What Virtual 200-201 Pdf Exam Is

It is faster and easier to pass the Cisco 200-201 exam by using Download Cisco Understanding Cisco Cybersecurity Operations Fundamentals questions and answers. Immediate access to the Renovate 200-201 Exam and find the same core area 200-201 questions with professionally verified answers, then PASS your exam with a high score now.

Cisco 200-201 Free Dumps Questions Online, Read and Test Now.

NEW QUESTION 1
A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions. Which identifier tracks an active program?

  • A. application identification number
  • B. active process identification number
  • C. runtime identification number
  • D. process identification number

Answer: D

NEW QUESTION 2
Which step in the incident response process researches an attacking host through logs in a SIEM?

  • A. detection and analysis
  • B. preparation
  • C. eradication
  • D. containment

Answer: A

Explanation:
Preparation --> Detection and Analysis --> Containment, Eradication and Recovery --> Post-Incident Activity.
Detection and Analysis: profile networks and systems; understand normal behaviors; create a log retention policy; perform event correlation; maintain and use a knowledge base of information; use Internet search engines for research; run packet sniffers to collect additional data; filter the data; seek assistance from others; keep all host clocks synchronized; know the different types of attacks and attack vectors; develop processes and procedures to recognize the signs of an incident; understand the sources of precursors and indicators; create appropriate incident documentation capabilities and processes; create processes to effectively prioritize security incidents; create processes to effectively communicate incident information (internal and external communications).
Ref: Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide

NEW QUESTION 3
An engineer is analyzing a recent breach where confidential documents were altered and stolen by the receptionist. Further analysis shows that the threat actor connected an external USB device to bypass security restrictions and steal data. The engineer could not find an external USB device. Which piece of information must an engineer use for attribution in an investigation?

  • A. list of security restrictions and privileges boundaries bypassed
  • B. external USB device
  • C. receptionist and the actions performed
  • D. stolen data and its criticality assessment

Answer: C

NEW QUESTION 4
Which type of attack occurs when an attacker is successful in eavesdropping on a conversation between two IP phones?

  • A. known-plaintext
  • B. replay
  • C. dictionary
  • D. man-in-the-middle

Answer: D

NEW QUESTION 5
What is a difference between tampered and untampered disk images?

  • A. Tampered images have the same stored and computed hash.
  • B. Untampered images are deliberately altered to preserve as evidence.
  • C. Tampered images are used as evidence.
  • D. Untampered images are used for forensic investigations.

Answer: D

Explanation:
The disk image must be intact for forensic analysis. As a cybersecurity professional, you may be given the task of capturing an image of a disk in a forensic manner. Imagine a security incident has occurred on a system and you are required to perform some forensic investigation to determine who and what caused the attack. Additionally, you want to ensure the data that was captured is not tampered with or modified during the disk image creation process.
Ref: Cisco Certified CyberOps Associate 200-201 Certification Guide

NEW QUESTION 6
A developer is working on a project using a Linux tool that spawns processes and obtains these required results:

  • If the process is unsuccessful, a negative value is returned.
  • If the process is successful, a 0 value is returned to the child process, and the process ID is sent to the parent process.

Which component results from this operation?

  • A. parent directory name of a file pathname
  • B. process spawn scheduled
  • C. macros for managing CPU sets
  • D. new process created by parent process

Answer: D

Explanation:
There are two tasks with specially distinguished process IDs: swapper or sched has process ID 0, is responsible for paging, and is actually part of the kernel rather than a normal user-mode process. Process ID 1 is usually the init process, primarily responsible for starting and shutting down the system. Originally, process ID 1 was not specifically reserved for init by any technical measures: it simply had this ID as a natural consequence of being the first process invoked by the kernel. More recent Unix systems typically have additional kernel components visible as 'processes', in which case PID 1 is actively reserved for the init process to maintain consistency with older systems.
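The three outcomes described in Question 6 are the return-value contract of the fork() system call, and the process ID the parent receives is the same identifier a SOC analyst uses to track a running program (Question 1). The following C program is an added example written for this page; it is not part of the exam material or of any Cisco guide. It shows each fork() outcome, confirms that the value handed to the parent is the child's own PID (the child reports getpid() back over a pipe), and collects the child's exit status with waitpid(). Function names are chosen here for illustration only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Classify a fork() return value the way the question describes:
 *   < 0 -> the call failed, no child exists
 *   == 0 -> this code is running in the newly created child
 *   > 0 -> this is the parent, and the value is the child's PID */
const char *classify_fork_result(pid_t rc) {
    if (rc < 0) return "failure";
    if (rc == 0) return "child";
    return "parent";
}

/* Fork a child that exits with child_status, wait for it, and return the
 * exit status the parent observed. Returns -1 if fork() or waitpid() failed
 * or the child did not exit normally. */
int run_child_and_collect(int child_status) {
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return -1;
    }
    if (pid == 0) {
        /* Only the child sees 0 here; exit without running atexit handlers. */
        _exit(child_status & 0xff);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (!WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Verify that the PID fork() hands the parent is the child's own PID:
 * the child writes getpid() into a pipe and the parent compares it with
 * the fork() return value. Returns 1 on match, 0 otherwise. */
int parent_receives_child_pid(void) {
    int fd[2];
    if (pipe(fd) != 0) return 0;
    pid_t pid = fork();
    if (pid < 0) {
        close(fd[0]);
        close(fd[1]);
        return 0;
    }
    if (pid == 0) {
        pid_t me = getpid();
        close(fd[0]);
        if (write(fd[1], &me, sizeof me) != (ssize_t)sizeof me) _exit(1);
        close(fd[1]);
        _exit(0);
    }
    close(fd[1]);
    pid_t reported = 0;
    ssize_t n = read(fd[0], &reported, sizeof reported);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof reported && reported == pid;
}

int main(void) {
    printf("fork() -1 means: %s\n", classify_fork_result(-1));
    printf("fork()  0 means: %s\n", classify_fork_result(0));
    printf("fork() 42 means: %s\n", classify_fork_result(42));
    printf("child exit status collected by parent: %d\n", run_child_and_collect(42));
    printf("parent received child's real PID: %s\n",
           parent_receives_child_pid() ? "yes" : "no");
    return 0;
}
```

Note that the child's PID is only meaningful to the parent until it has been reaped with wait()/waitpid(); after that the kernel may reuse the number, which is why a PID alone is a weak long-term identifier in incident records and is usually paired with a start time or process hash.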

NEW QUESTION 7
An engineer receives a security alert that traffic with a known TOR exit node has occurred on the network. What is the impact of this traffic?

  • A. ransomware communicating after infection
  • B. users downloading copyrighted content
  • C. data exfiltration
  • D. user circumvention of the firewall

Answer: D

NEW QUESTION 8
Refer to the exhibit.
What is occurring within the exhibit?

  • A. regular GET requests
  • B. XML External Entities attack
  • C. insecure deserialization
  • D. cross-site scripting attack

Answer: A

NEW QUESTION 9
An engineer needs to fetch logs from a proxy server and generate actual events according to the data received. Which technology should the engineer use to accomplish this task?

  • A. Firepower
  • B. Email Security Appliance
  • C. Web Security Appliance
  • D. Stealthwatch

Answer: C

NEW QUESTION 10
Which regular expression matches "color" and "colour"?

  • A. colo?ur
  • B. col[08]+our
  • C. colou?r
  • D. col[09]+our

Answer: C

NEW QUESTION 11
How does an attacker observe network traffic exchanged between two users?

  • A. port scanning
  • B. man-in-the-middle
  • C. command injection
  • D. denial of service

Answer: B

NEW QUESTION 12
Which security principle requires more than one person is required to perform a critical task?

  • A. least privilege
  • B. need to know
  • C. separation of duties
  • D. due diligence

Answer: C

NEW QUESTION 13
Syslog collecting software is installed on the server. For the log containment, a disk with a FAT type partition is used. An engineer determined that log files are being corrupted when the 4 GB file size is exceeded. Which action resolves the issue?

  • A. Add space to the existing partition and lower the retention period.
  • B. Use FAT32 to exceed the limit of 4 GB.
  • C. Use the Ext4 partition because it can hold files up to 16 TB.
  • D. Use an NTFS partition for log file containment.

Answer: D

NEW QUESTION 14
Which attack method intercepts traffic on a switched network?

  • A. denial of service
  • B. ARP cache poisoning
  • C. DHCP snooping
  • D. command and control

Answer: B

Explanation:
An ARP-based MITM attack is achieved when an attacker poisons the ARP cache of two devices with the MAC address of the attacker's network interface card (NIC). Once the ARP caches have been successfully poisoned, each victim device sends all its packets to the attacker when communicating with the other device, which puts the attacker in the middle of the communications path between the two victim devices. It allows an attacker to easily monitor all communication between victim devices. The intent is to intercept and view the information being passed between the two victim devices and potentially introduce sessions and traffic between the two victim devices.

NEW QUESTION 15
What is the difference between deep packet inspection and stateful inspection?

  • A. Stateful inspection verifies contents at Layer 4, and deep packet inspection verifies connection at Layer 7.
  • B. Stateful inspection is more secure than deep packet inspection on Layer 7.
  • C. Deep packet inspection is more secure than stateful inspection on Layer 4.
  • D. Deep packet inspection allows visibility on Layer 7, and stateful inspection allows visibility on Layer 4.

Answer: D

NEW QUESTION 16
What is the impact of encryption?

  • A. Confidentiality of the data is kept secure and permissions are validated
  • B. Data is accessible and available to permitted individuals
  • C. Data is unaltered and its integrity is preserved
  • D. Data is secure and unreadable without decrypting it

Answer: A

NEW QUESTION 17
......

P.S. Certshared is now offering 100% pass-guaranteed 200-201 dumps! All 200-201 exam questions have been updated with correct answers: https://www.certshared.com/exam/200-201/ (331 New Questions)