
1. An attacker sends a piece of malware as an email attachment to employees in a company. What is
one probable purpose of the attack?

probing open ports on the firewall on the border network

denying external access to a web server that is open to the public

searching and obtaining trade secrets

cracking the administrator password for a critical server

2. What is cyberwarfare?

It is an attack that only involves robots and bots.

It is an attack designed to disrupt, corrupt, or exploit national interests.

It is an attack on a major corporation.

It is an attack only on military targets.


3. What type of malware has the primary objective of spreading across the network?

botnet

Trojan horse

worm

virus
4. What is a potential risk when using a free and open wireless hotspot in a public location?

Too many users trying to connect to the Internet may cause a network traffic jam.

Network traffic might be hijacked and information stolen.

Purchase of products from vendors might be required in exchange for the Internet access.

The Internet connection can become too slow when many users access the wireless hotspot.
5. At the request of investors, a company is proceeding with cyber attribution with a particular attack
that was conducted from an external source. Which security term is used to describe the person or
device responsible for the attack?

fragmenter

skeleton

tunneler

threat actor
6. What name is given to an amateur hacker?

script kiddie

blue team

black hat

red hat
7. What commonly motivates cybercriminals to attack networks as compared to hacktivists or state-
sponsored hackers?

political reasons

fame seeking

financial gain

status among peers

8. What is a botnet?

a group of web servers that provide load balancing and fault tolerance

a network that allows users to bring their own technology

an online video game intended for multiple players

a network of infected computers that are controlled as a group


9. What is a rogue wireless hotspot?

It is a hotspot that does not encrypt network user traffic.

It is a hotspot that was set up with outdated devices.

It is a hotspot that appears to be from a legitimate business but was actually set up by someone
without the permission from the business.

It is a hotspot that does not implement strong user authentication mechanisms.


10. What is the best definition of personally identifiable information (PII)?

Data that is collected by businesses to track the digital behavior of consumers.


Data that is collected from servers and web browsers using cookies in order to track a consumer.

Data that is collected by businesses to distinguish identities of individuals.

Data that is collected from servers and websites for anonymous browsing.
11. What was used as a cyberwarfare weapon to attack a uranium enrichment facility in Iran?

DDoS

Stuxnet

PSYOPS

SQL injection
12. A company pays a significant sum of money to hackers in order to regain control of an email and
data server. Which type of security attack was used by the hackers?

DoS

Trojan horse

spyware

Ransomware

1. Which SOC job role manages all the resources of the SOC and serves as a point of contact for the
larger organization or customer?

SME/Threat Hunter

SOC Manager

Cybersecurity Analyst

Incident Responder
2. Which SOC job role processes security alerts and forwards tickets to Tier 2 if necessary?

SME/Threat Hunter

SOC Manager

Cybersecurity Analyst

Incident Responder
3. Which SOC job role is responsible for deep investigation of incidents?

SME/Threat Hunter

SOC Manager

Cybersecurity Analyst

Incident Responder
4. Which device integrates security information and event management into a single platform?

SIEM

SOAR

Threat Hunter
5. Which device integrates orchestration tools and resources to automatically respond to security
events?

SIEM

SOAR

Threat Hunter

1. Which personnel in a SOC is assigned the task of verifying whether an alert triggered by monitoring
software represents a true security incident?

Tier 2 personnel

Tier 3 personnel

SOC Manager

Tier 1 personnel
2. After a security incident is verified in a SOC, an incident responder reviews the incident but cannot
identify the source of the incident and form an effective mitigation procedure. To whom should the
incident ticket be escalated?

the SOC manager to ask for other personnel to be assigned

a SME for further investigation

an alert analyst for further analysis

a cyberoperations analyst for help


3. Which two services are provided by security operations centers? (Choose two.)

monitoring network security threats

responding to data center physical break-ins

providing secure Internet connections


ensuring secure routing packet exchanges

managing comprehensive threat solutions


4. Which metric is used in SOCs to evaluate the average time that it takes to identify that valid security
incidents have occurred in the network?

MTTR

Dwell Time

MTTC

MTTD
5. Which KPI metric does SOAR use to measure the length of time that threat actors have access to a
network before they are detected and the access of the threat actors stopped?

MTTC

Dwell Time

MTTR

MTTD
6. What is the role of SIEM?

to analyze any OS vulnerabilities and apply security patches to secure the operating systems

to analyze all the data that firewalls, network appliances, intrusion detection systems, and other
devices generate and institute preventive measures

to analyze all the network packets for any malware signatures and update the vulnerabilities
database

to analyze all the network packets for any malware signatures and synchronize the signatures with
the Federal Government databases
7. What is a characteristic of the SOAR security platform?

to include predefined playbooks that enable automatic response to specific threats

to provide a user friendly interface that uses the Python programming language to manage security
threats

to provide a means to synchronize the vulnerabilities database

to interact with the Federal Government security sites and update all vulnerability platforms
8. A network security professional has applied for a Tier 2 position in a SOC. What is a typical job
function that would be assigned to a new employee?

hunting for potential security threats and implementing threat detection tools

monitoring incoming alerts and verifying that a true security incident has occurred

serving as the point of contact for a customer

further investigating security incidents


9. If a SOC has a goal of 99.99% uptime, how many minutes of downtime a year would be considered
within its goal?

48.25

50.38

60.56

52.56
10. Which organization offers the vendor-neutral CySA+ certification?

IEEE

GIAC

(ISC)²

CompTIA
11. In the operation of a SOC, which system is frequently used to let an analyst select alerts from a pool
to investigate?

syslog server

security alert knowledge-based system

ticketing system

registration system
12. How can a security information and event management system in a SOC be used to help personnel
fight against security threats?

by encrypting communications to remote sites

by collecting and filtering data

by filtering network traffic

by authenticating users to network resources


13. Which three technologies should be included in a security information and event management
system in a SOC? (Choose three.)

intrusion prevention

threat intelligence

VPN connection

security monitoring

vulnerability tracking

firewall appliance
1. Which Windows registry hive stores information about object linking and embedding (OLE)
registrations?

HKEY_CLASSES_ROOT (HKCR)

HKEY_CURRENT_CONFIG (HKCC)

HKEY_CURRENT_USER (HKCU)

HKEY_LOCAL_MACHINE (HKLM)

HKEY_USERS (HKU)
2. Which Windows registry hive stores information about the current hardware profile?

HKEY_CLASSES_ROOT (HKCR)

HKEY_CURRENT_CONFIG (HKCC)

HKEY_CURRENT_USER (HKCU)

HKEY_LOCAL_MACHINE (HKLM)

HKEY_USERS (HKU)
3. Which Windows registry hive stores information concerning all the user accounts on the host?

HKEY_CLASSES_ROOT (HKCR)

HKEY_CURRENT_CONFIG (HKCC)

HKEY_CURRENT_USER (HKCU)

HKEY_LOCAL_MACHINE (HKLM)

HKEY_USERS (HKU)
4. Which Windows registry hive stores information concerning the currently logged in user?

HKEY_CLASSES_ROOT (HKCR)

HKEY_CURRENT_CONFIG (HKCC)

HKEY_CURRENT_USER (HKCU)

HKEY_LOCAL_MACHINE (HKLM)

HKEY_USERS (HKU)
5. Which Windows registry hive stores system-related information?

HKEY_CLASSES_ROOT (HKCR)

HKEY_CURRENT_CONFIG (HKCC)

HKEY_CURRENT_USER (HKCU)

HKEY_LOCAL_MACHINE (HKLM)

HKEY_USERS (HKU)

1. Which Windows tool selectively denies traffic to a computer or network segment?

Event Viewer

Resource Monitor

Task manager

Windows Defender

Windows Defender Firewall

Windows Registry
2. Which Windows tool logs history, application, security, and system events?

Event Viewer

Resource Monitor

Task manager

Windows Defender

Windows Firewall

Windows Registry
3. Which Windows tool or command can be used to look for inbound or outbound TCP connections on
a Windows host that are not authorized?

netstat

Network and Sharing Center

Regedit

Net

resource monitor

Nslookup
4. Which Windows tool provides resource information, such as memory, CPU, disk, and network?

Event Viewer

Resource Monitor

Task manager

Windows Defender

Windows Firewall

Windows Registry
5. Which Windows tool is the built-in virus and spyware protection?

Event Viewer

Resource Monitor

Task manager

Windows Defender

Windows Firewall

Windows Registry
6. Which command or tool finds the IP address of a server from a URL?

Net

Windows Registry

Nslookup

net session

Netstat
7. Which Windows tool provides information about applications, processes, and services running on
the computer?

Event Viewer

Resource Monitor

Task manager

Windows Defender

Windows Firewall

Windows Registry
8. Which Windows tool is the database that stores all the information about hardware, applications,
users, and system settings?

Event Viewer

Resource Monitor

Task manager

Windows Defender

Windows Firewall

Windows Registry

1. When a user makes changes to the settings of a Windows system, where are these changes
stored?

Registry

win.ini

boot.ini

Control Panel
2. Which user account should be used only to perform system management and not as the account for
regular use?

administrator

power user

guest

standard user
3. Which command is used to manually query a DNS server to resolve a specific host name?

tracert

ipconfig /displaydns

nslookup

net
4. For security reasons a network administrator needs to ensure that local computers cannot ping each
other. Which settings can accomplish this task?

smartcard settings

firewall settings

MAC address settings

file system settings


5. What contains information on how hard drive partitions are organized?

BOOTMGR

Windows Registry

CPU

MBR
6. What utility is used to show the system resources consumed by each user?

Device Manager

Event Viewer

Task Manager

User Accounts
7. What term is used to describe a logical drive that can be formatted to store data?

partition

volume

track

sector

cluster
8. How much RAM is addressable by a 32-bit version of Windows?

4 GB

8 GB

16 GB

32 GB
9. Which Windows version was the first to introduce a 64-bit Windows operating system?

Windows 7

Windows 10

Windows NT

Windows XP
10. Which net command is used on a Windows PC to establish a connection to a shared directory on a
remote server?

net share

net session

net start

net use
11. What is the purpose of the cd command?

changes directory to the root directory

changes directory to the next highest directory

changes directory to the next lower directory

changes directory to the previous directory


12. What would be displayed if the netstat -abno command was entered on a Windows PC?

a local routing table

only active UDP connections in a LISTENING state


only active TCP connections in an ESTABLISHED state

all active TCP and UDP connections, their current state, and their associated process ID (PID)
13. A security incident has been filed and an employee believes that someone has been on the
computer since the employee left last night. The employee states that the computer was turned off
before the employee left for the evening. The computer is running slowly and applications are acting
strangely. Which Microsoft Windows tool would be used by the security analyst to determine if and
when someone logged on to the computer after working hours?

Event Viewer

Task Manager

Performance Monitor

PowerShell

1. Which type of tool is used by a Linux administrator to attack a computer or network to find
vulnerabilities?

malware analysis

PenTesting

firewall

intrusion detection system


2. What is a benefit of Linux being an open source operating system?

Linux distributions must include free support without cost.

Linux distributions are maintained by a single organization.


Linux distributions are simpler operating systems since they are not designed to be connected to a
network.

Linux distribution source code can be modified and then recompiled.


3. Which method can be used to harden a device?

Force periodic password changes.

Allow users to re-use old passwords.

Allow USB auto-detection.

Allow default services to remain enabled.


4. A system administrator issues the command ps on a server that is running the Linux operating
system. What is the purpose of this command?

to process a new task

to list the processes currently running in the system

to display the contents of the current directory

to change file permissions


5. Which operating system source code can be downloaded and modified by any person or company?

Cisco IOS

Windows

Mac OS X

Linux
6. Which file system is the primary file system used by Apple in current Macintosh computers?

CDFS

APFS

HFS+

ext2

ext3
7. Consider the result of the ls -l command in the Linux output below. What are the group file
permissions assigned to the analyst.txt file?

ls -l analyst.txt
-rwxrw-r-- sales staff 1028 May 28 15:50 analyst.txt

full access

read, write, execute

read, write

read only
8. In the context of a Linux operating system, which command can be used to display the syntax and
parameters for a specific command?

man

cat

grep

crontab
9. What is a daemon?

a record to keep track of important events

a type of security attack

a background process that runs without the need for user interaction

an application that monitors and analyzes suspicious activity


10. Which Linux command can be used to display the name of the current working directory?

chmod

ps

sudo

pwd
11. An author is uploading one chapter document from a personal computer to a file server of a book
publisher. What role is the personal computer assuming in this network model?

transient

server

slave

client

master
12. A technician has captured packets on a network that has been running slowly when accessing the
internet. Which port number should the technician look for within the captured material to locate
HTTP packets?

21

20

110

53

80
13. A system administrator issues the apt-get upgrade command on a Linux operating system. What is
the purpose of this command?

Every application installed will update itself to the latest version.

Operating system updates are downloaded and will be installed.

A specific application named upgrade will be installed.

The remote repository of applications and dependencies will be updated to the latest version.
14. Why would a rootkit be used by a hacker?

to do reconnaissance

to try to guess a password

to reverse engineer binary files

to gain access to a device without being detected


1. What is the process of dividing a large data stream into smaller pieces prior to transmission?

sequencing

duplexing

multiplexing

segmentation
2. What is the PDU associated with the transport layer?

segment

packet

bits

frame
3. Which protocol stack layer encapsulates data into frames?

data link

transport

network

application
4. What is the name of the process of adding protocol information to data as it moves down the
protocol stack?

de-encapsulation

sequencing

segmentation

Encapsulation

1. A host is transmitting a broadcast. Which host or hosts will receive it?

the closest neighbor on the same network

a specially defined group of hosts

all hosts in the same network

all hosts on the Internet


2. Which statement describes a characteristic of cloud computing?

A business can connect directly to the Internet without the use of an ISP.

Devices can connect to the Internet through existing electrical wiring.

Applications can be accessed over the Internet by individual users or businesses using any device,
anywhere in the world.

Investment in new infrastructure is required in order to access the cloud.


3. A network administrator can successfully ping the server at www.cisco.com, but cannot ping the
company web server located at an ISP in another city. Which tool or command would help identify
the specific router where the packet was lost or delayed?

netstat

traceroute

telnet

ipconfig
4. Which OSI model layer contains protocols for process-to-process communication?

session

transport

network

application
5. At which OSI layer is a destination port number added to a PDU during the encapsulation process?

data link layer

application layer

network layer

transport layer
6. What process involves placing one PDU inside of another PDU?

encoding

encapsulation

flow control

segmentation
7. Which statement accurately describes a TCP/IP encapsulation process when a PC is sending data
to the network?

Segments are sent from the transport layer to the internet layer.

Data is sent from the internet layer to the network access layer.

Packets are sent from the network access layer to the transport layer.

Frames are sent from the network access layer to the internet layer.
8. A web client is receiving a response for a web page from a web server. From the perspective of the
client, what is the correct order of the protocol stack that is used to decode the received
transmission?

HTTP, Ethernet, IP, TCP

Ethernet, IP, TCP, HTTP

Ethernet, TCP, IP, HTTP

HTTP, TCP, IP, Ethernet


9. How does BYOD change the way in which businesses implement networks?

BYOD users are responsible for their own network security, thus reducing the need for
organizational security policies.

BYOD provides flexibility in where and how users can access network resources.

BYOD devices are more expensive than devices that are purchased by an organization.

BYOD requires organizations to purchase laptops rather than desktops.


10. In computer communication, what is the purpose of message encoding?

to break large messages into smaller frames

to convert information to the appropriate form for transmission

to negotiate correct timing for successful communication

to interpret information
11. Which statement is true about the TCP/IP and OSI models?

The first three OSI layers describe general services that are also provided by the TCP/IP internet
layer.

The TCP/IP network access layer has similar functions to the OSI network layer.

The TCP/IP transport layer and OSI Layer 4 provide similar services and functions.

The OSI Layer 7 and the TCP/IP application layer provide identical functions.
12. What method can be used by two computers to ensure that packets are not dropped because too
much data is being sent too quickly?

encapsulation

response timeout

flow control

access method

1. Which Ethernet frame field assists a host in determining if the frame that is received is addressed to
it?

source address

preamble

destination address

frame check sequence


2. Which Ethernet frame field notifies destinations to get ready for a new frame?

preamble

type

destination address

frame check sequence


3. Which Ethernet frame field describes the higher-layer protocol that is encapsulated?

data field

destination address

Type/Length

frame check sequence


4. Which part of the Ethernet frame helps a destination detect if there are errors in a frame?

start frame delimiter

frame check sequence

preamble

data field

1. What are the two most commonly referenced fields in an IPv4 packet header that indicate where the
packet is coming from and where it is going? (Choose two.)

destination IP address

protocol

Time to Live

source IP address

Differentiated Services (DS)


2. Which statement is correct about IPv4 packet header fields?

The source and destination IPv4 addresses remain the same while travelling from source to
destination.

The Time to Live field is used to determine the priority of each packet.

The Total Length and Header Checksum fields are used to reorder a fragmented packet.

The Version field identifies the next level protocol.


3. Which field is used to detect corruption in the IPv4 header?

Header Checksum

Time to Live

Protocol

Differentiated Services (DS)


4. Which field includes common values such as ICMP (1), TCP (6), and UDP (17)?

Header Checksum

Time to Live

Protocol

Differentiated Services (DS)

1. Which OSI layer sends segments to be encapsulated in an IPv4 or IPv6 packet?

data link layer

network layer

transport layer

session layer
2. Which layer is responsible for taking an IP packet and preparing it for transmission over the
communications medium?

physical layer

network layer

data link layer


transport layer
3. What is the term for splitting up an IP packet when forwarding it from one medium to another
medium with a smaller MTU?

encapsulation

fragmentation

segmentation

serialization
4. Which delivery method does not guarantee that the packet will be delivered fully without errors?

connectionless

best effort

media independent

1. Which two statements are correct about an IPv4 address? (Choose two.)

It contains a network portion.

It contains a host portion.

It is 24 bits in length.

The information within the IPv4 address is sufficient for determining the network portion and host
portion of the address.
2. Which two statements are correct about an IPv4 subnet mask? (Choose two.)

It is 24 bits in length.

It differentiates the network portion from the host portion of an IPv4 address.

It is any combination of 0 and 1 bits.

It is a consecutive sequence of 0 bits followed by a consecutive sequence of 1 bits.

The 1 bits determine the network portion of an IPv4 address, and the 0 bits determine the host
portion.
3. Which three statements are correct about the AND operation? (Choose three.)

The AND operation is performed between an IPv4 address and subnet mask.

The AND operation is performed between two IPv4 addresses.

1 AND 1 results in a 0

1 AND 0 results in a 0

It is used to determine the network and host portions of an IPv4 address.


4. What is the result of a logical AND operation of: 10.128.17.4 255.255.240.0?

The IPv4 network address of 10.128.0.0 255.255.240.0

The IPv4 network address of 10.128.16.0 255.255.240.0

The IPv4 network address of 10.128.17.0 255.255.240.0

The IPv4 network address of 10.128.17.4 255.255.240.0

1. Which statement about host forwarding decisions is true?


A host cannot ping itself.

A remote destination host is on the same local network as the sending host.

Local hosts can reach each other without the need of a router.

Routing is enabled on switches to discover the best path to a destination.


2. Which default gateway statement is true?

A default gateway is required to send packets to other hosts on the local network.

The default gateway address is the IP address of a switch on a remote network.

The default gateway address is the IP address of the router on the local network.

Traffic can only be forwarded outside the local network if there is no default gateway.
3. Which two commands could be entered on a Windows host to view its IPv4 and IPv6 routing table?
(Choose two.)

netroute -l

netstat -r

print route

route print

print net

1. Which two characteristics describe Ethernet technology? (Choose two.)


It typically uses an average of 16 Mb/s for data transfer rates.

It is supported by IEEE 802.3 standards.

It uses a ring topology.

It is supported by IEEE 802.5 standards.

It uses the CSMA/CD access control method.


2. What are two services provided by the OSI network layer? (Choose two.)

placement of frames on the media

routing packets toward the destination

encapsulating PDUs from the transport layer

performing error detection

collision detection
3. How do hosts ensure that their packets are directed to the correct network destination?

They search in their own local routing table for a route to the network destination address and pass
this information to the default gateway.

They always direct their packets to the default gateway, which will be responsible for the packet
delivery.

They have to keep their own local routing table that contains a route to the loopback interface, a
local network route, and a remote default route.

They send a query packet to the default gateway asking for the best route.
4. A technician uses the ping 127.0.0.1 command. What is the technician testing?

connectivity between a PC and the default gateway

physical connectivity of a particular PC and the network

the TCP/IP stack on a network host

connectivity between two PCs on the same network

connectivity between two adjacent Cisco devices


5. What is the correct compressed format of the IPv6 address
2001:0db8:eeff:000a:0000:0000:0000:0001?

2001:db8:eeff:a:::1

2001:db8:eeff:a:1

2001:db8:eeff:a::0001

2001:db8:eeff:a::1
6. Which function or operation is performed by the LLC sublayer?

It adds a header and trailer to a packet to form an OSI Layer 2 PDU.

It is responsible for media access control.

It communicates with upper protocol layers.

It performs data encapsulation.


7. How many usable IP addresses are available on the 192.168.1.0/27 network?

62

16

30

254

256

32

8. Refer to the exhibit. Consider the IP address configuration shown from PC1. What is a description of
the default gateway address?
the default gateway address?

It is the IP address of the Router1 interface that connects the PC1 LAN to Router1.

It is the IP address of the ISP network device located in the cloud.

It is the IP address of Switch1 that connects PC1 to other devices on the same LAN.

It is the IP address of the Router1 interface that connects the company to the Internet.
9. What is the command netstat -r used for?

to display the host routing table

to renew the default gateway

to display the TCP sockets


to release the assigned IP address
10. A device has an IPv6 address of 2001:0DB8:75a3:0214:0607:1234:aa10:ba01 /64. What is the host
identifier of the device?

2001:0DB8

ba01

2001:0DB8:75a3

0607:1234:aa10:ba01
11. Which statement describes a MAC address?

It is a physical address assigned to an Ethernet NIC by the manufacturer.

It contains two portions, the network portion and the host portion.

It is 128 bits in length.

It identifies the source and destination addresses of hosts on the Internet.


12. Why does a Layer 3 device perform the ANDing process on a destination IP address and subnet
mask?

to identify the host address of the destination host

to identify the broadcast address of the destination network

to identify the network address of the destination network

to identify faulty frames


13. What are two characteristics of IP? (Choose two.)

retransmits packets if errors occur

re-assembles out of order packets into the correct order at the receiver end

does not require a dedicated end-to-end connection

guarantees delivery of packets

operates independently of the network media


14. Which three IP addresses are private? (Choose three.)

10.1.1.1

224.6.6.6

192.167.10.10

172.16.4.4

192.168.5.5

172.32.5.2

1. What is indicated by a successful ping to the ::1 IPv6 address?

IP is properly installed on the host.

The default gateway address is correctly configured.

The link-local address is correctly configured.


The host is cabled properly.

All hosts on the local link are available.


2. A user complains that the workstation cannot access the network. The network technician asks the
user to issue the ping 127.0.0.1 command. What is the purpose of using this command?

to test the reachability of a remote network

to check that the workstation can reach a DHCP server

to verify that the NIC is configured with a static address

to verify that the TCP/IP stack is operational


3. What process is used in ICMPv6 for a host to verify that an IPv6 address is unique before
configuring it on an interface?

ARP

EUI-64

SLAAC

DAD
4. A network administrator can successfully ping the server at www.cisco.com, but cannot ping the
company web server located at an ISP in another city. Which tool or command would help identify
the specific router where the packet was lost or delayed?

telnet

traceroute

netstat

ipconfig
5. A user executes a traceroute over IPv6. At what point would a router in the path to the destination
device drop the packet?

when the value of the Hop Limit field reaches 255

when the router receives an ICMP time exceeded message

when the target host responds with an ICMP echo reply message

when the value of the Hop Limit field reaches zero


6. Which ICMPv6 message is sent when the IPv6 hop limit field of a packet is decremented to zero and
the packet cannot be forwarded?

time exceeded

protocol unreachable

network unreachable

port unreachable
7. What message is sent by a host to check the uniqueness of an IPv6 address before using that
address?

router solicitation

echo request

ARP request

neighbor solicitation
8. Which protocol is used by ping to test connectivity between network hosts?

ARP

TCP

DHCP

ICMP
9. A user issues a ping 2001:db8:3040:114::88 command and receives a response that includes a
code of 3. What does this code represent?

port unreachable

network unreachable

protocol unreachable

host unreachable
10. A user issues a ping 192.168.219.8 command and receives a response that includes a code of 0.
What does this code represent?

port unreachable

protocol unreachable

host unreachable

network unreachable
11. What characterizes a traceroute utility?

It identifies the routers in the path from a source host to a destination host.

It sends four Echo Request messages.

It utilizes the ICMP Route Redirection messages.

It is primarily used to test connectivity between two hosts.


12. Why would a manager need to use the tracert command?

to display a list of the near-side router interfaces between the source device and the destination
device

to quickly verify connectivity by sending echo-request messages to the destination and receiving a
series of echo-reply messages from that destination

to query the Domain Name System (DNS) to get domain names and mapping information

to display a list of current processes running on a local or a remote computer


13. Which protocol supports Stateless Address Autoconfiguration (SLAAC) for dynamic assignment of
IPv6 addresses to a host?

DHCPv6

UDP

ICMPv6

ARPv6
1. A host is transmitting a broadcast. Which host or hosts will receive it?

all hosts in the same network

a specially defined group of hosts


all hosts on the Internet

the closest neighbor on the same network


2. Which statement describes a characteristic of cloud computing?

Devices can connect to the Internet through existing electrical wiring.

A business can connect directly to the Internet without the use of an ISP.

Investment in new infrastructure is required in order to access the cloud.

Applications can be accessed over the Internet by individual users or businesses using any device,
anywhere in the world.
3. A network administrator can successfully ping the server at www.cisco.com, but cannot ping the
company web server located at an ISP in another city. Which tool or command would help identify
the specific router where the packet was lost or delayed?

ipconfig

traceroute

netstat

telnet
4. Which OSI model layer contains protocols for process-to-process communication?

session

network

application

transport
5. At which OSI layer is a destination port number added to a PDU during the encapsulation process?

data link layer

transport layer

application layer

network layer
6. What process involves placing one PDU inside of another PDU?

encoding

flow control

encapsulation

segmentation
7. Which statement accurately describes a TCP/IP encapsulation process when a PC is sending data
to the network?

Segments are sent from the transport layer to the internet layer.

Data is sent from the internet layer to the network access layer.

Packets are sent from the network access layer to the transport layer.

Frames are sent from the network access layer to the internet layer.
8. A web client is receiving a response for a web page from a web server. From the perspective of the
client, what is the correct order of the protocol stack that is used to decode the received
transmission?

Ethernet, IP, TCP, HTTP

HTTP, TCP, IP, Ethernet

Ethernet, TCP, IP, HTTP

HTTP, Ethernet, IP, TCP


9. How does BYOD change the way in which businesses implement networks?

BYOD devices are more expensive than devices that are purchased by an organization.

BYOD requires organizations to purchase laptops rather than desktops.

BYOD provides flexibility in where and how users can access network resources.

BYOD users are responsible for their own network security, thus reducing the need for
organizational security policies.
10. In computer communication, what is the purpose of message encoding?

to convert information to the appropriate form for transmission

to negotiate correct timing for successful communication

to interpret information

to break large messages into smaller frames


11. Which statement is true about the TCP/IP and OSI models?

The OSI Layer 7 and the TCP/IP application layer provide identical functions.

The first three OSI layers describe general services that are also provided by the TCP/IP internet
layer.

The TCP/IP network access layer has similar functions to the OSI network layer.

The TCP/IP transport layer and OSI Layer 4 provide similar services and functions.
12. What method can be used by two computers to ensure that packets are not dropped because too
much data is being sent too quickly?

flow control

response timeout

access method

Encapsulation

1. What field is used by the destination host to reassemble segments into the original order?

Control Bits

Destination Port

Sequence Number

Source Port

Window Size
2. What field is used to provide flow control?

Control Bits

Destination Port

Sequence Number

Source Port

Window Size
3. What happens when a sending host senses there is congestion?

The receiving host increases the number of bytes it sends before receiving an acknowledgment
from the sending host.

The receiving host reduces the number of bytes it sends before receiving an acknowledgment from
the sending host.

The sending host increases the number of bytes it sends before receiving an acknowledgment from
the destination host.

The sending host reduces the number of bytes it sends before receiving an acknowledgment from
the destination host.

1. What are two roles of the transport layer in data communication on a network? (Choose two.)

providing the interface between applications and the underlying network over which messages are
transmitted

tracking the individual communication between applications on the source and destination hosts

performing a cyclic redundancy check on the frame for errors

providing frame delimiting to identify bits making up a frame

identifying the proper application for each communication stream


2. During a TCP session, a destination device sends an acknowledgment number to the source device.
What does the acknowledgment number represent?

the total number of bytes that have been received

one number more than the sequence number

the next byte that the destination expects to receive

the last sequence number that was sent by the source


3. Which two services or protocols use the preferred UDP protocol for fast transmission and low
overhead? (Choose two.)

HTTP

FTP

VoIP

POP3

DNS
4. Which transport layer feature is used to guarantee session establishment?

TCP 3-way handshake

UDP ACK flag

TCP port number

UDP sequence number


5. Data is being sent from a source PC to a destination server. Which three statements correctly
describe the function of TCP or UDP in this situation? (Choose three.)

The TCP process running on the PC randomly selects the destination port when establishing a
session with the server.

The TCP source port number identifies the sending host on the network.

UDP segments are encapsulated within IP packets for transport across the network.

TCP is the preferred protocol when a function requires lower network overhead.

The UDP destination port number identifies the application or service on the server which will
handle the data.

The source port field identifies the running application or service that will handle data returning to
the PC.
6. What is the purpose of the TCP sliding window?

to request that a source decrease the rate at which it transmits data

to end communication when data transmission is complete

to inform a source to retransmit data from a specific point forward

to ensure that segments arrive in order at the destination


7. What happens if part of an FTP message is not delivered to the destination?

The FTP source host sends a query to the destination host.

The part of the FTP message that was lost is re-sent.


The entire FTP message is re-sent.

The message is lost because FTP does not use a reliable delivery method.
8. Which two flags in the TCP header are used in a TCP three-way handshake to establish connectivity
between two network devices? (Choose two.)

RST

URG

SYN

PSH

FIN

ACK
9. Which tool is used to provide a list of open ports on network devices?

Tracert

Nmap

Whois

Ping
10. Which two fields are included in the TCP header but not in the UDP header? (Choose two.)

destination port

checksum

source port

window

sequence number

11. Refer to the exhibit. Which three lines represent the TCP three-way handshake?

lines 1, 2, and 3

lines 4, 5, and 6

lines 6, 7, and 8

lines 2, 8, and 9

lines 2, 3, and 4
12. What is a characteristic of a TCP server process?

There can be many ports open simultaneously on a server, one for each active server application.

Every application process running on the server has to be configured to use a dynamic port
number.

An individual server can have two services assigned to the same port number within the same
transport layer services.

A host running two different applications can have both configured to use the same server port.

1. What information does DHCPv4 provide to network clients? (Choose three.)


host address

MAC address

DHCP version number

subnet mask

default gateway address


2. True or false. DHCP can lease addresses to hosts for different periods of time.

True

False
3. In large networks, static IPv4 addresses are usually assigned to which devices? (Choose two.)

personal computers

phones and tablets

gateway routers

printers

laptops
4. Which DHCP message is sent from a client when the client starts up and requires an IP address?

DHCPDISCOVER

DHCPOFFER

DHCPREQUEST

DHCPACK
5. When a client sends a DHCPDISCOVER message, how is the message sent?

It is broadcast on the local network.

It is sent as a unicast directly to the DHCP server.

It is multicast to multiple DHCP servers if they are available.

It is sent directly to the closest router.

1. Which message does an IPv4 host use to reply when it receives a DHCPOFFER message from a
DHCP server?

DHCPDISCOVER

DHCPREQUEST

DHCPACK

DHCPOFFER
2. On a home network, which device is most likely to provide dynamic IP addressing to clients on the
home network?

a dedicated file server

an ISP DHCP server

a home router

a DNS server
3. Which protocol automates assignment of IP addresses on a network, and which port number does it
use? (Choose two.)

67

DNS

DHCP

53

80

SMB
4. A particular website does not appear to be responding on a Windows 7 computer. What command
could the technician use to show any cached DNS entries for this web page?

ipconfig /all

ipconfig /displaydns

arp -a

nslookup
5. What type of server would use IMAP?

Telnet

email

DHCP

FTP

DNS
6. What is a benefit of using DDNS?

DDNS has a service called ICANN Lookup used to obtain the registration record of a URL.

The DDNS provider detects a change to the client IP address and immediately updates the
mapping change.

DDNS is a more secure version of DNS and has a robust security profile.

DDNS is a starting point for identifying potentially dangerous internet locations that may have been
reached through the network.
7. What application layer protocol describes the services that are used for file sharing in Microsoft
networks?

DHCP

Telnet

DNS

SMB

SMTP
8. Which application layer protocol uses message types such as GET, PUT, and POST?

DHCP

POP3

SMTP

HTTP

DNS
9. Which protocol enables mail to be downloaded from an email server to a client and then deletes the
email from the server?

IMAP

HTTP

SMTP

POP3
10. Which website is considered secure because it encrypts the communication between the website
and visitors?

http://www.secureaccess.com:8080/

ftp://download.openproject.net/

http://www.thebanks.com/

https://www.ourblogs.info/

11. Refer to the exhibit. NAT is configured on Remote and Main. The PC is sending a request to the web
server. What IPv4 address is the source IP address in the packet between Main and the web
server?

10.130.5.76

192.0.2.1

172.16.1.10

209.165.200.245

203.0.113.5

209.165.200.226
12. Which statement best describes the operation of the File Transfer Protocol?

An FTP server uses a source port number of 21 and a randomly generated destination port number
during the establishment of control traffic with an FTP client.

An FTP server uses a source port number of 20 and a randomly generated destination port number
during the establishment of control traffic with an FTP client.

An FTP client uses a source port number of 21 and a randomly generated destination port number
during the establishment of control traffic with an FTP Server.

An FTP client uses a source port number of 20 and a randomly generated destination port number
during the establishment of data traffic with an FTP Server.
13. In NAT translation for internal hosts, what address would be used by external users to reach internal
hosts?

inside global

outside local

outside global

inside local
14. What is an example of a top-level domain?

www.cisco.com

cisco.com

.com

root.cisco.com

1. Which device must connect to another device to gain access to the network?

end devices

wireless access point

switch

router
2. Which device connects wireless clients to the network?

switch

router

wireless access point (WAP)

end device
3. Which device uses MAC addresses to determine the exit port?

switch

router

end device

wireless LAN Controller

1. For which discovery mode will an AP generate the most traffic on a WLAN?

open mode

active mode

mixed mode

passive mode
2. Which parameter is commonly used to identify a wireless network name when a home wireless AP is
being configured?

ad hoc

SSID

ESS

BESS
3. Which two protocols are considered distance vector routing protocols? (Choose two.)

RIP

OSPF

BGP

EIGRP

ISIS
4. What information does an Ethernet switch examine and use to build its address table?

source MAC address

destination MAC address

source IP address

destination IP address
5. Which OSI layer header is rewritten with new addressing information by a router when forwarding
between LAN segments?

Layer 7

Layer 3

Layer 4

Layer 2
6. At what layer of the OSI model do routers operate?

Layer 4

Layer 5

Layer 2

Layer 3
7. Which wireless parameter refers to the frequency bands used to transmit data to a wireless access
point?

security mode

SSID

scanning mode

channel settings
8. What is a role of an intermediary device on a network?

determines the path and directs data along the way to its final destination

functions as the primary source of information for end devices

runs applications that support collaboration for business

forms the interface between the human network and the underlying communication network
9. What information does an Ethernet switch examine and use to forward a frame?

destination MAC address

source IP address

source MAC address

destination IP address
10. Which device can control and manage a large number of corporate APs?

LWAP

router

WLC

switch
11. Which two roles are typically performed by a wireless router that is used in a home or small
business? (Choose two.)

Ethernet switch

repeater

RADIUS authentication server

WLAN controller

access point
12. What technology is used to prevent Layer 2 loops?

VTP

ARP

NTP

STP
13. Which sentence correctly describes the SVI inter-VLAN routing method?

The encapsulation type must be configured on the SVI.


Subinterfaces have to be created.

An SVI is needed for each VLAN.

A physical interface is needed for every VLAN that is created.


14. How are IP addressing designs affected by VLAN implementations?

Each VLAN must have a different subnet mask.

VLANs do not support VLSM.

Each VLAN must have a different network number.

VLANs do not use a broadcast address.

1. Which network design layer provides endpoints and users with a connection to the network?

Access layer

Core layer

Distribution layer

Hierarchical layer
2. Which network design layer provides connectivity between distribution layers for large LAN
environments?

Access layer

Core layer

Distribution layer

Hierarchical layer
3. Which network design groups interfaces into zones with similar functions or features?

layered

private

self-zone

ZPF
4. Which layer aggregates traffic and provides connectivity to services?

Access layer

Core layer

Distribution layer

Hierarchical layer

1. Which type of firewall filters information at Layers 3, 4, 5, and 7 of the OSI reference model?

Host-based

Hybrid

Application gateway

Packet filtering

Stateful
2. Which type of firewall is a combination of various firewall types?

Host-based

Hybrid

Next generation

Packet filtering

Proxy

Stateful

Transparent
3. Which type of firewall is part of a router firewall, permitting or denying traffic based on Layer 3 and
Layer 4 information?

Host-based

Hybrid

Next generation

Packet filtering

Proxy

Stateful

Transparent
4. Which type of firewall is a PC or server with firewall software running on it?

Host-based

Hybrid

Next generation

Packet filtering

Proxy

Stateful

Transparent
5. Which type of firewall filters IP traffic between a pair of bridged interfaces?

Host-based

Hybrid

Next generation

Packet filtering

Proxy

Stateful

Transparent

1. What allows a switch to make duplicate copies of traffic passing through it, and then send it out a
port with a network monitor attached?

AAA Server

ACL

Port Mirroring

VPN
2. What is a series of commands that control whether a device forwards or drops packets based on
information found in the packet header?

AAA Server

ACL

Port Mirroring

VPN
3. What provides statistics on packet flows passing through a networking device?

NetFlow

NTP

SNMP

Syslog Servers
4. What is a private network that is created over a public network?

AAA Server

ACL

Port Mirroring

VPN
5. What sets the date and time on network devices?

NetFlow

NTP

SNMP

Syslog Servers
6. What gathers a variety of statistics for devices that are configured to send and log status messages?

NetFlow

NTP

SNMP

Syslog
7. Which option allows administrators to monitor and manage network devices?

NetFlow

NTP

SNMP

Syslog Servers
8. What authenticates users to allow access to specific network resources and records what the user
does while connected to the resource?

AAA Server

ACL

Port Mirroring

VPN

1. What is the purpose of a personal firewall on a computer?

to filter the traffic that is moving in and out of the PC

to protect the hardware against fire hazard

to increase the speed of the Internet connection

to protect the computer from viruses and malware


2. What is the main difference between the implementation of IDS and IPS devices?

An IDS would allow malicious traffic to pass before it is addressed, whereas an IPS stops it
immediately.

An IDS uses signature-based technology to detect malicious packets, whereas an IPS uses profile-
based technology.

An IDS needs to be deployed together with a firewall device, whereas an IPS can replace a firewall.

An IDS can negatively impact the packet flow, whereas an IPS cannot.
3. Which two pieces of information should be included in a logical topology diagram of a network?
(Choose two.)

device type

connection type

interface identifier

OS/IOS version

cable type and identifier

cable specification
4. What is a characteristic of a WAN?

It spans across a campus or city to enable sharing of regional resources.

It requires a wireless access point to connect users to the network.

It is typically owned and managed by a single home or business.

It connects multiple networks that are geographically separated.


5. What network monitoring technology enables a switch to copy and forward traffic sent and received
on multiple interfaces out another interface toward a network analysis device?

network tap

SNMP

port mirroring

NetFlow
6. What is a function of a proxy firewall?

drops or forwards traffic based on packet header information

uses signatures to detect patterns in network traffic

filters IP traffic between bridged interfaces

connects to remote servers on behalf of clients


7. Which technology is used by Cisco Advanced Malware Protection (AMP) in defending and protecting
against known and emerging threats?

threat intelligence

network profiling

network admission control

website filtering and blacklisting


8. How is a source IP address used in a standard ACL?

It is the address to be used by a router to determine the best path to forward packets.

It is the criterion that is used to filter traffic.

It is used to determine the default gateway of the router that has the ACL applied.

It is the address that is unknown, so the ACL must be placed on the interface closest to the source
address.
9. Which statement describes the Cisco Cloud Web Security?

It is an advanced firewall solution to guard web servers against security threats.

It is a secure web server specifically designed for cloud computing.

It is a security appliance that provides an all-in-one solution for securing and controlling web traffic.

It is a cloud-based security service to scan traffic for malware and policy enforcement.

10. Refer to the exhibit. The network "A" contains multiple corporate servers that are accessed by hosts
from the Internet for information about the corporation. What term is used to describe the network
marked as "A"?

DMZ

untrusted network

internal network

perimeter security boundary


11. Which network service allows administrators to monitor and manage network devices?

NTP

NetFlow

syslog

SNMP
12. Which protocol provides authentication, integrity, and confidentiality services and is a type of VPN?

MD5

ESP

IPsec

AES
13. What is a feature of the TACACS+ protocol?

It utilizes UDP to provide more efficient packet transfer.

It hides passwords during transmission using PAP and sends the rest of the packet in plaintext.

It combines authentication and authorization as one process.

It encrypts the entire body of the packet for more secure communications.
14. Which layer of the hierarchical design model is a control boundary between the other layers?

network

core

distribution

access

1. Hackers have gained access to account information and can now log in to a system with the same
rights as authorized users. What type of attack is this?

compromised key

password-based

DoS

social engineering
2. In what type of attack can threat actors change the data in packets without the knowledge of the
sender or receiver?

eavesdropping

denial of service

data modification

IP address spoofing
3. Threat actors have positioned themselves between a source and destination to monitor, capture,
and control communications without the knowledge of network users. What type of attack is this?

MiTM

eavesdropping

DoS

IP address spoofing
4. A threat actor has gained access to encryption keys that will permit them to read confidential
information. What type of attack is this?

eavesdropping

man-in-the-middle

password-based

compromised key
5. In what type of attack does a threat actor attach to the network and read communications from
network users?

data modification

eavesdropping

denial of service

password-based
6. A threat actor constructs IP packets that appear to come from a valid source within the corporate
network. What type of attack is this?

eavesdropping

password-based

MiTM

IP address spoofing
7. What type of attack prevents the normal use of a computer or network by valid users?

DoS

password-based

MiTM

IP address spoofing

1. What is an example of "hacktivism"?

Criminals use the Internet to attempt to steal money from a banking company.

A country tries to steal defense secrets from another country by infiltrating government networks.

A group of environmentalists launch a denial of service attack against an oil company that is
responsible for a large oil spill.

A teenager breaks into the web server of a local newspaper and posts a picture of a favorite cartoon
character.
2. Which statement describes cybersecurity?

It is a framework for security policy development.

It is an ongoing effort to protect Internet-connected systems and the data associated with those
systems from unauthorized use or harm.

It is a standard-based model for developing firewall technologies to fight against cybercriminals.

It is the name of a comprehensive security application for end users to protect workstations from
being attacked.
3. What focus describes a characteristic of an indicator of attack (IOA)?

It focuses more on the risk management strategies after an attack and compromise of systems.

It focuses more on the mitigation after an attack and the potential compromised vulnerabilities.

It focuses more on the motivation behind an attack and the means used to compromise
vulnerabilities to gain access to assets.

It focuses more on threat avoidance after an attack and the potential cost implications.
4. What is the motivation of a white hat attacker?

fine-tuning network devices to improve their performance and efficiency

studying operating systems of various platforms to develop a new system

discovering weaknesses of networks and systems to improve the security level of these systems

taking advantage of any vulnerability for illegal personal gain


5. Which risk management plan involves discontinuing an activity that creates a risk?

risk avoidance

risk retention

risk sharing

risk reduction
6. Which type of network threat is intended to prevent authorized users from accessing resources?

reconnaissance attacks

access attacks

DoS attacks

trust exploitation
7. What security tool allows a threat actor to hack into a wireless network and detect security
vulnerabilities?

KisMac

NMap

SuperScan

Click fuzzers
8. Which statement describes the term attack surface?

It is the network interface where attacks originate.

It is the total number of attacks toward an organization within a day.

It is the group of hosts that experiences the same attack.

It is the total sum of vulnerabilities in a system that is accessible to an attacker.


9. Which risk management strategy requires careful evaluation of the costs of loss, the mitigation
strategy, and the benefits gained from the operation or activity that is at risk?

risk reduction

risk avoidance

risk transfer

risk acceptance
10. What characteristic describes script kiddies?

threat actors who steal government secrets, gather intelligence, and sabotage networks of foreign
governments, terrorist groups, and corporations

hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or
rewards

inexperienced threat actors running existing scripts, tools, and exploits, to cause harm, but typically
not for profit

hackers who rally and protest against different political and social ideals
11. What characteristic describes a gray hat hacker?

individuals who use programming skills for good, ethical, and legal purposes

individuals who design risk adoption strategies

individuals who commit cyber crimes but not for personal gain or to cause damage

unethical criminals who violate computer and network security for personal gain or for malicious
reasons
12. A company has contracted with a network security firm to help identify the vulnerabilities of the
corporate network. The firm sends a team to perform penetration tests on the company network. Why
would the team use forensic tools?

to reverse engineer binary files when writing exploits and when analyzing malware

to obtain specially designed operating systems preloaded with tools optimized for hacking

to detect installed tools within files and directories that provide threat actors remote access and
control over a computer or network

to detect any evidence of a hack or malware in a computer or network


13. A company has contracted with a network security firm to help identify the vulnerabilities of the
corporate network. The firm sends a team to perform penetration tests on the company network. Why
would the team use applications such as Nmap, SuperScan, and Angry IP Scanner?

to probe network devices, servers, and hosts for open TCP or UDP ports

to detect installed tools within files and directories that provide threat actors remote access and
control over a computer or network

to detect any evidence of a hack or malware in a computer or network

to reverse engineer binary files when writing exploits and when analyzing malware

1. What type of malware executes arbitrary code and installs copies of itself in the memory of the
infected computer? The main purpose of this malware is to automatically replicate from system to
system across the network.

trojan horse

adware

ransomware

worm
2. What type of malware typically displays annoying pop-ups to generate revenue for its author?

adware

ransomware

scareware

phishing
3. What type of malware encrypts all data on a drive and demands payment in Bitcoin cryptocurrency
to decrypt the files?

phishing

scareware

ransomware

virus
4. What type of malware attempts to convince people to divulge their personally identifiable information
(PII)?

phishing

rootkit

ransomware

trojan horse

1. What is the weakest link in network security?

reconnaissance

access

DoS

social engineering
2. What type of attack is tailgating?

reconnaissance

access

DoS

social engineering
3. What type of attack is port scanning?

reconnaissance

access

DoS

social engineering
4. What is the weakest link in network security?

routers

people

TCP/IP

1. Which is an example of social engineering?

the infection of a computer by a virus carried by a Trojan

a computer displaying unauthorized pop-ups and adware

an unidentified person claiming to be a technician collecting user information from employees

an anonymous programmer directing a DDoS attack on a data center


2. What is a significant characteristic of virus malware?

Once installed on a host system, a virus will automatically propagate itself to other systems.

A virus is triggered by an event on the host system.

Virus malware is only distributed over the Internet.

A virus can execute independently of the host system.


3. Which access attack method involves a software program that attempts to discover a system
password by the use of an electronic dictionary?

port redirection attack

IP spoofing attack

brute-force attack

buffer overflow attack

denial of service attack

packet sniffer attack


4. What is the purpose of a reconnaissance attack on a computer network?

to gather information about the target network and system

to redirect data traffic so that it can be monitored

to prevent users from accessing network resources

to steal data from the network servers


5. To which category of security attacks does man-in-the-middle belong?

reconnaissance

access

social engineering

DoS
6. What is the term used when a malicious party sends a fraudulent email disguised as being from a
legitimate, trusted source?

backdoor

Trojan

vishing

phishing
7. What is the primary goal of a DoS attack?

to obtain all addresses in the address book within the server

to facilitate access to external networks

to scan the data on the target server

to prevent the target server from being able to handle additional requests
8. What is the best description of Trojan horse malware?

It appears as useful software but hides malicious code.

It is the most easily detected form of malware.

It is software that causes annoying but not fatal computer problems.


It is malware that can only be distributed over the Internet.
9. Which tool is used to provide a list of open ports on network devices?

Tracert

Whois

Ping

Nmap

10. When describing malware, what is a difference between a virus and a worm?

A virus focuses on gaining privileged access to a device, whereas a worm does not.

A virus can be used to launch a DoS attack (but not a DDoS), but a worm can be used to launch
both DoS and DDoS attacks.

A virus can be used to deliver advertisements without user consent, whereas a worm cannot.

A virus replicates itself by attaching to another file, whereas a worm can replicate itself
independently.
11. What is the main goal of using different evasion techniques by threat actors?

to launch DDoS attacks on targets

to prevent detection by network and host defenses

to gain the trust of a corporate employee in an effort to obtain credentials


to identify vulnerabilities of target systems
12. What is the purpose of a rootkit?

to deliver advertisements without user consent

to masquerade as a legitimate program

to replicate itself independently of any other programs

to gain privileged access to a device while concealing itself


13. In what way are zombies used in security attacks?

They are infected machines that carry out a DDoS attack.

They target specific individuals to gain corporate or personal information.

They probe a group of machines for open ports to learn which services are running.

They are maliciously formed code segments used to replace legitimate applications.

1. What allows analysts to request and receive information about the operation of network devices?

NetFlow

SIEM

SNMP

Tcpdump

Wireshark
2. What application captures frames that are saved in a file that contains the frame information,
interface information, packet length, and time stamps?

NetFlow

SIEM

SNMP

Tcpdump

Wireshark
3. Which tool can be used for network and security monitoring, network planning, and traffic analysis?

NetFlow

SIEM

SNMP

Tcpdump

Wireshark
4. Which tool is used in enterprise organizations to provide real time reporting and long-term analysis
of security events?

NetFlow

SIEM

SNMP

Tcpdump

Wireshark
5. Which utility provides numerous command-line options for capturing packets?

NetFlow

SIEM

SNMP

Tcpdump

Wireshark

1. What network monitoring tool can be used to copy packets moving through one port, and send those
copies to another port for analysis?

NAC

syslog

SNMP

SPAN
2. What is the purpose of the Cisco NetFlow IOS technology?

to manage the network performance of nodes

to periodically poll nodes for network management information


to collect operational data from IP networks

to log system messages from network devices


3. Which network technology uses a passive splitting device that forwards all traffic, including Layer 1
errors, to an analysis device?

NetFlow

network tap

IDS

SNMP
4. Which network monitoring tool can provide a complete audit trail of basic information of all IP flows
on a Cisco router and forward the data to a device?

SIEM

Wireshark

SPAN

NetFlow
5. What is a monitoring tool used for capturing traffic statistics?

SNMP

NetFlow

syslog

SPAN
6. Which capability is provided by the aggregation function in SIEM?

reducing the volume of event data by consolidating duplicate event records

increasing speed of detection and reaction to security threats by examining logs from many systems
and applications

presenting correlated and aggregated event data in real-time monitoring

searching logs and event records of multiple sources for more complete forensic analysis
7. What is an essential function of SIEM?

providing reporting and analysis of security events

forwarding traffic and physical layer errors to an analysis device

providing 24x7 statistics on packets flowing through a Cisco router or multilayer switch

monitoring traffic and comparing it against the configured rules


8. Which SIEM function is associated with examining the logs and events of multiple systems to reduce
the amount of time of detecting and reacting to security events?

correlation

retention

aggregation

forensic analysis
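
The three SIEM questions above (aggregation, correlation, reducing detection time) are easier to keep apart when you see the two functions run over the same data. The block below is an added example written for this page, not code from the quiz or from any SIEM product. The log format, host names and the "3 failures then a success on another host within 60 seconds" rule are assumptions made for the demonstration; the event lines are constructed, not real logs.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events (not real logs). Assumed format:
# "<iso-timestamp> <host> <action> user=<name> src=<ip>"
RAW_EVENTS = """\
2024-05-01T08:00:01 vpn01  auth_fail user=jsmith src=203.0.113.7
2024-05-01T08:00:01 vpn01  auth_fail user=jsmith src=203.0.113.7
2024-05-01T08:00:02 vpn01  auth_fail user=jsmith src=203.0.113.7
2024-05-01T08:00:03 vpn01  auth_fail user=jsmith src=203.0.113.7
2024-05-01T08:00:04 vpn01  auth_fail user=jsmith src=203.0.113.7
2024-05-01T08:00:09 dc01   auth_ok   user=jsmith src=203.0.113.7
2024-05-01T08:01:00 dc01   auth_ok   user=asmith src=192.0.2.10
2024-05-01T08:01:30 vpn01  auth_fail user=bjones src=198.51.100.5
2024-05-01T08:01:30 vpn01  auth_fail user=bjones src=198.51.100.5
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+user=(\S+)\s+src=(\S+)$")


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    action: str
    user: str
    src: str


def parse(raw: str) -> list:
    """Normalize raw lines into Event records; unparseable lines are skipped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(*m.groups()))
    return events


def aggregate(events):
    """Aggregation: identical records (same timestamp, host, action, user and
    source) collapse into one record plus a count. Fewer records, same information."""
    counts = Counter(events)          # Counter keeps first-seen order
    return [(ev, n) for ev, n in counts.items()]


def correlate(events, fail_threshold=3, window_s=60):
    """Correlation: look at events from several systems together. Flag a
    (user, source) pair with >= fail_threshold failures on one host followed by
    a success on a different host, all within window_s seconds of the success."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev.user, ev.src)].append(ev)

    alerts = []
    for (user, src), evs in by_key.items():
        fails = [e for e in evs if e.action == "auth_fail"]
        for ok in (e for e in evs if e.action == "auth_ok"):
            t_ok = datetime.fromisoformat(ok.ts)
            recent = [
                f for f in fails
                if f.host != ok.host
                and 0 <= (t_ok - datetime.fromisoformat(f.ts)).total_seconds() <= window_s
            ]
            if len(recent) >= fail_threshold:
                alerts.append({
                    "user": user, "src": src, "failures": len(recent),
                    "fail_hosts": sorted({f.host for f in recent}),
                    "success_host": ok.host, "success_ts": ok.ts,
                })
    return alerts


if __name__ == "__main__":
    evs = parse(RAW_EVENTS)
    print(f"{len(evs)} raw events -> {len(aggregate(evs))} aggregated records")
    for a in correlate(evs):
        print("ALERT:", a)
```

Aggregation only removes exact duplicates, so it never creates or hides an alert; correlation is what turns nine harmless-looking single events from two hosts into one finding (a password-spray or brute-force on the VPN that ended in a successful domain logon from the same source).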
9. Which network monitoring capability is provided by using SPAN?
Traffic exiting and entering a switch is copied to a network monitoring device.

Network analysts are able to access network device log files and to monitor network behavior.

Real-time reporting and long-term analysis of security events are enabled.

Statistics on packets flowing through Cisco routers and multilayer switches can be captured.
10. Which network tool uses artificial intelligence to detect incidents and aid in incident analysis and
response?

Wireshark

SOAR

NetFlow

SIEM
11. Which network monitoring tool allows an administrator to capture real-time network traffic and
analyze the entire contents of packets?

nmap

SIEM

SOAR

Wireshark
12. Which technology is an open source SIEM system?

ELK

Wireshark

Splunk

StealthWatch

1. Which attack is being used when threat actors position themselves between a source and
destination to transparently monitor, capture, and control the communication?

Address Spoofing Attack

Amplification and Reflection Attacks

ICMP Attack

MiTM Attack

Session Hijacking
2. Which attack is being used when threat actors gain access to the physical network, and then use a
MiTM attack to capture and manipulate a legitimate user's traffic?

Address Spoofing Attack

Amplification and Reflection Attacks

ICMP Attack

MiTM Attack

Session Hijacking
3. Which attack is being used when threat actors initiate a simultaneous, coordinated attack from
multiple source machines?

Address Spoofing Attack

Amplification and Reflection Attacks

ICMP Attack

MiTM Attack

Session Hijacking
4. Which attack is being used when threat actors use pings to discover subnets and hosts on a
protected network, to generate flood attacks, and to alter host routing tables?

Address Spoofing Attack

Amplification and Reflection Attacks

ICMP Attack

MiTM Attack

Session Hijacking
5. Which attack is being used when a threat actor creates packets with false source IP address
information to either hide the identity of the sender, or to pose as another legitimate user?

Address Spoofing Attack

Amplification and Reflection Attacks

ICMP Attack

MiTM Attack

Session Hijacking

1. Which attack exploits the three-way handshake?

TCP reset attack

UDP flood attack

TCP SYN Flood attack

DoS attack

TCP session hijacking


2. Two hosts have established a TCP connection and are exchanging data. A threat actor sends a TCP
segment with the RST bit set to both hosts informing them to immediately stop using the TCP
connection. Which attack is this?

TCP reset attack

UDP flood attack

TCP SYN Flood attack

DoS attack

TCP session hijacking


3. Which attack is being used when the threat actor spoofs the IP address of one host, predicts the
next sequence number, and sends an ACK to the other host?

TCP reset attack


UDP flood attack

TCP SYN Flood attack

DoS attack

TCP session hijacking


4. A program sends a flood of UDP packets from a spoofed host to a server on the subnet sweeping
through all the known UDP ports looking for closed ports. This will cause the server to reply with an
ICMP port unreachable message. Which attack is this?

TCP reset attack

UDP flood attack

TCP SYN Flood attack

DoS attack

TCP session hijacking
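
The four questions above turn on which control bits are set in the TCP header and on what a half-open connection is. The block below is an added example written for this page, not code from the quiz. It packs and parses the 20-byte TCP header, follows the three-way handshake per connection, treats a RST as tearing the connection down, and counts the half-open backlog per server; the traffic it analyses is constructed (one normal handshake, one aborted by RST, and 40 spoofed SYNs), and the threshold of 20 is an arbitrary choice for the demonstration. The tracker does not validate sequence numbers, which a real sensor must do.

```python
import struct
from collections import defaultdict

# TCP control bits in the low byte of the data-offset/flags word (RFC 9293)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Minimal 20-byte TCP header (data offset 5 words). Checksum is left 0 because
    it needs the IP pseudo-header, which this example does not model."""
    offset_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(raw: bytes) -> dict:
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", raw[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (offset_flags >> 12) * 4, "flags": offset_flags & 0x1FF}


class HandshakeTracker:
    """Follows the three-way handshake per (client, server, sport, dport).
    After the client's SYN the entry is half-open (SYN_RCVD on the server side)
    until the client's final ACK arrives; a RST from either side tears it down.
    Sequence numbers are not validated here, so a real sensor needs more checks."""

    def __init__(self):
        self.state = {}

    def observe(self, src, dst, hdr):
        f = hdr["flags"]
        fwd = (src, dst, hdr["sport"], hdr["dport"])
        rev = (dst, src, hdr["dport"], hdr["sport"])
        if f & RST:
            self.state.pop(fwd, None)
            self.state.pop(rev, None)
        elif f & SYN and not f & ACK:          # client SYN: half-open from here
            self.state[fwd] = "SYN_RCVD"
        elif f & ACK and not f & SYN:          # third leg of the handshake
            if self.state.get(fwd) == "SYN_RCVD":
                self.state[fwd] = "ESTABLISHED"
        # SYN|ACK from the server changes nothing: the entry is already half-open

    def half_open_per_server(self):
        counts = defaultdict(int)
        for (_, dst, _, dport), st in self.state.items():
            if st == "SYN_RCVD":
                counts[(dst, dport)] += 1
        return dict(counts)


def detect_syn_flood(segments, threshold=20):
    """segments: iterable of (src_ip, dst_ip, raw_tcp_header). Returns servers
    whose half-open backlog meets the threshold."""
    tracker = HandshakeTracker()
    for src, dst, raw in segments:
        tracker.observe(src, dst, parse_tcp_header(raw))
    return {srv: n for srv, n in tracker.half_open_per_server().items() if n >= threshold}


def constructed_capture():
    """Constructed traffic, not a real capture: one normal handshake, one
    handshake aborted with RST, and 40 SYNs from spoofed sources that never complete."""
    server = "192.0.2.10"
    segs = [
        ("198.51.100.20", server, build_tcp_header(40000, 80, 1000, 0, SYN)),
        (server, "198.51.100.20", build_tcp_header(80, 40000, 5000, 1001, SYN | ACK)),
        ("198.51.100.20", server, build_tcp_header(40000, 80, 1001, 5001, ACK)),
        ("198.51.100.21", server, build_tcp_header(40001, 80, 2000, 0, SYN)),
        ("198.51.100.21", server, build_tcp_header(40001, 80, 2001, 0, RST)),
    ]
    for i in range(40):
        segs.append((f"203.0.113.{i + 1}", server, build_tcp_header(50000 + i, 80, 0, 0, SYN)))
    return segs


if __name__ == "__main__":
    print(detect_syn_flood(constructed_capture()))   # {('192.0.2.10', 80): 40}
```

Note the asymmetry the questions rely on: a flood of SYNs leaves the server holding state, while a single spoofed RST makes both ends discard state. That is why the SYN flood is measured as a backlog and the reset attack as a lost connection.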

1. Users in a company have complained about network performance. After investigation, the IT staff
has determined that an attacker has used a specific technique that affects the TCP three-way
handshake. What is the name of this type of network attack?

DDoS

SYN flood

session hijacking

DNS poisoning
2. Which type of attack involves the unauthorized discovery and mapping of network systems and
services?

trust exploitation

reconnaissance

DoS

access
3. In which TCP attack is the cybercriminal attempting to overwhelm a target host with half-open TCP
connections?

reset attack

SYN flood attack

port scan attack

session hijacking attack


4. What kind of ICMP message can be used by threat actors to map an internal IP network?

ICMP redirects

ICMP mask reply

ICMP router discovery

ICMP echo request


5. What is involved in an IP address spoofing attack?

A rogue DHCP server provides false IP configuration parameters to legitimate DHCP clients.

Bogus DHCPDISCOVER messages are sent to consume all the available IP addresses on a DHCP
server.

A legitimate network IP address is hijacked by a rogue node.

A rogue node replies to an ARP request with its own MAC address indicated for the target IP
address.
6. How is optional network layer information carried by IPv6 packets?

inside an options field that is part of the IPv6 packet header

inside the payload carried by the IPv6 packet

inside an extension header attached to the main IPv6 packet header

inside the Flow Label field


7. An attacker is using a laptop as a rogue access point to capture all network traffic from a targeted
user. Which type of attack is this?

buffer overflow

man in the middle

trust exploitation

port redirection
8. A disgruntled employee is using some free wireless networking tools to determine information about
the enterprise wireless networks. This person is planning on using this information to hack the
wireless network. What type of attack is this?

reconnaissance

DoS

Trojan horse

access
9. Which term describes a field in the IPv4 packet header used to detect corruption in the IPv4 header?

protocol

header checksum

source IPv4 address

TTL
10. Which field in the IPv4 header is used to prevent a packet from traversing a network endlessly?

Sequence Number

Acknowledgment Number

Differentiated Services

Time-to-Live
11. Which field in an IPv6 packet is used by the router to determine if a packet has expired and should
be dropped?

Hop Limit

No Route to Destination

Address Unreachable

TTL
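
Questions 9 through 11 ask about the header checksum and the TTL / Hop Limit fields. The block below is an added example written for this page, not code from the quiz: it builds an IPv4 header with a correct RFC 791 checksum, verifies a received header, and performs the per-hop work a router does (decrement TTL, drop at zero, recompute the checksum because the header changed). Addresses and field values are constructed for the demonstration.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: 16-bit one's complement of the one's complement
    sum of the header's 16-bit words. Over a header whose checksum field is zero
    it yields the checksum; over a header carrying a correct checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int = 6,
                      payload_len: int = 0, ident: int = 0x1234) -> bytes:
    """20-byte header, no options. Layout: ver/IHL, DSCP/ECN, total length, ID,
    flags/fragment offset, TTL, protocol, checksum, source, destination."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(hdr: bytes) -> dict:
    (ver_ihl, _dscp_ecn, total_len, ident, _flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len,
            "id": ident, "ttl": ttl, "protocol": proto, "checksum": csum,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            # verification: the sum over a correct header complements to zero
            "checksum_ok": ipv4_checksum(hdr[:ihl]) == 0}


def router_forward(hdr: bytes):
    """Per-hop processing: drop on checksum mismatch, decrement TTL, drop when
    it reaches 0 (the router would send ICMP Time Exceeded), otherwise rewrite
    the checksum because the TTL byte changed."""
    fields = parse_ipv4_header(hdr)
    if not fields["checksum_ok"]:
        return None, "dropped: header checksum mismatch"
    ttl = fields["ttl"] - 1
    if ttl <= 0:
        return None, "dropped: TTL expired (ICMP Time Exceeded)"
    new = bytearray(hdr)
    new[8] = ttl
    new[10:12] = b"\x00\x00"
    struct.pack_into("!H", new, 10, ipv4_checksum(bytes(new)))
    return bytes(new), "forwarded"


if __name__ == "__main__":
    h = build_ipv4_header("192.0.2.1", "198.51.100.7", ttl=64, payload_len=40)
    print(parse_ipv4_header(h))
    out, status = router_forward(h)
    print(status, parse_ipv4_header(out)["ttl"])
```

The checksum only covers the header, which is why it catches a corrupted TTL or address but says nothing about the payload (TCP and UDP carry their own checksums), and why every router must recompute it after decrementing the TTL. The IPv6 Hop Limit in question 11 is decremented the same way, but IPv6 has no header checksum to rewrite.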
12. A threat actor uses a program to launch an attack by sending a flood of UDP packets to a server on
the network. The program sweeps through all of the known ports trying to find closed ports. It causes
the server to reply with an ICMP port unreachable message and is similar to a DoS attack. Which
two programs could be used by the threat actor to launch the attack? (Choose two.)

Wireshark

UDP Unicorn

Smurf

Low Orbit Ion Cannon

ping
13. A threat actor wants to interrupt a normal TCP communication between two hosts by sending a
spoofed packet to both endpoints. Which TCP control bit (flag) would the threat actor set in the
spoofed packet?

SYN

FIN

RST

ACK

1. What enables a threat actor to impersonate the default gateway and receive all traffic that is sent to
hosts that are not on the local LAN segment?

DNS tunneling

cross-site scripting

ARP cache poisoning

iFrame attacks
2. What should a cybersecurity analyst look for to detect DNS tunneling?

longer than average DNS queries

incorrect MAC to IP address mappings

gratuitous ARP requests

rogue DHCP servers
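
The correct answer to question 2, "longer than average DNS queries", is worth seeing as actual detection logic. The block below is an added example written for this page, not code from the quiz. It parses a constructed DNS query log (the format, client addresses and domain names are assumptions made for the demonstration) and scores each registered domain on three signals tunnels tend to show: query names far longer than the baseline, high-entropy subdomain labels, and many unique subdomains. It goes one step beyond the quiz wording by using the median rather than the mean as the length baseline, for a reason given in the code.

```python
import math
import statistics
from collections import defaultdict

# Constructed DNS query log (not real traffic). Assumed format per line:
# "<time> <client-ip> <qname> <qtype>"
QUERY_LOG = """\
08:00:01 10.1.1.5 www.example.com A
08:00:02 10.1.1.5 mail.example.com A
08:00:02 10.1.1.9 cdn.example.net A
08:00:03 10.1.1.5 login.example.org A
08:00:04 10.1.1.7 3q4k9zx1v8n2p6m0w5e7r9t1y3u5i7o9a1s3d5f7g9h.t.evil-tunnel.example TXT
08:00:04 10.1.1.7 8h7g6f5d4s3a2p1o0i9u8y7t6r5e4w3q2z1x9c8v7b6n.t.evil-tunnel.example TXT
08:00:05 10.1.1.7 k2j3h4g5f6d7s8a9p0o1i2u3y4t5r6e7w8q9z0x1c2v3.t.evil-tunnel.example TXT
08:00:05 10.1.1.9 static.example.net A
08:00:06 10.1.1.7 m4n5b6v7c8x9z0l1k2j3h4g5f6d7s8a9q0w1e2r3t4y5.t.evil-tunnel.example TXT
08:00:07 10.1.1.5 api.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: encoded or encrypted payload stuffed into labels
    scores high, dictionary-word hostnames score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_queries(raw: str):
    rows = []
    for line in raw.splitlines():
        ts, client, qname, qtype = line.split()
        labels = qname.lower().rstrip(".").split(".")
        # Assumption for the example: the registered domain is the last two labels.
        rows.append({"ts": ts, "client": client, "qname": qname, "qtype": qtype,
                     "domain": ".".join(labels[-2:]), "sub": ".".join(labels[:-2])})
    return rows


def detect_tunneling(rows, length_factor=2.0, entropy_min=3.5, min_unique_subs=3):
    """Per registered domain, count queries that are (a) far longer than the
    window's median qname length and (b) carry a high-entropy subdomain part,
    and require several distinct subdomains (encoded data rarely repeats).
    The median, not the mean, is the baseline: a burst of 60+ byte tunnel
    queries drags the mean up and would partly hide itself behind an
    average-based rule."""
    median_len = statistics.median(len(r["qname"]) for r in rows)
    per_domain = defaultdict(lambda: {"queries": 0, "long": 0, "high_entropy": 0,
                                      "subs": set(), "qtypes": set()})
    for r in rows:
        d = per_domain[r["domain"]]
        d["queries"] += 1
        d["subs"].add(r["sub"])
        d["qtypes"].add(r["qtype"])
        if len(r["qname"]) > length_factor * median_len:
            d["long"] += 1
        if shannon_entropy(r["sub"]) >= entropy_min:
            d["high_entropy"] += 1

    suspects = {}
    for domain, d in per_domain.items():
        if d["long"] and d["high_entropy"] and len(d["subs"]) >= min_unique_subs:
            suspects[domain] = {"queries": d["queries"], "long": d["long"],
                                "high_entropy": d["high_entropy"],
                                "unique_subdomains": len(d["subs"]),
                                "qtypes": sorted(d["qtypes"])}
    return suspects


if __name__ == "__main__":
    for domain, info in detect_tunneling(parse_queries(QUERY_LOG)).items():
        print(domain, info)
```

The record type is reported rather than used as a signal: TXT and NULL are popular with tunnels because they carry the most data per response, but plenty of legitimate traffic (SPF, DKIM, ACME) is TXT as well, so it should raise a score, not decide it.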


3. A threat actor accesses a list of user email addresses by sending database commands through an
insecure login page. What type of attack is this?

cross-site scripting

client-side scripting

iFrame attack

SQL injection
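
Question 3 describes the classic case: database commands sent through a login form. The block below is an added example written for this page, not code from the quiz. It puts the insecure query (user input concatenated into the statement) beside the parameterized version and runs both against a constructed in-memory SQLite table; the table contents, the column names and the use of plaintext passwords are simplifications made for the demonstration (a real system stores password hashes).

```python
import sqlite3


def make_db():
    """Constructed in-memory users table; sample rows, not data from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "alice@example.com"),
        ("bob", "hunter2", "bob@example.com"),
        ("carol", "qwerty", "carol@example.com"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """Insecure login page: the user-controlled strings become part of the SQL
    text, so quotes in the input change the statement's structure."""
    sql = (f"SELECT email FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Hardened: the statement is fixed; values are bound separately and can
    never be parsed as SQL, whatever characters they contain."""
    sql = "SELECT email FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# A tautology payload: closes the string literal and appends OR '1'='1'.
# In the vulnerable query this becomes
#   ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
# which is true for every row, so every email address comes back.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable  :", login_vulnerable(db, PAYLOAD, PAYLOAD))
    print("parameterized:", login_parameterized(db, PAYLOAD, PAYLOAD))
```

Parameter binding is the fix; input "sanitizing" with a blocklist of quotes is not, because encodings and database-specific syntax give the attacker other ways to break out of the literal. The parameterized function still returns exactly one row for correct credentials, so nothing is lost.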
4. In what type of attack are HTTP redirect messages used to send users to malicious websites?

HTTP 302 cushioning

domain shadowing

iFrame attacks

cross-site scripting
1. Which action best describes a MAC address spoofing attack?

flooding the LAN with excessive traffic

altering the MAC address of an attacking host to match that of a legitimate host

forcing the election of a rogue root bridge

bombarding a switch with fake source MAC addresses
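
Two earlier questions (ARP cache poisoning to impersonate the default gateway, and detecting it through incorrect MAC-to-IP mappings and gratuitous ARP) plus the MAC address spoofing question just above share one detection approach: compare what ARP traffic claims against a learned baseline. The block below is an added example written for this page, not code from the quiz. The baseline tables, the ARP events (as a sensor on a SPAN port might see them) and the field order are all constructed for the demonstration.

```python
from collections import defaultdict

# Baseline learned during normal operation (constructed): ip -> mac, mac -> switch port
BASELINE_IP_MAC = {"10.0.0.1": "aa:bb:cc:00:00:01", "10.0.0.20": "aa:bb:cc:00:00:20"}
BASELINE_MAC_PORT = {"aa:bb:cc:00:00:01": "Gi0/1", "aa:bb:cc:00:00:20": "Gi0/20"}

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed ARP events, not a real capture. Field order assumed:
# (time, opcode, sender_mac, sender_ip, target_mac, target_ip, ingress_port)
ARP_EVENTS = [
    ("08:00:00", "reply", "aa:bb:cc:00:00:01", "10.0.0.1", "aa:bb:cc:00:00:20", "10.0.0.20", "Gi0/1"),
    ("08:00:01", "request", "aa:bb:cc:00:00:20", "10.0.0.20", "00:00:00:00:00:00", "10.0.0.1", "Gi0/20"),
    # attacker on Gi0/33 sends a gratuitous reply claiming the gateway's IP ...
    ("08:00:05", "reply", "de:ad:be:ef:00:33", "10.0.0.1", BROADCAST, "10.0.0.1", "Gi0/33"),
    # ... then a targeted reply to poison host .20's cache
    ("08:00:06", "reply", "de:ad:be:ef:00:33", "10.0.0.1", "aa:bb:cc:00:00:20", "10.0.0.20", "Gi0/33"),
    # later the same attacker spoofs host .20's MAC (the MAC now appears on a new port)
    ("08:00:10", "request", "aa:bb:cc:00:00:20", "10.0.0.20", "00:00:00:00:00:00", "10.0.0.1", "Gi0/33"),
]


def analyze_arp(events, baseline_ip_mac, baseline_mac_port):
    """Returns (time, kind, detail) alerts:
    ip_mac_conflict  a known IP is claimed by a MAC other than its baseline
                     (ARP cache poisoning; gratuitous replies are marked)
    mac_move         a known MAC shows up on a different switch port
                     (MAC address spoofing or a moved device)
    multiple_macs    one IP mapped to several MACs within the window"""
    alerts = []
    ip_to_macs = defaultdict(set)
    for ts, op, smac, sip, tmac, tip, port in events:
        ip_to_macs[sip].add(smac)

        # Gratuitous ARP: a host announcing its own mapping (sender IP == target IP,
        # or a reply nobody asked for sent to the broadcast address)
        gratuitous = op == "reply" and (sip == tip or tmac == BROADCAST)

        known_mac = baseline_ip_mac.get(sip)
        if known_mac and smac != known_mac:
            note = " (gratuitous ARP)" if gratuitous else ""
            alerts.append((ts, "ip_mac_conflict",
                           f"{sip} claimed by {smac}, baseline {known_mac}{note}"))

        known_port = baseline_mac_port.get(smac)
        if known_port and port != known_port:
            alerts.append((ts, "mac_move", f"{smac} seen on {port}, baseline {known_port}"))

    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            alerts.append(("window", "multiple_macs", f"{ip} -> {sorted(macs)}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze_arp(ARP_EVENTS, BASELINE_IP_MAC, BASELINE_MAC_PORT):
        print(*alert)
```

The gateway conflict is the one to page on: once host .20 believes 10.0.0.1 lives at de:ad:be:ef:00:33, every packet it sends off-subnet goes through the attacker. On the switch itself the same idea is implemented as Dynamic ARP Inspection and port security, which check the mapping against the DHCP snooping binding table instead of a hand-built baseline.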


2. What is the result of a DHCP starvation attack?

Clients receive IP address assignments from a rogue DHCP server.

The IP addresses assigned to legitimate clients are hijacked.

Legitimate clients are unable to lease IP addresses.

The attacker provides incorrect DNS and default gateway information to clients.
3. In which type of attack is falsified information used to redirect users to malicious Internet sites?

ARP cache poisoning

domain generation

DNS cache poisoning

DNS amplification and reflection


4. Which type of DNS attack involves the cybercriminal compromising a parent domain and creating
multiple subdomains to be used during the attacks?

tunneling

shadowing

amplification and reflection

cache poisoning
5. Which language is used to query a relational database?

SQL

Java

Python

C++
6. Which term is used for bulk advertising emails flooded to as many end users as possible?

adware

spam

phishing

brute force
7. Which protocol would be the target of a cushioning attack?

ARP

DHCP

DNS

HTTP
8. Which protocol is attacked when a cybercriminal provides an invalid gateway in order to create a
man-in-the-middle attack?

DNS

DHCP

ICMP

HTTP or HTTPS
9. What is an objective of a DHCP spoofing attack?

to attack a DHCP server and make it unable to provide valid IP addresses to DHCP clients

to gain illegal access to a DHCP server and modify its configuration

to intercept DHCP messages and alter the information before sending to DHCP clients

to provide false DNS server addresses to DHCP clients so that visits to a legitimate web server are
directed to a fake server
10. How do cybercriminals make use of a malicious iFrame?

The iFrame allows multiple DNS subdomains to be used.

The attacker embeds malicious content in business appropriate files.

The attacker redirects traffic to an incorrect DNS server.

The iFrame allows the browser to load a web page from another source.
11. What is a characteristic of a DNS amplification and reflection attack?
Threat actors use DNS open resolvers to increase the volume of attacks and to hide the true source
of an attack.

Threat actors use malware to randomly generate domain names to act as rendezvous points.

Threat actors hide their phishing and malware delivery sites behind a quickly-changing network of
compromised DNS hosts.

Threat actors use a DoS attack that consumes the resources of the DNS open resolvers.
12. Which two attacks target web servers through exploiting possible vulnerabilities of input functions
used by an application? (Choose two.)

port redirection

port scanning

trust exploitation

SQL injection

cross-site scripting

1. How does BYOD change the way in which businesses implement networks?

BYOD devices are more expensive than devices that are purchased by an organization.

BYOD provides flexibility in where and how users can access network resources.

BYOD users are responsible for their own network security, thus reducing the need for
organizational security policies.

BYOD requires organizations to purchase laptops rather than desktops.
2. Which device is usually the first line of defense in a layered defense-in-depth approach?

firewall

edge router

internal router

access layer switch


3. With the evolution of borderless networks, which vegetable is now used to describe a defense-in-
depth approach?

cabbage

artichoke

lettuce

onion
4. Which type of business policy establishes the rules of conduct and the responsibilities of employees
and employers?

employee

company

data

security
5. An administrator is concerned with restricting which network applications and uses are acceptable to
the organization. What security policy component does the administrator use to address these
concerns?

remote access policy

network maintenance policy

acceptable use policy

incident handling procedures policy


6. What component of a security policy explicitly defines the type of traffic allowed on a network and
what users are allowed and not allowed to do?

remote access policies

password policies

identification and authentication policies

acceptable use policies


7. What device would be used as the third line of defense in a defense-in-depth approach?

firewall

host

internal router

edge router

8. Refer to the exhibit. The security policy of an organization allows employees to connect to the office
intranet from their homes. Which type of security policy is this?

incident handling

remote access

acceptable use

network maintenance
9. What is a characteristic of a layered defense-in-depth security approach?

The layers set a baseline of acceptable use of the network.

The different layers work in isolation to create a security architecture.

The failure of one safeguard does not affect the effectiveness of the other safeguards.

The layers define a set of security objectives for a company and define the rules of behavior for
users and administrators.
10. Which is a BYOD security best practice?

disable use of MDM software on any of the BYOD devices

use one global complex password for all BYOD devices

subscribe to a device locator service with remote wipe feature

have all users install an antivirus program of their choice on the BYOD device
11. What do security compliance regulations define?

which websites users cannot access

what organizations are responsible for providing and the liability for failure to comply

which defense-in-depth mechanisms to adopt

which security appliances can be used


12. What device would be used as a second line of defense in a defense-in-depth approach?

edge router

switch

firewall

internal router
13. Which two areas must an IT security person understand in order to identify vulnerabilities on a
network? (Choose two.)

data analysis trends

number of systems on each network

network baseline data

important applications used

hardware used by applications

1. Which access control model is based on attributes of the object (resource) to be accessed, the
subject (user) accessing the resource, and environmental factors regarding how the object is to be
accessed, such as time of day?

non-discretionary access control

discretionary access control


mandatory access control

attribute-based control
2. Which access control model is based on an individual’s roles and responsibilities within the
organization?

discretionary access control

attribute-based control

non-discretionary access control

rule-based access control


3. Which access control model applies the strictest access control and is typically used in military or
mission critical applications?

role-based access control

time-based access control

mandatory access control

rule-based access control
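
The three questions above distinguish access control models by what the decision depends on: the owner's wishes (DAC), policy-assigned labels (MAC), the subject's roles (RBAC, a non-discretionary model) or arbitrary attributes including the environment (ABAC). The block below is an added example written for this page, not code from the quiz; it evaluates one request under all four models side by side. The clearance scale, role table, department rule and business-hours window are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Subject:
    name: str
    roles: set
    clearance: int        # constructed scale: 0 unclassified ... 3 top secret
    department: str


@dataclass
class Resource:
    name: str
    owner: str
    classification: int
    department: str
    acl: dict = field(default_factory=dict)   # DAC: owner-managed {subject: {ops}}


# RBAC: permissions attach to roles, users get roles (constructed role table)
ROLE_PERMS = {"analyst": {"read"}, "admin": {"read", "write"}}


def dac_allows(subj, res, op):
    """Discretionary: the owner has full control and decides who else gets what."""
    return subj.name == res.owner or op in res.acl.get(subj.name, set())


def mac_allows(subj, res, op):
    """Mandatory: labels are assigned by policy and the owner cannot relax them.
    Bell-LaPadula rules: no read up (clearance >= classification to read),
    no write down (clearance <= classification to write)."""
    if op == "read":
        return subj.clearance >= res.classification
    if op == "write":
        return subj.clearance <= res.classification
    return False


def rbac_allows(subj, res, op):
    """Role-based (non-discretionary): the decision depends only on the
    subject's roles, never on who owns the object."""
    return any(op in ROLE_PERMS.get(role, set()) for role in subj.roles)


def abac_allows(subj, res, op, now: time):
    """Attribute-based: a rule over subject, object and environment attributes.
    Constructed rule: same department, and writes only between 08:00 and 18:00."""
    if subj.department != res.department:
        return False
    if op == "write" and not (time(8, 0) <= now <= time(18, 0)):
        return False
    return True


# Constructed principals and object
ALICE = Subject("alice", {"analyst"}, clearance=2, department="soc")
BOB = Subject("bob", {"admin"}, clearance=1, department="it")
REPORT = Resource("incident-report", owner="alice", classification=2,
                  department="soc", acl={"bob": {"read"}})


def decisions(subj, op, now=time(9, 0)):
    """Evaluate one request under all four models so the differences are visible."""
    return {"DAC": dac_allows(subj, REPORT, op),
            "MAC": mac_allows(subj, REPORT, op),
            "RBAC": rbac_allows(subj, REPORT, op),
            "ABAC": abac_allows(subj, REPORT, op, now)}


if __name__ == "__main__":
    for who, op in ((ALICE, "write"), (BOB, "read"), (BOB, "write")):
        print(who.name, op, decisions(who, op))
    print("alice write at 22:00", decisions(ALICE, "write", now=time(22, 0)))
```

Two results show why MAC is called the strictest model: bob, the admin, is denied read by MAC alone because his clearance is below the label, and alice's ownership counts for nothing under MAC, RBAC or ABAC. Only ABAC can express the time-of-day condition in question 1.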

1. Which component of AAA is used to determine which resources a user can access and which
operations the user is allowed to perform?

accounting

authorization

auditing

authentication
2. What is the biggest issue with local implementation of AAA?

Local implementation cannot provide secure authentication.

Local implementation does not scale well.

Local implementation supports only TACACS+ servers.

Local implementation supports only RADIUS servers.


3. A company is experiencing overwhelming visits to a main web server. The IT department is
developing a plan to add a couple more web servers for load balancing and redundancy. Which
requirement of information security is addressed by implementing the plan?

integrity

confidentiality

availability

scalability
4. What is an example of a privilege escalation attack?

A DDoS attack is launched against a government server and causes the server to crash.

A port scanning attack finds that the FTP service is running on a server that allows anonymous
access.

A threat actor sends an email to an IT manager to request the root access.


A threat actor performs an access attack and gains the administrator password.
5. What is the principle of the least-privilege access control model?

Users are granted the strictest access control possible to data.

Users control access to data they own.

User access to data is based on object attributes.

Users are granted rights on an as-needed approach.


6. A server log includes this entry: User student accessed host server ABC using Telnet yesterday for
10 minutes. What type of log entry is this?

authentication

authorization

accessing

accounting
7. Which objective of secure communications is achieved by encrypting data?

authentication

confidentiality

availability

integrity
8. What are three access control security services? (Choose three.)

access

authentication

authorization

availability

repudiation

accounting
9. Which access control model allows users to control access to data as an owner of that data?

mandatory access control

nondiscretionary access control

attribute-based access control

discretionary access control


10. Which two protocols are used to provide server-based AAA authentication? (Choose two.)

TACACS+

RADIUS

SNMP

SSH

802.1x
11. What three items are components of the CIA triad? (Choose three.)

integrity

confidentiality

intervention

scalability

availability

access
12. Which type of access control applies the strictest access control and is commonly used in military or
mission critical applications?

Non-discretionary access control

mandatory access control (MAC)

discretionary access control (DAC)

attribute-based access control (ABAC)

1. What is the free service that is offered by the U.S. Department of Homeland Security?

AIS

CVE

FireEye Helix

Talos
2. What is a world leading threat intelligence team with a goal to help protect enterprise users, data,
and infrastructure from active adversaries?

AIS

CVE

FireEye Helix

Talos
3. Which security operations platform integrates and enhances a range of security tools and threat
intelligence?

AIS

CVE

FireEye Helix

Talos
4. What are three threat intelligence information sharing specifications? (Choose three.)

STIX

TAXII

FireEye Helix

CybOX

1. Which service is provided by the Cisco Talos Group?


collecting information about active, existing, and emerging threats

scanning updates for malware code

preventing viruses from affecting end user devices

preventing online malware from affecting end user devices


2. What does the MITRE Corporation create and maintain?

CVE

TAXII

STIX

IOC
3. What is the primary function of (ISC)²?

to maintain a list of common vulnerabilities and exposures (CVE) used by prominent security
organizations

to provide a weekly digest of news articles about computer security

to maintain a detailed list of all zero-day attacks

to provide vendor neutral education products and career services


4. Which threat intelligence sharing open standard specifies, captures, characterizes, and
communicates events and properties of network operations?

MISP

TAXII

CybOX

Talos
5. What is the Common Vulnerabilities and Exposures (CVE) used by the MITRE Corporation?

It is a database of virus signatures.

It is a database of malware signatures.

It is a dictionary of CVE Identifiers for publicly known cybersecurity vulnerabilities.

It is a list of response mechanisms to known threats.


6. Which service is offered by the U.S. Department of Homeland Security (DHS) that enables real-time
exchange of cyberthreat indicators between the U.S. Federal Government and the private sector?

AIS

FireEye

STIX

CVE
7. What is the primary function of SANS?

to foster cooperation and coordination in information sharing, incident prevention, and rapid reaction

to provide vendor neutral education products and career services

to maintain the list of common vulnerabilities and exposures (CVE)


to maintain the Internet Storm Center
8. Why do several network organizations, professionals, and intelligence agencies use shared open
standards for threat intelligence?

to ensure real-time synchronization of all antivirus signature databases

to enable the exchange of CTI in an automated, consistent, and machine readable format

to enable exchange of all response mechanisms to new threats

to update all vulnerabilities databases across all malware vendors


9. What is the primary purpose of the Forum of Incident Response and Security Teams (FIRST)?

to offer 24x7 cyberthreat warnings and advisories, vulnerability identification, and mitigation and
incident response

to provide vendor neutral education products and career services to industry professionals
worldwide

to enable a variety of computer security incident response teams to collaborate, cooperate, and
coordinate information sharing, incident prevention, and rapid reaction strategies

to provide a security news portal that aggregates the latest breaking news pertaining to alerts,
exploits, and vulnerabilities
10. What threat intelligence group provides blogs and podcasts to help network security professionals
remain effective and up-to-date?

MITRE

Talos

FireEye

CybOX
