CCNA Security Concepts Questions

75 of 80 questions · Page 1/2 · Security Concepts · Answers revealed

Question 1 (MCQ, easy)

A small business uses a cloud-based email service. The IT administrator wants to protect against phishing attacks that target employees. Which security control should be implemented first?

A. Conduct weekly security awareness training
B. Install antivirus software on all endpoints
C. Deploy a web application firewall (WAF)
D. Enable multi-factor authentication (MFA) on email accounts

Answer: C

WAF is not directly applicable to email; it protects web applications. MFA is a more direct control against phishing.

Why this answer

A Web Application Firewall (WAF) is the correct first control because it can inspect and filter HTTP/HTTPS traffic to the cloud-based email service, blocking malicious links, scripts, and known phishing payloads before they reach users. Since phishing attacks often rely on deceptive URLs and web-based content, a WAF provides a proactive, network-layer defense that reduces the attack surface immediately, without requiring user behavior changes or endpoint configuration.

Exam trap

Cisco often tests the concept that phishing is primarily a web-based attack vector, so candidates mistakenly choose user training (A) or MFA (D) as the first control, overlooking that a WAF provides immediate, automated filtering of malicious web content at the network perimeter.

How to eliminate wrong answers

Option A is wrong because weekly security awareness training, while valuable, is a reactive, human-centric control that relies on employee vigilance and does not block the initial phishing attempt; it should complement technical controls, not be the first line of defense. Option B is wrong because antivirus software on endpoints primarily detects and removes malware after delivery, but phishing attacks often bypass traditional signature-based AV by using social engineering or zero-day exploits, and it does not inspect the email service's web traffic. Option D is wrong because multi-factor authentication (MFA) protects against credential theft after a user is tricked, but it does not prevent the phishing email from reaching the inbox or block malicious links; it is a critical secondary control but not the first layer of defense against the attack vector itself.

Question 2 (MCQ, medium)

A help desk receives a phone call from someone claiming to be from IT and requesting a password reset. What type of attack is this?

A. Social engineering
B. Phishing
C. Malware
D. Vishing

Answer: D

Vishing is voice phishing conducted over phone calls.

Why this answer

Vishing (voice phishing) is a social engineering attack conducted over voice communication, such as a phone call, where the attacker impersonates a legitimate entity (e.g., IT support) to trick the victim into revealing sensitive information or performing an action like a password reset. This matches the scenario exactly: a phone call from someone claiming to be from IT requesting a password reset.

Exam trap

Cisco often tests the distinction between the general category (social engineering) and the specific attack vector (vishing, phishing, smishing), so the trap here is that candidates see 'social engineering' and select it without recognizing that the question asks for the specific type of attack based on the communication method (phone call).

How to eliminate wrong answers

Option A is wrong because social engineering is the broader category of psychological manipulation, not the specific attack vector (phone call) described; the question asks for the type of attack, not the general technique. Option B is wrong because phishing typically involves electronic communication like email or fraudulent websites, not a direct voice call. Option C is wrong because malware refers to malicious software (e.g., viruses, worms, trojans) and does not involve direct human interaction via a phone call.

Question 3 (MCQ, hard)

Refer to the exhibit. A security analyst reviews this ACL on a firewall between a DMZ (10.0.1.0/24) and internal network (10.0.2.0/24). What is the effect of this ACL?

A. It allows MySQL traffic from internal network to DMZ
B. It allows MySQL traffic from DMZ to internal network and blocks all other traffic
C. It blocks all traffic from DMZ to internal network
D. It allows any traffic from DMZ to internal network

Answer: B

The first line permits MySQL (port 3306), the second denies everything else.

Why this answer

The ACL is applied inbound on the DMZ interface, meaning it filters traffic arriving from the DMZ (10.0.1.0/24) destined for the internal network (10.0.2.0/24). The first line permits TCP traffic from the DMZ to the internal network on port 3306 (MySQL). The second line is an explicit deny all, which blocks any other traffic from the DMZ to the internal network.

Therefore, the ACL allows only MySQL traffic from the DMZ to the internal network and denies everything else.

Exam trap

Cisco often tests the direction of ACL application—candidates frequently mistake inbound vs. outbound filtering, leading them to think the ACL controls traffic from the internal network when it actually controls traffic from the DMZ.

How to eliminate wrong answers

Option A is wrong because the ACL is applied inbound on the DMZ interface, so it controls traffic from the DMZ to the internal network, not from the internal network to the DMZ; MySQL traffic from internal to DMZ would require a different ACL on the internal interface. Option C is wrong because the ACL does not block all traffic; it explicitly permits MySQL (port 3306) traffic from the DMZ to the internal network. Option D is wrong because the ACL does not allow all traffic; it permits only MySQL and then denies all other traffic with the deny statement at the end.

Question 4 (Multi-select, easy)

Which TWO of the following are common indicators of a denial-of-service (DoS) attack?

Select 2 answers
A. A low level of network utilization on the target server
B. A gradual increase in traffic from multiple geographic locations
C. A high number of DNS queries from diverse source IPs
D. A sudden increase in traffic from a single source IP address
E. A large number of incomplete TCP connections (SYN packets without ACK)

Answers: D, E

This indicates a potential DoS attack from that IP.

Why this answer

Option D is correct because a sudden increase in traffic from a single source IP address is a classic indicator of a direct DoS attack, where the attacker uses a single compromised host to flood the target with packets, overwhelming its resources. This contrasts with a distributed denial-of-service (DDoS) attack, which uses multiple sources. The abrupt spike in volume from one IP is a clear anomaly that network monitoring tools flag as a potential DoS event.

Exam trap

Cisco often tests the distinction between a single-source DoS attack (option D) and a distributed DDoS attack (options B and C), where candidates may confuse the gradual increase from multiple locations as a DoS indicator instead of recognizing it as a DDoS characteristic.

Question 5 (MCQ, easy)

What is the primary goal of the 'integrity' pillar of the CIA triad?

A. Keep data secret from unauthorized users
B. Ensure data is accessible when needed
C. Provide proof that a user performed an action
D. Protect data from unauthorized modification

Answer: D

Integrity prevents unauthorized changes.

Why this answer

The 'integrity' pillar of the CIA triad ensures that data is not altered or tampered with by unauthorized parties. This is achieved through mechanisms such as hashing (e.g., SHA-256), checksums, and digital signatures that detect any unauthorized modification. Option D correctly identifies this goal, as protecting data from unauthorized modification is the core purpose of integrity controls.

Exam trap

Cisco often tests the distinction between integrity and non-repudiation, as candidates may confuse 'proof of action' (non-repudiation) with 'data unchanged' (integrity), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because keeping data secret from unauthorized users is the goal of the 'confidentiality' pillar, not integrity. Option B is wrong because ensuring data is accessible when needed is the goal of the 'availability' pillar, not integrity. Option C is wrong because providing proof that a user performed an action is the goal of 'non-repudiation', which is often associated with digital signatures and audit logs, not the integrity pillar itself.

Question 6 (MCQ, medium)

A security analyst is investigating a potential data exfiltration incident. The analyst notices that a server is sending encrypted data to an external IP address during non-business hours. The server is supposed to only communicate with internal systems. What is the best immediate action?

A. Disconnect the server from the network
B. Block the external IP address at the firewall
C. Notify the server's administrator
D. Capture a packet capture (PCAP) of the traffic for analysis

Answer: A

This immediately stops data transfer, preserving evidence and preventing further loss.

Why this answer

Option A is correct because disconnecting the server from the network immediately stops the potential data exfiltration by severing all communication paths. This is the fastest way to contain the threat and prevent further data loss, aligning with the first step in incident response: containment. In a suspected exfiltration scenario, preserving the system state for forensic analysis is secondary to stopping the active data transfer.

Exam trap

Cisco often tests the principle that containment must precede analysis; the trap here is that candidates choose 'Capture a PCAP' (Option D) because they think evidence collection is the first step, but in an active exfiltration, stopping the data loss is the priority.

How to eliminate wrong answers

Option B is wrong because blocking the external IP address at the firewall only prevents traffic to that specific IP, but the server could still be compromised and may attempt to communicate with other external IPs or use alternate protocols (e.g., DNS tunneling) to exfiltrate data. Option C is wrong because notifying the server's administrator introduces unnecessary delay; the immediate priority is containment, not notification, and the administrator may not be available or may inadvertently alert an insider threat. Option D is wrong because capturing a packet capture (PCAP) of the traffic for analysis is a forensic step that should occur after containment; continuing to allow the traffic to flow while capturing could result in further data loss and gives the attacker more time to complete the exfiltration.

Question 7 (MCQ, medium)

Which security principle ensures that a user cannot deny having performed an action?

A. Availability
B. Confidentiality
C. Non-repudiation
D. Integrity

Answer: C

Non-repudiation provides undeniable evidence.

Why this answer

Non-repudiation ensures that a user cannot deny having performed an action, typically by using cryptographic mechanisms such as digital signatures or audit logs. In network security, this is often implemented through protocols like PKI (Public Key Infrastructure) where a sender signs data with their private key, and the receiver verifies it with the corresponding public key, providing irrefutable proof of origin.

Exam trap

Cisco often tests the distinction between integrity and non-repudiation, where candidates mistakenly choose integrity because they associate hashing with proof of origin, but integrity only verifies data has not changed, not who sent it.

How to eliminate wrong answers

Option A is wrong because availability ensures that systems and data are accessible when needed, often through redundancy and fault tolerance, but it does not prevent denial of actions. Option B is wrong because confidentiality protects data from unauthorized disclosure via encryption or access controls, but it does not provide proof of who performed an action. Option D is wrong because integrity ensures that data has not been altered in transit or at rest, typically via hashing or checksums, but it does not tie an action to a specific user in a non-repudiable way.

Question 8 (MCQ, medium)

An analyst reviews the Cisco ASA syslog message shown in the exhibit. What does this entry indicate?

A. A successful HTTP connection from the outside to the inside server
B. A VPN tunnel initiation that was rejected due to authentication failure
C. An attempted connection from an external host to an internal web server that was blocked by the firewall
D. A NAT translation failure for an outbound connection

Answer: C

Correctly describes the denied inbound TCP connection to port 80.

Why this answer

The syslog message shows a deny action for an HTTP connection (port 80) from an external IP (outside) to an internal IP (inside). The '%ASA-4-106023' message indicates a packet was denied by the firewall's access control list (ACL). This matches the scenario of an attempted external-to-internal web connection being blocked, which is option C.

Exam trap

Cisco often tests the ability to distinguish between different syslog message IDs (e.g., 106023 for ACL denies vs. 305006 for NAT failures) and to correctly interpret the 'Deny' keyword as a block, not a successful connection.

How to eliminate wrong answers

Option A is wrong because the syslog explicitly says 'Deny', not 'Allow', so a successful HTTP connection is not indicated. Option B is wrong because VPN tunnel initiation failures are typically logged with different syslog IDs (e.g., 713228 for IKE failure) and involve authentication or phase-1/phase-2 errors, not a simple TCP deny on port 80. Option D is wrong because NAT translation failures generate syslog messages like '%ASA-3-305006' for 'no translation group found', not a deny action on a specific port/protocol.

Question 9 (MCQ, hard)

Refer to the exhibit. A security analyst is reviewing the ASA configuration. Which traffic will be permitted from the outside interface?

A. Any IP traffic to host 10.1.1.1
B. All traffic from the outside to the inside network
C. TCP traffic to host 10.1.1.1 on port 80
D. HTTP traffic from internal hosts to the outside

Answer: C

The first ACL line permits TCP to 10.1.1.1 port 80.

Why this answer

The correct answer is C because the ASA configuration shown includes an access-list entry that permits TCP traffic from any source to host 10.1.1.1 on port 80. This is the only rule that explicitly allows traffic from the outside interface to the inside network, and since the outside interface has the access-group applied inbound, only traffic matching this permit statement will be allowed.

Exam trap

Cisco often tests the distinction between 'any IP traffic' and 'any TCP traffic' — the trap here is that candidates may assume 'permit tcp any host 10.1.1.1 eq 80' allows all IP traffic to that host, but it strictly permits only TCP with destination port 80.

How to eliminate wrong answers

Option A is wrong because the access-list permits only TCP traffic to host 10.1.1.1, not any IP traffic (which would include UDP, ICMP, etc.). Option B is wrong because the access-list does not permit all traffic from outside to inside; it only permits TCP traffic to a specific host on a specific port. Option D is wrong because the question asks about traffic permitted from the outside interface, not traffic originating from internal hosts; HTTP traffic from internal hosts to the outside would be evaluated by a different access-list applied to the inside interface or by stateful inspection rules.
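The two ACL questions above (question 3, the DMZ ACL, and question 9, the outside-interface ACL) both turn on first-match evaluation, the implicit deny at the end, and which packets an inbound ACL actually sees. The evaluator below is an added illustration written for this page, not Cisco code; the rule and packet shapes and the interface names are assumptions, and the rules reproduce the two ACLs as the explanations describe them.

```python
"""First-match ACL evaluation for the two ACL questions above.

Added illustration, not Cisco code. Rule and packet shapes are the
author's assumptions; an implicit "deny ip any any" ends every ACL.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", "icmp", or "ip" (matches any protocol)
    src: str                 # source network in CIDR form; "0.0.0.0/0" means any
    dst: str                 # destination network in CIDR form
    dst_port: Optional[int]  # None means any destination port ("eq N" otherwise)


class Packet(NamedTuple):
    ingress: str             # interface the packet arrived on, e.g. "dmz"
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int]


def _matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching line). Index None means the
    packet fell through to the implicit deny at the end of the ACL."""
    for index, rule in enumerate(acl):
        if _matches(rule, pkt):
            return rule.action, index
    return "deny", None


def filter_inbound(acl: List[Rule], acl_iface: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """An ACL applied inbound on an interface only sees packets that arrive
    on that interface; traffic entering elsewhere is not evaluated by it."""
    if pkt.ingress != acl_iface:
        return "not-evaluated", None
    return evaluate(acl, pkt)


# Question 3: applied inbound on the DMZ interface
DMZ_IN = [
    Rule("permit", "tcp", "10.0.1.0/24", "10.0.2.0/24", 3306),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None),
]

# Question 9: applied inbound on the outside interface
OUTSIDE_IN = [
    Rule("permit", "tcp", "0.0.0.0/0", "10.1.1.1/32", 80),
]

if __name__ == "__main__":
    cases = [
        ("Q3 MySQL DMZ->internal", DMZ_IN, "dmz", Packet("dmz", "tcp", "10.0.1.5", "10.0.2.9", 3306)),
        ("Q3 SSH DMZ->internal", DMZ_IN, "dmz", Packet("dmz", "tcp", "10.0.1.5", "10.0.2.9", 22)),
        ("Q3 MySQL internal->DMZ", DMZ_IN, "dmz", Packet("inside", "tcp", "10.0.2.9", "10.0.1.5", 3306)),
        ("Q9 HTTP to 10.1.1.1", OUTSIDE_IN, "outside", Packet("outside", "tcp", "198.51.100.4", "10.1.1.1", 80)),
        ("Q9 UDP/80 to 10.1.1.1", OUTSIDE_IN, "outside", Packet("outside", "udp", "198.51.100.4", "10.1.1.1", 80)),
        ("Q9 HTTPS to 10.1.1.1", OUTSIDE_IN, "outside", Packet("outside", "tcp", "198.51.100.4", "10.1.1.1", 443)),
    ]
    for label, acl, iface, pkt in cases:
        print(f"{label:28} -> {filter_inbound(acl, iface, pkt)}")
```

The third case is the question 3 exam trap: internal-to-DMZ MySQL never reaches this ACL because it does not enter on the DMZ interface, so a separate ACL on the inside interface would decide it.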

Question 10 (Multi-select, easy)

Which TWO are examples of technical security controls? (Select two.)

Select 2 answers
A. Firewall
B. Security policy
C. Security awareness training
D. Background checks
E. Encryption

Answers: A, E

Firewalls are technical controls that filter network traffic.

Why this answer

A firewall is a technical security control because it is a hardware or software device that enforces access policies by inspecting network traffic based on rules (e.g., permit/deny IP addresses, ports, protocols). Encryption is a technical control that transforms plaintext data into ciphertext using algorithms like AES-256 or RSA, ensuring confidentiality during storage or transmission. Both are implemented through technology rather than administrative or physical means.

Exam trap

Cisco often tests the distinction between administrative, physical, and technical controls, and the trap here is that candidates confuse a security policy (a document) or training (a human process) with a technical control, because they are all part of a defense-in-depth strategy.

Question 11 (MCQ, hard)

A security engineer is designing a network to prevent an attacker who gains access to a web server from easily pivoting to the internal database server. Which architecture best achieves this goal?

A. Place both servers on the internal network with host-based firewalls
B. Place the web server in a DMZ and the database server on the internal network, with a firewall blocking outbound traffic from DMZ to internal
C. Use a VPN between the web server and database server
D. Place both servers on the same VLAN with a firewall between them

Answer: B

DMZ isolates web server; blocking outbound from DMZ prevents pivot.

Why this answer

Placing the web server in a DMZ and the database server on the internal network, with a firewall blocking outbound traffic from the DMZ to internal, prevents an attacker who compromises the web server from initiating connections to the internal database server. This implements a default-deny rule for DMZ-to-internal traffic, forcing all database access to be initiated from the internal network only, which breaks the pivot chain. The DMZ acts as a buffer zone, isolating publicly accessible services from sensitive internal resources.

Exam trap

Cisco often tests the misconception that host-based firewalls or VLANs alone provide sufficient segmentation, when in fact network-level DMZ isolation with explicit direction-based firewall rules is required to prevent lateral movement after a perimeter breach.

How to eliminate wrong answers

Option A is wrong because placing both servers on the internal network with host-based firewalls still allows the compromised web server to directly reach the database server if the host firewall is misconfigured or bypassed, and it lacks network-level segmentation to prevent lateral movement. Option C is wrong because a VPN between the web server and database server encrypts traffic but does not restrict the direction of connection initiation; an attacker on the web server could still use the VPN tunnel to pivot to the database server. Option D is wrong because placing both servers on the same VLAN with a firewall between them still permits Layer 2 adjacency and potential ARP spoofing or VLAN hopping attacks, and the firewall would need to inspect all traffic, which is less effective than true network segmentation with a DMZ.

Question 12 (Multi-select, medium)

Which TWO of the following are common network security protocols? (Choose two.)

Select 2 answers
A. IPsec
B. FTP
C. SSL
D. HTTP
E. SNMP

Answers: A, C

IPsec provides secure IP communications.

Why this answer

IPsec is a suite of protocols used to secure IP communications by authenticating and encrypting each IP packet in a data stream. It operates at the network layer (Layer 3) and is commonly used in VPNs to provide confidentiality, integrity, and authentication. This makes it a fundamental network security protocol.

Exam trap

Cisco often tests the distinction between protocols that are inherently secure (like IPsec and SSL/TLS) versus those that are not (like FTP, HTTP, and SNMPv1/v2c), leading candidates to mistakenly select common but insecure protocols as security protocols.

Question 13 (Multi-select, hard)

Which THREE of the following are key principles of zero trust security? (Choose three.)

Select 3 answers
A. Least privilege
B. Perimeter-based security
C. Never trust, always verify
D. Assume breach
E. Implicit trust

Answers: A, C, D

Least privilege limits access to only what is necessary.

Why this answer

Least privilege is a core principle of zero trust because it ensures users, devices, and applications are granted only the minimum permissions necessary to perform their functions. This limits the blast radius of a potential compromise by restricting lateral movement and access to sensitive resources. In zero trust, least privilege is enforced through granular policies, often using micro-segmentation and identity-based access controls, rather than relying on network location.

Exam trap

Cisco often tests whether candidates confuse zero trust with traditional perimeter defense, so the trap here is that 'perimeter-based security' sounds like a valid security principle but is actually the outdated model that zero trust aims to replace.

Question 14 (MCQ, hard)

A network engineer is designing a segmented network to protect a sensitive database. The database must be accessible only from a specific application server. Which security concept best describes this design?

A. Defense in depth
B. Separation of duties
C. Weakest link
D. Least privilege

Answer: D

Least privilege ensures that entities have only the access necessary to perform their functions.

Why this answer

Option D, least privilege, is correct because the design restricts access to the sensitive database to only the specific application server that requires it. This principle dictates that users, processes, or systems should be granted the minimum permissions necessary to perform their functions, thereby reducing the attack surface. By implementing network access control lists (ACLs) or firewall rules that permit traffic solely from the application server's IP address to the database port, the engineer enforces least privilege at the network layer.

Exam trap

Cisco often tests least privilege by framing it as a network segmentation or access control question, and the trap here is confusing it with defense in depth because both involve multiple layers, but least privilege specifically focuses on granting only the necessary permissions rather than layering controls.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy that employs multiple, overlapping controls (e.g., firewalls, IDS/IPS, encryption) to protect assets, not a single restriction between two specific hosts. Option B is wrong because separation of duties divides critical tasks among different individuals to prevent fraud or error (e.g., one admin creates accounts, another approves them), which is unrelated to network segmentation for database access. Option C is wrong because the weakest link concept refers to the idea that a system's security is only as strong as its most vulnerable component, not a design principle for restricting access between a specific application server and a database.

Question 15 (MCQ, hard)

Which type of traffic is most prominent in this NetFlow data?

A. SSH
B. HTTP
C. DNS
D. HTTPS

Answer: B

Port 80 is HTTP and has the most packets and bytes.

Why this answer

HTTP traffic is most prominent because the NetFlow data shows a high volume of packets and bytes on TCP port 80, which is the default port for HTTP. NetFlow records summarize traffic flows, and the large number of flows and bytes on port 80 indicates that HTTP is the dominant protocol in the captured data.

Exam trap

Cisco often tests the ability to distinguish between HTTP and HTTPS by port number, and the trap here is that candidates might assume HTTPS is more common due to modern encryption trends, but the NetFlow data explicitly shows higher traffic on port 80.

How to eliminate wrong answers

Option A is wrong because SSH uses TCP port 22, and the NetFlow data does not show significant traffic on that port. Option C is wrong because DNS primarily uses UDP port 53 (and sometimes TCP for zone transfers), and the data does not indicate a high volume of traffic on port 53. Option D is wrong because HTTPS uses TCP port 443, and while it may appear in the data, the question specifies that HTTP is the most prominent, meaning port 80 traffic exceeds port 443 traffic in this sample.
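Question 15 (reading which port dominates a NetFlow sample) and question 4 (the single-source surge and the pile of incomplete TCP handshakes) are both questions about summarising flow records. The checks below are an added example written for this page, not Cisco NetFlow tooling; the record layout, the cumulative-flags convention and the sample flows are constructed assumptions.

```python
"""Flow-record checks for questions 4 and 15: which protocol dominates, and
which indicators point at a single-source or SYN-flood style DoS.

Added example, not Cisco NetFlow tooling. Record fields and the sample
flows are constructed; `flags` holds the cumulative TCP flags of the flow.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int
    packets: int
    bytes: int
    flags: str    # cumulative TCP flags, e.g. "S" (SYN only) or "SPAF"; "" for udp


PORT_NAMES = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


def bytes_by_port(flows: List[Flow]) -> Counter:
    """Total bytes per destination port (what a NetFlow top-N report shows)."""
    totals = Counter()
    for f in flows:
        totals[f.dport] += f.bytes
    return totals


def most_prominent(flows: List[Flow]) -> Tuple[str, int]:
    """Name and byte count of the busiest well-known port."""
    port, total = bytes_by_port(flows).most_common(1)[0]
    return PORT_NAMES.get(port, str(port)), total


def half_open_sources(flows: List[Flow], threshold: int) -> Dict[str, int]:
    """Sources with at least `threshold` TCP flows that sent SYN but never
    carried an ACK: the incomplete-handshake indicator from question 4."""
    counts = Counter()
    for f in flows:
        if f.proto == "tcp" and "S" in f.flags and "A" not in f.flags:
            counts[f.src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def dominant_source(flows: List[Flow], min_share: float) -> Optional[Tuple[str, float]]:
    """Single source responsible for at least `min_share` of all flows
    (the sudden single-IP surge from question 4), or None."""
    counts = Counter(f.src for f in flows)
    src, n = counts.most_common(1)[0]
    share = n / len(flows)
    return (src, share) if share >= min_share else None


# Constructed sample: ordinary web and DNS activity plus one noisy host
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "10.1.1.10", "tcp", 80, 320, 260_000, "SPAF"),
    Flow("192.0.2.11", "10.1.1.10", "tcp", 80, 280, 240_000, "SPAF"),
    Flow("192.0.2.12", "10.1.1.10", "tcp", 80, 300, 250_000, "SPAF"),
    Flow("192.0.2.10", "10.1.1.10", "tcp", 443, 120, 150_000, "SPAF"),
    Flow("192.0.2.11", "10.1.1.10", "tcp", 443, 110, 140_000, "SPAF"),
    Flow("192.0.2.12", "10.1.1.10", "tcp", 22, 40, 9_000, "SPAF"),
    Flow("192.0.2.12", "10.1.1.53", "udp", 53, 6, 600, ""),
] + [
    # 50 one-packet SYN-only flows from a single host, never completed
    Flow("203.0.113.66", "10.1.1.10", "tcp", 80, 1, 60, "S") for _ in range(50)
]

if __name__ == "__main__":
    print("most prominent:", most_prominent(SAMPLE_FLOWS))
    print("half-open sources:", half_open_sources(SAMPLE_FLOWS, 20))
    print("dominant source:", dominant_source(SAMPLE_FLOWS, 0.5))
```

Note that the SYN-only flows barely move the byte totals (HTTP still wins on port 80 volume), which is why flow and flag counts, not bytes alone, are what expose a half-open flood.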

Question 16 (MCQ, hard)

A large e-commerce company experiences a data breach where customer credit card numbers are stolen. The investigation reveals that an attacker exploited a SQL injection vulnerability in the web application to extract the data from the database. The company's web development team claims they use parameterized queries and prepared statements. However, the forensic analysis shows that the injection occurred through a search functionality that concatenates user input directly into the SQL query. The application logs indicate that the search function was developed by a third-party vendor and integrated into the application six months ago. The company wants to prevent such incidents in the future. Which of the following is the most effective long-term solution?

A. Replace the third-party search module with a custom-developed one.
B. Establish a secure software development lifecycle (SSDLC) that includes security reviews for all third-party components.
C. Implement a web application firewall (WAF) with OWASP rules.
D. Conduct regular vulnerability scans and patch management.

Answer: B

An SSDLC integrates security into every phase of development, preventing vulnerabilities from being introduced in the first place.

Why this answer

Option B is correct because the root cause is a failure in the security review process for third-party components. Even though the company uses parameterized queries elsewhere, the third-party search module concatenates user input directly into SQL queries, bypassing that protection. Establishing an SSDLC with mandatory security reviews for all third-party components ensures that such vulnerabilities are caught before integration, addressing the process gap rather than just the symptom.

Exam trap

Cisco often tests the distinction between reactive controls (WAF, patching) and proactive process improvements (SSDLC), leading candidates to choose a technical fix like a WAF instead of addressing the root cause of insecure third-party code integration.

How to eliminate wrong answers

Option A is wrong because simply replacing the third-party module with a custom-developed one does not guarantee security; the custom code could also contain SQL injection flaws if not developed under secure coding practices. Option C is wrong because a WAF is a reactive, signature-based control that can be bypassed by sophisticated SQL injection payloads (e.g., using encoding or obfuscation) and does not fix the underlying insecure code. Option D is wrong because vulnerability scans and patch management are point-in-time checks that may miss logic flaws like SQL injection in custom or third-party code, and they do not enforce secure coding or review processes.
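The defect the scenario describes, a search function that splices user input into SQL text, is exactly what a security review of the vendor module should have flagged. The example below is added for this page (it is not the vendor's code) and shows the concatenated query beside the parameterized one on an in-memory SQLite table with constructed rows; the tautology search term is the standard textbook input used to show why the two behave differently.

```python
"""The search-function defect from question 16, side by side with the fix.

Added example (not the vendor's code). Uses an in-memory SQLite table with
constructed rows; the search term marked as an injection is a textbook
tautology, used here only to show why the concatenated query fails review.
"""
import sqlite3
from typing import Dict, List


def build_db() -> sqlite3.Connection:
    """Constructed product table; nothing here comes from a real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products (name) VALUES (?)",
        [("laptop",), ("phone",), ("headset",)],
    )
    return conn


def search_concatenated(conn: sqlite3.Connection, term: str) -> List[str]:
    """The vendor pattern: user input is spliced into the SQL text, so the
    database cannot tell query structure from data."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> List[str]:
    """The fix: the statement is fixed text and the term travels as a bound
    value, so quotes or comment markers in it are just characters.
    (LIKE wildcards % and _ inside the term still act as wildcards; escape
    them with an ESCAPE clause if that matters for the application.)"""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Constructed inputs: one ordinary search, one containing SQL syntax
NORMAL_TERM = "lap"
INJECTED_TERM = "zzz' OR 1=1 --"


def compare(term: str) -> Dict[str, List[str]]:
    """Run both implementations against a fresh table and return the results."""
    conn = build_db()
    try:
        return {
            "concatenated": search_concatenated(conn, term),
            "parameterized": search_parameterized(conn, term),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for term in (NORMAL_TERM, INJECTED_TERM):
        print(repr(term), compare(term))
```

For the ordinary term both functions return the same row; for the injected term the concatenated version returns every row because `--` comments out the closing quote and `OR 1=1` is always true, while the parameterized version returns nothing because no product name contains that string.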

Question 17 (MCQ, easy)

What is the meaning of this syslog message?

A. A TCP connection from outside to inside was denied.
B. A TCP connection from inside to outside was denied.
C. The access group name is incorrect.
D. A TCP connection was allowed from inside to outside.

Answer: A

The source is outside and destination inside, and it was denied.

Why this answer

The syslog message indicates that a TCP connection attempt from an outside (lower-security) zone to an inside (higher-security) zone was denied by the ASA's implicit or explicit access control. By default, the Cisco ASA denies all inbound traffic from a lower security level to a higher security level unless explicitly permitted by an access-list applied to the interface. The message 'denied' confirms the packet was dropped, not allowed.

Exam trap

Cisco often tests the default security-level behavior of the ASA, where candidates mistakenly assume that all denied traffic is from inside to outside, or that the message indicates an error in the access group name rather than a simple deny action.

How to eliminate wrong answers

Option B is wrong because the message specifies 'outside to inside' (inbound), not 'inside to outside' (outbound). Option C is wrong because the syslog message does not reference an access group name or any configuration error; it simply reports a denied connection. Option D is wrong because the message explicitly states 'denied', not 'allowed', and the direction is outside to inside, not inside to outside.
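Questions 8 and 17 both ask the reader to pull the action, the direction and the message type out of an ASA syslog line. The parser below is an added example, not Cisco software; the 106023 line layout follows the published ASA format, the message IDs in the table are the ones the explanations above name, and the sample log lines and interface security levels are constructed for the example.

```python
"""Parser for the Cisco ASA syslog messages discussed in questions 8 and 17.

Added example, not Cisco code. The message layout for 106023 follows the
published ASA format; the sample lines are constructed for the example
and use documentation address ranges.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Message IDs named on this page and what each reports
KNOWN_IDS = {
    "106023": "acl-deny",        # packet denied by an access-group
    "305006": "nat-failure",     # translation could not be created
    "713228": "ike-failure",     # VPN phase-1 / phase-2 problem
}

# Interface security levels (assumed values; ASA default is 100 inside, 0 outside)
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}

HEADER = re.compile(r"%ASA-(?P<severity>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
ACL_DENY = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def direction(src_if: str, dst_if: str) -> str:
    """Lower to higher security level is inbound, the reverse is outbound."""
    return "inbound" if SECURITY_LEVEL[src_if] < SECURITY_LEVEL[dst_if] else "outbound"


def parse_asa(line: str) -> Optional[Dict[str, object]]:
    """Return the message ID, severity and kind; 106023 lines also get the
    five-tuple, the ACL name and the traffic direction."""
    m = HEADER.search(line)
    if not m:
        return None
    rec: Dict[str, object] = {
        "severity": int(m["severity"]),
        "msgid": m["msgid"],
        "kind": KNOWN_IDS.get(m["msgid"], "other"),
    }
    if rec["kind"] == "acl-deny":
        d = ACL_DENY.match(m["body"])
        if d:
            rec.update(d.groupdict())
            rec["src_port"] = int(d["src_port"])
            rec["dst_port"] = int(d["dst_port"])
            rec["action"] = "deny"
            rec["direction"] = direction(d["src_if"], d["dst_if"])
    return rec


def denied_inbound_targets(lines: Iterable[str]) -> Counter:
    """Count inbound ACL denies per (source IP, destination port): a quick
    view of which external hosts keep probing which internal services."""
    hits = Counter()
    for line in lines:
        rec = parse_asa(line)
        if rec and rec.get("action") == "deny" and rec.get("direction") == "inbound":
            hits[(rec["src_ip"], rec["dst_port"])] += 1
    return hits


# Constructed sample log lines for the example
SAMPLE_LOG = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.1.1.10/80 by access-group "outside_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:10.1.1.10/80 by access-group "outside_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/51236 dst inside:10.1.1.10/22 by access-group "outside_access_in" [0x0, 0x0]',
    '%ASA-3-305006: portmap translation creation failed for tcp src inside:10.1.2.20/4567 dst outside:198.51.100.7/443',
    '%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/40000 (203.0.113.9/40000) to inside:10.1.1.10/443 (10.1.1.10/443)',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_asa(line))
    print(denied_inbound_targets(SAMPLE_LOG))
```

The last sample line is a built (allowed) connection: it carries no "Deny" and a different message ID, so the parser classifies it as "other" and it never enters the denied-targets count, which is the distinction question 8 option A misses.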

Question 18 (Multi-select, easy)

A security analyst is implementing multifactor authentication. Which TWO are considered factors? (Select two.)

Select 2 answers
A. Password
B. Last login time
C. User ID
D. Security group membership
E. RSA token

Answers: A, E

Password is a knowledge factor.

Why this answer

A password is a knowledge factor (something you know), which is one of the three primary categories of authentication factors. Multifactor authentication requires combining two or more distinct factors, and a password satisfies the 'something you know' requirement. Without a password, the authentication process would lack the knowledge-based element needed for multifactor verification.

Exam trap

Cisco often tests the distinction between identification (user ID) and authentication (factors that prove identity), leading candidates to mistakenly select user ID as a factor when it is only an identifier.

Question 19 (MCQ, easy)

A company wants to protect its internal network from external threats. Which security principle involves deploying multiple layers of security controls?

A. Least privilege
B. Defense in depth
C. Risk management
D. Separation of duties

Answer: B

Defense in depth uses multiple security layers to provide redundancy.

Why this answer

Defense in depth (option B) is the correct answer because it describes the strategy of layering independent security controls—such as firewalls, intrusion prevention systems (IPS), endpoint protection, and access controls—so that if one layer fails, another can still block or mitigate an attack. This principle ensures that no single point of failure can compromise the entire network, which is essential for protecting internal assets from external threats.

Exam trap

Cisco often tests the distinction between a broad security strategy (defense in depth) and a specific access control principle (least privilege), so candidates mistakenly choose least privilege when they see 'multiple layers' because they confuse 'layers of permissions' with 'layers of controls.'

How to eliminate wrong answers

Option A (Least privilege) is wrong because it focuses on granting users only the minimum permissions needed to perform their tasks, not on deploying multiple layers of security controls. Option C (Risk management) is wrong because it is a broader process of identifying, assessing, and prioritizing risks, not a specific design principle for implementing layered defenses. Option D (Separation of duties) is wrong because it prevents fraud or error by dividing critical tasks among multiple individuals, which is an administrative control, not a technical architecture for layered security.

Question 20 (MCQ, hard)

You are a security analyst for a mid-sized company with a flat network topology. The company uses a single firewall for internet access and has no internal segmentation. Recently, the IT team deployed a new file server running Windows Server 2019. The server was configured with default settings and placed in the same subnet as all user workstations. Two weeks later, the helpdesk receives multiple complaints about slow network performance. Upon investigation, you notice the file server's network interface is sending a high volume of broadcast traffic. Additionally, you find that the server's firewall is disabled and it is running an outdated SMBv1 protocol. The CEO is concerned about potential data loss and asks for immediate remediation. Which of the following is the most effective and immediate course of action to address the most critical security vulnerability?

A. Enable the Windows Firewall on the file server and create rules to allow only essential traffic.
B. Configure the switch to block broadcast traffic on the file server's port.
C. Create VLANs to segment the file server from user workstations.
D. Disable SMBv1 on the file server using PowerShell or Registry.

Answer: D

This directly removes the critical vulnerability exploited by malware.

Why this answer

D is correct because the most critical security vulnerability is the outdated SMBv1 protocol. Its implementation flaws (patched under MS17-010) are what the EternalBlue exploit abuses, and that exploit is how the WannaCry and NotPetya ransomware spread from host to host without any user action; a file server with SMBv1 enabled and no host firewall, sitting in the same subnet as every workstation, is exactly the target those outbreaks were built for. Disabling SMBv1 immediately removes this attack vector and addresses the CEO's concern about potential data loss; on Windows Server 2019 `Set-SmbServerConfiguration -EnableSMB1Protocol $false` turns the server side off at once, and removing the SMB1 feature entirely is the permanent fix (it requires a reboot). While the broadcast traffic and the disabled firewall are real issues that should be fixed right after, SMBv1 poses the direct and severe risk to data integrity and confidentiality.

Exam trap

Cisco often tests the concept that while network segmentation and firewalls are important security controls, they do not eliminate the underlying protocol vulnerability; the trap here is that candidates may focus on the broadcast traffic symptom or choose a slower, less direct solution like VLANs instead of the immediate fix of disabling the vulnerable service.

How to eliminate wrong answers

Option A is wrong because enabling the Windows Firewall, while beneficial, does not address the SMBv1 vulnerability: SMB on TCP port 445 is essential traffic for a file server, so a rule set that allows only essential traffic still admits the very connections that carry the exploit, and the outdated protocol remains exploitable from any permitted client. Option B is wrong because blocking broadcast traffic on the switch port would disrupt legitimate network discovery and communication (e.g., NetBIOS name resolution), and it treats a symptom without mitigating the SMBv1 security flaw. Option C is wrong because creating VLANs is a longer-term segmentation strategy that requires network reconfiguration and does not provide immediate remediation; it also does not directly disable the vulnerable SMBv1 protocol, which remains reachable by whatever hosts the new segment still allows through.

21
MCQmedium

A user reports receiving an email with an urgent request to click a link and reset a password. The email appears to come from the company's IT department but has slight spelling errors. Which type of attack is this?

A.Phishing
B.Spear phishing
C.Whaling
D.Vishing
AnswerB

Spear phishing is targeted, often impersonating a trusted entity.

Why this answer

Spear phishing is a targeted phishing attack where the attacker customizes the email content for a specific individual or group, often using internal details (like the IT department) to increase credibility. The presence of slight spelling errors is a common indicator of a phishing attempt, but the targeted nature (appearing to come from the company's IT department) distinguishes this as spear phishing rather than generic phishing.

Exam trap

Cisco often tests the distinction between generic phishing and spear phishing by including a detail that indicates targeting (like referencing a specific department or role), leading candidates to incorrectly choose 'Phishing' when the scenario clearly shows targeted customization.

How to eliminate wrong answers

Option A is wrong because phishing is a broad, untargeted attack sent to many users, whereas this scenario describes a targeted email appearing to come from the company's IT department, which is characteristic of spear phishing. Option C is wrong because whaling targets high-profile executives (e.g., CEO, CFO) with highly personalized content, not a general user reporting an IT password reset request. Option D is wrong because vishing (voice phishing) uses phone calls or voice messages, not email, to trick victims into revealing sensitive information.

22
MCQmedium

Refer to the exhibit. What traffic is the router permitting?

A.Telnet
B.HTTP
C.SSH
D.FTP
AnswerC

Port 22 is used by SSH.

Why this answer

The router is permitting SSH traffic because the access control list (ACL) matches TCP port 22, which is the default port for SSH. SSH provides encrypted remote administration, and the ACL entry permits inbound TCP connections to port 22, allowing secure shell access to the router.

Exam trap

Cisco often tests the association between common services and their default port numbers, and the trap here is confusing SSH (port 22) with Telnet (port 23) or assuming HTTP/HTTPS (ports 80/443) are permitted when only port 22 is explicitly allowed.

How to eliminate wrong answers

Option A is wrong because Telnet uses TCP port 23, not port 22, and the ACL specifically permits port 22. Option B is wrong because HTTP uses TCP port 80, which is not matched by the ACL. Option D is wrong because FTP uses TCP ports 20 and 21, neither of which is port 22.

23
MCQmedium

A security analyst reviews logs and finds multiple failed login attempts from a single IP. This is indicative of what type of attack?

A.Man-in-the-middle
B.Phishing
C.DDoS
D.Brute-force
AnswerD

Repeated failed login attempts from one source suggest a brute-force attack.

Why this answer

Multiple failed login attempts from a single IP address are characteristic of a brute-force attack, where an attacker systematically tries many passwords (or usernames) against a single account or service until successful. This pattern is distinct from other attack types because it involves repeated authentication attempts from one source, aiming to guess credentials rather than intercept traffic, deceive users, or overwhelm resources.

Exam trap

Cisco often tests the distinction between a brute-force attack (single source, many attempts) and a DDoS attack (many sources, high volume of traffic), so the trap here is confusing a single-source authentication attack with a distributed resource exhaustion attack.

How to eliminate wrong answers

Option A is wrong because a man-in-the-middle attack involves an attacker intercepting and potentially altering communications between two parties (e.g., ARP spoofing or SSL stripping), not repeated login attempts from a single IP. Option B is wrong because phishing relies on social engineering to trick users into revealing credentials or sensitive information via deceptive emails or websites, not on automated, repeated login attempts. Option C is wrong because a DDoS (Distributed Denial of Service) attack aims to overwhelm a target with traffic from multiple sources to disrupt service, not to guess passwords via repeated login failures from a single IP.

24
MCQeasy

A hospital's network security team has received reports from nurses that the patient record system has become unresponsive. Upon investigation, the IT administrator finds that the database server is experiencing extremely high disk I/O and the system logs show repeated failed login attempts from an internal IP address that belongs to a medical imaging device. The imaging device is known to run an outdated embedded OS that cannot be patched. The device is isolated on its own VLAN, but the VLAN is allowed to communicate with the database server on TCP port 1433 for legitimate purposes. The attack logs show that the database server is being targeted with a dictionary attack using the default 'sa' account. What should the security analyst do first to contain the incident without disrupting critical medical operations?

A.Block the imaging device's IP address at the core firewall.
B.Take the imaging device offline immediately and isolate it from the network.
C.Disable the VLAN allowing communication between the imaging device and the database server.
D.Change the database server's 'sa' account password and implement account lockout policies.
AnswerD

This stops the ongoing dictionary attack without disrupting other services, because it acts on the account under attack rather than on the network path that legitimate imaging traffic also uses.

Why this answer

Option D is correct because the immediate priority is to stop the ongoing dictionary attack against the database server's 'sa' account without disrupting critical medical operations. Changing the 'sa' password and implementing account lockout policies directly mitigates the brute-force attack at the authentication layer, while leaving the imaging device and its VLAN operational so that legitimate medical imaging traffic can continue. This containment step buys time for a more permanent solution, such as replacing or further isolating the vulnerable device. Note that the imaging device is the source of the attack traffic, so it should be treated as compromised and investigated as the next step; the question asks only for the first action that contains the incident without interrupting patient care.

Exam trap

Cisco often tests the principle of 'least disruption' in incident response, and the trap here is that candidates instinctively choose network-level blocks (firewall or VLAN disable) without considering that the attack is credential-based and can be contained at the application layer, preserving critical business functions.

How to eliminate wrong answers

Option A is wrong because blocking the imaging device's IP at the core firewall would disrupt legitimate communication on TCP port 1433, potentially halting critical medical imaging workflows and violating the requirement to not disrupt operations. Option B is wrong because taking the imaging device offline immediately would stop all legitimate imaging traffic, causing direct disruption to patient care; the device is already isolated on its own VLAN, and the immediate harm is to the database server, which can be protected at the account level without pulling the device. Option C is wrong because disabling the entire VLAN would cut off all communication between the imaging device and the database server, including legitimate traffic, which would disrupt medical operations and is not a targeted containment measure.

25
MCQhard

To protect sensitive data at rest, a company uses AES-256 encryption. This primarily ensures which security goal?

A.Confidentiality
B.Availability
C.Integrity
D.Non-repudiation
AnswerA

Encryption protects data from unauthorized disclosure.

Why this answer

AES-256 encryption transforms plaintext data into ciphertext using a 256-bit symmetric key, rendering it unreadable without the correct decryption key. This directly ensures confidentiality by preventing unauthorized access to the stored data, even if the storage medium is compromised.

Exam trap

Cisco often tests the distinction between encryption (confidentiality) and hashing (integrity), so the trap here is confusing AES-256's role in protecting data from unauthorized reading with the ability to detect tampering, which would require a separate integrity mechanism.

How to eliminate wrong answers

Option B is wrong because availability refers to ensuring data is accessible when needed, typically addressed by redundancy, backups, and fault tolerance, not encryption. Option C is wrong because integrity ensures data has not been tampered with, usually provided by hashing algorithms (e.g., SHA-256) or HMAC, not encryption alone. Option D is wrong because non-repudiation prevents a party from denying an action, achieved through digital signatures and public key infrastructure (PKI), not symmetric encryption like AES-256.

26
MCQhard

A company's security policy requires that all remote access connections be authenticated using a certificate. Which type of control is this?

A.Corrective
B.Preventive
C.Detective
D.Deterrent
AnswerB

Preventive controls block unauthorized access, as does certificate authentication.

Why this answer

Requiring a certificate for remote access authentication enforces a specific identity verification method before granting access. This is a preventive control because it stops unauthorized connections from being established by ensuring only devices with a valid certificate can initiate the session, directly blocking access before any data exchange occurs.

Exam trap

Cisco often tests the distinction between preventive and deterrent controls, where candidates mistakenly choose deterrent because they think a certificate requirement 'discourages' attackers, but the correct classification is preventive because it technically enforces authentication and blocks access without it.

How to eliminate wrong answers

Option A is wrong because corrective controls (e.g., restoring from backup after a breach) are applied after an incident to mitigate damage, not before access is granted. Option C is wrong because detective controls (e.g., logging failed authentication attempts) identify ongoing or past violations but do not block the initial connection. Option D is wrong because deterrent controls (e.g., warning banners) discourage malicious behavior through fear of consequences but do not technically enforce authentication like a certificate requirement does.

27
MCQeasy

An organization wants to classify data based on its sensitivity and impact if disclosed. Which security principle is being applied?

A.Defense in depth
B.Confidentiality, integrity, and availability (CIA)
C.Least privilege
D.Data loss prevention
AnswerB

Data classification directly supports confidentiality and integrity by applying appropriate controls.

Why this answer

The organization's goal is to classify data based on sensitivity and impact if disclosed, which directly aligns with the confidentiality component of the CIA triad. Confidentiality ensures that sensitive information is accessed only by authorized individuals, and classification is the foundational step to enforce this principle. The CIA triad (Confidentiality, Integrity, Availability) is the core security model that governs how data is protected based on its value and risk.

Exam trap

Cisco often tests the distinction between a security principle (CIA) and a security mechanism (DLP, least privilege, defense in depth), leading candidates to confuse the 'what' (classification) with the 'how' (implementation).

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, encryption) to protect assets, not a principle for classifying data by sensitivity. Option C is wrong because least privilege is an access control principle that grants only the minimum permissions needed to perform a task, which is applied after data classification, not the classification principle itself. Option D is wrong because data loss prevention (DLP) is a technology solution that monitors and prevents unauthorized data transfers, but it does not define how data should be classified based on sensitivity and impact.

28
MCQhard

During a forensic investigation, an analyst acquires a hard drive image using dd. What must be done to ensure the evidence is admissible in court?

A.Encrypt the image
B.Use a write blocker
C.Compress the image
D.Store the image in a shared folder
AnswerB

Write blockers prevent modification of the original evidence.

Why this answer

Using a write blocker ensures that the hard drive is not modified during acquisition, preserving the original data's integrity. This is critical for maintaining the chain of custody and demonstrating that the evidence has not been tampered with, which is a fundamental requirement for admissibility in court. The dd command itself does not prevent writes (mounting the source, or a single mistyped `of=` argument, can alter it); a hardware or software write blocker must be used to guarantee read-only access. In practice the acquisition is also documented by computing a cryptographic hash (e.g., SHA-256) of the source drive and of the resulting image and recording both, so that the two can be shown to match and any later change to the image can be detected.

Exam trap

Cisco often tests the distinction between integrity preservation (write blocker) and other security goals like confidentiality (encryption) or storage efficiency (compression), leading candidates to confuse admissibility requirements with general best practices.

How to eliminate wrong answers

Option A is wrong because encrypting the image protects confidentiality but does not preserve integrity or prevent modification during acquisition; it could even complicate verification of the original data. Option C is wrong because compressing the image reduces storage size but does nothing to show the evidence was collected without alteration; lossless compression (as used by forensic image formats) does not change the data, but it is a storage choice, not an integrity control. Option D is wrong because storing the image in a shared folder increases the risk of unauthorized access or modification, which could break the chain of custody and make the evidence inadmissible.

29
MCQhard

A company implements a policy where users must authenticate with a password and a one-time code from a token. Which AAA component is strengthened by this policy?

A.Authentication
B.Accounting
C.Auditing
D.Authorization
AnswerA

Multi-factor authentication strengthens the authentication component of AAA.

Why this answer

Authentication is the AAA component that verifies the identity of a user. By requiring both a password (something you know) and a one-time code from a token (something you have), the policy implements multi-factor authentication (MFA), which directly strengthens the authentication process. This ensures that even if a password is compromised, an attacker cannot authenticate without the token.

Exam trap

Cisco often tests the distinction between authentication and authorization, where candidates mistakenly think that adding a token strengthens authorization (access control) rather than the identity verification step.

How to eliminate wrong answers

Option B (Accounting) is wrong because accounting tracks user activities and resource consumption (e.g., login/logout times, data transferred) for auditing or billing, not the verification of identity. Option C (Auditing) is wrong because auditing is a separate process of reviewing logs and records to detect security events or compliance violations, not a core AAA component that handles identity verification. Option D (Authorization) is wrong because authorization determines what resources or actions an authenticated user is permitted to access, not the method of proving identity.

30
Multi-Selectmedium

Which TWO are common indicators of a phishing email? (Select two.)

Select 2 answers
A.Urgent call to action
B.Personal salutation
C.Generic greeting
D.Proper spelling and grammar
E.Matching sender domain
AnswersA, C

Phishing creates urgency to trick victims into acting quickly.

Why this answer

Phishing emails often create a false sense of urgency to pressure recipients into acting without verifying the source. An urgent call to action, such as 'Your account will be suspended in 24 hours,' is a classic social engineering tactic that exploits fear or time pressure to bypass rational scrutiny. A generic greeting such as 'Dear Customer' or 'Dear User' is the second indicator: a mass phishing campaign is sent to many recipients the attacker knows nothing about, so it cannot address them by name, whereas a legitimate sender that holds your account would normally do so.

Exam trap

Cisco often tests the distinction between generic phishing (mass, untargeted) and spear phishing (targeted, personalized), so candidates mistakenly select 'Personal salutation' as a common indicator when it actually indicates a more advanced attack, not a typical phishing email.

31
MCQeasy

Which type of malware is designed to spread automatically across networks without user interaction?

A.Ransomware
B.Virus
C.Trojan
D.Worm
AnswerD

Worms spread autonomously across networks.

Why this answer

A worm is a standalone malware program that replicates itself to spread to other computers over a network, often exploiting vulnerabilities without any user intervention. Unlike viruses, worms do not require a host file or user action to propagate, making them capable of rapid, automated spread across networks.

Exam trap

Cisco often tests the distinction between a virus and a worm, where the trap is that candidates confuse 'self-replicating' with 'requires a host file,' leading them to incorrectly choose virus instead of worm for autonomous network spread.

How to eliminate wrong answers

Option A is wrong because ransomware is defined by what it does (encrypting files and demanding payment), not by how it spreads; it typically arrives through user interaction (e.g., clicking a link or opening an attachment), and the cases that did spread automatically, such as WannaCry, did so because the ransomware carried a worm component. Option B is wrong because a virus attaches itself to a legitimate host file or program and relies on user action (e.g., running the infected file) to spread, not autonomous network propagation. Option C is wrong because a Trojan disguises itself as legitimate software to trick users into installing it, and it does not self-replicate or spread automatically across networks.

32
MCQeasy

Refer to the exhibit. Which security protocol is being configured?

A.IPsec VPN (IKE phase 1)
B.SSL VPN
C.MACsec
D.SSH
AnswerA

The crypto isakmp policy configures IKE phase 1 for IPsec.

Why this answer

The exhibit shows the configuration of an IPsec VPN IKE phase 1 policy using the `crypto isakmp policy` command. The parameters set—encryption algorithm (e.g., aes), hash algorithm (e.g., sha), Diffie-Hellman group (e.g., 2), and authentication method (e.g., pre-share)—are all specific to IKE phase 1, which establishes a secure authenticated channel for further key exchange. This is not used for SSL VPN, MACsec, or SSH, as those protocols have distinct configuration syntax and purposes.

Exam trap

Cisco often tests whether candidates can recognize which protocol a configuration block belongs to, so the trap here is that candidates see the word 'crypto' and associate it with SSL VPN or SSH, or confuse the IKE phase 1 policy (`crypto isakmp policy`) with the phase 2 transform set (`crypto ipsec transform-set`) that defines how the actual data traffic is protected.

How to eliminate wrong answers

Option B is wrong because SSL VPN is configured using `webvpn` or `crypto ssl` commands, not `crypto isakmp policy`. Option C is wrong because MACsec is configured under interface mode with `mka` or `macsec` commands, not with a global ISAKMP policy. Option D is wrong because SSH is configured using `ip ssh` or `crypto key generate rsa` commands, and it does not use IKE phase 1 parameters like Diffie-Hellman groups or encryption algorithms in a policy block.

33
MCQmedium

During an incident, the analyst finds that an attacker modified system files. Which security principle was primarily violated?

A.Confidentiality
B.Availability
C.Integrity
D.Non-repudiation
AnswerC

Integrity ensures data and systems are not tampered with; file modification violates this.

Why this answer

Integrity ensures that data and system files are not altered by unauthorized entities. When an attacker modifies system files, the trustworthiness and accuracy of those files are compromised, directly violating the integrity principle. This is distinct from confidentiality (unauthorized disclosure) or availability (denial of service).

Exam trap

Cisco often tests the distinction between integrity and availability by presenting a scenario where an attacker modifies files (integrity) rather than deleting them or causing a denial of service (availability), leading candidates to mistakenly choose availability.

How to eliminate wrong answers

Option A is wrong because confidentiality concerns unauthorized access to or disclosure of information, not unauthorized modification. Option B is wrong because availability ensures that systems and data are accessible when needed; file modification does not inherently prevent access. Option D is wrong because non-repudiation provides proof of origin or delivery of data (e.g., via digital signatures), not protection against unauthorized changes.

34
MCQhard

A security analyst reviews system logs and notices multiple failed login attempts from a single IP address to different user accounts over a short period. The analyst then sees a successful login for one account. Which type of attack is most likely occurring?

A.Brute force
B.Dictionary attack
C.Credential stuffing
D.Password spraying
AnswerD

Password spraying tries a few passwords across many accounts to avoid lockouts.

Why this answer

Password spraying (D) is the correct answer because the attacker attempts a small number of common passwords against many user accounts, avoiding account lockout thresholds. The pattern of multiple failed logins from a single IP across different accounts, followed by a single success, matches this low-and-slow technique rather than targeting one account with many passwords.

Exam trap

Cisco often tests the distinction between password spraying and credential stuffing by emphasizing the use of a single IP and multiple accounts versus reused breach data, leading candidates to confuse credential stuffing (which requires known pairs) with this broader password-guessing method.

How to eliminate wrong answers

Option A (Brute force) is wrong because it typically involves many password attempts against a single account, not multiple accounts from one IP. Option B (Dictionary attack) is wrong because it uses a list of likely passwords against one account, not spreading attempts across accounts. Option C (Credential stuffing) is wrong because it uses previously breached username/password pairs from other services, not a single IP trying common passwords across accounts.

35
MCQhard

An organization has implemented a security information and event management (SIEM) system. The SOC analyst receives an alert indicating a high number of failed login attempts from a single IP address targeting a critical server. The analyst checks the server logs and finds that the server is configured to lock the account after 5 failed attempts. However, the alert shows thousands of attempts. Which of the following explains this discrepancy?

A.The failed attempts are against different usernames, not the same account
B.The attacker is using a brute-force tool that bypasses account lockout
C.The server's logging is not capturing all authentication events
D.The SIEM alert is a false positive due to a misconfiguration
AnswerA

This is a common technique to avoid lockout; each account may have only a few attempts, but total attempts across many accounts are high.

Why this answer

The account lockout policy (5 failed attempts) applies per individual username, not per source IP address. If the attacker is attempting to authenticate with many different usernames from the same IP, each username can fail up to 5 times before being locked, allowing thousands of total failed attempts across different accounts. The SIEM aggregates all failed authentication events from that IP, while the server's lockout mechanism only triggers per user, explaining the discrepancy.

Exam trap

Cisco often tests the distinction between account lockout (per user) and failed login events (per source IP), trapping candidates who assume lockout limits total attempts from an IP rather than per-username attempts.

How to eliminate wrong answers

Option B is wrong because a brute-force tool cannot bypass a lockout that the authentication system (e.g., Windows Active Directory or Linux PAM) enforces on the server side per account, regardless of the tool used; this is precisely why attackers spread their attempts across many accounts instead. Option C is wrong because if the server were missing log entries, the SIEM would show fewer events than the server, not more; the alert shows thousands of attempts, indicating logging is capturing them. Option D is wrong because the alert is not a false positive; it accurately reflects the high volume of failed attempts from that IP, and the only thing out of place is the analyst's assumption that lockout limits total attempts from a source rather than attempts per username.
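The patterns in questions 23, 34 and 35 (many failures from one source, and a lockout that counts per account while the SIEM counts per IP) can be checked mechanically. The following Python is an added example, not code from the page: it parses a constructed log in a hypothetical `time src_ip user FAIL|SUCCESS` format (adapt the parser to your syslog or Windows event 4625 output), groups failures by source IP, and labels each source as brute force (one account, many tries) or password spraying (several accounts, each kept under the lockout threshold). The thresholds are assumed values.

```python
from collections import Counter, defaultdict

LOCKOUT_THRESHOLD = 5  # assumed per-account lockout, as in question 35
MIN_FAILURES = 5       # assumed: fewer failures than this is ordinary user error

# Constructed sample log (not real data), hypothetical format:
# "<time> <src_ip> <username> <FAIL|SUCCESS>"
# 10.0.0.9  hammers one account (brute force).
# 10.0.0.20 tries a few guesses against four accounts, never reaching the
#           lockout threshold on any of them (password spraying), then succeeds.
# 10.0.0.5  is a user who mistyped once.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.9 alice FAIL
2024-01-01T10:00:02 10.0.0.9 alice FAIL
2024-01-01T10:00:03 10.0.0.9 alice FAIL
2024-01-01T10:00:04 10.0.0.9 alice FAIL
2024-01-01T10:00:05 10.0.0.9 alice FAIL
2024-01-01T10:00:06 10.0.0.9 alice FAIL
2024-01-01T10:00:07 10.0.0.9 alice FAIL
2024-01-01T10:05:00 10.0.0.20 alice FAIL
2024-01-01T10:05:01 10.0.0.20 bob FAIL
2024-01-01T10:05:02 10.0.0.20 carol FAIL
2024-01-01T10:05:03 10.0.0.20 dave FAIL
2024-01-01T10:35:00 10.0.0.20 alice FAIL
2024-01-01T10:35:01 10.0.0.20 bob FAIL
2024-01-01T10:35:02 10.0.0.20 carol FAIL
2024-01-01T10:35:03 10.0.0.20 dave FAIL
2024-01-01T11:05:00 10.0.0.20 alice FAIL
2024-01-01T11:05:01 10.0.0.20 bob FAIL
2024-01-01T11:05:02 10.0.0.20 carol FAIL
2024-01-01T11:05:03 10.0.0.20 dave SUCCESS
2024-01-01T11:10:00 10.0.0.5 erin FAIL
2024-01-01T11:10:09 10.0.0.5 erin SUCCESS
"""


def parse_log(text):
    """Turn log lines into (time, src_ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("FAIL", "SUCCESS"):
            continue
        events.append(tuple(parts))
    return events


def summarize_by_source(events):
    """Per source IP: total failures, failures per account, and accounts that later succeeded."""
    summary = defaultdict(lambda: {"failures": 0, "per_account": Counter(), "successes": set()})
    for _time, ip, user, result in events:
        entry = summary[ip]
        if result == "FAIL":
            entry["failures"] += 1
            entry["per_account"][user] += 1
        else:
            entry["successes"].add(user)
    return dict(summary)


def classify(source):
    """Brute force: many failures concentrated on one account.
    Password spraying: failures spread over several accounts, each held below the
    lockout threshold, which is exactly how the attacker avoids triggering lockout."""
    per_account = source["per_account"]
    if source["failures"] < MIN_FAILURES:
        return "normal"
    if len(per_account) == 1:
        return "brute force"
    if len(per_account) >= 3 and max(per_account.values()) < LOCKOUT_THRESHOLD:
        return "password spraying"
    return "suspicious"


def lockout_view(source):
    """The question 35 discrepancy in numbers: lockout counts per username, the SIEM per IP."""
    worst = max(source["per_account"].values(), default=0)
    return {
        "total_failures_from_ip": source["failures"],
        "max_failures_on_one_account": worst,
        "accounts_targeted": len(source["per_account"]),
        "would_lock_any_account": worst >= LOCKOUT_THRESHOLD,
    }


def analyze(text=SAMPLE_LOG):
    """Full report keyed by source IP."""
    summary = summarize_by_source(parse_log(text))
    return {
        ip: {"pattern": classify(s), **lockout_view(s), "later_success_for": sorted(s["successes"])}
        for ip, s in summary.items()
    }


if __name__ == "__main__":
    for ip, report in analyze().items():
        print(ip, report)
```

The spraying source never exceeds three failures on any single account, so a per-account lockout of five never fires, yet the SIEM correctly counts eleven failures from that IP followed by a success: the alert and the server are both right, they are just counting different things.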

36
Multi-Selectmedium

Which THREE are examples of social engineering attacks? (Select three.)

Select 3 answers
A.Man-in-the-middle
B.Smishing
C.SQL injection
D.Phishing
E.Spear phishing
AnswersB, D, E

Smishing uses SMS messages for deception.

Why this answer

Smishing is a form of social engineering attack that uses SMS (Short Message Service) text messages to trick recipients into revealing sensitive information or clicking malicious links. Unlike technical attacks that exploit system vulnerabilities, smishing relies on psychological manipulation, making it a classic social engineering vector.

Exam trap

Cisco often tests the distinction between technical attacks (like MITM or SQL injection) and social engineering attacks (like smishing, phishing, and spear phishing), where the trap is that candidates confuse a technical attack vector with a human-targeted manipulation technique.

37
MCQeasy

Which principle ensures that a user cannot deny having performed an action?

A.Authentication
B.Accountability
C.Authorization
D.Non-repudiation
AnswerD

Non-repudiation provides evidence that an action occurred, preventing denial.

Why this answer

Non-repudiation ensures that a user cannot deny having performed an action, typically by binding the action to a private key that only that user holds, as with digital signatures backed by certificates from a PKI. A shared-key mechanism such as HMAC does not provide it: both parties hold the same key, so either of them could have produced the tag, which proves integrity and origin between the two of them but proves nothing to a third party. Without non-repudiation, a user could claim they never sent a message or executed a command, undermining audit trails and legal accountability.

Exam trap

Cisco often tests the distinction between accountability and non-repudiation, where candidates confuse logging/tracking (accountability) with cryptographic proof (non-repudiation), leading them to select 'Accountability' instead of 'Non-repudiation'.

How to eliminate wrong answers

Option A is wrong because authentication verifies the identity of a user or device (e.g., via passwords, certificates, or biometrics) but does not prevent the user from later denying they performed an action. Option B is wrong because accountability refers to the ability to trace actions back to a specific entity through logging and auditing, but it does not inherently provide cryptographic proof to prevent denial. Option C is wrong because authorization controls what resources or actions a user is permitted to access (e.g., via ACLs or RBAC), but it does not address the issue of denying past actions.

38
MCQmedium

An organization has implemented a security policy requiring all employees to change their passwords every 90 days. Which security goal does this policy primarily support?

A.Accountability
B.Availability
C.Confidentiality
D.Integrity
AnswerC

Regular password changes help protect sensitive information from unauthorized access.

Why this answer

Requiring password changes every 90 days primarily supports confidentiality by reducing the window of opportunity for an attacker to use a compromised credential. If a password is stolen or guessed, the mandatory rotation ensures that the stolen credential becomes invalid after 90 days, limiting unauthorized access to sensitive data. This directly aligns with the confidentiality goal of preventing disclosure to unauthorized parties. Note that current guidance such as NIST SP 800-63B no longer recommends forced periodic rotation without evidence of compromise, because it pushes users toward predictable variations; the exam nonetheless classifies the policy as a confidentiality control, and that classification is what the question tests.

Exam trap

Cisco often tests the distinction between confidentiality and integrity by presenting password policies as a control for data modification, when in fact password rotation primarily limits the exposure of stolen credentials, directly supporting confidentiality.

How to eliminate wrong answers

Option A is wrong because accountability refers to the ability to trace actions to a specific user, typically through logging and auditing, not through password expiration policies. Option B is wrong because availability ensures that systems and data are accessible when needed, which is not directly enhanced by password rotation; in fact, frequent changes can sometimes hinder availability if users get locked out. Option D is wrong because integrity focuses on protecting data from unauthorized modification, whereas password rotation primarily protects against unauthorized access (confidentiality), not data tampering.

39
MCQmedium

A system administrator needs to grant access to a database for a new employee. According to the principle of least privilege, what should be done?

A.Grant only the minimum required permissions
B.Grant temporary admin access
C.Grant no access until manager approves
D.Grant full access and remove later
AnswerA

Least privilege means granting the minimum necessary to do the job.

Why this answer

Option A (Grant only the minimum required permissions) is correct because least privilege means giving the new employee exactly the database rights the job requires and nothing more. Option B (Grant temporary admin access) is excessive: even short-lived administrative rights exceed what the task needs. Option C (Grant no access until manager approves) describes an approval workflow rather than the least-privilege principle; once approval is given, the question of how much access to grant still has to be answered. Option D (Grant full access and remove later) violates least privilege outright, and permissions granted 'for now' are rarely removed.

40
Multi-Selecthard

Which THREE are principles of the CIA triad? (Select three.)

Select 3 answers
A.Non-repudiation
B.Confidentiality
C.Accountability
D.Integrity
E.Availability
AnswersB, D, E

Confidentiality is a core principle of the CIA triad.

Why this answer

The CIA triad is the foundational security model consisting of Confidentiality, Integrity, and Availability. Option B (Confidentiality) is correct because it ensures that data is accessible only to authorized users, typically enforced through encryption (e.g., AES-256) and access control lists (ACLs). Option D (Integrity) is correct because it ensures data and systems are not altered by unauthorized parties, typically verified with hashing or HMACs. Option E (Availability) is correct because it ensures systems and data are accessible when needed, typically supported by redundancy, backups, and fault tolerance.

Exam trap

Cisco often tests the distinction between the CIA triad and other security principles like non-repudiation or accountability, leading candidates to mistakenly include them as part of the triad when they are separate concepts.

41
MCQ · easy

A security analyst needs to ensure data integrity. Which control best achieves this?

A. Logging
B. Encryption
C. Access control
D. Hashing
Answer: D

Hashing produces a unique hash that changes if data is altered, ensuring integrity.

Why this answer

Hashing is the correct control for ensuring data integrity because it produces a fixed-length digest (e.g., SHA-256) from the original data. Any change to the data, even a single bit, results in a completely different hash value, allowing the analyst to detect tampering or corruption. Unlike encryption, hashing is a one-way function that does not conceal the data but verifies its unchanged state.

Exam trap

Cisco often tests the distinction between confidentiality (encryption) and integrity (hashing), so the trap here is that candidates confuse encryption's ability to hide data with the ability to detect tampering, leading them to select encryption instead of hashing.

How to eliminate wrong answers

Option A is wrong because logging records events and provides an audit trail, but it does not verify that the data itself has not been altered. Option B is wrong because encryption protects confidentiality by transforming data into ciphertext, but it does not detect changes to the plaintext; a modified ciphertext may still decrypt to a different plaintext without alerting the analyst. Option C is wrong because access control restricts who can read or write data, but it does not provide a mechanism to verify that the data has remained unchanged after authorized access.

42
MCQ · medium

Refer to the exhibit. An analyst examines the port security status on a switch interface. What action should the analyst take to restore connectivity to the device connected to this port?

A. Remove the port from the VLAN
B. Clear the MAC address table on the switch
C. Shut down and re-enable the interface
D. Increase the maximum number of MAC addresses allowed
Answer: C

Re-enabling the interface after a shutdown clears the errdisable state.

Why this answer

When a port security violation occurs (e.g., a MAC address limit is exceeded or a sticky MAC changes), the switch can be configured to err-disable the interface. The standard remediation is to administratively shut down the interface (shutdown) and then re-enable it (no shutdown), which clears the error condition and restores connectivity. This is the only action that directly addresses the err-disable state caused by the security violation.

Exam trap

Cisco often tests the misconception that clearing the MAC address table or adjusting the MAC limit will restore connectivity, but the trap here is that the interface is in an err-disabled state, which requires a manual or automatic interface reset, not a table or configuration change.

How to eliminate wrong answers

Option A is wrong because removing the port from the VLAN does not clear the err-disable state or the security violation; it would only isolate the port from the network without resolving the underlying issue. Option B is wrong because clearing the MAC address table on the switch removes all dynamically learned MAC entries across all interfaces, but it does not clear the specific port security violation or the err-disable state on the affected interface. Option D is wrong because increasing the maximum number of MAC addresses allowed does not fix the current violation; it only prevents future violations if the current number of MACs is below the new limit, but the port remains err-disabled until it is manually or automatically recovered.

43
Multi-Select · hard

A security analyst discovers that an attacker exfiltrated data using DNS tunneling. Which TWO controls should be implemented to detect or prevent this? (Select two.)

Select 2 answers
A. Monitor DNS query sizes and frequencies
B. Use a DNS sinkhole
C. Disable recursive DNS on the internal DNS server
D. Implement DNSSEC
E. Block all DNS queries to external servers
Answers: A, B

Unusually large or frequent queries may indicate tunneling.

Why this answer

Option A is correct because DNS tunneling often involves unusually large query sizes (e.g., encoded data in subdomains) and abnormal query frequencies (e.g., thousands of requests per minute). Monitoring these metrics allows analysts to spot deviations from baseline behavior, which is a key detection technique for exfiltration via DNS. Option B is correct because a DNS sinkhole redirects malicious or suspicious DNS queries to a controlled IP address, effectively blocking the resolution of domains used for tunneling and preventing data from reaching the attacker's command-and-control server.

Exam trap

Cisco often tests the misconception that DNSSEC or disabling recursion can stop DNS tunneling, but DNSSEC only signs records and does not inspect payloads, while disabling recursion breaks internal resolution without affecting external tunneling via forwarders.

44
MCQ · easy

A security analyst notices that a user's account has been used to access sensitive data outside of normal working hours. Which security concept is being violated?

A. Non-repudiation
B. Confidentiality
C. Availability
D. Integrity
Answer: B

Confidentiality protects data from unauthorized access, which is the issue.

Why this answer

Option B is correct because confidential data was accessed by an unauthorized user, violating confidentiality. Option C is incorrect because availability refers to uptime, not data protection. Option D is incorrect because integrity ensures data is not altered, not that access is prevented.

Option A is incorrect because non-repudiation deals with proof of action, not access control.

45
MCQ · easy

What is the purpose of a security baseline?

A. To define the minimum acceptable security posture
B. To respond to security incidents
C. To encrypt sensitive data
D. To detect malware infections
Answer: A

Baselines establish secure configurations.

Why this answer

A security baseline defines the minimum acceptable security posture for systems, networks, and devices. It establishes a standard configuration that must be met to ensure a consistent level of security across the organization, such as requiring specific patch levels, disabling unnecessary services, and enforcing password policies. Without a baseline, there is no reference point to measure compliance or identify deviations that could indicate a security weakness.

Exam trap

Cisco often tests the distinction between a security baseline (a static reference standard) and operational security controls (like incident response or encryption), leading candidates to confuse the baseline with the tools or processes that enforce or detect security issues.

How to eliminate wrong answers

Option B is wrong because responding to security incidents is the purpose of an incident response plan (IRP) and associated procedures, not a security baseline. Option C is wrong because encrypting sensitive data is a specific security control or mechanism, often implemented via protocols like AES or TLS, not the overarching definition of a minimum security posture. Option D is wrong because detecting malware infections is the function of antivirus software, intrusion detection systems (IDS), or endpoint detection and response (EDR) tools, not a security baseline.

46
MCQ · medium

A security analyst is investigating a potential data exfiltration incident. The analyst notices that a large amount of data has been sent to an external IP address over port 443 during non-business hours. The company uses a proxy server that logs all outbound connections. Which action should the analyst take first to validate the suspicion?

A. Immediately block the external IP address at the firewall.
B. Run a packet capture on the internal server to analyze the payload.
C. Check the proxy logs to see the destination IP and user agent string.
D. Notify the security team lead and wait for further instructions.
Answer: C

Proxy logs provide details about the connection and can help identify if the traffic is suspicious.

Why this answer

Option C is correct because proxy logs contain the destination IP and user agent string, which are critical for validating whether the external IP is legitimate or malicious. By checking these logs first, the analyst can correlate the outbound connection with known threat intelligence or anomalous user agents without disrupting operations or consuming resources on unnecessary packet captures.

Exam trap

Cisco often tests the candidate's ability to prioritize log analysis over reactive actions, and the trap here is that candidates may jump to blocking the IP (Option A) or escalating (Option D) without first using available logs to validate the suspicion.

How to eliminate wrong answers

Option A is wrong because immediately blocking the external IP at the firewall could disrupt legitimate business traffic if the IP is later found to be benign, and it bypasses the validation step needed to confirm exfiltration. Option B is wrong because running a packet capture on the internal server is resource-intensive and may not be feasible if the server is remote or the traffic is already encrypted over TLS (port 443), making payload analysis ineffective without decryption keys. Option D is wrong because notifying the security team lead and waiting for further instructions delays the investigation and violates the principle of first validating the suspicion with available logs before escalating.

47
MCQ · hard

A mid-sized financial firm has a segmented network with a DMZ hosting a web server, an internal network with a database server, and an employee LAN. The security infrastructure includes a next-generation firewall (NGFW) with IPS, an endpoint detection and response (EDR) solution, and a SIEM. Over the past week, the SIEM has generated alerts for unusual outbound connections from the database server to an external IP address 198.51.100.33 on TCP port 443 during non-business hours. The EDR shows no malware on the database server, but a process named 'sqlsrv.exe' (the legitimate SQL Server process) is making these connections. The server's file integrity monitoring indicates that the sqlsrv.exe file has not been modified, but a memory dump reveals injected code that appears to be a reverse shell. The firewall logs show that the outbound connections are allowed because they match an existing rule permitting the database server to reach external update servers. The IP 198.51.100.33 is not on any threat intelligence feed as malicious, but it is geolocated to a country with known cybercrime activity. Which action should the security analyst take FIRST?

A. Isolate the database server from the network immediately to prevent data exfiltration.
B. Contact the software vendor to verify the digital signature of sqlsrv.exe.
C. Add a firewall rule to block outbound connections to 198.51.100.33.
D. Run a full antivirus scan on the database server using an updated signature database.
Answer: A

Containment is the first step in incident response to stop the attack.

Why this answer

The presence of injected reverse shell code in the memory of the legitimate sqlsrv.exe process indicates that the database server is actively compromised, regardless of the file integrity or EDR results. The immediate priority is to contain the threat by isolating the server from the network to prevent data exfiltration or lateral movement, as per incident response best practices (NIST SP 800-61).

Exam trap

The trap here is that candidates focus on the unchanged file hash or lack of malware alerts and choose a slower investigative step (like scanning or vendor contact), instead of recognizing that memory-resident code injection is an active compromise requiring immediate isolation.

How to eliminate wrong answers

Option B is wrong because verifying the digital signature of sqlsrv.exe is irrelevant; the file itself is unmodified, but the attack is via code injection into the running process, not file tampering. Option C is wrong because adding a firewall rule to block only the specific IP 198.51.100.33 is insufficient; the attacker could easily switch to a different C2 IP, and the immediate containment action should be network isolation. Option D is wrong because running a full antivirus scan is a secondary step; the EDR already shows no malware, and the attack is memory-resident (injected code), which may evade signature-based scans, so isolation must come first.

48
Multi-Select · medium

Which TWO security concepts are fundamental to the principle of least privilege? (Choose two.)

Select 2 answers
A. Role-based access control (RBAC)
B. Mandatory access control (MAC)
C. Need-to-know
D. Separation of duties
E. Defense in depth
Answers: A, C

RBAC implements least privilege by assigning permissions to roles.

Why this answer

Role-based access control (RBAC) is fundamental to the principle of least privilege because it assigns permissions based on job functions rather than individual users, ensuring users receive only the access necessary for their roles. The 'need-to-know' concept restricts access to information strictly required for a user's tasks, directly enforcing least privilege by limiting data exposure. Together, RBAC provides a scalable framework for access management, while need-to-know ensures granular data-level control.

Exam trap

Cisco often tests the distinction between 'need-to-know' (a least privilege concept) and 'separation of duties' (a fraud-prevention concept), causing candidates to mistakenly select separation of duties because both involve limiting access, but only need-to-know directly enforces least privilege.

49
MCQ · hard

In a risk management process, after identifying risks, the next step is to determine the potential impact and likelihood. This is known as:

A. Risk acceptance
B. Risk mitigation
C. Risk assessment
D. Risk transfer
Answer: C

Risk assessment quantifies impact and likelihood to prioritize risks.

Why this answer

After risks have been identified, the next logical step in the risk management process is to evaluate their potential impact and likelihood. This evaluation is formally known as risk assessment (or risk analysis), which quantifies or qualifies the risk level to prioritize subsequent treatment decisions. In the context of the 200-201 exam, risk assessment is a core component of the NIST SP 800-30 risk management framework.

Exam trap

Cisco often tests the order of the risk management process steps, and the trap here is confusing risk assessment (the evaluation step) with risk mitigation (the treatment step), leading candidates to select 'Risk mitigation' because they think of 'doing something about the risk' immediately after identification.

How to eliminate wrong answers

Option A is wrong because risk acceptance is a risk treatment strategy where an organization acknowledges the risk and chooses to tolerate it without active mitigation, not the step of determining impact and likelihood. Option B is wrong because risk mitigation involves implementing controls to reduce the risk level (e.g., deploying a firewall or patching a vulnerability), which occurs after the risk assessment has been completed. Option D is wrong because risk transfer shifts the financial burden of a risk to a third party (e.g., purchasing cyber insurance), which is also a post-assessment treatment decision, not the evaluation of impact and likelihood.

50
MCQ · easy

A security administrator needs to ensure that data transmitted between a web browser and a web server is encrypted. Which technology should be implemented?

A. HTTPS
B. TLS
C. SSH
D. IPsec
Answer: B

TLS is the standard protocol for encrypting web traffic, used by HTTPS.

Why this answer

TLS (Transport Layer Security) is the correct technology because it operates at the transport layer and provides encryption for data in transit between a web browser and a web server. HTTPS is not a separate encryption protocol but rather HTTP over TLS, meaning TLS is the underlying technology that actually performs the encryption. Therefore, the question asks for the technology to implement, and TLS is the direct answer.

Exam trap

The trap here is that candidates see 'HTTPS' and assume it is the encryption technology itself, but Cisco tests the understanding that HTTPS is merely HTTP over TLS, and the actual encryption mechanism is TLS.

How to eliminate wrong answers

Option A (HTTPS) is wrong because HTTPS is not a standalone encryption technology; it is HTTP running on top of TLS (or SSL), so the actual encryption is provided by TLS, not HTTPS itself. Option C (SSH) is wrong because SSH is used for secure remote administration and file transfers (e.g., SFTP, SCP), not for encrypting standard web browser-to-web server HTTP traffic. Option D (IPsec) is wrong because IPsec operates at the network layer and is typically used for securing VPN tunnels between networks or hosts, not for encrypting individual web sessions between a browser and a server.

51
MCQ · medium

An analyst reviews the ACL applied to the outside interface of a router. The analyst notices that traffic from 192.168.1.0/24 to 10.10.10.10 on port 443 is permitted, but all other traffic is denied and logged. Which of the following is a potential security issue with this ACL?

A. The deny statement with logging may generate excessive logs, potentially masking attacks.
B. The ACL is applied inbound on the outside interface, which could allow external traffic.
C. The permit statement does not have logging enabled, so traffic is not monitored.
D. The ACL allows all traffic from 192.168.1.0/24 to 10.10.10.10 on any port.
Answer: A

Excessive logging can bury important alerts in noise.

Why this answer

The ACL has a single permit statement for traffic from 192.168.1.0/24 to 10.10.10.10 on port 443, followed by a deny-all statement with logging enabled. This means every packet that does not match the permit rule generates a log entry. In a production environment, even normal background noise (e.g., scans, broadcast traffic) can produce thousands of log messages per second, overwhelming syslog storage and masking malicious activity.

The core issue is that logging on the deny-all can cause log flooding, not that the permit lacks logging.

Exam trap

Cisco often tests the misconception that logging on a permit statement is necessary for monitoring, when in fact the critical security issue is that logging on a deny-all can cause log flooding that masks real attacks.

How to eliminate wrong answers

Option B is wrong because the ACL is applied to the outside interface, but the question does not specify inbound or outbound direction; even if inbound, the permit statement only allows traffic from a private RFC 1918 source (192.168.1.0/24), which should never originate from the outside, so the real issue is the logging volume, not the direction. Option C is wrong because logging on the permit statement is not required for security monitoring; the deny-all with logging already captures denied traffic, and enabling logging on the permit would add unnecessary overhead without addressing the log-flooding risk. Option D is wrong because the ACL explicitly restricts traffic to destination 10.10.10.10 on port 443 only, not any port; the statement 'permit tcp 192.168.1.0 0.0.0.255 host 10.10.10.10 eq 443' limits both destination IP and port.

52
Multi-Select · medium

Which THREE of the following are common security controls used to defend against ransomware?

Select 3 answers
A. Implementing application whitelisting
B. Allowing macros in office documents
C. Disabling user accounts after 3 failed attempts
D. Regular offline backups
E. Network segmentation to limit lateral movement
Answers: A, D, E

Whitelisting prevents unauthorized executables, including ransomware, from running.

Why this answer

Application whitelisting is a security control that prevents unauthorized executables, scripts, and macros from running. By allowing only approved software to execute by default, it blocks ransomware payloads that arrive as unknown or untrusted files, even if a user inadvertently executes them.

Exam trap

Cisco often tests the distinction between preventive controls (like whitelisting) and reactive controls (like account lockout), and the trap here is confusing a brute-force mitigation with a ransomware defense, or assuming that enabling macros is a safe practice.

53
MCQ · medium

A company is deploying a new web application and wants to ensure it is secure against common web attacks. Which of the following is the most effective approach to validate the security of the application before going live?

A. Conduct a penetration test by an external firm
B. Run a vulnerability scanner against the application
C. Implement a web application firewall (WAF)
D. Perform a code review with static analysis tools
Answer: A

Penetration testing simulates real attacks and uncovers vulnerabilities that automated tools might miss.

Why this answer

A penetration test by an external firm provides a comprehensive, real-world assessment of security vulnerabilities.

54
Matching · medium

Match each security tool to its primary purpose.

Network scanning and discovery

Packet capture and analysis

Intrusion detection and prevention

Exploitation framework for penetration testing

Security information and event management (SIEM)

Why these pairings

These tools are commonly used in security operations.

55
MCQ · hard

Refer to the exhibit. What does this log entry indicate?

A. A denied TCP packet
B. A permitted UDP packet
C. A permitted ICMP packet
D. A denied ICMP packet
Answer: C

The log explicitly states 'permitted icmp'.

Why this answer

The log entry shows an ICMP packet with a permit action, as indicated by the 'permit' keyword and the protocol number 1 (ICMP). The source and destination IP addresses, along with the ICMP type and code, confirm it is an ICMP echo request (type 8, code 0). Therefore, this is a permitted ICMP packet.

Exam trap

Cisco often tests the ability to distinguish between protocol numbers (TCP=6, UDP=17, ICMP=1) and to correctly interpret the 'permit' or 'deny' action in log entries, leading candidates to confuse the protocol or the action.

How to eliminate wrong answers

Option A is wrong because the log entry shows protocol 1 (ICMP), not TCP (protocol 6), and the action is 'permit', not 'deny'. Option B is wrong because the log entry shows protocol 1 (ICMP), not UDP (protocol 17), and the action is 'permit', not 'deny'. Option D is wrong because the log entry shows the action as 'permit', not 'deny', and the protocol is ICMP, so it is a permitted ICMP packet.
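Serving both the ACL logging question (51) and the log-interpretation question (55) above, this added Python example (not from the original page) parses constructed lines shaped like Cisco IOS %SEC-6-IPACCESSLOGP (TCP/UDP) and %SEC-6-IPACCESSLOGDP (ICMP) messages, reads out action, protocol number and ICMP type/code, and measures how much of the log volume a logged deny-all produces. The sample lines, the ACL name and the flood ratio are assumptions.

```python
"""Interpret Cisco IOS ACL log entries and measure deny-log volume.

Added example, not from the original page. The sample lines are constructed
in the shape of IOS %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP messages;
the ACL name and the flood threshold are assumptions.
"""
import re
from collections import Counter

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}
LOG_FLOOD_RATIO = 0.7   # assumption: share of entries that are denies

# Constructed sample: two permits that match the ACL, then a burst of logged denies.
SAMPLE_LOG = """\
*May  1 03:00:00.101: %SEC-6-IPACCESSLOGDP: list OUTSIDE-IN permitted icmp 192.168.1.5 -> 10.10.10.10 (8/0), 1 packet
*May  1 03:00:00.230: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN permitted tcp 192.168.1.5(51200) -> 10.10.10.10(443), 1 packet
*May  1 03:00:00.311: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 203.0.113.7(40001) -> 10.10.10.10(22), 1 packet
*May  1 03:00:00.312: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 203.0.113.7(40002) -> 10.10.10.10(23), 1 packet
*May  1 03:00:00.313: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied udp 203.0.113.7(40003) -> 10.10.10.10(161), 1 packet
*May  1 03:00:00.314: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 203.0.113.7(40004) -> 10.10.10.10(3389), 1 packet
*May  1 03:00:00.315: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 203.0.113.7(40005) -> 10.10.10.10(445), 1 packet
*May  1 03:00:00.316: %SEC-6-IPACCESSLOGDP: list OUTSIDE-IN denied icmp 203.0.113.9 -> 10.10.10.10 (8/0), 1 packet
*May  1 03:00:00.317: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 198.51.100.4(33000) -> 10.10.10.10(443), 1 packet
*May  1 03:00:00.318: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied udp 198.51.100.4(33001) -> 10.10.10.10(53), 1 packet
"""

# Ports appear as "(port)" for TCP/UDP; ICMP carries "(type/code)" after the destination.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, "
    r"(?P<packets>\d+) packets?"
)


def parse_acl_log(line: str):
    """Return the fields of one ACL log line, or None if the line is not one."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    to_int = lambda v: int(v) if v is not None else None
    return {
        "acl": f["acl"], "action": f["action"], "proto": f["proto"],
        "proto_number": PROTO_NUMBERS.get(f["proto"]),
        "src": f["src"], "sport": to_int(f["sport"]),
        "dst": f["dst"], "dport": to_int(f["dport"]),
        "icmp_type": to_int(f["itype"]), "icmp_code": to_int(f["icode"]),
        "packets": int(f["packets"]),
    }


def describe(entry: dict) -> str:
    """Plain-language reading, e.g. 'permitted ICMP (protocol 1) echo request (type 8/code 0) ...'."""
    text = f"{entry['action']} {entry['proto'].upper()}"
    if entry["proto_number"] is not None:
        text += f" (protocol {entry['proto_number']})"
    if entry["icmp_type"] is not None:
        name = ICMP_TYPES.get(entry["icmp_type"], f"type {entry['icmp_type']}")
        text += f" {name} (type {entry['icmp_type']}/code {entry['icmp_code']})"
    text += f" {entry['src']} -> {entry['dst']}"
    if entry["dport"] is not None:
        text += f" port {entry['dport']}"
    return text


def summarize(log_text: str) -> dict:
    """Count permits vs denies and flag when denies dominate the log volume."""
    actions = Counter()
    denied_sources = Counter()
    for line in log_text.splitlines():
        e = parse_acl_log(line)
        if e is None:
            continue
        actions[e["action"]] += 1
        if e["action"] == "denied":
            denied_sources[e["src"]] += 1
    total = sum(actions.values())
    deny_share = actions["denied"] / total if total else 0.0
    return {
        "permitted": actions["permitted"],
        "denied": actions["denied"],
        "deny_share": round(deny_share, 3),
        "log_flood_suspected": deny_share >= LOG_FLOOD_RATIO,
        "top_denied_sources": denied_sources.most_common(3),
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(describe(parse_acl_log(line)))
    print(summarize(SAMPLE_LOG))
```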

56
MCQ · hard

You are a security analyst at a financial institution. The network consists of three segments: internal corporate network (10.0.0.0/24), DMZ (192.168.1.0/24) hosting a web server and an email server, and a guest wireless network (172.16.0.0/24). The firewall is configured with the following rules: (1) permit inbound HTTP/HTTPS to the web server from any; (2) permit inbound SMTP to the email server from any; (3) deny all other inbound traffic; (4) permit all outbound traffic from internal network; (5) deny all outbound traffic from guest network to internal and DMZ, but permit to internet. Recently, an employee reported that sensitive files on an internal file server (10.0.0.10) were accessed without authorization. Logs show that the access originated from an IP address in the guest network (172.16.0.50) at 3:00 AM. The guest network is open (no authentication required). The internal file server is not directly accessible from the guest network per rule (5). However, the attacker used the web server as a pivot: they compromised the web server via an unpatched vulnerability, then from the web server they connected to the internal file server. Which of the following actions would BEST prevent this type of attack in the future?

A. Implement a firewall rule that denies all traffic from the DMZ to the internal network
B. Move the web server to the internal network and place a reverse proxy in the DMZ
C. Apply a patch to the web server and require authentication on the guest network
D. Add a firewall rule that permits only necessary traffic from the DMZ to specific internal servers, and deny all other DMZ-to-internal traffic
Answer: D

This limits lateral movement: even if the web server is compromised, it can only reach authorized internal systems.

Why this answer

Option D is correct because the attack leveraged the DMZ web server as a pivot to reach the internal file server. By implementing a firewall rule that permits only necessary traffic from the DMZ to specific internal servers (e.g., only allow the web server to communicate with a database server on TCP/3306) and denies all other DMZ-to-internal traffic, you enforce a least-privilege segmentation policy. This would block the web server from initiating arbitrary connections to the internal file server (10.0.0.10), even if the web server is compromised, directly preventing the pivot attack.

Exam trap

Cisco often tests the concept that simply patching a vulnerability or adding authentication does not prevent lateral movement; the trap is that candidates focus on the initial compromise vector (unpatched web server) rather than the missing segmentation rule that allowed the pivot.

How to eliminate wrong answers

Option A is wrong because denying all traffic from the DMZ to the internal network would break legitimate services such as the web server needing to query an internal database or authenticate against an internal directory server (e.g., LDAP), making the DMZ non-functional. Option B is wrong because moving the web server to the internal network and placing a reverse proxy in the DMZ does not prevent the pivot attack; if the reverse proxy is compromised, it could still be used to access the internal network, and the web server inside the internal network would be directly exposed to internal threats. Option C is wrong because while patching the web server and requiring authentication on the guest network are good security practices, they do not address the core issue of lateral movement from the DMZ to the internal network; the attacker could still compromise the web server via a future vulnerability or a different vector and pivot to the internal file server.

57
Multi-Select · easy

Which TWO are goals of a security operations center (SOC)? (Choose two.)

Select 2 answers
A. Continuous monitoring of security events
B. Managing user passwords
C. Developing software applications
D. Performing penetration tests
E. Responding to security incidents
Answers: A, E

A SOC monitors events 24/7.

Why this answer

Option A is correct because continuous monitoring of security events is a primary goal of a SOC, ensuring real-time detection of threats through log aggregation and analysis from sources like firewalls, IDS/IPS, and endpoints. This aligns with the SOC's responsibility to maintain situational awareness and identify indicators of compromise (IoCs) as part of the NIST incident response lifecycle.

Exam trap

Cisco often tests the distinction between operational SOC responsibilities (monitoring and response) and other security functions like IAM, development, or proactive testing, so candidates may mistakenly select penetration testing as a SOC goal because it is security-related, but it is not a continuous SOC function.

58
Drag & Drop · medium

Drag and drop the steps to perform a password recovery on a Cisco IOS router into the correct order.

Why this order

Password recovery: enter ROMmon, change confreg, reset, boot, then restore config and change password.

59
Multi-Select · easy

Which TWO of the following are characteristics of an advanced persistent threat (APT)?

Select 2 answers
A. Operates with low and slow tactics to avoid detection
B. Targets specific organizations for espionage or data theft
C. Is typically financially motivated
D. Uses only commodity malware
E. Attacks are short-lived and quickly detected
Answers: A, B

APTs use stealthy methods to maintain long-term access.

Why this answer

An advanced persistent threat (APT) is characterized by its use of low-and-slow tactics to evade detection over long periods. This involves spreading malicious activity across many small, seemingly benign actions to avoid triggering threshold-based alerts in security monitoring systems. APTs are also defined by their targeted nature, focusing on specific organizations for espionage or data theft rather than opportunistic, broad-scale attacks.

Exam trap

Cisco often tests the distinction between financially motivated threats (e.g., ransomware) and APTs, so the trap here is assuming that all persistent threats are driven by money rather than recognizing the espionage and state-sponsored nature of APTs.

60
Matching · medium

Match each cybersecurity framework/standard to its focus.

Cybersecurity risk management framework

Information security management system standard

Payment card industry data security standard

Knowledge base of adversary tactics and techniques

Prioritized set of security best practices

Why these pairings

These frameworks guide security posture.

61
MCQ · hard

A SOC analyst examines an alert generated by an IDS. The alert indicates a potential SQL injection attempt. However, the analyst finds that the source IP is a known internal web server that performs legitimate database queries. What is the most likely explanation?

A. The web server is compromised
B. The traffic is legitimate but the IDS has a false positive
C. The IDS is misconfigured
D. The analyst should ignore the alert
Answer: B

The IDS likely flagged normal database queries as malicious.

Why this answer

The correct answer is B because the source IP is a known internal web server that performs legitimate database queries. IDS signatures often trigger on SQL-like patterns in traffic, and when the traffic matches the signature but is actually benign (e.g., a web server sending parameterized queries), it constitutes a false positive. The analyst's verification that the source is a trusted internal server performing expected operations confirms the alert is not a true threat.

Exam trap

Cisco often tests the distinction between a false positive (benign traffic flagged as malicious) and a true positive (actual attack), where candidates mistakenly assume any SQL pattern in traffic indicates compromise or misconfiguration rather than recognizing legitimate database queries from a trusted internal server.

How to eliminate wrong answers

Option A is wrong because the source IP is a known internal web server performing legitimate database queries; compromise would typically show anomalous behavior or unexpected outbound connections, not just a SQL pattern match. Option C is wrong because misconfiguration would imply the IDS is not tuned to exclude known good traffic, but the alert itself is a signature match, not a configuration error—false positives are inherent to signature-based detection, not necessarily misconfiguration. Option D is wrong because ignoring alerts violates SOC procedures; the analyst must investigate and document the false positive to refine rules, not dismiss it outright.

62
MCQ · medium

A company implements a policy requiring all employees to use a hardware token for remote access. This is an example of which type of security control?

A. Compensating
B. Deterrent
C. Preventive
D. Detective
Answer: C

Preventive controls block unauthorized access, as the token does.

Why this answer

A hardware token for remote access implements multifactor authentication (something you have), which directly prevents unauthorized access by requiring a physical device in addition to credentials. This is a preventive control because it stops the threat before it can occur, aligning with the NIST definition of preventive controls that block or mitigate attacks.

Exam trap

Cisco often tests the distinction between preventive and deterrent controls by using a technology that physically blocks access (like a token or firewall) and expecting candidates to recognize that 'deterrent' applies only to psychological discouragement, not technical enforcement.

How to eliminate wrong answers

Option A is wrong because compensating controls are alternative measures that provide equivalent protection when a primary control cannot be used (e.g., using software tokens instead of hardware tokens due to cost), not the primary control itself. Option B is wrong because deterrent controls discourage malicious behavior through fear of consequences (e.g., warning banners or surveillance signs), but a hardware token does not deter; it physically prevents access. Option D is wrong because detective controls identify and log incidents after they occur (e.g., intrusion detection systems or audit logs), whereas a hardware token actively blocks unauthorized access in real time.

63
Multi-Selecteasy

Which TWO of the following are symmetric encryption algorithms? (Choose two.)

Select 2 answers
A.AES
B.RSA
C.Diffie-Hellman
D.ECC
E.3DES
AnswersA, E

AES and 3DES are symmetric block ciphers; RSA, Diffie-Hellman, and ECC are public-key (asymmetric) algorithms.

Why this answer

AES (Advanced Encryption Standard) is a symmetric encryption algorithm, meaning it uses the same key for both encryption and decryption. It is widely adopted due to its strong security and efficiency, with key sizes of 128, 192, or 256 bits. 3DES (Triple Data Encryption Standard) is also symmetric, applying the DES cipher three times to each data block, which increases the effective key length over single DES. Note that 3DES is deprecated by NIST and should not be chosen for new deployments; it appears on the exam as a legacy symmetric cipher, not as a recommendation.

Exam trap

Cisco often tests the distinction between symmetric encryption, asymmetric (public-key) encryption, and key exchange protocols, so candidates mistakenly select Diffie-Hellman (a key agreement protocol, not a cipher) or ECC and RSA (asymmetric algorithms) when the question asks specifically for symmetric ciphers.

64
MCQmedium

Refer to the exhibit. A network analyst sees these firewall logs. What is the most likely interpretation?

A.An attacker is performing a port scan on internal hosts from the outside
B.The firewall rule OUTSIDE_IN is misconfigured and blocking all traffic
C.A malware is trying to phone home to an external C2 server
D.A user is trying to access internal web servers legitimately but is blocked by ACL
AnswerA

Repeated denies from same source to different destinations on common ports indicate a scan.

Why this answer

The firewall logs (the exhibit is not reproduced on this page) show multiple denied TCP connection attempts from a single external IP to various internal IPs on different ports (e.g., 80, 443, 22). This pattern of sequential probes across multiple destinations and ports is characteristic of a port scan, where an attacker systematically probes for open services. The rule OUTSIDE_IN is correctly logging and blocking these attempts, indicating the firewall is functioning as designed to limit reconnaissance.

Exam trap

Cisco often tests the distinction between a port scan (multiple destinations/ports from one source) and a C2 beacon (single destination, periodic traffic), where candidates mistakenly interpret any blocked external traffic as malware callbacks.

How to eliminate wrong answers

Option B is wrong because the firewall is actively logging and blocking traffic, which shows the rule is working correctly, not misconfigured; a misconfigured rule would either allow all traffic or block all traffic without such selective logging. Option C is wrong because malware phoning home typically uses a single, consistent destination (C2 server) on a fixed port, not a broad scan across multiple internal hosts and ports. Option D is wrong because legitimate internal web server access would originate from internal IPs, not an external source, and the logs show the source is external (e.g., 203.0.113.5), not a user inside the network.
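The scan-versus-beacon distinction drawn above can be turned into a simple triage check. The following is an added example, not code from the original page or from Cisco: it parses a handful of constructed ASA-style %ASA-4-106023 deny lines (documentation-range addresses, hypothetical timestamps) and labels each source as a port scan (one source, many distinct destination host/port pairs), a beacon (one source, one destination, evenly spaced attempts), or "other" for the analyst to review. The thresholds are assumptions for illustration, not Cisco defaults.

```python
"""Triage ASA access-list deny events: port scan vs. C2 beacon vs. other.

Added example for the practice question above. The log lines below are
constructed for illustration; the threshold values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed syslog lines in the %ASA-4-106023 format (hypothetical data).
SAMPLE_LOGS = """\
Mar 10 02:15:01 fw %ASA-4-106023: Deny tcp src outside:203.0.113.5/51000 dst inside:10.0.1.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar 10 02:15:01 fw %ASA-4-106023: Deny tcp src outside:203.0.113.5/51001 dst inside:10.0.1.10/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar 10 02:15:02 fw %ASA-4-106023: Deny tcp src outside:203.0.113.5/51002 dst inside:10.0.1.10/443 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar 10 02:15:02 fw %ASA-4-106023: Deny tcp src outside:203.0.113.5/51003 dst inside:10.0.1.11/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar 10 02:15:03 fw %ASA-4-106023: Deny tcp src outside:203.0.113.5/51004 dst inside:10.0.1.11/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar 10 02:15:03 fw %ASA-4-106023: Deny tcp src outside:203.0.113.5/51005 dst inside:10.0.1.12/443 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar 10 02:00:00 fw %ASA-4-106023: Deny tcp src inside:10.0.1.50/49152 dst outside:198.51.100.7/4444 by access-group "INSIDE_OUT" [0x0, 0x0]
Mar 10 02:05:00 fw %ASA-4-106023: Deny tcp src inside:10.0.1.50/49153 dst outside:198.51.100.7/4444 by access-group "INSIDE_OUT" [0x0, 0x0]
Mar 10 02:10:00 fw %ASA-4-106023: Deny tcp src inside:10.0.1.50/49154 dst outside:198.51.100.7/4444 by access-group "INSIDE_OUT" [0x0, 0x0]
Mar 10 02:15:00 fw %ASA-4-106023: Deny tcp src inside:10.0.1.50/49155 dst outside:198.51.100.7/4444 by access-group "INSIDE_OUT" [0x0, 0x0]
Mar 10 02:20:00 fw %ASA-4-106023: Deny tcp src inside:10.0.1.50/49156 dst outside:198.51.100.7/4444 by access-group "INSIDE_OUT" [0x0, 0x0]
"""

# Fields of a 106023 message: protocol, src interface:ip/port, dst interface:ip/port, ACL name.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)


def parse(logs, year="2024"):
    """Yield one dict per deny line; lines that do not match the format are skipped.
    Syslog timestamps carry no year, so one is assumed for ordering."""
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
            yield ev


def classify(logs, scan_min_targets=4, beacon_min_hits=4, beacon_jitter=0.1):
    """Return {source_ip: verdict} with verdict in {"port scan", "beacon", "other"}.

    port scan : one source touching many distinct (dst host, dst port) pairs
    beacon    : one source, one (dst host, dst port), attempts at a regular interval
    other     : anything else, left for the analyst
    """
    by_src = defaultdict(list)
    for ev in parse(logs):
        by_src[ev["src"]].append(ev)

    verdicts = {}
    for src, evs in by_src.items():
        targets = {(e["dst"], e["dport"]) for e in evs}
        if len(targets) >= scan_min_targets:
            verdicts[src] = "port scan"
            continue
        if len(targets) == 1 and len(evs) >= beacon_min_hits:
            times = sorted(e["ts"] for e in evs)
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = sum(gaps) / len(gaps)
            # A low relative jitter in the inter-attempt interval is the beacon signature.
            if mean > 0 and pstdev(gaps) / mean <= beacon_jitter:
                verdicts[src] = "beacon"
                continue
        verdicts[src] = "other"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOGS).items():
        print(f"{src:15} {verdict}")
```

On the constructed data the external host 203.0.113.5 is labelled a port scan and the internal host 10.0.1.50 a beacon (five denied attempts to the same host and port exactly five minutes apart). Real beacons add jitter deliberately, so the jitter tolerance should be tuned against known-good traffic before the rule is relied on.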

65
MCQhard

A cybersecurity firm is conducting a red team exercise for a client. The red team successfully gained access to the client's internal network through a phishing email and escalated privileges to domain administrator. During the exercise, the red team uses a tool to dump password hashes from the domain controller. The client's security team detects the hash dump activity and sends an alert to the SOC. The SOC analyst reviews the alert and sees that the source IP of the hash dump is from a server that is part of the red team's scope. However, the red team is not scheduled to perform hash dumping until the next phase. The analyst also notes that the activity uses a known red team tool. Which of the following actions is most appropriate?

A.Launch a full incident response procedure assuming a real attacker.
B.Assume the red team is acting out of scope and contact the red team lead for clarification.
C.Treat the alert as a false positive because the red team is authorized.
D.Immediately block the red team's IP addresses and escalate to management.
AnswerB

Given the source IP belongs to the red team and the tool is known, it is likely a schedule mismatch; contacting the lead is the best course.

Why this answer

Option B is correct because the red team is authorized to operate within the client's environment, but the activity occurred outside the scheduled phase, creating ambiguity. The most appropriate action is to contact the red team lead for clarification to determine if the hash dump was a deviation from the plan or a sign of a real attacker. This aligns with incident response best practices, which prioritize verification before escalation, especially when authorized testing is in progress.

Exam trap

Cisco often tests the concept that authorized red team activity can still be out of scope, and the trap is assuming that any activity from an authorized IP is automatically benign, leading candidates to choose Option C instead of verifying with the red team lead.

How to eliminate wrong answers

Option A is wrong because launching a full incident response procedure without first clarifying the red team's actions could waste resources and disrupt the authorized exercise, as the activity may be a legitimate part of the test. Option C is wrong because treating the alert as a false positive solely because the red team is authorized ignores the fact that the activity is out of scope and could indicate a real compromise or a miscommunication. Option D is wrong because immediately blocking the red team's IP addresses and escalating to management is an overreaction that could disrupt the authorized test and damage the relationship with the client, without first verifying the nature of the activity.

66
Drag & Dropmedium

Drag and drop the steps to configure SSH access on a Cisco IOS switch into the correct order.


Why this order

SSH configuration on a Cisco IOS switch proceeds in this order: set a hostname and an IP domain name (both are required before RSA keys can be generated, because the key pair is named after them), generate the RSA key pair with 'crypto key generate rsa' (a modulus of at least 2048 bits in current practice), create a local user with 'username', and finally enable SSH on the vty lines with 'login local' and 'transport input ssh' so that Telnet is no longer accepted. Restricting the device to SSH version 2 with 'ip ssh version 2' is the standard hardening step once SSH is working.

67
MCQeasy

A small retail company uses a cloud-based point-of-sale (POS) system. The IT manager receives an alert from the cloud provider that the POS application is generating an unusually high number of outbound connections to an IP address in a foreign country. The POS application is only supposed to communicate with the cloud provider's servers in the United States. The IT manager checks the POS terminal logs and finds that a new user account was created locally on the terminal with administrative privileges two days ago. The terminal does not have antivirus installed. What should the IT manager do first to contain the incident and prevent data loss?

A.Reset the password for the new user account and disable it.
B.Install antivirus software on the terminal and run a full scan.
C.Contact the cloud provider to block the outbound IP address.
D.Disconnect the POS terminal from the network immediately.
AnswerD

This is the fastest way to stop the outbound connections and prevent further data exfiltration.

Why this answer

Disconnecting the POS terminal from the network immediately halts the suspected data exfiltration and prevents further loss, regardless of how the attacker got in. Unplug the network cable rather than powering the terminal off, so that volatile evidence (running processes, network state) remains available for later analysis. The other options are follow-up steps: disabling the rogue account (A) and scanning the host (B) do not stop a connection the malware already holds, and a provider-side block of one IP address (C) is slower to obtain and easily bypassed by a second C2 address.

68
MCQhard

Refer to the exhibit. A security analyst sees this syslog message repeatedly. Which change should the analyst make to reduce the log volume while still detecting the activity?

A.Change the access-group to inbound on the outside interface
B.Add an ACL permit statement for traffic from 10.0.0.2 to 192.168.1.1
C.Implement a shun for source IP 10.0.0.2
D.Disable logging for syslog message ID 106023
AnswerC

A shun drops all packets from that IP before the access list is evaluated, so the per-packet 106023 deny messages stop while the block itself is still recorded.

Why this answer

Option C is correct because implementing a shun for source IP 10.0.0.2 blocks all traffic from that specific host at the Cisco ASA. The shun is enforced before the interface access list is consulted, so the repeated syslog message ID 106023 (which reports traffic denied by an access-group) is no longer generated for that host, while the ASA still records that the shun was created and the activity remains visible. This reduces log volume without hiding the event. Note that a shun is a dynamic entry rather than part of the saved configuration, so it should be reviewed and either removed or replaced by a permanent ACL entry once the investigation is complete.

Exam trap

Cisco often tests the distinction between suppressing logs (which hides all future activity) and blocking the source (which stops the activity while still allowing detection of other events), leading candidates to mistakenly choose disabling logging instead of implementing a shun.

How to eliminate wrong answers

Option A is wrong because changing the access-group to inbound on the outside interface would alter the traffic filtering direction but would not reduce the log volume for the specific denied traffic from 10.0.0.2; it might even increase log entries if the ACL is misapplied. Option B is wrong because adding an ACL permit statement for traffic from 10.0.0.2 to 192.168.1.1 would allow the traffic, which defeats the purpose of detecting the activity and could introduce a security risk by permitting potentially malicious traffic. Option D is wrong because disabling logging for syslog message ID 106023 would suppress all logs for denied traffic, preventing the analyst from detecting any such activity in the future, which violates the requirement to still detect the activity.

69
MCQmedium

What is the effect of this configuration on a Cisco device?

A.Users are authenticated using a TACACS+ server.
B.Authorization is done via RADIUS.
C.Users are authenticated using the local database.
D.No authentication is required.
AnswerC

The 'local' keyword means the local username database is used.

Why this answer

The configuration exhibit is not reproduced on this page; the correct answer implies a typical local authentication setup, such as 'aaa authentication login default local' or a username/password defined in the device's local database. This means the device uses its own stored credentials to authenticate users, not an external server. Option C is correct because local authentication is explicitly configured, bypassing any external AAA server.

Exam trap

Cisco often tests the distinction between authentication, authorization, and accounting (AAA) services, and the trap here is that candidates confuse the protocol used for authentication (TACACS+ or RADIUS) with the method (local vs. server-based), leading them to pick an option that assumes an external server is involved when only local authentication is configured.

How to eliminate wrong answers

Option A is wrong because TACACS+ authentication requires the 'aaa authentication login default group tacacs+' command and a configured TACACS+ server; the configuration in question does not reference TACACS+. Option B is wrong because RADIUS is used for authentication and accounting, but authorization via RADIUS requires specific 'aaa authorization' commands (e.g., 'aaa authorization network default group radius'); the configuration only deals with authentication, not authorization, and does not specify RADIUS. Option D is wrong because 'no authentication' would require the 'aaa authentication login default none' command or no AAA configuration at all; the presence of a local authentication configuration means authentication is required.

70
MCQmedium

A SOC analyst notices repeated failed login attempts from a single IP address against multiple user accounts. Which type of attack is most likely occurring?

A.Credential stuffing
B.Brute force attack
C.Password spraying
D.Man-in-the-middle attack
AnswerC

Password spraying tries a few common passwords across many accounts.

Why this answer

Password spraying (C) is correct because the attack involves a single IP address attempting the same common password against multiple user accounts. This technique avoids account lockout policies that typically trigger after a few failed attempts on a single account, making it distinct from brute force attacks that target one account with many passwords.

Exam trap

Cisco often tests the distinction between brute force (many passwords, one user) and password spraying (one password, many users), where candidates mistakenly choose brute force because they focus on the 'repeated failed login attempts' without noticing the attack is spread across multiple accounts.

How to eliminate wrong answers

Option A is wrong because credential stuffing uses previously leaked username/password pairs from one service to attempt access on another, not repeated attempts from a single IP against multiple accounts. Option B is wrong because a brute force attack targets a single account with many password guesses, not a single password against many accounts. Option D is wrong because a man-in-the-middle attack intercepts or relays communications between two parties, not directly related to failed login attempts from a single IP.

71
MCQeasy

Refer to the exhibit. A Windows security log shows several events with Event ID 4625 (failed logon). What type of attack is indicated?

A.Brute force attack
B.Pass-the-hash attack
C.Kerberos golden ticket attack
D.Man-in-the-middle attack
AnswerA

Multiple failed logons from same source indicates password guessing.

Why this answer

Event ID 4625 indicates a failed logon attempt. A high volume of these events in a short period is characteristic of a brute force attack, where an attacker systematically tries multiple username/password combinations to gain unauthorized access. This is a direct indicator of repeated authentication failures, not a more sophisticated attack.

Exam trap

Cisco often tests the distinction between brute force attacks (which generate many failed logon events) and pass-the-hash or golden ticket attacks (which succeed without repeated failures), so the trap is assuming any failed logon event indicates a credential theft or replay attack rather than a simple password guessing attempt.

How to eliminate wrong answers

Option B is wrong because a pass-the-hash attack uses captured NTLM hashes to authenticate without needing the plaintext password, and it would not generate a high volume of failed logon events (Event ID 4625) since the attacker already has a valid hash. Option C is wrong because a Kerberos golden ticket attack forges a Ticket Granting Ticket (TGT) using the KRBTGT account hash, allowing persistent access without triggering repeated failed logon events; it would instead show successful logon events (Event ID 4624). Option D is wrong because a man-in-the-middle attack intercepts and potentially modifies communications between two parties, but it does not inherently generate a high volume of failed logon events; it might cause a single failed logon if credentials are replayed, not a flood of 4625 events.
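The two questions above turn on the same discriminator: how the failed logons are distributed across source addresses and target accounts. The following is an added example, not code from the original page or from any vendor: it takes constructed Windows 4625-style records (minute offset, source IP, target account; documentation-range addresses, hypothetical users) and separates brute force (one source, one account, many attempts), password spraying (one source, many accounts, a few attempts each, repeated in passes spaced apart to stay under a lockout threshold), and credential stuffing (many sources, each trying one distinct account once). Threshold values are assumptions for illustration.

```python
"""Classify failed-logon (Event ID 4625) patterns as brute force, password
spraying, or credential stuffing.

Added example for the two practice questions above. The event records and
threshold values below are constructed for illustration, not taken from a
real log.
"""
from collections import Counter, defaultdict

# Constructed 4625-style records: (minute offset, IpAddress, TargetUserName).
# Three hypothetical behaviours are mixed together:
#   203.0.113.5   -> 40 attempts against one account (brute force)
#   198.51.100.9  -> 12 accounts, one attempt each, in two passes 31 minutes
#                    apart, so no account exceeds a typical lockout threshold
#                    (password spraying)
#   192.0.2.1-15  -> 15 different sources, each trying one distinct account once
#                    (credential stuffing with leaked username/password pairs)
EVENTS = (
    [(m, "203.0.113.5", "jsmith") for m in range(40)]
    + [(m, "198.51.100.9", f"user{i:02d}") for m in (0, 31) for i in range(12)]
    + [(m, f"192.0.2.{m + 1}", f"cust{m:02d}") for m in range(15)]
)


def classify_failed_logons(events, brute_min_attempts=10, spray_min_accounts=8,
                           spray_max_per_account=3, stuffing_min_sources=10):
    """Return {label: evidence} for each attack pattern present in the events.

    brute force        : one source, one account, many attempts
    password spraying  : one source, many accounts, few attempts per account
    credential stuffing: many sources, each producing a single failure
    """
    per_source = defaultdict(Counter)   # source IP -> Counter(account -> attempts)
    minutes = defaultdict(set)          # source IP -> minutes in which it was seen
    for minute, src, user in events:
        per_source[src][user] += 1
        minutes[src].add(minute)

    findings = {}
    single_shot_sources = 0
    for src, accounts in per_source.items():
        total = sum(accounts.values())
        if len(accounts) == 1 and total >= brute_min_attempts:
            findings["brute force"] = {
                "source": src, "account": next(iter(accounts)), "attempts": total}
        elif (len(accounts) >= spray_min_accounts
              and max(accounts.values()) <= spray_max_per_account):
            findings["password spraying"] = {
                "source": src, "accounts": len(accounts),
                "max_per_account": max(accounts.values()),
                "passes": len(minutes[src])}
        elif total == 1:
            # One failure from one source is noise on its own; it only becomes
            # evidence when many sources behave this way at once.
            single_shot_sources += 1
    if single_shot_sources >= stuffing_min_sources:
        findings["credential stuffing"] = {"sources": single_shot_sources}
    return findings


if __name__ == "__main__":
    for label, evidence in classify_failed_logons(EVENTS).items():
        print(f"{label:20} {evidence}")
```

The spraying branch is the one that defeats naive per-account lockout alerting: no account sees more than two failures, so only a per-source view across accounts exposes it. Conversely, a single 4625 flood against one account from one source is plain brute force, which is why Question 71 resolves to A even though the same event ID is involved.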

72
MCQeasy

Which of the following is a primary goal of the CIA triad?

A.Redundancy
B.Scalability
C.Availability
D.Maintainability
AnswerC

Availability ensures systems are accessible when needed.

Why this answer

The CIA triad's primary goals are confidentiality, integrity, and availability. Availability ensures that authorized users have reliable and timely access to data and resources when needed, which is a core security objective. Option C is correct because availability is explicitly one of the three pillars of the CIA triad.

Exam trap

Cisco often tests the distinction between a primary goal of the CIA triad and a supporting mechanism or operational characteristic, so candidates may confuse redundancy (a means to achieve availability) with availability itself.

How to eliminate wrong answers

Option A is wrong because redundancy is a design strategy to improve availability, not a primary goal of the CIA triad itself. Option B is wrong because scalability refers to the ability to handle increased load, which is a performance characteristic, not a security goal of the CIA triad. Option D is wrong because maintainability concerns the ease of updating or repairing a system, which is an operational concern, not a core security objective of the CIA triad.

73
Multi-Selecteasy

A healthcare organization uses an online patient portal where patients can view their medical records. Recently, it was discovered that patient records were being modified by an unauthorized insider, and the system suffered a ransomware attack that encrypted the database, making it inaccessible for three days. Which TWO security principles were primarily violated? (Choose two.)

Select 2 answers
A.Confidentiality
B.Authentication
C.Integrity
D.Availability
E.Non-repudiation
AnswersC, D

The unauthorized modification of patient records violates integrity, and the three-day ransomware outage violates availability.

Why this answer

The unauthorized modification of patient records violates integrity, which ensures data has not been altered by unauthorized entities. The ransomware attack that encrypted the database and made it inaccessible for three days violates availability, which ensures systems and data are accessible when needed. These two incidents directly compromise the CIA triad principles of integrity and availability.

Exam trap

Cisco often tests the distinction between confidentiality (unauthorized viewing) and integrity (unauthorized modification), so the trap here is confusing the insider's modification of records as a confidentiality breach rather than an integrity violation.

74
MCQmedium

You are a SOC analyst monitoring traffic on a corporate network. The network uses a next-generation firewall (NGFW) with intrusion prevention system (IPS). You receive an alert that the IPS detected a SQL injection attempt against the internal web application server (10.0.1.10) from an external IP (203.0.113.5). The IPS action was set to "alert" only, not "drop". Further investigation shows that the web server logs indicate the SQL injection succeeded and data was exfiltrated to 203.0.113.5. The web application is a custom application developed in-house. The database server (10.0.1.20) contains customer PII. Which of the following is the BEST immediate action to contain the incident?

A.Apply a software patch to the web application to fix the SQL injection vulnerability
B.Restore the web server from a known good backup
C.Block the attacker's IP address at the firewall and implement a temporary rule to drop all traffic from 203.0.113.5
D.Shut down the database server to prevent further data loss
AnswerC

This immediately cuts off the attacker's access and stops exfiltration.

Why this answer

The immediate priority is to stop the active data exfiltration and prevent further exploitation. Since the IPS was configured to 'alert' only, it did not block the malicious traffic. Blocking the attacker's IP at the firewall with a temporary drop rule is the fastest way to sever the attacker's access to the web server and stop the ongoing data theft, containing the incident while preserving forensic evidence.

Exam trap

Cisco often tests the distinction between containment, eradication, and recovery actions, and the trap here is that candidates confuse a long-term fix (patching) or a disruptive action (shutting down the database) with the immediate need to stop active data exfiltration.

How to eliminate wrong answers

Option A is wrong because applying a software patch is a remediation step, not an immediate containment action; it takes time to develop, test, and deploy, during which the attacker can continue exfiltrating data. Option B is wrong because restoring the web server from a known good backup is a recovery step that destroys volatile evidence (e.g., logs, active connections) and does not stop the attacker if they still have network access. Option D is wrong because shutting down the database server would cause immediate denial of service to legitimate users and may corrupt data; it also does not prevent the attacker from re-establishing access via the web server if the firewall remains open.

75
MCQmedium

A SOC analyst is monitoring network traffic and notices a large amount of data being transferred from the HR file server to an external IP address during off-hours. The server is supposed to be used only during business hours. The analyst checks the server logs and sees that a user account named 'backup_service' has been active and copying files. The 'backup_service' account is a service account that is normally used for automated backups, but the backup schedule is set to run at midnight, and the current time is 3 AM. The analyst suspects credential theft. Which of the following should the analyst do first?

A.Capture a memory dump of the server for forensic analysis.
B.Disable the 'backup_service' account immediately.
C.Take the HR file server offline.
D.Block the external IP address at the firewall.
AnswerA

A memory dump preserves evidence of the attacker's current activities, which is crucial for understanding the attack.

Why this answer

Option A is correct because capturing a memory dump preserves volatile evidence (e.g., running processes, network connections, and in-memory credentials) that is critical for forensic analysis of a suspected credential theft incident. This aligns with the NIST SP 800-86 forensic process, where memory acquisition is prioritized before any system shutdown or network changes to avoid losing evidence of the attacker's active session or malicious code.

Exam trap

Cisco often tests the principle of 'preservation of evidence' where candidates mistakenly choose immediate containment actions (disable account, take offline, block IP) instead of the forensic first step of capturing volatile data.

How to eliminate wrong answers

Option B is wrong because immediately disabling the 'backup_service' account could alert the attacker and cause them to destroy evidence or escalate privileges before a forensic snapshot is taken. Option C is wrong because taking the HR file server offline without first capturing memory would lose volatile data (e.g., active network connections, running processes, and encryption keys) that are essential for identifying the attack vector. Option D is wrong because blocking the external IP address at the firewall is a containment step that should occur after evidence collection; doing it first may tip off the attacker and does not preserve the in-memory state needed for attribution or root-cause analysis.
