Exam Details

  • Exam Code: 200-201
  • Exam Name: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)
  • Certification: CyberOps Associate
  • Vendor: Cisco
  • Total Questions: 406 Q&As
  • Last Updated: Mar 30, 2025

Cisco CyberOps Associate 200-201 Questions & Answers

  • Question 101:

    What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)

    A. Untampered images are used in the security investigation process

    B. Tampered images are used in the security investigation process

    C. The image is tampered if the stored hash and the computed hash match

    D. Tampered images are used in the incident recovery process

    E. The image is untampered if the stored hash and the computed hash match

  • Question 102:

    The SOC team has confirmed a potential indicator of compromise on an endpoint. The team has narrowed the executable file's type to a new trojan family. According to the NIST Computer Security Incident Handling Guide, what is the next step in handling this event?

    A. Isolate the infected endpoint from the network.

    B. Perform forensics analysis on the infected endpoint.

    C. Collect public information on the malware behavior.

    D. Prioritize incident handling based on the impact.

  • Question 103:

    What is the relationship between a vulnerability and a threat?

    A. A threat exploits a vulnerability

    B. A vulnerability is a calculation of the potential loss caused by a threat

    C. A vulnerability exploits a threat

    D. A threat is a calculation of the potential loss caused by a vulnerability

  • Question 104:

    Which incident response step includes identifying all hosts affected by an attack?

    A. detection and analysis

    B. post-incident activity

    C. preparation

    D. containment, eradication, and recovery

  • Question 105:

    Refer to the exhibit.

    What is occurring?

    A. ARP flood

    B. DNS amplification

    C. ARP poisoning

    D. DNS tunneling

  • Question 106:

    Refer to the exhibit.

    A security analyst is investigating unusual activity from an unknown IP address. Which type of evidence is this file1?

    A. indirect evidence

    B. best evidence

    C. corroborative evidence

    D. direct evidence

  • Question 107:

    What are the two differences between stateful and deep packet inspection? (Choose two.)

    A. Stateful inspection is capable of TCP state tracking, and deep packet filtering checks only TCP source and destination ports

    B. Deep packet inspection is capable of malware blocking, and stateful inspection is not

    C. Deep packet inspection operates on Layers 3 and 4, and stateful inspection operates on Layer 3 of the OSI model

    D. Deep packet inspection is capable of TCP state monitoring only, and stateful inspection can inspect TCP and UDP.

    E. Stateful inspection is capable of packet data inspections, and deep packet inspection is not

  • Question 108:

    Refer to the exhibit.

    Which type of attack is being executed?

    A. SQL injection

    B. cross-site scripting

    C. cross-site request forgery

    D. command injection

  • Question 109:

    What is rule-based detection when compared to statistical detection?

    A. proof of a user's identity

    B. proof of a user's action

    C. likelihood of user's action

    D. falsification of a user's identity

  • Question 110:

    Refer to the exhibit.

    A network administrator is investigating suspicious network activity by analyzing captured traffic. An engineer notices abnormal behavior and discovers that the default user agent is present in the headers of requests and data being transmitted. What is occurring?

    A. indicators of denial-of-service attack due to the frequency of requests

    B. garbage flood attack: attacker is sending garbage binary data to open ports

    C. indicators of data exfiltration: HTTP requests must be plain text

    D. cache bypassing attack: attacker is sending requests for noncacheable content

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Cisco exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your 200-201 exam preparation and Cisco certification application, do not hesitate to visit Vcedump.com to find your solutions here.