Cisco CyberOps Associate 200-201 (200-201) — Questions 376-450

507 questions total · 7 pages · All types, answers revealed


Page 6 of 7

376
Drag & Drop · medium

Drag and drop the steps to perform a password recovery on a Cisco IOS router into the correct order.


Why this order

Password recovery: enter ROMmon, change confreg, reset, boot, then restore config and change password.

377
MCQ · easy

A company's security policy requires that all system logs be retained for at least one year. A security analyst discovers that log files are being overwritten after 30 days. What is the most likely cause?

A. Logs are being manually deleted by an administrator
B. Malware infection
C. The log rotation policy is set to 30 days
D. Insufficient disk space
Answer: C

Log rotation settings control how logs are overwritten; a 30-day policy directly explains the behavior.

Why this answer

Option C is correct because the log rotation setting is likely set to 30 days, causing the overwrites. Option D is wrong because, while disk space may contribute, the direct cause is the rotation policy. Option B is wrong because malware is less likely. Option A is wrong because an administrator deleting logs would be a deliberate act.

378
MCQ · hard

An organization's security policy requires that all network traffic be inspected by an intrusion prevention system. However, encrypted traffic is bypassing inspection. Which change to the policy would best address this issue?

A. Allow encrypted traffic to bypass the IPS
B. Require all internal traffic to use unencrypted protocols
C. Implement SSL/TLS decryption at the network perimeter
D. Exclude encrypted traffic from the security policy scope
Answer: C

Decryption enables the IPS to inspect encrypted payloads.

Why this answer

Option C is correct because implementing SSL/TLS decryption at the network perimeter allows the IPS to inspect the plaintext content of encrypted traffic. By terminating the encrypted session at a dedicated decryption device (e.g., a next-generation firewall or proxy), the device can re-encrypt the traffic after inspection, ensuring that threats hidden in HTTPS, SMTPS, or other TLS-encrypted flows are detected without violating the policy's requirement that all traffic be inspected.

Exam trap

Cisco often tests the misconception that encrypted traffic is inherently safe or that bypassing inspection is acceptable, when in fact attackers commonly use encryption to hide malware, command-and-control traffic, or data exfiltration, making decryption a necessary security control.

How to eliminate wrong answers

Option A is wrong because allowing encrypted traffic to bypass the IPS directly violates the security policy's requirement that all network traffic be inspected, leaving a blind spot for threats hidden in encrypted tunnels. Option B is wrong because requiring all internal traffic to use unencrypted protocols would severely degrade security by exposing sensitive data to eavesdropping and tampering, contradicting best practices and likely violating compliance standards. Option D is wrong because excluding encrypted traffic from the security policy scope simply ignores the problem, failing to address the inspection gap and leaving the organization vulnerable to attacks that leverage encryption to evade detection.

379
Multi-Select · easy

Which TWO of the following are characteristics of an advanced persistent threat (APT)?

Select 2 answers
A. Operates with low and slow tactics to avoid detection
B. Targets specific organizations for espionage or data theft
C. Is typically financially motivated
D. Uses only commodity malware
E. Attacks are short-lived and quickly detected
Answers: A, B

APTs use stealthy methods to maintain long-term access.

Why this answer

An advanced persistent threat (APT) is characterized by its use of low-and-slow tactics to evade detection over long periods. This involves spreading malicious activity across many small, seemingly benign actions to avoid triggering threshold-based alerts in security monitoring systems. APTs are also defined by their targeted nature, focusing on specific organizations for espionage or data theft rather than opportunistic, broad-scale attacks.

Exam trap

Cisco often tests the distinction between financially motivated threats (e.g., ransomware) and APTs, so the trap here is assuming that all persistent threats are driven by money rather than recognizing the espionage and state-sponsored nature of APTs.

380
MCQ · hard

An analyst reviews NetFlow data and sees a single internal IP communicating with many external IPs on port 53, each with small UDP packets. The internal host is not a DNS server. What is the most likely explanation?

A. The host is acting as a DNS server
B. The host is performing recursive DNS lookups
C. The host is the victim of a DNS amplification attack
D. The host is scanning for open DNS resolvers
Answer: C

The host's IP is spoofed as the source of queries to many open resolvers, causing replies to flood the host.

Why this answer

The internal host is not a DNS server, yet it is sending small UDP packets to many external IPs on port 53. This is characteristic of a DNS amplification attack, where the attacker spoofs the victim's IP address and sends small queries to open DNS resolvers, which then send large responses to the victim. The NetFlow data shows the victim receiving the amplified traffic, not initiating it, making C correct.

Exam trap

Cisco often tests the distinction between the victim and the attacker in amplification attacks; the trap here is that candidates see many small UDP packets and assume the host is initiating queries (e.g., scanning or DNS lookups), rather than recognizing that the host is the victim receiving the amplified responses.

How to eliminate wrong answers

Option A is wrong because the host is not a DNS server (explicitly stated), and a DNS server would typically listen on port 53 and respond to queries, not send small UDP packets to many external IPs. Option B is wrong because recursive DNS lookups involve the host sending queries to a single DNS resolver (e.g., 8.8.8.8) and receiving responses, not communicating with many external IPs simultaneously. Option D is wrong because scanning for open DNS resolvers would involve the host sending probes to many IPs and waiting for responses, but the NetFlow data shows the host receiving traffic from many external IPs, not initiating it.

381
Matching · medium

Match each cybersecurity framework/standard to its focus.



Cybersecurity risk management framework

Information security management system standard

Payment card industry data security standard

Knowledge base of adversary tactics and techniques

Prioritized set of security best practices

Why these pairings

These frameworks guide security posture.

382
MCQ · hard

An analyst is performing host-based analysis on a machine that is part of a botnet. The machine is communicating with a C2 server over HTTPS. Which host-based evidence would be most useful to identify the C2 communication?

A. Packet capture showing the unencrypted payload
B. A memory dump of the process showing encryption keys
C. DNS logs showing queries to the C2 domain
D. Windows Event ID 5157 (Filtering Platform connection) showing the process ID
Answer: C

DNS queries often precede HTTPS connections. The domain may be unique or malicious.

Why this answer

Option C is correct because DNS logs can reveal the domain name used for C2 communication even when the traffic is encrypted over HTTPS. Since the analyst is performing host-based analysis, DNS query logs on the host itself (e.g., from the DNS client service or a local DNS resolver) will show the host attempting to resolve the C2 domain, providing a direct indicator of the C2 server's address without needing to decrypt the HTTPS traffic.

Exam trap

Cisco often tests the misconception that encrypted traffic cannot be analyzed at all, leading candidates to choose options like packet capture or memory dumps, when in fact DNS logs provide a clear, host-based indicator of C2 communication without requiring decryption.

How to eliminate wrong answers

Option A is wrong because HTTPS traffic is encrypted, so a packet capture on the host would not show the unencrypted payload; the analyst would need to decrypt the session, which is not feasible without the private key or a man-in-the-middle proxy. Option B is wrong because while a memory dump might contain encryption keys if the process stores them in plaintext, this is not a reliable or standard method for identifying C2 communication; it requires deep forensic analysis and the keys may not be present or easily extractable. Option D is wrong because Windows Event ID 5157 (Filtering Platform connection) logs the process ID and connection details, but it does not include the domain name or URL; it only shows IP addresses and ports, which may not directly identify the C2 server if it uses dynamic IPs or CDN fronting.

383
MCQ · easy

Refer to the exhibit. An ASA security policy is configured as shown. A user from the internet tries to access 192.168.1.5 via HTTP. What will happen?

A. Traffic will be allowed, but logged
B. Traffic will be denied
C. Traffic will be allowed only if it matches the subnet
D. Traffic will be permitted
Answer: B

The access list does not permit traffic to 192.168.1.5.

Why this answer

The ASA security policy shown uses an access control list (ACL) that implicitly denies all traffic unless explicitly permitted. Since the exhibit does not show any ACL entry permitting HTTP traffic from the internet to 192.168.1.5, the traffic is denied by default. The correct answer is B because the ASA's default behavior for inbound traffic on an interface is to deny it unless a matching permit ACE exists.

Exam trap

Cisco often tests the implicit deny principle in ASA ACLs, where candidates mistakenly assume that traffic is allowed by default or that a missing permit statement still allows traffic if it matches a subnet or is logged.

How to eliminate wrong answers

Option A is wrong because traffic is not allowed; the ACL does not contain a permit statement for HTTP from any source to 192.168.1.5, so logging is irrelevant. Option C is wrong because the ACL does not specify a subnet match for HTTP traffic; even if it did, the implicit deny would still apply to non-matching traffic. Option D is wrong because the ASA does not permit traffic by default; it requires an explicit permit rule in the ACL to allow inbound HTTP traffic.

384
Multi-Select · easy

Which TWO components are essential in a well-written security policy?

Select 2 answers
A. Scope
B. Cost estimates
C. Enforcement
D. Technology stack
E. Vendor names
Answers: A, C

Defines who and what the policy covers.

Why this answer

A security policy must define its scope to specify which systems, users, and data are covered. Without a clear scope, the policy cannot be consistently applied, leading to gaps in enforcement. The scope ensures that all relevant assets are protected and that the policy's boundaries are understood by all stakeholders.

Exam trap

Cisco often tests the distinction between a policy (high-level, principle-based) and a procedure or standard (detailed, implementation-specific), leading candidates to mistakenly include technical details like technology stacks or vendor names as essential policy components.

385
MCQ · hard

A SOC analyst examines an alert generated by an IDS. The alert indicates a potential SQL injection attempt. However, the analyst finds that the source IP is a known internal web server that performs legitimate database queries. What is the most likely explanation?

A. The web server is compromised
B. The traffic is legitimate but the IDS has a false positive
C. The IDS is misconfigured
D. The analyst should ignore the alert
Answer: B

The IDS likely flagged normal database queries as malicious.

Why this answer

The correct answer is B because the source IP is a known internal web server that performs legitimate database queries. IDS signatures often trigger on SQL-like patterns in traffic, and when the traffic matches the signature but is actually benign (e.g., a web server sending parameterized queries), it constitutes a false positive. The analyst's verification that the source is a trusted internal server performing expected operations confirms the alert is not a true threat.

Exam trap

Cisco often tests the distinction between a false positive (benign traffic flagged as malicious) and a true positive (actual attack), where candidates mistakenly assume any SQL pattern in traffic indicates compromise or misconfiguration rather than recognizing legitimate database queries from a trusted internal server.

How to eliminate wrong answers

Option A is wrong because the source IP is a known internal web server performing legitimate database queries; compromise would typically show anomalous behavior or unexpected outbound connections, not just a SQL pattern match. Option C is wrong because misconfiguration would imply the IDS is not tuned to exclude known good traffic, but the alert itself is a signature match, not a configuration error—false positives are inherent to signature-based detection, not necessarily misconfiguration. Option D is wrong because ignoring alerts violates SOC procedures; the analyst must investigate and document the false positive to refine rules, not dismiss it outright.

386
MCQ · medium

Based on the exhibit, what action should the analyst take to further investigate this alert?

A. Extract the URL from the alert and check the file hash.
B. Search the PCAP for the same signature ID.
C. Perform a DNS lookup on the destination IP.
D. Check the firewall logs for any blocked connections.
Answer: A

The reference URL provides direct access to potential malware.

Why this answer

The analyst should extract the URL from the alert and check the file hash because the alert indicates a potential malware download via HTTP. By retrieving the file referenced in the URL, the analyst can compute its hash (e.g., MD5, SHA256) and compare it against known threat intelligence databases (e.g., VirusTotal) to confirm maliciousness and identify the specific malware family. This directly validates whether the detected event is a true positive and provides actionable indicators for containment.

Exam trap

Cisco often tests the misconception that signature-based alerts are definitive, leading candidates to choose options like searching the PCAP for the same signature ID, when the real next step is to pivot from the alert's metadata (e.g., URL) to retrieve and analyze the actual payload.

How to eliminate wrong answers

Option B is wrong because searching the PCAP for the same signature ID would only find identical alerts, not provide additional context about the file or its behavior; signature IDs are static and do not reveal the payload's hash or content. Option C is wrong because performing a DNS lookup on the destination IP only resolves the domain name, which does not confirm whether the downloaded file is malicious or provide the file hash needed for further analysis. Option D is wrong because checking firewall logs for blocked connections would only show if the traffic was denied, but the alert already indicates the connection was allowed (since it triggered an alert), so firewall logs would not help analyze the file's content or hash.

387
MCQ · easy

A security analyst is analyzing a memory dump from a compromised Linux server. Which tool is most appropriate for extracting running processes and network connections from the dump?

A. volatility
B. nmap
C. Wireshark
D. tcpdump
Answer: A

Volatility can analyze memory dumps to extract process and network information.

Why this answer

Volatility is the correct tool because it is a specialized memory forensics framework designed to analyze RAM dumps. It can extract a list of running processes (via the `pslist` or `pstree` plugins) and active network connections (via the `netscan` or `connscan` plugins) directly from the memory image, without relying on the live system's kernel data structures which may be compromised.

Exam trap

Cisco often tests the distinction between live network analysis tools (nmap, Wireshark, tcpdump) and memory forensics tools (Volatility), expecting candidates to recognize that only Volatility can extract process and connection artifacts from a static memory dump.

How to eliminate wrong answers

Option B (nmap) is wrong because it is a network scanning tool used to discover hosts and services on a live network, not for analyzing a static memory dump. Option C (Wireshark) is wrong because it captures and analyzes live network traffic from a network interface, not from a memory dump file. Option D (tcpdump) is wrong because it is a command-line packet analyzer that captures live network packets, and it cannot parse a memory dump to extract processes or connections.

388
MCQ · hard

A business impact analysis (BIA) for a critical enterprise application reveals a maximum tolerable downtime (MTD) of 4 hours and a recovery time objective (RTO) of 2 hours. The current backup solution can restore the application in 3 hours under optimal conditions. Which of the following is the most appropriate action from a policy perspective?

A. Upgrade the backup solution to achieve a restore time of 2 hours or less
B. Accept the current restore time because it is within the MTD of 4 hours
C. Reduce the RTO to 1 hour to make the backup solution acceptable
D. Increase the MTD to 5 hours to match the backup restore time
Answer: A

This aligns the recovery capability with the defined RTO, meeting policy requirements.

Why this answer

Option A is correct because the backup restore time (3 hours) exceeds the RTO (2 hours), so the current recovery plan fails to meet policy. The MTD is 4 hours, but the RTO must still be met to avoid significant impact. Option B is incorrect because accepting the current restore time leaves the RTO unsatisfied. Option C is wrong because lowering the RTO does not address the core issue. Option D ignores the policy requirement.

389
MCQ · easy

A security policy requires that all remote access be through a VPN using strong authentication. A user calls the help desk saying they cannot connect to the VPN. The analyst checks and sees that the user's token is not synchronized. What should the analyst do?

A. Disable VPN access for the user.
B. Provide a temporary static password.
C. Reset the user's token and have them re-sync.
D. Escalate to the security team.
E. Have the user connect without a token.
Answer: C

Resolves token sync issue.

Why this answer

Option C is correct because resetting the token and having the user re-sync is the standard procedure for a token that is out of sync. Option A is too severe. Option B compromises strong authentication. Option E violates the policy. Option D is unnecessary.

390
MCQ · hard

A company uses Cisco Firepower NGFW with intrusion prevention. An analyst notices that many legitimate HTTPS connections are being blocked by an IPS rule. What is the best approach to reduce false positives?

A. Create a custom rule exception for the specific destination IPs.
B. Increase the severity threshold of the rule.
C. Disable the IPS rule entirely.
D. Change the rule action from 'Drop' to 'Alert'.
Answer: A

Exceptions preserve protection while allowing legitimate traffic.

Why this answer

Creating a custom rule exception for the specific destination IPs is the best approach because it allows the IPS to continue blocking malicious traffic while exempting legitimate HTTPS connections that are incorrectly flagged. This maintains security posture by not weakening the rule globally, and it directly addresses the false positive without affecting detection of other threats.

Exam trap

Cisco often tests the misconception that changing the rule action to 'Alert' is a safe compromise, but this actually disables blocking for all traffic matching the rule, not just the false positives.

How to eliminate wrong answers

Option B is wrong because increasing the severity threshold would cause the rule to only trigger on higher-severity events, potentially missing real threats that match the rule but are not false positives. Option C is wrong because disabling the IPS rule entirely removes protection against the actual threat the rule was designed to detect, leaving the network vulnerable. Option D is wrong because changing the rule action from 'Drop' to 'Alert' would stop blocking the legitimate traffic but would also stop blocking malicious traffic matching the same rule, effectively disabling enforcement and reducing security.

391
MCQ · hard

Refer to the exhibit. A security policy requires that network traffic be classified and prioritized to ensure critical applications get bandwidth. A network engineer implements this QoS policy. However, after deployment, a security scanner reports that SSH traffic is starved. Which of the following is the most likely cause?

A. The priority percent for VOIP is too high.
B. The fair-queue algorithm does not work with this policy.
C. The critical data class includes SSH traffic.
D. SSH traffic is not classified and falls into class-default, which may not get enough bandwidth.
Answer: D

Since SSH is not in a priority class, it competes with other default traffic.

Why this answer

Option D is correct because SSH traffic is not explicitly matched by any class map in the policy, so it falls into the class-default. The class-default in this policy uses fair-queue, which does not guarantee a minimum bandwidth; if higher-priority classes (like VOIP and critical data) consume most of the link, class-default can be starved. This results in SSH sessions timing out or experiencing severe packet loss.

Exam trap

Cisco often tests the misconception that traffic not explicitly classified will still get fair treatment, when in reality class-default can be starved if higher-priority classes consume all bandwidth, especially when priority is used without proper policing or shaping.

How to eliminate wrong answers

Option A is wrong because the priority percent for VOIP is set to 30%, which is a reasonable allocation for voice traffic and would not inherently starve SSH unless the link is fully saturated by VOIP alone—but the policy also allocates bandwidth to critical data, so the starvation is more likely due to SSH not being classified. Option B is wrong because the fair-queue algorithm does work with this policy; it is applied to the class-default, which is a standard behavior for class-default when no explicit bandwidth is configured, and it does not prevent other classes from functioning. Option C is wrong because the critical data class is explicitly defined to match traffic with DSCP AF21, which is typically used for mission-critical data, not SSH (which uses TCP port 22 and is not marked with AF21 by default); thus SSH is not included in that class.

392
Multi-Select · easy

Which TWO types of network traffic should be analyzed to detect a data exfiltration attempt via HTTP? (Choose two.)

Select 2 answers
A. ICMP echo requests
B. HTTP request headers
C. HTTP request body
D. DNS query responses
E. TCP three-way handshake
Answers: B, C

Headers may reveal suspicious patterns like custom user-agents.

Why this answer

HTTP request headers contain metadata such as User-Agent, Content-Type, and custom headers that can be manipulated to encode and exfiltrate data. The HTTP request body carries the payload, such as POST data, where stolen information can be embedded in form fields, JSON, or XML. Analyzing both allows detection of anomalous patterns indicative of data exfiltration.

Exam trap

Cisco often tests the distinction between layers of the OSI model, trapping candidates who confuse transport-layer handshakes (TCP) or network-layer diagnostics (ICMP) with application-layer HTTP traffic analysis.

393
MCQ · medium

A security analyst is reviewing logs from a Cisco Firepower Management Center and notices that many legitimate SSL connections are being blocked by the intrusion policy. Which configuration change should the analyst make to reduce false positives without compromising security?

A. Increase the severity threshold for SSL-related rules.
B. Add the affected servers to a network analysis policy exception.
C. Change the intrusion policy to "Connectivity Over Security".
D. Disable SSL inspection globally.
Answer: B

This allows specific traffic to bypass inspection while keeping security for others.

Why this answer

Adding the affected servers to a network analysis policy (NAP) exception allows the Firepower system to bypass intrusion inspection for traffic to and from those specific hosts while still performing SSL decryption and other security checks. This reduces false positives from legitimate SSL connections without completely disabling SSL inspection or weakening the overall security posture.

Exam trap

Cisco often tests the distinction between modifying intrusion policy rules versus using network analysis policy exceptions, tempting candidates to choose a global or severity-based change instead of the targeted exception that preserves security for other traffic.

How to eliminate wrong answers

Option A is wrong because increasing the severity threshold for SSL-related rules would suppress alerts based on severity, not address the root cause of false positives from legitimate traffic; it could also cause real threats to be missed. Option C is wrong because changing the intrusion policy to 'Connectivity Over Security' disables most intrusion prevention features, severely compromising security rather than selectively reducing false positives. Option D is wrong because disabling SSL inspection globally would prevent the system from decrypting and inspecting any SSL traffic, leaving the network blind to threats hidden in encrypted connections.

394
MCQ · easy

A security analyst notices that a workstation is generating multiple DNS queries to a known malicious domain. Which host-based analysis technique would be most effective in confirming the infection?

A. Review the Windows Firewall logs to see blocked connections
B. Check the scheduled tasks for suspicious entries
C. Use Process Explorer to examine the process responsible for the DNS queries
D. Analyze the Windows Event Log for Event ID 5156
Answer: C

Process Explorer can show network activity per process, directly linking the DNS queries to a specific executable.

Why this answer

Process Explorer is a host-based analysis tool that provides detailed information about running processes, including their network connections and DNS queries. By examining the process responsible for the DNS queries to the known malicious domain, the analyst can directly identify the infected executable or script, confirming the infection at the process level.

Exam trap

Cisco often tests the distinction between host-based analysis tools (like Process Explorer) and log-based analysis (like firewall or event logs), trapping candidates who choose a log-based option when a process-level tool is needed to confirm the infection source.

How to eliminate wrong answers

Option A is wrong because Windows Firewall logs only show blocked connections, but the DNS queries are likely succeeding (generating traffic), so blocked connections would not capture the malicious activity. Option B is wrong because scheduled tasks are a persistence mechanism, not the immediate source of active DNS queries; the infection may not rely on scheduled tasks. Option D is wrong because Event ID 5156 logs successful outbound connections, but it does not link the connection to a specific process or DNS query, making it less effective for pinpointing the responsible process.

395
MCQ · easy

An analyst needs to determine if a host is infected with malware that is attempting to contact a known malicious domain. Which log source is most appropriate for this analysis?

A. Syslog from the host
B. NetFlow records
C. DNS server logs
D. Data loss prevention (DLP) logs
Answer: C

DNS logs record all domain name queries, allowing detection of malicious domain lookups.

Why this answer

DNS server logs are the most appropriate source because they record all DNS queries made by hosts on the network. If a host is attempting to contact a known malicious domain, the DNS query for that domain will appear in the logs, allowing the analyst to identify the infected host by its source IP address and the timestamp of the query.

Exam trap

Cisco often tests the distinction between network-level logs that contain domain names (DNS logs) versus those that only contain IP addresses (NetFlow), leading candidates to mistakenly choose NetFlow because they think it captures all network activity.

How to eliminate wrong answers

Option A is wrong because syslog from the host may not capture outbound DNS queries at the network level and can be tampered with by malware if the host is compromised. Option B is wrong because NetFlow records show IP-level traffic metadata but do not include the domain name being resolved; they only show the destination IP, which may belong to a CDN or shared hosting and not directly reveal the malicious domain. Option D is wrong because DLP logs focus on detecting and preventing the exfiltration of sensitive data, not on monitoring DNS resolution attempts to known malicious domains.

396
MCQ · hard

An IPS sensor is configured inline and drops traffic that triggers the signature 'OVERFLOW-ICMP-ECHO', which triggers on ICMP packets with size > 1024 bytes. A network administrator reports that legitimate network monitoring tools using large ICMP packets are being blocked. What is the best course of action?

A. Increase the threshold to 2048
B. Create a whitelist for the monitoring tool's source IP
C. Disable the signature entirely
D. Change the sensor mode to IDS for that signature
Answer: B

A whitelist permits specific IPs to bypass the signature while keeping detection for others.

Why this answer

Option B is correct because creating a whitelist for the monitoring tool's source IP allows the IPS to continue dropping malicious oversized ICMP packets while permitting legitimate traffic from known, trusted sources. This maintains security for the rest of the network without disabling the signature or changing its mode, which would reduce protection.

Exam trap

Cisco often tests the misconception that you should adjust the signature threshold (option A) to fix false positives, but the correct approach is to use a whitelist or exception rule to allow known legitimate traffic without weakening the overall security posture.

How to eliminate wrong answers

Option A is wrong because simply increasing the threshold to 2048 would still block legitimate monitoring tools that send packets between 1025 and 2048 bytes, and it does not address the root cause of false positives. Option C is wrong because disabling the signature entirely removes protection against real overflow attacks using oversized ICMP packets, leaving the network vulnerable. Option D is wrong because changing the sensor mode to IDS for that signature would only alert on the traffic rather than dropping it, but the administrator's issue is that legitimate traffic is being blocked; switching to IDS would stop the blocking but also fail to block malicious oversized ICMP packets, which defeats the purpose of an inline IPS.

397
MCQ · hard

Refer to the exhibit. An analyst sees repeated denied TCP connections from the same source to the same destination web server. Which of the following actions should the analyst take first?

A. Increase the logging level to get more details.
B. Create a permit rule for the source IP to allow legitimate traffic.
C. Investigate the source IP for malicious activity.
D. Block the source IP globally.
Answer: C

Investigation helps determine intent and whether the source is a threat.

Why this answer

Repeated denied TCP connections from the same source to the same destination web server are a classic indicator of a potential reconnaissance or attack pattern, such as a port scan or brute-force attempt. The first priority in security monitoring is to investigate the source IP for malicious activity (Option C) to determine intent and scope before taking any irreversible action. This aligns with the incident response process of identification and analysis before containment or eradication.

Exam trap

Cisco often tests the candidate's understanding of the incident response order of operations, where the trap is to jump to a containment action (like blocking or permitting) without first performing analysis and validation of the threat.

How to eliminate wrong answers

Option A is wrong because increasing the logging level may provide more detail but does not address the immediate need to determine if the source IP is malicious; it delays the investigative step and could overwhelm the analyst with noise. Option B is wrong because creating a permit rule for the source IP would allow all traffic from that IP, which could enable an attacker to bypass security controls if the source is indeed malicious; this action should only be taken after confirming the source is legitimate. Option D is wrong because blocking the source IP globally is a premature containment action that could disrupt legitimate business operations if the source is a false positive; it should only be performed after investigation confirms malicious intent.

398
MCQeasy

A security policy mandates that all employees complete annual security awareness training. Which of the following metrics best demonstrates the effectiveness of this training?

A.Results of a post-training quiz
B.Percentage of employees who completed the training
C.Number of help desk tickets related to phishing
D.Decrease in security incidents attributed to user error
AnswerD

A decline in user-caused incidents is a direct indicator that training is modifying behavior.

Why this answer

Option D is correct because a reduction in incidents caused by user error directly indicates improved awareness. Option A may reflect adherence but not effectiveness. Option B measures volume, not effectiveness.

Option C could be due to other factors.

399
MCQmedium

Refer to the exhibit. A security analyst sees this syslog message from the ASA. Which statement best describes what is occurring?

A.An inside host is initiating a connection to a web server
B.Traffic is being denied by the access list
C.An external host is connecting to an internal host
D.The connection is being torn down
AnswerC

The log shows the connection from outside to inside.

Why this answer

Option C is correct because the log shows a connection built from an outside host (203.0.113.1) to an inside host (192.168.1.100), that is, an inbound connection from the external host to the internal host. Option A is wrong because the source is outside, not inside.

Option B is wrong because the connection is allowed (built), not denied. Option D is wrong because the message shows the connection being built, not torn down.

400
MCQmedium

A company implements a policy requiring all employees to use a hardware token for remote access. This is an example of which type of security control?

A.Compensating
B.Deterrent
C.Preventive
D.Detective
AnswerC

Preventive controls block unauthorized access, as the token does.

Why this answer

A hardware token for remote access implements multifactor authentication (something you have), which directly prevents unauthorized access by requiring a physical device in addition to credentials. This is a preventive control because it stops the threat before it can occur, aligning with the NIST definition of preventive controls that block or mitigate attacks.

Exam trap

Cisco often tests the distinction between preventive and deterrent controls by using a technology that physically blocks access (like a token or firewall) and expecting candidates to recognize that 'deterrent' applies only to psychological discouragement, not technical enforcement.

How to eliminate wrong answers

Option A is wrong because compensating controls are alternative measures that provide equivalent protection when a primary control cannot be used (e.g., using software tokens instead of hardware tokens due to cost), not the primary control itself. Option B is wrong because deterrent controls discourage malicious behavior through fear of consequences (e.g., warning banners or surveillance signs), but a hardware token does not deter; it physically prevents access. Option D is wrong because detective controls identify and log incidents after they occur (e.g., intrusion detection systems or audit logs), whereas a hardware token actively blocks unauthorized access in real time.

401
MCQmedium

A security team implements a network-based IPS. During testing, they find that legitimate traffic is frequently blocked. Which tuning approach should they prioritize?

A.Change the IPS to fail-open mode.
B.Increase the number of IPS sensors.
C.Disable or modify signatures causing false positives.
D.Reduce the IPS sensitivity level to lower.
AnswerC

Directly addresses the root cause of legitimate traffic being blocked.

Why this answer

Option C is correct because false positives occur when IPS signatures incorrectly match legitimate traffic. The most direct and effective tuning approach is to disable or modify the specific signatures causing the false positives, which reduces unnecessary blocking without compromising overall security posture.

Exam trap

Cisco often tests the distinction between tuning signatures (which addresses false positives directly) versus changing operational modes or sensitivity levels, which are broader, less precise adjustments that can introduce new risks.

How to eliminate wrong answers

Option A is wrong because changing the IPS to fail-open mode would cause the device to pass all traffic if it fails, but this does not address the root cause of false positives; it merely bypasses the IPS functionality, potentially allowing attacks through. Option B is wrong because increasing the number of IPS sensors does not resolve signature misclassification; it would only distribute the same false-positive traffic across more sensors, amplifying the problem. Option D is wrong because reducing the IPS sensitivity level may decrease false positives but also increases the risk of missing real threats (false negatives), as sensitivity controls the threshold for alerting, not the specific signature logic.

402
Multi-Selecteasy

Which TWO of the following are symmetric encryption algorithms? (Choose two.)

Select 2 answers
A.AES
B.RSA
C.Diffie-Hellman
D.ECC
E.3DES
AnswersA, E

AES is a symmetric block cipher.

Why this answer

AES (Advanced Encryption Standard) is a symmetric encryption algorithm, meaning it uses the same key for both encryption and decryption. It is widely adopted due to its strong security and efficiency, with key sizes of 128, 192, or 256 bits. 3DES (Triple Data Encryption Standard) is also symmetric, applying the DES cipher three times to each data block, effectively increasing key length and security over single DES.

Exam trap

Cisco often tests the distinction between symmetric encryption, asymmetric encryption, and key exchange protocols, so candidates mistakenly select Diffie-Hellman or ECC as encryption algorithms when they are actually used for key agreement or asymmetric operations.

403
Drag & Dropmedium

Drag and drop the steps to analyze a packet capture for suspicious activity into the correct order.


Why this order

Packet analysis: open, filter, examine, correlate, document.

404
MCQeasy

Which Windows registry hive is most likely to contain evidence of malware persistence via a service?

A.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
B.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
C.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
D.HKEY_LOCAL_MACHINE\SAM
AnswerB

This hive stores service configurations, including the path to the executable.

Why this answer

The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry hive stores the configuration for all Windows services, including their executable paths and startup types. Malware often installs itself as a service to achieve persistence, and evidence of this can be found by examining the ImagePath value under a suspicious service subkey. This is the correct location for service-based persistence, unlike the Run keys which handle startup programs for users.

Exam trap

Cisco often tests the distinction between Run keys (user logon persistence) and Services keys (system service persistence), and the trap here is that candidates confuse the Run keys with service persistence because both are common persistence mechanisms, but only the Services hive stores service-specific configurations.

How to eliminate wrong answers

Option A is wrong because HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is used for auto-starting programs at user logon, not for services; malware using this key persists via Run registry entries, not as a service. Option C is wrong because HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is a per-user Run key that only affects the currently logged-in user, not system-wide service persistence. Option D is wrong because HKEY_LOCAL_MACHINE\SAM stores Security Account Manager data (user and group hashes) and is not related to service configuration or persistence mechanisms.

405
MCQmedium

Refer to the exhibit. A network analyst sees these firewall logs. What is the most likely interpretation?

A.An attacker is performing a port scan on internal hosts from the outside
B.The firewall rule OUTSIDE_IN is misconfigured and blocking all traffic
C.A malware is trying to phone home to an external C2 server
D.A user is trying to access internal web servers legitimately but is blocked by ACL
AnswerA

Repeated denies from same source to different destinations on common ports indicate a scan.

Why this answer

The firewall logs show multiple denied TCP connection attempts from a single external IP to various internal IPs on different ports (e.g., 80, 443, 22). This pattern of sequential probes across multiple destinations and ports is characteristic of a port scan, where an attacker systematically probes for open services. The rule OUTSIDE_IN is correctly logging and blocking these attempts, indicating the firewall is functioning as designed to prevent reconnaissance.

Exam trap

Cisco often tests the distinction between a port scan (multiple destinations/ports from one source) and a C2 beacon (single destination, periodic traffic), where candidates mistakenly interpret any blocked external traffic as malware callbacks.

How to eliminate wrong answers

Option B is wrong because the firewall is actively logging and blocking traffic, which shows the rule is working correctly, not misconfigured; a misconfigured rule would either allow all traffic or block all traffic without such selective logging. Option C is wrong because malware phoning home typically uses a single, consistent destination (C2 server) on a fixed port, not a broad scan across multiple internal hosts and ports. Option D is wrong because legitimate internal web server access would originate from internal IPs, not an external source, and the logs show the source is external (e.g., 203.0.113.5), not a user inside the network.

406
MCQeasy

A security monitoring tool generates an alert for a user accessing a sensitive file at an unusual hour. What is the most appropriate next step?

A.Ignore the alert since it is likely a false positive.
B.Contact the user to confirm if the access was legitimate.
C.Escalate the alert to the incident response team.
D.Block the user's account immediately.
AnswerB

Direct verification is a quick way to triage the alert.

Why this answer

Option B is correct because the alert indicates an anomaly (unusual hour), but not necessarily malicious activity. The most appropriate first step is to verify the user's intent through direct communication, as this aligns with the principle of validation before escalation. In security monitoring, contacting the user helps confirm whether the access was authorized, reducing false positives and unnecessary incident response activation.

Exam trap

Cisco often tests the distinction between triage and escalation, trapping candidates who jump to escalation or containment without first performing the basic verification step of contacting the user.

How to eliminate wrong answers

Option A is wrong because ignoring the alert outright violates the fundamental security monitoring principle of investigating anomalies; even if it is a false positive, the alert must be triaged, not dismissed without analysis. Option C is wrong because escalating directly to the incident response team bypasses the initial triage step; escalation should occur only after preliminary verification (e.g., user confirmation or log correlation) indicates a genuine security incident. Option D is wrong because immediately blocking the user's account is an overreaction that could disrupt legitimate business operations; account lockdown should be reserved for confirmed threats, not based solely on a single anomalous access time.

407
MCQhard

MedSecure is a healthcare organization with a security policy that requires all security incidents to be handled following the NIST framework. A system administrator discovers that an unauthorized user has accessed a database containing patient records. The administrator immediately disconnects the server from the network. The security analyst is called to investigate. The analyst finds that the server was not part of the centralized logging system, and the only logs available are the database audit logs. The security policy mandates preservation of evidence and chain of custody. The analyst needs to collect the database audit logs. Which action should the analyst take to ensure proper evidence collection?

A.Make a bit-for-bit copy of the audit log files using a forensic tool, hash the original and copy, and document the process
B.Export the logs to a CSV file and email them to the security team
C.Use a write-blocker to create a forensic image of the entire hard drive
D.Copy the audit logs to a USB drive and store it in a locked drawer
AnswerA

This ensures integrity, authenticity, and proper chain of custody.

Why this answer

Option A is correct because creating a forensic copy with hashing preserves integrity and chain of custody. Option B does not preserve integrity. Option C is overkill for log files.

Option D lacks chain of custody.

408
Multi-Selecthard

An analyst is investigating a host that is suspected of being compromised. The host's security logs show multiple failed login attempts followed by a successful login from an unusual IP address, and then a series of outbound connections to known malicious destinations. Which TWO actions should the analyst take immediately? (Choose two.)

Select 2 answers
A.Delete the malicious files found on the host
B.Isolate the host from the network
C.Collect a forensic image of the host's hard drive
D.Reboot the host to clear any malware from memory
E.Run a full antivirus scan on the host
AnswersB, C

Isolating the host stops ongoing malicious activity and prevents lateral movement.

Why this answer

Option B is correct because isolating the host from the network immediately stops the outbound connections to known malicious destinations, preventing further data exfiltration, lateral movement, or command-and-control (C2) communication. This containment step is critical in incident response to limit the blast radius before any other investigative or remediation actions are taken.

Exam trap

Cisco often tests the misconception that immediate remediation (deleting files, running antivirus) is the priority, when in fact containment (isolation) and evidence preservation (forensic imaging) are the correct first steps in a structured incident response process.

409
MCQhard

A company operating in the EU experiences a data breach involving personal data of EU citizens. Under GDPR, what is the maximum timeframe to notify the supervisory authority?

A.96 hours
B.72 hours
C.24 hours
D.48 hours
AnswerB

GDPR Article 33 requires notification within 72 hours.

Why this answer

Option B is correct because GDPR requires notification within 72 hours of becoming aware of the breach. Option C is wrong because 24 hours is too short. Option D is wrong because 48 hours is not the specified timeframe.

Option A is wrong because 96 hours exceeds the allowed period.

410
MCQmedium

A Linux server is configured with auditd to monitor file access. Which audit rule will detect any attempt to read the /etc/shadow file?

A.-w /etc/shadow -p x
B.-w /etc/shadow -p a
C.-w /etc/shadow -p w
D.-w /etc/shadow -p r
AnswerD

The -p r flag monitors read access exactly.

Why this answer

Option D is correct because the `-p r` flag in an auditd rule specifies that the rule should monitor for read access attempts. The `/etc/shadow` file contains hashed passwords, and reading it is a common post-exploitation reconnaissance step. The `-w` flag watches a file, and `-p r` triggers an audit event when the file is opened for reading.

Exam trap

Cisco often tests the specific meaning of auditd permission flags (`r`, `w`, `x`, `a`) and expects candidates to know that `-p r` is for read access, not `-p x` which is for execute, a common confusion because both involve accessing a file.

How to eliminate wrong answers

Option A is wrong because `-p x` monitors for execute access, not read access; while `/etc/shadow` is not an executable, this rule would only catch attempts to execute it, which is not the typical attack vector. Option B is wrong because `-p a` monitors for attribute changes (e.g., permissions or ownership), not read operations; this would miss the actual reading of the file. Option C is wrong because `-p w` monitors for write access, which would detect modifications but not read attempts; reading is the more common reconnaissance action against `/etc/shadow`.

411
MCQeasy

A company's security policy states that all employees must use multi-factor authentication (MFA) when accessing the corporate network remotely. Which policy is being applied?

A.Incident Response Policy
B.Remote Access Policy
C.Acceptable Use Policy
D.Access Control Policy
AnswerD

Access Control Policy defines authentication requirements like MFA.

Why this answer

MFA is an authentication control, often part of an Access Control Policy. Option D is correct. Option B (remote access policy) is a subset, but the stem directly says 'accessing the corporate network.' Option C (acceptable use) is about behavior.

Option A (incident response) is about handling incidents.

412
Multi-Selectmedium

Which TWO are common indicators of a compromised host? (Choose two.)

Select 2 answers
A.User logging in during business hours.
B.Scheduled tasks running at regular intervals.
C.Unusual spikes in outbound network traffic at odd hours.
D.Unexpected outbound connections to known malicious IPs.
E.Antivirus updates occurring daily.
AnswersC, D

May indicate data exfiltration.

Why this answer

Unusual spikes in outbound network traffic at odd hours (Option C) are a common indicator of a compromised host because they often signal data exfiltration, command-and-control (C2) beaconing, or botnet activity. Attackers frequently schedule malicious traffic during off-peak hours to evade detection, and the abnormal volume or timing relative to baseline behavior is a key anomaly in security monitoring.

Exam trap

Cisco often tests the distinction between normal administrative activity (scheduled tasks, daily updates) and true behavioral anomalies (unusual timing, unexpected destinations), so candidates must avoid confusing routine operations with compromise indicators.

413
MCQhard

A cybersecurity firm is conducting a red team exercise for a client. The red team successfully gained access to the client's internal network through a phishing email and escalated privileges to domain administrator. During the exercise, the red team uses a tool to dump password hashes from the domain controller. The client's security team detects the hash dump activity and sends an alert to the SOC. The SOC analyst reviews the alert and sees that the source IP of the hash dump is from a server that is part of the red team's scope. However, the red team is not scheduled to perform hash dumping until the next phase. The analyst also notes that the activity uses a known red team tool. Which of the following actions is most appropriate?

A.Launch a full incident response procedure assuming a real attacker.
B.Assume the red team is acting out of scope and contact the red team lead for clarification.
C.Treat the alert as a false positive because the red team is authorized.
D.Immediately block the red team's IP addresses and escalate to management.
AnswerB

Given the source IP belongs to the red team and the tool is known, it is likely a schedule mismatch; contacting the lead is the best course.

Why this answer

Option B is correct because the red team is authorized to operate within the client's environment, but the activity occurred outside the scheduled phase, creating ambiguity. The most appropriate action is to contact the red team lead for clarification to determine if the hash dump was a deviation from the plan or a sign of a real attacker. This aligns with incident response best practices, which prioritize verification before escalation, especially when authorized testing is in progress.

Exam trap

Cisco often tests the concept that authorized red team activity can still be out of scope, and the trap is assuming that any activity from an authorized IP is automatically benign, leading candidates to choose Option C instead of verifying with the red team lead.

How to eliminate wrong answers

Option A is wrong because launching a full incident response procedure without first clarifying the red team's actions could waste resources and disrupt the authorized exercise, as the activity may be a legitimate part of the test. Option C is wrong because treating the alert as a false positive solely because the red team is authorized ignores the fact that the activity is out of scope and could indicate a real compromise or a miscommunication. Option D is wrong because immediately blocking the red team's IP addresses and escalating to management is an overreaction that could disrupt the authorized test and damage the relationship with the client, without first verifying the nature of the activity.

414
Drag & Dropmedium

Drag and drop the steps to configure SSH access on a Cisco IOS switch into the correct order.


Why this order

SSH configuration requires domain name, RSA keys, a local user, and enabling SSH on vty lines.

415
MCQhard

An organization's security policy requires that all traffic between the corporate network and the internet be inspected by an IPS. However, encrypted traffic (HTTPS) cannot be inspected without breaking encryption. Which solution best meets the policy requirement?

A.Allow all HTTPS traffic without inspection
B.Implement SSL/TLS interception using a proxy with a trusted certificate
C.Rely on endpoint security only
D.Disable HTTPS for internal users
AnswerB

SSL inspection decrypts, inspects, and re-encrypts traffic, enabling IPS visibility.

Why this answer

SSL/TLS interception using a trusted proxy allows inspection of encrypted traffic while maintaining security, though it requires careful implementation and user acceptance.

416
MCQmedium

During a host-based investigation, an analyst finds a process named 'svchost.exe' consuming high CPU. The process path is 'C:\Windows\Temp\svchost.exe'. What should the analyst conclude?

A.It is a legitimate Windows service host process
B.It is a third-party application that requires investigation
C.It is likely malware disguised as a legitimate process
D.It is a temporary file created by Windows Update
AnswerC

Malware often uses common names in non-standard locations to evade detection.

Why this answer

The legitimate svchost.exe (Service Host) runs from C:\Windows\System32, not C:\Windows\Temp. The Temp directory is a common location for malware to masquerade as system processes to evade detection. High CPU usage combined with an anomalous path strongly indicates malicious activity, as legitimate svchost.exe instances are signed by Microsoft and reside in System32.

Exam trap

Cisco often tests the misconception that any process named 'svchost.exe' is automatically legitimate, but the trap here is that the file path is the critical differentiator—malware frequently uses the same name as a trusted system binary but runs from an unauthorized location.

How to eliminate wrong answers

Option A is wrong because the legitimate svchost.exe is located in C:\Windows\System32, not C:\Windows\Temp; any svchost.exe outside System32 is not a genuine Windows service host. Option B is wrong because while third-party applications can run from Temp, the name 'svchost.exe' is specifically chosen to impersonate a Windows system process, making it far more likely to be malware than a benign third-party app. Option D is wrong because Windows Update does not create svchost.exe in the Temp directory; it uses trusted binaries in System32 and may create temporary files with different names (e.g., .tmp) in C:\Windows\Temp.

417
MCQmedium

Refer to the exhibit. A host-based analyst reviews auth.log. What does the accepted password log entry indicate?

A.The root account was successfully compromised
B.The system prevented a brute-force attack on the admin account
C.The admin login is legitimate because it was accepted
D.The admin account was accessed by an attacker after brute-forcing root
AnswerD

The IP tried root multiple times, then succeeded with admin, likely guessing the password.

Why this answer

The log entry shows 'Accepted password for admin from 10.10.10.10 port 22 ssh2' followed by 'Failed password for root from 10.10.10.10 port 22 ssh2'. The sequence indicates that the attacker first successfully logged in as 'admin' (accepted password), then attempted to escalate privileges by brute-forcing the 'root' account. Option D correctly identifies that the admin account was accessed by an attacker who then attempted to brute-force root, as evidenced by the failed root attempts after a successful admin login.

Exam trap

Cisco often tests the trap that 'Accepted password' automatically implies a legitimate user, but in host-based analysis, the context of subsequent failed attempts reveals malicious intent, so candidates must correlate multiple log entries rather than evaluating them in isolation.

How to eliminate wrong answers

Option A is wrong because the log shows 'Failed password for root', meaning the root account was not compromised—only an attempt was made. Option B is wrong because the system did not prevent a brute-force attack on the admin account; in fact, the admin login was accepted, indicating a successful authentication, not a prevention. Option C is wrong because the admin login being 'accepted' does not automatically make it legitimate—it could be an attacker using a valid credential, and the subsequent failed root attempts suggest malicious intent.

418
MCQeasy

Refer to the exhibit. A security analyst views these log entries from a Cisco router. What conclusion can be drawn about ACL 101?

A.ACL 101 blocks HTTP traffic
B.ACL 101 applies only to inbound traffic
C.ACL 101 denies Telnet and permits HTTP
D.ACL 101 permits all traffic
AnswerC

Denied to port 23, permitted to port 80.

Why this answer

The log shows a denied packet to port 23 (Telnet) and a permitted packet to port 80 (HTTP). This indicates the ACL denies Telnet and permits HTTP. Option C is correct.

Option A is incorrect because HTTP is permitted. Option B is incorrect because the log entries say nothing about the direction in which the ACL is applied. Option D is incorrect because some traffic is denied.

419
MCQeasy

A small retail company uses a cloud-based point-of-sale (POS) system. The IT manager receives an alert from the cloud provider that the POS application is generating an unusually high number of outbound connections to an IP address in a foreign country. The POS application is only supposed to communicate with the cloud provider's servers in the United States. The IT manager checks the POS terminal logs and finds that a new user account was created locally on the terminal with administrative privileges two days ago. The terminal does not have antivirus installed. What should the IT manager do first to contain the incident and prevent data loss?

A.Reset the password for the new user account and disable it.
B.Install antivirus software on the terminal and run a full scan.
C.Contact the cloud provider to block the outbound IP address.
D.Disconnect the POS terminal from the network immediately.
AnswerD

This is the fastest way to stop the outbound connections and prevent further data exfiltration.

Why this answer

Disconnecting the POS terminal from the network immediately halts the suspected data exfiltration and prevents further loss.

420
MCQeasy

An intrusion detection system (IDS) generates an alert for a packet containing the string '/etc/passwd'. What type of attack is likely detected?

A.Directory traversal
B.Cross-site scripting
C.Buffer overflow
D.SQL injection
AnswerA

/etc/passwd is a common target for directory traversal.

Why this answer

The string '/etc/passwd' is a classic indicator of a directory traversal attack, where an attacker attempts to access files outside the web root directory by manipulating path parameters. An IDS detecting this string in a packet payload (e.g., in a URL or HTTP request) suggests the attacker is trying to read the Unix password file, which is a common target in path traversal exploits. This attack exploits insufficient input validation to navigate the file system using '../' sequences or absolute paths.

Exam trap

Cisco often tests the distinction between attack types by using a specific string like '/etc/passwd' to mislead candidates into thinking of SQL injection or XSS, when the key is recognizing that file path references in payloads indicate directory traversal.

How to eliminate wrong answers

Option B is wrong because cross-site scripting (XSS) involves injecting malicious scripts (e.g., JavaScript) into web pages viewed by other users, not file path strings like '/etc/passwd'. Option C is wrong because a buffer overflow attack exploits memory corruption by overflowing a buffer with excessive data, not by referencing a specific file path in a request. Option D is wrong because SQL injection targets database queries by inserting SQL commands (e.g., ' OR 1=1 --) into input fields, not by requesting a file path like '/etc/passwd'.

421
Multi-Selectmedium

Which TWO of the following are indicators of a network intrusion? (Choose two.)

Select 2 answers
A.High bandwidth usage during business hours
B.A single failed login attempt from an internal user
C.Regular ICMP echo requests to external hosts
D.A sudden increase in DNS queries to unknown domains from a single host
E.Multiple outbound connections from a server to an external IP on port 445
AnswersD, E

This could indicate malware beaconing or DNS tunneling.

Why this answer

Option D is correct because a sudden spike in DNS queries to unknown domains from a single host is a classic sign of DNS tunneling or command-and-control (C2) activity. Attackers often use DNS to exfiltrate data or communicate with external servers by encoding data in DNS queries, bypassing traditional firewall rules that allow DNS traffic.

Exam trap

Cisco often tests the distinction between normal administrative traffic (like ICMP pings or a single failed login) and true indicators of compromise (like anomalous DNS queries or outbound SMB connections), trapping candidates who mistake benign activity for malicious.

422
Multi-Selecthard

Which TWO of the following are essential requirements for a security policy to be effective?

Select 2 answers
A.It should be as long and detailed as possible
B.It must be communicated to all relevant parties
C.It must be enforceable
D.It must comply with all applicable laws
E.It should be updated only when an incident occurs
AnswersB, C

Effective policies require awareness and understanding.

Why this answer

Options B and C are correct. A policy must be communicated to all relevant parties (B) and enforceable (C). Option A may be helpful but is not essential.

Option D is often legally required but is not itself a policy effectiveness requirement. Option E is wrong because updating a policy only after an incident makes it reactive rather than effective.

423
MCQhard

Refer to the exhibit. A security analyst sees this syslog message repeatedly. Which change should the analyst make to reduce the log volume while still detecting the activity?

A.Change the access-group to inbound on the outside interface
B.Add an ACL permit statement for traffic from 10.0.0.2 to 192.168.1.1
C.Implement a shun for source IP 10.0.0.2
D.Disable logging for syslog message ID 106023
AnswerC

Shun drops all packets from that IP without logging further, reducing log volume.

Why this answer

Option C is correct because implementing a shun for source IP 10.0.0.2 will block all traffic from that specific host at the Cisco ASA, preventing the repeated syslog message ID 106023 (which indicates denied traffic) from being generated. This reduces log volume while still effectively detecting and stopping the malicious activity, as the shun action drops packets before they are logged.

Exam trap

Cisco often tests the distinction between suppressing logs (which hides all future activity) and blocking the source (which stops the activity while still allowing detection of other events), leading candidates to mistakenly choose disabling logging instead of implementing a shun.

How to eliminate wrong answers

Option A is wrong because changing the access-group to inbound on the outside interface would alter the traffic filtering direction but would not reduce the log volume for the specific denied traffic from 10.0.0.2; it might even increase log entries if the ACL is misapplied. Option B is wrong because adding an ACL permit statement for traffic from 10.0.0.2 to 192.168.1.1 would allow the traffic, which defeats the purpose of detecting the activity and could introduce a security risk by permitting potentially malicious traffic. Option D is wrong because disabling logging for syslog message ID 106023 would suppress all logs for denied traffic, preventing the analyst from detecting any such activity in the future, which violates the requirement to still detect the activity.

424
MCQmedium

Refer to the exhibit. An analyst sees this syslog message from a Cisco ASA. What does this log entry indicate?

A.The access-group 'OUTSIDE_IN' permitted the traffic.
B.An internal host attempted to connect to an external web server.
C.An external host attempted to connect to an internal web server and was blocked.
D.The ASA allowed the connection because it is a stateful firewall.
AnswerC

Matches the deny action and direction.

Why this answer

The syslog message shows a deny action for traffic from an external IP (10.10.10.10) to an internal IP (192.168.1.100) on TCP port 443 (HTTPS). The access-group 'OUTSIDE_IN' is applied to the outside interface, and the deny indicates the packet was blocked by an ACL entry. This matches the scenario of an external host attempting to connect to an internal web server and being blocked.

Exam trap

Cisco often tests the ability to interpret syslog message fields (source/destination IPs and ports) to determine traffic direction and action, and the trap here is assuming that any syslog message from an ASA implies a permitted connection, when the 'deny' keyword clearly indicates a block.

How to eliminate wrong answers

Option A is wrong because the log entry explicitly shows 'deny', meaning the access-group 'OUTSIDE_IN' blocked the traffic, not permitted it. Option B is wrong because the source IP (10.10.10.10) is external (not RFC 1918), and the destination IP (192.168.1.100) is internal, indicating an inbound connection from outside to inside, not an internal host connecting outbound. Option D is wrong because while the ASA is stateful, the log entry shows a deny action, meaning the connection was not allowed; stateful inspection would only permit traffic that matches an existing session or an explicit permit ACL.
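Reading the fields of a 106023 message and counting repeats per source is the core of both question 423 and question 424. The following is an added example, not the exhibit from the question bank: the sample lines are constructed following the documented 106023 layout, and the ACL name, source ports and repeat counts are assumptions apart from the addresses the two questions state.

```python
"""Parse Cisco ASA %ASA-4-106023 deny messages, work out the traffic direction
and service (question 424) and count repeats per source to find the host a shun
would silence (question 423). Added example; the sample lines are constructed
following the documented 106023 layout, and the ACL name, ports and counts are
assumptions except for the addresses the questions state."""
import re
from collections import Counter

ASA_106023 = re.compile(
    r"%ASA-\d-106023: (?P<action>Deny) (?P<proto>\w+) src "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) dst "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Port numbers to service names for the summary (assumption: a short table).
SERVICES = {22: "ssh", 80: "http", 443: "https", 445: "smb", 3389: "rdp"}

# Constructed sample log (question 424's message plus question 423's repeats).
SAMPLE_LOG = [
    '%ASA-4-106023: Deny tcp src outside:10.10.10.10/51234 dst inside:192.168.1.100/443 '
    'by access-group "OUTSIDE_IN" [0x0, 0x0]',
] + [
    f'%ASA-4-106023: Deny tcp src outside:10.0.0.2/{40000 + i} dst inside:192.168.1.1/22 '
    'by access-group "OUTSIDE_IN" [0x0, 0x0]'
    for i in range(5)
] + [
    '%ASA-4-106023: Deny tcp src outside:10.0.0.9/40100 dst inside:192.168.1.1/22 '
    'by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.4/55000 '
    '(198.51.100.4/55000) to inside:192.168.1.100/443 (192.168.1.100/443)',  # not 106023
]


def parse_106023(line):
    """Return the message fields as a dict, or None if the line is not a 106023."""
    m = ASA_106023.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def classify(rec):
    """Direction comes from the interface names in the message (the ASA nameif),
    not from guessing at address ranges; the service comes from the destination port."""
    if rec["src_if"] == "outside" and rec["dst_if"] != "outside":
        direction = "inbound"
    elif rec["dst_if"] == "outside":
        direction = "outbound"
    else:
        direction = "internal"
    return {
        "action": "blocked",    # the regex only matches Deny messages
        "direction": direction,
        "service": SERVICES.get(rec["dst_port"], f"{rec['proto']}/{rec['dst_port']}"),
        "acl": rec["acl"],
    }


def shun_candidates(lines, threshold=3):
    """Sources that generated at least `threshold` 106023 denies: blocking these
    at the ASA (shun) stops the repeats, whereas disabling message 106023 would
    hide every future deny. Returns [(src_ip, count), ...], highest first."""
    counts = Counter()
    for line in lines:
        rec = parse_106023(line)
        if rec:
            counts[rec["src_ip"]] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    print(classify(parse_106023(SAMPLE_LOG[0])))
    print(shun_candidates(SAMPLE_LOG))
```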

425
MCQhard

You are a SOC analyst for a financial services firm. The firm uses a combination of Cisco Firepower IPS, Windows Event Log collection, and a custom SIEM. At 10:00 AM, the SIEM generates an alert: 'Event ID 4625: Multiple failed logins for user 'jdoe' from IP 10.0.0.100'. The alert fires 10 times within 5 minutes. The source IP is a file server. You check the file server's logs and see that it is running a scheduled script that attempts to map a network drive using jdoe's credentials. The script is legitimate and has been running for months. However, the script's credentials may have expired or changed. The user jdoe is currently on leave. The file server administrator confirms that the script is part of a backup process. What is the best course of action?

A.Escalate the alert to the incident response team for investigation
B.Disable user jdoe's account immediately to prevent further attempts
C.Block the file server's IP address in the firewall
D.Update the script with correct credentials and clear the alert
AnswerD

The root cause is expired credentials; updating the script resolves the issue without unnecessary action.

Why this answer

The alert is a false positive triggered by a legitimate scheduled script that has been running for months. The root cause is expired or changed credentials for user 'jdoe'. Updating the script with the correct credentials resolves the issue without disrupting operations.

Clearing the alert removes the noise from the SIEM, allowing the SOC to focus on genuine threats.

Exam trap

Cisco often tests the ability to distinguish between a true security incident and a false positive caused by a legitimate process, where the trap is to immediately escalate or take reactive security actions without first verifying the context and root cause of the alert.

How to eliminate wrong answers

Option A is wrong because escalating to the incident response team is unnecessary for a known, legitimate process; incident response should be reserved for confirmed security incidents, not false positives. Option B is wrong because disabling jdoe's account would disrupt the legitimate backup script and potentially other services, and the user is on leave, so the account is not actively being used maliciously. Option C is wrong because blocking the file server's IP in the firewall would break the backup process and potentially other legitimate services hosted on that server, as the source IP is a trusted internal asset.

426
Multi-Selecteasy

Which TWO actions are characteristic of a port scan performed by an attacker? (Choose two.)

Select 2 answers
A.Using TCP SYN packets without completing the three-way handshake.
B.Sending multiple connection requests to various ports on a single host.
C.Randomly selecting target ports without any pattern.
D.Spoofing the source IP address to evade detection.
E.Sending packets at a very low rate to avoid triggering threshold-based alerts.
AnswersA, B

SYN scans are a common stealth scanning technique.

Why this answer

A is correct because a TCP SYN scan sends a SYN packet to initiate a connection but never completes the three-way handshake by sending the final ACK. This allows the attacker to determine if a port is open (SYN-ACK received) or closed (RST received) without establishing a full connection, which helps evade some logging mechanisms.

Exam trap

Cisco often tests the distinction between a port scan's core mechanism (SYN packets without completing the handshake) and optional evasion techniques (like low rate or IP spoofing), leading candidates to mistakenly choose evasion methods as defining characteristics.

427
MCQeasy

As a SOC analyst, you are reviewing alerts from a network-based IDS. One alert is for 'ET TROJAN Zeus Trojan Check-in' triggered by traffic from an internal host to an external IP on port 8080. The IDS packet capture shows the traffic is encrypted. You check the host's antivirus logs and find that the host has not been scanned in 30 days. The host belongs to the HR department and typically accesses only internal resources and a few external HR portals. What should be your first action?

A.Ignore the alert because it is encrypted and likely a false positive.
B.Block the external IP address at the firewall.
C.Immediately isolate the host from the network by disabling its switch port.
D.Perform a full antivirus scan on the host and review recent process activity.
AnswerD

This verifies if the host is actually compromised.

Why this answer

Option D is correct because the alert indicates possible trojan activity; verifying with a scan and process review is appropriate before taking more drastic action. Option C is too aggressive without confirmation. Option B may be done later, but host compromise must first be verified.

Option A is dangerous.

428
MCQmedium

An analyst sees this syslog message on the Cisco ASA. What is the most likely cause of this alert?

A.Normal traffic spike
B.A routing loop
C.A DoS attack
D.A misconfigured firewall
AnswerC

The high burst rate exceeding the configured max is consistent with a DoS attack overwhelming the firewall.

Why this answer

The syslog message likely indicates a high rate of connection attempts or incomplete sessions (e.g., %ASA-4-106017: Deny TCP due to SYN flood or %ASA-4-733100: Drop rate exceeded). This is characteristic of a Denial of Service (DoS) attack, where an attacker overwhelms the firewall with traffic to exhaust resources or disrupt service. Option C is correct because the ASA's threshold-based alerting specifically triggers on abnormal traffic volumes that match DoS patterns.

Exam trap

Cisco often tests the distinction between a DoS attack and a misconfiguration by embedding syslog messages that reference rate-based thresholds (e.g., 'Drop rate exceeded') rather than explicit ACL deny messages, leading candidates to mistakenly choose 'misconfigured firewall' when the alert is actually a security event.

How to eliminate wrong answers

Option A is wrong because a normal traffic spike would not typically exceed the ASA's configured connection or rate limits unless the baseline is misestimated, and the syslog message explicitly flags a security event rather than a mere statistical anomaly. Option B is wrong because a routing loop would manifest as TTL-exceeded ICMP messages or routing protocol instability, not as a syslog message about denied connections or rate limits on the ASA. Option D is wrong because a misconfigured firewall might cause legitimate traffic to be blocked, but the alert specifically indicates an attack-level volume or pattern (e.g., SYN flood), not a configuration error like an incorrect ACL or NAT rule.

429
MCQmedium

You are monitoring a network segment that hosts a public-facing web server. The NIDS alerts on a signature 'ET WEB_SERVER SQL Injection Attempt' triggered by traffic to the web server. The alert details show a GET request with the parameter 'id=1 OR 1=1'. The web server responds with a 200 OK and returns data. You check the web server logs and find that the application is a legacy system that does not use prepared statements. The security team has a policy to block all SQL injection attempts at the network level. However, you notice that the web server is also receiving legitimate traffic with similar patterns from internal monitoring tools that use dynamic queries. What is the most appropriate response?

A.Add the internal monitoring tools' IP addresses to the whitelist and ensure that the network blocks the suspicious external request.
B.Disable the SQL injection signature for the web server because it causes false positives.
C.Immediately block all traffic from the external source IP that triggered the alert.
D.Request that the internal monitoring tools stop using dynamic queries, and leave the signature as is.
AnswerA

Whitelisting internal tools reduces false positives; blocking external malicious traffic maintains security.

Why this answer

Option A is correct because it balances security policy compliance with operational continuity. The internal monitoring tools' IP addresses should be whitelisted at the NIDS to prevent false positives, while the suspicious external request (which matches the SQL injection signature) should be blocked at the network level, as per policy. This approach ensures that legitimate internal traffic is not disrupted, while the external threat is mitigated.

Exam trap

Cisco often tests the candidate's ability to distinguish between a true positive and a false positive in the context of security policy, where the trap is to immediately block the external IP (Option C) without considering that the alert might be a false positive or that a whitelist for legitimate internal traffic is the more appropriate first step.

How to eliminate wrong answers

Option B is wrong because disabling the entire SQL injection signature for the web server would leave the system vulnerable to actual attacks, violating the security team's policy to block all SQL injection attempts. Option C is wrong because immediately blocking all traffic from the external source IP could be too aggressive; the alert may be a false positive or a reconnaissance attempt, and a more measured response (e.g., rate-limiting or further investigation) is appropriate before a permanent block. Option D is wrong because requesting internal monitoring tools to stop using dynamic queries is impractical and unnecessary; the tools are legitimate and their traffic can be whitelisted, while the signature should remain active for external threats.

430
MCQeasy

During network intrusion analysis, an analyst observes a TCP connection with the SYN flag set but no subsequent ACK. This pattern is indicative of:

A.SYN flood attack
B.DNS resolution
C.Normal three-way handshake
D.ICMP echo request
AnswerA

Incomplete SYN handshakes are a sign of SYN flood.

Why this answer

A SYN flood attack is a type of denial-of-service (DoS) attack where the attacker sends a high volume of TCP SYN packets to a target server but never completes the three-way handshake by sending the final ACK. This leaves the server with half-open connections, consuming resources and potentially exhausting the connection backlog, which prevents legitimate clients from establishing connections.

Exam trap

Cisco often tests the distinction between a normal three-way handshake and an incomplete handshake pattern, where candidates mistakenly think any SYN packet indicates a legitimate connection attempt rather than recognizing the missing ACK as the hallmark of a SYN flood.

How to eliminate wrong answers

Option B is wrong because DNS resolution uses UDP (or TCP for zone transfers) and does not involve TCP SYN flags; it relies on query/response pairs over port 53. Option C is wrong because a normal three-way handshake requires a SYN, SYN-ACK, and then an ACK; the absence of the final ACK indicates an incomplete handshake, not a normal one. Option D is wrong because ICMP echo request is a network-layer diagnostic message (type 8) that does not use TCP flags or ports; it operates at the Internet layer and is not part of TCP connection establishment.
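Both question 426 (SYN scan) and question 430 (SYN flood) hinge on SYNs that are never followed by the initiator's final ACK. The following added example, not code from the question bank, finds those half-open handshakes in a constructed packet summary and separates a scan (many ports on one host) from a flood (many SYNs to one port); the packet tuples and thresholds are assumptions.

```python
"""Find half-open TCP handshakes in a constructed packet summary and tell a
port scan (question 426: many ports on one host, handshake never completed)
from a SYN flood (question 430: many SYNs to one port, final ACK never sent).
Added example; the packet tuples and thresholds are assumptions."""
from collections import defaultdict

# Constructed packets: (src, sport, dst, dport, flags). Flags use tcpdump-style
# letters: S=SYN, A=ACK, R=RST, P=PSH.
SERVER = "192.168.1.10"
PACKETS = []

# A legitimate client completes the three-way handshake and sends data.
PACKETS += [
    ("10.1.1.5", 50001, SERVER, 443, "S"),
    (SERVER, 443, "10.1.1.5", 50001, "SA"),
    ("10.1.1.5", 50001, SERVER, 443, "A"),
    ("10.1.1.5", 50001, SERVER, 443, "PA"),
]
# A scanner probes seven ports and never answers the SYN-ACKs (stealth scan).
for i, port in enumerate((21, 22, 23, 25, 80, 443, 3389)):
    PACKETS.append(("198.51.100.4", 40000 + i, SERVER, port, "S"))
    reply = "SA" if port in (22, 80, 443) else "RA"   # open vs closed port
    PACKETS.append((SERVER, port, "198.51.100.4", 40000 + i, reply))
# A flood source sends many SYNs to one port from different source ports.
for i in range(10):
    PACKETS.append(("203.0.113.9", 30000 + i, SERVER, 80, "S"))
    PACKETS.append((SERVER, 80, "203.0.113.9", 30000 + i, "SA"))


def half_open_connections(packets):
    """Return the set of (src, sport, dst, dport) whose SYN was never followed
    by an ACK-only (or data) packet from the initiator."""
    syn_sent, completed = set(), set()
    for src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if "S" in flags and "A" not in flags:
            syn_sent.add(key)
        elif "A" in flags and "S" not in flags and "R" not in flags and key in syn_sent:
            completed.add(key)
    return syn_sent - completed


def classify_sources(packets, scan_ports=5, flood_syns=8):
    """Label each source that left half-open connections: 'port scan' when its
    unanswered SYNs span many destination ports, 'syn flood' when many target a
    single port on a single host, otherwise 'half-open'."""
    per_src = defaultdict(list)
    for src, _, dst, dport in half_open_connections(packets):
        per_src[src].append((dst, dport))
    labels = {}
    for src, targets in per_src.items():
        ports = {dport for _, dport in targets}
        hosts = {dst for dst, _ in targets}
        if len(ports) >= scan_ports:
            labels[src] = "port scan"
        elif len(ports) == 1 and len(hosts) == 1 and len(targets) >= flood_syns:
            labels[src] = "syn flood"
        else:
            labels[src] = "half-open"
    return labels


if __name__ == "__main__":
    for src, label in classify_sources(PACKETS).items():
        print(src, "->", label)
```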

431
MCQhard

A company uses syslog for logging from all network devices. The SOC notices that logs from a critical router are not appearing in the SIEM for the past hour, but other devices are sending logs normally. Which step should the analyst take FIRST to troubleshoot?

A.Ping the SIEM server from the router
B.Restart the router syslog service
C.Check the router logging configuration
D.Check the SIEM server's log receiver status
AnswerA

Verifying network connectivity helps isolate if the issue is network or device related.

Why this answer

The SOC sees that only one router's logs are missing while all other devices are sending logs normally. This strongly suggests the issue is isolated to that router, not the SIEM server. The quickest first step is to verify basic IP connectivity from the router to the SIEM server using ping.

If the router cannot reach the SIEM server (e.g., due to a routing problem, ACL, or firewall change), no syslog UDP packets (port 514) will arrive, and no amount of local configuration checking or service restarting will fix it. This aligns with the standard troubleshooting methodology of verifying Layer 3 reachability before diving into application-layer settings.

Exam trap

Cisco often tests the principle of 'start with the simplest, least disruptive test'—candidates mistakenly jump to checking configuration or restarting services because they assume the problem is software-related, when the most common cause is a network connectivity issue that can be verified with a single ping.

How to eliminate wrong answers

Option B is wrong because restarting the router's syslog service is a disruptive action that should only be taken after confirming connectivity and configuration; it assumes the service is hung, which is unlikely given that other devices are fine. Option C is wrong because checking the router logging configuration is a valid step, but it should come after confirming basic network connectivity—if the router can't reach the SIEM, the configuration is irrelevant. Option D is wrong because the SIEM server's log receiver status is not the likely root cause since all other devices are successfully sending logs, indicating the SIEM receiver is operational.

432
MCQmedium

An analyst needs to collect volatile data from a live host before performing a memory dump. Which data is most volatile?

A.Registry data
B.Network connections
C.File system metadata
D.Event logs
AnswerB

Network state changes with every packet, making it highly volatile.

Why this answer

Network connections are the most volatile data because they change rapidly as packets flow and sessions are established or torn down. In live response, the current state of TCP/UDP connections (e.g., via netstat -ano) can be lost the instant the system is powered off or the network cable is pulled, making them more ephemeral than registry data, file system metadata, or event logs.

Exam trap

Cisco often tests the order of volatility (RFC 3227) by making candidates confuse persistent disk-based data (registry, logs, file metadata) with transient memory-based data, so the trap is assuming that any system artifact is equally volatile when network state is actually the most ephemeral.

How to eliminate wrong answers

Option A is wrong because registry data persists on disk and changes only when software is installed, configured, or uninstalled, making it less volatile than active network connections. Option C is wrong because file system metadata (e.g., timestamps, permissions) is stored on disk and remains relatively stable until files are explicitly modified, so it is not as transient as network state. Option D is wrong because event logs are written to disk and persist across reboots, so they are far less volatile than live network connection tables.

433
Multi-Selecteasy

Which TWO of the following are commonly used protocols for network security monitoring? (Select 2)

Select 2 answers
A.SMTP
B.SNMP
C.TLS
D.Syslog
E.NetFlow
AnswersB, E

SNMP is used for device monitoring.

Why this answer

SNMP (Simple Network Management Protocol) is correct because it is a standard protocol used to collect and organize information about managed devices on IP networks, enabling network monitoring and alerting via traps and polls. NetFlow is correct because it is a Cisco-developed protocol that captures metadata about network traffic flows, providing visibility into bandwidth usage, top talkers, and security anomalies for monitoring purposes.

Exam trap

Cisco often tests the distinction between protocols used for monitoring (SNMP, NetFlow) versus protocols used for transport or security (TLS, SMTP) or logging (Syslog), leading candidates to mistakenly select Syslog because it is associated with security logs, even though it is not a monitoring protocol in the same sense as SNMP or NetFlow.

434
Multi-Selectmedium

Which three types of data are commonly collected and analyzed for network intrusion detection? (Choose three.)

Select 3 answers
A.Syslog messages
B.NetFlow records
C.Full packet captures
D.Windows event logs
E.DNS query logs
AnswersA, B, C

Logs from network devices are critical.

Why this answer

Syslog messages are a standard protocol (RFC 5424) used to forward log messages from network devices, servers, and applications to a central logging server. In intrusion detection, syslog data provides critical event information such as authentication failures, interface status changes, and security policy violations, which analysts correlate with other data sources to identify malicious activity.

Exam trap

Cisco often tests the distinction between network-based and host-based data sources, and the trap here is that candidates may incorrectly include Windows event logs (host-based) or DNS query logs (specialized) as primary network intrusion detection data, when the exam expects the three foundational types: syslog, NetFlow, and full packet captures.

435
Multi-Selecthard

An analyst is examining the Windows Registry on a host suspected of persistence via a malicious service. Which two registry keys are most relevant to investigate?

Select 2 answers
A.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
B.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
C.HKEY_CLASSES_ROOT\exefile\shell\open\command
D.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
E.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AnswersA, D

This key lists all system services.

Why this answer

Option A is correct because the Services key under CurrentControlSet lists all registered Windows services, including their executable paths and startup types. Malicious services often register here to achieve persistence by starting automatically with the system. Examining this key allows an analyst to identify suspicious service names, image paths, or startup configurations that indicate persistence.

Exam trap

Cisco often tests the distinction between service persistence (Services key) and other autorun mechanisms (Run, RunOnce, AppInit_DLLs), so candidates may confuse the Services key with the Run key or other startup locations.

436
MCQeasy

During a security audit, an analyst discovers that several employees have shared their login credentials with colleagues to expedite work. Which policy enforcement mechanism would be most effective in preventing this behavior?

A.Implement a password complexity policy.
B.Implement multi-factor authentication.
C.Enforce a password change policy every 30 days.
D.Conduct annual security awareness training.
AnswerB

MFA requires a physical token or biometric, making sharing impractical.

Why this answer

Multi-factor authentication (MFA) is the most effective enforcement mechanism because it requires a second factor (e.g., a one-time passcode from an authenticator app, a hardware token, or a biometric) in addition to the password. Even if employees share their passwords, MFA prevents unauthorized access because the second factor is tied to the individual's device or identity and cannot be easily shared. This directly addresses the root cause of credential sharing by making shared credentials useless without the additional factor.

Exam trap

The trap here is that candidates often choose security awareness training (Option D) because it seems like a logical educational fix, but Cisco tests the distinction between administrative controls (training) and technical enforcement mechanisms (MFA) that actually prevent the behavior at the authentication layer.

How to eliminate wrong answers

Option A is wrong because a password complexity policy only enforces the strength of the password (e.g., length, character types) but does nothing to prevent users from voluntarily sharing those strong passwords with colleagues. Option C is wrong because enforcing a password change every 30 days may reduce the window of exposure but does not prevent sharing; users can simply share the new password after each change. Option D is wrong because annual security awareness training educates users about policy but relies on voluntary compliance and does not technically enforce or prevent the behavior; users may still share credentials despite knowing the policy.

437
MCQmedium

Refer to the exhibit. A security analyst reviews the configuration of a router and notices the access list applied to the internal interface. Which traffic from the source network 10.0.0.0/8 will be permitted? (Assume typical web traffic.)

A.HTTP and HTTPS traffic only
B.All TCP traffic
C.All IP traffic from 10.0.0.0/8
D.Only HTTP traffic
AnswerA

The ACL explicitly permits TCP traffic to ports 80 and 443.

Why this answer

Option A is correct because the ACL permits TCP traffic from 10.0.0.0/8 to any destination on ports 80 (HTTP) and 443 (HTTPS). Option B is wrong because only these two ports are permitted, not all TCP traffic. Option C is wrong because the ACL permits only HTTP and HTTPS, not all IP traffic.

Option D is wrong because both HTTP and HTTPS are allowed.
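The exhibit is not reproduced on the page, so the following added example (not from the question bank) rebuilds the ACL the explanation describes, two permits for TCP 80 and 443 from 10.0.0.0/8, and evaluates packets against it the way IOS does: first match wins and anything unmatched hits the implicit deny. The list number 101 and the test packets are assumptions.

```python
"""Evaluate a small Cisco IOS extended ACL the way the router does (first match
wins, implicit deny at the end) to show which 10.0.0.0/8 traffic question 437's
ACL permits. Added example; the exhibit is not reproduced on the page, so the
ACL text below is constructed from the answer explanation (TCP to ports 80 and
443) and the list number 101 is an assumption."""
from ipaddress import ip_address

# Constructed ACL as it would appear in the running configuration.
ACL_TEXT = """
access-list 101 permit tcp 10.0.0.0 0.255.255.255 any eq www
access-list 101 permit tcp 10.0.0.0 0.255.255.255 any eq 443
"""

# IOS port keywords that may appear after 'eq' (partial table, assumption).
PORT_KEYWORDS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}


def _parse_address(tokens, i):
    """Consume an address spec ('any', 'host A', or 'A WILDCARD'); return
    ((network_int, mask_of_fixed_bits), next_index)."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ip_address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    net, wild = int(ip_address(tokens[i])), int(ip_address(tokens[i + 1]))
    fixed = ~wild & 0xFFFFFFFF          # wildcard 0 bits must match exactly
    return (net & fixed, fixed), i + 2


def parse_acl(text):
    """Return [(action, proto, (src_net, src_fixed), (dst_net, dst_fixed), dport)]."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_address(t, 4)
        dst, i = _parse_address(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_KEYWORDS.get(t[i + 1]) or int(t[i + 1])
        entries.append((action, proto, src, dst, dport))
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry decides; no match means the implicit 'deny ip any any'."""
    s, d = int(ip_address(src_ip)), int(ip_address(dst_ip))
    for action, p, (snet, sfix), (dnet, dfix), dport in entries:
        if p not in ("ip", proto):
            continue
        if (s & sfix) != snet or (d & dfix) != dnet:
            continue
        if dport is not None and dport != dst_port:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for pkt in [("tcp", "10.5.5.5", "198.51.100.1", 80),
                ("tcp", "10.5.5.5", "198.51.100.1", 443),
                ("tcp", "10.5.5.5", "198.51.100.1", 22),
                ("udp", "10.5.5.5", "198.51.100.1", 53),
                ("tcp", "192.168.1.1", "198.51.100.1", 80)]:
        print(pkt, "->", evaluate(acl, *pkt))
```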

438
MCQmedium

A change management policy requires that all network configuration changes be approved by a change advisory board (CAB) before implementation. An urgent security vulnerability requires an immediate firewall rule change to block an active exploit. What should the network administrator do?

A.Convene an emergency CAB meeting before making the change
B.Apply the change immediately and then submit an emergency change request for post-approval
C.Ignore the vulnerability until the next scheduled CAB meeting
D.Wait for CAB approval to ensure compliance with policy
AnswerB

Emergency changes are permitted with later documentation and approval.

Why this answer

Option B is correct because emergency change procedures should allow immediate action with retroactive approval. Option A is unnecessary if an emergency procedure exists. Option C violates policy by leaving an active exploit unaddressed.

Option D is unrealistic for an urgent fix.

439
MCQmedium

Refer to the exhibit. A security analyst notices repeated login failures. According to the company's security policy, what action should be taken?

A.Block the source IP at the firewall
B.Ignore because it's only three failures
C.Investigate for brute force attack
D.Disable the user account
AnswerC

The pattern suggests a brute-force attempt; investigation is the first step per incident response procedures.

Why this answer

Repeated login failures are a classic indicator of a brute-force attack, where an attacker attempts to guess credentials by trying many passwords. The security policy should require investigation to confirm the attack pattern (e.g., frequency, source, target accounts) before taking irreversible actions like blocking or disabling. Option C is correct because it follows the principle of verify-then-act, aligning with incident response procedures.

Exam trap

Cisco often tests the candidate's ability to distinguish between reactive actions (block, disable) and proper incident response steps (investigate first), where the trap is to jump to a technical fix without following the security policy's investigation requirement.

How to eliminate wrong answers

Option A is wrong because blocking the source IP at the firewall may be premature without confirming the attack is malicious (e.g., a user with a forgotten password could trigger failures) and could cause denial of service to legitimate users. Option B is wrong because three failures can be part of a larger brute-force attempt; security policies typically define thresholds (e.g., 5 failures in 5 minutes) that trigger investigation, not dismissal. Option D is wrong because disabling the user account without investigation could lock out a legitimate user and does not address the root cause (e.g., the account may not be the target; the attacker could be targeting multiple accounts).
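The "5 failures in 5 minutes" threshold mentioned above and the false-positive backup script of question 425 fit the same triage logic. The following added example, not code from the question bank, applies a sliding-window threshold to constructed Windows Event ID 4625 records and then checks each alert against a list of known scheduled jobs; the event layout, job list and thresholds are assumptions, with question 425's host 10.0.0.100 and user jdoe used as the known job.

```python
"""Apply a '5 failures in 5 minutes' policy threshold (question 439) to
Windows Event ID 4625 records with a sliding window, then triage each alert
against the list of known scheduled jobs so a legitimate backup script running
with stale credentials (question 425) is separated from a brute-force source.
Added example; the event layout, the job list and the thresholds are
assumptions, with the question's host 10.0.0.100 and user jdoe as the known job."""
from collections import defaultdict

# Constructed 4625 events: (seconds since start, source IP, target user name).
EVENTS = (
    # The backup script on the file server: 10 failures in five minutes.
    [(30 * i, "10.0.0.100", "jdoe") for i in range(10)]
    # An external host hammering one account: 7 failures in 70 seconds.
    + [(100 + 10 * i, "198.51.100.77", "administrator") for i in range(7)]
    # A user who mistyped a password twice: below threshold.
    + [(200, "10.1.1.5", "alice"), (215, "10.1.1.5", "alice")]
)

# Known scheduled jobs that authenticate from a fixed host (assumption).
KNOWN_JOBS = {("10.0.0.100", "jdoe"): "nightly backup drive mapping"}


def failed_logon_alerts(events, threshold=5, window=300):
    """Return {src_ip: (max failures in any window, set of target users)} for
    every source that reaches the threshold."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    alerts = {}
    for src, items in by_src.items():
        items.sort()
        times = [ts for ts, _ in items]
        best, j = 0, 0
        for i in range(len(times)):
            while times[i] - times[j] > window:   # slide the window start forward
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            alerts[src] = (best, {user for _, user in items})
    return alerts


def triage(alerts, known_jobs=KNOWN_JOBS):
    """Decide the first action for each alert: a single-user burst from a host
    with a registered job points at stale credentials in the job (fix the job,
    clear the alert); anything else is investigated as a brute-force attempt."""
    decisions = {}
    for src, (count, users) in alerts.items():
        job = known_jobs.get((src, next(iter(users)))) if len(users) == 1 else None
        if job:
            decisions[src] = f"false positive: update credentials for '{job}'"
        else:
            decisions[src] = "investigate for brute-force attack"
    return decisions


if __name__ == "__main__":
    for src, verdict in triage(failed_logon_alerts(EVENTS)).items():
        print(src, "->", verdict)
```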

440
MCQmedium

During a PCAP analysis, an analyst sees an ICMP echo reply packet that is larger than usual (2000 bytes). What is this likely indicating?

A.ICMP flood
B.Fragmented packet
C.Smurf attack
D.Ping of death attempt
AnswerD

Ping of death uses oversized ICMP packets to crash systems.

Why this answer

A standard ICMP echo reply packet has a payload of 56 bytes (or 64 bytes including the ICMP header) for a total IP packet size of 84 bytes. A 2000-byte ICMP echo reply exceeds the maximum allowed size for an ICMP packet (65535 bytes for IPv4, but typical implementations limit the data portion to much smaller values). This oversized packet is characteristic of a Ping of Death attack, where the attacker sends a malformed ICMP packet that, when reassembled, causes a buffer overflow on the target system, leading to a crash or denial of service.

Exam trap

Cisco often tests the distinction between a high-volume attack (like an ICMP flood or Smurf attack) and a malformed-packet attack (like Ping of Death), where the key indicator is the abnormal size of a single packet rather than the rate of packets.

How to eliminate wrong answers

Option A is wrong because an ICMP flood involves sending a high volume of ICMP packets, not a single oversized packet; the size of individual packets in a flood is typically normal. Option B is wrong because a fragmented packet is a normal IP mechanism for handling packets larger than the MTU (usually 1500 bytes), and a 2000-byte packet would be fragmented into smaller pieces, not sent as a single large unfragmented packet. Option C is wrong because a Smurf attack uses ICMP echo requests with a spoofed source IP to cause a flood of replies to the victim, but the individual reply packets are of normal size, not oversized.

441
MCQmedium

A security policy requires that all changes to firewall rules be approved by two administrators. This is an example of which security principle?

A.Need to know
B.Defense in depth
C.Separation of duties
D.Least privilege
AnswerC

Two-person rule prevents unauthorized changes.

Why this answer

The requirement that two administrators must approve firewall rule changes enforces separation of duties, a security principle that prevents any single individual from having exclusive control over a critical operation. This reduces the risk of unauthorized or malicious rule modifications by ensuring collusion or independent review is required. In firewall management, this is often implemented via change management workflows with distinct approval and implementation roles.

Exam trap

Cisco often tests separation of duties by contrasting it with least privilege, where candidates mistakenly think limiting who can change rules is the same as limiting what they can access, but the key difference is that separation of duties focuses on dividing critical tasks among multiple people to prevent fraud or error.

How to eliminate wrong answers

Option A is wrong because 'need to know' restricts access to information based on job requirements, not the approval process for changes. Option B is wrong because 'defense in depth' involves multiple layers of security controls (e.g., firewall, IDS, antivirus), not a procedural check on administrative actions. Option D is wrong because 'least privilege' limits user permissions to the minimum necessary for their role, whereas this policy controls how changes are authorized, not the baseline access level.

442
MCQmedium

A company's security policy states that all remote access must be through a VPN. An employee complains that the VPN is too slow and asks for an exception to access a specific internal server directly over the internet. What should the security analyst recommend?

A.Configure a separate VPN profile with lower encryption.
B.Allow direct access but only from the employee's home IP.
C.Grant the exception temporarily and monitor the connection.
D.Investigate the VPN performance issue and optimize if possible.
AnswerD

Performance issues should be resolved; exceptions should be a last resort with formal risk acceptance.

Why this answer

Option D is correct because the security policy mandates VPN for all remote access, and bypassing it would violate the principle of least privilege and expose the internal server directly to the internet. The analyst should first investigate the VPN performance issue—common causes include MTU mismatch, high latency, or encryption overhead—and optimize it (e.g., adjusting MTU, using split tunneling, or upgrading hardware) rather than granting an exception that undermines security.

Exam trap

Cisco often tests the principle that security policies must be enforced consistently, and the trap here is that candidates think a temporary or IP-based exception is acceptable, when in fact any direct access bypasses the VPN's encryption and authentication, violating the core security requirement.

How to eliminate wrong answers

Option A is wrong because lowering encryption (e.g., from AES-256 to AES-128 or disabling PFS) weakens confidentiality and integrity, violating security policy and potentially compliance requirements like PCI DSS. Option B is wrong because allowing direct access from the employee's home IP still exposes the internal server to the public internet, bypassing the VPN's authentication and encryption, and the home IP can change or be spoofed. Option C is wrong because a temporary exception still creates a security gap—attackers could exploit the window, and monitoring does not prevent a direct attack on the exposed server.

443
MCQhard

A Snort rule is configured: alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:'NTP DDoS'; content:'|17 00 03 2a|'; depth:4;). What does this rule detect?

A.SNMP community string
B.NTP server misconfiguration
C.DNS amplification attack
D.NTP amplification attack
AnswerD

Correct. The rule detects NTP monlist requests used in DDoS amplification.

Why this answer

The rule triggers on UDP traffic from port 123 (NTP) on the internal network to any port on an external network, with a payload starting with the bytes `17 00 03 2a`. These bytes correspond to the NTP control message header for a `MON_GETLIST` request (opcode 0x17, sequence 0x00, status 0x03, association ID 0x002a), which is the classic pattern used in NTP amplification attacks. This detects an outgoing NTP query that attempts to exploit the `monlist` command to reflect a large volume of traffic toward a victim, making D correct.

Exam trap

Cisco often tests the distinction between the protocol and port used in the attack (NTP on UDP 123) versus other amplification vectors (DNS on UDP 53, SNMP on UDP 161), so the trap here is confusing the NTP amplification attack with DNS amplification because both use reflection, but the rule's port and content bytes uniquely identify NTP.

How to eliminate wrong answers

Option A is wrong because SNMP community strings are carried in SNMP packets (UDP ports 161/162) and use different payload patterns (e.g., version, community string), not the NTP control message bytes `17 00 03 2a`. Option B is wrong because an NTP server misconfiguration (e.g., allowing open queries) is a vulnerability, not a specific attack signature; the rule detects the actual exploit attempt (the `monlist` request), not the configuration state. Option C is wrong because DNS amplification attacks use DNS queries (UDP port 53) with specific opcodes and flags (e.g., ANY query with recursion desired), not NTP control messages on port 123.
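To make the rule's match conditions concrete, here is an added example (not part of this question bank) that applies them in Python to a few constructed UDP datagrams: source port 123, $HOME_NET to $EXTERNAL_NET direction, and the four content bytes at depth 4. The HOME_NET range and every address are constructed for the example; the header decoder reads the signature bytes using the NTP mode 7 private-packet layout (version/mode byte, sequence byte, implementation number, request code 42 = MON_GETLIST_1, the "monlist" request).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for this example: stand-in for Snort's $HOME_NET variable.
HOME_NET = ip_network("10.0.0.0/8")

# The content bytes from the rule: |17 00 03 2a|.
MONLIST_SIG = bytes.fromhex("1700032a")


@dataclass
class UdpDatagram:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def in_home_net(addr: str) -> bool:
    return ip_address(addr) in HOME_NET


def decode_ntp_private_header(payload: bytes) -> dict:
    """Decode the first four bytes as an NTP mode 7 (private) packet header."""
    if len(payload) < 4:
        raise ValueError("payload shorter than an NTP private header")
    b0, b1, impl, reqcode = payload[:4]
    return {
        "response": bool(b0 & 0x80),   # R bit: 0 = request, 1 = response
        "more": bool(b0 & 0x40),       # M bit: more fragments follow
        "version": (b0 >> 3) & 0x07,   # 0x17 -> version 2
        "mode": b0 & 0x07,             # 7 = private / implementation-specific
        "sequence": b1 & 0x7F,
        "implementation": impl,        # 3 = IMPL_XNTPD
        "request_code": reqcode,       # 42 = MON_GETLIST_1, i.e. "monlist"
    }


def rule_matches(pkt: UdpDatagram) -> bool:
    """alert udp $HOME_NET 123 -> $EXTERNAL_NET any (content:'|17 00 03 2a|'; depth:4;)"""
    if pkt.sport != 123:                          # source port must be 123
        return False
    if not in_home_net(pkt.src) or in_home_net(pkt.dst):
        return False                              # $HOME_NET -> $EXTERNAL_NET only
    # depth:4 limits the content search to the first 4 payload bytes, so a
    # 4-byte pattern can only match when the payload starts with it.
    return pkt.payload[:4] == MONLIST_SIG


def alerts(pkts):
    return [p for p in pkts if rule_matches(p)]


def sample_datagrams():
    """Constructed datagrams: only the first one should raise the alert."""
    return [
        # monlist request leaving the internal network from source port 123
        UdpDatagram("10.1.1.5", 123, "198.51.100.7", 123, MONLIST_SIG + b"\x00" * 4),
        # same bytes, but an ephemeral source port: the rule's port test fails
        UdpDatagram("10.1.1.5", 50123, "198.51.100.7", 123, MONLIST_SIG + b"\x00" * 4),
        # ordinary NTPv4 client poll (first byte 0x23 = version 4, mode 3)
        UdpDatagram("10.1.1.5", 123, "198.51.100.7", 123, b"\x23" + b"\x00" * 47),
        # monlist request arriving from outside: wrong direction for this rule
        UdpDatagram("198.51.100.7", 123, "10.1.1.5", 123, MONLIST_SIG + b"\x00" * 4),
        # monlist *response* (R bit set, first byte 0x97): content does not match
        UdpDatagram("10.1.1.5", 123, "198.51.100.7", 123, b"\x97\x00\x03\x2a" + b"\x00" * 4),
    ]


if __name__ == "__main__":
    for p in alerts(sample_datagrams()):
        print("NTP DDoS", p.src, p.sport, "->", p.dst, p.dport,
              decode_ntp_private_header(p.payload))
```

The last two datagrams show why the content bytes matter as much as the port: an inbound request and a monlist response both involve UDP 123, but neither satisfies the rule as written.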

444
MCQeasy

You are a SOC analyst at a medium-sized enterprise. The company uses a SIEM that collects logs from firewalls, endpoints, and Active Directory. At 2:00 AM, the SIEM generates a high-priority alert: 'Multiple Failed Logins for Administrator Account from Remote IP 198.51.100.20'. The analyst on the night shift reviews the alert and sees that there were 50 failed attempts in 10 minutes, followed by a successful login at 2:12 AM. The successful login originated from the same IP. The account is a domain administrator. The analyst checks the firewall logs and sees that the IP is from a known VPN provider. The analyst also checks the endpoint logs and sees that no unusual activity has occurred after the login. The company has a policy that remote administration is allowed only from a specific jump server with IP 203.0.113.10. The analyst suspects a brute-force attack succeeded. What should the analyst do first?

A.Block the IP address 198.51.100.20 on the firewall
B.Disable the compromised administrator account immediately
C.Perform a full network scan of the VPN provider's entire IP range
D.Reset the password of the compromised administrator account
AnswerB

Disabling the account stops all access by the attacker and is the fastest containment action.

Why this answer

Option B is correct because the immediate priority is to contain the breach by disabling the compromised domain administrator account. The successful login from an unauthorized IP (198.51.100.20) after 50 failed attempts indicates a successful brute-force attack, and the account has domain-level privileges. Disabling the account stops any further lateral movement or privilege escalation, which is the first step in incident response containment before any remediation or investigation.

Exam trap

Cisco often tests the distinction between containment (disabling the account) and remediation (resetting the password), where candidates mistakenly choose password reset first because they think it solves the problem, but disabling is the correct immediate action to cut off access.

How to eliminate wrong answers

Option A is wrong because blocking the IP address alone does not address the fact that the attacker already has valid credentials and could reconnect from a different IP or VPN endpoint, leaving the compromised account active for further abuse. Option C is wrong because performing a full network scan of the VPN provider's entire IP range is an inefficient, broad, and potentially disruptive action that does not immediately contain the threat; it also violates typical incident response procedures by focusing on reconnaissance rather than containment. Option D is wrong because resetting the password, while necessary later, is not the first action; the account must be disabled first to prevent the attacker from using the current session or any cached credentials before the password change takes effect.

445
MCQhard

A security analyst detects a large number of TCP RST packets from a single external IP to various internal hosts. The internal hosts are not sending any corresponding packets. What is the most likely cause?

A.A denial-of-service attack is occurring
B.A TCP connection is being established
C.A port scan is in progress
D.A TCP reset attack is being performed
AnswerD

Forged RST packets terminate connections prematurely.

Why this answer

A TCP reset attack (also known as a forged RST attack) occurs when an attacker sends spoofed TCP RST packets to disrupt an existing connection. The key clue is that the internal hosts are not sending any corresponding packets, indicating the RST packets are unsolicited and likely forged, which is characteristic of this attack rather than a normal network event.

Exam trap

Cisco often tests the distinction between a TCP reset attack and a port scan, where candidates mistakenly associate RST packets with port scanning (e.g., receiving RST from a closed port) rather than recognizing unsolicited RST packets as an active attack.

How to eliminate wrong answers

Option A is wrong because a denial-of-service attack typically involves overwhelming a target with traffic (e.g., SYN flood or volumetric attack), but here the RST packets are directed to multiple internal hosts without corresponding traffic, which is more specific to a reset attack. Option B is wrong because establishing a TCP connection involves a three-way handshake (SYN, SYN-ACK, ACK), not RST packets; RST packets are used to abort connections, not initiate them. Option C is wrong because a port scan (e.g., SYN scan) sends SYN packets to probe open ports, and while RST packets may be sent in response to closed ports, the scenario describes unsolicited RST packets from an external IP to internal hosts, which is not how a scan operates.
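The key clue in the explanation, RSTs arriving for connections the internal hosts never initiated, can be turned into a simple detection over a packet capture. The following is an added example, not part of this question bank; the HOME_NET range, addresses and packet records are constructed for it. It also shows the distinction the exam trap draws: a RST returned to a host that itself sent a probe or SYN is solicited and is not flagged, while a burst of RSTs to hosts with no prior traffic toward the sender is.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for this example: the monitored internal address range.
HOME_NET = ip_network("192.168.0.0/16")


@dataclass
class TcpPacket:
    ts: float      # capture timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flag letters, e.g. "S", "SA", "A", "R", "RA"


def is_internal(addr: str) -> bool:
    return ip_address(addr) in HOME_NET


def find_unsolicited_rst(packets, threshold=3):
    """Count inbound RSTs from each external IP to internal hosts that never
    sent that IP any packet first. Returns {external_ip: count} for sources
    at or above the threshold."""
    outbound_seen = set()          # (internal_ip, external_ip) pairs with prior internal->external traffic
    unsolicited = defaultdict(int)
    for p in sorted(packets, key=lambda p: p.ts):
        if is_internal(p.src) and not is_internal(p.dst):
            outbound_seen.add((p.src, p.dst))
        elif "R" in p.flags and not is_internal(p.src) and is_internal(p.dst):
            if (p.dst, p.src) not in outbound_seen:
                unsolicited[p.src] += 1        # RST with nothing to reset
    return {ip: n for ip, n in unsolicited.items() if n >= threshold}


def sample_packets():
    """Constructed capture: a solicited RST on an established connection, a
    solicited RST from a closed port, and a burst of forged RSTs from 203.0.113.50."""
    return [
        # 192.168.1.10 opens a connection; the server later resets it (solicited)
        TcpPacket(0.0, "192.168.1.10", 40001, "198.51.100.9", 443, "S"),
        TcpPacket(0.1, "198.51.100.9", 443, "192.168.1.10", 40001, "SA"),
        TcpPacket(0.2, "192.168.1.10", 40001, "198.51.100.9", 443, "A"),
        TcpPacket(5.0, "198.51.100.9", 443, "192.168.1.10", 40001, "R"),
        # 192.168.1.20 connects to a closed port on 203.0.113.50 and gets RST back (solicited)
        TcpPacket(1.0, "192.168.1.20", 40002, "203.0.113.50", 8080, "S"),
        TcpPacket(1.1, "203.0.113.50", 8080, "192.168.1.20", 40002, "RA"),
        # 203.0.113.50 sends RSTs to hosts that never talked to it (forged)
        TcpPacket(2.0, "203.0.113.50", 443, "192.168.1.10", 50000, "R"),
        TcpPacket(2.0, "203.0.113.50", 443, "192.168.1.11", 50001, "R"),
        TcpPacket(2.1, "203.0.113.50", 443, "192.168.1.12", 50002, "RA"),
        TcpPacket(2.1, "203.0.113.50", 443, "192.168.1.13", 50003, "R"),
    ]


if __name__ == "__main__":
    print(find_unsolicited_rst(sample_packets()))   # {'203.0.113.50': 4}
```

The threshold keeps a single stray RST (a stale connection closed by a remote peer after a NAT table timed out, for instance) from raising an alert on its own; tune it to the capture window you feed the function.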

446
MCQmedium

A security analyst is investigating a host that is suspected of being used as a pivot point in a network intrusion. The analyst needs to identify which process initiated an outbound connection to a known malicious IP address. Which host-based analysis approach should the analyst use to correlate the network connection to the specific process?

A.Run 'netstat -b' on the Windows host to display active connections with the associated process executable.
B.Examine the Windows Firewall log to see the source and destination IP addresses and ports for outbound traffic.
C.Review Windows Security Event Log for Event ID 4688 (Process Creation) for the timeline of process starts.
D.Use PowerShell cmdlet 'Get-NetTCPConnection' to list current TCP connections and their states.
AnswerA

The -b flag shows the binary involved in creating each connection, directly correlating the connection to the process.

Why this answer

Running 'netstat -b' on a Windows host displays active TCP connections along with the executable name of the process that created each connection. This directly correlates the outbound connection to the malicious IP with the specific process, which is exactly what the analyst needs to identify the pivot point.

Exam trap

Cisco often tests the distinction between network-level logs (firewall logs) and host-level process-to-connection correlation, and the trap here is that candidates may choose 'Get-NetTCPConnection' (Option D) because it lists connections, but they overlook that it does not show the associated process executable without additional scripting.

How to eliminate wrong answers

Option B is wrong because the Windows Firewall log records source/destination IPs and ports but does not associate traffic with a specific process executable; it only logs network-level metadata. Option C is wrong because Event ID 4688 logs process creation events but does not include network connection details, so it cannot correlate a specific outbound connection to a process. Option D is wrong because 'Get-NetTCPConnection' lists TCP connections and their states but does not show the associated process executable; it lacks the -b flag's process-to-connection mapping.

447
MCQhard

A security auditor reviews a company's security policies and finds that the password policy requires a minimum length of 8 characters and complexity including uppercase, lowercase, digit, and special character. However, the policy does not mandate password expiration. Which of the following is the most significant risk due to this omission?

A.Stolen credentials could be used for extended periods without detection
B.Users may choose weak passwords that are easy to guess
C.Help desk will receive an increased number of password reset requests
D.Users might reuse passwords across different systems
AnswerA

No expiration means compromised passwords stay valid until changed, allowing prolonged unauthorized access.

Why this answer

Option A is correct because without expiration, compromised credentials remain valid indefinitely, so an attacker can keep using stolen credentials for an extended period without detection. Option B is less likely because the complexity requirements already limit weak, easily guessed passwords. Option D is not directly related to expiration.

Option C is a minor operational inconvenience compared to credential theft.

448
MCQmedium

You are a security operations analyst for a medium-sized enterprise. The company's security policy requires that all endpoint devices have antivirus software installed and updated. During a routine check, you find that a group of 50 laptops used by the sales team have not received antivirus updates for over three months. The policy also states that any non-compliant devices must be quarantined from the network until they are remediated. The sales team manager argues that quarantining the laptops will disrupt critical sales activities. The company's incident response policy has a clause that allows for temporary exceptions in business-critical situations, but requires approval from the CISO. What is the best course of action?

A.Ignore the issue to avoid disrupting sales activities
B.Quarantine the laptops immediately as per policy
C.Request a temporary exception from the CISO while expediting the updates
D.Update the antivirus without quarantining, then report to management
AnswerC

The exception process allows business continuity while addressing the issue.

Why this answer

Option C is correct because it balances security policy compliance with business continuity. The incident response policy explicitly allows temporary exceptions for business-critical situations with CISO approval, and expediting the updates ensures the 50 laptops are remediated quickly. Quarantining without considering the business impact could violate the company's own exception clause, while ignoring the issue or updating without quarantining bypasses the security controls required by policy.

Exam trap

Cisco often tests the balance between strict policy enforcement and business continuity, trapping candidates who choose immediate quarantine (Option B) without considering documented exception processes, or who choose to update without quarantine (Option D) thinking it's a practical workaround.

How to eliminate wrong answers

Option A is wrong because ignoring the issue violates the security policy requiring quarantine of non-compliant devices, leaving the network exposed to potential malware outbreaks from outdated antivirus definitions. Option B is wrong because while quarantine is the default policy, it fails to leverage the incident response policy's exception clause for business-critical situations, potentially causing unnecessary disruption without CISO oversight. Option D is wrong because updating antivirus without quarantining bypasses the policy's quarantine requirement and does not address the root cause of non-compliance; reporting after the fact does not obtain the required prior approval for an exception.

449
Multi-Selectmedium

A security policy mandates that all network devices must have logging enabled and that logs must be reviewed regularly. Which TWO practices are essential for effective log review?

Select 2 answers
A.Aggregating logs from all devices into a central server.
B.Reviewing logs only when an incident occurs.
C.Automated log analysis with correlation tools.
D.Storing logs for at least one year.
E.Ensuring logs are in a common format like Syslog.
AnswersA, C

Centralization enables comprehensive analysis and correlation across the network.

Why this answer

Central aggregation (A) and automated log analysis with correlation tools (C) are essential for effective and efficient log review. Retention (D) and a common format (E) are supporting practices but not core to the review process. Reactive review only when an incident occurs (B) is not effective.

450
MCQmedium

What is the effect of this configuration on a Cisco device?

A.Users are authenticated using a TACACS+ server.
B.Authorization is done via RADIUS.
C.Users are authenticated using the local database.
D.No authentication is required.
AnswerC

The 'local' keyword means the local username database is used.

Why this answer

The configuration shown (not provided in the question, but implied by the correct answer) is a typical local authentication setup, such as 'aaa authentication login default local' or a username/password defined in the device's local database. This means the device uses its own stored credentials to authenticate users, not an external server. Option C is correct because local authentication is explicitly configured, bypassing any external AAA server.

Exam trap

Cisco often tests the distinction between authentication, authorization, and accounting (AAA) services, and the trap here is that candidates confuse the protocol used for authentication (TACACS+ or RADIUS) with the method (local vs. server-based), leading them to pick an option that assumes an external server is involved when only local authentication is configured.

How to eliminate wrong answers

Option A is wrong because TACACS+ authentication requires the 'aaa authentication login default group tacacs+' command and a configured TACACS+ server; the configuration in question does not reference TACACS+. Option B is wrong because RADIUS is used for authentication and accounting, but authorization via RADIUS requires specific 'aaa authorization' commands (e.g., 'aaa authorization network default group radius'); the configuration only deals with authentication, not authorization, and does not specify RADIUS. Option D is wrong because 'no authentication' would require the 'aaa authentication login default none' command or no AAA configuration at all; the presence of a local authentication configuration means authentication is required.
