200-201: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) Part 1
Question #: 1
Topic #: 1
Which event is user interaction?
A. gaining root access
B. executing remote code
C. reading and writing file permission
D. opening a malicious file
Selected Answer: D
Question #: 2
Topic #: 1
Which security principle requires that more than one person perform a critical task?
A. least privilege
B. need to know
C. separation of duties
D. due diligence
Selected Answer: C
Question #: 3
Topic #: 1
How is attacking a vulnerability categorized?
A. action on objectives
B. delivery
C. exploitation
D. installation
Selected Answer: C
Question #: 4
Topic #: 1
What is a benefit of agent-based protection when compared to agentless protection?
A. It lowers maintenance costs
B. It provides a centralized platform
C. It collects and detects all traffic locally
D. It manages numerous devices simultaneously
Selected Answer: B
Question #: 5
Topic #: 1
Which principle is being followed when an analyst gathers information relevant to a security incident to determine the appropriate course of action?
A. decision making
B. rapid response
C. data mining
D. due diligence
Selected Answer: D
Question #: 6
Topic #: 1
One of the objectives of information security is to protect the CIA of information and systems.
What does CIA mean in this context?
A. confidentiality, identity, and authorization
B. confidentiality, integrity, and authorization
C. confidentiality, identity, and availability
D. confidentiality, integrity, and availability
Selected Answer: D
Question #: 7
Topic #: 1
What is rule-based detection when compared to statistical detection?
A. proof of a user’s identity
B. proof of a user’s action
C. likelihood of user’s action
D. falsification of a user’s identity
Selected Answer: B
Question #: 8
Topic #: 1
An engineer configured the regular expression ".*\.([Dd][Oo][Cc]|[Xx][LI][Ss]|[Pp][Pp][Tt]) HTTP/1.[01]" on a Cisco ASA firewall. What does this regular expression do?
A. It captures .doc, .xls, and .pdf files in HTTP v1.0 and v1.1.
B. It captures documents in an HTTP network session.
C. It captures Word, Excel, and PowerPoint files in HTTP v1.0 and v1.1.
D. It captures .doc, .xls, and .ppt file extensions in HTTP v1.0.
Selected Answer: A
Question #: 9
Topic #: 1
Which process is used when IPS events are removed to improve data integrity?
A. data availability
B. data normalization
C. data signature
D. data protection
Selected Answer: B
Question #: 10
Topic #: 1
An analyst is investigating an incident in a SOC environment.
Which method is used to identify a session from a group of logs?
A. sequence numbers
B. IP identifier
C. 5-tuple
D. timestamps
Selected Answer: C
Question #: 11
Topic #: 1
What is a difference between SOAR and SIEM?
A. SOAR platforms are used for threat and vulnerability management, but SIEM applications are not
B. SIEM applications are used for threat and vulnerability management, but SOAR platforms are not
C. SOAR receives information from a single platform and delivers it to a SIEM
D. SIEM receives information from a single platform and delivers it to a SOAR
Selected Answer: D
Question #: 12
Topic #: 1
What is the difference between mandatory access control (MAC) and discretionary access control (DAC)?
A. MAC is controlled by the discretion of the owner and DAC is controlled by an administrator
B. MAC is the strictest of all levels of control and DAC is object-based access
C. DAC is controlled by the operating system and MAC is controlled by an administrator
D. DAC is the strictest of all levels of control and MAC is object-based access
Selected Answer: B
Question #: 13
Topic #: 1
What is the practice of giving employees only those permissions necessary to perform their specific role within an organization?
A. least privilege
B. need to know
C. integrity validation
D. due diligence
Selected Answer: A
Question #: 14
Topic #: 1
What is the virtual address space for a Windows process?
A. physical location of an object in memory
B. set of pages that reside in the physical memory
C. system-level memory protection feature built into the operating system
D. set of virtual memory addresses that can be used
Selected Answer: D
Question #: 15
Topic #: 1
Which security principle is violated by running all processes as root or administrator?
A. principle of least privilege
B. role-based access control
C. separation of duties
D. trusted computing base
Selected Answer: A
Question #: 16
Topic #: 1
What is the function of a command and control server?
A. It enumerates open ports on a network device
B. It drops a secondary payload into malware
C. It is used to regain control of the network after a compromise
D. It sends instructions to a compromised system
Selected Answer: D
Question #: 17
Topic #: 1
What is the difference between deep packet inspection and stateful inspection?
A. Deep packet inspection is more secure than stateful inspection on Layer 4
B. Stateful inspection verifies contents at Layer 4 and deep packet inspection verifies connection at Layer 7
C. Stateful inspection is more secure than deep packet inspection on Layer 7
D. Deep packet inspection allows visibility on Layer 7 and stateful inspection allows visibility on Layer 4
Selected Answer: D
Question #: 18
Topic #: 1
Which evasion technique is a function of ransomware?
A. extended sleep calls
B. encryption
C. resource exhaustion
D. encoding
Selected Answer: B
Question #: 19
Topic #: 1
Refer to the exhibit. Which two elements in the table are parts of the 5-tuple? (Choose two.)
A. First Packet
B. Initiator User
C. Ingress Security Zone
D. Source Port
E. Initiator IP
Selected Answer: DE
Question #: 20
Topic #: 1
DRAG DROP –
Drag and drop the security concept on the left onto the example of that concept on the right.
Select and Place:
Suggested Answer:
Question #: 21
Topic #: 1
What is the difference between statistical detection and rule-based detection models?
A. Rule-based detection involves the collection of data in relation to the behavior of legitimate users over a period of time
B. Statistical detection defines legitimate data of users over a period of time and rule-based detection defines it on an IF/THEN basis
C. Statistical detection involves the evaluation of an object on its intended actions before it executes that behavior
D. Rule-based detection defines legitimate data of users over a period of time and statistical detection defines it on an IF/THEN basis
Selected Answer: B
Question #: 22
Topic #: 1
What is the difference between a threat and a risk?
A. Threat represents a potential danger that could take advantage of a weakness, while the risk is the likelihood of a compromise or damage of an asset.
B. Risk represents the known and identified loss or danger in the system, while threat is a non-identified impact of possible risks.
C. Risk is the unintentional possibility of damages or harm to infrastructure, while the threats are certain and intentional.
D. Threat is a state of being exposed to an attack or a compromise, while risk is the calculation of damage or potential loss affecting the organization from an exposure.
Selected Answer: D
Question #: 23
Topic #: 1
Which attack method intercepts traffic on a switched network?
A. denial of service
B. ARP cache poisoning
C. DHCP snooping
D. command and control
Selected Answer: B
Question #: 24
Topic #: 1
What does an attacker use to determine which network ports are listening on a potential target device?
A. man-in-the-middle
B. port scanning
C. SQL injection
D. ping sweep
Selected Answer: B
Question #: 25
Topic #: 1
What is a purpose of a vulnerability management framework?
A. identifies, removes, and mitigates system vulnerabilities
B. detects and removes vulnerabilities in source code
C. conducts vulnerability scans on the network
D. manages a list of reported vulnerabilities
Selected Answer: A
Question #: 26
Topic #: 1
A network engineer discovers that a foreign government hacked one of the defense contractors in their home country and stole intellectual property. What is the threat agent in this situation?
A. the intellectual property that was stolen
B. the defense contractor who stored the intellectual property
C. the method used to conduct the attack
D. the foreign government that conducted the attack
Selected Answer: D
Question #: 27
Topic #: 1
What is the practice of giving an employee access to only the resources needed to accomplish their job?
A. principle of least privilege
B. organizational separation
C. separation of duties
D. need to know principle
Selected Answer: A
Question #: 28
Topic #: 1
Which metric is used to capture the level of access needed to launch a successful attack?
A. privileges required
B. user interaction
C. attack complexity
D. attack vector
Selected Answer: D
Question #: 29
Topic #: 1
What is the difference between an attack vector and an attack surface?
A. An attack surface identifies vulnerabilities that require user input or validation; and an attack vector identifies vulnerabilities that are independent of user actions.
B. An attack vector identifies components that can be exploited; and an attack surface identifies the potential path an attack can take to penetrate the network.
C. An attack surface recognizes which network parts are vulnerable to an attack; and an attack vector identifies which attacks are possible with these vulnerabilities.
D. An attack vector identifies the potential outcomes of an attack; and an attack surface launches an attack using several methods against the identified vulnerabilities.
Selected Answer: C
Question #: 30
Topic #: 1
Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?
A. integrity
B. confidentiality
C. availability
D. scope
Selected Answer: A
Question #: 31
Topic #: 1
A security specialist notices 100 HTTP GET and POST requests for multiple pages on the web servers. The agent in the requests contains PHP code that, if executed, creates and writes to a new PHP file on the webserver. Which event category is described?
A. reconnaissance
B. action on objectives
C. installation
D. exploitation
Selected Answer: D
Question #: 32
Topic #: 1
What specific type of analysis is assigning values to the scenario to see expected outcomes?
A. deterministic
B. exploratory
C. probabilistic
D. descriptive
Selected Answer: C
Question #: 33
Topic #: 1
When trying to evade IDS/IPS devices, which mechanism allows the user to make the data incomprehensible without a specific key, certificate, or password?
A. fragmentation
B. pivoting
C. encryption
D. steganography
Selected Answer: A
Question #: 34
Topic #: 1
Why is encryption challenging to security monitoring?
A. Encryption analysis is used by attackers to monitor VPN tunnels.
B. Encryption is used by threat actors as a method of evasion and obfuscation.
C. Encryption introduces additional processing requirements by the CPU.
D. Encryption introduces larger packet sizes to analyze and store.
Selected Answer: C
Question #: 35
Topic #: 1
An employee reports that someone has logged into their system and made unapproved changes, files are out of order, and several documents have been placed in the recycle bin. The security specialist reviewed the system logs, found nothing suspicious, and was not able to determine what occurred. The software is up to date; there are no alerts from antivirus and no failed login attempts. What is causing the lack of data visibility needed to detect the attack?
A. The threat actor used a dictionary-based password attack to obtain credentials.
B. The threat actor gained access to the system by known credentials.
C. The threat actor used the teardrop technique to confuse and crash login services.
D. The threat actor used an unknown vulnerability of the operating system that went undetected.
Selected Answer: B
Question #: 36
Topic #: 1
A company receptionist received a threatening call referencing stealing assets and did not take any action assuming it was a social engineering attempt. Within 48 hours, multiple assets were breached, affecting the confidentiality of sensitive information. What is the threat actor in this incident?
A. company assets that are threatened
B. customer assets that are threatened
C. perpetrators of the attack
D. victims of the attack
Selected Answer: C
Question #: 37
Topic #: 1
What is the relationship between a vulnerability and a threat?
A. A threat exploits a vulnerability
B. A vulnerability is a calculation of the potential loss caused by a threat
C. A vulnerability exploits a threat
D. A threat is a calculation of the potential loss caused by a vulnerability
Selected Answer: A
Question #: 38
Topic #: 1
What is the principle of defense-in-depth?
A. Agentless and agent-based protection for security are used.
B. Several distinct protective layers are involved.
C. Access control models are involved.
D. Authentication, authorization, and accounting mechanisms are used.
Selected Answer: B
Question #: 39
Topic #: 1
DRAG DROP –
Drag and drop the uses on the left onto the type of security system on the right.
Select and Place:
Suggested Answer:
Question #: 40
Topic #: 1
What is the difference between rule-based detection and behavioral detection?
A. Rule-Based detection is searching for patterns linked to specific types of attacks, while behavioral is identifying per signature.
B. Rule-Based systems have established patterns that do not change with new data, while behavioral changes.
C. Behavioral systems are predefined patterns from hundreds of users, while Rule-Based only flags potentially abnormal patterns using signatures.
D. Behavioral systems find sequences that match a particular attack signature, while Rule-Based identifies potential attacks.
Selected Answer: B
Question #: 41
Topic #: 1
A security incident occurred with the potential of impacting business services. Who performs the attack?
A. threat actor
B. malware author
C. direct competitor
D. bug bounty hunter
Selected Answer: C
Question #: 42
Topic #: 1
How does a certificate authority impact security?
A. It authenticates domain identity when requesting an SSL certificate.
B. It validates client identity when communicating with the server.
C. It authenticates client identity when requesting an SSL certificate.
D. It validates the domain identity of the SSL certificate.
Selected Answer: B
Question #: 43
Topic #: 1
Which data type is necessary to get information about source/destination ports?
A. statistical data
B. session data
C. alert data
D. connectivity data
Selected Answer: B
Question #: 44
Topic #: 1
Which event is a vishing attack?
A. obtaining disposed documents from an organization
B. using a vulnerability scanner on a corporate network
C. impersonating a tech support agent during a phone call
D. setting up a rogue access point near a public hotspot
Selected Answer: A
Question #: 45
Topic #: 1
DRAG DROP –
Drag and drop the security concept from the left onto the example of that concept on the right.
Select and Place:
Suggested Answer:
Question #: 46
Topic #: 1
What is a difference between SIEM and SOAR?
A. SIEM predicts and prevents security alerts, while SOAR checks attack patterns and applies the mitigation.
B. SIEM’s primary function is to collect and detect anomalies, while SOAR is more focused on security operations automation and response.
C. SOAR’s primary function is to collect and detect anomalies, while SIEM is more focused on security operations automation and response.
D. SOAR predicts and prevents security alerts, while SIEM checks attack patterns and applies the mitigation.
Selected Answer: B
Question #: 47
Topic #: 1
What is vulnerability management?
A. A process to identify and remediate existing weaknesses.
B. A process to recover from service interruptions and restore business-critical applications.
C. A security practice of performing actions rather than acknowledging the threats.
D. A security practice focused on clarifying and narrowing intrusion points.
Selected Answer: A
Question #: 48
Topic #: 1
What is a difference between signature-based and behavior-based detection?
A. Signature-based identifies behaviors that may be linked to attacks, while behavior-based has a predefined set of rules to match before an alert.
B. Behavior-based identifies behaviors that may be linked to attacks, while signature-based has a predefined set of rules to match before an alert.
C. Behavior-based uses a known vulnerability database, while signature-based intelligently summarizes existing data.
D. Signature-based uses a known vulnerability database, while behavior-based intelligently summarizes existing data.
Selected Answer: B
Question #: 49
Topic #: 1
When communicating via TLS, the client initiates the handshake to the server and the server responds back with its certificate for identification.
Which information is available on the server certificate?
A. server name, trusted subordinate CA, and private key
B. trusted subordinate CA, public key, and cipher suites
C. trusted CA name, cipher suites, and private key
D. server name, trusted CA, and public key
Selected Answer: D
Question #: 50
Topic #: 1
How does an SSL certificate impact security between the client and the server?
A. by enabling an authenticated channel between the client and the server
B. by creating an integrated channel between the client and the server
C. by enabling an authorized channel between the client and the server
D. by creating an encrypted channel between the client and the server
Selected Answer: D
Question #: 51
Topic #: 1
Which attack is the network vulnerable to when a stream cipher like RC4 is used twice with the same key?
A. forgery attack
B. plaintext-only attack
C. ciphertext-only attack
D. meet-in-the-middle attack
Selected Answer: C
Question #: 52
Topic #: 1
Which list identifies the information that the client sends to the server in the negotiation phase of the TLS handshake?
A. ClientStart, ClientKeyExchange, cipher-suites it supports, and suggested compression methods
B. ClientStart, TLS versions it supports, cipher-suites it supports, and suggested compression methods
C. ClientHello, TLS versions it supports, cipher-suites it supports, and suggested compression methods
D. ClientHello, ClientKeyExchange, cipher-suites it supports, and suggested compression methods
Selected Answer: C
Question #: 53
Topic #: 1
Refer to the exhibit. Which type of log is displayed?
A. IDS
B. proxy
C. NetFlow
D. sys
Selected Answer: A
Question #: 54
Topic #: 1
Refer to the exhibit. What information is depicted?
A. IIS data
B. NetFlow data
C. network discovery event
D. IPS event data
Selected Answer: C
Question #: 55
Topic #: 1
What is the difference between the ACK flag and the RST flag in the NetFlow log session?
A. The RST flag confirms the beginning of the TCP connection, and the ACK flag responds when the data for the payload is complete
B. The ACK flag confirms the beginning of the TCP connection, and the RST flag responds when the data for the payload is complete
C. The RST flag confirms the receipt of the prior segment, and the ACK flag allows for the spontaneous termination of a connection
D. The ACK flag confirms the receipt of the prior segment, and the RST flag allows for the spontaneous termination of a connection
Selected Answer: C
Question #: 56
Topic #: 1
Refer to the exhibit. Which type of log is displayed?
A. proxy
B. NetFlow
C. IDS
D. sys
Selected Answer: B
Question #: 57
Topic #: 1
How is NetFlow different from traffic mirroring?
A. NetFlow collects metadata and traffic mirroring clones data.
B. Traffic mirroring impacts switch performance and NetFlow does not.
C. Traffic mirroring costs less to operate than NetFlow.
D. NetFlow generates more data than traffic mirroring.
Selected Answer: A
Question #: 58
Topic #: 1
What makes HTTPS traffic difficult to monitor?
A. SSL interception
B. packet header size
C. signature detection time
D. encryption
Selected Answer: D
Question #: 59
Topic #: 1
How does an attacker observe network traffic exchanged between two users?
A. port scanning
B. man-in-the-middle
C. command injection
D. denial of service
Selected Answer: B
Question #: 60
Topic #: 1
Which type of data consists of connection-level, application-specific records generated from network traffic?
A. transaction data
B. location data
C. statistical data
D. alert data
Selected Answer: A