CCNA Cyber Ops Certification


“The CCNA Cyber Ops certification prepares candidates to begin a career working with associate-level cybersecurity analysts within security operations centers.”

You should see the chaos out there, both at the personal security level and at the enterprise level. I am surprised that hackers don’t do more damage, well maybe they do and we don’t know about it.

My CCNA Datacenter is close to the renewal date, so I think it is a good idea to work on this certification because Cisco will renew my Datacenter while achieving this one. There will be a couple of nice books to study for sale on Amazon, but let’s make it fun and create a study guide. You can find the blueprints for these two tests here: Understanding Cisco Cybersecurity Fundamentals (210-250) and here: Implementing Cisco Cybersecurity Operations (210-255).

I warn you, I will not write anything for this one, I will just point to the location of the useless knowledge, think of this page as your central command on where to find the information you need to study, in other words, I saved you the time to google it.

1.0 Network Concepts

1.1 Describe the function of the network layers as specified by the OSI and the TCP/IP network models.

1.2 Describe the operation of the following

1.2.a From Cisco: IP From Wikipedia: IP
1.2.b From Cisco: TCP From Wikipedia: TCP
1.2.c UDP
1.2.d ICMP

1.3 Describe the operation of these network services

1.3.a From Cisco: ARP From Wikipedia: ARP
1.3.b From Cisco: DNS From Wikipedia: DNS
1.3.c DHCP

1.4 Describe the basic operation of these network device types

1.4.a From Cisco: Router From Wikipedia: Router
1.4.b From Cisco: Switch From Wikipedia: Switch
1.4.c Hub
1.4.d Bridge
1.4.e Wireless access point (WAP)
1.4.f Wireless LAN controller (WLC)

1.5 Describe the functions of these network security systems as deployed on the host, network, or the cloud:

1.5.a Firewall: A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
1.5.b Cisco Intrusion Prevention System (IPS): An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. (Generic IPS)
1.5.c Cisco Advanced Malware Protection (AMP): Malware, short for “malicious software,” refers to a type of computer program designed to infect a legitimate user’s computer and inflict harm on it in multiple ways. Malware can infect computers and devices in several ways and comes in a number of forms, just a few of which include viruses, worms, Trojans, spyware, or any type of malicious code that infiltrates a computer.
1.5.d Web Security Appliance (WSA): A security appliance is any form of server appliance that is designed to protect computer networks from unwanted traffic. Cisco Cloud Web Security (CWS): As a cloud-delivered web proxy, our Cloud Web Security product provides security and control for the distributed enterprise across one of the top attack vectors: the web. Users are protected on any device and in any location through Cisco worldwide threat intelligence and advanced threat defense capabilities.
1.5.e Email Security Appliance (ESA): Cisco Email Security protects against ransomware, business email compromise, spoofing, and phishing. Cisco Cloud Email Security (CES)

1.6 Describe IP subnets and communication within an IP subnet and between IP subnets

1.7 Describe the relationship between VLANs and data visibility: When properly configured, VLAN segmentation severely hinders access to system attack surfaces. It reduces packet-sniffing capabilities and increases threat agent effort. Finally, authorized users only “see” the servers and other devices necessary to perform their daily tasks. (See an example of data visibility from the security point of view here)

1.8 Describe the operation of ACLs applied as packet filters on the interfaces of network devices: Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router’s interfaces.

1.9 Compare and contrast deep packet inspection with packet filtering and stateful firewall operation

Deep packet inspection (DPI): provides the ability to look into the packet past the basic header information. DPI intelligently determines the contents of a particular packet, and then either records that information for statistical purposes or performs an action on the packet.
Packet filtering: a firewall technique used to control network access by monitoring outgoing and incoming packets and allowing them to pass or halt based on the source and destination Internet Protocol (IP) addresses, protocols and ports.
Stateful firewall operation: tracks the operating state and characteristics of network connections traversing it. The firewall is configured to distinguish legitimate packets for different types of connections. Only packets matching a known active connection are allowed to pass the firewall.
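To make the packet filtering versus stateful contrast in 1.9 concrete, here is an added example (not from the original post or from Cisco) that runs the same three constructed packets through both models. The rule set, addresses and the `StatefulFirewall` class are assumptions for illustration; the stateless rule matches on the ACK flag, a common way to approximate return traffic without keeping state.

```python
# Constructed packets: (direction, src, sport, dst, dport, tcp_flags)
PACKETS = [
    ("out", "10.0.0.5", 51000, "198.51.100.9", 443, "S"),   # client opens HTTPS
    ("in", "198.51.100.9", 443, "10.0.0.5", 51000, "SA"),   # genuine server reply
    ("in", "203.0.113.66", 443, "10.0.0.8", 40000, "A"),    # no outbound ever seen
]


def packet_filter(pkt):
    """Stateless filter: each packet is judged only on its own header fields."""
    direction, _src, sport, _dst, dport, flags = pkt
    if direction == "out":
        return dport == 443
    # Inbound: accept anything that looks like return traffic from port 443.
    return sport == 443 and "A" in flags


class StatefulFirewall:
    """Hypothetical minimal state table (no timeouts or connection teardown)."""

    def __init__(self):
        self.connections = set()

    def check(self, pkt):
        direction, src, sport, dst, dport, _flags = pkt
        if direction == "out":
            if dport != 443:
                return False
            self.connections.add((src, sport, dst, dport))
            return True
        # Inbound is allowed only as the reverse of a recorded connection.
        return (dst, dport, src, sport) in self.connections


def compare(packets):
    """Return one (packet_filter_verdict, stateful_verdict) pair per packet."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.check(p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdicts in zip(PACKETS, compare(PACKETS)):
        print(pkt, "filter=%s stateful=%s" % verdicts)
```

The third packet is where the two models disagree: its header fields satisfy the stateless rule, but it matches no tracked connection.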

1.10 Compare and contrast inline traffic interrogation and taps or traffic mirroring

Inline traffic interrogation: an inline tool passes live traffic directly through a tool to process the live traffic before it is forwarded on to its final destination.
Taps: a network TAP is a simple device that connects directly to the cabling infrastructure to split or copy packets for use in analysis, security, or general network management.
Traffic mirroring: SPAN (Switch Port ANalyzer) is a software function of a switch or router that duplicates traffic from incoming or outgoing ports and forwards the copied traffic to a special SPAN port, sometimes called a mirror port.

1.11 Compare and contrast the characteristics of data obtained from taps or traffic mirroring and NetFlow in the analysis of network traffic. (IEEE paper on NetFlow)

1.12 Identify potential data loss from provided traffic profiles: an inline tool, such as Intrusion Prevention Systems (IPS), can drop or even add packets into the production network. Since it is running as an inline application, a tool failure could be devastating and bring down the entire system.

Note: Not sure if “Data Loss” means the potential problems with the monitoring or the data lost to unauthorized users. The following paragraph was taken from the Cisco Cloud Security 1.0, Design Guide => Chapter: End-To-End Visibility

Detecting Data Loss
Data loss describes the loss of critical business data to unauthorized users. Data loss typically involves a data breach and back end transmission of sensitive data such as credit-card data, patient or financial information. Detecting data loss is imperative for implementing security controls for various compliance regimes such as PCI DSS and HIPAA. However, data loss incidents are unintentionally undetectable.

Data loss incidents normally involve asymmetrical outbound flows, in which outbound flows significantly outweigh a few inbound packets. Cisco CTD can trigger data loss alarms on such conditions. NetFlow generated flows contain flow direction, so Cisco CTD can leverage NetFlow generated flows and trigger data loss alarms on asymmetrical flows. Data loss events can be viewed using the data loss pane of the Cyber Threats Dashboard, as shown in Figure 4-13.

Figure 4-13 Detected Data Loss
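The asymmetric-flow idea in the excerpt above can be sketched as follows. This is an added example, not Cisco CTD logic or code from the design guide: the flow records are constructed, and the internal range and both thresholds are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: 10.0.0.0/8 is the internal address space.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed unidirectional flow records (src, dst, bytes); not real traffic.
FLOWS = [
    ("10.1.1.20", "203.0.113.50", 48_000_000),  # large upload
    ("203.0.113.50", "10.1.1.20", 210_000),     # small return traffic
    ("10.1.1.31", "198.51.100.7", 120_000),
    ("198.51.100.7", "10.1.1.31", 9_500_000),   # ordinary download
    ("10.1.1.52", "203.0.113.99", 15_000_000),  # upload with no return flow seen
    ("10.1.1.44", "10.1.2.9", 30_000_000),      # internal-to-internal, out of scope
]


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def pair_flows(flows):
    """Merge one-way records into byte totals per (internal host, external peer)."""
    totals = defaultdict(lambda: {"out": 0, "in": 0})
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)]["out"] += nbytes
        elif is_internal(dst) and not is_internal(src):
            totals[(dst, src)]["in"] += nbytes
    return totals


def data_loss_candidates(flows, min_out_bytes=10_000_000, min_ratio=20.0):
    """Return (host, peer, out, in, ratio) where outbound heavily outweighs inbound."""
    alerts = []
    for (host, peer), t in pair_flows(flows).items():
        if t["out"] < min_out_bytes:
            continue  # small transfers are not interesting, whatever the ratio
        ratio = t["out"] / max(t["in"], 1)  # a missing return flow counts as 1 byte
        if ratio >= min_ratio:
            alerts.append((host, peer, t["out"], t["in"], round(ratio, 1)))
    return sorted(alerts, key=lambda a: a[2], reverse=True)


if __name__ == "__main__":
    for alert in data_loss_candidates(FLOWS):
        print(alert)
```

Because NetFlow records are one-way, the two directions of a conversation have to be paired before any ratio can be computed; the volume floor keeps chatty but tiny sessions from alerting.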


Now that we’ve covered the basics, in future posts I will write about the remaining topics:


5 thoughts on “CCNA Cyber Ops Certification

  1. Hi javirodz, I am going to take my SECFND soon, just want to say thank you for your efforts! best, Tzu-Che
