Sample Questions and Answers
What is the purpose of Cisco’s Talos?
A) Automate penetration testing
B) Provide threat intelligence and research
C) Manage Wi-Fi networks
D) Train cybersecurity professionals
Answer: B
Explanation: Talos provides threat intelligence feeds and analysis used across Cisco’s security ecosystem.
Which metric in Cisco Stealthwatch indicates a potential data exfiltration event?
A) High packet loss rate
B) High flow count with low byte count
C) Long-duration flow with high outbound data volume
D) DNS over TCP usage
Answer: C
Explanation: Long-duration outbound flows with large data volume may indicate exfiltration of sensitive data.
51. Which technique is used in data exfiltration through DNS tunneling?
A) Encrypting payload with SSL
B) Embedding data into DNS queries
C) Using ARP spoofing
D) Injecting JavaScript into webpages
Answer: B
Explanation: DNS tunneling hides data inside DNS requests, allowing attackers to bypass firewalls and extract data covertly.
52. What is the primary function of a security information and event management (SIEM) system?
A) Conduct vulnerability scans
B) Automate OS patching
C) Collect, normalize, and correlate security data
D) Prevent phishing attacks
Answer: C
Explanation: SIEM systems aggregate logs and use correlation rules to detect anomalies and trigger alerts for incident response.
53. Which of the following is a proactive measure for detecting insider threats?
A) User Behavior Analytics (UBA)
B) Patch management
C) Static NAT
D) DNSSEC
Answer: A
Explanation: UBA identifies deviations from normal user behavior that may indicate malicious intent from insiders.
54. Which of the following logs would most likely show evidence of privilege escalation?
A) DNS query logs
B) Authentication and authorization logs
C) NetFlow logs
D) Email metadata
Answer: B
Explanation: These logs reveal changes in user access levels or use of administrator credentials.
55. What is the impact of a low-severity alert in a SOC triage process?
A) It always results in incident escalation
B) It indicates immediate compromise
C) It may be deprioritized but still requires contextual analysis
D) It should be ignored
Answer: C
Explanation: Even low-severity alerts can be linked to broader campaigns and should be reviewed in context.
56. Which phase of the incident response lifecycle involves gathering evidence and determining the scope?
A) Preparation
B) Containment
C) Detection and Analysis
D) Post-Incident Activity
Answer: C
Explanation: Detection and analysis involve validating incidents, gathering logs, and determining the extent of compromise.
57. Which tool is commonly used for passive traffic monitoring on a network?
A) Wireshark
B) Nmap
C) Nessus
D) Metasploit
Answer: A
Explanation: Wireshark captures packets without altering the flow, making it ideal for passive network monitoring.
58. What does a high number of TCP reset (RST) flags in a flow suggest?
A) Secure connection
B) Port scanning or abnormal termination of sessions
C) DNS poisoning
D) VPN negotiation
Answer: B
Explanation: An excess of RSTs often indicates scanning, session interruption, or misconfigurations.
59. Which protocol is used to collect logs from various systems into a centralized server?
A) HTTP
B) FTP
C) Syslog
D) SMTP
Answer: C
Explanation: Syslog is a standard protocol for sending log messages from devices to a central logging server.
60. Which Cisco tool uses machine learning to detect encrypted traffic threats?
A) Cisco Secure Firewall
B) Cisco Stealthwatch
C) Cisco AMP for Endpoints
D) Cisco ISE
Answer: B
Explanation: Cisco Stealthwatch uses behavioral modeling and ML to detect threats in encrypted traffic without decryption.
61. What is a common symptom of a compromised endpoint?
A) Increased DNS TTL
B) Unexpected outbound connections to rare domains
C) Excessive CPU use by trusted software
D) Static IP assignment
Answer: B
Explanation: Malware often connects to rare or newly registered domains controlled by attackers.
62. Which of the following is a host-based indicator of compromise?
A) NetFlow anomaly
B) DNS request volume spike
C) Presence of known malware hash
D) Multiple ARP replies
Answer: C
Explanation: Malware hashes found in endpoint file systems are strong indicators of host compromise.
63. Which tool provides deep packet inspection and signature-based intrusion detection?
A) SNMP
B) Snort
C) Ping
D) SSH
Answer: B
Explanation: Snort is a widely used open-source intrusion detection/prevention system.
64. What is the primary concern when using shared accounts in a secure environment?
A) DNS leaks
B) Lack of attribution and accountability
C) Increased latency
D) File fragmentation
Answer: B
Explanation: Shared accounts hinder tracking user activity, weakening accountability and audit capabilities.
65. In endpoint security, what does EDR stand for?
A) Extended Detection and Recovery
B) Endpoint Detection and Response
C) Encrypted Data Routing
D) Enhanced Device Rules
Answer: B
Explanation: EDR tools detect threats on endpoints and provide response capabilities, like isolating devices or killing processes.
66. What does a reverse shell provide to an attacker?
A) Spoofed DNS records
B) Access to encrypted credentials
C) Remote control over the victim’s machine
D) Detection of open ports
Answer: C
Explanation: A reverse shell lets attackers remotely execute commands on the victim’s system once the outbound connection is initiated by the victim host.
67. What does the term “zero-day vulnerability” mean?
A) It has no exploit yet
B) It is discovered and patched on the same day
C) It is publicly known but not yet patched
D) It is unknown to the vendor and actively exploited
Answer: D
Explanation: Zero-day vulnerabilities are exploited before the vendor has released a fix, posing high risk.
68. What is the benefit of tokenization in data security?
A) Encrypts all traffic
B) Replaces sensitive data with non-sensitive equivalents
C) Creates backup images
D) Rewrites firewall rules
Answer: B
Explanation: Tokenization protects sensitive data by substituting it with unrelated, harmless tokens that preserve format.
69. What is an example of a reconnaissance activity by an attacker?
A) Injecting SQL into a login form
B) Scanning the network using Nmap
C) Delivering malware via USB
D) Creating persistence with a registry key
Answer: B
Explanation: Reconnaissance involves information gathering, and tools like Nmap help attackers identify targets.
70. Which of the following is a best practice in securing endpoint devices?
A) Disable host-based firewalls
B) Grant local admin rights to all users
C) Apply least privilege and enforce regular patching
D) Use open Wi-Fi for updates
Answer: C
Explanation: Applying the principle of least privilege and maintaining updates are essential for securing endpoints.