Cisco CyberOps Associate 200-201 (200-201) — Questions 76-150

507 questions total · 7 pages · All types, answers revealed

Page 2 of 7
76 · MCQ · easy

Refer to the exhibit. A network administrator applies this ACL to the WAN interface. What is the effect on BitTorrent traffic (which typically uses ports 6881-6889)?

A. All TCP traffic is blocked
B. Only outgoing BitTorrent traffic is blocked
C. Incoming BitTorrent traffic using ports 6881-6889 is blocked
D. All BitTorrent traffic is permitted
Answer: C

The ACL denies those ports inbound, blocking incoming BitTorrent connections.

Why this answer

Option D is correct. The ACL denies TCP and UDP on ports 6881-6889 and permits everything else. BitTorrent uses these ports, so it is blocked in the inbound direction.

Option A is wrong because it only denies those ports. Option B is wrong because it blocks only those specific ports. Option C is wrong because the permit any any allows all other traffic.

77 · MCQ · medium

A security analyst is reviewing logs from multiple network devices and notices that a large number of ICMP echo requests with a payload size of 65507 bytes are being sent to a single server from various external IP addresses. The server is becoming unresponsive. Which type of attack is most likely occurring?

A. Ping of death
B. SYN flood
C. Smurf attack
D. ICMP flood
Answer: D

An ICMP flood sends a high volume of ICMP echo request packets to overwhelm the target's resources, matching the description of many large ping packets from multiple sources.

Why this answer

D is correct because an ICMP flood attack involves overwhelming a target with a high volume of ICMP echo request packets, consuming bandwidth and processing resources. The large payload size (65507 bytes) is a characteristic of a crafted ICMP packet, but the key indicator here is the sheer volume from multiple sources causing the server to become unresponsive, which aligns with a volumetric ICMP flood rather than a single malformed packet.

Exam trap

Cisco often tests the distinction between a Ping of Death (single malformed packet) and an ICMP flood (high volume of normal or large packets), where candidates mistakenly choose 'Ping of Death' because they see the large payload size, but the key is the volume and the fact that 65507 bytes is within the legal limit for a single packet.

How to eliminate wrong answers

Option A is wrong because a Ping of Death attack exploits a single malformed ICMP packet that exceeds the maximum IP packet size (65535 bytes), causing a buffer overflow; the question describes many packets with a payload of 65507 bytes (which is within the total IP packet limit when headers are included), not a single oversized packet. Option B is wrong because a SYN flood targets the TCP three-way handshake by sending numerous SYN packets without completing the handshake, exhausting the server's connection queue; ICMP echo requests are not part of TCP. Option C is wrong because a Smurf attack uses ICMP echo requests sent to a network's broadcast address with a spoofed source IP of the victim, causing all hosts on the network to reply to the victim; the question states the requests are sent directly to a single server from various external IPs, not to a broadcast address.

78 · MCQ · hard

A SOC team is implementing a security monitoring solution for a cloud-based infrastructure. Which of the following is the most important consideration for effective monitoring?

A. Centralized logging from all cloud services and on-premises.
B. Encrypting all logs at rest.
C. Reducing log retention to save cost.
D. Using only native cloud monitoring tools.
Answer: A

Centralized logging enables correlation and consistent analysis across the infrastructure.

Why this answer

Centralized logging is the most important consideration because it provides a single, unified view of security events across all cloud services and on-premises infrastructure. Without aggregation, the SOC cannot correlate events, detect distributed attacks, or perform effective threat hunting. This aligns with the principle of 'visibility first' in security monitoring.

Exam trap

Cisco often tests the misconception that encryption or cost-saving measures are the top priority in monitoring, when in fact the foundational requirement is complete visibility through centralized logging.

How to eliminate wrong answers

Option B is wrong because encrypting logs at rest protects confidentiality but does not address the core requirement of visibility and correlation; encryption is a secondary control, not the primary monitoring consideration. Option C is wrong because reducing log retention to save cost directly undermines forensic analysis and compliance requirements; logs must be retained long enough to support incident investigation and meet regulatory mandates. Option D is wrong because using only native cloud monitoring tools creates silos and blind spots; a hybrid environment requires a centralized solution that aggregates logs from multiple sources, including third-party and on-premises tools.

79 · MCQ · medium

A security policy requires that all privileged access be logged and monitored. A junior admin uses a shared service account to perform maintenance. The logs show the account logged in from multiple IPs at the same time. What does this indicate?

A. There is a network issue causing duplicate logs.
B. The account is compromised.
C. The account is being used by multiple administrators simultaneously.
D. The account is being used by an automated script.
E. The logging system is malfunctioning.
Answer: C

Shared accounts lead to loss of accountability.

Why this answer

Option B is correct because a shared account used by multiple admins explains simultaneous logins. Option A is possible but less likely than policy violation. Options C, D, E are less plausible.
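The detection behind this scenario is simple to implement once session records carry the account, the source IP and the login/logout times: look for sessions of the same account that overlap in time but come from different addresses. The following is an added example, not part of the question bank; the session records and their four-field layout are constructed for illustration, and a real SIEM or VPN export would need its fields mapped into that shape.

```python
"""Detect one account with overlapping sessions from different source IPs."""
from collections import defaultdict
from datetime import datetime

# Constructed session records: (account, source_ip, login_time, logout_time)
SESSIONS = [
    ("svc_maint", "10.0.1.15", "2024-03-04T09:00:00", "2024-03-04T09:40:00"),
    ("svc_maint", "10.0.7.22", "2024-03-04T09:10:00", "2024-03-04T09:30:00"),
    ("svc_maint", "10.0.1.15", "2024-03-04T11:00:00", "2024-03-04T11:20:00"),
    ("alice",     "10.0.3.8",  "2024-03-04T08:00:00", "2024-03-04T12:00:00"),
    ("alice",     "10.0.3.8",  "2024-03-04T08:30:00", "2024-03-04T09:00:00"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def overlapping_multi_ip_sessions(sessions):
    """Return {account: [(ip_a, ip_b, overlap_start, overlap_end), ...]} for every
    pair of sessions of the same account that overlap in time AND originate from
    different source IPs. Overlaps from the same IP (two terminal windows on one
    workstation) are ignored because they do not indicate account sharing."""
    by_account = defaultdict(list)
    for acct, ip, start, end in sessions:
        by_account[acct].append((ip, _ts(start), _ts(end)))

    findings = defaultdict(list)
    for acct, recs in by_account.items():
        recs.sort(key=lambda r: r[1])          # sort by login time
        for i, (ip_a, s_a, e_a) in enumerate(recs):
            for ip_b, s_b, e_b in recs[i + 1:]:
                if s_b >= e_a:
                    break                      # later records start even later: no overlap
                if ip_a != ip_b:
                    findings[acct].append(
                        (ip_a, ip_b, s_b.isoformat(), min(e_a, e_b).isoformat())
                    )
    return dict(findings)


if __name__ == "__main__":
    for acct, hits in overlapping_multi_ip_sessions(SESSIONS).items():
        for ip_a, ip_b, start, end in hits:
            print(f"{acct}: {ip_a} and {ip_b} both active {start} .. {end}")
```

On the constructed data only `svc_maint` is reported: `alice` has overlapping sessions too, but both are from the same workstation, which is the normal case the rule must not flag.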

80 · MCQ · medium

Refer to the exhibit. An administrator configured AAA on a Cisco router. What is the expected outcome when a user tries to access privileged EXEC mode (enable) with the username 'admin' and password 'cisco123'?

A. The user is granted access to user EXEC mode only
B. The user is denied all access because no enable secret is set
C. The user is granted full privileged EXEC access
D. The user enters user EXEC mode but is denied enable access due to missing enable secret
Answer: D

Correct: local-case works for login, but enable authentication fails.

Why this answer

The 'enable' method configured for enable-mode authentication checks the enable secret or enable password, not the local user database. Since no enable secret or enable password is configured, enable authentication fails. The user must first log in to user EXEC mode, and that login uses the local-case method, so 'admin' with password 'cisco123' succeeds there; the subsequent enable attempt is denied because no enable password is set.

Option D is correct. Option A is wrong because user EXEC works. Option B is wrong because enable access fails. Option C is wrong because the user cannot even enter enable mode.

81 · MCQ · medium

An analyst examines a PCAP file and sees multiple packets with the same source IP, destination port 443, and a payload that starts with 'GET /login.php HTTP/1.1'. The packets occur in rapid succession with slight variations in the URL parameter. Which type of attack is most likely occurring?

A. SSL/TLS renegotiation attack
B. HTTP flood DDoS attack
C. DNS amplification
D. ARP poisoning
Answer: B

Rapid HTTP requests with variations are characteristic of HTTP flood.

Why this answer

The attack involves multiple packets with the same source IP, all targeting destination port 443 with HTTP GET requests to '/login.php'. The rapid succession and slight variations in URL parameters indicate an attempt to overwhelm the web server with legitimate-looking HTTP requests, which is characteristic of an HTTP flood DDoS attack. This attack exploits the application layer (Layer 7) by exhausting server resources through repeated HTTP requests, rather than exploiting SSL/TLS or network-layer vulnerabilities.

Exam trap

Cisco often tests the distinction between application-layer DDoS attacks (like HTTP floods) and protocol-specific attacks (like SSL/TLS renegotiation or DNS amplification), where candidates mistakenly associate any attack on port 443 with SSL/TLS issues rather than recognizing the HTTP payload as the key indicator.

How to eliminate wrong answers

Option A is wrong because an SSL/TLS renegotiation attack exploits the TLS renegotiation handshake to inject plaintext into an encrypted session, not by sending multiple HTTP GET requests with varying parameters. Option C is wrong because a DNS amplification attack uses small DNS queries with spoofed source IPs to generate large responses from open resolvers, targeting UDP port 53, not TCP port 443 with HTTP payloads. Option D is wrong because ARP poisoning involves sending forged ARP replies to associate the attacker's MAC address with a legitimate IP address on a local network, disrupting Layer 2 communication, not sending HTTP requests to a remote server.

82 · MCQ · medium

An organization uses both network-based intrusion detection (NIDS) and host-based intrusion detection (HIDS). A HIDS alert reports that a critical server's registry key was modified. The NIDS shows no corresponding network activity. The change occurred during a scheduled maintenance window. What is the best course of action for the analyst?

A. Ignore the alert because it occurred during maintenance
B. Check the change management system to see if the modification was authorized
C. Escalate the alert as a potential security incident
D. Immediately revert the registry change
Answer: B

Scheduled maintenance windows often involve authorized changes; verifying with change management is the logical first step.

Why this answer

Option B is correct because the registry modification occurred during a scheduled maintenance window, which is a legitimate time for authorized changes. The analyst should first verify the change management system to confirm whether the modification was planned and approved, as this aligns with standard change control processes. The absence of NIDS alerts further suggests the change was likely local and non-malicious, but confirmation via change management is essential before taking any action.

Exam trap

Cisco often tests the concept that maintenance windows do not automatically validate all changes; candidates must remember to verify against change management records rather than assuming safety or immediately escalating.

How to eliminate wrong answers

Option A is wrong because ignoring the alert solely because it occurred during maintenance is a dangerous assumption; maintenance windows can be exploited by attackers, and the alert must be verified against authorized changes. Option C is wrong because escalating immediately as a potential security incident without first checking the change management system could waste resources and cause unnecessary alarm, especially since the NIDS showed no corresponding network activity. Option D is wrong because immediately reverting the registry change could disrupt legitimate maintenance work and potentially cause system instability; the change should only be reverted after confirming it was unauthorized.

83 · MCQ · medium

An analyst sees an alert: 'ET POLICY Outgoing HTTP Request with Suspicious User-Agent (Mozilla/5.0 compatible; MSIE 6.0; Windows NT 5.1)'. The source is an internal host that typically uses Windows 10. What should the analyst suspect?

A. The traffic is from a web proxy
B. The host is running Windows XP
C. The host is running a browser update
D. The traffic is likely generated by malware
Answer: D

Malware often uses old User-Agents to evade detection.

Why this answer

The User-Agent string 'Mozilla/5.0 compatible; MSIE 6.0; Windows NT 5.1' mimics Internet Explorer 6 on Windows XP (NT 5.1). Since the source host normally runs Windows 10, this outdated and mismatched User-Agent is a strong indicator of malware attempting to disguise its traffic as legacy browser activity to evade detection.

Exam trap

Cisco often tests the concept that an anomalous User-Agent string inconsistent with the host's known OS is a red flag for malware, not an indication of the actual OS version.

How to eliminate wrong answers

Option A is wrong because a web proxy typically preserves the original client's User-Agent or adds its own header rather than fabricating a legacy Windows XP User-Agent. Option B is wrong because the host is known to run Windows 10, not Windows XP; the alert indicates the traffic is spoofing XP, not that the OS is actually XP. Option C is wrong because browser updates do not change the User-Agent to an older, incompatible version like MSIE 6.0 on Windows NT 5.1; updates would use a current User-Agent string.
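The reasoning above, that a User-Agent claiming an OS the host does not run is the signal, can be automated by comparing the OS implied by the User-Agent against the asset inventory for the source address. This is an added example, not part of the question bank: the proxy log format, the inventory and the small NT-version-to-OS map are constructed for illustration (a production parser would use a maintained User-Agent library rather than the three-entry map here).

```python
"""Flag outbound HTTP requests whose User-Agent implies an OS that conflicts
with the asset inventory entry for the source host."""
import re

# Constructed map from the Windows NT token to an OS name (deliberately tiny).
NT_VERSIONS = {"5.1": "Windows XP", "6.1": "Windows 7", "10.0": "Windows 10"}

# Constructed asset inventory: host IP -> OS recorded by endpoint management.
INVENTORY = {
    "10.0.5.20": "Windows 10",
    "10.0.5.21": "Windows 10",
    "10.0.5.30": "Windows 7",
}

# Constructed proxy log lines:  src_ip  destination  "User-Agent"
PROXY_LOG = """\
10.0.5.20 cdn.example.net "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
10.0.5.21 198.51.100.7 "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.5.30 updates.example.org "Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20100101 Firefox/115.0"
10.0.5.20 203.0.113.9 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+"([^"]*)"$')
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")


def os_from_user_agent(ua):
    """Return the OS implied by a Windows User-Agent, or None if not derivable."""
    m = NT_RE.search(ua)
    return NT_VERSIONS.get(m.group(1)) if m else None


def find_ua_os_mismatches(log_text, inventory):
    """Return (src_ip, destination, claimed_os, inventory_os) for each request
    whose User-Agent claims an OS different from the inventory entry for the
    source host. Hosts missing from the inventory and User-Agents without an
    OS token are skipped rather than guessed."""
    mismatches = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dest, ua = m.groups()
        claimed = os_from_user_agent(ua)
        known = inventory.get(src)
        if claimed and known and claimed != known:
            mismatches.append((src, dest, claimed, known))
    return mismatches


if __name__ == "__main__":
    for src, dest, claimed, known in find_ua_os_mismatches(PROXY_LOG, INVENTORY):
        print(f"{src} -> {dest}: UA claims {claimed}, inventory says {known}")
```

The two requests that claim Windows NT 5.1 from Windows 10 hosts are reported; the Windows 7 host sending a Windows NT 6.1 User-Agent is consistent with inventory and stays quiet.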

84 · MCQ · medium

Refer to the exhibit. A security analyst reviews the ACL configuration applied outbound on the external interface. Which statement is true about traffic from the 192.168.1.0/24 network to the internet?

A. All outbound traffic is denied except HTTP and HTTPS.
B. Only HTTP and HTTPS traffic is allowed.
C. HTTP and HTTPS traffic from the internal network is allowed, but SSH is denied.
D. SSH traffic is only denied if it originates from the 192.168.1.0/24 network.
Answer: C

Lines 10 and 20 permit HTTP/HTTPS; line 30 denies SSH; line 40 permits everything else.

Why this answer

The ACL applied outbound on the external interface permits TCP traffic from the 192.168.1.0/24 network to any destination on ports 80 (HTTP) and 443 (HTTPS), and denies all other traffic, including SSH (port 22). Since the ACL has an implicit deny at the end, only HTTP and HTTPS are allowed; SSH is explicitly denied because it does not match any permit statement. Therefore, HTTP and HTTPS traffic from the internal network is allowed, but SSH is denied.

Exam trap

Cisco often tests the implicit deny any at the end of an ACL, and the trap here is that candidates assume SSH is explicitly denied rather than understanding it is blocked by the implicit deny because it is not permitted.

How to eliminate wrong answers

Option A is wrong because it states 'all outbound traffic is denied except HTTP and HTTPS' — this is too broad; the ACL only applies to traffic from 192.168.1.0/24, not all outbound traffic, and it does not deny all other protocols (e.g., ICMP could be implicitly denied but not explicitly). Option B is wrong because it says 'only HTTP and HTTPS traffic is allowed' — while this is true for the 192.168.1.0/24 network, the statement omits the source network restriction and implies it applies to all traffic, which is inaccurate. Option D is wrong because it claims 'SSH traffic is only denied if it originates from the 192.168.1.0/24 network' — the ACL denies all traffic not matching the permit statements, so SSH from any source (including other internal networks) would be denied by the implicit deny, not just from 192.168.1.0/24.

85 · Multi-Select · medium

Which TWO of the following are common network security protocols? (Choose two.)

Select 2 answers
A. IPsec
B. FTP
C. SSL
D. HTTP
E. SNMP
Answers: A, C

IPsec provides secure IP communications.

Why this answer

IPsec is a suite of protocols used to secure IP communications by authenticating and encrypting each IP packet in a data stream. It operates at the network layer (Layer 3) and is commonly used in VPNs to provide confidentiality, integrity, and authentication. This makes it a fundamental network security protocol.

Exam trap

Cisco often tests the distinction between protocols that are inherently secure (like IPsec and SSL/TLS) versus those that are not (like FTP, HTTP, and SNMPv1/v2c), leading candidates to mistakenly select common but insecure protocols as security protocols.

86 · Multi-Select · hard

Which THREE of the following are key principles of zero trust security? (Choose three.)

Select 3 answers
A. Least privilege
B. Perimeter-based security
C. Never trust, always verify
D. Assume breach
E. Implicit trust
Answers: A, C, D

Least privilege limits access to only what is necessary.

Why this answer

Least privilege is a core principle of zero trust because it ensures users, devices, and applications are granted only the minimum permissions necessary to perform their functions. This limits the blast radius of a potential compromise by restricting lateral movement and access to sensitive resources. In zero trust, least privilege is enforced through granular policies, often using micro-segmentation and identity-based access controls, rather than relying on network location.

Exam trap

Cisco often tests whether candidates confuse zero trust with traditional perimeter defense, so the trap here is that 'perimeter-based security' sounds like a valid security principle but is actually the outdated model that zero trust aims to replace.

87 · Multi-Select · hard

Which TWO locations in a Linux filesystem should be checked for evidence of malware persistence?

Select 2 answers
A. /proc
B. /var/spool/cron/crontabs
C. /var/log/syslog
D. /etc/init.d
E. /etc/passwd
Answers: B, D

Cron jobs can run malware periodically.

Why this answer

Option B is correct because cron is a standard Linux mechanism for scheduling recurring tasks, and malware often uses cron jobs to re-execute itself after a reboot or at specific intervals. The crontabs directory under /var/spool/cron/ contains the actual cron job files for each user, making it a primary location to check for unauthorized persistence entries. Malware can add a cron entry that downloads or runs a malicious script, ensuring its continued presence on the system.

Exam trap

Cisco often tests the distinction between locations that store persistent configuration (like crontabs and init.d) versus runtime or log-only directories (like /proc and /var/log), so candidates mistakenly choose /proc or /var/log/syslog because they are commonly examined during live analysis, but they do not hold persistence artifacts.

88 · MCQ · hard

A network engineer is designing a segmented network to protect a sensitive database. The database must be accessible only from a specific application server. Which security concept best describes this design?

A. Defense in depth
B. Separation of duties
C. Weakest link
D. Least privilege
Answer: D

Least privilege ensures that entities have only the access necessary to perform their functions.

Why this answer

Option D, least privilege, is correct because the design restricts access to the sensitive database to only the specific application server that requires it. This principle dictates that users, processes, or systems should be granted the minimum permissions necessary to perform their functions, thereby reducing the attack surface. By implementing network access control lists (ACLs) or firewall rules that permit traffic solely from the application server's IP address to the database port, the engineer enforces least privilege at the network layer.

Exam trap

Cisco often tests least privilege by framing it as a network segmentation or access control question, and the trap here is confusing it with defense in depth because both involve multiple layers, but least privilege specifically focuses on granting only the necessary permissions rather than layering controls.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy that employs multiple, overlapping controls (e.g., firewalls, IDS/IPS, encryption) to protect assets, not a single restriction between two specific hosts. Option B is wrong because separation of duties divides critical tasks among different individuals to prevent fraud or error (e.g., one admin creates accounts, another approves them), which is unrelated to network segmentation for database access. Option C is wrong because the weakest link concept refers to the idea that a system's security is only as strong as its most vulnerable component, not a design principle for restricting access between a specific application server and a database.

89 · Multi-Select · medium

Which THREE of the following are key elements of a security monitoring and analysis strategy? (Choose three.)

Select 3 answers
A. Establishing a feedback loop for continuous improvement
B. Focusing only on network-based monitoring to reduce complexity
C. Regularly tuning detection mechanisms to reduce false positives
D. Automating all incident response decisions to eliminate human error
E. Centralized log management and correlation across multiple sources
Answers: A, C, E

Continuous improvement adapts the monitoring to new threats and changing environments.

Why this answer

Establishing a feedback loop for continuous improvement (A) is a key element because security monitoring is not a static process; it requires iterative refinement based on lessons learned from incidents, false positives, and changes in the threat landscape. This loop ensures that detection rules, response playbooks, and monitoring configurations evolve to maintain effectiveness against new attack vectors and reduce noise over time.

Exam trap

Cisco often tests the misconception that security monitoring can be purely network-focused or fully automated, but the correct approach requires a balanced, multi-source strategy with human oversight and continuous tuning.

90 · MCQ · medium

A company's remote access policy requires VPN connections to use two-factor authentication (2FA). An employee reports they cannot connect because their token is not syncing. What is the best course of action?

A. Disable 2FA for the employee
B. Replace the token and allow access anyway
C. Temporarily allow connections without 2FA
D. Provide a new token and synchronize it correctly
Answer: D

This resolves the issue while maintaining policy compliance.

Why this answer

Option D is correct because the core issue is a synchronization problem between the employee's token and the authentication server. Two-factor authentication (2FA) relies on time-based one-time passwords (TOTP) or event-based (HOTP) algorithms; if the token's clock drifts or the counter becomes out of sync, authentication fails. Providing a new token and correctly synchronizing it (e.g., via NTP time alignment or reseeding the HMAC-based OTP counter) restores secure access without bypassing the security policy.

Exam trap

Cisco often tests the misconception that any token failure should be resolved by temporarily disabling security controls (like 2FA) rather than fixing the underlying technical issue, tempting candidates to choose options that weaken security instead of following proper troubleshooting procedures.

How to eliminate wrong answers

Option A is wrong because disabling 2FA for the employee violates the remote access policy and eliminates the second authentication factor, leaving the VPN connection protected only by a password, which is a security downgrade. Option B is wrong because replacing the token without ensuring proper synchronization will likely result in the same sync failure; simply allowing access anyway bypasses authentication controls and undermines the 2FA requirement. Option C is wrong because temporarily allowing connections without 2FA creates a window of vulnerability where an attacker could exploit the lack of a second factor, and it violates the explicit policy requiring 2FA for all VPN connections.

91 · MCQ · hard

Which type of traffic is most prominent in this NetFlow data?

A. SSH
B. HTTP
C. DNS
D. HTTPS
Answer: B

Port 80 is HTTP and has the most packets and bytes.

Why this answer

HTTP traffic is most prominent because the NetFlow data shows a high volume of packets and bytes on TCP port 80, which is the default port for HTTP. NetFlow records summarize traffic flows, and the large number of flows and bytes on port 80 indicates that HTTP is the dominant protocol in the captured data.

Exam trap

Cisco often tests the ability to distinguish between HTTP and HTTPS by port number, and the trap here is that candidates might assume HTTPS is more common due to modern encryption trends, but the NetFlow data explicitly shows higher traffic on port 80.

How to eliminate wrong answers

Option A is wrong because SSH uses TCP port 22, and the NetFlow data does not show significant traffic on that port. Option C is wrong because DNS primarily uses UDP port 53 (and sometimes TCP for zone transfers), and the data does not indicate a high volume of traffic on port 53. Option D is wrong because HTTPS uses TCP port 443, and while it may appear in the data, the question specifies that HTTP is the most prominent, meaning port 80 traffic exceeds port 443 traffic in this sample.

92 · MCQ · easy

You are a security analyst at a mid-sized company. The company uses a SIEM to collect logs from firewalls, IDS, and servers. Recently, the SIEM generated an alert for a potential brute-force attack against the company's VPN server. The alert is based on a correlation rule that triggers when more than 30 failed authentication attempts from a single source IP occur within 10 minutes. You investigate and see that the source IP is 203.0.113.50, which is a known IP address of a partner company that uses the VPN for remote access. The failed attempts are all from the same username 'john.doe'. You also notice that the attempts are happening every 5 seconds, exactly 6 attempts per minute. The partner company has a policy that locks accounts after 3 failed attempts. Based on this scenario, what is the most likely cause of the alert?

A. The user 'john.doe' has forgotten his password and is repeatedly trying to log in.
B. A script or automated process at the partner site is misconfigured and repeatedly trying to authenticate with an incorrect password.
C. A man-in-the-middle attack is replaying captured authentication packets.
D. The partner's account 'john.doe' has been compromised and an attacker is attempting to gain access.
Answer: B

The exact timing and same username point to a script; the lockout policy would lock the account after 3 attempts, but the script may be retrying from the same source, causing the SIEM alert before the lockout.

Why this answer

The alert is triggered by a correlation rule that detects more than 30 failed authentication attempts from a single source IP within 10 minutes. The observed pattern—exactly 6 attempts per minute, every 5 seconds—is highly regular and mechanical, which is characteristic of an automated script or misconfigured process, not human behavior. Since the partner company locks accounts after 3 failed attempts, a human user would be locked out quickly and could not sustain 30+ attempts; only a script ignoring the lockout policy or using a cached incorrect password could produce this pattern.

Exam trap

Cisco often tests the distinction between human behavior and automated patterns by including precise timing data; the trap here is that candidates focus on the source IP being a 'known partner' and assume compromise or user error, ignoring the mechanical regularity that points to a script.

How to eliminate wrong answers

Option A is wrong because a human user forgetting their password would not produce exactly 6 attempts per minute at precise 5-second intervals; human behavior is irregular and would stop after the account is locked (3 failed attempts). Option C is wrong because a man-in-the-middle attack replaying captured authentication packets would not cause repeated failed attempts from a single source IP with the same username; replay attacks typically cause successful authentications or session hijacking, not a steady stream of failures. Option D is wrong because if the account were compromised, an attacker would likely use a password spraying or credential stuffing tool with multiple usernames or random timing, not a fixed 5-second interval with the same username; the regular pattern suggests a misconfigured script, not an active attacker.
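The correlation rule in the scenario (more than 30 failures from one source IP in 10 minutes) and the timing argument used to pick the answer can both be expressed as code: count failures per source over a sliding window, and when the threshold trips, report the distinct usernames and the spacing between attempts so the analyst can tell a fixed-interval retry loop from irregular human attempts or a spray across many accounts. This is an added example, not part of the question bank; the log line format and the sample events are constructed, while the 30-failure/10-minute thresholds, the 5-second interval and the username are the values the question gives.

```python
"""Brute-force correlation rule with an inter-attempt regularity check."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

THRESHOLD = 30                   # failures that must be exceeded
WINDOW = timedelta(minutes=10)   # sliding window length


def _make_sample():
    """Build constructed VPN log lines: ISO timestamp, result, user, source IP."""
    base = datetime(2024, 3, 4, 10, 0, 0)
    lines = []
    # 36 failures from the partner IP, exactly every 5 seconds, same username
    for i in range(36):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} AUTH_FAIL user=john.doe src=203.0.113.50")
    # a human-looking burst: three irregularly spaced failures, then success
    for off in (0, 23, 71):
        t = base + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} AUTH_FAIL user=mia.chen src=198.51.100.4")
    lines.append(f"{(base + timedelta(seconds=95)).isoformat()} AUTH_OK user=mia.chen src=198.51.100.4")
    return "\n".join(lines)


SAMPLE_LOG = _make_sample()
LINE_RE = re.compile(r"^(\S+) (AUTH_FAIL|AUTH_OK) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Yield (timestamp, result, user, src_ip) from the constructed line format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def failed_auth_alerts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: info} for every source IP with more than `threshold`
    failures inside any `window`-long sliding interval. `info` includes the
    distinct usernames and the mean / standard deviation of the gaps between
    attempts; a standard deviation near zero means a fixed-interval process."""
    by_ip = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        if result == "AUTH_FAIL":
            by_ip[src].append((ts, user))

    alerts = {}
    for src, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1                     # slide the window forward
            if end - start + 1 > threshold:
                gaps = [(times[i] - times[i - 1]).total_seconds() for i in range(1, len(times))]
                alerts[src] = {
                    "failures": len(times),
                    "users": sorted({u for _, u in events}),
                    "mean_gap_s": sum(gaps) / len(gaps),
                    "gap_stdev_s": pstdev(gaps),
                    "regular_interval": pstdev(gaps) < 0.5,
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in failed_auth_alerts(SAMPLE_LOG).items():
        print(src, info)
```

On the sample, only 203.0.113.50 trips the rule, and its report shows one username with a mean gap of exactly 5 seconds and zero deviation, which is the mechanical pattern the question describes; a single-user spray or a human retrying would show many usernames or a large deviation instead.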

93 · MCQ · medium

During an incident, an analyst needs to determine if a specific user account 'jsmith' was used from a remote IP during a breach window. Which log sources should the analyst check first?

A. NetFlow records from the core switch.
B. VPN concentrator logs.
C. File server audit logs.
D. Windows Security Event Logs (Event ID 4624, 4625).
Answer: D

Contains logon events with username and source IP.

Why this answer

Windows Security Event Logs with Event ID 4624 (successful logon) and 4625 (failed logon) are the authoritative source for interactive and remote logon events on a Windows system. They record the target user account (jsmith), the source IP address of the remote connection, and the timestamp, making them the direct and most reliable log source to determine if a specific user account was used from a remote IP during a breach window.

Exam trap

Cisco often tests the misconception that NetFlow or VPN logs can identify user-level authentication details, when in fact only Windows Security Event Logs (or equivalent OS authentication logs) contain the specific user account and source IP for a logon event.

How to eliminate wrong answers

Option A is wrong because NetFlow records provide metadata about network flows (IP addresses, ports, protocols, and byte counts) but do not log user account names or authentication events, so they cannot identify which user account was used. Option B is wrong because VPN concentrator logs show when a user establishes a VPN tunnel and the assigned IP, but they do not log individual authentication attempts to a specific Windows workstation or server, and the remote IP seen in the VPN logs is the VPN client's external IP, not the internal IP of the machine where the logon occurred. Option C is wrong because file server audit logs track access to files and folders (e.g., reads, writes, deletes) but do not record interactive or remote logon events for a specific user account on a different system; they only show file-level operations after authentication has already occurred.
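To show what the analyst actually pulls out of those events, here is an added example (not part of the question bank) that filters 4624/4625 records for one account, keeps only logons that carry a remote source address, restricts them to the breach window, and summarizes successes and failures per source IP. The records are constructed to mirror the EventData fields Windows writes (TargetUserName, IpAddress, LogonType); an export from Get-WinEvent or a SIEM would need the same fields mapped into this shape.

```python
"""Remote logon summary for one account from Windows 4624/4625 events."""
from collections import defaultdict
from datetime import datetime

# IpAddress values that mean "no remote source" (console or local logon).
LOCAL_ADDRESSES = {"-", "127.0.0.1", "::1"}

# Constructed events. LogonType 2 = Interactive (console), 3 = Network,
# 10 = RemoteInteractive (RDP); these type numbers are Windows' own.
EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-04T01:55:10", "TargetUserName": "jsmith", "IpAddress": "-",            "LogonType": 2},
    {"EventID": 4625, "TimeCreated": "2024-03-04T02:03:41", "TargetUserName": "jsmith", "IpAddress": "203.0.113.77", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2024-03-04T02:03:52", "TargetUserName": "jsmith", "IpAddress": "203.0.113.77", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2024-03-04T02:04:05", "TargetUserName": "jsmith", "IpAddress": "203.0.113.77", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2024-03-04T02:10:00", "TargetUserName": "jsmith", "IpAddress": "10.0.2.15",    "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2024-03-04T02:11:00", "TargetUserName": "bjones", "IpAddress": "203.0.113.77", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2024-03-04T06:00:00", "TargetUserName": "jsmith", "IpAddress": "203.0.113.77", "LogonType": 10},
]


def remote_logons_for(events, user, window_start, window_end):
    """Return {ip: {"success": n, "failure": n, "first": ts, "last": ts,
    "logon_types": set}} for 4624/4625 events of `user` from non-local
    addresses whose TimeCreated lies within [window_start, window_end]."""
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    result = defaultdict(lambda: {"success": 0, "failure": 0, "first": None,
                                  "last": None, "logon_types": set()})
    for e in events:
        if e["EventID"] not in (4624, 4625):
            continue
        if e["TargetUserName"].lower() != user.lower():
            continue
        if e["IpAddress"] in LOCAL_ADDRESSES:
            continue                           # no remote source to attribute
        ts = datetime.fromisoformat(e["TimeCreated"])
        if not (start <= ts <= end):
            continue
        r = result[e["IpAddress"]]
        r["success" if e["EventID"] == 4624 else "failure"] += 1
        r["first"] = ts if r["first"] is None else min(r["first"], ts)
        r["last"] = ts if r["last"] is None else max(r["last"], ts)
        r["logon_types"].add(e["LogonType"])
    return dict(result)


if __name__ == "__main__":
    summary = remote_logons_for(EVENTS, "jsmith", "2024-03-04T02:00:00", "2024-03-04T03:00:00")
    for ip, r in summary.items():
        print(f"{ip}: {r['success']} ok, {r['failure']} failed, "
              f"{r['first']} .. {r['last']}, logon types {sorted(r['logon_types'])}")
```

Against the constructed records the breach-window query returns two sources for jsmith: an external address with two failures followed by a successful RDP-type logon, and an internal address with one network logon; the console logon, the other user's event and the logon outside the window are excluded.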

94 · MCQ · medium

Based on the Cisco ASA syslog message, what does this event indicate?

A. A DNS response from an external server to an internal client was allowed.
B. An inbound UDP packet from an external source to an internal destination was denied.
C. The access-group "OUTSIDE_IN" is misconfigured.
D. An outbound UDP connection was denied.
Answer: B

The syslog clearly states 'Deny udp src outside:... dst inside:...'.

Why this answer

The syslog message indicates that an inbound UDP packet from an external source to an internal destination was denied by the Cisco ASA. The message includes the source and destination IP addresses and ports, and the action is 'denied' due to the access-group 'OUTSIDE_IN' applied to the outside interface. This matches option B, which correctly identifies the denied inbound UDP traffic.

Exam trap

Cisco often tests the ability to distinguish between inbound and outbound traffic based on source/destination IPs in syslog messages, leading candidates to confuse the direction when the access-group name suggests an inbound policy but the traffic flow is misinterpreted.

How to eliminate wrong answers

Option A is wrong because the event is a denial, not an allowance, and it involves UDP, not DNS specifically (though DNS uses UDP, the message does not indicate a response). Option C is wrong because the access-group 'OUTSIDE_IN' is correctly referenced in the syslog message; there is no evidence of misconfiguration—the denial is the expected behavior based on the ACL. Option D is wrong because the traffic is inbound (from external to internal), not outbound; the syslog shows source as external and destination as internal.
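The direction reasoning in this question, read it from the src/dst interface names and not from the access-group name, is exactly what a log parser should encode. Below is an added example, not part of the question bank: it parses ASA 106023 deny messages (the documented layout is `Deny proto src iface:ip/port dst iface:ip/port by access-group "NAME"`) and classifies each as inbound, outbound or lateral. The sample syslog lines are constructed, and treating only the interface named `outside` as external is an assumption made for this illustration.

```python
"""Parse Cisco ASA %ASA-4-106023 deny messages and derive traffic direction."""
import re

DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample lines (addresses from documentation ranges). The third
# line is a 302013 connection-built message and must be ignored by the parser.
SAMPLE_SYSLOG = """\
Mar  4 10:15:01 fw1 %ASA-4-106023: Deny udp src outside:198.51.100.23/53 dst inside:10.1.1.5/52345 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar  4 10:15:02 fw1 %ASA-4-106023: Deny tcp src inside:10.1.1.9/49211 dst outside:203.0.113.40/23 by access-group "INSIDE_OUT" [0x0, 0x0]
Mar  4 10:15:03 fw1 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.40/443 (203.0.113.40/443) to inside:10.1.1.9/49212 (10.1.1.9/49212)
"""

# Assumption for this example: only the interface named "outside" faces the internet.
EXTERNAL_IFACES = {"outside"}


def parse_deny(line):
    """Return a dict for a 106023 deny line, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    # Direction is decided by the interfaces in the message, never by the ACL name.
    src_ext = rec["src_if"] in EXTERNAL_IFACES
    dst_ext = rec["dst_if"] in EXTERNAL_IFACES
    if src_ext and not dst_ext:
        rec["direction"] = "inbound"
    elif dst_ext and not src_ext:
        rec["direction"] = "outbound"
    else:
        rec["direction"] = "lateral"
    return rec


def summarize_denies(log_text):
    """Return (direction, proto, src_ip, dst_ip, dst_port, acl) for each deny event."""
    out = []
    for line in log_text.splitlines():
        rec = parse_deny(line)
        if rec:
            out.append((rec["direction"], rec["proto"], rec["src_ip"],
                        rec["dst_ip"], rec["dst_port"], rec["acl"]))
    return out


if __name__ == "__main__":
    for row in summarize_denies(SAMPLE_SYSLOG):
        print(row)
```

The first sample line is the shape the question describes: source on `outside`, destination on `inside`, so the parser labels it inbound regardless of what the access-group is called.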

95 · MCQ · easy

Which Cisco tool provides network-wide visibility and can detect anomalies using NetFlow and behavioral analysis?

A. Cisco Firepower Threat Defense (FTD)
B. Cisco Catalyst 9300 Switch
C. Cisco Identity Services Engine (ISE)
D. Cisco Secure Network Analytics (Stealthwatch)
Answer: D

It uses NetFlow and behavioral analysis for anomaly detection.

Why this answer

Cisco Secure Network Analytics (formerly Stealthwatch) is the correct answer because it is a dedicated network visibility and security analytics platform that leverages NetFlow, IPFIX, and other telemetry sources to perform behavioral analysis and detect anomalies across the entire network. Unlike a firewall or switch, its primary function is to ingest flow data and apply machine learning models to identify threats such as lateral movement, data exfiltration, and command-and-control traffic.

Exam trap

The trap here is that candidates confuse a device that generates NetFlow data (like a Catalyst switch) with a tool that analyzes NetFlow data for security anomalies, leading them to select the switch instead of the dedicated analytics platform.

How to eliminate wrong answers

Option A is wrong because Cisco Firepower Threat Defense (FTD) is a next-generation firewall and IPS appliance that inspects packets inline for threats, but it does not provide network-wide visibility or behavioral analysis based on NetFlow; its visibility is limited to traffic passing through the firewall. Option B is wrong because the Cisco Catalyst 9300 Switch is a network switching platform that can generate NetFlow data but lacks the analytics engine to perform behavioral analysis or detect anomalies itself; it is a data source, not an analysis tool. Option C is wrong because Cisco Identity Services Engine (ISE) focuses on identity management, policy enforcement, and network access control (e.g., 802.1X, profiling), not on flow-based anomaly detection or behavioral analysis of network traffic.

96
Multi-Select · easy

A company is creating an incident response policy. Which TWO elements should be included to ensure proper handling of security incidents?

Select 2 answers
A. Contact information for law enforcement
B. A list of employee performance metrics
C. A step-by-step procedure for containment, eradication, and recovery
D. A schedule for quarterly vulnerability scans
E. List of approved vendors for forensic tools
Answers: A, C

Having contact information for law enforcement is a key part of an incident response communication plan.

Why this answer

Option A is correct because an incident response policy must include contact information for law enforcement to ensure timely reporting of crimes such as data breaches or ransomware attacks, as required by regulations like GDPR or state breach notification laws. This enables proper legal handling and chain-of-custody preservation. Option C is correct because a step-by-step procedure for containment, eradication, and recovery is the core operational framework of the NIST SP 800-61 incident response lifecycle, ensuring consistent and effective response actions.

Exam trap

Cisco often tests the distinction between proactive security controls (like vulnerability scans or vendor lists) and reactive incident response procedures, causing candidates to mistakenly include operational or procurement details as policy elements.

97
MCQ · medium

Refer to the exhibit from a Cisco Firepower event. Which action is most appropriate for the analyst?

A. Escalate to law enforcement
B. Investigate the source host for compromise
C. Block the destination IP
D. Disable the intrusion signature
Answer: B

The source is internal and the alert indicates suspicious activity, so the host may be compromised.

Why this answer

The exhibit shows a single intrusion event from a specific source IP to a destination IP. The most appropriate first step is to investigate the source host for compromise because the event indicates a potential exploit attempt originating from that host. Without additional context (e.g., multiple events, confirmed data exfiltration), escalating to law enforcement or blocking the IP is premature, and disabling the signature would blind the sensor to future threats.

Exam trap

Cisco often tests the principle of 'investigate before act' — the trap here is that candidates see a security event and immediately choose a reactive action (block, disable, escalate) instead of the proper investigative step.

How to eliminate wrong answers

Option A is wrong because law enforcement escalation is reserved for confirmed, high-severity incidents (e.g., active data breach, child exploitation) with legal authority, not a single unverified intrusion event. Option C is wrong because blocking the destination IP without first verifying the source host's compromise could disrupt legitimate traffic and fails to address the root cause (the potentially compromised source). Option D is wrong because disabling the intrusion signature would prevent detection of that exploit across all hosts, weakening the security posture and violating the principle of maintaining detection coverage.

98
Multi-Select · medium

Which TWO actions are recommended when tuning IDS signatures to reduce false positives?

Select 2 answers
A. Increase alert severity for all signatures
B. Replace IDS with a next-generation firewall
C. Modify signature thresholds to match typical traffic patterns
D. Disable signatures that generate frequent alerts
E. Whitelist known good behavior
Answers: C, E

Adjusting thresholds reduces false positives.

Why this answer

Options C and E are correct. Modifying thresholds and whitelisting known good behavior are standard tuning practices.

Options A and D are wrong: raising the severity of every signature does nothing to reduce false positives, and disabling signatures that alert frequently is too drastic because it removes detection coverage. Option B is a different solution, not a tuning action.

99
Matching · medium

Match each network protocol to its well-known port number.


Port numbers: 22, 443, 53, 25, 3389

Why these pairings

These are standard well-known port assignments.

100
MCQ · hard

A multinational company has a security policy that all data at rest in cloud storage must be encrypted using company-managed keys. The cloud administrator, due to performance concerns, configured server-side encryption with AWS managed keys instead. The security team discovers this during an audit. The policy does not differentiate between encryption types. The data stored includes financial records. What should the security team do?

A. Perform a risk assessment and present options to management, including the risk of not using company-managed keys.
B. Require the administrator to migrate the data to use company-managed keys immediately.
C. Accept the current configuration and update the policy to allow AWS managed keys for performance.
D. Disable the cloud storage until compliance is achieved.
Answer: A

This informs decision-makers with proper analysis.

Why this answer

Option A is correct because a risk assessment and a management decision balance security and business needs. Option C (accepting the configuration and relaxing the policy) is premature; Option B (forcing immediate migration) might be too disruptive; Option D is extreme.

101
MCQ · medium

During a security incident, an analyst captures network traffic and observes multiple connections from an internal host to a remote IP on port 4444, with irregular packet timing and small payloads. Which type of activity is most likely indicated?

A. C2 beaconing
B. DNS tunneling
C. File transfer
D. VoIP communication
Answer: A

Beaconing involves regular small packets to a command-and-control server.

Why this answer

The observed traffic—multiple connections from an internal host to a remote IP on TCP port 4444, with irregular timing and small payloads—is a classic signature of command-and-control (C2) beaconing. Attackers often use non-standard high ports like 4444 to evade detection, and the irregular intervals (jitter) are intentionally introduced to avoid pattern-based anomaly detection, while small payloads minimize data transfer and reduce the chance of triggering network thresholds.

Exam trap

Cisco often tests the distinction between C2 beaconing and DNS tunneling by presenting port 4444 (a common C2 port) and irregular timing, hoping candidates confuse it with DNS tunneling because both can use small payloads, but DNS tunneling specifically leverages DNS protocol fields and port 53, not a direct TCP connection on a high port.

How to eliminate wrong answers

Option B (DNS tunneling) is wrong because DNS tunneling typically uses UDP port 53 and encodes data within DNS queries/responses, not direct TCP connections to port 4444 with small payloads. Option C (File transfer) is wrong because file transfers usually involve larger, consistent payload sizes and predictable timing (e.g., SMB on port 445 or FTP on port 21), not the irregular, small-payload pattern described. Option D (VoIP communication) is wrong because VoIP uses protocols like SIP (UDP 5060) or RTP (dynamic UDP ports) with real-time, steady packet flows, not irregular TCP connections to a single high port like 4444.

102
MCQ · hard

An organization's security policy requires data classification labels to be applied to all documents. A manager sends a spreadsheet containing employee PII (personally identifiable information) to the entire company without labeling. Which policy has been violated?

A. Acceptable Use Policy
B. Data Classification Policy
C. Remote Access Policy
D. Incident Response Policy
Answer: B

Data classification mandates labeling based on sensitivity.

Why this answer

The data classification policy requires proper labeling. Sending unlabeled PII violates that policy, so Option B is correct.

Option A (acceptable use) might be relevant, but labeling is the core issue. Option D (incident response) applies only after detection. Option C (remote access) is not relevant.

103
Multi-Select · easy

Which two are common techniques used in network intrusion analysis? (Choose two.)

Select 2 answers
A. Threat intelligence feeds
B. Sandboxing
C. Signature-based detection
D. Heuristic analysis
E. Anomaly-based detection
Answers: C, E

Both are common network intrusion detection techniques.

Why this answer

Signature-based detection (C) is a core technique in network intrusion analysis where predefined patterns (signatures) of known attacks—such as specific byte sequences in a packet payload or known malicious IP addresses—are matched against network traffic. This method is highly effective for detecting known threats with low false-positive rates, as it relies on exact pattern matching rather than behavioral baselines.

Exam trap

Cisco often tests the distinction between detection techniques (signature-based and anomaly-based) and supporting tools (threat intelligence feeds, sandboxing) or host-based methods (heuristic analysis), leading candidates to incorrectly select options that are not primary network intrusion analysis techniques.

104
Multi-Select · easy

Which THREE of the following are common indicators of compromise (IOCs) that a security monitoring system might trigger on?

Select 3 answers
A. Unusual outbound network connections to unfamiliar IP addresses.
B. Packets with destination IP addresses from a threat intelligence feed.
C. High CPU usage on a server.
D. Successful logon from a domain administrator account.
E. Changes to critical system files or registry keys.
Answers: A, B, E

Unusual outbound connections are a common C2 indicator.

Why this answer

Unusual outbound network connections to unfamiliar IP addresses are a common indicator of compromise (IOC) because they often signal command-and-control (C2) communication, data exfiltration, or malware beaconing. Security monitoring systems analyze netflow or firewall logs to detect connections to IP addresses not in the organization's baseline or known threat intelligence feeds. This behavior deviates from normal traffic patterns and is a key trigger for alerts in SIEM or IDS/IPS systems.

Exam trap

Cisco often tests the distinction between performance metrics (like CPU usage) and true security indicators, so candidates mistakenly select high CPU usage as an IOC when it is actually a symptom that requires further investigation, not a direct compromise indicator.

105
Multi-Select · hard

Which TWO of the following are valid reasons to create an exception to a security policy? (Choose two.)

Select 2 answers
A. The employee finds the policy inconvenient.
B. The policy is too new and employees are not yet trained.
C. The employee is a senior executive.
D. A business-critical application cannot function with the policy control.
E. Temporary exception to avoid disrupting operations during a migration.
Answers: D, E

If the control breaks a critical app, a temporary exception with compensatory controls may be needed.

Why this answer

Option D is correct because a business-critical application that cannot function with a security policy control represents a legitimate operational need that may require a temporary exception. Security policies should support business objectives, and if a control (e.g., a firewall rule, an antivirus exclusion, or an application whitelisting policy) prevents a critical application from running, an exception can be granted after a risk assessment and compensating controls are implemented. This aligns with the principle of balancing security with business continuity.

Exam trap

Cisco often tests the misconception that seniority or personal inconvenience can justify policy exceptions, but the correct reasoning must always tie back to business continuity or technical necessity, not status or preference.

106
MCQ · easy

A junior analyst reports that the network-based intrusion detection system (NIDS) has been generating alerts for a signature that detects a known exploit of a web server. The alert triggers on every connection to the company's internal web server over port 80. The analyst has verified that the web server is fully patched and the traffic is normal HTTP requests. The analyst asks you for advice. What should you recommend as the first step?

A. Verify that the web server is fully patched and configure a patch management system.
B. Reconfigure the web server to use a non-standard port.
C. Run a packet capture to analyze the HTTP requests.
D. Disable the specific signature for the web server's IP address in the IDS.
Answer: D

This reduces false positives while keeping detection for other servers.

Why this answer

Option D is correct because the NIDS is generating false positives: the signature matches normal HTTP traffic to a fully patched web server. Disabling the signature for that specific IP address eliminates the noise without compromising security, as the server is not vulnerable to the exploit. This is a standard tuning action in intrusion detection to reduce alert fatigue while maintaining coverage for other hosts.

Exam trap

Cisco often tests the candidate's ability to distinguish between a true positive and a false positive, and the trap here is that candidates may choose to investigate further (Option C) or apply a security fix (Option A) instead of recognizing that the immediate priority is to tune the IDS to reduce alert noise.

How to eliminate wrong answers

Option A is wrong because the analyst has already verified the web server is fully patched; re-verifying and configuring a patch management system does not address the false positive alerts from the NIDS. Option B is wrong because changing the web server to a non-standard port is an unnecessary workaround that can break client configurations and does not solve the root cause of the signature triggering on legitimate HTTP traffic. Option C is wrong because running a packet capture to analyze HTTP requests is an investigative step that may be useful later, but it is not the first step; the analyst already confirmed the traffic is normal HTTP requests, so capturing packets adds delay without addressing the immediate false positive issue.

107
Multi-Select · easy

Which TWO of the following are common sources of security events used in security monitoring?

Select 2 answers
A. Employee attendance records
B. Firewall logs
C. Marketing campaign results
D. Company newsletter subscriptions
E. DNS query logs
Answers: B, E

Firewall logs provide information on allowed and denied connections.

Why this answer

Firewall logs (B) are a primary source of security events because they record allowed and denied traffic based on access control lists (ACLs), providing critical data on attempted intrusions, policy violations, and reconnaissance scans. DNS query logs (E) are equally vital as they capture domain resolution requests, enabling detection of malware command-and-control (C2) communication, DNS tunneling, and connections to known malicious domains. Both are standard inputs for SIEM systems and security monitoring platforms.

Exam trap

Cisco often tests the distinction between operational business data (HR, marketing) and actual security telemetry sources, expecting candidates to recognize that only logs from network infrastructure (firewalls, DNS servers, IDS/IPS) generate actionable security events.

108
MCQ · hard

During a security awareness training session, an employee reports they clicked a link in a phishing email but did not enter credentials. Which policy violation is most likely involved?

A. Data classification policy
B. Acceptable use policy
C. Incident reporting policy
D. Password policy
Answer: C

Employees should report suspicious activity; failing to do so is a policy violation.

Why this answer

Option C is correct because clicking a suspected phishing link without reporting it violates the incident reporting policy. Option D is wrong because the employee did not enter credentials, so the password policy is intact. Option B is wrong because the link itself is not necessarily prohibited by the AUP unless it involves inappropriate content.

Option A is wrong because the data classification policy is about handling data, not email links.

109
MCQ · hard

A large e-commerce company experiences a data breach where customer credit card numbers are stolen. The investigation reveals that an attacker exploited a SQL injection vulnerability in the web application to extract the data from the database. The company's web development team claims they use parameterized queries and prepared statements. However, the forensic analysis shows that the injection occurred through a search functionality that concatenates user input directly into the SQL query. The application logs indicate that the search function was developed by a third-party vendor and integrated into the application six months ago. The company wants to prevent such incidents in the future. Which of the following is the most effective long-term solution?

A. Replace the third-party search module with a custom-developed one.
B. Establish a secure software development lifecycle (SSDLC) that includes security reviews for all third-party components.
C. Implement a web application firewall (WAF) with OWASP rules.
D. Conduct regular vulnerability scans and patch management.
Answer: B

An SSDLC integrates security into every phase of development, preventing vulnerabilities from being introduced in the first place.

Why this answer

Option B is correct because the root cause is a failure in the security review process for third-party components. Even though the company uses parameterized queries elsewhere, the third-party search module concatenates user input directly into SQL queries, bypassing that protection. Establishing an SSDLC with mandatory security reviews for all third-party components ensures that such vulnerabilities are caught before integration, addressing the process gap rather than just the symptom.

Exam trap

Cisco often tests the distinction between reactive controls (WAF, patching) and proactive process improvements (SSDLC), leading candidates to choose a technical fix like a WAF instead of addressing the root cause of insecure third-party code integration.

How to eliminate wrong answers

Option A is wrong because simply replacing the third-party module with a custom-developed one does not guarantee security; the custom code could also contain SQL injection flaws if not developed under secure coding practices. Option C is wrong because a WAF is a reactive, signature-based control that can be bypassed by sophisticated SQL injection payloads (e.g., using encoding or obfuscation) and does not fix the underlying insecure code. Option D is wrong because vulnerability scans and patch management are point-in-time checks that may miss logic flaws like SQL injection in custom or third-party code, and they do not enforce secure coding or review processes.

110
MCQ · medium

A security analyst is configuring a new SIEM platform. The organization has multiple log sources, including Windows Event Logs, Linux syslog, and firewall logs. The analyst wants to ensure that logs are not lost if the SIEM becomes unavailable. Which approach best addresses this requirement?

A. Configure the SIEM to pull logs from sources via Syslog over TCP.
B. Configure log sources to send logs to a centralized collector with local storage and forwarding capabilities.
C. Implement log replication between SIEM nodes.
D. Increase the storage capacity of the SIEM to hold more logs.
Answer: B

A collector can buffer logs locally and forward them when the SIEM recovers.

Why this answer

Option B is correct because deploying a centralized collector with local storage and forwarding capabilities creates a buffer that ensures logs are not lost during SIEM unavailability. The collector receives logs from sources, stores them locally (e.g., on disk or in a queue), and forwards them to the SIEM when it becomes available again. This decouples log generation from SIEM ingestion, preventing data loss even during extended outages.

Exam trap

Cisco often tests the distinction between reliable transport (TCP) and guaranteed delivery with buffering; the trap here is assuming that Syslog over TCP alone prevents data loss, when in fact it only ensures in-transit reliability, not resilience against SIEM unavailability.

How to eliminate wrong answers

Option A is wrong because Syslog over TCP provides reliable delivery only if the SIEM is reachable; if the SIEM goes down, the TCP connection fails and logs are dropped (unless the source has its own buffering, which is not guaranteed). Option C is wrong because log replication between SIEM nodes addresses high availability and redundancy of the SIEM itself, but does not protect against data loss if all SIEM nodes become unavailable simultaneously. Option D is wrong because increasing SIEM storage capacity only helps retain more logs once they are ingested; it does nothing to prevent loss during an outage when logs cannot be received.

111
MCQ · hard

An analyst observes that an internal host is sending ICMP echo requests with payloads containing random data to an external IP. The payload size is larger than typical. What is the most likely technique?

A. Ping of death
B. Traceroute
C. Smurf attack
D. ICMP tunneling
Answer: D

ICMP tunneling uses the payload of ICMP packets for covert communication.

Why this answer

ICMP tunneling encapsulates non-ICMP data (e.g., command-and-control traffic) within ICMP echo request/reply packets. The random payload data and larger-than-typical payload size are hallmarks of this technique, as the attacker uses the ICMP protocol to bypass firewalls and exfiltrate data or establish covert communication.

Exam trap

Cisco often tests the distinction between attacks that exploit ICMP for denial of service (e.g., ping of death, Smurf) versus those that use ICMP for covert data transfer (ICMP tunneling), so candidates must focus on the presence of random payload data rather than just the protocol or packet size.

How to eliminate wrong answers

Option A is wrong because a ping of death exploits a buffer overflow by sending an oversized ICMP packet (typically >65535 bytes) to crash the target, not by using random data in normal-sized payloads. Option B is wrong because traceroute uses ICMP echo requests with varying TTL values to map network hops, not random payloads or large payload sizes. Option C is wrong because a Smurf attack sends ICMP echo requests to a broadcast address with a spoofed source IP, causing amplification, not random data in the payload.

112
Multi-Select · medium

Which TWO of the following are key components of a security policy framework according to Cisco? (Choose two.)

Select 2 answers
A. Guidelines
B. Standards
C. Incident Response Plan
D. Audit Logs
E. Firewalls
Answers: A, B

Guidelines offer best practices for policies.

Why this answer

In Cisco's security policy framework, guidelines and standards are foundational components. Guidelines offer recommended practices and flexible advice for implementing security controls, while standards define mandatory, specific technical requirements (e.g., encryption algorithms, password complexity) that must be followed. Together, they provide the structure for consistent security enforcement across an organization.

Exam trap

Cisco often tests the distinction between policy framework components (guidelines, standards) and operational or technical elements (incident response plans, audit logs, firewalls), leading candidates to confuse procedural or tool-based answers with the written policy structure.

113
MCQ · easy

A security policy mandates that all administrative access to network devices must be encrypted. Which of the following protocols should be used to comply with this policy?

A. Telnet
B. SSH
C. TFTP
D. SNMPv2c
Answer: B

SSH provides strong encryption for remote administrative sessions, ensuring compliance.

Why this answer

SSH provides encrypted remote access, meeting the policy requirement. Telnet sends passwords in clear text. TFTP and SNMPv2c are not used for administrative access.

114
Multi-Select · medium

Which TWO of the following are valid sources of security monitoring data in a Cisco security architecture?

Select 2 answers
A. RADIUS accounting
B. SNMP traps
C. Syslog messages
D. WMI queries
E. NetFlow records
Answers: C, E

Syslog is a standard for security event logging.

Why this answer

Syslog messages (C) are a standard protocol for logging events from network devices, servers, and applications, making them a primary source of security monitoring data. NetFlow records (E) provide IP traffic flow statistics, enabling network behavior analysis and anomaly detection. Both are explicitly listed as valid data sources in Cisco's security monitoring architecture.

Exam trap

Cisco often tests the distinction between data sources used for security monitoring (Syslog, NetFlow) versus management or authentication protocols (RADIUS, SNMP, WMI), leading candidates to confuse RADIUS accounting or SNMP traps as valid monitoring inputs.

115
MCQ · medium

During a security incident, an analyst uses Wireshark to examine a pcap. The TCP stream shows the string 'GET /malware.exe HTTP/1.1'. Which is the most likely type of attack?

A. Cross-site scripting
B. Trojan download
C. Directory traversal
D. SQL injection
Answer: B

A request to download an executable is typical of malware delivery.

Why this answer

The TCP stream shows an HTTP GET request for a file named 'malware.exe', which indicates the client is downloading an executable from a server. This is characteristic of a Trojan download attack, where a user is tricked into downloading and executing malicious software, often disguised as a legitimate file. The use of Wireshark to capture the HTTP request confirms the network-level activity of a file transfer, aligning with the Trojan's delivery mechanism.

Exam trap

Cisco often tests the distinction between attack types based on the specific HTTP method and payload; the trap here is that candidates may confuse a simple file download with injection-based attacks like XSS or SQLi, overlooking that the GET request for an executable directly indicates a Trojan download rather than an injection vector.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting malicious scripts into web pages, typically via parameters in HTTP requests or responses, not a direct GET request for an executable file. Option C is wrong because directory traversal attacks exploit path manipulation (e.g., '../') to access restricted files, not a straightforward download of a named executable. Option D is wrong because SQL injection targets database queries through input fields (e.g., in POST data or URL parameters), not a simple GET request for a static file.

116
MCQ · easy

A company's security policy requires that all laptops accessing the corporate network must have full-disk encryption enabled. During a routine audit, an analyst discovers that a manager's laptop does not have encryption enabled. What is the most appropriate first step according to standard security incident response procedures?

A. Disconnect the laptop from the network immediately.
B. Document the finding and escalate to the incident response team.
C. Install encryption software on the laptop without notifying the user.
D. Wipe the laptop and reinstall the operating system.
Answer: B

Proper procedure is to document and escalate; the IR team will handle remediation.

Why this answer

Option B is correct because the first step in standard incident response procedures (as defined by NIST SP 800-61 and Cisco's IR framework) is to document the finding and escalate to the incident response team. This ensures that the potential policy violation is formally recorded and that trained responders can assess the risk, determine if sensitive data was exposed, and coordinate remediation without prematurely destroying evidence or causing operational disruption.

Exam trap

Cisco often tests the distinction between 'immediate containment' and 'proper escalation' in incident response, trapping candidates who confuse a policy violation with an active security breach requiring urgent network disconnection.

How to eliminate wrong answers

Option A is wrong because immediately disconnecting the laptop from the network is a reactive containment step that should only be taken after the incident response team has assessed the situation; doing so prematurely could destroy volatile evidence (e.g., active network connections, running processes) and disrupt legitimate business operations. Option C is wrong because installing encryption software without notifying the user violates change management policies and could overwrite existing data or trigger unintended system behavior, bypassing proper authorization and documentation. Option D is wrong because wiping the laptop and reinstalling the OS is a destructive remediation step that destroys all forensic evidence and should only be performed after a full investigation and data preservation have been completed.

117
MCQ · easy

What is the meaning of this syslog message?

A. A TCP connection from outside to inside was denied.
B. A TCP connection from inside to outside was denied.
C. The access group name is incorrect.
D. A TCP connection was allowed from inside to outside.
Answer: A

The source is outside and destination inside, and it was denied.

Why this answer

The syslog message indicates that a TCP connection attempt from an outside (lower-security) zone to an inside (higher-security) zone was denied by the ASA's implicit or explicit access control. By default, the Cisco ASA denies all inbound traffic from a lower security level to a higher security level unless explicitly permitted by an access-list applied to the interface. The message 'denied' confirms the packet was dropped, not allowed.

Exam trap

Cisco often tests the default security-level behavior of the ASA, where candidates mistakenly assume that all denied traffic is from inside to outside, or that the message indicates an error in the access group name rather than a simple deny action.

How to eliminate wrong answers

Option B is wrong because the message specifies 'outside to inside' (inbound), not 'inside to outside' (outbound). Option C is wrong because the syslog message does not reference an access group name or any configuration error; it simply reports a denied connection. Option D is wrong because the message explicitly states 'denied', not 'allowed', and the direction is outside to inside, not inside to outside.

118
MCQ · hard

A company's security policy includes a clause that all software installed on company devices must be approved by the IT department. An employee installs an unapproved application that later causes a malware infection. Which policy was violated?

A. Incident Response Policy
B. Acceptable Use Policy
C. Data Retention Policy
D. Remote Access Policy
Answer: B

Software installation rules are part of acceptable use.

Why this answer

The Acceptable Use Policy (AUP) defines what activities and software are permitted on company devices. By installing an unapproved application without IT authorization, the employee violated the AUP, which directly led to the malware infection. This policy is the primary control for preventing unauthorized software installations that bypass security baselines.

Exam trap

Cisco often tests the distinction between a proactive policy (AUP) that prevents unauthorized actions and a reactive policy (Incident Response) that handles the aftermath, causing candidates to confuse the policy that was violated with the policy that describes the response to the violation.

How to eliminate wrong answers

Option A is wrong because the Incident Response Policy governs the procedures for detecting, containing, and remediating security incidents after they occur, not the prohibition of unauthorized software installations. Option C is wrong because the Data Retention Policy specifies how long data must be kept and when it should be deleted, and has no relation to software installation approvals. Option D is wrong because the Remote Access Policy controls how external users connect to the internal network (e.g., VPN authentication, split tunneling rules), not the installation of local applications.

119
Multi-Select · easy

An analyst is investigating a host that was compromised via a web exploit. The analyst has a pcap file of the network traffic. Which TWO pieces of evidence would indicate that the attacker established a persistent backdoor?

Select 2 answers
A. A single large file upload to a cloud service
B. Regular beaconing to an external IP on a high port
C. A change in the host's registry
D. An SSH connection from an external IP
E. DNS queries with subdomains that encode data
Answers: B, E

Regular beaconing is a hallmark of persistent C2 communication, indicating a backdoor that periodically checks in.

Why this answer

Regular beaconing to an external IP on a high port (Option B) is a classic indicator of a persistent backdoor because the compromised host periodically initiates outbound connections to a command-and-control (C2) server, often using non-standard high ports (e.g., 4444, 8080, or 1337) to evade firewall rules. This behavior maintains a communication channel that allows the attacker to issue commands or exfiltrate data over time, even if the initial exploit vector is patched.

Exam trap

Cisco often tests the distinction between network-based evidence (pcap) and host-based evidence (registry changes), so candidates may incorrectly select Option C because they confuse persistence mechanisms with the type of data available in a packet capture.

120
Multi-Select · hard

Which THREE are typical sources of log data used in security monitoring? (Choose three.)

Select 3 answers
A. Printer spool logs.
B. HVAC system logs.
C. Windows Event Logs.
D. Firewall logs.
E. DNS server logs.
Answers: C, D, E

Windows Event Logs contain authentication and system events.

Why this answer

Windows Event Logs are a primary source of security monitoring data because they record critical security events such as logon attempts, account changes, and process creation (Event IDs 4624, 4625, 4688). Security Information and Event Management (SIEM) systems ingest these logs to detect unauthorized access, privilege escalation, and malware execution.

Exam trap

Cisco often tests the distinction between logs that are security-relevant versus operational or environmental logs, so candidates mistakenly choose printer or HVAC logs because they are 'logs' in a general sense, but they lack the authentication, network, or system event data required for security monitoring.

121
Multi-Select · medium

A network security monitoring analyst is analyzing firewall logs and sees the following traffic: Source IP 10.1.1.50 to Destination IP 203.0.113.5 on port 443, protocol TCP, with a large amount of data transferred in both directions during business hours. The analyst suspects data exfiltration. Which TWO additional indicators would most strongly support this suspicion? (Choose two.)

Select 2 answers
A. The traffic uses TLS encryption with a self-signed certificate.
B. The destination IP belongs to a cloud storage provider commonly used for backups.
C. The data transfer rate is consistently high for several hours.
D. The destination port is used by a well-known web service.
E. The source IP has never communicated with this destination IP before.
Answers: A, E

Self-signed certificates in data transfers can indicate attempts to hide exfiltration.

Why this answer

Option A is correct because a self-signed TLS certificate is often used by attackers to encrypt exfiltrated data without the overhead of obtaining a legitimate certificate from a trusted CA. Legitimate services typically use certificates signed by a recognized CA, so a self-signed certificate in traffic to an external IP on port 443 is a strong indicator of malicious activity, especially when combined with large data transfers.

Exam trap

Cisco often tests the misconception that any encrypted traffic or high data transfer is automatically suspicious, when in fact the context of the certificate type and communication history is what distinguishes malicious exfiltration from legitimate business use.

122
MCQ · hard

During an incident, a first responder pulls the network cable of a compromised server. Later, the incident response team is unable to collect volatile data such as running processes. Which policy or procedure was violated?

A. Chain of Custody Procedure
B. Incident Response Procedure for evidence preservation
C. Forensic Analysis Procedure
D. Escalation Procedure
Answer: B

Immediate disconnection prevented capture of volatile data.

Why this answer

Incident response procedures typically require preserving volatile data before disconnecting. Option B is correct. Option A (chain of custody) is about evidence handling.

Option C (forensic analysis) is a later step. Option D (escalation) is not the core issue.

123
Multi-Select · easy

Which two pieces of evidence are strong indicators of compromise (IOC) in network traffic?

Select 2 answers
A. Communication with a known malicious IP address
B. Encrypted traffic using unrecognized SSL certificates
C. Regular DNS queries to corporate DNS servers
D. Normal SMTP traffic to internal mail server
E. Standard HTTP traffic to a known content delivery network
Answers: A, B

Malicious IPs are direct IOCs.

Why this answer

Communication with a known malicious IP address is a strong indicator of compromise because it directly suggests the host is interacting with a command-and-control (C2) server or a malware distribution point. Threat intelligence feeds and blocklists (e.g., AlienVault OTX, MISP) provide curated lists of known malicious IPs; matching traffic to these lists provides high-fidelity evidence of an active compromise.

Exam trap

Cisco often tests the distinction between 'normal' traffic and 'anomalous' traffic, and the trap here is that candidates may mistake encrypted traffic (Option B) as always suspicious, but the question asks for 'strong indicators' — and unrecognized SSL certificates are indeed a strong IOC, while regular DNS, SMTP, and CDN traffic are not.

124
Multi-Select · easy

A security analyst is implementing multifactor authentication. Which TWO are considered factors? (Select two.)

Select 2 answers
A. Password
B. Last login time
C. User ID
D. Security group membership
E. RSA token
Answers: A, E

Password is a knowledge factor.

Why this answer

A password is a knowledge factor (something you know), which is one of the three primary categories of authentication factors. Multifactor authentication requires combining two or more distinct factors, and a password satisfies the 'something you know' requirement. Without a password, the authentication process would lack the knowledge-based element needed for multifactor verification.

Exam trap

Cisco often tests the distinction between identification (user ID) and authentication (factors that prove identity), leading candidates to mistakenly select user ID as a factor when it is only an identifier.

125
MCQ · hard

Refer to the exhibit. A security analyst reviews the access list. Senior management has authorized SSH access (port 22) to external servers only from the 10.1.1.0/24 and 10.1.2.0/24 subnets. What is the most significant security flaw in this ACL?

A. The destination 'any' allows SSH to any external server, which is too permissive
B. The ACL permits SSH from unauthorized IP addresses
C. The ACL sequence is illogical; line 30 should be before lines 10 and 20
D. The permit ip any any at the end allows all unexamined traffic, potentially bypassing other security controls
Answer: D

A broad permit all at the end can mask unintended traffic. Better practice is to explicitly deny any traffic not permitted.

Why this answer

Option D is correct. The ACL permits all other traffic (line 40) after denying SSH from other sources. This bypasses any additional restrictions; the intent might be to allow only specific IPs for SSH, but the permit ip any any at the end allows all other traffic, which could include other unwanted protocols.

Option A is incorrect because line 40 permits everything. Option B is wrong because the source is correctly the internal subnets. Option C is wrong because ACLs are sequence-dependent, but line 30 only denies SSH from other sources.

126
MCQ · medium

What does this firewall log entry indicate?

A. Outbound HTTP connection denied
B. Inbound HTTP connection allowed
C. Inbound HTTP connection denied
D. Outbound HTTP connection allowed
Answer: C

Source outside, destination inside port 80, and action is deny.

Why this answer

The firewall log entry shows a packet with source IP 10.0.0.2 (internal) and destination IP 203.0.113.5 (external) on destination port 80 (HTTP). The action is 'DENY' and the direction is 'inbound', meaning the firewall denied an incoming connection attempt from the external host to the internal host. Since the destination port is HTTP, this is an inbound HTTP connection that was denied.

Exam trap

Cisco often tests the distinction between the source/destination IP addresses and the firewall's direction field; candidates mistakenly assume that if the source IP is internal, the traffic must be outbound, but the direction field indicates the flow relative to the firewall's interfaces, not the IP addresses.

How to eliminate wrong answers

Option A is wrong because the log indicates an inbound connection (external to internal), not outbound; the source is internal and destination is external, but the direction field says 'inbound', which refers to the traffic flow relative to the firewall's perspective. Option B is wrong because the action is 'DENY', not 'ALLOW', so the connection was not allowed. Option D is wrong because the connection is inbound, not outbound, and it was denied, not allowed.

127
MCQ · medium

A company uses Microsoft Windows Event Logging for host monitoring. The security team receives an alert from a Windows 10 workstation 'WS-102' indicating multiple failed logon attempts (Event ID 4625) within a short period from an internal IP address 10.10.10.50, followed by a successful logon (Event ID 4624) for user 'jdoe'. Shortly after, Event ID 4688 (Process Creation) shows 'cmd.exe' started by 'explorer.exe' with a command line launching 'powershell.exe -EncodedCommand ...'. The encoded command decodes to a script that attempts to download a payload from a remote server. The analyst needs to determine the most effective immediate response to limit lateral movement and impact.

A. Restore WS-102 from a known good backup and ignore the alert as a false positive.
B. Immediately reset the password for user 'jdoe', block outbound traffic to the remote server at the firewall, and initiate an incident response process.
C. Run a full antivirus scan on WS-102 and isolate it.
D. Disable the user account 'jdoe' and investigate the source IP 10.10.10.50.
Answer: B

Resets credentials, stops C2 communication, and begins formal response.

Why this answer

Option B is correct because the sequence of events—brute-force logon attempts followed by a successful logon and then an encoded PowerShell command attempting to download a payload—indicates a confirmed compromise. Resetting the password for 'jdoe' immediately revokes the attacker's authenticated access, blocking outbound traffic to the remote server prevents the payload download and C2 communication, and initiating incident response ensures proper containment and investigation. This combination directly limits lateral movement by cutting off the attacker's credentials and network egress.

Exam trap

Cisco often tests the distinction between reactive steps (like scanning or disabling accounts) and proactive containment actions that immediately cut off the attacker's access and communication channels, leading candidates to choose a less effective response that does not address both credential compromise and network egress.

How to eliminate wrong answers

Option A is wrong because restoring from backup ignores the active compromise and fails to contain the threat; the alert is not a false positive given the clear indicators of attack (failed logons, successful logon, encoded PowerShell download). Option C is wrong because running a full antivirus scan is a slow, passive step that does not immediately stop the attacker's access or the ongoing download; isolation alone does not revoke the compromised credentials or block the outbound connection to the remote server. Option D is wrong because disabling only the user account 'jdoe' does not block the outbound traffic to the remote server, allowing the payload download to complete; investigating the source IP is important but not the most effective immediate response to limit lateral movement.

128
MCQ · easy

A security analyst notices a sudden spike in NetFlow data from a single workstation to multiple external IP addresses on port 443. What is the most likely explanation for this traffic pattern?

A. Internal network scanning
B. Normal web browsing activity
C. Potential data exfiltration
D. A scheduled software update
Answer: C

Multiple connections to many external IPs on the same port (443) at a high rate suggests beaconing or data theft.

Why this answer

A single workstation sending a sudden spike of NetFlow data to multiple external IP addresses on port 443 (HTTPS) is a classic indicator of data exfiltration. Attackers often encrypt stolen data in HTTPS tunnels to evade detection, and the abrupt increase in outbound connections to many distinct external hosts is not typical of normal user behavior. NetFlow records showing a high volume of flows from one source to many destinations on the same port strongly suggest an automated process, such as a data theft tool, rather than legitimate traffic.

Exam trap

Cisco often tests the misconception that any HTTPS traffic is benign, but the trap here is that a sudden spike in outbound HTTPS flows from a single source to many external IPs is abnormal and indicates data exfiltration, not normal web browsing.

How to eliminate wrong answers

Option A is wrong because internal network scanning would target internal IP addresses, not external IP addresses, and would typically use ICMP or ports such as TCP 445/3389, not exclusively port 443. Option B is wrong because normal web browsing activity is distributed across many users and times, not a sudden spike from a single workstation to multiple external IPs; a single user's browsing would not generate a sharp, sustained increase in NetFlow data volume. Option D is wrong because a scheduled software update usually contacts a single known update server or a few of them (e.g., Microsoft or Adobe CDNs), not multiple random external IPs, and updates typically use HTTP/HTTPS with predictable patterns and destinations.

129
Multi-Select · easy

A security policy requires that employees use strong passwords. Which TWO of the following are characteristics of a strong password? (Select two.)

Select 2 answers
A. Uses a mix of uppercase, lowercase, numbers, and special characters
B. Is changed every 90 days
C. Is a common dictionary word
D. Contains the user's username
E. At least 8 characters
Answers: A, E

Complexity increases entropy and resistance to cracking.

Why this answer

Options A and E are correct because password complexity and length increase strength. Option D is wrong because including the username weakens the password. Option C is wrong because dictionary words are easily guessed.

Option B is about password age, not strength.

130
MCQ · medium

A network engineer configures a SPAN port to send traffic from a critical server to an IDS. After configuration, the IDS sees no traffic. What is the most likely issue?

A. The IDS is in a different subnet.
B. The monitor session source interface is incorrectly specified.
C. The SPAN destination interface is not connected to the IDS.
D. The server is using VLAN tagging.
Answer: B

Common misconfiguration; wrong VLAN or port.

Why this answer

The most likely issue is that the monitor session source interface is incorrectly specified. SPAN (Switched Port Analyzer) requires the engineer to designate the correct source interface (the port connected to the critical server) and a destination interface (the port connected to the IDS). If the source interface is misconfigured—for example, pointing to the wrong switch port or using a VLAN instead of a specific port—the IDS will receive no mirrored traffic.

This is a common configuration error when setting up local SPAN on Cisco switches.

Exam trap

Cisco often tests the distinction between source and destination misconfiguration in SPAN, trapping candidates who assume the IDS must be in the same subnet (Option A) or that VLAN tagging (Option D) would block mirrored traffic, when the real issue is an incorrect source interface specification.

How to eliminate wrong answers

Option A is wrong because the IDS being in a different subnet does not prevent SPAN from sending traffic to it; SPAN operates at Layer 2 and forwards frames regardless of IP subnet, as long as the destination interface is correctly connected and configured. Option C is wrong because if the SPAN destination interface were not connected to the IDS, the IDS would not be physically linked, which would be a cabling or connectivity issue, but the question states the IDS sees no traffic, implying a configuration problem rather than a physical disconnection. Option D is wrong because VLAN tagging on the server does not inherently block SPAN; SPAN can copy tagged frames, and the IDS would still see them if the source interface is correctly specified and the destination interface is configured to accept tagged traffic.

131
MCQ · easy

A company wants to protect its internal network from external threats. Which security principle involves deploying multiple layers of security controls?

A. Least privilege
B. Defense in depth
C. Risk management
D. Separation of duties
Answer: B

Defense in depth uses multiple security layers to provide redundancy.

Why this answer

Defense in depth (option B) is the correct answer because it describes the strategy of layering independent security controls—such as firewalls, intrusion prevention systems (IPS), endpoint protection, and access controls—so that if one layer fails, another can still block or mitigate an attack. This principle ensures that no single point of failure can compromise the entire network, which is essential for protecting internal assets from external threats.

Exam trap

Cisco often tests the distinction between a broad security strategy (defense in depth) and a specific access control principle (least privilege), so candidates mistakenly choose least privilege when they see 'multiple layers' because they confuse 'layers of permissions' with 'layers of controls.'

How to eliminate wrong answers

Option A (Least privilege) is wrong because it focuses on granting users only the minimum permissions needed to perform their tasks, not on deploying multiple layers of security controls. Option C (Risk management) is wrong because it is a broader process of identifying, assessing, and prioritizing risks, not a specific design principle for implementing layered defenses. Option D (Separation of duties) is wrong because it prevents fraud or error by dividing critical tasks among multiple individuals, which is an administrative control, not a technical architecture for layered security.

132
MCQ · hard

You are a security analyst for a mid-sized company with a flat network topology. The company uses a single firewall for internet access and has no internal segmentation. Recently, the IT team deployed a new file server running Windows Server 2019. The server was configured with default settings and placed in the same subnet as all user workstations. Two weeks later, the helpdesk receives multiple complaints about slow network performance. Upon investigation, you notice the file server's network interface is sending a high volume of broadcast traffic. Additionally, you find that the server's firewall is disabled and it is running an outdated SMBv1 protocol. The CEO is concerned about potential data loss and asks for immediate remediation. Which of the following is the most effective and immediate course of action to address the most critical security vulnerability?

A. Enable the Windows Firewall on the file server and create rules to allow only essential traffic.
B. Configure the switch to block broadcast traffic on the file server's port.
C. Create VLANs to segment the file server from user workstations.
D. Disable SMBv1 on the file server using PowerShell or Registry.
Answer: D

This directly removes the critical vulnerability exploited by malware.

Why this answer

D is correct because the most critical security vulnerability is the outdated SMBv1 protocol, which is known to be exploited by ransomware such as WannaCry through the EternalBlue exploit. Disabling SMBv1 immediately removes this attack vector, addressing the CEO's concern about potential data loss. While the broadcast traffic and disabled firewall are issues, SMBv1 poses a direct and severe risk to data integrity and confidentiality.

Exam trap

Cisco often tests the concept that while network segmentation and firewalls are important security controls, they do not eliminate the underlying protocol vulnerability; the trap here is that candidates may focus on the broadcast traffic symptom or choose a slower, less direct solution like VLANs instead of the immediate fix of disabling the vulnerable service.

How to eliminate wrong answers

Option A is wrong because enabling the Windows Firewall, while beneficial, does not address the SMBv1 vulnerability; the firewall would still allow SMB traffic on port 445 if not explicitly blocked, and the outdated protocol remains exploitable. Option B is wrong because blocking broadcast traffic on the switch port would disrupt legitimate network discovery and communication (e.g., NetBIOS name resolution), and it does not mitigate the SMBv1 security flaw. Option C is wrong because creating VLANs is a longer-term segmentation strategy that requires network reconfiguration and does not provide immediate remediation; it also does not directly disable the vulnerable SMBv1 protocol.

133
MCQ · medium

A host-based analysis tool reports that a file has a digital signature that is valid but from an untrusted publisher. What should the analyst interpret from this?

A. The file is definitely malicious because the publisher is untrusted
B. The file's signature was revoked
C. The file may be malicious or legitimate; further analysis is needed
D. The file is definitely safe because the signature is valid
Answer: C

The signature chain is technically valid, but the publisher is not trusted by default. Requires contextual analysis.

Why this answer

A valid digital signature confirms the file has not been tampered with since signing, but it does not guarantee the publisher is trustworthy. An untrusted publisher means the signing certificate is not in the system's trusted root store or has been flagged by a security policy, so the file could be either legitimate (e.g., from a new or self-signed publisher) or malicious (e.g., signed with a stolen certificate). Therefore, further analysis—such as checking the file's reputation, behavior, or origin—is required to determine its safety.

Exam trap

Cisco often tests the distinction between signature validity (cryptographic integrity) and publisher trust (certificate chain trust), leading candidates to mistakenly equate a valid signature with safety or an untrusted publisher with guaranteed malice.

How to eliminate wrong answers

Option A is wrong because a valid signature from an untrusted publisher does not automatically mean the file is malicious; the publisher may simply not be in the trusted store (e.g., a self-signed certificate). Option B is wrong because a revoked signature would be reported as invalid, not as valid but from an untrusted publisher; revocation is checked via CRL or OCSP and would cause the signature to fail verification. Option D is wrong because a valid signature does not imply safety; the publisher could be malicious or compromised, and the signature only ensures integrity, not trustworthiness.

134
Drag & Drop · medium

Drag and drop the steps for initial configuration of a Cisco IOS device after booting into the correct order.


Why this order

After booting, you must enter privileged mode, then global config, set hostname, set enable secret, and save.

135
MCQ · medium

A user reports receiving an email with an urgent request to click a link and reset a password. The email appears to come from the company's IT department but has slight spelling errors. Which type of attack is this?

A. Phishing
B. Spear phishing
C. Whaling
D. Vishing
Answer: B

Spear phishing is targeted, often impersonating a trusted entity.

Why this answer

Spear phishing is a targeted phishing attack where the attacker customizes the email content for a specific individual or group, often using internal details (like the IT department) to increase credibility. The presence of slight spelling errors is a common indicator of a phishing attempt, but the targeted nature (appearing to come from the company's IT department) distinguishes this as spear phishing rather than generic phishing.

Exam trap

Cisco often tests the distinction between generic phishing and spear phishing by including a detail that indicates targeting (like referencing a specific department or role), leading candidates to incorrectly choose 'Phishing' when the scenario clearly shows targeted customization.

How to eliminate wrong answers

Option A is wrong because phishing is a broad, untargeted attack sent to many users, whereas this scenario describes a targeted email appearing to come from the company's IT department, which is characteristic of spear phishing. Option C is wrong because whaling targets high-profile executives (e.g., CEO, CFO) with highly personalized content, not a general user reporting an IT password reset request. Option D is wrong because vishing (voice phishing) uses phone calls or voice messages, not email, to trick victims into revealing sensitive information.

136
MCQ · hard

An analyst uses Wireshark to investigate a suspicious download. The TCP stream shows a GET request for a .exe file from an external IP, followed by a 200 OK response. The response contains the file but the last packet in the stream has a FIN flag set from the server. The client sends an ACK but then immediately sends a RST. What does this behavior suggest?

A. The client application crashed after receiving the file
B. Normal completion of download
C. The server is performing a delayed response
D. The client intentionally terminated the connection to evade detection
Answer: D

RST after receiving data can be used to avoid logging.

Why this answer

The client sending a RST immediately after acknowledging the FIN indicates an abnormal termination. In a normal TCP teardown, the client would send its own FIN to close the connection gracefully. The RST suggests the client application intentionally aborted the connection, which is a common evasion technique to avoid detection by network monitoring tools that may not fully process the RST.

Exam trap

Cisco often tests the difference between a graceful TCP teardown (FIN/ACK exchange) and an abrupt reset (RST), and the trap here is assuming that any ACK followed by a RST indicates a crash or normal behavior, rather than recognizing the RST as an intentional evasion tactic.

How to eliminate wrong answers

Option A is wrong because a crash would likely result in no ACK or a RST without a preceding ACK, but here the client properly ACKs the FIN before sending the RST, indicating intentional action. Option B is wrong because a normal completion involves a graceful four-way handshake (FIN from server, ACK from client, FIN from client, ACK from server), not a RST. Option C is wrong because a delayed response would manifest as a long gap before the server sends data or FIN, not as a client-initiated RST after the transfer completes.

137
MCQ · medium

A security analyst notices repeated failed login attempts to a critical server from a single external IP address over the past 30 minutes. The SIEM has a correlation rule that triggers an alert when the threshold of 10 failed attempts in 5 minutes is exceeded. However, no alert was generated. What is the most likely cause?

A. The SIEM is not receiving logs from the authentication server.
B. The correlation rule uses a sliding window, and the failed attempts occurred over more than 5 minutes.
C. The analyst is monitoring the wrong log source.
D. The SIEM correlation rule requires a minimum of 15 failed attempts.
Answer: B

Threshold not met in any 5-minute window.

Why this answer

Option B is correct because the SIEM correlation rule uses a sliding window that triggers an alert only when 10 failed attempts occur within a 5-minute window. Since the analyst observed repeated failed attempts over 30 minutes, the attempts are spread across multiple 5-minute windows, so no single window exceeds the threshold. This is a classic case where the event frequency is high overall but does not meet the rule's temporal aggregation criteria.

Exam trap

Cisco often tests the distinction between event frequency over a long period versus event rate within a specific time window, trapping candidates who assume any repeated failed login attempts will trigger an alert regardless of the correlation rule's temporal constraints.

How to eliminate wrong answers

Option A is wrong because if the SIEM were not receiving logs from the authentication server, the analyst would not have observed any failed login attempts at all, but the analyst explicitly notes repeated failed attempts. Option C is wrong because the analyst is monitoring the correct log source (the critical server's authentication logs) as evidenced by the observed failed attempts; the issue is with the correlation rule's window, not the log source. Option D is wrong because the question states the threshold is 10 failed attempts in 5 minutes, not 15; the rule's threshold is clearly defined and not misconfigured to a higher value.

138
MCQ · medium

Refer to the exhibit. A security analyst observes these syslog messages from an ASA firewall. Based on the messages, which type of activity is most likely occurring?

A.An inside host attempting to access a web server on the outside
B.A denial of service attack flooding the firewall
C.An external host scanning internal hosts for open port 80
D.Successful web traffic from an external client
AnswerC

Multiple connection attempts to the same IP and port indicate a scan.

Why this answer

Option C is correct. The messages show multiple connection attempts from the same source IP to the same destination IP and port, with increasing source ports. This pattern indicates a port scan, specifically a TCP port scan against port 80.

Option A is wrong because it describes an inside host initiating connections, the opposite direction from what the messages show. Option B is wrong because a denial of service flood would involve a high volume of traffic or many destinations rather than a series of probes. Option D is wrong because successful web traffic would show completed connections, not repeated attempts.

139
MCQeasy

A company wants to ensure that employees report security incidents immediately. Which policy element is most important to include?

A.Specify encryption standards for data at rest
B.List acceptable uses of company resources
C.Define mandatory reporting procedures and contact information
D.Require complex passwords for all accounts
AnswerC

Clear procedures encourage timely reporting.

Why this answer

Option C is correct because the core purpose of an incident response policy is to ensure timely reporting. Without mandatory reporting procedures and clear contact information, employees may delay or fail to report security incidents, increasing dwell time and potential damage. This directly supports the incident response lifecycle (NIST SP 800-61) by establishing a clear chain of communication for initial detection and reporting.

Exam trap

Cisco often tests the distinction between preventive/technical controls (encryption, passwords, acceptable use) and procedural/response controls (reporting procedures), leading candidates to confuse a security best practice with the specific policy element needed for incident reporting.

How to eliminate wrong answers

Option A is wrong because encryption standards for data at rest are a data protection control, not a reporting mechanism; they do not address the immediate notification of security incidents. Option B is wrong because acceptable use policies govern proper resource usage, not the process for reporting incidents when they occur. Option D is wrong because requiring complex passwords is an authentication strength measure, unrelated to the procedural requirement of reporting security events.

140
MCQmedium

Refer to the exhibit. What traffic is the router permitting?

A.Telnet
B.HTTP
C.SSH
D.FTP
AnswerC

Port 22 is used by SSH.

Why this answer

The router is permitting SSH traffic because the access control list (ACL) matches TCP port 22, which is the default port for SSH. SSH provides encrypted remote administration, and the ACL entry permits inbound TCP connections to port 22, allowing secure shell access to the router.

Exam trap

Cisco often tests the association between common services and their default port numbers, and the trap here is confusing SSH (port 22) with Telnet (port 23) or assuming HTTP/HTTPS (ports 80/443) are permitted when only port 22 is explicitly allowed.

How to eliminate wrong answers

Option A is wrong because Telnet uses TCP port 23, not port 22, and the ACL specifically permits port 22. Option B is wrong because HTTP uses TCP port 80, which is not matched by the ACL. Option D is wrong because FTP uses TCP ports 20 and 21, neither of which is port 22.

141
MCQmedium

A security analyst reviews logs and finds multiple failed login attempts from a single IP. This is indicative of what type of attack?

A.Man-in-the-middle
B.Phishing
C.DDoS
D.Brute-force
AnswerD

Repeated failed login attempts from one source suggest a brute-force attack.

Why this answer

Multiple failed login attempts from a single IP address are characteristic of a brute-force attack, where an attacker systematically tries many passwords (or usernames) against a single account or service until successful. This pattern is distinct from other attack types because it involves repeated authentication attempts from one source, aiming to guess credentials rather than intercept traffic, deceive users, or overwhelm resources.

Exam trap

Cisco often tests the distinction between a brute-force attack (single source, many attempts) and a DDoS attack (many sources, high volume of traffic), so the trap here is confusing a single-source authentication attack with a distributed resource exhaustion attack.

How to eliminate wrong answers

Option A is wrong because a man-in-the-middle attack involves an attacker intercepting and potentially altering communications between two parties (e.g., ARP spoofing or SSL stripping), not repeated login attempts from a single IP. Option B is wrong because phishing relies on social engineering to trick users into revealing credentials or sensitive information via deceptive emails or websites, not on automated, repeated login attempts. Option C is wrong because a DDoS (Distributed Denial of Service) attack aims to overwhelm a target with traffic from multiple sources to disrupt service, not to guess passwords via repeated login failures from a single IP.

142
MCQeasy

A security policy states that user activity logs must be retained for at least one year. What is the primary purpose of this requirement?

A.To support forensic investigations of security incidents
B.To improve system performance through log analysis
C.To comply with regulatory requirements only
D.To enable real-time monitoring of user behavior
AnswerA

Logs provide evidence for post-incident analysis.

Why this answer

The primary purpose of retaining user activity logs for at least one year is to support forensic investigations of security incidents. When a breach or policy violation occurs, security analysts need historical log data to reconstruct the timeline of events, identify the initial compromise vector, and determine the scope of damage. Without long-term retention, critical evidence may be overwritten or purged before an incident is discovered, making root cause analysis impossible.

Exam trap

Cisco often tests the distinction between the operational benefit (performance tuning) and the security purpose (forensic investigation), leading candidates to choose the compliance option because they confuse a regulatory driver with the underlying security objective.

How to eliminate wrong answers

Option B is wrong because log analysis for performance tuning is a secondary operational benefit, not the primary security-driven reason for a one-year retention mandate; performance analysis typically uses shorter-term metrics. Option C is wrong because while regulatory compliance (e.g., PCI DSS, HIPAA) often mandates retention periods, the question asks for the primary purpose, which is forensic investigation — compliance is a driver, not the purpose itself. Option D is wrong because real-time monitoring relies on current log streams, not historical data retained for a year; long-term retention is for post-incident analysis, not immediate alerting.

143
MCQeasy

A network engineer sees the following event in the firewall logs: 'STATUS: intrusion prevented, action: drop, signature: "SQL Injection - SELECT"' on traffic from internal IP to a web server. What type of attack was detected?

A.Command injection
B.Buffer overflow
C.Cross-site scripting
D.SQL injection
AnswerD

The signature name directly matches SQL injection attack.

Why this answer

The log entry explicitly states 'SQL Injection - SELECT' as the signature, which directly identifies the attack as SQL injection. The firewall detected a malicious SQL query (e.g., a SELECT statement with crafted input) in the traffic from an internal IP to a web server and dropped it, preventing the attack. SQL injection exploits improper input validation in web applications to manipulate backend databases.

Exam trap

Cisco often tests the ability to distinguish between web application attacks (SQL injection vs. XSS vs. command injection) by focusing on the specific payload or signature keywords in logs, where candidates may confuse 'injection' with command injection or misinterpret the 'SELECT' keyword as a generic query rather than SQL-specific.

How to eliminate wrong answers

Option A is wrong because command injection involves executing arbitrary OS commands on the server (e.g., via shell metacharacters like ';' or '|'), not SQL queries; the signature explicitly mentions 'SQL Injection', not command execution. Option B is wrong because a buffer overflow attack exploits memory corruption by overflowing a buffer (e.g., stack or heap) to execute arbitrary code, which is unrelated to SQL query manipulation. Option C is wrong because cross-site scripting (XSS) injects malicious client-side scripts (e.g., JavaScript) into web pages viewed by other users, not SQL statements targeting the database.

144
MCQhard

Which type of attack does this Snort rule detect?

A.Cross-site scripting
B.Buffer overflow
C.SQL injection
D.Directory traversal
AnswerC

UNION SELECT is a SQL injection technique used to combine query results.

Why this answer

Option C is correct because the Snort rule detects SQL injection by matching the pattern 'union select' in the HTTP request body. SQL injection attacks manipulate database queries by injecting malicious SQL statements, and the rule's content match for 'union select' is a classic indicator of a UNION-based SQL injection attempt.

Exam trap

Cisco often tests the ability to distinguish attack types by their payload signatures, and the trap here is that candidates may confuse SQL injection with cross-site scripting because both involve injecting code into web applications, but the specific payload (SQL keywords vs. HTML/JavaScript) is the key differentiator.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) typically involves injecting JavaScript or HTML tags (e.g., <script>alert('XSS')</script>) into web pages, not SQL keywords like 'union select'. Option B is wrong because buffer overflow attacks exploit memory corruption by sending excessive data to overflow buffers, often using patterns like long strings of 'A's or shellcode, not SQL syntax. Option D is wrong because directory traversal attacks use path manipulation sequences like '../' or '..\' to access restricted files, not SQL commands like 'union select'.

145
MCQmedium

You are a security analyst at a healthcare organization. The organization uses Cisco Stealthwatch for network visibility and a SIEM for event correlation. You receive an alert that a medical records database server (IP 10.0.3.20) is communicating with an external IP (198.51.100.100) on port 22 (SSH) at 2:00 AM. The database server should have no outbound SSH connections; only remote administration is allowed from a management subnet via VPN. You check Stealthwatch and see that the connection duration is 30 minutes and the volume of data transferred is 500 MB. The database server logs show no local account logins at that time. The firewall logs show that the connection was initiated from the database server. The incident response team has been alerted. What is the most likely scenario and your immediate action?

A.Change the database administrator password immediately
B.Check if the SSH connection was an authorized remote administration session
C.Investigate the database server logs for signs of compromise before taking action
D.Block the external IP 198.51.100.100 on the firewall and isolate the database server
AnswerD

Blocking the IP stops the exfiltration, and isolation prevents further compromise.

Why this answer

The database server is initiating an outbound SSH connection to an unknown external IP at an anomalous time, transferring 500 MB of data—far beyond typical administrative traffic. This behavior, combined with no local account logins and the server's policy prohibiting outbound SSH, strongly indicates compromise (e.g., an attacker using SSH for data exfiltration). Immediate isolation and blocking the external IP are critical to contain the threat and prevent further data loss, aligning with incident response best practices.

Exam trap

Cisco often tests the candidate's ability to prioritize containment over investigation in active incident response scenarios, trapping those who choose to investigate first (Option C) instead of immediately isolating the compromised asset.

How to eliminate wrong answers

Option A is wrong because changing the database administrator password is a reactive step that does not address the active, ongoing data exfiltration; the attacker may already have persistent access or credentials, and isolation must come first. Option B is wrong because the scenario explicitly states that remote administration is only allowed from a management subnet via VPN, and the connection is from the database server to an external IP at 2:00 AM—this cannot be an authorized session. Option C is wrong because while investigating logs is important, the immediate action must be containment (isolation and blocking) to stop the active data transfer; waiting to investigate first risks further data loss and gives the attacker time to cover tracks.

146
MCQeasy

An analyst sees an alert from the IDS: 'ET TROJAN Possible Zeus Variant Outbound Connection'. What action should the analyst take first?

A.Block the IP address on the firewall
B.Ignore the alert as a false positive
C.Investigate the source host for signs of compromise
D.Reimage the host immediately
AnswerC

Investigation confirms if the alert is valid.

Why this answer

Option C is correct because the first priority when an IDS alerts on a possible Zeus variant (a known Trojan) is to investigate the source host to confirm or rule out compromise. Zeus is a credential-stealing Trojan that often establishes outbound C2 (command-and-control) traffic; blindly blocking the IP (A) could disrupt the investigation and may not stop the malware if it uses domain flux or multiple IPs. Reimaging (D) destroys forensic evidence, and ignoring the alert (B) is negligent given the severity of Zeus.

The analyst must perform host-based analysis (e.g., check processes, registry, network connections) to validate the alert before taking containment actions.

Exam trap

Cisco often tests the principle that IDS/IPS alerts require verification before action—candidates mistakenly choose to block or reimage immediately, but the correct first step is always to investigate the affected host to confirm the alert and preserve evidence.

How to eliminate wrong answers

Option A is wrong because blocking the IP address on the firewall may disrupt the C2 channel but does not address the root cause—the host may still be compromised and could use other IPs or domains (e.g., via DGA). Additionally, blocking without investigation could alert the attacker and destroy forensic evidence. Option B is wrong because ignoring the alert as a false positive is premature; Zeus variants are high-severity threats, and IDS alerts should always be triaged—especially when the signature explicitly names a known Trojan family.

Option D is wrong because reimaging the host immediately destroys volatile data (e.g., memory, running processes, network connections) that are critical for understanding the infection vector and scope of compromise, and it may violate incident response procedures.

147
MCQeasy

A hospital's network security team has received reports from nurses that the patient record system has become unresponsive. Upon investigation, the IT administrator finds that the database server is experiencing extremely high disk I/O and the system logs show repeated failed login attempts from an internal IP address that belongs to a medical imaging device. The imaging device is known to run an outdated embedded OS that cannot be patched. The device is isolated on its own VLAN, but the VLAN is allowed to communicate with the database server on TCP port 1433 for legitimate purposes. The attack logs show that the database server is being targeted with a dictionary attack using the default 'sa' account. What should the security analyst do first to contain the incident without disrupting critical medical operations?

A.Block the imaging device's IP address at the core firewall.
B.Take the imaging device offline immediately and isolate it from the network.
C.Disable the VLAN allowing communication between the imaging device and the database server.
D.Change the database server's 'sa' account password and implement account lockout policies.
AnswerD

This stops the ongoing dictionary attack without disrupting other services, because it addresses the specific targeted account rather than the network path.

Why this answer

Option D is correct because the immediate priority is to stop the ongoing dictionary attack against the database server's 'sa' account without disrupting critical medical operations. Changing the 'sa' password and implementing account lockout policies directly mitigates the brute-force attack at the authentication layer, while leaving the imaging device and its VLAN operational so that legitimate medical imaging traffic can continue. This containment step buys time for a more permanent solution, such as replacing or further isolating the vulnerable device.

Exam trap

Cisco often tests the principle of 'least disruption' in incident response, and the trap here is that candidates instinctively choose network-level blocks (firewall or VLAN disable) without considering that the attack is credential-based and can be contained at the application layer, preserving critical business functions.

How to eliminate wrong answers

Option A is wrong because blocking the imaging device's IP at the core firewall would disrupt legitimate communication on TCP port 1433, potentially halting critical medical imaging workflows and violating the requirement to not disrupt operations. Option B is wrong because taking the imaging device offline immediately would stop all legitimate imaging traffic, causing direct disruption to patient care; the device is isolated on its own VLAN and the attack is against the database, not the device itself. Option C is wrong because disabling the entire VLAN would cut off all communication between the imaging device and the database server, including legitimate traffic, which would disrupt medical operations and is not a targeted containment measure.

148
Matchingmedium

Match each log severity level to its description (syslog).


System is unusable

Immediate action required

Critical conditions

Error conditions

Warning conditions

Why these pairings

Syslog severity levels range from 0 (Emergency) to 7 (Debug).

149
MCQeasy

A financial firm uses Sysmon for endpoint monitoring on all Windows servers. One server, 'FIN-SRV-01', which hosts a critical database application, is exhibiting high CPU usage and unusual outbound network connections to a known malicious IP on port 8080. The Sysmon logs show Event ID 1 (Process Create) with a suspicious process 'rundll32.exe' spawned from 'winword.exe', and Event ID 3 (Network Connect) showing the connection to the malicious IP. The antivirus has not detected any threats. The analyst must decide the next immediate action to contain the threat while preserving evidence.

A.Reboot the server to clear any suspicious processes from memory.
B.Immediately format the server's hard drive and reinstall the OS.
C.Restore the server from the most recent backup taken yesterday.
D.Isolate the server by disconnecting its network cable and taking a memory dump for further analysis.
AnswerD

Preserves evidence and stops malicious activity.

Why this answer

Option D is correct because isolating the server by disconnecting its network cable immediately stops the outbound communication to the malicious IP on port 8080, containing the threat without destroying volatile evidence. Taking a memory dump preserves the running processes, including the suspicious rundll32.exe spawned from winword.exe, which is critical for forensic analysis of the attack chain. This approach aligns with incident response best practices: contain first, then analyze, while avoiding actions that could destroy evidence or alert the attacker.

Exam trap

Cisco often tests the principle that containment must preserve evidence, and the trap here is that candidates may choose a destructive action like rebooting or formatting, mistakenly thinking it removes the threat, when in fact it destroys the forensic data needed to understand the attack.

How to eliminate wrong answers

Option A is wrong because rebooting the server would clear the memory, destroying volatile evidence such as the running rundll32.exe process and any network connections, and would not remove the underlying persistence mechanism. Option B is wrong because immediately formatting the hard drive destroys all evidence, including logs, artifacts, and the root cause, making forensic analysis impossible and potentially violating legal or compliance requirements. Option C is wrong because restoring from a backup taken yesterday could reintroduce the same vulnerability or malware if the infection occurred before the backup, and it does not address the immediate need to stop the active outbound connection to the malicious IP.
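As an added example (not from the page), the correlation behind this alert: Sysmon Event ID 1 and Event ID 3 records are joined on ProcessGuid, generalised from the page's winword.exe to rundll32.exe case to any Office parent spawning a living-off-the-land binary; the records, GUIDs and the "known malicious" IP are constructed.

```python
"""Joining Sysmon Event ID 1 (Process Create) with Event ID 3 (Network Connect)
on ProcessGuid, as in the FIN-SRV-01 scenario above.  Added example, not from
the page; the records, GUIDs and the "known malicious" IP are constructed."""
from typing import NamedTuple


class ProcessCreate(NamedTuple):     # Sysmon Event ID 1, only the fields used here
    host: str
    process_guid: str
    image: str
    parent_image: str


class NetworkConnect(NamedTuple):    # Sysmon Event ID 3, only the fields used here
    host: str
    process_guid: str
    dest_ip: str
    dest_port: int


# Constructed threat-intel list standing in for the question's "known malicious IP".
MALICIOUS_IPS = {"203.0.113.45"}
# Office parents and living-off-the-land binaries; the page's case is winword -> rundll32.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_lolbins(event1):
    """Event ID 1 records where an Office application is the parent of a LOLBin, keyed by GUID."""
    return {e.process_guid: e for e in event1
            if basename(e.parent_image) in OFFICE_PARENTS and basename(e.image) in LOLBINS}


def correlate(event1, event3):
    """Return one finding per suspicious process that later opened a network connection.
    Severity is 'critical' when the destination is on the intel list, else 'high'."""
    suspects = office_spawned_lolbins(event1)
    findings = []
    for n in event3:
        p = suspects.get(n.process_guid)
        if p is None:
            continue
        findings.append({
            "host": n.host,
            "chain": f"{basename(p.parent_image)} -> {basename(p.image)}",
            "dest": f"{n.dest_ip}:{n.dest_port}",
            "severity": "critical" if n.dest_ip in MALICIOUS_IPS else "high",
        })
    return findings


# Constructed sample telemetry (GUIDs are placeholders, not real Sysmon values).
EVENT1 = [
    ProcessCreate("FIN-SRV-01", "{guid-0001}", r"C:\Windows\System32\rundll32.exe",
                  r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessCreate("FIN-SRV-01", "{guid-0002}", r"C:\Windows\System32\rundll32.exe",
                  r"C:\Windows\System32\svchost.exe"),           # normal parent, not flagged
]
EVENT3 = [
    NetworkConnect("FIN-SRV-01", "{guid-0001}", "203.0.113.45", 8080),   # the alert in the question
    NetworkConnect("FIN-SRV-01", "{guid-0002}", "10.0.0.5", 445),        # benign child of svchost
]

if __name__ == "__main__":
    for finding in correlate(EVENT1, EVENT3):
        print(finding)
```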

150
MCQmedium

An organization's security policy states that all external connections must be authenticated using multi-factor authentication. Which type of policy is this?

A.Password Policy
B.Data Classification Policy
C.Remote Access Policy
D.Acceptable Use Policy
AnswerC

Remote access policy defines secure remote connection requirements.

Why this answer

Option C is correct because a Remote Access Policy specifically governs how external users or devices connect to an internal network, and requiring multi-factor authentication (MFA) for all external connections is a standard control within this policy. This policy defines authentication methods, encryption standards (e.g., IPsec, TLS), and access controls for remote access, directly addressing the security policy's mandate for MFA on external connections.

Exam trap

Cisco often tests the distinction between a Remote Access Policy (which mandates technical controls like MFA for external connections) and an Acceptable Use Policy (which governs user behavior), causing candidates to confuse the two when the question mentions 'authentication'.

How to eliminate wrong answers

Option A is wrong because a Password Policy focuses on password complexity, length, expiration, and reuse rules, not on requiring multiple authentication factors (e.g., something you know plus something you have) for external connections. Option B is wrong because a Data Classification Policy defines how data is categorized (e.g., public, confidential, restricted) and handled based on sensitivity, not the authentication mechanisms for external network access. Option D is wrong because an Acceptable Use Policy outlines what users are allowed to do with organizational resources (e.g., browsing restrictions, software installation), not the technical authentication requirements for external connections.
