Cisco CyberOps Associate 200-201 (200-201) — Questions 226-300

507 questions total · 7 pages · All types, answers revealed

Page 4 of 7

226
MCQ · hard

A Security Operations Center (SOC) uses Security Information and Event Management (SIEM) with event correlation. Analysts notice that alerts for a specific malware signature have decreased sharply after a new firewall rule was deployed. However, endpoint scans still show infections on several hosts. What is the most likely explanation for the decrease in SIEM alerts?

A.The firewall rule blocks the malware's C2 traffic, so SIEM no longer receives network alerts, but endpoint infections persist
B.The SIEM correlation rules were accidentally disabled during the firewall update
C.The SIEM is not receiving logs from the endpoint detection and response (EDR) tool
D.The malware has mutated into a different variant that evades detection
Answer: A

The SIEM relies on network events for that signature; blocking C2 traffic stops the alerts but does not remediate existing infections.

Why this answer

The firewall rule specifically blocks command-and-control (C2) traffic, which is the network communication channel the malware uses to send data or receive instructions. Since the SIEM relies on network-based alerts (e.g., from intrusion detection systems or firewall logs) to detect this traffic, blocking the C2 traffic eliminates those network alerts. However, the malware remains on the endpoints because the firewall does not remove the infection; it only prevents outbound communication, so endpoint scans still detect the malware files or processes.

Exam trap

Cisco often tests the concept that blocking C2 traffic reduces network alerts but does not remediate endpoint infections, leading candidates to mistakenly think the firewall rule eliminated the malware entirely.

How to eliminate wrong answers

Option B is wrong because if SIEM correlation rules were accidentally disabled, the SIEM would stop generating alerts for all events, not just for this specific malware signature, and the sharp decrease would be broad, not isolated to one signature. Option C is wrong because the SIEM not receiving logs from the EDR tool would cause a loss of endpoint-based alerts, but the question states that endpoint scans still show infections, implying the EDR is still functioning and reporting; the decrease is in SIEM alerts, which are primarily network-based in this context. Option D is wrong because if the malware mutated into a different variant, it would evade detection by both network and endpoint tools, but endpoint scans still detect the infections, indicating the original signature is still present on the hosts.

227
Multi-Select · easy

Which TWO of the following are key elements that should be included in an incident response plan?

Select 2 answers
A.Requirements for antivirus software on endpoints
B.List of approved forensic tools
C.Roles and responsibilities of the incident response team
D.Step-by-step technical remediation instructions for specific attack types
E.Communication and escalation procedures
Answers: C, E

Essential for coordination during an incident.

Why this answer

Options C and E are correct. An incident response plan should include roles and responsibilities (C) and communication and escalation procedures (E). Options B and D are operational procedures, not plan elements.

Option A is a general security control.

228
MCQ · hard

You are a security analyst at a financial institution. The network consists of a traditional perimeter firewall, an internal IDS (Snort), and a separate network monitoring tool that captures full packet data. Recently, the bank experienced a breach where an attacker exfiltrated customer data via DNS tunneling. The attack went undetected for weeks. The CISO wants to improve detection of data exfiltration and has tasked you with proposing a new monitoring strategy. The current IDS has signatures for common malware C2 channels but no specific DNS tunneling rules. You have access to the full packet capture archive. Which approach would be most effective in detecting DNS tunneling while minimizing false positives?

A.Write custom Snort rules that monitor DNS query size, frequency, and domain name entropy, and use full packet capture to baseline typical DNS behavior.
B.Block all DNS queries to external domains not on a whitelist, and log all blocked queries for review.
C.Increase the Snort signature sensitivity for all DNS-related alerts to maximum.
D.Deploy NetFlow monitoring on the DNS server and look for traffic volume anomalies.
Answer: A

DNS tunneling exhibits abnormal characteristics that can be detected with tailored rules and baselines.

Why this answer

Option A is correct because DNS tunneling exploits legitimate DNS protocol behavior by encoding data in query payloads, making it invisible to signature-based detection. By writing custom Snort rules that monitor query size (typically > 255 bytes for TXT records), frequency (abnormally high query rates per domain), and domain name entropy (random-looking subdomains), and using full packet capture to baseline normal DNS traffic, you can detect anomalies indicative of tunneling with high precision and low false positives.

Exam trap

Cisco often tests the distinction between detection and prevention—candidates may incorrectly choose a blocking strategy (Option B) or a volume-based approach (Option D) instead of a detection method that leverages packet-level analysis and behavioral baselines.

How to eliminate wrong answers

Option B is wrong because blocking all DNS queries to external domains not on a whitelist is a restrictive, policy-based approach that would break normal internet access for users and services, and it does not detect tunneling—it only prevents it, which is not a monitoring strategy. Option C is wrong because increasing Snort signature sensitivity for all DNS-related alerts to maximum would generate an overwhelming number of false positives from legitimate DNS traffic (e.g., normal lookups, NXDOMAIN responses), rendering the IDS alerts useless for actual threat detection. Option D is wrong because NetFlow monitoring on the DNS server for traffic volume anomalies is too coarse—DNS tunneling often uses low-and-slow data transfer that does not create significant volume spikes, and NetFlow lacks the packet-level detail (e.g., query payload size, entropy) needed to distinguish tunneling from normal DNS traffic.

229
MCQ · medium

An analyst is reviewing this configuration. What is the most significant security concern?

A.The access-list permits all traffic to 192.168.1.100 on ports 80 and 443.
B.The access-list is missing a rule to deny all other traffic.
C.The access-list only permits traffic to a single host.
D.The access-list does not specify source IPs, allowing any source.
E.The access-list should permit traffic to the entire subnet.
Answer: D

Best practice is to restrict source addresses.

Why this answer

Option D is correct because allowing any source IP is a security risk; the entries constrain the destination host and ports but never restrict the source. Option A describes the rule's intended purpose, not a weakness. Option B does not apply because a deny-any entry is present.

Option C is a design choice. Option E is not recommended, since widening the permit to the whole subnet would only increase exposure.

230
Multi-Select · hard

A security analyst is reviewing the firewall log exhibit. The analyst suspects that this traffic might be part of a command-and-control (C2) communication based on the packet size and the timing of similar events. Which TWO additional pieces of evidence would most strongly support the suspicion of C2 traffic?

Select 2 answers
A.The packet size is consistently 1452 bytes across multiple connections.
B.The destination IP is listed in a threat intelligence feed as a known C2 server.
C.The same source IP makes similar connections to the same destination IP every 60 seconds.
D.The source IP also connected to multiple other external IPs on port 443 within the same hour.
E.The traffic is using HTTPS (port 443) which is commonly used for covert channels.
Answers: B, C

Threat intelligence provides direct evidence of malicious intent.

Why this answer

Option B is correct because a destination IP listed in a threat intelligence feed as a known C2 server directly indicates that the endpoint is associated with malicious command-and-control infrastructure. This external corroboration is strong evidence that the traffic is part of a C2 channel, as threat feeds aggregate confirmed indicators of compromise (IoCs) from multiple sources. Option C is correct because connections from the same source to the same destination at a fixed 60-second interval are periodic beaconing, the timing regularity characteristic of malware checking in with its C2 server.

Exam trap

Cisco often tests the distinction between generic network behavior (like consistent packet sizes or common port usage) and specific indicators of compromise (like threat intelligence matches or periodic beaconing), trapping candidates who mistake normal traffic patterns for malicious activity.

231
MCQ · medium

An organization has implemented a security policy requiring all employees to change their passwords every 90 days. Which security goal does this policy primarily support?

A.Accountability
B.Availability
C.Confidentiality
D.Integrity
Answer: C

Regular password changes help protect sensitive information from unauthorized access.

Why this answer

Requiring password changes every 90 days primarily supports confidentiality by reducing the window of opportunity for an attacker to use a compromised credential. If a password is stolen or guessed, the mandatory rotation ensures that the stolen credential becomes invalid after 90 days, limiting unauthorized access to sensitive data. This directly aligns with the confidentiality goal of preventing disclosure to unauthorized parties.

Exam trap

Cisco often tests the distinction between confidentiality and integrity by presenting password policies as a control for data modification, when in fact password rotation primarily limits the exposure of stolen credentials, directly supporting confidentiality.

How to eliminate wrong answers

Option A is wrong because accountability refers to the ability to trace actions to a specific user, typically through logging and auditing, not through password expiration policies. Option B is wrong because availability ensures that systems and data are accessible when needed, which is not directly enhanced by password rotation; in fact, frequent changes can sometimes hinder availability if users get locked out. Option D is wrong because integrity focuses on protecting data from unauthorized modification, whereas password rotation primarily protects against unauthorized access (confidentiality), not data tampering.

232
MCQ · medium

During an investigation, an analyst finds that an internal host has been communicating with a known malicious IP on port 445. Which protocol is most likely involved?

A.SSH
B.RDP
C.SMB
D.HTTP
Answer: C

SMB uses port 445.

Why this answer

Port 445 is the default port for Microsoft SMB (Server Message Block) over TCP, used for file sharing, printer sharing, and other network services. Communication with a known malicious IP on this port strongly indicates SMB-based activity, such as exploitation of vulnerabilities like EternalBlue (MS17-010) or unauthorized file access.

Exam trap

Cisco often tests the association of well-known ports with their protocols, and the trap here is that candidates may confuse port 445 with HTTP (80) or RDP (3389) due to common attack narratives, but the specific port 445 uniquely identifies SMB.

How to eliminate wrong answers

Option A is wrong because SSH (Secure Shell) uses port 22, not 445, and is used for secure remote administration, not file sharing. Option B is wrong because RDP (Remote Desktop Protocol) uses port 3389, not 445, and is used for remote graphical desktop access. Option D is wrong because HTTP uses port 80 (or 443 for HTTPS), not 445, and is used for web traffic, not direct file sharing or SMB operations.

233
MCQ · medium

A system administrator needs to grant access to a database for a new employee. According to the principle of least privilege, what should be done?

A.Grant only the minimum required permissions
B.Grant temporary admin access
C.Grant no access until manager approves
D.Grant full access and remove later
Answer: A

Least privilege means granting the minimum necessary to do the job.

Why this answer

Option A (Grant only the minimum required permissions) is correct. Option D (Grant full access and remove later) violates least privilege. Option C (Grant no access until manager approves) is too restrictive and not a direct application of least privilege.

Option B (Grant temporary admin access) is excessive.

234
MCQ · medium

A company's endpoint detection and response (EDR) agent is reporting a file that was created with a name matching a known ransomware pattern. The analyst suspects the file is malicious. What is the best first step to contain the threat?

A.Create a new firewall rule
B.Isolate the host from the network
C.Run a full antivirus scan
D.Delete the file
Answer: B

Isolation prevents lateral movement and C2 communication.

Why this answer

Isolating the host from the network is the best first step because it immediately stops the ransomware from communicating with its command-and-control (C2) server and prevents lateral movement to other systems. The EDR agent has already flagged the file as suspicious, so the priority is containment, not further analysis or deletion, which could trigger the ransomware to encrypt data. Network isolation breaks the attack chain at the host level, buying time for forensic analysis and remediation.

Exam trap

Cisco often tests the principle of 'containment before eradication' — the trap here is that candidates choose to delete the file or run a scan, thinking that removing the artifact stops the threat, but they overlook that the ransomware may already be executing in memory or have established persistence.

How to eliminate wrong answers

Option A is wrong because creating a new firewall rule is a network-level control that takes time to implement and may not block all outbound traffic from the already-compromised host, especially if the ransomware uses dynamic ports or encrypted tunnels. Option C is wrong because running a full antivirus scan is a detection and remediation step that occurs after containment; the file is already suspected malicious, and scanning could trigger the ransomware to execute and encrypt files. Option D is wrong because deleting the file without first isolating the host may not stop the ransomware if it is already running in memory, and it could also trigger a failsafe mechanism that encrypts data immediately.

235
MCQ · medium

A company uses a SIEM with correlation rules. They notice that a rule designed to detect brute-force attacks is not triggering even though failed logins are occurring. Which is the most likely cause?

A.The SIEM is receiving too many logs and dropping events.
B.The correlation rule threshold is set too high.
C.The SIEM time zone is misconfigured.
D.The log source is not sending syslog data.
Answer: B

The number of failed attempts may be below the threshold.

Why this answer

A SIEM correlation rule for brute-force attacks typically triggers when the number of failed login attempts from a single source exceeds a defined threshold within a specific time window. If the threshold is set too high, the rule will not fire even though failed logins are occurring, because the count never reaches the required value. This is the most direct and common cause for a correlation rule not triggering when expected.

Exam trap

Cisco often tests the concept that a correlation rule's threshold is a direct control over its sensitivity, and candidates may mistakenly attribute the issue to data ingestion problems (like dropped logs or misconfigured time zones) rather than the rule's own configuration.

How to eliminate wrong answers

Option A is wrong because while a SIEM can drop events when overwhelmed, this would typically cause incomplete or missing data, not a consistent failure of a specific correlation rule to trigger; the rule would still fire if the threshold were met in the logs that are processed. Option C is wrong because a time zone misconfiguration would cause timestamps to be offset, potentially affecting time-window calculations, but it would not prevent the rule from triggering entirely if the raw count of failed logins still exceeds the threshold within the adjusted window. Option D is wrong because if the log source were not sending syslog data, the SIEM would not receive any failed login events at all, and the question explicitly states that failed logins are occurring, meaning the logs are being received.

236
MCQ · medium

Your organization recently deployed a new web application that uses HTTPS. The security team notices that the IDS is generating a large number of alerts for 'SSL/TLS handshake anomalies' and 'self-signed certificates'. After investigating, you find that many of these alerts are coming from a legitimate internal scanning tool that uses a self-signed certificate. The IDS also reports a high rate of 'TLS renegotiation' attempts from the same source. The CISO wants to reduce false positives while maintaining visibility. The IDS is based on Suricata and uses a default rule set. What is the best course of action?

A.Create a custom Suricata pass rule that excludes traffic from the specific IP address of the scanning tool.
B.Add a whitelist rule that ignores any traffic from any host using self-signed certificates.
C.Disable the Suricata rules that match self-signed certificates and TLS renegotiation.
D.Recommend removing the scanning tool from the network and using a different tool that uses a trusted certificate.
Answer: A

This precisely reduces false positives from a known source while keeping detection for others.

Why this answer

Option A is correct because creating a custom Suricata pass rule for the specific IP address of the legitimate scanning tool will suppress alerts for that known source while maintaining full visibility into all other traffic. This approach reduces false positives without disabling broader security monitoring, as the IDS continues to inspect and alert on SSL/TLS anomalies and self-signed certificates from all other hosts.

Exam trap

Cisco often tests the distinction between a targeted exclusion (like a pass rule for a specific IP) and a broad configuration change (like disabling rules or whitelisting entire categories), where candidates mistakenly choose the latter because they think it is simpler, not realizing it sacrifices security visibility.

How to eliminate wrong answers

Option B is wrong because whitelisting any traffic from hosts using self-signed certificates would broadly disable alerts for all self-signed certificate traffic, including potential malicious activity, thereby creating a significant security blind spot. Option C is wrong because disabling the Suricata rules for self-signed certificates and TLS renegotiation would globally remove detection for these events across all traffic, not just the scanning tool, which undermines the CISO's requirement to maintain visibility. Option D is wrong because removing the scanning tool is an unnecessary operational change; the tool is legitimate and can be safely excluded via a targeted pass rule, preserving both security and functionality.

237
MCQ · medium

A security policy requires that all remote access be authenticated using a one-time password (OTP) token. Which technology should be implemented?

A.SSH key pairs
B.RADIUS with token server
C.LDAP with username and password
D.VPN with pre-shared key
Answer: B

RADIUS can authenticate users against an OTP token server, meeting the requirement.

Why this answer

Option B is correct because RADIUS can integrate with an OTP token server. Option C is wrong because LDAP with a password does not provide OTP. Option A is wrong because SSH keys are not OTP.

Option D is wrong because pre-shared keys are not OTP.

238
Matching · medium

Match each network device to its primary function.

Matches

Filters traffic based on security rules

Detects suspicious activity and alerts

Detects and blocks malicious traffic inline

Forwards packets between networks

Forwards frames within a LAN

Why these pairings

These devices are fundamental to network security architecture.

239
MCQ · hard

Based on the exhibit, what condition triggers an alert?

A.More than 1000 DNS queries from a single source within 60 seconds.
B.A single DNS query to a known malicious domain.
C.Any UDP traffic to port 53 exceeding 1000 packets per second.
D.More than 1000 UDP connections to port 53 within 60 seconds.
Answer: A

This matches typical DNS anomaly detection for excessive queries.

Why this answer

The exhibit shows a rule configured to trigger an alert when the number of DNS queries from a single source IP exceeds 1000 within a 60-second sliding window. This is a rate-based threshold designed to detect DNS amplification or tunneling attacks, where a single host generates an abnormally high volume of DNS requests. Option A correctly describes this condition.

Exam trap

Cisco often tests the distinction between a rate-based threshold (counting events over time) and a signature-based match (single event), leading candidates to confuse a single malicious query with a volumetric anomaly.

How to eliminate wrong answers

Option B is wrong because a single DNS query to a known malicious domain would typically be detected by a signature-based or threat-intelligence rule, not by a rate-based threshold as shown in the exhibit. Option C is wrong because the rule specifically counts DNS queries (typically UDP packets to port 53), not all UDP traffic to port 53; the threshold is based on queries, not raw packets, and the exhibit shows a query count, not a packet-per-second rate. Option D is wrong because the rule counts DNS queries, not UDP connections; DNS queries are typically stateless UDP datagrams, not connections, and the exhibit does not reference connection tracking or a 60-second window for connections.
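The rate-based threshold in this item and the brute-force threshold in question 235 are the same mechanism: a per-source count over a sliding time window that only fires once the count reaches the configured value. The following added example (not part of the original question bank) implements that counter in Python over constructed sshd-style log lines and constructed DNS query events; the log format, thresholds and IP addresses are assumptions.

```python
"""Sliding-window threshold correlation, the mechanism behind both a
brute-force rule (N failed logins from one source in T seconds) and a
DNS rate rule (N queries from one source in 60 seconds).

All log lines and query events below are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sshd-style auth log (assumed format): one host fails 12 times
# in two minutes, a second host fails only three times.
FAILED_LOGIN_LINES = [
    f"2024-05-01T10:{i // 6:02d}:{(i % 6) * 10:02d}Z sshd[2201]: "
    f"Failed password for admin from 203.0.113.10 port {40000 + i} ssh2"
    for i in range(12)
] + [
    "2024-05-01T10:00:05Z sshd[2202]: Failed password for bob from 198.51.100.7 port 50001 ssh2",
    "2024-05-01T10:00:25Z sshd[2202]: Failed password for bob from 198.51.100.7 port 50002 ssh2",
    "2024-05-01T10:00:45Z sshd[2203]: Failed password for bob from 198.51.100.7 port 50003 ssh2",
]

# Constructed DNS query events as (timestamp_seconds, source_ip): one host
# sends 1200 queries in about 48 s, another sends 900 spread over about 63 s.
DNS_EVENTS = sorted(
    [(i * 0.04, "10.0.0.9") for i in range(1200)]
    + [(i * 0.07, "10.0.0.5") for i in range(900)]
)

AUTH_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def parse_failed_login(line):
    """Return (epoch_seconds, source_ip) for a failed-login line, else None."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m.group(2)


def sliding_window_alerts(events, threshold, window_seconds):
    """events: (timestamp, key) pairs. Keeps the trailing window of
    timestamps per key and raises one alert the moment a key's count
    within the window reaches the threshold. Returns the alert list."""
    recent = defaultdict(deque)
    alerts = []
    for ts, key in sorted(events):
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window_seconds:  # evict events older than the window
            q.popleft()
        if len(q) == threshold:  # fires once per burst, exactly when reached
            alerts.append({"key": key, "count": len(q), "first": q[0], "last": ts})
    return alerts


def brute_force_alerts(lines, threshold=10, window_seconds=300):
    """Brute-force rule: threshold failed logins from one source within window.
    A threshold set above the real attempt count (e.g. 50 here) never fires,
    which is the failure mode described in question 235."""
    events = [e for e in map(parse_failed_login, lines) if e is not None]
    return sliding_window_alerts(events, threshold, window_seconds)


def dns_rate_alerts(events, threshold=1000, window_seconds=60):
    """DNS rate rule: threshold queries from one source within a 60 s window."""
    return sliding_window_alerts(events, threshold, window_seconds)


if __name__ == "__main__":
    print("brute force, threshold 10:", brute_force_alerts(FAILED_LOGIN_LINES))
    print("brute force, threshold 50:", brute_force_alerts(FAILED_LOGIN_LINES, threshold=50))
    print("dns rate, 1000/60s:", dns_rate_alerts(DNS_EVENTS))
```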

240
MCQ · medium

A critical security patch for a widely exploited vulnerability is released. The patch requires a system reboot during business hours. According to change management policy, what is the best procedure?

A.Deploy the patch only at the end of the business day
B.Wait for the next scheduled change window
C.Submit an emergency change request for immediate approval
D.Install the patch without approval
Answer: C

Emergency change processes are designed for critical security updates.

Why this answer

Option C is correct because when a critical security patch addresses a widely exploited vulnerability, the immediate risk to the organization outweighs standard change windows. Change management policy typically includes an emergency change process that bypasses normal scheduling to allow rapid deployment with expedited approval, even if a reboot during business hours is required. This aligns with the principle of prioritizing security over availability in high-severity scenarios.

Exam trap

Cisco often tests the misconception that change management always requires waiting for a scheduled window, but the trap here is that emergency change processes exist specifically to handle critical security patches that cannot wait.

How to eliminate wrong answers

Option A is wrong because delaying deployment until the end of the business day leaves the system exposed to active exploitation for several hours, which is unacceptable for a widely exploited vulnerability. Option B is wrong because waiting for the next scheduled change window could mean days or weeks of exposure, violating the urgency required for critical patches. Option D is wrong because installing the patch without any approval bypasses change management controls entirely, risking unauthorized changes that could lead to compliance violations or operational disruptions.

241
MCQ · hard

A large enterprise has a security policy that mandates data classification and strict access controls. An IT administrator, John, has been granted temporary administrative privileges to resolve a server issue. During the maintenance window, John accesses a file server and downloads a spreadsheet containing customer PII (Personally Identifiable Information) classified as 'Confidential'. John then emails the spreadsheet to his personal email account to work from home. The security team receives an alert from the DLP system indicating the email transmission. According to the company's incident response policy, which of the following is the FIRST action the security team should take?

A.Block the email transmission and restore the file from backup
B.Revoke John's network access immediately and escalate to HR for disciplinary action
C.Interview John to determine his intent and whether it was accidental
D.Preserve evidence, isolate the affected systems, and initiate the incident response process
Answer: D

This aligns with standard incident response procedures: first preserve evidence, then initiate the formal process.

Why this answer

The correct first action is to preserve evidence, isolate affected systems, and initiate the incident response process. This aligns with NIST SP 800-61 and ISO 27035, which mandate that containment and evidence preservation precede any investigative or disciplinary steps. Jumping to revocation or interviews risks spoliation of logs, email metadata, and forensic artifacts critical to determining the scope of the data exfiltration.

Exam trap

Cisco often tests the distinction between reactive containment (e.g., blocking/revoking) and the mandated first step of evidence preservation and incident initiation, causing candidates to confuse operational urgency with proper forensic procedure.

How to eliminate wrong answers

Option A is wrong because blocking the email and restoring from backup is a containment step that should occur only after evidence is preserved and the incident response plan is formally activated; premature blocking may destroy forensic data (e.g., email headers, DLP logs). Option B is wrong because revoking network access and escalating to HR before evidence preservation violates the incident response chain of custody and could alert the insider, leading to data destruction or tampering. Option C is wrong because interviewing John before preserving evidence risks contaminating the investigation and is not the first action per standard incident response frameworks; intent is determined after forensic analysis.

242
MCQ · hard

An analyst is investigating a potential data exfiltration. The logs show a series of DNS queries with subdomains that appear to be base64-encoded strings. Which technique is likely being used?

A.DNS tunneling
B.DNS amplification
C.Fast flux
D.Domain generation algorithm
Answer: A

DNS tunneling encapsulates data in DNS queries to exfiltrate information.

Why this answer

DNS tunneling encodes data (e.g., exfiltrated files) into subdomains of DNS queries, which are then sent to a malicious authoritative DNS server controlled by the attacker. The base64-encoded subdomains in the logs are a classic indicator of this technique, as the attacker uses the DNS protocol to bypass network security controls and covertly transmit data.

Exam trap

Cisco often tests the distinction between DNS tunneling (data exfiltration via subdomain encoding) and DNS amplification (a volumetric DDoS attack), so candidates must recognize that base64-encoded subdomains point to tunneling, not amplification.

How to eliminate wrong answers

Option B is wrong because DNS amplification is a reflection-based DDoS attack that uses open resolvers to flood a victim with large DNS responses, not a data exfiltration technique. Option C is wrong because fast flux uses rapid changes in DNS A records to hide the IP addresses of malicious servers, not to encode data in subdomains. Option D is wrong because a domain generation algorithm (DGA) is used to periodically generate random domain names for command-and-control communication, not to encode exfiltrated data in subdomain labels.
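Questions 228 and 242 both turn on the same observable features of DNS tunneling: long, high-entropy, base64-looking subdomain labels sent at a high rate to one domain, judged against a baseline of normal queries. The following added example (not from the original question bank) scores constructed query records on exactly those features in Python; the record format, the two-label approximation of the registered domain, the sample names and the thresholds are assumptions.

```python
"""Heuristic DNS tunneling detector over constructed query records.

Each query's subdomain part is scored on length and Shannon entropy, the
scores are aggregated per (source IP, registered domain) within a time
window, and the result is compared against a profile built from
known-good traffic. Names, addresses and thresholds are constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed records: (timestamp_seconds, source_ip, queried_name, qtype).
BASELINE_QUERIES = [
    (0, "10.0.0.5", "www.example.com", "A"),
    (1, "10.0.0.5", "mail.example.com", "A"),
    (2, "10.0.0.7", "cdn.static.example.net", "A"),
    (3, "10.0.0.7", "api.example.net", "A"),
    (4, "10.0.0.5", "login.example.com", "A"),
]
# Same benign traffic plus one host sending long, random-looking,
# base64-like labels at a high rate to a single domain.
SUSPECT_QUERIES = BASELINE_QUERIES + [
    (10, "10.0.0.9", "U2VjcmV0RGF0YUNodW5rMUFCQ0RFRkdI.t.example-tunnel.test", "TXT"),
    (10, "10.0.0.9", "QW5vdGhlckNodW5rT2ZEYXRhWFlaMTIz.t.example-tunnel.test", "TXT"),
    (11, "10.0.0.9", "VGhpcmRDaHVua0hlcmVRV0VSVFk3ODk.t.example-tunnel.test", "TXT"),
    (11, "10.0.0.9", "Rm91cnRoQ2h1bmtPZkRhdGFNTk9QUVI.t.example-tunnel.test", "TXT"),
    (12, "10.0.0.9", "RmlmdGhDaHVua1pYQ1ZCTk0xMjM0NTY.t.example-tunnel.test", "TXT"),
]


def shannon_entropy(text):
    """Bits per character: long random base64 approaches 6, hostnames stay low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(name):
    """Return (registered_domain, subdomain_part). Assumption: the registered
    domain is the last two labels; a real detector would use a public-suffix list."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_query(name):
    domain, sub = split_name(name)
    return {"domain": domain, "sub_len": len(sub), "entropy": shannon_entropy(sub)}


def baseline_profile(queries):
    """Largest subdomain length and entropy seen in known-good traffic."""
    scores = [score_query(name) for _, _, name, _ in queries]
    return {
        "max_sub_len": max(s["sub_len"] for s in scores),
        "max_entropy": max(s["entropy"] for s in scores),
    }


def detect_tunneling(queries, baseline, window_seconds=60, min_queries=3):
    """Flag (source, domain) pairs that, inside one window, query at least
    min_queries times AND whose average label length and entropy both exceed
    the baseline. Requiring all three together keeps false positives low:
    CDNs produce long labels and a single odd lookup produces high entropy,
    but only tunneling shows both at volume against one domain."""
    buckets = defaultdict(list)
    for ts, src, name, _ in queries:
        s = score_query(name)
        buckets[(src, s["domain"], ts // window_seconds)].append(s)
    findings = []
    for (src, domain, _), scores in buckets.items():
        if len(scores) < min_queries:
            continue
        avg_len = sum(s["sub_len"] for s in scores) / len(scores)
        avg_ent = sum(s["entropy"] for s in scores) / len(scores)
        if avg_len > baseline["max_sub_len"] and avg_ent > baseline["max_entropy"]:
            findings.append({"src": src, "domain": domain, "queries": len(scores),
                             "avg_sub_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)})
    return findings


if __name__ == "__main__":
    profile = baseline_profile(BASELINE_QUERIES)
    for finding in detect_tunneling(SUSPECT_QUERIES, profile):
        print(finding)
```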

243
MCQ · medium

A company's incident response policy defines four phases: Preparation, Detection & Analysis, Containment Eradication & Recovery, and Post-Incident Activity. During an active ransomware outbreak, the IR team is unable to contain the spread because the containment plan did not account for the malware's use of PowerShell for lateral movement. Which phase had a deficiency?

A.Containment Eradication & Recovery
B.None of the above
C.Preparation
D.Post-Incident Activity
E.Detection & Analysis
Answer: C

Preparation must anticipate attack vectors.

Why this answer

Option C is correct because Preparation should include threat modeling and playbooks for common TTPs, such as lateral movement via PowerShell. Options A, D and E are later phases that rely on preparation, and Option B is wrong because a deficiency clearly exists.

244
MCQ · medium

A security analyst is reviewing IDS alerts and notices multiple TCP resets sent from an internal host with IP 10.10.10.25 to various external IPs on port 443. The alerts indicate that these resets occur immediately after the corresponding SYN-ACK from the external server, before any data exchange. The analyst suspects a TCP reset attack. Which action is most likely occurring?

A.A firewall is sending RST packets to block outbound traffic.
B.A client is properly closing a session after receiving data.
C.The client is retransmitting lost TCP segments.
D.An attacker is spoofing the client IP to send forged RST packets.
Answer: D

This is a classic TCP reset attack where the attacker spoofs the client's IP to terminate a connection.

Why this answer

The described behavior—TCP RST packets sent immediately after the SYN-ACK, before any data exchange, from an internal host to multiple external IPs on port 443—is characteristic of a TCP reset attack. In this attack, an adversary spoofs the source IP of the legitimate client (10.10.10.25) and sends forged RST segments to the external servers, causing them to abort the TCP handshake prematurely. This prevents the completion of the three-way handshake and disrupts the connection before any application data can be exchanged.

Exam trap

Cisco often tests the distinction between a legitimate RST (sent by a host to abort a connection due to an error or policy) and a spoofed RST (sent by an attacker to disrupt a connection), and the trap here is that candidates may assume the RST is from a firewall or a normal closure without considering the timing and source IP spoofing.

How to eliminate wrong answers

Option A is wrong because a firewall sending RST packets to block outbound traffic would typically do so in response to a policy violation, not immediately after every SYN-ACK from external servers, and the RST would originate from the firewall's IP, not from the internal host's IP. Option B is wrong because a client properly closing a session after receiving data would send a FIN packet, not a RST, and the RSTs here occur before any data exchange, which is not a normal closure. Option C is wrong because retransmitting lost TCP segments involves sending data packets (with sequence numbers), not RST packets; RST is used to abort a connection, not to retransmit data.

245
MCQ · hard

A security analyst is reviewing the company's incident response plan. The plan states that 'all incidents must be contained within 30 minutes.' During a recent ransomware incident, the analyst identified the affected systems but could not contain them because the containment procedures required manual steps that took over an hour. What is the most likely gap in the plan?

A.The ransomware was too sophisticated.
B.The plan does not provide automated containment options.
C.The analyst lacked proper training.
D.The analyst did not have proper authorization.
Answer: B

The manual procedures are too slow to meet the 30-minute goal; automation or simpler steps are needed.

Why this answer

The plan's requirement to contain incidents within 30 minutes is unachievable because the containment procedures rely solely on manual steps that take over an hour. The most likely gap is the absence of automated containment options, such as pre-configured firewall ACLs, host-based IPS policies, or SOAR playbooks that can isolate affected systems in seconds. Without automation, the response time objective (RTO) for containment is fundamentally mismatched with the procedural capability.

Exam trap

Cisco often tests the distinction between a plan's stated objective and the operational capability to achieve it, trapping candidates who blame the analyst's performance or the threat's complexity instead of recognizing the missing automation in the procedures.

How to eliminate wrong answers

Option A is wrong because the sophistication of the ransomware is irrelevant to the plan's procedural gap; the issue is that the plan lacks automated containment mechanisms, not that the malware was too advanced to contain. Option C is wrong because the analyst correctly identified the affected systems, indicating adequate training; the failure was in the plan's reliance on slow manual steps, not in the analyst's skill. Option D is wrong because authorization is not the bottleneck—the analyst had the authority to execute the manual steps, but those steps themselves were too slow to meet the 30-minute containment window.

246
Multi-Selecthard

Which THREE are principles of the CIA triad? (Select three.)

Select 3 answers
A.Non-repudiation
B.Confidentiality
C.Accountability
D.Integrity
E.Availability
AnswersB, D, E

Confidentiality is a core principle of the CIA triad.

Why this answer

The CIA triad is the foundational security model consisting of Confidentiality, Integrity, and Availability. Option B (Confidentiality) is correct because it ensures that data is accessible only to authorized users, typically enforced through encryption (e.g., AES-256) and access control lists (ACLs). Option D (Integrity) is correct because it ensures data is not altered without detection, enforced through hashing and digital signatures. Option E (Availability) is correct because it ensures systems and data are reachable when needed, enforced through redundancy, backups, and DoS protection.

Exam trap

Cisco often tests the distinction between the CIA triad and other security principles like non-repudiation or accountability, leading candidates to mistakenly include them as part of the triad when they are separate concepts.

247
MCQeasy

A security analyst needs to ensure data integrity. Which control best achieves this?

A.Logging
B.Encryption
C.Access control
D.Hashing
AnswerD

Hashing produces a unique hash that changes if data is altered, ensuring integrity.

Why this answer

Hashing is the correct control for ensuring data integrity because it produces a fixed-length digest (e.g., SHA-256) from the original data. Any change to the data, even a single bit, results in a completely different hash value, allowing the analyst to detect tampering or corruption. Unlike encryption, hashing is a one-way function that does not conceal the data but verifies its unchanged state.

Exam trap

Cisco often tests the distinction between confidentiality (encryption) and integrity (hashing), so the trap here is that candidates confuse encryption's ability to hide data with the ability to detect tampering, leading them to select encryption instead of hashing.

How to eliminate wrong answers

Option A is wrong because logging records events and provides an audit trail, but it does not verify that the data itself has not been altered. Option B is wrong because encryption protects confidentiality by transforming data into ciphertext, but it does not detect changes to the plaintext; a modified ciphertext may still decrypt to a different plaintext without alerting the analyst. Option C is wrong because access control restricts who can read or write data, but it does not provide a mechanism to verify that the data has remained unchanged after authorized access.
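To make the encryption-versus-hashing distinction concrete, here is an added Python example (not part of the question bank). It uses a deliberately toy XOR stream cipher, labelled as such in the code, to show a ciphertext bit-flip decrypting to an altered plaintext with no error, then shows a SHA-256 digest and an HMAC catching the same change. The key and message are constructed sample values.

```python
"""Added example (not from the question bank): why hashing, not encryption,
detects tampering. A toy XOR stream cipher shows that encryption alone is
malleable; SHA-256 and HMAC-SHA-256 show how integrity is actually verified."""
import hashlib
import hmac


def xor_stream_encrypt(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (illustration only, NOT for real use): keystream is
    # SHA-256(key || counter), XORed with the data. Encrypt == decrypt.
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream.extend(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(d ^ k for d, k in zip(data, keystream))


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Attacker flips ciphertext bits so the plaintext at `offset` changes from
    # `old` to `new` without knowing the key: c' = c XOR old XOR new.
    patched = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)


def integrity_check(data: bytes, expected_digest: str) -> bool:
    # Plain SHA-256 comparison: any changed bit yields a different digest.
    return hashlib.sha256(data).hexdigest() == expected_digest


def hmac_check(key: bytes, data: bytes, tag: bytes) -> bool:
    # HMAC binds the digest to a key, so the attacker cannot recompute it.
    return hmac.compare_digest(hmac.new(key, data, "sha256").digest(), tag)


def demo() -> dict:
    key = b"constructed-demo-key"          # constructed sample key
    msg = b"PAY 0100 USD TO ACCT 42"       # constructed sample message
    ct = xor_stream_encrypt(key, msg)
    digest = hashlib.sha256(msg).hexdigest()
    tag = hmac.new(key, ct, "sha256").digest()

    # Encryption alone: the amount is changed blindly, and decryption "works".
    ct2 = tamper(ct, msg.index(b"0100"), b"0100", b"9900")
    pt2 = xor_stream_encrypt(key, ct2)

    return {
        "decrypts_without_error": pt2.startswith(b"PAY 9900"),
        "hash_detects_change": not integrity_check(pt2, digest),
        "hmac_detects_change": not hmac_check(key, ct2, tag),
        "hash_ok_on_original": integrity_check(msg, digest),
    }


if __name__ == "__main__":
    print(demo())
```

The first result is the point of Option B's elimination: the tampered ciphertext decrypts cleanly to a different amount and nothing complains. Only the digest (or, against an active attacker who could recompute a plain hash, the keyed HMAC) exposes the change.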

248
Multi-Selecthard

According to the principle of least privilege, which THREE of the following access controls should be implemented for a typical user account? (Choose three.)

Select 3 answers
A.Administrative rights to the local machine
B.Ability to change their own password
C.Ability to install software
D.Write access to their own home directory
E.Read access to shared company calendar
AnswersB, D, E

Users need to manage their own passwords.

Why this answer

Least privilege means users get only the rights their job requires. A typical user needs write access to their own home directory, read access to the shared company calendar, and the ability to change their own password. They do not need software installation rights or local administrative rights; both let a careless user or malware running in the user's context alter the system itself.

249
MCQeasy

A network administrator wants to detect SQL injection attacks against web servers. Which type of IDS/IPS sensor placement would be most effective?

A.Outside the firewall
B.At the core switch
C.On the internal network
D.Inside the firewall on the DMZ
AnswerD

Monitors traffic to web servers after firewall filtering, reducing noise.

Why this answer

Option D is correct because placing the IDS/IPS inside the firewall on the DMZ allows it to inspect traffic that has already passed the firewall's initial access controls but is still destined for the web servers. SQL injection attacks target application-layer vulnerabilities in web services, and the DMZ is the network segment where these servers reside. This placement ensures the sensor can analyze HTTP payloads for malicious SQL patterns without being overwhelmed by general internet noise, while the firewall provides a first line of defense against non-web threats. Note that the sensor can only inspect HTTPS payloads where TLS is terminated or decrypted ahead of it (for example behind a load balancer or via a decryption policy); otherwise it sees only encrypted traffic.

Exam trap

Cisco often tests the misconception that placing the IDS/IPS outside the firewall provides the best visibility, but the trap is that this ignores the need to filter out irrelevant traffic and focus on the specific segment (DMZ) where the targeted servers and their application-layer vulnerabilities exist.

How to eliminate wrong answers

Option A is wrong because placing the IDS/IPS outside the firewall exposes it to unprocessed internet traffic, including floods, scans, and encrypted noise, which can cause false positives and resource exhaustion before the firewall filters legitimate traffic. Option B is wrong because the core switch handles internal VLAN routing and high-speed backbone traffic; placing a sensor there would miss the specific HTTP/HTTPS traffic to web servers in the DMZ and could introduce latency in critical switching paths. Option C is wrong because the internal network is typically for trusted users and internal resources; SQL injection attacks originate from external or untrusted sources targeting web servers, so a sensor on the internal network would not see the attack traffic unless it has already passed through the DMZ and been redirected, which is inefficient and misses the point of early detection.

250
MCQmedium

An analyst discovers that an employee has been using company-issued laptops to run a personal cryptocurrency mining software. Which policy violation has occurred?

A.Incident Response Policy
B.Change Management Policy
C.Acceptable Use Policy
D.Data classification policy
AnswerC

AUP defines permitted use of company assets; mining is unauthorized.

Why this answer

Cryptocurrency mining on company-issued laptops violates the Acceptable Use Policy (AUP) because it consumes company resources for personal, non-work purposes. Option C is correct. Option A (incident response policy) defines how security events are handled, Option B (change management policy) governs modifications to systems, and Option D (data classification policy) is about labeling and handling data by sensitivity; none of them define the permitted use of company assets.

251
MCQeasy

An IDS generates an alert for a signature that matches HTTP traffic containing 'cmd.exe' in the URI. The analyst checks the packet and sees the URI is actually 'cmd.exe?help'. What should the analyst do?

A.Block the source IP
B.Tune the signature to reduce false positives
C.Disable the signature
D.Escalate to incident response
AnswerB

Tuning allows the signature to still detect malicious usage while ignoring benign occurrences.

Why this answer

The IDS signature triggered on the presence of 'cmd.exe' in the URI, but the actual traffic was 'cmd.exe?help', which is a legitimate help request and not an exploitation attempt. Tuning the signature to account for the query string reduces false positives without losing detection capability for actual attacks. This aligns with best practices for IDS management, where signatures are adjusted to match real threat patterns rather than exact strings.

Exam trap

Cisco often tests the distinction between a false positive and a true positive, and the trap here is that candidates may assume any match for 'cmd.exe' is malicious, leading them to choose escalation or blocking instead of recognizing the need for signature tuning.

How to eliminate wrong answers

Option A is wrong because blocking the source IP would be an overreaction to a false positive; the traffic is benign and does not indicate malicious intent. Option C is wrong because disabling the signature entirely would remove detection for actual 'cmd.exe' exploitation attempts, leaving the network vulnerable. Option D is wrong because escalating to incident response is unnecessary for a confirmed false positive; incident response is reserved for verified security incidents, not benign traffic that triggered a signature.
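The following Python is an added example (not Cisco signature syntax and not from the question bank) of what "tuning" means in practice: the naive 'cmd.exe' match from the question beside a tuned pattern, both scored over a constructed set of labelled URIs, with the "disable the signature" case for comparison. The regexes and the samples are illustrative assumptions.

```python
"""Added example (not part of the question bank): a naive cmd.exe signature
beside a tuned one, scored over constructed URIs. Regexes are illustrative."""
import re

# Naive: fires on any URI containing cmd.exe, including help pages and docs.
NAIVE = re.compile(r"cmd\.exe", re.IGNORECASE)

# Tuned: fires only when cmd.exe is reached through directory traversal or is
# invoked with a command switch (/c or /k) in the query string.
TUNED = re.compile(
    r"\.\.(?:%2f|%5c|/|\\).*cmd\.exe"     # traversal, e.g. ..%5c..%5cwinnt/system32/cmd.exe
    r"|cmd\.exe\?(?:/|%2f)[ck]\b",         # cmd.exe?/c+<command>
    re.IGNORECASE,
)

# Constructed samples: (uri, is_malicious)
SAMPLE_URIS = [
    ("/help/cmd.exe?help", False),                                   # the false positive in the question
    ("/docs/cmd.exe-reference.html", False),
    ("/index.html", False),
    ("/scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:\\", True),
    ("/cgi-bin/cmd.exe?/c+whoami", True),
]


def evaluate(pattern, samples):
    """Count true positives, false positives and false negatives for a signature."""
    tp = fp = fn = 0
    for uri, malicious in samples:
        hit = pattern.search(uri) is not None
        tp += hit and malicious
        fp += hit and not malicious
        fn += (not hit) and malicious
    return {"tp": tp, "fp": fp, "fn": fn}


def evaluate_disabled(samples):
    """Option C: with the signature off, every real attack becomes a false negative."""
    return {"tp": 0, "fp": 0, "fn": sum(m for _, m in samples)}


if __name__ == "__main__":
    print("naive   ", evaluate(NAIVE, SAMPLE_URIS))
    print("tuned   ", evaluate(TUNED, SAMPLE_URIS))
    print("disabled", evaluate_disabled(SAMPLE_URIS))
```

The tuned rule keeps both attack URIs and drops both benign ones; disabling the rule keeps nothing, which is the cost Option C hides.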

252
MCQhard

A vendor security policy requires that all third-party remote access be limited to specific IP addresses and use multi-factor authentication. During an audit, it is discovered that a vendor's entire office subnet is allowed instead of individual IPs. The vendor argues that the broader range is necessary for redundancy. What is the best way to handle this from a policy perspective?

A.Amend the policy to allow entire subnets for vendors with multi-factor authentication
B.Accept the subnet as long as multi-factor authentication is used
C.Require the vendor to comply with the existing policy exactly as written
D.Work with the vendor to define a list of specific IPs that cover their redundancy needs while adhering to policy
AnswerD

This balances security requirements with operational needs and ensures policy compliance.

Why this answer

Option D is correct because it acknowledges the vendor's redundancy need while preserving the policy's intent through a technical control: an explicit list of the specific source addresses the vendor actually uses (for example each of its redundant egress IPs) rather than an entire subnet. Option C forces the vendor to comply with no flexibility and leaves the redundancy problem unsolved. Option B accepts a broader attack surface on the strength of MFA alone. Option A weakens the policy for every vendor to accommodate one.

253
Multi-Selecthard

Which THREE types of network traffic anomalies are strong indicators of a data exfiltration attempt?

Select 3 answers
A.TCP connections with unusual port numbers (e.g., using SSH on port 80)
B.DNS queries with long subdomains encoding data
C.Frequent ARP requests from a single host
D.High number of SYN packets without corresponding ACKs
E.Large amounts of outbound traffic to a single destination during non-business hours
AnswersA, B, E

Unusual port usage can indicate covert channels.

Why this answer

Option A is correct because data exfiltration often involves tunneling covert traffic over non-standard ports to bypass firewall rules. For example, using SSH on TCP port 80 (HTTP) allows an attacker to hide command-and-control or file transfer traffic within allowed web traffic, making it difficult for basic port-based ACLs to detect. Option B is correct because DNS tunneling encodes data in long, high-entropy subdomain labels of queries to an attacker-controlled domain, which most networks allow outbound. Option E is correct because bulk outbound volume to one destination while users are not working is a classic sign of a staged data push. Frequent ARP requests (Option C) indicate local reconnaissance or a misbehaving host, and SYN packets without ACKs (Option D) indicate a SYN flood or scan, not an established exfiltration channel.

Exam trap

Cisco often tests the distinction between network anomalies that indicate data exfiltration versus those that indicate denial-of-service or reconnaissance; the trap here is confusing a SYN flood (Option D) with a covert channel, when exfiltration requires established, often stealthy, outbound connections.

254
MCQmedium

An organization uses Windows 10 Enterprise workstations with standard user accounts (no local admin). Users run daily tasks including web browsing, document editing, and accessing a corporate intranet. Recently, the security team detected anomalous outbound traffic from one workstation to an IP address in a foreign country. The workstation's host-based firewall shows that a process named 'svch0st.exe' initiated the connection. Additionally, a scheduled task named 'UpdateTask' runs every hour with SYSTEM privileges, executing a script from a hidden folder. The user reports no unusual behavior except occasional system slowdowns. The analyst must determine the best immediate course of action. Which action should the analyst take first?

A.Run an antivirus scan and if nothing is found, ignore the alert as a false positive
B.Immediately disconnect the workstation from the network and perform a full system restore from a known good backup
C.Delete the scheduled task and the script from the hidden folder, then reboot the workstation
D.Disable the scheduled task and terminate the svch0st.exe process, then collect a forensic image of the workstation for further analysis
AnswerD

This stops malicious activity while preserving the script and other evidence on disk for later analysis.

Why this answer

Option D is correct because the immediate priority is to contain the threat by disabling the scheduled task and terminating the malicious process (svch0st.exe) to stop further outbound communication, while preserving the system state for forensic analysis. Collecting a forensic image ensures that evidence (e.g., the script, scheduled task artifacts, and network logs) is not destroyed, allowing the security team to perform root-cause analysis and determine the full scope of the compromise. This approach balances containment with evidence preservation, which is critical in incident response.

Exam trap

Cisco often tests the distinction between containment (stopping the active threat) and eradication (removing files), where candidates mistakenly choose to delete artifacts immediately (Option C) instead of first containing the process and preserving evidence for analysis.

How to eliminate wrong answers

Option A is wrong because relying solely on an antivirus scan is insufficient; the process 'svch0st.exe' mimics legitimate 'svchost.exe' and may evade signature-based detection, and ignoring the alert could allow persistent access. Option B is wrong because immediately disconnecting and restoring from backup destroys volatile evidence (e.g., running processes, memory contents, and scheduled task details) needed for forensic analysis, and may not remove the threat if the backup is also compromised. Option C is wrong because deleting the scheduled task and script without first containing the active process (svch0st.exe) allows the malware to continue running and potentially re-establish persistence or exfiltrate data; also, rebooting may destroy evidence in memory.

255
MCQeasy

You are monitoring network traffic and notice a sudden spike in outbound UDP traffic from a single internal host to various external IPs on port 123 (NTP). The traffic pattern shows a high volume of small packets. The host in question is a Linux server that does not run any NTP services. The IDS does not generate any alerts for this traffic. Which type of attack is most likely occurring?

A.The host is participating in an NTP amplification DDoS attack.
B.The host is scanning for open NTP servers.
C.Data exfiltration via NTP tunneling.
D.The host is performing an NTP time synchronization query.
AnswerA

NTP amplification uses small queries to generate large responses; the outbound traffic is the queries.

Why this answer

The sudden spike in outbound UDP traffic from a single internal host to many external IPs on port 123 (NTP) with small packets is the query side of an NTP amplification DDoS attack. The internal host (most likely running a bot or other malware) is sending small NTP requests, typically with the source address spoofed to the victim's, to many open NTP servers; those servers act as the reflectors/amplifiers and return much larger replies to the victim. The lack of IDS alerts is expected, because each individual packet is a well-formed NTP query that matches no signature; the volume and the diversity of destinations are what reveal the attack.

Exam trap

Cisco often tests the roles in an amplification attack: the victim receives the large responses, the open NTP servers are the reflectors/amplifiers, and the compromised host sends the small spoofed queries. Candidates mistakenly assume the internal host is the victim, when the outbound traffic shows it is the source of the queries.

How to eliminate wrong answers

Option B is wrong because a scan sends one or a few probes per target, moves on, and exists to read the replies; a sustained high volume of small packets to many external NTP servers is the amplification pattern, not reconnaissance. Option C is wrong because data exfiltration via NTP tunneling would carry data to a small number of attacker-controlled endpoints, with irregular packet sizes or timing, not a high-volume spray of uniform small packets across many IPs; the described pattern lacks the stealth of tunneling. Option D is wrong because an NTP time synchronization query involves a small number of packets to a few NTP servers (e.g., pool.ntp.org), not a high volume of small packets to numerous external IPs; the host does not run NTP services, making this behavior anomalous.
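As an added example that serves both question 253 (port/application mismatch and off-hours bulk transfer) and this question (a host spraying small UDP/123 queries), here is Python (not from the question bank) that applies flow-level checks to constructed NetFlow-style records. These are the statistics an analyst would use when, as here, the IDS sees only well-formed packets and has nothing to alert on. The record fields, including the exporter-identified `app`, are assumptions, and the thresholds are illustrative.

```python
"""Added example (not part of the question bank): flow-level anomaly checks for
NTP query spraying, off-hours bulk transfers and port/application mismatches.
Records are constructed NetFlow-style summaries, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    app: str      # application as identified by the exporter (assumed field)
    pkts: int
    bytes: int
    hour: int     # local hour in which the flow started


def _ntp_spray(src, n_dsts):
    # Constructed: one small-packet flow to each of n_dsts external NTP servers.
    return [Flow(src, f"203.0.113.{i}", "udp", 123, "ntp", 250, 250 * 76, 14)
            for i in range(1, n_dsts + 1)]


FLOWS = _ntp_spray("10.1.1.50", 40) + [
    Flow("10.1.1.20", "198.51.100.10", "udp", 123, "ntp", 4, 4 * 76, 9),   # normal time sync
    Flow("10.1.1.20", "198.51.100.11", "udp", 123, "ntp", 4, 4 * 76, 9),
    Flow("10.1.1.77", "192.0.2.9", "tcp", 443, "https", 900_000, 700_000_000, 2),  # 02:00 bulk push
    Flow("10.1.1.30", "192.0.2.5", "tcp", 443, "https", 5_000, 8_000_000, 11),     # daytime browsing
    Flow("10.1.1.88", "192.0.2.44", "tcp", 80, "ssh", 300, 60_000, 15),            # SSH over tcp/80
    Flow("10.1.1.30", "192.0.2.6", "tcp", 80, "http", 50, 40_000, 11),
]


def ntp_query_sprayers(flows, min_dsts=20, max_bytes_per_pkt=100):
    """Sources sending small UDP/123 packets to many distinct hosts: the query
    side of an NTP amplification attack, not a time-sync client."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.dport == 123:
            by_src[f.src].append(f)
    hits = []
    for src, fl in by_src.items():
        bytes_per_pkt = sum(f.bytes for f in fl) / sum(f.pkts for f in fl)
        if len({f.dst for f in fl}) >= min_dsts and bytes_per_pkt <= max_bytes_per_pkt:
            hits.append(src)
    return sorted(hits)


def off_hours_bulk_transfers(flows, min_bytes=100_000_000, business_hours=range(8, 18)):
    """Large outbound volume to a single destination outside business hours."""
    totals = defaultdict(int)
    for f in flows:
        if f.hour not in business_hours:
            totals[(f.src, f.dst)] += f.bytes
    return sorted(k for k, v in totals.items() if v >= min_bytes)


EXPECTED_APP = {22: "ssh", 53: "dns", 80: "http", 123: "ntp", 443: "https"}


def port_app_mismatches(flows):
    """Well-known port carrying a different application (e.g. SSH on tcp/80)."""
    return sorted({(f.src, f.dst, f.dport, f.app) for f in flows
                   if f.dport in EXPECTED_APP and EXPECTED_APP[f.dport] != f.app})


if __name__ == "__main__":
    print("NTP query sprayers:", ntp_query_sprayers(FLOWS))
    print("Off-hours bulk transfers:", off_hours_bulk_transfers(FLOWS))
    print("Port/app mismatches:", port_app_mismatches(FLOWS))
```

One caveat for the NTP check: if the bot spoofs the victim's address, a flow exporter placed upstream records the victim's address as the source, so the correlation has to be done on the ingress interface (or the spoofed packets should already be dropped by anti-spoofing filters such as uRPF at the access layer). The question's wording, which attributes the flows to the internal host, implies the exporter sees the host's real address.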

256
MCQeasy

Refer to the exhibit. An analyst sees repeated ICMP echo requests from a host to the broadcast address. What is this an example of?

A.Ping sweep
B.Smurf attack
C.ICMP tunneling
D.Denial of service
AnswerB

Smurf attack uses broadcast ICMP to amplify traffic.

Why this answer

A Smurf attack sends ICMP echo requests to a network broadcast address with the source IP spoofed to the victim's address. All hosts on the network reply to the victim, overwhelming it with traffic. This is a classic amplification-based denial-of-service attack.

Exam trap

Cisco often tests the distinction between a generic DoS and a specific named attack (Smurf) to see if candidates recognize the unique broadcast amplification mechanism rather than just the outcome of service disruption.

How to eliminate wrong answers

Option A is wrong because a ping sweep sends ICMP echo requests to multiple individual hosts to map live systems, not to a broadcast address. Option C is wrong because ICMP tunneling encapsulates non-ICMP data (e.g., DNS, HTTP) inside ICMP packets to bypass firewalls, not to flood a victim via broadcast amplification. Option D is wrong because while a Smurf attack results in denial of service, the specific technique described (ICMP echo requests to a broadcast address) is the Smurf attack, not a generic DoS; Cisco expects the precise attack name.

257
Matchingmedium

Match each Linux command to its function.


Search text using patterns

Capture and analyze network packets

Display network connections and statistics

Configure firewall rules

Change file permissions

Why these pairings

These commands are essential for Linux system administration and security analysis.

258
MCQeasy

A security analyst notices repeated failed login attempts from a single IP address to the company's VPN gateway. Which action should the analyst take first?

A.Escalate to the incident response team immediately.
B.Block the IP at the firewall immediately.
C.Investigate the source IP for malicious activity.
D.Ignore the activity as it may be a user error.
AnswerC

Investigation helps determine the nature of the failed attempts before taking action.

Why this answer

Option C is correct because the first step in security monitoring is to investigate the source IP to determine if the failed login attempts are part of a brute-force attack, a misconfigured client, or a legitimate user error. Without context, blocking the IP or escalating prematurely could disrupt legitimate access or waste resources. The analyst should gather evidence (e.g., logs, timestamps, user accounts targeted) before taking further action.

Exam trap

Cisco often tests the principle that investigation must precede action, tempting candidates to choose immediate blocking (Option B) because it seems proactive, but the correct first step is always to gather context to avoid disrupting legitimate traffic.

How to eliminate wrong answers

Option A is wrong because escalating to the incident response team immediately without investigation is premature; the analyst must first confirm malicious intent to avoid unnecessary escalation. Option B is wrong because blocking the IP at the firewall immediately could deny service to a legitimate user if the IP is shared (e.g., NAT) or if the attempts are due to a forgotten password, and it bypasses the required investigative step. Option D is wrong because ignoring the activity violates security monitoring best practices; repeated failed login attempts are a common indicator of brute-force attacks and must be investigated, not dismissed as user error.

259
MCQmedium

Refer to the exhibit. An analyst examines the port security status on a switch interface. What action should the analyst take to restore connectivity to the device connected to this port?

A.Remove the port from the VLAN
B.Clear the MAC address table on the switch
C.Shut down and re-enable the interface
D.Increase the maximum number of MAC addresses allowed
AnswerC

Re-enabling the interface after a shutdown clears the errdisable state.

Why this answer

When a port security violation occurs (e.g., a MAC address limit is exceeded or a sticky MAC changes), the switch can be configured to err-disable the interface. The standard remediation is to administratively shut down the interface (shutdown) and then re-enable it (no shutdown), which clears the error condition and restores connectivity; alternatively, 'errdisable recovery cause psecure-violation' lets the switch re-enable the port automatically after the recovery interval. Either way, the analyst should confirm that the violation was not caused by an unauthorized device before restoring the port. This is the only action among the options that directly addresses the err-disable state caused by the security violation.

Exam trap

Cisco often tests the misconception that clearing the MAC address table or adjusting the MAC limit will restore connectivity, but the trap here is that the interface is in an err-disabled state, which requires a manual or automatic interface reset, not a table or configuration change.

How to eliminate wrong answers

Option A is wrong because removing the port from the VLAN does not clear the err-disable state or the security violation; it would only isolate the port from the network without resolving the underlying issue. Option B is wrong because clearing the MAC address table on the switch removes all dynamically learned MAC entries across all interfaces, but it does not clear the specific port security violation or the err-disable state on the affected interface. Option D is wrong because increasing the maximum number of MAC addresses allowed does not fix the current violation; it only prevents future violations if the current number of MACs is below the new limit, but the port remains err-disabled until it is manually or automatically recovered.

260
MCQmedium

A network engineer is configuring a Cisco Firepower IPS. To reduce false positives from legitimate updates, which action should be taken?

A.Use a whitelist for the update server
B.Enable adaptive profile
C.Disable the signature
D.Set the signature to generate only alert
AnswerB

Adaptive profiles adjust detection based on baseline traffic, reducing false positives.

Why this answer

Enabling adaptive profiles lets Firepower use the host profile data gathered by network discovery (the target's operating system and services) when it reassembles and inspects traffic, so each session is evaluated the way the actual target would process it; alerts that cannot apply to that host are dropped, which lowers false positives. Whitelisting the update server would also silence the alerts, but it is a blanket exception for one source, whereas adaptive profiles improve detection accuracy across all traffic.

261
MCQeasy

A SOC analyst receives an alert for 'Malware Detected' from an endpoint sensor. The analyst checks the endpoint and sees a file named 'invoice.exe' in the Downloads folder. What should the analyst do first?

A.Escalate to a senior analyst.
B.Run a full antivirus scan.
C.Isolate the host from the network.
D.Delete the file immediately.
AnswerC

Contains the threat and prevents spread.

Why this answer

The correct first step is to isolate the host from the network (C) because the alert indicates active malware ('invoice.exe' in Downloads). Containment is the immediate priority in incident response to prevent lateral movement and data exfiltration. Isolating the host stops any ongoing C2 communication or propagation over the network, aligning with the NIST SP 800-61 containment strategy.

Exam trap

Cisco often tests the incident response priority of containment over eradication or escalation, and the trap here is that candidates may choose to delete the file (D) or run a scan (B) first, mistaking remediation for the initial response step.

How to eliminate wrong answers

Option A is wrong because escalation to a senior analyst should occur after initial containment, not before; the SOC analyst has the authority and responsibility to isolate the host first. Option B is wrong because running a full antivirus scan is a secondary step that could alert the malware or consume time while the threat remains active on the network. Option D is wrong because deleting the file immediately destroys forensic evidence and does not stop potential in-memory or persistence mechanisms that may already be active.

262
MCQeasy

An analyst is reviewing a suspicious email reported by a user. The email contains an attachment 'invoice.pdf' and urges the user to open it. Which indicator is most likely to confirm it is a phishing attempt?

A.The email has a company logo.
B.The email was sent from a domain that looks like 'arnazon.com'.
C.The attachment is a PDF file.
D.The email was sent during business hours.
AnswerB

Typo-squatting domain indicates phishing.

Why this answer

The most definitive indicator of a phishing attempt is a spoofed sender domain that mimics a legitimate company (e.g., 'arnazon.com' instead of 'amazon.com'). This is a classic typosquatting technique used to deceive users into trusting the email's origin. While other elements like logos or PDF attachments can be part of a phishing campaign, they are not inherently malicious and are commonly used in legitimate business communications.

Exam trap

Cisco often tests the distinction between a suspicious element (like a PDF attachment) and a definitive indicator of phishing (like a spoofed domain), leading candidates to incorrectly choose the attachment type as the answer.

How to eliminate wrong answers

Option A is wrong because a company logo can be easily copied and embedded in any email; its presence does not confirm phishing and is often used in both legitimate and malicious emails. Option C is wrong because PDF files are a standard, legitimate file format used for invoices; the attachment type alone is not an indicator of phishing. Option D is wrong because phishing emails can be sent at any time, including business hours, to blend in with normal traffic; timing is not a reliable indicator of malicious intent.

263
MCQhard

An organization uses Cisco AMP for Endpoints. A file with a low prevalence score is executed on multiple endpoints, and AMP identifies it as malicious after behavioral analysis. The analyst needs to ensure that all endpoints are protected from this file. Which action should be taken?

A.Create a custom IOC for the file hash and apply it to an outbreak policy.
B.Isolate all endpoints that executed the file.
C.Disable cloud connectivity for AMP to prevent recurrence.
D.Run a scan on each endpoint using the local AMP engine.
AnswerA

Outbreak policy blocks the file across all endpoints.

Why this answer

Creating a custom IOC for the file hash and applying it to an outbreak policy is correct because Cisco AMP for Endpoints uses outbreak policies to rapidly deploy protections across all endpoints. Once behavioral analysis identifies the file as malicious, the IOC (based on the file's SHA-256 hash) can be pushed via an outbreak policy to block execution, quarantine, or remediate the file on every endpoint, regardless of prior prevalence. This ensures immediate, global protection without waiting for cloud signature updates.

Exam trap

Cisco often tests the distinction between reactive containment (isolation) and proactive prevention (outbreak policies), leading candidates to choose isolation because it seems immediate, but the question asks for ensuring all endpoints are protected, which requires a policy-based push, not just isolating affected systems.

How to eliminate wrong answers

Option B is wrong because isolating all endpoints that executed the file is a reactive containment step that does not prevent the file from executing on other endpoints that have not yet encountered it; it also disrupts user productivity unnecessarily. Option C is wrong because disabling cloud connectivity for AMP would prevent the endpoints from receiving real-time threat intelligence and outbreak policies, leaving them vulnerable to new threats and defeating the purpose of AMP's cloud-based analysis. Option D is wrong because running a local scan using the AMP engine only checks for known signatures already present on the endpoint; it cannot detect or remediate a file that was just identified as malicious via behavioral analysis unless the local signatures are updated, which is slower and less reliable than an outbreak policy.

264
Drag & Dropmedium

Drag and drop the steps for the DHCP DORA process (dynamic host configuration) into the correct order.


Why this order

DORA: Discover, Offer, Request, Acknowledge.

265
Multi-Selecthard

An organization's security policy requires that all security incidents be reported within 1 hour. A system administrator discovers a potential data breach but delays reporting by 3 hours because they were trying to contain it. Which TWO are the most likely consequences of this delay?

Select 2 answers
A.The incident will be automatically closed.
B.The administrator will be terminated.
C.The incident response team loses valuable time for analysis.
D.The breach may escalate due to lack of containment.
E.The organization may face regulatory fines for late reporting.
AnswersC, E

Delayed reporting reduces response effectiveness.

Why this answer

Options C and E are correct. Option C: the incident response team loses three hours it could have spent on analysis, scoping, and coordinated containment. Option E: many regulations and contracts impose reporting windows, so late internal reporting can translate into late external notification and fines. Option B: termination is possible but not the most likely consequence. Option D: the administrator was actively trying to contain the breach, so escalation from lack of containment is not a direct consequence of the reporting delay itself. Option A: incidents are not closed automatically.

266
Multi-Selectmedium

Which THREE of the following are common types of security policies that organizations typically implement?

Select 3 answers
A.ISO 27001 Standard
B.Data Classification Policy
C.Password Policy
D.Patch Management Procedure
E.Acceptable Use Policy (AUP)
AnswersB, C, E

Categorizes data based on sensitivity and handling requirements.

Why this answer

Options B, C, and E are correct: data classification policy (B), password policy (C), and acceptable use policy (E) are standard organizational policy types. Option D is a procedure (the "how"), not a policy (the "what" and "why"). Option A is an external standard an organization may adopt, not a policy type.

267
MCQeasy

Refer to the exhibit. An analyst runs the command 'tasklist /svc /fi "PID eq 1234"' on a Windows host and receives the output shown. Which conclusion can the analyst draw from this output?

A.The process is a third-party application
B.The process is using excessive CPU resources
C.The process is a legitimate Windows service host
D.The process is likely malware masquerading as svchost.exe
AnswerC

svchost.exe is a legitimate Windows process that hosts multiple system services.

Why this answer

The 'tasklist /svc /fi "PID eq 1234"' command filters for a specific PID and displays the associated services. The output shows 'svchost.exe' with the service 'DcomLaunch', which is a core Windows component responsible for launching COM and DCOM services. This confirms the process is a legitimate Windows service host, not a third-party application or malware.

Exam trap

Cisco often tests the misconception that any svchost.exe process is suspicious or malware, but the key is to recognize that legitimate svchost.exe instances host specific Windows services and are identified by their associated service names and standard system paths.

How to eliminate wrong answers

Option A is wrong because the output shows 'svchost.exe', a native Windows system binary, not a third-party application. Option B is wrong because 'tasklist /svc' does not display CPU usage; it shows only the image name, PID, and the services hosted, so nothing about resource consumption can be concluded. Option D is wrong because, while malware can masquerade as svchost.exe, the hosted 'DcomLaunch' service is a strong sign of a genuine instance; a masquerading process typically hosts no services at all. Note that tasklist /svc does not show the image path, so confirming that the binary runs from C:\Windows\System32 (for example with 'Get-Process -Id 1234 | Select-Object Path' in PowerShell) and that its parent is services.exe are separate checks that complete the verification.
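The checks above, and the 'svch0st.exe' masquerade in question 254, reduce to a small triage routine. The following Python is an added example (not from the question bank) that runs it over a constructed process listing whose fields mirror what 'tasklist /svc' plus a path and parent lookup would give; the expected paths and the homoglyph map are assumptions for a default Windows install.

```python
"""Added example (not part of the question bank): triage of a process listing
for masquerading (lookalike name, wrong path, no hosted services, wrong parent).
The listing is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str
    services: tuple   # service names hosted, as shown by `tasklist /svc`
    parent: str


# Expected on-disk locations for a few core binaries (assumed, default install).
KNOWN = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
}
# Digits commonly substituted for letters in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def levenshtein(a, b):
    """Edit distance; a known name at distance 1 is a likely typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(p):
    """Return the reasons a process looks like it is masquerading ([] = clean)."""
    findings = []
    name, path = p.name.lower(), p.path.lower()
    if name in KNOWN:
        if path != KNOWN[name]:
            findings.append(f"{name} running from {path}, expected {KNOWN[name]}")
        if name == "svchost.exe":
            if not p.services:
                findings.append("svchost.exe hosting no services")
            if p.parent.lower() != "services.exe":
                findings.append(f"svchost.exe parent is {p.parent}, expected services.exe")
    else:
        for known in KNOWN:
            if name.translate(HOMOGLYPHS) == known or levenshtein(name, known) <= 1:
                findings.append(f"{p.name} resembles {known}")
                break
    return findings


SAMPLE = [  # constructed listing
    Proc(1234, "svchost.exe", r"C:\Windows\System32\svchost.exe", ("DcomLaunch", "PlugPlay"), "services.exe"),
    Proc(4120, "svch0st.exe", r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe", (), "cmd.exe"),
    Proc(5001, "svchost.exe", r"C:\Users\Public\svchost.exe", (), "explorer.exe"),
]


def triage(procs):
    return {p.pid: assess(p) for p in procs}


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE).items():
        print(pid, findings or "clean")
```

PID 1234 is the legitimate instance from this question (correct name, path, services, and parent). PID 4120 is the question-254 case, caught by the homoglyph normalization before any path check is needed. PID 5001 shows why the name alone is never enough: a correctly spelled svchost.exe in a user-writable directory, hosting nothing and spawned by explorer.exe, is flagged three times.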

268
MCQeasy

An analyst is verifying a VPN configuration. Which of the following is true about this configuration?

A.The VPN uses AES-128 encryption and SHA-1 authentication.
B.The VPN uses AES-256 encryption and SHA-2 authentication.
C.The VPN uses AES-256 encryption and SHA-1 authentication.
D.The VPN uses 3DES encryption and SHA-256 authentication.
E.The VPN uses DES encryption and MD5 authentication.
AnswerC

Correct interpretation of transform set.

Why this answer

Option C is correct because 'esp-aes 256' uses AES-256 and 'esp-sha-hmac' uses SHA-1 (HMAC-SHA-1). Option E uses DES/MD5. Option D uses 3DES/SHA-256. Option A uses AES-128/SHA-1. Option B uses AES-256/SHA-2, but SHA-2 is not specified in the transform set.

269
MCQmedium

A security auditor finds that the company's backup policy does not include offsite storage. The security policy requires that backups be stored in a geographically separate location. What should the company do?

A.Store backups in a fireproof safe on-site
B.Implement RAID on the backup server
C.Increase backup retention period
D.Use encrypted cloud backup in a different region
AnswerD

Encrypted cloud backup in a different region meets the requirement for geographically separate storage.

Why this answer

Option D is correct because encrypted offsite cloud storage satisfies the geographical separation requirement. Option A is wrong because onsite storage is not geographically separate. Option B is wrong because RAID provides redundancy but not offsite storage. Option C is wrong because increasing retention does not change location.

270
Multi-Selecthard

A security analyst discovers that an attacker exfiltrated data using DNS tunneling. Which TWO controls should be implemented to detect or prevent this? (Select two.)

Select 2 answers
A.Monitor DNS query sizes and frequencies
B.Use a DNS sinkhole
C.Disable recursive DNS on the internal DNS server
D.Implement DNSSEC
E.Block all DNS queries to external servers
AnswersA, B

Unusually large or frequent queries may indicate tunneling.

Why this answer

Option A is correct because DNS tunneling often involves unusually large query sizes (e.g., encoded data in subdomains) and abnormal query frequencies (e.g., thousands of requests per minute). Monitoring these metrics allows analysts to spot deviations from baseline behavior, which is a key detection technique for exfiltration via DNS. Option B is correct because a DNS sinkhole redirects malicious or suspicious DNS queries to a controlled IP address, effectively blocking the resolution of domains used for tunneling and preventing data from reaching the attacker's command-and-control server.

Exam trap

Cisco often tests the misconception that DNSSEC or disabling recursion can stop DNS tunneling, but DNSSEC only signs records and does not inspect payloads, while disabling recursion breaks internal resolution without affecting external tunneling via forwarders.

271
MCQmedium

You are the cybersecurity analyst for a small business that has a security policy requiring all network traffic to pass through a proxy server for content filtering. Recently, employees have been complaining that some websites are not loading correctly. You check the proxy logs and see that the proxy is blocking traffic that appears to be from non-standard ports. However, upon investigation, you find that the blocked sites are legitimate business tools that use custom ports. Which action aligns with the security policy?

A.Instruct employees to access the tools via HTTP instead.
B.Configure the proxy to allow all traffic on custom ports for those specific tools.
C.Disable content filtering for the affected employees.
D.Create a security exception based on business need and document it.
AnswerD

This balances security and usability while maintaining audit trail.

Why this answer

Option D is correct because creating a documented exception addresses the legitimate need while maintaining policy control. Option B bypasses policy by allowing all traffic on custom ports; Option C disables content filtering entirely; Option A may not be feasible.

272
MCQhard

A company uses a SIEM that collects logs from firewalls, servers, and endpoints. The SIEM is generating a high volume of low-priority events, causing analysts to miss critical alerts. Which approach would best improve the signal-to-noise ratio?

A.Implement event filtering and correlation rules to reduce false positives.
B.Deploy additional sensors to collect more data.
C.Hire more analysts to review all events.
D.Increase the storage capacity of the SIEM.
AnswerA

Filtering and correlation reduce noise and highlight relevant events.

Why this answer

The SIEM's high volume of low-priority events indicates a poor signal-to-noise ratio, where benign or irrelevant events drown out critical alerts. Implementing event filtering and correlation rules directly reduces false positives by discarding known noise (e.g., repeated benign scans) and grouping related events into meaningful alerts, allowing analysts to focus on genuine threats. This is the standard approach in SIEM tuning to improve detection fidelity without adding resources or data.

Exam trap

Cisco often tests the misconception that 'more data equals better security' (Option B), but the real goal is to reduce noise through intelligent filtering and correlation, not to increase data volume.

How to eliminate wrong answers

Option B is wrong because deploying additional sensors would increase the total volume of events, likely worsening the noise problem rather than improving the signal-to-noise ratio. Option C is wrong because hiring more analysts does not address the root cause of excessive low-priority events; it merely shifts the bottleneck from missing alerts to manual review, which is inefficient and unsustainable. Option D is wrong because increasing storage capacity only allows the SIEM to retain more events, but does nothing to reduce the volume of low-priority alerts or improve alert prioritization.

273
MCQmedium

A security analyst is reviewing logs from a network-based IPS that detected traffic from an internal host connecting to a known malicious IP address on port 6667. The traffic is encrypted IRC. Which conclusion is most likely?

A.The traffic is a normal application update
B.The host is running a legitimate IRC client
C.The host is compromised and part of a botnet
D.The IPS is generating a false positive
AnswerC

Encrypted IRC to a malicious IP is a strong botnet indicator.

Why this answer

Port 6667 is the default port for IRC (Internet Relay Chat), and encrypted IRC traffic to a known malicious IP strongly indicates command-and-control (C2) communication. Botnets commonly use IRC over TLS/SSL to evade detection and issue commands to compromised hosts. Therefore, the host is most likely compromised and part of a botnet.

Exam trap

Cisco often tests the misconception that encrypted traffic is always benign or that port 6667 is only used for legitimate chat, leading candidates to overlook the known malicious IP indicator.

How to eliminate wrong answers

Option A is wrong because normal application updates typically use HTTP/HTTPS on ports 80/443 or vendor-specific ports, not port 6667 with encrypted IRC. Option B is wrong because a legitimate IRC client would not connect to a known malicious IP address; legitimate IRC servers are not blacklisted. Option D is wrong because the IPS signature matched encrypted IRC traffic to a known malicious IP, which is a strong indicator of compromise, not a false positive.

274
MCQmedium

A Cisco Firepower sensor is generating an alert for a known benign application. The analyst has verified it is a false positive. What is the first step to suppress this alert?

A.Create a network analysis policy exception.
B.Increase the severity threshold.
C.Submit a false positive report to Talos.
D.Disable the intrusion rule globally.
AnswerA

This suppresses the alert for the specific benign traffic without affecting other detections.

Why this answer

A network analysis policy (NAP) exception is the correct first step because it allows you to suppress alerts for specific benign applications without affecting the overall detection posture. In Cisco Firepower, NAP exceptions are applied before intrusion rules are evaluated, so they can filter out known false positives at the preprocessor level, preventing the rule from even triggering. This is more efficient than modifying the intrusion rule itself, as it avoids disabling detection for other traffic.

Exam trap

Cisco often tests the distinction between preprocessor-level suppression (NAP exceptions) and rule-level suppression (disabling rules), where candidates mistakenly choose to disable the rule globally instead of creating a targeted exception.

How to eliminate wrong answers

Option B is wrong because increasing the severity threshold would suppress all alerts below that severity level, not just the specific benign application, potentially missing real threats. Option C is wrong because submitting a false positive report to Talos is a feedback mechanism for improving future rule updates, not an immediate operational step to suppress an alert. Option D is wrong because disabling the intrusion rule globally would stop all alerts from that rule, including for malicious traffic that the rule is designed to detect, which is too broad and risky.

275
MCQmedium

An analyst reviews Snort alert logs and sees many alerts for 'SQL Injection Attempt' from a single external IP to a public-facing web server. Which analysis step is most effective?

A.Block the IP at the firewall immediately
B.Check the web server logs for the same IP
C.Run a port scan against the IP
D.Disable the SQL injection signature
AnswerB

Correct. Web server logs show the actual HTTP requests and can confirm if the attacks were attempted.

Why this answer

Checking the web server logs for the same IP is the most effective step because it allows the analyst to correlate the Snort alerts with actual HTTP requests. This confirms whether the SQL injection attempts were successful or merely reconnaissance, and provides context such as the specific URI, parameters, and response codes (e.g., 200 vs 500) needed to assess impact.

Exam trap

The trap here is that candidates often choose to block the IP immediately (Option A) as a 'quick fix' without realizing that incident response requires validation and evidence collection before taking containment actions.

How to eliminate wrong answers

Option A is wrong because immediately blocking the IP at the firewall is a reactive measure that may disrupt legitimate traffic (e.g., shared NAT IPs) and does not provide forensic evidence or confirm the attack's success. Option C is wrong because running a port scan against the IP is an active reconnaissance technique that could be illegal without authorization, and it does not help analyze the existing alerts or validate the SQL injection attempts. Option D is wrong because disabling the SQL injection signature would suppress all future alerts for that attack vector, leaving the web server vulnerable and eliminating visibility into ongoing or future SQL injection attempts.

276
MCQmedium

You are a security analyst for a medium-sized enterprise. You notice that the network monitoring system has flagged an unusual amount of traffic between two internal hosts: 192.168.1.10 (a file server) and 192.168.1.20 (a workstation in the sales department). The traffic is occurring on port 445 (SMB) and is happening outside of normal business hours. The volume of data transferred is significantly higher than typical usage. The file server logs show that the sales workstation has been accessing a large number of files in quick succession. The sales employee reports that they have been working late, but they cannot explain the high volume of file access. You have access to the file server logs, network flow data, and the workstation's event logs. The workstation has antivirus software installed that is up to date. What should you do FIRST?

A.Isolate the workstation from the network immediately
B.Reimage the workstation to ensure it is clean
C.Run a full antivirus scan on the workstation
D.Analyze network flow data to identify the destination of the data
AnswerA

Isolation stops potential ransomware spread or data theft.

Why this answer

Option A is correct because the anomalous SMB traffic on port 445, occurring outside business hours with a high volume of file access in quick succession, strongly indicates a ransomware or data exfiltration attack. Isolating the workstation immediately contains the threat, preventing lateral movement and further encryption or exfiltration of sensitive data. This aligns with the first step in incident response: containment before analysis.

Exam trap

Cisco often tests the incident response priority of containment over analysis; the trap here is that candidates choose analysis (Option D) or remediation (Option B/C) first, forgetting that immediate isolation prevents further damage and preserves evidence for later investigation.

How to eliminate wrong answers

Option B is wrong because reimaging the workstation destroys forensic evidence (e.g., memory artifacts, logs, malware samples) needed for root cause analysis and attribution. Option C is wrong because running a full antivirus scan is a secondary step after containment; the antivirus is up to date but may not detect a zero-day or fileless malware, and scanning could trigger further malicious activity. Option D is wrong because analyzing network flow data to identify the destination is a post-containment analysis step; delaying isolation risks data exfiltration or encryption completion.

277
Multi-Selectmedium

Which two characteristics are commonly associated with a distributed denial-of-service (DDoS) attack?

Select 2 answers
A.High volume of traffic from multiple sources
B.Multiple failed login attempts
C.Slow application response time
D.Unusual increase in ICMP echo requests
E.Traffic from a single IP address
AnswersA, D

Multiple sources are a defining feature of DDoS.

Why this answer

A DDoS attack is characterized by a high volume of traffic originating from multiple compromised sources (a botnet) to overwhelm a target. This distributed nature distinguishes it from a DoS attack, which typically uses a single source. The goal is to exhaust the target's bandwidth, processing capacity, or application resources, causing denial of service for legitimate users.

Exam trap

Cisco often tests the distinction between a DoS (single source) and a DDoS (multiple sources), so the trap here is that candidates may incorrectly select 'Traffic from a single IP address' (option E) as a DDoS characteristic, confusing the two attack types.

278
MCQmedium

A security analyst is reviewing logs from a web proxy and sees that a user's machine is making frequent connections to a domain that is registered recently and has a low reputation score. What is the best action?

A.Check if the user has a legitimate need to access the domain.
B.Disable the user's network access.
C.Block the domain immediately.
D.Ignore because it might be a false positive.
AnswerA

Investigating the purpose of the connection helps determine if the activity is malicious.

Why this answer

The best action is to check if the user has a legitimate need to access the domain because a recently registered domain with a low reputation score is a strong indicator of potential malicious activity, but it could also be a false positive or a legitimate new service. Security analysts must validate the context through user inquiry or additional log correlation before taking irreversible actions like blocking or disabling access. This aligns with the principle of least disruption and evidence-based decision-making in security monitoring.

Exam trap

Cisco often tests the misconception that a low reputation score alone justifies immediate blocking, but the trap here is that the question requires you to prioritize investigation over reaction, as the best action is to gather context before applying a control.

How to eliminate wrong answers

Option B is wrong because disabling the user's network access is an overly aggressive response that disrupts productivity without confirming malicious intent, and it violates the principle of verifying before acting. Option C is wrong because blocking the domain immediately could break legitimate business operations if the domain is a newly registered but legitimate service, and it bypasses the necessary validation step. Option D is wrong because ignoring the alert dismisses a high-risk indicator (recent registration + low reputation) that commonly correlates with command-and-control (C2) traffic or phishing domains, and false positives should be investigated, not ignored.

279
Multi-Selecteasy

Which TWO actions should an analyst take when a critical alert is triggered?

Select 2 answers
A.Delete the alert to reduce noise
B.Verify the alert with other sources
C.Escalate to incident response team
D.Search for similar alerts in the past
E.Immediately power off the affected system
AnswersB, C

Correct. Corroborating the alert with other logs confirms its validity.

Why this answer

Option B is correct because verifying a critical alert with other sources (e.g., correlating with firewall logs, NetFlow data, or endpoint detection responses) is a fundamental step to confirm the alert is a true positive and not a false positive. This cross-validation reduces the risk of acting on inaccurate information and ensures that the incident response process is based on reliable evidence. Without verification, an analyst might escalate a non-threatening event, wasting resources and potentially missing a real threat.

Exam trap

Cisco often tests the misconception that immediate containment actions like powering off a system are always the correct first step, when in fact verification and preservation of evidence are prioritized to avoid destroying critical forensic data.

280
MCQeasy

Which of the following is a common indicator of a brute-force attack on an SSH server?

A.A single failed login attempt.
B.Multiple successful logins from the same user.
C.Repeated login attempts with different usernames and passwords in a short period.
D.High CPU usage on the server.
AnswerC

This pattern matches brute-force attacks trying to guess credentials.

Why this answer

A brute-force attack on an SSH server is characterized by a high volume of authentication attempts, typically using different usernames and passwords, in a short time window. This pattern aims to guess valid credentials through repeated trial and error, which is distinct from a single failure or a few successful logins. The rapid, automated nature of the attempts is the key indicator that distinguishes brute-force activity from normal user behavior.

Exam trap

Cisco often tests the distinction between a single failed login (normal) and a pattern of repeated failures (attack), leading candidates to mistakenly choose Option A because they focus on the word 'failed' rather than the volume and pattern of attempts.

How to eliminate wrong answers

Option A is wrong because a single failed login attempt is a normal event that can occur due to a typo or forgotten password, and does not indicate a systematic attack. Option B is wrong because multiple successful logins from the same user could indicate legitimate concurrent sessions or a compromised account, but it is not a direct sign of a brute-force attack, which focuses on failed attempts. Option D is wrong because high CPU usage on the server can have many causes, such as resource-intensive processes or denial-of-service attacks, and is not a specific or reliable indicator of SSH brute-force attempts.

281
MCQeasy

A SOC analyst is reviewing a firewall log and sees a large number of outbound connections from an internal server to a known command-and-control (C2) domain. The connections are on port 443, and the packets have irregular timing. What should the analyst do first?

A.Isolate the server from the network and escalate to incident response.
B.Check the server's logs for signs of compromise.
C.Ignore the alert because port 443 is normal traffic.
D.Block the domain at the firewall immediately.
AnswerA

Containment first.

Why this answer

The irregular timing and outbound connections to a known C2 domain on port 443 strongly indicate a compromised host using HTTPS to blend in with normal traffic. Isolating the server first prevents further data exfiltration or lateral movement while preserving forensic evidence, which aligns with the NIST incident response framework. Escalating to incident response ensures proper handling and analysis.

Exam trap

Cisco often tests the principle of containment before investigation, where candidates mistakenly choose to investigate logs first instead of isolating the compromised host to prevent further damage.

How to eliminate wrong answers

Option B is wrong because checking the server's logs before containment risks the attacker destroying evidence or continuing malicious activity; isolation must come first. Option C is wrong because while port 443 is used for legitimate HTTPS, the combination of a known C2 domain and irregular timing is a clear indicator of compromise, not normal traffic. Option D is wrong because blocking the domain at the firewall alone does not stop the compromised server from using other C2 domains or IPs, and it may alert the attacker without containing the host.

282
MCQhard

A financial services company has a security policy that all remote access must be through VPN with two-factor authentication. An employee on a business trip uses a hotel Wi-Fi to connect to the corporate network but claims the VPN client was not working, so they used RDP directly over the internet to access their desktop. The employee's manager approved this as a temporary measure. The security team discovers this during a log review. The policy has no provision for temporary exceptions. What should be the security team's first action?

A.Investigate whether any data was compromised during the session.
B.Report the violation to the security officer and recommend disciplinary action.
C.Disable RDP access from the internet for all users immediately.
D.Accept the manager's approval as sufficient authorization.
AnswerA

Understanding the risk helps guide subsequent actions appropriately.

Why this answer

Option A is correct because the first step is to investigate whether any data was compromised during the session. Option B might be too harsh without evidence; Option C is premature; Option D ignores the policy violation.

283
MCQmedium

A security analyst observes repeated failed login attempts to an internal web server from multiple external IP addresses. The analyst creates a correlation rule that triggers an alert if more than 10 failed logins occur from a single source IP within 5 minutes. After deploying the rule, the analyst finds that the rule generates false positives from legitimate users who mistype passwords. Which action should the analyst take to reduce false positives while maintaining detection effectiveness?

A.Whitelist all external IP addresses that belong to business partners.
B.Reduce the time window to 2 minutes to catch attacks faster.
C.Change the rule to block the source IP after 5 failed attempts.
D.Increase the threshold to 15 failed logins within a 10-minute window.
AnswerD

Higher threshold and longer window reduce false positives from occasional mistypes while still detecting sustained attacks.

Why this answer

Option D is correct because increasing the threshold to 15 failed logins within a 10-minute window reduces false positives by allowing more mistyped attempts from legitimate users before triggering an alert, while still detecting brute-force attacks. The longer time window and higher threshold smooth out transient user errors without significantly delaying detection of sustained attack patterns.

Exam trap

Cisco often tests the misconception that reducing the time window or lowering the threshold improves detection, when in fact it increases false positives, and that whitelisting or blocking IPs is a proper tuning action rather than adjusting the rule's parameters.

How to eliminate wrong answers

Option A is wrong because whitelisting external IPs of business partners would bypass security monitoring entirely, allowing those IPs to conduct unlimited failed logins without triggering alerts, which could mask compromised partner accounts. Option B is wrong because reducing the time window to 2 minutes would increase false positives by making the rule more sensitive to brief bursts of legitimate mistypes, and it would not address the root cause of user errors. Option C is wrong because changing the rule to block the source IP after 5 failed attempts would aggressively block legitimate users after a few mistypes, causing denial-of-service for valid users and potentially blocking shared IPs (e.g., NAT) used by multiple people.

284
MCQeasy

A security analyst notices that a user's account has been used to access sensitive data outside of normal working hours. Which security concept is being violated?

A.Non-repudiation
B.Confidentiality
C.Availability
D.Integrity
AnswerB

Confidentiality protects data from unauthorized access, which is the issue.

Why this answer

Option B is correct because confidential data was accessed by an unauthorized user, violating confidentiality. Option C is incorrect because availability refers to uptime, not data protection. Option D is incorrect because integrity ensures data is not altered, not that access is prevented. Option A is incorrect because non-repudiation deals with proof of action, not access control.

285
MCQhard

During a threat hunt, an analyst discovers sustained outbound traffic from a workstation to multiple IP addresses in different countries on port 443. The traffic patterns show periodic spikes at 5-minute intervals. The workstation is used by a sales representative who frequently accesses cloud CRM. Which additional evidence would most strongly suggest the workstation is compromised?

A.The CRM application uses port 443
B.The sales representative reported slow performance
C.The outbound traffic includes connections to IPs not associated with the CRM
D.The workstation has antivirus installed and up-to-date
AnswerC

Unknown IPs suggest malicious communication.

Why this answer

Option C is correct because outbound traffic to IP addresses not associated with the CRM application indicates the workstation is communicating with unknown or malicious destinations. Since the CRM is accessed via a known domain or IP range, connections to unrelated IPs on port 443 (HTTPS) suggest the workstation may be part of a botnet or exfiltrating data, especially given the periodic spikes at 5-minute intervals, which are characteristic of beaconing behavior used by malware to maintain command-and-control (C2) communications.

Exam trap

Cisco often tests the concept that legitimate application traffic (e.g., CRM on port 443) can be used as a smokescreen, and candidates mistakenly assume that any traffic on a standard port is benign, overlooking the importance of destination IP analysis and traffic patterns like beaconing.

How to eliminate wrong answers

Option A is wrong because the CRM application legitimately uses port 443 for HTTPS traffic, so this alone does not indicate compromise; it is expected behavior. Option B is wrong because slow performance is a subjective symptom that can be caused by many benign factors (e.g., network congestion, resource-heavy applications) and is not a definitive indicator of compromise. Option D is wrong because having antivirus installed and up-to-date does not guarantee the workstation is not compromised; malware can evade detection through techniques like polymorphism or zero-day exploits, and antivirus is not a real-time indicator of current infection status.

286
MCQeasy

What is the purpose of a security baseline?

A.To define the minimum acceptable security posture
B.To respond to security incidents
C.To encrypt sensitive data
D.To detect malware infections
AnswerA

Baselines establish secure configurations.

Why this answer

A security baseline defines the minimum acceptable security posture for systems, networks, and devices. It establishes a standard configuration that must be met to ensure a consistent level of security across the organization, such as requiring specific patch levels, disabling unnecessary services, and enforcing password policies. Without a baseline, there is no reference point to measure compliance or identify deviations that could indicate a security weakness.

Exam trap

Cisco often tests the distinction between a security baseline (a static reference standard) and operational security controls (like incident response or encryption), leading candidates to confuse the baseline with the tools or processes that enforce or detect security issues.

How to eliminate wrong answers

Option B is wrong because responding to security incidents is the purpose of an incident response plan (IRP) and associated procedures, not a security baseline. Option C is wrong because encrypting sensitive data is a specific security control or mechanism, often implemented via protocols like AES or TLS, not the overarching definition of a minimum security posture. Option D is wrong because detecting malware infections is the function of antivirus software, intrusion detection systems (IDS), or endpoint detection and response (EDR) tools, not a security baseline.

287
Multi-Selecthard

Which THREE of the following are common evasion techniques used by attackers?

Select 3 answers
A.Slow scans
B.Fragmentation
C.Using high ports
D.Patching vulnerabilities
E.Encryption
AnswersA, B, E

Correct. Slow scans avoid triggering threshold-based alerts.

Why this answer

Slow scans are a common evasion technique used by attackers to avoid detection by intrusion detection systems (IDS) and intrusion prevention systems (IPS). By sending packets at a very low rate, often over hours or days, the scan falls below the threshold of time-based detection algorithms that trigger alerts on rapid port sweeps. This technique exploits the fact that many security devices rely on timing heuristics to identify reconnaissance activity.

Exam trap

Cisco often tests the distinction between evasion techniques and general security practices; the trap here is that candidates may mistake 'patching vulnerabilities' as an attacker action, when in reality it is a defender's mitigation strategy, not an evasion method.

288
MCQhard

A security analyst notices that an employee is accessing the corporate network from an unauthorized device. According to the security policy, which action should the analyst take first?

A.Report the employee to human resources for disciplinary action
B.Ignore the incident because it is a minor violation
C.Disable the device's network access immediately
D.Update the security policy to allow personal devices
AnswerC

Immediate containment is a typical first step.

Why this answer

Option C is correct because the immediate priority when an unauthorized device is detected on the corporate network is to contain the threat by disabling network access. This aligns with the principle of least privilege and incident response procedures, where the first step is to stop the unauthorized access to prevent potential data breaches or malware propagation. The security policy typically mandates such immediate action to enforce access control, often implemented via 802.1X or MAC address filtering at the switch or NAC (Network Access Control) level.

Exam trap

Cisco often tests the distinction between immediate containment actions (like disabling network access) versus long-term administrative or policy changes, trapping candidates who confuse incident response phases or prioritize HR reporting over security controls.

How to eliminate wrong answers

Option A is wrong because reporting to HR for disciplinary action is a secondary step that should occur after the immediate security threat is neutralized; it does not address the active unauthorized access. Option B is wrong because ignoring the incident violates the security policy and could lead to a significant security breach, as unauthorized devices may introduce malware or bypass security controls. Option D is wrong because updating the policy to allow personal devices is a strategic decision that requires risk assessment and implementation of proper controls (e.g., MDM, VPN), not an immediate response to a violation.

289
Matching (medium)

Match each analysis type to its description.

Matches

Examining file without executing it

Running file in a sandbox to observe behavior

Matching patterns against known threats

Detecting deviations from baseline behavior

Using rules to detect unknown threats

Why these pairings

These are key analysis methodologies in cybersecurity.

290
MCQ (hard)

Refer to the exhibit. An analyst sees these log messages on a Cisco router. The source IP 10.0.0.2 is an internal server. What is the most likely explanation?

A. An external host is scanning the router.
B. The router is under a brute-force attack on the HTTP server.
C. The internal server is trying to access the router's web interface, which is blocked by an ACL.
D. The router is infected with malware and generating traffic.
Answer: C

The router's own IP is being targeted on HTTP; this is likely management access.

Why this answer

The log messages show repeated TCP connection attempts from internal server 10.0.0.2 to the router's IP on port 443 (HTTPS) and port 80 (HTTP), which are denied by an ACL. Since the source is an internal server and the destination is the router's own IP, this indicates the server is trying to reach the router's web interface, but the ACL is blocking those packets. Option C correctly identifies this scenario.

Exam trap

Cisco often tests the distinction between inbound vs. outbound traffic and internal vs. external sources, so the trap here is assuming any denied traffic to a router must be an external attack, when the source IP clearly shows it is an internal host.

How to eliminate wrong answers

Option A is wrong because the source IP 10.0.0.2 is internal, not external, so this is not an external host scanning the router. Option B is wrong because a brute-force attack on the HTTP server would typically show repeated authentication failures (e.g., HTTP 401 or 403 responses) or many login attempts, not simple TCP connection denials by an ACL. Option D is wrong because malware on the router would generate traffic from the router to other hosts, not inbound connection attempts to the router's own web interface; the logs show inbound packets being denied, not outbound traffic.

291
MCQ (medium)

An analyst is handling a data breach involving sensitive customer information (PII) stored in a database. According to data classification policy, what is the most critical step to take first?

A. Classify the data as high impact
B. Review the data classification policy
C. Notify affected customers immediately
D. Contain the breach and preserve evidence
Answer: D

Containment and evidence preservation are the first actions in incident response.

Why this answer

Option D is correct because containing the breach and preserving evidence is the immediate priority. Option C is wrong because notifying customers before the scope of the breach is understood may cause panic. Option B is wrong because, while the policy is important, its customer-notification rules have specific triggers that require investigation first.

Option A is wrong because classifying the data (or updating the data classification policy) is a separate, longer-term action that does not address the active breach.

292
MCQ (medium)

Refer to the exhibit. What does this Snort rule detect?

A. A NetBIOS name service query
B. A vulnerability in Microsoft RPC
C. Normal SMB traffic
D. Exploit code for a buffer overflow
Answer: D

Correct. The null-byte pattern is indicative of a buffer overflow exploit.

Why this answer

The Snort rule detects a buffer overflow attempt by matching a specific pattern (e.g., a long string of 'A' characters or a shellcode pattern) in the payload, which is characteristic of exploit code targeting a vulnerable service. Buffer overflow exploits often send oversized data to trigger memory corruption, and Snort rules use content matching and byte_test to identify such anomalies. This rule likely targets a known overflow in a protocol like SMB or RPC, but the signature is specific to the exploit payload, not the protocol itself.

Exam trap

Cisco often tests the distinction between protocol-specific signatures (e.g., 'this is SMB traffic') and exploit-specific signatures (e.g., 'this is a buffer overflow payload'), so the trap here is that candidates see 'SMB' in the rule and assume it's normal SMB traffic, missing the exploit pattern in the payload.

How to eliminate wrong answers

Option A is wrong because a NetBIOS name service query uses UDP port 137 and has a specific packet structure (e.g., name query transaction ID), not the payload pattern of a buffer overflow. Option B is wrong because a vulnerability in Microsoft RPC would be detected by a rule matching the RPC interface UUID or opnum, not a generic exploit payload pattern. Option C is wrong because normal SMB traffic follows protocol state machines and does not contain oversized or malformed payloads that trigger buffer overflow signatures.

293
Multi-Select (hard)

Which THREE of the following are indicators that a network may be compromised by a botnet?

Select 3 answers
A. Unusual outbound traffic to known command-and-control servers.
B. Multiple systems communicating with the same external IP at regular intervals.
C. High volume of ICMP echo requests.
D. Endpoint alerts of known malware signatures.
E. Increase in legitimate business traffic.
Answers: A, B, D

C&C communication is a hallmark of botnet activity.

Why this answer

Option A is correct because botnet-infected systems typically communicate with command-and-control (C2) servers to receive instructions or exfiltrate data. Unusual outbound traffic to known C2 IPs or domains is a strong indicator of botnet activity, as legitimate traffic rarely targets these addresses. Security monitoring tools often use threat intelligence feeds to flag such connections.

Exam trap

Cisco often tests the distinction between generic attack symptoms (like high ICMP volume) and specific botnet indicators (like C2 communication and beaconing), so candidates mistakenly select Option C because they associate any unusual traffic with botnets without considering the precise behavioral patterns.

294
MCQ (medium)

A security analyst is creating a policy for handling sensitive customer data. The policy must ensure data is encrypted at rest and in transit. Which type of policy most directly addresses this requirement?

A. Incident Response Policy
B. Data Protection Policy
C. Access Control Policy
D. Physical Security Policy
Answer: B

Data protection policy mandates encryption at rest and in transit.

Why this answer

A data protection policy specifically covers encryption, storage, and transmission controls, so Option B is correct. Option A (incident response) is about handling breaches.

Option C (access control) is about permissions. Option D (physical security) is about facilities.

295
MCQ (easy)

An organization's security policy requires that all data at rest on laptops be encrypted. An employee reports that their laptop was stolen. Which control would most likely prevent data exposure?

A. Remote wipe
B. Biometric authentication
C. Full disk encryption
D. Screen lock with password
Answer: C

Full disk encryption encrypts all data on the drive, preventing access even if the drive is removed.

Why this answer

Option C is correct because full disk encryption ensures data cannot be read from the drive. Option A is wrong because remote wipe requires network connectivity. Option B is wrong because biometric authentication does not encrypt data.

Option D is wrong because a screen lock only protects the session while the laptop is unattended.

296
MCQ (hard)

A company is implementing a security policy that requires all employees to use multi-factor authentication (MFA) when accessing corporate resources remotely. However, during a recent security audit, it was found that several employees have been using app passwords for legacy applications that do not support MFA. What is the best practice under this policy?

A. Allow app passwords as they provide a second factor.
B. Implement a VPN requirement for legacy application access.
C. Discontinue use of legacy applications until they support MFA.
D. Create a separate policy for legacy applications with compensating controls.
Answer: D

This balances security and business needs by applying additional controls like network isolation and monitoring.

Why this answer

Option D is correct because a separate policy with compensating controls (such as network segmentation and monitoring) is appropriate. App passwords are not true MFA and can bypass security. Discontinuing legacy apps (Option C) is too disruptive, allowing app passwords (Option A) violates the policy, and a VPN (Option B) does not address the MFA requirement.

297
MCQ (medium)

A SOC analyst is monitoring network traffic using Cisco Stealthwatch. An alert is generated indicating a large volume of data being transferred from a critical server to an external IP address during off-hours. The analyst observes that the data transfer is using encrypted HTTPS traffic to a cloud storage provider. The server is known to host sensitive customer data. The analyst reviews the server's outbound firewall rules and finds that HTTPS traffic to any destination is allowed. The analyst checks the server's recent login logs and sees an authentication from a user account that is typically used by a contractor who only works during business hours. The contractor's account has not been disabled after the contract ended last week. What should the analyst do first?

A. Ignore the alert because the traffic is encrypted and cannot be inspected.
B. Immediately block the external IP address at the firewall to stop the data transfer.
C. Investigate the alert further by checking the server for any signs of malware or unauthorized access, and then escalate to the incident response team.
D. Disable the contractor's user account and notify the IT manager.
Answer: C

This is the correct first action. The analyst should collect additional evidence (e.g., process lists, network connections, file system changes) to confirm the incident. Only after validation should escalation and containment occur, following the incident response plan.

Why this answer

The correct first step is to investigate the alert further to confirm whether it is a genuine security incident. Option C is correct because it follows established incident response procedures: gather more evidence (e.g., check for malware, unauthorized access) before taking containment or eradication actions. Prematurely blocking the IP (Option B) could disrupt legitimate business operations if the transfer is authorized.

Disabling the account (Option D) is a valid remediation step but should occur after confirming the incident and as part of a coordinated response. Ignoring the alert (Option A) is dangerous because encryption does not automatically indicate benign activity; exfiltration often uses HTTPS to evade detection.

298
Matching (medium)

Match each network attack type to its description.

Matches

Social engineering via email to steal credentials

Overwhelming a target with traffic from multiple sources

Intercepting communications between two parties

Injecting malicious SQL queries into input fields

Associating attacker's MAC with victim's IP

Why these pairings

These are common attack techniques.

299
MCQ (medium)

A network analyst is troubleshooting a false positive alert from an IPS that blocks traffic to a legitimate database server. The alert signature is triggered by the pattern 'OR 1=1'. The analyst determines that the traffic is from a web application that uses dynamic SQL queries. Which action best reduces false positives while maintaining security?

A. Increase the sensitivity of the signature
B. Add the database server IP to an exception list
C. Change the signature to alert-only mode
D. Disable the signature entirely
Answer: B

Whitelisting known good traffic reduces false positives.

Why this answer

Option B is correct because adding the database server IP to an exception list allows the IPS to ignore traffic matching the 'OR 1=1' pattern specifically when it is destined for the legitimate database server. This preserves security by continuing to block the same pattern when it targets other servers, while eliminating the false positive caused by the web application's dynamic SQL queries. Whitelisting by destination IP is a targeted exception that does not weaken overall detection.

Exam trap

Cisco often tests the distinction between 'reducing false positives' and 'reducing security' — candidates mistakenly choose alert-only mode (option C) thinking it stops the blocking, but fail to realize it also stops blocking real attacks, which is not a security-maintaining action.

How to eliminate wrong answers

Option A is wrong because increasing the sensitivity of the signature would make it trigger on even more benign traffic, worsening the false positive problem. Option C is wrong because changing the signature to alert-only mode would stop blocking the false positive but would also prevent the IPS from blocking actual SQL injection attacks using the same pattern, reducing security. Option D is wrong because disabling the signature entirely removes protection against all 'OR 1=1' attacks across the network, which is an overreaction to a single false positive.

300
MCQ (hard)

A company's security policy requires that all network devices be managed using SSHv2. An auditor finds that some older switches are still using Telnet. The network team claims they cannot upgrade due to budget constraints. What is the best immediate action to mitigate risk?

A. Implement an ACL to restrict Telnet access to only the management subnet.
B. Use SSHv1 as a compromise.
C. Create a VLAN for management and enforce Telnet only on that VLAN.
D. Implement port security on the switches.
E. Disable Telnet and rely on console access only.
Answer: A

Compensating control reduces attack surface.

Why this answer

Option A is correct because an ACL restricting Telnet to the management subnet reduces exposure. Option B is wrong because SSHv1 is insecure. Option C still uses Telnet.

Option D (port security) is unrelated to the management protocol. Option E is impractical for remote management.
