Exam Prep Questions

Question 1

A network security policy provides the following benefits. (Choose four.)

  • A. It provides a basis for auditing.

  • B. It defines which behavior is allowed and prohibited.

  • C. It supports a constant methodology for the choice of tools and procedures.

  • D. It defines roles and responsibilities.

  • E. It enables enterprisewide enforcement of security policy.

A1:

Answers A, B, D, and E are all valid functions of a security policy and are therefore correct. Answer C is incorrect because a security policy is a living document that is revised as the network, its users, and the threats against it change; it guides the selection of tools and procedures but does not fix that choice permanently.

Question 2

The four steps of the Cisco Security Wheel are

  • A. Protect, Monitor, Detect, Log

  • B. Secure, Test, Tune, Adjust

  • C. Secure, Monitor, Test, Improve

  • D. Defend, Block, Log, Reconfigure

A2:

Answer C is correct. The four steps of the Cisco Security Wheel are Secure, Monitor, Test, and Improve. Answers A, B, and D do not describe the four steps of the Cisco Security Wheel and are therefore incorrect.

Question 3

The use of a login sequence that mimics a legitimate application to gain backdoor access into a host is called

  • A. Reconnaissance attack

  • B. Management protocol exploit

  • C. Trojan horse

  • D. Access attack

A3:

Answer C is correct. Applications that mimic legitimate applications (for example, a fake login prompt) to allow future backdoor access to a host are called Trojan horses. A reconnaissance attack occurs when an unauthorized person observes and maps network systems, services, and vulnerabilities; Answer A is therefore incorrect. A management protocol exploit occurs when an attacker takes advantage of weaknesses in protocols such as Telnet, SNMP, NTP, or syslog to perform an attack; Answer B is therefore incorrect. An access attack occurs when someone gains access to restricted resources or escalates privileges to perform an attack; Answer D is therefore incorrect.

Question 4

RFC 2827 filtering specifies that

  • A. Any traffic originating from outside a network is not allowed to traverse the firewall inbound.

  • B. Only external inbound traffic that responds to an internal request may traverse the firewall inbound.

  • C. Only traffic with a valid source address from the internal network is allowed outbound.

  • D. Any traffic originating from a valid internal address is allowed outbound.

A4:

Answer C is correct. RFC 2827 filtering blocks outbound traffic that has a source address that doesn't fall within the organization's valid range of internal addresses. Answers A, B, and D describe policies that may be enforced by ACLs but do not describe RFC 2827 and are therefore incorrect.

Question 5

A shared folder on a public drive can result in which kind of attack?

  • A. Reconnaissance attack

  • B. Password attack

  • C. Access attack

  • D. Man-in-the-middle attack

  • E. DoS attack

A5:

Answer C is correct. An attacker can easily obtain highly confidential internal company data by finding a shared folder with public read access and using that information to perform an access attack. A reconnaissance attack occurs when an attacker maps and observes network services and vulnerabilities; Answer A is therefore incorrect. A password attack occurs when an attacker uses a dictionary tool, a Trojan horse, or brute force to acquire password information; Answer B is therefore incorrect. A man-in-the-middle attack describes an attacker positioned between two parties, typically using a sniffer to intercept and possibly alter traffic as it traverses the network; Answer D is therefore incorrect. A DoS attack occurs when network services are disrupted or made unavailable; Answer E is therefore incorrect.

Question 6

You can use the following to describe application layer attacks. (Choose two.)

  • A. Trust exploitation

  • B. Interception of cleartext data transfer

  • C. Capture of login and password information through a Trojan horse

  • D. Use of well-known ports to traverse a firewall

  • E. Attack of public service host in the DMZ

  • F. Testing and installation of security patches

A6:

Answers C and D are correct. The capture of login and password information using a Trojan horse is an example of an application layer attack, so Answer C is correct. Application layer attacks often use well-known ports, such as TCP port 23 (Telnet) or TCP port 80 (HTTP), because a firewall must permit those ports for the service to work at all, so Answer D is correct. Answers A and E describe attacks that are not classified as application layer attacks, so those answers are incorrect. Answer F describes a way to mitigate the risk of an application layer attack rather than the attack itself and is therefore incorrect.

Question 7

Logging with syslog can introduce the following vulnerabilities. (Choose two.)

  • A. Unencrypted syslog data that is intercepted might allow the hacker to reconfigure a network device.

  • B. Syslog data is sent as cleartext, potentially exposing backup configuration files.

  • C. Syslog uses TCP port 514 and is vulnerable to session hijacking.

  • D. False syslog data flooding a syslog server can be used as a distraction during an attack.

  • E. Syslog does not perform packet-level integrity checking.

A7:

Answers D and E are correct. An attacker can flood a syslog server with false messages to distract a network administrator during an attack, so Answer D is correct. Syslog also lacks packet-level integrity checking and sender authentication, so syslog data can be altered or forged in transit; Answer E is therefore correct. Intercepting syslog data gives an attacker access only to log messages and does not by itself allow the attacker to reconfigure a device; Answer A is therefore incorrect. Although syslog data is sent as cleartext, TFTP (used to copy device configurations) is far more likely to expose backup configuration files than syslog; Answer B is therefore incorrect. Finally, classic syslog as implemented on Cisco IOS uses UDP port 514, not TCP port 514, so there is no TCP session to hijack; Answer C is therefore incorrect. (Later syslog variants can run over TCP or over TLS on port 6514, but those are not what the exam refers to.)
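The two correct answers above describe the same root cause: a syslog datagram carries no authentication and no integrity check, so a collector can only take the claimed host name and message text at face value. The added example below (not code from the book) parses classic RFC 3164 lines, decodes the facility and severity from the PRI field, and applies a simple sliding-window rate check to spot a burst of messages claiming to come from one device. The log lines are constructed, and "rtr-core" and "rtr-edge" are hypothetical device names.

```python
"""Cleartext syslog: parse RFC 3164 lines and spot a flood from one host.

Added example, not from the book. The log lines below are constructed;
"rtr-core" and "rtr-edge" are hypothetical device names.
"""
import re
from collections import defaultdict
from datetime import datetime

# <PRI>Mmm dd hh:mm:ss HOST MESSAGE  (the classic BSD / RFC 3164 layout)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_syslog(line):
    """Decode one line into facility, severity, host, timestamp and text.

    Everything here travels in the clear over UDP; nothing in the datagram
    authenticates the sender or protects the content, so the parsed "host"
    is only what the packet *claims* to be.
    """
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 0..23, severity 0..7, so PRI is at most 23*8+7
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m["host"],
        # RFC 3164 timestamps carry no year; strptime defaults to 1900,
        # which is fine for computing differences within one capture.
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "msg": m["msg"],
    }


def detect_flood(lines, window_s=60, threshold=20):
    """Return {host: peak_count} for every host that exceeds `threshold`
    messages within any `window_s`-second sliding window."""
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None:
            per_host[rec["host"]].append(rec["ts"])
    flooded = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # advance the window start until it lies within window_s of t
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flooded[host] = peak
    return flooded


# Constructed input: two normal messages, one malformed line, and thirty
# messages in thirty seconds that all claim to come from "rtr-edge".
SAMPLE_LINES = [
    "<189>Oct 11 10:00:01 rtr-core %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<187>Oct 11 10:05:14 rtr-core %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "not a syslog message at all",
] + [
    f"<189>Oct 11 10:07:{s:02d} rtr-edge %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    f"198.51.100.{s + 1}(40000) -> 192.0.2.10(23), 1 packet"
    for s in range(30)
]

if __name__ == "__main__":
    for host, peak in detect_flood(SAMPLE_LINES).items():
        print(f"possible syslog flood: {peak} messages claiming host {host} in 60 s")
```

The check only says that something is sending far more than usual under a given host name; because the transport is unauthenticated UDP, it cannot tell a compromised router from an attacker spoofing the router's address, which is exactly why a burst like this deserves a look at the rest of the network rather than just at the syslog server.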

Question 8

The Cisco Secure Posture Assessment group (SPA) can be described as

  • A. A professional services organization providing network security implementation and integration services

  • B. A third-party network security testing group that provides comprehensive and objective network security assessments

  • C. A research organization developing new signature updates based on recently discovered hacks

  • D. A professional services organization defining a framework for security over integrated voice, audio, and data networks

A8:

Answer B is correct. The Cisco Secure Posture Assessment group is a third-party network security testing group whose services ensure that your technical security implementation supports your security policy. The SPA does not provide implementation and integration services for network security; therefore, Answer A is incorrect. The SPA does not conduct research into new signature updates, nor does it define a framework for security over integrated audio, voice, and data networks; therefore, Answers C and D are also incorrect.

Question 9

Which of the following is NOT a way to prevent DoS attacks? (Choose one.)

  • A. Antispoofing features such as RFC 2827 filtering

  • B. Limiting the number of allowed embryonic connections

  • C. Implementing traffic rate limiting on ICMP

  • D. Enforcing the use of strong passwords

  • E. Using ACLs to deny traffic with a source address falling within the range of internal network addresses

A9:

Answer D is correct. Strong passwords limit the effect of access and password attacks; they do nothing to stop a flood of traffic, so they are not a DoS countermeasure. Answers A and E both describe anti-IP-spoofing techniques that help protect against DoS attacks and are therefore incorrect. Answers B and C describe measures that limit the volume of half-open connections and ICMP traffic that could otherwise result in a DoS condition and are therefore incorrect.
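Question 4 (RFC 2827 egress filtering) and answer E of this question (the inbound anti-spoofing ACL) are the two halves of the same source-address check, so one added example serves both. The code below is not from the book; it models the decision an edge router's ACL makes for each packet, using 192.0.2.0/24 as an assumed internal prefix and constructed sample packets drawn from documentation address ranges.

```python
"""RFC 2827 style source-address filtering as a per-packet decision.

Added example, not from the book. The site prefix and the packets below
are constructed for illustration from documentation address ranges.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the organisation's only valid internal range.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "outbound" = leaving the site, "inbound" = entering it


def rfc2827_decision(pkt: Packet, internal=INTERNAL_NET) -> str:
    """Return "permit" or "deny" for one packet at the site's edge router.

    Outbound: RFC 2827 egress filtering (Question 4). Anything leaving the
    site whose source address is not inside the site's own prefix is
    dropped, so the site cannot be used to launch spoofed-source traffic.

    Inbound: the mirror-image anti-spoofing ACL (Question 9, answer E).
    Anything arriving from outside that claims an internal source address
    is dropped, because a genuine external packet can never carry one of
    our own addresses as its source.
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "outbound":
        return "permit" if src in internal else "deny"
    if pkt.direction == "inbound":
        return "deny" if src in internal else "permit"
    raise ValueError(f"unknown direction: {pkt.direction!r}")


def apply_filter(packets, internal=INTERNAL_NET):
    """Evaluate a list of packets; return (decisions, dropped_packets)."""
    decisions = [rfc2827_decision(p, internal) for p in packets]
    dropped = [p for p, d in zip(packets, decisions) if d == "deny"]
    return decisions, dropped


# Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for "the Internet".
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "203.0.113.5", "outbound"),   # legitimate host going out
    Packet("10.0.0.7", "203.0.113.5", "outbound"),     # spoofed source leaving the site
    Packet("203.0.113.5", "192.0.2.10", "inbound"),    # normal reply from the Internet
    Packet("192.0.2.99", "192.0.2.10", "inbound"),     # outsider claiming an internal address
    Packet("198.51.100.1", "192.0.2.25", "inbound"),   # another legitimate external source
]

if __name__ == "__main__":
    decisions, dropped = apply_filter(SAMPLE_PACKETS)
    for pkt, d in zip(SAMPLE_PACKETS, decisions):
        print(f"{pkt.direction:8} {pkt.src:>14} -> {pkt.dst:<14} {d}")
    print(f"{len(dropped)} spoofed packet(s) dropped")
```

Note what the filter does not do: it cannot catch an attacker inside 192.0.2.0/24 who spoofs another address in the same /24, and it does nothing for traffic whose source is valid but whose volume is hostile, which is why rate limiting and embryonic-connection limits (answers B and C) sit alongside it rather than replacing it.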

Question 10

Management protocols such as FTP, Telnet, SNMP (versions 1 and 2c), and HTTP transfer data in cleartext. What encryption techniques can you use to mitigate the risk of cleartext data transfer? (Choose three.)

  • A. SSL

  • B. OTP

  • C. SSH

  • D. IPSec

  • E. CSACS

A10:

Answers A, C, and D are correct. SSL, SSH, and IPSec all encrypt the session and so provide a more secure means of data transfer than the cleartext protocols. Answer B, OTP, refers to one-time passwords, and Answer E, CSACS, is the Cisco Secure Access Control Server. Although both strengthen authentication, neither encrypts the data in transit, so they are not encryption techniques and are therefore incorrect.



CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213
