1. Level 1 - Yefta Sutanto Online Keamanan... · Score per single-answer question: 2 Score per question...


Test name: PenyisihanLombaKeamananJaringanGemastik7
Team name: nyanpasu

Score per single-answer question: 2
Score per multiple-answer question: 3
Wrong answer: -0.5 of the score per question
Unanswered: 0

1. Multiple answers may be selected for the same question.
2. Selecting a wrong answer deducts half of the score per question.
3. If two wrong answers are selected for the same question, the maximum score for that question is 0.

Your score: 185.08333333333334

1. Level 1

1.1. Which type of encryption algorithm uses public and private keys to provide authentication, integrity, and confidentiality?

[ ] IPsec
[ ] symmetric
[x] asymmetric
[ ] shared secret

1.2. Which type of IPS signature detection is used to distract and confuse attackers?

[ ] pattern-based detection
[x] honey pot-based detection
[ ] policy-based detection
[ ] anomaly-based detection

1.3. Refer to the exhibit. Which three things occur if a user attempts to log in four times within 10 seconds using an incorrect password? (Choose three.)

[ ] No user can log in virtually from any host for 60 seconds.
[ ] implementing command authorization with TACACS+
[ ] Subsequent virtual login attempts from the user are blocked for 60 seconds.
[ ] Subsequent console login attempts are blocked for 60 seconds.
[ ] During the quiet mode, an administrator can virtually log in from any host on network 172.16.1.0/24.
[ ] authenticating remote users who are accessing the corporate LAN through IPsec VPN connections

1.4. What are three goals of a port scan attack? (Choose three.)

[ ] discover system passwords
[x] identify operating systems
[ ] disable used ports and services
[ ] identify peripheral configurations
[x] identify active services
[x] determine potential vulnerabilities

1.5. When configuring a site-to-site IPsec VPN using the CLI, the authentication pre-share command is configured in the ISAKMP policy. Which additional peer authentication configuration is required?

[ ] Configure the DH group identifier with the group number ISAKMP policy configuration command.
[ ] Configure a hostname with the crypto isakmp identity hostname global configuration command.
[ ] Configure the message encryption algorithm with the encryption type ISAKMP policy configuration command.
[x] Configure a PSK with the crypto isakmp key global configuration command.

1.6. Which of the following mechanisms is used to achieve non-repudiation of a message delivery?

[x] Sender gets a digitally signed acknowledgment from the recipient containing a copy or digest of the message.
[ ] Sender computes a digest of the message and sends it to a Trusted Third Party (TTP) who signs it and stores it for later reference.
[ ] Sender sends the message to a TTP who signs it together with a time stamp and sends it on to the recipient.
[ ] Sender encrypts the message with the recipient's public key and signs it with their own private key.

1.7. For what reason would a network administrator leverage promiscuous mode on a network interface?

[x] To monitor the network to gain a complete statistical picture of activity.
[ ] To screen out all network errors that affect network statistical information.
[ ] To monitor only unauthorized activity and use.
[ ] To capture only unauthorized internal/external use.

1.8. Refer to the exhibit. Which interface configuration completes the CBAC configuration on router R1?

[ ] R1(config)# interface fa0/1
    R1(config-if)# ip inspect INSIDE in
    R1(config-if)# ip access-group OUTBOUND in
[x] R1(config)# interface fa0/1
    R1(config-if)# ip inspect OUTBOUND in
    R1(config-if)# ip access-group INSIDE in
[ ] R1(config)# interface fa0/1
    R1(config-if)# ip inspect OUTBOUND in
    R1(config-if)# ip access-group INSIDE out
[ ] R1(config)# interface fa0/0
    R1(config-if)# ip inspect OUTBOUND in
    R1(config-if)# ip access-group INSIDE in
[ ] R1(config)# interface fa0/0
    R1(config-if)# ip inspect INSIDE in
    R1(config-if)# ip access-group OUTBOUND in

1.9. The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks?

[x] confidentiality
[ ] authentication
[ ] integrity
[ ] nonrepudiation
[ ] Diffie-Hellman

1.10. 36

[ ] A reference monitor.
[ ] A security model.
[ ] A security kernel.
[ ] A trusted computing base.

1.11. What is the trusted registry that guarantees the authenticity of client and server public keys?

[ ] Key revocation certificate.
[ ] Key distribution center.
[ ] Public key notary.
[x] Certification authority.

1.12. Which statement describes the operation of the IKE protocol?

[x] It calculates shared keys based on the exchange of a series of data packets.
[ ] It uses sophisticated hashing algorithms to transmit keys directly across a network.
[ ] It uses IPsec to establish the key exchange process.
[ ] It uses TCP port 50 to exchange IKE information between the security gateways.

1.13. Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform?

[ ] authentication
[ ] auditing
[ ] accounting
[x] authorization

1.14. What is a characteristic of AAA accounting?

[ ] Accounting can only be enabled for network connections.
[x] Possible triggers for the aaa accounting exec default command include start-stop and stop-only.
[ ] Users are not required to be authenticated before AAA accounting logs their activities on the network.
[ ] Accounting is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network.

1.15. During a disaster or emergency, how does a closed-circuit television (CCTV) help management and security to minimize loss?

[ ] It documents shortcomings of plans and procedures.
[ ] It captures the exposure of assets to physical risk.
[ ] It records instances of looting and other criminal activities.
[x] It helps the management to direct resources to the hardest hit area.

1.16. Refer to the exhibit. What information can be obtained from the AAA configuration statements?

[ ] The authentication method list used by the console port is named ACCESS.
[ ] If the TACACS+ AAA server is not available, no users can establish a Telnet session with the router.
[ ] The local database is checked first when authenticating console and Telnet access to the router.
[x] The authentication method list used for Telnet is named ACCESS.
[ ] If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database.

1.17. What are three common examples of AAA implementation on routers? (Choose three.)

[ ] implementing public key infrastructure to authenticate and authorize IPsec VPN peers using digital certificates
[ ] securing the router by locking down all unused services
[ ] authenticating administrator access to the router console port, auxiliary port, and vty ports
[ ] tracking netflow accounting statistics

1.18. Which type of Layer 2 attack makes a host appear as the root bridge for a LAN?

[ ] MAC address table overflow
[ ] LAN storm
[ ] MAC address spoofing
[ ] VLAN attack
[x] STP manipulation

1.19. Which access list statement permits HTTP traffic that is sourced from host 10.1.129.100 port 4300 and destined to host 192.168.30.10?

[ ] access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.30.10 0.0.0.0 eq www
[ ] access-list 101 permit tcp 192.168.30.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
[x] access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.0 0.0.0.15 eq www
[ ] access-list 101 permit tcp any eq 4300
[ ] access-list 101 permit tcp host 192.168.30.10 eq 80 10.1.0.0 0.0.255.255 eq 4300

1.20. What will be disabled as a result of the no service password-recovery command?

[ ] changes to the configuration register
[ ] aaa new-model global configuration command
[x] ability to access ROMmon
[ ] password encryption service

1.21. Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.)

[ ] Traffic is implicitly prevented from flowing by default among interfaces that are members of the same zone.
[x] To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
[ ] Interfaces can be assigned to a zone before the zone is created.
[ ] An interface can be assigned to multiple security zones.
[x] Pass, inspect, and drop options can only be applied between two zones.
[x] If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.

1.22. Which type of packets exiting the network of an organization should be blocked by an ACL?

[x] packets with source IP addresses outside of the organization's network address space
[ ] packets that are not translated with NAT
[ ] packets that are not encrypted
[ ] packets with destination IP addresses outside of the organization's network address space

1.23. After signing out a laptop computer from the company loaner pool, you discovered there is a memorandum stored in the loaner laptop written to a competitor containing sensitive information about a new product your company is about to release. Based on the (ISC)2 Code of Ethics, what is the first action you should take?

[x] Immediately inform your company’s management of your findings and its potential ramifications.
[ ] Inform the security awareness trainers that data disclosure prevention in a mobile computing environment needs to be added to their classes.
[ ] Contact the author of the memorandum to let him/her know the memorandum was on the laptop.
[ ] Delete the memorandum from the laptop to ensure no one else will see it.

1.24. An administrator has been asked to configure basic access security on a router, including creating secure passwords and disabling unattended connections. Which three actions accomplish this using recommended security practices? (Choose three.)

[x] Set the minimum password length to 10 characters.
[x] Enable the password encryption service for the router.
[ ] Enable login using the Aux port with the executive timeout set to 0 and 0.
[ ] Create passwords with only alphanumeric characters.
[x] Set the executive timeout parameters on the vty lines to 3 and 0.
[ ] Set the executive timeout parameters on the console port to 120 and 0.

1.25. What must be configured before any Role-Based CLI views can be created?

[ ] secret password for the root user
[ ] multiple privilege levels
[ ] usernames and passwords
[x] aaa new-model command

2. Level 2

2.1. What principle recommends division of responsibilities so that one person cannot commit an undetected fraud?

[ ] Need to know
[x] Separation of duties
[ ] Mutual exclusion
[ ] Least privilege

2.2. Which statement correctly describes a type of filtering firewall?

[x] A stateful firewall monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.
[ ] An application gateway firewall (proxy firewall) is typically implemented on a router to filter Layer 3 and Layer 4 information.
[ ] A transparent firewall is typically implemented on a PC or server with firewall software running on it.
[ ] A packet-filtering firewall expands the number of IP addresses available and hides network addressing design.

2.3. A person in possession of a sample of ciphertext and corresponding plaintext is capable of what type of attack?

[ ] Plaintext
[ ] Known-plaintext
[ ] Chosen-plaintext
[ ] Ciphertext only

2.4. The act of obtaining information of a higher level of sensitivity by combining information from lower levels of sensitivity is called?

[ ] Inference
[x] Aggregation
[ ] Data mining
[ ] Polyinstantiation

2.5. Which two commands are needed on every IPv6 ACL to allow IPv6 neighbor discovery? (Choose two.)

[ ] permit ipv6 any any fragments
[ ] permit icmp any any echo-reply
[x] permit icmp any any nd-na
[x] permit icmp any any nd-ns
[ ] permit ipv6 any any routing
[ ] permit tcp any any ack

2.6. What type of controls is not utilized to achieve management directives to protect company assets?

[ ] Administrative controls
[ ] Technical controls
[x] Financial controls
[ ] Physical controls

2.7. Which statement describes the Security Audit wizard?

[ ] The wizard is enabled by using the Intrusion Prevention task.
[ ] The wizard autosenses the inside trusted and outside untrusted interfaces to determine possible security problems that might exist.
[ ] After the wizard identifies the vulnerabilities, it automatically makes all security-related configuration changes.
[ ] After the wizard identifies the vulnerabilities, the One-Step Lockdown feature must be used to make all security-related configuration changes.
[ ] The wizard is based on the IOS AutoSecure feature.

2.8. If a switch is configured with the storm-control command and the action shutdown and action trap parameters, which two actions does the switch take when a storm occurs on a port? (Choose two.)

[ ] The switch forwards control traffic only.
[ ] The port is placed in a blocking state.
[ ] The switch is rebooted.
[ ] The port is disabled.
[ ] An SNMP log message is sent.

2.9. Which attack allows the attacker to see all frames on a broadcast network by causing a switch to flood all incoming traffic?

[ ] 802.1q double tagging
[ ] MAC table overflow
[ ] VLAN hopping
[ ] LAN storm
[x] STP manipulation

2.10. Sales representatives of an organization use computers in hotel business centers to occasionally access corporate e-mail and the inventory database. What would be the best VPN solution to implement on an Adaptive Security Appliance to support these users?

[ ] site-to-site IPsec VPN
[ ] clientless IPsec VPN using a web browser
[x] clientless SSL VPN using a web browser
[ ] client-based SSL VPN using AnyConnect
[ ] client-based IPsec VPN using AnyConnect

2.11. Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router using the password gemastik7ugm. What is a possible cause of the problem?

[ ] The administrator does not have enough rights on the PC that is being used.
[ ] The Telnet connection between RouterA and RouterB is not working correctly.
[ ] The enable password and the Telnet password need to be the same.
[ ] The password gemastik7ugm is wrong.

2.12. Which three statements should be considered when applying ACLs to a router? (Choose three.)

[ ] Router-generated packets pass through ACLs on the router without filtering.
[ ] An access list applied to any interface without a configured ACL allows all traffic to pass.
[ ] ACLs always search for the most specific entry before taking any filtering action.
[ ] A maximum of three IP access lists can be assigned to an interface per direction (in or out).
[ ] Place generic ACL entries at the top of the ACL.
[ ] Place more specific ACL entries at the top of the ACL.

2.13. A network technician is configuring SNMPv3 and has set a security level of auth. What is the effect of this setting?

[ ] authenticates a packet by a string match of the username or community string
[ ] authenticates a packet using the SHA algorithm only
[ ] authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using either the DES, 3DES or AES algorithms
[x] authenticates a packet by using either the HMAC with MD5 method or the SHA method

2.14. Which of the following virus types changes its characteristics as it spreads?

[ ] Parasitic
[ ] Boot sector
[ ] Stealth
[x] Polymorphic

2.15. Which of the following is not true regarding security policy?

[ ] It is broad
[ ] It describes the role of security in the organization
[ ] It is promulgated by senior IT security staff
[ ] It is a general statement

2.16. When verifying key control objectives of a system design, the security specialist should ensure that the…?

[ ] impact assessment has been approved.
[ ] vulnerability assessment has been completed.
[ ] auditing procedures have been defined.
[ ] final system design has security administrator approval.

2.17. Security management practice focuses on the continual protection of:

[ ] Company data
[ ] Security-related hardware and software
[x] Classified information
[ ] Company assets

2.18. Which two configuration requirements are needed for remote access VPNs using Easy VPN Server, but are not required for site-to-site VPNs? (Choose two.)

[ ] IKE policies
[ ] transform sets
[ ] IPsec translations
[ ] group policy lookup
[ ] virtual template interface

2.19. Which action best describes a MAC address spoofing attack?

[ ] forcing the election of a rogue root bridge
[ ] flooding the LAN with excessive traffic
[x] altering the MAC address of an attacking host to match that of a legitimate host
[ ] bombarding a switch with fake source MAC addresses

2.20. Refer to the exhibit. The indicated window has appeared in the web browser of a remote user. What is the cause of this message?

[ ] The user has timed out of an AnyConnect SSL VPN installation.
[ ] The user has logged out of an AnyConnect SSL VPN session.
[ ] The user has logged out of an AnyConnect IPsec VPN session.
[x] The user has logged out of a clientless SSL VPN session.

2.21. What can be used as a VPN gateway when setting up a site-to-site VPN?

[ ] Unified Communications Manager
[ ] AnyConnect
[ ] switch
[x] router

2.22. Which type of VPN may require the VPN Client software?

[x] remote access VPN
[ ] site-to-site VPN
[ ] MPLS VPN
[ ] SSL VPN

2.23. The accounting branch of a large organization requires an application to process expense vouchers. Each voucher must be input by one of many accounting clerks, verified by the clerk’s applicable supervisor, then reconciled by an auditor before the reimbursement check is produced. Which access control technique should be built into the application to best serve these requirements?

[ ] Password Security
[ ] Terminal Access Controller Access System (TACACS)
[x] Role-based Access Control (RBAC)
[ ] Mandatory Access Control (MAC)

2.24. An instance of being exposed to losses is called?

[x] Exposure
[ ] Vulnerability
[ ] Threat
[ ] Risk

2.25. All of the following are hashing algorithms except…?

[ ] HAVAL
[ ] IDEA
[ ] MD2
[ ] SHA

3. Level 3

3.1. Which of the following is not a characteristic of a good stream cipher?

[x] Statistically predictable.
[ ] Statistically unbiased keystream.
[ ] Long periods of no repeating patterns.
[ ] Keystream is not linearly related to the key.

3.2. When a security administrator wants to conduct regular tests on the strength of user passwords, what may be the best setup for this test?

[ ] A networked laptop with a Rainbow table that has direct access to the live password database.
[ ] This is not possible, because the password database is encrypted.
[ ] A networked workstation with a Rainbow table and a copied password database.
[x] A standalone workstation with a Rainbow table and a copied password database.

3.3. Which two are characteristics of DoS attacks? (Choose two.)

[ ] They always precede access attacks.
[ ] They are commonly launched with a tool called L0phtCrack.
[x] They attempt to compromise the availability of a network, host, or application.
[x] Examples include smurf attacks and ping of death attacks.
[ ] They are difficult to conduct and are initiated only by very skilled attackers.

3.4. Which phase of worm mitigation requires compartmentalization and segmentation of the network to slow down or stop the worm and prevent currently infected hosts from targeting and infecting other systems?

[ ] inoculation phase
[x] containment phase
[ ] treatment phase
[ ] quarantine phase

3.5. Which of the following evidence collection methods is most likely accepted in a court case?

[ ] Create a file-level archive of all files.
[x] Provide a mirror image of the hard drive.
[ ] Copy all files accessed at the time of the incident.
[ ] Provide a full system backup inventory.

3.6. Prior to installation of an intrusion prevention system (IPS), a network engineer would place a packet sniffer on the network. What is the purpose of using a packet sniffer?

[ ] It tracks network connections.
[x] It monitors network traffic.
[ ] It scans network segments for cabling faults.
[ ] It detects illegal packets on the network.

3.7. A port scan is classified as what type of attack?

[ ] Denial of Service attack
[x] reconnaissance attack
[ ] access attack
[ ] spoofing attack

3.8. A type of cryptographic attack that is based on the probability of two different messages using the same hash function to produce the same message digest is?

[ ] Known ciphertext attack
[ ] Statistic attack
[x] Birthday attack
[ ] Differential cryptanalysis attack

3.9. Which answer lists the proper steps required to develop a disaster recovery and business continuity plan (DRP/BCP)?

[x] Project initiation, plan development, business impact analysis, strategy development, testing, maintenance.
[ ] Business impact analysis, project initiation, strategy development, plan development, testing, maintenance.
[ ] Project initiation, business impact analysis, strategy development, plan development, testing, maintenance.
[ ] Strategy development, project initiation, business impact analysis, plan development, testing, maintenance.

3.10. An attacker is using a laptop as a rogue access point to capture all network traffic from a targeted user. Which type of attack is this?

[ ] port redirection
[x] man in the middle
[ ] buffer overflow
[ ] trust exploitation

3.11. A disgruntled employee is using Wireshark to discover administrative Telnet usernames and passwords. What type of network attack does this describe?

[ ] trust exploitation
[ ] Denial of Service
[x] reconnaissance
[ ] port redirection

3.12. Under what circumstance might a certification authority (CA) revoke a certificate?

[ ] The certificate owner's public key has been compromised.
[ ] The certificate owner has not utilized the certificate for an extended period.
[ ] The certificate owner has upgraded his/her web browser.
[x] The certificate owner's private key has been compromised.

3.13. What are the three major components of a worm attack? (Choose three.)

[ ] penetration mechanism
[ ] infecting vulnerability
[x] enabling vulnerability
[ ] probing mechanism
[x] propagation mechanism
[x] payload

3.14. Users report to the helpdesk that icons usually seen on the menu bar are randomly appearing on their computer screens. What could be a reason that computers are displaying these random graphics?

[ ] The computers are subject to a reconnaissance attack.
[ ] A virus has infected the computers.
[ ] A DoS attack has been launched against the network.
[x] An access attack has occurred.

3.15. Which of the following is an example of a simple substitution algorithm?

[ ] Rivest, Shamir, Adleman (RSA)
[x] Caesar cipher
[ ] Data Encryption Standard (DES)
[ ] Blowfish

3.16. All of the following methods ensure the stored data are unreadable except…?

[ ] physical alteration of media
[ ] writing random data over the old file.
[ ] degaussing the disk or tape.
[x] removing the volume header information.

3.17. Which two network security solutions can be used to mitigate DoS attacks? (Choose two.)

[ ] applying user authentication
[x] intrusion protection systems
[ ] virus scanning
[ ] data encryption
[x] anti-spoofing technologies

3.18. What is a characteristic of a Trojan Horse?

[ ] A proxy Trojan Horse opens port 21 on the target system.
[x] A Trojan Horse can be carried in a virus or worm.
[ ] A Trojan Horse can be hard to detect because it closes when the application that launched it closes.
[ ] An FTP Trojan Horse stops anti-virus programs or firewalls from functioning.

3.19. Which two statements describe access attacks? (Choose two.)

[ ] Port redirection attacks use a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.
[ ] Port scanning attacks scan a range of TCP or UDP port numbers on a host to detect listening services.
[ ] Password attacks can be implemented using brute-force attack methods, Trojan Horses, or packet sniffers.
[ ] Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or exploit systems to execute malicious code.
[ ] Port scanning attacks scan a range of TCP or UDP port numbers on a host to detect listening services.

3.20. Which of the following refers to a series of characters used to verify a user’s identity?

[ ] User ID
[ ] Token serial number
[ ] Security ticket
[ ] Password

3.21. Which statement is true about the One-Step lockdown feature of the Security Audit wizard?

[ ] It sets an access class ACL on vty lines.
[x] It supports AAA configuration.
[ ] It enables TCP intercepts.
[ ] It enables the Secure Copy Protocol (SCP).
[ ] It provides an option for configuring SNMPv3 on all routers.

3.22. What is a ping sweep?

[ ] A ping sweep is a software application that enables the capture of all network packets sent across a LAN.
[ ] A ping sweep is a scanning technique that examines a range of TCP or UDP port numbers on a host to detect listening services.
[ ] A ping sweep is a query and response protocol that identifies information about a domain, including the addresses assigned to that domain.
[x] A ping sweep is a network scanning technique that indicates the live hosts in a range of IP addresses.

3.23. An information security program should include the following elements:

[ ] Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems.
[ ] Disaster recovery and business continuity planning, and definition of access control requirements and human resources policies.
[ ] Business impact, threat and vulnerability analysis, delivery of an information security awareness program, and physical security of key installations.
[ ] Security policy implementation, assignment of roles and responsibilities, and information asset classification.

3.24. In business continuity planning, which of the following is an advantage of a “hot site” over a “cold site”?

[ ] Cost
[ ] Air Conditioning
[x] A and C
[ ] Short period to become operational

3.25. Which access attack method involves a software program attempting to discover a system password by using an electronic dictionary?

[ ] packet sniffer attack
[ ] IP spoofing attack
[ ] buffer overflow attack
[x] brute-force attack
[ ] port redirection attack
[ ] Denial of Service attack

4. Level 4

4.1. An administrator defined a local user account with a secret password on router R1 for use with SSH. Which three additional steps are required to configure R1 to accept only encrypted SSH connections? (Choose three.)

[ ] configure the IP domain name on the router
[ ] configure DNS on the router
[ ] generate the SSH keys
[ ] enable inbound vty Telnet sessions
[ ] enable inbound vty SSH sessions
[ ] generate two-way pre-shared keys

4.2. Which statement accurately characterizes the evolution of network security?

[ ] Internet architects planned for network security from the beginning.
[ ] Threats have become less sophisticated while the technical knowledge needed by an attacker has grown.
[ ] Internal threats can cause even greater damage than external threats.
[ ] Early Internet users often engaged in activities that would harm other users.

4.3. Computer security is generally considered to be the responsibility of…?

[ ] the corporate security staff.
[x] corporate management.
[ ] everyone with computer access.
[ ] everyone in the organization.

4.4. What are two reasons for securing the data plane in the NFP framework? (Choose two.)

[ ] to force technicians to use SSH and HTTPS when managing devices
[ ] to allow users to control the flow of traffic that is managed by the route processor of their network devices
[ ] to protect against DoS attacks
[ ] to provide a record of who accessed the device, what occurred, and when it occurred
[ ] to provide bandwidth control

4.5. Refer to the exhibit. What two pieces of information can be gathered from the generated message? (Choose two.)

[ ] This message indicates that enhanced security was configured on the vty ports.
[ ] This message is a level five notification message.
[ ] This message appeared because a major error occurred requiring immediate action.
[ ] This message appeared because a minor error occurred requiring further investigation.
[ ] This message indicates that service timestamps have been globally enabled.

4.6. Which recommended security practice prevents attackers from performing password recovery on an IOS router for the purpose of gaining access to the privileged EXEC mode?

[ ] Disable all unused ports and interfaces to reduce the number of ways that the router can be accessed.
[ ] Configure secure administrative control to ensure that only authorized personnel can access the router.
[ ] Keep a secure copy of the router IOS image and router configuration file as a backup.
[ ] Provision the router with the maximum amount of memory possible.
[ ] Locate the router in a secure locked room that is accessible only to authorized personnel.

4.7. Refer to the exhibit. Routers R1 and R2 are connected via a serial link. One router is configured as the NTP master, and the other is an NTP client. Which two pieces of information can be obtained from the partial output of the show ntp associations detail command on R2? (Choose two.)

[ ] Router R2 is the master, and R1 is the client.
[ ] The IP address of R1 is 192.168.1.2.
[ ] Both routers are configured to use NTPv2.
[x] The IP address of R2 is 192.168.1.2.
[x] Router R1 is the master, and R2 is the client.

4.8. Which three areas of router security must be maintained to secure an edge router at the network perimeter? (Choose three.)

[ ] operating system security
[ ] zone isolation
[ ] remote access security
[ ] flash security
[ ] router hardening
[ ] physical security

4.9. Refer to the exhibit. Based on the output of the show running-config command, which type of view is SUPPORT?

[ ] CLI view, containing SHOWVIEW and VERIFYVIEW commands
[x] superview, containing SHOWVIEW and VERIFYVIEW views
[ ] root view, with a level 5 encrypted secret password
[ ] secret view, with a level 5 encrypted password

4.10. From a legal perspective, which rule must be addressed when investigating a computer crime?

[ ] Data protection
[ ] Search and seizure
[ ] Engagement
[x] Evidence

4.11. What are two characteristics of SNMP community strings? (Choose two.)

[ ] A vulnerability of SNMPv1, SNMPv2, and SNMPv3 is that they send the community strings in plaintext.
[ ] If the manager sends one of the correct read-only community strings, it can get information and set information in an agent.
[ ] Commonly known community strings should be used when configuring secure SNMP.
[ ] SNMP read-only community strings can be used to get information from an SNMP-enabled device.
[ ] SNMP read-write community strings can be used to set information on an SNMP-enabled device.

4.12. Which of the following transaction processing properties ensures once a transaction completes successfully (commits), the updates survive even if there is a system failure?

[ ] Atomicity.
[ ] Isolation.
[ ] Consistency.
[x] Durability.

4.13. If AAA is already enabled, which three CLI steps are required to configure a router with a specific view? (Choose three.)

[ ] Create a superview using the parser view view-name command.
[ ] Associate the view with the root view.
[ ] Assign users who can use the view.

4.14. Which two statements describe the initial deployed services of routers and recommended security configuration changes? (Choose two.)

[ ] Configuration autoloading is disabled by default but should be enabled, even when the service is not required.
[ ] CDP is disabled by default and should be enabled on all interfaces, even when the service is not required.
[ ] ICMP unreachable notifications are enabled by default but should be disabled on untrusted interfaces.
[ ] TCP keepalives are disabled by default but should be enabled globally to prevent certain DoS attacks.
[ ] FTP is enabled by default and should be disabled.
[ ] ICMP mask reply is disabled by default but should be enabled on untrusted interfaces.

4.15. A security policy provides a way to…?

[ ] identify and clarify security goals and objectives.
[ ] establish a cost model for security activities.
[ ] allow management to define system recovery requirements.
[ ] enable management to define system access rules.

4.16. When downloading software from the Internet, why do vendors publish MD5 hash values when they provide software to customers?

[ ] Recipients can confirm the authenticity of the site from which they are downloading the patch.
[ ] Recipients need the hash value to successfully activate the new software.
[ ] Recipients can request future updates to the software by using the assigned hash value.
[x] Recipients can verify the software’s integrity after downloading.

4.17. In IPsec, what is the standard format that helps to establish and manage the security association (SA) between two internetworking entities?

[ ] Authentication Header (AH)
[ ] Diffie-Hellman Key Exchange
[ ] Internet Key Exchange (IKE)
[x] Internet Security Association and Key Management Protocol (ISAKMP)

4.18. Refer to the exhibit. Which statement regarding the JR-Admin account is true?

[ ] JR-Admin can issue only ping commands.
[x] JR-Admin can issue show, ping, and reload commands.
[ ] JR-Admin can issue ping and reload commands.
[ ] JR-Admin can issue debug and reload commands.
[ ] JR-Admin cannot issue any command because the privilege level does not match one of those defined.

4.19. Why is the username name secret password command preferred over the username name password password command?

[ ] It does not require the login local command to enable the local database for authentication.
[x] It uses the MD5 algorithm for encrypting passwords.
[ ] It uses the standard type 7 algorithm for encrypting passwords.
[ ] It allows the administrator to configure passwords of any length.

4.20. Separation of duties should be…?

[ ] determined by the availability of trained staff.
[ ] enforced in the program testing phase of application development.
[x] cost justified for the potential for loss.
[ ] enforced in all organizational areas.

4.21. What is considered a valid method of securing the control plane in the NFP framework?

[ ] DHCP snooping
[ ] login and password policy
[ ] dynamic ARP inspection
[ ] DHCP snooping
[ ] role-based access control
[ ] authorization of actions

4.22. Which three options can be configured by AutoSecure? (Choose three.)

[x] enable secret password
[ ] SNMP
[ ] interface IP address
[x] CBAC
[ ] syslog
[x] security banner

4.23. Which type of security threat can be described as software that attaches to another program to execute a specific unwanted function?

[ ] worm
[ ] Denial of Service Trojan Horse
[ ] proxy Trojan Horse
[ ] virus

4.24. What are three requirements that must be met if an administrator wants to maintain device configurations via secure in-band management? (Choose three.)

[ ] direct access to the console ports of all network devices
[ ] at least one router acting as a terminal server
[ ] a separate network segment connecting all management devices
[ ] connection to network devices through a production network or the Internet
[ ] encryption of all remote access management traffic
[ ] network devices configured to accommodate SSH

4.25. When securing Internet connections, which of the following should be used to protect internal routing and labeling schemes?

[ ] Layer 2 Tunneling Protocol (L2TP)
[ ] Virtual Private Networks (VPN)
[ ] Domain Name Systems (DNS)
[x] Network Address Translation (NAT)