
Security Certification

CyberOps Associate v1.0

Amal Sayari

2022-2023
Course Outline

Module  Title
 1  The Danger
 2  Fighters in the War Against Cybercrime
 3  The Windows Operating System
 4  Linux Overview
 5  Network Protocols
 6  Ethernet and Internet Protocol (IP)
 7  Connectivity Verification
 8  Address Resolution Protocol
 9  The Transport Layer
10  Network Services
11  Network Communication Devices
12  Network Security Infrastructure
13  Attackers and their Tools
14  Common Threats and Attacks
15  Network Monitoring and Tools
16  Attacking the Foundation
17  Attacking What We Do
18  Understanding Defense
19  Access Control
20  Threat Intelligence
21  Cryptography
22  Endpoint Protection
23  Endpoint Vulnerability Assessment
24  Technologies and Protocols
25  Network Security Data
26  Evaluating Alerts
27  Working with Network Security Data
28  Digital Forensics and Incident Analysis and Response

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
▪ What are three goals of a port scan attack? (Choose three.)
  ▪ to discover system passwords
  ▪ to identify operating systems
  ▪ to identify active services
  ▪ to identify peripheral configurations
  ▪ to determine potential vulnerabilities
  ▪ to disable used ports and services

Answer: to identify operating systems; to identify active services; to determine potential vulnerabilities

Answers Explanation & Hints: A port scan is reconnaissance. By probing which TCP and UDP ports answer, the attacker learns which services are listening, fingerprints the operating system from how the network stack responds, and from both infers which vulnerabilities are worth attempting. A scan does not recover passwords, reveal peripheral configurations, or disable anything.
▪ When establishing a network profile for an organization, which element describes the time between the establishment of a data flow and its termination?
  ▪ routing protocol convergence
  ▪ total throughput
  ▪ session duration
  ▪ bandwidth of the Internet connection

Answer: session duration

Answers Explanation & Hints: A network profile should include some important elements, such as the following:
  • Total throughput – the amount of data passing from a given source to a given destination in a given period of time
  • Session duration – the time between the establishment of a data flow and its termination
  • Ports used – a list of TCP or UDP processes that are available to accept data
  • Critical asset address space – the IP addresses or the logical location of essential systems or data
▪ In addressing an identified risk, which strategy aims to shift some of the risk to other parties?
  ▪ risk avoidance
  ▪ risk retention
  ▪ risk reduction
  ▪ risk sharing

Answer: risk sharing

Answers Explanation & Hints: There are four potential strategies for responding to risks that have been identified:
  Risk avoidance – Stop performing the activities that create risk.
  Risk reduction – Decrease the risk by taking measures to reduce vulnerability.
  Risk sharing – Shift some of the risk to other parties (for example, by buying cyber insurance or outsourcing the activity).
  Risk retention – Accept the risk and its consequences.
▪ A computer is presenting a user with a screen requesting payment before the user data is allowed to be accessed by the same user. What type of malware is this?
  ▪ a type of virus
  ▪ a type of worm
  ▪ a type of ransomware
  ▪ a type of logic bomb

Answer: a type of ransomware

Answers Explanation & Hints: Ransomware commonly encrypts data on a computer and makes the data unavailable until the computer user pays a specific sum of money.
▪ What characterizes a threat actor?
  ▪ They are all highly-skilled individuals.
  ▪ They always try to cause some harm to an individual or organization.
  ▪ They always use advanced tools to launch attacks.
  ▪ They all belong to organized crime.

Answer: They always try to cause some harm to an individual or organization.

Answers Explanation & Hints: Threat actors range from unskilled individuals running prebuilt tools to well-resourced organized crime and state-sponsored groups. What they share is the intent to harm an individual or organization, not a particular skill level, toolset, or affiliation.
▪ A device has been assigned the IPv6 address of 2001:0db8:cafe:4500:1000:00d8:0058:00ab/64. Which is the network identifier of the device?
  ▪ 1000:00d8:0058:00ab
  ▪ 2001
  ▪ 2001:0db8:cafe:4500:1000:00d8:0058:00ab
  ▪ 2001:0db8:cafe:4500:1000
  ▪ 2001:0db8:cafe:4500

Answer: 2001:0db8:cafe:4500

Answers Explanation & Hints: The address has a prefix length of /64. Thus the first 64 bits (the first four hextets, 2001:0db8:cafe:4500) represent the network portion, whereas the last 64 bits (1000:00d8:0058:00ab) represent the interface ID, or host portion, of the IPv6 address. In compressed notation the network is written 2001:db8:cafe:4500::/64.
▪ Which type of data would be considered an example of volatile data?
  ▪ web browser cache
  ▪ log files
  ▪ memory registers
  ▪ temp files

Answer: memory registers

Answers Explanation & Hints: Volatile data is data stored in memory such as registers, cache, and RAM, or it is data that exists in transit. Volatile memory is lost when the computer loses power, which is why it is collected first in a forensic acquisition.
▪ What type of attack targets an SQL database using the input field of a user?
  ▪ XML injection
  ▪ SQL injection
  ▪ buffer overflow
  ▪ Cross-site scripting

Answer: SQL injection

Answers Explanation & Hints: A criminal can insert a malicious SQL statement in an entry field on a website where the system does not filter the user input correctly. The reliable defense is to keep user input out of the statement text altogether by using parameterized (prepared) statements, so the input is bound as a value and never parsed as SQL.
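To make the slide's point concrete, here is an added example (not part of the original deck) that runs the classic tautology payload against an in-memory SQLite table twice: once through a query assembled by string formatting, once through a parameterized query. The users table, its two rows and both login helpers are constructed for the example.

```python
"""Same lookup, built two ways: string formatting (injectable) and placeholders.
Added example; the users table, its rows and both login helpers are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory table with two accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # The form fields are pasted into the statement text, so whoever fills the
    # form also controls the SQL syntax, not just the compared values.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Placeholders ship the values separately from the statement; the engine
    # never parses them as SQL, so quotes in the input remain plain characters.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


PAYLOAD = "' OR '1'='1"   # tautology typed into the password field


def demo() -> dict:
    """Run the payload and a legitimate login through both helpers."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, "nobody", PAYLOAD),
        "parameterized": login_parameterized(conn, "nobody", PAYLOAD),
        "legit": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

With the vulnerable helper the payload turns the WHERE clause into `username = 'nobody' AND password = '' OR '1'='1'`, which is true for every row, so both accounts come back for a user that does not exist. The parameterized helper sends the identical text as a bound value and returns nothing. Escaping quotes by hand is not a substitute: placeholders remove the problem by construction.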
▪ What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?
  ▪ CAM table attack
  ▪ DHCP spoofing
  ▪ IP address spoofing
  ▪ DHCP starvation

Answer: DHCP starvation

Answers Explanation & Hints: DHCP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages, each with a different spoofed source MAC address, in order to lease the entire pool of available IP addresses, thus denying them to legitimate hosts. DHCP snooping and port security on the access switch, which limit the number of MAC addresses and the rate of DHCP messages per port, are the usual mitigations.
▪ Which wireless parameter is used by an access point to broadcast frames that include the SSID?
  ▪ passive mode
  ▪ active mode
  ▪ channel setting
  ▪ security mode

Answer: passive mode

Answers Explanation & Hints: The two scanning or probing modes an access point can be placed into are passive or active. In passive mode, the AP advertises the SSID, supported standards, and security settings in broadcast beacon frames. In active mode, the wireless client must be manually configured with the same wireless parameters as the AP has configured.
▪ How can statistical data be used to describe or predict network behavior?
  ▪ by displaying alert messages that are generated by Snort
  ▪ by comparing normal network behavior to current network behavior
  ▪ by recording conversations between network endpoints
  ▪ by listing results of user web surfing activities

Answer: by comparing normal network behavior to current network behavior

Answers Explanation & Hints: Statistical data is created through the analysis of other forms of network data. Statistical characteristics of normal network behavior can be compared to current network traffic in an effort to detect anomalies. Conclusions resulting from analysis can be used to describe or predict network behavior.
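The profile elements on the network-profile slide and the baseline-versus-current comparison described here can both be computed from flow records. The following is an added example, not code from the course: it reads constructed flow records in an invented `start,end,src,dst,dport,bytes` format, derives the four profile elements, and flags a current window whose throughput, destination ports, or per-source port fan-out (the port-scan pattern from the earlier slide) deviate from the baseline. The thresholds, the critical asset list and the sample records are all assumptions made for the example.

```python
"""Build a network profile from flow records and compare a current window
against it. Added example: the flow format (start,end,src,dst,dport,bytes),
the sample records and the thresholds are all constructed here, not taken
from any real NetFlow export."""
from collections import defaultdict
from statistics import mean

# Constructed baseline: one quiet hour of ordinary web and DNS traffic.
BASELINE = """\
0,12,10.1.1.10,10.1.1.53,53,600
0,240,10.1.1.10,203.0.113.7,443,500000
60,75,10.1.1.11,10.1.1.53,53,700
120,900,10.1.1.11,203.0.113.7,443,2000000
300,310,10.1.1.12,10.1.1.53,53,650
900,3500,10.1.1.12,203.0.113.9,443,1500000
""".splitlines()

# Constructed current window: a sweep of many ports on the file server
# plus a large outbound transfer on a port the baseline never saw.
CURRENT = """\
0,1,10.1.1.10,10.1.1.20,21,60
0,1,10.1.1.10,10.1.1.20,22,60
0,1,10.1.1.10,10.1.1.20,23,60
0,1,10.1.1.10,10.1.1.20,25,60
0,1,10.1.1.10,10.1.1.20,80,60
0,1,10.1.1.10,10.1.1.20,139,60
0,1,10.1.1.10,10.1.1.20,445,60
0,1,10.1.1.10,10.1.1.20,3389,60
5,2000,10.1.1.10,198.51.100.5,4444,90000000
30,40,10.1.1.11,10.1.1.53,53,700
""".splitlines()

CRITICAL_ASSETS = {"10.1.1.20", "10.1.1.53"}   # assumed critical asset address space


def parse(lines):
    """Turn 'start,end,src,dst,dport,bytes' lines into flow dicts."""
    flows = []
    for line in lines:
        start, end, src, dst, dport, nbytes = line.split(",")
        flows.append({"start": int(start), "end": int(end), "src": src,
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def profile(flows, window_seconds=3600):
    """The four profile elements from the slide, over one observation window."""
    return {
        "throughput_bps": sum(f["bytes"] for f in flows) * 8 / window_seconds,
        "session_duration": mean(f["end"] - f["start"] for f in flows),
        "ports_used": {f["dport"] for f in flows},
        "critical_assets_touched": {f["dst"] for f in flows} & CRITICAL_ASSETS,
    }


def compare(baseline, current, throughput_factor=5.0, scan_fanout=6):
    """Flag deviations of the current window from the baseline profile."""
    base, cur = profile(baseline), profile(current)
    findings = []
    if cur["throughput_bps"] > throughput_factor * base["throughput_bps"]:
        findings.append("throughput %.0fx baseline"
                        % (cur["throughput_bps"] / base["throughput_bps"]))
    for port in sorted(cur["ports_used"] - base["ports_used"]):
        findings.append(f"new destination port {port}")
    # Port-scan indicator: one source touching many distinct ports on one host.
    fanout = defaultdict(set)
    for f in current:
        fanout[(f["src"], f["dst"])].add(f["dport"])
    for (src, dst), ports in sorted(fanout.items()):
        if len(ports) >= scan_fanout:
            tag = " (critical asset)" if dst in CRITICAL_ASSETS else ""
            findings.append(f"{src} probed {len(ports)} ports on {dst}{tag}")
    return findings


if __name__ == "__main__":
    for finding in compare(parse(BASELINE), parse(CURRENT)):
        print(finding)
```

Comparing the baseline against itself produces no findings; comparing it against the constructed current window reports the throughput jump, each port the baseline never carried, and the one source that probed eight ports on a critical asset. In production the baseline would be rebuilt periodically, because a profile learned once drifts as the network changes.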
▪ Which Windows Event Viewer log includes events regarding the operation of drivers, processes, and hardware?
  ▪ application logs
  ▪ security logs
  ▪ setup logs
  ▪ system logs

Answer: system logs

Answers Explanation & Hints: By default Windows keeps four types of host logs:
  Application logs – events logged by various applications
  System logs – events about the operation of drivers, processes, and hardware
  Setup logs – information about the installation of software, including Windows updates
  Security logs – events related to security, such as logon attempts and operations related to file or object management and access
▪ What is the primary objective of a threat intelligence platform (TIP)?
  ▪ to provide a specification for an application layer protocol that allows the communication of CTI over HTTPS
  ▪ to provide a security operations platform that integrates and enhances diverse security tools and threat intelligence
  ▪ to aggregate the data in one place and present it in a comprehensible and usable format
  ▪ to provide a standardized schema for specifying, capturing, characterizing, and communicating events and properties of network operations

Answer: to aggregate the data in one place and present it in a comprehensible and usable format

Answers Explanation & Hints: A TIP centralizes threat data arriving from many feeds in many formats so that analysts can use it. The distractors describe other things: an application layer protocol for carrying CTI over HTTPS is TAXII, and a standardized schema for events and properties of network operations is CybOX.
▪ Which two statements describe the use of asymmetric algorithms? (Choose two.)
  ▪ If a private key is used to encrypt the data, a private key must be used to decrypt the data.
  ▪ If a public key is used to encrypt the data, a public key must be used to decrypt the data.
  ▪ Public and private keys may be used interchangeably.
  ▪ If a private key is used to encrypt the data, a public key must be used to decrypt the data.
  ▪ If a public key is used to encrypt the data, a private key must be used to decrypt the data.

Answer: If a private key is used to encrypt the data, a public key must be used to decrypt the data; If a public key is used to encrypt the data, a private key must be used to decrypt the data.

Answers Explanation & Hints: Asymmetric algorithms use two keys: a public key and a private key. Both keys are capable of the encryption process, but the complementary matched key is required for decryption. If a public key encrypts the data, the matching private key decrypts the data. The opposite is also true: if a private key encrypts the data, the corresponding public key decrypts the data. Only the public-key-encrypt direction provides confidentiality; "encrypting" with the private key is the basis of digital signatures, since anyone holding the public key can reverse it.
▪ Which two ICMPv6 messages are used during the Ethernet MAC address resolution process? (Choose two.)
  ▪ router solicitation
  ▪ neighbor advertisement
  ▪ router advertisement
  ▪ neighbor solicitation
  ▪ echo request

Answer: neighbor advertisement; neighbor solicitation

Answers Explanation & Hints: IPv6 has no ARP. It uses neighbor solicitation (NS) and neighbor advertisement (NA) ICMPv6 messages, part of the Neighbor Discovery protocol, for MAC address resolution.
▪ Which application layer protocol is used to provide file-sharing and print services to Microsoft applications?
  ▪ SMB
  ▪ DHCP
  ▪ HTTP
  ▪ SMTP

Answer: SMB

Answers Explanation & Hints: SMB is used in Microsoft networking for file-sharing and print services. The Linux operating system provides a method of sharing resources with Microsoft networks by using an implementation of SMB called Samba.
▪ Which device in a layered defense-in-depth approach denies connections initiated from untrusted networks to internal networks, but allows internal users within an organization to connect to untrusted networks?
  ▪ internal router
  ▪ IPS
  ▪ access layer switch
  ▪ firewall

Answer: firewall

Answers Explanation & Hints: A firewall is typically a second line of defense in a layered defense-in-depth approach to network security. The firewall typically connects to an edge router that connects to the service provider. A stateful firewall tracks connections initiated within the company going out of the company, permits the return traffic for those connections, and denies initiation of connections from external untrusted networks going to internal trusted networks.
▪ A network administrator is configuring an AAA server to manage RADIUS authentication. Which two features are included in RADIUS authentication? (Choose two.)
  ▪ single process for authentication and authorization
  ▪ separate processes for authentication and authorization
  ▪ hidden passwords during transmission
  ▪ encryption for all communication
  ▪ encryption for only the data

Answer: single process for authentication and authorization; hidden passwords during transmission

Answers Explanation & Hints: RADIUS combines authentication and authorization into a single exchange (Access-Request followed by Access-Accept or Access-Reject) and hides only the password attribute of the request; the rest of the packet, including the username, travels in cleartext. TACACS+, by contrast, separates authentication, authorization, and accounting and encrypts the entire packet body.
▪ A company has a file server that shares a folder named Public. The network security policy specifies that the Public folder is assigned Read-Only rights to anyone who can log into the server while the Edit rights are assigned only to the network admin group. Which component is addressed in the AAA network service framework?
  ▪ authentication
  ▪ accounting
  ▪ automation
  ▪ authorization

Answer: authorization

Answers Explanation & Hints: After a user is successfully authenticated (logged into the server), authorization is the process of determining what network resources the user can access and what operations (such as read or edit) the user can perform.
▪ What are the three core functions provided by the Security Onion? (Choose three.)
  ▪ business continuity planning
  ▪ alert analysis
  ▪ security device management
  ▪ threat containment
  ▪ intrusion detection
  ▪ full packet capture

Answer: alert analysis; intrusion detection; full packet capture

Answers Explanation & Hints: Security Onion is an open source suite of Network Security Monitoring (NSM) tools for evaluating cybersecurity alerts. For cybersecurity analysts the Security Onion provides full packet capture, network-based and host-based intrusion detection systems, and alert analysis tools.
▪ What is a characteristic of a Trojan horse as it relates to network security?
  ▪ Malware is contained in a seemingly legitimate executable program.
  ▪ Extreme quantities of data are sent to a particular network device interface.
  ▪ Too much information is destined for a particular memory block, causing additional memory areas to be affected.
  ▪ An electronic dictionary is used to obtain a password to be used to infiltrate a key network device.

Answer: Malware is contained in a seemingly legitimate executable program.

Answers Explanation & Hints: A Trojan horse carries out malicious operations under the guise of a legitimate program. Denial of service attacks send extreme quantities of data to a particular host or network device interface. Password attacks use electronic dictionaries in an attempt to learn passwords. Buffer overflow attacks exploit memory buffers by sending too much information to a host to render the system inoperable.
▪ What technique is used in social engineering attacks?
  ▪ man-in-the-middle
  ▪ phishing
  ▪ buffer overflow
  ▪ sending junk email

Answer: phishing

Answers Explanation & Hints: In phishing, a threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or into sharing personal or financial information.
▪ What are two evasion techniques that are used by hackers? (Choose two.)
  ▪ phishing
  ▪ Trojan horse
  ▪ reconnaissance
  ▪ rootkit
  ▪ pivot

Answer: rootkit; pivot

Answers Explanation & Hints: The following methods are used by hackers to avoid detection:
  Encryption and tunneling – hide or scramble the malware content
  Resource exhaustion – keeps the host device too busy to detect the invasion
  Traffic fragmentation – splits the malware into multiple packets
  Protocol-level misinterpretation – sneaks by the firewall
  Pivot – uses a compromised network device to attempt access to another device
  Rootkit – allows the hacker to be undetected and hides software installed by the hacker
▪ What are three functions provided by the syslog service? (Choose three.)
  ▪ to gather logging information for monitoring and troubleshooting
  ▪ to provide statistics on packets that are flowing through a Cisco device
  ▪ to periodically poll agents for data
  ▪ to specify the destinations of captured messages
  ▪ to provide traffic analysis
  ▪ to select the type of logging information that is captured

Answer: to gather logging information for monitoring and troubleshooting; to specify the destinations of captured messages; to select the type of logging information that is captured

Answers Explanation & Hints: There are three primary functions provided by the syslog service:
  gathering logging information
  selection of the type of information to be logged
  selection of the destination of the logged information
Packet statistics are the domain of NetFlow, and periodic polling of agents is how SNMP works.
▪ Why would a network administrator choose Linux as an operating system in the Security Operations Center (SOC)?
  ▪ It is easier to use than other server operating systems.
  ▪ The administrator has control over specific security functions, but not standard applications.
  ▪ More network applications are created for this environment.
  ▪ It can be acquired at no charge.

Answer: It can be acquired at no charge.

Answers Explanation & Hints: Linux is open source and can be obtained at no cost. It also gives the administrator full control over the operating system and a powerful command line, which is why SOC tooling such as Security Onion is built on it.
▪ Which protocol or service uses UDP for a client-to-server communication and TCP for server-to-server communication?
  ▪ DNS
  ▪ HTTP
  ▪ FTP
  ▪ SMTP

Answer: DNS

Answers Explanation & Hints: Some applications may use both TCP and UDP. DNS uses UDP when clients send requests to a DNS server, and TCP when two DNS servers communicate directly, as in a zone transfer. Clients also fall back to TCP when a response is too large for UDP and comes back truncated, and DNS over TLS or HTTPS always runs over TCP.
▪ Which two statements describe the characteristics of symmetric algorithms? (Choose two.)
  ▪ They provide confidentiality, integrity, and availability.
  ▪ They are commonly used with VPN traffic.
  ▪ They use a pair of a public key and a private key.
  ▪ They are referred to as a pre-shared key or secret key.
  ▪ They are commonly implemented in the SSL and SSH protocols.

Answer: They are commonly used with VPN traffic; They are referred to as a pre-shared key or secret key.

Answers Explanation & Hints: Symmetric encryption algorithms use the same key (also called a shared secret) to encrypt and decrypt the data. In contrast, asymmetric encryption algorithms use a pair of keys, one for encryption and another for decryption. Strictly speaking, TLS (SSL) and SSH also use symmetric ciphers for bulk encryption once keys have been exchanged; the answer key treats the VPN and pre-shared key statements as the defining characteristics.
▪ What are two properties of a cryptographic hash function? (Choose two.)
  ▪ The hash function is one way and irreversible.
  ▪ The input for a particular hash algorithm has to have a fixed size.
  ▪ Hash functions can be duplicated for authentication purposes.
  ▪ Complex inputs will produce complex hashes.
  ▪ The output is a fixed length.

Answer: The hash function is one way and irreversible; The output is a fixed length.

Answers Explanation & Hints: A cryptographic hash accepts input of any length and always produces a digest of fixed length (256 bits for SHA-256). The digest cannot be reversed to recover the input, and it should be infeasible to find two different inputs with the same digest. The output looks random whether the input is simple or complex, so "complex hashes" is not a meaningful property.
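An added example (not from the deck) that checks the two correct properties with hashlib and also shows the limit of "one way": the digest cannot be inverted, but a salted SHA-256 of a four-digit PIN is still recovered by simply hashing all 10,000 candidates. The messages, salt and PIN are constructed for the example.

```python
"""Checking the two hash properties from the slide, and the limit of 'one way'.
Added example; the messages, salt and PIN are constructed for illustration."""
import hashlib
import itertools
from typing import Optional


def digest_lengths(messages) -> dict:
    """Fixed-length output: input length -> digest length (always 32 bytes for SHA-256)."""
    return {len(m): len(hashlib.sha256(m).digest()) for m in messages}


def avalanche_bits(a: bytes, b: bytes) -> int:
    """Number of output bits that differ; a one-bit input change flips about half of 256."""
    x = int.from_bytes(hashlib.sha256(a).digest(), "big")
    y = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(x ^ y).count("1")


def brute_force_pin(target_hex: str, salt: bytes) -> Optional[str]:
    """The hash is not inverted; every candidate is hashed forward and compared.
    A 4-digit PIN has only 10,000 candidates, so the preimage falls immediately."""
    for digits in itertools.product("0123456789", repeat=4):
        guess = "".join(digits).encode()
        if hashlib.sha256(salt + guess).hexdigest() == target_hex:
            return guess.decode()
    return None


SALT = b"constructed-salt"                               # assumed per-user salt
STORED = hashlib.sha256(SALT + b"7305").hexdigest()       # constructed stored hash of PIN 7305

if __name__ == "__main__":
    print(digest_lengths([b"", b"a", b"x" * 10_000]))    # every value is 32
    print(avalanche_bits(b"security", b"securitx"))      # about half of 256 bits
    print(brute_force_pin(STORED, SALT))                 # 7305
```

The lesson for the SOC: "irreversible" protects only inputs with enough entropy. Stored passwords and PINs need a slow, salted key derivation function such as PBKDF2, scrypt or Argon2 so that each guess costs real time, and an unpredictable secret rather than a four-digit one.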
▪ Which two statements are characteristics of a virus? (Choose two.)
  ▪ A virus provides the attacker with sensitive data, such as passwords.
  ▪ A virus has an enabling vulnerability, a propagation mechanism, and a payload.
  ▪ A virus typically requires end-user activation.
  ▪ A virus replicates itself by independently exploiting vulnerabilities in networks.
  ▪ A virus can be dormant and then activate at a specific time or date.

Answer: A virus typically requires end-user activation; A virus can be dormant and then activate at a specific time or date.

Answers Explanation & Hints: The type of end user interaction required to launch a virus is typically opening an application, opening a web page, or powering on the computer. Once activated, a virus may infect other files located on the computer or other computers on the same network. An enabling vulnerability, a propagation mechanism, and a payload are the three components of a worm, which spreads on its own by exploiting vulnerabilities in networks.
▪ What is a network tap?
  ▪ a Cisco technology that provides statistics on packets flowing through a router or multilayer switch
  ▪ a passive device that forwards all traffic and physical layer errors to an analysis device
  ▪ a technology used to provide real-time reporting and long-term analysis of security events
  ▪ a feature supported on Cisco switches that enables the switch to copy frames and forward them to an analysis device

Answer: a passive device that forwards all traffic and physical layer errors to an analysis device

Answers Explanation & Hints: A network tap is used to capture traffic for monitoring the network. The tap is typically a passive splitting device implemented inline on the network and forwards all traffic, including physical layer errors, to an analysis device. The other options describe NetFlow, a SIEM, and SPAN (port mirroring), respectively.
▪ According to NIST, which step in the digital forensics process involves preparing and presenting information that resulted from scrutinizing data?
  ▪ examination
  ▪ collection
  ▪ reporting
  ▪ analysis

Answer: reporting

Answers Explanation & Hints: NIST describes the digital forensics process as involving the following four steps:
  Collection – the identification of potential sources of forensic data and acquisition, handling, and storage of that data
  Examination – assessing and extracting relevant information from the collected data. This may involve decompression or decryption of the data
  Analysis – drawing conclusions from the data. Salient features, such as people, places, times, events, and so on should be documented
  Reporting – preparing and presenting information that resulted from the analysis. Reporting should be impartial and alternative explanations should be offered if appropriate
▪ What is privilege escalation?
  ▪ Everyone is given full rights by default to everything and rights are taken away only when someone abuses privileges.
  ▪ A security problem occurs when high ranking corporate officials demand rights to systems or files that they should not have.
  ▪ Vulnerabilities in systems are exploited to grant higher levels of privilege than someone or some process should have.
  ▪ Someone is given rights because she or he has received a promotion.

Answer: Vulnerabilities in systems are exploited to grant higher levels of privilege than someone or some process should have.

Answers Explanation & Hints: With privilege escalation, vulnerabilities are exploited to grant higher levels of privilege. After the privilege is granted, the threat actor can access sensitive information or take control of the system.
▪ Which PDU format is used when bits are received from the network medium by the NIC of a host?
  ▪ frame
  ▪ segment
  ▪ packet
  ▪ file

Answer: frame

Answers Explanation & Hints: When received at the physical layer of a host, the bits are formatted into a frame at the data link layer. A packet is the PDU at the network layer. A segment is the PDU at the transport layer. A file is a data structure that may be used at the application layer.
▪ In network security assessments, which type of test is used to evaluate the risk posed by vulnerabilities to a specific organization including assessment of the likelihood of attacks and the impact of successful exploits on the organization?
  ▪ vulnerability assessment
  ▪ risk analysis
  ▪ port scanning
  ▪ penetration testing

Answer: risk analysis

Answers Explanation & Hints: A vulnerability assessment finds and ranks weaknesses, penetration testing attempts to exploit them, and port scanning enumerates exposed services. Only risk analysis combines the likelihood of an attack with the impact of a successful exploit on the specific organization.
▪ What is a characteristic of CybOX?
  ▪ It is the specification for an application layer protocol that allows the communication of CTI over HTTPS.
  ▪ It enables the real-time exchange of cyberthreat indicators between the U.S. Federal Government and the private sector.
  ▪ It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations.
  ▪ It is a set of specifications for exchanging cyberthreat information between organizations.

Answer: It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations.

Answers Explanation & Hints: The distractors describe TAXII (the transport protocol for CTI over HTTPS), the DHS Automated Indicator Sharing (AIS) program, and STIX (the specifications for exchanging cyberthreat information), respectively.
▪ In NAT terms, what address type refers to the globally routable IPv4 address of a destination host on the Internet?
  ▪ inside local
  ▪ outside local
  ▪ inside global
  ▪ outside global

Answer: outside global

Answers Explanation & Hints: From the perspective of a NAT device, inside global addresses are used by external users to reach internal hosts. Inside local addresses are the addresses assigned to internal hosts. Outside global addresses are the addresses of destinations on the external network. Outside local addresses are the actual private addresses of destination hosts behind other NAT devices.
▪ A piece of malware has gained access to a workstation and issued a DNS lookup query to a CnC server. What is the purpose of this attack?
  ▪ to send stolen sensitive data with encoding
  ▪ to request a change of the IP address
  ▪ to masquerade the IP address of the workstation
  ▪ to check the domain name of the workstation

Answer: to send stolen sensitive data with encoding

Answers Explanation & Hints: A piece of malware, after accessing a host, may exploit the DNS service by communicating with command-and-control (CnC) servers and then exfiltrate data in traffic disguised as normal DNS lookup queries. Various types of encoding, such as base64, 8-bit binary, and hex can be used to camouflage the data and evade basic data loss prevention (DLP) measures.
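Added example, not part of the course material: heuristics an analyst can run over DNS query records to surface the pattern described above. The record format (`timestamp source query`) and the sample lines are constructed, and the encoded labels in them carry made-up data. The thresholds and the two-label approximation of the registered domain are assumptions to adjust per environment.

```python
"""Heuristics for spotting data hidden in DNS lookups, run over constructed
query records. Added example: the log format 'ts src query' and the sample
lines are invented here; thresholds are assumptions to tune per environment."""
import math
import re
from collections import defaultdict

# Constructed sample queries: ordinary traffic plus a host tunnelling data
# through the sub-labels of an attacker-controlled domain.
DNS_LOG = """\
1 10.1.1.10 www.cisco.com
2 10.1.1.10 learningnetwork.cisco.com
3 10.1.1.11 mail.example.com
4 10.1.1.12 5365637265742d7265706f7274.c2.example.net
5 10.1.1.12 4e6578742d7175617274657220666f72.c2.example.net
6 10.1.1.12 U2FsYXJpZXMgMjAyMyBkcmFmdA.c2.example.net
7 10.1.1.12 Q3JlZGl0IGNhcmQgbnVtYmVycyE.c2.example.net
8 10.1.1.11 cdn.example.com
""".splitlines()

HEX_RE = re.compile(r"^[0-9a-f]{16,}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; encoded blobs score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registered domain (no public-suffix list).
    return ".".join(qname.split(".")[-2:])


def label_findings(qname: str, max_label=30, min_entropy=3.5):
    """Reasons a single query name looks like an exfiltration carrier."""
    reasons = []
    for label in qname.split(".")[:-2]:
        if len(label) > max_label:
            reasons.append(f"long label ({len(label)} chars)")
        if HEX_RE.match(label):
            reasons.append("hex-encoded label")
        elif B64_RE.match(label) and entropy(label) >= min_entropy:
            reasons.append(f"high-entropy label ({entropy(label):.2f} bits)")
    return reasons


def detect(lines, max_unique_subdomains=3):
    """Per-query findings plus a per-(source, domain) count of unique subdomains,
    which catches low-and-slow exfiltration that no single query gives away."""
    findings = []
    subdomains = defaultdict(set)
    for line in lines:
        _ts, src, qname = line.split()
        qname = qname.rstrip(".")          # keep case: encoders rely on it
        subdomains[(src, registered_domain(qname))].add(qname)
        for reason in label_findings(qname):
            findings.append((src, qname, reason))
    for (src, domain), names in sorted(subdomains.items()):
        if len(names) > max_unique_subdomains:
            findings.append((src, domain, f"{len(names)} unique subdomains"))
    return findings


if __name__ == "__main__":
    for src, name, reason in detect(DNS_LOG):
        print(f"{src:10s} {reason:32s} {name}")
```

Expect false positives from CDNs and cloud services whose hostnames carry long hashed labels; in practice the per-domain subdomain count and a whitelist of known high-entropy domains do most of the filtering, and the best confirmation is the volume and timing of queries to a domain nobody in the organization has any business resolving.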
▪ What are two ways that ICMP can be a security threat to a company? (Choose two.)
  ▪ by corrupting network IP data packets
  ▪ by providing a conduit for DoS attacks
  ▪ by the infiltration of web pages
  ▪ by collecting information about a network
  ▪ by corrupting data between email servers and email recipients

Answer: by providing a conduit for DoS attacks; by collecting information about a network

Answers Explanation & Hints: ICMP can be used as a conduit for DoS attacks. It can also be used to collect information about a network, such as the identification of hosts and network structure, and to determine the operating systems being used on the network.
▪ A technician is troubleshooting a network connectivity problem. Pings to the local wireless router are successful but pings to a server on the Internet are unsuccessful. Which CLI command could assist the technician to find the location of the networking problem?
  ▪ ipconfig
  ▪ ipconfig /renew
  ▪ tracert
  ▪ msconfig

Answer: tracert

Answers Explanation & Hints: The tracert utility (also known as the tracert command or tracert tool) will enable the technician to locate the hop on the path to the server where replies stop. The ipconfig command displays the computer network configuration details. The ipconfig /renew command requests an IP address from a DHCP server. Msconfig is not a network troubleshooting command.
▪ Which three IP addresses are considered private addresses? (Choose three.)
  ▪ 172.17.254.4
  ▪ 128.37.255.6
  ▪ 10.234.2.1
  ▪ 198.168.6.18
  ▪ 172.68.83.35
  ▪ 192.168.5.29

Answer: 172.17.254.4; 10.234.2.1; 192.168.5.29

Answers Explanation & Hints: RFC 1918 reserves three blocks for private use: 10.0.0.0/8 (10.0.0.0 to 10.255.255.255), 172.16.0.0/12 (172.16.0.0 to 172.31.255.255), and 192.168.0.0/16 (192.168.0.0 to 192.168.255.255). 172.68.83.35 lies outside the 172.16 to 172.31 range, and 198.168.6.18 is a public address that merely resembles 192.168.
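An added example (not from the deck) that answers both this slide and the earlier IPv6 /64 slide with Python's standard ipaddress module. The RFC 1918 ranges are spelled out rather than relying on `ipaddress.is_private`, which also matches other special-use blocks such as loopback, link-local and the documentation prefixes; the quiz addresses are the only data it uses.

```python
"""Network identifier and RFC 1918 checks with the standard ipaddress module.
Added example; the RFC 1918 table is written out rather than taken from
ipaddress.is_private, which also counts other special-use ranges."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def network_identifier(addr_with_prefix: str) -> str:
    """Zero the host bits: for a /64 that keeps the first four hextets."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    return str(iface.network)


def is_rfc1918(addr: str) -> bool:
    """True only for the three RFC 1918 blocks; IPv6 never qualifies."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def classify(addrs):
    """Split candidate addresses into RFC 1918 private and everything else."""
    return {"private": [a for a in addrs if is_rfc1918(a)],
            "public": [a for a in addrs if not is_rfc1918(a)]}


QUIZ_ADDRESSES = ["172.17.254.4", "128.37.255.6", "10.234.2.1",
                  "198.168.6.18", "172.68.83.35", "192.168.5.29"]

if __name__ == "__main__":
    print(network_identifier("2001:0db8:cafe:4500:1000:00d8:0058:00ab/64"))
    print(classify(QUIZ_ADDRESSES))
```

The same `network_identifier` call works for IPv4 prefixes, and the explicit RFC 1918 list is the right choice when the question is specifically "is this an internal address" rather than "is this routable", since a detection rule that treats 203.0.113.0/24 or 169.254.0.0/16 as internal will misclassify traffic.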
▪ A user opens three browsers on the same PC to access www.cisco.com to search for certification course information. The Cisco web server sends a datagram as a reply to the request from one of the web browsers. Which information is used by the TCP/IP protocol stack in the PC to identify which of the three web browsers should receive the reply?
  ▪ the source IP address
  ▪ the destination port number
  ▪ the source port number
  ▪ the destination IP address

Answer: the destination port number

Answers Explanation & Hints: Each web browser client application opens a randomly chosen port number in the ephemeral (dynamic) port range and uses this number as the source port number in the datagram that it sends to a server. The server then uses this port number as the destination port number in the reply datagram that it sends to the web browser. The PC that is running the web browser application receives the datagram and uses the destination port number that is contained in this datagram to identify the client application. All three connections share the same source and destination IP addresses and the same server port (443), so only the client port distinguishes them.
▪ A cybersecurity analyst needs to collect alert data. What are three detection tools to perform this task in the Security Onion architecture? (Choose three.)
  ▪ Wazuh
  ▪ CapME
  ▪ Zeek
  ▪ Kibana
  ▪ Sguil
  ▪ Wireshark
▪ Which two net commands are associated with network resource sharing? (Choose two.)
  ▪ net start
  ▪ net accounts
  ▪ net share
  ▪ net stop
  ▪ net use

Answer: net share; net use

Answers Explanation & Hints: The net command is a very important command. Some common net commands include these:
  net accounts – sets password and logon requirements for users
  net session – lists or disconnects sessions between a computer and other computers on the network
  net share – creates, removes, or manages shared resources
  net start – starts a network service or lists running network services
  net stop – stops a network service
  net use – connects, disconnects, and displays information about shared network resources
▪ What is a key difference between the data captured by NetFlow and data captured by Wireshark?
  ▪ NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.
  ▪ NetFlow provides transaction data whereas Wireshark provides session data.
  ▪ NetFlow data shows network flow contents whereas Wireshark data shows network flow statistics.
  ▪ NetFlow data is analyzed by tcpdump whereas Wireshark data is analyzed by nfdump.

Answer: NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.

Answers Explanation & Hints: Wireshark captures the entire contents of a packet. NetFlow does not. Instead, NetFlow collects metadata, or data about the flow: addresses, ports, protocol, byte and packet counts, and timing. The last option has the tools reversed: nfdump reads NetFlow records and tcpdump reads packet captures.
▪ Which method can be used to harden a device?
  ▪ allow USB auto-detection
  ▪ maintain use of the same passwords
  ▪ use SSH and disable the root account access over SSH
  ▪ allow default services to remain enabled

Answer: use SSH and disable the root account access over SSH

Answers Explanation & Hints: The basic best practices for device hardening are as follows:
  Ensure physical security.
  Minimize installed packages.
  Disable unused services.
  Use SSH and disable the root account login over SSH.
  Keep the system updated.
  Disable USB auto-detection.
  Enforce strong passwords.
  Force periodic password changes.
  Keep users from re-using old passwords.
  Review logs regularly.
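Added example, not from the course: a small audit of an sshd_config against the hardening items on the slide, in particular "use SSH and disable root login over SSH". The weak and hardened configs are constructed. The expected values and the assumed OpenSSH defaults for directives that are absent are the auditor's assumptions and should be checked against the sshd_config(5) page of the installed version.

```python
"""Audit an sshd_config against the hardening items on the slide. Added
example; the two configs are constructed, and the expected settings and
assumed defaults are the auditor's, not taken from any vendor baseline."""

# Each directive maps to the set of acceptable values (compared lower-case).
EXPECTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}
# Assumed OpenSSH defaults that apply when a directive is absent; verify
# against the sshd_config(5) man page of the version actually installed.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}

WEAK = """\
# constructed: close to a stock install with root login switched on
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

HARDENED = """\
# constructed: after applying the slide's checklist
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
AllowGroups sshusers
"""


def parse_sshd_config(text: str) -> dict:
    """First occurrence of a directive wins, as in sshd itself; comments and blanks are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)
    return settings


def audit(text: str) -> list:
    """One finding per directive whose effective value (set or defaulted) is unsafe."""
    settings = parse_sshd_config(text)
    findings = []
    for key, ok_values in EXPECTED.items():
        value = settings.get(key)
        effective = value if value is not None else DEFAULTS[key]
        if effective not in ok_values:
            source = "set to" if value is not None else "defaults to"
            findings.append(f"{key} {source} '{effective}', expected one of {sorted(ok_values)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or ["no findings"])
```

The audit treats an absent directive as a finding whenever the default is unsafe, which is the case that checklists most often miss: a config that never mentions PasswordAuthentication still accepts passwords. Run it against `/etc/ssh/sshd_config` and any files pulled in by Include, and remember that `sshd -T` prints the effective configuration if you would rather audit that output than the file.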
▪ Which step in the Vulnerability Management Life Cycle determines a baseline risk profile to eliminate risks based on asset criticality, vulnerability threat, and asset classification?
  ▪ assess
  ▪ discover
  ▪ verify
  ▪ prioritize assets

Answer: assess

Answers Explanation & Hints: The steps in the Vulnerability Management Life Cycle include these:
  Discover – inventory all assets across the network and identify host details, including operating systems and open services, to identify vulnerabilities
  Prioritize assets – categorize assets into groups or business units, and assign a business value to asset groups based on their criticality to business operations
  Assess – determine a baseline risk profile to eliminate risks based on asset criticality, vulnerability threats, and asset classification
  Report – measure the level of business risk associated with assets according to security policies. Document a security plan, monitor suspicious activity, and describe known vulnerabilities
  Remediate – prioritize according to business risk and fix vulnerabilities in order of risk
  Verify – verify that threats have been eliminated through follow-up audits
