100-160 Cisco Certified Support Technician (CCST) Cybersecurity Questions and Answers

TheCCST Cybersecurity Study Guidecovers major privacy and security frameworks:

GDPR (General Data Protection Regulation)–

"EU regulation that protects personal data and privacy for individuals within the European Union."

HIPAA (Health Insurance Portability and Accountability Act)–

"US law that protects sensitive patient health information from being disclosed without the patient’s consent or knowledge."

PCI-DSS (Payment Card Industry Data Security Standard)–

"Security standard to protect credit card data and reduce fraud."

FERPA (Family Educational Rights and Privacy Act)–

"US law that protects the privacy of student education records."

FISMA (Federal Information Security Management Act)–

"US law that requires federal agencies to protect information and information systems."

(CCST Cybersecurity,Essential Security Principles, Regulatory Compliance section, Cisco Networking Academy)

TheCCST Cybersecurity Study Guidespecifies that bothWiresharkandtcpdumpare packet capture tools that can record network traffic to a file for later analysis.

"Wireshark provides a graphical interface for packet capture and analysis. Tcpdump is a command-line tool that captures packets for detailed offline review."

(CCST Cybersecurity,Incident Handling, Network Traffic Analysis section, Cisco Networking Academy)

Ais correct: Wireshark is widely used for packet capture and analysis.

Bis correct: tcpdump is a CLI-based packet capture tool.

C(Nmap) is for network scanning, not packet capture.

D(netstat) displays network connections and ports but does not capture packets.

TheCCST Cybersecurity Study Guide(based on the NIST Incident Response Lifecycle) outlines four phases:

Preparation–

"Develop and maintain an incident response capability to ensure organizational readiness. This includes tools, training, and security controls."

Detection and Analysis–

"Identify potential security incidents through monitoring, alerts, and analysis. Confirm whether suspicious activity is legitimate and assess the scope of the incident."

Containment, Eradication, and Recovery–

"Limit the impact of the incident, remove the threat, and restore systems to normal operation."

Post-Incident Activity–

"Document and review the incident to determine the root cause, evaluate response effectiveness, and implement measures to prevent recurrence."

(CCST Cybersecurity,Incident Handling, Incident Response Lifecycle section, Cisco Networking Academy)

TheCCST Cybersecuritymaterial explains that MAC address filtering is a wireless security measure that allows only devices with approved hardware addresses to connect. If the laptop’s MAC address is not on the allow list, the connection will be blocked even if the SSID is correct.

"Wireless access points can be configured with MAC address filters to limit network access to authorized devices. If a device's MAC address is not on the permitted list, the connection will fail regardless of credentials."

(CCST Cybersecurity,Basic Network Security Concepts, Wireless Security section, Cisco Networking Academy)

Ais unlikely because non-broadcast SSIDs can still be manually connected to.

Bis correct: MAC address filtering would block an unregistered device.

Cwould cause IP issues after association, not prevent initial connection.

D(open authentication) would allow connection, so it’s not the cause here.

In theCCST Cybersecuritycourse, Windows Event ViewerErrorevents in the Application log indicate a severe problem that caused an application or component to fail. This usually requires investigation or repair.

"Error events indicate a significant problem such as a loss of functionality in an application or system component. Errors are often critical and need immediate attention."

(CCST Cybersecurity,Incident Handling, Event Logging and Analysis section, Cisco Networking Academy)

Ais incorrect: Performance slowness would usually generate warnings, not errors.

Bis correct: An "Error" level in Event Viewer means the application failed in some way.

Cis incorrect: That describes an "Information" event, not an error.

Dis incorrect: That also corresponds to an "Information" event.

TheCCST Cybersecuritycourse teaches that vulnerability scan results should be reviewed for misconfigurations and exposures that can be exploited by attackers.

"Disabled firewalls expose systems to direct network attacks and should be treated as critical findings. Open ports can indicate unnecessary or unsecured services running, which may provide entry points for attackers. These findings should be escalated for remediation or further security hardening."

(CCST Cybersecurity,Vulnerability Assessment and Risk Management, Analyzing and Responding to Scan Results section, Cisco Networking Academy)

Encrypted passwords (A)are good practice, not a vulnerability.

Disabled firewalls (B)leave systems defenseless against incoming attacks.

Open ports (C)can be exploited if the services they expose are vulnerable or misconfigured.

SSH packets (D)are normal in secure remote administration and are not inherently a vulnerability.

TheCCST Cybersecurity Study Guideexplains thatSOAR (Security Orchestration, Automation, and Response)platforms integrate data from multiple tools and sources, support case management, and automate security workflows for faster incident response.

"SOAR solutions provide orchestration, automation, and response capabilities. They collect security data from multiple systems, enable analysts to manage incidents, and automate repetitive tasks in the response process."

(CCST Cybersecurity,Incident Handling, Security Automation Tools section, Cisco Networking Academy)

A(SIEM) collects and correlates security logs but lacks full orchestration and automated response capabilities.

Bis correct: SOAR adds orchestration, case management, and automated incident response.

C(NextGen IPS) focuses on intrusion prevention, not orchestration.

D(Snort) is an open-source intrusion detection/prevention tool, not an orchestration platform.

According to theCCST Cybersecuritycourse, NIST guidelines (SP 800-63B) recommend aminimum password length of 8 charactersfor user-generated passwords, without requiring overly complex composition rules, but encouraging longer passphrases for increased security.

"NIST guidelines specify that user-generated passwords must be at least 8 characters in length, and systems should allow passwords up to at least 64 characters."

(CCST Cybersecurity,Essential Security Principles, Authentication Best Practices section, Cisco Networking Academy)

TheCCST Cybersecurity Study Guideexplains that disabling SSID broadcast hides the network from casual scanning, adding a layer of obscurity. While not a complete security measure, when combined with WPA2/WPA3 encryption and strong passwords, it can help protect private wireless networks, especially in environments with separate employee and guest access.

"Disabling SSID broadcast can reduce the visibility of a wireless network, making it less likely to be detected by casual attackers. This should be combined with strong encryption and authentication."

(CCST Cybersecurity,Basic Network Security Concepts, Wireless Security section, Cisco Networking Academy)

A(IP filtering) provides limited protection and is harder to manage for employee devices.

Bis correct: Disabling SSID broadcast adds an extra layer of obscurity for the employee network.

Cwould make the network easier to access from outside the premises, which is less secure.

Dwould cause network conflicts and make segmentation impossible.

TheCCST Cybersecurity Study Guidenotes that HIPAA (Health Insurance Portability and Accountability Act) requires that ePHI be protected both in storage and when devices are decommissioned or repurposed. This includes implementingdata removal policiesfor mobile devices.

"HIPAA requires procedures for the removal of electronic protected health information (ePHI) from devices before disposal, reuse, or reassignment."

(CCST Cybersecurity,Essential Security Principles, Regulatory Compliance section, Cisco Networking Academy)

TheCCST Cybersecurity Study GuideidentifiesSYN flood attacksas a type ofDenial of Service (DoS)attack that exploits the TCP three-way handshake. Attackers send many SYN requests without completing the handshake, leaving the server with numerous half-open connections and exhausting resources.

"A TCP SYN flood attack overwhelms a target server by initiating a high volume of TCP connections but never completing the handshake, resulting in numerous half-open connections that consume system resources and can render the service unavailable."

(CCST Cybersecurity,Incident Handling, Denial-of-Service Attacks section, Cisco Networking Academy)

Ais correct: The proper action is to stop the SYN flood, often using firewalls, intrusion prevention systems, or SYN cookies.

B(switching to HTTPS) does not address the flooding issue.

Cis incorrect because the excessive number of half-open connections indicates an attack, not normal operation.

D(flushing DNS cache) is unrelated to this type of attack.

TheCCST Cybersecurity Study Guideexplains that HTTP (port 80) transmits data in cleartext, making it susceptible to interception. Even if data is stored securely in an encrypted database, sensitive information can be compromised during transmission if HTTPS (port 443) is not used.

"When HTTP is used instead of HTTPS, all form inputs and transmitted data are sent in plaintext over the network, where they can be intercepted by attackers."

(CCST Cybersecurity,Basic Network Security Concepts, Secure Protocols section, Cisco Networking Academy)