CyberOps Associate (Version 1.

0) – Modules 1 – 2: Threat Actors and Defenders Group Exam Answers

1. Which personnel in a SOC is assigned the task of verifying  people
whether an alert triggered by monitoring software represents a  database engine
true security incident? 9. Which KPI metric does SOAR use to measure the time
 Tier 1 personnel required to stop the spread of malware in the network?
 Tier 2 personnel  MITR
 Tier 3 personnel  Time to Control
 SOC Manager  MITC
2. After a security incident is verified in a SOC, an incident  MTTD
responder reviews the incident but cannot identify the source of 10. Which three technologies should be included in a SOC
the incident and form an effective mitigation procedure. To security information and event management system? (Choose
whom should the incident ticket be escalated? three.)
 the SOC manager to ask for other personnel to be  security monitoring
assigned
 threat intelligence
 an alert analyst for further analysis
 proxy service
 a cyberoperations analyst for help
 firewall appliance
 a SME for further investigation
3. Which two services are provided by security operations
 intrusion prevention
centers? (Choose two.)  log management
 responding to data center physical break-ins 11. The term cyber operations analyst refers to which group of
personnel in a SOC?
 monitoring network security threats
 Tier 1 personnel
 managing comprehensive threat solutions
 Tier 3 personnel
 ensuring secure routing packet exchanges
 Tier 2 personnel
 providing secure Internet connections
4. Which organization is an international nonprofit
 SOC managers
12. How does a security information and event management
organization that offers the CISSP certification?
system (SIEM) in a SOC help the personnel fight against
 CompTIA security threats?
 (ISC)2  by analyzing logging data in real time
 IEEE  by combining data from multiple technologies
 GIAC  by integrating all security devices and appliances in an
5. What is a benefit to an organization of using SOAR as part of organization
the SIEM system?
 by dynamically implementing firewall rules
 SOAR was designed to address critical security events 13. What job would require verification that an alert represents
and high-end investigation. a true security incident or a false positive?
 SOAR would benefit smaller organizations because it  Alert Analyst
requires no cybersecurity analyst involvement once
installed.
 Threat Hunter
 SOAR automates incident investigation and responds  SOC Manager
to workflows based on playbooks.  Incident Reporter
 SOAR automation guarantees an uptime factor of “5 14. When a user turns on the PC on Wednesday, the PC
displays a message indicating that all of the user files have been
nines”.
locked. In order to get the files unencrypted, the user is
6. Which personnel in a SOC are assigned the task of hunting
supposed to send an email and include a specific ID in the email
for potential threats and implementing threat detection tools?
title. The message also includes ways to buy and submit bitcoins
 Tier 3 SME as payment for the file decryption. After inspecting the
 Tier 2 Incident Reporter message, the technician suspects a security breach occurred.
 Tier 1 Analyst What type of malware could be responsible?
 SOC Manager  Trojan
7. An SOC is searching for a professional to fill a job opening.  spyware
The employee must have expert-level skills in networking,  adware
endpoint, threat intelligence, and malware reverse engineering
in order to search for cyber threats hidden within the network.
 ransomware
15. An employee connects wirelessly to the company network
Which job within an SOC requires a professional with those
using a cell phone. The employee then configures the cell phone
skills?
to act as a wireless access point that will allow new employees to
 Incident Responder connect to the company network. Which type of security threat
 Alert Analyst best describes this situation?
 SOC Manager  rogue access point
 Threat Hunter  cracking
8. Which three are major categories of elements in a security  spoofing
operations center? (Choose three.)
 denial of service
 technologies
 Internet connection
 processes
 data center
16. Match the SOC metric to the description. (Not all options
are used.)
17. A group of users on the same network are all complaining
about their computers running slowly. After investigating, the
technician determines that these computers are part of a
zombie network. Which type of malware is used to control these
computers?
 botnet
 spyware
 virus
 rootkit
18. Which statement describes cyberwarfare?
 It is Internet-based conflict that involves the
penetration of information systems of other nations.
 It is simulation software for Air Force pilots that allows
them to practice under a simulated war scenario.
 Cyberwarfare is an attack carried out by a group of script
kiddies.
 It is a series of personal protective equipment developed
for soldiers involved in nuclear war
19. Why do IoT devices pose a greater risk than other
computing devices on a network?
 Most IoT devices do not receive frequent firmware
updates.
 Most IoT devices do not require an Internet connection
and are unable to receive new updates.
 IoT devices cannot function on an isolated network with
only an Internet connection.
 IoT devices require unencrypted wireless connections.
20. What are two examples of personally identifiable
information (PII)? (Choose two.)
 first name
 IP address
 language preference
 street address
 credit card number
21. What is the dark web?
 It is a website that reports the most recent activities of
cybercriminals all over the world.
 It is a website that sells stolen credit cards.
 It is part of the internet where a person can obtain
personally identifiable information from anyone for free
 It is part of the internet that can only be accessed with
special software.
22. A company has just had a cybersecurity incident. The threat
actor appeared to have a goal of network disruption and
appeared to use a common security hack tool that overwhelmed
a particular server with a large amount of traffic. This traffic
rendered the server inoperable. How would a certified
cybersecurity analyst classify this type of threat actor?
 terrorist
 hacktivist
 state-sponsored
 amateur
23. A user calls the help desk complaining that the password to
access the wireless network has changed without warning. The
user is allowed to change the password, but an hour later, the
same thing occurs. What might be happening in this situation?
 rogue access point
 password policy
 weak password
 user error
 user laptop
24. Which regulatory law regulates the identification, storage,
and transmission of patient personal healthcare information?
 FISMA
 HIPAA
 PCI-DSS
 GLBA
25. A worker in the records department of a hospital
accidentally sends a medical record of a patient to a printer in
another department. When the worker arrives at the printer,
the patient record printout is missing. What breach of
confidentiality does this situation describe?
 EMR
 PII
 PSI
 PHI
26. Which cyber attack involves a coordinated attack from a
botnet of zombie computers?
 DDoS
 MITM
 address spoofing
 ICMP redirect
27. What is the main purpose of cyberwarfare?
 to protect cloud-based data centers
 to develop advanced network devices
 to gain advantage over adversaries
 to simulate possible war scenarios among nations
28. What type of cyberwarfare weapon was Stuxnet?
 botnet
 virus
 worm
 ransomware
29. Which example illustrates how malware might be
concealed?
 A hacker uses techniques to improve the ranking of a
website so that users are redirected to a malicious site.
 An attack is launched against the public website of an
online retailer with the objective of blocking its response
to visitors.
 A botnet of zombies carry personal information back to
the hacker.
 An email is sent to the employees of an organization
with an attachment that looks like an antivirus update,
but the attachment actually consists of spyware.
30. What websites should a user avoid when connecting to a free
and open wireless hotspot?
 websites to check account fees
  websites to check product details
 websites to check stock prices
 websites to make purchases
31. In a smart home, an owner has connected many home
devices to the Internet, such as the refrigerator and the coffee
maker. The owner is concerned that these devices will make the
wireless network vulnerable to attacks. What action could be
taken to address this issue?
 Configure mixed mode wireless operation.
 Install the latest firmware versions for the devices.
 Assign static IP addresses to the wireless devices.
 Disable the SSID broadcast.
 CyberOps
1. When a user makes changes Associate
to the settings(Version
of a Windows  root
1.0) – Modules 3 – 4: Operating System
userOverview Group Exam
system, where are these changes stored? 13. Match the commonly used ports on a Linux server with the
corresponding service.
 win.ini
 Control Panel
 boot.ini  SMTP: 25
 Registry  DNS: 53
2. Which user account should be used only to perform system  HTTPS: 443
management and not as the account for regular use?
 SSH: 22
 TELNET: 23
 guest 14. Match typical Linux log files to the function.
 power user
 standard user  used by RedHat and CentOS computers and tracks
 administrator authentication-related events: /var/log/secure
3. What is the purpose of entering the netsh command on a  contains generic computer activity logs, and is used to
Windows PC? store informational and noncritical system
messages: /var/log/messages
 to configure networking parameters for the PC  stores information related to hardware devices and their
 to change the computer name for the PC drivers: /var/log/dmesg
 to create user accounts  used by Debian and Ubuntu computers and stores all
 to test the hardware devices on the PC authentication-related events: /var/log/auth.log
4. Which type of Windows PowerShell command performs an 15. Which type of tool allows administrators to observe and
action and returns an output or object to the next command understand every detail of a network transaction?
that will be executed?
8. Which Linux command can be used to display the name of  log manager
the current working directory?  malware analysis tool
 ticketing system
 sudo  packet capture software
 ps 16. Match the Linux command to the function. (Not all options
 pwd are used.)
 chmod
9. Consider the result of the ls -l command in the Linux output  Displays the name of the current working directory: pwd
below. What are the file permissions assigned to the sales user  runs a command as another user: sudo
for the analyst.txt file?
 modifies file permissions: chmod
 shuts down the system: Empty
 write only  lists the processes that are currently running: ps
 read, write 17. What are two advantages of the NTFS file system compared
 read only with FAT32? (Choose two.)
 read, write, execute
10. A Linux system boots into the GUI by default, so which  NTFS is easier to configure.
application can a network administrator use in order to access
 NTFS supports larger files.
the CLI environment?
 NTFS allows faster formatting of drives.
 NTFS allows the automatic detection of bad sectors.
 system viewer
 NTFS allows faster access to external peripherals such as
 file viewer a USB drive.
 package management tool  NTFS provides more security features.
 terminal emulator 18. Why is Kali Linux a popular choice in testing the network
11. What is the well-known port address number used by DNS security of an organization?
to serve requests?
 It is a network scanning tool that prioritizes security risks.
 25  It is an open source Linux security distribution
 53 containing many penetration tools.
 110  It can be used to test weaknesses by using only malicious
 60 software.
12. Which user can override file permissions on a Linux  It can be used to intercept and log network traffic.
computer? 19. Match the octal value to the file permission description in
Linux. (Not all options are used.)
 any user that has ‘group’ permission to the file
 only the creator of the file  write only ~~> 010
 any user that has ‘other’ permission to the file  read and execute ~~> 101
  read and write ~~> 110
 execute only ~~> 001
 write and execute ~~> NOT SCORED
 no access ~~> 000
20. A PC user issues the netstat command without any options.
What is displayed as the result of this command?
 a historical list of successful pings that have been sent
 a list of all established active TCP connections
 a network connection and usage report
 a local routing table
21. Which two commands could be used to check if DNS name
resolution is working properly on a Windows PC? (Choose
two.)
 nslookup cisco.com
 net cisco.com
 ipconfig /flushdns
 nbtstat cisco.com
 ping cisco.com
22. A technician has installed a third party utility that is used to
manage a Windows 7 computer. However, the utility does not
automatically start whenever the computer is started. What can
the technician do to resolve this problem?
 Set the application registry key value to one.
 Use the Add or Remove Programs utility to set program
access and defaults.
 Change the startup type for the utility to Automatic in
Services .
 Uninstall the program and then choose Add New
Programs in the Add or Remove Programs utility to
install the application.
23. Which statement describes the function of the Server
Message Block (SMB) protocol?
 It is used to stream media contents.
 It is used to manage remote PCs.
 It is used to compress files stored on a disk.
 It is used to share network resources.
24. What is the purpose of using the net accounts command in
Windows?
 to display information about shared network resources
 to show a list of computers and network devices on the
network
 to start a network service
 to review the settings of password and logon
requirements for users
25. Match the Windows 10 boot sequence after the boot
manager (bootmgr.exe) loads.
 Step one: The Windows boot loader Winload.exe loads
 Step two: Ntosknl.exe and hal.dll are loaded
 Step three: Winload.exe reads the registry, chooses a
hardware profile, and loads the device drivers.
 Step four: Ntoskrnl.exe takes over the process.
 Step five: Winlogon.exe is loaded and excutes the logon
process.
26. A user creates a file with .ps1 extension in Windows. What
type of file is it?
 PowerShell function
 PowerShell cmdlet
 PowerShell documentation
 PowerShell script
27. A user logs in to Windows with a regular user account and
attempts to use an application that requires administrative
privileges. What can the user do to successfully use the
application?
 Right-click the application and choose Run as Priviledge .
 Right-click the application and choose Run as Superuser .
 Right-click the application and choose Run as
Administrator .
 Right-click the application and choose Run as root .
28. An IT technician wants to create a rule on two Windows 10
computers to prevent an installed application from accessing
the public Internet. Which tool would the technician use to
accomplish this task?
 Local Security Policy
 Computer Management
 Windows Defender Firewall with Advanced Security
 DMZ
29. Match the Windows command to the description.
 renames a file ~~> ren
 creates a new directory ~~> mkdir
 changes the current directory ~~> cd
 lists files in a directory ~~> dir
30. What technology was created to replace the BIOS program
on modern personal computer motherboards?
 UEFI
 MBR
 CMOS
 RAM
31. Match the Linux system component with the description.
(Not all options are used.)
 CLI : a text based interface that accepts user commands
 shell : a program that interprets and executes user
commands
 daemon : a background process that runs without the
need for user interaction
 (Empty) : a program that manages CPU and RAM
allocation to processes, system calls, and file systems
32. What is the outcome when a Linux administrator enters the
man man command?
 The man man command configures the network interface
with a manual address
 The man man command opens the most recent log file
 The man man command provides a list of commands
available at the current prompt
 The man man command provides documentation
about the man command
33. Match the description to the Linux term. (Not all options
are used.)
  a type of file that is a reference to another file or  Enforce the password history mechanism.
directory ~~> symlink  Update patches on a strict annual basis irrespective of
 a running background process that does not need user release date.
interaction ~~> daemon  Ensure physical security.
 protecting remote access ~~> hardening
 (Empty) ~~>logging
34. Why is Linux considered to be better protected against
malware than other operating systems? CyberOps Associate (Version 1.0) – Modules 5 – 10: Network
Fundamentals Group Exam
1. A host is transmitting a broadcast. Which host or hosts will
 customizable penetration and protection tools receive it?
 fewer deployments  the closest neighbor on the same network
 file system structure, file permissions, and user  all hosts in the same network
account restrictions
 all hosts on the Internet
 integrated firewall  a specially defined group of hosts
35. Match the commonly used ports on a Linux server with the
2. Which statement describes a characteristic of cloud
corresponding service. (Not all options are used.)
computing?
 Applications can be accessed over the Internet by
36. Match the Windows system tool with the description. (Not individual users or businesses using any device,
all options are used.) anywhere in the world.
 Devices can connect to the Internet through existing
electrical wiring.
 Registry : a hierarchical database of all system and  Investment in new infrastructure is required in order to
user information access the cloud.
 Windows Firewall : selectively denies traffic on  A business can connect directly to the Internet without the
specified interfaces use of an ISP.
 PowerShell : a CLI environment used to run scripts 3. A network administrator can successfully ping the server at
and automate tasks www.cisco.com, but cannot ping the company web server
located at an ISP in another city. Which tool or command
 Event Viewer : maintains system logs
would help identify the specific router where the packet was
 (Empty) : provides information on system resources lost or delayed?
and processes
 netstat
 (Empty) : provides virus and spyware protection
 telnet
37. In the Linux shell, which character is used between two
commands to instruct the shell to combine and execute these  ipconfig
two commands in sequence?  traceroute
4. What type of information is contained in an ARP table?
 $
 domain name to IP address mappings
 #
 switch ports associated with destination MAC addresses
 %
 routes to reach destination networks
 |
 IP address to MAC address mappings
5. Match the characteristic to the protocol category. (Not all
38. Which Windows tool can be used by a cybersecurity
options are used.)
administrator to secure stand-alone computers that are not part
of an active directory domain?
TCP:
 3-wayhandshake
 PowerShell  window size
 Windows Defender UDP:
 Windows Firewall  connectionless
 Local Security Policy  best for VoIP
39. Why would a network administrator choose Linux as an Both UDP and TCP:
operating system in the Security Operations Center (SOC)?  Port number
 checksum
 It is easier to use than other operating systems. 6. When a wireless network in a small office is being set up,
 More network applications are created for this which type of IP addressing is typically used on the networked
environment. devices?
 It is more secure than other server operating systems.  private
 The administrator has more control over the operating  public
system.  network
40. Which two methods can be used to harden a computing  wireless
device? (Choose two.) 7. Which two parts are components of an IPv4 address?
(Choose two.)
 Allow default services to remain enabled.  logical portion
 Allow USB auto-detection.  host portion
  broadcast portion  host unreachable
 subnet portion 16. Which two commands can be used on a Windows host to
 network portion display the routing table? (Choose two.)
 physical portion  netstat -r
8. Match each IPv4 address to the appropriate address  show ip route
category. (Not all options are used.)  netstat -s
 route print
host address:  tracert
 192.168.100.161/25 17. What is the full decompressed form of the IPv6 address
 203.0.113.100/24 2001:420:59:0:1::a/64?
network address:  2001:4200:5900:0:1:0:0:a000
 10.10.10.128/25  2001:0420:0059:0000:0001:0000:000a
 172.110.12.64/28  2001:0420:0059:0000:0001:000a
broadcast address:  2001:0420:0059:0000:0001:0000:0000:000a
 192.168.1.191/26  2001:420:59:0:1:0:0:a
 10.0.0.159/27  2001:4200:5900:0000:1000:0000:0000:a000
9. A cybersecurity analyst believes an attacker is spoofing the 18. A user issues a ping 2001:db8:FACE:39::10 command and
MAC address of the default gateway to perform a man-in-the- receives a response that includes a code of 2 . What does this
middle attack. Which command should the analyst use to view code represent?
the MAC address a host is using to reach the default gateway?
 host unreachable
 route print
 port unreachable
 ipconfig /all
 network unreachable
 netstat -r
 protocol unreachable
 arp -a 19. What message informs IPv6 enabled interfaces to use
10. A user sends an HTTP request to a web server on a remote stateful DHCPv6 for obtaining an IPv6 address?
network. During encapsulation for this request, what
information is added to the address field of a frame to indicate
 the ICMPv6 Router Solicitation
the destination?  the DHCPv6 Advertise message
 the network domain of the destination host  the DHCPv6 Reply message
 the MAC address of the destination host  the ICMPv6 Router Advertisement
 the IP address of the default gateway 20. Refer to the exhibit. From the perspective of users behind
the NAT router, what type of NAT address is 209.165.201.1?
 the MAC address of the default gateway
11. What addresses are mapped by ARP?
 inside global
 destination IPv4 address to the source MAC address  inside local
 destination MAC address to a destination IPv4  outside global
address  outside local
 destination MAC address to the source IPv4 address 21. Match each characteristic to the appropriate email protocol.
(Not all options are used.)
 destination IPv4 address to the destination host name
12. What type of information is contained in a DNS MX record? POP:
 the IP address of an authoritative name server  does not require a centralized backup solution.
 the FQDN of the alias used to identify a service  mail is deleted as it is downloaded.
 the domain name mapped to mail exchange servers  desirable for an ISP or large business.
 the IP address for an FQDN entry IMAP:
13. Match the application protocols to the correct transport  download copies of messages to be the client.
protocols.
 original messages must be manually deleted.
 requires a larger a mount of disk space.
 TCP: FTP, HTTP, SMTP. 22. What is done to an IP packet before it is transmitted over
 UDP: TFTP, DHCP. the physical medium?
14. A PC is downloading a large file from a server. The TCP  It is tagged with information guaranteeing reliable
window is 1000 bytes. The server is sending the file using 100- delivery.
byte segments. How many segments will the server send before  It is segmented into smaller individual pieces.
it requires an acknowledgment from the PC?
 It is encapsulated in a Layer 2 frame.
 1000 segments
 It is encapsulated into a TCP segment.
 100 segments 23. Which PDU is processed when a host computer is de-
 1 segment encapsulating a message at the transport layer of the TCP/IP
 10 segments model?
15. A user issues a ping 192.168.250.103 command and receives  segment
a response that includes a code of 1 . What does this code  packet
represent?
 frame
 port unreachable
 bits
 network unreachable 14. What is the purpose of ICMP messages?
 protocol unreachable  to inform routers about network topology changes
  to ensure the delivery of an IP packet  128 bytes
 to provide feedback of IP packet transmissions  64 bytes
 to monitor the process of a domain name to IP address  1024 bytes
resolution  56 bytes
25. Match the HTTP status code group to the type of message  1518 bytes
generated by the HTTP server. 33. A user who is unable to connect to the file server contacts
the help desk. The helpdesk technician asks the user to ping the
 client error: ~~> 4xx IP address of the default gateway that is configured on the
 redirection: ~~> 3xx workstation. What is the purpose for this ping command?
 success: ~~> 2xx  to resolve the domain name of the file server to its IP
address
 informational: ~~> 1xx
 to request that gateway forward the connection request to
 server error: ~~> 5xx
the file server
26. What network service uses the WHOIS protocol?
 to obtain a dynamic IP address from the server
 HTTPS
 to test that the host has the capability to reach hosts on
 DNS
other networks
 SMTP 34. A user gets an IP address of 192.168.0.1 from the company
 FTP network administrator. A friend of the user at a different
27. What action does a DHCPv4 client take if it receives more company gets the same IP address on another PC. How can two
than one DHCPOFFER from multiple DHCP servers? PCs use the same IP address and still reach the Internet, send
 It sends a DHCPNAK and begins the DHCP process over and receive email, and search the web?
again.  ISPs use Domain Name Service to change a user IP
 It accepts both DHCPOFFER messages and sends a address into a public IP address that can be used on the
DHCPACK. Internet.
 It discards both offers and sends a new  Both users must be using the same Internet Service
DHCPDISCOVER. Provider.
 It sends a DHCPREQUEST that identifies which lease  Both users must be on the same network.
offer the client is accepting.  ISPs use Network Address Translation to change a
28. Which networking model is being used when an author user IP address into an address that can be used on the
uploads one chapter document to a file server of a book Internet.
publisher? 35. How many host addresses are available on the
 peer-to-peer 192.168.10.128/26 network?
 client/server  30
 master-slave  32
 point-to-point  60
29. Which protocol is a client/server file sharing protocol and  62
also a request/response protocol?  64
 FTP 36. What are the three ranges of IP addresses that are reserved
 UDP for internal private use? (Choose three.)
 TCP  64.100.0.0/14
 SMB  192.168.0.0/16
30. How is a DHCPDISCOVER transmitted on a network to  192.31.7.0/24
reach a DHCP server?  172.16.0.0/12
 A DHCPDISCOVER message is sent with the  10.0.0.0/8
broadcast IP address as the destination address.
 127.16.0.0/12
 A DHCPDISCOVER message is sent with a multicast IP 37. Which process failed if a computer cannot access the
address that all DHCP servers listen to as the destination internet and received an IP address of 169.254.142.5?
address.
 DNS
 A DHCPDISCOVER message is sent with the IP address
 IP
of the default gateway as the destination address.
 HTTP
 A DHCPDISCOVER message is sent with the IP address
of the DHCP server as the destination address.  DHCP
31. What is a description of a DNS zone transfer? 38. Which statement describes a feature of the IP protocol?
 transferring blocks of DNS data from a DNS server to  IP relies on Layer 2 protocols for transmission error
another server control.
 the action taken when a DNS server sends a query on  MAC addresses are used during the IP packet
behalf of a DNS resolver encapsulation.
 forwarding a request from a DNS server in a subdomain  IP relies on upper layer services to handle situations of
to an authoritative source missing or out-of-order packets.
 finding an address match and transferring the numbered  IP encapsulation is modified based on network media.
address from a DNS server to the original requesting 39. What is a basic characteristic of the IP protocol?
client  connectionless
32. What are the two sizes (minimum and maximum) of an  media dependent
Ethernet frame? (Choose two.)  user data segmentation
  reliable end-to-end delivery
40. Which statement describes the ping and tracert commands?
 Both ping and tracert can show results in a graphical
display.
 Ping shows whether the transmission is successful; tracert
does not.
 Tracert shows each hop, while ping shows a
destination reply only.
 Tracert uses IP addresses; ping does not.
41. A large corporation has modified its network to allow users
to access network resources from their personal laptops and
smart phones. Which networking trend does this describe?
 cloud computing
 video conferencing
 online collaboration
 bring your own device
42. Match each description to its corresponding term. (Not all
options are used.)
 message encoding : the process of converting information
from one format into another acceptable for transmission
 message sizing : the process of breaking up a long
message into individual pieces before being sent over the
network
 message encapsulation : the process of placing one
message format inside another message format
 (Empty) : the process of determining when to begin
sending messages on a network
 (Empty) : the process of unpacking one message format
from another message format
43. Which method would an IPv6-enabled host using SLAAC
employ to learn the address of the default gateway?
 router advertisement messages received from the link
router
 router solicitation messages received from the link router
 neighbor advertisement messages received from link
neighbors
 neighbor solicitation messages sent to link neighbors
44. Which type of transmission is used to transmit a single video
stream such as a web-based video conference to a select number
of users?
 anycast
 broadcast
 unicast
 multicast
45. Refer to the exhibit. PC1 attempts to connect to File_server1
and sends an ARP request to obtain a destination MAC
address. Which MAC address will PC1 receive in the ARP
reply?
 the MAC address of the GO/O interface on R2
 the MAC address of S2
 the MAC address of S1
 the MAC address of File_server1
 the MAC address of the GO/O interface on R1
46. What is the result of an ARP poisoning attack?
 Network clients are infected with a virus.
 Network clients experience a denial of service.
 Client memory buffers are overwhelmed.
 Client information is stolen.
47. What is the function of the HTTP GET message?
 to upload content to a web server from a web client
 to retrieve client email from an email server using TCP
port 110
 to request an HTML page from a web server
 to send error information from a web server to a web
client
48. Refer to the exhibit. This PC is unable to communicate with
the host at 172.16.0.100. What information can be gathered
from the displayed output?
 The target host is turned off.
 The communication fails after the default gateway.
 172.16.0.100 is only a single hop away.
 This PC has the wrong subnet configured on its NIC
49. A user issues a ping 192.168.250.103 command and receives
a response that includes a code of 1. What does this code
represent?
 network unreachable
 port unreachable
 protocol unreachable
 host unreachable
50. Which two operations are provided by TCP but not by
UDP? (Choose two.)
 retransmitting any unacknowledged data
 acknowledging received data
 reconstructing data in the order received
 identifying the applications
 tracking individual conversations
51. A user is executing a tracert to a remote device. At what
point would a router, which is in the path to the destination
device, stop forwarding the packet?
 when the router receives an ICMP Time Exceeded
message
 when the RTT value reaches zero
 when the values of both the Echo Request and Echo
Reply messages reach zero
 when the host responds with an ICMP Echo Reply
message
 when the value in the TTL field reaches zero
52. A network administrator is testing network connectivity by
issuing the ping command on a router. Which symbol will be
displayed to indicate that a time expired during the wait for an
ICMP echo reply message?
 U
 .
 !
 $
53. A technician is configuring email on a mobile device. The
user wants to be able to keep the original email on the server,
organize it into folders, and synchronize the folders between the
mobile device and the server. Which email protocol should the
technician use?
 SMTP
 MIME
 POP3
 IMAP
54. At which OSI layer is a source MAC address added to a
PDU during the encapsulation process?
 application layer
 presentation layer
 data link layer
 transport layer
55. Which value, that is contained in an IPv4 header field, is
decremented by each router that receives a packet?
 Time-to-Live
  Fragment Offset 62. A device has been assigned the IPv6 address of
 Header Length 2001:0db8:cafe:4500:1000:00d8:0058:00ab/64. Which is the
host identifier of the device?
 Differentiated Services
56. What are three responsibilities of the transport layer?  2001:0db8:cafe:4500:1000:00d8:0058:00ab
(Choose three.)  00ab
 identifying the applications and services on the client  2001:0db8:cafe:4500
and server that should handle transmitted data  1000:00d8:0058:00ab
 conducting error detection of the contents in frames 63. What three application layer protocols are part of the
 meeting the reliability requirements of applications, if TCP/IP protocol suite? (Choose three.)
any  DHCP
 directing packets towards the destination network  PPP
 formatting data into a compatible form for receipt by the  FTP
destination devices  DNS
 multiplexing multiple communication streams from  NAT
many users or applications on the same network  ARP
57. How does network scanning help assess operations security? 64. A computer can access devices on the same network but
 It can detect open TCP ports on network systems. cannot access devices on other networks. What is the probable
 It can detect weak or blank passwords. cause of this problem?
 It can simulate attacks from malicious sources.  The computer has an invalid IP address.
 It can log abnormal activity.  The cable is not connected properly to the NIC.
58. Refer to the exhibit. A network security analyst is  The computer has an incorrect subnet mask.
examining captured data using Wireshark. The captured  The computer has an invalid default gateway address.
frames indicate that a host is downloading malware from a 65. Refer to the exhibit. PC1 issues an ARP request because it
server. Which source port is used by the host to request the needs to send a packet to PC3. In this scenario, what will
download? happen next?
 RT1 will send an ARP reply with its own Fa0/1 MAC
 66 address.
 1514  SW1 will send an ARP reply with its Fa0/1 MAC address.
 6666  RT1 will send an ARP reply with the PC3 MAC address.
 48598  RT1 will forward the ARP request to PC3.
59. What are three responsibilities of the transport layer?  RT1 will send an ARP reply with its own Fa0/0 MAC
(Choose three.) address.
 identifying the applications and services on the client
and server that should handle transmitted data
 conducting error detection of the contents in frames CyberOps Associate (Version 1.0) – Modules 11 – 12: Network
Infrastructure Security Group Exam
 meeting the reliability requirements of applications, if
1. For which discovery mode will an AP generate the most
any
traffic on a WLAN?
 directing packets towards the destination network
 passive mode
 formatting data into a compatible form for receipt by the
 mixed mode
destination devices
 active mode
 multiplexing multiple communication streams from
many users or applications on the same network  open mode
60. Which two ICMP messages are used by both IPv4 and IPv6 2. Which parameter is commonly used to identify a wireless
protocols? (Choose two.) network name when a home wireless AP is being configured?
 route redirection  ad hoc
 neighbor solicitation  SSID
 router solicitation  BESS
 router advertisement  ESS
3. Which two protocols are considered distance vector routing
 protocol unreachable
protocols? (Choose two.)
61. What mechanism is used by a router to prevent a received
IPv4 packet from traveling endlessly on a network?  ISIS
 It checks the value of the TTL field and if it is 100, it  RIP
discards the packet and sends a Destination Unreachable  BGP
message to the source host.  EIGRP
 It decrements the value of the TTL field by 1 and if the  OSPF
result is 0, it discards the packet and sends a Time 4. Which AAA component can be established using token
Exceeded message to the source host. cards?
 It checks the value of the TTL field and if it is 0, it  authentication
discards the packet and sends a Destination Unreachable  accounting
message to the source host.  authorization
 It increments the value of the TTL field by 1 and if the  auditing
result is 100, it discards the packet and sends a Parameter 5. Which statement describes a VPN?
Problem message to the source host.
  VPNs use open source virtualization software to create  NTP servers at stratum 1 are directly connected to an
the tunnel through the Internet. authoritative time source.
 VPNs use dedicated physical connections to transfer data  NTP servers control the mean time between failures
between remote users. (MTBF) for key network devices.
 VPNs use logical connections to create public networks  NTP servers ensure an accurate time stamp on logging
through the Internet. and debugging information.
 VPNs use virtual connections to create a private  All NTP servers synchronize directly to a stratum 1 time
network through a public network. source.
6. What is an advantage of HIPS that is not provided by IDS? 13. In the data gathering process, which type of device will
 HIPS protects critical system resources and monitors listen for traffic, but only gather traffic statistics?
operating system processes.  NetFlow collector
 HIPS deploys sensors at network entry points and protects  NMS
critical network segments.  SNMP agent
 HIPS monitors network processes and protects critical  syslog server
files. 14. Which two protocols are link-state routing protocols?
 HIPS provides quick analysis of events through detailed (Choose two.)
logging.  ISIS
7. Which statement describes a difference between RADIUS  EIGRP
and TACACS+?
 BGP
 RADIUS separates authentication and authorization
whereas TACACS+ combines them as one process.
 RIP
 RADIUS is supported by the Cisco Secure ACS software  OSPF
15. What is the function of the distribution layer of the three-
whereas TACACS+ is not.
layer network design model?
 RADIUS uses TCP whereas TACACS+ uses UDP.
 providing direct access to the network
 RADIUS encrypts only the password whereas
TACACS+ encrypts all communication.
 providing secure access to the Internet
8. What are two disadvantages of using an IDS? (Choose two.)  aggregating access layer connections
 The IDS does not stop malicious traffic.  providing high speed connection to the network edge
 The IDS works offline using copies of network traffic. 16. What two components of traditional web security appliances
are examples of functions integrated into a Cisco Web Security
 The IDS has no impact on traffic. Appliance? (Choose two.)
 The IDS analyzes actual forwarded packets.  email virus and spam filtering
 The IDS requires other devices to respond to attacks.  VPN connection
9. Which statement describes one of the rules that govern
interface behavior in the context of implementing a zone-based
 firewall
policy firewall configuration?  web reporting
 An administrator can assign interfaces to zones,  URL filtering
regardless of whether the zone has been configured. 17. What are two types of addresses found on network end
 An administrator can assign an interface to multiple devices? (Choose two.)
security zones.  return
 By default, traffic is allowed to flow among interfaces  IP
that are members of the same zone.  MAC
 By default, traffic is allowed to flow between a zone  TCP
member interface and any interface that is not a zone  UDP
member. 18. What is a characteristic of the WLAN passive discover
10. Which technique is necessary to ensure a private transfer of mode?
data using a VPN?  The client must know the name of the SSID to begin the
 encryption discover process.
 virtualization  The client begins the discover process by sending a probe
 scalability request.
 authorization  The beaconing feature on the AP is disabled.
11. Which two devices would commonly be found at the access  The AP periodically sends beacon frames containing
layer of the hierarchical enterprise LAN design model? (Choose the SSID.
two.) 19. What is a characteristic of a routed port that is configured
 modular switch on a Cisco switch?
 Layer 3 device  It supports subinterfaces.
 Layer 2 switch  It is associated with a single VLAN.
 firewall  It runs STP to prevent loops.
 access point  It is assigned an IP address.
12. Which two statements are true about NTP servers in an 20. What action does an Ethernet switch take when it receives a
enterprise network? (Choose two.) frame with an unknown Layer 2 source address?
 There can only be one NTP server on an enterprise  It forwards the frame out all interfaces except the
network. interface on which it was received.
 It forwards the frame to the default gateway.
  It records the source address in the address table of 30. In which memory location is the routing table of a router
the switch. maintained?
 It drops the frame.  ROM
21.. Match each device to a category.  flash
 NVRAM
22. What is a host-based intrusion detection system (HIDS)?  RAM
 It detects and stops potential direct attacks but does not 31. Lightweight access points forward data between which two
scan for malware. devices on the network? (Choose two.)
 It is an agentless system that scans files on a host for  wireless router
potential malware.  default gateway
 It identifies potential attacks and sends alerts but does not  wireless LAN controller
stop the traffic.  autonomous access point
 It combines the functionalities of antimalware  wireless client
applications with firewall protection. 32. A Cisco router is running IOS 15. What are the two routing
23. What type of route is created when a network administrator table entry types that will be added when a network
manually configures a route that has an active exit interface? administrator brings an interface up and assigns an IP address
 directly connected to the interface? (Choose two.)
 static  route that is manually entered by a network administrator
 local  local route interface
 dynamic  route that is learned via OSPF
24. Which characteristic describes a wireless client operating in  directly connected interface
active mode?  route that is learned via EIGRP
 must be configured for security before attaching to an AP 33. Match the secunty service with the description.
 broadcasts probes that request the SSID
 ability to dynamically change channels 34. Match the network security device type with the descnption.
 must know the SSID to connect to an AP
25. Which routing protocol is used to exchange routes between 35. What Wi-Fi management frame is regularly broadcast by
internet service providers? APs to announce their presence?
 OSPF  authentication
 EIGRP  beacon
 ISIS  probe
 BGP  association
 RIP 36. What is a function of SNMP?
26. What is the first step in the CSMA/CA process when a  synchronizes the time across all devices on the network
wireless client is attempting to communicate on the wireless
 captures packets entering and exiting the network
network?
interface card
 The client sends an RTS message to the AP.  provides a message format for communication
 The client sends a test frame onto the channel. between network device managers and agents
 The client listens for traffic on the channel.  provides statistical analysis on packets flowing through a
 The AP sends a CTS message to the client. Cisco router or multilayer switch
27. What Wi-Fi management frame is regularly broadcast by 37. What is a characteristic of a hub?
APs to announce their presence?  operates at Layer 2
 authentication  regenerates signals received on one port out all other
 beacon ports
 probe  subdivides the network into collision domains
 association  uses CSMA/CA to avoid collisions
28. What are the three parts of all Layer 2 frames? (Choose 38. Match the network security device type with the description.
three.)
 source and destination IP address 39. Which firewall feature is used to ensure that packets coming
 payload into a network are legitimate responses to requests initiated
 sequence number from internal hosts?
 frame check sequence  application filtering
 time-to-live  stateful packet inspection
 header  packet filtering
29. What is the first step in the CSMA/CA process when a  URL filtering
wireless client is attempting to communicate on the wireless 40. What is used on WLANs to avoid packet collisions?
network?  SVIs
 The client sends an RTS message to the AP.  STP
 The client sends a test frame onto the channel.  CSMA/CA
 The client listens for traffic on the channel.  VLANs
 The AP sends a CTS message to the client. 41. What information within a data packet does a router use to
make forwarding decisions?
  the destination MAC address  SNMP agent
 the destination host name  Splunk
 the destination service requested 7. What are three functionalities provided by SOAR? (Choose
 the destination IP address three.)
 It automates complex incident response procedures
and investigations.
CyberOps Associate (Version 1.0) – Modules 13 – 17: Threats and  It provides 24×7 statistics on packets that flow through a
Attacks Group Exam Cisco router or multilayer switch.
1. Which is an example of social engineering?  It uses artificial intelligence to detect incidents and aid
 an unidentified person claiming to be a technician in incident analysis and response.
collecting user information from employees  It presents the correlated and aggregated event data in
 the infection of a computer by a virus carried by a Trojan real-time monitoring and long-term summaries.
 an anonymous programmer directing a DDoS attack on a  It provides a complete audit trail of basic information
data center about every IP flow forwarded on a device.
 a computer displaying unauthorized pop-ups and  It provides case management tools that allow
adware cybersecurity personnel to research and investigate
2. What is a significant characteristic of virus malware? incidents.
 A virus is triggered by an event on the host system. 8. Which devices should be secured to mitigate against MAC
 Virus malware is only distributed over the Internet. address spoofing attacks?
 A virus can execute independently of the host system.  Layer 7 devices
 Once installed on a host system, a virus will automatically  Layer 4 devices
propagate itself to other systems.  Layer 3 devices
3. Which access attack method involves a software program  Layer 2 devices
that attempts to discover a system password by the use of an 9. A network administrator is checking the system logs and
electronic dictionary? notices unusual connectivity tests to multiple well-known ports
 brute-force attack on a server. What kind of potential network attack could this
 IP spoofing attack indicate?
 denial of service attack  access
 port redirection attack  denial of service
 buffer overflow attack  information theft
 packet sniffer attack  reconnaissance
4. Which statement describes an operational characteristic of 10. What is a vulnerability that allows criminals to inject scripts
NetFlow? into web pages viewed by users?
 NetFlow collects basic information about the packet  Cross-site scripting
flow, not the flow data itself.  XML injection
 NetFlow captures the entire contents of a packet.  buffer overflow
 NetFlow flow records can be viewed by the tcpdump tool.  SQL injection
 NetFlow can provide services for user access control. 11. Why would a rootkit be used by a hacker?
5. Match the network monitoring solution with a description.  to try to guess a password
(Not all options are used.)  to reverse engineer binary files
 to gain access to a device without being detected
 to do reconnaissance
12. What causes a buffer overflow?
 sending too much information to two or more interfaces
of the same device, thereby causing dropped packets
 attempting to write more data to a memory location
than that location can hold
 sending repeated connections such as Telnet to a
particular device, thus denying other data sources
 downloading and installing too many software updates at
one time
 launching a security countermeasure to mitigate a Trojan
horse
13. Which type of security threat would be responsible if a
spreadsheet add-on disables the local software firewall?
 DoS
 Trojan horse
 buffer overflow
 brute-force attack
6. Which technology is a proprietary SIEM system? 14. Which two types of hackers are typically classified as grey
hat hackers? (Choose two.)
 StealthWatch
 hacktivists
 NetFlow collector
 cyber criminals
  vulnerability brokers of username and password for auditing purposes. Which
 script kiddies security threat does this phone call represent?
 state-sponsored hackers  spam
15. A white hat hacker is using a security tool called Skipfish to  anonymous keylogging
discover the vulnerabilities of a computer system. What type of  DDoS
tool is this?  social engineering
 debugger 23. Which two characteristics describe a worm? (Chose two)
 fuzzer  is self-replicating
 vulnerability scanner  travels to new computers without any intervention or
 packet sniffer knowledge of the user
16. Which two functions are provided by NetFlow? (Choose  infects computers by attaching to software code
two.)  hides in a dormant state until needed by an attacker
 It uses artificial intelligence to detect incidents and aid in  executes when software is run on a computer
incident analysis and response. 24. What kind of ICMP message can be used by threat actors to
 It provides a complete audit trail of basic information create a man-in-the-middle attack?
about every IP flow forwarded on a device.  ICMP echo request
 It provides 24×7 statistics on packets that flow through  ICMP unreachable
a Cisco router or multilayer switch.  ICMP redirects
 It allows an administrator to capture real-time network  ICMP mask reply
traffic and analyze the entire contents of packets. 25. What are two purposes of launching a reconnaissance attack
 It presents correlated and aggregated event data in real- on a network? (Choose two.)
time monitoring and long-term summaries.  to escalate access privileges
17. Which statement describes the function of the SPAN tool
used in a Cisco switch?
 to prevent other users from accessing the system
 It is a secure channel for a switch to send logging to a  to scan for accessibility
syslog server.  to gather information about the network and devices
 It provides interconnection between VLANs over multiple  to retrieve and modify data
switches. 26. Which type of network attack involves randomly opening
 It supports the SNMP trap operation on a switch. many Telnet requests to a router and results in a valid network
administrator not being able to access the device?
 It copies the traffic from one switch port and sends it
to another switch port that is connected to a
 DNS poisoning
monitoring device.  man-in-the-middle
18. What are two evasion methods used by hackers? (Choose  SYN flooding
two.)  spoofing
 scanning 27. What functionality is provided by Cisco SPAN in a switched
 access attack network?
 resource exhaustion  It mirrors traffic that passes through a switch port or
 phishing VLAN to another port for traffic analysis.
 encryption  It prevents traffic on a LAN from being disrupted by a
broadcast storm.
19. Which attack involves threat actors positioning themselves
between a source and destination with the intent of  It protects the switched network from receiving BPDUs
transparently monitoring, capturing, and controlling the on ports that should not be receiving them.
communication?  It copies traffic that passes through a switch interface and
 man-in-the-middle attack sends the data directly to a syslog or SNMP server for
 DoS attack analysis.
 ICMP attack  It inspects voice protocols to ensure that SIP, SCCP,
H.323, and MGCP requests conform to voice standards.
 SYN flood attack
20. What is the goal of a white hat hacker?
 It mitigates MAC address overflow attacks.
28. An attacker is redirecting traffic to a false default gateway
 validating data in an attempt to intercept the data traffic of a switched
 modifying data network. What type of attack could achieve this?
 stealing data  MAC address snoopin
 protecting data  DHCP snooping
21. Once a cyber threat has been verified, the US Cybersecurity  MAC address starvation
Infrastructure and Security Agency (CISA) automatically
shares the cybersecurity information with public and private
 DHCP spoofing
29. What would be the target of an SQL injection attack?
organizations. What is this automated system called?
 AIS  DHCP
 NCSA  DNS
 ENISA  email
 NCASM  database
30. The IT department is reporting that a company web server
22. A user receives a phone call from a person who claims to
is receiving an abnormally high number of web page requests
represent IT services and then asks that user for confirmation
from different locations simultaneously. Which type of security
attack is occurring?
 social engineering
 adware
 DDoS
 phishing
 spyware
31. Why would an attacker want to spoof a MAC address?
 so that the attacker can capture traffic from multiple
VLANs rather than from just the VLAN that is assigned
to the port to which the attacker device is attached
 so that a switch on the LAN will start forwarding
frames to the attacker instead of to the legitimate host
 so that a switch on the LAN will start forwarding all
frames toward the device that is under control of the
attacker (that can then capture the LAN traffic)
 so that the attacker can launch another type of attack in
order to gain access to the switch
32. Match the security concept to the description.
33. What is the significant characteristic of worm malware?
 Worm malware disguises itself as legitimate software.
 Once installed on a host system, a worm does not
replicate itself.
 A worm must be triggered by an event on the host system.
 A worm can execute independently of the host system.
34. What are the three major components of a worm attack?
(Choose three.)
 a payload
 a propagation mechanism
 an infecting vulnerability
 a probing mechanism
 an enabling vulnerability
 a penetration mechanism
35. A user is curious about how someone might know a
computer has been infected with malware. What are two
common malware behaviors? (Choose two.)
 The computer emits a hissing sound every time the pencil
sharpener is used.
 The computer beeps once during the boot process.
 The computer gets increasingly slower to respond.
 No sound emits when an audio CD is played.
 The computer freezes and requires reboots.
36. Which two types of attacks are examples of reconnaissance
attacks? (Choose two.)
 brute force
 port scan
 ping sweep
 man-in-the-middle
 SYN flood
37. An administrator discovers a vulnerability in the network.
On analysis of the vulnerability the administrator decides the
cost of managing the risk outweighs the cost of the risk itself.
The risk is accepted, and no action is taken. What risk
management strategy has been adopted?
 risk transfer
 risk acceptance
 risk reduction
 risk avoidance
38. Which protocol is exploited by cybercriminals who create
malicious iFrames?
 HTTP
 DNS
 ARP
 DHCP
39. How can a DNS tunneling attack be mitigated?
 by preventing devices from using gratuitous ARP
 by using a filter that inspects DNS traffic
 by securing all domain owner accounts
 by using strong passwords and two-factor authentication
40. What is the function of a gratuitous ARP sent by a
networked device when it boots up?
 to request the netbios name of the connected system
 to request the MAC address of the DNS server
 to request the IP address of the connected network
 to advise connected devices of its MAC address
41. What is the result of a passive ARP poisoning attack?
 Data is modified in transit or malicious data is inserted in
transit.
 Network clients experience a denial of service.
 Confidential information is stolen.
 Multiple subdomains are created.
42. What are two methods used by cybercriminals to mask DNS
attacks? (Choose two.)
 reflection
 shadowing
 domain generation algorithms
 fast flux
 tunneling
43. Match the security tool with the description. (Not all options leaking sensitive information, and performing distributed
apply.) denial of service (DDoS) attacks
 script kiddies : inexperienced threat actors running
existing scripts, tools, and exploits, to cause harm, but
typically not for profit
 State-sponsored : threat actors who steal government
secrets, gather intelligence, and sabotage networks of
foreign governments, terrorist groups, and corporations
46. What scenario describes a vulnerability broker?
 a teenager running existing scripts, tools, and exploits, to
cause harm, but typically not for profit
 a threat actor attempting to discover exploits and
report them to vendors, sometimes for prizes or
rewards
 a threat actor publicly protesting against governments by
posting articles and leaking sensitive information
 a State-Sponsored threat actor who steals government
secrets and sabotages networks of foreign governments
47. In what type of attack is a cybercriminal attempting to
prevent legitimate users from accessing network services?
 DoS
 session hijacking
 MITM
44. Match the type of cyberattackers to the description. (Not all  address spoofing
options are used.) 16. Which field in the IPv6 header points to optional network
layer information that is carried in the IPv6 packet?
 traffic class
 version
 flow label
 next header
48. Which type of attack is carried out by threat actors against
a network to determine which IP addresses, protocols, and
ports are allowed by ACLs?
 social engineering
 denial of service
 phishing
 reconnaissance
49. Which cyber attack involves a coordinated attack from a
botnet of zombie computers?
 ICMP redirect
 MITM
45. Match the threat actors with the descriptions. (Not all  DDoS
options are used.)
 address spoofing
50. What technique is a security attack that depletes the pool of
IP addresses available for legitimate hosts?
 reconnaissance attack
 DHCP starvation
 DHCP spoofing
 DHCP snooping
51 Which type of Trojan horse security breach uses the
computer of the victim as the source device to launch other
attacks?
 proxy
 FTP
 DoS
 data-sending
52. What are two examples of DoS attacks? (Choose two.)
 buffer overflow
 SQL injection
 port scanning
 hacktivists : threat actors that publicly protest against  phishing
organizations or governments by posting articles, videos,  ping of death
CyberOps Associate (Version 1.0) – Modules 18 – 20: Network
Defense Group Exam
1. How does BYOD change the way in which businesses
implement networks?
 BYOD requires organizations to purchase laptops rather
than desktops.
 BYOD provides flexibility in where and how users can
access network resources.
 BYOD users are responsible for their own network
security, thus reducing the need for organizational
security policies.
 BYOD devices are more expensive than devices that are
purchased by an organization.
2. Which type of business policy establishes the rules of conduct
and the responsibilities of employees and employers?
 employee
 data
 company
 security
3. What device would be used as the third line of defense in a
defense-in-depth approach?
 host
 firewall
 internal router
 edge router
4. What does the incident handling procedures security policy
describe?
 It describes how security incidents are handled.
 It describes the procedure for auditing the network after a
cyberattack.
 It describes the procedure for mitigating cyberattacks.
 It describes how to prevent various cyberattacks.
5. What is the benefit of a defense-in-depth approach?
 All network vulnerabilities are mitigated.
 The need for firewalls is eliminated.
 Only a single layer of security at the network core is
required.
 The effectiveness of other security measures is not
impacted when a security mechanism fails.
6. Match the term to the description.
Match the term to the description
7. Match the type of business policy to the description.
 defines system requirements and objectives, rules, and
requirements for users when they attach to or on the
network ==> security
 protects the rights of workers and the company
interests ==> company
 identifies salary, pay schedule, benefits, work schedule,
vacations, etc. ==> employee
8. Why is asset management a critical function of a growing
organization against security threats?
 It identifies the ever increasing attack surface to
threats.
 It allows for a build of a comprehensive AUP.
 It serves to preserve an audit trail of all new purchases.
 It prevents theft of older assets that are decommissioned.
9. In a defense-in-depth approach, which three options must be
identified to effectively defend a network against attacks?
(Choose three.)
 total number of devices that attach to the wired and
wireless network
 assets that need protection
 vulnerabilities in the system
 location of attacker or attackers
 past security breaches
 threats to assets
10. What is the first line of defense when an organization is
using a defense-in-depth approach to network security?
 edge router
 firewall
 proxy server
 IPS
11. What is the primary function of the Center for Internet
Security (CIS)?
 to maintain a list of common vulnerabilities and
exposures (CVE) used by security organizations
 to provide a security news portal that aggregates the latest
breaking news pertaining to alerts, exploits, and
vulnerabilities
 to offer 24×7 cyberthreat warnings and advisories,
vulnerability identification, and mitigation and
incident responses
 to provide vendor-neutral education products and career
services to industry professionals worldwide
12. What is CybOX?
 It is a specification for an application layer protocol that
allows the communication of CTI over HTTPS.
  It is a set of standardized schemata for specifying,
capturing, characterizing, and communicating events
and properties of network operations.
 It enables the real-time exchange of cyberthreat indicators
between the U.S. Federal Government and the private
sector.
 It is a catalog of known security threats called Common
Vulnerabilities and Exposures (CVE) for publicly known
cybersecurity vulnerabilities.
13. What three goals does a BYOD security policy accomplish?
(Choose three.)
 identify all malware signatures and synchronize them
across corporate databases
 identify which employees can bring their own devices
 identify safeguards to put in place if a device is
compromised
 identify and prevent all heuristic virus signatures
 identify a list of websites that users are not permitted to
access
 describe the rights to access and activities permitted to
security personnel on the device
14. When designing a prototype network for a new server farm,
a network designer chooses to use redundant links to connect to
the rest of the network. Which business goal will be addressed
by this choice?
 availability
 manageability
 security
 scalability
15. When a security audit is performed at a company, the
auditor reports that new users have access to network resources
beyond their normal job roles. Additionally, users who move to
different positions retain their prior permissions. What kind of
violation is occurring?
 least privilege
 network policy
 password
 audit
16. Which component of the zero trust security model focuses
on secure access when an API, a microservice, or a container is
accessing a database within an application?
 workflow
 workforce
 workload
 workplace
17. Which two options are security best practices that help
mitigate BYOD risks? (Choose two.)
 Use paint that reflects wireless signals and glass that
prevents the signals from going outside the building.
 Keep the device OS and software updated.
 Only allow devices that have been approved by the
corporate IT team.
 Only turn on Wi-Fi when using the wireless network.
 Decrease the wireless antenna gain level.
 Use wireless MAC address filtering.
18. What is the purpose of mobile device management (MDM)
software?
 It is used to create a security policy.
 It is used to implement security policies, setting, and
software configurations on mobile devices.
 It is used to identify potential mobile device
vulnerabilities.
 It is used by threat actors to penetrate the system.
19. Match the threat intelligence sharing standards with the
description.
 This is the specification for an application layer protocol
that allows the communication of CTI over
HTTPS. ==> TAXII
 This is a set of specifications for exchanging cyberthreat
information between organizations. ==> STIX
 This is is a set of standardized schemata for specifying,
capturing, characterizing, and communicating events and
properties of network operations. ==> CybOX
20. What is the primary purpose of the Forum of Incident
Response and Security Teams (FIRST)?
 to enable a variety of computer security incident
response teams to collaborate, cooperate, and
coordinate information sharing, incident prevention,
and rapid reaction strategies
 to provide a security news portal that aggregates the latest
breaking news pertaining to alerts, exploits, and
vulnerabilities
 to offer 24×7 cyberthreat warnings and advisories,
vulnerability identification, and mitigation and incident
response
 to provide vendor neutral education products and career
services to industry professionals worldwide
21. What is the primary purpose of the Malware Information
Sharing Platform (MISP) ?
 to publish all informational materials on known and
newly discovered cyberthreats
 to enable automated sharing of IOCs between people
and machines using the STIX and other exports
formats
 to provide a set of standardized schemata for specifying
and capturing events and properties of network operations
 to exchange all the response mechanisms to known threats
22. Which statement describes Trusted Automated Exchange of
Indicator Information (TAXII)?
 It is a set of specifications for exchanging cyber threat
information between organizations.
 It is a signature-less engine utilizing stateful attack
analysis to detect zero-day threats.
 It is a dynamic database of real-time vulnerabilities.
 It is the specification for an application layer protocol
that allows the communication of CTI over HTTPS.
23. Which organization defines unique CVE Identifiers for
publicly known information-security vulnerabilities that make
it easier to share data?
 Cisco Talos
 DHS
 FireEye
 MITRE
24. How does FireEye detect and prevent zero-day attacks?
 by establishing an authentication parameter prior to any
data exchange
 by addressing all stages of an attack lifecycle with a
signature-less engine utilizing stateful attack analysis
 by keeping a detailed analysis of all viruses and malware
 by only accepting encrypted data packets that validate
against their configured hash values
25. A web server administrator is configuring access settings to
require users to authenticate first before accessing certain web
pages. Which requirement of information security is addressed
through the configuration?
 availability
 integrity
  scalability
 confidentiality
26. What is the purpose of the network security accounting
function?
 to determine which resources a user can access
 to provide challenge and response questions
 to keep track of the actions of a user
 to require users to prove who they are
27. Which term describes the ability of a web server to keep a
log of the users who access the server, as well as the length of
time they use it?
 authentication
 accounting
 assigning permissions
 authorization
28. Match the information security component with the
description.
 Only authorized individuals, entities, or processes can
access sensitive information. : confidentiality
 Data is protected from unauthorized alteration. : Integrity
 Authorized users must have uninterrupted access to
important resources and data. : availability
29. What are two characteristics of the RADIUS protocol?
(Choose two.)
 encryption of the entire body of the packet
 encryption of the password only
 the use of UDP ports for authentication and
accounting
 the separation of the authentication and authorization
processes
 the use of TCP port 49
30. Which AAA component can be established using token
cards?
 accounting
 authorization
 authentication
 auditing
31. What is a characteristic of the security artichoke, defense-
in-depth approach?
 Threat actors can easily compromise all layers
safeguarding the data or systems.
 Threat actors no longer have to peel away each layer
before reaching the target data or system.
 Threat actors can no longer penetrate any layers
safeguarding the data or system.
 Each layer has to be penetrated before the threat actor can
reach the target data or system.
32. What is a characteristic of a layered defense-in-depth
security approach?
 Three or more devices are used.
 Routers are replaced with firewalls.
 One safeguard failure does not affect the effectiveness
of other safeguards.
 When one device fails, another one takes over.
33. What is the principle behind the nondiscretionary access
control model?
 It applies the strictest access control possible.
 It allows access decisions to be based on roles and
responsibilities of a user within the organization.
 It allows users to control access to their data as owners of
that data.
 It allows access based on attributes of the object be to
accessed.
34. Which type of access control applies the strictest access
control and is commonly used in military or mission critical
applications?
 Non-discretionary access control
 discretionary access control (DAC)
 attribute-based access control (ABAC)
 mandatory access control (MAC)
35. Passwords, passphrases, and PINs are examples of which
security term?
 identification
 access
 authentication
 authorization
36. How does AIS address a newly discovered threat?
 by creating response strategies against the new threat
 by advising the U.S. Federal Government to publish
internal response strategies
 by enabling real-time exchange of cyberthreat
indicators with U.S. Federal Government and the
private sector
 by mitigating the attack with active response defense
mechanisms
CyberOps Associate (Version 1.0) – Modules 21 – 23:
Cryptography and Endpoint Protection Group Exam
1. Which technology might increase the security challenge to the
implementation of IoT in an enterprise environment?
 network bandwidth
 cloud computing
 CPU processing speed
 data storage
2. Which statement describes the term attack surface?
 It is the total number of attacks toward an organization
within a day.
 It is the group of hosts that experiences the same
attack.
 It is the total sum of vulnerabilities in a system that is
accessible to an attacker.
 It is the network interface where attacks originate.
3. Which HIDS is an open-source based product?
 OSSEC
 Cisco AMP
 Tripwire
 AlienVault USM
4. What does the telemetry function provide in host-based
security software?
 It updates the heuristic antivirus signature database.
  It blocks the passage of zero-day attacks. 12. What technology has a function of using trusted third-party
 It enables updates of malware signatures. protocols to issue credentials that are accepted as an
authoritative identity?
 It enables host-based security programs to have
comprehensive logging functions.  digital signatures
5. Which type of attack does the use of HMACs protect against?  hashing algorithms
 brute force  PKI certificates
 DDoS  symmetric keys
 DoS 13. In addressing a risk that has low potential impact and
relatively high cost of mitigation or reduction, which strategy
 man-in-the-middle will accept the risk and its consequences?
6. Which objective of secure communications is achieved by
encrypting data?  risk avoidance
 confidentiality  risk reduction
 integrity  risk retention
 availability  risk sharing
14. Which two classes of metrics are included in the CVSS Base
 authentication Metric Group? (Choose two.)
7. Which two statements correctly describe certificate classes
used in the PKI? (Choose two.)  Confidentiality Requirement
 A class 4 certificate is for online business transactions  Modified Base
between companies.  Exploit Code Maturity
 A class 0 certificate is more trusted than a class 1  Exploitability
certificate.  Impact metrics
 A class 0 certificate is for testing purposes. 15. Match the NIST Cybersecurity Framework core function
 The lower the class number, the more trusted the with the description. (Not all options are used.)
certificate.
 A class 5 certificate is for users with a focus on
verification of email.
8. A customer purchases an item from an e-commerce site. The
e-commerce site must maintain proof that the data exchange
took place between the site and the customer. Which feature of
digital signatures is required?
 nonrepudiation of the transaction
 integrity of digitally signed data
 authenticity of digitally signed data
 confidentiality of the public key
9. What is the purpose of a digital certificate?
 It provides proof that data has a traditional signature
attached.
 It guarantees that a website has not been hacked.
 It ensures that the person who is gaining access to a
network device is authorized.
 It authenticates a website and establishes a secure
connection to exchange confidential data.
10. In a hierarchical CA topology, where can a subordinate CA
obtain a certificate for itself?
 from the root CA or another subordinate CA at a
higher level
 from the root CA or another subordinate CA at the same
level
 develop and implement the appropriate activities to
 from the root CA or from self-generation
identify the occurrence of a cybersecurity event : detect
 from the root CA only  develop and implement the appropriate safeguards to
 from the root CA or another subordinate CA anywhere in ensure delivery of critical infrastructure services : protect
the tree
 develop and implement the appropriate activities to act on
11. What is the purpose for using digital signatures for code
a detected cybersecurity event
signing?
 develop an organizational understanding to manage
 to establish an encrypted connection to exchange
cybersecurity risk to systems, assets, data, and capabilities
confidential data with a vendor website
: identify
 to verify the integrity of executable files downloaded 16. A cybersecurity analyst is performing a CVSS assessment
from a vendor website on an attack where a web link was sent to several employees.
 to authenticate the identity of the system with a vendor Once clicked, an internal attack was launched. Which CVSS
website Base Metric Group Exploitability metric is used to document
 to generate a virtual ID that the user had to click on the link in order for the attack to
occur?
 scope
  integrity requirement
 availability requirement
 user interaction
17. In network security assessments, which type of test employs
software to scan internal networks and Internet facing servers
for various types of vulnerabilities?
 vulnerability assessment
 risk analysis
 strength of network security testing
 penetration testing
18. What are the three outcomes of the NIST Cybersecurity
Framework identify core function? (Choose three.)
 information protection process and procedures
 governance
 mitigation
 risk assessment
 asset management
 recovery planning
19. Which statement describes the term iptables?
 It is a file used by a DHCP server to store current active
IP addresses.
 It is a rule-based firewall application in Linux.
 It is a DHCP application in Windows.
 It is a DNS daemon in Linux.
20. What is the difference between an HIDS and a firewall?
 An HIDS works like an IPS, whereas a firewall just
monitors traffic.
 An HIDS monitors operating systems on host
computers and processes file system activity. Firewalls
allow or deny traffic between the computer and other
systems.
 A firewall performs packet filtering and therefore is
limited in effectiveness, whereas an HIDS blocks
intrusions.
 An HIDS blocks intrusions, whereas a firewall filters
them.
 A firewall allows and denies traffic based on rules and an
HIDS monitors network traffic.
21. Which statement describes the Cisco Threat Grid
Glovebox?
 It is a network-based IDS/IPS.
 It is a host-based intrusion detection system (HIDS)
solution to fight against malware.
 It is a sandbox product for analyzing malware
behaviors.
 It is a firewall appliance.
22. Which statement describes the policy-based intrusion
detection approach?
 It compares the signatures of incoming traffic to a known
intrusion database.
 It compares the operations of a host against well-
defined security rules.
 It compares the antimalware definitions to a central
repository for the latest updates.
 It compares the behaviors of a host to an established
baseline to identify potential intrusion.
23. What is the purpose of the DH algorithm?
 to provide nonrepudiation support
 to generate a shared secret between two hosts that
have not communicated before
 to encrypt data traffic after a VPN is established
 to support email data confidentiality
24. What is a difference between symmetric and asymmetric
encryption algorithms?
 Symmetric encryption algorithms are used to authenticate
secure communications. Asymmetric encryption
algorithms are used to repudiate messages.
 Symmetric encryption algorithms are used to encrypt
data. Asymmetric encryption algorithms are used to
decrypt data.
 Symmetric encryption algorithms use pre-shared keys.
Asymmetric encryption algorithms use different keys
to encrypt and decrypt data.
 Symmetric algorithms are typically hundreds to thousands
of times slower than asymmetric algorithms.
25. When a server profile for an organization is being
established, which element describes the TCP and UDP
daemons and ports that are allowed to be open on the server?
 critical asset address space
 service accounts
 software environment
 listening ports
26. What is an action that should be taken in the discovery step
of the vulnerability management life cycle?
 documenting the security plan
 assigning business value to assets
 developing a network baseline
 determining a risk profile
27. In what order are the steps in the vulnerability management
life cycle conducted?
 discover, assess, prioritize assets, report, remediate, verify
 discover, prioritize assets, assess, remediate, report, verify
 discover, prioritize assets, assess, remediate, verify, report
 discover, prioritize assets, assess, report, remediate,
verify
28. A security professional is making recommendations to a
company for enhancing endpoint security. Which security
endpoint technology would be recommended as an agent-based
system to protect hosts against malware?
 IPS
 HIDS
 blacklisting
 baselining
29. What is a feature of distributed firewalls?
 They all use an open sharing standard platform.
 They use only TCP wrappers to configure rule-based
access control and logging systems.
 They use only iptables to configure network rules.
 They combine the feature of host-based firewalls with
centralized management.
30. An administrator suspects polymorphic malware has
successfully entered the network past the HIDS system
perimeter. The polymorphic malware is, however, successfully
identified and isolated. What must the administrator do to
create signatures to prevent the file from entering the network
again?
 Execute the polymorphic file in the Cisco Threat Grid
Glovebox.
 Run the Cisco Talos security intelligence service.
 Use Cisco AMP to track the trajectory of a file through
the network.
 Run a baseline to establish an accepted amount of risk,
and the environmental components that contribute to the
risk level of the polymorphic malware.
31. On a Windows host, which tool can be used to create and
maintain blacklists and whitelists?
  Local Users and Groups changed every day. Which two algorithms can be used to
 Group Policy Editor achieve this task? (Choose two.)
 Task Manager  HMAC
 Computer Management  MD5
32. In addressing an identified risk, which strategy aims to stop  3DES
performing the activities that create risk?  SHA-1
 risk retention  AES
 risk avoidance 39. Which security management plan specifies a component that
 risk sharing involves tracking the location and configuration of networked
devices and software across an enterprise?
 risk reduction
33. A company is developing a security policy for secure  asset management
communication. In the exchange of critical messages between a  patch management
headquarters office and a branch office, a hash value should  vulnerability management
only be recalculated with a predetermined code, thus ensuring  risk management
the validity of data source. Which aspect of secure
communications is addressed?
 data integrity CyberOps Associate (Version 1.0) – Modules 24 – 25: Protocols
 data confidentiality and Log Files Group Exam
 non-repudiation 1. What is a feature of the tcpdump tool?
 origin authentication  It provides real-time reporting and long-term analysis of
34. Match the network profile element to the description. (Not security events.
all options are used.)  It records metadata about packet flows.
 It uses agents to submit host logs to centralized
management servers.
 It can display packet captures in real time or write
them to a file.
2. Which Windows tool can be used to review host logs?
 Services
 Event Viewer
 Task Manager
 Device Manager
3. Which type of security data can be used to describe or
predict network behavior?
 alert
 transaction
 session
 statistical
4. Which function is provided by the Sguil application?
35. What is blacklisting?
 It reports conversations between hosts on the network.
 This is an application list that can dictate which user
 It makes Snort-generated alerts readable and
applications are not permitted to run on a computer.
searchable.
 This is a user list to prevent blacklisted users from
 It detects potential network intrusions.
accessing a computer.
 It prevents malware from attacking a host.
 This is a network process list to stop a listed process from
5. Which ICMP message type should be stopped inbound?
running on a computer.
 source quench
 This is a Heuristics-based list to prevent a process from
running on a computer.  echo-reply
36. Which technology is used by Cisco Advanced Malware  echo
Protection (AMP) in defending and protecting against known  unreachable
and emerging threats? 6. How can IMAP be a security threat to a company?
 network admission control  Someone inadvertently clicks on a hidden iFrame.
 network profiling  Encrypted data is decrypted.
 website filtering and blacklisting  An email can be used to bring malware to a host.
 threat intelligence  It can be used to encode stolen data and send to a threat
37. Which technique could be used by security personnel to actor.
analyze a suspicious file in a safe environment? Explanation: IMAP, SMTP, and POP3 are email protocols. SMTP
 sandboxing is used to send data from a host to a server or to send data between
 baselining servers. IMAP and POP3 are used to download email messages and
can be responsible for bringing malware to the receiving host.
 whitelisting
7. Which two technologies are primarily used on peer-to-peer
 blacklisting networks? (Choose two.)
38. A company implements a security policy that ensures that a
 Bitcoin
file sent from the headquarters office to the branch office can
only be opened with a predetermined code. This code is  BitTorrent
  Wireshark 16. Match the Windows host log to the messages contained in it.
 Darknet (Not all options are used.)
 Snort
8. Which protocol is exploited by cybercriminals who create
malicious iFrames?
 HTTP
 ARP
 DHCP
 DNS
9. Which method is used by some malware to transfer files from
infected hosts to a threat actor host?
 UDP infiltration
 ICMP tunneling
 HTTPS traffic encryption
 iFrame injection
10. Why does HTTPS technology add complexity to network
security monitoring?
 HTTPS dynamically changes the port number on the web
server.
 HTTPS uses tunneling technology for confidentiality.
 HTTPS hides the true source IP address using NAT/PAT.
 HTTPS conceals data traffic through end-to-end
encryption.
11. Which approach is intended to prevent exploits that target
syslog?  events logged by various applications : application logs
 Use a Linux-based server.  events related to the web server access and activity :
 Use syslog-ng.  events related to the operation of drivers, processes, and
 Create an ACL that permits only TCP traffic to the syslog hardware : system logs
server.  information about the installation of software, including
 Use a VPN between a syslog client and the syslog server. Windows updates : setup logs
12. Which type of attack is carried out by threat actors against  events related to logon attempts and operations related to
a network to determine which IP addresses, protocols, and file or object management and access : security logs
ports are allowed by ACLs? 17. Which Cisco appliance can be used to filter network traffic
 phishing contents to report and deny traffic based on the web server
 denial of service reputation?
 reconnaissance  WSA
 social engineering  AVC
13. Which two application layer protocols manage the exchange  ASA
of messages between a client with a web browser and a remote  ESA
web server? (Choose two.) 18. Which technique would a threat actor use to disguise traces
 HTTP of an ongoing exploit?
 HTTPS  Create an invisible iFrame on a web page.
 DNS  Corrupt time information by attacking the NTP
 DHCP infrastructure.
 HTML  Encapsulate other protocols within DNS to evade security
14. What is Tor? measures.
 a rule created in order to match a signature of a known  Use SSL to encapsulate malware.
exploit 19. A system administrator runs a file scan utility on a
 a software platform and network of P2P hosts that Windows PC and notices a file lsass.exe in the Program Files
function as Internet routers directory. What should the administrator do?
 a way to share processors between network devices across  Delete the file because it is probably malware.
the Internet  Move it to Program Files (x86) because it is a 32bit
 a type of Instant Messaging (IM) software used on the application.
darknet  Uninstall the lsass application because it is a legacy
15. Which Windows log contains information about application and no longer required by Windows.
installations of software, including Windows updates?  Open the Task Manager, right-click on the lsass process
 system logs and choose End Task .
 application logs 20. Refer to the exhibit. A network administrator is viewing
 setup logs some output on the Netflow collector. What can be determined
 security logs
from the output of the traffic flow shown?  It shows the results of network activities between network
hosts.
 It lists each alert message along with statistical
information.
28. Match the SIEM function with the description.

 This is a UDP DNS request to a DNS server.

 This is a UDP DNS response to a client machine.
 This is a TCP DNS request to a DNS server.
 This is a TCP DNS response to a client machine.
21 In a Cisco AVC system, in which module is NetFlow
deployed?
 Management and Reporting
 Control
 Application Recognition
 Metrics Collection
22. What does it indicate if the timestamp in the HEADER
section of a syslog message is preceded by a period or asterisk
symbol?
 There is a problem associated with NTP.
 The timestamp represents the round trip duration value.
 links logs and events from disparate systems or
 The syslog message should be treated with high priority. applications, speeding detection of and reaction to
 The syslog message indicates the time an email is security threats : correlation
received.  satisfies the requirements of various compliance
23. Which protocol is a name resolution protocol often used by regulations :
malware to communicate with command-and-control (CnC)
servers?
 reduces the volume of event data by consolidating
duplicate event records : aggregation
 IMAP
 maps log messages from different systems into a common
 DNS data model : normalization
 HTTPS 29. Which two tools have a GUI interface and can be used to
 ICMP view and analyze full packet captures? (Choose two.)
24. Which technique is necessary to ensure a private transfer of  nfdump
data using a VPN?  Wireshark
 authorization  Cisco Prime Network Analysis Module
 scalability  tcpdump
 encryption  Splunk
 virtualization 30. Which statement describes session data in security logs?
25. Which technology would be used to create the server logs  It can be used to describe or predict network behavior.
generated by network devices and reviewed by an entry level
network person who works the night shift at a data center?
 It shows the result of network sessions.
 syslog  It is a record of a conversation between network hosts.
 NAT  It reports detailed network activities between network
hosts.
 ACL 31. Which two options are network security monitoring
 VPN approaches that use advanced analytic techniques to analyze
26. Which statement describes a Cisco Web Security Appliance network telemetry data? (Choose two.)
(WSA)?  NBAD
 It protects a web server by preventing security threats  Sguil
from accessing the server.
 NetFlow
 It provides high performance web services.
 IPFIX
 It acts as an SSL-based VPN server for an enterprise.
 Snorby
 It functions as a web proxy.
27. Which statement describes statistical data in network
 NBA
32. How does a web proxy device provide data loss prevention
security monitoring processes?
(DLP) for an enterprise?
 It is created through an analysis of other forms of
network data.
 by functioning as a firewall
 It contains conversations between network hosts.  by inspecting incoming traffic for potential exploits
 by scanning and logging outgoing traffic
  by checking the reputation of external web servers  the networks, systems, and applications affected by an
33. Which information can be provided by the Cisco NetFlow incident
utility?  the amount of time and resources needed to handle an
 security and user account restrictions incident
 IDS and IPS capabilities  the strategies and procedures used for incident
 peak usage times and traffic routing containment
 source and destination UDP port mapping  the processes used to preserve evidence
9. According to NIST standards, which incident response
stakeholder is responsible for coordinating an incident response
CyberOps Associate (Version 1.0) – Modules 26 – 28: Analyzing with other stakeholders to minimize the damage of an incident?
Security Data Group Exam  human resources
1. When real-time reporting of security events from multiple  legal department
sources is being received, which function in SIEM provides  management
capturing and processing of data in a common format?
 IT support
 normalization 10. According to NIST, which step in the digital forensics
 aggregation process involves drawing conclusions from data?
 compliance  reporting
 log collection  collection
2. What is the value of file hashes to network security  examination
investigations?
 analysis
 They ensure data availability. 11. A cybersecurity analyst has been called to a crime scene that
 They assure nonrepudiation. contains several technology items including a computer. Which
 They can serve as malware signatures. technique will be used so that the information found on the
 They offer confidentiality. computer can be used in court?
3. Which technology is an open source SIEM system?  Tor
 StealthWatch  rootkit
 Wireshark  unaltered disk image
 Splunk  log collection
 ELK 12. In which phase of the NIST incident response life cycle is
4. A threat actor has successfully breached the network firewall evidence gathered that can assist subsequent investigations by
without being detected by the IDS system. What condition authorities?
describes the lack of alert?  postincident activities
 false negative  detection and analysis
 true negative  preparation
 true positive  containment, eradication, and recovery
 false positive 13. When dealing with security threats and using the Cyber Kill
5. What information is contained in the options section of a Chain model, which two approaches can an organization use to
Snort rule? block a potential back door creation? (Choose two.)
 direction of traffic flow  Audit endpoints to discover abnormal file creations.
 text describing the event  Establish an incident response playbook.
 action to be taken  Consolidate the number of Internet points of presence.
 source and destination address  Conduct damage assessment.
6. Match the intrusion event defined in the Diamond Model of  Use HIPS to alert or place a block on common
intrusion to the description. installation paths.
14. What is defined in the SOP of a computer security incident
response capability (CSIRC)?
 network path used to establish and maintain command
and control : infrastructure  the details on how an incident is handled
 a tool or technique used to attack the victim : capability  the procedures that are followed during an incident
response
 the parties responsible for the intrusion : adversary
 the metrics for measuring incident response capabilities
 the target of the attack : victim
7. What two shared sources of information are included within  the roadmap for increasing incident response capabilities
the MITRE ATT&CK framework? (Choose two.) 15. How does an application program interact with the
operating system?
 collection of digital evidence from most volatile evidence
to least volatile  sending files
 attacker tactics, techniques, and procedures  accessing BIOS or UEFI
 details about the handling of evidence including times,  making API calls
places, and personnel involved  using processes
 eyewitness evidence from someone who directly observed 16. Which tool included in the Security Onion provides a visual
criminal behavior interface to NSM data?
 mapping the steps in an attack to a matrix of  Curator
generalized tactics  Beats
8. What information is gathered by the CSIRT when  Squert
determining the scope of a security incident?
  OSSEC  to enhance the secure transmission of alert data
17. Which tool included in the Security Onion includes the  to diminish the quantity of NSM data to be handled
capability of designing custom dashboards? 27. Why would threat actors prefer to use a zero-day attack in
 Sguil the Cyber Kill Chain weaponization phase?
 Kibana  to avoid detection by the target
 Squert  to launch a DoS attack toward the target
 OSSEC  to get a free malware package
18. How is the hash value of files useful in network security  to gain faster delivery of the attack on the target
investigations? 28. What is the objective the threat actor in establishing a two-
 It is used to decode files. way communication channel between the target system and a
 It helps identify malware signatures. CnC infrastructure?
 It verifies confidentiality of files.  to allow the threat actor to issue commands to the
 It is used as a key for encryption. software that is installed on the target
19. Which technology is a major standard consisting of a  to send user data stored on the target to the threat actor
pattern of symbols that describe data to be matched in a query?  to steal network bandwidth from the network where the
 OSSEC target is located
 POSIX  to launch a buffer overflow attack
 Squert 29. Which meta-feature element in the Diamond Model
describes information gained by the adversary?
 Sguil
20. Which tool is a Security Onion integrated host-based  methodology
intrusion detection system?  resources
 Snort  results
 OSSEC  direction
 ELK 30. In which step of the NIST incident response process does the
CSIRT perform an analysis to determine which networks,
 Sguil systems, or applications are affected; who or what originated
21. Which term is used to describe the process of converting log
the incident; and how the incident is occurring?
entries into a common format?
 incident notification
 classification
 attacker identification
 systemization
 scoping
 normalization
 detection
 standardization 31. What is indicated by a Snort signature ID that is below
22. What is the purpose for data normalization?
3464?
 to simplify searching for correlated events  The SID was created by Sourcefire and distributed
 to reduce the amount of alert data under a GPL agreement.
 to enhance the secure transmission of alert data  This is a custom signature developed by the organization
 to make the alert data transmission fast to address locally observed rules.
23. Which personnel in a SOC is assigned the task of verifying  The SID was created by the Snort community and is
whether an alert triggered by monitoring software represents a maintained in Community Rules.
true security incident?  The SID was created by members of EmergingThreats.
 SOC Manager 32. After a security monitoring tool identifies a malware
 Tier 3 personnel attachment entering the network, what is the benefit of
 Tier 2 personnel performing a retrospective analysis?
 Tier 1 personnel  A retrospective analysis can help in tracking the
24. Refer to the exhibit. A security analyst is reviewing an alert behavior of the malware from the identification point
message generated by Snort. What does the number 2100498 in forward.
the message indicate?  It can identify how the malware originally entered the
network.
 It can calculate the probability of a future incident.
 the id of the user that triggers the alert  It can determine which network host was first affected.
33. Which classification indicates that an alert is verified as an
 the message length in bits
actual security incident?
 the Snort rule that is triggered
 false negative
 the session number of the message
 true positive
25. What are security event logs commonly based on when
sourced by traditional firewalls?  false positive
 static filtering  true negative
34. A network administrator is trying to download a valid file
 application analysis from an internal server. However, the process triggers an alert
 signatures on a NMS tool. What condition describes this alert?
 5-tuples  false negative
26. What is the purpose for data reduction as it relates to NSM?  false positive
 to make the alert data transmission fast  true negative
 to remove recurring data streams  true positive
35. A threat actor collects information from web servers of an
organization and searches for employee contact information.
The information collected is further used to search personal
information on the Internet. To which attack phase do these
activities belong according to the Cyber Kill Chain model?
 action on objectives
 exploitation
 reconnaissance
 weaponization
36. Which HIDS is integrated into the Security Onion and uses
rules to detect changes in host-based operating parameters
caused by malware through system calls?
 OSSEC
 Bro
 Snort
 Suricata
37. Which type of events should be assigned to categories in
Sguil?
 false positive
 true positive
 false negative
 true negative
38. A cybersecurity analyst is going to verify security alerts
using the Security Onion. Which tool should the analyst visit
first?
 Bro
 Sguil
 CapME
 ELK
39. Refer to the exhibit. Which field in the Sguil application
window indicates the priority of an event or set of correlated
events?

 ST
 AlertID
 Pr
 CNT
40. Match the Snort rule source to the description.