Understanding Cisco Cybersecurity Fundamentals Number: 210-250 Passing Score: 800 Time Limit: 120 min File Version: 10.0
Exam A

QUESTION 1
What is PHI?
A. Protected HIPAA information
B. Protected health information
C. Personal health information
D. Personal human information
Correct Answer: B
Explanation/Reference:
The Health Insurance Portability and Accountability Act (HIPAA), a U.S. law, introduces the concept of Protected Health Information. PHI and PII are closely related. Under U.S. law, PHI is any information about health status, provision of health care, or payment for health care that is created or collected by a "covered entity" (or a business associate of a covered entity) and can be linked to a specific individual. A covered entity is any health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a qualified transaction, and their business associates.

QUESTION 2
Which of the following are Cisco cloud security solutions? (Choose two)
A. CloudDLP
B. OpenDNS
C. Cloudlock
D. CloudSLS
Correct Answer: BC
Explanation/Reference:
https://www.opendns.com/cisco-opendns/
August 2015: Cisco completed its acquisition of OpenDNS. You can learn more about this exciting announcement on this page. Please find an FAQ below, and links to Cisco's press release, a letter from our CEO, and other important resources.
https://www.cisco.com/c/en/us/products/security/cloudlock/index.html
Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cloudlock's simple, open, and automated approach uses APIs to manage the risks in your cloud app ecosystem. With Cloudlock you can more easily combat data breaches while meeting compliance regulations.

QUESTION 3
Which evasion method involves performing actions slower than normal to prevent detection?
A. traffic fragmentation
B. tunneling
C. timing attack
D. resource exhaustion
Correct Answer: C
Explanation/Reference:
If a port scan is done rapidly or in sequence, it is fairly easy to detect. By monitoring logs such as host-based firewall logs, a security analyst may be able to see it as activity targeting many different ports on the same host during a short time. However, attackers discovered long ago that they can avoid detection by using slow, random scans and other stealth techniques. Modern tools such as IPSs can help detect these types of scans.

QUESTION 4
Which encryption algorithm is the strongest?
A. AES
B. CES
C. DES
D. 3DES
Correct Answer: A
Explanation/Reference:
Existing technology and computing power have resulted in cracking machines that are able to crack DES in just a few hours. It is estimated that it would take 149 trillion years to crack AES using the same method.

QUESTION 5
What is a trunk link used for?
A. To pass multiple virtual LANs
B. To connect more than two switches
C. To enable Spanning Tree Protocol
D. To encapsulate Layer 2 frames
Correct Answer: A
Explanation/Reference:
A port normally carries only the traffic for the single VLAN to which it belongs. For a VLAN to span across multiple switches, a trunk must be configured to connect the two switches together. A trunk can carry traffic for multiple VLANs, as shown in the following figure (not reproduced). A trunk allows multiple VLANs to share the port connection.

QUESTION 6
Which type of exploit normally requires the culprit to have prior access to the target system?
A. local exploit
B. denial of service
C. system vulnerability
D. remote exploit
Correct Answer: A
Explanation/Reference:
Remote Exploits vs. Local Exploits
A remote exploit is one that works over the network without any prior access to the target system. The threat actor does not need an account on the vulnerable system to exploit the vulnerability. A local exploit requires prior access to the vulnerable system. Generally, the threat actor has access to an account on the system. Using their access to that account, they implement the local exploit. Most commonly, local exploits lead to privilege escalation. Either the account is given privileges beyond the intended policy for the account, or other access methods are enabled and those methods allow privileges beyond the intended policy for the account. Note that a local exploit does not necessarily require physical access to the system. Also, an attacker may use social engineering techniques to trick an authorized user into performing the local exploit.

QUESTION 7
Which security monitoring data type is associated with application server logs?
A. alert data
B. statistical data
C. session data
D. transaction data
Correct Answer: D
Explanation/Reference:
13.3 Describing Security Data Collection: Network Security Monitoring Data Types
Transaction Data
Transaction data highlights operations that occur as a result of network sessions and system activities. For example, an HTTP daemon may produce log files that document all the client requests it receives along with its own responses to those requests. An SMTP daemon may produce log files to document connections from other SMTP systems, the forwarding of email messages to other SMTP systems, and the storage of email messages in local mailboxes. A Linux system may produce a log file that documents all OS login and logoff activities. Each of these log files contains transaction data. Note that there is not a one-to-one relationship between session data and transaction data. An individual network session may not produce any transactions, or it may be associated with several transactions. Transactions may also document local activities on a system which do not involve network communications.

QUESTION 8
Which network device is used to separate broadcast domains?
A. router
B. repeater
C. switch
D. bridge
Correct Answer: A
Explanation/Reference:
2.8 Understanding the Network Infrastructure: Routers
Routing is the process that routers, OSI network layer devices, use to forward data packets between networks or subnetworks. The routing process uses network routing tables, protocols, and algorithms to determine the most efficient path for forwarding an IP packet. Routers gather routing information and update other routers about changes in the network. Routers greatly expand the scalability of networks by terminating Layer 2 collision and broadcast domains.

QUESTION 9
Which term represents a weakness in a system that could lead to the system being compromised?
A. vulnerability
B. threat
C. exploit
D. risk
Correct Answer: A
Explanation/Reference:
5.4 Describing Information Security Concepts: Risk
A vulnerability is the weakness that makes the resource susceptible to the threat. An attack surface is the total sum of the vulnerabilities in a given system that are accessible to an attacker. The attack surface describes the different points where an attacker could get into a system, and where they could get data out of the system.

QUESTION 10
Which option is an advantage of using network-based anti-virus versus host-based anti-virus?
A. Network-based has the ability to protect unmanaged devices and unsupported operating systems.
B. There are no advantages compared to host-based antivirus.
C. Host-based antivirus does not have the ability to collect newly created signatures.
D. Network-based can protect against infection from malicious files at rest.
Correct Answer: A
Explanation/Reference:
REVIEW
Network-based anti-virus inspects content while it crosses the network, so it covers hosts that cannot run an agent (unmanaged devices, unsupported operating systems). It cannot see files that are already at rest on an endpoint, which is why D is not an advantage of the network-based approach.

QUESTION 11
Which two protocols are used for email? (Choose two)
A. NTP
B. DNS
C. HTTP
D. IMAP
E. SMTP
Correct Answer: DE
Explanation/Reference:
QUESTION 12
At which OSI layer does a router typically operate?
A. Transport
B. Network
C. Data link
D. Application
Correct Answer: B
Explanation/Reference:
QUESTION 13
While viewing packet capture data, you notice that one IP is sending and receiving traffic for multiple devices by modifying the IP header. Which option is making this behavior possible?
A. TOR
B. NAT
C. encapsulation
D. tunneling
Correct Answer: B
Explanation/Reference:
QUESTION 14
Which option is a purpose of port scanning?
A. Identify the Internet Protocol of the target system.
B. Determine if the network is up or down.
C. Identify which ports and services are open on the target host.
D. Identify legitimate users of a system.
Correct Answer: C
Explanation/Reference:
QUESTION 15
An intrusion detection system begins receiving an abnormally high volume of scanning from numerous sources. Which evasion technique does this attempt indicate?
A. traffic fragmentation
B. resource exhaustion
C. timing attack
D. tunneling
Correct Answer: B
Explanation/Reference:
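The detection logic behind Q3, Q14 and Q15, as an added example that is not part of this exam dump: a window-based scan detector run over constructed host-firewall log lines. The line format, the IP addresses and the thresholds are assumptions made for the example. A fast sequential scan trips the detector in a short window; the same 30 ports spread over an hour (the timing evasion of Q3) only show up once the window is widened, and a burst from many sources (Q15) inflates the per-source state the detector has to keep without any single source crossing the threshold.

```python
"""Window-based port-scan detector over constructed host-firewall log lines.

Added example; the log format below is invented for it:
    "<epoch_seconds> <src_ip> -> <dst_ip>:<dst_port> DROP"
"""
from collections import defaultdict

# Constructed sample logs (not real captures).
FAST_SCAN = [f"{100 + i} 10.0.0.5 -> 10.0.0.9:{20 + i} DROP" for i in range(30)]          # 30 ports in 29 s
SLOW_SCAN = [f"{1000 + 120 * i} 10.0.0.7 -> 10.0.0.9:{20 + i} DROP" for i in range(30)]   # same 30 ports, one every 2 min
DISTRIBUTED = [f"{5000 + i} 10.9.{i // 250}.{i % 250 + 1} -> 10.0.0.9:80 DROP"
               for i in range(500)]                                                      # 500 sources, one hit each


def parse(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _arrow, dst_and_port, _action = line.split()
    dst, port = dst_and_port.rsplit(":", 1)
    return int(ts), src, dst, int(port)


def scanners(lines, window, threshold):
    """Sources that touch at least `threshold` distinct ports on one host within `window` seconds."""
    events = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for line in lines:
        ts, src, dst, port = parse(line)
        events[(src, dst)].append((ts, port))

    flagged = set()
    for (src, _dst), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window` seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({port for _, port in evs[start:end + 1]}) >= threshold:
                flagged.add(src)
                break
    return flagged


def tracked_sources(lines):
    """How many distinct sources the detector must keep state for (the cost a flood drives up)."""
    return len({parse(line)[1] for line in lines})
```

With window=60 only the fast scanner is flagged; with window=3600 the slow one is too, at the price of holding an hour of events per source in memory, and the 500-source burst multiplies the state table without any source reaching the port threshold. That trade-off between window length, memory and detection is exactly what timing and resource-exhaustion evasions exploit, and why IPS products bound their state tables.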
QUESTION 16
Which two activities are examples of social engineering? (Choose two)
A. receiving a call from the IT department asking you to verify your username/password to maintain the account
B. receiving an invite to your department's weekly WebEx meeting
C. sending a verbal request to an administrator to change the password to the account of a user the administrator does know
D. receiving an email from HR requesting that you visit the secure HR resource website and update your contract information
E. receiving an unexpected email from an unknown person with an uncharacteristic attachment from someone in the same company
Correct Answer: AC
Explanation/Reference:
QUESTION 17
Cisco pxGrid has a unified framework with an open API designed in a hub-and-spoke architecture. pxGrid is used to enable the sharing of contextual-based information from which devices?
A. From a Cisco ASA to the Cisco OpenDNS service
B. From a Cisco ASA to the Cisco WSA
C. From a Cisco ASA to the Cisco FMC
D. From a Cisco ISE session directory to other policy network systems, such as Cisco IOS devices and the ASA
Correct Answer: D
Explanation/Reference:
Stop any attack, anywhere in the network, immediately and automatically. With pxGrid, any connected technology can instruct the Cisco Identity Services Engine (ISE) to contain a threat.
https://www.cisco.com/c/en/us/products/security/pxgrid.html

QUESTION 18
Which definition of daemon on Linux is true?
A. error check right after the call to fork a process
B. new process created by duplicating the calling process
C. program that runs unobtrusively in the background
D. set of basic CPU instructions
Correct Answer: C
Explanation/Reference:
QUESTION 19
A user reports difficulties accessing certain external web pages. When examining traffic to and from the external domain in full packet captures, you notice many SYNs that have the same sequence number, source, and destination IP address, but have different payloads. Which problem is a possible explanation of this situation?
A. insufficient network resources
B. failure of full packet capture solution
C. misconfiguration of web filter
D. TCP injection
Correct Answer: D
Explanation/Reference:
QUESTION 20
Which definition describes the main purpose of a Security Information and Event Management solution?
A. a database that collects and categorizes indicators of compromise to evaluate and search for potential security threats
B. a monitoring interface that manages firewall access control lists for duplicate firewall filtering
C. a relay server or device that collects and then forwards event logs to another log collection device
D. a security product that collects, normalizes and correlates event log data to provide holistic views of the security posture
Correct Answer: D
Explanation/Reference:
REVIEW: I don't see anywhere that it can normalize the traffic or make decisions; I like A better.
Why SIEM?
- Security monitoring and incident response
- Anomaly detection
- Real-time rules-based alerts
- Data correlation
- Compliance or regulatory mandated logging and reporting
- Automated reports

QUESTION 21
Which information security property is supported by encryption?
A. sustainability
B. integrity
C. confidentiality
D. availability
Correct Answer: C
Explanation/Reference:
QUESTION 22
Which term describes the act of a user, without authority or permission, obtaining rights on a system beyond what were assigned?
A. authentication tunneling
B. administrative abuse
C. rights exploitation
D. privilege escalation
Correct Answer: D
Explanation/Reference:
QUESTION 23
Which definition of the IIS Log Parser tool is true?
A. a logging module for IIS that allows you to log to a database
B. a data source control to connect to your data source
C. a powerful, versatile tool that makes it possible to run SQL-like queries against log files
D. a powerful, versatile tool that verifies the integrity of the log files
Correct Answer: C
Explanation/Reference:
QUESTION 24
What are the advantages of a full-duplex transmission mode compared to half-duplex mode? (Select all that apply.)
A. Each station can transmit and receive at the same time.
B. It avoids collisions.
C. It makes use of backoff time.
D. It uses a collision avoidance algorithm to transmit.
Correct Answer: AB
Explanation/Reference:
QUESTION 25
Where is a host-based intrusion detection system located?
A. on a particular end-point as an agent or a desktop application
B. on a dedicated proxy server monitoring egress traffic
C. on a SPAN switch port
D. on a TAP switch port
Correct Answer: A
Explanation/Reference:
QUESTION 26
According to RFC 1035, which transport protocol is recommended for use with DNS queries?
A. Transmission Control Protocol
B. Reliable Data Protocol
C. Hypertext Transfer Protocol
D. User Datagram Protocol
Correct Answer: D
Explanation/Reference:
https://www.ietf.org/rfc/rfc1035.txt
4.2. Transport
The DNS assumes that messages will be transmitted as datagrams or in a byte stream carried by a virtual circuit. While virtual circuits can be used for any DNS activity, datagrams are preferred for queries due to their lower overhead and better performance. Zone refresh activities must use virtual circuits because of the need for reliable transfer.
The Internet supports name server access using TCP [RFC-793] on server port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP port 53 (decimal).

QUESTION 27
Which cryptographic key is contained in an X.509 certificate?
A. symmetric
B. public
C. private
D. asymmetric
Correct Answer: B
Explanation/Reference:
4.12 Understanding Basic Cryptography Concepts: PKI Overview
Entities enroll with a PKI and receive identity certificates that are signed by a certificate authority. Among the identity information included in the certificate is the entity's public key.

QUESTION 28
Which concern is important when monitoring an NTP server for an abnormal level of traffic?
A. Being the cause of a distributed reflection denial of service attack.
B. Users changing the time settings on their systems.
C. A critical server may not have the correct time synchronized.
D. Watching for rogue devices that have been added to the network.
Correct Answer: A
Explanation/Reference:
QUESTION 29
Which definition of permissions in Linux is true?
A. rules that allow network traffic to go in and out
B. table maintenance program
C. written affidavit that you have to sign before using the system
D. attributes of ownership and control of an object
Correct Answer: D
Explanation/Reference:
QUESTION 30
Which type of attack occurs when an attacker utilizes a botnet to reflect requests off an NTP server to overwhelm their target?
A. man in the middle
B. denial of service
C. distributed denial of service
D. replay
Correct Answer: C
Explanation/Reference:
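The traffic pattern behind Q28 and Q30, as an added example that is not part of this exam dump: per-peer byte accounting over constructed flow records observed at an NTP server. The addresses, byte counts and thresholds are assumptions for the example. Because the attacker forges the victim's source address, the server answers the victim directly, so in the server's own flow records the victim shows up as a peer that receives far more bytes than it ever sends; that ratio is the amplification factor.

```python
"""Reflection/amplification check over constructed NetFlow-style records at an NTP server.

Added example; records are (src_ip, dst_ip, src_port, dst_port, bytes), a
subset of the fields a real flow export carries.
"""
from collections import defaultdict

NTP_SERVER = "192.0.2.10"   # assumed address of the monitored server
NTP_PORT = 123

# Constructed records: one honest client, and spoofed requests naming a victim.
FLOWS = [
    ("198.51.100.20", NTP_SERVER, 40000, NTP_PORT, 48),         # normal 48-byte query
    (NTP_SERVER, "198.51.100.20", NTP_PORT, 40000, 48),         # normal 48-byte reply
    ("203.0.113.5", NTP_SERVER, NTP_PORT, NTP_PORT, 8 * 48),    # 8 spoofed control queries "from" the victim
    (NTP_SERVER, "203.0.113.5", NTP_PORT, NTP_PORT, 8 * 4800),  # 8 oversized responses sent to the victim
]


def per_peer_bytes(flows, server=NTP_SERVER, port=NTP_PORT):
    """Return {peer: (bytes_to_server, bytes_from_server, amplification_ratio)}."""
    inbound, outbound = defaultdict(int), defaultdict(int)
    for src, dst, sport, dport, nbytes in flows:
        if dst == server and dport == port:
            inbound[src] += nbytes
        elif src == server and sport == port:
            outbound[dst] += nbytes
    result = {}
    for peer in set(inbound) | set(outbound):
        i, o = inbound[peer], outbound[peer]
        result[peer] = (i, o, o / i if i else float("inf"))
    return result


def reflection_victims(flows, min_ratio=10.0, min_out_bytes=10_000):
    """Peers that receive >= min_out_bytes with a response/request byte ratio >= min_ratio."""
    return sorted(peer for peer, (_i, o, ratio) in per_peer_bytes(flows).items()
                  if o >= min_out_bytes and ratio >= min_ratio)
```

On a real server the same check runs over its NetFlow export. A peer listed by reflection_victims is the target, not the attacker, and the fix is on the server side: disable the monitoring and control queries that produce oversized responses (the classic case being the monlist command), rate-limit responses, and push for source-address validation upstream so spoofed requests never arrive.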
QUESTION 31
In computer security, which information is the term PHI used to describe?
A. private host information
B. protected health information
C. personal health information
D. protected host information
Correct Answer: B
Explanation/Reference:
https://www.hipaa.com/hipaa-protected-health-information-what-does-phi-include/
HIPAA 'Protected Health Information': What Does PHI Include? [...]

QUESTION 32
Which hash algorithm is the weakest?
A. SHA-512
B. RSA-4096
C. SHA-1
D. SHA-256
Correct Answer: C
Explanation/Reference:
RSA is ruled out because it is an encryption system, not a hash. Of the remaining ones listed, SHA-1 uses the smallest number of bits to represent the digest (160 bits, against 256 and 512), and collisions have been found for it.

QUESTION 33
For which reason can HTTPS traffic make security monitoring difficult?
A. encryption
B. large packet headers
C. Signature detection takes longer
D. SSL interception
Correct Answer: A
Explanation/Reference:
REVIEW: A. encryption. I know SSL interception as a tool in proxies for inspecting the traffic.
Encryption hides the payload from passive monitoring; SSL/TLS interception is the countermeasure that restores visibility, not the cause of the difficulty.

QUESTION 34
Which two options are recognized forms of phishing? (Choose two)
A. spear
B. whaling
C. mailbomb
D. hooking
E. mailnet
Correct Answer: AB
Explanation/Reference:
10.8 Understanding Common Endpoint Attacks: Social Engineering Example: Phishing
Spear phishing: Emails are sent to smaller, more targeted groups. Spear phishing may even target a single individual. Knowing more about the target community allows the attacker to craft an email that is more likely to successfully deceive the target.
Whaling: Like spear phishing, whaling uses the concept of targeted emails; however, it increases the profile of the target. The target of a whaling attack is often one or more of the top executives of an organization. The content of the whaling email is something that is designed to get an executive's attention, such as a subpoena request or a complaint from an important customer.

QUESTION 35
Which protocol is expected to have a user agent, host, and referrer headers in a packet capture?
A. NTP
B. HTTP
C. DNS
D. SSH
Correct Answer: B
Explanation/Reference:
I don't understand what the question is asking, but I assume it refers to the HTTP Referer header.
QUESTION 36
Refer to the exhibit. A TFTP server has recently been installed in the Atlanta office. The network administrator is located in the NY office and has attempted to make a connection to the TFTP server. They are unable to back up the configuration file and Cisco IOS of the NY router to the TFTP server. Which cause of this problem is true?
A. The TFTP server cannot obtain an address from a DHCP server.
B. The TFTP server has an incorrect IP address.
C. The network administrator's computer has an incorrect IP address.
D. The TFTP server has an incorrect subnet mask.
Correct Answer: A
Explanation/Reference:
Exhibit: (not reproduced)
The RFC below is cited because a 169.254.0.0/16 (link-local) address on a host is the sign that it failed to obtain a DHCP lease.
https://tools.ietf.org/html/rfc3927
Abstract
To participate in wide-area IP networking, a host needs to be configured with IP addresses for its interfaces, either manually by the user or automatically from a source on the network such as a Dynamic Host Configuration Protocol (DHCP) server. Unfortunately, such address configuration information may not always be available. It is therefore beneficial for a host to be able to depend on a useful subset of IP networking functions even when no address configuration is available. This document describes how a host may automatically configure an interface with an IPv4 address within the 169.254/16 prefix that is valid for communication with other devices connected to the same physical (or logical) link.

QUESTION 37
Which data can be obtained using NetFlow?
A. session data
B. application logs
C. network downtime report
D. full packet capture
Correct Answer: A
Explanation/Reference:
13.15 Describing Security Data Collection: NetFlow
From a network security monitoring perspective, NetFlow provides session data. NetFlow captures basic information about every IP conversation that takes place through the monitored network device, including the identities of the systems involved in the conversation, the time of the communication, and the amount of data transferred.

QUESTION 38
Drag the technology on the left to the data type the technology provides on the right.
Exhibit: (not reproduced)
Correct Answer:
Explanation/Reference:
netflow = session data
tcpdump = full packet capture
web content filtering = transaction data
traditional stateful firewall = connection event

QUESTION 39
Which protocol is primarily supported by the third layer of the Open Systems Interconnection reference model?
A. HTTP/TLS
B. IPv4/IPv6
C. TCP/UDP
D. ATM/MPLS
Correct Answer: B
Explanation/Reference:
QUESTION 40
Drag the data source on the left to the correct data type on the right.
Exhibit: (not reproduced)
Correct Answer:
Explanation/Reference:
netflow = session data
ips = alert data
Wireshark = full packet capture
server log = transaction data

QUESTION 41
Which directory is commonly used on Linux systems to store log files, including syslog and apache logs?
A. /etc/log
B. /root/log
C. /lib/log
D. /var/log
Correct Answer: D
Explanation/Reference:
QUESTION 42
Which security monitoring data type requires the most storage space?
A. full packet capture
B. transaction data
C. statistical data
D. session data
Correct Answer: A
Explanation/Reference:
QUESTION 43
Stateful and traditional firewalls can analyze packets and judge them against a set of predetermined rules called access control lists (ACLs). Which of the following elements within a packet do they inspect? (Choose two)
A. Session header
B. NetFlow flow information
C. Source and destination ports and source and destination IP addresses
D. Protocol information
Correct Answer: CD
Explanation/Reference:
11.6 Understanding Network Security Technologies: Stateful Firewall
Where a stateless packet filter, such as an ACL, acts on a packet-by-packet basis, a stateful firewall allows or blocks traffic based on the connection state, port, and protocol. Stateful firewalls inspect all activity from the opening of a connection until the connection is closed. Data that is associated with each connection is stored in the firewall's connection state table. Stateful firewalls can also provide stateful inspection of applications that use a control channel to facilitate a dynamically negotiated data connection. The FTP protocol is an example that uses a control and data channel.

QUESTION 44
Which definition of a fork in Linux is true?
A. daemon to execute scheduled commands
B. parent directory name of a file pathname
C. macros for manipulating CPU sets
D. new process created by a parent process
Correct Answer: D
Explanation/Reference:
QUESTION 45
Which definition of the Windows Registry is true?
A. set of pages that are currently resident in physical memory
B. basic unit to which the operating system allocates processor time
C. set of virtual memory addresses
D. database that stores low-level settings for the operating system
Correct Answer: D
Explanation/Reference:
QUESTION 46
Which two tasks can be performed by analyzing the logs of a traditional stateful firewall? (Choose two.)
A. Confirm the timing of network connections differentiated by the TCP 5-tuple.
B. Audit the applications used within a social network web site.
C. Determine the user IDs involved in an instant messaging exchange.
D. Map internal private IP addresses to dynamically translated external public IP addresses.
E. Identify the malware variant carried by an SMTP connection.
Correct Answer: AD
Explanation/Reference:
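What the two correct options of Q46 look like in practice (with the 5-tuple of Q43 and the address translation of Q13), as an added example that is not part of this exam dump: pairing connection build and teardown records from a stateful firewall to get per-connection timing and the private-to-public NAT mapping. The log line format, the addresses and the byte counts are constructed for the example; real firewalls emit their own syslog message formats, so the parser is the part that would be adapted to the product in use.

```python
"""Connection timing and NAT mapping from constructed stateful-firewall log lines.

Added example. Invented line format (one record per connection event):
  <ISO8601 UTC> BUILT|TEARDOWN <proto> <src_ip:port> -> <dst_ip:port> xlate <pub_ip:port> [bytes <n>]
"""
from datetime import datetime

LOG = [  # constructed sample, not from any real device
    "2019-03-04T10:00:01Z BUILT tcp 10.1.1.20:51000 -> 93.184.216.34:443 xlate 203.0.113.9:20001",
    "2019-03-04T10:00:02Z BUILT udp 10.1.1.21:53001 -> 9.9.9.9:53 xlate 203.0.113.9:20002",
    "2019-03-04T10:00:02Z TEARDOWN udp 10.1.1.21:53001 -> 9.9.9.9:53 xlate 203.0.113.9:20002 bytes 180",
    "2019-03-04T10:00:07Z TEARDOWN tcp 10.1.1.20:51000 -> 93.184.216.34:443 xlate 203.0.113.9:20001 bytes 5120",
]


def _endpoint(token):
    """'ip:port' -> (ip, port)."""
    ip, port = token.rsplit(":", 1)
    return ip, int(port)


def parse(line):
    """One log line -> dict with timestamp, event, 5-tuple, translated address and (on teardown) bytes."""
    t = line.split()
    src_ip, src_port = _endpoint(t[3])
    dst_ip, dst_port = _endpoint(t[5])
    rec = {
        "ts": datetime.strptime(t[0], "%Y-%m-%dT%H:%M:%SZ"),
        "event": t[1],
        "five_tuple": (t[2], src_ip, src_port, dst_ip, dst_port),  # proto, src, sport, dst, dport
        "xlate": _endpoint(t[7]),
    }
    if t[1] == "TEARDOWN":
        rec["bytes"] = int(t[9])
    return rec


def connections(lines):
    """Pair BUILT with TEARDOWN by 5-tuple -> {five_tuple: (start, end, seconds, bytes)} (option A)."""
    open_conns, closed = {}, {}
    for rec in map(parse, lines):
        key = rec["five_tuple"]
        if rec["event"] == "BUILT":
            open_conns[key] = rec["ts"]
        elif key in open_conns:
            start = open_conns.pop(key)
            closed[key] = (start, rec["ts"], (rec["ts"] - start).total_seconds(), rec["bytes"])
    return closed


def nat_map(lines):
    """Private (ip, port) -> translated public (ip, port), taken from BUILT records (option D)."""
    return {(r["five_tuple"][1], r["five_tuple"][2]): r["xlate"]
            for r in map(parse, lines) if r["event"] == "BUILT"}
```

The same records say nothing about which application ran inside a session, which user was behind it, or what an SMTP payload carried (options B, C and E); those need proxy logs, an identity source or a malware sandbox rather than the firewall's connection log.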
QUESTION 47
Which two terms are types of cross-site scripting attacks? (Choose two)
A. directed
B. encoded
C. stored
D. reflected
E. cascaded
Correct Answer: CD
Explanation/Reference:
7.12 Understanding Common Network Application Attacks: Cross-Site Scripting and Request Forgery
Types of XSS attacks include:
Stored (persistent): Stored XSS is the most damaging type because it is permanently stored on the XSS-infected server. The victim receives the malicious script from the server whenever they visit the infected web page.
Reflected (non-persistent): Reflected XSS is the most common type of XSS attack. Unlike stored XSS, where the attacker must find a web site that allows for permanent injection of the malicious scripts, reflected XSS attacks only require that the malicious script is embedded in a link. In order for the attack to succeed, the victim needs to click the infected link. Reflected XSS attacks are typically delivered to the victims via an email message, or through some other web site. When the victim is tricked into clicking the infected link, the malicious script is reflected back to the victim's browser, where it is executed. Vigilant users can avoid reflected attacks.

QUESTION 48
Which term represents the practice of giving employees only those permissions necessary to perform their specific role within an organization?
A. integrity validation
B. due diligence
C. need to know
D. least privilege
Correct Answer: D
Explanation/Reference:
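The two XSS types from Q47 side by side, as an added example that is not part of this exam dump: a minimal server-side renderer in Python where a request parameter is reflected straight into the page (reflected XSS), and where a stored comment is served to every later visitor (stored XSS), each next to its output-encoded counterpart. The payload, the page fragments and the function names are constructed for the example.

```python
"""Reflected and stored XSS next to the output-encoded fix. Added example."""
import html

# Constructed attacker input: a script tag that would run in any visitor's browser.
PAYLOAD = "<script>alert(document.cookie)</script>"


# Reflected (non-persistent): the request parameter goes straight back to the same client.
def search_page_vulnerable(query):
    return f"<p>Results for {query}</p>"          # raw interpolation of user input


def search_page_safe(query):
    # html.escape turns <, >, &, " and ' into entities, so the browser renders text, not markup.
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


# Stored (persistent): the input was saved server-side and is served to every later visitor.
def comments_page_vulnerable(stored_comments):
    return "".join(f"<li>{c}</li>" for c in stored_comments)


def comments_page_safe(stored_comments):
    # Escape at output time: storing the raw text is fine, emitting it unescaped is not.
    return "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in stored_comments)


def has_live_script(rendered_html):
    """Crude check used only to show the difference: an unescaped <script tag survived rendering."""
    return "<script" in rendered_html.lower()
```

Escaping is context-specific: html.escape is right for text inside an element, while a value placed inside a JavaScript block, a URL or an attribute name needs the encoding of that context, which is why a templating engine with auto-escaping is preferred over hand-built string formatting.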
QUESTION 49
Which identifier is used to describe the application or process that submitted a log message?
A. action
B. selector
C. priority
D. facility
Correct Answer: D
Explanation/Reference:
13.3 Describing Security Data Collection: Network Security Monitoring Data Types
System logs are displayed in a standard format that allows you to easily navigate through the logs for pertinent information. All information that is provided in the syslog can be valuable to someone. Analysts can use the severity levels and facilities to quickly narrow down events. The facility field in the syslog messages roughly defines the source of the message. From those results, they can look at the mnemonic and description to get valuable information such as IP addresses, MAC addresses, and protocols.
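How the facility of Q49 is actually carried, as an added example that is not part of this exam dump: the PRI value at the start of a syslog message encodes facility and severity as facility * 8 + severity (RFC 3164 and RFC 5424), and Cisco IOS messages additionally carry a %FACILITY-SEVERITY-MNEMONIC: prefix in the message text, which is the "mnemonic" the explanation refers to. The sample lines are constructed (the first is modelled on the RFC's own example message); the facility numbers follow the RFC 5424 table and the short names are the conventional ones syslog daemons use.

```python
"""Decode the syslog PRI (facility/severity) and the Cisco IOS %FACILITY-SEVERITY-MNEMONIC prefix.

Added example. Facility numbers follow the RFC 5424 table.
"""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock2",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
IOS_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")

# Constructed sample messages; the first follows the RFC example text.
SAMPLE = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<86>Mar  4 10:00:01 host1 sshd[1234]: Accepted password for alice from 10.1.1.20 port 51000 ssh2",
    "<189>Mar  4 10:00:02 rtr1 1234: *Mar  4 10:00:02.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]


def decode_pri(pri):
    """PRI = facility * 8 + severity; the valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(line):
    """Return facility, severity, the message text and any IOS mnemonic for one syslog line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    facility, severity = decode_pri(int(m.group(1)))
    body = m.group(2)
    ios = IOS_RE.search(body)   # Cisco IOS facility/severity/mnemonic, if present in the text
    return {"facility": facility, "severity": severity, "body": body,
            "mnemonic": (ios.group(1), int(ios.group(2)), ios.group(3)) if ios else None}


def by_facility(lines, facility):
    """Narrow a batch of messages to one facility, the way an analyst filters for auth events."""
    return [rec for rec in map(parse_syslog, lines) if rec["facility"] == facility]
```

Note that the IOS message arrives under the daemon's transport facility (local7 by default, severity notice here), while the %SYS-5-CONFIG_I text carries the router's own facility SYS and severity 5; both are worth keeping when the logs are normalized.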
QUESTION 50
Which term represents the chronological record of how evidence was collected, analyzed, preserved, and transferred?
A. chain of evidence
B. evidence chronology
C. chain of custody
D. record of safekeeping
Correct Answer: C
Explanation/Reference:
14.8 Describing Security Event Analysis: Chain of Custody
Chain of custody, in legal contexts, refers to the chronological documentation or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence.

QUESTION 51
Refer to the exhibit. During an analysis, this list of email attachments is found. Which files contain the same content?
A. 1 and 4
B. 3 and 4
C. 1 and 3
D. 1 and 2
Correct Answer: C
Explanation/Reference:
Exhibit: (not reproduced)
When run through SHA-1 they return the same result.

QUESTION 52
In which case should an employee return his laptop to the organization?
A. When moving to a different role
B. Upon termination of the employment
C. As described in the asset return policy
D. When the laptop is end of lease
Correct Answer: C
Explanation/Reference:
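The check behind Q51, with the point of Q32 attached, as an added example that is not part of this exam dump: hashing each attachment and grouping names by digest finds the files whose content is identical regardless of file name. The attachment names and the byte contents are constructed for the example.

```python
"""Group email attachments by content digest. Added example with constructed data."""
import hashlib

ATTACHMENTS = {  # constructed: file name -> bytes standing in for the file content
    "1_invoice.pdf": b"%PDF-1.4 invoice 2019-03 total 1200",
    "2_invoice.pdf": b"%PDF-1.4 invoice 2019-04 total 1350",
    "3_Invoice (1).pdf": b"%PDF-1.4 invoice 2019-03 total 1200",   # same bytes as file 1, different name
    "4_invoice.zip": b"PK\x03\x04 archive with invoice.exe inside",
}


def digests(files, algorithm="sha256"):
    """file name -> hex digest of its content under the chosen hashlib algorithm."""
    return {name: hashlib.new(algorithm, data).hexdigest() for name, data in files.items()}


def duplicates(files, algorithm="sha256"):
    """Groups of file names (sorted) whose content hashes to the same digest."""
    groups = {}
    for name, digest in digests(files, algorithm).items():
        groups.setdefault(digest, []).append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def digest_bits(algorithm):
    """Output size in bits, the figure the Q32 comparison of hash strength rests on."""
    return hashlib.new(algorithm).digest_size * 8
```

Equal SHA-1 digests are enough to answer the exam question, but SHA-1 has known collisions, so an adversary can craft two attachments that hash alike; for evidence work record SHA-256 (or both algorithms) so the "same content" claim holds up.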
QUESTION 53
A firewall requires deep packet inspection to evaluate which layer?
A. application
B. Internet
C. link
D. transport
Correct Answer: A
Explanation/Reference:
QUESTION 54
Which event occurs when a signature-based IDS encounters network traffic that triggers an alert?
A. connection event
B. endpoint event
C. NetFlow event
D. intrusion event
Correct Answer: D
Explanation/Reference:
QUESTION 55
Which type of attack occurs when an attacker is successful in eavesdropping on a conversation between two IP phones?
A. replay
B. man-in-the-middle
C. dictionary
D. known-plaintext
Correct Answer: B
Explanation/Reference:
3.3 Understanding Common TCP/IP Attacks: IP Vulnerabilities
Man-in-the-middle attack: An MITM attack intercepts a communication between two systems. Essentially, the attacker inserts a device into a network that grabs packets that are streaming past. Those packets are then modified and placed back on the network for forwarding to their original destination. An MITM attack can completely defeat sophisticated authentication mechanisms because the attacker waits until after a communication session is established, which means that authentication has been completed, before starting to intercept packets. An MITM attack does not directly threaten your network's stability, but it is an exploit that can target a specific destination IP address. A form of MITM is called "eavesdropping." Eavesdropping differs only in that the perpetrator just copies IP packets off the network without modifying them in any way.

QUESTION 56
Which situation indicates application-level whitelisting?
Allow everithing and deny specific executable files. Allow specific executable files and deny specific executable files. Writting current application attacks on a whiteboard daily. Allow specific files and deny everything else.
Correct Answer: B Section: (none) Explanation Explanation/Reference: REVISAR PARA MI ES LA D(Allow specific files and deny everything else.) 12.5 Understanding Endpoint Security Technologies Application Whitelists and Blacklists Blacklisting allows all traffic that is not explicitly denied. Another technique, called whitelisting, does the opposite. It denies all traffic t hat is not explicitly permitted (listed on the whitelist). QUESTION 57 Which definition of an antivirus program is true? A. program used to detect and remove unwanted malicious software from the system. B. program that provides real time analysis of security alerts fenerated by network hardware and application C. program that scans a running application for vulnerabilities D. rules that allow network traffic to go in and out Correct Answer: A Section: (none) Explanation Explanation/Reference: 12.3 Understanding Endpoint Security Technologies Host-Based Anti-Virus As the name suggests, antivirus software was originally developed to detect and remove computer viruses. QUESTION 58
Which two features must a next generation firewall include? (Choose two.) A. B. C. D. E.
data minig host-based-antivirus application visibility and control Security Information and Event Management intrusion detection system
Correct Answer: CE Section: (none) Explanation Explanation/Reference: TO REVIEW 11.18 Understanding Network Security Technologies Next Generation Firewall Let's look at some of the typical requirements of a next-generation firewall.
Granular application visibility and control: Example, allowing IM but blocking file transfers over IM <-- OK
Intrusion prevention system: Example, identify and potentially block malicious data that is carried in network sessions. <-- just go with it?
Reputation-based filtering: Example, automatic blocking of suspected bad web sites
Enforce acceptable use policy: Example, blocking employees from browsing to unacceptable web sites
SSL/TLS traffic decryption: Example, decrypting Facebook traffic so it can be inspected and controlled
User- or user group-based policies: Example, allowing only the engineering employees to access the development servers
Real-time contextual awareness: Example, automatic passive discovery of networks, hosts, operating systems, applications, and users
Intelligent security automation: Example, automatic correlation of different event data and impact assessment
QUESTION 59 Which of the following are metrics that can measure the effectiveness of a runbook? A. Mean time to repair (MTTR) B. Mean time between failures (MTBF) C. Mean time to discover a security incident D. All the above
Correct Answer: D Section: (none) Explanation Explanation/Reference: 14.6 Describing Security Event Analysis SOC Runbook Automation A runbook, also known as a playbook, typically contains a combination of workflows, tools, and processes. A runbook is a prescriptive collection of repeatable methods to detect and respond to security incidents. The use of a runbook ensures that the responses by the security analysts can change and adapt in real time to detect and resolve security events efficiently.
https://en.wikipedia.org/wiki/Runbook According to Gartner, the growth of RBA (runbook automation) has coincided with the need for IT operations executives to enhance IT operations efficiency measures, including reducing mean time to repair (MTTR), increasing mean time between failures (MTBF), and automating the provisioning of IT resources. In addition, it is necessary to have the mechanisms to implement best practices (for example, implement and manage IT operations processes in line with ITIL), increase the effectiveness of IT personnel (for example, automate repetitive tasks associated with IT operations processes), and have the tools to report on how well the processes are executed in line with established policies and service levels.
QUESTION 60 Which of the following access control models uses security labels to make access decisions? A. Mandatory access control (MAC) B. Role-based access control (RBAC) C. Identity-based access control (IBAC) Correct Answer: A Section: (none) Explanation Explanation/Reference: 5.7 Describing Information Security Concepts Access Control Models
QUESTION 61 One of the objectives of information security is to protect the CIA of information and systems. What does CIA mean in this context? A. Confidentiality, Integrity, and Availability. B. Confidentiality, Identity, and Availability. C. Confidentiality, Integrity, and Authorization. D. Confidentiality, Identity, and Authorization.
Correct Answer: A Section: (none) Explanation Explanation/Reference: 5.2 Describing Information Security Concepts Information Security Confidentiality, Integrity, and Availability
The confidentiality, integrity, and availability triad (also known as the CIA triad) is a fundamental information security concept. It is these three elements of the information system that each organization is trying to protect.
QUESTION 62 Where are configuration records stored? A. In a CMDB B. In a MySQL DB C. In an XLS file D. There is no need to store them
Correct Answer: A Section: (none) Explanation Explanation/Reference: TO REVIEW: The question seems incomplete, but even without any context it makes sense. CMDB = Configuration Management Database (ITIL / ISO 20000)
QUESTION 63 Which two actions are valid uses of public key infrastructure? (Choose two) A. ensuring the privacy of a certificate B. revoking the validation of a certificate C. validating the authenticity of a certificate D. creating duplicate copies of a certificate E. changing ownership of a certificate
Correct Answer: BC Section: (none) Explanation Explanation/Reference:
QUESTION 64 Which protocol maps IP network addresses to MAC hardware addresses so that IP packets can be sent across networks? A. Internet Control Message Protocol B. Address Resolution Protocol C. Session Initiation Protocol D. Transmission Control Protocol/Internet Protocol
Correct Answer: B Section: (none) Explanation Explanation/Reference: ARP (Address Resolution Protocol) is the protocol responsible for finding the hardware address (Ethernet MAC) that corresponds to a given IP address.
QUESTION 65 Which of the following is true about heuristic-based algorithms? A. Heuristic-based algorithms require fine tuning to adapt to network traffic and minimize the possibility of false positives. B. Heuristic-based algorithms do not require fine tuning. C. Heuristic-based algorithms support advanced malware protection. D. Heuristic-based algorithms provide capabilities for the automation of IPS signature creation and tuning. Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 66 Which security principle states that more than one person is required to perform a critical task? A. due diligence B. separation of duties C. need to know D. least privilege Correct Answer: B Section: (none) Explanation Explanation/Reference:
QUESTION 67 Which tool is commonly used by threat actors on a webpage to take advantage of the software vulnerabilities of a system to spread malware? A. exploit kit B. root kit C. vulnerability kit D. script kiddie kit
Correct Answer: A Section: (none) Explanation Explanation/Reference: 10.10 Understanding Common Endpoint Attacks Exploit Kits An exploit kit is an automated framework attackers use to discover and exploit vulnerabilities in an endpoint, infect it with malware, and execute malicious code on it.
QUESTION 68 If a web server accepts input from the user and passes it to a bash shell, to which attack method is it vulnerable? A. input validation B. hash collision C. command injection D. integer overflow
Correct Answer: C Section: (none)
Explanation Explanation/Reference: 7.10 Understanding Common Network Application Attacks Command Injections Command injection is an attack whereby an attacker's goal is to execute arbitrary commands on the web server's OS via a vulnerable web application. A command injection vulnerability occurs when the web application exposes unsafe input fields into which malicious users can enter malicious data.
QUESTION 69 Based on which statement does the discretionary access control security model grant or restrict access? A. discretion of the system administrator B. security policy defined by the owner of an object C. security policy defined by the system administrator D. role of a user within an organization Correct Answer: B Section: (none) Explanation Explanation/Reference:
QUESTION 70 Which definition of the virtual address space for a Windows process is true? A. actual physical location of an object in memory B. set of virtual memory addresses that it can use C. set of pages that are currently resident in physical memory D. system-level memory protection feature that is built into the operating system
Correct Answer: B Section: (none) Explanation Explanation/Reference:
QUESTION 71 Which statement about digitally signing a document is true? A. The document is hashed and then the document is encrypted with the private key. B. The document is hashed and then the hash is encrypted with the private key. C. The document is encrypted and then the document is hashed with the public key. D. The document is hashed and then the document is encrypted with the public key.
Correct Answer: B Section: (none) Explanation Explanation/Reference: 4.11 Understanding Basic Cryptography Concepts Digital Signatures
QUESTION 72 You must create a vulnerability management framework. Which main purpose of this framework is true? A. Conduct vulnerability scans on the network. B. Manage a list of reported vulnerabilities. C. Identify, remove, and mitigate system vulnerabilities. D. Detect and remove vulnerabilities in source code.
Correct Answer: B Section: (none) Explanation Explanation/Reference: TO REVIEW: I prefer C (Identify, remove, and mitigate system vulnerabilities.) 5.9 Describing Information Security Concepts Information Security Management
The list below details some of the common security management systems/processes:
IT asset management entails collecting inventory, financial, and contractual data to manage the IT asset throughout its life cycle. IT asset management depends on robust processes, with tools to automate manual processes.
Configuration management is the process for establishing and maintaining consistency of a product's performance, functional requirements, and design throughout the product's life cycle.
Patch management involves acquiring, testing, and installing patches or code changes to the IT systems.
Vulnerability management is the practice of identifying, classifying, remediating, and mitigating vulnerabilities in software, firmware, and hardware.
MDM (mobile device management) is a type of security management software that is utilized by IT to monitor, manage, and secure employees' mobile devices.
QUESTION 73 In NetFlow records, which flags indicate that an HTTP connection was stopped by a security appliance, like a firewall, before it could be built fully? A. ACK B. SYN ACK C. RST D. PSH,ACK
Correct Answer: C Section: (none) Explanation Explanation/Reference:
QUESTION 74 How many broadcast domains are created if three hosts are connected to a Layer 2 switch in full-duplex mode? A. 4 B. 3 C. None D. 1
Correct Answer: D Section: (none) Explanation Explanation/Reference:
QUESTION 75 Which hashing algorithm is the least secure? A. MD5 B. RC4 C. SHA-3 D. SHA-2
Correct Answer: A Section: (none) Explanation Explanation/Reference:
Of the hash systems listed, collisions are known only for MD5. RC4, although vulnerable, is an encryption algorithm.
QUESTION 76 What is one of the advantages of the mandatory access control (MAC) model? A. Stricter control over the information access. B. Easy and scalable. C. The owner can decide whom to grant access to. Correct Answer: A Section: (none) Explanation Explanation/Reference: 5.7 Describing Information Security Concepts Access Control Models Mandatory access control: MAC is the strictest control.
QUESTION 77 Which definition of vulnerability is true? A. an exploitable unpatched and unmitigated weakness in software B. an incompatible piece of software C. software that does not have the most current patch applied D. software that was not approved for installation
Correct Answer: A Section: (none) Explanation Explanation/Reference: 5.4 Describing Information Security Concepts Risk
QUESTION 78 Which definition of a process in Windows is true? A. running program B. unit of execution that must be manually scheduled by the application C. database that stores low-level settings for the OS and for certain applications
D. basic unit to which the operating system allocates processor time Correct Answer: A Section: (none) Explanation Explanation/Reference: 8.4 Understanding Windows Operating System Basics Windows Processes, Threads, and Handles A Windows application consists of one or more processes. In the simplest terms, a "process" is an instance of an executing program.
QUESTION 79 According to the attribute-based access control (ABAC) model, what is the subject location considered? A. Part of the environmental attributes B. Part of the object attributes C. Part of the access control attributes D. None of the above
Correct Answer: A Section: (none) Explanation Explanation/Reference: https://en.wikipedia.org/wiki/Attribute-based_access_control Attributes can be about anything and anyone. They tend to fall into 4 different categories or functions (as in grammatical function) Subject attributes: attributes that describe the user attempting the access e.g. age, clearance, department, role, job title... Action attributes: attributes that describe the action being attempted e.g. read, delete, view, approve... Resource (or object) attributes : attributes that describe the object being accessed e.g. the object type (medical record, bank account...), the department, the classification or sensitivity, the location... Contextual (environment) attributes : attributes that deal with time, location or dynamic aspects of the access control scenario
QUESTION 80 Which term represents a potential danger that could take advantage of a weakness in a system? A. vulnerability B. risk C. threat D. exploit Correct Answer: B Section: (none) Explanation Explanation/Reference: 5.4 Describing Information Security Concepts Risk
QUESTION 81 You get an alert on your desktop computer showing that an attack was successful on the host, but upon investigation you see what occurred during the attack. Which reason is true? A. The computer has HIDS installed on it B. The computer has NIDS installed on it C. The computer has HIPS installed on it D. The computer has NIPS installed on it Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 82 Which international standard is for general risk management, including the principles and guidelines for managing risk? A. ISO 27001 B. ISO 27005 C. ISO 31000 D. ISO 27002
Correct Answer: C Section: (none) Explanation Explanation/Reference:
QUESTION 83 Which process continues to be recorded in the process table after it has ended and the status is returned to the parent? A. daemon B. zombie C. orphan D. child
Correct Answer: B Section: (none) Explanation Explanation/Reference:
QUESTION 84 For which kind of attack does an attacker use known information in encrypted files to break the encryption scheme for the rest of A. known-plaintext B. known-ciphertext C. unknown key D. man in the middle
Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 85 In which technology is network-level encryption not natively incorporated? A. Kerberos B. SSL C. TLS D. IPsec Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 86 Which purpose of command and control for network aware malware is true? A. It helps the malware to profile the host B. It takes over the user account C. It contacts a remote server for commands and updates D. It controls and down services on the infected host
Correct Answer: C Section: (none) Explanation Explanation/Reference:
QUESTION 87 Which action is an attacker taking when they attempt to gain root access on the victim's system? A. privilege escalation B. command injections C. root kit
D. command and control Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 88 Which vulnerability is an example of Shellshock? A. SQL injection B. heap overflow C. cross site scripting D. command injection
Correct Answer: D Section: (none) Explanation Explanation/Reference:
QUESTION 89 Which statement about the difference between a denial-of-service attack and a distributed denial-of-service attack is true? A. DoS attacks only use flooding to compromise a network, and DDoS attacks only use other methods B. DoS attacks are launched from one host, and DDoS attacks are launched from multiple hosts C. DDoS attacks are launched from one host, and DoS attacks are launched from multiple hosts D. DoS attacks and DDoS attacks have no differences Correct Answer: B Section: (none) Explanation Explanation/Reference:
QUESTION 90 A foreign government attacks your defense weapons contractor and steals intellectual property. What is that foreign government defined as? A. Defense weapons contractor who stole intellectual property B. Foreign government who conducted the attack C. Intellectual property that got stolen D. Method used by the foreign government to hack
Correct Answer: B Section: (none) Explanation Explanation/Reference:
QUESTION 91 Which identifier is used to describe the application or process that submitted a log message? A. action B. selector C. priority D. facility
Correct Answer: D Section: (none) Explanation Explanation/Reference:
QUESTION 92 Which NTP command configures the local device as an NTP reference clock source? A. ntp peer B. ntp broadcast C. ntp master D. ntp server Correct Answer: C Section: (none) Explanation Explanation/Reference:
QUESTION 93 Which three options are types of Layer 2 network attack? (Choose three.) A. ARP attacks B. brute force attacks C. spoofing attacks D. DDOS attacks E. VLAN hopping F. botnet attacks
Correct Answer: ACE Section: (none) Explanation Explanation/Reference:
QUESTION 94 Where does routing occur within the DoD TCP/IP reference model? A. application B. internet C. network D. transport
Correct Answer: B Section: (none) Explanation Explanation/Reference:
QUESTION 95 Which two features must a next generation firewall include? (Choose two.) A. data mining B. host-based antivirus C. application visibility and control D. Security Information and Event Management E. intrusion detection system
Correct Answer: CE Section: (none) Explanation Explanation/Reference:
QUESTION 96 Which definition of the IIS Log Parser tool is true? A. a logging module for IIS that allows you to log to a database B. a data source control to connect to your data source C. a powerful, versatile tool that makes it possible to run SQL-like queries against log files D. a powerful, versatile tool that verifies the integrity of the log files Correct Answer: C Section: (none) Explanation Explanation/Reference:
QUESTION 97 Which of the following access control models use security labels to make access decisions? A. Mandatory access control (MAC) B. Role-based access control (RBAC) C. Identity-based access control (IBAC) D. Discretionary access control (DAC) Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 98 Which of the following is true about heuristic-based algorithms? A. Heuristic-based algorithms may require fine tuning to adapt to network traffic and minimize the possibility of false positives. B. Heuristic-based algorithms do not require fine tuning. C. Heuristic-based algorithms support advanced malware protection. D. Heuristic-based algorithms provide capabilities for the automation of IPS signature creation and tuning. Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 99 According to the attribute-based access control (ABAC) model, what is the subject location considered? A. Part of the environmental attributes B. Part of the object attributes C. Part of the access control attributes D. None of the above
Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 100 What type of algorithm uses the same key to encrypt and decrypt data? A. a symmetric algorithm B. an asymmetric algorithm C. a Public Key Infrastructure algorithm D. an IP Security algorithm
Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 101 Which actions can a promiscuous IPS take to mitigate an attack? A. modifying packets B. requesting connection blocking C. denying packets D. resetting the TCP connection E. requesting host blocking F. denying frames
Correct Answer: BDE Section: (none) Explanation Explanation/Reference:
QUESTION 102 Which statement about personal firewalls is true? A. They are resilient against kernel attacks B. They can protect email messages and private documents in a similar way to a VPN C. They can protect the network against attacks
D. They can protect a system by denying probing requests Correct Answer: D Section: (none) Explanation Explanation/Reference:
QUESTION 103 Which three statements about host-based IPS are true? (Choose three) A. It can view encrypted files B. It can be deployed at the perimeter C. It uses signature-based policies D. It can have more restrictive policies than network-based IPS E. It works with deployed firewalls F. It can generate alerts based on behavior at the desktop level.
Correct Answer: ADF Section: (none) Explanation Explanation/Reference:
QUESTION 104 An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible result of this activity? A. The switch could offer fake DHCP addresses. B. The switch could become the root bridge. C. The switch could be allowed to join the VTP domain. D. The switch could become a transparent bridge.
Correct Answer: B Section: (none) Explanation Explanation/Reference:
QUESTION 105 Which definition describes the main purpose of a Security Information and Event Management solution ? A. a database that collects and categorizes indicators of compromise to evaluate and search for potential security threats B. a monitoring interface that manages firewall access control lists for duplicate firewall filtering C. a relay server or device that collects then forwards event logs to another log collection device D. a security product that collects, normalizes, and correlates event log data to provide holistic views of the security posture Correct Answer: D Section: (none) Explanation Explanation/Reference:
QUESTION 106 Which definition of Common Event Format, in terms of a security information and event management solution, is true? A. a type of event log used to identify a successful user login. B. a TCP network media protocol. C. Event log analysis certificate that stands for certified event forensics. D. a standard log event format that is used for log collection.
Correct Answer: D Section: (none) Explanation Explanation/Reference:
QUESTION 107 a standard log event format that is used for log collection. A. It is the sum of all paths for data/commands into and out of the application B. It is an exploitable weakness in a system or design C. It is the individual who performs an attack. D. It is any potential danger to an asset.
Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 108 For which purpose can Windows management instrumentation be used? A. Remote viewing of a computer B. Remote blocking of malware on a computer C. Remote reboot of a computer D. Remote start of a computer Correct Answer: C Section: (none) Explanation Explanation/Reference:
QUESTION 109 According to the Common Vulnerability Scoring System, which term is associated with scoring multiple vulnerabilities that are exploited in the course of a single attack? A. chained score B. risk analysis C. vulnerability chaining D. confidentiality
Correct Answer: C Section: (none) Explanation Explanation/Reference:
QUESTION 110 You discover that a foreign government hacked one of the defense contractors in your country and stole intellectual property. In this situation, which option is considered the threat agent? A. Threat Actor B. C. D. Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 111 RC4 is a stream cipher. Which attack is it vulnerable to when the same key is used twice? A. Ciphertext-only attack, when an attacker uses ciphertext from several messages and tries to deduce the plaintext or key from just that information, using statistical analysis B. C. D. Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 112 There was a question asking what is an example of whaling. A. The answer was a malicious email sent to the company's CEO. B. C. D. Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 113 NetFlow format (ASCII most probably / check hexadecimal) A. B. C. D. Correct Answer: Section: (none) Explanation Explanation/Reference:
QUESTION 114 Question about a SIEM providing HTML, PDF and CSV formats, and asked what it is (Intrusion) A. B. C. D. Correct Answer: Section: (none) Explanation Explanation/Reference:
QUESTION 115 The other one was, something similar to, what cryptography is used on Digital Certificates? The answers included: A. SHA-256 B. SHA-512 C. RSA 4096 D. Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 116 After a large influx of network traffic to externally facing devices, you begin investigating what appears to be a denial of service attack. When you review packet capture data, you notice that the traffic is a single SYN packet to each port. Which kind of attack is this? A. SYN flood. B. Host profiling. C. Traffic fragmentation. D. Port scanning.
Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 117 You get an alert on your desktop computer showing that an attack was successful on the host, but upon investigation you see what occurred during the attack. Which reason is true? A. The computer has HIDS installed on it B. The computer has NIDS installed on it C. The computer has HIPS installed on it D. The computer has NIPS installed on it Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 118 Which purpose of command and control for network aware malware is true? A. It helps the malware to profile the host B. It takes over the user account C. It contacts a remote server for commands and updates D. It controls and down services on the infected host
Correct Answer: C Section: (none) Explanation Explanation/Reference:
QUESTION 119 Which action is an attacker taking when they attempt to gain root access on the victim's system? A. privilege escalation B. command injections C. root kit D. command and control Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 120 Which vulnerability is an example of Shellshock? A. SQL injection B. heap overflow C. cross site scripting D. command injection
Correct Answer: D Section: (none) Explanation Explanation/Reference:
QUESTION 121 Which definition of Common Event Format, in terms of a security information and event management solution, is true? A. a type of event log used to identify a successful user login. B. a TCP network media protocol. C. Event log analysis certificate that stands for certified event forensics. D. a standard log event format that is used for log collection.
Correct Answer: D Section: (none) Explanation Explanation/Reference:
QUESTION 122 Which definition of a Linux daemon is true? A. Process that is causing harm to the system by either using up system resources or causing a critical crash. B. Long-running process that is the child of the init process C. Process that has no parent process D. Process that is starved of the CPU. Correct Answer: B Section: (none) Explanation Explanation/Reference:
QUESTION 123 Which action is an attacker taking when they attempt to gain root access on the victim's system? A. privilege escalation B. command injections C. root kit D. command and control
Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 124 What is used to analyze logs and view disks remotely? A. WMI. I selected that one B. C. D. Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 125 Which definition of Common Event Format, in terms of a security information and event management solution, is true? A. a type of event log used to identify a successful user login. B. a TCP network media protocol. C. Event log analysis certificate that stands for certified event forensics. D. a standard log event format that is used for log collection.
Correct Answer: D Section: (none) Explanation Explanation/Reference:
QUESTION 126 What is a security risk in an application? A. Vulnerability B. C. D. Correct Answer: A Section: (none) Explanation Explanation/Reference:
QUESTION 127 Which Linux terminal command can be used to display all the processes? A. ps -m B. ps -u C. ps -d D. ps -ef Correct Answer: D Section: (none) Explanation Explanation/Reference:
QUESTION 128 How does NTP help with monitoring? A. Using TCP allows you to view HTTP connections between servers and clients. B. Synchronizing the time of day allows correlation of events from different system logs. C. To receive system-generated emails. D. To look up IP addresses in the system using the FQDN.
Correct Answer: B Section: (none) Explanation Explanation/Reference: