Cisco CyberOps Associate 200-201 (200-201) — Questions 451-507

507 questions total · 7 pages · All types, answers revealed


Page 7 of 7

451
Multi-Select · medium

Which THREE are essential components of a security monitoring strategy? (Choose three.)

Select 3 answers
A. Antivirus software on all endpoints.
B. Data encryption at rest.
C. Defined incident response procedures.
D. Centralized log collection from critical systems.
E. Correlation rules to identify suspicious patterns.
Answers: C, D, E

Ensures proper handling.

Why this answer

Defined incident response procedures (Option C) are essential because they provide a structured, repeatable workflow for detecting, analyzing, and containing security incidents. Without pre-defined procedures, a security team cannot consistently execute the 'Respond' phase of the NIST SP 800-61 incident response lifecycle, leading to delayed containment and increased dwell time.

Exam trap

Cisco often tests the distinction between preventive controls (antivirus, encryption) and detective/monitoring controls (log collection, correlation, incident response procedures), causing candidates to mistakenly include security hygiene measures as monitoring components.

452
MCQ · easy

A SOC analyst is reviewing a security alert generated by the SIEM. The alert indicates a successful login from an unusual geographic location for a user who typically logs in from the corporate office. The analyst verifies that the user is currently on vacation and should not be accessing the network. What should the analyst do next?

A. Ignore the alert because the user might be using a VPN
B. Block the IP address in the firewall
C. Start a full incident investigation before taking any action
D. Disable the user account and begin an investigation
Answer: D

Disabling the account stops the immediate threat, then investigation can determine the scope.

Why this answer

Option D is correct because the alert indicates a clear security incident: a successful login from an unusual geographic location for a user who is on vacation and should not be accessing the network. Disabling the user account immediately contains the threat by preventing further unauthorized access, and beginning an investigation allows the analyst to determine if the account was compromised or if credentials were stolen. This aligns with the NIST SP 800-61 incident response process, where containment is a priority before proceeding to eradication and recovery.

Exam trap

Cisco often tests the candidate's understanding of the incident response lifecycle, specifically the need to contain a threat immediately (by disabling the account) rather than jumping to investigation or assuming benign intent, which is a common mistake in SOC workflows.

How to eliminate wrong answers

Option A is wrong because ignoring the alert based on a VPN assumption is a dangerous guess; the SIEM alert specifically indicates an unusual geographic location, and the user is on vacation, so the analyst must not assume benign activity without verification. Option B is wrong because blocking the IP address in the firewall is a reactive measure that does not address the root cause; the attacker could use multiple IPs or proxies, and the compromised user account remains active, allowing further unauthorized access. Option C is wrong because starting a full incident investigation without any containment action first violates the incident response principle of 'contain before investigate'; the attacker could continue to use the account during the investigation, escalating the breach.

453
MCQ · medium

A SOC analyst notices repeated failed login attempts from a single IP address against multiple user accounts. Which type of attack is most likely occurring?

A. Credential stuffing
B. Brute force attack
C. Password spraying
D. Man-in-the-middle attack
Answer: C

Password spraying tries a few common passwords across many accounts.

Why this answer

Password spraying (C) is correct because the attack involves a single IP address attempting the same common password against multiple user accounts. This technique avoids account lockout policies that typically trigger after a few failed attempts on a single account, making it distinct from brute force attacks that target one account with many passwords.

Exam trap

Cisco often tests the distinction between brute force (many passwords, one user) and password spraying (one password, many users), where candidates mistakenly choose brute force because they focus on the 'repeated failed login attempts' without noticing the attack is spread across multiple accounts.

How to eliminate wrong answers

Option A is wrong because credential stuffing uses previously leaked username/password pairs from one service to attempt access on another, not repeated attempts from a single IP against multiple accounts. Option B is wrong because a brute force attack targets a single account with many password guesses, not a single password against many accounts. Option D is wrong because a man-in-the-middle attack intercepts or relays communications between two parties, not directly related to failed login attempts from a single IP.

454
MCQ · easy

An organization's data classification policy defines four levels: Public, Internal, Confidential, and Restricted. An employee accidentally sends an email containing customer payment card information (PCI) to the entire company mailing list. The data should have been classified as which level?

A. Public
B. Restricted
C. Internal
D. Confidential
Answer: B

Restricted is for data whose disclosure would cause severe harm, such as PCI data.

Why this answer

Option B is correct because PCI data is highly sensitive and legally protected, warranting Restricted classification. Option A (Public) is for non-sensitive data. Option C (Internal) is for internal use but is not as sensitive. Option D (Confidential) is sensitive but not as high as Restricted.

455
Multi-Select · hard

Which THREE are required steps in a proper incident response procedure? (Choose three.)

Select 3 answers
A. Change Management Processing
B. Containment, Eradication, and Recovery
C. Post-Incident Activity (Lessons Learned)
D. Detection and Analysis
E. System Hardening
Answers: B, C, D

These are core phases of IR.

Why this answer

The IR process includes preparation, detection and analysis, containment, eradication, recovery, and post-incident activity (lessons learned). Options B, C, and D are direct steps of that process. Option E (system hardening) is a preventive measure, and Option A (change management) is a separate process.

456
MCQ · easy

Refer to the exhibit. A Windows security log shows several events with Event ID 4625 (failed logon). What type of attack is indicated?

A. Brute force attack
B. Pass-the-hash attack
C. Kerberos golden ticket attack
D. Man-in-the-middle attack
Answer: A

Multiple failed logons from the same source indicate password guessing.

Why this answer

Event ID 4625 indicates a failed logon attempt. A high volume of these events in a short period is characteristic of a brute force attack, where an attacker systematically tries multiple username/password combinations to gain unauthorized access. This is a direct indicator of repeated authentication failures, not a more sophisticated attack.

Exam trap

Cisco often tests the distinction between brute force attacks (which generate many failed logon events) and pass-the-hash or golden ticket attacks (which succeed without repeated failures), so the trap is assuming any failed logon event indicates a credential theft or replay attack rather than a simple password guessing attempt.

How to eliminate wrong answers

Option B is wrong because a pass-the-hash attack uses captured NTLM hashes to authenticate without needing the plaintext password, and it would not generate a high volume of failed logon events (Event ID 4625) since the attacker already has a valid hash. Option C is wrong because a Kerberos golden ticket attack forges a Ticket Granting Ticket (TGT) using the KRBTGT account hash, allowing persistent access without triggering repeated failed logon events; it would instead show successful logon events (Event ID 4624). Option D is wrong because a man-in-the-middle attack intercepts and potentially modifies communications between two parties, but it does not inherently generate a high volume of failed logon events; it might cause a single failed logon if credentials are replayed, not a flood of 4625 events.

457
MCQ · easy

Which of the following is a primary goal of the CIA triad?

A. Redundancy
B. Scalability
C. Availability
D. Maintainability
Answer: C

Availability ensures systems are accessible when needed.

Why this answer

The CIA triad's primary goals are confidentiality, integrity, and availability. Availability ensures that authorized users have reliable and timely access to data and resources when needed, which is a core security objective. Option C is correct because availability is explicitly one of the three pillars of the CIA triad.

Exam trap

Cisco often tests the distinction between a primary goal of the CIA triad and a supporting mechanism or operational characteristic, so candidates may confuse redundancy (a means to achieve availability) with availability itself.

How to eliminate wrong answers

Option A is wrong because redundancy is a design strategy to improve availability, not a primary goal of the CIA triad itself. Option B is wrong because scalability refers to the ability to handle increased load, which is a performance characteristic, not a security goal of the CIA triad. Option D is wrong because maintainability concerns the ease of updating or repairing a system, which is an operational concern, not a core security objective of the CIA triad.

458
Multi-Select · hard

Which TWO are best practices for managing SIEM alerts to reduce false positives? (Choose two.)

Select 2 answers
A. Disable all alerts that generate more than 100 events per day.
B. Use a separate SIEM for each department.
C. Regularly tune correlation rules based on feedback.
D. Increase the number of log sources.
E. Maintain a whitelist of known benign activity.
Answers: C, E

Adapts to environment.

Why this answer

Option C is correct because SIEM correlation rules must be regularly tuned based on feedback from incident investigations and alert reviews. This iterative process adjusts thresholds, filters, and logic to match the actual threat landscape, reducing noise from benign events that match rule patterns but are not malicious.

Exam trap

Cisco often tests the misconception that more data (Option D) or volume-based suppression (Option A) is a valid way to reduce false positives, when in fact proper tuning and whitelisting are the correct approaches.

459
MCQ · medium

An analyst is examining a Linux host suspected of being compromised. The file /etc/passwd shows unusual entries. Which host-based analysis tool is best for verifying if the accounts are actively being used?

A. lsof tool
B. ps aux command
C. last command output
D. auditd logs
Answer: C

last reads /var/log/wtmp and shows login sessions, indicating active use.

Why this answer

The `last` command reads the /var/log/wtmp file to display a list of all users who have logged in and out, including their login times and durations. Since the question asks whether suspicious accounts from /etc/passwd are actively being used, `last` directly shows recent login activity, making it the best tool for verification.

Exam trap

Cisco often tests the distinction between tools that show current state (like `ps` or `lsof`) versus tools that show historical activity (like `last`), trapping candidates who confuse 'active processes' with 'active user accounts'.

How to eliminate wrong answers

Option A is wrong because `lsof` lists open files and network connections, not user login history; it cannot show whether an account has logged in. Option B is wrong because `ps aux` shows currently running processes, not historical or recent login sessions; an account could be active without a running process. Option D is wrong because `auditd` logs system calls and security events but requires pre-configured rules to track logins; it is not a simple, immediate command to check active account usage like `last`.

460
MCQ · hard

An intrusion analyst is analyzing a series of alerts from a network-based IDS. The alerts are triggered by the signature 'OVERFLOW-ICMP-ECHO' with a payload size of 65535 bytes. The source IP is a trusted internal server. What is the most likely explanation?

A. The server is performing a ping sweep
B. There is a network error causing packet fragmentation
C. The IDS signature is incorrectly configured
D. The server is under a DDoS attack
Answer: C

The payload size exceeds the maximum possible, so it's a false positive.

Why this answer

An IPv4 packet, including its headers, cannot exceed 65535 bytes, so the data portion of an ICMP Echo (ping) packet is limited to 65535 minus the IP and ICMP header sizes (typically 20 + 8 = 28 bytes); a payload of exactly 65535 bytes is therefore impossible under normal operation. Since the source IP is a trusted internal server, the most plausible cause is that the IDS signature is misconfigured, most likely with an incorrect payload size threshold that produces a false positive, rather than an actual overflow attempt.

Exam trap

The trap here is that candidates assume a large ICMP payload must indicate an attack (like a Ping of Death or DDoS), but Cisco tests the understanding that a payload of exactly 65535 bytes is impossible in a single unfragmented ICMP packet, pointing to a signature misconfiguration rather than a real threat.

How to eliminate wrong answers

Option A is wrong because a ping sweep involves sending multiple ICMP Echo requests to different hosts, not a single oversized payload; the signature specifically flags payload size, not volume or destination range. Option B is wrong because network errors causing fragmentation would result in fragmented packets with smaller payloads per fragment, not a single packet claiming a 65535-byte payload; fragmentation occurs at the IP layer and does not change the total payload size reported in the ICMP header. Option D is wrong because a DDoS attack would typically involve a high volume of traffic from multiple sources, not a single oversized ICMP packet from a trusted internal server; the signature is triggered by payload size, not traffic volume or source diversity.

461
MCQ · hard

Refer to the exhibit. Based on the intrusion event, what is the likely intent of the traffic?

A. Denial of service
B. Normal web browsing
C. Port scan
D. Buffer overflow attempt
Answer: D

Shellcode and NOP sleds are characteristic of buffer overflow exploits.

Why this answer

The intrusion event shows a long string of 'A' characters (0x41) being sent to an HTTP server, which is a classic pattern for a buffer overflow attack. The intent is to overflow a buffer in the web server software, potentially overwriting memory and executing arbitrary code, making D the correct answer.

Exam trap

Cisco often tests the ability to distinguish between attack types by focusing on payload characteristics—candidates may confuse a buffer overflow with a DoS because both involve excessive data, but the structured pattern of repeated characters is the key differentiator.

How to eliminate wrong answers

Option A is wrong because denial of service (DoS) typically involves flooding the target with traffic to exhaust resources, not sending a specific pattern of data to exploit a memory vulnerability. Option B is wrong because normal web browsing does not involve sending repeated, non-standard characters like a long string of 'A's; HTTP requests are structured with valid headers and payloads. Option C is wrong because a port scan uses techniques like SYN, FIN, or NULL packets to probe open ports, not a single connection with a malformed payload to a specific service.

462
MCQ · hard

A security policy states that all portable media must be encrypted. An employee loses a USB drive containing customer data. The drive was encrypted with AES-256. Which of the following is true regarding policy compliance?

A. The policy was followed, but the incident still needs to be reported per incident response procedures
B. The employee violated policy because the drive was lost
C. The policy was followed because the data was encrypted, so a breach is not reportable
D. Encryption is not sufficient; the employee should have used different media
Answer: A

Encryption mitigates exposure but does not negate the need for incident reporting.

Why this answer

Option A is correct because the security policy mandates encryption for portable media, and AES-256 encryption was applied to the USB drive, so the policy was technically followed. However, the loss of a device containing customer data still triggers incident response procedures, as the encryption key or the possibility of decryption could be compromised, and reporting is required to assess risk and comply with breach notification laws.

Exam trap

Cisco often tests the distinction between policy compliance and incident response obligations, trapping candidates who assume encryption alone eliminates the need to report a lost device.

How to eliminate wrong answers

Option B is wrong because the policy does not prohibit loss of media; it requires encryption, which was applied, so the employee did not violate the policy itself. Option C is wrong because encryption does not automatically exempt an incident from reporting; many regulations (e.g., GDPR, HIPAA) require breach notification if there is any risk of data exposure, and the loss of the drive must be evaluated. Option D is wrong because AES-256 is a strong, approved encryption standard, and the policy does not specify a different media type; the issue is not the encryption strength but the physical loss and reporting obligation.

463
MCQ · easy

An analyst sees an alert with source IP 10.0.0.1 and destination IP 192.168.1.100 on port 80. The alert type is 'WEB-MISC Attempt to execute command on server'. Which action is most appropriate?

A. Verify if the target host is vulnerable
B. Ignore because it's a false positive
C. Immediately block the source IP
D. Escalate to law enforcement
Answer: A

Checking the vulnerability status helps determine whether the alert is a real threat.

Why this answer

Option A is correct because the alert 'WEB-MISC Attempt to execute command on server' from source IP 10.0.0.1 to destination IP 192.168.1.100 on port 80 indicates a potential command injection attempt against a web server. The most appropriate first action is to verify if the target host is actually vulnerable to such an attack, as this determines whether the alert is a true positive requiring remediation or a false positive that can be dismissed. This aligns with the network intrusion analysis process of validating alerts before taking irreversible actions.

Exam trap

Cisco often tests the candidate's ability to prioritize verification over immediate action, trapping those who choose to block or escalate without confirming the alert's validity, especially when the alert type suggests a high-severity attack like command injection.

How to eliminate wrong answers

Option B is wrong because ignoring the alert outright assumes it is a false positive without any verification, which could leave a real command injection vulnerability unaddressed and the server compromised. Option C is wrong because immediately blocking the source IP is a reactive measure that may disrupt legitimate traffic if the alert is a false positive, and it bypasses the necessary step of verifying the target's vulnerability first. Option D is wrong because escalating to law enforcement is premature and disproportionate for a single command injection attempt on an internal network (10.0.0.1 to 192.168.1.100), which is typically a security incident handled internally unless there is evidence of a broader attack or legal requirement.

464
MCQ · easy

An analyst notices repeated failed SSH attempts from an external IP to a server. The analyst wants to quickly see all SSH-related events from that IP in the last hour. Which approach is most efficient?

A. Search the SIEM for events with destination port 22 and source IP.
B. Review all firewall logs for the past hour.
C. Run a packet capture on the server's network interface.
D. Check the server's auth.log file manually.
Answer: A

Directly retrieves SSH events for that IP.

Why this answer

Option A is correct because a SIEM indexes and correlates log data from multiple sources, allowing an analyst to quickly filter events by destination port 22 (SSH) and source IP without manually sifting through raw logs. This approach leverages the SIEM's search capabilities to retrieve only relevant events from the past hour, making it the most efficient method for targeted threat hunting.

Exam trap

Cisco often tests the distinction between centralized log analysis (SIEM) and raw data inspection (packet capture or manual log review), trapping candidates who overlook the efficiency of indexed search versus unfiltered data retrieval.

How to eliminate wrong answers

Option B is wrong because reviewing all firewall logs for the past hour would include irrelevant traffic (e.g., web, DNS) and lacks the specific filter for SSH (port 22) and the external IP, requiring manual parsing and wasting time. Option C is wrong because running a packet capture on the server's network interface captures all traffic in real-time or from a buffer, but it does not provide historical data for the past hour unless a capture was already running, and it generates large volumes of data that must be analyzed with tools like tcpdump or Wireshark, which is inefficient for a quick check. Option D is wrong because checking the server's auth.log file manually is a host-based approach that only shows authentication attempts on that specific server, not all SSH-related events from the IP (e.g., connection attempts blocked by a firewall), and it requires direct access to the server, which may not be scalable or centralized.

465
MCQ · easy

A NetFlow analysis shows a single internal host communicating with many external IP addresses on port 443, but the traffic volumes are very low (small packets). What is the most likely explanation?

A. Phishing
B. Web browsing
C. Port scanning
D. C2 communication
Answer: D

Malware beacons often use low-volume periodic connections on port 443.

Why this answer

The combination of a single internal host communicating with many external IPs on port 443 (HTTPS) with very low traffic volumes and small packets is a classic indicator of command-and-control (C2) beaconing. C2 malware often uses HTTPS to blend in with legitimate web traffic, but the small, periodic packets (e.g., keep-alive or heartbeat messages) distinguish it from normal web browsing, which would involve larger data transfers and consistent payload sizes.

Exam trap

Cisco often tests the distinction between 'many destinations with low volume' (C2 beaconing) and 'many destinations with high volume' (normal web browsing or data exfiltration), trapping candidates who overlook the packet size and volume clues.

How to eliminate wrong answers

Option A is wrong because phishing typically involves a single or limited number of external servers hosting malicious content, not a pattern of many external IPs, and phishing traffic often includes larger payloads (e.g., email attachments or web page downloads). Option B is wrong because normal web browsing to many external HTTPS sites would generate larger, variable-sized packets due to page content, images, and scripts, not consistently small packets. Option C is wrong because port scanning on port 443 would involve a high volume of SYN packets (often without completing the TCP handshake) or other probe packets, not established HTTPS sessions with small data exchanges.

466
MCQ · hard

You are a security analyst at a mid-sized company that uses a mix of on-premises servers and cloud services. The company's security policy requires all sensitive data to be encrypted at rest and in transit, and all access to be logged and monitored. Recently, the company experienced a data breach where an attacker exfiltrated a database containing customer PII. The investigation revealed that the attacker gained access using a compromised VPN account that had been inactive for 6 months. The account belonged to a former employee who left the company but the account was never disabled. The VPN logs show that the account was used from an unusual IP address, but no alert was triggered because the account was not on any watchlist. The breach occurred over a weekend when the security team was not monitoring. Which of the following would have most effectively prevented this breach?

A. Deploy a SIEM with anomaly detection for unusual VPN login locations.
B. Implement multi-factor authentication on all VPN accounts.
C. Increase the frequency of log reviews to daily.
D. Automate the de-provisioning of user accounts upon employee termination.
Answer: D

This directly addresses the root cause: the account should have been disabled when the employee left.

Why this answer

The root cause of the breach was that the former employee's VPN account remained active after termination, allowing the attacker to use it. Automating the de-provisioning of user accounts upon employee termination (Option D) directly addresses this by ensuring that accounts are disabled or removed as part of the offboarding process, eliminating the attack vector entirely. This aligns with the principle of least privilege and identity lifecycle management, which are foundational to access control policies.

Exam trap

Cisco often tests the distinction between preventive and detective controls, and the trap here is that candidates choose a detective solution (like SIEM or log review) because it sounds more technical, overlooking the fundamental preventive control of account lifecycle management that would have stopped the breach at its source.

How to eliminate wrong answers

Option A is wrong because deploying a SIEM with anomaly detection would only alert on unusual login locations after the fact; it does not prevent the use of an inactive account that should have been disabled. Option B is wrong because multi-factor authentication (MFA) would not have prevented the breach if the attacker already had the compromised VPN credentials and the account was still active; MFA can be bypassed if the attacker has access to the second factor (e.g., via phishing or session hijacking), and the core issue is the account's existence, not the authentication method. Option C is wrong because increasing the frequency of log reviews to daily would still leave a window of opportunity (e.g., over a weekend) and relies on human analysis, which is reactive and does not prevent the initial compromise; the account should have been disabled before the attacker could use it.

467
MCQ · hard

You are a security analyst at a financial services company. The company's security policy mandates that all sensitive data must be encrypted at rest and in transit. A recent internal audit reveals that a database containing customer personally identifiable information (PII) is stored on a server that uses unencrypted storage volumes. The database is accessed by internal applications via unencrypted connections. The policy also requires quarterly vulnerability scans, and the latest scan shows that the server has a critical vulnerability in the database software. Additionally, the server's firewall rules permit inbound traffic from the entire corporate network to the database port. The company's incident response policy requires that any violation of data protection policies be escalated within 24 hours. The IT manager asks you to prioritize actions. What should you do first?

A. Enable encryption on the storage volumes and database connections
B. Apply the critical security patch to the database software
C. Escalate the violation to management within 24 hours
D. Restrict firewall access to only authorized application servers
Answer: B

Patching the critical vulnerability reduces immediate risk of exploitation.

Why this answer

The most immediate threat is the critical vulnerability in the database software, which could allow remote code execution or data exfiltration without any authentication. Patching this vulnerability directly reduces the risk of exploitation, which is the highest priority in a security incident. Encryption and firewall restrictions are important but do not address an actively exploitable software flaw.

Exam trap

Cisco often tests the concept that patching a critical vulnerability takes precedence over other security controls, even when policy mandates encryption or escalation, because the vulnerability represents an active, exploitable risk that can bypass all other defenses.

How to eliminate wrong answers

Option A is wrong because enabling encryption on storage volumes and database connections protects data at rest and in transit but does not remediate the critical software vulnerability that could allow an attacker to bypass those controls entirely. Option C is wrong because while escalation is required by policy, it is a procedural step that should occur after or in parallel with immediate technical remediation; the priority is to stop the active threat first. Option D is wrong because restricting firewall access reduces the attack surface but does not fix the underlying vulnerable software that could be exploited from any allowed source, including authorized application servers.

468
MCQ · easy

Which best practice helps ensure accurate network intrusion analysis when reviewing logs from multiple sources?

A. Use synchronized time across all devices.
B. Disable all logging except firewall logs.
C. Rely solely on automated analysis tools.
D. Store logs in different formats for each source.
Answer: A

Time synchronization enables accurate correlation of events.

Why this answer

Synchronized time (via NTP) ensures that logs from different sources share a consistent timestamp, which is critical for correlating events across network devices during intrusion analysis. Without time synchronization, an attacker's actions might appear out of order or be missed entirely, leading to inaccurate incident reconstruction.

Exam trap

Cisco often tests the misconception that log format consistency is more important than time synchronization, but without synchronized time, even identical formats cannot provide accurate event correlation.

How to eliminate wrong answers

Option B is wrong because disabling all logging except firewall logs eliminates valuable data from sources like IDS/IPS, servers, and endpoints, which are essential for detecting multi-stage attacks. Option C is wrong because relying solely on automated analysis tools can miss context-dependent attacks or generate false positives; human analysis is needed to validate alerts. Option D is wrong because storing logs in different formats for each source increases parsing complexity and hinders correlation, whereas standardized formats (e.g., syslog, CEF) simplify analysis.

469
MCQ · medium

A company is developing a new security policy for cloud storage. Which principle should be the foundation of the policy to ensure data confidentiality and integrity?

A. Access logs must be retained for at least one year.
B. Only authorized users can access the cloud storage.
C. All data must be encrypted at rest and in transit.
D. Data must be backed up daily.
Answer: C

Encryption provides confidentiality and integrity regardless of location.

Why this answer

Option C is correct because encryption at rest and in transit directly protects data confidentiality and integrity by rendering data unreadable without the proper decryption keys and by ensuring data is not tampered with during transmission. In cloud storage, encryption at rest (e.g., AES-256) safeguards data stored on disk, while encryption in transit (e.g., TLS 1.2/1.3) prevents interception or modification during upload/download. This dual-layer approach is the foundational security control for meeting confidentiality and integrity objectives, as defined in the CIA triad.

Exam trap

Cisco often tests the distinction between foundational security principles (encryption) and supporting controls (logging, access control, backups), trapping candidates who confuse a necessary but insufficient measure like 'only authorized users' with the core requirement for confidentiality and integrity.

How to eliminate wrong answers

Option A is wrong because retaining access logs for one year supports auditing and incident response but does not directly enforce data confidentiality or integrity; logs are a detective control, not a preventive or protective measure. Option B is wrong because only allowing authorized users to access cloud storage addresses confidentiality through access control, but it does not ensure integrity (e.g., authorized users could still modify data) and provides no protection against data exposure if the storage medium is compromised. Option D is wrong because daily backups ensure availability and disaster recovery, not confidentiality or integrity; backups can be encrypted, but the act of backing up alone does not protect data from unauthorized access or tampering.

470
MCQeasy

A security analyst detects a host infected with ransomware on the corporate network. According to incident response procedures, what should be the first action?

A.Reimage the host immediately
B.Update antivirus signatures
C.Notify the IT management team
D.Isolate the host from the network
AnswerD

Isolation stops lateral movement and is the first containment step.

Why this answer

Option D is correct because isolating the host prevents the ransomware from spreading to other systems. Option A is wrong because reimaging without isolation could fail if network propagation continues, and it also destroys evidence before it has been collected. Option C is wrong because notifying management is important but is not the immediate technical first step.

Option B is wrong because updating signatures is a preventive measure, not a containment step.

471
MCQeasy

Which data source provides the most detailed information about the application layer payload in network traffic?

A.NetFlow
B.Syslog
C.Full packet capture (PCAP)
D.SNMP
AnswerC

PCAP captures the entire packet including payload.

Why this answer

Full packet capture (PCAP) provides the most detailed information because it records the entire raw network packet, including headers and the complete application-layer payload. This allows deep inspection of protocols like HTTP, DNS, or SMTP at the byte level, which is essential for detecting malware, data exfiltration, or application-specific anomalies.

Exam trap

Cisco often tests the misconception that NetFlow provides deep packet inspection because it can report application information via NBAR, but NBAR is a classification engine that still does not capture the raw payload; the trap is confusing flow metadata with full packet content.

How to eliminate wrong answers

Option A is wrong because NetFlow only exports metadata (e.g., IP addresses, ports, protocol, byte counts) and never includes the application payload; it summarizes flows rather than capturing full packet contents. Option B is wrong because Syslog is a logging protocol for system events and messages from devices or applications, not a network traffic capture mechanism; it cannot provide packet-level payload data. Option D is wrong because SNMP is used for monitoring and managing network device status (e.g., CPU, interface counters) via MIBs, and it does not capture or transmit network traffic payloads.

472
MCQhard

Refer to the exhibit. A Cisco router is configured with the shown access list applied inbound on the external interface. An external attacker sends a packet with source IP 10.0.0.1, destination IP 192.168.1.100, destination port 22. What will the router do?

A.Forward the packet to the next hop
B.Permit the packet only if it is HTTP
C.Permit the packet
D.Drop the packet
AnswerD

The packet is denied by the first ACE.

Why this answer

Option D is correct because the first ACE in the ACL is a specific deny for SSH (TCP port 22) to host 192.168.1.100, which matches this packet, so the router drops it. Option C is wrong because the trailing permit any any is reached only if no earlier ACE matched; ACLs are evaluated top-down and the first match wins.

Option B is wrong because there is no rule keyed on HTTP (port 80). Option A is wrong because a denied packet is discarded, not forwarded. Note also that a packet arriving on the external interface with an RFC 1918 source such as 10.0.0.1 is spoofed or misrouted; a production ingress ACL would normally deny private source ranges explicitly as well.

473
Multi-Selectmedium

A security analyst is investigating a host that may have been compromised via a drive-by download. Which three indicators of compromise should the analyst look for in the host's logs and artifacts?

Select 3 answers
A.Unusual outbound network connections
B.Modified system files in %SystemRoot%\System32
C.A new user account added to the local Administrators group
D.A large number of 404 errors in the web server log
E.Presence of a scheduled task that runs an unknown executable
AnswersA, B, E

Malware often communicates with C2 servers.

Why this answer

A drive-by download typically exploits a browser or plugin vulnerability to silently execute code on the host. Once compromised, the malware often establishes command-and-control (C2) communication, which manifests as unusual outbound network connections to suspicious IP addresses or domains on non-standard ports (e.g., TCP 4444, 8080). Analyzing netstat output or firewall logs for unexpected outbound traffic is a primary indicator of such post-exploitation activity.

Exam trap

Cisco often tests the distinction between host-based and network-based indicators, and the trap here is that candidates confuse web server logs (which live on a server, not on the compromised client host that was the victim of the drive-by) with host-based artifacts, or they assume that any post-exploitation action like adding an admin user is a direct indicator of the initial compromise vector rather than a later persistence step.

474
MCQhard

An organization is developing a new cloud-based application. The security policy requires that all data be encrypted in transit and at rest. Which combination of controls meets this requirement?

A.Use a VPN for all connections
B.Encrypt the database using Transparent Data Encryption (TDE)
C.Use HTTPS for all communication
D.Use HTTPS and encrypt the database with TDE
AnswerD

Combining HTTPS (transit) and TDE (at rest) satisfies both requirements.

Why this answer

Option D is correct because HTTPS encrypts data in transit and TDE encrypts data at rest. Option C is wrong because HTTPS alone does not encrypt data at rest. Option B is wrong because database encryption alone does not encrypt data in transit. Note that TDE protects the database files and backups on disk; it does not protect data returned to an authenticated query (for example via SQL injection), so it complements access control rather than replacing it.

Option A is wrong because a VPN encrypts in transit but not at rest.

475
Multi-Selecteasy

A healthcare organization uses an online patient portal where patients can view their medical records. Recently, it was discovered that patient records were being modified by an unauthorized insider, and the system suffered a ransomware attack that encrypted the database, making it inaccessible for three days. Which TWO security principles were primarily violated? (Choose two.)

Select 2 answers
A.Confidentiality
B.Authentication
C.Integrity
D.Availability
E.Non-repudiation
AnswersC, D

The unauthorized modification of patient records directly violates integrity.

Why this answer

The unauthorized modification of patient records violates integrity, which ensures data has not been altered by unauthorized entities. The ransomware attack that encrypted the database and made it inaccessible for three days violates availability, which ensures systems and data are accessible when needed. These two incidents directly compromise the CIA triad principles of integrity and availability.

Exam trap

Cisco often tests the distinction between confidentiality (unauthorized viewing) and integrity (unauthorized modification), so the trap here is confusing the insider's modification of records as a confidentiality breach rather than an integrity violation.

476
Multi-Selectmedium

A security policy requires that all data at rest be encrypted. Which TWO of the following are considered best practices for implementing encryption?

Select 2 answers
A.Implement encryption at the application layer only.
B.Store encryption keys separately from the encrypted data.
C.Use weak encryption algorithms to reduce performance impact.
D.Use hardware-based encryption if available.
E.Use the same key for all data to simplify management.
AnswersB, D

Essential for key security.

Why this answer

Options B and D are correct. Option B: storing keys separately from the encrypted data (for example in a KMS or HSM) means that a copy of the storage medium alone does not yield plaintext. Option D: hardware-based encryption (self-encrypting drives, HSM-backed keys) keeps key material out of host memory and resists software tampering.

Option E: using the same key for all data means one key compromise exposes everything and prevents per-dataset rotation or revocation. Option C: weak algorithms are poor practice, and the performance argument does not hold because AES is hardware-accelerated on modern CPUs. Option A: encryption should be layered (disk, database, application), not applied at the application layer only.

477
MCQmedium

You are a SOC analyst monitoring traffic on a corporate network. The network uses a next-generation firewall (NGFW) with intrusion prevention system (IPS). You receive an alert that the IPS detected a SQL injection attempt against the internal web application server (10.0.1.10) from an external IP (203.0.113.5). The IPS action was set to "alert" only, not "drop". Further investigation shows that the web server logs indicate the SQL injection succeeded and data was exfiltrated to 203.0.113.5. The web application is a custom application developed in-house. The database server (10.0.1.20) contains customer PII. Which of the following is the BEST immediate action to contain the incident?

A.Apply a software patch to the web application to fix the SQL injection vulnerability
B.Restore the web server from a known good backup
C.Block the attacker's IP address at the firewall and implement a temporary rule to drop all traffic from 203.0.113.5
D.Shut down the database server to prevent further data loss
AnswerC

This immediately cuts off the attacker's access and stops exfiltration.

Why this answer

The immediate priority is to stop the active data exfiltration and prevent further exploitation. Since the IPS was configured to 'alert' only, it did not block the malicious traffic. Blocking the attacker's IP at the firewall with a temporary drop rule is the fastest way to sever the attacker's access to the web server and stop the ongoing data theft, containing the incident while preserving forensic evidence.

Exam trap

Cisco often tests the distinction between containment, eradication, and recovery actions, and the trap here is that candidates confuse a long-term fix (patching) or a disruptive action (shutting down the database) with the immediate need to stop active data exfiltration.

How to eliminate wrong answers

Option A is wrong because applying a software patch is a remediation step, not an immediate containment action; it takes time to develop, test, and deploy, during which the attacker can continue exfiltrating data. Option B is wrong because restoring the web server from a known good backup is a recovery step that destroys volatile evidence (e.g., logs, active connections) and does not stop the attacker if they still have network access. Option D is wrong because shutting down the database server would cause immediate denial of service to legitimate users and may corrupt data; it also does not prevent the attacker from re-establishing access via the web server if the firewall remains open.

478
Multi-Selectmedium

Which TWO of the following are indicators of a potential data exfiltration attempt?

Select 2 answers
A.An internal host transferring large amounts of data to an unknown external IP at 3 AM.
B.A user accessing an internal file server during business hours.
C.An internal host sending large DNS TXT queries to an external server.
D.A failed login attempt from an internal workstation.
E.A spike in ICMP echo requests from an external IP.
AnswersA, C

Unusual time and volume strongly suggest exfiltration.

Why this answer

Option A is correct because data exfiltration often involves transferring large volumes of data to an unknown external IP during off-hours (e.g., 3 AM) to evade detection. This behavior deviates from normal business patterns and is a classic indicator of a data breach or insider threat. Option C is correct because DNS tunneling encodes data inside DNS queries and responses; unusually long or high-entropy labels, a heavy share of TXT queries, and many unique subdomains under a single domain are the tell-tale signs, and DNS is often permitted outbound even where other egress is filtered.

Exam trap

Cisco often tests the distinction between normal network activity (e.g., file server access during business hours) and anomalous patterns (e.g., off-hours bulk transfers or DNS tunneling), so candidates must focus on the context of time, volume, and protocol misuse rather than just the action itself.

479
MCQhard

A security analyst at a financial firm is investigating a potential data breach. The company uses Cisco Firepower NGFW and Stealthwatch for network visibility. Over the past week, an internal server with IP 10.10.10.50 has been sending large amounts of data to an external IP 203.0.113.55 on TCP port 443. The Stealthwatch flow records show that the server typically communicates with only internal hosts and a few known external update servers. The analyst checks the Firepower events and sees no alerts for this traffic. The server is running a custom web application that handles financial transactions. The analyst suspects data exfiltration. What should the analyst do next?

A.Capture a packet trace of the suspicious traffic and analyze the SSL/TLS handshake to determine if the traffic is legitimate.
B.Immediately block the destination IP on the firewall and quarantine the server.
C.Review the server's web server logs for any unusual requests or responses.
D.Check the server's running processes and network connections with a command line tool like netstat.
AnswerA

Deep packet inspection of the encrypted handshake can reveal certificate details or anomalies indicating a covert channel.

Why this answer

Option A is correct because the traffic is encrypted over TCP port 443 (HTTPS), so the analyst cannot determine the content or legitimacy of the data transfer without decrypting or inspecting the SSL/TLS handshake. Capturing a packet trace allows the analyst to examine the TLS handshake details, such as the server certificate, cipher suites, and SNI, which can reveal whether the external IP is a legitimate service or an unauthorized endpoint. This step is non-disruptive and provides forensic evidence before taking any blocking or quarantine actions.

Exam trap

Cisco often tests the distinction between flow/event data and full packet inspection, trapping candidates who think firewall logs or netstat alone can confirm exfiltration over encrypted channels.

How to eliminate wrong answers

Option B is wrong because immediately blocking the destination IP and quarantining the server could disrupt legitimate business operations and destroy forensic evidence; the analyst should first verify the traffic is malicious. Option C is wrong because reviewing web server logs only shows HTTP-level requests and responses, but the traffic is encrypted over TLS, so the logs would not reveal the actual data being exfiltrated. Option D is wrong because checking running processes and netstat connections only provides a snapshot of current connections, not the historical flow data or encrypted payload details needed to confirm exfiltration.

480
MCQmedium

Refer to the exhibit. What is the effect of this ACL applied to an interface?

A.Allows all traffic to host 10.0.1.10
B.Allows any TCP traffic
C.Allows only HTTP traffic to host 10.0.1.10 and denies all else
D.Denies all traffic
AnswerC

The permit line specifically allows HTTP; the deny line blocks other traffic.

Why this answer

The ACL in the exhibit (an extended ACL, since only extended ACLs can match on protocol and port, with a permit statement for TCP port 80 to host 10.0.1.10 and nothing after it) explicitly permits only HTTP traffic (TCP port 80) to the destination host 10.0.1.10. All other traffic is denied by the implicit deny all at the end of every ACL, making option C correct.

Exam trap

Cisco often tests the implicit deny all behavior, where candidates mistakenly think an ACL with only a permit statement allows all other traffic, when in fact it denies everything not explicitly permitted.

How to eliminate wrong answers

Option A is wrong because the ACL does not allow all traffic to host 10.0.1.10; it only permits HTTP (TCP/80) and denies everything else, including other protocols and ports. Option B is wrong because the ACL does not allow any TCP traffic; it specifically restricts TCP traffic to only port 80 (HTTP) to host 10.0.1.10, blocking all other TCP ports. Option D is wrong because the ACL does not deny all traffic; it explicitly permits HTTP traffic to host 10.0.1.10, so some traffic is allowed.
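A worked example for questions 472 and 480, added here and not part of Cisco's material: a small Python evaluator that applies the two rules both questions hinge on, first match wins and an implicit deny closes every ACL. The two ACL texts are constructed stand-ins for the exhibits (which are not reproduced on this page), built from what the explanations state: a deny for TCP/22 to 192.168.1.100 followed by permit ip any any, and a lone permit for TCP/80 to 10.0.1.10. Only the subset of extended-ACL syntax needed for those lines is parsed.

```python
"""First-match evaluation of Cisco-style extended ACLs with the implicit deny.

Added example for questions 472 and 480; not Cisco code. The ACL text is
constructed from the explanations, since the exhibits are not on this page.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS accepts after "eq"; a small subset for the example.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23,
              "domain": 53, "smtp": 25}


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str                        # original line, for the audit trail


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _take_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Cisco wildcard masks are the bitwise inverse of a subnet mask.
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def _take_port(tokens):
    """Consume an optional 'eq <port|name>' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        value = tokens.pop(0)
        return PORT_NAMES.get(value) or int(value)
    return None


def parse_acl(text):
    acl = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("!", "remark"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _take_addr(rest)
        sport = _take_port(rest)
        dst = _take_addr(rest)
        dport = _take_port(rest)
        acl.append(Ace(action, proto, src, sport, dst, dport, raw.strip()))
    return acl


def evaluate(acl, pkt):
    """Return (action, matching ACE text). Top-down, first match wins;
    falling off the end is the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny (end of ACL)"


# Constructed stand-in for the question 472 exhibit: specific deny first, then permit any.
ACL_472 = """
deny tcp any host 192.168.1.100 eq 22
permit ip any any
"""

# Constructed stand-in for the question 480 exhibit: one permit, then only the implicit deny.
ACL_480 = """
permit tcp any host 10.0.1.10 eq 80
"""

if __name__ == "__main__":
    print(evaluate(parse_acl(ACL_472), Packet("tcp", "10.0.0.1", "192.168.1.100", 40000, 22)))
    print(evaluate(parse_acl(ACL_480), Packet("tcp", "198.51.100.9", "10.0.1.10", 50000, 443)))
```

Swapping the two lines of the question 472 ACL makes the SSH packet permitted, which is exactly the shadowing mistake the exam probes: a broad permit above a specific deny makes the deny unreachable. The evaluator returns the matching ACE text so that a log entry can say which line decided the packet's fate, which is what you want when debugging an ACL that behaves unexpectedly.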

481
MCQmedium

A SOC analyst is monitoring network traffic and notices a large amount of data being transferred from the HR file server to an external IP address during off-hours. The server is supposed to be used only during business hours. The analyst checks the server logs and sees that a user account named 'backup_service' has been active and copying files. The 'backup_service' account is a service account that is normally used for automated backups, but the backup schedule is set to run at midnight, and the current time is 3 AM. The analyst suspects credential theft. Which of the following should the analyst do first?

A.Capture a memory dump of the server for forensic analysis.
B.Disable the 'backup_service' account immediately.
C.Take the HR file server offline.
D.Block the external IP address at the firewall.
AnswerA

A memory dump preserves evidence of the attacker's current activities, which is crucial for understanding the attack.

Why this answer

Option A is correct because capturing a memory dump preserves volatile evidence (e.g., running processes, network connections, and in-memory credentials) that is critical for forensic analysis of a suspected credential theft incident. This aligns with the NIST SP 800-86 forensic process, where memory acquisition is prioritized before any system shutdown or network changes to avoid losing evidence of the attacker's active session or malicious code.

Exam trap

Cisco often tests the principle of 'preservation of evidence' where candidates mistakenly choose immediate containment actions (disable account, take offline, block IP) instead of the forensic first step of capturing volatile data.

How to eliminate wrong answers

Option B is wrong because immediately disabling the 'backup_service' account could alert the attacker and cause them to destroy evidence or escalate privileges before a forensic snapshot is taken. Option C is wrong because taking the HR file server offline without first capturing memory would lose volatile data (e.g., active network connections, running processes, and encryption keys) that are essential for identifying the attack vector. Option D is wrong because blocking the external IP address at the firewall is a containment step that should occur after evidence collection; doing it first may tip off the attacker and does not preserve the in-memory state needed for attribution or root-cause analysis.

482
MCQhard

During a vulnerability assessment, a security team discovers that a web application allows users to upload files without proper validation. An attacker could upload a malicious file and execute it on the server. Which type of vulnerability is this?

A.Cross-site scripting (XSS)
B.SQL injection
C.Remote code execution (RCE)
D.Insecure direct object reference
AnswerC

Improper file validation can lead to arbitrary code execution on the server.

Why this answer

The vulnerability allows an attacker to upload a malicious file (e.g., a web shell) and then execute it on the server, which is the definition of remote code execution (RCE). This occurs because the application fails to validate file types, contents, or execution permissions, enabling arbitrary code to run in the server's context.

Exam trap

Cisco often tests the distinction between client-side attacks (XSS) and server-side attacks (RCE), so candidates may confuse file upload RCE with XSS because both involve malicious file or script injection, but the execution context (server vs. client) is the key differentiator.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) into web pages viewed by other users, not executing code on the server. Option B is wrong because SQL injection targets database queries by manipulating input to alter SQL statements, not file uploads or server-side code execution. Option D is wrong because insecure direct object reference (IDOR) allows unauthorized access to resources by manipulating object references (e.g., user IDs in URLs), not file uploads or code execution.
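The file-upload flaw in question 482 is easiest to see side by side with its fix. The following is an added example, not code from Cisco or from any product: a vulnerable upload handler that trusts the client-supplied name next to a hardened one. The allowlist of extensions and file signatures, the directory names and the sample upload bytes are all constructed for the example.

```python
"""Unvalidated file upload (the RCE path from question 482) beside a hardened handler.

Added example, not from the page's source material. ALLOWED_TYPES, the
directory layout and the sample uploads are constructed for illustration.
"""
import os
import secrets
import tempfile
from pathlib import Path

# Constructed allowlist: extension -> leading bytes the file must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def save_upload_vulnerable(webroot, client_filename, data):
    """The flaw described in the question: the client-chosen name is written
    straight into the web root, so 'shell.php' is stored where the web server
    will execute it, and a name containing '../' can escape the directory."""
    path = os.path.join(webroot, client_filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


class UploadRejected(ValueError):
    pass


def save_upload_hardened(storage_dir, client_filename, data, max_bytes=5_000_000):
    """Allowlisted extension, file-signature check, server-chosen random name,
    non-executable permissions, and a storage directory outside the web root."""
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    # Only the extension of the supplied name is consulted; directory parts are ignored.
    ext = Path(client_filename).suffix.lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    storage = Path(storage_dir).resolve()
    dest = storage / f"{secrets.token_hex(16)}.{ext}"   # client name never touches the filesystem
    with open(dest, "wb") as fh:
        fh.write(data)
    os.chmod(dest, 0o640)                                # readable by the app, never executable
    return str(dest)


def demo():
    """Exercise both handlers in throwaway directories with constructed uploads."""
    webroot = tempfile.mkdtemp(prefix="webroot_")
    store = tempfile.mkdtemp(prefix="uploads_")
    png_bytes = ALLOWED_TYPES["png"] + b"\x00" * 32       # constructed: PNG signature only
    shell_bytes = b"<?php system($_GET['c']); ?>"          # constructed web-shell body
    results = {"vulnerable": save_upload_vulnerable(webroot, "shell.php", shell_bytes)}
    for name, data in [("shell.php", shell_bytes),
                       ("shell.php.png", shell_bytes),      # wrong content for the extension
                       ("../../shell.png", png_bytes),      # traversal attempt, valid content
                       ("photo.png", png_bytes)]:
        try:
            saved = Path(save_upload_hardened(store, name, data))
            results[name] = ("stored inside storage dir"
                             if saved.parent == Path(store).resolve() else "escaped!")
        except UploadRejected as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20} -> {outcome}")
```

The signature check alone is not the defense: a PNG header can be prepended to a script (a polyglot file), which is why the hardened handler also discards the client's name, picks an allowlisted extension itself, and writes to a directory the web server never executes from. A file named shell.php.png with PNG bytes is accepted, but it lands as a random .png in a non-served directory, so there is nothing for an attacker to request.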

483
MCQeasy

An analyst notices an intrusion alert triggered by an internal host scanning multiple ports on a single external IP address. The signature is 'Port Scan'. Which of the following is the most likely cause?

A.Misconfigured service
B.Malware spreading
C.Network mapping tool
D.Normal user activity
AnswerC

Network mapping tools like Nmap perform port scans for reconnaissance.

Why this answer

A port scan targeting multiple ports on a single external IP is the classic behavior of network mapping tools like Nmap or Masscan. These tools systematically probe ports to discover open services, which is distinct from the random or sequential scanning patterns of malware or the limited connections of normal user activity.

Exam trap

Cisco often tests the distinction between scanning a single external IP (network mapping) versus scanning many internal IPs (malware spreading), causing candidates to confuse the target scope with the scanning pattern.

How to eliminate wrong answers

Option A is wrong because a misconfigured service typically causes repeated connections to a single port (e.g., DNS or SMTP retries), not a systematic scan across many ports. Option B is wrong because malware spreading usually scans random or sequential internal IPs for vulnerable services (e.g., SMB on 445/tcp), not a single external IP across many ports. Option D is wrong because normal user activity, such as a web browser or email client, connects to a few well-known ports (80, 443, 25) on a server, not a broad sweep of hundreds of ports.
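The exam trap for question 483 is the target scope: many ports on one host versus one port across many hosts. The following added example (not Cisco code) makes that distinction mechanically from a list of connection attempts as a flow collector or IDS would see them. The records are constructed for the example and the thresholds are illustrative.

```python
"""Vertical scan (network mapping) vs. horizontal sweep (worm-style spreading).

Added example for question 483; not from the page's source. The connection
records and thresholds are constructed for illustration.
"""
from collections import defaultdict


def build_sample():
    """Constructed (src, dst, dst_port) connection attempts."""
    records = []
    records += [("10.1.1.30", "203.0.113.7", p) for p in range(1, 101)]        # one target, 100 ports
    records += [("10.1.1.77", f"10.1.2.{h}", 445) for h in range(1, 41)]        # 40 targets, one port
    records += [("10.1.1.12", "93.184.216.34", p) for p in (80, 443, 443, 80)]  # ordinary browsing
    return records


def classify_scans(records, port_threshold=20, host_threshold=20):
    """Return findings as (kind, src, target-or-port, count).

    vertical_scan: one source probes many distinct ports on a single host,
    the Nmap/Masscan pattern from the question.
    horizontal_sweep: one source hits the same port on many hosts, the
    pattern of malware hunting for an exposed service such as SMB/445.
    """
    ports_by_pair = defaultdict(set)    # (src, dst) -> distinct destination ports
    hosts_by_port = defaultdict(set)    # (src, dport) -> distinct destination hosts
    for src, dst, dport in records:
        ports_by_pair[(src, dst)].add(dport)
        hosts_by_port[(src, dport)].add(dst)

    findings = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= port_threshold:
            findings.append(("vertical_scan", src, dst, len(ports)))
    for (src, dport), hosts in hosts_by_port.items():
        if len(hosts) >= host_threshold:
            findings.append(("horizontal_sweep", src, dport, len(hosts)))
    return sorted(findings, key=lambda f: (f[0], f[1], str(f[2])))


if __name__ == "__main__":
    for finding in classify_scans(build_sample()):
        print(finding)
```

The browsing host never crosses either threshold because a normal client touches a handful of well-known ports on each server. In practice the thresholds are tuned per environment, and the same counting is what a NetFlow-based tool does when it labels a flow pattern as a scan.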

484
Multi-Selecthard

Which THREE are common indicators of a distributed denial-of-service (DDoS) attack? (Choose three.)

Select 3 answers
A.Slow network performance and service unavailability
B.A single IP address generating excessive traffic
C.High bandwidth consumption on the network link
D.Unusual traffic patterns from many different sources
E.Encrypted traffic from a known malware C2 server
AnswersA, C, D

Overwhelmed resources cause slowdowns.

Why this answer

Option A is correct because a DDoS attack floods the target with traffic from multiple sources, overwhelming network resources and causing legitimate requests to time out or be dropped. This results in slow network performance and service unavailability as the system struggles to process the excessive load. The distributed nature of the attack makes it difficult to mitigate with simple IP-based filtering.

Exam trap

Cisco often tests the distinction between a single-source DoS and a multi-source DDoS, so candidates may incorrectly select 'a single IP address generating excessive traffic' as a DDoS indicator, but the key is the distributed nature of the attack.

485
MCQeasy

A network administrator is tasked with creating a security policy for handling sensitive data. Which of the following is the most critical element to include?

A.Detailed network topology diagrams.
B.List of antivirus software versions.
C.Data classification and handling procedures.
D.Vendor contact information.
AnswerC

This defines how data should be categorized and protected, which is essential for any data security policy.

Why this answer

Data classification and handling procedures are fundamental to any data security policy. Topology, antivirus, and contacts are supporting but not the most critical.

486
MCQhard

An analyst is investigating a host that is beaconing to a known malicious domain every 60 seconds. The host also shows outbound connections to multiple IPs on port 443. To confirm the beaconing, which data source is most useful?

A.DNS logs from the internal DNS server.
B.NetFlow records from the border router.
C.Full packet capture of all outbound traffic.
D.Host-based firewall logs.
AnswerB

Shows flow timestamps and destinations; reveals periodic connections.

Why this answer

NetFlow records from the border router provide aggregated metadata (source/destination IP, port, protocol, timestamps) that can reveal the periodic 60-second beaconing pattern to the malicious domain and the volume of outbound connections on port 443. Unlike DNS logs, NetFlow captures the actual connection attempts regardless of DNS resolution, making it ideal for identifying regular, repetitive outbound flows.

Exam trap

Cisco often tests the distinction between DNS logs (which show name resolution) and NetFlow (which shows actual traffic flows), leading candidates to mistakenly choose DNS logs because they associate beaconing with domain names, not realizing that the beaconing is confirmed by the connection pattern itself.

How to eliminate wrong answers

Option A is wrong because DNS logs only show queries for domain resolution, not the actual TCP connections; if the host uses cached DNS or direct IP connections, the beaconing pattern may be missed. Option C is wrong because full packet capture, while thorough, is resource-intensive and impractical for continuous monitoring of all outbound traffic; NetFlow provides sufficient metadata to confirm the beaconing pattern without the overhead. Option D is wrong because host-based firewall logs only record allowed or blocked connections at the host level, but they may not capture the precise timing and destination IPs of outbound flows if the firewall is configured to permit all outbound traffic, and they lack the network-wide perspective of the border router.
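Questions 478 (off-hours bulk transfer to an external address) and 486 (60-second beaconing) are both answered from flow metadata, so one added example covers both. This is not Cisco or Stealthwatch code: it is a Python sketch that reads constructed NetFlow-like records (start time, source, destination, destination port, bytes) and applies two checks, a volume check for large outbound transfers outside business hours and an inter-arrival check that flags connections with a near-constant period. The record format, the internal address ranges and the thresholds are assumptions for the example.

```python
"""Exfiltration and beaconing indicators from flow metadata.

Added example for questions 478 and 486; not from the page's source material.
The flow records below are constructed, and the record layout
(start time, src, dst, dst port, bytes) is an assumption of this example.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


# Constructed flow records: a 3 AM bulk transfer, a 60 s beacon with a little
# jitter, an internal file copy, and irregular daytime browsing.
SAMPLE_FLOWS = """
2024-03-01T03:05:00 10.1.1.40 203.0.113.9 443 400000000
2024-03-01T03:20:00 10.1.1.40 203.0.113.9 443 350000000
2024-03-01T03:40:00 10.1.1.40 203.0.113.9 443 300000000
2024-03-01T03:30:00 10.1.1.12 10.1.1.5 445 900000000
2024-03-01T03:10:00 10.1.1.25 198.51.100.7 443 200
2024-03-01T03:11:01 10.1.1.25 198.51.100.7 443 200
2024-03-01T03:12:00 10.1.1.25 198.51.100.7 443 200
2024-03-01T03:12:59 10.1.1.25 198.51.100.7 443 200
2024-03-01T03:14:01 10.1.1.25 198.51.100.7 443 200
2024-03-01T03:15:00 10.1.1.25 198.51.100.7 443 200
2024-03-01T10:00:00 10.1.1.12 93.184.216.34 443 15000
2024-03-01T10:00:07 10.1.1.12 93.184.216.34 443 8000
2024-03-01T10:03:20 10.1.1.12 93.184.216.34 443 12000
2024-03-01T10:45:00 10.1.1.12 93.184.216.34 443 30000
2024-03-01T11:02:10 10.1.1.12 93.184.216.34 443 9000
"""


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def bulk_offhours_transfers(flows, bytes_threshold, business_hours=(8, 18)):
    """Question 478 option A: total outbound bytes per (src, external dst)
    outside business hours, returned when the total reaches the threshold."""
    totals = defaultdict(int)
    for ts, src, dst, _dport, nbytes in flows:
        in_hours = business_hours[0] <= ts.hour < business_hours[1]
        if is_internal(src) and not is_internal(dst) and not in_hours:
            totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total >= bytes_threshold}


def beacon_candidates(flows, min_flows=5, max_jitter=0.1):
    """Question 486: group outbound flows by (src, dst, dport), compute the gaps
    between successive start times, and flag groups whose gaps are nearly
    constant (coefficient of variation <= max_jitter). Returns the mean period."""
    stamps = defaultdict(list)
    for ts, src, dst, dport, _nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            stamps[(src, dst, dport)].append(ts)
    found = {}
    for key, times in stamps.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_jitter:
            found[key] = round(mean, 1)
    return found


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("bulk off-hours:", bulk_offhours_transfers(flows, 500_000_000))
    print("beacons:", beacon_candidates(flows))
```

Real implants add deliberate jitter to their sleep interval, so max_jitter is the knob to loosen when hunting, at the cost of more false positives from polling software. The beacon check keys on destination IP, not name, which is the point made in the explanation above: a host that beacons to a cached or hard-coded IP leaves nothing in the DNS logs but still shows a metronome-like pattern in the flow records.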

487
Multi-Selecteasy

Which TWO activities are typically part of a security policy review cycle? (Choose two.)

Select 2 answers
A.Reviewing regulatory updates
B.Delivering security awareness training
C.Conducting periodic policy audits
D.Handling a security incident
E.Applying system patches
AnswersA, C

Laws change, policies must adapt.

Why this answer

Policy review includes identifying changes in regulatory requirements and running periodic audits, so options A and C are correct. Option E (patching) is operational.

Option B (user training) is part of the awareness program, not the review cycle. Option D (incident handling) is response, not review.

488
MCQmedium

A security analyst is asked to assess the risk of a new web application. The analyst calculates the likelihood of a SQL injection as 0.3 and the impact as $100,000. What is the annualized loss expectancy (ALE) if the asset value is $500,000 and the exposure factor is 0.2?

A.$100,000
B.$50,000
C.$15,000
D.$30,000
AnswerD

ALE = SLE * ARO = ($500,000 * 0.2) * 0.3 = $30,000.

Why this answer

The annualized loss expectancy (ALE) is calculated as ALE = SLE × ARO, where SLE = AV × EF. Here, AV = $500,000 and EF = 0.2, so SLE = $100,000. The likelihood of 0.3 represents the annualized rate of occurrence (ARO), so ALE = $100,000 × 0.3 = $30,000.

Option D is correct because it correctly multiplies the single loss expectancy by the annualized rate of occurrence.

Exam trap

Cisco often tests the distinction between SLE and ALE, tricking candidates into stopping at the SLE calculation ($100,000) or misapplying the exposure factor to the impact instead of the asset value.

How to eliminate wrong answers

Option A is wrong because $100,000 is the single loss expectancy (SLE), not the annualized loss expectancy (ALE); it fails to multiply by the ARO of 0.3. Option B is wrong because $50,000 would result from multiplying the impact ($100,000) by 0.5, which is not the given ARO or any correct calculation step. Option C is wrong because $15,000 matches no combination of the given figures: it is half the correct ALE ($30,000 × 0.5) and can only be reached by introducing a factor the question does not supply.

489
MCQmedium

A manufacturing company's ICS network was infected with ransomware that encrypted files on the file server. The company has offline backups and restores the files. However, during the investigation, the security analyst finds that the ransomware entered through an RDP connection from an infected workstation on the corporate network. The corporate network and ICS network are separated by a firewall that allows RDP from specific corporate IPs to the ICS file server. The analyst wants to prevent a recurrence. Which of the following is the most effective long-term control?

A.Require multi-factor authentication for all RDP connections.
B.Disable RDP on the ICS file server and use a jump box.
C.Implement network segmentation with a DMZ for file transfers.
D.Install antivirus on all corporate workstations.
AnswerA

MFA significantly reduces the risk of unauthorized RDP access even if passwords are compromised.

Why this answer

Requiring multi-factor authentication for all RDP connections adds a critical layer of security, making it much harder for attackers to gain access even if credentials are compromised.

490
Multi-Selecteasy

Which TWO are common sources of security event data in a Security Information and Event Management (SIEM) system?

Select 2 answers
A.SMTP logs
B.NetFlow records
C.SNMP traps
D.Syslog from network devices
E.DNS queries
AnswersB, D

NetFlow provides metadata on network traffic flows.

Why this answer

NetFlow records (B) are a common source of security event data in a SIEM because they provide detailed metadata about network flows, including source/destination IPs, ports, protocols, and byte counts. SIEMs ingest NetFlow to detect anomalies, such as data exfiltration or beaconing, by analyzing flow patterns rather than full packet payloads. This makes NetFlow a standard telemetry source for network visibility and threat hunting.

Exam trap

Cisco often tests the distinction between network management protocols (SNMP) and security monitoring sources (syslog, NetFlow), leading candidates to mistakenly select SNMP traps as a security event source because they associate 'traps' with alerts, when in fact SNMP is for device health, not security event logging.

491
MCQmedium

A network administrator configures an IPS to drop packets that match a signature for SQL injection. However, legitimate web traffic is being blocked. What is the most likely cause?

A.IPS hardware failure
B.Network congestion
C.Signature false positive
D.Signature false negative
AnswerC

The signature incorrectly matches legitimate SQL-like patterns in normal traffic.

Why this answer

Option C is correct because a false positive occurs when the IPS incorrectly identifies legitimate traffic as malicious based on its signature. In this case, the SQL injection signature is matching benign web requests that contain patterns resembling SQL syntax (e.g., 'SELECT', 'DROP'), causing the IPS to drop valid packets. This is a common issue with signature-based detection systems that lack contextual analysis.

Exam trap

Cisco often tests the distinction between false positives and false negatives, and the trap here is that candidates may confuse 'blocking legitimate traffic' with a false negative, not realizing that a false positive is the correct term for incorrectly flagged benign traffic.

How to eliminate wrong answers

Option A is wrong because an IPS hardware failure would typically cause complete loss of inspection or system crashes, not selective blocking of specific traffic patterns. Option B is wrong because network congestion might cause packet loss or latency, but it would not cause the IPS to drop packets based on signature matching; congestion does not alter detection logic. Option D is wrong because a false negative means the IPS fails to detect actual malicious traffic, which would allow SQL injection attacks to pass, not block legitimate traffic.

492
MCQeasy

An organization deploys a firewall to block unauthorized traffic. This is an example of which type of security control?

A.Detective
B.Physical
C.Technical
D.Administrative
AnswerC

Firewalls are technical controls that prevent unauthorized access.

Why this answer

A firewall is a technical control because it uses software or hardware mechanisms—such as packet filtering, stateful inspection, or application-layer filtering—to enforce security policies and block unauthorized traffic. Technical controls are implemented through technology systems (e.g., routers, firewalls, IDS/IPS) rather than through physical barriers or administrative procedures.

Exam trap

Cisco often tests the distinction between preventive and detective controls, and the trap here is that candidates may confuse a firewall's logging capability (detective) with its primary function of blocking traffic (preventive/technical).

How to eliminate wrong answers

Option A is wrong because detective controls are designed to identify and log security events after they occur (e.g., intrusion detection systems, audit logs), whereas a firewall actively prevents unauthorized traffic in real time. Option B is wrong because physical controls involve tangible barriers like locks, fences, or security guards, not network-level packet filtering. Option D is wrong because administrative controls are policies, procedures, and training (e.g., acceptable use policies, background checks), not technology-based enforcement mechanisms.

493
MCQmedium

Refer to the exhibit. An administrator sees many alerts for DNS tunneling. The current DNS inspection policy is shown. What change would most likely help detect DNS tunneling?

A.Remove the dns-guard command.
B.Lower the message-length maximum to 128 bytes.
C.Raise the message-length maximum to 4096 bytes.
D.Disable DNS inspection entirely.
AnswerC

Raising the limit lets the inspection engine see the oversized messages that tunneling relies on; correlating message size with query frequency further helps surface anomalies.

Why this answer

DNS tunneling exploits the DNS protocol to exfiltrate data by encoding it in DNS queries and responses. Raising the message-length maximum to 4096 bytes allows the DNS inspection engine to inspect larger DNS payloads, which is necessary to detect tunneling attempts that use long TXT or other resource records to carry data. The current lower limit may allow tunneled data to pass undetected because the inspection engine truncates or ignores oversized messages.

Exam trap

Cisco often tests the misconception that lowering the message-length maximum would block tunneling, when in fact tunneling uses large payloads that would be ignored or passed through if the limit is too low, so raising the limit is required to inspect and detect the oversized messages.

How to eliminate wrong answers

Option A is wrong because the dns-guard command prevents DNS spoofing and cache poisoning by ensuring DNS responses match outstanding queries; removing it would weaken security, not help detect tunneling. Option B is wrong because lowering the message-length maximum to 128 bytes would cause the inspection engine to drop or ignore legitimate DNS messages and would not help detect tunneling, as tunneled data often uses larger payloads. Option D is wrong because disabling DNS inspection entirely would remove all DNS anomaly detection, making it impossible to detect DNS tunneling through the firewall.

494
MCQhard

A SIEM correlation rule triggers when a user account is created and then added to a privileged group within 10 minutes. Which activity does this rule detect?

A.Malicious insider data theft.
B.Privileged account creation and elevation.
C.Privilege escalation via token manipulation.
D.Lateral movement using pass-the-hash.
AnswerB

The rule specifically matches account creation followed by group membership change.

Why this answer

The SIEM rule specifically correlates the creation of a user account followed by its addition to a privileged group within a short time window. This sequence directly maps to the definition of privileged account creation and elevation, where a new account is granted administrative rights. The rule does not require any other malicious activity like data theft or lateral movement to trigger.

Exam trap

Cisco often tests the distinction between the administrative action of adding a user to a privileged group (privileged account creation/elevation) and the exploitation of system tokens or authentication protocols, leading candidates to confuse the SIEM rule's trigger with token manipulation or pass-the-hash attacks.

How to eliminate wrong answers

Option A is wrong because malicious insider data theft typically involves exfiltration of sensitive data, not just account creation and group membership changes; the rule does not monitor data access or transfer events. Option C is wrong because privilege escalation via token manipulation involves exploiting operating system mechanisms like SeDebugPrivilege or token duplication, not the administrative action of adding a user to a group via directory services. Option D is wrong because lateral movement using pass-the-hash relies on NTLM hash reuse to authenticate to remote systems, which is unrelated to account creation or group membership modifications.

495
MCQhard

Refer to the exhibit. A security analyst is analyzing a Windows host that is communicating with an external server at 192.168.1.50. Based on the output, which process is likely malicious?

A.svchost.exe (PID 1420) because it is connecting to an external IP on port 80.
B.cmd.exe (PID 2568) because it could be used to launch other processes.
C.powershell.exe (PID 2792) because it has an established HTTPS connection to an external server.
D.notepad.exe (PID 2344) because it is not expecting to make any network connections.
AnswerC

PowerShell making an outbound HTTPS connection is atypical and often used for malicious purposes.

Why this answer

powershell.exe (PID 2792) is the likely malicious process because it has an established HTTPS connection (TCP port 443) to an external server at 192.168.1.50. PowerShell is a powerful scripting tool often abused by attackers to execute arbitrary code, download payloads, or establish command-and-control (C2) channels over encrypted HTTPS, which can evade detection by traditional signature-based security tools.

Exam trap

Cisco often tests the misconception that any process connecting to an external IP is malicious, but the trap here is that candidates overlook the context of the process—PowerShell is a legitimate tool that is frequently abused, whereas svchost.exe making HTTP connections is normal system behavior.

How to eliminate wrong answers

Option A is wrong because svchost.exe (PID 1420) connecting to an external IP on port 80 is normal behavior for Windows services that perform HTTP-based updates or telemetry; svchost.exe is a legitimate system process. Option B is wrong because cmd.exe (PID 2568) could be used to launch other processes, but the exhibit does not show any network connection or suspicious activity from cmd.exe, making it not directly indicative of malicious behavior. Option D is wrong because notepad.exe (PID 2344) is not expected to make network connections, but the exhibit does not show any network connection from notepad.exe, so there is no evidence of malicious activity from that process.

496
MCQeasy

An analyst receives a syslog message with facility 'authpriv' and severity '3'. What does severity 3 indicate?

A.Error
B.Emergency
C.Critical
D.Alert
AnswerA

Error is severity 3.

Why this answer

Syslog severity levels range from 0 (Emergency) to 7 (Debug). Severity 3 corresponds to 'Error', which indicates error conditions that require attention but are not immediately critical. This is defined in RFC 5424, where level 3 is explicitly labeled 'Error' and is used for conditions such as configuration failures or service degradation.

Exam trap

Cisco often tests the specific numeric-to-name mapping of syslog severity levels, and the trap here is that candidates confuse severity 3 (Error) with severity 2 (Critical) or severity 1 (Alert) because they assume any 'high' severity number means more urgent, when in fact lower numbers indicate higher urgency.

How to eliminate wrong answers

Option B is wrong because Emergency (severity 0) indicates a system is unusable, such as a kernel panic or complete service failure. Option C is wrong because Critical (severity 2) denotes critical conditions like hard disk errors or major component failures. Option D is wrong because Alert (severity 1) requires immediate action, such as a security breach or loss of backup connectivity.

497
MCQmedium

Refer to the exhibit. The analyst sees two IDS alerts from the same source. What should the analyst conclude?

A.The alerts are false positives because the user-agent is common
B.The host is being scanned
C.The host is likely infected with malware
D.The host is downloading a large file
AnswerC

Multiple alerts to a known malicious domain suggest infection.

Why this answer

The correct answer is C because the IDS alerts indicate the same source IP is communicating with a known malicious domain (evil.com) using a suspicious user-agent string. This pattern of repeated connections to a known bad destination is characteristic of malware beaconing or command-and-control (C2) traffic, not a false positive or benign activity.

Exam trap

Cisco often tests the distinction between a false positive and a true positive by making candidates focus on the user-agent being common, but the key is that the destination is known malicious, not the user-agent's commonality.

How to eliminate wrong answers

Option A is wrong because a common user-agent does not automatically make an alert a false positive; malware often uses common user-agents to evade detection, and the destination (evil.com) is known malicious. Option B is wrong because scanning typically involves multiple destinations or ports from a single source, not repeated connections to the same malicious domain. Option D is wrong because downloading a large file would show a single sustained connection with high data transfer, not multiple separate alerts with the same source and destination.

498
MCQeasy

Which security policy defines the process for reporting discovered security vulnerabilities to the organization?

A.Vulnerability Disclosure Policy
B.Acceptable Use Policy
C.Incident Response Policy
D.Change Management Policy
AnswerA

This policy guides reporting of vulnerabilities.

Why this answer

A vulnerability disclosure policy outlines how to report and handle security weaknesses, so Option A is correct. Option C (incident response) covers active attacks, not the intake of vulnerability reports.

Option B (acceptable use) governs employee behavior. Option D (change management) governs how changes to systems are approved and applied.

499
Multi-Selecthard

Which TWO characteristics are typical of host-based intrusion detection systems (HIDS) compared to network-based intrusion detection systems (NIDS)?

Select 2 answers
A.Better suited for protecting a large number of devices simultaneously.
B.Visibility into local system events such as file system changes and registry modifications.
C.Ability to inspect encrypted traffic at the host level.
D.Less susceptible to host-based attacks.
E.Lower latency in detecting network attacks.
AnswersB, C

HIDS monitors host-specific activities.

Why this answer

Option B is correct because HIDS are installed directly on a host and have direct access to the host's operating system, allowing them to monitor local system events such as file system changes, registry modifications, and process activity. This granular visibility is a key advantage over NIDS, which only sees network traffic and cannot inspect internal host state. Option C is correct because a HIDS runs on the endpoint where TLS sessions are terminated, so it can observe application data after decryption that a NIDS sees only as ciphertext on the wire.

Exam trap

Cisco often tests the misconception that HIDS are better at detecting network attacks or scaling to many devices, but the key differentiator is that HIDS provide host-level visibility (like registry and file changes) and can inspect decrypted traffic, while NIDS are network-focused and cannot see internal host events.

500
MCQeasy

A security policy requires that all email attachments be scanned for malware. An employee receives a legitimate PDF from a customer that is flagged as malicious. What should the analyst do first?

A.Allow the email through since it's from a known sender.
B.Contact the customer to verify the file is intended.
C.Quarantine the email and delete the attachment.
D.Escalate to the incident response team.
E.Update the antivirus signatures and rescan.
AnswerB

Verification with sender is the appropriate first step.

Why this answer

Option B is correct because verifying with the sender prevents unnecessary action on a file that may be a false positive. Option C (quarantine and delete) is too aggressive without confirmation. Option D escalates prematurely.

Option E (update signatures and rescan) might be done later. Option A (allow the email through) violates the scanning policy.

501
Multi-Selecthard

An analyst is investigating a potential data exfiltration. Which two indicators in network traffic are most indicative of data exfiltration over DNS? (Choose two.)

Select 2 answers
A.Use of standard DNS ports
B.Large DNS response packets
C.DNSSEC enabled
D.Frequent DNS query retransmissions
E.High volume of DNS queries to unusual domains
AnswersB, E

Large responses carry the exfiltrated data, and a high query volume to unusual domains reveals the tunneling channel.

Why this answer

Large DNS response packets (Option B) are indicative of data exfiltration because attackers often encode stolen data into DNS TXT or other record types, causing response sizes to exceed the typical 512-byte limit and triggering EDNS0 extensions. This anomaly stands out against normal DNS traffic, where most responses are small. A high volume of queries to unusual domains (Option E) is the complementary indicator: a tunneling client encodes outbound data in the subdomain labels of an attacker-controlled zone, producing far more unique queries to that zone than ordinary resolution ever would.

Exam trap

Cisco often tests the misconception that any deviation from normal DNS behavior (like retransmissions or non-standard ports) is malicious, but the key indicators for exfiltration are unusually large response sizes and a high volume of queries to suspicious domains.

502
Multi-Selecteasy

Which two Sysmon Event IDs are most commonly associated with code injection techniques?

Select 2 answers
A.Event ID 3 (Network connect)
B.Event ID 8 (CreateRemoteThread)
C.Event ID 1 (Process creation)
D.Event ID 7 (Image loaded)
E.Event ID 10 (ProcessAccess)
AnswersB, E

CreateRemoteThread is a common method for code injection.

Why this answer

Sysmon Event ID 8 (CreateRemoteThread) is directly associated with code injection because it logs when a thread is created in a remote process, a common technique used by malware to inject malicious code into a legitimate process. Event ID 10 (ProcessAccess) is also critical as it records when a process opens a handle to another process, often a precursor to injecting code via APIs like OpenProcess and WriteProcessMemory.

Exam trap

Cisco often tests the distinction between direct indicators of injection (Event ID 8 and 10) versus indirect artifacts (Event ID 1 or 7), leading candidates to mistakenly choose process creation or image load events as primary injection indicators.

503
MCQhard

Given a packet capture showing TCP packets with flags: first packet SYN, second packet SYN-ACK, third packet ACK, then a fourth packet with RST flag. What should the analyst suspect?

A.Port scan
B.Normal traffic
C.SYN flood
D.Denial of service
AnswerA

The completed handshake followed by an immediate RST is characteristic of a connect scan.

Why this answer

The three-way handshake (SYN, SYN-ACK, ACK) completes a TCP connection, but the immediate RST after the ACK indicates the client terminated the connection without sending any application data. This pattern is characteristic of a port scan (e.g., using nmap's connect scan), where the scanner verifies the port is open by completing the handshake and then immediately resets to avoid leaving the connection half-open.

Exam trap

Cisco often tests the distinction between a completed three-way handshake followed by a reset (port scan) versus an incomplete handshake (SYN flood) or sustained data transfer (normal traffic).

How to eliminate wrong answers

Option B is wrong because normal traffic would continue with data exchange (e.g., HTTP GET) after the ACK, not an immediate RST. Option C is wrong because a SYN flood involves sending a high volume of SYN packets without completing the handshake, not a full handshake followed by a reset. Option D is wrong because a denial of service (DoS) attack typically aims to overwhelm resources with traffic or exploit vulnerabilities, not to perform a single, clean handshake-and-reset sequence.

504
MCQeasy

A SOC analyst receives an alert from the SIEM indicating a high number of outbound DNS queries from an internal host to a domain known for malicious activity. The analyst reviews the logs and finds that the host is a DNS server. What should be the analyst's first action?

A.Isolate the DNS server from the network and escalate to incident response.
B.Check the baseline of DNS traffic to confirm it is anomalous.
C.Block the domain at the firewall and close the alert.
D.Restart the DNS service on the server and monitor.
AnswerA

Immediate containment to prevent further compromise.

Why this answer

The correct first action is to isolate the DNS server from the network and escalate to incident response. A DNS server generating outbound DNS queries to a known malicious domain indicates a likely compromise (e.g., DNS tunneling or malware command-and-control), not normal recursive resolution. Immediate containment prevents further data exfiltration or lateral movement, aligning with incident response best practices.

Exam trap

Cisco often tests the misconception that a DNS server's outbound queries are always benign recursive lookups, leading candidates to choose baseline checking or simple blocking instead of recognizing the need for immediate containment and escalation.

How to eliminate wrong answers

Option B is wrong because checking a baseline assumes the activity might be normal, but a DNS server should not be making outbound queries to a known malicious domain; this wastes critical time during an active compromise. Option C is wrong because blocking the domain at the firewall without investigation may stop the immediate symptom but does not address the root cause (e.g., a backdoor or persistent threat), and closing the alert prematurely violates proper incident handling procedures. Option D is wrong because restarting the DNS service could destroy volatile evidence (e.g., in-memory artifacts, active connections) and does not remediate the underlying compromise, potentially allowing the threat to persist.

505
MCQhard

A security policy requires that all endpoints have host-based firewalls enabled. A user reports that an application stopped working after a recent update. What should the analyst do?

A.Escalate to the application vendor.
B.Create an exception rule for the application.
C.Roll back the update.
D.Disable the host firewall for that user.
E.Reinstall the application.
AnswerB

Aligns with policy while resolving the issue.

Why this answer

Option B is correct because creating an exception maintains the host-firewall policy while allowing the application to work. Option D (disabling the host firewall) violates policy. Option C (rolling back the update) may revert security patches.

Options A and E are less direct ways to resolve the issue.

506
MCQeasy

A security analyst notices repeated failed login attempts from a single IP address against multiple user accounts. What is the best immediate action to take?

A.Increase logging verbosity for the authentication server.
B.Change all user passwords immediately.
C.Disable the affected user accounts.
D.Block the source IP address on the firewall.
AnswerD

Blocking the IP address stops the brute-force attempt immediately.

Why this answer

Blocking the source IP address on the firewall is the best immediate action because it stops the ongoing brute-force attack at the network perimeter, preventing further authentication attempts from that IP without disrupting legitimate users. This aligns with the principle of containment before investigation, as the firewall ACL can be updated quickly to deny traffic from the offending source.

Exam trap

Cisco often tests the candidate's ability to prioritize containment over investigation or remediation; the trap here is that candidates may choose to increase logging (Option A) to gather evidence, but the immediate action must stop the active attack first.

How to eliminate wrong answers

Option A is wrong because increasing logging verbosity does not stop the attack; it only generates more log data, which could overwhelm storage and delay response. Option B is wrong because changing all user passwords is disruptive, time-consuming, and does not address the source of the attack—the attacker can simply continue trying new passwords against the same accounts. Option C is wrong because disabling affected user accounts would deny service to legitimate users and does not prevent the attacker from targeting other accounts from the same IP.

507
MCQhard

A company is implementing a new data classification policy. The policy defines three levels: Public, Internal, and Confidential. An employee accidentally emails a spreadsheet marked 'Confidential' to an external partner. The email system automatically encrypts all outbound emails containing 'Confidential' classification. Which security control is being demonstrated?

A.Auditing
B.Encryption at rest
C.Data Loss Prevention (DLP)
D.Access control
AnswerC

DLP controls can automatically encrypt outbound emails containing sensitive data based on classification.

Why this answer

Option C is correct because the email system automatically encrypts outbound emails based on their classification label, which is a data loss prevention (DLP) function. Option D is wrong because access control restricts who can access data, not how it is transmitted. Option B is wrong because encryption at rest applies to stored data, not to email in transit.

Option A is wrong because auditing records events but does not prevent data loss.
