Main Flashcards

1
Q

A. Build ACLs based upon your security policy. B. Always put the ACL closest to the source of origination. C. Place deny statements near the top of the ACL to prevent unwanted traffic from passing through the router. D. Always test ACLs in a small, controlled production environment before you roll it out into the larger production network.

A

A

2
Q

Which step is important to take when implementing secure network management?
A. Implement in-band management whenever possible. B. Implement telnet for encrypted device management access. C. Implement SNMP with read/write access for troubleshooting purposes. D. Synchronize clocks on hosts and devices. E. Implement management plane protection using routing protocol authentication.
Get Latest & Actual 640-554 Exam’s Question and Answers from Passleader.
http://www.passleader.com

A

D

Explanation:
http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a0080117070.shtml
Background Information
Network time synchronization, to the degree required for modern performance analysis, is an essential exercise. Depending on the business models, and the services being provided, the characterization of network performance can be considered an important competitive service differentiator. In these cases, great expense may be incurred deploying network management systems and directing engineering resources towards analyzing the collected performance data. However, if proper attention is not given to the often-overlooked principle of time synchronization, those efforts may be rendered useless.

3
Q

QUESTION 106
Which statement best represents the characteristics of a VLAN?
A. Ports in a VLAN will not share broadcasts amongst physically separate switches. B. A VLAN can only connect across a LAN within the same building. C. A VLAN is a logical broadcast domain that can span multiple physical LAN segments. D. A VLAN provides individual port security.

A

Answer: C
Explanation:
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/VLANs.html
Configuring VLANs
You can use virtual LANs (VLANs) to divide the network into separate logical areas. VLANs can also be considered as broadcast domains.
Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in that VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router.

4
Q

QUESTION 107
Which Layer 2 protocol provides loop resolution by managing the physical paths to given network segments?
A. root guard B. port fast C. HSRP D. STP

A

Answer: D
Explanation:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_configuration_example09186a008009467c.shtml
Introduction
Spanning Tree Protocol (STP) is a Layer 2 protocol that runs on bridges and switches. The specification for STP is IEEE 802.1D. The main purpose of STP is to ensure that you do not create loops when you have redundant paths in your network. Loops are deadly to a network.

5
Q

QUESTION 108
Which statement is true when you have generated RSA keys on your Cisco router to prepare for secure device management?
A. You must then zeroize the keys to reset secure shell before configuring other parameters. B. The SSH protocol is automatically enabled. C. You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command. D. All vty ports are automatically enabled for SSH to provide secure management.

A

Answer: B
Explanation:
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
Generate an RSA key pair for your router, which automatically enables SSH.
carter(config)#crypto key generate rsa
Refer to crypto key generate rsa - Cisco IOS Security Command Reference, Release 12.3 for more information on the usage of this command.

6
Q

QUESTION 109
What is the key difference between host-based and network-based intrusion prevention?
A. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows. B. Network-based IPS provides better protection against OS kernel-level attacks against hosts and servers. C. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers. D. Host-based IPS can work in promiscuous mode or inline mode. E. Host-based IPS is more scalable than network-based IPS. F. Host-based IPS deployment requires less planning than network-based IPS.

QUESTION 110
Refer to the exhibit. You are a network manager for your organization. You are looking at your Syslog server reports. Based on the Syslog message shown, which two statements are true? (Choose two.)
A. Service timestamps have been globally enabled. B. This is a normal system-generated information message and does not require further investigation. C. This message is unimportant and can be ignored. D. This message is a level 5 notification message.

A

Answer (QUESTION 109): C
Explanation:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ServerFarmSec_2.1/8_NIDS.html
Cisco Network-Based Intrusion Detection–Functionalities and Configuration
This chapter highlights the need for and the benefits of deploying network-based intrusion detection in the data center. It addresses mitigation techniques, deployment models, and the management of the infrastructure.
Intrusion detection systems help data centers and other computer installations prepare for and deal with electronic attacks. Usually deployed as a component of a security infrastructure with a set of security policies for a larger, comprehensive information system, the detection systems themselves are of two main types.
Network-based systems inspect traffic “on the wire” and host-based systems monitor only individual computer server traffic.
Network intrusion detection systems deployed at several points within a single network topology, together with host-based intrusion detection systems and firewalls, can provide a solid, multi-pronged defense against both outside, Internet-based attacks, and internal threats, including network misconfiguration, misuse, or negligent practices. The Cisco Intrusion Detection System (IDS) product line provides flexible solutions for data center security.

Answer (QUESTION 110): AD
Explanation:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swlog.html
System Log Message Format
System log messages can contain up to 80 characters and a percent sign (%), which follows the optional sequence number or time-stamp information, if configured. Messages appear in this format:
seq no:timestamp: %facility-severity-MNEMONIC:description (hostname-n)
The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command.
seq no:
Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section.
timestamp formats:
mm/dd hh:mm:ss
or
hh:mm:ss (short uptime)
or
d h (long uptime)
Date and time of the message or event. This information appears only if the service timestamps log [datetime | uptime] global configuration command is configured. For more information, see the “Enabling and Disabling Time Stamps on Log Messages” section.
facility
The facility to which the message refers (for example, SNMP, SYS, and so forth). For a list of supported facilities, see Table 29-4.
severity
Single-digit code from 0 to 7 that is the severity of the message. For a description of the severity levels, see Table 29-3.
MNEMONIC
Text string that uniquely describes the message.
description
Text string containing detailed information about the event being reported.
This example shows part of a logging display with the service timestamps log datetime global configuration command enabled:
*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) (Switch-2)
In this line the leading timestamp shows that service timestamps is enabled (answer A) and the digit between SYS and CONFIG_I is the severity, 5, a notification (answer D); the asterisk in front of the timestamp means the router clock has not been set authoritatively, so the time cannot be trusted for correlating events across devices.
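Added example, not part of the Cisco guide quoted above and not the exhibit (which is not reproduced here): a Python parser for the message layout just described. It splits a line into sequence number, timestamp, facility, severity, mnemonic, description and stack hostname, and reports the two things the question turns on, whether service timestamps is on and what the severity digit means. The first sample line is the one quoted in the explanation; the other two are constructed for the example. Treating a trailing parenthesised IP literal as part of the description rather than as a hostname is my own heuristic, not a rule from the guide.

```python
import ipaddress
import re
from typing import Optional

# Cisco IOS severity levels 0-7 (Table 29-3 in the Catalyst 2960 guide cited above).
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

_BODY = re.compile(
    r"^(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<rest>.*)$"
)


def _looks_like_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_ios_syslog(line: str) -> dict:
    """Split one IOS system message into its fields.

    Layout (from the guide): seq no:timestamp: %FACILITY-SEVERITY-MNEMONIC: description (hostname-n)
    Everything before '%' is optional and depends on the 'service sequence-numbers' and
    'service timestamps log ...' global configuration commands.
    """
    head, percent, body = line.strip().partition("%")
    m = _BODY.match(body) if percent else None
    if m is None:
        raise ValueError("not a Cisco IOS system message: %r" % line)

    # Optional sequence number and timestamp, each terminated by ': '.
    seq: Optional[str] = None
    timestamp: Optional[str] = None
    for part in [p for p in head.strip().rstrip(":").split(": ") if p]:
        if seq is None and timestamp is None and part.isdigit():
            seq = part
        else:
            timestamp = part

    # A trailing '(name)' is the stack-member hostname; an IP literal in the same position
    # is part of the description (e.g. the source address of a vty login). Heuristic.
    rest = m.group("rest").strip()
    hostname: Optional[str] = None
    tail = re.search(r"\s\(([^()\s]+)\)$", rest)
    if tail and not _looks_like_ip(tail.group(1)):
        hostname = tail.group(1)
        rest = rest[: tail.start()]

    severity = int(m.group("severity"))
    return {
        "seq": seq,
        "timestamp": timestamp,
        "timestamps_enabled": timestamp is not None,
        # IOS prefixes the time with '*' when the clock is not authoritative (never set by
        # NTP or 'clock set') and '.' when NTP synchronization has been lost; either way the
        # timestamp cannot be trusted for correlating events across devices.
        "clock_authoritative": timestamp is not None and not timestamp.startswith(("*", ".")),
        "facility": m.group("facility"),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "mnemonic": m.group("mnemonic"),
        "description": rest,
        "hostname": hostname,
    }


# First line is the one quoted in the explanation; the other two are constructed samples.
SAMPLE_LINES = [
    "*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) (Switch-2)",
    "000042: Jun 14 09:02:33.117 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]


def messages_at_or_above(lines, max_level: int):
    """Parsed messages whose numeric severity is <= max_level (lower number = more urgent)."""
    return [m for m in map(parse_ios_syslog, lines) if m["severity"] <= max_level]


if __name__ == "__main__":
    for msg in map(parse_ios_syslog, SAMPLE_LINES):
        print(msg["severity"], msg["severity_name"], msg["facility"], msg["mnemonic"],
              "timestamped" if msg["timestamps_enabled"] else "no timestamp",
              "authoritative" if msg["clock_authoritative"] else "clock not synced")
```

Running the parser over a syslog export and filtering with messages_at_or_above(lines, 4) gives the warning-and-worse subset; the clock_authoritative flag is the practical reason the NTP questions elsewhere on this page matter, since a message stamped from an unset clock cannot be lined up with anything else.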

7
Q

Which four methods are used by hackers? (Choose four.)
A. footprint analysis attack B. privilege escalation attack C. buffer Unicode attack D. front door attacks E. social engineering attack F. Trojan horse attack

A

Answer: ABEF
Explanation:
https://learningnetwork.cisco.com/servlet/JiveServlet/download/15823-1-57665/CCNA%20Security%20(640-554)%20Portable%20Command%20Guide_ch01.pdf
Thinking Like a Hacker
The following seven steps may be taken to compromise targets and applications:
Step 1 Perform footprint analysis
Hackers generally try to build a complete profile of a target company’s security posture using a broad range of easily available tools and techniques. They can discover organizational domain names, network blocks, IP addresses of systems, ports, services that are used, and more.
Step 2 Enumerate applications and operating systems
Special readily available tools are used to discover additional target information. Ping sweeps use Internet Control Message Protocol (ICMP) to discover devices on a network. Port scans discover TCP/UDP port status.
Other tools include Netcat, Microsoft EPDump and Remote Procedure Call (RPC) Dump, GetMAC, and software development kits (SDKs).
Step 3 Manipulate users to gain access
Social engineering techniques may be used to manipulate target employees to acquire passwords. They may call or email them and try to convince them to reveal passwords without raising any concern or suspicion.
Step 4 Escalate privileges
To escalate their privileges, a hacker may attempt to use Trojan horse programs and get target users to unknowingly copy malicious code to their corporate system.
Step 5 Gather additional passwords and secrets
With escalated privileges, hackers may use tools such as the pwdump and LSADump applications to gather passwords from machines running Windows.
Step 6 Install back doors
Hacker may attempt to enter through the “front door,” or they may use “back doors” into the system. The backdoor method means bypassing normal authentication while attempting to remain undetected. A common backdoor point is a listening port that provides remote access to the system.
Step 7 Leverage the compromised system
After hackers gain administrative access, they attempt to hack other systems.

8
Q

QUESTION 113
Which statement about Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later is true?
A. uses Cisco IPS 5.x signature format B. requires the Basic or Advanced Signature Definition File C. supports both inline and promiscuous mode D. requires IEV for monitoring Cisco IPS alerts E. uses the built-in signatures that come with the Cisco IOS image as backup F. supports SDEE, SYSLOG, and SNMP for sending Cisco IPS alerts

A

Answer: A
Explanation:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_ios_ips/configuration/12-4t/sec-ips5-sig-fsue.html
Signature Categories
Cisco IPS appliances and Cisco IOS IPS with Cisco 5.x format signatures operate with signature categories.
All signatures are pregrouped into categories; the categories are hierarchical. An individual signature can belong to more than one category. Top-level categories help to define general types of signatures.
Subcategories exist beneath each top-level signature category. (For a list of supported top-level categories, use your router CLI help (?).)
Router Configuration Files and Signature Event Action Processor (SEAP)
As of Cisco IOS Release 12.4(11)T, SDFs are no longer used by Cisco IOS IPS. Instead, routers access signature definition information through a directory that contains three configuration files: the default configuration, the delta configuration, and the SEAP configuration. Cisco IOS accesses this directory through the ip ips config location command.

9
Q

QUESTION 114
Which characteristic is the foundation of Cisco Self-Defending Network technology?
A. secure connectivity B. threat control and containment C. policy management D. secure network platform

A

Answer: D
Explanation:
http://www.cisco.com/en/US/solutions/ns170/networking_solutions_products_genericcontent0900aecd8051f378.html
Create a Stronger Defense Against Threats
Each day, you reinvent how you conduct business by adopting Internet-based business models. But Internet connectivity without appropriate security can compromise the gains you hope to make. In today’s connected environment, outbreaks spread globally in a matter of minutes, which means your security systems must react instantly.
Maintaining security using tactical, point solutions introduces complexity and inconsistency, but integrating security throughout the network protects the information that resides on it. Three components are critical to effective information security:
A secure network platform with integrated security to which you can easily add advanced security technologies and services
Threat control services focused on antivirus protection and policy enforcement that continuously monitor network activity and prevent or mitigate problems
Secure communication services that maintain the privacy and confidentiality of sensitive data, voice, video, and wireless communications while cost-effectively extending the reach of your network

10
Q

QUESTION 115
Which kind of table do most firewalls use today to keep track of the connections through the firewall?
A. dynamic ACL B. reflexive ACL C. netflow D. queuing E. state F. express forwarding

A

Answer: E
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intro.html
Stateful Inspection Overview
All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process. A stateful firewall like the ASA, however, takes into consideration the state of a packet:
Is this a new connection?
If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the “session management path,” and depending on the type of traffic, it might also pass through the “control plane path.”
The session management path is responsible for the following tasks:
Performing the access list checks
Performing route lookups
Allocating NAT translations (xlates)
Establishing sessions in the “fast path”
The ASA creates forward and reverse flows in the fast path for TCP traffic; the ASA also creates connection state information for connectionless protocols like UDP, ICMP (when you enable ICMP inspection), so that they can also use the fast path.
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels:
A data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
Is this an established connection?
If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the “fast” path in both directions. The fast path is responsible for the following tasks:
IP checksum verification
Session lookup
TCP sequence number check
NAT translations based on existing sessions
Layer 3 and Layer 4 header adjustments
Data packets for protocols that require Layer 7 inspection can also go through the fast path. Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.

11
Q

QUESTION 116
Which Cisco IOS command is used to verify that either the Cisco IOS image, the configuration files, or both have been properly backed up and secured?
A. show archive B. show secure bootset C. show flash D. show file systems E. dir F. dir archive

A

Answer: B
Explanation:
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_resil_config_ps6922_TSD_Products_Configuration_Guide_Chapter.html
Restrictions for Cisco IOS Resilient Configuration
This feature is available only on platforms that support a Personal Computer Memory Card International Association (PCMCIA) Advanced Technology Attachment (ATA) disk. There must be enough space on the storage device to accommodate at least one Cisco IOS image (two for upgrades) and a copy of the running configuration. IOS Files System (IFS) support for secure file systems is also needed by the software.
It may be possible to force removal of secured files using an older version of Cisco IOS software that does not contain file system support for hidden files.
This feature can be disabled only by using a console connection to the router. With the exception of the upgrade scenario, feature activation does not require console access.
You cannot secure a bootset with an image loaded from the network. The running image must be loaded from persistent storage to be secured as primary.
Secured files will not appear on the output of a dir command issued from an executive shell because the IFS prevents secure files in a directory from being listed. ROM monitor (ROMMON) mode does not have any such restriction and can be used to list and boot secured files. The running image and running configuration archives will not be visible in the Cisco IOS dir command output. Instead, use the show secure bootset command to verify archive existence.

12
Q

QUESTION 117
What does the secure boot-config global configuration accomplish?
A. enables Cisco IOS image resilience B. backs up the Cisco IOS image from flash to a TFTP server C. takes a snapshot of the router running configuration and securely archives it in persistent storage D. backs up the router running configuration to a TFTP server E. stores a secured copy of the Cisco IOS image in its persistent storage

A

C

13
Q

QUESTION 120
When using a stateful firewall, which information is stored in the stateful session flow table?
A. the outbound and inbound access rules (ACL entries) B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session C. all TCP and UDP header information only D. all TCP SYN packets and the associated return ACK packets only E. the inside private IP address and the translated inside global IP address

A

B
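The ASA description under QUESTION 115 (session management path for the first packet of a session, fast path with session lookup and TCP sequence check after that) and the QUESTION 120 answer (what one row of the session flow table holds) are illustrated by the following Python model. It is an added example written for this page, not Cisco code: the StatefulFirewall class, its ACL tuple format and the traffic in DEMO_PACKETS are constructed for the demonstration, and RST/FIN teardown and idle timeouts are left out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)
SEQ_MASK = 0xFFFFFFFF
WINDOW = 65535   # how far past the expected sequence number an established-session segment may be


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}
    seq: int = 0                     # TCP sequence number of this segment
    length: int = 0                  # TCP payload bytes


@dataclass
class Session:
    """One row of the session flow table: 5-tuple, TCP state, next expected seq per direction."""
    key: FiveTuple                                   # initiator -> responder tuple
    state: str                                       # SYN_SENT, SYN_RECV, ESTABLISHED or UDP
    expected_seq: Dict[str, int] = field(default_factory=dict)   # "fwd"/"rev" -> next seq


class StatefulFirewall:
    def __init__(self, acl: List[Tuple[str, str, str, object]]):
        # (action, proto, dst_ip, dst_port) entries with "any" wildcards and an implicit deny;
        # consulted only for the first packet of a session (the session management path).
        self.acl = acl
        self.table: Dict[FiveTuple, Session] = {}

    def _acl_permits(self, p: Packet) -> bool:
        for action, proto, dst, dport in self.acl:
            if proto in ("any", p.proto) and dst in ("any", p.dst) and dport in ("any", p.dport):
                return action == "permit"
        return False

    def process(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rkey = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.table:                   # fast path: session lookup, forward direction
            return self._fast_path(self.table[key], p, "fwd")
        if rkey in self.table:                  # fast path: return traffic of a known session
            return self._fast_path(self.table[rkey], p, "rev")
        return self._session_management_path(p, key)

    def _session_management_path(self, p: Packet, key: FiveTuple) -> str:
        # Only a bare SYN may open a TCP session; an ACK with no matching session is dropped,
        # so nothing can be injected into a connection the firewall never saw set up.
        if p.proto == "tcp" and ("SYN" not in p.flags or "ACK" in p.flags):
            return "DROP no-session"
        if not self._acl_permits(p):
            return "DROP acl"
        if p.proto == "tcp":
            self.table[key] = Session(key, "SYN_SENT", {"fwd": (p.seq + 1) & SEQ_MASK})
        else:
            self.table[key] = Session(key, "UDP")   # pseudo-state for connectionless traffic
        return "PERMIT new"

    def _fast_path(self, s: Session, p: Packet, direction: str) -> str:
        if p.proto == "udp":
            return "PERMIT established"
        if s.state == "SYN_SENT":               # waiting for the responder's SYN/ACK
            if direction == "rev" and p.flags >= {"SYN", "ACK"}:
                s.state, s.expected_seq["rev"] = "SYN_RECV", (p.seq + 1) & SEQ_MASK
                return "PERMIT handshake"
            return "DROP out-of-state"
        if s.state == "SYN_RECV":               # waiting for the initiator's final ACK
            if (direction == "fwd" and "ACK" in p.flags and "SYN" not in p.flags
                    and p.seq == s.expected_seq["fwd"]):
                s.state = "ESTABLISHED"
                s.expected_seq["fwd"] = (p.seq + p.length) & SEQ_MASK
                return "PERMIT established"
            return "DROP out-of-state"
        # ESTABLISHED: the sequence number must fall inside the window; the modular
        # subtraction handles 32-bit wraparound.
        expected = s.expected_seq[direction]
        if (p.seq - expected) & SEQ_MASK >= WINDOW:
            return "DROP seq-out-of-window"
        if p.seq == expected:
            s.expected_seq[direction] = (p.seq + p.length) & SEQ_MASK
        return "PERMIT established"


# Constructed traffic: an outside client (203.0.113.7) reaching an inside HTTPS server and
# DNS server, plus three packets the firewall should refuse.
T = frozenset
DEMO_PACKETS = [
    Packet("tcp", "203.0.113.7", 51000, "10.0.0.5", 443, T({"SYN"}), seq=1000),
    Packet("tcp", "10.0.0.5", 443, "203.0.113.7", 51000, T({"SYN", "ACK"}), seq=5000),
    Packet("tcp", "203.0.113.7", 51000, "10.0.0.5", 443, T({"ACK"}), seq=1001),
    Packet("tcp", "203.0.113.7", 51000, "10.0.0.5", 443, T({"ACK"}), seq=1001, length=100),
    Packet("tcp", "203.0.113.7", 51000, "10.0.0.5", 443, T({"ACK"}), seq=999999, length=40),  # forged
    Packet("tcp", "198.51.100.9", 4444, "10.0.0.5", 443, T({"ACK"}), seq=1),                   # no session
    Packet("tcp", "203.0.113.7", 51001, "10.0.0.5", 22, T({"SYN"}), seq=7),                    # not in ACL
    Packet("udp", "203.0.113.7", 40000, "10.0.0.53", 53),
    Packet("udp", "10.0.0.53", 53, "203.0.113.7", 40000),
]


def run_demo() -> Tuple[List[str], StatefulFirewall]:
    fw = StatefulFirewall([("permit", "tcp", "10.0.0.5", 443), ("permit", "udp", "10.0.0.53", 53)])
    return [fw.process(p) for p in DEMO_PACKETS], fw
```

After run_demo() the table holds exactly two rows, the HTTPS session in state ESTABLISHED with its forward and reverse expected sequence numbers and the DNS pseudo-session; the ACL was consulted only for the two SYNs and the first UDP datagram, and the forged segment was refused on sequence number alone without any ACL lookup, which is the point of answer B to QUESTION 120.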

14
Q

QUESTION 121
Which statement is true about configuring access control lists to control Telnet traffic destined to the router itself?
A. The ACL is applied to the Telnet port with the ip access-group command. B. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port. C. The ACL applied to the vty lines has no in or out option like ACL being applied to an interface. D. The ACL must be applied to each vty line individually.

A

Answer: B
Explanation:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-cntrl-acc-vtl.html
Controlling Access to a Virtual Terminal Line
You can control who can access the virtual terminal lines (vtys) to a router by applying an access list to inbound vtys. You can also control the destinations that the vtys from a router can reach by applying an access list to outbound vtys.
Benefits of Controlling Access to a Virtual Terminal Line
By applying an access list to an inbound vty, you can control who can access the lines to a router. By applying an access list to an outbound vty, you can control the destinations that the lines from a router can reach.

15
Q

QUESTION 122
When configuring role-based CLI on a Cisco router, which step is performed first?
A. Log in to the router as the root user. B. Create a parser view called “root view.” C. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command. D. Enable the root view on the router. E. Enable AAA authentication and authorization using the local database. F. Create a root local user in the local database.

A

Answer: D
Explanation:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
Role-Based CLI Access
The Role-Based CLI Access feature allows the network administrator to define “views,” which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices.
Configuring a CLI View
Prerequisites
Before you create a view, you must perform the following tasks:
Enable AAA via the aaa new-model command. (For more information on enabling AAA, see the chapter “Configuring Authentication” in the Cisco IOS Security Configuration Guide, Release 12.3.)
Ensure that your system is in root view, not privilege level 15.
SUMMARY STEPS
1. enable view
2. configure terminal
3. parser view view-name
4. secret 5 encrypted-password
5. commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
6. exit
7. exit
8. enable [privilege-level] [view view-name]
9. show parser view [all]
DETAILED STEPS
Step 1
Enable view
Router> enable view
Enables root view.

16
Q

QUESTION 124
Which characteristic is a potential security weakness of a traditional stateful firewall?
A. It cannot support UDP flows. B. It cannot detect application-layer attacks. C. It cannot ensure each TCP connection follows a legitimate TCP three-way handshake. D. It works only in promiscuous mode. E. The status of TCP sessions is retained in the state table after the sessions terminate. F. It has low performance due to the use of syn-cookies.

A

Answer: B
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_implementation_design_guide09186a00800fd670.html
Cisco IOS Firewall consists of several major subsystems:
Stateful Packet Inspection provides a granular firewall engine
Authentication Proxy offers a per-host access control mechanism
Application Inspection features add protocol conformance checking and network use policy control
Enhancements to these features extend these capabilities to VRF instances to support multiple virtual routers per device, and to Cisco Integrated Route-Bridging features to allow greater deployment flexibility, reduce implementation timelines, and ease requirements to add security to existing networks.

17
Q

QUESTION 140
Which consideration is important when implementing Syslogging in your network?
A. Use SSH to access your Syslog information. B. Enable the highest level of Syslogging available to ensure you log all possible event messages. C. Log all messages to the system buffer so that they can be displayed when accessing the router. D. Synchronize clocks on the network with a protocol such as Network Time Protocol.

A

D

18
Q

QUESTION 141
Which classes does the U.S. government place classified data into? (Choose three.)
A. SBU B. Confidential C. Secret D. Top-secret

A

BCD

19
Q

QUESTION 142
Which statement is true when you have generated RSA keys on your Cisco router to prepare for secure device management?
A. You must then zeroize the keys to reset secure shell before configuring other parameters. B. The SSH protocol is automatically enabled. C. You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command. D. All vty ports are automatically enabled for SSH to provide secure management.

A

B

20
Q

QUESTION 143
Which of the following ensures that no one employee becomes a pervasive security threat, that data can be recovered from backups, and that information system changes do not compromise a system’s security?
A. Disaster recovery B. Strategic security planning C. Implementation security D. Operations security

A

D

21
Q

QUESTION 144
Which three options are network evaluation techniques? (Choose three.)
A. Scanning a network for active IP addresses and open ports on those IP addresses B. Using password-cracking utilities C. Performing end-user training on the use of antispyware software D. Performing virus scans

A

ABD

22
Q

QUESTION 145
In a brute-force attack, what percentage of the keyspace must an attacker generally search through until he or she finds the key that decrypts the data?
A. Roughly 50 percent B. Roughly 66 percent C. Roughly 75 percent D. Roughly 10 percent

A

A
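Added example, not from the page: a Python check of the “roughly 50 percent” figure. toy_encrypt is a throwaway stand-in cipher (a single-byte XOR) chosen only so that a candidate key can be tested against a known plaintext; the point is the search, which tries keys in order and is run once with every possible key as the target so that the measured average can be compared with the closed form (N + 1) / 2N.

```python
from typing import Tuple

KEY_BITS = 8                 # small on purpose: the exhaustive average below uses every key as the target
KEYSPACE = 1 << KEY_BITS


def toy_encrypt(plaintext: bytes, key: int) -> bytes:
    """Stand-in cipher for the example (not a real one): XOR every byte with the key byte.
    The search only needs some way to test a candidate key against a known plaintext."""
    return bytes(b ^ key for b in plaintext)


def brute_force(ciphertext: bytes, known_plaintext: bytes) -> Tuple[int, int]:
    """Try keys in order 0, 1, 2, ... and return (key, number of trials spent)."""
    for trials, candidate in enumerate(range(KEYSPACE), start=1):
        if toy_encrypt(known_plaintext, candidate) == ciphertext:
            return candidate, trials
    raise ValueError("no key reproduces the ciphertext")


def average_fraction_searched(plaintext: bytes = b"attack at dawn") -> float:
    """Measured: run the attack once for every possible key and average trials / keyspace."""
    total = 0
    for key in range(KEYSPACE):
        _, trials = brute_force(toy_encrypt(plaintext, key), plaintext)
        total += trials
    return total / (KEYSPACE * KEYSPACE)


def expected_fraction(keyspace: int) -> float:
    """Closed form: a uniformly random key is found on trial k with probability 1/N, so
    E[trials] / N = (1/N) * sum_{k=1}^{N} k / N = (N + 1) / (2N), which tends to 1/2."""
    return (keyspace + 1) / (2 * keyspace)


if __name__ == "__main__":
    print("measured :", average_fraction_searched())
    print("closed   :", expected_fraction(KEYSPACE))
    print("128-bit  :", expected_fraction(2 ** 128))
```

The measured average for the 8-bit space is 257/512, exactly the closed form; for a 128-bit key the same formula is indistinguishable from one half, which is why “half the keyspace” is the figure quoted for brute force regardless of the cipher.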

23
Q

QUESTION 146
Which three items are Cisco best-practice recommendations for securing a network? (Choose three.)
A. Routinely apply patches to operating systems and applications. B. Disable unneeded services and ports on hosts. C. Deploy HIPS software on all end-user workstations. D. Require strong passwords, and enable password expiration.

A

ABD

24
Q

QUESTION 147
What Cisco Security Agent Interceptor is in charge of intercepting all read/write requests to the rc files in UNIX?
A. Configuration interceptor B. Network interceptor C. File system interceptor D. Execution space interceptor

A

Answer: A
Explanation:
Configuration interceptor: Read/write requests to the Registry in Windows or to rc configuration files on UNIX are intercepted. This interception occurs because modification of the operating system configuration can have serious consequences. Therefore, Cisco Security Agent tightly controls read/write requests to the Registry.

25
Q

QUESTION 148
Information about a managed device’s resources and activity is defined by a series of objects. What defines the structure of these management objects?
A. MIB B. FIB C. LDAP D. CEF

A

Answer: A
Explanation:
Management Information Base (MIB) is the database of configuration variables that resides on the networking device.

26
Q

QUESTION 149
Refer to Cisco IOS Zone-Based Policy Firewall, where will the inspection policy be applied?
A. to the zone-pair B. to the zone C. to the interface D. to the global service policy

A

A

27
Q

QUESTION 150
Which statement is true about vishing?
A. Influencing users to forward a call to a toll number (for example, a long distance or international number) B. Influencing users to provide personal information over a web page C. Using an inside facilitator to intentionally forward a call to a toll number (for example, a long distance or international number) D. Influencing users to provide personal information over the phone

A

D
Explanation:
Vishing (voice phishing) uses telephony to glean information, such as account details, directly from users. Because many users tend to trust the security of a telephone versus the security of the web, some users are more likely to provide confidential information over the telephone. User education is the most effective method to combat vishing attacks.

28
Q

QUESTION 151
Which item accounts for the great majority of the software vulnerabilities that have been discovered?
A. Stack vulnerabilities B. Heap overflows C. Software overflows D. Buffer overflows

A

D

29
Q

QUESTION 152
Which one of the following items may be added to a password stored in MD5 to make it more secure?
A. Ciphertext B. Salt C. Cryptotext D. Rainbow table

A

B
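Added example, not from the page, showing in Python what a salt buys you: without a salt the same password always produces the same MD5 digest, so one lookup in a precomputed table cracks every account that uses it, while a per-user random salt makes the table useless and forces the attacker to redo the hashing for each account. COMMON_PASSWORDS, the PRECOMPUTED table and the user list are constructed for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for a precomputed (rainbow) table: MD5 of a few common passwords.
COMMON_PASSWORDS = ["123456", "password", "letmein", "cisco123", "qwerty"]
PRECOMPUTED = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Hash salt||password and store the salt next to the digest so it can be verified later.
    The salt is not secret; its job is to make every stored hash unique."""
    salt = secrets.token_bytes(8) if salt is None else salt
    return salt.hex() + "$" + hashlib.md5(salt + password.encode()).hexdigest()


def verify_salted(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    return md5_salted(password, bytes.fromhex(salt_hex)) == stored


def crack_unsalted(stored: str) -> Optional[str]:
    # One table lookup, and the same table cracks every user with that password.
    return PRECOMPUTED.get(stored)


def crack_salted(stored: str, candidates=COMMON_PASSWORDS) -> Tuple[Optional[str], int]:
    """The table is useless here: the attacker must rehash each candidate with this user's
    salt. Returns (password or None, number of hashes computed)."""
    salt_hex, digest = stored.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    for tried, candidate in enumerate(candidates, start=1):
        if hashlib.md5(salt + candidate.encode()).hexdigest() == digest:
            return candidate, tried
    return None, len(candidates)


def demo() -> Dict[str, object]:
    users = {"alice": "password", "bob": "password", "carol": "cisco123"}   # constructed
    unsalted = {u: md5_unsalted(p) for u, p in users.items()}
    salted = {u: md5_salted(p) for u, p in users.items()}
    return {
        "unsalted_identical_for_same_password": unsalted["alice"] == unsalted["bob"],
        "salted_identical_for_same_password": salted["alice"] == salted["bob"],
        "unsalted_cracked_by_lookup": [crack_unsalted(h) for h in unsalted.values()],
        "salted_found_in_table": [PRECOMPUTED.get(h.split("$", 1)[1]) for h in salted.values()],
        "salted_hashes_computed": sum(crack_salted(h)[1] for h in salted.values()),
        "all_verify": all(verify_salted(p, salted[u]) for u, p in users.items()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

MD5 is used because it is what the question asks about. A salt defeats precomputation but does nothing about speed: MD5 is fast enough that a per-account dictionary attack is still cheap, so a new system should store passwords with a deliberately slow, salted function (PBKDF2, bcrypt or scrypt) rather than salted MD5.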

30
Q

QUESTION 153
In which two modes can Cisco Configuration Professional Security Audit operate? (Choose two.)
A. Security Audit wizard B. Lockdown C. One-Step Lockdown D. AutoSecure

A

AC

31
Q

QUESTION 154
What are three of the security conditions that Cisco Configuration Professional One-Step Lockdown can automatically detect and correct on a Cisco router? (Choose three.)
A. One-Step Lockdown can set the enable secret password. B. One-Step Lockdown can disable unused ports. C. One-Step Lockdown can disable the TCP small servers service. D. One-Step Lockdown can enable IP Cisco Express Forwarding. E. One-Step Lockdown can enable DHCP snooping. F. One-Step Lockdown can enable SNMP version 3.

A

ACD

32
Q

QUESTION 155
Which statement about Control Plane Policing is true?
A. Control Plane Policing allows QoS filtering to protect the control plane against DoS attacks. B. Control Plane Policing classifies traffic into three categories to intercept malicious traffic. C. Control Plane Policing allows ACL-based filtering to protect the control plane against DoS attacks. D. Control Plane Policing intercepts and classifies all traffic.

A

A

33
Q

QUESTION 156
Which three applications comprise Cisco Security Manager? (Choose three.)
A. Configuration Manager B. Packet Tracer C. Device Manager D. Event Viewer E. Report Manager F. Syslog Monitor

A

ADE

34
Q

QUESTION 157
When a network transitions from IPv4 to IPv6, how many bits does the address expand to?
A. 64 bits B. 128 bits C. 96 bits D. 156 bits

A

B

35
Q

QUESTION 158
On which Cisco Configuration Professional screen do you enable AAA?
A. AAA Summary B. AAA Servers and Groups C. Authentication Policies D. Authorization Policies

A

A

36
Q

QUESTION 159
Under which option do you create a AAA authentication policy in Cisco Configuration Professional?
A. Authentication Policies B. Authentication Policies > Login C. AAA Servers and Groups D. AAA Summary

A

B

37
Q

QUESTION 160
Which three statements about TACACS+ are true? (Choose three.)
A. TACACS+ uses TCP port 49. B. TACACS+ uses UDP ports 1645 and 1812. C. TACACS+ encrypts the entire packet. D. TACACS+ encrypts only the password in the Access-Request packet. E. TACACS+ is a Cisco proprietary technology. F. TACACS+ is an open standard.

A

ACE

38
Q

QUESTION 161
Which three statements about RADIUS are true? (Choose three.)
A. RADIUS uses TCP port 49. B. RADIUS uses UDP ports 1645 or 1812. C. RADIUS encrypts the entire packet. D. RADIUS encrypts only the password in the Access-Request packet. E. RADIUS is a Cisco proprietary technology. F. RADIUS is an open standard.

A

BDF

39
Q

QUESTION 162
Which network security framework is used to set up access control on Cisco Appliances?
A. RADIUS B. AAA C. TACACS+ D. NAS

A

B

40
Q

QUESTION 163
Which two protocols are used in a server-based AAA deployment? (Choose two.)
A. RADIUS B. TACACS+ C. HTTPS D. WCCP E. HTTP

A

AB

41
Q

QUESTION 164
Which Cisco IOS command will verify authentication between a router and a AAA server?
A. debug aaa authentication B. test aaa group C. test aaa accounting D. aaa new-model

A

B

42
Q

QUESTION 165
Which AAA feature can automate record keeping within a network?
A. TACACS+ B. authentication C. authorization D. accounting

A

D

43
Q

QUESTION 166
Which two statements about IPv6 access lists are true? (Choose two).
A. IPv6 access lists support numbered access lists. B. IPv6 access lists support wildcard masks. C. IPv6 access lists support standard access lists. D. IPv6 access lists support named access lists. E. IPv6 access lists support extended access lists.

A

DE

44
Q

QUESTION 167
Which command enables subnet 192.168.8.4/30 to communicate with subnet 192.168.8.32/27 on IP protocol 50?
A. permit esp 192.168.8.4 255.255.255.252 192.168.8.32 255.255.255.224 B. permit esp 192.168.8.4 0.0.0.31 192.168.8.32 0.0.0.31 C. permit esp 192.168.8.4 255.255.255.252 224.168.8.32 255.255.255.192 D. permit esp 192.168.8.4 0.0.0.3 192.168.8.32 0.0.0.31

A

D

45
Q

QUESTION 168
Which two types of access lists can be used for sequencing? (Choose two.)
A. reflexive B. standard C. dynamic D. extended

A

BD

46
Q

QUESTION 169
Which command will block IP traffic to the destination 172.16.0.1/32?
A. access-list 101 deny ip host 172.16.0.1 any B. access-list 101 deny ip any host 172.16.0.1 C. access-list 101 deny ip any any D. access-list 11 deny host 172.16.0.1

A

B

47
Q

QUESTION 170
Which two considerations about secure network monitoring are important? (Choose two.)
A. log tampering B. encryption algorithm strength C. accurate time stamping D. off-site storage E. Use RADIUS for router commands authorization. F. Do not use a loopback interface for device management access.

A

AC

48
Q

QUESTION 171
Which two countermeasures can mitigate STP root bridge attacks? (Choose two.)
A. root guard B. BPDU filtering C. Layer 2 PDU rate limiter D. BPDU guard

A

AD

49
Q

QUESTION 172
Which two countermeasures can mitigate MAC spoofing attacks? (Choose two.)
A. IP source guard B. port security C. root guard D. BPDU guard

A

AB

50
Q

QUESTION 173
Which statement correctly describes the function of a private VLAN?
A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains. B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains. C. A private VLAN enables the creation of multiple VLANs using one broadcast domain. D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain.

A

A

51
Q

QUESTION 174
What are two primary attack methods of VLAN hopping? (Choose two.)
A. VoIP hopping B. switch spoofing C. CAM-table overflow D. double tagging

A

BD

52
Q

QUESTION 175
Which type of attack can be prevented by setting the native VLAN to an unused VLAN?
A. VLAN-hopping attacks B. CAM-table overflow C. denial-of-service attacks D. MAC-address spoofing

A

A

53
Q

QUESTION 176
What is the purpose of a trunk port?
A. A trunk port carries traffic for multiple VLANs. B. A trunk port connects multiple hubs together to increase bandwidth. C. A trunk port separates VLAN broadcast domains. D. A trunk port provides a physical link specifically for a VPN.

A

A

54
Q

QUESTION 177
The host A Layer 2 port is configured in VLAN 5 on switch 1, and the host B Layer 2 port is configured in VLAN 10 on switch 1. Which two actions can you take to enable the two hosts to communicate with each other? (Choose two.)
A. Configure inter-VLAN routing. B. Connect the hosts directly through a hub. C. Configure switched virtual interfaces. D. Connect the hosts directly through a router.

A

AC

55
Q

QUESTION 178
Which two pieces of information should you acquire before you troubleshoot an STP loop? (Choose two.)
A. topology of the routed network B. topology of the switched network C. location of the root bridge D. number of switches in the network

A

BC

56
Q

QUESTION 179
Which two options are symmetric-key algorithms that are recommended by Cisco? (Choose two.)
A. Twofish B. Advanced Encryption Standard C. Blowfish D. Triple Data Encryption Standard

A

BD

57
Q

QUESTION 180
Which technology provides an automated digital certificate management system for use with IPsec?
A. ISAKMP B. public key infrastructure C. Digital Signature Algorithm D. Internet Key Exchange

A

B

58
Q

QUESTION 181
Which two IPsec protocols are used to protect data in motion? (Choose two.)
A. Encapsulating Security Payload Protocol B. Transport Layer Security Protocol C. Secure Shell Protocol D. Authentication Header Protocol

A

AD

59
Q

QUESTION 182
On which protocol number does Encapsulating Security Payload operate?
A. 06 B. 47 C. 50 D. 51

A

C

60
Q

QUESTION 183
On which protocol number does the authentication header operate?
A. 06 B. 47 C. 50 D. 51

A

D

61
Q

QUESTION 185
In an IPsec VPN, what determination does the access list make about VPN traffic?
A. whether the traffic should be blocked B. whether the traffic should be permitted C. whether the traffic should be encrypted D. the peer to which traffic should be sent

A

C

62
Q

QUESTION 186
Which command verifies phase 2 of an IPsec VPN on a Cisco router?
A. show crypto map B. show crypto ipsec sa C. show crypto isakmp sa D. show crypto engine connection active

A

B

63
Q

QUESTION 187
You are troubleshooting a Cisco AnyConnect VPN on a firewall and issue the command show webvpn anyconnect. The output shows the message “SSL VPN is not enabled” instead of showing the AnyConnect package. Which action can you take to resolve the problem?
A. Issue the enable outside command. B. Issue the anyconnect enable command. C. Issue the enable inside command. D. Reinstall the AnyConnect image.

A

B

64
Q

QUESTION 188
What is the key difference between host-based and network-based intrusion prevention?
A. Network-based IPS is C SSL and TLS encrypted data flows. B. Network-based IPS provides better protection against OS kernel-level attacks against hosts and servers. C. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers. D. Host-based IPS can work in promiscuous mode or inline mode. E. Host-based IPS is more scalable than network-based IPS. F. Host-based IPS deployment requires less planning than network-based IPS.

A

C

65
Q

QUESTION 189
Of the following common elements of a network design, which one is the most important?
A. Business needs B. Best practices C. Risk analysis D. Security policy

A

A

66
Q

QUESTION 190
When configuring Cisco IOS login enhancements for virtual connections, what is the “quiet period”?
A. A period of time when no one is attempting to log in B. The period of time in which virtual logins are blocked as security services fully initialize C. The period of time in which virtual login attempts are blocked, following repeated failed login attempts D. The period of time between successive login attempts

A

C

67
Q

QUESTION 191
What is a result of securing the Cisco IOS image using the Cisco IOS image resilience feature?
A. The show version command will not show the Cisco IOS image file location. B. The Cisco IOS image file will not be visible in the output from the show flash command. C. When the router boots up, the Cisco IOS image will be loaded from a secured FTP location. D. The running Cisco IOS image will be encrypted and then automatically backed up to the NVRAM. E. The running Cisco IOS image will be encrypted and then automatically backed up to a TFTP server.

A

B

68
Q

QUESTION 192
Which three statements are valid SDM configuration wizards? (Choose three.)
A. Security Audit B. VPN C. STP D. NAT

A

ABD

69
Q

QUESTION 193
How do you define the authentication method that will be used with AAA?
A. With a method list B. With the method command C. With the method aaa command D. With a method statement

A

A

70
Q

QUESTION 194
Which one of the following commands can be used to enable AAA authentication to determine if a user can access the privilege command level?
A. aaa authentication enable default local B. aaa authentication enable level C. aaa authentication enable method default D. aaa authentication enable default

A

D

71
Q

QUESTION 195
Which two ports are used with RADIUS authentication and authorization? (Choose two.)
A. TCP port 2002 B. UDP port 2000 C. UDP port 1645 D. UDP port 1812

A

CD

72
Q

QUESTION 196
Which type of MAC address is dynamically learned by a switch port and then added to the switch’s running configuration?
A. Pervasive secure MAC address B. Static secure MAC address C. Sticky secure MAC address D. Dynamic secure MAC address

A

C

73
Q

QUESTION 197
What command displays all existing IPsec security associations (SA)?
A. show crypto isakmp sa B. show crypto ipsec sa C. show crypto ike active D. show crypto sa active

A

B

74
Q

QUESTION 198
Which of the following is not considered a trustworthy symmetric encryption algorithm?
A. 3DES B. IDEA C. EDE D. AES

A

C

75
Q

QUESTION 199
For the following items, which management topology keeps management traffic isolated from production traffic?
A. OOB B. SAFE C. MARS D. OTP

A

A

76
Q

QUESTION 200
Which type of cipher achieves security by rearranging the letters in a string of text?
A. Vigenère cipher B. Stream cipher C. Transposition cipher D. Block cipher

A

C