Cisco 200-201 Online Practice Questions and Exam Preparation

Cisco 200-201 Online Questions & Answers

• Question 101:

  Which concept describes the total number of points where an attacker can attempt to enter or extract data from a system?

  A. attack vector
  B. vulnerability
  C. attack surface
  D. threat actor
  C. attack surface

  ---

  Explanation

  The attack surface refers to the sum of all possible entry and exit points within a system that an attacker can exploit. This includes hardware, software, network interfaces, and even human factors such as social engineering. A larger attack surface increases the likelihood of successful attacks because there are more opportunities for exploitation. An attack vector (A) is the method or path used to exploit a vulnerability. A vulnerability (B) is a specific weakness in a system. A threat actor (D) is the individual or group carrying out the attack. Reducing the attack surface is a key security strategy, achieved through measures such as disabling unnecessary services, applying patches, and enforcing strict access controls. Understanding the attack surface helps organizations prioritize risk management efforts and improve overall security posture.

• Question 102:

  What is the function of a command and control server?

  A. It enumerates open ports on a network device
  B. It drops secondary payload into malware
  C. It is used to regain control of the network after a compromise
  D. It sends instruction to a compromised system
  D. It sends instruction to a compromised system

  ---

  Explanation

  A command and control server (C2 or C&C) is a server that is used by attackers to communicate with and control compromised systems, such as bots, zombies, or backdoors. The C2 server can send instructions to the compromised systems, such as executing commands, downloading files, uploading data, or launching attacks. The C2 server can also receive information from the compromised systems, such as system information, keystrokes, screenshots, or credentials.

  References:

  Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 3: Network Intrusion Analysis, Lesson 3.4: Malware Cisco Certified CyberOps Associate Overview, Exam Topics, 3.4 Compare and contrast types of malware

• Question 103:

  An analyst received a ticket regarding a degraded processing capability for one of the HR department's servers. On the same day, an engineer noticed a disabled antivirus software and was not able to determine when or why it occurred.

  According to the NIST Incident Handling Guide, what is the next phase of this investigation?

  A. Recovery
  B. Detection
  C. Eradication
  D. Analysis
  D. Analysis

• Question 104:

  What is an attack surface as compared to a vulnerability?

  A. any potential danger to an asset
  B. the sum of all paths for data into and out of the environment
  C. an exploitable weakness in a system or its design
  D. the individuals who perform an attack
  C. an exploitable weakness in a system or its design

  ---

  Explanation

  An attack surface is the total sum of vulnerabilities that can be exploited to carry out a security attack. Attack surfaces can be physical or digital. The term attack surface is often confused with the term attack vector, but they are not the same thing. The surface is what is being attacked; the vector is the means by which an intruder gains access.

• Question 105:

  What is the difference between discretionary access control (DAC) and role-based access control (RBAC)?

  A. DAC requires explicit authorization for a given user on a given object, and RBAC requires specific conditions.
  B. RBAC access is granted when a user meets specific conditions, and in DAC, permissions are applied on user and group levels.
  C. RBAC is an extended version of DAC where you can add an extra level of authorization based on time.
  D. DAC administrators pass privileges to users and groups, and in RBAC, permissions are applied to specific groups
  D. DAC administrators pass privileges to users and groups, and in RBAC, permissions are applied to specific groups

• Question 106:

  An engineer is analyzing a recent breach where confidential documents were altered and stolen by the receptionist Further analysis shows that the threat actor connected an externa USB device to bypass security restrictions and steal data

  The engineer could not find an external USB device.

  Which piece of information must an engineer use for attribution in an investigation?

  A. list of security restrictions and privileges boundaries bypassed
  B. external USB device
  C. receptionist and the actions performed
  D. stolen data and its criticality assessment
  C. receptionist and the actions performed

• Question 107:

  Which vulnerability allows attackers to execute arbitrary code by overwriting memory?

  A. SQL injection
  B. cross-site scripting
  C. buffer overflow
  D. phishing
  C. buffer overflow

  ---

  Explanation

  A buffer overflow vulnerability occurs when a program writes more data to a buffer than it can hold, causing adjacent memory to be overwritten. This can allow attackers to execute arbitrary code, crash the system, or gain unauthorized access. Buffer overflows typically result from improper input validation and memory management. SQL injection (A) targets databases, XSS (B) targets web users, and phishing (D) is a social engineering attack. Buffer overflow attacks can be exploited using techniques such as stack smashing or heap spraying. Modern systems implement protections like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to mitigate these attacks. Understanding buffer overflows is essential for secure software development and vulnerability assessment.

• Question 108:

  Which two elements of the incident response process are stated in NIST SP 800-61 r2? (Choose two.)

  A. detection and analysis
  B. post-incident activity
  C. vulnerability scoring
  D. vulnerability management
  E. risk assessment
  A. detection and analysis
  B. post-incident activity

• Question 109:

  Refer to exhibit.

  

  An analyst performs the analysis of the pcap file to detect the suspicious activity.

  What challenges did the analyst face in terms of data visibility?

  A. data encapsulation
  B. code obfuscation
  C. data encryption
  D. IP fragmentation
  C. data encryption

• Question 110:

  An analyst discovers that a legitimate security alert has been dismissed.

  Which signature caused this impact on network traffic?

  A. true negative
  B. false negative
  C. false positive
  D. true positive
  B. false negative

  ---

  Explanation

  A false negative occurs when the security system (usually a WAF) fails to identify a threat. It produces a "negative" outcome (meaning that no threat has been observed), even though a threat exists.