642-566

Security Solutions for Systems Engineers Exam


QUESTION NO: 1
You are the network consultant from Your company. Please point out two requirements that call for the deployment of 802.1X.
A. Authenticate users on switch or wireless ports
B. Grant or Deny network access at the port level, based on configured authorization policies
C. Allow network access during the quiet period
D. Verify security posture using TACACS+
Answer: A,B
QUESTION NO: 2
Open Shortest Path First (OSPF) is a dynamic routing protocol for use in Internet Protocol (IP) networks. An OSPF router on the network is running at an abnormally high CPU rate. By using different OSPF debug commands on the router, the network administrator determines that the router is receiving many OSPF link state packets from an unknown OSPF neighbor, thus forcing many OSPF path recalculations and affecting the router's CPU usage. Which OSPF configuration should the administrator enable to prevent this kind of attack on the router?
A. Multi-Area OSPF
B. OSPF stub Area
C. OSPF MD5 Authentication
D. OSPF not-so-stubby Area

Answer: C


QUESTION NO: 3
Which one of the following Cisco Security Management products is able to perform (syslog) events normalization?
A. Cisco IME
B. Cisco Security Manager
C. Cisco ASDM
D. Cisco Security MARS
Answer: D
QUESTION NO: 4

Can you tell me which one of the following platforms has the highest IPSec throughput and can support the highest number of tunnels?
A. Cisco 6500/7600 + VPN SPA
B. Cisco ASR 1000-5G
C. Cisco 7200 NPE-GE+VSA
D. Cisco 7200 NPE-GE+VAM2+
Answer: A


QUESTION NO: 5
Which two methods can be used to perform IPSec peer authentication? (Choose two.)
A. One-time Password
B. AAA
C. Pre-shared key
D. Digital Certificate
Answer: C,D
QUESTION NO: 6
Cisco Security Agent is the first endpoint security solution that combines zero-update attack protection, data loss prevention and signature-based antivirus in a single agent. This unique blend of capabilities defends servers and desktops against sophisticated day-zero attacks and enforces acceptable-use and compliance policies within a simple management infrastructure. What are three functions of CSA in helping to secure customer environments?
A. Control of executable content
B. Identification of vulnerabilities
C. Application Control
D. System hardening
Answer: A,C,D

QUESTION NO: 7
Cisco Secure Access Control Server (ACS) is an access policy control platform that helps you comply with growing regulatory and corporate requirements. Which three of these items are features of the Cisco Secure Access Control Server?

A. NDS
B. RSA Certificates
C. LDAP
D. Kerberos
Answer: A,B,C
QUESTION NO: 8
Which one of the following protocols is used to allow the utilization of Cisco Wide Area Application Engines or Cisco IronPort S-Series web security appliances to localize web traffic patterns in the network and to enable the local fulfillment of content requests?
A. TLS
B. DTLS
C. WCCP
D. HTTPS

Answer: C


QUESTION NO: 9
Which one is not a factor that can affect the risk rating of an IPS alert?
A. Relevance
B. Attacker location
C. Event severity
D. Signature fidelity
Answer: B


QUESTION NO: 10
For the following items, which two are differences between symmetric and asymmetric encryption algorithms? (Choose two.)
A. Asymmetric encryption is slower than symmetric encryption
B. Asymmetric encryption is more suitable than symmetric encryption for real-time bulk encryption
C. Symmetric encryption is used in digital signatures and asymmetric encryption is used in HMACs
D. Asymmetric encryption requires a much larger key size to achieve the same level of protection as symmetric encryption

Answer: A,D
QUESTION NO: 11
Deploying the NAC appliance in in-band mode is better than out-of-band mode. Why?
A. Nessus scanning
B. Higher number of users per NAC Appliance
C. Bandwidth enforcement policy
D. NAC Appliance Agent deployment

Answer: C


QUESTION NO: 12
In what ways are IPSec-based site-to-site VPNs better than traditional WAN networks?
A. Delay guarantees, span, performance, security and low cost
B. Bandwidth guarantees, support for non-IP protocols, scalability and modular design guidelines
C. Bandwidth guarantees, flexibility, security and low cost
D. Span, flexibility, security and low cost
Answer: D


QUESTION NO: 13
Which VPN technology cannot be used over the Internet?
A. VTI
B. GRE over IPsec
C. IPsec direct encapsulation
D. GET VPN
Answer: D
QUESTION NO: 14 DRAG DROP
Match each IKE component to its supported option:


Answer:

Explanation:




QUESTION NO: 15 DRAG DROP
Which item is correct about the relationship between the VPN types and their descriptions?

Answer:


Explanation:


QUESTION NO: 16 DRAG DROP
Select the best security control to minimize the WAN security threats. Not all the security controls are required.


Answer:


QUESTION NO: 17
Which is the primary benefit that DTLS offers over TLS?
A. Both the application and TLS can retransmit lost packets
B. Improves security
C. Provides low latency for real-time applications
D. Uses TCP instead of UDP to provide a reliable Transport mechanism

Answer: C


QUESTION NO: 18 DRAG DROP
Which option is correct about the relationship between the terms and their description?

Answer:

Explanation:


QUESTION NO: 19
Cisco AutoSecure is a new Cisco IOS Security Command Line Interface (CLI) command. Which two statements are true regarding Cisco AutoSecure? (Choose two.)
A. Enables tcp-keepalives-in and tcp-keepalives-out
B. Disables tcp-keepalives-in and tcp-keepalives-out
C. Enables log messages to include sequence numbers and time stamps
D. Blocks all IANA-reserved IP address blocks
Answer: C,D
QUESTION NO: 20
See the Exhibit:
Exhibit: In order to support IPSec VPN, which three traffic types should ACL1 permit on the firewall in front of the IPSec VPN gateway? (Choose three.)


A. IP Protocol 50
B. UDP port 4500
C. UDP Port 10000
D. UDP Port 5000
Answer: A,B,D
QUESTION NO: 21
Which of these items is a feature of a system-level approach to security management?
A. Multiple cross-vendor management platforms
B. Complex Operations
C. Responsibility sharing
D. Single-element management
E. High Availability

Answer: E


QUESTION NO: 22
Which typical design choices should be taken into consideration while designing Cisco solution-based enterprise remote-access solutions?

A. Authentication: one-time passwords, digital certificates
B. Endpoint Security: Managed endpoints versus unmanaged endpoints protection (Cisco Security Agent, Cisco NAC Agent, Cisco Secure Desktop)
C. Traffic protection: IPSec versus SSL
D. Central Site aggregation device: ISR versus Cisco ASA, high-availability options
Answer: A,B,C,D
QUESTION NO: 23
What can be used to enable IPSec Usage across Port Address Translation (PAT) devices?
A. Port Forwarding
B. IPSec Tunnel Mode
C. PRI
D. NAT-T

Answer: D


QUESTION NO: 24
Cisco NAC Appliance, formerly Cisco Clean Access (CCA) is a network access control solution developed by Cisco Systems that helps ensure a secure and clean network environment. Which Cisco NAC Appliance design is the most scalable architecture for campus LANs because it offers high performance after posture verification?
A. In-band real-ip gateway
B. Layer 2 out-of-band
C. In-band virtual gateway
D. Layer 3 central deployment
Answer: B


QUESTION NO: 25
Which functionality can be used by the Cisco Security MARS security appliance to achieve events aggregation?
A. Sessionalization
B. Events action filters
C. Summarization

D. Cisco Security Manager policy correlations
Answer: A


QUESTION NO: 26
Which one of the following elements is essential to perform events analysis and correlation?
A. Implementation of a centralized provisioning system, such as Cisco Security Manager
B. Elimination of all the true positive events
C. Implementation of different security controls and platforms when using the defense-in-depth approach
D. Time synchronization between all the devices
Answer: D


QUESTION NO: 27
You are a network engineer at Your company. Please point out two functions of Cisco Security Agent.
A. Spam filtering
B. Authentication
C. Resource Protection
D. Control of executable content
Answer: C,D
QUESTION NO: 28 DRAG DROP
Which option is correct about the relationship between the malware type and its description? Make the appropriate matches.


Answer:

Explanation:




QUESTION NO: 29
Which one of the following platforms could support the highest number of SSL sessions?
A. Cisco 7200 NPE-GE+VAM2+
B. Cisco ASA 5580
C. Cisco 6500/7600 + VPN SPA
D. Cisco ASR 1000-5G
Answer: B


QUESTION NO: 30
What will happen if a preconfigured usage threshold is exceeded while using the Cisco IOS Network Foundation Protection (NFP) Memory Thresholding Notification and CPU Thresholding Notification features?
A. The router will send an SNMP trap to a management station
B. The router will reboot
C. The router will switch from process switching to Cisco Express Forwarding switching
D. The router will switch from Cisco Express Forwarding switching to process switching
Answer: A
QUESTION NO: 31

Select the advantage of the Cisco ASA phone proxy feature:
A. Enables advanced H.323 inspection services that support H.323 versions 1 along with Direct Call Signaling (DCS) and Gatekeeper-Routed Call Signaling (GKRCS) to provide flexible security integration in a variety of H.323-driven VoIP environments
B. Enables inspection of the RTSP protocols that are used to control communications between the client and server for streaming applications
C. Allows telecommuters to connect their IP phones to the corporate IP telephony network securely over the Internet, without the need to connect over a VPN tunnel
D. Allows businesses to configure granular policies for SCCP traffic, such as enforcing only registered phone calls to send traffic through the Cisco ASA security appliance and filtering to message IDs to allow or disallow specific messages
Answer: C


QUESTION NO: 32
Which two Cisco products/features provide the best security controls for a web server having applications running on it that perform inadequate input data validation? (Choose two.)
A. Cisco Application Velocity System (AVS)
B. Cisco IOS Flexible Packet Matching (FPM)
C. Cisco Security Agent data access controls
D. Cisco ACE XML Gateway
Answer: C,D
QUESTION NO: 33
Which two protocols can perform high-availability IPS design by use of the Cisco IPS 4200 Series Sensor appliance? (Choose two.)
A. HSRP
B. Spanning Tree
C. EtherChannel load balancing
D. SDEE
Answer: B,C
QUESTION NO: 34

______________ are needed for a device to join a certificate-authenticated network?
A. The certificates of the certificate authority and the peer
B. The certificates of the device and its peer
C. The certificates of the certificate authority, the device and the peer
D. The certificates of the certificate authority and the device

Answer: D


QUESTION NO: 35
An incident in MARS is _______________.
A. A series of raw messages sent to the MARS via syslog, SNMP
B. A series of events that is correlated to represent a single occurrence using related information within a given timeframe
C. A series of events that triggered a defined rule in the system
D. A series of behaviors in a session that describe an anomaly, worm or virus
Answer: C


QUESTION NO: 36
You are working as a Network Engineer at Your company. Please suggest one encryption protocol to your customer from an enterprise with standard security requirements.
A. WEP
B. DES EAP-TLS bidirectional authentication
C. MD5
D. AES-128
Answer: D
QUESTION NO: 37
Which item can authenticate remote IPSec VPN Users?
A. PFS
B. Pre-shared Key
C. Diffie-Hellman (DH)
D. XAUTH

Answer: D


QUESTION NO: 38
Which is the best countermeasure to protect against rogue access points that are outside the enterprise physical perimeter and that attempt to attract legitimate clients?
A. Wireless IDS/IPS
B. EAP-TLS bidirectional authentication
C. Personal firewall
D. Management Frame Protection
Answer: B


QUESTION NO: 39
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection feature that effectively mitigates a wide range of network attacks. A component of the Cisco IOS Integrated Threat Control Framework and complemented by the Cisco IOS Flexible Packet Matching feature, Cisco IOS IPS provides your network with the intelligence to accurately identify, classify and stop or block malicious traffic in real time. Which statement is true regarding Cisco IOS IPS performance and capabilities?
A. It offers a wider signature coverage than the IDSM-2 Module
B. It uses a parallel signature-scanning engine to scan for multiple patterns within a signature micro-engine at any given time
C. It has a minimal impact on router memory
D. It should be enabled to maximize the coverage, except for false-positives reduction
Answer: B


QUESTION NO: 40
Which one can be used to provide logical separation between the voice and data traffic at the access layer?
A. Protected Ports
B. Firewall
C. Port Security
D. Auxiliary VLAN

Answer: D


QUESTION NO: 41
Which type of native encryption is supported by the LWAPP protocol?
A. RC5
B. AES
C. ECC
D. IDEA
Answer: B


QUESTION NO: 42
Which three descriptions are true with regard to the perimeter-endpoint security architecture? (Choose three.)
A. The architecture is easy to operate and to maintain and is flexible for adding new services
B. The network is partitioned into security domains
C. The architecture uses a restrictive access model
D. The architecture offers integration of network and endpoint security
Answer: B,C,D
QUESTION NO: 43
Which Cisco product can provide endpoint-based trusted-traffic marking while implementing QoS?
A. Cisco Trust Agent
B. Cisco Secure Services Client
C. Cisco Secure Desktop
D. Cisco Security Agent
Answer: D
QUESTION NO: 44
What will the NAC Appliance Agent check on the client machine? (Choose three.)

A. IP Address
B. Presence of Cisco Security Agent
C. Registry Keys
D. Microsoft hotfixes
Answer: B,C,D

QUESTION NO: 45
In reconnaissance attacks, which two attack methods are typically used? (Choose two.)
A. Operating system and application fingerprinting
B. Buffer overflows
C. TCP/UDP port scanning and sweeping
D. ARP spoofing
Answer: A,C

QUESTION NO: 46
Which functions can be provided by Cisco SSL VPN solution by use of the Cisco Secure Desktop? (Select All that apply.)
A. Secure Vault
B. Cache Cleaner
C. Pre-login assessment
D. Advanced Endpoint Assessment
Answer: A,B,C,D

QUESTION NO: 47
Which description is true about the hybrid user authentication model for remote-access IPSec VPNs?
A. VPN Servers and users authenticate by using digital certificates
B. VPN servers authenticate by using digital certificates and users authenticate by using pre-shared keys
C. VPN Servers and users authenticate by using pre-shared keys
D. VPN servers authenticate by using digital certificates and users authenticate by using usernames and passwords


Answer: D


QUESTION NO: 48
Which two of the following settings can be monitored by the Cisco Security Agent (release 5.2 and later) to control user's wireless access? (Choose two.)
A. Antivirus Version
B. Protection types such as WEP, TKIP
C. Wireless card type (802.11a,b or g)
D. SSIDs
Answer: B,D
QUESTION NO: 49
What should be taken into consideration while performing Cisco NAC Appliance design? Select all that apply.
A. edge deployment versus central deployment
B. in-band versus out-of-band
C. Real-IP Gateway versus virtual gateway
D. Layer 2 versus Layer 3
E. None of the other alternatives apply.
Answer: A,B,C,D

QUESTION NO: 50
You are the network consultant from Your company. Please point out two technologies that address ISO 17799 requirements for detecting, preventing and responding to attacks and intrusions.
A. Cisco Security Agent
B. 802.1X
C. Cisco Security MARS
D. Cisco Secure Access Control Server
Answer: A,C
QUESTION NO: 51

In today's typical single-tier firewall system, which three security components can be found? (Choose three.)
A. Network Admission Control
B. IPS
C. Stateful Packet filtering with Application Inspection and Control
D. Application Proxy
Answer: B,C,D

QUESTION NO: 52
Before damage can occur to the network, Cisco Security Agent blocks malicious behavior through:
A. Firewall
B. Interception of operating system calls
C. User query and response
D. Third-party Anti-virus software

Answer: B


QUESTION NO: 53
Cisco IOS Control Plane Protection is able to be used to protect traffic to which three router control plane subinterfaces? (Choose three.)
A. transit
B. cpu
C. host
D. CEF-exception
Answer: A,C,D
QUESTION NO: 54
Which item will be used on Cisco IP Phones so that they can authenticate before obtaining network access?
A. Cisco Security Agent
B. One-time Password

C. IEEE 802.1X Supplicant
D. AAA Client

Answer: C


QUESTION NO: 55
Can you tell me which authentication protocol can provide single sign-on (SSO) services?
A. EAP
B. TACACS+
C. RADIUS
D. Kerberos
Answer: D


QUESTION NO: 56
Why is GET VPN not deployed over the public Internet?
A. Because the GET VPN group members use multicast to register with the key servers
B. Because the GET VPN key servers and group members require a secure path to exchange the Key Encryption Key (KEK) and the Traffic Encryption Key (TEK)
C. Because the GET VPN uses IPSec transport mode, which would expose the IP Addresses to the public if using the Internet
D. Because the GET VPN preserves the original source and destination IP addresses, which may be private addresses that are not routable over the Internet
Answer: D


QUESTION NO: 57
The Cisco IOS Resilient Configuration feature enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash). What is the objective of the Cisco IOS resilient configuration?
A. Improve the speed of Cisco IOS image or configuration recovery process
B. Allow a compromise of the router
C. Enable primary and backup operations of two Cisco IOS routers
D. Enable redundant Cisco IOS images for fault tolerance router operations

Answer: A


QUESTION NO: 58
While implementing a proxy component within a firewall system, which method will be used?
A. In-band or out-of-band
B. Layer 2 or Layer 3
C. Transparent or non-transparent
D. Routed or bridged
Answer: C


QUESTION NO: 59
The Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS) is an appliance-based, all-inclusive solution that provides unmatched insight and control of your existing security deployment. Which is not an advantage of Cisco Security MARS?
A. Contains scalable, distributed event and analysis architecture
B. Is network topology aware
C. Performs automatic Mitigation on Layer 2 devices
D. Provides rapid profile-based provisioning capabilities
Answer: D


QUESTION NO: 60
Adaptive Threat Defense or ATD encompasses three areas: Anti-X defense, application security and network control and containment. Identify three components of the anti-X defense pillar.
A. URL filtering
B. Application-level role-based access control
C. Distributed denial of service mitigation
D. Anomaly detection
Answer: A,C,D
QUESTION NO: 61

Of the following EAP authentication methods, which one needs both a client and a server digital certificate?
A. EAP-FAST
B. PEAP-GTC
C. EAP-TLS
D. EAP-MS-CHAP
Answer: C


QUESTION NO: 62
Cisco NAC Appliance (formerly Cisco Clean Access) is an easily deployed Network Admission Control (NAC) product that allows network administrators to authenticate, authorize, evaluate and remediate wired, wireless and remote users and their machines prior to allowing users onto the network. It identifies whether networked devices such as laptops, desktops and other corporate assets are compliant with a network's security policies and it repairs any vulnerabilities before permitting access to the network. Which two of these statements describe features of the NAC Appliance Architecture? (Choose two.)
A. NAC Appliance Client evaluates the endpoint security information
B. NAC Appliance Manager acts as an authentication proxy for external authentication servers
C. NAC Appliance Server acts as an authentication proxy for internal user authentication
D. NAC Appliance Manager determines the appropriate access policy
Answer: B,D
QUESTION NO: 63
Of the following Cisco products, which two are best positioned for data loss prevention? (Choose two.)
A. Cisco Security Agent 6.0
B. Cisco IPS 6.0
C. Cisco NAC Appliance
D. Cisco IronPort C-Series Appliances
Answer: A,D
QUESTION NO: 64

_______________ is a valid method to verify a network security design?
A. Network Audit
B. Computer Simulation
C. Pilot or prototype network
D. Network Security

Answer: C


QUESTION NO: 65
Cisco NAC Appliance (formerly Cisco Clean Access) is an easily deployed Network Admission Control (NAC) product that allows network administrators to authenticate, authorize, evaluate and remediate wired, wireless and remote users and their machines prior to allowing users onto the network. It identifies whether networked devices such as laptops, desktops and other corporate assets are compliant with a network's security policies and it repairs any vulnerabilities before permitting access to the network. In which way do components of the NAC Appliance architecture communicate?
A. Sending check-up instructions to the NAC Appliance Server
B. Sending remediation instructions to the NAC Appliance Agent
C. Sending procedure instructions to the NAC Appliance Server
D. Sending block instructions to the NAC Appliance Agent
Answer: B


QUESTION NO: 66
You are the network engineer at Your company. Which component should not be included in a security policy?
A. Identification and authentication policy
B. Incident handling procedure
C. Security best practice
D. Statement of authority and scope
Answer: C


QUESTION NO: 67
While using the Gateway Load Balancing Protocol to enable high-availability Cisco IOS Firewalls, what should be configured to maintain symmetric flow of traffic?

A. Static Routing
B. CEF
C. Dynamic Routing
D. Network Address Translation (NAT)
Answer: D


QUESTION NO: 68
You are the network engineer at Your company. Please point out two components included in a detailed design document for a security solution.
A. Proof of Concept
B. IDS
C. Existing Network Infrastructure
D. WEP
Answer: A,C
QUESTION NO: 69
IPS platform ________ can operate in inline mode only.
A. Cisco IOS IPS
B. Cisco IPS 4200 Series Sensor
C. IDSM-2
D. Cisco ASA AIP SSM
Answer: A


QUESTION NO: 70
You are the network consultant from Your company. Please point out two key features of the collaborative security approach.
A. Network Admission Control
B. Automated event and action filters
C. Coordinated defense of potential entry points
D. Integration of security features in network equipment
Answer: A,C


QUESTION NO: 71
The Cisco IOS Resilient Configuration feature enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and Flash). What is the objective of the Cisco IOS resilient configuration?
A. Improve the speed of Cisco IOS image or configuration recovery process
B. Enable primary and backup operations of two Cisco IOS routers
C. Allow a compromise of the router
D. Enable redundant Cisco IOS images for fault tolerance router operations
Answer: A


QUESTION NO: 72
Which three functions can be provided by the Cisco ACE 4710 Appliance in the enterprise data center? (Choose three.)
A. HTTPS session decryption through SSL/TLS termination
B. SYN flooding attacks protection
C. XML firewalling
D. HTTP protocol verification
Answer: A,B,D
QUESTION NO: 73
Secure Sockets Layer (SSL) is a cryptographic protocol that provides security and data integrity for communications over TCP/IP networks such as the Internet. When SSL uses TCP encapsulation on Cisco SSL VPNs, the user's TCP session is transported over another TCP session, thus making flow control inefficient if a packet is lost. Which is the best solution to this problem?
A. DAP
B. Cisco Secure Desktop
C. DTLS
D. SSL Traversal
Answer: C


QUESTION NO: 74
Which method can be used by Cisco SSL VPN solution to provide connections between a Winsock2, TCP-based application and a private site without requiring administrative privileges?
A. Application plug-ins
B. Port Forwarding
C. Cisco Secure Desktop
D. Smart tunnels
Answer: D


QUESTION NO: 75
Study the exhibit below carefully, which statement is true about the security architecture, which is used to protect the multi-tiered web application?

A. The firewall systems in the first and second tiers should be implemented with identical security controls to provide defense in depth.
B. This architecture supports application tiers that are dual homed.
C. All the servers are protected by the dual-tier firewall systems and do not require additional endpoint security controls.
D. The second-tier Cisco ASA AIP-SSM should be tuned for inspecting Oracle attack signatures
Answer: D


QUESTION NO: 76
You work as a network operator for an IT company. You have just detected a distributed DoS attack which appears to have sources from many hosts in network X/24. You must take preventive action to block all offending traffic, so you announce a BGP route, with the next-hop attribute of 172.31.1.1, for the X/24 network of the attacker. Which two methods will be adopted by the routers at the regional office, branch office, and telecommuter location to prevent traffic going to and from the attacker? (Choose two.)


A. a prefix list to block routing updates about the X/24 network
B. a static route to 172.31.1.1/32, which points to a null interface
C. a dynamic ACL entry to block any traffic that is sourced from the X/24 network
D. strict uRPF
Answer: B,D
QUESTION NO: 77
You are a network engineer of your company. Study the following exhibit carefully, which three Cisco IOS features could be used on the VPN gateways (Cisco IOS routers) to implement high availability for remote-access IPsec VPN? (Choose three.)


A. Dynamic VTIs
B. Reverse Route Injection (RRI)
C. cooperative key servers
D. Dead Peer Detection (DPD)
Answer: A,B,D

QUESTION NO: 78
Which Cisco Security product is used to perform a Security Posture Assessment of client workstations?
A. Adaptive Security Appliance
B. Cisco Security Agent
C. Cisco Security Posture Assessment Tool
D. Cisco NAS Appliance
E. Cisco ACS

Answer: D


QUESTION NO: 79
Which three policy types can be assigned to a network user role in the Cisco NAC Appliance architecture? (Choose three.)
A. Allowed IP Address ranges
B. Network Port Scanning Plug-ins
C. VPN and roaming policies
D. Inactivity period
E. Session Duration
F. Minimum Password length
Answer: B,C,E

QUESTION NO: 80
Which two components should be included in a network design document? (Choose two.)
A. Complete network blueprint
B. Operating Expense
C. Risk Analysis

D. Configuration for each device
E. Detailed part list
Answer: A,E
QUESTION NO: 81 DRAG DROP
Look at the picture.

Answer:



QUESTION NO: 82
Which statement is true about the Cisco Security MARS Global Controller?
A. Rules that are created on a Local Controller can be pushed to the Global Controller
B. Most data archiving is done by the Global Controller
C. The Global Controller receives detailed incidents information from the Local Controllers and correlates the incidents between multiple Local Controllers
D. The Global Controller centrally manages a group of Local Controllers
Answer: D


QUESTION NO: 83
Which certificates are needed for a device to join a certificate-authenticated network?
A. The Certificates of the device and its peer
B. The Certificates of the certificate authority, the device and the peer
C. The Certificates of the certificate authority and the peer
D. The Certificates of the certificate authority and the device
Answer: D


QUESTION NO: 84
Which three Cisco Security products help to prevent application misuse and abuse? (Choose three.)
A. Cisco ASA 5500 Series Adaptive Security Appliances
B. Cisco IOS FW and IPS
C. Cisco Traffic Anomaly Detector
D. Cisco Security Agent
E. Cisco Trust Agent
F. NAC Appliance (Cisco Clean Access)
Answer: A,B,D
QUESTION NO: 85 DRAG DROP
You work as a network engineer at Your company. Your boss is interested in attack methodologies. Match the descriptions with the proper methodology. Use only options that apply.


Answer:

Explanation:




QUESTION NO: 86
Which two of these features are integrated security components of the Cisco Adaptive Security Appliance? (Choose two.)
A. VRF-aware firewall
B. Cisco ASA AIP SSM
C. VTI
D. Control Plane Policing
E. Anti-X
F. DMVPN
Answer: B,E
QUESTION NO: 87
Which two of these statements describe features of the NAC Appliance architecture? (Choose two.)
A. NAC Appliance Servers managed by the same NAC Appliance Manager can run in mixed mode (inline or out-of-band)
B. NAC Appliance Agent has the auto-upgrade feature
C. NAC Appliance High Availability uses VRRP
D. The standard NAC Appliance Manager can manage up to 40 NAC Appliance Servers failover pairs
E. The NAC Appliance Agent is bundled with the NAC Appliance Server Software
Answer: A,B

QUESTION NO: 88
Which three of these security products complement each other to achieve a secure remote-access solution? (Choose three.)
A. Cisco GET VPN
B. Cisco Security MARS
C. URL Filtering Server
D. Cisco Secure Access Control Server
E. NAC Appliance
F. Adaptive Security Appliance
Answer: D,E,F

QUESTION NO: 89
What are two functions of Cisco Security Agent? (Choose two.)
A. Spam Filtering
B. Authentication
C. Resource Protection
D. User tracking
E. Control of Executable Content
Answer: C,E


QUESTION NO: 90
Which two should be included in an analysis of a security posture assessment? (Choose two.)
A. Identification of bottlenecks inside the network
B. Recommendations based on security best practice
C. Identification of critical deficiencies
D. Service offer
E. Detailed action plan

Answer: B,C
QUESTION NO: 91
Which three of these security products complement each other to achieve a secure e-banking solution? (Choose three.)
A. Cisco Trust Agent
B. CCA Agent
C. Cisco Security Agent
D. Cisco IOS DMVPN
E. Cisco Intrusion Prevention System
F. Cisco Adaptive Security Appliance
Answer: C,E,F

QUESTION NO: 92
Your company wants to implement the PCI Data Security Standard to protect sensitive cardholder information. They are planning to use RSA to ensure data privacy, integrity and origin authentication. Which two of these statements describe features of the RSA keys? (Choose two.)
A. The private key only decrypts
B. The private key both encrypts and decrypts
C. The public key only decrypts
D. The public key both encrypts and decrypts
E. The private key only encrypts
F. The public key only encrypts
Answer: B,D

QUESTION NO: 93
Which three technologies address ISO 17799 requirements for unauthorized access prevention? (Choose three.)
A. Cisco Secure Access Control Server
B. 802.1X
C. SSL VPN
D. Network Admission Control
E. Intrusion Prevention System

F. Cisco Security MARS
Answer: A,B,D

QUESTION NO: 94
Which two of these features are supported by Cisco Security MARS running software version 4.2.x? (Choose two.)
A. Attack capture and playback
B. User login authentication using external AAA Server
C. Inline or promiscuous mode operation
D. NetFlow for Network profiling and anomaly detection
E. Role-based access and dashboards
F. Hierarchical Design using global and local controllers
Answer: D,F

QUESTION NO: 95
Which of these characteristics is a feature of AES?
A. It is not supported by hardware accelerators but runs very fast in software
B. It provides strong encryption and authentication
C. It has a variable key length
D. It should be used with key lengths greater than 1024 bits

Answer: C


QUESTION NO: 96
Which protocol should be used to provide secure communications when performing shunning on a network device?
A. SSH
B. Telnet
C. SNMPv2
D. SSL
E. SNMPv3
Answer: A


QUESTION NO: 97 DRAG DROP
Look at the picture.

Answer:


QUESTION NO: 98
How does CSA protect endpoints?
A. Uses deep-packet application inspection to control application misuse and abuse
B. Uses file system, network, registry and execution space interceptors to stop malicious activity
C. Works at the application layer to provide buffer overflow protection
D. Uses signatures to detect and stop attacks
E. Works in conjunction with antivirus software to lock down the OS
Answer: B
QUESTION NO: 99

What are the advantages of IPSec-based site-to-site VPNs over traditional WAN networks?
A. Delay guarantees, span, performance, security and low cost
B. Span, flexibility, security and low cost
C. Bandwidth guarantees, support for non-IP protocols, scalability and modular design guidelines
D. Bandwidth guarantees, flexibility, security and low cost
Answer: B


QUESTION NO: 100
Identify two ways to create a long-duration query on the Cisco Security MARS Appliance. (Choose two.)
A. By Modifying an existing report
B. By submitting a query inline
C. By Submitting a batch query
D. By saving a query as a rule
E. By saving a query as a report
Answer: A,C
QUESTION NO: 101
Which two features work together to provide anti-X defense? (Choose two.)
A. Enhanced Security state assessment
B. Network Security event correlation
C. Cisco AutoSecure
D. Enhanced Application inspection engines
E. Cisco IPS Sensors
Answer: D,E


QUESTION NO: 102
Which IPS platform can operate in inline mode only?
A. Cisco ASA AIP SSM
B. IDSM-2
C. Cisco IPS 4200 Series Sensor
D. Cisco IOS IPS
Answer: D


QUESTION NO: 103
Which three components should be included in a security policy? (Choose three.)
A. Security best practice
B. Incident handling procedure
C. Software Specifications
D. Statement of authority and scope
E. Security product recommendation
F. Identification and authentication policy
Answer: B,D,F
QUESTION NO: 104
What is the purpose of SNMP community strings when adding reporting devices into a newly installed Cisco Security MARS Appliance?
A. To pull the log information from devices
B. To reconfigure managed devices
C. To discover and display the full topology
D. To import the device configuration
Answer: C


QUESTION NO: 105
What are three advantages of Cisco Security MARS? (Choose three.)
A. Fixes Vulnerable and infected devices automatically
B. Is network topology aware
C. Provides rapid profile-based provisioning capabilities
D. Contains scalable, distributed event analysis architecture
E. Performs automatic mitigation on Layer 2 devices
F. Ensures that the user device is not vulnerable
Answer: B,D,E

QUESTION NO: 106
What is the security issue in classic packet filtering of active FTP sessions?
A. The established keyword can't be used for control or data sessions
B. Allowing control sessions to the client opens up all the high ports on the client
C. Allowing data sessions to the client opens up all the high ports on the client
D. The control session can't be adequately filtered
Answer: C


QUESTION NO: 107
Which two components should be included in a detailed design document for a security solution? (Choose two.)
A. Traffic growth forecast
B. Data Source
C. Proof of concept
D. Existing Network Infrastructure
E. Weak-link description
F. Organizational Chart
Answer: C,D
QUESTION NO: 108
Which statement is true regarding Cisco IOS IPS performance and capabilities?
A. Cisco IOS IPS signatures have a minimal impact on router memory
B. Cisco IOS IPS offers a wider signature coverage than the IDSM-2 module
C. All Cisco IOS IPS signatures should be enabled to maximize the coverage, except for false-positives reduction
D. Cisco IOS IPS uses a parallel signature-scanning engine to scan for multiple patterns within a signature micro-engine at any given time
Answer: D
QUESTION NO: 109
How is Cisco IOS Control Plane Policing achieved?
A. By using AutoQoS to rate-limit Control Plane traffic
B. By adding a server-policy to virtual terminal lines and the console port
C. By Applying a QoS policy in control plane configuration mode
D. By disabling unused services
E. By Rate limiting the exchange of routing protocol updates

Answer: C


QUESTION NO: 110
What are three functions of Cisco Security Agent? (Choose three.)
A. Local Shunning
B. Device-based registry scans
C. Malicious mobile code protection
D. Flexibility against new attacks through customizable signature "on the fly"
E. Spyware and adware protection
F. Protection against buffer overflows
Answer: C,E,F
QUESTION NO: 111
What are two main reasons for a customer to implement Cisco Clean Access? (Choose two.)
A. Integrated network intelligence for superior event aggregation, reduction and correlation
B. Enforcement of Security Policies by making compliance a condition of access
C. Provision of secure remote access
D. Significant cost savings by automating the process of repairing and updating user machines
E. Focus on validated incidents, not investigating isolated events
F. Implementation of NAC Phase-1
Answer: B,D


QUESTION NO: 112
Which two statements are true about symmetric key encryption? (Choose two.)
A. RSA is an example of symmetric key encryption
B. The key exchange can take place via a nonsecure channel
C. It is typically used to encrypt the content of a message
D. It uses secret-key cryptography
E. Encryption and decryption use different keys
Answer: C,D
QUESTION NO: 113
Which three elements does the NAC Appliance Agent check on the client machine? (Choose three.)
A. Presence of Cisco Trust Agent
B. Presence of Cisco Security Agent
C. Registry Keys
D. IP Address
E. Microsoft hotfixes
Answer: B,C,E

QUESTION NO: 114
In which two ways do Cisco ASA 5500 Series Adaptive Security Appliances achieve containment and control? (Choose two.)
A. By probing end systems for compliance
B. By Enabling business to create secure connections
C. By preventing unauthorized network access
D. By performing traffic anomaly detection
E. By tracking the state of all network communications
Answer: C,E


QUESTION NO: 115
Which two statements mitigate the threat of a SYN flood attack? (Choose two.)
A. MARS flood automitigation
B. Cisco IOS IPS
C. NAC Appliance Security Posture Validation
D. ASA TCP Intercept
E. ASA Enhanced application inspection
F. Cisco IOS FPM
Answer: B,D
QUESTION NO: 116
Which three of these features are key elements of the Adaptive Threat Defense? (Choose three.)
A. Ability of a network to identify, prevent and adapt to security threats
B. Active management and mitigation
C. Multilayer intelligence
D. Blend of IP and Security technologies
E. Dynamic adjustment of risk ratings
F. Feature consistency
Answer: B,C,E

QUESTION NO: 117
Which two technologies can prevent the Slammer worm from compromising a host? (Choose two.)
A. NAC Appliance Security posture validation
B. ASA stateful firewall
C. Cisco IOS IPS
D. ASA enhanced application inspection
E. Cisco IOS FPM
F. Cisco Trust Agent
Answer: C,E


QUESTION NO: 118
Which two features work together to provide anti-X defense? (Choose two.)
A. Enhanced Application inspection engines
B. Enhanced Security state assessment
C. Cisco AutoSecure
D. Network Security event correlation
E. Cisco IPS Sensors

Answer: A,E
QUESTION NO: 119
Which primary security design components should be addressed while implementing secure WAN solutions? (Not all design components are required.)
1. authentication and transmission protection
2. network infrastructure device hardening
3. boundary access control
4. topology
5. high availability
6. performance and scalability
7. resource separation

A. 1, 2, 4, 5, 6
B. 1, 2, 3, 4, 5
C. 1, 2, 3, 5, 6
D. 2, 3, 4, 5, 6

Answer: A


QUESTION NO: 120
Which two technologies mitigate the threat of a SYN Flood attack? (Choose two.)
A. NAC Appliance Security Posture Validation
B. Cisco IOS IPS
C. ASA Enhanced Application inspection
D. Cisco IOS FPM
E. ASA TCP intercept
F. MARS Flood automitigation
Answer: B,E
QUESTION NO: 121
Which two of these features are the most appropriate test parameters for the acceptance test plan of a secure connectivity solution? (Choose two.)
A. Certificate enrollment and revocation
B. High availability
C. Privacy of key exchange
D. Duration of the key refresh operation
E. Resistance Against brute-force attacks
Answer: A,B

QUESTION NO: 122
Which two technologies address ISO 17799 requirements in detecting, preventing and responding to attacks and intrusion? (Choose two.)
A. Cisco Trust Agent
B. 802.1X
C. Cisco Security MARS
D. Cisco Security Agent
E. Cisco NAC Appliance
F. DMVPN
Answer: C,D

QUESTION NO: 123
When a FWSM is operating in transparent mode, what is true?
A. The FWSM does not support multiple security contexts
B. Each directly connected network must be on the same subnet
C. The FWSM supports up to 256 VLANs
D. Each interface must be on the same LAN
Answer: B


QUESTION NO: 124
Which encryption protocol is suitable for an enterprise with standard security requirements?
A. SHA-256
B. 768-bit RSA encryption
C. DES
D. MD5
E. AES-128

Answer: E


QUESTION NO: 125
Which three factors can affect the risk of an IPS alert? (Choose three.)
A. Attacker Location
B. Relevance
C. Signature Fidelity
D. Event Severity
E. Signature Priority
F. Asset Integrity
Answer: B,C,D
QUESTION NO: 126
Which encryption protocol is suitable for an enterprise with standard security requirements?
A. 768-bit RSA encryption
B. SHA-256
C. AES-128
D. MD5
E. DES

Answer: C


QUESTION NO: 127
Which three of these items are features of the Cisco Secure Access Control Server? (Choose three.)
A. CA Database
B. LDAP
C. RSA Certificates
D. Kerberos
E. NDS
F. Local OTP
Answer: B,C,E

QUESTION NO: 128
Which two of these characteristics apply to promiscuous IPS operation? (Choose two.)
A. Invisible to the attacker
B. Impacts connectivity in case of failure or overload
C. Increase latency
D. Can use stream normalization techniques
E. Typically used with SPAN on the Switches
F. Less vulnerable to evasion techniques than inline mode
Answer: A,E
QUESTION NO: 129
Your company wishes to adopt the Adaptive Threat Defense Architecture in their security policy. Identify three components of the anti-X defense pillar. (Choose three.)
A. URL filtering
B. Distributed denial-of-service mitigation
C. Anomaly detection
D. Application-level role-based access control
E. Network auditing
F. Transaction privacy
Answer: A,B,C


QUESTION NO: 130
Which three security controls can be provided by digital signatures? (Choose three.)
A. Anti-replay
B. Integrity
C. Authenticity
D. Nonrepudiation
Answer: B,C,D
QUESTION NO: 131
What are three advantages of Cisco Security MARS? (Choose three.)
A. Performs automatic mitigation on Layer 2 devices
B. Contains scalable, distributed event analysis architecture
C. Is network topology aware
D. Fixes Vulnerable and infected devices automatically
E. Provides rapid profile-based provisioning capabilities
F. Ensures that the user device is not vulnerable
Answer: A,B,C
QUESTION NO: 132
Which two of these statements describe features of the NAC Appliance Architecture? (Choose two.)
A. The standard NAC Appliance Manager can manage up to 40 NAC Appliance Server failover pairs
B. The NAC Appliance Agent is bundled with the NAC Appliance Server Software
C. NAC Appliance Agent has the auto-upgrade feature
D. NAC Appliance Servers managed by the same NAC Appliance Manager can run in mixed mode (inline or out-of-band)
E. NAC Appliance high availability VRRP
Answer: C,D

QUESTION NO: 133
Which IPS feature models worm behavior and correlates the specific time between events, network behavior and multiple exploit behavior to more accurately identify and stop worms?
A. Meta Event Generator
B. Security Device Event Exchange support
C. Risk Rating
D. Traffic normalization
Answer: A


QUESTION NO: 134
Which two are main security drivers? (Choose two.)
A. Business needs
B. Optimal network operation
C. Compliance with company policy
D. Increased productivity
E. Security legislation
Answer: C,E
QUESTION NO: 135
What are the major characteristics for designing a VPN for existing networks?
A. Performance, topology and price
B. Topology, high availability, security, scalability, manageability and performance
C. Intended use, existing installation and desired functionality
D. Vendors and the functionality of the installed equipment

Answer: B


QUESTION NO: 136
What are the advantages of IPSec-based Site-to-Site VPNs over traditional WAN networks?
A. Span, flexibility, security and low cost
B. Delay guarantees, span, performance, security and low cost
C. Bandwidth guarantees, support for non-IP Protocols, Scalability and modular design guidelines
D. Bandwidth guarantees, flexibility, security and low cost
Answer: A


QUESTION NO: 137
Refer to the following Cisco products, which two can provide a captive portal to authenticate wireless users? (Choose two.)
A. Cisco NAC Profiler
B. WLAN Controller
C. Cisco NAC Guest Server
D. Cisco ASA
Answer: B,C

QUESTION NO: 138
Which option is correct about the relationship between the terms and their descriptions?
1. true positives
2. false positives
3. true negatives
4. false negatives

a. security control has not acted, even though there was malicious activity
b. security control has not acted, as there was no malicious activity
c. security control acted as a consequence of non-malicious activity
d. security control acted as a consequence of malicious activity

A. a-4,b-3,c-2,d-1
B. a-4,b-3,c-1,d-2
C. a-4,b-2,c-1,d-3
D. a-4,b-2,c-3,d-1

Answer: A


QUESTION NO: 139
Observe the following Cisco software agents carefully, can you tell me which one uses content scanning to identify sensitive content and controls the transfer of sensitive content off the local endpoint over removable storage, locally or network-attached hardware, or network applications?
A. Cisco IronPort Agent 3.0
B. Cisco Trust Agent 2.0
C. Cisco NAC Appliance Agent 4.1.3
D. Cisco Security Agent 6.0
Answer: D


QUESTION NO: 140
Look at the following items carefully, which Cisco ASA's Unified Communications proxy feature manipulates both the signaling and the media channels?
A. CUMA Proxy
B. TLS Proxy
C. H.323 Proxy
D. Phone Proxy
Answer: D


QUESTION NO: 141
Which Cisco product can provide endpoint-based trusted-traffic marking while implementing QoS?
A. Cisco Trust Agent
B. Cisco Secure Services Client
C. Cisco Secure Desktop
D. Cisco Security Agent
Answer: D


QUESTION NO: 142
In multi-tier applications and multi-tier firewall designs, which additional security control can be used to force an attacker to compromise the exposed server before the attacker attempts to penetrate the more protected domains?
A. Implement host IPS on the exposed servers in the DMZs.
B. Make exposed servers in the DMZs dual homed.
C. At each tier, implement a transparent proxy component within the firewall system.
D. Implement in-band network admission control at the first tier.
Answer: B


QUESTION NO: 143
You are the network consultant from Company.com. Please point out three technologies that address ISO 17799 requirements for unauthorized access prevention.
A. VPN
B. Cisco Secure Access Control Server
C. 802.1X
D. Network Admission Control
Answer: B,C,D

QUESTION NO: 144
Which Cisco Catalyst Series switch feature can be used to integrate a tap-mode (promiscuous mode) IDS/IPS sensor into the network?
A. PVLAN Trunk
B. PVLAN Edge
C. Cisco Express Forwarding Switching
D. Switch Port ANalyzer (SPAN)
Answer: D


QUESTION NO: 145
Cisco Security MARS and Cisco Security Manager could work together to implement which two functions? (Choose two.)
A. False-positive tuning
B. Incident-vector analysis
C. Firewall events-to-Cisco Security MARS events correlations
D. IPS events-to-Cisco Security MARS events correlations
Answer: C,D
QUESTION NO: 146
Which item is correct about the relationship between the VPN types and their descriptions?
1. DMVPN
2. GET VPN
3. DGVPN
4. Dynamic VTI
5. Crypto maps

a. supported on Cisco IOS routers and ASAs
b. provides on-demand virtual access interface cloned from a virtual template configuration
c. combines two VPN technologies
d. provides tunnel-less any-to-any connectivity
e. supports routing protocol over VPN tunnels

A. a-5,b-4,c-1,d-2,e-3
B. a-5,b-4,c-3,d-1,e-2
C. a-5,b-3,c-2,d-4,e-1
D. a-5,b-4,c-3,d-2,e-1

Answer: D


QUESTION NO: 147
Which Cisco ASA configuration is needed to perform active/active failover?
A. Policy-based routing
B. Redundant interfaces
C. Virtual contexts
D. VLANs
Answer: C


QUESTION NO: 148
Which two key criteria will be used while sizing Cisco Security MARS model to deploy? (Choose two.)
A. Auto-mitigation requirements
B. Using a one-, two-, or three-tier Cisco Security MARS architecture
C. Events-storage requirements
D. Incoming events per second rate
Answer: C,D
QUESTION NO: 149
By use of Cisco ASA active/active stateful failover, what happens if the return packet of an existing connection is not found in the local Cisco ASA connection table?
A. The local Cisco ASA will forward the packet if it is permitted by the inbound ACL.
B. The local Cisco ASA will perform a reverse path forwarding check to determine whether to forward or drop the packet.
C. The local Cisco ASA will determine, based on its routing table, whether to forward or drop the packet.
D. The local Cisco ASA will examine the copy of the other Cisco ASA's connection table and, if a match is found, will forward the packet to the other Cisco ASA.


Answer: D


QUESTION NO: 150
Which statement best describes the Cisco ASA encrypted voice inspection capability?
A. The Cisco ASA decrypts, inspects, then re-encrypts voice-signaling traffic; all of the existing VoIP inspection functions for SCCP and SIP protocols are preserved.
B. TLS proxy applies to the encryption layer and is configured by using a Layer 3/4 inspection policy on the Cisco ASA.
C. The Cisco ASA does not support PAT and NAT for SCCP inspection.
D. The Cisco ASA serves as a proxy for both client and server, with the Cisco IP Phone and the Session Border Controller.
Answer: A


QUESTION NO: 151
Which one of the following uRPF options allows for asymmetrical routing?
A. Dynamic uRPF
B. Strict uRPF
C. Loose uRPF
D. Unidirectional uRPF
Answer: C

QUESTION NO: 152
MPLS VPN provides or supports all of the following items except which one?
A. Any-to-any connectivity
B. Customer's IGP routing
C. Confidentiality
D. Customer's isolation
Answer: C
QUESTION NO: 153
Look at the following Cisco ASA SSL VPN pre-login checks carefully, which five are supported by the Cisco Secure Desktop? (Not all the checks are required.)
1. Registry check
2. File check
3. Antivirus check
4. Antispam check
5. Personal firewall check
6. Certificate check
7. Windows version check

A. 1,2,3,7,5
B. 1,2,6,7,5
C. 1,2,3,4,5
D. 1,2,4,5,6
Answer: B


QUESTION NO: 154
While performing point-to-point secure WAN solutions over the Internet, which alternative Cisco IOS method is available if GRE-over-IPsec tunnels could not be used?
A. Dynamic crypto maps
B. Virtual Tunnel Interfaces (VTIs)
C. GET VPN
D. MPLS VPN
Answer: B

QUESTION NO: 155
Which one of the following methods can be used to scale Cisco Security MARS deployments?
A. Use the Cisco Security MARS syslog forwarding feature to offload the syslog storage requirement to an external server.
B. Migrate from the Gen1 to Gen2 Cisco Security MARS platforms.
C. Use redundant or duplicated Cisco Security MARS appliances to implement a multi-tier architecture.
D. Divide the network into multiple zones, then use the global/local controllers approach.
Answer: D

QUESTION NO: 156
Which functionality can be used by the Cisco Security MARS security appliance to achieve events aggregation?
A. Events action filters
B. Cisco Security Manager policy correlations
C. Summarization
D. Sessionization
Answer: D


QUESTION NO: 157
Which of these items is a feature of a system-level approach to security management?
A. Multiple cross-vendor management platforms
B. Complex Operations
C. Responsibility sharing
D. Single-element management
E. High Availability
Answer: E


QUESTION NO: 158
Which primary security design components should be addressed while performing Enterprise Internet Access protection? (Not all design components are required.)
1. resource separation
2. network infrastructure device hardening
3. network signaling protection
4. boundary access control
5. compliance assessment
6. endpoint protection

A. 1, 3, 4, 6
B. 1, 4, 5, 6
C. 1, 2, 4, 6
D. 1, 2, 3, 6

Answer: C


QUESTION NO: 159
For the following items, which two are differences between symmetric and asymmetric encryption algorithms? (Choose two.)
A. Asymmetric encryption is slower than symmetric encryption
B. Asymmetric encryption is more suitable than symmetric encryption for real-time bulk encryption
C. Symmetric encryption is used in digital signatures and asymmetric encryption is used in HMACs
D. Asymmetric encryption requires a much larger key size to achieve the same level of protection as symmetric encryption
Answer: A,D
QUESTION NO: 160
Which items are the most common methods used for managing risk?
A. Risk reduction
B. Risk avoidance
C. Risk transfer
D. Risk retention/acceptance
Answer: A,B,C,D

QUESTION NO: 161
Which option is correct about the relationship between the malware type and its description?
1. virus
2. worms
3. botnets
4. spyware
5. Trojan horses
6. rootkits

a. collection of compromised computers under a common command-and-control infrastructure
b. typically used to monitor user actions
c. autonomously spreads to other systems without user interaction
d. malware that hides through evasion of the operating system security mechanisms
e. requires some user action to infect the system
f. malware that hides inside another legitimate-looking application

A. a-3,b-4,c-2,d-6,e-1,f-5
B. a-3,b-2,c-1,d-4,e-6,f-5
C. a-3,b-4,c-2,d-6,e-5,f-1
D. a-3,b-4,c-6,d-2,e-1,f-5

Answer: A


QUESTION NO: 162
Which item is correct about the relationship between the security risk management related term and its proper definition?
1. asset
2. threat
3. vulnerability
4. risk

a. anything that has value to an organization
b. A weakness in a system or its design that could be exploited
c. The likelihood of a particular attack occurring and resulting in an undesirable consequence
d. Any circumstance or event with the potential to cause harm to an information system

A. a-4, b-3, c-2, d-1
B. a-1, b-4, c-3, d-2
C. a-1, b-3, c-4, d-2
D. a-1, b-3, c-2, d-4


Answer: C

QUESTION NO: 163
Which function can be implemented by the Cisco Security Agent data access control feature?
A. Enables trusted QoS marking at the end host
B. Detects changes to system files by examining the file signature
C. Detects attempts to modify the file registry
D. Detects malformed HTTP requests by examining the URI in the HTTP request

Answer: D


QUESTION NO: 164
Which series of steps correctly describes how a challenge-and-response authentication protocol functions?
A. 1. The authenticator sends a random challenge string to the subject being authenticated.
2. The subject being authenticated hashes the challenge using a shared secret password to form a response back to the authenticator.
3. The authenticator performs the same hash method with the same shared secret password to calculate a local response and compares it with the received response.
4. If these match, the subject is authenticated.

B. 1. The subject being authenticated sends a random challenge string to the authenticator.
2. The authenticator encrypts the challenge string with a private key and sends the encrypted random challenge string back to the subject being authenticated.
3. The subject being authenticated decrypts the random challenge string with the public key and compares it to the original random challenge.
4. If these match, the subject is authenticated.

C. 1. The subject being authenticated sends a random challenge string to the authenticator.
2. The authenticator encrypts the challenge string with a shared secret password and sends the encrypted random challenge string back to the subject being authenticated.
3. The subject being authenticated decrypts the random challenge string using the same shared secret key and compares it to the original random challenge.
4. If these match, the subject is authenticated.


Answer: A

QUESTION NO: 165
Which is the primary benefit that DTLS offers over TLS?
A. Both the application and TLS can retransmit lost packets
B. Improves security
C. Provides low latency for real-time applications
D. Uses TCP instead of UDP to provide a reliable Transport mechanism
Answer: C
QUESTION NO: 166

Which attack method is typically used by Pharming attacks that are used to fool users into submitting sensitive information to malicious servers?
A. DHCP exhaustion
B. DNS cache poisoning
C. DHCP server spoofing
D. IP spoofing
Answer: B


QUESTION NO: 167
Match each IKE component to its supported option.
1. IKE authentication
2. IKE encryption
3. IKE data authentication/integrity
4. IKE key negotiation

a. 3DES or AES
b. MD5 or SHA-1
c. pre-shared key or digital certificates
d. DH Group 1, 2, or 5

A. a-1, b-2, c-3, d-4
B. a-2, b-3, c-4, d-1
C. a-2, b-1, c-3, d-4
D. a-2, b-3, c-1, d-4


Answer: D


QUESTION NO: 168
Which one of the following Cisco Security Management products is able to perform (syslog) events normalization?
A. Cisco Security Manager
B. Cisco ASDM
C. Cisco Security MARS
D. Cisco IME
Answer: C