. A worm does not require a host program to run.
Question 24 of 60 (1 point)
The IT department is reporting that a company web server is receiving an abnormally high number of web page requests from different locations simultaneously. Which type of security attack is occurring?
Explanation: Phishing, spyware, and social engineering are security attacks that collect network and user information. Adware consists, typically, of annoying popup windows. Unlike a DDoS attack, none of these attacks generate large amounts of data traffic that can restrict access to network services.
Question 25 of 60 (1 point)
A disgruntled employee is using Wireshark to discover administrative Telnet usernames and passwords. What type of network attack does this describe?
Explanation: Wireshark is a free download that allows network packet inspection. Someone using this tool for malicious intent would be performing a reconnaissance attack. Through the capture of network packets, weak security network connectivity protocols such as Telnet can be caught, inspected, and then analyzed for detailed network information, including passwords.
Question 26 of 60 (1 point)
What is an essential function of SIEM?
Explanation: SIEM provides real-time reporting and analysis of security events. SIEM provides administrators with details on sources of suspicious activity such as user information, device location, and compliance with security policies.
Question 27 of 60 (1 point)
What is the result of a DHCP starvation attack?
Explanation: DHCP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.
Question 28 of 60 (2 points)
What are two types of attacks used on DNS open resolvers? (Choose two.)
Explanation: Three types of attacks used on DNS open resolvers are as follows:
- DNS cache poisoning - attacker sends spoofed, falsified information to redirect users from legitimate sites to malicious sites
- DNS amplification and reflection attacks - attacker sends an increased volume of attacks to mask the true source of the attack
- DNS resource utilization attacks - a denial of service (DoS) attack that consumes server resources
Question 29 of 60 (1 point)
What would be the target of an SQL injection attack?
Explanation: SQL is the language used to query a relational database. Cybercriminals use SQL injections to get information, create fake or malicious queries, or to breach the database in some other way.
Question 30 of 60 (2 points)
Which two options are security best practices that help mitigate BYOD risks? (Choose two.)
Explanation: Many companies now support employees and visitors attaching and using wireless devices that connect to and use the corporate wireless network. This practice is known as a bring-your-own-device policy or BYOD. Commonly, BYOD security practices are included in the security policy. Some best practices that mitigate BYOD risks include the following:
- Use unique passwords for each device and account.
- Turn off Wi-Fi and Bluetooth connectivity when not being used.
- Only connect to trusted networks.
- Keep the device OS and other software updated.
- Back up any data stored on the device.
- Subscribe to a device locator service with a remote wipe feature.
- Provide antivirus software for approved BYODs.
- Use Mobile Device Management (MDM) software that allows IT teams to track the device and implement security settings and software controls.
Question 31 of 60 (1 point)
A user successfully logs in to a corporate network via a VPN connection. Which part of the AAA process records that a certain user performed a specific operation at a particular date and time?
Explanation: The three parts of the AAA process are authentication, authorization, and accounting. The accounting function records information such as who logged in, when the user logged in and out, and what the user did with network resources.
Question 32 of 60 (4 points)
What are three access control security services? (Choose three.)
Explanation: This question refers to AAA: authentication, authorization, and accountability.
Question 33 of 60 (1 point)
In threat intelligence communications, which sharing standard is a specification for an application layer protocol that allows communication of cyberthreat intelligence over HTTPS?
Explanation: The two common threat intelligence sharing standards are as follows:
- Structured Threat Information Expression (STIX) - This is a set of specifications for exchanging cyberthreat information between organizations. The Cyber Observable Expression (CybOX) standard has been incorporated into STIX.
- Trusted Automated Exchange of Indicator Information (TAXII) - This is the specification for an application layer protocol that allows the communication of CTI over HTTPS. TAXII is designed to support STIX.
Question 34 of 60 (1 point)
A network security specialist is tasked to implement a security measure that monitors the status of critical files in the data center and sends an immediate alert if any file is modified. Which aspect of secure communications is addressed by this security measure?
Explanation: Secure communications consists of four elements:
- Data confidentiality - guarantees that only authorized users can read the message
- Data integrity - guarantees that the message was not altered
- Origin authentication - guarantees that the message is not a forgery and does actually come from whom it states
- Data nonrepudiation - guarantees that the sender cannot repudiate, or refute, the validity of a message sent
Question 35 of 60 (2 points)
Which two statements describe the use of asymmetric algorithms? (Choose two.)
Explanation: Asymmetric algorithms use two keys: a public key and a private key. Both keys are capable of the encryption process, but the complementary matched key is required for decryption. If a public key encrypts the data, the matching private key decrypts the data. The opposite is also true. If a private key encrypts the data, the corresponding public key decrypts the data.
Question 36 of 60 (1 point)
What is the most common use of the Diffie-Hellman algorithm in communications security?
Explanation: Diffie-Hellman is not an encryption mechanism and is not typically used to encrypt data. Instead, it is a method to securely exchange the keys used to encrypt the data.
Question 37 of 60 (1 point)
A customer purchases an item from an e-commerce site. The e-commerce site must maintain proof that the data exchange took place between the site and the customer. Which feature of digital signatures is required?
Explanation: Digital signatures provide three basic security services:
- Authenticity of digitally signed data - Digital signatures authenticate a source, proving that a certain party has seen and signed the data in question.
- Integrity of digitally signed data - Digital signatures guarantee that the data has not changed from the time it was signed.
- Nonrepudiation of the transaction - The recipient can take the data to a third party, and the third party accepts the digital signature as a proof that this data exchange did take place. The signing party cannot repudiate that it has signed the data.
Question 38 of 60 (1 point)
When a user visits an online store website that uses HTTPS, the user browser queries the CA for a CRL. What is the purpose of this query?
Explanation: A digital certificate must be revoked if it is invalid. CAs maintain a certificate revocation list (CRL), a list of revoked certificate serial numbers that have been invalidated. The user browser will query the CRL to verify the validity of a certificate.
Question 39 of 60 (1 point)
Which management system implements systems that track the location and configuration of networked devices and software across an enterprise?
Explanation: Asset management involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise.
Question 40 of 60 (1 point)
Which host-based firewall uses a three-profile approach to configure the firewall functionality?
Explanation: Windows Firewall uses a profile-based approach to configuring firewall functionality. It uses three profiles, Public, Private, and Domain, to define firewall functions.
Question 41 of 60 (1 point)
Which approach is intended to prevent exploits that target syslog?
Explanation: Hackers may try to block clients from sending data to the syslog server, manipulate or erase logged data, or manipulate the software used to transmit messages between the clients and the server. Syslog-ng is the next generation of syslog and it contains improvements to prevent some of the exploits.
Question 42 of 60
42. Question
2 points
Which two technologies are primarily used on peer-to-peer networks? (Choose two.)
Bitcoin uses a peer-to-peer network to maintain a shared, distributed ledger. BitTorrent uses peer-to-peer connections for file sharing.
Question 43 of 60
43. Question
1 point
How can statistical data be used to describe or predict network behavior?
Statistical data is created through the analysis of other forms of network data. Statistical characteristics of normal network behavior (a baseline) can be compared to current network traffic in an effort to detect anomalies. Conclusions resulting from this analysis can be used to describe or predict network behavior.
Question 44 of 60
44. Question
2 points
What are two elements that form the PRI value in a syslog message? (Choose two.)
The PRI in a syslog message consists of two elements, the facility and the severity of the message. PRI is transmitted as a single number, facility × 8 + severity, enclosed in angle brackets at the very start of the message; for example, <34> is facility 4 (auth) with severity 2 (critical).
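The following is an added example, not part of the original exam or explanation, showing how the PRI value is assembled from facility and severity and how a collector decodes it back. The sample messages are constructed for the example; the function names are the example's own.

```python
import re

# Facility codes 0-23 as listed in RFC 5424 section 6.2.1 (names shortened).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0-7; lower numbers are more urgent.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The PRI field is the decimal number in angle brackets at the very start of the
# message. Leading zeros are not permitted, so "<034>" is treated as malformed.
_PRI_RE = re.compile(r"^<(0|[1-9][0-9]{0,2})>")


def encode_pri(facility, severity):
    """Combine a facility and a severity into the PRI value: facility * 8 + severity."""
    if not 0 <= facility <= 23:
        raise ValueError("facility must be in 0..23")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be in 0..7")
    return facility * 8 + severity


def decode_pri(pri):
    """Split a PRI value back into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be in 0..191")
    return pri // 8, pri % 8


def has_valid_pri(line):
    """True when the line starts with a well-formed, in-range PRI header such as <34>."""
    m = _PRI_RE.match(line)
    return m is not None and int(m.group(1)) <= 191


def parse_message(line):
    """Return the PRI, its facility and severity (numbers and names) and the rest of the message."""
    m = _PRI_RE.match(line)
    if m is None or int(m.group(1)) > 191:
        raise ValueError("malformed or missing PRI header: %r" % line[:16])
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "body": line[m.end():],
    }


def urgent_messages(lines, max_severity=3):
    """Keep messages at severity err (3) or more urgent, the ones a SOC usually alerts on."""
    out = []
    for line in lines:
        msg = parse_message(line)
        if msg["severity"] <= max_severity:
            out.append(msg)
    return out


# Constructed sample messages in RFC 5424 layout; not taken from a real system.
SAMPLE_LINES = [
    "<34>1 2019-06-07T10:00:00Z fw01 sshd 2100 - - Failed password for root from 198.51.100.7",
    "<165>1 2019-06-07T10:00:01Z fw01 app 2200 - - scheduled job finished",
    "<14>1 2019-06-07T10:00:02Z fw01 app 2200 - - user alice logged in",
]

if __name__ == "__main__":
    for m in urgent_messages(SAMPLE_LINES):
        print(m["facility_name"], m["severity_name"], m["body"])
```

Because the facility is multiplied by 8, the severity is simply the low three bits of the PRI; a collector that filters on severity alone can therefore mask with `pri & 7`, but the validation above matters because a forged or truncated header is exactly the kind of manipulation an attacker targeting the logging pipeline would attempt.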
Question 45 of 60
45. Question
1 point
Which tool can be used in a Cisco AVC system to analyze and present the application analysis data into dashboard reports?
A management and reporting system, such as Cisco Prime, can be used to analyze the application analysis data and present it in dashboard reports for use by network monitoring personnel.
Question 46 of 60
46. Question
1 point
Refer to the exhibit. Which field in the Sguil event window indicates the number of times an event is detected for the same source and destination IP address?
The CNT field indicates the number of times an event is detected from the same source and destination IP address. A high count for a single event can indicate a problem with the event signature, for example a rule that is too broad and fires on normal traffic.
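As an added example (not part of the original exam), the aggregation behind a CNT-style column: alerts with the same signature, source and destination are collapsed into one row with a count and first/last timestamps, and signatures that dominate the alert volume are flagged for tuning. The alerts and the 40% share threshold are constructed for the example.

```python
from collections import Counter

# Constructed sample alerts in the shape (timestamp, signature, src_ip, dst_ip);
# not taken from a real Sguil console.
SAMPLE_ALERTS = [
    ("2019-06-07 10:00:01", "ET SCAN Nmap SYN scan", "198.51.100.7", "192.0.2.10"),
    ("2019-06-07 10:00:02", "ET SCAN Nmap SYN scan", "198.51.100.7", "192.0.2.10"),
    ("2019-06-07 10:00:02", "ET SCAN Nmap SYN scan", "198.51.100.7", "192.0.2.10"),
    ("2019-06-07 10:00:03", "ET SCAN Nmap SYN scan", "198.51.100.7", "192.0.2.10"),
    ("2019-06-07 10:00:09", "ET POLICY SSH banner", "198.51.100.7", "192.0.2.10"),
    ("2019-06-07 10:01:00", "GPL ICMP_INFO PING", "203.0.113.5", "192.0.2.20"),
    ("2019-06-07 10:01:30", "GPL ICMP_INFO PING", "203.0.113.5", "192.0.2.20"),
    ("2019-06-07 10:02:00", "GPL ICMP_INFO PING", "203.0.113.5", "192.0.2.20"),
]


def aggregate(alerts):
    """Collapse alerts into one row per (signature, src, dst), the way a CNT column does.

    Each row carries the count and the first and last timestamp seen; rows are
    returned noisiest first."""
    rows = {}
    for ts, sig, src, dst in alerts:
        key = (sig, src, dst)
        row = rows.get(key)
        if row is None:
            rows[key] = {"signature": sig, "src": src, "dst": dst,
                         "cnt": 1, "first": ts, "last": ts}
        else:
            row["cnt"] += 1
            row["first"] = min(row["first"], ts)
            row["last"] = max(row["last"], ts)
    return sorted(rows.values(),
                  key=lambda r: (-r["cnt"], r["signature"], r["src"], r["dst"]))


def noisy_signatures(alerts, share=0.4):
    """Signatures responsible for more than `share` of all alerts: candidates for tuning."""
    per_sig = Counter(sig for _, sig, _, _ in alerts)
    total = sum(per_sig.values())
    return [sig for sig, n in per_sig.most_common() if n / total > share]


if __name__ == "__main__":
    for r in aggregate(SAMPLE_ALERTS):
        print(r["cnt"], r["signature"], r["src"], "->", r["dst"], r["first"], r["last"])
    print("tune:", noisy_signatures(SAMPLE_ALERTS))
```

The first/last timestamps are what distinguish a burst (four SYN-scan hits within two seconds, consistent with a real scan) from a signature that fires steadily all day on normal traffic; the share threshold is a starting point for review, not a reason to disable a rule automatically.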
Question 47 of 60
47. Question
1 point
Refer to the exhibit. A network security specialist is issuing the tail command to monitor the Snort alert file in real time. Which option should be used in the command line to watch the file for changes?
For the Linux tail command, the option -f is used to follow a file and print new lines as they are appended. The -c option limits the output to a number of bytes. The -n option sets the number of lines to display. The -q option suppresses the header lines printed when several files are given. On a log that is rotated, -F (follow by name, retrying when the file is replaced) keeps the monitor attached to the new file, whereas -f keeps reading the old, rotated-out file.
Question 48 of 60
48. Question
1 point
A law office uses a Linux host as the firewall device for the network. The IT administrator is configuring the firewall iptables to block pings from Internet devices to the Linux host. Which iptables chain should be modified to achieve the task?
The firewall iptables uses the concepts of chains and rules to filter traffic:
- INPUT chain – handles traffic entering the firewall and destined to the firewall device itself
- OUTPUT chain – handles traffic originating within the firewall device itself and destined to somewhere else
- FORWARD chain – handles traffic originated somewhere else and passing through the firewall device
Pings aimed at the Linux host are addressed to the firewall itself, so they are evaluated by the INPUT chain. A rule placed in FORWARD would only affect pings passing through to hosts behind the firewall.
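The following is an added example, not from the exam or from iptables itself: a small chain-selection helper, the rule an administrator would add, and a check that reads `iptables-save` output and tells whether inbound echo-requests to the firewall are actually blocked, honouring first-match order and the chain policy. The firewall addresses, interface names and dump contents are constructed for the example.

```python
# Constructed addresses: the firewall's Internet-facing (eth0) and LAN (eth1) addresses.
FIREWALL_ADDRS = {"203.0.113.1", "192.168.10.1"}


def chain_for(src, dst, local_addrs=FIREWALL_ADDRS):
    """Which filter chain a packet is evaluated in, given where it is going."""
    if dst in local_addrs:
        return "INPUT"      # addressed to the firewall itself
    if src in local_addrs:
        return "OUTPUT"     # generated by the firewall itself
    return "FORWARD"        # routed through the firewall


def ping_block_rules(wan_iface="eth0"):
    """The command that drops echo-requests arriving from the Internet for the firewall itself."""
    return ["iptables -A INPUT -i %s -p icmp --icmp-type echo-request -j DROP" % wan_iface]


def sample_dump(rules, input_policy="ACCEPT"):
    """Wrap rule lines in a constructed iptables-save skeleton (filter table only)."""
    head = ["*filter", ":INPUT %s [0:0]" % input_policy,
            ":FORWARD ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]"]
    return "\n".join(head + list(rules) + ["COMMIT"]) + "\n"


def _rule_options(line):
    """Turn one iptables-save rule line into a dict of option -> value (True for bare flags)."""
    tokens = line.split()
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tok] = tokens[i + 1]
                i += 2
                continue
            opts[tok] = True
        i += 1
    return opts


def pings_blocked(dump, wan_iface="eth0"):
    """True if echo-requests (ICMP type 8) from wan_iface to the firewall are dropped or rejected.

    Rules are evaluated in order and the first match wins, so an earlier ACCEPT defeats
    a later DROP; if nothing matches, the chain policy decides."""
    policy = "ACCEPT"
    for line in dump.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
            continue
        opts = _rule_options(line)
        if opts.get("-A") != "INPUT" or opts.get("-p") != "icmp":
            continue
        # iptables-save prints the numeric type; accept the symbolic name too, and
        # a rule with no --icmp-type matches all ICMP including echo-request.
        if opts.get("--icmp-type") not in (None, "8", "echo-request"):
            continue
        if opts.get("-i", wan_iface) != wan_iface:
            continue
        target = opts.get("-j")
        if target in ("DROP", "REJECT"):
            return True
        if target == "ACCEPT":
            return False
    return policy == "DROP"


if __name__ == "__main__":
    print(ping_block_rules()[0])
    print(pings_blocked(sample_dump(["-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP"])))
```

The check deliberately ignores rules in FORWARD: the same DROP placed there protects the LAN hosts but leaves the firewall's own address answering pings, which is the mistake the question is testing for. Run `iptables-save` on the real host and feed its output to `pings_blocked` to confirm the change took effect where intended.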
Question 49 of 60
49. Question
1 point
Which type of events should be assigned to categories in Sguil?
Sguil includes seven pre-built categories that can be assigned to events that have been identified as true positives.
Question 50 of 60
50. Question
1 point
Refer to the exhibit. A network security analyst is examining captured data using Wireshark. What is represented by the first three frames?
The first three frames consist of the SYN, SYN/ACK, and ACK exchanges that constitute the TCP three-way handshake between the two hosts. The sequence numbers tie the three together: the SYN/ACK acknowledges the client's initial sequence number plus one, and the final ACK acknowledges the server's initial sequence number plus one.
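As an added example (not part of the exam or of Wireshark), a handshake tracker that walks a packet list the way an analyst reads the first three frames: it pairs SYN, SYN/ACK and ACK per connection, checks the acknowledgement numbers, and reports handshakes that never complete, which is what a SYN scan or SYN flood looks like in a capture. The frames are constructed for the example.

```python
from collections import namedtuple

# Constructed frames mimicking the columns of a Wireshark packet list (not a real capture):
# number, source, source port, destination, destination port, flags, seq, ack.
Frame = namedtuple("Frame", "no src sport dst dport flags seq ack")

SAMPLE_FRAMES = [
    Frame(1, "192.168.1.10", 51000, "198.51.100.20", 443, "SYN", 1000, 0),
    Frame(2, "198.51.100.20", 443, "192.168.1.10", 51000, "SYN,ACK", 5000, 1001),
    Frame(3, "192.168.1.10", 51000, "198.51.100.20", 443, "ACK", 1001, 5001),
    Frame(4, "192.168.1.10", 51000, "198.51.100.20", 443, "PSH,ACK", 1001, 5001),
    # A second client sends SYNs that are never answered: half-open attempts.
    Frame(5, "203.0.113.9", 40000, "192.168.1.20", 22, "SYN", 7000, 0),
    Frame(6, "203.0.113.9", 40001, "192.168.1.20", 22, "SYN", 7100, 0),
]


def analyze_handshakes(frames):
    """Walk the frames in order and return (completed, incomplete).

    completed: one dict per finished three-way handshake with the frame numbers involved.
    incomplete: connection keys (client, cport, server, sport) whose handshake never finished."""
    pending = {}      # (client, cport, server, sport) -> progress record
    completed = []
    for f in frames:
        flags = set(f.flags.split(","))
        if flags == {"SYN"}:
            # step 1: the client opens; remember its initial sequence number
            pending[(f.src, f.sport, f.dst, f.dport)] = {
                "stage": 1, "frames": [f.no], "client_isn": f.seq}
        elif flags == {"SYN", "ACK"}:
            # step 2: the server answers; its ack must be the client's ISN + 1
            key = (f.dst, f.dport, f.src, f.sport)
            rec = pending.get(key)
            if rec and rec["stage"] == 1 and f.ack == rec["client_isn"] + 1:
                rec.update(stage=2, server_isn=f.seq)
                rec["frames"].append(f.no)
        elif flags == {"ACK"}:
            # step 3: the client acknowledges the server's ISN + 1; connection established
            key = (f.src, f.sport, f.dst, f.dport)
            rec = pending.get(key)
            if rec and rec["stage"] == 2 and f.ack == rec["server_isn"] + 1:
                rec["frames"].append(f.no)
                completed.append({"client": f.src, "server": f.dst,
                                  "port": f.dport, "frames": rec["frames"]})
                del pending[key]
    return completed, sorted(pending)


def syn_flood_suspects(frames, threshold=2):
    """Sources with at least `threshold` unfinished handshakes to one server port."""
    _, incomplete = analyze_handshakes(frames)
    counts = {}
    for client, _cport, server, sport in incomplete:
        counts[(client, server, sport)] = counts.get((client, server, sport), 0) + 1
    return [k for k, n in counts.items() if n >= threshold]


if __name__ == "__main__":
    done, half_open = analyze_handshakes(SAMPLE_FRAMES)
    print("completed:", done)
    print("half-open:", half_open)
    print("suspects:", syn_flood_suspects(SAMPLE_FRAMES))
```

Frame 4 carries data on the established connection and is ignored by the tracker; only the first three frames matter for the handshake. A SYN/ACK whose acknowledgement number does not equal the client's ISN + 1 is not accepted as step 2, which is the same consistency check Wireshark applies when it labels the frames.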
Question 51 of 60
51. Question
1 point
Which term is used for describing automated queries that are useful for adding efficiency to the cyberoperations workflow?
A playbook is an automated query that can add efficiency to the cyberoperations workflow.
Question 52 of 60
52. Question
1 point
Which statement describes the Cyber Kill Chain?
The Cyber Kill Chain was developed to identify and prevent cyber intrusions by specifying what threat actors must complete to accomplish their goals.
Question 53 of 60
53. Question
2 points
When dealing with security threats and using the Cyber Kill Chain model, which two approaches can an organization use to block a potential back door creation? (Choose two.)
In the installation phase of the Cyber Kill Chain, the threat actor establishes a back door into the system to allow for continued access to the target. Among other measures, using HIPS to alert or block on common installation paths and auditing endpoints to discover abnormal file creations can help block a potential back door creation.
Question 54 of 60
54. Question
1 point
Which schema or model allows security professionals to enter data about a particular incident, such as victim demographics, incident description, discovery method and response, and impact assessment, and share that data with the security community anonymously?
Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to describe security incidents in a structured, repeatable way so that they can be shared and compared. A Computer Security Incident Response Team (CSIRT) is an internal organizational group that provides services and functions to secure assets. The Cyber Kill Chain contains seven steps that help analysts understand the techniques, tools, and procedures of threat actors. The Diamond Model of intrusion analysis has four core features (adversary, capability, infrastructure, and victim) that together represent a security incident.
Question 55 of 60
55. Question
1 point
What is the responsibility of the IT support group when handling a security incident?
IT support best understands the technology used in the organization and can perform the correct actions to minimize the effectiveness of the attack and preserve evidence.
Question 56 of 60
56. Question
4 points
Match the type of CSIRT with the description.
- coordination center – handles security incidents across multiple CSIRTs
- vendor team – handles customer reports about vulnerabilities
- managed security service provider – handles security incidents of other organizations for a fee
- analysis center – uses trends to predict future incidents
Question 57 of 60
57. Question
4 points
Match the IPS alarm with the description.
- true negative – normal traffic is correctly not identified as a threat
- true positive – malicious traffic is correctly identified as a threat
- false negative – malicious traffic is not correctly identified as a threat
- false positive – normal traffic is incorrectly identified as a threat
Question 58 of 60
58. Question
4 points
Match the Windows host log to the messages contained in it. (Not all options are used.)
- application logs – events logged by various applications
- system logs – events related to the operation of drivers, processes, and hardware
- setup logs – information about the installation of software, including Windows updates
- security logs – events related to logon attempts and operations related to file or object management and access
- not used – events related to the web server access and activity
Question 59 of 60
59. Question
3 points
Match the term to the description.
- assets – information or equipment valuable enough to an organization to warrant protection
- threats – potential dangers to a protected asset
- vulnerabilities – weaknesses in a system or design
Question 60 of 60
60. Question
4 points
Match the server profile element to the description. (Not all options are used.)
The elements of a server profile include the following:
- Listening ports – the TCP and UDP daemons and ports that are allowed to be open on the server
- User accounts – the parameters defining user access and behavior
- Service accounts – the definitions of the type of service that an application is allowed to run on a given host
- Software environment – the tasks, processes, and applications that are permitted to run on the server
The description "the number of times the server is powered on and off" is a distractor and matches none of the elements.
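The listening-ports element of a server profile is only useful if it is checked against the live host. The following is an added example, not part of the exam, that parses the output of `ss -tulnp` and compares it with a baseline of allowed (protocol, port, daemon) entries, separating externally reachable surprises from loopback-only listeners and from allowed ports served by the wrong process. The `ss` output and the baseline are constructed for the example.

```python
import re

# Constructed `ss -tulnp` output for a web server; not captured from a real host.
SS_OUTPUT = """Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*         users:(("chronyd",pid=612,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      511    *:443               *:*               users:(("nginx",pid=950,fd=6))
tcp   LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1020,fd=7))
tcp   LISTEN 0      5      0.0.0.0:4444        0.0.0.0:*         users:(("nc",pid=1333,fd=3))
"""

# The "listening ports" element of the profile: (protocol, port) -> expected daemon.
# Constructed baseline for the sample host.
PROFILE_PORTS = {("udp", 123): "chronyd", ("tcp", 22): "sshd", ("tcp", 443): "nginx"}

LOOPBACK = {"127.0.0.1", "[::1]"}
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(output):
    """Return (proto, bind_address, port, process) for each listener in `ss -tulnp` output."""
    listeners = []
    for line in output.splitlines():
        if not line or line.startswith("Netid"):
            continue
        cols = line.split(None, 6)          # the Process column may not be present
        proto, local = cols[0], cols[4]
        addr, port = local.rsplit(":", 1)   # works for 0.0.0.0:22, *:443 and [::]:22
        m = _PROC_RE.search(cols[6]) if len(cols) > 6 else None
        listeners.append((proto, addr, int(port), m.group(1) if m else "?"))
    return listeners


def profile_deviations(output, profile=PROFILE_PORTS):
    """Compare live listeners with the profile.

    Returns (unexpected, mismatched, loopback_only):
      unexpected    - externally reachable listeners the profile does not allow
      mismatched    - allowed ports served by a different process than expected
      loopback_only - listeners bound to loopback, reported but not counted as exposure"""
    unexpected, mismatched, loopback_only = [], [], []
    for proto, addr, port, proc in parse_ss(output):
        if addr in LOOPBACK:
            loopback_only.append((proto, port, proc))
            continue
        expected = profile.get((proto, port))
        if expected is None:
            unexpected.append((proto, port, proc))
        elif expected != proc:
            mismatched.append((proto, port, proc, expected))
    return unexpected, mismatched, loopback_only


if __name__ == "__main__":
    unexpected, mismatched, loopback_only = profile_deviations(SS_OUTPUT)
    print("unexpected:", unexpected)
    print("wrong process:", mismatched)
    print("loopback only:", loopback_only)
```

In the sample the `nc` listener on tcp/4444 is the finding; the Redis port is bound to loopback and is reported separately so an analyst can decide whether it belongs in the profile. A process name that differs from the expected daemon on an allowed port is reported too, because a listener on an expected port is exactly where a planted service would try to hide.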