1. (0.

200 Point) 1
The three concepts that form what is often referred to as the CIA triad are ________. These three
concepts embody the fundamental security objectives for both data and for information and
computing services.
A. confidentiality, integrity and availability
B. communication, integrity and authentication
C. confidentiality, integrity, access control
D. communication, information and authenticity
2. (0.200 Point)
A loss of __________ is the unauthorized disclosure of information.
A. authenticity
B. confidentiality
C. reliability
D. integrity
3. (0.200 Point)
Verifying that users are who they say they are and that each input arriving at the system came
from a trusted source is _________.
A. authenticity
B. credibility
C. accountability
D. integrity
4. (0.200 Point)
A __________ is any action that compromises the security of information owned by an
organization.
A. security attack
B. security service
C. security alert
D. security mechanism
5. (0.200 Point)
A __________ takes place when one entity pretends to be a different entity.

A. replay
B. masquerade
C. service denial 2
D. passive attack
6. (0.200 Point)
__________ is the protection of transmitted data from passive attacks.
A. Access control
B. Data control
C. Nonrepudiation
D. Confidentiality
7. (0.200 Point)
A(n) __________ service is one that protects a system to ensure its availability and addresses the
security concerns raised by denial-of-service attacks.
A. replay
B. availability
C. masquerade
D. integrity
8. (0.200 Point)
__________ threats exploit service flaws in computers to inhibit use by legitimate users.
A. Information access
B. Reliability
C. Passive
D. Service
9. (0.200 Point)
A(n) __________ is a potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach security and cause harm.
A. threat
B. attack
C. risk
D. attack vector
10. (0.200 Point)
The protection of the information that might be derived from the observation of traffic flows is
_________ .
A. connectionless confidentiality
B. connection confidentiality
C. traffic-flow confidentiality 3
D. selective-field confidentiality
11. (0.200 Point)
Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the
data unit to prove the source and integrity of the data unit and protect against forgery is a(n)
___________.
A. security audit trail
B. digital signature
C. encipherment
D. authentication exchange
12. (0.200 Point)
__________ techniques map plaintext elements (characters, bits) into ciphertext elements.
A. Transposition
B. Substitution
C. Traditional
D. Symmetric
13. (0.200 Point)
An original intelligible message fed into the algorithm as input is known as _________, while the
coded message produced as output is called the __________.
A. decryption, encryption
B. plaintext, ciphertext
C. deciphering, enciphering
D. cipher, plaintext
14. (0.200 Point)
Restoring the plaintext from the ciphertext is __________.
A. deciphering
B. transposition
C. steganography
D. encryption
15. (0.200 Point)
A __________ attack involves trying every possible key until an intelligible translation of the
ciphertext is obtained.
A. brute-force
B. Caesar attack 4
C. ciphertext only
D. chosen plaintext
16. (0.200 Point)
Techniques used for deciphering a message without any knowledge of the enciphering details is
___________.
A. blind deciphering
B. steganography
C. cryptanalysis
D. transposition
17. (0.200 Point)
The ___________ takes the ciphertext and the secret key and produces the original plaintext. It is
essentially the encryption algorithm run in reverse.
A. Voronoi algorithm
B. decryption algorithm
C. cryptanalysis
D. diagram algorithm
18. (0.200 Point)
If both sender and receiver use the same key, the system is referred to as:
A. public-key encryption
B. two-key
C. asymmetric
D. conventional encryption
19. (0.200 Point)
__________ attacks exploit the characteristics of the algorithm to attempt to deduce a specific
plaintext or to deduce the key being used.
A. Brute-force
B. Cryptanalytic
C. Block cipher
D. Transposition
20. (0.200 Point)
The __________ attack is the easiest to defend against because the opponent has the least amount
of information to work with.
A. ciphertext-only 5
B. chosen ciphertext
C. known plaintext
D. chosen plaintext
21. (0.200 Point)
_________ refer to common two-letter combinations in the English language.
A. Streaming
B. Transposition
C. Diagrams
D. Polyalphabetic cipher
22. (0.200 Point)
A way to improve on the simple monoalphabetic technique is to use different monoalphabetic
substitutions as one proceeds through the plaintext message. The general name for this approach
is ___________.
A. rail fence cipher
B. cryptanalysis
C. polyalphabetic substitution cipher
D. polyanalysis cipher
23. (0.200 Point)
A technique referred to as a __________ is a mapping achieved by performing some sort of
permutation on the plaintext letters.
A. transposition cipher
B. polyalphabetic cipher
C. Caesar cipher
D. monoalphabetic cipher
24. (0.200 Point)
The methods of __________ conceal the existence of the message in a graphic image.
A. steganography
B. decryptology
C. cryptology
D. cryptograph
25. (0.200 Point) 6
DES exhibits the classic __________ block cipher structure, which consists of a number of
identical rounds of processing.
A. Feistel
B. SAC
C. Shannon
D. Rendell
26. (0.200 Point)
A sequence of plaintext elements is replaced by a __________ of that sequence which means that
no elements are added, deleted or replaced in the sequence, but rather the order in which the
elements appear in the sequence is changed.
A. permutation
B. diffusion
C. stream
D. substitution
27. (0.200 Point)
A __________ cipher is one that encrypts a digital data stream one bit or one byte at a time.
A. product
B. block
C. key
D. stream
28. (0.200 Point)
The vast majority of network-based symmetric cryptographic applications make use of ________
ciphers.
A. linear
B. block
C. permutation
D. stream
29. (0.200 Point)
A __________ cipher is one in which a block of plaintext is treated as a whole and used to
produce a ciphertext block of equal length.
A. bit
B. product
C. stream 7
D. block
30. (0.200 Point)
__________ is when each plaintext element or group of elements is uniquely replaced by a
corresponding ciphertext element or group of elements.
A. Substitution
B. Diffusion
C. Streaming
D. Permutation
31. (0.200 Point)
Key sizes of __________ or less are now considered to be inadequate.
A. 128 bits
B. 32 bits
C. 16 bits
D. 64 bits
32. (0.200 Point)
Feistel proposed that we can approximate the ideal block cipher by utilizing the concept of a
__________ cipher, which is the execution of two or more simple ciphers in sequence in such a
way that the final result or product is cryptographically stronger than any of the component
ciphers.
A. linear
B. permutation
C. differential
D. product
33. (0.200 Point)
The criteria used in the design of the __________ focused on the design of the S-boxes and on
the P function that takes the output of the S-boxes.
A. Avalanche Attack
B. Data Encryption Standard
C. Product Cipher
D. Substitution Key
34. (0.200 Point)
The greater the number of rounds, the __________ it is to perform cryptanalysis.
A. easier 8
B. less difficult
C. equally difficult
D. harder
35. (0.200 Point)
The function F provides the element of __________ in a Feistel cipher.
A. clarification
B. alignment
C. confusion
D. stability
36. (0.200 Point)
One of the most intense areas of research in the field of symmetric block ciphers is __________
design.
A. S-box
B. F-box
C. E-box
D. D-box
37. (0.200 Point)
Mister and Adams proposed that all linear combinations of S-box columns should be _________
which are a special class of Boolean functions that are highly nonlinear according to certain
mathematical criteria.
A. horizontal functions
B. angular functions
C. bent functions
D. vertical functions
38. (0.200 Point)
The Nyberg approach that is more or less a manual approach with only simple mathematics to
support it is __________.
A. human-made
B. random
C. math-made
D. random with testing
39. (0.200 Point) 9
Allowing for the maximum number of possible encryption mappings from the plaintext block is
referred to by Feistel as the __________.
A. ideal substitution cipher
B. round function
C. ideal block cipher
D. diffusion cipher
40. (0.200 Point)
Authentication applied to the entire original IP packet is _________.
A. security mode
B. cipher mode
C. tunnel mode
D. transport mode
41. (0.200 Point)
Asymmetric encryption is also known as ___________.
A. public-key encryption
B. private-key encryption
C. optimal encryption
D. digital-key encryption
42. (0.200 Point)
Public-key encryption is also known as ___________.
A. digital-key encryption
B. asymmetric encryption
C. one-way time exchange encryption
D. optimal-key encryption
43. (0.200 Point)
Asymmetric encryption can be used for __________.
A. both confidentiality and authentication
B. neither confidentiality nor authentication
C. confidentiality
D. authentication
44. (0.200 Point)
The plaintext is recovered from the ciphertext using the paired key and a _____________.
A. digital signature 10
B. recovery encryption
C. decryption algorithm
D. encryption algorithm
45. (0.200 Point)
The most widely used public-key cryptosystem is __________.
A. optimal asymmetric encryption
B. asymmetric encryption
C. RSA
D. DES
46. (0.200 Point)
Public-key algorithms are based on __________.
A. permutation
B. mathematical functions
C. substitution
D. symmetry
47. (0.200 Point)
__________ are two related keys, a public key and a private key that are used to perform
complementary operations, such as encryption and decryption or signature generation and
signature verification.
A. Asymmetric keys
B. Key exchanges
C. Symmetric keys
D. Cipher keys
48. (0.200 Point)
The __________ indicates that the subscriber identified in the certificate has sole control and
access to the private key.
A. OAEP
B. Public Key Certificate
C. Digital Signature
D. PKI
49. (0.200 Point) 11
A __________ is a cryptographic algorithm that uses two related keys, a public key, and a private
key. The two keys have the property that deriving the private key from the public key is
computationally infeasible.
A. Private Key (Symmetric) Cryptographic Algorithm
B. Key Exchange Cryptographic Algorithm
C. Public Key (Asymmetric) Cryptographic Algorithm
D. RSA Digital Cryptographic Algorithm
50. (0.200 Point)
A public-key encryption scheme has __________ ingredients.
A. six
B. four
C. eight
D. two
51. (0.200 Point)
The key used in symmetric encryption is referred to as a __________ key.
A. public
B. secret
C. private
D. decryption
52. (0.200 Point)
The readable message or data that is fed into the algorithm as input is the ____________.
A. ciphertext
B. exchange
C. plaintext
D. encryption
53. (0.200 Point)
Two issues to consider with the computation required to use RSA are encryption/decryption and
__________.
A. time complexity
B. trap-door one-way functions
C. key generation
D. asymmetric encryption padding
54. (0.200 Point) 12
__________ depend on the running time of the decryption algorithm.
A. Mathematical attacks
B. Timing attacks
C. Chosen ciphertext attacks
D. Brute-force attacks
55. (0.200 Point)
We define the ___________ of an algorithm to be f(n) if, for all n and all inputs of length n the
execution of the algorithm takes at most f(n) steps. This is a common measure of the efficiency of
an algorithm.
A. time complexity
B. one-way function
C. timing attack
D. OAEP
56. (0.200 Point)
Authentication applied to all of the packet except for the IP header is _________.
A. tunnel mode
B. transport mode
C. association mode
D. security mode
57. (0.200 Point)
_________ consists of an encapsulating header and trailer used to provide encryption or
combined encryption/authentication. The current specification is RFC 4303.
A. SPI
B. ESP
C. ISA
D. IPsec
58. (0.200 Point)
The _________ payload allows peers to identify packet flows for processing by IPsec services.
A. Configuration
B. Vendor ID
C. Traffic Selector
D. Extensible Authentication Protocol
59. (0.200 Point) 13
Which technology is a primary method that IPsec uses to implement data integrity?
A. MD5
B. AES
C. RSA
D. DH
60. (0.200 Point)
What are the source and destination addresses used for an encrypted IPsec packet?
A. Original sender and receiver IP addresses
B. Original sender’s and outbound VPN gateway’s addresses
C. Sending and receiving VPN gateways
D. Sending VPN gateway and original destination address in the packet
61. (0.200 Point)
Which phase is used for private management traffic between the two VPN peers?
A. IPsec
B. IKE Phase 1
C. IKE Phase 2
D. IKE Phase 3
62. (0.200 Point)
Which of the following are negotiated during IKE Phase 1?
A. Hashing
B. DH group
C. Encryption
D. Authentication method
63. (0.200 Point)
What method is used to allow two VPN peers to establish shared secret keys and to establish
those keys over an untrusted network?
A. AES
B. SHA
C. RSA
D. DH
64. (0.200 Point) 14
What are the two main methods for authenticating a peer as the last step of IKE Phase 1? (Choose
all that apply.)
A. RSA signatures, using digital certificates to exchange public keys
B. PSK (pre-shared key)
C. DH Group 2
D. TCP three-way handshake
65. (0.200 Point)
A customer has asked for its wireless equipment to be managed as securely as possible. Which
three management protocols will provide encrypted access to the equipment? (Choose three)
A. Secure Shell
B. HTTPS
C. SNMPv3
D. Telnet
E. SNMPv2c
F. HTTP
66. (0.200 Point)
A customer has completed the installation of an 802.11ac greenfield deployment at their
corporate headquarters. They would like to leverage 802.11ac enhanced speeds on the trusted
employee WLAN. In order to configure the employee WLAN, what Layer 2 security policies are
valid?
A. WPA2 (TKIP)
B. WPA(AES)
C. OPEN
D. WEP
67. (0.200 Point)
An engineer wants to set up guest wireless that requires users to log in via a splash page prior to
accessing the network. Which authentication method should be configured?
A. LDAP
B. RADIUS
C. local authentication
D. WebAuth
E. PSK
68. (0.200 Point) 15
An engineer would like to setup secure authentication for a wireless network that will utilize
single sign-on. Which two authentication methods can be used to accomplish this? (Choose two.)
A. LDAP
B. RADIUS
C. Local authentication
D. WEP
E. PSK
69. (0.200 Point)
While undergoing a security audit, a network administrator is told to set up the WLANs with at
least 128-bit encryption but also keeping the 802.11n speeds. What WLAN configuration would
meet the requirements?
A. Static WEP
B. WPA-TKIP
C. WPA2-AES
D. CKIP
70. (0.200 Point)
What Cisco Catalyst switch feature can be used to define ports as trusted for DHCP server
connections?
A. DHCP snooping
B. port security
C. 802.1x
D. private VLANs
71. (0.200 Point)
Which statement about named ACLs (Access Control Lists) is true?
A. They support standard and extended ACLs.
B. They are used to filter usernames and passwords for Telnet and SSH.
C. They are used to filter Layer 7 traffic.
D. They support standard ACLs only.
E. They are used to rate limit traffic destined to targeted networks.
72. (0.200 Point)
Which identification number is valid for an extended ACL?
A. 1
B. 64 16
C. 99
D. 100
E. 299
F. 1099
73. (0.200 Point)
R1# show access-lists
Extended IP access list 175
10 deny tcp any any time-range nonworkhours (active)
20 permit tcp any any time-range nonworkhours (inactive)

Refer to the exhibit. While you troubleshoot a connectivity issue to a PC behind R1, you enter the
show access-lists command to generate this output. Which reason for the problem is most likely
true?
A. The permit all ACL entry on R1 is inactive.
B. The ACL of R1 is misconfigured.
C. A deny all ACL entry is currently active on R1.
D. An implicit deny is causing R1 to block network traffic.
74. (0.200 Point)
When you are troubleshooting an ACL issue on a router, which command can help you to verify
which interfaces are affected by the ACL?
A. show ip access-lists
B. show access-lists
C. show interface
D. show ip interface
E. list ip interface
75. (0.200 Point) 17
A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on
networks [Link], [Link], [Link], and [Link] only. Which two
ACL statements, when combined, are the best for accomplishing this task? (Choose two.)
A. access-list 10 permit ip [Link] [Link]
B. access-list 10 permit ip [Link] [Link]
C. access-list 10 permit ip [Link] [Link]
D. access-list 10 permit ip [Link] [Link]
E. access-list 10 permit ip [Link] [Link]
F. access-list 10 permit ip [Link] [Link]
76. (0.200 Point)
In which solution is a router ACL used?
A. filtering packets that are passing through a router
B. to change the default administrative distance of a route in the route table
C. protecting a server from unauthorized access
D. controlling path selection, based on the route metric
77. (0.200 Point)
Which IPsec security protocol should be used when confidentiality is required?
A. MD5
B. PSK
C. AH
D. ESP
78. (0.200 Point)
A network administrator needs to configure port security on a switch. Which two statements are
true? (Choose two.)
A. The network administrator can apply port security to dynamic access ports.
B. The network administrator can apply port security to EtherChannels.
C. When dynamic MAC address learning is enabled on an interface, the switch can learn new
addresses, up to the maximum defined.
D. The sticky learning feature allows the addition of dynamically learned addresses to the running
configuration.
E. The network administrator can configure static secure or sticky secure MAC addresses in the
voice VLAN.
 18
79. (0.200 Point)
On which options are standard access lists based?
A. destination address and wildcard mask
B. destination address and subnet mask
C. source address and subnet mask
D. source address and wildcard mask
80. (0.200 Point)
Which component of VPN technology ensures that data is unaltered between the sender and
recipient?
A. encryption
B. authentication
C. key exchange
D. data integrity
81. (0.200 Point)
How does using the service password-encryption command on a router provide additional
security?
A. by encrypting all passwords passing through the router
B. by encrypting passwords in the plain text configuration file
C. by requiring entry of encrypted passwords for access to the device
D. by configuring an MD5 encrypted key to be used by routing protocols to validate routing
exchanges
E. by automatically suggesting encrypted passwords for use in configuring the router
82. (0.200 Point)
When are packets processed by an inbound access list?
A. before they are routed to an outbound interface
B. after they are routed to an outbound interface
C. before and after they are routed to an outbound interface
D. after they are routed to an outbound interface but before being placed in the outbound queue
83. (0.200 Point)
The company internetwork is subnetted using 29 bits. Which wildcard mask should be used to
configure an extended access list to permit or deny access to an
entire subnetwork?
A. [Link] 19
B. [Link]
C. [Link]
D. [Link]
E. [Link]
F. [Link]
84. (0.200 Point)
What are three valid reasons to assign ports to VLANs on a switch? (Choose three.)
A. to make VTP easier to implement
B. to isolate broadcast traffic
C. to increase the size of the collision domain
D. to allow more devices to connect to the network
E. to logically group hosts according to function
F. to increase network security
85. (0.200 Point)
Which protocol should be used to establish a secure terminal connection to a remote network
device?
A. ARP
B. SSH
C. Telnet
D. WEP
E. SNMPv1
F. SNMPv2
86. (0.200 Point)
What three pieces of information can be used in an extended access list to filter traffic? (Choose
three.)
A. protocol
B. VLAN number
C. TCP or UDP port numbers
D. source switch port number
E. source IP address and destination IP address
F. source MAC address and destination MAC address
87. (0.200 Point) 20
Which command is necessary to permit SSH or Telnet access to a Cisco switch that is otherwise
configured for these vty line protocols?
A. transport output all
B. transport preferred all
C. transport type all
D. transport input all
88. (0.200 Point)
What features can protect the data plane? (Choose three.)
A. policing
B. ACLs
C. IPS
D. antispoofing
E. QoS
F. DHCP-snooping
89. (0.200 Point)
Which of the following statements is true regarding a stateless packetfiltering firewall? (Select
the best answer.)
A. It can operate at Layer 4 of the OSI model.
B. It is more secure than a stateful packetfiltering firewall.
C. It tracks packets as a part of a stream.
D. It is not susceptible to IP spoofing attacks.
90. (0.200 Point)
Which of the following statements is true of all firewalls? (Select the best answer.)
A. They maintain a state table.
B. They hide the source of network connections.
C. They operate at Layer 7 of the OSI model.
D. They are multihomed devices.
91. (0.200 Point)
Which feature can validate address requests and filter out invalid messages?
A. IP Source Guard
B. port security
C. DHCP snooping
D. dynamic ARP inspection 21
92. (0.200 Point)
Select the action that results from executing these commands.
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky

A. A dynamically learned MAC address is saved in the startup-configuration file.

B. A dynamically learned MAC address is saved in the running-configuration file.
C. A dynamically learned MAC address is saved in the VLAN database.
D. Statically configured MAC addresses are saved in the startup-configuration file if frames from
that address are received.
E. Statically configured MAC addresses are saved in the running-configuration file if frames
from that address are received.
93. (0.200 Point)
A network administrator needs to configure port security on a switch. Which two statements are
true? (Choose two)
A. The network administrator can apply port security to dynamic access ports.
B. The network administrator can apply port security to EtherChannels.
C. When dynamic MAC address learning is enabled on an interface, the switch can learn new
addresses, up to the maximum defined.
D. The sticky learning feature allows the addition of dynamically learned addresses to the running
configuration.
E. The network administrator can configure static secure or sticky secure MAC addresses in the
voice VLAN.
94. (0.200 Point)
What are three reasons that an organization with multiple branch offices and roaming users might
implement a Cisco VPN solution instead of point-to-point WAN links? (Choose three.)
A. reduced cost
B. better throughput
C. broadband incompatibility
D. increased security
E. scalability
F. reduced latency
95. (0.200 Point) 22
Which feature can you use to monitor traffic on a switch by replicating it to another port or ports
on the same switch?
A. copy run start
B. traceroute
C. the ICMP Echo IP SLA
D. SPAN
96. (0.200 Point)
Which keywords can be substituted for access list wildcards while configuring access lists?
(Choose two.)
A. all
B. any
C. host
D. range
E. subnet
97. (0.200 Point)
Which IEEE mechanism is responsible for the authentication of devices when they attempt to
connect to a local network?
A. 802.1x
B. 802.11
C. 802.2x
D. 802.3x
98. (0.200 Point)
Where does a switch maintain DHCP snooping information ?
A. in the MAC address table
B. in the CAM table
C. in the DHCP binding database
D. in the VLAN database
99. (0.200 Point)
Which command can you enter in a network switch configuration so that learned mac addresses
are saved in configuration as they connect?
A. Switch(confg-if)#Switch port-security
B. Switch(confg-if)#Switch port-security Mac-address sticky
C. Switch(confg-if)#Switch port-security maximum 10 23
D. Switch(confg-if)#Switch mode access
100. (0.200 Point)
Which two security appliances will you use in a network? (Choose two.)
A. ATM
B. IDS
C. IOS
D. IOX
E. IPS
F. SDM
101. (0.200 Point)
Which one of the following follows best practices for a secure password?
A. ABC123!
B. SlE3peR1#
C. tough-passfraze
D. InterEstIng-PaSsWoRd