CCNA Cyber Ops FAQ: Network and Host Profiling

Q1. Which of the following is true about NetFlow?
A. NetFlow typically provides more details than sFlow.
B. NetFlow typically contains more details than packet capturing.
C. NetFlow is not available in virtual networking environments.
D. NetFlow is only used as a network performance measurement.

Answer: A. sFlow (also called sampled flow) provides fewer details than NetFlow.

Q2. Which of the following is not used to establish a network baseline?
A. Determining the time to collect data
B. Selecting the type of data to collect
C. Developing a list of users on the network
D. Identifying the devices that can provide data

Answer: C. Developing a list of users on the network is not necessary for developing a network baseline.

Q3. Which of the following is an advantage of port security over automated NAC?
A. Device profiling
B. Ease of deployment
C. Management requirements
D. Technology cost

Answer: D. Port security is a feature that is available with most modern switches, meaning it does not have an additional cost. Automated NAC typically is purchased, meaning it has a higher cost to acquire the technology.

Q4. What is the best definition of session duration in terms of network profiling?
A. The total time the user or device requests services from the network
B. The total time the user connects to the network
C. The total time a user or device connects to a network and later disconnects from it
D. The total time the user logs in to a system and logs out of the system

Answer: C. Session duration is the total time between a user or device connecting to a network and later disconnecting from it.

Q5. Which of the following is not a tool or option for monitoring a host session on the network?
A. Use firewall logs to monitor user connections to the network
B. Use NetFlow to monitor user connections to the network
C. Capture network packets and monitor user connections to the network
D. Use SNMP tools to monitor user connections to the network

Answer: A. Answer A would not help with monitoring connections to the network because firewalls, depending on how they are deployed, tend not to see switch-layer data.

Q6. Which of the following is not true about listening ports?
A. A listening port is a port held open by a running application in order to accept inbound connections.
B. Seeing traffic from a known port will identify the associated service.
C. Listening ports use values that can range between 1 and 65535.
D. TCP port 80 is commonly known for Internet traffic.

Answer: B. Although the statement in answer B is usually true, it is not always the case. Administrators can choose to run a service on other ports; using the industry-standard port is common, but it is not required.

Q7. A traffic substitution and insertion attack does which of the following?
A. Substitutes the traffic with data in a different format but with the same meaning
B. Substitutes the payload with data in the same format but with a different meaning
C. Substitutes the payload with data in a different format but with the same meaning
D. Substitutes the traffic with data in the same format but with a different meaning

Answer: C. Answer C is the best answer. Answers A and D do not involve a payload, meaning there isn’t an associated attack. Answer B is incorrect because if the same payload format is used, it will be detected by most security solutions.

Q8. Which of the following is not a method for identifying running processes?
A. Reading network traffic from a SPAN port with the proper technology
B. Reading port security logs
C. Reading traffic from inline with the proper technology
D. Using port scanner technology

Answer: B. Answer B has nothing to do with running processes, because port security is based only on MAC addresses.

Q9. Which of the following is not a tool that can identify applications on hosts?
A. Web proxy
B. Application layer firewall
C. Using NBAR
D. Using NetFlow

Answer: D. NetFlow does not have application layer data.

Q10. Which of the following statements is incorrect?
A. Latency is a delay in throughput detected at the gateway of the network.
B. Throughput is typically measured in bandwidth.
C. A valley is when there is an unusually low amount of throughput compared to the normal baseline.
D. A peak is when there is a spike in throughput compared to the normal baseline.

Answer: A. Answer A is not always true; latency can be introduced anywhere in the network, not only at the gateway.

Q11. Which statement is true?
A. NetFlow provides more details than capturing network packets.
B. Capturing network packets provides more details than NetFlow.
C. Capturing packets provides the same data as NetFlow.
D. Technology cannot offer both packet capture and NetFlow capabilities.

Answer: B. Capturing network packets offers more details than NetFlow.

Q12. Which of the following is not used to collect data for measuring throughput?
A. Pulling data from a SPAN port
B. Capturing data from a device that is in the line of traffic
C. Gathering the number of routers, switches, and hosts on the network
D. Capturing traffic from a gateway firewall

Answer: C. Knowing the number of devices can help; however, different devices can have very different impacts on throughput. An example would be comparing a user browsing the Internet with another user streaming video. The video user would have a larger impact on the network; hence, it’s more important to see the type of traffic than the types of devices when establishing throughput requirements.

Q13. Which of the following protocols would provide the least value in explaining the type of device connected to a port?
A. CDP
B. LLDP
C. DHCP
D. DNS

Answer: D. DNS provides name resolution when searching the web; however, it doesn’t have the same value as the others in regard to identifying the types of devices connected to the network.

Q14. What is the least valuable benefit for using session duration?
A. Triggering when a critical system goes down
B. Baselining network performance
C. Detecting network breaches
D. Identifying unusual network behavior

Answer: B. Baselining is typically about how users impact network performance rather than how long they use a system. Session duration can help with baselining, but the other answers are more valuable uses of session duration data.

Q15. Which is not a reason for controlling asset address space?
A. Segmenting hosts
B. Network resource management
C. Protecting critical assets
D. Reducing costs

Answer: A. Segmenting hosts is about controlling traffic between address spaces, not about provisioning addresses to hosts.

Q16. Which of the following is not an IPAM factor to consider?
A. IP address inventory
B. Endpoint posture
C. Dynamic IP address services management
D. IP name services management

Answer: B. Endpoint posture is a good thing to consider for an access control policy; however, it is not required for IP address management (IPAM).

Q17. Which of the following is not a value from profiling hosts on the network?
A. Identifying devices that are potentially compromised
B. Alerting to internal threats
C. Understanding bandwidth utilization
D. Identifying installed applications

Answer: C. Understanding bandwidth utilization could possibly help a little; however, bandwidth utilization is typically derived from a network baseline rather than from the types of devices on the network.

Q18. Which of the following is not a method for identifying and securing listening ports?
A. Implementing firewall technology
B. Implementing strong access control policies
C. Periodically scanning the network for listening ports
D. Evaluating listening ports for risk

Answer: B. Implementing strong access control policies is helpful for controlling access to the network, but this does not help with securing systems already authorized that have listening ports.

Q19. Which of the following is not a tool used for profiling host applications?
A. Nmap version scanning
B. Using content filters
C. Using NetFlow
D. Using NBAR

Answer: C. Native NetFlow does not have application layer data.

Q20. Which is not a tool for seeing running processes on a host?
A. who
B. tasklist
C. ps -e
D. Task Manager

Answer: A. Answer A shows who is logged in, not what is running.

About the author

Scott
