CCNA Scor Security Concepts Questions

75 of 80 questions · Page 1/2 · Scor Security Concepts topic · Answers revealed

1
MCQmedium

A web application accepts user input and directly includes it in SQL queries without sanitization. An attacker submits a single quote (') to cause a syntax error. What is this attack called?

A.Cross-site scripting (XSS)
B.Buffer overflow
C.CSRF
D.SQL injection
AnswerD

The description matches SQL injection.

Why this answer

SQL injection occurs when user input is not sanitized and alters SQL query structure.

2
Multi-Selectmedium

A security engineer is implementing a zero trust architecture. Which TWO principles are foundational to zero trust? (Choose two.)

Select 2 answers
A.Implicit trust for internal users
B.Single perimeter defense
C.All traffic must be inspected by a firewall
D.Least privilege access
E.Never trust, always verify
AnswersD, E

Least privilege is a fundamental concept in zero trust.

Why this answer

Zero trust is based on 'never trust, always verify' and least privilege. Microsegmentation is a technique to enforce least privilege, but the core principles are never trust/always verify and least privilege.

3
MCQmedium

An attacker injects a malicious SQL query into a web application's login form, bypassing authentication. Which type of exploitation is this?

A.Cross-site request forgery (CSRF)
B.Buffer overflow
C.SQL injection
D.Cross-site scripting (XSS)
AnswerC

SQL injection manipulates database queries through user input.

Why this answer

SQL injection is an attack where malicious SQL statements are inserted into an entry field for execution.

4
Multi-Selecthard

An organization is experiencing repeated SQL injection attacks. A security analyst is tasked with recommending mitigations. Which THREE actions are most effective in preventing SQL injection? (Choose three.)

Select 3 answers
A.Use prepared statements with parameterized queries
B.Disable detailed database error messages in production
C.Use a web application firewall (WAF) to filter malicious requests
D.Implement strict input validation on all user inputs
E.Enforce strong password policies for database accounts
AnswersA, C, D

This is the most effective defense against SQL injection.

Why this answer

Prepared statements/parameterized queries prevent SQL injection by separating code from data. Input validation and stored procedures (if properly parameterized) also help. WAFs can detect and block SQLi attempts.

Disabling error messages prevents information leakage.

5
Multi-Selectmedium

An organization is experiencing a DDoS attack that floods the network with large volumes of traffic, overwhelming bandwidth. Which three types of DDoS attacks are primarily volumetric? (Choose three.)

Select 3 answers
A.UDP flood
B.DNS amplification
C.HTTP GET flood
D.ICMP flood
E.SYN flood
AnswersA, B, D

UDP floods send many UDP packets to random ports.

Why this answer

Volumetric attacks aim to consume bandwidth. UDP floods, ICMP floods, and DNS amplification are common examples.

6
MCQmedium

A security administrator is configuring a Cisco Firepower NGFW to detect and block application-layer DDoS attacks. Which type of DDoS attack is characterized by overwhelming a server with incomplete HTTP requests, causing resource exhaustion?

A.UDP Flood
B.ICMP Flood
C.Slowloris
D.SYN Flood
AnswerC

Slowloris is an application-layer attack that sends incomplete HTTP headers to tie up connections.

Why this answer

Slowloris is an application-layer DDoS attack that sends partial HTTP requests to keep connections open, exhausting server resources.

7
MCQeasy

What is the primary purpose of a digital signature?

A.Encrypt data
B.Generate random numbers
C.Verify the sender's identity and data integrity
D.Compress data
AnswerC

Correct answer. Digital signatures verify identity and integrity.

Why this answer

Digital signatures provide authentication, integrity, and non-repudiation by signing data with a private key.

8
MCQmedium

Which Cisco security product provides identity-based access control and policy enforcement for wired and wireless networks?

A.Cisco ISE
B.Cisco Stealthwatch
C.Cisco Firepower
D.Cisco ASA
AnswerA

ISE provides authentication, authorization, and accounting (AAA).

Why this answer

Cisco Identity Services Engine (ISE) is a policy platform for secure access control.

9
MCQhard

During a penetration test, an attacker sends a malicious payload to a web application that causes the server to execute arbitrary SQL commands on the backend database. Which type of attack is being performed?

A.Cross-Site Request Forgery (CSRF)
B.Buffer Overflow
C.Cross-Site Scripting (XSS)
D.SQL Injection
AnswerD

SQL injection directly targets the database layer via crafted input.

Why this answer

SQL injection occurs when user input is improperly sanitized and concatenated into SQL queries, allowing attackers to execute arbitrary SQL commands.

10
MCQmedium

Which Cisco security product is primarily used for endpoint threat detection and retrospective security?

A.Cisco ESA
B.Cisco AMP for Endpoints
C.Cisco Firepower
D.Cisco WSA
AnswerB

Correct answer. AMP for Endpoints provides endpoint threat detection.

Why this answer

Cisco AMP (Advanced Malware Protection) provides endpoint protection with retrospective analysis and threat detection.

11
MCQeasy

Which authentication factor relies on something the user is, such as a fingerprint or retina scan?

A.Knowledge
B.Possession
C.Inherence
D.Location
AnswerC

Inherence factors are biometrics, such as fingerprints or iris patterns.

Why this answer

Inherence factors are biometric characteristics unique to the user.

12
MCQmedium

An employee receives an email that appears to be from the company's IT department requesting their login credentials. This is an example of which type of attack?

A.Spear phishing
B.Phishing
C.Vishing
D.Whaling
AnswerB

Correct answer. Phishing is a social engineering attack using deceptive emails.

Why this answer

Social engineering attacks manipulate individuals into divulging confidential information. Phishing is a common form.

13
MCQmedium

A security team implements a policy where users must provide a password and a one-time code from a mobile app. Which authentication factors are being used?

A.Inherence only
B.Possession and inherence
C.Knowledge and possession
D.Knowledge and inherence
AnswerC

Password (knowledge) and mobile device (possession).

Why this answer

Something you know (password) and something you have (mobile app one-time code).

14
MCQhard

During an incident response, a forensic analyst finds that an attacker used a script to modify ARP tables, enabling them to intercept and modify traffic between two hosts. Which attack technique was used?

A.Man-in-the-middle
B.Pass-the-hash
C.Replay attack
D.DNS tunneling
AnswerA

MITM attacks intercept and potentially alter communications.

Why this answer

Man-in-the-middle (MITM) attacks, such as ARP spoofing, allow interception and modification of traffic between two parties.

15
MCQeasy

Which component of the CIA triad ensures that data is not altered by unauthorized entities during transmission?

A.Non-repudiation
B.Integrity
C.Availability
D.Confidentiality
AnswerB

Correct answer. Integrity ensures data has not been tampered with by unauthorized parties.

Why this answer

Integrity ensures that data remains accurate and unaltered during storage or transmission, preventing unauthorized modifications.

16
MCQmedium

Which type of malware is characterized by encrypting files on a victim's system and demanding payment for the decryption key?

A.RAT
B.Keylogger
C.Ransomware
D.Botnet
AnswerC

Ransomware encrypts files for ransom.

Why this answer

Ransomware encrypts data and demands ransom.

17
MCQhard

An attacker intercepts traffic between a client and a server and modifies the communication without either party knowing. Which type of attack is being performed?

A.Phishing
B.Man-in-the-middle attack
C.Replay attack
D.Denial of service
AnswerB

MITM allows interception and modification.

Why this answer

A man-in-the-middle (MITM) attack involves interception and potential modification of communications.

18
MCQeasy

A security analyst is reviewing logs and identifies numerous ICMP echo requests from an external IP address to multiple internal hosts. Which type of reconnaissance activity is this?

A.Active scanning
B.Passive OSINT
C.ARP spoofing
D.DNS cache poisoning
AnswerA

Active scanning involves sending probes (e.g., ICMP echo requests) to discover hosts and services.

Why this answer

ICMP echo requests (ping sweeps) are used in active scanning to identify live hosts.

19
MCQmedium

A company wants to protect against DNS-based attacks by filtering malicious domains and providing secure DNS resolution. Which Cisco product should be deployed?

A.Cisco AMP
B.Cisco Umbrella
C.Cisco ESA
D.Cisco WSA
AnswerB

Umbrella provides DNS-layer security and threat intelligence.

Why this answer

Cisco Umbrella is a cloud-delivered DNS security solution that blocks malicious domains and provides secure internet gateway.

20
MCQhard

A Cisco ESA administrator notices that a large number of emails with malicious attachments are being delivered to users. Which feature should be configured to inspect attachments in a sandbox environment before delivery?

A.Cisco AMP for Endpoints
B.Cisco ESA with AMP
C.Cisco Stealthwatch
D.Cisco Firepower
AnswerB

ESA can leverage AMP to sandbox attachments.

Why this answer

Cisco ESA can integrate with AMP (Advanced Malware Protection) to sandbox and analyze attachments.

21
Multi-Selecthard

A company wants to implement a Zero Trust architecture. Which THREE principles should be included? (Choose three.)

Select 3 answers
A.Least privilege access
B.Single sign-on (SSO)
C.Never trust, always verify
D.Microsegmentation
E.Defense in depth
AnswersA, C, D

Users and devices get only necessary permissions.

Why this answer

Zero Trust core principles: never trust, always verify; least privilege; microsegmentation. Defense in depth is a separate concept.

22
Multi-Selecthard

A company is implementing a Zero Trust architecture. Which THREE principles are core to the Zero Trust model? (Choose three.)

Select 3 answers
A.Trust but verify
B.Never trust, always verify
C.Least privilege access
D.Microsegmentation
E.Defense in depth
AnswersB, C, D

This is the fundamental principle of Zero Trust.

Why this answer

Zero Trust is built on the principles of never trust, always verify; least privilege; and microsegmentation to enforce granular access controls.

23
MCQmedium

An organization wants to implement a security model where no user or device is trusted by default, regardless of whether they are inside or outside the network perimeter. Which concept does this describe?

A.Defense in depth
B.Least privilege
C.Zero Trust
D.Network segmentation
AnswerC

Zero Trust enforces 'never trust, always verify'.

Why this answer

Zero Trust assumes no implicit trust and verifies every access request.

24
MCQmedium

An attacker uses a tool to scan a target network for open ports and running services. Which type of reconnaissance does this represent?

A.Active scanning
B.DNS cache poisoning
C.Social engineering
D.Passive OSINT
AnswerA

Correct answer. Active scanning sends packets to the target to identify open ports and services.

Why this answer

Active reconnaissance involves direct interaction with the target, such as port scanning, to gather information.

25
Multi-Selecthard

A company is planning to deploy a Zero Trust architecture. Which two principles are fundamental to Zero Trust?

Select 2 answers
A.Single-factor authentication
B.Perimeter-based security
C.Never trust, always verify
D.Least privilege access
E.Implicit trust for internal networks
AnswersC, D

Every access request must be authenticated and authorized.

Why this answer

Zero Trust is based on 'never trust, always verify' and least privilege access.

26
MCQmedium

Which Cisco product provides advanced malware protection for endpoints, including file analysis and retrospective security?

A.Cisco Identity Services Engine (ISE)
B.Cisco Web Security Appliance (WSA)
C.Cisco Email Security Appliance (ESA)
D.Cisco Advanced Malware Protection (AMP)
AnswerD

AMP provides endpoint protection and file analysis.

Why this answer

Cisco AMP for Endpoints provides endpoint protection with advanced malware analysis.

27
MCQmedium

What is the primary purpose of a digital signature?

A.Compress the data
B.Verify the sender's identity and ensure message integrity
C.Prevent replay attacks
D.Encrypt the message
AnswerB

Signatures authenticate the sender and detect tampering.

Why this answer

A digital signature provides authentication, integrity, and non-repudiation.

28
MCQmedium

An attacker performs a DNS cache poisoning attack on a recursive DNS server. What is the primary impact of this attack?

A.Encryption of DNS queries
B.Exposure of DNS server credentials
C.Redirection of traffic to malicious servers
D.Denial of service to the DNS server
AnswerC

The injected records redirect traffic to attacker-controlled servers.

Why this answer

DNS cache poisoning injects false DNS records, causing users to be redirected to malicious sites when they attempt to access legitimate domains.

29
MCQhard

A security administrator is evaluating symmetric encryption algorithms for a new VPN deployment. Which algorithm uses a 128-bit block size and supports key sizes of 128, 192, and 256 bits?

A.3DES
B.AES
C.RSA
D.MD5
AnswerB

Correct answer. AES meets the described parameters.

Why this answer

AES is a symmetric block cipher with a fixed block size of 128 bits and key sizes of 128, 192, or 256 bits.

30
MCQeasy

Which cryptographic algorithm is a symmetric block cipher commonly used in modern VPNs and is considered secure?

A.AES
B.ECC
C.RSA
D.3DES
AnswerA

AES is the standard symmetric cipher for secure communications.

Why this answer

AES (Advanced Encryption Standard) is a widely used symmetric block cipher with key sizes of 128, 192, or 256 bits.

31
MCQeasy

Which of the following is a characteristic of a zero trust security model?

A.Implicit trust for internal users
B.Never trust, always verify
C.Trust but verify
D.Trust based on network location
AnswerB

Correct answer. This is the core principle of zero trust.

Why this answer

Zero trust assumes no implicit trust; every request must be verified regardless of source.

32
MCQhard

An attacker sends a flood of SYN packets with spoofed IP addresses to a server, causing it to allocate resources for half-open connections until it can no longer accept legitimate traffic. This is which type of DDoS attack?

A.Protocol DDoS
B.Application layer DDoS
C.Volumetric DDoS
D.Amplification DDoS
AnswerA

SYN flood targets protocol weaknesses (TCP handshake).

Why this answer

SYN flood is a protocol-based DDoS attack that exploits the TCP handshake.

33
MCQeasy

Which of the following is an example of a passive reconnaissance technique?

A.Port scanning
B.Social engineering
C.Vulnerability scanning
D.OSINT gathering from public websites
AnswerD

OSINT uses publicly available information without direct engagement.

Why this answer

Passive reconnaissance involves gathering information without directly interacting with the target, such as through public sources.

34
MCQhard

A security engineer is evaluating Cisco solutions to detect and respond to network anomalies, including potential insider threats, by analyzing NetFlow data and behavioral patterns. Which Cisco product is best suited?

A.Cisco ISE
B.Cisco Firepower
C.Cisco Stealthwatch
D.Cisco ASA
AnswerC

Stealthwatch provides network visibility and behavioral detection using NetFlow.

Why this answer

Cisco Stealthwatch uses NetFlow and behavioral analytics to detect network threats and anomalies.

35
MCQhard

A security engineer needs to choose a hashing algorithm for storing passwords. Which of the following should be avoided due to known collision vulnerabilities?

A.RIPEMD-160
B.SHA-3
C.SHA-256
D.MD5
AnswerD

MD5 is vulnerable to collisions and should be avoided.

Why this answer

MD5 has known collision attacks and should not be used. SHA-256 and SHA-3 are secure. SHA-1 is also deprecated but not an option.

36
MCQmedium

An attacker intercepts ARP packets on a local network and associates their MAC address with the IP address of a legitimate host. This is an example of which attack?

A.ARP spoofing
B.Typosquatting
C.SSL stripping
D.DNS cache poisoning
AnswerA

ARP spoofing involves sending forged ARP replies to link an attacker's MAC to a legitimate IP.

Why this answer

ARP spoofing (ARP poisoning) allows an attacker to intercept traffic by associating their MAC with the victim's IP.

37
Multi-Selectmedium

A network engineer is tasked with securing email communications. Which TWO Cisco products are specifically designed for email security? (Choose two.)

Select 2 answers
A.Cisco Stealthwatch
B.Cisco ISE (Identity Services Engine)
C.Cisco ESA (Email Security Appliance)
D.Cisco Secure Email (Cloud)
E.Cisco WSA (Web Security Appliance)
AnswersC, D

ESA is an on-premises email security gateway.

Why this answer

Cisco Email Security Appliance (ESA) and Cisco Secure Email (formerly Cloud Email Security) are dedicated email security solutions.

38
MCQmedium

What is the primary function of a Certificate Revocation List (CRL) in a PKI?

A.List revoked certificates
B.Store private keys
C.Validate certificate signatures
D.Generate new certificates
AnswerA

Correct answer. CRL provides a list of revoked certificates.

Why this answer

CRL lists certificates that have been revoked before their expiration date, allowing relying parties to verify validity.

39
Multi-Selecteasy

Which three components are part of the CIA triad?

Select 3 answers
A.Authentication
B.Integrity
C.Confidentiality
D.Authorization
E.Availability
AnswersB, C, E

Ensures data is not tampered with.

Why this answer

The CIA triad consists of Confidentiality, Integrity, and Availability.

40
MCQmedium

An attacker intercepts communication between a client and server by spoofing ARP messages to associate the attacker's MAC address with the server's IP. This is an example of which type of attack?

A.Reconnaissance
B.Man-in-the-middle (MITM)
C.DNS cache poisoning
D.DDoS attack
AnswerB

ARP spoofing enables MITM by intercepting traffic.

Why this answer

ARP spoofing allows an attacker to intercept traffic, a classic man-in-the-middle (MITM) technique.

41
MCQhard

A security engineer is configuring a Cisco Firepower NGFW to detect and block a new malware variant that communicates with a command-and-control server using encrypted DNS queries. Which Cisco security product is best suited to provide visibility into this malicious DNS traffic?

A.Cisco Umbrella
B.Cisco ASA
C.Cisco AMP
D.Cisco Stealthwatch
AnswerA

Umbrella provides DNS-layer security to block malicious domains.

Why this answer

Cisco Umbrella is a cloud-delivered DNS security service that can block malicious domains and provide visibility into DNS queries.

42
MCQeasy

Which security model requires that all subjects and devices are untrusted by default, and access is granted only after verification, regardless of the network location?

A.Least Privilege
B.Defense in Depth
C.CIA Triad
D.Zero Trust
AnswerD

Zero Trust explicitly requires verification for every access attempt, regardless of location.

Why this answer

Zero Trust is a security model based on the principle of 'never trust, always verify', requiring continuous authentication and authorization.

43
MCQeasy

Which Cisco product provides next-generation firewall (NGFW) capabilities, including application visibility and intrusion prevention?

A.Cisco ASA
B.Cisco Firepower
C.Cisco Stealthwatch
D.Cisco ISE
AnswerB

Firepower provides NGFW, IPS, and advanced malware protection.

Why this answer

Cisco Firepower (now part of Cisco Secure Firewall) is the NGFW that includes IPS and application control.

44
MCQhard

A network administrator is configuring an ASA to enforce that traffic between two internal zones must be inspected by the firewall. Which security principle is being applied?

A.Microsegmentation
B.Least Privilege
C.Separation of Duties
D.Defense in Depth
AnswerA

Microsegmentation enforces traffic inspection between segments, aligning with zero trust.

Why this answer

Microsegmentation is a zero trust principle that divides the network into small zones and enforces granular access controls between them.

45
MCQeasy

An attacker uses Shodan to discover internet-facing ICS devices and then performs banner grabbing. This is an example of which type of attack?

A.Social engineering
B.Active reconnaissance
C.Exploitation
D.Passive OSINT
AnswerD

Shodan is a search engine for internet-connected devices; using it without direct interaction is passive OSINT.

Why this answer

Passive OSINT involves collecting publicly available information without directly interacting with the target. Banner grabbing is active scanning, but the question emphasizes the initial passive phase. However, Shodan is a passive OSINT tool.

46
Multi-Selectmedium

A network administrator wants to deploy security products that provide network-based intrusion prevention and advanced threat detection. Which TWO Cisco products are most suitable? (Choose two.)

Select 2 answers
A.Cisco Identity Services Engine (ISE)
B.Cisco Advanced Malware Protection (AMP) for Endpoints
C.Cisco Stealthwatch
D.Cisco Email Security Appliance (ESA)
E.Cisco Firepower NGFW
AnswersC, E

Stealthwatch provides network visibility and anomaly detection.

Why this answer

Cisco Firepower is an NGFW/IPS. Cisco Stealthwatch provides network detection and analysis. ISE is for identity, not IPS.

ESA is email, AMP is endpoint.

47
Multi-Selectmedium

A security analyst is investigating a potential insider threat. Which TWO indicators are most commonly associated with malicious insider activity? (Choose two.)

Select 2 answers
A.Frequent password changes as required by policy
B.Receiving a promotion to a higher security clearance
C.Using a company-approved VPN for remote access
D.Accessing files outside normal working hours without justification
E.Attempting to disable security logging on a workstation
AnswersD, E

This is a common indicator of anomalous behavior.

Why this answer

Insider threats often involve unusual access patterns (e.g., accessing sensitive data not needed for the role) and attempts to bypass security controls (e.g., disabling logging).

48
MCQmedium

Which security model mandates that access decisions should be based on context, device posture, and user identity, and never trust any entity by default?

A.Defense in depth
B.CIA triad
C.Least privilege
D.Zero Trust
AnswerD

Zero Trust is based on 'never trust, always verify' and least privilege.

Why this answer

Zero Trust architecture requires continuous verification and least privilege access, never trusting any user or device automatically.

49
MCQhard

A PKI administrator needs to check the revocation status of a certificate without causing a heavy load on the CA. Which protocol should be used?

A.EST
B.SCEP
C.CRL
D.OCSP
AnswerD

OCSP is a lightweight protocol that queries the CA for individual certificate status.

Why this answer

OCSP (Online Certificate Status Protocol) provides real-time revocation status without requiring clients to download a full CRL.

50
MCQhard

An attacker intercepts traffic between a client and server using ARP spoofing. Which type of attack is this?

A.Session hijacking
B.DNS poisoning
C.Man-in-the-middle
D.Denial of Service
AnswerC

Correct answer. ARP spoofing is a common MITM technique.

Why this answer

ARP spoofing allows an attacker to intercept traffic, enabling man-in-the-middle (MITM) attacks.

51
MCQhard

In a PKI hierarchy, which component is responsible for issuing and revoking certificates for end entities, and is directly subordinate to the root CA?

A.Intermediate CA
B.Registration Authority (RA)
C.Root CA
D.Certificate Revocation List (CRL)
AnswerA

Intermediate CAs are subordinate to the root and issue certificates to end entities or other CAs.

Why this answer

An intermediate CA (subordinate CA) is a CA that is signed by the root CA and issues certificates to end entities, forming a chain of trust.

52
Multi-Selecthard

An organization is adopting Cisco's security portfolio. Which THREE products are correctly paired with their primary function? (Choose three.)

Select 3 answers
A.Cisco Stealthwatch - Endpoint detection and response
B.Cisco Umbrella - Cloud-delivered DNS security and secure web gateway
C.Cisco Firepower - Next-generation firewall and intrusion prevention
D.Cisco ASA - Next-generation firewall with advanced malware protection
E.Cisco ISE - Identity services engine for network access control
AnswersB, C, E

Umbrella provides DNS-layer security and cloud-based protection.

Why this answer

Cisco Firepower is an NGFW/IPS, ISE provides identity and access control, and Umbrella is a DNS/cloud security solution. ASA is a stateful firewall, not NGFW; Stealthwatch is for network detection, not endpoint protection.

53
MCQmedium

A company's server is infected with malware that encrypts files and demands payment for decryption. Which type of malware is this?

A.Remote Access Trojan (RAT)
B.Botnet C2
C.Ransomware
D.Keylogger
AnswerC

Ransomware specifically encrypts files and demands payment.

Why this answer

Ransomware encrypts files and demands a ransom for the decryption key.

54
MCQeasy

Which authentication factor does a fingerprint scanner represent?

A.Knowledge factor (something you know)
B.Possession factor (something you have)
C.Location factor (somewhere you are)
D.Inherence factor (something you are)
AnswerD

Biometrics are inherence factors.

Why this answer

Inherence factors are based on biological traits like fingerprints.

55
MCQhard

An organization implements a policy where every access request must be authenticated and authorized, even if it originates from within the internal network. Network segments are isolated, and lateral movement is restricted through microsegmentation. Which security model does this align with?

A.CIA triad
B.Zero Trust
C.AAA model
D.Defense in depth
AnswerB

Zero Trust principles: never trust, always verify, least privilege, microsegmentation.

Why this answer

Zero Trust requires verification for every request regardless of network location, and uses microsegmentation to limit movement.

56
MCQmedium

An organization wants to ensure that digital certificates issued by its internal CA are validated for revocation in real-time. Which protocol should be implemented to allow clients to check certificate status without downloading a full CRL?

A.SCEP
B.EST
C.OCSP
D.CRL
AnswerC

OCSP provides real-time revocation status for individual certificates.

Why this answer

OCSP (Online Certificate Status Protocol) enables real-time checking of a certificate's revocation status by querying the CA's responder, avoiding the need to download the entire CRL.

57
MCQmedium

A company deploys a solution that uses a root certificate authority (CA) and intermediate CAs to issue certificates. What is the term for the hierarchical structure of certificates from the root CA to the end entity?

A.Certificate signing request
B.Certificate revocation list
C.Certificate chaining
AnswerC

The chain of trust from root to leaf.

Why this answer

Certificate chaining refers to the path from the root CA through intermediates to the end-entity certificate.

58
MCQhard

A security engineer is configuring a Cisco Firepower NGFW to detect a buffer overflow attack. Which attack vector is this?

A.Malware delivery
B.Exploitation
C.Reconnaissance
D.Denial of Service
AnswerB

Correct answer. Buffer overflow is a classic exploitation technique.

Why this answer

Buffer overflow is an exploitation technique where an attacker writes beyond the allocated buffer to execute arbitrary code.

59
MCQeasy

Which Cisco security product provides DNS-layer security to block malicious domains and cloud-based threats?

A.Cisco Stealthwatch
B.Cisco Umbrella
C.Cisco ISE
D.Cisco AMP
AnswerB

Correct answer. Umbrella offers DNS-layer security.

Why this answer

Cisco Umbrella is a cloud-delivered security service that provides DNS-layer filtering to block malicious destinations.

60
Multi-Selecthard

A security team is investigating a breach where the attacker gained access to a server using stolen credentials. Later, the attacker moved laterally and exfiltrated data. Which three security controls would best help detect and prevent lateral movement? (Choose three.)

Select 3 answers
A.Microsegmentation
B.Stateful firewall at perimeter
C.SSL inspection
D.Network behavioral analytics (e.g., Stealthwatch)
E.Endpoint detection and response (EDR)
AnswersA, D, E

Microsegmentation divides the network into small zones, limiting lateral movement.

Why this answer

Microsegmentation, network behavioral analytics, and endpoint detection help limit and detect lateral movement.

61
MCQmedium

A security analyst notices traffic from an internal host to an external IP address on port 4444, and the host's CPU is high. The host has been running unknown processes. Which type of malware is most likely involved?

A.Ransomware
B.Keylogger
C.Remote Access Trojan (RAT)
D.Botnet C2 client
AnswerC

A RAT provides remote control and often uses ports like 4444 for C2 communication.

Why this answer

Port 4444 is commonly associated with Blaster worm and remote access tools. A Remote Access Trojan (RAT) allows remote control and often communicates on such ports.

62
Multi-Selecthard

A security analyst detects a DDoS attack targeting the company's web server. Which three attack types are classified as application layer attacks? (Choose three.)

Select 3 answers
A.DNS query flood
B.Slowloris
C.DNS amplification
D.SYN flood
E.HTTP flood
AnswersA, B, E

Correct. DNS query flood targets the DNS application.

Why this answer

Application layer DDoS attacks target specific applications, such as HTTP floods, Slowloris, and DNS query floods.

63
MCQeasy

Which Cisco product provides DNS-layer security to block malicious domains and prevent connections to malware command-and-control servers?

A.Cisco Stealthwatch
B.Cisco Umbrella
C.Cisco Firepower
D.Cisco ASA
AnswerB

Umbrella provides DNS-layer security for threat protection.

Why this answer

Cisco Umbrella is a cloud-based DNS security solution that blocks requests to malicious destinations.

64
MCQeasy

Which encryption algorithm is classified as symmetric?

A.RSA
B.Diffie-Hellman
C.AES
D.ECDSA
AnswerC

AES is symmetric.

Why this answer

AES is a symmetric encryption algorithm, using the same key for encryption and decryption.

65
Multi-Selectmedium

A security analyst is investigating a potential ARP spoofing attack. Which two symptoms would indicate this type of attack?

Select 2 answers
A.High CPU usage on the switch
B.Duplicate IP addresses in the ARP table
C.Increased broadcast traffic
D.Intermittent connectivity to a server
E.Unusual outbound DNS queries
AnswersB, D

ARP spoofing can cause multiple MACs for one IP.

Why this answer

ARP spoofing involves sending fake ARP messages to associate the attacker's MAC with the IP of another host, causing traffic to be misdirected.

66
Multi-Selectmedium

Which three cryptographic algorithms are considered secure for use in modern systems? (Choose three.)

Select 3 answers
A.ECDSA
B.MD5
C.RSA
D.3DES
E.AES
AnswersA, C, E

Correct. ECDSA is a secure elliptic curve signature algorithm.

Why this answer

AES (symmetric), RSA (asymmetric), and ECDSA (asymmetric) are widely accepted secure algorithms.

67
MCQ · medium

A security analyst notices unusual outbound traffic from an internal host to a known malicious IP address on TCP port 4444. The host is also exhibiting high CPU usage and running an unknown process. Which type of malware is most likely present?

A. Ransomware
B. Botnet C2 client
C. Remote Access Trojan (RAT)
D. Keylogger
Answer: C

RATs commonly use ports like 4444 for C2 communication, allowing remote control and data exfiltration.

Why this answer

A RAT (Remote Access Trojan) often uses a command-and-control (C2) channel on high-numbered ports like 4444, allowing attackers to control the host remotely.

68
MCQ · easy

A security analyst is reviewing logs and sees multiple failed login attempts from a single IP address, followed by a successful login. Which type of attack does this represent?

A. SQL injection
B. Man-in-the-middle attack
C. Brute-force attack
D. Phishing
Answer: C

Multiple failed logins followed by success indicates password guessing.

Why this answer

A brute-force attack involves repeated attempts to guess credentials, often automated, until successful.

69
Multi-Select · medium

A security administrator is implementing a zero-trust architecture. Which two principles are core to the zero-trust model? (Choose two.)

Select 2 answers
A. Single perimeter defense
B. Implicit trust for internal networks
C. Never trust, always verify
D. Trust but verify
E. Least privilege access
Answers: C, E

This is a foundational principle of zero trust.

Why this answer

Zero trust is based on 'never trust, always verify' and least privilege access.

70
Multi-Select · easy

A network administrator is configuring PKI for secure communications. Which TWO components are essential for a public key infrastructure? (Choose two.)

Select 2 answers
A. Certificate Authority (CA)
B. Private key of the end user
C. Certificate revocation list (CRL) or OCSP responder
D. Hashing function
E. Symmetric encryption algorithm
Answers: A, C

CA is the trusted entity that issues digital certificates.

Why this answer

PKI relies on a Certificate Authority (CA) to issue certificates and a CRL or OCSP to check revocation. Private keys are part of the key pair, but the PKI components are CA and revocation mechanism.

71
Multi-Select · medium

An organization is implementing a zero trust architecture. Which two principles are foundational to this model? (Choose two.)

Select 2 answers
A. Single factor authentication
B. Never trust, always verify
C. Implicit trust for internal networks
D. Trust but verify
E. Least privilege access
Answers: B, E

Correct. This is a core tenet of zero trust.

Why this answer

Zero trust is built on 'never trust, always verify' and 'least privilege' to minimize access.

72
Multi-Select · medium

A security analyst observes a sustained increase in traffic from many different IP addresses to a single web application, causing CPU spikes. The traffic consists of legitimate-looking HTTP GET requests for the same resource. Which TWO types of attack could this be? (Choose two.)

Select 2 answers
A. Volumetric DDoS
B. DNS amplification attack
C. Distributed denial-of-service (DDoS) attack
D. Man-in-the-middle attack
E. Application layer DDoS (Layer 7) attack
Answers: C, E

Multiple sources indicate a distributed attack.

Why this answer

Application layer DDoS (Layer 7) uses legitimate-looking requests. A DDoS attack involves many sources. Volumetric DDoS is about bandwidth, not CPU.

DNS amplification uses UDP reflection.

73
MCQ · medium

An organization implements multi-factor authentication requiring a password and a fingerprint scan. Which two authentication factors are being used?

A. Knowledge and possession
B. Knowledge and inherence
C. Inherence and location
D. Possession and inherence
Answer: B

Correct answer. Password (knowledge) and fingerprint (inherence).

Why this answer

A password is a knowledge factor; a fingerprint is an inherence (biometric) factor.

74
MCQ · easy

Which Cisco security product is primarily designed to provide DNS-layer security by blocking requests to malicious domains?

A. AMP for Endpoints
B. Firepower NGFW
C. Stealthwatch
D. Cisco Umbrella
Answer: D

Umbrella provides DNS-layer security as a key feature.

Why this answer

Cisco Umbrella is a cloud-based security solution that provides DNS-layer protection to block malicious domains before a connection is established.

75
MCQ · medium

An attacker uses ARP spoofing to intercept traffic between two devices on the same subnet. After successfully becoming a man-in-the-middle, the attacker can then perform which further attack to downgrade HTTPS connections to HTTP?

A. SSL stripping
B. Session hijacking
C. DNS cache poisoning
D. Typosquatting
Answer: A

SSL stripping downgrades secure connections to plaintext.

Why this answer

SSL stripping is a MITM attack that downgrades HTTPS connections to HTTP by intercepting the initial HTTPS request and maintaining a plaintext connection with the client.
