
Tuesday, May 21, 2019

CCNA (Version 1.1) - Cyberops Skill Exam


Maybe you have been looking for where the answers to the CyberOps skills exam are, and your search finally brought you to this article. Let me be clear: the CyberOps exam material that I posted earlier is the result of my own exams, which I documented, from the CyberOps quizzes up to the CyberOps final exam. But the problem here is that there have been lots of questions from you about where the answers to the CyberOps skills exam are.

So, like this: when I was in college in semester 5, we took courses on network security, which led us to CyberOps. The lecturer also provided lecture material from the CyberOps skills exam, for which we had an account. During the course, the lecturers usually gave practical assignments apart from the CCNA CyberOps material, such as "How to hack ...", "Examine data in Wireshark", "How to operate Snort ..." and others. The tasks given by the lecturer made up our assignment grades, while the quiz and test scores were taken from the exams in the CCNA course.

Therefore, with a big apology, I can't post an answer about the CyberOps skills exam because I can't open the skills exam. If you look at the picture, it might look like the image below.

I could not work on the skills exam because the lecturer did not open the skills exam in the CCNA CyberOps course for the reasons above. Maybe I can help you if you send me the skills exam for me to try. Remember, I'm just trying to help.

Note: Please comment politely and do not put direct links, or spam. Thank you very much.


1. The deadline for submitting the SBA answers is Tuesday, .. 2019, at 23:59.
2. Answers must be typed in BLUE.
3. The answer file to be uploaded must be in PDF format.

1. Download and install VirtualBox version 5.
   a. Do not use VirtualBox version 6.
   b. Click this link to download.
   c. Please download version 5.2.32, choosing the link that matches the operating system used by your computer.
   d. Install according to the VirtualBox installation instructions.
2. Download the OVA file for the SBA [file size 3GB].
   a. Click the link below to download.
   b. Make sure your internet connection is stable, because the file size is 3GB.
3. Import the OVA file into VirtualBox.
   a. Click the link below and follow the instructions.
4. Download the SBA question file.
Click the link below to download the question file.

Friday, February 15, 2019

Quiz Chapter 11-13 CyberOps Version 1 CCNA

1. Which statement describes an operational characteristic of NetFlow?
NetFlow collects metadata about the packet flow, not the flow data itself.

2. What is the purpose of Tor?
to allow users to browse the Internet anonymously

3. Threat actors may attack the    infrastructure in order to corrupt network log timestamps and disguise any traces that they have left behind.

4. Which type of server daemon accepts messages sent by network devices to create a collection of log entries?

5. A NIDS/NIPS has identified a threat. Which type of security data will be generated and sent to a logging device?

6. Which statement describes the tcpdump tool?
It is a command-line packet analyzer.

7. What type of server can threat actors use DNS to communicate with?

8. A security analyst reviews network logs. The data shows user network activities such as user name, IP addresses, web pages accessed, and timestamp. Which type of data is the analyst reviewing?

9. Which Windows host log event type describes the successful operation of an application, driver, or service?

10. Which two protocols may devices use in the application process that sends email? (Choose two.)

11. In a Cisco AVC system, in which module is NBAR2 deployed?
Application Recognition

12. True or False?
ICMP can be used inside the corporation to pose a threat.

13. Which Windows tool can be used to review host logs?
Event Viewer

14. Which type of security data can be used to describe or predict network behavior?

15. Refer to the exhibit. A network administrator is reviewing an Apache access log message. What does the hyphen symbol (-) before "jsmith" indicate?
The client information is unavailable or unreliable.

16. True or False?
Sguil is optimized to provide cyberoperations workflow management to large operations with many employees.

17. What is the host-based intrusion detection tool that is integrated into Security Onion?

18. Which alert classification indicates that exploits are not being detected by installed security systems?
false negative

19. Which two technologies are used in the Enterprise Log Search and Archive (ELSA) tool? (Choose two.)
Sphinx Search

20. Fill in the blank.
Cisco  provides an interactive dashboard that allows investigation of the threat landscape.

21. True or False?
Modern cybersecurity tools are sophisticated enough to detect and prevent all exploits.

22. Fill in the blank.
The act of determining the individual, organization, or nation responsible for a successful intrusion or attack incident is known as threat  ?

23. What is the purpose for data normalization?
to simplify searching for correlated events

24. Which two strings will be matched by the regular expression? (Choose two.)

25. Which term describes evidence that is in its original state?
best evidence

26. Fill in the blank.
A  positive alert classification wastes the time of cybersecurity analysts who end up investigating events that turn out not to pose a threat.

27. True or False?
Source and destination MAC addresses are part of the five-tuple used to track the conversation between a source and destination application.

28. A cybersecurity analyst is going to verify security alerts using the Security Onion. Which tool should the analyst visit first?

29. Fill in the blank.
Decision makers can use deterministic analysis to evaluate risk based on what is known about a vulnerability.

30. According to NIST, which step in the digital forensics process involves drawing conclusions from data?

31. Which field in the Sguil application window indicates the priority of an event or set of correlated events?

32. Which top-level element of the VERIS schema would allow a company to document the incident timeline?
incident tracking

33. What is a chain of custody?
the documentation surrounding the preservation of evidence related to an incident

34. When dealing with a security threat and using the Cyber Kill Chain model, which two approaches can an organization use to help block potential exploitations on a system? (Choose two.)
Train web developers for securing code.
Perform regular vulnerability scanning and penetration testing.

35. VERIS is a set of metrics designed to create a way to describe security incidents in a structured and repeatable way.

36. Which meta-feature element in the Diamond Model describes tools and information (such as software, black hat knowledge base, username and password) that the adversary uses for the intrusion event?

37. Which NIST incident response life cycle phase includes continuous monitoring by the CSIRT to quickly identify and validate an incident?
detection and analysis

38. What type of CSIRT organization is responsible for determining trends to help predict and provide warning of future security incidents?
analysis center

39. Which NIST incident response life cycle phase includes training for the computer security incident response team on how to respond to an incident?

40. After a threat actor completes a port scan of the public web server of an organization and identifies a potential vulnerability, what is the next phase for the threat actor in order to prepare and launch an attack as defined in the Cyber Kill Chain?

41. Match the intrusion event defined in the Diamond Model of intrusion to the description.

42. In the NIST incident response process life cycle, which type of attack vector involves the use of brute force against devices, networks, or services?

43. According to NIST standards, which incident response stakeholder is responsible for coordinating an incident response with other stakeholders to minimize the damage of an incident?

44. Which three aspects of a target system are most likely to be exploited after a weapon is delivered? (Choose three.)
user accounts
OS vulnerabilities

45. Which approach can help block potential malware delivery methods, as described in the Cyber Kill Chain model, on an Internet-faced web server?
Analyze the infrastructure storage path used for files.

46. Which activity is typically performed by a threat actor in the installation phase of the Cyber Kill Chain?
Install a web shell on the target web server for persistent access.

Wednesday, February 13, 2019

Quiz Chapter 9-10 CyberOps CCNA 1

1. If an asymmetric algorithm uses a public key to encrypt data, what is used to decrypt it?
a private key

2. Which IETF standard defines the PKI digital certificate format?

3. Which statement describes the use of hashing?
Hashing can be used to detect accidental changes, but does not protect against deliberate changes.

4. What is the purpose of the DH algorithm?
to generate a shared secret between two hosts that have not communicated before

5. Fill in the blank.
The SHA-224, SHA-256, SHA-384, and SHA-512 hash functions are known collectively as SHA-2 algorithms.

6. Alice and Bob want to use a CA authentication procedure to authenticate each other. What must be obtained first?
CA self-signed certificate

7. Which two statements correctly describe certificate classes used in the PKI? (Choose two.)
A class 0 certificate is for testing purposes.
A class 4 certificate is for online business transactions between companies.

8. What is the purpose of code signing?
integrity of source .EXE files

9. In a hierarchical CA topology, where can a subordinate CA obtain a certificate for itself?
from the root CA or another subordinate CA at a higher level

10. Which cryptographic technique provides both data integrity and nonrepudiation?

11. Which objective of secure communications is achieved by encrypting data?

12. Which algorithm can ensure data confidentiality?

13. What are two symmetric encryption algorithms? (Choose two.)

14. Refer to the exhibit of a partial window within the Windows operating system. What type of cryptographic process is shown?
digital signature

15. In profiling a server, what defines what an application is allowed to do or run on a server?
service accounts

16. In addressing an identified risk, which strategy aims to decrease the risk by taking measures to reduce vulnerability?
risk reduction

17. In network security assessments, which type of test is used to evaluate the risk posed by vulnerabilities to a specific organization including assessment of the likelihood of attacks and the impact of successful exploits on the organization?
risk analysis

18. Which antimalware software approach can recognize various characteristics of known malware files to detect a threat?

19. Which class of metric in the CVSS Base Metric Group defines the features of the exploit such as the vector, complexity, and user interaction required by the exploit?

20. As described by the SANS Institute, which attack surface includes the exploitation of vulnerabilities in wired and wireless protocols used by IoT devices?
network attack surface

21. Which step in the Vulnerability Management Life Cycle performs inventory of all assets across the network and identifies host details, including operating system and open services?

22. Fill in the blank.

An application blacklist can specify which user applications are not permitted to run on a host.

23. In Windows Firewall, when is the Domain profile applied?
when the host is connected to a trusted network such as an internal business network

24. Which HIDS is an open-source based product?

25. Which regulatory compliance regulation specifies security standards for U.S. government systems and contractors to the U.S. government?
Federal Information Security Management Act of 2002 (FISMA)

26. Which three devices are possible examples of network endpoints? (Choose three.)
IoT controller
network security camera 

27. Which function does CVSS provide?
risk assessment

Thursday, February 7, 2019

Quiz Chapter 7-8 CyberOps Version 1 CCNA

1. Which monitoring technology mirrors traffic flowing through a switch to an analysis device connected to another switch port?
  • NetFlow
  • SNMP
  • SIEM
  • SPAN

2. Which network technology uses a passive splitting device that forwards all traffic, including Layer 1 errors, to an analysis device?
  • NetFlow
  • network tap
  • SNMP
  • IDS

3. What technique is a security attack that depletes the pool of IP addresses available for legitimate hosts?
  • reconnaissance attack
  • DHCP spoofing
  • DHCP snooping
  • DHCP starvation

4. Which language is used to query a relational database?
  • Python
  • C++
  • Java
  • SQL

5. Which network monitoring technology collects IP operational data on packets flowing through Cisco routers and multilayer switches?
  • Wireshark
  • NetFlow
  • SNMP
  • SIEM

6. In what type of attack is a cybercriminal attempting to prevent legitimate users from accessing network services?
  • DoS
  • MITM
  • session hijacking
  • address spoofing

7. Which network monitoring tool saves captured network frames in PCAP files?
  • Wireshark
  • SNMP
  • NetFlow
  • SIEM

8. Which term is used to describe legitimate traffic that is mistaken for unauthorized traffic by firewalls and IPSs?
  • false positive
  • true positive
  • false negative
  • true negative

9. Which network monitoring tool is in the category of network protocol analyzers?
  • SNMP
  • SPAN
  • Wireshark
  • SIEM

10. Which technology is a proprietary SIEM system?
  • StealthWatch
  • SNMP agent
  • NetFlow collector
  • Splunk

11. A DNS tunnel attack is used to build botnets to bypass traditional security solutions.

12. Which SIEM function is associated with examining the logs and events of multiple systems to reduce the amount of time of detecting and reacting to security events?
  • aggregation
  • correlation
  • forensic analysis
  • retention 

13. Which of the following offers a free service called Automated Indicator that enables the real-time exchange of cyberthreat indicators?
Department of Homeland Security

14. Refer to the exhibit. The security policy of an organization allows employees to connect to the office intranet from their homes. Which type of security policy is this?
remote access

15. Passwords, passphrases, and PINs are examples of which security term?

16. Which component of AAA allows an administrator to track individuals who access network resources and any changes that are made to those resources?

17. What is a characteristic of a layered defense-in-depth security approach?
One safeguard failure does not affect the effectiveness of other safeguards.

18. Fill in the blank.
The acronym BYOD is about end users having the freedom to use their personal devices
(laptops, tablets, smartphones) to access information and communicate across the corporate network.

19. During the AAA process, when will authorization be implemented?
immediately after successful authentication against an AAA data source

20. With the evolution of borderless networks, which vegetable is now used to describe a defense-in-depth approach?

21. Fill in the blank.
The principle of least privilege specifies a limited, as-needed approach to granting users the minimum amount of access required to perform work.

22. Which type of business policy establishes the rules of conduct and the responsibilities of employees and employers?

23. What are two characteristics of the RADIUS protocol? (Choose two.)
the use of UDP ports for authentication and accounting
encryption of the password only

24. Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform?

25. Fill in the blank.
An asset is anything within IT that is of value and needs protection, including information and infrastructure devices such as servers, routers, access points, switches, and firewalls.

26. What is privilege escalation?
Vulnerabilities in systems are exploited to grant higher levels of privilege than someone or some process should have.

Saturday, February 2, 2019

Quiz Chapter 5-6 CyberOps Version 1 CCNA

1. Which network service synchronizes the time across all devices on the network?

  • NTP
  • SNMP
  • NetFlow
  • syslog

2. Fill in the blank.
The distribution layer of the three-layer network design model aggregates data from the access layer.

3. Which network service allows administrators to monitor and manage network devices?

  • NTP
  • SNMP
  • syslog
  • NetFlow

4. True or False?
A standard ACL filters network traffic based on the destination MAC address.
  • true
  • false

5. Fill in the blank.
An ACL permits or denies traffic through a router based on specific defined criteria.

6. A static route is created when a network administrator manually configures a route and the exit interface is active.

7. True or False?
In a star LAN topology, every end system must be connected to every other end system.
  • true
  • false

8. What type of physical topology can be created by connecting all Ethernet cables to a
central device?

  • Bus
  • Ring
  • Star
  • mesh

9. What specialized network device is responsible for enforcing access control policies
between networks?

  • switch
  • IDS
  • bridge
  • firewall

10. Which device is an intermediary device?

  • firewall
  • PC
  • server
  • smart device

11. True or False?
A WLAN frame sent by a wireless client is formatted differently than a wired Ethernet frame.
  • true
  • false

12. Which statement describes a difference between RADIUS and TACACS+?

  • RADIUS uses TCP whereas TACACS+ uses UDP.
  • RADIUS is supported by the Cisco Secure ACS software whereas TACACS+ is not.
  • RADIUS encrypts only the password whereas TACACS+ encrypts all communication.
  • RADIUS separates authentication and authorization whereas TACACS+ combines them as one process.

13. What information does an Ethernet switch examine and use to build its address table?

  • source IP address
  • source MAC address
  • destination IP address
  • destination MAC address

14. Which wireless parameter refers to the frequency bands used to transmit data to a
wireless access point?

  • SSID
  • channel settings
  • security mode
  • scanning mode

15. What specialized network device uses signatures to detect patterns in network traffic?

  • IDS
  • firewalls
  • bridges
  • switches

16. Which type of security threat can be described as software that attaches itself to another program to execute a specific unwanted function?
  • virus
  • worm
  • proxy Trojan horse
  • denial of service Trojan horse
17. A network administrator detects unknown sessions involving port 21 on the network.
What could be causing this security breach?
  • An FTP Trojan horse is executing.
  • A reconnaissance attack is occurring.
  • A denial of service attack is occurring.
  • Cisco Security Agent is testing the network.
18. Which term is used to describe the act of sending an email message in an attempt to
divulge sensitive information from someone?
  • hacktivisim
  • script kiddie
  • phishing
  • DoS attack
19. What type of attack uses zombies?
  • Trojan horse
  • DDoS
  • SEO poisoning
  • spear phishing
20. What is the purpose of a reconnaissance attack on a computer network?
  • to steal data from the network servers
  • to redirect data traffic so that it can be monitored
  • to prevent users from accessing network resources
  • to gather information about the target network and system
21. Which example illustrates how malware might be concealed?
  • A botnet of zombies carry personal information back to the hacker.
  • A hacker uses techniques to improve the ranking of a website so that users are redirected to a malicious site.
  • An attack is launched against the public website of an online retailer with the objective of blocking its response to visitors.
  • An email is sent to the employees of an organization with an attachment that looks like an antivirus update, but the attachment actually consists of spyware.
22. Which tool is used to provide a list of open ports on network devices?
  • Whois
  • Nmap
  • Ping
  • Tracert
23. What is the purpose of a rootkit?
  • to masquerade as a legitimate program
  • to deliver advertisements without user consent
  • to replicate itself independently of any other programs
  • to gain privileged access to a device while concealing itself
24. True or False?
The primary objective of a DoS attack is to penetrate systems and steal data.
  • true
  • false

25. When describing malware, what is a difference between a virus and a worm?
  • A virus focuses on gaining privileged access to a device, whereas a worm does not.
  • A virus can be used to deliver advertisements without user consent, whereas a worm cannot.
  • A virus replicates itself by attaching to another file, whereas a worm can replicate itself independently.
  • A virus can be used to launch a DoS attack (but not a DDoS), but a worm can be used to launch both DoS and DDoS attacks.
26. What is the significant characteristic of worm malware?
  • Worm malware disguises itself as legitimate software.
  • A worm can execute independently of the host system.
  • A worm must be triggered by an event on the host system.
  • Once installed on a host system, a worm does not replicate itself.
27. Which type of attack allows an attacker to use a brute force approach?
  • social engineering
  • packet sniffing
  • denial of service
  • password cracking
28. What is the best description of Trojan horse malware?
  • It is the most easily detected form of malware.
  • It is malware that can only be distributed over the Internet.
  • It is software that causes annoying but not fatal computer problems.
  • It appears as useful software but hides malicious code.
29. What is an example of "hacktivism"?
  • Criminals use the Internet to attempt to steal money from a banking company.
  • A country tries to steal defense secrets from another country by infiltrating government networks.
  • A teenager breaks into the web server of a local newspaper and posts a picture of a favorite cartoon character.
  • A group of environmentalists launch a denial of service attack against an oil company that is responsible for a large oil spill.

Thursday, January 31, 2019

Quiz Chapter 3-4 CyberOps Version 1 CCNA

1. Fill in the blank.
A Linux administrator will use either the CLI or the GUI when communicating with the operating system.

2. What is the outcome when a Linux administrator enters the man man command?

  • The man man command configures the network interface with a manual address
  • The man man command provides a list of commands available at the current prompt
  • The man man command provides documentation about the man command
  • The man man command opens the most recent log file

3. Fill in the blank.
A short name of the X Window System is X .

4. Fill in the blank.
A process that runs in the background without the need for user interaction is known as
a daemon

5. Which term is used to describe a running instance of a computer program?

  • fork
  • package manager
  • patch
  • process

6. Which method can be used to harden a computing device?

  • Force periodic password changes.
  • Allow USB auto-detection.
  • Allow default services to remain enabled.
  • Update patches on a strict annual basis irrespective of release date.

7. Which Linux component would be used to access a short list of tasks the application can

  • Dash Search Box
  • Launcher
  • Quicklist
  • System and Notification Menu

8. Which type of tool is used by a Linux administrator to attack a computer or network to
find vulnerabilities?

  • PenTesting
  • malware analysis
  • intrusion detection system
  • firewall

9. Which working environment is more user-friendly?

  • a CLI
  • a GUI
  • the command prompt
  • a hybrid GUI and CLI interface

10. True or False?
The Linux GUI is the same across different distributions.
  • true
  • false

11. Which types of files are used to manage services in a Linux system?

  • device files
  • configuration files
  • system files
  • directory files

12. What is a benefit of Linux being an open source operating system?

  • Linux distributions are maintained by a single organization.
  • Linux distribution source code can be modified and then recompiled.
  • Linux distributions must include free support without cost.
  • Linux distributions are simpler operating systems since they are not designed to be connected to a network.

13. Fill in the blank.
The process of assigning a directory to a partition is known as mount .

14. Consider the result of the ls -l command in the Linux output below. What are the group
file permissions assigned to the analyst.txt file?
ls -l analyst.txt
-rwxrw-r-- sales staff 1028 May 28 15:50 analyst.txt

  • read, write, execute
  • read only
  • read, write
  • full access

15. Fill in the blank.
An application package is a specific program and all its supported files.

16. A client application needs to terminate a TCP communication session with a server. Place
the termination process steps in the order that they will occur. (Not all options are used.)

  • step 1 client sends FIN
  • step 2 server sends ACK
  • step 3 server sends FIN
  • step 4 client sends ACK

17. What is the most compressed representation of the IPv6 address

  • 2001:0:abcd::1
  • 2001:0:0:abcd::1
  • 2001::abcd::1
  • 2001:0000:abcd::1
  • 2001::abcd:0:1

18. Which message delivery option is used when all devices need to receive the same
message simultaneously?

  • duplex
  • unicast
  • multicast
  • broadcast

19. What three application layer protocols are part of the TCP/IP protocol suite? (Choose three.)

  • ARP
  • DHCP
  • DNS
  • FTP
  • NAT
  • PPP

20. Which message does an IPv4 host use to reply when it receives a DHCPOFFER message
from a DHCP server?


21. What addresses are mapped by ARP?

  • destination MAC address to a destination IPv4 address
  • destination IPv4 address to the source MAC address
  • destination IPv4 address to the destination host name
  • destination MAC address to the source IPv4 address

22. Which statement is true about FTP?

  • The client can choose if FTP is going to establish one or two connections with the server.
  • The client can download data from or upload data to the server.
  • FTP is a peer-to-peer application.
  • FTP does not provide reliability during data transmission.

23. Which two OSI model layers have the same functionality as two layers of the TCP/IP
model? (Choose two.)

  • data link
  • network
  • physical
  • session
  • transport

24. Refer to the exhibit. What is the destination MAC address of the Ethernet frame as it
leaves the web server if the final destination is PC1?

  • 00-60-2F-3A-07-AA
  • 00-60-2F-3A-07-BB
  • 00-60-2F-3A-07-CC
  • 00-60-2F-3A-07-DD

25. Fill in the blank.
ARP spoofing is a technique that is used to send fake ARP messages to other hosts
in the LAN. The aim is to associate IP addresses to the wrong MAC addresses.

26. Which statement is true about the TCP/IP and OSI models?

  • The TCP/IP transport layer and OSI Layer 4 provide similar services and functions.
  • The TCP/IP network access layer has similar functions to the OSI network layer.
  • The OSI Layer 7 and the TCP/IP application layer provide identical functions.
  • The first three OSI layers describe general services that are also provided by the TCP/IP internet layer.

27. What OSI layer is responsible for establishing a temporary communication session
between two applications and ensuring that transmitted data can be reassembled in proper

  • transport
  • network
  • data link
  • session

28. If the default gateway is configured incorrectly on the host, what is the impact on

  • The host is unable to communicate on the local network.
  • The host can communicate with other hosts on the local network, but is unable to communicate with hosts on remote networks.
  • The host can communicate with other hosts on remote networks, but is unable to communicate with hosts on the local network.
  • There is no impact on communications.

29. Refer to the exhibit. PC1 issues an ARP request because it needs to send a packet to PC3. In
this scenario, what will happen next?

  • RT1 will forward the ARP request to PC3.
  • RT1 will send an ARP reply with its own Fa0/0 MAC address.
  • RT1 will send an ARP reply with the PC3 MAC address.
  • SW1 will send an ARP reply with its Fa0/1 MAC address.
  • RT1 will send an ARP reply with its own Fa0/1 MAC address.

30. Refer to the exhibit. Consider the IP address configuration shown from PC1. What is a
description of the default gateway address?

  • It is the IP address of the Router1 interface that connects the company to the Internet.
  • It is the IP address of the Router1 interface that connects the PC1 LAN to Router1.
  • It is the IP address of Switch1 that connects PC1 to other devices on the same LAN.
  • It is the IP address of the ISP network device located in the cloud.

Friday, January 25, 2019

Quiz Chapter 1-2 CyberOps Version 1 CCNA


1. After a security incident is verified in a SOC, an incident responder reviews the incident
but cannot identify the source of the incident and form an effective mitigation procedure.
To whom should the incident ticket be escalated?
a SME for further investigation
a cyberoperations analyst for help
an alert analyst for further analysis
the SOC manager to ask for other personnel to be assigned

2. Which three technologies should be included in a SOC security information and event
management system? (Choose three.)
proxy service
threat intelligence
security monitoring
user authentication
intrusion prevention
event collection, correlation, and analysis

3. What name is given to hackers who hack for a political or social cause?
white hat
blue hat

4. What is cyberwarfare?
It is an attack only on military targets.
It is an attack designed to disrupt, corrupt, or exploit national interests.
It is an attack on a major corporation.
It is an attack that only involves robots and bots.

5. The term cyber operations analyst refers to which group of personnel in a SOC?
SOC managers
Tier 1 personnel
Tier 2 personnel
Tier 3 personnel

6. Match the job titles to SOC personnel positions. (Not all options are used.)
Tier 1 Alert Analyst –
Tier 2 Incident Responder –
Tier 3 Subject Matter Expert –

7. What is a rogue wireless hotspot?
It is a hotspot that was set up with outdated devices.
It is a hotspot that does not encrypt network user traffic.
It is a hotspot that does not implement strong user authentication mechanisms.
It is a hotspot that appears to be from a legitimate business but was actually set
up by someone without the permission from the business.

8. How can a security information and event management system in a SOC be used to help personnel fight against security threats?
by filtering network traffic
by collecting and filtering data
by authenticating users to network resources
by encrypting communications to remote sites

9. Which organization is an international nonprofit organization that offers the CISSP

10. A computer is presenting a user with a screen requesting payment before the user data is
allowed to be accessed by the same user. What type of malware is this?
a type of virus
a type of logic bomb
a type of worm
a type of ransomware

11. Fill in the blank.
A vulnerability is a flaw or weakness in a computer operating system that can be exploited by an attacker.

12. Which net command is used on a Windows PC to establish a connection to a shared
directory on a remote server?
net use
net start
net share
net session

13. When a user makes changes to the settings of a Windows system, where are these
changes stored?
Control Panel

14. Two pings were issued from a host on a local network. The first ping was issued to the IP address of the default gateway of the host and it failed. The second ping was issued to the IP address of a host outside the local network and it was successful. What is a possible cause for the failed ping?
The default gateway device is configured with the wrong IP address.
Security rules are applied to the default gateway device, preventing it from processing ping requests.
The default gateway is not operational.
The TCP/IP stack on the default gateway is not working properly.

15. True or False?
For ease of administration, it is recommended that the Everyone group in Windows have
Full Control permissions.
True False

16. Which Windows version was the first to introduce a 64-bit Windows operating system?
Windows NT
Windows XP
Windows 7
Windows 10

17. Which type of startup must be selected for a service that should run each time the
computer is booted?

18. How much RAM is addressable by a 32-bit version of Windows?
4 GB
8 GB
16 GB
32 GB

19. What contains information on how hard drive partitions are organized?
Windows Registry

20. A user creates a file with .ps1 extension in Windows. What type of file is it?
PowerShell script
PowerShell cmdlet
PowerShell function
PowerShell documentation

21. What is the purpose of the cd\ command?
changes directory to the root directory
changes directory to the next highest directory
changes directory to the previous directory
changes directory to the next lower directory

22. How can a user prevent specific applications from accessing a Windows computer over a network?
Enable MAC address filtering.
Disable automatic IP address assignment.
Block specific TCP or UDP ports in Windows Firewall.
Change default usernames and passwords.

23. Fill in the blank.
When a restrictive security policy is implemented on a firewall, only certain
required ports are opened. The rest are closed.

24. What utility is used to show the system resources consumed by each user?
Task Manager
User Accounts
Device Manager
Event Viewer

25. Which command is used to manually query a DNS server to resolve a specific host
ipconfig /displaydns

Sunday, January 6, 2019

CCNA SECOPS (210-255) Cert Practice Exam Answers

SECOPS (210-255) Cert Practice Exam
Grade Score 99.1%

1.Which NIST-defined incident response stakeholder is responsible for coordinating incident response with other stakeholders and minimizing the damage of an incident?
human resources
IT support
the legal department

2.What is defined in the policy element of the NIST incident response plan?
how to handle incidents based on the mission and functions of an organization
a roadmap for updating the incident response capability
the metrics used for measuring incident response capability in an organization
how the incident response team of an organization will communicate with organization stakeholders

3.Which three IPv4 header fields have no equivalent in an IPv6 header? (Choose three.)
fragment offset

4.What will a threat actor do to create a back door on a compromised target according to the Cyber Kill Chain model?
Add services and autorun keys.
Obtain an automated tool to deliver the malware payload.
Open a two-way communications channel to the CnC infrastructure.
Collect and exfiltrate data.

5.Refer to the exhibit. A security specialist is checking if files in the directory contain ADS data. Which switch should be used to show that a file has ADS attached?

6.What is the responsibility of the human resources department when handling a security incident as defined by NIST?
Review the incident policies, plans, and procedures for local or federal guideline violations.
Perform disciplinary actions if an incident is caused by an employee.
Coordinate the incident response with other stakeholders and minimize the damage of an incident.
Perform actions to minimize the effectiveness of the attack and preserve evidence.

7.In which top-level element of the VERIS schema does VERIS use the A4 threat model to describe an incident?
incident tracking
incident description
discovery and response
impact assessment

8.A company is applying the NIST.SP800-61 r2 incident handling process to security events. What are two examples of incidents that are in the category of precursor? (Choose two.)
multiple failed logins from an unknown source
log entries that show a response to a port scan
an IDS alert message being sent
a newly-discovered vulnerability in Apache web servers
a host that has been verified as infected with malware

9.What is a goal of deploying an in-line security device that can analyze data as a normalized stream?
reduce the amount of event data
satisfy compliance requirements
detect and block intrusions
decrease network latency and jitter

10.What is the VERIS Community Database (VCDB)?
a collection of research of trend and potential security intrusions
a central location for the security community to learn from experience and help with decision making before, during, and after a security incident
a collection of incident data collected and categorized by a selected group of cybersecurity professionals
an open and free collection of publicly-reported security incidents posted in a variety of data formats

11.According to the Cyber Kill Chain model, after a weapon is delivered to a targeted system, what is the next step that a threat actor would take?
action on objectives

12.Which metric in the CVSS Base Metric Group is used with an attack vector?
the determination whether the initial authority changes to a second authority during the exploit
the presence or absence of the requirement for user interaction in order for an exploit to be successful
the proximity of the threat actor to the vulnerability
the number of components, software, hardware, or networks, that are beyond the control of the attacker and that must be present in order for a vulnerability to be successfully exploited

13.Which statement describes the card verification value (CVV) for a credit card?
It is the credit card account number.
It is a security feature of the card.
It is a PIN number for the card.
It is the bank account number.

14.Which three fields are found in both the TCP and UDP headers? (Choose three.)
sequence number
destination port
source port

15.Which specification provides a common language for describing security incidents in a structured and repeatable way?
VERIS schema
Cyber Kill Chain
NIST Incident Response Life Cycle
Diamond model

16.What is the responsibility of the IT support group when handling an incident as defined by NIST?
reviews the incident policies, plans, and procedures for local or federal guideline violations
performs actions to minimize the effectiveness of the attack and preserve evidence
coordinates the incident response with other stakeholders and minimizes the damage of an incident
performs disciplinary measures if an incident is caused by an employee

17.During the detection and analysis phase of the NIST incident response process life cycle, which sign category is used to describe that an incident might occur in the future?

18.After a security monitoring tool identifies a malware attachment entering the network, what is the benefit of performing a retrospective analysis?
It can calculate the probability of a future incident.
It can identify how the malware originally entered the network.
It can determine which network host was first affected.
A retrospective analysis can help in tracking the behavior of the malware from the identification point forward.

19.Which field in the IPv6 header points to optional network layer information that is carried in the IPv6 packet?
flow label
traffic class
next header

20.Refer to the exhibit. A security analyst issues the cat command to review the content of the file confidential2. Which encoding method was used to encode the file?
8-bit binary

21.How much overhead does the TCP header add to data from the application layer?
8 bytes
16 bytes
20 bytes
40 bytes

22.In which step of the NIST incident response process does the CSIRT perform an analysis to determine which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring?
incident notification
attacker identification

23.Refer to the exhibit. Which technology generated the event log?
web proxy

24.When a server profile for an organization is being established, which element describes the TCP and UDP daemons and ports that are allowed to be open on the server?
listening ports
service accounts
critical asset address space
software environment

25.Refer to the exhibit. A network administrator is examining a NetFlow record. Why would the record indicate that both TRNS SOURCE PORT and TRNS DESTINATION PORT are 0?
The flow contains four packets and they use varying port numbers.
The flow does not include transport layer protocols.
The Gig0/0 interface has not transmitted any packets.
The source host uses a different transport layer protocol from the one used by the destination host.

26.When establishing a server profile for an organization, which element describes the type of service that an application is allowed to run on the server?
listening port
user account
software environment
service account

27.Refer to the exhibit. A security specialist is using Wireshark to review a PCAP file generated by tcpdump. When the client initiated a file download request, which source socket pair was used?

28.A cybersecurity analyst is performing a CVSS assessment on an attack where a web link was sent to several employees. Once clicked, an internal attack was launched. Which CVSS Base Metric Group Exploitability metric is used to document that the user had to click on the link in order for the attack to occur?
integrity requirement
availability requirement
user interaction

29.What is the benefit of converting log file data into a common schema?
creates a data model based on fields of data from a source
allows the implementation of partial normalization and inspection
allows easy processing and analysis of datasets
creates a set of regex-based field extractions

30.What are the three impact metrics contained in the CVSS 3.0 Base Metric Group? (Choose three.)
remediation level
attack vector

31.Which type of analysis relies on different methods to establish the likelihood that a security event has happened or will happen?

32.When establishing a network profile for an organization, which element describes the time between the establishment of a data flow and its termination?
routing protocol convergence
session duration
bandwidth of the Internet connection
total throughput

33.When attempting to improve system performance for Linux computers with a limited amount of memory, why is increasing the size of the swap file system not considered the best solution?
A swap file system cannot be mounted on an MBR partition.
A swap file system only supports the ext2 file system.
A swap file system does not have a specific file system.
A swap file system uses hard disk space to store inactive RAM content.

34.What will match the regular expression ^83?
any string that includes 83
any string that begins with 83
any string with values greater than 83
any string that ends with 83

35.Which type of evidence cannot prove an IT security fact on its own?

36.Which type of computer security incident response team is responsible for determining trends to help predict and provide warning of future security incidents?
coordination centers
analysis centers
vendor teams
national CSIRT

37.Which two actions should be taken during the preparation phase of the incident response life cycle defined by NIST? (Choose two.)
Fully analyze the incident.
Meet with all involved parties to discuss the incident that took place.
Detect all the incidents that occurred.
Acquire and deploy the tools that are needed to investigate incidents.
Create and train the CSIRT.

38.Which technology is used by Cisco Advanced Malware Protection (AMP) in defending and protecting against known and emerging threats?
threat intelligence
network admission control
network profiling
website filtering and blacklisting

39.Which two actions can help identify an attacking host during a security incident? (Choose two.)
Use an Internet search engine to gain additional information about the attack.
Log the time and date that the evidence was collected and the incident remediated.
Determine the location of the recovery and storage of all evidence.
Validate the IP address of the threat actor to determine if it is viable.
Develop identifying criteria for all evidence such as serial number, hostname, and IP address.

40.What classification is used for an alert that correctly identifies that an exploit has occurred?
false negative
false positive
true positive
true negative

41.Which type of analysis relies on predefined conditions and can analyze applications that only use well-known fixed ports?

42.What are security event logs commonly based on when sourced by traditional firewalls?
application analysis
static filtering

43.Using Tcpdump and Wireshark, a security analyst extracts a downloaded file from a pcap file. The analyst suspects that the file is a virus and wants to know the file type for further examination. Which Linux command can be used to determine the file type?
ls -l

44.Which three things will a threat actor do to prepare a DDoS attack against a target system on the Internet? (Choose three.)
Install a back door on the target system.
Collect and exfiltrate data.
Compromise many hosts on the Internet.
Obtain an automated tool to deliver the malware payload.
Establish two-way communications channels to the CnC infrastructure with zombies.
Install attack software on zombies.

45.After containing an incident that infected user workstations with malware, what are three effective remediation procedures that an organization can take for eradication? (Choose three.)
Change assigned names and passwords for all devices.
Update and patch the operating system and installed software of all hosts.
Rebuild hosts with installation media if no backups are available.
Rebuild DHCP servers using clean installation media.
Disconnect or disable all wired and wireless network adapters until the remediation is complete.
Use clean and recent backups to recover hosts.

46.A cybersecurity analyst has been called to a crime scene that contains several technology items including a computer. Which technique will be used so that the information found on the computer can be used in court?
log collection
unaltered disk image

47.What is specified in the plan element of the NIST incident response plan?
incident handling based on the mission of the organization
organizational structure and the definition of roles, responsibilities, and levels of authority
priority and severity ratings of incidents
metrics for measuring the incident response capability and effectiveness

48.A network administrator is creating a network profile to generate a network baseline. What is included in the critical asset address space element?
the TCP and UDP daemons and ports that are allowed to be open on the server
the IP addresses or the logical location of essential systems or data
the list of TCP or UDP processes that are available to accept data
the time between the establishment of a data flow and its termination

49.What are two sources of data in the operation of a security information and event management (SIEM) system? (Choose two.)
dashboards and reports
antimalware devices
automation and alerts
incident management systems

50.What are two of the 5-tuples? (Choose two.)
source port

51.Refer to the exhibit. A network administrator is examining a NetFlow record. Which protocol is in use in the flow shown?

52.When real-time reporting of security events from multiple sources is being received, which function in SIEM provides capturing and processing of data in a common format?
log collection

53.What is the role of vendor teams as they relate to a computer security incident response team?
They handle customer reports concerning security vulnerabilities.
They provide incident handling to other organizations as a fee-based service.
They coordinate incident handling across multiple teams.
They use data from many sources to determine incident activity trends.

54.At the request of investors, a company is proceeding with cyber attribution with a particular attack that was conducted from an external source. Which security term is used to describe the person or device responsible for the attack?
threat actor

55.What are three of the four interactive landscapes that the VERIS schema uses to define risk?