Practice 200-201 Questions With Certification guide Q&A from Training Expert TrainingDumps
Free Cisco 200-201 Test Practice Test Questions Exam Dumps
The Cisco 200-201 exam covers a range of topics, including security concepts, security monitoring, network intrusion analysis, endpoint threat analysis, and computer forensics. It is a 120-minute exam consisting of 60-70 multiple-choice and drag-and-drop questions. To pass, candidates must demonstrate their understanding of the core concepts and principles of cybersecurity operations and their ability to apply that knowledge in real-world scenarios. The Understanding Cisco Cybersecurity Operations Fundamentals certification is valid for three years and serves as a stepping stone to higher-level cybersecurity certifications.
NEW QUESTION # 11
Which list identifies the information that the client sends to the server in the negotiation phase of the TLS handshake?
- A. ClientHello, ClientKeyExchange, cipher-suites it supports, and suggested compression methods
- B. ClientStart, TLS versions it supports, cipher-suites it supports, and suggested compression methods
- C. ClientStart, ClientKeyExchange, cipher-suites it supports, and suggested compression methods
- D. ClientHello, TLS versions it supports, cipher-suites it supports, and suggested compression methods
Answer: D
Explanation:
During the negotiation phase of the TLS handshake, the client sends a "ClientHello" message to the server that includes the TLS versions it supports, the cipher-suites it supports, and suggested compression methods. This opens the negotiation of the parameters used for the secure connection. Reference: Cisco Cybersecurity source documents or study guide
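The following Python example is added here to show the ClientHello fields named in the answer as they actually appear on the wire; it is not code from the original page or from Cisco. It builds a minimal TLS 1.2 ClientHello record from constructed sample values (the cipher-suite list, null compression and an all-zero client random are assumptions) with every length prefix computed from the data, then parses the record back to recover the version, cipher suites and compression methods. The builder omits extensions entirely.

```python
import struct

# Constructed sample values (assumptions, not taken from the page): a TLS 1.2
# version field, three cipher suites and the null compression method.
TLS_1_2 = (3, 3)
SAMPLE_CIPHER_SUITES = [0x1301, 0xC02F, 0xC030]
SAMPLE_COMPRESSION = [0x00]


def build_client_hello(version=TLS_1_2, cipher_suites=SAMPLE_CIPHER_SUITES,
                       compression=SAMPLE_COMPRESSION, client_random=bytes(32)):
    """Return a TLS record (content type 0x16) carrying a minimal ClientHello.

    Every length prefix is computed from the data, so the framing stays
    consistent whatever cipher suites or compression methods are passed in.
    No extensions are included.
    """
    body = bytes(version) + client_random
    body += b"\x00"                                   # session_id length = 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites   # cipher_suites vector
    comp = bytes(compression)
    body += struct.pack("!B", len(comp)) + comp       # compression_methods vector
    # Handshake header: type 1 (ClientHello) + 3-byte body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 (handshake) + version + 2-byte length.
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the negotiation fields from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello body")
    version = (body[0], body[1])
    pos = 2 + 32                                      # skip version + random
    session_id_len = body[pos]
    pos += 1 + session_id_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]
    pos += 1
    compression = list(body[pos:pos + comp_len])
    return {"version": version, "cipher_suites": suites, "compression": compression}


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello()))
```

Note that in TLS 1.3 the version field in this position is only a legacy value (0x0303) and the versions the client really supports travel in the supported_versions extension, which this minimal builder does not emit; a parser used on real captures has to read that extension as well.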
NEW QUESTION # 12
How does TOR alter data content during transit?
- A. It spoofs the destination and source information protecting both sides.
- B. It redirects destination traffic through multiple sources avoiding traceability.
- C. It encrypts content and destination information over multiple layers.
- D. It traverses source traffic through multiple destinations before reaching the receiver
Answer: C
Explanation:
TOR is a network that enables anonymous communication over the internet by routing traffic through a series of relays or nodes. TOR alters the data content during transit by encrypting it and the destination information over multiple layers, using a technique called onion routing. Each layer of encryption can only be decrypted by a specific relay in the network, which reveals the next destination. This way, no single relay knows the complete path or the content of the data, making it difficult to trace or monitor the communication. References: Cisco Cybersecurity Operations Fundamentals, Module 2: Security Monitoring, Lesson 2.1: The Network as a Sensor, Topic 2.1.3: Network Data Exfiltration Techniques
NEW QUESTION # 13
How does statistical detection differ from rule-based detection?
- A. Rule-based detection defines legitimate data over a period of time, and statistical detection works on a predefined set of rules
- B. Statistical detection involves the evaluation of events, and rule-based detection requires an evaluated set of events to function.
- C. Rule-based detection involves the evaluation of events, and statistical detection requires an evaluated set of events to function
- D. Statistical detection defines legitimate data over time, and rule-based detection works on a predefined set of rules
Answer: D
Explanation:
Statistical detection relies on analyzing data over time to identify patterns and anomalies, without predefined rules. It uses algorithms and statistical models to determine normal behavior and identify deviations. Rule-based detection uses predefined rules or patterns to identify known threats or vulnerabilities, often based on signatures or behaviors associated with specific attacks.
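The following Python example is added to make the contrast in the explanation concrete; it is not code from the original page. A rule-based detector matches log lines against a predefined signature set, while a statistical detector learns a baseline (mean and standard deviation) from counts observed over time and flags a new observation by its z-score. The log lines, the hourly failed-login counts and the rule names are constructed sample data.

```python
import re
import statistics

# Constructed sample data (assumptions, not from the page).
# Hourly failed-login counts for one host during a quiet baseline period:
BASELINE_COUNTS = [3, 5, 4, 6, 5, 4, 7, 5, 4, 6, 5, 5]
# Web server log lines for the rule-based detector:
SAMPLE_LOGS = [
    "GET /index.html HTTP/1.1 200",
    "GET /login.php?user=admin'%20OR%201=1-- HTTP/1.1 200",
    "GET /images/logo.png HTTP/1.1 304",
]

# Rule-based detection: a predefined set of rules (signatures). A line is
# flagged only when it matches a pattern the analyst already wrote.
RULES = {
    "sqli_tautology": re.compile(r"'(\s|%20)*OR(\s|%20)*1=1", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}


def rule_based_detect(log_line):
    """Return the names of all rules the line matches (empty list = no alert)."""
    return [name for name, pattern in RULES.items() if pattern.search(log_line)]


# Statistical detection: learn what legitimate data looks like over time
# (mean and spread of the baseline), then flag observations that deviate
# from it by more than a chosen number of standard deviations.
def statistical_detect(baseline, observation, z_threshold=3.0):
    """Return (is_anomalous, z_score) for one new observation."""
    mean = statistics.mean(baseline)
    stdev = statistics.stdev(baseline)
    if stdev == 0:                        # flat baseline: any change is a deviation
        return observation != mean, 0.0
    z = (observation - mean) / stdev
    return abs(z) > z_threshold, z


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(rule_based_detect(line) or "clean", "<-", line)
    for count in (6, 48):
        flagged, z = statistical_detect(BASELINE_COUNTS, count)
        print(f"{count} failed logins/hour: z={z:.1f} anomalous={flagged}")
```

The two detectors fail in opposite ways: the rule set is silent on anything it has no signature for, while the baseline model raises on any large deviation, including legitimate ones such as a patch-day login surge, so in practice the statistical alert is a trigger for investigation rather than a verdict.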
NEW QUESTION # 14
How is NetFlow different than traffic mirroring?
- A. NetFlow collects metadata and traffic mirroring clones data
- B. Traffic mirroring impacts switch performance and NetFlow does not
- C. Traffic mirroring costs less to operate than NetFlow
- D. NetFlow generates more data than traffic mirroring
Answer: A
NEW QUESTION # 15
Which two elements are assets in the role of attribution in an investigation? (Choose two.)
- A. firewall logs
- B. context
- C. session
- D. threat actor
- E. laptop
Answer: D,E
Explanation:
In the context of cybersecurity, an asset is anything that has value to the organization, its business operations and their continuity, including data and physical devices. In the role of attribution in an investigation, which is the process of associating an action or event with a particular individual or entity, certain assets are particularly relevant. A laptop (E) can be an asset because it may contain data or clues that help trace the origin of a cyber attack. Similarly, identifying the threat actor (D) is crucial for attribution, as it involves understanding who is behind the attack and their motives, which can be essential for preventing future attacks and for legal proceedings.
NEW QUESTION # 16
Refer to the exhibit.
An engineer is analyzing a PCAP file after a recent breach. The engineer identified that the attacker used an aggressive ARP scan to scan the hosts and found web and SSH servers. Further analysis showed several SSH Server Banner and Key Exchange Initiations. The engineer cannot see the exact data being transmitted over an encrypted channel and cannot identify how the attacker gained access. How did the attacker gain access?
- A. by using brute force on the SSH service to gain access
- B. by using the buffer overflow in the URL catcher feature for SSH
- C. by using an SSH vulnerability to silently redirect connections to the local host
- D. by using an SSH Tectia Server vulnerability to enable host-based authentication
Answer: C
NEW QUESTION # 17
Refer to the exhibit.
A security analyst is investigating unusual activity from an unknown IP address. Which type of evidence is this file?
- A. corroborative evidence
- B. direct evidence
- C. best evidence
- D. indirect evidence
Answer: D
Explanation:
The file in question, which contains logs of unsuccessful login attempts from an unknown IP address, is considered indirect evidence. It suggests that there may have been an attempt to gain unauthorized access, but it does not directly prove who was responsible for the attempts. Indirect evidence can be used to support other evidence that may lead to a direct identification of the threat actor. References: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) and other Cisco cybersecurity resources provide information on how to analyze and categorize different types of evidence in the context of security incidents.
NEW QUESTION # 18
What describes the usage of a rootkit in endpoint based attacks?
- A. set of vulnerabilities used by an attacker to disable root access on the system
- B. remote code execution that causes a denial-of-service on the system
- C. set of tools used by an attacker to maintain control of a compromised system while avoiding detection
- D. exploit that can be used to perform remote code execution
Answer: C
NEW QUESTION # 19 
Refer to the exhibit. An engineer must map these events to the source technology that generated the event logs. To which technology do the generated logs belong?
- A. antivirus
- B. proxy
- C. IPS
- D. firewall
Answer: C
NEW QUESTION # 20 
Refer to the exhibit. A SOC analyst is examining the Auth.log file logs of one of the breached systems. What is the possible reason for this event log?
- A. regular Linux log and 10.10.10.10 is legitimate host
- B. brute force attack on Windows from 10.10.10.10
- C. password cracking DoS attack on Windows endpoint
- D. brute force attack on Linux from 10.10.10.10
Answer: B
NEW QUESTION # 21
Drag and drop the elements from the left into the correct order for incident handling on the right.
Answer:
Explanation:
NEW QUESTION # 22
Refer to the exhibit.
Which stakeholders must be involved when a company workstation is compromised?
- A. Employee 4, Employee 6, Employee 7
- B. Employee 1 Employee 2, Employee 3, Employee 4, Employee 5, Employee 7
- C. Employee 2, Employee 3, Employee 4, Employee 5
- D. Employee 1, Employee 2, Employee 4, Employee 5
Answer: A
Explanation:
When a company workstation is compromised, the stakeholders that must be involved are the ones responsible for the security incident response process. According to the table, these are Employee 4 (Security Operation Center Analyst), Employee 6 (Head of Network and Security Infrastructure Services), and Employee 7 (Technical Director). The other employees have roles that are not directly related to the incident response process, such as accounting, financial management, or system administration. References: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 1: Security Concepts, Lesson 1.4: Security Monitoring, Topic 1.4.1: Security Operations Center
NEW QUESTION # 23
Refer to the exhibit.
What is occurring within the exhibit?
- A. cross-site scripting attack
- B. XML External Entities attack
- C. insecure deserialization
- D. regular GET requests
Answer: D
Explanation:
Based on the exhibit, a series of HTTP requests is shown using the GET method, which retrieves data from a web server. There is no evidence of a malicious payload or parameter in these requests, so they are likely regular GET requests. The other options are web application attacks that exploit different vulnerabilities: XML External Entities, insecure deserialization, and cross-site scripting. References: https://www.tutorialspoint.com/http/http_requests.htm and https://github.com/gwroblew/detectXSSlib/blob/master/test/attacks.txt
NEW QUESTION # 24
What is the principle of defense-in-depth?
- A. Agentless and agent-based protection for security are used.
- B. Access control models are involved.
- C. Authentication, authorization, and accounting mechanisms are used.
- D. Several distinct protective layers are involved.
Answer: D
Explanation:
Defense-in-depth is a security strategy where multiple layers of defense are placed throughout an information technology (IT) system. It addresses physical, technical, and administrative controls to provide redundancy and ensure that if one layer fails, others will be in place to thwart an attack. References: Cisco Tech Roles - CyberOps Engineer
NEW QUESTION # 25
Which attack represents the evasion technique of resource exhaustion?
- A. bluesnarfing
- B. SQL injection
- C. denial-of-service
- D. man-in-the-middle
Answer: C
Explanation:
A denial-of-service attack represents the evasion technique of resource exhaustion, where the attacker overwhelms a system's resources, making the system unusable and unable to handle legitimate requests. References: Cisco Cybersecurity Source Documents; https://www.ciscopress.com/articles/article.asp?p=3100055&seqNum=3
NEW QUESTION # 26
What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)
- A. The image is untampered if the stored hash and the computed hash match
- B. Tampered images are used in the incident recovery process
- C. Tampered images are used in the security investigation process
- D. The image is tampered if the stored hash and the computed hash match
- E. Untampered images are used in the security investigation process
Answer: A,E
Explanation:
Cert Guide by Omar Santos, Chapter 9 - Introduction to Digital Forensics: "When you collect evidence, you must protect its integrity. This involves making sure that nothing is added to the evidence and that nothing is deleted or destroyed (this is known as evidence preservation)."
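The hash comparison that answer A describes, as an added Python example that is not part of the original page or the cited Cert Guide. It hashes an image in chunks (so real multi-gigabyte images never need to fit in memory), compares the result against the hash recorded at acquisition time, and then flips a single byte of a constructed stand-in image to show that the computed hash no longer matches. The file name, size and the byte chosen for tampering are all assumptions.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 64 * 1024


def compute_image_hash(path, algorithm="sha256"):
    """Hash a disk image in fixed-size chunks so multi-gigabyte files never
    have to fit in memory; returns the lowercase hex digest."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_is_untampered(path, stored_hash, algorithm="sha256"):
    """True when the freshly computed hash equals the hash recorded at
    acquisition time; any changed, added or removed byte makes it False."""
    return hmac.compare_digest(compute_image_hash(path, algorithm), stored_hash.lower())


def demo():
    """Create a constructed stand-in image, record its hash, verify it, then
    flip one bit of one byte and verify again. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "evidence.dd")             # constructed file name
        with open(path, "wb") as image:
            image.write(os.urandom(3 * CHUNK_SIZE + 123))       # constructed content
        stored_hash = compute_image_hash(path)                  # what the acquisition record holds
        before = image_is_untampered(path, stored_hash)
        with open(path, "r+b") as image:                        # simulate tampering
            image.seek(CHUNK_SIZE + 7)
            original = image.read(1)
            image.seek(CHUNK_SIZE + 7)
            image.write(bytes([original[0] ^ 0x01]))
        after = image_is_untampered(path, stored_hash)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The stored hash only proves integrity if it was recorded at acquisition and kept where the image itself cannot alter it (a chain-of-custody record, not a file alongside the image), which is why the hash belongs in the evidence documentation rather than only on the storage media.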
NEW QUESTION # 27
What is the difference between indicator of attack (IoA) and indicators of compromise (IoC)?
- A. IoC is the evidence that a security breach has occurred, and IoA allows organizations to act before the vulnerability can be exploited.
- B. IoA refers to the individual responsible for the security breach, and IoC refers to the resulting loss.
- C. IoC refers to the individual responsible for the security breach, and IoA refers to the resulting loss.
- D. IoA is the evidence that a security breach has occurred, and IoC allows organizations to act before the vulnerability can be exploited.
Answer: A
Explanation:
Indicators of Compromise (IoC) are pieces of forensic data, such as system log entries or files, that suggest an intrusion may have occurred. Indicators of Attack (IoA) are signs that an attack may be underway, allowing organizations to take action before any potential breach occurs.
References: The CBROPS course materials cover the concepts of IoC and IoA, explaining how they are used in cybersecurity operations to detect and prevent security incidents.
NEW QUESTION # 28
Refer to the exhibit.
What is occurring in this network traffic?
- A. Flood of SYN packets coming from a single source IP to a single destination IP.
- B. Flood of ACK packets coming from a single source IP to multiple destination IPs.
- C. High rate of SYN packets being sent from multiple sources towards a single destination IP.
- D. High rate of ACK packets being sent from a single source IP towards multiple destination IPs.
Answer: C
Explanation:
The exhibit shows a high rate of SYN packets being sent from multiple sources towards a single destination IP. This is indicative of a SYN flood attack, where the attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. References: Cisco Cybersecurity Operations Fundamentals - Module 4: Network Intrusion Analysis
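The following Python example is added to show how an analyst would separate the four answer patterns from packet metadata; it is not code from the original page and the packet list is constructed, not taken from the exhibit. Given (source, destination, TCP flags) tuples it counts SYN-only packets, the number of distinct sources and destinations they involve, and how many SYNs never led to an ACK from the same source (half-open connections), then labels the traffic with the source/destination pattern.

```python
from collections import Counter

# Constructed packet summaries (assumptions, not taken from the exhibit):
# (source_ip, destination_ip, tcp_flags). "S" = SYN only, "SA" = SYN-ACK,
# "A" = ACK. Forty SYNs from forty different sources hit one server, plus one
# legitimate three-way handshake from 192.0.2.5.
SAMPLE_PACKETS = (
    [(f"198.51.100.{i}", "203.0.113.10", "S") for i in range(1, 41)]
    + [("192.0.2.5", "203.0.113.10", "S"),
       ("203.0.113.10", "192.0.2.5", "SA"),
       ("192.0.2.5", "203.0.113.10", "A")]
)


def summarize_syn_traffic(packets, threshold=20):
    """Describe SYN activity in a packet set.

    Counts SYN-only packets, how many distinct sources and destinations they
    involve, and how many never completed a handshake (no ACK from the same
    source to the same destination anywhere in the capture).
    """
    syns = [(src, dst) for src, dst, flags in packets if flags == "S"]
    acked = {(src, dst) for src, dst, flags in packets if flags == "A"}
    half_open = sum(1 for pair in syns if pair not in acked)
    sources = len({src for src, _ in syns})
    destinations = len({dst for _, dst in syns})
    result = {
        "syn_count": len(syns),
        "sources": sources,
        "destinations": destinations,
        "half_open": half_open,
        "flood": len(syns) >= threshold,
        "top_destination": Counter(dst for _, dst in syns).most_common(1)[0][0] if syns else None,
    }
    if sources <= 1 and destinations <= 1:
        result["pattern"] = "single source -> single destination"
    elif sources > 1 and destinations <= 1:
        result["pattern"] = "multiple sources -> single destination"
    elif sources <= 1:
        result["pattern"] = "single source -> multiple destinations"
    else:
        result["pattern"] = "multiple sources -> multiple destinations"
    return result


if __name__ == "__main__":
    print(summarize_syn_traffic(SAMPLE_PACKETS))
```

The half-open count is the more reliable flood signal than the raw SYN count: a busy web server also sees many SYNs from many sources, but legitimate clients complete the handshake, whereas flood sources do not.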
NEW QUESTION # 29
Which event artifact is used to identify HTTP GET requests for a specific file?
- A. HTTP status code
- B. TCP ACK
- C. destination IP address
- D. URI
Answer: D
Explanation:
The Uniform Resource Identifier (URI) is used to identify specific resources on the internet, including files. In the context of HTTP GET requests, the URI specifies the path to the file being requested.
NEW QUESTION # 30
When an event is investigated, which type of data provides the investigative capability to determine if data exfiltration has occurred?
- A. firewall logs
- B. full packet capture
- C. session data
- D. NetFlow data
Answer: B
Explanation:
Full packet capture provides the complete recording of all the packets that are transmitted over the network. This data is essential for in-depth analysis during an investigation, as it allows investigators to reconstruct the session, observe the content of the traffic, and determine if data exfiltration has occurred.
NEW QUESTION # 31 
Refer to the exhibit. Which type of log is displayed?
- A. NetFlow
- B. proxy
- C. IDS
- D. sys
Answer: D
NEW QUESTION # 32
Refer to the exhibit.
A SOC analyst received a message from the SIEM about abnormal activity on the Windows server. The analyst checked the Windows event log and saw numerous Audit Failure logs. What is occurring?
- A. brute-force attack
- B. regular Windows log
- C. DoS attack
- D. Windows failed to audit the logs
Answer: A
Explanation:
Windows Security Event ID 4625 is generated when an account fails to log on. When a SOC analyst observes a large number of Audit Failure events occurring in rapid succession, this is a strong indicator of a brute-force authentication attack.
Brute-force attacks involve repeatedly attempting different username and password combinations to gain unauthorized access to a system. These attacks commonly target Windows servers exposed to internal or external networks and often focus on privileged or commonly used accounts. The repeated failures shown in the exhibit indicate that authentication attempts are being made unsuccessfully over a short time period, which is abnormal for standard user behavior.
The option stating that Windows failed to audit the logs is incorrect because the logs clearly show that Windows auditing is functioning correctly and recording failures. A regular Windows log is incorrect because normal Windows activity does not generate large volumes of failed authentication events in a short time frame. A DoS attack is incorrect because a Denial-of-Service attack targets system availability and resource exhaustion, not authentication mechanisms.
Cybersecurity operations documentation highlights failed login storms as one of the most common indicators of credential-based attacks. SIEM platforms are designed to alert analysts on such patterns because they often precede account compromise or lateral movement attempts.
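The "failed login storm" alert the explanation refers to, written out as an added Python example that is not part of the original page or of any SIEM product. It parses constructed Event ID 4625/4624 records (simplified to a key=value line format, an assumption, not the real XML export), groups failures by source address, and raises an alert when a sliding window contains at least the threshold number of failures. A single mistyped password from a normal user stays below the threshold, which is the distinction between the correct answer and the "regular Windows log" option.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumptions, not exported from a real server),
# reduced to the fields that matter: timestamp, Event ID, target account,
# source address. 4624 = successful logon, 4625 = failed logon.
SAMPLE_EVENTS = (
    ["2024-05-01T10:00:00 EventID=4624 TargetUserName=jsmith IpAddress=10.0.0.15"]
    + [f"2024-05-01T10:01:{s:02d} EventID=4625 TargetUserName=administrator IpAddress=10.10.10.10"
       for s in range(0, 30, 2)]                       # 15 failures in 30 seconds
    + ["2024-05-01T10:05:00 EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.15",   # one mistyped password
       "2024-05-01T10:05:07 EventID=4624 TargetUserName=jsmith IpAddress=10.0.0.15"]
)

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)$")


def parse_event(line):
    """Return (timestamp, event_id, account, source_ip) or None for a malformed line."""
    match = LINE_RE.match(line)
    if not match:
        return None
    ts, event_id, account, ip = match.groups()
    return datetime.fromisoformat(ts), int(event_id), account, ip


def detect_failed_logon_bursts(lines, window=timedelta(seconds=60), threshold=10):
    """Return {source_ip: details} for every source whose 4625 events reach
    `threshold` inside any sliding window of length `window`.

    Isolated failures (a user mistyping a password) stay below the threshold;
    a rapid run of failures from one address is what the SIEM should raise.
    """
    failures = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        if event and event[1] == 4625:
            failures[event[3]].append((event[0], event[2]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        recent = deque()
        peak, accounts = 0, set()
        for ts, account in events:
            recent.append(ts)
            while ts - recent[0] > window:           # drop failures outside the window
                recent.popleft()
            peak = max(peak, len(recent))
            accounts.add(account)
        if peak >= threshold:
            alerts[ip] = {"peak_failures_in_window": peak, "accounts": sorted(accounts)}
    return alerts


if __name__ == "__main__":
    for ip, details in detect_failed_logon_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT possible brute force from {ip}: {details}")
```

The accounts list in the alert is worth keeping: many failures against one privileged account and a few failures each against many accounts are both credential attacks, but they call for different responses (lockout review versus a password policy check), and the same counting logic surfaces both.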
NEW QUESTION # 33
Cybersecurity is a critical concern in today's digital world, and the importance of the cybersecurity profession is increasing day by day. With the rise of cyber-attacks and data breaches, it has become crucial to protect sensitive data and networks from unauthorized access. To meet this need, Cisco offers a certification program for cybersecurity professionals known as the Cisco 200-201 exam.
The Cisco 200-201 exam, also known as Understanding Cisco Cybersecurity Operations Fundamentals, is an entry-level certification exam designed for aspiring cybersecurity professionals. The 200-201 exam tests the candidate's knowledge and understanding of basic cybersecurity concepts, including security concepts, network concepts, security monitoring, host-based analysis, and security policies and procedures.