Exam: 200-201
Title: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)
Product: Exam
Type: 119 Q&A with explanations

Exam A

QUESTION 1
Which type of algorithm encrypts data bit by bit?

A. block
B. asymmetric
C. stream
D. symmetric

QUESTION 2
Which of the following is true of privilege escalation?

A. vertical movement to a different level
B. horizontal movement to the same level
C. obtained without authorization
D. granted freely

QUESTION 3
Examine the diagram below, which contains all devices currently connected to Switch0.

Which of the following statements is true of this scenario?

A. PC0 can communicate with PC1
B. if we change the VLAN of Fa0/15 to VLAN 2, PC0 will be able to connect with PC1
C. if we change the IP address of PC1 to 192.168.6.4, it will be able to connect with PC0
D. if we change the VLAN of Fa0/2 to VLAN 3 and change the IP address of PC1 to 192.168.6.5, PC1 will be able to connect with PC0

QUESTION 4
Which of the following is deployed on an endpoint as an agent or standalone application?

A. NIPS
B. NGFW
C. HIDS
D. NIDS

QUESTION 5
Which of the following represents an exploitable, unpatched, and unmitigated weakness in software?

A. vulnerability
B. exploit
C. threat
D. breach

QUESTION 6
Which of the following describes a TCP injection attack?

A. many TCP SYN packets are captured with the same sequence number, source, and destination IP address, but different payloads
B. there is an abnormally high volume of scanning from numerous sources
C. many TCP SYN packets are captured with the same sequence number, but different source and destination IP addresses and different payloads
D. an attacker performs actions slower than normal

QUESTION 7
How are attributes of ownership and control of an object managed in Linux?

A. permissions
B. rights
C. iptables
D. processes

QUESTION 8
What is the standard for digital certificates?

A. IEEE 802.3af
B. IEEE 802.11
C. X.509
D. X.500

QUESTION 9
Which of the following is used to validate and in some cases revoke certificates?

A. PKI
B. DHCP
C. PGP
D. POP

QUESTION 10
Which of the following describes a timing attack?

A. delays attack for an amount of time
B. waits for an opportune moment
C. performs actions slower than normal
D. performs actions faster than normal

QUESTION 11
Your organization uses both the user's location and the time of day when assessing a connection request.

What type of access control model is this?

A. RBAC
B. DAC
C. ABAC
D. MAC

QUESTION 12
At what layer of the OSI model does Internet Protocol (IP) operate?

A. Layer 3
B. Layer 1
C. Layer 2
D. Layer 4

QUESTION 13
Which of the following is a compilation of routine procedures and operations that the system administrator or
operator carries out?

A. workflow
B. script
C. agenda
D. runbook

QUESTION 14
Which of the following occurs at Layer 7 of the OSI model?

A. VLANs
B. Packet filtering
C. Stateful firewall operation
D. Deep packet inspection

QUESTION 15
What occurs when you allow specific executable files while denying all others?

A. whitelisting
B. blacklisting
C. greylisting
D. redlisting

QUESTION 16
Which operation has as its goal the identification of all available services on a device?

A. port scan
B. banner grabbing
C. OS fingerprinting
D. ping scan

QUESTION 17
Which cross-site scripting attack is sometimes called persistent?

A. reflected
B. stored
C. directed
D. DOM based

QUESTION 18
Quantitative and qualitative are two types of which of the following?

A. risk analysis
B. business impact analysis
C. disaster recovery plan
D. heuristics

QUESTION 19
What is the primary function of routers?

A. To separate collision domains only
B. To separate DNS domains
C. To separate broadcast domains only
D. To separate collision domains and broadcast domains

QUESTION 20
OpenDNS is a Cisco security solution designed to protect which component?

A. LAN
B. Cloud
C. WAN
D. DMZ

QUESTION 21
Which of the following provides non-repudiation?

A. hashing
B. redundancy
C. digital signature
D. encryption

QUESTION 22
Which of the following is NOT a feature of a next generation firewall?

A. application visibility and control
B. stateless firewall
C. URL filtering
D. advanced malware protection

QUESTION 23
A host is sending a ping packet to another host in the same subnet.

For which IP address does the sending host perform an ARP broadcast to resolve?

A. its own IP address
B. the IP address of the router
C. the IP address of the DNS server
D. the IP address of the destination host

QUESTION 24
At which layer does switching occur in the Cisco modified TCP/IP model?

A. Internet
B. Transport
C. Data Link
D. Physical

QUESTION 25
Which of the following is used to prevent malicious software on systems?

A. HIDS
B. HIPS
C. network AV
D. host AV

QUESTION 26
What term represents the leveraging of a security weakness present in a system?

A. breach
B. threat
C. vulnerability
D. exploit

QUESTION 27
Which of the following uses port 443?

A. DNS
B. SSH
C. SSL
D. Telnet
E. HTTP

QUESTION 28
What is the process of scoring risks by their likelihood and their impact?

A. quantitative risk analysis
B. qualitative risk analysis
C. business impact analysis
D. disaster recovery

QUESTION 29
Which of the following is not a hashing algorithm?

A. DES
B. MD5
C. SHA-1
D. SHA-3

QUESTION 30
Which of the following is the most widely used public key cipher?

A. 3DES
B. ElGamal
C. RSA
D. AES

QUESTION 31
Which of the following provides the ability to allow scripting languages to manage Windows computers both
locally and remotely?

A. STP
B. RMI
C. EMI
D. WMI

QUESTION 32
What is the function of ARP?

A. resolves IP addresses to MAC addresses
B. resolves host names to IP addresses
C. resolves MAC addresses to IP addresses
D. resolves port numbers to IP addresses

QUESTION 33
Which hashing algorithm is the strongest?

A. SHA-1
B. MD5
C. SHA-256
D. SHA-512

QUESTION 34
Which of the following is NOT an email protocol?

A. SMTP
B. IMAP
C. NTP
D. POP

QUESTION 35
Which of the following is a Layer 3 attack?

A. ARP attacks
B. IP spoofing
C. VLAN hopping
D. MAC spoofing

QUESTION 36
Which of the following describes a resource exhaustion attack?

A. receiving an abnormally low volume of scanning from numerous sources
B. performing actions slower than normal
C. waiting for an opportune moment
D. receiving an abnormally high volume of scanning from numerous sources

QUESTION 37
Which attack requires a botnet?

A. DDoS
B. password theft
C. DoS
D. man in the middle

QUESTION 38
When the facility has a fence, guards, a locked front door and locked interior doors, it is called what?

A. AUP
B. separation of duties
C. defense in depth
D. piggybacking

QUESTION 39
You are reading the output of a Syslog message.

What type of information is contained in the facility section?

A. message type (UDP or TCP)
B. process that submitted the message
C. relationship to other messages
D. security level

QUESTION 40
Which of the following is NOT an event category in the Windows Security Log?

A. Account management
B. Logoff events
C. Object access
D. Directory service access

QUESTION 41
Which of the following is most likely to be used in a reflected DoS attack?

A. NTP
B. STP
C. ARP
D. IGMP

QUESTION 42
Which of the following represents a single set of sequential machine-code instructions that the processor
executes?

A. forks
B. processes
C. threads
D. handles

QUESTION 43
Which algorithm is a symmetric cipher?

A. ECC
B. ElGamal
C. 3DES
D. RSA

QUESTION 44
Which statement is FALSE with respect to access lists?

A. every rule is examined before a decision is made
B. the order of the rules is important
C. the rules in the list are examined from top to bottom
D. the first rule match is applied

QUESTION 45
What type of data is displayed in the following output?

Date flow start          Duration  Proto  Scr IP Addr:Port       Dst IP Addr:Port       Packets  Bytes  Flows
2010-09-01 00:00:00.459  0.000     UDP    127.0.0.1:24920     -> 192.168.0.1:22126      1        46     1
2010-09-01 00:00:00.363  0.000     UDP    192.168.0.1:22126   >  127.0.0.1:24920        1        80     1

A. firewall log
B. traffic from a tap
C. mirrored traffic
D. NetFlow traffic

QUESTION 46
Which of the following provides the C in CIA?

A. redundancy
B. hashing
C. encryption
D. multiple components

QUESTION 47
Which of the following increases when additional functionality is added to an application?

A. threats
B. vulnerabilities
C. risk
D. attack surface

QUESTION 48
What is the term for a program or service in Linux?

A. handles
B. forks
C. processes
D. thread

QUESTION 49
Which of the following is the technique used by Java that prevents certain functions when the applet is sent as part
of a Webpage?

A. segmentation
B. process isolation
C. sandboxing
D. reference monitor

QUESTION 50
Which of the following would one NOT expect to find in a packet capture of an HTTP packet?

A. referrer header
B. SYN flag
C. user agent
D. host

QUESTION 51
When a TCP packet is sent to an open port with the SYN flag set, what response would be expected from the open port?

A. a packet with the SYN and ACK flags set
B. a packet with an RST flag
C. no response
D. a packet with the ACK flag set

QUESTION 52
Which of the following is a file that contains a reference to another file or directory in the form of an absolute or
relative path?

A. symlink
B. handle
C. thread
D. fork

QUESTION 53
You have been tasked with protecting users' medical records.

What type of information are you protecting?

A. PCI-DSS
B. PII
C. PHI
D. HIPAA

QUESTION 54
What is DNS poisoning?

A. the practice of dispensing IP addresses and host names with the goal of traffic diversion
B. the practice of many computers transmitting malformed packets to the DNS server to cause the server to crash
C. the practice of one computer transmitting malformed packets to the DNS server to cause the server to crash
D. the practice of continually sending a DNS server synchronization messages with spoofed packets

QUESTION 55
Which of the following is defined by the NIST in the FIPS 180-4 standard?

A. SHA-1
B. MD5
C. SHA-256
D. SHA-512

QUESTION 56
You are examining NetFlow records.

What is the state of the connection when you receive a packet with the RST flag set in response to a packet with
the SYN flag set?

A. the port is open
B. the port is blocked by the firewall
C. the connection is set up
D. the port is closed

QUESTION 57
In which access control model does the owner of the resource decide who has access to the resource?

A. MAC
B. RBAC
C. DAC
D. NDAC

QUESTION 58
Which of the following makes a command injection possible?

A. unneeded service ports left open
B. input is accepted without bounds checking
C. web server that accepts input from the user and passes it to a bash shell
D. two passwords that hash to the same value

QUESTION 59
What is the recommended range of settings for virtual memory allocation in Windows?

A. 4 times the installed RAM
B. half of the installed RAM
C. 1 to 3 times installed RAM
D. the same as the installed RAM

QUESTION 60
Which of the following metrics used to measure the effectiveness of a run book represents the average time to
recover a system from a hardware failure?

A. MTTF
B. MTBF
C. MTTR
D. FIT

QUESTION 61
Which of the following represents an attack source?

A. threat actor
B. attack vector
C. action on objectives
D. host file

QUESTION 62
Which of the following is NOT an element of the NIST SP 800-61 r2 incident response plan?

A. organizational mission
B. organizational approach
C. siloed approach to communication
D. strategies and goals

QUESTION 63
Which of the following Cisco tools makes retrospective analysis possible?

A. Cisco AMP
B. Cisco Ironport
C. Cisco Talos
D. Cisco ASA

QUESTION 64
What is the first step in establishing an internal CSIRT?

A. Defining the CSIRT constituency
B. Developing the process and policies for the CSIRT
C. Making sure that the proper budget is allocated
D. Deciding where the CSIRT will reside within the organization's hierarchy

QUESTION 65
Which section of the IP header defines the entire packet size in bytes, including header and data?

A. Identification
B. Total length
C. IP address
D. Version

QUESTION 66
In the HTTP header, which of the following header fields indicates the domain name of the server (for virtual
hosting) and the TCP port number on which the server is listening?

A. urgent pointer
B. referrer
C. authorization
D. date
E. host

QUESTION 67
The IDS alerted you there was an attack when there was none.

What is this called?

A. True negative
B. False positive
C. False negative
D. True positive

QUESTION 68
Which netstat command displays Ethernet statistics?

A. netstat -a
B. netstat -b
C. netstat -f
D. netstat -e

QUESTION 69
What application protocol is in use in this capture?

A. HTTP
B. DHCP
C. SSL
D. DNS

QUESTION 70
You suspect there is a threat against your DNS server that makes use of the query process.

What type of traffic should you monitor?

A. UDP
B. ARP
C. TCP
D. HTTP

QUESTION 71
Which statement is FALSE with respect to open ports?

A. If it is listening, it is open
B. Ports use values that range between 1 and 65535.
C. Port 23 is FTP
D. If you send a TCP packet with the SYN flag set, you will receive one with the SYN and ACK flags back.

QUESTION 72
Which of the following CVSS scores measures the extent to which the information resource can be changed due
to an attack?

A. Availability
B. Confidentiality
C. Integrity
D. Attack vector

QUESTION 73
You are assessing application or service availability with a port scan. All services use default ports.

This is an example of what type of exploit analysis?

A. deterministic
B. predictive
C. probabilistic
D. intuitive

QUESTION 74
Which action would be supportive of the concept of volatile data collection as described in SP 800-86?

A. collect memory data first
B. collect volatile data after rebooting
C. collect malware data
D. collect hard drive data first

QUESTION 75
Which of the following is NOT one of the five tuples?

A. source IP address
B. source port number
C. destination IP address
D. device name

QUESTION 76
According to SP 800-86, which of the following is NOT volatile data?

A. hibernation file
B. slack space
C. network configuration
D. network connections

QUESTION 77
Which organizational stakeholders are responsible for installing anti-malware software?

A. System and network administrators
B. CEO
C. CISO
D. CSIRT team

QUESTION 78
Cisco Active Threat Analysis is an example of which of the following?

A. MSSP
B. PSIRT
C. Coordination centers
D. National CSIRT

QUESTION 79
What is the final step in the Cyber Kill Chain framework?

A. exploitation
B. command and control
C. action on objectives
D. installation

QUESTION 80
Which of the following is the latest Linux file system?

A. ext3
B. ext2
C. ext4
D. ext5

QUESTION 81
Which of the following activities would be a part of retrospective analysis?

A. scanning for vulnerabilities with NESSUS
B. using historical data to identify an infected host
C. using nmap to determine open ports
D. attempting to exploit a vulnerability you found

QUESTION 82
What is the term for an operation that purges redundant data while maintaining data integrity?

A. modularization
B. aggregation
C. warehousing
D. normalization

QUESTION 83
Which statement is FALSE with respect to listening ports?

A. Port 443, when set to default, is encrypted.
B. Ports can be numbered 1 to 65535.
C. The port number does not always identify the service.
D. They are closed.

QUESTION 84
Which evidence is always considered the best evidence?

A. hearsay
B. indirect
C. direct
D. corroborative

QUESTION 85
Which of the following offers incident handling services for a fee to other organizations?

A. Coordination centers
B. MSSP
C. PSIRT
D. national CSIRT

QUESTION 86
You have been asked to collect all the usernames from an access log. According to policy, usernames must be at
least six characters and no more than sixteen characters. Usernames can only include lowercase letters, numbers,
underscores, and hyphens, such as the following:

Which regular expression will locate all valid usernames?

A.
B.
C.
D.

QUESTION 87
After compromising a host and escalating privileges, the attacker installs a remote access Trojan (RAT).

What step of the Cyber Kill Chain framework has just occurred?

A. Reconnaissance
B. Exploitation
C. Installation
D. Weaponization

QUESTION 88
Which of the following represents the software that is acting on behalf of a user?

A. representative agent field
B. cookie
C. type field
D. host field
E. user agent

QUESTION 89
According to SP 800-86, which of the following is NOT an important factor when prioritizing potential data sources of evidence?

A. volatility
B. time involved
C. likely value
D. effort required

QUESTION 90
Which statement is true with regard to evidence collection?

A. Allow full access to the crime scene.
B. Always shut the computer down first.
C. Always call police.
D. Always protect the integrity of the evidence.

QUESTION 91
Which of the following is NOT reconnaissance?

A. scanning without completing the three way handshake
B. installation of a RAT
C. searching for the robots.txt file
D. communicating over social media

QUESTION 92
Examine the following NetFlow entry:

Which statement is FALSE?

A. The destination port is 236744.
B. The bytes are 82.
C. This is a single packet.
D. The protocol is UDP.

QUESTION 93
In which stage of incident handling is the extent of the incident determined?

A. lessons learned
B. containment
C. scoping
D. identification

QUESTION 94
Which of the following is NOT one of the 5 tuples?

A. source port number
B. source IP address
C. destination IP address
D. NetFlow record ID

QUESTION 95
According to NIST, what goal are you supporting when you hash both evidence data and a backup of the data and compare the hashes?

A. integrity
B. availability
C. confidentiality
D. authentication

QUESTION 96
You are investigating suspicious communication between two devices in your environment. The source socket is
205.16.3.74:5696 and the destination socket is 192.168.5.3:53.

What service should you suspect is under attack?

A. DHCP
B. NTP
C. DNS
D. HTTP

QUESTION 97
You have discovered a vulnerability in your web service that, if leveraged, would cause data to be changed in the attack.

Which CVSS metric will increase if this attack is realized?

A. complexity
B. confidentiality
C. Availability
D. integrity

QUESTION 98
Examine the following ASA system message:

Which statement is FALSE?

A. The destination port is 302015.
B. The destination IP is 192.168.5.20.
C. The source IP is 192.168.5.5.
D. The source port is 36214.

QUESTION 99
What statement is FALSE about probabilistic analysis?

A. The answer is not definitive.
B. All data is known beforehand.
C. It is used in decision-making scenarios.
D. It indicates how likely the event is.

QUESTION 100
What tool or command can be used to determine details of a user account?

A. nbtstat
B. Task Manager
C. netstat -a
D. net user

QUESTION 101
Which of the following would provide cybersecurity training and incident response to both a federal executive branch agency and a foreign company?

A. National CSIRT
B. Coordination center
C. Internal CSIRT
D. PSIRT

QUESTION 102
Which of the following would help multiple CSIRTs facilitate incident handling?

A. MSSP
B. national CSIRT
C. Coordination center
D. Analysis center

QUESTION 103
Which of the following represents a step in the second normal form in the process of normalization?

A. Create a separate table for each set of related data.
B. Eliminate repeating groups in individual tables.
C. Create separate tables for sets of values that apply to multiple records.
D. Eliminate fields that do not depend on the key.

QUESTION 104
Which of the following is the second step in incident handling, according to NIST SP 800-61 r2?

A. detection and analysis
B. post incident analysis
C. preparation
D. containment, eradication, and recovery

QUESTION 105
What information can be discovered from the user agent field in an HTTP packet?

A. IP address of attacker
B. domain name of attacker
C. browser version
D. destination site

QUESTION 106
In which stage of incident handling is the environment returned to a secure state?

A. remediation
B. Identification
C. containment
D. lesson-based hardening

QUESTION 107
What is the term for any evasion attempt where the attacker splits malicious traffic to avoid detection or
filtering?

A. fragmentation
B. SYN flood
C. LAND attack
D. network mapping

QUESTION 108
Actors and actions are part of which VERIS schema category?

A. discovery and response
B. incident tracking
C. victim demographics
D. incident description

QUESTION 109
When discontinuous free space is created by the adding and removing of data on a hard drive, what has
occurred?

A. steganography
B. alternative datastreams
C. forking
D. fragmentation

QUESTION 110
Which process is used to increase data accuracy and integrity and to support data visualization?

A. data aggregation
B. data warehousing
C. data normalization
D. data mapping

QUESTION 111
Which of the following is a standard for port-based access control?

A. X.509
B. 802.11n
C. 802.3
D. 802.1x

QUESTION 112
You discover several client machines are infected with malware that begins to make outbound calls
(connection attempts) to a remote server after infection. You run a malware analysis tool.

What information could you derive from any domain names and host IP addresses in the malware analysis
report?

A. the next machine that will be infected
B. destination of the callouts
C. signature of the malware
D. the first machine infected

QUESTION 113
Which of the following Wireshark filters excludes an IP address?

A. gateway host <host>
B. !ip.addr == 192.168.1.2
C. eth.addr == 00:60:0e:53:13:d5
D. ip.addr == 192.168.1.0/24

QUESTION 114
What is the main purpose of data normalization?

A. synchronization of timestamps
B. duplicate datastreams
C. eliminate redundancy
D. aggregate data

QUESTION 115
What is the first step in the Cyber Kill Chain framework?

A. exploitation
B. weaponization
C. reconnaissance
D. installation

QUESTION 116
Which of the following is part of the 5 tuple?

A. web software
B. NetFlow record ID
C. source IP address
D. operating system
E. device name

QUESTION 117
When an email with a malicious attachment is delivered to a mailbox, what step in the Cyber Kill Chain
framework has occurred?

A. Reconnaissance
B. Exploitation
C. Weaponization
D. Delivery

QUESTION 118
Which of the following is NOT of interest during server profiling?

A. Applications
B. Logged-in Users/Service Accounts
C. Running Processes
D. Closed ports

QUESTION 119
According to NIST SP 800-61 r2, which of the following is NOT a question to ask during a post mortem?

A. Exactly what happened and at what time?
B. How could information sharing with other organizations be improved?
C. Whose fault was the attack?
D. Were any steps or actions taken that might have inhibited the recovery?
