Questions and Answers PDF 1/101

Thank You for your purchase

om
Cisco 200-201 Exam Question & Answers
Understanding Cisco Cybersecurity Operations

.c
Fundamentals Exam

ps
m
du
am
ex
id
al
.v
w
w
// w
s:
tp
ht

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 2/101

Product Questions: 244

Version: 10.0

Question: 1

om
Which event is user interaction?

.c
A. gaining root access
B. executing remote code

ps
C. reading and writing file permission
D. opening a malicious file

m
du
Answer: D
Explanation:
am
Question: 2
ex
id

Which security principle requires more than one person is required to perform a critical task?
al

A. least privilege
.v

B. need to know
C. separation of duties
w

D. due diligence
w
w

Answer: C
//

Explanation:
s:
tp

Question: 3
ht

How is attacking a vulnerability categorized?

A. action on objectives
B. delivery
C. exploitation
D. installation

Answer: C
Explanation:

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 3/101

Question: 4

What is a benefit of agent-based protection when compared to agentless protection?

A. It lowers maintenance costs

B. It provides a centralized platform
C. It collects and detects all traffic locally
D. It manages numerous devices simultaneously

Answer: C

om
Explanation:

.c
Host-based antivirus protection is also known as agent-based. Agent-based antivirus runs on every
protected machine. Agentless antivirus protection performs scans on hosts from a centralized

ps
system. Agentless systems have become popular for virtualized environments in which multiple OS
instances are running on a host simultaneously. Agent-based antivirus running in each virtualized

m
system can be a serious drain on system resources. Agentless antivirus for virtual hosts involves the

du
use of a special security virtual appliance that performs optimized scanning tasks on the virtual hosts.
An example of this is VMware’s vShield.
am
Question: 5
ex

Which principle is being followed when an analyst gathers information relevant to a security incident
id

to determine the appropriate course of action?

al

A. decision making
.v

B. rapid response
w

C. data mining
w

D. due diligence
w

Answer: B
//

Explanation:
s:
tp

Question: 6
ht

One of the objectives of information security is to protect the CIA of information and systems. What
does CIA mean in this context?

A. confidentiality, identity, and authorization

B. confidentiality, integrity, and authorization
C. confidentiality, identity, and availability
D. confidentiality, integrity, and availability

Answer: D
Explanation:

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 4/101

Question: 7

What is rule-based detection when compared to statistical detection?

A. proof of a user's identity

B. proof of a user's action
C. likelihood of user's action
D. falsification of a user's identity

Answer: B

om
Explanation:

.c
Question: 8

ps
m
A user received a malicious attachment but did not run it. Which category classifies the intrusion?

A. weaponization
du
am
B. reconnaissance
C. installation
ex

D. delivery
id

Answer: D
al

Explanation:
.v

Question: 9
w
w

Which process is used when IPS events are removed to improve data integrity?
// w

A. data availability
s:

B. data normalization
C. data signature
tp

D. data protection
ht

Answer: B
Explanation:

Question: 10

An analyst is investigating an incident in a SOC environment. Which method is used to identify a

session from a group of logs?

A. sequence numbers
B. IP identifier

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 5/101

C. 5-tuple
D. timestamps

Answer: C
Explanation:

Question: 11

What is a difference between SOAR and SIEM?

A. SOAR platforms are used for threat and vulnerability management, but SIEM applications are not

om
B. SIEM applications are used for threat and vulnerability management, but SOAR platforms are not
C. SOAR receives information from a single platform and delivers it to a SIEM

.c
D. SIEM receives information from a single platform and delivers it to a SOAR

ps
Answer: A

m
Explanation:

Question: 12 du
am
What is the difference between mandatory access control (MAC) and discretionary access control
ex

(DAC)?
id

A. MAC is controlled by the discretion of the owner and DAC is controlled by an administrator
al

B. MAC is the strictest of all levels of control and DAC is object-based access
.v

C. DAC is controlled by the operating system and MAC is controlled by an administrator

D. DAC is the strictest of all levels of control and MAC is object-based access
w
w

Answer: B
w

Explanation:
//
s:

Question: 13
tp

What is the practice of giving employees only those permissions necessary to perform their specific
ht

role within an organization?

A. least privilege
B. need to know
C. integrity validation
D. due diligence

Answer: A
Explanation:

Question: 14

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 6/101

What is the virtual address space for a Windows process?

A. physical location of an object in memory

B. set of pages that reside in the physical memory
C. system-level memory protection feature built into the operating system
D. set of virtual memory addresses that can be used

Answer: D
Explanation:

om
Question: 15

.c
Which security principle is violated by running all processes as root or administrator?

ps
A. principle of least privilege

m
B. role-based access control

du
C. separation of duties
D. trusted computing base
am
Answer: A
ex

Explanation:
id

Question: 16
al
.v

What is the function of a command and control server?

w

A. It enumerates open ports on a network device

w

B. It drops secondary payload into malware

w

C. It is used to regain control of the network after a compromise

D. It sends instruction to a compromised system
//
s:

Answer: D
tp

Explanation:
ht

Question: 17

What is the difference between deep packet inspection and stateful inspection?

A. Deep packet inspection is more secure than stateful inspection on Layer 4

B. Stateful inspection verifies contents at Layer 4 and deep packet inspection verifies connection at
Layer 7
C. Stateful inspection is more secure than deep packet inspection on Layer 7
D. Deep packet inspection allows visibility on Layer 7 and stateful inspection allows visibility on Layer
4

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 7/101

Answer: D
Explanation:

Question: 18

Which evasion technique is a function of ransomware?

A. extended sleep calls

B. encryption
C. resource exhaustion

om
D. encoding

.c
Answer: B

ps
Explanation:

m
du
Question: 19
am
ex

Refer to the exhibit.

id
al
.v
w
w
// w
s:
tp
ht

Which two elements in the table are parts of the 5-tuple? (Choose two.)

A. First Packet
B. Initiator User
C. Ingress Security Zone
D. Source Port
E. Initiator IP

Answer: DE
Explanation:

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 8/101

Question: 20

DRAG DROP

Drag and drop the security concept on the left onto the example of that concept on the right.

om
.c
ps
m
Answer:

du
Explanation:
am
ex
id
al
.v
w
w
// w

Question: 21
s:

What is the difference between statistical detection and rule-based detection models?
tp

A. Rule-based detection involves the collection of data in relation to the behavior of legitimate users
ht

over a period of time

B. Statistical detection defines legitimate data of users over a period of time and rule-based
detection defines it on an IF/THEN basis
C. Statistical detection involves the evaluation of an object on its intended actions before it executes
that behavior
D. Rule-based detection defines legitimate data of users over a period of time and statistical
detection defines it on an IF/THEN basis

Answer: B
Explanation:

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 9/101

Question: 22

What is the difference between a threat and a risk?

A. Threat represents a potential danger that could take advantage of a weakness in a system
B. Risk represents the known and identified loss or danger in the system
C. Risk represents the nonintentional interaction with uncertainty in the system
D. Threat represents a state of being exposed to an attack or a compromise, either physically or
logically.

Answer: A

om
Explanation:

.c
A threat is any potential danger to an asset. If a vulnerability exists but has not yet been exploited—
or, more importantly, it is not yet publicly known—the threat is latent and not yet realized.

ps
Question: 23

m
du
Which attack method intercepts traffic on a switched network?
am
A. denial of service
ex

B. ARP cache poisoning

C. DHCP snooping
id

D. command and control

al

Answer: B
.v

Explanation:
w
w

An ARP-based MITM attack is achieved when an attacker poisons the ARP cache of two devices with
w

the MAC address of the attacker's network interface card (NIC). Once the ARP caches have been
successfully poisoned, each victim device sends all its packets to the attacker when communicating
//

to the other device and puts the attacker in the middle of the communications path between the two
s:

victim devices. It allows an attacker to easily monitor all communication between victim devices. The
tp

intent is to intercept and view the information being passed between the two victim devices and
ht

potentially introduce sessions and traffic between the two victim devices

Question: 24

What does an attacker use to determine which network ports are listening on a potential target
device?

A. man-in-the-middle
B. port scanning
C. SQL injection
D. ping sweep

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 10/101

Answer: B
Explanation:

Question: 25

What is a purpose of a vulnerability management framework?

A. identifies, removes, and mitigates system vulnerabilities

B. detects and removes vulnerabilities in source code
C. conducts vulnerability scans on the network
D. manages a list of reported vulnerabilities

om
Answer: A

.c
Explanation:

ps
Question: 26

m
du
A network engineer discovers that a foreign government hacked one of the defense contractors in
their home country and stole intellectual property. What is the threat agent in this situation?
am
A. the intellectual property that was stolen
B. the defense contractor who stored the intellectual property
ex

C. the method used to conduct the attack

id

D. the foreign government that conducted the attack

al

Answer: D
.v

Explanation:
w
w

Question: 27
// w

What is the practice of giving an employee access to only the resources needed to accomplish their
s:

job?
tp

A. principle of least privilege

ht

B. organizational separation
C. separation of duties
D. need to know principle

Answer: A
Explanation:

Question: 28

Which metric is used to capture the level of access needed to launch a successful attack?

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 11/101

A. privileges required
B. user interaction
C. attack complexity
D. attack vector

Answer: A
Explanation:

Question: 29

What is the difference between an attack vector and attack surface?

om
A. An attack surface identifies vulnerabilities that require user input or validation; and an attack

.c
vector identifies vulnerabilities that are independent of user actions.
B. An attack vector identifies components that can be exploited, and an attack surface identifies the

ps
potential path an attack can take to penetrate the network.
C. An attack surface recognizes which network parts are vulnerable to an attack; and an attack vector

m
identifies which attacks are possible with these vulnerabilities.

du
D. An attack vector identifies the potential outcomes of an attack; and an attack surface launches an
attack using several methods against the identified vulnerabilities.
am
Answer: C
ex

Explanation:
id

Question: 30
al
.v

Which metric in CVSS indicates an attack that takes a destination bank account number and replaces
it with a different bank account number?
w
w
w

A. integrity
B. confidentiality
//

C. availability
s:

D. scope
tp
ht

Answer: A
Explanation:

Question: 31

A security specialist notices 100 HTTP GET and POST requests for multiple pages on the web servers.
The agent in the requests contains PHP code that, if executed, creates and writes to a new PHP file
on the webserver. Which event category is described?

A. reconnaissance
B. action on objectives

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 12/101

C. installation
D. exploitation

Answer: C
Explanation:

Question: 32

What specific type of analysis is assigning values to the scenario to see expected outcomes?

A. deterministic

om
B. exploratory
C. probabilistic

.c
D. descriptive

ps
Answer: A

m
Explanation:

du
Question: 33
am
When trying to evade IDS/IPS devices, which mechanism allows the user to make the data
incomprehensible without a specific key, certificate, or password?
ex
id

A. fragmentation
B. pivoting
al

C. encryption
.v

D. stenography
w

Answer: C
w

Explanation:
// w

https://techdifferences.com/difference-between-steganography-and-
s:

cryptography.html#:~:text=The%20steganography%20and%20cryptography%20are,the%20structure
%20of%20the%20message.
tp
ht

Question: 34

Why is encryption challenging to security monitoring?

A. Encryption analysis is used by attackers to monitor VPN tunnels.

B. Encryption is used by threat actors as a method of evasion and obfuscation.
C. Encryption introduces additional processing requirements by the CPU.
D. Encryption introduces larger packet sizes to analyze and store.

Answer: B
Explanation:

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 13/101

Question: 35

An employee reports that someone has logged into their system and made unapproved changes,
files are out of order, and several documents have been placed in the recycle bin. The security
specialist reviewed the system logs, found nothing suspicious, and was not able to determine what
occurred. The software is up to date; there are no alerts from antivirus and no failed login attempts.
What is causing the lack of data visibility needed to detect the attack?

A. The threat actor used a dictionary-based password attack to obtain credentials.

B. The threat actor gained access to the system by known credentials.

om
C. The threat actor used the teardrop technique to confuse and crash login services.
D. The threat actor used an unknown vulnerability of the operating system that went undetected.

.c
Answer: C

ps
Explanation:

m
Question: 36

du
A company receptionist received a threatening call referencing stealing assets and did not take any
am
action assuming it was a social engineering attempt. Within 48 hours, multiple assets were breached,
affecting the confidentiality of sensitive information. What is the threat actor in this incident?
ex

A. company assets that are threatened

id

B. customer assets that are threatened

al

C. perpetrators of the attack

D. victims of the attack
.v
w

Answer: B
w

Explanation:
// w
s:

Question: 37
tp

What is the relationship between a vulnerability and a threat?

ht

A. A threat exploits a vulnerability

B. A vulnerability is a calculation of the potential loss caused by a threat
C. A vulnerability exploits a threat
D. A threat is a calculation of the potential loss caused by a vulnerability

Answer: A
Explanation:

Question: 38

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 14/101

What is the principle of defense-in-depth?

A. Agentless and agent-based protection for security are used.

B. Several distinct protective layers are involved.
C. Access control models are involved.
D. Authentication, authorization, and accounting mechanisms are used.

Answer: B
Explanation:

Question: 39

om
DRAG DROP

.c
Drag and drop the uses on the left onto the type of security system on the right.

ps
m
du
am
ex
id
al
.v

Answer:
w

Explanation:
w
// w
s:
tp
ht

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 15/101

Question: 40
What is the difference between the rule-based detection when compared to behavioral detection?

A. Rule-Based detection is searching for patterns linked to specific types of attacks, while behavioral
is identifying per signature.
B. Rule-Based systems have established patterns that do not change with new data, while behavioral
changes.
C. Behavioral systems are predefined patterns from hundreds of users, while Rule-Based only flags
potentially abnormal patterns using signatures.
D. Behavioral systems find sequences that match a particular attack signature, while Rule-Based
identifies potential attacks.

om
Answer: D

.c
Explanation:

ps
Question: 41

m
Which open-sourced packet capture tool uses Linux and Mac OS X operating systems?

A. NetScout
du
am
B. tcpdump
C. SolarWinds
ex

D. netsh
id

Answer: B
al

Explanation:
.v
w

Question: 42
w
// w
s:

Refer to the exhibit.

tp
ht

Which kind of attack method is depicted in this string?

A. cross-site scripting
B. man-in-the-middle
C. SQL injection
D. denial of service

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 16/101

Answer: A
Explanation:

Question: 43

Which two components reduce the attack surface on an endpoint? (Choose two.)

A. secure boot
B. load balancing
C. increased audit log levels
D. restricting USB ports

om
E. full packet captures at the endpoint

.c
Answer: AD

ps
Explanation:

m
Question: 44

du
What is an attack surface as compared to a vulnerability?
am
A. any potential danger to an asset
B. the sum of all paths for data into and out of the environment
ex

C. an exploitable weakness in a system or its design

id

D. the individuals who perform an attack

al

Answer: C
.v

Explanation:
w

An attack surface is the total sum of vulnerabilities that can be exploited to carry out a security
w

attack. Attack surfaces can be physical or digital. The term attack surface is often confused with the
w

term attack vector, but they are not the same thing. The surface is what is being attacked; the vector
//

is the means by which an intruder gains access.

s:
tp

Question: 45
ht

An intruder attempted malicious activity and exchanged emails with a user and received corporate
information, including email distribution lists. The intruder asked the user to engage with a link in an
email. When the fink launched, it infected machines and the intruder was able to access the
corporate network.

Which testing method did the intruder use?

A. social engineering
B. eavesdropping
C. piggybacking
D. tailgating

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 17/101

Answer: A
Explanation:

Question: 46

What are two social engineering techniques? (Choose two.)

A. privilege escalation
B. DDoS attack
C. phishing

om
D. man-in-the-middle
E. pharming

.c
Answer: CE

ps
Explanation:

m
Question: 47

du
am
Refer to the exhibit.
ex
id
al
.v
w
w
// w
s:

What does the output indicate about the server with the IP address 172.18.104.139?
tp
ht

A. open ports of a web server

B. open port of an FTP server
C. open ports of an email server
D. running processes of the server

Answer: C
Explanation:

Question: 48

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 18/101

How does certificate authority impact a security system?

A. It authenticates client identity when requesting SSL certificate

B. It validates domain identity of a SSL certificate
C. It authenticates domain identity when requesting SSL certificate
D. It validates client identity when communicating with the server

Answer: B
Explanation:

om
Question: 49

.c
When communicating via TLS, the client initiates the handshake to the server and the server
responds back with its certificate for identification.

ps
Which information is available on the server certificate?

m
du
A. server name, trusted subordinate CA, and private key
B. trusted subordinate CA, public key, and cipher suites
am
C. trusted CA name, cipher suites, and private key
D. server name, trusted CA, and public key
ex

Answer: D
id

Explanation:
al

Question: 50
.v
w

How does an SSL certificate impact security between the client and the server?
w
w

A. by enabling an authenticated channel between the client and the server

B. by creating an integrated channel between the client and the server
//

C. by enabling an authorized channel between the client and the server

s:

D. by creating an encrypted channel between the client and the server

tp
ht

Answer: D
Explanation:

Question: 51

Which attack is the network vulnerable to when a stream cipher like RC4 is used twice with the same
key?

A. forgery attack

B. plaintext-only attack

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 19/101

C. ciphertext-only attack
D. meet-in-the-middle attack

Answer: C
Explanation:

Question: 52

Which list identifies the information that the client sends to the server in the negotiation phase of
the TLS handshake?

om
A. ClientStart, ClientKeyExchange, cipher-suites it supports, and suggested compression methods
B. ClientStart, TLS versions it supports, cipher-suites it supports, and suggested compression

.c
methods
C. ClientHello, TLS versions it supports, cipher-suites it supports, and suggested compression

ps
methods
D. ClientHello, ClientKeyExchange, cipher-suites it supports, and suggested compression methods

m
du
Answer: C
Explanation:
am
Question: 53
ex
id
al

Refer to the exhibit.

.v
w
w
w

Which type of log is displayed?

//
s:

A. IDS
tp

B. proxy
C. NetFlow
ht

D. sys

Answer: D
Explanation:

Question: 54

Refer to the exhibit.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 20/101

What information is depicted?

A. IIS data
B. NetFlow data
C. network discovery event
D. IPS event data

om
Answer: B

.c
Explanation:

ps
Question: 55

m
du
What is the difference between the ACK flag and the RST flag in the NetFlow log session?
am
A. The RST flag confirms the beginning of the TCP connection, and the ACK flag responds when the
data for the payload is complete
ex

B. The ACK flag confirms the beginning of the TCP connection, and the RST flag responds when the
data for the payload is complete
id

C. The RST flag confirms the receipt of the prior segment, and the ACK flag allows for the
spontaneous termination of a connection
al

D. The ACK flag confirms the receipt of the prior segment, and the RST flag allows for the
.v

spontaneous termination of a connection

w

Answer: D
w

Explanation:
// w

Question: 56
s:
tp
ht

Refer to the exhibit.

Which type of log is displayed?

A. proxy
B. NetFlow
C. IDS

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 21/101

D. sys

Answer: B
Explanation:

Question: 57

How is NetFlow different from traffic mirroring?

A. NetFlow collects metadata and traffic mirroring clones data.

om
B. Traffic mirroring impacts switch performance and NetFlow does not.
C. Traffic mirroring costs less to operate than NetFlow.

.c
D. NetFlow generates more data than traffic mirroring.

ps
Answer: A

m
Explanation:

du
Question: 58
am
What makes HTTPS traffic difficult to monitor?
ex

A. SSL interception
id

B. packet header size

C. signature detection time
al

D. encryption
.v

Answer: D
w

Explanation:
w
w

Question: 59
//
s:

How does an attacker observe network traffic exchanged between two users?
tp

A. port scanning
ht

B. man-in-the-middle
C. command injection
D. denial of service

Answer: B
Explanation:

Question: 60

Which type of data consists of connection level, application-specific records generated from network
traffic?

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 22/101

A. transaction data
B. location data
C. statistical data
D. alert data

Answer: A
Explanation:

Question: 61

om
An engineer receives a security alert that traffic with a known TOR exit node has occurred on the

.c
network. What is the impact of this traffic?

ps
A. ransomware communicating after infection
B. users downloading copyrighted content

m
C. data exfiltration

du
D. user circumvention of the firewall
am
Answer: D
Explanation:
ex

Question: 62
id
al

What is an example of social engineering attacks?

.v

A. receiving an unexpected email from an unknown person with an attachment from someone in the
w

same company
w

B. receiving an email from human resources requesting a visit to their secure website to update
w

contact information
C. sending a verbal request to an administrator who knows how to change an account password
//

D. receiving an invitation to the department’s weekly WebEx meeting

s:
tp

Answer: C
ht

Explanation:

Question: 63

Refer to the exhibit.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 23/101

What is occurring in this network?

A. ARP cache poisoning

B. DNS cache poisoning
C. MAC address table overflow

om
D. MAC flooding attack

.c
Answer: A

ps
Explanation:

m
Question: 64
du
am
Which data format is the most efficient to build a baseline of traffic seen over an extended period of
ex

time?
id

A. syslog messages
B. full packet capture
al

C. NetFlow
.v

D. firewall event logs

w

Answer: C
w

Explanation:
// w

Question: 65
s:
tp

Which action prevents buffer overflow attacks?

ht

A. variable randomization
B. using web based applications
C. input sanitization
D. using a Linux operating system

Answer: C
Explanation:

Question: 66

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 24/101

Which type of attack occurs when an attacker is successful in eavesdropping on a conversation

between two IP phones?

A. known-plaintext
B. replay
C. dictionary
D. man-in-the-middle

Answer: D
Explanation:

om
Question: 67

.c
ps
m
Refer to the exhibit.

du
am
ex
id
al
.v
w
w
// w
s:
tp
ht

What should be interpreted from this packet capture?

A. 81.179.179.69 is sending a packet from port 80 to port 50272 of IP address 192.168.122.100 using
UDP protocol.
B. 192.168.122.100 is sending a packet from port 50272 to port 80 of IP address 81.179.179.69 using
TCP protocol.
C. 192.168.122.100 is sending a packet from port 80 to port 50272 of IP address 81.179.179.69 using
UDP protocol.
D. 81.179.179.69 is sending a packet from port 50272 to port 80 of IP address 192.168.122.100 using
TCP UDP protocol.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 25/101

Answer: B
Explanation:

Question: 68

What are the two characteristics of the full packet captures? (Choose two.)

A. Identifying network loops and collision domains.

B. Troubleshooting the cause of security and performance issues.
C. Reassembling fragmented traffic from raw data.
D. Detecting common hardware faults and identify faulty assets.

om
E. Providing a historical record of a network transaction.

.c
Answer: CE

ps
Explanation:

m
Question: 69

du
am
ex

Refer to the exhibit.

id
al
.v
w
w
// w
s:
tp
ht

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 26/101

om
.c
ps
m
du
am
ex
id

An engineer is analyzing this Cuckoo Sandbox report for a PDF file that has been downloaded from an
al

email. What is the state of this file?

.v

A. The file has an embedded executable and was matched by PEiD threat signatures for further
w

analysis.
w

B. The file has an embedded non-Windows executable but no suspicious features are identified.
w

C. The file has an embedded Windows 32 executable and the Yara field lists suspicious features for
further analysis.
//

D. The file was matched by PEiD threat signatures but no suspicious features are identified since the
s:

signature list is up to date.

tp
ht

Answer: C
Explanation:

Question: 70

DRAG DROP

Drag and drop the technology on the left onto the data type the technology provides on the right.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 27/101

Answer:

om
Explanation:

.c
ps
m
du
am
ex
id
al
.v
w

Question: 71
w
// w

Refer to the exhibit.

s:
tp
ht

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 28/101

om
.c
ps
m
What is occurring in this network traffic?

du
A. High rate of SYN packets being sent from a multiple source towards a single destination IP.
am
B. High rate of ACK packets being sent from a single source IP towards multiple destination IPs.
C. Flood of ACK packets coming from a single source IP to multiple destination IPs.
ex

D. Flood of SYN packets coming from a single source IP to a single destination IP.
id

Answer: D
al

Explanation:
.v

Question: 72
w
w

An engineer needs to have visibility on TCP bandwidth usage, response time, and latency, combined
w

with deep packet inspection to identify unknown software by its network traffic flow. Which two
//

features of Cisco Application Visibility and Control should the engineer use to accomplish this goal?
s:

(Choose two.)
tp

A. management and reporting

ht

B. traffic filtering
C. adaptive AVC
D. metrics collection and exporting
E. application recognition

Answer: AE
Explanation:

Question: 73

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 29/101

Which security technology guarantees the integrity and authenticity of all messages transferred to
and from a web application?

A. Hypertext Transfer Protocol

B. SSL Certificate
C. Tunneling
D. VPN

Answer: B
Explanation:

om
Question: 74

.c
An engineer is investigating a case of the unauthorized usage of the “Tcpdump” tool. The analysis

ps
revealed that a malicious insider attempted to sniff traffic on a specific interface. What type of
information did the malicious insider attempt to obtain?

m
du
A. tagged protocols being used on the network
B. all firewall alerts and resulting mitigations
am
C. tagged ports being used on the network
D. all information and data within the datagram
ex

Answer: C
id

Explanation:
al

Question: 75
.v
w

At a company party a guest asks questions about the company’s user account format and password
w

complexity. How is this type of conversation classified?

w

A. Phishing attack
//

B. Password Revelation Strategy

s:

C. Piggybacking
tp

D. Social Engineering
ht

Answer: B
Explanation:

Question: 76

Which security monitoring data type requires the largest storage space?

A. transaction data
B. statistical data
C. session data

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 30/101

D. full packet capture

Answer: D
Explanation:

Question: 77

What are two denial of service attacks? (Choose two.)

A. MITM

om
B. TCP connections
C. ping of death

.c
D. UDP flooding
E. code red

ps
Answer: CD

m
Explanation:

Question: 78 du
am
An engineer needs to discover alive hosts within the 192.168.1.0/24 range without triggering
ex

intrusive portscan alerts on the IDS device using Nmap. Which command will accomplish this goal?
id

A. nmap --top-ports 192.168.1.0/24

al

B. nmap –sP 192.168.1.0/24

.v

C. nmap -sL 192.168.1.0/24

D. nmap -sV 192.168.1.0/24
w
w

Answer: C
w

Explanation:
//
s:
tp

Question: 79
ht

An analyst is investigating a host in the network that appears to be communicating to a command

and control server on the Internet. After collecting this packet capture, the analyst cannot determine
the technique and payload used for the communication.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 31/101

om
.c
ps
m
du
am
ex

Which obfuscation technique is the attacker using?

id

A. Base64 encoding
B. transport layer security encryption
al

C. SHA-256 hashing
.v

D. ROT13 encryption
w

Answer: B
w

Explanation:
// w

ROT13 is considered weak encryption and is not used with TLS (HTTPS:443). Source:
s:

https://en.wikipedia.org/wiki/ROT13
tp

Question: 80
ht

What are two differences in how tampered and untampered disk images affect a security incident?
(Choose two.)

A. Untampered images are used in the security investigation process

B. Tampered images are used in the security investigation process
C. The image is tampered if the stored hash and the computed hash match
D. Tampered images are used in the incident recovery process
E. The image is untampered if the stored hash and the computed hash match

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 32/101

Answer: AE
Explanation:

Cert Guide by Omar Santos, Chapter 9 - Introduction to digital Forensics. "When you collect
evidence, you must protect its integrity. This involves making sure that nothing is added to the
evidence and that nothing is deleted or destroyed (this is known as evidence preservation)."

Question: 81

During which phase of the forensic process is data that is related to a specific event labeled and
recorded to preserve its integrity?

om
A. examination

.c
B. investigation
C. collection

ps
D. reporting

m
Answer: C

du
Explanation:
am
Question: 82
ex

Which step in the incident response process researches an attacking host through logs in a SIEM?
id

A. detection and analysis

al

B. preparation
.v

C. eradication
D. containment
w
w

Answer: A
w

Explanation:
//
s:

Preparation --> Detection and Analysis --> Containment, Erradicaion and Recovery --> Post-Incident
Activity
tp
ht

Detection and Analysis --> Profile networks and systems, Understand normal behaviors, Create a log
retention policy, Perform event correlation. Maintain and use a knowledge base of information.Use
Internet search engines for research. Run packet sniffers to collect additional data. Filter the data.
Seek assistance from others. Keep all host clocks synchronized. Know the different types of attacks
and attack vectors. Develop processes and procedures to recognize the signs of an incident.
Understand the sources of precursors and indicators. Create appropriate incident documentation
capabilities and processes. Create processes to effectively prioritize security incidents. Create
processes to effectively communicate incident information (internal and external communications).

Ref: Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 33/101

Question: 83

A malicious file has been identified in a sandbox analysis tool.

om
.c
ps
m
Which piece of information is needed to search for additional downloads of this file by other hosts?

A. file type
du
am
B. file size
C. file name
D. file hash value
ex
id

Answer: D
al

Explanation:
.v
w

Question: 84
w
// w

Refer to the exhibit.

s:
tp
ht

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 34/101

om
.c
ps
m
du
am
What is the potential threat identified in this Stealthwatch dashboard?
ex

A. Host 10.201.3.149 is sending data to 152.46.6.91 using TCP/443.

B. Host 152.46.6.91 is being identified as a watchlist country for data transfer.
id

C. Traffic to 152.46.6.149 is being denied by an Advanced Network Control policy.

D. Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.
al
.v

Answer: D
w

Explanation:
w

Question: 85
// w
s:
tp

Refer to the exhibit.

ht

What is the potential threat identified in this Stealthwatch dashboard?

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 35/101

A. A policy violation is active for host 10.10.101.24.

B. A host on the network is sending a DDoS attack to another inside host.
C. There are two active data exfiltration alerts.
D. A policy violation is active for host 10.201.3.149.

Answer: C
Explanation:

Question: 86

om
Which security technology allows only a set of pre-approved applications to run on a system?

.c
A. application-level blacklisting

ps
B. host-based IPS
C. application-level whitelisting

m
D. antivirus

du Answer: C
am
Explanation:
ex

Question: 87
id

An investigator is examining a copy of an ISO file that is stored in CDFS format. What type of evidence
al

is this file?
.v

A. data from a CD copied using Mac-based system

w

B. data from a CD copied using Linux system

w

C. data from a DVD copied using Windows system

w

D. data from a CD copied using Windows

//
s:

Answer: B
Explanation:
tp
ht

CDfs is a virtual file system for Unix-like operating systems; it provides access to data and audio
tracks on Compact Discs. When the CDfs driver mounts a Compact Disc, it represents each track as a
file. This is consistent with the Unix convention "everything is a file". Source:
https://en.wikipedia.org/wiki/CDfs

Question: 88

Which piece of information is needed for attribution in an investigation?

A. proxy logs showing the source RFC 1918 IP addresses

B. RDP allowed from the Internet

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 36/101

C. known threat actor behavior

D. 802.1x RADIUS authentication pass arid fail logs

Answer: C
Explanation:

Actually this is the most important thing: know who, what, how, why, etc.. attack the network.

Question: 89

om
What does cyber attribution identify in an investigation?

.c
A. cause of an attack
B. exploit of an attack

ps
C. vulnerabilities exploited
D. threat actors of an attack

m
du
Answer: D
Explanation:
am
https://www.techtarget.com/searchsecurity/definition/cyber-attribution
ex

Question: 90
id
al

A security engineer has a video of a suspect entering a data center that was captured on the same
.v

day that files in the same data center were transferred to a competitor.
w

Which type of evidence is this?

w
w

A. best evidence
B. prima facie evidence
//

C. indirect evidence
s:

D. physical evidence
tp
ht

Answer: C
Explanation:

There are three general types of evidence:

--> Best evidence: can be presented in court in the original form (for example, an exact copy of a hard
disk drive).
--> Corroborating evidence: tends to support a theory or an assumption deduced by some initial
evidence. This corroborating evidence confirms the proposition.
--> Indirect or circumstantial evidence: extrapolation to a conclusion of fact (such as fingerprints,
DNA evidence, and so on).

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 37/101

Question: 91

Refer to the exhibit.

Which event is occurring?

A. A binary named "submit" is running on VM cuckoo1.

om
B. A binary is being submitted to run on VM cuckoo1
C. A binary on VM cuckoo1 is being submitted for evaluation

.c
D. A URL is being evaluated to see if it has a malicious binary

ps
Answer: B

m
Explanation:

du
https://cuckoo.readthedocs.io/en/latest/usage/submit/
am

Question: 92
ex
id
al

Refer to the exhibit.

.v
w
w
// w
s:

In which Linux log file is this output found?

tp

A. /var/log/authorization.log
ht

B. /var/log/dmesg
C. var/log/var.log
D. /var/log/auth.log

Answer: D
Explanation:

Question: 93

An engineer runs a suspicious file in a sandbox analysis tool to see the outcome. The analysis report

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 38/101

shows that outbound callouts were made post infection.

Which two pieces of information from the analysis report are needed to investigate the callouts?
(Choose two.)

A. signatures
B. host IP addresses
C. file size
D. dropped files
E. domain names

Answer: BE

om
Explanation:

.c
Question: 94

ps
An analyst is exploring the functionality of different operating systems.

m
du
What is a feature of Windows Management Instrumentation that must be considered when deciding
on an operating system?
am
A. queries Linux devices that have Microsoft Services for Linux installed
ex

B. deploys Windows Operating Systems in an automated fashion

C. is an efficient tool for working with Active Directory
id

D. has a Common Information Model, which describes installed hardware and software
al
.v

Answer: D
w

Explanation:
w

Question: 95
// w

What causes events on a Windows system to show Event Code 4625 in the log messages?
s:
tp

A. The system detected an XSS attack

ht

B. Someone is trying a brute force attack on the network

C. Another device is gaining root access to the system
D. A privileged user successfully logged into the system

Answer: B
Explanation:

Question: 96

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 39/101

Refer to the exhibit.

What does the message indicate?

A. an access attempt was made from the Mosaic web browser

B. a successful access attempt was made to retrieve the password file
C. a successful access attempt was made to retrieve the root of the website

om
D. a denied access attempt was made to retrieve the password file

.c
Answer: C

ps
Explanation:

m
Question: 97

du
am
Refer to the exhibit.
ex
id
al

This request was sent to a web application server driven by a database. Which type of web server
.v

attack is represented?
w

A. parameter manipulation
w

B. heap memory corruption

// w

C. command injection
s:

D. blind SQL injection

tp

Answer: D
ht

Explanation:

Question: 98

A SOC analyst is investigating an incident that involves a Linux system that is identifying specific
sessions. Which identifier tracks an active program?

A. application identification number

B. active process identification number
C. runtime identification number
D. process identification number

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 40/101

Answer: D
Explanation:

Question: 99

An offline audit log contains the source IP address of a session suspected to have exploited a
vulnerability resulting in system compromise.

Which kind of evidence is this IP address?

om
A. best evidence
B. corroborative evidence

.c
C. indirect evidence
D. forensic evidence

ps
Answer: B

m
Explanation:

Question: 100 du
am
Which system monitors local system operation and local network access for violations of a security
ex

policy?
id

A. host-based intrusion detection

al

B. systems-based sandboxing
.v

C. host-based firewall
D. antivirus
w
w

Answer: A
w

Explanation:
//
s:

HIDS is capable of monitoring the internals of a computing system as well as the network packets on
its network interfaces. Host-based firewall is a piece of software running on a single Host that can
tp

restrict incoming and outgoing Network activity for that host only.
ht

Question: 101

An analyst received an alert on their desktop computer showing that an attack was successful on the
host. After investigating, the analyst discovered that no mitigation action occurred during the attack.
What is the reason for this discrepancy?

A. The computer has a HIPS installed on it.

B. The computer has a NIPS installed on it.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 41/101

C. The computer has a HIDS installed on it.

D. The computer has a NIDS installed on it.

Answer: C
Explanation:

Question: 102

Refer to the exhibit.

om
.c
ps
m
du
am
ex
id
al

What is the potential threat identified in this Stealthwatch dashboard?

.v

A. A policy violation is active for host 10.10.101.24.

w

B. A host on the network is sending a DDoS attack to another inside host.

w

C. There are three active data exfiltration alerts.

D. A policy violation is active for host 10.201.3.149.
// w

Answer: C
s:

Explanation:
tp

"EX" = exfiltration
ht

And there are three.

Also the "suspect long flow" and "suspect data heading" suggest, for example, DNS exfiltration
<https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/smc_u
sers_guide/SW_6_9_0_SMC_Users_Guide_DV_1_2.pdf page 177>.

Question: 103

What is a difference between tampered and untampered disk images?

A. Tampered images have the same stored and computed hash.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 42/101

B. Untampered images are deliberately altered to preserve as evidence.

C. Tampered images are used as evidence.
D. Untampered images are used for forensic investigations.

Answer: D
Explanation:

The disk image must be intact for forensics analysis. As a cybersecurity professional, you may be
given the task of capturing an image of a disk in a forensic manner. Imagine a security incident has
occurred on a system and you are required to perform some forensic investigation to determine who
and what caused the attack. Additionally, you want to ensure the data that was captured is not

om
tampered with or modified during the creation of a disk image process. Ref: Cisco Certified CyberOps
Associate 200-201 Certification Guide

.c
Question: 104

ps
What is a sandbox interprocess communication service?

m
du
A. A collection of rules within the sandbox that prevent the communication between sandboxes.
B. A collection of network services that are activated on an interface, allowing for inter-port
am
communication.
C. A collection of interfaces that allow for coordination of activities among processes.
ex

D. A collection of host services that allow for communication between sandboxes.

id

Answer: C
al

Explanation:
.v

Inter-process communication (IPC) allows communication between different processes. A process is

w

one or more threads running inside its own, isolated address space.
w

https://docs.legato.io/16_10/basicIPC.html
w

Question: 105
//
s:

Which regular expression matches "color" and "colour"?

tp
ht

A. colo?ur
B. col[0−8]+our
C. colou?r
D. col[0−9]+our

Answer: C
Explanation:

Question: 106

Which artifact is used to uniquely identify a detected file?

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 43/101

A. file timestamp
B. file extension
C. file size
D. file hash

Answer: D
Explanation:

Question: 107

om
A security engineer deploys an enterprise-wide host/endpoint technology for all of the company's

.c
corporate PCs. Management requests the engineer to block a selected set of applications on all PCs.

ps
Which technology should be used to accomplish this task?

m
A. application whitelisting/blacklisting

du
B. network NGFW
C. host-based IDS
am
D. antivirus/antispyware software
ex

Answer: A
Explanation:
id
al

Question: 108
.v

Which utility blocks a host portscan?

w
w

A. HIDS
w

B. sandboxing
C. host-based firewall
//

D. antimalware
s:
tp

Answer: C
ht

Explanation:

Question: 109

Which evasion technique is indicated when an intrusion detection system begins receiving an
abnormally high volume of scanning from numerous sources?

A. resource exhaustion
B. tunneling
C. traffic fragmentation
D. timing attack

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 44/101

Answer: A
Explanation:

Resource exhaustion is a type of denial-of-service attack; however, it can also be used to evade
detection by security defenses. A simple definition of resource exhaustion is “consuming the
resources necessary to perform an action.” Cisco CyberOps Associate CBROPS 200-201 Official Cert
Guide

Question: 110

om
.c
ps
Refer to the exhibit.

m
du
am
ex
id
al
.v
w
w
// w
s:
tp
ht

Which application protocol is in this PCAP file?

A. SSH
B. TCP

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 45/101

C. TLS
D. HTTP

Answer: C
Explanation:

Question: 111

DRAG DROP

Refer to the exhibit.

om
.c
ps
m
du
am
ex
id
al
.v
w
w
// w
s:
tp
ht

Drag and drop the element name from the left onto the correct piece of the PCAP file on the right.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 46/101

om
.c
ps
m
Answer:

du
Explanation:
am
ex
id
al
.v
w
w
// w
s:
tp
ht

Question: 112

Refer to the exhibit.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 47/101

om
.c
ps
What is the expected result when the "Allow subdissector to reassemble TCP streams" feature is
enabled?

m
du
A. insert TCP subdissectors
B. extract a file from a packet capture
am
C. disable TCP streams
D. unfragment TCP
ex

Answer: D
id

Explanation:
al

Question: 113
.v
w

Which type of data collection requires the largest amount of storage space?
w
w

A. alert data
B. transaction data
//

C. session data
s:

D. full packet capture

tp

Answer: D
ht

Explanation:

Question: 114

An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this
impact on network traffic?

A. true negative

B. false negative

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 48/101

C. false positive
D. true positive

Answer: B
Explanation:

A false negative occurs when the security system (usually a WAF) fails to identify a threat. It produces
a “negative” outcome (meaning that no threat has been observed), even though a threat exists.

Question: 115

om
Which signature impacts network traffic by causing legitimate traffic to be blocked?

.c
A. false negative
B. true positive

ps
C. true negative
D. false positive

m
du
Answer: D
Explanation:
am
Question: 116
ex
id

Which two pieces of information are collected from the IPv4 protocol header? (Choose two.)
al

A. UDP port to which the traffic is destined

.v

B. TCP port from which the traffic was sourced

C. source IP address of the packet
w

D. destination IP address of the packet

w

E. UDP port from which the traffic is sourced

// w

Answer: CD
s:

Explanation:
tp

Question: 117
ht

Which HTTP header field is used in forensics to identify the type of browser used?

A. referrer
B. host
C. user-agent
D. accept-language

Answer: C
Explanation:

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 49/101

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0 In computing, a

user agent is any software, acting on behalf of a user, which "retrieves, renders and facilitates end-
user interaction with Web content".[1] A user agent is therefore a special kind of software agent.
https://en.wikipedia.org/wiki/User_agent#User_agent_identification
A user agent is a computer program representing a person, for example, a browser in a Web context.
https://developer.mozilla.org/en-US/docs/Glossary/User_agent

Question: 118

Which event artifact is used to identify HTTP GET requests for a specific file?

om
A. destination IP address
B. TCP ACK

.c
C. HTTP status code

ps
D. URI

m
Answer: D

du
Explanation:
am
Question: 119
ex

What should a security analyst consider when comparing inline traffic interrogation with traffic
tapping to determine which approach to use in the network?
id
al

A. Tapping interrogation replicates signals to a separate port for analyzing traffic

B. Tapping interrogations detect and block malicious traffic
.v

C. Inline interrogation enables viewing a copy of traffic to ensure traffic is in compliance with security
w

policies
w

D. Inline interrogation detects malicious traffic but does not block the traffic
w

Answer: A
//

Explanation:
s:
tp

A network TAP is a simple device that connects directly to the cabling infrastructure to split or copy
ht

packets for use in analysis, security, or general network management

Question: 120

At which layer is deep packet inspection investigated on a firewall?

A. internet
B. transport
C. application
D. data link

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 50/101

Answer: C
Explanation:

Deep packet inspection is a form of packet filtering usually carried out as a function of your firewall.
It is applied at the Open Systems Interconnection's application layer. Deep packet inspection
evaluates the contents of a packet that is going through a checkpoint.

Question: 121

DRAG DROP

om
Drag and drop the access control models from the left onto the correct descriptions on the right.

.c
ps
m
du
am
ex

Answer:
id

Explanation:
al
.v
w
w
// w
s:
tp
ht

Question: 122
What is a difference between inline traffic interrogation and traffic mirroring?

A. Inline inspection acts on the original traffic data flow

B. Traffic mirroring passes live traffic to a tool for blocking
C. Traffic mirroring inspects live traffic for analysis and mitigation
D. Inline traffic copies packets for analysis and security

Answer: A
Explanation:

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 51/101

Inline traffic interrogation analyzes traffic in real time and has the ability to prevent certain traffic
from being forwarded Traffic mirroring doesn't pass the live traffic instead it copies traffic from one
or more source ports and sends the copied traffic to one or more destinations for analysis by a
network analyzer or other monitoring device

Question: 123

A system administrator is ensuring that specific registry information is accurate.

Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?

om
A. file extension associations
B. hardware, software, and security settings for the system
C. currently logged in users, including folders and control panel settings

.c
D. all users on the system, including visual settings

ps
Answer: B

m
Explanation:

du
https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-
am
advanced-users
ex

Question: 124
id
al

Refer to the exhibit.

.v
w
w
// w
s:
tp

Which packet contains a file that is extractable within Wireshark?

ht

A. 2317
B. 1986
C. 2318
D. 2542

Answer: D
Explanation:

Question: 125

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 52/101

Which regex matches only on all lowercase letters?

A. [a−z]+
B. [^a−z]+
C. a−z+
D. a*z+

Answer: A
Explanation:

Question: 126

om
While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for

.c
multiple devices by modifying the IP header.

ps
Which technology makes this behavior possible?

m
A. encapsulation

du
B. TOR
C. tunneling
am
D. NAT
ex

Answer: D
Explanation:
id
al

Network address translation (NAT) is a method of mapping an IP address space into another by
modifying network address information in the IP header of packets while they are in transit across a
.v

traffic routing device.

w
w

Question: 127
// w

Which action should be taken if the system is overwhelmed with alerts when false positives and false
s:

negatives are compared?

tp
ht

A. Modify the settings of the intrusion detection system.

B. Design criteria for reviewing alerts.
C. Redefine signature rules.
D. Adjust the alerts schedule.

Answer: A
Explanation:

Traditional intrusion detection system (IDS) and intrusion prevention system (IPS) devices need to be
tuned to avoid false positives and false negatives. Next-generation IPSs do not need the same level
of tuning compared to traditional IPSs. Also, you can obtain much deeper reports and functionality,
including advanced malware protection and retrospective analysis to see what happened after an

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 53/101

attack took place. Ref: Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide

Question: 128

What is the impact of false positive alerts on business compared to true positive?

A. True positives affect security as no alarm is raised when an attack has taken place, resulting in a
potential breach.
B. True positive alerts are blocked by mistake as potential attacks affecting application availability.
C. False positives affect security as no alarm is raised when an attack has taken place, resulting in a
potential breach.

om
D. False positive alerts are blocked by mistake as potential attacks affecting application availability.

Answer: C

.c
Explanation:

ps
Question: 129

m
du
An engineer needs to fetch logs from a proxy server and generate actual events according to the data
received. Which technology should the engineer use to accomplish this task?
am
A. Firepower
ex

B. Email Security Appliance

C. Web Security Appliance
id

D. Stealthwatch
al

Answer: D
.v

Explanation:
w
w
w

Question: 130
//
s:
tp
ht

Refer to the exhibit.

Which technology generates this log?

A. NetFlow

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 54/101

B. IDS
C. web proxy
D. firewall

Answer: D
Explanation:

Question: 131

Which filter allows an engineer to filter traffic in Wireshark to further analyze the PCAP file by only
showing the traffic for LAN 10.11.x.x, between workstations and servers without the Internet?

om
A. src=10.11.0.0/16 and dst=10.11.0.0/16

.c
B. ip.src==10.11.0.0/16 and ip.dst==10.11.0.0/16
C. ip.src=10.11.0.0/16 and ip.dst=10.11.0.0/16

ps
D. src==10.11.0.0/16 and dst==10.11.0.0/16

m
Answer: B

du
Explanation:
am
Question: 132
ex

Which tool provides a full packet capture from network traffic?

id

A. Nagios
al

B. CAINE
.v

C. Hydra
D. Wireshark
w
w

Answer: D
w

Explanation:
//
s:

Question: 133
tp

A company is using several network applications that require high availability and responsiveness,
ht

such that milliseconds of latency on network traffic is not acceptable. An engineer needs to analyze
the network and

identify ways to improve traffic movement to minimize delays. Which information must the engineer
obtain for this analysis?

A. total throughput on the interface of the router and NetFlow records

B. output of routing protocol authentication failures and ports used
C. running processes on the applications and their total network usage
D. deep packet captures of each application flow and duration

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 55/101

Answer: C
Explanation:

Question: 134

Refer to the exhibit.

om
.c
ps
m
What is depicted in the exhibit?

du
A. Windows Event logs
B. Apache logs
am
C. IIS logs
D. UNIX-based syslog
ex

Answer: B
id

Explanation:
al
.v

Question: 135
w

Which technology should be used to implement a solution that makes routing decisions based on
w

HTTP header, uniform resource identifier, and SSL session ID attributes?

// w

A. AWS
s:

B. IIS
C. Load balancer
tp

D. Proxy server
ht

Answer: C
Explanation:

Load Balancing: HTTP(S) load balancing is one of the oldest forms of load balancing. This form of load
balancing relies on layer 7, which means it operates in the application layer. This allows routing
decisions based on attributes like HTTP header, uniform resource identifier, SSL session ID, and HTML
form data.
Load balancing applies to layers 4-7 in the seven-layer Open System Interconnection (OSI) model. Its
capabilities are: L4. Directing traffic based on network data and transport layer protocols, e.g., IP
address and TCP port. L7. Adds content switching to load balancing, allowing routing decisions

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 56/101

depending on characteristics such as HTTP header, uniform resource identifier, SSL session ID, and
HTML form data. GSLB. Global Server Load Balancing expands L4 and L7 capabilities to servers in
different sites

Question: 136

An organization has recently adjusted its security stance in response to online threats made by a
known hacktivist group.

What is the initial event called in the NIST SP800-61?

om
A. online assault
B. precursor

.c
C. trigger

ps
D. instigator

m
Answer: B

du
Explanation:
am
A precursor is a sign that a cyber-attack is about to occur on a system or network. An indicator is the
actual alerts that are generated as an attack is happening. Therefore, as a security professional, it's
ex

important to know where you can find both precursor and indicator sources of information.
The following are common sources of precursor and indicator information:
id

Security Information and Event Management (SIEM)

al

Anti-virus and anti-spam software

.v

File integrity checking applications/software

w

Logs from various sources (operating systems, devices, and applications)

People who report a security incident
w
w

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
//
s:

Question: 137
tp

Which NIST IR category stakeholder is responsible for coordinating incident response among various
ht

business units, minimizing damage, and reporting to regulatory agencies?

A. CSIRT
B. PSIRT
C. public affairs
D. management

Answer: D
Explanation:

Question: 138

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 57/101

Which incidence response step includes identifying all hosts affected by an attack?

A. detection and analysis

B. post-incident activity
C. preparation
D. containment, eradication, and recovery

Answer: D
Explanation:

om
3.3.3 Identifying the Attacking Hosts During incident handling, system owners and others sometimes
want to or need to identify the attacking host or hosts. Although this information can be important,
incident handlers should generally stay focused on containment, eradication, and recovery.

.c
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

ps
The response phase, or containment, of incident response, is the point at which the incident
response team begins interacting with affected systems and attempts to keep further damage from

m
occurring as a result of the incident.

Question: 139
du
am
Which two elements are used for profiling a network? (Choose two.)
ex

A. session duration
id

B. total throughput
al

C. running processes
.v

D. listening ports
w

E. OS fingerprint
w

Answer: AB
w

Explanation:
//
s:

A network profile should include some important elements, such as the following:
tp

Total throughput – the amount of data passing from a given source to a given destination in a given
ht

period of time
Session duration – the time between the establishment of a data flow and its termination
Ports used – a list of TCP or UDP processes that are available to accept data
Critical asset address space – the IP addresses or the logical location of essential systems or data
Profiling data are data that system has gathered, these data helps for incident response and to detect
incident Network profiling = throughput, sessions duration, port used, Critical Asset Address Space
Host profiling = Listening ports, logged in accounts, running processes, running tasks,applications

Question: 140

Which category relates to improper use or disclosure of PII data?

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 58/101

A. legal
B. compliance
C. regulated
D. contractual

Answer: C
Explanation:

Question: 141

om
Which type of evidence supports a theory or an assumption that results from initial evidence?

.c
A. probabilistic
B. indirect

ps
C. best
D. corroborative

m
du
Answer: D
Explanation:
am
Corroborating evidence (or corroboration) is evidence that tends to support a theory or an
ex

assumption deduced by some initial evidence. This corroborating evidence confirms the proposition.
Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide
id
al

Question: 142
.v

Which two elements are assets in the role of attribution in an investigation? (Choose two.)
w
w

A. context
w

B. session
C. laptop
//

D. firewall logs
s:

E. threat actor
tp
ht

Answer: CD
Explanation:

The following are some factors that are used during attribution in an investigation: Assets, Threat
actor, Indicators of Compromise (IoCs), Indicators of Attack (IoAs), Chain of custody Asset: This factor
identifies which assets were compromised by a threat actor or hacker. An example of an asset can be
an organization's domain controller (DC) that runs Active Directory Domain Services (AD DS). AD is a
service that allows an administrator to manage user accounts, user groups, and policies across a
Microsoft Windows environment. Keep in mind that an asset is anything that has value to an
organization; it can be something physical, digital, or even people. Cisco Certified CyberOps
Associate 200-201 Certification Guide

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 59/101

Question: 143

What is personally identifiable information that must be safeguarded from unauthorized access?

A. date of birth
B. driver's license number
C. gender
D. zip code

Answer: B

om
Explanation:

.c
According to the Executive Office of the President, Office of Management and Budget (OMB), and the
U.S. Department of Commerce, Office of the Chief Information Officer, PII refers to “information

ps
which can be used to distinguish or trace an individual’s identity.”
The following are a few examples:

m
- An individual’s name

du
- Social security number
- Biological or personal characteristics, such as an image of distinguishing features, fingerprints,
am
Xrays, voice signature, retina scan, and the geometry of the face
- Date and place of birth
ex

- Mother’s maiden name

- Credit card numbers
id

- Bank account numbers

- Driver license number
al

- Address information, such as email addresses or street addresses, and telephone numbers for
.v

businesses or personal use

w

- Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide Omar Santos
w

Question: 144
// w

In a SOC environment, what is a vulnerability management metric?

s:
tp

A. code signing enforcement

B. full assets scan
ht

C. internet exposed devices

D. single factor authentication

Answer: C
Explanation:

Question: 145

A security expert is working on a copy of the evidence, an ISO file that is saved in CDFS format. Which
type of evidence is this file?

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 60/101

A. CD data copy prepared in Windows

B. CD data copy prepared in Mac-based system
C. CD data copy prepared in Linux system
D. CD data copy prepared in Android-based system

Answer: A
Explanation:

Question: 146

Which two elements of the incident response process are stated in NIST Special Publication 800-61

om
r2? (Choose two.)

.c
A. detection and analysis
B. post-incident activity

ps
C. vulnerability management

m
D. risk assessment

du
E. vulnerability scoring
am
Answer: AB
Explanation:
ex

Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
id
al

Question: 147
.v

DRAG DROP
w
w

Drag and drop the definition from the left onto the phase on the right to classify intrusion events
w

according to the Cyber Kill Chain model.

//
s:
tp
ht

Answer:
Explanation:

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 61/101

om
.c
ps
m
Question: 148 du
am
ex

Refer to the exhibit.

id
al
.v
w
w
// w
s:
tp
ht

What does this output indicate?

A. HTTPS ports are open on the server.

B. SMB ports are closed on the server.
C. FTP ports are open on the server.
D. Email ports are closed on the server.

Answer: D
Explanation:

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 62/101

Question: 149

DRAG DROP

Drag and drop the elements from the left into the correct order for incident handling on the right.

om
Answer:
Explanation:

.c
ps
m
du
am
ex
id
al
.v
w
w
w

Question: 150
//

Which metric should be used when evaluating the effectiveness and scope of a Security Operations
s:

Center?
tp

A. The average time the SOC takes to register and assign the incident.
ht

B. The total incident escalations per week.

C. The average time the SOC takes to detect and resolve the incident.
D. The total incident escalations per month.

Answer: C
Explanation:

Question: 151

A developer is working on a project using a Linux tool that enables writing processes to obtain these

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 63/101

required results:
If the process is unsuccessful, a negative value is returned.
If the process is successful, 0 value is returned to the child process, and the process ID is sent to the
parent process.

Which component results from this operation?

A. parent directory name of a file pathname

B. process spawn scheduled
C. macros for managing CPU sets
D. new process created by parent process

om
Answer: D
Explanation:

.c
ps
There are two tasks with specially distinguished process IDs: swapper or sched has process ID 0 and is
responsible for paging, and is actually part of the kernel rather than a normal user-mode process.

m
Process ID 1 is usually the init process primarily responsible for starting and shutting down the

du
system. Originally, process ID 1 was not specifically reserved for init by any technical measures: it
simply had this ID as a natural consequence of being the first process invoked by the kernel. More
am
recent Unix systems typically have additional kernel components visible as 'processes', in which case
PID 1 is actively reserved for the init process to maintain consistency with older systems
ex

Question: 152
id

An engineer discovered a breach, identified the threat’s entry point, and removed access. The
al

engineer was able to identify the host, the IP address of the threat actor, and the application the
.v

threat actor targeted. What is the next step the engineer should take according to the NIST SP 800-61
w

Incident handling guide?

w

A. Recover from the threat.

w

B. Analyze the threat.

//

C. Identify lessons learned from the threat.

s:

D. Reduce the probability of similar threats.

tp
ht

Answer: D
Explanation:

Question: 153

Refer to the exhibit.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 64/101

om
.c
ps
m
du
What is shown in this PCAP file?
am
A. Timestamps are indicated with error.
B. The protocol is TCP.
ex

C. The User-Agent is Mozilla/5.0.

D. The HTTP GET is encoded.
id

Answer: D
al

Explanation:
.v
w

Question: 154
w
w

What is a difference between tampered and untampered disk images?

//

A. Tampered images have the same stored and computed hash.

s:

B. Tampered images are used as evidence.

tp

C. Untampered images are used for forensic investigations.

ht

D. Untampered images are deliberately altered to preserve as evidence

Answer: B
Explanation:

Question: 155

The SOC team has confirmed a potential indicator of compromise on an endpoint. The team has
narrowed the executable file's type to a new trojan family. According to the NIST Computer Security
Incident Handling Guide, what is the next step in handling this event?

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 65/101

A. Isolate the infected endpoint from the network.

B. Perform forensics analysis on the infected endpoint.
C. Collect public information on the malware behavior.
D. Prioritize incident handling based on the impact.

Answer: C
Explanation:

Reference: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf

Question: 156

om
Which technology on a host is used to isolate a running application from other applications?

.c
A. sandbox

ps
B. application allow list
C. application block list

m
D. host-based firewall

du Answer: A
am
Explanation:
ex

Reference:
https://searchsecurity.techtarget.com/definition/sandbox#:~:text=Sandboxes%20can%20be%20used
id

%20to,be%20run%20inside%20a%20sandbox
al

Question: 157
.v
w

An analyst received a ticket regarding a degraded processing capability for one of the HR
w

department's servers. On the same day, an engineer noticed a disabled antivirus software and was
w

not able to determine when or why it occurred. According to the NIST Incident Handling Guide, what
is the next phase of this investigation?
//
s:

A. Recovery
tp

B. Detection
ht

C. Eradication
D. Analysis

Answer: B
Explanation:

Reference: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf

Question: 158

Which data type is necessary to get information about source/destination ports?

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 66/101

A. statistical data
B. session data
C. connectivity data
D. alert data

Answer: B
Explanation:

Session data provides information about the five tuples; source IP address/port number, destination
IP address/port number and the protocol

om
What is Connectivity Data? According to IBM - Connectivity data defines how entities are connected
in the network. It includes connections between different devices, and VLAN-related connections
within the same device https://www.ibm.com/docs/en/networkmanager/4.2.0?topic=relationships-

.c
connectivity-data

ps
Question: 159

m
du
Refer to the exhibit.
am
ex

Which type of attack is being executed?

id

A. SQL injection
al

B. cross-site scripting
.v

C. cross-site request forgery

w

D. command injection
w

Answer: A
w

Explanation:
//
s:

Reference: https://www.w3schools.com/sql/sql_injection.asp
tp

Question: 160
ht

Which attack represents the evasion technique of resource exhaustion?

A. SQL injection
B. man-in-the-middle
C. bluesnarfing
D. denial-of-service

Answer: D
Explanation:

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 67/101

Reference: https://www.ciscopress.com/articles/article.asp?p=3100055&seqNum=3

Question: 161

A threat actor penetrated an organization's network. Using the 5-tuple approach, which data points
should the analyst use to isolate the compromised host in a grouped set of logs?

A. event name, log source, time, source IP, and host name
B. protocol, source IP, source port, destination IP, and destination port
C. event name, log source, time, source IP, and username
D. protocol, log source, source IP, destination IP, and host name

om
Answer: B

.c
Explanation:

ps
Reference: https://blogs.cisco.com/security/the-dreaded-5-tuple

m
Question: 162

Which event is a vishing attack?

du
am
A. obtaining disposed documents from an organization
ex

B. using a vulnerability scanner on a corporate network

C. setting up a rogue access point near a public hotspot
id

D. impersonating a tech support agent during a phone call

al

Answer: D
.v

Explanation:
w
w

Reference: https://www.cisco.com/c/en/us/products/security/email-security/what-is-
w

phishing.html#~types-of-phishing-attacks
//
s:

Question: 163
tp

What is indicated by an increase in IPv4 traffic carrying protocol 41 ?

ht

A. additional PPTP traffic due to Windows clients

B. unauthorized peer-to-peer traffic
C. deployment of a GRE network on top of an existing Layer 3 network
D. attempts to tunnel IPv6 traffic through an IPv4 network

Answer: D
Explanation:

Question: 164

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 68/101

What is the impact of false positive alerts on business compared to true positive?

A. True positives affect security as no alarm is raised when an attack has taken place, while false
positives are alerts raised appropriately to detect and further mitigate them.
B. True-positive alerts are blocked by mistake as potential attacks, while False-positives are actual
attacks Identified as harmless.
C. False-positive alerts are detected by confusion as potential attacks, while true positives are attack
attempts identified appropriately.
D. False positives alerts are manually ignored signatures to avoid warnings that are already
acknowledged, while true positives are warnings that are not yet acknowledged.

Answer: C

om
Explanation:

.c
Question: 165

ps
An organization's security team has detected network spikes coming from the internal network. An

m
investigation has concluded that the spike in traffic was from intensive network scanning How should

du
the analyst collect the traffic to isolate the suspicious host?
am
A. by most active source IP
B. by most used ports
ex

C. based on the protocols used

D. based on the most used applications
id

Answer: A
al

Explanation:
.v
w

Question: 166
w
w

What is an incident response plan?

//

A. an organizational approach to events that could lead to asset loss or disruption of operations
s:

B. an organizational approach to security management to ensure a service lifecycle and continuous

tp

improvements
ht

C. an organizational approach to disaster recovery and timely restoration of operational services

D. an organizational approach to system backup and data archiving aligned to regulations

Answer: C
Explanation:

Question: 167

An engineer is addressing a connectivity issue between two servers where the remote server is
unable to establish a successful session. Initial checks show that the remote server is not receiving an
SYN-ACK while establishing a session by sending the first SYN. What is causing this issue?

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 69/101

A. incorrect TCP handshake

B. incorrect UDP handshake
C. incorrect OSI configuration
D. incorrect snaplen configuration

Answer: A
Explanation:

Reference: https://www.sciencedirect.com/topics/computer-science/three-way-
handshake#:~:text=The%20TCP%20handshake,as%20shown%20in%20Figure%203.8

om
Question: 168

.c
A security incident occurred with the potential of impacting business services. Who performs the

ps
attack?

m
A. malware author

du
B. threat actor
C. bug bounty hunter
am
D. direct competitor
ex

Answer: B
Explanation:
id
al

Reference: https://www.paubox.com/blog/what-is-threat-
actor/#:~:text=The%20term%20threat%20actor%20refers,CTA)%20when%20referencing%20cyberse
.v

curity%20issues
w
w

Question: 169
w

Refer to the exhibit.

//
s:
tp
ht

An analyst received this alert from the Cisco ASA device, and numerous activity logs were produced.
How should this type of evidence be categorized?

A. indirect
B. circumstantial
C. corroborative
D. best

Answer: C
Explanation:

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 70/101

Indirect=circumstantail so there is no posibility to match A or B (only one answer is needed in this

question). For suer it's not a BEST evidence - this FW data inform only of DROPPED traffic. If smth
happend inside network, presented evidence could be used to support other evidences or make our
narreation stronger but alone it's mean nothing.
Question: 170

What is vulnerability management?

A. A security practice focused on clarifying and narrowing intrusion points.

B. A security practice of performing actions rather than acknowledging the threats.
C. A process to identify and remediate existing weaknesses.

om
D. A process to recover from service interruptions and restore business-critical applications

Answer: C

.c
Explanation:

ps
Reference: https://www.brinqa.com/vulnerability-management-primer-part-2-challenges/

m
du
Vulnerability management is the "cyclical practice of identifying, classifying, prioritizing,
remediating, and mitigating" software vulnerabilities.[1] Vulnerability management is integral to
am
computer security and network security, and must not be confused with Vulnerability assessment"
source: https://en.wikipedia.org/wiki/Vulnerability_management
ex

Question: 171
id
al

A user received an email attachment named "Hr405-report2609-empl094.exe" but did not run it.
Which category of the cyber kill chain should be assigned to this type of event?
.v
w

A. installation
w

B. reconnaissance
C. weaponization
w

D. delivery
//
s:

Answer: A
tp

Explanation:
ht

Question: 172

An engineer needs to configure network systems to detect command and control communications by
decrypting ingress and egress perimeter traffic and allowing network security devices to detect
malicious outbound communications. Which technology should be used to accomplish the task?

A. digital certificates
B. static IP addresses
C. signatures
D. cipher suite

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 71/101

Answer: D
Explanation:

Reference: https://en.wikipedia.org/wiki/Cipher_suite
Cipher suites dictate which of these algorithms the server should use to make a secure and reliable
connection. But it’s important to remember that cipher suites do not just ensure the security, but
also the compatibility and performance of HTTPS connections.

Question: 173

What is a difference between data obtained from Tap and SPAN ports?

om
A. Tap mirrors existing traffic from specified ports, while SPAN presents more structured data for

.c
deeper analysis.
B. SPAN passively splits traffic between a network device and the network without altering it, while

ps
Tap alters response times.
C. SPAN improves the detection of media errors, while Tap provides direct access to traffic with

m
lowered data visibility.

du
D. Tap sends traffic from physical layers to the monitoring device, while SPAN provides a copy of
network traffic from switch to destination
am
Answer: D
ex

Explanation:
id

Reference: https://www.gigamon.com/resources/resource-library/white-paper/to-tap-or-to-
al

span.html
.v

Question: 174
w
w

Which metric in CVSS indicates an attack that takes a destination bank account number and replaces
w

it with a different bank account number?

//

A. availability
s:

B. confidentiality
tp

C. scope
ht

D. integrity

Answer: D
Explanation:

Question: 175

Refer to the exhibit.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 72/101

What is occurring within the exhibit?

om
A. regular GET requests
B. XML External Entities attack

.c
C. insecure deserialization

ps
D. cross-site scripting attack

m
Answer: A

du
Explanation:
am
Reference: https://www.tutorialspoint.com/http/http_requests.htm
ex

https://github.com/gwroblew/detectXSSlib/blob/master/test/attacks.txt
id

Question: 176
al

Refer to the exhibit.

.v
w
w
// w

Which component is identifiable in this exhibit?

s:

A. Trusted Root Certificate store on the local machine

tp

B. Windows PowerShell verb

ht

C. Windows Registry hive

D. local service in the Windows Services Manager

Answer: C
Explanation:

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives

https://ldapwiki.com/wiki/HKEY_LOCAL_MACHINE#:~:text=HKEY_LOCAL_MACHINE%20Windows%2
0registry%20hive%20contains,detected%20hardware%20and%20device%20drivers.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 73/101

Question: 177

An engineer received an alert affecting the degraded performance of a critical server. Analysis
showed a heavy CPU and memory load. What is the next step the engineer should take to investigate
this resource usage?

A. Run "ps -d" to decrease the priority state of high load processes to avoid resource exhaustion.
B. Run "ps -u" to find out who executed additional processes that caused a high load on a server.
C. Run "ps -ef" to understand which processes are taking a high amount of resources.
D. Run "ps -m" to capture the existing state of daemons and map required processes to find the gap.

om
Answer: C
Explanation:

.c
Reference: https://unix.stackexchange.com/questions/62182/please-explain-this-output-of-ps-ef-

ps
command

m
Question: 178

du
What is a difference between an inline and a tap mode traffic monitoring?
am
A. Inline monitors traffic without examining other devices, while a tap mode tags traffic and
ex

examines the data from monitoring devices.

B. Tap mode monitors traffic direction, while inline mode keeps packet data as it passes through the
id

monitoring devices.
al

C. Tap mode monitors packets and their content with the highest speed, while the inline mode draws
a packet path for analysis.
.v

D. Inline mode monitors traffic path, examining any traffic at a wire speed, while a tap mode
w

monitors traffic as it crosses the network.

w

Answer: D
w

Explanation:
//
s:

Reference:
tp

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-
ht

guide-v65/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html

Question: 179

DRAG DROP
Drag and drop the event term from the left onto the description on the right.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 74/101

Answer:
Explanation:

om
.c
ps
m
du
am
ex
id
al
.v

Question: 180
DRAG DROP
w

Drag and drop the definition from the left onto the phase on the right to classify intrusion events
w

according to the Cyber Kill Chain model.

// w
s:
tp
ht

Answer:
Explanation:

Delivery: This step involves transmitting the weapon to the target.

Weaponization: In this step, the intruder creates a malware weapon like a virus, worm or such in
order to exploit the vulnerabilities of the target. Depending on the target and the purpose of the

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 75/101

attacker, this malware can exploit new, undetected vulnerabilities (also known as the zero-day

exploits) or it can focus on a combination of different vulnerabilities.
Reconnaissance: In this step, the attacker / intruder chooses their target. Then they conduct an in-
depth research on this target to identify its vulnerabilities that can be exploited.

Question: 181
Which regular expression is needed to capture the IP address 192.168.20.232?

A. ^ (?:[0-9]{1,3}\.){3}[0-9]{1,3}
B. ^ (?:[0-9]f1,3}\.){1,4}
C. ^ (?:[0-9]{1,3}\.)'

om
D. ^ ([0-9]-{3})

Answer: A

.c
Explanation:

ps
Reference: https://www.cisco.com/c/en/us/td/docs/security/security_management/cs-mars/4-

m
3/user/guide/local_controller/appreexp.html

Question: 182 du
am
How does a certificate authority impact security?
ex

A. It validates client identity when communicating with the server.

id

B. It authenticates client identity when requesting an SSL certificate.

al

C. It authenticates domain identity when requesting an SSL certificate.

D. It validates the domain identity of the SSL certificate.
.v
w

Answer: D
w

Explanation:
w

A certificate authority is a computer or entity that creates and issues digital certificates. CA do not
//

"authenticate" it validates. "D" is wrong because The digital certificate validate a user. CA --> DC -->
s:

user, server or whatever.

tp

Reference: https://en.wikipedia.org/wiki/Certificate_authority
ht

Question: 183

What is a difference between SIEM and SOAR?

A. SOAR predicts and prevents security alerts, while SIEM checks attack patterns and applies the
mitigation.
B. SlEM's primary function is to collect and detect anomalies, while SOAR is more focused on security
operations automation and response.
C. SIEM predicts and prevents security alerts, while SOAR checks attack patterns and applies the
mitigation.
D. SOAR's primary function is to collect and detect anomalies, while SIEM is more focused on security

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 76/101

operations automation and response.

Answer: B
Explanation:

Reference: https://www.cisco.com/c/en/us/products/security/what-is-a-security-platform.html

siem is log managment soar is vulnerability managment that automat and response

Question: 184

om
What is a difference between signature-based and behavior-based detection?

.c
A. Signature-based identifies behaviors that may be linked to attacks, while behavior-based has a

ps
predefined set of rules to match before an alert.
B. Behavior-based identifies behaviors that may be linked to attacks, while signature-based has a

m
predefined set of rules to match before an alert.

du
C. Behavior-based uses a known vulnerability database, while signature-based intelligently
summarizes existing data.
am
D. Signature-based uses a known vulnerability database, while behavior-based intelligently
summarizes existing data.
ex

Answer: B
id

Explanation:
al

Instead of searching for patterns linked to specific types of attacks, behavior-based IDS solutions
.v

monitor behaviors that may be linked to attacks, increasing the likelihood of identifying and
w

mitigating a malicious action before the network is compromised. https://accedian.com/blog/what-

w

is-the-difference-between-signature-based-and-behavior-based-ids/
w

Question: 185
//
s:

Refer to the exhibit.

tp
ht

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 77/101

om
.c
ps
An engineer received an event log file to review. Which technology generated the log?

m
A. NetFlow
B. proxy

du
C. firewall
am
D. IDS/IPS

Answer: C
ex

Explanation:
id

Question: 186
al
.v

What is the difference between inline traffic interrogation and traffic mirroring?
w
w

A. Inline interrogation is less complex as traffic mirroring applies additional tags to data.
B. Traffic mirroring copies the traffic rather than forwarding it directly to the analysis tools
w

C. Inline replicates the traffic to preserve integrity rather than modifying packets before sending
//

them to other analysis tools.

s:

D. Traffic mirroring results in faster traffic analysis and inline is considerably slower due to latency.
tp

Answer: A
ht

Explanation:

Question: 187

Refer to the exhibit.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 78/101

om
.c
A company employee is connecting to mail google.com from an endpoint device. The website is

ps
loaded but with an error. What is occurring?

m
A. DNS hijacking attack

du
B. Endpoint local time is invalid.
C. Certificate is not in trusted roots.
am
D. man-m-the-middle attack
ex

Answer: C
Explanation:
id
al

Question: 188
.v
w

An analyst is using the SIEM platform and must extract a custom property from a Cisco device and
capture the phrase, "File: Clean." Which regex must the analyst import?
w
w

A. File: Clean
//

B. ^Parent File Clean$

s:

C. File: Clean (.*)

D. ^File: Clean$
tp
ht

Answer: B
Explanation:

Question: 189

What describes the concept of data consistently and readily being accessible for legitimate users?

A. integrity
B. availability
C. accessibility
D. confidentiality

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 79/101

Answer: B
Explanation:

Question: 190

Refer to the exhibit.

om
.c
ps
m
du
am
ex

Which frame numbers contain a file that is extractable via TCP stream within Wireshark?
id

A. 7,14, and 21
B. 7 and 21
al

C. 14,16,18, and 19
.v

D. 7 to 21
w

Answer: B
w

Explanation:
// w

Question: 191
s:
tp

Refer to the exhibit.

ht

Which stakeholders must be involved when a company workstation is compromised?

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 80/101

A. Employee 1 Employee 2, Employee 3, Employee 4, Employee 5, Employee 7

B. Employee 1, Employee 2, Employee 4, Employee 5
C. Employee 4, Employee 6, Employee 7
D. Employee 2, Employee 3, Employee 4, Employee 5

Answer: D
Explanation:

Question: 192

How does an attack surface differ from an attack vector?

om
A. An attack vector recognizes the potential outcomes of an attack, and the attack surface is choosing

.c
a method of an attack.
B. An attack surface identifies vulnerable parts for an attack, and an attack vector specifies which

ps
attacks are feasible to those parts.
C. An attack surface mitigates external vulnerabilities, and an attack vector identifies mitigation

m
techniques and possible workarounds.

du
D. An attack vector matches components that can be exploited, and an attack surface classifies the
potential path for exploitation
am
Answer: C
ex

Explanation:
id

Question: 193
al
.v

A security analyst notices a sudden surge of incoming traffic and detects unknown packets from
unknown senders After further investigation, the analyst learns that customers claim that they
w

cannot access company servers According to NIST SP800-61, in which phase of the incident response
w

process is the analyst?

w

A. post-incident activity
//

B. detection and analysis

s:

C. preparation
tp

D. containment, eradication, and recovery

ht

Answer: D
Explanation:

Question: 194

Which vulnerability type is used to read, write, or erase information from a database?

A. cross-site scripting
B. cross-site request forgery
C. buffer overflow

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 81/101

D. SQL injection

Answer: D
Explanation:

Question: 195

An automotive company provides new types of engines and special brakes for rally sports cars. The
company has a database of inventions and patents for their engines and technical information
Customers can access the database through the company's website after they register and identify
themselves. Which type of protected data is accessed by customers?

om
A. IP data

.c
B. PII data
C. PSI data

ps
D. PHI data

m
Answer: B

du
Explanation:
am
Question: 196
ex

According to the September 2020 threat intelligence feeds a new malware called Egregor was
id

introduced and used in many attacks. Distnbution of Egregor is pnmanly through a Cobalt Strike that
has been installed on victim's workstations using RDP exploits Malware exfiltrates the victim's data to
al

a command and control server. The data is used to force victims pay or lose it by publicly releasing it.
.v

Which type of attack is described?

w

A. malware attack
w

B. ransomware attack
w

C. whale-phishing
D. insider threat
//
s:

Answer: B
tp

Explanation:
ht

Question: 197

Syslog collecting software is installed on the server For the log containment, a disk with FAT type
partition is used An engineer determined that log files are being corrupted when the 4 GB tile size is
exceeded. Which action resolves the issue?

A. Add space to the existing partition and lower the retention penod.
B. Use FAT32 to exceed the limit of 4 GB.
C. Use the Ext4 partition because it can hold files up to 16 TB.
D. Use NTFS partition for log file containment

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 82/101

Answer: D
Explanation:

Question: 198

What ate two categories of DDoS attacks? (Choose two.)

A. split brain
B. scanning
C. phishing

om
D. reflected
E. direct

.c
Answer: C, E

ps
Explanation:

m
Question: 199

du
am
What is an advantage of symmetric over asymmetric encryption?

A. A key is generated on demand according to data type.

ex

B. A one-time encryption key is generated for data transmission

id

C. It is suited for transmitting large amounts of data.

D. It is a faster encryption mechanism for sessions
al
.v

Answer: C
w

Explanation:
w

Question: 200
// w

What ate two denial-of-service (DoS) attacks? (Choose two)

s:
tp

A. port scan
B. SYN flood
ht

C. man-in-the-middle
D. phishing
E. teardrop

Answer: B, C
Explanation:

Question: 201

What is the difference between a threat and an exploit?

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 83/101

A. A threat is a result of utilizing flow in a system, and an exploit is a result of gaining control over the
system.
B. A threat is a potential attack on an asset and an exploit takes advantage of the vulnerability of the
asset
C. An exploit is an attack vector, and a threat is a potential path the attack must go through.
D. An exploit is an attack path, and a threat represents a potential vulnerability

Answer: B
Explanation:

Question: 202

om
How does TOR alter data content during transit?

.c
A. It spoofs the destination and source information protecting both sides.

ps
B. It encrypts content and destination information over multiple layers.
C. It redirects destination traffic through multiple sources avoiding traceability.

m
D. It traverses source traffic through multiple destinations before reaching the receiver

du Answer: B
am
Explanation:
ex

Question: 203
id

Refer to the exhibit.

al
.v
w
w
// w
s:
tp

What is occurring?
ht

A. Cross-Site Scripting attack

B. XML External Entitles attack
C. Insecure Deserialization
D. Regular GET requests

Answer: B
Explanation:

Question: 204

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 84/101

What is a collection of compromised machines that attackers use to carry out a DDoS attack?

A. subnet
B. botnet
C. VLAN
D. command and control

Answer: B
Explanation:

Question: 205

om
Which type of access control depends on the job function of the user?

.c
A. discretionary access control

ps
B. nondiscretionary access control
C. role-based access control

m
D. rule-based access control

du Answer: C
am
Explanation:
ex

Question: 206
id

The security team has detected an ongoing spam campaign targeting the organization. The team's
al

approach is to push back the cyber kill chain and mitigate ongoing incidents. At which phase of the
.v

cyber kill chain should the security team mitigate this type of attack?
w

A. actions
w

B. delivery
w

C. reconnaissance
D. installation
//
s:

Answer: B
tp

Explanation:
ht

Question: 207

What describes the defense-m-depth principle?

A. defining precise guidelines for new workstation installations

B. categorizing critical assets within the organization
C. isolating guest Wi-Fi from the focal network
D. implementing alerts for unexpected asset malfunctions

Answer: B

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 85/101

Explanation:

Question: 208

Refer to the exhibit.

om
.c
ps
m
A workstation downloads a malicious docx file from the Internet and a copy is sent to FTDv. The FTDv

du
sends the file hash to FMC and the tile event is recorded What would have occurred with stronger
data visibility?
am
A. The traffic would have been monitored at any segment in the network.
ex

B. Malicious traffic would have been blocked on multiple devices

C. An extra level of security would have been in place
id

D. Detailed information about the data in real time would have been provided
al

Answer: B
.v

Explanation:
w
w

Question: 209
w

What is the impact of encryption?

//
s:

A. Confidentiality of the data is kept secure and permissions are validated

tp

B. Data is accessible and available to permitted individuals

C. Data is unaltered and its integrity is preserved
ht

D. Data is secure and unreadable without decrypting it

Answer: A
Explanation:

Question: 210

An engineer is analyzing a recent breach where confidential documents were altered and stolen by
the receptionist Further analysis shows that the threat actor connected an externa USB device to
bypass security restrictions and steal data The engineer could not find an external USB device Which

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 86/101

piece of information must an engineer use for attribution in an investigation?

A. list of security restrictions and privileges boundaries bypassed

B. external USB device
C. receptionist and the actions performed
D. stolen data and its criticality assessment

Answer: A
Explanation:

Question: 211

om
Refer to the exhibit.

.c
ps
m
du
During the analysis of a suspicious scanning activity incident, an analyst discovered multiple local TCP
connection events Which technology provided these logs?
am
A. antivirus
ex

B. proxy
C. IDS/IPS
id

D. firewall
al

Answer: D
.v

Explanation:
w
w

Question: 212
// w

Refer to the exhibit.

s:
tp
ht

An analyst was given a PCAP file, which is associated with a recent intrusion event in the company
FTP server Which display filters should the analyst use to filter the FTP traffic?

A. dstport == FTP

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 87/101

B. tcp.port==21
C. tcpport = FTP
D. dstport = 21

Answer: C
Explanation:

Question: 213

Refer to the exhibit.

om
.c
ps
m
du
am
ex
id

A network administrator is investigating suspicious network activity by analyzing captured traffic. An

al

engineer notices abnormal behavior and discovers that the default user agent is present in the
.v

headers of requests and data being transmitted What is occurring?

w

A. indicators of denial-of-service attack due to the frequency of requests

w

B. garbage flood attack attacker is sending garbage binary data to open ports
w

C. indicators of data exfiltration HTTP requests must be plain text

D. cache bypassing attack: attacker is sending requests for noncacheable content
//
s:

Answer: C
tp

Explanation:
ht

Question: 214

DRAG DROP

Drag and drop the data source from the left onto the data type on the right.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 88/101

om
Answer:
Explanation:

.c
ps
m
du
am
ex
id
al
.v
w
w

Question: 215
w

A company encountered a breach on its web servers using IIS 7 5 Dunng the investigation, an
//

engineer discovered that an attacker read and altered the data on a secure communication using TLS
s:

1 2 and intercepted sensitive information by downgrading a connection to export-grade

cryptography. The engineer must mitigate similar incidents in the future and ensure that clients and
tp

servers always negotiate with the most secure protocol versions and cryptographic parameters.
ht

Which action does the engineer recommend?

A. Upgrade to TLS v1 3.
B. Install the latest IIS version.
C. Downgrade to TLS 1.1.
D. Deploy an intrusion detection system

Answer: B
Explanation:

Question: 216

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 89/101

What is the difference between discretionary access control (DAC) and role-based access control
(RBAC)?

A. DAC requires explicit authorization for a given user on a given object, and RBAC requires specific
conditions.
B. RBAC access is granted when a user meets specific conditions, and in DAC, permissions are applied
on user and group levels.
C. RBAC is an extended version of DAC where you can add an extra level of authorization based on
time.
D. DAC administrators pass privileges to users and groups, and in RBAC, permissions are applied to
specific groups

om
Answer: A

.c
Explanation:

ps
Question: 217

m
du
DRAG DROP
Drag and drop the type of evidence from the left onto the description of that evidence on the right.
am
ex
id
al
.v
w
w
w

Answer:
//

Explanation:
s:
tp
ht

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 90/101

Question: 218
Which technology prevents end-device to end-device IP traceability?

A. encryption
B. load balancing
C. NAT/PAT
D. tunneling

Answer: C
Explanation:

om
Question: 219

.c
ps
What are the two differences between stateful and deep packet inspection? (Choose two )

m
A. Stateful inspection is capable of TCP state tracking, and deep packet filtering checks only TCP
source and destination ports

du
B. Deep packet inspection is capable of malware blocking, and stateful inspection is not
C. Deep packet inspection operates on Layer 3 and 4. and stateful inspection operates on Layer 3 of
am
the OSI model
D. Deep packet inspection is capable of TCP state monitoring only, and stateful inspection can inspect
ex

TCP and UDP.

E. Stateful inspection is capable of packet data inspections, and deep packet inspection is not
id
al

Answer: A, B
.v

Explanation:
w

Question: 220
w
w

Which type of verification consists of using tools to compute the message digest of the original and
//

copied data, then comparing the similarity of the digests?

s:

A. evidence collection order

tp

B. data integrity
ht

C. data preservation
D. volatile data collection

Answer: B
Explanation:

Question: 221

What is the difference between inline traffic interrogation (TAPS) and traffic mirroring (SPAN)?

A. APS interrogation is more complex because traffic mirroring applies additional tags to data and

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 91/101

SPAN does not alter integrity and provides full duplex network.
B. SPAN results in more efficient traffic analysis, and TAPS is considerably slower due to latency
caused by mirroring.
C. TAPS replicates the traffic to preserve integrity, and SPAN modifies packets before sending them to
other analysis tools
D. SPAN ports filter out physical layer errors, making some types of analyses more difficult, and TAPS
receives all packets, including physical errors.

Answer: A
Explanation:

om
Question: 222

.c
Which information must an organization use to understand the threats currently targeting the
organization?

ps
A. threat intelligence

m
B. risk scores

du
C. vendor suggestions
D. vulnerability exposure
am
Answer: A
ex

Explanation:
id

Question: 223
al
.v

What is threat hunting?

w

A. Managing a vulnerability assessment report to mitigate potential threats.

w

B. Focusing on proactively detecting possible signs of intrusion and compromise.

w

C. Pursuing competitors and adversaries to infiltrate their system to acquire intelligence data.
D. Attempting to deliberately disrupt servers by altering their availability
//
s:

Answer: A
tp

Explanation:
ht

Question: 224

An engineer is working with the compliance teams to identify the data passing through the network.
During analysis, the engineer informs the compliance team that external penmeter data flows
contain records, writings, and artwork Internal segregated network flows contain the customer
choices by gender, addresses, and product preferences by age. The engineer must identify protected
dat
a. Which two types of data must be identified'? (Choose two.)
A. SOX
B. PII

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 92/101

C. PHI
D. PCI
E. copyright

Answer: B, C
Explanation:

Question: 225

What describes the impact of false-positive alerts compared to false-negative alerts?

om
A. A false negative is alerting for an XSS attack. An engineer investigates the alert and discovers that
an XSS attack happened A false positive is when an XSS attack happens and no alert is raised

.c
B. A false negative is a legitimate attack triggering a brute-force alert. An engineer investigates the
alert and finds out someone intended to break into the system A false positive is when no alert and

ps
no attack is occurring
C. A false positive is an event alerting for a brute-force attack An engineer investigates the alert and

m
discovers that a legitimate user entered the wrong credential several times A false negative is when

du
a threat actor tries to brute-force attack a system and no alert is raised.
D. A false positive is an event alerting for an SQL injection attack An engineer investigates the alert
am
and discovers that an attack attempt was blocked by IPS A false negative is when the attack gets
detected but succeeds and results in a breach.
ex

Answer: C
id

Explanation:
al

Question: 226
.v
w

Refer to the exhibit.

w
// w
s:
tp
ht

An engineer received a ticket about a slowed-down web application The engineer runs the #netstat -
an command. How must the engineer interpret the results?

A. The web application is receiving a common, legitimate traffic

B. The engineer must gather more data.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 93/101

C. The web application server is under a denial-of-service attack.

D. The server is under a man-in-the-middle attack between the web application and its database

Answer: C
Explanation:

Question: 227

When an event is investigated, which type of data provides the investigate capability to determine if
data exfiltration has occurred?

om
A. full packet capture
B. NetFlow data

.c
C. session data
D. firewall logs

ps
Answer: A

m
Explanation:

Question: 228 du
am
What is the difference between deep packet inspection and stateful inspection?
ex
id

A. Deep packet inspection gives insights up to Layer 7, and stateful inspection gives insights only up
to Layer 4.
al

B. Deep packet inspection is more secure due to its complex signatures, and stateful inspection
.v

requires less human intervention.

C. Stateful inspection is more secure due to its complex signatures, and deep packet inspection
w

requires less human intervention.

w

D. Stateful inspection verifies data at the transport layer and deep packet inspection verifies data at
w

the application layer

//
s:

Answer: B
Explanation:
tp
ht

Question: 229

What is obtained using NetFlow?

A. session data
B. application logs
C. network downtime report
D. full packet capture

Answer: A
Explanation:

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 94/101

Question: 230

How does statistical detection differ from rule-based detection?

A. Statistical detection involves the evaluation of events, and rule-based detection requires an
evaluated set of events to function.
B. Statistical detection defines legitimate data over time, and rule-based detection works on a
predefined set of rules
C. Rule-based detection involves the evaluation of events, and statistical detection requires an
evaluated set of events to function Rule-based detection defines

om
D. legitimate data over a period of time, and statistical detection works on a predefined set of rules

Answer: B

.c
Explanation:

ps
Question: 231

m
du
Refer to the exhibit.
am
ex
id
al

What must be interpreted from this packet capture?

.v
w

A. IP address 192.168.88 12 is communicating with 192 168 88 149 with a source port 74 to
w

destination port 49098 using TCP protocol

B. IP address 192.168.88.12 is communicating with 192 168 88 149 with a source port 49098 to
w

destination port 80 using TCP protocol.

//

C. IP address 192.168.88.149 is communicating with 192.168 88.12 with a source port 80 to

s:

destination port 49098 using TCP protocol.

tp

D. IP address 192.168.88.149 is communicating with 192.168.88.12 with a source port 49098 to

destination port 80 using TCP protocol.
ht

Answer: B
Explanation:

Question: 232

What is a benefit of using asymmetric cryptography?

A. decrypts data with one key

B. fast data transfer
C. secure data transfer

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 95/101

D. encrypts data with one key

Answer: B
Explanation:

Question: 233

An organization is cooperating with several third-party companies. Data exchange is on an unsecured

channel using port 80 Internal employees use the FTP service to upload and download sensitive data
An engineer must ensure confidentiality while preserving the integrity of the communication. Which
technology must the engineer implement in this scenario'?

om
A. X 509 certificates

.c
B. RADIUS server
C. CA server

ps
D. web application firewall

m
Answer: A

du
Explanation:
am
Question: 234
ex

A security engineer notices confidential data being exfiltrated to a domain "Ranso4134-mware31-

id

895" address that is attributed to a known advanced persistent threat group The engineer discovers
that the activity is part of a real attack and not a network misconfiguration. Which category does this
al

event fall under as defined in the Cyber Kill Chain?

.v

A. reconnaissance
w

B. delivery
w

C. action on objectives
w

D. weaponization
//
s:

Answer: D
Explanation:
tp
ht

Question: 235

How does agentless monitoring differ from agent-based monitoring?

A. Agentless can access the data via API. while agent-base uses a less efficient method and accesses
log data through WMI.
B. Agent-based monitoring is less intrusive in gathering log data, while agentless requires open ports
to fetch the logs
C. Agent-based monitoring has a lower initial cost for deployment, while agentless monitoring
requires resource-intensive deployment.
D. Agent-based has a possibility to locally filter and transmit only valuable data, while agentless has

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 96/101

much higher network utilization

Answer: B
Explanation:

Question: 236

Which of these describes SOC metrics in relation to security incidents?

A. time it takes to detect the incident

B. time it takes to assess the risks of the incident

om
C. probability of outage caused by the incident
D. probability of compromise and impact caused by the incident

.c
Answer: A

ps
Explanation:

m
Question: 237

du
am
What is the difference between the ACK flag and the RST flag?

A. The RST flag approves the connection, and the ACK flag terminates spontaneous connections.
ex

B. The ACK flag confirms the received segment, and the RST flag terminates the connection.
id

C. The RST flag approves the connection, and the ACK flag indicates that a packet needs to be resent
D. The ACK flag marks the connection as reliable, and the RST flag indicates the failure within TCP
al

Handshake
.v

Answer: B
w

Explanation:
w
w

Question: 238
//
s:

Refer to the exhibit.

tp
ht

An engineer is analyzing a PCAP file after a recent breach An engineer identified that the attacker

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 97/101

used an aggressive ARP scan to scan the hosts and found web and SSH servers. Further analysis
showed several SSH Server Banner and Key Exchange Initiations. The engineer cannot see the exact
data being transmitted over an encrypted channel and cannot identify how the attacker gained
access How did the attacker gain access?

A. by using the buffer overflow in the URL catcher feature for SSH
B. by using an SSH Tectia Server vulnerability to enable host-based authentication
C. by using an SSH vulnerability to silently redirect connections to the local host
D. by using brute force on the SSH service to gain access

Answer: C

om
Explanation:

Question: 239

.c
ps
Refer to the exhibit.

m
du
am
ex
id
al
.v
w

Which field contains DNS header information if the payload is a query or a response?
w
w

A. Z
//

B. ID
s:

C. TC
D. QR
tp
ht

Answer: B
Explanation:

Question: 240

Refer to the exhibit.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 98/101

om
What is occurring?

.c
ps
A. ARP flood
B. DNS amplification

m
C. ARP poisoning

du
D. DNS tunneling
am
Answer: D
Explanation:
ex

Question: 241
id
al

What is the difference between vulnerability and risk?

.v

A. A vulnerability is a sum of possible malicious entry points, and a risk represents the possibility of
w

the unauthorized entry itself.

w

B. A risk is a potential threat that an exploit applies to, and a vulnerability represents the threat itself
w

C. A vulnerability represents a flaw in a security that can be exploited, and the risk is the potential
damage it might cause.
//

D. A risk is potential threat that adversaries use to infiltrate the network, and a vulnerability is an
s:

exploit
tp

Answer: B
ht

Explanation:

Question: 242

An engineer received a flood of phishing emails from HR with the source address
HRjacobm@companycom. What is the threat actor in this scenario?

A. phishing email
B. sender
C. HR

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 99/101

D. receiver

Answer: B
Explanation:

Question: 243

Refer to the exhibit.

om
.c
ps
m
du
am
ex

A security analyst is investigating unusual activity from an unknown IP address Which type of
evidence is this file1?
id
al

A. indirect evidence
B. best evidence
.v

C. corroborative evidence
w

D. direct evidence
w
w

Answer: A
//

Explanation:
s:

Question: 244
tp
ht

DRAG DROP

Drag and drop the security concept from the left onto the example of that concept on the right.

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 100/101

om
Answer:

.c
Explanation:

ps
m
du
am
ex
id
al
.v
w
w
// w
s:
tp
ht

https://www.validexamdumps.com/200-201.html
Questions and Answers PDF 101/101

Thank you for your visit.

To try more exams, please visit below link
https://www.validexamdumps.com/200-201.html

om
.c
ps
m
du
am
ex
id
al
.v
w
w
// w
s:
tp
ht

https://www.validexamdumps.com/200-201.html