@ kazmisahb Can u send me those question
Hi, I just took the exam yesterday, May 18, 2018, and just failed with 813/1000.
The 80q dump I downloaded is not semi-valid, BUT the questions in the dump are still there, so you need to really review the blueprint. Here are the new questions I encountered, as far as I remember them:
What does the X.509v3 certificate indicate? (I remember the choices; choose 3)
a.) public key of the certificate
b.) private key of the certificate
c.) subject of the certificate
d.) (can't remember the other two)
What is a Heartbleed attack?
a.) command injection
b.) buffer overflow
c.) I don't know
d.) I can't remember
How can you correlate NTP to get accurate time, or something like that?
a.) asynchronous
b.) get time from each network device
c.) get from AD / domain controller
d.) synchronous time
Which access control model comes from the root administrator? As far as I remember the choices were:
a.) mandatory
b.) discretionary
c.) least privilege
d.) RBAC
Here are some questions compiled from other posts, and some new ones not seen here.
The FMC can share HTML, PDF and CSV data types that relate to specific event type data. Which specific event type data?
A. Connection
B. Host
C. Netflow
D. Intrusion
Answer: D
Which of the following are metrics that can measure the effectiveness of a runbook?
A. Mean time to repair (MTTR)
B. Mean time between failures (MTBF)
C. Mean time to discover a security incident
D. All of the above
Answer: D
In which case should an employee return his laptop to the organization?
A. When moving to a different role
B. Upon termination of the employment
C. As described in the asset return policy
D. When the laptop is end of lease
Answer: C
What are the advantages of a full-duplex transmission mode compared to half-duplex mode?
(Select all that apply.)
A. Each station can transmit and receive at the same time.
B. It avoids collisions.
C. It makes use of backoff time.
D. It uses a collision avoidance algorithm to transmit.
Answer: AB
Stateful and traditional firewalls can analyze packets and judge them against a set of
predetermined rules called access control lists (ACLs).
They inspect which of the following elements within a packet? (Choose Two)
A. Session headers
B. NetFlow flow information
C. Source and destination ports and source and destination IP addresses
D. Protocol information
Answer: CD
Cisco pxGrid has a unified framework with an open API designed in a hub-and-spoke
architecture. pxGrid is used to enable the sharing of contextual-based information from which
devices?
A. From a Cisco ASA to the Cisco OpenDNS service
B. From a Cisco ASA to the Cisco WSA
C. From a Cisco ASA to the Cisco FMC
D. From a Cisco ISE session directory to other policy network systems, such as Cisco IOS devices
and the Cisco ASA
For which purpose can Windows Management Instrumentation be used?
A. Remote viewing of a computer
B. Remote blocking of malware on a computer
C. Remote reboot of a computer
D. Remote start of a computer
Answer: A
Which international standard is for general risk management, including the principles and guidelines for managing risk?
A. ISO 31000
B. ISO 27001
C. ISO 27005
D. ISO 27002
Answer: A
Which statement about the difference between a denial-of-service attack and a distributed denial-of-service attack is true?
A. DoS attacks are launched from one host, and DDoS attacks are launched from multiple hosts.
B. DoS attacks and DDoS attacks have no differences.
C. DDoS attacks are launched from one host, and DoS attacks are launched from multiple hosts.
D. DoS attacks only use flooding to compromise a network, and DDoS attacks only use other methods.
Answer: A
You discover that a foreign government hacked one of the defense contractors in your country and stole intellectual property. In this situation, which option is considered the threat agent?
A. method in which the hack occurred
B. defense contractor that stored the intellectual property
C. intellectual property that was stolen
D. foreign government that conducted the attack
Answer: A
After a large influx of network traffic to externally facing devices, you begin investigating what appears to be a denial-of-service attack. When you review packet capture data, you notice that the
traffic is a single SYN packet to each port. Which kind of attack is this?
A. SYN flood.
B. Host profiling.
C. Traffic fragmentation.
D. Port scanning.
Answer: D
Which definition of Common Event Format in terms of a security information and event management solution is true?
A. A type of event log used to identify a successful user login.
B. A TCP network media protocol.
C. Event log analysis certificate that stands for certified event forensics.
D. A standard log event format that is used for log collection.
Answer: D
Which definition of a Linux daemon is true?
A. Process that is causing harm to the system by either using up system resources or causing a critical crash.
B. Long-running process that is the child of the init process.
C. Process that has no parent process.
D. Process that is starved of the CPU.
Answer: B
Which term describes reasonable effort that must be made to obtain relevant information to facilitate appropriate courses of action?
A. Due diligence.
B. Ethical behavior.
C. Decision making.
D. Data mining.
Answer: A
According to the Common Vulnerability Scoring System, which term is associated with scoring multiple vulnerabilities that are exploited in the course of a single attack?
A. chained score
B. risk analysis
C. vulnerability chaining
D. confidentiality
Answer: C
In which format are NetFlow records stored?
A. hexadecimal
B. base 10
C. binary
D. ASCII
Answer: C
Which purpose of Command and Control for network-aware malware is true?
A. It contacts a remote server for commands and updates.
B. It controls and shuts down services on the infected host.
C. It helps the malware to profile the host.
D. It takes over the user account.
Answer: A
Which of the following access control models use security labels to make access decisions?
A. Discretionary access control (DAC)
B. Mandatory access control (MAC)
C. Role-based access control (RBAC)
D. Identity-based access control (IBAC)
Answer: B
I hope it is useful for you.
Best regards, from Colombia.
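The two questions above that hinge on reading capture data (a single SYN to each port versus a flood of SYNs, and DoS from one host versus DDoS from many) come down to counting SYN packets per source and per destination port. The following is an added example, not something from the thread or from Cisco: it classifies constructed packet summaries of the form (src_ip, dst_ip, dst_port, tcp_flags), using illustrative thresholds (SCAN_PORTS, FLOOD_SYNS, DDOS_SOURCES) and addresses from the documentation ranges, all of which are assumptions.

```python
"""Telling a port scan from a SYN flood (and a DoS from a DDoS) in capture data.

Added example, not from the thread: the records below are constructed
packet summaries (src_ip, dst_ip, dst_port, tcp_flags) such as a capture
tool would list; the thresholds are illustrative assumptions."""
from collections import defaultdict

SCAN_PORTS = 20      # one source probing at least this many distinct ports
FLOOD_SYNS = 100     # at least this many SYNs aimed at one service
DDOS_SOURCES = 10    # a flood fed by at least this many source addresses


def syns_per_source(records, dst_ip):
    """src_ip -> {dst_port: count} for SYN-only packets sent to dst_ip.
    Replies (SYN/ACK) and later ACKs are ignored; only connection attempts count."""
    per_src = defaultdict(lambda: defaultdict(int))
    for src, dst, dport, flags in records:
        if dst == dst_ip and flags == "S":
            per_src[src][dport] += 1
    return per_src


def classify(records, dst_ip):
    """Return 'port scan', 'DoS SYN flood', 'DDoS SYN flood', 'unclassified'
    or 'no SYN activity' for the traffic toward dst_ip."""
    per_src = syns_per_source(records, dst_ip)
    if not per_src:
        return "no SYN activity"
    # A scanner sends exactly one SYN to each of many ports: the question's
    # "single SYN packet to each port" pattern.
    for ports in per_src.values():
        if len(ports) >= SCAN_PORTS and max(ports.values()) == 1:
            return "port scan"
    # A flood piles SYNs onto one service; count them and who sent them.
    syns_on_port = defaultdict(int)
    sources_on_port = defaultdict(set)
    for src, ports in per_src.items():
        for port, n in ports.items():
            syns_on_port[port] += n
            sources_on_port[port].add(src)
    busiest, count = max(syns_on_port.items(), key=lambda kv: kv[1])
    if count >= FLOOD_SYNS:
        # DoS: one host; DDoS: the same flood spread over many hosts.
        many = len(sources_on_port[busiest]) >= DDOS_SOURCES
        return "DDoS SYN flood" if many else "DoS SYN flood"
    return "unclassified"


TARGET = "203.0.113.10"   # constructed target address (documentation range)


def sample_port_scan():
    """Constructed: one source, one SYN to each of 100 ports."""
    return [("198.51.100.7", TARGET, p, "S") for p in range(1, 101)]


def sample_dos_flood():
    """Constructed: one source, 500 SYNs to port 443."""
    return [("198.51.100.7", TARGET, 443, "S") for _ in range(500)]


def sample_ddos_flood():
    """Constructed: fifty sources sharing 500 SYNs to port 443."""
    return [(f"198.51.100.{i % 50 + 1}", TARGET, 443, "S") for i in range(500)]


def sample_normal_handshake():
    """Constructed: a legitimate three-way handshake, SYN, SYN/ACK, ACK."""
    return [("198.51.100.7", TARGET, 443, "S"),
            (TARGET, "198.51.100.7", 443, "SA"),
            ("198.51.100.7", TARGET, 443, "A")]


if __name__ == "__main__":
    samples = [("scan", sample_port_scan()), ("dos", sample_dos_flood()),
               ("ddos", sample_ddos_flood()), ("normal", sample_normal_handshake())]
    for name, sample in samples:
        print(f"{name:>7}: {classify(sample, TARGET)}")
```

The scan check runs before the flood check on purpose: a scanner also generates many SYNs, but spread one per port, so "one SYN per port over many ports" is the distinguishing shape, while a flood is measured by how many SYNs land on the busiest port and how many sources contributed them.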
Passed my test today with 865. The things that 'ndndn' mentioned were on the test, as well as other dump questions from this website. Another thing I could add to the list of new questions is that they asked what type of attack Shellshock is. I think the answer is command injection, since the word shell is in the name.
Passed today with 8xx !! Questions mentioned by @ndndn were there !! Best wishes for new test takers !! Good luck !!!
Guys, I checked the answer for NetFlow stored data. It's stored in binary! The tool that views the data displays it in clear text or ASCII.
Click the blue >> sign which is under Q50.
ASCII... I missed that question too; I thought it was worded poorly using the word "stored". I brought this up to my class and everyone agreed, but the answer is: NetFlow stores information in ASCII format. It's the only one that could possibly work given the other options.
These are new questions I've found on some forums from people who recently did the exam. They do not have exact wording:
– Which format Netflow uses?
Base10
ASCII
Binary
Hexadecimal
– A question about SYN flood. It gives the scenario that, using a full packet capture tool, you notice multiple SYN messages; this is an example of what?
Possible answer: SYN flood
– There was a question about ciphers. The scenario was that the attacker knows some information in the ciphertext of several messages and also knows something about the plaintext that underlies the ciphertext. (This scenario describes both a known-plaintext attack and a meet-in-the-middle attack.) The question asks which type of attack it is.
A possible answer was man-in-the-middle, which is obviously wrong, leaving known-plaintext attack as the best option.
– A question asked about daemon processes:
processes that detach themselves from the script that starts them and continue to run in the background. The answer ended with something like, 'it is spawned from a parent init process.'
– A question asked about zombie processes.
The answer was something like: completed processes that are not yet removed from the kernel's process table.
– A question about a SIEM providing HTML, PDF and CSV formats asked what it is.
(I don't know what this question means.)
– A question said that a foreign government attacked your defense weapons contractor and stole intellectual property; that foreign government is defined as what?
1) Defense weapons contractor who stole intellectual property
2) Foreign government who conducted the attack
3) Intellectual property that got stolen
4) Method used by the foreign government to hack
(Not sure of the correct answer, maybe 2? I don't understand it very well.)
– A question making a statement like: Microsoft PPTP uses RC4, which is a stream cipher; what attack is it vulnerable to when the same key is used twice?
Ciphertext-only attack: when an attacker uses ciphertext from several messages and tries to deduce the plaintext or key from just that information, using statistical analysis.
– A question about CVSS was how scoring is handled when multiple vulnerabilities are found in the same attack.
Vulnerability Chaining (While not a formal metric, guidance on scoring multiple vulnerabilities is provided with Vulnerability Chaining. https://www.first.org/cvss/cvss-v30-user_guide_v1.1.pdf)
– Several questions and/or answers had RFC numbers.
For the ones about DNS you really only need to know that DNS queries use UDP port 53 and zone transfers use TCP port 53, in the quoted RFCs.
Answers given include UDP 53 and TCP 53.
– There was a question about ISO implementation guidance for general risk management.
Answers given:
ISO 27001 to 27005. This person selected 27002, which he thought was correct after memorizing the titles for ISO 27001 - 27005.
– There was a question about the command to see every process on a Linux system.
Maybe the answer is ps -ef.
– One that asked something like, what event types does the FMC record? FMC = Firepower Management Center
– Something similar to, what cryptography is used on digital certificates? The answers included:
SHA-256
SHA-512
RSA 4096
I think the answers are SHA-256 and SHA-384, if they appear in the answer list.
– SIEM Common Event Format, what is it?
He didn't remember the exact question but, given that the syslog message format is used as a transport mechanism for the Common Event Format, he'd look for something related to that in an answer.
– A question about what device terminates broadcast domains.
Router is the answer.
– A question making a statement like, RC4 is a stream cipher; what attack is it vulnerable to when the same key is used twice?
Ciphertext-only attack: when an attacker uses ciphertext from several messages and tries to deduce the plaintext or key from just that information, using statistical analysis.
Hope it helps and someone can correct some answers
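The RC4 question in the post above (asked twice, once with the PPTP framing) is really about what a stream cipher leaks when one key, and therefore one keystream, covers two messages. The following is an added example, not part of the post or of any Cisco material: a small RC4 implementation (RC4 is deprecated and appears here only because the question names it) encrypts two constructed messages under the same key, shows that XORing the two ciphertexts cancels the key and leaves the XOR of the plaintexts, and then shows that a per-message key derived from a nonce (a constructed scheme, not how PPTP works) removes that relation. The message texts, the master key and the nonces are all constructed sample values.

```python
"""Why a stream cipher key must never be used for two messages.

Added example: toy RC4 (deprecated; used only because the exam question
names it) encrypting two messages under one key, then under per-message
keys derived from a nonce. All keys, nonces and messages are constructed."""
import hashlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; a stream cipher is exactly this step."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation) `data` with RC4 under `key`."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def keystream_reuse_relation(c1: bytes, c2: bytes) -> bytes:
    """What a ciphertext-only observer can compute from two messages that
    share a keystream: c1 XOR c2 == (p1 XOR ks) XOR (p2 XOR ks) == p1 XOR p2.
    The keystream cancels, so the result depends only on the plaintexts."""
    return xor_bytes(c1, c2)


def per_message_key(master_key: bytes, nonce: bytes) -> bytes:
    """Mitigation (constructed scheme, not part of PPTP): derive a fresh RC4
    key for every message from the long-term key and a unique nonce, so no
    two messages ever share a keystream."""
    return hashlib.sha256(master_key + nonce).digest()


# Constructed sample messages of equal length so the XOR relation is exact.
P1 = b"transfer 100 to account 4711"
P2 = b"transfer 999 to account 1337"
MASTER_KEY = b"constructed-demo-key"   # placeholder, not a real secret


def demo_same_key() -> bool:
    """True when key reuse lets an observer learn p1 XOR p2 from ciphertext alone."""
    c1, c2 = rc4(MASTER_KEY, P1), rc4(MASTER_KEY, P2)
    return keystream_reuse_relation(c1, c2) == xor_bytes(P1, P2)


def demo_fresh_keys() -> bool:
    """True when per-message keys break the relation (ciphertexts look unrelated)."""
    c1 = rc4(per_message_key(MASTER_KEY, b"nonce-0001"), P1)
    c2 = rc4(per_message_key(MASTER_KEY, b"nonce-0002"), P2)
    return keystream_reuse_relation(c1, c2) != xor_bytes(P1, P2)


if __name__ == "__main__":
    print("same key, relation leaks :", demo_same_key())    # True
    print("fresh key per message    :", demo_fresh_keys())  # True
```

The leak is structural rather than a weakness of RC4 specifically: any keystream XORed onto two plaintexts behaves this way, which is why one-time pads are called one-time and why stream-cipher modes carry a nonce or IV that must never repeat under one key.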
Why can't I see questions 50 to 70?
I cleared the exam today
Here are some new questions I had in my exam.
NetFlow data type - binary, hexadecimal, base10 or decimal.
Standard that helps organizations keep information assets secure - ISO 27001.
Read about hashing attacks like known-plaintext, known-ciphertext, ciphertext-only and meet-in-the-middle.
Read about the ps -ef Linux command.
Read about Linux zombie processes, parent processes, child processes, orphan processes...
Read about CVSS.
There were more than 15 new questions which are not included here. Do not go without covering/reading the 210-250 exam blueprint.
Questions will seem easy if you have gone through the cert books.
Unfortunately I couldn’t remember most questions as I completed my exam in 30 minutes.
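Both this post and the longer one before it point at the same Linux process topics: daemons that detach from the shell that started them, zombies that have finished but still sit in the kernel's process table, orphans re-parented to init, and ps -ef as the way to see them. The following is an added example, not from either post: it forks a child and deliberately skips wait() so the child is observed as a zombie, reaps it, performs the double fork that leaves a grandchild orphaned (the daemon pattern), and reads process state from /proc/<pid>/stat, which is where ps itself gets it. It therefore runs only on Linux; the function names and the 3-second lifetime of the grandchild are my own choices.

```python
"""Zombie and orphan processes on Linux, and how `ps` finds them.

Added example (not from the thread): fork() a child and skip wait() to see
it linger as a zombie, reap it, and double-fork so a grandchild is
re-parented (the daemon pattern). State is read from /proc/<pid>/stat,
also the source for `ps -ef`, so this only runs on Linux."""
import os
import sys
import time

PROC_AVAILABLE = sys.platform.startswith("linux") and os.path.isdir("/proc")


def proc_stat(pid):
    """Return (state, ppid, comm) for pid from /proc/<pid>/stat, or None if
    the process no longer exists. comm sits in parentheses and may contain
    spaces, so the numeric fields are split after the last ')'."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            raw = f.read()
    except (FileNotFoundError, ProcessLookupError):
        return None
    head, _, tail = raw.rpartition(")")
    comm = head.split("(", 1)[1]
    fields = tail.split()          # state, ppid, pgrp, session, ...
    return fields[0], int(fields[1]), comm


def list_processes():
    """A tiny `ps -ef`: (pid, ppid, state, comm) for every pid in /proc."""
    rows = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            info = proc_stat(int(name))
            if info is not None:
                rows.append((int(name), info[1], info[0], info[2]))
    return rows


def find_zombies():
    """Pids in state 'Z': finished, but exit status not yet collected."""
    return [pid for pid, _, state, _ in list_processes() if state == "Z"]


def wait_until(pid, predicate, timeout=3.0):
    """Poll /proc for pid until predicate(info) holds or the timeout expires."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        info = proc_stat(pid)
        if predicate(info):
            return info
        time.sleep(0.01)
    return proc_stat(pid)


def make_zombie():
    """Fork a child that exits at once and deliberately do not wait() for it.
    Returns (child_pid, state); state is 'Z' because the kernel keeps the
    table entry until the parent collects the exit status."""
    pid = os.fork()
    if pid == 0:
        os._exit(0)
    info = wait_until(pid, lambda i: i is not None and i[0] == "Z")
    return pid, (info[0] if info else None)


def reap(pid):
    """Collect the exit status; the zombie entry then disappears.
    Returns the /proc view afterwards (None means the pid is gone)."""
    os.waitpid(pid, 0)
    return wait_until(pid, lambda i: i is None)


def make_orphan():
    """Double fork: the middle child forks a grandchild and exits, so the
    grandchild is re-parented to init (pid 1) or the nearest subreaper.
    Returns (grandchild_pid, middle_child_pid, grandchild_new_ppid)."""
    r, w = os.pipe()
    child = os.fork()
    if child == 0:
        grandchild = os.fork()
        if grandchild == 0:
            time.sleep(3.0)            # stay alive long enough to be observed
            os._exit(0)
        os.write(w, str(grandchild).encode())
        os._exit(0)                    # middle child leaves; grandchild is orphaned
    os.close(w)
    grandchild = int(os.read(r, 32))
    os.close(r)
    os.waitpid(child, 0)               # reap the middle child
    info = wait_until(grandchild, lambda i: i is not None and i[1] != child)
    return grandchild, child, (info[1] if info else None)


if __name__ == "__main__":
    if not PROC_AVAILABLE:
        sys.exit("needs Linux /proc")
    pid, state = make_zombie()
    print(f"child {pid} after exit, before wait(): state {state}")
    print(f"zombies visible to a ps-style scan: {find_zombies()}")
    print(f"after wait(): {reap(pid)}")
    gpid, mid, ppid = make_orphan()
    print(f"grandchild {gpid} was under {mid}, now under {ppid}")
```

Run it as a script and compare with `ps -ef` in another terminal while the zombie exists: ps shows the child as `<defunct>` with state Z, and after the double fork the grandchild's PPID column no longer points at the process that created it.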
NetFlow data type - binary, hexadecimal, base10 or decimal.
Can't find any info about this!
There was also a question on what sort of attack targets the CEO of a company.
R: a phishing-based attack called "whaling" specifically targets executives and high-profile users.
How could you leave such a response?
Are these still valid for the 210-250 exam?
Yes, these questions are valid. I passed the exam today and the majority of the questions were from here. There were 1-2 questions about ciphertext-only attacks and meet-in-the-middle attacks. Also 2 questions about due diligence and decision making. One question about the difference between DoS and DDoS attacks and one about CVSSv3. Generally, all questions were straightforward. The most difficult one was a question about the ps command in Linux and its syntax.
This isn’t correct. Someone correct me if I’m wrong, but I’m certain it’s:
1) Wireshark – Full Packet Capture
2) Netflow – Session Data
3) Server Log – Transaction Data
4) IPS – Alert Data
This is exactly as shown in the answer.
My initial response was because of how the "answer" still retained the original keywords on the left and made it appear like the following below, as if they were matching from left to right. I'm certain this is probably why another person thought it was incorrect, but this is what it looked like to me below.
1) Wireshark – Netflow
2) Netflow – IPS
3) Server Log – Wireshark
4) IPS – Server Log
*Now I realize it was correct all along, but the answer retained the original keywords beside the answer, if that makes sense?
Why can't I see questions 50 to 70?
This is not correct