
200-201 CBROPS


100% Valid and Newest Version 200-201 Questions & Answers shared by Certleader

https://www.certleader.com/200-201-dumps.html (263 Q&As)

200-201 Dumps

Understanding Cisco Cybersecurity Operations Fundamentals

https://www.certleader.com/200-201-dumps.html

The Leader of IT Certification visit - https://www.certleader.com



NEW QUESTION 1
Which regex matches only on all lowercase letters?

A. [az]+
B. [^az]+
C. az+
D. a*z+

Answer: A

NEW QUESTION 2
An analyst received a ticket regarding a degraded processing capability for one of the HR department's servers. On the same day, an engineer noticed a disabled
antivirus software and was not able to determine when or why it occurred. According to the NIST Incident Handling Guide, what is the next phase of this
investigation?

A. Recovery
B. Detection
C. Eradication
D. Analysis

Answer: B

NEW QUESTION 3
What is a difference between inline traffic interrogation and traffic mirroring?

A. Inline inspection acts on the original traffic data flow
B. Traffic mirroring passes live traffic to a tool for blocking
C. Traffic mirroring inspects live traffic for analysis and mitigation
D. Inline traffic copies packets for analysis and security

Answer: A

Explanation:
Inline traffic interrogation analyzes traffic in real time and can prevent certain traffic from being forwarded. Traffic mirroring does not pass the live traffic; instead it copies traffic from one or more source ports and sends the copied traffic to one or more destinations for analysis by a network analyzer or other monitoring device.

NEW QUESTION 4
What is the difference between deep packet inspection and stateful inspection?

A. Stateful inspection verifies contents at Layer 4, and deep packet inspection verifies connection at Layer 7.
B. Stateful inspection is more secure than deep packet inspection on Layer 7.
C. Deep packet inspection is more secure than stateful inspection on Layer 4.
D. Deep packet inspection allows visibility on Layer 7, and stateful inspection allows visibility on Layer 4.

Answer: D

NEW QUESTION 5
Which incident response step includes identifying all hosts affected by an attack?

A. detection and analysis
B. post-incident activity
C. preparation
D. containment, eradication, and recovery

Answer: D

Explanation:
Section 3.3.3, Identifying the Attacking Hosts: During incident handling, system owners and others sometimes want to or need to identify the attacking host or hosts. Although this information can be important, incident handlers should generally stay focused on containment, eradication, and recovery.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
The response phase, or containment, of incident response is the point at which the incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident.

NEW QUESTION 6
What is an advantage of symmetric over asymmetric encryption?

A. A key is generated on demand according to data type.
B. A one-time encryption key is generated for data transmission.
C. It is suited for transmitting large amounts of data.
D. It is a faster encryption mechanism for sessions

Answer: D


NEW QUESTION 7
What is a collection of compromised machines that attackers use to carry out a DDoS attack?

A. subnet
B. botnet
C. VLAN
D. command and control

Answer: B

NEW QUESTION 8
Drag and drop the type of evidence from the left onto the description of that evidence on the right.

A. Mastered
B. Not Mastered

Answer: A


NEW QUESTION 9
A system administrator is ensuring that specific registry information is accurate.
Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?

A. file extension associations
B. hardware, software, and security settings for the system
C. currently logged in users, including folders and control panel settings
D. all users on the system, including visual settings

Answer: B

Explanation:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users

NEW QUESTION 10
What is a benefit of using asymmetric cryptography?

A. decrypts data with one key
B. fast data transfer
C. secure data transfer
D. encrypts data with one key

Answer: C

NEW QUESTION 10
An automotive company provides new types of engines and special brakes for rally sports cars. The company has a database of inventions and patents for their engines and technical information. Customers can access the database through the company's website after they register and identify themselves. Which type of protected data is accessed by customers?

A. IP data
B. PII data
C. PSI data
D. PHI data

Answer: B

NEW QUESTION 13
Which evasion technique is indicated when an intrusion detection system begins receiving an abnormally high volume of scanning from numerous sources?

A. resource exhaustion
B. tunneling
C. traffic fragmentation


D. timing attack

Answer: A

Explanation:
Resource exhaustion is a type of denial-of-service attack; however, it can also be used to evade detection by security defenses. A simple definition of resource exhaustion is “consuming the resources necessary to perform an action.” (Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide)

NEW QUESTION 18
Which two elements are assets in the role of attribution in an investigation? (Choose two.)

A. context
B. session
C. laptop
D. firewall logs
E. threat actor

Answer: CD

Explanation:
The following factors are used during attribution in an investigation: assets, threat actor, Indicators of Compromise (IoCs), Indicators of Attack (IoAs), and chain of custody.
Asset: this factor identifies which assets were compromised by a threat actor or hacker. An example of an asset is an organization's domain controller (DC) that runs Active Directory Domain Services (AD DS). AD is a service that allows an administrator to manage user accounts, user groups, and policies across a Microsoft Windows environment. Keep in mind that an asset is anything that has value to an organization; it can be something physical, digital, or even people. (Cisco Certified CyberOps Associate 200-201 Certification Guide)

NEW QUESTION 22
Which piece of information is needed for attribution in an investigation?

A. proxy logs showing the source RFC 1918 IP addresses
B. RDP allowed from the Internet
C. known threat actor behavior
D. 802.1x RADIUS authentication pass and fail logs

Answer: C

Explanation:
This is the most important factor: knowing who attacked the network, what they did, how, and why.

NEW QUESTION 26
A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a
competitor.
Which type of evidence is this?

A. best evidence
B. prima facie evidence
C. indirect evidence
D. physical evidence

Answer: C

Explanation:
There are three general types of evidence:
--> Best evidence: can be presented in court in the original form (for example, an exact copy of a hard disk drive).
--> Corroborating evidence: tends to support a theory or an assumption deduced by some initial evidence. This corroborating evidence confirms the proposition.
--> Indirect or circumstantial evidence: extrapolation to a conclusion of fact (such as fingerprints, DNA evidence, and so on).

NEW QUESTION 29
An investigator is examining a copy of an ISO file that is stored in CDFS format. What type of evidence is this file?

A. data from a CD copied using Mac-based system
B. data from a CD copied using Linux system
C. data from a DVD copied using Windows system
D. data from a CD copied using Windows

Answer: B

Explanation:
CDfs is a virtual file system for Unix-like operating systems; it provides access to data and audio tracks on Compact Discs. When the CDfs driver mounts a
Compact Disc, it represents each track as a file. This is consistent with the Unix convention "everything is a file". Source: https://en.wikipedia.org/wiki/CDfs

NEW QUESTION 30
Refer to the exhibit.


Which field contains DNS header information if the payload is a query or a response?

A. Z
B. ID
C. TC
D. QR

Answer: B

NEW QUESTION 35
What is the difference between inline traffic interrogation and traffic mirroring?

A. Inline interrogation is less complex as traffic mirroring applies additional tags to data.
B. Traffic mirroring copies the traffic rather than forwarding it directly to the analysis tools
C. Inline replicates the traffic to preserve integrity rather than modifying packets before sending them to other analysis tools.
D. Traffic mirroring results in faster traffic analysis and inline is considerably slower due to latency.

Answer: A

NEW QUESTION 36
Refer to the exhibit.

Which two elements in the table are parts of the 5-tuple? (Choose two.)

A. First Packet
B. Initiator User
C. Ingress Security Zone
D. Source Port
E. Initiator IP

Answer: DE

NEW QUESTION 40
Which list identifies the information that the client sends to the server in the negotiation phase of the TLS handshake?

A. ClientStart, ClientKeyExchange, cipher-suites it supports, and suggested compression methods
B. ClientStart, TLS versions it supports, cipher-suites it supports, and suggested compression methods
C. ClientHello, TLS versions it supports, cipher-suites it supports, and suggested compression methods
D. ClientHello, ClientKeyExchange, cipher-suites it supports, and suggested compression methods

Answer: C


NEW QUESTION 45
A user received a targeted spear-phishing email and identified it as suspicious before opening the content. To which category of the Cyber Kill Chain model does this type of event belong?

A. weaponization
B. delivery
C. exploitation
D. reconnaissance

Answer: B

NEW QUESTION 50
Which information must an organization use to understand the threats currently targeting the organization?

A. threat intelligence
B. risk scores
C. vendor suggestions
D. vulnerability exposure

Answer: A

NEW QUESTION 54
A malicious file has been identified in a sandbox analysis tool.

Which piece of information is needed to search for additional downloads of this file by other hosts?

A. file header type
B. file size
C. file name
D. file hash value

Answer: D

NEW QUESTION 55
An engineer needs to fetch logs from a proxy server and generate actual events according to the data received. Which technology should the engineer use to
accomplish this task?

A. Firepower
B. Email Security Appliance
C. Web Security Appliance
D. Stealthwatch

Answer: C

NEW QUESTION 58
According to the September 2020 threat intelligence feeds, a new malware called Egregor was introduced and used in many attacks. Distribution of Egregor is primarily through a Cobalt Strike that has been installed on victims' workstations using RDP exploits. The malware exfiltrates the victim's data to a command and control server. The data is used to force victims to pay or lose it by having it publicly released. Which type of attack is described?

A. malware attack
B. ransomware attack
C. whale-phishing
D. insider threat

Answer: B


NEW QUESTION 60
An engineer is investigating a case of the unauthorized usage of the “Tcpdump” tool. The analysis revealed that a malicious insider attempted to sniff traffic on a
specific interface. What type of information did the malicious insider attempt to obtain?

A. tagged protocols being used on the network
B. all firewall alerts and resulting mitigations
C. tagged ports being used on the network
D. all information and data within the datagram

Answer: C

NEW QUESTION 65
Drag and drop the security concept on the left onto the example of that concept on the right.

A. Mastered
B. Not Mastered

Answer: A


NEW QUESTION 66
Which step in the incident response process researches an attacking host through logs in a SIEM?

A. detection and analysis
B. preparation
C. eradication
D. containment

Answer: A

Explanation:
The NIST incident response lifecycle is: Preparation --> Detection and Analysis --> Containment, Eradication and Recovery --> Post-Incident Activity.
Detection and Analysis includes: profile networks and systems; understand normal behaviors; create a log retention policy; perform event correlation; maintain and use a knowledge base of information; use Internet search engines for research; run packet sniffers to collect additional data; filter the data; seek assistance from others; keep all host clocks synchronized; know the different types of attacks and attack vectors; develop processes and procedures to recognize the signs of an incident; understand the sources of precursors and indicators; create appropriate incident documentation capabilities and processes; create processes to effectively prioritize security incidents; create processes to effectively communicate incident information (internal and external communications).
Ref: Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide

NEW QUESTION 68
What does cyber attribution identify in an investigation?

A. cause of an attack
B. exploit of an attack
C. vulnerabilities exploited
D. threat actors of an attack

Answer: D

Explanation:
https://www.techtarget.com/searchsecurity/definition/cyber-attribution


NEW QUESTION 70
Which evasion technique is a function of ransomware?

A. extended sleep calls
B. encryption
C. resource exhaustion
D. encoding

Answer: B

NEW QUESTION 71
Which process is used when IPS events are removed to improve data integrity?

A. data availability
B. data normalization
C. data signature
D. data protection

Answer: B

NEW QUESTION 75
What is rule-based detection when compared to statistical detection?

A. proof of a user's identity
B. proof of a user's action
C. likelihood of user's action
D. falsification of a user's identity

Answer: B

NEW QUESTION 77
Drag and drop the uses on the left onto the type of security system on the right.

A. Mastered
B. Not Mastered

Answer: A


NEW QUESTION 81

What describes the defense-in-depth principle?

A. defining precise guidelines for new workstation installations
B. categorizing critical assets within the organization
C. isolating guest Wi-Fi from the local network
D. implementing alerts for unexpected asset malfunctions

Answer: B

NEW QUESTION 84
Which technology prevents end-device to end-device IP traceability?

A. encryption
B. load balancing
C. NAT/PAT
D. tunneling

Answer: C

NEW QUESTION 89
Which event artifact is used to identify HTTP GET requests for a specific file?

A. destination IP address
B. TCP ACK
C. HTTP status code
D. URI

Answer: D

NEW QUESTION 90
Which data type is necessary to get information about source/destination ports?

A. statistical data
B. session data
C. connectivity data
D. alert data

Answer: B

Explanation:
Session data provides information about the 5-tuple: source IP address/port number, destination IP address/port number, and the protocol.
What is connectivity data? According to IBM, connectivity data defines how entities are connected in the network. It includes connections between different devices, and VLAN-related connections within the same device. https://www.ibm.com/docs/en/networkmanager/4.2.0?topic=relationships-connectivity-data

NEW QUESTION 92
An analyst is investigating an incident in a SOC environment. Which method is used to identify a session from a group of logs?

A. sequence numbers
B. IP identifier
C. 5-tuple
D. timestamps

Answer: C

NEW QUESTION 95
A security analyst notices a sudden surge of incoming traffic and detects unknown packets from unknown senders. After further investigation, the analyst learns that customers claim that they cannot access company servers. According to NIST SP800-61, in which phase of the incident response process is the analyst?

A. post-incident activity
B. detection and analysis
C. preparation
D. containment, eradication, and recovery

Answer: B

NEW QUESTION 97
Refer to the exhibit.

What is occurring in this network?


A. ARP cache poisoning
B. DNS cache poisoning
C. MAC address table overflow
D. MAC flooding attack

Answer: A

NEW QUESTION 101


What is a difference between tampered and untampered disk images?

A. Tampered images have the same stored and computed hash.
B. Tampered images are used as evidence.
C. Untampered images are used for forensic investigations.
D. Untampered images are deliberately altered to preserve as evidence

Answer: D

NEW QUESTION 106


Which HTTP header field is used in forensics to identify the type of browser used?

A. referrer
B. host
C. user-agent
D. accept-language

Answer: C

Explanation:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
In computing, a user agent is any software, acting on behalf of a user, which "retrieves, renders and facilitates end-user interaction with Web content". A user agent is therefore a special kind of software agent. https://en.wikipedia.org/wiki/User_agent#User_agent_identification
A user agent is a computer program representing a person, for example, a browser in a Web context. https://developer.mozilla.org/en-US/docs/Glossary/User_agent

NEW QUESTION 109


An engineer received an alert affecting the degraded performance of a critical server. Analysis showed a heavy CPU and memory load. What is the next step the
engineer should take to investigate this resource usage?

A. Run "ps -d" to decrease the priority state of high load processes to avoid resource exhaustion.
B. Run "ps -u" to find out who executed additional processes that caused a high load on a server.
C. Run "ps -ef" to understand which processes are taking a high amount of resources.
D. Run "ps -m" to capture the existing state of daemons and map required processes to find the gap.

Answer: C

NEW QUESTION 113


What is the principle of defense-in-depth?

A. Agentless and agent-based protection for security are used.
B. Several distinct protective layers are involved.
C. Access control models are involved.
D. Authentication, authorization, and accounting mechanisms are used.

Answer: B

NEW QUESTION 116


Refer to the exhibit.

What information is depicted?

A. IIS data
B. NetFlow data
C. network discovery event
D. IPS event data

Answer: B

NEW QUESTION 118


An engineer receives a security alert that traffic with a known TOR exit node has occurred on the network. What is the impact of this traffic?

A. ransomware communicating after infection
B. users downloading copyrighted content
C. data exfiltration
D. user circumvention of the firewall

Answer: D

NEW QUESTION 119


Refer to the exhibit.

What is occurring within the exhibit?

A. regular GET requests
B. XML External Entities attack
C. insecure deserialization
D. cross-site scripting attack

Answer: A

NEW QUESTION 124


Refer to the exhibit.

This request was sent to a web application server driven by a database. Which type of web server attack is represented?

A. parameter manipulation
B. heap memory corruption
C. command injection
D. blind SQL injection

Answer: D

NEW QUESTION 127


Which open-sourced packet capture tool uses Linux and Mac OS X operating systems?

A. NetScout
B. tcpdump
C. SolarWinds
D. netsh

Answer: B

NEW QUESTION 128


An intruder attempted malicious activity and exchanged emails with a user and received corporate information, including email distribution lists. The intruder asked the user to engage with a link in an email. When the link launched, it infected machines and the intruder was able to access the corporate network.
Which testing method did the intruder use?

A. social engineering
B. eavesdropping
C. piggybacking
D. tailgating

Answer: A

NEW QUESTION 130


What is the difference between vulnerability and risk?

A. A vulnerability is a sum of possible malicious entry points, and a risk represents the possibility of the unauthorized entry itself.
B. A risk is a potential threat that an exploit applies to, and a vulnerability represents the threat itself.
C. A vulnerability represents a flaw in security that can be exploited, and the risk is the potential damage it might cause.
D. A risk is a potential threat that adversaries use to infiltrate the network, and a vulnerability is an exploit.

Answer: C


NEW QUESTION 132


Which security technology allows only a set of pre-approved applications to run on a system?

A. application-level blacklisting
B. host-based IPS
C. application-level whitelisting
D. antivirus

Answer: C

NEW QUESTION 137


How does TOR alter data content during transit?

A. It spoofs the destination and source information protecting both sides.
B. It encrypts content and destination information over multiple layers.
C. It redirects destination traffic through multiple sources avoiding traceability.
D. It traverses source traffic through multiple destinations before reaching the receiver

Answer: B

NEW QUESTION 141


What is the practice of giving an employee access to only the resources needed to accomplish their job?

A. principle of least privilege
B. organizational separation
C. separation of duties
D. need to know principle

Answer: A

NEW QUESTION 143


Drag and drop the security concept from the left onto the example of that concept on the right.

A. Mastered
B. Not Mastered

Answer: A


NEW QUESTION 146


Drag and drop the technology on the left onto the data type the technology provides on the right.

A. Mastered
B. Not Mastered

Answer: A

NEW QUESTION 148


Which two elements are used for profiling a network? (Choose two.)

A. session duration
B. total throughput
C. running processes
D. listening ports
E. OS fingerprint

Answer: AB

Explanation:
A network profile should include some important elements, such as the following:
Total throughput: the amount of data passing from a given source to a given destination in a given period of time
Session duration: the time between the establishment of a data flow and its termination
Ports used: a list of TCP or UDP processes that are available to accept data
Critical asset address space: the IP addresses or the logical location of essential systems or data
Profiling data is data that the system has gathered; it helps with incident response and incident detection. Network profiling = throughput, session duration, ports used, critical asset address space. Host profiling = listening ports, logged-in accounts, running processes, running tasks, applications.

NEW QUESTION 150


Refer to the exhibit.

What is occurring in this network traffic?

A. High rate of SYN packets being sent from a multiple source towards a single destination IP.
B. High rate of ACK packets being sent from a single source IP towards multiple destination IPs.
C. Flood of ACK packets coming from a single source IP to multiple destination IPs.
D. Flood of SYN packets coming from a single source IP to a single destination IP.

Answer: D

NEW QUESTION 155


Refer to the exhibit.

A workstation downloads a malicious docx file from the Internet and a copy is sent to FTDv. The FTDv sends the file hash to FMC and the file event is recorded. What would have occurred with stronger data visibility?

A. The traffic would have been monitored at any segment in the network.
B. Malicious traffic would have been blocked on multiple devices
C. An extra level of security would have been in place
D. Detailed information about the data in real time would have been provided

Answer: B

NEW QUESTION 160


Refer to the exhibit.

Which type of log is displayed?

A. IDS
B. proxy
C. NetFlow
D. sys

Answer: A

Explanation:
You also see the 5-tuple in IPS events, NetFlow records, and other event data. In fact, on the exam you may need to differentiate between a firewall log versus a
traditional IPS or IDS event. One of the things to remember is that traditional IDS and IPS use signatures, so an easy way to differentiate is by looking for a
signature ID (SigID). If you see a signature ID, then most definitely the event is a traditional IPS or IDS event.

NEW QUESTION 162


What describes the impact of false-positive alerts compared to false-negative alerts?

A. A false negative is alerting for an XSS attack.
B. An engineer investigates the alert and discovers that an XSS attack happened. A false positive is when an XSS attack happens and no alert is raised.
C. A false negative is a legitimate attack triggering a brute-force alert.
D. An engineer investigates the alert and finds out someone intended to break into the system. A false positive is when no alert and no attack is occurring.
E. A false positive is an event alerting for a brute-force attack. An engineer investigates the alert and discovers that a legitimate user entered the wrong credential several times. A false negative is when a threat actor tries to brute-force attack a system and no alert is raised.
F. A false positive is an event alerting for an SQL injection attack. An engineer investigates the alert and discovers that an attack attempt was blocked by IPS. A false negative is when the attack gets detected but succeeds and results in a breach.

Answer: C

NEW QUESTION 165


Refer to the exhibit.


An engineer is analyzing this Cuckoo Sandbox report for a PDF file that has been downloaded from an email. What is the state of this file?

A. The file has an embedded executable and was matched by PEiD threat signatures for further analysis.
B. The file has an embedded non-Windows executable but no suspicious features are identified.
C. The file has an embedded Windows 32 executable and the Yara field lists suspicious features for further analysis.
D. The file was matched by PEiD threat signatures but no suspicious features are identified since the signature list is up to date.

Answer: C

NEW QUESTION 168


During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?

A. examination
B. investigation
C. collection
D. reporting

Answer: C

NEW QUESTION 172


An engineer needs to have visibility on TCP bandwidth usage, response time, and latency, combined with deep packet inspection to identify unknown software by
its network traffic flow. Which two features of Cisco Application Visibility and Control should the engineer use to accomplish this goal? (Choose two.)

A. management and reporting
B. traffic filtering
C. adaptive AVC
D. metrics collection and exporting
E. application recognition

Answer: AE

NEW QUESTION 173


Which security principle requires that more than one person perform a critical task?

A. least privilege
B. need to know
C. separation of duties
D. due diligence

Answer: C

NEW QUESTION 177


Which two pieces of information are collected from the IPv4 protocol header? (Choose two.)

A. UDP port to which the traffic is destined
B. TCP port from which the traffic was sourced
C. source IP address of the packet
D. destination IP address of the packet
E. UDP port from which the traffic is sourced


Answer: CD

NEW QUESTION 182


Refer to the exhibit.

What is depicted in the exhibit?

A. Windows Event logs
B. Apache logs
C. IIS logs
D. UNIX-based syslog

Answer: B

NEW QUESTION 187


Which security monitoring data type requires the largest storage space?

A. transaction data
B. statistical data
C. session data
D. full packet capture

Answer: D

NEW QUESTION 188


Which technology should be used to implement a solution that makes routing decisions based on HTTP header, uniform resource identifier, and SSL session ID
attributes?

A. AWS
B. IIS
C. Load balancer
D. Proxy server

Answer: C

Explanation:
Load balancing: HTTP(S) load balancing is one of the oldest forms of load balancing. This form of load balancing relies on layer 7, which means it operates in the application layer. This allows routing decisions based on attributes like HTTP header, uniform resource identifier, SSL session ID, and HTML form data.
Load balancing applies to layers 4-7 in the seven-layer Open System Interconnection (OSI) model. Its capabilities are:
L4: directing traffic based on network data and transport layer protocols, e.g., IP address and TCP port.
L7: adds content switching to load balancing, allowing routing decisions depending on characteristics such as HTTP header, uniform resource identifier, SSL session ID, and HTML form data.
GSLB: Global Server Load Balancing expands L4 and L7 capabilities to servers in different sites.

NEW QUESTION 193


An analyst is investigating a host in the network that appears to be communicating to a command and control server on the Internet. After collecting this packet
capture, the analyst cannot determine the technique and payload used for the communication.


Which obfuscation technique is the attacker using?

A. Base64 encoding
B. TLS encryption
C. SHA-256 hashing
D. ROT13 encryption

Answer: B

Explanation:
The beacon is carried over TLS (HTTPS, TCP/443), so the application payload is encrypted and nothing in the capture reveals the technique or payload used. Base64 and ROT13 are reversible transformations that can be undone directly from the capture (ROT13 is a letter substitution, not encryption, and is considered trivially weak), and SHA-256 is a one-way hash that cannot carry a payload at all. Source: https://en.wikipedia.org/wiki/ROT13
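The following Python helper is an added example, not part of the exam material: it triages a captured payload into the four categories named in the options. The samples are constructed, and the heuristics (a TLS record header, a 64-character hex digest, a decodable Base64 alphabet string, readable tokens after undoing ROT13) are deliberately simple assumptions for the illustration; the point it makes is that only the TLS case leaves the analyst with nothing to decode.

```python
import base64
import binascii
import codecs
import re
import string
from typing import List

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable.encode())
# Tokens that, once ROT13 is undone, suggest a readable command or URL.
# Constructed list for the example; a real tool would use a dictionary.
ROT13_HINTS = ("the", "and", "get", "post", "cmd", "http", "https")


def is_text(data: bytes) -> bool:
    """True when every byte is printable ASCII; used to judge whether a decode worked."""
    return bool(data) and all(b in PRINTABLE for b in data)


def classify(payload: bytes) -> str:
    """Return 'tls', 'sha256', 'base64', 'rot13', 'plaintext' or 'unknown'.

    Rules are ordered: a TLS record is checked first because its bytes are
    not text at all, and the one-way hash before Base64 because a hex digest
    is also a valid Base64 alphabet string.
    """
    # TLS record header: content type 0x14-0x17, then version 0x03 0x00-0x04.
    if (len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "tls"
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    if SHA256_HEX.match(text):
        return "sha256"          # one-way: identifies a payload, cannot carry one
    if B64_ALPHABET.match(text) and len(text) % 4 == 0:
        try:
            if is_text(base64.b64decode(text, validate=True)):
                return "base64"  # reversible encoding, undone in one step
        except binascii.Error:
            pass
    # ROT13 is its own inverse; undo it and look for readable tokens.
    rotated = codecs.decode(text, "rot_13").lower().split()
    if any(tok.strip("/:") in ROT13_HINTS for tok in rotated):
        return "rot13"
    return "plaintext" if is_text(payload) else "unknown"


def constructed_samples() -> List[bytes]:
    """Synthetic payloads, one per category, built for this example."""
    return [
        b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",            # TLS ClientHello record header
        b"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # SHA-256 of ""
        base64.b64encode(b"cmd.exe /c whoami"),
        codecs.encode("GET /beacon HTTP/1.1", "rot_13").encode(),
        b"GET / HTTP/1.1",
    ]
```

In practice the TLS branch is where the investigation continues by other means: JA3/JA3S fingerprints, SNI, certificate details and beacon timing are all visible without the plaintext, which is why they are the usual next step when the payload itself cannot be read.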

NEW QUESTION 194


What is a difference between data obtained from Tap and SPAN ports?

A. Tap mirrors existing traffic from specified ports, while SPAN presents more structured data for deeper analysis.
B. SPAN passively splits traffic between a network device and the network without altering it, while Tap alters response times.
C. SPAN improves the detection of media errors, while Tap provides direct access to traffic with lowered data visibility.
D. Tap sends traffic from physical layers to the monitoring device, while SPAN provides a copy of network traffic from switch to destination

Answer: D

NEW QUESTION 199


A security expert is working on a copy of the evidence, an ISO file that is saved in CDFS format. Which type of evidence is this file?

A. CD data copy prepared in Windows
B. CD data copy prepared in Mac-based system
C. CD data copy prepared in Linux system
D. CD data copy prepared in Android-based system
D. CD data copy prepared in Android-based system

Answer: A

NEW QUESTION 202


Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2? (Choose two.)

A. detection and analysis
B. post-incident activity
C. vulnerability management
D. risk assessment
E. vulnerability scoring

Answer: AB

NEW QUESTION 207


Refer to the exhibit.


What is shown in this PCAP file?

A. Timestamps are indicated with error.
B. The protocol is TCP.
C. The User-Agent is Mozilla/5.0.
D. The HTTP GET is encoded.

Answer: D

NEW QUESTION 209


Which type of data collection requires the largest amount of storage space?

A. alert data
B. transaction data
C. session data
D. full packet capture

Answer: D

NEW QUESTION 213


Which regular expression is needed to capture the IP address 192.168.20.232?

A. ^(?:[0-9]{1,3}\.){3}[0-9]{1,3}
B. ^(?:[0-9]{1,3}\.){1,4}
C. ^(?:[0-9]{1,3}\.)'
D. ^([0-9]-{3})

Answer: A
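Added example, not from the exam material: the answer's regex run over constructed log lines in Python, beside a stricter version that limits each octet to 0-255 and refuses a trailing digit. The loose pattern happily returns 999.1.1.1, and the first four octets of 192.168.20.2321, which matters when the captured value feeds an allow list or a SIEM field.

```python
import re
from typing import List, Optional

# The exam answer: anchored at line start, three "octet." groups, then a final octet.
LOOSE_IP = re.compile(r"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}")

# Stricter form: each octet limited to 0-255 and the address must end at a
# non-digit, so 999.1.1.1 and 192.168.20.2321 are both rejected.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
STRICT_IP = re.compile(rf"^(?:{OCTET}\.){{3}}{OCTET}(?![0-9])")


def capture_ip(line: str, strict: bool = False) -> Optional[str]:
    """Return the IPv4 address at the start of `line`, or None if there is none."""
    m = (STRICT_IP if strict else LOOSE_IP).match(line)
    return m.group(0) if m else None


def constructed_lines() -> List[str]:
    """Synthetic log lines for this example; not real traffic."""
    return [
        '192.168.20.232 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200',
        "999.1.1.1 - not a valid octet",
        "192.168.20.2321 - one digit too many",
        "host=192.168.20.232 does not start with the address",
    ]
```

Both patterns are anchored with `^`, so an address that is not at the start of the line is missed entirely; drop the anchor (or use `re.search`) when the field position is not fixed, and keep the negative lookahead so a longer digit run is not silently truncated to a plausible address.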

NEW QUESTION 215


What is a purpose of a vulnerability management framework?

A. identifies, removes, and mitigates system vulnerabilities
B. detects and removes vulnerabilities in source code
C. conducts vulnerability scans on the network
D. manages a list of reported vulnerabilities

Answer: A

NEW QUESTION 216


Drag and drop the event term from the left onto the description on the right.


NEW QUESTION 217


Which security model assumes an attacker within and outside of the network and enforces strict verification
before connecting to any system or resource within the organization?

A. Biba
B. Object-capability
C. Take-Grant
D. Zero Trust

Answer: D

Explanation:
Zero Trust security is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network,
regardless of whether they are sitting within or outside of the network perimeter.

NEW QUESTION 219


What is the difference between indicator of attack (IoA) and indicators of compromise (IoC)?

A. IoA is the evidence that a security breach has occurred, and IoC allows organizations to act before the vulnerability can be exploited.
B. IoA refers to the individual responsible for the security breach, and IoC refers to the resulting loss.
C. IoC is the evidence that a security breach has occurred, and IoA allows organizations to act before the vulnerability can be exploited.
D. IoC refers to the individual responsible for the security breach, and IoA refers to the resulting loss.

Answer: C

NEW QUESTION 220


An engineer received a flood of phishing emails from HR with the source address HRjacobm@companycom. What is the threat actor in this scenario?

A. phishing email
B. sender
C. HR
D. receiver

Answer: B

NEW QUESTION 221


Refer to the exhibit.


Which technology generates this log?

A. NetFlow
B. IDS
C. web proxy
D. firewall

Answer: D

NEW QUESTION 226


What are two denial-of-service (DoS) attacks? (Choose two)

A. port scan
B. SYN flood
C. man-in-the-middle
D. phishing
E. teardrop

Answer: BE

Explanation:
A SYN flood fills the target's half-open connection table with SYNs that are never completed, and teardrop sends overlapping IP fragments that crash vulnerable reassembly code; both deny service. A port scan is reconnaissance, man-in-the-middle is interception, and phishing is social engineering, so none of those is a denial-of-service attack.
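Added example, not part of the exam material: detection logic in Python for the two denial-of-service attacks among the options, SYN flood and teardrop, run over a constructed packet summary. The record layout, thresholds and addresses are assumptions made for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Pkt:
    """One packet summary; the field names are assumptions for this example."""
    src: str
    dst: str
    flags: str = ""                 # TCP flags: "S" SYN, "SA" SYN-ACK, "A" ACK
    frag_id: Optional[int] = None   # IP identification, set only for fragments
    frag_off: int = 0               # fragment offset in bytes
    length: int = 0                 # fragment payload length in bytes


def syn_flood_targets(pkts: List[Pkt], min_syns: int = 50,
                      max_ack_ratio: float = 0.2) -> List[str]:
    """Destinations that receive many SYNs but almost no completing ACKs.

    A legitimate client sends SYN, receives SYN-ACK and answers with ACK, so
    SYN and ACK counts per server stay close. A flood leaves the server's
    half-open table full of SYNs from many sources with no third packet.
    """
    syns = defaultdict(int)
    acks = defaultdict(int)
    for p in pkts:
        if p.flags == "S":
            syns[p.dst] += 1
        elif p.flags == "A":
            acks[p.dst] += 1
    return sorted(dst for dst, n in syns.items()
                  if n >= min_syns and acks[dst] / n <= max_ack_ratio)


def teardrop_trains(pkts: List[Pkt]) -> List[Tuple[str, str, int]]:
    """(src, dst, id) of fragment trains whose offsets overlap.

    Teardrop sends a fragment whose offset falls inside the previous fragment;
    correct reassembly code drops the train, vulnerable code crashes.
    """
    trains = defaultdict(list)
    for p in pkts:
        if p.frag_id is not None:
            trains[(p.src, p.dst, p.frag_id)].append((p.frag_off, p.length))
    overlapping = []
    for key, frags in trains.items():
        end = 0
        for off, ln in sorted(frags):
            if off < end:          # starts before the previous fragment ended
                overlapping.append(key)
                break
            end = off + ln
    return overlapping


def constructed_capture() -> List[Pkt]:
    """Synthetic traffic: a SYN flood against 10.0.0.5 from 200 spoofed
    sources, one normal handshake with 10.0.0.6, and a two-fragment
    teardrop train aimed at 10.0.0.7."""
    pkts = [Pkt(f"203.0.113.{i % 250 + 1}", "10.0.0.5", "S") for i in range(200)]
    pkts += [Pkt("198.51.100.7", "10.0.0.6", "S"),
             Pkt("10.0.0.6", "198.51.100.7", "SA"),
             Pkt("198.51.100.7", "10.0.0.6", "A")]
    pkts += [Pkt("198.51.100.9", "10.0.0.7", frag_id=77, frag_off=0, length=1480),
             Pkt("198.51.100.9", "10.0.0.7", frag_id=77, frag_off=1000, length=600)]
    return pkts
```

The SYN-to-ACK ratio is deliberately computed per destination rather than per source: flood sources are spoofed and each appears once, so any per-source threshold would stay below the alarm level while the server is already saturated.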

NEW QUESTION 227


Refer to the exhibit.

What does the output indicate about the server with the IP address 172.18.104.139?

A. open ports of a web server
B. open port of an FTP server
C. open ports of an email server
D. running processes of the server

Answer: C

NEW QUESTION 232


What is a difference between SIEM and SOAR?

A. SOAR predicts and prevents security alerts, while SIEM checks attack patterns and applies the mitigation.
B. SIEM's primary function is to collect and detect anomalies, while SOAR is more focused on security operations automation and response.
C. SIEM predicts and prevents security alerts, while SOAR checks attack patterns and applies the mitigation.
D. SOAR's primary function is to collect and detect anomalies, while SIEM is more focused on security operations automation and response.

Answer: B

NEW QUESTION 235


......
