Cisco 200-201 Online Practice Questions and Exam Preparation

Cisco 200-201 Online Questions & Answers

• Question 431:

  How does an attacker observe network traffic exchanged between two users?

  A. port scanning
  B. man-in-the-middle
  C. command injection
  D. denial of service
  B. man-in-the-middle

  ---

  Explanation

  A man-in-the-middle (MITM) attack occurs when an attacker secretly intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other. In this scenario, an attacker can observe network traffic exchanged between two users by placing themselves in between their communication channel.

  References:

  Cisco Blogs - New Cybersecurity and Cloud Skills to Protect Companies from Cybersecurity Attacks of the Future

• Question 432:

  What is the difference between deep packet inspection and stateful inspection?

  A. Deep packet inspection gives insights up to Layer 7, and stateful inspection gives insights only up to Layer 4.
  B. Deep packet inspection is more secure due to its complex signatures, and stateful inspection requires less human intervention.
  C. Stateful inspection is more secure due to its complex signatures, and deep packet inspection requires less human intervention.
  D. Stateful inspection verifies data at the transport layer and deep packet inspection verifies data at the application layer
  A. Deep packet inspection gives insights up to Layer 7, and stateful inspection gives insights only up to Layer 4.

  ---

  Explanation

  Deep packet inspection (DPI) analyzes the data part (and possibly also the header) of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions, or defined criteria to decide whether the packet may pass or if it needs to be routed to a different destination. Stateful inspection, on the other hand, tracks the state of active connections and determines which network packets to allow through the firewall. While stateful inspection tracks the state of connections (Layer 4 - transport layer), DPI goes further by examining the payload of the packet (Layer 7 - application layer). Cisco's official documentation and cybersecurity courses would explain the differences between deep packet inspection and stateful inspection, including their respective layers of operation.

• Question 433:

  How does certificate authority impact a security system?

  A. It authenticates client identity when requesting SSL certificate
  B. It validates domain identity of a SSL certificate
  C. It authenticates domain identity when requesting SSL certificate
  D. It validates client identity when communicating with the sever
  B. It validates domain identity of a SSL certificate

• Question 434:

  Which type of data is used to detect anomalies in the network?

  A. statistical data
  B. metadata
  C. transaction data
  D. alert data
  A. statistical data

• Question 435:

  Which of these describes SOC metrics in relation to security incidents?

  A. time it takes to detect the incident
  B. time it takes to assess the risks of the incident
  C. probability of outage caused by the incident
  D. probability of compromise and impact caused by the incident
  A. time it takes to detect the incident

• Question 436:

  Which two measures are used by the defense-in-depth strategy? (Choose two.)

  A. Bridge the single connection into multiple.
  B. Divide the network into parts.
  C. Split packets into pieces.
  D. Implement the patch management process.
  E. Reduce the load on network devices.
  B. Divide the network into parts.
  D. Implement the patch management process.

• Question 437:

  Refer to the exhibit.

  

  A SOC analyst is examining the Windows security logs of one of the endpoints.

  What is the possible reason for this event log?

  A. Brute force attack
  B. Windows failed to audit logs
  C. Malware Attack
  D. System maintenance logs
  C. Malware Attack

• Question 438:

  What is the difference between tampered and untampered disk images?

  A. Untampered images are not secure.
  B. Tampered images are secure.
  C. Untampered images store hidden items inside.
  D. Tampered images store hidden items inside.
  D. Tampered images store hidden items inside.

  ---

  Explanation

  In digital forensics and incident response, disk imaging is a critical process used to create an exact copy of a storage device for analysis. An untampered disk image -also referred to as a forensically sound image-preserves the original data exactly as it existed at the time of acquisition. This includes file contents, metadata, deleted files, and unallocated space. Untampered images are verified using cryptographic hash values to ensure integrity and admissibility. A tampered disk image, on the other hand, is one that has been altered after acquisition or intentionally manipulated to conceal or insert data. Tampering may involve modifying files, altering metadata, injecting hidden data, or using steganographic techniques to store hidden items within the image. Such changes invalidate the integrity of the evidence and compromise forensic analysis. Options A and B are incorrect because security is not defined by whether an image is tampered or untampered;

  rather, integrity and authenticity are the determining factors. Option C is incorrect because untampered images do not intentionally store hidden items-they preserve data as-is. Cybersecurity operations documentation emphasizes that maintaining untampered disk images is essential for reliable investigation, legal proceedings, and accurate root-cause analysis. Any modification to an image must be documented and performed on a working copy, never the original.

  Therefore, the correct distinction is that tampered disk images may store hidden or altered items, making Option D the correct answer.

• Question 439:

  Which type of malware communicates with a remote server to receive instructions?

  A. worm
  B. spyware
  C. bot
  D. adware
  C. bot

  ---

  Explanation

  A bot is a type of malware that infects a system and connects to a command-and-control (C2) server to receive instructions from an attacker. These instructions can include launching attacks, sending spam, or participating in distributed denial-of-service (DDoS) campaigns. Bots are often part of a botnet, a network of compromised devices controlled centrally. Worms (A) self-replicate but do not necessarily rely on C2 communication. Spyware (B) focuses on collecting information, and adware (D) displays unwanted advertisements. The defining feature of bots is their ability to be remotely controlled, making them highly dangerous in coordinated attacks. Detecting bot activity often involves monitoring unusual outbound connections, especially to known malicious domains or IP addresses. Security tools such as IDS/IPS and threat intelligence feeds are used to identify and block such communications.

• Question 440:

  Which type of attack uses a botnet to reflect requests off of an NTP server to overwhelm a target?

  A. replay
  B. distributed denial of service
  C. denial of service
  D. man-in-the-middle
  B. distributed denial of service