600-199 Securing Cisco Networks with Threat Detection and Analysis

Page 1   
Question 1

Which two types of data are relevant to investigating network security issues? (Choose
two.)

  • A. NetFlow
  • B. device model numbers
  • C. syslog
  • D. routing tables
  • E. private IP addresses


Answer : A,C

Question 2

In the context of a network security device like an IPS, which event would qualify as having
the highest severity?

  • A. remote code execution attempt
  • B. brute force login attempt
  • C. denial of service attack
  • D. instant messenger activity


Answer : A

Question 3

Which event is likely to be a false positive?

  • A. Internet Relay Chat signature with an alert context buffer containing #IPS_ROCS Yay
  • B. a signature addressing an ActiveX vulnerability alert on a Microsoft developer network documentation page
  • C. an alert for a long HTTP request with an alert context buffer containing a large HTTP GET request
  • D. BitTorrent activity detected on ephemeral ports


Answer : B

Question 4

Given a Linux machine running only an SSH server, which chain of alarms would be most
concerning?

  • A. brute force login attempt from outside of the network, followed by an internal network scan
  • B. root login attempt followed by brute force login attempt
  • C. Microsoft RPC attack against the server
  • D. multiple rapid login attempts


Answer : A

Question 5

If a company has a strict policy to limit potential confidential information leakage, which
three alerts would be of concern? (Choose three.)

  • A. P2P activity detected
  • B. Skype activity detected
  • C. YouTube viewing activity detected
  • D. Pastebin activity detected
  • E. Hulu activity detected


Answer : A,B,D

Question 6

Which event is actionable?

  • A. SSH login failed
  • B. Telnet login failed
  • C. traffic flow started
  • D. reverse shell detected


Answer : D

Question 7

Which would be classified as a remote code execution attempt?

  • A. OLE stack overflow detected
  • B. null login attempt
  • C. BitTorrent activity detected
  • D. IE ActiveX DoS


Answer : A

Question 8

Given the signature "SQL Table Manipulation Detected", which site may trigger a false
positive?

  • A. a company selling discount dining-room table inserts
  • B. a large computer hardware company
  • C. a small networking company
  • D. a biotech company


Answer : A

Question 9

Which is considered to be anomalous activity?

  • A. an alert context buffer containing traffic to amazon.com
  • B. an alert context buffer containing SSH traffic
  • C. an alert context buffer containing an FTP server SYN scanning your network
  • D. an alert describing an anonymous login attempt to an FTP server


Answer : C

Question 10

If an alert that pertains to a remote code execution attempt is seen on your network, which
step is unlikely to help?

  • A. looking for anomalous traffic
  • B. looking for reconnaissance activity
  • C. restoring the machine to a known good backup
  • D. clearing the event store to see if future events indicate malicious activity


Answer : D

Question 11

Refer to the exhibit.
In the tcpdump output, what is the sequence number that is represented by XXXXX?

  • A. 82080
  • B. 82081
  • C. 83448
  • D. 83449
  • E. 98496
  • F. 98497


Answer : C

Question 12

Refer to the exhibit.
Based on the traffic captured in the tcpdump, what is occurring?

  • A. The device is powered down and is not on the network.
  • B. The device is reachable and a TCP connection was established on port 23.
  • C. The device is up but is not responding on port 23.
  • D. The device is up but is not responding on port 51305.
  • E. The resend flag is requesting the connection again.


Answer : C

Question 13

Which three statements are true about the IP fragment offset? (Choose three.)

  • A. A fragment offset of 0 indicates that it is the first in a series of fragments.
  • B. A fragment offset helps determine the position of the fragment within the reassembled datagram.
  • C. A fragment offset number refers to the number of fragments.
  • D. A fragment offset is measured in 8-byte units.
  • E. A fragment offset is measured in 16-byte units.


Answer : A,B,D

Question 14

Which two tools are used to help with traffic identification? (Choose two.)

  • A. network sniffer
  • B. ping
  • C. traceroute
  • D. route table
  • E. NetFlow
  • F. DHCP


Answer : A,E

Question 15

Refer to the exhibit.
Based on the tcpdump capture, which three statements are true? (Choose three.)

  • A. Host 10.10.10.20 is requesting the MAC address of host 10.10.10.10 using ARP.
  • B. Host 10.10.10.10 is requesting the MAC address of host 10.10.10.20.
  • C. The ARP request is unicast.
  • D. The ARP response is unicast.
  • E. The ARP request is broadcast.
  • F. Host 10.10.10.20 is using the MAC address of ffff.ffff.ffff.


Answer : B,D,E

Page 1