Latest Cisco 200-201 Exam questions and answers [Q24-Q44]

Share

Latest Cisco 200-201 Exam questions and answers

VCEEngine 200-201 Exam Practice Test Questions (Updated 379 Questions)


Cisco 200-201 certification exam is an excellent way to demonstrate your competence in the field of cybersecurity operations. It is a globally recognized certification that is valued by employers around the world. Passing the exam will help you stand out in a competitive job market and increase your chances of landing a high-paying job in the cybersecurity field.


Cisco 200-201 exam is a multiple-choice exam that consists of 95-105 questions. 200-201 exam is timed, and candidates have 120 minutes to complete it. 200-201 exam is administered by Pearson VUE and can be taken at one of their testing centers or online. To pass the exam, candidates must score at least 750 out of 1000.

 

NEW QUESTION # 24
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model.

Answer:

Explanation:

Explanation:
Exploitation - The targeted Environment is taken advantage of triggering the threat actor's code Installation - Backdoor is placed on the victim system allowing the threat actor to maintain the persistence.
Command and Control - An outbound connection is established to an Internet-based controller server.
Actions and Objectives - The threat actor takes actions to violate data integrity and availability


NEW QUESTION # 25
Which signature impacts network traffic by causing legitimate traffic to be blocked?

  • A. true negative
  • B. false negative
  • C. true positive
  • D. false positive

Answer: D


NEW QUESTION # 26
Which incidence response step includes identifying all hosts affected by an attack'?

  • A. preparation
  • B. detection and analysis
  • C. containment eradication and recovery
  • D. post-incident activity

Answer: D


NEW QUESTION # 27
An engineer received an alert affecting the degraded performance of a critical server. Analysis showed a heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?

  • A. Run "ps -d" to decrease the priority state of high load processes to avoid resource exhaustion.
  • B. Run "ps -m" to capture the existing state of daemons and map required processes to find the gap.
  • C. Run "ps -u" to find out who executed additional processes that caused a high load on a server.
  • D. Run "ps -ef" to understand which processes are taking a high amount of resources.

Answer: B


NEW QUESTION # 28
An engineer needs to discover alive hosts within the 192.168.1.0/24 range without triggering intrusive portscan alerts on the IDS device using Nmap. Which command will accomplish this goal?

  • A. nmap -sP 192.168.1.0/24
  • B. nmap -sV 192.168.1.0/24
  • C. nmap --top-ports 192.168.1.0/24
  • D. nmap -sL 192.168.1.0/24

Answer: D


NEW QUESTION # 29
Which two pieces of information are collected from the IPv4 protocol header? (Choose two.)

  • A. UDP port to which the traffic is destined
  • B. source IP address of the packet
  • C. UDP port from which the traffic is sourced
  • D. destination IP address of the packet
  • E. TCP port from which the traffic was sourced

Answer: B,D


NEW QUESTION # 30
An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this impact on network traffic?

  • A. false positive
  • B. true negative
  • C. true positive
  • D. false negative

Answer: D

Explanation:
A false negative occurs when an intrusion detection system (IDS) fails to detect and report actual malicious activity. This means that a legitimate security alert has been dismissed or overlooked, allowing potentially harmful traffic to pass through the network undetected. The impact of false negatives can be significant as they represent missed opportunities to stop or mitigate security threats1.


NEW QUESTION # 31
The SOC team has confirmed a potential indicator of compromise on an endpoint. The team has narrowed the executable file's type to a new trojan family. According to the NIST Computer Security Incident Handling Guide, what is the next step in handling this event?

  • A. Isolate the infected endpoint from the network.
  • B. Perform forensics analysis on the infected endpoint.
  • C. Prioritize incident handling based on the impact.
  • D. Collect public information on the malware behavior.

Answer: D


NEW QUESTION # 32
Refer to the exhibit.

What should be interpreted from this packet capture?

  • A. IP address 192.168.122.100/50272/81.179.179.69/80/6 is sending a packet from port 80 of IP address
    192.168.122.100 that is going to port 50272 of IP address 81.179.179.69 using IP protocol 6.7E503B693763E0113BE0CD2E4A16C9C4
  • B. IP address 179.179.69/50272/192.168.122.100/80/6 is sending a packet from port 50272 of IP address
    192.168.122.100 that is going to port 80 of IP address 81.179.179.69 using IP protocol 6.
  • C. IP address 192.168.122.100/50272/81.179.179.69/80/6 is sending a packet from port 50272 of IP address
    192.168.122.100 that is going to port 80 of IP address 81.179.179.69 using IP protocol 6.
  • D. IP address 179.179.69/50272/192.168.122.100/80/6 is sending a packet from port 80 of IP address
    192.168.122.100 that is going to port 50272 of IP address 81.179.179.69 using IP protocol 6.

Answer: C


NEW QUESTION # 33
Drag and drop the technology on the left onto the data type the technology provides on the right.

Answer:

Explanation:


NEW QUESTION # 34
Refer to the exhibit.

Which alert is identified from this packet capture?

  • A. brute-force attack
  • B. ARP poisoning
  • C. man-in-the-middle attack
  • D. SQL injection

Answer: A

Explanation:
The screenshot shows multiple POP requests with the command PASS, which is typically used for password entry. The rapid succession and variation of these requests suggest an attempt to guess the password, characteristic of a brute-force attack. Remember, always verify with additional data or context when possible, as packet captures can contain vast amounts of information and may require thorough analysis for accurate interpretation.


NEW QUESTION # 35
How is NetFlow different from traffic mirroring?

  • A. NetFlow generates more data than traffic mirroring.
  • B. Traffic mirroring costs less to operate than NetFlow.
  • C. Traffic mirroring impacts switch performance and NetFlow does not.
  • D. NetFlow collects metadata and traffic mirroring clones data.

Answer: D

Explanation:
NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network traffic. It collects metadata of the IP traffic flowing across networking devices like routers and switches. On the other hand, Traffic mirroring involves capturing all the data packets that flow through a particular point in the network to analyze or inspect them later. References := Cisco Cybersecurity Operations Fundamentals


NEW QUESTION # 36
Refer to the exhibit.

An engineer is analyzing a PCAP file after a recent breach An engineer identified that the attacker used an aggressive ARP scan to scan the hosts and found web and SSH servers. Further analysis showed several SSH Server Banner and Key Exchange Initiations. The engineer cannot see the exact data being transmitted over an encrypted channel and cannot identify how the attacker gained access How did the attacker gain access?

  • A. by using brute force on the SSH service to gain access
  • B. by using an SSH vulnerability to silently redirect connections to the local host
  • C. by using the buffer overflow in the URL catcher feature for SSH
  • D. by using an SSH Tectia Server vulnerability to enable host-based authentication

Answer: B


NEW QUESTION # 37
An organization that develops high-end technology is going through an internal audit The organization uses two databases The main database stores patent information and a secondary database stores employee names and contact information A compliance team is asked to analyze the infrastructure and identify protected data Which two types of protected data should be identified? (Choose two)

  • A. Intellectual Property (IP)
  • B. Payment Card Industry (PCI)
  • C. Personally Identifiable Information (Pll)
  • D. Sarbanes-Oxley (SOX)
  • E. Protected Hearth Information (PHI)

Answer: A,C

Explanation:
Protected data refers to any information that is legally guarded or sensitive due to its nature. In the context of the organization described, the main database contains Intellectual Property (IP), which includes patents that are legally protected forms of inventions and designs. The secondary database holds Personally Identifiable Information (PII), which comprises data that can be used to identify individuals, such as names and contact details. Both IP and PII are considered protected data and should be identified during an internal audit to ensure they are handled according to legal and regulatory standards. Reference:: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)


NEW QUESTION # 38
Which are two denial-of-service attacks? (Choose two.)

  • A. ping of death
  • B. man-in-the-middle
  • C. TCP connections
  • D. code-red
  • E. UDP flooding

Answer: A,E

Explanation:
* The ping of death is a type of attack that involves sending oversized or malformed packets using the ICMP protocol to crash, freeze, or reboot the target system1.
* UDP flooding is an attack method that sends a large number of User Datagram Protocol (UDP) packets to random ports on a remote host, causing the host to repeatedly check for the application listening at that port, and (when no application is found) reply with an ICMP Destination Unreachable packet. This process can saturate the network and the resources of the host, leading to denial of service2.
References:
* Cloudflare's explanation of common DoS attacks1.
* Wikipedia's description of denial-of-service attack methods


NEW QUESTION # 39
What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)

  • A. Untampered images are used in the security investigation process
  • B. The image is tampered if the stored hash and the computed hash match
  • C. Tampered images are used in the incident recovery process
  • D. The image is untampered if the stored hash and the computed hash match
  • E. Tampered images are used in the security investigation process

Answer: D,E


NEW QUESTION # 40
Refer to the exhibit.

An attacker scanned the server using Nmap.
What did the attacker obtain from this scan?

  • A. Identified open SMB ports on the server
  • B. Gathered a list of Active Directory users.
  • C. Identified a firewall device preventing the port state from being returned
  • D. Gathered information on processes running on the server

Answer: C


NEW QUESTION # 41
What is the difference between authentication and authorization?

  • A. Authorization allows an engineer to control the user access level privileges to the router, and authentication is the process of giving the user-specific permissions.
  • B. Authentication is coupled with authorization so that the server knows who the requestor is, and authorization is used by a requestor that knows the server.
  • C. Authentication allows an engineer to identify who can connect to a router, and authorization is the function of specifying access rights and privileges to resources.
  • D. Authorization is used by a server when the server needs to know exactly who is accessing resources, and authentication is a process by which a server determines the permissions.

Answer: C


NEW QUESTION # 42
Refer to the exhibit.
Which tool was used to generate this data?

  • A. firewall
  • B. NetFlow
  • C. tcpdump
  • D. dnstools

Answer: C

Explanation:
The data shown in the exhibit is typical of what can be captured and displayed using tcpdump, a command-line packet analyzer that allows users to display TCP/IP and other packets being transmitted or received over a network.


NEW QUESTION # 43
Refer to the exhibit. Where is the executable file?

  • A. info
  • B. tags
  • C. name
  • D. MIME

Answer: C

Explanation:
The executable file is identified in the "name" section of the exhibit, which lists the file name "VAC-Bypass-Loader.exe". This indicates that the file is an executable, as denoted by the ".exe" extension commonly associated with executable files in Windows operating systems.


NEW QUESTION # 44
......


Cisco 200-201 exam is a valuable certification for individuals looking to start or advance their careers in cybersecurity operations. It is a recognized industry certification that demonstrates a candidate’s knowledge and skills in this field. By passing the exam, candidates can demonstrate to employers that they have the skills and knowledge necessary to identify and respond to security incidents in a network environment.

 

Pass Your Cisco Exam with 200-201 Exam Dumps: https://www.vceengine.com/200-201-vce-test-engine.html

Pass 200-201 Exam Info and Free Practice Test: https://drive.google.com/open?id=1WzEYaBIsrRCaCAAEPXJ6Kxjl5azYul1R