1. Which two statements are characteristics of a virus? (Choose two.)

• A virus typically requires end-user activation.
• A virus can be dormant and then activate at a specific time or date.
• A virus replicates itself by independently exploiting vulnerabilities in networks.
• A virus has an enabling vulnerability, a propagation mechanism, and a payload.
• A virus provides the attacker with sensitive data, such as passwords

Explanation: The type of end user interaction required to launch a virus is typically opening an application, opening a web page, or powering on the computer. Once activated, a virus may infect other files located on the computer or other computers on the same network.

2. What is a characteristic of a Trojan horse as it relates to network security?

• Too much information is destined for a particular memory block, causing additional memory areas to be affected.
• Extreme quantities of data are sent to a particular network device interface.
• An electronic dictionary is used to obtain a password to be used to infiltrate a key network device.
• Malware is contained in a seemingly legitimate executable program.

Explanation: A Trojan horse carries out malicious operations under the guise of a legitimate program. Denial of service attacks send extreme quantities of data to a particular host or network device interface. Password attacks use electronic dictionaries in an attempt to learn passwords. Buffer overflow attacks exploit memory buffers by sending too much information to a host to render the system inoperable.

3. What technique is used in social engineering attacks?

• sending junk email
• buffer overflow
• phishing
• man-in-the-middle

Explanation: A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or to share personal or financial information.

4. What is a purpose of implementing VLANs on a network?

• They can separate user traffic.
• They prevent Layer 2 loops.
• They eliminate network collisions.
• They allow switches to forward Layer 3 packets without a router.

Explanation: VLANs are used on a network to separate user traffic based on factors such as function, project team, or application, without regard for the physical location of the user or device.

5. Refer to the exhibit. A cybersecurity analyst is viewing packets forwarded by switch S2. What addresses will identify frames containing data sent from PCA to PCB?

Src IP: 192.168.2.1

Src MAC: 00-60-0F-B1-33-33

Dst IP: 192.168.2.101

Dst MAC: 08-CB-8A-5C-BB-BB

Src IP: 192.168.1.212

Src MAC: 01-90-C0-E4-AA-AA

Dst IP: 192.168.2.101

Dst MAC: 08-CB-8A-5C-BB-BB

Src IP: 192.168.1.212

Src MAC: 00-60-0F-B1-33-33

Dst IP: 192.168.2.101

Dst MAC: 08-CB-8A-5C-BB-BB

Src IP: 192.168.1.212

Src MAC: 00-60-0F-B1-33-33

Dst IP: 192.168.2.101

Dst MAC: 00-D0-D3-BE-00-00

Explanation: When a message sent from PCA to PCB reaches router R2, some frame header fields will be rewritten by R2 before forwarding to switch S2. The frames will contain the source MAC address of router R2 and the destination MAC address of PCB. The frames will retain the original IPv4 addressing applied by PCA which is the IPv4 address of PCA as the source address and the IPv4 address of PCB as the destination.

6. A cybersecurity analyst needs to collect alert data. What are three detection tools to perform this task in the Security Onion architecture? (Choose three.)

• CapME
• Wazuh
• Kibana
• Zeek
• Sguil
• Wireshark

Explanation: A Security Onion Architecture:

Detection tools in Security Onion Architecture include: CapME, Snort, Zeek, OSSEC, Wazuh, Suricata.

7. Match the Security Onion tool with the description.

8. In network security assessments, which type of test is used to evaluate the risk posed by vulnerabilities to a specific organization including assessment of the likelihood of attacks and the impact of successful exploits on the organization?

• port scanning
• risk analysis
• penetration testing
• vulnerability assessment

Explanation: A risk analysis includes assessment of the likelihood of attacks, identifies types of likely threat actors, and evaluates the impact of successful exploits on the organization.

9. Match the server profile element to the description. (Not all options are used.)

Explanation: The elements of a server profile include the following:Listening ports – the TCP and UDP daemons and ports that are allowed to be open on the server

User accounts – the parameters defining user access and behavior

Service accounts – the definitions of the type of service that an application is allowed to run on a given host

Software environment – the tasks, processes, and applications that are permitted to run on the server

10. In addressing an identified risk, which strategy aims to shift some of the risk to other parties?

• risk avoidance
• risk sharing
• risk retention
• risk reduction

Explanation: There are four potential strategies for responding to risks that have been identified:

Risk avoidance – Stop performing the activities that create risk.

Risk reduction – Decrease the risk by taking measures to reduce vulnerability.

Risk sharing – Shift some of the risk to other parties.

Risk retention – Accept the risk and its consequences.

11. What is a network tap?

• a technology used to provide real-time reporting and long-term analysis of security events
• a Cisco technology that provides statistics on packets flowing through a router or multilayer switch
• a feature supported on Cisco switches that enables the switch to copy frames and forward them to an analysis device
• a passive device that forwards all traffic and physical layer errors to an analysis device

Explanation: A network tap is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network and forwards all traffic, including physical layer errors, to an analysis device.

12. Match the monitoring tool to the definition.

13. If a SOC has a goal of 99.999% uptime, how many minutes of downtime a year would be considered within its goal?

• Approximately 5 minutes per year.
• Approximately 10 minutes per year
• Approximately 20 minutes per year.
• Approximately 30 minutes per year.

Explanation: Within a year, there are 365 days x 24 hours a day x 60 minutes per hour = 525,600 minutes. With the goal of uptime 99.999% of time, the downtime needs to be controlled under 525,600 x (1-0.99999) = 5.256 minutes a year.

14. The HTTP server has responded to a client request with a 200 status code. What does this status code indicate?

• The request is understood by the server, but the resource will not be fulfilled.
• The request was completed successfully.
• The server could not find the requested resource, possibly because of an incorrect URL.
• The request has been accepted for processing, but processing is not completed.

15. What is an advantage for small organizations of adopting IMAP instead of POP?

• POP only allows the client to store messages in a centralized way, while IMAP allows distributed storage.
• IMAP sends and retrieves email, but POP only retrieves email.
• When the user connects to a POP server, copies of the messages are kept in the mail server for a short time, but IMAP keeps them for a long time.
• Messages are kept in the mail servers until they are manually deleted from the email client.

Explanation: IMAP and POP are protocols that are used to retrieve email messages. The advantage of using IMAP instead of POP is that when the user connects to an IMAP-capable server, copies of the messages are downloaded to the client application. IMAP then stores the email messages on the server until the user manually deletes those messages.

16. What debugging security tool can be used by black hats to reverse engineer binary files when writing exploits?

• WinDbg
• Firesheep
• Skipfish
• AIDE

17. Match the attack tools with the description. (Not all options are used.)

18. What are two features of ARP? (Choose two.)

• When a host is encapsulating a packet into a frame, it refers to the MAC address table to determine the mapping of IP addresses to MAC addresses.
• If a host is ready to send a packet to a local destination device and it has the IP address but not the MAC address of the destination, it generates an ARP broadcast.
• If a device receiving an ARP request has the destination IPv4 address, it responds with an ARP reply.
• If no device responds to the ARP request, then the originating node will broadcast the data packet to all devices on the network segment.
• An ARP request is sent to all devices on the Ethernet LAN and contains the IP address of the destination host and the multicast MAC address.

Explanation: When a node encapsulates a data packet into a frame, it needs the destination MAC address. First it determines if the destination device is on the local network or on a remote network. Then it checks the ARP table (not the MAC table) to see if a pair of IP address and MAC address exists for either the destination IP address (if the destination host is on the local network) or the default gateway IP address (if the destination host is on a remote network). If the match does not exist, it generates an ARP broadcast to seek the IP address to MAC address resolution. Because the destination MAC address is unknown, the ARP request is broadcast with the MAC address FFFF.FFFF.FFFF. Either the destination device or the default gateway will respond with its MAC address, which enables the sending node to assemble the frame. If no device responds to the ARP request, then the originating node will discard the packet because a frame cannot be created.

19. What is a property of the ARP table on a device?

• Entries in an ARP table are time-stamped and are purged after the timeout expires.
• Every operating system uses the same timer to remove old entries from the ARP cache.
• Static IP-to-MAC address entries are removed dynamically from the ARP table.
• Windows operating systems store ARP cache entries for 3 minutes.

20. What is the purpose of Tor?

• to allow users to browse the Internet anonymously
• to securely connect to a remote network over an unsecure link such as an Internet connection
• to donate processor cycles to distributed computational tasks in a processor sharing P2P network
• to inspect incoming traffic and look for any that violates a rule or matches the signature of a known exploit

Explanation: Tor is a software platform and network of peer-to-peer (P2P) hosts that function as routers. Users access the Tor network by using a special browserthat allows them to browse anonymously.

21. Which two network protocols can be used by a threat actor to exfiltrate data in traffic that is disguised as normal network traffic? (Choose two.)

• NTP
• DNS
• HTTP
• syslog
• SMTP

22. What is a key difference between the data captured by NetFlow and data captured by Wireshark?

• NetFlow data shows network flow contents whereas Wireshark data shows network flow statistics.
• NetFlow data is analyzed by tcpdump whereas Wireshark data is analyzed by nfdump.
• NetFlow provides transaction data whereas Wireshark provides session data.
• NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.

Explanation: Wireshark captures the entire contents of a packet. NetFlow does not. Instead, NetFlow collects metadata, or data about the flow.

23. Which tool captures full data packets with a command-line interface only?

• nfdump
• Wireshark
• NBAR2
• tcpdump

Explanation: The command-line tool tcpdump is a packet analyzer. Wireshark is a packet analyzer with a GUI interface.

24. Which method can be used to harden a device?

• maintain use of the same passwords
• allow default services to remain enabled
• allow USB auto-detection
• use SSH and disable the root account access over SSH

Explanation: The basic best practices for device hardening are as follows:

Ensure physical security.

Minimize installed packages.

Disable unused services.

Use SSH and disable the root account login over SSH.

Keep the system updated.

Disable USB auto-detection.

Enforce strong passwords.

Force periodic password changes.

Keep users from re-using old passwords.

Review logs regularly.

25. In a Linux operating system, which component interprets user commands and attempts to execute them?

• GUI
• daemon
• kernel
• shell

26. A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication? (Choose two.)

• encryption for all communication
• encryption for only the data
• single process for authentication and authorization
• separate processes for authentication and authorization
• hidden passwords during transmission

Explanation: RADIUS authentication supports the following features:

RADIUS authentication and authorization as one process

Encrypts only the password

Utilizes UDP

Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP)

27. What is privilege escalation?

• Vulnerabilities in systems are exploited to grant higher levels of privilege than someone or some process should have.
• Everyone is given full rights by default to everything and rights are taken away only when someone abuses privileges.
• Someone is given rights because she or he has received a promotion.
• A security problem occurs when high ranking corporate officials demand rights to systems or files that they should not have.

Explanation: With privilege escalation, vulnerabilities are exploited to grant higher levels of privilege. After the privilege is granted, the threat actor can access sensitive information or take control of the system.

28. What two assurances does digital signing provide about code that is downloaded from the Internet? (Choose two.)

• The code contains no viruses.
• The code has not been modified since it left the software publisher.
• The code is authentic and is actually sourced by the publisher.
• The code contains no errors.
• The code was encrypted with both a private and public key.

Explanation: Digitally signing code provides several assurances about the code:

The code is authentic and is actually sourced by the publisher.

The code has not been modified since it left the software publisher.

The publisher undeniably published the code. This provides nonrepudiation of the act of publishing.

29. An IT enterprise is recommending the use of PKI applications to securely exchange information between the employees. In which two cases might an organization use PKI applications to securely exchange information between users? (Choose two.)

• HTTPS web service
• 802.1x authentication
• local NTP server
• FTP transfers
• file and directory access permission

Explanation: The Public Key Infrastructure (PKI) is a third party-system referred to as a certificate authority or CA. The PKI is the framework used to securely exchange information between parties. Common PKI applications are as follows:

SSL/TLS certificate-based peer authentication

Secure network traffic using IPsec VPNs

HTTPS Web traffic

Control access to the network using 802.1x authentication

Secure email using the S/MIME protocol

Secure instant messaging

Approve and authorize applications with Code Signing

Protect user data with the Encryption File System (EFS)

Implement two-factor authentication with smart cards

Securing USB storage devices

30. Which measure can a security analyst take to perform effective security monitoring against network traffic encrypted by SSL technology?

• Use a Syslog server to capture network traffic.
• Deploy a Cisco SSL Appliance.
• Require remote access connections through IPsec VPN.
• Deploy a Cisco ASA.

31. An administrator is trying to develop a BYOD security policy for employees that are bringing a wide range of devices to connect to the company network. Which three objectives must the BYOD security policy address? (Choose three.)

• All devices must be insured against liability if used to compromise the corporate network.
• All devices must have open authentication with the corporate network.
• Rights and activities permitted on the corporate network must be defined.
• Safeguards must be put in place for any personal device being compromised.
• The level of access of employees when connecting to the corporate network must be defined.
• All devices should be allowed to attach to the corporate network flawlessly.

32. Match the security policy with the description. (Not all options are used.)

33. Match the attack to the definition. (Not all options are used.)

34. What type of attack targets an SQL database using the input field of a user?

• XML injection
• buffer overflow
• Cross-site scripting
• SQL injection

Explanation: A criminal can insert a malicious SQL statement in an entry field on a website where the system does not filter the user input correctly.

35. What are two characteristics of Ethernet MAC addresses? (Choose two.)

• MAC addresses use a flexible hierarchical structure.
• They are expressed as 12 hexadecimal digits.
• They are globally unique.
• They are routable on the Internet.
• MAC addresses must be unique for both Ethernet and serial interfaces on a device.

36. A user calls to report that a PC cannot access the internet. The network technician asks the user to issue the command ping 127.0.0.1 in a command prompt window. The user reports that the result is four positive replies. What conclusion can be drawn based on this connectivity test?

• The IP address obtained from the DHCP server is correct.
• The PC can access the network. The problem exists beyond the local network.
• The PC can access the Internet. However, the web browser may not work.
• The TCP/IP implementation is functional.

Explanation: The ping 127.0.0.1 command is used to verify that the TCP/IP stack is functional. It verifies the proper operation of the protocol stack from the network layer to physical layer, without sending a signal on the media. That is, this test does not go beyond the PC itself. For example, it does not detect whether a cable is connected to the PC or not.

37. What characterizes a threat actor?

• They are all highly-skilled individuals.
• They always use advanced tools to launch attacks.
• They always try to cause some harm to an individual or organization.
• They all belong to organized crime.

38. A computer is presenting a user with a screen requesting payment before the user data is allowed to be accessed by the same user. What type of malware is this?

• a type of logic bomb
• a type of virus
• a type of worm
• a type of ransomware

Explanation: Ransomware commonly encrypts data on a computer and makes the data unavailable until the computer user pays a specific sum of money

39. Which ICMPv6 message type provides network addressing information to hosts that use SLAAC?

• router solicitation
• neighbor advertisement
• neighbor solicitation
• router advertisement

40. Which tol included in the Security Onion is a series of software plugins that send different types of data to the Elasticsearch data stores?

• Curator
• Beats
• OSSEC
• ElastAlert

41. Which two types of unreadable network traffic could be eliminated from data collected by NSM? (Choose two.)

• STP traffic
• IPsec traffic
• routing updates traffic
• SSL traffic
• broadcast traffic

Explanation: To reduce the huge amount of data collected so that cybersecurity analysts can focus on critical threats, some less important or unusable data could be eliminated from the datasets. For example, encrypted data, such as IPsec and SSL traffic, could be eliminated because it is unreadable in a reasonable time frame.

42. Which core open source component of the Elastic-stack is responsible for accepting the data in its native format and making elements of the data consistent across all sources?

• Logstash
• Kibana
• Beats
• Elasticsearch

43. Match the security incident stakeholder with the role.

44. In the NIST incident response process life cycle, which type of attack vector involves the use of brute force against devices, networks, or services?

• media
• impersonation
• attrition
• loss or theft

Explanation: Common attack vectors include media, attrition, impersonation, and loss or theft. Attrition attacks are any attacks that use brute force. Media attacks are those initiated from storage devices. Impersonation attacks occur when something or someone is replaced for the purpose of the attack, and loss or theft attacks are initiated by equipment inside the organization.

45. Match the security organization with its security functions. (Not all options are used.)

46. What is a characteristic of CybOX?

• It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations.
• It enables the real-time exchange of cyberthreat indicators between the U.S. Federal Government and the private sector.
• It is a set of specifications for exchanging cyberthreat information between organizations.
• It is the specification for an application layer protocol that allows the communication of CTI over HTTPS.

47. After host A receives a web page from server B, host A terminates the connection with server B. Match each step to its correct option in the normal termination process for a TCP connection. (Not all options are used.)

48. What are two ways that ICMP can be a security threat to a company? (Choose two.)

• by collecting information about a network
• by corrupting data between email servers and email recipients
• by the infiltration of web pages
• by corrupting network IP data packets
• by providing a conduit for DoS attacks

Explanation: ICMP can be used as a conduit for DoS attacks. It can be used to collect information about a network such as the identification of hosts and network structure, and by determining the operating systems being used on the network.

49. Which three IPv4 header fields have no equivalent in an IPv6 header? (Choose three.)

• fragment offset
• protocol
• flag
• TTL
• identification
• version

Explanation: Unlike IPv4, IPv6 routers do not perform fragmentation. Therefore, all three fields supporting fragmentation in the IPv4 header are removed and have no equivalent in the IPv6 header. These three fields are fragment offset, flag, and identification. IPv6 does support host packet fragmentation through the use of extension headers, which are not part of the IPv6 header.

50. Which two net commands are associated with network resource sharing? (Choose two.)

• net start
• net accounts
• net share
• net use
• net stop

Explanation:

The net command is a very important command. Some common net commands include these:

• net accounts – sets password and logon requirements for users
• net session – lists or disconnects sessions between a computer and other computers on the network
• net share – creates, removes, or manages shared resources
• net start – starts a network service or lists running network services
• net stop – stops a network service
• net use – connects, disconnects, and displays information about shared network resources
• net view – shows a list of computers and network devices on the network

51. Match the Windows 10 Registry key with its description. (Not all options are used)

52. Which PDU format is used when bits are received from the network medium by the NIC of a host?

• segment
• file
• packet
• frame

Explanation: When received at the physical layer of a host, the bits are formatted into a frame at the data link layer. A packet is the PDU at the network layer. A segment is the PDU at the transport layer. A file is a data structure that may be used at the application layer.

53. A user is executing a tracert to a remote device. At what point would a router, which is in the path to the destination device, stop forwarding the packet?

• when the router receives an ICMP Time Exceeded message
• when the values of both the Echo Request and Echo Reply messages reach zero
• when the RTT value reaches zero
• when the value in the TTL field reaches zero
• when the host responds with an ICMP Echo Reply message

Explanation: When a router receives a traceroute packet, the value in the TTL field is decremented by 1. When the value in the field reaches zero, the receiving router will not forward the packet, and will send an ICMP Time Exceeded message back to the source.

54. Refer to the exhibit. What solution can provide a VPN between site A and site B to support encapsulation of any Layer 3 protocol between the internal networks at each site?

• an IPsec tunnel
• Cisco SSL VPN
• a GRE tunnel
• a remote access tunnel

Explanation: A Generic Routing Encapsulation (GRE) tunnel is a non-secure, site-to-site VPN tunneling solution that is capable of encapsulating any Layer 3 protocol between multiple sites across over an IP internetwork.

55. For what purpose would a network administrator use the Nmap tool?

• protection of the private IP addresses of internal hosts
• identification of specific network anomalies
• collection and analysis of security alerts and logs
• detection and identification of open ports

56. Match the network service with the description.

57. A client application needs to terminate a TCP communication session with a server. Place the termination process steps in the order that they will occur. (Nat all options are used.)

58. Match the attack surface with attack exploits.

59. Match the Linux host-based firewall application with its description.

60. What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?

• DHCP starvation
• IP address spoofing
• DHCP spoofing
• CAM table attack

Explanation: DCHP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages in order to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.

61. Refer to the exhibit. If Host1 were to transfer a file to the server, what layers of the TCP/IP model would be used?

• only application and Internet layers
• application, transport, Internet, and network access layers
• only Internet and network access layers
• only application, transport, network, data link, and physical layers
• only application, Internet, and network access layers
• application, session, transport, network, data link, and physical layers

Explanation: The TCP/IP model contains the application, transport, internet, and network access layers. A file transfer uses the FTP application layer protocol. The data would move from the application layer through all of the layers of the model and across the network to the file server.

62. A company has a file server that shares a folder named Public. The network security policy specifies that the Public folder is assigned Read-Only rights to anyone who can log into the server while the Edit rights are assigned only to the network admin group. Which component is addressed in the AAA network service framework?

• automation
• authentication
• authorization
• accounting

Explanation: After a user is successfully authenticated (logged into the server), the authorization is the process of determining what network resources the user can access and what operations (such as read or edit) the user can perform.

63. Match the destination network routing table entry type with a defintion.

64. A person coming to a cafe for the first time wants to gain wireless access to the Internet using a laptop. What is the first step the wireless client will do in order to communicate over the network using a wireless management frame?

• associate with the AP
• authenticate to the AP
• discover the AP
• agree with the AP on the payload

Explanation: In order for wireless devices to communicate on a wireless network, management frames are used to complete a three-stage process:

Discover the AP

Authenticate with the AP

Associate with the AP

65. A device has been assigned the IPv6 address of 2001:0db8:cafe:4500:1000:00d8:0058:00ab/64. Which is the network identifier of the device?

• 2001:0db8:cafe:4500:1000
• 2001:0db8:cafe:4500:1000:00d8:0058:00ab
• 1000:00d8:0058:00ab
• 2001:0db8:cafe:4500
• 2001

Explanation: The address has a prefix length of /64. Thus the first 64 bits represent the network portion, whereas the last 64 bits represent the host portion of the IPv6 address.

66. An administrator wants to create four subnetworks from the network address 192.168.1.0/24. What is the network address and subnet mask of the second useable subnet?

subnetwork 192.168.1.64

subnet mask 255.255.255.192

subnetwork 192.168.1.64

subnet mask 255.255.255.240

subnetwork 192.168.1.32

subnet mask 255.255.255.240

subnetwork 192.168.1.128

subnet mask 255.255.255.192

subnetwork 192.168.1.8

subnet mask 255.255.255.224

Explanation: The number of bits that are borrowed would be two, thus giving a total of 4 useable subnets:

192.168.1.0

192.168.1.64

192.168.1.128

192.168.1.192

Because 2 bits are borrowed, the new subnet mask would be /26 or 255.255.255.192

67. What term describes a set of software tools designed to increase the privileges of a user or to grant access to the user to portions of the operating system that should not normally be allowed?

• compiler
• rootkit
• package manager
• penetration testing

Explanation: A rootkit is used by an attacker to secure a backdoor to a compromised computer, grant access to portions of the operating system normally not permitted, or increase the privileges of a user.

68. The IT security personnel of an organization notice that the web server deployed in the DMZ is frequently targeted by threat actors. The decision is made to implement a patch management system to manage the server. Which risk management strategy method is being used to respond to the identified risk?

• risk sharing
• risk avoidance
• risk reduction
• risk retention

Explanation: There are four potential strategies for responding to risks that have been identified:

Risk avoidance – Stop performing the activities that create risk.

Risk reduction – Decrease the risk by taking measures to reduce vulnerability.

Risk sharing – Shift some of the risk to other parties.

Risk retention – Accept the risk and its consequences.

69. What are three characteristics of an information security management system? (Choose three.)

• It involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise.
• It is a systematic and multilayered approach to cybersecurity.
• It addresses the inventory and control of hardware and software configurations of systems.
• It consists of a set of practices that are systematically applied to ensure continuous improvement in information security.
• It consists of a management framework through which an organization identifies, analyzes, and addresses information security risks.
• It is based on the application of servers and security devices.

Explanation: An Information Security Management System (ISMS) consists of a management framework through which an organization identifies, analyzes, and addresses information security risks. ISMSs are not based in servers or security devices. Instead, an ISMS consists of a set of practices that are systematically applied by an organization to ensure continuous improvement in information security. ISMSs provide conceptual models that guide organizations in planning, implementing, governing, and evaluating information security programs.

ISMSs are a natural extension of the use of popular business models, such as Total Quality Management (TQM) and Control Objectives for Information and Related Technologies (COBIT), into the realm of cybersecurity.

An ISMS is a systematic, multi-layered approach to cybersecurity. The approach includes people, processes, technologies, and the cultures in which they interact in a process of risk management.

70. Which three technologies should be included in a SOC security information and event management system? (Choose three.)

• event collection, correlation, and analysis
• security monitoring
• user authentication
• proxy service
• intrusion prevention
• threat intelligence

Explanation: Technologies in a SOC should include the following:

• Event collection, correlation, and analysis

• Security monitoring

• Security control

• Log management

• Vulnerability assessment

• Vulnerability tracking

• Threat intelligence

Proxy server, VPN, and IPS are security devices deployed in the network infrastructure.

71. What part of the URL, http://www.cisco.com/index.html, represents the top-level DNS domain?

• http
• www
• .com
• index

Explanation: The components of the URL http://www.cisco.com/index.htm are as follows:

http = protocol

www = part of the server name

cisco = part of the domain name

index = file name

com = the top-level domain

72. What best describes the security threat of spoofing?

• sending bulk email to individuals, lists, or domains with the intention to prevent users from accessing email
• sending abnormally large amounts of data to a remote server to prevent user access to the server services
• intercepting traffic between two hosts or inserting false information into traffic between two hosts
• making data appear to come from a source that is not the actual source

73. A newly created company has fifteen Windows 10 computers that need to be installed before the company can open for business. What is a best practice that the technician should implement when configuring the Windows Firewall?

• The technician should remove all default firewall rules and selectively deny traffic from reaching the company network.
• After implementing third party security software for the company, the technician should verify that the Windows Firewall is disabled.
• The technician should create instructions for corporate users on how to allow an app through the WIndows Firewall using the Administrator account.
• The technician should enable the Windows Firewall for inbound traffic and install other firewall software for outbound traffic control.

Explanation: Only disable Windows Firewall if other firewall software is installed. Use the Windows Firewall (Windows 7 or 8) or the Windows Defender Firewall (Windows 10) Control Panel to enable or disable the Windows Firewall.

74. Which statement defines the difference between session data and transaction data in logs?

• Session data analyzes network traffic and predicts network behavior, whereas transaction data records network sessions.
• Session data is used to make predictions on network behaviors, whereas transaction data is used to detect network anomalies.
• Session data records a conversation between hosts, whereas transaction data focuses on the result of network sessions.
• Session data shows the result of a network session, whereas transaction data is in response to network threat traffic.

75. Match the network monitoring data type with the description.

76. Which device supports the use of SPAN to enable monitoring of malicious activity?

• Cisco Catalyst switch
• Cisco IronPort
• Cisco NAC
• Cisco Security Agent

Explanation: SPAN is a Cisco technology that allows all of the traffic from one port to be redirected to another port.

77. Which term is used for describing automated queries that are useful for adding efficiency to the cyberoperations workflow?

• cyber kill chain
• playbook
• chain of custody
• rootkit

Explanation: A playbook is an automated query that can add efficiency to the cyberoperations workflow.

78. When ACLs are configured to block IP address spoofing and DoS flood attacks, which ICMP message should be allowed both inbound and outbound?

• echo reply
• unreachable
• source quench
• echo

79. After a security monitoring tool identifies a malware attachment entering the network, what is the benefit of performing a retrospective analysis?

• It can identify how the malware originally entered the network.
• A retrospective analysis can help in tracking the behavior of the malware from the identification point forward.
• It can calculate the probability of a future incident.
• It can determine which network host was first affected.

Explanation: General security monitoring can identify when a malware attachment enters a network and which host is first infected. Retrospective analysis takes the next step and is the tracking of the behavior of the malware from that point forward.

80. Which two data types would be classified as personally identifiable information (PII)? (Choose two.)

• house thermostat reading
• average number of cattle per region
• vehicle identification number
• hospital emergency use per region
• Facebook photographs

81. A help desk technician notices an increased number of calls relating to the performance of computers located at the manufacturing plant. The technician believes that botnets are causing the issue. What are two purposes of botnets? (Choose two.)

• to transmit viruses or spam to computers on the same network
• to record any and all keystrokes
• to attack other computers
• to withhold access to a computer or files until money has been paid
• to gain access to the restricted part of the operating system

Explanation: Botnets can be used to perform DDoS attacks, obtain data, or transmit malware to other devices on the network.

82. Which two statements describe the use of asymmetric algorithms? (Choose two.)

• Public and private keys may be used interchangeably.
• If a public key is used to encrypt the data, a private key must be used to decrypt the data.
• If a public key is used to encrypt the data, a public key must be used to decrypt the data.
• If a private key is used to encrypt the data, a public key must be used to decrypt the data.
• If a private key is used to encrypt the data, a private key must be used to decrypt the data.

Explanation: Asymmetric algorithms use two keys: a public key and a private key. Both keys are capable of the encryption process, but the complementary matched key is required for decryption. If a public key encrypts the data, the matching private key decrypts the data. The opposite is also true. If a private key encrypts the data, the corresponding public key decrypts the data.

83. Which three security services are provided by digital signatures? (Choose three.)

• provides nonrepudiation using HMAC functions
• guarantees data has not changed in transit
• provides data encryption
• authenticates the source
• provides confidentiality of digitally signed data
• authenticates the destination

Explanation: Digital signatures are a mathematical technique used to provide three basic security services. Digital signatures have specific properties that enable entity authentication and data integrity. In addition, digital signatures provide nonrepudiation of the transaction. In other words, the digital signature serves as legal proof that the data exchange did take place.

84. What are two methods to maintain certificate revocation status? (Choose two.)

• CRL
• DNS
• subordinate CA
• OCSP
• LDAP

Explanation: A digital certificate might need to be revoked if its key is compromised or it is no longer needed. The certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP), are two common methods to check a certificate revocation status.

85. What are two uses of an access control list? (Choose two.)

• ACLs provide a basic level of security for network access.
• ACLs can control which areas a host can access on a network.
• Standard ACLs can restrict access to specific applications and ports.
• ACLs assist the router in determining the best path to a destination.
• ACLs can permit or deny traffic based upon the MAC address originating on the router.

Explanation: ACLs can be used for the following:Limit network traffic in order to provide adequate network performance

Restrict the delivery of routing updates

Provide a basic level of security

Filter traffic based on the type of traffic being sent

Filter traffic based on IP addressing

86. A client is using SLAAC to obtain an IPv6 address for the interface. After an address has been generated and applied to the interface, what must the client do before it can begin to use this IPv6 address?

• It must send an ICMPv6 Router Solicitation message to determine what default gateway it should use.
• It must send an ICMPv6 Router Solicitation message to request the address of the DNS server.
• It must send an ICMPv6 Neighbor Solicitation message to ensure that the address is not already in use on the network.
• It must wait for an ICMPv6 Router Advertisement message giving permission to use this address.

Explanation: Stateless DHCPv6 or stateful DHCPv6 uses a DHCP server, but Stateless Address Autoconfiguration (SLAAC) does not. A SLAAC client can automatically generate an address that is based on information from local routers via Router Advertisement (RA) messages. Once an address has been assigned to an interface via SLAAC, the client must ensure via Duplicate Address Detection (DAD) that the address is not already in use. It does this by sending out an ICMPv6 Neighbor Solicitation message and listening for a response. If a response is received, then it means that another device is already using this address.

87. A technician is troubleshooting a network connectivity problem. Pings to the local wireless router are successful but pings to a server on the Internet are unsuccessful. Which CLI command could assist the technician to find the location of the networking problem?

• tracert
• ipconfig
• msconfig
• ipconfig/renew

Explanation: The tracert utlility (also known as the tracert command or tracert tool) will enable the technician to locate the link to the server that is down. The ipconfig command displays the computer network configuration details. The ipconfig/renew command requests an IP address from a DHCP server. Msconfig is not a network troubleshooting command.

88. What are two evasion techniques that are used by hackers? (Choose two.)

• Trojan horse
• pivot
• rootkit
• reconnaissance
• phishing

Explanation: The following methods are used by hackers to avoid detection:Encryption and tunneling – hide or scramble the malware content

Resource exhaustion – keeps the host device too busy to detect the invasion

Traffic fragmentation – splits the malware into multiple packets

Protocol-level misinterpretation – sneaks by the firewall

Pivot – uses a compromised network device to attempt access to another device

Rootkit – allows the hacker to be undetected and hides software installed by the hacker

89. When a security attack has occurred, which two approaches should security professionals take to mitigate a compromised system during the Actions on Objectives step as defined by the Cyber Kill Chain model? (Choose two.)

• Perform forensic analysis of endpoints for rapid triage.
• Train web developers for securing code.
• Build detections for the behavior of known malware.
• Collect malware files and metadata for future analysis.
• Detect data exfiltration, lateral movement, and unauthorized credential usage.

Explanation: When security professionals are alerted about the system compromises, forensic analysis of endpoints should be performed immediately for rapid triage. In addition, detection efforts for further attacking activities such as data exfiltration, lateral movement, and unauthorized credential usage should be enhanced to reduce damage to the minimum.

90. Place the seven steps defined in the Cyber Kill Chain in the correct order.

91. Which field in the TCP header indicates the status of the three-way handshake process?

• control bits
• window
• reserved
• checksum

Explanation: The value in the control bits field of theTCP header indicates the progress and status of the connection.

92. A user opens three browsers on the same PC to access www.cisco.com to search for certification course information. The Cisco web server sends a datagram as a reply to the request from one of the web browsers. Which information is used by the TCP/IP protocol stack in the PC to identify which of the three web browsers should receive the reply?

• the source IP address
• the destination port number
• the destination IP address
• the source port number

Explanation: Each web browser client application opens a randomly generated port number in the range of the registered ports and uses this number as the source port number in the datagram that it sends to a server. The server then uses this port number as the destination port number in the reply datagram that it sends to the web browser. The PC that is running the web browser application receives the datagram and uses the destination port number that is contained in this datagram to identify the client application.

93. What are two scenarios where probabilistic security analysis is best suited? (Choose two.)

• when applications that conform to application/networking standards are analyzed
• when analyzing events with the assumption that they follow predefined steps
• when random variables create difficulty in knowing with certainty the outcome of any given event
• when analyzing applications designed to circumvent firewalls
• when each event is the inevitable result of antecedent causes

94. Which tool is a web application that provides the cybersecurity analyst an easy-to-read means of viewing an entire Layer 4 session?

• Snort
• Zeek
• CapME
• OSSEC

95. Match the category of attacks with the description. (Not all options are used.)

96. What are two characteristics of the SLAAC method for IPv6 address configuration? (Choose two.)

• The default gateway of an IPv6 client on a LAN will be the link-local address of the router interface attached to the LAN.
• This stateful method of acquiring an IPv6 address requires at least one DHCPv6 server.
• Clients send router advertisement messages to routers to request IPv6 addressing.
• IPv6 addressing is dynamically assigned to clients through the use of ICMPv6.
• Router solicitation messages are sent by the router to offer IPv6 addressing to clients.

Explanation: With SLAAC, the default gateway for IPv6 clients will be the link-local address of the router interface that is attached to the client LAN. The IPv6 addressing is dynamically assigned via the ICMPv6 protocol. SLAAC is a stateless method of acquiring an IPv6 address, a method that requires no servers. When a client is configured to obtain its addressing information automatically via SLAAC, the client sends a router solicitation message to the IPv6 all-routers multicast address FF02::2. The router advertisement messages are sent by routers to provide addressing information to clients.

97. A technician notices that an application is not responding to commands and that the computer seems to respond slowly when applications are opened. What is the best administrative tool to force the release of system resources from the unresponsive application?

• Event Viewer
• System Restore
• Add or Remove Programs
• Task Manager

Explanation: Use the Task Manager Performance tab to see a visual representation of CPU and RAM utilization. This is helpful in determining if more memory is needed. Use the Applications tab to halt an application that is not responding.

98. How can statistical data be used to describe or predict network behavior?

• by comparing normal network behavior to current network behavior
• by recording conversations between network endpoints
• by listing results of user web surfing activities
• by displaying alert messages that are generated by Snort

Explanation: Statistical data is created through the anal