Cisco 200-201 Online Practice Questions and Exam Preparation

Cisco 200-201 Online Questions & Answers

• Question 141:

  What is the name of the technology that searches for and reports on known weaknesses and flaws present in an organization's IT infrastructure?

  A. vulnerability scanner
  B. identity and access management
  C. configuration management
  D. mobile device management
  A. vulnerability scanner

  ---

  Explanation

  A vulnerability scanner is a core security technology used to identify known weaknesses, misconfigurations, and exploitable flaws within an organization's IT infrastructure. These tools systematically scan systems, networks, applications, and devices to compare them against databases of known vulnerabilities, such as missing patches, insecure services, outdated software versions, and weak configurations. Vulnerability scanners operate by probing systems using signatures, checks, and authenticated or unauthenticated methods to determine exposure to threats. The results are typically presented in detailed reports that include severity ratings, affected assets, and remediation guidance. This makes vulnerability scanning an essential foundational activity in cybersecurity operations, risk management, and compliance programs. The other options do not fulfill this function. Identity and access management focuses on user authentication, authorization, and access control, not weakness detection. Configuration management ensures systems remain in a desired state but does not actively discover vulnerabilities. Mobile device management is limited to controlling and securing mobile endpoints rather than assessing infrastructure-wide weaknesses. From an operational perspective, vulnerability scanning supports proactive defense by allowing organizations to identify and remediate issues before attackers exploit them. It is commonly integrated into continuous monitoring programs, patch management workflows, and security assessments. As emphasized in cybersecurity operations documentation, vulnerability scanners are a primary mechanism for visibility into an organization's attack surface.

• Question 142:

  A SOC analyst detected connections to known C&C and port scanning activity to main HR database servers from one of the HR endpoints, via Cisco StealthWatch.

  What are the two next steps of the SOC team according to the NIST.SP800- 61 incident handling process? (Choose two.)

  A. Update antivirus signature databases on affected endpoints to block connections to C&C.
  B. Isolate affected endpoints and take disk images for analysis.
  C. Block connection to this C&C server on the perimeter next-generation firewall.
  D. Provide security awareness training to HR managers and employees
  E. Detect the attack vector and analyze C&C connections.
  B. Isolate affected endpoints and take disk images for analysis.
  C. Block connection to this C&C server on the perimeter next-generation firewall.

• Question 143:

  What are two denial of service attacks? (Choose two.)

  A. MITM
  B. TCP connections
  C. ping of death
  D. UDP flooding
  E. code red
  C. ping of death
  D. UDP flooding

• Question 144:

  

  Refer to the exhibit. A security engineer receives several alerts from the SNORT IPS/IDS reporting malicious traffic.

  What should the engineer understand by examining the SNORT logs?

  A. A remote threat performs an EternalBlue attack on a Windows system on several ports.
  B. An inside threat performs an EternalBlue attack on hosts 192.168.2.101 and 192.168.200.10 on port 445.
  C. A remote threat performs an EternalBlue attack on several hosts and different ports.
  D. An inside threat performs an EternalBlue attack on a Windows system on port 445.
  C. A remote threat performs an EternalBlue attack on several hosts and different ports.

  ---

  Explanation

• Question 145:

  Which scenario describes a social engineering attack?

  A. Malicious insider trying to gather information on company security
  B. Text message pretending to be from a legitimate company with a malicious URL inside
  C. Suspicious file detected on a workstation
  D. Company with a recent data breach where confidential information was stolen
  B. Text message pretending to be from a legitimate company with a malicious URL inside

• Question 146:

  Which action matches the weaponization step of the Cyber Kill Chain Model?

  A. Develop a specific malware to exploit a vulnerable server.
  B. Construct a trojan and deliver it to the victim.
  C. Match a known script to a vulnerability.
  D. Scan open services and ports on a server.
  A. Develop a specific malware to exploit a vulnerable server.

  ---

  Explanation

  The weaponization step in the Cyber Kill Chain Model involves the creation or use of a specific weapon (malware, exploit) designed to leverage a vulnerability. This phase follows the reconnaissance phase where the attacker gathers information and precedes the delivery phase where the weapon is delivered to the target.

  Developing specific malware to exploit a vulnerable server is a precise example of weaponization.

  References

  Lockheed Martin Cyber Kill Chain Model

  Understanding the Weaponization Phase in Cyber Attacks Steps in the Cyber Kill Chain

• Question 147:

  Syslog collecting software is installed on the server For the log containment, a disk with FAT type partition is used An engineer determined that log files are being corrupted when the 4 GB tile size is exceeded.

  Which action resolves the issue?

  A. Add space to the existing partition and lower the retention penod.
  B. Use FAT32 to exceed the limit of 4 GB.
  C. Use the Ext4 partition because it can hold files up to 16 TB.
  D. Use NTFS partition for log file containment
  D. Use NTFS partition for log file containment

• Question 148:

  Refer to the exhibit.

  

  What is the potential threat identified in this Stealthwatch dashboard?

  A. Host 10.201.3.149 is sending data to 152.46.6.91 using TCP/443.
  B. Host 152.46.6.91 is being identified as a watchlist country for data transfer.
  C. Traffic to 152.46.6.149 is being denied by an Advanced Network Control policy.
  D. Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.
  D. Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.

  ---

  Explanation

  The exhibit shows a Stealthwatch dashboard displaying information on alarming hosts, alarms by type, and today's alarms. On the left side under "Top Alarming Hosts," there are five host IP addresses listed with their respective categories indicating different types of alerts including `Data Hoarding' and `Exfiltration.' In "Alarms by Type" section at center top part of image shows bar graphs representing various alarm types including `Crypto Violation' with their respective counts.

  On right side under "Today's Alarms," there's a table showing the details of each alarm such as the host IP, the alarm type, the severity, and the time. The potential threat identified in this dashboard is that host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91, which is a sign of data exfiltration. Data exfiltration is the unauthorized transfer of data from a compromised system to an external destination, such as a command and control server

  or a malicious actor. This can result in data loss, breach of confidentiality, and damage to the organization's reputation and assets.

  References:

  Cisco Cybersecurity Operations Fundamentals - Module 7: Network and Host Forensics

• Question 149:

  Refer to the exhibit.

  

  An engineer is analyzing a PCAP file after a recent breach An engineer identified that the attacker used an aggressive ARP scan to scan the hosts and found web and SSH servers. Further analysis showed several SSH Server Banner and Key Exchange Initiations. The engineer cannot see the exact data being transmitted over an encrypted channel and cannot identify how the attacker gained access.

  How did the attacker gain access?

  A. by using the buffer overflow in the URL catcher feature for SSH
  B. by using an SSH Tectia Server vulnerability to enable host-based authentication
  C. by using an SSH vulnerability to silently redirect connections to the local host
  D. by using brute force on the SSH service to gain access
  D. by using brute force on the SSH service to gain access

• Question 150:

  According to the NIST SP 800-86.

  which two types of data are considered volatile? (Choose two.)

  A. swap files
  B. temporary files
  C. login sessions
  D. dump files
  E. free space
  C. login sessions
  E. free space

  ---

  Explanation

  According to NIST SP 800-86, volatile data refers to data that is lost when the system is powered off. This includes active data in RAM, such as login sessions and free space in memory that may still contain remnants of previous activity.

  These types of data are critical to collect early during an investigation due to their ephemeral nature.