200-201 Exam Details

  • Exam Code: 200-201
  • Exam Name: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)
  • Certification: CyberOps Associate
  • Vendor: Cisco
  • Total Questions: 543 Q&As
  • Last Updated: May 24, 2026

Cisco 200-201 Online Questions & Answers

  • Question 391:

    Which data capture includes payload and header information?

    A. frame check sequence
    B. full packet
    C. alert data
    D. session logs

  • Question 392:

    Which attack involves redirecting users to a malicious website without their knowledge?

    A. phishing
    B. pharming
    C. spoofing
    D. sniffing

  • Question 393:

    A security analyst notices a sudden surge of incoming traffic and detects unknown packets from unknown senders. After further investigation, the analyst learns that customers claim that they cannot access company servers. According to NIST SP800-61, in which phase of the incident response process is the analyst?

    A. post-incident activity
    B. detection and analysis
    C. preparation
    D. containment, eradication, and recovery

  • Question 394:

    What are two differences between tampered disk images and untampered disk images? (Choose two.)

    A. The image is tampered if the stored hash and the computed hash are identical.
    B. Tampered images are used as an element for the root cause analysis report.
    C. Untampered images can be used as law enforcement evidence.
    D. Tampered images are used in a security investigation process.
    E. The image is untampered if the existing stored hash matches the computed one.

  • Question 395:

    Refer to the exhibit.

    Which event is occurring?

    A. A binary named "submit" is running on VM cuckoo1.
    B. A binary is being submitted to run on VM cuckoo1.
    C. A binary on VM cuckoo1 is being submitted for evaluation.
    D. A URL is being evaluated to see if it has a malicious binary.

  • Question 396:

    Which difficulty occurs when log messages are compared from two devices separated by a Layer 3 device that performs Network Address Translation?

    A. IP addresses in the log messages match.
    B. Timestamps of the log messages are different.
    C. Log messages contain incorrect information.
    D. IP addresses in the log messages do not match.

  • Question 397:

    An analyst received a ticket about degraded processing capability for one of the HR department's servers. On the same day, an engineer noticed disabled antivirus software and could not determine when or why it occurred.

    According to the NIST Incident Handling Guide, what is the next phase of this investigation?

    A. Detection
    B. Analysis
    C. Eradication
    D. Recovery

  • Question 398:

    Why should an engineer use a full packet capture to investigate a security breach?

    A. It provides the full TCP streams for the engineer to follow the metadata to identify the incoming threat.
    B. It collects metadata for the engineer to analyze, including IP traffic packet data that is sorted, parsed, and indexed.
    C. It reconstructs the event allowing the engineer to identify the root cause by seeing what took place during the breach.
    D. It captures the TCP flags set within each packet for the engineer to focus on suspicious packets to identify malicious activity.

  • Question 399:

    Refer to the exhibit.

    What is depicted in the exhibit?

    A. Windows Event logs
    B. Apache logs
    C. IIS logs
    D. UNIX-based syslog

  • Question 400:

    Which type of access control depends on the job function of the user?

    A. discretionary access control
    B. nondiscretionary access control
    C. role-based access control
    D. rule-based access control
