Cisco CCST Cybersecurity Study Guide
The Cisco Certified Support Technician (CCST) Cybersecurity is an entry-level certification that validates foundational knowledge of security principles, network and endpoint defense, vulnerability and risk management, and incident handling. It is aimed at students, early-career IT staff, and anyone seeking to demonstrate baseline cybersecurity literacy before pursuing role-based certifications. The 50-minute exam has roughly 50 multiple-choice and interactive questions, with a passing score around 700 on a scaled basis.
Domain 1: Essential Security Principles
- The CIA triad is the core model: Confidentiality (only authorized parties can read data), Integrity (data is not altered by unauthorized parties), and Availability (systems and data are accessible to legitimate users when needed).
- Least privilege (PoLP) grants every user, process, or service only the minimum permissions required for its job, limiting the blast radius of accidents, errors, and compromised accounts.
- Authentication factors fall into three categories: something you know (password, PIN), something you have (token, smart card, phone), and something you are (biometric such as a fingerprint).
- Multi-factor authentication (MFA) requires two or more factors from different categories - for example a password plus a code from an authenticator app - so stealing one factor alone is not enough to log in.
- Defense in depth layers multiple independent security controls so that no single control failure results in compromise.
- Social engineering exploits human psychology rather than technical flaws; examples include phishing (email), vishing (voice), pretexting (fabricated scenario), and tailgating (following someone through a door).
- Encryption protects confidentiality by turning plaintext into ciphertext readable only with the key; authenticated modes like AES-GCM and HMACs add integrity by detecting tampering.
- Separation of duties splits a sensitive task so one person cannot both initiate and approve the same change, reducing fraud and error.
- Secure by default means everything (ports, services, permissions) starts closed or denied and is only opened when explicitly required.
- Data classification matches controls and storage tiers to data sensitivity, so high-value data gets strong protection and low-value data is not over-protected.
- openssl genrsa -out key.pem 2048 generates a 2048-bit RSA private key; openssl req -new -x509 -key key.pem -out cert.pem -days 365 creates a self-signed certificate.
- sha256sum file.iso computes a SHA-256 hash on Linux to verify file integrity; openssl enc -aes-256-cbc -salt -in secret.txt -out secret.enc symmetrically encrypts a file.
- On Windows, net localgroup Administrators jdoe /add adds a user to the local Administrators group; on Linux, editing minlen in pwquality.conf and running chage -M 90 enforce stronger password policy.
- Just-in-time privileged access grants elevated rights only when needed and revokes them afterward, removing the risk of standing (always-on) admin accounts; automatic deprovisioning and SSO with centralized policy further reduce identity risk.
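The integrity points above (sha256sum-style verification, and why a keyed HMAC detects tampering that a bare hash does not) worked through in Python, as an added example that is not from the study guide; the file contents and key are constructed, and the function names are my own.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

def sha256_hex(data: bytes) -> str:
    """Same digest that 'sha256sum file' prints (lower-case hex)."""
    return hashlib.sha256(data).hexdigest()

def checksum_line(name: str, data: bytes) -> str:
    """One line in the text-mode format sha256sum writes: '<hex>  <name>' (two spaces)."""
    return f"{sha256_hex(data)}  {name}"

def verify_checksums(listing: str, files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Mirrors 'sha256sum -c': returns (name, 'OK' | 'FAILED' | 'MISSING') per listed file."""
    results = []
    for line in listing.splitlines():
        expected, name = line.split("  ", 1)
        if name not in files:
            results.append((name, "MISSING"))
        elif hmac.compare_digest(sha256_hex(files[name]), expected):
            results.append((name, "OK"))
        else:
            results.append((name, "FAILED"))
    return results

def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag: without the key nobody can produce a valid tag for altered data,
    whereas a plain SHA-256 can simply be recomputed over the altered file."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def hmac_verify(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)

# Constructed sample: a config file before and after an unwanted change.
ORIGINAL = b"allow_ssh_password_login = no\n"
TAMPERED = b"allow_ssh_password_login = yes\n"
KEY = b"constructed-demo-key"
```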
Domain 2: Basic Network Security Concepts
- A firewall inspects traffic and permits or denies packets based on rules that match source/destination IP, port, protocol, or application; it is a primary perimeter control.
- A VPN creates an encrypted tunnel across an untrusted network (such as the Internet), protecting confidentiality and integrity of data in transit; an IPsec site-to-site VPN gives cost-effective secure connectivity between offices.
- An IDS passively detects and alerts on suspicious activity, while an IPS sits inline in the traffic path and can actively block or drop malicious traffic in real time.
- Common network attacks include man-in-the-middle (intercepting/altering communications) and DoS/DDoS (flooding a target to exhaust resources and deny service).
- Network segmentation using VLANs and subnets, with access control between zones, limits lateral movement, contains breaches, and can also improve performance.
- NAT maps private internal addresses to public IPs, so internal hosts are not directly reachable from the Internet by their private address, reducing the attack surface.
- Role-based access control (RBAC) assigns permissions to roles rather than individuals, simplifying administration and enforcing least privilege.
- For suspicious emails, do not click links or attachments; verify with the sender or IT through a separate known channel.
- A WAF or API gateway with rate limiting and bot filtering blocks abuse and protects application-layer resources; a CDN caches content closer to users and can absorb or filter malicious traffic.
- An upstream DDoS scrubbing service plus autoscaling with sensible upper limits absorbs volumetric attacks while capping cost impact.
- switchport port-security maximum 1 limits an access port to a single learned MAC address to prevent unauthorized devices.
- iptables -A INPUT -p tcp --dport 23 -j DROP blocks incoming Telnet (port 23) traffic on Linux.
- In a Cisco ACL, permit tcp host 10.1.1.5 any eq 443 permits HTTPS from one specific host to any destination.
- nmap -sS performs a stealthy TCP SYN (half-open) scan; securing VTY lines uses line vty 0 4 with login local and transport input ssh to force encrypted SSH access only.
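A first-match evaluator for the ACL semantics described above, added here as an example (not Cisco code): it parses a small IOS-style subset (host, any, wildcard masks, eq port), walks the list top to bottom and applies the implicit deny at the end. The sample ACL reuses the page's HTTPS permit; the other two entries and all function names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port

def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)  # IOS wildcard = inverted netmask
    return ipaddress.ip_network(f"{t}/{netmask}", strict=False)

def parse_ace(line: str) -> Ace:
    """Parse the IOS-style subset '<permit|deny> <proto> <src> <dst> [eq <port>]'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, dst = _take_addr(rest), _take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, dport)

def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """First match wins, top to bottom; returns (action, index of the matching ACE).
    With no match the implicit 'deny ip any any' at the end of every IOS ACL applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None

# Constructed ACL: the page's HTTPS permit, a Telnet block, then the rest of the subnet.
ACL = [parse_ace(ace) for ace in ("permit tcp host 10.1.1.5 any eq 443",
                                  "deny tcp any any eq 23",
                                  "permit ip 10.1.1.0 0.0.0.255 any")]
```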
Domain 3: Endpoint Security
- Antivirus and EDR (Endpoint Detection and Response) monitor endpoints in real time, use signature and behavioral analysis to detect malware, block threats, and provide tools to investigate and remediate incidents on the device.
- Timely patching closes publicly disclosed vulnerabilities before attackers can exploit the known weakness on unpatched systems.
- Endpoint hardening combines least-privilege accounts, MFA, and full-disk encryption to reduce attack surface and protect data if a device is lost or stolen.
- Ransomware is malware that encrypts a victim's files or whole drive with strong cryptography and demands payment (often cryptocurrency) for the decryption key.
- A host-based firewall enforces inbound and outbound rules on the device itself, providing defense in depth even when the host is inside the corporate perimeter or on an untrusted network.
- Indicators of compromise on an endpoint include unknown processes consuming high CPU (possible cryptominer or backdoor) and unexpected outbound connections to unfamiliar hosts (possible command-and-control).
- Good Wi-Fi security practices include using WPA3 or WPA2 encryption and changing default administrator credentials on access points and routers.
- Staging patches in rings - testing on a pilot group first, then rolling out during maintenance windows - balances security with availability and avoids breaking production.
- A centrally enforced golden-image baseline plus automated software/patch deployment reduces both security risk and operational cost.
- Collecting only high-value security events instead of all verbose logs reduces ingestion and storage cost while keeping detection signal.
- Use the full-disk encryption built into the OS; in PowerShell, Enable-BitLocker -MountPoint C: -TpmProtector enables BitLocker on the C: volume with the key bound to the TPM.
- On Linux, chmod 600 sets read and write permission for the owner only, removing all group and other access.
- gpupdate /force immediately reapplies all Group Policy settings on a Windows endpoint.
- ufw deny 3389/tcp blocks all incoming connections on port 3389 (RDP) using the Linux Uncomplicated Firewall.
Domain 4: Vulnerability Assessment and Risk Management
- A vulnerability is a weakness or flaw (software bug, misconfiguration, design error) that a threat could exploit; it is distinct from the threat (the actor/event) and the risk (likelihood and impact).
- Risk is characterized as a function of likelihood and impact, often expressed as Risk = Likelihood x Impact.
- A CVE (Common Vulnerabilities and Exposures) identifier, maintained by MITRE (e.g. CVE-2021-44228), uniquely names a specific publicly known vulnerability so tools and teams can reference the same flaw.
- CVSS (Common Vulnerability Scoring System) rates severity on a 0.0 to 10.0 scale based on metrics like attack vector, complexity, privileges required, user interaction, and impact on confidentiality, integrity, and availability.
- A zero-day is a vulnerability unknown to the vendor or not yet patched, so defenders have had zero days to fix it; signature-based defenses often miss it.
- Prioritize remediation by risk - combine CVSS severity with real-world exposure and asset criticality - rather than patching purely by score.
- Timely patch management plus regular vulnerability scanning together reduce vulnerability risk; scanning compares versions and configurations against vulnerability databases.
- Reducing attack surface by disabling unneeded services and applying least privilege lowers the number of exploitable entry points.
- Catching flaws before deployment is far cheaper than remediating them in production; an accurate asset inventory prevents wasted spend and avoids missing real systems.
- Risk responses include mitigate (apply a control), transfer (insurance), avoid (stop the activity), and accept (formally sign off, often with a cheaper compensating control).
- Annualized Loss Expectancy (ALE = SLE x ARO) helps leaders decide whether a control's cost is justified by the expected annual loss it would reduce.
- Scheduling vulnerability scans off-peak reduces production load while still surfacing accurate findings; tuning scan policy and suppressing validated false positives focuses effort on actionable risk.
- nmap -sV 10.0.0.20 performs service and version detection; nmap -sC runs the default NSE scripts against a target.
- In CVSS, AV:N means the attack vector is Network (remotely exploitable); dpkg -l (Debian/Ubuntu) and rpm -qa (RHEL) list installed packages for vulnerability comparison.
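The Domain 4 formulas (Risk = Likelihood x Impact, ALE = SLE x ARO) and the advice to prioritize by exposure and asset criticality rather than raw CVSS, worked through as an added example that is not part of the study guide. The exposure weight and the sample findings are constructed assumptions; only the CVE id reused from the page is real.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Finding:
    ident: str               # CVE id or a local tracking id
    cvss: float              # CVSS base score, 0.0 to 10.0
    internet_exposed: bool   # reachable from untrusted networks?
    asset_criticality: int   # 1 (low value) .. 5 (crown jewels)

def risk_score(f: Finding) -> float:
    """Risk = Likelihood x Impact. Likelihood comes from CVSS severity, scaled down when
    the asset is not exposed; impact comes from asset criticality. The 0.4 weight for
    unexposed assets is an assumed tuning value, not part of CVSS."""
    likelihood = (f.cvss / 10.0) * (1.0 if f.internet_exposed else 0.4)
    impact = f.asset_criticality / 5.0
    return round(likelihood * impact, 3)

def prioritize(findings: List[Finding]) -> List[str]:
    """Remediation order by risk, not by raw CVSS score."""
    return [f.ident for f in sorted(findings, key=risk_score, reverse=True)]

def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro

def control_justified(sle: float, aro_before: float, aro_after: float,
                      annual_control_cost: float) -> Tuple[bool, float]:
    """A control pays for itself when the ALE it removes exceeds its annual cost."""
    reduction = ale(sle, aro_before) - ale(sle, aro_after)
    return reduction > annual_control_cost, reduction

# Constructed findings: the page's CVE example (CVSS 10.0) on an internal, low-value host,
# versus two constructed findings on Internet-facing assets.
FINDINGS = [
    Finding("CVE-2021-44228", 10.0, internet_exposed=False, asset_criticality=2),
    Finding("VULN-B (constructed)", 7.5, internet_exposed=True, asset_criticality=5),
    Finding("VULN-C (constructed)", 9.8, internet_exposed=True, asset_criticality=1),
]
```

Sorting FINDINGS by CVSS alone would put the 10.0 first; by risk the exposed crown-jewel host with the 7.5 comes first.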
Domain 5: Incident Handling
- The NIST SP 800-61 incident response lifecycle has four phases in order: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity (lessons learned).
- Containment isolates affected systems to stop the incident from spreading; it is performed before eradication so responders can preserve evidence and understand the full scope.
- Eradication removes the threat (malware, attacker accounts, persistence) and recovery restores systems to normal, validated operation.
- Chain of custody is the documented record of who collected, handled, and transferred evidence and when, proving it was not tampered with so it is admissible in court or regulatory proceedings.
- Order of volatility dictates collecting the most volatile evidence first - memory (RAM) and running processes before disk and archived logs.
- An incident response plan defines roles, responsibilities, and procedures so everyone knows who does what during an incident.
- The post-incident lessons-learned review documents what happened, what worked, and what failed, feeding back into improved detection rules, patched gaps, and updated plans to prevent recurrence.
- SOAR (Security Orchestration, Automation, and Response) automates triage and routine response steps so analysts focus on complex decisions; tested runbooks and alert tuning improve efficiency and reduce cost.
- Isolating only the affected network segment limits the breach while preserving availability of unaffected services; immutable tiered log storage preserves tamper-proof evidence while controlling archive cost.
- On Linux, netstat -tunap shows all active connections with the owning process and PID; on Windows, netstat -ano displays active TCP/UDP connections with owning PIDs.
- dd if=/dev/sdb of=image.dd bs=4M conv=noerror,sync creates a forensic bit-for-bit disk image, and sha256sum image.dd verifies the image has not been altered.
- Capturing process memory maps and saving running process lists preserve volatile evidence before a system is powered off.
- wevtutil epl System exports the Windows System event log to a file for offline analysis.
- ip link set eth0 down immediately isolates a compromised Linux host by disabling its network interface without powering it off (preserving memory evidence).
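Parsing the netstat -tunap output mentioned above and flagging the "unexpected outbound connection" indicator from Domain 3, as an added example (not part of the study guide). The sample output uses documentation address ranges and is constructed; the trusted networks and expected-egress program list are an assumed site baseline.

```python
import ipaddress
import re
from typing import Dict, List

# One data line of Linux 'netstat -tunap'; UDP sockets carry no State column.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)/(?P<prog>\S+)"
)

# Constructed sample output (documentation address ranges, not real hosts).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      640/sshd
tcp        0      0 10.0.0.15:22            10.0.0.7:51234          ESTABLISHED 812/sshd
tcp        0      0 10.0.0.15:44120         198.51.100.20:443       ESTABLISHED 1520/firefox
tcp        0      0 10.0.0.15:49812         203.0.113.9:4444        ESTABLISHED 2931/python3
udp        0      0 10.0.0.15:68            0.0.0.0:*                           701/dhclient
"""

# Assumed site baseline: internal ranges plus programs that legitimately talk to the Internet.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_EGRESS = {"firefox", "apt", "chronyd"}

def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Parse netstat output into dicts keyed by the regex group names; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def suspicious_outbound(conns: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """ESTABLISHED sessions to hosts outside the trusted networks from a program that is
    not on the expected-egress list: the 'unexpected outbound connection' indicator."""
    hits = []
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue
        if any(ipaddress.ip_address(c["faddr"]) in net for net in TRUSTED_NETS):
            continue
        if c["prog"] not in EXPECTED_EGRESS:
            hits.append(c)
    return hits
```

The flagged row is exactly the kind of finding that should be preserved (process list, memory) before the host is isolated with ip link set eth0 down.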
Cisco CCST Cybersecurity exam tips
- Watch for IDS vs IPS distinctions: IDS only detects and alerts (passive), while IPS sits inline and can actively block. Likewise know that containment comes before eradication in the incident lifecycle.
- Memorize the order of the four NIST incident response phases and the order of volatility (memory before disk) - these sequence questions appear frequently and trip up candidates.
- Expect command-line interpretation questions across Windows (PowerShell, net, gpupdate, wevtutil), Linux (openssl, iptables, ufw, chmod, nmap, dd), and Cisco IOS (switchport, ACLs, line vty). Recognize what each command does at a glance.
- When a question describes an attack scenario, classify it first (social engineering vs network attack vs malware) - the correct control usually follows directly from the category.
- The exam is only 50 minutes for roughly 50 questions, so budget about a minute each; flag long interactive or drag-and-drop items and return to them rather than stalling.
Study guide FAQ
What background do I need before taking the CCST Cybersecurity exam?
It is an entry-level certification with no formal prerequisites, but basic familiarity with networking concepts (IP addresses, ports, protocols) and general computer literacy helps a great deal. It pairs naturally with the CCST Networking certification and serves as a foundation before role-based certs like CyberOps Associate.
How is the exam structured and what score do I need to pass?
The exam runs about 50 minutes with roughly 50 questions in multiple-choice and interactive formats (such as drag-and-drop and matching). It uses a scaled scoring model with a passing score around 700, and results are reported immediately after you finish.
Do I need to write or memorize code and commands?
You do not write scripts, but you must recognize and interpret common commands across Windows, Linux, and Cisco IOS - for example knowing that ufw deny 3389/tcp blocks RDP or that nmap -sV does version detection. Focus on what each command accomplishes rather than rote syntax.
How much math or formal risk calculation is involved?
The math is light and conceptual. You should understand that Risk = Likelihood x Impact, recognize CVSS scores on a 0-10 scale, and grasp the idea of Annualized Loss Expectancy (ALE = SLE x ARO) for justifying control cost, but you will not perform heavy calculations under time pressure.