Cisco: Exam Questions 200-201

The document contains exam questions and answers for the Cisco 200-201 certification, focusing on cybersecurity operations fundamentals. It covers various topics such as traffic monitoring, TLS communication, incident response, and forensic processes. Additionally, it provides links to resources for obtaining exam dumps and emphasizes the importance of understanding key cybersecurity concepts.

Uploaded by wojiton657
Copyright: © All Rights Reserved

Recommend!!

Get the Full 200-201 dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/200-201-exam-dumps.html (263 New Questions)

Cisco
Exam Questions 200-201
Understanding Cisco Cybersecurity Operations Fundamentals

Passing Certification Exams Made Easy visit - https://www.surepassexam.com


NEW QUESTION 1
What is a difference between an inline and a tap mode traffic monitoring?

A. Inline monitors traffic without examining other devices, while a tap mode tags traffic and examines the data from monitoring devices.
B. Tap mode monitors traffic direction, while inline mode keeps packet data as it passes through the monitoring devices.
C. Tap mode monitors packets and their content with the highest speed, while the inline mode draws a packet path for analysis.
D. Inline mode monitors traffic path, examining any traffic at a wire speed, while a tap mode monitors traffic as it crosses the network.

Answer: D

NEW QUESTION 2
When communicating via TLS, the client initiates the handshake to the server and the server responds back with its certificate for identification.
Which information is available on the server certificate?

A. server name, trusted subordinate CA, and private key
B. trusted subordinate CA, public key, and cipher suites
C. trusted CA name, cipher suites, and private key
D. server name, trusted CA, and public key

Answer: D

NEW QUESTION 3
What is the difference between the ACK flag and the RST flag in the NetFlow log session?

A. The RST flag confirms the beginning of the TCP connection, and the ACK flag responds when the data for the payload is complete
B. The ACK flag confirms the beginning of the TCP connection, and the RST flag responds when the data for the payload is complete
C. The RST flag confirms the receipt of the prior segment, and the ACK flag allows for the spontaneous termination of a connection
D. The ACK flag confirms the receipt of the prior segment, and the RST flag allows for the spontaneous termination of a connection

Answer: D

NEW QUESTION 4
What is the difference between deep packet inspection and stateful inspection?

A. Stateful inspection verifies contents at Layer 4, and deep packet inspection verifies connection at Layer 7.
B. Stateful inspection is more secure than deep packet inspection on Layer 7.
C. Deep packet inspection is more secure than stateful inspection on Layer 4.
D. Deep packet inspection allows visibility on Layer 7, and stateful inspection allows visibility on Layer 4.

Answer: D

NEW QUESTION 5
A security specialist notices 100 HTTP GET and POST requests for multiple pages on the web servers. The agent in the requests contains PHP code that, if
executed, creates and writes to a new PHP file on the webserver. Which event category is described?

A. reconnaissance
B. action on objectives
C. installation
D. exploitation

Answer: D

NEW QUESTION 6
Which incident response step includes identifying all hosts affected by an attack?

A. detection and analysis
B. post-incident activity
C. preparation
D. containment, eradication, and recovery

Answer: D

Explanation:
NIST SP 800-61r2, section 3.3.3 Identifying the Attacking Hosts: During incident handling, system owners and others sometimes want to or need to identify the attacking host or hosts. Although this information can be important, incident handlers should generally stay focused on containment, eradication, and recovery.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
The response phase, or containment, of incident response is the point at which the incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident.

NEW QUESTION 7
What makes HTTPS traffic difficult to monitor?

A. SSL interception
B. packet header size

C. signature detection time
D. encryption

Answer: D

NEW QUESTION 8
Refer to the exhibit.

Drag and drop the element name from the left onto the correct piece of the PCAP file on the right.

A. Mastered
B. Not Mastered

Answer: A

NEW QUESTION 9
Drag and drop the type of evidence from the left onto the description of that evidence on the right.

A. Mastered
B. Not Mastered

Answer: A


NEW QUESTION 10
A system administrator is ensuring that specific registry information is accurate.
Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?

A. file extension associations
B. hardware, software, and security settings for the system
C. currently logged in users, including folders and control panel settings
D. all users on the system, including visual settings

Answer: B

Explanation:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users

NEW QUESTION 10
Refer to the exhibit.

An engineer received an event log file to review. Which technology generated the log?

A. NetFlow
B. proxy
C. firewall
D. IDS/IPS

Answer: C

NEW QUESTION 14
What describes a buffer overflow attack?

A. injecting new commands into existing buffers
B. fetching data from memory buffer registers
C. overloading a predefined amount of memory
D. suppressing the buffers in a process

Answer: C

NEW QUESTION 17
What is the difference between discretionary access control (DAC) and role-based access control (RBAC)?

A. DAC requires explicit authorization for a given user on a given object, and RBAC requires specific conditions.
B. RBAC access is granted when a user meets specific conditions, and in DAC, permissions are applied on user and group levels.
C. RBAC is an extended version of DAC where you can add an extra level of authorization based on time.
D. DAC administrators pass privileges to users and groups, and in RBAC, permissions are applied to specific groups

Answer: A

NEW QUESTION 20
What should a security analyst consider when comparing inline traffic interrogation with traffic tapping to determine which approach to use in the network?

A. Tapping interrogation replicates signals to a separate port for analyzing traffic
B. Tapping interrogations detect and block malicious traffic
C. Inline interrogation enables viewing a copy of traffic to ensure traffic is in compliance with security policies
D. Inline interrogation detects malicious traffic but does not block the traffic

Answer: A

Explanation:
A network TAP is a simple device that connects directly to the cabling infrastructure to split or copy packets for use in analysis, security, or general network management.

NEW QUESTION 21
Refer to the exhibit.

What is the potential threat identified in this Stealthwatch dashboard?

A. Host 10.201.3.149 is sending data to 152.46.6.91 using TCP/443.
B. Host 152.46.6.91 is being identified as a watchlist country for data transfer.
C. Traffic to 152.46.6.149 is being denied by an Advanced Network Control policy.
D. Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.

Answer: D

NEW QUESTION 22
A company is using several network applications that require high availability and responsiveness, such that milliseconds of latency on network traffic is not
acceptable. An engineer needs to analyze the network and identify ways to improve traffic movement to minimize delays. Which information must the engineer
obtain for this analysis?

A. total throughput on the interface of the router and NetFlow records
B. output of routing protocol authentication failures and ports used
C. running processes on the applications and their total network usage
D. deep packet captures of each application flow and duration

Answer: C

NEW QUESTION 23
Which piece of information is needed for attribution in an investigation?

A. proxy logs showing the source RFC 1918 IP addresses
B. RDP allowed from the Internet
C. known threat actor behavior
D. 802.1x RADIUS authentication pass and fail logs

Answer: C

Explanation:
Attribution is the most important part of an investigation: knowing who attacked the network, what they did, how they did it, and why.

NEW QUESTION 26
Which signature impacts network traffic by causing legitimate traffic to be blocked?

A. false negative
B. true positive
C. true negative
D. false positive

Answer: D

NEW QUESTION 31
An investigator is examining a copy of an ISO file that is stored in CDFS format. What type of evidence is this file?

A. data from a CD copied using Mac-based system
B. data from a CD copied using Linux system

C. data from a DVD copied using Windows system
D. data from a CD copied using Windows

Answer: B

Explanation:
CDfs is a virtual file system for Unix-like operating systems; it provides access to data and audio tracks on Compact Discs. When the CDfs driver mounts a
Compact Disc, it represents each track as a file. This is consistent with the Unix convention "everything is a file". Source: https://en.wikipedia.org/wiki/CDfs

NEW QUESTION 33
Refer to the exhibit.

An analyst was given a PCAP file, which is associated with a recent intrusion event in the company FTP server. Which display filter should the analyst use to filter the FTP traffic?

A. dstport == FTP
B. tcp.port==21
C. tcpport = FTP
D. dstport = 21

Answer: B

NEW QUESTION 36
An engineer discovered a breach, identified the threat’s entry point, and removed access. The engineer was able to identify the host, the IP address of the threat
actor, and the application the threat actor targeted. What is the next step the engineer should take according to the NIST SP 800-61 Incident handling guide?

A. Recover from the threat.
B. Analyze the threat.
C. Identify lessons learned from the threat.
D. Reduce the probability of similar threats.

Answer: A

Explanation:
Per: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

NEW QUESTION 41
Refer to the exhibit.

Which two elements in the table are parts of the 5-tuple? (Choose two.)

A. First Packet
B. Initiator User
C. Ingress Security Zone
D. Source Port
E. Initiator IP

Answer: DE

NEW QUESTION 46
Refer to the exhibit.

Where is the executable file?

A. info
B. tags
C. MIME
D. name

Answer: C

NEW QUESTION 48
What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)

A. Untampered images are used in the security investigation process
B. Tampered images are used in the security investigation process
C. The image is tampered if the stored hash and the computed hash match
D. Tampered images are used in the incident recovery process
E. The image is untampered if the stored hash and the computed hash match

Answer: AE

Explanation:
Cert Guide by Omar Santos, Chapter 9 - Introduction to digital Forensics. "When you collect evidence, you must protect its integrity. This involves making sure that
nothing is added to the evidence and that nothing is deleted or destroyed (this is known as evidence preservation)."

NEW QUESTION 49
Which list identifies the information that the client sends to the server in the negotiation phase of the TLS handshake?

A. ClientStart, ClientKeyExchange, cipher-suites it supports, and suggested compression methods
B. ClientStart, TLS versions it supports, cipher-suites it supports, and suggested compression methods
C. ClientHello, TLS versions it supports, cipher-suites it supports, and suggested compression methods
D. ClientHello, ClientKeyExchange, cipher-suites it supports, and suggested compression methods

Answer: C

NEW QUESTION 53
Which artifact is used to uniquely identify a detected file?

A. file timestamp
B. file extension
C. file size
D. file hash

Answer: D

NEW QUESTION 55
How does agentless monitoring differ from agent-based monitoring?

A. Agentless can access the data via API.
B. while agent-based uses a less efficient method and accesses log data through WMI.
C. Agent-based monitoring is less intrusive in gathering log data, while agentless requires open ports to fetch the logs
D. Agent-based monitoring has a lower initial cost for deployment, while agentless monitoring requires resource-intensive deployment.
E. Agent-based has a possibility to locally filter and transmit only valuable data, while agentless has much higher network utilization

Answer: B

NEW QUESTION 58
A malicious file has been identified in a sandbox analysis tool.

Which piece of information is needed to search for additional downloads of this file by other hosts?

A. file header type
B. file size
C. file name
D. file hash value

Answer: D

NEW QUESTION 61
What describes the concept of data consistently and readily being accessible for legitimate users?

A. integrity
B. availability
C. accessibility
D. confidentiality

Answer: B

NEW QUESTION 66
According to the September 2020 threat intelligence feeds, a new malware called Egregor was introduced and used in many attacks. Distribution of Egregor is primarily through a Cobalt Strike that has been installed on victims' workstations using RDP exploits. The malware exfiltrates the victim's data to a command and control server. The data is used to force victims to pay or lose it by having it publicly released. Which type of attack is described?

A. malware attack
B. ransomware attack
C. whale-phishing
D. insider threat

Answer: B

NEW QUESTION 69
During which phase of the forensic process are tools and techniques used to extract information from the collected data?

A. investigation
B. examination
C. reporting
D. collection

Answer: D

NEW QUESTION 70
The security team has detected an ongoing spam campaign targeting the organization. The team's approach is to push back the cyber kill chain and mitigate
ongoing incidents. At which phase of the cyber kill chain should the security team mitigate this type of attack?

A. actions
B. delivery
C. reconnaissance
D. installation

Answer: B

NEW QUESTION 71
One of the objectives of information security is to protect the CIA of information and systems. What does CIA mean in this context?

A. confidentiality, identity, and authorization
B. confidentiality, integrity, and authorization
C. confidentiality, identity, and availability
D. confidentiality, integrity, and availability

Answer: D

NEW QUESTION 75
Which evasion technique is a function of ransomware?

A. extended sleep calls
B. encryption
C. resource exhaustion
D. encoding

Answer: B

NEW QUESTION 77
Refer to the exhibit.

A security analyst is investigating unusual activity from an unknown IP address. Which type of evidence is this file?

A. indirect evidence
B. best evidence
C. corroborative evidence
D. direct evidence

Answer: A

NEW QUESTION 78
Which type of access control depends on the job function of the user?

A. discretionary access control
B. nondiscretionary access control
C. role-based access control
D. rule-based access control

Answer: C

NEW QUESTION 79
An analyst received an alert on their desktop computer showing that an attack was successful on the host. After investigating, the analyst discovered that no
mitigation action occurred during the attack. What is the reason for this discrepancy?

A. The computer has a HIPS installed on it.
B. The computer has a NIPS installed on it.
C. The computer has a HIDS installed on it.
D. The computer has a NIDS installed on it.

Answer: C

NEW QUESTION 83
Which category relates to improper use or disclosure of PII data?

A. legal
B. compliance
C. regulated

D. contractual

Answer: C

NEW QUESTION 86
Refer to the exhibit.

What must be interpreted from this packet capture?

A. IP address 192.168.88.12 is communicating with 192.168.88.149 with a source port 74 to destination port 49098 using TCP protocol.
B. IP address 192.168.88.12 is communicating with 192.168.88.149 with a source port 49098 to destination port 80 using TCP protocol.
C. IP address 192.168.88.149 is communicating with 192.168.88.12 with a source port 80 to destination port 49098 using TCP protocol.
D. IP address 192.168.88.149 is communicating with 192.168.88.12 with a source port 49098 to destination port 80 using TCP protocol.

Answer: B

NEW QUESTION 90
Which system monitors local system operation and local network access for violations of a security policy?

A. host-based intrusion detection
B. systems-based sandboxing
C. host-based firewall
D. antivirus

Answer: A

Explanation:
HIDS is capable of monitoring the internals of a computing system as well as the network packets on its network interfaces. Host-based firewall is a piece of
software running on a single Host that can restrict incoming and outgoing Network activity for that host only.

NEW QUESTION 95
Which two elements of the incident response process are stated in NIST SP 800-61 r2? (Choose two.)

A. detection and analysis
B. post-incident activity
C. vulnerability scoring
D. vulnerability management
E. risk assessment

Answer: AB

NEW QUESTION 98
A company receptionist received a threatening call referencing stealing assets and did not take any action assuming it was a social engineering attempt. Within 48
hours, multiple assets were breached, affecting the confidentiality of sensitive information. What is the threat actor in this incident?

A. company assets that are threatened
B. customer assets that are threatened
C. perpetrators of the attack
D. victims of the attack

Answer: C

NEW QUESTION 100
Which HTTP header field is used in forensics to identify the type of browser used?

A. referrer
B. host
C. user-agent
D. accept-language

Answer: C

Explanation:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
In computing, a user agent is any software, acting on behalf of a user, which "retrieves, renders and facilitates end-user interaction with Web content". A user agent is therefore a special kind of software agent.
https://en.wikipedia.org/wiki/User_agent#User_agent_identification
A user agent is a computer program representing a person, for example, a browser in a Web context.
https://developer.mozilla.org/en-US/docs/Glossary/User_agent

NEW QUESTION 101
What is threat hunting?

A. Managing a vulnerability assessment report to mitigate potential threats.
B. Focusing on proactively detecting possible signs of intrusion and compromise.
C. Pursuing competitors and adversaries to infiltrate their system to acquire intelligence data.
D. Attempting to deliberately disrupt servers by altering their availability

Answer: B

NEW QUESTION 106
An engineer received an alert affecting the degraded performance of a critical server. Analysis showed a heavy CPU and memory load. What is the next step the
engineer should take to investigate this resource usage?

A. Run "ps -d" to decrease the priority state of high load processes to avoid resource exhaustion.
B. Run "ps -u" to find out who executed additional processes that caused a high load on a server.
C. Run "ps -ef" to understand which processes are taking a high amount of resources.
D. Run "ps -m" to capture the existing state of daemons and map required processes to find the gap.

Answer: C

NEW QUESTION 111
What is the principle of defense-in-depth?

A. Agentless and agent-based protection for security are used.
B. Several distinct protective layers are involved.
C. Access control models are involved.
D. Authentication, authorization, and accounting mechanisms are used.

Answer: B

NEW QUESTION 112
Syslog collecting software is installed on the server. For log containment, a disk with a FAT type partition is used. An engineer determined that log files are being corrupted when the 4 GB file size is exceeded. Which action resolves the issue?

A. Add space to the existing partition and lower the retention period.
B. Use FAT32 to exceed the limit of 4 GB.
C. Use the Ext4 partition because it can hold files up to 16 TB.
D. Use NTFS partition for log file containment

Answer: D

NEW QUESTION 115
According to NIST SP 800-86, which two types of data are considered volatile? (Choose two.)

A. swap files
B. temporary files
C. login sessions
D. dump files
E. free space

Answer: CE

NEW QUESTION 120
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
Exploitation - The targeted environment is taken advantage of, triggering the threat actor's code.
Installation - A backdoor is placed on the victim system, allowing the threat actor to maintain persistence.
Command and Control - An outbound connection is established to an Internet-based controller server.
Actions and Objectives - The threat actor takes actions to violate data integrity and availability.

NEW QUESTION 124
Why is encryption challenging to security monitoring?

A. Encryption analysis is used by attackers to monitor VPN tunnels.
B. Encryption is used by threat actors as a method of evasion and obfuscation.
C. Encryption introduces additional processing requirements by the CPU.
D. Encryption introduces larger packet sizes to analyze and store.

Answer: B

NEW QUESTION 127
What are two social engineering techniques? (Choose two.)

A. privilege escalation
B. DDoS attack
C. phishing
D. man-in-the-middle
E. pharming

Answer: CE

NEW QUESTION 130
Refer to the exhibit.

Which packet contains a file that is extractable within Wireshark?

A. 2317
B. 1986
C. 2318
D. 2542

Answer: D

NEW QUESTION 134
An engineer needs to discover alive hosts within the 192.168.1.0/24 range without triggering intrusive portscan alerts on the IDS device using Nmap. Which
command will accomplish this goal?

A. nmap --top-ports 192.168.1.0/24
B. nmap -sP 192.168.1.0/24
C. nmap -sL 192.168.1.0/24
D. nmap -sV 192.168.1.0/24

Answer: B

Explanation:
-sP is the legacy name of the Nmap ping scan (-sn in current releases): it performs host discovery only and does not scan ports, so it does not trigger port-scan signatures on the IDS.
https://explainshell.com/explain?cmd=nmap+-sP

NEW QUESTION 138
What is the difference between vulnerability and risk?

A. A vulnerability is a sum of possible malicious entry points, and a risk represents the possibility of the unauthorized entry itself.
B. A risk is a potential threat that an exploit applies to, and a vulnerability represents the threat itself
C. A vulnerability represents a flaw in a security that can be exploited, and the risk is the potential damage it might cause.
D. A risk is potential threat that adversaries use to infiltrate the network, and a vulnerability is an exploit

Answer: C

NEW QUESTION 139
Which technology on a host is used to isolate a running application from other applications?

A. sandbox
B. application allow list
C. application block list

D. host-based firewall

Answer: A

NEW QUESTION 140
What should an engineer use to aid the trusted exchange of public keys between user tom0411976943 and dan1968754032?

A. central key management server
B. web of trust
C. trusted certificate authorities
D. registration authority data

Answer: C

NEW QUESTION 142
Refer to the exhibit.

In which Linux log file is this output found?

A. /var/log/authorization.log
B. /var/log/dmesg
C. var/log/var.log
D. /var/log/auth.log

Answer: D

NEW QUESTION 143
What is the difference between a threat and a risk?

A. Threat represents a potential danger that could take advantage of a weakness in a system
B. Risk represents the known and identified loss or danger in the system
C. Risk represents the nonintentional interaction with uncertainty in the system
D. Threat represents a state of being exposed to an attack or a compromise, either physically or logically.

Answer: A

Explanation:
A threat is any potential danger to an asset. If a vulnerability exists but has not yet been exploited—or, more importantly, it is not yet publicly known—the threat is
latent and not yet realized.

NEW QUESTION 146
Refer to the exhibit.

What does this output indicate?

A. HTTPS ports are open on the server.
B. SMB ports are closed on the server.
C. FTP ports are open on the server.
D. Email ports are closed on the server.

Answer: D

NEW QUESTION 151
Which utility blocks a host portscan?

A. HIDS
B. sandboxing
C. host-based firewall
D. antimalware

Answer: C

NEW QUESTION 152
Refer to the exhibit.

Which application protocol is in this PCAP file?

A. SSH
B. TCP
C. TLS
D. HTTP

Answer: D

NEW QUESTION 156
Drag and drop the technology on the left onto the data type the technology provides on the right.

A. Mastered
B. Not Mastered

Answer: A

NEW QUESTION 159
What is the difference between a threat and an exploit?

A. A threat is a result of utilizing flow in a system, and an exploit is a result of gaining control over the system.
B. A threat is a potential attack on an asset and an exploit takes advantage of the vulnerability of the asset
C. An exploit is an attack vector, and a threat is a potential path the attack must go through.
D. An exploit is an attack path, and a threat represents a potential vulnerability

Answer: B

NEW QUESTION 164
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model.

A. Mastered
B. Not Mastered

Answer: A

Explanation:
Delivery: This step involves transmitting the weapon to the target.
Weaponization: In this step, the intruder creates a malware weapon like a virus, worm or such in order to exploit the vulnerabilities of the target. Depending on the
target and the purpose of the attacker, this malware can exploit new, undetected vulnerabilities (also known as the zero-day exploits) or it can focus on a
combination of different vulnerabilities.
Reconnaissance: In this step, the attacker / intruder chooses their target. Then they conduct an in-depth research on this target to identify its vulnerabilities that
can be exploited.

NEW QUESTION 169
What describes the impact of false-positive alerts compared to false-negative alerts?

A. A false negative is alerting for an XSS attack.
B. An engineer investigates the alert and discovers that an XSS attack happened. A false positive is when an XSS attack happens and no alert is raised.
C. A false negative is a legitimate attack triggering a brute-force alert.
D. An engineer investigates the alert and finds out someone intended to break into the system. A false positive is when no alert and no attack is occurring.
E. A false positive is an event alerting for a brute-force attack. An engineer investigates the alert and discovers that a legitimate user entered the wrong credential several times. A false negative is when a threat actor tries to brute-force attack a system and no alert is raised.
F. A false positive is an event alerting for an SQL injection attack. An engineer investigates the alert and discovers that an attack attempt was blocked by IPS. A false negative is when the attack gets detected but succeeds and results in a breach.

Answer: C

NEW QUESTION 172
Refer to the exhibit.

An engineer is analyzing this Cuckoo Sandbox report for a PDF file that has been downloaded from an email. What is the state of this file?

A. The file has an embedded executable and was matched by PEiD threat signatures for further analysis.
B. The file has an embedded non-Windows executable but no suspicious features are identified.
C. The file has an embedded Windows 32 executable and the Yara field lists suspicious features for further analysis.
D. The file was matched by PEiD threat signatures but no suspicious features are identified since the signature list is up to date.

Answer: C

NEW QUESTION 173


What are the two differences between stateful and deep packet inspection? (Choose two.)

A. Stateful inspection is capable of TCP state tracking, and deep packet filtering checks only TCP source and destination ports
B. Deep packet inspection is capable of malware blocking, and stateful inspection is not
C. Deep packet inspection operates on Layers 3 and 4, and stateful inspection operates on Layer 3 of the OSI model
D. Deep packet inspection is capable of TCP state monitoring only, and stateful inspection can inspect TCP and UDP.
E. Stateful inspection is capable of packet data inspections, and deep packet inspection is not

Answer: AB

NEW QUESTION 178


During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?

A. examination
B. investigation
C. collection
D. reporting

Answer: C

NEW QUESTION 183


Refer to the exhibit.

An analyst received this alert from the Cisco ASA device, and numerous activity logs were produced. How should this type of evidence be categorized?

A. indirect
B. circumstantial
C. corroborative
D. best

Answer: C

Explanation:
Indirect = circumstantial, so there is no possibility to match A or B (only one answer is needed in this question). For sure it is not BEST evidence: this FW data
informs only of DROPPED traffic. If something happened inside the network, the presented evidence could be used to support other evidence or make our narrative stronger,
but alone it means nothing.


NEW QUESTION 184


At a company party a guest asks questions about the company’s user account format and password complexity. How is this type of conversation classified?

A. Phishing attack
B. Password Revelation Strategy
C. Piggybacking
D. Social Engineering

Answer: D

NEW QUESTION 186


Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?

A. availability
B. confidentiality
C. scope
D. integrity

Answer: D

NEW QUESTION 191


What is the difference between deep packet inspection and stateful inspection?

A. Deep packet inspection is more secure than stateful inspection on Layer 4
B. Stateful inspection verifies contents at Layer 4 and deep packet inspection verifies connection at Layer 7
C. Stateful inspection is more secure than deep packet inspection on Layer 7
D. Deep packet inspection allows visibility on Layer 7 and stateful inspection allows visibility on Layer 4

Answer: D

NEW QUESTION 195


How does an attack surface differ from an attack vector?

A. An attack vector recognizes the potential outcomes of an attack, and the attack surface is choosing a method of an attack.
B. An attack surface identifies vulnerable parts for an attack, and an attack vector specifies which attacks are feasible to those parts.
C. An attack surface mitigates external vulnerabilities, and an attack vector identifies mitigation techniques and possible workarounds.
D. An attack vector matches components that can be exploited, and an attack surface classifies the potential path for exploitation

Answer: B

NEW QUESTION 200


What is the difference between an attack vector and attack surface?

A. An attack surface identifies vulnerabilities that require user input or validation; and an attack vector identifies vulnerabilities that are independent of user actions.
B. An attack vector identifies components that can be exploited, and an attack surface identifies the potential path an attack can take to penetrate the network.
C. An attack surface recognizes which network parts are vulnerable to an attack; and an attack vector identifies which attacks are possible with these
vulnerabilities.
D. An attack vector identifies the potential outcomes of an attack; and an attack surface launches an attack using several methods against the identified
vulnerabilities.

Answer: C

NEW QUESTION 201


Which security monitoring data type requires the largest storage space?

A. transaction data
B. statistical data
C. session data
D. full packet capture

Answer: D

NEW QUESTION 203


Which technology should be used to implement a solution that makes routing decisions based on HTTP header, uniform resource identifier, and SSL session ID
attributes?

A. AWS
B. IIS
C. Load balancer
D. Proxy server

Answer: C

Explanation:
Load Balancing: HTTP(S) load balancing is one of the oldest forms of load balancing. This form of load balancing relies on layer 7, which means it operates in the
application layer. This allows routing decisions based on attributes like HTTP header, uniform resource identifier, SSL session ID, and HTML form data.


Load balancing applies to layers 4-7 in the seven-layer Open System Interconnection (OSI) model. Its capabilities are:
L4: Directing traffic based on network data and transport layer protocols, e.g., IP address and TCP port.
L7: Adds content switching to load balancing, allowing routing decisions depending on characteristics such as HTTP header, uniform resource identifier, SSL session ID, and HTML form data.
GSLB: Global Server Load Balancing expands L4 and L7 capabilities to servers in different sites.

NEW QUESTION 208


An organization has recently adjusted its security stance in response to online threats made by a known hacktivist group.
What is the initial event called in the NIST SP800-61?

A. online assault
B. precursor
C. trigger
D. instigator

Answer: B

Explanation:
A precursor is a sign that a cyber-attack is about to occur on a system or network. An indicator is the actual alerts that are generated as an attack is happening.
Therefore, as a security professional, it's important to know where you can find both precursor and indicator sources of information.
The following are common sources of precursor and indicator information:
Security Information and Event Management (SIEM)
Anti-virus and anti-spam software
File integrity checking applications/software
Logs from various sources (operating systems, devices, and applications)
People who report a security incident
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

NEW QUESTION 213


Refer to the exhibit.

What is occurring?

A. ARP flood
B. DNS amplification
C. ARP poisoning
D. DNS tunneling

Answer: D

NEW QUESTION 216


What is an incident response plan?

A. an organizational approach to events that could lead to asset loss or disruption of operations
B. an organizational approach to security management to ensure a service lifecycle and continuous improvements
C. an organizational approach to disaster recovery and timely restoration of operational services
D. an organizational approach to system backup and data archiving aligned to regulations

Answer: C

NEW QUESTION 220


A security expert is working on a copy of the evidence, an ISO file that is saved in CDFS format. Which type of evidence is this file?

A. CD data copy prepared in Windows
B. CD data copy prepared in Mac-based system
C. CD data copy prepared in Linux system
D. CD data copy prepared in Android-based system


Answer: A

NEW QUESTION 225


Refer to the exhibit.

What is shown in this PCAP file?

A. Timestamps are indicated with error.
B. The protocol is TCP.
C. The User-Agent is Mozilla/5.0.
D. The HTTP GET is encoded.

Answer: D

NEW QUESTION 226


A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions. Which identifier tracks an active program?

A. application identification number
B. active process identification number
C. runtime identification number
D. process identification number

Answer: D

NEW QUESTION 231


Which tool provides a full packet capture from network traffic?

A. Nagios
B. CAINE
C. Hydra
D. Wireshark

Answer: D

NEW QUESTION 236


What is a purpose of a vulnerability management framework?

A. identifies, removes, and mitigates system vulnerabilities
B. detects and removes vulnerabilities in source code
C. conducts vulnerability scans on the network
D. manages a list of reported vulnerabilities

Answer: A

NEW QUESTION 237


Which type of attack occurs when an attacker is successful in eavesdropping on a conversation between two IP phones?

A. known-plaintext
B. replay
C. dictionary


D. man-in-the-middle

Answer: D

NEW QUESTION 240


Which vulnerability type is used to read, write, or erase information from a database?

A. cross-site scripting
B. cross-site request forgery
C. buffer overflow
D. SQL injection

Answer: D

NEW QUESTION 241


Drag and drop the event term from the left onto the description on the right.

A. Mastered
B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 246


What is indicated by an increase in IPv4 traffic carrying protocol 41?

A. additional PPTP traffic due to Windows clients
B. unauthorized peer-to-peer traffic
C. deployment of a GRE network on top of an existing Layer 3 network
D. attempts to tunnel IPv6 traffic through an IPv4 network

Answer: D

NEW QUESTION 248


Which security technology guarantees the integrity and authenticity of all messages transferred to and from a web application?

A. Hypertext Transfer Protocol
B. SSL Certificate
C. Tunneling
D. VPN

Answer: B


NEW QUESTION 249


An engineer received a flood of phishing emails from HR with the source address HRjacobm@companycom. What is the threat actor in this scenario?

A. phishing email
B. sender
C. HR
D. receiver

Answer: B

NEW QUESTION 254


Refer to the exhibit.

Which technology generates this log?

A. NetFlow
B. IDS
C. web proxy
D. firewall

Answer: D

NEW QUESTION 255


An employee received an email from a colleague’s address asking for the password for the domain controller. The employee noticed a missing letter within the
sender’s address. What does this incident describe?

A. brute-force attack
B. insider attack
C. shoulder surfing
D. social engineering

Answer: B

NEW QUESTION 260


What are two denial-of-service (DoS) attacks? (Choose two.)

A. port scan
B. SYN flood
C. man-in-the-middle
D. phishing
E. teardrop

Answer: BC

NEW QUESTION 263


What is the difference between the rule-based detection when compared to behavioral detection?

A. Rule-Based detection is searching for patterns linked to specific types of attacks, while behavioral is identifying per signature.
B. Rule-Based systems have established patterns that do not change with new data, while behavioral changes.
C. Behavioral systems are predefined patterns from hundreds of users, while Rule-Based only flags potentially abnormal patterns using signatures.
D. Behavioral systems find sequences that match a particular attack signature, while Rule-Based identifies potential attacks.

Answer: D

NEW QUESTION 265


What is vulnerability management?

A. A security practice focused on clarifying and narrowing intrusion points.
B. A security practice of performing actions rather than acknowledging the threats.
C. A process to identify and remediate existing weaknesses.
D. A process to recover from service interruptions and restore business-critical applications

Answer: C

NEW QUESTION 267


......
