Deck 3: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)

A) man-in-the-middle
B) port scanning
C) SQL injection
D) ping sweep

A) SOAR platforms are used for threat and vulnerability management, but SIEM applications are not
B) SIEM applications are used for threat and vulnerability management, but SOAR platforms are not
C) SOAR receives information from a single platform and delivers it to a SIEM
D) SIEM receives information from a single platform and delivers it to a SOAR

A) least privilege
B) need to know
C) integrity validation
D) due diligence

A) reconnaissance
B) action on objectives
C) installation
D) exploitation

A) data availability
B) data normalization
C) data signature
D) data protection

A) principle of least privilege
B) organizational separation
C) separation of duties
D) need to know principle

A) Deep packet inspection is more secure than stateful inspection on Layer 4
B) Stateful inspection verifies contents at Layer 4 and deep packet inspection verifies connection at Layer 7
C) Stateful inspection is more secure than deep packet inspection on Layer 7
D) Deep packet inspection allows visibility on Layer 7 and stateful inspection allows visibility on Layer 4

A) principle of least privilege
B) role-based access control
C) separation of duties
D) trusted computing base

A) sequence numbers
B) IP identifier
C) 5-tuple
D) timestamps

A) weaponization
B) reconnaissance
C) installation
D) delivery

A) MAC is controlled by the discretion of the owner and DAC is controlled by an administrator
B) MAC is the strictest of all levels of control and DAC is object-based access
C) DAC is controlled by the operating system and MAC is controlled by an administrator
D) DAC is the strictest of all levels of control and MAC is object-based access

A) denial of service
B) ARP cache poisoning
C) DHCP snooping
D) command and control

A) least privilege
B) need to know
C) separation of duties
D) due diligence

A) An attack surface identifies vulnerabilities that require user input or validation; and an attack vector identifies vulnerabilities that are independent of user actions.
B) An attack vector identifies components that can be exploited; and an attack surface identifies the potential path an attack can take to penetrate the network.
C) An attack surface recognizes which network parts are vulnerable to an attack; and an attack vector identifies which attacks are possible with these vulnerabilities.
D) An attack vector identifies the potential outcomes of an attack; and an attack surface launches an attack using several methods against the identified vulnerabilities.

A) fragmentation
B) pivoting
C) encryption
D) stenography

A) extended sleep calls
B) encryption
C) resource exhaustion
D) encoding

A) confidentiality, identity, and authorization
B) confidentiality, integrity, and authorization
C) confidentiality, identity, and availability
D) confidentiality, integrity, and availability

A) First Packet
B) Initiator User
C) Ingress Security Zone
D) Source Port
E) Initiator IP

A) Encryption analysis is used by attackers to monitor VPN tunnels.
B) Encryption is used by threat actors as a method of evasion and obfuscation.
C) Encryption introduces additional processing requirements by the CPU.
D) Encryption introduces larger packet sizes to analyze and store.

A) high rate of SYN packets being sent from a multiple source towards a single destination IP
B) high rate of SYN packets being sent from a single source IP towards multiple destination IPs
C) flood of ACK packets coming from a single source IP to multiple destination IPs
D) flood of SYN packets coming from a single source IP to a single destination IP

A) Identifying network loops and collision domains.
B) Troubleshooting the cause of security and performance issues.
C) Reassembling fragmented traffic from raw data.
D) Detecting common hardware faults and identify faulty assets.
E) Providing a historical record of a network transaction.

A) transaction data
B) location data
C) statistical data
D) alert data

A) IIS data
B) NetFlow data
C) network discovery event
D) IPS event data

A) ransomware communicating after infection
B) users downloading copyrighted content
C) data exfiltration
D) user circumvention of the firewall

A) server name, trusted subordinate CA, and private key
B) trusted subordinate CA, public key, and cipher suites
C) trusted CA name, cipher suites, and private key
D) server name, trusted CA, and public key

A) best evidence
B) prima facie evidence
C) indirect evidence
D) physical evidence

A) Untampered images are used in the security investigation process
B) Tampered images are used in the security investigation process
C) The image is tampered if the stored hash and the computed hash match
D) Tampered images are used in the incident recovery process
E) The image is untampered if the stored hash and the computed hash match

A) cause of an attack
B) exploit of an attack
C) vulnerabilities exploited
D) threat actors of an attack

A) syslog messages
B) full packet capture
C) NetFlow
D) firewall event logs

A) NetFlow collects metadata and traffic mirroring clones data
B) Traffic mirroring impacts switch performance and NetFlow does not
C) Traffic mirroring costs less to operate than NetFlow
D) NetFlow generates more data than traffic mirroring

A) application-level blacklisting
B) host-based IPS
C) application-level whitelisting
D) antivirus

A) any potential danger to an asset
B) the sum of all paths for data into and out of the application
C) an exploitable weakness in a system or its design
D) the individuals who perform an attack

A) by enabling an authenticated channel between the client and the server
B) by creating an integrated channel between the client and the server
C) by enabling an authorized channel between the client and the server
D) by creating an encrypted channel between the client and the server

A) IP address 179.179.69/50272/192.168.122.100/80/6 is sending a packet from port 80 of IP address 192.168.122.100 that is going to port 50272 of IP address 81.179.179.69 using IP protocol 6.
B) IP address 192.168.122.100/50272/81.179.179.69/80/6 is sending a packet from port 50272 of IP address 192.168.122.100 that is going to port 80 of IP address 81.179.179.69 using IP protocol 6.
C) IP address 192.168.122.100/50272/81.179.179.69/80/6 is sending a packet from port 80 of IP address 192.168.122.100 that is going to port 50272 of IP address 81.179.179.69 using IP protocol 6.
D) IP address 179.179.69/50272/192.168.122.100/80/6 is sending a packet from port 50272 of IP address 192.168.122.100 that is going to port 80 of IP address 81.179.179.69 using IP protocol 6.

A) social engineering
B) eavesdropping
C) piggybacking
D) tailgating

A) Host 10.201.3.149 is sending data to 152.46.6.91 using TCP/443.
B) Host 152.46.6.91 is being identified as a watchlist country for data transfer.
C) Traffic to 152.46.6.149 is being denied by an Advanced Network Control policy.
D) Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.

A) IDS
B) proxy
C) NetFlow
D) sys

A) open ports of a web server
B) open port of an FTP server
C) open ports of an email server
D) running processes of the server

A) A policy violation is active for host 10.10.101.24.
B) A host on the network is sending a DDoS attack to another inside host.
C) There are two active data exfiltration alerts.
D) A policy violation is active for host 10.201.3.149.

A) false negative
B) true positive
C) true negative
D) false positive

A) application whitelisting/blacklisting
B) network NGFW
C) host-based IDS
D) antivirus/antispyware software

A) host-based intrusion detection
B) systems-based sandboxing
C) host-based firewall
D) antivirus

A) SSH
B) TCP
C) TLS
D) HTTP

A) [a?z]+
B) [^a?z]+
C) a?z+
D) a*z+

A) detection and analysis
B) post-incident activity
C) preparation
D) containment, eradication, and recovery

A) alert data
B) transaction data
C) session data
D) full packet capture

A) encapsulation
B) TOR
C) tunneling
D) NAT

A) an access attempt was made from the Mosaic web browser
B) a successful access attempt was made to retrieve the password file
C) a successful access attempt was made to retrieve the root of the website
D) a denied access attempt was made to retrieve the password file

A) application identification number
B) active process identification number
C) runtime identification number
D) process identification number

A) referrer
B) host
C) user-agent
D) accept-language

A) Inline inspection acts on the original traffic data flow
B) Traffic mirroring passes live traffic to a tool for blocking
C) Traffic mirroring inspects live traffic for analysis and mitigation
D) Inline traffic copies packets for analysis and security

A) true negative
B) false negative
C) false positive
D) true positive

A) CSIRT
B) PSIRT
C) public affairs
D) management

A) insert TCP subdissectors
B) extract a file from a packet capture
C) disable TCP streams
D) unfragment TCP

A) UDP port to which the traffic is destined
B) TCP port from which the traffic was sourced
C) source IP address of the packet
D) destination IP address of the packet
E) UDP port from which the traffic is sourced

A) online assault
B) precursor
C) trigger
D) instigator

A) The computer has a HIPS installed on it.
B) The computer has a NIPS installed on it.
C) The computer has a HIDS installed on it.
D) The computer has a NIDS installed on it.

A) /var/log/authorization.log
B) /var/log/dmesg
C) var/log/var.log
D) /var/log/auth.log

A) parameter manipulation
B) heap memory corruption
C) command injection
D) blind SQL injection

A) SSL interception
B) packet header size
C) signature detection time
D) encryption

A) colo?ur
B) col[0?8]+our
C) colou?r
D) col[0?9]+our

A) gaining root access
B) executing remote code
C) reading and writing file permission
D) opening a malicious file

A) destination IP address
B) TCP ACK
C) HTTP status code
D) URI

A) detection and analysis
B) post-incident activity
C) vulnerability management
D) risk assessment
E) vulnerability scoring

A) session duration
B) total throughput
C) running processes
D) listening ports
E) OS fingerprint

A) secure boot
B) load balancing
C) increased audit log levels
D) restricting USB ports
E) full packet captures at the endpoint

A) code signing enforcement
B) full assets scan
C) internet exposed devices
D) single factor authentication

A) NetScout
B) tcpdump
C) SolarWinds
D) netsh

A) context
B) session
C) laptop
D) firewall logs
E) threat actor

A) HIDS
B) sandboxing
C) host-based firewall
D) antimalware

A) Base64 encoding
B) transport layer security encryption
C) SHA-256 hashing
D) ROT13 encryption

A) legal
B) compliance
C) regulated
D) contractual

A) Tapping interrogation replicates signals to a separate port for analyzing traffic
B) Tapping interrogations detect and block malicious traffic
C) Inline interrogation enables viewing a copy of traffic to ensure traffic is in compliance with security policies
D) Inline interrogation detects malicious traffic but does not block the traffic

A) date of birth
B) driver's license number
C) gender
D) zip code

A) proof of a user's identity
B) proof of a user's action
C) likelihood of user's action
D) falsification of a user's identity

A) data from a CD copied using Mac-based system
B) data from a CD copied using Linux system
C) data from a DVD copied using Windows system
D) data from a CD copied using Windows

A) action on objectives
B) delivery
C) exploitation
D) installation

A) probabilistic
B) indirect
C) best
D) corroborative

A) The RST flag confirms the beginning of the TCP connection, and the ACK flag responds when the data for the payload is complete
B) The ACK flag confirms the beginning of the TCP connection, and the RST flag responds when the data for the payload is complete
C) The RST flag confirms the receipt of the prior segment, and the ACK flag allows for the spontaneous termination of a connection
D) The ACK flag confirms the receipt of the prior segment, and the RST flag allows for the spontaneous termination of a connection