CyberOps Associate 1.0 Practice Final Exam Answers

The document provides a comprehensive question bank for the CyberOps Associate exam, including answers to various modules covering topics like threat actors, network fundamentals, and security measures. It encourages users to contribute new questions and answers for updates. Additionally, it outlines the importance of understanding network protocols, security testing techniques, and the identification of indicators of compromise in cybersecurity.

Uploaded by ons nouili
© All Rights Reserved
CyberOps Associate 1.0 Practice Final Exam (Answers)

Sep 21, 2020 | Last Updated: Nov 26, 2024 | CyberOps Associate | 7 Comments

How to find: Press “Ctrl + F” in the browser and fill in whatever wording is in the question to find that question/answer. If the question is not here, find it in Questions Bank.

NOTE: If you have a new question on this test, please post the question and its multiple-choice list in the comment form below this article. We will update the answers for you in the shortest time. Thank you! We truly value your contribution to the website.

CyberOps Associate (Version 1.0) – CyberOps Associate 1.0 Practice Final exam answers

1. What are two problems that can be caused by a large number of ARP request and reply messages? (Choose two.)

All ARP request messages must be processed by all nodes on the local network.
A large number of ARP request and reply messages may slow down the switching process, leading the switch to make many changes in its MAC table.
The network may become overloaded because ARP reply messages have a very large payload due to the 48-bit MAC address and 32-bit IP address that they contain.
The ARP request is sent as a broadcast, and will flood the entire subnet.
Switches become overloaded because they concentrate all the traffic from the attached subnets.

Explanation: ARP requests are sent as broadcasts:
(1) All nodes will receive them, and they will be processed by software, interrupting the CPU.
(2) The switch forwards (floods) Layer 2 broadcasts to all ports.
A switch does not change its MAC table based on ARP request or reply messages. The switch populates the MAC table using the source MAC address of all frames. The ARP payload is very small and does not overload the switch.

2. Refer to the exhibit. Which field in the Sguil application window indicates the priority of an event or set of correlated events?

ST
AlertID
Pr
CNT

Explanation: The Sguil application window has several fields available that give information about an event. The ST field gives the status of an event that includes a color-coded priority from light yellow to red to indicate four levels of priority.

3. Match the job titles to SOC personnel positions. (Not all options are used.)

Tier 1 Alert Analyst – monitors incoming alerts and verifies that a true incident has occurred
Tier 2 Incident Responder – involved in deep investigation of incidents
Tier 3 Subject Matter Expert – involved in hunting for potential threats and implements threat detection tools
(not used) – serves as the point of contact for the large organization

4. If the default gateway is configured incorrectly on the host, what is the impact on communications?

The host is unable to communicate on the local network.
The host can communicate with other hosts on the local network, but is unable to communicate with hosts on remote networks.
The host can communicate with other hosts on remote networks, but is unable to communicate with hosts on the local network.
There is no impact on communications.

Explanation: A default gateway is only required to communicate with devices on another network. The absence of a default gateway does not affect connectivity between devices on the same local network.

5. When a connectionless protocol is in use at a lower layer of the OSI model, how is missing data detected and retransmitted if necessary?

Connectionless acknowledgements are used to request retransmission.
Upper-layer connection-oriented protocols keep track of the data received and can request retransmission from the upper-level protocols on the sending host.
Network layer IP protocols manage the communication sessions if connection-oriented transport services are not available.
The best-effort delivery process guarantees that all packets that are sent are received.

Explanation: When connectionless protocols are in use at a lower layer of the OSI model, upper-level protocols may need to work together on the sending and receiving hosts to account for and retransmit lost data. In some cases, this is not necessary, because for some applications a certain amount of data loss is tolerable.

6. What is the prefix length notation for the subnet mask 255.255.255.224?

/25
/26
/27
/28

Explanation: The binary format for 255.255.255.224 is 11111111.11111111.11111111.11100000. The prefix length is the number of consecutive 1s in the subnet mask. Therefore, the prefix length is /27.
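
The "count the consecutive 1s" rule above, carried out in code. This is an added example, not part of the original answer key; it also rejects masks whose 1 bits are not contiguous, which the counting rule alone does not catch.

```python
# Added example: dotted-decimal subnet mask <-> prefix length, with a
# contiguity check so that a mask such as 255.255.0.255 is refused.

def _mask_value(mask: str) -> int:
    """Pack a dotted-decimal mask into a 32-bit integer."""
    octets = mask.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-decimal mask: {mask!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {mask!r}")
        value = (value << 8) | n
    return value

def _contiguous(prefix: int) -> int:
    """The 32-bit value made of `prefix` ones followed by zeros."""
    return ((1 << prefix) - 1) << (32 - prefix) if prefix else 0

def mask_to_prefix(mask: str) -> int:
    """Return the /n prefix length for a valid (contiguous) IPv4 subnet mask."""
    value = _mask_value(mask)
    prefix = bin(value).count("1")          # number of 1 bits in the mask
    # A valid mask must be exactly `prefix` ones followed by zeros.
    if value != _contiguous(prefix):
        raise ValueError(f"non-contiguous subnet mask: {mask!r}")
    return prefix

def is_valid_mask(mask: str) -> bool:
    """True when the mask parses and its 1 bits are contiguous."""
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:
        return False

def prefix_to_mask(prefix: int) -> str:
    """Inverse conversion, e.g. 27 -> '255.255.255.224'."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    value = _contiguous(prefix)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_binary(mask: str) -> str:
    """Dotted binary form of the mask, as written in the explanation."""
    return ".".join(format(int(o), "08b") for o in mask.split("."))

if __name__ == "__main__":
    m = "255.255.255.224"
    print(f"{m} = {mask_binary(m)} -> /{mask_to_prefix(m)}")
```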

7. Which network monitoring tool saves captured network frames in PCAP files?

NetFlow
Wireshark
SNMP
SIEM

Explanation: Wireshark is a network protocol analyzer used to capture network traffic. The traffic captured by Wireshark is saved in PCAP files and includes interface information and timestamps.

8. What is the TCP mechanism used in congestion avoidance?

three-way handshake
socket pair
two-way handshake
sliding window

Explanation: TCP uses windows to attempt to manage the rate of transmission to the maximum flow that the network and destination device can support while minimizing loss and retransmissions. When overwhelmed with data, the destination can send a request to reduce the size of the window. This congestion avoidance is called sliding windows.

9. What is the Internet?

It is a network based on Ethernet technology.
It provides network access for mobile devices.
It provides connections through interconnected global networks.
It is a private network for an organization with LAN and WAN connections.

Explanation: The Internet provides global connections that enable networked devices (workstations and mobile devices) with different network technologies, such as Ethernet, DSL/cable, and serial connections, to communicate. A private network for an organization with LAN and WAN connections is an intranet.

10. Which protocol is used by the traceroute command to send and receive echo-requests and echo-replies?

SNMP
ICMP
Telnet
TCP

Explanation: Traceroute uses the ICMP (Internet Control Message Protocol) to send and receive echo-request and echo-reply messages.

11. What are two ICMPv6 messages that are not present in ICMP for IPv4? (Choose two.)

Neighbor Solicitation
Destination Unreachable
Host Confirmation
Time Exceeded
Router Advertisement
Route Redirection

Explanation: ICMPv6 includes four new message types: Router Advertisement, Neighbor Advertisement, Router Solicitation, and Neighbor Solicitation.

12. Match the network security testing technique with how it is used to test network security. (Not all options are used.)

penetration testing – used to determine the possible consequences of successful attacks on the network
network scanning – used to discover available resources on the network
vulnerability scanning – used to find weaknesses and misconfigurations on network systems

Explanation: Network scanning tools are used to probe network devices, servers and hosts for open TCP or UDP ports. Vulnerability scanning tools are used to discover security weaknesses in a network or computer system. Penetration testing tools are used to determine the possible outcome of a successful attack on a network or computer system.

13. What are two monitoring tools that capture network traffic and forward it to network monitoring devices? (Choose two.)

SPAN
network tap
SNMP
SIEM
Wireshark

Explanation: A network tap is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network and forwards all traffic including physical layer errors to an analysis device. SPAN is a port mirroring technology supported on Cisco switches that enables the switch to copy frames and forward them to an analysis device.

14. Which network monitoring tool is in the category of network protocol analyzers?

SNMP
SPAN
Wireshark
SIEM

Explanation: Wireshark is a network protocol analyzer used to capture network traffic. The traffic captured by Wireshark is saved in PCAP files and includes interface information and timestamps.

15. Based on the command output shown, which file permission or permissions have been assigned to the other user group for the data.txt file?

ls -l data.txt
-rwxrw-r-- sales staff 1028 May 28 15:50 data.txt

full access
read, write
read
read, write, execute

Explanation: The file permissions are always displayed in the user, group and other order. In the example displayed, the file has the following permissions:
The dash (-) means that this is a file. For directories, the first dash would be replaced with a “d”.
The first set of characters is for user permission (rwx). The user, sales, who owns the file can read, write and execute the file.
The second set of characters is for group permissions (rw-). The group, staff, who owns the file can read and write to the file.
The third set of characters is for any other user or group permissions (r--). Any other user or group on the computer can only read the file.
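
A parser for the mode string explained above, as an added example (not code from the original page). It decodes the user/group/other triplets of an `ls -l` line such as the one in the question, and also tolerates the link-count column that real `ls -l` output carries but the exhibit omits.

```python
# Added example: decode the 10-character mode string from `ls -l` output.
import re
from typing import Dict

# The exact line shown in the question (no link-count column).
LS_LINE = "-rwxrw-r-- sales staff 1028 May 28 15:50 data.txt"

FILE_TYPES = {"-": "file", "d": "directory", "l": "symbolic link",
              "c": "character device", "b": "block device",
              "p": "named pipe", "s": "socket"}

# type char, then user/group triplets (s/S = setuid/setgid), then other (t/T = sticky)
MODE_RE = re.compile(r"[-dlcbps]([r-][w-][xsS-]){2}[r-][w-][xtT-]")

def parse_mode(mode: str) -> Dict[str, object]:
    """Split e.g. '-rwxrw-r--' into file type and per-class permission flags."""
    if not MODE_RE.fullmatch(mode):
        raise ValueError(f"not an ls -l mode string: {mode!r}")
    perms: Dict[str, Dict[str, bool]] = {}
    for who, start in (("user", 1), ("group", 4), ("other", 7)):
        bits = mode[start:start + 3]
        perms[who] = {
            "read": bits[0] == "r",
            "write": bits[1] == "w",
            # lowercase s/t mean set-id/sticky *with* execute; S/T without it
            "execute": bits[2] in "xst",
        }
    return {"type": FILE_TYPES[mode[0]], "perms": perms}

def describe(p: Dict[str, bool]) -> str:
    """Render one permission set the way the answer options do: 'read, write'."""
    names = [n for n in ("read", "write", "execute") if p[n]]
    return ", ".join(names) if names else "none"

def parse_ls_line(line: str) -> Dict[str, str]:
    """Parse one `ls -l` line into type, owner, group, name and permissions."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"too few fields in ls -l line: {line!r}")
    mode = parse_mode(fields[0])
    # Real `ls -l` prints a numeric link count after the mode; skip it if present.
    idx = 2 if fields[1].isdigit() else 1
    return {
        "type": mode["type"],
        "owner": fields[idx],
        "group": fields[idx + 1],
        "name": fields[-1],
        "user": describe(mode["perms"]["user"]),
        "group_perms": describe(mode["perms"]["group"]),
        "other": describe(mode["perms"]["other"]),
    }

if __name__ == "__main__":
    info = parse_ls_line(LS_LINE)
    print(f"{info['name']}: other = {info['other']}")
```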

16. What are three benefits of using symbolic links over hard links in Linux? (Choose three.)

They can link to a directory.
They can be compressed.
Symbolic links can be exported.
They can be encrypted.
They can link to a file in a different file system.
They can show the location of the original file.

Explanation: In Linux, a hard link is another file that points to the same location as the original file. A soft link (also called a symbolic link or a symlink) is a link to another file system name. Hard links are limited to the file system in which they are created and they cannot link to a directory; soft links are not limited to the same file system and they can link to a directory. To see the location of the original file for a symbolic link use the ls -l command.

17. A network security specialist is tasked to implement a security measure that monitors the status of critical files in the data center and sends an immediate alert if any file is modified. Which aspect of secure communications is addressed by this security measure?

origin authentication
data integrity
nonrepudiation
data confidentiality

Explanation: Secure communications consists of four elements:
Data confidentiality – guarantees that only authorized users can read the message
Data integrity – guarantees that the message was not altered
Origin authentication – guarantees that the message is not a forgery and does actually come from whom it states
Data nonrepudiation – guarantees that the sender cannot repudiate, or refute, the validity of a message sent

18. A network administrator is configuring an AAA server to manage TACACS+ authentication. What are two attributes of TACACS+ authentication? (Choose two.)

TCP port 40
encryption for all communication
single process for authentication and authorization
UDP port 1645
encryption for only the password of a user
separate processes for authentication and authorization

Explanation: TACACS+ authentication includes the following attributes:
Separates authentication and authorization processes
Encrypts all communication, not just passwords
Utilizes TCP port 49

19. In an attempt to prevent network attacks, cyber analysts share unique identifiable attributes of known attacks with colleagues. What three types of attributes or indicators of compromise are helpful to share? (Choose three.)

IP addresses of attack servers
changes made to end system software
netbios names of compromised firewalls
features of malware files
BIOS of attacking systems
system ID of compromised systems

Explanation: Many network attacks can be prevented by sharing information about indicators of compromise (IOC). Each attack has unique identifiable attributes. Indicators of compromise are the evidence that an attack has occurred. IOCs can be identifying features of malware files, IP addresses of servers that are used in the attack, filenames, and characteristic changes made to end system software.

20. Which two types of messages are used in place of ARP for address resolution in IPv6? (Choose two.)

anycast
broadcast
neighbor solicitation
echo reply
echo request
neighbor advertisement

Explanation: IPv6 does not use ARP. Instead, ICMPv6 neighbor discovery is used by sending neighbor solicitation and neighbor advertisement messages.

21. What is indicated by a true negative security alert classification?

An alert is verified to be an actual security incident.
An alert is incorrectly issued and does not indicate an actual security incident.
Normal traffic is correctly ignored and erroneous alerts are not being issued.
Exploits are not being detected by the security systems that are in place.

Explanation: True negative classifications are desirable because they indicate that normal traffic is correctly not being identified as malicious traffic by security measures.

22. Which statement describes the anomaly-based intrusion detection approach?

It compares the antivirus definition file to a cloud based repository for latest updates.
It compares the behavior of a host to an established baseline to identify potential intrusions.
It compares the signatures of incoming traffic to a known intrusion database.
It compares the operations of a host against a well-defined security policy.

Explanation: With an anomaly-based intrusion detection approach, a baseline of host behaviors is established first. The host behavior is checked against the baseline to detect significant deviations, which might indicate potential intrusions.


23. Match the description to the antimalware approach. (Not all options are used.)

recognizing various characteristics of known malware files – signature-based
analyzing suspicious activities – behavior-based
recognizing general features shared by various types of malware – heuristics-based

Explanation: Antimalware programs may detect viruses using three different approaches:
signature-based – by recognizing various characteristics of known malware files
heuristics-based – by recognizing general features shared by various types of malware
behavior-based – through analysis of suspicious activities

24. Which two protocols are associated with the transport layer? (Choose two.)

ICMP
IP
UDP
PPP
TCP

Explanation: TCP and UDP reside at the transport layer in both the OSI and TCP/IP models.

25. A network administrator is creating a network profile to generate a network baseline. What is included in the critical asset address space element?

the time between the establishment of a data flow and its termination
the TCP and UDP daemons and ports that are allowed to be open on the server
the IP addresses or the logical location of essential systems or data
the list of TCP or UDP processes that are available to accept data

Explanation: A network profile should include some important elements, such as the following:
Total throughput – the amount of data passing from a given source to a given destination in a given period of time
Session duration – the time between the establishment of a data flow and its termination
Ports used – a list of TCP or UDP processes that are available to accept data
Critical asset address space – the IP addresses or the logical location of essential systems or data

26. What are the three impact metrics contained in the CVSS 3.0 Base Metric Group? (Choose three.)

confidentiality
remediation level
integrity
attack vector
exploit
availability

Explanation: The Common Vulnerability Scoring System (CVSS) is a vendor-neutral, industry standard, open framework for weighing the risks of a vulnerability using a variety of metrics. CVSS uses three groups of metrics to assess vulnerability, the Base Metric Group, Temporal Metric Group, and Environmental Metric Group. The Base Metric Group has two classes of metrics (exploitability and impact). The impact metrics are rooted in the following areas: confidentiality, integrity, and availability.

27. What is a characteristic of DNS?

DNS servers can cache recent queries to reduce DNS query traffic.
All DNS servers must maintain mappings for the entire DNS structure.
DNS servers are programmed to drop requests for name translations that are not within their zone.
DNS relies on a hub-and-spoke topology with centralized servers.

Explanation: DNS uses a hierarchy for decentralized servers to perform name resolution. DNS servers only maintain records for their zone and can cache recent queries so that future queries do not produce excessive DNS traffic.

28. What are two differences between HTTP and HTTP/2? (Choose two.)

HTTP/2 uses a compressed header to reduce bandwidth requirements.
HTTP/2 uses multiplexing to support multiple streams and enhance efficiency.
HTTP/2 uses different status codes than HTTP does to improve performance.
HTTP/2 issues requests using a text format whereas HTTP uses binary commands.
HTTP has a different header format than HTTP/2 has.

Explanation: The purpose of HTTP/2 is to improve HTTP performance by addressing the latency issues of HTTP. This is accomplished using features such as multiplexing, server push, binary code, and header compression.

29. Match the steps with the actions that are involved when an internal host with IP address 192.168.10.10 attempts to send a packet to an external server at the IP address 209.165.200.254 across a router R1 that is running dynamic NAT. (Not all options are used.)

Step 1 – The host sends packets that request a connection to the server at the address 209.165.200.254.
Step 2 – R1 checks the NAT configuration to determine if this packet should be translated.
Step 3 – If there is no translation entry for this IP address, R1 determines that the source address 192.168.10.10 must be translated.
Step 4 – R1 selects an available global address from the dynamic address pool.
Step 5 – R1 replaces the address 192.168.10.10 with a translated inside global address.

Explanation: The reverse translation, back to 192.168.10.10, takes place when the reply comes back from the server at 209.165.200.254.
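
The five steps above and the reverse translation on the reply, modelled in code as an added example (not from the original page). The host and server addresses are the ones in the question; the inside network prefix and the pool addresses 209.165.200.225-226 are constructed for the example.

```python
# Added example: a minimal model of router R1 running dynamic NAT.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass
class DynamicNAT:
    inside_networks: List[str]                 # inside local prefixes subject to NAT
    pool: List[str]                            # free inside global addresses
    table: Dict[str, str] = field(default_factory=dict)  # inside local -> inside global

    def _is_inside(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(net) for net in self.inside_networks)

    def outbound(self, pkt: Packet) -> Packet:
        """Host -> server direction (steps 2 to 5 of the question)."""
        # Step 2: does the NAT configuration say this packet must be translated?
        if not self._is_inside(pkt.src):
            return pkt
        # Step 3: allocate only when there is no existing translation entry.
        if pkt.src not in self.table:
            if not self.pool:
                raise RuntimeError("dynamic NAT pool exhausted; packet dropped")
            # Step 4: select an available global address from the dynamic pool.
            self.table[pkt.src] = self.pool.pop(0)
        # Step 5: replace the inside local source with the inside global address.
        return Packet(src=self.table[pkt.src], dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Server -> host reply: map the inside global destination back."""
        for local, glob in self.table.items():
            if glob == pkt.dst:
                return Packet(src=pkt.src, dst=local)
        return None  # no entry: unsolicited inbound traffic is dropped

def walk_through() -> List[Packet]:
    """Run the question's scenario and return the translated request and reply."""
    r1 = DynamicNAT(["192.168.10.0/24"],            # constructed inside prefix
                    ["209.165.200.225", "209.165.200.226"])  # constructed pool
    request = r1.outbound(Packet("192.168.10.10", "209.165.200.254"))   # step 1
    reply = r1.inbound(Packet("209.165.200.254", request.src))
    return [request, reply]

if __name__ == "__main__":
    for p in walk_through():
        print(f"{p.src} -> {p.dst}")
```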

30. A router has received a packet destined for a network that is in the routing table. What steps does the router perform to send this packet on its way? Match the step to the task performed by the router.

Step 1 – It de-encapsulates the Layer 2 frame header and trailer to expose the Layer 3 packet.
Step 2 – It examines the destination IP address to find the best path in the routing table.
Step 3 – It encapsulates the Layer 3 packet into a new Layer 2 frame and forwards the frame out the exit interface.

31. What are two shared characteristics of the IDS and the IPS? (Choose two.)

Both have minimal impact on network performance.
Both are deployed as sensors.
Both analyze copies of network traffic.
Both use signatures to detect malicious traffic.
Both rely on an additional network device to respond to malicious traffic.

Explanation: Both the IDS and the IPS are deployed as sensors and use signatures to detect malicious traffic. The IDS analyzes copies of network traffic, which results in minimal impact on network performance. The IDS also relies on an IPS to stop malicious traffic.

32. Which statement describes a typical security policy for a DMZ firewall configuration?

Traffic that originates from the DMZ interface is selectively permitted to the outside interface.
Return traffic from the inside that is associated with traffic originating from the outside is permitted to traverse from the inside interface to the outside interface.
Return traffic from the outside that is associated with traffic originating from the inside is permitted to traverse from the outside interface to the DMZ interface.
Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface.
Traffic that originates from the outside interface is permitted to traverse the firewall to the inside interface with few or no restrictions.

Explanation: With a three interface firewall design that has internal, external, and DMZ connections, typical configurations include the following:
Traffic originating from DMZ destined for the internal network is normally blocked.
Traffic originating from the DMZ destined for external networks is typically permitted based on what services are being used in the DMZ.
Traffic originating from the internal network destined for the DMZ is normally inspected and allowed to return.
Traffic originating from external networks (the public network) is typically allowed in the DMZ only for specific services.

33. After complaints from users, a technician identifies that the college web server is running very slowly. A check of the server reveals that there are an unusually large number of TCP requests coming from multiple locations on the Internet. What is the source of the problem?

The server is infected with a virus.
A DDoS attack is in progress.
There is insufficient bandwidth to connect to the server.
There is a replay attack in progress.

Explanation: The source of the problem cannot be a virus because in this situation the server is passive and at the receiving end of the attack. A replay attack uses intercepted and recorded data in an attempt to gain access to an unauthorized server. This type of attack does not involve multiple computers. The issue is not the bandwidth available, but the number of TCP connections taking place. Receiving a large number of connections from multiple locations is the main symptom of a distributed denial of service attack, which uses botnets or zombie computers.

34. Which two statements describe access attacks? (Choose two.)

Password attacks can be implemented by the use of brute-force attack methods, Trojan horses, or packet sniffers.
To detect listening services, port scanning attacks scan a range of TCP or UDP port numbers on a host.
Port redirection attacks use a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.
Trust exploitation attacks often involve the use of a laptop to act as a rogue access point to capture and copy all network traffic in a public location, such as a wireless hotspot.
Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or to exploit systems to execute malicious code.

Explanation: An access attack tries to gain access to a resource using a hijacked account or other means. The five types of access attacks include the following:
password – a dictionary is used for repeated login attempts
trust exploitation – uses granted privileges to access unauthorized material
port redirection – uses a compromised internal host to pass traffic through a firewall
man-in-the-middle – an unauthorized device positioned between two legitimate devices in order to redirect or capture traffic
buffer overflow – too much data sent to a memory location that already contains data

35. Which two actions can be taken when configuring Windows Firewall? (Choose two.)

Turn on port screening.
Manually open ports that are required for specific applications.
Allow a different software firewall to control access.
Enable MAC address authentication.
Perform a rollback.

Explanation: When a different software firewall is installed, Windows Firewall must be disabled through the Windows Firewall control panel. When Windows Firewall is enabled, specific ports can be enabled that are needed by specific applications.

36. Which statement describes the state of the administrator and guest accounts after a user installs Windows desktop version to a new computer?

By default, the guest account is enabled but the administrator account is disabled.
By default, both the administrator and guest accounts are enabled.
By default, both the administrator and guest accounts are disabled.
By default, the administrator account is enabled but the guest account is disabled.

Explanation: When a user installs Windows desktop version, two local user accounts are created automatically during the process, administrator and guest. Both accounts are disabled by default.

37. What is a purpose of entering the nslookup cisco.com command on a Windows PC?

to check if the DNS service is running
to connect to the Cisco server
to test if the Cisco server is reachable
to discover the transmission time needed to reach the Cisco server

Explanation: The nslookup command queries DNS servers to find out the IP address or addresses associated with the domain name cisco.com. A successful result indicates that the DNS configuration on the PC is functional, and also indicates the IP address for the domain name being displayed. The command does not try to connect to the actual Cisco host directly.

38. How is the event ID assigned in Sguil?

All events in the series of correlated events are assigned the same event ID.
Only the first event in the series of correlated events is assigned a unique ID.
All events in the series of correlated events are assigned the same event group ID.
Each event in the series of correlated events is assigned a unique ID.

Explanation: In Sguil, each event receives a unique event ID, but only the first event ID in the series of correlated events is displayed in the RealTime tab.

39. Which two types of network traffic are from protocols that generate a lot of routine traffic? (Choose two.)

routing updates traffic
Windows security auditing alert traffic
IPsec traffic
STP traffic
SSL traffic

Explanation: To reduce the huge amount of data collected so that cybersecurity analysts can focus on critical threats, some less important or less relevant data could be eliminated from the datasets. For example, routing network management traffic, such as routing updates and STP traffic, could be eliminated.

40. What are two elements that form the PRI value in a syslog message? (Choose two.)

facility
timestamp
severity
header
hostname

Explanation: The PRI in a syslog message consists of two elements, the facility and severity of the message.
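
How the two elements are packed into the PRI and recovered from it, as an added example (not from the original page). PRI = facility × 8 + severity, as defined in RFC 3164 and RFC 5424; the sample messages are constructed (the first follows the RFC 3164 example format) and the facility names follow RFC 5424 Table 1.

```python
# Added example: decode and encode the syslog PRI field.
import re
from typing import Dict, Optional, Tuple

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "log audit", "log alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<" + 1..3 decimal digits + ">" at the very start of the message.
PRI_RE = re.compile(r"<(\d{1,3})>(.*)", re.DOTALL)

def decode_pri(pri: int) -> Tuple[str, str]:
    """Split PRI into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:                    # 24 facilities * 8 severities - 1
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def encode_pri(facility: str, severity: str) -> int:
    """Inverse of decode_pri, e.g. ('local4', 'notice') -> 165."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Return pri, facility, severity and the rest of the line, or None without a PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity,
            "message": m.group(2)}

def at_least(line: str, threshold: str) -> bool:
    """True when the message is at least as severe as `threshold` (0 = most severe)."""
    rec = parse_syslog(line)
    if rec is None:
        return False
    return SEVERITIES.index(rec["severity"]) <= SEVERITIES.index(threshold)

# Constructed sample messages for the example.
SAMPLES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 - event",
    "<13>Oct 11 22:14:16 host1 cron[123]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = parse_syslog(s)
        print(f"PRI {r['pri']:>3} = {r['facility']}.{r['severity']}")
```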

41. Which three pieces of information are found in session data? (Choose three.)

default gateway IP address
source and destination port numbers
Layer 4 transport protocol
source and destination MAC addresses
user name
source and destination IP addresses

Explanation: Session data includes identifying information such as source and destination IP addresses, source and destination port numbers, and the Layer 4 protocol in use. Session data does not include user name, source and destination MAC addresses, and a default gateway IP address.

42. What kind of ICMP message can be used by threat actors to perform network reconnaissance and scanning attacks?

ICMP mask reply
ICMP router discovery
ICMP unreachable
ICMP redirects

Explanation: Common ICMP messages of interest to threat actors include these:
ICMP echo request and echo reply: used to perform host verification and DoS attacks
ICMP unreachable: used to perform network reconnaissance and scanning attacks
ICMP mask reply: used to map an internal IP network
ICMP redirects: used to lure a target host into sending all traffic through a compromised device and create a man-in-the-middle attack
ICMP router discovery: used to inject bogus route entries into the routing table of a target host

43. A flood of packets with invalid source IP addresses requests a connection on the network. The server busily tries to respond, resulting in valid requests being ignored. What type of attack has occurred?

TCP session hijacking
TCP SYN flood
TCP reset
UDP flood

Explanation: The TCP SYN Flood attack exploits the TCP three-way handshake. The threat actor continually sends TCP SYN session request packets with a randomly spoofed source IP address to an intended target. The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet. Those responses never arrive. Eventually the target host is overwhelmed with half-open TCP connections and denies TCP services.
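
The symptom described above, half-open connections piling up from many spoofed sources, is what an analyst looks for in a capture summary. The following added example (not from the original page) counts client-side SYNs that were never followed by the client's final ACK; the flow records, addresses and the threshold are constructed for the example.

```python
# Added example: half-open connection counter for spotting a SYN flood.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One record per client-side segment: (src_ip, src_port, dst_ip, dst_port, flag),
# where flag is "SYN" (handshake step 1) or "ACK" (handshake step 3).
Record = Tuple[str, int, str, int, str]

def build_sample() -> List[Record]:
    """Constructed capture summary: one legitimate client plus spoofed SYNs."""
    server = "192.0.2.10"                       # constructed victim address
    recs: List[Record] = [
        ("10.0.0.5", 51000, server, 80, "SYN"),
        ("10.0.0.5", 51000, server, 80, "ACK"),  # legitimate handshake completes
    ]
    # Spoofed sources never see the SYN-ACK, so no ACK ever follows these SYNs.
    for i in range(1, 51):
        recs.append((f"203.0.113.{i}", 40000 + i, server, 80, "SYN"))
    return recs

def half_open_summary(records: List[Record]) -> Dict[str, Dict[str, int]]:
    """Per destination: SYNs still waiting for the client's ACK, and source spread."""
    pending: Dict[str, Set[Tuple[str, int, int]]] = defaultdict(set)
    for src, sport, dst, dport, flag in records:
        key = (src, sport, dport)
        if flag == "SYN":
            pending[dst].add(key)
        elif flag == "ACK":
            pending[dst].discard(key)        # handshake finished: no longer half-open
    return {
        dst: {"half_open": len(keys),
              "distinct_sources": len({k[0] for k in keys})}
        for dst, keys in pending.items()
    }

def detect_syn_flood(records: List[Record], threshold: int = 20) -> List[str]:
    """Destinations with many half-open connections spread over many sources."""
    summary = half_open_summary(records)
    return sorted(
        dst for dst, s in summary.items()
        if s["half_open"] >= threshold and s["distinct_sources"] >= threshold // 2
    )

if __name__ == "__main__":
    sample = build_sample()
    print(half_open_summary(sample))
    print("suspected SYN flood targets:", detect_syn_flood(sample))
```

A real deployment would read the records from a NetFlow or PCAP summary and age out entries, but the counting logic is the same.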

44. An attacker is redirecting traffic to a false default gateway in an attempt to intercept the data traffic of a switched network. What type of attack could achieve this?

DNS tunneling
TCP SYN flood
DHCP spoofing
ARP cache poisoning

Explanation: In DHCP spoofing attacks, a threat actor configures a fake DHCP server on the network to issue DHCP addresses to clients with the aim of forcing the clients to use a false or invalid default gateway. A man-in-the-middle attack can be created by setting the default gateway address to the IP address of the threat actor.

45. What is the most common goal of search engine optimization (SEO) poisoning?

to increase web traffic to malicious sites
to build a botnet of zombies
to trick someone into installing malware or divulging personal information
to overwhelm a network device with maliciously formed packets

Explanation: A threat actor could use SEO techniques so that a malicious website appears higher in search results. The malicious website commonly contains malware or is used to obtain information via social engineering techniques.

46. Users report that a database file on the main server cannot be accessed. A database administrator verifies the issue and notices that the database file is now encrypted. The organization receives a threatening email demanding payment for the decryption of the database file. What type of attack has the organization experienced?

man-in-the-middle attack
DoS attack
ransomware
Trojan horse

Explanation: In a ransomware attack, the attacker compromises the victim computer and encrypts the hard drive (or selected files on it) so that the data can no longer be accessed by the user. The attacker then demands payment from the user to decrypt the data.

47. What two kinds of personal information can be sold on the dark web by cybercriminals? (Choose two.)

city of residence
Facebook photos
name of a bank
name of a pet
street address

Explanation: Personally identifiable information (PII) is any information that can be used to positively identify an individual. Examples of PII include the following:

Name
Social security number
Birthdate
Credit card numbers
Bank account numbers
Facebook information
Address information (street, email, phone numbers)

48. What three services are offered by FireEye? (Choose three.)

blocks attacks across the web
creates firewall rules dynamically
identifies and stops latent malware on files
subjects all traffic to deep packet inspection analysis
deploys incident detection rule sets to network security tools
identifies and stops email threat vectors

Explanation: FireEye is a security company that uses a three-pronged approach combining security intelligence, security expertise, and technology. FireEye offers SIEM and SOAR with the Helix Security Platform, which uses behavioral analysis and advanced threat detection.

49. After containment, what is the first step of eradicating an attack?

Change all passwords.
Patch all vulnerabilities.
Hold meetings on lessons learned.
Identify all hosts that need remediation.

Explanation: Once an attack is contained, the next step is to identify all hosts that will need remediation so that the effects of the attack can be eliminated.

50. Which activity is typically performed by a threat actor in the installation phase of the Cyber Kill Chain?

Install a web shell on the target web server for persistent access.
Harvest email addresses of user accounts.
Open a two-way communication channel to the CnC infrastructure.
Obtain an automated tool to deliver the malware payload.

Explanation: In the installation phase of the Cyber Kill Chain, the threat actor establishes a back door into the system to allow for continued access to the target.

51. When dealing with a security threat and using the Cyber
Kill Chain model, which two approaches can an
organization use to help block potential exploitations on a
system? (Choose two.)

Collect email and web logs for forensic reconstruction.
Conduct full malware analysis.
Train web developers for securing code.
Build detections for the behavior of known weaponizers.
Perform regular vulnerability scanning and penetration testing.

Explanation: The most common exploit targets, once a weapon is delivered, are applications, operating system vulnerabilities, and user accounts. Among other measures, such as regular vulnerability scanning and penetration testing, training web developers in securing code can help block potential exploitations on systems.

52. How might corporate IT professionals deal with DNS-based cyber threats?

Limit the number of simultaneously opened browsers or browser tabs.
Monitor DNS proxy server logs and look for unusual DNS queries.
Use IPS/IDS devices to scan internal corporate traffic.
Limit the number of DNS queries permitted within the organization.

Explanation: DNS queries for randomly generated domain names or extremely long random-appearing DNS subdomains should be considered suspicious. Cyberanalysts could do the following for DNS-based attacks:

Analyze DNS logs.
Use a passive DNS service to block requests to suspected CnC and exploit domains.
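"Randomly generated domain names" and "extremely long random-appearing subdomains" can be turned into a concrete log check. The following is an added example, not code from the original page: it scans constructed resolver log lines (loosely modelled on a BIND query log), scores the registered domain's character entropy for DGA-style names, and flags long labels or bulky subdomains that are typical of DNS tunnelling. The thresholds, the log format and the naive "last two labels" notion of a registered domain are assumptions to tune against your own baseline.

```python
"""Heuristics for DNS-based threats in resolver query logs: names with
random-looking registered domains (DGA-style) and queries that carry long
or bulky subdomains (tunnelling-style). Added example; the thresholds and
the log lines are assumptions/constructed, not from any vendor."""
import math
import re
from collections import Counter
from typing import List, Tuple

# Assumed thresholds; tune against a baseline of your own resolver logs.
MAX_LABEL_LEN = 30         # one label longer than this is unusual for human-chosen names
MAX_SUBDOMAIN_CHARS = 40   # total characters below the registered domain
MIN_SLD_LEN = 12           # only score entropy on registered names this long or longer
MIN_ENTROPY = 3.5          # bits per character; dictionary-word names sit well below this

# Constructed lines loosely modelled on a BIND-style query log (not real data).
LOG_LINES = [
    "10-Mar-2024 09:00:01.000 client 10.1.1.5#51234: query: www.cisco.com IN A +",
    "10-Mar-2024 09:00:02.000 client 10.1.1.5#51235: query: mail.microsoft.com IN A +",
    "10-Mar-2024 09:00:03.000 client 10.1.1.7#40001: query: xk9q2zvl7pmw3rd.com IN A +",
    "10-Mar-2024 09:00:03.500 client 10.1.1.7#40002: query: q7w2rtp9zxc4vbn.net IN A +",
    "10-Mar-2024 09:00:04.000 client 10.1.1.9#53111: query: "
    "aGVsbG8gd29ybGQgdGhpcyBpcyBleGZpbA.3f2a1b.tun.example.net IN TXT +",
    "10-Mar-2024 09:00:05.000 client 10.1.1.5#51236: query: itexamanswers.net IN A +",
]

LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def classify_qname(qname: str) -> List[str]:
    """Return the list of reasons a query name looks suspicious ([] if none).

    The registered domain is taken naively as the last two labels; a real
    deployment would consult the public suffix list instead (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    reasons = []
    if any(len(label) > MAX_LABEL_LEN for label in labels):
        reasons.append("long_label")
    subdomain_labels = labels[:-2]
    if sum(len(label) for label in subdomain_labels) >= MAX_SUBDOMAIN_CHARS:
        reasons.append("long_subdomain")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if len(sld) >= MIN_SLD_LEN and shannon_entropy(sld) >= MIN_ENTROPY:
        reasons.append("high_entropy_domain")
    return reasons


def scan_log(lines) -> List[Tuple[str, str, List[str]]]:
    """Parse log lines and return (client, qname, reasons) for flagged queries."""
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = classify_qname(m["qname"])
        if reasons:
            flagged.append((m["client"], m["qname"], reasons))
    return flagged


def clients_by_hits(flagged) -> Counter:
    """Count flagged queries per client; the host with many hits is the one to investigate."""
    return Counter(client for client, _, _ in flagged)


if __name__ == "__main__":
    for client, qname, reasons in scan_log(LOG_LINES):
        print(f"{client} {qname} {','.join(reasons)}")
    print(clients_by_hits(scan_log(LOG_LINES)))
```

The length gate matters: itexamanswers.net is long enough to be scored but its letters are drawn from ordinary English and score about 3.2 bits per character, below the threshold, while the two 15-character names with no repeated characters score about 3.9 and are flagged. The per-client count is the useful pivot, since one infected host typically produces a burst of such names as it walks a DGA looking for a live CnC domain.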

53. How does using HTTPS complicate network security monitoring?

HTTPS adds complexity to captured packets.
HTTPS cannot protect visitors to a company-provided web site.
Web browser traffic is directed to infected servers.
HTTPS can be used to infiltrate DNS queries.

Explanation: HTTPS adds extra overhead to the HTTP-formed packet. HTTPS encrypts the HTTP exchange with SSL/TLS (TLS in any current deployment). Even though some devices can perform SSL/TLS decryption and inspection, this can present processing and privacy issues. HTTPS adds complexity to packet captures because of the additional handshake messages involved in establishing an encrypted data connection.
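Not everything in the handshake is hidden from a monitor that does not decrypt. The Server Name Indication (SNI) extension of the ClientHello travels in clear text in TLS 1.2 and TLS 1.3 (unless Encrypted Client Hello is deployed), which is why many sensors log it as the destination host name. The following is an added example, not code from the original page: it constructs a minimal ClientHello record, then parses the record layer, the handshake header and the extension list to pull the SNI back out. The flow tuples and addresses are constructed.

```python
"""What monitoring can still see in an HTTPS session without decrypting it:
the Server Name Indication in the ClientHello is sent in clear text in
TLS 1.2 and 1.3 (unless Encrypted Client Hello is deployed). Added example;
the ClientHello below is constructed by build_client_hello, not captured."""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record that carries an
    SNI extension (fixed random and two cipher suites, enough for parsing)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"         # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    body = (b"\x03\x03" + bytes(range(32)) + b"\x00"                    # version, fixed random, empty session id
            + cipher_suites + b"\x01\x00" + extensions)                 # one compression method (null)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record and return the SNI host name from a ClientHello,
    or None when the bytes are not a ClientHello or carry no SNI."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                            # client_version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos + 2 > len(body):
            return None                                         # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            lpos = 2                                            # skip server_name_list length
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                lpos += 3
                if name_type == 0:
                    return data[lpos:lpos + name_len].decode("ascii", "replace")
                lpos += name_len
        return None
    except (IndexError, struct.error):
        return None                                             # truncated or malformed record


def tls_destinations(flows):
    """flows: iterable of (client_ip, server_ip, first_payload_bytes) for port 443
    connections; returns [(client_ip, server_ip, sni_or_None)] for logging."""
    return [(c, s, extract_sni(payload)) for c, s, payload in flows]


# Constructed flows: one ClientHello and one blob that is not a handshake record.
FLOWS = [
    ("10.1.1.5", "192.0.2.44", build_client_hello("www.example.com")),
    ("10.1.1.6", "198.51.100.9", b"\x17\x03\x03\x00\x05hello"),   # application data record
]

if __name__ == "__main__":
    for entry in tls_destinations(FLOWS):
        print(entry)
```

Everything after the handshake is opaque without decryption, so the SNI, the server certificate (in TLS 1.2) and the JA3-style fingerprint of the offered cipher suites are the metadata a sensor has to work with; the privacy and processing cost the explanation mentions only arises once you go beyond that and decrypt.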

54. Match the security concept to the description.

threat: a potential danger to an asset
vulnerability: a weakness in a system
exploit: a mechanism used to compromise an asset
risk: the likelihood of undesirable consequences

55. What are the two important components of a public key infrastructure (PKI) used in network security? (Choose two.)

intrusion prevention system
digital certificates
symmetric encryption algorithms
certificate authority
pre-shared key generation

Explanation: A public key infrastructure uses digital certificates and certificate authorities to manage asymmetric key distribution. PKI certificates are public information. The PKI certificate authority (CA) is a trusted third party that issues the certificate. The CA has its own certificate (self-signed certificate) that contains the public key of the CA.

56. Which three algorithms are designed to generate and verify digital signatures? (Choose three.)

3DES
IKE
DSA
AES
ECDSA
RSA

Explanation: There are three Digital Signature Standard (DSS) algorithms that are used for generating and verifying digital signatures:

Digital Signature Algorithm (DSA)
Rivest-Shamir-Adleman Algorithm (RSA)
Elliptic Curve Digital Signature Algorithm (ECDSA)

57. Which section of a security policy is used to specify that only authorized individuals should have access to enterprise data?

statement of authority
identification and authentication policy
campus access policy
Internet access policy
statement of scope
acceptable use policy

Explanation: The identification and authentication policy section of the security policy typically specifies authorized persons that can have access to network resources and identity verification procedures.

58. Refer to the exhibit. A cybersecurity analyst is viewing captured packets forwarded on switch S1. Which device has the MAC address d8:cb:8a:5c:d5:8a?

PC-A
DNS server
web server
router DG
router ISP

Explanation: The Wireshark capture is a DNS response from the DNS server to PC-A. Because the packet was captured on the LAN that the PC is on, router DG would have encapsulated the response packet from the ISP router into an Ethernet frame addressed to PC-A and forwarded the frame with the MAC address of PC-A as the destination.

59. What kind of message is sent by a DHCPv4 client requesting an IP address?

DHCPDISCOVER broadcast message
DHCPDISCOVER unicast message
DHCPOFFER unicast message
DHCPACK unicast message

Explanation: When the DHCPv4 client requests an IP address, it sends a DHCPDISCOVER broadcast message seeking a DHCPv4 server on the network.
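Because the DHCPDISCOVER is a broadcast, every host on the segment hears it, including a rogue server of the kind question 44 describes, and the client normally takes the first DHCPOFFER it receives. The following is an added example that serves both questions and is not code from the original page: it builds a DHCPDISCOVER and two DHCPOFFERs in the RFC 2131 format, parses the header and options back out, and applies the check a switch's DHCP snooping enforces, flagging any offer whose server identifier is not on the trusted list or whose router option (the default gateway) is not the expected one. The MAC address, the 10.0.0.0/24 addresses, the transaction ID and the trusted-server list are constructed assumptions.

```python
"""Minimal DHCPv4 message builder/parser and a rogue-offer check. Used for
two things: showing the DHCPDISCOVER a client broadcasts, and spotting a
DHCP spoofing server that answers with its own address as the default
gateway. Added example; all messages, addresses and the trusted-server
list are constructed assumptions, not from the original page."""
import socket
import struct
from typing import Dict, Iterable, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 53, 54


def build_dhcp(op: int, msg_type: int, xid: int, chaddr: bytes,
               yiaddr: str = "0.0.0.0", options: Iterable[Tuple[int, bytes]] = ()) -> bytes:
    """Build a BOOTP/DHCP message (RFC 2131 fixed header, cookie, options, end)."""
    broadcast_flag = 0x8000 if op == BOOTREQUEST else 0     # client asks for broadcast replies
    zero = socket.inet_aton("0.0.0.0")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, broadcast_flag,  # htype 1 = Ethernet, hlen 6
                        zero, socket.inet_aton(yiaddr), zero, zero,
                        chaddr.ljust(16, b"\x00"), b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        opts += bytes([code, len(value)]) + value
    return fixed + MAGIC_COOKIE + opts + b"\xff"


def parse_dhcp(data: bytes) -> Dict:
    """Decode the header fields and TLV options of one DHCP message."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", data[:12])
    options: Dict[int, bytes] = {}
    pos = 240
    while pos < len(data) and data[pos] != 255:       # 255 = end option
        if data[pos] == 0:                            # 0 = pad, has no length byte
            pos += 1
            continue
        code, length = data[pos], data[pos + 1]
        options[code] = data[pos + 2:pos + 2 + length]
        pos += 2 + length
    msg_code = options.get(OPT_MSG_TYPE, b"\x00")[0]
    return {
        "op": op,
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "yiaddr": socket.inet_ntoa(data[16:20]),
        "chaddr": data[28:28 + hlen],
        "msg_type": MSG_TYPES.get(msg_code, "unknown"),
        "options": options,
    }


def find_rogue_offers(messages: Iterable[bytes], trusted_servers, expected_router: str) -> List[Tuple[int, str, str]]:
    """Return (xid, server_id, router) for every OFFER/ACK that comes from a
    server outside trusted_servers or hands out an unexpected default gateway.
    DHCP snooping on a switch enforces the same idea by trusting only the
    ports behind the real server; here the check runs on captured messages."""
    rogue = []
    for raw in messages:
        m = parse_dhcp(raw)
        if m["msg_type"] not in ("DHCPOFFER", "DHCPACK"):
            continue
        server_id = socket.inet_ntoa(m["options"].get(OPT_SERVER_ID, b"\x00\x00\x00\x00"))
        router = socket.inet_ntoa(m["options"][OPT_ROUTER]) if OPT_ROUTER in m["options"] else ""
        if server_id not in trusted_servers or router != expected_router:
            rogue.append((m["xid"], server_id, router))
    return rogue


# Constructed exchange: one client DISCOVER, a legitimate OFFER and a rogue one.
CLIENT_MAC = bytes.fromhex("001122334455")
XID = 0x1234
SAMPLE = [
    build_dhcp(BOOTREQUEST, 1, XID, CLIENT_MAC,
               options=[(55, bytes([1, 3, 6]))]),             # parameter request: mask, router, DNS
    build_dhcp(BOOTREPLY, 2, XID, CLIENT_MAC, yiaddr="10.0.0.50",
               options=[(OPT_SERVER_ID, socket.inet_aton("10.0.0.1")),
                        (OPT_ROUTER, socket.inet_aton("10.0.0.1"))]),
    build_dhcp(BOOTREPLY, 2, XID, CLIENT_MAC, yiaddr="10.0.0.51",
               options=[(OPT_SERVER_ID, socket.inet_aton("10.0.0.66")),
                        (OPT_ROUTER, socket.inet_aton("10.0.0.66"))]),   # attacker names itself as gateway
]

if __name__ == "__main__":
    first = parse_dhcp(SAMPLE[0])
    print(first["msg_type"], "broadcast flag:", first["broadcast"])
    print(find_rogue_offers(SAMPLE, trusted_servers={"10.0.0.1"}, expected_router="10.0.0.1"))
```

The DISCOVER carries the broadcast flag and no address of its own, which is why it has to be a broadcast (the client has nothing to unicast from yet). The rogue offer is indistinguishable to the client; only a device that knows which server and gateway are legitimate, a snooping switch or a sensor running this check, can tell them apart.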

60. Place the evidence collection priority from most volatile to least volatile as defined by the IETF guidelines.

1. memory registers, caches (most volatile)
2. routing table, ARP cache, process table, kernel statistics, RAM
3. temporary file systems
4. non-volatile media, fixed and removable
5. remote logging and monitoring data
6. physical interconnections and topologies
7. archival media, tape or other backups (least volatile)

61. What is the responsibility of the human resources department when handling a security incident?

Coordinate the incident response with other stakeholders and minimize the damage of the incident.
Perform actions to minimize the effectiveness of the attack and preserve evidence.
Apply disciplinary measures if an incident is caused by an employee.
Review the incident policies, plans, and procedures for local or federal guideline violations.

Explanation: The human resources department may be called upon to perform disciplinary measures if an incident is caused by an employee.

62. How does a security information and event management system (SIEM) in a SOC help the personnel fight against security threats?

by integrating all security devices and appliances in an organization
by analyzing logging data in real time
by combining data from multiple technologies
by dynamically implementing firewall rules

Explanation: A security information and event management system (SIEM) combines data from multiple sources to help SOC personnel collect and filter data, detect and classify threats, analyze and investigate threats, and manage resources to implement preventive measures.

63. At which OSI layer is a source IP address added to a PDU during the encapsulation process?

network layer
transport layer
data link layer
application layer

Explanation: Source and destination IP addresses are added at the network layer, when the IP header is built around the transport layer segment. Port numbers are added at the transport layer and MAC addresses at the data link layer.

64. What is the purpose of CSMA/CA?

to prevent loops
to isolate traffic
to filter traffic
to prevent collisions

Explanation: CSMA/CA stands for carrier sense multiple access with collision avoidance. It is a mechanism used in wireless networks to prevent packet collisions from occurring.

65. Why is DHCP preferred for use on large networks?

Hosts on large networks require more IP addressing configuration settings than hosts on small networks.
It prevents sharing of files that are copyrighted.
It is a more efficient way to manage IP addresses than static address assignment.
Large networks send more requests for domain to IP address resolution than do smaller networks.
DHCP uses a reliable transport layer protocol.

Explanation: Static IP address assignment requires personnel to configure each network host with addresses manually. Large networks can change frequently and have many more hosts to configure than do small networks. DHCP provides a much more efficient means of configuring and managing IP addresses on large networks than does static address assignment.

66. Which NIST incident response life cycle phase includes continuous monitoring by the CSIRT to quickly identify and validate an incident?

postincident activities
detection and analysis
containment, eradication, and recovery
preparation

Explanation: It is in the detection and analysis phase of the NIST incident response life cycle that the CSIRT identifies and validates incidents through continuous monitoring. NIST defines four phases of the incident response life cycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

67. What will a threat actor do to create a back door on a compromised target according to the Cyber Kill Chain model?

Add services and autorun keys.
Collect and exfiltrate data.
Obtain an automated tool to deliver the malware payload.
Open a two-way communications channel to the CnC infrastructure.

Explanation: Once a target system is compromised, the threat actor will establish a back door into the system to allow for continued access to the target. Adding services and autorun keys is a way to create a point of persistent access.

68. Which type of evidence supports an assertion based on previously obtained evidence?

direct evidence
corroborating evidence
best evidence
indirect evidence

Explanation: Corroborating evidence is evidence that supports a proposition already supported by initial evidence, therefore confirming the original proposition. Circumstantial evidence is evidence other than first-hand accounts of events provided by witnesses.

69. A technician is configuring email on a mobile device. The user wants to be able to keep the original email on the server, organize it into folders, and synchronize the folders between the mobile device and the server. Which email protocol should the technician use?

POP3
MIME
IMAP
SMTP

Explanation: The IMAP protocol allows email data to be synchronized between a client and server. Changes made in one location, such as marking an email as read, are automatically applied to the other location. POP3 is also an email protocol. However, the data is not synchronized between the client and the server. SMTP is used for sending email, and is typically used in conjunction with the POP3 protocol. MIME is an email standard that is used to define attachment types, and allows extra content like pictures and documents to be attached to email messages.

70. What is the goal of an attack in the installation phase of the Cyber Kill Chain?

Break the vulnerability and gain control of the target.
Establish command and control (CnC) with the target system.
Create a back door in the target system to allow for future access.
Use the information from the reconnaissance phase to develop a weapon against the target.

Explanation: In the installation phase of the Cyber Kill Chain, the threat actor establishes a back door into the system to allow for continued access to the target.


7 COMMENTS

bob, 3 years ago

if this isn't for 200-201, what is it for please?

anon, 3 years ago

A technician is configuring email on a mobile device. The user wants to be able to keep the original email on the server, organize it into folders, and synchronize the folders between the mobile device and the server. Which email protocol should the technician use?

POP3
MIME
IMAP
SMTP

IT Administrator (Author), 3 years ago, in reply to anon

Added, thanks for sharing!

someone, 3 years ago

Which type of evidence supports an assertion based on previously obtained evidence?

direct evidence
corroborating evidence
indirect evidence
best evidence

IT Administrator (Author), 3 years ago, in reply to someone

Thanks for sharing!

Anon, 4 years ago

What will a threat actor do to create a back door on a compromised target according to the Cyber Kill Chain model?

Add services and autorun keys.
Collect and exfiltrate data.
Obtain an automated tool to deliver the malware payload.
Open a two-way communications channel to the CnC infrastructure.

IT Administrator (Author), 3 years ago, in reply to Anon

Thanks for sharing!

ITExamAnswers.net Copyright © 2024.