100-160 Cisco Certified Support Technician (CCST) Cybersecurity Questions and Answers

TheCCST Cybersecurity Study GuideidentifiesSYN flood attacksas a type ofDenial of Service (DoS)attack that exploits the TCP three-way handshake. Attackers send many SYN requests without completing the handshake, leaving the server with numerous half-open connections and exhausting resources.

"A TCP SYN flood attack overwhelms a target server by initiating a high volume of TCP connections but never completing the handshake, resulting in numerous half-open connections that consume system resources and can render the service unavailable."

(CCST Cybersecurity,Incident Handling, Denial-of-Service Attacks section, Cisco Networking Academy)

Ais correct: The proper action is to stop the SYN flood, often using firewalls, intrusion prevention systems, or SYN cookies.

B(switching to HTTPS) does not address the flooding issue.

Cis incorrect because the excessive number of half-open connections indicates an attack, not normal operation.

D(flushing DNS cache) is unrelated to this type of attack.

TheCCST Cybersecuritycourse describes ransomware as a form of malicious software that encrypts or locks access to an organization’s data, demanding payment for its release.

"Ransomware is a type of malware that denies access to data by encrypting it and demands payment from the victim to restore access. Threat actors may deliver ransomware through phishing emails, malicious downloads, or exploiting vulnerabilities in exposed systems."

(CCST Cybersecurity,Essential Security Principles, Malware Types and Threats section, Cisco Networking Academy)

Adescribes spyware or information-stealing malware.

Bis website defacement, which is vandalism, not ransomware.

Cis correct: locking/encrypting data and demanding payment is the defining behavior of ransomware.

Dis more aligned with insider threat or espionage activities.

TheCCST Cybersecurity Study Guidestates thatAccess Control Lists (ACLs)can be used to filter traffic based on IP addresses and block packets that appear to originate from the internal network but arrive from external interfaces (IP spoofing).

"ACLs can prevent spoofing by dropping traffic from external sources that claim to have an internal source address. Configuring ACLs on the perimeter firewall or router is a common countermeasure for IP spoofing."

(CCST Cybersecurity,Basic Network Security Concepts, ACLs and Traffic Filtering section, Cisco Networking Academy)

A(NAT rule) changes IP addresses but does not inherently prevent spoofing.

B(ACL) is correct because it can enforce anti-spoofing filters.

C(host file) only affects name resolution locally.

D(DNS record) is for domain mapping, not spoofing prevention.

According to theCCST Cybersecuritycourse, Windows Event Viewer’sSecurity logsrecord authentication-related events that can help identify password-guessing attempts (also known as brute force attacks).

"The Account logon failure event indicates that an authentication attempt has failed, which may suggest incorrect credentials were used. Multiple such events in a short time frame can indicate a brute-force attack. The Account lockout success event confirms that an account has been locked due to repeated failed logon attempts, which further supports the suspicion of password-guessing attacks."

(CCST Cybersecurity,Incident Handling, Monitoring and Analyzing Security Events section, Cisco Networking Academy)

Object access failurerelates to unauthorized attempts to open or modify files, not login attempts.

Account logon failure (B)shows failed login attempts due to invalid credentials.

Account lockout success (C)confirms that repeated login failures have triggered a lockout.

Account logoff successis a normal event and does not indicate malicious activity.

TheCCST Cybersecuritymaterial explains that MAC address filtering is a wireless security measure that allows only devices with approved hardware addresses to connect. If the laptop’s MAC address is not on the allow list, the connection will be blocked even if the SSID is correct.

"Wireless access points can be configured with MAC address filters to limit network access to authorized devices. If a device's MAC address is not on the permitted list, the connection will fail regardless of credentials."

(CCST Cybersecurity,Basic Network Security Concepts, Wireless Security section, Cisco Networking Academy)

Ais unlikely because non-broadcast SSIDs can still be manually connected to.

Bis correct: MAC address filtering would block an unregistered device.

Cwould cause IP issues after association, not prevent initial connection.

D(open authentication) would allow connection, so it’s not the cause here.

TheCCST Cybersecurity Study Guide(based on the NIST Incident Response Lifecycle) outlines four phases:

Preparation–

"Develop and maintain an incident response capability to ensure organizational readiness. This includes tools, training, and security controls."

Detection and Analysis–

"Identify potential security incidents through monitoring, alerts, and analysis. Confirm whether suspicious activity is legitimate and assess the scope of the incident."

Containment, Eradication, and Recovery–

"Limit the impact of the incident, remove the threat, and restore systems to normal operation."

Post-Incident Activity–

"Document and review the incident to determine the root cause, evaluate response effectiveness, and implement measures to prevent recurrence."

(CCST Cybersecurity,Incident Handling, Incident Response Lifecycle section, Cisco Networking Academy)

TheCCST Cybersecurity Study GuidehighlightsFileVaultas the macOS full-disk encryption tool.

"FileVault is macOS’s built-in full-disk encryption feature. It encrypts the contents of the entire startup disk to help prevent unauthorized access to the information stored on the drive, even if the device is lost or stolen."

(CCST Cybersecurity,Endpoint Security Concepts, Disk Encryption section, Cisco Networking Academy)

Ais correct: FileVault provides complete volume encryption.

B(Gatekeeper) controls app installation by verifying code signatures.

C(System Integrity Protection) protects system files from modification.

D(XProtect) is macOS’s built-in malware detection system.

TheCCST Cybersecurity Study Guideoutlines worm mitigation as a four-step process:

Containment–

"Limit the spread of the worm by segmenting the network and restricting traffic from infected areas."

Inoculation–

"Apply patches or updates to uninfected systems to prevent them from being compromised."

Quarantine–

"Remove or block infected systems from the network to stop further infection."

Treatment–

"Clean and patch infected systems to remove the worm and fix vulnerabilities."

(CCST Cybersecurity,Incident Handling, Malware Mitigation Strategies section, Cisco Networking Academy)

TheCCST Cybersecurity Study Guideexplains that aninsider threatis any threat to an organization that comes from people within the organization—employees, contractors, or business partners—who have inside information concerning the organization's security practices, data, and systems. Insider threats may be intentional or unintentional.

"An insider threat can be malicious or accidental. Employees may unintentionally cause data breaches by mishandling sensitive information, such as sending it to the wrong recipient."

(CCST Cybersecurity,Essential Security Principles, Threat Actor Types section, Cisco Networking Academy)

A(Logic bomb) is malicious code triggered by conditions.

B(Malware) is malicious software, unrelated to accidental email leaks.

C(Phishing) is an external social engineering attack.

Dis correct: This is anunintentional insider threat.

TheCCST Cybersecurity Study Guideoutlines common motivations for cyberattacks, which include:

Financial gain

Revenge or personal grievance(e.g., disgruntled employees)

Ideological or political purposes(hacktivism)

Espionage and intelligence gathering

"Cyberattack motivations range from financial and competitive advantage to personal vendettas and advancing political or social causes. Disgruntled insiders may misuse access privileges to harm an organization, while hacktivists target systems to promote social or political messages."

(CCST Cybersecurity,Essential Security Principles, Threat Actor Motivations section, Cisco Networking Academy)

Beingdisgruntled at work→ common insider threat motivation (True)

Wanting toprotect personal data→ defensive action, not a reason to commit an attack (False)

Wanting toadvance a social agenda→ hacktivist motivation (True)

TheCCST Cybersecurity Study Guideexplains that aBYOD policy(Bring Your Own Device) should outline security requirements for personally owned devices connecting to the corporate network. Common requirements include:

Device encryptionfor stored sensitive corporate data.

Strong password or PINconfiguration for device access.

Restriction to secure and approved applicationsto reduce malware risk.

"BYOD policies typically mandate strong authentication, encryption of sensitive corporate data on personal devices, and installation of secure or approved applications. The goal is to protect corporate information while respecting personal ownership of the device."

(CCST Cybersecurity,Endpoint Security Concepts, BYOD Security section, Cisco Networking Academy)

Ais incorrect: BYOD policies do not require deletion of personal data unless wiping after separation.

Bis not a common requirement due to privacy and technical limitations.

E(upgrading data plans) is unrelated to security.

TheCCST Cybersecurity Study Guidespecifies thatAES (Advanced Encryption Standard)is the encryption method used in modern WiFi security protocols like WPA2 and WPA3.

"WPA2 and WPA3 use the Advanced Encryption Standard (AES) for securing wireless traffic. AES provides strong symmetric encryption, replacing outdated methods like WEP and TKIP."

(CCST Cybersecurity,Basic Network Security Concepts, Wireless Security section, Cisco Networking Academy)

A(DES) is outdated and insecure.

B(Triple DES) is older and slower, rarely used in WiFi.

Cis correct: AES is the industry standard for WiFi security.

D(RSA) is asymmetric encryption used in key exchange, not bulk WiFi encryption.