Cisco CyberOps Associate 200-201 (200-201) — Questions 301–375

507 questions total · 7 pages · All types, answers revealed

Page 5 of 7

301
MCQ · hard

Refer to the exhibit. What does this packet capture indicate?

A. SYN flood
B. Port scan
C. Session hijack
D. Normal HTTP traffic
Answer: B

Correct. The pattern matches a TCP SYN (half-open) scan: one source, many destination ports, no completed handshakes.

Why this answer

The packet capture shows multiple TCP SYN packets from one source to a single host (10.10.10.10) targeting different ports (80, 443, 22, 21), with no follow-up ACK from the sender to complete any handshake. This pattern is characteristic of a port scan, specifically a SYN (half-open) scan, where the attacker sends SYN packets to probe for open ports and then tears down or ignores any SYN-ACK instead of completing the three-way handshake.

Exam trap

Cisco often tests the distinction between a SYN flood (volume-based attack on a single port) and a SYN scan (probing multiple ports), where candidates mistakenly associate any SYN traffic with a flood rather than recognizing the multi-port pattern as reconnaissance.

How to eliminate wrong answers

Option A is wrong because a SYN flood involves sending a high volume of SYN packets to a single port to exhaust server resources, not probing multiple ports. Option C is wrong because session hijacking requires an established TCP session with sequence number prediction, which is absent here. Option D is wrong because normal HTTP traffic would show completed three-way handshakes (SYN, SYN-ACK, ACK) and subsequent data transfer, not isolated SYN packets to multiple ports.

302
MCQ · hard

Refer to the exhibit. A host-based analysis tool outputs a JSON report. Which persistence mechanism is being used?

A. Windows Service
B. Startup Folder
C. Registry Run Key
D. Scheduled Task
Answer: C

The HKLM...Run key is a common startup persistence location.

Why this answer

The JSON report shows a registry modification under `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, which is a standard Registry Run Key. Windows launches every value listed under this key at each user logon, so a value that points to `C:\Users\malware\app.exe` is a persistence mechanism. The `"Value":"C:\\Users\\malware\\app.exe"` confirms the payload path, and the value name `"MaliciousService"` is irrelevant to the actual mechanism; it is just a label the attacker chose.

Exam trap

Cisco often tests the distinction between registry-based persistence (Run keys) and service-based persistence, where candidates mistakenly associate the word 'Service' in a value name with a Windows Service, but the actual mechanism is determined by the registry path, not the value name.

How to eliminate wrong answers

Option A is wrong because a Windows Service requires installation via `sc create` or the Service Control Manager, and the JSON shows no `ImagePath` under `SYSTEM\CurrentControlSet\Services` or `Start` type values; a Run key is not a service. Option B is wrong because the Startup Folder uses a shortcut file in `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`, not a registry key; the JSON explicitly references a registry path. Option D is wrong because a Scheduled Task is defined in `\Windows\System32\Tasks` or via `schtasks.exe` with XML triggers, not a simple registry value under `Run`; the JSON lacks task-specific fields like `Triggers` or `Actions`.
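The point the explanation makes, that the registry path and not the value name decides the mechanism, is easy to turn into a triage script that processes the whole report instead of one finding. The Python below is an added example written for this edit, not code from the page or from any Cisco tool; the JSON layout (a `findings` list whose entries carry `Key`/`Name`/`Value` or `Path`) is an assumption modelled on the exhibit the question describes, and the sample report is constructed.

```python
import json
import re

# Constructed sample report modelled on the exhibit the question describes (a Run-key
# value whose *name* says "Service"), plus three more findings for contrast.
SAMPLE_REPORT = json.dumps({
    "host": "WS-042",
    "findings": [
        {"Type": "RegistryModification",
         "Key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
         "Name": "MaliciousService",
         "Value": r"C:\Users\malware\app.exe"},
        {"Type": "RegistryModification",
         "Key": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler",
         "Name": "ImagePath",
         "Value": r"C:\Windows\System32\spoolsv.exe"},
        {"Type": "FileCreate",
         "Path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
        {"Type": "FileCreate",
         "Path": r"C:\Windows\System32\Tasks\Updater"},
    ],
})

# Ordered rules keyed on the *location* of the artifact. The value name is never consulted.
RULES = [
    ("Registry Run Key", re.compile(
        r"^HK(LM|CU)\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)),
    ("Windows Service", re.compile(
        r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\", re.I)),
    ("Startup Folder", re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
    ("Scheduled Task", re.compile(r"\\Windows\\System32\\Tasks\\", re.I)),
]

def classify_finding(finding):
    """Map one finding to a persistence mechanism from its registry key or file path."""
    location = finding.get("Key") or finding.get("Path") or ""
    for label, pattern in RULES:
        if pattern.search(location):
            return label
    return "Unclassified"

def classify_report(report_json):
    """Return (mechanism, location, payload, value name) for every finding in the report."""
    report = json.loads(report_json)
    return [
        {"mechanism": classify_finding(f),
         "location": f.get("Key") or f.get("Path"),
         "payload": f.get("Value") or f.get("Path"),
         "name": f.get("Name")}
        for f in report["findings"]
    ]

if __name__ == "__main__":
    for r in classify_report(SAMPLE_REPORT):
        print(f"{r['mechanism']:<18} {r['location']}  ->  {r['payload']}")
```

The first finding is labelled a Run key even though its value name is "MaliciousService"; only the Services hive entry, with its `ImagePath`, is classified as a Windows Service.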

303
Drag & Drop · medium

Drag and drop the steps to configure a Cisco ASA firewall for basic network access into the correct order.

Why this order

ASA configuration order:
1. Enter global configuration mode.
2. Configure the interfaces.
3. Create the access control list (ACL).
4. Apply the ACL to the interface.
5. Verify the configuration.

304
Multi-Select · medium

Which TWO of the following are essential components of an effective security policy framework according to Cisco best practices?

Select 2 answers
A. A high-level security policy that defines management's intent.
B. A network diagram showing all security devices.
C. Standards that define mandatory rules for technology use.
D. A password policy that specifies minimum length and complexity.
E. A log analysis procedure for detecting anomalies.
Answers: A, C

This is the top-level document that sets direction.

Why this answer

A high-level security policy (option A) is essential because it defines management's intent, establishes the organization's security philosophy, and provides the authoritative foundation for all subordinate policies, standards, and procedures. According to Cisco best practices, this top-tier document must be approved by senior leadership and sets the strategic direction for the entire security program, ensuring alignment with business objectives and regulatory requirements. Standards (option C) are the second essential component: they translate that intent into mandatory, measurable rules for how technology is used. Procedures and specific controls such as password rules or log-analysis steps are derived from the standards; they implement the framework rather than being framework elements themselves.

Exam trap

Cisco often tests the distinction between policy framework components (high-level intent and mandatory standards) versus operational or procedural documents, leading candidates to mistakenly select specific technical controls (like password policies or log procedures) as essential framework elements.

305
MCQ · medium

A security analyst is investigating a potential data exfiltration incident. The analyst notices that a large amount of data has been sent to an external IP address over port 443 during non-business hours. The company uses a proxy server that logs all outbound connections. Which action should the analyst take first to validate the suspicion?

A. Immediately block the external IP address at the firewall.
B. Run a packet capture on the internal server to analyze the payload.
C. Check the proxy logs to see the destination IP and user agent string.
D. Notify the security team lead and wait for further instructions.
Answer: C

Proxy logs provide details about the connection and can help identify if the traffic is suspicious.

Why this answer

Option C is correct because proxy logs contain the destination IP and user agent string, which are critical for validating whether the external IP is legitimate or malicious. By checking these logs first, the analyst can correlate the outbound connection with known threat intelligence or anomalous user agents without disrupting operations or consuming resources on unnecessary packet captures.

Exam trap

Cisco often tests the candidate's ability to prioritize log analysis over reactive actions, and the trap here is that candidates may jump to blocking the IP (Option A) or escalating (Option D) without first using available logs to validate the suspicion.

How to eliminate wrong answers

Option A is wrong because immediately blocking the external IP at the firewall could disrupt legitimate business traffic if the IP is later found to be benign, and it bypasses the validation step needed to confirm exfiltration. Option B is wrong because running a packet capture on the internal server is resource-intensive and may not be feasible if the server is remote or the traffic is already encrypted over TLS (port 443), making payload analysis ineffective without decryption keys. Option D is wrong because notifying the security team lead and waiting for further instructions delays the investigation and violates the principle of first validating the suspicion with available logs before escalating.
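What "check the proxy logs" means in practice is a filtered query on destination, time of day, volume and user agent, which is enough to decide whether the session deserves a block or an escalation. The Python below is an added example written for this edit, not code from the page or from any proxy vendor; the log layout (timestamp, user, source, destination, port, bytes out, quoted user agent), the business-hours window, the 100 MiB "bulk" threshold and the sample lines are all constructed or assumed.

```python
from datetime import datetime

# Constructed proxy log (timestamp user src dst port bytes_out "user-agent"); not from a real proxy.
PROXY_LOG = """\
2024-03-12T02:14:07 jdoe 10.1.5.23 203.0.113.45 443 734003200 "python-requests/2.31"
2024-03-12T02:22:51 jdoe 10.1.5.23 203.0.113.45 443 512000000 "python-requests/2.31"
2024-03-12T10:03:15 asmith 10.1.5.40 203.0.113.45 443 18432 "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
2024-03-12T11:47:02 jdoe 10.1.5.23 198.51.100.7 443 2048 "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
"""

BUSINESS_HOURS = range(8, 19)        # assumed: 08:00-18:59 local time
BULK_BYTES = 100 * 1024 * 1024       # assumed: 100 MiB in one session counts as bulk
BROWSER_UA_PREFIX = "Mozilla/"       # every mainstream browser UA starts this way

def parse_proxy_log(text):
    """Split each line into its fields; the user agent is the quoted tail of the line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, _, ua = line.partition(' "')
        ts, user, src, dst, port, nbytes = head.split()
        entries.append({"time": datetime.fromisoformat(ts), "user": user, "src": src,
                        "dst": dst, "port": int(port), "bytes": int(nbytes),
                        "user_agent": ua.rstrip('"')})
    return entries

def triage_destination(entries, dst_ip):
    """List the sessions to dst_ip that carry at least one exfiltration indicator."""
    findings = []
    for e in entries:
        if e["dst"] != dst_ip:
            continue
        reasons = []
        if e["time"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if e["bytes"] >= BULK_BYTES:
            reasons.append("bulk upload")
        if not e["user_agent"].startswith(BROWSER_UA_PREFIX):
            reasons.append("non-browser UA")
        if reasons:
            findings.append((e["time"].isoformat(), e["user"], e["src"], reasons))
    return findings

def destination_summary(entries, dst_ip):
    """Totals an analyst would put in the ticket before deciding to block or escalate."""
    hits = [e for e in entries if e["dst"] == dst_ip]
    return {"sessions": len(hits), "bytes_out": sum(e["bytes"] for e in hits),
            "users": sorted({e["user"] for e in hits}),
            "user_agents": sorted({e["user_agent"] for e in hits})}

if __name__ == "__main__":
    entries = parse_proxy_log(PROXY_LOG)
    print(destination_summary(entries, "203.0.113.45"))
    for f in triage_destination(entries, "203.0.113.45"):
        print(f)
```

On the constructed data the two 02:00 sessions from jdoe trip all three indicators (off-hours, bulk, scripted client), while asmith's daytime browser session to the same address trips none; that contrast is what tells the analyst the destination itself may be legitimate and the problem is one host's behaviour.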

306
MCQ · easy

Refer to the exhibit. An analyst runs tasklist /SVC on a suspected host. Which process is most suspicious?

A. svchost.exe with PID 1500
B. svchost.exe with PID 1240
C. notmalware.exe with PID 2300
D. svchost.exe with PID 1780
Answer: C

Unusual name and no services; likely malware disguised.

Why this answer

Option C is correct because 'notmalware.exe' is a deliberately suspicious process name that does not correspond to any legitimate Windows system binary. The tasklist /SVC command displays processes and their associated services; a process named 'notmalware.exe' is a clear indicator of potential malware attempting to disguise itself with an ironic name, whereas svchost.exe is a legitimate Windows host process for services.

Exam trap

Cisco often tests the misconception that multiple svchost.exe processes are inherently suspicious, when in fact Windows normally runs many svchost instances, and the real red flag is a process with a clearly fabricated name like 'notmalware.exe'.

How to eliminate wrong answers

Option A is wrong because svchost.exe with PID 1500 is a legitimate Windows system process that hosts multiple services; its presence alone is not suspicious without additional indicators like unusual parent process or high resource usage. Option B is wrong because svchost.exe with PID 1240 is also a normal svchost instance; multiple svchost.exe processes are expected in Windows as each hosts one or more services. Option D is wrong because svchost.exe with PID 1780 is another legitimate svchost instance; the tasklist /SVC output shows these are associated with standard services, making them not inherently suspicious.
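Reading `tasklist /SVC` output by eye works for five lines; on a real host there are hundreds, so the same two checks (is the image name expected, and does an svchost instance actually host a service) are worth automating. The Python below is an added example written for this edit, not code from the page; the sample output is constructed to match the four options, and the baseline set of expected image names is a stand-in for the list you would take from a known-good build.

```python
import re

# Constructed `tasklist /SVC` output modelled on the exhibit the question refers to.
TASKLIST_OUTPUT = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                   1240 RpcSs
svchost.exe                   1500 Dhcp,EventLog,lmhosts
svchost.exe                   1780 Schedule
notmalware.exe                2300 N/A
"""

# Stand-in baseline of expected image names (assumed; a real one comes from a gold image).
KNOWN_IMAGES = {"system idle process", "system", "smss.exe", "csrss.exe", "wininit.exe",
                "services.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "explorer.exe"}

# Image names may contain spaces, so match lazily up to the PID column.
ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<services>.*\S)\s*$")

def parse_tasklist_svc(text):
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:              # header and separator rows carry no PID
            continue
        svcs = [] if m["services"] == "N/A" else m["services"].split(",")
        procs.append({"image": m["image"], "pid": int(m["pid"]), "services": svcs})
    return procs

def rank_processes(procs):
    """Score each process; most suspicious first, ties broken by PID."""
    ranked = []
    for p in procs:
        reasons = []
        image = p["image"].lower()
        if image not in KNOWN_IMAGES:
            reasons.append("image not in baseline")
        if image == "svchost.exe" and not p["services"]:
            reasons.append("svchost.exe hosting no service")
        ranked.append((len(reasons), p["pid"], p["image"], reasons))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked

if __name__ == "__main__":
    for score, pid, image, reasons in rank_processes(parse_tasklist_svc(TASKLIST_OUTPUT)):
        print(f"{score} {pid:>6} {image:<22} {', '.join(reasons)}")
```

A name check is only a first pass: a real svchost.exe running from the wrong directory or with a non-services.exe parent would pass it, which is why the next step on a live host is `tasklist /SVC` plus the image path and parent PID from the EDR or Process Explorer.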

307
MCQ · hard

Which type of attack does this Snort alert most likely indicate?

A. Buffer overflow
B. SQL injection
C. Directory traversal
D. Cross-site scripting
Answer: C

Encoded variants of '../' (percent-encoded, double-encoded, or overlong Unicode forms) that slip past naive filters are a well-known directory traversal technique.

Why this answer

The Snort alert signature 'ET WEB_SERVER ATTACKS Directory Traversal Attempt' specifically detects patterns like '../' or encoded variants (e.g., '%2e%2e%2f') in HTTP requests. This indicates an attempt to access files outside the web root directory, which is the hallmark of a directory traversal attack. The alert triggers on the URI path, not on SQL syntax or script injection patterns.

Exam trap

Cisco often tests the ability to distinguish between web application attacks by focusing on the specific payload pattern in the alert signature, where candidates confuse directory traversal with SQL injection or XSS because all three involve HTTP requests.

How to eliminate wrong answers

Option A is wrong because a buffer overflow attack typically triggers alerts based on oversized payloads or specific shellcode patterns (e.g., NOP sleds, long strings in protocol fields), not directory traversal strings. Option B is wrong because SQL injection alerts would match SQL keywords like 'UNION', 'SELECT', or 'OR 1=1' in query parameters, not path traversal sequences. Option D is wrong because cross-site scripting alerts detect script tags (e.g., '<script>', 'onerror=') or encoded JavaScript in user input, not '../' path manipulation.

308
MCQ · hard

An organization uses Cisco Stealthwatch for network traffic analysis. The analyst observes a sudden increase in traffic from a workstation to multiple external IPs on port 443. The traffic pattern shows consistent packet sizes of 1500 bytes, and the destination IPs are spread across different geographic regions. Which type of activity is most likely indicated?

A. VoIP call initiation.
B. Normal web browsing activity.
C. A DDoS attack originating from the workstation.
D. Data exfiltration via HTTPS.
Answer: D

Consistent large packets and many destinations suggest exfiltration.

Why this answer

Packets of a consistent 1500 bytes are full-MTU Ethernet frames, which means the sender is streaming data as fast as the path allows. Interactive web browsing produces a mix of small requests and variable-sized responses; a sustained run of maximum-sized frames is what a bulk upload looks like. Cisco Stealthwatch flags this volumetric pattern, an internal host pushing large, uniform chunks of data over HTTPS (port 443) to several external destinations outside its normal behavior, as a data exfiltration indicator. Spreading the transfer across many destinations in different regions is one way an attacker stays under per-destination volume thresholds.

Exam trap

Cisco often tests the misconception that any traffic to multiple external IPs on port 443 is normal web browsing, but the trap here is the consistent 1500-byte packet size, which is a key indicator of data exfiltration rather than typical HTTPS activity.

How to eliminate wrong answers

Option A is wrong because VoIP call initiation uses protocols like SIP (port 5060/5061) or RTP (dynamic ports), not HTTPS on port 443, and VoIP traffic typically shows variable packet sizes with small, frequent packets for voice codecs. Option B is wrong because normal web browsing generates a mix of packet sizes (e.g., small ACKs, variable HTTP responses) and does not produce a sustained stream of maximum-sized 1500-byte packets to numerous geographically diverse IPs. Option C is wrong because a DDoS attack originating from the workstation would target a single or few destinations with high-volume traffic, not multiple external IPs, and the workstation would be the attacker, not the victim; Stealthwatch would flag this as a compromised host generating outbound attack traffic, but the pattern of uniform packet sizes to many IPs is more characteristic of data exfiltration.

309
Multi-Select · hard

Which TWO of the following are best practices when configuring a SIEM correlation rule to detect lateral movement?

Select 2 answers
A. Include a time window to limit the correlation to a few minutes between events.
B. Exclude the source IP address from the correlation to focus on user identity.
C. Use only a single log source, such as domain controller logs, to simplify the rule.
D. Set the rule to trigger on any Event ID 4624 (successful logon) regardless of type.
E. Correlate successful logons across different systems from the same user within a short time window.
Answers: A, E

Reduces false positives from normal activity.

Why this answer

Option A is correct because including a time window (e.g., 5 minutes) in a SIEM correlation rule ensures that only events occurring within a short, defined interval are correlated. This matters for lateral movement, where an attacker pivots from one host to the next in quick succession with tools such as PsExec, WMI, or scripted RDP logons; without a time window the rule would match logons that are hours apart and generate excessive false positives. Option E is correct because the rule must key on the same account appearing in successful logons on several distinct hosts inside that window, typically logon type 3 (network) or type 10 (remote interactive); a single logon, or repeated logons to the same host, is ordinary activity.

Exam trap

Cisco often tests the misconception that any successful logon (Event ID 4624) is suspicious, when in fact only specific logon types and patterns (e.g., multiple logons from the same user across different systems in a short time) indicate lateral movement.

310
MCQ · medium

A network administrator is implementing a new security policy that requires all employees to use multi-factor authentication (MFA) when accessing email from external networks. However, several employees report that they cannot receive SMS codes while traveling internationally. Which design change best balances security and usability?

A. Allow the use of authenticator apps that generate time-based one-time passwords (TOTP).
B. Allow email access without MFA from trusted countries.
C. Provide hardware tokens to all traveling employees.
D. Disable MFA for users who travel frequently.
Answer: A

TOTP apps work offline and are a common alternative to SMS.

Why this answer

Option A is correct because TOTP authenticator apps (e.g., Google Authenticator, Microsoft Authenticator) generate one-time passwords locally on the user's device without requiring cellular network connectivity. This solves the international SMS delivery problem while maintaining strong MFA security, as the TOTP algorithm (RFC 6238) uses a shared secret and the current time to produce codes that are valid for a short window (typically 30 seconds).

Exam trap

Cisco often tests the difference between the factor category and the delivery channel: an SMS code and a TOTP code are both 'something you have' (the phone), but SMS depends on a carrier delivering a message, whereas a TOTP app needs only the shared secret and an accurate clock, so it works with no network connectivity at all. Candidates who equate MFA with SMS miss that the same factor is available without the network dependency.

How to eliminate wrong answers

Option B is wrong because allowing email access without MFA from 'trusted countries' violates the core security policy of requiring MFA for all external access and introduces risk from compromised accounts in those regions. Option C is wrong because hardware tokens (e.g., YubiKey) require physical distribution, management, and replacement logistics that are impractical for all traveling employees, and they still rely on USB/NFC compatibility which may not be available on all devices. Option D is wrong because disabling MFA for frequent travelers completely removes the second authentication factor, exposing the organization to credential theft and unauthorized access from any external network.
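Because the explanation cites RFC 6238, here is the algorithm itself, which makes the offline property concrete: the code is an HMAC of the shared secret over the current 30-second counter, so the app never needs to receive anything. This is an added example written for this edit, not code from the page or from any authenticator vendor. The one-step drift tolerance in `verify_totp` and the label/issuer strings in `new_enrollment` are assumptions; the secret `12345678901234567890` in the usage lines is the RFC 4226/6238 test-vector secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is derived from time, so no round trip to a server is needed."""
    return hotp(secret, int(unix_time) // step, digits, algorithm)

def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, drift: int = 1) -> bool:
    """Server side: accept the current step and `drift` steps either side (assumed tolerance
    for clock skew), comparing in constant time so the check does not leak matching prefixes."""
    counter = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-drift, drift + 1))

def new_enrollment(label: str = "user@example.com", issuer: str = "ExampleCorp"):
    """Generate a fresh 160-bit secret and the otpauth URI an authenticator app enrolls from."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{label}?secret={b32}&issuer={issuer}"
           f"&algorithm=SHA1&digits=6&period=30")
    return secret, uri

if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"            # RFC 6238 Appendix B test secret
    print(totp(rfc_secret, 59, digits=8))            # 94287082 per the RFC test vectors
    secret, uri = new_enrollment()
    now = int(time.time())
    print(uri)
    print(totp(secret, now), verify_totp(secret, totp(secret, now), now))
```

The security of the scheme rests entirely on the secret staying on the device and on the server; a server that accepts a wide drift window or stores the secret unencrypted weakens it more than any SMS-versus-app choice.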

311
MCQ · hard

A mid-sized financial firm has a segmented network with a DMZ hosting a web server, an internal network with a database server, and an employee LAN. The security infrastructure includes a next-generation firewall (NGFW) with IPS, an endpoint detection and response (EDR) solution, and a SIEM. Over the past week, the SIEM has generated alerts for unusual outbound connections from the database server to an external IP address 198.51.100.33 on TCP port 443 during non-business hours. The EDR shows no malware on the database server, but a process named 'sqlsrv.exe' (the legitimate SQL Server process) is making these connections. The server's file integrity monitoring indicates that the sqlsrv.exe file has not been modified, but a memory dump reveals injected code that appears to be a reverse shell. The firewall logs show that the outbound connections are allowed because they match an existing rule permitting the database server to reach external update servers. The IP 198.51.100.33 is not on any threat intelligence feed as malicious, but it is geolocated to a country with known cybercrime activity. Which action should the security analyst take FIRST?

A. Isolate the database server from the network immediately to prevent data exfiltration.
B. Contact the software vendor to verify the digital signature of sqlsrv.exe.
C. Add a firewall rule to block outbound connections to 198.51.100.33.
D. Run a full antivirus scan on the database server using an updated signature database.
Answer: A

Containment is the first step in incident response to stop the attack.

Why this answer

The presence of injected reverse shell code in the memory of the legitimate sqlsrv.exe process indicates that the database server is actively compromised, regardless of the file integrity or EDR results. The immediate priority is to contain the threat by isolating the server from the network to prevent data exfiltration or lateral movement, as per incident response best practices (NIST SP 800-61).

Exam trap

The trap here is that candidates focus on the unchanged file hash or lack of malware alerts and choose a slower investigative step (like scanning or vendor contact), instead of recognizing that memory-resident code injection is an active compromise requiring immediate isolation.

How to eliminate wrong answers

Option B is wrong because verifying the digital signature of sqlsrv.exe is irrelevant; the file itself is unmodified, but the attack is via code injection into the running process, not file tampering. Option C is wrong because adding a firewall rule to block only the specific IP 198.51.100.33 is insufficient; the attacker could easily switch to a different C2 IP, and the immediate containment action should be network isolation. Option D is wrong because running a full antivirus scan is a secondary step; the EDR already shows no malware, and the attack is memory-resident (injected code), which may evade signature-based scans, so isolation must come first.

312
Multi-Select · medium

Which TWO of the following are best practices for configuring syslog to ensure reliable security event logging?

Select 2 answers
A. Use UDP for faster transmission and lower overhead.
B. Enable debug-level logging for all devices to capture maximum detail.
C. Disable log filtering to ensure all messages are sent.
D. Use TCP (port 514) instead of UDP for log transmission.
E. Configure syslog to send logs to at least two different servers.
Answers: D, E

TCP provides acknowledgment and retransmission, so messages are far less likely to be lost than over UDP.

Why this answer

Option D is correct because syslog over TCP (port 514 by convention on many devices) gives connection-oriented delivery with acknowledgment and retransmission, so messages are far less likely to be silently dropped under load than with UDP, which matters when completeness of the security record is the goal. TCP still cannot deliver to a collector that is down, which is why Option E is also correct: sending to at least two collectors removes the single point of failure and keeps an independent copy of the events if one server is compromised, full, or offline.

Exam trap

Cisco often tests the misconception that UDP is always preferred for syslog due to lower overhead, but the exam emphasizes that for security event logging reliability (TCP) outweighs speed, and that debug-level logging on every device is a poor practice that can exhaust device CPU, saturate the collector, and bury real events in noise.

313
MCQ · easy

A company's data classification policy defines "Confidential" data. Which of the following is an example of Confidential data?

A. Public marketing brochures
B. Customer payment card information
C. Company cafeteria menu
D. Employee phone numbers
Answer: B

Such data is sensitive and protected by regulations, thus Confidential.

Why this answer

Customer payment card information is typically classified as Confidential due to regulatory requirements like PCI DSS. The other options are lower sensitivity.

314
Multi-Select · medium

Which TWO security concepts are fundamental to the principle of least privilege? (Choose two.)

Select 2 answers
A. Role-based access control (RBAC)
B. Mandatory access control (MAC)
C. Need-to-know
D. Separation of duties
E. Defense in depth
Answers: A, C

RBAC implements least privilege by assigning permissions to roles.

Why this answer

Role-based access control (RBAC) is fundamental to the principle of least privilege because it assigns permissions based on job functions rather than individual users, ensuring users receive only the access necessary for their roles. The 'need-to-know' concept restricts access to information strictly required for a user's tasks, directly enforcing least privilege by limiting data exposure. Together, RBAC provides a scalable framework for access management, while need-to-know ensures granular data-level control.

Exam trap

Cisco often tests the distinction between 'need-to-know' (a least privilege concept) and 'separation of duties' (a fraud-prevention concept), causing candidates to mistakenly select separation of duties because both involve limiting access, but only need-to-know directly enforces least privilege.

315
MCQ · medium

A security engineer reviews syslog data and sees multiple authentication failures from a single source IP to different SSH servers. The source IP is internal. What does this indicate?

A. Brute-force attack
B. User error
C. Misconfigured client
D. Network scan
Answer: A

Repeated failed attempts from one source to multiple targets is a classic brute-force pattern.

Why this answer

Multiple authentication failures from a single internal source IP to different SSH servers is a classic indicator of a brute-force attack. The attacker is systematically attempting to guess credentials across multiple targets, which is distinct from a single misconfiguration or user error. This pattern is commonly seen in post-compromise lateral movement or initial foothold attempts within the network.

Exam trap

Cisco often tests the distinction between a network scan (which only checks for open ports) and an actual authentication attack (which generates syslog auth failures), causing candidates to confuse the two.

How to eliminate wrong answers

Option B is wrong because user error typically results in repeated failures to a single server (e.g., mistyped password), not to multiple different SSH servers from the same IP. Option C is wrong because a misconfigured client would likely fail authentication to a specific server due to key mismatch or protocol version, not generate failures across multiple distinct servers. Option D is wrong because a network scan (e.g., using Nmap) would probe for open ports (TCP 22) without attempting SSH authentication, so it would not produce authentication failure logs.
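Questions 309 and 315 describe the same detection shape: one actor (a user account in 309, a source IP in 315) touching several distinct hosts inside a short window. The Python below is an added example written for this edit, not code from the page or from any SIEM vendor; it implements that windowed correlation once and applies it to both cases. The Windows 4624 events, the sshd lines, the log year, the windows (5 minutes and 2 minutes) and the three-host threshold are constructed or assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events (4624 = successful logon). Logon type 3 is network,
# 10 is RemoteInteractive; type 2 (console) is excluded because it is not movement between hosts.
WIN_EVENTS = [
    {"time": "2024-03-12T09:00:05", "host": "FS01",   "user": "CORP\\jdoe",   "event_id": 4624, "logon_type": 3},
    {"time": "2024-03-12T09:01:10", "host": "FS02",   "user": "CORP\\jdoe",   "event_id": 4624, "logon_type": 3},
    {"time": "2024-03-12T09:02:40", "host": "HR-DB",  "user": "CORP\\jdoe",   "event_id": 4624, "logon_type": 10},
    {"time": "2024-03-12T09:03:15", "host": "WS-042", "user": "CORP\\jdoe",   "event_id": 4624, "logon_type": 2},
    {"time": "2024-03-12T09:00:00", "host": "WS-017", "user": "CORP\\asmith", "event_id": 4624, "logon_type": 2},
    {"time": "2024-03-12T13:30:00", "host": "FS01",   "user": "CORP\\asmith", "event_id": 4624, "logon_type": 3},
    {"time": "2024-03-12T16:45:00", "host": "FS02",   "user": "CORP\\asmith", "event_id": 4624, "logon_type": 3},
]

# Constructed sshd syslog lines: one internal source failing against several servers.
SSH_LOG = """\
Mar 12 02:14:01 srv-a sshd[4410]: Failed password for root from 10.1.9.55 port 51022 ssh2
Mar 12 02:14:03 srv-b sshd[2201]: Failed password for root from 10.1.9.55 port 51030 ssh2
Mar 12 02:14:04 srv-c sshd[7733]: Failed password for invalid user admin from 10.1.9.55 port 51041 ssh2
Mar 12 02:14:06 srv-d sshd[1904]: Failed password for root from 10.1.9.55 port 51052 ssh2
Mar 12 08:30:12 srv-a sshd[4501]: Failed password for jdoe from 10.1.5.23 port 40112 ssh2
Mar 12 08:30:20 srv-a sshd[4501]: Accepted password for jdoe from 10.1.5.23 port 40112 ssh2
"""
SSHD_FAIL = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
LOG_YEAR = 2024   # classic syslog timestamps carry no year; assumed for the sample

def correlate(events, key_field, window, min_hosts):
    """Generic rule: the same key seen on >= min_hosts distinct hosts inside any `window`."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key_field]].append(e)
    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):          # slide the window start over each event
            hosts = {e["host"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits

def detect_lateral_movement(win_events, window_minutes=5, min_hosts=3):
    """Q309: same account, successful network/remote logons on several hosts in a few minutes."""
    events = [{"time": datetime.fromisoformat(e["time"]), "host": e["host"], "user": e["user"]}
              for e in win_events
              if e["event_id"] == 4624 and e["logon_type"] in (3, 10)]
    return correlate(events, "user", timedelta(minutes=window_minutes), min_hosts)

def detect_ssh_spray(log_text, window_minutes=2, min_hosts=3):
    """Q315: same source IP, SSH authentication failures on several servers in a short window."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_FAIL.match(line)
        if not m:
            continue
        ts = re.sub(r"\s+", " ", m["ts"])
        events.append({"time": datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S"),
                       "host": m["host"], "src": m["src"]})
    return correlate(events, "src", timedelta(minutes=window_minutes), min_hosts)

if __name__ == "__main__":
    print(detect_lateral_movement(WIN_EVENTS))
    print(detect_ssh_spray(SSH_LOG))
```

Shrinking the window to one minute makes the jdoe sequence drop out, which is the false-positive control the option A explanation describes; the logon-type filter is what keeps asmith's console logon from counting as a host.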

316
MCQ · easy

An analyst notices a series of SYN packets sent to a host at increasing speed, with no SYN-ACK replies. What kind of attack is this?

A. SYN flood
B. SSL stripping
C. ARP spoofing
D. Smurf attack
Answer: A

SYN flood exploits the TCP handshake by sending many SYN packets.

Why this answer

A SYN flood exploits the TCP three-way handshake by sending a rapid succession of SYN packets, often with spoofed source addresses, to a target without ever completing the handshake. The target allocates a half-open connection entry for each SYN and eventually exhausts its backlog, denying service to legitimate clients. The absence of SYN-ACK replies in the capture is consistent with a target that can no longer answer because its half-open queue is full; together with the accelerating SYN rate, this is the hallmark of a volumetric denial-of-service technique rather than reconnaissance.

Exam trap

Cisco often tests the distinction between a SYN flood (TCP handshake exhaustion) and a Smurf attack (ICMP broadcast amplification), so candidates mistakenly associate any flood of packets with ICMP-based attacks rather than recognizing the specific TCP SYN behavior described.

How to eliminate wrong answers

Option B is wrong because SSL stripping is a man-in-the-middle attack that downgrades HTTPS connections to HTTP, not a network-layer flood using SYN packets. Option C is wrong because ARP spoofing involves sending forged ARP replies to associate the attacker's MAC address with a legitimate IP, enabling traffic interception, not a flood of TCP SYN segments. Option D is wrong because a Smurf attack uses ICMP echo requests sent to a broadcast address with a spoofed source IP, causing all hosts on the network to reply to the victim, which is an ICMP-based amplification attack, not a TCP SYN-based flood.
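Questions 301 and 316 turn on the same features of a SYN stream: how many destination ports it touches, whether any handshake completes, and how fast the SYNs arrive. The Python below is an added example written for this edit, not code from the page; it classifies each source/destination pair in a constructed packet list along those lines. The thresholds (five ports for a scan, 50 SYNs at 100 SYN/s for a flood) and the addresses other than 10.10.10.10 are assumptions.

```python
from collections import defaultdict

def build_sample_capture():
    """Constructed packet summaries (time, src, dst, sport, dport, flags); not a real capture."""
    pkts = []
    # 1) Half-open scan: six SYNs from one source to six ports, handshake never completed.
    for i, port in enumerate([80, 443, 22, 21, 3389, 8080]):
        t = 1.0 + i * 0.05
        pkts.append((t, "10.10.10.5", "10.10.10.10", 40000 + i, port, "S"))
        if port in (80, 443):            # open ports answer SYN-ACK; the scanner tears down with RST
            pkts.append((t + 0.01, "10.10.10.10", "10.10.10.5", port, 40000 + i, "SA"))
            pkts.append((t + 0.02, "10.10.10.5", "10.10.10.10", 40000 + i, port, "R"))
    # 2) SYN flood: 300 SYNs in one second at a single port, target never answers.
    for i in range(300):
        pkts.append((5.0 + i / 300, "203.0.113.7", "10.10.10.10", 50000 + i, 80, "S"))
    # 3) Normal HTTP: full three-way handshake, then data.
    pkts += [(9.00, "10.10.10.20", "10.10.10.10", 51234, 80, "S"),
             (9.01, "10.10.10.10", "10.10.10.20", 80, 51234, "SA"),
             (9.02, "10.10.10.20", "10.10.10.10", 51234, 80, "A"),
             (9.03, "10.10.10.20", "10.10.10.10", 51234, 80, "PA")]
    return sorted(pkts)

SCAN_MIN_PORTS = 5        # distinct destination ports before a pair looks like a scan (assumed)
FLOOD_MIN_SYN = 50        # minimum SYN count before rate is meaningful (assumed)
FLOOD_MIN_RATE = 100.0    # SYN/s toward a handful of ports (assumed)

def classify_syn_traffic(pkts):
    """Return a verdict per (src, dst) pair: 'normal', 'port scan', 'SYN flood' or 'inconclusive'."""
    stats = defaultdict(lambda: {"syn": 0, "ports": set(), "first": None, "last": None, "completed": 0})
    synacks = set()   # server SYN-ACKs, keyed as the client's (src, dst, sport, dport)
    for t, src, dst, sport, dport, flags in pkts:
        if flags == "SA":
            synacks.add((dst, src, dport, sport))
        elif flags == "S":
            s = stats[(src, dst)]
            s["syn"] += 1
            s["ports"].add(dport)
            s["first"] = t if s["first"] is None else min(s["first"], t)
            s["last"] = t if s["last"] is None else max(s["last"], t)
        elif flags == "A" and (src, dst, sport, dport) in synacks:
            stats[(src, dst)]["completed"] += 1      # third step of the handshake seen
    verdicts = {}
    for pair, s in stats.items():
        rate = s["syn"] / max(s["last"] - s["first"], 1e-3)
        if s["completed"] > 0:
            verdicts[pair] = "normal"
        elif len(s["ports"]) >= SCAN_MIN_PORTS and s["syn"] <= 2 * len(s["ports"]):
            verdicts[pair] = "port scan"
        elif s["syn"] >= FLOOD_MIN_SYN and rate >= FLOOD_MIN_RATE and len(s["ports"]) < SCAN_MIN_PORTS:
            verdicts[pair] = "SYN flood"
        else:
            verdicts[pair] = "inconclusive"
    return verdicts

if __name__ == "__main__":
    for pair, verdict in classify_syn_traffic(build_sample_capture()).items():
        print(f"{pair[0]:>13} -> {pair[1]:<13} {verdict}")
```

The scan and the flood share "SYNs with no completed handshake"; what separates them is breadth (many ports, one or two SYNs each) versus depth (one port, hundreds of SYNs per second), which is exactly the distinction the two exam traps describe.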

317
MCQ · hard

An organization is implementing monitoring for encrypted traffic without decrypting it. Which approach would be most effective for detecting malicious activity?

A. Deploy SSL/TLS inspection to decrypt traffic
B. Use NetFlow analysis to identify unusual connection patterns
C. Monitor SNMP traffic from endpoints
D. Block all encrypted traffic except from known good sources
Answer: B

NetFlow metadata can indicate malicious behavior even in encrypted traffic.

Why this answer

NetFlow analysis examines metadata (source/destination IPs, ports, protocols, byte counts) without decrypting the payload. Unusual patterns like beaconing to a known C2 server, data exfiltration via non-standard ports, or unexpected volumetric flows can indicate malicious activity even when the traffic is encrypted. This approach preserves privacy and compliance while still enabling threat detection through behavioral anomalies.

Exam trap

Cisco often tests the distinction between 'monitoring without decryption' and 'decryption-based inspection'—the trap is that candidates assume encrypted traffic is invisible to security tools, but metadata analysis (NetFlow) can reveal malicious patterns without ever seeing the plaintext.

How to eliminate wrong answers

Option A is wrong because SSL/TLS inspection decrypts the traffic, which violates the requirement to monitor without decrypting and introduces privacy, compliance, and performance overhead. Option C is wrong because SNMP traffic is used for network device management (e.g., polling OIDs for interface stats, CPU load) and does not provide visibility into encrypted session metadata or connection patterns between endpoints. Option D is wrong because blocking all encrypted traffic except from known good sources is overly restrictive, breaks legitimate encrypted services (e.g., HTTPS, VPNs), and is not a monitoring approach—it is an access control policy that fails to detect malicious activity within allowed encrypted flows.

318
Multi-Select · medium

Which THREE of the following are best practices for creating and maintaining security policies? (Choose three.)

Select 3 answers
A. Develop policies in isolation by the security team.
B. Obtain approval from senior management.
C. Provide training on policies to all employees.
D. Review and update policies annually.
E. Store policies in a secure location accessible only to security staff.
Answers: B, C, D

Management support is critical for enforcement.

Why this answer

Option B is correct because security policies require executive endorsement to ensure organization-wide compliance and resource allocation. Senior management approval establishes authority and accountability, making the policy enforceable across all departments, not just IT. Without this buy-in, policies lack the organizational weight needed for disciplinary action or budget justification. Option C is correct because a policy that employees have never been trained on cannot be followed or fairly enforced; awareness training is how its requirements reach the people it binds. Option D is correct because threats, technology, and regulations change, so a periodic (at least annual) review keeps the policy accurate and demonstrates due diligence to auditors.

Exam trap

Cisco often tests the misconception that security policies should be restricted to security staff only, but the correct approach is that policies must be accessible to all employees to ensure awareness and compliance.

319
MCQ · easy

An organization's security policy specifies that all configuration changes must be approved through a change management process. An analyst discovers that a firewall rule was added without approval. What is the appropriate action?

A. Remove the rule immediately.
B. Change the policy to allow emergency changes without approval.
C. Report the unauthorized change to management.
D. Document the change and ignore it.
E. Analyze the rule to see if it's needed, then either approve or remove.
Answer: C

Policy requires reporting violations.

Why this answer

Option C is correct because the policy itself requires that violations be reported; the analyst's role is to escalate, not to adjudicate. Option A is too hasty: removing the rule without an impact analysis could break production traffic. Option B, changing the policy to permit unapproved emergency changes, is a governance decision that might follow the report but is not the analyst's call. Option D violates the policy by concealing the violation. Option E is inappropriate because the analyst has no authority to approve a change outside the change management process; deciding whether the rule is needed happens after it has been reported.

320
Multi-Select · medium

Which TWO of the following are typically included in a security policy's scope statement?

Select 2 answers
A. Threat intelligence sources to be used
B. Encryption algorithms to be used
C. List of systems and networks covered
D. User roles and responsibilities affected
E. Minimum password length requirements
Answers: C, D

Scope identifies which assets are covered.

Why this answer

The scope statement of a security policy defines the boundaries of the policy's applicability. Option C is correct because explicitly listing the systems and networks covered ensures that all stakeholders understand which assets fall under the policy's requirements, preventing gaps or overlaps in security controls. Option D is correct because the scope also states which people and roles the policy binds (for example, all employees, contractors, and third parties with system access), so each group knows its responsibilities under it.

Exam trap

Cisco often tests the distinction between a policy's scope (what it covers) and the specific technical controls or standards that implement the policy, so candidates mistakenly select granular technical details like encryption algorithms or password lengths as part of the scope statement.

321
MCQ · easy

An analyst notices that a host is sending large amounts of data to an external IP address on TCP port 22 during non-business hours. What is the most likely activity?

A. Remote administration
B. DNS query
C. FTP file transfer
D. Data exfiltration via SSH
Answer: D

SSH on port 22 can be used to tunnel data out.

Why this answer

SSH (TCP port 22) is commonly used for secure remote administration, but the scenario describes large data transfers to an external IP during non-business hours, which is a classic indicator of data exfiltration. Attackers often use SSH tunneling to bypass security controls and exfiltrate data because SSH encrypts the traffic, making it difficult for network monitoring tools to inspect the payload. The combination of high volume, external destination, and off-hours activity strongly suggests malicious data theft rather than legitimate administrative tasks.

Exam trap

Cisco often tests the misconception that SSH is only used for remote administration, causing candidates to overlook the data exfiltration angle when large data transfers occur on port 22 during suspicious hours.

How to eliminate wrong answers

Option A is wrong because remote administration via SSH typically involves interactive sessions or small control commands, not large data transfers; legitimate admins would also likely operate during business hours. Option B is wrong because DNS queries use UDP/TCP port 53, not port 22, and are small packets for name resolution, not bulk data transfer. Option C is wrong because FTP file transfer uses TCP ports 20 and 21, not port 22; while SFTP (SSH File Transfer Protocol) runs over SSH, the question specifies 'FTP file transfer' which refers to the standard FTP protocol.

322
MCQ · hard

In a risk management process, after identifying risks, the next step is to determine the potential impact and likelihood. This is known as:

A.Risk acceptance
B.Risk mitigation
C.Risk assessment
D.Risk transfer
AnswerC

Risk assessment quantifies impact and likelihood to prioritize risks.

Why this answer

After risks have been identified, the next logical step in the risk management process is to evaluate their potential impact and likelihood. This evaluation is formally known as risk assessment (or risk analysis), which quantifies or qualifies the risk level to prioritize subsequent treatment decisions. In the context of the 200-201 exam, risk assessment is a core component of the NIST SP 800-30 risk management framework.

Exam trap

Cisco often tests the order of the risk management process steps, and the trap here is confusing risk assessment (the evaluation step) with risk mitigation (the treatment step), leading candidates to select 'Risk mitigation' because they think of 'doing something about the risk' immediately after identification.

How to eliminate wrong answers

Option A is wrong because risk acceptance is a risk treatment strategy where an organization acknowledges the risk and chooses to tolerate it without active mitigation, not the step of determining impact and likelihood. Option B is wrong because risk mitigation involves implementing controls to reduce the risk level (e.g., deploying a firewall or patching a vulnerability), which occurs after the risk assessment has been completed. Option D is wrong because risk transfer shifts the financial burden of a risk to a third party (e.g., purchasing cyber insurance), which is also a post-assessment treatment decision, not the evaluation of impact and likelihood.

323
Multi-Selecthard

Which THREE actions are mandatory in the evidence handling process according to standard forensic procedures?

Select 3 answers
A.Document the chain of custody
B.Delete any malware found immediately
C.Use a write blocker when imaging
D.Create a forensic image of the device
E.Reboot the device to clear temporary files
AnswersA, C, D

Required to maintain integrity and admissibility.

Why this answer

Options A, C, and D are mandatory: documenting the chain of custody, using a write blocker when imaging, and creating a forensic image of the device. Option E (rebooting) is avoided to preserve evidence. Option B (deleting malware) destroys evidence.

324
MCQeasy

A security analyst reviews an alert from the IPS that shows a spike in TCP SYN packets from an external IP to multiple internal hosts on port 443. What is the most likely attack type?

A.SYN flood
B.Port scanning
C.Man-in-the-middle
D.DNS amplification
AnswerA

A SYN flood sends many TCP SYN packets to exhaust resources.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets to multiple hosts without completing the handshake, exhausting server resources. The alert describes a spike in TCP SYN packets from an external IP to multiple internal hosts on port 443, which matches the behavior of a distributed SYN flood targeting HTTPS services. This is the most likely attack because the IPS is detecting the initial connection attempts characteristic of a SYN flood.

Exam trap

Cisco often tests the distinction between a SYN flood and port scanning by emphasizing that a SYN flood targets multiple hosts on the same port, while port scanning targets multiple ports on a single host.

How to eliminate wrong answers

Option B is wrong because port scanning typically involves a single source sending SYN packets to multiple ports on a single host to discover open services, not to multiple hosts on the same port. Option C is wrong because a man-in-the-middle attack requires intercepting and potentially modifying traffic between two parties, which does not align with a spike in unsolicited SYN packets. Option D is wrong because DNS amplification attacks use spoofed source IPs to send small queries to open DNS resolvers, which then send large responses to the victim, and they rely on UDP, not TCP SYN packets.

325
MCQhard

A security analyst is reviewing a series of failed login attempts on a critical server. The logs show that the source IP addresses are from multiple geographic regions and the usernames tried are all valid employees. The attempts occur every 5 minutes for the past hour. According to the company's security policy, which type of attack is most likely occurring, and what is the best immediate response?

A.Password spraying; enforce multi-factor authentication immediately.
B.Credential stuffing; implement rate limiting.
C.Brute-force attack; add the IPs to a blocklist.
D.Dictionary attack; reset all employee passwords.
AnswerA

Password spraying uses a few passwords against many users; MFA mitigates this effectively.

Why this answer

The attack pattern—valid usernames with low-frequency attempts from diverse IPs—is characteristic of password spraying, where an attacker tries a single common password against many accounts to avoid lockout thresholds. The best immediate response is to enforce multi-factor authentication (MFA), which renders the stolen or guessed password insufficient for access, mitigating the attack without relying on IP-based blocking that is ineffective against distributed sources.

Exam trap

Cisco often tests the distinction between password spraying and credential stuffing by focusing on the source of credentials—password spraying uses guessed common passwords, while credential stuffing uses stolen credential pairs from data breaches.

How to eliminate wrong answers

Option B is wrong because credential stuffing uses previously leaked username/password pairs from other breaches, not a single password tried across many valid usernames; rate limiting would help but is not the best immediate response as MFA directly neutralizes the credential misuse. Option C is wrong because a brute-force attack targets a single account with many password attempts, not multiple valid usernames from diverse IPs every 5 minutes; adding IPs to a blocklist is ineffective when the source IPs are numerous and geographically distributed. Option D is wrong because a dictionary attack tries many common passwords against a single account, not a single password across many accounts; resetting all employee passwords is disruptive and unnecessary when MFA can stop the attack immediately.

326
MCQeasy

A security administrator needs to ensure that data transmitted between a web browser and a web server is encrypted. Which technology should be implemented?

A.HTTPS
B.TLS
C.SSH
D.IPsec
AnswerB

TLS is the standard protocol for encrypting web traffic, used by HTTPS.

Why this answer

TLS (Transport Layer Security) is the correct technology because it operates at the transport layer and provides encryption for data in transit between a web browser and a web server. HTTPS is not a separate encryption protocol but rather HTTP over TLS, meaning TLS is the underlying technology that actually performs the encryption. Since the question asks for the technology to implement, TLS is the direct answer.

Exam trap

The trap here is that candidates see 'HTTPS' and assume it is the encryption technology itself, but Cisco tests the understanding that HTTPS is merely HTTP over TLS, and the actual encryption mechanism is TLS.

How to eliminate wrong answers

Option A (HTTPS) is wrong because HTTPS is not a standalone encryption technology; it is HTTP running on top of TLS (or SSL), so the actual encryption is provided by TLS, not HTTPS itself. Option C (SSH) is wrong because SSH is used for secure remote administration and file transfers (e.g., SFTP, SCP), not for encrypting standard web browser-to-web server HTTP traffic. Option D (IPsec) is wrong because IPsec operates at the network layer and is typically used for securing VPN tunnels between networks or hosts, not for encrypting individual web sessions between a browser and a server.

327
MCQhard

A host inside the network has a connection to a known malicious IP with TCP state TIME_WAIT. What is the most likely interpretation?

A.The host has finished its communication
B.The connection was terminated by the remote host
C.The host is being scanned
D.The host is actively infected and communicating
AnswerA

Correct. TIME_WAIT means the local side has sent FIN and received ACK, waiting for potential retransmission.

Why this answer

The TIME_WAIT TCP state indicates that the local host has initiated the closure of the connection and is waiting for any delayed packets to arrive before fully releasing the socket. This state is entered after the local host sends the final ACK in the four-way handshake, meaning the host has completed its communication with the remote IP. Therefore, the connection is finished, not ongoing.

Exam trap

Cisco often tests the misconception that TIME_WAIT implies ongoing activity or remote termination, when in fact it specifically indicates the local host has completed the connection closure.

How to eliminate wrong answers

Option B is wrong because TIME_WAIT is entered by the host that initiates the active close, not by the remote host; if the remote host terminated the connection, the local host would see CLOSE_WAIT or LAST_ACK states. Option C is wrong because a scanning tool typically uses SYN, SYN-ACK, or RST packets to probe ports, and TIME_WAIT is a normal termination state that does not indicate scanning activity. Option D is wrong because an active infection with ongoing communication would show ESTABLISHED state, not TIME_WAIT, which signifies that the TCP session has already been closed.

328
Drag & Dropmedium

Drag and drop the steps for the TCP three-way handshake into the correct order.

Why this order

TCP handshake: SYN, SYN-ACK, ACK, then data transfer.

329
MCQmedium

Refer to the exhibit. A network analyst sees repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23. Based on the log, what type of activity is most likely occurring?

A.DNS amplification attack
B.ARP spoofing
C.Brute force attempt on Telnet service
D.ICMP flood attack
AnswerC

Multiple connection attempts to port 23 (Telnet) from the same source indicate a brute force or scanning activity.

Why this answer

The log shows repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23, which is the default port for Telnet. Multiple failed connection attempts to a Telnet service indicate a brute force attack, where an attacker tries to guess credentials by repeatedly attempting to log in.

Exam trap

Cisco often tests the association of default port numbers with services (port 23 = Telnet) and expects candidates to recognize that repeated connection attempts to a login service indicate a brute force attack, not a flood or spoofing attack.

How to eliminate wrong answers

Option A is wrong because a DNS amplification attack uses spoofed source IPs to send small queries to open DNS resolvers, causing large responses to flood a victim; it does not involve repeated direct connections to port 23. Option B is wrong because ARP spoofing involves sending forged ARP replies to associate the attacker's MAC address with a legitimate IP, enabling man-in-the-middle attacks, not repeated Telnet login attempts. Option D is wrong because an ICMP flood attack overwhelms a target with ICMP echo request packets (ping floods), not with TCP connection attempts to port 23.

330
MCQmedium

An analyst needs to configure syslog to forward logs from multiple network devices to a central SIEM. Which syslog severity level should be used to ensure security-relevant events are sent while minimizing bandwidth usage?

A.Level 0 (Emergency)
B.Level 7 (Debug)
C.Level 6 (Informational)
D.Level 4 (Warning)
AnswerD

Warning and above includes most security events while filtering noise.

Why this answer

Option D (Level 4, Warning) is correct because it captures security-relevant events such as authentication failures, configuration changes, and interface errors while filtering out lower-severity informational and debug messages. This balances visibility of potential threats with minimal bandwidth consumption, as Warning-level logs are typically concise and less frequent than lower severity levels.

Exam trap

Cisco often tests the misconception that higher severity (lower number) is always better for security, leading candidates to choose Emergency (Level 0) or Alert (Level 1), but the question explicitly asks to minimize bandwidth while ensuring security events are sent, so Warning (Level 4) is the optimal balance.

How to eliminate wrong answers

Option A is wrong because Level 0 (Emergency) is reserved for system-wide catastrophic failures (e.g., kernel panic) and is too rare to provide adequate security monitoring; relying on it would miss most security events. Option B is wrong because Level 7 (Debug) generates verbose, high-volume logs intended for troubleshooting, which would overwhelm bandwidth and storage, and is not suitable for production security forwarding. Option C is wrong because Level 6 (Informational) includes routine operational messages (e.g., interface up/down, normal user logins) that are not inherently security-relevant, leading to unnecessary bandwidth usage without focusing on actual threats.

331
MCQmedium

A company has implemented a role-based access control (RBAC) policy for its network devices. A network engineer needs temporary access to configure a router in a different region. According to the RBAC policy, what is the appropriate procedure?

A.Have the root password shared via encrypted email to the engineer
B.Use the shared admin account for the duration of the task
C.Ask another engineer with access to perform the configuration changes
D.Submit a request to the security team for temporary role elevation with a specified time limit
AnswerD

This follows the principle of least privilege with an approval workflow.

Why this answer

Option D is correct because RBAC policies require that any deviation from assigned roles, such as temporary access to a router in a different region, must be handled through a formal privilege elevation process. This typically involves submitting a request to the security team, who can grant temporary role elevation with a specified time limit, ensuring that access is auditable, time-bound, and revoked automatically. This aligns with the principle of least privilege and maintains the integrity of the RBAC model by avoiding permanent or shared credentials.

Exam trap

Cisco often tests the misconception that sharing credentials or using a shared admin account is acceptable for temporary access, when in reality RBAC mandates formal, auditable, and time-limited role elevation to maintain security and accountability.

How to eliminate wrong answers

Option A is wrong because sharing the root password, even via encrypted email, violates RBAC principles by granting permanent, unmonitored superuser access that bypasses role-based controls and audit trails. Option B is wrong because using a shared admin account undermines RBAC by removing non-repudiation (actions cannot be attributed to an individual) and lacks the time-bound, role-specific elevation required for temporary tasks. Option C is wrong because asking another engineer to perform the changes does not resolve the need for the requesting engineer to have direct access; it also introduces potential miscommunication and still requires the other engineer to have appropriate role elevation if they lack the required permissions.

332
Multi-Selecteasy

Which TWO types of data are commonly used for network forensics? (Choose two.)

Select 1 answer
A.Application code
B.Hard drive images
C.NetFlow records
D.Full packet captures
E.Network logs
AnswersE

Network logs capture events and are key for forensic analysis.

Why this answer

Network logs (E) are a primary source of evidence in network forensics because they record events such as authentication attempts, firewall actions, and system access. These logs provide a chronological trail of activity that can be correlated with other data to reconstruct an incident. They are commonly used due to their availability and the critical context they offer for identifying malicious behavior.

Exam trap

Cisco often tests the distinction between metadata-only sources (like NetFlow) and full-content sources (like packet captures and logs), leading candidates to incorrectly select NetFlow as a primary forensic data type when the question requires evidence with payload or detailed event context.

333
Multi-Selectmedium

Which three data sources are commonly used in a SIEM for threat hunting? (Choose three.)

Select 3 answers
A.Firewall logs.
B.Social media feeds.
C.Physical access logs.
D.NetFlow records.
E.DNS query logs.
AnswersA, D, E

Firewall logs show permitted and denied connections.

Why this answer

Firewall logs are a primary data source in SIEM for threat hunting because they record all allowed and denied traffic flows, including source/destination IPs, ports, and protocols. Analyzing these logs helps identify unauthorized access attempts, policy violations, and patterns indicative of lateral movement or data exfiltration.

Exam trap

Cisco often tests the distinction between direct log sources (firewall, NetFlow, DNS) and external threat intelligence or physical security logs, so candidates mistakenly include social media feeds or physical access logs as SIEM data sources.

334
MCQhard

Refer to the exhibit. An analyst configures an ACL to block traffic to a malicious host on port 443. After applying it inbound on the external interface, the analyst sees the ACL counters. What does the output indicate?

A.The ACL is working correctly; traffic to the malicious host is blocked.
B.The ACL is not blocking traffic because the deny line has 0 matches.
C.The ACL needs to be applied outbound to work.
D.The ACL is blocking all traffic because the permit line is never used.
AnswerB

Indicates the rule is not being hit; possible wrong direction.

Why this answer

Option B is correct because the ACL counters show 0 matches for the deny line that is intended to block traffic to the malicious host on port 443. This indicates that no traffic matching the deny condition has been processed by the ACL, meaning the rule is not being triggered. Since the ACL is applied inbound on the external interface, traffic from the external network destined for the malicious host should match the deny line if it is correctly configured; the 0 matches suggest the ACL is not blocking the intended traffic.

Exam trap

Cisco often tests the misconception that an ACL with 0 matches on a deny line is still blocking traffic, when in fact the counters prove the rule is not being hit, so the traffic is passing through unblocked.

How to eliminate wrong answers

Option A is wrong because the ACL counters show 0 matches on the deny line, which means traffic to the malicious host is not being blocked; the ACL is not working correctly. Option C is wrong because applying the ACL outbound would not change the fact that the deny line has 0 matches; the issue is with the ACL rule itself or the traffic not matching, not the direction. Option D is wrong because the permit line being unused does not indicate that all traffic is blocked; the ACL only blocks traffic matching the deny rule, and the permit line is a default implicit permit at the end of the ACL, not a configured line that would be counted.

335
MCQmedium

Refer to the exhibit. An analyst observes that the router's ACL is allowing all traffic to the web server at 192.168.1.100 on ports 80 and 443, but blocking all other TCP ports below 1024. However, the web server is also running an SSH service on port 22. What will happen to SSH traffic from the outside?

A.SSH will be permitted because of the last line 'permit ip any any'.
B.SSH will be denied because the ACL does not have an explicit permit for SSH.
C.SSH will be permitted because it is not blocked by any rule.
D.SSH will be denied because of the deny line range.
AnswerD

The deny line covers port 22, so SSH traffic is denied.

Why this answer

The ACL denies all TCP ports below 1024 except ports 80 and 443, which are explicitly permitted. Since SSH uses TCP port 22, which falls within the denied range (below 1024) and is not explicitly permitted, it is blocked by the deny line. The last line 'permit ip any any' only applies to traffic not already denied, but SSH traffic is already denied by the earlier rule, so it never reaches that permit statement.

Exam trap

Cisco often tests the misconception that a final 'permit ip any any' overrides earlier deny statements, when in fact ACLs stop processing after the first match, so traffic denied earlier never reaches the final permit.

How to eliminate wrong answers

Option A is wrong because the 'permit ip any any' line is processed only after the deny rules; since SSH traffic on port 22 is already denied by the explicit deny range, it never reaches the final permit. Option B is wrong because the ACL does not need an explicit deny for SSH; the deny line covering ports below 1024 implicitly blocks SSH port 22. Option C is wrong because SSH is blocked by the deny rule that covers all TCP ports below 1024 except those explicitly permitted (80 and 443).

336
MCQeasy

A security analyst is monitoring network traffic and notices a sudden increase in outbound connections from a single workstation to multiple IP addresses on port 443 at regular intervals. The workstation is used for standard office applications. Which action should the analyst take first?

A.Correlate the connections with firewall logs and endpoint telemetry
B.Immediately block all outbound traffic from the workstation
C.Escalate to the incident response team immediately
D.Isolate the workstation from the network
AnswerA

Correlation helps identify if the traffic is malicious or caused by legitimate software like updates or VoIP.

Why this answer

Option A is correct because the sudden increase in outbound connections to multiple IPs on port 443 (HTTPS) from a single workstation could indicate command-and-control (C2) traffic, data exfiltration, or a compromised system. The first step should be to correlate these connections with firewall logs and endpoint telemetry to gather contextual evidence—such as process names, parent processes, and connection durations—before taking any disruptive action. This aligns with the NIST incident response process (Preparation, Detection & Analysis, Containment, Eradication, Recovery) where analysis precedes containment.

Exam trap

Cisco often tests the candidate's understanding of the incident response process by presenting a plausible but premature containment action (like isolation or blocking) as a distractor, when the correct first step is always to gather and correlate evidence to confirm the threat.

How to eliminate wrong answers

Option B is wrong because immediately blocking all outbound traffic from the workstation is overly aggressive and could disrupt legitimate business operations, such as software updates or cloud application access, without confirming malicious intent. Option C is wrong because escalation to the incident response team should occur after initial analysis and triage, not as the first action; the analyst must first verify the anomaly to avoid false alarms. Option D is wrong because isolating the workstation from the network is a containment step that should be taken only after confirming malicious activity through correlation with logs and telemetry, as premature isolation can hinder forensic data collection and impact productivity.

337
MCQeasy

A security analyst analyzes an IDS alert that triggered on the string '/etc/passwd'. What type of signature is this?

A.Stateful signature
B.Composite signature
C.Atomic signature
D.Anomaly signature
AnswerC

Correct. An atomic signature triggers on a single packet or string pattern.

Why this answer

The string '/etc/passwd' is a single, fixed pattern that the IDS matches against a single packet payload. This is the definition of an atomic signature: it looks for a specific content string without requiring any state or context from previous packets. Option C is correct because the alert is triggered solely by the presence of that literal string in a packet, not by any sequence of events or statistical deviation.

Exam trap

Cisco often tests the distinction between atomic and stateful signatures by presenting a single-packet pattern and expecting candidates to recognize that no session tracking is involved, leading some to mistakenly choose 'stateful' because they associate '/etc/passwd' with a multi-step exploit.

How to eliminate wrong answers

Option A is wrong because a stateful signature tracks connection state (e.g., TCP handshake or session flags) and matches patterns across multiple packets, not a single static string. Option B is wrong because a composite signature combines multiple atomic or stateful conditions (e.g., pattern A AND pattern B) to trigger an alert, whereas this is a single condition. Option D is wrong because an anomaly signature uses baseline statistical models (e.g., traffic volume or protocol deviations) to detect outliers, not a fixed literal string like '/etc/passwd'.

338
MCQmedium

An analyst reviews the ACL applied to the outside interface of a router. The analyst notices that traffic from 192.168.1.0/24 to 10.10.10.10 on port 443 is permitted, but all other traffic is denied and logged. Which of the following is a potential security issue with this ACL?

A.The deny statement with logging may generate excessive logs, potentially masking attacks.
B.The ACL is applied inbound on the outside interface, which could allow external traffic.
C.The permit statement does not have logging enabled, so traffic is not monitored.
D.The ACL allows all traffic from 192.168.1.0/24 to 10.10.10.10 on any port.
AnswerA

Excessive logging can bury important alerts in noise.

Why this answer

The ACL has a single permit statement for traffic from 192.168.1.0/24 to 10.10.10.10 on port 443, followed by an implicit deny all that is logged. This means every packet that does not match the permit rule generates a log entry. In a production environment, even normal background noise (e.g., scans, broadcast traffic) can produce thousands of log messages per second, overwhelming syslog storage and masking malicious activity.

The core issue is that logging on the deny-all can cause log flooding, not that the permit lacks logging.

Exam trap

Cisco often tests the misconception that logging on a permit statement is necessary for monitoring, when in fact the critical security issue is that logging on a deny-all can cause log flooding that masks real attacks.

How to eliminate wrong answers

Option B is wrong because the ACL is applied to the outside interface, but the question does not specify inbound or outbound direction; even if inbound, the permit statement only allows traffic from a private RFC 1918 source (192.168.1.0/24), which should never originate from the outside, so the real issue is the logging volume, not the direction. Option C is wrong because logging on the permit statement is not required for security monitoring; the deny-all with logging already captures denied traffic, and enabling logging on the permit would add unnecessary overhead without addressing the log-flooding risk. Option D is wrong because the ACL explicitly restricts traffic to destination 10.10.10.10 on port 443 only, not any port; the statement 'permit tcp 192.168.1.0 0.0.0.255 host 10.10.10.10 eq 443' limits both destination IP and port.

339
MCQeasy

Refer to the exhibit. A network administrator is configuring TACACS+ on a switch. Based on the configuration snippet, what is the expected behavior if the TACACS+ server becomes unreachable?

A.Users cannot log in because TACACS+ is required.
B.Users can still log in using local credentials.
C.Users can log in but accounting logs are not generated.
D.The switch falls back to no authentication.
AnswerB

The command 'aaa authentication login default local' specifies that local authentication is used by default.

Why this answer

The configuration snippet defines the TACACS+ server with the 'tacacs-server host' command and uses an authentication method list that names 'local' after 'group tacacs+'. Cisco IOS tries the methods in a list in order and moves to the next method only when the current one does not respond, so when the TACACS+ server is unreachable the switch falls back to local authentication. Option B is correct because the presence of 'local' in the authentication list means users can still log in with locally configured credentials.

Exam trap

Cisco often tests the distinction between 'authentication failure' (server reachable but rejects credentials) and 'server unreachable' (no response), where fallback to local only occurs in the latter case when 'local' is explicitly configured as a secondary method.

How to eliminate wrong answers

Option A is wrong because the configuration includes 'local' as a fallback method, so TACACS+ is not required; if the server is unreachable, local authentication is used. Option C is wrong because accounting logs are generated by the 'aaa accounting' command, which is independent of authentication fallback; the question focuses on authentication behavior, not accounting. Option D is wrong because the switch does not fall back to no authentication; it explicitly falls back to local authentication as configured in the 'aaa authentication login default group tacacs+ local' command.

340
MCQmedium

A network intrusion detection system (NIDS) generates an alert for a known exploit against a web server. The analyst verifies that the server is patched. What is the next best step?

A.Reconfigure the NIDS to block the traffic
B.Tune the signature to ignore the server
C.Dismiss the alert as a false positive
D.Investigate if the exploit was actually attempted
AnswerD

Correct. Investigating the attempt can reveal attacker behavior and prevent future incidents.

Why this answer

Even if the server is patched, the exploit attempt may indicate a broader attack or reconnaissance. Investigating the attempt helps determine intent and identify other compromised systems.

341
Multi-Selecteasy

A security policy requires multifactor authentication for all administrative access. Which TWO of the following are examples of factors used in MFA? (Choose two.)

Select 2 answers
A.MAC address
B.Password
C.Fingerprint
D.Smart card
E.Username
AnswersC, D

A fingerprint is an inherence (biometric) factor.

Why this answer

MFA requires two distinct factors: something you have (smart card) and something you are (fingerprint). A password is a single factor; a username and a MAC address are not valid factors.

342
MCQmedium

An analyst is reviewing Snort alerts and notices repeated 'ET SCAN Potential SSH Scan' alerts from the same source IP. Which action should the analyst take next?

A.Correlate with authentication logs to confirm unsuccessful attempts.
B.Run a vulnerability scan on the destination.
C.Ignore because it is a false positive.
D.Immediately block the IP on the firewall.
AnswerA

This provides evidence of actual brute force attempts, enabling informed decision-making.

Why this answer

Option A is correct because Snort alerts for 'ET SCAN Potential SSH Scan' indicate a pattern of connection attempts to the SSH port (TCP/22), but the alert alone does not confirm whether the attempts were successful or malicious. Correlating with authentication logs (e.g., /var/log/auth.log or Windows Event ID 4625) allows the analyst to verify failed login attempts, which is the definitive evidence of an actual SSH brute-force attack. This step aligns with the network intrusion analysis methodology of validating alerts before taking action.

Exam trap

Cisco often tests the principle that alerts must be validated with additional data sources (like logs) before taking action, trapping candidates who jump to blocking or ignoring based on the alert alone.

How to eliminate wrong answers

Option B is wrong because running a vulnerability scan on the destination does not help confirm or deny the SSH scan activity; it assesses system weaknesses, not the legitimacy of the incoming connection attempts. Option C is wrong because dismissing the alert as a false positive without investigation is premature; repeated SSH scan alerts from the same source IP often indicate a real reconnaissance or brute-force attempt, and ignoring them could lead to a security breach. Option D is wrong because immediately blocking the IP on the firewall is an overly aggressive response without first verifying that the activity is malicious; the source IP could be a legitimate scanner or a misconfigured monitoring tool, and blocking it prematurely could disrupt operations or hide the true nature of the traffic.

343
MCQmedium

A company uses Cisco Firepower NGFW with intrusion prevention. The security team notices that some legitimate traffic is being blocked by the IPS, causing application outages. The analyst reviews the IPS signature events and finds false positives. What is the best approach to handle this without reducing security posture?

A.Lower the severity of the signature to informational.
B.Disable the IPS signature that is causing the false positives.
C.Create a custom rule to exclude the affected traffic based on source/destination, while monitoring the signature for true positives.
D.Update the IPS signature database to the latest version.
AnswerC

Allows traffic while enabling detection.

Why this answer

Option C is correct because it allows the security team to selectively exclude only the specific legitimate traffic causing false positives, using source/destination criteria in a custom rule, while keeping the IPS signature active for all other traffic. This approach maintains the overall security posture by still detecting true positives from the same signature against other traffic flows. Disabling or lowering the signature's severity would globally reduce detection capability, and updating the database may not address a signature that is inherently too broad for the environment.

Exam trap

Cisco often tests the misconception that disabling or lowering the severity of a false-positive signature is an acceptable quick fix, but the correct approach is to use custom rule exclusions to preserve detection for true positives.

How to eliminate wrong answers

Option A is wrong because lowering the severity to informational would suppress all alerts from that signature, effectively disabling its detection capability and reducing security posture, as the signature would no longer generate actionable alerts for true positives. Option B is wrong because disabling the IPS signature entirely removes its protection for all traffic, including potential true positives, which directly reduces security posture and is an overly aggressive response to false positives. Option D is wrong because updating the IPS signature database to the latest version does not resolve false positives caused by a signature that is too broadly matching legitimate traffic; the signature's behavior is defined by its rule logic, not by the database version, and updates typically add or modify signatures for new threats, not tune existing ones for false positives.

344
MCQeasy

A security analyst is reviewing the incident response plan for a small business. The plan states that after an incident is contained, the next step is to preserve evidence. The CISO wants to ensure that the plan follows NIST guidelines. Which step should be added between containment and evidence preservation according to NIST?

A.Lessons learned
B.Recovery
C.Evidence collection and analysis
D.Eradication
AnswerD

NIST places eradication after containment.

Why this answer

According to NIST SP 800-61 Rev. 2, the incident response lifecycle includes Preparation, Detection & Analysis, Containment, Eradication, Recovery, and Post-Incident Activity (Lessons Learned). Eradication (option D) must follow containment to remove artifacts such as malware, backdoors, or compromised accounts before evidence is preserved for legal or forensic purposes. Without eradication, residual threats could tamper with or destroy evidence during collection.

Exam trap

Cisco often tests the NIST incident response phase order, and the trap here is that candidates confuse 'evidence collection and analysis' with 'evidence preservation' or assume recovery immediately follows containment, when in fact eradication is the mandatory intermediate step.

How to eliminate wrong answers

Option A (Lessons learned) is wrong because it occurs after recovery in the NIST framework, not between containment and evidence preservation. Option B (Recovery) is wrong because recovery (restoring systems to normal operation) comes after eradication and before lessons learned; placing it before evidence preservation risks overwriting forensic data. Option C (Evidence collection and analysis) is wrong because evidence preservation is a prerequisite for collection and analysis; the NIST order is contain, eradicate, then preserve evidence, then collect and analyze.

345
MCQeasy

A company uses Cisco Stealthwatch to monitor network traffic. Which type of data does Stealthwatch primarily rely on for visibility?

A.SNMP traps
B.Full packet captures
C.Syslog messages
D.NetFlow data
AnswerD

Stealthwatch collects and analyzes NetFlow to detect anomalies.

Why this answer

Cisco Stealthwatch is designed for network traffic analysis and relies on NetFlow data (including IPFIX and other flow protocols) to provide visibility into network behavior, traffic patterns, and anomalies. Unlike full packet captures, NetFlow metadata (source/destination IP, ports, protocols, byte counts) is lightweight and scalable for monitoring large networks, making it the primary data source for Stealthwatch's behavioral analytics and threat detection.

Exam trap

Cisco often tests the distinction between flow-based monitoring (NetFlow) and packet-based monitoring (full packet capture), and the trap here is that candidates mistakenly think full packet captures are required for security monitoring, overlooking that Stealthwatch's efficiency and scalability come from using metadata-rich flow data instead.

How to eliminate wrong answers

Option A is wrong because SNMP traps are used for device status and fault management (e.g., interface up/down, CPU spikes), not for detailed traffic flow analysis that Stealthwatch requires. Option B is wrong because full packet captures provide deep packet inspection but are resource-intensive and not scalable for continuous monitoring across large networks; Stealthwatch uses flow data for efficiency. Option C is wrong because syslog messages are event logs from devices (e.g., authentication failures, configuration changes) and do not contain the traffic metadata (flows) needed for Stealthwatch's network visibility and anomaly detection.

346
MCQhard

An analyst is reviewing Sysmon logs from a compromised host. They see Event ID 1 (Process creation) for cmd.exe with parent process winword.exe. What does this indicate?

A.The Windows Update service initiated cmd from Word
B.The user launched cmd.exe manually from within Word using a shortcut
C.Word crashed and created a dump file using cmd
D.A macro in a Word document executed cmd.exe as part of the attack
AnswerD

Common technique: macro calls cmd to download or execute payload.

Why this answer

Event ID 1 (Process creation) with parent process winword.exe spawning cmd.exe is a classic indicator of a macro-based attack. Microsoft Word is not designed to launch command-line interpreters under normal operation; when cmd.exe appears as a child of winword.exe, it strongly suggests that a malicious macro within the document executed a shell command, often to download payloads, escalate privileges, or perform reconnaissance. This aligns with common phishing and malware delivery techniques where attackers embed VBA macros to execute system commands.

Exam trap

Cisco often tests the distinction between normal application behavior and process injection or parent-child anomalies; the trap here is assuming that any cmd.exe launch is benign or user-initiated, when the parent process (winword.exe) is the key indicator of macro-based compromise.

How to eliminate wrong answers

Option A is wrong because Windows Update runs as a system service (svchost.exe or trustedinstaller.exe), not as a child of winword.exe; there is no mechanism for Windows Update to initiate cmd.exe from Word. Option B is wrong because manually launching cmd.exe from within Word via a shortcut would still show the parent process as explorer.exe or the user's shell, not winword.exe; Word does not become the parent process for user-initiated commands outside its own UI. Option C is wrong because Word crash dumps are typically created by Windows Error Reporting (WerFault.exe) or the process itself, not by spawning cmd.exe; a crash dump does not involve launching a command shell.

347
MCQhard

An analyst sees an alert for 'SQL injection' but the target is an internal application that only accepts POST requests with JSON data. The alert was triggered by a parameter in the URL. What is the most likely issue?

A.Application vulnerability
B.False positive due to mismatch
C.True positive SQL injection
D.Signature misconfiguration
AnswerB

The signature triggered on a non-relevant parameter.

Why this answer

The alert was triggered by a parameter in the URL, but the target application only accepts POST requests with JSON data. Since SQL injection via a URL parameter is impossible against an application that does not process URL parameters, the alert is a false positive caused by a mismatch between the signature's expected attack vector and the actual application behavior.

Exam trap

Cisco often tests the concept that a signature alert is not automatically a true positive—candidates must correlate the alert's trigger (e.g., URL parameter) with the application's actual input processing (e.g., only accepting JSON POST data) to identify a false positive due to vector mismatch.

How to eliminate wrong answers

Option A is wrong because the application only accepts POST requests with JSON data, so a URL parameter cannot be processed as an SQL injection vector; this indicates no actual vulnerability exists in that context. Option C is wrong because a true positive SQL injection would require the application to interpret the injected SQL in a query, but here the injection vector (URL parameter) is not used by the application, making exploitation impossible. Option D is wrong because signature misconfiguration would imply the signature is incorrectly tuned or enabled, but the issue is that the signature correctly detects a pattern in the URL parameter while the application ignores that parameter, so the signature is functioning as designed—the mismatch is between the alert and the application's behavior, not a signature configuration error.

348
MCQhard

Based on the exhibit, what is the most likely type of attack being observed?

A.ARP spoofing
B.DNS amplification attack
C.Port scan
D.SYN flood
AnswerD

Rapid SYN packets without a completed handshake indicate a SYN flood.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets with spoofed source IP addresses, causing the target to allocate resources for half-open connections until it exhausts its backlog queue and denies legitimate traffic. The exhibit likely shows a massive spike in SYN packets without corresponding SYN-ACK or ACK completions, which is the hallmark of this attack.

Exam trap

Cisco often tests the distinction between a SYN flood (which targets the TCP handshake state table) and a port scan (which probes for open ports), so the trap here is that candidates see many SYN packets and assume it's a port scan rather than recognizing the volumetric nature of the attack.

How to eliminate wrong answers

Option A is wrong because ARP spoofing involves sending forged ARP replies to associate the attacker's MAC address with the IP address of a legitimate host, which would not produce a flood of TCP SYN packets but rather ARP traffic. Option B is wrong because a DNS amplification attack uses small DNS queries with spoofed source IPs to generate large responses from open resolvers, resulting in high UDP traffic on port 53, not TCP SYN floods. Option C is wrong because a port scan typically sends a small number of packets (e.g., SYN, FIN, or NULL) to multiple ports to discover open services, not a massive volume of SYN packets to a single port that overwhelms the connection queue.

349
Multi-Selectmedium

An incident response plan includes steps to contain a ransomware outbreak. Which TWO actions are typically performed during the containment phase? (Select two.)

Select 2 answers
A.Notify law enforcement
B.Identify the initial infection vector
C.Restore data from backups
D.Disconnect infected systems from the network
E.Quarantine the malware samples
AnswersD, E

Isolation prevents further spread of ransomware.

Why this answer

Options D and E are correct containment actions: disconnecting infected systems from the network and quarantining the malware samples. Option B (identifying the initial infection vector) is analysis, not containment. Option C (restoring data from backups) is recovery.

Option A (notifying law enforcement) is a post-incident action.

350
Multi-Selecthard

Which two actions should an analyst take when a security monitoring tool generates a high number of false positives for a specific signature? (Choose two.)

Select 2 answers
A.Create a whitelist for known benign traffic.
B.Tune the signature parameters (e.g., threshold).
C.Increase the sensitivity of the signature.
D.Escalate to management without analysis.
E.Immediately disable the signature.
AnswersA, B

Whitelisting exempts known good traffic from triggering the signature.

Why this answer

Option A is correct because creating a whitelist for known benign traffic allows the analyst to suppress alerts for traffic that is confirmed safe, reducing false positives without losing visibility into actual threats. This approach leverages the security monitoring tool's ability to filter based on source/destination IPs, ports, or application signatures, ensuring that only truly malicious traffic triggers the signature.

Exam trap

Cisco often tests the misconception that disabling a signature or increasing sensitivity is a valid first step for handling false positives, but the correct response is always to tune or whitelist to preserve detection capability.

351
Multi-Selectmedium

Which TWO actions are appropriate when analyzing network traffic to identify a potential data exfiltration attempt?

Select 2 answers
A.Look for connections to known malicious IP addresses or domains.
B.Clear the network logs to ensure accurate analysis.
C.Focus exclusively on inbound traffic from external sources.
D.Immediately block all outbound traffic from the suspect host.
E.Identify unusually large outbound data transfers to external hosts.
AnswersA, E

Connections to malicious destinations are suspicious.

Why this answer

Connections to known malicious IP addresses or domains are a strong indicator of data exfiltration, as attackers often use command-and-control (C2) servers to receive stolen data. This aligns with the principle of threat intelligence-based detection, where security feeds (e.g., Cisco Talos, AlienVault OTX) provide reputation scores for external hosts. Identifying such outbound connections helps confirm that data is being sent to an adversary-controlled destination.

Exam trap

Cisco often tests the distinction between inbound and outbound traffic analysis, trapping candidates who forget that data exfiltration is an outbound activity, not an inbound one.

352
Multi-Selectmedium

Which THREE of the following are common security controls used to defend against ransomware?

Select 3 answers
A.Implementing application whitelisting
B.Allowing macros in office documents
C.Disabling user accounts after 3 failed attempts
D.Regular offline backups
E.Network segmentation to limit lateral movement
AnswersA, D, E

Whitelisting prevents unauthorized executables, including ransomware, from running.

Why this answer

Application whitelisting is a security control that prevents unauthorized executables, scripts, and macros from running. By allowing only approved software to run by default, it blocks ransomware payloads that arrive as unknown or untrusted files, even if a user inadvertently executes them.

Exam trap

Cisco often tests the distinction between preventive controls (like whitelisting) and reactive controls (like account lockout), and the trap here is confusing a brute-force mitigation with a ransomware defense, or assuming that enabling macros is a safe practice.

353
MCQeasy

A company's security policy requires that all employees change their passwords every 90 days. Which type of security control does this policy enforce?

A.Compensating
B.Detective
C.Corrective
D.Preventive
AnswerD

Password aging reduces the chance of using stolen credentials long-term.

Why this answer

Password aging is a preventive control because it reduces the window of opportunity for credential theft. Option D is correct. Option B (detective) is incorrect because password changes do not detect attacks.

Option C (corrective) is incorrect because it does not fix a breach. Option A (compensating) is incorrect because it is not an alternative control.

354
MCQeasy

A security analyst receives an alert that an employee's workstation is generating outbound traffic to a known malware command-and-control IP address at 3:00 AM. According to the company's incident response policy, what is the FIRST action the analyst should take?

A.Isolate the workstation from the network by disabling the switch port.
B.Reimage the workstation immediately to remove the malware.
C.Apply the latest security patches to the workstation.
D.Call the employee to ask if they are working late.
AnswerA

Containment stops the malicious traffic and prevents lateral spread.

Why this answer

The first action is to isolate the workstation from the network by disabling the switch port. This immediately stops the outbound command-and-control (C2) traffic, preventing data exfiltration and further compromise, while preserving the system state for forensic analysis. According to the incident response policy, containment takes precedence over eradication or recovery to limit damage.

Exam trap

Cisco often tests the containment-first principle in incident response, and the trap here is that candidates rush to eradicate the malware (reimage) or fix the vulnerability (patch) instead of stopping the active threat by isolating the host.

How to eliminate wrong answers

Option B is wrong because reimaging destroys volatile evidence (e.g., memory, logs, malware artifacts) needed for root-cause analysis and violates the containment-first principle. Option C is wrong because applying patches does not stop active C2 communication and assumes the vulnerability is known, which may not be the case; containment must occur first. Option D is wrong because calling the employee at 3:00 AM wastes critical time, may alert the attacker if the user is compromised, and does not address the active threat.

355
MCQmedium

During a security audit, it is discovered that several users have passwords set to never expire. According to the security policy, passwords must be changed every 90 days. What is the best course of action?

A.Disable accounts that violate the policy
B.Notify users to change their passwords voluntarily
C.Immediately reset all user passwords
D.Update the password policy in Active Directory to enforce 90-day expiration
AnswerD

A Group Policy change enforces compliance automatically.

Why this answer

Option D is correct because the most efficient and enforceable way to ensure all users comply with the 90-day password expiration policy is to configure a Group Policy Object (GPO) in Active Directory that sets the 'Maximum password age' to 90 days. This automatically forces password changes at login after the expiration period, ensuring uniform enforcement without manual intervention or disruption.

Exam trap

Cisco often tests the distinction between reactive manual fixes (like resetting all passwords) and proactive policy-based enforcement, where candidates mistakenly choose a disruptive action instead of the scalable, automated solution that aligns with security policy management.

How to eliminate wrong answers

Option A is wrong because disabling accounts that violate the policy would cause unnecessary downtime and administrative overhead, and it does not address the root cause—the lack of enforced expiration—while potentially locking out legitimate users. Option B is wrong because relying on voluntary compliance is ineffective in a security audit context; users may ignore notifications, leaving the organization non-compliant and vulnerable. Option C is wrong because immediately resetting all user passwords is disruptive, does not prevent users from setting the same password again (unless complexity/history policies are enforced), and fails to implement a sustainable, automated enforcement mechanism.

356
MCQhard

During a merger, two companies have different security policies. Company A uses a discretionary access control (DAC) model, while Company B uses a mandatory access control (MAC) model. The merged entity must adopt a single policy. Which approach is most likely to be adopted and why?

A.DAC because it is more flexible
B.Both can coexist
C.MAC because it is more secure
D.A new hybrid model combining both
AnswerC

MAC offers stronger security enforcement, suitable for merged policies.

Why this answer

MAC provides stricter, system-enforced controls based on classification, which is often adopted in higher-security environments. DAC relies on user discretion and is less secure.

357
MCQeasy

An analyst is monitoring network traffic and sees a sudden spike in outbound data transfer from an internal server to an external IP that is known to be malicious. What is the most likely scenario?

A.Software update.
B.Data exfiltration.
C.User downloading a large file.
D.Normal backup operation.
AnswerB

Data exfiltration involves sending sensitive data to an attacker-controlled IP.

Why this answer

A sudden spike in outbound data transfer from an internal server to a known malicious external IP is a classic indicator of data exfiltration. Attackers often use compromised servers to siphon sensitive data (e.g., credentials, databases) to a command-and-control (C2) server. This behavior aligns with the post-compromise phase of an attack, where the goal is to extract data without triggering immediate alarms.

Exam trap

Cisco often tests the distinction between outbound and inbound traffic direction; candidates may confuse a user downloading a file (inbound) with a server sending data out (outbound), leading them to incorrectly choose option C.

How to eliminate wrong answers

Option A is wrong because software updates typically originate from the internal server to trusted, legitimate update servers (e.g., Microsoft, Red Hat), not to a known malicious IP; the traffic pattern would be periodic and signed, not a sudden spike to an untrusted destination. Option C is wrong because a user downloading a large file would show inbound traffic from the external IP to the user's workstation, not outbound traffic from an internal server to a malicious IP. Option D is wrong because normal backup operations usually target internal backup servers or trusted cloud storage providers (e.g., AWS S3, Azure Blob) over encrypted channels like SMB or HTTPS, not a known malicious external IP.

358
MCQeasy

A Cisco ASA firewall is configured to send syslog messages to a SIEM. Which logging level includes 'informational' messages?

A.Level 5
B.Level 3
C.Level 6
D.Level 0
AnswerC

Level 6 is informational.

Why this answer

Option C is correct because Cisco ASA syslog messages use the standard syslog severity levels defined in RFC 5424. 'Informational' messages correspond to severity Level 6, which provides normal operational information such as connection teardowns or configuration changes. This level is commonly used for monitoring without overwhelming the SIEM with debug-level data.

Exam trap

Cisco often tests the specific mapping of syslog severity names to numeric levels, and the trap here is confusing 'Informational' (Level 6) with 'Notice' (Level 5) or 'Debugging' (Level 7), as candidates may misremember the order or assume 'Informational' is a lower number.

How to eliminate wrong answers

Option A is wrong because Level 5 is 'Notice', not 'Informational'; Notice messages indicate normal but significant events (e.g., interface up/down). Option B is wrong because Level 3 is 'Error', which indicates error conditions that require attention. Option D is wrong because Level 0 is 'Emergency', the highest severity, indicating the system is unusable.

Only Level 6 matches 'Informational'.

359
MCQeasy

A user reports that they cannot access a file server. The security policy requires that all access be logged and monitored. What is the most likely reason for the access failure?

A.The user's account is locked
B.The file server is down
C.The user's IP address is not in the allowed list
D.The user's password has expired
AnswerC

The policy might restrict access by IP address, causing the failure and generating a log entry.

Why this answer

Option C is correct because the user's IP address might not be in the allowed list per policy. Options A, B, and D are plausible but less directly related to the policy requirement.

360
MCQmedium

A company is deploying a new web application and wants to ensure it is secure against common web attacks. Which of the following is the most effective approach to validate the security of the application before going live?

A.Conduct a penetration test by an external firm
B.Run a vulnerability scanner against the application
C.Implement a web application firewall (WAF)
D.Perform a code review with static analysis tools
AnswerA

Penetration testing simulates real attacks and uncovers vulnerabilities that automated tools might miss.

Why this answer

A penetration test by an external firm provides a comprehensive, real-world assessment of security vulnerabilities.

361
Matchingmedium

Match each security tool to its primary purpose.


Network scanning and discovery

Packet capture and analysis

Intrusion detection and prevention

Exploitation framework for penetration testing

Security information and event management (SIEM)

Why these pairings

These tools are commonly used in security operations.

362
MCQmedium

An IDS detected the following signature match: "ET TROJAN Zeus variant outbound connection to C2 server". The destination IP is flagged as a known malicious host. What should the analyst do FIRST?

A.Block the destination IP at the firewall
B.Open the packet capture associated with the alert
C.Ignore the alert because signatures can produce false positives
D.Isolate the source host from the network immediately
AnswerB

Packet analysis confirms the threat and identifies the affected host.

Why this answer

Option B is correct because the first step in incident response after an IDS alert is to validate the alert by examining the associated packet capture (PCAP). This allows the analyst to confirm whether the traffic truly matches the Zeus C2 signature, check for false positives, and gather contextual details such as payload content, timing, and protocol behavior. Without this validation, any subsequent action (blocking, isolating) could be premature or based on incomplete information.

Exam trap

Cisco often tests the principle that validation via packet capture must precede any containment or blocking action, trapping candidates who jump to immediate remediation without confirming the alert's accuracy.

How to eliminate wrong answers

Option A is wrong because blocking the destination IP at the firewall without first verifying the alert could disrupt legitimate traffic if the IP is shared or if the alert is a false positive; it also bypasses the need to confirm the threat. Option C is wrong because ignoring the alert outright dismisses a potential high-severity threat without investigation; while false positives are possible, the correct response is to validate, not ignore. Option D is wrong because isolating the source host immediately may be too aggressive before confirming the alert is valid; isolation can cause unnecessary operational impact and should be based on confirmed evidence from the PCAP analysis.

363
MCQhard

You are a cybersecurity analyst at a large enterprise. The NOC team reports that users are experiencing intermittent connectivity to the company's internal web application hosted on 192.168.1.100:443. You review the IPS logs and see repeated alerts for signature 'ET WEB_SERVER Possible HTTP Response Splitting' triggered by traffic from the web server to internal clients. The signature fires on responses containing CRLF sequences. You examine a packet capture and observe that the web server sends HTTP responses with legitimate headers but occasionally includes extra CRLF sequences in the body. The application developers confirm that the web application is custom and uses unfiltered user input in HTTP headers. The security policy requires that all internal traffic be inspected and blocked by the IPS. What is the best course of action?

A.Increase the threshold for the signature to require multiple occurrences before alerting, but keep blocking enabled.
B.Disable the HTTP Response Splitting signature entirely to restore connectivity, as the issue is a false positive.
C.Whitelist the web server IP address in the IPS policy so that traffic from that server is not inspected.
D.Request that the development team sanitize user input in HTTP headers to prevent CRLF injection, and in the meantime, create a custom signature that ignores CRLF sequences in the response body but alerts on header injection.
AnswerD

This fixes the vulnerability and reduces false positives in the interim.

Why this answer

Option D is correct because the root cause is a vulnerability in the custom web application that allows CRLF injection into HTTP headers, which the IPS correctly detects as a potential HTTP Response Splitting attack. Simply disabling or bypassing the signature (options A, B, C) would leave the network exposed to a real security risk. The best course is to fix the application code to sanitize user input, and in the interim, create a custom IPS signature that differentiates between benign CRLF sequences in the response body (which are not exploitable) and malicious CRLF sequences in headers, thus maintaining security while reducing false positives.

Exam trap

Cisco often tests the concept that false positives should be addressed by tuning the signature or fixing the underlying application, not by disabling or bypassing security controls, and candidates may mistakenly choose to disable the signature or whitelist the server thinking it is a simple false positive.

How to eliminate wrong answers

Option A is wrong because increasing the threshold would still allow the IPS to block legitimate traffic when the signature fires multiple times, and it does not address the underlying vulnerability or the false positive caused by CRLF sequences in the response body. Option B is wrong because disabling the signature entirely removes protection against a real HTTP Response Splitting vulnerability, violating the security policy that requires all internal traffic to be inspected and blocked by the IPS. Option C is wrong because whitelisting the web server IP address would bypass all IPS inspection for that server, which contradicts the security policy and would allow any malicious traffic from that server to go undetected, including potential exploitation of the CRLF injection flaw.

364
MCQ (hard)

Given the syslog message, which additional data would best confirm the event as a true positive?

A. VPN logs for user authentication
B. URL filtering logs for traffic to 203.0.113.10
C. Antivirus logs on 10.0.0.5
D. NetFlow data showing other connections from 10.0.0.5
Answer: B

URL filtering logs can reveal whether the destination is a known malicious site.

Why this answer

The syslog message likely indicates a security event such as a connection to a known malicious IP (203.0.113.10). URL filtering logs provide the specific HTTP/HTTPS request details (e.g., URI, user agent, category) that can confirm whether the traffic was intentional and malicious, rather than a false positive from a benign service or misconfiguration.

Exam trap

Cisco often tests the difference between network-layer metadata (NetFlow) and application-layer logs (URL filtering), trapping candidates who think flow data alone can confirm a malicious event.

How to eliminate wrong answers

Option A is wrong because VPN logs for user authentication only show who logged in and from where, not the actual traffic to the suspicious IP, so they cannot confirm the event as a true positive. Option C is wrong because antivirus logs on 10.0.0.5 would only show local file-based threats, not network connections to 203.0.113.10, and the event is network-based. Option D is wrong because NetFlow data showing other connections from 10.0.0.5 provides metadata about flows but lacks the application-layer detail (e.g., full URL, HTTP method) needed to confirm the specific malicious request.

365
Multi-Select (easy)

Which TWO host-based analysis techniques are most effective for detecting fileless malware?

Select 2 answers
A. Process memory analysis to detect injected code
B. Network traffic analysis
C. Signature-based file scanning
D. Registry analysis for persistence
E. PowerShell script block logging
Answers: A, E

Fileless malware often injects code into memory.

Why this answer

Process memory analysis (A) is effective because fileless malware resides in memory without writing to disk, so examining running processes for injected code, suspicious memory regions, or anomalous API calls can directly detect the malicious payload. PowerShell script block logging (E) captures the full text of PowerShell commands executed, including obfuscated or encoded scripts that fileless malware often uses to load payloads directly into memory, making it a powerful host-based detection technique.

Exam trap

Cisco often tests the distinction between host-based and network-based analysis techniques, and the trap here is that candidates may select network traffic analysis (B) because it can detect fileless malware's network activity, but the question specifically asks for host-based techniques, making B incorrect.

366
MCQ (hard)

During a security incident, the incident response team isolates a compromised workstation from the network. The security policy requires that all actions taken during the incident be documented and approved. However, the team lead isolates the workstation without waiting for formal approval. Which principle of incident response is being prioritized?

A. Rapid containment
B. Chain of custody
C. Speed of containment
D. Preservation of evidence
Answer: C

Immediate containment limits damage and is often prioritized over formal approval in policies.

Why this answer

Option C is correct because speed of containment is prioritized to limit damage, even if it means bypassing formal approval. Option A is wrong because rapid containment is not a distinct principle from speed of containment; it restates the same idea under a different label. Option B is wrong because chain of custody concerns the documented handling of evidence, not the decision to isolate a host. Option D is wrong because isolation does preserve evidence, but preservation of evidence is a separate priority, and the question emphasizes acting before formal approval.

367
MCQ (hard)

Refer to the exhibit. What does this log entry indicate?

A. A denied TCP packet
B. A permitted UDP packet
C. A permitted ICMP packet
D. A denied ICMP packet
Answer: C

The log explicitly states 'permitted icmp'.

Why this answer

The log entry shows an ICMP packet with a permit action, as indicated by the 'permit' keyword and the protocol number 1 (ICMP). The source and destination IP addresses, along with the ICMP type and code, confirm it is an ICMP echo request (type 8, code 0). Therefore, this is a permitted ICMP packet.

Exam trap

Cisco often tests the ability to distinguish between protocol numbers (TCP=6, UDP=17, ICMP=1) and to correctly interpret the 'permit' or 'deny' action in log entries, leading candidates to confuse the protocol or the action.

How to eliminate wrong answers

Option A is wrong because the log entry shows protocol 1 (ICMP), not TCP (protocol 6), and the action is 'permit', not 'deny'. Option B is wrong because the log entry shows protocol 1 (ICMP), not UDP (protocol 17), and the action is 'permit', not 'deny'. Option D is wrong because the log entry shows the action as 'permit', not 'deny', and the protocol is ICMP, so it is a permitted ICMP packet.

368
MCQ (hard)

An organization uses a SIEM that ingests logs from multiple sources. The analysts are overwhelmed with alerts, many of which are false positives. Which strategy best reduces alert fatigue without increasing risk?

A. Implement a ticketing system for alerts.
B. Disable all correlation rules except critical ones.
C. Increase the number of analysts on shift.
D. Fine-tune correlation rules and thresholds based on historical data.
Answer: D

Reduces false positives while retaining detection.

Why this answer

Fine-tuning correlation rules and thresholds (option D) reduces false positives by aligning detection logic with the organization's normal baseline, derived from historical data. This directly addresses alert fatigue without disabling security coverage, as it retains the SIEM's ability to detect genuine threats while filtering out noise. In contrast, simply disabling rules or adding staff fails to address the root cause of poor alert quality.

Exam trap

Cisco often tests the misconception that reducing alerts means disabling rules or adding more staff, when the correct approach is to refine detection logic through tuning and baselining to maintain security coverage while minimizing noise.

How to eliminate wrong answers

Option A is wrong because implementing a ticketing system for alerts does not reduce the volume of false positives; it only manages the workflow, potentially increasing analyst burden by creating tickets for every alert. Option B is wrong because disabling all correlation rules except critical ones removes detection for many legitimate threats, increasing risk by creating blind spots in the security monitoring posture. Option C is wrong because increasing the number of analysts on shift does not solve the underlying problem of excessive false positives; it merely distributes the workload, leading to burnout and potential missed true positives due to alert fatigue.

369
Multi-Select (hard)

Which THREE of the following are common elements of an incident response policy?

Select 3 answers
A. Data classification levels
B. Procedures for containment and eradication
C. Roles and responsibilities of the incident response team
D. Acceptable use of company resources
E. Definition of what constitutes a security incident
Answers: B, C, E

Core steps in incident response.

Why this answer

Option B is correct because containment and eradication are core phases of the NIST SP 800-61 incident response lifecycle. Containment limits the scope of the incident (e.g., isolating a compromised host via VLAN access control lists), while eradication removes the root cause (e.g., deleting malware, patching vulnerabilities). These procedures are explicitly documented in an incident response policy to ensure consistent, repeatable actions during a security event. Option C is correct because the policy establishes the organizational structure of the incident response team and the roles, responsibilities, and authority of its members. Option E is correct because the policy defines what the organization considers a security incident, so that everyone applies the same criteria when deciding whether to invoke the response process.

Exam trap

Cisco often tests the distinction between an incident response policy (which includes definitions, roles, and procedures) and other security policies like data classification or acceptable use, leading candidates to mistakenly include elements from adjacent policies.

370
Multi-Select (medium)

Which THREE indicators in Windows Event Log are most commonly associated with a successful compromise?

Select 3 answers
A. Event ID 4740: A user account was locked out
B. Event ID 4720: A user account was created
C. Event ID 7045: A service was installed in the system
D. Event ID 4624: An account was successfully logged on
E. Event ID 5156: The Windows Filtering Platform allowed a connection
Answers: B, C, D

Creation of new accounts by an attacker for persistence.

Why this answer

Event ID 4720 indicates a new user account was created, which is a common post-compromise action where an attacker establishes persistence by adding a backdoor account. Event ID 7045 logs when a new service is installed, often used by malware or attackers to maintain persistence or execute code with system privileges. Event ID 4624 records successful logon events, which after a compromise may show anomalous logons (e.g., from unexpected IPs, off-hours, or using compromised credentials).

Exam trap

Cisco often tests the distinction between events that indicate a successful compromise (e.g., account creation, service installation, successful logon) versus events that indicate failed attempts or normal operations, leading candidates to mistakenly select lockout or firewall allow events as compromise indicators.

371
MCQ (medium)

A SOC analyst receives an alert from the SIEM indicating a high number of failed login attempts on a domain controller from a single IP address over the last 10 minutes. The source IP is a known internal workstation. What should be the analyst's FIRST action?

A. Block the source IP at the firewall
B. Escalate to the incident response team
C. Ignore the alert because it is from an internal IP
D. Contact the user to verify if they are experiencing login issues
Answer: D

Contacting the user helps determine if the activity is intentional or a misconfiguration.

Why this answer

The analyst's first priority is to verify the legitimacy of the failed login attempts before taking any disruptive action. Since the source IP is a known internal workstation, the most likely cause is a user error, such as a forgotten password or a locked account. Contacting the user allows the analyst to quickly confirm whether the activity is benign, avoiding unnecessary escalation or network disruption.

Exam trap

Cisco often tests the candidate's ability to follow the proper incident response triage process, where the trap is to jump to a technical action (like blocking or escalating) before performing the simplest verification step.

How to eliminate wrong answers

Option A is wrong because immediately blocking the source IP at the firewall could disrupt a legitimate user's access and is premature without first verifying the cause of the failed logins. Option B is wrong because escalation to the incident response team is a later step, taken only after initial triage confirms suspicious or malicious activity, not as a first action. Option C is wrong because ignoring the alert based solely on the IP being internal is a dangerous assumption; internal IPs can be compromised or misconfigured, and the alert requires investigation.

372
MCQ (hard)

You are a security analyst at a financial institution. The network consists of three segments: internal corporate network (10.0.0.0/24), DMZ (192.168.1.0/24) hosting a web server and an email server, and a guest wireless network (172.16.0.0/24). The firewall is configured with the following rules: (1) permit inbound HTTP/HTTPS to the web server from any; (2) permit inbound SMTP to the email server from any; (3) deny all other inbound traffic; (4) permit all outbound traffic from internal network; (5) deny all outbound traffic from guest network to internal and DMZ, but permit to internet. Recently, an employee reported that sensitive files on an internal file server (10.0.0.10) were accessed without authorization. Logs show that the access originated from an IP address in the guest network (172.16.0.50) at 3:00 AM. The guest network is open (no authentication required). The internal file server is not directly accessible from the guest network per rule (5). However, the attacker used the web server as a pivot: they compromised the web server via an unpatched vulnerability, then from the web server they connected to the internal file server. Which of the following actions would BEST prevent this type of attack in the future?

A. Implement a firewall rule that denies all traffic from the DMZ to the internal network
B. Move the web server to the internal network and place a reverse proxy in the DMZ
C. Apply a patch to the web server and require authentication on the guest network
D. Add a firewall rule that permits only necessary traffic from the DMZ to specific internal servers, and deny all other DMZ-to-internal traffic
Answer: D

This limits lateral movement: even if the web server is compromised, it can only reach authorized internal systems.

Why this answer

Option D is correct because the attack leveraged the DMZ web server as a pivot to reach the internal file server. By implementing a firewall rule that permits only necessary traffic from the DMZ to specific internal servers (e.g., only allow the web server to communicate with a database server on TCP/3306) and denies all other DMZ-to-internal traffic, you enforce a least-privilege segmentation policy. This would block the web server from initiating arbitrary connections to the internal file server (10.0.0.10), even if the web server is compromised, directly preventing the pivot attack.

Exam trap

Cisco often tests the concept that simply patching a vulnerability or adding authentication does not prevent lateral movement; the trap is that candidates focus on the initial compromise vector (unpatched web server) rather than the missing segmentation rule that allowed the pivot.

How to eliminate wrong answers

Option A is wrong because denying all traffic from the DMZ to the internal network would break legitimate services such as the web server needing to query an internal database or authenticate against an internal directory server (e.g., LDAP), making the DMZ non-functional. Option B is wrong because moving the web server to the internal network and placing a reverse proxy in the DMZ does not prevent the pivot attack; if the reverse proxy is compromised, it could still be used to access the internal network, and the web server inside the internal network would be directly exposed to internal threats. Option C is wrong because while patching the web server and requiring authentication on the guest network are good security practices, they do not address the core issue of lateral movement from the DMZ to the internal network; the attacker could still compromise the web server via a future vulnerability or a different vector and pivot to the internal file server.

373
MCQ (medium)

Based on the exhibit, which traffic is permitted?

A. All IP traffic from the host 198.51.100.10.
B. Only HTTPS traffic from the host 198.51.100.10.
C. All TCP traffic from any host to any host.
D. All HTTPS traffic to the host 198.51.100.10.
Answer: D

The ACL permits TCP any to host on port 443 (HTTPS).

Why this answer

The exhibit shows an access control list (ACL) entry 'permit tcp any host 198.51.100.10 eq 443'. This permits TCP traffic with a destination port of 443 (HTTPS) to the specific host 198.51.100.10 from any source. Therefore, only HTTPS traffic destined to that host is permitted, making option D correct.

Exam trap

Cisco often tests the directionality of ACL rules, and the trap here is confusing the source and destination fields, leading candidates to mistakenly think the rule permits traffic from the host rather than to the host.

How to eliminate wrong answers

Option A is wrong because the ACL does not permit all IP traffic from the host; it only permits TCP traffic with destination port 443 to the host, not from it. Option B is wrong because the ACL permits HTTPS traffic to the host, not from the host; the source is 'any' and the destination is the specific host, so traffic originating from the host is not matched. Option C is wrong because the ACL is not a blanket permit for all TCP traffic; it is restricted to traffic destined to port 443 on host 198.51.100.10 only.

374
Drag & Drop (medium)

Drag and drop the steps to implement a disaster recovery plan for a critical server into the correct order.


Why this order

Disaster recovery: identify, backup, test, document, execute.

375
Multi-Select (easy)

Which TWO are goals of a security operations center (SOC)? (Choose two.)

Select 2 answers
A. Continuous monitoring of security events
B. Managing user passwords
C. Developing software applications
D. Performing penetration tests
E. Responding to security incidents
Answers: A, E

A SOC monitors events 24/7.

Why this answer

Option A is correct because continuous monitoring of security events is a primary goal of a SOC, ensuring real-time detection of threats through log aggregation and analysis from sources like firewalls, IDS/IPS, and endpoints. This aligns with the SOC's responsibility to maintain situational awareness and identify indicators of compromise (IoCs) as part of the NIST incident response lifecycle. Option E is correct because responding to security incidents (triage, containment, and escalation of confirmed events) is the SOC's other core function and the natural follow-on to detection.

Exam trap

Cisco often tests the distinction between operational SOC responsibilities (monitoring and response) and other security functions like IAM, development, or proactive testing, so candidates may mistakenly select penetration testing as a SOC goal because it is security-related, but it is not a continuous SOC function.
