
QUESTION 1
Which of the following constitutes the elements in the C-I-A triad?
A. Consolidation, Integration, Authentication
B. Confidentiality, Integrity, Availability
C. Confusion, Impact, Animosity
D. Central, Intelligence, Agency
E. None of the above.
Correct Answer: B
QUESTION 2
Cisco says that there are two major categories of threats to network security. Pick them from the following list:
A. External threats
B. Viruses
C. Social engineering
D. Internal threats
E. Unauthorized access
F. Network misuse
Correct Answer: AD
QUESTION 3
Which of the following is the best definition for integrity safeguards:
A. Ensuring that only authorized users have access to sensitive data.
B. Ensuring that only authorized entities can change sensitive data.
C. Ensuring that systems and the data that they provide access to remain available for authorized users.
D. Ensuring that only legitimate users can access the network subject to time of day (ToD) controls.
E. Configuring access control lists (ACLs), such that only specified protocols are allowed through the perimeter.
Correct Answer: B
QUESTION 4
Match the following data classification levels for the public sector with their definitions:
Select and Place:

Correct Answer:

QUESTION 5
Which of the following are not considered categories of security controls? (Choose three that apply.)
A. Preventative control
B. Physical control
C. Deterrent control
D. Administrative control
E. Technical control
F. Detective control
Correct Answer: ACF
QUESTION 6
Match the three types of laws found in most countries with their definitions:
Hot Area:

Correct Answer:

QUESTION 7
True or False:
An exploit is the likelihood that a vulnerability might be exploited by a specific attack.

A. True
B. False
Correct Answer: B
QUESTION 8
Put the following seven steps for compromising targets and applications in the correct order:
Build List and Reorder:

Correct Answer:
QUESTION 9
Fill in the blank for the following definition with the letter corresponding to the correct answer below:
If an attacker were simply guessing at sequence numbers—essentially using tools to calculate them—then the attack would be called _________ spoofing. Physical access to your network is not required.
A. Statistical
B. Invasive
C. Blind
D. Nonblind
E. Stochastic
Correct Answer: C
QUESTION 10
True or False: Man-in-the-Middle (MiM) attacks attack a network or system’s availability.
A. True
B. False
Correct Answer: B

QUESTION 11
Which of the following strategies help mitigate against trust exploits?
A. Installing a firewall or IPS that can examine inbound traffic to ensure that it is protocol compliant, block traffic that isn’t, and also alert a custodian.
B. Installing Host Intrusion Protection System (HIPS) software on inside hosts.
C. Using ACLs on an IOS firewall.
D. All of these.
Correct Answer: D
Exam D
QUESTION 1
Put the following steps in the Cisco Secure Network Life Cycle in the right order:
Build List and Reorder:

Correct Answer:
QUESTION 2
Which of the following are elements of the Separation of Duties (SoD) principle of Operations Security? (Choose two that apply.)
A. Individuals rotate security-related duties so that no one person is permanently responsible for a sensitive function.
B. Continuous retraining of personnel.
C. Includes two-man and dual operator controls.
D. Ensures that no one person can compromise the whole system.
E. Operators maintain an arms-length relationship with security controls.
Correct Answer: CD
QUESTION 3
Which of the following is not considered a type of testing technique? (Choose all that apply.)
A. Network scanning
B. War driving
C. Penetration testing
D. Log analysis
E. Password cracking
F. None of these.
Correct Answer: F
QUESTION 4
Fill in the blanks in the following definition with a letter corresponding to the correct technology from the list below.
_________ probe a network for vulnerabilities and can even simulate an attack, whereas _______ monitor a network for signs of probes and attacks.
A. Firewalls
B. Syslog servers
C. Sensors
D. Scanners
E. Monitoring and reporting systems
Correct Answer: CD
QUESTION 5
In the context of the Initiation Phase of the Cisco System Development Cycle for Secure Networks, we have seen that the Initiation Phase is used to categorize risks. Which of the following are considered disruption categories? (Choose three that apply.)
A. Catastrophe
B. Act of God
C. Man-made calamity
D. Nondisaster
E. Disaster

Correct Answer: ADE
QUESTION 6
True or False:
Warm sites are redundant sites without real-time copies of data and software. The disaster recovery team needs to pay a physical site visit to restore data to the site for it to become fully operational.
A. True
B. False

Correct Answer: A
QUESTION 7
Match the following words with their definitions:
Select and Place:

Correct Answer:

QUESTION 8
Choose the one answer that correctly fills in the blanks.
There are two categories of risk analysis, __________________ and _____________________.
A. Mathematical, statistical
B. Predictive, scenario-based
C. Qualitative, quantitative
D. Idiomatic, stochastic
E. General, specific

Correct Answer: C
QUESTION 9
Fill in the blank:
A company is having a difficult time with compromises that have resulted in several internal systems being infected with viruses, worms, and trojans and holding corrupt data. Although the company has a reasonable disaster recovery plan in place and regular backups are being made, they can’t understand why this is necessary in the first place; the only traffic they are allowing inbound through their old reliable firewall product is HTTP to a server in the DMZ. This is an example of the ________ of the perimeter.
A. Evolution
B. Strengthening
C. Devolution
D. Blurring
E. Targeting
Correct Answer: D
QUESTION 10
Match the following Cisco devices with the type of threat control they provide. (Hint: Some devices provide more than one type of threat control.)
Hot Area:

Correct Answer:
Exam E
QUESTION 1
Match the following deployment scenarios for a Cisco IOS router with the correct description:
Select and Place:

Correct Answer:
QUESTION 2
Which of the following is not a feature of Cisco Integrated Services routers? (Choose two that apply.)
A. USB Port (most models)
B. Unified Network Services
C. Integrated PoE VoIP port
D. Integrated Security
E. Firewire port
Correct Answer: CE
QUESTION 3
True or False.
By default, Cisco router passwords must contain at least 10 characters.
A. True
B. False
Correct Answer: B
QUESTION 4
Which statement about the service password-encryption command is correct?
A. It encrypts all passwords in the router’s configuration file with an AES (Advanced Encryption Standard) 256-bit level encryption.
B. With the exception of the hashed enable secret, all passwords on the router are encrypted.
C. All passwords on the router are encrypted.
D. It has no effect unless the service password secret-encrypt command is also issued.
E. None of these.
Correct Answer: B
QUESTION 5
You have entered the following commands to create a view called ISP:
CiscoISR(config)#parser view ISP
CiscoISR(config-view)#secret 0 hardtoguess
Which one of the following commands enables users of this view to access configure mode from a terminal?
A. commands configure include all terminal
B. commands exec include all configure
C. commands include exec configure
D. commands exec include configure terminal
E. none of these
Correct Answer: B
QUESTION 6
Referring to the following list, select the five items that comprise the five basic services that SDM manages:
A. Wireless
B. Intrusion Protection Services (IPS)
C. Routing
D. Switching
E. Security
F. Interfaces
G. AAA
H. QoS
Correct Answer: ACDEH
QUESTION 7
What (in the right order) does AAA stand for?
A. Access, accountability, administration
B. Administration, access, accounting
C. Accounting, access, administration
D. Authentication, authorization, accounting
E. Authorization, accounting, administration
F. None of these
Correct Answer: D
QUESTION 8
Which of the following is true about the Cisco Secure ACS Solution Engine?
A. Must be installed on an existing installation of Windows Server
B. Must be installed on an existing installation of Windows Server or Sun Solaris
C. An appliance-based solution that supports up to 50 AAA clients, as well as 350 unique user logons in a 24-hour period
D. An appliance-based solution
E. TACACS+ only
F. None of these
Correct Answer: D
QUESTION 9
Fill in the blanks with the correct words from the list:
When designing an AAA solution, remote administrative access is also known as _____ mode. Another name for remote network access is _____ mode.
A. Packet, character
B. Character, network
C. Network, character
D. Character, packet
E. Packet, network
Correct Answer: D

QUESTION 10
What command will display a list of all local AAA users who have been locked out?
A. show aaa local user lockout
B. show aaa user all
C. show aaa sessions
D. show aaa local lockout
E. None of these
Correct Answer: A
QUESTION 11
Which protocols are supported in the AAA dialog between a Cisco IOS router and Cisco Secure ACS? (Choose two that apply.)
A. LDAP
B. Active Directory
C. OBDC
D. RADIUS
E. TACACS+
F. Kerberos
Correct Answer: DE
QUESTION 12
Which of the following statements is most correct concerning RADIUS and TACACS+? (Choose two that apply)
A. RADIUS has rich accounting and TACACS+ is capable of customizable user-level policies such as command authorization
B. RADIUS encrypts the whole communication between the AAA client and server, whereas TACACS+ only encrypts the password
C. RADIUS uses UDP for transport and TACACS+ uses TCP
D. RADIUS is a proprietary standard, whereas TACACS+ is Open Source
E. RADIUS uses UDP ports 1645 and 1646 exclusively
Correct Answer: AC
QUESTION 13
Which of the following are not included in the three main task areas in setting up for external AAA? (Choose two that apply.)
A. Configure the AAA network
B. Install AAA supplicant software on IP hosts that will authenticate to the IOS router
C. Identify traffic to which AAA is applied
D. Set up users
E. Install Cisco Secure ACS Solution Engine module on the Cisco IOS router
Correct Answer: BE

QUESTION 14
Select the one answer with the correct two terms to fill in the following blanks in the correct order.
There are two distinct types of AAA authorization policies:
- ________ policies that define access rules to the router.
- ________ policies that define access rules through the router.
A. Network, Exec
B. Packet, Character
C. Character, Packet
D. Exec, Network
E. Administrative, User
Correct Answer: D
Exam F

QUESTION 1
Which of the following is not a consideration for setting up technical controls in support of secure logging?
A. How can the confidentiality of logs as well as communicating log messages be assured?
B. How do you log events from several devices in one central place?
C. What are the most critical events to log?
D. What are the most important logs?
E. None of these.
Correct Answer: E
QUESTION 2
Fill in the blank with the correct term from the choices.
One communication path between management hosts and the devices they manage is __________, meaning that the traffic flows within a network separate from the production network.
A. In-band
B. Inter-vlan
C. Private
D. Out-of-band
E. Intranet

Correct Answer: D
QUESTION 3
True or False:
A general management guideline is to ensure that clocks on network devices are not synchronized with an external time source because this is a known vulnerability.
A. True
B. False

Correct Answer: B
QUESTION 4
To what menus do you have to navigate to set up logging in the SDM?
A. Configure->Router Management->Additional Tasks->Logging
B. Configure->Additional Tasks->Router Properties->Logging
C. Monitor->System Properties->Configure->Syslog
D. Configure->Additional Tasks->Router Properties->Syslog
E. Monitor->Logging Options->Syslog Setup

Correct Answer: B
QUESTION 5
Match the following SNMP terms with their definitions:
Select and Place:

Correct Answer:
QUESTION 6
True or False.
Secure Network Time Protocol (SNTP) is more secure than regular NTP as it requires authentication.

A. True
B. False
Correct Answer: B
QUESTION 7
Which of the following is part of Cisco’s list of seven categories of vulnerable router services and interfaces? (Choose all that apply.)

A. Disable unnecessary services and interfaces.
B. Disable commonly configured management services.
C. Ensure path integrity.
D. Disable probes and scans.
E. All of these.

Correct Answer: E
QUESTION 8
Fill in the blank with the correct term.
The Cisco SDM Security Audit Wizard and One-Step Lockdown tools are based on the Cisco _________ feature.
A. Auto-Initiate
B. SafeAudit
C. AuditMany-SecureOnce
D. AutoSecure
E. None of the above.

Correct Answer: D
QUESTION 9
True or False:
SNMPv3 is implemented in the Cisco SDM Security Audit Wizard but not in the auto secure CLI command.

A. True

B. False
Correct Answer: B
Exam G
QUESTION 1
Which of the following is the best description of a firewall?
A. Firewalls statefully inspect reply packets to determine whether they match the expected state of a connection in the state table.
B. Firewalls statically inspect packets in both directions and filter on layer 3 and layer 4 information.
C. A firewall is a system or a group of systems that enforce an access control policy between two networks.
D. A firewall is any device that blocks access to a protected network.
E. None of these.
Correct Answer: C
QUESTION 2
Which three of the following define characteristics of a firewall? (Choose all that apply.)
A. Enforces the access control policy of an organization.
B. Must be hardened against attacks.
C. Must be the only transit point between networks.
D. Completely eliminates the risk of network compromise.
E. All of these.
Correct Answer: ABC
QUESTION 3
True or False.
Transparent firewalls mitigate the risk of attack by applying rich layer 3 through 7 inspection services to the traffic transiting the firewall.
A. True
B. False
Correct Answer: B
QUESTION 4
Consider the following output for your answer: What sequence of commands would you enter to add a line at the beginning of the ACL that permits packets for established TCP sessions?

CiscoISR# show access-list 101
Extended IP access list 101
10 permit tcp any 10.10.10.0 0.0.0.255 eq www (12032 matches)
20 permit tcp any 10.10.10.0 0.0.0.255 eq 22 (25000 matches)

A. configure terminal ip access-list extended 101 5 permit tcp any any established
B. configure terminal ip access-list name 101 5 permit tcp any any established
C. configure terminal ip access-list extended 101 line 5 permit tcp any any established
D. configure nacl 10 permit tcp any any established
E. configure extended-nacl permit line 5 session-established
F. None of these.
Correct Answer: A
QUESTION 5
Fill in the blank in the sequence below for editing an existing access control list in the Cisco SDM. Configure->__________->ACL Editor->Access Rules
A. Firewall rules
B. Additional tasks
C. Policy editor
D. Perimeter security
E. None of the above.

Correct Answer: B
QUESTION 6
Drag and drop the items below onto their corresponding protocol ID in an IP packet.
Select and Place:

Correct Answer:
QUESTION 7
Certain source IP addresses should be filtered using ACLs to prevent IP spoofing attacks. Which of the following should be filtered? (Choose all that apply.)

A. All 1’s source IP addresses
B. Any address starting with a zero
C. IP multicast addresses
D. Reserved private IP addresses
E. All of these.
Correct Answer: E
QUESTION 8
True or False:
Cisco specifically recommends against allowing ICMP echoes and ICMP redirects inbound.

A. True
B. False

Correct Answer: A
QUESTION 9
True or False.
The Cisco IOS Zone-Based Policy Firewall (ZPF) is not used solely to implement a Stateful Packet Inspection (SPI) firewall.
A. True
B. False

Correct Answer: A
QUESTION 10
Consider the following scenario:
A firewall has five interfaces, two of which are not associated with security zones:
- Two interfaces are in the INTERNET zone.
- One interface is in the INSIDE zone.
- Two interfaces are not in any zone.
What is the default rule for traffic that originates from one of the two interfaces that are not in any zone and is destined for an interface in the INTERNET security zone?
A. The traffic is dropped.
B. The traffic is passed because it’s going to the Internet.
C. The traffic is either permitted or denied based on the actions in the policy map if it has been applied to the zone pair.
D. The traffic is passed because the default policy map action is to pass traffic that doesn’t have a specific match.
E. None of these.
Correct Answer: A

Exam H
QUESTION 1
Fill in the blanks with the best choice from the list in the correct order.
Cryptography is the art of code __________ and cryptanalysis is the art of code __________.
A. Graphing, analyzing
B. Generation, cracking
C. Making, breaking
D. Breaking, making
E. None of these.
Correct Answer: C
QUESTION 2
Read the following sentence and choose the type of attack that is being described from the list of choices.
Several examples of ciphertext created by the same cryptosystem are statistically analyzed to deduce underlying plaintext by pattern analysis.
A. Known-Plaintext
B. Meet-in-the-Middle
C. Brute Force
D. Ciphertext-Only
E. Chosen-Ciphertext
Correct Answer: D
QUESTION 3

Select and Place:

Correct Answer:

QUESTION 4
True or False.
AES is considered a trusted encryption algorithm by virtue of its strong 128-bit encryption keys and its 20+ years of use in crypto systems.
A. True
B. False

Correct Answer: B
QUESTION 5
What is the best choice of category of encryption algorithm for situations where large volumes of data are transmitted and speed is important?
A. Block cipher
B. Stream cipher
C. Symmetric key encryption
D. Asymmetric key encryption
E. DES

Correct Answer: C
QUESTION 6
What type of PKI topology?

A. Subordinate-Tiered CA
B. Cross-Certified CA
C. Central CA
D. Hierarchical CA
E. Independent-Mesh CA

Correct Answer: D
QUESTION 7
The figure illustrates the part of the enrollment process that occurs after a PKI participant has retrieved and validated the CA’s certificate.
What is always contained in the PKCS #7 message that the PKI participant is retrieving from the CA? (Choose all the correct answers.)
A. X.509 certificate
B. CA’s private key
C. CA’s public key
D. PKI participant’s signed public key
E. CA’s encryption usage keys
F. None of these
Correct Answer: AD
QUESTION 8
Which of the following list of protocols are part of NIST’s Digital Signature Standard (DSS)? (Choose three that apply.)
A. DSA
B. Digital Signatures using Reversible Public Key Cryptography
C. SEAL
D. Blowfish
E. ECDSA
Correct Answer: ABE

QUESTION 9
Fill in the blanks in the following sentence with the letter corresponding to the best choice. (Choose three.)

Hashing functions are used to validate a message’s __________ but do not provide for __________ like HMACs.
If __________ is required, the use of digital signatures is specified.

A. Confidentiality
B. Integrity
C. Authentication
D. Non-repudiation
E. Origin authentication
Correct Answer: BDE
QUESTION 10
Which one of the following statements best compares MD5 and SHA-1 as hashing algorithms?
A. MD5 theoretically has higher security than SHA-1; however, SHA-1 remains more commonly used.
B. MD5 is not recommended for new cryptosystems because SHA-1 is preferred for its theoretically higher security.
C. SHA-1 is less resistant to a brute force attack than MD5, and its 32-bit longer buffer makes it faster than MD5.
D. SHA-1 and MD5’s security is not based on encryption keys.
E. None of these.
Correct Answer: B
Exam I

QUESTION 1
True or False.
Site-to-site IPsec VPNs are an evolution of dial-up networking.

A. True
B. False
Correct Answer: B
QUESTION 2
Which two of the following are not considered features that can be configured as part of an IPsec VPN?
A. Authorization
B. Auditing
C. Confidentiality
D. Integrity
E. Authentication

Correct Answer: AB
QUESTION 3
What are two disadvantages of Cisco IOS SSL VPNs when compared with IPsec VPNs?
A. Hardware-only. The solution is implemented in hardware on either the VPN gateway or the client making the solution Cisco-proprietary.
B. Software-only. The solution is implemented in software on the VPN gateway and client.
C. Cryptographic security. Does not support the same level of encryption security as IPsec.
D. Incompatibility. Creating rules to allow SSL VPN traffic over intermediate routers and other gateways is difficult.
E. None of these.

Correct Answer: BC
QUESTION 4
Fill in the following table with the letter corresponding to the most correct answer for devices’ role in the context of remote-access and site-to-site VPNs. (The same letter can be used more than once.)
Select and Place:

Correct Answer:

QUESTION 5
Which of the following is not considered to be a VPN feature of Cisco VPN-enabled IOS routers?
A. Stateful Switchover (SSO)
B. AnyConnect standalone SSL VPN client
C. IPsec Stateful Failover
D. Voice and Video Enabled VPN (V3PN)
E. Cisco Easy VPN Remote

Correct Answer: B
QUESTION 6
Fill in the blanks in the description below with choices from the list.
At a high-level, IKE Phase I handles all _____ and _____ between VPN peers, whereas the main task of IKE Phase II is the transmission and _____ of data by applying confidentiality, integrity, authentication, and anti-replay services to it.
A. Transformation
B. Authentication
C. Negotiation
D. Verification
Correct Answer: ABC
QUESTION 7
Which four of the following encryption algorithms (ciphers) are supported on VPN-enabled Cisco IOS routers? (Choose all that apply.)

A. Blowfish
B. DUAL
C. SEAL
D. 3DES
E. AES
F. RSA
Correct Answer: CDEF
QUESTION 8
Fill in the blanks in the paragraph below with a letter corresponding to the correct choice from the list:
IKE Phase I uses a _____ to group elements together, whereas IKE Phase II groups ciphers and HMACs and other parameters in a _____.
A. Negotiation set
B. Encryption set
C. HMAC (Hashing Media Authentication Code) set
D. Transform set
E. Policy set
Correct Answer: DE
QUESTION 9
Which of the following is true about a crypto map? (Choose two that apply.)
A. You can only have one crypto map per interface.
B. You can only have one crypto map per router.
C. A single crypto map can support multiple peers.
D. A single crypto map can support only one peer.
E. Crypto maps group all the policy elements of a transform set.
Correct Answer: AC

QUESTION 10
Which of the following statements is true about using the Cisco SDM VPN Wizard?
A. You cannot configure to the same level of granularity as with the CLI.
B. There is no SDM item to test the VPN once it is created, and you must use the CLI to generate traffic to launch the VPN.
C. You can test the VPN once it is created and use the SDM to generate traffic to launch the VPN if needed.
D. The SDM cannot create a site-to-site VPN. This must be accomplished through the CLI, though a new version of the SDM is planned that will have wizards to accomplish this task.
E. None of these.
Correct Answer: C
Exam J
QUESTION 1
True or False.
An IDS is a passive technology that only reports when events trigger signatures, whereas an IPS not only reports but also blocks the intrusion.

A. True
B. False

Correct Answer: B
QUESTION 2
Which three of the following are examples of where an IDS or IPS may be deployed? (Choose all that apply.)
A. Separate network device.
B. Option card in a router or security appliance.
C. Software on a router.
D. Add-on blade module on Cisco VPN 3000 Series Concentrator.
E. All of these.

Correct Answer: ABC
QUESTION 3
Match the list of IPS technologies below with the letter corresponding to the platform to which it belongs. Letters may be used more than once.
Select and Place:

Correct Answer:

QUESTION 4
Which of the following is part of Cisco’s suite of IPS Management Software?
A. Cisco IPS Device Manager (IDM)
B. Cisco IPS Event Viewer (IEV)
C. Cisco Security Monitoring, Analysis, and Response System (MARS)
D. Cisco Router Security Device Manager (SDM)
E. All of these

Correct Answer: E
QUESTION 5
Fill in the blank.
Cisco _____ Agent is Cisco’s Host IPS (HIPS) software solution.
A. Integrity
B. Accountability
C. Information
D. Security
E. Trust
Correct Answer: D
QUESTION 6
Which two of the following are not considered advantages of Network IPS? (Choose all that apply.)
A. New end system hosts and devices can be added without the need for new sensors.
B. A single sensor can monitor traffic from many hosts.
C. Network IPS can be deployed on every end system in the network.
D. Network IPS can see all traffic inside encrypted data streams.
E. None of these.
Correct Answer: CD
QUESTION 7
Review the information in the figure (Configure->Intrusion Prevention System (IPS)->Edit IPS window).
Which of the following statements is correct about the information it contains?
(Choose two that apply.)

A. Only inbound traffic from untrusted to trusted zones will be scanned for signs of intrusion since only the Inbound Filter radio button is pressed in the bottom pane.
B. VFR (Virtual Fragmentation Reassembly) is enabled on every interface.
C. Inbound inspection of packets for intrusive activity is enabled on every interface.
D. You cannot tell whether the IPS is active or not by looking at this screenshot.
E. None of these.

Correct Answer: BC
QUESTION 8
Fill in the blanks in the following sentence with a choice from the list below in the correct order.
The IPS signature file that you download to your PC will end with a _____ file extension, whereas the file that you push to the IOS IPS will end with a _____ file extension. Both can be downloaded from Cisco.
A. .zip, .pkg
B. .cab, .zip
C. .tar, .zip
D. .pkg, .zip
E. .cab, .pkg
Correct Answer: A
QUESTION 9
View the CLI output below of an incomplete IPS configuration. Which of the following statements best describes what is missing?
ip ips config location flash:/ips/ retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
A. The basic category of IPS signatures should not be used because it is unlikely to capture trigger packets.
B. The basic category of IPS signatures should not be used because it is known to cause memory allocation errors on IOS IPS routers with less than 128MB of DRAM.
C. Only retired signatures are being used.
D. The IPS is inactive because the configuration has not been applied to an interface.
E. The IPS is inactive because the configuration has not been applied globally to the device.
Correct Answer: D

QUESTION 10
True or False.
SDEE is a push-logging protocol that can optionally use encryption, whereas syslog uses a pull-logging protocol.
A. True
B. False
Correct Answer: B
Exam K

QUESTION 1
Which two are not one of the three prongs of the Cisco Host Security Strategy?
A. Endpoint protection
B. Cisco network admission control
C. Network infection containment
D. Comprehensive network security policy
E. Cisco routers
Correct Answer: DE
QUESTION 2
What are the two main software elements that must be secured in order that an endpoint proves its trustworthiness?
A. Applications, operating system
B. Encrypted code, peer review
C. Cisco NAC, CSA
D. Anti-virus software, host firewall
E. None of these.

Correct Answer: A
QUESTION 3
Applications and operating systems are susceptible to DoS and access attacks in the same way that network devices are. What are some specific attacks that endpoints may be susceptible to? (Choose two)
A. Brute force attacks
B. Known cipher attacks
C. Buffer overflows
D. Worms, viruses, and Trojan horses

Correct Answer: CD
QUESTION 4
True or False.
Worms are like microorganisms that invade a human host, attaching to other programs and executing unwanted functions on that host.

A. True
B. False

Correct Answer: B
QUESTION 5
Put the five Ps of the phases of a worm attack in the correct order.
Build List and Reorder:

Correct Answer:
QUESTION 6
Match the following descriptions of NAC components with the letter corresponding to its name from the list of choices.
Select and Place:

Correct Answer:
QUESTION 7
Cisco Security Agent (CSA) comprises four interceptors to intercept application calls to the operating system kernel.
Fill in the blanks in the description of two of these interceptors with the choices from the list.

The ________ interceptor ensures that each application plays by the rules by only allowing write access to memory that is owned by that application.
The ________ interceptor intercepts read/write requests to the system registry or (in Unix) the run control (rc) files.

A. Execution space
B. Network
C. File System
D. Configuration
Correct Answer: AD

QUESTION 8
Which one of the following SAN interconnection technologies is used for SAN-to-SAN connectivity?
A. FCIP
B. iSCSI
C. Fiber Channel
D. Zoning
E. None of these.
Correct Answer: A
QUESTION 9
Fiber Channel VSANs are most analogous to what security feature?
A. VLANs
B. ACLs
C. 802.1X
D. None of these
Correct Answer: A
QUESTION 10
True or False.
SPIT (SPAM over IP Telephony) is a very real and current threat for VoIP networks.

A. True

B. False
Correct Answer: B
Exam L
QUESTION 1
Examine the following partial switch configuration and choose three statements that correctly describe what is being accomplished.
interface GigabitEthernet0/1
 storm-control broadcast level 62.50
 storm-control multicast level pps 3k 2k
 storm-control unicast level bps 50m 25m
 storm-control action shutdown
A. When the level of broadcasts has reached 62.5% of total traffic, the multicasts will be limited to 3,000 packets per second (pps) and unicast traffic will be limited to 50 Mbps.
B. Broadcast traffic will be allowed up to 62.5% of total bandwidth on the interface. When this is exceeded, frames will be discarded until the broadcast traffic falls back below that level.
C. Multicast traffic will be discarded above 3,000 packets per second (pps) on this port, and will only start being forwarded again after it has fallen below the 2,000 pps lower threshold.
D. Unicast traffic will be discarded above 50 Mbps on this port, and will only start being forwarded again after it has fallen below the 25 Mbps lower threshold.
E. A shutdown notification message will be sent to the SNMP NMS when all of the three configured thresholds (broadcast, multicast, and unicast) have been reached.
Correct Answer: BCD
QUESTION 2
True or False.

A CAM table overflow attack is an attack whereby the attacker injects frames into a switch port with the source address of a known station.
This is done in an attempt to fool the switch into forwarding frames that are supposed to go to the known station to the attacker’s switch port instead.

A. True
B. False
Correct Answer: B
QUESTION 3
Which statements best describe the effect or application of the following interface configuration command?
Catalyst1(config-if)#spanning-tree portfast
(Choose two that apply.)
A. BPDU guard is enabled, ensuring that the switch will refuse BPDUs on this port.
B. Root guard is enabled, ensuring that the switch will refuse root bridge BPDUs that have a superior Bridge ID (BID) to the current root bridge.
C. The port immediately transitions to a forwarding state when a link is established, bypassing spanning tree blocking mode.
D. The assumption is that there is no possibility of topological loops on this port as this command will prevent the root bridge from blocking on this port.

Correct Answer: CD
QUESTION 4
True or False.
The switchport port-security interface configuration command cannot be used on a trunk port.

A. True
B. False
Correct Answer: A
QUESTION 5
What are the two methods for bringing a port out of the err-disabled state?
A. Enter the errdisable recovery cause psecure-violation command in global configuration.
B. Enter the recover-lockout enable command in global configuration.
C. Enter the shutdown and no shutdown commands in order in interface configuration mode on the affected port.
D. Enter the no port-shutdown sticky-learn command in interface configuration mode on the affected port.

Correct Answer: AC
QUESTION 6
True or False.
The switched port analyzer (SPAN) feature on Cisco Catalyst switches can be configured to copy all the traffic only from a specific VLAN to a dedicated monitoring port.
A. True
B. False
Correct Answer: B
Exam M
QUESTION 1
What is the goal of an overall security challenge when planning a security strategy?
A. to harden all exterior-facing networks components
B. to install firewalls at all critical points in the network
C. to find a balance between the need to open networks to support evolving business requirements and the need to inform
D. to educate employees to be on the lookout for suspicious behaviour
Correct Answer: C
QUESTION 2
Which threats are the most serious?
A. inside threats
B. outside threats
C. unknown threats
D. reconnaissance threats
Correct Answer: A
QUESTION 3
Network security aims to provide which three key services? (Choose three.)
A. data integrity
B. data strategy
C. data & system availability
D. data mining
E. data storage
F. data confidentiality
Correct Answer: ACF
QUESTION 4
Which option is the term for a weakness in a system or its design that can be exploited by a threat?
A. a vulnerability
B. a risk
C. an exploit
D. an attack
E. a joke
Correct Answer: A
QUESTION 5
Which option is the term for the likelihood that a particular threat using a specific attack will exploit a particular vulnerability of a system that results in an undesirable consequence?
A. a vulnerability
B. a risk
C. an exploit
D. an attack
E. a joke
Correct Answer: B
QUESTION 6
Which option is the term for what happens when computer code is developed to take advantage of a vulnerability? For example, suppose that a vulnerability exists in a piece of software, but nobody knows about this vulnerability.
A. a vulnerability
B. a risk
C. an exploit
D. an attack
E. a joke
Correct Answer: C
QUESTION 7
What is the first step you should take when considering securing your network?
A. install a firewall
B. install an intrusion prevention system
C. update servers and user PCs with the latest patches
D. Develop a security policy
E. go drink beer and don't worry about it
Correct Answer: D
QUESTION 8
Which option is a key principle of the Cisco Self-Defending Network strategy?
A. security is static and should prevent most known attacks on the network
B. the self-defending network should be the key point of your security policy
C. integrate security throughout the existing infrastructure
D. upper management is ultimately responsible for policy implementation
Correct Answer: C
QUESTION 9
Which three options are areas of router security?
A. physical security
B. access control list security
C. zone-base firewall security
D. operating system security
E. router hardening
F. cisco IOS-IPS security
Correct Answer: ADE
QUESTION 10
You have several operating groups in your enterprise that require different access restrictions to the routers to perform their job roles. These groups range from Help Desk personnel to advanced troubleshooters. What is one methodology for controlling access rights to the router in this situation?
A. configure ACLs to control access for these different groups
B. configure multiple privilege level access
C. implement syslogging to monitor the activities of these groups
D. configure TACACS+ to perform scalable authentication
Correct Answer: B
QUESTION 11
Which of these is a GUI tool for performing security configuration on Cisco routers?
A. security appliance device manager
B. cisco CLI configuration management tool
C. cisco security device manager
D. cisco security manager
Correct Answer: C
QUESTION 12
When implementing network security, what is an important configuration task that you should perform to assist in correlating network and security events?
A. configure network time protocol
B. configure synchronized syslog reporting
C. configure a common repository of all network events for ease of monitoring
D. configure an automated network monitoring system for event correlation
Correct Answer: A
QUESTION 13
Which of these options is a Cisco IOS feature that lets you more easily configure security features on your router?
A. cisco self-defending network
B. implementing AAA command authorization
C. the auto secure CLI command
D. performing a security audit via SDM
Correct Answer: C
QUESTION 14
Which three of these options are some of the best practices when you implement an effective firewall security policy? (Choose three.)

A. position firewalls at strategic inside locations to help mitigate nontechnical attacks
B. configure logging to capture all events for forensic purposes
C. use firewalls as a primary security defense; other security measures and devices should be implemented to enhance your network security
D. position firewalls at key security boundaries
E. deny all traffic by default and permit only necessary services
Correct Answer: CDE

QUESTION 15
Which is true when configuring access control list (ACLs) on a Cisco router?
A. ACLs filter all traffic through and sourced from the router
B. apply the ACL to the interface prior to configuring access control entries to ensure that controls are applied immediately upon configuration
C. an 'implicit deny' is applied to the start of the ACL entry by default
D. only one ACL per protocol, per direction, and per interface
Correct Answer:
QUESTION 16
Which option correctly defines asymmetric encryption?
A. uses the same keys to encrypt and decrypt data
B. uses MD5 hashing algorithms for digital signage encryption
C. uses different keys to encrypt and decrypt data
D. uses SHA-1 hashing algorithms for digital signage encryption

Correct Answer: C
QUESTION 17
Which option is a desirable feature of using symmetric encryption algorithms?
A. they are often used for wire-speed encryption in data networks
B. they are based on complex mathematical operations and can easily be accelerated by hardware
C. they offer simple key management properties
D. they are best used for one-time encryption needs

Correct Answer: A
QUESTION 18
Which option is true of using cryptography hashes?
A. they are easily reversed to decipher the message context
B. they convert arbitrary data into fixed length digits
C. they are based on a two-way mathematical function
D. they are used for encrypting bulk data communications

Correct Answer: B
QUESTION 19
Which option is true of intrusion prevention systems?
A. they operate in promiscuous mode
B. they operate in inline mode
C. they have no potential impact on the data segment being monitored
D. they are more vulnerable to evasion techniques than IDS

Correct Answer: B
QUESTION 20
Which statement is true when using zone-based firewalls on a Cisco router?
A. policies are applied to traffic moving between zones, not between interfaces
B. the firewalls can be configured simultaneously on the same interface as classic CBAC using the ip inspect CLI command
C. interface ACLs are applied before zone-based policy firewalls when they are applied outbound
D. when configuring with the 'PASS' action, stateful inspection is applied to all traffic passing between the configured zones
Correct Answer: A

Flydumps Cisco 640-553 Questions and Answers Products basically comprise the simulated Cisco 640-553 exam questions and their most correct answers, accompanied by a methodical elucidation of the Cisco 640-553 answers and the probable wrong answers. The extent to which Cisco 640-553 Questions and Answers Products cover their Cisco subject is so thorough that once you are done with a Cisco product, passing the Cisco 640-553 exam on the first attempt should be a piece of cake.