CCNA Security Chapter 1 - 2014

1. What are the basic phases of attack that can be used by a virus or worm in sequential order?
		paralyze, probe, penetrate, persist, and propagate
	>>	probe, penetrate, persist, propagate, and paralyze
		penetrate, persist, propagate, paralyze, and probe
		persist, propagate, paralyze, probe, and penetrate
2. Which two are characteristics of DoS attacks? (Choose two.)
		They always precede access attacks.
	>>	They attempt to compromise the availability of a network, host, or application.
		They are difficult to conduct and are initiated only by very skilled attackers.
		They are commonly launched with a tool called L0phtCrack.
	>>	Examples include smurf attacks and ping of death attacks.
3. Users report to the helpdesk that icons usually seen on the menu bar are randomly appearing on their computer screens. What could be a reason that computers are displaying these random graphics?
		An access attack has occurred.
	>>	A virus has infected the computers.
		A DoS attack has been launched against the network.
		The computers are subject to a reconnaissance attack.

CCNA Security Chapter 2 - 2014

1. Refer to the exhibit. What two pieces of information can be gathered from the generated message? (Choose two. )
	>>	This message is a level five notification message.
		This message appeared because a minor error occurred requiring further investigation.
		This message appeared because a major error occurred requiring immediate action.
	>>	This message indicates that service timestamps have been globally enabled.
		This message indicates that enhanced security was configured on the vty ports.
2. By default, how many seconds of delay between virtual login attempts is invoked when the login block-for command is configured?
	>>	one
		two
		three
		four
		five
3. Refer to the exhibit. Routers R1 and R2 are connected via a serial link. One router is configured as the NTP master, and the other is an NTP client. Which two pieces of information can be obtained from the partial output of the show ntp associations detail command on R2? (Choose two. )
		Both routers are configured to use NTPv2.
	>>	Router R1 is the master, and R2 is the client.
		Router R2 is the master, and R1 is the client.
	>>	The IP address of R1 is 192. 168. 1. 2.
		The IP address of R2 is 192. 168. 1. 2.

CCNA Security Chapter 3 - 2014

1. Why is local database authentication preferred over a password-only login?
		It specifies a different password for each line or port.
	>>	It provides for authentication and accountability.
		It requires a login and password combination on console, vty lines, and aux ports.
		It is more efficient for users who only need to enter a password to gain entry to a device.
2. Which authentication method stores usernames and passwords in the router and is ideal for small networks?
	>>	local AAA
		local AAA over RADIUS
		local AAA over TACACS+
		server-based AAA
		server-based AAA over RADIUS
		server-based AAA over TACACS+
3. In regards to Cisco Secure ACS, what is a client device?
		a web server, email server, or FTP server.
		the computer used by a network administrator.
		network users who must access privileged EXEC commands.
	>>	a router, switch, firewall, or VPN concentrator.

CCNA Security Chapter 4 - 2014

1. Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.)
	>>	SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.
		Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.
		SSH connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.
	>>	Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.
		SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.
		Telnet connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.
2. Which two are characteristics of ACLs? (Choose two.)
	>>	Extended ACLs can filter on destination TCP and UDP ports.
		Standard ACLs can filter on source TCP and UDP ports.
	>>	Extended ACLs can filter on source and destination IP addresses.
		Standard ACLs can filter on source and destination IP addresses.
		Standard ACLs can filter on source and destination TCP and UDP ports.
3. Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router?
	>>	self zone
		system zone
		local zone
		inside zone
		outside zone

CCNA Security Chapter 5 - 2014

1. Refer to the exhibit. When modifying an IPS signature action, which two check boxes should be selected to create an ACL that denies all traffic from the IP address that is considered the source of the attack and drops the packet and all future packets from the TCP flow? (Choose two.)
	>>	Deny Attacker Inline
	>>	Deny Connection Inline
		Deny Packet Inline
		Produce Alert
		Reset TCP Connection
2. Why is a network that deploys only IDS particularly vulnerable to an atomic attack?
		The IDS must track the three-way handshake of established TCP connections.
		The IDS must track the three-way handshake of established UDP connections.
	>>	The IDS permits malicious single packets into the network.
		The IDS requires significant router resources to maintain the event horizon.
		The stateful properties of atomic attacks usually require the IDS to have several pieces of data to match an attack signature.
3. Refer to the exhibit. What is the result of issuing the Cisco IOS IPS commands on router R1?
		A named ACL determines the traffic to be inspected.
		A numbered ACL is applied to S0/0/0 in the outbound direction.
		All traffic that is denied by the ACL is subject to inspection by the IPS.
	>>	All traffic that is permitted by the ACL is subject to inspection by the IPS.

CCNA Security Chapter 6 - 2014

1. As a recommended practice for Layer 2 security, how should VLAN 1 be treated?
		All access ports should be assigned to VLAN 1.
		All trunk ports should be assigned to VLAN 1.
		VLAN 1 should be used for management traffic.
	>>	VLAN 1 should not be used.
2. With IP voice systems on data networks, which two types of attacks target VoIP specifically? (Choose two.)
		CoWPAtty
		Kismet
	>>	SPIT
		virus
	>>	vishing
3. Which option best describes a MAC address spoofing attack?
		An attacker gains access to another host and masquerades as the rightful user of that device.
	>>	An attacker alters the MAC address of his host to match another known MAC address of a target host.
		An attacker alters the MAC address of the switch to gain access to the network device from a rogue host device.
		An attacker floods the MAC address table of a switch so that the switch can no longer filter network access based on MAC addresses.

CCNA Security Chapter 7 - 2014

1. The network administrator for an e-commerce website requires a service that prevents customers from claiming that legitimate orders are fake. What service provides this type of guarantee?
		authentication
		confidentiality
		integrity
	>>	nonrepudiation
2. How do modern cryptographers defend against brute-force attacks?
		Use statistical analysis to eliminate the most common encryption keys.
		Use an algorithm that requires the attacker to have both ciphertext and plaintext to conduct a successful attack.
	>>	Use a keyspace large enough that it takes too much money and too much time to conduct a successful attack.
		Use frequency analysis to ensure that the most popular letters used in the language are not used in the cipher message.
3. What is the basic method used by 3DES to encrypt plaintext?
		The data is encrypted three times with three different keys.
	>>	The data is encrypted, decrypted, and encrypted using three different keys.
		The data is divided into three blocks of equal length for encryption.
		The data is encrypted using a key length that is three times longer than the key used for DES.

CCNA Security Chapter 8 - 2014

1. Refer to the exhibit. Based on the CCP screen that is shown, which two conclusions can be drawn about the IKE policy that is being configured? (Choose two.)
		It will use digital certificates for authentication.
	>>	It will use a predefined key for authentication.
	>>	It will use a very strong encryption algorithm.
		It will be the default policy with the highest priority.
		It is being created using the CCP VPN Quick Setup Wizard.
2. A network administrator is planning to implement centralized management of Cisco VPN devices to simplify VPN deployment for remote offices and teleworkers. Which Cisco IOS feature would provide this solution?
	>>	Cisco Easy VPN
		Cisco VPN Client
		Cisco IOS SSL VPN
		Dynamic Multipoint VPN
3. Which statement describes an important characteristic of a site-to-site VPN?
	>>	It must be statically set up.
		It is ideally suited for use by mobile workers.
		It requires using a VPN client on the host PC.
		It is commonly implemented over dialup and cable modem networks.
		After the initial connection is established, it can dynamically change connection information.

CCNA Security Chapter 9 - 2014

1. In which phase of the system development life cycle should security requirements be addressed?
		Add security requirements during the initiation phase.
	>>	Include a minimum set of security requirements at each phase.
		Apply critical security requirements during the implementation phase.
		Implement the majority of the security requirements at the acquisition phase.
2. Which type of analysis uses a mathematical model that assigns a monetary figure to the value of assets, the cost of threats being realized, and the cost of security implementations?
		Qualitative Risk Analysis
	>>	Quantitative Risk Analysis
		Qualitative Asset Analysis
		Quantitative Continuity Analysis
3. Which term describes a completely redundant backup facility, with almost identical equipment to the operational facility, that is maintained in the event of a disaster?
		backup site
		cold site
	>>	hot site
		reserve site

CCNA Security Chapter 10 - 2014

1. In what three ways do the 5505 and 5510 Adaptive Security Appliances differ? (Choose three.)
		in the method by which they can be configured using either CLI or ASDM
		in their compatibility with Cisco SecureX technology
	>>	in the maximum traffic throughput supported
		in the number of interfaces
		in operating system version support
	>>	in types of interfaces
2. Which three security features do ASA models 5505 and 5510 support by default? (Choose three.)
		content security and control module
		Cisco Unified Communications (voice and video) security
	>>	intrusion prevention system
	>>	stateful firewall
	>>	VPN concentrator
		Zone-Based Policy Firewall
3. Which option lists the ASA adaptive security algorithm session management tasks in the correct order?
		1) allocating NAT translations (xlates) 2) establishing sessions in the “fast path” 3) performing route lookups 4) performing the access list checks
		1) establishing sessions in the “fast path” 2) performing the access list checks 3) allocating NAT translations (xlates) 4) performing route lookups

CCNA Security Final exam answers - 2014

1. When logging is enabled for an ACL entry, how does the router switch packets filtered by the ACL?
		topology-based switching
		autonomous switching
	>>	process switching
		optimum switching
2. Which statement is true about the One-Step lockdown feature of the CCP Security Audit wizard?
		It enables the Secure Copy Protocol (SCP).
		It supports AAA configuration.
		It enables TCP intercepts.
	>>	It sets an access class ACL on vty lines.
		It provides an option for configuring SNMPv3 on all routers.
3. What are three common examples of AAA implementation on Cisco routers? (Choose three.)
	>>	authenticating administrator access to the router console port, auxiliary port, and vty ports
	>>	authenticating remote users who are accessing the corporate LAN through IPsec VPN connections
		implementing public key infrastructure to authenticate and authorize IPsec VPN peers using digital certificates
	>>	implementing command authorization with TACACS+
		securing the router by locking down all unused services
		tracking Cisco Netflow accounting statistics