Cisco 200-201 Practice Test - Questions Answers, Page 27
Refer to the exhibit.

Which application-level protocol is being targeted?

A. HTTPS
B. FTP
C. HTTP
D. TCP

Suggested answer: C

Which statement describes patch management?

A. scanning servers and workstations for missing patches and vulnerabilities
B. managing and keeping previous patches lists documented for audit purposes
C. process of appropriate distribution of system or software updates
D. workflow of distributing mitigations of newly found vulnerabilities

Suggested answer: C

Explanation:

Patch management is the process of distributing and managing updates to software and systems. These updates can include patches for security vulnerabilities, bug fixes, and enhancements that improve performance or add new features. It ensures that systems are up to date, secure, and performing optimally. Reference: Cisco Cybersecurity Training

Refer to the exhibit.

An attacker gained initial access to the company's network and ran an Nmap scan to advance with the lateral movement technique and to search for sensitive data. Which two elements can an attacker identify from the scan? (Choose two.)

A. workload and the configuration details
B. user accounts and SID
C. number of users and requests that the server is handling
D. functionality and purpose of the server
E. running services

Suggested answer: D, E

Explanation:

An Nmap scan can provide detailed information about a network, including the functionality and purpose of servers on that network as well as any services that are currently running on those servers. This information can be used by an attacker to identify potential vulnerabilities or targets for exploitation during a cyber attack. Reference: Cisco Cybersecurity Training

Why should an engineer use a full packet capture to investigate a security breach?

A. It captures the TCP flags set within each packet for the engineer to focus on suspicious packets to identify malicious activity
B. It collects metadata for the engineer to analyze, including IP traffic packet data that is sorted, parsed, and indexed.
C. It provides the full TCP streams for the engineer to follow the metadata to identify the incoming threat.
D. It reconstructs the event allowing the engineer to identify the root cause by seeing what took place during the breach

Suggested answer: D

Explanation:

Full packet capture (FPC) is a valuable tool for investigating security breaches because it provides comprehensive data that can be used to reconstruct the event and identify the root cause. By capturing every packet, FPC allows engineers to see exactly what took place during the breach, including the TCP flags set within each packet, which can help focus on suspicious packets to identify malicious activity. It also collects metadata, including IP traffic packet data that is sorted, parsed, and indexed, and provides the full TCP streams to follow the metadata to identify the incoming threat.

Refer to the exhibit.

Which technology produced the log?

A. antivirus
B. IPS/IDS
C. proxy
D. firewall

Suggested answer: B

Explanation:

The log in the exhibit is generated by an Intrusion Prevention System (IPS) or Intrusion Detection System (IDS). It contains information about a TCP connection attempt, including the source IP address, destination IP address, and other details related to the connection. The presence of "TCP MISS" indicates that the system detected an anomaly or potential threat during the connection attempt. Reference: Cisco Cybersecurity Operations Fundamentals

A SOC analyst detected connections to known C&C and port scanning activity to main HR database servers from one of the HR endpoints via Cisco StealthWatch. What are the two next steps of the SOC team according to the NIST SP 800-61 incident handling process? (Choose two.)

A. Isolate affected endpoints and take disk images for analysis
B. Provide security awareness training to HR managers and employees
C. Block connection to this C&C server on the perimeter next-generation firewall
D. Update antivirus signature databases on affected endpoints to block connections to C&C
E. Detect the attack vector and analyze C&C connections

Suggested answer: A, C

Explanation:

According to the NIST SP 800-61 incident handling process, the SOC team should first isolate the affected endpoints to prevent further spread of the attack and take disk images for analysis (A). This helps in preserving evidence for a thorough investigation. The next step would be to block the connection to the C&C server on the perimeter next-generation firewall (C), which cuts off the communication between the compromised endpoint and the attacker's server, thereby mitigating the threat.

Refer to the exhibit.

An engineer received a ticket about a slowdown of a web application. During analysis of traffic, the engineer suspects a possible attack on a web server. How should the engineer interpret the Wireshark traffic capture?

A. 10.0.0.2 sends GET/ HTTP/1.1 And Post request and the target responds with HTTP/1.1. 200 OC and HTTP/1.1 403 accordingly. This is an HTTP flood attempt.
B. 10.0.0.2 sends HTTP FORBIDDEN /1.1 And Post request, while the target responds with HTTP/1.1 200 Get and HTTP/1.1 403. This is an HTTP GET flood attack.
C. 10.128.0.2 sends POST/1.1 And POST requests, and the target responds with HTTP/1.1 200 Ok and HTTP/1.1 403 accordingly. This is an HTTP Reserve Bandwidth flood.
D. 10.128.0.2 sends HTTP/FORBIDDEN/ 1.1 and Get requests, and the target responds with HTTP/1.1 200 OK and HTTP/1.1 403. This is an HTTP cache bypass attack.

Suggested answer: B

Explanation:

When analyzing Wireshark traffic for potential attacks, an engineer should look for patterns that indicate abnormal behavior, such as:

Excessive Requests: A high number of requests over a short period could suggest an attempt to overwhelm the server, known as an HTTP flood.

Status Codes: Repeated 403 Forbidden responses may indicate that the server is rejecting requests because a security rule was triggered.

Request Types: A mix of GET and POST requests could be used in various attack scenarios, including bandwidth flooding or cache bypassing.

Refer to the exhibit.

An attacker scanned the server using Nmap.

What did the attacker obtain from this scan?

A. Identified a firewall device preventing the port state from being returned
B. Identified open SMB ports on the server
C. Gathered information on processes running on the server
D. Gathered a list of Active Directory users.

Suggested answer: A

Which classification of cross-site scripting attack executes the payload without storing it for repeated use?

A. stored
B. reflective
C. DOM
D. CSRF

Suggested answer: B

Explanation:

Reflective XSS, also known as Non-Persistent XSS, occurs when an attacker sends a malicious script to a user through a web application, and the script is executed immediately in the user's browser without being stored on the server. This type of attack is typically carried out by including the malicious script in a URL, which is then sent to the victim. When the victim clicks on the link, the script runs in their browser, reflecting the attacker's input back without storing the payload for repeated use. Reference: The OWASP Foundation's documentation on Cross-Site Scripting (XSS) provides detailed information on the different types of XSS attacks, including Reflective XSS.

An engineer received an alert about the degraded performance of a critical server. Analysis showed a heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?

A. Run 'ps -ef' to understand which processes are taking a high amount of resources
B. Run 'ps -u' to find out who executed additional processes that caused a high load on a server
C. Run 'ps -m' to capture the existing state of daemons and map the required processes to find the gap
D. Run 'ps -d' to decrease the priority state of high-load processes to avoid resource exhaustion

Suggested answer: A

Explanation:

When a server is experiencing high CPU and memory load, the first step is to identify the processes that are consuming the most resources. The command 'ps -ef' displays information about all running processes, including their IDs, memory and CPU usage, and the commands that started them. This allows the engineer to pinpoint which processes are responsible for the high load and take appropriate action, such as terminating unnecessary processes or optimizing resource usage. Reference: Various resources on server management and troubleshooting recommend the 'ps -ef' command as a starting point for investigating high resource usage on servers.

Total 331 questions