100-160 Cisco Certified Support Technician (CCST) Cybersecurity Questions and Answers

TheCCST Cybersecurity Study Guideexplains thatWPA3is the most current and secure Wi-Fi Protected Access protocol, offering stronger encryption and better protection against brute-force attacks compared to earlier versions.

"WPA3 improves wireless security by using more robust encryption methods and protections against offline password guessing, making it the recommended protocol for securing modern Wi-Fi networks."

(CCST Cybersecurity,Basic Network Security Concepts, Wireless Security Protocols section, Cisco Networking Academy)

TheCCST Cybersecurity Study Guidedefines common attacker types:

Cyber criminal–

"An individual or group engaging in illegal activities for financial gain, such as selling stolen data or running spam campaigns."

State-sponsored attacker–

"Operates with the support or direction of a nation-state, often for espionage or political objectives."

Insider threat–

"A person within the organization, such as an employee or contractor, who misuses access to cause harm or steal data."

Hacktivist–

"Uses hacking techniques to promote political, social, or ideological causes."

(CCST Cybersecurity,Essential Security Principles, Threat Actor Types section, Cisco Networking Academy)

TheCCST Cybersecuritycourse notes that isolation is a key part of thecontainment phaseof incident response. The goal is to prevent the compromised system from communicating with the attacker or spreading malware, while preserving it for analysis.

"Containment often involves removing an affected system from the production network and connecting it to a controlled forensic environment to preserve evidence and prevent further compromise."

(CCST Cybersecurity,Incident Handling, Containment Procedures section, Cisco Networking Academy)

TheCCST Cybersecurity Study Guide(based on the NIST Incident Response Lifecycle) outlines four phases:

Preparation–

"Develop and maintain an incident response capability to ensure organizational readiness. This includes tools, training, and security controls."

Detection and Analysis–

"Identify potential security incidents through monitoring, alerts, and analysis. Confirm whether suspicious activity is legitimate and assess the scope of the incident."

Containment, Eradication, and Recovery–

"Limit the impact of the incident, remove the threat, and restore systems to normal operation."

Post-Incident Activity–

"Document and review the incident to determine the root cause, evaluate response effectiveness, and implement measures to prevent recurrence."

(CCST Cybersecurity,Incident Handling, Incident Response Lifecycle section, Cisco Networking Academy)

TheCCST Cybersecurity Study Guideexplains that hard disk encryption is a method used to protectdata stored on a physical devicefrom unauthorized access.

"Data at rest refers to data stored on a device, such as files on a hard drive, SSD, or removable media. Hard disk encryption protects data at rest by converting it into an unreadable format unless accessed with the correct decryption key."

(CCST Cybersecurity,Essential Security Principles, Data States and Protection Methods section, Cisco Networking Academy)

Data in processrefers to data actively being handled by applications in memory (RAM), which is not the primary target of disk encryption.

Data in transitis protected via encryption methods such as TLS, not disk encryption.

Data in useis accessed and manipulated by programs in real-time, also not the primary scope of disk encryption.

Data at restis the correct answer, as hard disk encryption directly safeguards stored files.

TheCCST Cybersecurity Study Guidespecifies that bothWiresharkandtcpdumpare packet capture tools that can record network traffic to a file for later analysis.

"Wireshark provides a graphical interface for packet capture and analysis. Tcpdump is a command-line tool that captures packets for detailed offline review."

(CCST Cybersecurity,Incident Handling, Network Traffic Analysis section, Cisco Networking Academy)

Ais correct: Wireshark is widely used for packet capture and analysis.

Bis correct: tcpdump is a CLI-based packet capture tool.

C(Nmap) is for network scanning, not packet capture.

D(netstat) displays network connections and ports but does not capture packets.

TheCCST Cybersecurity Study Guidedistinguishes betweenDisaster Recovery Plans (DRP)andBusiness Continuity Plans (BCP):

ABCPfocuses on keeping the business running during a disruption.

ADRPfocuses on restoring IT services and data after a disaster has occurred.

"A disaster recovery plan outlines procedures for restoring data and critical IT infrastructure to operational status following a disruptive incident. The goal is to resume normal IT operations as quickly as possible."

(CCST Cybersecurity,Essential Security Principles, Business Continuity and Disaster Recovery section, Cisco Networking Academy)

Ais a general effect of both BCP and DRP.

BandDdescribe business continuity, not disaster recovery.

Cis correct: DRP’s main purpose isrestoring IT systems and data quicklyafter disruption

According to theCCST Cybersecuritycourse, NIST guidelines (SP 800-63B) recommend aminimum password length of 8 charactersfor user-generated passwords, without requiring overly complex composition rules, but encouraging longer passphrases for increased security.

"NIST guidelines specify that user-generated passwords must be at least 8 characters in length, and systems should allow passwords up to at least 64 characters."

(CCST Cybersecurity,Essential Security Principles, Authentication Best Practices section, Cisco Networking Academy)

TheCCST Cybersecuritycourse teaches that vulnerability scan results should be reviewed for misconfigurations and exposures that can be exploited by attackers.

"Disabled firewalls expose systems to direct network attacks and should be treated as critical findings. Open ports can indicate unnecessary or unsecured services running, which may provide entry points for attackers. These findings should be escalated for remediation or further security hardening."

(CCST Cybersecurity,Vulnerability Assessment and Risk Management, Analyzing and Responding to Scan Results section, Cisco Networking Academy)

Encrypted passwords (A)are good practice, not a vulnerability.

Disabled firewalls (B)leave systems defenseless against incoming attacks.

Open ports (C)can be exploited if the services they expose are vulnerable or misconfigured.

SSH packets (D)are normal in secure remote administration and are not inherently a vulnerability.

TheCCST Cybersecurity Study Guideexplains thatport securityon switches can be configured to limit the number of MAC addresses allowed on a port, or to restrict it to specific devices.

"Port security can prevent unauthorized access by limiting or specifying the MAC addresses allowed to connect through a given switch port. This mitigates risks from rogue devices connecting to the network."

(CCST Cybersecurity,Basic Network Security Concepts, Switch Security section, Cisco Networking Academy)

According to theCCST Cybersecuritycourse, Windows Event Viewer’sSecurity logsrecord authentication-related events that can help identify password-guessing attempts (also known as brute force attacks).

"The Account logon failure event indicates that an authentication attempt has failed, which may suggest incorrect credentials were used. Multiple such events in a short time frame can indicate a brute-force attack. The Account lockout success event confirms that an account has been locked due to repeated failed logon attempts, which further supports the suspicion of password-guessing attacks."

(CCST Cybersecurity,Incident Handling, Monitoring and Analyzing Security Events section, Cisco Networking Academy)

Object access failurerelates to unauthorized attempts to open or modify files, not login attempts.

Account logon failure (B)shows failed login attempts due to invalid credentials.

Account lockout success (C)confirms that repeated login failures have triggered a lockout.

Account logoff successis a normal event and does not indicate malicious activity.

TheCCST Cybersecurity Study Guideoutlines common motivations for cyberattacks, which include:

Financial gain

Revenge or personal grievance(e.g., disgruntled employees)

Ideological or political purposes(hacktivism)

Espionage and intelligence gathering

"Cyberattack motivations range from financial and competitive advantage to personal vendettas and advancing political or social causes. Disgruntled insiders may misuse access privileges to harm an organization, while hacktivists target systems to promote social or political messages."

(CCST Cybersecurity,Essential Security Principles, Threat Actor Motivations section, Cisco Networking Academy)

Beingdisgruntled at work→ common insider threat motivation (True)

Wanting toprotect personal data→ defensive action, not a reason to commit an attack (False)

Wanting toadvance a social agenda→ hacktivist motivation (True)