DECK Flashcards
What is the attack vector used in a phishing attack?
A. Email
B. Phone
C. LAN
D. Modem
A. Email
A phishing attack is an email-based attack in which an email is sent to a user in hopes of convincing him to click on a link to a web site, which will appear to be a web site the user trusts. When the user logs into the fake site, the hacker collects his login credentials.
Some other common social engineering attacks are:
- Shoulder surfing - watching someone while they enter sensitive data.
- Tailgating - following someone through a door unlocked with someone else’s credentials.
- Vishing - a special type of phishing that uses VoIP.
- Whaling - a special type of phishing that targets a single power user.
Which of the following instances of malware was deliberately deployed against critical IT targets?
A. Heartbleed
B. Flame
C. Melissa
D. Michelangelo
B. Flame
Both the Flame and Stuxnet viruses are examples of cyber warfare, supposedly a part of the US cyberattack strategy codenamed Olympic Games. Discovered in 2012, Flame is a scanning and capture malware deployed across computers in the Middle East. Stuxnet, a coordinated multi-zero-day Windows exploit, is believed to have been used to degrade the nuclear program of Iran in 2010.
Heartbleed attacks web sites using TLS security, and is otherwise known as the OpenSSL heartbeat extension vulnerability.
Melissa was a mass-mailing macro virus that originated in Microsoft Word and spread through the victim's Outlook address book.
Michelangelo was a boot sector virus that launched annually on March 6. None of these attacks was targeted at a state or country's critical military infrastructure, so they are not considered cyber warfare.
Threat mitigation is a security control that best supports which of the following?
A. Defense in depth
B. Least privilege
C. Need to know
D. Dual control
A. Defense in depth
Defense in depth is a concept that prescribes the application of layers of security controls. One of those is performing threat mitigation, which reduces the attack surface of the organization.
Least privilege is a concept that should drive the granting of permissions and privileges. It calls for only granting the minimum privileges for the user to get his job done. It is not supported by threat mitigation.
Need to know is a concept that prescribes that information should only be revealed to those who need to know the information to do their job. It is not supported by threat mitigation.
Dual control is one application of the separation of duties concept, which calls for multiple users to be present to perform sensitive operations. It is not supported by threat mitigation.
Which of the following provides business partners with secure access to your network?
A. DMZ
B. Extranet
C. Intranet
D. Stuxnet
B. Extranet
An extranet is a logical portion of your network to which you allow access to other companies, vendors, or customers. You would place resources for these groups to access in your extranet. An extranet is created for the purpose of hosting resources for a specific group of outsiders, such as business partners or high-end clients. Access to an extranet is typically controlled by use of a VPN.
A demilitarized zone (DMZ) is a logical portion of the network that contains publicly accessible computers. That means it should contain no sensitive information and should be securely separated from the extranet and the intranet. Firewalls are used to protect local networks and create demilitarized zones (DMZs).
The intranet is the interior part of your network to which only authorized employees should have access. An intranet is a local area network (LAN) add-on that is restricted to certain users, usually a company’s employees. The data contained on it is usually private in nature. An extranet, on the other hand, has a wider boundary because it usually allows two or more companies to communicate and share private information.
Stuxnet is a computer virus and is not a type of network.
Which statement is true of symmetric key algorithms?
A. They are slower than asymmetric key
B. They use different keys on each end
C. They use the same key on both ends
D. They are typically used for key exchange
C. They use the same key on both ends
Symmetric key algorithms use the same key on both ends to encrypt and decrypt.
Symmetric key algorithms are not slower. They are actually faster than asymmetric algorithms.
Symmetric algorithms do not use different keys on each end. That is a characteristic of asymmetric algorithms.
Symmetric algorithms are not used for key exchange; they are used to encrypt data. Asymmetric algorithms are used for key exchange. In asymmetric encryption, which is sometimes referred to as public key encryption, a user creates a public key and a private key pair. The user distributes the public key and retains the private key. Another user can then use the distributed public key to encrypt a file before sending that file to the owner of the private key. The owner then uses the private key to decrypt the received file.
Which of the following is NOT a cloud service model?
A. SaaS
B. IaaS
C. PaaS
D. GaaS
D. GaaS
There is no cloud service model that uses the acronym GaaS.
Software as a Service (SaaS) is a model that delivers an entire solution including the infrastructure, platform, and the application.
Infrastructure as a Service (IaaS) is a model that delivers only the hardware and access to the hardware to the customer. The customer is responsible for managing applications, data, runtime, middleware, and OSes.
Platform as a Service (PaaS) is a model that delivers the hardware and software required to use the platform as a development environment.
What command could you use to determine if a read-only string was used to attempt a write operation?
A. show snmp host
B. show snmp community
C. show snmp location
D. show snmp
D. show snmp
The show snmp command can be used. Below is a partial output of the command:
Router# show snmp
Chassis: 12161083
0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    5 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    0 Get-next PDUs
    0 Set-request PDUs
    0 Input queue packet drops (Maximum queue size 1000)
0 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Response PDUs
    0 Trap PDUs
In the above output, you would look only at the line with a value of 5 (Illegal operation for community name supplied) to find this information.
The show snmp host command displays details such as IP address of the Network Management System (NMS), notification type, SNMP version, and the port number of the NMS. It does not show illegal operations related to the community string.
The show snmp location command displays the snmp-server location. It does not show illegal operations related to the community string.
The show snmp community command displays the Simple Network Management Protocol (SNMP) community access strings. It does not show illegal operations related to the community string.
Examine the following output:
Router > show clock detail
15:29:03.158 PST Mon Mar 3 2015
Time source is NTP
Which of the following statements is true?
A. The time is user configured
B. The time is authoritative and the time source is NTP
C. The time source is not authoritative
D. The time source is a hardware clock
B. The time is authoritative and the time source is NTP
The output indicates the time is authoritative and the time source is an NTP server. The time source will be listed in the output (in this case NTP), and the area to the left of the listed time will indicate one of three conditions:
- Time is not authoritative: an asterisk (*)
- Time is authoritative: blank
- Time is authoritative, but NTP is not synchronized: a period (.)
In this case, there is nothing to the left of the time (it is blank), which indicates the time is authoritative.
The output does not indicate that the time source is user configured. If that were the case, it would be listed as below, stating this fact.
Router > show clock detail
*15:29:03.158 PST Mon Mar 3 2015
Time source is user configured
The output does not indicate that the time source is not authoritative. If that were the case, it would be listed as below with an asterisk before the time, indicating the time is not authoritative.
Router > show clock detail
*15:29:03.158 PST Mon Mar 3 2015
Time source is NTP
The output does not indicate that the time source is a hardware clock. If that were the case, it would be listed as below, stating this fact.
Router > show clock detail
*15:29:03.158 PST Mon Mar 3 2015
Time source is hardware calendar
Which task can be completed on the AAA Summary page of CCP?
A. Create AAA server groups
B. Create policies to control authentication
C. Configure AAA servers
D. Enable AAA
D. Enable AAA
The only listed task that can be performed on this page is to enable AAA. In the screenshot below you can see it has the Enable AAA button.
See screen shot CCP_aaa-enable-1.jpg
Which statement is FALSE with regard to the Cisco ACS?
A. ACS servers can be clustered
B. ACS servers cannot support multiple Active Directory forests
C. ACS can use multiple authorization profiles to allow or deny requests
D. ACS allows for the disabling of NetBIOS
B. ACS servers cannot support multiple Active Directory forests
One of the new features of ACS for Windows 4.2 is the ability to support multiple AD forests.
ACS servers can be clustered to provide scalability.
ACS servers can use multiple profiles when allowing or denying traffic.
Another new feature of ACS 4.2 for Windows is the ability to disable NetBIOS.
Which of the following must be installed on a wireless Windows device to make remote locking of the device possible with ISE?
A. NAC agent for Windows
B. NAC Web Agent
C. Cisco Agent Desktop
D. Cisco Security Agent
A. NAC agent for Windows
The Network Access Control (NAC) agent for Windows must be installed. This agent installs and remains on the client and must be present to accept a remote wipe or remote lock.
The NAC Web Agent only provides temporal posture assessment and, as such, does not install itself on the device. Therefore, it cannot be used for this purpose.
The Cisco Agent Desktop is a computer telephony integration (CTI) solution for single- and multisite IP-based contact centers. It has nothing to do with ISE.
The Cisco Security Agent is an endpoint intrusion prevention system agent and has nothing to do with ISE.
Which of the following commands will result in maintaining a record of failed authentication attempts?
A. aaa accounting commands 15 ACCCMDS stop-only group tacacs+
B. aaa accounting commands 15 ACCCMDS start-stop group tacacs+ groups radius
C. aaa accounting commands 15 ACCCMDS none group tacacs+ groups radius
D. aaa accounting commands 15 ACCCMDS stop group tacacs+ groups radius
A. aaa accounting commands 15 ACCCMDS stop-only group tacacs+
The only listed command that will result in the maintaining of a record of failed authentication attempts is:
aaa accounting commands 15 ACCCMDS stop-only group tacacs+
This command includes the parameter stop-only. This parameter will record the end of processes, which will include failed authentications.
The command aaa accounting commands 15 ACCCMDS start-stop group tacacs+ groups radius uses the start-stop parameter, which records the start and stop of processes. However, it only records authenticated processes, so it will not record failed authentications.
The command aaa accounting commands 15 ACCCMDS none group tacacs+ groups radius uses the parameter none, which disables accounting services on a line or interface.
The command aaa accounting commands 15 ACCCMDS stop group tacacs+ groups radius uses the parameter stop, which is not a valid parameter with the accounting command.
When EAP-FAST is deployed, what is the function of the PAC?
A. Authenticates the device
B. Establishes the secured tunnel
C. Authenticates the user
D. Performs mutual authentication
B. Establishes the secured tunnel
The Protected Access Credential (PAC) is used to establish a secure tunnel prior to the authentication process. This allows it to support the use of passwords rather than certificates, while still protecting the passwords.
The PAC is not used to authenticate either the user or the device. EAP-GTC, TLS, and MS-CHAP are supported as inner authentication EAP methods.
The PAC does not perform mutual authentication. It merely is used to establish the secure tunnel.
Your assistant configured the default ACL to apply to Access layer switches. It is intended to allow wired BYOD devices to supply valid credentials and connect to the network:
Extended IP access list ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps log
20 permit udp any host 10.230.1.45 eq domain
30 permit icmp any any
50 deny ip any any log
Once implemented, how does this ACL affect wired BYOD devices?
A. It does not allow SSL, which is required.
B. It does not allow DNS, which is required.
C. It allows ICMP, which interferes with the process.
D. It does not allow TFTP, which is required.
E. It allows wired BYOD devices to connect to the network.
D. It does not allow TFTP, which is required.
This ACL will not allow TFTP, which is required. There are three protocols that, according to best practices, should be allowed in this list. They are:
- BOOTP
- TFTP
- DNS
This line would add the required configuration to permit TFTP:
permit udp any any eq tftp
SSL is not required for this connection type, so blocking it will not be an issue.
DNS is required, but line 20 permits DNS as shown below:
20 permit udp any host 10.230.1.45 eq domain
Which feature is enabled with the following command?
R2(config)# same-security-traffic permit intra-interface
A. NAT
B. Hairpinning
C. Split Tunneling
D. NAT traversal
B. Hairpinning
The same-security-traffic permit intra-interface global configuration command enables hairpinning. In hairpinning, IPSec-protected traffic from a VPN client is sent to another VPN user by allowing such traffic in and out of the same interface.
In the ASDM, you can enable hairpinning on the Configuration page. To do so, highlight the interface to be enabled for the feature and select the check box at the bottom of the screen that says “Enable traffic between two or more hosts connected to the same interface” as shown below: (see screen shot 210-260_2-hairpin.jpg)
The command does not enable Network Address Translation (NAT). Enabling NAT requires multiple steps, the specifics of which depend on the type of NAT to be deployed.
The command does not enable split tunneling. Split tunneling allows a VPN client to access the Internet directly without using the VPN, while using the VPN only to access specified subnets in the Intranet. It involves creating an ACL that specifies the network destinations that should use the VPN, specifying a split tunnel mode, and adding it to the policy controlling the VPN connection. On the ASDM, this is added to the policy, as shown below. In this case, there is a list named Split_Tunnel_List that specifies the only network destinations that should use the VPN. (see screen shot 210-260_3-split_tunnel.jpg)
The command does not enable NAT traversal. NAT traversal makes it possible to send IPsec traffic through a NAT interface. When NAT Traversal or NAT-T is used to allow IPsec to function in a NAT environment, IPsec traffic is encapsulated in UDP packets that are sourced from UDP port 4500. This is why part of the configuration of NAT-T is to create an ACL that allows traffic through UDP port 4500. The configuration is shown below:
ASA(config)# crypto isakmp nat-traversal
Examine the command string:
ASA(config)# group-policy sales attributes
ASA(config-group-policy)# webvpn
ASA(config-group-policy)# anyconnect keep-installer installed none
What will be the result of executing the commands?
A. All VPN users will experience a longer connection time.
B. AnyConnect VPN users under the sales policy will experience slower connection times.
C. All AnyConnect clients will have a faster connection time.
D. All VPN users will experience a shorter connection time.
B. AnyConnect VPN users under the sales policy will experience slower connection times.
With these commands executed, all AnyConnect VPN users under the sales policy will experience slower connection times. This is because the anyconnect keep-installer none command prevents the permanent installation of the AnyConnect client. This means the client will be downloaded at every connection, slowing the connection time.
It will not cause all VPN users to experience a longer connection time. Only AnyConnect users that are controlled by the Sales policy will have an issue. The fact that the command was executed after entering configuration mode for the Sales policy limits it to the Sales policy, and since the webvpn command was executed as well, that restricts it to AnyConnect clients.
It will not cause all AnyConnect clients to have a faster connection time. If the setting were left at the default, the client would install permanently the first time and subsequent connections would be faster. Moreover, this command will not affect all AnyConnect clients, but only those controlled by the Sales policy.
It will not cause all VPN users to experience a shorter connection time. For one, it only applies to AnyConnect clients controlled by the Sales policy. Secondly, it causes connections to be slower, not faster.
Which of the following must be completed before you download the RDP plug-in in a VPN gateway?
A. Install the VNC plug-in.
B. Add a bookmark entry to display a link to the server.
C. Enable clientless SSL VPN on an interface.
D. Specify SSO
C. Enable clientless SSL VPN on an interface.
One of the prerequisites of installing the RDP plug-in is that clientless SSL VPN must be enabled on an interface. The RDP plug-in makes it possible to advertise an RDP menu option in the portal web page that clientless SSL VPN users arrive at after authentication. If the RDP plug-in is not present, users will not have the RDP menu option presented to them.
It is not required to install the VNC plug-in. While this is one of the plug-ins that is available to install, it is not related in any way to the RDP plug-in.
You do need to add a bookmark entry to display the link to the server, but it does not have to be done prior to installing the RDP plug-in. This bookmark is what directs the user to the portal page.
You also need to specify single sign on (SSO), but it is done when you add the bookmark and does not need to be done prior to installing the RDP plug-in.
What command generated the following output?
IOS resilience router id JMX0704L5GH
IOS image resilience version 12.3 activated at 08:16:51 UTC Sun Jun 16 2002
Secure archive slot0:c3745-js2-mz type is image (elf) []
file size is 25469248 bytes, run size is 25634900 bytes
Runnable image, entry point 0x80008000, run from ram
IOS configuration resilience version 12.3 activated at 08:17:02 UTC Sun Jun 16 2002
Secure archive slot0:.runcfg-20020616-081702.ar type is config
configuration archive size 1059 bytes
A. show secure bootset
B. secure boot-image
C. secure boot-config
D. show secure config
A. show secure bootset
The output is from the show secure bootset command. This command verifies and displays the name of the hidden image and of the configuration file for configuration resilience. IOS Resilient Configuration is a feature that allows you to secure a copy of both the IOS and the startup configuration file that cannot be seen by using the dir command. Resilient Configuration makes it much easier to recover from a security event in which both original versions have been deleted. If that occurs, restoring from these copies is much faster than restoring the IOS and configuration file from backup on the network.
The secure boot-image command is used to create the hidden backup copy of the IOS. Once this command is executed, the IOS image will no longer appear when you execute the dir command unless you run it from ROMMON mode. Moreover, this feature cannot be disabled unless you are connected to the console port.
The secure boot-config command is used to create the hidden copy of the configuration file.
There is no Cisco command show secure config.
Which of the following is NOT a function of the session management path?
A. Performing access list checks
B. Performing route lookups
C. Allocating new NAT translations
D. Checking TCP sequence numbers
D. Checking TCP sequence numbers
Checking TCP sequence numbers is not a function of the session management path. Packets undergoing stateful inspection are subjected to the session management path, and these are always new packets. Packets that are part of existing connections are sent on the “fast” path. On the “fast” path, the following functions may be performed:
- IP checksum verification
- Session lookup
- TCP sequence number check
- NAT translations based on existing sessions
- Layer 3 and Layer 4 header adjustments
All packets that are new packets (new conversations) will go through the session management path first. After session establishment, subsequent packets will go to the fast path. Functions performed in the session management path are:
- Performing the access list checks
- Performing route lookups
- Allocating NAT translations (new)
- Establishing sessions in the “fast path”
Which of the following components is the target when a CDP DoS attack is launched?
A. CAM table
B. MAC address table
C. CDP table
D. TCAM table
C. CDP table
A Cisco Discovery Protocol (CDP) DoS attack floods the CDP table, taking the switch offline and making it unreachable until the attack stops. Along with the fact that CDP frames are in clear text and contain lots of useful information for hackers, many administrators choose to disable CDP. This is an unfortunate situation, as CDP also provides useful error messages to the console about misconfigurations such as duplex mismatches on interfaces.
The Content Addressable Memory (CAM) table is not the target of CDP attacks, but it can be a target of a different attack. The CAM table, more commonly known as the MAC address table, can hold a limited number of MAC address to port mappings. A CAM overflow occurs when a hacker sends many fake MAC addresses to a port, causing the table to eventually fill. When that occurs, the switch will start forwarding all frames out of all ports.
The MAC address table is not the target of CDP attacks. This is simply another name for the CAM table.
The Ternary Content Addressable Memory (TCAM) table is not the target of CDP attacks. This table is related to the CAM table. These tables are found on multilayer switches. The TCAM table is an extension of the CAM table and allows a packet to be evaluated against an entire access list in a single table lookup.
When a switch configured with root guard receives a superior BPDU, how will the switch react?
A. The interface on which it was received will enter a root inconsistent state.
B. All interfaces will enter a blocked state.
C. The interface on which it was received will shut down.
D. The switch will relinquish its role as root bridge.
A. The interface on which it was received will enter a root inconsistent state.
When a switch configured with root guard receives a superior BPDU, the interface on which the superior BPDU was received will enter a root inconsistent state. In this state no traffic will be passed, which will allow the switch to maintain its root bridge status. Recovery occurs as soon as the offending device ceases to send superior BPDUs. Bridge Protocol Data Units (BPDU) are used by switches to communicate STP information. A superior BPDU is one that indicates that the sending switch has a lower priority than the current root bridge.
It will not result in all interfaces entering a blocked state. The purpose of root guard is not to isolate the root bridge but to prevent the reception of the superior BPDUs.
The interface on which it was received will not shut down. No traffic will be passed. Recovery occurs as soon as the offending device ceases to send superior BPDUs.
The switch will not relinquish its role as root bridge. The entire purpose of root guard is to ensure the current root bridge remains the root bridge.
Which of the following statements is FALSE with respect to PVLANs?
A. A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs.
B. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains.
C. Private VLANs can span multiple switches.
D. VTP version 2 supports private VLANs.
D. VTP version 2 supports private VLANs.
Neither VTP version 1 nor version 2 supports private VLANs. This means if you need private VLANs to span switches, you must manually create the private VLAN on each switch.
A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains. The primary VLAN will include all devices in the Layer 3 subnet, while each PVLAN within the primary VLAN will be separated at Layer 2.
A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs.
Private VLANs can span multiple switches; however, you must manually create the PVLAN on each switch. You cannot use VTP to accomplish this.
Note: VTP version 3 does support advertising PVLANs now.
Which of the following is an alternative to using port forwarding that offers better performance for Clientless SSL VPN connections?
A. Smart Tunnels
B. Tunnel Groups
C. GRE Tunnels
D. Port Triggering
A. Smart Tunnels
Smart tunnels are a feature that can provide seamless access for native client-server applications running on devices that use clientless SSL VPN connections. They are configured as a list of applications that are allowed to use the clientless SSL VPN connection. They require no administrative privileges on the part of the client and offer better performance than utilizing port forwarding to accomplish the same goal.
Tunnel groups are not used as an alternative to port forwarding. They are used to specify details that apply to groups of users and use a group policy to define those details.
Generic Routing Encapsulation (GRE) tunnels are not used as an alternative to port forwarding. These are general purpose tunnels used to carry a traffic type across a network that doesn't support the traffic type (for example, IPv6 traffic across an IPv4 network).
Port triggering is not used as an alternative to port forwarding. Port forwarding redirects a communication request from one IP address and port number combination to another while the packets are traversing a network gateway. By contrast, port triggering opens an incoming port when the user’s computer is using a specified outgoing port for specific traffic.
You need to provide separation between business units in your network. Which feature on the ASA would allow you to do this?
A. Security Contexts
B. Cisco MPF
C. Interface Security Levels
D. SPAN
A. Security Contexts
Security contexts can be used to provide this separation. Security contexts operate as separate virtual firewalls in the same physical ASA. These contexts can each have their own interfaces and configuration.
Cisco Modular Policy Framework (MPF) cannot be used to provide this separation. Modular Policy Framework is a command framework that can be used to create security policies for multiple features, including TCP and general connection settings, inspections, IPS, CSC, and QoS.
Interface security levels cannot be used to provide this separation. Interface security levels are used to specify the relative security of multiple interfaces on the ASA. Once these levels are established, they are used to control the behavior of various features in the ASA, such as filtering inspection and NAT.
The Switched Port Analyzer (SPAN) feature cannot be used to provide this separation. This feature enables the copying of all frames on all ports on a switch to a port configured for SPAN. It is usually used to allow a sniffer to capture all frames on a switch.