Modules 13-17: Threats and Attacks Flashcards

1
Q

What are two methods used by cybercriminals to mask dns attacks? (choose two.)

Domain generation algorithms

Reflection

Fast flux

Shadowing

Tunneling

A
  • Domain generation algorithms
  • Fast flux

Fast flux is a technique used to hide phishing and malware delivery sites behind a quickly-changing network of compromised DNS hosts (bots within botnets). The double IP flux technique rapidly changes the hostname to IP address mappings and the authoritative name server.

Domain generation algorithms randomly generate domain names to be used as rendezvous points.
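The two sentences above describe the mechanism but not what a DGA actually computes. The following is an added example, not part of the original flashcards: a hypothetical seed-plus-date DGA (the seed string, label length and TLD list are assumptions chosen for illustration) next to the cheap entropy heuristic an analyst would run over DNS logs to triage candidate DGA hostnames. The point it makes is that both malware and operator derive the same rendezvous list, so blocking one name achieves nothing, while the generated labels tend to look nothing like human-chosen names.

```python
import hashlib
import math
from datetime import date

# Assumptions for the illustration: three TLDs and a 12-character label.
# Real DGA families vary these per sample, seed and date.
TLDS = ("com", "net", "org")
LABEL_LEN = 12


def generate_domains(seed: str, day_iso: str, count: int = 5) -> list[str]:
    """Hypothetical DGA: hash a shared secret, the date (YYYY-MM-DD) and a counter
    into lowercase labels. Malware and operator compute the same list, so the
    operator registers one name while defenders would have to block all of them."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day_iso}:{i}".encode()).hexdigest()
        # map each hex nibble (0..15) onto a letter a..p
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def todays_domains(seed: str, count: int = 5) -> list[str]:
    """What the implant would compute at run time for the current day."""
    return generate_domains(seed, date.today().isoformat(), count)


def label_entropy(hostname: str) -> float:
    """Shannon entropy (bits per character) of the leftmost DNS label."""
    label = hostname.split(".")[0]
    n = len(label)
    counts: dict[str, int] = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(hostname: str, min_len: int = 10, min_entropy: float = 3.0) -> bool:
    """Triage heuristic for DNS log review: long labels with high character
    entropy are candidates for DGA traffic, not proof of it. Thresholds are
    assumptions; tune them against your own baseline of benign names."""
    label = hostname.split(".")[0]
    return len(label) >= min_len and label_entropy(hostname) >= min_entropy
```

The heuristic deliberately errs on the side of candidates: CDN and cloud hostnames also score high, so in practice it feeds a review queue or a correlation rule (many NXDOMAIN answers for high-entropy names from one host), not a blocking decision.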

2
Q

Which network tool uses artificial intelligence to detect incidents and aid in incident analysis and response?

SIEM

Wireshark

NetFlow

SOAR

A

SOAR

SOAR works together with SIEM systems: the SIEM detects malicious activity, and SOAR helps respond to the threat. SOAR has many functions and benefits, including these abilities:

The use of predefined playbooks to enable automatic response to specific threats

The use of artificial intelligence to detect incidents and aid in incident analysis and response

3
Q

A user is curious about how someone might know a computer has been infected with malware. What are two common malware behaviors? (choose two.)

The computer emits a hissing sound every time the pencil sharpener is used.

The computer beeps once during the boot process.

The computer gets increasingly slower to respond.

No sound emits when an audio cd is played.

The computer freezes and requires reboots.

A
  1. The computer gets increasingly slower to respond.
  2. The computer freezes and requires reboots.

Other symptoms:

  • Appearance of unfamiliar files, applications, or desktop icons
  • Security tools such as antivirus software or firewalls turned off or changed
  • System crashes
  • Emails spontaneously sent to others
  • Modified or missing files
  • Slow system or browser response
  • Unfamiliar processes or services running
  • Unknown TCP or UDP ports open
  • Connections made to unknown remote devices
4
Q

Why would a rootkit be used by a hacker?

to try to guess a password

to reverse engineer binary files

to gain access to a device without being detected

to do reconnaissance

A

to gain access to a device without being detected

5
Q

Which protocol is attacked when a cybercriminal provides an invalid gateway in order to create a man-in-the-middle attack?

ICMP

DNS

DHCP

HTTP or HTTPS

A

DHCP

A cybercriminal could set up a rogue DHCP server that provides one or more of the following:

Wrong default gateway that is used to create a man-in-the-middle attack and allow the attacker to intercept data

Wrong DNS server that results in the user being sent to a malicious website

Invalid default gateway IP address that results in a denial of service attack on the DHCP client
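The three rogue-server outcomes above are all visible in the OFFER itself: the server identifier (option 54), router (option 3) and DNS server (option 6) options. The following is an added example, not code from the original flashcards: a parser for the DHCP option area plus the policy check that a DHCP snooping switch or a passive monitor applies to each OFFER it sees. The authorised server, expected gateway and expected resolver addresses are assumptions for an example network, and the OFFER messages are constructed inline.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # follows the 236-byte BOOTP fixed part
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
DHCP_OFFER = b"\x02"

# Assumptions for the example network: the only authorised DHCP server, and the
# gateway and resolver it is expected to hand out.
AUTHORIZED_SERVERS = {IPv4Address("10.0.0.1")}
EXPECTED_GATEWAY = IPv4Address("10.0.0.1")
EXPECTED_DNS = {IPv4Address("10.0.0.53")}


def parse_dhcp_options(message: bytes) -> dict[int, bytes]:
    """Walk the TLV option area that follows the fixed BOOTP fields and the magic cookie."""
    if len(message) < 240 or message[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options: dict[int, bytes] = {}
    i = 240
    while i < len(message):
        code = message[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        length = message[i + 1]
        options[code] = message[i + 2 : i + 2 + length]
        i += 2 + length
    return options


def audit_offer(message: bytes) -> list[str]:
    """Return the reasons an OFFER looks rogue; an empty list means it matches policy."""
    opts = parse_dhcp_options(message)
    if opts.get(OPT_MSG_TYPE) != DHCP_OFFER:
        return []                     # only OFFERs carry the lease parameters we audit
    findings = []
    server = IPv4Address(opts.get(OPT_SERVER_ID, b"\0\0\0\0"))
    if server not in AUTHORIZED_SERVERS:
        findings.append(f"offer from unauthorised server {server}")
    gateway = IPv4Address(opts[OPT_ROUTER]) if OPT_ROUTER in opts else None
    if gateway != EXPECTED_GATEWAY:
        findings.append(f"unexpected default gateway {gateway} (man-in-the-middle or DoS)")
    raw = opts.get(OPT_DNS, b"")
    dns = {IPv4Address(raw[k : k + 4]) for k in range(0, len(raw), 4)}
    if dns != EXPECTED_DNS:
        findings.append(f"unexpected DNS servers {sorted(map(str, dns))}")
    return findings


def build_offer(server: str, gateway: str, dns: list[str]) -> bytes:
    """Constructed DHCPOFFER used as sample input; BOOTP fields other than 'op' are zeroed."""
    fixed = bytearray(236)
    fixed[0] = 2                      # op = BOOTREPLY
    dns_raw = b"".join(IPv4Address(d).packed for d in dns)
    options = (
        bytes([OPT_MSG_TYPE, 1]) + DHCP_OFFER
        + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server).packed
        + bytes([OPT_ROUTER, 4]) + IPv4Address(gateway).packed
        + bytes([OPT_DNS, len(dns_raw)]) + dns_raw
        + bytes([OPT_END])
    )
    return bytes(fixed) + MAGIC_COOKIE + options
```

The same comparison is what DHCP snooping does on a switch: OFFERs are only accepted on trusted ports, so the rogue server's traffic is dropped before any client sees it. A passive monitor like this one is the fallback where snooping is not available, and it also catches a misconfigured legitimate server.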

6
Q

What is the result of a DHCP starvation attack?

Clients receive IP address assignments from a rogue DHCP server.

The IP addresses assigned to legitimate clients are hijacked.

The attacker provides incorrect DNS and default gateway information to clients.

Legitimate clients are unable to lease IP addresses.

A

Legitimate clients are unable to lease IP addresses.

7
Q

A company has contracted with a network security firm to help identify the vulnerabilities of the corporate network. The firm sends a team to perform penetration tests to the company network. Why would the team use applications such as Nmap, SuperScan, and Angry IP Scanner?

to probe network devices, servers, and hosts for open TCP or UDP ports

to reverse engineer binary files when writing exploits and when analyzing malware

to detect installed tools within files and directories that provide threat actors remote access and control over a computer or network

to detect any evidence of a hack or malware in a computer or network

A

to probe network devices, servers, and hosts for open TCP or UDP ports

8
Q

Which attack involves threat actors positioning themselves between a source and destination with the intent of transparently monitoring, capturing, and controlling the communication?

DoS attack

ICMP attack

SYN flood attack

man-in-the-middle attack

A

man-in-the-middle attack

9
Q

What technique is a security attack that depletes the pool of IP addresses available for legitimate hosts?

reconnaissance attack

DHCP starvation

DHCP spoofing

DHCP snooping

A

DHCP starvation

10
Q

To which category of security attacks does man-in-the-middle belong?

access

social engineering

reconnaissance

DoS

A

access

With a man-in-the-middle attack, a threat actor is positioned in between two legitimate entities in order to read, modify, or redirect the data that passes between the two parties.

11
Q

How do cybercriminals make use of a malicious iFrame?

The attacker embeds malicious content in business appropriate files.

The iFrame allows multiple DNS subdomains to be used.

The attacker redirects traffic to an incorrect DNS server.

The iFrame allows the browser to load a web page from another source.

A

The iFrame allows the browser to load a web page from another source.

12
Q

Which field in the IPv6 header points to optional network layer information that is carried in the IPv6 packet?

traffic class

version

flow label

next header

A

Next Header

Optional Layer 3 information about fragmentation, security, and mobility is carried inside of extension headers in an IPv6 packet. The next header field of the IPv6 header acts as a pointer to these optional extension headers if they are present.

https://www.youtube.com/watch?v=58S_W-KuES8

13
Q

Which field in the IPv4 header is used to prevent a packet from traversing a network endlessly?

Time-to-Live

Sequence Number

Differentiated Services

Acknowledgment Number

A

Time-to-Live

The value of the Time-to-Live (TTL) field in the IPv4 header is used to limit the lifetime of a packet.

The sending host sets the initial TTL value, which is decreased by one each time the packet is forwarded by a router.

If the TTL field decrements to zero, the router discards the packet and sends an Internet Control Message Protocol (ICMP) Time Exceeded message to the source IP address. Because the TTL byte changes at every hop, the router must also recompute the header checksum before forwarding.

The Differentiated Services (DS) field is used to determine the priority of each packet.

Sequence Number and Acknowledgment Number are two fields in the TCP header.
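The per-hop behaviour described above (verify the header, decrement TTL, drop at zero, rewrite the checksum) is small enough to show end to end. The following is an added example, not code from the original flashcards: it builds a minimal IPv4 header, verifies and recomputes the one's-complement header checksum, and models what a router does to the TTL on each hop. The addresses are documentation ranges and the header is constructed inline; the ICMP Time Exceeded reply is described in a comment, not generated.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. Call it with the checksum
    field zeroed to compute a checksum; called over a header that already carries
    a correct checksum it returns 0, which is the verification test."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int, protocol: int = 17, payload_len: int = 0) -> bytes:
    """Minimal 20-byte header with no options; constructed sample input."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, protocol, 0,   # checksum field zeroed
        IPv4Address(src).packed, IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def header_is_intact(header: bytes) -> bool:
    """Header checksum check; a corrupted header sums to something other than 0."""
    return ipv4_checksum(header) == 0


def ttl_of(header: bytes) -> int:
    return header[8]


def router_forward(header: bytes) -> Optional[bytes]:
    """One router hop: a header that fails the checksum is silently discarded;
    a packet whose TTL would reach zero is discarded and the router sends
    ICMP Time Exceeded (type 11, code 0) to the source, which is not modelled here;
    otherwise the TTL is decremented and the checksum rewritten."""
    if not header_is_intact(header):
        return None
    if ttl_of(header) <= 1:
        return None
    out = bytearray(header)
    out[8] = ttl_of(header) - 1
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out)))
    return bytes(out)
```

Note that the checksum covers only the header, not the payload, so it detects corruption of the fields routers act on (addresses, TTL, protocol) and nothing else; payload integrity is the job of the transport checksum or of an authenticated protocol above it.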

14
Q

What is the purpose of a reconnaissance attack on a computer network?

to prevent users from accessing network resources

to gather information about the target network and system

to steal data from the network servers

to redirect data traffic so that it can be monitored

A

to gather information about the target network and system

15
Q

A user receives a phone call from a person who claims to represent IT services and then asks that user for confirmation of username and password for auditing purposes. Which security threat does this phone call represent?

social engineering

spam

anonymous keylogging

DDoS

A

social engineering

16
Q

Which statement describes the term attack surface?

It is the network interface where attacks originate.

It is the total number of attacks toward an organization within a day.

It is the group of hosts that experiences the same attack.

It is the total sum of vulnerabilities in a system that is accessible to an attacker.

A

It is the total sum of vulnerabilities in a system that is accessible to an attacker.

17
Q

Which action best describes a MAC address spoofing attack?

flooding the LAN with excessive traffic

bombarding a switch with fake source MAC addresses

altering the MAC address of an attacking host to match that of a legitimate host

forcing the election of a rogue root bridge

A

altering the MAC address of an attacking host to match that of a legitimate host

18
Q

Which type of network attack involves randomly opening many Telnet requests to a router and results in a valid network administrator not being able to access the device?

DNS poisoning

man-in-the-middle

SYN flooding

spoofing

A

SYN flooding

19
Q

A threat actor uses a program to launch an attack by sending a flood of UDP packets to a server on the network.

The program sweeps through all of the known ports trying to find closed ports. It causes the server to reply with an ICMP port unreachable message and is similar to a DoS attack.

Which two programs could be used by the threat actor to launch the attack? (Choose two.)

WireShark

ping

Low Orbit Ion Cannon

UDP Unicorn

Smurf

A
  • Low Orbit Ion Cannon
  • UDP Unicorn

A threat actor can use a tool like UDP Unicorn or Low Orbit Ion Cannon to send a flood of UDP packets to launch a UDP flood attack that causes all the resources on a network to become consumed.

These types of programs will sweep through all the known ports trying to find closed ports. This causes the server to reply with an ICMP port unreachable message.

Because of the many closed ports on the server, there is so much traffic on the segment that almost all the bandwidth gets used. The end result is very similar to a DoS attack.
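The explanation above describes a signature a defender can actually look for in flow data: one source hitting many destination ports on one host, with a matching burst of ICMP port-unreachable replies coming back from the victim. The following is an added example, not code from the original flashcards: a small flow analyser over constructed NetFlow-style records that raises that signature and uses the packet rate to tell a slow reconnaissance port scan from the UDP flood described here. The record layout, thresholds and addresses are assumptions; the ICMP type/code encoding in the destination-port field follows the NetFlow v5 convention.

```python
from collections import defaultdict
from dataclasses import dataclass

ICMP_PORT_UNREACHABLE = (3 << 8) | 3   # NetFlow v5 stores ICMP type*256+code in the dst-port field


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds, start of flow
    src: str
    dst: str
    proto: str      # "udp" or "icmp"
    dport: int
    packets: int


def analyze_udp_traffic(flows, port_threshold: int = 50, flood_pps: float = 1000.0) -> dict:
    """Group UDP flows per (src, dst). Many distinct destination ports is the common
    signature of both a port scan and a UDP flood; the packet rate separates them.
    ICMP port-unreachable replies from the victim corroborate that closed ports were hit.
    Thresholds are assumptions to be tuned per network."""
    pairs = defaultdict(lambda: {"ports": set(), "packets": 0, "first": None, "last": None})
    unreachable = defaultdict(int)
    for f in flows:
        if f.proto == "udp":
            p = pairs[(f.src, f.dst)]
            p["ports"].add(f.dport)
            p["packets"] += f.packets
            p["first"] = f.ts if p["first"] is None else min(p["first"], f.ts)
            p["last"] = f.ts if p["last"] is None else max(p["last"], f.ts)
        elif f.proto == "icmp" and f.dport == ICMP_PORT_UNREACHABLE:
            unreachable[(f.dst, f.src)] += f.packets   # reply travels victim -> sender
    verdicts = {}
    for (src, dst), p in pairs.items():
        if len(p["ports"]) < port_threshold:
            continue
        pps = p["packets"] / max(p["last"] - p["first"], 1.0)
        verdicts[(src, dst)] = {
            "distinct_ports": len(p["ports"]),
            "pps": pps,
            "icmp_unreachable": unreachable[(src, dst)],
            "verdict": "udp_flood" if pps >= flood_pps else "port_scan",
        }
    return verdicts


def sample_flows() -> list:
    """Constructed records: a slow scanner, a flooder, and a normal DNS client."""
    flows = []
    for i in range(100):                       # scanner: 100 ports over a minute, 1 packet each
        flows.append(Flow(i * 0.6, "10.0.0.7", "10.0.0.5", "udp", 1 + i, 1))
        flows.append(Flow(i * 0.6 + 0.01, "10.0.0.5", "10.0.0.7", "icmp", ICMP_PORT_UNREACHABLE, 1))
    for i in range(200):                       # flooder: 200 ports in two seconds, 50 packets per flow
        flows.append(Flow(i * 0.01, "10.0.0.99", "10.0.0.5", "udp", 1024 + i, 50))
        flows.append(Flow(i * 0.01, "10.0.0.5", "10.0.0.99", "icmp", ICMP_PORT_UNREACHABLE, 50))
    for i in range(30):                        # benign: repeated DNS queries to one port
        flows.append(Flow(i * 2.0, "10.0.0.20", "10.0.0.53", "udp", 53, 3))
    return flows
```

Two caveats a practitioner would add: a flood with spoofed source addresses will not show up as one (src, dst) pair, so the per-victim view (total UDP packets and ICMP unreachables per destination) is needed as well; and rate limiting ICMP unreachable generation on the server is itself a mitigation, which in turn lowers the corroborating signal.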

20
Q

Which two types of hackers are typically classified as grey hat hackers? (Choose two.)

hacktivists

cyber criminals

vulnerability brokers

script kiddies

state-sponsored hackers

A
  • Hacktivists
  • Vulnerability brokers

Grey hat hackers may do unethical or illegal things, but not for personal gain or to cause damage.

Vulnerability brokers hack to uncover weaknesses and report them to vendors.

21
Q

Which network monitoring capability is provided by using SPAN?

Real-time reporting and long-term analysis of security events are enabled.

Statistics on packets flowing through Cisco routers and multilayer switches can be captured.

Network analysts are able to access network device log files and to monitor network behavior.

Traffic exiting and entering a switch is copied to a network monitoring device.

A

Traffic exiting and entering a switch is copied to a network monitoring device.

When enabled on a switch, SPAN (port mirroring) copies frames that are sent and received on the monitored ports and forwards them to another port, the Switch Port ANalyzer port, which has an analysis device attached.

22
Q

What are the three major components of a worm attack? (choose three.)

A payload

A propagation mechanism

An infecting vulnerability

A probing mechanism

An enabling vulnerability

A penetration mechanism

A

A payload

A propagation mechanism

An enabling vulnerability

23
Q

Match the security concept to the description.

A
24
Q

A network administrator is checking the system logs and notices unusual connectivity tests to multiple well-known ports on a server. What kind of potential network attack could this indicate?

reconnaissance

access

denial of service

information theft

A

reconnaissance

25
Q

Users in a company have complained about network performance. After investigation, the IT staff has determined that an attacker has used a specific technique that affects the TCP three-way handshake. What is the name of this type of network attack?

DNS poisoning

session hijacking

SYN flood

DDoS

A

SYN flood

The TCP SYN flood attack exploits the TCP three-way handshake. The threat actor continually sends TCP SYN session request packets with a randomly spoofed source IP address to an intended target. The target answers each one with a SYN-ACK and waits for an ACK that never arrives, so its half-open connection table fills and legitimate connection requests are refused.

26
Q

Why would an attacker want to spoof a MAC address?

so that the attacker can capture traffic from multiple VLANs rather than from just the VLAN that is assigned to the port to which the attacker device is attached

so that a switch on the LAN will start forwarding frames to the attacker instead of to the legitimate host

so that a switch on the LAN will start forwarding all frames toward the device that is under control of the attacker (that can then capture the LAN traffic)

so that the attacker can launch another type of attack in order to gain access to the switch

A

so that a switch on the LAN will start forwarding frames to the attacker instead of to the legitimate host

27
Q

Which type of security threat would be responsible if a spreadsheet add-on disables the local software firewall?

DoS

Trojan horse

buffer overflow

brute-force attack

A

Trojan horse

28
Q

Which field in an IPv6 packet is used by the router to determine if a packet has expired and should be dropped?

TTL

No Route to Destination

Hop Limit

Address Unreachable

A

Hop Limit

29
Q

What is a vulnerability that allows criminals to inject scripts into web pages viewed by users?

Cross-site scripting

XML injection

buffer overflow

SQL injection

A

Cross-site scripting

30
Q

An attacker is redirecting traffic to a false default gateway in an attempt to intercept the data traffic of a switched network. What type of attack could achieve this?

MAC address snooping

DHCP spoofing

DHCP snooping

MAC address starvation

A

DHCP spoofing

31
Q

What is the term used when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted source?

backdoor

vishing

Trojan

phishing

A

phishing

32
Q

What causes a buffer overflow?

sending too much information to two or more interfaces of the same device, thereby causing dropped packets

attempting to write more data to a memory location than that location can hold

sending repeated connections such as Telnet to a particular device, thus denying other data sources

downloading and installing too many software updates at one time

launching a security countermeasure to mitigate a Trojan horse

A

attempting to write more data to a memory location than that location can hold

33
Q

What would be the target of an SQL injection attack?

DHCP

DNS

email

database

A

database

34
Q

The IT department is reporting that a company web server is receiving an abnormally high number of web page requests from different locations simultaneously. Which type of security attack is occurring?

social engineering

adware

phishing

spyware

DDoS

A

DDoS

35
Q

Which statement describes an operational characteristic of NetFlow?

NetFlow can provide services for user access control.

NetFlow captures the entire contents of a packet.

NetFlow flow records can be viewed by the tcpdump tool.

NetFlow collects basic information about the packet flow, not the flow data itself.

A

NetFlow collects basic information about the packet flow, not the flow data itself.

36
Q

Which term is used for bulk advertising emails flooded to as many end users as possible?

spam

adware

brute force

phishing

A

spam

37
Q

Which is an example of social engineering?

an unidentified person claiming to be a technician collecting user information from employees

a computer displaying unauthorized pop-ups and adware

an anonymous programmer directing a DDoS attack on a data center

the infection of a computer by a virus carried by a Trojan

A

an unidentified person claiming to be a technician collecting user information from employees

38
Q

Which tool is used to provide a list of open ports on network devices?

Ping

Nmap

Whois

Tracert

A

Nmap

39
Q

What are two purposes of launching a reconnaissance attack on a network? (Choose two.)

to escalate access privileges

to gather information about the network and devices

to prevent other users from accessing the system

to scan for accessibility

to retrieve and modify data

A
  • to scan for accessibility
  • to gather information about the network and devices

40
Q

What is the best description of Trojan horse malware?

It is software that causes annoying but not fatal computer problems.

It is the most easily detected form of malware.

It appears as useful software but hides malicious code.

It is malware that can only be distributed over the Internet.

A

It appears as useful software but hides malicious code.

41
Q

A white hat hacker is using a security tool called Skipfish to discover the vulnerabilities of a computer system. What type of tool is this?

debugger

fuzzer

vulnerability scanner

packet sniffer

A

fuzzer

Fuzzers are tools used to discover security vulnerabilities by feeding a target large volumes of malformed or unexpected input and watching for crashes or other abnormal behavior. Examples include Skipfish, Wapiti, and W3af. Threat actors use them to find exploitable bugs; white hat hackers use the same tools to find and report those bugs before an attacker does.

42
Q

Which type of security attack would attempt a buffer overflow?

ransomware

reconnaissance

DoS

scareware

A

DoS

43
Q

Which type of attack is carried out by threat actors against a network to determine which IP addresses, protocols, and ports are allowed by ACLs?

social engineering

denial of service

phishing

reconnaissance

A

reconnaissance

44
Q

Which type of Trojan horse security breach uses the computer of the victim as the source device to launch other attacks?

proxy

FTP

DoS

data-sending

A

proxy

45
Q

In which type of attack is falsified information used to redirect users to malicious Internet sites?

domain generation

ARP cache poisoning

DNS amplification and reflection

DNS cache poisoning

A

DNS cache poisoning

46
Q

Which statement describes cybersecurity?

It is a framework for security policy development.

It is an ongoing effort to protect Internet-connected systems and the data associated with those systems from unauthorized use or harm.

It is a standard-based model for developing firewall technologies to fight against cybercriminals.

It is the name of a comprehensive security application for end users to protect workstations from being attacked.

A

It is an ongoing effort to protect Internet-connected systems and the data associated with those systems from unauthorized use or harm.

47
Q

What is an essential function of SIEM?

forwarding traffic and physical layer errors to an analysis device

providing reporting and analysis of security events

monitoring traffic and comparing it against the configured rules

providing 24×7 statistics on packets flowing through a Cisco router or multilayer switch

A

providing reporting and analysis of security events

SIEM provides real-time reporting and analysis of security events. SIEM provides administrators with details on sources of suspicious activity such as user information, device location, and compliance with security policies.

48
Q

Which two types of attacks are examples of reconnaissance attacks? (Choose two.)

Brute force

Port scan

Ping sweep

Man-in-the-middle

SYN flood

A
  • Port scan
  • Ping sweep

49
Q

How is optional network layer information carried by IPv6 packets?

inside an extension header attached to the main IPv6 packet header

inside an options field that is part of the IPv6 packet header

inside the Flow Label field

inside the payload carried by the IPv6 packet

A

inside an extension header attached to the main IPv6 packet header
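Cards 12, 28 and 49 all turn on the same piece of mechanics: the Next Header byte in the fixed IPv6 header starts a chain, each extension header names the one after it, and routers act on Hop Limit with no header checksum to recompute. The following is an added example, not code from the original flashcards: a parser that walks that chain on a constructed packet (Hop-by-Hop, then Fragment, then UDP), returning the extension headers it passed through and the final upper-layer protocol, plus the Hop Limit decrement a router performs. Addresses are from the documentation range and the packet is built inline.

```python
import struct
from ipaddress import IPv6Address
from typing import Optional

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
PROTO_UDP = 17


def parse_ipv6(packet: bytes) -> dict:
    """Parse the fixed 40-byte header and walk the Next Header chain. Every
    extension header starts with its own Next Header byte; all but the Fragment
    header (fixed 8 bytes) carry a length in 8-octet units excluding the first 8."""
    vtf, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    src, dst = IPv6Address(packet[8:24]), IPv6Address(packet[24:40])
    chain, offset, nh = [], 40, next_header
    while nh in EXTENSION_HEADERS:
        chain.append(nh)
        ext_len = 8 if nh == FRAGMENT else (packet[offset + 1] + 1) * 8
        nh = packet[offset]                 # this extension header's Next Header field
        offset += ext_len
    return {"src": src, "dst": dst, "hop_limit": hop_limit, "chain": chain,
            "upper_layer": nh, "payload": packet[offset:]}


def router_forward_ipv6(packet: bytes) -> Optional[bytes]:
    """IPv6 has no header checksum, so the per-hop work is just the Hop Limit
    decrement; a packet whose limit would reach zero is discarded (the ICMPv6
    Time Exceeded reply is not modelled here)."""
    if packet[7] <= 1:
        return None
    out = bytearray(packet)
    out[7] -= 1
    return bytes(out)


def build_sample_packet(hop_limit: int = 64) -> bytes:
    """Constructed packet: Hop-by-Hop -> Fragment -> UDP, 2001:db8::1 -> 2001:db8::2."""
    udp = struct.pack("!HHHH", 53, 53, 13, 0) + b"hello"                # fake UDP header + 5 bytes
    fragment = bytes([PROTO_UDP, 0]) + struct.pack("!HI", 0, 0xDEADBEEF)  # next=UDP, offset 0, id
    hop_by_hop = bytes([FRAGMENT, 0]) + b"\x01\x04\x00\x00\x00\x00"       # next=Fragment, len 0 (8 bytes), PadN
    ext = hop_by_hop + fragment
    fixed = (struct.pack("!IHBB", 6 << 28, len(ext) + len(udp), HOP_BY_HOP, hop_limit)
             + IPv6Address("2001:db8::1").packed + IPv6Address("2001:db8::2").packed)
    return fixed + ext + udp
```

The security relevance of walking the chain correctly: filters that only read the fixed header's Next Header byte see "Hop-by-Hop" and never reach the UDP or TCP ports, which is exactly how attackers have used extension headers to slip past simple ACLs. A firewall rule that matches on upper-layer protocol has to parse to the end of the chain, as this function does.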
50
Q

What kind of ICMP message can be used by threat actors to create a man-in-the-middle attack?

ICMP echo request

ICMP unreachable

ICMP redirects

ICMP mask reply

A

ICMP redirects

Common ICMP messages of interest to threat actors include the following:

  • ICMP echo request and echo reply: used to perform host verification and DoS attacks
  • ICMP unreachable: used to perform network reconnaissance and scanning attacks
  • ICMP mask reply: used to map an internal IP network
  • ICMP redirects: used to lure a target host into sending all traffic through a compromised device and create a man-in-the-middle attack
  • ICMP router discovery: used to inject bogus route entries into the routing table of a target host

51
Q

Which two characteristics describe a virus? (Choose two.)

Malicious code that can remain dormant before executing an unwanted action.

Malware that executes arbitrary code and installs copies of itself in memory.

Malware that relies on the action of a user or a program to activate.

Program code specifically designed to corrupt memory in network devices.

A self-replicating attack that is independently launched.

A
  • Malicious code that can remain dormant before executing an unwanted action.
  • Malware that relies on the action of a user or a program to activate.

52
Q

A threat actor wants to interrupt a normal TCP communication between two hosts by sending a spoofed packet to both endpoints. Which TCP option bit would the threat actor set in the spoofed packet?

SYN

ACK

RST

FIN

A

RST

A TCP reset attack can be used to terminate TCP communications between two hosts by sending a spoofed TCP RST packet. A TCP connection is torn down when it receives a segment with the RST bit set, provided the sequence number falls within the receiver's window.

53
Q

What is the primary goal of a DoS attack?

to scan the data on the target server

to prevent the target server from being able to handle additional requests

to obtain all addresses in the address book within the server

to facilitate access to external networks

A

to prevent the target server from being able to handle additional requests

54
Q

What is the goal of a white hat hacker?

protecting data

validating data

modifying data

stealing data

A

protecting data

55
Q

In what type of attack is a cybercriminal attempting to prevent legitimate users from accessing network services?

DoS

session hijacking

MITM

address spoofing

A

DoS

56
Q

What are two evasion methods used by hackers? (Choose two.)

scanning

access attack

resource exhaustion

phishing

encryption

A
  • Encryption
  • Resource exhaustion

57
Q

What functionality is provided by Cisco SPAN in a switched network?

It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.

It prevents traffic on a LAN from being disrupted by a broadcast storm.

It protects the switched network from receiving BPDUs on ports that should not be receiving them.

It copies traffic that passes through a switch interface and sends the data directly to a syslog or SNMP server for analysis.

It inspects voice protocols to ensure that SIP, SCCP, H.323, and MGCP requests conform to voice standards.

It mitigates MAC address overflow attacks.

A

It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.

58
Q

Which term describes a field in the IPv4 packet header used to detect corruption in the IPv4 header?

TTL

source IPv4 address

protocol

header checksum

A

header checksum

59
Q

Which two characteristics describe a worm? (Choose two.)

travels to new computers without any intervention or knowledge of the user

infects computers by attaching to software code

hides in a dormant state until needed by an attacker

is self-replicating

executes when software is run on a computer

A
  • is self-replicating
  • travels to new computers without any intervention or knowledge of the user

60
Q

What are two examples of DoS attacks? (Choose two.)

SQL injection

ping of death

port scanning

phishing

buffer overflow

A
  • buffer overflow
  • ping of death

61
Q

Match the security tool with the description. (Not all options apply.)

62
Q

What focus describes a characteristic of an indicator of attack (IOA)?

It focuses more on threat avoidance after an attack and the potential cost implications.

It focuses more on the risk management strategies after an attack and compromise of systems.

It focuses more on the motivation behind an attack and the means used to compromise vulnerabilities to gain access to assets.

It focuses more on the mitigation after an attack and the potential compromised vulnerabilities.

A

It focuses more on the motivation behind an attack and the means used to compromise vulnerabilities to gain access to assets.

63
Q

What is an objective of a DHCP spoofing attack?

to intercept DHCP messages and alter the information before sending to DHCP clients

to gain illegal access to a DHCP server and modify its configuration

to provide false DNS server addresses to DHCP clients so that visits to a legitimate web server are directed to a fake server

to attack a DHCP server and make it unable to provide valid IP addresses to DHCP clients

A

to provide false DNS server addresses to DHCP clients so that visits to a legitimate web server are directed to a fake server

64
Q

What is the significant characteristic of worm malware?

Worm malware disguises itself as legitimate software.

Once installed on a host system, a worm does not replicate itself.

A worm must be triggered by an event on the host system.

A worm can execute independently of the host system.

A

A worm can execute independently of the host system.

Worm malware can execute and copy itself without being triggered by a host program. It is a significant network and Internet security threat.

65
Q

What is a characteristic of a DNS amplification and reflection attack?

Threat actors hide their phishing and malware delivery sites behind a quickly-changing network of compromised DNS hosts.

Threat actors use malware to randomly generate domain names to act as rendezvous points.

Threat actors use DNS open resolvers to increase the volume of attacks and to hide the true source of an attack.

Threat actors use a DoS attack that consumes the resources of the DNS open resolvers.

A

Threat actors use DNS open resolvers to increase the volume of attacks and to hide the true source of an attack.

66
Q

What is the result of a passive ARP poisoning attack?

Data is modified in transit or malicious data is inserted in transit.

Network clients experience a denial of service.

Confidential information is stolen.

Multiple subdomains are created.

A

Confidential information is stolen.

67
Q

An administrator discovers a vulnerability in the network. On analysis of the vulnerability the administrator decides the cost of managing the risk outweighs the cost of the risk itself. The risk is accepted, and no action is taken. What risk management strategy has been adopted?

risk transfer

risk acceptance

risk reduction

risk avoidance

A

risk acceptance

68
Q

Which type of DNS attack involves the cybercriminal compromising a parent domain and creating multiple subdomains to be used during the attacks?

shadowing

cache poisoning

tunneling

amplification and reflection

A

shadowing

69
Q

Which two attacks target web servers through exploiting possible vulnerabilities of input functions used by an application? (Choose two.)

SQL injection

Port scanning

Cross-site scripting

Port redirection

Trust exploitation

A
  • SQL injection
  • Cross-site scripting
70
Q

What is the main goal of using different evasion techniques by threat actors?

to launch DDoS attacks on targets

to identify vulnerabilities of target systems

to gain the trust of a corporate employee in an effort to obtain credentials

to prevent detection by network and host defenses

A

to prevent detection by network and host defenses

71
Q

What scenario describes a vulnerability broker?

a teenager running existing scripts, tools, and exploits, to cause harm, but typically not for profit

a threat actor attempting to discover exploits and report them to vendors, sometimes for prizes or rewards

a threat actor publicly protesting against governments by posting articles and leaking sensitive information

a state-sponsored threat actor who steals government secrets and sabotages networks of foreign governments

A

a threat actor attempting to discover exploits and report them to vendors, sometimes for prizes or rewards

72
Q

Once a cyber threat has been verified, the US Cybersecurity and Infrastructure Security Agency (CISA) automatically shares the cybersecurity information with public and private organizations. What is this automated system called?

ENISA

NCSA

NCASM

AIS

A

AIS

Automated Indicator Sharing (AIS) is a service the Cybersecurity and Infrastructure Security Agency (CISA) provides to enable real-time exchange of machine-readable cyber threat indicators and defensive measures between public and private-sector organizations. AIS helps to protect the participants of the service and ultimately reduce the prevalence of cyberattacks.

73
Q

Which capability is provided by the aggregation function in SIEM?

reducing the volume of event data by consolidating duplicate event records

increasing speed of detection and reaction to security threats by examining logs from many systems and applications

presenting correlated and aggregated event data in real-time monitoring

searching logs and event records of multiple sources for more complete forensic analysis

A

reducing the volume of event data by consolidating duplicate event records

74
Q

Which risk management strategy requires careful evaluation of the costs of loss, the mitigation strategy, and the benefits gained from the operation or activity that is at risk?

risk avoidance

risk transfer

risk reduction

risk acceptance

A

risk reduction

75
Q

An attacker is using a laptop as a rogue access point to capture all network traffic from a targeted user. Which type of attack is this?

man in the middle

port redirection

buffer overflow

trust exploitation

A

man in the middle

In a man-in-the-middle attack an unauthorized device is positioned between two legitimate devices in order to redirect or capture traffic.

76
Q

Which two functions are provided by NetFlow? (Choose two.)

It uses artificial intelligence to detect incidents and aid in incident analysis and response.

It provides a complete audit trail of basic information about every IP flow forwarded on a device.

It provides 24×7 statistics on packets that flow through a Cisco router or multilayer switch.

It allows an administrator to capture real-time network traffic and analyze the entire contents of packets.

It presents correlated and aggregated event data in real-time monitoring and long-term summaries.

A
  • It provides a complete audit trail of basic information about every IP flow forwarded on a device.
  • It provides 24×7 statistics on packets that flow through a Cisco router or multilayer switch.

77
Q

What is the function of a gratuitous ARP sent by a networked device when it boots up?

To request the IP address of the connected network

To advise connected devices of its MAC address

To request the NetBIOS name of the connected system

To request the MAC address of the DNS server

A

To advise connected devices of its MAC address
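Cards 66 and 77 are two sides of the same mechanism: a gratuitous ARP is how a booting host legitimately announces its MAC address, and an unsolicited ARP that rebinds an existing IP address to a different MAC is how ARP cache poisoning plants the attacker in the path. The following is an added example, not code from the original flashcards: an ARP payload builder and parser, and a passive IP-to-MAC tracker in the style of arpwatch that raises an alert on exactly that rebinding. The addresses and MACs are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FORMAT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa


def build_arp(opcode: int, sender_mac: bytes, sender_ip: str,
              target_mac: bytes, target_ip: str) -> bytes:
    """Constructed ARP payload for Ethernet/IPv4. A gratuitous ARP is a request
    whose target IP equals the sender IP, sent so neighbours update their caches."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, opcode, sender_mac,
                       IPv4Address(sender_ip).packed, target_mac, IPv4Address(target_ip).packed)


def parse_arp(payload: bytes) -> dict:
    _, _, _, _, opcode, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, payload[:28])
    return {"opcode": opcode,
            "sender_mac": sha, "sender_ip": str(IPv4Address(spa)),
            "target_mac": tha, "target_ip": str(IPv4Address(tpa)),
            "gratuitous": spa == tpa}


class ArpWatch:
    """Passive IP-to-MAC tracker. A gratuitous ARP from a host that has just booted
    is expected and simply populates the table; any ARP, solicited or not, that
    rebinds an already-known IP to a different MAC is the poisoning signal."""

    def __init__(self) -> None:
        self.table: dict[str, bytes] = {}
        self.alerts: list[dict] = []

    def observe(self, payload: bytes) -> bool:
        """Record the sender binding; return True when it changed an existing one."""
        arp = parse_arp(payload)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        changed = ip in self.table and self.table[ip] != mac
        if changed:
            self.alerts.append({"ip": ip,
                                "old_mac": self.table[ip].hex(":"),
                                "new_mac": mac.hex(":"),
                                "gratuitous": arp["gratuitous"]})
        self.table[ip] = mac
        return changed
```

A changed binding is not always an attack (a replaced NIC or a failover pair also triggers it), which is why this class records the alert rather than acting on it. The preventive control is Dynamic ARP Inspection on the switch, which validates ARP packets against the DHCP snooping binding table and drops the rebinding before any host's cache is poisoned.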
78
Q

What kind of ICMP message can be used by threat actors to map an internal IP network?

ICMP echo request

ICMP redirects

ICMP router discovery

ICMP mask reply

A

ICMP mask reply

79
Q

Which protocol is exploited by cybercriminals who create malicious iFrames?

HTTP

DNS

ARP

DHCP

A

HTTP

80
Q

Which SIEM function is associated with examining the logs and events of multiple systems to reduce the amount of time of detecting and reacting to security events?

forensic analysis

correlation

aggregation

retention

A

correlation

SIEM provides administrators with details on sources of suspicious activity such as user information, device location, and compliance with security policies. One of the essential functions of SIEM is correlation of logs and events from different systems in order to speed the detection and reaction to security

81
Q

Which access attack method involves a software program that attempts to discover a system password by the use of an electronic dictionary?

buffer overflow attack

denial of service attack

port redirection attack

brute-force attack

packet sniffer attack

IP spoofing attack

A

brute-force attack

82
Q

Which cyber attack involves a coordinated attack from a botnet of zombie computers?

ICMP redirect

MITM

DDoS

address spoofing

A

DDoS

83
Q

How can a DNS tunneling attack be mitigated?

By preventing devices from using gratuitous ARP

By using a filter that inspects DNS traffic

By securing all domain owner accounts

By using strong passwords and two-factor authentication

A

By using a filter that inspects DNS traffic

84
Q

Which technology is a proprietary SIEM system?

StealthWatch

Splunk

NetFlow collector

SNMP agent

A

Splunk

85
Q

Which network technology uses a passive splitting device that forwards all traffic, including Layer 1 errors, to an analysis device?

NetFlow

network tap

IDS

SNMP

A

network tap

A network tap is a common technology that is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network that forwards all traffic, including physical layer errors, to an analysis device.

86
Q

Which protocol would be the target of a cushioning attack?

ARP

DHCP

HTTP

DNS

A

HTTP

87
Q

Which technology is an open source SIEM system?

StealthWatch

Splunk

ELK

Wireshark

A

ELK

88
Q

Which statement describes the function of the SPAN tool used in a Cisco switch?

It is a secure channel for a switch to send logging to a syslog server.

It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device.

It provides interconnection between VLANs over multiple switches.

It supports the SNMP trap operation on a switch.

A

It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device.

89
Q

When describing malware, what is a difference between a virus and a worm?

A virus focuses on gaining privileged access to a device, whereas a worm does not.

A virus can be used to deliver advertisements without user consent, whereas a worm cannot.

A virus replicates itself by attaching to another file, whereas a worm can replicate itself independently.

A virus can be used to launch a DoS attack (but not a DDoS), but a worm can be used to launch both DoS and DDoS attacks.

A

A virus replicates itself by attaching to another file, whereas a worm can replicate itself independently.

90
Q

What are three functionalities provided by SOAR? (Choose three.)

It automates complex incident response procedures and investigations.

It provides 24×7 statistics on packets that flow through a Cisco router or multilayer switch.

It uses artificial intelligence to detect incidents and aid in incident analysis and response.

It presents the correlated and aggregated event data in real-time monitoring and long-term summaries.

It provides a complete audit trail of basic information about every IP flow forwarded on a device.

It provides case management tools that allow cybersecurity personnel to research and investigate incidents.

A
  • It automates complex incident response procedures and investigations.
  • It uses artificial intelligence to detect incidents and aid in incident analysis and response.
  • It provides case management tools that allow cybersecurity personnel to research and investigate incidents.