Cisco®
Oracle
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
All Vendors
  2. Home
  3. Exams
  4. Cisco®
  5. 100-160

Free Cisco® 100-160 Exam Questions (page: 2)

Page 2 of 8
PDF with 50 Questions

How does a honeypot enhance network security?

  1. It monitors network traffic and sends alerts when potential threats are detected.
  2. It acts as a decoy and diverts malicious traffic away from important systems.
  3. It isolates external-facing services from the Internet and protects them from attack.
  4. It detects and prevents identified threats through real-time packet inspection.

Answer(s): B

Explanation:

According to the Cisco Certified Support Technician (CCST) Cybersecurity Study Guide, a honeypot is a security mechanism that appears to be a legitimate system or resource but is intentionally made vulnerable to attract attackers. Its purpose is not to serve legitimate users but to detect, study, and sometimes divert malicious activity.
"A honeypot is a decoy system or service designed to attract and engage attackers. By simulating a target of interest, it allows security teams to monitor attack methods, collect intelligence, and sometimes divert threats away from production systems. Honeypots do not prevent attacks but help in identifying them and understanding adversary tactics." (CCST Cybersecurity, Basic Network Security Concepts, Honeypots and Honey Nets section, Cisco Networking Academy)
In this context:
Option A describes an IDS (Intrusion Detection System), not a honeypot. Option C refers to a DMZ (Demilitarized Zone), not a honeypot.

Option D describes an IPS (Intrusion Prevention System). Option B correctly identifies a honeypot's role as a decoy to divert or engage attackers.



Which data type is protected through hard disk encryption?

  1. Data in process
  2. Data in transit
  3. Data in use
  4. Data at rest

Answer(s): D

Explanation:

The CCST Cybersecurity Study Guide explains that hard disk encryption is a method used to protect data stored on a physical device from unauthorized access. "Data at rest refers to data stored on a device, such as files on a hard drive, SSD, or removable media. Hard disk encryption protects data at rest by converting it into an unreadable format unless accessed with the correct decryption key."
(CCST Cybersecurity, Essential Security Principles, Data States and Protection Methods section, Cisco Networking Academy)
Data in process refers to data actively being handled by applications in memory (RAM), which is not the primary target of disk encryption.
Data in transit is protected via encryption methods such as TLS, not disk encryption. Data in use is accessed and manipulated by programs in real-time, also not the primary scope of disk encryption.
Data at rest is the correct answer, as hard disk encryption directly safeguards stored files.



Your supervisor suspects that someone is attempting to gain access to a Windows computer by guessing user account IDs and passwords. The supervisor asks you to use the Windows Event Viewer security logs to verify the attempts.
Which two audit policy events provide information to determine whether someone is using invalid credentials to attempt to log in to the computer? (Choose 2.)
Note: You will receive partial credit for each correct selection.

  1. Object access failure
  2. Account logon failure
  3. Account lockout success
  4. Account logoff success

Answer(s): B,C

Explanation:

According to the CCST Cybersecurity course, Windows Event Viewer's Security logs record authentication-related events that can help identify password-guessing attempts (also known as brute force attacks).
"The Account logon failure event indicates that an authentication attempt has failed, which may suggest incorrect credentials were used. Multiple such events in a short time frame can indicate a brute-force attack. The Account lockout success event confirms that an account has been locked due to repeated failed logon attempts, which further supports the suspicion of password-guessing attacks."
(CCST Cybersecurity, Incident Handling, Monitoring and Analyzing Security Events section, Cisco Networking Academy)
Object access failure relates to unauthorized attempts to open or modify files, not login attempts. Account logon failure (B) shows failed login attempts due to invalid credentials. Account lockout success (C) confirms that repeated login failures have triggered a lockout. Account logoff success is a normal event and does not indicate malicious activity.



You are going to perform a penetration test on a company LAN. As part of your preparation, you access the company's websites, view webpage source code, and run internet searches to uncover domain information. You also use social media to gather details about the company and its employees.
Which type of reconnaissance activities are you performing?

  1. Passive
  2. Active
  3. Offline
  4. Invasive

Answer(s): A

Explanation:

The CCST Cybersecurity Study Guide explains that reconnaissance is the process of collecting information about a target before attempting exploitation. "Passive reconnaissance is conducted without directly engaging with the target systems. Examples include reviewing public websites, examining HTML source code, querying public DNS records, and using social media to gather information. Since no packets are sent directly to the target system, it reduces the risk of detection."
(CCST Cybersecurity, Vulnerability Assessment and Risk Management, Reconnaissance Techniques section, Cisco Networking Academy)
Passive (A) is correct because all actions described -- viewing public pages, searching online, and checking social media -- involve no direct interaction that could alert the target. Active (B) would involve direct probing, like port scans or vulnerability scans. Offline (C) is not an official reconnaissance classification in this context.

Invasive (D) is a general term and not used as a standard reconnaissance category in CCST material.



Your manager asks you to review the output of some vulnerability scans and report anything that may require escalation.
Which two findings should you report for further investigation as potential security vulnerabilities? (Choose 2.)

  1. Encrypted passwords
  2. Disabled firewalls
  3. Open ports
  4. SSH packets

Answer(s): B,C

Explanation:

The CCST Cybersecurity course teaches that vulnerability scan results should be reviewed for misconfigurations and exposures that can be exploited by attackers. "Disabled firewalls expose systems to direct network attacks and should be treated as critical findings. Open ports can indicate unnecessary or unsecured services running, which may provide entry points for attackers. These findings should be escalated for remediation or further security hardening."
(CCST Cybersecurity, Vulnerability Assessment and Risk Management, Analyzing and Responding to Scan Results section, Cisco Networking Academy)
Encrypted passwords (A) are good practice, not a vulnerability. Disabled firewalls (B) leave systems defenseless against incoming attacks. Open ports (C) can be exploited if the services they expose are vulnerable or misconfigured. SSH packets (D) are normal in secure remote administration and are not inherently a vulnerability.



A client cannot connect to the corporate web server. You discover a large number of half-open TCP connections to the server.
What should you do?

  1. Take action to stop the TCP SYN flood attack.
  2. Change the connection protocol from HTTP to HTTPS.
  3. Ignore the half-open connections because this is a normal part of the TCP three-way handshake.
  4. Flush the DNS cache information.

Answer(s): A

Explanation:

The CCST Cybersecurity Study Guide identifies SYN flood attacks as a type of Denial of Service (DoS) attack that exploits the TCP three-way handshake. Attackers send many SYN requests without completing the handshake, leaving the server with numerous half-open connections and exhausting resources.
"A TCP SYN flood attack overwhelms a target server by initiating a high volume of TCP connections but never completing the handshake, resulting in numerous half-open connections that consume system resources and can render the service unavailable." (CCST Cybersecurity, Incident Handling, Denial-of-Service Attacks section, Cisco Networking Academy)
A is correct: The proper action is to stop the SYN flood, often using firewalls, intrusion prevention systems, or SYN cookies.
B (switching to HTTPS) does not address the flooding issue. C is incorrect because the excessive number of half-open connections indicates an attack, not normal operation.
D (flushing DNS cache) is unrelated to this type of attack.



Which two basic metrics should be taken into consideration when assigning a severity to a vulnerability during an assessment? (Choose 2.)

  1. The likelihood that an adversary can and will exploit the vulnerability
  2. The impacts that an exploit of the vulnerability will have on the organization
  3. The time involved in choosing replacement software to replace older systems
  4. The age of the hardware running the software that contains the vulnerability

Answer(s): A,B

Explanation:

The CCST Cybersecurity course describes that risk scoring for vulnerabilities often involves likelihood and impact -- similar to the CVSS (Common Vulnerability Scoring System) model. "When prioritizing vulnerabilities, assess both the likelihood of exploitation and the potential impact to the organization. Likelihood measures how easy or probable it is for an adversary to exploit the weakness, while impact measures the consequences to confidentiality, integrity, and availability if exploitation occurs."
(CCST Cybersecurity, Vulnerability Assessment and Risk Management, Risk Assessment and Prioritization section, Cisco Networking Academy)
A is correct: Likelihood is a fundamental part of severity assessment. B is correct: Impact determines how damaging an exploit would be. C is incorrect: Time to choose replacement software is an operational consideration, not a severity metric.
D is incorrect: Hardware age may influence performance but does not directly define vulnerability severity.



Which Windows app is a command-line interface that includes a sophisticated scripting language used to automate Windows tasks?

  1. PowerShell
  2. Microsoft Management Console
  3. Vim
  4. MS-DOS

Answer(s): A

Explanation:

The CCST Cybersecurity course identifies Windows PowerShell as both a command-line interface (CLI) and a robust scripting environment. It is used by system administrators for automation, configuration, and task scheduling.
"PowerShell is a Windows command-line shell and scripting language built on the .NET framework. It allows administrators to automate administrative tasks, manage system configurations, and execute complex scripts for system management."
(CCST Cybersecurity, Endpoint Security Concepts, System Administration Tools section, Cisco Networking Academy)
A is correct: PowerShell provides both interactive command execution and scripting capabilities. B (MMC) is a GUI-based management console, not a CLI.
C (Vim) is a text editor, not a Windows-native CLI.
D (MS-DOS) is a legacy command shell with no advanced scripting features comparable to PowerShell.



Viewing page 2 of 8



Post your Comments and Discuss Cisco® 100-160 exam prep with other Community members:

100-160 Exam Discussions & Posts