CCNA Security 210-260 - certification book 20170128
Number: 000-001
Passing Score: 860
Time Limit: 110
File Version: 1.0

Cisco CCNA Security 210-260: certification book questions
Version 28.01.2017

Certification Book Questions

QUESTION
Which security term refers to a person, property, or data of value to a company?
A. Risk
B. Asset
C. Threat prevention
D. Mitigation technique
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION
Which asset characteristic refers to risk that results from a threat and lack of a countermeasure?
A. High availability
B. Liability
C. Threat prevention
D. Vulnerability
Correct Answer: D

QUESTION
Which three items are the primary network security objectives for a company?
A. Revenue generation
B. Confidentiality
C. Integrity
D. Availability
Correct Answer: BCD

QUESTION
Which data classification label is usually not found in a government organization?
A. Unclassified
B. Classified but not important
C. Sensitive but unclassified
D. For official use only
E. Secret
Correct Answer: B

QUESTION
Which of the following represents a physical control?
A. Change control policy
B. Background checks
C. Electronic lock
D. Access lists
Correct Answer: C

QUESTION
What is the primary motivation for most attacks against networks today?
A. Political
B. Financial
C. Theological
D. Curiosity
Correct Answer: B

QUESTION
Which type of an attack involves lying about the source address of a frame or packet?
A. Man-in-the-middle attack
B. Denial-of-service attack
C. Reconnaissance attack
D. Spoofing attack
Correct Answer: D

QUESTION
Which two approaches to security provide the most secure results on day one?
A. Role based
B. Defense in depth
C. Authentication
D. Least privilege
Correct Answer: BD

QUESTION
Which of the following might you find in a network that is based on a defense-in-depth security implementation? (Choose all that apply.)
A. Firewall
B. IPS
C. Access lists
D. Current patches on servers
Correct Answer: ABCD

QUESTION 10
In relation to production networks, which of the following are viable options when dealing with risk? (Choose all that apply.)
A. Ignore it
B. Transfer it
C. Mitigate it
D. Remove it
Correct Answer: BCD

QUESTION 11
Which of the following is not a motivation of malicious actors?
A. Disruption
B. Bug bounty award
C. Financial
D. Geopolitical
Correct Answer: B

QUESTION 12
Which of the following is not considered a type of DDoS attack?
A. Directed
B. Cached
C. Reflected
D. Amplified
Correct Answer: B

QUESTION 13
Why is UDP the “protocol of choice” for reflected DDoS attacks?
A. There are more application choices when using UDP
B. UDP requires a three-way handshake to establish a connection
C. UDP is much more easily spoofed
D. TCP cannot be used in DDoS attacks
Correct Answer: C

QUESTION 14
Which of the following is leveraged in social engineering?
A. Software vulnerabilities
B. Human nature
C. Protocol violations
D. Application issues
Correct Answer: B

QUESTION 15
Which of the following is not a form of social engineering?
A. Phone scams
B. Phishing
C. Denial of service (DoS)
D. Malvertising
Correct Answer: C

QUESTION 16
Which of the following is not a valid defense against social engineering?
A. Two-factor authentication
B. Information classification
C. Infrastructure hardening
D. Physical security
Correct Answer: C

QUESTION 17
Which tool provides the most granular information to help in the identification of malware?
A. NetFlow
B. Syslog
C. Packet capture
D. Server logs
Correct Answer: C

QUESTION 18
NetFlow provides which of the following?
A. Detailed data about each packet on the network
B. Troubleshooting messages about the network devices
C. Information on the types of traffic traversing the network
D. Network names of routers, end hosts, servers
Correct Answer: C

QUESTION 19
Which of the following is not used for identification of malware on the network?
A. NetFlow
B. IPS events
C. Routing Information Base (RIB)
D. Packet captures
Correct Answer: C

QUESTION 20
Which type of data is not often attractive to malicious actors?
A. Personally identifiable information (PII)
B. Training schedules
C. Credit and debit card data
D. Intellectual property (IP)
Correct Answer: B

QUESTION 21
Which of the following are most likely to be used for authentication of a network administrator accessing the CLI of a Cisco router? (Choose all that apply.)
A. TACACS+
B. Diameter
C. RADIUS
D. ACS
Correct Answer: AD

QUESTION 22
Which of the following allows for granular control related to authorization of specific Cisco IOS commands that are being attempted by an authenticated and authorized Cisco router administrator?
A. RADIUS
B. Diameter
C. TACACS+
D. ISE
Correct Answer: C

QUESTION 23
Which devices or users would be clients of an ACS server? (Choose all that apply.)
A. Routers
B. Switches
C. VPN users
D. Administrators
Correct Answer: AB

QUESTION 24
On the router, what should be created and applied to a vty line to enforce a specific set of methods for identifying who a user is?
A. RADIUS server
B. TACACS+ server
C. Authorization method list
D. Authentication method list
Correct Answer: D

QUESTION 25
What is the minimum size for an effective TACACS+ group of servers?
A B C D
Correct Answer: A

QUESTION 26
With what can you configure AAA on the router? (Choose all that apply.)
A. ACS
B. CCP
C. CLI
D. TACACS+
Correct Answer: BC

QUESTION 27
Which statement is true for ACS 5.x and later?
A. User groups are nested in network device groups
B. Authorization policies can be associated with user groups that are accessing specific network device groups
C. There must be at least one user in a user group
D. User groups can be used instead of device groups for simplicity
Correct Answer: B

QUESTION 28
Where in the ACS do you go to create a new group of administrators?
A. Users and Identity Stores > Identity Groups
B. Identity Stores > Identity Groups
C. Identity Stores and Groups > Identity Groups
D. Users and Groups > Identity Groups
Correct Answer: A

QUESTION 29
From the router, which method tests the most about the ACS configuration, without forcing you to log in again at the router?
A. ping
B. traceroute
C. test aaa
D. telnet
Correct Answer: C

QUESTION 30
Which of the following could likely cause an ACS authentication failure, even when the user is using the correct credentials? (Choose all that apply.)
A. Incorrect secret on the ACS
B. Incorrect IP address of the ACS configured on the router
C. Incorrect routing
D. Incorrect filtering between the ACS and the router
Correct Answer: ABCD

QUESTION 31
Which of the following is not a business driver for a BYOD solution?
A. Need for employees to work anywhere and anytime
B. Increase in the type of devices needed and used by employees to connect to the corporate network
C. The lack of IPv4 address space
D. Fluidity of today’s work schedules
Correct Answer: C

QUESTION 32
Which component provides Wi-Fi access for employees in home offices, branch offices, and on the corporate campus?
A. WLAN controllers (WLC)
B. Cisco AnyConnect Client
C. Wireless access points (AP)
D. Identity Services Engine (ISE)
Correct Answer: C

QUESTION 33
The Identity Services Engine (ISE) provides which of the following?
A. Access, authentication, accounting
B. Authentication, authorization, accounting

Correct Answer: D

QUESTION 148
What does application layer inspection provide?
A. Packet filtering at Layer and higher
B. Enables a firewall to listen in on a client/server communication, looking for information regarding communication channels
C. Proxy server functionality
D. Application layer gateway functionality
Correct Answer: B

QUESTION 149
Which one of the following is true about a transparent firewall?
A. Implemented at Layer
B. Implemented at Layer
C. Implemented at Layer
D. Implemented at Layer and higher
Correct Answer: B

QUESTION 150
What is the specific term for performing Network Address Translation for multiple inside devices but optimizing the number of global addresses required?
A. NAT-T
B. NAT
C. PAT
D. PAT-T
Correct Answer: C

QUESTION 151
What term refers to the internal IP address of a client using NAT as seen from other devices on the same internal network as the client?
A. Inside local
B. Inside global
C. Outside local
D. Outside global
Correct Answer: A

QUESTION 152
Which of the following describes a rule on the firewall which will never be matched because of where the firewall is in the network?
A. Orphaned rule
B. Redundant rule
C. Shadowed rule
D. Promiscuous rule
Correct Answer: A

QUESTION 153
What is the long-term impact of providing a promiscuous rule as a short-term test in an attempt to get a network application working?
A. The promiscuous rule may be left in place, leaving a security hole
B. The rule cannot be changed later to more accurately filter based on the business requirement
C. It should be a shadowed rule
D. Change control documentation may not be completed for this test
Correct Answer: A

QUESTION 154
Which zone is implied by default and does not need to be manually created?
A. Inside
B. Outside
C. DMZ
D. Self
Correct Answer: D

QUESTION 155
If interface number is in zone A, and interface number is in zone B, and there are no policy or service commands applied yet to the configuration, what is the status of transit traffic that is being routed between these two interfaces?
A. Denied
B. Permitted
C. Inspected
D. Logged
Correct Answer: A

QUESTION 156
When creating a specific zone pair and applying a policy to it, policy is being implemented on initial traffic in how many directions?
A B C D Depends on the policy
Correct Answer: A

QUESTION 157
What is the default policy between an administratively created zone and the self zone?
A. Deny
B. Permit
C. Inspect
D. Log
Correct Answer: B

QUESTION 158
What is one of the added configuration elements that the Advanced security setting has in the ZBF Wizard that is not included in the Low security setting?
A. Generic TCP inspection
B. Generic UDP inspection
C. Filtering of peer-to-peer networking applications
D. NAT
Correct Answer: C

QUESTION 159
Why is it that the return traffic, from previously inspected sessions, is allowed back to the user, in spite of not having a zone pair explicitly configured that matches on the return traffic?
A. Stateful entries (from the initial flow) are matched, which dynamically allows return traffic
B. Return traffic is not allowed because it is a firewall
C. Explicit ACL rules need to be placed on the return path to allow the return traffic
D. A zone pair in the opposite direction of the initial zone pair (including an applied policy) must be applied for return traffic to be allowed
Correct Answer: A

QUESTION 160
Which of the following commands shows the current NAT translations on the router?
A. show translations
B. show nat translations
C. show ip nat translations
D. show ip nat translations *
Correct Answer: C

QUESTION 161
What does the keyword overload imply in a NAT configuration?
A. NAT is willing to take up to 100 percent of available CPU
B. PAT is being used
C. NAT will provide “best effort” but not guaranteed service, due to an overload
D. Static NAT is being used
Correct Answer: B

QUESTION 162
Which of the following features does the Cisco ASA provide? (Choose all that apply.)
A. Simple packet filtering using standard or extended access lists
B. Layer transparent implementation
C. Support for remote-access SSL VPN connections
D. Support for site-to-site SSL VPN connections
Correct Answer: ABC

QUESTION 163
Which of the following Cisco ASA models are designed for small and branch offices? (Choose all that apply.)
A. 5505
B. 5512-X
C. 5555-X
D. 5585-X with SSP10
Correct Answer: AB

QUESTION 164
When used in an access policy, which component could identify multiple servers?
A. Stateful filtering
B. Application awareness
C. Object groups
D. DHCP services
Correct Answer: C

QUESTION 165
Which of the following is an accurate description of the word inbound as it relates to an ASA? (Choose all that apply.)
A. Traffic from a device that is located on a high-security interface
B. Traffic from a device that is located on a low-security interface
C. Traffic that is entering any interface
D. Traffic that is exiting any interface
Correct Answer: BC

QUESTION 166
When is traffic allowed to be routed and forwarded if the source of the traffic is from a device located off of a low-security interface if the destination device is located off of a high-security interface? (Choose all that apply.)
A. This traffic is never allowed
B. This traffic is allowed if the initial traffic was inspected and this traffic is the return traffic
C. If there is an access list that is permitting this traffic
D. This traffic is always allowed by default
Correct Answer: BC

QUESTION 167
Which of the following tools could be used to configure or manage an ASA? (Choose all that apply.)
A. Cisco Security Manager (CSM)
B. ASA Security Device Manager (ASDM)
C. Cisco Configuration Professional (CCP)
D. The command-line interface (CLI)
Correct Answer: ABD

QUESTION 168
Which of the following elements, which are part of the Modular Policy Framework on the ASA, are used to classify traffic?
A. Class maps
B. Policy maps
C. Service policies
D. Stateful filtering
Correct Answer: A

QUESTION 169
When you configure the ASA as a DHCP server for a small office, what default gateway will be assigned for the DHCP clients to use?
A. The service provider’s next-hop IP address
B. The ASA’s outside IP address
C. The ASA’s inside IP address
D. Clients need to locally configure a default gateway value
Correct Answer: C

QUESTION 170
When you configure network address translation for a small office, devices on the Internet will see the ASA inside users as coming from which IP address?
A. The inside address of the ASA
B. The outside address of the ASA
C. The DMZ address of the ASA
D. Clients will each be assigned a unique global address, one for each user
Correct Answer: B

QUESTION 171
You are interested in verifying whether the security policy you implemented is having the desired effect. How can you verify this policy without involving end users or their computers?
A. Run the policy check tool, which is built in to the ASA
B. The ASA automatically verifies that policy matches intended rules
C. Use the Packet Tracer tool
D. You must manually generate the traffic from an end-user device to verify that the firewall will forward it or deny it based on policy
Correct Answer: C

QUESTION 172
Which method should you implement when it is not acceptable for an attack to reach its intended victim?
A. IDS
B. IPS
C. Out of band
D. Hardware appliance
Correct Answer: B

QUESTION 173
A company has hired you to determine whether attacks are happening against the server farm, and it does not want any additional delay added to the network. Which deployment method should be used?
A. Appliance-based inline
B. IOS software-based inline
C. Appliance-based IPS
D. IDS
Correct Answer: D

QUESTION 174
Why does IPS have the ability to prevent an ICMP-based attack from reaching the intended victim?
A. Policy-based routing
B. TCP resets are used
C. The IPS is inline with the traffic
D. The IPS is in promiscuous mode
Correct Answer: C

QUESTION 175
Which method of IPS uses a baseline of normal network behavior and looks for deviations from that baseline?
A. Reputation-based IPS
B. Policy-based IPS
C. Signature-based IPS
D. Anomaly-based IPS
Correct Answer: D

QUESTION 176
Which type of implementation requires custom signatures to be created by the administrator?
A. Reputation-based IPS
B. Policy-based IPS
C. Engine-based IPS
D. Anomaly-based IPS
Correct Answer: B

QUESTION 177
Which method requires participation in global correlation involving groups outside your own enterprise?
A. Reputation-based IPS
B. Policy-based IPS
C. Signature-based IPS
D. Anomaly-based IPS
Correct Answer: A

QUESTION 178
Which of the micro-engines contains signatures that can only match on a single packet, as opposed to a flow of packets?
A. Atomic
B. String
C. Flood
D. Other
Correct Answer: A

QUESTION 179
Which of the following are properties directly associated with a signature? (Choose all that apply.)
A. ASR
B. SFR
C. TVR
D. RR
Correct Answer: AB

QUESTION 180
Which of the following is not a best practice?
A. Assign aggressive IPS responses to specific signatures
B. Assign aggressive IPS responses based on the resulting risk rating generated by the attack
C. Tune the IPS and revisit the tuning process periodically
D. Use correlation within the enterprise and globally for an improved security posture
Correct Answer: A

QUESTION 181
What is the name of Cisco cloud-based services for IPS correlation?
A. SIO
B. EBAY
C. ISO
D. OSI
Correct Answer: A

QUESTION 182
Which of the following is not a Next-Generation IPS (NGIPS) solution?
A. NGIPSv
B. ASA with FirePOWER
C. SIO IPS
D. FirePOWER 8000 series appliances
Correct Answer: C

QUESTION 183
Which of the following features does the Cisco ESA provide? (Choose all that apply.)
A. Network antivirus capabilities
B. E-mail encryption
C. Threat outbreak prevention
D. Support for remote access SSL VPN connections
Correct Answer: ABC

QUESTION 184
Which of the following Cisco ESA models are designed for mid-sized organizations? (Choose all that apply.)
A. Cisco C380
B. Cisco C670
C. Cisco C680
D. Cisco X1070
Correct Answer: AB

QUESTION 185
What is a spear phishing attack?
A. Unsolicited e-mails sent to an attacker
B. A denial-of-service (DoS) attack against an e-mail server
C. E-mails that are directed to specific individuals or organizations. An attacker may obtain information about the targeted individual or organization from social media sites and other sources
D. Spam e-mails sent to numerous victims with the purpose of making money
Correct Answer: C

QUESTION 186
Which of the following e-mail authentication mechanisms are supported by the Cisco ESA? (Choose all that apply.)
A. Sender Policy Framework (SPF)
B. Sender ID Framework (SIDF)
C. DomainKeys Identified Mail (DKIM)
D. DomainKeys Mail Protection (DMP)
Correct Answer: ABC

QUESTION 187
Which of the following is the operating system used by the Cisco WSA?
A. Cisco AsyncOS operating system
B. Cisco IOS-XR Software
C. Cisco IOS-XE Software
D. Cisco IOS Software
E. Cisco ASA Software
Correct Answer: A

QUESTION 188
Which of the following connectors are supported by the Cisco CWS service? (Choose all that apply.)
A. Cisco Security Manager (CSM)
B. Cisco ASA
C. Cisco ISR G2 routers
D. Cisco AnyConnect Secure Mobility Client
E. Cisco WSA
Correct Answer: BCDE

QUESTION 189
Which of the following features are supported by the Cisco WSA? (Choose all that apply.)
A. File reputation
B. File sandboxing
C. Layer traffic monitor
D. Real-time e-mail scanning
E. Third-party DLP integration
Correct Answer: ABCE

QUESTION 190
Cisco WSA can be deployed using the Web Cache Communication Protocol (WCCP) configured in which of the following modes? (Choose all that apply.)
A. Multiple context mode
B. Explicit proxy mode
C. Transparent proxy mode
D. Virtualized mode
Correct Answer: BC

QUESTION 191
Which of the following are examples of the most common types of malware? (Choose all that apply.)
A. viruses
B. worms
C. file encryption software
D. Trojan horses
Correct Answer: ABD

QUESTION 192
Which of the following are open source antivirus software? (Choose all that apply.)
A. ClamAV
B. Immunet
C. ImuniSec
D. ClamSoft
Correct Answer: AB

QUESTION 193
Which of the following statements is correct about back doors?
A. Back doors are created when a buffer overflow is exploited
B. Back doors can open a network port on the affected system so that the attacker can connect and control such system
C. Back doors can open a network firewall port in the network
D. Back doors are used to legitimately configure system configurations
Correct Answer: A

QUESTION 194
Cisco AMP for Endpoints provides advanced malware protection for which of the following operating systems? (Choose all that apply.)
A. Windows
B. MAC OS X
C. Android
D. Solaris
E. HP-UX
Correct Answer: ABC

QUESTION 195
Which of the following are examples of e-mail encryption solutions? (Choose all that apply.)
A. Secure/Multipurpose Internet Mail Extensions (S/MIME)
B. VPNs
C. Pretty Good Privacy (PGP)
D. GNU Privacy Guard (GnuPG)
E. Web-based encryption e-mail service like Sendinc or JumbleMe
Correct Answer: ACDE

QUESTION 196
Which of the following file types are supported by Cisco AMP for Endpoints? (Choose all that apply.)
A. PDF
B. ASC
C. MSCAB
D. ZIP
E. MACHO
Correct Answer: ACDE

QUESTION 197
Which of the following are examples of full disk encryption legitimate software? (Choose all that apply.)
A. FileVault
B. Cisco FileEncryptor
C. BitLocker
D. CryptoWall
E. CryptoLocker
Correct Answer: AC

QUESTION 198
VPN implementations can be categorized into which of the following two distinct groups?
A. Site-to-site VPNs
B. Free VPNs
C. Commercial VPNs
D. Remote-access VPNs
Correct Answer: AD

... from a hotel room from a laptop. What type of VPN is used for this?
A. Site-to-site VPN
B. Dial-up VPN
C. PPP VPN
D. Remote-access VPN
Correct Answer: D

... and discards ARP packets with invalid IP-to-MAC address bindings
B. DAI helps to mitigate MITM attacks
C. DAI determines validity of ARP packets based on IP-to-MAC address bindings found in the DHCP