Practice Free 200-201 Exam Online Questions
Which signature impacts network traffic by causing legitimate traffic to be blocked?
- A . false negative
- B . true positive
- C . true negative
- D . false positive
D
Explanation:
A false positive in network security is when a benign action is incorrectly flagged as malicious, leading to legitimate traffic being blocked. This can disrupt normal network operations and access to services, as the security system mistakenly identifies normal behavior as a threat.
Reference: The concept of false positives and their impact on network traffic is discussed in various cybersecurity resources, including Cisco’s own training materials and discussions on network security best practices.
An analyst is investigating an incident in a SOC environment.
Which method is used to identify a session from a group of logs?
- A . sequence numbers
- B . IP identifier
- C . 5-tuple
- D . timestamps
What is the difference between discretionary access control (DAC) and role-based access control (RBAC)?
- A . DAC requires explicit authorization for a given user on a given object, and RBAC requires specific conditions.
- B . RBAC access is granted when a user meets specific conditions, and in DAC, permissions are applied on user and group levels.
- C . RBAC is an extended version of DAC where you can add an extra level of authorization based on time.
- D . DAC administrators pass privileges to users and groups, and in RBAC, permissions are applied to specific groups.
B
Explanation:
In RBAC, access is based on the roles that users have within an organization, and permissions to perform certain operations are assigned to specific roles. DAC, on the other hand, is a type of access control where the access rights are determined by the owner of the resource or the resource itself.
What describes the concept of data consistently and readily being accessible for legitimate users?
- A . integrity
- B . availability
- C . accessibility
- D . confidentiality
B
Explanation:
Availability is one of the three pillars of the CIA triad, a model that defines the principles of information security. Availability describes the concept of data consistently and readily being accessible for legitimate users. Availability ensures that the network and systems are operational and resilient to disruptions, such as denial-of-service attacks, hardware failures, or natural disasters. Availability also involves maintaining backup and recovery procedures, load balancing, and redundancy mechanisms.
Reference: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) – Cisco, Module 1: Security Concepts, Lesson 1.1: Security Principles
200-201 CBROPS – Cisco, Exam Topics, 1.0 Security Concepts, 1.1 Explain the CIA triad
Cisco Certified CyberOps Associate Overview – Cisco Learning Network, Videos, 1.1 Explain the CIA triad
What is the difference between the ACK flag and the RST flag?
- A . The RST flag approves the connection, and the ACK flag terminates spontaneous connections.
- B . The ACK flag confirms the received segment, and the RST flag terminates the connection.
- C . The RST flag approves the connection, and the ACK flag indicates that a packet needs to be resent.
- D . The ACK flag marks the connection as reliable, and the RST flag indicates the failure within TCP Handshake.
B
Explanation:
In TCP/IP networking, the ACK flag is used to acknowledge the receipt of a segment. It’s a way to confirm that the previous segments have been received and that the connection is proceeding as expected. The RST flag, on the other hand, is used to reset the connection. It is sent if a segment arrives which is not intended for the current connection, or if a connection request is to be denied. Essentially, the ACK flag is about maintaining the established connection, while the RST flag is about aborting connections that are not valid or are no longer needed.
Reference: The information provided is based on standard TCP/IP protocol behavior as described in networking resources and Cisco’s cybersecurity documentation.
An engineer must investigate suspicious connections. Data has been gathered using a tcpdump command on a Linux device and saved as sandboxmatware2022-12-22.pcaps file. The engineer is trying to open the tcpdump in the Wireshark tool.
What is the expected result?
- A . The tool does not support Linux.
- B . The file is opened.
- C . The file has an incorrect extension.
- D . The file does not support the "-" character.
B
Explanation:
Wireshark is a widely used network protocol analyzer that supports various capture file formats, including those generated by tcpdump.
The .pcap extension is a standard format for packet capture files and is fully supported by Wireshark.
The file extension or the inclusion of characters such as "-" in the file name does not impact Wireshark’s ability to open and read the file.
When the engineer opens the sandboxmatware2022-12-22.pcaps file in Wireshark, the tool will read the packet capture data, allowing for detailed analysis of network traffic.
Reference: Cisco Cybersecurity Operations Fundamentals
Wireshark User Guide
tcpdump and libpcap Documentation
What is the purpose of command and control for network-aware malware?
- A . It contacts a remote server for commands and updates.
- B . It takes over the user account for analysis.
- C . It controls and shuts down services on the infected host.
- D . It helps the malware to profile the host.
A
Explanation:
The purpose of command and control (C&C) for network-aware malware is to allow an attacker to remotely control compromised systems. This includes sending commands to the malware, receiving data from the infected host, and updating the malware to evade detection or enhance its capabilities.
Reference: The CBROPS course materials cover the topic of network-aware malware and the role of command and control servers in managing such malware.
What is a difference between data obtained from Tap and SPAN ports?
- A . Tap mirrors existing traffic from specified ports, while SPAN presents more structured data for deeper analysis.
- B . SPAN passively splits traffic between a network device and the network without altering it, while Tap alters response times.
- C . SPAN improves the detection of media errors, while Tap provides direct access to traffic with lowered data visibility.
- D . Tap sends traffic from physical layers to the monitoring device, while SPAN provides a copy of network traffic from switch to destination.
D
Explanation:
Tap and SPAN are two methods of capturing network traffic for analysis. Tap (Test Access Point) is a hardware device that is inserted between two network devices and sends a copy of all traffic to a monitoring device. SPAN (Switched Port Analyzer) is a software feature that allows a network switch to replicate traffic from one or more source ports to a destination port, where a monitoring device is connected. Both methods provide visibility into network traffic, but Tap is more reliable and less intrusive than SPAN, as it does not affect the network performance or introduce errors.
Reference: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) – Cisco, page 68.
Reference: https://www.gigamon.com/resources/resource-library/white-paper/to-tap-or-to-span.html
DRAG DROP
Drag and drop the type of evidence from the left onto the description of that evidence on the right.
Which list identifies the information that the client sends to the server in the negotiation phase of the TLS handshake?
- A . ClientStart, ClientKeyExchange, cipher-suites it supports, and suggested compression methods
- B . ClientStart, TLS versions it supports, cipher-suites it supports, and suggested compression methods
- C . ClientHello, TLS versions it supports, cipher-suites it supports, and suggested compression methods
- D . ClientHello, ClientKeyExchange, cipher-suites it supports, and suggested compression methods
C
Explanation:
During the negotiation phase of the TLS handshake, the client sends a “ClientHello” message to the server which includes the TLS versions it supports, the cipher-suites it supports, and suggested compression methods. This initiates the negotiation of the parameters used for the secure connection.
Reference: Cisco Cybersecurity source documents or study guide