CCNA Security Concepts Questions

5 of 80 questions · Page 2/2 · Security Concepts

76 · MCQ · hard

During a vulnerability assessment, a security team discovers that a web application allows users to upload files without proper validation. An attacker could upload a malicious file and execute it on the server. Which type of vulnerability is this?

A. Cross-site scripting (XSS)
B. SQL injection
C. Remote code execution (RCE)
D. Insecure direct object reference
Answer: C

Improper file validation can lead to arbitrary code execution on the server.

Why this answer

The vulnerability allows an attacker to upload a malicious file (e.g., a web shell) and then execute it on the server, which is the definition of remote code execution (RCE). This occurs because the application fails to validate file types, contents, or execution permissions, enabling arbitrary code to run in the server's context.

Exam trap

Cisco often tests the distinction between client-side attacks (XSS) and server-side attacks (RCE). Candidates may confuse file-upload RCE with XSS because both involve injecting a malicious file or script, but the execution context (server vs. client) is the key differentiator.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) into web pages viewed by other users, not executing code on the server. Option B is wrong because SQL injection targets database queries by manipulating input to alter SQL statements, not file uploads or server-side code execution. Option D is wrong because insecure direct object reference (IDOR) allows unauthorized access to resources by manipulating object references (e.g., user IDs in URLs), not file uploads or code execution.

77 · Multi-Select · hard

Which THREE are common indicators of a distributed denial-of-service (DDoS) attack? (Choose three.)

Select 3 answers
A. Slow network performance and service unavailability
B. A single IP address generating excessive traffic
C. High bandwidth consumption on the network link
D. Unusual traffic patterns from many different sources
E. Encrypted traffic from a known malware C2 server
Answers: A, C, D

Overwhelmed resources cause slowdowns.

Why this answer

Options A, C, and D are correct because a DDoS attack floods the target with traffic from many different sources (D), consuming bandwidth on the network link (C) and overwhelming network resources so that legitimate requests time out or are dropped, which appears as slow network performance and service unavailability (A). The distributed nature of the attack makes it difficult to mitigate with simple IP-based filtering.

Exam trap

Cisco often tests the distinction between a single-source DoS and a multi-source DDoS. Candidates may incorrectly select "a single IP address generating excessive traffic" as a DDoS indicator, but the key is the distributed nature of the attack.

78 · MCQ · medium

A security analyst is asked to assess the risk of a new web application. The analyst calculates the likelihood of a SQL injection as 0.3 and the impact as $100,000. What is the annualized loss expectancy (ALE) if the asset value is $500,000 and the exposure factor is 0.2?

A. $100,000
B. $50,000
C. $15,000
D. $30,000
Answer: D

ALE = SLE * ARO = ($500,000 * 0.2) * 0.3 = $30,000.

Why this answer

The annualized loss expectancy (ALE) is calculated as ALE = SLE × ARO, where SLE = AV × EF. Here, AV = $500,000 and EF = 0.2, so SLE = $100,000. The likelihood of 0.3 represents the annualized rate of occurrence (ARO), so ALE = $100,000 × 0.3 = $30,000.

Option D is correct because it correctly multiplies the single loss expectancy by the annualized rate of occurrence.

Exam trap

Cisco often tests the distinction between SLE and ALE, tricking candidates into stopping at the SLE calculation ($100,000) or misapplying the exposure factor to the impact instead of the asset value.

How to eliminate wrong answers

Option A is wrong because $100,000 is the single loss expectancy (SLE), not the annualized loss expectancy (ALE); it fails to multiply by the ARO of 0.3. Option B is wrong because $50,000 would result from multiplying the impact ($100,000) by 0.5, which is not the given ARO or any correct calculation step. Option C is wrong because $15,000 would result from multiplying the asset value ($500,000) by the likelihood (0.3) and then by 0.1, or from incorrectly using the exposure factor as a multiplier on the impact; it ignores the correct SLE calculation.

79 · MCQ · medium

A manufacturing company's ICS network was infected with ransomware that encrypted files on the file server. The company has offline backups and restores the files. However, during the investigation, the security analyst finds that the ransomware entered through an RDP connection from an infected workstation on the corporate network. The corporate network and ICS network are separated by a firewall that allows RDP from specific corporate IPs to the ICS file server. The analyst wants to prevent a recurrence. Which of the following is the most effective long-term control?

A. Require multi-factor authentication for all RDP connections.
B. Disable RDP on the ICS file server and use a jump box.
C. Implement network segmentation with a DMZ for file transfers.
D. Install antivirus on all corporate workstations.
Answer: A

MFA significantly reduces the risk of unauthorized RDP access even if passwords are compromised.

Why this answer

Requiring multi-factor authentication for all RDP connections adds a critical layer of security, making it much harder for attackers to gain access even if credentials are compromised.

80 · MCQ · easy

An organization deploys a firewall to block unauthorized traffic. This is an example of which type of security control?

A. Detective
B. Physical
C. Technical
D. Administrative
Answer: C

Firewalls are technical controls that prevent unauthorized access.

Why this answer

A firewall is a technical control because it uses software or hardware mechanisms—such as packet filtering, stateful inspection, or application-layer filtering—to enforce security policies and block unauthorized traffic. Technical controls are implemented through technology systems (e.g., routers, firewalls, IDS/IPS) rather than through physical barriers or administrative procedures.

Exam trap

Cisco often tests the distinction between preventive and detective controls. The trap here is that candidates may confuse a firewall's logging capability (detective) with its primary function of blocking traffic (preventive, technical).

How to eliminate wrong answers

Option A is wrong because detective controls are designed to identify and log security events after they occur (e.g., intrusion detection systems, audit logs), whereas a firewall actively prevents unauthorized traffic in real time. Option B is wrong because physical controls involve tangible barriers like locks, fences, or security guards, not network-level packet filtering. Option D is wrong because administrative controls are policies, procedures, and training (e.g., acceptable use policies, background checks), not technology-based enforcement mechanisms.
