Cisco CyberOps Associate 200-201 (200-201) — Questions 751825

985 questions total · 14pages · All types, answers revealed

Page 10

Page 11 of 14

Page 12
751
MCQhard

An analyst notices a Zeek (Bro) connection log showing a single HTTP request from internal IP 192.168.1.10 to external IP 203.0.113.5 with a URI of '/files/secret.docx' and a response code of 200. The file size is unusually large (50 MB). What should the analyst suspect?

A.Phishing attempt
B.Malware download
C.Normal business activity
D.Data exfiltration
AnswerD

An internal host sending a large file over HTTP to an external IP is a classic indicator of data theft.

Why this answer

A large file download over HTTP from an internal host to an external IP, especially with a filename like 'secret.docx', suggests data exfiltration. The single request and response code 200 indicate successful transfer.

752
Multi-Selecteasy

A security analyst is identifying potential vulnerabilities in the network. Which TWO of the following are examples of passive reconnaissance?

Select 2 answers
A.Vulnerability scan
B.Google search for company information
C.WHOIS lookup
D.Ping sweep
E.Port scanning
AnswersB, C

Google search uses public data without interacting with the target network.

Why this answer

Passive reconnaissance involves gathering information without directly interacting with the target systems. A Google search for company information (Option B) collects publicly available data from search engine caches and indexed pages, which does not send any packets to the target's network. A WHOIS lookup (Option C) queries public registration databases for domain ownership and contact details, again without touching the target's infrastructure.

Both methods rely on third-party sources and leave no trace on the target's systems.

Exam trap

Cisco often tests the distinction between passive and active reconnaissance by including 'vulnerability scan' as a distractor, because candidates may mistakenly think it is passive since it can be run with minimal privileges, but it always involves direct interaction with the target.

753
MCQmedium

A security analyst is reviewing logs from a Cisco Firepower Management Center and notices that many legitimate SSL connections are being blocked by the intrusion policy. Which configuration change should the analyst make to reduce false positives without compromising security?

A.Increase the severity threshold for SSL-related rules.
B.Add the affected servers to a network analysis policy exception.
C.Change the intrusion policy to "Connectivity Over Security".
D.Disable SSL inspection globally.
AnswerB

This allows specific traffic to bypass inspection while keeping security for others.

Why this answer

Adding the affected servers to a network analysis policy (NAP) exception allows the Firepower system to bypass intrusion inspection for traffic to and from those specific hosts while still performing SSL decryption and other security checks. This reduces false positives from legitimate SSL connections without completely disabling SSL inspection or weakening the overall security posture.

Exam trap

Cisco often tests the distinction between modifying intrusion policy rules versus using network analysis policy exceptions, tempting candidates to choose a global or severity-based change instead of the targeted exception that preserves security for other traffic.

How to eliminate wrong answers

Option A is wrong because increasing the severity threshold for SSL-related rules would suppress alerts based on severity, not address the root cause of false positives from legitimate traffic; it could also cause real threats to be missed. Option C is wrong because changing the intrusion policy to 'Connectivity Over Security' disables most intrusion prevention features, severely compromising security rather than selectively reducing false positives. Option D is wrong because disabling SSL inspection globally would prevent the system from decrypting and inspecting any SSL traffic, leaving the network blind to threats hidden in encrypted connections.

754
MCQeasy

A security analyst notices that a workstation is generating multiple DNS queries to a known malicious domain. Which host-based analysis technique would be most effective in confirming the infection?

A.Review the Windows Firewall logs to see blocked connections
B.Check the scheduled tasks for suspicious entries
C.Use Process Explorer to examine the process responsible for the DNS queries
D.Analyze the Windows Event Log for Event ID 5156
AnswerC

Process Explorer can show network activity per process, directly linking the DNS queries to a specific executable.

Why this answer

Process Explorer is a host-based analysis tool that provides detailed information about running processes, including their network connections and DNS queries. By examining the process responsible for the DNS queries to the known malicious domain, the analyst can directly identify the infected executable or script, confirming the infection at the process level.

Exam trap

Cisco often tests the distinction between host-based analysis tools (like Process Explorer) and log-based analysis (like firewall or event logs), trapping candidates who choose a log-based option when a process-level tool is needed to confirm the infection source.

How to eliminate wrong answers

Option A is wrong because Windows Firewall logs only show blocked connections, but the DNS queries are likely succeeding (generating traffic), so blocked connections would not capture the malicious activity. Option B is wrong because scheduled tasks are a persistence mechanism, not the immediate source of active DNS queries; the infection may not rely on scheduled tasks. Option D is wrong because Event ID 5156 logs successful outbound connections, but it does not link the connection to a specific process or DNS query, making it less effective for pinpointing the responsible process.

755
Multi-Selectmedium

An analyst is examining a suspicious executable file. The file has a .pdf extension but the magic bytes are 'MZ'. Which THREE indicators suggest the file is malicious?

Select 3 answers
A.The file imports functions like URLDownloadToFile
B.The file has a valid Authenticode signature
C.The file extension does not match the magic bytes
D.The file has a low entropy value (e.g., 2.5)
E.The file has a high entropy value (e.g., 7.8)
AnswersA, C, E

Correct. Network-related imports are common in malware.

Why this answer

Magic bytes MZ indicate PE, high entropy suggests packing, suspicious imports (e.g., URLDownloadToFile) are common in malware.

756
MCQeasy

An analyst needs to determine if a host is infected with malware that is attempting to contact a known malicious domain. Which log source is most appropriate for this analysis?

A.Syslog from the host
B.NetFlow records
C.DNS server logs
D.Data loss prevention (DLP) logs
AnswerC

DNS logs record all domain name queries, allowing detection of malicious domain lookups.

Why this answer

DNS server logs are the most appropriate source because they record all DNS queries made by hosts on the network. If a host is attempting to contact a known malicious domain, the DNS query for that domain will appear in the logs, allowing the analyst to identify the infected host by its source IP address and the timestamp of the query.

Exam trap

Cisco often tests the distinction between network-level logs that contain domain names (DNS logs) versus those that only contain IP addresses (NetFlow), leading candidates to mistakenly choose NetFlow because they think it captures all network activity.

How to eliminate wrong answers

Option A is wrong because syslog from the host may not capture outbound DNS queries at the network level and can be tampered with by malware if the host is compromised. Option B is wrong because NetFlow records show IP-level traffic metadata but do not include the domain name being resolved; they only show the destination IP, which may belong to a CDN or shared hosting and not directly reveal the malicious domain. Option D is wrong because DLP logs focus on detecting and preventing the exfiltration of sensitive data, not on monitoring DNS resolution attempts to known malicious domains.

757
MCQhard

An IPS sensor is configured inline and drops traffic that triggers the signature 'OVERFLOW-ICMP-ECHO', which triggers on ICMP packets with size > 1024 bytes. A network administrator reports that legitimate network monitoring tools using large ICMP packets are being blocked. What is the best course of action?

A.Increase the threshold to 2048
B.Create a whitelist for the monitoring tool's source IP
C.Disable the signature entirely
D.Change the sensor mode to IDS for that signature
AnswerB

A whitelist permits specific IPs to bypass the signature while keeping detection for others.

Why this answer

Option B is correct because creating a whitelist for the monitoring tool's source IP allows the IPS to continue dropping malicious oversized ICMP packets while permitting legitimate traffic from known, trusted sources. This maintains security for the rest of the network without disabling the signature or changing its mode, which would reduce protection.

Exam trap

Cisco often tests the misconception that you should adjust the signature threshold (option A) to fix false positives, but the correct approach is to use a whitelist or exception rule to allow known legitimate traffic without weakening the overall security posture.

How to eliminate wrong answers

Option A is wrong because simply increasing the threshold to 2048 would still block legitimate monitoring tools that send packets between 1025 and 2048 bytes, and it does not address the root cause of false positives. Option C is wrong because disabling the signature entirely removes protection against real overflow attacks using oversized ICMP packets, leaving the network vulnerable. Option D is wrong because changing the sensor mode to IDS for that signature would only alert on the traffic rather than dropping it, but the administrator's issue is that legitimate traffic is being blocked; switching to IDS would stop the blocking but also fail to block malicious oversized ICMP packets, which defeats the purpose of an inline IPS.

758
MCQhard

An organization uses a qualitative risk assessment to evaluate a new vendor. Which characteristic is typical of qualitative risk assessments?

A.Calculates annual loss expectancy (ALE)
B.Assigns numeric probabilities and impact
C.Uses monetary values to estimate loss
D.Ranks risks using scales such as high, medium, low
AnswerD

Qualitative assessments use descriptive scales.

Why this answer

Qualitative assessments use subjective ratings like high, medium, low.

759
MCQeasy

Which element of the CIA triad ensures that data cannot be modified by unauthorized parties?

A.Non-repudiation
B.Confidentiality
C.Integrity
D.Availability
AnswerC

Integrity ensures data remains unaltered by unauthorized actors.

Why this answer

Integrity ensures that data is not altered by unauthorized individuals or processes.

760
MCQhard

Refer to the exhibit. An analyst sees repeated denied TCP connections from the same source to the same destination web server. Which of the following actions should the analyst take first?

A.Increase the logging level to get more details.
B.Create a permit rule for the source IP to allow legitimate traffic.
C.Investigate the source IP for malicious activity.
D.Block the source IP globally.
AnswerC

Investigation helps determine intent and whether the source is a threat.

Why this answer

Repeated denied TCP connections from the same source to the same destination web server are a classic indicator of a potential reconnaissance or attack pattern, such as a port scan or brute-force attempt. The first priority in security monitoring is to investigate the source IP for malicious activity (Option C) to determine intent and scope before taking any irreversible action. This aligns with the incident response process of identification and analysis before containment or eradication.

Exam trap

Cisco often tests the candidate's understanding of the incident response order of operations, where the trap is to jump to a containment action (like blocking or permitting) without first performing analysis and validation of the threat.

How to eliminate wrong answers

Option A is wrong because increasing the logging level may provide more detail but does not address the immediate need to determine if the source IP is malicious; it delays the investigative step and could overwhelm the analyst with noise. Option B is wrong because creating a permit rule for the source IP would allow all traffic from that IP, which could enable an attacker to bypass security controls if the source is indeed malicious; this action should only be taken after confirming the source is legitimate. Option D is wrong because blocking the source IP globally is a premature containment action that could disrupt legitimate business operations if the source is a false positive; it should only be performed after investigation confirms malicious intent.

761
MCQeasy

A security policy mandates that all employees complete annual security awareness training. Which of the following metrics best demonstrates the effectiveness of this training?

A.Results of a post-training quiz
B.Percentage of employees who completed the training
C.Number of help desk tickets related to phishing
D.Decrease in security incidents attributed to user error
AnswerD

A decline in user-caused incidents is a direct indicator that training is modifying behavior.

Why this answer

Option D is correct because a decrease in security incidents attributed to user error directly measures the behavioral outcome of the training. Effective security awareness training should reduce the frequency of incidents caused by human mistakes, such as clicking malicious links or mishandling data. This metric reflects the ultimate goal of the training, not just participation or short-term knowledge retention.

Exam trap

Cisco often tests the distinction between 'compliance metrics' (e.g., completion rates) and 'effectiveness metrics' (e.g., incident reduction), trapping candidates who confuse activity with outcome.

How to eliminate wrong answers

Option A is wrong because a post-training quiz only measures immediate recall, not long-term behavioral change or real-world application; employees can pass a quiz but still make errors in practice. Option B is wrong because completion percentage only tracks attendance, not whether the training was effective; it ignores the quality of learning and subsequent behavior. Option C is wrong because the number of help desk tickets related to phishing may decrease due to improved reporting or filtering, not necessarily due to training; it is an indirect metric that can be influenced by other factors like better spam filters.

762
MCQmedium

Refer to the exhibit. A security analyst sees this syslog message from the ASA. Which statement best describes what is occurring?

A.An inside host is initiating a connection to a web server
B.Traffic is being denied by the access list
C.An external host is connecting to an internal host
D.The connection is being torn down
AnswerC

The log shows the connection from outside to inside.

Why this answer

The syslog message shows a built connection from an external IP address (10.10.10.10) to an internal host (192.168.1.100) on port 80. The ASA logs 'built inbound TCP connection' when a new TCP session is established from a lower-security interface (outside) to a higher-security interface (inside), which requires an ACL or NAT rule to permit. This indicates an external host is connecting to an internal host, not an inside host initiating outbound traffic.

Exam trap

Cisco often tests the distinction between 'built' (connection established) and 'denied' (traffic blocked) syslog messages, and candidates may confuse the direction of traffic by misreading the source/destination IPs or assuming all external IPs are attackers.

How to eliminate wrong answers

Option A is wrong because the source IP (10.10.10.10) is external and the destination (192.168.1.100) is internal, meaning the connection is inbound, not initiated by an inside host. Option B is wrong because the message explicitly states 'built inbound TCP connection,' which indicates the traffic was permitted and the connection was established, not denied by an access list. Option D is wrong because the message says 'built,' not 'teardown'; a teardown message would appear when the connection is closed or times out.

763
MCQmedium

A company implements a policy requiring all employees to use a hardware token for remote access. This is an example of which type of security control?

A.Compensating
B.Deterrent
C.Preventive
D.Detective
AnswerC

Preventive controls block unauthorized access, as the token does.

Why this answer

A hardware token for remote access implements multifactor authentication (something you have), which directly prevents unauthorized access by requiring a physical device in addition to credentials. This is a preventive control because it stops the threat before it can occur, aligning with the NIST definition of preventive controls that block or mitigate attacks.

Exam trap

Cisco often tests the distinction between preventive and deterrent controls by using a technology that physically blocks access (like a token or firewall) and expecting candidates to recognize that 'deterrent' applies only to psychological discouragement, not technical enforcement.

How to eliminate wrong answers

Option A is wrong because compensating controls are alternative measures that provide equivalent protection when a primary control cannot be used (e.g., using software tokens instead of hardware tokens due to cost), not the primary control itself. Option B is wrong because deterrent controls discourage malicious behavior through fear of consequences (e.g., warning banners or surveillance signs), but a hardware token does not deter; it physically prevents access. Option D is wrong because detective controls identify and log incidents after they occur (e.g., intrusion detection systems or audit logs), whereas a hardware token actively blocks unauthorized access in real time.

764
MCQmedium

A security team implements a network-based IPS. During testing, they find that legitimate traffic is frequently blocked. Which tuning approach should they prioritize?

A.Change the IPS to fail-open mode.
B.Increase the number of IPS sensors.
C.Disable or modify signatures causing false positives.
D.Reduce the IPS sensitivity level to lower.
AnswerC

Directly addresses the root cause of legitimate traffic being blocked.

Why this answer

Option C is correct because false positives occur when IPS signatures incorrectly match legitimate traffic. The most direct and effective tuning approach is to disable or modify the specific signatures causing the false positives, which reduces unnecessary blocking without compromising overall security posture.

Exam trap

Cisco often tests the distinction between tuning signatures (which addresses false positives directly) versus changing operational modes or sensitivity levels, which are broader, less precise adjustments that can introduce new risks.

How to eliminate wrong answers

Option A is wrong because changing the IPS to fail-open mode would cause the device to pass all traffic if it fails, but this does not address the root cause of false positives; it merely bypasses the IPS functionality, potentially allowing attacks through. Option B is wrong because increasing the number of IPS sensors does not resolve signature misclassification; it would only distribute the same false-positive traffic across more sensors, amplifying the problem. Option D is wrong because reducing the IPS sensitivity level to lower may decrease false positives but also increases the risk of missing real threats (false negatives), as sensitivity controls the threshold for alerting, not the specific signature logic.

765
Multi-Selecteasy

Which TWO of the following are symmetric encryption algorithms? (Choose two.)

Select 2 answers
A.AES
B.RSA
C.Diffie-Hellman
D.ECC
E.3DES
AnswersA, E

AES is a symmetric block cipher.

Why this answer

AES (Advanced Encryption Standard) is a symmetric encryption algorithm, meaning it uses the same key for both encryption and decryption. It is widely adopted due to its strong security and efficiency, with key sizes of 128, 192, or 256 bits. 3DES (Triple Data Encryption Standard) is also symmetric, applying the DES cipher three times to each data block, effectively increasing key length and security over single DES.

Exam trap

Cisco often tests the distinction between symmetric encryption, asymmetric encryption, and key exchange protocols, so candidates mistakenly select Diffie-Hellman or ECC as encryption algorithms when they are actually used for key agreement or asymmetric operations.

766
MCQeasy

Which log type would an analyst examine to view details about HTTP methods (GET, POST), response codes, and user-agent strings?

A.Web server logs
B.System logs
C.Firewall logs
D.DNS logs
AnswerA

Web server logs contain detailed HTTP transaction data.

Why this answer

Web server logs record HTTP requests and responses, including methods, URLs, response codes, and user-agent information.

767
MCQmedium

During a host-based analysis, a Windows system is found to have a suspicious service that starts automatically. Which command-line tool can be used to query the status and configuration of services, particularly to identify non-standard service names or paths?

A.sc query
B.services.msc
C.tasklist /svc
D.net start
AnswerA

sc query shows service status and configuration including binary path name.

Why this answer

sc query displays detailed service information including name, display name, and binary path.

768
MCQeasy

Which Windows registry hive is most likely to contain evidence of malware persistence via a service?

A.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
B.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
C.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
D.HKEY_LOCAL_MACHINE\SAM
AnswerB

This hive stores service configurations, including the path to the executable.

Why this answer

The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry hive stores the configuration for all Windows services, including their executable paths and startup types. Malware often installs itself as a service to achieve persistence, and evidence of this can be found by examining the ImagePath value under a suspicious service subkey. This is the correct location for service-based persistence, unlike the Run keys which handle startup programs for users.

Exam trap

Cisco often tests the distinction between Run keys (user logon persistence) and Services keys (system service persistence), and the trap here is that candidates confuse the Run keys with service persistence because both are common persistence mechanisms, but only the Services hive stores service-specific configurations.

How to eliminate wrong answers

Option A is wrong because HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is used for auto-starting programs at user logon, not for services; malware using this key persists via Run registry entries, not as a service. Option C is wrong because HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is a per-user Run key that only affects the currently logged-in user, not system-wide service persistence. Option D is wrong because HKEY_LOCAL_MACHINE\SAM stores Security Account Manager data (user and group hashes) and is not related to service configuration or persistence mechanisms.

769
MCQmedium

A security analyst discovers that a server's configuration allows users to access files outside of their intended directory. In security terminology, what is this weakness called?

A.Exploit
B.Vulnerability
C.Threat
D.Risk
AnswerB

A vulnerability is a specific weakness in a system that can be exploited.

Why this answer

A vulnerability is a weakness that can be exploited.

770
MCQmedium

Refer to the exhibit. A network analyst sees these firewall logs. What is the most likely interpretation?

A.An attacker is performing a port scan on internal hosts from the outside
B.The firewall rule OUTSIDE_IN is misconfigured and blocking all traffic
C.A malware is trying to phone home to an external C2 server
D.A user is trying to access internal web servers legitimately but is blocked by ACL
AnswerA

Repeated denies from same source to different destinations on common ports indicate a scan.

Why this answer

The firewall logs show multiple denied TCP connection attempts from a single external IP to various internal IPs on different ports (e.g., 80, 443, 22). This pattern of sequential probes across multiple destinations and ports is characteristic of a port scan, where an attacker systematically probes for open services. The rule OUTSIDE_IN is correctly logging and blocking these attempts, indicating the firewall is functioning as designed to prevent reconnaissance.

Exam trap

Cisco often tests the distinction between a port scan (multiple destinations/ports from one source) and a C2 beacon (single destination, periodic traffic), where candidates mistakenly interpret any blocked external traffic as malware callbacks.

How to eliminate wrong answers

Option B is wrong because the firewall is actively logging and blocking traffic, which shows the rule is working correctly, not misconfigured; a misconfigured rule would either allow all traffic or block all traffic without such selective logging. Option C is wrong because malware phoning home typically uses a single, consistent destination (C2 server) on a fixed port, not a broad scan across multiple internal hosts and ports. Option D is wrong because legitimate internal web server access would originate from internal IPs, not an external source, and the logs show the source is external (e.g., 203.0.113.5), not a user inside the network.

771
MCQeasy

A security monitoring tool generates an alert for a user accessing a sensitive file at an unusual hour. What is the most appropriate next step?

A.Ignore the alert since it is likely a false positive.
B.Contact the user to confirm if the access was legitimate.
C.Escalate the alert to the incident response team.
D.Block the user's account immediately.
AnswerB

Direct verification is a quick way to triage the alert.

Why this answer

Option B is correct because the alert indicates an anomaly (unusual hour), but not necessarily malicious activity. The most appropriate first step is to verify the user's intent through direct communication, as this aligns with the principle of validation before escalation. In security monitoring, contacting the user helps confirm whether the access was authorized, reducing false positives and unnecessary incident response activation.

Exam trap

Cisco often tests the distinction between triage and escalation, trapping candidates who jump to escalation or containment without first performing the basic verification step of contacting the user.

How to eliminate wrong answers

Option A is wrong because ignoring the alert outright violates the fundamental security monitoring principle of investigating anomalies; even if it is a false positive, the alert must be triaged, not dismissed without analysis. Option C is wrong because escalating directly to the incident response team bypasses the initial triage step; escalation should occur only after preliminary verification (e.g., user confirmation or log correlation) indicates a genuine security incident. Option D is wrong because immediately blocking the user's account is an overreaction that could disrupt legitimate business operations; account lockdown should be reserved for confirmed threats, not based solely on a single anomalous access time.

772
MCQhard

MedSecure is a healthcare organization with a security policy that requires all security incidents to be handled following the NIST framework. A system administrator discovers that an unauthorized user has accessed a database containing patient records. The administrator immediately disconnects the server from the network. The security analyst is called to investigate. The analyst finds that the server was not part of the centralized logging system, and the only logs available are the database audit logs. The security policy mandates preservation of evidence and chain of custody. The analyst needs to collect the database audit logs. Which action should the analyst take to ensure proper evidence collection?

A.Make a bit-for-bit copy of the audit log files using a forensic tool, hash the original and copy, and document the process
B.Export the logs to a CSV file and email them to the security team
C.Use a write-blocker to create a forensic image of the entire hard drive
D.Copy the audit logs to a USB drive and store it in a locked drawer
AnswerA

This ensures integrity, authenticity, and proper chain of custody.

Why this answer

Option C is correct because creating a forensic copy with hashing preserves integrity and chain of custody. Option A lacks chain of custody. Option B is overkill for log files.

Option D does not preserve integrity.

773
Multi-Selectmedium

A network analyst is investigating a suspected DNS tunneling attack. Which THREE of the following are indicators of DNS tunneling?

Select 3 answers
A.DNS queries for well-known domains like google.com
B.Unusually high volume of DNS queries to a single domain
C.DNS queries with long subdomain names containing encoded characters
D.Low volume of DNS queries from internal hosts
E.DNS responses with large TXT record sizes
AnswersB, C, E

High query volume can indicate data exfiltration via DNS.

Why this answer

DNS tunneling often involves high volumes of DNS queries to a single domain, large payloads in TXT records, and encoded data in subdomains to exfiltrate data.

774
Multi-Selecthard

An analyst is investigating a host that is suspected of being compromised. The host's security logs show multiple failed login attempts followed by a successful login from an unusual IP address, and then a series of outbound connections to known malicious destinations. Which TWO actions should the analyst take immediately? (Choose two.)

Select 2 answers
A.Delete the malicious files found on the host
B.Isolate the host from the network
C.Collect a forensic image of the host's hard drive
D.Reboot the host to clear any malware from memory
E.Run a full antivirus scan on the host
AnswersB, C

Isolating the host stops ongoing malicious activity and prevents lateral movement.

Why this answer

Option B is correct because isolating the host from the network immediately stops the outbound connections to known malicious destinations, preventing further data exfiltration, lateral movement, or command-and-control (C2) communication. This containment step is critical in incident response to limit the blast radius before any other investigative or remediation actions are taken.

Exam trap

Cisco often tests the misconception that immediate remediation (deleting files, running antivirus) is the priority, when in fact containment (isolation) and evidence preservation (forensic imaging) are the correct first steps in a structured incident response process.

775
MCQhard

A company operating in the EU experiences a data breach involving personal data of EU citizens. Under GDPR, what is the maximum timeframe to notify the supervisory authority?

A.96 hours
B.72 hours
C.24 hours
D.48 hours
AnswerB

GDPR Article 33 requires notification within 72 hours.

Why this answer

Under Article 33 of the GDPR, a controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it. This 72-hour window is the maximum timeframe, making option B correct for the 200-201 exam context.

Exam trap

Cisco often tests the exact GDPR notification timeframe (72 hours) versus other common breach notification periods (e.g., 48 hours for some US state laws or 24 hours for PCI DSS), so candidates must memorize the precise 72-hour requirement for EU personal data breaches.

How to eliminate wrong answers

Option A is wrong because 96 hours exceeds the GDPR-mandated 72-hour notification window, reflecting a common misconception that a longer period is allowed. Option C is wrong because 24 hours is too short; GDPR does not require notification within 24 hours, though some other regulations (e.g., certain state breach laws) may have shorter timelines. Option D is wrong because 48 hours is not the GDPR standard; while some organizations aim for internal escalation within 48 hours, the regulatory requirement is 72 hours.

776
MCQmedium

An analyst is examining a firewall log entry: '2023-10-25 14:30:00 ACTION=DENY SRC=10.0.0.5 DST=203.0.113.50 PROTO=TCP SPT=445 DPT=445'. Which statement best describes this event?

A.An internal host attempted to establish an SMB connection to an external IP and was blocked.
B.A DNS query was made from an internal host to an external server.
C.An external host attempted to access an internal SMB server on port 445 and was blocked.
D.An internal host successfully connected to an external server on port 445.
AnswerA

The source is internal (10.0.0.5), destination external (203.0.113.50), and traffic was denied. This could be an outbound SMB connection attempt.

Why this answer

The log entry shows a deny action for traffic from internal IP 10.0.0.5 to external IP 203.0.113.50 on TCP port 445, which is the default port for SMB (Server Message Block) protocol. Since the source is internal (RFC 1918 address) and the destination is external, this indicates an outbound connection attempt that was blocked by the firewall. SMB is commonly used for file sharing and is often restricted outbound to prevent data exfiltration or malware propagation.

Exam trap

Cisco often tests the ability to interpret firewall log fields (SRC, DST, ACTION, PROTO, SPT, DPT) and map them to network directionality, where candidates mistakenly reverse source/destination or confuse port numbers with unrelated protocols like DNS.

How to eliminate wrong answers

Option B is wrong because the log shows TCP port 445 (SMB), not UDP/TCP port 53 (DNS), and there is no indication of a DNS query in the fields. Option C is wrong because the source IP (10.0.0.5) is internal and the destination (203.0.113.50) is external, meaning this is an outbound attempt from an internal host, not an inbound attempt from an external host. Option D is wrong because the ACTION field is 'DENY', not 'ALLOW', so the connection was blocked, not successful.

777
MCQmedium

A Linux server is configured with auditd to monitor file access. Which audit rule will detect any attempt to read the /etc/shadow file?

A.-w /etc/shadow -p x
B.-w /etc/shadow -p a
C.-w /etc/shadow -p w
D.-w /etc/shadow -p r
AnswerD

The -p r flag monitors read access exactly.

Why this answer

Option D is correct because the `-p r` flag in an auditd rule specifies that the rule should monitor for read access attempts. The `/etc/shadow` file contains hashed passwords, and reading it is a common post-exploitation reconnaissance step. The `-w` flag watches a file, and `-p r` triggers an audit event when the file is opened for reading.

Exam trap

Cisco often tests the specific meaning of auditd permission flags (`r`, `w`, `x`, `a`) and expects candidates to know that `-p r` is for read access, not `-p x` which is for execute, a common confusion because both involve accessing a file.

How to eliminate wrong answers

Option A is wrong because `-p x` monitors for execute access, not read access; while `/etc/shadow` is not an executable, this rule would only catch attempts to execute it, which is not the typical attack vector. Option B is wrong because `-p a` monitors for attribute changes (e.g., permissions or ownership), not read operations; this would miss the actual reading of the file. Option C is wrong because `-p w` monitors for write access, which would detect modifications but not read attempts; reading is the more common reconnaissance action against `/etc/shadow`.

778
MCQmedium

Which of the following is an example of a symmetric encryption algorithm?

A.SHA-256
B.RSA
C.AES
D.ECC
AnswerC

AES is a widely used symmetric cipher.

Why this answer

Symmetric encryption uses the same key for encryption and decryption. AES and 3DES are symmetric algorithms.

779
MCQeasy

A company's security policy states that all employees must use multi-factor authentication (MFA) when accessing the corporate network remotely. Which policy is being applied?

A.Incident Response Policy
B.Remote Access Policy
C.Acceptable Use Policy
D.Access Control Policy
AnswerD

Access Control Policy defines authentication requirements like MFA.

Why this answer

MFA is an authentication control, often part of an Access Control Policy. Option B is correct. Option A (remote access policy) is a subset but the stem directly says 'accessing the corporate network.' Option C (acceptable use) is about behavior.

Option D (incident response) is about handling incidents.

780
MCQeasy

During which phase of the NIST SP 800-61 Rev 2 incident response process does an organization develop an incident response plan and assemble a team?

A.Containment, Eradication, and Recovery
B.Detection and Analysis
C.Preparation
D.Post-Incident Activity
AnswerC

Correct: Preparation includes planning, team formation, and tool setup.

Why this answer

The Preparation phase includes developing the IR plan, team, tools, and conducting exercises.

781
Multi-Selectmedium

Which TWO are common indicators of a compromised host? (Choose two.)

Select 2 answers
A.User logging in during business hours.
B.Scheduled tasks running at regular intervals.
C.Unusual spikes in outbound network traffic at odd hours.
D.Unexpected outbound connections to known malicious IPs.
E.Antivirus updates occurring daily.
AnswersC, D

May indicate data exfiltration.

Why this answer

Unusual spikes in outbound network traffic at odd hours (Option C) are a common indicator of a compromised host because they often signal data exfiltration, command-and-control (C2) beaconing, or botnet activity. Attackers frequently schedule malicious traffic during off-peak hours to evade detection, and the abnormal volume or timing relative to baseline behavior is a key anomaly in security monitoring.

Exam trap

Cisco often tests the distinction between normal administrative activity (scheduled tasks, daily updates) and true behavioral anomalies (unusual timing, unexpected destinations), so candidates must avoid confusing routine operations with compromise indicators.

782
MCQhard

A cybersecurity firm is conducting a red team exercise for a client. The red team successfully gained access to the client's internal network through a phishing email and escalated privileges to domain administrator. During the exercise, the red team uses a tool to dump password hashes from the domain controller. The client's security team detects the hash dump activity and sends an alert to the SOC. The SOC analyst reviews the alert and sees that the source IP of the hash dump is from a server that is part of the red team's scope. However, the red team is not scheduled to perform hash dumping until the next phase. The analyst also notes that the activity uses a known red team tool. Which of the following actions is most appropriate?

A.Launch a full incident response procedure assuming a real attacker.
B.Assume the red team is acting out of scope and contact the red team lead for clarification.
C.Treat the alert as a false positive because the red team is authorized.
D.Immediately block the red team's IP addresses and escalate to management.
AnswerB

Given the source IP belongs to the red team and the tool is known, it is likely a schedule mismatch; contacting the lead is the best course.

Why this answer

Option B is correct because the red team is authorized to operate within the client's environment, but the activity occurred outside the scheduled phase, creating ambiguity. The most appropriate action is to contact the red team lead for clarification to determine if the hash dump was a deviation from the plan or a sign of a real attacker. This aligns with incident response best practices, which prioritize verification before escalation, especially when authorized testing is in progress.

Exam trap

Cisco often tests the concept that authorized red team activity can still be out of scope, and the trap is assuming that any activity from an authorized IP is automatically benign, leading candidates to choose Option C instead of verifying with the red team lead.

How to eliminate wrong answers

Option A is wrong because launching a full incident response procedure without first clarifying the red team's actions could waste resources and disrupt the authorized exercise, as the activity may be a legitimate part of the test. Option C is wrong because treating the alert as a false positive solely because the red team is authorized ignores the fact that the activity is out of scope and could indicate a real compromise or a miscommunication. Option D is wrong because immediately blocking the red team's IP addresses and escalating to management is an overreaction that could disrupt the authorized test and damage the relationship with the client, without first verifying the nature of the activity.

783
MCQhard

An organization's security policy requires that all traffic between the corporate network and the internet be inspected by an IPS. However, encrypted traffic (HTTPS) cannot be inspected without breaking encryption. Which solution best meets the policy requirement?

A.Allow all HTTPS traffic without inspection
B.Implement SSL/TLS interception using a proxy with a trusted certificate
C.Rely on endpoint security only
D.Disable HTTPS for internal users
AnswerB

SSL inspection decrypts, inspects, and re-encrypts traffic, enabling IPS visibility.

Why this answer

Option B is correct because SSL/TLS interception using a proxy with a trusted certificate allows the IPS to decrypt, inspect, and re-encrypt HTTPS traffic. The proxy acts as a man-in-the-middle, presenting a certificate trusted by internal clients, so the IPS can apply security policies to the decrypted content before forwarding it to the internet.

Exam trap

Cisco often tests the misconception that encrypted traffic cannot be inspected at all, leading candidates to choose 'allow without inspection' or 'disable encryption,' rather than understanding that SSL/TLS interception with a trusted proxy is the standard enterprise solution.

How to eliminate wrong answers

Option A is wrong because allowing all HTTPS traffic without inspection violates the security policy requirement that all traffic be inspected by the IPS, leaving encrypted threats undetected. Option C is wrong because relying solely on endpoint security does not provide network-level inspection of encrypted traffic, and endpoints can be compromised or misconfigured, bypassing policy enforcement. Option D is wrong because disabling HTTPS for internal users is impractical, breaks modern web functionality, and does not meet the requirement to inspect traffic; it simply removes the encryption rather than enabling inspection.

784
MCQmedium

During a host-based investigation, an analyst finds a process named 'svchost.exe' consuming high CPU. The process path is 'C:\Windows\Temp\svchost.exe'. What should the analyst conclude?

A.It is a legitimate Windows service host process
B.It is a third-party application that requires investigation
C.It is likely malware disguised as a legitimate process
D.It is a temporary file created by Windows Update
AnswerC

Malware often uses common names in non-standard locations to evade detection.

Why this answer

The legitimate svchost.exe (Service Host) runs from C:\Windows\System32, not C:\Windows\Temp. The Temp directory is a common location for malware to masquerade as system processes to evade detection. High CPU usage combined with an anomalous path strongly indicates malicious activity, as legitimate svchost.exe instances are signed by Microsoft and reside in System32.

Exam trap

Cisco often tests the misconception that any process named 'svchost.exe' is automatically legitimate, but the trap here is that the file path is the critical differentiator—malware frequently uses the same name as a trusted system binary but runs from an unauthorized location.

How to eliminate wrong answers

Option A is wrong because the legitimate svchost.exe is located in C:\Windows\System32, not C:\Windows\Temp; any svchost.exe outside System32 is not a genuine Windows service host. Option B is wrong because while third-party applications can run from Temp, the name 'svchost.exe' is specifically chosen to impersonate a Windows system process, making it far more likely to be malware than a benign third-party app. Option D is wrong because Windows Update does not create svchost.exe in the Temp directory; it uses trusted binaries in System32 and may create temporary files with different names (e.g., .tmp) in C:\Windows\Temp.

785
MCQmedium

Refer to the exhibit. A host-based analyst reviews auth.log. What does the accepted password log entry indicate?

A.The root account was successfully compromised
B.The system prevented a brute-force attack on the admin account
C.The admin login is legitimate because it was accepted
D.The admin account was accessed by an attacker after brute-forcing root
AnswerD

The IP tried root multiple times, then succeeded with admin, likely guessing the password.

Why this answer

The log entry shows 'Accepted password for admin from 10.10.10.10 port 22 ssh2' followed by 'Failed password for root from 10.10.10.10 port 22 ssh2'. The sequence indicates that the attacker first successfully logged in as 'admin' (accepted password), then attempted to escalate privileges by brute-forcing the 'root' account. Option D correctly identifies that the admin account was accessed by an attacker who then attempted to brute-force root, as evidenced by the failed root attempts after a successful admin login.

Exam trap

Cisco often tests the trap that 'Accepted password' automatically implies a legitimate user, but in host-based analysis, the context of subsequent failed attempts reveals malicious intent, so candidates must correlate multiple log entries rather than evaluating them in isolation.

How to eliminate wrong answers

Option A is wrong because the log shows 'Failed password for root', meaning the root account was not compromised—only an attempt was made. Option B is wrong because the system did not prevent a brute-force attack on the admin account; in fact, the admin login was accepted, indicating a successful authentication, not a prevention. Option C is wrong because the admin login being 'accepted' does not automatically make it legitimate—it could be an attacker using a valid credential, and the subsequent failed root attempts suggest malicious intent.

786
MCQeasy

Refer to the exhibit. A security analyst views these log entries from a Cisco router. What conclusion can be drawn about ACL 101?

A.ACL 101 blocks HTTP traffic
B.ACL 101 applies only to inbound traffic
C.ACL 101 denies Telnet and permits HTTP
D.ACL 101 permits all traffic
AnswerC

Denied to port 23, permitted to port 80.

Why this answer

ACL 101 contains an explicit deny statement for TCP port 23 (Telnet) followed by a permit statement for TCP port 80 (HTTP). Since ACLs process rules sequentially, Telnet traffic is denied and HTTP traffic is permitted. This matches option C exactly.

Exam trap

Cisco often tests the sequential processing of ACLs and the specific protocol/port mappings (TCP 23 for Telnet, TCP 80 for HTTP) to see if candidates can correctly interpret log entries rather than just the ACL configuration.

How to eliminate wrong answers

Option A is wrong because ACL 101 permits HTTP traffic (TCP port 80), not blocks it. Option B is wrong because ACL 101 is applied to the interface with the 'ip access-group 101 in' command, which applies to inbound traffic, but the question asks about the conclusion drawn from the log entries, not the direction; the log entries themselves show both inbound and outbound matches, and the ACL's direction is not the focus. Option D is wrong because ACL 101 explicitly denies Telnet traffic, so it does not permit all traffic.

787
MCQeasy

A small retail company uses a cloud-based point-of-sale (POS) system. The IT manager receives an alert from the cloud provider that the POS application is generating an unusually high number of outbound connections to an IP address in a foreign country. The POS application is only supposed to communicate with the cloud provider's servers in the United States. The IT manager checks the POS terminal logs and finds that a new user account was created locally on the terminal with administrative privileges two days ago. The terminal does not have antivirus installed. What should the IT manager do first to contain the incident and prevent data loss?

A.Reset the password for the new user account and disable it.
B.Install antivirus software on the terminal and run a full scan.
C.Contact the cloud provider to block the outbound IP address.
D.Disconnect the POS terminal from the network immediately.
AnswerD

This is the fastest way to stop the outbound connections and prevent further data exfiltration.

Why this answer

Disconnecting the POS terminal from the network immediately halts the suspected data exfiltration and prevents further loss.

788
MCQeasy

An intrusion detection system (IDS) generates an alert for a packet containing the string '/etc/passwd'. What type of attack is likely detected?

A.Directory traversal
B.Cross-site scripting
C.Buffer overflow
D.SQL injection
AnswerA

/etc/passwd is a common target for directory traversal.

Why this answer

The string '/etc/passwd' is a classic indicator of a directory traversal attack, where an attacker attempts to access files outside the web root directory by manipulating path parameters. An IDS detecting this string in a packet payload (e.g., in a URL or HTTP request) suggests the attacker is trying to read the Unix password file, which is a common target in path traversal exploits. This attack exploits insufficient input validation to navigate the file system using '../' sequences or absolute paths.

Exam trap

Cisco often tests the distinction between attack types by using a specific string like '/etc/passwd' to mislead candidates into thinking of SQL injection or XSS, when the key is recognizing that file path references in payloads indicate directory traversal.

How to eliminate wrong answers

Option B is wrong because cross-site scripting (XSS) involves injecting malicious scripts (e.g., JavaScript) into web pages viewed by other users, not file path strings like '/etc/passwd'. Option C is wrong because a buffer overflow attack exploits memory corruption by overflowing a buffer with excessive data, not by referencing a specific file path in a request. Option D is wrong because SQL injection targets database queries by inserting SQL commands (e.g., ' OR 1=1 --) into input fields, not by requesting a file path like '/etc/passwd'.

789
Multi-Selectmedium

Which TWO of the following are indicators of a network intrusion? (Choose two.)

Select 2 answers
A.High bandwidth usage during business hours
B.A single failed login attempt from an internal user
C.Regular ICMP echo requests to external hosts
D.A sudden increase in DNS queries to unknown domains from a single host
E.Multiple outbound connections from a server to an external IP on port 445
AnswersD, E

This could indicate malware beaconing or DNS tunneling.

Why this answer

Option D is correct because a sudden spike in DNS queries to unknown domains from a single host is a classic sign of DNS tunneling or command-and-control (C2) activity. Attackers often use DNS to exfiltrate data or communicate with external servers by encoding data in DNS queries, bypassing traditional firewall rules that allow DNS traffic.

Exam trap

Cisco often tests the distinction between normal administrative traffic (like ICMP pings or a single failed login) and true indicators of compromise (like anomalous DNS queries or outbound SMB connections), trapping candidates who mistake benign activity for malicious.

790
Multi-Selecthard

Which TWO of the following are essential requirements for a security policy to be effective?

Select 2 answers
A.It should be as long and detailed as possible
B.It must be communicated to all relevant parties
C.It must be enforceable
D.It must comply with all applicable laws
E.It should be updated only when an incident occurs
AnswersB, C

Effective policies require awareness and understanding.

Why this answer

A security policy must be communicated to all relevant parties because it establishes the baseline of expected behaviors and responsibilities across the organization. Without communication, users cannot be held accountable for violations, and the policy becomes a theoretical document rather than an operational control. This aligns with the ISO 27001 requirement for awareness and training, ensuring that every stakeholder understands their role in maintaining security.

Exam trap

Cisco often tests the distinction between 'essential for effectiveness' and 'generally good practice' — candidates mistakenly select 'comply with all applicable laws' (D) because it sounds mandatory, but the exam focuses on whether the policy can be enforced and understood by the people it governs, not its legal alignment.

791
MCQhard

Refer to the exhibit. A security analyst sees this syslog message repeatedly. Which change should the analyst make to reduce the log volume while still detecting the activity?

A.Change the access-group to inbound on the outside interface
B.Add an ACL permit statement for traffic from 10.0.0.2 to 192.168.1.1
C.Implement a shun for source IP 10.0.0.2
D.Disable logging for syslog message ID 106023
AnswerC

Shun drops all packets from that IP without logging further, reducing log volume.

Why this answer

Option C is correct because implementing a shun for source IP 10.0.0.2 will block all traffic from that specific host at the Cisco ASA, preventing the repeated syslog message ID 106023 (which indicates denied traffic) from being generated. This reduces log volume while still effectively detecting and stopping the malicious activity, as the shun action drops packets before they are logged.

Exam trap

Cisco often tests the distinction between suppressing logs (which hides all future activity) and blocking the source (which stops the activity while still allowing detection of other events), leading candidates to mistakenly choose disabling logging instead of implementing a shun.

How to eliminate wrong answers

Option A is wrong because changing the access-group to inbound on the outside interface would alter the traffic filtering direction but would not reduce the log volume for the specific denied traffic from 10.0.0.2; it might even increase log entries if the ACL is misapplied. Option B is wrong because adding an ACL permit statement for traffic from 10.0.0.2 to 192.168.1.1 would allow the traffic, which defeats the purpose of detecting the activity and could introduce a security risk by permitting potentially malicious traffic. Option D is wrong because disabling logging for syslog message ID 106023 would suppress all logs for denied traffic, preventing the analyst from detecting any such activity in the future, which violates the requirement to still detect the activity.

792
MCQhard

An organization wants to ensure that a user cannot deny having sent an email. Which security goal does this address?

A.Non-repudiation
B.Availability
C.Integrity
D.Confidentiality
AnswerA

Non-repudiation prevents denial of actions.

Why this answer

Non-repudiation ensures that a party cannot deny having performed a specific action, such as sending an email. This is typically achieved through digital signatures using asymmetric cryptography (e.g., RSA or ECDSA) and public key infrastructure (PKI), where the sender's private key creates a signature that can be verified by anyone with the sender's public key. The goal is to provide irrefutable proof of origin and integrity, preventing the sender from later claiming they did not send the message.

Exam trap

Cisco often tests the distinction between integrity and non-repudiation, where candidates mistakenly choose integrity because they associate hashing with proof of origin, but integrity alone does not link the data to a specific sender.

How to eliminate wrong answers

Option B (Availability) is wrong because availability ensures that systems and data are accessible when needed, often through redundancy and fault tolerance, not by preventing denial of actions. Option C (Integrity) is wrong because integrity guarantees that data has not been altered in transit or storage, typically via hashing (e.g., SHA-256) or checksums, but does not tie an action to a specific user. Option D (Confidentiality) is wrong because confidentiality protects data from unauthorized disclosure using encryption (e.g., AES or TLS), but does not provide proof of origin or prevent repudiation.

793
MCQmedium

Refer to the exhibit. An analyst sees this syslog message from a Cisco ASA. What does this log entry indicate?

A.The access-group 'OUTSIDE_IN' permitted the traffic.
B.An internal host attempted to connect to an external web server.
C.An external host attempted to connect to an internal web server and was blocked.
D.The ASA allowed the connection because it is a stateful firewall.
AnswerC

Matches the deny action and direction.

Why this answer

The syslog message shows a deny action for traffic from an external IP (10.10.10.10) to an internal IP (192.168.1.100) on TCP port 443 (HTTPS). The access-group 'OUTSIDE_IN' is applied to the outside interface, and the deny indicates the packet was blocked by an ACL entry. This matches the scenario of an external host attempting to connect to an internal web server and being blocked.

Exam trap

Cisco often tests the ability to interpret syslog message fields (source/destination IPs and ports) to determine traffic direction and action, and the trap here is assuming that any syslog message from an ASA implies a permitted connection, when the 'deny' keyword clearly indicates a block.

How to eliminate wrong answers

Option A is wrong because the log entry explicitly shows 'deny', meaning the access-group 'OUTSIDE_IN' blocked the traffic, not permitted it. Option B is wrong because the source IP (10.10.10.10) is external (not RFC 1918), and the destination IP (192.168.1.100) is internal, indicating an inbound connection from outside to inside, not an internal host connecting outbound. Option D is wrong because while the ASA is stateful, the log entry shows a deny action, meaning the connection was not allowed; stateful inspection would only permit traffic that matches an existing session or an explicit permit ACL.

794
MCQhard

You are a SOC analyst for a financial services firm. The firm uses a combination of Cisco Firepower IPS, Windows Event Log collection, and a custom SIEM. At 10:00 AM, the SIEM generates an alert: 'Event ID 4625: Multiple failed logins for user 'jdoe' from IP 10.0.0.100'. The alert fires 10 times within 5 minutes. The source IP is a file server. You check the file server's logs and see that it is running a scheduled script that attempts to map a network drive using jdoe's credentials. The script is legitimate and has been running for months. However, the script's credentials may have expired or changed. The user jdoe is currently on leave. The file server administrator confirms that the script is part of a backup process. What is the best course of action?

A.Escalate the alert to the incident response team for investigation
B.Disable user jdoe's account immediately to prevent further attempts
C.Block the file server's IP address in the firewall
D.Update the script with correct credentials and clear the alert
AnswerD

The root cause is expired credentials; updating the script resolves the issue without unnecessary action.

Why this answer

The alert is a false positive triggered by a legitimate scheduled script that has been running for months. The root cause is expired or changed credentials for user 'jdoe'. Updating the script with the correct credentials resolves the issue without disrupting operations.

Clearing the alert removes the noise from the SIEM, allowing the SOC to focus on genuine threats.

Exam trap

Cisco often tests the ability to distinguish between a true security incident and a false positive caused by a legitimate process, where the trap is to immediately escalate or take reactive security actions without first verifying the context and root cause of the alert.

How to eliminate wrong answers

Option A is wrong because escalating to the incident response team is unnecessary for a known, legitimate process; incident response should be reserved for confirmed security incidents, not false positives. Option B is wrong because disabling jdoe's account would disrupt the legitimate backup script and potentially other services, and the user is on leave, so the account is not actively being used maliciously. Option C is wrong because blocking the file server's IP in the firewall would break the backup process and potentially other legitimate services hosted on that server, as the source IP is a trusted internal asset.

795
MCQmedium

During the Containment, Eradication, and Recovery phase, the incident response team collects evidence from a compromised system. Which document is used to record the chain of custody?

A.Data classification policy
B.Acceptable Use Policy
C.Incident response plan
D.Chain of custody form
AnswerD

This form records evidence handling details.

Why this answer

Chain of custody documentation tracks who handled evidence from collection to court presentation.

796
MCQmedium

In Wireshark, which filter can be used to quickly find all HTTP requests that contain a specific keyword in the URL?

A.dns.qry.name contains "keyword"
B.tcp.port == 80
C.ip.src == 10.0.0.1
D.http.request.uri contains "keyword"
AnswerD

This filter matches HTTP request URIs containing the keyword.

Why this answer

The http.request filter combined with a contains operator can isolate HTTP requests with specific patterns.

797
MCQhard

A threat hunter identifies a binary that uses a Domain Generation Algorithm (DGA) to create domain names like 'eksdghf23.com', 'mzncxv89.net' each day. The malware contacts these domains over HTTPS. Which phase of the Cyber Kill Chain is most directly associated with this technique?

A.Installation
B.Exploitation
C.Command and Control
D.Actions on Objectives
AnswerC

DGA is a C2 technique to evade domain blacklisting.

Why this answer

DGA domains are used to maintain resilient command and control infrastructure, which falls under the C2 phase.

798
MCQmedium

A company's security policy requires that sensitive data be encrypted at rest using AES-256. Which type of encryption does AES-256 represent?

A.Hashing algorithm
B.Digital signature
C.Asymmetric encryption
D.Symmetric encryption
AnswerD

AES is a symmetric block cipher.

Why this answer

AES is a symmetric encryption algorithm, meaning the same key is used for encryption and decryption.

799
MCQhard

An analyst is investigating lateral movement and observes SMB authentication attempts from host A to multiple other hosts using NTLM authentication with a hash value instead of a password. Which attack technique is most likely being used?

A.Pass-the-hash attack
B.Brute force attack
C.Kerberos golden ticket attack
D.SMB relay attack
AnswerA

Using NTLM hashes for authentication across multiple hosts is pass-the-hash.

Why this answer

Pass-the-hash uses NTLM hashes to authenticate without the plaintext password. SMB authentication with hashes is a classic sign.

800
MCQmedium

An analyst is reviewing Windows Event Logs and finds Event ID 4648. What does this event typically indicate?

A.A failed logon attempt
B.An account creation event
C.A successful logon event
D.A logon using explicit credentials
AnswerD

4648 is logged when a process attempts to log on using explicit credentials.

Why this answer

Event ID 4648 indicates that a logon was attempted using explicit credentials, meaning a user supplied credentials to run a program or access a resource.

801
Multi-Selecteasy

Which TWO actions are characteristic of a port scan performed by an attacker? (Choose two.)

Select 2 answers
A.Using TCP SYN packets without completing the three-way handshake.
B.Sending multiple connection requests to various ports on a single host.
C.Randomly selecting target ports without any pattern.
D.Spoofing the source IP address to evade detection.
E.Sending packets at a very low rate to avoid triggering threshold-based alerts.
AnswersA, B

SYN scans are a common stealth scanning technique.

Why this answer

A is correct because a TCP SYN scan sends a SYN packet to initiate a connection but never completes the three-way handshake by sending the final ACK. This allows the attacker to determine if a port is open (SYN-ACK received) or closed (RST received) without establishing a full connection, which helps evade some logging mechanisms.

Exam trap

Cisco often tests the distinction between a port scan's core mechanism (SYN packets without completing the handshake) and optional evasion techniques (like low rate or IP spoofing), leading candidates to mistakenly choose evasion methods as defining characteristics.

802
MCQeasy

As a SOC analyst, you are reviewing alerts from a network-based IDS. One alert is for 'ET TROJAN Zeus Trojan Check-in' triggered by traffic from an internal host to an external IP on port 8080. The IDS packet capture shows the traffic is encrypted. You check the host's antivirus logs and find that the host has not been scanned in 30 days. The host belongs to the HR department and typically accesses only internal resources and a few external HR portals. What should be your first action?

A.Ignore the alert because it is encrypted and likely a false positive.
B.Block the external IP address at the firewall.
C.Immediately isolate the host from the network by disabling its switch port.
D.Perform a full antivirus scan on the host and review recent process activity.
AnswerD

This verifies if the host is actually compromised.

Why this answer

Option C is correct because the alert indicates possible trojan activity; verifying with a scan and process review is appropriate before taking more drastic action. Option A is too aggressive without confirmation. Option B may be done but first need to verify host compromise.

Option D is dangerous.

803
MCQmedium

An analyst sees this syslog message on the Cisco ASA. What is the most likely cause of this alert?

A.Normal traffic spike
B.A routing loop
C.A DoS attack
D.A misconfigured firewall
AnswerC

The high burst rate exceeding the configured max is consistent with a DoS attack overwhelming the firewall.

Why this answer

The syslog message likely indicates a high rate of connection attempts or incomplete sessions (e.g., %ASA-4-106017: Deny TCP due to SYN flood or %ASA-4-733100: Drop rate exceeded). This is characteristic of a Denial of Service (DoS) attack, where an attacker overwhelms the firewall with traffic to exhaust resources or disrupt service. Option C is correct because the ASA's threshold-based alerting specifically triggers on abnormal traffic volumes that match DoS patterns.

Exam trap

Cisco often tests the distinction between a DoS attack and a misconfiguration by embedding syslog messages that reference rate-based thresholds (e.g., 'Drop rate exceeded') rather than explicit ACL deny messages, leading candidates to mistakenly choose 'misconfigured firewall' when the alert is actually a security event.

How to eliminate wrong answers

Option A is wrong because a normal traffic spike would not typically exceed the ASA's configured connection or rate limits unless the baseline is misestimated, and the syslog message explicitly flags a security event rather than a mere statistical anomaly. Option B is wrong because a routing loop would manifest as TTL-exceeded ICMP messages or routing protocol instability, not as a syslog message about denied connections or rate limits on the ASA. Option D is wrong because a misconfigured firewall might cause legitimate traffic to be blocked, but the alert specifically indicates an attack-level volume or pattern (e.g., SYN flood), not a configuration error like an incorrect ACL or NAT rule.

804
MCQeasy

A security analyst discovers that a malicious actor is using a technique to gather information about employees by searching social media sites. Which type of attack is being performed?

A.Active reconnaissance
B.Passive reconnaissance
C.Denial of Service
D.Social engineering
AnswerB

Passive reconnaissance collects information without directly engaging the target.

Why this answer

Reconnaissance attacks involve gathering information to identify vulnerabilities. Passive reconnaissance uses publicly available sources like social media.

805
MCQmedium

You are monitoring a network segment that hosts a public-facing web server. The NIDS alerts on a signature 'ET WEB_SERVER SQL Injection Attempt' triggered by traffic to the web server. The alert details show a GET request with the parameter 'id=1 OR 1=1'. The web server responds with a 200 OK and returns data. You check the web server logs and find that the application is a legacy system that does not use prepared statements. The security team has a policy to block all SQL injection attempts at the network level. However, you notice that the web server is also receiving legitimate traffic with similar patterns from internal monitoring tools that use dynamic queries. What is the most appropriate response?

A.Add the internal monitoring tools' IP addresses to the whitelist and ensure that the network blocks the suspicious external request.
B.Disable the SQL injection signature for the web server because it causes false positives.
C.Immediately block all traffic from the external source IP that triggered the alert.
D.Request that the internal monitoring tools stop using dynamic queries, and leave the signature as is.
AnswerA

Whitelisting internal tools reduces false positives; blocking external malicious traffic maintains security.

Why this answer

Option A is correct because it balances security policy compliance with operational continuity. The internal monitoring tools' IP addresses should be whitelisted at the NIDS to prevent false positives, while the suspicious external request (which matches the SQL injection signature) should be blocked at the network level, as per policy. This approach ensures that legitimate internal traffic is not disrupted, while the external threat is mitigated.

Exam trap

Cisco often tests the candidate's ability to distinguish between a true positive and a false positive in the context of security policy, where the trap is to immediately block the external IP (Option C) without considering that the alert might be a false positive or that a whitelist for legitimate internal traffic is the more appropriate first step.

How to eliminate wrong answers

Option B is wrong because disabling the entire SQL injection signature for the web server would leave the system vulnerable to actual attacks, violating the security team's policy to block all SQL injection attempts. Option C is wrong because immediately blocking all traffic from the external source IP could be too aggressive; the alert may be a false positive or a reconnaissance attempt, and a more measured response (e.g., rate-limiting or further investigation) is appropriate before a permanent block. Option D is wrong because requesting internal monitoring tools to stop using dynamic queries is impractical and unnecessary; the tools are legitimate and their traffic can be whitelisted, while the signature should remain active for external threats.

806
Multi-Selectmedium

During a Linux incident response, an analyst runs 'ps aux' and sees a process with a suspicious name. The analyst wants to gather more information. Which TWO commands can provide the process's network connections?

Select 2 answers
A.cat /proc/[pid]/net/tcp
B.lsof -i
C.ss -tlnp
D.cat /var/log/syslog
E.netstat -antp
AnswersA, C

Correct. This file contains TCP connection details for the PID.

Why this answer

ss -tlnp shows listening TCP sockets with the process PID. /proc/[pid]/net/tcp contains TCP connection info for that process.

807
MCQhard

An attacker intercepts communication between a client and a server, allowing the attacker to read, insert, and modify messages in both directions. Which type of network attack is this?

A.Denial of Service
B.ARP spoofing
C.DNS poisoning
D.Man-in-the-middle
AnswerD

MitM allows interception, reading, and modification of communications between two parties.

Why this answer

A man-in-the-middle (MitM) attack places the attacker between two parties to intercept and manipulate traffic.

808
MCQeasy

During network intrusion analysis, an analyst observes a TCP connection with the SYN flag set but no subsequent ACK. This pattern is indicative of:

A.SYN flood attack
B.DNS resolution
C.Normal three-way handshake
D.ICMP echo request
AnswerA

Incomplete SYN handshakes are a sign of SYN flood.

Why this answer

A SYN flood attack is a type of denial-of-service (DoS) attack where the attacker sends a high volume of TCP SYN packets to a target server but never completes the three-way handshake by sending the final ACK. This leaves the server with half-open connections, consuming resources and potentially exhausting the connection backlog, which prevents legitimate clients from establishing connections.

Exam trap

Cisco often tests the distinction between a normal three-way handshake and an incomplete handshake pattern, where candidates mistakenly think any SYN packet indicates a legitimate connection attempt rather than recognizing the missing ACK as the hallmark of a SYN flood.

How to eliminate wrong answers

Option B is wrong because DNS resolution uses UDP (or TCP for zone transfers) and does not involve TCP SYN flags; it relies on query/response pairs over port 53. Option C is wrong because a normal three-way handshake requires a SYN, SYN-ACK, and then an ACK; the absence of the final ACK indicates an incomplete handshake, not a normal one. Option D is wrong because ICMP echo request is a network-layer diagnostic message (type 8) that does not use TCP flags or ports; it operates at the Internet layer and is not part of TCP connection establishment.

809
MCQhard

A company uses syslog for logging from all network devices. The SOC notices that logs from a critical router are not appearing in the SIEM for the past hour, but other devices are sending logs normally. Which step should the analyst take FIRST to troubleshoot?

A.Ping the SIEM server from the router
B.Restart the router syslog service
C.Check the router logging configuration
D.Check the SIEM server's log receiver status
AnswerA

Verifying network connectivity helps isolate if the issue is network or device related.

Why this answer

The SOC sees that only one router's logs are missing while all other devices are sending logs normally. This strongly suggests the issue is isolated to that router, not the SIEM server. The quickest first step is to verify basic IP connectivity from the router to the SIEM server using ping.

If the router cannot reach the SIEM server (e.g., due to a routing problem, ACL, or firewall change), no syslog UDP packets (port 514) will arrive, and no amount of local configuration checking or service restarting will fix it. This aligns with the standard troubleshooting methodology of verifying Layer 3 reachability before diving into application-layer settings.

Exam trap

Cisco often tests the principle of 'start with the simplest, least disruptive test'—candidates mistakenly jump to checking configuration or restarting services because they assume the problem is software-related, when the most common cause is a network connectivity issue that can be verified with a single ping.

How to eliminate wrong answers

Option B is wrong because restarting the router's syslog service is a disruptive action that should only be taken after confirming connectivity and configuration; it assumes the service is hung, which is unlikely given that other devices are fine. Option C is wrong because checking the router logging configuration is a valid step, but it should come after confirming basic network connectivity—if the router can't reach the SIEM, the configuration is irrelevant. Option D is wrong because the SIEM server's log receiver status is not the likely root cause since all other devices are successfully sending logs, indicating the SIEM receiver is operational.

810
MCQeasy

A SOC Tier 1 analyst receives an alert for a potential malware infection. What is the primary responsibility of the Tier 1 analyst?

A.Communicate with the media
B.Develop detection signatures
C.Conduct advanced malware analysis
D.Perform initial triage and basic investigation
AnswerD

Tier 1 handles initial alert triage and basic investigation.

Why this answer

Tier 1 analysts monitor alerts and perform initial triage to determine if further investigation is needed.

811
Multi-Selectmedium

A SOC Tier 3 analyst is performing advanced threat analysis. Which TWO activities are typical for this tier?

Select 2 answers
A.Forensic analysis of compromised systems
B.Correlating multiple alerts
C.Monitoring SIEM dashboards
D.Initial triage of alerts
E.Threat hunting
AnswersA, E

Advanced forensics is a Tier 3 function.

Why this answer

Tier 3 involves threat hunting and advanced forensics, while Tier 1 handles triage and Tier 2 handles correlation.

812
MCQmedium

An analyst needs to collect volatile data from a live host before performing a memory dump. Which data is most volatile?

A.Registry data
B.Network connections
C.File system metadata
D.Event logs
AnswerB

Network state changes with every packet, making it highly volatile.

Why this answer

Network connections are the most volatile data because they change rapidly as packets flow and sessions are established or torn down. In live response, the current state of TCP/UDP connections (e.g., via netstat -ano) can be lost the instant the system is powered off or the network cable is pulled, making them more ephemeral than registry data, file system metadata, or event logs.

Exam trap

Cisco often tests the order of volatility (RFC 3227) by making candidates confuse persistent disk-based data (registry, logs, file metadata) with transient memory-based data, so the trap is assuming that any system artifact is equally volatile when network state is actually the most ephemeral.

How to eliminate wrong answers

Option A is wrong because registry data persists on disk and changes only when software is installed, configured, or uninstalled, making it less volatile than active network connections. Option C is wrong because file system metadata (e.g., timestamps, permissions) is stored on disk and remains relatively stable until files are explicitly modified, so it is not as transient as network state. Option D is wrong because event logs are written to disk and persist across reboots, so they are far less volatile than live network connection tables.

813
MCQmedium

A NetFlow analysis shows that a single internal IP sent 10 GB of data to an external IP within one hour, whereas the baseline for that host is typically 100 MB per day. Which type of activity does this indicate?

A.Denial of service attack
B.Network scanning
C.Normal business activity
D.Data exfiltration
AnswerD

Unusually high outbound data volume suggests stealing data.

Why this answer

A sudden large volume of outbound data from a host that normally sends little is a classic indicator of data exfiltration.

814
MCQmedium

During an incident response, a Linux system shows unusual outbound network connections from a process named 'httpd'. The analyst uses 'ss -tlnp' to examine listening sockets. Which column would most likely indicate if the process is malicious?

A.Local Address:Port
B.State
C.Peer Address:Port
D.Process
AnswerD

Correct. The Process column reveals the program name and PID.

Why this answer

The 'Process' column in 'ss -tlnp' shows the PID and process name. If the process name is misrepresented or the PID does not match a legitimate httpd, it indicates malicious activity.

815
Multi-Selecteasy

Which TWO of the following are commonly used protocols for network security monitoring? (Select 2)

Select 2 answers
A.SMTP
B.SNMP
C.TLS
D.Syslog
E.NetFlow
AnswersB, E

SNMP is used for device monitoring.

Why this answer

SNMP (Simple Network Management Protocol) is correct because it is a standard protocol used to collect and organize information about managed devices on IP networks, enabling network monitoring and alerting via traps and polls. NetFlow is correct because it is a Cisco-developed protocol that captures metadata about network traffic flows, providing visibility into bandwidth usage, top talkers, and security anomalies for monitoring purposes.

Exam trap

Cisco often tests the distinction between protocols used for monitoring (SNMP, NetFlow) versus protocols used for transport or security (TLS, SMTP) or logging (Syslog), leading candidates to mistakenly select Syslog because it is associated with security logs, even though it is not a monitoring protocol in the same sense as SNMP or NetFlow.

816
Multi-Selectmedium

An analyst is reviewing alerts from an IDS and needs to classify them. Which THREE of the following are valid alert classification types?

Select 3 answers
A.False negative
B.True positive
C.True negative
D.False positive
E.Indeterminate
AnswersB, C, D

True positive is a correct alert for a real attack.

Why this answer

Alert classifications help analysts prioritize: True Positive (real attack), False Positive (no attack but alert), False Negative (attack missed, but not an alert), True Negative (no attack, no alert).

817
MCQhard

A security analyst is reviewing Zeek connection logs and sees the following entry: '192.168.1.10:12345 > 10.0.0.1:80 (tcp) duration 0.001 sec, service http, bytes 60, state S0'. Based on the state 'S0', what does this indicate about the connection?

A.Data was transferred successfully and the connection closed normally.
B.A SYN packet was sent but no reply was received.
C.The connection was established successfully.
D.The connection was reset by the remote host.
AnswerB

S0 specifically indicates a 'SYN seen, no reply' state, typical of half-open scanning.

Why this answer

In Zeek, S0 indicates that a SYN packet was sent but no SYN-ACK was received (connection attempt without completion). This could be part of a port scan or a half-open connection.

818
Multi-Selecteasy

Which TWO of the following are typical indicators of a C2 beaconing communication?

Select 2 answers
A.Regular intervals of communication at consistent times
B.Large outbound data transfers to an external IP
C.Multiple failed login attempts from a single source
D.ICMP echo requests to multiple hosts
E.DNS queries for domains that are rarely visited
AnswersA, E

Beaconing often uses fixed intervals to check in with C2 server.

Why this answer

C2 beaconing often involves regular periodic callbacks and communications to unusual domains. These patterns help attackers maintain persistence.

819
MCQeasy

An analyst is reviewing Windows Event Logs and sees Event ID 4625. What does this event indicate?

A.Credential validation was attempted
B.An account logon failed
C.An account was created
D.An account was successfully logged on
AnswerB

Correct. 4625 is failed logon.

Why this answer

Event ID 4625 in the Security log indicates a failed logon attempt. This is often used to detect brute-force attacks or unauthorized access attempts.

820
Multi-Selectmedium

Which three types of data are commonly collected and analyzed for network intrusion detection? (Choose three.)

Select 3 answers
A.Syslog messages
B.NetFlow records
C.Full packet captures
D.Windows event logs
E.DNS query logs
AnswersA, B, C

Logs from network devices are critical.

Why this answer

Syslog messages are a standard protocol (RFC 5424) used to forward log messages from network devices, servers, and applications to a central logging server. In intrusion detection, syslog data provides critical event information such as authentication failures, interface status changes, and security policy violations, which analysts correlate with other data sources to identify malicious activity.

Exam trap

Cisco often tests the distinction between network-based and host-based data sources, and the trap here is that candidates may incorrectly include Windows event logs (host-based) or DNS query logs (specialized) as primary network intrusion detection data, when the exam expects the three foundational types: syslog, NetFlow, and full packet captures.

821
MCQhard

An organization is conducting a risk assessment and wants to assign numerical values to the likelihood and impact of risks. Which type of risk assessment is being performed?

A.Quantitative risk assessment
B.Operational risk assessment
C.Qualitative risk assessment
D.Hybrid risk assessment
AnswerA

Quantitative uses numerical values.

Why this answer

Quantitative risk assessment uses numerical values (e.g., monetary, percentages) to calculate risk.

822
MCQmedium

An analyst is investigating a Windows system where a suspicious executable is running. Using Process Explorer, the analyst observes that the process 'svchost.exe' has a parent process of 'cmd.exe'. What is the significance of this parent-child relationship?

A.It shows that svchost.exe is a critical system process and is safe
B.It indicates that svchost.exe is likely malicious, as it should be spawned by services.exe
C.It suggests that svchost.exe is a child of explorer.exe, which is normal
D.It is normal behavior; svchost.exe often has cmd.exe as parent
AnswerB

Correct. Anomalous parent process is a red flag.

Why this answer

Legitimate svchost.exe processes are spawned by services.exe, not cmd.exe. A parent of cmd.exe indicates that svchost.exe was launched manually, which is abnormal and suggests malicious activity.

823
Multi-Selecthard

An analyst is examining the Windows Registry on a host suspected of persistence via a malicious service. Which two registry keys are most relevant to investigate?

Select 2 answers
A.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
B.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
C.HKEY_CLASSES_ROOT\exefile\shell\open\command
D.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
E.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AnswersA, D

This key lists all system services.

Why this answer

Option A is correct because the Services key under CurrentControlSet lists all registered Windows services, including their executable paths and startup types. Malicious services often register here to achieve persistence by starting automatically with the system. Examining this key allows an analyst to identify suspicious service names, image paths, or startup configurations that indicate persistence.

Exam trap

Cisco often tests the distinction between service persistence (Services key) and other autorun mechanisms (Run, RunOnce, AppInit_DLLs), so candidates may confuse the Services key with the Run key or other startup locations.

824
MCQhard

A security analyst is investigating an incident where an employee received an email that appeared to be from the company's IT department, requesting the employee to verify their account by clicking a link and entering their credentials. The employee complied, and later the attacker used those credentials to access the corporate VPN. Which combination of attack types best describes this incident?

A.Pretexting and privilege escalation
B.Phishing and man-in-the-middle
C.Spear phishing and credential theft
D.Vishing and brute force
AnswerC

Spear phishing is the targeted email; credential theft is the result.

Why this answer

The email is a social engineering technique known as phishing. Since it targeted a specific employee with a tailored message (IT department), it is spear phishing. The attacker then used the credentials to access the VPN, which is a direct use of the stolen information, not a separate attack like MitM.

825
MCQeasy

During a security audit, an analyst discovers that several employees have shared their login credentials with colleagues to expedite work. Which policy enforcement mechanism would be most effective in preventing this behavior?

A.Implement a password complexity policy.
B.Implement multi-factor authentication.
C.Enforce a password change policy every 30 days.
D.Conduct annual security awareness training.
AnswerB

MFA requires a physical token or biometric, making sharing impractical.

Why this answer

Multi-factor authentication (MFA) is the most effective enforcement mechanism because it requires a second factor (e.g., a one-time passcode from an authenticator app, a hardware token, or a biometric) in addition to the password. Even if employees share their passwords, MFA prevents unauthorized access because the second factor is tied to the individual's device or identity and cannot be easily shared. This directly addresses the root cause of credential sharing by making shared credentials useless without the additional factor.

Exam trap

The trap here is that candidates often choose security awareness training (Option D) because it seems like a logical educational fix, but Cisco tests the distinction between administrative controls (training) and technical enforcement mechanisms (MFA) that actually prevent the behavior at the authentication layer.

How to eliminate wrong answers

Option A is wrong because a password complexity policy only enforces the strength of the password (e.g., length, character types) but does nothing to prevent users from voluntarily sharing those strong passwords with colleagues. Option C is wrong because enforcing a password change every 30 days may reduce the window of exposure but does not prevent sharing; users can simply share the new password after each change. Option D is wrong because annual security awareness training educates users about policy but relies on voluntary compliance and does not technically enforce or prevent the behavior; users may still share credentials despite knowing the policy.

Page 10

Page 11 of 14

Page 12