Cisco 200-201 Online Practice Questions and Exam Preparation

Cisco 200-201 Online Questions & Answers

• Question 341:

  What is a difference between tampered and untampered disk images?

  A. Tampered images have the same stored and computed hash.
  B. Untampered images are deliberately altered to preserve as evidence.
  C. Tampered images are used as evidence.
  D. Untampered images are used for forensic investigations.
  D. Untampered images are used for forensic investigations.

  ---

  Explanation

  The disk image must be intact for forensics analysis. As a cybersecurity professional, you may be given the task of capturing an image of a disk in a forensic manner. Imagine a security incident has occurred on a system and you are required to perform some forensic investigation to determine who and what caused the attack. Additionally, you want to ensure the data that was captured is not tampered with or modified during the creation of a disk image process.

  Ref: Cisco Certified CyberOps Associate 200-201 Certification Guide

• Question 342:

  Which system monitors local system operation and local network access for violations of a security policy?

  A. host-based intrusion detection
  B. systems-based sandboxing
  C. host-based firewall
  D. antivirus
  A. host-based intrusion detection

  ---

  Explanation

  HIDS is capable of monitoring the internals of a computing system as well as the network packets on its network interfaces. Host-based firewall is a piece of software running on a single Host that can restrict incoming and outgoing Network activity for that host only.

• Question 343:

  What is a difference between a threat and a risk?

  A. A threat can be people, property, or information, and risk is a probability by which these threats may bring harm to the business.
  B. A risk is a flaw or hole in security, and a threat is what is being used against that flaw.
  C. A risk is an intersection between threat and vulnerabilities, and a threat is what a security engineer is trying to protect against.
  D. A threat is a sum of risks, and a risk itself represents a specific danger toward the asset.
  C. A risk is an intersection between threat and vulnerabilities, and a threat is what a security engineer is trying to protect against.

• Question 344:

  What is a comparison between rule-based and statistical detection?

  A. Statistical is based on measured data while rule-based uses the evaluated probability approach.
  B. Statistical uses the probability approach while rule-based is based on measured data.
  C. Rule-based is based on assumptions and statistical uses data known beforehand.
  D. Rule-based uses data known beforehand and statistical is based on assumptions.
  D. Rule-based uses data known beforehand and statistical is based on assumptions.

• Question 345:

  Which option describes indicators of attack?

  A. blocked phishing attempt on a company
  B. spam emails on an employee workstation
  C. virus detection by the AV software
  D. malware reinfection within a few minutes of removal
  D. malware reinfection within a few minutes of removal

  ---

  Explanation

  Indicators of attack (IoAs) are signs that an attack may be in progress or imminent. Malware reinfection within a few minutes of removal (D) is a strong IoA because it suggests that the attacker has a persistent mechanism to redeploy malware, indicating an active compromise of the system.

  Cisco's Cybersecurity Operations Fundamentals documents

• Question 346:

  How does an attack surface differ from an attack vector?

  A. An attack vector recognizes the potential outcomes of an attack, and the attack surface is choosing a method of an attack.
  B. An attack surface identifies vulnerable parts for an attack, and an attack vector specifies which attacks are feasible to those parts.
  C. An attack surface mitigates external vulnerabilities, and an attack vector identifies mitigation techniques and possible workarounds.
  D. An attack vector matches components that can be exploited, and an attack surface classifies the potential path for exploitation
  B. An attack surface identifies vulnerable parts for an attack, and an attack vector specifies which attacks are feasible to those parts.

  ---

  Explanation

  An attack surface is the sum of all the points where an attacker can try to enter or extract data from an environment. It includes all the hardware, software, network, and human components that are exposed to potential threats. An attack vector is the path or means by which an attacker can exploit a vulnerability in the attack surface. It describes the type, source, and technique of an attack, such as phishing, malware, denial-of-service, etc.

  References:

  Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 1: Security Concepts, Lesson 1.1: The CIA Triad and Security Concepts, Topic 1.1.3: Threats, Vulnerabilities, and Exploits

• Question 347:

  Which piece of information is needed for attribution in an investigation?

  A. attack surface and the threat posing the risk
  B. attack vector and exploited vulnerability
  C. asset value and an asset owner
  D. threat actor and associated behavior
  D. threat actor and associated behavior

• Question 348:

  Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?

  A. integrity
  B. confidentiality
  C. availability
  D. scope
  A. integrity

• Question 349:

  Refer to the exhibit.

  

  A SOC team member receives a case from his colleague with notes attached. The artifacts and alerts associated with the case must be analyzed and a conclusion must be provided.

  What is the cause of the alert?

  A. An insider threat compromised the service account to delete sensitive data.
  B. External attackers gained access and are exfiltrating data stealthily.
  C. A ransomware attack is underway, encrypting files and deleting originals.
  D. A misconfigured backup process malfunctioned, causing unexpected file changes.
  C. A ransomware attack is underway, encrypting files and deleting originals.

• Question 350:

  An engineer must gather data for monitoring purposes from different network devices. The engineer needs to collect events from the local network and use that information for packet sniffing. The solution must create an exact copy of traffic and provide full fidelity.

  Which solution should the engineer use?

  A. NAT
  B. tap
  C. SPAN ports
  D. tunneling
  B. tap

  ---

  Explanation

  A network TAP (Test Access Point) is a hardware device designed to create an exact, full-fidelity copy of network traffic for monitoring and packet analysis. TAPs operate at the physical layer and replicate all packets-including errors and malformed frames-without dropping traffic. This makes TAPs ideal for packet sniffing, intrusion detection, and forensic analysis where accuracy and completeness are critical. TAPs do not rely on switch resources and do not introduce packet loss during periods of high traffic. SPAN (mirror) ports can also copy traffic but are dependent on switch processing capacity and may drop packets during congestion, making them unreliable for full-fidelity capture. NAT modifies traffic, and tunneling encapsulates data rather than copying it.

  Cybersecurity operations documentation consistently identifies TAPs as the preferred solution when exact traffic replication is required. Therefore, the correct answer is tap.