600-199 - Securing Cisco Networks with Threat Detection and Analysis

Example Questions

In what sequence do the proper eradicate/recovery steps take place? 1) Re-image 2) Restore 3) Patch 4) Backup
Which is considered to be anomalous activity?
Which two types of data are relevant to investigating network security issues? (Choose two.)
In the context of a network security device like an IPS, which event would qualify as having the highest severity?
In a network security policy, which procedure should be documented ahead of time to speed the communication of a network attack?
Which network management protocol relies on multiple connections between a managed device and the management station where such connections can be independently initiated by either side?
Which event is actionable?
Which describes the best method for preserving the chain of evidence?
Which protocol is typically considered critical for LAN operation?
Which data is the most useful to determine if a network attack was occurring from inbound Internet traffic?
If an alert that pertains to a remote code execution attempt is seen on your network, which step is unlikely to help?
Which source should be used to recommend preventative measures against security vulnerabilities regardless of operating system or platform?
Which publication from the ISO covers security incident response?
Which two measures would you recommend to reduce the likelihood of a successfully executed network attack from the Internet? (Choose two.)
What is the most effective way to save the data on a system for later forensic use?
The IHL is a 4-bit field containing what measurement?
What does the acronym "CSIRT" stand for?
Which event is likely to be a false positive?
Given the signature "SQL Table Manipulation Detected", which site may trigger a false positive?
What is the most important reason for documenting an incident?
What is the maximum size of an IP datagram?
As a part of incident response, which action should be performed?
Where should you report a suspected security vulnerability in Cisco router software?
Which two statements about the IPv4 TTL field are true? (Choose two.)
Which would be classified as a remote code execution attempt?
Which data from previous network attacks should be used to recommend architectural changes based on potential future impact?
Which step should be taken first when a server on a network is compromised?
Which attack exploits incorrect boundary checking in network software?
For TCP and UDP, what is the correct range of well-known port numbers?
Which three statements are true about the IP fragment offset? (Choose three.)
If a company has a strict policy to limit potential confidential information leakage, which three alerts would be of concern? (Choose three.)
Which will be provided as output when issuing the show processes cpu command on a Cisco IOS router?
A server administrator tells you that the server network is potentially under attack. Which piece of information is critical to begin your network investigation?
When investigating potential network security issues, which two pieces of useful information would be found in a syslog message? (Choose two.)
Which command would provide you with interface status information on a Cisco IOS router?
When is it recommended to establish a traffic profile baseline for your network?
Given a Linux machine running only an SSH server, which chain of alarms would be most concerning?
Which three symptoms are best used to detect a TCP SYN flood attack? (Choose three.)
What is the purpose of the TCP SYN flag?
When an IDS generates an alert for a correctly detected network attack, what is this event called?
Which action is recommended to prevent an incident from spreading?
Which two activities would you typically be expected to perform as a Network Security Analyst? (Choose two.)
After an attack has occurred, which two options should be collected to help remediate the problem? (Choose two.)