1. A cyberanalyst is reviewing an entry-point ACL. What three types of ICMP traffic should be allowed to access an internal network from the internet? (Choose three.)
- A. Reply
- B. Request
- C. Ping
- D. Squelch
- E. Destination unreachable
- F. Time exceeded
ACLs should permit only specific types of ICMP messages to enter an internal network. Allowed ICMP traffic includes ICMP reply, source quench, and any ICMP unreachable messages. All other ICMP traffic types should be denied.
2. A company decides to purchase a device capable of managing load balancing so that traffic will be distributed between their servers. What could be a potential problem using the new device on the network?
- A. The traffic will require more bandwidth to send to multiple servers.
- B. The LBM probe messages may appear as suspicious traffic.
- C. It will cause extra traffic going to a server resource that is not available.
- D. All links to redundant servers will require encrypted tunneling protocols.
Load balancing manager (LBM) devices distribute traffic between devices or network paths to prevent overwhelming network resources. LBM devices may send probes to different servers to detect that the servers are operating. These probes can appear to be suspicious traffic.
3. What method allows VPN traffic to remain confidential?
- A. Verification
- B. Authentication
- C. Encapsulation
- D. Encryption
Plain text data that is transported over the Internet can be intercepted and read. The data should be encrypted to keep it private.
4. To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?
- A. Time-stamp reply
- B. Echo request
- C. Time-stamp request
- D. Router advertisement
- E. Echo reply
By allowing the ICMP echo reply message inbound to the organization, internal users are allowed to ping external addresses (and the reply message allowed to return).
5. In which way does the use of HTTPS increase the security monitoring challenges within enterprise networks?
- A. HTTPS traffic enables end-to-end encryption.
- B. HTTPS traffic does not require authentication.
- C. HTTPS traffic is much faster than HTTP traffic.
- D. HTTPS traffic can carry a much larger data payload than HTTP can carry.
HTTPS enables end-to-end encrypted network communication, which adds further challenges for network administrators to monitor the content of packets to catch malicious attacks.
6. Which type of server would support the SMTP, POP, and IMAP protocols?
- A. Email
- B. DHCP
- C. Proxy
- D. Syslog
The Simple Mail Transfer Protocol (SMTP) is used to send email. The Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) are used to retrieve email. All three protocols are application layer protocols.
7. Which network service synchronizes the time across all devices on the network?
- A. NetFlow
- B. NTP
- C. Syslog
- D. SNMP
There are two methods that can be used to set the date and time on network devices: manual configuration, and automatic configuration using the Network Time Protocol (NTP). NTP keeps the time across all devices synchronized by using a hierarchical system of time sources.
8. What port number would be used if a threat actor was using NTP to direct DDoS attacks?
- A. 69
- B. 123
- C. 443
- D. 25
NTP uses UDP port number 123. Threat actors could use port 123 on NTP systems in order to direct DDoS attacks through vulnerabilities in client or server software.
9. Which protocol is used to send e-mail messages between two servers that are in different e-mail domains?
- A. POP3
- B. HTTP
- C. SMTP
- D. IMAP4
SMTP is used to send data between mail servers and to send data from a host to a mail server. The other two protocols that can be used for email are IMAP and POP3. IMAP and POP3 are used to download email messages from a mail server.
10. How do cybercriminals make use of a malicious iFrame?
- A. The attacker embeds malicious content in business appropriate files.
- B. The attacker redirects traffic to an incorrect DNS server.
- C. The iFrame allows the browser to load a web page from another source.
- D. The iFrame allows multiple DNS subdomains to be used.
An inline frame or iFrame is an HTML element that allows the browser to load a different web page from another source.
11. Which type of server daemon accepts messages sent by network devices to create a collection of log entries?
- A. Syslog
- B. NTP
- C. SSH
- D. AAA
Syslog is important to security monitoring because network devices send periodic messages to the syslog server. These logs can be examined to detect inconsistencies and issues within the network.
12. What type of server can threat actors use DNS to communicate with?
- A. Database
- B. NTP
- C. CnC
- D. Web
Some malware uses DNS to communicate with command-and-control (CnC) servers to exfiltrate data in traffic that is disguised as normal DNS query traffic.
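As an added illustration of the detection side of this question (example code, not part of the quiz), the script below scans constructed DNS query log lines and flags domains whose leftmost labels look like encoded payloads rather than hostnames. The log format, the domain-splitting rule and the thresholds are assumptions chosen for illustration.

```python
"""Flag DNS query logs that look like a covert CnC/exfiltration channel.

Added example, not part of the quiz. The log lines below are constructed,
and the thresholds are assumptions tuned for illustration only.
"""
import math
import re
from collections import defaultdict

# Constructed sample log, one query per line: "<time> <client> <qname> <qtype>"
SAMPLE_LOG = """\
10:00:01 10.1.1.20 www.example.com A
10:00:02 10.1.1.20 mail.example.com A
10:00:03 10.1.1.31 a7f03c9e2b5d8146.t1.bad-example.net TXT
10:00:03 10.1.1.31 4e8b1f6a0d9c2735.t1.bad-example.net TXT
10:00:04 10.1.1.31 c2d5a9e6f1038b47.t1.bad-example.net TXT
10:00:04 10.1.1.31 9f3e7a1c5b0d2846.t1.bad-example.net TXT
10:00:05 10.1.1.20 assets-images.example.com A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded/hex data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive eTLD+1: last two labels (assumption; use a public suffix list in production)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def suspicious_domains(log_text: str, min_queries: int = 4,
                       min_label_len: int = 12, min_entropy: float = 3.0) -> dict:
    """Return {domain: [clients]} for domains that received at least min_queries
    queries whose leftmost label is long and high-entropy (likely encoded data)."""
    hits = defaultdict(lambda: {"clients": set(), "encoded": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        _, client, qname, _ = m.groups()
        first_label = qname.split(".")[0]
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy:
            dom = registered_domain(qname)
            hits[dom]["encoded"] += 1
            hits[dom]["clients"].add(client)
    return {d: sorted(v["clients"]) for d, v in hits.items() if v["encoded"] >= min_queries}
```

The benign long label `assets-images` stays below the entropy threshold, so only the domain receiving the encoded-looking queries is reported together with the inside client that sent them.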
13. Which statement describes the function provided by the Tor network?
- A. It allows users to browse the Internet anonymously.
- B. It conceals packet contents by establishing end-to-end tunnels.
- C. It distributes user packets through load balancing.
- D. It manipulates packets by mapping IP addresses between two networks.
Tor is a software platform and network of P2P hosts that function as Internet routers on the Tor network. The Tor network allows users to browse the Internet anonymously.
14. How can NAT/PAT complicate network security monitoring if NetFlow is being used?
- A. It disguises the application initiated by a user by manipulating port numbers.
- B. It changes the source and destination MAC addresses.
- C. It hides internal IP addresses by allowing them to share one or a few outside IP addresses.
- D. It conceals the contents of a packet by encrypting the data payload.
NAT/PAT maps multiple internal IP addresses to a single outside IP address or to a few of them, breaking end-to-end flows. As a result it is difficult to log which inside device is requesting and receiving the traffic. This is especially a problem with a NetFlow application, because NetFlow flows are unidirectional and are defined by the addresses and ports that they share.
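As an added example (not part of the quiz) of why the analyst needs more than the NetFlow record itself, the script below joins constructed NetFlow records exported outside a PAT device with a constructed PAT translation log. The match must use the outside address/port and the time window, because PAT reuses an outside port once the earlier translation expires; the record layout and timestamps are assumptions.

```python
"""Attribute NetFlow records seen outside a PAT device to the inside host.

Added example, not part of the quiz. Flow records and translation log are
constructed; the field layout is an assumption for illustration only.
"""

# Constructed PAT translation log:
# (inside_ip, inside_port, outside_ip, outside_port, start, end); end=None = still active
NAT_LOG = [
    ("192.168.10.5", 51000, "203.0.113.10", 40001, 100, 160),
    ("192.168.10.9", 51000, "203.0.113.10", 40002, 105, None),
    ("192.168.10.5", 51001, "203.0.113.10", 40001, 170, None),  # outside port 40001 reused
]

# Constructed NetFlow records as exported from the outside interface (seconds as timestamps)
NETFLOW = [
    {"src": "203.0.113.10", "sport": 40001, "dst": "198.51.100.7", "dport": 443, "start": 110},
    {"src": "203.0.113.10", "sport": 40002, "dst": "198.51.100.7", "dport": 443, "start": 112},
    {"src": "203.0.113.10", "sport": 40001, "dst": "198.51.100.9", "dport": 80, "start": 175},
    {"src": "203.0.113.10", "sport": 40003, "dst": "198.51.100.9", "dport": 80, "start": 180},
]


def inside_host_naive(flow, nat_log):
    """Match on the outside tuple only: returns the FIRST host that ever used
    this outside port, which misattributes flows after the port is reused."""
    for in_ip, in_port, out_ip, out_port, _, _ in nat_log:
        if (out_ip, out_port) == (flow["src"], flow["sport"]):
            return in_ip, in_port
    return None


def inside_host(flow, nat_log):
    """Match on the outside tuple AND the translation's time window.
    Returns (inside_ip, inside_port), or None if no translation covers the flow."""
    for in_ip, in_port, out_ip, out_port, start, end in nat_log:
        if (out_ip, out_port) != (flow["src"], flow["sport"]):
            continue
        if start <= flow["start"] and (end is None or flow["start"] <= end):
            return in_ip, in_port
    return None


def attribute_flows(flows, nat_log):
    """Per flow: (inside host or None, destination, destination port)."""
    return [(inside_host(f, nat_log), f["dst"], f["dport"]) for f in flows]
```

The third record shows the pitfall: the naive join blames 192.168.10.5:51000, while the time-aware join correctly returns 192.168.10.5:51001; the fourth record has no logged translation at all and stays unattributed.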