200-201 Practice Dumps - Verified By CertkingdomPDF Updated 452 Questions
Updated 200-201 Exam Dumps - PDF Questions and Testing Engine
The Cisco 200-201 (Understanding Cisco Cybersecurity Operations Fundamentals) exam is a globally recognized certification exam that validates the skills and knowledge of cybersecurity professionals responsible for monitoring and defending their organization's network infrastructure. It is designed to establish a foundational understanding of the principles of cybersecurity operations and of the practices used to implement effective cybersecurity measures.
Security Procedures & Policies
Security Procedures & Policies is the last exam domain and accounts for 15% of the exam questions. To answer them, candidates need to be able to perform the following tasks:
- Identify the elements used for server profiling: listening ports, applications, running processes and tasks, and logged-in service accounts.
- Apply the incident handling process to an event.
- Describe the concepts of evidence collection order, data integrity, data preservation, and volatile data collection.
- Map elements to the incident response steps of preparation, detection and analysis, containment, eradication and recovery, and post-incident analysis.
- Describe management concepts, including asset, configuration, mobile device, patch, and vulnerability management.
- Identify the elements used for network profiling: total throughput, session duration, and ports used.
NEW QUESTION # 251 
Refer to the exhibit. A SOC engineer is analyzing a Cuckoo Sandbox report for a file that the endpoint security system identified as suspicious. What is the state of the file?
- A. The file was identified as PE32 executable with a high level of entropy to bypass AV via encryption.
- B. The file was detected as executable and was marked by the SSDeep hashing algorithm as suspicious.
- C. The file was detected as an executable binary file, but no suspicious activity was detected and it is false positive.
- D. The file identified as an executable binary for Microsoft Word with macros creating hidden process via PowerShell.
Answer: A
NEW QUESTION # 252
An engineer is addressing a connectivity issue between two servers where the remote server is unable to establish a session. Initial checks show that the remote server sends the first SYN but never receives a SYN-ACK. What is causing this issue?
- A. incorrect OSI configuration
- B. incorrect TCP handshake
- C. incorrect UDP handshake
- D. incorrect snaplen configuration
Answer: B
Explanation:
A TCP handshake is a three-way exchange between a client and a server to establish a TCP connection. The client initiates it by sending a SYN segment carrying its initial sequence number. The server responds with a SYN-ACK carrying its own initial sequence number and an acknowledgment number equal to the client's sequence number plus one. The client completes the handshake with an ACK whose acknowledgment number is the server's sequence number plus one. If the remote server sends its SYN but never receives a SYN-ACK from the local server, the handshake is never completed and no connection is established. Possible causes include network congestion, firewall rules or packet filtering on either path, or misconfigured TCP parameters on either end. References: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 177; TCP 3-Way Handshake Process - GeeksforGeeks
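The following is an added example, not code from the page or from Cisco: a minimal Python model of the three-way handshake that tracks the sequence and acknowledgment numbers described above, and reproduces the failure in the question, where the SYN-ACK never reaches the initiator. `Segment`, `Endpoint` and the `drop_syn_ack` switch are illustrative names chosen here.

```python
"""Added example (not from the page or from Cisco): a minimal model of the
TCP three-way handshake with sequence/acknowledgment numbers, and the
failure where the SYN-ACK never reaches the initiator. Segment, Endpoint
and drop_syn_ack are illustrative names."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Segment:
    src: str
    dst: str
    flags: str            # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: Optional[int] = None


@dataclass
class Endpoint:
    name: str
    isn: int              # initial sequence number chosen by this side
    state: str = "CLOSED"
    snd_nxt: int = 0      # next sequence number this side will send
    rcv_nxt: Optional[int] = None  # next sequence number expected from the peer


def handshake(client: Endpoint, server: Endpoint,
              drop_syn_ack: bool = False, retries: int = 3) -> List[Segment]:
    """Run the handshake and return the segments that were actually delivered.
    With drop_syn_ack=True the SYN-ACK is lost (e.g. filtered on the return
    path), so the client retransmits its SYN and never leaves SYN-SENT."""
    trace: List[Segment] = []
    server.state = "LISTEN"
    client.state = "SYN-SENT"
    client.snd_nxt = client.isn + 1          # the SYN consumes one sequence number
    for _ in range(retries):
        trace.append(Segment(client.name, server.name, "SYN", seq=client.isn))
        # Server side: SYN received, acknowledge client ISN + 1 together with its own SYN.
        server.rcv_nxt = client.isn + 1
        server.snd_nxt = server.isn + 1
        server.state = "SYN-RECEIVED"
        syn_ack = Segment(server.name, client.name, "SYN-ACK",
                          seq=server.isn, ack=server.rcv_nxt)
        if drop_syn_ack:
            continue                         # lost in transit; client times out and retries
        trace.append(syn_ack)
        # Client side: the ACK number must equal our ISN + 1 or the segment is bogus.
        if syn_ack.ack != client.snd_nxt:
            raise ValueError("SYN-ACK acknowledges the wrong sequence number")
        client.rcv_nxt = syn_ack.seq + 1
        trace.append(Segment(client.name, server.name, "ACK",
                             seq=client.snd_nxt, ack=client.rcv_nxt))
        client.state = "ESTABLISHED"
        server.state = "ESTABLISHED"
        break
    return trace


def diagnose(trace: List[Segment], client: Endpoint) -> str:
    """Summarise what a capture of the handshake shows."""
    flags = [s.flags for s in trace]
    if client.state == "ESTABLISHED":
        return "handshake completed: " + " -> ".join(flags)
    return (f"incomplete TCP handshake: {flags.count('SYN')} SYN(s) sent, "
            f"no SYN-ACK seen, client stuck in {client.state}")


if __name__ == "__main__":
    c, s = Endpoint("remote-server", isn=1000), Endpoint("local-server", isn=5000)
    print(diagnose(handshake(c, s), c))
    c, s = Endpoint("remote-server", isn=1000), Endpoint("local-server", isn=5000)
    print(diagnose(handshake(c, s, drop_syn_ack=True), c))
```

In a real capture the same symptom is visible as repeated SYNs from the initiator with no SYN-ACK in reply; whether the SYN never arrived or the SYN-ACK was dropped on the way back is the next thing to check, by capturing on both hosts.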
NEW QUESTION # 253
Refer to the exhibit.
An analyst received this alert from the Cisco ASA device, and numerous activity logs were produced. How should this type of evidence be categorized?
- A. corroborative
- B. indirect
- C. circumstantial
- D. best
Answer: C
Explanation:
The alert from the Cisco ASA device and the numerous activity logs are examples of circumstantial evidence.
Circumstantial evidence relies on an inference or deduction to connect it to a conclusion of fact, such as a security incident or an attack. It does not directly prove the fact in question but suggests or implies it. Here the alert and the logs show that a TCP connection attempt was denied by an access group, but they do not directly prove that an attack occurred or who was behind it; a misconfiguration, a network error, or a legitimate request could also explain the denied connection. The evidence is therefore circumstantial and requires further investigation to confirm or rule out an attack. References: Circumstantial evidence - Wikipedia; Circumstantial Evidence - Definition, Examples, Cases, Processes; Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 92.
NEW QUESTION # 254
What do host-based firewalls protect workstations from?
- A. viruses
- B. unwanted traffic
- C. malicious web scripts
- D. zero-day vulnerabilities
Answer: B
Explanation:
Host-based firewalls are designed to protect individual workstations from unwanted traffic by filtering incoming and outgoing network communications based on predefined security rules. They can block unauthorized access attempts and prevent potentially harmful traffic from reaching the system.
NEW QUESTION # 255
Refer to the exhibit.
Refer to the exhibit. Which alert is identified from this packet?
- A. TCP fragmentation attack
- B. SYN flood
- C. SSDP amplification
- D. Fraggle attack
Answer: B
NEW QUESTION # 256
Drag and drop the security concept on the left onto the example of that concept on the right.
Answer:
Explanation:

NEW QUESTION # 257
An organization's security team has detected traffic spikes coming from the internal network. An investigation concluded that the spike was caused by intensive network scanning. How should the analyst collect the traffic to isolate the suspicious host?
- A. by most used ports
- B. based on the protocols used
- C. by most active source IP
- D. based on the most used applications
Answer: C
Explanation:
To isolate the host performing intensive network scanning, the analyst should collect the traffic by most active source IP. This identifies the host that is generating the most flows and sending the most packets or bytes. The analyst can then filter on that source IP to determine the nature and scope of the scanning activity. References: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 72; Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide, page 468
NEW QUESTION # 258
Which two elements are assets in the role of attribution in an investigation? (Choose two.)
- A. context
- B. session
- C. laptop
- D. threat actor
- E. firewall logs
Answer: C,E
Explanation:
The following factors are used during attribution in an investigation: assets, threat actor, indicators of compromise (IoCs), indicators of attack (IoAs), and chain of custody.
Asset: identifies which assets were compromised by a threat actor. An example of an asset is an organization's domain controller (DC) running Active Directory Domain Services (AD DS); AD lets an administrator manage user accounts, groups, and policies across a Microsoft Windows environment.
Keep in mind that an asset is anything that has value to an organization; it can be physical, digital, or even people. Because the threat actor is a separate attribution factor, and context and session describe the investigation rather than something of value to the organization, the two assets among the options are the laptop and the firewall logs. Reference: Cisco Certified CyberOps Associate 200-201 Certification Guide
NEW QUESTION # 259
Syslog collecting software is installed on the server. For the log containment, a disk with a FAT type partition is used. An engineer determined that log files are being corrupted when the 4 GB file size is exceeded. Which action resolves the issue?
- A. Use FAT32 to exceed the limit of 4 GB.
- B. Use the Ext4 partition because it can hold files up to 16 TB.
- C. Use NTFS partition for log file containment
- D. Add space to the existing partition and lower the retention period.
Answer: C
Explanation:
FAT file systems cap the size of a single file: FAT16 and FAT32 both stop at 4 GB (FAT32 allows at most 4 GiB minus one byte), so a log file that grows past that point is truncated or corrupted. Switching to FAT32 therefore does not remove the limit, and adding space or shortening the retention period does not change the per-file ceiling either. NTFS supports individual files far larger than 4 GB (its limits are measured in terabytes), so placing the log directory on an NTFS partition resolves the issue. Ext4 also supports files up to 16 TB and would likewise remove the limit on a Linux syslog host; NTFS is the expected answer for the server described. Reference: Cisco Cybersecurity Operations Fundamentals, Module 5: Security Policies and Procedures, Lesson 5.1: Data Retention, Topic 5.1.1: Data Retention Policies and Procedures
NEW QUESTION # 260
Refer to the exhibit.
What is the potential threat identified in this Stealthwatch dashboard?
- A. Host 10.201.3.149 is sending data to 152.46.6.91 using TCP/443.
- B. Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.
- C. Traffic to 152.46.6.149 is being denied by an Advanced Network Control policy.
- D. Host 152.46.6.91 is being identified as a watchlist country for data transfer.
Answer: B
Explanation:
The exhibit shows a Stealthwatch dashboard with Top Alarming Hosts, Alarms by Type, and Today's Alarms. Under Top Alarming Hosts, five host IP addresses are listed with their alarm categories, including Data Hoarding and Exfiltration. The Alarms by Type bar graph shows the count of each alarm type, including Crypto Violation. Today's Alarms tabulates each alarm's host IP, type, severity, and time. The potential threat is that host 10.201.3.149 is receiving almost 19 times more data than it sends to host 152.46.6.91: an internal host pulling in far more data than it pushes out matches the Data Hoarding pattern, which commonly precedes exfiltration. Data exfiltration is the unauthorized transfer of data from a compromised system to an external destination such as a command and control server or a malicious actor, and results in data loss, breach of confidentiality, and damage to the organization's reputation and assets. Reference: Cisco Cybersecurity Operations Fundamentals - Module 7: Network and Host Forensics
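As an added example serving both question 257 (collect the traffic by most active source IP to find a scanner) and question 260 (a host receiving many times more data than it sends), the following Python pivots on flow records the way an analyst would in a flow collector. It is not code from the page, from Cisco, or from Stealthwatch; the NetFlow-style field names and the `SAMPLE_FLOWS` records are constructed for illustration, and the thresholds are assumptions.

```python
"""Added example (not from the page, Cisco or Stealthwatch): pivoting on
flow records to find a scanning host (most active source IP, most distinct
targets) and a data-hoarding host (bytes received / bytes sent).
SAMPLE_FLOWS is constructed; the field names mimic a NetFlow export."""
import csv
from collections import Counter, defaultdict
from io import StringIO
from typing import Dict, List, Tuple

SAMPLE_FLOWS = """\
src,dst,dport,packets,bytes_sent,bytes_recv
10.201.3.149,152.46.6.91,443,900,100000,1880000
10.201.3.22,203.0.113.5,443,40,12000,9000
10.201.3.50,10.201.3.10,445,12,3000,2800
10.201.3.77,10.201.3.10,22,1,60,0
10.201.3.77,10.201.3.10,23,1,60,0
10.201.3.77,10.201.3.10,80,1,60,0
10.201.3.77,10.201.3.11,22,1,60,0
10.201.3.77,10.201.3.11,445,1,60,0
10.201.3.77,10.201.3.12,3389,1,60,0
10.201.3.77,10.201.3.13,22,1,60,0
"""


def parse_flows(text: str) -> List[dict]:
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({"src": r["src"], "dst": r["dst"], "dport": int(r["dport"]),
                     "packets": int(r["packets"]),
                     "bytes_sent": int(r["bytes_sent"]),
                     "bytes_recv": int(r["bytes_recv"])})
    return rows


def most_active_source(flows: List[dict]) -> Tuple[str, int]:
    """Q257: the host generating the most flows. A scanner produces many
    short one-packet flows to many distinct destination/port pairs."""
    counts = Counter(f["src"] for f in flows)
    return counts.most_common(1)[0]


def scan_suspects(flows: List[dict], min_targets: int = 5) -> List[str]:
    """Sources that touched at least min_targets distinct (dst, dport) pairs."""
    targets: Dict[str, set] = defaultdict(set)
    for f in flows:
        targets[f["src"]].add((f["dst"], f["dport"]))
    return sorted(ip for ip, t in targets.items() if len(t) >= min_targets)


def recv_to_sent_ratio(flows: List[dict]) -> Dict[str, float]:
    """Q260: bytes received divided by bytes sent, per internal host."""
    sent: Counter = Counter()
    recv: Counter = Counter()
    for f in flows:
        sent[f["src"]] += f["bytes_sent"]
        recv[f["src"]] += f["bytes_recv"]
    return {ip: round(recv[ip] / sent[ip], 1) if sent[ip] else 0.0 for ip in sent}


def data_hoarding_suspects(flows: List[dict],
                           threshold: float = 10.0) -> List[Tuple[str, float]]:
    """Hosts pulling far more data than they push, highest ratio first."""
    ratios = recv_to_sent_ratio(flows)
    return sorted(((ip, r) for ip, r in ratios.items() if r >= threshold),
                  key=lambda x: x[1], reverse=True)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("most active source:", most_active_source(flows))
    print("scan suspects:", scan_suspects(flows))
    print("data hoarding suspects:", data_hoarding_suspects(flows))
```

The two pivots answer different questions: flow count and distinct-target count point at a scanner even when it moves very few bytes, while the receive/send ratio surfaces a host that is quietly collecting data regardless of how many flows it opens.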
NEW QUESTION # 261
Refer to the exhibit.
Which tool was used to generate this data?
- A. firewall
- B. NetFlow
- C. tcpdump
- D. dnstools
Answer: C
Explanation:
The data shown in the exhibit is typical of what can be captured and displayed using tcpdump, a command-line packet analyzer that allows users to display TCP/IP and other packets being transmitted or received over a network.
NEW QUESTION # 262
Drag and drop the elements from the left into the correct order for incident handling on the right.
Answer:
Explanation:

NEW QUESTION # 263
Refer to the exhibit.
Which alert is identified from this packet capture?
- A. brute-force attack
- B. SQL injection
- C. ARP poisoning
- D. man-in-the-middle attack
Answer: A
Explanation:
The capture shows multiple POP3 requests carrying the PASS command, which a client sends to supply a mailbox password. Their rapid succession, each with a different password value, indicates an attempt to guess the credential, the characteristic signature of a brute-force attack. Verify with additional context where possible: a capture can hold a large amount of traffic and needs careful filtering for an accurate interpretation.
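The detection logic behind that interpretation, as an added example that is not code from the page or from Cisco: it parses constructed packet-summary lines (frame, time, source, destination, info, in a tshark-like layout that is an assumption here), counts PASS commands per client/server pair inside a time window, and pairs them with the server's -ERR replies. The sample lines and thresholds are constructed for illustration.

```python
"""Added example (not from the page or from Cisco): flag POP3 password
guessing from packet-summary lines. SAMPLE_LINES is constructed; the
line layout (frame time src dst POP Request/Response: info) and the
thresholds are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed capture summary: one source hammering PASS, one normal login.
SAMPLE_LINES = """\
1 0.000 192.0.2.10 10.0.0.5 POP Request: USER alice
2 0.010 10.0.0.5 192.0.2.10 POP Response: +OK
3 0.020 192.0.2.10 10.0.0.5 POP Request: PASS summer2019
4 0.030 10.0.0.5 192.0.2.10 POP Response: -ERR [AUTH] Authentication failed.
5 0.250 192.0.2.10 10.0.0.5 POP Request: PASS Password1
6 0.260 10.0.0.5 192.0.2.10 POP Response: -ERR [AUTH] Authentication failed.
7 0.480 192.0.2.10 10.0.0.5 POP Request: PASS alice123
8 0.490 10.0.0.5 192.0.2.10 POP Response: -ERR [AUTH] Authentication failed.
9 0.700 192.0.2.10 10.0.0.5 POP Request: PASS qwerty
10 0.710 10.0.0.5 192.0.2.10 POP Response: -ERR [AUTH] Authentication failed.
11 0.930 192.0.2.10 10.0.0.5 POP Request: PASS letmein
12 0.940 10.0.0.5 192.0.2.10 POP Response: -ERR [AUTH] Authentication failed.
13 1.150 192.0.2.10 10.0.0.5 POP Request: PASS welcome1
14 1.160 10.0.0.5 192.0.2.10 POP Response: -ERR [AUTH] Authentication failed.
15 5.000 198.51.100.4 10.0.0.5 POP Request: USER bob
16 5.010 10.0.0.5 198.51.100.4 POP Response: +OK
17 5.020 198.51.100.4 10.0.0.5 POP Request: PASS correct-horse
18 5.030 10.0.0.5 198.51.100.4 POP Response: +OK Logged in.
"""

LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+POP\s+"
    r"(?P<kind>Request|Response):\s+(?P<info>.*)$")


def parse_pop_lines(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["time"] = float(d["time"])
            events.append(d)
    return events


def detect_pop3_bruteforce(events: List[dict], threshold: int = 5,
                           window: float = 10.0) -> List[Tuple[str, str, int, int]]:
    """Return (client, server, PASS attempts, -ERR replies) for every
    client/server pair with >= threshold PASS commands inside `window` seconds."""
    pass_times: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    failures: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e["kind"] == "Request" and e["info"].startswith("PASS "):
            pass_times[(e["src"], e["dst"])].append(e["time"])
        elif e["kind"] == "Response" and e["info"].startswith("-ERR"):
            failures[(e["dst"], e["src"])] += 1   # keyed as (client, server)
    alerts = []
    for pair, times in pass_times.items():
        times.sort()
        # Sliding window: do any `threshold` consecutive PASS commands fit in `window`?
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if burst:
            alerts.append((pair[0], pair[1], len(times), failures[pair]))
    return alerts


if __name__ == "__main__":
    for a in detect_pop3_bruteforce(parse_pop_lines(SAMPLE_LINES)):
        print("POP3 brute force: %s -> %s, %d PASS attempts, %d failures" % a)
```

Counting the server's -ERR replies alongside the PASS commands matters: a burst of PASS commands that all succeed is more likely a misbehaving mail client re-authenticating than an attacker, and an attack that ends with a +OK after many -ERR replies is a successful guess that needs immediate follow-up.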
NEW QUESTION # 264
Which two elements are assets in the role of attribution in an investigation? (Choose two.)
- A. firewall logs
- B. threat actor
- C. context
- D. session
- E. laptop
Answer: A,E
Explanation:
In cybersecurity, an asset is anything that has value to the organization and its business operations, including data and physical devices. Attribution is the process of associating an action or event with a particular individual or entity, and the attribution factors are assets, threat actor, indicators of compromise, indicators of attack, and chain of custody. The threat actor is therefore a separate factor rather than an asset, and context and session describe the investigation itself. The two assets among the options are the laptop (E), which may hold data or artifacts that help trace the origin of an attack, and the firewall logs (A), a data asset that records what the attacker's traffic did and when. This question repeats question 258 with the options in a different order.
NEW QUESTION # 265
What is a difference between tampered and untampered disk images?
- A. Tampered images are used as evidence.
- B. Untampered images are used for forensic investigations.
- C. Tampered images have the same stored and computed hash.
- D. Untampered images are deliberately altered to preserve as evidence.
Answer: B
Explanation:
A forensic disk image is hashed (for example with SHA-256) when it is acquired, and the hash is recorded with the chain-of-custody documentation. An untampered image is one whose recomputed hash still matches the stored hash; only such an image is trusted and used for the forensic investigation. A tampered image has a computed hash that differs from the stored one and cannot be relied on as evidence. Options C and D invert these properties, and A is wrong because altered images are not used as evidence.
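The verification itself, as an added example that is not code from the page or from Cisco: the image is hashed in chunks at acquisition, the digest is recorded, and later copies are checked by recomputing it. The "image" here is a constructed byte pattern written to a temporary file, and the single-byte change stands in for any tampering; `hash_file`, `verify_image` and `demo` are names chosen for this example.

```python
"""Added example (not from the page or from Cisco): verify that a disk image
is untampered by recomputing its hash and comparing it with the hash
recorded at acquisition. The image bytes are constructed; a real image
would be read from the evidence file in the same chunked way."""
import hashlib
import os
import tempfile
from typing import Tuple


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte images need not fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, stored_hash: str,
                 algorithm: str = "sha256") -> Tuple[bool, str]:
    """Return (untampered, computed_hash). Untampered means stored == computed."""
    computed = hash_file(path, algorithm)
    return computed.lower() == stored_hash.lower(), computed


def demo() -> Tuple[bool, bool]:
    """Acquire a constructed 'image', record its hash, then alter one byte.
    Returns (verifies before alteration, verifies after alteration)."""
    image = bytes(range(256)) * 256               # constructed 64 KiB pattern, not a real disk
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.dd")
        with open(path, "wb") as fh:
            fh.write(image)
        acquisition_hash = hash_file(path)        # what the chain-of-custody form records
        before, _ = verify_image(path, acquisition_hash)
        with open(path, "r+b") as fh:             # flip one byte somewhere in the image
            fh.seek(4096)
            original = fh.read(1)
            fh.seek(4096)
            fh.write(bytes([original[0] ^ 0xFF]))
        after, _ = verify_image(path, acquisition_hash)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("untampered copy verifies:", before)
    print("altered copy verifies:", after)
```

Record the digest and the algorithm together on the chain-of-custody form; a hash that matches only proves integrity against the specific recorded value, so a form that lists "the MD5" with no digest is no better than no hash at all.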
NEW QUESTION # 266
Which evasion technique is indicated when an intrusion detection system begins receiving an abnormally high volume of scanning from numerous sources?
- A. tunneling
- B. timing attack
- C. resource exhaustion
- D. traffic fragmentation
Answer: C
NEW QUESTION # 267
Refer to the exhibit.
Which application-level protocol is being targeted?
- A. HTTPS
- B. FTP
- C. HTTP
- D. TCP
Answer: C
NEW QUESTION # 268
Which classification of cross-site scripting attack executes the payload without storing it for repeated use?
- A. CSRF
- B. DOM
- C. stored
- D. reflective
Answer: D
Explanation:
Reflective XSS, also known as non-persistent XSS, occurs when an attacker delivers a malicious script to a user through a web application and the script is executed immediately in the user's browser without being stored on the server. The attack is typically carried out by embedding the script in a URL parameter that the application echoes back into the page; when the victim follows the link, the response reflects the script and the browser runs it, with no payload retained for repeated use. Reference: the OWASP Foundation's documentation on Cross-Site Scripting (XSS) describes the different types of XSS attacks, including reflected XSS.
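The vulnerable pattern beside its fix, as an added example that is not code from the page, OWASP or Cisco: a search page echoes the `q` parameter from the URL into its HTML. The unsafe renderer concatenates it raw, the safe one HTML-encodes it. The page markup, the parameter name and the `PAYLOAD` string are assumptions made for this example.

```python
"""Added example (not from the page, OWASP or Cisco): reflected XSS and its
fix. A search page echoes the `q` URL parameter into HTML; the unsafe
renderer concatenates it raw, the safe one HTML-encodes it. The markup,
parameter name and PAYLOAD are constructed for illustration."""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

PAYLOAD = "<script>alert(document.cookie)</script>"   # constructed attacker input


def query_param(url: str, name: str) -> str:
    """Pull one parameter out of the URL the victim was tricked into opening."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_unsafe(q: str) -> str:
    # Vulnerable: attacker-controlled text lands inside the markup unchanged.
    return "<h1>Results for: " + q + "</h1>"


def render_search_safe(q: str) -> str:
    # Fixed: encode <, >, &, " and ' so the browser treats q as text, not as tags.
    return "<h1>Results for: " + escape(q, quote=True) + "</h1>"


def contains_script_tag(html: str) -> bool:
    """Crude oracle: would this response contain a live script element?"""
    return "<script" in html.lower()


if __name__ == "__main__":
    url = "https://shop.example/search?q=" + quote(PAYLOAD)   # hypothetical site
    q = query_param(url, "q")
    print("unsafe response executes payload:", contains_script_tag(render_search_unsafe(q)))
    print("safe response executes payload:  ", contains_script_tag(render_search_safe(q)))
```

Output encoding has to match the context the value lands in: `html.escape` is correct for element text and quoted attribute values, but a value placed inside a `<script>` block or a URL needs JavaScript-string or URL encoding instead, which is why frameworks with context-aware auto-escaping are preferred over hand-built string concatenation.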
NEW QUESTION # 269
Refer to the exhibit.
Which packet contains a file that is extractable within Wireshark?
- A. 0
- B. 1
- C. 2
- D. 3
Answer: C
NEW QUESTION # 270
Which attack method intercepts traffic on a switched network?
- A. command and control
- B. ARP cache poisoning
- C. DHCP snooping
- D. denial of service
Answer: B
Explanation:
ARP cache poisoning is a type of attack that intercepts traffic on a switched network by sending spoofed ARP messages to associate the attacker's MAC address with the IP address of a legitimate host or gateway.
This way, the attacker can redirect the traffic intended for the legitimate host or gateway to their own device and perform a man-in-the-middle attack. Reference: Cisco Cybersecurity Operations Fundamentals
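How a sensor on the segment spots that pattern, as an added example that is not code from the page or from Cisco: over constructed ARP reply records it reports every IP address claimed by more than one MAC and picks out the MAC that took over the gateway's IP and other hosts' IPs at the same time. The record layout (time, sender IP, sender MAC, target IP), the addresses and `GATEWAY_IP` are assumptions made for this example.

```python
"""Added example (not from the page or from Cisco): detect ARP cache
poisoning from ARP reply ("is-at") records. SAMPLE_ARP and the record
layout (time, sender_ip, sender_mac, target_ip) are constructed; the
check is that more than one MAC claims the same IP, and that the MAC
which took over the gateway IP also claims other hosts' IPs."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed ARP replies as a sniffer on the segment would see them.
SAMPLE_ARP = [
    # time, sender_ip,   sender_mac,          target_ip
    (0.0, "10.0.0.1",  "00:11:22:33:44:01", "10.0.0.25"),   # gateway answers a normal request
    (0.5, "10.0.0.25", "00:11:22:33:44:25", "10.0.0.1"),
    (1.0, "10.0.0.40", "00:11:22:33:44:40", "10.0.0.25"),
    (2.0, "10.0.0.1",  "de:ad:be:ef:00:99", "10.0.0.25"),   # attacker claims the gateway IP
    (2.1, "10.0.0.25", "de:ad:be:ef:00:99", "10.0.0.1"),    # ... and the victim's IP
    (3.0, "10.0.0.1",  "de:ad:be:ef:00:99", "10.0.0.25"),   # re-sent to keep caches poisoned
]

GATEWAY_IP = "10.0.0.1"   # assumed default gateway of the segment


def macs_per_ip(replies) -> Dict[str, Set[str]]:
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _, ip, mac, _ in replies:
        seen[ip].add(mac)
    return seen


def find_conflicts(replies) -> List[Tuple[str, List[str]]]:
    """IPs claimed by more than one MAC, with the MACs in first-seen order."""
    order: Dict[str, List[str]] = defaultdict(list)
    for _, ip, mac, _ in replies:
        if mac not in order[ip]:
            order[ip].append(mac)
    return sorted((ip, macs) for ip, macs in order.items() if len(macs) > 1)


def likely_attacker_mac(replies, gateway_ip: str = GATEWAY_IP) -> str:
    """The MAC that claimed the gateway IP after another MAC already had it,
    preferring one that also claims other hosts' IPs (the man in the middle).
    Returns "" when the gateway mapping never changed."""
    conflicts = dict(find_conflicts(replies))
    if gateway_ip not in conflicts:
        return ""
    _first, *later = conflicts[gateway_ip]
    claimed = macs_per_ip(replies)
    for mac in later:
        if any(mac in macs and ip != gateway_ip for ip, macs in claimed.items()):
            return mac
    return later[0]


if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE_ARP):
        print(f"ARP conflict: {ip} claimed by {', '.join(macs)}")
    print("likely poisoning MAC:", likely_attacker_mac(SAMPLE_ARP) or "none")
```

A legitimate change of the gateway's MAC (a replaced router, a VRRP failover) produces the first alert too, so the second check, whether the new MAC is simultaneously answering for other hosts, is what separates poisoning from maintenance; Dynamic ARP Inspection on the switch enforces the same IP-to-MAC binding check inline.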
NEW QUESTION # 271
An analyst received a ticket regarding a degraded processing capability for one of the HR department's servers. On the same day, an engineer noticed a disabled antivirus software and was not able to determine when or why it occurred. According to the NIST Incident Handling Guide, what is the next phase of this investigation?
- A. Detection
- B. Analysis
- C. Eradication
- D. Recovery
Answer: B
Explanation:
According to the NIST Incident Handling Guide, the analysis phase is the next phase of this investigation. Analysis involves examining the evidence and determining the impact, scope, and cause of the incident. The analyst should also identify the attacker's methods, tools, and objectives, together with any indicators of compromise or malicious activity, and may collect additional data such as logs, network traffic, or malware samples to support the investigation. The analysis phase is the basis for an effective containment, eradication, and recovery strategy, and for preventing or mitigating future incidents. References: NIST Special Publication 800-61 Revision 2, Computer Security Incident Handling Guide, Section 3.2.4, Incident Analysis (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf); Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 5: Security Incident Response, Lesson 5.2: Incident Response Process, Topic 5.2.3: Analysis Phase (https://learningnetworkstore.cisco.com/on-demand-e-learning/understanding-cisco-cybersecurity-operations-fundamentals-cbrops-v1-0/CSCU-LP-CBROPS-V1-028093.html)
NEW QUESTION # 272
Refer to the exhibit.
An attacker gained initial access to the company's network and ran an Nmap scan to advance with the lateral movement technique and to search for sensitive data. Which two elements can an attacker identify from the scan? (Choose two.)
- A. workload and the configuration details
- B. number of users and requests that the server is handling
- C. functionality and purpose of the server
- D. running services
- E. user accounts and SID
Answer: C,D
Explanation:
An Nmap scan reveals which ports are open on a host and which services are running behind them, and from that service profile an attacker can infer the functionality and purpose of the server (a host answering on 445 and 389 is likely a domain controller, one answering on 1433 a database server). Nmap does not report user accounts and SIDs, request volumes, or configuration and workload details. This information is used to identify potential vulnerabilities or targets for exploitation during the attack.
Reference: Cisco Cybersecurity Training
NEW QUESTION # 273 
Refer to the exhibit. Which set of actions must an engineer perform to identify and fix this issue?
- A. Reinstall the IIS server to reset certificate details to default and try to connect to the server.
- B. Add client authentication to the certificate template, reissue, and apply the certificate.
- C. Remove the intermediate certificates and install the CA root certificate on each server.
- D. Implement a different version of CA authority and install intermediate certificates.
Answer: B
NEW QUESTION # 274
What is a purpose of a vulnerability management framework?
- A. identifies, removes, and mitigates system vulnerabilities
- B. conducts vulnerability scans on the network
- C. detects and removes vulnerabilities in source code
- D. manages a list of reported vulnerabilities
Answer: A
Explanation:
A vulnerability management framework is a set of processes and tools that helps an organization identify, assess, prioritize, remediate, and mitigate system vulnerabilities. It aims to reduce the attack surface and the risk of compromise by applying security patches, hardening configurations, implementing security controls, and monitoring the system status, and it is an essential component of a security operations center (SOC). References: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 2-14; 200-201 CBROPS - Cisco, exam topic 1.2.b
NEW QUESTION # 275
The Cisco 200-201 exam consists of 100 questions that candidates must complete within 120 minutes. The exam fee is $300, and it is available in English and Japanese. Candidates who pass earn the Cisco Certified CyberOps Associate certification, which demonstrates their ability to identify and remediate cybersecurity threats and to work effectively in a SOC environment. The Understanding Cisco Cybersecurity Operations Fundamentals certification is a valuable asset for individuals starting a career in cybersecurity and for those who want to advance their skills in this field.
New (2025) Cisco 200-201 Exam Dumps: https://www.certkingdompdf.com/200-201-latest-certkingdom-dumps.html
Best Way To Study For Cisco 200-201 Exam Brilliant 200-201 Exam Questions PDF: https://drive.google.com/open?id=1xMuojloAtkIEZ1q7f6PBR8TgKN1J0CyG