CISCO cyberops whole Flashcards

1
Q

Which two statements are characteristics of a virus? (Choose two.)

A virus typically requires end-user activation.
A virus can be dormant and then activate at a specific time or date.
A virus replicates itself by independently exploiting vulnerabilities in networks.
A virus has an enabling vulnerability, a propagation mechanism, and a payload.
A virus provides the attacker with sensitive data, such as passwords.

A

A virus typically requires end-user activation.
A virus can be dormant and then activate at a specific time or date.

The type of end user interaction required to launch a virus is typically opening an application, opening a web page, or powering on the computer. Once activated, a virus may infect other files located on the computer or other computers on the same network.

2
Q

What is a characteristic of a Trojan horse as it relates to network security?

Too much information is destined for a particular memory block, causing additional memory areas to be affected.
Extreme quantities of data are sent to a particular network device interface.
An electronic dictionary is used to obtain a password to be used to infiltrate a key network device.
Malware is contained in a seemingly legitimate executable program.

A

Malware is contained in a seemingly legitimate executable program.

A Trojan horse carries out malicious operations under the guise of a legitimate program. Denial of service attacks send extreme quantities of data to a particular host or network device interface. Password attacks use electronic dictionaries in an attempt to learn passwords. Buffer overflow attacks exploit memory buffers by sending too much information to a host to render the system inoperable.

3
Q

What technique is used in social engineering attacks?

sending junk email
buffer overflow
phishing
man-in-the-middle

A

phishing

A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or to share personal or financial information.

4
Q

What is a purpose of implementing VLANs on a network?

They can separate user traffic.
They prevent Layer 2 loops.
They eliminate network collisions.
They allow switches to forward Layer 3 packets without a router.

A

They can separate user traffic.

VLANs are used on a network to separate user traffic based on factors such as function, project team, or application, without regard for the physical location of the user or device.

5
Q

A cybersecurity analyst needs to collect alert data. What are three detection tools to perform this task in the Security Onion architecture? (Choose three.)

CapME
Wazuh
Kibana
Zeek
Sguil
Wireshark
A

CapME
Wazuh
Zeek

6
Q

Match the Security Onion tool with the description.

Snort
OSSEC
Sguil
Wireshark
-------------------------
network-based intrusion detection system
packet capture application
host-based intrusion detection system
high-level cybersecurity analysis console
A

Snort — network-based intrusion detection system
OSSEC — host-based intrusion detection system
Sguil — high-level cybersecurity analysis console
Wireshark — packet capture application

7
Q

In network security assessments, which type of test is used to evaluate the risk posed by vulnerabilities to a specific organization including assessment of the likelihood of attacks and the impact of successful exploits on the organization?

port scanning
risk analysis
penetration testing
vulnerability assessment

A

risk analysis

8
Q

Match the server profile element to the description. (Not all options are used.)

user accounts
listening ports
service accounts
software environment
———————————
the parameters defining user access and behavior
the number of times the server is powered on and off
the TCP and UDP daemons and ports that are allowed to be open on the server
the tasks, processes, and applications that are permitted to run on the server
the definitions of the type of service that an application is allowed to run on a given host

A

user accounts — the parameters defining user access and behavior
listening ports — the TCP and UDP daemons and ports that are allowed to be open on the server
software environment — the tasks, processes, and applications that are permitted to run on the server
service accounts — the definitions of the type of service that an application is allowed to run on a given host

The elements of a server profile include the following:
Listening ports – the TCP and UDP daemons and ports that are allowed to be open on the server
User accounts – the parameters defining user access and behavior
Service accounts – the definitions of the type of service that an application is allowed to run on a given host
Software environment – the tasks, processes, and applications that are permitted to run on the server

9
Q

In addressing an identified risk, which strategy aims to shift some of the risk to other parties?

risk avoidance
risk sharing
risk retention
risk reduction

A

risk sharing

10
Q

What is a network tap?

a technology used to provide real-time reporting and long-term analysis of security events
a Cisco technology that provides statistics on packets flowing through a router or multilayer switch
a feature supported on Cisco switches that enables the switch to copy frames and forward them to an analysis device
a passive device that forwards all traffic and physical layer errors to an analysis device

A

a passive device that forwards all traffic and physical layer errors to an analysis device

11
Q

Match the monitoring tool to the definition.

NetFlow
Wireshark
SNMP
SIEM
——————–
presents real-time reporting and long-term analysis of security events
provides statistics on packets flowing through a Cisco router or multilayer switch
captures packets and saves them as PCAP file
retrieves information on the operation of network devices

A

SIEM — presents real-time reporting and long-term analysis of security events
NetFlow — provides statistics on packets flowing through a Cisco router or multilayer switch
Wireshark — captures packets and saves them as PCAP file
SNMP — retrieves information on the operation of network devices

12
Q

If a SOC has a goal of 99.999% uptime, how many minutes of downtime a year would be considered within its goal?

Approximately 5 minutes per year.
Approximately 10 minutes per year
Approximately 20 minutes per year.
Approximately 30 minutes per year.

A

Approximately 5 minutes per year.

Within a year, there are 365 days × 24 hours a day × 60 minutes per hour = 525,600 minutes. With a goal of 99.999% uptime, downtime must be kept under 525,600 × (1 − 0.99999) = 5.256 minutes a year.

13
Q

The HTTP server has responded to a client request with a 200 status code. What does this status code indicate?

The request is understood by the server, but the resource will not be fulfilled.
The request was completed successfully.
The server could not find the requested resource, possibly because of an incorrect URL.
The request has been accepted for processing, but processing is not completed.

A

The request was completed successfully.

14
Q

What is an advantage for small organizations of adopting IMAP instead of POP?

POP only allows the client to store messages in a centralized way, while IMAP allows distributed storage.
IMAP sends and retrieves email, but POP only retrieves email.
When the user connects to a POP server, copies of the messages are kept in the mail server for a short time, but IMAP keeps them for a long time.
Messages are kept in the mail servers until they are manually deleted from the email client.

A

Messages are kept in the mail servers until they are manually deleted from the email client.

IMAP and POP are protocols that are used to retrieve email messages. The advantage of using IMAP instead of POP is that when the user connects to an IMAP-capable server, copies of the messages are downloaded to the client application. IMAP then stores the email messages on the server until the user manually deletes those messages.

15
Q

What debugging security tool can be used by black hats to reverse engineer binary files when writing exploits?

WinDbg
Firesheep
Skipfish
AIDE

A

WinDbg

16
Q

question 17 https://itexamanswers.net/cyberops-associate-version-1-0-final-exam-answers.html

A
17
Q

What are two features of ARP? (Choose two.)

When a host is encapsulating a packet into a frame, it refers to the MAC address table to determine the mapping of IP addresses to MAC addresses.
If a host is ready to send a packet to a local destination device and it has the IP address but not the MAC address of the destination, it generates an ARP broadcast.
If a device receiving an ARP request has the destination IPv4 address, it responds with an ARP reply.
If no device responds to the ARP request, then the originating node will broadcast the data packet to all devices on the network segment.
An ARP request is sent to all devices on the Ethernet LAN and contains the IP address of the destination host and the multicast MAC address.

A

If a host is ready to send a packet to a local destination device and it has the IP address but not the MAC address of the destination, it generates an ARP broadcast.
If a device receiving an ARP request has the destination IPv4 address, it responds with an ARP reply.

When a node encapsulates a data packet into a frame, it needs the destination MAC address. First it determines if the destination device is on the local network or on a remote network. Then it checks the ARP table (not the MAC table) to see if a pair of IP address and MAC address exists for either the destination IP address (if the destination host is on the local network) or the default gateway IP address (if the destination host is on a remote network). If the match does not exist, it generates an ARP broadcast to seek the IP address to MAC address resolution. Because the destination MAC address is unknown, the ARP request is broadcast with the MAC address FFFF.FFFF.FFFF. Either the destination device or the default gateway will respond with its MAC address, which enables the sending node to assemble the frame. If no device responds to the ARP request, then the originating node will discard the packet because a frame cannot be created.

18
Q

What is a property of the ARP table on a device?

Entries in an ARP table are time-stamped and are purged after the timeout expires.
Every operating system uses the same timer to remove old entries from the ARP cache.
Static IP-to-MAC address entries are removed dynamically from the ARP table.
Windows operating systems store ARP cache entries for 3 minutes.

A

Entries in an ARP table are time-stamped and are purged after the timeout expires.

19
Q

What is the purpose of Tor?

to allow users to browse the Internet anonymously
to securely connect to a remote network over an unsecure link such as an Internet connection
to donate processor cycles to distributed computational tasks in a processor sharing P2P network
to inspect incoming traffic and look for any that violates a rule or matches the signature of a known exploit

A

to allow users to browse the Internet anonymously

Tor is a software platform and network of peer-to-peer (P2P) hosts that function as routers. Users access the Tor network by using a special browser that allows them to browse anonymously.

20
Q

Which two network protocols can be used by a threat actor to exfiltrate data in traffic that is disguised as normal network traffic? (Choose two.)

NTP
DNS
HTTP
syslog
SMTP
A

DNS

HTTP

21
Q

What is a key difference between the data captured by NetFlow and data captured by Wireshark?

NetFlow data shows network flow contents whereas Wireshark data shows network flow statistics.
NetFlow data is analyzed by tcpdump whereas Wireshark data is analyzed by nfdump.
NetFlow provides transaction data whereas Wireshark provides session data.
NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.

A

NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.

Wireshark captures the entire contents of a packet. NetFlow does not. Instead, NetFlow collects metadata, or data about the flow.

22
Q

Which tool captures full data packets with a command-line interface only?

nfdump
Wireshark
NBAR2
tcpdump

A

tcpdump

The command-line tool tcpdump is a packet analyzer. Wireshark is a packet analyzer with a GUI interface.

23
Q

Which method can be used to harden a device?

maintain use of the same passwords
allow default services to remain enabled
allow USB auto-detection
use SSH and disable the root account access over SSH

A

use SSH and disable the root account access over SSH

The basic best practices for device hardening are as follows:
Ensure physical security.
Minimize installed packages.
Disable unused services.
Use SSH and disable the root account login over SSH.
Keep the system updated.
Disable USB auto-detection.
Enforce strong passwords.
Force periodic password changes.
Keep users from re-using old passwords.
Review logs regularly.
24
Q

In a Linux operating system, which component interprets user commands and attempts to execute them?

GUI
daemon
kernel
shell

A

shell

25
Q

A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication? (Choose two.)

encryption for all communication
encryption for only the data
single process for authentication and authorization
separate processes for authentication and authorization
hidden passwords during transmission

A

single process for authentication and authorization
hidden passwords during transmission

RADIUS authentication supports the following features:
RADIUS authentication and authorization as one process
Encrypts only the password
Utilizes UDP
Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP)

26
Q

What is privilege escalation?

Vulnerabilities in systems are exploited to grant higher levels of privilege than someone or some process should have.
Everyone is given full rights by default to everything and rights are taken away only when someone abuses privileges.
Someone is given rights because she or he has received a promotion.
A security problem occurs when high ranking corporate officials demand rights to systems or files that they should not have.

A

Vulnerabilities in systems are exploited to grant higher levels of privilege than someone or some process should have.

With privilege escalation, vulnerabilities are exploited to grant higher levels of privilege. After the privilege is granted, the threat actor can access sensitive information or take control of the system.

27
Q

What two assurances does digital signing provide about code that is downloaded from the Internet? (Choose two.)

The code contains no viruses.
The code has not been modified since it left the software publisher.
The code is authentic and is actually sourced by the publisher.
The code contains no errors.
The code was encrypted with both a private and public key.

A

The code has not been modified since it left the software publisher.
The code is authentic and is actually sourced by the publisher.

Digitally signing code provides several assurances about the code:
The code is authentic and is actually sourced by the publisher.
The code has not been modified since it left the software publisher.
The publisher undeniably published the code. This provides nonrepudiation of the act of publishing.

28
Q

An IT enterprise is recommending the use of PKI applications to securely exchange information between the employees. In which two cases might an organization use PKI applications to securely exchange information between users? (Choose two.)

HTTPS web service
802.1x authentication
local NTP server
FTP transfers
file and directory access permission
A

HTTPS web service
802.1x authentication

The Public Key Infrastructure (PKI) is a third-party system referred to as a certificate authority or CA. The PKI is the framework used to securely exchange information between parties. Common PKI applications are as follows:

SSL/TLS certificate-based peer authentication
Secure network traffic using IPsec VPNs
HTTPS Web traffic
Control access to the network using 802.1x authentication
Secure email using the S/MIME protocol
Secure instant messaging
Approve and authorize applications with Code Signing
Protect user data with the Encryption File System (EFS)
Implement two-factor authentication with smart cards
Securing USB storage devices

29
Q

Which measure can a security analyst take to perform effective security monitoring against network traffic encrypted by SSL technology?

Use a Syslog server to capture network traffic.
Deploy a Cisco SSL Appliance.
Require remote access connections through IPsec VPN.
Deploy a Cisco ASA.

A

Require remote access connections through IPsec VPN.

30
Q

An administrator is trying to develop a BYOD security policy for employees that are bringing a wide range of devices to connect to the company network. Which three objectives must the BYOD security policy address? (Choose three.)

All devices must be insured against liability if used to compromise the corporate network.
All devices must have open authentication with the corporate network.
Rights and activities permitted on the corporate network must be defined.
Safeguards must be put in place for any personal device being compromised.
The level of access of employees when connecting to the corporate network must be defined.
All devices should be allowed to attach to the corporate network flawlessly.

A

Rights and activities permitted on the corporate network must be defined.
Safeguards must be put in place for any personal device being compromised.
The level of access of employees when connecting to the corporate network must be defined.

31
Q

question 32 https://itexamanswers.net/cyberops-associate-version-1-0-final-exam-answers.html

A
32
Q

question 33 https://itexamanswers.net/cyberops-associate-version-1-0-final-exam-answers.html

A
33
Q

What type of attack targets an SQL database using the input field of a user?

XML injection
buffer overflow
Cross-site scripting
SQL injection

A

SQL injection

A criminal can insert a malicious SQL statement in an entry field on a website where the system does not filter the user input correctly.

34
Q

What are two characteristics of Ethernet MAC addresses? (Choose two.)

MAC addresses use a flexible hierarchical structure.
They are expressed as 12 hexadecimal digits.
They are globally unique.
They are routable on the Internet.
MAC addresses must be unique for both Ethernet and serial interfaces on a device.

A

They are expressed as 12 hexadecimal digits.

They are globally unique.

35
Q

A user calls to report that a PC cannot access the internet. The network technician asks the user to issue the command ping 127.0.0.1 in a command prompt window. The user reports that the result is four positive replies. What conclusion can be drawn based on this connectivity test?

The IP address obtained from the DHCP server is correct.
The PC can access the network. The problem exists beyond the local network.
The PC can access the Internet. However, the web browser may not work.
The TCP/IP implementation is functional.

A

The TCP/IP implementation is functional.

36
Q

What characterizes a threat actor?

They are all highly-skilled individuals.
They always use advanced tools to launch attacks.
They always try to cause some harm to an individual or organization.
They all belong to organized crime.

A

They always try to cause some harm to an individual or organization.

37
Q

A computer is presenting a user with a screen requesting payment before the user data is allowed to be accessed by the same user. What type of malware is this?

a type of logic bomb
a type of virus
a type of worm
a type of ransomware

A

a type of ransomware

Ransomware commonly encrypts data on a computer and makes the data unavailable until the computer user pays a specific sum of money.

38
Q

Which ICMPv6 message type provides network addressing information to hosts that use SLAAC?

router solicitation
neighbor advertisement
neighbor solicitation
router advertisement

A

router advertisement

40
Q

Which tool included in the Security Onion is a series of software plugins that send different types of data to the Elasticsearch data stores?

Curator
Beats
OSSEC
ElastAlert

A

Beats

41
Q

Which two types of unreadable network traffic could be eliminated from data collected by NSM? (Choose two.)

STP traffic
IPsec traffic
routing updates traffic
SSL traffic
broadcast traffic
A

IPsec traffic
SSL traffic

To reduce the huge amount of data collected so that cybersecurity analysts can focus on critical threats, some less important or unusable data could be eliminated from the datasets. For example, encrypted data, such as IPsec and SSL traffic, could be eliminated because it is unreadable in a reasonable time frame.

42
Q

Which core open source component of the Elastic-stack is responsible for accepting the data in its native format and making elements of the data consistent across all sources?

Logstash
Kibana
Beats
Elasticsearch

A

Logstash

43
Q

question 43 https://itexamanswers.net/cyberops-associate-version-1-0-final-exam-answers.html

A
44
Q

In the NIST incident response process life cycle, which type of attack vector involves the use of brute force against devices, networks, or services?

media
impersonation
attrition
loss or theft

A

attrition

Common attack vectors include media, attrition, impersonation, and loss or theft. Attrition attacks are any attacks that use brute force. Media attacks are those initiated from storage devices. Impersonation attacks occur when something or someone is replaced for the purpose of the attack, and loss or theft attacks are initiated by equipment inside the organization.

45
Q

question 45 https://itexamanswers.net/cyberops-associate-version-1-0-final-exam-answers.html

A
46
Q

What is a characteristic of CybOX?

It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations.
It enables the real-time exchange of cyberthreat indicators between the U.S. Federal Government and the private sector.
It is a set of specifications for exchanging cyberthreat information between organizations.
It is the specification for an application layer protocol that allows the communication of CTI over HTTPS.

A

It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations.

47
Q

question 47 https://itexamanswers.net/cyberops-associate-version-1-0-final-exam-answers.html

A
48
Q

What are two ways that ICMP can be a security threat to a company? (Choose two.)

by collecting information about a network
by corrupting data between email servers and email recipients
by the infiltration of web pages
by corrupting network IP data packets
by providing a conduit for DoS attacks

A

by collecting information about a network
by providing a conduit for DoS attacks

ICMP can be used as a conduit for DoS attacks. It can be used to collect information about a network such as the identification of hosts and network structure, and by determining the operating systems being used on the network.

49
Q

Which three IPv4 header fields have no equivalent in an IPv6 header? (Choose three.)

fragment offset
protocol
flag
TTL
identification
version
A

fragment offset
flag
identification

Unlike IPv4, IPv6 routers do not perform fragmentation. Therefore, all three fields supporting fragmentation in the IPv4 header are removed and have no equivalent in the IPv6 header. These three fields are fragment offset, flag, and identification. IPv6 does support host packet fragmentation through the use of extension headers, which are not part of the IPv6 header.

50
Q

Which two net commands are associated with network resource sharing? (Choose two.)

net start
net accounts
net share
net use
net stop
A

net share
net use

The net command is a very important command. Some common net commands include these:

net accounts – sets password and logon requirements for users
net session – lists or disconnects sessions between a computer and other computers on the network
net share – creates, removes, or manages shared resources
net start – starts a network service or lists running network services
net stop – stops a network service
net use – connects, disconnects, and displays information about shared network resources
net view – shows a list of computers and network devices on the network

51
Q

question 51 https://itexamanswers.net/cyberops-associate-version-1-0-final-exam-answers.html

A
52
Q

Which PDU format is used when bits are received from the network medium by the NIC of a host?

segment
file
packet
frame

A

frame

When received at the physical layer of a host, the bits are formatted into a frame at the data link layer. A packet is the PDU at the network layer. A segment is the PDU at the transport layer. A file is a data structure that may be used at the application layer.

53
Q

A user is executing a tracert to a remote device. At what point would a router, which is in the path to the destination device, stop forwarding the packet?

when the router receives an ICMP Time Exceeded message
when the values of both the Echo Request and Echo Reply messages reach zero
when the RTT value reaches zero
when the value in the TTL field reaches zero
when the host responds with an ICMP Echo Reply message

A

when the value in the TTL field reaches zero

When a router receives a traceroute packet, the value in the TTL field is decremented by 1. When the value in the field reaches zero, the receiving router will not forward the packet, and will send an ICMP Time Exceeded message back to the source.

54
Q

Q 54 https://itexamanswers.net/cyberops-associate-version-1-0-final-exam-answers.html

A
55
Q

For what purpose would a network administrator use the Nmap tool?

protection of the private IP addresses of internal hosts
identification of specific network anomalies
collection and analysis of security alerts and logs
detection and identification of open ports

A

detection and identification of open ports

56
Q

Q 56 https://itexamanswers.net/cyberops-associate-version-1-0-final-exam-answers.html

A
57
Q

Q 57 https://itexamanswers.net/cyberops-associate-version-1-0-final-exam-answers.html

A
58
Q

Q 58 https://itexamanswers.net/cyberops-associate-version-1-0-final-exam-answers.html

A
59
Q

Q 59 https://itexamanswers.net/cyberops-associate-version-1-0-final-exam-answers.html

A
60
Q

What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?

DHCP starvation
IP address spoofing
DHCP spoofing
CAM table attack

A

DHCP starvation

DHCP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages in order to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.

61
Q

Q 61 https://itexamanswers.net/cyberops-associate-version-1-0-final-exam-answers.html

A
62
Q

A company has a file server that shares a folder named Public. The network security policy specifies that the Public folder is assigned Read-Only rights to anyone who can log into the server while the Edit rights are assigned only to the network admin group. Which component is addressed in the AAA network service framework?

automation
authentication
authorization
accounting

A

authorization

After a user is successfully authenticated (logged into the server), the authorization is the process of determining what network resources the user can access and what operations (such as read or edit) the user can perform.

63
Q

Q 63 https://itexamanswers.net/cyberops-associate-version-1-0-final-exam-answers.html

A
64
Q

A person coming to a cafe for the first time wants to gain wireless access to the Internet using a laptop. What is the first step the wireless client will do in order to communicate over the network using a wireless management frame?

associate with the AP
authenticate to the AP
discover the AP
agree with the AP on the payload

A

discover the AP

In order for wireless devices to communicate on a wireless network, management frames are used to complete a three-stage process:

Discover the AP
Authenticate with the AP
Associate with the AP

65
Q

A device has been assigned the IPv6 address of 2001:0db8:cafe:4500:1000:00d8:0058:00ab/64. Which is the network identifier of the device?

2001:0db8:cafe:4500:1000
2001:0db8:cafe:4500:1000:00d8:0058:00ab
1000:00d8:0058:00ab
2001:0db8:cafe:4500
2001

A

2001:0db8:cafe:4500

The address has a prefix length of /64. Thus the first 64 bits represent the network portion, whereas the last 64 bits represent the host portion of the IPv6 address.

66
Q

An administrator wants to create four subnetworks from the network address 192.168.1.0/24. What is the network address and subnet mask of the second usable subnet?

subnetwork 192.168.1.64
subnet mask 255.255.255.192

subnetwork 192.168.1.64
subnet mask 255.255.255.240

subnetwork 192.168.1.32
subnet mask 255.255.255.240

subnetwork 192.168.1.128
subnet mask 255.255.255.192

subnetwork 192.168.1.8
subnet mask 255.255.255.224

A

subnetwork 192.168.1.64

subnet mask 255.255.255.192

67
Q

What term describes a set of software tools designed to increase the privileges of a user or to grant access to the user to portions of the operating system that should not normally be allowed?

compiler
rootkit
package manager
penetration testing

A

rootkit

A rootkit is used by an attacker to secure a backdoor to a compromised computer, grant access to portions of the operating system normally not permitted, or increase the privileges of a user.

68
Q

The IT security personnel of an organization notice that the web server deployed in the DMZ is frequently targeted by threat actors. The decision is made to implement a patch management system to manage the server. Which risk management strategy method is being used to respond to the identified risk?

risk sharing
risk avoidance
risk reduction
risk retention

A

risk reduction

There are four potential strategies for responding to risks that have been identified:

Risk avoidance – Stop performing the activities that create risk.

Risk reduction – Decrease the risk by taking measures to reduce vulnerability.

Risk sharing – Shift some of the risk to other parties.

Risk retention – Accept the risk and its consequences.

69
Q

What are three characteristics of an information security management system? (Choose three.)

It involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise.
It is a systematic and multilayered approach to cybersecurity.
It addresses the inventory and control of hardware and software configurations of systems.
It consists of a set of practices that are systematically applied to ensure continuous improvement in information security.
It consists of a management framework through which an organization identifies, analyzes, and addresses information security risks.
It is based on the application of servers and security devices.

A

It is a systematic and multilayered approach to cybersecurity.
It consists of a set of practices that are systematically applied to ensure continuous improvement in information security.
It consists of a management framework through which an organization identifies, analyzes, and addresses information security risks.

An Information Security Management System (ISMS) consists of a management framework through which an organization identifies, analyzes, and addresses information security risks. ISMSs are not based in servers or security devices. Instead, an ISMS consists of a set of practices that are systematically applied by an organization to ensure continuous improvement in information security. ISMSs provide conceptual models that guide organizations in planning, implementing, governing, and evaluating information security programs.

ISMSs are a natural extension of the use of popular business models, such as Total Quality Management (TQM) and Control Objectives for Information and Related Technologies (COBIT), into the realm of cybersecurity.

An ISMS is a systematic, multi-layered approach to cybersecurity. The approach includes people, processes, technologies, and the cultures in which they interact in a process of risk management.

70
Q

Which three technologies should be included in a SOC security information and event management system? (Choose three.)

event collection, correlation, and analysis
security monitoring
user authentication
proxy service
intrusion prevention
threat intelligence

A

event collection, correlation, and analysis
security monitoring
threat intelligence

Technologies in a SOC should include the following:
• Event collection, correlation, and analysis
• Security monitoring
• Security control
• Log management
• Vulnerability assessment
• Vulnerability tracking
• Threat intelligence
Proxy server, VPN, and IPS are security devices deployed in the network infrastructure.

71
Q

What part of the URL, http://www.cisco.com/index.html, represents the top-level DNS domain?

http
www
.com
index

A

.com

The components of the URL http://www.cisco.com/index.html are as follows:
http = protocol
www = part of the server name
cisco = part of the domain name
index = file name
com = the top-level domain
72
Q

What best describes the security threat of spoofing?

sending bulk email to individuals, lists, or domains with the intention to prevent users from accessing email
sending abnormally large amounts of data to a remote server to prevent user access to the server services
intercepting traffic between two hosts or inserting false information into traffic between two hosts
making data appear to come from a source that is not the actual source

A

making data appear to come from a source that is not the actual source

73
Q

A newly created company has fifteen Windows 10 computers that need to be installed before the company can open for business. What is a best practice that the technician should implement when configuring the Windows Firewall?

The technician should remove all default firewall rules and selectively deny traffic from reaching the company network.
After implementing third party security software for the company, the technician should verify that the Windows Firewall is disabled.
The technician should create instructions for corporate users on how to allow an app through the Windows Firewall using the Administrator account.
The technician should enable the Windows Firewall for inbound traffic and install other firewall software for outbound traffic control.

A

After implementing third party security software for the company, the technician should verify that the Windows Firewall is disabled.

Only disable Windows Firewall if other firewall software is installed. Use the Windows Firewall (Windows 7 or 8) or the Windows Defender Firewall (Windows 10) Control Panel to enable or disable the Windows Firewall.

74
Q

Which statement defines the difference between session data and transaction data in logs?

Session data analyzes network traffic and predicts network behavior, whereas transaction data records network sessions.
Session data is used to make predictions on network behaviors, whereas transaction data is used to detect network anomalies.
Session data records a conversation between hosts, whereas transaction data focuses on the result of network sessions.
Session data shows the result of a network session, whereas transaction data is in response to network threat traffic.

A

Session data records a conversation between hosts, whereas transaction data focuses on the result of network sessions.

75
Q

Q 75

A
76
Q

Which device supports the use of SPAN to enable monitoring of malicious activity?

Cisco Catalyst switch
Cisco IronPort
Cisco NAC
Cisco Security Agent

A

Cisco Catalyst switch

SPAN is a Cisco technology that allows all of the traffic from one port to be redirected to another port.

77
Q

Which term is used for describing automated queries that are useful for adding efficiency to the cyberoperations workflow?

cyber kill chain
playbook
chain of custody
rootkit

A

playbook

A playbook is an automated query that can add efficiency to the cyberoperations workflow.

78
Q

When ACLs are configured to block IP address spoofing and DoS flood attacks, which ICMP message should be allowed both inbound and outbound?

echo reply
unreachable
source quench
echo

A

echo

79
Q

After a security monitoring tool identifies a malware attachment entering the network, what is the benefit of performing a retrospective analysis?

It can identify how the malware originally entered the network.
A retrospective analysis can help in tracking the behavior of the malware from the identification point forward.
It can calculate the probability of a future incident.
It can determine which network host was first affected.

A

A retrospective analysis can help in tracking the behavior of the malware from the identification point forward.

General security monitoring can identify when a malware attachment enters a network and which host is first infected. Retrospective analysis takes the next step and is the tracking of the behavior of the malware from that point forward.

80
Q

Which two data types would be classified as personally identifiable information (PII)? (Choose two.)

house thermostat reading
average number of cattle per region
vehicle identification number
hospital emergency use per region
Facebook photographs

A

vehicle identification number

Facebook photographs

81
Q

A help desk technician notices an increased number of calls relating to the performance of computers located at the manufacturing plant. The technician believes that botnets are causing the issue. What are two purposes of botnets? (Choose two.)

to transmit viruses or spam to computers on the same network
to record any and all keystrokes
to attack other computers
to withhold access to a computer or files until money has been paid
to gain access to the restricted part of the operating system

A

to transmit viruses or spam to computers on the same network
to attack other computers

Botnets can be used to perform DDoS attacks, obtain data, or transmit malware to other devices on the network.

82
Q

Which two statements describe the use of asymmetric algorithms? (Choose two.)

Public and private keys may be used interchangeably.
If a public key is used to encrypt the data, a private key must be used to decrypt the data.
If a public key is used to encrypt the data, a public key must be used to decrypt the data.
If a private key is used to encrypt the data, a public key must be used to decrypt the data.
If a private key is used to encrypt the data, a private key must be used to decrypt the data.

A

If a public key is used to encrypt the data, a private key must be used to decrypt the data.
If a private key is used to encrypt the data, a public key must be used to decrypt the data.

Asymmetric algorithms use two keys: a public key and a private key. Both keys are capable of the encryption process, but the complementary matched key is required for decryption. If a public key encrypts the data, the matching private key decrypts the data. The opposite is also true. If a private key encrypts the data, the corresponding public key decrypts the data.

83
Q

Which three security services are provided by digital signatures? (Choose three.)

provides nonrepudiation using HMAC functions
guarantees data has not changed in transit
provides data encryption
authenticates the source
provides confidentiality of digitally signed data
authenticates the destination

A

guarantees data has not changed in transit
provides data encryption
authenticates the source

Digital signatures are a mathematical technique used to provide three basic security services. Digital signatures have specific properties that enable entity authentication and data integrity. In addition, digital signatures provide nonrepudiation of the transaction. In other words, the digital signature serves as legal proof that the data exchange did take place.

84
Q

What are two methods to maintain certificate revocation status? (Choose two.)

CRL
DNS
subordinate CA
OCSP
LDAP

A

CRL
OCSP

A digital certificate might need to be revoked if its key is compromised or it is no longer needed. The certificate revocation list (CRL) and the Online Certificate Status Protocol (OCSP) are two common methods to check the revocation status of a certificate.

85
Q

What are two uses of an access control list? (Choose two.)

ACLs provide a basic level of security for network access.
ACLs can control which areas a host can access on a network.
Standard ACLs can restrict access to specific applications and ports.
ACLs assist the router in determining the best path to a destination.
ACLs can permit or deny traffic based upon the MAC address originating on the router.

A

ACLs provide a basic level of security for network access.
ACLs can control which areas a host can access on a network.

ACLs can be used for the following:

Limit network traffic in order to provide adequate network performance
Restrict the delivery of routing updates
Provide a basic level of security
Filter traffic based on the type of traffic being sent
Filter traffic based on IP addressing

86
Q

What are two uses of an access control list? (Choose two.)

ACLs provide a basic level of security for network access.
ACLs can control which areas a host can access on a network.
Standard ACLs can restrict access to specific applications and ports.
ACLs assist the router in determining the best path to a destination.
ACLs can permit or deny traffic based upon the MAC address originating on the router.

A

ACLs provide a basic level of security for network access.
ACLs can control which areas a host can access on a network.

ACLs can be used for the following:

Limit network traffic in order to provide adequate network performance
Restrict the delivery of routing updates
Provide a basic level of security
Filter traffic based on the type of traffic being sent
Filter traffic based on IP addressing

87
Q

A client is using SLAAC to obtain an IPv6 address for the interface. After an address has been generated and applied to the interface, what must the client do before it can begin to use this IPv6 address?

It must send an ICMPv6 Router Solicitation message to determine what default gateway it should use.
It must send an ICMPv6 Router Solicitation message to request the address of the DNS server.
It must send an ICMPv6 Neighbor Solicitation message to ensure that the address is not already in use on the network.
It must wait for an ICMPv6 Router Advertisement message giving permission to use this address.

A

It must send an ICMPv6 Neighbor Solicitation message to ensure that the address is not already in use on the network.

Stateless DHCPv6 or stateful DHCPv6 uses a DHCP server, but Stateless Address Autoconfiguration (SLAAC) does not. A SLAAC client can automatically generate an address that is based on information from local routers via Router Advertisement (RA) messages. Once an address has been assigned to an interface via SLAAC, the client must ensure via Duplicate Address Detection (DAD) that the address is not already in use. It does this by sending out an ICMPv6 Neighbor Solicitation message and listening for a response. If a response is received, then it means that another device is already using this address.

88
Q

A technician is troubleshooting a network connectivity problem. Pings to the local wireless router are successful but pings to a server on the Internet are unsuccessful. Which CLI command could assist the technician to find the location of the networking problem?

tracert
ipconfig
msconfig
ipconfig/renew

A

tracert

The tracert utility (also known as the tracert command or tracert tool) will enable the technician to locate the link to the server that is down. The ipconfig command displays the computer network configuration details. The ipconfig/renew command requests an IP address from a DHCP server. Msconfig is not a network troubleshooting command.

89
Q

What are two evasion techniques that are used by hackers? (Choose two.)

Trojan horse
pivot
rootkit
reconnaissance
phishing

A

pivot
rootkit

The following methods are used by hackers to avoid detection:

Encryption and tunneling – hide or scramble the malware content
Resource exhaustion – keeps the host device too busy to detect the invasion
Traffic fragmentation – splits the malware into multiple packets
Protocol-level misinterpretation – sneaks by the firewall
Pivot – uses a compromised network device to attempt access to another device
Rootkit – allows the hacker to be undetected and hides software installed by the hacker

90
Q

When a security attack has occurred, which two approaches should security professionals take to mitigate a compromised system during the Actions on Objectives step as defined by the Cyber Kill Chain model? (Choose two.)

Perform forensic analysis of endpoints for rapid triage.
Train web developers for securing code.
Build detections for the behavior of known malware.
Collect malware files and metadata for future analysis.
Detect data exfiltration, lateral movement, and unauthorized credential usage.

A

Perform forensic analysis of endpoints for rapid triage.
Detect data exfiltration, lateral movement, and unauthorized credential usage.

When security professionals are alerted about a system compromise, forensic analysis of endpoints should be performed immediately for rapid triage. In addition, detection efforts for further attack activity such as data exfiltration, lateral movement, and unauthorized credential usage should be enhanced to keep the damage to a minimum.

91
Q

Q 90

A
92
Q

Which field in the TCP header indicates the status of the three-way handshake process?

control bits
window
reserved
checksum

A

control bits

The value in the control bits field of the TCP header indicates the progress and status of the connection.

93
Q

A user opens three browsers on the same PC to access www.cisco.com to search for certification course information. The Cisco web server sends a datagram as a reply to the request from one of the web browsers. Which information is used by the TCP/IP protocol stack in the PC to identify which of the three web browsers should receive the reply?

the source IP address
the destination port number
the destination IP address
the source port number

A

the destination port number

Each web browser client application opens a randomly generated port number in the range of the registered ports and uses this number as the source port number in the datagram that it sends to a server. The server then uses this port number as the destination port number in the reply datagram that it sends to the web browser. The PC that is running the web browser application receives the datagram and uses the destination port number that is contained in this datagram to identify the client application.

94
Q

What are two scenarios where probabilistic security analysis is best suited? (Choose two.)

when applications that conform to application/networking standards are analyzed
when analyzing events with the assumption that they follow predefined steps
when random variables create difficulty in knowing with certainty the outcome of any given event
when analyzing applications designed to circumvent firewalls
when each event is the inevitable result of antecedent causes

A

when analyzing events with the assumption that they follow predefined steps
when analyzing applications designed to circumvent firewalls

95
Q

Which tool is a web application that provides the cybersecurity analyst an easy-to-read means of viewing an entire Layer 4 session?

Snort
Zeek
CapME
OSSEC

A

CapME

96
Q

Q 95

A
97
Q

What are two characteristics of the SLAAC method for IPv6 address configuration? (Choose two.)

The default gateway of an IPv6 client on a LAN will be the link-local address of the router interface attached to the LAN.
This stateful method of acquiring an IPv6 address requires at least one DHCPv6 server.
Clients send router advertisement messages to routers to request IPv6 addressing.
IPv6 addressing is dynamically assigned to clients through the use of ICMPv6.
Router solicitation messages are sent by the router to offer IPv6 addressing to clients.

A

The default gateway of an IPv6 client on a LAN will be the link-local address of the router interface attached to the LAN.
IPv6 addressing is dynamically assigned to clients through the use of ICMPv6.

98
Q

A technician notices that an application is not responding to commands and that the computer seems to respond slowly when applications are opened. What is the best administrative tool to force the release of system resources from the unresponsive application?

Event Viewer
System Restore
Add or Remove Programs
Task Manager

A

Task Manager

Use the Task Manager Performance tab to see a visual representation of CPU and RAM utilization. This is helpful in determining if more memory is needed. Use the Applications tab to halt an application that is not responding.

99
Q

How can statistical data be used to describe or predict network behavior?

by comparing normal network behavior to current network behavior
by recording conversations between network endpoints
by listing results of user web surfing activities
by displaying alert messages that are generated by Snort

A

by comparing normal network behavior to current network behavior

Statistical data is created through the analysis of other forms of network data. Statistical characteristics of normal network behavior can be compared to current network traffic in an effort to detect anomalies. Conclusions resulting from analysis can be used to describe or predict network behavior.

100
Q

Which metric in the CVSS Base Metric Group is used with an attack vector?

the proximity of the threat actor to the vulnerability
the presence or absence of the requirement for user interaction in order for an exploit to be successful
the determination whether the initial authority changes to a second authority during the exploit
the number of components, software, hardware, or networks, that are beyond the control of the attacker and that must be present in order for a vulnerability to be successfully exploited

A

the proximity of the threat actor to the vulnerability

This is a metric that reflects the proximity of the threat actor to the vulnerable component. The more remote the threat actor is to the component, the higher the severity. Threat actors close to your network or inside your network are easier to detect and mitigate.

101
Q

Which NIST Cybersecurity Framework core function is concerned with the development and implementation of safeguards that ensure the delivery of critical infrastructure services?

respond
detect
identify
recover
protect

A

protect

102
Q

Which two techniques are used in a smurf attack? (Choose two.)

session hijacking
resource exhaustion
botnets
amplification
reflection

A

amplification

reflection

103
Q

What is the primary objective of a threat intelligence platform (TIP)?

to aggregate the data in one place and present it in a comprehensible and usable format
to provide a specification for an application layer protocol that allows the communication of CTI over HTTPS
to provide a standardized schema for specifying, capturing, characterizing, and communicating events and properties of network operations
to provide a security operations platform that integrates and enhances diverse security tools and threat intelligence

A

to aggregate the data in one place and present it in a comprehensible and usable format

104
Q

Which wireless parameter is used by an access point to broadcast frames that include the SSID?

security mode
active mode
passive mode
channel setting

A

passive mode

The two scanning or probing modes an access point can be placed into are passive or active. In passive mode, the AP advertises the SSID, supported standards, and security settings in broadcast beacon frames. In active mode, the wireless client must be manually configured for the same wireless parameters as the AP has configured.

105
Q

Q 104

A
106
Q

An employee connects wirelessly to the company network using a cell phone. The employee then configures the cell phone to act as a wireless access point that will allow new employees to connect to the company network. Which type of security threat best describes this situation?

rogue access point
cracking
denial of service
spoofing

A

rogue access point

Configuring the cell phone to act as a wireless access point means that the cell phone is now a rogue access point. The employee unknowingly breached the security of the company network by allowing a user to access the network without connecting through the company access point. Cracking is the process of obtaining passwords from data stored or transmitted on a network. Denial of service attacks refer to sending large amounts of data to a networked device, such as a server, to prevent legitimate access to the server. Spoofing refers to access gained to a network or data by an attacker appearing to be a legitimate network device or user.

107
Q

What information is required for a WHOIS query?

outside global address of the client
ICANN lookup server address
link-local address of the domain owner
FQDN of the domain

A

FQDN of the domain

108
Q

Which two statements describe the characteristics of symmetric algorithms? (Choose two.)

They are referred to as a pre-shared key or secret key.
They use a pair of a public key and a private key.
They are commonly used with VPN traffic.
They provide confidentiality, integrity, and availability.

A

They are referred to as a pre-shared key or secret key.
They are commonly used with VPN traffic.

Symmetric encryption algorithms use the same key (also called a shared secret) to encrypt and decrypt the data. In contrast, asymmetric encryption algorithms use a pair of keys, one for encryption and another for decryption.

109
Q

What are two drawbacks to using HIPS? (Choose two.)

With HIPS, the success or failure of an attack cannot be readily determined.
With HIPS, the network administrator must verify support for all the different operating systems used in the network.
HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network.
If the network traffic stream is encrypted, HIPS is unable to access unencrypted forms of the traffic.
HIPS installations are vulnerable to fragmentation attacks or variable TTL attacks.

A

With HIPS, the network administrator must verify support for all the different operating systems used in the network.
HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network.

110
Q

What are three functions provided by the syslog service? (Choose three.)

to select the type of logging information that is captured
to periodically poll agents for data
to provide statistics on packets that are flowing through a Cisco device
to provide traffic analysis
to gather logging information for monitoring and troubleshooting
to specify the destinations of captured messages

A

to select the type of logging information that is captured
to gather logging information for monitoring and troubleshooting
to specify the destinations of captured messages

There are three primary functions provided by the syslog service:

gathering logging information
selection of the type of information to be logged
selection of the destination of the logged information

111
Q

Which consideration is important when implementing syslog in a network?

Enable the highest level of syslog available to ensure logging of all possible event messages.
Synchronize clocks on all network devices with a protocol such as Network Time Protocol.
Log all messages to the system buffer so that they can be displayed when accessing the router.
Use SSH to access syslog information.

A

Synchronize clocks on all network devices with a protocol such as Network Time Protocol.

112
Q

What are the two ways threat actors use NTP? (Choose two.)

They place an attachment inside an email message.
They attack the NTP infrastructure in order to corrupt the information used to log the attack.
They place iFrames on a frequently used corporate web page.
They encode stolen data as the subdomain portion where the nameserver is under control of an attacker.
Threat actors use NTP systems to direct DDoS attacks.

A

They attack the NTP infrastructure in order to corrupt the information used to log the attack.
Threat actors use NTP systems to direct DDoS attacks.

113
Q

Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)

password encryption
separate authentication and authorization processes
SIP support
utilization of transport layer protocols
802.1X support

A

password encryption
utilization of transport layer protocols

Both TACACS+ and RADIUS support password encryption (TACACS+ encrypts all communication) and use Layer 4 protocols (TACACS+ uses TCP and RADIUS uses UDP). TACACS+ supports separation of the authentication and authorization processes, while RADIUS combines authentication and authorization into one process. RADIUS supports remote access technology, such as 802.1X and SIP; TACACS+ does not.

114
Q

Q 113

A
115
Q

What are two types of attacks used on DNS open resolvers? (Choose two.)

amplification and reflection
fast flux
ARP poisoning
resource utilization
cushioning

A

amplification and reflection
resource utilization

Three types of attacks used on DNS open resolvers are as follows:

DNS cache poisoning – attacker sends spoofed falsified information to redirect users from legitimate sites to malicious sites
DNS amplification and reflection attacks – attacker sends an increased volume of attacks to mask the true source of the attack
DNS resource utilization attacks – a denial of service (DoS) attack that consumes server resources

116
Q

What are three goals of a port scan attack? (Choose three.)

to identify peripheral configurations
to determine potential vulnerabilities
to disable used ports and services
to identify operating systems
to identify active services
to discover system passwords

A

to determine potential vulnerabilities
to identify operating systems
to identify active services

117
Q

Which protocol or service uses UDP for a client-to-server communication and TCP for server-to-server communication?

HTTP
FTP
DNS
SMTP

A

DNS

Some applications may use both TCP and UDP. DNS uses UDP when clients send requests to a DNS server, and TCP when two DNS servers communicate directly.

118
Q

What is one difference between the client-server and peer-to-peer network models?

Only in the client-server model can file transfers occur.
A data transfer that uses a device serving in a client role requires that a dedicated server be present.
A peer-to-peer network transfers data faster than a transfer using a client-server network.
Every device in a peer-to-peer network can function as a client or a server.

A

Every device in a peer-to-peer network can function as a client or a server.

119
Q

Which statement is correct about network protocols?

They define how messages are exchanged between the source and the destination.
They all function in the network access layer of TCP/IP.
They are only required for exchange of messages between devices on remote networks.
Network protocols define the type of hardware that is used and how it is mounted in racks.

A

They define how messages are exchanged between the source and the destination.

Network protocols are implemented in hardware, or software, or both. They interact with each other within different layers of a protocol stack. Protocols have nothing to do with the installation of the network equipment. Network protocols are required to exchange information between source and destination devices in both local and remote networks.

120
Q

Which approach can help block potential malware delivery methods, as described in the Cyber Kill Chain model, on an Internet-facing web server?

Build detections for the behavior of known malware.
Collect malware files and metadata for future analysis.
Audit the web server to forensically determine the origin of exploit.
Analyze the infrastructure storage path used for files.

A

Analyze the infrastructure storage path used for files.

A threat actor may send the weapon through web interfaces to the target server, either in file uploads or coded web requests. By analyzing the infrastructure storage path used for files, security measures can be implemented to monitor and detect malware deliveries through these methods.

121
Q

Which meta-feature element in the Diamond Model classifies the general type of intrusion event?

phase
results
methodology
direction

A

methodology

Methodology – This is used to classify the general type of event, such as port scan, phishing, content delivery attack, SYN flood, etc.

122
Q

Which Linux command is used to manage processes?

chrootkit
ls
grep
kill

A

kill

The kill command is used to stop, restart, or pause a process. The chrootkit command is used to check the computer for rootkits, a set of software tools that can increase the privilege level of a user or grant access to portions of software normally not allowed. The grep command is used to look for a file or text within a file. The ls command is used to list files, directories, and file information.

123
Q

Which tool can be used in a Cisco AVC system to analyze and present the application analysis data into dashboard reports?

NetFlow
NBAR2
Prime
IPFIX

A

Prime

A management and reporting system, such as Cisco Prime, can be used to analyze and present the application analysis data into dashboard reports for use by network monitoring personnel.

124
Q

Which Windows Event Viewer log includes events regarding the operation of drivers, processes, and hardware?

system logs
application logs
security logs
setup logs

A

system logs

By default, Windows keeps four types of host logs:

Application logs – events logged by various applications
System logs – events about the operation of drivers, processes, and hardware
Setup logs – information about the installation of software, including Windows updates
Security logs – events related to security, such as logon attempts and operations related to file or object management and access

125
Q

Which method is used to make data unreadable to unauthorized users?

Encrypt the data.
Fragment the data.
Add a checksum to the end of the data.
Assign it a username and password.

A

Encrypt the data.

Network data can be encrypted using various cryptography applications so that the data is made unreadable to unauthorized users. Authorized users have the cryptography application so the data can be decrypted.

127
Q

For network systems, which management system addresses the inventory and control of hardware and software configurations?

asset management
vulnerability management
risk management
configuration management

A

configuration management

Configuration management addresses the inventory and control of hardware and software configurations of network systems.

129
Q

What are the three core functions provided by the Security Onion? (Choose three.)

business continuity planning
full packet capture
alert analysis
intrusion detection
security device management
threat containment
A

full packet capture
alert analysis
intrusion detection

Security Onion is an open source suite of Network Security Monitoring (NSM) tools for evaluating cybersecurity alerts. For cybersecurity analysts the Security Onion provides full packet capture, network-based and host-based intrusion detection systems, and alert analysis tools.

130
Q

In NAT terms, what address type refers to the globally routable IPv4 address of a destination host on the Internet?

outside global
inside global
outside local
inside local

A

outside global

From the perspective of a NAT device, inside global addresses are used by external users to reach internal hosts. Inside local addresses are the addresses assigned to internal hosts. Outside global addresses are the addresses of destinations on the external network. Outside local addresses are the actual private addresses of destination hosts behind other NAT devices.

131
Q

Which two fields or features does Ethernet examine to determine if a received frame is passed to the data link layer or discarded by the NIC? (Choose two.)

CEF
source MAC address
minimum frame size
auto-MDIX
Frame Check Sequence
A

minimum frame size
Frame Check Sequence

132
Q

Which type of data would be considered an example of volatile data?

web browser cache
memory registers
log files
temp files

A

memory registers

Volatile data is data stored in memory such as registers, cache, and RAM, or it is data that exists in transit. Volatile memory is lost when the computer loses power.

133
Q

What is the main purpose of exploitations by a threat actor through the weapon delivered to a target during the Cyber Kill Chain exploitation phase?

Launch a DoS attack.
Send a message back to a CnC controlled by the threat actor.
Break the vulnerability and gain control of the target.
Establish a back door into the system.

A

Break the vulnerability and gain control of the target.

After the weapon has been delivered, the threat actor uses it to break the vulnerability and gain control of the target. The threat actor will use an exploit that gains the desired effect, does it quietly, and avoids detection. Establishing a back door in the target system belongs to the installation phase.

135
Q

What three security tools does Cisco Talos maintain security incident detection rule sets for? (Choose three.)

Snort
NetStumbler
Socat
SpamCop
ClamAV
A

Snort
SpamCop
ClamAV

136
Q

Which host-based firewall uses a three-profile approach to configure the firewall functionality?

Windows Firewall
iptables
TCP Wrapper
nftables

A

Windows Firewall

Windows Firewall uses a profile-based approach to configuring firewall functionality. It uses three profiles, Public, Private, and Domain, to define firewall functions.

137
Q

When a user visits an online store website that uses HTTPS, the user browser queries the CA for a CRL. What is the purpose of this query?

to verify the validity of the digital certificate
to request the CA self-signed digital certificate
to check the length of key used for the digital certificate
to negotiate the best encryption to use

A

to verify the validity of the digital certificate

A digital certificate must be revoked if it is invalid. CAs maintain a certificate revocation list (CRL), a list of revoked certificate serial numbers that have been invalidated. The user browser will query the CRL to verify the validity of a certificate.

138
Q

Which step in the Vulnerability Management Life Cycle determines a baseline risk profile to eliminate risks based on asset criticality, vulnerability threat, and asset classification?

discover
assess
prioritize assets
verify

A

assess

The steps in the Vulnerability Management Life Cycle include these:

Discover – inventory all assets across the network and identify host details, including operating systems and open services, to identify vulnerabilities
Prioritize assets – categorize assets into groups or business units, and assign a business value to asset groups based on their criticality to business operations
Assess – determine a baseline risk profile to eliminate risks based on asset criticality, vulnerability threats, and asset classification
Report – measure the level of business risk associated with assets according to security policies. Document a security plan, monitor suspicious activity, and describe known vulnerabilities.
Remediate – prioritize according to business risk and fix vulnerabilities in order of risk
Verify – verify that threats have been eliminated through follow-up audits

139
Q

Which management system implements systems that track the location and configuration of networked devices and software across an enterprise?

asset management
vulnerability management
risk management
configuration management

A

asset management

Asset management involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise.

140
Q

A network administrator is reviewing server alerts because of reports of network slowness. The administrator confirms that an alert was an actual security incident. What is the security alert classification of this type of scenario?

false negative
true positive
true negative
false positive

A

true positive

141
Q

Which application layer protocol is used to provide file-sharing and print services to Microsoft applications?

SMTP
HTTP
SMB
DHCP

A

SMB

SMB is used in Microsoft networking for file-sharing and print services. The Linux operating system provides a method of sharing resources with Microsoft networks by using an implementation of SMB called Samba.

142
Q

Which device in a layered defense-in-depth approach denies connections initiated from untrusted networks to internal networks, but allows internal users within an organization to connect to untrusted networks?

access layer switch
firewall
internal router
IPS

A

firewall

A firewall is typically a second line of defense in a layered defense-in-depth approach to network security. The firewall typically connects to an edge router that connects to the service provider. The firewall tracks connections initiated within the company going out of the company and denies initiation of connections from external untrusted networks going to internal trusted networks.

143
Q

What are two potential network problems that can result from ARP operation? (Choose two.)

Large numbers of ARP request broadcasts could cause the host MAC address table to overflow and prevent the host from communicating on the network.
On large networks with low bandwidth, multiple ARP broadcasts could cause data communication delays.
Network attackers could manipulate MAC address and IP address mappings in ARP messages with the intent of intercepting network traffic.
Multiple ARP replies result in the switch MAC address table containing entries that match the MAC addresses of hosts that are connected to the relevant switch port.
Manually configuring static ARP associations could facilitate ARP poisoning or MAC address spoofing.

A

Network attackers could manipulate MAC address and IP address mappings in ARP messages with the intent of intercepting network traffic.

144
Q

Which three procedures in Sguil are provided to security analysts to address alerts? (Choose three.)

Escalate an uncertain alert.
Correlate similar alerts into a single line.
Categorize true positives.
Pivot to other information sources and tools.
Construct queries using Query Builder.
Expire false positives.

A

Escalate an uncertain alert.
Categorize true positives.
Expire false positives.

Sguil is a tool for addressing alerts. Three tasks can be completed in Sguil to manage alerts:

Alerts that have been found to be false positives can be expired.
An alert can be escalated if the cybersecurity analyst is uncertain how to handle it.
Events that have been identified as true positives can be categorized.

146
Q

Which two services are provided by the NetFlow tool? (Choose two.)

QoS configuration
usage-based network billing
log analysis
access list monitoring
network monitoring
A

usage-based network billing
network monitoring

NetFlow efficiently provides an important set of services for IP applications including network traffic accounting, usage-based network billing, network planning, security, denial of service monitoring capabilities, and network monitoring.

147
Q

An administrator discovers that a user is accessing a newly established website that may be detrimental to company security. What action should the administrator take first in terms of the security policy?

Ask the user to stop immediately and inform the user that this constitutes grounds for dismissal.
Create a firewall rule blocking the respective website.
Revise the AUP immediately and get all users to sign the updated AUP.
Immediately suspend the network privileges of the user.

A

Revise the AUP immediately and get all users to sign the updated AUP.

148
Q

Which two tasks can be performed by a local DNS server? (Choose two.)

allowing data transfer between two network devices
retrieving email messages
providing IP addresses to local hosts
forwarding name resolution requests between servers
mapping name-to-IP addresses for internal hosts

A

forwarding name resolution requests between servers
mapping name-to-IP addresses for internal hosts

149
Q

Which type of event is logged in Cisco Next-Generation IPS devices (NGIPS) using FirePOWER Services when changes have been detected in the monitored network?

intrusion
connection
host or endpoint
network discovery

A

network discovery

Network discovery events in Cisco NGIPS represent changes that have been detected in the monitored network.

150
Q

Which two actions should be taken during the preparation phase of the incident response life cycle defined by NIST? (Choose two.)

Acquire and deploy the tools that are needed to investigate incidents.
Detect all the incidents that occurred.
Meet with all involved parties to discuss the incident that took place.
Create and train the CSIRT.
Fully analyze the incident.

A

Acquire and deploy the tools that are needed to investigate incidents.
Create and train the CSIRT.

151
Q

What subnet mask is represented by the slash notation /20?

255.255.255.0
255.255.255.248
255.255.255.192
255.255.240.0
255.255.224.0
A

255.255.240.0

The slash notation /20 represents a subnet mask with 20 1s. This would translate to 11111111.11111111.11110000.00000000, which in turn converts to 255.255.240.0.

152
Q

What is the benefit of converting log file data into a common schema?

creates a data model based on fields of data from a source
creates a set of regex-based field extractions
allows the implementation of partial normalization and inspection
allows easy processing and analysis of datasets

A

allows easy processing and analysis of datasets

When data is converted into a universal format, it can be effectively structured for performing fast queries and event analysis.

153
Q

Which Cisco sponsored certification is designed to provide the first step in acquiring the knowledge and skills to work with a SOC team?

CCNA CyberOps Associate
CCNA Cloud
CCNA Security
CCNA Data Center

A

CCNA CyberOps Associate

154
Q

Which three IP addresses are considered private addresses? (Choose three.)

  1. 168.6.18
  2. 168.5.29
  3. 68.83.35
  4. 37.255.6
  5. 17.254.4
  6. 234.2.1
A
  1. 168.5.29
  2. 17.254.4
  3. 234.2.1

The designated private IP addresses are within the three IP address ranges:

10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255

155
Q

When establishing a network profile for an organization, which element describes the time between the establishment of a data flow and its termination?

bandwidth of the Internet connection
routing protocol convergence
session duration
total throughput

A

session duration

A network profile should include some important elements, such as the following:

Total throughput – the amount of data passing from a given source to a given destination in a given period of time
Session duration – the time between the establishment of a data flow and its termination
Ports used – a list of TCP or UDP processes that are available to accept data
Critical asset address space – the IP addresses or the logical location of essential systems or data

156
Q

What are the stages that a wireless device completes before it can communicate over a wireless LAN network?

discover a wireless AP, authenticate with the AP, associate with the AP
discover a wireless AP, associate with the AP, authorize with the AP
discover a wireless AP, associate with the AP, authenticate with the AP
discover a wireless AP, authorize with the AP, associate with the AP

A

discover a wireless AP, authenticate with the AP, associate with the AP

158
Q

What are two properties of a cryptographic hash function? (Choose two.)

Complex inputs will produce complex hashes.
The output is a fixed length.
The hash function is one way and irreversible.
Hash functions can be duplicated for authentication purposes.
The input for a particular hash algorithm has to have a fixed size.

A

The output is a fixed length.
The hash function is one way and irreversible.

160
Q

Which type of evidence cannot prove an IT security fact on its own?

hearsay
corroborative
best
indirect

A

indirect

Indirect evidence cannot prove a fact on its own, but direct evidence can. Corroborative evidence is supporting information. Best evidence is the most reliable because it is something concrete, such as a signed contract.

161
Q

What is a characteristic of a probabilistic analysis in an alert evaluation?

each event an inevitable result of antecedent causes
precise methods that yield the same result every time by relying on predefined conditions
random variables that create difficulty in knowing the outcome of any given event with certainty
analysis of applications that conform to application/networking standards

A

each event an inevitable result of antecedent causes

162
Q

Why would a network administrator choose Linux as an operating system in the Security Operations Center (SOC)?

It is easier to use than other server operating systems.
It can be acquired at no charge.
More network applications are created for this environment.
The administrator has control over specific security functions, but not standard applications.

A

The administrator has control over specific security functions, but not standard applications.

163
Q

A technician needs to verify file permissions on a specific Linux file. Which command would the technician use?

cd
sudo
ls -l
vi

A

ls -l

164
Q

Which two protocols may devices use in the application process that sends email? (Choose two.)

HTTP
POP
POP3
DNS
IMAP
SMTP
A

DNS
SMTP

POP, POP3, and IMAP are protocols that are used to retrieve email from servers. SMTP is the default protocol that is used to send email. DNS may be used by the sending email server to find the address of the destination email server. HTTP is a protocol for sending and receiving web pages.

165
Q

Which file system type was specifically created for optical disk media?

ext3
HFS+
CDFS
ext2

A

CDFS

166
Q

A piece of malware has gained access to a workstation and issued a DNS lookup query to a CnC server. What is the purpose of this attack?

to check the domain name of the workstation
to send stolen sensitive data with encoding
to masquerade the IP address of the workstation
to request a change of the IP address

A

to send stolen sensitive data with encoding

A piece of malware, after accessing a host, may exploit the DNS service by communicating with command-and-control (CnC) servers and then exfiltrate data in traffic disguised as normal DNS lookup queries. Various types of encoding, such as base64, 8-bit binary, and hex can be used to camouflage the data and evade basic data loss prevention (DLP) measures.

169
Q

According to information outlined by the Cyber Kill Chain, which two approaches can help identify reconnaissance threats? (Choose two.)

Analyze web log alerts and historical search data.
Audit endpoints to forensically determine origin of exploit.
Build playbooks for detecting browser behavior.
Conduct full malware analysis.
Understand targeted servers, people, and data available to attack.

A

Analyze web log alerts and historical search data.
Build playbooks for detecting browser behavior.

Threat actors may use port scanning toward a web server of an organization and identify vulnerabilities on the server. They may visit the web server to collect information about the organization. The web server logging should be enabled and the logging data should be analyzed to identify possible reconnaissance threats. Building playbooks by filtering and combining related web activities by visitors can sometimes reveal the intentions of threat actors.

170
Q

Which two ICMPv6 messages are used during the Ethernet MAC address resolution process? (Choose two.)

router solicitation
router advertisement
neighbor solicitation
neighbor advertisement
echo request
A

neighbor solicitation
neighbor advertisement

IPv6 uses neighbor solicitation (NS) and neighbor advertisement (NA) ICMPv6 messages for MAC address resolution.

171
Q

What best describes the destination IPv4 address that is used by multicasting?

a single IP multicast address that is used by all destinations in a group
an IP address that is unique for each destination in the group
a group address that shares the last 23 bits with the source IPv4 address
a 48 bit address that is determined by the number of members in the multicast group

A

a single IP multicast address that is used by all destinations in a group

The destination multicast IPv4 address is a group address, which is a single IP multicast address within the Class D range.

172
Q

What is the result of using security devices that include HTTPS decryption and inspection services?

The devices require continuous monitoring and fine tuning.
The devices introduce processing delays and privacy issues.
The devices must have preconfigured usernames and passwords for all users.
Monthly service contracts with reputable web filtering sites can be costly.

A

The devices introduce processing delays and privacy issues.

HTTPS adds extra overhead to HTTP packets. HTTPS encrypts using Secure Sockets Layer (SSL). Even though some devices can perform SSL decryption and inspection, this can introduce processing delays and privacy issues.

173
Q

What is a disadvantage of DDNS?

DDNS is considered malignant and must be monitored by security software.
DDNS is unable to co-exist on a network subdomain that also uses DNS.
Using free DDNS services, threat actors can quickly and easily generate subdomains and change DNS records.
Using DDNS, a change in an existing IP address mapping can take over 24 hours and could result in a disruption of connectivity.

A

Using free DDNS services, threat actors can quickly and easily generate subdomains and change DNS records.

175
Q

A threat actor has identified the potential vulnerability of the web server of an organization and is building an attack. What will the threat actor possibly do to build an attack weapon?

Obtain an automated tool in order to deliver the malware payload through the vulnerability.
Install a webshell on the web server for persistent access.
Create a point of persistence by adding services.
Collect credentials of the web server developers and administrators.

A

Obtain an automated tool in order to deliver the malware payload through the vulnerability.

One tactic of weaponization used by a threat actor after the vulnerability is identified is to obtain an automated tool to deliver the malware payload through the vulnerability.

176
Q

Which tool included in the Security Onion is a series of software plugins that send different types of data to the Elasticsearch data stores?

OSSEC
Curator
Beats
ElastAlert

A

Beats

177
Q

Which term is used to describe the process of identifying the NSM-related data to be gathered?

data archiving
data normalization
data reduction
data retention

A

data reduction

179
Q

According to NIST, which step in the digital forensics process involves preparing and presenting information that resulted from scrutinizing data?

examination
collection
reporting
analysis

A

reporting

NIST describes the digital forensics process as involving the following four steps:

Collection – the identification of potential sources of forensic data and acquisition, handling, and storage of that data
Examination – assessing and extracting relevant information from the collected data. This may involve decompression or decryption of the data
Analysis – drawing conclusions from the data. Salient features, such as people, places, times, events, and so on should be documented
Reporting – preparing and presenting information that resulted from the analysis. Reporting should be impartial and alternative explanations should be offered if appropriate

181
Q

Which two options are window managers for Linux? (Choose two.)

File Explorer
Kali
Gnome
PenTesting
KDE
A

Gnome
KDE

182
Q

What are the two methods that a wireless NIC can use to discover an AP? (Choose two.)

transmitting a probe request
sending an ARP request broadcast
initiating a three-way handshake
receiving a broadcast beacon frame
sending a multicast frame
A

transmitting a probe request
receiving a broadcast beacon frame

Two methods can be used by a wireless device to discover and register with an access point: passive mode and active mode. In passive mode, the AP sends a broadcast beacon frame that contains the SSID and other wireless settings. In active mode, the wireless device must be manually configured for the SSID, and then the device broadcasts a probe request.

183
Q

A client device has initiated a secure HTTP request to a web browser. Which well-known port address number is associated with the destination address?

110
80
443
404

A

443

Port numbers are used in TCP and UDP communications to differentiate between the various services running on a device. The well-known port number used by HTTPS is port 443.

184
Q

Which term describes evidence that is in its original state?

Corroborating evidence
Best evidence
Indirect evidence
Direct evidence

A

Best evidence

Evidence can be classified as follows:

Best evidence: This is evidence that is in its original state. It might be storage devices used by an accused or archives of files that can be proven to be unaltered.
Corroborating evidence: This is evidence that supports a proposition already supported by initial evidence, therefore confirming the original proposition.
Indirect evidence: This evidence acts in combination with other facts to establish a hypothesis.

185
Q

Which three statements describe a DHCP Discover message? (Choose three.)

The source MAC address is 48 ones (FF-FF-FF-FF-FF-FF).
The destination IP address is 255.255.255.255.
The message comes from a server offering an IP address.
The message comes from a client seeking an IP address.
All hosts receive the message, but only a DHCP server replies.
Only the DHCP server receives the message.

A

The destination IP address is 255.255.255.255.
The message comes from a client seeking an IP address.
All hosts receive the message, but only a DHCP server replies.

When a host configured to use DHCP powers up on a network it sends a DHCPDISCOVER message. FF-FF-FF-FF-FF-FF is the L2 broadcast address. A DHCP server replies with a unicast DHCPOFFER message back to the host.

187
Q

Which step in the Vulnerability Management Life Cycle categorizes assets into groups or business units, and assigns a business value to asset groups based on their criticality to business operations?

remediate
prioritize assets
report
assess

A

prioritize assets

191
Q

What are two functions that are provided by the network layer? (Choose two.)

directing data packets to destination hosts on other networks
placing data on the network medium
carrying data between processes that are running on source and destination hosts
providing dedicated end-to-end connections
providing end devices with a unique network identifier

A

directing data packets to destination hosts on other networks
providing end devices with a unique network identifier