200-201 : Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) : Part 01

  1. Which type of algorithm encrypts data bit by bit?

    • block
    • asymmetric
    • stream
    • symmetric
    Explanation:
    Stream ciphers operate bit by rather on a block of data at a time. Stream and block ciphers are the two main types of symmetric algorithms.

    Block ciphers process one block of bits, and stream ciphers process one bit at a time. RC5 and RC6 are block ciphers.

    Symmetric ciphers are those that use the same key to encrypt as to decrypt. Symmetric ciphers have modes of operation: ECB, CBC, CTM or CTR, and GCM.

    – Electronic Code Book (ECB) mode implements the cipher in its original form.
    – Cipher-block Chaining (CBC) mode uses the output of each block and XORs it with the following block to increase diffusion.
    – Counter Mode (CTM or CTR) converts a block cipher into a stream cipher.
    – Galois Counter Mode (GTM) uses a hash function to further complicate the encryption.

    Asymmetric cryptography involves the use of different keys to encrypt and decrypt the data. These keys are referred to as private and public keys, respectively. The public encryption key is used to ensure only the intended recipient the cipher text. The public key is shared and used to encrypt information, and the private key is secret and used to decrypt data that was encrypted with the matching public key. ElGamal is an asymmetric public key encryption algorithm based on the Diffie-Hellman key agreement.

    Block ciphers operate on a block of data at a time rather than bit by bit.

    Objective: Cryptography
    Sub-Objective: Compare and contrast symmetric and asymmetric encryption algorithms

  2. Which of the following is true of privilege escalation?

    • vertical movement to a different level
    • horizontal movement to the same level
    • obtained without authorization
    • granted freely
    Explanation:
    Privilege escalation occurs when someone obtains, without authorization, the rights and privileges of a different user. Privilege escalation usually occurs by logging in to a system using your valid user account and then finding a way to access files that you do not have permissions to access. This often involves invoking a program that can change your permissions, such as Set User ID (SUID), or invoking a program that runs in an administrative context.

    There are several methods of dealing with privilege escalation can lead to denial-of-service (DoS) attacks. An example of privilege escalation is gaining access to a file you should not access by changing the permissions of your valid account.

    Horizontal escalation is movement to an account on the same level, such as from a regular user another regular user.

    Vertical escalation is movement to an account on a different level, such as from a regular user to an administrator.

    Privilege escalation is never granted freely. It is an attack.

    Objective: Attack Methods
    Sub-Objective: Define privilege escalation

  3. Examine the diagram below, which contains all devices currently connected to Switch0.

    200-201 Part 01 Q03 001
    200-201 Part 01 Q03 001

    Which of the following statements is true of this scenario?

    • PC0 can communicate with PC1
    • is we change the VLAN of Fa0/15 to VLAN 2, PC0 will be able to connect with PC1
    • if we change the IP address of PC1 to 192.168.6.4, it will be able to connect with PC0
    • if we change the VLAN of Fa0/2 to VLAN 3 and change the IP address of PC1 to 192.168.6.5, PC1 will be able to connect with PC0
    Explanation:
    Currently the interfaces to which the two PCs are connected in different VLANs and the PCs have IP addresses in different IP subnets. that is the normal configuration when creating VLANs. The reason they cannot currently connect is because there is NO router in the scenario to route traffic between the VLANs. Therefore, if we place both interfaces in the same VLAN and place both PCs in the same IP subnet, no router will be required to route traffic and the devices can communicate.

    PC0 cannot communicate with PC1 in this scenario. Currently the interfaces to which the two PCs are connected in different VLANs, and the PCs have IP addresses in different IP subnets. That is the normal configuration when creating VLANs.

    If we change the IP address of PC1 to 192.168.6.4, it will still not be able to connect with PC0 because they will still be in different VLANs. They must be in both the same VLAN and the same IP subnet to communicate in the absence of a router to route between VLANs.

    If we change the VLAN of Fa0/15 to VLAN 2, PC0 will till not be to connect with PC1 because they will still be in different IP subnets. They must be in both the same VLAN and the same IP subnet to communicate in the absence of a router to route between VLANs.

    Objective: Network Concepts
    Sub-Objective: Describe the relationship between VLANs and data visibility

  4. Which of the following is deployed on an endpoint as an agent or standalone application?

    • NIPS
    • NGFW
    • HIDS
    • NIDS
    Explanation:
    A host-based intrusion detection system (HIDS) monitors individual workstations on a network.

    A network intrusion detection system (NIDS) is a system that operated on the network and detects attacks on that network. It monitors real-time traffic over the network, captures the packets, and analyzes them either through a signature database or against the normal traffic pattern behavior to ensure that there are no intrusion attempts or malicious threats. The primary disadvantage of an NIDS is its inability to analyze encrypted information. For example, the packets that traverse through a Virtual Private Network (VPN) tunnel cannot be analyzed by the NIDS. An NIDS would most likely be used to detect, but not react to, behavior on the network.

    A network intrusion prevention system (NIPS) is a system that operated on the network and detects attacks on that network while also taking actions to stop the attack. Intrusion prevention system (IPS) and intrusion detection systems (IDS) work together to complement each other. IPS systems can block activities on certain Web sites. Users may be allowed to access the sites but may be prevented from accessing certain features within the site. In other cases, the entire site may be blocked, depending on the security requirements for the organization.

    A next generation firewall (NGFW) is one that monitors all layers if the OSI model. It is not deployed on a host.

    Objective: Host-Based Analysis
    Sub-Objective: Describe the functionality of these endpoint technologies in regards to security monitoring: Host-based intrusion detection, Antimalware and antivirus, Host-based firewall, Application-level whitelisting/blacklisting, Systems-based sandboxing (such as Chrome, Java, Adobe reader).

  5. Which of the following represents an exploitable, unpatched, and unmitigated weakness in software?

    • vulnerability
    • exploit
    • threat
    • breach
    Explanation:
    A vulnerability is a susceptibility to a threat that exists in a system that has not been mitigated. Patching would be a form of mitigation if it were used to address the vulnerability

    When a security weakness or vulnerability exists in a system and threat actor takes advantage, the attack is considered an exploit. An example of a vulnerability is keeping ports open for nonessential services.

    A threat is an external danger to which a system may or may not be vulnerable. Is it a potential danger that could take advantage of a system it is vulnerable. An attacker picking the lock of the back entrance to a facility is an example of a threat, not a vulnerability.

    A breach is when an exploit is successful in providing unauthorized access to data.

    Objective: Security Concepts
    Sub-Objective: Compare and contrast these concepts: Risk, Threat, Vulnerability, Exploit

  6. Which of the following describes a TCP injection attack?

    • Many TCP SYN packets are captures with the same sequence number, source, and destination IP address, but different payloads.
    • there is an abnormally high volume of scanning from numerous sources
    • many TCP SYN packets are captured with the same sequence number, but different source and destination IP addresses and different payloads
    • an attacker performs actions slower than normal
    Explanation:
    A TCP injection attack occurs when the attacker injects data into a TCP packet. Evidence of this attack would be many TCP SYN packets captured with the same sequence number, source and destination IP address but different payloads.

    In a resource exhaustion attack, the goal is to overwhelm the IPS or IDS that it cannot keep up. Therefore, it uses an abnormally high volume of scanning from numerous sources. resource exhaustion occurs when a system runs out of limited resources, such as bandwidth, RAM, or hard drive space. Without the required storage space (as an example), the system can no longer perform as expected, and crashes.

    Timing attacks are those in which the operations are carried out at a much slower than normal pace to keep the IPS or IDS from assembling the operation in to a recognizable attack.

    Capturing many TCP SYN packets captured with the same sequence number, but different source and destination IP address and different payloads, is possible but unlikely. It would not represent a TCP injection attack.

    Objective: Attack Methods
    Sub-Objective: Describe these evasion methods. Encryption and tunneling, Resource exhaustion, Traffic fragmentation, Protocol-level misinterpretation, traffic substitution and insertion, Pivot.

  7. How are attributes of ownership and control of an object managed in Linux?

    • permissions
    • rights
    • iptables
    • processes
    Explanation:
    Just as in Windows, Linux manages ownership and control of an object though the use of permissions. Permissions issues that can be encountered include users being assigned allow permissions that they should not have or being denied access when they need it.

    Implementing file auditing will allow you to determine who is accessing files regularly. If a user or group is given access to files and you discover that they are not accessing them, you may want to remove their file permissions. Recertification is the process of examining a user’s permissions and determining if they still need access to what was previously granted.

    iptables is a firewall built into Linux. It requires elevated privileges to operate and must be executed by the root user, otherwise it fails to function. On most Linux systems, iptabled is installed as /usr/sbin/iptables.

    Rights are network actions granted to a person, such as the right to manage a printer.

    A program or service in Linux is called a process, although services are also called daemons. A process is a single application as seen from the perspective of the processor. Multiprocessing is the operation of more than one process at a time.

    Objective: Host-Based Analysis
    Sub-Objective: Define these terms as they pertain to Linux: Processes, Forks, Permissions, Symlinks, Daemon

  8. What is the standard for digital certificates?

    • IEEE 802.3af
    • IEEE 802.11
    • X.509
    • X.500
    Explanation:
    The standard for digital certificates is X.509. These text documents include identifying information of the holder, the most important being the public key of the holder.

    X.500 is the standards for directory services.

    Power over Ethernet (PoE) is defined by the IEEE 802.3af and 802.3at standards. PoE allows an Ethernet switch to provide power to an attached device by applying power to the same wires in a UTP cable that are used to transmit and receive data. PoE+ is an enhanced version of PoE that provides more power and better reliability. PoE+ is most commonly deployed in enterprise networks, while PoE is usually sufficient for small business or home networks.

    The IEEE 802.11 standard, which is the main standard for wireless LANs (WLANs), specifies using Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA) for its media access method. Like an Ethernet network, which uses Carrier Sense Multiple Access/Collision Detection (CSMA/CD), wireless adapter cards “sense”, or listen, for network traffic before transmitting. If the network is free of traffic, the station will send its data. The 802.22 standard also refers to CSMA/CA as Distributed Coordination Function (DCF).

    However, unlike an Ethernet network, wireless network cards cannot send and receive transmissions at the same time, which means that they cannot detect a collision. Instead, the sending station will wait for an acknowledgement packet (ACK) to be sent by the destination computer, verifying that the data was received. If, after a random amount of time, an acknowledgement has not been received, the sending station will retransmit the data.

    Objective: Cryptography
    Sub-Objective: Describe these items in regards to SSL/TLS: Cipher-suite, X.509 certificates, Key exchange, Protocol version, PKCS

  9. Which of the following is used to validate and in some cases revoke certificates?

    • PKI
    • DHCP
    • PGP
    • POP
    Explanation:
    A public key infrastructure (PKI) contains software hardware and policies that allow digital certificates to be created, validated, or revoked. A digital signature provides integrity, authentication, and non-repudiation in electronic mail. A PKI typically consists of the following components: certificates, a key repository, a method for revoking certificates, and a method to evaluate a certificate chain, which security professionals can use to follow the possession of keys.

    Pretty Good Privacy (PGP) is an email encryption system. PGP uses a web of trust to validate public key pairs. In a web of trust model, users sign their own key pairs. If a user wants to receive a file encrypted with PGP, the user must first supply the public key.

    Post Office Protocol (POP) is a client email program. It is used to retrieve email from the email server.

    Dynamic Host Configuration (DHCP) is a protocol that allows network administrators to centrally manage and automate the assignment of Internet Protocol (IP) addresses in an organization’s network. DHCP can automatically assign a new IP address when a computer is plugged into a different location on the network.

    Objective: Cryptography
    Sub-Objective: Describe the operation of a PKI

  10. Which of the following describes a timing attack?

    • delays attack for an amount of time
    • waits for an opportune moment
    • performs actions slower than normal
    • performs actions faster than normal
    Explanation:
    Timing attacks are those in which operations carried out are done much slower than normal to keep the IPS or IDS from assembling the operation into a recognizable attack.

    Performing actions faster than normal might even make it easier for the IPS or IDS to assemble the parts of the operation into a recognizable attack.

    Delaying the attack will have no bearing how easily the IPS may or may not recognize the attack.

    Attackers really have no way of recognizing or acting upon an opportune moment.

    Objective: Attack Methods
    Sub-Objective: Describe these evasion methods: Encryption and tunneling, Resource exhaustion, Traffic fragmentation, Protocol-level misinterpretation, Traffic substitution and insertion, Pivot.

  11. Your organization uses both the users location and the time of a day when assessing a connection request.

    What type of access control model is this?

    • RBAC
    • DAC
    • ABAC
    • MAC
    Explanation:
    This is an example of attribute-based access control (ABAC). In this model, attributes and their combinations are used to control access. There are several classes of attributes that might be included:

    – Environmental attributes – items such as location, time of day
    – Object attributes – object type (medical record, bank account)
    – Subject attributes – age, clearance, department, role, job title
    – Action attribute – read, delete, view, approve

    Role-based access control (RBAC) provides a specific set of rights and permission based on the job role assigned to the user.

    Discretionary access control (DAC) prescribes that the owner of an asset (data) decides the sensitively of the resource and who has access.

    Mandatory access control (MAC) creates clearance levels and assigns clearance levels to data assets and to users. Subjects (users) can only access levels to which they have been given clearance and those below.

    Objective: Security Concepts
    Sub-Objective: Compare and contrast these access control models: Discretionary access control, mandatory access control, Nondiscretionary access control

  12. At what layer of the OSI model Internet Protocol (IP) operate?

    • Layer 3
    • Layer 1
    • Layer 2
    • Layer 4
    Explanation:
    Both IPv4 and IPv6 operate at the Network Layer 3 of the Open System Interconnection (OSI) model.

    The TCP/IP suite of protocols includes Address Resolution Protocol (ARP), Internet Protocol (IP), Internet Control Message (ICMP), Internet Group Management Protocol (IGMP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP).

    The TCP/IP suite operates at Layer 2, Layer 3, and Layer 4 of the OSI model follows:

    Layer 2, Data Link: ARP
    Layer 3, Network: IP, ICMP, IGMP, ARP
    Layer 4, Transport: TCP, UDP
    The TCP/IP suite operates at layer 2, and layer 3 of the TCP/IP model as follows:
    Layer 1, Link: ARP
    Layer 2, Internet: IP, ICMP, IGMP, ARP
    Layer 3, Transport: TCP, UDP

    Objective: Network Concepts
    Sub-Objective: Describe the operation of the following: IP, TCP, UDP, ICMP

  13. Which of the following is a compilation of routine procedures and operations that the system administrator or operator carries out?

    • workflow
    • script
    • agenda
    • runbook
  14. Which of the following occurs at Layer 7 of the OSI model?

    • VLANs
    • Packet filtering
    • Stateful firewall operation
    • Deep packet inspection

    Explanation: Deep packet inspection is performed by application firewalls, which operate at layer 7 (the Application layer) of the OSI model. This is the examination of the actual data portion of the IP packet. An application firewall is typically integrated into another type of firewall to filter traffic that is traveling at the Application layer of the Open Systems Interconnection (OSI) model. An embedded firewall is typically implemented as a component of a hardware device, such as a switch or a router.

    Stateful firewall operation occurs at Layer 3. This type of inspection monitors the TCP three-way handshake which occurs at Layer 3. Stateful firewalls, monitor the state of each TCP connection as well. When traffic is encountered, a stateful firewall first examines a packet to see if it is the result of a previous connection. Information about previous connections is maintained in the state table.

    With a stateful firewall, a packet is allowed if it is a response to a previous connection. If the state table holds no information about the packet, the packet is compared to the access control list (ACL). Depending on the ACL, the packet will be forwarded to the appropriate host or dropped completely.

    Packer filtering can be done based on IP addresses and port numbers. That means this type of filtering occurs at Layer 3 and 4.

    VLANs filter traffic by MAC addresses, and as such operate at Layer 2 of the OSI model.

    Objective: Network Concepts
    Sub-Objective: Compare and contrast deep packet inspection with packet filtering and stateful firewall operation.

  15. What occurs when you allow specific executable files while denying all others?

    • whitelisting
    • blacklisting
    • greylisting
    • redlisting
    Explanation:
    When you whitelisting, you are creating a list of allowed applications while denying all others. Those approved applications are designated as whitelisted. These lists can also be used for domain name allowance with DNS. Several products are available that check for applications that are not on the whitelist, including attempts to install those applications. For example, the logs generated by the whitelisting product would tell you if someone had attempted to install a key logger.

    When blacklisting, you create a list of denied applications while allowing all others. These lists can also be used for domain name blocking with DNS. Blacklisting is an allow by default concept, where all software is allowed to execute unless it is on the Deny List.

    There is no form of filtering called redlisting or greylisting.

    Objective: Security Monitoring
    Sub-Objective: Describe these NextGen IPS event types: Connection event, Intrusion event, Host or endpoint event, Network discovery event, NetFlow event.

  16. Which operation has as its goal the identification of all available services on a device?

    • port scan
    • banner grabbing
    • OS fingerprinting
    • ping scan
    Explanation:
    A port scan identifies the open ports on a device, and thus the services available.

    A ping scan has as its goal identification of all live devices in the network. A smurf attack is an attack where a ping request is sent to a broadcast network address with the aim of overwhelming the system.

    Operating system (OS) fingerprinting has as its goal the identification of the operating system and version. Banner grabbing is a fingerprinting technique that relies on morphed or empty TCP packets that are sent over to a target machine. Telnet, Netcat, Nmap and other tools can be used to carry out banner grabbing.

    Banner grabbing also has as its goal the identification of the operating system and its version. Banner grabbing intercepts a text file sent by a server or a host. The text file includes OS information and in the case of a web server, perhaps the basic configuration info. The attacker can then exploit that information.

    Objective: Attack Methods
    Sub-Objective: Describe these endpoint-based attacks: Duffer overflows, Command and control (C2), Malware, Rootkit, Port scanning, Host Profiling

  17. Which cross-site scripting attack is sometimes called persistent?

    • reflected
    • stored
    • directed
    • DOM based
    Explanation:
    A stored XSS attack is one in which the injected script is stored in the server and received from the server by the user device. Cross-site scripting (XSS) poses the most danger when a user accesses a financial organization’s site using his or her login credentials. The problem is not that the hacker will take over the server. It is more likely that the hacker will take over the client’s session. This will allow the hacker to gain information about the legitimate user that is not publicly available. To prevent XSS, a programmer should validate input to remove hypertext. You can mitigate XSS by preventing the use of HTML tags or JavaScript image tags.

    A reflected or non-persistent attack is one that is reflected off the web server and not stored on the server.

    Directed is not a term used to describe cross site scripting attacks.

    Objective: Attack Methods
    Sub-Objective: Describe these web application attacks: SQL injection, Command injections, Cross-site scripting

  18. Quantitative and qualitative are two types of which of the following?

    • risk analysis
    • business impact analysis
    • disaster recovery plan
    • heuristics
    Explanation:
    Risk analysis come in two basic types. When scoring is used to rate risks rather than dollar figures to potential outcomes.

    A business impact analysis (BIA) focuses on critical business systems and the impact if they are lost to an outage. A BIA is created to identify the company’s vital functions and prioritize them based on need. It identifies vulnerabilities and threats and calculates the associated risks.

    A disaster recovery plan is a short term plan that is implemented when a large disaster event occurs. The plan is created to ensure that your company can resume operations in a timely manner. It mainly focuses on alternative procedures for processing transactions in the short term. it is carries out when the emergency occurs and immediately following the emergency.

    Heuristics is an approach that identifies malware based on the behavior it exhibits rather than a signature. A heuristics IDS uses artificial intelligence (AI) to detect intrusions. Analytics are performed on the actions taken, and the IDS takes action based on the logic in the AI.

    Objective: Security Concepts
    Sub-Objective: Describe these security terms: Principle of least privilege, Risk scoring/risk weighting, Risk reduction, Risk assessment.

  19. What is the primary function of routers?

    • To separate collision domains only
    • To separate DNS domains
    • To separate broadcast domains only
    • To separate collision domains and broadcast domains
    Explanation:
    Routers create both a broadcast domain for each interface. Routers move traffic from one network to another network, with each interface hosting an IP subnet. A router is a hardware device that transmits data among computers in different networks. Routers use IP addresses to make routing decisions.

    A switch is a device that separates collision domains only. Switches make switching decisions based on MAC addresses. A switch is a high-speed networking device that receives incoming data packets from one of its ports and directs them to a destination port for local area network access. A switch will redirect traffic bound outside the local area to a router for forwarding through an appropriate WAN interface.

    Neither routers nor switches create only a broadcast domain on each interface. Routers create both a broadcast domain and collision domain for each interface. A switch is a device that separates collision domain only.

    DNS servers, not routers, separate DNS domains. A Domain Name Service (DNS) server provides a centralized database of domain name-to-IP address resolutions on a server that other computers on a network can use for name resolution.

    Objective: Network Concepts
    Sub-Objective: Describe the basic operation of these network device types: Router, Switch, Hub, Bridge, Wireless access point (WAP), Wireless LAN controller (WLC)

  20. OpenDNS is a Cisco security solution designed to protect which component?

    • LAN
    • Cloud
    • WAN
    • DMZ
    Explanation:
    OpenDNS is a company and service that hosts a cloud computing security product suite, Umbrella. OpenDNS’s business services were renamed as Cisco Umbrella; home products retained the OpenDNS name. It also offers DNS resolution as an alternative to using Internet service providers’ DNS servers or locally installed DNS servers.

    Other services offered for cloud protection by Cisco include Cloud lock.

    While other products exist for LAN, WAN and DMZ, the Umbrella feature is not one of them.

    A local area network (LAN) covers a small geographic area. Typically, a LAN is confined to a campus, a single building, a floor of a building, or an area with in building.

    A wide area network (WAN) uses routers (or a collection of routers) to connect LANs that are dispersed over a large geographic area. An example would be a company with office locations in Boston, Miami, Chicago, Dallas, Denver, and San Francisco. Each office has its own LAN, and routers are used to provide connections between the offices. By building the WAN, the offices can share resources and data.

    Objective: Network Concepts
    Sub-Objective: Describe the functions of these network security systems as deployed on the host, network, or the cloud: Firewall, Cisco Intrusion Prevention System (IPS), Cisco Advanced Malware Protection (AMP), Web Security Appliance (WSA) / Cisco Cloud Web Security (CWS, Email Security Appliance (ESA) / Cisco Cloud Email Security (CES).

Subscribe
Notify of
guest
0 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments