Last Updated on June 17, 2021 by InfraExam
CyberOps Associate 1.0 Final Exam Answers 2020 – 2021 Full 100%
CyberOps Associate (Version 1.0) – CyberOps Associate 1.0 Final exam Answers 2020 – 2021
-
Which two techniques are used in a smurf attack? (Choose two.)
- session hijacking
- reflection
- amplification
- botnets
- resource exhaustion
-
What are three goals of a port scan attack? (Choose three.)
- to discover system passwords
- to identify operating systems
- to identify active services
- to identify peripheral configurations
- to determine potential vulnerabilities
- to disable used ports and services
-
After host A receives a web page from server B, host A terminates the connection with server B. Match each step to its correct option in the normal termination process for a TCP connection. (Not all options are used.)
-
When establishing a network profile for an organization, which element describes the time between the establishment of a data flow and its termination?
- routing protocol convergence
- total throughput
- session duration
- bandwidth of the Internet connection
Answers Explanation & Hints: A network profile should include some important elements, such as the following:
- Total throughput – the amount of data passing from a given source to a given destination in a given period of time
- Session duration – the time between the establishment of a data flow and its termination
- Ports used – a list of TCP or UDP processes that are available to accept data
- Critical asset address space – the IP addresses or the logical location of essential systems or data
-
In addressing an identified risk, which strategy aims to shift some of the risk to other parties?
- risk avoidance
- risk retention
- risk reduction
- risk sharing
-
Match the security management function with the description.
-
A computer is presenting a user with a screen requesting payment before the user data is allowed to be accessed by the same user. What type of malware is this?
- a type of virus
- a type of worm
- a type of ransomware
- a type of logic bomb
Answers Explanation & Hints: Ransomware commonly encrypts data on a computer and makes the data unavailable until the computer user pays a specific sum of money.
-
What characterizes a threat actor?
- They are all highly-skilled individuals.
- They always try to cause some harm to an individual or organization.
- They always use advanced tools to launch attacks.
- They all belong to organized crime.
-
What subnet mask is represented by the slash notation /20?
- 255.255.255.248
- 255.255.224.0
- 255.255.255.192
- 255.255.240.0
- 255.255.255.0
Answers Explanation & Hints: The slash notation /20 represents a subnet mask with 20 ones. This would translate to 11111111.11111111.11110000.00000000, which in turn converts to 255.255.240.0.
-
A device has been assigned the IPv6 address of 2001:0db8:cafe:4500:1000:00d8:0058:00ab/64. Which is the network identifier of the device?
- 1000:00d8:0058:00ab
- 2001
- 2001:0db8:cafe:4500:1000:00d8:0058:00ab
- 2001:0db8:cafe:4500:1000
- 2001:0db8:cafe:4500
Answers Explanation & Hints: The address has a prefix length of /64. Thus the first 64 bits represent the network portion, whereas the last 64 bits represent the host portion of the IPv6 address.
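The two questions above are both prefix-length arithmetic: a /N mask is N one-bits followed by zero-bits, and the network identifier is the address ANDed with that mask. The following is an added example (not part of the exam page) that does the arithmetic with raw bit operations rather than the ipaddress module, so the split is visible. The sample addresses in the docstrings are constructed.

```python
# Added example (not from the exam page): prefix-length arithmetic for IPv4
# and IPv6 with raw bit operations. Sample addresses are constructed.

def _ipv4_mask_int(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def _ipv4_to_int(addr: str) -> int:
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 address: {addr}")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"bad IPv4 octet: {o}")
        value = (value << 8) | n
    return value

def _int_to_ipv4(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def ipv4_mask_from_prefix(prefix: int) -> str:
    """/20 -> '255.255.240.0': `prefix` one-bits followed by zero-bits."""
    return _int_to_ipv4(_ipv4_mask_int(prefix))

def ipv4_mask_binary(prefix: int) -> str:
    """The same mask written octet by octet in binary, as the explanation does."""
    mask = _ipv4_mask_int(prefix)
    return ".".join(format((mask >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))

def ipv4_network(cidr: str) -> str:
    """'192.168.23.17/20' -> '192.168.16.0/20' (address AND mask)."""
    addr, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    net = _ipv4_to_int(addr) & _ipv4_mask_int(prefix)
    return f"{_int_to_ipv4(net)}/{prefix}"

def _ipv6_to_int(addr: str) -> int:
    """Expand '::' and pack the eight 16-bit groups into one 128-bit integer."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"bad IPv6 address: {addr}")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"bad IPv6 address: {addr}")
    value = 0
    for g in groups:
        if not 1 <= len(g) <= 4 or any(c not in "0123456789abcdefABCDEF" for c in g):
            raise ValueError(f"bad IPv6 group: {g!r}")
        value = (value << 16) | int(g, 16)
    return value

def ipv6_network_id(cidr: str) -> str:
    """'2001:0db8:cafe:4500:1000:00d8:0058:00ab/64' -> '2001:0db8:cafe:4500'.

    Returns only the groups covered by the prefix, zero-padded to four hex
    digits as the question writes them. A prefix that is not a multiple of 16
    keeps the partially covered group with its host bits cleared."""
    addr, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 128:
        raise ValueError("IPv6 prefix length must be between 0 and 128")
    all_ones = (1 << 128) - 1
    mask = all_ones ^ ((1 << (128 - prefix)) - 1)
    net = _ipv6_to_int(addr) & mask
    groups = [(net >> (16 * i)) & 0xFFFF for i in range(7, -1, -1)]
    covered = -(-prefix // 16)          # ceil(prefix / 16)
    return ":".join(f"{g:04x}" for g in groups[:covered])

if __name__ == "__main__":
    print(ipv4_mask_from_prefix(20), ipv4_mask_binary(20))
    print(ipv6_network_id("2001:0db8:cafe:4500:1000:00d8:0058:00ab/64"))
```

The IPv6 routine deliberately re-expands "::" by hand; compressed notation is where most hand-parsing mistakes in log tooling come from, and an address that fails these checks should be rejected rather than silently padded.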
-
Refer to the exhibit. If Host1 were to transfer a file to the server, what layers of the TCP/IP model would be used?
- only application and Internet layers
- only application, transport, network, data link, and physical layers
- application, session, transport, network, data link, and physical layers
- application, transport, Internet, and network access layers
- only Internet and network access layers
- only application, Internet, and network access layers
Answers Explanation & Hints: The TCP/IP model contains the application, transport, internet, and network access layers. A file transfer uses the FTP application layer protocol. The data would move from the application layer through all of the layers of the model and across the network to the file server.
-
What best describes the destination IPv4 address that is used by multicasting?
- a single IP multicast address that is used by all destinations in a group
- an IP address that is unique for each destination in the group
- a 48 bit address that is determined by the number of members in the multicast group
- a group address that shares the last 23 bits with the source IPv4 address
Answers Explanation & Hints: The destination multicast IPv4 address is a group address, which is a single IP multicast address within the Class D range.
-
Match the network-based antimalware solution to the function. (Not all options are used.)
-
Match the Linux host-based firewall application with its description.
-
A threat actor has identified the potential vulnerability of the web server of an organization and is building an attack. What will the threat actor possibly do to build an attack weapon?
- Collect credentials of the web server developers and administrators.
- Install a webshell on the web server for persistent access.
- Obtain an automated tool in order to deliver the malware payload through the vulnerability.
- Create a point of persistence by adding services.
-
Which type of data would be considered an example of volatile data?
- web browser cache
- log files
- memory registers
- temp files
Answers Explanation & Hints: Volatile data is data stored in memory such as registers, cache, and RAM, or it is data that exists in transit. Volatile memory is lost when the computer loses power.
-
What type of attack targets an SQL database using the input field of a user?
- XML injection
- SQL injection
- buffer overflow
- Cross-site scripting
Answers Explanation & Hints: A criminal can insert a malicious SQL statement in an entry field on a website where the system does not filter the user input correctly.
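To make the explanation concrete, here is an added example (not part of the exam page) showing a login check that splices the input field into the SQL text next to the parameterized form that does not. An in-memory SQLite table stands in for the database; the rows are constructed sample data, and the passwords are kept in plaintext only so the injection point stays in view (real systems store password hashes).

```python
import sqlite3

# Added example (not from the exam page). Constructed users table; the two
# payloads below are the classic comment and tautology injections.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "user"), ("admin", "hunter2", "admin")],
    )
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The input field is pasted into the SQL text, so quotes and comment
    markers typed by the user change the statement itself."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the statement is fixed and the driver passes the
    values separately, so the same input is matched literally and fails."""
    query = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None

COMMENT_PAYLOAD = "admin' --"      # '--' comments out the password check
TAUTOLOGY_PAYLOAD = "' OR '1'='1"  # makes the WHERE clause true for every row

def demo() -> dict:
    conn = make_db()
    return {
        "vuln_comment": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        "vuln_tautology": login_vulnerable(conn, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD),
        "safe_comment": login_safe(conn, COMMENT_PAYLOAD, "wrong"),
        "safe_tautology": login_safe(conn, TAUTOLOGY_PAYLOAD, TAUTOLOGY_PAYLOAD),
        "safe_valid": login_safe(conn, "admin", "hunter2"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

With the vulnerable function the comment payload logs in as admin with any password and the tautology payload returns the first row in the table; the parameterized function rejects both while still accepting the real credentials. Input filtering, which the explanation mentions, is a secondary control; binding parameters removes the problem at the statement level.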
-
What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?
- CAM table attack
- DHCP spoofing
- IP address spoofing
- DHCP starvation
Answers Explanation & Hints: DHCP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages in order to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.
-
Match the attack tools with the description. (Not all options are used.)
-
Match the category of attacks with the description. (Not all options are used.)
-
Match the destination network routing table entry type with a definition.
-
Which wireless parameter is used by an access point to broadcast frames that include the SSID?
- passive mode
- active mode
- channel setting
- security mode
Answers Explanation & Hints: The two scanning or probing modes an access point can be placed into are passive or active. In passive mode, the AP advertises the SSID, supported standards, and security settings in broadcast beacon frames. In active mode, the wireless client must be manually configured for the same wireless parameters as the AP has configured.
-
How can statistical data be used to describe or predict network behavior?
- by displaying alert messages that are generated by Snort
- by comparing normal network behavior to current network behavior
- by recording conversations between network endpoints
- by listing results of user web surfing activities
Answers Explanation & Hints: Statistical data is created through the analysis of other forms of network data. Statistical characteristics of normal network behavior can be compared to current network traffic in an effort to detect anomalies. Conclusions resulting from analysis can be used to describe or predict network behavior.
-
Which Windows Event Viewer log includes events regarding the operation of drivers, processes, and hardware?
- application logs
- security logs
- setup logs
- system logs
Answers Explanation & Hints: By default Windows keeps four types of host logs:
- Application logs – events logged by various applications
- System logs – events about the operation of drivers, processes, and hardware
- Setup logs – information about the installation of software, including Windows updates
- Security logs – events related to security, such as logon attempts and operations related to file or object management and access
-
Match the security organization with its security functions. (Not all options are used.)
-
What is the primary objective of a threat intelligence platform (TIP)?
- to provide a specification for an application layer protocol that allows the communication of CTI over HTTPS
- to provide a security operations platform that integrates and enhances diverse security tools and threat intelligence
- to aggregate the data in one place and present it in a comprehensible and usable format
- to provide a standardized schema for specifying, capturing, characterizing, and communicating events and properties of network operations
-
An IT enterprise is recommending the use of PKI applications to securely exchange information between the employees. In which two cases might an organization use PKI applications to securely exchange information between users? (Choose two.)
- HTTPS web service
- file and directory access permission
- 802.1x authentication
- FTP transfers
- local NTP server
-
Which two statements describe the use of asymmetric algorithms? (Choose two.)
- If a private key is used to encrypt the data, a private key must be used to decrypt the data.
- If a public key is used to encrypt the data, a public key must be used to decrypt the data.
- Public and private keys may be used interchangeably.
- If a private key is used to encrypt the data, a public key must be used to decrypt the data.
- If a public key is used to encrypt the data, a private key must be used to decrypt the data.
Answers Explanation & Hints: Asymmetric algorithms use two keys: a public key and a private key. Both keys are capable of the encryption process, but the complementary matched key is required for decryption. If a public key encrypts the data, the matching private key decrypts the data. The opposite is also true. If a private key encrypts the data, the corresponding public key decrypts the data.
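The explanation above is the textbook picture; the following added example (not part of the exam page) walks through it with RSA and the tiny primes 61 and 53 so every number fits on the page. Encrypting with the public key and recovering with the private key is encryption; "encrypting" with the private key and recovering with the public key is what a raw signature is. Real deployments use 2048-bit or larger moduli and a padding scheme (OAEP for encryption, PSS for signing); raw RSA as written here is insecure and is for illustration only.

```python
import math

# Added example (not from the exam page): textbook RSA with toy primes to show
# the two key directions. Not secure; illustration only.

def generate_keypair(p: int, q: int, e: int = 17):
    """Return ((n, e), (n, d)) from two primes; d is the inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def rsa_apply(key, m: int) -> int:
    """Raise m to the key's exponent modulo n. The same routine serves as
    encryption (public key), decryption (private key), raw signing (private
    key) and raw signature verification (public key)."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message must be a non-negative integer smaller than n")
    return pow(m, exp, n)

def demo() -> dict:
    public, private = generate_keypair(61, 53)       # n = 3233, e = 17, d = 2753
    m = 65                                           # a small message block
    ciphertext = rsa_apply(public, m)                # public key encrypts ...
    recovered = rsa_apply(private, ciphertext)       # ... matching private key decrypts
    signature = rsa_apply(private, m)                # private key "encrypts" (signs) ...
    verified = rsa_apply(public, signature)          # ... public key recovers m (verifies)
    same_key_twice = rsa_apply(public, ciphertext)   # the same key does not undo itself
    return {
        "public": public, "private": private, "ciphertext": ciphertext,
        "recovered": recovered, "verified": verified, "same_key_twice": same_key_twice,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15s} {value}")
```

The last field is the point the two wrong answer options get at: applying the public key a second time does not recover the message, only the complementary key does.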
-
Which measure can a security analyst take to perform effective security monitoring against network traffic encrypted by SSL technology?
- Require remote access connections through IPsec VPN.
- Deploy a Cisco SSL Appliance.
- Deploy a Cisco ASA.
- Use a Syslog server to capture network traffic.
-
What are two characteristics of the SLAAC method for IPv6 address configuration? (Choose two.)
- Clients send router advertisement messages to routers to request IPv6 addressing.
- IPv6 addressing is dynamically assigned to clients through the use of ICMPv6.
- This stateful method of acquiring an IPv6 address requires at least one DHCPv6 server.
- The default gateway of an IPv6 client on a LAN will be the link-local address of the router interface attached to the LAN.
- Router solicitation messages are sent by the router to offer IPv6 addressing to clients.
-
Which two ICMPv6 messages are used during the Ethernet MAC address resolution process? (Choose two.)
- router solicitation
- neighbor advertisement
- router advertisement
- neighbor solicitation
- echo request
Answers Explanation & Hints: IPv6 uses neighbor solicitation (NS) and neighbor advertisement (NA) ICMPv6 messages for MAC address resolution.
-
Match the SIEM function to the description.
-
Which device supports the use of SPAN to enable monitoring of malicious activity?
- Cisco IronPort
- Cisco Security Agent
- Cisco Catalyst switch
- Cisco NAC
-
Match the SOC metric with the description. (Not all options apply.)
-
What are the two ways threat actors use NTP? (Choose two.)
- Threat actors use NTP systems to direct DDoS attacks.
- They place iFrames on a frequently used corporate web page.
- They encode stolen data as the subdomain portion where the nameserver is under control of an attacker.
- They place an attachment inside an email message.
- They attack the NTP infrastructure in order to corrupt the information used to log the attack.
-
Which two network protocols can be used by a threat actor to exfiltrate data in traffic that is disguised as normal network traffic? (Choose two.)
- syslog
- DNS
- SMTP
- NTP
- HTTP
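The two questions above describe the same technique from the attacker's side: stolen data is encoded into the subdomain part of DNS query names for a domain whose authoritative server the attacker controls, and the queries ride out through the normal resolver. The following is an added example (not part of the exam page) of the detection side, run over constructed resolver log lines. The "timestamp client qname qtype" layout and the domain evil-cnc.example are assumptions for the example, not any product's log format.

```python
import math
from collections import defaultdict

# Added example (not from the exam page). Constructed DNS log lines; the
# long labels under evil-cnc.example imitate encoded chunks of stolen data.
SAMPLE_DNS_LOG = """\
2021-06-17T10:00:01 10.1.1.23 www.example.com A
2021-06-17T10:00:02 10.1.1.23 static-content-01.example.com A
2021-06-17T10:00:03 10.1.1.45 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.a4b7c9d2e5f8g1h3.evil-cnc.example TXT
2021-06-17T10:00:04 10.1.1.45 nbswy3dpeb3w64tmmqqhgzlomv3a2lknnww.k7m2p9q4r6s1t8u5.evil-cnc.example TXT
2021-06-17T10:00:05 10.1.1.45 krsxg5a2e3t5x7bvuchgzlomv3a2nn6qp2vm4tyk.z1y2x3w4v5u6t7s8.evil-cnc.example TXT
2021-06-17T10:00:06 10.1.1.23 mail.example.com MX
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores high, ordinary hostnames low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_dns_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue            # skip malformed lines rather than abort the run
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records

def registered_domain(qname: str) -> str:
    # Approximation: the last two labels. Production code should consult the
    # public suffix list so that names under co.uk and similar group correctly.
    return ".".join(qname.split(".")[-2:])

def score_query(qname: str) -> dict:
    labels = qname.split(".")
    subdomain = ".".join(labels[:-2])
    return {
        "subdomain_len": len(subdomain),
        "longest_label": max((len(l) for l in labels), default=0),
        "entropy": shannon_entropy(subdomain.replace(".", "")),
    }

def flag_exfil(records, min_sub_len=40, min_entropy=3.5, min_unique=3) -> list:
    """Return (client, domain) pairs that sent at least `min_unique` distinct
    query names whose subdomain part is long and high-entropy. The thresholds
    are starting points to tune against a baseline of your own resolver logs."""
    unique_names = defaultdict(set)
    hits = defaultdict(int)
    for r in records:
        key = (r["client"], registered_domain(r["qname"]))
        unique_names[key].add(r["qname"])
        s = score_query(r["qname"])
        if s["subdomain_len"] >= min_sub_len and s["entropy"] >= min_entropy:
            hits[key] += 1
    return sorted(key for key, n in hits.items()
                  if n >= min_unique and len(unique_names[key]) >= min_unique)

if __name__ == "__main__":
    print(flag_exfil(parse_dns_log(SAMPLE_DNS_LOG)))
```

Counting distinct names per (client, domain) matters as much as the per-query score: a legitimate CDN also has long hostnames, but a client that never repeats a query name under one domain is streaming data, not resolving hosts. Hex-encoded ASCII sits around 3.1 to 3.4 bits per character, so a lower entropy threshold is needed to catch that encoding than the base32-like chunks in the sample.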
-
Which application layer protocol is used to provide file-sharing and print services to Microsoft applications?
- SMB
- DHCP
- HTTP
- SMTP
Answers Explanation & Hints: SMB is used in Microsoft networking for file-sharing and print services. The Linux operating system provides a method of sharing resources with Microsoft networks by using an implementation of SMB called Samba.
-
What information is required for a WHOIS query?
- outside global address of the client
- FQDN of the domain
- ICANN lookup server address
- link-local address of the domain owner
-
Which tool included in the Security Onion is a series of software plugins that send different types of data to the Elasticsearch data stores?
- OSSEC
- Curator
- Beats
- ElastAlert
-
Which term is used to describe the process of identifying the NSM-related data to be gathered?
- data archiving
- data normalization
- data reduction
- data retention
-
An administrator is trying to develop a BYOD security policy for employees that are bringing a wide range of devices to connect to the company network. Which three objectives must the BYOD security policy address? (Choose three.)
- All devices must have open authentication with the corporate network.
- The level of access of employees when connecting to the corporate network must be defined.
- Rights and activities permitted on the corporate network must be defined.
- All devices should be allowed to attach to the corporate network flawlessly.
- Safeguards must be put in place for any personal device being compromised.
- All devices must be insured against liability if used to compromise the corporate network.
-
Which device in a layered defense-in-depth approach denies connections initiated from untrusted networks to internal networks, but allows internal users within an organization to connect to untrusted networks?
- internal router
- IPS
- access layer switch
- firewall
Answers Explanation & Hints: A firewall is typically a second line of defense in a layered defense-in-depth approach to network security. The firewall typically connects to an edge router that connects to the service provider. The firewall tracks connections initiated within the company going out of the company and denies initiation of connections from external untrusted networks going to internal trusted networks.
-
A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication? (Choose two.)
- single process for authentication and authorization
- separate processes for authentication and authorization
- hidden passwords during transmission
- encryption for all communication
- encryption for only the data
-
A company has a file server that shares a folder named Public. The network security policy specifies that the Public folder is assigned Read-Only rights to anyone who can log into the server while the Edit rights are assigned only to the network admin group. Which component is addressed in the AAA network service framework?
- authentication
- accounting
- automation
- authorization
Answers Explanation & Hints: After a user is successfully authenticated (logged into the server), the authorization is the process of determining what network resources the user can access and what operations (such as read or edit) the user can perform.
-
Match the alert classification with the description.
-
What are the three core functions provided by the Security Onion? (Choose three.)
- business continuity planning
- alert analysis
- security device management
- threat containment
- intrusion detection
- full packet capture
Answers Explanation & Hints: Security Onion is an open source suite of Network Security Monitoring (NSM) tools for evaluating cybersecurity alerts. For cybersecurity analysts the Security Onion provides full packet capture, network-based and host-based intrusion detection systems, and alert analysis tools.
-
What best describes the security threat of spoofing?
- sending bulk email to individuals, lists, or domains with the intention to prevent users from accessing email
- intercepting traffic between two hosts or inserting false information into traffic between two hosts
- making data appear to come from a source that is not the actual source
- sending abnormally large amounts of data to a remote server to prevent user access to the server services
-
What is a property of the ARP table on a device?
- Every operating system uses the same timer to remove old entries from the ARP cache.
- Entries in an ARP table are time-stamped and are purged after the timeout expires.
- Static IP-to-MAC address entries are removed dynamically from the ARP table.
- Windows operating systems store ARP cache entries for 3 minutes.
-
A newly created company has fifteen Windows 10 computers that need to be installed before the company can open for business. What is a best practice that the technician should implement when configuring the Windows Firewall?
- The technician should create instructions for corporate users on how to allow an app through the Windows Firewall using the Administrator account.
- The technician should remove all default firewall rules and selectively deny traffic from reaching the company network.
- The technician should enable the Windows Firewall for inbound traffic and install other firewall software for outbound traffic control.
- After implementing third party security software for the company, the technician should verify that the Windows Firewall is disabled.
Answers Explanation & Hints: Only disable Windows Firewall if other firewall software is installed. Use the Windows Firewall (Windows 7 or 8) or the Windows Defender Firewall (Windows 10) Control Panel to enable or disable the Windows Firewall.
-
Match the Windows 10 Registry key with its description. (Not all options are used.)
-
What is a characteristic of a Trojan horse as it relates to network security?
- Malware is contained in a seemingly legitimate executable program.
- Extreme quantities of data are sent to a particular network device interface.
- Too much information is destined for a particular memory block, causing additional memory areas to be affected.
- An electronic dictionary is used to obtain a password to be used to infiltrate a key network device.
Answers Explanation & Hints: A Trojan horse carries out malicious operations under the guise of a legitimate program. Denial of service attacks send extreme quantities of data to a particular host or network device interface. Password attacks use electronic dictionaries in an attempt to learn passwords. Buffer overflow attacks exploit memory buffers by sending too much information to a host to render the system inoperable.
-
What technique is used in social engineering attacks?
- man-in-the-middle
- phishing
- buffer overflow
- sending junk email
Answers Explanation & Hints: A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or to share personal or financial information.
-
What are two evasion techniques that are used by hackers? (Choose two.)
- phishing
- Trojan horse
- reconnaissance
- rootkit
- pivot
Answers Explanation & Hints: The following methods are used by hackers to avoid detection:
- Encryption and tunneling – hide or scramble the malware content
- Resource exhaustion – keeps the host device too busy to detect the invasion
- Traffic fragmentation – splits the malware into multiple packets
- Protocol-level misinterpretation – sneaks by the firewall
- Pivot – uses a compromised network device to attempt access to another device
- Rootkit – allows the hacker to be undetected and hides software installed by the hacker
-
Refer to the exhibit. What solution can provide a VPN between site A and site B to support encapsulation of any Layer 3 protocol between the internal networks at each site?
- a GRE tunnel
- an IPsec tunnel
- Cisco SSL VPN
- a remote access tunnel
Answers Explanation & Hints: A Generic Routing Encapsulation (GRE) tunnel is a non-secure, site-to-site VPN tunneling solution that is capable of encapsulating any Layer 3 protocol between multiple sites across an IP internetwork. GRE provides no confidentiality or integrity on its own; when those are required, the GRE tunnel is typically carried inside IPsec.
-
What are two drawbacks to using HIPS? (Choose two.)
- With HIPS, the success or failure of an attack cannot be readily determined.
- If the network traffic stream is encrypted, HIPS is unable to access unencrypted forms of the traffic.
- HIPS installations are vulnerable to fragmentation attacks or variable TTL attacks.
- HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network.
- With HIPS, the network administrator must verify support for all the different operating systems used in the network.
-
What are three functions provided by the syslog service? (Choose three.)
- to gather logging information for monitoring and troubleshooting
- to provide statistics on packets that are flowing through a Cisco device
- to periodically poll agents for data
- to specify the destinations of captured messages
- to provide traffic analysis
- to select the type of logging information that is captured
Answers Explanation & Hints: There are three primary functions provided by the syslog service:
- gathering logging information
- selection of the type of information to be logged
- selection of the destination of the logged information
-
A technician needs to verify file permissions on a specific Linux file. Which command would the technician use?
- sudo
- cd
- vi
- ls -l
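Reading the mode string that ls -l prints is the part of this question that matters in practice. The following added example (not part of the exam page) parses constructed ls -l output, converts each mode string to its octal value including the setuid, setgid and sticky bits, and lists the permission settings an analyst would want a second look at.

```python
import re

# Added example (not from the exam page). Constructed sample output in the
# layout GNU coreutils `ls -l` prints.
SAMPLE_LS_L = """\
-rw-r--r-- 1 root root    1260 Jun 17 10:02 /etc/passwd
-rw-r----- 1 root shadow  1011 Jun 17 10:02 /etc/shadow
-rwsr-xr-x 1 root root   68208 Jun 17 10:02 /usr/bin/passwd
-rwxrwxrwx 1 app  app     4096 Jun 17 10:02 /opt/app/run.sh
drwxrwxrwt 2 root root    4096 Jun 17 10:02 /tmp
-rw-rw-rw- 1 app  app      512 Jun 17 10:02 /opt/app/config.ini
"""

# type, 9 permission chars, optional ACL/SELinux marker, links, owner, group,
# size, month, day, time-or-year, path
LS_LINE = re.compile(
    r"^([-dlcbps])([rwxsStT-]{9})[.+@]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)

def mode_to_octal(perm: str) -> int:
    """'rwsr-xr-x' -> 0o4755. 's'/'S' in the owner or group execute slot is
    setuid/setgid, 't'/'T' in the other execute slot is the sticky bit; the
    lowercase form means the execute bit is also set."""
    if len(perm) != 9:
        raise ValueError("permission string must be 9 characters")
    special = 0
    bits = 0
    for i, ch in enumerate(perm):
        bit = 1 << (8 - i)
        if ch in "rwx":
            bits |= bit
        elif ch in "sS" and i in (2, 5):
            special |= 0o4000 if i == 2 else 0o2000
            if ch == "s":
                bits |= bit
        elif ch in "tT" and i == 8:
            special |= 0o1000
            if ch == "t":
                bits |= bit
        elif ch != "-":
            raise ValueError(f"unexpected permission character {ch!r} at position {i}")
    return special | bits

def parse_ls_l(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue                    # e.g. the 'total N' header line
        ftype, perm, owner, group, path = m.groups()
        entries.append({"type": ftype, "perm": perm, "mode": mode_to_octal(perm),
                        "owner": owner, "group": group, "path": path})
    return entries

def audit(entries) -> list:
    """Return (path, finding) pairs for settings worth a second look."""
    findings = []
    for e in entries:
        mode = e["mode"]
        if mode & 0o4000:
            findings.append((e["path"], "setuid"))
        if mode & 0o2000:
            findings.append((e["path"], "setgid"))
        # World-writable, except a sticky directory such as /tmp where that is expected.
        if mode & 0o002 and not (e["type"] == "d" and mode & 0o1000):
            findings.append((e["path"], "world-writable"))
    return findings

if __name__ == "__main__":
    for path, finding in audit(parse_ls_l(SAMPLE_LS_L)):
        print(f"{finding:15s} {path}")
```

On a live system the same check is `ls -l <file>` followed by reading the first ten characters; `stat -c '%a %n' <file>` prints the octal form directly if that is easier to compare against a policy.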
-
Why would a network administrator choose Linux as an operating system in the Security Operations Center (SOC)?
- It is easier to use than other server operating systems.
- The administrator has control over specific security functions, but not standard applications.
- More network applications are created for this environment.
- It can be acquired at no charge.
-
A client application needs to terminate a TCP communication session with a server. Place the termination process steps in the order that they will occur. (Not all options are used.)
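This question and the earlier host A / server B one cover the same four-segment close. Since the matching exhibits are not reproduced here, the following added example (not part of the exam page) models the termination as a small state machine with the RFC 793 state names, so the segments and the state each side passes through can be stepped through in code. The host names are placeholders.

```python
# Added example (not from the exam page): TCP connection termination as a
# state machine. State and event names follow RFC 793.

TRANSITIONS = {
    # (current state, event): (next state, segment to send or None)
    ("ESTABLISHED", "close"):    ("FIN_WAIT_1", "FIN"),
    ("ESTABLISHED", "recv FIN"): ("CLOSE_WAIT", "ACK"),
    ("FIN_WAIT_1", "recv ACK"):  ("FIN_WAIT_2", None),
    ("FIN_WAIT_1", "recv FIN"):  ("CLOSING", "ACK"),       # simultaneous close
    ("FIN_WAIT_2", "recv FIN"):  ("TIME_WAIT", "ACK"),
    ("CLOSING", "recv ACK"):     ("TIME_WAIT", None),
    ("CLOSE_WAIT", "close"):     ("LAST_ACK", "FIN"),
    ("LAST_ACK", "recv ACK"):    ("CLOSED", None),
    ("TIME_WAIT", "timeout"):    ("CLOSED", None),          # 2*MSL timer expires
}

def is_valid_event(state: str, event: str) -> bool:
    return (state, event) in TRANSITIONS

class Endpoint:
    def __init__(self, name: str):
        self.name = name
        self.state = "ESTABLISHED"

    def step(self, event: str):
        """Apply one event; anything not in the table is a protocol violation."""
        if not is_valid_event(self.state, event):
            raise ValueError(f"{self.name}: '{event}' is not valid in {self.state}")
        self.state, segment = TRANSITIONS[(self.state, event)]
        return segment

def deliver(src: Endpoint, dst: Endpoint, segment: str, transcript: list):
    """Hand a segment to the receiver, record it, and return the receiver's reply."""
    reply = dst.step(f"recv {segment}")
    transcript.append((src.name, dst.name, segment, dst.state))
    return reply

def normal_termination(initiator="host A", responder="server B"):
    """Four-segment close: FIN, ACK, FIN, ACK. Returns the transcript as
    (sender, receiver, segment, receiver state after processing it)."""
    a, b = Endpoint(initiator), Endpoint(responder)
    transcript = []
    ack = deliver(a, b, a.step("close"), transcript)   # A: FIN_WAIT_1, B: CLOSE_WAIT
    deliver(b, a, ack, transcript)                     # A: FIN_WAIT_2
    ack = deliver(b, a, b.step("close"), transcript)   # B: LAST_ACK, A: TIME_WAIT
    deliver(a, b, ack, transcript)                     # B: CLOSED
    a.step("timeout")                                  # A: CLOSED after 2*MSL
    return transcript, a.state, b.state

def simultaneous_close():
    """Both sides call close() before seeing the other's FIN (the CLOSING state)."""
    a, b = Endpoint("host A"), Endpoint("host B")
    transcript = []
    fin_a, fin_b = a.step("close"), b.step("close")
    ack_from_b = deliver(a, b, fin_a, transcript)      # B: CLOSING
    ack_from_a = deliver(b, a, fin_b, transcript)      # A: CLOSING
    deliver(b, a, ack_from_b, transcript)              # A: TIME_WAIT
    deliver(a, b, ack_from_a, transcript)              # B: TIME_WAIT
    return transcript, a.state, b.state

if __name__ == "__main__":
    transcript, _, _ = normal_termination()
    for sender, receiver, segment, state in transcript:
        print(f"{sender} -> {receiver}: {segment:4s} ({receiver} now {state})")
```

The side that closes first ends in TIME_WAIT, not CLOSED, until the 2*MSL timer runs out; that is why a server that initiates closes accumulates TIME_WAIT sockets, and why a stray FIN or ACK for a connection in the wrong state is a protocol violation a stateful firewall or IDS can reject rather than a segment to forward.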
-
Which protocol or service uses UDP for a client-to-server communication and TCP for server-to-server communication?
- DNS
- HTTP
- FTP
- SMTP
Answers Explanation & Hints: Some applications may use both TCP and UDP. DNS uses UDP when clients send requests to a DNS server, and TCP when two DNS servers directly communicate (for example, zone transfers).
-
Which two statements describe the characteristics of symmetric algorithms? (Choose two.)
- They provide confidentiality, integrity, and availability.
- They are commonly used with VPN traffic.
- They use a pair of a public key and a private key.
- They are referred to as a pre-shared key or secret key.
- They are commonly implemented in the SSL and SSH protocols.
Answers Explanation & Hints: Symmetric encryption algorithms use the same key (also called shared secret) to encrypt and decrypt the data. In contrast, asymmetric encryption algorithms use a pair of keys, one for encryption and another for decryption.
-
What are two properties of a cryptographic hash function? (Choose two.)
- The hash function is one way and irreversible.
- The input for a particular hash algorithm has to have a fixed size.
- Hash functions can be duplicated for authentication purposes.
- Complex inputs will produce complex hashes.
- The output is a fixed length.
-
Which two statements are characteristics of a virus? (Choose two.)
- A virus provides the attacker with sensitive data, such as passwords.
- A virus has an enabling vulnerability, a propagation mechanism, and a payload.
- A virus typically requires end-user activation.
- A virus replicates itself by independently exploiting vulnerabilities in networks.
- A virus can be dormant and then activate at a specific time or date.
Answers Explanation & Hints: The type of end user interaction required to launch a virus is typically opening an application, opening a web page, or powering on the computer. Once activated, a virus may infect other files located on the computer or other computers on the same network.
-
What is a network tap?
- a Cisco technology that provides statistics on packets flowing through a router or multilayer switch
- a passive device that forwards all traffic and physical layer errors to an analysis device
- a technology used to provide real-time reporting and long-term analysis of security events
- a feature supported on Cisco switches that enables the switch to copy frames and forward them to an analysis device
Answers Explanation & Hints: A network tap is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network and forwards all traffic, including physical layer errors, to an analysis device.
-
Which type of evidence cannot prove an IT security fact on its own?
- best
- corroborative
- indirect
- hearsay
Answers Explanation & Hints: Indirect evidence cannot prove a fact on its own, but direct evidence can. Corroborative evidence is supporting information. Best evidence is most reliable because it is something concrete such as a signed contract.
-
According to NIST, which step in the digital forensics process involves preparing and presenting information that resulted from scrutinizing data?
- examination
- collection
- reporting
- analysis
Answers Explanation & Hints: NIST describes the digital forensics process as involving the following four steps:
- Collection – the identification of potential sources of forensic data and acquisition, handling, and storage of that data
- Examination – assessing and extracting relevant information from the collected data. This may involve decompression or decryption of the data
- Analysis – drawing conclusions from the data. Salient features, such as people, places, times, events, and so on should be documented
- Reporting – preparing and presenting information that resulted from the analysis. Reporting should be impartial and alternative explanations should be offered if appropriate
-
What is privilege escalation?
- Everyone is given full rights by default to everything and rights are taken away only when someone abuses privileges.
- A security problem occurs when high ranking corporate officials demand rights to systems or files that they should not have.
- Vulnerabilities in systems are exploited to grant higher levels of privilege than someone or some process should have.
- Someone is given rights because she or he has received a promotion.
Answers Explanation & Hints: With privilege escalation, vulnerabilities are exploited to grant higher levels of privilege. After the privilege is granted, the threat actor can access sensitive information or take control of the system.
-
Which PDU format is used when bits are received from the network medium by the NIC of a host?
- frame
- segment
- packet
- file
Answers Explanation & Hints: When received at the physical layer of a host, the bits are formatted into a frame at the data link layer. A packet is the PDU at the network layer. A segment is the PDU at the transport layer. A file is a data structure that may be used at the application layer.
-
Which statement is correct about network protocols?
- They are only required for exchange of messages between devices on remote networks.
- Network protocols define the type of hardware that is used and how it is mounted in racks.
- They all function in the network access layer of TCP/IP.
- They define how messages are exchanged between the source and the destination.
Answers Explanation & Hints: Network protocols are implemented in hardware, or software, or both. They interact with each other within different layers of a protocol stack. Protocols have nothing to do with the installation of the network equipment. Network protocols are required to exchange information between source and destination devices in both local and remote networks.
-
Refer to the exhibit. A cybersecurity analyst is using Sguil to verify security alerts. How is the current view sorted?
- by sensor number
- by source IP
- by date/time
- by frequency
Answers Explanation & Hints: The CNT column, between the ST and Sensor columns, displays the frequency of alerts. By sorting with frequency, the analyst will get a better sense of what has happened on the network.
-
What are three characteristics of an information security management system? (Choose three.)
- It involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise.
- It consists of a management framework through which an organization identifies, analyzes, and addresses information security risks.
- It consists of a set of practices that are systematically applied to ensure continuous improvement in information security.
- It is a systematic and multilayered approach to cybersecurity.
- It addresses the inventory and control of hardware and software configurations of systems.
- It is based on the application of servers and security devices.
Answers Explanation & Hints: An Information Security Management System (ISMS) consists of a management framework through which an organization identifies, analyzes, and addresses information security risks. ISMSs are not based in servers or security devices. Instead, an ISMS consists of a set of practices that are systematically applied by an organization to ensure continuous improvement in information security. ISMSs provide conceptual models that guide organizations in planning, implementing, governing, and evaluating information security programs.
ISMSs are a natural extension of the use of popular business models, such as Total Quality Management (TQM) and Control Objectives for Information and Related Technologies (COBIT), into the realm of cybersecurity.
An ISMS is a systematic, multi-layered approach to cybersecurity. The approach includes people, processes, technologies, and the cultures in which they interact in a process of risk management.
-
In network security assessments, which type of test is used to evaluate the risk posed by vulnerabilities to a specific organization including assessment of the likelihood of attacks and the impact of successful exploits on the organization?
- vulnerability assessment
- risk analysis
- port scanning
- penetration testing
-
Which NIST Cybersecurity Framework core function is concerned with the development and implementation of safeguards that ensure the delivery of critical infrastructure services?
- protect
- recover
- detect
- identify
- respond
-
What is a characteristic of CybOX?
- It is the specification for an application layer protocol that allows the communication of CTI over HTTPS.
- It enables the real-time exchange of cyberthreat indicators between the U.S. Federal Government and the private sector.
- It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations.
- It is a set of specifications for exchanging cyberthreat information between organizations.
-
What part of the URL, http://www.cisco.com/index.html, represents the top-level DNS domain?
- index
- www
- http
- .com
Answers Explanation & Hints: The components of the URL http://www.cisco.com/index.html are as follows:
http = protocol
www = part of the server name
cisco = part of the domain name
index = file name
com = the top-level domain
-
In NAT terms, what address type refers to the globally routable IPv4 address of a destination host on the Internet?
- inside local
- outside local
- inside global
- outside global
Answers Explanation & Hints: From the perspective of a NAT device, inside global addresses are used by external users to reach internal hosts. Inside local addresses are the addresses assigned to internal hosts. Outside global addresses are the addresses of destinations on the external network. Outside local addresses are the actual private addresses of destination hosts behind other NAT devices.
-
A piece of malware has gained access to a workstation and issued a DNS lookup query to a CnC server. What is the purpose of this attack?
- to send stolen sensitive data with encoding
- to request a change of the IP address
- to masquerade the IP address of the workstation
- to check the domain name of the workstation
Answers Explanation & Hints: A piece of malware, after accessing a host, may exploit the DNS service by communicating with command-and-control (CnC) servers and then exfiltrate data in traffic disguised as normal DNS lookup queries. Various types of encoding, such as base64, 8-bit binary, and hex, can be used to camouflage the data and evade basic data loss prevention (DLP) measures.
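The explanation above describes malware hiding data inside DNS query names. As an added example, not part of the exam page or of Cisco's material, the following Python script shows the defender's side of that: a small heuristic that scores query names from a DNS log and flags the labels that look like encoded payloads (unusually long, hex-looking, or base64-looking with high entropy). The log lines, the domain names, the client addresses and the thresholds are constructed assumptions for illustration only.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the page): "time client qname".
# The two queries from 192.168.1.77 carry a base64-looking and a hex-looking
# label in front of a domain, the pattern the explanation above describes.
SAMPLE_QUERIES = [
    "10:00:01 192.168.1.50 www.cisco.com",
    "10:00:02 192.168.1.50 mail.example.org",
    "10:00:03 192.168.1.77 aGVsbG8gd29ybGQgdGhpcyBpcyBzZWNyZXQ.cnc.example.net",
    "10:00:04 192.168.1.77 48656c6c6f20576f726c6420636f6e66696421.cnc.example.net",
    "10:00:05 192.168.1.50 cdn.example.com",
]

# Thresholds are assumptions for this example; tune them against your own baseline.
LONG_LABEL = 30          # a single DNS label this long is rare in legitimate names
ENCODED_MIN_LEN = 20     # shorter labels give too little signal to judge
BASE64_ENTROPY = 3.5     # bits per character; base64 payloads sit well above this

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty or uniform string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    length = len(text)
    return -sum((c / length) * math.log2(c / length) for c in counts.values())


def label_reasons(label: str):
    """Return the list of rules a single DNS label trips (empty if it looks benign)."""
    reasons = []
    if len(label) >= LONG_LABEL:
        reasons.append("long-label")
    if len(label) >= ENCODED_MIN_LEN:
        # Hex uses at most 16 symbols, so its entropy stays low (roughly 3.2 bits
        # for English text encoded as hex); an entropy test alone would miss it,
        # hence the explicit alphabet check before the entropy check.
        if HEX_RE.match(label):
            reasons.append("hex-like")
        elif BASE64_RE.match(label) and shannon_entropy(label) >= BASE64_ENTROPY:
            reasons.append("base64-like")
    return reasons


def score_query(qname: str):
    """Score a query name: longest label, its entropy and the rules it trips."""
    labels = qname.rstrip(".").split(".")
    longest = max(labels, key=len)
    reasons = []
    for label in labels:
        reasons.extend(r for r in label_reasons(label) if r not in reasons)
    return {
        "qname": qname,
        "longest_label_len": len(longest),
        "entropy": round(shannon_entropy(longest), 2),
        "reasons": reasons,
    }


def parse_line(line: str):
    """Split a constructed 'time client qname' log line into its fields."""
    time, client, qname = line.split()
    return {"time": time, "client": client, "qname": qname}


def find_suspicious(lines):
    """Return scored records for every query that trips at least one rule."""
    hits = []
    for line in lines:
        record = parse_line(line)
        score = score_query(record["qname"])
        if score["reasons"]:
            hits.append({**record, **score})
    return hits


def suspicious_by_client(lines):
    """Count flagged queries per client; a host with many hits deserves a look."""
    counts = defaultdict(int)
    for hit in find_suspicious(lines):
        counts[hit["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_QUERIES):
        print(hit["time"], hit["client"], hit["qname"], hit["reasons"])
    print(suspicious_by_client(SAMPLE_QUERIES))
```

Two design points are worth noting. Hex-encoded data has a small alphabet, so its per-character entropy is lower than base64 and an entropy threshold alone would miss it; the alphabet check is what catches it. Long labels also occur in legitimate traffic (content delivery networks and anti-spam lookups are common sources), so treat the per-client count as a triage signal to confirm against full packet capture, not as a verdict.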
-
What are two ways that ICMP can be a security threat to a company? (Choose two.)
- by corrupting network IP data packets
- by providing a conduit for DoS attacks
- by the infiltration of web pages
- by collecting information about a network
- by corrupting data between email servers and email recipients
Answers Explanation & Hints: ICMP can be used as a conduit for DoS attacks. It can also be used to collect information about a network, such as the identification of hosts and network structure, and to determine the operating systems being used on the network.
-
Which three IPv4 header fields have no equivalent in an IPv6 header? (Choose three.)
- fragment offset
- flag
- protocol
- version
- identification
- TTL
Answers Explanation & Hints: Unlike IPv4, IPv6 routers do not perform fragmentation. Therefore, all three fields supporting fragmentation in the IPv4 header are removed and have no equivalent in the IPv6 header. These three fields are fragment offset, flag, and identification. IPv6 does support host packet fragmentation through the use of extension headers, which are not part of the IPv6 header.
-
A technician is troubleshooting a network connectivity problem. Pings to the local wireless router are successful but pings to a server on the Internet are unsuccessful. Which CLI command could assist the technician to find the location of the networking problem?
- ipconfig
- ipconfig/renew
- tracert
- msconfig
Answers Explanation & Hints: The tracert utility (also known as the tracert command or tracert tool) will enable the technician to locate the link to the server that is down. The ipconfig command displays the computer network configuration details. The ipconfig/renew command requests an IP address from a DHCP server. Msconfig is not a network troubleshooting command.
-
Which ICMPv6 message type provides network addressing information to hosts that use SLAAC?
- neighbor solicitation
- neighbor advertisement
- router solicitation
- router advertisement
-
Refer to the exhibit. The switches have a default configuration. Host A needs to communicate with host D, but host A does not have the MAC address for the default gateway. Which network devices will receive the ARP request sent by host A?
CyberOps Associate (Version 1.0) – CyberOps Associate 1.0 Final exam Answers 04
- only hosts B and C
- only router R1
- only hosts A, B, and C
- only hosts B, C, and router R1
- only host D
- only hosts A, B, C, and D
-
Refer to the exhibit. A cybersecurity analyst is viewing packets forwarded by switch S2. What addresses will identify frames containing data sent from PCA to PCB?
CyberOps Associate (Version 1.0) – CyberOps Associate 1.0 Final exam Answers 05
- Src IP: 192.168.1.212
Src MAC: 00-60-0F-B1-33-33
Dst IP: 192.168.2.101
Dst MAC: 08-CB-8A-5C-BB-BB
- Src IP: 192.168.1.212
Src MAC: 01-90-C0-E4-AA-AA
Dst IP: 192.168.2.101
Dst MAC: 08-CB-8A-5C-BB-BB
- Src IP: 192.168.2.1
Src MAC: 00-60-0F-B1-33-33
Dst IP: 192.168.2.101
Dst MAC: 08-CB-8A-5C-BB-BB
- Src IP: 192.168.1.212
Src MAC: 00-60-0F-B1-33-33
Dst IP: 192.168.2.101
Dst MAC: 00-D0-D3-BE-00-00
Answers Explanation & Hints: When a message sent from PCA to PCB reaches router R2, some frame header fields will be rewritten by R2 before forwarding to switch S2. The frames will contain the source MAC address of router R2 and the destination MAC address of PCB. The frames will retain the original IPv4 addressing applied by PCA, which is the IPv4 address of PCA as the source address and the IPv4 address of PCB as the destination.
- Src IP: 192.168.1.212
-
Which three IP addresses are considered private addresses? (Choose three.)
- 172.17.254.4
- 128.37.255.6
- 10.234.2.1
- 198.168.6.18
- 172.68.83.35
- 192.168.5.29
-
An administrator wants to create four subnetworks from the network address 192.168.1.0/24. What is the network address and subnet mask of the second usable subnet?
- subnetwork 192.168.1.32, subnet mask 255.255.255.240
- subnetwork 192.168.1.64, subnet mask 255.255.255.192
- subnetwork 192.168.1.128, subnet mask 255.255.255.192
- subnetwork 192.168.1.8, subnet mask 255.255.255.224
- subnetwork 192.168.1.64, subnet mask 255.255.255.240
- subnetwork 192.168.1.32
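The private-address question and the subnetting question above are both mechanical checks that are easy to get wrong by hand. As an added example, not part of the exam page or of Cisco's material, this Python script does both with the standard-library ipaddress module: it tests the six candidate addresses against the three RFC 1918 ranges, and it splits 192.168.1.0/24 into four equal subnets and describes each one (network, mask, usable host range, broadcast). The candidate addresses are taken from the question; the function names are this example's own.

```python
import ipaddress

# Constructed sample input: the six candidate addresses from the private-address question.
CANDIDATE_ADDRESSES = [
    "172.17.254.4",
    "128.37.255.6",
    "10.234.2.1",
    "198.168.6.18",
    "172.68.83.35",
    "192.168.5.29",
]

# The three RFC 1918 private ranges, spelled out explicitly. The is_private
# attribute in ipaddress is wider (it also covers loopback, link-local,
# documentation and other reserved ranges), so for the question "is this an
# RFC 1918 address?" we test membership in these networks directly.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(address: str) -> bool:
    """True if the IPv4 address falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918_NETWORKS)


def private_addresses(addresses):
    """Return the subset of addresses that are RFC 1918 private addresses."""
    return [a for a in addresses if is_rfc1918(a)]


def split_into_subnets(network: str, count: int):
    """Split a network into `count` equal subnets (count must be a power of two).

    Four subnets need two borrowed host bits, so a /24 becomes four /26s.
    """
    if count < 1 or count & (count - 1):
        raise ValueError("count must be a power of two")
    borrowed_bits = (count - 1).bit_length()
    net = ipaddress.ip_network(network, strict=True)
    return list(net.subnets(prefixlen_diff=borrowed_bits))


def describe(subnet):
    """Summarise a subnet: network, mask, broadcast and usable host range."""
    return {
        "network": str(subnet.network_address),
        "prefix": subnet.prefixlen,
        "mask": str(subnet.netmask),
        "first_host": str(subnet.network_address + 1),
        "last_host": str(subnet.broadcast_address - 1),
        "broadcast": str(subnet.broadcast_address),
        "usable_hosts": subnet.num_addresses - 2,
    }


def nth_subnet(network: str, count: int, n: int):
    """Describe the n-th (1-based) subnet when `network` is split `count` ways."""
    return describe(split_into_subnets(network, count)[n - 1])


if __name__ == "__main__":
    print("RFC 1918 addresses:", private_addresses(CANDIDATE_ADDRESSES))
    for sub in split_into_subnets("192.168.1.0/24", 4):
        print(describe(sub))
    print("second subnet:", nth_subnet("192.168.1.0/24", 4, 2))
```

The explicit RFC 1918 list matters in practice: 172.68.83.35 looks private at a glance but 172.16.0.0/12 only spans 172.16.0.0 through 172.31.255.255, and 198.168.6.18 is a transposition of 192.168 that the eye easily accepts. The same membership test is what an egress filter or a log-enrichment step would use to decide whether a source address belongs to the internal range.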
-
A user opens three browsers on the same PC to access www.cisco.com to search for certification course information. The Cisco web server sends a datagram as a reply to the request from one of the web browsers. Which information is used by the TCP/IP protocol stack in the PC to identify which of the three web browsers should receive the reply?
- the source IP address
- the destination port number
- the source port number
- the destination IP address
Answers Explanation & Hints: Each web browser client application opens a randomly generated port number in the range of the registered ports and uses this number as the source port number in the datagram that it sends to a server. The server then uses this port number as the destination port number in the reply datagram that it sends to the web browser. The PC that is running the web browser application receives the datagram and uses the destination port number that is contained in this datagram to identify the client application.
-
A cybersecurity analyst needs to collect alert data. What are three detection tools to perform this task in the Security Onion architecture? (Choose three.)
- Wazuh
- CapME
- Zeek
- Kibana
- Sguil
- Wireshark
-
Match the attack to the definition. (Not all options are used.)
CyberOps Associate (Version 1.0) – CyberOps Associate 1.0 Final exam Answers 014 -
What debugging security tool can be used by black hats to reverse engineer binary files when writing exploits?
- WinDbg
- Firesheep
- AIDE
- Skipfish
-
Which two net commands are associated with network resource sharing? (Choose two.)
- net start
- net accounts
- net share
- net stop
- net use
Answers Explanation & Hints: The net command is a very important command. Some common net commands include these:
- net accounts – sets password and logon requirements for users
- net session – lists or disconnects sessions between a computer and other computers on the network
- net share – creates, removes, or manages shared resources
- net start – starts a network service or lists running network services
- net stop – stops a network service
- net use – connects, disconnects, and displays information about shared network resources
- net view – shows a list of computers and network devices on the network
-
Match the attack surface with attack exploits.
CyberOps Associate (Version 1.0) – CyberOps Associate 1.0 Final exam Answers 015 -
What is a key difference between the data captured by NetFlow and data captured by Wireshark?
- NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.
- NetFlow provides transaction data whereas Wireshark provides session data.
- NetFlow data shows network flow contents whereas Wireshark data shows network flow statistics.
- NetFlow data is analyzed by tcpdump whereas Wireshark data is analyzed by nfdump .
Answers Explanation & Hints: Wireshark captures the entire contents of a packet. NetFlow does not. Instead, NetFlow collects metadata, or data about the flow.
-
Match the network monitoring data type with the description.
CyberOps Associate (Version 1.0) – CyberOps Associate 1.0 Final exam Answers 016 -
Which two options are window managers for Linux? (Choose two.)
- File Explorer
- Kali
- Gnome
- PenTesting
- KDE
-
Which method can be used to harden a device?
- allow USB auto-detection
- maintain use of the same passwords
- use SSH and disable the root account access over SSH
- allow default services to remain enabled
Answers Explanation & Hints: The basic best practices for device hardening are as follows:
Ensure physical security.
Minimize installed packages.
Disable unused services.
Use SSH and disable the root account login over SSH.
Keep the system updated.
Disable USB auto-detection.
Enforce strong passwords.
Force periodic password changes.
Keep users from re-using old passwords.
Review logs regularly.
-
What are two uses of an access control list? (Choose two.)
- ACLs can control which areas a host can access on a network.
- Standard ACLs can restrict access to specific applications and ports.
- ACLs provide a basic level of security for network access.
- ACLs can permit or deny traffic based upon the MAC address originating on the router.
- ACLs assist the router in determining the best path to a destination.
Answers Explanation & Hints: ACLs can be used for the following:
- Limit network traffic in order to provide adequate network performance
- Restrict the delivery of routing updates
- Provide a basic level of security
- Filter traffic based on the type of traffic being sent
- Filter traffic based on IP addressing
-
Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)
- SIP support
- 802.1X support
- password encryption
- utilization of transport layer protocols
- separate authentication and authorization processes
Answers Explanation & Hints: Both TACACS+ and RADIUS support password encryption (TACACS+ encrypts all communication) and use Layer 4 protocols (TACACS+ uses TCP and RADIUS uses UDP). TACACS+ supports separation of the authentication and authorization processes, while RADIUS combines authentication and authorization into one process. RADIUS supports remote access technology, such as 802.1x and SIP; TACACS+ does not.
-
Which approach can help block potential malware delivery methods, as described in the Cyber Kill Chain model, on an Internet-facing web server?
- Audit the web server to forensically determine the origin of exploit.
- Collect malware files and metadata for future analysis.
- Build detections for the behavior of known malware.
- Analyze the infrastructure storage path used for files.
Answers Explanation & Hints: A threat actor may send the weapon through web interfaces to the target server, either in file uploads or coded web requests. By analyzing the infrastructure storage path used for files, security measures can be implemented to monitor and detect malware deliveries through these methods.
-
In the NIST incident response process life cycle, which type of attack vector involves the use of brute force against devices, networks, or services?
- loss or theft
- media
- impersonation
- attrition
Answers Explanation & Hints: Common attack vectors include media, attrition, impersonation, and loss or theft. Attrition attacks are any attacks that use brute force. Media attacks are those initiated from storage devices. Impersonation attacks occur when something or someone is replaced for the purpose of the attack, and loss or theft attacks are initiated by equipment inside the organization.
-
What two assurances does digital signing provide about code that is downloaded from the Internet? (Choose two.)
- The code has not been modified since it left the software publisher.
- The code is authentic and is actually sourced by the publisher.
- The code was encrypted with both a private and public key.
- The code contains no viruses.
- The code contains no errors.
Answers Explanation & Hints: Digitally signing code provides several assurances about the code:
The code is authentic and is actually sourced by the publisher.
The code has not been modified since it left the software publisher.
The publisher undeniably published the code. This provides nonrepudiation of the act of publishing.
-
When a user visits an online store website that uses HTTPS, the user browser queries the CA for a CRL. What is the purpose of this query?
- to check the length of key used for the digital certificate
- to negotiate the best encryption to use
- to request the CA self-signed digital certificate
- to verify the validity of the digital certificate
Answers Explanation & Hints: A digital certificate must be revoked if it is invalid. CAs maintain a certificate revocation list (CRL), a list of revoked certificate serial numbers that have been invalidated. The user browser will query the CRL to verify the validity of a certificate.
-
Match the tabs of the Windows 10 Task Manager to their functions. (Not all options are used.)
CyberOps Associate (Version 1.0) – CyberOps Associate 1.0 Final exam Answers 017 -
What are two potential network problems that can result from ARP operation? (Choose two.)
- Network attackers could manipulate MAC address and IP address mappings in ARP messages with the intent of intercepting network traffic.
- Manually configuring static ARP associations could facilitate ARP poisoning or MAC address spoofing.
- Multiple ARP replies result in the switch MAC address table containing entries that match the MAC addresses of hosts that are connected to the relevant switch port.
- Large numbers of ARP request broadcasts could cause the host MAC address table to overflow and prevent the host from communicating on the network.
- On large networks with low bandwidth, multiple ARP broadcasts could cause data communication delays.
-
What is a disadvantage of DDNS?
- DDNS is considered malignant and must be monitored by security software.
- DDNS is unable to co-exist on a network subdomain that also uses DNS.
- Using DDNS, a change in an existing IP address mapping can take over 24 hours and could result in a disruption of connectivity.
- Using free DDNS services, threat actors can quickly and easily generate subdomains and change DNS records.
-
Which host-based firewall uses a three-profile approach to configure the firewall functionality?
- TCP Wrapper
- nftables
- iptables
- Windows Firewall
Answers Explanation & Hints: Windows Firewall uses a profile-based approach to configuring firewall functionality. It uses three profiles, Public, Private, and Domain, to define firewall functions.
-
What is the benefit of converting log file data into a common schema?
- allows easy processing and analysis of datasets
- creates a data model based on fields of data from a source
- allows the implementation of partial normalization and inspection
- creates a set of regex-based field extractions
Answers Explanation & Hints: When data is converted into a universal format, it can be effectively structured for performing fast queries and event analysis.
-
Which core open source component of the Elastic-stack is responsible for accepting the data in its native format and making elements of the data consistent across all sources?
- Beats
- Elasticsearch
- Kibana
- Logstash
-
A client is using SLAAC to obtain an IPv6 address for the interface. After an address has been generated and applied to the interface, what must the client do before it can begin to use this IPv6 address?
- It must wait for an ICMPv6 Router Advertisement message giving permission to use this address.
- It must send an ICMPv6 Neighbor Solicitation message to ensure that the address is not already in use on the network.
- It must send an ICMPv6 Router Solicitation message to request the address of the DNS server.
- It must send an ICMPv6 Router Solicitation message to determine what default gateway it should use.
Answers Explanation & Hints: Stateless DHCPv6 or stateful DHCPv6 uses a DHCP server, but Stateless Address Autoconfiguration (SLAAC) does not. A SLAAC client can automatically generate an address that is based on information from local routers via Router Advertisement (RA) messages. Once an address has been assigned to an interface via SLAAC, the client must ensure via Duplicate Address Detection (DAD) that the address is not already in use. It does this by sending out an ICMPv6 Neighbor Solicitation message and listening for a response. If a response is received, then it means that another device is already using this address.
-
Which step in the Vulnerability Management Life Cycle determines a baseline risk profile to eliminate risks based on asset criticality, vulnerability threat, and asset classification?
- assess
- discover
- verify
- prioritize assets
Answers Explanation & Hints: The steps in the Vulnerability Management Life Cycle include these:
- Discover – inventory all assets across the network and identify host details, including operating systems and open services, to identify vulnerabilities
- Prioritize assets – categorize assets into groups or business units, and assign a business value to asset groups based on their criticality to business operations
- Assess – determine a baseline risk profile to eliminate risks based on asset criticality, vulnerability threats, and asset classification
- Report – measure the level of business risk associated with assets according to security policies. Document a security plan, monitor suspicious activity, and describe known vulnerabilities.
- Remediate – prioritize according to business risk and fix vulnerabilities in order of risk
- Verify – verify that threats have been eliminated through follow-up audits
-
The IT security personnel of an organization notice that the web server deployed in the DMZ is frequently targeted by threat actors. The decision is made to implement a patch management system to manage the server. Which risk management strategy method is being used to respond to the identified risk?
- risk sharing
- risk retention
- risk reduction
- risk avoidance
Answers Explanation & Hints: There are four potential strategies for responding to risks that have been identified:
Risk avoidance – Stop performing the activities that create risk.
Risk reduction – Decrease the risk by taking measures to reduce vulnerability.
Risk sharing – Shift some of the risk to other parties.
Risk retention – Accept the risk and its consequences.
-
Match the server profile element to the description. (Not all options are used.)
CyberOps Associate (Version 1.0) – CyberOps Associate 1.0 Final exam Answers 018 -
Match the network service with the description.
CyberOps Associate (Version 1.0) – CyberOps Associate 1.0 Final exam Answers 019 -
A help desk technician notices an increased number of calls relating to the performance of computers located at the manufacturing plant. The technician believes that botnets are causing the issue. What are two purposes of botnets? (Choose two.)
- to transmit viruses or spam to computers on the same network
- to record any and all keystrokes
- to withhold access to a computer or files until money has been paid
- to attack other computers
- to gain access to the restricted part of the operating system
Answers Explanation & Hints: Botnets can be used to perform DDoS attacks, obtain data, or transmit malware to other devices on the network.
-
Which two data types would be classified as personally identifiable information (PII)? (Choose two.)
- house thermostat reading
- hospital emergency use per region
- average number of cattle per region
- vehicle identification number
- Facebook photographs
-
Which statement defines the difference between session data and transaction data in logs?
- Session data is used to make predictions on network behaviors, whereas transaction data is used to detect network anomalies.
- Session data shows the result of a network session, whereas transaction data is in response to network threat traffic.
- Session data records a conversation between hosts, whereas transaction data focuses on the result of network sessions.
- Session data analyzes network traffic and predicts network behavior, whereas transaction data records network sessions.
-
An administrator discovers that a user is accessing a newly established website that may be detrimental to company security. What action should the administrator take first in terms of the security policy?
- Ask the user to stop immediately and inform the user that this constitutes grounds for dismissal.
- Revise the AUP immediately and get all users to sign the updated AUP.
- Create a firewall rule blocking the respective website.
- Immediately suspend the network privileges of the user.
-
Which Cisco sponsored certification is designed to provide the first step in acquiring the knowledge and skills to work with a SOC team?
- CCNA Data Center
- CCNA CyberOps Associate
- CCNA Cloud
- CCNA Security
-
What are the two methods that a wireless NIC can use to discover an AP? (Choose two.)
- transmitting a probe request
- sending an ARP request broadcast
- initiating a three-way handshake
- receiving a broadcast beacon frame
- sending a multicast frame
Answers Explanation & Hints: Two methods can be used by a wireless device to discover and register with an access point: passive mode and active mode. In passive mode, the AP sends a broadcast beacon frame that contains the SSID and other wireless settings. In active mode, the wireless device must be manually configured for the SSID, and then the device broadcasts a probe request.
-
What term describes a set of software tools designed to increase the privileges of a user or to grant access to the user to portions of the operating system that should not normally be allowed?
- compiler
- penetration testing
- package manager
- rootkit
Answers Explanation & Hints: A rootkit is used by an attacker to secure a backdoor to a compromised computer, grant access to portions of the operating system normally not permitted, or increase the privileges of a user.
-
A client device has initiated a secure HTTP request to a web browser. Which well-known port address number is associated with the destination address?
- 110
- 80
- 443
- 404
Answers Explanation & Hints: Port numbers are used in TCP and UDP communications to differentiate between the various services running on a device. The well-known port number used by HTTPS is port 443.
-
Match the monitoring tool to the definition.
CyberOps Associate (Version 1.0) – CyberOps Associate 1.0 Final exam Answers 020 -
A network administrator is reviewing server alerts because of reports of network slowness. The administrator confirms that an alert was an actual security incident. What is the security alert classification of this type of scenario?
- true negative
- false negative
- false positive
- true positive
-
Match the common network technology or protocol with the description. (Not all options are used.)
CyberOps Associate (Version 1.0) – CyberOps Associate 1.0 Final exam Answers 021 -
A user is executing a tracert to a remote device. At what point would a router, which is in the path to the destination device, stop forwarding the packet?
- when the RTT value reaches zero
- when the value in the TTL field reaches zero
- when the router receives an ICMP Time Exceeded message
- when the host responds with an ICMP Echo Reply message
- when the values of both the Echo Request and Echo Reply messages reach zero
Answers Explanation & Hints: When a router receives a traceroute packet, the value in the TTL field is decremented by 1. When the value in the field reaches zero, the receiving router will not forward the packet, and will send an ICMP Time Exceeded message back to the source.