Download New Updated (July) Cisco 640-554 Actual Test 11-20

Ensurepass

 

QUESTION 11

Which three items are Cisco best-practice recommendations for securing a network? (Choose three.)

 

A. Routinely apply patches to operating systems and applications.

B. Disable unneeded services and ports on hosts.

C. Deploy HIPS software on all end-user workstations.

D. Require strong passwords, and enable password expiration.

 

Correct Answer: ABD

Explanation:

Disable Unused Services

As a security best practice, any unnecessary service must be disabled. These unneeded services, especially those that use User Datagram Protocol (UDP), are infrequently used for legitimate purposes, but can be used in order to launch DoS and other attacks that are otherwise prevented by packet filtering.

The TCP and UDP small services must be disabled. These services include:

It is also recommended to routinely apply patches to fix bugs and other vulnerabilities, and to require strong passwords with password expiration.

Reference: Cisco Guide to Harden Cisco IOS Devices

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

 

 

 

 

QUESTION 12

What Cisco Security Agent Interceptor is in charge of intercepting all read/write requests to the rc files in UNIX?

 

A. Configuration interceptor

B. Network interceptor

C. File system interceptor

D. Execution space interceptor

 

Correct Answer: A

Explanation:

Configuration interceptor: Read/write requests to the Registry in Windows or to rc configuration files on UNIX are intercepted. This interception occurs because modification of the operating system configuration can have serious consequences. Therefore, Cisco Security Agent tightly controls read/write requests to the Registry.

 

 

QUESTION 13

Information about a managed device’s resources and activity is defined by a series of objects. What defines the structure of these management objects?

 

A. MIB

B. FIB

C. LDAP

D. CEF

 

Correct Answer: A

Explanation:

Management Information Base (MIB) is the database of configuration variables that resides on the networking device.

 

 

QUESTION 14

Which statement is true about vishing?

 

A. Influencing users to forward a call to a toll number (for example, a long distance or international number)

B. Influencing users to provide personal information over a web page

C. Using an inside facilitator to intentionally forward a call to a toll number (for example, a long distance or international number)

D. Influencing users to provide personal information over the phone

 

Correct Answer: D

Explanation:

Vishing (voice phishing) uses telephony to glean information, such as account details, directly from users. Because many users tend to trust the security of a telephone versus the security of the web, some users are more likely to provide confidential information over the telephone. User education is the most effective method to combat vishing attacks.

 

 

 

 

 

 

QUESTION 15

Which item is the great majority of software vulnerabilities that have been discovered?

 

A. Stack vulnerabilities

B. Heap overflows

C. Software overflows

D. Buffer overflows

 

Correct Answer: D

Explanation:

A majority of software vulnerabilities that are discovered are buffer overflows. Reports suggest that two out of every three software vulnerabilities that are identified by the CERT team are buffer overflows.

Reference: Implementing Cisco IOS Network Security (IINS 640-554) Foundation Learning Guide, By Catherine Paquet

 

 

QUESTION 16

Which one of the following items may be added to a password stored in MD5 to make it more secure?

 

A. Ciphertext

B. Salt

C. Cryptotext

D. Rainbow table

 

Correct Answer: B

Explanation:

Making an MD5 Hash More Secure

To make the MD5 hash more secure, we add what is called a “salt”. A salt, in this sense, is random data appended to the password so that the resulting hash is more complicated and harder to reverse engineer. Without knowing what the salt is, rainbow table attacks are mostly useless.

Reference: http://www.marksanborn.net/php/creating-a-secure-md5-hash-for-storing-passwords-in-a-database/
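The effect of the salt, shown as an added example that is not taken from the referenced article: a precomputed table built for unsalted MD5 finds the plain hash but not the salted one, and two users with the same password get different hashes. Because MD5 is fast, a salt alone does not slow guessing against a single stored hash, so the block goes one step beyond the explanation and also stores the password with PBKDF2-HMAC-SHA256. The wordlist, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

COMMON = ["123456", "password", "letmein", "cisco"]  # constructed sample wordlist


def md5_plain(password: str) -> str:
    """Unsalted MD5: the same password always yields the same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password: str, salt: bytes) -> str:
    """MD5 over the password with the salt appended, as the explanation describes."""
    return hashlib.md5(password.encode() + salt).hexdigest()


# Stand-in for a rainbow table: hash -> password, built once for unsalted MD5.
PRECOMPUTED = {md5_plain(p): p for p in COMMON}


def table_lookup(stored_hash: str):
    """Return the password if the stored hash appears in the precomputed table."""
    return PRECOMPUTED.get(stored_hash)


def new_record(password: str, iterations: int = 600_000) -> dict:
    """Per-user random salt plus a deliberately slow KDF (assumed parameters)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    s1, s2 = os.urandom(16), os.urandom(16)
    print("unsalted lookup :", table_lookup(md5_plain("cisco")))
    print("salted lookup   :", table_lookup(md5_salted("cisco", s1)))
    print("salts differ    :", md5_salted("cisco", s1) != md5_salted("cisco", s2))
    print("KDF verify      :", check("cisco", new_record("cisco")))
```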

 

 

QUESTION 17

Which option is a feature of Cisco ScanSafe technology?

 

A. spam protection

B. consistent cloud-based policy

C. DDoS protection

D. RSA Email DLP

 

Correct Answer: B

Explanation:

Cisco Enterprise Branch Web Security

The Cisco® Integrated Services Router G2 (ISR G2) Family delivers numerous security services, including firewall, intrusion prevention, and VPN. These security capabilities have been extended with Cisco ISR Web Security with Cisco ScanSafe for a simple, cost-effective, on-demand web security solution that requires no additional hardware. Organizations can deploy and enable market-leading web security quickly and easily, and can enable secure local Internet access for all sites and users, saving bandwidth, money, and resources.

Figure 1. Typical Cisco ISR Web Security with Cisco ScanSafe Deployment

 

Cisco ISR Web Security with Cisco ScanSafe enables branch offices to intelligently redirect web traffic to the cloud to enforce granular security and control policy over dynamic Web 2.0 content, protecting branch office users from threats such as Trojans, back doors, rogue scanners, viruses, and worms. The Cisco ISR Web Security with Cisco ScanSafe feature will be available in the Security SEC K9 license bundle.

Reference: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps6538/ps6540/data_sheet_c78-655324.html

 

 

QUESTION 18

Refer to the exhibit. What does the option secret 5 in the username global configuration mode command indicate about the user password?

 


 

A. It is hashed using SHA.

B. It is encrypted using DH group 5.

C. It is hashed using MD5.

D. It is encrypted using the service password-encryption command.

E. It is hashed using a proprietary Cisco hashing algorithm.

F. It is encrypted using a proprietary Cisco encryption algorithm.

 

Correct Answer: C

Explanation:

Feature Overview

Using the Enhanced Password Security feature, you can configure MD5 encryption for username passwords.

Before the introduction of this feature there were two types of passwords associated with usernames. Type 0 is a clear text password visible to any user who has access to privileged mode on the router. Type 7 is a password with a weak, exclusive-or type encryption. Type 7 passwords can be retrieved from the encrypted text by using publicly available tools.

 

MD5 encryption is a one-way hash function that makes reversal of an encrypted password impossible, providing strong encryption protection. Using MD5 encryption, you cannot retrieve clear text passwords. MD5 encrypted passwords cannot be used with protocols that require that the clear text password be retrievable, such as Challenge Handshake Authentication Protocol (CHAP).

 

Use the username (secret) command to configure a user name and an associated MD5 encrypted secret.

Configuring Enhanced Security Password

Router(config)# username name secret 0 password

Configures a username and encrypts a clear text password with MD5 encryption.

or

Router(config)# username name secret 5 encrypted-secret

Configures a username and enters an MD5 encrypted text string which is stored as the MD5 encrypted password for the specified username.

 

Reference: http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/120s_md5.html

 

 

QUESTION 19

What does level 5 in this enable secret global configuration mode command indicate?

 

router#enable secret level 5 password

 

A. The enable secret password is hashed using MD5.

B. The enable secret password is hashed using SHA.

C. The enable secret password is encrypted using Cisco proprietary level 5 encryption.

D. Set the enable secret command to privilege level 5.

E. The enable secret password is for accessing exec privilege level 5.

 

Correct Answer: D

Explanation:

To configure the router to require an enable password, use either of the following commands in global configuration mode:

Router(config)# enable password [level level] {password | encryption-type encrypted-password}

Establishes a password for a privilege command mode.

Router(config)# enable secret [level level] {password | encryption-type encrypted-password}

Specifies a secret password, saved using a non-reversible encryption method. (If enable password and enable secret are both set, users must enter the enable secret password.)

Use either of these commands with the level option to define a password for a specific privilege level.

After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level configuration command to specify commands accessible at various levels.

Reference: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html
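A configuration review check for the two explanations above (QUESTION 18 and QUESTION 19), added here as an example and not taken from Cisco documentation: it reads `username` and `enable` lines, separates the optional `level` value from the encryption type, and reports how each credential is stored without printing the value. The sample configuration and all function names are constructed, and only the types discussed on this page (0, 5 and 7) are classified.

```python
import re

# Matches: username NAME [privilege N] {password|secret} [TYPE] VALUE
#          enable {password|secret} [level N] [TYPE] VALUE
CRED_RE = re.compile(
    r"^(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?|enable)"
    r"\s+(?P<kw>password|secret)"
    r"(?:\s+level\s+(?P<level>\d+))?"
    r"(?:\s+(?P<type>\d+)(?=\s+\S))?"   # a digit is a type only if a value follows
    r"\s+(?P<value>\S+)\s*$"
)

# Constructed sample; the hash strings are placeholders, not real credentials.
SAMPLE_CONFIG = """\
hostname R1
username admin privilege 15 secret 5 $1$CONSTRUCTED$placeholder-hash-aaaaaaaa
username ops password 7 0000000000
username lab password 0 example-pass
enable password example-pass
enable secret level 5 5 $1$CONSTRUCTED$placeholder-hash-bbbbbbbb
"""


def classify(kw, enc_type):
    """Map keyword and encryption type to a storage verdict."""
    if enc_type == "7":
        return "WEAK: type 7, reversible"
    if enc_type == "5" and kw == "secret":
        return "OK: type 5, MD5 hash"
    if enc_type in (None, "0"):
        return "WEAK: clear text in this file"
    return "REVIEW: type not covered here"


def audit(config_text):
    """Return (line number, subject, privilege level, verdict) per credential line."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = CRED_RE.match(raw.strip())
        if not m:
            continue
        subject = m["user"] or "enable"
        level = int(m["level"]) if m["level"] else None
        findings.append((lineno, subject, level, classify(m["kw"], m["type"])))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the last sample line the first `5` is the privilege level and the second `5` is the encryption type, which is the distinction QUESTION 19 turns on.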

 

QUESTION 20

Which option is the correct representation of the IPv6 address 2001:0000:150C:0000:0000:41B1:45A3:041D?

 

A. 2001::150c::41b1:45a3:041d

B. 2001:0:150c:0::41b1:45a3:04d1

C. 2001:150c::41b1:45a3::41d

D. 2001:0:150c::41b1:45a3:41d

 

Correct Answer: D

Explanation:

Address Representation

The first area to address is how to represent these 128 bits. Due to the size of the numbering space, hexadecimal numbers and colons were chosen to represent IPv6 addresses. An example IPv6 address is:

2001:0DB8:130F:0000:0000:7000:0000:140B

Note the following:

There is no case sensitivity. Lower case “a” means the same as capital “A”.

There are 16 bits in each grouping between the colons.

– 8 fields * 16 bits/field = 128 bits

There are some accepted ways to shorten the representation of the above address:

Leading zeroes can be omitted, so a field of zeroes can be represented by a single 0.

Trailing zeroes must be represented.

Successive fields of zeroes can be shortened down to “::”. This shorthand representation can only occur once in the address.

Taking these rules into account, the address shown above can be shortened to:

2001:0DB8:130F:0000:0000:7000:0000:140B

2001:DB8:130F:0:0:7000:0:140B (Leading zeroes)

2001:DB8:130F:0:0:7000:0:140B (Trailing zeroes)

2001:DB8:130F::7000:0:140B (Successive field of zeroes)

Reference: http://www.cisco.com/web/strategy/docs/gov/IPv6_WP.pdf
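The shortening rules above, applied in code as an added example that is not part of the referenced white paper: `shorten` implements the rules by hand and `grade` uses Python's standard `ipaddress` module to check each answer option against the full address from the question. Choosing the longest run of two or more zero fields for `::` is an assumption of this example, and the function names are hypothetical. Comparing parsed addresses rather than strings is also what keeps ACL reviews and log searches from missing an address written in a different short form.

```python
import ipaddress


def shorten(full: str) -> str:
    """Shorten a full 8-field IPv6 address using the rules listed above."""
    fields = full.split(":")
    if len(fields) != 8:
        raise ValueError("expected 8 colon-separated fields")
    # Rule 1: omit leading zeroes; an all-zero field becomes a single 0.
    fields = [format(int(f, 16), "x") for f in fields]
    # Rule 2: replace one run of zero fields with '::' (longest run of >= 2 here).
    best_start, best_len, i = 0, 0, 0
    while i < 8:
        j = i
        while j < 8 and fields[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    if best_len < 2:
        return ":".join(fields)
    head = ":".join(fields[:best_start])
    tail = ":".join(fields[best_start + best_len:])
    return f"{head}::{tail}"


def grade(option: str, full: str) -> str:
    """Classify a candidate short form against the full address."""
    try:
        candidate = ipaddress.IPv6Address(option)
    except ValueError:
        return "invalid"  # for example, '::' used more than once
    same = candidate == ipaddress.IPv6Address(full)
    return "same address" if same else "different address"


QUESTION = "2001:0000:150C:0000:0000:41B1:45A3:041D"
OPTIONS = {
    "A": "2001::150c::41b1:45a3:041d",
    "B": "2001:0:150c:0::41b1:45a3:04d1",
    "C": "2001:150c::41b1:45a3::41d",
    "D": "2001:0:150c::41b1:45a3:41d",
}


def grade_all() -> dict:
    """Grade every answer option from the question."""
    return {key: grade(text, QUESTION) for key, text in OPTIONS.items()}


if __name__ == "__main__":
    print(shorten(QUESTION))
    for key, verdict in grade_all().items():
        print(key, verdict)
```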

 
