CCNA Cybersecurity Operations (Version 1.1) – CyberOps Chapter 7 Exam Answers 2019

  1. What are two monitoring tools that capture network traffic and forward it to network monitoring devices? (Choose two.)

    • SIEM
    • Wireshark
    • SNMP
    • SPAN
    • network tap
      Explanation:

      A network tap is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network and forwards all traffic including physical layer errors to an analysis device. SPAN is a port mirroring technology supported on Cisco switches that enables the switch to copy frames and forward them to an analysis device.

  2. What network monitoring technology enables a switch to copy and forward traffic sent and received on multiple interfaces out another interface toward a network analysis device?

    • NetFlow
    • network tap
    • port mirroring
    • SNMP
      Explanation:

When enabled on a switch, port mirroring copies frames sent and received by the switch and forwards them to another port, which has an analysis device attached.

  3. Which network monitoring capability is provided by using SPAN?

    • Network analysts are able to access network device log files and to monitor network behavior.
    • Real-time reporting and long-term analysis of security events are enabled.
    • Statistics on packets flowing through Cisco routers and multilayer switches can be captured.
    • Traffic exiting and entering a switch is copied to a network monitoring device.
      Explanation:

When enabled on a switch, SPAN, or port mirroring, copies frames that are sent and received by the switch and forwards them to another port, known as a Switch Port Analyzer port, which has an analysis device attached.

  4. Which technology is an open source SIEM system?

    • Splunk
    • Wireshark
    • ELK
    • StealthWatch
      Explanation:

      There are many SIEM systems available to network administrators. The ELK suite is an open source option.

  5. Which network monitoring tool can provide a complete audit trail of basic information of all IP flows on a Cisco router and forward the data to a device?

    • SIEM
    • NetFlow
    • SPAN
    • Wireshark
      Explanation:

      NetFlow is a Cisco technology that provides statistics on packets flowing through a Cisco router or multilayer switch.

  6. Which SIEM function is associated with speeding up detection of security threats by examining logs and events from different systems?

    • correlation
    • forensic analysis
    • aggregation
    • retention
      Explanation:

      The correlation function of SIEM speeds the detection and reaction to security threats by examining logs and events from different systems.

  7. Which capability is provided by the aggregation function in SIEM?

    • increasing speed of detection and reaction to security threats by examining logs from many systems and applications
    • presenting correlated and aggregated event data in real-time monitoring
    • searching logs and event records of multiple sources for more complete forensic analysis
    • reducing the volume of event data by consolidating duplicate event records
      Explanation:

      The aggregation function of SIEM reduces the volume of event data by consolidating duplicate event records.

  8. Refer to the exhibit. A junior network administrator is inspecting the traffic flow of a particular server in order to make security recommendations to the departmental supervisor. Which recommendation should be made?

    CCNA Cybersecurity Operations (Version 1.1) - CyberOps Chapter 7 Exam Answers 2019 Full 100% 02


    • A more secure protocol should be used.
    • The total length (TL) field indicates an unsecure Layer 4 protocol is being used.
    • The person accessing the server should use the private IP address of the server.
    • The person accessing the server should never access it from a device using a private IP address.
      Explanation:

      FTP is an unsecure network protocol. Anyone capturing packets can obtain the username and password from the capture. A more secure protocol such as SFTP should be used.

  9. Refer to the exhibit. What protocol would be used by the syslog server service to create this type of output for security purposes?

    CCNA Cybersecurity Operations (Version 1.1) - CyberOps Chapter 7 Exam Answers 2019 Full 100% 01


    • AAA
    • ICMP
    • NTP
    • SNMP
      Explanation:

      The Simple Network Management Protocol is used by network devices to send and log messages to a syslog server in order to monitor traffic and network device events.

  10. Which network monitoring tool saves captured packets in a PCAP file?

    • SNMP
    • NetFlow
    • SIEM
    • Wireshark
      Explanation:

      Wireshark captures are saved as PCAP files, which contain frame, interface, and packet information, and also time stamps.

  11. How is optional network layer information carried by IPv6 packets?

    • inside an options field that is part of the IPv6 packet header
    • inside the Flow Label field
    • inside an extension header attached to the main IPv6 packet header
    • inside the payload carried by the IPv6 packet
      Explanation:

      IPv6 uses extension headers to carry optional network layer information. Extension headers are not part of the main IPv6 header but are separate headers placed between the IPv6 header and the payload.

  12. Which cyber attack involves a coordinated attack from a botnet of zombie computers?

    • DDoS
    • MITM
    • ICMP redirect
    • address spoofing
      Explanation:

      DDoS is a distributed denial-of-service attack. A DDoS attack is launched from multiple coordinated sources. The sources of the attack are zombie hosts that the cybercriminal has built into a botnet. When ready, the cybercriminal instructs the botnet of zombies to attack the chosen target.

  13. In which TCP attack is the cybercriminal attempting to overwhelm a target host with half-open TCP connections?

    • reset attack
    • port scan attack
    • SYN flood attack
    • session hijacking attack
      Explanation:

      In a TCP SYN flood attack, the attacker sends to the target host a continuous flood of TCP SYN session requests with a spoofed source IP address. The target host responds with a TCP-SYN-ACK to each of the SYN session requests and waits for a TCP ACK that will never arrive. Eventually the target is overwhelmed with half-open TCP connections.

  14. What are two methods used by cybercriminals to mask DNS attacks? (Choose two.)

    • reflection
    • tunneling
    • fast flux
    • domain generation algorithms
    • shadowing
      Explanation:

      Fast flux, double IP flux, and domain generation algorithms are used by cybercriminals to attack DNS servers and affect DNS services. Fast flux is a technique used to hide phishing and malware delivery sites behind a quickly changing network of compromised DNS hosts (bots within botnets). The double IP flux technique rapidly changes the hostname to IP address mappings and the authoritative name server. Domain generation algorithms randomly generate domain names to be used as rendezvous points.

  15. What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?

    • DHCP starvation
    • DHCP spoofing
    • IP address spoofing
    • CAM table attack
      Explanation:

      DHCP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages in order to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.

  16. Which type of DNS attack involves the cybercriminal compromising a parent domain and creating multiple subdomains to be used during the attacks?

    • cache poisoning
    • amplification and reflection
    • tunneling
    • shadowing
      Explanation:

      Two threats to DNS are DNS shadowing and DNS tunneling attacks. DNS shadowing attacks compromise a parent domain and then the cybercriminal creates subdomains to be used in attacks. DNS tunneling attacks build botnets to bypass traditional security solutions. Three threats to DNS open resolvers are cache poisoning, amplification and reflection, and resource utilization attacks.

  17. Which protocol is attacked when a cybercriminal provides an invalid gateway in order to create a man-in-the-middle attack?

    • DNS
    • ICMP
    • HTTP or HTTPS
    • DHCP
      Explanation:

      A cybercriminal could set up a rogue DHCP server that provides one or more of the following:
        • Wrong default gateway that is used to create a man-in-the-middle attack and allow the attacker to intercept data
        • Wrong DNS server that results in the user being sent to a malicious website
        • Invalid default gateway IP address that results in a denial of service attack on the DHCP client

  18. What is the result of a passive ARP poisoning attack?

    • Confidential information is stolen.
    • Data is modified in transit or malicious data is inserted in transit.
    • Multiple subdomains are created.
    • Network clients experience a denial of service.
      Explanation:

      ARP poisoning attacks can be passive or active. The result of a passive attack is that cybercriminals steal confidential information. With an active attack, cybercriminals modify data in transit or they inject malicious data.

  19. In which type of attack is falsified information used to redirect users to malicious Internet sites?

    • DNS cache poisoning
    • ARP cache poisoning
    • DNS amplification and reflection
    • domain generation
      Explanation:

      In a DNS cache poisoning attack, falsified information is used to redirect users from legitimate to malicious internet sites.

  20. What type of attack targets an SQL database using the input field of a user?

    • XML injection
    • Cross-site scripting
    • SQL injection
    • buffer overflow
      Explanation:

      A criminal can insert a malicious SQL statement in an entry field on a website where the system does not filter the user input correctly.

  21. Which term is used for bulk advertising emails flooded to as many end users as possible?

    • phishing
    • brute force
    • spam
    • adware
      Explanation:

      Spam is annoying and unwanted bulk email that is sent to as many end users as possible.

  22. Which protocol is exploited by cybercriminals who create malicious iFrames?

    • DNS
    • DHCP
    • HTTP
    • ARP
      Explanation:

      An HTML element known as an inline frame or iFrame allows the browser to load a different web page from another source.

  23. Which protocol would be the target of a cushioning attack?

    • DNS
    • HTTP
    • ARP
    • DHCP
      Explanation:

      The HTTP 302 cushioning attack is used by cybercriminals to take advantage of the 302 Found HTTP response status code to redirect the browser of the user to a new location, usually a malicious site.

  24. Match the monitoring tool to the description.

    CCNA Cybersecurity Operations (Version 1.1) - CyberOps Chapter 7 Exam Answers 2019 Full 100% 001


  25. Match the attack to the definition. (Not all options are used.)

    CCNA Cybersecurity Operations (Version 1.1) - CyberOps Chapter 7 Exam Answers 2019 Full 100% 002
