153 With Answers

200-201 Exam
Exam 200-201
Understanding Cisco Cybersecurity

Title Operations Fundamentals (CBROPS)
Exam
Product
153 Q&A with explanations
Type
Exam A
QUESTION 1
Which event is user interaction?
A. gaining root access

B. executing remote code
C. reading and writing file permission
D. opening a malicious file
Correct Answer: D
Section: Security Concepts
Explanation
Explanation/Reference:
QUESTION 2
Which security principle requires more than one person is required to perform a critical task?
A. least privilege
B. need to know
C. separation of duties
D. due diligence
Correct Answer: C
Explanation
QUESTION 3
How is attacking a vulnerability categorized?
A. action on objectives
B. delivery
C. exploitation
D. installation
Correct Answer: C
Explanation
QUESTION 4
What is a benefit of agent-based protection when compared to agentless protection?
A. It lowers maintenance costs

B. It provides a centralized platform
C. It collects and detects all traffic locally
D. It manages numerous devices simultaneously
Correct Answer: B
Explanation
QUESTION 5
Which principle is being followed when an analyst gathers information relevant to a security incident to determine
the appropriate course of action?
A. decision making
B. rapid response
C. data mining
D. due diligence
Correct Answer: A
Explanation
QUESTION 6
One of the objectives of information security is to protect the CIA of information and systems.
What does CIA mean in this context?
A. confidentiality, identity, and authorization

B. confidentiality, integrity, and authorization
C. confidentiality, identity, and availability
D. confidentiality, integrity, and availability
Correct Answer: D
Explanation
QUESTION 7
What is rule-based detection when compared to statistical detection?
A. proof of a user's identity

B. proof of a user's action
C. likelihood of user's action
D. falsification of a user's identity
Correct Answer: B
Explanation
QUESTION 8
A user received a malicious attachment but did not run it.
Which category classifies the intrusion?
A. weaponization
B. reconnaissance
C. installation
D. delivery
Correct Answer: D
Explanation
QUESTION 9
Which process is used when IPS events are removed to improve data integrity?
A. data availability
B. data normalization
C. data signature
D. data protection
Correct Answer: B
Explanation
QUESTION 10
An analyst is investigating an incident in a SOC environment.
Which method is used to identify a session from a group of logs?
A. sequence numbers
B. IP identifier
C. 5-tuple
D. timestamps
Correct Answer: C
Explanation
QUESTION 11
What is a difference between SOAR and SIEM?
A. SOAR platforms are used for threat and vulnerability management, but SIEM applications are not
B. SIEM applications are used for threat and vulnerability management, but SOAR platforms are not
C. SOAR receives information from a single platform and delivers it to a SIEM
D. SIEM receives information from a single platform and delivers it to a SOAR
Correct Answer: A
Explanation
QUESTION 12
What is the difference between mandatory access control (MAC) and discretionary access control (DAC)?
A. MAC is controlled by the discretion of the owner and DAC is controlled by an administrator
B. MAC is the strictest of all levels of control and DAC is object-based access
C. DAC is controlled by the operating system and MAC is controlled by an administrator
D. DAC is the strictest of all levels of control and MAC is object-based access
Correct Answer: B
Explanation
QUESTION 13
What is the practice of giving employees only those permissions necessary to perform their specific role within an
organization?
A. least privilege
B. need to know
C. integrity validation
D. due diligence
Correct Answer: A
Explanation
QUESTION 14
What is the virtual address space for a Windows process?
A. physical location of an object in memory

B. set of pages that reside in the physical memory
C. system-level memory protection feature built into the operating system
D. set of virtual memory addresses that can be used
Correct Answer: D
Explanation
QUESTION 15
Which security principle is violated by running all processes as root or administrator?
A. principle of least privilege
B. role-based access control
D. trusted computing base
Correct Answer: A
Explanation
QUESTION 16
What is the function of a command and control server?
A. It enumerates open ports on a network device

B. It drops secondary payload into malware
C. It is used to regain control of the network after a compromise
D. It sends instruction to a compromised system
Correct Answer: D
Explanation
QUESTION 17
What is the difference between deep packet inspection and stateful inspection?
A. Deep packet inspection is more secure than stateful inspection on Layer 4

B. Stateful inspection verifies contents at Layer 4 and deep packet inspection verifies connection at Layer 7
C. Stateful inspection is more secure than deep packet inspection on Layer 7
D. Deep packet inspection allows visibility on Layer 7 and stateful inspection allows visibility on Layer 4
Correct Answer: D
Explanation
QUESTION 18
Which evasion technique is a function of ransomware?
A. extended sleep calls

B. encryption
C. resource exhaustion
D. encoding
Correct Answer: B
Explanation
QUESTION 19
Refer to the exhibit. Which two elements in the table are parts of the 5-tuple? (Choose two.)
A. First Packet
B. Initiator User
C. Ingress Security Zone
D. Source Port
E. Initiator IP
Correct Answer: DE Section:

Security Concepts
Explanation
QUESTION 20
DRAG DROP
Drag and drop the security concept on the left onto the example of that concept on the right.
Select and Place:
Correct Answer:
Explanation
QUESTION 21
What is the difference between statistical detection and rule-based detection models?
A. Rule-based detection involves the collection of data in relation to the behavior of legitimate users over a
period of time
B. Statistical detection defines legitimate data of users over a period of time and rule-based detection defines it on
an IF/THEN basis
C. Statistical detection involves the evaluation of an object on its intended actions before it executes that
behavior
D. Rule-based detection defines legitimate data of users over a period of time and statistical detection defines it on
an IF/THEN basis
Correct Answer: B
Explanation
QUESTION 22
What is the difference between a threat and a risk?
A. Threat represents a potential danger that could take advantage of a weakness in a system
B. Risk represents the known and identified loss or danger in the system
C. Risk represents the nonintentional interaction with uncertainty in the system
D. Threat represents a state of being exposed to an attack or a compromise, either physically or logically.
Correct Answer: A
Explanation
QUESTION 23
Which attack method intercepts traffic on a switched network?
A. denial of service
B. ARP cache poisoning
C. DHCP snooping
D. command and control
Correct Answer: C
Explanation
QUESTION 24
What does an attacker use to determine which network ports are listening on a potential target device?
A. man-in-the-middle
B. port scanning
C. SQL injection
D. ping sweep
Correct Answer: B
Explanation
QUESTION 25
What is a purpose of a vulnerability management framework?
A. identifies, removes, and mitigates system vulnerabilities

B. detects and removes vulnerabilities in source code
C. conducts vulnerability scans on the network
D. manages a list of reported vulnerabilities
Correct Answer: A
Explanation
QUESTION 26
A network engineer discovers that a foreign government hacked one of the defense contractors in their home country
and stole intellectual property. What is the threat agent in this situation?
A. the intellectual property that was stolen

B. the defense contractor who stored the intellectual property
C. the method used to conduct the attack
D. the foreign government that conducted the attack
Correct Answer: D
Explanation
QUESTION 27
What is the practice of giving an employee access to only the resources needed to accomplish their job?
A. principle of least privilege

B. organizational separation
D. need to know principle
Correct Answer: A
Explanation
QUESTION 28
Which metric is used to capture the level of access needed to launch a successful attack?
A. privileges required
B. user interaction
C. attack complexity
D. attack vector
Correct Answer: A
Explanation
QUESTION 29
What is the difference between an attack vector and attack surface?
A. An attack surface identifies vulnerabilities that require user input or validation; and an attack vector
identifies vulnerabilities that are independent of user actions.
B. An attack vector identifies components that can be exploited; and an attack surface identifies the potential
path an attack can take to penetrate the network.
C. An attack surface recognizes which network parts are vulnerable to an attack; and an attack vector
identifies which attacks are possible with these vulnerabilities.
D. An attack vector identifies the potential outcomes of an attack; and an attack surface launches an attack
using several methods against the identified vulnerabilities.
Correct Answer: C
Explanation
QUESTION 30
Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a
different bank account number?
A. integrity
B. confidentiality
C. availability
D. scope
Correct Answer: A
Explanation
QUESTION 31
A security specialist notices 100 HTTP GET and POST requests for multiple pages on the web servers. The agent in
the requests contains PHP code that, if executed, creates and writes to a new PHP file on the webserver. Which
event category is described?
A. reconnaissance
B. action on objectives
C. installation
D. exploitation
Correct Answer: C
Explanation
QUESTION 32
What specific type of analysis is assigning values to the scenario to see expected outcomes?
A. deterministic
B. exploratory
C. probabilistic
D. descriptive
Correct Answer: A
Explanation
QUESTION 33
When trying to evade IDS/IPS devices, which mechanism allows the user to make the data incomprehensible without
a specific key, certificate, or password?
A. fragmentation
B. pivoting
C. encryption
D. stenography
Correct Answer: D
Explanation
QUESTION 34
Why is encryption challenging to security monitoring?
A. Encryption analysis is used by attackers to monitor VPN tunnels.

B. Encryption is used by threat actors as a method of evasion and obfuscation.
C. Encryption introduces additional processing requirements by the CPU.
D. Encryption introduces larger packet sizes to analyze and store.
Correct Answer: B
Explanation
QUESTION 35
An employee reports that someone has logged into their system and made unapproved changes, files are out of
order, and several documents have been placed in the recycle bin. The security specialist reviewed the system
logs, found nothing suspicious, and was not able to determine what occurred. The software is up to date; there are
no alerts from antivirus and no failed login attempts. What is causing the lack of data visibility needed to detect the
attack?
A. The threat actor used a dictionary-based password attack to obtain credentials.

B. The threat actor gained access to the system by known credentials.
C. The threat actor used the teardrop technique to confuse and crash login services.
D. The threat actor used an unknown vulnerability of the operating system that went undetected.
Correct Answer: B
Explanation
QUESTION 36
A company receptionist received a threatening call referencing stealing assets and did not take any action assuming
it was a social engineering attempt. Within 48 hours, multiple assets were breached, affecting the confidentiality of
sensitive information. What is the threat actor in this incident?
A. company assets that are threatened

B. customer assets that arethreatened
C. perpetrators of the attack
D. victims of the attack
Correct Answer: C
Explanation
QUESTION 37
What is the relationship between a vulnerability and a threat?
A. A threat exploits a vulnerability

B. A vulnerability is a calculation of the potential loss caused by a threat
C. A vulnerability exploits a threat
D. A threat is a calculation of the potential loss caused by a vulnerability
Correct Answer: A
Explanation
QUESTION 38
What is the principle of defense-in-depth?
A. Agentless and agent-based protection for security are used.

B. Several distinct protective layers are involved.
C. Access control models are involved.
D. Authentication, authorization, and accounting mechanisms are used.
Correct Answer: B
Explanation
QUESTION 39
DRAG DROP
Drag and drop the uses on the left onto the type of security system on the right.
Select and Place:
Correct Answer:
Explanation
QUESTION 40
What is the difference between the rule-based detection when compared to behavioral detection?
A. Rule-Based detection is searching for patterns linked to specific types of attacks, while behavioral is
identifying per signature.
B. Rule-Based systems have established patterns that do not change with new data, while behavioral
changes.
C. Behavioral systems are predefined patterns from hundreds of users, while Rule-Based only flags
potentially abnormal patterns using signatures.
D. Behavioral systems find sequences that match a particular attack signature, while Rule-Based identifies
potential attacks.
Correct Answer: D
Explanation
QUESTION 41
Which open-sourced packet capture tool uses Linux and Mac OS X operating systems?
A. NetScout
B. tcpdump
C. SolarWinds
D. netsh
Correct Answer: B
Section: Security Monitoring
Explanation
QUESTION 42
Refer to the exhibit. Which kind of attack method is depicted in this string?
A. cross-site scripting
B. man-in-the-middle
C. SQL injection
D. denial of service
Correct Answer: A
Explanation
QUESTION 43
Which two components reduce the attack surface on an endpoint? (Choose two.)
A. secure boot
B. load balancing
C. increased audit log levels
D. restricting USB ports
E. full packet captures at the endpoint
Correct Answer: AD Section:

Security Monitoring
Explanation
QUESTION 44
What is an attack surface as compared to a vulnerability?
A. any potential danger to an asset

B. the sum of all paths for data into and out of the environment
C. an exploitable weakness in a system or its design
D. the individuals who perform an attack
Correct Answer: B
Explanation
QUESTION 45
An intruder attempted malicious activity and exchanged emails with a user and received corporate information,
including email distribution lists. The intruder asked the user to engage with a link in an email. When the fink
launched, it infected machines and the intruder was able to access the corporate network.
Which testing method did the intruder use?
A. social engineering
B. eavesdropping
C. piggybacking
D. tailgating
Correct Answer: A
Explanation
QUESTION 46
What are two social engineering techniques? (Choose two.)
A. privilege escalation
B. DDoS attack
C. phishing
D. man-in-the-middle
E. pharming
Correct Answer: CE Section:

Security Monitoring
Explanation
QUESTION 47
Refer to the exhibit. What does the output indicate about the server with the IP address 172.18.104.139?
A. open ports of a web server

B. open port of an FTP server
C. open ports of an email server
D. running processes of the server
Correct Answer: C
Explanation
QUESTION 48
How does certificate authority impact a security system?
A. It authenticates client identity when requesting SSL certificate

B. It validates domain identity of a SSL certificate
C. It authenticates domain identity when requesting SSL certificate
D. It validates client identity when communicating with the server
Correct Answer: B
Explanation
QUESTION 49
When communicating via TLS, the client initiates the handshake to the server and the server responds back with
its certificate for identification.
Which information is available on the server certificate?
A. server name, trusted subordinate CA, and private key

B. trusted subordinate CA, public key, and cipher suites
C. trusted CA name, cipher suites, and private key
D. server name, trusted CA, and public key
Correct Answer: D
Explanation
QUESTION 50
How does an SSL certificate impact security between the client and the server?
A. by enabling an authenticated channel between the client and the server

B. by creating an integrated channel between the client and the server
C. by enabling an authorized channel between the client and the server
D. by creating an encrypted channel between the client and the server
Correct Answer: D
Explanation
QUESTION 51
Which attack is the network vulnerable to when a stream cipher like RC4 is used twice with the same key?
A. forgery attack
B. plaintext-only attack
C. ciphertext-only attack
D. meet-in-the-middle attack
Correct Answer: C
Explanation
QUESTION 52
Which list identifies the information that the client sends to the server in the negotiation phase of the TLS
handshake?
A. ClientStart, ClientKeyExchange, cipher-suites it supports, and suggested compression methods

B. ClientStart, TLS versions it supports, cipher-suites it supports, and suggested compression methods
C. ClientHello, TLS versions it supports, cipher-suites it supports, and suggested compression methods
D. ClientHello, ClientKeyExchange, cipher-suites it supports, and suggested compression methods
Correct Answer: C
Explanation
QUESTION 53
Refer to the exhibit. Which type of log is displayed?
A. IDS
B. proxy
C. NetFlow
D. sys
Correct Answer: D
Explanation
QUESTION 54
Refer to the exhibit. What information is depicted?
A. IIS data
B. NetFlow data
C. network discovery event
D. IPS event data
Correct Answer: B
Explanation
QUESTION 55
What is the difference between the ACK flag and the RST flag in the NetFlow log session?
A. The RST flag confirms the beginning of the TCP connection, and the ACK flag responds when the data for the
payload is complete
B. The ACK flag confirms the beginning of the TCP connection, and the RST flag responds when the data for the
payload is complete
C. The RST flag confirms the receipt of the prior segment, and the ACK flag allows for the spontaneous
termination of a connection
D. The ACK flag confirms the receipt of the prior segment, and the RST flag allows for the spontaneous
termination of a connection
Correct Answer: D
Explanation
QUESTION 56
Refer to the exhibit. Which type of log is displayed?
A. proxy
B. NetFlow
C. IDS
D. sys
Correct Answer: B
Explanation
QUESTION 57
How is NetFlow different from traffic mirroring?
A. NetFlow collects metadata and traffic mirroring clones data.
B. Traffic mirroring impacts switch performance and NetFlow does not.
C. Traffic mirroring costs less to operate than NetFlow.
D. NetFlow generates more data than traffic mirroring.
Correct Answer: A
Explanation
QUESTION 58
What makes HTTPS traffic difficult to monitor?
A. SSL interception
B. packet header size
C. signature detection time
D. encryption
Correct Answer: D
Explanation
QUESTION 59
How does an attacker observe network traffic exchanged between two users?
A. port scanning
B. man-in-the-middle
C. command injection
D. denial of service
Correct Answer: B
Explanation
QUESTION 60
Which type of data consists of connection level, application-specific records generated from network traffic?
A. transaction data
B. location data
C. statistical data
D. alert data
Correct Answer: A
Explanation
QUESTION 61
An engineer receives a security alert that traffic with a known TOR exit node has occurred on the network. What is
the impact of this traffic?
A. ransomware communicating after infection

B. users downloading copyrighted content
C. data exfiltration
D. user circumvention of the firewall
Correct Answer: D
Explanation
QUESTION 62
What is an example of social engineering attacks?
A. receiving an unexpected email from an unknown person with an attachment from someone in the same
company
B. receiving an email from human resources requesting a visit to their secure website to update contact
information
C. sending a verbal request to an administrator who knows how to change an account password
D. receiving an invitation to the department’s weekly WebEx meeting
Correct Answer: B
Explanation
QUESTION 63
Refer to the exhibit. What is occurring in this network?
A. ARP cache poisoning

B. DNS cache poisoning
C. MAC address table overflow
D. MAC flooding attack
Correct Answer: A
Explanation
QUESTION 64
Which data format is the most efficient to build a baseline of traffic seen over an extended period of time?
A. syslog messages
B. full packet capture
C. NetFlow
D. firewall event logs
Correct Answer: C
Explanation
QUESTION 65
Which action prevents buffer overflow attacks?
A. variable randomization
B. using web based applications
C. input sanitization
D. using a Linux operating system
Correct Answer: C
Explanation
QUESTION 66
Which type of attack occurs when an attacker is successful in eavesdropping on a conversation between two IP
phones?
A. known-plaintext
B. replay
C. dictionary
D. man-in-the-middle
Correct Answer: D
Explanation
QUESTION 67
Refer to the exhibit. What should be interpreted from this packet capture?
A. 81.179.179.69 is sending a packet from port 80 to port 50272 of IP address 192.168.122.100 using UDP
protocol.
B. 192.168.122.100 is sending a packet from port 50272 to port 80 of IP address 81.179.179.69 using TCP
protocol.
C. 192.168.122.100 is sending a packet from port 80 to port 50272 of IP address 81.179.179.69 using UDP
protocol.
D. 81.179.179.69 is sending a packet from port 50272 to port 80 of IP address 192.168.122.100 using TCP UDP
protocol.
Correct Answer: B
Explanation
QUESTION 68
What are the two characteristics of the full packet captures? (Choose two.)
A. Identifying network loops and collision domains.

B. Troubleshooting the cause of security and performance issues.
C. Reassembling fragmented traffic from raw data.
D. Detecting common hardware faults and identify faulty assets.
E. Providing a historical record of a network transaction.

Security Monitoring
Explanation
QUESTION 69
Refer to the exhibit. An engineer is analyzing this Cuckoo Sandbox report for a PDF file that has been downloaded
from an email. What is the state of this file?
A. The file has an embedded executable and was matched by PEiD threat signatures for further analysis.
B. The file has an embedded non-Windows executable but no suspicious features are identified.
C. The file has an embedded Windows 32 executable and the Yara field lists suspicious features for further
analysis.
D. The file was matched by PEiD threat signatures but no suspicious features are identified since the
signature list is up to date.
Correct Answer: C
Explanation
QUESTION 70
DRAG DROP
Drag and drop the technology on the left onto the data type the technology provides on the right.
Select and Place:

Correct Answer:

Explanation
QUESTION 71
Refer to the exhibit. What is occurring in this network traffic?
A. High rate of SYN packets being sent from a multiple source towards a single destination IP.
B. High rate of ACK packets being sent from a single source IP towards multiple destination IPs.
C. Flood of ACK packets coming from a single source IP to multiple destination IPs.
D. Flood of SYN packets coming from a single source IP to a single destination IP.
Correct Answer: D
Explanation
QUESTION 72
An engineer needs to have visibility on TCP bandwidth usage, response time, and latency, combined with deep
packet inspection to identify unknown software by its network traffic flow. Which two features of Cisco Application
Visibility and Control should the engineer use to accomplish this goal? (Choose two.)
A. management and reporting

B. traffic filtering
C. adaptive AVC
D. metrics collection and exporting
E. application recognition
Correct Answer: DE Section:

Security Monitoring
Explanation
QUESTION 73
Which security technology guarantees the integrity and authenticity of all messages transferred to and from a web
application?
A. Hypertext Transfer Protocol

B. SSL Certificate
C. Tunneling
D. VPN
Correct Answer: B
Explanation
QUESTION 74
An engineer is investigating a case of the unauthorized usage of the “Tcpdump” tool. The analysis revealed that a
malicious insider attempted to sniff traffic on a specific interface. What type of information did the malicious insider
attempt to obtain?
A. tagged protocols being used on the network

B. all firewall alerts and resulting mitigations
C. tagged ports being used on the network
D. all information and data within the datagram
Correct Answer: A
Explanation
QUESTION 75
At a company party a guest asks questions about the company’s user account format and password complexity.
How is this type of conversation classified?
A. Phishing attack
B. Password Revelation Strategy
C. Piggybacking
D. Social Engineering
Correct Answer: D
Explanation
QUESTION 76
Which security monitoring data type requires the largest storage space?
A. transaction data
B. statistical data
C. session data
D. full packet capture
Correct Answer: D
Explanation
QUESTION 77
What are two denial of service attacks? (Choose two.)
A. MITM
B. TCP connections
C. ping of death
D. UDP flooding
E. code red

Security Monitoring
Explanation
QUESTION 78
An engineer needs to discover alive hosts within the 192.168.1.0/24 range without triggering intrusive portscan alerts
on the IDS device using Nmap. Which command will accomplish this goal?
A. nmap --top-ports 192.168.1.0/24

B. nmap –sP 192.168.1.0/24
C. nmap -sL 192.168.1.0/24
D. nmap -sV 192.168.1.0/24
Correct Answer: B
Explanation
QUESTION 79
An analyst is investigating a host in the network that appears to be communicating to a command and control server
on the Internet. After collecting this packet capture, the analyst cannot determine the technique and payload used for
the communication.
Which obfuscation technique is the attacker using?
A. Base64 encoding
B. transport layer security encryption
C. SHA-256 hashing
D. ROT13 encryption
Correct Answer: B
Section: Host-Based Analysis
Explanation
QUESTION 80
What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)
A. Untampered images are used in the security investigation process

B. Tampered images are used in the security investigation process
C. The image is tampered if the stored hash and the computed hash match
D. Tampered images are used in the incident recovery process
E. The image is untampered if the stored hash and the computed hash match
Correct Answer: BE
Explanation
QUESTION 81
During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve
its integrity?
A. examination
B. investigation
C. collection
D. reporting
Correct Answer: C
Explanation
QUESTION 82
Which step in the incident response process researches an attacking host through logs in a SIEM?
A. detection and analysis

B. preparation
C. eradication
D. containment
Correct Answer: A
Explanation
QUESTION 83
A malicious file has been identified in a sandbox analysis tool.
Which piece of information is needed to search for additional downloads of this file by other hosts?
A. file type
B. file size
C. file name
D. file hash value
Correct Answer: D
Explanation
QUESTION 84
Refer to the exhibit. What is the potential threat identified in this Stealthwatch dashboard?
A. Host 10.201.3.149 is sending data to 152.46.6.91 using TCP/443.

B. Host 152.46.6.91 is being identified as a watchlist country for data transfer.
C. Traffic to 152.46.6.149 is being denied by an Advanced Network Control policy.
D. Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.
Correct Answer: D
Explanation
QUESTION 85
A. A policy violation is active for host 10.10.101.24.
B. A host on the network is sending a DDoS attack to another inside host.
C. There are two active data exfiltration alerts.
D. A policy violation is active for host 10.201.3.149.
Correct Answer: C
Explanation
QUESTION 86
Which security technology allows only a set of pre-approved applications to run on a system?
A. application-level blacklisting
B. host-based IPS
C. application-level whitelisting
D. antivirus
Correct Answer: C
Explanation
QUESTION 87
An investigator is examining a copy of an ISO file that is stored in CDFS format.
What type of evidence is this file?
A. data from a CD copied using Mac-based system

B. data from a CD copied using Linux system
C. data from a DVD copied using Windows system
D. data from a CD copied using Windows
Correct Answer: B
Explanation
QUESTION 88
Which piece of information is needed for attribution in an investigation?
A. proxy logs showing the source RFC 1918 IP addresses

B. RDP allowed from the Internet
C. known threat actor behavior
D. 802.1x RADIUS authentication pass arid fail logs
Correct Answer: C
Explanation
QUESTION 89
What does cyber attribution identify in an investigation?
A. cause of an attack
B. exploit of an attack
C. vulnerabilities exploited
D. threat actors of an attack
Correct Answer: D
Explanation
QUESTION 90
A security engineer has a video of a suspect entering a data center that was captured on the same day that files in
the same data center were transferred to a competitor.
Which type of evidence is this?
A. best evidence
B. prima facie evidence
C. indirect evidence
D. physical evidence
Correct Answer: C
Explanation
QUESTION 91
Refer to the exhibit. Which event is occurring?
A. A binary named "submit" is running on VM cuckoo1.

B. A binary is being submitted to run on VM cuckoo1
C. A binary on VM cuckoo1 is being submitted for evaluation
D. A URL is being evaluated to see if it has a malicious binary
Correct Answer: C
Explanation
QUESTION 92
Refer to the exhibit. In which Linux log file is this output found?
A. /var/log/authorization.log
B. /var/log/dmesg
C. var/log/var.log
D. /var/log/auth.log
Correct Answer: D
Explanation
QUESTION 93
An engineer runs a suspicious file in a sandbox analysis tool to see the outcome. The analysis report shows that
outbound callouts were made post infection.
Which two pieces of information from the analysis report are needed to investigate the callouts? (Choose two.)
A. signatures
B. host IP addresses
C. file size
D. dropped files
E. domain names
Correct Answer: BE
Explanation
QUESTION 94
An analyst is exploring the functionality of different operating systems.
What is a feature of Windows Management Instrumentation that must be considered when deciding on an operating
system?
A. queries Linux devices that have Microsoft Services for Linux installed
B. deploys Windows Operating Systems in an automated fashion
C. is an efficient tool for working with Active Directory
D. has a Common Information Model, which describes installed hardware and software
Correct Answer: D
Explanation
QUESTION 95
What causes events on a Windows system to show Event Code 4625 in the log messages?
A. The system detected an XSS attack

B. Someone is trying a brute force attack on the network
C. Another device is gaining root access to the system
D. A privileged user successfully logged into the system
Correct Answer: B
Explanation
QUESTION 96
Refer to the exhibit. What does the message indicate?
A. an access attempt was made from the Mosaic web browser

B. a successful access attempt was made to retrieve the password file
C. a successful access attempt was made to retrieve the root of the website
D. a denied access attempt was made to retrieve the password file
Correct Answer: C
Explanation
QUESTION 97
Refer to the exhibit. This request was sent to a web application server driven by a database.
Which type of web server attack is represented?
A. parameter manipulation
B. heap memory corruption
C. command injection
D. blind SQLinjection
Correct Answer: D
Explanation
QUESTION 98
A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions. Which
identifier tracks an active program?
A. application identification number

B. active process identification number
C. runtime identification number
D. process identification number
Correct Answer: D
Explanation
QUESTION 99
An offline audit log contains the source IP address of a session suspected to have exploited a vulnerability resulting
in system compromise.
Which kind of evidence is this IP address?
A. best evidence
B. corroborative evidence
C. indirect evidence
D. forensic evidence
Correct Answer: B
Explanation
QUESTION 100
Which system monitors local system operation and local network access for violations of a security policy?
A. host-based intrusion detection

B. systems-based sandboxing
C. host-based firewall
D. antivirus
Correct Answer: C
Explanation
QUESTION 101
An analyst received an alert on their desktop computer showing that an attack was successful on the host.
After investigating, the analyst discovered that no mitigation action occurred during the attack. What is the
reason for this discrepancy?
A. The computer has a HIPS installed on it.

B. The computer has a NIPS installed on it.
C. The computer has a HIDS installed on it.
D. The computer has a NIDS installed on it.
Correct Answer: C
Explanation
QUESTION 102
A. A policy violation is active for host 10.10.101.24.

B. A host on the network is sending a DDoS attack to another inside host.
C. There are three active data exfiltration alerts.
D. A policy violation is active for host 10.201.3.149.
Correct Answer: B
Explanation
QUESTION 103
What is a difference between tampered and untampered disk images?
A. Tampered images have the same stored and computed hash.
B. Untampered images are deliberately altered to preserve as evidence.
C. Tampered images are used as evidence.
D. Untampered images are used for forensic investigations.
Correct Answer: C
Explanation
QUESTION 104
What is a sandbox interprocess communication service?
A. A collection of rules within the sandbox that prevent the communication between sandboxes.
B. A collection of network services that are activated on an interface, allowing for inter-port communication.
C. A collection of interfaces that allow for coordination of activities among processes.
D. A collection of host services that allow for communication between sandboxes.
Correct Answer: C
Explanation
QUESTION 105
Which regular expression matches "color" and "colour"?
A. colo?ur
B. col[0−
8]+our
C. colou?r
D. col[0−
9]+our
Correct Answer: C
Section: Network Intrusion Analysis
Explanation
QUESTION 106
Which artifact is used to uniquely identify a detected file?
A. file timestamp
B. file extension
C. file size
D. file hash
Correct Answer: D
Explanation
QUESTION 107
A security engineer deploys an enterprise-wide host/endpoint technology for all of the company's corporate PCs.
Management requests the engineer to block a selected set of applications on all PCs.
Which technology should be used to accomplish this task?
A. application whitelisting/blacklisting
B. network NGFW
C. host-based IDS
D. antivirus/antispyware software
Correct Answer: A
Explanation
QUESTION 108
Which utility blocks a host portscan?
A. HIDS
B. sandboxing
C. host-based firewall
D. antimalware
Correct Answer: C
Explanation
QUESTION 109
Which evasion technique is indicated when an intrusion detection system begins receiving an abnormally high
volume of scanning from numerous sources?
A. resource exhaustion
B. tunneling
C. traffic fragmentation
D. timing attack
Correct Answer: A
Explanation
QUESTION 110
DRAG DROP
Drag and drop the technology on the left onto the data type the technology provides on the right.
Select and Place:
Correct Answer:

Explanation
QUESTION 111
Refer to the exhibit. Which application protocol is in this PCAP file?
A. SSH
B. TCP
C. TLS
D. HTTP
Correct Answer: B
Explanation
QUESTION 112
DRAG DROP
Refer to the exhibit. Drag and drop the element name from the left onto the appropriate piece of the PCAP file on
the right.
Select and Place:

Correct Answer:

Explanation
QUESTION 113
Refer to the exhibit. What is the expected result when the "Allow subdissector to reassemble TCP streams" feature is
enabled?
A. insert TCP subdissectors

B. extract a file from a packet capture
C. disable TCP streams
D. unfragment TCP
Correct Answer: D
Explanation
QUESTION 114
Which type of data collection requires the largest amount of storage space?
A. alert data
B. transaction data
C. session data
D. full packet capture
Correct Answer: D
Explanation
QUESTION 115
An analyst discovers that a legitimate security alert has been dismissed.
Which signature caused this impact on network traffic?
A. true negative
B. false negative
C. false positive
D. true positive
Correct Answer: B
Explanation
QUESTION 116
Which signature impacts network traffic by causing legitimate traffic to be blocked?
A. false negative
B. true positive
C. true negative
D. false positive
Correct Answer: D
Explanation
QUESTION 117
Which two pieces of information are collected from the IPv4 protocol header? (Choose two.)
A. UDP port to which the traffic is destined

B. TCP port from which the traffic was sourced
C. source IP address of the packet
D. destination IP address of the packet
E. UDP port from which the traffic is sourced
Correct Answer: CD
Explanation
QUESTION 118
Which HTTP header field is used in forensics to identify the type of browser used?
A. referrer
B. host
C. user-agent
D. accept-language
Correct Answer: C
Explanation
QUESTION 119
Which event artifact is used to identify HTTP GET requests for a specific file?
A. destination IP address
B. TCP ACK
C. HTTP status code
D. URI
Correct Answer: D
Explanation
QUESTION 120
What should a security analyst consider when comparing inline traffic interrogation with traffic tapping to determine
which approach to use in the network?
A. Tapping interrogation replicates signals to a separate port for analyzing traffic

B. Tapping interrogations detect and block malicious traffic
C. Inline interrogation enables viewing a copy of traffic to ensure traffic is in compliance with security policies
D. Inline interrogation detects malicious traffic but does not block the traffic
Correct Answer: A
Explanation
QUESTION 121
At which layer is deep packet inspection investigated on a firewall?
A. internet
B. transport
C. application
D. data link
Correct Answer: C
Explanation
QUESTION 122
DRAG DROP
Drag and drop the access control models from the left onto its corresponding descriptions on the right.
Select and Place:

Correct Answer:

Explanation
QUESTION 123
What is a difference between inline traffic interrogation and traffic mirroring?
A. Inline inspection acts on the original traffic data flow

B. Traffic mirroring passes live traffic to a tool for blocking
C. Traffic mirroring inspects live traffic for analysis and mitigation
D. Inline traffic copies packets for analysis and security
Correct Answer: B
Explanation
QUESTION 124
A system administrator is ensuring that specific registry information is accurate.
Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?
A. file extension associations

B. hardware, software, and security settings for the system
C. currently logged in users, including folders and control panel settings
D. all users on the system, including visual settings
Correct Answer: B
Explanation
QUESTION 125
Refer to the exhibit. Which packet contains a file that is extractable within Wireshark? A.
2317
B. 1986
C. 2318
D. 2542
Correct Answer: D
Explanation
QUESTION 126
Which regex matches only on all lowercase letters?
A. [a−
z]+
B. [^a−
z]+
C. a−z+
D. a*z+
Correct Answer: A
Explanation
QUESTION 127
While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for multiple devices by
modifying the IP header.
Which technology makes this behavior possible?
A. encapsulation
B. TOR
C. tunneling
D. NAT
Correct Answer: D
Explanation
QUESTION 128
Which action should be taken if the system is overwhelmed with alerts when false positives and false negatives are
compared?
A. Modify the settings of the intrusion detection system.

B. Design criteria for reviewing alerts.
C. Redefine signature rules.
D. Adjust the alerts schedule.
Correct Answer: A
Explanation
QUESTION 129
What is the impact of false positive alerts on business compared to true positive?
A. True positives affect security as no alarm is raised when an attack has taken place, resulting in a potential
breach.
B. True positive alerts are blocked by mistake as potential attacks affecting application availability.
C. False positives affect security as no alarm is raised when an attack has taken place, resulting in a potential
breach.
D. False positive alerts are blocked by mistake as potential attacks affecting application availability.
Correct Answer: D
Explanation
QUESTION 130
An engineer needs to fetch logs from a proxy server and generate actual events according to the data
received. Which technology should the engineer use to accomplish this task?
A. Firepower
B. Email Security Appliance
C. Web Security Appliance
D. Stealthwatch
Correct Answer: D
Explanation
QUESTION 131
Refer to the exhibit. Which technology generates this log?
A. NetFlow
B. IDS
C. web proxy
D. firewall
Correct Answer: D
Explanation
QUESTION 132
Which filter allows an engineer to filter traffic in Wireshark to further analyze the PCAP file by only showing the traffic
for LAN 10.11.x.x, between workstations and servers without the Internet?
A. src=10.11.0.0/16 and dst=10.11.0.0/16

B. ip.src==10.11.0.0/16 and ip.dst==10.11.0.0/16
C. ip.src=10.11.0.0/16 and ip.dst=10.11.0.0/16
D. src==10.11.0.0/16 and dst==10.11.0.0/16
Correct Answer: B
Explanation
QUESTION 133
Which tool provides a full packet capture from network traffic?
A. Nagios
B. CAINE
C. Hydra
D. Wireshark
Correct Answer: D
Explanation
QUESTION 134
A company is using several network applications that require high availability and responsiveness, such that
milliseconds of latency on network traffic is not acceptable. An engineer needs to analyze the network and
identify ways to improve traffic movement to minimize delays. Which information must the engineer obtain for this
analysis?
A. total throughput on the interface of the router and NetFlow records

B. output of routing protocol authentication failures and ports used
C. running processes on the applications and their total network usage
D. deep packet captures of each application flow and duration
Correct Answer: D
Explanation
QUESTION 135
Refer to the exhibit. What is depicted in the exhibit?
A. Windows Event logs

B. Apache logs
C. IIS logs
D. UNIX-based syslog
Correct Answer: B
Explanation
QUESTION 136
Which technology should be used to implement a solution that makes routing decisions based on HTTP header,
uniform resource identifier, and SSL session ID attributes?
A. AWS
B. IIS
C. Load balancer
D. Proxy server
Correct Answer: D
Explanation
QUESTION 137
An organization has recently adjusted its security stance in response to online threats made by a known hacktivist
group.
What is the initial event called in the NIST SP800-61?
A. online assault
B. precursor
C. trigger
D. instigator
Correct Answer: B
Section: Security Policies and Procedures
Explanation
QUESTION 138
Which NIST IR category stakeholder is responsible for coordinating incident response among various business
units, minimizing damage, and reporting to regulatory agencies?
A. CSIRT
B. PSIRT
C. public affairs
D. management
Correct Answer: D
Explanation
QUESTION 139
Which incidence response step includes identifying all hosts affected by an attack?

B. post-incident activity
C. preparation
D. containment, eradication, and recovery
Correct Answer: D
Explanation
QUESTION 140
Which two elements are used for profiling a network? (Choose two.)
A. session duration
B. total throughput
C. running processes
D. listening ports
E. OS fingerprint
Correct Answer: DE
Explanation
QUESTION 141
Which category relates to improper use or disclosure of PII data?
A. legal
B. compliance
C. regulated
D. contractual
Correct Answer: C
Explanation
QUESTION 142
Which type of evidence supports a theory or an assumption that results from initial evidence?
A. probabilistic
B. indirect
C. best
D. corroborative
Correct Answer: D
Explanation
QUESTION 143
Which two elements are assets in the role of attribution in an investigation? (Choose two.)
A. context
B. session
C. laptop
D. firewall logs
E. threat actor
Correct Answer: AE
Explanation
QUESTION 144
What is personally identifiable information that must be safeguarded from unauthorized access?
A. date of birth
B. driver's license number
C. gender
D. zip code
Correct Answer: B
Explanation
QUESTION 145
In a SOC environment, what is a vulnerability management metric?
A. code signing enforcement

B. full assets scan
C. internet exposed devices
D. single factor authentication
Correct Answer: C
Explanation
QUESTION 146
A security expert is working on a copy of the evidence, an ISO file that is saved in CDFS format. Which type of
evidence is this file?
A. CD data copy prepared in Windows

B. CD data copy prepared in Mac-based system
C. CD data copy prepared in Linux system
D. CD data copy prepared in Android-based system
Correct Answer: A
Explanation
QUESTION 147
Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2? (Choose
two.)

B. post-incident activity
C. vulnerability management
D. risk assessment
E. vulnerability scoring
Correct Answer: AB
Explanation
Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
QUESTION 148
DRAG DROP
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the
Cyber Kill Chain model.
Select and Place:
Correct Answer:

Explanation
QUESTION 149
Refer to the exhibit. What does this output indicate?
A. HTTPS ports are open on the server.

B. SMB ports are closed on the server.
C. FTP ports are open on the server.
D. Email ports are closed on the server.
Correct Answer: D
Explanation
QUESTION 150
DRAG DROP
Drag and drop the elements from the left into the correct order for incident handling on the right.
Select and Place:
Correct Answer:
Explanation
QUESTION 151
Which metric should be used when evaluating the effectiveness and scope of a Security Operations Center?
A. The average time the SOC takes to register and assign the incident.
B. The total incident escalations per week.
C. The average time the SOC takes to detect and resolve the incident.
D. The total incident escalations per month.
Correct Answer: C
Explanation
QUESTION 152
A developer is working on a project using a Linux tool that enables writing processes to obtain these required
results:
If the process is unsuccessful, a negative value is returned.
If the process is successful, 0 value is returned to the child process, and the process ID is sent to the parent
process.
Which component results from this operation?
A. parent directory name of a file pathname

B. process spawn scheduled
C. macros for managing CPUsets
D. new process created by parent process
Correct Answer: B
Explanation
QUESTION 153
An engineer discovered a breach, identified the threat’s entry point, and removed access. The engineer was able to
identify the host, the IP address of the threat actor, and the application the threat actor targeted. What is the next
step the engineer should take according to the NIST SP 800-61 Incident handling guide?
A. Recover from the threat.

B. Analyze the threat.
C. Identify lessons learned from the threat.
D. Reduce the probability of similar threats.
Correct Answer: B
Explanation

153 With Answers

Uploaded by

Document Informationclick to expand document information

Document Informationclick to expand document information

Copyright:

Available Formats

153 With Answers

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

153 With Answers

Uploaded by

Copyright:

Available Formats

200-201 Exam

Understanding Cisco Cybersecurity

A. gaining root access

A. It lowers maintenance costs

What does CIA mean in this context?

A. confidentiality, identity, and authorization

A. proof of a user's identity

Which category classifies the intrusion?

Which method is used to identify a session from a group of logs?

A. physical location of an object in memory

A. It enumerates open ports on a network device

A. Deep packet inspection is more secure than stateful inspection on Layer 4

A. extended sleep calls

Correct Answer: DE Section:

Select and Place:

A. identifies, removes, and mitigates system vulnerabilities

A. the intellectual property that was stolen

A. principle of least privilege

A. Encryption analysis is used by attackers to monitor VPN tunnels.

A. The threat actor used a dictionary-based password attack to obtain credentials.

A. company assets that are threatened

A. A threat exploits a vulnerability

A. Agentless and agent-based protection for security are used.

Select and Place:

Correct Answer: AD Section:

A. any potential danger to an asset

Correct Answer: CE Section:

A. open ports of a web server

A. It authenticates client identity when requesting SSL certificate

Which information is available on the server certificate?

A. server name, trusted subordinate CA, and private key

A. by enabling an authenticated channel between the client and the server

A. ClientStart, ClientKeyExchange, cipher-suites it supports, and suggested compression methods

Refer to the exhibit. Which type of log is displayed?

Refer to the exhibit. Which type of log is displayed?

the impact of this traffic?

A. ransomware communicating after infection

Refer to the exhibit. What is occurring in this network?

A. ARP cache poisoning

A. Identifying network loops and collision domains.

Correct Answer: CE Section:

Select and Place:

Section: Security Monitoring

A. management and reporting

Correct Answer: DE Section:

A. Hypertext Transfer Protocol

A. tagged protocols being used on the network

Correct Answer: CE Section:

A. nmap --top-ports 192.168.1.0/24

Which obfuscation technique is the attacker using?

A. Untampered images are used in the security investigation process

A. detection and analysis

A. Host 10.201.3.149 is sending data to 152.46.6.91 using TCP/443.

What type of evidence is this file?

A. data from a CD copied using Mac-based system

A. proxy logs showing the source RFC 1918 IP addresses

Which type of evidence is this?

Refer to the exhibit. Which event is occurring?