Module 5: Security Fundamentals Flashcards

1
Q

Which of the following commands should you issue on a switch port so that no more than two devices can send traffic into the port? (Select the best answer.)

A. switchport port-security mac-address 2
B. switchport port-security
C. switchport port-security mac-address sticky
D. switchport port-security 2
E. switchport port-security maximum 2

A

E. switchport port-security maximum 2

2
Q

Which of the following statements best describes the AAA Override feature on a Cisco WLC? (Select the best answer.)

A. It can be used to configure VLAN tagging, QoS, and ACLs to individual clients based on RADIUS attributes.
B. It enables automatic checks of the security posture of endpoints.
C. It can be used to modify or terminate an already authenticated session.
D. It is a means of facilitating communication among security applications.

A

A. It can be used to configure VLAN tagging, QoS, and ACLs to individual clients based on RADIUS attributes.

3
Q

Which of the following are used by WPA2 to provide MICs and encryption? (Select 2 choices.)

A. GCMP
B. AES
C. TKIP
D. CCMP
E. RC4

A

B. AES
D. CCMP

4
Q

You issue the following commands on Switch1:
~~~
Switch1#configure terminal
Switch1(config)#ip arp inspection vlan 11-12,14
Switch1(config)#interface range gigabitethernet 0/1 - 2
Switch1(config-if-range)#switchport access vlan 1
Switch1(config-if-range)#switchport mode access
~~~

Which of the following statements are true? (Select the best answer.)
A. DAI is configured on only GigabitEthernet 0/1 and GigabitEthernet 0/2
B. Only GigabitEthernet 0/1 and GigabitEthernet 0/2 ports are untrusted ports
C. DAI is not configured on GigabitEthernet 0/1 and GigabitEthernet 0/2
D. Only GigabitEthernet 0/1 and GigabitEthernet 0/2 are trusted ports

A

C. DAI is not configured on GigabitEthernet 0/1 and GigabitEthernet 0/2

5
Q

Which of the following combinations represents a single-factor authentication method? (Select the best answer.)
A. a smart card, a password, and a PIN
B. a password, a fingerprint, and a smart card
C. a fingerprint, a retina scan, and a password
D. a password and a PIN

A

D. a password and a PIN

6
Q

Which of the following best describes authentication? (Select the best answer.)

A. the process of establishing a user’s accounts upon hire
B. the process of recording the use of resources
C. the process of verifying a user’s identity
D. the process of verifying the level of access configured for a user

A

C. the process of verifying a user’s identity

7
Q

Which of the following Layer 2 attacks uses the MAC address of another known host on the network in order to bypass port security measures? (Select the best answer.)
A. MAC flooding
B. VLAN hopping
C. ARP poisoning
D. DHCP spoofing
E. MAC spoofing

A

E. MAC spoofing

8
Q

You want to create a user account named boson with the password eX$1mM@x on a router. The password should be converted to an MD5 hash and stored on the router.

Which of the following commands should you issue on the router? (Select the best answer.)

A. username boson eX$1mM@x
B. username boson secret 5 eX$1mM@x
C. username boson password eX$1mM@x
D. username boson secret eX$1mM@x

A

D. username boson secret eX$1mM@x

9
Q

You issue the show running-config | section line command on RouterB and receive the following output:

~~~
RouterB#show running-config | section line
line con 0
line aux 0
line vty 0 4
  access-class 10 in
  login
  password cisco
~~~

Which of the following ACL types is applied to the VTY lines on RouterB? (Select the best answer.)

A. standard
B. dynamic
C. named
D. extended

A

A. standard

Standard ACL numbers range from 1 through 99 or 1300 through 1999.

10
Q

Which of the following can be implemented to provide assisted roaming in a wireless network? (Select the best answer.)

A. 802.11v
B. 802.11k
C. 802.11w
D. 802.11r

A

B. 802.11k

11
Q

Which of the following features are provided by IPSec? (Select 2 choices.)

A. broadcast packet encapsulation
B. data confidentiality
C. multicast packet encapsulation
D. data integrity

A

B. data confidentiality
D. data integrity

12
Q

What is the appropriate order of the four steps of the site-to-site VPN IPSec encryption process?

  • The destination device decrypts the data and the session key.
  • The sending device sends the decrypted packet to the destination device.
  • The sending device encrypts the original packet and the session key.
  • The sending device encapsulates the encrypted data with new headers.

A

1. The sending device encrypts the original packet and the session key.
2. The sending device encapsulates the encrypted data with new headers.
3. The sending device sends the decrypted packet to the destination device.
4. The destination device decrypts the data and the session key.

13
Q

Which of the following is the best way to mitigate zero-day exploits? (Select the best answer.)

A. wiping media by writing a series of zeroes to it.
B. patching a system to fix the zero-day vulnerability.
C. hardening a system so that it provides only required functionality.
D. wiping media by writing random data to it.

A

C. hardening a system so that it provides only required functionality.

14
Q

An administrator has generated the following MD5 hash from a plain-text password:

sd.skf@2342/11%32343-1.1wesw2@

The administrator wants to configure the password so that it will be used to access enable mode on a Cisco router. The no service password-encryption command has been issued on the router.

Which of the following commands should the administrator issue? (Select the best answer.)

A. password 0 sd.skf@2342/11%32343-1.1wesw2@
B. enable secret 5 sd.skf@2342/11%32343-1.1wesw2@
C. enable secret 0 sd.skf@2342/11%32343-1.1wesw2@
D. password 7 sd.skf@2342/11%32343-1.1wesw2@
E. enable password 5 sd.skf@2342/11%32343-1.1wesw2@

A

B. enable secret 5 sd.skf@2342/11%32343-1.1wesw2@

15
Q

You issue the following commands on a Cisco router named RouterA:

~~~
enable password !bo0s0nu$3r!
enable secret b0$0n4dm!n
line console 0
password b0$0n4dm1n
line vty 0 15
login
password b0s0nu$3r
service password-encryption
~~~

Another user has been asked to examine the running configuration on RouterA but not make any configuration changes. The user connects to RouterA by using Telnet.

Which of the following will the user require in order to perform this task? (Select the best answer.)

A. the console password alone
B. the enable secret password and the console password
C. the console password and the VTY line password
D. the enable secret password and the VTY line password
E. the enable password and the VTY line password

A

D. the enable secret password and the VTY line password

16
Q

You are configuring security on a new WLAN by using the WLC GUI.

Which of the following security settings are you most likely to configure by using the Layer3 Security drop-down list box on the Layer 3 tab? (Select the best answer.)

A. VPN Pass-Through
B. WPA+WPA2
C. Web Passthrough
D. Web Authentication

A

A. VPN Pass-Through

17
Q

Which of the following is most likely to be considered a form of accounting? (Select the best answer.)

A. verifying a user’s password
B. verifying a user’s fingerprint pattern
C. allowing a user to access a specific file
D. assigning a role to a verified user
E. logging a verified user’s file access

A

E. logging a verified user’s file access

18
Q

Which of the following is true about IPSec configured in transport mode? (Select the best answer.)
A. It is required for NAT traversal.
B. It requires additional headers.
C. It encrypts the entire packet.
D. It does not encrypt the IP header.

A

D. It does not encrypt the IP header.