Modules 24 – 25: Protocols and Log Files Group Exam Answers


CyberOps Associate (Version 1.0) – Modules 24 – 25: Protocols and Log Files Group Exam

1. What is a feature of the tcpdump tool?

  • It provides real-time reporting and long-term analysis of security events.
  • It records metadata about packet flows.
  • It uses agents to submit host logs to centralized management servers.
  • It can display packet captures in real time or write them to a file.

2. Which Windows tool can be used to review host logs?

  • Services
  • Event Viewer
  • Task Manager
  • Device Manager

3. Which type of security data can be used to describe or predict network behavior?

  • alert
  • transaction
  • session
  • statistical

4. Which function is provided by the Sguil application?

  • It reports conversations between hosts on the network.
  • It makes Snort-generated alerts readable and searchable.
  • It detects potential network intrusions.
  • It prevents malware from attacking a host.
Explanation: Applications such as Snorby and Sguil can be used to read and search alert messages generated by NIDS/NIPS.

5. Which ICMP message type should be stopped inbound?

  • source quench
  • echo-reply
  • echo
  • unreachable
Explanation: The echo ICMP packet should not be allowed inbound on an interface. The echo-reply should be allowed so that when an internal device pings an external device, the reply is allowed to return.

6. How can IMAP be a security threat to a company?

  • Someone inadvertently clicks on a hidden iFrame.
  • Encrypted data is decrypted.
  • An email can be used to bring malware to a host.
  • It can be used to encode stolen data and send to a threat actor.
Explanation: IMAP, SMTP, and POP3 are email protocols. SMTP is used to send data from a host to a server or to send data between servers. IMAP and POP3 are used to download email messages and can be responsible for bringing malware to the receiving host.

7. Which two technologies are primarily used on peer-to-peer networks? (Choose two.)

  • Bitcoin
  • BitTorrent
  • Wireshark
  • Darknet
  • Snort
Explanation: Bitcoin is used to share a distributed database or ledger. BitTorrent is used for file sharing.

8. Which protocol is exploited by cybercriminals who create malicious iFrames?

  • HTTP
  • ARP
  • DHCP
  • DNS
Explanation: An HTML element known as an inline frame or iFrame allows the browser to load a different web page from another source.

9. Which method is used by some malware to transfer files from infected hosts to a threat actor host?

  • UDP infiltration
  • ICMP tunneling
  • HTTPS traffic encryption
  • iFrame injection
Explanation: ICMP traffic from inside the company is also a threat. Some varieties of malware use ICMP packets to transfer files from infected hosts to threat actors via ICMP tunneling.

10. Why does HTTPS technology add complexity to network security monitoring?

  • HTTPS dynamically changes the port number on the web server.
  • HTTPS uses tunneling technology for confidentiality.
  • HTTPS hides the true source IP address using NAT/PAT.
  • HTTPS conceals data traffic through end-to-end encryption.
Explanation: With HTTPS, the client first verifies the web server's certificate and then agrees on a symmetric session key with the server. In the classic RSA key exchange the course describes, the client generates the symmetric key, encrypts it with the server's public key, and the server decrypts it with its private key (only the private key can do this). Modern TLS (1.2 with ECDHE cipher suites, and all of TLS 1.3) instead derives the session key with ephemeral Diffie-Hellman, so the key is never sent on the wire at all. Either way, the session key then encrypts the data exchanged between client and server. This end-to-end encryption complicates inline network security monitoring: a passive sensor sees only handshake metadata such as the server name in the SNI extension (and, in TLS 1.2, the server certificate) unless a decryption proxy is placed in the path. The HTTPS port number, typically 443, is configured statically on the web server.

11. Which approach is intended to prevent exploits that target syslog?

  • Use a Linux-based server.
  • Use syslog-ng.
  • Create an ACL that permits only TCP traffic to the syslog server.
  • Use a VPN between a syslog client and the syslog server.
Explanation: Hackers may try to block clients from sending data to the syslog server, manipulate or erase logged data, or manipulate the software used to transmit messages between the clients and the server. Syslog-ng is the next generation of syslog and it contains improvements to prevent some of the exploits.

12. Which type of attack is carried out by threat actors against a network to determine which IP addresses, protocols, and ports are allowed by ACLs?

  • phishing
  • denial of service
  • reconnaissance
  • social engineering
Explanation: Packet filtering ACLs use rules to filter incoming and outgoing traffic. These rules are defined by specifying IP addresses, port numbers, and protocols to be matched. Threat actors can use a reconnaissance attack involving port scanning or penetration testing to determine which IP addresses, protocols, and ports are allowed by ACLs.

13. Which two application layer protocols manage the exchange of messages between a client with a web browser and a remote web server? (Choose two.)

  • HTTP
  • HTTPS
  • DNS
  • DHCP
  • HTML
Explanation: Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS) are two application layer protocols that manage the content requests from clients and the responses from the web server. HTML (Hypertext Mark-up Language) is the encoding language that describes the content and display features of a web page. DNS is for domain name to IP address resolution. DHCP manages and provides dynamic IP configurations to clients.

14. What is Tor?

  • a rule created in order to match a signature of a known exploit
  • a software platform and network of P2P hosts that function as Internet routers
  • a way to share processors between network devices across the Internet
  • a type of Instant Messaging (IM) software used on the darknet

15. Which Windows log contains information about installations of software, including Windows updates?

  • system logs
  • application logs
  • setup logs
  • security logs
Explanation: On a Windows host, setup logs record information about the installation of software, including Windows updates.

16. Match the Windows host log to the messages contained in it. (Not all options are used.)

  • events logged by various applications : application logs
  • events related to the web server access and activity :
  • events related to the operation of drivers, processes, and hardware : system logs
  • information about the installation of software, including Windows updates : setup logs
  • events related to logon attempts and operations related to file or object management and access : security logs

17. Which Cisco appliance can be used to filter network traffic contents to report and deny traffic based on the web server reputation?

  • WSA
  • AVC
  • ASA
  • ESA
Explanation: The Cisco Web Security Appliance (WSA) acts as a web proxy for an enterprise network. WSA can provide many types of logs related to web traffic security including ACL decision logs, malware scan logs, and web reputation filtering logs. The Cisco Email Security Appliance (ESA) is a tool to monitor most aspects of email delivery, system functioning, antivirus, antispam operations, and blacklist and whitelist decisions. The Cisco ASA is a firewall appliance. The Cisco Application Visibility and Control (AVC) system combines multiple technologies to recognize, analyze, and control over 1000 applications.

18. Which technique would a threat actor use to disguise traces of an ongoing exploit?

  • Create an invisible iFrame on a web page.
  • Corrupt time information by attacking the NTP infrastructure.
  • Encapsulate other protocols within DNS to evade security measures.
  • Use SSL to encapsulate malware.
Explanation: The Network Time Protocol (NTP) uses a hierarchy of time sources to provide a consistent time clock to network infrastructure devices. Threat actors may attack the NTP infrastructure in order to corrupt time information that is used in network logs.

19. A system administrator runs a file scan utility on a Windows PC and notices a file lsass.exe in the Program Files directory. What should the administrator do?

  • Delete the file because it is probably malware.
  • Move it to Program Files (x86) because it is a 32-bit application.
  • Uninstall the lsass application because it is a legacy application and no longer required by Windows.
  • Open the Task Manager, right-click on the lsass process and choose End Task.
Explanation: On Windows computers, security logging and security policy enforcement are carried out by the Local Security Authority Subsystem Service (LSASS), running as lsass.exe. The genuine binary runs from the Windows\System32 directory (normally C:\Windows\System32) as a single process whose parent is wininit.exe. If a file with this name, or a camouflaged name such as 1sass.exe, is running from another directory such as Program Files, it could be malware.
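The check described above, as an added example (not code from the original page or the Cisco course): given an image name and its full path, decide whether it is the genuine system process, a process running from the wrong location, or a lookalike name built from substituted characters. The protected process list, the fixed C:\Windows drive, and the lookalike character map are assumptions for this example.

```python
from pathlib import PureWindowsPath

# Core Windows processes that legitimately run only from System32.
# The list and the fixed C:\Windows system root are assumptions for this example.
PROTECTED_PROCESSES = {
    "lsass.exe":    r"C:\Windows\System32\lsass.exe",
    "csrss.exe":    r"C:\Windows\System32\csrss.exe",
    "services.exe": r"C:\Windows\System32\services.exe",
    "winlogon.exe": r"C:\Windows\System32\winlogon.exe",
    "svchost.exe":  r"C:\Windows\System32\svchost.exe",
}

# Characters attackers substitute for letters in a protected name ("1sass.exe", "Isass.exe", "lsa5s.exe").
# Applied after lowercasing, so a capital "I" becomes "i" and is then mapped to "l".
LOOKALIKES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s", "$": "s"})

def canonical_name(name):
    return name.lower().translate(LOOKALIKES)

# Index the protected names by their canonical form so a lookalike maps back to the real name.
PROTECTED_BY_CANON = {canonical_name(k): (k, v) for k, v in PROTECTED_PROCESSES.items()}

def same_path(a, b):
    # Windows paths are case-insensitive; PureWindowsPath also unifies / and \ separators.
    return str(PureWindowsPath(a)).lower() == str(PureWindowsPath(b)).lower()

def assess_process(name, path):
    """Return (verdict, reason) for one executable as reported by a file scan or process list."""
    canon = canonical_name(name)
    if canon not in PROTECTED_BY_CANON:
        return ("ok", f"{name} is not a protected system process name")
    real_name, expected = PROTECTED_BY_CANON[canon]
    if name.lower() != real_name:
        return ("lookalike", f"{name} imitates {real_name} with substituted characters")
    if not same_path(path, expected):
        return ("wrong-location", f"{name} runs from {path}, expected {expected}")
    return ("ok", f"{name} runs from its expected location")

# Constructed sample of (image name, full path) pairs.
SAMPLE = [
    ("lsass.exe",   r"C:\Windows\System32\lsass.exe"),
    ("lsass.exe",   r"C:\Program Files\lsass.exe"),        # the scenario in the question
    ("1sass.exe",   r"C:\Windows\System32\1sass.exe"),     # digit one for the letter l
    ("Isass.exe",   r"C:\Users\Public\Isass.exe"),         # capital I for the letter l
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

def findings(sample=SAMPLE):
    return [(name, path, *assess_process(name, path)) for name, path in sample]

if __name__ == "__main__":
    for name, path, verdict, reason in findings():
        print(f"{verdict:15} {reason}")
```

A real triage would also confirm that exactly one lsass.exe is running and that its parent process is wininit.exe; this example only checks the name and the path.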

20. Refer to the exhibit. A network administrator is viewing some output on the Netflow collector. What can be determined from the output of the traffic flow shown?

  • This is a UDP DNS request to a DNS server.
  • This is a UDP DNS response to a client machine.
  • This is a TCP DNS request to a DNS server.
  • This is a TCP DNS response to a client machine.
Explanation: The flow shown has a source port of 53 and a destination port of 1025. Port 53 is the DNS service port; because it appears as the source port, this record is the server's reply back to the client's ephemeral port 1025. The IP protocol field is 17, which is UDP, and the TCP flags field is 0, as expected for a non-TCP flow. NetFlow records are unidirectional, so the client's query would appear as a separate flow with the ports reversed.
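The interpretation in the explanation for question 20, and the ICMP tunneling concern from question 9, as an added example (not code from the original page or the Cisco course): a small classifier over NetFlow v5-style records that names the protocol and service, decides which side is the server from the well-known port, and flags ICMP flows whose average packet size is far above a normal ping. The service-port table, the size threshold, and all sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Well-known service ports used to decide which side of a flow is the server (a small subset, by assumption).
SERVICE_PORTS = {53: "DNS", 80: "HTTP", 443: "HTTPS", 25: "SMTP", 110: "POP3", 143: "IMAP", 22: "SSH", 514: "syslog"}

@dataclass
class Flow:
    """One unidirectional NetFlow v5 record (field names follow the v5 export format)."""
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    prot: int        # IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP
    tcp_flags: int   # cumulative OR of TCP flags seen; 0 for non-TCP flows
    dpkts: int       # packets in the flow
    doctets: int     # layer-3 bytes in the flow

def describe_flow(f):
    proto = PROTO_NAMES.get(f.prot, f"IP proto {f.prot}")
    if f.prot == 1:
        # NetFlow v5 stores the ICMP type and code in the destination port field as (type * 256) + code.
        icmp_type, icmp_code = f.dstport >> 8, f.dstport & 0xFF
        return {"proto": proto, "service": f"ICMP type {icmp_type} code {icmp_code}", "direction": "n/a"}
    src_svc, dst_svc = SERVICE_PORTS.get(f.srcport), SERVICE_PORTS.get(f.dstport)
    if dst_svc and not src_svc:
        return {"proto": proto, "service": dst_svc, "direction": "client->server"}
    if src_svc and not dst_svc:
        return {"proto": proto, "service": src_svc, "direction": "server->client"}
    return {"proto": proto, "service": "unknown", "direction": "unknown"}

def describe_text(f):
    d = describe_flow(f)
    if d["direction"] == "server->client":
        return f"{d['proto']} {d['service']} response from server {f.srcaddr} to client {f.dstaddr}:{f.dstport}"
    if d["direction"] == "client->server":
        return f"{d['proto']} {d['service']} request from client {f.srcaddr}:{f.srcport} to server {f.dstaddr}"
    return f"{d['proto']} {d['service']} {f.srcaddr} -> {f.dstaddr}, {f.dpkts} pkts, {f.doctets} bytes"

def icmp_tunnel_suspects(flows, max_avg_bytes=128):
    """Flag ICMP flows whose average packet size is far above a normal ping.
    A default Linux ping is 84 bytes of IP (20 IP + 8 ICMP + 56 data) and a Windows
    ping 60 bytes, so sustained large ICMP packets suggest data carried inside echo
    requests. This is a triage heuristic: MTU tests and some monitoring tools also send large pings."""
    suspects = []
    for f in flows:
        if f.prot == 1 and f.dpkts:
            avg = f.doctets / f.dpkts
            if avg > max_avg_bytes:
                suspects.append((f, avg))
    return suspects

# Constructed sample records; the first mirrors the exhibit in question 20.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "192.168.1.10", 53, 1025, 17, 0, 1, 212),               # DNS response
    Flow("192.168.1.10", "10.1.1.5", 1025, 53, 17, 0, 1, 73),                # the matching DNS query
    Flow("192.168.1.10", "198.51.100.20", 51022, 443, 6, 0x1B, 12, 2400),    # HTTPS client->server
    Flow("192.168.1.10", "192.0.2.1", 0, 2048, 1, 0, 4, 336),                # four normal echo requests
    Flow("192.168.1.44", "203.0.113.9", 0, 2048, 1, 0, 1200, 1500000),       # 1250 bytes per ICMP packet
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(describe_text(f))
    for f, avg in icmp_tunnel_suspects(SAMPLE_FLOWS):
        print(f"possible ICMP tunnel: {f.srcaddr} -> {f.dstaddr}, {avg:.0f} bytes/packet")
```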

21. In a Cisco AVC system, in which module is NetFlow deployed?

  • Management and Reporting
  • Control
  • Application Recognition
  • Metrics Collection
Explanation: NetFlow technology is deployed in the Metrics Collection module of a Cisco AVC system to collect network flow metrics and to export to management tools.

22. What does it indicate if the timestamp in the HEADER section of a syslog message is preceded by a period or asterisk symbol?

  • There is a problem associated with NTP.
  • The timestamp represents the round trip duration value.
  • The syslog message should be treated with high priority.
  • The syslog message indicates the time an email is received.
Explanation: The HEADER section of the message contains the timestamp. On Cisco IOS devices, an asterisk (*) before the timestamp means the clock is not authoritative (it has never synchronized to NTP), and a period (.) means the clock was authoritative but NTP synchronization has since been lost. Either way the timestamp cannot be trusted for correlating events across devices until NTP is fixed.
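A parser for such messages, as an added example (not code from the original page or the Cisco course): it decodes the PRI value into facility and severity, splits the Cisco IOS header into sequence number, timestamp and mnemonic, and reports the NTP flag so a collector can set aside records whose timestamps cannot be trusted. The message layout assumes a device configured with sequence numbers and millisecond timestamps; the sample lines are constructed, not captured from a real device.

```python
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Meaning of the character in front of a Cisco IOS timestamp.
NTP_FLAGS = {
    "*": "clock not authoritative: never synchronized to NTP",
    ".": "clock was authoritative but NTP synchronization has been lost",
}

# Cisco IOS message as it arrives at a collector (assumed layout):
#   <PRI>seq: [*|.]timestamp [TZ]: %FACILITY-SEVERITY-MNEMONIC: text
# The sequence number and the millisecond/timezone parts depend on the device's
# "service sequence-numbers" and "service timestamps log datetime ..." settings.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?P<flag>[*.])?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?: (?P<tz>[A-Z]{3,4}))?: "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$"
)

def parse_syslog(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:                      # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"invalid PRI {pri}")
    return {
        "facility": FACILITIES[pri >> 3],   # PRI = facility * 8 + severity
        "severity": SEVERITIES[pri & 7],
        "seq": int(m["seq"]) if m["seq"] else None,
        "timestamp": m["ts"] + (f" {m['tz']}" if m["tz"] else ""),
        "ntp_flag": m["flag"],
        "ntp_problem": NTP_FLAGS.get(m["flag"]),
        "mnemonic": f"%{m['fac']}-{m['sev']}-{m['mnem']}",
        "message": m["msg"],
    }

def untrusted_timestamps(lines):
    """Parsed records whose timestamp should not be used for cross-device correlation."""
    return [r for r in map(parse_syslog, lines) if r["ntp_flag"]]

# Constructed sample lines. Cisco's default facility is local7, so PRI = 184 + severity.
SAMPLE_LINES = [
    "<187>45: *Mar  1 00:02:11.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<189>46: .Mar  1 00:02:12.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<190>47: Jun 14 09:30:01.555 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4444) -> 10.0.0.10(22), 1 packet",
]

if __name__ == "__main__":
    for r in map(parse_syslog, SAMPLE_LINES):
        flag = f" [{r['ntp_problem']}]" if r["ntp_problem"] else ""
        print(f"{r['facility']}.{r['severity']} {r['timestamp']} {r['mnemonic']}{flag}")
```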

23. Which protocol is a name resolution protocol often used by malware to communicate with command-and-control (CnC) servers?

  • IMAP
  • DNS
  • HTTPS
  • ICMP
Explanation: The Domain Name System (DNS) converts domain names into IP addresses. Because nearly every host must be allowed to resolve names, DNS is almost always permitted outbound through firewalls, and some organizations have less stringent policies against DNS-based threats than against other exploits. Malware takes advantage of this by encoding command-and-control traffic in the names it queries and in the records returned.
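One way to spot that kind of DNS abuse in query logs, as an added example (not code from the original page or the Cisco course): per registered domain, count the distinct subdomains queried, their average length and character entropy, and the share of TXT/NULL queries, then flag domains where many long, high-entropy labels are being resolved. The thresholds, the naive two-label split of the registered domain, and the query log itself are assumptions constructed for the example.

```python
import hashlib
import math
from collections import defaultdict

def shannon_entropy(s):
    """Bits of entropy per character: random hex is close to 4, ordinary hostnames well under 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    """Naive split into (subdomain, registered domain) using the last two labels.
    Real tooling uses the Public Suffix List so that names under e.g. co.uk split correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def domain_stats(queries):
    """queries: iterable of (client_ip, qname, qtype) tuples from a resolver or sensor log."""
    stats = defaultdict(lambda: {"queries": 0, "clients": set(), "subdomains": set(),
                                 "txt": 0, "entropy_sum": 0.0, "len_sum": 0})
    for client, qname, qtype in queries:
        sub, dom = split_name(qname)
        s = stats[dom]
        s["queries"] += 1
        s["clients"].add(client)
        if sub not in s["subdomains"]:          # length and entropy are measured once per distinct label
            s["subdomains"].add(sub)
            s["entropy_sum"] += shannon_entropy(sub)
            s["len_sum"] += len(sub)
        if qtype in ("TXT", "NULL"):             # record types favoured by tunnels for their large payloads
            s["txt"] += 1
    return stats

def suspicious_domains(queries, min_unique=20, min_mean_len=30, min_mean_entropy=3.0):
    out = {}
    for dom, s in domain_stats(queries).items():
        n = len(s["subdomains"])
        mean_len, mean_ent = s["len_sum"] / n, s["entropy_sum"] / n
        if n >= min_unique and mean_len >= min_mean_len and mean_ent >= min_mean_entropy:
            out[dom] = {"unique_subdomains": n, "mean_label_len": round(mean_len, 1),
                        "mean_entropy": round(mean_ent, 2), "txt_fraction": s["txt"] / s["queries"],
                        "clients": sorted(s["clients"])}
    return out

def constructed_queries():
    """A constructed query log: ordinary browsing, a CDN with many short hostnames, and one tunnel."""
    q = [("10.0.0.5", "www.example.com", "A")] * 10
    q += [("10.0.0.6", "mail.example.com", "A"), ("10.0.0.7", "cdn.example.com", "A")]
    q += [(f"10.0.0.{10 + i % 5}", f"img{i}.cdn-example.org", "A") for i in range(30)]
    # Each tunnel query carries a chunk of data in a 60-character hex label (max label length is 63).
    q += [("10.0.0.44", hashlib.sha256(str(i).encode()).hexdigest()[:60] + ".t.example-c2.net", "TXT")
          for i in range(25)]
    return q

if __name__ == "__main__":
    for dom, info in suspicious_domains(constructed_queries()).items():
        print(dom, info)
```

The CDN domain shows why the rule needs more than a count of distinct subdomains: it resolves thirty different names, but they are short and low-entropy, so only the domain receiving long hex labels is flagged.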

24. Which technique is necessary to ensure a private transfer of data using a VPN?

  • authorization
  • scalability
  • encryption
  • virtualization
Explanation: Confidential and secure transfers of data with VPNs require data encryption.

25. Which technology would be used to create the server logs generated by network devices and reviewed by an entry level network person who works the night shift at a data center?

  • syslog
  • NAT
  • ACL
  • VPN
Explanation: Syslog is a daemon or service running on a server that accepts messages sent by network devices, by default over UDP port 514. These logs are frequently examined to detect inconsistencies and issues within the network.

26. Which statement describes a Cisco Web Security Appliance (WSA)?

  • It protects a web server by preventing security threats from accessing the server.
  • It provides high performance web services.
  • It acts as an SSL-based VPN server for an enterprise.
  • It functions as a web proxy.
Explanation: Cisco Web Security Appliance (WSA) devices provide a wide range of functionalities for security monitoring. WSA effectively acts as a web proxy. It logs all inbound and outbound transaction information for HTTP traffic.

27. Which statement describes statistical data in network security monitoring processes?

  • It is created through an analysis of other forms of network data.
  • It contains conversations between network hosts.
  • It shows the results of network activities between network hosts.
  • It lists each alert message along with statistical information.

28. Match the SIEM function with the description.

  • links logs and events from disparate systems or applications, speeding detection of and reaction to security threats : correlation
  • satisfies the requirements of various compliance regulations :
  • reduces the volume of event data by consolidating duplicate event records : aggregation
  • maps log messages from different systems into a common data model : normalization
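The three functions matched above, normalization, aggregation and correlation, as an added example (not code from the original page or the Cisco course) run over a handful of constructed log records: Windows Security events (4625 failed logon, 4624 successful logon) exported by a forwarder, and sshd lines from a Linux auth log. Both are mapped into one common model, duplicates are collapsed into counted records, and a single rule correlates failures from the same source address across the two systems. The field names, the year assumed for the syslog timestamps, and the rule thresholds are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Raw input from two unrelated systems (constructed samples) -----------------
WINDOWS_EVENTS = [
    {"TimeCreated": "2024-03-01T10:15:01", "Computer": "dc01", "EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2024-03-01T10:15:02", "Computer": "dc01", "EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2024-03-01T10:16:40", "Computer": "dc01", "EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.8"},
]
LINUX_LINES = [
    "Mar  1 10:15:03 web01 sshd[2201]: Failed password for jsmith from 203.0.113.7 port 51022 ssh2",
    "Mar  1 10:15:05 web01 sshd[2203]: Failed password for invalid user root from 203.0.113.7 port 51030 ssh2",
    "Mar  1 10:20:00 web01 sshd[2290]: Failed password for bob from 198.51.100.4 port 40001 ssh2",
    "Mar  1 10:21:13 web01 sshd[2295]: Accepted publickey for deploy from 10.0.0.9 port 40210 ssh2",
]

SSHD_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# --- Normalization: map both formats into one common model ----------------------
def normalize_windows(ev):
    return {"ts": datetime.fromisoformat(ev["TimeCreated"]), "host": ev["Computer"],
            "user": ev["TargetUserName"].lower(), "src_ip": ev["IpAddress"],
            "outcome": "failure" if ev["EventID"] == 4625 else "success", "source": "windows"}

def normalize_linux(line, year=2024):
    m = SSHD_FAIL.match(line)
    if not m:
        return None   # only failed password lines are modelled here
    # syslog timestamps carry no year, so one is supplied (assumption: 2024)
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"].lower(), "src_ip": m["ip"],
            "outcome": "failure", "source": "linux"}

def normalize_all(win_events=WINDOWS_EVENTS, linux_lines=LINUX_LINES):
    events = [normalize_windows(e) for e in win_events]
    events += [e for e in map(normalize_linux, linux_lines) if e]
    return sorted(events, key=lambda e: e["ts"])

# --- Aggregation: collapse duplicate records into one with a count ----------------
def aggregate(events):
    groups = {}
    for e in events:
        key = (e["source"], e["host"], e["user"], e["src_ip"], e["outcome"])
        g = groups.get(key)
        if g is None:
            g = groups[key] = {k: e[k] for k in ("source", "host", "user", "src_ip", "outcome")}
            g.update(count=0, first_seen=e["ts"], last_seen=e["ts"])
        g["count"] += 1
        g["first_seen"] = min(g["first_seen"], e["ts"])
        g["last_seen"] = max(g["last_seen"], e["ts"])
    return list(groups.values())

# --- Correlation: one rule that links events from both systems --------------------
def correlate(events, window=timedelta(minutes=5), min_failures=3, min_hosts=2):
    """Alert when one source IP fails logons on several hosts within the window.
    The window test uses the full span of that IP's failures (simpler than a sliding window)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        hosts = {e["host"] for e in evs}
        if len(evs) >= min_failures and len(hosts) >= min_hosts and evs[-1]["ts"] - evs[0]["ts"] <= window:
            alerts.append({"src_ip": ip, "failures": len(evs), "hosts": sorted(hosts),
                           "users": sorted({e["user"] for e in evs})})
    return alerts

if __name__ == "__main__":
    events = normalize_all()
    print(f"{len(events)} normalized events, {len(aggregate(events))} after aggregation")
    for a in correlate(events):
        print("ALERT", a)
```

Neither system alone would have raised this alert: the domain controller saw two failures and the web server two, but only after normalization into a shared model can the rule see four failures from one address against two hosts in a few seconds.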

29. Which two tools have a GUI interface and can be used to view and analyze full packet captures? (Choose two.)

  • nfdump
  • Wireshark
  • Cisco Prime Network Analysis Module
  • tcpdump
  • Splunk
Explanation: The Network Analysis Module of the Cisco Prime Infrastructure system and Wireshark have GUI interfaces and can display full packet captures. The tcpdump tool is a command-line packet analyzer.

30. Which statement describes session data in security logs?

  • It can be used to describe or predict network behavior.
  • It shows the result of network sessions.
  • It is a record of a conversation between network hosts.
  • It reports detailed network activities between network hosts.
Explanation: Session data is a record of a conversation between two network endpoints.

31. Which two options are network security monitoring approaches that use advanced analytic techniques to analyze network telemetry data? (Choose two.)

  • NBAD
  • Sguil
  • NetFlow
  • IPFIX
  • Snorby
  • NBA
Explanation: Network behavior analysis (NBA) and network behavior anomaly detection (NBAD) are approaches to network security monitoring that use advanced analytical techniques to analyze NetFlow or IPFIX network telemetry data.

32. How does a web proxy device provide data loss prevention (DLP) for an enterprise?

  • by functioning as a firewall
  • by inspecting incoming traffic for potential exploits
  • by scanning and logging outgoing traffic
  • by checking the reputation of external web servers
Explanation: A web proxy device can inspect outgoing traffic as means of data loss prevention (DLP). DLP involves scanning outgoing traffic to detect whether the data that is leaving the enterprise network contains sensitive, confidential, or secret information.

33. Which information can be provided by the Cisco NetFlow utility?

  • security and user account restrictions
  • IDS and IPS capabilities
  • peak usage times and traffic routing
  • source and destination UDP port mapping
Explanation: NetFlow efficiently provides an important set of services for IP applications including network traffic accounting, usage-based network billing, network planning, security, denial of service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.
