Questions and answers 100% correct.

1.

Which symmetrical encryption algorithm is the most difficult to crack?

3DES

AES

DES

RSA

SHA

2.

What is the basic method used by 3DES to encrypt plaintext?

The data is encrypted three times with three different keys.

The data is encrypted, decrypted, and encrypted using three different keys.

The data is divided into three blocks of equal length for encryption.

The data is encrypted using a key length that is three times longer than the key used for DES.

3.

What does it mean when a hashing algorithm is collision resistant?

Exclusive ORs are performed on input data and produce a digest.

It is not feasible to compute the hash given the input data.

It uses a two-way function that computes a hash from the input and output data.

Two messages with the same hash are unlikely to occur.

4.

Which three primary functions are required to secure communication across network links? (Choose three.)

accounting

anti-replay protection

authentication

authorization

confidentiality

integrity

5.

Which two encryption algorithms are commonly used to encrypt the contents of a message? (Choose two.)

3DES

AES

IPsec

PKI

SHA

6.

Which statement describes asymmetric encryption algorithms?

They include DES, 3DES, and AES.

They have key lengths ranging from 80 to 256 bits.

They are also called shared-secret key algorithms.

They are relatively slow because they are based on difficult computational algorithms.

7.

Which statement describes the use of keys for encryption?

The sender and receiver must use the same key when using symmetric encryption.

The sender and receiver must use the same key when using asymmetric encryption.

The sender and receiver must use the same keys for both symmetric and asymmetric encryption.

The sender and receiver must use two keys: one for symmetric encryption and another for asymmetric encryption.

8.

How do modern cryptographers defend against brute-force attacks?

Use statistical analysis to eliminate the most common encryption keys.

Use an algorithm that requires the attacker to have both ciphertext and plaintext to conduct a successful attack.

Use a keyspace large enough that it takes too much money and too much time to conduct a successful attack.

Use frequency analysis to ensure that the most popular letters used in the language are not used in the cipher message.

9.

Refer to the exhibit. Which type of cipher method is depicted?

Caesar cipher

stream cipher

substitution cipher

transposition cipher

10.

Which statement describes a cryptographic hash function?

A one-way cryptographic hash function is hard to invert.

The output of a cryptographic hash function can be any length.

The input of a cryptographic hash function has a fixed length.

A cryptographic hash function is used to provide confidentiality.

11.

A customer purchases an item from an e-commerce site. The e-commerce site must maintain proof that the data exchange took place between the site and the customer. Which feature of digital signatures is required?

authenticity of digitally signed data

integrity of digitally signed data

nonrepudiation of the transaction

confidentiality of the public key

12.

Which encryption protocol provides network layer confidentiality?

IPsec protocol suite

Keyed MD5

Message Digest 5

Secure Sockets Layer

Secure Hash Algorithm 1

Transport Layer Security

13.

Which statement is a feature of HMAC?

HMAC is based on the RSA hash function.

HMAC uses a secret key that is only known to the sender and defeats man-in-the-middle attacks.

HMAC uses a secret key as input to the hash function, adding authentication to integrity assurance.

HMAC uses protocols such as SSL or TLS to provide session layer confidentiality.

14.

The network administrator for an e-commerce website requires a service that prevents customers from claiming that legitimate orders are fake. What service provides this type of guarantee?

authentication

confidentiality

integrity

nonrepudiation

15.

What is a characteristic of the RSA algorithm?

RSA is much faster than DES.

RSA is a common symmetric algorithm.

RSA is used to protect corporate data in high-throughput, low-latency environments.

RSA keys of 512 bits can be used for faster processing, while keys of 2048 bits can be used for increased security.

16.

Refer to the exhibit. Which encryption algorithm is described in the exhibit?

3DES

AES

DES

RC4

SEAL

17.

An administrator requires a PKI that supports a longer lifetime for keys used for digital signing operations than for keys used for encrypting data. Which feature should the PKI support?

certificate keys

nonrepudiation keys

usage keys

variable keys

18.

Which two statements correctly describe certificate classes used in the PKI? (Choose two.)

A class 0 certificate is for testing purposes.

A class 0 certificate is more trusted than a class 1 certificate.

The lower the class number, the more trusted the certificate.

A class 5 certificate is for users with a focus on verification of email.

A class 4 certificate is for online business transactions between companies.

19.

Two users must authenticate each other using digital certificates and a CA. Which option describes the CA authentication procedure?

The CA is always required, even after user verification is complete.

The users must obtain the certificate of the CA and then their own certificate.

After user verification is complete, the CA is no longer required, even if one of the involved certificates expires.

CA certificates are retrieved out-of-band using the PSTN, and the authentication is done in-band over a network.

20.

Why is RSA typically used to protect only small amounts of data?

The keys must be a fixed length.

The public keys must be kept secret.

The algorithms used to encrypt data are slow.

The signature keys must be changed frequently.

21.

Which algorithm would provide the best integrity check for data that is sent over the Internet?

MD5

SHA-1

SHA-2

3DES

22.

Which characteristic of security key management is responsible for making certain that weak cryptographic keys are not used?

verification

exchange

generation

revocation and destruction

CCNA Security Chapter 6

1. When configuring a switch port for port security, what is the default violation mode?

(A) protect

(B) reset

(C) restrict

(D) shutdown

2. As a recommended practice for Layer 2 security, how should VLAN 1 be treated?

(A) All access ports should be assigned to VLAN 1.

(B) All trunk ports should be assigned to VLAN 1.

(C) VLAN 1 should be used for management traffic.

(D) VLAN 1 should not be used.

3. What happens when the MAC address notification feature is enabled on a switch?

(A) An SDEE alert is generated, and the switch resets the interface when an invalid MAC address is detected.

(B) An STP multicast notification packet is forwarded to all switches any time a change in the network topology is detected.

(C) A port violation occurs when a MAC address outside of the range of allowed addresses transmits traffic over a secure port.

(D) An SNMP trap is sent to the network management system whenever a new MAC address is added to or an old address is deleted from the forwarding tables.

4. How is a reflector port used in an RSPAN configuration?

(A) It provides a dedicated connection for the IDS device.

(B) It allows an RSPAN session to be backward compatible with a SPAN session.

(C) It acts like a loopback interface in that it reflects the captured traffic to the RSPAN VLAN.

(D) It allows an IDS device to direct malicious traffic to it, isolating that traffic from other areas of the network.

5. Refer to the exhibit. Based on the output generated by the show monitor session 1 command, how will SPAN operate on the switch?

(A) All traffic transmitted from VLAN 10 or received on VLAN 20 is forwarded to FastEthernet 0/1.

(B) All traffic received on VLAN 10 or transmitted from VLAN 20 is forwarded to FastEthernet 0/1.

(C) Native VLAN traffic received on VLAN 10 or transmitted from VLAN 20 is forwarded to FastEthernet 0/1.

(D) Native VLAN traffic transmitted from VLAN 10 or received on VLAN 20 is forwarded to FastEthernet 0/1.

6. Which Cisco endpoint security product helps maintain network stability by providing posture assessment, quarantining of noncompliant systems, and remediation of noncompliant systems?

(A) Cisco Access Control Server

(B) Cisco Security Agent workstation

(C) Cisco Intrusion Prevention System router

(D) Cisco Network Admission Control appliance

7. Which two elements are part of the Cisco strategy for addressing endpoint security? (Choose two.)

(A) policy compliance using products such as Cisco NAC

(B) network infection monitoring using products such as Cisco Secure ACS

(C) threat protection using products such as Cisco Security Agent

(D) attack detection using products such as Cisco NAC

(E) risk assessment compliance using products such as Cisco Security Agent

8. With IP voice systems on data networks, which two types of attacks target VoIP specifically? (Choose two.)

(A) CoWPAtty

(B) Kismet

(C) SPIT

(D) virus

(E) vishing

9. Which three statements are true regarding SPAN and RSPAN? (Choose three.)

(A) SPAN can send a copy of traffic to a port on another switch.

(B) RSPAN is required for syslog and SNMP implementation.

(C) SPAN can be configured to send a copy of traffic to a destination port on the same switch.

(D) SPAN can copy traffic on a source port or source VLAN to a destination port on the same switch.

(E) RSPAN is required to copy traffic on a source VLAN to a destination port on the same switch.

(F) RSPAN can be used to forward traffic to reach an IDS that is analyzing traffic for malicious behavior.

10. How many Cisco Security Agent clients can one Management Center for CSA console support?

(A) 1,000

(B) 10,000

(C) 100,000

(D) 1,000,000

11. Which option best describes a MAC address spoofing attack?

(A) An attacker gains access to another host and masquerades as the rightful user of that device.

(B) An attacker alters the MAC address of his host to match another known MAC address of a target host.

(C) An attacker alters the MAC address of the switch to gain access to the network device from a rogue host device.

(D) An attacker floods the MAC address table of a switch so that the switch can no longer filter network access based on MAC addresses.

12. Which software tool can a hacker use to flood the MAC address table of a switch?

(A) macof

(B) Cisco SDM

(C) kiwi syslog server

(D) protocol analyzer

13. Which attack relies on the default automatic trunking configuration on most Cisco switches?

(A) LAN storm attack

(B) VLAN hopping attack

(C) STP manipulation attack

(D) MAC address spoofing attack

14. Which attack is mitigated by using port security?

(A) LAN storm

(B) VLAN hopping

(C) STP manipulation

(D) MAC address table overflow

15. Which two measures are recommended to mitigate VLAN hopping attacks? (Choose two.)

(A) Use a dedicated native VLAN for all trunk ports.

(B) Place all unused ports in a separate guest VLAN.

(C) Disable trunk negotiation on all ports connecting to workstations.

(D) Enable DTP on all trunk ports.

(E) Ensure that the native VLAN is used for management traffic.

16. Which three are SAN transport technologies? (Choose three.)

(A) Fibre Channel

(B) SATA

(C) iSCSI

(D) IP PBX

(E) FCIP

(F) IDE

17. Which technology is used to protect the switched infrastructure from problems caused by receiving BPDUs on ports that should not be receiving them?

(A) RSPAN

(B) PortFast

(C) Root guard

(D) Loop guard

(E) BPDU guard

18. If a switch is configured with the storm-control command and the action shutdown and action trap parameters, which two actions does the switch take when a storm occurs on a port? (Choose two.)

(A) The port is disabled.

(B) The switch is rebooted.

(C) An SNMP log message is sent.

(D) The port is placed in a blocking state.

(E) The switch forwards control traffic only.

19. An administrator wants to prevent a rogue Layer 2 device from intercepting traffic from multiple VLANs on a network. Which two actions help mitigate this type of activity? (Choose two.)

(A) Disable DTP on ports that require trunking.

(B) Place unused active ports in an unused VLAN.

(C) Secure the native VLAN, VLAN 1, with encryption.

(D) Set the native VLAN on the trunk ports to an unused VLAN.

(E) Turn off trunking on all trunk ports and manually configure each VLAN as required on each port.

20. Which three switch security commands are required to enable port security on a port so that it will dynamically learn a single MAC address and disable the port if a host with any other MAC address is connected? (Choose three.)

(A) switchport mode access

(B) switchport mode trunk

(C) switchport port-security

(D) switchport port-security maximum 2

(E) switchport port-security mac-address sticky

(F) switchport port-security mac-address mac-address

CCNA Security Chapter 5

1. What are two major drawbacks to using HIPS? (Choose two.)

(A) HIPS has difficulty constructing an accurate network picture or coordinating the events happening across the entire network.

(B) HIPS installations are vulnerable to fragmentation attacks or variable TTL attacks.

(C) With HIPS, the network administrator must verify support for all the different operating systems used in the network.

(D) If the network traffic stream is encrypted, HIPS is unable to access unencrypted forms of the traffic.

(E) With HIPS, the success or failure of an attack cannot be readily determined.

2. Why is a network that deploys only IDS particularly vulnerable to an atomic attack?

(A) The IDS must track the three-way handshake of established TCP connections.

(B) The IDS must track the three-way handshake of established UDP connections.

(C) The IDS permits malicious single packets into the network.

(D) The IDS requires significant router resources to maintain the event horizon.

(E) The stateful properties of atomic attacks usually require the IDS to have several pieces of data to match an attack signature.

3. Refer to the exhibit. What is the result of issuing the Cisco IOS IPS commands on router R1?

(A) A named ACL determines the traffic to be inspected.

(B) A numbered ACL is applied to S0/0/0 in the outbound direction.

(C) All traffic that is denied by the ACL is subject to inspection by the IPS.

(D) All traffic that is permitted by the ACL is subject to inspection by the IPS.

4. Which two files could be used to implement Cisco IOS IPS with version 5.x format signatures? (Choose two.)

(A) IOS-Sxxx-CLI.bin

(B) IOS-Sxxx-CLI.pkg

(C) IOS-Sxxx-CLI.sdf

(D) realm-cisco.priv.key.txt

(E) realm-cisco.pub.key.txt

5. What are two IPS configuration best practices that can help improve IPS efficiency in a network? (Choose two.)

(A) Configure all sensors to check the server for new signature packs at the same time to ensure that they are all synchronized.

(B) Configure the sensors to simultaneously check the FTP server for new signature packs.

(C) Ensure that signature levels that are supported on the management console are synchronized with the signature packs on the sensors.

(D) Update signature packs manually rather than automatically to maintain close control when setting up a large deployment of sensors.

(E) Place signature packs on a dedicated FTP server within the management network.

6. Which Cisco IOS configuration option instructs the IPS to compile a signature category named ios_ips into memory and use it to scan traffic?

(A) R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired false

(B) R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false

(C) R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# enabled true

(D) R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# enabled true

7. A network administrator tunes a signature to detect abnormal activity that might be malicious and likely to be an immediate threat. What is the perceived severity of the signature?

(A) high

(B) medium

(C) low

(D) informational

8. When editing IPS signatures with SDM, which action drops all future packets from a TCP flow?

(A) Deny Packet Inline

(B) Deny TCP Connection

(C) Deny Attacker Inline

(D) Deny Connection Inline

9. Which two benefits does the IPS version 5.x signature format provide over the version 4.x signature format? (Choose two.)

(A) addition of signature micro engines

(B) support for IPX and AppleTalk protocols

(C) addition of a signature risk rating

(D) support for comma-delimited data import

(E) support for encrypted signature parameters

10. Which type of intrusion detection triggers an action if excessive activity occurs beyond a specified threshold of normal activity?

(A) pattern-based detection

(B) anomaly-based detection

(C) policy-based detection

(D) honey pot-based detection

11. Refer to the exhibit. Which option tab on the SDM IPS screen is used to view the Top Threats table and deploy signatures associated with those threats?

(A) Create IPS

(B) Edit IPS

(C) Security Dashboard

(D) IPS Migration

12. Which two statements characterize a network-based IPS implementation? (Choose two.)

(A) It makes hosts visible to attackers.

(B) It is unable to examine encrypted traffic.

(C) It monitors to see if an attack was successful.

(D) It provides application-level encryption protection.

(E) It is independent of the operating system on hosts.

13. An IPS sensor has detected the string confidential across multiple packets in a TCP session. Which type of signature trigger and signature type does this describe?

(A) Trigger: Anomaly-based detection
Type: Atomic signature

(B) Trigger: Anomaly-based detection
Type: Composite signature

(C) Trigger: Pattern-based detection
Type: Atomic signature

(D) Trigger: Pattern-based detection
Type: Composite signature

(E) Trigger: Policy-based detection
Type: Atomic signature

(F) Trigger: Policy-based detection
Type: Composite signature

14. Which type of IPS signature detection is used to distract and confuse attackers?

(A) pattern-based detection

(B) anomaly-based detection

(C) policy-based detection

(D) honey pot-based detection

15. Which two Cisco IOS commands are required to enable IPS SDEE message logging? (Choose two.)

(A) logging on

(B) ip ips notify log

(C) ip http server

(D) ip ips notify sdee

(E) ip sdee events 500

16. Refer to the exhibit. What is the significance of the number 10 in the signature 6130 10 command?

(A) It is the alert severity.

(B) It is the signature number.

(C) It is the signature version.

(D) It is the subsignature ID.

(E) It is the signature fidelity rating.

17. Refer to the exhibit. When modifying an IPS signature action, which two check boxes should be selected to create an ACL that denies all traffic from the IP address that is considered the source of the attack and drops the packet and all future packets from the TCP flow? (Choose two.)

(A) Deny Attacker Inline

(B) Deny Connection Inline

(C) Deny Packet Inline

(D) Produce Alert

(E) Reset TCP Connection

18. Refer to the exhibit. What is the significance of the small red flag waving in the Windows system tray?

(A) Cisco Security Agent is installed but inactive.

(B) Network-based IPS is active and has detected a potential security problem.

(C) Cisco Security Agent is active and has detected a potential security problem.

(D) A network-based IPS sensor has pushed an alert to a host running Cisco Security Agent.

19. Refer to the exhibit. A user was installing a Flash Player upgrade when the CSA displayed the dialog box shown. Which default action is taken by CSA if the user does not respond within 4 minutes and 20 seconds?

(A) The action is allowed, and a log entry is recorded.

(B) The action is allowed, and CSA does not prompt the user again.

(C) The action is denied, and a log entry is recorded.

(D) The action is denied, and the FlashPlayerUpdate.exe application is terminated.

20. Which type of intrusion prevention technology is primarily used by Cisco IPS security appliances?

(A) rule-based

(B) profile-based

(C) signature-based

(D) NetFlow anomaly-based

(E) protocol analysis-based

CCNA Security Chapter 4

1. When logging is enabled for an ACL entry, how does the router switch packets filtered by the ACL?

(A) topology-based switching

(B) autonomous switching

(C) process switching

(D) optimum switching

2. Which two are characteristics of ACLs? (Choose two.)

(A) Extended ACLs can filter on destination TCP and UDP ports.

(B) Standard ACLs can filter on source TCP and UDP ports.

(C) Extended ACLs can filter on source and destination IP addresses.

(D) Standard ACLs can filter on source and destination IP addresses.

(E) Standard ACLs can filter on source and destination TCP and UDP ports.

3. Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.)

(A) SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.

(B) Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.

(C) SSH connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.

(D) Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.

(E) SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.

(F) Telnet connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.

4. Which location is recommended for extended numbered or extended named ACLs?

(A) a location as close to the destination of traffic as possible

(B) a location as close to the source of traffic as possible

(C) a location centered between traffic destinations and sources to filter as much traffic as possible

(D) if using the established keyword, a location close to the destination to ensure that return traffic is allowed

5. Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model?

(A) Both stateful and packet-filtering firewalls can filter at the application layer.

(B) A stateful firewall can filter application layer information, while a packet-filtering firewall cannot filter beyond the network layer.

(C) A packet-filtering firewall typically can filter up to the transport layer, while a stateful firewall can filter up to the session layer.

(D) A packet-filtering firewall uses session layer information to track the state of a connection, while a stateful firewall uses application layer information to track the state of a connection.

6. Which statement correctly describes a type of filtering firewall?

(A) A transparent firewall is typically implemented on a PC or server with firewall software running on it.

(B) A packet-filtering firewall expands the number of IP addresses available and hides network addressing design.

(C) An application gateway firewall (proxy firewall) is typically implemented on a router to filter Layer 3 and Layer 4 information.

(D) A stateful firewall monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.

7. For a stateful firewall, which information is stored in the stateful session flow table?

(A) TCP control header and trailer information associated with a particular session

(B) TCP SYN packets and the associated return ACK packets

(C) inside private IP address and the translated inside global IP address

(D) outbound and inbound access rules (ACL entries)

(E) source and destination IP addresses, and port numbers and sequencing information associated with a particular session

8. A router has CBAC configured and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?

(A) A dynamic ACL entry is added to the external interface in the inbound direction.

(B) The internal interface ACL is reconfigured to allow the host IP address access to the Internet.

(C) The entry remains in the state table after the session is terminated so that it can be reused by the host.

(D) When traffic returns from its destination, it is reinspected, and a new entry is added to the state table.

9. Which two parameters are tracked by CBAC for TCP traffic but not for UDP traffic? (Choose two.)

(A) source port

(B) protocol ID

(C) sequence number

(D) destination port

(E) SYN and ACK flags

10. Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?

(A) The packet is forwarded, and an alert is generated.

(B) The packet is forwarded, and no alert is generated.

(C) The initial packet is dropped, but subsequent packets are forwarded.

(D) The packet is dropped.

11. Which statement accurately describes Cisco IOS zone-based policy firewall operation?

(A) The pass action works in only one direction.

(B) A router interface can belong to multiple zones.

(C) Service policies are applied in interface configuration mode.

(D) Router management interfaces must be manually assigned to the self zone.

12. When configuring a Cisco IOS zone-based policy firewall, which three actions can be applied to a traffic class? (Choose three.)

(A) drop

(B) inspect

(C) pass

(D) reroute

(E) queue

(F) shape

13. Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router?

(A) self zone

(B) system zone

(C) local zone

(D) inside zone

(E) outside zone

14. Which three actions can a Cisco IOS zone-based policy firewall take if configured with Cisco SDM? (Choose three.)

(A) inspect

(B) evaluate

(C) drop

(D) analyze

(E) pass

(F) forward

15. Refer to the exhibit. Based on the SDM screen shown, which statement describes the zone-based firewall component being configured?

(A) a class map that inspects all traffic that uses the HTTP, IM, P2P, and email protocols

(B) a class map that prioritizes traffic that uses HTTP first, followed by SMTP, and then DNS

(C) a class map that denies all traffic that uses the HTTP, SMTP, and DNS protocols

(D) a class map that inspects all traffic that uses the HTTP, SMTP, and DNS protocols

(E) a class map that inspects all traffic, except traffic that uses the HTTP, SMTP, and DNS protocols

16. Refer to the exhibit. Based on the SDM screen shown, which two statements describe the effect this zone-based policy firewall has on traffic? (Choose two.)

(A) HTTP traffic from the in-zone to the out-zone is inspected.

(B) Unmatched traffic to the router from the out-zone is permitted.

(C) ICMP replies from the router to the out-zone are denied.

(D) Traffic from the in-zone to the out-zone is denied if the source address is in the 127.0.0.0/8 range.

(E) Traffic from the in-zone to the out-zone is denied if the destination address is in the 10.1.1.0/29 range.

17. Which type of packet is unable to be filtered by an outbound ACL?

(A) ICMP packet

(B) broadcast packet

(C) multicast packet

(D) router-generated packet

18. Which type of packets exiting the network of an organization should be blocked by an ACL?

(A) packets that are not encrypted

(B) packets that are not translated with NAT

(C) packets with source IP addresses outside of the organization’s network address space

(D) packets with destination IP addresses outside of the organization’s network address space

19. When using Cisco IOS zone-based policy firewall, where is the inspection policy applied?

(A) a global service policy

(B) an interface

(C) a zone

(D) a zone pair

20. Refer to the exhibit. In a two-interface CBAC implementation, where should ACLs be applied?

(A) inside interface

(B) outside interface

(C) inside and outside interfaces

(D) no interfaces

21. What is the first step in configuring a Cisco IOS zone-based policy firewall using the CLI?

(A) Create zones.

(B) Define traffic classes.

(C) Define firewall policies.

(D) Assign policy maps to zone pairs.

(E) Assign router interfaces to zones.

CCNA Security Chapter 3

1. Why is local database authentication preferred over a password-only login?

(A) It specifies a different password for each line or port.

(B) It provides for authentication and accountability.

(C) It requires a login and password combination on console, vty lines, and aux ports.

(D) It is more efficient for users who only need to enter a password to gain entry to a device.

2. In regards to Cisco Secure ACS, what is a client device?

(A) a web server, email server, or FTP server

(B) the computer used by a network administrator

(C) network users who must access privileged EXEC commands

(D) a router, switch, firewall, or VPN concentrator

3. When configuring a Cisco Secure ACS, how is the configuration interface accessed?

(A) A Web browser is used to configure a Cisco Secure ACS.

(B) The Cisco Secure ACS can be accessed from the router console.

(C) Telnet can be used to configure a Cisco Secure ACS server after an initial configuration is complete.

(D) The Cisco Secure ACS can be accessed remotely after installing ACS client software on the administrator workstation.

4. What is a difference between using the login local command and using local AAA authentication for authenticating administrator access?

(A) Local AAA authentication supports encrypted passwords; login local does not.

(B) Local AAA provides a way to configure backup methods of authentication; login local does not.

(C) A method list must be configured when using the login local command, but is optional when using local AAA authentication.

(D) The login local command supports the keyword none, which ensures that authentication succeeds, even if all methods return an error.

5. What is a characteristic of AAA?

(A) Authorization can only be implemented after a user is authenticated.

(B) Accounting services are implemented prior to authenticating a user.

(C) Accounting services determine which resources the user can access and which operations the user is allowed to perform.

(D) Authorization records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made.

6. Due to implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?

(A) Accessibility

(B) Accounting

(C) Auditing

(D) Authentication

(E) Authorization

7. Which two AAA access method statements are true? (Choose two.)

(A) Character mode provides remote users with access to network resources and requires use of the console, vty, or tty ports.

(B) Character mode provides remote users with access to network resources and requires use of dialup or VPN.

(C) Character mode provides users with administrative privilege EXEC access and requires use of the console, vty, or tty ports.

(D) Packet mode provides users with administrative privilege EXEC access and requires use of dialup or VPN.

(E) Packet mode provides remote users with access to network resources and requires use of dialup or VPN.

(F) Packet mode provides users with administrative privilege EXEC access and requires use of the console, vty, or tty ports.

8. What is a characteristic of TACACS+?

(A) TACACS+ is an open IETF standard.

(B) TACACS+ is backward compatible with TACACS and XTACACS.

(C) TACACS+ provides authorization of router commands on a per-user or per-group basis.

(D) TACACS+ uses UDP port 1645 or 1812 for authentication, and UDP port 1646 or 1813 for accounting.

9. Which two statements describe AAA authentication? (Choose two.)

(A) Server-based AAA authentication is more scalable than local AAA authentication.

(B) Local AAA is ideal for large complex networks because it uses the local database of the router for authentication.

(C) Server-based AAA authentication can use the RADIUS or TACACS+ protocols to communicate between the router and a AAA server.

(D) Server-based AAA authentication is ideal for large complex networks because it uses the local database of the router for authentication.

(E) Local AAA authentication requires the services of an external server, such as the Cisco Secure ACS for Windows Server.

10. Refer to the exhibit. Router R1 has been configured as shown, with the resulting log message. On the basis of the information presented, which two AAA authentication statements are true? (Choose two.)

(A) The locked-out user failed authentication.

(B) The locked-out user is locked out for 10 minutes by default.

(C) The locked-out user should have used the username Admin and password Pa55w0rd.

(D) The locked-out user should have used the username admin and password Str0ngPa55w0rd.

(E) The locked-out user stays locked out until the clear aaa local user lockout Admin command is issued.

11. Refer to the exhibit. Router R1 is configured as shown. An administrative user attempts to use Telnet from router R2 to router R1 using the interface IP address 10.10.10.1. However, Telnet access is denied. Which option corrects this problem?

(A) The R1 10.10.10.1 router interface must be enabled.

(B) The vty lines must be configured with the login authentication default command.

(C) The aaa local authentication attempts max-fail command must be set to 2 or higher.

(D) The administrative user should use the username Admin and password Str0ngPa55w0rd.

12. Refer to the exhibit. Which AAA command must be configured to allow authenticated users administrative access to commands such as configure terminal?

(A) aaa authorization exec default group radius

(B) aaa authorization exec default group tacacs+

(C) aaa accounting network default start-stop

(D) aaa accounting exec default start-stop

13. Refer to the exhibit. In the network shown, which AAA command logs the use of EXEC session commands?

(A) aaa accounting connection start-stop group radius

(B) aaa accounting connection start-stop group tacacs+

(C) aaa accounting exec start-stop group radius

(D) aaa accounting exec start-stop group tacacs+

(E) aaa accounting network start-stop group radius

(F) aaa accounting network start-stop group tacacs+

14. When configuring a method list for AAA authentication, what is the effect of the keyword local?

(A) It accepts a locally configured username, regardless of case.

(B) It defaults to the vty line password for authentication.

(C) The login succeeds, even if all methods return an error.

(D) It uses the enable password for authentication.

15. What is the result if an administrator configures the aaa authorization command prior to creating a user with full access rights?

(A) The administrator is immediately locked out of the system.

(B) The administrator is denied all access except to aaa authorization commands.

(C) The administrator is allowed full access using the enable secret password.

(D) The administrator is allowed full access until a router reboot, which is required to apply changes.

16. Which statement identifies an important difference between TACACS+ and RADIUS?

(A) TACACS+ provides extensive accounting capabilities when compared to RADIUS.

(B) The RADIUS protocol encrypts the entire packet transmission.

(C) The TACACS+ protocol allows for separation of authentication from authorization.

(D) RADIUS can cause delays by establishing a new TCP session for each authorization request.

17. Which feature of AAA allows an administrator to track individuals who access network resources, when those resources are accessed, and any changes that are made?

(A) Accounting

(B) Authorization

(C) Accessibility

(D) Authentication

18. Which AAA protocol and feature best support a large ISP that needs to implement detailed accounting for customer invoicing?

(A) TACACS+ because it combines authentication and authorization, but separates accounting

(B) RADIUS because it supports detailed accounting that is required for billing users

(C) TACACS+ because it requires select authorization policies to be applied on a per-user or per-group basis

(D) RADIUS because it requires select authorization policies to be applied on a per-user or per-group basis

19. Refer to the exhibit. Which Cisco Secure ACS menu is required to configure the IP address and secure password of an AAA client?

(A) User Setup

(B) Group Setup

(C) Network Configuration

(D) System Configuration

(E) Interface Configuration

(F) Administration Control

20. Which aaa accounting command enables logging of both the start and stop records for vty sessions on the router?

(A) aaa accounting commands 15 start-stop group tacacs+

(B) aaa accounting connection start-stop group tacacs+

(C) aaa accounting exec start-stop group tacacs+

(D) aaa accounting network start-stop group tacacs+

(E) aaa accounting system start-stop tacacs+


Cisco CCNA Security, chapter 2

CCNA Security Chapter 1

1. A disgruntled employee is using Wireshark to discover administrative Telnet usernames and passwords. What type of network attack does this describe?

(A) Denial of Service

(B) Port redirection

(C) Reconnaissance

(D) Trust exploitation

2. Which two are characteristics of DoS attacks? (Choose two.)

(A) They always precede access attacks.

(B) They attempt to compromise the availability of a network, host, or application.

(C) They are difficult to conduct and are initiated only by very skilled attackers.

(D) They are commonly launched with a tool called L0phtCrack.

(E) Examples include smurf attacks and ping of death attacks.

3. Which two statements describe access attacks? (Choose two.)

(A) Port redirection attacks use a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.

(B) Password attacks can be implemented using brute-force attack methods, Trojan Horses, or packet sniffers.

(C) Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or exploit systems to execute malicious code.

(D) Port scanning attacks scan a range of TCP or UDP port numbers on a host to detect listening services.

(E) Trust exploitation attacks can use a laptop acting as a rogue access point to capture and copy all network traffic in a public location on a wireless hotspot.

4. Which two statements are characteristics of a virus? (Choose two.)

(A) A virus typically requires end-user activation.

(B) A virus has an enabling vulnerability, a propagation mechanism, and a payload.

(C) A virus replicates itself by independently exploiting vulnerabilities in networks.

(D) A virus provides the attacker with sensitive data, such as passwords.

(E) A virus can be dormant and then activate at a specific time or date.

5. Which phase of worm mitigation involves terminating the worm process, removing modified files or system settings that the worm introduced, and patching the vulnerability that the worm used to exploit the system?

(A) Containment

(B) Inoculation

(C) Quarantine

(D) Treatment

6. What is a characteristic of a Trojan Horse?

(A) A Trojan Horse can be carried in a virus or worm.

(B) A proxy Trojan Horse opens port 21 on the target system.

(C) An FTP Trojan Horse stops anti-virus programs or firewalls from functioning.

(D) A Trojan Horse can be hard to detect because it closes when the application that launched it closes.

7. Which phase of worm mitigation requires compartmentalization and segmentation of the network to slow down or stop the worm and prevent currently infected hosts from targeting and infecting other systems?

(A) Containment phase

(B) Inoculation phase

(C) Quarantine phase

(D) Treatment phase

8. What are three goals of a port scan attack? (Choose three.)

(A) Disable used ports and services

(B) Determine potential vulnerabilities

(C) Identify active services

(D) Identify peripheral configurations

(E) Identify operating systems

(F) Discover system passwords

9. What are three types of access attacks? (Choose three.)

(A) Buffer overflow

(B) Ping sweep

(C) Port redirection

(D) Trust exploitation

(E) Port scan

(F) Internet information query

10. Which type of security threat can be described as software that attaches to another program to execute a specific unwanted function?

(A) Virus

(B) Worm

(C) Proxy Trojan horse

(D) Denial of Service Trojan horse

11. An attacker is using a laptop as a rogue access point to capture all network traffic from a targeted user. Which type of attack is this?

(A) Trust exploitation

(B) Buffer overflow

(C) Man in the middle

(D) Port redirection

12. Which type of software typically uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN?

(A) Port scanner

(B) Ping sweeper

(C) Packet sniffer

(D) Internet information query

13. Which characteristic best describes the network security Compliance domain as specified by the ISO/IEC?

(A) The integration of security into applications

(B) An inventory and classification scheme for information assets

(C) The restriction of access rights to networks, systems, applications, functions, and data

(D) The process of ensuring conformance with security information policies, standards, and regulations

14. Which statement describes phone freaking?

(A) A hacker uses password-cracking programs to gain access to a computer via a dialup account.

(B) A hacker gains unauthorized access to networks via wireless access points.

(C) A hacker mimics a tone using a whistle to make free long-distance calls on an analog telephone network.

(D) A hacker uses a program that automatically scans telephone numbers within a local area, dialing each one in search of computers, bulletin board systems, and fax machines.

15. What are the three major components of a worm attack? (Choose three.)

(A) Enabling vulnerability

(B) Infecting vulnerability

(C) Payload

(D) Penetration mechanism

(E) Probing mechanism

(F) Propagation mechanism

16. What occurs during the persist phase of a worm attack?

(A) Identification of vulnerable targets

(B) Modification of system files and registry settings to ensure that the attack code is running

(C) Transfer of exploit code through an attack vector

(D) Extension of the attack to vulnerable neighboring targets

17. Which technology is an example of a host-based intrusion prevention system?

(A) MARS

(B) NAC

(C) CSA

(D) VPN

18. How is a Smurf attack conducted?

(A) By sending a large number of packets, overflowing the allocated buffer memory of the target device

(B) By sending an echo request in an IP packet larger than the maximum packet size of 65,535 bytes

(C) By sending a large number of ICMP requests to directed broadcast addresses from a spoofed source address on the same network

(D) By sending a large number of TCP SYN packets to a target device from a spoofed source address

19. What is a ping sweep?

(A) A ping sweep is a network scanning technique that indicates the live hosts in a range of IP addresses.

(B) A ping sweep is a software application that enables the capture of all network packets sent across a LAN.

(C) A ping sweep is a scanning technique that examines a range of TCP or UDP port numbers on a host to detect listening services.

(D) A ping sweep is a query and response protocol that identifies information about a domain, including the addresses assigned to that domain.

20. What occurs during a spoofing attack?

(A) One device falsifies data to gain access to privileged information.

(B) Large amounts of network traffic are sent to a target device to make resources unavailable to intended users.

(C) Improperly formatted packets are forwarded to a target device to cause the target system to crash.

(D) A program writes data beyond the allocated memory to enable the execution of malicious code.

All answers are 100% correct!

1
What are the basic phases of attack that can be used by a virus or worm in sequential order?

paralyze, probe, penetrate, persist, and propagate

probe, penetrate, persist, propagate, and paralyze

penetrate, persist, propagate, paralyze, and probe

persist, propagate, paralyze, probe, and penetrate

2
Which two are characteristics of DoS attacks? (Choose two.)

They always precede access attacks.

They attempt to compromise the availability of a network, host, or application.

They are difficult to conduct and are initiated only by very skilled attackers.

They are commonly launched with a tool called L0phtCrack.

Examples include smurf attacks and ping of death attacks.

3
Users report to the helpdesk that icons usually seen on the menu bar are randomly appearing on their computer screens. What could be a reason that computers are displaying these random graphics?

An access attack has occurred.

A virus has infected the computers.

A DoS attack has been launched against the network.

The computers are subject to a reconnaissance attack.

4
What are three types of access attacks? (Choose three.)

buffer overflow

ping sweep

port redirection

trust exploitation

port scan

Internet information query

5
What occurs during a spoofing attack?

One device falsifies data to gain access to privileged information.

Large amounts of network traffic are sent to a target device to make resources unavailable to intended users.

Improperly formatted packets are forwarded to a target device to cause the target system to crash.

A program writes data beyond the allocated memory to enable the execution of malicious code.

6
What is a characteristic of a Trojan Horse?

A Trojan Horse can be carried in a virus or worm.

A proxy Trojan Horse opens port 21 on the target system.

An FTP Trojan Horse stops anti-virus programs or firewalls from functioning.

A Trojan Horse can be hard to detect because it closes when the application that launched it closes.

7
Which phase of worm mitigation requires compartmentalization and segmentation of the network to slow down or stop the worm and prevent currently infected hosts from targeting and infecting other systems?

containment phase

inoculation phase

quarantine phase

treatment phase

8
Which two statements are characteristics of a virus? (Choose two.)

A virus typically requires end-user activation.

A virus has an enabling vulnerability, a propagation mechanism, and a payload.

A virus replicates itself by independently exploiting vulnerabilities in networks.

A virus provides the attacker with sensitive data, such as passwords.

A virus can be dormant and then activate at a specific time or date.

9
What is a ping sweep?

A ping sweep is a network scanning technique that indicates the live hosts in a range of IP addresses.

A ping sweep is a software application that enables the capture of all network packets sent across a LAN.

A ping sweep is a scanning technique that examines a range of TCP or UDP port numbers on a host to detect listening services.

A ping sweep is a query and response protocol that identifies information about a domain, including the addresses assigned to that domain.

10
Which type of security threat can be described as software that attaches to another program to execute a specific unwanted function?

virus

worm

proxy Trojan horse

Denial of Service Trojan horse

11
A disgruntled employee is using Wireshark to discover administrative Telnet usernames and passwords. What type of network attack does this describe?

Denial of Service

port redirection

reconnaissance

trust exploitation

12
What occurs during the persist phase of a worm attack?

identification of vulnerable targets

modification of system files and registry settings to ensure that the attack code is running

transfer of exploit code through an attack vector

extension of the attack to vulnerable neighboring targets

13
What are the three major components of a worm attack? (Choose three.)

enabling vulnerability

infecting vulnerability

payload

penetration mechanism

probing mechanism

propagation mechanism

14
A network administrator detects unknown sessions involving port 21 on the network. What could be causing this security breach?

An FTP Trojan Horse is executing.

A reconnaissance attack is occurring.

A denial of service attack is occurring.

Cisco Security Agent is testing the network.

15
What are three goals of a port scan attack? (Choose three.)

disable used ports and services

determine potential vulnerabilities

identify active services

identify peripheral configurations

identify operating systems

discover system passwords

16
How is a Smurf attack conducted?

by sending a large number of packets, overflowing the allocated buffer memory of the target device

by sending an echo request in an IP packet larger than the maximum packet size of 65,535 bytes

by sending a large number of ICMP requests to directed broadcast addresses from a spoofed source address on the same network

by sending a large number of TCP SYN packets to a target device from a spoofed source address

17
Which access attack method involves a software program attempting to discover a system password by using an electronic dictionary?

buffer overflow attack

port redirection attack

Denial of Service attack

brute-force attack

IP spoofing attack

packet sniffer attack

18
Which two network security solutions can be used to mitigate DoS attacks? (Choose two.)

virus scanning

data encryption

anti-spoofing technologies

intrusion protection systems

applying user authentication

19
Which phase of worm mitigation involves terminating the worm process, removing modified files or system settings that the worm introduced, and patching the vulnerability that the worm used to exploit the system?

containment

inoculation

quarantine

treatment

20
Which characteristic best describes the network security Compliance domain as specified by the ISO/IEC?

the integration of security into applications

an inventory and classification scheme for information assets

the restriction of access rights to networks, systems, applications, functions, and data

the process of ensuring conformance with security information policies, standards, and regulations

21
Which statement describes phone freaking?

A hacker uses password-cracking programs to gain access to a computer via a dialup account.

A hacker gains unauthorized access to networks via wireless access points.

A hacker mimics a tone using a whistle to make free long-distance calls on an analog telephone network.

A hacker uses a program that automatically scans telephone numbers within a local area, dialing each one in search of computers, bulletin board systems, and fax machines.

22
Which two statements describe access attacks? (Choose two.)

Port redirection attacks use a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.

Password attacks can be implemented using brute-force attack methods, Trojan Horses, or packet sniffers.

Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or exploit systems to execute malicious code.

Port scanning attacks scan a range of TCP or UDP port numbers on a host to detect listening services.

Trust exploitation attacks can use a laptop acting as a rogue access point to capture and copy all network traffic in a public location on a wireless hotspot.
