100-160 Cisco Certified Support Technician (CCST) Cybersecurity Questions and Answers

The CCST Cybersecurity Study Guide explains that HTTP (port 80) transmits data in cleartext, making it susceptible to interception. Even if data is stored securely in an encrypted database, sensitive information can be compromised during transmission if HTTPS (port 443) is not used.

"When HTTP is used instead of HTTPS, all form inputs and transmitted data are sent in plaintext over the network, where they can be intercepted by attackers."

(CCST Cybersecurity, Basic Network Security Concepts , Secure Protocols section, Cisco Networking Academy)

The CCST Cybersecurity Study Guide states that Access Control Lists (ACLs) can be used to filter traffic based on IP addresses and block packets that appear to originate from the internal network but arrive from external interfaces (IP spoofing).

"ACLs can prevent spoofing by dropping traffic from external sources that claim to have an internal source address. Configuring ACLs on the perimeter firewall or router is a common countermeasure for IP spoofing."

(CCST Cybersecurity, Basic Network Security Concepts , ACLs and Traffic Filtering section, Cisco Networking Academy)

A (NAT rule) changes IP addresses but does not inherently prevent spoofing.

B (ACL) is correct because it can enforce anti-spoofing filters.

C (host file) only affects name resolution locally.

D (DNS record) is for domain mapping, not spoofing prevention.

The CCST Cybersecurity Study Guide specifies that both Wireshark and tcpdump are packet capture tools that can record network traffic to a file for later analysis.

"Wireshark provides a graphical interface for packet capture and analysis. Tcpdump is a command-line tool that captures packets for detailed offline review."

(CCST Cybersecurity, Incident Handling , Network Traffic Analysis section, Cisco Networking Academy)

A is correct: Wireshark is widely used for packet capture and analysis.

B is correct: tcpdump is a CLI-based packet capture tool.

C (Nmap) is for network scanning, not packet capture.

D (netstat) displays network connections and ports but does not capture packets.

The CCST Cybersecurity Study Guide states that vulnerability scanning is an automated process used to identify known security weaknesses in systems, software, and network devices. These scans compare system configurations and software versions against databases of known vulnerabilities, such as the Common Vulnerabilities and Exposures (CVE) list.

"A vulnerability scan is an automated test that checks systems and networks for known weaknesses by matching them against a database of vulnerabilities such as CVEs. This allows administrators to identify exploitable conditions before they are leveraged by attackers."

(CCST Cybersecurity, Vulnerability Assessment and Risk Management , Vulnerability Scanning section, Cisco Networking Academy)

A is asset discovery, not vulnerability scanning.

B may be part of remediation planning but is not the primary purpose.

C is correct: Scans detect if systems have vulnerabilities associated with CVEs.

D describes SIEM (Security Information and Event Management) log correlation, not vulnerability scanning.

The CCST Cybersecurity Study Guide explains that an insider threat is any threat to an organization that comes from people within the organization—employees, contractors, or business partners—who have inside information concerning the organization's security practices, data, and systems. Insider threats may be intentional or unintentional.

"An insider threat can be malicious or accidental. Employees may unintentionally cause data breaches by mishandling sensitive information, such as sending it to the wrong recipient."

(CCST Cybersecurity, Essential Security Principles , Threat Actor Types section, Cisco Networking Academy)

A (Logic bomb) is malicious code triggered by conditions.

B (Malware) is malicious software, unrelated to accidental email leaks.

C (Phishing) is an external social engineering attack.

D is correct: This is an unintentional insider threat .

The CCST Cybersecurity Study Guide specifies that AES (Advanced Encryption Standard) is the encryption method used in modern WiFi security protocols like WPA2 and WPA3.

"WPA2 and WPA3 use the Advanced Encryption Standard (AES) for securing wireless traffic. AES provides strong symmetric encryption, replacing outdated methods like WEP and TKIP."

(CCST Cybersecurity, Basic Network Security Concepts , Wireless Security section, Cisco Networking Academy)

A (DES) is outdated and insecure.

B (Triple DES) is older and slower, rarely used in WiFi.

C is correct: AES is the industry standard for WiFi security.

D (RSA) is asymmetric encryption used in key exchange, not bulk WiFi encryption.

The CCST Cybersecurity Study Guide outlines the standard risk management process in the following sequence:

Identify the risks –

"Determine potential threats and vulnerabilities that could negatively impact organizational assets."

Prioritize the risks –

"Assess each risk in terms of likelihood and potential impact to rank them for remediation."

Implement a response –

"Apply the appropriate mitigation, transfer, acceptance, or avoidance strategy to address each prioritized risk."

Monitor results –

"Continuously assess the effectiveness of implemented controls and make adjustments as needed."

(CCST Cybersecurity, Vulnerability Assessment and Risk Management , Risk Management Process section, Cisco Networking Academy)

The CCST Cybersecurity Study Guide defines common attacker types:

Cyber criminal –

"An individual or group engaging in illegal activities for financial gain, such as selling stolen data or running spam campaigns."

State-sponsored attacker –

"Operates with the support or direction of a nation-state, often for espionage or political objectives."

Insider threat –

"A person within the organization, such as an employee or contractor, who misuses access to cause harm or steal data."

Hacktivist –

"Uses hacking techniques to promote political, social, or ideological causes."

(CCST Cybersecurity, Essential Security Principles , Threat Actor Types section, Cisco Networking Academy)

The CCST Cybersecurity Study Guide describes the CIA Triad as the foundational model for information security:

Confidentiality

"Confidentiality ensures that sensitive information is accessed only by authorized individuals and is protected from unauthorized disclosure."

Integrity

"Integrity ensures that data remains accurate, complete, and unaltered except by authorized processes or users."

Availability

"Availability ensures that information and systems are accessible to authorized users when needed."

(CCST Cybersecurity, Essential Security Principles , CIA Triad section, Cisco Networking Academy)

The CCST Cybersecurity Study Guide describes the Diamond Model of Intrusion Analysis as a framework to map the relationships between four core features of an intrusion:

Adversary – The threat actor or group conducting the attack.

Example: Ransomware Group

Capability – The tools, techniques, or malware the adversary uses.

Example: Phishing Email, Malware

Infrastructure – The physical or logical communication and delivery systems the adversary uses.

Example: Email Server, Domain Name

Victim – The target of the attack, such as systems, organizations, or individuals.

Example: Customer and Product Databases

"The Diamond Model helps analysts connect the attacker, the tools they use, the infrastructure supporting the attack, and the victim, providing a holistic view of the intrusion event."

(CCST Cybersecurity, Incident Handling , Threat Modeling section, Cisco Networking Academy)

The CCST Cybersecurity Study Guide explains that reconnaissance is the process of collecting information about a target before attempting exploitation.

"Passive reconnaissance is conducted without directly engaging with the target systems. Examples include reviewing public websites, examining HTML source code, querying public DNS records, and using social media to gather information. Since no packets are sent directly to the target system, it reduces the risk of detection."

(CCST Cybersecurity, Vulnerability Assessment and Risk Management , Reconnaissance Techniques section, Cisco Networking Academy)

Passive (A) is correct because all actions described — viewing public pages, searching online, and checking social media — involve no direct interaction that could alert the target.

Active (B) would involve direct probing, like port scans or vulnerability scans.

Offline (C) is not an official reconnaissance classification in this context.

Invasive (D) is a general term and not used as a standard reconnaissance category in CCST material.

The CCST Cybersecurity material explains that MAC address filtering is a wireless security measure that allows only devices with approved hardware addresses to connect. If the laptop’s MAC address is not on the allow list, the connection will be blocked even if the SSID is correct.

"Wireless access points can be configured with MAC address filters to limit network access to authorized devices. If a device's MAC address is not on the permitted list, the connection will fail regardless of credentials."

(CCST Cybersecurity, Basic Network Security Concepts , Wireless Security section, Cisco Networking Academy)

A is unlikely because non-broadcast SSIDs can still be manually connected to.

B is correct: MAC address filtering would block an unregistered device.

C would cause IP issues after association, not prevent initial connection.

D (open authentication) would allow connection, so it’s not the cause here.