Tuesday, July 7, 2015

CCNA Security 640-553 - Quiz

Understanding Network Security Principles  

1. Where do most attacks on an organization’s computer resources originate?
a. From the Internet
b. From the inside network
c. From universities
d. From intruders who gain physical access to the computer resources

2. What are the three primary goals of network security? (Choose three.)
a. Confidentiality
b. Redundancy
c. Integrity
d. Availability

3. The U.S. government places classified data into which classes? (Choose three.)
a. SBU
b. Confidential
c. Secret
d. Top-secret

4. Cisco defines three categories of security controls: administrative, physical, and
technical. Individual controls within these categories can be further classified as what
three specific types of controls? (Choose three.)
a. Preventive
b. Deterrent
c. Detective
d. Reactive

5. Litigators typically require which three of the following elements to present an
effective argument when prosecuting information security violations? (Choose three.)
a. Audit trail
b. Motive
c. Means
d. Opportunity

6. Which type of law typically involves the enforcement of regulations by government
a. Criminal law
b. Tort law
c. Administrative law
d. Civil law

7. Which of the following is a weakness in an information system that an attacker might
leverage to gain unauthorized access to the system or data on the system?
a. Risk
b. Exploit
c. Mitigation
d. Vulnerability

8. What type of hacker attempts to hack telephony systems?
a. Script kiddy
b. Hacktivist
c. Phreaker
d. White hat hacker

9. Which of the following is a method of gaining access to a system that bypasses normal
security measures?
a. Creating a back door
b. Launching a DoS attack
c. Starting a Smurf attack
d. Conducting social engineering

10. What security design philosophy uses a layered approach to eliminate single points of
failure and provide overlapping protection?
b. Defense in Depth

11. What are two types of IP spoofing attacks? (Choose two.)
a. Nonblind spoofing
b. Promiscuous spoofing
c. Autonomous spoofing
d. Blind spoofing

12. What term refers to the electromagnetic interference (EMI) that can radiate from
network cables?
a. Doppler waves
b. Emanations
c. Gaussian distributions
d. Multimode distortion

13. What kind of integrity attack is a collection of small attacks that result in a larger attack
when combined?
a. Data diddling
b. Botnet attack
c. Hijacking a session
d. Salami attack

14. Which of the following best describes a Smurf attack?
a. It sends ping requests to a subnet, requesting that devices on that subnet send
ping replies to a target system.
b. It sends ping requests in segments of an invalid size.
c. It intercepts the third step in a TCP three-way handshake to hijack a session.
d. It uses Trojan horse applications to create a distributed collection of “zombie”
computers, which can be used to launch a coordinated DDoS attack.

15. Which of the following are Cisco best-practice recommendations for securing a
network? (Choose three.)
a. Deploy HIPS software on all end-user workstations.
b. Routinely apply patches to operating systems and applications.
c. Disable unneeded services and ports on hosts.
d. Require strong passwords, and enable password expiration.

Developing a Secure Network
1. What are the five phases of the System Development Life Cycle (SDLC)? (Choose
a. Termination
b. Operations and maintenance
c. Acquisition and development
d. Initiation
e. Implementation
f. Execution
g. Disposition

2. Which of the following attempts to ensure that no one employee becomes a pervasive
security threat, that data can be recovered from backups, and that information system
changes do not compromise a system’s security?
a. Strategic security planning
b. Implementation security
c. Disaster recovery
d. Operations security

3. Which three of the following are network evaluation techniques? (Choose three.)
a. Using Cisco SDM to perform a network posture validation
b. Scanning a network for active IP addresses and open ports on those IP addresses
c. Performing end-user training on the use of antispyware software
d. Using password-cracking utilities
e. Performing virus scans

4. What are three phases of disaster recovery? (Choose three.)
a. Emergency response phase
b. Return to normal operations phase
c. Threat isolation phase
d. Recovery phase

5. Which of the following is a continually changing document that dictates a set of
guidelines for network use?
a. Security policy
b. Best-practice recommendations
c. Identity-based networking policy
d. Acceptable-use executive summary

6. Which security policy component contains mandatory practices (as opposed to
recommendations or step-by-step instructions)?
a. Guidelines
b. Standards
c. Procedures
d. Tenets

7. Which three individuals are the most likely to be intimately involved with the creation
of a security policy? (Choose three.)
a. Chief Security Officer (CSO)
b. Chief Executive Officer (CEO)
c. Chief Information Officer (CIO)
d. Chief Information Security Officer (CISO)

8. The following formula can be used to calculate annualized loss expectancy:
Which component of the formula represents the percentage of loss of an asset that is
experienced if an anticipated threat occurs?
a. ALE
b. AV
c. EF
d. ARO

9. All of the following are common elements of a network design. Which one is the most
a. Business needs
b. Risk analysis
c. Security policy
d. Best practices
e. Security operations
f. They are all equally important

10. Which of the following makes the end-user community conscious of security issues
without necessarily giving any in-depth procedural instruction?
a. Education
b. Training
c. Awareness
d. Remediation

11. What type of threat combines worm, virus, and Trojan horse characteristics?
a. Heuristic threat
b. Blended threat
c. Morphing threat
d. Integrated threat

12. What are the three core characteristics of a Cisco Self-Defending Network? (Choose
a. Integrated
b. Collaborative
c. Autonomous
d. Adaptive

13. Which of the following offers a variety of security solutions, including firewall, IPS,
VPN, antispyware, antivirus, and antiphishing features?
a. Cisco IOS router
b. Cisco ASA 5500 series security appliance
c. Cisco PIX 500 series security appliance
d. Cisco 4200 series IPS appliance

Defending the Perimeter
1. Which of the following are considered IOS security features? (Choose four.)
a. Stateful firewall
c. IPS
d. VRF-aware firewall
e. VPN
f. ACS

2. Some ISRs include a USB port, into which a flash drive can connect. What are three
common uses for the flash drive? (Choose three.)
a. Storing configuration files
b. Storing a digital certificate
c. Storing a copy of the IOS image
d. Storing a username/password database

3. The enable secret password appears as an MD5 hash in a router’s configuration file,
whereas the enable password is not hashed (and is not even obfuscated unless the
password-encryption service is enabled). Why does Cisco still support the use of both
enable secret and enable passwords in a router’s configuration?
a. Because the enable secret password is a hash, it cannot be decrypted. Therefore,
the enable password is used to match the password that was entered, and the
enable secret is used to verify that the enable password has not been modified
since the hash was generated.
b. The enable password is used for IKE Phase I, whereas the enable secret password
is used for IKE Phase II.
c. The enable password is considered to be a router’s public key, whereas the enable
secret password is considered to be a router’s private key.
d. The enable password is present for backward compatibility.
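Added example for question 3 (not code from the original page or from Cisco): the "password-encryption service" mentioned in the question applies the IOS type 7 scheme, which is a reversible XOR against a fixed, publicly known key string, not a hash. The script below decodes and re-encodes type 7 strings and walks a constructed running-config excerpt to recover every type 7 password it finds; the type 5 `enable secret` line is deliberately skipped because it is a salted MD5 hash and cannot be reversed this way. The key constant is the well-known one used by IOS; the configuration text and passwords are constructed for the example.

```python
# Added example: Cisco IOS "type 7" obfuscation, the scheme that
# `service password-encryption` applies to `enable password` and line
# passwords. Not from the original page or from Cisco's code. TYPE7_KEY is
# the well-known constant the IOS scheme uses.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the clear text from a type 7 string such as '104D000A0618'.

    The first two characters are a decimal offset into TYPE7_KEY; each
    following hex pair is one password byte XORed with the next key byte.
    """
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    clear = bytes(
        b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data)
    )
    return clear.decode("ascii")


def type7_encode(password: str, offset: int = 10) -> str:
    """Produce the type 7 form IOS would store (offset is the two-digit seed)."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses seed values 0..15")
    out = bytes(
        b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
        for i, b in enumerate(password.encode("ascii"))
    )
    return f"{offset:02d}{out.hex().upper()}"


def decode_config(config_text: str) -> dict:
    """Walk configuration lines and recover every type 7 password found.

    Returns {config line: clear text}. Type 5 (enable secret) lines are
    skipped: they are salted MD5 hashes, not reversible encodings.
    """
    found = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[-2] == "7":
            found[line.strip()] = type7_decode(tokens[-1])
    return found


# Constructed sample of a router configuration (not taken from a real device).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 104D000A0618
line vty 0 4
 password 7 070C285F4D06
"""

if __name__ == "__main__":
    for line, clear in decode_config(SAMPLE_CONFIG).items():
        print(f"{line!r:40} -> {clear!r}")
```

Because any two-digit seed and the fixed key are all an attacker needs, a type 7 string in a leaked configuration is equivalent to the clear-text password; that is the practical reason `enable secret` should always be set and why answer d (backward compatibility) is the only defensible reason the weaker form still exists.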

4. What is an IOS router’s default response to multiple failed login attempts after the
security authentication failure command has been issued?
a. The login process is suspended for 10 seconds after 15 unsuccessful login attempts.
b. The login process is suspended for 15 seconds after 10 unsuccessful login attempts.
c. The login process is suspended for 30 seconds after 10 unsuccessful login attempts.
d. The login process is suspended for 10 seconds after 30 unsuccessful login attempts.

5. What line configuration mode command would you enter to prevent a line (such as a
console, aux, or vty line) connection from timing out because of inactivity?
a. no service timeout
b. timeout-line none
c. exec-timeout 0 0
d. service timeout default

6. An IOS router’s privileged mode, which you can access by entering the enable
command followed by the appropriate password, has which privilege level?
a. 0
b. 1
c. 15
d. 16

7. How is a CLI view different from a privilege level?
a. A CLI view supports only commands configured for that specific view, whereas a
privilege level supports commands available to that level and all the lower levels.
b. A CLI view can function without a AAA configuration, whereas a privilege level
requires AAA to be configured.
c. A CLI view supports only monitoring commands, whereas a privilege level
allows a user to make changes to an IOS configuration.
d. A CLI view and a privilege level perform the same function. However, a CLI
view is used on a Catalyst switch, whereas a privilege level is used on an IOS

8. To protect a router’s image and configuration against an attacker’s attempt to erase
those files, the Cisco IOS Resilient Configuration feature keeps a secure copy of these
files. What are these files called?
a. The bootset
b. The configset
c. The backupset
d. The backup-config

9. When you configure Cisco IOS login enhancements for virtual connections, what is the
“quiet period”?
a. The period of time between successive login attempts
b. A period of time when no one is attempting to log in
c. The period of time in which virtual login attempts are blocked, following
repeated failed login attempts
d. The period of time in which virtual logins are blocked as security services fully

10. In the banner motd # command, what does # represent?
a. A single text character that will appear as the message of the day
b. A delimiter indicating the beginning and end of a message of the day
c. A reference to a system variable that contains a message of the day
d. The enable mode prompt from where the message of the day will be entered into
the IOS configuration

11. What Cisco IOS feature provides a graphical user interface (GUI) for configuring a
wide variety of features on an IOS router and also provides multiple “smart wizards”
and configuration tutorials?
a. QPM
b. SAA
c. SMS
d. SDM

12. What are two options for running Cisco SDM? (Choose two.)
a. Running SDM from a router’s flash
b. Running SDM from the Cisco web portal
c. Running SDM from within CiscoWorks
d. Running SDM from a PC

13. Which of the following are valid SDM configuration wizards? (Choose three.)
a. Security Audit
b. VPN
c. ACS
d. NAT
e. STP

Configuring AAA
1. Which of the following commands is used in global configuration mode to enable
a. aaa EXEC
b. aaa new-model
c. configure aaa-model
d. configure-model aaa

2. How do you define the authentication method that will be used with AAA?
a. With a method list
b. With a method statement
c. With the method command
d. With the method aaa command

3. Which of the following are authentication methods that may be used with AAA?
(Choose three.)
a. Local
b. Remote
e. IPsec

4. To configure accounting in AAA, from which mode should the aaa accounting
command be issued?
a. Privileged EXEC
b. Command mode
c. Global configuration
d. Admin EXEC

5. What does the aaa authentication login console-in local command do?
a. It specifies the login authorization method list named console-in using the local
username-password database on the router.
b. It specifies the login authentication list named console-in using the local username-
password database on the router.
c. It specifies the login authentication method list named console-in using the local
user database on the router.
d. It specifies the login authorization method list named console-in using the local
RADIUS username-password database.

6. Which command should be used to enable AAA authentication to determine if a user
can access the privilege command level?
a. aaa authentication enable level
b. aaa authentication enable method default
c. aaa authentication enable default local
d. aaa authentication enable default

7. Which of the following are features provided by Cisco Secure ACS 4.0 for Windows?
(Choose three.)
a. Cisco NAC support
b. IPsec support
c. Network access profiles
d. NTVLM profiles
e. Machine access restrictions

8. Which of the following browsers are supported for use with Cisco Secure ACS?
(Choose three.)
a. Opera 9.2
b. Microsoft Internet Explorer 6 with SP1
c. Netscape 7.1
d. Firefox 2.0
e. Netscape 7.2

9. Which of the following ports are used with RADIUS authentication and authorization?
(Choose two.)
a. UDP port 2000
b. TCP port 2002
c. UDP port 1645
d. TCP port 49
e. UDP port 1812

10. Which of the following are valid responses that the TACACS+ daemon might provide
the NAS during the authentication process? (Choose three.)
a. Accept
b. Reject
c. Approved
d. Continue
e. Failed

11. Which RADIUS message type contains AV pairs for username and password?
a. Access-Request
b. Access-Accept
c. Access-Reject
d. Access-Allow
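Added example for questions 9 and 11 (not code from the original page or from any RADIUS product): a minimal RADIUS Access-Request builder and parser following RFC 2865, showing the User-Name (type 1) and User-Password (type 2) attribute-value pairs and how the NAS hides the password with MD5 over the shared secret and the 16-byte Request Authenticator before sending the datagram to UDP port 1812 (1645 on older deployments). The shared secret, username, password and NAS address are constructed values.

```python
# Added example (not from the page or from any RADIUS implementation):
# build and parse a RADIUS Access-Request as defined in RFC 2865.
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
RADIUS_AUTH_PORT = 1812  # IANA-assigned; 1645 is the legacy port


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Return (packet bytes, authenticator). The NAS sends this to UDP/1812."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for atype, value in (
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, authenticator)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ):
        # Each AV pair is Type (1 byte), Length (1 byte, includes header), Value.
        attrs += struct.pack("!BB", atype, 2 + len(value)) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_packet(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    authenticator, avps, pos = packet[4:20], {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        avps[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, identifier, authenticator, avps


if __name__ == "__main__":
    secret = b"shared-secret"  # constructed example secret
    pkt, auth = build_access_request(7, b"alice", b"Pa55word", secret, "10.1.1.1")
    code, ident, auth2, avps = parse_packet(pkt)
    print(code, ident, avps[USER_NAME], unhide_password(avps[USER_PASSWORD], secret, auth2))
```

The password hiding is keyed only by the shared secret and a 16-byte authenticator that travels in the clear, so anyone who learns the secret (or can brute-force it offline from one captured exchange) recovers every password on that link; this is one reason TACACS+, which encrypts the whole payload, is preferred for device administration, and why RADIUS secrets must be long and per-client.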

12. To enable AAA through the SDM, you choose which of the following?
a. Configure > Tasks > AAA
b. Configure > Authentication > AAA
c. Configure > Additional Tasks > AAA
d. Configure > Additional Authentication > AAA

Securing the Router
1. If you need to use Simple Network Management Protocol (SNMP) on your network,
what version does Cisco recommend?
a. Version 2
b. Version 2c
c. Version 3
d. Version 3c

2. What are two automated approaches for hardening the security of a Cisco IOS router?
(Choose two.)
a. AutoQoS
b. AutoSecure
c. Cisco SDM’s One-Step Lockdown
d. Cisco IPS Device Manager (IDM)

3. Which of the following router services can best help administrators correlate events
appearing in a log file?
a. Finger
b. TCP small services
c. CDP
d. NTP

4. What management topology keeps management traffic isolated from production
a. OOB
b. OTP

5. What syslog logging level is associated with warnings?
a. 3
b. 4
c. 5
d. 6
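Added example for questions 3 and 5 (not code from the original page or from Cisco): a parser for IOS syslog lines of the form `%FACILITY-SEVERITY-MNEMONIC: text` that maps the numeric level to its name and keeps messages at warnings (4) or more severe. It also flags the `*` that IOS prefixes to a timestamp when the clock is not authoritative, which is what NTP fixes and why NTP is the answer to question 3 (without synchronized clocks the timestamps cannot be correlated across devices). The log lines are constructed for the example, not captured from a device.

```python
# Added example, not from the page: parse Cisco IOS syslog lines and filter
# by severity. Sample lines below are constructed, not real device output.
import re

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
WARNINGS = 4

# Timestamps come from `service timestamps log datetime msec`. IOS prefixes
# "*" when the clock has never been set from an authoritative source, so
# such timestamps cannot be correlated with other devices' logs.
LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<unsynced>[*.]?)"
    r"(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r":?\s+%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


def parse_line(line: str):
    """Return a dict of fields, or None when the line is not an IOS message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["clock_unsynced"] = bool(d.pop("unsynced"))
    d["sev"] = int(d["sev"])
    d["severity"] = SEVERITY_NAMES[d["sev"]]
    return d


def at_or_above(lines, threshold=WARNINGS):
    """Parsed messages whose level is <= threshold (lower number = more severe)."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["sev"] <= threshold:
            out.append(rec)
    return out


# Constructed sample log (not captured from a real router).
SAMPLE_LOG = [
    "R1 Jul  7 10:15:02.113: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)",
    "R1 Jul  7 10:15:40.551: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]",
    "R1 Jul  7 10:15:41.002: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, "
    "[user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]",
    "R1 Jul  7 10:16:07.730: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "R1 Jul  7 10:16:09.004: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4444) -> 10.1.1.10(23), 1 packet",
    "R2 *Jul  7 10:17:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up",
]

if __name__ == "__main__":
    for rec in at_or_above(SAMPLE_LOG):
        print(rec["host"], rec["ts"], rec["severity"], rec["mnemonic"], rec["text"][:60])
```

Setting `logging trap warnings` on the router sends exactly this subset (levels 0 to 4) to the syslog server; the `%SEC_LOGIN-1-QUIET_MODE_ON` line is what the login-block quiet period of the "Defending the Perimeter" section looks like when it triggers.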

6. Information about a managed device’s resources and activity is defined by a series of
objects. What defines the structure of these management objects?
b. CEF
c. FIB
d. MIB

7. When SSH is configured, what is the Cisco minimum recommended modulus value?
a. 256 bits
b. 512 bits
c. 1024 bits
d. 2048 bits

8. If you click the Configure button along the top of Cisco SDM’s graphical interface,
which Tasks button allows you to configure such features as SSH, NTP, SNMP, and
a. Additional Tasks
b. Interfaces and Connections
c. Security Audit
d. Intrusion Prevention

Securing Layer 2 Devices
1. A Cisco Catalyst switch stores port MAC address assignments in what type of table?
a. ARP cache
b. FIB table
c. Adjacency database
d. CAM table

2. What Cisco Catalyst switch feature can isolate ports from one another, even though
those ports belong to the same VLAN?
a. Private VLAN
b. Policing
c. Per-VLAN Spanning Tree (PVST)
d. Dynamic ARP Inspection (DAI)

3. What are the two main approaches for launching a VLAN hopping attack? (Choose
a. Gratuitous ARP (GARP)
b. Switch spoofing
c. Double tagging
d. DHCP spoofing

4. What Spanning Tree Protocol (STP) protection mechanism disables a switch port if the
port receives a Bridge Protocol Data Unit (BPDU)?
a. Root Guard
b. BPDU Guard
c. PortFast
d. UplinkFast

5. What Cisco Catalyst switch feature can help protect against DHCP server spoofing?
a. DAI
c. DHCP snooping
d. VACLs

6. What type of message might an attacker send to a host to convince the host that the
attacker’s MAC address is the host’s next-hop MAC address?
b. DAI

7. If a switch is running in the fail-open mode, what happens when the switch’s CAM
table fills to capacity and a new frame arrives?
a. The frame is dropped.
b. A copy of the frame is forwarded out all switch ports other than the port the
frame was received on.
c. The frame is transmitted on the native VLAN.
d. The switch sends a NACK segment to the frame’s source MAC address.

8. What kind of MAC address is dynamically learned by a switch port and then added to
the switch’s running configuration?
a. Static secure MAC address
b. Dynamic secure MAC address
c. Sticky secure MAC address
d. Pervasive secure MAC address

9. What Cisco Catalyst switch feature can be used in an Intrusion Detection System (IDS)
solution to cause the switch to send a copy of traffic for analysis by an IDS sensor?
b. DHCP snooping
c. DAI

10. What are three potential responses of a switch port to a port security violation?
(Choose three.)
a. Protect
b. Isolate
c. Restrict
d. Shut down

11. What two Cisco Catalyst switch features can be used to mitigate man-in-the-middle
attacks? (Choose the two best answers.)
a. DAI
b. Private VLANs
c. DHCP snooping
d. VACLs

12. In an IEEE 802.1x deployment, EAPOL messages typically are sent between which
two devices?
a. Between the authenticator and the authentication server
b. Between the supplicant and the authentication server
c. Between the RADIUS server and the authenticator
d. Between the supplicant and the authenticator

13. A RADIUS server acts as which component in an IEEE 802.1x deployment?
a. Supplicant
b. Authentication server
c. Authenticator
d. Method list

14. What EAP type usually leverages MS-CHAPv2 as its authentication protocol?
c. EAP-MD5

15. What happens to a client that successfully authenticates with a Cisco Catalyst switch
port using 802.1x but also creates a port security violation?
a. The client can transmit regardless of the port security settings, because of the
successful 802.1x authentication.
b. After the client authenticates, it is allowed to transmit on the network if the
switch is configured for AAA authorization, which explicitly permits network
access for the client.
c. The client cannot transmit because of the port security violation, even though it
successfully authenticated.
d. This is an invalid configuration, because port security and 802.1x features on a
port are mutually exclusive.

16. When is a Cisco Catalyst switch port placed in a restricted VLAN?
a. When a connected client fails to authenticate after a certain number of attempts
b. If a connected client does not support 802.1x
c. After a connected client exceeds a specified idle time
d. When 802.1x is not globally enabled on the Cisco Catalyst switch

17. Which command configures a Cisco Catalyst switch port to operate in multiple-host
a. Switch(config)# dot1x host-mode multi-host
b. Switch(config-if)# enable dot1x multi-host
c. Switch(config)# no host-mode single-host
d. Switch(config-if)# dot1x host-mode multi-host

Implementing Endpoint Security
1. Network containment is provided by which of the following Cisco Self-Defending
Network elements? (Choose all that apply.)
a. IPS
b. NAC
c. SDN
d. CSA
e. HNS

2. Which of the following is not a phase in a worm attack?
a. Paralyze
b. Propagate
c. Eradicate
d. Persist

3. During the probe phase of a worm attack, which of the following might be used?
a. Ping scans
b. File copy
c. Exploit code
d. E-mail

4. The great majority of software vulnerabilities that have been discovered are which of
the following?
a. Software overflows
b. Heap overflows
c. Stack vulnerabilities
d. Buffer overflows

5. Hardening your application software involves what? (Choose all that apply.)
a. Applying patches
b. Applying virus software
c. Applying security fixes
d. Upgrading firmware

6. The Dynamic Vector Streaming (DVS) engine is a scanning technology that enables
a. Layer 4 virus detection
b. Signature-based virus filtering
c. Signature-based spyware filtering
d. Firmware-level virus detection

7. Which of the following are features provided by the Cisco NAC device to help secure
enterprise and endpoint systems? (Choose all that apply.)
a. Authentication and authorization
b. Posture assignment
c. Remediation of noncompliant systems
d. Quarantining of noncompliant applications

8. Which Cisco Security Agent Interceptor is responsible for intercepting all read/write
requests to the rc files in UNIX?
a. File system interceptor
b. Configuration interceptor
c. Network interceptor
d. Execution space interceptor

9. What does the Cisco Security Agent do when an operating system call to the kernel by
an application violates the security policy? (Choose all that apply.)
a. An appropriate error message is passed back to the operating system.
b. An alert is generated and sent to the Management Center for Cisco Security
c. An appropriate error message is passed back to the application.
d. An alert is generated and sent to the Cisco Security Agent.

10. What is the name of the e-mail traffic monitoring service that underlies the
architecture of IronPort?
a. E-Base
b. TrafMon
c. IronPort M-Series
d. SenderBase

Providing SAN Security
1. Which of the following is not a reason for an organization to incorporate a SAN in its
enterprise infrastructure?
a. To meet changing business priorities, applications, and revenue growth
b. To decrease the threat of viruses and worm attacks against data storage devices
c. To increase the performance of long-distance replication, backup, and recovery
d. To decrease both capital and operating expenses associated with data storage

2. Which of the following is the basis of all the major SAN transport technologies?
a. ATA
b. IDE

3. Which of the following represent SAN transport technologies? (Choose all that apply.)
a. Fibre Channel
d. iSCSI

4. Which of the following are classes of SAN attacks? (Choose all that apply.)
a. Viruses
b. Snooping
c. Worms
d. Spoofing
e. Denial of service (DoS)

5. Spoofing represents an attack against data ____________.
a. Confidentiality
b. Availability
c. Accuracy
d. Integration

6. A LUN is used by which of the following protocols as a way to differentiate the individual disk
drives that comprise a target device?
a. HBA
b. iSCSI
d. ATA

7. At what level is LUN masking implemented?
a. Drive
b. Disk
c. Controller
d. Host Bus Adapter

8. Which of the following statements correctly describes Fibre Channel zoning?
a. Combining a Fibre Channel fabric into larger subsets
b. Partitioning a Fibre Channel fabric into smaller subsets
c. Segmenting a Fibre Channel fabric through the use of a LUN mask into smaller
d. Combining the Fibre Channel fabric, through the use of LUN masks, into larger

9. Which of the following is perceived as a drawback of implementing Fibre Channel
Authentication Protocol (FCAP)?
a. It requires the use of netBT as the network protocol.
b. It is restricted in size to only three segments.
c. It relies on an underlying Public Key Infrastructure (PKI).
d. It requires the implementation of IKE.

10. Which of the following are the two primary port authentication protocols used with
VSANs? (Choose two.)
d. ESP
e. MSCHAP v2

Exploring Secure Voice Solutions
1. You administer a network that contains analog telephony devices connected to voice
gateways. These voice gateways connect to the Public Switched Telephone Network
(PSTN). Which of the following best describes this type of network?
a. VoIP
b. IP telephony
c. Converged communications
d. Unified communications

2. Which of the following are justifications for migrating from a traditional telephony
network to a VoIP network? (Choose all that apply.)
a. Reduced recurring expenses
b. Reduced end-to-end delay
c. Advanced functionality
d. Adaptability

3. Which of the following VoIP components can permit or deny a call attempt based on a
network’s available bandwidth?
a. Gateway
b. Gatekeeper
c. MCU
d. Application server

4. Which two protocols can be used to carry voice media packets? (Choose two.)
b. RTP
d. SIP

5. Which of the following attacks against a VoIP network attempts to deplete the
resources available on a server (for example, processing resources)?
a. Accessing VoIP resources without appropriate credentials
b. Gleaning information from unsecured VoIP network resources
c. Launching a denial-of-service (DoS) attack
d. Capturing telephone conversations

6. VoIP spam is also known by which of the following acronyms?
b. cRTP

7. Which of the following best describes vishing?
a. Influencing users to provide personal information over a web page
b. Influencing users to provide personal information over the phone
c. Influencing users to forward a call to a toll number (for example, a long distance
or international number)
d. Using an inside facilitator to intentionally forward a call to a toll number (for
example, a long distance or international number)

8. Which of the following Cisco Catalyst switch mechanisms can be used to prevent a
man-in-the-middle attack launched against a SIP network?
b. DAI
c. PAgP
d. DTP

9. A Cisco IP phone can send traffic from an attached PC in a data VLAN while sending
voice packets in a separate VLAN. What is the name given to this separate voice
b. Auxiliary VLAN
c. Native VLAN
d. Access VLAN

10. What type of firewall is required to open appropriate UDP ports required for RTP
a. Stateless firewall
b. Proxy firewall
c. Stateful firewall
d. Packet filtering firewall

11. Which two of the following statements are true about a Cisco IP phone’s web access
feature? (Choose two.)
a. It is enabled by default.
b. It requires login credentials, based on the UCM user database.
c. It can provide IP address information about other servers in the network.
d. It uses HTTPS.

Using Cisco IOS Firewalls to Defend the Network
1. A static packet-filtering firewall does which of the following?
a. It analyzes network traffic at the network and transport protocol layers.
b. It evaluates network packets for valid data at the application layer before allowing
c. It validates the fact that a packet is either a connection request or a data packet
belonging to a connection.
d. It keeps track of the actual communication process through the use of a state

2. Which of the following are advantages of an application layer firewall? (Choose all that
a. It authenticates individuals, not devices.
b. It makes it more difficult to spoof and implement DoS attacks.
c. It allows monitoring and filtering transport data.
d. It provides verbose auditing.

3. Application inspection firewalls are aware of the state of which layers? (Choose all that
a. Layer 2 connections
b. Layer 3 connections
c. Layer 4 connections
d. Layer 5 connections

4. Which of the following is not a limitation of a stateful firewall?
a. It does not work well with applications that open multiple connections.
b. It cannot defend against spoofing and DoS attacks.
c. User authentication is not supported.
d. It does not prevent application layer attacks.

5. Which of the following firewall best practices can help mitigate worm and other
automated attacks?
a. Segment security zones
b. Use logs and alerts
c. Restrict access to firewalls
d. Set connection limits

6. When creating an extended ACL, which of the following number ranges may be used?
(Choose all that apply.)
a. 1 to 99
b. 100 to 199
c. 1300 to 1999
d. 2000 to 2699

7. Each Cisco ACL ends with which of the following?
a. An explicit allow all
b. An implicit deny all
c. An implicit allow all
d. An explicit deny all

8. To view the status of your Turbo ACLs, which command would you use?
a. show access-list status
b. show access-list turbo compiled
c. show access-list compiled
d. show access-list complete

9. Which of the following are true of the Turbo ACL feature? (Choose all that apply.)
a. The Turbo ACL feature processes ACLs into lookup tables for greater efficiency.
b. Turbo ACLs increase the CPU load by matching the packet to a predetermined
c. The Turbo ACL feature leads to reduced latency, because the time it takes to
match the packet is fixed and consistent.
d. The Turbo ACL feature leads to increased latency, because the time it takes to
match the packet is variable.

10. You examine your IDS Event Viewer and find that the IP address keeps
appearing. You determine that your web server is under attack from this IP and would
like to resolve this permanently. What happens if you place this address at the bottom
of the ACL?
a. Attacks from this IP address will be blocked because of the line you have added.
b. Attacks will continue. This line will never be reached, because above this line is a
permit any statement.
c. ACLs may not be used to block traffic originating outside your network address
d. ACLs may not be modified after they are created.
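Added example for questions 7 and 10 (not code from the original page or from Cisco IOS): a first-match evaluator for a subset of the IOS numbered extended ACL syntax. Run against two constructed ACLs for the scenario in question 10, it shows that a deny appended after `permit ip any any` is never reached, that moving the deny above the permits fixes it, and that traffic matching no line falls to the implicit `deny ip any any` at the end of every ACL. The ACL number check uses the ranges from question 6. Source-port matching and named ACLs are left out of the parser.

```python
# Added example, not from the page or from Cisco IOS: first-match evaluation
# of a subset of IOS numbered extended ACL syntax:
#   access-list <100-199|2000-2699> <permit|deny> <proto> <src> <dst> [eq <port>]
# where <src>/<dst> is "any", "host A.B.C.D", or "A.B.C.D WILDCARD".
import ipaddress
from typing import List, Optional, Tuple

Addr = Tuple[int, int]  # (address, wildcard mask), both as 32-bit ints


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def parse_acl(lines: List[str]) -> list:
    """Return ACEs in the order IOS evaluates them; remark lines are skipped."""
    aces = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        number = int(tok[1])
        if not (100 <= number <= 199 or 2000 <= number <= 2699):
            raise ValueError(f"{number} is not an extended ACL number")
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport: Optional[int] = None
        if i + 1 < len(tok) and tok[i] == "eq":
            dport = int(tok[i + 1])
        aces.append((action, proto, src, dst, dport))
    return aces


def _matches(ip: str, spec: Addr) -> bool:
    addr, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return ((_ip(ip) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(aces, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """First matching ACE wins; returns (action, 1-based ACE index).
    Falling off the end hits the implicit 'deny ip any any', reported as index None."""
    for n, (action, ace_proto, ace_src, ace_dst, ace_port) in enumerate(aces, 1):
        if ace_proto not in ("ip", proto):
            continue
        if not _matches(src, ace_src) or not _matches(dst, ace_dst):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action, n
    return "deny", None


# Constructed ACLs for question 10: attacker 203.0.113.5, web server 10.1.1.10.
# The deny appended at the bottom is shadowed by the "permit ip any any" above it.
DENY_AT_BOTTOM = [
    "access-list 101 permit tcp any host 10.1.1.10 eq 80",
    "access-list 101 permit ip any any",
    "access-list 101 deny ip host 203.0.113.5 any",
]
DENY_AT_TOP = [
    "access-list 101 remark block the attacker before anything is permitted",
    "access-list 101 deny ip host 203.0.113.5 any",
    "access-list 101 permit tcp any host 10.1.1.10 eq 80",
]

if __name__ == "__main__":
    for name, acl in (("deny at bottom", DENY_AT_BOTTOM), ("deny at top", DENY_AT_TOP)):
        print(name, evaluate(parse_acl(acl), "udp", "203.0.113.5", "10.1.1.10", 53))
```

On a real router the same check is `show access-lists 101`, whose per-line match counters stay at zero for a shadowed entry; a deny that never increments while the attack continues is the tell that it sits below a broader permit.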

11. Cisco IOS classic firewall can provide network protection on multiple levels using all
of the following except which item?
a. Traffic zoning
b. Traffic filtering
c. Traffic inspection
d. Intrusion prevention

12. Cisco IOS Release 12.4(6)T added which of the following capabilities to the Cisco IOS
Firewall? (Choose all that apply.)
a. Application inspection
b. A default deny-all policy
c. URL filtering
d. Subnet and host inspection policies

13. Interfaces may be assigned to how many security zones?
a. Four
b. One
c. Two
d. Subnets are assigned to zones, not interfaces.

14. Which two actions can be configured to permit traffic to traverse an interface when
zone-based security is being employed? (Choose two.)
a. Allow
b. Inspect
c. Pass
d. Flow

15. Creating Cisco IOS zone-based firewall policies involves which of the following
constructs? (Choose all that apply.)
a. Class map
b. Class policy
c. Policy map
d. Parameter map
e. Policy action

Using Cisco IOS IPS to Secure the Network
1. Which two statements are true about the differences between IDS and IPS? (Choose two.)
a. IPS operates in promiscuous mode.
b. IPS receives a copy of the traffic to be analyzed.
c. IPS operates in inline mode.
d. IDS receives a copy of the traffic to be analyzed.

2. What is the primary method used to detect and prevent attacks using IDS and/or IPS
a. Signature-based detection
b. Policy-based detection
c. Anomaly-based detection
d. Honey pot detection

3. What two types of interfaces are found on all network-based IPS sensors? (Choose two.)
a. Management interface
b. Monitoring interface
c. Command and control interface
d. Loopback interface

4. Which type of signatures use a set of rules that state how certain protocols should
behave on the network?
a. String signatures
b. DoS signatures
c. Exploit signatures
d. Connection signatures

5. Which protocol used by IPS is preferred over syslog, because it provides a secure
communications channel, and it can be used to communicate between IPS clients and
servers (for example, a management workstation that collects and correlates events
from multiple IPS sensors in the network)?
c. TLS

6. Which four of the following are configurable responses to an IPS alarm being
triggered? (Choose four.)
a. Create a log entry
b. Drop the offending packet
c. Reset the TCP connection
d. Send an ICMP Source Quench to the attacker’s IP address
e. Block the attacker’s IP address

7. The Intrusion Prevention Wizard is launched from within which administrative utility?
a. SMS
b. QPM
c. SDM
d. IPM

8. The IPS Policies Wizard helps you with which three of the following tasks? (Choose three.)
a. Selecting the interface to which the IPS rule will be applied
b. Selecting the direction of traffic that will be inspected
c. Selecting the inspection policy that will be applied to the interface
d. Selecting the Signature Definition File (SDF) that the router will use

9. Which of the following is an implicit command that is the last rule in a list of IPS rules?
a. permit ip any any
b. deny ip any any
c. permit tcp any
d. deny tcp any

10. When editing global IPS settings, which option determines if the IOS-based IPS
feature will drop or permit traffic for a particular IPS signature engine while a new
signature for that engine is being compiled?
a. Enable Engine Fail Closed
b. Enable Default IOS Signature
c. Enable Fail Opened
d. Enable Signature Default

11. In SDM’s Edit Signature window, you click a green square next to the parameter you
want to configure to make it editable. What color and symbol does the green square
change into after you click it?
a. Blue circle
b. Yellow triangle
c. Red diamond
d. Orange oval

Designing a Cryptographic Solution
1. What form of attack are all algorithms susceptible to?
a. Meet-in-the-middle
b. Spoofing
c. Stream cipher
d. Brute-force

2. Which type of cipher achieves security by rearranging the letters in a string of text?
a. Vigenère cipher
b. Stream cipher
c. Transposition cipher
d. Block cipher

3. In terms of constructing a good encryption algorithm, what does it mean to create an
avalanche effect?
a. Changing only a few bits of a plain-text message causes the ciphertext to be completely
b. Altering the key length causes the ciphertext to be completely different.
c. Changing only a few bits of a ciphertext message causes the plain text to be completely
d. Altering the key length causes the plain text to be completely different.

4. Which of the following are techniques used by symmetric encryption cryptography?
(Choose all that apply.)
a. Block ciphers
b. Message Authentication Codes (MAC)
c. One-time pad
d. Stream ciphers
e. Vigenère ciphers

5. Which of the following is not a common stream cipher?
a. RC4
b. RSA
d. DES

6. Which of the following characteristics accurately describe symmetric encryption
algorithms? (Choose all that apply.)
a. They are faster than asymmetric algorithms.
b. They have longer key lengths than asymmetric encryption algorithms.
c. They are stronger than asymmetric algorithms.
d. They are less complex mathematically than asymmetric algorithms.
e. They are slower than asymmetric algorithms.
f. They are weaker than asymmetric algorithms.

7. DES typically operates in block mode, where it encrypts data in what size blocks?
a. 56-bit blocks
b. 40-bit blocks
c. 128-bit blocks
d. 64-bit blocks

8. Stream ciphers operate on which of the following?
a. Fixed-length groups of bits called blocks
b. Individual digits, one at a time, with the transformations varying during the
c. Individual blocks, one at a time, with the transformations varying during the
d. Fixed-length groups of digits called blocks

9. Which statement accurately describes ECB mode?
a. In ECB mode, each 64-bit plain-text block is exclusive ORed (XORed) bitwise
with the previous ciphertext block.
b. ECB mode uses the same 64-bit key to serially encrypt each 56-bit plain-text
c. ECB mode uses the same 56-bit key to serially encrypt each 64-bit plain-text
d. In ECB mode, each 56-bit plain-text block is exclusive ORed (XORed) bitwise
with the previous ciphertext block.

10. What method does 3DES use to encrypt plain text?

11. Which of the following is not considered a trustworthy symmetric encryption
a. 3DES
c. EDE
d. AES

12. In a brute-force attack, generally an attacker has to search through what percentage of
the keyspace until he or she finds the key that decrypts the data?
a. Roughly 10 percent
b. Roughly 75 percent
c. Roughly 66 percent
d. Roughly 50 percent

13. How many weak keys are a part of the overall DES keyspace?
a. Five
b. One
c. Four
d. None

14. Which of the following is not a component of the key management life cycle?
a. Key verification
b. Key transposition
c. Key generation
d. Key exchange
e. Key storage

15. Hashing is used to provide which of the following?
a. Data consistency
b. Data binding
c. Data checksums
d. Data integrity

Implementing Digital Signatures
1. Cryptographic hashes can be used to provide which of the following? (Choose all that
a. Message integrity
b. Functional analysis
c. Security checks
d. Message lists
e. Digital signatures

2. Which of the following is an example of a function intended for cryptographic
a. MD65
b. XR12
c. SHA-135
d. MD5

3. An HMAC provides which of the following benefits? (Choose all that apply.)
a. It may be used to verify data integrity.
b. It may be used to calculate a checksum.
c. It may be used to verify a message’s authenticity.
d. It may be used to examine a message header.

4. What may be added to a password stored in MD5 to make it more secure?
a. Cryptotext
b. Ciphertext
c. Rainbow table
d. Salt

5. Which of the following employ SHA-1? (Choose all that apply.)
b. SSL
c. TLS
e. IPsec

6. A digital signature provides which of the following?
a. Auditing
b. Authentication
c. Authorization
d. Analysis

7. Digital signatures employ a pair of keys made up of which of the following? (Choose
a. A personal key
b. A public key
c. A private key
d. A universal key

8. A digital signature scheme is made up of which of the following? (Choose all that
a. Authentication algorithm
b. Key generation algorithm
c. Encryption algorithm
d. Signing algorithm
e. Signature verification algorithm

9. Which of the following algorithms was the first to be found suitable for both digital
signing and encryption?
a. MD5
c. SHA-1
d. RSA

10. Which of the following attacks focus on RSA? (Choose all that apply.)
a. Man-in-the-middle attack
b. BPA attack
c. Adaptive chosen ciphertext attack
d. DDoS attack

11. The Digital Signature Standard outlines the use of which of the following algorithms
in the creation of digital signatures?
a. LSA
b. DSA
c. PGP
d. MD5

Exploring PKI and Asymmetric Encryption
1. Which of the following is not a popular public-key encryption algorithm?
a. Digital Signature Algorithm (DSA)
b. DAH
c. RSA
d. Diffie-Hellman

2. RSA employs keys that generally have what bit length?
a. 129 to 256 bits
b. 256 to 512 bits
c. 512 to 2048 bits
d. 1024 to 2048 bits

3. Before a Diffie-Hellman exchange may begin, the two parties involved must agree on
a. Two secret numbers
b. Two secret keys
c. Two nonsecret keys
d. Two nonsecret numbers

4. Modern digital signatures generally rely on which of the following? (Choose all that
a. A public-key algorithm
b. A private-key algorithm
c. An encryption function
d. A hash function

5. Which of the following are distinctions between asymmetric and symmetric
algorithms? (Choose all that apply.)
a. Asymmetric algorithms are based on more complex mathematical computations.
b. Only symmetric algorithms have a key exchange technology built in.
c. Symmetric algorithms are based on more complex computations.
d. Only asymmetric algorithms have a key exchange technology built in.
e. Asymmetric algorithms are used quite often as key exchange protocols for symmetric
f. Symmetric algorithms are used quite often as key exchange protocols for asymmetric

6. A Public Key Infrastructure serves as a basis for providing which of the following
security services? (Choose all that apply.)
a. Encryption
b. Virus protection
c. Intrusion prevention
d. Authentication
e. Nonrepudiation

7. Which of the following best describes a certificate authority (CA)?
a. An agency responsible for granting and revoking public-private key pairs
b. A trusted third party responsible for signing the public keys of entities in a PKI-based
c. A trusted third party responsible for signing the private keys of entities in a PKI-based
d. An entity responsible for registering the private key encryption used in a PKI

8. Which of the following are valid certificate authority (CA) architectures? (Choose all
that apply.)
a. Certified CA
b. Single-root CA
c. Bidirectional CA
d. Cross-certified CA
e. Hierarchical CA

9. Which of the following Public Key Cryptographic Standards (PKCS) defines the
syntax for encrypted messages and messages with digital signatures?
a. PKCS #10
b. PKCS #8
c. PKCS #12
d. PKCS #7

10. Which of the following is not one of the five main areas that constitute a PKI?
a. Storage and Protocols
b. User Authentication through Local Registration Authorities (LRA)
c. CAs to Provide Management of Passwords
d. Supporting Legal Framework

Building a Site-to-Site IPsec VPN Solution
1. Which of the following acts as a VPN termination device and is located at a primary
network location?
a. Headend VPN device
b. VPN access device
c. Tunnel
d. Broadband service

2. Which of the following ensures that data is not modified in transit?
a. Confidentiality
b. Integrity
c. Authentication
d. Authorization

3. What two IKE modes can negotiate an IKE Phase 1 (that is, an ISAKMP) tunnel?
(Choose two.)
a. Main mode
b. Quick mode
c. Aggressive mode
d. Promiscuous mode

4. What are two modes of operation for both Authentication Header (AH) and
Encapsulating Security Payload (ESP)? (Choose two.)
a. Transmission mode
b. Transport mode
c. Transparent mode
d. Tunnel mode

5. Which of the following licenses dictates the number of allowed concurrent connections
on an ASA 5500 series appliance?
a. Feature license
b. Encryption license
c. Platform license
d. Expansion license

6. Which hashing algorithm does Cisco recommend as a best practice because of its
increased security and speed?
a. 3DES
b. SHA
c. AES
d. MD5

7. An IPsec tunnel is negotiated within the protection of which type of tunnel?
a. L2TP tunnel
b. L2F tunnel
c. GRE tunnel
d. ISAKMP tunnel

8. What component of an IPsec configuration identifies “interesting” traffic—traffic that
should be protected within the IPsec tunnel?
a. Transform set
b. ISAKMP policy
c. ACL
d. Diffie-Hellman group

9. Which command is used to specify Diffie-Hellman group 2 as part of an IKE Phase 1
a. group 2
b. diffie-hellman 2
c. df group 2
d. pre-share group 2

10. From what configuration mode would you enter the set peer ip-address command to
specify the IP address of an IPsec peer?
a. Transform set configuration mode
b. Crypto map configuration mode
c. ISAKMP configuration mode
d. Interface configuration mode

11. To what entity is a crypto map applied to make the crypto map active?
a. Transform set
b. Interface
c. Virtual template
d. ISAKMP proposal

12. What two site-to-site VPN wizards are available in the Cisco SDM interface? (Choose
a. Easy VPN Setup
b. Quick Setup
c. Step-by-Step
d. DMVPN Setup

13. What three parameters do you configure when using the Cisco SDM Quick Setup
Site-to-Site VPN wizard? (Choose three.)
a. Interface for the VPN connection
b. IP address for the remote peer
c. Transform set for the IPsec tunnel
d. Source interface where encrypted traffic originates

14. What command displays all existing IPsec security associations (SA)?
a. show crypto isakmp sa
b. show crypto ipsec sa
c. show crypto ike active
d. show crypto sa active
