Exam Details

  • Exam Code: 200-201
  • Exam Name: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)
  • Certification: CyberOps Associate
  • Vendor: Cisco
  • Total Questions: 406 Q&As
  • Last Updated: Apr 15, 2025

Cisco CyberOps Associate 200-201 Questions & Answers

  • Question 191:

    Refer to the exhibit.

    What does the output indicate about the server with the IP address 172.18.104.139?

    A. open ports of a web server

    B. open port of an FTP server

    C. open ports of an email server

    D. running processes of the server

  • Question 192:

    An engineer received an alert affecting the degraded performance of a critical server. Analysis showed a heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?

    A. Run "ps -d" to decrease the priority state of high load processes to avoid resource exhaustion.

    B. Run "ps -u" to find out who executed additional processes that caused a high load on a server.

    C. Run "ps -ef" to understand which processes are taking a high amount of resources.

    D. Run "ps -m" to capture the existing state of daemons and map required processes to find the gap.

  • Question 193:

    Syslog collecting software is installed on the server. For log containment, a disk with a FAT-type partition is used. An engineer determined that log files are being corrupted when the 4 GB file size is exceeded. Which action resolves the issue?

    A. Add space to the existing partition and lower the retention period.

    B. Use FAT32 to exceed the limit of 4 GB.

    C. Use the Ext4 partition because it can hold files up to 16 TB.

    D. Use NTFS partition for log file containment

  • Question 194:

    Refer to the exhibit.

    An engineer is analyzing a PCAP file after a recent breach. An engineer identified that the attacker used an aggressive ARP scan to scan the hosts and found web and SSH servers. Further analysis showed several SSH Server Banner and Key Exchange Initiations. The engineer cannot see the exact data being transmitted over an encrypted channel and cannot identify how the attacker gained access. How did the attacker gain access?

    A. by using the buffer overflow in the URL catcher feature for SSH

    B. by using an SSH Tectia Server vulnerability to enable host-based authentication

    C. by using an SSH vulnerability to silently redirect connections to the local host

    D. by using brute force on the SSH service to gain access

  • Question 195:

    Refer to the exhibit.

    Which two elements in the table are parts of the 5-tuple? (Choose two.)

    A. First Packet

    B. Initiator User

    C. Ingress Security Zone

    D. Source Port

    E. Initiator IP
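Added worked example for Questions 194 and 195 (this is my own code, not part of the original exam page or of any Cisco material): it builds 5-tuple keys from constructed packet-summary records, shows which columns are metadata rather than tuple members (timestamp, zone, user), and then uses those keys to detect the SSH brute-force pattern Question 194 describes: many short TCP connections from one client to port 22, each reaching the SSH Key Exchange Init, with everything after that encrypted. Because the payload is unreadable, the evidence is the connection count per client/server pair, not the passwords; the server's own auth log is what confirms it. The record layout, addresses, ports and thresholds are assumptions of mine.

```python
"""Added example, not part of the original exam page or Cisco's materials.

5-tuple flow keying over constructed packet summaries (Question 195), then an
SSH brute-force heuristic built on those keys (Question 194).  Field names,
sample addresses and thresholds are my assumptions.
"""
from collections import defaultdict, namedtuple

# One record per packet, roughly what a tshark summary line would give you,
# plus two firewall-style metadata columns (zone, user) that are NOT part of
# the 5-tuple.
Packet = namedtuple("Packet", "t src sport dst dport proto zone user info")

SERVER = "172.18.104.139"   # address from the exam's exhibits, reused here


def _ssh_exchange(t, client, sport, user="-"):
    """Constructed client->server and server->client SSH KEXINIT pair."""
    return [
        Packet(t, client, sport, SERVER, 22, "tcp", "inside", user, "Client: Key Exchange Init"),
        Packet(t + 0.01, SERVER, 22, client, sport, "tcp", "dmz", "-", "Server: Key Exchange Init"),
    ]


# Constructed capture: 10.0.0.5 opens six SSH connections in ~5 s (each on a
# new ephemeral port), 10.0.0.9 opens one, and there is some unrelated HTTP.
PACKETS = []
for i in range(6):
    PACKETS += _ssh_exchange(0.9 * i, "10.0.0.5", 40001 + i)
PACKETS += _ssh_exchange(30.0, "10.0.0.9", 51000, user="admin")
PACKETS.append(Packet(31.0, "10.0.0.5", 40100, SERVER, 80, "tcp", "inside", "-", "GET / HTTP/1.1"))


def five_tuple(pkt):
    """The 5-tuple: source IP, source port, destination IP, destination port,
    transport protocol.  Timestamp, zone and user are metadata, not members."""
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)


def flow_key(pkt):
    """Direction-independent key so A->B and B->A land in the same flow."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (min(a, b), max(a, b), pkt.proto)


def group_flows(packets):
    """Bucket packets by bidirectional 5-tuple flow."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    return dict(flows)


def ssh_bruteforce_candidates(packets, threshold=5, window_s=60.0):
    """Return {(client, server): n} for pairs with at least `threshold`
    distinct SSH connections (client-side KEXINIT on a distinct client port)
    inside any `window_s`-second window.  Retransmitted KEXINITs on the same
    port count once."""
    starts = defaultdict(list)           # (client, server) -> [(t, sport), ...]
    for p in packets:
        if p.proto == "tcp" and p.dport == 22 and p.info.startswith("Client: Key Exchange Init"):
            starts[(p.src, p.dst)].append((p.t, p.sport))
    hits = {}
    for pair, conns in starts.items():
        conns.sort()
        best = 0
        for i, (t0, _) in enumerate(conns):
            ports = {sp for t, sp in conns[i:] if t - t0 <= window_s}
            best = max(best, len(ports))
        if best >= threshold:
            hits[pair] = best
    return hits


if __name__ == "__main__":
    print("5-tuple of first packet:", five_tuple(PACKETS[0]))
    print("flows:", len(group_flows(PACKETS)))
    print("brute-force candidates:", ssh_bruteforce_candidates(PACKETS))
```

The threshold of five new connections in sixty seconds is deliberately low for a small sample; on a real capture tune it against the server's normal session rate, and corroborate with `Failed password` entries in the server's auth log, which the PCAP cannot show you.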

  • Question 196:

    What is the difference between a threat and an exploit?

    A. An exploit is an attack path, and a threat represents a potential vulnerability.

    B. An exploit is an attack vector, and a threat is a potential path the attack must go through.

    C. A threat is a potential attack on an asset, and an exploit takes advantage of the vulnerability of the asset.

    D. A threat is a result of utilizing flow in a system, and an exploit is a result of gaining control over the system.

  • Question 197:

    An organization is cooperating with several third-party companies. Data exchange is on an unsecured channel using port 80. Internal employees use the FTP service to upload and download sensitive data. An engineer must ensure confidentiality while preserving the integrity of the communication. Which technology must the engineer implement in this scenario?

    A. X.509 certificates

    B. RADIUS server

    C. CA server

    D. web application firewall

  • Question 198:

    An organization has recently adjusted its security stance in response to online threats made by a known hacktivist group. What is the initial event called in NIST SP 800-61?

    A. online assault

    B. precursor

    C. trigger

    D. instigator

  • Question 199:

    Refer to the exhibit.

    What is depicted in the exhibit?

    A. Windows Event logs

    B. Apache logs

    C. IIS logs

    D. UNIX-based syslog

  • Question 200:

    Which HTTP header field is used in forensics to identify the type of browser used?

    A. referrer

    B. host

    C. user-agent

    D. accept-language
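Added worked example for Questions 199 and 200 (my own code, not from the original exam page or from Cisco): it parses constructed Apache "combined" access-log lines and pulls out the two request headers that matter in web forensics, User-Agent (client software) and Referer (the header's actual spelling in HTTP, not "referrer"), then tallies browser families and flags obvious tool signatures. Keep in mind that User-Agent is client-supplied and trivially spoofed, so it is a lead to correlate with other evidence, not proof of what the client was. The sample lines and the tool-marker list are assumptions of mine.

```python
"""Added example, not part of the original exam page or Cisco's materials.

Parses constructed Apache "combined" access-log lines (Question 199) and
extracts User-Agent and Referer for forensic triage (Question 200).
Sample lines and the tool-marker list are my assumptions.
"""
import re
from collections import Counter

# Apache LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample log (addresses are documentation ranges, UAs are typical).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
203.0.113.7 - - [15/Apr/2025:10:01:05 +0000] "GET /login HTTP/1.1" 200 2048 "http://www.example.com/index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
198.51.100.23 - - [15/Apr/2025:10:02:11 +0000] "GET /login?id=1%27 HTTP/1.1" 500 310 "-" "sqlmap/1.8 (https://sqlmap.org)"
198.51.100.23 - - [15/Apr/2025:10:02:12 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
192.0.2.44 - - [15/Apr/2025:10:03:40 +0000] "POST /api/v1/items HTTP/1.1" 201 88 "-" "python-requests/2.31.0"
192.0.2.44 - - [15/Apr/2025:10:03:41 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "-"
"""

# Substrings that mark automated clients.  Not all are hostile (python-requests
# and curl are common in legitimate integrations), so treat hits as triage leads.
TOOL_MARKERS = ("sqlmap", "nikto", "nmap", "masscan", "python-requests", "curl/", "wget/", "go-http-client")


def parse_combined(line):
    """Return a dict of the combined-format fields, or None if the line
    does not match (so a truncated or foreign line never poisons the tally)."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def browser_family(ua):
    """Coarse family from the User-Agent string.  Order matters: Chrome's UA
    also contains 'Safari' and 'Mozilla', and Edge's also contains 'Chrome'."""
    if ua in ("", "-"):
        return "none"
    for needle, name in (("Edg/", "Edge"), ("Chrome/", "Chrome"), ("Firefox/", "Firefox"), ("Safari/", "Safari")):
        if needle in ua:
            return name
    return "other"


def is_tool_agent(ua):
    """True when the User-Agent advertises a scanner or scripting client."""
    low = ua.lower()
    return any(marker in low for marker in TOOL_MARKERS)


def summarize(log_text):
    """Parse every line, count browser families, and list (host, UA) pairs
    that look like tooling.  Unparseable lines are dropped."""
    records = [r for r in map(parse_combined, log_text.splitlines()) if r]
    families = Counter(browser_family(r["user_agent"]) for r in records)
    tools = sorted({(r["host"], r["user_agent"]) for r in records if is_tool_agent(r["user_agent"])})
    return {"records": records, "families": families, "tools": tools}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("parsed:", len(s["records"]))
    print("families:", dict(s["families"]))
    for host, ua in s["tools"]:
        print("tool-like client:", host, "->", ua)
```

In an investigation the next step is to pivot on the flagged hosts: pull every request they made, check whether the Referer chain is plausible for a human (a browser hitting /login directly with no Referer and a scanner UA is not), and compare the UA against what the same IP sent in other sessions, since a change of UA mid-session from one IP is itself worth noting.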

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only Cisco exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your 200-201 exam preparation and Cisco certification application, do not hesitate to visit Vcedump.com to find your solutions.