A threat actor penetrated an organization's network. Using the 5-tuple approach, which data points should the analyst use to isolate the compromised host in a grouped set of logs?

protocol, source IP, source port, destination IP, and destination port

event name, log source, time, source IP, and host name

protocol, source IP, source port, destination IP, and destination port

event name, log source, time, source IP, and username

protocol, log source, source IP, destination IP, and host name

Which event is a vishing attack?

impersonating a tech support agent during a phone call

obtaining disposed documents from an organization

using a vulnerability scanner on a corporate network

setting up a rogue access point near a public hotspot

impersonating a tech support agent during a phone call

What is indicated by an increase in IPv4 traffic carrying protocol 41 ?

attempts to tunnel IPv6 traffic through an IPv4 network

additional PPTP traffic due to Windows clients

unauthorized peer-to-peer traffic

deployment of a GRE network on top of an existing Layer 3 network

attempts to tunnel IPv6 traffic through an IPv4 network

What is the impact of false positive alerts on business compared to true positive?

False-positive alerts are detected by confusion as potential attacks, while true positives are attack attempts identified appropriately.

True positives affect security as no alarm is raised when an attack has taken place, while false positives are alerts raised appropriately to detect and further mitigate them.

True-positive alerts are blocked by mistake as potential attacks, while False-positives are actual attacks Identified as harmless.

False-positive alerts are detected by confusion as potential attacks, while true positives are attack attempts identified appropriately.

False positives alerts are manually ignored signatures to avoid warnings that are already acknowledged, while true positives are warnings that are not yet acknowledged.

An organization's security team has detected network spikes coming from the internal network. An investigation has concluded that the spike in traffic was from intensive network scanning How should the analyst collect the traffic to isolate the suspicious host?

based on the most used applications

What is an incident response plan?

an organizational approach to events that could lead to asset loss or disruption of operations

an organizational approach to security management to ensure a service lifecycle and continuous improvements

an organizational approach to disaster recovery and timely restoration of operational services

an organizational approach to system backup and data archiving aligned to regulations

An engineer is addressing a connectivity issue between two servers where the remote server is unable to establish a successful session. Initial checks show that the remote server is not receiving an SYN-ACK while establishing a session by sending the first SYN. What is causing this issue?

incorrect snaplen configuration

What is vulnerability management?

A process to identify and remediate existing weaknesses.

A security practice focused on clarifying and narrowing intrusion points.

A security practice of performing actions rather than acknowledging the threats.

A process to identify and remediate existing weaknesses.

A process to recover from service interruptions and restore business-critical applications

What is a difference between data obtained from Tap and SPAN ports?

Tap sends traffic from physical layers to the monitoring device, while SPAN provides a copy of network traffic from switch to destination

Tap mirrors existing traffic from specified ports, while SPAN presents more structured data for deeper analysis.

SPAN passively splits traffic between a network device and the network without altering it, while Tap alters response times.

SPAN improves the detection of media errors, while Tap provides direct access to traffic with lowered data visibility.

Tap sends traffic from physical layers to the monitoring device, while SPAN provides a copy of network traffic from switch to destination

How does agentless monitoring differ from agent-based monitoring?

Agent-based has a possibility to locally filter and transmit only valuable data, while agentless has much higher network utilization

Agentless can access the data via API. While agent-base uses a less efficient method and accesses log data through WMI.

Agent-based monitoring is less intrusive in gathering log data, while agentless requires open ports to fetch the logs

Agent-based monitoring has a lower initial cost for deployment, while agentless monitoring requires resource-intensive deployment.

Agent-based has a possibility to locally filter and transmit only valuable data, while agentless has much higher network utilization

Which of these describes SOC metrics in relation to security incidents?

time it takes to detect the incident

time it takes to assess the risks of the incident

probability of outage caused by the incident

probability of compromise and impact caused by the incident

What is the difference between the ACK flag and the RST flag?

The ACK flag confirms the received segment, and the RST flag terminates the connection.

The RST flag approves the connection, and the ACK flag terminates spontaneous connections.

The ACK flag confirms the received segment, and the RST flag terminates the connection.

The RST flag approves the connection, and the ACK flag indicates that a packet needs to be resent

The ACK flag marks the connection as reliable, and the RST flag indicates the failure within TCP Handshake

Refer to the exhibit. An engineer is analyzing a PCAP file after a recent breach An engineer identified that the attacker used an aggressive ARP scan to scan the hosts and found web and SSH servers. Further analysis showed several SSH Server Banner and Key Exchange Initiations. The engineer cannot see the exact data being transmitted over an encrypted channel and cannot identify how the attacker gained access How did the attacker gain access?

by using brute force on the SSH service to gain access

by using the buffer overflow in the URL catcher feature for SSH

by using an SSH Tectia Server vulnerability to enable host-based authentication

by using an SSH vulnerability to silently redirect connections to the local host

by using brute force on the SSH service to gain access

Refer to the exhibit. Which component is identifiable in this exhibit?

Trusted Root Certificate store on the local machine

local service in the Windows Services Manager

An engineer received an alert affecting the degraded performance of a critical server. Analysis showed a heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?

Run 'ps -ef' to understand which processes are taking a high amount of resources.

Run 'ps -d' to decrease the priority state of high load processes to avoid resource exhaustion.

Run 'ps -u' to find out who executed additional processes that caused a high load on a server.

Run 'ps -ef' to understand which processes are taking a high amount of resources.

Run 'ps -m' to capture the existing state of daemons and map required processes to find the gap.

What is a difference between an inline and a tap mode traffic monitoring?

Inline mode monitors traffic path, examining any traffic at a wire speed, while a tap mode monitors traffic as it crosses the network.

Inline monitors traffic without examining other devices, while a tap mode tags traffic and examines the data from monitoring devices.

Tap mode monitors traffic direction, while inline mode keeps packet data as it passes through the monitoring devices.

Tap mode monitors packets and t heir content with the highest speed, while the inline mode draws a packet path for analysis.

Inline mode monitors traffic path, examining any traffic at a wire speed, while a tap mode monitors traffic as it crosses the network.

Which regular expression is needed to capture the IP address 192.168.20.232?

^ (?:[0-9]{1,3}\.){3}[0-9]{1,3}

How does a certificate authority impact security?

It validates the domain identity of the SSL certificate.

It validates client identity when communicating with the server.

It authenticates client identity when requesting an SSL certificate.

It authenticates domain identity when requesting an SSL certificate.

It validates the domain identity of the SSL certificate.

What is a difference between SIEM and SOAR?

SlEM's primary function is to collect and detect anomalies, while SOAR is more focused on security operations automation and response.

SOAR predicts and prevents security alerts, while SIEM checks attack patterns and applies the mitigation.

SlEM's primary function is to collect and detect anomalies, while SOAR is more focused on security operations automation and response.

SIEM predicts and prevents security alerts, while SOAR checks attack patterns and applies the mitigation.

SOAR's primary function is to collect and detect anomalies, while SIEM is more focused on security operations automation and response.

What is a difference between signature-based and behavior-based detection?

Behavior-based identifies behaviors that may be linked to attacks, while signature-based has a predefined set of rules to match before an alert.

Signature-based identifies behaviors that may be linked to attacks, while behavior-based has a predefined set of rules to match before an alert.

Behavior-based identifies behaviors that may be linked to attacks, while signature-based has a predefined set of rules to match before an alert.

Behavior-based uses a known vulnerability database, while signature-based intelligently summarizes existing data.

Signature-based uses a known vulnerability database, while behavior-based intelligently summarizes existing data.

What is the difference between inline traffic interrogation and traffic mirroring?

Traffic mirroring copies the traffic rather than forwarding it directly to the analysis tools

Inline interrogation is less complex as traffic mirroring applies additional tags to data.

Traffic mirroring copies the traffic rather than forwarding it directly to the analysis tools

Inline replicates the traffic to preserve integrity rather than modifying packets before sending them to other analysis tools.

Traffic mirroring results in faster traffic analysis and inline is considerably slower due to latency.

Refer to the exhibit. A company employee is connecting to mail google.com from an endpoint device. The website is loaded but with an error. What is occurring?

Endpoint local time is invalid.

Certificate is not in trusted roots.

Refer to the exhibit. Which stakeholders must be involved when a company workstation is compromised?

Employee 4, Employee 6, Employee 7

Employee 1 Employee 2, Employee 3, Employee 4, Employee 5, Employee 7

Employee 1, Employee 2, Employee 4, Employee 5

Employee 4, Employee 6, Employee 7

Employee 2, Employee 3, Employee 4, Employee 5

How does an attack surface differ from an attack vector?

An attack surface identifies vulnerable parts for an attack, and an attack vector specifies which attacks are feasible to those parts.

An attack vector recognizes the potential outcomes of an attack, and the attack surface is choosing a method of an attack.

An attack surface identifies vulnerable parts for an attack, and an attack vector specifies which attacks are feasible to those parts.

An attack surface mitigates external vulnerabilities, and an attack vector identifies mitigation techniques and possible workarounds.

An attack vector matches components that can be exploited, and an attack surface classifies the potential path for exploitation

How does TOR alter data content during transit?

It encrypts content and destination information over multiple layers.

It spoofs the destination and source information protecting both sides.

It encrypts content and destination information over multiple layers.

It redirects destination traffic through multiple sources avoiding traceability.

It traverses source traffic through multiple destinations before reaching the receiver

Cisco 200-201 Practice Test 5 - Free Online Exam Prep & Questions

Question 1 / 40

Refer to the exhibit.

Cisco 200-201 image Question 161 109338 10072024004349000000

Which type of attack is being executed?

SQL injection

cross-site scripting

cross-site request forgery

command injection

Comment (0)

Cisco 200-201 Practice Test 5

Question

Cisco 200-201 Practice Tests

Practice Tests