600-199 - Securing Cisco Networks with Threat Detection and Analysis
Go back to Cisco
In what sequence do the proper eradicate/recovery steps take place? 1) Re-image 2) Restore 3) Patch 4) Backup
4, 1, 3, 2
Which is considered to be anomalous activity?
an alert context buffer containing an FTP server SYN scanning your network
Which two types of data are relevant to investigating network security issues? (Choose two.)
In the context of a network security device like an IPS, which event would qualify as having the highest severity?
remote code execution attempt
In a network security policy, which procedure should be documented ahead of time to speed the communication of a network attack?
a method of communication and who to contact
Which network management protocol relies on multiple connections between a managed device and the management station where such connections can be independently initiated by either side?
Which event is actionable?
reverse shell detected
Which describes the best method for preserving the chain of evidence?
Identify the infected machine, disconnect from the network, and contact the local authorities.
Which protocol is typically considered critical for LAN operation?
Which data is the most useful to determine if a network attack was occurring from inbound Internet traffic?
NetfFow data from border firewall(s)
If an alert that pertains to a remote code execution attempt is seen on your network, which step is unlikely to help?
clearing the event store to see if future events indicate malicious activity
Which source should be used to recommend preventative measures against security vulnerabilities regardless of operating system or platform?
Common Vulnerabilities and Exposure website
Which publication from the ISO covers security incident response?
Which two measures would you recommend to reduce the likelihood of a successfully executed network attack from the Internet? (Choose two.)
Deploy a stateful edge firewall.
Implement a password management policy for remote users.
What is the most effective way to save the data on a system for later forensic use?
Use a hard duplicator with write-block capabilities.
The IHL is a 4-bit field containing what measurement?
the number of 32-bit words in the IP header
What does the acronym "CSIRT" stand for?
Computer Security Incident Response Team
Which event is likely to be a false positive?
a signature addressing an ActiveX vulnerability alert on a Microsoft developer network documentation page
Given the signature "SQL Table Manipulation Detected", which site may trigger a false positive?
a company selling discount dining-room table inserts
What is the most important reason for documenting an incident?
It could be used as evidence for a criminal case.
What is the maximum size of an IP datagram?
As a part of incident response, which action should be performed?
maintain data security and custody for future forensics use
Where should you report suspected security vulnerability in Cisco router software?
Which two statements about the IPv4 TTL field are true? (Choose two.)
Each router that forwards an IP datagram reduces the TTL value by one.
It is used to limit the lifetime of an IP datagram on the Internet.
Which would be classified as a remote code execution attempt?
OLE stack overflow detected
Which data from previous network attacks should be used to recommend architectural changes based on potential future impact?
Which step should be taken first when a server on a network is compromised?
Refer to the company security policy.
Which attack exploits incorrect boundary checking in network software?
For TCP and UDP, what is the correct range of well-known port numbers?
0 - 1023
Which three statements are true about the IP fragment offset? (Choose three.)
A fragment offset of 0 indicates that it is the first in a series of fragments.
A fragment offset helps determine the position of the fragment within the reassembled datagram.
A fragment offset is measured in 8-byte units.
If a company has a strict policy to limit potential confidential information leakage, which three alerts would be of concern? (Choose three.)
P2P activity detected
Skype activity detected
Pastebin activity detected
Which will be provided as output when issuing the show processes cpu command on a Cisco IOS router?
CPU utilization of device
A server administrator tells you that the server network is potentially under attack. Which piece of information is critical to begin your network investigation?
IP addresses/subnets used for the servers
When investigating potential network security issues, which two pieces of useful information would be found in a syslog message? (Choose two.)
Which command would provide you with interface status information on a Cisco IOS router?
show ip interface brief
When is it recommended to establish a traffic profile baseline for your network?
during normal production hours
Given a Linux machine running only an SSH server, which chain of alarms would be most concerning?
brute force login attempt from outside of the network, followed by an internal network scan
Which three symptoms are best used to detect a TCP SYN flood attack? (Choose three.)
large number of sockets in SYN_RECV state on target server
network monitoring devices report large number of unACKed SYNs sent to target server
user experience with target server is slow or unresponsive
What is the purpose of the TCP SYN flag?
to synchronize the initial sequence number contained in the Sequence Number header field with the other end of the connection
When an IDS generates an alert for a correctly detected network attack, what is this event called?
Which action is recommended to prevent an incident from spreading?
Shut down the switch port.
Which two activities would you typically be expected to perform as a Network Security Analyst? (Choose two.)
Troubleshoot firewall performance.
Create security policies on routers.
After an attack has occurred, which two options should be collected to help remediate the problem? (Choose two.)
syslogs from affected devices