Network Defense (NetDef) Course Final Exam Answers

Jul 14, 2022 | Last Updated: Nov 6, 2023 | Network Defense | 49 Comments

Modules 1 – 11 of the Network Defense (NetDef) course


Final Answers

How to find: Press “Ctrl + F” in the browser and fill in whatever wording is in the question to find that question/answer. If the question is not here, find it in Questions Bank.

NOTE: If you have a new question on this test, please comment the question and multiple-choice list in the form below this article. We will update the answers for you in the shortest time. Thank you! We truly value your contribution to the website.



1. What is a characteristic of a layered defense-in-depth security approach?

When one device fails, another one takes over.
One safeguard failure does not affect the effectiveness of other safeguards.
Three or more devices are used.
Routers are replaced with firewalls.

Explanation: When a layered defense-in-depth security approach is used, layers of security are placed throughout the organization: at the edge, within the network, and on endpoints. The layers work together to create the security architecture. In this environment, a failure of one safeguard does not affect the effectiveness of other safeguards.

2. What device would be used as the third line of defense in a defense-in-depth approach?

internal router
edge router
host
firewall

Explanation: In a defense-in-depth approach, the edge router would form the first line of defense. The firewall would be the second line of defense, followed by the internal router making up the third line of defense.

3. Match the Security Onion tool with the description.

Explanation: Place the options in the following order:
network-based intrusion detection system – Snort
packet capture application – Wireshark
host-based intrusion detection system – OSSEC
high-level cybersecurity analysis console – Sguil

4. Which wireless standard made AES and CCM mandatory?

WEP
WEP2
WPA
WPA2

Explanation: Wireless security depends on several industry standards and has progressed from WEP to WPA and finally WPA2.

5. In a comparison of biometric systems, what is the crossover error rate?

rate of acceptability and rate of false negatives
rate of rejection and rate of false negatives
rate of false negatives and rate of false positives
rate of false positives and rate of acceptability

Explanation: In comparing biometric systems, there are several important factors to consider, including accuracy, speed or throughput rate, and acceptability to users.

6. What are two recommended steps to protect and secure a wireless network? (Choose two.)

Use WPA2-AES encryption.
Use the default SSID.
Update firmware.
Locate the wireless router where it is accessible to users.
Enable remote management.

Explanation: Two best practices for securing wireless networks are to encrypt the wireless traffic with WPA2 encryption and to keep the wireless router firmware updated. This prevents data from being readable by an attacker and fixes any known bugs and vulnerabilities in the router.

7. What is a feature of virtual LANs (VLANs)?

A single collision domain is enabled on a switch that is shared between VLANs.
Communication between different VLANs on the one switch is enabled by default.
Switch port utilization is decreased because each port is only associated with one broadcast domain.
Logical segmentation is provided by creating multiple broadcast domains on a single switch.

Explanation: Virtual LANs (VLANs) provide logical segmentation by creating multiple broadcast domains on the same network switch. VLANs provide higher utilization of switch ports because a port can be associated with the necessary broadcast domain, and multiple broadcast domains can reside on the same switch. Network devices in one VLAN cannot communicate with devices in a different VLAN without the implementation of inter-VLAN routing.

8. What is an example of a privilege escalation attack?

A DDoS attack is launched against a government server and causes the server to crash.
A port scanning attack finds that the FTP service is running on a server that allows anonymous access.
A threat actor sends an email to an IT manager to request root access.
A threat actor performs an access attack and gains the administrator password.

Explanation: With the privilege escalation exploit, vulnerabilities in
servers or access control systems are exploited to grant an unauthorized
user, or software process, higher levels of privilege than either should
have. After the higher privilege is granted, the threat actor can access
sensitive information or take control of a system.

9. What is the principle behind the nondiscretionary access control model?

It applies the strictest access control possible.
It allows access based on attributes of the object to be accessed.
It allows access decisions to be based on roles and responsibilities of a user within the organization.
It allows users to control access to their data as owners of that data.

Explanation: The nondiscretionary access control model uses the roles and responsibilities of the user as the basis for access decisions.

10. Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)

utilization of transport layer protocols
separate authentication and authorization processes
password encryption
802.1X support
SIP support

Explanation: Both TACACS+ and RADIUS support password encryption (TACACS+ encrypts all communication) and use a Layer 4 protocol (TACACS+ uses TCP and RADIUS uses UDP). TACACS+ supports separation of the authentication and authorization processes, while RADIUS combines authentication and authorization as one process. RADIUS supports remote access technology, such as 802.1X and SIP; TACACS+ does not.

11. Refer to the exhibit. A router has an existing ACL that permits all traffic from the 172.16.0.0 network. The administrator attempts to add a new ACE to the ACL that denies packets from host 172.16.0.1 and receives the error message that is shown in the exhibit. What action can the administrator take to block packets from host 172.16.0.1 while still permitting all other traffic from the 172.16.0.0 network?

Create a second access list denying the host and apply it to the same interface.
Manually add the new deny ACE with a sequence number of 15.
Manually add the new deny ACE with a sequence number of 5.
Add a deny any any ACE to access-list 1.

Explanation: Because the new deny ACE is a host address that falls within the existing 172.16.0.0 network that is permitted, the router rejects the command and displays an error message. For the new deny ACE to take effect, it must be manually configured by the administrator with a sequence number that is less than 10.

12. Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?

ipv6 traffic-filter ENG_ACL in
ipv6 traffic-filter ENG_ACL out
ipv6 access-class ENG_ACL out
ipv6 access-class ENG_ACL in

Explanation: For the purpose of applying an access list to a particular interface, the ipv6 traffic-filter IPv6 command is equivalent to the access-group IPv4 command. The direction in which the traffic is examined (in or out) is also required.

13. In which configuration would an outbound ACL placement be preferred over an inbound ACL placement?

when the ACL is applied to an outbound interface to filter packets coming from multiple inbound interfaces before the packets exit the interface
when an outbound ACL is closer to the source of the traffic flow
when an interface is filtered by an outbound ACL and the network attached to the interface is the source network being filtered within the ACL
when a router has more than one ACL

Explanation: An outbound ACL should be utilized when the same ACL filtering rules will be applied to packets coming from more than one inbound interface before exiting a single outbound interface. The outbound ACL will be applied on the single outbound interface.

14. What are two differences between stateful and stateless firewalls? (Choose two.)

A stateless firewall is able to filter sessions that use dynamic port negotiations while a stateful firewall cannot.
A stateless firewall will examine each packet individually while a stateful firewall observes the state of a connection.
A stateless firewall provides more stringent control over security than a stateful firewall.
A stateless firewall will provide more logging information than a stateful firewall.
A stateful firewall will prevent spoofing by determining whether packets belong to an existing connection while a stateless firewall follows pre-configured rule sets.

Explanation: There are many differences between a stateless and a stateful firewall.
Stateless firewalls:
are susceptible to IP spoofing
do not reliably filter fragmented packets
use complex ACLs, which can be difficult to implement and maintain
cannot dynamically filter certain services
examine each packet individually rather than in the context of the state of a connection

Stateful firewalls:
are often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic
strengthen packet filtering by providing more stringent control over security
improve performance over packet filters or proxy servers
defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source
provide more log information than a packet filtering firewall


15. Which statement describes a typical security policy for a DMZ firewall configuration?

Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface.
Traffic that originates from the DMZ interface is selectively permitted to the outside interface.
Return traffic from the inside that is associated with traffic originating from the outside is permitted to traverse from the inside interface to the outside interface.
Traffic that originates from the outside interface is permitted to traverse the firewall to the inside interface with few or no restrictions.
Return traffic from the outside that is associated with traffic originating from the inside is permitted to traverse from the outside interface to the DMZ interface.

Explanation: With a three-interface firewall design that has internal, external, and DMZ connections, typical configurations include the following:
Traffic originating from the DMZ destined for the internal network is normally blocked.
Traffic originating from the DMZ destined for external networks is typically permitted based on what services are being used in the DMZ.
Traffic originating from the internal network destined for the DMZ is normally inspected and allowed to return.
Traffic originating from external networks (the public network) is typically allowed into the DMZ only for specific services.

16. Which type of firewall makes use of a proxy server to connect to remote servers on behalf of clients?

stateless firewall
application gateway firewall
stateful firewall
packet filtering firewall

Explanation: An application gateway firewall, also called a proxy firewall, filters information at Layers 3, 4, 5, and 7 of the OSI model. It uses a proxy server to connect to remote servers on behalf of clients. Remote servers will see only a connection from the proxy server, not from the individual clients.

17. What is the result in the self zone if a router is the source or destination of traffic?

Only traffic that is destined for the router is permitted.
Only traffic that originates in the router is permitted.
No traffic is permitted.
All traffic is permitted.

Explanation: All traffic is permitted in the self zone if the traffic originates from, or is destined for, the router.

18. Designing a ZPF requires several steps. Which step involves dictating the number of devices between most-secure and least-secure zones and determining redundant devices?

identify subsets within zones and merge traffic requirements
design the physical infrastructure
establish policies between zones
determine the zones

Explanation: Designing ZPFs involves several steps:
Step 1. Determine the zones – The administrator focuses on the separation of the network into zones. Zones establish the security borders of a network.
Step 2. Establish policies between zones – For each pair of “source-destination” zones, define the sessions that clients in the source zones can request from servers in destination zones.
Step 3. Design the physical infrastructure – After the zones have been identified, and the traffic requirements between them documented, the administrator must design the physical infrastructure. This includes dictating the number of devices between most-secure and least-secure zones and determining redundant devices.
Step 4. Identify subsets within zones and merge traffic requirements – For each firewall device in the design, the administrator must identify zone subsets that are connected to its interfaces and merge the traffic requirements for those zones.

19. Which statement describes Cisco IOS Zone-Based Policy Firewall operation?

The pass action works in only one direction.
Router management interfaces must be manually assigned to the self zone.
Service policies are applied in interface configuration mode.
A router interface can belong to multiple zones.

Explanation: The pass action allows traffic only in one direction. Interfaces automatically become members of the self zone. Interfaces are assigned to zones in interface configuration mode, but most configuration takes place in global configuration mode and associated submodes. Interfaces can belong to only one zone at any time.

20. Which cloud security domain describes controls related to securing the data itself?

Data Security and Encryption
Application Security
Security as a Service
Infrastructure Security

Explanation: The Security Guidance for Critical Areas of Focus in Cloud Computing v4 document developed by the Cloud Security Alliance (CSA) covers 14 domains of cloud security. Some of these domains are:
Infrastructure Security – describes cloud-specific aspects of infrastructure security and the foundation for operating securely in the cloud.
Data Security and Encryption – describes those controls related to securing the data itself, of which encryption is one of the most important.
Application Security – provides guidance on how to securely build and deploy applications in cloud computing environments, specifically for PaaS and IaaS.
Security as a Service – covers the continually evolving security services delivered from the cloud.

21. Which two advantages in security controls are provided by software-defined networks (SDN) over traditional network security solutions? (Choose two.)

offer more security features than hardware firewalls
easier insertion into the traffic path
apply to assets based on more flexible criteria than hardware firewalls
easier network isolation without constraints of physical hardware
higher performance than hardware firewalls

Explanation: Software-defined networks (SDN) enable new types of security controls and provide an overall gain for network security, including:
easy network isolation without the constraints of physical hardware
SDN firewalls (security groups in cloud computing) apply to assets based on more flexible criteria than hardware firewalls

22. What is the function of SDKs in application development?

to provide a repository of code to reduce time and cost of application development
to maintain data integrity and identify malicious input
to store precompiled SQL statements that execute tasks
to verify software can run under required security settings
to prevent software from being reverse engineered by replacing sensitive data with fictional data

Explanation: SDKs, or Software Development Kits, provide a repository of useful code to make application development faster and cheaper.

23. A company is using a public cloud provider to host its software development and distribution processes. What two cloud resources is the company solely responsible for in the shared security responsibility model? (Choose two.)

network control
customer endpoints
application
data
identity management

Explanation: Hosting software development and distribution processes is an example of the PaaS model. In the shared security responsibility model, the cloud customer is responsible for data and endpoint security.

24. A company implements a security policy that ensures that a file sent from the headquarters office to the branch office can only be opened with a predetermined code. This code is changed every day. Which two algorithms can be used to achieve this task? (Choose two.)

MD5
AES
SHA-1
HMAC
3DES

Explanation: The task of ensuring that only authorized personnel can open a file is data confidentiality, which can be implemented with encryption. AES and 3DES are two encryption algorithms. HMAC can be used for ensuring origin authentication. MD5 and SHA-1 can be used to ensure data integrity.

25. What are two methods to maintain certificate revocation status? (Choose two.)

CRL
OCSP
subordinate CA
LDAP
DNS

Explanation: A digital certificate might need to be revoked if its key is compromised or it is no longer needed. The certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP) are two common methods to check a certificate's revocation status.

26. Before data is sent out for analysis, which technique can be used to replace sensitive data in nonproduction environments to protect the underlying information?

steganography
steganalysis
software obfuscation
data masking substitution

Explanation: Technologies exist to confuse attackers by changing data and using techniques to hide the original data.

27. Which technology would be used to create the server logs generated by network devices and reviewed by an entry-level network person who works the night shift at a data center?

ACL
VPN
NAT
syslog

Explanation: Syslog is a daemon or service run on a server that accepts messages sent by network devices. These logs are frequently examined to detect inconsistencies and issues within the network.

28. Which two application layer protocols manage the exchange of messages between a client with a web browser and a remote web server? (Choose two.)

HTTPS
DNS
HTML
DHCP
HTTP

Explanation: Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS) are two application layer protocols that manage the content requests from clients and the responses from the web server. HTML (Hypertext Mark-up Language) is the encoding language that describes the content and display features of a web page. DNS is for domain name to IP address resolution. DHCP manages and provides dynamic IP configurations to clients.


29. How can IMAP be a security threat to a company?

It can be used to encode stolen data and send it to a threat actor.
An email can be used to bring malware to a host.
Encrypted data is decrypted.
Someone inadvertently clicks on a hidden iFrame.

Explanation: IMAP, SMTP, and POP3 are email protocols. SMTP is used to send data from a host to a server or to send data between servers. IMAP and POP3 are used to download email messages and can be responsible for bringing malware to the receiving host.

30. Refer to the exhibit. Which technology generated the event log?

web proxy
syslog
Netflow
Wireshark

Explanation: The source of the output is Netflow.

31. Which two tools have a GUI interface and can be used to view and analyze full packet captures? (Choose two.)

Wireshark
Splunk
Cisco Prime Network Analysis Module
nfdump
tcpdump

Explanation: The Network Analysis Module of the Cisco Prime Infrastructure system and Wireshark have GUI interfaces and can display full packet captures. The tcpdump tool is a command-line packet analyzer.

32. Which information can be provided by the Cisco NetFlow utility?

source and destination UDP port mapping
security and user account restrictions
peak usage times and traffic routing
IDS and IPS capabilities

Explanation: NetFlow efficiently provides an important set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, denial of service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.

33. A network administrator is reviewing server alerts because of reports of network slowness. The administrator confirms that an alert was an actual security incident. What is the security alert classification of this type of scenario?

false positive
true negative
true positive
false negative

Explanation:
True Positive: The alert has been verified to be an actual security incident.
False Positive: The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger.
True Negative: No security incident has occurred. The activity is benign.
False Negative: An undetected incident has occurred.

34. A network administrator is trying to download a valid file from an internal server. However, the process triggers an alert on an NMS tool. What condition describes this alert?

false positive
true positive
false negative
true negative

Explanation: Alerts can be classified as follows:
True Positive: The alert has been verified to be an actual security incident.
False Positive: The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger.
An alternative situation is that an alert was not generated. The absence of an alert can be classified as:
True Negative: No security incident has occurred. The activity is benign.
False Negative: An undetected incident has occurred.

35. What is indicated by a Snort signature ID that is below 3464?

This is a custom signature developed by the organization to address locally observed rules.
The SID was created by Sourcefire and distributed under a GPL agreement.
The SID was created by the Snort community and is maintained in Community Rules.
The SID was created by members of EmergingThreats.

Explanation: Snort is an open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) developed by Sourcefire. It has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks and can also be used to detect probes or attacks.

36. A network administrator is setting up a web server for a small advertising office and is concerned with data availability. The administrator wishes to implement disk fault tolerance using the minimum number of disks required. Which RAID level should the administrator choose?

RAID 5
RAID 0
RAID 1
RAID 6

Explanation: Both RAID 0 and RAID 1 require at least 2 disks. However, RAID 0 does not provide fault tolerance. The minimum numbers of disks for RAID 5 and RAID 6 are 3 and 4 respectively.

37. Which three security services are provided by digital signatures? (Choose three.)

authenticates the source
guarantees data has not changed in transit
provides data encryption
provides nonrepudiation using HMAC functions
provides confidentiality of digitally signed data
authenticates the destination

Explanation: Digital signatures are a mathematical technique used to provide three basic security services. Digital signatures have specific properties that enable entity authentication and data integrity. In addition, digital signatures provide nonrepudiation of the transaction. In other words, the digital signature serves as legal proof that the data exchange did take place.

38. A company is deploying a customer service web application on AWS. A network administrator is installing and configuring a VM instance. Which three actions should the administrator take to protect the VM? (Choose three.)

Disable unneeded ports and services.
Enforce account management policies.
Configure RAID to ensure storage fault tolerance.
Plan subnet placement.
Deploy an advanced firewall appliance.
Install an IPS appliance in the VM.

Explanation: This scenario is a typical SaaS cloud service model. The company is responsible for data security. The company also shares the security responsibilities for endpoints and identity management in the cloud with AWS. AWS is responsible for physical infrastructure implementation and security. Some techniques that the company should consider to protect VMs in the cloud include:
Plan subnet placement.
Disable unneeded ports and services.
Enforce account management policies.
Install antivirus/anti-malware software and keep it updated.
Install host-based/software firewalls and IDS/IPS.

39. What is the purpose of mobile device management (MDM) software?

It is used to create a security policy.
It is used to identify potential mobile device vulnerabilities.
It is used by threat actors to penetrate the system.
It is used to implement security policies, settings, and software configurations on mobile devices.

Explanation: Mobile device management (MDM) software is used with mobile devices so that corporate IT personnel can track the devices, implement security settings, and control software configurations.

40. Which protocol would be used to provide security for employees that access systems remotely from home?

Telnet
WPA
SSH
SCP

Explanation: Various application layer protocols are used for communications between systems. A secure protocol provides a secure channel over an unsecured network.

41. A company has a file server that shares a folder named Public. The network security policy specifies that the Public folder is assigned Read-Only rights to anyone who can log into the server while the Edit rights are assigned only to the network admin group. Which component is addressed in the AAA network service framework?

automation
authorization
accounting
authentication

Explanation: After a user is successfully authenticated (logged into the server), authorization is the process of determining what network resources the user can access and what operations (such as read or edit) the user can perform.

42. To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?

echo request
echo reply
time-stamp reply
time-stamp request
router advertisement

Explanation: By allowing the ICMP echo reply message inbound to the organization, internal users are allowed to ping external addresses (and the reply message is allowed to return).

43. Which two statements describe the effect of the access control list wildcard mask 0.0.0.15? (Choose two.)

The last four bits of a supplied IP address will be ignored.
The first 32 bits of a supplied IP address will be matched.
The first 28 bits of a supplied IP address will be matched.
The first 28 bits of a supplied IP address will be ignored.
The last five bits of a supplied IP address will be ignored.
The last four bits of a supplied IP address will be matched.

Explanation: A wildcard mask uses 0s to indicate that bits must match. The 0s in the first three octets represent 24 bits, and the four more 0s in the last octet bring the total to 28 bits that must match. The four 1s represented by the decimal value 15 are the four bits to ignore.
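The wildcard-mask matching just described, and the first-match, sequence-ordered ACL evaluation that the explanation of question 11 relies on, as an added Python example (not code from the course or this page). It inverts a wildcard into a compare mask, counts the matched bits, derives the wildcard for a prefix length, and then runs a constructed standard ACL to show why a host deny ACE only takes effect with a sequence number below the permit at 10. The ACE tuple layout and the sample ACL are assumptions made for this example.

```python
from __future__ import annotations

import ipaddress


def _to_int(addr: str) -> int:
    """Dotted-quad IPv4 address -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_ip: str, ace_address: str, wildcard: str) -> bool:
    """Apply one ACE (address + wildcard) to a packet's source address.

    Each 0 bit of the wildcard means "this bit must match"; each 1 bit means
    "ignore this bit". Inverting the wildcard therefore gives the compare mask.
    """
    compare = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(packet_ip) & compare) == (_to_int(ace_address) & compare)


def bits_matched(wildcard: str) -> int:
    """How many of the 32 address bits the ACE actually compares (the 0 bits)."""
    return 32 - bin(_to_int(wildcard)).count("1")


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard covering a /prefix_len block: the bitwise inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def matching_range(ace_address: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address covered by an ACE whose wildcard is contiguous
    (all 1 bits at the low end). Non-contiguous wildcards match a scattered set."""
    w = _to_int(wildcard)
    low = _to_int(ace_address) & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | w))


def evaluate_acl(acl: list[tuple[int, str, str, str]], packet_ip: str) -> str:
    """Evaluate a standard IPv4 ACL: ACEs are tried in ascending sequence-number
    order, the first match wins, and an implicit "deny any" ends the list.
    Each ACE is the assumed tuple (seq, action, address, wildcard)."""
    for _seq, action, address, wildcard in sorted(acl):
        if wildcard_match(packet_ip, address, wildcard):
            return action
    return "deny"


# Constructed sample ACL for question 11: permit all of 172.16.0.0/16 at sequence 10.
BASE_ACL = [(10, "permit", "172.16.0.0", "0.0.255.255")]


def deny_host_outcome(seq_for_deny: int) -> str:
    """Result for host 172.16.0.1 when a host deny ACE is inserted at the given sequence."""
    acl = BASE_ACL + [(seq_for_deny, "deny", "172.16.0.1", "0.0.0.0")]
    return evaluate_acl(acl, "172.16.0.1")


if __name__ == "__main__":
    print(bits_matched("0.0.0.15"), wildcard_from_prefix(28))
    print(matching_range("192.168.1.0", "0.0.0.15"))
    print("seq 15:", deny_host_outcome(15), "| seq 5:", deny_host_outcome(5))
```

The compare mask is what makes a wildcard such as 0.0.0.254 (match only even host addresses) work the same way as the contiguous 0.0.0.15; only `matching_range` assumes contiguity, which is why its docstring says so.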

44. When implementing components into an enterprise network, what is the purpose of a firewall?

A firewall is a system that stores vast quantities of sensitive and business-critical information.
A firewall is a system that enforces an access control policy between internal corporate networks and external networks.
A firewall is a system that is designed to secure, monitor, and manage mobile devices, including corporate-owned devices and employee-owned devices.
A firewall is a system that inspects network traffic and makes forwarding decisions based solely on Layer 2 Ethernet MAC addresses.

Explanation: A firewall is a system that enforces an access control policy and prevents the exposure of sensitive hosts, resources, and applications to untrusted users.

45. Which ICMP message type should be stopped inbound?

unreachable
source quench
echo-reply
echo

Explanation: The echo ICMP packet should not be allowed inbound on an interface. The echo-reply should be allowed so that when an internal device pings an external device, the reply is allowed to return.

46. When ACLs are configured to block IP address spoofing and DoS flood attacks, which ICMP message should be allowed both inbound and outbound?

source quench
echo
unreachable
echo reply

Explanation: Source quench ICMP messages provide the ability to have the sender throttle down the rate of messages when necessary. These messages should be allowed through the firewall in both inbound and outbound directions.

47. What are two elements that form the PRI value in a syslog message? (Choose two.)

header
timestamp
facility
severity
hostname

Explanation: The PRI in a syslog message consists of two elements, the facility and the severity of the message.

48. Which two options are network security monitoring approaches that
use advanced analytic techniques to analyze network telemetry data?
(Choose two.)

NBAD
NBA
IPFIX
Snorby
Sguil
NetFlow


Explanation: Network behavior analysis (NBA) and network behavior
anomaly detection (NBAD) are approaches to network security
monitoring that use advanced analytical techniques to analyze NetFlow
or IPFIX network telemetry data.

49. What is a characteristic of a probabilistic analysis in an alert evaluation?

each event an inevitable result of antecedent causes
random variables that create difficulty in knowing the outcome of
any given event with certainty
precise methods that yield the same result every time by relying on
predefined conditions
analysis of applications that conform to application/networking standards

Explanation: Statistical techniques can be used to evaluate the risk that exploits will be successful in a given network. This type of analysis can help decision makers to better evaluate the cost of mitigating a threat and the damage that an exploit could cause. Two general approaches used to do this are as follows:
– Deterministic Analysis: For an exploit to be successful, all prior steps in the exploit must also be successful. The cybersecurity analyst knows the steps for a successful exploit.
– Probabilistic Analysis: Statistical techniques are used to determine the probability that a successful exploit will occur based on the likelihood that each step in the exploit will succeed.

50. Match the security policy with the description.

Explanation: Place the options in the following order:
– identifies network applications and uses that are acceptable to the organization: acceptable use policy (AUP)
– identifies how remote users can access a network and what is accessible via remote connectivity: remote access policy
– specifies authorized persons that can have access to network resources and identity verification procedures: identification and authentication policy
– specifies network device operating systems and end user application update procedures: network maintenance policy

51. What are two physical security precautions that a business can take to protect its computers and systems? (Choose two.)

Replace software firewalls with hardware firewalls.
Perform daily data backups.
Ensure that all operating system and antivirus software is up to date.
Lock doors to telecommunications rooms.
Implement biometric authentication.

Explanation: Firewalls (software and hardware), up to date software, and backing up data are all security measures designed to protect data. However, these are not physical security precautions. Physical security precautions prevent theft, damage, or unauthorized access to physical computer equipment.

52. Which hashing technology requires keys to be exchanged?

salting
AES
MD5
HMAC

Explanation: The difference between HMAC and hashing is the use of keys.

53. The IT department is tasked to implement a system that controls what a user can and cannot do on the corporate network. Which process should be implemented to meet the requirement?

a set of attributes that describes user access rights
observations to be provided to all employees
a biometric fingerprint reader
user login auditing

Explanation: Access control prevents unauthorized users from gaining access to sensitive data and networked systems. There are several technologies used to implement effective access control strategies.

54. Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.)

any
gt
some
all
host
most

Explanation: The host keyword is used when using a specific device IP address in an ACL. For example, the deny host 192.168.5.5 command is the same as the deny 192.168.5.5 0.0.0.0 command. The any keyword is used to match any address that meets the criteria. For example, the permit any command is the same as the permit 0.0.0.0 255.255.255.255 command.

55. What is the function of the pass action on a Cisco IOS Zone-Based Policy Firewall?

tracking the state of connections between zones
inspecting traffic between zones for traffic control
logging of rejected or dropped packets
forwarding traffic from one zone to another

Explanation: The pass action performed by Cisco IOS ZPF permits forwarding of traffic in a manner similar to the permit statement in an access control list.

56. Which statement describes the threat to a public cloud due to a poor cloud security architecture strategy?

when a cloud customer does not have full visibility into the cloud services
when user accounts or access privileges are not properly secured and are hijacked by threat actors
when a cloud customer employee, contractor, or business partner maliciously or unintentionally compromises the cloud service
when the shared security responsibilities between a cloud customer and cloud provider are not implemented correctly

Explanation: There are many threats associated with cloud computing, including:
– inside threat – occurs when a cloud customer employee, contractor, or business partner maliciously or unintentionally compromises the cloud service.
– compromised account credentials – occurs when user accounts or access privileges are not properly secured and are hijacked by threat actors.
– cloud misconfiguration – occurs when the cloud computing resource is set up incorrectly, making it vulnerable to attacks.
– poor cloud security architecture strategy – occurs when the shared security responsibilities between a cloud customer and cloud provider are not implemented correctly.
49

57. A company is developing a security policy for secure communication. In the exchange of critical messages between a headquarters office and a branch office, a hash value should only be recalculated with a predetermined code, thus ensuring the validity of data source. Which aspect of secure communications is addressed?

origin authentication
data integrity
non-repudiation
data confidentiality

Explanation: Secure communications consists of four elements:
– Data confidentiality – guarantees that only authorized users can read the message
– Data integrity – guarantees that the message was not altered
– Origin authentication – guarantees that the message is not a forgery and does actually come from whom it states
– Data nonrepudiation – guarantees that the sender cannot repudiate, or refute, the validity of a message sent
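Added example (not part of the course material) illustrating the point of questions 52 and 57: a plain hash can be recomputed by anyone, so it only checks integrity, while an HMAC needs the pre-shared key and so also authenticates the origin. The key and messages below are constructed placeholders, and the digest-size helper ties in the MD5/SHA comparison of question 62.

```python
"""Plain hash versus HMAC (added example, not the course's own code)."""
import hashlib
import hmac

# Constructed pre-shared key: in a real deployment it is exchanged out of band.
SHARED_KEY = b"example-pre-shared-key-only-HQ-and-branch-know"


def integrity_tag(message: bytes) -> str:
    """SHA-256 over the message. Anyone can recompute it, so it only shows
    whether the bytes changed, not who produced them."""
    return hashlib.sha256(message).hexdigest()


def origin_tag(message: bytes, key: bytes) -> str:
    """HMAC-SHA256: recomputable only by a holder of the key, so a matching
    tag proves integrity and origin (the 'predetermined code' of question 57)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts_plain(message: bytes, tag: str) -> bool:
    """Receiver that trusts a bare hash shipped alongside the message."""
    return hmac.compare_digest(integrity_tag(message), tag)


def verify_origin(message: bytes, tag: str, key: bytes) -> bool:
    """Receiver that recomputes the HMAC with the shared key.
    compare_digest avoids leaking the comparison result through timing."""
    return hmac.compare_digest(origin_tag(message, key), tag)


def man_in_the_middle(new_message: bytes) -> tuple:
    """Model an intermediary without SHARED_KEY replacing the message and
    attaching freshly computed tags. Returns whether each receiver accepts:
    (plain-hash receiver, HMAC receiver)."""
    plain_ok = receiver_accepts_plain(new_message, integrity_tag(new_message))
    # Without the real key the intermediary can only use a wrong one.
    hmac_ok = verify_origin(new_message, origin_tag(new_message, b"guess"), SHARED_KEY)
    return plain_ok, hmac_ok


def digest_sizes() -> dict:
    """Digest lengths in bytes for the algorithms named in question 62."""
    return {
        "MD5": hashlib.md5().digest_size,
        "SHA-1": hashlib.sha1().digest_size,
        "SHA-256": hashlib.sha256().digest_size,
    }


if __name__ == "__main__":
    msg = b"HQ to branch: release invoice batch 0042"  # constructed sample
    tag = origin_tag(msg, SHARED_KEY)
    print("branch verifies genuine message:", verify_origin(msg, tag, SHARED_KEY))
    print("altered message accepted (plain hash, HMAC):",
          man_in_the_middle(b"HQ to branch: release invoice batch 9999"))
    print(digest_sizes())
```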

58. Which Windows log contains information about installations of software, including Windows updates?

security logs
application logs
setup logs
system logs

Explanation: On a Windows host, setup logs record information about the installation of software, including Windows updates.

59. For network systems, which management system addresses the inventory and control of hardware and software configurations?

vulnerability management
risk management
asset management
configuration management

Explanation: Configuration management addresses the inventory and control of hardware and software configurations of network systems.

60. What are two uses of an access control list? (Choose two.)

ACLs can permit or deny traffic based upon the MAC address originating on the router.
Standard ACLs can restrict access to specific applications and ports.
ACLs can control which areas a host can access on a network.
ACLs assist the router in determining the best path to a destination.
ACLs provide a basic level of security for network access.

Explanation:
– Limit network traffic in order to provide adequate network performance
– Restrict the delivery of routing updates
– Provide a basic level of security
– Filter traffic based on the type of traffic being sent
– Filter traffic based on IP addressing

61. When implementing a ZPF, what is the default security setting when forwarding traffic between two interfaces in the same zone?

Traffic between interfaces in the same zone is not subject to any policy and passes freely.
Traffic between interfaces in the same zone is blocked.
Traffic between interfaces in the same zone is selectively forwarded based on Layer 3 information.
Traffic between interfaces in the same zone is selectively forwarded based on the default policy restrictions.

Explanation: A zone-based policy firewall uses the concept of zones to specify where firewall rules and policies should be applied. By default, the traffic between interfaces that exist in the same zone is not subject to any policy and passes freely.

62. You have been asked to implement a data integrity program to protect data files that need to be electronically downloaded by the sales staff. You have decided to use the strongest hashing algorithm available on your systems. Which hash algorithm would you select?

AES
SHA-1
SHA-256
MD5

Explanation: MD5 and SHA are the two most popular hashing algorithms. SHA-256 uses a 256-bit hash, whereas MD5 produces a 128-bit hash value.

63. What is the purpose of a digital certificate?

It authenticates a website and establishes a secure connection to exchange confidential data.
It guarantees that a website has not been hacked.
It ensures that the person who is gaining access to a network device is authorized.
It provides proof that data has a traditional signature attached.

Explanation: Digital signatures commonly use digital certificates that are used to verify the identity of the originator in order to authenticate a vendor website and establish an encrypted connection to exchange confidential data. One such example is when a person logs into a financial institution from a web browser.

64. Which network logs contain information that a security analyst can
use to determine if packets received from the web are in response to
legitimate requests or are part of an exploit?

NetFlow logs
content filter logs
NBAR logs
proxy logs

65. Why can ACLs give a false sense of security if overly relied upon as a network security technology?

ACLs can be applied to network interfaces in one direction only.
ACLs only log denied traffic, not permitted traffic.
Packets are permitted by default when ACL statements don’t match.
Attackers can determine which IP addresses, protocols, and ports are allowed by ACLs.

66. Why must a network administrator consider more security features in addition to firewalls to achieve the best possible network security?

Experienced firewall specialists may not always be available, requiring the deployment of less complex security technologies.
Firewalls are expensive to implement, given that there are less expensive security technologies.
Firewall configuration often takes too much time, and network technicians are more effective if deployed in other security areas.
Firewalls typically do not stop intrusions from hosts within a network or zone.

67. What is one of the first actions performed on Internet-connected smart devices before being put into service?

Connect the device to the network and download firmware updates.
Change the default administrator credentials.
Install the device in a physically secure environment.
Configure the device to communicate with a central server.

68. What is an example of transaction data recorded by a network security monitoring tool?

source and destination port numbers of two network endpoints
requests and replies between the two network endpoints
source and destination IP addresses of two network endpoints
the IP code for the protocol in use

Explanation: The transactions that represent the requests and replies would be logged in an access log on the server or by a NIDS like Zeek.

69. Which two statements describe the effects of the access control list wildcard mask 0.0.0.31? (Choose two.)

The first 27 bits of a supplied IP address will be matched.
The first 31 bits of a supplied IP address will be ignored.
The last 5 bits of a supplied IP address will be matched.
The last 5 bits of a supplied IP address will be ignored.
The last 27 bits of a supplied IP address will be ignored.
The first 31 bits of a supplied IP address will be matched.

Explanation: Unlike a subnet mask, in which binary 1 is equal to a match and binary 0 is not a match, in a wildcard mask, the reverse is true.
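Added example (not from the course page) covering the wildcard mask explanations for 0.0.0.15 and 0.0.0.31 and the host/any keywords of question 54: it counts the bits a wildcard mask forces to match and tests candidate addresses against an ACL address entry. The addresses used are the ones quoted in the answers plus constructed candidates.

```python
"""ACL wildcard masks and the host/any shorthand (added example)."""
import ipaddress


def wildcard_bits(wildcard: str) -> tuple:
    """Return (bits that must match, bits ignored) for a dotted wildcard mask.
    A 0 bit means the address bit must match; a 1 bit means ignore it."""
    value = int(ipaddress.IPv4Address(wildcard))
    ignored = bin(value).count("1")
    return 32 - ignored, ignored


def expand_keyword(entry: str) -> tuple:
    """Expand 'host A.B.C.D' and 'any' to the address/wildcard pair they stand for."""
    parts = entry.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if len(parts) == 2 and parts[0] == "host":
        return parts[1], "0.0.0.0"
    if len(parts) == 2:
        return parts[0], parts[1]
    raise ValueError(f"unrecognised ACL address form: {entry!r}")


def acl_matches(entry: str, candidate: str) -> bool:
    """True if candidate satisfies the ACL address form in entry.
    XOR exposes the bits that differ; masking with the inverted wildcard keeps
    only the bits the ACL insists on, so any remaining 1 bit is a mismatch."""
    address, wildcard = expand_keyword(entry)
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    c = int(ipaddress.IPv4Address(candidate))
    return ((a ^ c) & (~w & 0xFFFFFFFF)) == 0


if __name__ == "__main__":
    for mask in ("0.0.0.15", "0.0.0.31", "0.0.0.255"):
        print(mask, "-> must match / ignored bits:", wildcard_bits(mask))
    print(acl_matches("192.168.5.0 0.0.0.31", "192.168.5.31"))  # True
    print(acl_matches("192.168.5.0 0.0.0.31", "192.168.5.32"))  # False
    print(acl_matches("host 192.168.5.5", "192.168.5.5"))        # True
    print(acl_matches("any", "10.1.1.1"))                         # True
```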

70. A cybersecurity analyst is going to verify security alerts using the Security Onion. Which tool should the analyst visit first?

Bro
ELK
CapME
Sguil

Explanation: The primary duty of a cybersecurity analyst is the verification of security alerts. In the Security Onion, the first place that a cybersecurity analyst will go to verify alerts is Sguil because it provides a high-level console for investigating security alerts from a wide variety of sources.

71. Which term describes the ability of a web server to keep a log of the users who access the server, as well as the length of time they use it?

assigning permissions
authentication
accounting
authorization

Explanation: Accounting records what users do and when they do it, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used.

72. An investigator finds a USB drive at a crime scene and wants to present it as evidence in court. The investigator takes the USB drive and creates a forensic image of it and takes a hash of both the original USB device and the image that was created. What is the investigator attempting to prove about the USB drive when the evidence is submitted in court?

The data is all there.
An exact copy cannot be made of a device.
The investigator found a USB drive and was able to make a copy of it.
The data in the image is an exact copy and nothing has been altered by the process.

Explanation: A hash function ensures the integrity of a program, file, or device.

73. Refer to the exhibit. A security analyst is reviewing an alert message generated by Snort. What does the number 2100498 in the message indicate?

the message length in bits
the Snort rule that is triggered
the session number of the message
the id of the user that triggers the alert

Explanation: The sid field in a Snort alert message indicates the Snort security rule that is triggered.

74. What does it indicate if the timestamp in the HEADER section of a syslog message is preceded by a period or asterisk symbol?

The timestamp represents the round trip duration value.
The syslog message indicates the time an email is received.
The syslog message should be treated with high priority.
There is a problem associated with NTP.

Explanation: The HEADER section of the message contains the timestamp. If the timestamp is preceded by the period (.) or asterisk (*) symbols, a problem is indicated with NTP.
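Added example (not from the course page) for questions 47 and 74: it splits the syslog PRI into its facility and severity and flags a timestamp prefixed with "." or "*" as an NTP problem. The sample lines are constructed, not real captures; the facility/severity packing (facility × 8 + severity) is the standard syslog encoding.

```python
"""Syslog PRI decoding and Cisco NTP timestamp markers (added example)."""
import re

# PRI is the decimal number in angle brackets at the start of the message;
# it packs facility and severity as facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# Constructed sample lines (not real captures). The second and third use the
# Cisco IOS style where '*' or '.' before the timestamp signals an NTP problem.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw1 su: 'su root' failed for alice on /dev/pts/8",
    "<189>*Mar  1 00:00:12.345: %SYS-5-CONFIG_I: Configured from console by console",
    "<187>.Jul 14 09:30:01.101: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
]


def decode_pri(pri: int) -> tuple:
    """Split a PRI value into (facility, severity)."""
    if not 0 <= pri <= 191:  # 24 facilities x 8 severities
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_syslog(line: str) -> dict:
    """Return facility, severity and the NTP marker state for one line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no PRI field in {line!r}")
    facility, severity = decode_pri(int(m.group(1)))
    body = m.group(2)
    # A leading '.' or '*' is the Cisco IOS marker for an unsynchronised clock.
    marker = body[0] if body[:1] in (".", "*") else ""
    return {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "ntp_problem": marker != "",
        "message": body[len(marker):],
    }


def lines_with_ntp_problem(lines: list) -> list:
    """Messages whose timestamp marker says the sender's clock is not NTP-synced."""
    return [line for line in lines if parse_syslog(line)["ntp_problem"]]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
    print("lines needing an NTP check:", len(lines_with_ntp_problem(SAMPLE_LINES)))
```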

75. A SOHO office is using a public cloud provider to host their website. The IT technician is choosing an approach to protect transaction data between the website and visitors from the internet. Which type of encryption key management method should the technician choose?

public key encryption
private key encryption
secret key encryption
shared-secret key encryption

Explanation: The two classes of encryption approaches are symmetric and asymmetric encryption. Symmetric encryption algorithms use the same key, called a pre-shared key or shared-secret key, to encrypt and decrypt data. Asymmetric encryption algorithms use one key to encrypt data and a different key to decrypt data. One key is public and the other is private. Asymmetric encryption is also called public key encryption. In this scenario, web visitors are unknown; therefore, public key encryption should be used.

76. What are two benefits offered by a zone-based policy firewall on a Cisco router? (Choose two.)

Any interface can be configured with both a ZPF and an IOS Classic Firewall.
Policies are applied to unidirectional traffic between zones.
Virtual and physical interfaces are put in different zones to enhance security.
Policies are defined exclusively with ACLs.
Policies provide scalability because they are easy to read and troubleshoot.

Explanation: There are several benefits of a ZPF:
– It is not dependent on ACLs.
– The router security posture is to block unless explicitly allowed.
– Policies are easy to read and troubleshoot. This provides scalability because one policy affects any given traffic, instead of needing multiple ACLs and inspection actions for different types of traffic.
– Virtual and physical interfaces can be grouped into zones.
– Policies are applied to unidirectional traffic between zones.
Both IOS Classic Firewalls and ZPFs can be enabled concurrently on a Cisco router. However, the models cannot be combined on a single interface.

77. Why could network Syslog servers be a target for threat actors?

Syslog servers are usually not installed behind a firewall.
Syslog servers contain configurations and passwords for all devices on the network.
Syslog data could be encrypted by the attacker and used as ransomware.
Syslog servers could contain information that could lead to the detection of an exploit by a hacker.

78. What effect does the use of hashing have on stored passwords?

Less digital storage is required for user credentials that include hashed passwords.
Enforces the use of complex passwords.
The recovery of forgotten passwords is faster.
The password cannot be restored from the stored unique hash.

Explanation: Nobody can reverse a digital hash to discover the original input. If the input changes at all, it results in a different hash. The system never writes the user’s password to the hard drive; it only stores the digital hash. This way, the password is truly only known to the user who set it.
49

79. What is used by an application layer gateway to connect to remote servers on behalf of clients?

packet filter
stateful firewall
intrusion detection system
proxy server

Explanation: When a client needs to access a remote server, it connects to a proxy server. The proxy server connects to the remote server on behalf of the client. Therefore, the server only sees a connection from the proxy server.

80. Which component of the zero trust security model focuses on secure access when an API, a microservice, or a container is accessing a database within an application?

workplace
workload
workflow
workforce

Explanation: The workload pillar focuses on applications that are running in the cloud, in data centers, and other virtualized environments that interact with one another. It focuses on secure access when an API, a microservice, or a container is accessing a database within an application.

81. Match the security concept to the description.

Explanation: Place the options in the following order:
– the likelihood of undesirable consequences: risk
– a mechanism used to compromise an asset: exploit
– a weakness in a system: vulnerability
– a potential danger to an asset: threat

82. Place the steps for configuring zone-based policy (ZPF) firewalls in order from first to last.

Explanation: Place the options in the following order:
1st – Create zones.
2nd – Define traffic classes.
3rd – Create policies.
4th – Apply policies.
5th – Assign zones to interfaces.

83. In a hierarchical CA topology, where can a subordinate CA obtain a certificate for itself?

from the root CA or another subordinate CA at the same level
from the root CA or another subordinate CA at a higher level
from the root CA or from self-generation
from the root CA only
from the root CA or another subordinate CA anywhere in the tree

Explanation: In a hierarchical CA topology, CAs can issue certificates to end users and to subordinate CAs, which in turn issue their certificates to end users, other lower level CAs, or both. In this way, a tree of CAs and end users is built in which every CA can issue certificates to lower level CAs and end users. Only the root CA can issue a self-signing certificate in a hierarchical CA topology.
