Download Implementing Cisco Cybersecurity Operations.Pass4sure.210-255.2019-07-23.1e.27q.vcex

Download Exam

File Info

Exam Implementing Cisco Cybersecurity Operations
Number 210-255
File Name Implementing Cisco Cybersecurity Operations.Pass4sure.210-255.2019-07-23.1e.27q.vcex
Size 323 Kb
Posted July 23, 2019
Downloads 42
Download Implementing Cisco Cybersecurity Operations.Pass4sure.210-255.2019-07-23.1e.27q.vcex

How to open VCEX & EXAM Files?

Files with VCEX & EXAM extensions can be opened by ProfExam Simulator.


With discount: 20%


Demo Questions

Question 1

What is the term for an operation that purges redundant data while maintaining data integrity?

  • A: modularization
  • B: aggregation
  • C: warehousing
  • D: normalization

Correct Answer: D

Normalization is the process of eliminating redundancy and protecting integrity of the data. When data normalization is utilized with IPS systems, the IPS manages multiple incoming streams of data and ensures that all data exists only in one form. This eliminates redundant data. Normalization is the part of the security analysis process that reduces the sheer amount of data and makes the process cleaner and more efficient. 
Modularization is the breaking of a process into modules. A great example is the OSI model, which breaks the communication process down into seven modules or layers. 
Aggregation is the process of taking data from multiple sources, such as IPS, firewall and router, and combining into a single integrated log file. A Security Information and Event (SIEM) system collects data from the different security devices in the system, such as firewalls and IPSs, and then aggregates the log files for analysis. 
Data warehousing is the combination of data from multiple data sources or databases into a single repository for analysis and manipulation. 

Question 2

Which statement is FALSE with respect to listening ports? 

  • A: Port 443, when set to default, is encrypted.
  • B: Ports can be numbered 1 to 65535.
  • C: The port number does not always identify the service.
  • D: They are closed.

Correct Answer: D

Ports can be open, closed, or filtered. When they are open, they are said to be listening. When closed, they are not listening. While ports do have default port numbers, it is possible to run a service on a non-default port number. 
Software ports can be numbered from 1 to 65535. The first 1024 or so are called well-known. Some of these well-known port numbers as their defaults are:
TCP 20 and 21: File transfer Protocol (FTP)
TCP 22: Secure Shell (SSH)
TCP 23: Telnet
TCP 25: Simple mail Transfer Protocols (SMTP)
TCP and UDP 53: Domain Name System (DNS)
UDP 69: Trivial File Transfer Protocol (TFTP)
TCP 79: Finger
TCP 80: Hypertext Transfer Protocol (HTTP)
TCP 110: Post Office Protocol v3 (POP3)
TCP 119: Network News Protocol (NNTP)
UDP 161 and 162: Simple Network Management Protocol (SNMP)
UDP 443: Secure Sockets Layer over HTTP (HTTPS)
Port 443 is SSL over HTTP, which is encrypted.

Question 3

Which evidence is always considered the best evidence? 

  • A: hearsay
  • B: indirect
  • C: direct
  • D: corroborative

Correct Answer: C

Direct evidence is always considered the best because it does not require any reasoning or inference to arrive at the conclusion to be drawn from the evidence. An eyewitness account is direct evidence. 
Hearsay is never admissible in court. This is when someone testifies they heard someone else say something they witnessed (also called second hand). 
Corroborative evidence is that which supports other evidence. For example, is someone testifies they saw it raining and another said they heard rain, that is considered corroborative evidence. Indirect evidence suggests but does not prove anything. For example, if a man is accused of gambling and has been seen with gamblers, that is indirect evidence. 

Question 4

Which of the following offers incident handling services for a fee to other organizations?

  • A: Coordination centers
  • B: MISSP
  • C: PSIRT
  • D: national CSIRT

Correct Answer: B

Managed Security Service Providers (MSSPs) provide incident response and managed security services to their customers. The Cisco Incident Response Service is an example. Another example is Cisco Active Threat Analysis. 
Coordination centers around the world also help with the coordination of security vulnerability disclosures to vendors, hardware and software providers, and security researchers. One of the best examples is the CERT Division of the Software Engineering Institute (SEI). 
Product security incident response teams (PSIRTs) handle the investigation, resolution, and disclosure of security vulnerabilities in their products and services. 
National CSIRTS provide incident handling for a country. Examples include the US-CERT. 

Question 5

You have been asked to collect all the usernames from an access log. According to policy, usernames must be at least six characters and no more than sixteen characters. Usernames can only include lowercase letters, numbers, underscores, and hyphens, such as the following:


Which regular expression will locate all valid usernames?

  • A:
  • B:
  • C:
  • D:

Correct Answer: C


Question 6

After compromising a host and escalating privileges, the attacker installs a remote access Trojan (RAT). What step of the Cyber Kill Chain framework has just occurred?

  • A: Reconnaissance
  • B: Exploitation
  • C: Installation
  • D: Weaponization

Correct Answer: C

It is the installation step. Installation comes after exploitation and involves the installation tools and resources the hacker will use. These tools allow the attacker to maintain persistence while plotting the next step. Installation of a remote access Trojan (RAT) would be part of the installation step. 
It is not the reconnaissance step when information is gathered. For example, consider an exploit takes advantage of an injection vulnerability in an exploitable php by sending an HTTP POST with specific variables. If the hacker sends an HTTP GET request the page, the attack is still in reconnaissance. 
It is not the weaponization step. Weaponization occurs when the attacker turns some utility or function into a weapon he can use in the attack. It occurs after reconnaissance. Using Metasploit to craft an exploit is an example. 
It is not the exploitation step. Exploitation comes after the attacker creates a weapon and delivers the weapon. It occurs when the weapon executes. Were the user to execute the attachment we would be in the exploitation stage.

Question 7

Which of the following represents the software that is acting on behalf of a user?

  • A: representative agent field
  • B: cookie
  • C: type field
  • D: host field
  • E: user agent

Correct Answer: E

The user agent is an HTTP header inside the software that is acting on behalf of a user. For example, it might indicate the browser type and capability. The User-Agent (UA) string is intended to identify devices requesting online content, which helps with intrusion analysis. 
The host field indicates the domain name of the server (for virtual hosting), and the TCP port number on which the server is listening. 
Other examples of HTTP header fields are:
Accept – Media type(s) that is(are) acceptable for the response 
Content-Length – The length of the request body in octets (8-bit bytes) 
From – The email address of the user making the request 
Referrer – The address of the previous web page from which a link to the currently requested page was followed 
Host – The domain name of the server (for virtual hosting), and the TCP port number on which the server is listening 
Date – The date and time that the message was originated 
Authorization – Authentication credentials for HTTP authentication 
Cookies are text files with information with stored information about the user. They are not HTTP header fields. There is no representative agent field in the HTTP header. There is no type field in the HTTP header. The type field is the first field in an Internet Control Message Protocol (ICMP) header, and is used to indicate the function or purpose of the communication. A control message is the function or purpose of the ICMP communication.  
Common examples of Types are:
8 for Echo Request 
0 for Echo Reply 
11 for Timeout Exceeded 
3 for Destination Unreachable 
There are about sixteen formally defined Types for ICMP. The remaining fields in the ICMP header are Code, Checksum, and Rest of Header. The Code field is used to define or reference a sub-type (i.e., a more specific sub-meaning of the indicated control message). The Checksum field is used to verify that the ICMP communication was not corrupted in transit. The Rest of Header field may hold values when needed based on the Type, or is set to all zeros when unused. For example, a Type 5 Redirect will place an IP address in the Rest of Header field. 

Question 8

According to SP 800-86, which of the following is NOT an important factor when prioritizing potential data sources if evidence?

  • A: volatility
  • B: time involved
  • C: likely value
  • D: effort required

Correct Answer: B

The amount of time involved in the collection is NOT one of the three considerations covered by SP 800-86. They are (quoted directly from SP 800-86):
Likely Value. Based on the analysts understanding of the situation and previous experience in similar situations, the analyst should be able to estimate the relative likely value of each potential data source. 
Volatility. Volatile data refers to data on a live system that is lost after a computer is powered down or due to the passage of time. Volatile data may also be lost as a result of other actions performed on the system. In many cases, acquiring volatile data should be given priority over non-volatile data. However, non-volatile may also be somewhat dynamic in nature (e.g., log files that are overwritten as new events occur). 
Amount of Effort Required. The amount of effort required to acquire different data sources may vary widely. The effort involves not only the time spent by analyst and others within the organization (including legal advisors) but also the cost of equipment and services (e.g., outside experts). For example, acquiring data from a network router would probably require much less effort than acquiring data from an ISP. 

Question 9

Which statement is true with regard to evidence collection?

  • A: Allow full access to the crime scene.
  • B: Always shut the computer down first.
  • C: Always call police.
  • D: Always protect the integrity of the evidence.

Correct Answer: D

You should always protect the confidentiality and the integrity of all evidence collected and ensure that a proper chain of custody is maintained. You should never shut the computer down until all volatile (memory) evidence is collected. You should tightly control access to the crime scene. You should always consider calling the police carefully as they will take control of the investigation. 
In summary, guidelines for evidence collection are:
Upon seizing digital evidence, actions taken should not change that evidence. 
When it is necessary for a person to access original digital evidence, that person must be forensically competent. 
All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review. 
An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession. 
Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles. 

Question 10

Which of the following is NOT reconnaissance?

  • A: scanning without completing the three way handshake
  • B: installation of a RAT
  • C: searching for the robots.txt file
  • D: communicating over social media

Correct Answer: B

Installation comes after exploitation and involves the installation of additional tools and resources the hacker will use. These tools allow the attacker to maintain persistence while plotting the next step. 
The first and most important step is reconnaissance when information is gathered that helps penetrate the network. For example, consider an exploit takes advantage of an injection vulnerability in an exploitable Hypertext Preprocessor php file by sending an HTTP POST with specific variables. If the hacker sends an HTTP GET request to the page, the attack is still in reconnaissance. 
Other examples of reconnaissance include obtaining IP blocks, researching social media accounts and obtaining DNS records. 
The seven steps in the kill chain are:
Reconnaissance is the attacker gathers information to aid in penetrating the network 
Weaponization is the attacker turns a legitimate utility or function into a weapon that can be used in the attack 
Delivery is the attacker transmits the crafted exploit to the target 
Exploitation is the exploit is executed 
Installation is the hacker installs additional tools and resources on the target device or in the target network 
Command and control is the attacker takes remote control of the target device from the Command and Control server 
Actions on objectives is the attacker takes action (deletes data, steals data, defaces website)





You can buy ProfExam with a 20% discount!


Use ProfExam Simulator to open VCEX and EXAM files