200-201 Exam Dumps - Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)

An Intrusion Prevention System (IPS) is a security control designed to both detect and actively prevent malicious network activity. Unlike an Intrusion Detection System (IDS), which only monitors and alerts, an IPS must be able to block or drop traffic immediately when a threat is identified. This functional requirement directly determines the appropriate traffic integration method.

Inline deployment places the IPS directly in the path of network traffic, meaning all packets must pass through the device before reaching their destination. This positioning allows the IPS to inspect packets in real time, compare them against known attack signatures, and take immediate action such as dropping packets, resetting connections, or blocking traffic altogether. Because the requirement explicitly states that suspicious traffic must be blocked in real life, inline integration is mandatory.

The other options do not meet the operational requirements of an IPS. Traffic mirroring (SPAN) sends a copy of traffic to a monitoring device but does not allow the IPS to influence or stop traffic flow. Network TAPs also duplicate traffic for analysis but are passive by design and incapable of enforcing security decisions. Passive deployments, by definition, only observe traffic and generate alerts without prevention capabilities.

Placing the IPS inline behind the DMZ firewall and before the core switches ensures that malicious traffic can be stopped before it reaches internal network resources. This approach aligns with cybersecurity operations best practices for protecting sensitive network segments such as the DMZ.

Therefore, inline traffic integration is the correct and verified solution.

Personally Identifiable Information (PII) refers to any data that can be used to identify a specific individual. Safeguarding PII is critical to protect individuals’ privacy and prevent identity theft. A driver’s license number (B) is considered PII because it is unique to an individual and can be used to confirm their identity. Other examples of PII include social security numbers, passport numbers, and financial account numbers. It is important to protect such information from unauthorized access to maintain personal privacy and security.

Identifying and Safeguarding Personally Identifiable Information (PII)2.

 The virtual address space for a Windows process is the set of virtual memory addresses that can be used by the process. Each process has its own virtual address space that is isolated from other processes. The virtual address space is divided into regions that have different attributes, such as read-only, read-write, execute, and so on. The virtual address space is mapped to the physical memory by the operating system using a data structure called a page table. References:

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 4: Host-Based Analysis, Lesson 4.1: Windows Operating System

Virtual Address Space

When a company workstation is compromised, the stakeholders that must be involved are the ones who are responsible for the security incident response process. According to the table, these are Employee 4 (Security Operation Center Analyst), Employee 6 (Head of Network and Security Infrastructure Services), and Employee 7 (Technical Director). The other employees have different roles that are not directly related to the incident response process, such as accounting, financial management, or system administration. References := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 1: Security Concepts, Lesson 1.4: Security Monitoring, Topic 1.4.1: Security Operations Center

Persistence mechanisms allow attackers to maintain access to a compromised system across reboots, logoffs, or security events. In Windows environments, two of the most common and well-documented persistence techniques involve Registry Run keys and scheduled tasks.

The exhibit highlights several indicators of compromise, including new Registry entries under the Run key and newly created scheduled tasks that execute during non-business hours. Registry Run keys enable programs to execute automatically when the system or user starts, making them a frequent target for malware and attackers seeking long-term access. Similarly, Task Scheduler allows attackers to execute malicious code at predefined times or events, often designed to evade detection.

Analyzing both the Windows Registry changes and Task Scheduler tasks directly targets these persistence mechanisms. This aligns with host-based analysis best practices, which prioritize startup execution points and scheduled execution artifacts when persistence is suspected.

The other options are incomplete or misaligned. Windows Defender status and login attempts may indicate security tampering or brute-force activity, but they do not directly reveal persistence techniques. User account logins alone do not explain automated re-execution of malicious code, and deleting Run keys without full analysis risks destroying forensic evidence.

Therefore, focusing on Registry changes and Task Scheduler tasks provides the most accurate and operationally sound method for uncovering attacker persistence.

SQL injection is a type of vulnerability that allows an attacker to execute malicious SQL statements on a database server. This can result in reading, writing, or erasing information from the database, as well as bypassing authentication, executing commands, or compromising the server. SQL injection exploits the lack of input validation or output encoding in web applications that interact with databases. References := Cisco Cybersecurity Operations Fundamentals, Module 1: Security Concepts, Lesson 1.3:Common Network Application Operations and Attacks, Topic 1.3.2: Web Application Attacks

An untampered disk image is one that has not been altered since its creation. This is verified by comparing the stored hash of the image at the time of creation with a newly computed hash; if they match, the image is considered untampered. Tampered images, on the other hand, may be used during the root cause analysis process to understand how and what was altered12. References: The differences between tampered and untampered disk images are discussed in cybersecurity literature, including Cisco’scertification guides, which explain the importance of hash matching for verifying the integrity of disk images