210-260 CCNA Security – IINS Exam Questions with Answers – Q136 to Q150

Question 136.
Your security team has discovered a malicious program that has been harvesting the CEO’s email messages and the company’s user database for the last 6 months. What type of attack did your team discover? (Choose two)
A. advanced persistent threat
B. targeted malware
C. drive-by spyware
D. social activism
Correct Answer: AB

An Advanced Persistent Threat (APT) is a prolonged, aimed attack on a specific target with the intention to compromise their system and gain information from or about that target.
The target can be a person, an organization or a business.

Source: https://blog.malwarebytes.com/cybercrime/malware/2016/07/explained-advanced-persistent-threat-apt/

One new malware threat has emerged as a definite concern, namely, targeted malware. Instead of blanketing the Internet with a worm, targeted attacks concentrate on a single high-value target.

Source: http://crissp.poly.edu/wissp08/panel_malware.htm

Question 137.
Which statement provides the best definition of malware?
A. Malware is unwanted software that is harmful or destructive.
B. Malware is software used by nation states to commit cyber crimes.
C. Malware is a collection of worms, viruses, and Trojan horses that is distributed as a single package.
D. Malware is tools and applications that remove unwanted programs.
Correct Answer: A

Malware, short for malicious software, is any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising. Before the term malware was coined by Yisrael Radai in 1990, malicious software was referred to as computer viruses.

Source: https://en.wikipedia.org/wiki/Malware

Question 138.
What mechanism does asymmetric cryptography use to secure data?
A. a public/private key pair
B. shared secret keys
C. an RSA nonce
D. an MD5 hash
Correct Answer: A

Public key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. This accomplishes two functions: authentication, which is when the public key is used to verify that a holder of the paired private key sent the message, and encryption, whereby only the holder of the paired private key can decrypt the message encrypted with the public key.

Source: https://en.wikipedia.org/wiki/Public-key_cryptography

Question 139.
Refer to the exhibit.
With which NTP server has the router synchronized?
Correct Answer: A

The output presented is generated by the show ntp associations detail command. Attributes:
+ configured: This NTP clock source has been configured to be a server. This value can also be dynamic, where the peer/server was dynamically discovered.
+ our_master: The local client is synchronized to this peer.
+ valid: The peer/server time is valid. The local client accepts this time if this peer becomes the master.

Source: http://www.cisco.com/c/en/us/support/docs/ip/network-time-protocol-ntp/116161-trouble-ntp-00.html

Question 140.
Refer to the exhibit.
Which statement about the given configuration is true?
A. The single-connection command causes the device to establish one connection for all TACACS transactions.
B. The single-connection command causes the device to process one TACACS request and then move to the next server.
C. The timeout command causes the device to move to the next server after 20 seconds of TACACS inactivity.
D. The router communicates with the NAS on the default port, TCP 1645.
Correct Answer: A

tacacs-server host host-name [port integer] [timeout integer] [key string] [single-connection] [nat]

The single-connection keyword specifies a single connection (only valid with CiscoSecure Release 1.0.1 or later). Rather than have the router open and close a TCP connection to the server each time it must communicate, the single-connection option maintains a single open connection between the router and the server. The single connection is more efficient because it allows the server to handle a higher number of TACACS operations.

Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srftacs.html

Question 141.
What is the best way to confirm that AAA authentication is working properly?
A. Use the test aaa command.
B. Ping the NAS to confirm connectivity.
C. Use the Cisco-recommended configuration for AAA authentication.
D. Log into and out of the router, and then check the NAS authentication log.
Correct Answer: A

#test aaa group tacacs+ admin cisco123 legacy – Allows verification that the authentication function is working between the AAA client (the router) and the ACS server (the AAA server).

Source: Cisco Official Certification Guide, Table 3-6 Command Reference, p.68

Question 142.
How does PEAP protect the EAP exchange?
A. It encrypts the exchange using the server certificate.
B. It encrypts the exchange using the client certificate.
C. It validates the server-supplied certificate, and then encrypts the exchange using the client certificate.
D. It validates the client-supplied certificate, and then encrypts the exchange using the server certificate.
Correct Answer: A

PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server’s public key.

Source: https://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol

Question 143.
What improvement does EAP-FASTv2 provide over EAP-FAST?
A. It allows multiple credentials to be passed in a single EAP exchange.
B. It supports more secure encryption protocols.
C. It allows faster authentication by using fewer packets.
D. It addresses security vulnerabilities found in the original protocol.
Correct Answer: A

As an enhancement to EAP-FAST, a differentiation was made to have a User PAC and a Machine PAC. After a successful machine-authentication, ISE will issue a Machine-PAC to the client. Then, when processing a user authentication, ISE will request the Machine-PAC to prove that the machine was successfully authenticated, too. This is the first time in 802.1X history that multiple credentials have been able to be authenticated within a single EAP transaction, and it is known as “EAP Chaining”.

Source: http://www.networkworld.com/article/2223672/access-control/which-eap-types-do-you-need-for-which-identity-projects.html

Question 144.
How does a device on a network using ISE receive its digital certificate during the new-device registration process?
A. ISE issues a pre-defined certificate from a local database
B. The device requests a new certificate directly from a central CA
C. ISE acts as a SCEP proxy to enable the device to receive a certificate from a central CA server
D. ISE issues a certificate from its internal CA server
Correct Answer: C

Answer: C
Confidence level: 0%

Note: Never bothered to research this question.


SCEP Profile Configuration on ISE
Within this design, ISE is acting as a Simple Certificate Enrollment Protocol (SCEP) proxy server, thereby allowing mobile clients to obtain their digital certificates from the CA server. This important feature of ISE allows all endpoints, such as iOS, Android, Windows, and MAC, to obtain digital certificates through the ISE. This feature combined with the initial registration process greatly simplifies the provisioning of digital certificates on endpoints.

Source: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_ISE.html

Question 145.
When an administrator initiates a device wipe command from the ISE, what is the immediate effect?
A. It requests the administrator to choose between erasing all device data or only managed corporate data.
B. It requests the administrator to enter the device PIN or password before proceeding with the operation.
C. It notifies the device user and proceeds with the erase operation.
D. It immediately erases all data on the device.
Correct Answer: A

Cisco ISE allows you to wipe or turn on pin lock for a device that is lost. From the MDM Access drop-down list, choose any one of the following options:
+ Full Wipe — Depending on the MDM vendor, this option either removes the corporate apps or resets the device to the factory settings.
+ Corporate Wipe — Removes applications that you have configured in the MDM server policies.
+ PIN Lock — Locks the device

Source: http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_01001.html#task_820C9C2A1A6647E995CA5AAB01E1CDEF

Question 146.
What configuration allows AnyConnect to automatically establish a VPN session when a user logs in to the computer?
A. always-on
B. proxy
C. transparent mode
D. Trusted Network Detection
Correct Answer: A

You can configure AnyConnect to establish a VPN session automatically after the user logs in to a computer. The VPN session remains open until the user logs out of the computer, or the session timer or idle session timer expires. The group policy assigned to the session specifies these timer values. If AnyConnect loses the connection with the ASA, the ASA and the client retain the resources assigned to the session until one of these timers expires. AnyConnect continually attempts to reestablish the connection to reactivate the session if it is still open; otherwise, it continually attempts to establish a new VPN session.

Source: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac03vpn.pdf

Question 147.
What security feature allows a private IP address to access the Internet by translating it to a public address?
B. hairpinning
C. Trusted Network Detection
D. Certification Authority
Correct Answer: A

Now the router itself does not have a problem with IP connectivity to the Internet because the router has a globally reachable IP address ( in this example. The users are not so fortunate, however, because they are using private IP address space, and that kind of address is not allowed directly on the Internet by the service providers. So, if the users want to access a server on the Internet, they forward their packets to the default gateway, which in this case is R1, and if configured to do so, R1 modifies the IP headers in those packets and swaps out the original source IP addresses with either its own global address or a global address from a pool of global addresses (which R1 is responsible for managing, meaning that if a packet was destined to one of those addresses, the routing to those addresses on the Internet would forward the packets back to R1). These are global addresses assigned by the service provider for R1’s use.

Source: Cisco Official Certification Guide, NAT Is About Hiding or Changing the Truth About Source Addresses, p.366

Question 148.
Refer to the exhibit.
You have configured R1 and R2 as shown, but the routers are unable to establish a site-to-site VPN tunnel. What action can you take to correct the problem?
A. Edit the crypto keys on R1 and R2 to match.
B. Edit the ISAKMP policy sequence numbers on R1 and R2 to match.
C. Set a valid value for the crypto key lifetime on each router.
D. Edit the crypto isakmp key command on each router with the address value of its own interface.
Correct Answer: A

Five basic items need to be agreed upon between the two VPN devices/gateways (in this case, the two routers) for the IKE Phase 1 tunnel to succeed, as follows:
+ Hash algorithm
+ Encryption algorithm
+ Diffie-Hellman (DH) group
+ Authentication method: Used for verifying the identity of the VPN peer on the other side of the tunnel. Options include a pre-shared key (PSK), used only for authentication, or RSA signatures (which leverage the public keys contained in digital certificates).
+ Lifetime

The PSKs configured on the two routers are different: test67890 and test12345.

Source: Cisco Official Certification Guide, The Play by Play for IPsec, p.124
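A small checker for the situation described above, added here as an example and not part of the study guide or any Cisco tool: it parses the crypto isakmp policy and crypto isakmp key lines from two constructed router configurations (placeholder peer addresses; the PSKs are the two values quoted above) and reports whether the five IKE Phase 1 items agree and whether the PSKs agree. The default values filled in for attributes a policy leaves unset are an assumption taken from classic IOS documentation.

```python
import re

# Constructed router configurations (sample input, not the exam's exhibit).
# Peer addresses are documentation-range placeholders; the PSKs are the two
# mismatched values quoted in the explanation above.
R1_CONFIG = """
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key test67890 address 203.0.113.2
"""
R2_CONFIG = """
crypto isakmp policy 20
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key test12345 address 203.0.113.1
"""

# Assumed IOS defaults for attributes a policy leaves unset (classic IOS docs).
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
ATTR = re.compile(r"(encr|encryption|hash|authentication|group|lifetime) (.+)$")

def parse_isakmp(config):
    """Return ({policy_seq: {attribute: value}}, {peer_address: psk})."""
    policies, keys, current = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS)
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            keys[m.group(2)] = m.group(1)
            current = None
        elif current is not None and (m := ATTR.match(line)):
            name = "encr" if m.group(1) == "encryption" else m.group(1)  # normalise
            policies[current][name] = m.group(2)
    return policies, keys

def phase1_check(cfg_a, cfg_b):
    """Does any policy pair agree on all five items, and do the PSKs agree?"""
    pol_a, keys_a = parse_isakmp(cfg_a)
    pol_b, keys_b = parse_isakmp(cfg_b)
    # Sequence numbers need not match (option B is a distractor); attribute sets must.
    matching = [(a, b) for a, pa in pol_a.items() for b, pb in pol_b.items() if pa == pb]
    return {"policy_match": bool(matching),
            "psk_match": set(keys_a.values()) == set(keys_b.values())}
```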

Question 149.
Refer to the exhibit.
What is the effect of the given command?
A. It merges authentication and encryption methods to protect traffic that matches an ACL.
B. It configures the network to use a different transform set between peers.
C. It configures encryption for MD5 HMAC.
D. It configures authentication as AES 256.
Correct Answer: A

A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IP Security protected traffic. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfipsec.html#wp1017694

To define a transform set — an acceptable combination of security protocols and algorithms — use the crypto ipsec transform-set global configuration command.
ESP Encryption Transform
+ esp-aes 256: ESP with the 256-bit AES encryption algorithm.
ESP Authentication Transform
+ esp-md5-hmac: ESP with the MD5 (HMAC variant) authentication algorithm. (No longer recommended)

Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-crc3.html#wp2590984165

Question 150.
Refer to the exhibit.
While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?
A. IKE Phase 1 main mode was created on, but it failed to negotiate with
B. IKE Phase 1 main mode has successfully negotiated between and
C. IKE Phase 1 aggressive mode was created on, but it failed to negotiate with
D. IKE Phase 1 aggressive mode has successfully negotiated between and
Correct Answer: A

This is the output of the #show crypto isakmp sa command. This command shows the Internet Security Association and Key Management Protocol (ISAKMP) security associations (SAs) built between peers (IPsec Phase 1). MM_NO_STATE means that main mode has failed. QM_IDLE is what we want to see.

More on this: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
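A parser for this output, added here as an example (not from the study guide or from Cisco): it reads the rows of show crypto isakmp sa and maps each SA state to the mode (main vs aggressive) and the Phase 1 outcome the explanation describes, so MM_NO_STATE reads as "main mode failed" and QM_IDLE as "established". The sample output is constructed with placeholder addresses in the IOS column layout.

```python
import re

# Constructed output in the column layout of show crypto isakmp sa (not the
# exam exhibit); peer addresses are documentation-range placeholders.
SAMPLE_OUTPUT = """
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     MM_NO_STATE       1001 ACTIVE (deleted)
198.51.100.9    203.0.113.1     QM_IDLE           1002 ACTIVE
192.0.2.7       203.0.113.1     AG_INIT_EXCH      1003 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# dst, src, state (MM_* main mode, AG_* aggressive mode, QM_* quick mode), conn-id, status
ROW = re.compile(r"^(\S+)\s+(\S+)\s+((MM|AG|QM)_\w+)\s+(\d+)\s+(.*)$")

def parse_isakmp_sa(output):
    """Parse SA rows into dicts; header lines and section titles do not match ROW."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                         "conn_id": int(m.group(5)), "status": m.group(6).strip()})
    return rows

def interpret(row):
    """Map one SA state to the mode used and the Phase 1 outcome."""
    state = row["state"]
    if state == "QM_IDLE":
        # Quick mode idle: Phase 1 completed; the mode used is no longer shown here.
        return {"phase1": "established", "mode": None}
    mode = "main" if state.startswith("MM_") else "aggressive"
    # *_NO_STATE: the SA entry was created but the negotiation failed.
    phase1 = "failed" if state.endswith("_NO_STATE") else "negotiating"
    return {"phase1": phase1, "mode": mode}

def summarize(output):
    """One (peer, verdict) pair per SA row, for a quick troubleshooting read."""
    return [(r["dst"], interpret(r)) for r in parse_isakmp_sa(output)]
```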

