Last Updated on June 14, 2021 by InfraExam

CyberOps Associate 1.0 Practice Final Exam Answers Full 100% 2021

  1. Users report that a database file on the main server cannot be accessed. A database administrator verifies the issue and notices that the database file is now encrypted. The organization receives a threatening email demanding payment for the decryption of the database file. What type of attack has the organization experienced?

    • DoS attack
    • man-in-the-middle attack
    • ransomware
    • Trojan horse
      Answers Explanation & Hints:

      A cybersecurity specialist needs to be familiar with the characteristics of the different types of malware and attacks that threaten an organization.

  2. What two kinds of personal information can be sold on the dark web by cybercriminals? (Choose two.)

    • city of residence
    • Facebook photos
    • name of a pet
    • street address
    • name of a bank
      Answers Explanation & Hints:

      Personally identifiable information (PII) is any information that can be used to positively identify an individual. Examples of PII include the following:

      Social security number
      Credit card numbers
      Bank account numbers
      Facebook information
      Address information (street, email, phone numbers).

  3. Match the job titles to SOC personnel positions. (Not all options are used.)

    CyberOps Associate (Version 1.0) - CyberOps Associate 1.0 Practice Final Exam Answers 001
  4. How does a security information and event management system (SIEM) in a SOC help the personnel fight against security threats?

    • by analyzing logging data in real time
    • by dynamically implementing firewall rules
    • by combining data from multiple technologies
    • by integrating all security devices and appliances in an organization
      Answers Explanation & Hints:

      A security information and event management system (SIEM) combines data from multiple sources to help SOC personnel collect and filter data, detect and classify threats, analyze and investigate threats, and manage resources to implement preventive measures.

  5. Which statement describes the state of the administrator and guest accounts after a user installs a Windows desktop version on a new computer?

    • By default, both the administrator and guest accounts are enabled.
    • By default, both the administrator and guest accounts are disabled.
    • By default, the administrator account is enabled but the guest account is disabled.
    • By default, the guest account is enabled but the administrator account is disabled.
      Answers Explanation & Hints:

      When a user installs a Windows desktop version, two local user accounts, administrator and guest, are created automatically during the process. Both accounts are disabled by default.

  6. What is a purpose of entering the nslookup command on a Windows PC?

    • to connect to the Cisco server
    • to test if the Cisco server is reachable
    • to check if the DNS service is running
    • to discover the transmission time needed to reach the Cisco server
      Answers Explanation & Hints:

      The nslookup command queries DNS servers to find out the IP address or addresses associated with the domain name. A successful result indicates that the DNS configuration on the PC is functional, and also displays the IP address for the domain name. The command does not try to connect to the actual Cisco host directly.

  7. Which two actions can be taken when configuring Windows Firewall? (Choose two.)

    • Enable MAC address authentication.
    • Turn on port screening.
    • Manually open ports that are required for specific applications.
    • Allow a different software firewall to control access.
    • Perform a rollback.
      Answers Explanation & Hints:

      When a different software firewall is installed, Windows Firewall must be disabled through the Windows Firewall control panel. When Windows Firewall is enabled, specific ports can be enabled that are needed by specific applications.

  8. Based on the command output shown, which file permission or permissions have been assigned to the other user group for the data.txt file?

    ls -l data.txt
    -rwxrw-r-- sales staff 1028 May 28 15:50 data.txt

    • read, write, execute
    • read
    • read, write
    • full access
      Answers Explanation & Hints:

      The file permissions are always displayed in the user, group and other order. In the example displayed, the file has the following permissions:
      The dash ( - ) means that this is a file. For directories, the first dash would be replaced with a “d”.
      The first set of characters is for user permission (rwx). The user, sales, who owns the file can read, write and execute the file.
      The second set of characters is for group permissions (rw-). The group, staff, who owns the file can read and write to the file.
      The third set of characters is for any other user or group permissions (r--). Any other user or group on the computer can only read the file.
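      As an added example (not from the exam page), the permission-field decoding walked through above, in Python, plus the checks a hardening review would run on the same field; the sample line is the one from the question, and the finding names and review rules are this example's own.

```python
# Added example, not part of the exam page: decode the first field of an
# `ls -l` line into per-class permissions the way the explanation does, and
# flag the permission combinations a security review cares about.
from typing import Dict, List

# Constructed sample, copied from the question text (ls output normally also
# shows a link count between the mode and the owner; the page omits it).
SAMPLE_LINE = "-rwxrw-r-- sales staff 1028 May 28 15:50 data.txt"

FILE_TYPES = {"-": "file", "d": "directory", "l": "symbolic link",
              "c": "character device", "b": "block device",
              "p": "named pipe", "s": "socket"}


def parse_mode(mode: str) -> Dict[str, object]:
    """Split a 10-character mode string into type and user/group/other permissions."""
    if len(mode) != 10:
        raise ValueError(f"mode string must be 10 characters, got {mode!r}")
    result: Dict[str, object] = {"type": FILE_TYPES.get(mode[0], "unknown")}
    triplets = {"user": mode[1:4], "group": mode[4:7], "other": mode[7:10]}
    for cls, bits in triplets.items():
        perms: List[str] = []
        if bits[0] == "r":
            perms.append("read")
        if bits[1] == "w":
            perms.append("write")
        # 'x' is plain execute; lowercase 's'/'t' mean execute plus a special bit.
        if bits[2] in "xst":
            perms.append("execute")
        result[cls] = perms
    # Special bits show up in the execute position: s/S setuid or setgid, t/T sticky.
    result["setuid"] = mode[3] in "sS"
    result["setgid"] = mode[6] in "sS"
    result["sticky"] = mode[9] in "tT"
    return result


def mode_to_octal(mode: str) -> str:
    """Convert the three rwx triplets to the octal digits used by chmod."""
    digits = []
    for start in (1, 4, 7):
        bits = mode[start:start + 3]
        value = ((4 if bits[0] == "r" else 0)
                 + (2 if bits[1] == "w" else 0)
                 + (1 if bits[2] in "xst" else 0))
        digits.append(str(value))
    return "".join(digits)


def review_findings(mode: str) -> List[str]:
    """Return the permission problems a hardening review would flag (this example's rules)."""
    info = parse_mode(mode)
    findings: List[str] = []
    if "write" in info["other"]:
        if info["type"] != "directory":
            findings.append("world-writable")
        elif not info["sticky"]:
            # /tmp-style shared directories are only acceptable with the sticky bit set.
            findings.append("world-writable directory without sticky bit")
    if info["setuid"] and info["type"] == "file":
        findings.append("setuid executable")
    return findings


def parse_ls_line(line: str) -> Dict[str, object]:
    """Parse one `ls -l` line of the shape shown on the page."""
    fields = line.split()
    mode, owner, group = fields[0], fields[1], fields[2]
    info = parse_mode(mode)
    info.update({"owner": owner, "group": group, "name": fields[-1],
                 "octal": mode_to_octal(mode), "findings": review_findings(mode)})
    return info


if __name__ == "__main__":
    entry = parse_ls_line(SAMPLE_LINE)
    for cls in ("user", "group", "other"):
        print(f"{cls:>5}: {', '.join(entry[cls]) or 'none'}")
    print("octal:", entry["octal"], "| findings:", entry["findings"] or "none")
```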

  9. What are three benefits of using symbolic links over hard links in Linux? (Choose three.)

    • Symbolic links can be exported.
    • They can be encrypted.
    • They can be compressed.
    • They can link to a directory.
    • They can show the location of the original file.
    • They can link to a file in a different file system.
      Answers Explanation & Hints:

      In Linux, a hard link is another file that points to the same location as the original file. A soft link (also called a symbolic link or a symlink) is a link to another file system name. Hard links are limited to the file system in which they are created and they cannot link to a directory; soft links are not limited to the same file system and they can link to a directory. To see the location of the original file for a symbolic link, use the ls -l command.

  10. What is the Internet?

    • It is a network based on Ethernet technology.
    • It provides network access for mobile devices.
    • It provides connections through interconnected global networks.
    • It is a private network for an organization with LAN and WAN connections.
      Answers Explanation & Hints:

      The Internet provides global connections that enable networked devices (workstations and mobile devices) with different network technologies, such as Ethernet, DSL/cable, and serial connections, to communicate. A private network for an organization with LAN and WAN connections is an intranet.

  11. Which two protocols are associated with the transport layer? (Choose two.)

    • TCP
    • IP
    • UDP
    • PPP
    • ICMP
      Answers Explanation & Hints:

      TCP and UDP reside at the transport layer in both the OSI and TCP/IP models.

  12. At which OSI layer is a source IP address added to a PDU during the encapsulation process?

    • network layer
    • data link layer
    • transport layer
    • application layer
  13. When a connectionless protocol is in use at a lower layer of the OSI model, how is missing data detected and retransmitted if necessary?

    • Connectionless acknowledgements are used to request retransmission.
    • Upper-layer connection-oriented protocols keep track of the data received and can request retransmission from the upper-level protocols on the sending host.
    • Network layer IP protocols manage the communication sessions if connection-oriented transport services are not available.
    • The best-effort delivery process guarantees that all packets that are sent are received.
      Answers Explanation & Hints:

      When connectionless protocols are in use at a lower layer of the OSI model, upper-level protocols may need to work together on the sending and receiving hosts to account for and retransmit lost data. In some cases, this is not necessary, because for some applications a certain amount of data loss is tolerable.

  14. What is the prefix length notation for the subnet mask

    • /25
    • /26
    • /27
    • /28
      Answers Explanation & Hints:

      The binary format for is 11111111.11111111.11111111.11100000. The prefix length is the number of consecutive 1s in the subnet mask. Therefore, the prefix length is /27.

  15. If the default gateway is configured incorrectly on the host, what is the impact on communications?

    • The host is unable to communicate on the local network.
    • The host can communicate with other hosts on the local network, but is unable to communicate with hosts on remote networks.
    • The host can communicate with other hosts on remote networks, but is unable to communicate with hosts on the local network.
    • There is no impact on communications.
      Answers Explanation & Hints:

      A default gateway is only required to communicate with devices on another network. The absence of a default gateway does not affect connectivity between devices on the same local network.

  16. What are two ICMPv6 messages that are not present in ICMP for IPv4? (Choose two.)

    • Destination Unreachable
    • Host Confirmation
    • Neighbor Solicitation
    • Route Redirection
    • Router Advertisement
    • Time Exceeded
      Answers Explanation & Hints:

      ICMPv6 includes four new message types: Router Advertisement, Neighbor Advertisement, Router Solicitation, and Neighbor Solicitation.

  17. Which protocol is used by the traceroute command to send and receive echo-requests and echo-replies?

    • SNMP
    • ICMP
    • Telnet
    • TCP
      Answers Explanation & Hints:

      Traceroute uses the ICMP (Internet Control Message Protocol) to send and receive echo-request and echo-reply messages.

  18. Which two types of messages are used in place of ARP for address resolution in IPv6? (Choose two.)

    • anycast
    • broadcast
    • echo reply
    • echo request
    • neighbor solicitation
    • neighbor advertisement
      Answers Explanation & Hints:

      IPv6 does not use ARP. Instead, ICMPv6 neighbor discovery is used by sending neighbor solicitation and neighbor advertisement messages.

  19. What are two problems that can be caused by a large number of ARP request and reply messages? (Choose two.)

    • A large number of ARP request and reply messages may slow down the switching process, leading the switch to make many changes in its MAC table.
    • All ARP request messages must be processed by all nodes on the local network.
    • The ARP request is sent as a broadcast, and will flood the entire subnet.
    • The network may become overloaded because ARP reply messages have a very large payload due to the 48-bit MAC address and 32-bit IP address that they contain.
    • Switches become overloaded because they concentrate all the traffic from the attached subnets.
      Answers Explanation & Hints:

      ARP requests are sent as broadcasts:
      (1) All nodes will receive them, and they will be processed by software, interrupting the CPU.
      (2) The switch forwards (floods) Layer 2 broadcasts to all ports.

      A switch does not change its MAC table based on ARP request or reply messages. The switch populates the MAC table using the source MAC address of all frames. The ARP payload is very small and does not overload the switch.

  20. Which network monitoring tool saves captured network frames in PCAP files?

    • Wireshark
    • SNMP
    • NetFlow
    • SIEM
      Answers Explanation & Hints:

      Wireshark is a network protocol analyzer used to capture network traffic. The traffic captured by Wireshark is saved in PCAP files and includes interface information and time stamps.

  21. What is the TCP mechanism used in congestion avoidance?

    • three-way handshake
    • socket pair
    • two-way handshake
    • sliding window
      Answers Explanation & Hints:

      TCP uses windows to attempt to manage the rate of transmission to the maximum flow that the network and destination device can support while minimizing loss and retransmissions. When overwhelmed with data, the destination can send a request to reduce the size of the window. This congestion avoidance is called sliding windows.

  22. What kind of message is sent by a DHCPv4 client requesting an IP address?

    • DHCPDISCOVER broadcast message
    • DHCPDISCOVER unicast message
    • DHCPOFFER unicast message
    • DHCPACK unicast message
      Answers Explanation & Hints:

      When the DHCPv4 client requests an IP address, it sends a DHCPDISCOVER broadcast message seeking a DHCPv4 server on the network.

  23. Why is DHCP preferred for use on large networks?

    • Large networks send more requests for domain to IP address resolution than do smaller networks.
    • DHCP uses a reliable transport layer protocol.
    • It prevents sharing of files that are copyrighted.
    • It is a more efficient way to manage IP addresses than static address assignment.
    • Hosts on large networks require more IP addressing configuration settings than hosts on small networks.
      Answers Explanation & Hints:

      Static IP address assignment requires personnel to configure each network host with addresses manually. Large networks can change frequently and have many more hosts to configure than do small networks. DHCP provides a much more efficient means of configuring and managing IP addresses on large networks than does static address assignment.

  24. What is a characteristic of DNS?

    • DNS relies on a hub-and-spoke topology with centralized servers.
    • DNS servers can cache recent queries to reduce DNS query traffic.
    • All DNS servers must maintain mappings for the entire DNS structure.
    • DNS servers are programmed to drop requests for name translations that are not within their zone.
      Answers Explanation & Hints:

      DNS uses a hierarchy for decentralized servers to perform name resolution. DNS servers only maintain records for their zone and can cache recent queries so that future queries do not produce excessive DNS traffic.

  25. Refer to the exhibit. A cybersecurity analyst is viewing captured packets forwarded on switch S1. Which device has the MAC address d8:cb:8a:5c:d5:8a?

    CyberOps Associate (Version 1.0) - CyberOps Associate 1.0 Practice Final Exam Answers 02
    • router DG
    • PC-A
    • router ISP
    • web server
    • DNS server
      Answers Explanation & Hints:

      The Wireshark capture is a DNS response from the DNS server to PC-A. Because the packet was captured on the LAN that the PC is on, router DG would have encapsulated the response packet from the ISP router into an Ethernet frame addressed to PC-A and forwarded the frame with the MAC address of PC-A as the destination.

  26. Match the steps with the actions that are involved when an internal host with IP address attempts to send a packet to an external server at the IP address across a router R1 that is running dynamic NAT. (Not all options are used.)

    CyberOps Associate (Version 1.0) - CyberOps Associate 1.0 Practice Final Exam Answers 002
    Answers Explanation & Hints:

    The translation of the IP addresses from to will take place when the reply comes back from the server.

  27. A technician is configuring email on a mobile device. The user wants to be able to keep the original email on the server, organize it into folders, and synchronize the folders between the mobile device and the server. Which email protocol should the technician use?

    • POP3
    • IMAP
    • MIME
    • SMTP
      Answers Explanation & Hints:

      The IMAP protocol allows email data to be synchronized between a client and server. Changes made in one location, such as marking an email as read, are automatically applied to the other location. POP3 is also an email protocol. However, the data is not synchronized between the client and the server. SMTP is used for sending email, and is typically used in conjunction with the POP3 protocol. MIME is an email standard that is used to define attachment types, and allows extra content like pictures and documents to be attached to email messages.

  28. What are two differences between HTTP and HTTP/2? (Choose two.)

    • HTTP/2 uses different status codes than HTTP does to improve performance.
    • HTTP/2 uses a compressed header to reduce bandwidth requirements.
    • HTTP has a different header format than HTTP/2 has.
    • HTTP/2 issues requests using a text format whereas HTTP uses binary commands.
    • HTTP/2 uses multiplexing to support multiple streams and enhance efficiency.
      Answers Explanation & Hints:

      The purpose of HTTP/2 is to improve HTTP performance by addressing the latency issues of HTTP. This is accomplished using features such as multiplexing, server push, binary code, and header compression.

  29. A router has received a packet destined for a network that is in the routing table. What steps does the router perform to send this packet on its way? Match the step to the task performed by the router.

    CyberOps Associate (Version 1.0) - CyberOps Associate 1.0 Practice Final Exam Answers 003
  30. What is the purpose of CSMA/CA?

    • to prevent collisions
    • to prevent loops
    • to filter traffic
    • to isolate traffic
      Answers Explanation & Hints:

      CSMA/CA stands for carrier sense multiple access with collision avoidance. It is a mechanism used in wireless networks to prevent packet collisions from occurring.

  31. Which statement describes a typical security policy for a DMZ firewall configuration?

    • Traffic that originates from the outside interface is permitted to traverse the firewall to the inside interface with few or no restrictions.
    • Traffic that originates from the DMZ interface is selectively permitted to the outside interface.
    • Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface.
    • Return traffic from the outside that is associated with traffic originating from the inside is permitted to traverse from the outside interface to the DMZ interface.
    • Return traffic from the inside that is associated with traffic originating from the outside is permitted to traverse from the inside interface to the outside interface.
      Answers Explanation & Hints:

      With a three-interface firewall design that has internal, external, and DMZ connections, typical configurations include the following:
      Traffic originating from the DMZ destined for the internal network is normally blocked.
      Traffic originating from the DMZ destined for external networks is typically permitted based on what services are being used in the DMZ.
      Traffic originating from the internal network destined for the DMZ is normally inspected and allowed to return.
      Traffic originating from external networks (the public network) is typically allowed in the DMZ only for specific services.

  32. What are two shared characteristics of the IDS and the IPS? (Choose two.)

    • Both are deployed as sensors.
    • Both analyze copies of network traffic.
    • Both use signatures to detect malicious traffic.
    • Both have minimal impact on network performance.
    • Both rely on an additional network device to respond to malicious traffic.
      Answers Explanation & Hints:

      Both the IDS and the IPS are deployed as sensors and use signatures to detect malicious traffic. The IDS analyzes copies of network traffic, which results in minimal impact on network performance. The IDS also relies on an IPS to stop malicious traffic.

  33. In an attempt to prevent network attacks, cyber analysts share unique identifiable attributes of known attacks with colleagues. What three types of attributes or indicators of compromise are helpful to share? (Choose three.)

    • features of malware files
    • IP addresses of attack servers
    • system ID of compromised systems
    • BIOS of attacking systems
    • changes made to end system software
    • netbios names of compromised firewalls
      Answers Explanation & Hints:

      Many network attacks can be prevented by sharing information about indicators of compromise (IOC). Each attack has unique identifiable attributes. Indicators of compromise are the evidence that an attack has occurred. IOCs can be identifying features of malware files, IP addresses of servers that are used in the attack, filenames, and characteristic changes made to end system software.

  34. Match the network security testing technique with how it is used to test network security. (Not all options are used.)

    CyberOps Associate (Version 1.0) - CyberOps Associate 1.0 Practice Final Exam Answers 004
    Answers Explanation & Hints:

    Network scanning tools are used to probe network devices, servers and hosts for open TCP or UDP ports. Vulnerability scanning tools are used to discover security weaknesses in a network or computer system. Penetration testing tools are used to determine the possible outcome of a successful attack on a network or computer system.

  35. Which two statements describe access attacks? (Choose two.)

    • Port redirection attacks use a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.
    • Password attacks can be implemented by the use of brute-force attack methods, Trojan horses, or packet sniffers.
    • Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or to exploit systems to execute malicious code.
    • To detect listening services, port scanning attacks scan a range of TCP or UDP port numbers on a host.
    • Trust exploitation attacks often involve the use of a laptop to act as a rogue access point to capture and copy all network traffic in a public location, such as a wireless hotspot.
      Answers Explanation & Hints:

      An access attack tries to gain access to a resource using a hijacked account or other means. The five types of access attacks include the following:
      password – a dictionary is used for repeated login attempts
      trust exploitation – uses granted privileges to access unauthorized material
      port redirection – uses a compromised internal host to pass traffic through a firewall
      man-in-the-middle – an unauthorized device positioned between two legitimate devices in order to redirect or capture traffic
      buffer overflow – too much data sent to a memory location that already contains data

  36. After complaints from users, a technician identifies that the college web server is running very slowly. A check of the server reveals that there are an unusually large number of TCP requests coming from multiple locations on the Internet. What is the source of the problem?

    • A DDoS attack is in progress.
    • The server is infected with a virus.
    • There is insufficient bandwidth to connect to the server.
    • There is a replay attack in progress.
      Answers Explanation & Hints:

      The source of the problem cannot be a virus because in this situation the server is passive and at the receiving end of the attack. A replay attack uses intercepted and recorded data in an attempt to gain access to an unauthorized server. This type of attack does not involve multiple computers. The issue is not the bandwidth available, but the number of TCP connections taking place. Receiving a large number of connections from multiple locations is the main symptom of a distributed denial of service attack, which uses botnets or zombie computers.

  37. What are two monitoring tools that capture network traffic and forward it to network monitoring devices? (Choose two.)

    • SIEM
    • Wireshark
    • SNMP
    • SPAN
    • network tap
      Answers Explanation & Hints:

      A network tap is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network and forwards all traffic including physical layer errors to an analysis device. SPAN is a port mirroring technology supported on Cisco switches that enables the switch to copy frames and forward them to an analysis device.

  38. Which network monitoring tool is in the category of network protocol analyzers?

    • SNMP
    • SPAN
    • Wireshark
    • SIEM
      Answers Explanation & Hints:

      Wireshark is a network protocol analyzer used to capture network traffic. The traffic captured by Wireshark is saved in PCAP files and includes interface information and time stamps.

  39. What kind of ICMP message can be used by threat actors to perform network reconnaissance and scanning attacks?

    • ICMP redirects
    • ICMP unreachable
    • ICMP mask reply
    • ICMP router discovery
      Answers Explanation & Hints:

      Common ICMP messages of interest to threat actors include these:
      ICMP echo request and echo reply: used to perform host verification and DoS attacks
      ICMP unreachable: used to perform network reconnaissance and scanning attacks
      ICMP mask reply: used to map an internal IP network
      ICMP redirects: used to lure a target host into sending all traffic through a compromised device and create a man-in-the-middle attack
      ICMP router discovery: used to inject bogus route entries into the routing table of a target host

  40. A flood of packets with invalid source IP addresses requests a connection on the network. The server busily tries to respond, resulting in valid requests being ignored. What type of attack has occurred?

    • UDP flood
    • TCP session hijacking
    • TCP reset
    • TCP SYN flood
      Answers Explanation & Hints:

      The TCP SYN Flood attack exploits the TCP three-way handshake. The threat actor continually sends TCP SYN session request packets with a randomly spoofed source IP address to an intended target. The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet. Those responses never arrive. Eventually the target host is overwhelmed with half-open TCP connections and denies TCP services.

  41. An attacker is redirecting traffic to a false default gateway in an attempt to intercept the data traffic of a switched network. What type of attack could achieve this?

    • ARP cache poisoning
    • DHCP spoofing
    • DNS tunneling
    • TCP SYN flood
      Answers Explanation & Hints:

      In DHCP spoofing attacks, a threat actor configures a fake DHCP server on the network to issue DHCP addresses to clients with the aim of forcing the clients to use a false or invalid default gateway. A man-in-the-middle attack can be created by setting the default gateway address to the IP address of the threat actor.

  42. What is the most common goal of search engine optimization (SEO) poisoning?

    • to trick someone into installing malware or divulging personal information
    • to overwhelm a network device with maliciously formed packets
    • to build a botnet of zombies
    • to increase web traffic to malicious sites
      Answers Explanation & Hints:

      A malicious user could use SEO techniques so that a malicious website appears higher in search results. The malicious website commonly contains malware or is used to obtain information via social engineering techniques.

  43. Match the security concept to the description.

    CyberOps Associate (Version 1.0) - CyberOps Associate 1.0 Practice Final Exam Answers 005
  44. Which section of a security policy is used to specify that only authorized individuals should have access to enterprise data?

    • statement of scope
    • statement of authority
    • Internet access policy
    • acceptable use policy
    • campus access policy
    • identification and authentication policy
      Answers Explanation & Hints:

      The identification and authentication policy section of the security policy typically specifies authorized persons that can have access to network resources and identity verification procedures.

  45. A network security specialist is tasked to implement a security measure that monitors the status of critical files in the data center and sends an immediate alert if any file is modified. Which aspect of secure communications is addressed by this security measure?

    • data integrity
    • nonrepudiation
    • data confidentiality
    • origin authentication
      Answers Explanation & Hints:

      Secure communications consists of four elements:
      Data confidentiality – guarantees that only authorized users can read the message
      Data integrity – guarantees that the message was not altered
      Origin authentication – guarantees that the message is not a forgery and does actually come from whom it states
      Data nonrepudiation – guarantees that the sender cannot repudiate, or refute, the validity of a message sent

  46. A network administrator is configuring an AAA server to manage TACACS+ authentication. What are two attributes of TACACS+ authentication? (Choose two.)

    • encryption for only the password of a user
    • encryption for all communication
    • separate processes for authentication and authorization
    • UDP port 1645
    • single process for authentication and authorization
    • TCP port 40
      Answers Explanation & Hints:

      TACACS+ authentication includes the following attributes:
      Separates authentication and authorization processes
      Encrypts all communication, not just passwords
      Utilizes TCP port 49

  47. What three services are offered by FireEye? (Choose three.)

    • blocks attacks across the web
    • identifies and stops email threat vectors
    • identifies and stops latent malware on files
    • creates firewall rules dynamically
    • subjects all traffic to deep packet inspection analysis
    • deploys incident detection rule sets to network security tools
      Answers Explanation & Hints:

      FireEye is a security company that uses a three-pronged approach combining security intelligence, security expertise, and technology. FireEye offers SIEM and SOAR with the Helix Security Platform, which use behavioral analysis and advanced threat detection.

  48. Which three algorithms are designed to generate and verify digital signatures? (Choose three.)

    • IKE
    • AES
    • DSA
    • RSA
    • 3DES
    • ECDSA
      Answers Explanation & Hints:

      There are three Digital Signature Standard (DSS) algorithms that are used for generating and verifying digital signatures:
      Digital Signature Algorithm (DSA)
      Rivest-Shamir-Adleman Algorithm (RSA)
      Elliptic Curve Digital Signature Algorithm (ECDSA)

  49. What are the two important components of a public key infrastructure (PKI) used in network security? (Choose two.)

    • intrusion prevention system
    • certificate authority
    • digital certificates
    • pre-shared key generation
    • symmetric encryption algorithms
      Answers Explanation & Hints:

      A public key infrastructure uses digital certificates and certificate authorities to manage asymmetric key distribution. PKI certificates are public information. The PKI certificate authority (CA) is a trusted third party that issues the certificate. The CA has its own certificate (a self-signed certificate) that contains the public key of the CA.

  50. Match the description to the antimalware approach. (Not all options are used.)

    CyberOps Associate (Version 1.0) - CyberOps Associate 1.0 Practice Final Exam Answers 006
    Answers Explanation & Hints:

    Antimalware programs may detect viruses using three different approaches:

    • signature-based – by recognizing various characteristics of known malware files
    • heuristics-based – by recognizing general features shared by various types of malware
    • behavior-based – through analysis of suspicious activities


  51. Which statement describes the anomaly-based intrusion detection approach?

    • It compares the operations of a host against a well-defined security policy.
    • It compares the signatures of incoming traffic to a known intrusion database.
    • It compares the antivirus definition file to a cloud based repository for latest updates.
    • It compares the behavior of a host to an established baseline to identify potential intrusions.
      Answers Explanation & Hints:

      With an anomaly-based intrusion detection approach, a baseline of host behaviors is established first. The host behavior is checked against the baseline to detect significant deviations, which might indicate potential intrusions.

  52. A network administrator is creating a network profile to generate a network baseline. What is included in the critical asset address space element?

    • the list of TCP or UDP processes that are available to accept data
    • the IP addresses or the logical location of essential systems or data
    • the time between the establishment of a data flow and its termination
    • the TCP and UDP daemons and ports that are allowed to be open on the server
      Answers Explanation & Hints:

      A network profile should include some important elements, such as the following:

      Total throughput – the amount of data passing from a given source to a given destination in a given period of time
      Session duration – the time between the establishment of a data flow and its termination
      Ports used – a list of TCP or UDP processes that are available to accept data
      Critical asset address space – the IP addresses or the logical location of essential systems or data

  53. What are the three impact metrics contained in the CVSS 3.0 Base Metric Group? (Choose three.)

    • attack vector
    • availability
    • confidentiality
    • exploit
    • integrity
    • remediation level
      Answers Explanation & Hints:

      The Common Vulnerability Scoring System (CVSS) is a vendor-neutral, industry standard, open framework for weighing the risks of a vulnerability using a variety of metrics. CVSS uses three groups of metrics to assess vulnerability, the Base Metric Group, Temporal Metric Group, and Environmental Metric Group. The Base Metric Group has two classes of metrics (exploitability and impact). The impact metrics are rooted in the following areas: confidentiality, integrity, and availability.
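How the three impact metrics (C, I, A) and the exploitability metrics combine into a CVSS 3.0 base score, as an added example that is not part of the exam material. The weights and formulas are those published in the CVSS v3.0 specification (section 8.4); the round-up routine uses integer arithmetic to avoid floating-point artefacts, which is how the v3.1 specification recommends implementing the same definition. The vectors in the demo are constructed, not tied to any particular CVE.

```python
import math

# Metric weights from the CVSS v3.0 specification, section 8.4 (Base Metric Group).
ATTACK_VECTOR = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
ATTACK_COMPLEXITY = {"L": 0.77, "H": 0.44}
PRIVILEGES_REQUIRED = {           # PR weights depend on whether Scope is changed
    "U": {"N": 0.85, "L": 0.62, "H": 0.27},
    "C": {"N": 0.85, "L": 0.68, "H": 0.50},
}
USER_INTERACTION = {"N": 0.85, "R": 0.62}
CIA_IMPACT = {"H": 0.56, "L": 0.22, "N": 0.0}   # the three impact metrics: C, I and A

REQUIRED = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    parts = vector.split("/")
    if parts[0] != "CVSS:3.0":
        raise ValueError("only CVSS:3.0 vectors are handled here")
    metrics = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        metrics[key] = value
    missing = [k for k in REQUIRED if k not in metrics]
    if missing:
        raise ValueError(f"vector is missing base metrics: {missing}")
    return metrics


def roundup(value: float) -> float:
    """Smallest one-decimal number >= value, computed on integers so that
    float noise such as 4.0000000001 does not round up to 4.1."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000
    return (scaled // 10000 + 1) / 10


def impact_subscore(m: dict) -> float:
    # ISS: probability that at least one of C, I, A is affected.
    iss = 1 - (1 - CIA_IMPACT[m["C"]]) * (1 - CIA_IMPACT[m["I"]]) * (1 - CIA_IMPACT[m["A"]])
    if m["S"] == "U":
        return 6.42 * iss
    return 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15


def exploitability_subscore(m: dict) -> float:
    return (8.22 * ATTACK_VECTOR[m["AV"]] * ATTACK_COMPLEXITY[m["AC"]]
            * PRIVILEGES_REQUIRED[m["S"]][m["PR"]] * USER_INTERACTION[m["UI"]])


def base_score(vector: str) -> float:
    m = parse_vector(vector)
    impact = impact_subscore(m)
    exploitability = exploitability_subscore(m)
    if impact <= 0:          # no C/I/A impact at all means a base score of 0
        return 0.0
    total = impact + exploitability
    if m["S"] == "C":
        total *= 1.08
    return roundup(min(total, 10))


if __name__ == "__main__":
    # Constructed vectors for illustration.
    for v in ("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",   # 9.8
              "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",   # 10.0
              "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",   # 6.5
              "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"):  # 0.0
        print(f"{base_score(v):4.1f}  {v}")
```

Note that the Temporal group (which is where "exploit" maturity and "remediation level" live) and the Environmental group are not part of the base score at all; that is why those two answer choices are wrong.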

  54. How might corporate IT professionals deal with DNS-based cyber threats?

    • Use IPS/IDS devices to scan internal corporate traffic.
    • Monitor DNS proxy server logs and look for unusual DNS queries.
    • Limit the number of DNS queries permitted within the organization.
    • Limit the number of simultaneously opened browsers or browser tabs.
      Answers Explanation & Hints:

      DNS queries for randomly generated domain names or extremely long random-appearing DNS subdomains should be considered suspicious. Cyberanalysts could do the following for DNS-based attacks:

      Analyze DNS logs.
      Use a passive DNS service to block requests to suspected CnC and exploit domains.
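What "analyze DNS logs" looks like in practice, as an added example (not code from the exam): a small scorer that flags the two patterns the explanation names, randomly generated domain names and very long random-looking subdomains, over constructed log lines. Label entropy alone is not enough, because entropy grows with length and an ordinary long word can score above 3.5 bits, so the DGA check also requires the label to be vowel-poor or digit-heavy. The thresholds, the "timestamp client qtype qname" log format and the assumption that the registrable domain is the last two labels are all simplifications chosen for this example; a real deployment would use the Public Suffix List and tune thresholds against its own baseline.

```python
import math
from collections import Counter

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits per character: roughly 2-3 for English words, above 3.5 for random strings."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label: str, min_len: int = 10, entropy_threshold: float = 3.5) -> bool:
    """Heuristic DGA check on one label. Thresholds are assumptions tuned to the sample below."""
    if len(label) < min_len or shannon_entropy(label) < entropy_threshold:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return vowel_ratio < 0.25 or digit_ratio > 0.25


def suspicious_reasons(qname: str, max_label_len: int = 30, max_name_len: int = 100) -> list:
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    # Assumption: registrable domain = last two labels (real code: Public Suffix List).
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    subdomain_labels = labels[:-2]
    reasons = []
    if looks_generated(sld):
        reasons.append("high-entropy registrable domain (possible DGA)")
    if any(len(label) > max_label_len for label in subdomain_labels):
        reasons.append("very long subdomain label (possible DNS tunnelling)")
    if len(name) > max_name_len:
        reasons.append(f"query name longer than {max_name_len} characters")
    return reasons


# Constructed sample log, not data from a real resolver. Format: timestamp client qtype qname
LONG_LABEL = "z9y8x7w6v5u4t3s2r1q0p9o8n7m6l5k"   # 31 characters
SAMPLE_DNS_LOG = [
    "2021-06-14T09:01:02Z 10.0.0.21 A www.example.com",
    "2021-06-14T09:01:05Z 10.0.0.21 A workstationupdates.example",
    "2021-06-14T09:02:11Z 10.0.0.33 A xk3jq9v0pz2mwq.example",
    "2021-06-14T09:02:12Z 10.0.0.33 A 4d7a3f9c2b1e8f6a5c0d9e2b7a1f4c3d.tunnel.example",
    f"2021-06-14T09:02:15Z 10.0.0.33 TXT {LONG_LABEL}.{LONG_LABEL}.{LONG_LABEL}.tunnel.example",
]


def parse_line(line: str):
    timestamp, client, qtype, qname = line.split(maxsplit=3)
    return timestamp, client, qtype, qname


def analyze_log(lines):
    """Return (client, qname, reasons) for every query that trips at least one heuristic."""
    findings = []
    for line in lines:
        _, client, _, qname = parse_line(line)
        reasons = suspicious_reasons(qname)
        if reasons:
            findings.append((client, qname, reasons))
    return findings


if __name__ == "__main__":
    for client, qname, reasons in analyze_log(SAMPLE_DNS_LOG):
        print(client, qname, "; ".join(reasons))
```

The legitimate "workstationupdates" label scores above 3.5 bits of entropy yet is not flagged, which is the caveat worth remembering when tuning this kind of rule: pair entropy with a second feature, and count hits per client over time rather than alerting on single queries.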

  55. How does using HTTPS complicate network security monitoring?

    • HTTPS can be used to infiltrate DNS queries.
    • HTTPS adds complexity to captured packets.
    • Web browser traffic is directed to infected servers.
    • HTTPS cannot protect visitors to a company-provided web site.
      Answers Explanation & Hints:

      HTTPS adds extra overhead to the HTTP-formed packet. HTTPS encrypts using SSL/TLS (current deployments use TLS; the original SSL protocol versions are deprecated). Even though some devices can perform SSL/TLS decryption and inspection, this can present processing and privacy issues. HTTPS adds complexity to packet captures because of the additional handshake messages involved in establishing an encrypted connection, and because the application payload is no longer readable in the capture.

  56. Which three pieces of information are found in session data? (Choose three.)

    • user name
    • source and destination port numbers
    • Layer 4 transport protocol
    • source and destination IP addresses
    • source and destination MAC addresses
    • default gateway IP address
      Answers Explanation & Hints:

      Session data includes identifying information such as source and destination IP addresses, source and destination port numbers, and the Layer 4 protocol in use. Session data does not include user name, source and destination MAC addresses, and a default gateway IP address.
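An added example (not code from the exam) that ties question 56 to the network-profile elements of question 52. Session records carry exactly the fields listed above, the 5-tuple plus timing and byte counts, and from them the four baseline elements can be computed: total throughput between a source and destination, session duration, ports used on a host, and membership in the critical asset address space. The final function shows why the baseline matters: a session to a critical asset on a port never seen during the baseline period is reported as a deviation. All addresses, the `10.10.1.0/28` critical segment and the session records are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Session data: the 5-tuple plus timing and byte counts (no MAC addresses, no user name)."""
    start: float          # epoch seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str            # Layer 4 transport: "tcp" or "udp"
    duration: float       # seconds between flow establishment and termination
    src_bytes: int
    dst_bytes: int

    @property
    def five_tuple(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


# Assumption for the example: the database segment is the critical asset address space.
CRITICAL_ASSET_SPACE = [ipaddress.ip_network("10.10.1.0/28")]

# Constructed baseline: one hour of traffic, not real captures.
BASELINE_SESSIONS = [
    Session(1623661200, "10.0.0.21", 51514, "10.10.1.5", 1433, "tcp", 12.4, 18_200, 410_000),
    Session(1623661260, "10.0.0.22", 51892, "10.10.1.5", 1433, "tcp", 9.1, 15_100, 380_500),
    Session(1623661320, "10.0.0.21", 51530, "10.10.1.6", 5432, "tcp", 30.0, 22_000, 1_200_000),
    Session(1623661400, "10.0.0.21", 40001, "10.10.1.5", 123, "udp", 0.1, 76, 76),
    Session(1623662000, "10.0.0.23", 52011, "192.0.2.10", 443, "tcp", 4.2, 3_100, 90_000),
]


def in_critical_space(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CRITICAL_ASSET_SPACE)


def ports_used(sessions, host: str):
    """(proto, port) pairs on which a host accepted connections: the 'ports used' element."""
    return sorted({(s.proto, s.dst_port) for s in sessions if s.dst_ip == host})


def total_throughput(sessions, src_ip: str, dst_ip: str, window_seconds: float) -> float:
    """Bytes per second between one source and one destination over the window."""
    total = sum(s.src_bytes + s.dst_bytes
                for s in sessions if s.src_ip == src_ip and s.dst_ip == dst_ip)
    return total / window_seconds


def session_duration_stats(sessions):
    durations = [s.duration for s in sessions]
    return {"min": min(durations), "avg": sum(durations) / len(durations), "max": max(durations)}


def build_baseline(sessions):
    """Per critical asset, the (proto, port) pairs observed during the baseline period."""
    ports = defaultdict(set)
    for s in sessions:
        if in_critical_space(s.dst_ip):
            ports[s.dst_ip].add((s.proto, s.dst_port))
    return dict(ports)


def deviations(baseline, new_sessions):
    """Sessions to a critical asset on a (proto, port) that is absent from its baseline."""
    return [s for s in new_sessions
            if in_critical_space(s.dst_ip)
            and (s.proto, s.dst_port) not in baseline.get(s.dst_ip, set())]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SESSIONS)
    print("ports used on 10.10.1.5:", ports_used(BASELINE_SESSIONS, "10.10.1.5"))
    print("throughput 10.0.0.21 -> 10.10.1.5 (B/s):",
          round(total_throughput(BASELINE_SESSIONS, "10.0.0.21", "10.10.1.5", 3600), 1))
    print("session duration:", session_duration_stats(BASELINE_SESSIONS))
    later = [  # constructed: a normal query, then an RDP session nobody baselined
        Session(1623664800, "10.0.0.21", 51600, "10.10.1.5", 1433, "tcp", 8.0, 12_000, 300_000),
        Session(1623664860, "10.0.0.99", 50321, "10.10.1.5", 3389, "tcp", 600.0, 9_000_000, 120_000),
    ]
    for s in deviations(baseline, later):
        print("deviation:", s.five_tuple, "duration", s.duration, "bytes out", s.src_bytes)
```

The deviation in the demo also has an unusually long duration and a large outbound byte count relative to the baseline, which is the kind of signal an analyst would correlate with the new port rather than treat in isolation.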

  57. What are two elements that form the PRI value in a syslog message? (Choose two.)

    • facility
    • header
    • severity
    • hostname
    • timestamp
      Answers Explanation & Hints:

      The PRI in a syslog message consists of two elements, the facility and severity of the message.
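How the PRI value is formed and decoded, as an added example that is not part of the exam material: PRI = facility × 8 + severity, so `<34>` is facility 4 (auth) at severity 2 (crit). The parser below applies the RFC 5424 rules (1 to 3 digits, no leading zero, maximum 191) and then filters a batch of messages down to those at severity err or worse, which is the usual first triage step. The facility and severity names follow RFC 5424 section 6.2.1; the sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass

# Facility codes 0-23 and severity codes 0-7 as listed in RFC 5424, section 6.2.1.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


@dataclass(frozen=True)
class Pri:
    value: int
    facility: int
    severity: int

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, the formula every syslog sender applies."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def parse_pri(message: str) -> Pri:
    """Decode the <PRI> prefix; both RFC 3164 and RFC 5424 messages start with it."""
    match = _PRI_RE.match(message)
    if not match:
        raise ValueError("message does not start with a <PRI> field")
    digits = match.group(1)
    value = int(digits)
    # RFC 5424: 1-3 digits, no leading zeros except "0" itself, maximum 191 (23*8+7).
    if (len(digits) > 1 and digits[0] == "0") or value > 191:
        raise ValueError(f"invalid PRI {digits!r}")
    return Pri(value=value, facility=value // 8, severity=value % 8)


# Constructed sample messages (one in RFC 5424 format), not output from a live system.
SAMPLE_SYSLOG = [
    "<34>Jun 14 22:14:15 bastion su: 'su root' failed for jdoe on /dev/pts/8",
    "<13>Jun 14 22:14:20 web01 sshd[1042]: Accepted publickey for deploy from 10.0.0.5 port 51514",
    "<165>1 2021-06-14T22:14:22Z fw01 filterd - - - Deny tcp src 203.0.113.7/4431 dst 10.10.1.5/3389",
    "<0>Jun 14 22:14:30 db01 kernel: Out of memory: Kill process 2211 (postgres)",
]


def triage(messages, max_severity: int = 3):
    """Keep messages at `max_severity` or worse (0 = emerg ... 3 = err)."""
    kept = []
    for msg in messages:
        pri = parse_pri(msg)
        if pri.severity <= max_severity:
            kept.append((pri.facility_name, pri.severity_name, msg))
    return kept


if __name__ == "__main__":
    for msg in SAMPLE_SYSLOG:
        pri = parse_pri(msg)
        print(f"{pri.value:>3} -> {pri.facility_name}.{pri.severity_name}")
    print("needs attention:", [(f, s) for f, s, _ in triage(SAMPLE_SYSLOG)])
```

Severity is set by the sending program, not by the collector, so the same event can arrive as `notice` from one vendor and `warning` from another; filter on facility and severity for a first cut, but base detection logic on the message content.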

  58. Refer to the exhibit. Which field in the Sguil application window indicates the priority of an event or set of correlated events?

    CyberOps Associate (Version 1.0) - CyberOps Associate 1.0 Practice Final Exam Answers 01
    • CNT
    • ST
    • Pr
    • AlertID
      Answers Explanation & Hints:

      The Sguil application window has several fields available that give information about an event. The ST field gives the status of an event that includes a color-coded priority from light yellow to red to indicate four levels of priority.

  59. What is indicated by a true negative security alert classification?

    • An alert is verified to be an actual security incident.
    • Normal traffic is correctly ignored and erroneous alerts are not being issued.
    • An alert is incorrectly issued and does not indicate an actual security incident.
    • Exploits are not being detected by the security systems that are in place.
      Answers Explanation & Hints:

      True negative classifications are desirable because they indicate that normal traffic is correctly not being identified as malicious traffic by security measures.

  60. Which two types of network traffic are from protocols that generate a lot of routine traffic? (Choose two.)

    • SSL traffic
    • STP traffic
    • IPsec traffic
    • routing updates traffic
    • Windows security auditing alert traffic
      Answers Explanation & Hints:

      To reduce the huge amount of data collected so that cybersecurity analysts can focus on critical threats, some less important or less relevant data could be eliminated from the datasets. For example, routine network management traffic, such as routing updates and STP traffic, could be eliminated.

  61. How is the event ID assigned in Sguil?

    • Each event in the series of correlated events is assigned a unique ID.
    • All events in the series of correlated events are assigned the same event ID.
    • All events in the series of correlated events are assigned the same event group ID.
    • Only the first event in the series of correlated events is assigned a unique ID.
      Answers Explanation & Hints:

      In Sguil, each event receives a unique event ID, but only the first event ID in the series of correlated events is displayed in the RealTime tab.

  62. Which type of evidence supports an assertion based on previously obtained evidence?

    • best evidence
    • corroborating evidence
    • direct evidence
    • indirect evidence
      Answers Explanation & Hints:

      Corroborating evidence is evidence that supports a proposition already supported by initial evidence, therefore confirming the original proposition. Circumstantial evidence is evidence other than first-hand accounts of events provided by witnesses.

  63. Place the evidence collection priority from most volatile to least volatile as defined by the IETF guidelines.

    CyberOps Associate (Version 1.0) - CyberOps Associate 1.0 Practice Final Exam Answers 007
  64. When dealing with a security threat and using the Cyber Kill Chain model, which two approaches can an organization use to help block potential exploitations on a system? (Choose two.)

    • Conduct full malware analysis.
    • Train web developers for securing code.
    • Collect email and web logs for forensic reconstruction.
    • Build detections for the behavior of known weaponizers.
    • Perform regular vulnerability scanning and penetration testing.
      Answers Explanation & Hints:

      The most common exploit targets, once a weapon is delivered, are applications, operating system vulnerabilities, and user accounts. Among other measures, such as regular vulnerability scanning and penetration testing, training web developers in securing code can help block potential exploitations on systems.

  65. What is the goal of an attack in the installation phase of the Cyber Kill Chain?

    • Break the vulnerability and gain control of the target.
    • Establish command and control (CnC) with the target system.
    • Create a back door in the target system to allow for future access.
    • Use the information from the reconnaissance phase to develop a weapon against the target.
      Answers Explanation & Hints:

      In the installation phase of the Cyber Kill Chain, the threat actor establishes a back door into the system to allow for continued access to the target.

  66. Which activity is typically performed by a threat actor in the installation phase of the Cyber Kill Chain?

    • Harvest email addresses of user accounts.
    • Obtain an automated tool to deliver the malware payload.
    • Open a two-way communication channel to the CnC infrastructure.
    • Install a web shell on the target web server for persistent access.
      Answers Explanation & Hints:

      In the installation phase of the Cyber Kill Chain, the threat actor establishes a back door into the system to allow for continued access to the target.

  67. What will a threat actor do to create a back door on a compromised target according to the Cyber Kill Chain model?

    • Collect and exfiltrate data.
    • Add services and autorun keys.
    • Obtain an automated tool to deliver the malware payload.
    • Open a two-way communications channel to the CnC infrastructure.
      Answers Explanation & Hints:

      Once a target system is compromised, the threat actor will establish a back door into the system to allow for continued access to the target. Adding services and autorun keys is a way to create a point of persistent access.

  68. What is the responsibility of the human resources department when handling a security incident?

    • Coordinate the incident response with other stakeholders and minimize the damage of the incident.
    • Review the incident policies, plans, and procedures for local or federal guideline violations.
    • Perform actions to minimize the effectiveness of the attack and preserve evidence.
    • Apply disciplinary measures if an incident is caused by an employee.
      Answers Explanation & Hints:

      The human resources department may be called upon to perform disciplinary measures if an incident is caused by an employee.

  69. Which NIST incident response life cycle phase includes continuous monitoring by the CSIRT to quickly identify and validate an incident?

    • detection and analysis
    • preparation
    • containment, eradication, and recovery
    • postincident activities
      Answers Explanation & Hints:

      It is in the detection and analysis phase of the NIST incident response life cycle that the CSIRT identifies and validates incidents through continuous monitoring. NIST defines four phases of the incident response life cycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

  70. After containment, what is the first step of eradicating an attack?

    • Patch all vulnerabilities.
    • Change all passwords.
    • Identify all hosts that need remediation.
    • Hold meetings on lessons learned.
      Answers Explanation & Hints:

      Once an attack is contained, the next step is to identify all hosts that will need remediation so that the effects of the attack can be eliminated.
