Cisco 100-160 Cisco Certified Support Technician (CCST) Cybersecurity Exam Practice Test

TheCCST Cybersecuritycourse notes that isolation is a key part of thecontainment phaseof incident response. The goal is to prevent the compromised system from communicating with the attacker or spreading malware, while preserving it for analysis.

"Containment often involves removing an affected system from the production network and connecting it to a controlled forensic environment to preserve evidence and prevent further compromise."

(CCST Cybersecurity,Incident Handling, Containment Procedures section, Cisco Networking Academy)

According to theCCST Cybersecuritycourse, anti-malware solutions withreal-time protectionscan files as they are downloaded or opened, blocking malicious code before it runs.

"Real-time protection automatically inspects files, applications, and scripts as they are accessed or downloaded, preventing execution of malicious code."

(CCST Cybersecurity,Endpoint Security Concepts, Malware Protection section, Cisco Networking Academy)

TheCCST Cybersecurity Study Guideexplains thatSOAR (Security Orchestration, Automation, and Response)platforms integrate data from multiple tools and sources, support case management, and automate security workflows for faster incident response.

"SOAR solutions provide orchestration, automation, and response capabilities. They collect security data from multiple systems, enable analysts to manage incidents, and automate repetitive tasks in the response process."

(CCST Cybersecurity,Incident Handling, Security Automation Tools section, Cisco Networking Academy)

A(SIEM) collects and correlates security logs but lacks full orchestration and automated response capabilities.

Bis correct: SOAR adds orchestration, case management, and automated incident response.

C(NextGen IPS) focuses on intrusion prevention, not orchestration.

D(Snort) is an open-source intrusion detection/prevention tool, not an orchestration platform.

TheCCST Cybersecurity Study Guideexplains that disabling SSID broadcast hides the network from casual scanning, adding a layer of obscurity. While not a complete security measure, when combined with WPA2/WPA3 encryption and strong passwords, it can help protect private wireless networks, especially in environments with separate employee and guest access.

"Disabling SSID broadcast can reduce the visibility of a wireless network, making it less likely to be detected by casual attackers. This should be combined with strong encryption and authentication."

(CCST Cybersecurity,Basic Network Security Concepts, Wireless Security section, Cisco Networking Academy)

A(IP filtering) provides limited protection and is harder to manage for employee devices.

Bis correct: Disabling SSID broadcast adds an extra layer of obscurity for the employee network.

Cwould make the network easier to access from outside the premises, which is less secure.

Dwould cause network conflicts and make segmentation impossible.

TheCCST Cybersecurity Study Guideoutlines the standardrisk management processin the following sequence:

Identify the risks–

"Determine potential threats and vulnerabilities that could negatively impact organizational assets."

Prioritize the risks–

"Assess each risk in terms of likelihood and potential impact to rank them for remediation."

Implement a response–

"Apply the appropriate mitigation, transfer, acceptance, or avoidance strategy to address each prioritized risk."

Monitor results–

"Continuously assess the effectiveness of implemented controls and make adjustments as needed."

(CCST Cybersecurity,Vulnerability Assessment and Risk Management, Risk Management Process section, Cisco Networking Academy)

TheCCST Cybersecurity Study Guideexplains thatWPA3is the most current and secure Wi-Fi Protected Access protocol, offering stronger encryption and better protection against brute-force attacks compared to earlier versions.

"WPA3 improves wireless security by using more robust encryption methods and protections against offline password guessing, making it the recommended protocol for securing modern Wi-Fi networks."

(CCST Cybersecurity,Basic Network Security Concepts, Wireless Security Protocols section, Cisco Networking Academy)

TheCCST Cybersecuritycourse describes ransomware as a form of malicious software that encrypts or locks access to an organization’s data, demanding payment for its release.

"Ransomware is a type of malware that denies access to data by encrypting it and demands payment from the victim to restore access. Threat actors may deliver ransomware through phishing emails, malicious downloads, or exploiting vulnerabilities in exposed systems."

(CCST Cybersecurity,Essential Security Principles, Malware Types and Threats section, Cisco Networking Academy)

Adescribes spyware or information-stealing malware.

Bis website defacement, which is vandalism, not ransomware.

Cis correct: locking/encrypting data and demanding payment is the defining behavior of ransomware.

Dis more aligned with insider threat or espionage activities.

TheCCST Cybersecuritycourse states that anIntrusion Detection System (IDS)passively monitors network or system traffic and analyzes it against a database of known threat signatures or behavioral patterns.

"IDS devices inspect network traffic, compare it to known malicious signatures or anomalies, and generate alerts for suspicious activity without actively blocking traffic."

(CCST Cybersecurity,Basic Network Security Concepts, IDS and IPS section, Cisco Networking Academy)

Ais correct: IDS is passive and signature-based.

B(IPS) is active and can block traffic.

C(Proxy Server) handles requests between clients and servers.

D(Honeypot) is a decoy system to attract attackers.

In theCCST Cybersecuritycourse, Windows Event ViewerErrorevents in the Application log indicate a severe problem that caused an application or component to fail. This usually requires investigation or repair.

"Error events indicate a significant problem such as a loss of functionality in an application or system component. Errors are often critical and need immediate attention."

(CCST Cybersecurity,Incident Handling, Event Logging and Analysis section, Cisco Networking Academy)

Ais incorrect: Performance slowness would usually generate warnings, not errors.

Bis correct: An "Error" level in Event Viewer means the application failed in some way.

Cis incorrect: That describes an "Information" event, not an error.

Dis incorrect: That also corresponds to an "Information" event.

TheCCST Cybersecurity Study Guidecovers major privacy and security frameworks:

GDPR (General Data Protection Regulation)–

"EU regulation that protects personal data and privacy for individuals within the European Union."

HIPAA (Health Insurance Portability and Accountability Act)–

"US law that protects sensitive patient health information from being disclosed without the patient’s consent or knowledge."

PCI-DSS (Payment Card Industry Data Security Standard)–

"Security standard to protect credit card data and reduce fraud."

FERPA (Family Educational Rights and Privacy Act)–

"US law that protects the privacy of student education records."

FISMA (Federal Information Security Management Act)–

"US law that requires federal agencies to protect information and information systems."

(CCST Cybersecurity,Essential Security Principles, Regulatory Compliance section, Cisco Networking Academy)

According to theCCST Cybersecuritycourse, Windows Event Viewer’sSecurity logsrecord authentication-related events that can help identify password-guessing attempts (also known as brute force attacks).

"The Account logon failure event indicates that an authentication attempt has failed, which may suggest incorrect credentials were used. Multiple such events in a short time frame can indicate a brute-force attack. The Account lockout success event confirms that an account has been locked due to repeated failed logon attempts, which further supports the suspicion of password-guessing attacks."

(CCST Cybersecurity,Incident Handling, Monitoring and Analyzing Security Events section, Cisco Networking Academy)

Object access failurerelates to unauthorized attempts to open or modify files, not login attempts.

Account logon failure (B)shows failed login attempts due to invalid credentials.

Account lockout success (C)confirms that repeated login failures have triggered a lockout.

Account logoff successis a normal event and does not indicate malicious activity.

TheCCST Cybersecurity Study Guidedescribes the CIA Triad as the foundational model for information security:

Confidentiality

"Confidentiality ensures that sensitive information is accessed only by authorized individuals and is protected from unauthorized disclosure."

Integrity

"Integrity ensures that data remains accurate, complete, and unaltered except by authorized processes or users."

Availability

"Availability ensures that information and systems are accessible to authorized users when needed."

(CCST Cybersecurity,Essential Security Principles, CIA Triad section, Cisco Networking Academy)

According to theCCST Cybersecurity Study Guide, firmware updates are a critical security maintenance task because vulnerabilities in firmware can be exploited by attackers to gain persistent control over hardware.

"Keeping firmware up to date is necessary to patch security vulnerabilities and weaknesses that could be exploited by threat actors. Vendors release firmware updates to correct security flaws, enhance stability, and ensure compatibility with updated security protocols."

(CCST Cybersecurity,Endpoint Security Concepts, System and Firmware Maintenance section, Cisco Networking Academy)

Ais partially true but not the primary security reason for updates.

Bis incorrect because firmware is not part of the OS kernel; it’s embedded in the hardware.

Cis correct: patching vulnerabilities in firmware is essential for endpoint protection.

Dmay occur as a side benefit, but it’s not the main reason from a cybersecurity perspective.

TheCCST Cybersecuritycourse teaches that vulnerability scan results should be reviewed for misconfigurations and exposures that can be exploited by attackers.

"Disabled firewalls expose systems to direct network attacks and should be treated as critical findings. Open ports can indicate unnecessary or unsecured services running, which may provide entry points for attackers. These findings should be escalated for remediation or further security hardening."

(CCST Cybersecurity,Vulnerability Assessment and Risk Management, Analyzing and Responding to Scan Results section, Cisco Networking Academy)

Encrypted passwords (A)are good practice, not a vulnerability.

Disabled firewalls (B)leave systems defenseless against incoming attacks.

Open ports (C)can be exploited if the services they expose are vulnerable or misconfigured.

SSH packets (D)are normal in secure remote administration and are not inherently a vulnerability.

TheCCST Cybersecurity Study Guide(based on the NIST Incident Response Lifecycle) outlines four phases:

Preparation–

"Develop and maintain an incident response capability to ensure organizational readiness. This includes tools, training, and security controls."

Detection and Analysis–

"Identify potential security incidents through monitoring, alerts, and analysis. Confirm whether suspicious activity is legitimate and assess the scope of the incident."

Containment, Eradication, and Recovery–

"Limit the impact of the incident, remove the threat, and restore systems to normal operation."

Post-Incident Activity–

"Document and review the incident to determine the root cause, evaluate response effectiveness, and implement measures to prevent recurrence."

(CCST Cybersecurity,Incident Handling, Incident Response Lifecycle section, Cisco Networking Academy)