Final Exam Flashcards

1
Q

Which two techniques are used in a smurf attack? (Choose two.)

  • session hijacking
  • reflection
  • amplification
  • botnets
  • resource exhaustion
A

reflection
amplification

2
Q

What are three goals of a port scan attack? (Choose three.)

  • to discover system passwords
  • to identify operating systems
  • to identify active services
  • to identify peripheral configurations
  • to determine potential vulnerabilities
  • to disable used ports and services
A
  • to identify operating systems
  • to identify active services
  • to determine potential vulnerabilities
3
Q

When establishing a network profile for an organization, which element describes the time between the establishment of a data flow and its termination?

  • routing protocol convergence
  • total throughput
  • session duration
  • bandwidth of the Internet connection
A

session duration

4
Q

In addressing an identified risk, which strategy aims to shift some of the risk to other parties?

  • risk avoidance
  • risk retention
  • risk reduction
  • risk sharing
A

risk sharing

5
Q

A computer is presenting a user with a screen requesting payment before the user data is allowed to be accessed by the same user. What type of malware is this?

  • a type of virus
  • a type of worm
  • a type of ransomware
  • a type of logic bomb
A

a type of ransomware

6
Q

What characterizes a threat actor?

  • They are all highly-skilled individuals.
  • They always try to cause some harm to an individual or organization.
  • They always use advanced tools to launch attacks.
  • They all belong to organized crime.
A

They always try to cause some harm to an individual or organization

7
Q

What subnet mask is represented by the slash notation /20?

  • 255.255.255.248
  • 255.255.224.0
  • 255.255.255.192
  • 255.255.240.0
  • 255.255.255.0

A

255.255.240.0

Explanation: The slash notation /20 represents a subnet mask whose first 20 bits are 1s. In binary that is 11111111.11111111.11110000.00000000, which converts to 255.255.240.0.

8
Q

A device has been assigned the IPv6 address of 2001:0db8:cafe:4500:1000:00d8:0058:00ab/64. Which is the network identifier of the device?

  • 1000:00d8:0058:00ab
  • 2001
  • 2001:0db8:cafe:4500:1000:00d8:0058:00ab
  • 2001:0db8:cafe:4500:1000
  • 2001:0db8:cafe:4500
A

2001:0db8:cafe:4500

Explanation: With a /64 prefix, the first 64 bits (the first four hextets) are the network identifier, and the remaining 64 bits (1000:00d8:0058:00ab) are the interface ID.
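Worked example for the two addressing cards above (the /20 mask and the /64 network identifier). This is added code, not part of the original flashcard set; it derives the mask from the bit pattern instead of looking it up, and uses the standard-library ipaddress module for the IPv6 case.

```python
import ipaddress


def mask_bits(prefix_len: int) -> str:
    """Binary form of an IPv4 mask: prefix_len ones then zeros, dotted per octet."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    bits = "1" * prefix_len + "0" * (32 - prefix_len)
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def prefix_to_mask(prefix_len: int) -> str:
    """Dotted-decimal IPv4 mask for /prefix_len, converted octet by octet from the bits."""
    return ".".join(str(int(octet, 2)) for octet in mask_bits(prefix_len).split("."))


def ipv6_network_id(addr_with_prefix: str) -> str:
    """Network identifier of an IPv6 address written as address/prefix-length.

    This example only handles whole-hextet prefixes (multiples of 16), which
    covers the usual /64 and /48 cases. The exploded form keeps leading zeros
    so the result matches the notation used in the flashcard.
    """
    iface = ipaddress.IPv6Interface(addr_with_prefix)
    prefix_len = iface.network.prefixlen
    if prefix_len % 16:
        raise ValueError("this example handles whole-hextet prefix lengths only")
    # .network already has the host (interface ID) bits cleared
    hextets = iface.network.network_address.exploded.split(":")
    return ":".join(hextets[:prefix_len // 16])


if __name__ == "__main__":
    print(mask_bits(20), "->", prefix_to_mask(20))
    print(ipv6_network_id("2001:0db8:cafe:4500:1000:00d8:0058:00ab/64"))
```

Running it prints the /20 bit pattern with its dotted-decimal mask, and the first four hextets of the IPv6 address, which is what a /64 leaves as the network portion.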

9
Q

Refer to the exhibit. If Host1 were to transfer a file to the server, what layers of the TCP/IP model would be used?

  • only application and Internet layers
  • only application, transport, network, data link, and physical layers
  • application, session, transport, network, data link, and physical layers
  • application, transport, Internet, and network access layers
  • only Internet and network access layers
  • only application, Internet, and network access layers
A

application, transport, Internet, and network access layers

10
Q

What best describes the destination IPv4 address that is used by multicasting?

  • a single IP multicast address that is used by all destinations in a group
  • an IP address that is unique for each destination in the group
  • a 48 bit address that is determined by the number of members in the multicast group
  • a group address that shares the last 23 bits with the source IPv4 address
A

a single IP multicast address that is used by all destinations in a group

11
Q

A threat actor has identified the potential vulnerability of the web server of an organization and is building an attack. What will the threat actor possibly do to build an attack weapon?

  • Collect credentials of the web server developers and administrators.
  • Install a webshell on the web server for persistent access.
  • Obtain an automated tool in order to deliver the malware payload through the vulnerability.
  • Create a point of persistence by adding services.
A

Obtain an automated tool in order to deliver the malware payload through the vulnerability.

12
Q

Which type of data would be considered an example of volatile data?

  • web browser cache
  • log files
  • memory registers
  • temp files
A

memory registers

13
Q

What type of attack targets an SQL database using the input field of a user?

  • XML injection
  • SQL injection
  • buffer overflow
  • Cross-site scripting
A

SQL injection
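Worked example for the SQL injection card above. This is added code, not from the original flashcards: a login check built by string concatenation sits next to the same check written with a parameterised query, run against a constructed in-memory SQLite table. The table and credentials are sample data for the demonstration only (real systems store password hashes, not plaintext).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The user-controlled input is pasted into the SQL text, so quote characters
    # and comment markers in the input change the structure of the query.
    query = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders bind the input as data; the database never parses it as SQL.
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Tautology in the password field: WHERE ... AND password = '' OR '1'='1'
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))   # True: bypassed
    # Comment marker in the username field strips the password check entirely
    print(login_vulnerable(db, "alice' --", "wrong"))       # True: bypassed
    print(login_safe(db, "nobody", "' OR '1'='1"))          # False
    print(login_safe(db, "alice", "s3cret"))                # True: real credentials
```

The two payloads target different parts of the same statement: the tautology makes the WHERE clause true for every row, and the `--` comment removes the password comparison. With bound parameters both payloads are just strings that match no user.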

14
Q

What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?

  • CAM table attack
  • DHCP spoofing
  • IP address spoofing
  • DHCP starvation
A

DHCP starvation

15
Q

Which wireless parameter is used by an access point to broadcast frames that include the SSID?

  • passive mode
  • active mode
  • channel setting
  • security mode
A

passive mode

16
Q

How can statistical data be used to describe or predict network behavior?

  • by displaying alert messages that are generated by Snort
  • by comparing normal network behavior to current network behavior
  • by recording conversations between network endpoints
  • by listing results of user web surfing activities
A

by comparing normal network behavior to current network behavior

17
Q

Which Windows Event Viewer log includes events regarding the operation of drivers, processes, and hardware?

  • application logs
  • security logs
  • setup logs
  • system logs
A

system logs

18
Q

What is the primary objective of a threat intelligence platform (TIP)?

  • to provide a specification for an application layer protocol that allows the communication of CTI over HTTPS
  • to provide a security operations platform that integrates and enhances diverse security tools and threat intelligence
  • to aggregate the data in one place and present it in a comprehensible and usable format
  • to provide a standardized schema for specifying, capturing, characterizing, and communicating events and properties of network operations
A

to aggregate the data in one place and present it in a comprehensible and usable format

19
Q

An IT enterprise is recommending the use of PKI applications to securely exchange information between the employees. In which two cases might an organization use PKI applications to securely exchange information between users? (Choose two.)

  • HTTPS web service
  • file and directory access permission
  • 802.1x authentication
  • FTP transfers
  • local NTP server
A
  • HTTPS web service
  • 802.1x authentication

Explanation: A Public Key Infrastructure (PKI) is the framework of certificate authorities (CAs), digital certificates, and policies used to issue and validate certificates so that parties can securely exchange information. HTTPS relies on a server certificate to authenticate the web server and set up an encrypted session, and certificate-based 802.1X (EAP-TLS) uses certificates to authenticate the supplicant and the authentication server. File and directory permissions, plain FTP, and a local NTP server do not rely on certificates.

20
Q

Which two statements describe the use of asymmetric algorithms? (Choose two.)

  • If a private key is used to encrypt the data, a private key must be used to decrypt the data.
  • If a public key is used to encrypt the data, a public key must be used to decrypt the data.
  • Public and private keys may be used interchangeably.
  • If a private key is used to encrypt the data, a public key must be used to decrypt the data.
  • If a public key is used to encrypt the data, a private key must be used to decrypt the data.
A
  • If a private key is used to encrypt the data, a public key must be used to decrypt the data.
  • If a public key is used to encrypt the data, a private key must be used to decrypt the data.
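Worked example for the asymmetric-algorithm card above. This is added code, not part of the original flashcards: a textbook-size RSA key pair shows both directions of the answer (private encrypts, public decrypts for signatures; public encrypts, private decrypts for confidentiality) and why applying the same key twice does not work. The primes p=61, q=53 and exponent e=17 are the usual textbook toy values and are not from the flashcard.

```python
def toy_rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Return ((e, n), (d, n)) for toy primes.

    Toy sizes only: real RSA uses moduli of 2048 bits or more and a padding
    scheme (OAEP for encryption, PSS for signatures).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key, value: int) -> int:
    """Raise value to the key's exponent modulo n; one primitive serves both directions."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def encrypt_to_recipient(public_key, message: int) -> int:
    """Confidentiality: anyone encrypts with the public key, only the private key decrypts."""
    return rsa_apply(public_key, message)


def decrypt_as_recipient(private_key, ciphertext: int) -> int:
    return rsa_apply(private_key, ciphertext)


def sign_as_sender(private_key, message: int) -> int:
    """Authenticity: only the private-key holder can produce this; anyone checks it with the public key."""
    return rsa_apply(private_key, message)


def recover_from_signature(public_key, signature: int) -> int:
    return rsa_apply(public_key, signature)


def same_key_both_ways(key, message: int) -> bool:
    """Applying one key twice does not recover the message (the rejected answer options)."""
    return rsa_apply(key, rsa_apply(key, message)) == message


if __name__ == "__main__":
    pub, priv = toy_rsa_keypair()
    c = encrypt_to_recipient(pub, 65)
    print(c, decrypt_as_recipient(priv, c))                 # 2790 65
    s = sign_as_sender(priv, 65)
    print(s, recover_from_signature(pub, s))                # ... 65
    print(same_key_both_ways(pub, 65), same_key_both_ways(priv, 65))  # False False
```

The same modular exponentiation is used in both directions; what changes is which exponent each party holds, and that is what gives one direction confidentiality and the other authenticity.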
21
Q

Which measure can a security analyst take to perform effective security monitoring against network traffic encrypted by SSL technology?

  • Require remote access connections through IPsec VPN.
  • Deploy a Cisco SSL Appliance.
  • Deploy a Cisco ASA.
  • Use a Syslog server to capture network traffic.
A

Deploy a Cisco SSL Appliance

22
Q

What are two characteristics of the SLAAC method for IPv6 address configuration? (Choose two.)

  • Clients send router advertisement messages to routers to request IPv6 addressing.
  • IPv6 addressing is dynamically assigned to clients through the use of ICMPv6.
  • This stateful method of acquiring an IPv6 address requires at least one DHCPv6 server.
  • The default gateway of an IPv6 client on a LAN will be the link-local address of the router interface attached to the LAN.
  • Router solicitation messages are sent by the router to offer IPv6 addressing to clients.
A
  • The default gateway of an IPv6 client on a LAN will be the link-local address of the router interface attached to the LAN.
  • IPv6 addressing is dynamically assigned to clients through the use of ICMPv6.

Explanation: With SLAAC, the default gateway for IPv6 clients will be the link-local address of the router interface that is attached to the client LAN. The IPv6 addressing is dynamically assigned via the ICMPv6 protocol.

23
Q

Which two ICMPv6 messages are used during the Ethernet MAC address resolution process? (Choose two.)

  • router solicitation
  • neighbor advertisement
  • router advertisement
  • neighbor solicitation
  • echo request
A

neighbor advertisement
neighbor solicitation

24
Q

Which device supports the use of SPAN to enable monitoring of malicious activity?

  • Cisco IronPort
  • Cisco Security Agent
  • Cisco Catalyst switch
  • Cisco NAC
A

Cisco Catalyst switch

25
Q

What are the two ways threat actors use NTP? (Choose two.)

  • Threat actors use NTP systems to direct DDoS attacks.
  • They place iFrames on a frequently used corporate web page.
  • They encode stolen data as the subdomain portion where the nameserver is under control of an attacker.
  • They place an attachment inside an email message.
  • They attack the NTP infrastructure in order to corrupt the information used to log the attack.
A
  • They attack the NTP infrastructure in order to corrupt the information used to log the attack.
  • Threat actors use NTP systems to direct DDoS attacks.
26
Q

Which two network protocols can be used by a threat actor to exfiltrate data in traffic that is disguised as normal network traffic? (Choose two.)

  • syslog
  • DNS
  • SMTP
  • NTP
  • HTTP
A
  • DNS
  • HTTP
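Worked example for the NTP/DNS exfiltration cards above, specifically the technique of encoding stolen data as the subdomain portion of queries to an attacker-controlled zone. This is added detection code, not part of the original flashcards. The query log lines are constructed for the example (the carried text is the string "constructed-secret-NN" hex-encoded), and the thresholds are illustrative starting points, not tuned values.

```python
import math
from collections import defaultdict

# Constructed sample query log: "<client IP> <queried name>", not real traffic.
SAMPLE_LOG = """\
10.1.1.5 www.example.com
10.1.1.5 mail.example.com
10.1.1.9 636f6e73747275637465642d7365637265742d3031.x.attacker-example.net
10.1.1.9 636f6e73747275637465642d7365637265742d3032.x.attacker-example.net
10.1.1.9 636f6e73747275637465642d7365637265742d3033.x.attacker-example.net
10.1.1.7 d1a2b3c4e5f6g7h8i9j0k1l2.cdn-example.net
"""

MIN_LABEL_LEN = 20    # encoded chunks are long; ordinary hostnames rarely are
MIN_ENTROPY = 2.5     # low bar: hex/base32 alphabets give roughly 3-4 bits per char
MIN_DISTINCT = 3      # one long label is noise; many distinct ones to one zone is a pattern


def shannon_entropy(text: str) -> float:
    """Bits per character of the label; encoded data scores higher than words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Naive: last two labels. Production code should consult the Public Suffix List.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def exfil_candidates(log: str, min_label_len=MIN_LABEL_LEN,
                     min_entropy=MIN_ENTROPY, min_distinct=MIN_DISTINCT):
    """(client, zone) pairs that sent >= min_distinct distinct long, high-entropy leftmost labels."""
    long_labels = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        client, qname = parts
        leftmost = qname.split(".")[0]
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            long_labels[(client, registered_domain(qname))].add(leftmost)
    return sorted(key for key, labels in long_labels.items() if len(labels) >= min_distinct)


def decode_hex_label(label: str):
    """Recover the carried text if a label is hex-encoded UTF-8; None otherwise."""
    try:
        return bytes.fromhex(label).decode("utf-8")
    except ValueError:        # covers odd length, non-hex characters, bad UTF-8
        return None


if __name__ == "__main__":
    for client, zone in exfil_candidates(SAMPLE_LOG):
        print(f"{client} -> {zone}: repeated long encoded labels")
    print(decode_hex_label("636f6e7374727563746564"))   # constructed
```

Grouping by client and registered zone is what separates the pattern from a single long CDN hostname: the cdn-example.net label is long and random-looking but appears once, so it is not reported, while the three distinct labels to attacker-example.net from one client are.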
27
Q

Which application layer protocol is used to provide file-sharing and print services to Microsoft applications?

  • SMB
  • DHCP
  • HTTP
  • SMTP
A
  • SMB
28
Q

What information is required for a WHOIS query?

  • outside global address of the client
  • FQDN of the domain
  • ICANN lookup server address
  • link-local address of the domain owner
A
  • FQDN of the domain
29
Q

Which tool included in the Security Onion is a series of software plugins that send different types of data to the Elasticsearch data stores?

  • OSSEC
  • Curator
  • Beats
  • ElastAlert
A
  • Beats
30
Q

Which term is used to describe the process of identifying the NSM-related data to be gathered?

  • data archiving
  • data normalization
  • data reduction
  • data retention
A
  • data reduction
31
Q

An administrator is trying to develop a BYOD security policy for employees that are bringing a wide range of devices to connect to the company network. Which three objectives must the BYOD security policy address? (Choose three.)

  • All devices must have open authentication with the corporate network.
  • The level of access of employees when connecting to the corporate network must be defined.
  • Rights and activities permitted on the corporate network must be defined.
  • All devices should be allowed to attach to the corporate network flawlessly.
  • Safeguards must be put in place for any personal device being compromised.
  • All devices must be insured against liability if used to compromise the corporate network.
A
  • Rights and activities permitted on the corporate network must be defined.
  • Safeguards must be put in place for any personal device being compromised.
  • The level of access of employees when connecting to the corporate network must be defined.
32
Q

Which device in a layered defense-in-depth approach denies connections initiated from untrusted networks to internal networks, but allows internal users within an organization to connect to untrusted networks?

  • internal router
  • IPS
  • access layer switch
  • firewall
A

firewall

33
Q

A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication? (Choose two.)

  • single process for authentication and authorization
  • separate processes for authentication and authorization
  • hidden passwords during transmission
  • encryption for all communication
  • encryption for only the data
A
  • single process for authentication and authorization
  • hidden passwords during transmission
34
Q

A company has a file server that shares a folder named Public. The network security policy specifies that the Public folder is assigned Read-Only rights to anyone who can log into the server while the Edit rights are assigned only to the network admin group. Which component is addressed in the AAA network service framework?

  • authentication
  • accounting
  • automation
  • authorization
A
  • authorization
35
Q

What are the three core functions provided by the Security Onion? (Choose three.)

  • business continuity planning
  • alert analysis
  • security device management
  • threat containment
  • intrusion detection
  • full packet capture
A
  • full packet capture
  • alert analysis
  • intrusion detection
36
Q

What best describes the security threat of spoofing?

  • sending bulk email to individuals, lists, or domains with the intention to prevent users from accessing email
  • intercepting traffic between two hosts or inserting false information into traffic between two hosts
  • making data appear to come from a source that is not the actual source
  • sending abnormally large amounts of data to a remote server to prevent user access to the server services
A
  • making data appear to come from a source that is not the actual source
37
Q

What is a property of the ARP table on a device?

  • Every operating system uses the same timer to remove old entries from the ARP cache.
  • Entries in an ARP table are time-stamped and are purged after the timeout expires.
  • Static IP-to-MAC address entries are removed dynamically from the ARP table.
  • Windows operating systems store ARP cache entries for 3 minutes.
A

Entries in an ARP table are time-stamped and are purged after the timeout expires.

38
Q

A newly created company has fifteen Windows 10 computers that need to be installed before the company can open for business. What is a best practice that the technician should implement when configuring the Windows Firewall?

  • The technician should create instructions for corporate users on how to allow an app through the Windows Firewall using the Administrator account.
  • The technician should remove all default firewall rules and selectively deny traffic from reaching the company network.
  • The technician should enable the Windows Firewall for inbound traffic and install other firewall software for outbound traffic control.
  • After implementing third-party security software for the company, the technician should verify that the Windows Firewall is disabled.
A

After implementing third-party security software for the company, the technician should verify that the Windows Firewall is disabled.

39
Q

What is a characteristic of a Trojan horse as it relates to network security?

  • Malware is contained in a seemingly legitimate executable program.
  • Extreme quantities of data are sent to a particular network device interface.
  • Too much information is destined for a particular memory block, causing additional memory areas to be affected.
  • An electronic dictionary is used to obtain a password to be used to infiltrate a key network device.
A

Malware is contained in a seemingly legitimate executable program.

40
Q

What technique is used in social engineering attacks?

  • man-in-the-middle
  • phishing
  • buffer overflow
  • sending junk email
A

phishing

41
Q

What are two evasion techniques that are used by hackers? (Choose two.)

  • phishing
  • Trojan horse
  • reconnaissance
  • rootkit
  • pivot
A
  • rootkit
  • pivot
42
Q

What are two drawbacks to using HIPS? (Choose two.)

  • With HIPS, the success or failure of an attack cannot be readily determined.
  • If the network traffic stream is encrypted, HIPS is unable to access unencrypted forms of the traffic.
  • HIPS installations are vulnerable to fragmentation attacks or variable TTL attacks.
  • HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network.
  • With HIPS, the network administrator must verify support for all the different operating systems used in the network.
A
  • With HIPS, the network administrator must verify support for all the different operating systems used in the network.
  • HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network.
43
Q

What are three functions provided by the syslog service? (Choose three.)

  • to gather logging information for monitoring and troubleshooting
  • to provide statistics on packets that are flowing through a Cisco device
  • to periodically poll agents for data
  • to specify the destinations of captured messages
  • to provide traffic analysis
  • to select the type of logging information that is captured
A
  • to select the type of logging information that is captured
  • to gather logging information for monitoring and troubleshooting
  • to specify the destinations of captured messages
44
Q

A technician needs to verify file permissions on a specific Linux file. Which command would the technician use?

  • sudo
  • cd
  • vi
  • ls -l
A
  • ls -l
45
Q

Why would a network administrator choose Linux as an operating system in the Security Operations Center (SOC)?

  • It is easier to use than other operating systems.
  • More network applications are created for this environment.
  • It is more secure than other server operating systems.
  • The administrator has more control over the operating system.
A
  • The administrator has more control over the operating system.
46
Q

Which protocol or service uses UDP for a client-to-server communication and TCP for server-to-server communication?

  • DNS
  • HTTP
  • FTP
  • SMTP
A
  • DNS
47
Q

Which two statements describe the characteristics of symmetric algorithms? (Choose two.)

  • They provide confidentiality, integrity, and availability.
  • They are commonly used with VPN traffic.
  • They use a pair of a public key and a private key.
  • They are referred to as a pre-shared key or secret key.
  • They are commonly implemented in the SSL and SSH protocols.
A
  • They are commonly used with VPN traffic.
  • They are referred to as a pre-shared key or secret key.
48
Q

What are two properties of a cryptographic hash function? (Choose two.)

  • The hash function is one way and irreversible.
  • The input for a particular hash algorithm has to have a fixed size.
  • Hash functions can be duplicated for authentication purposes.
  • Complex inputs will produce complex hashes.
  • The output is a fixed length.
A
  • The hash function is one way and irreversible.
  • The output is a fixed length.
49
Q

Which two statements are characteristics of a virus? (Choose two.)

  • A virus provides the attacker with sensitive data, such as passwords.
  • A virus has an enabling vulnerability, a propagation mechanism, and a payload.
  • A virus typically requires end-user activation.
  • A virus replicates itself by independently exploiting vulnerabilities in networks.
  • A virus can be dormant and then activate at a specific time or date.
A
  • A virus can be dormant and then activate at a specific time or date.
  • A virus typically requires end-user activation.
50
Q

What is a network tap?

  • a Cisco technology that provides statistics on packets flowing through a router or multilayer switch
  • a passive device that forwards all traffic and physical layer errors to an analysis device
  • a technology used to provide real-time reporting and long-term analysis of security events
  • a feature supported on Cisco switches that enables the switch to copy frames and forward them to an analysis device
A
  • a passive device that forwards all traffic and physical layer errors to an analysis device
51
Q

Which type of evidence cannot prove an IT security fact on its own?

  • best
  • corroborative
  • indirect
  • hearsay
A
  • indirect
52
Q

According to NIST, which step in the digital forensics process involves preparing and presenting information that resulted from scrutinizing data?

  • examination
  • collection
  • reporting
  • analysis
A
  • reporting
53
Q

What is privilege escalation?

  • Everyone is given full rights by default to everything and rights are taken away only when someone abuses privileges.
  • A security problem occurs when high ranking corporate officials demand rights to systems or files that they should not have.
  • Vulnerabilities in systems are exploited to grant higher levels of privilege than someone or some process should have.
  • Someone is given rights because she or he has received a promotion.
A
  • Vulnerabilities in systems are exploited to grant higher levels of privilege than someone or some process should have.
54
Q

Which PDU format is used when bits are received from the network medium by the NIC of a host?

  • frame
  • segment
  • packet
  • file
A
  • frame
55
Q

Which statement is correct about network protocols?

  • They are only required for exchange of messages between devices on remote networks.
  • Network protocols define the type of hardware that is used and how it is mounted in racks.
  • They all function in the network access layer of TCP/IP.
  • They define how messages are exchanged between the source and the destination.
A
  • They define how messages are exchanged between the source and the destination.
56
Q

Refer to the exhibit. A cybersecurity analyst is using Sguil to verify security alerts. How is the current view sorted?

  • by sensor number
  • by source IP
  • by frequency
  • by date/time
A
  • by frequency
57
Q

What are three characteristics of an information security management system? (Choose three.)

  • It involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise.
  • It consists of a management framework through which an organization identifies, analyzes, and addresses information security risks.
  • It consists of a set of practices that are systematically applied to ensure continuous improvement in information security.
  • It is a systematic and multilayered approach to cybersecurity.
  • It addresses the inventory and control of hardware and software configurations of systems.
  • It is based on the application of servers and security devices.
A
  • It is a systematic and multilayered approach to cybersecurity.
  • It consists of a set of practices that are systematically applied to ensure continuous improvement in information security.
  • It consists of a management framework through which an organization identifies, analyzes, and addresses information security risks.
58
Q

A user is executing a tracert to a remote device. At what point would a router, which is in the path to the destination device, stop forwarding the packet?

  • when the RTT value reaches zero
  • when the value in the TTL field reaches zero
  • when the router receives an ICMP Time Exceeded message
  • when the host responds with an ICMP Echo Reply message
  • when the values of both the Echo Request and Echo Reply messages reach zero
A
  • when the value in the TTL field reaches zero
59
Q

A network administrator is reviewing server alerts because of reports of network slowness. The administrator confirms that an alert was an actual security incident. What is the security alert classification of this type of scenario?

  • true negative
  • false negative
  • false positive
  • true positive
A
  • true positive
60
Q

A client device has initiated a secure HTTP request to a web server. Which well-known port number is associated with the destination address?

  • 110
  • 80
  • 443
  • 404
A
  • 443
61
Q

What term describes a set of software tools designed to increase the privileges of a user or to grant access to the user to portions of the operating system that should not normally be allowed?

  • compiler
  • penetration testing
  • package manager
  • rootkit
A
  • rootkit
62
Q

What are the two methods that a wireless NIC can use to discover an AP? (Choose two.)

  • transmitting a probe request
  • sending an ARP request broadcast
  • initiating a three-way handshake
  • receiving a broadcast beacon frame
  • sending a multicast frame
A
  • transmitting a probe request
  • receiving a broadcast beacon frame
63
Q

An administrator discovers that a user is accessing a newly established website that may be detrimental to company security. What action should the administrator take first in terms of the security policy?

  • Ask the user to stop immediately and inform the user that this constitutes grounds for dismissal.
  • Create a firewall rule blocking the respective website.
  • Revise the AUP immediately and get all users to sign the updated AUP.
  • Immediately suspend the network privileges of the user.
A
  • Revise the AUP immediately and get all users to sign the updated AUP.
64
Q

Which statement defines the difference between session data and transaction data in logs?

  • Session data analyzes network traffic and predicts network behavior, whereas transaction data records network sessions.
  • Session data is used to make predictions on network behaviors, whereas transaction data is used to detect network anomalies.
  • Session data records a conversation between hosts, whereas transaction data focuses on the result of network sessions.
  • Session data shows the result of a network session, whereas transaction data is in response to network threat traffic.
A
  • Session data records a conversation between hosts, whereas transaction data focuses on the result of network sessions.
65
Q

Which two data types would be classified as personally identifiable information (PII)? (Choose two.)

  • house thermostat reading
  • average number of cattle per region
  • vehicle identification number
  • hospital emergency use per region
  • Facebook photographs
A
  • vehicle identification number
  • Facebook photographs
66
Q

A help desk technician notices an increased number of calls relating to the performance of computers located at the manufacturing plant. The technician believes that botnets are causing the issue. What are two purposes of botnets? (Choose two.)

  • to gain access to the restricted part of the operating system
  • to transmit viruses or spam to computers on the same network
  • to withhold access to a computer or files until money has been paid
  • to record any and all keystrokes
  • to attack other computers
A
  • to transmit viruses or spam to computers on the same network
  • to attack other computers
67
Q

The IT security personnel of an organization notice that the web server deployed in the DMZ is frequently targeted by threat actors. The decision is made to implement a patch management system to manage the server. Which risk management strategy method is being used to respond to the identified risk?

  • risk avoidance
  • risk retention
  • risk reduction
  • risk sharing
A
  • risk reduction
68
Q

Which step in the Vulnerability Management Life Cycle determines a baseline risk profile to eliminate risks based on asset criticality, vulnerability threat, and asset classification?

  • assess
  • discover
  • verify
  • prioritize assets
A
  • assess
69
Q

A client is using SLAAC to obtain an IPv6 address for the interface. After an address has been generated and applied to the interface, what must the client do before it can begin to use this IPv6 address?

  • It must wait for an ICMPv6 Router Advertisement message giving permission to use this address.
  • It must send an ICMPv6 Router Solicitation message to determine what default gateway it should use.
  • It must send an ICMPv6 Neighbor Solicitation message to ensure that the address is not already in use on the network.
  • It must send an ICMPv6 Router Solicitation message to request the address of the DNS server.
A
  • It must send an ICMPv6 Neighbor Solicitation message to ensure that the address is not already in use on the network.

Explanation: This is Duplicate Address Detection (DAD). The client sends a Neighbor Solicitation for its own tentative address; if a Neighbor Advertisement comes back, another node already uses the address and the client must not use it. Router Advertisements supply the prefix and default gateway but do not grant permission to use a specific address.
70
Q

Which core open source component of the Elastic-stack is responsible for accepting the data in its native format and making elements of the data consistent across all sources?

  • Logstash
  • Kibana
  • Beats
  • Elasticsearch
A
  • Logstash
71
Q

What is the benefit of converting log file data into a common schema?

  • creates a data model based on fields of data from a source
  • allows the implementation of partial normalization and inspection
  • allows easy processing and analysis of datasets
  • creates a set of regex-based field extractions
A
  • allows easy processing and analysis of datasets
72
Q

Which host-based firewall uses a three-profile approach to configure the firewall functionality?

  • TCP Wrapper
  • Windows Firewall
  • nftables
  • iptables
A
  • Windows Firewall
73
Q

What is a disadvantage of DDNS?

  • DDNS is considered malignant and must be monitored by security software.
  • DDNS is unable to co-exist on a network subdomain that also uses DNS.
  • Using free DDNS services, threat actors can quickly and easily generate subdomains and change DNS records.
  • Using DDNS, a change in an existing IP address mapping can take over 24 hours and could result in a disruption of connectivity.
A
  • Using free DDNS services, threat actors can quickly and easily generate subdomains and change DNS records.
74
Q

What are two potential network problems that can result from ARP operation? (Choose two.)

  • Manually configuring static ARP associations could facilitate ARP poisoning or MAC address spoofing.
  • On large networks with low bandwidth, multiple ARP broadcasts could cause data communication delays.
  • Network attackers could manipulate MAC address and IP address mappings in ARP messages with the intent of intercepting network traffic.
  • Large numbers of ARP request broadcasts could cause the host MAC address table to overflow and prevent the host from communicating on the network.
  • Multiple ARP replies result in the switch MAC address table containing entries that match the MAC addresses of hosts that are connected to the relevant switch port.
A
  • On large networks with low bandwidth, multiple ARP broadcasts could cause data communication delays.
  • Network attackers could manipulate MAC address and IP address mappings in ARP messages with the intent of intercepting network traffic.
75
Q

When a user visits an online store website that uses HTTPS, the user browser queries the CA for a CRL. What is the purpose of this query?

  • to check the length of key used for the digital certificate
  • to negotiate the best encryption to use
  • to verify the validity of the digital certificate
  • to request the CA self-signed digital certificate
A
  • to verify the validity of the digital certificate
76
Q

What two assurances does digital signing provide about code that is downloaded from the Internet? (Choose two.)

  • The code is authentic and is actually sourced by the publisher.
  • The code contains no errors.
  • The code has not been modified since it left the software publisher.
  • The code contains no viruses.
  • The code was encrypted with both a private and public key.
A
  • The code is authentic and is actually sourced by the publisher.
  • The code has not been modified since it left the software publisher.
77
Q

In the NIST incident response process life cycle, which type of attack vector involves the use of brute force against devices, networks, or services?

  • Media
  • Impersonation
  • Attrition
  • Loss or theft
A
  • Attrition
78
Q

Which approach can help block potential malware delivery methods, as described in the Cyber Kill Chain model, on an Internet-facing web server?

  • Build detections for the behavior of known malware.
  • Collect malware files and metadata for future analysis.
  • Analyze the infrastructure path used for files.
  • Audit the web server to forensically determine the origin of the exploit.
A
  • Analyze the infrastructure path used for files.
79
Q

Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)

  • SIP support
  • password encryption
  • 802.1X support
  • separate authentication and authorization processes
  • utilization of transport layer protocols
A
  • password encryption
  • utilization of transport layer protocols
80
Q

What are two uses of an access control list? (Choose two.)

  • ACLs can control which areas a host can access on a network.
  • ACLs provide a basic level of security for network access.
  • Standard ACLs can restrict access to specific applications and ports.
  • ACLs can permit or deny traffic based upon the MAC address originating on the router.
  • ACLs assist the router in determining the best path to a destination.
A
  • ACLs can control which areas a host can access on a network.
  • ACLs provide a basic level of security for network access.
81
Q

Which method can be used to harden a device?

  • use SSH and disable the root account access over SSH
  • allow default services to remain enabled
  • maintain use of the same passwords
  • allow USB auto-detection
A
  • use SSH and disable the root account access over SSH
82
Q

Which two options are window managers for Linux? (Choose two.)

  • File Explorer
  • Kali
  • Gnome
  • PenTesting
  • KDE
A
  • Gnome
  • KDE
83
Q

What is a key difference between the data captured by NetFlow and data captured by Wireshark?

  • NetFlow provides transaction data whereas Wireshark provides session data.
  • NetFlow data is analyzed by tcpdump whereas Wireshark data is analyzed by nfdump.
  • NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.
  • NetFlow data shows network flow contents whereas Wireshark data shows network flow statistics.
A
  • NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.
84
Q

Which two net commands are associated with network resource sharing? (Choose two.)

  • net use
  • net start
  • net share
  • net stop
  • net accounts
A
  • net use
  • net share
85
Q

What debugging security tool can be used by black hats to reverse engineer binary files when writing exploits?

  • WinDbg
  • Firesheep
  • Skipfish
  • AIDE
A
  • WinDbg
86
Q

A cybersecurity analyst needs to collect alert data. What are three detection tools to perform this task in the Security Onion architecture? (Choose three.)

  • CapME
  • Wazuh
  • Kibana
  • Zeek
  • Sguil
  • Wireshark
A
  • CapME
  • Wazuh
  • Zeek
87
Q

Which three IP addresses are considered private addresses? (Choose three.)

  • 198.168.6.18
  • 192.168.5.29
  • 172.68.83.35
  • 128.37.255.6
  • 172.17.254.4
  • 10.234.2.1
A
  • 192.168.5.29
  • 172.17.254.4
  • 10.234.2.1
88
Q

Which ICMPv6 message type provides network addressing information to hosts that use SLAAC?

  • neighbor solicitation
  • router advertisement
  • neighbor advertisement
  • router solicitation
A
  • router advertisement
89
Q

A technician is troubleshooting a network connectivity problem. Pings to the local wireless router are successful but pings to a server on the Internet are unsuccessful. Which CLI command could assist the technician to find the location of the networking problem?

  • tracert
  • ipconfig
  • msconfig
  • ipconfig/renew
A
  • tracert
90
Q

What are two ways that ICMP can be a security threat to a company? (Choose two.)

  • by collecting information about a network
  • by corrupting network IP data packets
  • by providing a conduit for DoS attacks
  • by corrupting data between email servers and email recipients
  • by the infiltration of web pages
A
  • by collecting information about a network
  • by providing a conduit for DoS attacks
91
Q

A piece of malware has gained access to a workstation and issued a DNS lookup query to a CnC server. What is the purpose of this attack?

  • to request a change of the IP address
  • to send stolen sensitive data with encoding
  • to check the domain name of the workstation
  • to masquerade the IP address of the workstation
A
  • to send stolen sensitive data with encoding
92
Q

What part of the URL, http://www.cisco.com/index.html, represents the top-level DNS domain?

  • .com
  • www
  • http
  • index
A
  • .com
93
Q

What is a characteristic of CybOX?

  • It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations.
  • It enables the real-time exchange of cyberthreat indicators between the U.S. Federal Government and the private sector.
  • It is a set of specifications for exchanging cyberthreat information between organizations.
  • It is the specification for an application layer protocol that allows the communication of CTI over HTTPS.
A
  • It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations.
94
Q

Which NIST Cybersecurity Framework core function is concerned with the development and implementation of safeguards that ensure the delivery of critical infrastructure services?

  • respond
  • detect
  • identify
  • recover
  • protect
A
  • protect
95
Q

In network security assessments, which type of test is used to evaluate the risk posed by vulnerabilities to a specific organization including assessment of the likelihood of attacks and the impact of successful exploits on the organization?

  • port scanning
  • risk analysis
  • penetration testing
  • vulnerability assessment
A
  • risk analysis
96
Q

What are three characteristics of an information security management system? (Choose three.)

  • It involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise.
  • It is a systematic and multilayered approach to cybersecurity.
  • It addresses the inventory and control of hardware and software configurations of systems.
  • It consists of a set of practices that are systematically applied to ensure continuous improvement in information security.
  • It consists of a management framework through which an organization identifies, analyzes, and addresses information security risks.
  • It is based on the application of servers and security devices.
A
  • It is a systematic and multilayered approach to cybersecurity.
  • It consists of a set of practices that are systematically applied to ensure continuous improvement in information security.
  • It consists of a management framework through which an organization identifies, analyzes, and addresses information security risks.
97
Q

The SLAAC Process

A

SLAAC is the simplest way to give an IPv6 address to a client because it relies exclusively on the Neighbor Discovery Protocol. This protocol, which we simply call NDP, allows devices on a network to discover their Layer 3 neighbors. We use it to retrieve Layer 2 reachability information, much like ARP does for IPv4, and to find routers on the network.

When a device comes online, it sends a Router Solicitation message. The device is asking whether there are routers available. If there is a router on the same network, that router replies with a Router Advertisement message. Using this message, the router tells the client some information about the network, such as:

  • The default gateway
  • The global unicast prefix

Neighbor Discovery defines five new Internet Control Message Protocol (ICMP) messages. The messages serve the following purposes:

  • Router solicitation – When an interface becomes enabled, hosts can send router solicitation messages. The solicitations request routers to generate router advertisements immediately, rather than at their next scheduled time.
  • Router advertisement – Routers advertise their presence, various link parameters, and various Internet parameters. Routers advertise either periodically, or in response to a router solicitation message. Router advertisements contain prefixes that are used for on-link determination or address configuration, a suggested hop-limit value, and so on.
  • Neighbor solicitation – Nodes send neighbor solicitation messages to determine the link-layer address of a neighbor. Neighbor solicitation messages are also sent to verify that a neighbor is still reachable by a cached link-layer address. Neighbor solicitations are also used for duplicate address detection.
  • Neighbor advertisement – A node sends neighbor advertisement messages in response to a neighbor solicitation message. The node can also send unsolicited neighbor advertisements to announce a link-layer address change.
  • Redirect – Routers use redirect messages to inform hosts of a better first hop for a destination, or that the destination is on the same link.