Cisco CyberOps Associate 200-201 (200-201) — Questions 826–900

985 questions total · 14 pages · All types, answers revealed


Page 12 of 14

826 · MCQ · easy

In the Cyber Kill Chain, which phase involves sending a malicious attachment to a targeted user?

A. Exploitation
B. Delivery
C. Weaponization
D. Reconnaissance
Answer: B

Delivery is the phase where the weaponized payload is transmitted to the target.

Why this answer

The delivery phase is when the attacker transmits the weaponized payload to the target, e.g., via email attachment.

827 · MCQ · medium

Refer to the exhibit. A security analyst reviews the configuration of a router and notices the access list applied to the internal interface. Which traffic from the source network 10.0.0.0/8 will be permitted? (Assume typical web traffic.)

A. HTTP and HTTPS traffic only
B. All TCP traffic
C. All IP traffic from 10.0.0.0/8
D. Only HTTP traffic
Answer: A

The ACL explicitly permits TCP traffic to ports 80 and 443.

Why this answer

Option A is correct because the ACL permits TCP traffic from 10.0.0.0/8 to any destination on ports 80 (HTTP) and 443 (HTTPS). Option B is wrong because only these two TCP ports are permitted, not all TCP traffic. Option C is wrong because the ACL permits only HTTP and HTTPS, not all IP traffic. Option D is wrong because both HTTP and HTTPS are allowed.

828 · MCQ · medium

A change management policy requires that all network configuration changes be approved by a change advisory board (CAB) before implementation. An urgent security vulnerability requires an immediate firewall rule change to block an active exploit. What should the network administrator do?

A. Convene an emergency CAB meeting before making the change
B. Apply the change immediately and then submit an emergency change request for post-approval
C. Ignore the vulnerability until the next scheduled CAB meeting
D. Wait for CAB approval to ensure compliance with policy
Answer: B

Emergency changes are permitted with later documentation and approval.

Why this answer

Option B is correct because emergency change procedures should allow immediate action with retroactive approval. Option C violates policy. Option A is unnecessary if an emergency procedure exists. Option D is unrealistic for an urgent fix.

829 · MCQ · medium

Refer to the exhibit. A security analyst notices repeated login failures. According to the company's security policy, what action should be taken?

A. Block the source IP at the firewall
B. Ignore because it's only three failures
C. Investigate for brute force attack
D. Disable the user account
Answer: C

The pattern suggests a brute-force attempt; investigation is the first step per incident response procedures.

Why this answer

Repeated login failures are a classic indicator of a brute-force attack, where an attacker attempts to guess credentials by trying many passwords. The security policy should require investigation to confirm the attack pattern (e.g., frequency, source, target accounts) before taking irreversible actions like blocking or disabling. Option C is correct because it follows the principle of verify-then-act, aligning with incident response procedures.

Exam trap

Cisco often tests the candidate's ability to distinguish between reactive actions (block, disable) and proper incident response steps (investigate first), where the trap is to jump to a technical fix without following the security policy's investigation requirement.

How to eliminate wrong answers

Option A is wrong because blocking the source IP at the firewall may be premature without confirming the attack is malicious (e.g., a user with a forgotten password could trigger failures) and could cause denial of service to legitimate users. Option B is wrong because three failures can be part of a larger brute-force attempt; security policies typically define thresholds (e.g., 5 failures in 5 minutes) that trigger investigation, not dismissal. Option D is wrong because disabling the user account without investigation could lock out a legitimate user and does not address the root cause (e.g., the account may not be the target; the attacker could be targeting multiple accounts).

830 · MCQ · easy

During the Cyber Kill Chain, which phase involves sending a malicious attachment to a target user via email?

A. Exploitation
B. Weaponization
C. Delivery
D. Reconnaissance
Answer: C

Correct. Delivery is the phase where the weaponized payload is sent to the victim.

Why this answer

Delivery is the phase where the attacker transmits the weaponized payload to the target, such as via email attachments.

831 · MCQ · medium

A security analyst is using Zeek to analyze network traffic. Which Zeek log would be most useful for identifying HTTP requests to a known malicious domain?

A. http.log
B. ssl.log
C. conn.log
D. dns.log
Answer: A

http.log includes URI, host, method, etc.

Why this answer

Zeek's HTTP log records details of HTTP requests, including the host header (domain).

832 · MCQ · medium

During a PCAP analysis, an analyst sees an ICMP echo reply packet that is larger than usual (2000 bytes). What is this likely indicating?

A. ICMP flood
B. Fragmented packet
C. Smurf attack
D. Ping of death attempt
Answer: D

Ping of death uses oversized ICMP packets to crash systems.

Why this answer

A standard ICMP echo reply packet has a payload of 56 bytes (or 64 bytes including the ICMP header) for a total IP packet size of 84 bytes. A 2000-byte ICMP echo reply is far larger than that; the IPv4 limit is 65535 bytes, but typical implementations limit the data portion to much smaller values. Such an oversized packet is characteristic of a Ping of Death attack, where the attacker sends a malformed ICMP packet that, when reassembled, causes a buffer overflow on the target system, leading to a crash or denial of service.

Exam trap

Cisco often tests the distinction between a high-volume attack (like an ICMP flood or Smurf attack) and a malformed-packet attack (like Ping of Death), where the key indicator is the abnormal size of a single packet rather than the rate of packets.

How to eliminate wrong answers

Option A is wrong because an ICMP flood involves sending a high volume of ICMP packets, not a single oversized packet; the size of individual packets in a flood is typically normal. Option B is wrong because a fragmented packet is a normal IP mechanism for handling packets larger than the MTU (usually 1500 bytes), and a 2000-byte packet would be fragmented into smaller pieces, not sent as a single large unfragmented packet. Option C is wrong because a Smurf attack uses ICMP echo requests with a spoofed source IP to cause a flood of replies to the victim, but the individual reply packets are of normal size, not oversized.

833 · MCQ · easy

A security analyst discovers that an attacker used a publicly available tool to scan a company's network for open ports and services. What type of attack is this?

A. Passive reconnaissance
B. Denial of Service
C. Social engineering
D. Active reconnaissance
Answer: D

Port scanning is active because it sends probes to the target.

Why this answer

Option D is correct because using a publicly available tool to scan a company's network for open ports and services involves directly interacting with the target systems by sending probes (e.g., TCP SYN packets, UDP datagrams) and analyzing responses. This constitutes active reconnaissance, as the attacker's actions generate traffic that can be detected by intrusion detection systems (IDS) or firewall logs, unlike passive methods that only observe existing traffic.

Exam trap

Cisco often tests the distinction between active and passive reconnaissance by presenting a scenario where a tool is used to 'scan' or 'probe' the network, and candidates mistakenly choose passive reconnaissance because they think 'scanning' is non-intrusive, but any direct interaction with the target (sending packets) is active.

How to eliminate wrong answers

Option A is wrong because passive reconnaissance involves gathering information without directly interacting with the target network, such as sniffing traffic or using public records (e.g., WHOIS, DNS lookups), not sending probes to identify open ports. Option B is wrong because a Denial of Service (DoS) attack aims to disrupt or degrade service availability by overwhelming resources (e.g., SYN flood, ICMP flood), not to enumerate open ports and services for later exploitation. Option C is wrong because social engineering exploits human psychology to manipulate individuals into divulging confidential information or performing actions, not technical scanning of network ports and services.

834 · Multi-Select · hard

An analyst is reviewing web server logs and sees the following entries: 'GET /admin/login.php HTTP/1.1' returning 404, followed by 'GET /admin/login.html' returning 404, then 'GET /admin/login.asp' returning 200. Which TWO observations are most relevant?

Select 2 answers
A. The attacker is probing for valid login page paths
B. The requests indicate a brute-force login attempt
C. The source IP is likely performing a SQL injection
D. The server is misconfigured to reveal directory listings
E. The successful 200 response indicates the attacker accessed the login page
Answers: A, E

The sequence shows an attempt to find the correct login page by trying different extensions.

Why this answer

The sequence of requests probing different file extensions for the login page suggests a directory traversal or file enumeration attack. The fact that the attacker tried multiple extensions and succeeded with .asp may indicate the web server is running ASP. The 200 response is the successful access.

835 · MCQ · easy

An organization implements encryption for all sensitive data at rest and in transit to prevent unauthorized access. Which element of the CIA triad is being primarily addressed?

A. Non-repudiation
B. Integrity
C. Availability
D. Confidentiality
Answer: D

Encryption directly supports confidentiality by preventing unauthorized access.

Why this answer

Confidentiality ensures that data is not disclosed to unauthorized individuals or systems.

836 · Multi-Select · medium

A security analyst is tuning a Snort IDS to reduce false positives. Which TWO Snort rule options should the analyst modify to make the rule more specific?

Select 2 answers
A. Remove the 'destination port' field
B. Set a 'threshold' to limit the number of alerts per time window
C. Increase the 'priority' value
D. Add a 'content' field to match specific bytes
E. Change the action from 'alert' to 'log'
Answers: B, D

Threshold reduces repeated alerts from the same source.

Why this answer

Option B is correct because setting a 'threshold' in Snort limits the number of alerts generated for a given rule within a specified time window, which directly reduces false positives by suppressing repeated alerts from benign traffic that matches the rule pattern. Option D is correct because adding a 'content' field forces the rule to match specific bytes in the packet payload, making the rule more precise and less likely to trigger on unrelated traffic.

Exam trap

Cisco often tests the misconception that increasing the 'priority' value makes a rule more important or specific, when in fact a lower numeric value (e.g., 1) indicates higher priority, and changing it does not affect rule specificity.

837 · MCQ · medium

A security policy requires that all changes to firewall rules be approved by two administrators. This is an example of which security principle?

A. Need to know
B. Defense in depth
C. Separation of duties
D. Least privilege
Answer: C

Two-person rule prevents unauthorized changes.

Why this answer

The requirement that two administrators must approve firewall rule changes enforces separation of duties, a security principle that prevents any single individual from having exclusive control over a critical operation. This reduces the risk of unauthorized or malicious rule modifications, because no one person can push a change alone: it would take collusion, and every change receives independent review. In firewall management, this is often implemented via change management workflows with distinct approval and implementation roles.

Exam trap

Cisco often tests separation of duties by contrasting it with least privilege, where candidates mistakenly think limiting who can change rules is the same as limiting what they can access, but the key difference is that separation of duties focuses on dividing critical tasks among multiple people to prevent fraud or error.

How to eliminate wrong answers

Option A is wrong because 'need to know' restricts access to information based on job requirements, not the approval process for changes. Option B is wrong because 'defense in depth' involves multiple layers of security controls (e.g., firewall, IDS, antivirus), not a procedural check on administrative actions. Option D is wrong because 'least privilege' limits user permissions to the minimum necessary for their role, whereas this policy controls how changes are authorized, not the baseline access level.

838 · MCQ · medium

A company's security policy states that all remote access must be through a VPN. An employee complains that the VPN is too slow and asks for an exception to access a specific internal server directly over the internet. What should the security analyst recommend?

A. Configure a separate VPN profile with lower encryption.
B. Allow direct access but only from the employee's home IP.
C. Grant the exception temporarily and monitor the connection.
D. Investigate the VPN performance issue and optimize if possible.
Answer: D

Performance issues should be resolved; exceptions should be a last resort with formal risk acceptance.

Why this answer

Option D is correct because the security policy mandates VPN for all remote access, and bypassing it would violate the principle of least privilege and expose the internal server directly to the internet. The analyst should first investigate the VPN performance issue—common causes include MTU mismatch, high latency, or encryption overhead—and optimize it (e.g., adjusting MTU, using split tunneling, or upgrading hardware) rather than granting an exception that undermines security.

Exam trap

Cisco often tests the principle that security policies must be enforced consistently, and the trap here is that candidates think a temporary or IP-based exception is acceptable, when in fact any direct access bypasses the VPN's encryption and authentication, violating the core security requirement.

How to eliminate wrong answers

Option A is wrong because lowering encryption (e.g., from AES-256 to AES-128 or disabling PFS) weakens confidentiality and integrity, violating security policy and potentially compliance requirements like PCI DSS. Option B is wrong because allowing direct access from the employee's home IP still exposes the internal server to the public internet, bypassing the VPN's authentication and encryption, and the home IP can change or be spoofed. Option C is wrong because a temporary exception still creates a security gap—attackers could exploit the window, and monitoring does not prevent a direct attack on the exposed server.

839 · MCQ · medium

A network analyst notices a high volume of traffic from a single external IP address to multiple internal hosts on port 443. The traffic includes incomplete TCP handshakes. Which type of reconnaissance is being performed?

A. Social engineering attack
B. Active reconnaissance via port scanning
C. Denial of Service attack
D. Passive reconnaissance using WHOIS
Answer: B

Port scanning sends probes to identify open ports, generating traffic and incomplete connections.

Why this answer

Active reconnaissance involves direct interaction with the target, such as port scanning, which generates traffic. Passive recon uses public data.

840 · MCQ · medium

A network administrator is creating a baseline for normal traffic patterns. Which of the following should be considered typical for a web server during business hours?

A. High volume of TCP SYN packets to port 443
B. High volume of DNS queries to external domains
C. High volume of SSH connections on port 22
D. High volume of ICMP echo requests
Answer: A

HTTPS traffic uses port 443, so SYN packets are normal.

Why this answer

A web server typically receives HTTP/HTTPS traffic on ports 80/443. High volumes of SYN packets to port 443 are normal for web traffic.

841 · MCQ · hard

A Snort rule is configured: alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:'NTP DDoS'; content:'|17 00 03 2a|'; depth:4;). What does this rule detect?

A. SNMP community string
B. NTP server misconfiguration
C. DNS amplification attack
D. NTP amplification attack
Answer: D

Correct. The rule detects NTP monlist requests used in DDoS amplification.

Why this answer

The rule triggers on UDP traffic from port 123 (NTP) on the internal network to any port on an external network, with a payload starting with the bytes `17 00 03 2a`. These bytes correspond to the NTP control message header for a `MON_GETLIST` request (opcode 0x17, sequence 0x00, status 0x03, association ID 0x002a), which is the classic pattern used in NTP amplification attacks. This detects an outgoing NTP query that attempts to exploit the `monlist` command to reflect a large volume of traffic toward a victim, making D correct.

Exam trap

Cisco often tests the distinction between the protocol and port used in the attack (NTP on UDP 123) versus other amplification vectors (DNS on UDP 53, SNMP on UDP 161), so the trap here is confusing the NTP amplification attack with DNS amplification because both use reflection, but the rule's port and content bytes uniquely identify NTP.

How to eliminate wrong answers

Option A is wrong because SNMP community strings are carried in SNMP packets (UDP ports 161/162) and use different payload patterns (e.g., version, community string), not the NTP control message bytes `17 00 03 2a`. Option B is wrong because an NTP server misconfiguration (e.g., allowing open queries) is a vulnerability, not a specific attack signature; the rule detects the actual exploit attempt (the `monlist` request), not the configuration state. Option C is wrong because DNS amplification attacks use DNS queries (UDP port 53) with specific opcodes and flags (e.g., ANY query with recursion desired), not NTP control messages on port 123.

842 · Multi-Select · medium

An incident responder is analyzing a Windows machine for evidence of malware persistence. Which TWO registry keys are commonly abused to achieve automatic execution at user logon?

Select 2 answers
A. HKLM\Software\Microsoft\Windows\CurrentVersion\Run
B. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
C. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
D. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
E. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Answers: A, D

This key runs programs at logon for all users.

Why this answer

HKLM\...\Run and HKCU\...\Run are common persistence locations. RunOnce keys also exist but are for one-time execution. AppInit_DLLs is for DLL injection, and Image File Execution Options are for debugging.

843 · MCQ · medium

After containing a security incident, the incident response team eradicates the malware and restores systems from clean backups. Which phase of the NIST SP 800-61 Rev 2 process does this represent?

A. Preparation
B. Containment, Eradication, and Recovery
C. Post-Incident Activity
D. Detection and Analysis
Answer: B

Eradication and recovery are part of this phase.

Why this answer

Eradication removes the threat, and recovery restores normal operations.

844 · MCQ · medium

In Wireshark, an analyst follows a TCP stream and sees plaintext usernames and passwords. Which protocol is likely in use?

A. HTTPS
B. SFTP
C. FTP
D. SSH
Answer: C

FTP sends credentials in cleartext.

Why this answer

FTP transmits credentials in plaintext. Other protocols (HTTPS, SSH, SFTP) encrypt traffic.

845 · MCQ · medium

An analyst detects multiple SMB authentication attempts from a single internal host to several other internal hosts using NTLM hashes instead of plaintext passwords. Which technique is most likely being used?

A. Brute force
B. Kerberoasting
C. Golden ticket attack
D. Pass-the-hash
Answer: D

Pass-the-hash uses NTLM hashes for authentication.

Why this answer

Pass-the-hash uses captured NTLM hashes to authenticate to other systems without needing the plaintext password. This is a common lateral movement technique.

846 · MCQ · medium

An analyst is examining a Linux system for persistence mechanisms. Which of the following files should be reviewed to detect cron-based persistence?

A. /var/log/auth.log
B. /etc/passwd
C. /home/user/.bash_history
D. /var/spool/cron/crontabs
Answer: D

Correct. User crontabs are stored here.

Why this answer

Cron jobs can be set in /etc/crontab, /etc/cron.d/, and user-specific crontabs in /var/spool/cron/. /var/spool/cron/crontabs contains per-user crontabs.

847 · MCQ · easy

You are a SOC analyst at a medium-sized enterprise. The company uses a SIEM that collects logs from firewalls, endpoints, and Active Directory. At 2:00 AM, the SIEM generates a high-priority alert: 'Multiple Failed Logins for Administrator Account from Remote IP 198.51.100.20'. The analyst on the night shift reviews the alert and sees that there were 50 failed attempts in 10 minutes, followed by a successful login at 2:12 AM. The successful login originated from the same IP. The account is a domain administrator. The analyst checks the firewall logs and sees that the IP is from a known VPN provider. The analyst also checks the endpoint logs and sees that no unusual activity has occurred after the login. The company has a policy that remote administration is allowed only from a specific jump server with IP 203.0.113.10. The analyst suspects a brute-force attack succeeded. What should the analyst do first?

A. Block the IP address 198.51.100.20 on the firewall
B. Disable the compromised administrator account immediately
C. Perform a full network scan of the VPN provider's entire IP range
D. Reset the password of the compromised administrator account
Answer: B

Disabling the account stops all access by the attacker and is the fastest containment action.

Why this answer

Option B is correct because the immediate priority is to contain the breach by disabling the compromised domain administrator account. The successful login from an unauthorized IP (198.51.100.20) after 50 failed attempts indicates a successful brute-force attack, and the account has domain-level privileges. Disabling the account stops any further lateral movement or privilege escalation, which is the first step in incident response containment before any remediation or investigation.

Exam trap

Cisco often tests the distinction between containment (disabling the account) and remediation (resetting the password), where candidates mistakenly choose password reset first because they think it solves the problem, but disabling is the correct immediate action to cut off access.

How to eliminate wrong answers

Option A is wrong because blocking the IP address alone does not address the fact that the attacker already has valid credentials and could reconnect from a different IP or VPN endpoint, leaving the compromised account active for further abuse. Option C is wrong because performing a full network scan of the VPN provider's entire IP range is an inefficient, broad, and potentially disruptive action that does not immediately contain the threat; it also violates typical incident response procedures by focusing on reconnaissance rather than containment. Option D is wrong because resetting the password, while necessary later, is not the first action; the account must be disabled first to prevent the attacker from using the current session or any cached credentials before the password change takes effect.

848 · MCQ · easy

In the context of risk management, which term describes the risk that remains after implementing security controls?

A. Acceptable risk
B. Inherent risk
C. Transfer risk
D. Residual risk
Answer: D

Residual risk remains after controls.

Why this answer

Residual risk is the risk left after controls are applied. It must be accepted or further treated.

849 · MCQ · medium

An attacker sends an email posing as the company's IT department, asking employees to click a link and enter their credentials. Which type of social engineering attack is this?

A. Vishing
B. Phishing
C. Pretexting
D. Spear phishing
Answer: B

Phishing is a mass email attack impersonating a legitimate entity.

Why this answer

B is correct because the attack uses email as the delivery vector to trick recipients into revealing credentials, which is the classic definition of phishing. Phishing is a broad category of social engineering that employs deceptive electronic communications (typically email) to steal sensitive information.

Exam trap

Cisco often tests the distinction between phishing (mass, untargeted) and spear phishing (targeted), so the trap here is that candidates may confuse the generic email to all employees with a targeted attack, leading them to incorrectly choose spear phishing.

How to eliminate wrong answers

Option A is wrong because vishing (voice phishing) uses telephone calls or voice messages, not email. Option C is wrong because pretexting involves fabricating a scenario or identity to gain trust and extract information, but it does not specifically require an email with a link to harvest credentials. Option D is wrong because spear phishing is a targeted version of phishing aimed at a specific individual or organization, whereas the question describes a generic email sent to all employees, which is a mass phishing campaign.

850 · MCQ · medium

A SOC analyst observes a spike in DNS queries for long, random-looking subdomains under a single domain from an internal host. The responses are NXDOMAIN. Which type of activity is most likely indicated?

A. DNS amplification attack
B. DNS tunneling
C. Normal DNS resolution for many websites
D. Misconfigured DNS server
Answer: B

Random subdomains encoding data is a hallmark of DNS tunneling.

Why this answer

Random subdomain queries with NXDOMAIN responses are typical of a DNS tunneling attempt used for data exfiltration or C2.

851 · MCQ · hard

A security analyst detects a large number of TCP RST packets from a single external IP to various internal hosts. The internal hosts are not sending any corresponding packets. What is the most likely cause?

A. A denial-of-service attack is occurring
B. A TCP connection is being established
C. A port scan is in progress
D. A TCP reset attack is being performed
Answer: D

Forged RST packets terminate connections prematurely.

Why this answer

A TCP reset attack (also known as a forged RST attack) occurs when an attacker sends spoofed TCP RST packets to disrupt an existing connection. The key clue is that the internal hosts are not sending any corresponding packets, indicating the RST packets are unsolicited and likely forged, which is characteristic of this attack rather than a normal network event.

Exam trap

Cisco often tests the distinction between a TCP reset attack and a port scan, where candidates mistakenly associate RST packets with port scanning (e.g., receiving RST from a closed port) rather than recognizing unsolicited RST packets as an active attack.

How to eliminate wrong answers

Option A is wrong because a denial-of-service attack typically involves overwhelming a target with traffic (e.g., SYN flood or volumetric attack), but here the RST packets are directed to multiple internal hosts without corresponding traffic, which is more specific to a reset attack. Option B is wrong because establishing a TCP connection involves a three-way handshake (SYN, SYN-ACK, ACK), not RST packets; RST packets are used to abort connections, not initiate them. Option C is wrong because a port scan (e.g., SYN scan) sends SYN packets to probe open ports, and while RST packets may be sent in response to closed ports, the scenario describes unsolicited RST packets from an external IP to internal hosts, which is not how a scan operates.

852 · MCQ · easy

Which component of the NIST Cybersecurity Framework involves taking action to stop an ongoing attack?

A. Identify
B. Detect
C. Respond
D. Protect
Answer: C

Respond includes actions to address and mitigate attacks.

Why this answer

The Respond function includes activities to contain and mitigate incidents.

853 · MCQ · hard

A Zeek connection log shows a high number of connections from a single internal IP to many different external IPs on port 25, with small payload sizes. Which behavior is most likely indicated?

A. DNS tunneling
B. Secure web browsing
C. Data exfiltration using FTP
D. Spam email campaign or SMTP scanning
Answer: D

SMTP port 25 is used for email; many connections to various external IPs could indicate scanning for open relays or sending spam.

Why this answer

Port 25 is the default SMTP port used for email transmission. A high volume of connections from a single internal IP to many different external IPs on port 25, with small payload sizes, is characteristic of a spam email campaign or SMTP scanning. This pattern suggests the host is either sending bulk spam emails or probing external mail servers for open relay or user enumeration.

Exam trap

Cisco often tests the association of well-known ports with their protocols, and the trap here is that candidates may confuse port 25 with other common ports like 53 (DNS) or 21 (FTP), leading them to select DNS tunneling or FTP exfiltration instead of recognizing the SMTP spam pattern.

How to eliminate wrong answers

Option A is wrong because DNS tunneling typically uses UDP port 53 (or TCP 53 for large queries) and involves encoding data in DNS queries/responses, not SMTP port 25. Option B is wrong because secure web browsing uses HTTPS on port 443, not port 25, and would show larger payload sizes due to encrypted web content. Option C is wrong because data exfiltration using FTP would use port 21 (control) or port 20 (data), not port 25, and would involve larger file transfers rather than small payloads.

854 · MCQ · medium

A security analyst is investigating a host that is suspected of being used as a pivot point in a network intrusion. The analyst needs to identify which process initiated an outbound connection to a known malicious IP address. Which host-based analysis approach should the analyst use to correlate the network connection to the specific process?

A. Run 'netstat -b' on the Windows host to display active connections with the associated process executable.
B. Examine the Windows Firewall log to see the source and destination IP addresses and ports for outbound traffic.
C. Review Windows Security Event Log for Event ID 4688 (Process Creation) for the timeline of process starts.
D. Use PowerShell cmdlet 'Get-NetTCPConnection' to list current TCP connections and their states.
Answer: A

The -b flag shows the binary involved in creating each connection, directly correlating the connection to the process.

Why this answer

Running 'netstat -b' on a Windows host displays active TCP connections along with the executable name of the process that created each connection. This directly correlates the outbound connection to the malicious IP with the specific process, which is exactly what the analyst needs to identify the pivot point.

Exam trap

Cisco often tests the distinction between network-level logs (firewall logs) and host-level process-to-connection correlation, and the trap here is that candidates may choose 'Get-NetTCPConnection' (Option D) because it lists connections, but they overlook that it does not show the associated process executable without additional scripting.

How to eliminate wrong answers

Option B is wrong because the Windows Firewall log records source/destination IPs and ports but does not associate traffic with a specific process executable; it only logs network-level metadata. Option C is wrong because Event ID 4688 logs process creation events but does not include network connection details, so it cannot correlate a specific outbound connection to a process. Option D is wrong because 'Get-NetTCPConnection' lists TCP connections and their states but does not show the associated process executable; it lacks the -b flag's process-to-connection mapping.

855
MCQhard

A security auditor reviews a company's security policies and finds that the password policy requires a minimum length of 8 characters and complexity including uppercase, lowercase, digit, and special character. However, the policy does not mandate password expiration. Which of the following is the most significant risk due to this omission?

A.Stolen credentials could be used for extended periods without detection
B.Users may choose weak passwords that are easy to guess
C.Help desk will receive an increased number of password reset requests
D.Users might reuse passwords across different systems
AnswerA

No expiration means compromised passwords stay valid until changed, allowing prolonged unauthorized access.

Why this answer

Without mandatory password expiration, an attacker who obtains valid credentials (e.g., via phishing or credential dumping) can keep using them until someone notices, because nothing forces the password to change. That widens the window for lateral movement, data exfiltration and privilege escalation, whereas periodic expiration bounds the lifespan of a compromised credential. Practitioner caveat: NIST SP 800-63B now advises against routine expiration and instead recommends forcing a change on evidence of compromise, screening new passwords against breached-password lists, and requiring MFA; the exam nevertheless expects A as the risk this particular omission creates.

Exam trap

Cisco often tests the misconception that password complexity alone prevents credential theft, when in fact the absence of expiration creates a persistent risk of undetected long-term access by attackers.

How to eliminate wrong answers

Option B is wrong because the policy already mandates complexity (uppercase, lowercase, digit, special character) and a minimum length of 8 characters, which addresses weak or guessable passwords. Option C is wrong because mandatory expiration is what typically drives help desk reset calls (forgotten passwords); omitting it does not increase them. Option D is wrong because expiration does not stop reuse across systems; that is addressed by breached-password screening, password managers or single sign-on, while password history policies only prevent a user from cycling back to an old password on the same system.

856
MCQmedium

During an intrusion analysis, a SOC analyst reviews logs showing an outbound connection from an internal host to an external IP at 03:00 AM every 60 seconds. The traffic is HTTPS to a suspicious domain with a high entropy name. Which phase of the Cyber Kill Chain does this activity represent?

A.Actions on Objectives
B.Delivery
C.Command and Control (C2)
D.Weaponisation
AnswerC

Periodic callbacks to an external domain are typical C2 behaviour.

Why this answer

Regular beaconing (here a fixed 60-second interval with no visible jitter) to an external domain with a high-entropy, DGA-like name is the signature of an implant checking in with its command and control (C2) server. HTTPS hides the content of each exchange but not the timing pattern, the destination or the TLS metadata, which is what the analyst keys on.

857
Multi-Selectmedium

An analyst reviews a PCAP and sees HTTP requests containing script tags and event handlers such as 'onload' and 'onerror'. Additionally, the URI contains 'alert(1)'. Which TWO types of attacks are indicated? (Select 2)

Select 2 answers
A.Command injection
B.Reflected XSS
C.DOM-based XSS
D.Stored XSS
E.SQL injection
AnswersB, C

Script tags in URI indicate reflected XSS.

Why this answer

The presence of script tags, event handlers like 'onload' and 'onerror', and the URI containing 'alert(1)' indicates that the attacker is attempting to inject client-side script that will end up in the page the browser renders. Because the payload travels in the URI (a query parameter or path segment) and is executed as soon as the response is rendered, without being stored on the server, this is Reflected XSS (option B). The same payload can also be executed by client-side JavaScript that writes untrusted data from the URI into the DOM, which is DOM-based XSS (option C).

Exam trap

Cisco often tests the distinction between Reflected and DOM-based XSS by presenting a payload that appears in the URI but is not reflected in the server's response body, leading candidates to assume only one type is present. The distinguishing check is whether the server echoes the payload (reflected) or whether the page's own JavaScript reads it from location.search or location.hash (DOM-based); a fragment after '#' is never sent to the server, so that variant will not show in the HTTP request at all.
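Worked example (added; not code from the original page): a small classifier over one HTTP request/response pair that applies the reasoning above. It percent-decodes the query string, looks for script tags, event-handler attributes, javascript: URLs and the alert( probe, then checks whether the server echoed the payload (reflected) or not (a DOM-based candidate that needs a look at the page's JavaScript). The request URIs, response bodies and the marker regex are constructed for this illustration.

```python
import re
from typing import Dict
from urllib.parse import parse_qs, urlsplit

# Markers a SOC rule would look for in a request URI: script tags, image tags with
# event handlers, javascript: URLs and the alert() probe scanners and testers use.
XSS_MARKERS = re.compile(
    r"<script\b|<img\b|\bon(?:load|error|mouseover|focus)\s*=|javascript:|alert\s*\(",
    re.IGNORECASE,
)


def suspicious_params(request_uri: str) -> Dict[str, str]:
    """Return {parameter: decoded value} for query parameters carrying XSS markers.
    parse_qs percent-decodes once, which is what the server-side handler sees."""
    query = urlsplit(request_uri).query
    found = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if XSS_MARKERS.search(value):
                found[name] = value
    return found


def classify(request_uri: str, response_body: str) -> str:
    """Classify one request/response pair taken from a capture.

    reflected      - the injected value comes back verbatim in the server response
    dom-candidate  - markers were sent but the server did not echo them; if the page
                     reads location.search/hash in JavaScript this is DOM-based XSS
    no-xss-markers - nothing in the query string looks like script injection
    """
    payloads = suspicious_params(request_uri)
    if not payloads:
        return "no-xss-markers"
    if any(p in response_body for p in payloads.values()):
        return "reflected"
    return "dom-candidate"


# Constructed request/response pairs (not taken from a real PCAP).
REQ_REFLECTED = "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"
RESP_REFLECTED = "<html><body>Results for <script>alert(1)</script></body></html>"

REQ_DOM = "/profile?name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"
RESP_DOM = ('<html><body><div id="greet"></div><script>'
            'document.getElementById("greet").innerHTML = '
            '"Hello " + decodeURIComponent(location.search.split("=")[1]);'
            '</script></body></html>')

REQ_BENIGN = "/search?q=running+shoes"
RESP_BENIGN = "<html><body>Results for running shoes</body></html>"
```

Stored XSS cannot be judged from a single pair: the payload arrives in one request (typically a POST) and appears in the responses to later, unrelated requests, so the capture has to be searched for the marker in responses whose own URIs are clean.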

858
MCQeasy

A security analyst is triaging an alert about a user downloading a suspicious file. According to the NIST SP 800-61 Rev 2 incident response process, in which phase does initial triage occur?

A.Containment, Eradication, and Recovery
B.Post-Incident Activity
C.Preparation
D.Detection and Analysis
AnswerD

Triage is performed during Detection and Analysis to prioritize incidents.

Why this answer

Initial triage is part of the Detection and Analysis phase, where alerts are evaluated to determine if they are actual incidents.

859
MCQmedium

You are a security operations analyst for a medium-sized enterprise. The company's security policy requires that all endpoint devices have antivirus software installed and updated. During a routine check, you find that a group of 50 laptops used by the sales team have not received antivirus updates for over three months. The policy also states that any non-compliant devices must be quarantined from the network until they are remediated. The sales team manager argues that quarantining the laptops will disrupt critical sales activities. The company's incident response policy has a clause that allows for temporary exceptions in business-critical situations, but requires approval from the CISO. What is the best course of action?

A.Ignore the issue to avoid disrupting sales activities
B.Quarantine the laptops immediately as per policy
C.Request a temporary exception from the CISO while expediting the updates
D.Update the antivirus without quarantining, then report to management
AnswerC

The exception process allows business continuity while addressing the issue.

Why this answer

Option C is correct because it balances security policy compliance with business continuity. The incident response policy explicitly allows temporary exceptions for business-critical situations with CISO approval, and expediting the updates ensures the 50 laptops are remediated quickly. Quarantining immediately ignores the company's own exception process, while ignoring the issue or updating without quarantining bypasses the controls the policy requires.

Exam trap

Cisco often tests the balance between strict policy enforcement and business continuity, trapping candidates who choose immediate quarantine (Option B) without considering documented exception processes, or who choose to update without quarantine (Option D) thinking it's a practical workaround.

How to eliminate wrong answers

Option A is wrong because ignoring the issue violates the security policy requiring quarantine of non-compliant devices, leaving the network exposed to potential malware outbreaks from outdated antivirus definitions. Option B is wrong because while quarantine is the default policy, it fails to leverage the incident response policy's exception clause for business-critical situations, potentially causing unnecessary disruption without CISO oversight. Option D is wrong because updating antivirus without quarantining bypasses the policy's quarantine requirement and does not address the root cause of non-compliance; reporting after the fact does not obtain the required prior approval for an exception.

860
Multi-Selectmedium

A security policy mandates that all network devices must have logging enabled and that logs must be reviewed regularly. Which TWO practices are essential for effective log review?

Select 2 answers
A.Aggregating logs from all devices into a central server.
B.Reviewing logs only when an incident occurs.
C.Automated log analysis with correlation tools.
D.Storing logs for at least one year.
E.Ensuring logs are in a common format like Syslog.
AnswersA, C

Centralization enables comprehensive analysis and correlation across the network.

Why this answer

Central aggregation (A) and automated analysis with correlation tools (C) are essential for effective and efficient log review: without the first there is nothing to correlate across devices, and without the second nobody reads the volume a network produces. Retention for a year (D) and a common format such as Syslog (E) support the review process but are not the review itself. Reviewing only when an incident occurs (B) is reactive and defeats the purpose of regular review.

861
MCQmedium

What is the effect of this configuration on a Cisco device?

A.Users are authenticated using a TACACS+ server.
B.Authorization is done via RADIUS.
C.Users are authenticated using the local database.
D.No authentication is required.
AnswerC

The 'local' keyword means the local username database is used.

Why this answer

The configuration shown (not provided in the question, but implied by the correct answer) is a typical local authentication setup, such as 'aaa authentication login default local' or a username/password defined in the device's local database. This means the device uses its own stored credentials to authenticate users, not an external server. Option C is correct because local authentication is explicitly configured, bypassing any external AAA server.

Exam trap

Cisco often tests the distinction between authentication, authorization, and accounting (AAA) services, and the trap here is that candidates confuse the protocol used for authentication (TACACS+ or RADIUS) with the method (local vs. server-based), leading them to pick an option that assumes an external server is involved when only local authentication is configured.

How to eliminate wrong answers

Option A is wrong because TACACS+ authentication requires a method list that names the server group (e.g., 'aaa authentication login default group tacacs+ local') plus a configured TACACS+ server; the configuration in question does not reference TACACS+. Option B is wrong because the configuration deals with authentication, not authorization, and does not specify RADIUS; RADIUS authorization would need 'aaa authorization' commands (e.g., 'aaa authorization exec default group radius') in addition to a configured server. Option D is wrong because 'no authentication' would require 'aaa authentication login default none' or a line with no login requirement at all; the presence of a local authentication configuration means credentials are checked.

862
MCQmedium

During an incident response, an analyst checks for persistence mechanisms and finds an entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. What is the most likely purpose of this registry key?

A.It lists recently accessed documents.
B.It specifies programs to run automatically at user logon.
C.It stores user interface settings for the current user.
D.It controls Windows Defender exclusions.
AnswerB

The Run key is used for auto-starting applications at logon.

Why this answer

The Run key causes the listed programs to execute at logon: HKCU\...\Run for the logons of that one user, HKLM\...\Run for every user on the machine. Legitimate software uses it routinely, which is why malware hides there; the RunOnce siblings delete an entry after it runs, and the Wow6432Node variants hold 32-bit entries on 64-bit Windows. During triage, record the value data (the full command line), the file it points to and that file's timestamps and signature, not just the presence of a value.

863
Multi-Selectmedium

Which THREE are essential components of a security monitoring strategy? (Choose three.)

Select 3 answers
A.Antivirus software on all endpoints.
B.Data encryption at rest.
C.Defined incident response procedures.
D.Centralized log collection from critical systems.
E.Correlation rules to identify suspicious patterns.
AnswersC, D, E

Monitoring needs collection, correlation, and a defined way to act on what it finds.

Why this answer

Defined incident response procedures (Option C) are essential because they give the team a structured, repeatable workflow for analyzing and containing what monitoring surfaces; without them the Containment, Eradication, and Recovery phase of NIST SP 800-61 is executed ad hoc, increasing dwell time. Centralized log collection (Option D) and correlation rules (Option E) are the monitoring pipeline itself: the first brings events from critical systems into one place, the second turns individual events into detections. Antivirus (A) and encryption at rest (B) are preventive controls, not monitoring components.

Exam trap

Cisco often tests the distinction between preventive controls (antivirus, encryption) and detective/monitoring controls (log collection, correlation, incident response procedures), causing candidates to mistakenly include security hygiene measures as monitoring components.

864
MCQeasy

A SOC analyst is reviewing a security alert generated by the SIEM. The alert indicates a successful login from an unusual geographic location for a user who typically logs in from the corporate office. The analyst verifies that the user is currently on vacation and should not be accessing the network. What should the analyst do next?

A.Ignore the alert because the user might be using a VPN
B.Block the IP address in the firewall
C.Start a full incident investigation before taking any action
D.Disable the user account and begin an investigation
AnswerD

Disabling the account stops the immediate threat, then investigation can determine the scope.

Why this answer

Option D is correct because the alert indicates a clear security incident: a successful login from an unusual geographic location for a user who is on vacation and should not be accessing the network. Disabling the user account immediately contains the threat by preventing further unauthorized access, and beginning an investigation allows the analyst to determine if the account was compromised or if credentials were stolen. This aligns with the NIST SP 800-61 incident response process, where containment is a priority before proceeding to eradication and recovery.

Exam trap

Cisco often tests the candidate's understanding of the incident response lifecycle, specifically the need to contain a threat immediately (by disabling the account) rather than jumping to investigation or assuming benign intent, which is a common mistake in SOC workflows.

How to eliminate wrong answers

Option A is wrong because dismissing the alert on a VPN guess is exactly the assumption an attacker relies on; the user has been confirmed to be on vacation and not working, so the activity is unauthorized until proven otherwise. Option B is wrong because blocking one IP does not address the problem: the attacker can return from another address or proxy while the compromised account remains usable. Option C is wrong because a confirmed unauthorized session should be contained first; leaving the account enabled while a full investigation runs gives the attacker continued access. Containment and investigation proceed together, but containment does not wait.

865
MCQmedium

A SOC analyst notices repeated failed login attempts from a single IP address against multiple user accounts. Which type of attack is most likely occurring?

A.Credential stuffing
B.Brute force attack
C.Password spraying
D.Man-in-the-middle attack
AnswerC

Password spraying tries a few common passwords across many accounts.

Why this answer

Password spraying (C) is correct because the attack involves a single IP address attempting the same common password against multiple user accounts. This technique avoids account lockout policies that typically trigger after a few failed attempts on a single account, making it distinct from brute force attacks that target one account with many passwords.

Exam trap

Cisco often tests the distinction between brute force (many passwords, one user) and password spraying (one password, many users), where candidates mistakenly choose brute force because they focus on the 'repeated failed login attempts' without noticing the attack is spread across multiple accounts.

How to eliminate wrong answers

Option A is wrong because credential stuffing replays leaked username/password pairs, one already-known pair per account, rather than guessing; it also produces failures across many accounts, but the repeated attempts per account from one source in this scenario point to guessing, not replay. Option B is wrong because a brute force attack targets a single account with many password guesses, not a single password against many accounts. Option D is wrong because a man-in-the-middle attack intercepts or relays communications between two parties; it does not generate failed logins from a single IP.

866
MCQeasy

An organization's data classification policy defines four levels: Public, Internal, Confidential, and Restricted. An employee accidentally sends an email containing customer payment card information (cardholder data covered by PCI DSS) to the entire company mailing list. The data should have been classified as which level?

A.Public
B.Restricted
C.Internal
D.Confidential
AnswerB

Restricted is for data whose disclosure would cause severe harm, such as PCI data.

Why this answer

Option B is correct because payment card data is highly sensitive and contractually protected under PCI DSS, warranting the highest classification, Restricted. Option A (Public) is for non-sensitive data. Option C (Internal) is for routine internal use. Option D (Confidential) is sensitive but a step below Restricted, which is reserved for data whose disclosure causes severe harm.

867
MCQhard

An organization must comply with a regulation that requires protecting the privacy of EU citizens' personal data. Which compliance framework applies?

A.HIPAA
B.ISO 27001
C.PCI DSS
D.GDPR
AnswerD

GDPR protects the personal data of individuals in the EU, regardless of citizenship.

Why this answer

The General Data Protection Regulation (GDPR) is the EU regulation that governs the privacy and personal data of people in the EU (the exam phrases this as "EU citizens"). Under its territorial scope (Article 3) it applies to any organization that processes the personal data of individuals in the EU, wherever that organization is based, and it defines the privacy rights (consent, access, erasure, breach notification) the scenario asks about. This makes GDPR the correct compliance framework.

Exam trap

Cisco often tests the distinction between data privacy regulations (like GDPR) and data security standards (like PCI DSS or HIPAA), where candidates mistakenly apply a US-centric regulation to an EU privacy requirement.

How to eliminate wrong answers

Option A is wrong because HIPAA (Health Insurance Portability and Accountability Act) applies only to protected health information (PHI) in the United States, not to EU citizens' personal data. Option B is wrong because ISO 27001 is an international standard for information security management systems (ISMS), not a regulation that specifically addresses EU privacy requirements. Option C is wrong because PCI DSS (Payment Card Industry Data Security Standard) governs the security of credit card data, not the privacy of EU citizens' personal data.

868
MCQhard

During an incident investigation, the IR team collects evidence from a compromised server. The evidence must be admissible in court. Which documentation is essential to maintain the chain of custody?

A.A log of who accessed the evidence and when
B.The CVSS score of the vulnerability
C.A copy of the incident response plan
D.The organization's acceptable use policy
AnswerA

This maintains the chain of custody.

Why this answer

Chain of custody documentation records who collected the evidence, when and where, how it was stored and transported, every person who later handled it and why, and integrity checks such as hash values taken at collection and verified at each transfer. Each hand-off is signed, so any gap or undocumented access can be challenged in court.

869
MCQeasy

A security analyst is reviewing a Wireshark capture and notices a large number of TCP SYN packets sent to multiple ports on a single host from the same source IP. Which type of network activity is most likely being observed?

A.DNS amplification attack
B.ARP spoofing
C.Port scan
D.Man-in-the-middle attack
AnswerC

Multiple SYN packets to different ports indicate a port scan.

Why this answer

A port scan is characterized by multiple connection attempts to different ports on a target host, often using SYN packets.

870
MCQmedium

A security analyst is investigating a potential brute force attack. Which SIEM correlation rule would best detect this activity?

A.Alert on a single failed login from any IP
B.Alert when more than 10 failed logins from the same IP occur within one minute
C.Alert when a successful login occurs after midnight
D.Alert when a user logs in from a new geographic location
AnswerB

This rule detects rapid successive failures, a common brute force pattern.

Why this answer

A typical brute force detection rule monitors for multiple failed authentication attempts from the same source within a short time window.

871
MCQmedium

A SIEM correlation rule triggers an alert when more than 10 failed login attempts from the same source IP occur within 60 seconds. Which attack is this rule designed to detect?

A.Phishing attack
B.Man-in-the-middle
C.SQL injection
D.Brute force attack
AnswerD

The rule targets rapid successive login failures from a single IP, characteristic of brute force.

Why this answer

This SIEM rule detects a brute force attack by correlating a high volume of failed login attempts (more than 10) from the same source IP within a short time window (60 seconds). Brute force attacks rely on rapid, repeated authentication attempts to guess credentials, and this threshold-based correlation is a classic detection method for such behavior.

Exam trap

Cisco often tests the distinction between brute force and other attack types by focusing on the specific behavior of repeated failed logins from a single source, which candidates may confuse with phishing or SQL injection due to overlapping terminology like 'credential theft' or 'authentication bypass'.

How to eliminate wrong answers

Option A is wrong because phishing attacks involve social engineering to trick users into revealing credentials or installing malware, not automated failed login attempts from a single IP. Option B is wrong because man-in-the-middle attacks intercept or modify communications between two parties, typically without generating repeated failed logins from one source. Option C is wrong because SQL injection exploits vulnerabilities in database queries via input fields, not through authentication failure logs or repeated login attempts.

872
MCQmedium

Which Linux log file is most appropriate for reviewing failed SSH login attempts?

A./var/log/auth.log
B./var/log/messages
C./var/log/kern.log
D./var/log/syslog
AnswerA

Auth.log is the standard location for authentication logs on Debian-based systems.

Why this answer

/var/log/auth.log on Debian/Ubuntu (or /var/log/secure on RHEL-family distributions) records PAM and sshd authentication events, including lines such as 'Failed password for invalid user admin from <IP> port <port> ssh2'. On systemd hosts without a syslog daemon, query the journal instead (journalctl -u ssh or -u sshd); failed logins are also recorded in binary form in /var/log/btmp and listed with lastb.

873
Multi-Selecthard

Which THREE are required steps in a proper incident response procedure? (Choose three.)

Select 3 answers
A.Change Management Processing
B.Containment, Eradication, and Recovery
C.Post-Incident Activity (Lessons Learned)
D.Detection and Analysis
E.System Hardening
AnswersB, C, D

These are core phases of IR.

Why this answer

The NIST SP 800-61 incident response lifecycle defines four core phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. Options B, C, and D directly map to these required phases, making them the correct choices for a proper incident response procedure.

Exam trap

Cisco often tests the NIST incident response lifecycle phases and includes attractive distractors like Change Management or System Hardening that are related to security operations but are not part of the mandatory incident response procedure steps.

874
MCQeasy

Refer to the exhibit. A Windows security log shows several events with Event ID 4625 (failed logon). What type of attack is indicated?

A.Brute force attack
B.Pass-the-hash attack
C.Kerberos golden ticket attack
D.Man-in-the-middle attack
AnswerA

Multiple failed logons from the same source indicate password guessing.

Why this answer

Event ID 4625 indicates a failed logon attempt. A high volume of these events in a short period is characteristic of a brute force attack, where an attacker systematically tries multiple username/password combinations to gain unauthorized access. This is a direct indicator of repeated authentication failures, not a more sophisticated attack.

Exam trap

Cisco often tests the distinction between brute force attacks (which generate many failed logon events) and pass-the-hash or golden ticket attacks (which succeed without repeated failures), so the trap is assuming any failed logon event indicates a credential theft or replay attack rather than a simple password guessing attempt.

How to eliminate wrong answers

Option B is wrong because a pass-the-hash attack uses captured NTLM hashes to authenticate without needing the plaintext password, and it would not generate a high volume of failed logon events (Event ID 4625) since the attacker already has a valid hash. Option C is wrong because a Kerberos golden ticket attack forges a Ticket Granting Ticket (TGT) using the KRBTGT account hash, allowing persistent access without triggering repeated failed logon events; it would instead show successful logon events (Event ID 4624). Option D is wrong because a man-in-the-middle attack intercepts and potentially modifies communications between two parties, but it does not inherently generate a high volume of failed logon events; it might cause a single failed logon if credentials are replayed, not a flood of 4625 events.

875
MCQmedium

An analyst is examining a PE file and notices that the 'TimeDateStamp' in the PE file header (IMAGE_FILE_HEADER, the COFF header that precedes the optional header) is 0x00000000. What does this suggest?

A.The timestamp has been deliberately erased or not set, possibly to avoid forensic analysis.
B.The file is digitally signed.
C.The file was compiled on January 1, 1970 (Unix epoch).
D.The file is a DLL rather than an executable.
AnswerA

Malware authors often zero out the timestamp to hinder timeline analysis.

Why this answer

The literal decoding of 0 is 1970-01-01 (Option C), but no real build happened then, so a zero value tells you the linker did not set the field or the author wiped it. Treat the timestamp as untrusted in either direction: it can just as easily be set to a past or future value, and MSVC's /Brepro option writes a reproducible-build hash into the field instead of a time. Signing (B) and DLL versus EXE (D) are recorded elsewhere: in the certificate table and in the Characteristics flags (IMAGE_FILE_DLL, 0x2000) respectively.
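Worked example (added; not from the original question): reading TimeDateStamp from the COFF file header of a PE file and turning the raw value into a verdict an analyst can act on. The PE bytes are constructed by a helper so the block runs offline; nothing here is a real binary, and the 1700000000 sample value is arbitrary.

```python
import struct
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

IMAGE_FILE_DLL = 0x2000     # Characteristics flag that marks a DLL
COFF_HEADER = "<HHIIIHH"    # Machine, NumberOfSections, TimeDateStamp,
                            # PointerToSymbolTable, NumberOfSymbols,
                            # SizeOfOptionalHeader, Characteristics


def build_pe_stub(timestamp: int, characteristics: int = 0x0022) -> bytes:
    """Constructed test data: a DOS header whose e_lfanew points at 'PE\\0\\0'
    followed by a COFF file header. Enough for the parser, not a loadable image."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ") + bytearray(e_lfanew - 2)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # e_lfanew lives at 0x3C
    coff = struct.pack(COFF_HEADER, 0x8664, 3, timestamp, 0, 0, 240, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def read_file_header(data: bytes) -> Dict[str, object]:
    """Locate and decode IMAGE_FILE_HEADER, where TimeDateStamp actually lives."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from(
        COFF_HEADER, data, e_lfanew + 4)
    return {"machine": machine, "sections": nsect, "timestamp": ts,
            "optional_header_size": opt_size, "characteristics": chars,
            "is_dll": bool(chars & IMAGE_FILE_DLL)}


def interpret_timestamp(ts: int, now_epoch: Optional[int] = None
                        ) -> Tuple[str, Optional[datetime]]:
    """Turn the raw field into a verdict.

    zeroed    - 0 decodes to 1970-01-01, but no linker ran then: the field was never
                set or was wiped, so it carries no timeline value
    future    - later than 'now': forged, or a reproducible-build hash (MSVC /Brepro)
    plausible - a real-looking build time; still unverified, so cross-check it with
                the signing time, resource timestamps and first-seen dates
    """
    if ts == 0:
        return "zeroed", None
    built = datetime.fromtimestamp(ts, tz=timezone.utc)
    now = (datetime.fromtimestamp(now_epoch, tz=timezone.utc)
           if now_epoch is not None else datetime.now(timezone.utc))
    if built > now:
        return "future", built
    return "plausible", built


if __name__ == "__main__":
    for sample in (build_pe_stub(0), build_pe_stub(1700000000, 0x2022)):
        hdr = read_file_header(sample)
        verdict, when = interpret_timestamp(hdr["timestamp"])
        print(f"ts=0x{hdr['timestamp']:08x} dll={hdr['is_dll']} -> {verdict} {when}")
```

The same offset arithmetic (e_lfanew + 4 + 4) is what `pefile` and PE-bear show as FILE_HEADER.TimeDateStamp; the point of doing it by hand once is to see that the optional header, which starts 20 bytes later, is not where the field lives.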

876
MCQeasy

A security analyst is investigating an alert from a Windows system log that shows multiple failed logon attempts for the same user account within a short period, followed by a successful logon. Which type of attack does this pattern suggest?

A.Brute-force attack
B.Pass-the-hash attack
C.Denial-of-service attack
D.Phishing attack
AnswerA

Many failures then success is characteristic of brute-forcing.

Why this answer

Multiple failed logons followed by a success indicates a brute-force attack where the attacker eventually guessed the correct password.
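Worked example (added; not part of the original questions) that covers questions 865, 870, 871, 872, 874 and 876 at once: a parser for sshd lines in /var/log/auth.log syntax and three correlation rules over the normalised events: the more-than-10-failures-in-60-seconds brute-force rule, a password-spray rule (one source, few failures per account, many accounts), and the failures-then-success pattern. The log lines, hostname, IP addresses and the assumed year 2024 are all constructed. The same rules apply unchanged to Windows 4625/4624 events once IpAddress and TargetUserName are mapped to the ip and user fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Syslog-style sshd lines as written to /var/log/auth.log (no year in the timestamp).
SSHD_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
LOG_YEAR = 2024  # syslog omits the year; assumed for the constructed data


def parse_auth_log(text: str) -> List[Dict[str, object]]:
    """Normalise sshd lines to {ts, ip, user, ok}, sorted by time."""
    events = []
    for line in text.splitlines():
        m = SSHD_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"],
                       "ok": m["result"] == "Accepted"})
    return sorted(events, key=lambda e: e["ts"])


def brute_force_sources(events, threshold=10, window_s=60) -> Set[str]:
    """SIEM rule: more than `threshold` failures from one IP inside `window_s` seconds."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]].append(e["ts"])
    hits = set()
    for ip, times in fails.items():
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted times
            while t - times[start] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 > threshold:
                hits.add(ip)
                break
    return hits


def password_spray_sources(events, min_accounts=5, max_per_account=2) -> Set[str]:
    """One source, few failures per account, many accounts: the spray pattern."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e["ok"]:
            per_ip[e["ip"]][e["user"]] += 1
    return {ip for ip, users in per_ip.items()
            if len(users) >= min_accounts and max(users.values()) <= max_per_account}


def success_after_failures(events, min_failures=3, window_s=300) -> List[Tuple[str, str]]:
    """Successful logon preceded by a burst of failures for the same user and IP."""
    hits = []
    for i, e in enumerate(events):
        if not e["ok"]:
            continue
        recent = [p for p in events[:i]
                  if not p["ok"] and p["ip"] == e["ip"] and p["user"] == e["user"]
                  and e["ts"] - p["ts"] <= timedelta(seconds=window_s)]
        if len(recent) >= min_failures:
            hits.append((e["user"], e["ip"]))
    return hits


def _line(ts: datetime, result: str, user: str, ip: str) -> str:
    return (f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} web01 sshd[2201]: "
            f"{result} password for {user} from {ip} port 40001 ssh2")


def build_sample_log() -> str:
    """Constructed log: a brute force that succeeds, a spray, and one benign typo."""
    t0 = datetime(LOG_YEAR, 3, 3, 3, 0, 0)
    lines = [_line(t0 + timedelta(seconds=4 * i), "Failed", "root", "203.0.113.9")
             for i in range(12)]
    lines.append(_line(t0 + timedelta(seconds=50), "Accepted", "root", "203.0.113.9"))
    t1 = datetime(LOG_YEAR, 3, 3, 3, 10, 0)
    for i, user in enumerate(["alice", "bob", "carol", "dave", "eve", "frank"]):
        lines.append(_line(t1 + timedelta(seconds=30 * i), "Failed", user, "198.51.100.5"))
    t2 = datetime(LOG_YEAR, 3, 3, 8, 15, 0)
    lines.append(_line(t2, "Failed", "alice", "10.0.0.7"))
    lines.append(_line(t2 + timedelta(seconds=20), "Accepted", "alice", "10.0.0.7"))
    return "\n".join(lines)


if __name__ == "__main__":
    ev = parse_auth_log(build_sample_log())
    print("brute force:", brute_force_sources(ev))
    print("spray:      ", password_spray_sources(ev))
    print("fail->ok:   ", success_after_failures(ev))
```

Note what each rule misses: the spray source never trips the 10-in-60 threshold (six failures over 150 seconds), and the brute-force source never trips the spray rule (one account), which is why both rules are needed, and why a spray run slowly enough also needs a longer window than 60 seconds.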

877
MCQeasy

Which of the following is a primary goal of the CIA triad?

A.Redundancy
B.Scalability
C.Availability
D.Maintainability
AnswerC

Availability ensures systems are accessible when needed.

Why this answer

The CIA triad's primary goals are confidentiality, integrity, and availability. Availability ensures that authorized users have reliable and timely access to data and resources when needed, which is a core security objective. Option C is correct because availability is explicitly one of the three pillars of the CIA triad.

Exam trap

Cisco often tests the distinction between a primary goal of the CIA triad and a supporting mechanism or operational characteristic, so candidates may confuse redundancy (a means to achieve availability) with availability itself.

How to eliminate wrong answers

Option A is wrong because redundancy is a design strategy to improve availability, not a primary goal of the CIA triad itself. Option B is wrong because scalability refers to the ability to handle increased load, which is a performance characteristic, not a security goal of the CIA triad. Option D is wrong because maintainability concerns the ease of updating or repairing a system, which is an operational concern, not a core security objective of the CIA triad.

878
Multi-Selecthard

Which TWO are best practices for managing SIEM alerts to reduce false positives? (Choose two.)

Select 2 answers
A.Disable all alerts that generate more than 100 events per day.
B.Use a separate SIEM for each department.
C.Regularly tune correlation rules based on feedback.
D.Increase the number of log sources.
E.Maintain a whitelist of known benign activity.
AnswersC, E

Adapts to environment.

Why this answer

Option C is correct because SIEM correlation rules must be regularly tuned based on feedback from incident investigations and alert reviews. This iterative process adjusts thresholds, filters, and logic to match the actual threat landscape, reducing noise from benign events that match rule patterns but are not malicious.

Exam trap

Cisco often tests the misconception that more data (Option D) or volume-based suppression (Option A) is a valid way to reduce false positives, when in fact proper tuning and whitelisting are the correct approaches.

879
MCQmedium

An analyst is examining a Linux host suspected of being compromised. The file /etc/passwd shows unusual entries. Which host-based analysis tool is best for verifying if the accounts are actively being used?

A.lsof tool
B.ps aux command
C.last command output
D.auditd logs
AnswerC

last reads /var/log/wtmp and shows login sessions, indicating active use.

Why this answer

The `last` command reads the /var/log/wtmp file to display a list of all users who have logged in and out, including their login times and durations. Since the question asks whether suspicious accounts from /etc/passwd are actively being used, `last` directly shows recent login activity, making it the best tool for verification.

Exam trap

Cisco often tests the distinction between tools that show current state (like `ps` or `lsof`) versus tools that show historical activity (like `last`), trapping candidates who confuse 'active processes' with 'active user accounts'.

How to eliminate wrong answers

Option A is wrong because `lsof` lists open files and sockets of running processes, not login history. Option B is wrong because `ps aux` shows currently running processes; an account can have logged in recently without owning a process now, and a process can run under an account that never logged in interactively. Option D is not the best answer because, although auditd does record PAM login events when the daemon is running (ausearch -m USER_LOGIN), the question asks for the most direct check, and `last` answers it in one command. Practitioner caveat: `last` trusts /var/log/wtmp, which an attacker with root can edit or truncate; corroborate with `lastlog`, `lastb` (failed logins from /var/log/btmp), auditd and the sshd entries in /var/log/auth.log.
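Worked example (added here, not from the original page): decoding /var/log/wtmp records the way `last` does, so it is clear what "the account has logged in" rests on. The record layout is the glibc x86_64 struct utmp (384 bytes, assumed here; other libc/architecture combinations differ); the records, usernames and hosts are constructed.

```python
import struct
from datetime import datetime, timezone
from typing import Dict, List

# glibc x86_64 `struct utmp` (384 bytes): ut_type, pad, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], exit_status{2 shorts}, ut_session, ut_tv{sec,usec as int32},
# ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS, BOOT_TIME = 7, 8, 2


def build_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Constructed wtmp record (test data, not copied from a real host)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode(errors="replace")


def parse_wtmp(data: bytes) -> List[Dict[str, object]]:
    """Decode the fixed-size records that `last` reads from /var/log/wtmp."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp size is not a multiple of the record size")
    out = []
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _usec, *_addr) = struct.unpack_from(UTMP_FMT, data, off)
        out.append({"type": ut_type, "pid": pid, "line": _cstr(line), "user": _cstr(user),
                    "host": _cstr(host),
                    "when": datetime.fromtimestamp(tv_sec, tz=timezone.utc)})
    return out


def logins_for(data: bytes, user: str) -> List[Dict[str, object]]:
    """Login sessions (USER_PROCESS) for one account; empty means no recorded logon."""
    return [r for r in parse_wtmp(data) if r["type"] == USER_PROCESS and r["user"] == user]


# Constructed wtmp contents: a boot, a normal session that ended, and one suspicious login.
WTMP = b"".join([
    build_record(BOOT_TIME, 0, "~", "reboot", "6.1.0-generic", 1709400000),
    build_record(USER_PROCESS, 1412, "pts/0", "alice", "10.0.0.7", 1709431200),
    build_record(DEAD_PROCESS, 1412, "pts/0", "", "", 1709434800),
    build_record(USER_PROCESS, 2201, "pts/1", "svc_backup", "203.0.113.9", 1709433000),
])

if __name__ == "__main__":
    for r in logins_for(WTMP, "svc_backup"):
        print(f"{r['user']} {r['line']} {r['host']} {r['when']:%Y-%m-%d %H:%M}")
```

A record only exists if the login path wrote one (login, sshd, getty, display managers); su, cron jobs and a reverse shell spawned from an exploited service never touch wtmp, which is the other reason to corroborate with auditd and the process list.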

880
MCQhard

An intrusion analyst is analyzing a series of alerts from a network-based IDS. The alerts are triggered by the signature 'OVERFLOW-ICMP-ECHO' with a payload size of 65535 bytes. The source IP is a trusted internal server. What is the most likely explanation?

A.The server is performing a ping sweep
B.There is a network error causing packet fragmentation
C.The IDS signature is incorrectly configured
D.The server is under a DDoS attack
AnswerC

The reported payload exceeds what a valid IPv4 datagram can carry, so it's a false positive.

Why this answer

An IPv4 datagram's Total Length field is 16 bits, so the whole datagram, header included, cannot exceed 65535 bytes even after reassembly. Subtract a 20-byte IPv4 header (no options) and the 8-byte ICMP header, and the largest echo payload a conformant datagram can carry is 65507 bytes, which is exactly the ceiling ping enforces on its -s option. A signature reporting precisely 65535 bytes of ICMP payload therefore describes something no well-formed datagram contains. Combined with a trusted internal source, the most plausible explanation is a misconfigured signature (a wrong size threshold or a reporting error) rather than an attack. Verify before closing it: pull the capture and check whether the fragments genuinely reassemble past 65535 bytes, because oversized reassembly is exactly what the historical Ping of Death did.

Exam trap

The trap is assuming that a large ICMP payload must be an attack (Ping of Death or DDoS). The exam expects you to know that 65535 bytes of ICMP payload cannot fit in a conformant IPv4 datagram, fragmented or not, so when the source is trusted the alert points to a signature problem rather than a real threat.

How to eliminate wrong answers

Option A is wrong because a ping sweep sends many ordinary-sized echo requests to many hosts; the signature fires on payload size, not on volume or destination spread. Option B is wrong because ordinary fragmentation splits a datagram into pieces that each carry less payload and reassemble to the original size; it cannot produce a payload the IP header could not describe (the ICMP header carries no length field at all, so the reported size comes from the IP layer or from the sensor's reassembly). Option D is wrong because a DDoS is high-volume traffic from many sources, not one oversized packet from a trusted internal server.
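Worked example (added; not part of the original question): the size arithmetic above as code, together with the reassembly check an IDS actually performs on fragments and a triage function for the alert. The fragment chains are constructed to model a classic oversized ping and the largest legal one over a 1500-byte MTU.

```python
from typing import List, Tuple

IPV4_MAX_TOTAL_LENGTH = 65535  # 16-bit Total Length field, header included
IPV4_MIN_HEADER = 20           # no options
ICMP_HEADER = 8                # type, code, checksum, identifier, sequence


def max_icmp_echo_payload(ip_header_len: int = IPV4_MIN_HEADER) -> int:
    """Largest echo data a conformant IPv4 datagram can carry: 65507 with a bare header."""
    return IPV4_MAX_TOTAL_LENGTH - ip_header_len - ICMP_HEADER


def reassembled_payload_length(fragments: List[Tuple[int, bool, int]]) -> int:
    """fragments: (fragment offset in 8-byte units, more-fragments flag, IP payload bytes).
    Returns the IP payload length the receiver would rebuild, which is what a
    reassembling sensor compares with the 16-bit limit. Raises if MF=0 never appears."""
    if not any(not mf for _, mf, _ in fragments):
        raise ValueError("last fragment (MF=0) missing; cannot size the datagram")
    return max(offset * 8 + length for offset, _, length in fragments)


def is_oversized(fragments, ip_header_len: int = IPV4_MIN_HEADER) -> bool:
    """True if the datagram would exceed 65535 bytes after reassembly (ping-of-death shape)."""
    return reassembled_payload_length(fragments) + ip_header_len > IPV4_MAX_TOTAL_LENGTH


def triage_alert(reported_payload: int, trusted_source: bool) -> str:
    """Decide what a signature claiming `reported_payload` echo bytes can mean."""
    if reported_payload <= max_icmp_echo_payload():
        return "valid size: inspect intent (flood, covert channel), not malformation"
    if trusted_source:
        return ("impossible for a well-formed datagram: verify the pcap; if the fragments "
                "do not reassemble oversize, the signature or its reporting is misconfigured")
    return "impossible for a well-formed datagram from an untrusted source: treat as a ping-of-death attempt"


# Constructed fragment chains (Ethernet MTU 1500 -> 1480 bytes of IP payload per fragment).
PING_OF_DEATH = [(i * 185, i < 44, 1480) for i in range(45)]                              # 66600 bytes
MAX_LEGAL_PING = [(i * 185, True, 1480) for i in range(44)] + [(44 * 185, False, 395)]  # 65515 bytes

if __name__ == "__main__":
    print("max echo payload:", max_icmp_echo_payload())
    print("ping of death oversized:", is_oversized(PING_OF_DEATH))
    print("largest legal ping oversized:", is_oversized(MAX_LEGAL_PING))
    print(triage_alert(65535, trusted_source=True))
```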

881
MCQhard

Refer to the exhibit. Based on the intrusion event, what is the likely intent of the traffic?

A.Denial of service
B.Normal web browsing
C.Port scan
D.Buffer overflow attempt
AnswerD

Long runs of filler bytes, NOP sleds and shellcode are characteristic of buffer overflow exploits.

Why this answer

The intrusion event shows a long string of 'A' characters (0x41) being sent to an HTTP server, which is a classic pattern for a buffer overflow attack. The intent is to overflow a buffer in the web server software, potentially overwriting memory and executing arbitrary code, making D the correct answer.

Exam trap

Cisco often tests the ability to distinguish between attack types by focusing on payload characteristics—candidates may confuse a buffer overflow with a DoS because both involve excessive data, but the structured pattern of repeated characters is the key differentiator.

How to eliminate wrong answers

Option A is wrong because denial of service (DoS) typically involves flooding the target with traffic to exhaust resources, not sending a specific pattern of data to exploit a memory vulnerability. Option B is wrong because normal web browsing does not involve sending repeated, non-standard characters like a long string of 'A's; HTTP requests are structured with valid headers and payloads. Option C is wrong because a port scan uses techniques like SYN, FIN, or NULL packets to probe open ports, not a single connection with a malformed payload to a specific service.

882
MCQeasy

Which log type would an analyst examine to see failed login attempts to a Windows server?

A.DNS logs
B.Firewall logs
C.Web server logs
D.System logs
AnswerD

System logs contain security events like logon failures.

Why this answer

System logs (Event Logs) on a Windows server record security-related events, including failed login attempts under Event ID 4625 (Windows 10/Server 2012 R2 and later). An analyst would examine these logs in Event Viewer under 'Windows Logs > Security' to identify authentication failures, which are critical for detecting brute-force attacks or unauthorized access attempts.

Exam trap

Cisco often tests the distinction between OS-level logs (system/security logs) and application-specific logs (web server logs), so candidates mistakenly choose web server logs thinking they capture all login attempts, but web server logs only capture HTTP authentication, not Windows interactive or RDP logins.

How to eliminate wrong answers

Option A is wrong because DNS logs record domain name resolution queries and responses, not authentication events; they are used for troubleshooting name resolution or detecting DNS tunneling, not failed logins. Option B is wrong because firewall logs track network traffic allowed or blocked by the firewall (e.g., source/destination IPs, ports), but they do not capture OS-level authentication attempts on the server itself. Option C is wrong because web server logs (e.g., IIS or Apache logs) record HTTP requests to web applications, such as GET/POST requests and status codes, not Windows login events.

883
MCQhard

A security policy states that all portable media must be encrypted. An employee loses a USB drive containing customer data. The drive was encrypted with AES-256. Which of the following is true regarding policy compliance?

A.The policy was followed, but the incident still needs to be reported per incident response procedures
B.The employee violated policy because the drive was lost
C.The policy was followed because the data was encrypted, so a breach is not reportable
D.Encryption is not sufficient, the employee should have used different media
AnswerA

Encryption mitigates exposure but does not negate the need for incident reporting.

Why this answer

Option A is correct because the security policy mandates encryption for portable media, and AES-256 encryption was applied to the USB drive, so the policy was technically followed. However, the loss of a device containing customer data still triggers incident response procedures, as the encryption key or the possibility of decryption could be compromised, and reporting is required to assess risk and comply with breach notification laws.

Exam trap

Cisco often tests the distinction between policy compliance and incident response obligations, trapping candidates who assume encryption alone eliminates the need to report a lost device.

How to eliminate wrong answers

Option B is wrong because the policy does not prohibit loss of media; it requires encryption, which was applied, so the employee did not violate the policy itself. Option C is wrong because encryption does not automatically exempt an incident from reporting; many regulations (e.g., GDPR, HIPAA) require breach notification if there is any risk of data exposure, and the loss of the drive must be evaluated. Option D is wrong because AES-256 is a strong, approved encryption standard, and the policy does not specify a different media type; the issue is not the encryption strength but the physical loss and reporting obligation.

884
MCQeasy

An analyst sees an alert with source IP 10.0.0.1 and destination IP 192.168.1.100 on port 80. The alert type is 'WEB-MISC Attempt to execute command on server'. Which action is most appropriate?

A.Verify if the target host is vulnerable
B.Ignore because it's a false positive
C.Immediately block the source IP
D.Escalate to law enforcement
AnswerA

Correct. Checking the vulnerability status helps determine if the alert is a real threat.

Why this answer

Option A is correct because the alert 'WEB-MISC Attempt to execute command on server' from source IP 10.0.0.1 to destination IP 192.168.1.100 on port 80 indicates a potential command injection attempt against a web server. The most appropriate first action is to verify if the target host is actually vulnerable to such an attack, as this determines whether the alert is a true positive requiring remediation or a false positive that can be dismissed. This aligns with the network intrusion analysis process of validating alerts before taking irreversible actions.

Exam trap

Cisco often tests the candidate's ability to prioritize verification over immediate action, trapping those who choose to block or escalate without confirming the alert's validity, especially when the alert type suggests a high-severity attack like command injection.

How to eliminate wrong answers

Option B is wrong because ignoring the alert outright assumes it is a false positive without any verification, which could leave a real command injection vulnerability unaddressed and the server compromised. Option C is wrong because immediately blocking the source IP is a reactive measure that may disrupt legitimate traffic if the alert is a false positive, and it bypasses the necessary step of verifying the target's vulnerability first. Option D is wrong because escalating to law enforcement is premature and disproportionate for a single command injection attempt on an internal network (10.0.0.1 to 192.168.1.100), which is typically a security incident handled internally unless there is evidence of a broader attack or legal requirement.

885
MCQeasy

An analyst notices repeated failed SSH attempts from an external IP to a server. The analyst wants to quickly see all SSH-related events from that IP in the last hour. Which approach is most efficient?

A.Search the SIEM for events with destination port 22 and source IP.
B.Review all firewall logs for the past hour.
C.Run a packet capture on the server's network interface.
D.Check the server's auth.log file manually.
AnswerA

Directly retrieves SSH events for that IP.

Why this answer

Option A is correct because a SIEM indexes and correlates log data from multiple sources, allowing an analyst to quickly filter events by destination port 22 (SSH) and source IP without manually sifting through raw logs. This approach leverages the SIEM's search capabilities to retrieve only relevant events from the past hour, making it the most efficient method for targeted threat hunting.

Exam trap

Cisco often tests the distinction between centralized log analysis (SIEM) and raw data inspection (packet capture or manual log review), trapping candidates who overlook the efficiency of indexed search versus unfiltered data retrieval.

How to eliminate wrong answers

Option B is wrong because reviewing all firewall logs for the past hour would include irrelevant traffic (e.g., web, DNS) and lacks the specific filter for SSH (port 22) and the external IP, requiring manual parsing and wasting time. Option C is wrong because running a packet capture on the server's network interface captures all traffic in real-time or from a buffer, but it does not provide historical data for the past hour unless a capture was already running, and it generates large volumes of data that must be analyzed with tools like tcpdump or Wireshark, which is inefficient for a quick check. Option D is wrong because checking the server's auth.log file manually is a host-based approach that only shows authentication attempts on that specific server, not all SSH-related events from the IP (e.g., connection attempts blocked by a firewall), and it requires direct access to the server, which may not be scalable or centralized.

886
MCQeasy

A NetFlow analysis shows a single internal host communicating with many external IP addresses on port 443, but the traffic volumes are very low (small packets). What is the most likely explanation?

A.Phishing
B.Web browsing
C.Port scanning
D.C2 communication
AnswerD

Malware beacons often use low-volume periodic connections on port 443.

Why this answer

The combination of a single internal host communicating with many external IPs on port 443 (HTTPS) with very low traffic volumes and small packets is a classic indicator of command-and-control (C2) beaconing. C2 malware often uses HTTPS to blend in with legitimate web traffic, but the small, periodic packets (e.g., keep-alive or heartbeat messages) distinguish it from normal web browsing, which would involve larger data transfers and consistent payload sizes.

Exam trap

Cisco often tests the distinction between 'many destinations with low volume' (C2 beaconing) and 'many destinations with high volume' (normal web browsing or data exfiltration), trapping candidates who overlook the packet size and volume clues.

How to eliminate wrong answers

Option A is wrong because phishing typically involves a single or limited number of external servers hosting malicious content, not a pattern of many external IPs, and phishing traffic often includes larger payloads (e.g., email attachments or web page downloads). Option B is wrong because normal web browsing to many external HTTPS sites would generate larger, variable-sized packets due to page content, images, and scripts, not consistently small packets. Option C is wrong because port scanning on port 443 would involve a high volume of SYN packets (often without completing the TCP handshake) or other probe packets, not established HTTPS sessions with small data exchanges.

887
MCQeasy

In the OSI model, which layer is primarily targeted by a SYN flood attack?

A.Network Layer (Layer 3)
B.Application Layer (Layer 7)
C.Transport Layer (Layer 4)
D.Data Link Layer (Layer 2)
AnswerC

TCP is at Layer 4; SYN flood targets TCP connections.

Why this answer

A SYN flood attack targets the Transport Layer (Layer 4) by exploiting the TCP three-way handshake. The attacker sends a high volume of SYN packets with spoofed source IP addresses, causing the target server to allocate resources for half-open connections that never complete, eventually exhausting its connection queue and denying service to legitimate users.

Exam trap

Cisco often tests the distinction between the Transport Layer (Layer 4) and the Network Layer (Layer 3), where candidates mistakenly associate IP spoofing (a Layer 3 technique) with the attack's target layer, rather than recognizing that the attack exploits TCP's stateful handshake at Layer 4.

How to eliminate wrong answers

Option A is wrong because the Network Layer (Layer 3) handles IP routing and packet forwarding, not the TCP handshake mechanics that SYN floods exploit. Option B is wrong because the Application Layer (Layer 7) deals with protocols like HTTP, DNS, and SMTP, whereas SYN floods operate below this layer at the transport protocol level. Option D is wrong because the Data Link Layer (Layer 2) manages MAC addresses and frame delivery on a local network segment, and has no role in TCP connection state management.

888
MCQeasy

A Linux analyst wants to identify all listening TCP ports on a system. Which command is most appropriate?

A.netstat -an
B.ss -tlnp
C.lsof -i
D.ps aux
AnswerB

ss -tlnp: -t (TCP), -l (listening), -n (numeric), -p (show process).

Why this answer

ss -tlnp shows listening TCP sockets with process info.

889
MCQhard

In a PKI, what is the role of a Certificate Authority (CA)?

A.Generates private keys for users
B.Provides symmetric keys for session encryption
C.Encrypts data for secure transmission
D.Issues and validates digital certificates
AnswerD

CA issues certificates and validates their authenticity.

Why this answer

A CA issues, revokes, and manages digital certificates, establishing trust in the public key's ownership.

890
MCQhard

A NetFlow report shows that host 10.0.0.5 has sent 1 GB of data to external IP 198.51.100.10 over port 443 in the last hour, while other hosts average 100 MB. This anomaly is most indicative of:

A.Port scan activity
B.Normal video streaming
C.DNS amplification attack
D.Data exfiltration
AnswerD

Large outbound data volume to a single external IP is a common exfiltration indicator.

Why this answer

The sudden, disproportionate egress of 1 GB of data from a single host to an external IP over port 443 (HTTPS) is a classic indicator of data exfiltration. While HTTPS traffic is common, the volume anomaly—10x the average of other hosts—suggests unauthorized copying of sensitive data, as attackers often use encrypted channels to blend in with normal traffic.

Exam trap

Cisco often tests the distinction between 'volume anomalies' and 'connection anomalies'—the trap here is confusing a large data transfer (exfiltration) with a volumetric attack (like DDoS) or reconnaissance (like port scanning), when the key is the direction and volume of the traffic to a single external host.

How to eliminate wrong answers

Option A is wrong because port scan activity typically generates many small packets to multiple ports or IPs, not a large volume of data to a single destination over a single port. Option B is wrong because normal video streaming would show consistent, high-bandwidth flows from many hosts, not a single host sending 10x the average to one external IP. Option C is wrong because a DNS amplification attack uses small queries to generate large responses to a victim, characterized by high UDP traffic on port 53, not a single host sending large amounts of TCP data over port 443.

891
MCQhard

You are a security analyst at a mid-sized company that uses a mix of on-premises servers and cloud services. The company's security policy requires all sensitive data to be encrypted at rest and in transit, and all access to be logged and monitored. Recently, the company experienced a data breach where an attacker exfiltrated a database containing customer PII. The investigation revealed that the attacker gained access using a compromised VPN account that had been inactive for 6 months. The account belonged to a former employee who left the company but the account was never disabled. The VPN logs show that the account was used from an unusual IP address, but no alert was triggered because the account was not on any watchlist. The breach occurred over a weekend when the security team was not monitoring. Which of the following would have most effectively prevented this breach?

A.Deploy a SIEM with anomaly detection for unusual VPN login locations.
B.Implement multi-factor authentication on all VPN accounts.
C.Increase the frequency of log reviews to daily.
D.Automate the de-provisioning of user accounts upon employee termination.
AnswerD

This directly addresses the root cause: the account should have been disabled when the employee left.

Why this answer

The root cause of the breach was that the former employee's VPN account remained active after termination, allowing the attacker to use it. Automating the de-provisioning of user accounts upon employee termination (Option D) directly addresses this by ensuring that accounts are disabled or removed as part of the offboarding process, eliminating the attack vector entirely. This aligns with the principle of least privilege and identity lifecycle management, which are foundational to access control policies.

Exam trap

Cisco often tests the distinction between preventive and detective controls, and the trap here is that candidates choose a detective solution (like SIEM or log review) because it sounds more technical, overlooking the fundamental preventive control of account lifecycle management that would have stopped the breach at its source.

How to eliminate wrong answers

Option A is wrong because deploying a SIEM with anomaly detection would only alert on unusual login locations after the fact; it does not prevent the use of an inactive account that should have been disabled. Option B is wrong because multi-factor authentication (MFA) would not have prevented the breach if the attacker already had the compromised VPN credentials and the account was still active; MFA can be bypassed if the attacker has access to the second factor (e.g., via phishing or session hijacking), and the core issue is the account's existence, not the authentication method. Option C is wrong because increasing the frequency of log reviews to daily would still leave a window of opportunity (e.g., over a weekend) and relies on human analysis, which is reactive and does not prevent the initial compromise; the account should have been disabled before the attacker could use it.

892
MCQhard

A security analyst is using Zeek to monitor network traffic. The analyst wants to extract all files transferred over HTTP. Which Zeek script or package accomplishes this?

A.dns-logs.zeek
B.conn-logs.zeek
C.http-logs.zeek
D.file_extraction.zeek
AnswerD

This script extracts files from network streams.

Why this answer

Option D is correct because the file_extraction.zeek script is specifically designed to extract files from network streams, including HTTP transfers. Zeek's default HTTP logging (http.log) records metadata about HTTP sessions, but to actually capture and reassemble the transferred files (e.g., images, executables, documents), the file_extraction framework must be loaded via this script or package.

Exam trap

Cisco often tests the distinction between logging metadata (e.g., http.log) and actually extracting file content, so candidates mistakenly choose http-logs.zeek thinking it captures files, when it only records HTTP session details.

How to eliminate wrong answers

Option A is wrong because dns-logs.zeek is used for logging DNS queries and responses, not for extracting files from HTTP traffic. Option B is wrong because conn-logs.zeek logs connection-level metadata (IP addresses, ports, duration) and does not perform file extraction. Option C is wrong because http-logs.zeek generates HTTP protocol logs (methods, URIs, headers) but does not extract the actual file payloads; it only records metadata about the HTTP requests and responses.

893
Multi-Selecthard

A SOC analyst is investigating a suspected data exfiltration. Which THREE indicators in network traffic are most consistent with exfiltration? (Choose three.)

Select 3 answers
A.Large outbound data transfers to an external IP at unusual hours
B.Images with unusual file sizes but normal resolution
C.DNS queries with base64-encoded subdomains
D.Consistent HTTPS traffic to a CDN
E.Increased inbound web traffic
AnswersA, B, C

Anomalous large transfers are typical for exfiltration.

Why this answer

Large outbound data transfers to an external IP at unusual hours (A) are a classic indicator of data exfiltration because attackers often move stolen data during off-peak times to evade detection. This behavior deviates from normal business traffic patterns and can be flagged by network monitoring tools as anomalous. The volume and timing together suggest intentional data theft rather than routine operations.

Exam trap

Cisco often tests the distinction between normal and malicious traffic patterns; the trap here is that candidates may mistake any encrypted or high-volume traffic (like CDN or HTTPS) as suspicious, when in fact exfiltration indicators require specific anomalies like unusual timing, encoding, or file-size discrepancies.

894
Multi-Selectmedium

An analyst is examining network alerts for lateral movement. Which TWO of the following are typical indicators of lateral movement using SMB?

Select 2 answers
A.A single SMB connection to a file server
B.Multiple SMB connection attempts from a single host to many different hosts
C.NTLM authentication using a hash instead of a password
D.DNS queries for internal hostnames
E.HTTP requests to a web server
AnswersB, C

This is a classic lateral movement pattern.

Why this answer

Lateral movement via SMB often involves many SMB connections from one host to others, and pass-the-hash uses NTLM authentication with a hash.

895
MCQeasy

Which protocol and port combination is commonly used for secure remote administration of network devices?

A.Telnet on port 23
B.SSH on port 22
C.RDP on port 3389
D.HTTP on port 80
AnswerB

SSH provides encrypted remote administration.

Why this answer

SSH (Secure Shell) on port 22 is the correct answer because it provides encrypted, authenticated remote administration of network devices, replacing insecure protocols like Telnet. SSH uses public-key cryptography to establish a secure channel over an unsecured network, ensuring confidentiality and integrity of management traffic. This is the standard for secure CLI-based device management in enterprise environments.

Exam trap

Cisco often tests the distinction between Telnet and SSH, where candidates mistakenly choose Telnet because it is historically common for device management, forgetting that the question explicitly asks for 'secure' remote administration.

How to eliminate wrong answers

Option A is wrong because Telnet uses port 23 but transmits all data, including credentials, in cleartext, making it vulnerable to packet sniffing and man-in-the-middle attacks; it is not secure. Option C is wrong because RDP (Remote Desktop Protocol) on port 3389 is designed for remote GUI access to Windows desktops and servers, not for CLI-based network device administration. Option D is wrong because HTTP on port 80 is unencrypted and used for web traffic, not for secure remote administration; HTTPS (port 443) would be the secure alternative for web-based management.

896
MCQhard

You are a security analyst at a financial services company. The company's security policy mandates that all sensitive data must be encrypted at rest and in transit. A recent internal audit reveals that a database containing customer personally identifiable information (PII) is stored on a server that uses unencrypted storage volumes. The database is accessed by internal applications via unencrypted connections. The policy also requires quarterly vulnerability scans, and the latest scan shows that the server has a critical vulnerability in the database software. Additionally, the server's firewall rules permit inbound traffic from the entire corporate network to the database port. The company's incident response policy requires that any violation of data protection policies be escalated within 24 hours. The IT manager asks you to prioritize actions. What should you do first?

A.Enable encryption on the storage volumes and database connections
B.Apply the critical security patch to the database software
C.Escalate the violation to management within 24 hours
D.Restrict firewall access to only authorized application servers
AnswerB

Patching the critical vulnerability reduces immediate risk of exploitation.

Why this answer

The most immediate threat is the critical vulnerability in the database software, which could allow remote code execution or data exfiltration without any authentication. Patching this vulnerability directly reduces the risk of exploitation, which is the highest priority in a security incident. Encryption and firewall restrictions are important but do not address an actively exploitable software flaw.

Exam trap

Cisco often tests the concept that patching a critical vulnerability takes precedence over other security controls, even when policy mandates encryption or escalation, because the vulnerability represents an active, exploitable risk that can bypass all other defenses.

How to eliminate wrong answers

Option A is wrong because enabling encryption on storage volumes and database connections protects data at rest and in transit but does not remediate the critical software vulnerability that could allow an attacker to bypass those controls entirely. Option C is wrong because while escalation is required by policy, it is a procedural step that should occur after or in parallel with immediate technical remediation; the priority is to stop the active threat first. Option D is wrong because restricting firewall access reduces the attack surface but does not fix the underlying vulnerable software that could be exploited from any allowed source, including authorized application servers.

897
MCQmedium

A security analyst observes a NetFlow record showing a single internal IP communicating with many external IPs on port 445 within seconds. This pattern is indicative of:

A.DNS tunneling
B.Data exfiltration
C.SMB scanning
D.Port scan
AnswerC

Many connections on port 445 to different IPs indicate SMB scanning.

Why this answer

Port 445 is used by SMB; a rapid series of connections to many IPs suggests a scan for vulnerable SMB services.

898
Multi-Selectmedium

Which THREE of the following are common types of malware?

Select 3 answers
A.Patch
B.Virus
C.Ransomware
D.Worm
E.Firewall
AnswersB, C, D

A virus attaches to files and spreads.

Why this answer

A virus is a type of malware that replicates by attaching itself to legitimate executable files or scripts, requiring user action (e.g., opening an infected attachment) to spread. It is one of the classic and most common forms of malicious software, making option B correct.

Exam trap

Cisco often tests the distinction between security tools (like patches and firewalls) and actual malware types, leading candidates to mistakenly classify protective measures as malicious software.

899
Multi-Selecthard

During an incident response, an analyst finds evidence of lateral movement. Which THREE of the following are common techniques used for lateral movement?

Select 3 answers
A.Remote Desktop Protocol (RDP) connections
B.SMB authentication attempts across multiple hosts
C.DNS tunneling
D.Pass-the-hash attacks
E.ICMP echo requests
AnswersA, B, D

Correct. RDP is a common lateral movement vector.

Why this answer

SMB authentication attempts, pass-the-hash, and RDP are common lateral movement techniques.

900
MCQmedium

An analyst reviews an alert that triggered on a network signature for 'shellcode' in a payload. The payload contains a sequence of NOP sleds followed by executable code. Which type of exploitation technique does this indicate?

A.Return-oriented programming (ROP)
B.Heap spray
C.Buffer overflow with NOP sled
D.Format string attack
AnswerC

Correct. NOP sleds are typical in buffer overflow exploits.

Why this answer

A NOP sled is used to increase the chance of landing in the shellcode, commonly used in buffer overflow exploits.
