1. Which of the following spreads malware-infected files and creates vulnerabilities on a network?

ACL

Encryption

Tunneling

NAT/PAT

P2P
2. Which of the following can be defeated by packets containing spoofed IP addresses?

P2P

TOR

ACL

encryption

NAT/PAT
3. Which of the following makes message contents and file attachments unreadable?

NAT/PAT

TOR

Load balancing

Encryption

ACL
4. Which of the following hides identity details of users who are browsing the web?

TOR

P2P

ACL

NAT/PAT

Load balancing

1. Which of the following can carry malware payloads into the network?

DNS

HTTPS

IMAP

syslog

SMTP
2. Which of the following presents challenges to decoding packet captures?

HTTPS

DNS

SMTP

syslog

NTP
3. Which of the following can be used to exfiltrate data hidden in the query messages?

IMAP

NTP

SMTP

DNS

syslog
4. Time stamps that are provided by which protocol may be corrupted to complicate event correlation?

syslog

SMTP

NTP

DNS

HTTPS

1. A cyberanalyst is reviewing an entry-point ACL. What three types of ICMP traffic should be allowed to access an internal network from the internet? (Choose three.)

reply

squelch

request

time exceeded

destination unreachable

ping
2. A company decides to purchase a device capable of managing load balancing so that traffic will be distributed between their servers. What could be a potential problem using the new device on the network?

The LBM probe messages may appear as suspicious traffic.

All links to redundant servers will require encrypted tunneling protocols.

The traffic will require more bandwidth to send to multiple servers.

It will require the purchase of more servers so that existing servers are not overwhelmed.

It will cause extra traffic going to a server resource that is not available.
3. What method allows VPN traffic to remain confidential?

authentication

encryption

verification

encapsulation
4. To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?

router advertisement

echo reply

echo request

time-stamp request

time-stamp reply
5. In which way does the use of HTTPS increase the security monitoring challenges within enterprise networks?

HTTPS traffic can carry a much larger data payload than HTTP can carry.

HTTPS traffic is much faster than HTTP traffic.

HTTPS traffic enables end-to-end encryption.

HTTPS traffic does not require authentication.

6. Which type of server would support the SMTP, POP, and IMAP protocols?

proxy

email

DHCP

syslog
7. Which network service synchronizes the time across all devices on the network?

SNMP

NetFlow

syslog

NTP
8. What port number would be used if a threat actor was using NTP to direct DDoS attacks?

69

25

123

443
9. Which protocol is used to send e-mail messages between two servers that are in different e-mail domains?

HTTP

POP3

IMAP4

SMTP
10. How do cybercriminals make use of a malicious iFrame?

The attacker embeds malicious content in business-appropriate files.

The attacker redirects traffic to an incorrect DNS server.

The iFrame allows multiple DNS subdomains to be used.

The iFrame allows the browser to load a web page from another source.
11. Which type of server daemon accepts messages sent by network devices to create a collection of log entries?

AAA

NTP

SSH

syslog
12. What type of server can threat actors use DNS to communicate with?

database

CnC

NTP

web
13. Which statement describes the function provided by the Tor network?

It conceals packet contents by establishing end-to-end tunnels.

It manipulates packets by mapping IP addresses between two networks.

It allows users to browse the Internet anonymously.

It distributes user packets through load balancing.
14. How can NAT/PAT complicate network security monitoring if NetFlow is being used?

It disguises the application initiated by a user by manipulating port numbers.

It conceals the contents of a packet by encrypting the data payload.

It hides internal IP addresses by allowing them to share one or a few outside IP addresses.

It changes the source and destination MAC addresses.

1. Which type of network monitoring data includes detailed protocol and payload information for all traffic on a network segment?

full-packet capture

transaction data

session data

alert data

extracted content

statistical data
2. What type of network monitoring data summarizes or analyzes network flow or performance data?

full-packet capture

transaction data
session data

alert data

extracted content

statistical data
3. What type of network monitoring data includes device-specific server and host logs?

full-packet capture

transaction data

session data

alert data

extracted content

statistical data
4. What type of network monitoring data includes files that are attached to emails or that were downloaded from the internet?

full-packet capture

transaction data

session data

alert data

extracted content

statistical data
5. What type of network monitoring data contains details of network flows, including the 5-tuples, the amount of data transmitted, and the duration of data transmission?

full-packet capture

transaction data

session data

alert data

extracted content

statistical data
6. What type of network monitoring data is generated by IPS or IDS devices when suspicious traffic is detected?

full-packet capture

transaction data

session data

alert data

extracted content

statistical data

1. What Windows security level is logged when a remote login was unsuccessfully attempted by an unauthorized user?

Error

Fatal

Warning

Information

Success Audit

Failure Audit
2. What Windows security level is logged when a process that is required has successfully loaded on a workstation?

Error

Fatal

Warning

Information

Success Audit

Failure Audit
3. What Windows security level is logged when a disk error has occurred during a backup operation?

Error

Fatal

Warning

Information

Success Audit

Failure Audit
4. What Windows security level is logged when disk space is getting low?

Error

Fatal

Warning

Information

Success Audit

Failure Audit
5. What Windows security level is logged when an authorized user logs in remotely to a system?

Error

Fatal

Warning

Information

Success Audit

Failure Audit

1. What is used to generate and view full packet captures?

NetFlow

tcpdump

Proxy Logs

Syslog
2. What two values are part of all NetFlow flow records? (Choose two.)

beginning timestamp

full packet details

ending timestamp

DNS server requests

application identifiers
3. What does Application Visibility and Control (AVC) use to discover the applications that are responsible for network traffic?

NBAR2

full packet captures

DNS logs

NetFlow flow records

firewall packet logs

4. Which two devices will create logs of suspicious content that has been detected in application traffic? (Choose two.)

NetFlow

Email security appliance

Web security appliance

tcpdump

NBAR2

1. What type of event occurs when there is malicious activity that can affect the availability, integrity, and confidentiality of a host and its data?

Intrusion

Host or Endpoint

NetFlow

Configuration

Network Discovery

Connection
2. What kind of event is logged when a host first appears on the network?

Intrusion

Host or Endpoint

NetFlow

Configuration

Network Discovery

Connection
3. What type of event is used when NetFlow detects a new host on the network?

Intrusion

Host or Endpoint

NetFlow

Configuration

Network Discovery

Connection
4. Which type of event concerns sessions between hosts that are discovered by the NextGen Firewall directly?

Intrusion

Host or Endpoint

NetFlow

Configuration

Network Discovery

Connection
5. What type of event occurs when changes are detected to network hosts and applications that are known to the network?

Intrusion

Host or Endpoint

NetFlow

Configuration

Network Discovery

Connection

1. What is a feature of the tcpdump tool?

It can display packet captures in real time or write them to a file.

It records metadata about packet flows.

It uses agents to submit host logs to centralized management servers.

It provides real-time reporting and long-term analysis of security events.

2. Which Windows tool can be used to review host logs?

Task Manager

Device Manager

Event Viewer

Services
3. Which type of security data can be used to describe or predict network behavior?

alert

session

statistical

transaction
4. Which statement describes the tcpdump tool?

It accepts and analyzes data captured by Wireshark.

It is a command-line packet analyzer.

It is used to control multiple TCP-based applications.

It can be used to analyze network log data in order to describe and predict network behavior.
5. What are two popular SIEM platforms? (Choose two.)

Splunk

Security Onion with ELK

NetFlow

Cisco Umbrella

tcpdump
6. Which Windows host log event type describes the successful operation of an application, driver, or service?

error

information

success audit

warning
7. Which Windows log records events related to login attempts and operations related to file or object access?

system logs

security logs

setup logs

application logs
8. What are two of the 5-tuples? (Choose two.)

IDS

protocol

source port

IPS

ACL
9. In a Cisco AVC system, in which module is NBAR2 deployed?

Application Recognition

Control

Management and Reporting

Metrics Collection
10. A NIDS/NIPS has identified a threat. Which type of security data will be generated and sent to a logging device?

transaction

session

statistical

alert
11. Which statement describes an operational characteristic of NetFlow?

NetFlow can provide services for user access control.

NetFlow captures the entire contents of a packet.

NetFlow flow records can be viewed by the tcpdump tool.

NetFlow collects basic information about the packet flow, not the flow data itself.
12. Which type of data is used by Cisco Cognitive Intelligence to find malicious activity that has bypassed security controls, or entered through unmonitored channels, and is operating inside an enterprise network?

session

alert

transaction

statistical
