2015-07-07

Understanding Network Security Principles

1. Where do most attacks on an organization’s computer resources originate?
a. From the Internet
b. From the inside network
c. From universities
d. From intruders who gain physical access to the computer resources

2. What are the three primary goals of network security? (Choose three.)
a. Confidentiality
b. Redundancy
c. Integrity
d. Availability

3. The U.S. government places classified data into which classes? (Choose three.)
a. SBU
b. Confidential
c. Secret
d. Top-secret

4. Cisco defines three categories of security controls: administrative, physical, and
technical. Individual controls within these categories can be further classified as what
three specific types of controls? (Choose three.)
a. Preventive
b. Deterrent
c. Detective
d. Reactive

5. Litigators typically require which three of the following elements to present an
effective argument when prosecuting information security violations? (Choose three.)
a. Audit trail
b. Motive
c. Means
d. Opportunity

6. Which type of law typically involves the enforcement of regulations by government
agencies?
a. Criminal law
b. Tort law
c. Administrative law
d. Civil law

7. Which of the following is a weakness in an information system that an attacker might
leverage to gain unauthorized access to the system or data on the system?
a. Risk
b. Exploit
c. Mitigation
d. Vulnerability

8. What type of hacker attempts to hack telephony systems?
a. Script kiddie
b. Hacktivist
c. Phreaker
d. White hat hacker

9. Which of the following is a method of gaining access to a system that bypasses normal
security measures?
a. Creating a back door
b. Launching a DoS attack
c. Starting a Smurf attack
d. Conducting social engineering

10. What security design philosophy uses a layered approach to eliminate single points of
failure and provide overlapping protection?
a. AVVID
b. Defense in Depth
c. SONA
d. IINS

11. What are two types of IP spoofing attacks? (Choose two.)
a. Nonblind spoofing
b. Promiscuous spoofing
c. Autonomous spoofing
d. Blind spoofing

12. What term refers to the electromagnetic interference (EMI) that can radiate from
network cables?
a. Doppler waves
b. Emanations
c. Gaussian distributions
d. Multimode distortion

13. What kind of integrity attack is a collection of small attacks that result in a larger attack
when combined?
a. Data diddling
b. Botnet attack
c. Hijacking a session
d. Salami attack

14. Which of the following best describes a Smurf attack?
a. It sends ping requests to a subnet, requesting that devices on that subnet send
ping replies to a target system.
b. It sends ping requests in segments of an invalid size.
c. It intercepts the third step in a TCP three-way handshake to hijack a session.
d. It uses Trojan horse applications to create a distributed collection of “zombie”
computers, which can be used to launch a coordinated DDoS attack.

15. Which of the following are Cisco best-practice recommendations for securing a
network? (Choose three.)
a. Deploy HIPS software on all end-user workstations.
b. Routinely apply patches to operating systems and applications.
c. Disable unneeded services and ports on hosts.
d. Require strong passwords, and enable password expiration.

Developing a Secure Network
1. What are the five phases of the System Development Life Cycle (SDLC)? (Choose
five.)
a. Termination
b. Operations and maintenance
c. Acquisition and development
d. Initiation
e. Implementation
f. Execution
g. Disposition

2. Which of the following attempts to ensure that no one employee becomes a pervasive
security threat, that data can be recovered from backups, and that information system
changes do not compromise a system’s security?
a. Strategic security planning
b. Implementation security
c. Disaster recovery
d. Operations security

3. Which three of the following are network evaluation techniques? (Choose three.)
a. Using Cisco SDM to perform a network posture validation
b. Scanning a network for active IP addresses and open ports on those IP addresses
c. Performing end-user training on the use of antispyware software
d. Using password-cracking utilities
e. Performing virus scans

4. What are three phases of disaster recovery? (Choose three.)
a. Emergency response phase
b. Return to normal operations phase
c. Threat isolation phase
d. Recovery phase

5. Which of the following is a continually changing document that dictates a set of
guidelines for network use?
a. Security policy
b. Best-practice recommendations
c. Identity-based networking policy
d. Acceptable-use executive summary

6. Which security policy component contains mandatory practices (as opposed to
recommendations or step-by-step instructions)?
a. Guidelines
b. Standards
c. Procedures
d. Tenets

7. Which three individuals are the most likely to be intimately involved with the creation
of a security policy? (Choose three.)
a. Chief Security Officer (CSO)
b. Chief Executive Officer (CEO)
c. Chief Information Officer (CIO)
d. Chief Information Security Officer (CISO)

8. The following formula can be used to calculate annualized loss expectancy:
ALE = AV * EF * ARO
Which component of the formula represents the percentage of loss of an asset that is
experienced if an anticipated threat occurs?
a. ALE
b. AV
c. EF
d. ARO

9. All of the following are common elements of a network design. Which one is the most
important?
a. Business needs
b. Risk analysis
c. Security policy
d. Best practices
e. Security operations
f. They are all equally important

10. Which of the following makes the end-user community conscious of security issues
without necessarily giving any in-depth procedural instruction?
a. Education
b. Training
c. Awareness
d. Remediation

11. What type of threat combines worm, virus, and Trojan horse characteristics?
a. Heuristic threat
b. Blended threat
c. Morphing threat
d. Integrated threat

12. What are the three core characteristics of a Cisco Self-Defending Network? (Choose
three.)
a. Integrated
b. Collaborative
c. Autonomous
d. Adaptive

13. Which of the following offers a variety of security solutions, including firewall, IPS,
VPN, antispyware, antivirus, and antiphishing features?
a. Cisco IOS router
b. Cisco ASA 5500 series security appliance
c. Cisco PIX 500 series security appliance
d. Cisco 4200 series IPS appliance

Defending the Perimeter
1. Which of the following are considered IOS security features? (Choose four.)
a. Stateful firewall
b. MARS
c. IPS
d. VRF-aware firewall
e. VPN
f. ACS

2. Some ISRs include a USB port, into which a flash drive can connect. What are three
common uses for the flash drive? (Choose three.)
a. Storing configuration files
b. Storing a digital certificate
c. Storing a copy of the IOS image
d. Storing a username/password database

3. The enable secret password appears as an MD5 hash in a router’s configuration file,
whereas the enable password is not hashed (or encrypted, if the password-encryption
service is not enabled). Why does Cisco still support the use of both enable secret and
enable passwords in a router’s configuration?
a. Because the enable secret password is a hash, it cannot be decrypted. Therefore,
the enable password is used to match the password that was entered, and the
enable secret is used to verify that the enable password has not been modified
since the hash was generated.
b. The enable password is used for IKE Phase I, whereas the enable secret password
is used for IKE Phase II.
c. The enable password is considered to be a router’s public key, whereas the enable
secret password is considered to be a router’s private key.
d. The enable password is present for backward compatibility.

4. What is an IOS router’s default response to multiple failed login attempts after the
security authentication failure command has been issued?
a. The login process is suspended for 10 seconds after 15 unsuccessful login attempts.
b. The login process is suspended for 15 seconds after 10 unsuccessful login attempts.
c. The login process is suspended for 30 seconds after 10 unsuccessful login attempts.
d. The login process is suspended for 10 seconds after 30 unsuccessful login attempts.

5. What line configuration mode command would you enter to prevent a line (such as a
console, aux, or vty line) connection from timing out because of inactivity?
a. no service timeout
b. timeout-line none
c. exec-timeout 0 0
d. service timeout default

6. An IOS router’s privileged mode, which you can access by entering the enable
command followed by the appropriate password, has which privilege level?
a. 0
b. 1
c. 15
d. 16

7. How is a CLI view different from a privilege level?
a. A CLI view supports only commands configured for that specific view, whereas a
privilege level supports commands available to that level and all the lower levels.
b. A CLI view can function without a AAA configuration, whereas a privilege level
requires AAA to be configured.
c. A CLI view supports only monitoring commands, whereas a privilege level
allows a user to make changes to an IOS configuration.
d. A CLI view and a privilege level perform the same function. However, a CLI
view is used on a Catalyst switch, whereas a privilege level is used on an IOS
router.

8. To protect a router’s image and configuration against an attacker’s attempt to erase
those files, the Cisco IOS Resilient Configuration feature keeps a secure copy of these
files. What are these files called?
a. The bootset
b. The configset
c. The backupset
d. The backup-config

9. When you configure Cisco IOS login enhancements for virtual connections, what is the
“quiet period”?
a. The period of time between successive login attempts
b. A period of time when no one is attempting to log in
c. The period of time in which virtual login attempts are blocked, following
repeated failed login attempts
d. The period of time in which virtual logins are blocked as security services fully
initialize

10. In the banner motd # command, what does # represent?
a. A single text character that will appear as the message of the day
b. A delimiter indicating the beginning and end of a message of the day
c. A reference to a system variable that contains a message of the day
d. The enable mode prompt from where the message of the day will be entered into
the IOS configuration

11. What Cisco IOS feature provides a graphical user interface (GUI) for configuring a
wide variety of features on an IOS router and also provides multiple “smart wizards”
and configuration tutorials?
a. QPM
b. SAA
c. SMS
d. SDM

12. What are two options for running Cisco SDM? (Choose two.)
a. Running SDM from a router’s flash
b. Running SDM from the Cisco web portal
c. Running SDM from within CiscoWorks
d. Running SDM from a PC

13. Which of the following are valid SDM configuration wizards? (Choose three.)
a. Security Audit
b. VPN
c. ACS
d. NAT
e. STP

Configuring AAA
1. Which of the following commands is used in global configuration mode to enable
AAA?
a. aaa EXEC
b. aaa new-model
c. configure aaa-model
d. configure-model aaa

2. How do you define the authentication method that will be used with AAA?
a. With a method list
b. With a method statement
c. With the method command
d. With the method aaa command

3. Which of the following are authentication methods that may be used with AAA?
(Choose three.)
a. Local
b. Remote
c. TACACS+
d. RADIUS
e. IPsec

4. To configure accounting in AAA, from which mode should the aaa accounting
command be issued?
a. Privileged EXEC
b. Command mode
c. Global configuration
d. Admin EXEC

5. What does the aaa authentication login console-in local command do?
a. It specifies the login authorization method list named console-in using the local
username-password database on the router.
b. It specifies the login authentication list named console-in using the local username-
password database on the router.
c. It specifies the login authentication method list named console-in using the local
user database on the router.
d. It specifies the login authorization method list named console-in using the local
RADIUS username-password database.

6. Which command should be used to enable AAA authentication to determine if a user
can access the privilege command level?
a. aaa authentication enable level
b. aaa authentication enable method default
c. aaa authentication enable default local
d. aaa authentication enable default

7. Which of the following are features provided by Cisco Secure ACS 4.0 for Windows?
(Choose three.)
a. Cisco NAC support
b. IPsec support
c. Network access profiles
d. NTVLM profiles
e. Machine access restrictions

8. Which of the following browsers are supported for use with Cisco Secure ACS?
(Choose three.)
a. Opera 9.2
b. Microsoft Internet Explorer 6 with SP1
c. Netscape 7.1
d. Firefox 2.0
e. Netscape 7.2

9. Which of the following ports are used with RADIUS authentication and authorization?
(Choose two.)
a. UDP port 2000
b. TCP port 2002
c. UDP port 1645
d. TCP port 49
e. UDP port 1812

10. Which of the following are valid responses that the TACACS+ daemon might provide
the NAS during the authentication process? (Choose three.)
a. Accept
b. Reject
c. Approved
d. Continue
e. Failed

11. Which RADIUS message type contains AV pairs for username and password?
a. Access-Request
b. Access-Accept
c. Access-Reject
d. Access-Allow

12. To enable AAA through the SDM, you choose which of the following?
a. Configure > Tasks > AAA
b. Configure > Authentication > AAA
c. Configure > Additional Tasks > AAA
d. Configure > Additional Authentication > AAA

Securing the Router
1. If you need to use Simple Network Management Protocol (SNMP) on your network,
what version does Cisco recommend?
a. Version 2
b. Version 2c
c. Version 3
d. Version 3c

2. What are two automated approaches for hardening the security of a Cisco IOS router?
(Choose two.)
a. AutoQoS
b. AutoSecure
c. Cisco SDM’s One-Step Lockdown
d. Cisco IPS Device Manager (IDM)

3. Which of the following router services can best help administrators correlate events
appearing in a log file?
a. Finger
b. TCP small services
c. CDP
d. NTP

4. What management topology keeps management traffic isolated from production
traffic?
a. OOB
b. OTP
c. SAFE
d. MARS

5. What syslog logging level is associated with warnings?
a. 3
b. 4
c. 5
d. 6

6. Information about a managed device’s resources and activity is defined by a series of
objects. What defines the structure of these management objects?
a. LDAP
b. CEF
c. FIB
d. MIB

7. When SSH is configured, what is the Cisco minimum recommended modulus value?
a. 256 bits
b. 512 bits
c. 1024 bits
d. 2048 bits

8. If you click the Configure button along the top of Cisco SDM’s graphical interface,
which Tasks button allows you to configure such features as SSH, NTP, SNMP, and
syslog?
a. Additional Tasks
b. Interfaces and Connections
c. Security Audit
d. Intrusion Prevention
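
The hardening fragment below is an added example that ties together the Defending the Perimeter, Configuring AAA, and Securing the Router questions above; it is not part of the original quiz or of any Cisco document. Hostnames, the 192.0.2.0/24 management network, the server addresses, and every <...> secret are placeholders, and the legacy tacacs-server host / radius-server host syntax matches the IOS 12.4-era feature set these questions target (newer IOS uses tacacs server / radius server blocks). In IOS a ! comment is only valid on a line of its own, never after a command.

```cisco
! Added hardening example (not from the original quiz). Addresses and
! names are placeholders; replace <...> with real values.
hostname R1
ip domain-name example.com
!
! Passwords: enable secret is a salted hash; enable password is legacy
! cleartext (only reversibly obscured by service password-encryption).
service password-encryption
security passwords min-length 10
enable secret <strong-enable-secret>
no enable password
username admin privilege 15 secret <strong-admin-secret>
!
! Login enhancements (quiet period) and failure-rate delay. Without a
! threshold, the failure-rate command defaults to 10 failures, then a
! 15-second delay.
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT
login on-failure log
login on-success log
security authentication failure rate 5 log
!
banner motd #
Authorized access only. Activity is logged.
#
!
! AAA: methods in a list are tried in order; the next method is used
! only when the earlier one is unreachable, not when it rejects the user.
aaa new-model
aaa authentication login console-in local
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.10 key <tacacs-shared-secret>
! RADIUS on UDP 1812/1813 (1645/1646 are the legacy ports)
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key <radius-shared-secret>
!
! CLI view limited to monitoring commands (requires aaa new-model)
parser view MONITOR
 secret <view-secret>
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show logging
!
! Management ACL, SSHv2 only, 2048-bit RSA modulus
ip access-list standard MGMT
 permit 192.0.2.0 0.0.0.255
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line console 0
 login authentication console-in
 exec-timeout 5 0
line vty 0 4
 access-class MGMT in
 transport input ssh
 exec-timeout 5 0
!
! Resilient Configuration: keeps the secure bootset (image + config)
secure boot-image
secure boot-config
!
! Authenticated NTP, timestamps, syslog at warnings (level 4) and above
ntp authenticate
ntp authentication-key 1 md5 <ntp-key>
ntp trusted-key 1
ntp server 192.0.2.20 key 1
service timestamps log datetime msec localtime show-timezone
logging buffered 64000 informational
logging host 192.0.2.30
logging trap warnings
!
! SNMPv3 authPriv only; no v1/v2c community strings
snmp-server view MGMTVIEW iso included
snmp-server group SNMPV3GRP v3 priv read MGMTVIEW access MGMT
snmp-server user snmpadmin SNMPV3GRP v3 auth sha <auth-pass> priv aes 128 <priv-pass>
!
! Services that AutoSecure / One-Step Lockdown also turn off
no ip http server
ip http secure-server
no cdp run
no ip source-route
no service finger
no service tcp-small-servers
no service udp-small-servers
!
interface GigabitEthernet0/0
 no ip directed-broadcast
 no ip proxy-arp
 no ip redirects
 no ip unreachables
```

Two checks worth running after pasting this in: show aaa method-lists authentication confirms that console-in is bound to the console line and default to the vty lines, and show secure bootset confirms the Resilient Configuration archive exists. Keep a console session open while the AAA lines are applied, because aaa new-model immediately changes how every line authenticates.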

Securing Layer 2 Devices
1. A Cisco Catalyst switch stores port MAC address assignments in what type of table?
a. ARP cache
b. FIB table
c. Adjacency database
d. CAM table

2. What Cisco Catalyst switch feature can isolate ports from one another, even though
those ports belong to the same VLAN?
a. Private VLAN
b. Policing
c. Per-VLAN Spanning Tree (PVST)
d. Dynamic ARP Inspection (DAI)

3. What are the two main approaches for launching a VLAN hopping attack? (Choose
two.)
a. Gratuitous ARP (GARP)
b. Switch spoofing
c. Double tagging
d. DHCP spoofing

4. What Spanning Tree Protocol (STP) protection mechanism disables a switch port if the
port receives a Bridge Protocol Data Unit (BPDU)?
a. Root Guard
b. BPDU Guard
c. PortFast
d. UplinkFast

5. What Cisco Catalyst switch feature can help protect against DHCP server spoofing?
a. DAI
b. GARP
c. DHCP snooping
d. VACLs

6. What type of message might an attacker send to a host to convince the host that the
attacker’s MAC address is the host’s next-hop MAC address?
a. GARP
b. DAI
c. BPDU
d. DHCPACK

7. If a switch is running in the fail-open mode, what happens when the switch’s CAM
table fills to capacity and a new frame arrives?
a. The frame is dropped.
b. A copy of the frame is forwarded out all switch ports other than the port the
frame was received on.
c. The frame is transmitted on the native VLAN.
d. The switch sends a NACK segment to the frame’s source MAC address.

8. What kind of MAC address is dynamically learned by a switch port and then added to
the switch’s running configuration?
a. Static secure MAC address
b. Dynamic secure MAC address
c. Sticky secure MAC address
d. Pervasive secure MAC address

9. What Cisco Catalyst switch feature can be used in an Intrusion Detection System (IDS)
solution to cause the switch to send a copy of traffic for analysis by an IDS sensor?
a. GARP
b. DHCP snooping
c. DAI
d. SPAN

10. What are three potential responses of a switch port to a port security violation?
(Choose three.)
a. Protect
b. Isolate
c. Restrict
d. Shut down

11. What two Cisco Catalyst switch features can be used to mitigate man-in-the-middle
attacks? (Choose the two best answers.)
a. DAI
b. Private VLANs
c. DHCP snooping
d. VACLs

12. In an IEEE 802.1x deployment, EAPOL messages typically are sent between which
two devices?
a. Between the authenticator and the authentication server
b. Between the supplicant and the authentication server
c. Between the RADIUS server and the authenticator
d. Between the supplicant and the authenticator

13. A RADIUS server acts as which component in an IEEE 802.1x deployment?
a. Supplicant
b. Authentication server
c. Authenticator
d. Method list

14. What EAP type usually leverages MS-CHAPv2 as its authentication protocol?
a. PEAP
b. EAP-TLS
c. EAP-MD5
d. LEAP

15. What happens to a client that successfully authenticates with a Cisco Catalyst switch
port using 802.1x but also creates a port security violation?
a. The client can transmit regardless of the port security settings, because of the
successful 802.1x authentication.
b. After the client authenticates, it is allowed to transmit on the network if the
switch is configured for AAA authorization, which explicitly permits network
access for the client.
c. The client cannot transmit because of the port security violation, even though it
successfully authenticated.
d. This is an invalid configuration, because port security and 802.1x features on a
port are mutually exclusive.

16. When is a Cisco Catalyst switch port placed in a restricted VLAN?
a. When a connected client fails to authenticate after a certain number of attempts
b. If a connected client does not support 802.1x
c. After a connected client exceeds a specified idle time
d. When 802.1x is not globally enabled on the Cisco Catalyst switch

17. Which command configures a Cisco Catalyst switch port to operate in multiple-host
mode?
a. Switch(config)# dot1x host-mode multi-host
b. Switch(config-if)# enable dot1x multi-host
c. Switch(config)# no host-mode single-host
d. Switch(config-if)# dot1x host-mode multi-host
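
The switch fragment below is an added example covering the Securing Layer 2 Devices questions above (VLAN hopping, BPDU Guard, DHCP snooping, DAI, port security, SPAN, and 802.1X); it is not part of the original quiz. It assumes a 24-port Catalyst access switch, VLAN 10 for users, VLAN 30 as the 802.1X restricted VLAN, VLAN 999 as an unused native VLAN, a RADIUS server at 192.0.2.11, and the dot1x command forms of the Catalyst 12.2(25)SE era (later releases accept these but prefer the authentication keyword). The switchport trunk encapsulation line is required on 3560/3750 platforms and rejected on dot1q-only switches such as the 2960.

```cisco
! Added Layer 2 hardening example (not from the original quiz). Interface
! numbers, VLAN IDs and addresses are placeholders.
hostname SW1
! Transparent VTP so a rogue VTP server cannot rewrite the VLAN database
vtp mode transparent
!
vlan 10
 name USERS
vlan 30
 name DOT1X_RESTRICTED
vlan 999
 name UNUSED_NATIVE
!
! Uplink trunk: no DTP (defeats switch spoofing), unused native VLAN
! (defeats double tagging), Root Guard against a rogue root bridge.
interface GigabitEthernet0/24
 description uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,30
 spanning-tree guard root
 ip dhcp snooping trust
 ip arp inspection trust
!
! DHCP snooping builds the binding table that DAI relies on; only the
! uplink may send DHCPOFFER/DHCPACK.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
! DAI drops ARP (including gratuitous ARP) that contradicts the bindings.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! BPDU Guard err-disables any PortFast port that receives a BPDU;
! auto-recovery so a mistake does not need a manual shut/no shut.
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! 802.1X: the switch is the authenticator, RADIUS the authentication
! server; EAPOL runs only between supplicant and switch.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key <radius-shared-secret>
dot1x system-auth-control
!
! User ports: sticky port security (restrict = drop, log, count),
! PortFast, snooping/ARP rate limits, 802.1X with a restricted VLAN
! after 3 failures. A port-security violation still blocks a host that
! has authenticated successfully.
interface range GigabitEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 storm-control broadcast level 1.00
 dot1x port-control auto
 dot1x auth-fail max-attempts 3
 dot1x auth-fail vlan 30
!
! Port behind a hub or hypervisor: first host authenticates, the rest
! are admitted on its authentication.
interface GigabitEthernet0/21
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x host-mode multi-host
!
! SPAN: copy VLAN 10 traffic to an IDS sensor on Gi0/22.
monitor session 1 source vlan 10
monitor session 1 destination interface GigabitEthernet0/22
!
! Unused port: parked in the unused VLAN and shut down.
interface GigabitEthernet0/23
 switchport mode access
 switchport access vlan 999
 shutdown
```

Verify with show ip dhcp snooping binding (DAI can only validate addresses that appear here, so statically addressed hosts need ip arp inspection filter entries or an ARP ACL), show port-security interface for the sticky addresses and violation counters, and show dot1x interface to confirm the port-control and host-mode settings took effect.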

Implementing Endpoint Security
1. Network containment is provided by which of the following Cisco Self-Defending
Network elements? (Choose all that apply.)
a. IPS
b. NAC
c. SDN
d. CSA
e. HNS

2. Which of the following is not a phase in a worm attack?
a. Paralyze
b. Propagate
c. Eradicate
d. Persist

3. During the probe phase of a worm attack, which of the following might be used?
a. Ping scans
b. File copy
c. Exploit code
d. E-mail

4. The great majority of software vulnerabilities that have been discovered are which of
the following?
a. Software overflows
b. Heap overflows
c. Stack vulnerabilities
d. Buffer overflows

5. Hardening your application software involves what? (Choose all that apply.)
a. Applying patches
b. Applying virus software
c. Applying security fixes
d. Upgrading firmware

6. The Dynamic Vector Streaming (DVS) engine is a scanning technology that enables
what?
a. Layer 4 virus detection
b. Signature-based virus filtering
c. Signature-based spyware filtering
d. Firmware-level virus detection

7. Which of the following are features provided by the Cisco NAC device to help secure
enterprise and endpoint systems? (Choose all that apply.)
a. Authentication and authorization
b. Posture assignment
c. Remediation of noncompliant systems
d. Quarantining of noncompliant applications

8. Which Cisco Security Agent Interceptor is responsible for intercepting all read/write
requests to the rc files in UNIX?
a. File system interceptor
b. Configuration interceptor
c. Network interceptor
d. Execution space interceptor

9. What does the Cisco Security Agent do when an operating system call to the kernel by
an application violates the security policy? (Choose all that apply.)
a. An appropriate error message is passed back to the operating system.
b. An alert is generated and sent to the Management Center for Cisco Security
Agent.
c. An appropriate error message is passed back to the application.
d. An alert is generated and sent to the Cisco S
