Cisco CyberOps Associate 200-201 Questions & Answers

• Question 61:

  How does statistical detection differ from rule-based detection?

  A. Statistical detection involves the evaluation of events, and rule-based detection requires an evaluated set of events to function.

  B. Statistical detection defines legitimate data over time, and rule-based detection works on a predefined set of rules

  C. Rule-based detection involves the evaluation of events, and statistical detection requires an evaluated set of events to function Rule-based detection defines

  D. legitimate data over a period of time, and statistical detection works on a predefined set of rules

  Correct Answer: B

• Question 62:

  During which phase of the forensic process are tools and techniques used to extract information from the collected data?

  A. investigation

  B. examination

  C. reporting

  D. collection

  Correct Answer: D

• Question 63:

  Which step in the incident response process researches an attacking host through logs in a SIEM?

  A. detection and analysis

  B. preparation

  C. eradication

  D. containment

  Correct Answer: A

  Preparation --> Detection and Analysis --> Containment, Erradicaion and Recovery --> Post-Incident Activity

  Detection and Analysis --> Profile networks and systems, Understand normal behaviors, Create a log retention policy, Perform event correlation. Maintain and use a knowledge base of information.Use Internet search engines for research. Run packet sniffers to collect additional data. Filter the data. Seek assistance from others. Keep all host clocks synchronized. Know the different types of attacks and attack vectors. Develop processes and procedures to recognize the signs of an incident. Understand the sources of precursors and indicators. Create appropriate incident documentation capabilities and processes. Create processes to effectively prioritize security incidents. Create processes to effectively communicate incident information (internal and external communications).

  Ref: Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide

• Question 64:

  How does certificate authority impact a security system?

  A. It authenticates client identity when requesting SSL certificate

  B. It validates domain identity of a SSL certificate

  C. It authenticates domain identity when requesting SSL certificate

  D. It validates client identity when communicating with the server

  Correct Answer: B

• Question 65:

  Which system monitors local system operation and local network access for violations of a security policy?

  A. host-based intrusion detection

  B. systems-based sandboxing

  C. host-based firewall

  D. antivirus

  Correct Answer: A

  HIDS is capable of monitoring the internals of a computing system as well as the network packets on its network interfaces. Host-based firewall is a piece of software running on a single Host that can restrict incoming and outgoing Network activity for that host only.

• Question 66:

  Which evasion technique is a function of ransomware?

  A. extended sleep calls

  B. encryption

  C. resource exhaustion

  D. encoding

  Correct Answer: B

• Question 67:

  An employee received an email from a colleague's address asking for the password for the domain controller. The employee noticed a missing letter within the sender's address. What does this incident describe?

  A. brute-force attack

  B. insider attack

  C. shoulder surfing

  D. social engineering

  Correct Answer: B

• Question 68:

  Which utility blocks a host portscan?

  A. HIDS

  B. sandboxing

  C. host-based firewall

  D. antimalware

  Correct Answer: C

• Question 69:

  What should a security analyst consider when comparing inline traffic interrogation with traffic tapping to determine which approach to use in the network?

  A. Tapping interrogation replicates signals to a separate port for analyzing traffic

  B. Tapping interrogations detect and block malicious traffic

  C. Inline interrogation enables viewing a copy of traffic to ensure traffic is in compliance with security policies

  D. Inline interrogation detects malicious traffic but does not block the traffic

  Correct Answer: A

  A network TAP is a simple device that connects directly to the cabling infrastructure to split or copy packets for use in analysis, security, or general network management

• Question 70:

  What is the difference between inline traffic interrogation and traffic mirroring?

  A. Inline interrogation is less complex as traffic mirroring applies additional tags to data.

  B. Traffic mirroring copies the traffic rather than forwarding it directly to the analysis tools

  C. Inline replicates the traffic to preserve integrity rather than modifying packets before sending them to other analysis tools.

  D. Traffic mirroring results in faster traffic analysis and inline is considerably slower due to latency.

  Correct Answer: B

  Inline inspection - Inline traffic interrogation is a technique in which traffic flows through a device that inspects the traffic and makes decisions about how to handle it. The inspection takes place in real-time and in-line with the traffic flow.

  Traffic mirroring - Traffic mirroring, also known as port mirroring or SPAN (Switched Port Analyzer), is a technique for forwarding a copy of network traffic to a monitoring device. The copy of the traffic is sent to a separate tool for analysis, security or other purposes.