Cisco 200-201 Online Practice Questions and Exam Preparation

Cisco 200-201 Online Questions & Answers

• Question 321:

  An engineer must analyze a security event from last month. The engineer has access to a.pcap file collected via traffic mirroring and NetFlow data. The engineer must perform checks quickly on a busy network segment without prior knowledge of the incident details.

  Which source of data should be used for analysis?

  A. pcap file because it is easy to track all activity for the last month
  B. NetFlow because it has all needed data
  C. both sources, first NetFlow because collection is easy, then pcap
  D. both sources, first.pcap based on a simple query, then NetFlow
  B. NetFlow because it has all needed data

  ---

  Explanation

  When an analyst needs to quickly assess a historical security event on a busy network segment, efficiency and scalability are critical. NetFlow is specifically designed to support rapid, high-level analysis of network activity without requiring deep packet inspection. NetFlow provides summarized metadata such as source and destination IP addresses, ports, protocols, timestamps, and volume of data transferred. This information allows engineers to quickly identify suspicious hosts, unusual traffic patterns, and the scope of potential incidents-even when they have little prior context. Because NetFlow data is compact, indexed, and optimized for querying, it is far more suitable for fast analysis over long time ranges, such as a full month. In contrast,.pcap files contain full packet payloads and generate massive data volumes, especially on busy network segments. Analyzing.pcap data without a specific hypothesis is time-consuming and computationally expensive, making it impractical for quick triage or broad scoping.

  Cybersecurity operations documentation emphasizes NetFlow as the preferred data source for initial investigation, scoping, and rapid situational awareness, with packet captures reserved for deeper forensic analysis once suspicious activity has been identified.

  Therefore, NetFlow is the correct choice for fast, efficient analysis in this scenario.

• Question 322:

  An employee received an email from a colleague's address asking for the password for the domain controller. The employee noticed a missing letter within the sender's address.

  What does this incident describe?

  A. brute-force attack
  B. insider attack
  C. shoulder surfing
  D. social engineering
  D. social engineering

• Question 323:

  What is a scareware attack?

  A. inserting malicious code that causes popup windows with flashing colors
  B. overwhelming a targeted website with fake traffic
  C. gaining access to your computer and encrypting data stored on it
  D. using the spoofed email addresses to trick people into providing login credentials
  A. inserting malicious code that causes popup windows with flashing colors

  ---

  Explanation

  Scareware is a type of malware attack that tricks users into believing their computer is infected with a virus, prompting them to download and pay for fake antivirus software. The attack often uses popup windows with flashing colors to create a sense of urgency and scare the user into taking immediate action. Cisco Certified CyberOps Associate certification materials

• Question 324:

  Refer to the exhibit.

  

  Which technology produced the log?

  A. antivirus
  B. IPS/IDS
  C. firewall
  D. proxy
  D. proxy

• Question 325:

  What is the principle of defense-in-depth?

  A. Agentless and agent-based protection for security are used.
  B. Several distinct protective layers are involved.
  C. Access control models are involved.
  D. Authentication, authorization, and accounting mechanisms are used.
  B. Several distinct protective layers are involved.

• Question 326:

  What is a collection of compromised machines that attackers use to carry out a DDoS attack?

  A. subnet
  B. botnet
  C. VLAN
  D. command and control
  B. botnet

• Question 327:

  What is an example of social engineering attacks?

  A. receiving an unexpected email from an unknown person with an attachment from someone in the same company
  B. receiving an email from human resources requesting a visit to their secure website to update contact information
  C. sending a verbal request to an administrator who knows how to change an account password
  D. receiving an invitation to the department's weekly WebEx meeting
  C. sending a verbal request to an administrator who knows how to change an account password

• Question 328:

  What describes the usage of a rootkit in endpoint-based attacks?

  A. remote code execution that causes a denial-of-service on the system
  B. exploit that can be used to perform remote code execution
  C. set of vulnerabilities used by an attacker to disable root access on the system
  D. set of tools used by an attacker to maintain control of a compromised system while avoiding detection
  D. set of tools used by an attacker to maintain control of a compromised system while avoiding detection

• Question 329:

  A malicious file has been identified in a sandbox analysis tool.

  

  Which piece of information is needed to search for additional downloads of this file by other hosts?

  A. file header type
  B. file size
  C. file name
  D. file hash value
  D. file hash value

• Question 330:

  Refer to the exhibit.

  

  An engineer received a ticket about a slowdown of a web application. During analysis of traffic, the engineer suspects a possible attack on a web server.

  How should the engineer interpret the Wireshark traffic capture?

  A. 10.128.0.2 sends HTTP / FORBIDDEN / 1.1 and GET requests, and the target responds with HTTP/1.1 200 OK and HTTP/1.1 403. This is an HTTP cache bypass attack.
  B. 10.0.0.2 sends GET / HTTP / 1.1 and POST requests, and the target responds with HTTP/1.1 200 OK and HTTP/1.1 403 accordingly. This is an HTTP flood attempt.
  C. 10.128.0.2 sends POST / HTTP / 1.1 and GET requests, and the target responds with HTTP/1.1 200 OK and HTTP/1.1 403 accordingly. This is an HTTP Reverse Bandwidth flood.
  D. 10.0.0.2 sends HTTP / FORBIDDEN / 1.1 and POST requests, while the target responds with HTTP/1.1 200 GET and HTTP/1.1 403. This is an HTTP GET flood attack.
  B. 10.0.0.2 sends GET / HTTP / 1.1 and POST requests, and the target responds with HTTP/1.1 200 OK and HTTP/1.1 403 accordingly. This is an HTTP flood attempt.

  ---

  Explanation

  When analyzing Wireshark traffic for potential attacks, an engineer should look for patterns that indicate abnormal behavior, such as:

  Excessive Requests: A high number of requests over a short period could suggest an attempt to overwhelm the server, known as an HTTP flood.

  Status Codes: Repeated 403 Forbidden responses may indicate that the server is rejecting requests due to a security rule being triggered.

  Request Types: A mix of GET and POST requests could be used in various attack scenarios, including bandwidth flooding or cache bypassing.