March Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

200-201 Exam Dumps - Understanding Cisco Cybersecurity Operations Fundamentals (200-201 CBROPS)

Question # 4

Refer to the exhibit.

What is the outcome of the command?

A.

TCP rule that detects TCP packets with the SYN flag in an external FTP server

B.

TCP rule that detects TCP packets with a SYN flag in the internal network

C.

TCP rule that detects TCP packets with a ACK flag in the internal network

D.

TCP rule that detects TCP packets with the ACK flag in an external FTP server

Full Access
Question # 5

Which process is used when IPS events are removed to improve data integrity?

A.

data availability

B.

data normalization

C.

data signature

D.

data protection

Full Access
Question # 6

What is the difference between deep packet inspection and stateful inspection?

A.

Deep packet inspection is more secure than stateful inspection on Layer 4

B.

Stateful inspection verifies contents at Layer 4 and deep packet inspection verifies connection at Layer 7

C.

Stateful inspection is more secure than deep packet inspection on Layer 7

D.

Deep packet inspection allows visibility on Layer 7 and stateful inspection allows visibility on Layer 4

Full Access
Question # 7

What is the impact of encryption?

A.

Confidentiality of the data is kept secure and permissions are validated

B.

Data is accessible and available to permitted individuals

C.

Data is unaltered and its integrity is preserved

D.

Data is secure and unreadable without decrypting it

Full Access
Question # 8

Which information must an organization use to understand the threats currently targeting the organization?

A.

threat intelligence

B.

risk scores

C.

vendor suggestions

D.

vulnerability exposure

Full Access
Question # 9

An engineer received an alert affecting the degraded performance of a critical server Analysis showed a heavy CPU and memory load What is the next step the engineer should take to investigate this resource usage7

A.

Run "ps -ef to understand which processes are taking a high amount of resources

B.

Run "ps -u" to find out who executed additional processes that caused a high load on a server

C.

Run "ps -m" to capture the existing state of daemons and map the required processes to find the gap

D.

Run "ps -d" to decrease the priority state of high-load processes to avoid resource exhaustion

Full Access
Question # 10

What is the relationship between a vulnerability and a threat?

A.

A threat exploits a vulnerability

B.

A vulnerability is a calculation of the potential loss caused by a threat

C.

A vulnerability exploits a threat

D.

A threat is a calculation of the potential loss caused by a vulnerability

Full Access
Question # 11

What is the difference between mandatory access control (MAC) and discretionary access control (DAC)?

A.

MAC is controlled by the discretion of the owner and DAC is controlled by an administrator

B.

MAC is the strictest of all levels of control and DAC is object-based access

C.

DAC is controlled by the operating system and MAC is controlled by an administrator

D.

DAC is the strictest of all levels of control and MAC is object-based access

Full Access
Question # 12

How does an attacker observe network traffic exchanged between two users?

A.

port scanning

B.

man-in-the-middle

C.

command injection

D.

denial of service

Full Access
Question # 13

Refer to the exhibit. An attacker scanned the server using Nmap. What did the attacker obtain from this scan?

A.

Identified a firewall device preventing the pert state from being returned.

B.

Identified open SMB ports on the server

C.

Gathered information on processes running on the server

D.

Gathered a list of Active Directory users

Full Access
Question # 14

An engineer received a flood of phishing emails from HR with the source address HRjacobm@companycom. What is the threat actor in this scenario?

A.

phishing email

B.

sender

C.

HR

D.

receiver

Full Access
Question # 15

Which two elements are used for profiling a network? (Choose two.)

A.

session duration

B.

total throughput

C.

running processes

D.

listening ports

E.

OS fingerprint

Full Access
Question # 16

An investigator is examining a copy of an ISO file that is stored in CDFS format. What type of evidence is this file?

A.

data from a CD copied using Mac-based system

B.

data from a CD copied using Linux system

C.

data from a DVD copied using Windows system

D.

data from a CD copied using Windows

Full Access
Question # 17

Why is encryption challenging to security monitoring?

A.

Encryption analysis is used by attackers to monitor VPN tunnels.

B.

Encryption is used by threat actors as a method of evasion and obfuscation.

C.

Encryption introduces additional processing requirements by the CPU.

D.

Encryption introduces larger packet sizes to analyze and store.

Full Access
Question # 18

What is indicated by an increase in IPv4 traffic carrying protocol 41 ?

A.

additional PPTP traffic due to Windows clients

B.

unauthorized peer-to-peer traffic

C.

deployment of a GRE network on top of an existing Layer 3 network

D.

attempts to tunnel IPv6 traffic through an IPv4 network

Full Access
Question # 19

Refer to the exhibit.

In which Linux log file is this output found?

A.

/var/log/authorization.log

B.

/var/log/dmesg

C.

var/log/var.log

D.

/var/log/auth.log

Full Access
Question # 20

Which tool provides a full packet capture from network traffic?

A.

Nagios

B.

CAINE

C.

Hydra

D.

Wireshark

Full Access
Question # 21

What are two differences between tampered disk images and untampered disk images'? (Choose two.)

A.

Tampered Images are used in a security investigation process

B.

Untampered images can be used as law enforcement evidence.

C.

The image is untampered if the existing stored hash matches the computed one

D.

The image is tampered if the stored hash and the computed hash are identical

E.

Tampered images are used as an element for the root cause analysis report

Full Access
Question # 22

What is a benefit of agent-based protection when compared to agentless protection?

A.

It lowers maintenance costs

B.

It provides a centralized platform

C.

It collects and detects all traffic locally

D.

It manages numerous devices simultaneously

Full Access
Question # 23

Refer to the exhibit.

A security analyst is investigating unusual activity from an unknown IP address Which type of evidence is this file1?

A.

indirect evidence

B.

best evidence

C.

corroborative evidence

D.

direct evidence

Full Access
Question # 24

Refer to the exhibit.

An attacker gained initial access to the company s network and ran an Nmap scan to advance with the lateral movement technique and to search the sensitive data Which two elements can an attacker identify from the scan? (Choose two.)

A.

workload and the configuration details

B.

user accounts and SID

C.

number of users and requests that the server is handling

D.

functionality and purpose of the server

E.

running services

Full Access
Question # 25

Which list identifies the information that the client sends to the server in the negotiation phase of the TLS handshake?

A.

ClientStart, ClientKeyExchange, cipher-suites it supports, and suggested compression methods

B.

ClientStart, TLS versions it supports, cipher-suites it supports, and suggested compression methods

C.

ClientHello, TLS versions it supports, cipher-suites it supports, and suggested compression methods

D.

ClientHello, ClientKeyExchange, cipher-suites it supports, and suggested compression methods

Full Access
Question # 26

A system administrator is ensuring that specific registry information is accurate.

Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?

A.

file extension associations

B.

hardware, software, and security settings for the system

C.

currently logged in users, including folders and control panel settings

D.

all users on the system, including visual settings

Full Access
Question # 27

An offline audit log contains the source IP address of a session suspected to have exploited a vulnerability resulting in system compromise.

Which kind of evidence is this IP address?

A.

best evidence

B.

corroborative evidence

C.

indirect evidence

D.

forensic evidence

Full Access
Question # 28

Which two pieces of information are collected from the IPv4 protocol header? (Choose two.)

A.

UDP port to which the traffic is destined

B.

TCP port from which the traffic was sourced

C.

source IP address of the packet

D.

destination IP address of the packet

E.

UDP port from which the traffic is sourced

Full Access
Question # 29

A developer is working on a project using a Linux tool that enables writing processes to obtain these required results:

  • If the process is unsuccessful, a negative value is returned.
  • If the process is successful, 0 value is returned to the child process, and the process ID is sent to the parent process.

Which component results from this operation?

A.

parent directory name of a file pathname

B.

process spawn scheduled

C.

macros for managing CPU sets

D.

new process created by parent process

Full Access
Question # 30

An engineer needs to fetch logs from a proxy server and generate actual events according to the data received. Which technology should the engineer use to accomplish this task?

A.

Firepower

B.

Email Security Appliance

C.

Web Security Appliance

D.

Stealthwatch

Full Access
Question # 31

Drag and drop the elements from the left into the correct order for incident handling on the right.

Full Access
Question # 32

Which attack method intercepts traffic on a switched network?

A.

denial of service

B.

ARP cache poisoning

C.

DHCP snooping

D.

command and control

Full Access
Question # 33

An engineer needs to configure network systems to detect command and control communications by decrypting ingress and egress perimeter traffic and allowing network security devices to detect malicious outbound communications. Which technology should be used to accomplish the task?

A.

digital certificates

B.

static IP addresses

C.

signatures

D.

cipher suite

Full Access
Question # 34

Which two components reduce the attack surface on an endpoint? (Choose two.)

A.

secure boot

B.

load balancing

C.

increased audit log levels

D.

restricting USB ports

E.

full packet captures at the endpoint

Full Access
Question # 35

Refer to the exhibit.

A company employee is connecting to mail google.com from an endpoint device. The website is loaded but with an error. What is occurring?

A.

DNS hijacking attack

B.

Endpoint local time is invalid.

C.

Certificate is not in trusted roots.

D.

man-m-the-middle attack

Full Access
Question # 36

Which option describes indicators of attack?

A.

spam emails on an employee workstation

B.

virus detection by the AV software

C.

blocked phishing attempt on a company

D.

malware reinfection within a few minutes of removal

Full Access
Question # 37

Which utility blocks a host portscan?

A.

HIDS

B.

sandboxing

C.

host-based firewall

D.

antimalware

Full Access
Question # 38

A company receptionist received a threatening call referencing stealing assets and did not take any action assuming it was a social engineering attempt. Within 48 hours, multiple assets were breached, affecting the confidentiality of sensitive information. What is the threat actor in this incident?

A.

company assets that are threatened

B.

customer assets that are threatened

C.

perpetrators of the attack

D.

victims of the attack

Full Access
Question # 39

Which attack represents the evasion technique of resource exhaustion?

A.

SQL injection

B.

man-in-the-middle

C.

bluesnarfing

D.

denial-of-service

Full Access
Question # 40

Which event artifact is used to identify HTTP GET requests for a specific file?

A.

destination IP address

B.

TCP ACK

C.

HTTP status code

D.

URI

Full Access
Question # 41

What ate two categories of DDoS attacks? (Choose two.)

A.

split brain

B.

scanning

C.

phishing

D.

reflected

E.

direct

Full Access
Question # 42

Drag and drop the security concept from the left onto the example of that concept on the right.

Full Access
Question # 43

What is a collection of compromised machines that attackers use to carry out a DDoS attack?

A.

subnet

B.

botnet

C.

VLAN

D.

command and control

Full Access
Question # 44

Refer to the exhibit.

What is the potential threat identified in this Stealthwatch dashboard?

A.

Host 10.201.3.149 is sending data to 152.46.6.91 using TCP/443.

B.

Host 152.46.6.91 is being identified as a watchlist country for data transfer.

C.

Traffic to 152.46.6.149 is being denied by an Advanced Network Control policy.

D.

Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.

Full Access
Question # 45

A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions. Which identifier tracks an active program?

A.

application identification number

B.

active process identification number

C.

runtime identification number

D.

process identification number

Full Access
Question # 46

Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2? (Choose two.)

A.

detection and analysis

B.

post-incident activity

C.

vulnerability management

D.

risk assessment

E.

vulnerability scoring

Full Access
Question # 47

What is a description of a social engineering attack?

A.

fake offer for free music download to trick the user into providing sensitive data

B.

package deliberately sent to the wrong receiver to advertise a new product

C.

mistakenly received valuable order destined for another person and hidden on purpose

D.

email offering last-minute deals on various vacations around the world with a due date and a counter

Full Access
Question # 48

Which action should be taken if the system is overwhelmed with alerts when false positives and false negatives are compared?

A.

Modify the settings of the intrusion detection system.

B.

Design criteria for reviewing alerts.

C.

Redefine signature rules.

D.

Adjust the alerts schedule.

Full Access
Question # 49

What makes HTTPS traffic difficult to monitor?

A.

SSL interception

B.

packet header size

C.

signature detection time

D.

encryption

Full Access
Question # 50

According to the September 2020 threat intelligence feeds a new malware called Egregor was introduced and used in many attacks. Distnbution of Egregor is pnmanly through a Cobalt Strike that has been installed on victim's workstations using RDP exploits Malware exfiltrates the victim's data to a command and control server. The data is used to force victims pay or lose it by publicly releasing it. Which type of attack is described?

A.

malware attack

B.

ransomware attack

C.

whale-phishing

D.

insider threat

Full Access
Question # 51

An engineer runs a suspicious file in a sandbox analysis tool to see the outcome. The analysis report shows that outbound callouts were made post infection.

Which two pieces of information from the analysis report are needed to investigate the callouts? (Choose two.)

A.

signatures

B.

host IP addresses

C.

file size

D.

dropped files

E.

domain names

Full Access
Question # 52

What is a difference between SIEM and SOAR?

A.

SOAR predicts and prevents security alerts, while SIEM checks attack patterns and applies the mitigation.

B.

SlEM's primary function is to collect and detect anomalies, while SOAR is more focused on security operations automation and response.

C.

SIEM predicts and prevents security alerts, while SOAR checks attack patterns and applies the mitigation.

D.

SOAR's primary function is to collect and detect anomalies, while SIEM is more focused on security operations automation and response.

Full Access
Question # 53

Refer to the exhibit.

Which type of attack is being executed?

A.

SQL injection

B.

cross-site scripting

C.

cross-site request forgery

D.

command injection

Full Access
Question # 54

Refer to the exhibit.

What is shown in this PCAP file?

A.

Timestamps are indicated with error.

B.

The protocol is TCP.

C.

The User-Agent is Mozilla/5.0.

D.

The HTTP GET is encoded.

Full Access
Question # 55

What is the practice of giving an employee access to only the resources needed to accomplish their job?

A.

principle of least privilege

B.

organizational separation

C.

separation of duties

D.

need to know principle

Full Access
Question # 56

Refer to the exhibit.

Which application protocol is in this PCAP file?

A.

SSH

B.

TCP

C.

TLS

D.

HTTP

Full Access
Question # 57

An employee reports that someone has logged into their system and made unapproved changes, files are out of order, and several documents have been placed in the recycle bin. The security specialist reviewed the system logs, found nothing suspicious, and was not able to determine what occurred. The software is up to date; there are no alerts from antivirus and no failed login attempts. What is causing the lack of data visibility needed to detect the attack?

A.

The threat actor used a dictionary-based password attack to obtain credentials.

B.

The threat actor gained access to the system by known credentials.

C.

The threat actor used the teardrop technique to confuse and crash login services.

D.

The threat actor used an unknown vulnerability of the operating system that went undetected.

Full Access
Question # 58

Refer to the exhibit.

Which stakeholders must be involved when a company workstation is compromised?

A.

Employee 1 Employee 2, Employee 3, Employee 4, Employee 5, Employee 7

B.

Employee 1, Employee 2, Employee 4, Employee 5

C.

Employee 4, Employee 6, Employee 7

D.

Employee 2, Employee 3, Employee 4, Employee 5

Full Access
Question # 59

What is an example of social engineering attacks?

A.

receiving an unexpected email from an unknown person with an attachment from someone in the same company

B.

receiving an email from human resources requesting a visit to their secure website to update contact information

C.

sending a verbal request to an administrator who knows how to change an account password

D.

receiving an invitation to the department’s weekly WebEx meeting

Full Access
Question # 60

A security engineer notices confidential data being exfiltrated to a domain "Ranso4134-mware31-895" address that is attributed to a known advanced persistent threat group The engineer discovers that the activity is part of a real attack and not a network misconfiguration. Which category does this event fall under as defined in the Cyber Kill Chain?

A.

reconnaissance

B.

delivery

C.

action on objectives

D.

weaponization

Full Access
Question # 61

Which security monitoring data type requires the largest storage space?

A.

transaction data

B.

statistical data

C.

session data

D.

full packet capture

Full Access
Question # 62

What is rule-based detection when compared to statistical detection?

A.

proof of a user's identity

B.

proof of a user's action

C.

likelihood of user's action

D.

falsification of a user's identity

Full Access
Question # 63

An analyst received a ticket regarding a degraded processing capability for one of the HR department's servers. On the same day, an engineer noticed a disabled antivirus software and was not able to determine when or why it occurred. According to the NIST Incident Handling Guide, what is the next phase of this investigation?

A.

Recovery

B.

Detection

C.

Eradication

D.

Analysis

Full Access
Question # 64

Which event is a vishing attack?

A.

obtaining disposed documents from an organization

B.

using a vulnerability scanner on a corporate network

C.

setting up a rogue access point near a public hotspot

D.

impersonating a tech support agent during a phone call

Full Access
Question # 65

How does an attack surface differ from an attack vector?

A.

An attack vector recognizes the potential outcomes of an attack, and the attack surface is choosing a method of an attack.

B.

An attack surface identifies vulnerable parts for an attack, and an attack vector specifies which attacks are feasible to those parts.

C.

An attack surface mitigates external vulnerabilities, and an attack vector identifies mitigation techniques and possible workarounds.

D.

An attack vector matches components that can be exploited, and an attack surface classifies the potential path for exploitation

Full Access
Question # 66

What describes the defense-m-depth principle?

A.

defining precise guidelines for new workstation installations

B.

categorizing critical assets within the organization

C.

isolating guest Wi-Fi from the focal network

D.

implementing alerts for unexpected asset malfunctions

Full Access
Question # 67

Refer to the exhibit.

What should be interpreted from this packet capture?

A.

81.179.179.69 is sending a packet from port 80 to port 50272 of IP address 192.168.122.100 using UDP protocol.

B.

192.168.122.100 is sending a packet from port 50272 to port 80 of IP address 81.179.179.69 using TCP protocol.

C.

192.168.122.100 is sending a packet from port 80 to port 50272 of IP address 81.179.179.69 using UDP protocol.

D.

81.179.179.69 is sending a packet from port 50272 to port 80 of IP address 192.168.122.100 using TCP UDP protocol.

Full Access
Question # 68

An engineer discovered a breach, identified the threat’s entry point, and removed access. The engineer was able to identify the host, the IP address of the threat actor, and the application the threat actor targeted. What is the next step the engineer should take according to the NIST SP 800-61 Incident handling guide?

A.

Recover from the threat.

B.

Analyze the threat.

C.

Identify lessons learned from the threat.

D.

Reduce the probability of similar threats.

Full Access
Question # 69

What is the communication channel established from a compromised machine back to the attacker?

A.

man-in-the-middle

B.

IDS evasion

C.

command and control

D.

port scanning

Full Access
Question # 70

Which step in the incident response process researches an attacking host through logs in a SIEM?

A.

detection and analysis

B.

preparation

C.

eradication

D.

containment

Full Access
Question # 71

Which are two denial-of-service attacks? (Choose two.)

A.

TCP connections

B.

ping of death

C.

man-in-the-middle

D.

code-red

E.

UDP flooding

Full Access
Question # 72

An analyst is exploring the functionality of different operating systems.

What is a feature of Windows Management Instrumentation that must be considered when deciding on an operating system?

A.

queries Linux devices that have Microsoft Services for Linux installed

B.

deploys Windows Operating Systems in an automated fashion

C.

is an efficient tool for working with Active Directory

D.

has a Common Information Model, which describes installed hardware and software

Full Access
Question # 73

What is obtained using NetFlow?

A.

session data

B.

application logs

C.

network downtime report

D.

full packet capture

Full Access
Question # 74

Which type of data must an engineer capture to analyze payload and header information?

A.

frame check sequence

B.

alert data

C.

full packet

D.

session logs

Full Access
Question # 75

Refer to the exhibit.

Which alert is identified from this packet capture?

A.

man-in-the-middle attack

B.

ARP poisoning

C.

brute-force attack

D.

SQL injection

Full Access
Question # 76

Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model.

Full Access
Question # 77

Which regex matches only on all lowercase letters?

A.

[a−z]+

B.

[^a−z]+

C.

a−z+

D.

a*z+

Full Access
Question # 78

During which phase of the forensic process are tools and techniques used to extract information from the collected data?

A.

investigation

B.

examination

C.

reporting

D.

collection

Full Access
Question # 79

At which layer is deep packet inspection investigated on a firewall?

A.

internet

B.

transport

C.

application

D.

data link

Full Access
Question # 80

How is NetFlow different from traffic mirroring?

A.

NetFlow collects metadata and traffic mirroring clones data.

B.

Traffic mirroring impacts switch performance and NetFlow does not.

C.

Traffic mirroring costs less to operate than NetFlow.

D.

NetFlow generates more data than traffic mirroring.

Full Access
Question # 81

How does a certificate authority impact security?

A.

It validates client identity when communicating with the server.

B.

It authenticates client identity when requesting an SSL certificate.

C.

It authenticates domain identity when requesting an SSL certificate.

D.

It validates the domain identity of the SSL certificate.

Full Access
Question # 82

During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?

A.

examination

B.

investigation

C.

collection

D.

reporting

Full Access
Question # 83

Which security technology guarantees the integrity and authenticity of all messages transferred to and from a web application?

A.

Hypertext Transfer Protocol

B.

SSL Certificate

C.

Tunneling

D.

VPN

Full Access
Question # 84

Refer to the exhibit.

What is occurring within the exhibit?

A.

regular GET requests

B.

XML External Entities attack

C.

insecure deserialization

D.

cross-site scripting attack

Full Access
Question # 85

What describes the impact of false-positive alerts compared to false-negative alerts?

A.

A false negative is alerting for an XSS attack. An engineer investigates the alert and discovers that an XSS attack happened A false positive is when an XSS attack happens and no alert is raised

B.

A false negative is a legitimate attack triggering a brute-force alert. An engineer investigates the alert and finds out someone intended to break into the system A false positive is when no alert and no attack is occurring

C.

A false positive is an event alerting for a brute-force attack An engineer investigates the alert and discovers that a legitimate user entered the wrong credential several times A false negative is when a threat actor tries to brute-force attack a system and no alert is raised.

D.

A false positive is an event alerting for an SQL injection attack An engineer investigates the alert and discovers that an attack attempt was blocked by IPS A false negative is when the attack gets detected but succeeds and results in a breach.

Full Access
Question # 86

An engineer received an alert affecting the degraded performance of a critical server Analysis showed a heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?

A.

Run "ps -ef to understand which processes are taking a high amount of resources

B.

Run "ps -u" to find out who executed additional processes that caused a high load on a server

C.

Run "ps -m" to capture the existing state of daemons and map the required processes to find the gap

D.

Run "ps -d" to decrease the priority state of high-load processes to avoid resource exhaustion

Full Access
Question # 87

Which of these describes SOC metrics in relation to security incidents?

A.

time it takes to detect the incident

B.

time it takes to assess the risks of the incident

C.

probability of outage caused by the incident

D.

probability of compromise and impact caused by the incident

Full Access
Question # 88

Which type of data consists of connection level, application-specific records generated from network traffic?

A.

transaction data

B.

location data

C.

statistical data

D.

alert data

Full Access
Question # 89

An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this impact on network traffic?

A.

true negative

B.

false negative

C.

false positive

D.

true positive

Full Access
Question # 90

How is attacking a vulnerability categorized?

A.

action on objectives

B.

delivery

C.

exploitation

D.

installation

Full Access
Question # 91

Which security model assumes an attacker within and outside of the network and enforces strict verification before connecting to any system or resource within the organization?

A.

Biba

B.

Object-capability

C.

Take-Grant

D.

Zero Trust

Full Access
Question # 92

Which type of verification consists of using tools to compute the message digest of the original and copied data, then comparing the similarity of the digests?

A.

evidence collection order

B.

data integrity

C.

data preservation

D.

volatile data collection

Full Access
Question # 93

What is a difference between SOAR and SIEM?

A.

SOAR platforms are used for threat and vulnerability management, but SIEM applications are not

B.

SIEM applications are used for threat and vulnerability management, but SOAR platforms are not

C.

SOAR receives information from a single platform and delivers it to a SIEM

D.

SIEM receives information from a single platform and delivers it to a SOAR

Full Access