100-160 Cisco Certified Support Technician (CCST) Cybersecurity Question and Answers

TheCCST Cybersecurity Study Guidedescribes aman-in-the-middle (MITM)attack as an attack where the adversary secretly intercepts and possibly alters communications between two parties, making them believe they are communicating directly. A rogue AP configured to pass traffic through itself before sending it on is a classic wireless MITM method.

"In a MITM attack, the attacker places themselves between the sender and receiver, intercepting and possibly altering data in transit. Rogue access points can facilitate MITM attacks in wireless environments."

(CCST Cybersecurity,Basic Network Security Concepts, Wireless Threats section, Cisco Networking Academy)

Ais incorrect: Reconnaissance is information gathering, not active interception.

Bis correct: This is a wireless MITM attack.

Cis incorrect: DDoS aims to overwhelm a service, not intercept data.

Dis incorrect: Ransomware encrypts data for extortion.

TheCCST Cybersecurity Study Guideoutlines common motivations for cyberattacks, which include:

Financial gain

Revenge or personal grievance(e.g., disgruntled employees)

Ideological or political purposes(hacktivism)

Espionage and intelligence gathering

"Cyberattack motivations range from financial and competitive advantage to personal vendettas and advancing political or social causes. Disgruntled insiders may misuse access privileges to harm an organization, while hacktivists target systems to promote social or political messages."

(CCST Cybersecurity,Essential Security Principles, Threat Actor Motivations section, Cisco Networking Academy)

Beingdisgruntled at work→ common insider threat motivation (True)

Wanting toprotect personal data→ defensive action, not a reason to commit an attack (False)

Wanting toadvance a social agenda→ hacktivist motivation (True)

TheCCST Cybersecuritycourse describes ransomware as a form of malicious software that encrypts or locks access to an organization’s data, demanding payment for its release.

"Ransomware is a type of malware that denies access to data by encrypting it and demands payment from the victim to restore access. Threat actors may deliver ransomware through phishing emails, malicious downloads, or exploiting vulnerabilities in exposed systems."

(CCST Cybersecurity,Essential Security Principles, Malware Types and Threats section, Cisco Networking Academy)

Adescribes spyware or information-stealing malware.

Bis website defacement, which is vandalism, not ransomware.

Cis correct: locking/encrypting data and demanding payment is the defining behavior of ransomware.

Dis more aligned with insider threat or espionage activities.

According to theCCST Cybersecurity Study Guide, firmware updates are a critical security maintenance task because vulnerabilities in firmware can be exploited by attackers to gain persistent control over hardware.

"Keeping firmware up to date is necessary to patch security vulnerabilities and weaknesses that could be exploited by threat actors. Vendors release firmware updates to correct security flaws, enhance stability, and ensure compatibility with updated security protocols."

(CCST Cybersecurity,Endpoint Security Concepts, System and Firmware Maintenance section, Cisco Networking Academy)

Ais partially true but not the primary security reason for updates.

Bis incorrect because firmware is not part of the OS kernel; it’s embedded in the hardware.

Cis correct: patching vulnerabilities in firmware is essential for endpoint protection.

Dmay occur as a side benefit, but it’s not the main reason from a cybersecurity perspective.

In theCCST Cybersecuritycourse, Windows Event ViewerErrorevents in the Application log indicate a severe problem that caused an application or component to fail. This usually requires investigation or repair.

"Error events indicate a significant problem such as a loss of functionality in an application or system component. Errors are often critical and need immediate attention."

(CCST Cybersecurity,Incident Handling, Event Logging and Analysis section, Cisco Networking Academy)

Ais incorrect: Performance slowness would usually generate warnings, not errors.

Bis correct: An "Error" level in Event Viewer means the application failed in some way.

Cis incorrect: That describes an "Information" event, not an error.

Dis incorrect: That also corresponds to an "Information" event.

TheCCST Cybersecurity Study Guideexplains that aBYOD policy(Bring Your Own Device) should outline security requirements for personally owned devices connecting to the corporate network. Common requirements include:

Device encryptionfor stored sensitive corporate data.

Strong password or PINconfiguration for device access.

Restriction to secure and approved applicationsto reduce malware risk.

"BYOD policies typically mandate strong authentication, encryption of sensitive corporate data on personal devices, and installation of secure or approved applications. The goal is to protect corporate information while respecting personal ownership of the device."

(CCST Cybersecurity,Endpoint Security Concepts, BYOD Security section, Cisco Networking Academy)

Ais incorrect: BYOD policies do not require deletion of personal data unless wiping after separation.

Bis not a common requirement due to privacy and technical limitations.

E(upgrading data plans) is unrelated to security.

TheCCST Cybersecurity Study Guideexplains that sandboxing is a security technique that executes suspicious programs in a controlled and isolated environment, preventing them from affecting production systems while enabling behavior analysis.

"Sandboxing isolates a suspected application in a secure, controlled environment where it can be executed and analyzed without risking damage to the host system or network."

(CCST Cybersecurity,Endpoint Security Concepts, Malware Analysis Techniques section, Cisco Networking Academy)

TheCCST Cybersecurity Study Guideexplains thatport securityon switches can be configured to limit the number of MAC addresses allowed on a port, or to restrict it to specific devices.

"Port security can prevent unauthorized access by limiting or specifying the MAC addresses allowed to connect through a given switch port. This mitigates risks from rogue devices connecting to the network."

(CCST Cybersecurity,Basic Network Security Concepts, Switch Security section, Cisco Networking Academy)

According to theCCST Cybersecuritycourse, Windows Event Viewer’sSecurity logsrecord authentication-related events that can help identify password-guessing attempts (also known as brute force attacks).

"The Account logon failure event indicates that an authentication attempt has failed, which may suggest incorrect credentials were used. Multiple such events in a short time frame can indicate a brute-force attack. The Account lockout success event confirms that an account has been locked due to repeated failed logon attempts, which further supports the suspicion of password-guessing attacks."

(CCST Cybersecurity,Incident Handling, Monitoring and Analyzing Security Events section, Cisco Networking Academy)

Object access failurerelates to unauthorized attempts to open or modify files, not login attempts.

Account logon failure (B)shows failed login attempts due to invalid credentials.

Account lockout success (C)confirms that repeated login failures have triggered a lockout.

Account logoff successis a normal event and does not indicate malicious activity.

TheCCST Cybersecurity Study GuidehighlightsFileVaultas the macOS full-disk encryption tool.

"FileVault is macOS’s built-in full-disk encryption feature. It encrypts the contents of the entire startup disk to help prevent unauthorized access to the information stored on the drive, even if the device is lost or stolen."

(CCST Cybersecurity,Endpoint Security Concepts, Disk Encryption section, Cisco Networking Academy)

Ais correct: FileVault provides complete volume encryption.

B(Gatekeeper) controls app installation by verifying code signatures.

C(System Integrity Protection) protects system files from modification.

D(XProtect) is macOS’s built-in malware detection system.

TheCCST Cybersecurity Study Guidestates that vulnerability scanning is an automated process used to identify known security weaknesses in systems, software, and network devices. These scans compare system configurations and software versions against databases of known vulnerabilities, such as the Common Vulnerabilities and Exposures (CVE) list.

"A vulnerability scan is an automated test that checks systems and networks for known weaknesses by matching them against a database of vulnerabilities such as CVEs. This allows administrators to identify exploitable conditions before they are leveraged by attackers."

(CCST Cybersecurity,Vulnerability Assessment and Risk Management, Vulnerability Scanning section, Cisco Networking Academy)

Ais asset discovery, not vulnerability scanning.

Bmay be part of remediation planning but is not the primary purpose.

Cis correct: Scans detect if systems have vulnerabilities associated with CVEs.

Ddescribes SIEM (Security Information and Event Management) log correlation, not vulnerability scanning.

TheCCST Cybersecuritycourse notes that isolation is a key part of thecontainment phaseof incident response. The goal is to prevent the compromised system from communicating with the attacker or spreading malware, while preserving it for analysis.

"Containment often involves removing an affected system from the production network and connecting it to a controlled forensic environment to preserve evidence and prevent further compromise."

(CCST Cybersecurity,Incident Handling, Containment Procedures section, Cisco Networking Academy)