1. A. The transport layer is concerned with end-to-end communication and provides multiplexing through the use of sockets.
2. C. CSMA/CD allows stations to detect a collision. When that occurs, each station waits a random time, called the backoff time, before retransmitting.
3. A. Hubs and repeaters simply regenerate the signal and transmit to all ports.
4. A. A MAC address table includes information about the MAC address and the port where the frame should be forwarded.
5. A and B. A wireless LAN controller provides station authentication, QoS, security management, and other management services.
6. A. The Identification field is used by the receiving host to recognize fragments belonging to the same original IP packet.
7. A. Address Resolution Protocol (ARP) is used to request a MAC address given a known IP address.
8. A. A DNS resolver sends recursive queries to the configured DNS server.
9. A. A /25 network has 7 bits reserved for host addressing. The number of hosts can be found as follows: 2^7 – 2 = 126. Two addresses need to be removed because they are used for the network ID and broadcast address.
10. B. A /64 network allows 64 bits to be used for host addressing.
11. A. SLAAC is a protocol used to generate an IPv6 address.
12. A. TCP requires a connection to be established through a three-way handshake before transmitting data.
13. B. The TCP window is used for flow control.
1. B, C, D. Firewalls, traditional and next-generation intrusion prevention systems (IPSs), and anomaly detection systems are network security devices that provide enforcement and network visibility.
2. A, C, E, F. ACEs can classify packets by inspecting Layer 2 protocol information such as EtherTypes; Layer 3 protocol information such as ICMP, TCP, or UDP; Layer 3 header information such as source and destination IP addresses; and Layer 4 header information such as source and destination TCP or UDP ports.
3. A, B. Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network. Clients on the protected network send connection requests to the application proxy to transfer data to the unprotected network or the Internet.
4. C, D. Static NAT allows connections to be initiated bidirectionally, meaning both to the host and from the host. Also, NAT is often used by firewalls; however, other devices such as routers and wireless access points provide support for NAT.
5. B, D. Cisco ASA 5500-X and the Cisco Firepower 4100 Series are next-generation firewalls.
6. B, C, D, E, F. Cisco Cloud Email Security (CES), Cisco AMP Threat Grid, Cisco Threat Awareness Service (CTAS), OpenDNS, and CloudLock are examples of cloud-based security solutions.
7. A, C, D, E. The Cisco ISR routers, Cisco ASA, Cisco WSA, and Cisco AnyConnect have connectors for CWS.
8. B, C, D, E. There are different versions of NetFlow. Depending on the version of NetFlow, the router can also gather additional information, such as the type of service (ToS) byte, the differentiated services code point (DSCP), the device’s input interface, TCP flags, byte counters, and start and end times.
9. C. One of the main differences between NetFlow and full-packet capture is the cost and the amount of data that needs to be analyzed. In most cases, you don’t need heavyweight packet capture technology everywhere throughout your network if you have an appropriate NetFlow collection and analysis ecosystem.
10. B. Cisco CloudLock is designed to protect organizations of any type against data breaches in any cloud environment or application through a highly configurable cloud-based DLP architecture.
1. C. One of the primary benefits of a defense-in-depth strategy is that even if a single control (such as a firewall or IPS) fails, other controls can still protect your environment and assets.
2. A, C, E, F. Understanding the management, control, user/data, and services planes is crucial for a defense-in-depth strategy.
3. C, D, E, F. SQL injection, command injection, XSS, and CSRF are all examples of vulnerabilities.
4. D. CVE is a standard for identifying vulnerabilities to make it easier to share data across tools, vulnerability repositories, and security services.
5. B. Threat intelligence’s primary purpose is to inform business decisions regarding the risks and implications associated with threats.
6. C. Collaborative Research Into Threats (CRITs) is an open source feed for threat data. Learn more at https://crits.github.io.
7. C. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine the urgency and priority of response.
8. A, B, D. The following are a few examples of PII:
The individual’s name
Social security number
Biological or personal characteristics, such as an image of distinguishing features, fingerprints, x-rays, voice signature, retina scan, and geometry of the face
Date and place of birth
Mother’s maiden name
Credit card numbers
Bank account numbers
Driver’s license number
Address information, such as email addresses or street addresses, and telephone numbers for businesses or personal use
9. B, C. The principle of least privilege states that all users—whether they are individual contributors, managers, directors, or executives—should be granted only the level of privilege they need to do their job, and no more. It also applies to programs or processes running on a system. These programs or processes should have the capabilities they need to “get their job done,” but no root access to the system.
10. D. A runbook is a collection of procedures and operations performed by system administrators, security professionals, or network operators.
11. A, B, C. Chain of custody is the way you document and preserve evidence from the time you started the cyber forensics investigation to the time the evidence is presented at court. It is extremely important to be able to show clear documentation of the following:
How the evidence was collected
When it was collected
How it was transported
How it was tracked
How it was stored
Who had access to the evidence and how it was accessed
1. B. A subject is the active entity that requests access to a resource.
2. B. Authentication is the process of proving one’s identity.
3. A and C. Password and PIN code are examples of authentication by knowledge.
4. C. False rejection rate (FRR) refers to when the system rejects a valid user who should have been authenticated.
5. B. In military classification, the Secret label is usually associated with severe damage to the organization.
6. A. Encryption and storage media access controls are commonly used to protect data at rest.
7. A. The asset owner and senior management are ultimately responsible for the security of the assets.
8. A and B. Preventive and deterrent access controls are controls used to prevent a breach.
9. B. Attribute-based access control (ABAC) uses subject, object, and environmental attributes to make an access decision.
10. A. MAC offers better security compared to DAC because the operating system ensures compliance with the organization’s security policy.
11. A and B. Classification and category are typically found in a security label.
12. C. Role-based access control (RBAC) uses the role or function of a subject to make access decisions.
13. C. Host-based IDS can detect attacks using encryption, because it can see the decrypted payload on the host.
14. B. Host-based antimalware can detect attacks using encryption, because it can see the decrypted payload on the host.
15. D. A security group access list (SGACL) implements access control based on a security group tag (SGT) assigned to a packet. The SGT could be assigned, for example, based on the role of the user.
16. C. TACACS+ encrypts the TACACS+ message payload.
17. A. Cisco TrustSec uses MACsec to provide link-level encryption.
1. C. Access rights are provided during the privileges provisioning phase.
2. B. System-generated passwords are created by the system by following the constraints embedded in the security policy.
3. B. An asynchronous token system uses a challenge-response mechanism.
4. A. An entity is uniquely identified by its distinguished name (DN).
5. A. The advantage of SSO is that the user authenticates once and is then granted access to organization resources.
6. B. One of the critical functions of an SIEM compared to a normal log collector is the log correlation capability.
7. A. An asset inventory results in a list of assets owned by the organization.
8. B, C, D. A cloud-based MDM provides more flexibility and scalability, and it is easier to maintain.
9. B. MDM solutions typically provide PIN lock enforcement capabilities.
10. A. A security baseline configuration is a configuration that has been formally reviewed and approved and cannot be changed without a formal request.
11. A. A standard change is a low-risk change that might not require the full change management process.
12. A. With a white box approach, all information about the systems is known prior to the start of the penetration assessment.
13. C. In a responsible disclosure approach, the information about how to exploit a vulnerability is not disclosed.
14. A, B, D. Verifying that the patch works correctly is done after the patch has been deployed.
1. A, B, C. Common methods that ciphers use include substitution, polyalphabetic, and transposition.
2. A, B, D. AES, 3DES, and Blowfish are examples of symmetric block cipher algorithms. DSA and ElGamal are examples of asymmetric algorithms.
3. B, C, D. The three most popular types of hashes are Message Digest 5 (MD5), Secure Hash Algorithm 1 (SHA-1), and Secure Hash Algorithm 2 (SHA-2).
4. A and B. A digital signature provides three core benefits: authentication, data integrity, and nonrepudiation.
5. A and C. A key pair is a set of two keys that work in combination with each other as a team, and if you use the public key to encrypt data using an asymmetric encryption algorithm, the corresponding private key is used to decrypt the data.
6. A and D. Inside of a digital certificate is information about the identity of a device, such as its IP address, fully qualified domain name (FQDN), and the public key of that device or person.
7. C. A root certificate contains the public key of the CA server and the other details about the CA server.
8. B and C. PKCS #10 and PKCS #12 are public key standards you should become familiar with. They include protocols by themselves and protocols used for working with digital certificates. PKCS #10 defines the format of a certificate request sent to a CA by an entity that wants to receive its identity certificate. This type of request would include the public key for the entity desiring a certificate. PKCS #12 is a standard that defines the format for storing both public and private keys using a symmetric password-based key to “unlock” the data whenever the key needs to be used or accessed.
1. B, D, E. MPLS, IPsec, SSL, PPTP, and GRE are examples of protocols used for VPN implementations.
2. A, B, E. L2TP, GRE, and MPLS VPNs do not provide data integrity, authentication, and data encryption.
3. C and D. VPN implementations are categorized into two general groups: Site-to-site VPNs, which enable organizations to establish VPN tunnels between two or more network infrastructure devices in different sites so that they can communicate over a shared medium such as the Internet, and remote-access VPNs, which enable users to work from remote locations such as their homes, hotels, and other premises as if they were directly connected to their corporate network.
4. B. The Cisco AnyConnect Secure Mobility Client is an example of a remote-access VPN client.
5. A, B, C, D. Encryption algorithms, hashing algorithms, Diffie-Hellman groups, the authentication method, and vendor-specific attributes are all exchanged in IKEv1 phase 1.
6. C and D. SHA and MD5 are hashing algorithms used in IPsec. AES 192 and AES 256 are not hashing algorithms; they are encryption algorithms.
7. A. Each SA is assigned a unique security parameter index (SPI) value—one by the initiator and the other by the responder.
8. B. In the clientless mode, the remote client needs only an SSL-enabled web browser to access resources on the private network of the security appliances.
9. B, C, D. Reverse proxy technology, port-forwarding technology and smart tunnels, and an SSL VPN tunnel client (such as the AnyConnect Secure Mobility Client) are some of the commonly used SSL VPN technologies.
1. A. Although the other answers are somewhat correct, Answer A is the most specific and correct definition of process permissions as they relate to Windows.
2. A. Answer A is the best comparison of a heap and stack.
3. C. Answer C is the correct definition of the Windows registry.
4. B. Some of the functions of the Windows registry are to load device drivers, run startup programs, set environmental variables, and store user settings and operating system parameters.
5. D. Answer D is the correct explanation of WMI.
6. C. Answer C is the best explanation of virtual address space in Windows.
7. A. Answer A is the correct explanation of a pointer and handle.
8. A. Answer A is a correct statement. Answer B is incorrect because programmers don’t change handles. Answer C is incorrect because the OS provides handles. Answer D is incorrect because a pointer and handle are different things.
9. C. Windows services run in their own session and therefore can operate with or without a user logged in.
10. D. Answer D is the correct explanation of a log parser.
1. B. An orphan process results when a parent process is terminated and the remaining child process is permitted to continue on its own.
2. D. A zombie process occurs when a process releases the associated memory and resources but remains in the entry table.
3. B. A fork occurs when a parent process creates a child process.
4. A. Answer A represents the file owner being given rwx permissions, the group rx permissions, and all others x permissions.
5. D. Answer D is correct. Best practice is to avoid giving daemons root or super user access because that level of access could be abused. Typically the init process is used to create daemons.
6. A. Symlinks can exist even though the data they reference doesn’t exist.
7. C. Answer C is the best answer in this case. There can be multiple daemon programs, making Answer D incorrect. Although a daemon can be a parent program, that isn’t the best explanation, making answer B incorrect. Answer A is incorrect because daemons are not tasked to just manage a mother board.
8. D. Answer D represents err and every level above it.
9. D. Mail is an example of a facility.
10. C. NetFlow would be the best security technology for detecting a pivot attack.
1. B. A Trojan horse is a type of malware that executes instructions determined by the nature of the Trojan to delete files, steal data, and compromise the integrity of the underlying operating system. Trojan horses typically use a form of social engineering to fool victims into installing such software on their computers or mobile devices.
2. A. Ransomware is a type of malware that compromises a system and then often demands a ransom from the victim to pay the attacker in order for the malicious activity to cease or for the malware to be removed from the affected system.
3. C and D. ClamAV and Immunet are free. The rest are commercial-based antivirus software.
4. B. Host-based firewalls are often referred to as “personal firewalls.”
5. C. Cisco AMP for Endpoints is an example of a Cisco solution for endpoint protection. Cisco ASA is a network firewall, Cisco ESA is an email security appliance, and Firepower Endpoint System does not exist.
6. C. A graylist is a list of different objects that have not yet been established as not harmful or malicious. Once additional information is obtained, graylist items can be moved onto a whitelist or a blacklist.
A whitelist is a list of separate things, such as hosts, applications, email addresses, and services, that are authorized to be installed or active on a system in accordance to a predetermined baseline. A blacklist is a list of different entities that have been determined to be malicious.
7. B, C, D. File path, filename, and file size are examples of application file and folder attributes that can help with application whitelisting.
8. A, B, D. Google Chromium sandboxing, JVM sandboxing, and the HTML5 “sandbox” attribute for use with iframes are all examples of sandboxing implementations.
1. B. Syslog data is useless if it shows the wrong date and time. As a best practice, you should configure all network devices to use the Network Time Protocol (NTP). Using NTP ensures that the correct time is set and that all devices within the network are synchronized.
2. A, B, C, D, E. All of these logging capabilities are supported in Cisco ASA.
3. A, C, D. Splunk, Graylog, and ELK Stack are examples of commercial and open source log-collection and -analysis platforms.
4. B. Host-based firewalls are often referred to as “personal firewalls.”
5. B and C. You can monitor events for traffic that does not conform with your access control policies. Access control policies allow you to specify, inspect, and log the traffic that can traverse your network. An access control policy determines how the system handles traffic on your network. To help you identify and mitigate the effects of malware, the FMC file control, network file trajectory, and Advanced Malware Protection (AMP) can detect, track, capture, analyze, log, and optionally block the transmission of files, including malware files and nested files inside archive files.
6. B and C. Next-generation firewalls and next-generation IPS systems via the FMC support an incident lifecycle, allowing you to change an incident’s status as you progress through your response to an attack. When you close an incident, you can note any changes you have made to your security policies as a result of any lessons learned. Generally, an incident is defined as one or more intrusion events that you suspect are involved in a possible violation of your security policies. The FMC and next-generation firewalls and IPS systems are particularly well suited to supporting the investigation and qualification procedures of the incident response process. You can create your own event classifications and then apply them in a way that best describes the vulnerabilities on your network.
7. A. Full packet capture demands great system resources and engineering effort, not only to collect the data and store it, but also to be able to analyze it. That is why, in many cases, it is better to obtain network metadata by using NetFlow.
8. A, B, C. IP address or DNS hostname, application logs, and processes running on the system are some useful attributes you should seek to collect from endpoint systems.
9. A and D. Antivirus or antimalware applications and personal firewalls produce good security telemetry on endpoints.
10. A, B, D. The Cisco ISE Administrator Logins report provides an audit trail of all administrator logins. The web server log reports and top application reports provide additional contextual information that you can collect from Cisco ISE to help you investigate security incidents.
1. B. Privacy is one of the main benefits of encryption. The rest of the answers are either not valid or not a benefit.
2. C. Encryption can be used by threat actors as a method of evasion and obfuscation, and security monitoring tools might not be able to inspect encrypted traffic.
3. B. A few security products, such as the Cisco Lancope Stealthwatch system, provide features such as NAT stitching to use NetFlow with other data in the network and be able to correlate and “map” translated IP addresses. This accelerates incident response tasks and eases continuous security monitoring operations.
4. C. NTP is recommended as a best practice to synchronize the “clock” (date and time) of all network infrastructure devices, servers, and other endpoints.
5. B. DNS was not created for tunneling, but a few tools have used it to encapsulate data in the payload of DNS packets. Threat actors have been using many different untraditional techniques to steal data from corporate networks without being detected. For example, they have been sending stolen credit card data, intellectual property, and confidential documents over DNS using tunneling.
6. A, B, C. DeNiSe, dns2tcp, and DNScapy are examples of DNS tunneling tools. They were originally not created for malicious purposes, but they have been used by attackers to steal data from victims for years.
7. D. Tor is a free tool that enables its users to surf the Web anonymously. Tor has been used by nonmalicious users to keep their activity private, but also by malicious threat actors to carry out their attacks and perform other illicit activities.
8. B. A Tor exit node is basically the last Tor node or the “gateway” where the Tor encrypted traffic “exits” to the Internet. A Tor exit node can be targeted to monitor Tor traffic. Many organizations block Tor exit nodes in their environment. The Tor project has a dynamic list of Tor exit nodes that make this task a bit easier. This Tor exit node list can be downloaded from https://check.torproject.org/exit-addresses.
9. A. Attackers can insert or “inject” a SQL query via the input data from the client to the application or database. Attackers can exploit SQL injection vulnerabilities to read sensitive data from the database, modify or delete database data, execute administration operations on the database, and even issue commands to the operating system.
10. A, C, D. LionShare, Napster, and Peercoin are examples of P2P tools. P2P NetFlow does not exist.
1. B, C, D. Nexpose, Nessus, and nmap are all vulnerability and port scanners.
2. C. Because UDP is a connectionless protocol and does not have a three-way handshake like TCP, the UDP scans have to rely on ICMP “port unreachable” messages to determine whether a port is open. When the scanner sends a UDP packet and the port is not open on the victim’s system, that system will respond with an ICMP “port unreachable” message.
3. D. In phishing attacks, the attacker presents a link that looks like a valid, trusted resource to a user. When the user clicks it, he is prompted to disclose confidential information such as his username and password.
4. C. A backdoor is an application or code used by an attacker either to allow future access or to collect information to use in further attacks.
5. B. An amplification attack is a form of reflected attack in which the response traffic (sent by the unwitting participant) is made up of packets that are much larger than those that were initially sent by the attacker (spoofing the victim).
6. D. A buffer overflow is when a program or software puts more data in a buffer than it can hold or when a program tries to put data in a memory location past a buffer. This is done so that data outside the bounds of a block of allocated memory can corrupt other data or crash the program or operating system. In a worst-case scenario, a buffer overflow can lead to the execution of malicious code.
7. A. XSS is a type of web application vulnerability where malicious scripts are injected into legitimate and trusted websites. An attacker can launch an attack against an XSS vulnerability using a web application to send malicious code (typically in the form of a browser-side script) to a different end user.
8. A. Attackers can insert or “inject” a SQL query via the input data from the client to the application or database. Attackers can exploit SQL injection vulnerabilities to read sensitive data from the database, modify or delete database data, execute administration operations on the database, and even issue commands to the operating system.
1. D. This example represents adjusting the timing of traffic, which is a timing attack.
2. B. Encryption would be the biggest challenge because traffic cannot be evaluated by the IPS for threats.
3. A. Resource exhaustion is when the attacker sends a ton of traffic with the goal of consuming available resources. This could generate a bunch of alarms and render the system useless.
4. A. Modifying routing would not cause a traffic fragmentation error on a security detection device.
5. D. Proxies and inline security devices can help prevent traffic fragmentation attacks. Protocols can be manipulated to confuse security devices and keep them from properly evaluating traffic. The TCP checksum and Time-to-Live fields can be manipulated to first look like one thing and then later look like something else, with the goal of tricking the security defenses.
6. C. Answer C is correct because this does not modify the legitimate traffic and acts over HTTP. Answer A is incorrect because this doesn’t work over HTTPS. Answer B is incorrect because this attack doesn’t modify the legitimate traffic. Answer D doesn’t provide enough detail.
7. C. Answer C is the best answer. Answers A and D do not include a payload, meaning there isn’t an associated attack. Answer B is incorrect because if the same payload is used, it will be detected by most security solutions. Answer C would be formatted to bypass detection but not modify the attacker payload.
8. B. Using Unicode instead of ASCII can cause a traffic substitution and insertion attack.
9. A. Content filtering is a method for controlling what type of content is available to users. This is not a method of preventing a pivot attack. Answer B is a way to harden systems to avoid lateral movement through system exploitation. Answers C and D both represent methods to control what can access other systems on the network and lateral movement.
10. C. NetFlow can be used to detect unusual network patterns such as internal pivoting. Answer A is an encryption technology that can be used once a pivot has occurred. Answer B is typically a signature-based security solution that can prevent a host from exploiting another host, but this is not the best answer. Answer D could help but is typically used for controlling what traffic can and can’t pass. Answer D, in its current state, is too vague, but it would be a good defense using segmentation. However, this doesn’t necessarily mean it is the best solution for pivot detection.
1. B. A router mainly operates at the Network layer.
2. A and B. In full-duplex mode, a station can transmit and receive at the same time. This prevents collisions from happening.
3. D. Because no Layer 3 device is involved, there is only one broadcast domain.
4. A. A trunk link is used to transport multiple VLANs.
5. A. A multilayer switch includes Layer 3 functionality.
6. C. CAPWAP is used between a LAP and the WLC.
7. A and B. A LAP includes real-time functionalities such as channel encryption and the TX/RX of frames.
8. A and B. Class B allows 2^16 – 2 host addresses. Answer C is incorrect because it allows a maximum of 254 usable addresses.
9. D. A /29 network can have six hosts, whereas /30 can have only two.
10. C. OSPF is a link-state routing protocol.
11. A. Because OSPF nodes have a full view of the topology, the problem of count to infinity is avoided.
12. A and C. These are the correct alternative ways that the IPv6 address can be written.
13. C. NDP uses NA/NS messages to provide functionality similar to ARP.
14. A. 2345:0:0:0:0500.11FF.FE11.2222 is the correct answer.
15. A. Iterative queries are used between DNS servers.
16. B. A TCP client will start a connection by sending a TCP SYN packet.
17. A, B, C. A network socket includes a protocol, IP address, and port.
1. B. ACLs are the heart of a traditional stateful firewall, and they are based on source and destination IP addresses, source and destination ports, and protocol information.
2. C. A traditional IPS is a network security appliance or software technology that inspects network traffic to detect and prevent security threats and exploits.
3. B. NetFlow provides information about network flows and sessions.
4. B. DLP stands for data loss prevention and is a software or cloud solution for making sure that corporate users do not send sensitive or critical information outside the corporate network.
5. C and D. ACLs inspect and apply policies based on source and destination IP addresses as well as source and destination ports and protocol information.
6. B and C. OpenDNS and CloudLock are Cisco cloud security solutions.
7. D. Cisco pxGrid is used to enable the sharing of contextual-based information from a Cisco ISE session directory to other policy network systems, such as Cisco IOS devices and the Cisco ASA.
8. A. Heuristic-based algorithms may require fine tuning to adapt to network traffic and minimize the possibility of false positives.
9. C. DMZs provide security to the systems that reside within them, with different security levels and policies between them. DMZs can have several purposes; for example, they can serve as segments on which a web server farm resides or as extranet connections to business partners.
10. C. Full packet captures take more storage resources in comparison to NetFlow, syslog, and other network logs.
1. B and C. A vulnerability is an exploitable weakness in a system or its design. Vulnerabilities can be found in protocols, operating systems, applications, hardware, and system designs. An exploit is software or a sequence of commands that takes advantage of a vulnerability in order to cause harm to a system or network.
2. A. Exploit kits can be uploaded and can run from web servers in order to spread malware and compromise other systems.
3. A and C. Angler and Blackhole are examples of exploit kits.
4. C. A threat is any potential danger to an asset.
5. A. IoC stands for indicator of compromise.
6. A and B. Threat intelligence feeds typically include information such as indicators of compromise, known malicious domains, IP addresses of attacking systems, and other types of information.
7. D. Chain of custody is the way you document and preserve evidence from the time you start the cyber forensics investigation to the time the evidence is presented in court.
8. A. Decompilers are programs that take an executable binary file and attempt to produce readable high-level language code from it.
9. D. Mean time to repair (MTTR), mean time between failures (MTBF), and mean time to discover a security incident are all examples of metrics that can measure the effectiveness of a runbook.
10. B. PHI stands for protected health information.
1. C. In the authorization phase, access is granted to a resource.
2. A, B, C. Uniqueness, nondescriptiveness, and secured issuance are characteristics of a secure identity.
3. D. Strong authentication is obtained by the combination of at least two methods.
4. A. The asset owner assigns the classification.
5. A. Clearing ensures protection against simple and noninvasive data-recovery techniques.
6. A. Security training is a type of administrative control.
7. A. Dropping a packet prevents a security incident from occurring.
8. C. A fence is an example of a physical deterrent control.
9. A. A capability table is user centric and includes several objects with user access rights.
10. B. The RADIUS exchange happens between the NAS and the authentication server.
11. C. Diameter allows for the exchange of nodes’ capabilities.
12. C. 802.1X allows authorization policy to be downloaded and enforced at the access device.
13. B. EAPoL messages are transmitted between the supplicant and the authenticator.
14. B. SXP can be used to exchange SGT between an access device with only Cisco TrustSec capability on software and a device with Cisco TrustSec hardware support.
15. D. An isolated port can only communicate with the promiscuous port.
16. A. An IPS may add latency due to its packet-processing engine.
17. A. Network-based antimalware can block malware before it enters the network. Answers C and D are true for host-based antimalware as well. Answer B applies only to host-based antimalware.
18. A. Location is part of the environmental attributes.
19. B. MAC uses security labels for access decisions.
20. B. Strict control over the access to resources is one of the main advantages of MAC.
21. A. In a DAC model, the object owner grants authorization permission over the objects he owns.
1. A and B. A secure digital identity should be unique and nondescriptive, and it should be securely issued.
2. A. A periodic privileges review is needed to make sure each user has the correct level of privileges after any event that could require the assignment of different privileges.
3. A, B, D. Access can be revoked due to job termination, a change of job, or a violation of security policy.
4. B and C. Asset classification and asset disposal are responsibilities of the asset owner.
5. A. Answer A is correct in this case.
6. C is the most correct answer.
7. A. Configuration records are stored in a configuration management database (CMDB).
8. D. Active vulnerability scanners probe the target system.
9. C. The agent-based deployment model provides automatic patch installation capabilities.
10. A. The syslog PRI is obtained by multiplying the facility code by 8 and adding the severity code.
11. D. Log normalization extracts relevant attributes from logs received in different formats and stores them in a common data model or template.
12. A, B, C. SIEM provides correlation, archiving, normalization, aggregation, and reporting for logs.
13. A and B. Cisco ISE and an MDM server are typically found in a Cisco BYOD architecture.
14. A. After the RFC is closed, the configuration database is updated with the new configuration.
15. B and D. Vulnerability scanners usually work with known vulnerabilities and can work in passive and active modes.
16. A. An OVAL definition is an XML file that contains information about how to check a system for the presence of vulnerabilities.
1. C. The files chicken.txt and cat.txt have the same SHA checksum; consequently, they have the same contents.
2. D. A collision attack is an attempt to find two input strings of a hash function that produce the same hash result. This is because hash functions have an infinite input length and a predefined output length.
3. B. SHA-2 is more secure than SHA-1 and MD5.
4. B. Root CAs can delegate their authority to subordinate CAs.
5. C. A CRL is a list of certificates, based on their serial numbers, that had initially been issued by a CA but have since been revoked and as a result should not be trusted. A CRL could be very large, and the client would have to process the entire list to verify a particular certificate is not on the list. A CRL can be thought of as the naughty list, and is the primary protocol used for this purpose.
6. A. PKCS #12 is a format for storing both public and private keys using a symmetric password-based key to “unlock” the data whenever the key needs to be used or accessed.
7. C. PKCS #10 is a format of a certificate request sent to a CA that wants to receive its identity certificate.
8. A and B. AES and IDEA are both examples of symmetric encryption algorithms.
9. C and D. Diffie-Hellman and RSA are both examples of asymmetric encryption algorithms.
10. A and C. SHA and MD5 are both examples of hashing algorithms.
1. B. ESP packets cannot be successfully translated (NATed) because ESP does not have any ports.
2. C. IPsec transport mode protects upper-layer protocols, such as UDP and TCP, and tunnel mode protects the entire IP packet.
3. A. Diffie-Hellman is a key agreement protocol and it enables users or devices to authenticate each other using preshared keys without actually sending the keys over the unsecured medium.
4. A. SSL is not supported for Cisco site-to-site VPN tunnels.
5. C. IKEv1 has a simple exchange of two message pairs for the CHILD_SA. IKEv2 uses an exchange of at least three message pairs for Phase 2.
6. D. AES is more secure than DES and 3DES. 4DES does not exist.
7. C. NAT Traversal is an IPsec feature and specification.
8. B. The Tor browser is used by individuals to keep themselves anonymous on the Internet and it is also used to browse the dark web.
9. B, C, D. Attackers use VPNs to exfiltrate data, to encrypt traffic between a compromised host and a command and control system, and to evade detection.
10. B and D. MD5 and SHA are hashing algorithms. RSA and AES are encryption algorithms.
1. A. Answer A is the best definition of a Windows process. Answer B describes a thread, Answer C describes a thread pool, and Answer D describes a fiber.
2. B. Answer B is the only correct statement. Virtual address space is not shared unless it is specified. It is a reference to the physical location and not the actual physical location of an object in memory.
3. C. RAM is an example of volatile memory.
4. C. The command regedit is used to view the Windows Registry.
5. A. HKEY_LOCAL (HKLM) is not a Windows Registry hive.
6. B. Windows Management Instrumentation is the correct name.
7. C. WMI can’t be used to uninstall an application.
8. C. A handle that’s not released after being used is an example of how a handle leak could occur.
9. B. The correct command is services.msc.
10. D. The Log Parser is a common Windows tool that can be used to adjust logs for this purpose.
1. C. Daemons are not controlled by the active user.
2. A. ErrorLog is the correct file that Apache sends error data to.
3. C. Remember that rwx stands for read, write, and execute, and the order is owner, group, and everybody else.
4. D. Soft link is another name for a symlink.
5. A. Transaction logs is the best answer. If an error occurred, then an alert log would be generated.
6. D. Init has a PID of 1. Note that init is not a daemon. This will be important for the exam.
7. D. The correct format is owner, group, everybody else.
8. C. The correct command is chown.
9. B. Answer B is correct. Answer A describes how daemons are typically created; however, they are not always created by the init process, even though init usually creates them.
10. A. The default location is /var/log.
1. B. Worms are viruses that replicate themselves over the network, infecting numerous vulnerable systems.
2. A. Ransomware is a type of malware that compromises a system and then often demands a ransom from the victim to pay the attacker in order for the malicious activity to cease or for the malware to be removed from the affected system.
3. B and C. Google Chromium sandboxing and Java JVM sandboxing are examples of system-based sandboxing implementations.
4. B and C. Answers B and C are both benefits of system-based sandboxing.
5. D. A limitation of whitelisting is the need to continuously manage what is and is not on the whitelist. It is extremely difficult to keep a list of what is and is not allowed on a system where there are hundreds of thousands of files with a legitimate need to be present and running on the system.
6. C. Cisco AMP for Endpoints takes advantage of telemetry from big data, continuous analysis, and advanced analytics provided by Cisco threat intelligence in order to detect, analyze, and stop advanced malware across endpoints.
7. C. Pretty Good Privacy (PGP) is an example of a host-based encryption technology that can help protect files as well as email.
8. A. An application blacklist is a list of different entities that have been determined to be malicious.
9. D. BitLocker is software for encrypting files on a hard disk drive.
10. B, C, D. Answers B, C, and D represent actions you should take to ensure your emails are protected.
1. B and C. Wireshark and tcpdump are examples of open source packet capture software.
2. A. Hadoop is a big data analytics technology that is used by several frameworks in security operations centers and in many other scenarios.
3. D. Router syslogs are not a host-based telemetry source. Router syslogs are a network-based telemetry source.
4. C. Encryption can cause problems in an SOC because you cannot see the actual payload of the packet.
5. B. Cisco Prime Infrastructure is a network management platform you can use to configure and monitor many network infrastructure devices in your network. It provides network administrators with a single solution for provisioning, monitoring, optimizing, and troubleshooting both wired and wireless devices.
6. B. Linux-based systems store most of their logs (including syslog) in /var/log.
7. D. NBAR2 is used by Cisco AVC to provide deep packet inspection.
8. A. QoS can be used with NBAR2 to help ensure that the network bandwidth is best used.
9. C. Cisco NetFlow records are usually exported using UDP packets.
10. D. IPFIX is not a NetFlow version; it is a flow-based standard derived from NetFlow version 9.
1. A. The Onion Router (Tor) is both free and enables its users to surf the Web anonymously.
2. C. Answer C correctly states the challenge NAT presents to security monitoring.
3. B. A Tor exit node is the last Tor node or the “gateway” where the Tor encrypted traffic “exits” to the Internet.
4. C. DNScapy is an example of a DNS tunneling tool.
5. D. Base64 encoding is an example of an encoding mechanism used by threat actors.
6. A. The Network Time Protocol (NTP) ensures that the correct time is set and that all devices within the network are synchronized.
1. C. In a rainbow table, an attacker computes possible passwords and their hashes in a given system and puts the results into a lookup table.
2. A. War driving is a technique used by attackers to find wireless access points and wireless routers wherever they may be.
3. B. XSS is one of the most common types of web application vulnerabilities where the attacker uses malicious scripts and injects them into legitimate and trusted websites.
4. A. SQL injection vulnerabilities are used by attackers to read sensitive data from the database, modify or delete database data, execute administration operations on the database, and even issue commands to the operating system.
5. B. A man-in-the-middle attack results when attackers place themselves in line between two devices that are communicating, with the intent of performing reconnaissance or manipulating the data as it moves between the devices.
6. A. Deserialization of untrusted data vulnerabilities are used by attackers to supply malformed or unexpected data that abuses an application’s logic, causes a DoS attack, or executes arbitrary code.
7. D. A buffer overflow is when a program or software puts more data in a buffer than it can hold or when a program tries to put data in a memory location past a buffer.
8. B. In an evil twin attack, the attacker tries to create rogue access points so as to gain access to the network or steal information.
9. B. ARP cache poisoning is an attack where threat actors can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet.
10. D. Dynamic ARP inspection is a feature in Cisco switches that validates ARP packets and intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.
1. D. Answer D is the best answer. Answer A doesn’t have enough information. Answer B is incorrect in that a client isn’t required. Answer C is correct, but it’s not the only use for SSH.
2. C. A remote-access VPN can be client or clientless, thus making Answer C correct.
3. A. Consuming resources typically slows down or prevents a system from operating properly. This usually doesn’t corrupt the actual application, just its ability to function due to low available resources.
4. A. Encrypting traffic hides the traffic from the IPS rather than confusing it, which is the tactic used in the other answers.
5. D. Answer D is the correct explanation of an overlapping fragment attack.
6. C. Answer C is the correct explanation of a timing attack.
7. C. Answer C is an example of a traffic substitution and insertion attack. Answers A and D are input validation attacks. Answer B is a coding practice.
8. B. Answer B is a method of establishing a foothold on a network. However, this does not provide new access to the network, meaning the attacker isn’t pivoting to another network resource.
9. D. Segmentation is the best approach listed for reducing the risk of a compromised system to be able to attack another system with higher, trusted network access.
10. C. SSH uses public-key encryption.