Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)
https://killexams.com/pass4sure/exam-detail/200-201
Question: 252
Which regular expression matches "color" and "colour"?
A. colo?ur
B. col[0-8]+our
C. colou?r
D. col[0-9]+our
Answer: C
Question: 253
Refer to the exhibit.
Which type of log is displayed?
A. proxy
B. NetFlow
C. IDS
D. sys
Answer: B
Question: 254
An analyst is investigating an incident in a SOC environment. Which method is used to identify a session from a group of logs?
A. sequence numbers
B. IP identifier
C. 5-tuple
D. timestamps
Answer: C
Question: 255
Which type of evidence supports a theory or an assumption that results from initial evidence?
A. probabilistic
B. indirect
C. best
D. corroborative
Answer: D
Question: 256
Which two elements are assets in the role of attribution in an investigation? (Choose two.)
A. context
B. session
C. laptop
D. firewall logs
E. threat actor
Answer: AE
Question: 257
Which piece of information is needed for attribution in an investigation?
A. proxy logs showing the source RFC 1918 IP addresses
B. RDP allowed from the Internet
C. known threat actor behavior
D. 802.1x RADIUS authentication pass and fail logs
Answer: C
Question: 258
An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this impact on network traffic?
A. true negative
B. false negative
C. false positive
D. true positive
Answer: B
Question: 259
Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2? (Choose two.)
A. detection and analysis
B. post-incident activity
C. vulnerability management
D. risk assessment
E. vulnerability scoring
Answer: AB
Explanation:
Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Question: 260
What should a security analyst consider when comparing inline traffic interrogation with traffic tapping to determine which approach to use in the network?
A. Tapping interrogation replicates signals to a separate port for analyzing traffic
B. Tapping interrogations detect and block malicious traffic
C. Inline interrogation enables viewing a copy of traffic to ensure traffic is in compliance with security policies
D. Inline interrogation detects malicious traffic but does not block the traffic
Answer: A
Question: 261
What is the difference between the ACK flag and the RST flag in the NetFlow log session?
A. The RST flag confirms the beginning of the TCP connection, and the ACK flag responds when the data for the payload is complete
B. The ACK flag confirms the beginning of the TCP connection, and the RST flag responds when the data for the payload is complete
C. The RST flag confirms the receipt of the prior segment, and the ACK flag allows for the spontaneous termination of a connection
D. The ACK flag confirms the receipt of the prior segment, and the RST flag allows for the spontaneous termination of a connection
Answer: D
Question: 262
Which event is user interaction?
A. gaining root access
B. executing remote code
C. reading and writing file permission
D. opening a malicious file
Answer: D
Question: 263
An intruder attempted malicious activity and exchanged emails with a user and received corporate information, including email distribution lists. The intruder asked the user to engage with a link in an email. When the link launched, it infected machines and the intruder was able to access the corporate network.
Which testing method did the intruder use?
A. social engineering
B. eavesdropping
C. piggybacking
D. tailgating
Answer: A
Question: 264
Which security principle requires that more than one person perform a critical task?
A. least privilege
B. need to know
C. separation of duties
D. due diligence
Answer: C
Question: 265
What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)
A. Untampered images are used in the security investigation process
B. Tampered images are used in the security investigation process
C. The image is tampered if the stored hash and the computed hash match
D. Tampered images are used in the incident recovery process
E. The image is untampered if the stored hash and the computed hash match
Answer: BE
Question: 266 DRAG DROP
Answer:
Question: 267
An investigator is examining a copy of an ISO file that is stored in CDFS format. What type of evidence is this file?
A. data from a CD copied using Mac-based system
B. data from a CD copied using Linux system
C. data from a DVD copied using Windows system
D. data from a CD copied using Windows
Answer: B
Question: 268
A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor.
Which type of evidence is this?
A. best evidence
B. prima facie evidence
C. indirect evidence
D. physical evidence
Answer: C
Question: 269
Which artifact is used to uniquely identify a detected file?
A. file timestamp
B. file extension
C. file size
D. file hash
Answer: D
Question: 270
Which two components reduce the attack surface on an endpoint? (Choose two.)
A. secure boot
B. load balancing
C. increased audit log levels
D. restricting USB ports
E. full packet captures at the endpoint
Answer: AD
Question: 271 DRAG DROP
Refer to the exhibit.
Drag and drop the element name from the left onto the correct piece of the PCAP file on the right.
Answer: