Cisco 200-201 Dumps PDF Study Tips And Information 2023

Jonnie Karnath2023-03-24T20:19:10+00:00

Cisco 200-201 exam is a highly sought-after certification that can open doors to new job opportunities and career advancements. But passing the exam can be a challenge, especially if you’re not well-prepared. That’s where Certspot comes in with their Cisco 200-201 dumps PDF which are designed to help you prepare for the exam by providing you with a realistic testing experience. Cisco 200-201 dumps PDF are up-to-date, accurate, and designed to cover all the topics and concepts that you’ll need to know to pass the Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) exam. By studying Certspot’s Cisco 200-201 dumps PDF, you’ll be able to identify any knowledge gaps and focus your studying efforts on those areas, leading to a better chance of passing the exam.

Page 1 of 8

1. An analyst is investigating an incident in a SOC environment.

Which method is used to identify a session from a group of logs?

sequence numbers

IP identifier

5-tuple

timestamps

2. An analyst is investigating a host in the network that appears to be communicating to a command and control server on the Internet. After collecting this packet capture, the analyst cannot determine the technique and payload used for the communication.

Which obfuscation technique is the attacker using?

Base64 encoding

TLS encryption

SHA-256 hashing

ROT13 encryption

3. What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)

Untampered images are used in the security investigation process

Tampered images are used in the security investigation process

The image is tampered if the stored hash and the computed hash match

Tampered images are used in the incident recovery process

The image is untampered if the stored hash and the computed hash match

4. In a SOC environment, what is a vulnerability management metric?

code signing enforcement

full assets scan

internet exposed devices

single factor authentication

5. Which technology should be used to implement a solution that makes routing decisions based on HTTP header, uniform resource identifier, and SSL session ID attributes?

AWS

IIS

Load balancer

Proxy server

6. Refer to the exhibit.

Which type of log is displayed?

proxy

NetFlow

IDS

sys

7. Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?

integrity

confidentiality

availability

scope

8. Refer to the exhibit.

What must be interpreted from this packet capture?

IP address 192.168.88 12 is communicating with 192 168 88 149 with a source port 74 to destination port 49098 using TCP protocol

IP address 192.168.88.12 is communicating with 192 168 88 149 with a source port 49098 to destination port 80 using TCP protocol.

IP address 192.168.88.149 is communicating with 192.168 88.12 with a source port 80 to destination port 49098 using TCP protocol.

IP address 192.168.88.149 is communicating with 192.168.88.12 with a source port 49098 to destination port 80 using TCP protocol.

9. An engineer needs to discover alive hosts within the 192.168.1.0/24 range without triggering intrusive portscan alerts on the IDS device using Nmap.

Which command will accomplish this goal?

nmap --top-ports 192.168.1.0/24

nmap CsP 192.168.1.0/24

nmap -sL 192.168.1.0/24

nmap -sV 192.168.1.0/24

10. Which open-sourced packet capture tool uses Linux and Mac OS X operating systems?

NetScout

tcpdump

SolarWinds

netsh

Page 2 of 8

11. Which are two denial-of-service attacks? (Choose two.)

TCP connections

ping of death

man-in-the-middle

code-red

UDP flooding

12. An offline audit log contains the source IP address of a session suspected to have exploited a vulnerability resulting in system compromise.

Which kind of evidence is this IP address?

best evidence

corroborative evidence

indirect evidence

forensic evidence

13. An engineer needs to have visibility on TCP bandwidth usage, response time, and latency, combined with deep packet inspection to identify unknown software by its network traffic flow.

Which two features of Cisco Application Visibility and Control should the engineer use to accomplish this goal? (Choose two.)

management and reporting

traffic filtering

adaptive AVC

metrics collection and exporting

application recognition

14. What should an engineer use to aid the trusted exchange of public keys between user tom0411976943 and dan1968754032?

central key management server

web of trust

trusted certificate authorities

registration authority data

15. What is the difference between vulnerability and risk?

A vulnerability is a sum of possible malicious entry points, and a risk represents the possibility of the unauthorized entry itself.

A risk is a potential threat that an exploit applies to, and a vulnerability represents the threat itself

A vulnerability represents a flaw in a security that can be exploited, and the risk is the potential damage it might cause.

A risk is potential threat that adversaries use to infiltrate the network, and a vulnerability is an exploit

16. Which technology prevents end-device to end-device IP traceability?

encryption

load balancing

NAT/PAT

tunneling

17. An analyst is exploring the functionality of different operating systems.

What is a feature of Windows Management Instrumentation that must be considered when deciding on an operating system?

queries Linux devices that have Microsoft Services for Linux installed

deploys Windows Operating Systems in an automated fashion

is an efficient tool for working with Active Directory

has a Common Information Model, which describes installed hardware and software

18. Refer to the exhibit.

What is shown in this PCAP file?

Timestamps are indicated with error.

The protocol is TC

The User-Agent is Mozilla/5.0.

The HTTP GET is encoded.

19. DRAG DROP

Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model.

20. Refer to the exhibit.

Which kind of attack method is depicted in this string?

cross-site scripting

man-in-the-middle

SQL injection

denial of service

Page 3 of 8

21. Refer to the exhibit.

What is the potential threat identified in this Stealthwatch dashboard?

A policy violation is active for host 10.10.101.24.

A host on the network is sending a DDoS attack to another inside host.

There are two active data exfiltration alerts.

A policy violation is active for host 10.201.3.149.

22. Which tool gives the ability to see session data in real time?

tcpdstat

trafdump

tcptrace

trafshow

23. An engineer received an alert affecting the degraded performance of a critical server. Analysis showed a heavy CPU and memory load.

What is the next step the engineer should take to investigate this resource usage?

Run "ps -d" to decrease the priority state of high load processes to avoid resource exhaustion.

Run "ps -u" to find out who executed additional processes that caused a high load on a server.

Run "ps -ef" to understand which processes are taking a high amount of resources.

Run "ps -m" to capture the existing state of daemons and map required processes to find the gap.

24. A security engineer notices confidential data being exfiltrated to a domain "Ranso4134-mware31-895" address that is attributed to a known advanced persistent threat group. The engineer discovers that the activity is part of a real attack and not a network misconfiguration.

Which category does this event fall under as defined in the Cyber Kill Chain?

reconnaissance

delivery

action on objectives

weaponization

25. Refer to the exhibit.

A workstation downloads a malicious docx file from the Internet and a copy is sent to FTDv. The FTDv sends the file hash to FMC and the tile event is recorded.

What would have occurred with stronger data visibility?

The traffic would have been monitored at any segment in the network.

Malicious traffic would have been blocked on multiple devices

An extra level of security would have been in place

Detailed information about the data in real time would have been provided

26. Refer to the exhibit.

A network administrator is investigating suspicious network activity by analyzing captured traffic. An engineer notices abnormal behavior and discovers that the default user agent is present in the headers of requests and data being transmitted.

What is occurring?

indicators of denial-of-service attack due to the frequency of requests

garbage flood attack attacker is sending garbage binary data to open ports

indicators of data exfiltration HTTP requests must be plain text

cache bypassing attack: attacker is sending requests for noncacheable content

27. A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions.

Which identifier tracks an active program?

application identification number

active process identification number

runtime identification number

process identification number

28. What is the impact of encryption?

Confidentiality of the data is kept secure and permissions are validated

Data is accessible and available to permitted individuals

Data is unaltered and its integrity is preserved

Data is secure and unreadable without decrypting it

29. What is threat hunting?

Managing a vulnerability assessment report to mitigate potential threats.

Focusing on proactively detecting possible signs of intrusion and compromise.

Pursuing competitors and adversaries to infiltrate their system to acquire intelligence data.

Attempting to deliberately disrupt servers by altering their availability

30. What is the virtual address space for a Windows process?

physical location of an object in memory

set of pages that reside in the physical memory

system-level memory protection feature built into the operating system

set of virtual memory addresses that can be used

Page 4 of 8

31. Which system monitors local system operation and local network access for violations of a security policy?

host-based intrusion detection

systems-based sandboxing

host-based firewall

antivirus

32. Refer to the exhibit.

Which type of attack is being executed?

SQL injection

cross-site scripting

cross-site request forgery

command injection

33. Which principle is being followed when an analyst gathers information relevant to a security incident to determine the appropriate course of action?

decision making

rapid response

data mining

due diligence

34. A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor.

Which type of evidence is this?

best evidence

prima facie evidence

indirect evidence

physical evidence

35. When communicating via TLS, the client initiates the handshake to the server and the server responds back with its certificate for identification.

Which information is available on the server certificate?

server name, trusted subordinate CA, and private key

trusted subordinate CA, public key, and cipher suites

trusted CA name, cipher suites, and private key

server name, trusted CA, and public key

36. Which type of data consists of connection level, application-specific records generated from network traffic?

transaction data

location data

statistical data

alert data

37. Which category relates to improper use or disclosure of PII data?

legal

compliance

regulated

contractual

38. Which process is used when IPS events are removed to improve data integrity?

data availability

data normalization

data signature

data protection

39. What is the principle of defense-in-depth?

Agentless and agent-based protection for security are used.

Several distinct protective layers are involved.

Access control models are involved.

Authentication, authorization, and accounting mechanisms are used.

40. What describes the concept of data consistently and readily being accessible for legitimate users?

integrity

availability

accessibility

confidentiality

Page 5 of 8

41. Syslog collecting software is installed on the server For the log containment, a disk with FAT type partition is used An engineer determined that log files are being corrupted when the 4 GB tile size is exceeded.

Which action resolves the issue?

Add space to the existing partition and lower the retention penod.

Use FAT32 to exceed the limit of 4 G

Use the Ext4 partition because it can hold files up to 16 T

Use NTFS partition for log file containment

42. What is a collection of compromised machines that attackers use to carry out a DDoS attack?

subnet

botnet

VLAN

command and control

43. What is the difference between inline traffic interrogation and traffic mirroring?

Inline interrogation is less complex as traffic mirroring applies additional tags to data.

Traffic mirroring copies the traffic rather than forwarding it directly to the analysis tools

Inline replicates the traffic to preserve integrity rather than modifying packets before sending them to other analysis tools.

Traffic mirroring results in faster traffic analysis and inline is considerably slower due to latency.

44. Refer to the exhibit.

An engineer received an event log file to review.

Which technology generated the log?

NetFlow

proxy

firewall

IDS/IPS

45. Why is HTTPS traffic difficult to screen?

HTTPS is used internally and screening traffic (or external parties is hard due to isolation.

The communication is encrypted and the data in transit is secured.

Digital certificates secure the session, and the data is sent at random intervals.

Traffic is tunneled to a specific destination and is inaccessible to others except for the receiver.

46. How is attacking a vulnerability categorized?

action on objectives

delivery

exploitation

installation

47. DRAG DROP

Drag and drop the uses on the left onto the type of security system on the right.

48. Refer to the exhibit.

Which stakeholders must be involved when a company workstation is compromised?

Employee 1 Employee 2, Employee 3, Employee 4, Employee 5, Employee 7

Employee 1, Employee 2, Employee 4, Employee 5

Employee 4, Employee 6, Employee 7

Employee 2, Employee 3, Employee 4, Employee 5

49. At which layer is deep packet inspection investigated on a firewall?

internet

transport

application

data link

50. An organization's security team has detected network spikes coming from the internal network. An investigation has concluded that the spike in traffic was from intensive network scanning.

How should the analyst collect the traffic to isolate the suspicious host?

by most active source IP

by most used ports

based on the protocols used

based on the most used applications

Page 6 of 8

51. What describes the defense-m-depth principle?

defining precise guidelines for new workstation installations

categorizing critical assets within the organization

isolating guest Wi-Fi from the focal network

implementing alerts for unexpected asset malfunctions

52. What are the two characteristics of the full packet captures? (Choose two.)

Identifying network loops and collision domains.

Troubleshooting the cause of security and performance issues.

Reassembling fragmented traffic from raw data.

Detecting common hardware faults and identify faulty assets.

Providing a historical record of a network transaction.

53. Refer to the exhibit.

Which type of log is displayed?

IDS

proxy

NetFlow

sys

54. Refer to the exhibit.

What is the expected result when the "Allow subdissector to reassemble TCP streams" feature is enabled?

insert TCP subdissectors

extract a file from a packet capture

disable TCP streams

unfragment TCP

55. What makes HTTPS traffic difficult to monitor?

SSL interception

packet header size

signature detection time

encryption

56. Refer to the exhibit.

A security analyst is investigating unusual activity from an unknown IP address Which type of evidence is this file1?

indirect evidence

best evidence

corroborative evidence

direct evidence

57. An engineer runs a suspicious file in a sandbox analysis tool to see the outcome. The analysis report shows that outbound callouts were made post infection.

Which two pieces of information from the analysis report are needed to investigate the callouts? (Choose two.)

signatures

host IP addresses

file size

dropped files

domain names

58. Refer to the exhibit.

What is occurring in this network traffic?

High rate of SYN packets being sent from a multiple source towards a single destination I

High rate of ACK packets being sent from a single source IP towards multiple destination IPs.

Flood of ACK packets coming from a single source IP to multiple destination IPs.

Flood of SYN packets coming from a single source IP to a single destination I

59. An analyst is using the SIEM platform and must extract a custom property from a Cisco device and capture the phrase, "File: Clean."

Which regex must the analyst import?

File: Clean

^Parent File Clean$

File: Clean (.*)

^File: Clean$

60. Which information must an organization use to understand the threats currently targeting the organization?

threat intelligence

risk scores

vendor suggestions

vulnerability exposure

Page 7 of 8

61. An employee reports that someone has logged into their system and made unapproved changes, files are out of order, and several documents have been placed in the recycle bin. The security specialist reviewed the system logs, found nothing suspicious, and was not able to determine what occurred. The software is up to date; there are no alerts from antivirus and no failed login attempts.

What is causing the lack of data visibility needed to detect the attack?

The threat actor used a dictionary-based password attack to obtain credentials.

The threat actor gained access to the system by known credentials.

The threat actor used the teardrop technique to confuse and crash login services.

The threat actor used an unknown vulnerability of the operating system that went undetected.

62. Refer to the exhibit.

An employee received an email from an unknown sender with an attachment and reported it as a phishing attempt. An engineer uploaded the file to Cuckoo for further analysis.

What should an engineer interpret from the provided Cuckoo report?

Win32.polip.a.exe is an executable file and should be flagged as malicious.

The file is clean and does not represent a risk.

Cuckoo cleaned the malicious file and prepared it for usage.

MD5 of the file was not identified as malicious.

63. DRAG DROP

Drag and drop the type of evidence from the left onto the description of that evidence on the right.

64. The SOC team has confirmed a potential indicator of compromise on an endpoint. The team has narrowed the executable file's type to a new trojan family. According to the NIST Computer Security Incident Handling Guide, what is the next step in handling this event?

Isolate the infected endpoint from the network.

Perform forensics analysis on the infected endpoint.

Collect public information on the malware behavior.

Prioritize incident handling based on the impact.

65. Which action prevents buffer overflow attacks?

variable randomization

using web based applications

input sanitization

using a Linux operating system

66. An organization is cooperating with several third-party companies. Data exchange is on an unsecured channel using port 80 Internal employees use the FTP service to upload and download sensitive data. An engineer must ensure confidentiality while preserving the integrity of the communication.

Which technology must the engineer implement in this scenario'?

X 509 certificates

RADIUS server

CA server

web application firewall

67. What is the difference between statistical detection and rule-based detection models?

Rule-based detection involves the collection of data in relation to the behavior of legitimate users over a period of time

Statistical detection defines legitimate data of users over a period of time and rule-based detection defines it on an IF/THEN basis

Statistical detection involves the evaluation of an object on its intended actions before it executes that behavior

Rule-based detection defines legitimate data of users over a period of time and statistical detection defines it on an IF/THEN basis

68. What does cyber attribution identify in an investigation?

cause of an attack

exploit of an attack

vulnerabilities exploited

threat actors of an attack

69. How is NetFlow different from traffic mirroring?

NetFlow collects metadata and traffic mirroring clones data.

Traffic mirroring impacts switch performance and NetFlow does not.

Traffic mirroring costs less to operate than NetFlow.

NetFlow generates more data than traffic mirroring.

70. When an event is investigated, which type of data provides the investigate capability to determine if data exfiltration has occurred?

full packet capture

NetFlow data

session data

firewall logs

Page 8 of 8

71. DRAG DROP

Refer to the exhibit.

Drag and drop the element name from the left onto the correct piece of the PCAP file on the right.

72. Which type of attack occurs when an attacker is successful in eavesdropping on a conversation between two IP phones?

known-plaintext

replay

dictionary

man-in-the-middle

73. What is the difference between deep packet inspection and stateful inspection?

Deep packet inspection gives insights up to Layer 7, and stateful inspection gives insights only up to Layer 4.

Deep packet inspection is more secure due to its complex signatures, and stateful inspection requires less human intervention.

Stateful inspection is more secure due to its complex signatures, and deep packet inspection requires less human intervention.

Stateful inspection verifies data at the transport layer and deep packet inspection verifies data at the application layer

74. How does certificate authority impact a security system?

It authenticates client identity when requesting SSL certificate

It validates domain identity of a SSL certificate

It authenticates domain identity when requesting SSL certificate

It validates client identity when communicating with the server

75. An engineer must compare NIST vs ISO frameworks. The engineer deeded to compare as readable documentation and also to watch a comparison video review. Using Windows 10 OS. the engineer started a browser and searched for a NIST document and then opened a new tab in the same browser and searched for an ISO document for comparison

The engineer tried to watch the video, but there 'was an audio problem with OS so the engineer had to troubleshoot it At first the engineer started CMD and looked fee a driver path then locked for a corresponding registry in the registry editor The engineer enabled "Audiosrv" in task manager and put it on auto start and the problem was solved.

Which two components of the OS did the engineer touch? (Choose two)

permissions

PowerShell logs

service

MBR

process and thread

76. Which attack represents the evasion technique of resource exhaustion?

SQL injection

man-in-the-middle

bluesnarfing

denial-of-service

77. An engineer received a flood of phishing emails from HR with the source address HRjacobm@companycom.

What is the threat actor in this scenario?

phishing email

sender

receiver

78. A security analyst notices a sudden surge of incoming traffic and detects unknown packets from unknown senders.

After further investigation, the analyst learns that customers claim that they cannot access company servers According to NIST SP800-61, in which phase of the incident response process is the analyst?

post-incident activity

detection and analysis

preparation

containment, eradication, and recovery

79. Which two elements are used for profiling a network? (Choose two.)

session duration

total throughput

running processes

listening ports

OS fingerprint

80. How does an SSL certificate impact security between the client and the server?

by enabling an authenticated channel between the client and the server

by creating an integrated channel between the client and the server

by enabling an authorized channel between the client and the server

by creating an encrypted channel between the client and the server

Facebook Twitter LinkedIn Google + Email