A company employee is connecting to mail.google.com from an endpoint device. The website loads, but with an error.
What is occurring?
A. DNS hijacking attack
B. Endpoint local time is invalid.
C. Certificate is not in trusted roots.
D. man-in-the-middle attack
C. Certificate is not in trusted roots.
Question 302:
What is an advantage of symmetric over asymmetric encryption?
A. A key is generated on demand according to data type.
B. A one-time encryption key is generated for data transmission.
C. It is suited for transmitting large amounts of data.
D. It is a faster encryption mechanism for sessions
D. It is a faster encryption mechanism for sessions
Explanation
Symmetric encryption is a type of encryption that uses the same key to encrypt and decrypt data. Asymmetric encryption is a type of encryption that uses a pair of keys: a public key and a private key. The public key can be used to encrypt data, but only the private key can decrypt it, and vice versa. An advantage of symmetric encryption over asymmetric encryption is that it is faster and more efficient for encrypting large amounts of data, such as in sessions or bulk transfers.
Asymmetric encryption is slower and more computationally intensive, but it is more secure and suitable for key exchange or digital signatures.
Security Monitoring, Lesson 2.3: Cryptography and PKI, Topic 2.3.1: Cryptography
Question 303:
A company's cyber security team ran a phishing simulation campaign for employees and delivered security awareness training to the affected personnel.
According to NIST SP 800-61, in which phase of incident response does this action belong?
A. post-incident activity phase
B. detection and analysis phase
C. preparation phase
D. eradication and recovery phase
C. preparation phase
Question 304:
An engineer runs a suspicious file in a sandbox analysis tool to see the outcome. The analysis report shows that outbound callouts were made post infection.
Which two pieces of information from the analysis report are needed to investigate the callouts? (Choose two.)
A. signatures
B. host IP addresses
C. file size
D. dropped files
E. domain names
B. host IP addresses
E. domain names
Question 305:
The SOC team has confirmed a potential indicator of compromise on an isolated endpoint. The team has narrowed the potential malware type to a new trojan family.
According to the NIST Computer Security Incident Handling Guide, what is the next step in handling the event?
A. Perform an AV scan on the infected endpoint.
B. Isolate the infected endpoint from the network.
C. Prioritize incident handling based on the impact.
D. Analyze the malware behavior.
B. Isolate the infected endpoint from the network.
Question 306:
Refer to the exhibit.
A SOC analyst received a message from SIEM about abnormal activity on the Windows server.
The analyst checked the Windows event log and saw numerous Audit Failures logs.
What is occurring?
A. Windows failed to audit the logs
B. regular Windows log
C. brute-force attack
D. DoS attack
C. brute-force attack
Explanation
Windows Security Event ID 4625 is generated when an account fails to log on. When a SOC analyst observes a large number of Audit Failure events occurring in rapid succession, this is a strong indicator of a brute-force authentication attack. Brute-force attacks involve repeatedly attempting different username and password combinations to gain unauthorized access to a system. These attacks commonly target Windows servers exposed to internal or external networks and often focus on privileged or commonly used accounts. The repeated failures shown in the exhibit indicate that authentication attempts are being made unsuccessfully over a short time period, which is abnormal for standard user behavior.
Option A is incorrect because the logs clearly show that Windows auditing is functioning correctly and recording failures.
Option B is incorrect because normal Windows activity does not generate large volumes of failed authentication events in a short time frame.
Option D is incorrect because a Denial-of-Service (DoS) attack targets system availability and resource exhaustion, not authentication mechanisms.
Cybersecurity operations documentation highlights failed login storms as one of the most common indicators of credential-based attacks. SIEM platforms are designed to alert analysts on such patterns because they often precede account compromise or lateral movement attempts.
Question 307:
What is corroborating evidence?
A. Evidence that can be provided to cyber police for further restrictive actions over threat actors
B. Evidence that can be presented in court in the original form, such as an exact copy of a hard drive
C. Evidence that tends to support a theory or an assumption deduced by some initial evidence
D. Evidence that relies on an extrapolation to a conclusion of fact, such as fingerprints
C. Evidence that tends to support a theory or an assumption deduced by some initial evidence
Question 308:
Which filter allows an engineer to filter traffic in Wireshark to further analyze the PCAP file by only showing the traffic for LAN 10.11.x.x, between workstations and servers without the Internet?
A. src=10.11.0.0/16 and dst=10.11.0.0/16
B. ip.src==10.11.0.0/16 and ip.dst==10.11.0.0/16
C. ip.src=10.11.0.0/16 and ip.dst=10.11.0.0/16
D. src==10.11.0.0/16 and dst==10.11.0.0/16
B. ip.src==10.11.0.0/16 and ip.dst==10.11.0.0/16
Question 309:
What is a description of a social engineering attack?
A. fake offer for free music download to trick the user into providing sensitive data
B. package deliberately sent to the wrong receiver to advertise a new product
C. mistakenly received valuable order destined for another person and hidden on purpose
D. email offering last-minute deals on various vacations around the world with a due date and a counter
D. email offering last-minute deals on various vacations around the world with a due date and a counter
Question 310:
In a SOC environment, what is a vulnerability management metric?
A. code signing enforcement
B. full assets scan
C. internet exposed devices
D. single factor authentication