Cisco 200-201 Understanding Cisco Cybersecurity Operations Fundamentals (200-201 CBROPS) Exam Practice Test

by enabling an authenticated channel between the client and the server

by creating an integrated channel between the client and the server

by enabling an authorized channel between the client and the server

by creating an encrypted channel between the client and the server

weaponization

delivery

exploitation

reconnaissance

malware attack

ransomware attack

whale-phishing

insider threat

cause of an attack

exploit of an attack

vulnerabilities exploited

threat actors of an attack

IDS

proxy

NetFlow

sys

The file has an embedded executable and was matched by PEiD threat signatures for further analysis.

The file has an embedded non-Windows executable but no suspicious features are identified.

The file has an embedded Windows 32 executable and the Yara field lists suspicious features for further analysis.

The file was matched by PEiD threat signatures but no suspicious features are identified since the signature list is up to date.

data from a CD copied using Mac-based system

data from a CD copied using Linux system

data from a DVD copied using Windows system

data from a CD copied using Windows

detection and analysis

post-incident activity

vulnerability management

risk assessment

vulnerability scoring

secure boot

load balancing

increased audit log levels

restricting USB ports

full packet captures at the endpoint

File: Clean

^Parent File Clean$

File: Clean (.*)

^File: Clean$

forgery attack

plaintext-only attack

ciphertext-only attack

meet-in-the-middle attack

Untampered images are used in the security investigation process

Tampered images are used in the security investigation process

The image is tampered if the stored hash and the computed hash match

Tampered images are used in the incident recovery process

The image is untampered if the stored hash and the computed hash match

reconnaissance

action on objectives

installation

exploitation

Recovery

Detection

Eradication

Analysis

fake offer for free music download to trick the user into providing sensitive data

package deliberately sent to the wrong receiver to advertise a new product

mistakenly received valuable order destined for another person and hidden on purpose

email offering last-minute deals on various vacations around the world with a due date and a counter

file header type

file size

file name

file hash value

actions

delivery

reconnaissance

installation

Nagios

CAINE

Hydra

Wireshark

MITM

TCP connections

ping of death

UDP flooding

code red

swap files

temporary files

login sessions

dump files

free space

A security practice focused on clarifying and narrowing intrusion points.

A security practice of performing actions rather than acknowledging the threats.

A process to identify and remediate existing weaknesses.

A process to recover from service interruptions and restore business-critical applications

investigation

examination

reporting

collection

Win32.polip.a.exe is an executable file and should be flagged as malicious.

The file is clean and does not represent a risk.

Cuckoo cleaned the malicious file and prepared it for usage.

MD5 of the file was not identified as malicious.

Firepower

Email Security Appliance

Web Security Appliance

Stealthwatch

transaction data

statistical data

session data

full packet capture

permissions

PowerShell logs

service

MBR

process and thread

It validates client identity when communicating with the server.

It authenticates client identity when requesting an SSL certificate.

It authenticates domain identity when requesting an SSL certificate.

It validates the domain identity of the SSL certificate.

src=10.11.0.0/16 and dst=10.11.0.0/16

ip.src==10.11.0.0/16 and ip.dst==10.11.0.0/16

ip.src=10.11.0.0/16 and ip.dst=10.11.0.0/16

src==10.11.0.0/16 and dst==10.11.0.0/16

phishing email

sender

HR

receiver

allowing everything and denying specific applications protocols

allowing everything and denying specific executable files

allowing specific format files and deny executable files

allowing specific files and deny everything else

malware author

threat actor

bug bounty hunter

direct competitor

A key is generated on demand according to data type.

A one-time encryption key is generated for data transmission

It is suited for transmitting large amounts of data.

It is a faster encryption mechanism for sessions

nmap --top-ports 192.168.1.0/24

nmap –sP 192.168.1.0/24

nmap -sL 192.168.1.0/24

nmap -sV 192.168.1.0/24

workload and the configuration details

user accounts and SID

number of users and requests that the server is handling

functionality and purpose of the server

running services

man-in-the-middle

IDS evasion

command and control

port scanning

spam emails on an employee workstation

virus detection by the AV software

blocked phishing attempt on a company

malware reinfection within a few minutes of removal

CSIRT

PSIRT

public affairs

management

It spoofs the destination and source information protecting both sides.

It encrypts content and destination information over multiple layers.

It redirects destination traffic through multiple sources avoiding traceability.

It traverses source traffic through multiple destinations before reaching the receiver

MAC is controlled by the discretion of the owner and DAC is controlled by an administrator

MAC is the strictest of all levels of control and DAC is object-based access

DAC is controlled by the operating system and MAC is controlled by an administrator

DAC is the strictest of all levels of control and MAC is object-based access

date of birth

driver's license number

gender

zip code

The traffic would have been monitored at any segment in the network.

Malicious traffic would have been blocked on multiple devices

An extra level of security would have been in place

Detailed information about the data in real time would have been provided

A threat is a sum of risks and a risk itself represents a specific danger toward the asset

A threat can be people property, or information, and risk is a probability by which these threats may bring harm to the business

A risk is a flaw or hole in security, and a threat is what is being used against that flaw

A risk is an intersection between threat and vulnerabilities, and a threat is what a security engineer is trying to protect against

open ports of a web server

open port of an FTP server

open ports of an email server

running processes of the server

resource exhaustion

tunneling

traffic fragmentation

timing attack

tagged protocols being used on the network

all firewall alerts and resulting mitigations

tagged ports being used on the network

all information and data within the datagram

Cross-Site Scripting attack

XML External Entitles attack

Insecure Deserialization

Regular GET requests

Z

ID

TC

QR

Inline interrogation is less complex as traffic mirroring applies additional tags to data.

Traffic mirroring copies the traffic rather than forwarding it directly to the analysis tools

Inline replicates the traffic to preserve integrity rather than modifying packets before sending them to other analysis tools.

Traffic mirroring results in faster traffic analysis and inline is considerably slower due to latency.

weaponization

reconnaissance

installation

delivery

man-in-the-middle attack

ARP poisoning

brute-force attack

SQL injection

[a−z]+

[^a−z]+

a−z+

a*z+

injecting new commands into existing buffers

fetching data from memory buffer registers

overloading a predefined amount of memory

suppressing the buffers in a process

server name, trusted subordinate CA, and private key

trusted subordinate CA, public key, and cipher suites

trusted CA name, cipher suites, and private key

server name, trusted CA, and public key

session duration

total throughput

running processes

listening ports

OS fingerprint

NetFlow collects metadata and traffic mirroring clones data.

Traffic mirroring impacts switch performance and NetFlow does not.

Traffic mirroring costs less to operate than NetFlow.

NetFlow generates more data than traffic mirroring.

Inline inspection acts on the original traffic data flow

Traffic mirroring passes live traffic to a tool for blocking

Traffic mirroring inspects live traffic for analysis and mitigation

Inline traffic copies packets for analysis and security

Signature-based identifies behaviors that may be linked to attacks, while behavior-based has a predefined set of rules to match before an alert.

Behavior-based identifies behaviors that may be linked to attacks, while signature-based has a predefined set of rules to match before an alert.

Behavior-based uses a known vulnerability database, while signature-based intelligently summarizes existing data.

Signature-based uses a known vulnerability database, while behavior-based intelligently summarizes existing data.

Identifying network loops and collision domains.

Troubleshooting the cause of security and performance issues.

Reassembling fragmented traffic from raw data.

Detecting common hardware faults and identify faulty assets.

Providing a historical record of a network transaction.

IP address 192.168.88 12 is communicating with 192 168 88 149 with a source port 74 to destination port 49098 using TCP protocol

IP address 192.168.88.12 is communicating with 192 168 88 149 with a source port 49098 to destination port 80 using TCP protocol.

IP address 192.168.88.149 is communicating with 192.168 88.12 with a source port 80 to destination port 49098 using TCP protocol.

IP address 192.168.88.149 is communicating with 192.168.88.12 with a source port 49098 to destination port 80 using TCP protocol.

false negative

true positive

true negative

false positive

True positives affect security as no alarm is raised when an attack has taken place, while false positives are alerts raised appropriately to detect and further mitigate them.

True-positive alerts are blocked by mistake as potential attacks, while False-positives are actual attacks Identified as harmless.

False-positive alerts are detected by confusion as potential attacks, while true positives are attack attempts identified appropriately.

False positives alerts are manually ignored signatures to avoid warnings that are already acknowledged, while true positives are warnings that are not yet acknowledged.

A binary named "submit" is running on VM cuckoo1.

A binary is being submitted to run on VM cuckoo1

A binary on VM cuckoo1 is being submitted for evaluation

A URL is being evaluated to see if it has a malicious binary

reconnaissance

delivery

weaponization

exploitation

Base64 encoding

TLS encryption

SHA-256 hashing

ROT13 encryption

encapsulation

TOR

tunneling

NAT

integrity

availability

accessibility

confidentiality

The RST flag approves the connection, and the ACK flag terminates spontaneous connections.

The ACK flag confirms the received segment, and the RST flag terminates the connection.

The RST flag approves the connection, and the ACK flag indicates that a packet needs to be resent

The ACK flag marks the connection as reliable, and the RST flag indicates the failure within TCP Handshake

Tampered Images are used in a security investigation process

Untampered images can be used as law enforcement evidence.

The image is untampered if the existing stored hash matches the computed one

The image is tampered if the stored hash and the computed hash are identical

Tampered images are used as an element for the root cause analysis report

static IP addresses

signatures

digital certificates

cipher suite

SOAR ingests numerous types of logs and event data infrastructure components and SIEM can fetch data from endpoint security software and external threat intelligence feeds

SOAR collects and stores security data at a central point and then converts it into actionable intelligence, and SIEM enables SOC teams to automate and orchestrate manual tasks

SIEM raises alerts in the event of detecting any suspicious activity, and SOAR automates investigation path workflows and reduces time spent on alerts

SIEM combines data collecting, standardization, case management, and analytics for a defense-in-depth concept, and SOAR collects security data antivirus logs, firewall logs, and hashes of downloaded files

the intellectual property that was stolen

the defense contractor who stored the intellectual property

the method used to conduct the attack

the foreign government that conducted the attack

Timestamps are indicated with error.

The protocol is TCP.

The User-Agent is Mozilla/5.0.

The HTTP GET is encoded.

The threat actor used a dictionary-based password attack to obtain credentials.

The threat actor gained access to the system by known credentials.

The threat actor used the teardrop technique to confuse and crash login services.

The threat actor used an unknown vulnerability of the operating system that went undetected.

SSL interception

packet header size

signature detection time

encryption

Scan a host to find open ports and vulnerabilities

Construct the appropriate malware and deliver it to the victim.

Test and construct the appropriate malware to launch the attack

Research data on a specific vulnerability

TAPS interrogation is more complex because traffic mirroring applies additional tags to data and SPAN does not alter integrity and provides full duplex network.

SPAN results in more efficient traffic analysis, and TAPS is considerably slower due to latency caused by mirroring.

TAPS replicates the traffic to preserve integrity, and SPAN modifies packets before sending them to other analysis tools

SPAN ports filter out physical layer errors, making some types of analyses more difficult, and TAPS receives all packets, including physical errors.

antivirus

IPS/IDS

proxy

firewall

stored

reflective

DOM

CSRF

DAC requires explicit authorization for a given user on a given object, and RBAC requires specific conditions.

RBAC access is granted when a user meets specific conditions, and in DAC, permissions are applied on user and group levels.

RBAC is an extended version of DAC where you can add an extra level of authorization based on time.

DAC administrators pass privileges to users and groups, and in RBAC, permissions are applied to specific groups

Encryption analysis is used by attackers to monitor VPN tunnels.

Encryption is used by threat actors as a method of evasion and obfuscation.

Encryption introduces additional processing requirements by the CPU.

Encryption introduces larger packet sizes to analyze and store.

least privilege

need to know

separation of duties

due diligence

best evidence

prima facie evidence

indirect evidence

physical evidence

Add space to the existing partition and lower the retention penod.

Use FAT32 to exceed the limit of 4 GB.

Use the Ext4 partition because it can hold files up to 16 TB.

Use NTFS partition for log file containment

command injection

man in the middle attack

evasion methods

phishing

availability

confidentiality

scope

integrity

Agentless can access the data via API. while agent-base uses a less efficient method and accesses log data through WMI.

Agent-based monitoring is less intrusive in gathering log data, while agentless requires open ports to fetch the logs

Agent-based monitoring has a lower initial cost for deployment, while agentless monitoring requires resource-intensive deployment.

Agent-based has a possibility to locally filter and transmit only valuable data, while agentless has much higher network utilization

TCP connections

ping of death

man-in-the-middle

code-red

UDP flooding

action on objectives

delivery

exploitation

installation

Managing a vulnerability assessment report to mitigate potential threats.

Focusing on proactively detecting possible signs of intrusion and compromise.

Pursuing competitors and adversaries to infiltrate their system to acquire intelligence data.

Attempting to deliberately disrupt servers by altering their availability