200-201: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) Part 3
Question #: 121
Topic #: 1
Refer to the exhibit. Which type of attack is being executed?
A. cross-site request forgery
B. command injection
C. SQL injection
D. cross-site scripting
Selected Answer: C
Question #: 122
Topic #: 1
What is a difference between inline traffic interrogation and traffic mirroring?
A. Inline inspection acts on the original traffic data flow
B. Traffic mirroring passes live traffic to a tool for blocking
C. Traffic mirroring inspects live traffic for analysis and mitigation
D. Inline traffic copies packets for analysis and security
Selected Answer: A
Question #: 123
Topic #: 1
A system administrator is ensuring that specific registry information is accurate.
Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?
A. file extension associations
B. hardware, software, and security settings for the system
C. currently logged in users, including folders and control panel settings
D. all users on the system, including visual settings
Selected Answer: B
Question #: 124
Topic #: 1
Refer to the exhibit. Which packet contains a file that is extractable within Wireshark?
A. 2317
B. 1986
C. 2318
D. 2542
Selected Answer: D
Question #: 125
Topic #: 1
Which regex matches only on all lowercase letters?
A. [a-z]+
B. [^a-z]+
C. a-z+
D. a*z+
Selected Answer: A
Question #: 126
Topic #: 1
While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for multiple devices by modifying the IP header.
Which technology makes this behavior possible?
A. encapsulation
B. TOR
C. tunneling
D. NAT
Selected Answer: D
Question #: 127
Topic #: 1
Which action should be taken if the system is overwhelmed with alerts when false positives and false negatives are compared?
A. Modify the settings of the intrusion detection system.
B. Design criteria for reviewing alerts.
C. Redefine signature rules.
D. Adjust the alerts schedule.
Selected Answer: B
Question #: 128
Topic #: 1
What is the impact of false positive alerts on business compared to true positive?
A. True positives affect security as no alarm is raised when an attack has taken place, while false positives are alerts raised appropriately to detect and further mitigate them.
B. True-positive alerts are blocked by mistake as potential attacks, while false positives are actual attacks identified as harmless.
C. False-positive alerts are manually ignored signatures to avoid warnings that are already acknowledged, while true positives are warnings that are not yet acknowledged.
D. False-positive alerts are detected by confusion as potential attacks, while true positives are attack attempts identified appropriately.
Selected Answer: D
Question #: 129
Topic #: 1
An engineer needs to fetch logs from a proxy server and generate actual events according to the data received. Which technology should the engineer use to accomplish this task?
A. Firepower
B. Email Security Appliance
C. Web Security Appliance
D. Stealthwatch
Selected Answer: C
Question #: 130
Topic #: 1
Refer to the exhibit. Which technology generates this log?
A. NetFlow
B. IDS
C. web proxy
D. firewall
Selected Answer: D
Question #: 131
Topic #: 1
Which filter allows an engineer to filter traffic in Wireshark to further analyze the PCAP file by only showing the traffic for LAN 10.11.x.x, between workstations and servers without the Internet?
A. src=10.11.0.0/16 and dst=10.11.0.0/16
B. ip.src==10.11.0.0/16 and ip.dst==10.11.0.0/16
C. ip.src=10.11.0.0/16 and ip.dst=10.11.0.0/16
D. src==10.11.0.0/16 and dst==10.11.0.0/16
Selected Answer: B
Question #: 132
Topic #: 1
Which tool provides a full packet capture from network traffic?
A. Nagios
B. CAINE
C. Hydra
D. Wireshark
Selected Answer: D
Question #: 133
Topic #: 1
A company is using several network applications that require high availability and responsiveness, such that even milliseconds of latency on network traffic are not acceptable. An engineer needs to analyze the network and identify ways to improve traffic movement to minimize delays. Which information must the engineer obtain for this analysis?
A. total throughput on the interface of the router and NetFlow records
B. output of routing protocol authentication failures and ports used
C. running processes on the applications and their total network usage
D. deep packet captures of each application flow and duration
Selected Answer: A
Question #: 134
Topic #: 1
Refer to the exhibit. What is depicted in the exhibit?
A. Windows Event logs
B. Apache logs
C. IIS logs
D. UNIX-based syslog
Selected Answer: B
Question #: 135
Topic #: 1
Which technology should be used to implement a solution that makes routing decisions based on HTTP header, uniform resource identifier, and SSL session ID attributes?
A. AWS
B. IIS
C. Load balancer
D. Proxy server
Selected Answer: C
Question #: 136
Topic #: 1
Which regular expression matches “color” and “colour”?
A. colo?ur
B. col[0-8]+our
C. colou?r
D. col[0-9]+our
Selected Answer: C
Question #: 137
Topic #: 1
Which artifact is used to uniquely identify a detected file?
A. file timestamp
B. file extension
C. file size
D. file hash
Selected Answer: D
Question #: 138
Topic #: 1
A security engineer deploys an enterprise-wide host/endpoint technology for all of the company’s corporate PCs. Management requests the engineer to block a selected set of applications on all PCs.
Which technology should be used to accomplish this task?
A. application whitelisting/blacklisting
B. network NGFW
C. host-based IDS
D. antivirus/antispyware software
Selected Answer: A
Question #: 139
Topic #: 1
Which utility blocks a host portscan?
A. HIDS
B. sandboxing
C. host-based firewall
D. antimalware
Selected Answer: C
Question #: 140
Topic #: 1
Which evasion technique is indicated when an intrusion detection system begins receiving an abnormally high volume of scanning from numerous sources?
A. resource exhaustion
B. tunneling
C. traffic fragmentation
D. timing attack
Selected Answer: A
Question #: 141
Topic #: 1
DRAG DROP –
Drag and drop the technology on the left onto the data type the technology provides on the right.
Select and Place:
Suggestion Answer:
Question #: 142
Topic #: 1
Refer to the exhibit. Which application protocol is in this PCAP file?
A. SSH
B. TCP
C. TLS
D. HTTP
Selected Answer: C
Question #: 143
Topic #: 1
DRAG DROP –
Refer to the exhibit. Drag and drop the element name from the left onto the appropriate piece of the PCAP file on the right.
Select and Place:
Suggestion Answer:
Question #: 144
Topic #: 1
Refer to the exhibit. What is the expected result when the “Allow subdissector to reassemble TCP streams” feature is enabled?
A. insert TCP subdissectors
B. extract a file from a packet capture
C. disable TCP streams
D. unfragment TCP
Selected Answer: B
Question #: 145
Topic #: 1
Which type of data collection requires the largest amount of storage space?
A. alert data
B. transaction data
C. session data
D. full packet capture
Selected Answer: D
Question #: 146
Topic #: 1
An analyst discovers that a legitimate security alert has been dismissed.
Which signature caused this impact on network traffic?
A. true negative
B. false negative
C. false positive
D. true positive
Selected Answer: B
Question #: 147
Topic #: 1
Which signature impacts network traffic by causing legitimate traffic to be blocked?
A. false negative
B. true positive
C. true negative
D. false positive
Selected Answer: D
Question #: 148
Topic #: 1
Which two pieces of information are collected from the IPv4 protocol header? (Choose two.)
A. UDP port to which the traffic is destined
B. TCP port from which the traffic was sourced
C. source IP address of the packet
D. destination IP address of the packet
E. UDP port from which the traffic is sourced
Selected Answer: CD
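The IPv4 header carries the source and destination addresses (and TTL, protocol number, fragment flags, checksum); ports are not in it at all but in the TCP or UDP header that follows. The following is an added example, not part of the exam material, that decodes a constructed 28-byte packet (IPv4 + UDP, not taken from a real capture), verifies the RFC 791 header checksum, and pulls the ports from the transport header separately.

```python
import struct

# Constructed sample packet (not from a real capture): a 20-byte IPv4 header
# carrying an 8-byte UDP header. The checksum 0x527e is the correct value for
# these bytes, so verification passes until a byte is altered.
SAMPLE_PACKET = bytes.fromhex(
    "4500 001c 1c46 4000 4011 527e"  # ver/IHL, TOS, total length 28, ID, flags, TTL 64, proto 17 (UDP), checksum
    "c0a8 0164"                      # source address 192.168.1.100
    "0a00 0001"                      # destination address 10.0.0.1
    "c350 0035 0008 0000"            # UDP: source port 50000, destination port 53, length 8, checksum
)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement sum over 16-bit words; 0 means the header verifies."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        total += (header[i] << 8) | header[i + 1]
    if len(header) % 2:            # IHL*4 is always even, but tolerate odd input
        total += header[-1] << 8
    while total >> 16:             # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed IPv4 header fields; addresses come from here, ports do not."""
    if len(packet) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4     # header length in bytes (20..60)
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_length": ihl,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,          # 6 = TCP, 17 = UDP
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }


def transport_ports(packet: bytes, ip_header: dict):
    """Return (source_port, destination_port) from the TCP or UDP header that
    follows the IPv4 header, or None for other protocols or truncated packets."""
    off = ip_header["header_length"]
    if ip_header["protocol"] not in (6, 17) or len(packet) < off + 4:
        return None
    return struct.unpack("!HH", packet[off:off + 4])
```

The checksum check is worth keeping in any parser used for analysis: a packet whose header checksum fails was either corrupted in transit or crafted, and the NAT or tunneling devices that rewrite addresses must recompute it, which is one way such rewriting shows up in a capture.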
Question #: 149
Topic #: 1
Which HTTP header field is used in forensics to identify the type of browser used?
A. referrer
B. host
C. user-agent
D. accept-language
Selected Answer: C
Question #: 150
Topic #: 1
Which event artifact is used to identify HTTP GET requests for a specific file?
A. destination IP address
B. TCP ACK
C. HTTP status code
D. URI
Selected Answer: D
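The two artifacts from the previous questions, the User-Agent header and the request URI, are both read from the HTTP request. The following is an added example, not part of the exam material, that parses four constructed HTTP/1.1 requests (made up for this example, not from a real capture) and returns the GET requests for a given file together with the browser string. Header names are case-insensitive, so they are lower-cased before lookup, and the file is matched on the last component of the URI path rather than as a substring, so a request for invoice.pdf.png does not count as a hit for invoice.pdf.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed requests (not from a real capture); each is one HTTP/1.1 request
# as it would appear in a reassembled TCP stream.
SAMPLE_REQUESTS = [
    "GET /downloads/invoice.pdf?ref=mail HTTP/1.1\r\n"
    "Host: files.example.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n"
    "Accept-Language: en-US\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: files.example.test\r\nUser-Agent: curl/8.5.0\r\n"
    "Content-Length: 0\r\n\r\n",
    "GET /images/invoice.pdf.png HTTP/1.1\r\nHost: files.example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0\r\n\r\n",
    "GET /archive/invoice.pdf HTTP/1.1\r\nhost: files.example.test\r\n"
    "user-agent: python-requests/2.31.0\r\n\r\n",
]


def parse_http_request(raw: str) -> dict:
    """Split a request into its request line and a header map with lower-cased
    names (header names are case-insensitive, so 'user-agent' == 'User-Agent')."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": target, "version": version, "headers": headers}


def requests_for_file(raw_requests, filename: str) -> list:
    """Return GET requests whose URI path ends in exactly `filename`, each with
    the User-Agent that fetched it. Comparing the path's last component keeps
    /images/invoice.pdf.png from matching a hunt for invoice.pdf."""
    hits = []
    for raw in raw_requests:
        req = parse_http_request(raw)
        path = urlsplit(req["uri"]).path        # drop the query string before comparing
        if req["method"] == "GET" and posixpath.basename(path) == filename:
            hits.append({"uri": req["uri"],
                         "user_agent": req["headers"].get("user-agent", "")})
    return hits
```

The User-Agent is supplied by the client, so it identifies what the client claimed to be; treat it as a lead to corroborate with other evidence (TLS fingerprint, source host telemetry) rather than as proof of the browser in use.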
Question #: 151
Topic #: 1
What should a security analyst consider when comparing inline traffic interrogation with traffic tapping to determine which approach to use in the network?
A. Tapping interrogation replicates signals to a separate port for analyzing traffic
B. Tapping interrogations detect and block malicious traffic
C. Inline interrogation enables viewing a copy of traffic to ensure traffic is in compliance with security policies
D. Inline interrogation detects malicious traffic but does not block the traffic
Selected Answer: A
Question #: 152
Topic #: 1
At which layer is deep packet inspection investigated on a firewall?
A. internet
B. transport
C. application
D. data link
Selected Answer: C
Question #: 153
Topic #: 1
DRAG DROP –
Drag and drop the access control models from the left onto its corresponding descriptions on the right.
Select and Place:
Suggestion Answer:
Question #: 154
Topic #: 1
DRAG DROP –
Drag and drop the event term from the left onto the description on the right.
Select and Place:
Suggestion Answer:
Question #: 155
Topic #: 1
Refer to the exhibit. What is occurring?
A. insecure deserialization
B. cross-site scripting attack
C. XML External Entities attack
D. regular GET requests
Selected Answer: B
Question #: 156
Topic #: 1
What is a difference between data obtained from Tap and SPAN ports?
A. SPAN passively splits traffic between a network device and the network without altering it, while Tap alters response times.
B. Tap mirrors existing traffic from specified ports, while SPAN presents more structured data for deeper analysis.
C. SPAN improves the detection of media errors, while Tap provides direct access to traffic with lowered data visibility.
D. Tap sends traffic from physical layers to the monitoring device, while SPAN provides a copy of network traffic from switch to destination.
Selected Answer: D
Question #: 157
Topic #: 1
DRAG DROP –
Drag and drop the data source from the left onto the data type on the right.
Select and Place:
Suggestion Answer:
Question #: 158
Topic #: 1
A threat actor penetrated an organization’s network. Using the 5-tuple approach, which data points should the analyst use to isolate the compromised host in a grouped set of logs?
A. event name, log source, time, source IP, and username
B. event name, log source, time, source IP, and host name
C. protocol, log source, source IP, destination IP, and host name
D. protocol, source IP, source port, destination IP, and destination port
Selected Answer: D
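Question 131 (keep only traffic whose source and destination are both in 10.11.0.0/16) and question 158 (group logs by the 5-tuple to isolate one host) are the same two steps an analyst performs on flow data. The following is an added example, not part of the exam material, that runs both over a constructed set of flow records (made up for this example, not from a real capture): the LAN filter is the ipaddress equivalent of the Wireshark display filter ip.src==10.11.0.0/16 and ip.dst==10.11.0.0/16, and the 5-tuple grouping collapses records of the same conversation before the suspect host's conversations are pulled out.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple

LAN = ipaddress.ip_network("10.11.0.0/16")


class Flow(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Constructed flow records (not from a real capture), one per observed segment.
FLOWS = [
    Flow("tcp", "10.11.1.20", 51522, "10.11.5.10", 445, 4200),
    Flow("tcp", "10.11.1.20", 51523, "10.11.5.10", 445, 1800),
    Flow("tcp", "10.11.1.20", 51600, "203.0.113.7", 443, 90000),  # to the Internet
    Flow("udp", "10.11.1.20", 53211, "10.11.0.5", 53, 120),
    Flow("tcp", "10.11.3.44", 49000, "10.11.5.10", 3389, 2500),
    Flow("tcp", "198.51.100.9", 40000, "10.11.5.10", 22, 300),    # from the Internet
    Flow("tcp", "10.11.1.20", 51522, "10.11.5.10", 445, 600),      # same 5-tuple as the first record
]


def lan_only(flows, lan=LAN):
    """Both endpoints inside the LAN: the equivalent of the Wireshark filter
    `ip.src==10.11.0.0/16 and ip.dst==10.11.0.0/16` (note the `==`; a single
    `=` is not valid display-filter syntax)."""
    return [f for f in flows
            if ipaddress.ip_address(f.src) in lan and ipaddress.ip_address(f.dst) in lan]


def group_by_five_tuple(flows):
    """Collapse records into conversations keyed by (proto, src, sport, dst, dport),
    summing the bytes so repeated records of one connection count once."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.proto, f.src, f.sport, f.dst, f.dport)] += f.nbytes
    return dict(totals)


def conversations_for_host(grouped, host):
    """Isolate every conversation the host took part in, as source or destination."""
    return {key: nbytes for key, nbytes in grouped.items() if host in (key[1], key[3])}
```

Ports alone are not enough to isolate a host: ephemeral source ports are reused across hosts and over time, which is why the full 5-tuple (and, in practice, a time window) is the key.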
Question #: 159
Topic #: 1
What is a difference between an inline and a tap mode traffic monitoring?
A. Tap mode monitors packets and their content with the highest speed, while the inline mode draws a packet path for analysis.
B. Inline monitors traffic without examining other devices, while a tap mode tags traffic and examines the data from monitoring devices.
C. Inline mode monitors traffic path, examining any traffic at a wire speed, while a tap mode monitors traffic as it crosses the network.
D. Tap mode monitors traffic direction, while inline mode keeps packet data as it passes through the monitoring devices.
Selected Answer: C
Question #: 160
Topic #: 1
An engineer is addressing a connectivity issue between two servers where the remote server is unable to establish a successful session. Initial checks show that the remote server is not receiving a SYN-ACK while establishing a session by sending the first SYN. What is causing this issue?
A. incorrect TCP handshake
B. incorrect UDP handshake
C. incorrect OSI configuration
D. incorrect snaplen configuration
Selected Answer: A
Question #: 161
Topic #: 1
Refer to the exhibit. What is shown in this PCAP file?
A. The User-Agent is Mozilla/5.0.
B. Timestamps are indicated with error.
C. The HTTP GET is encoded.
D. The protocol is TCP.
Selected Answer: C
Question #: 162
Topic #: 1
Which regular expression is needed to capture the IP address 192.168.20.232?
A. ^(?:[0-9]{1,3}\.){3}[0-9]{1,3}
B. ^(?:[0-9]{1,3}\.)*
C. ^)?:[0-9]{1,3}\.){1,4}
D. ^([0-9].{3})
Selected Answer: A
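Questions 125, 136 and 162 each hinge on what a small regular expression actually matches. The following is an added example, not part of the exam material, that runs the chosen answers and the tempting distractors through Python's re module on constructed strings so the differences are visible: [a-z]+ versus its negation and the literal a-z+; colou?r versus colo?ur, which makes the wrong letter optional; and the dotted-quad pattern, which captures the shape of 192.168.20.232 but also accepts 999.999.999.999 until each octet is range-checked. The ^ anchor of the exam pattern is replaced by lookarounds so the address can sit anywhere in a log line.

```python
import re


def is_all_lowercase(text: str) -> bool:
    """Q125: `[a-z]+` matches one or more lowercase ASCII letters; fullmatch makes
    it 'the whole string', which a bare search would not."""
    return re.fullmatch(r"[a-z]+", text) is not None


def distractor_matches(text: str) -> dict:
    """What the other Q125 options actually match, for comparison."""
    return {
        "[^a-z]+": re.findall(r"[^a-z]+", text),   # negated class: everything NOT lowercase
        "a-z+": re.findall(r"a-z+", text),         # literal 'a', '-', then one or more 'z'
        "a*z+": re.findall(r"a*z+", text),         # optional a's followed by z's
    }


def find_colour_spellings(text: str) -> list:
    """Q136: `colou?r` makes the 'u' optional, so both spellings match."""
    return re.findall(r"colou?r", text)


def find_misplaced_optional(text: str) -> list:
    """Q136 option A, `colo?ur`, makes the second 'o' optional instead: it
    accepts 'colur' and rejects 'color'."""
    return re.findall(r"colo?ur", text)


# Q162 shape, with lookarounds instead of `^` so it can be found mid-line and
# does not fire on a fragment of a longer dotted sequence such as 1.2.3.4.5.
IPV4_SHAPE = re.compile(r"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")


def find_ipv4(text: str, strict: bool = True) -> list:
    r"""Q162: `(?:[0-9]{1,3}\.){3}[0-9]{1,3}` captures the dotted-quad shape. The
    shape alone also accepts 999.999.999.999, so strict mode keeps only matches
    whose four octets are all in 0..255."""
    found = IPV4_SHAPE.findall(text)
    if not strict:
        return found
    return [ip for ip in found if all(int(octet) <= 255 for octet in ip.split("."))]
```

The strict check matters in detection content: a rule that extracts "addresses" with the bare shape will happily pull version strings and malformed values out of logs and feed them to enrichment or blocking steps.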
Question #: 163
Topic #: 1
An engineer received an alert about degraded performance of a critical server. Analysis showed a heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?
A. Run "ps -u" to find out who executed additional processes that caused a high load on the server
B. Run "ps -ef" to understand which processes are taking a high amount of resources
C. Run "ps -d" to decrease the priority state of high-load processes to avoid resource exhaustion
D. Run "ps -m" to capture the existing state of daemons and map required processes to find the gap
Selected Answer: B
Question #: 164
Topic #: 1
Refer to the exhibit. Which component is identifiable in this exhibit?
A. Windows Registry hive
B. Trusted Root Certificate store on the local machine
C. Windows PowerShell verb
D. local service in the Windows Services Manager
Selected Answer: A
Question #: 165
Topic #: 1
An organization has recently adjusted its security stance in response to online threats made by a known hacktivist group.
What is the initial event called in the NIST SP800-61?
A. online assault
B. precursor
C. trigger
D. instigator
Selected Answer: B
Question #: 166
Topic #: 1
Which NIST IR category stakeholder is responsible for coordinating incident response among various business units, minimizing damage, and reporting to regulatory agencies?
A. CSIRT
B. PSIRT
C. public affairs
D. management
Selected Answer: D
Question #: 167
Topic #: 1
Which incident response step includes identifying all hosts affected by an attack?
A. detection and analysis
B. post-incident activity
C. preparation
D. containment, eradication, and recovery
Selected Answer: D
Question #: 168
Topic #: 1
Which two elements are used for profiling a network? (Choose two.)
A. session duration
B. total throughput
C. running processes
D. listening ports
E. OS fingerprint
Selected Answer: AB
Question #: 169
Topic #: 1
Which category relates to improper use or disclosure of PII data?
A. legal
B. compliance
C. regulated
D. contractual
Selected Answer: C
Question #: 170
Topic #: 1
Which type of evidence supports a theory or an assumption that results from initial evidence?
A. probabilistic
B. indirect
C. best
D. corroborative
Selected Answer: D
Question #: 171
Topic #: 1
Which two elements are assets in the role of attribution in an investigation? (Choose two.)
A. context
B. session
C. laptop
D. firewall logs
E. threat actor
Selected Answer: AE
Question #: 172
Topic #: 1
What is personally identifiable information that must be safeguarded from unauthorized access?
A. date of birth
B. driver’s license number
C. gender
D. zip code
Selected Answer: B
Question #: 173
Topic #: 1
In a SOC environment, what is a vulnerability management metric?
A. code signing enforcement
B. full assets scan
C. internet exposed devices
D. single factor authentication
Selected Answer: B
Question #: 174
Topic #: 1
A security expert is working on a copy of the evidence, an ISO file that is saved in CDFS format. Which type of evidence is this file?
A. CD data copy prepared in Windows
B. CD data copy prepared in Mac-based system
C. CD data copy prepared in Linux system
D. CD data copy prepared in Android-based system
Selected Answer: A
Question #: 175
Topic #: 1
Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2? (Choose two.)
A. detection and analysis
B. post-incident activity
C. vulnerability management
D. risk assessment
E. vulnerability scoring
Selected Answer: AB
Question #: 176
Topic #: 1
DRAG DROP –
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model.
Select and Place:
Suggestion Answer:
Question #: 177
Topic #: 1
Refer to the exhibit. What does this output indicate?
A. HTTPS ports are open on the server.
B. SMB ports are closed on the server.
C. FTP ports are open on the server.
D. Email ports are closed on the server.
Selected Answer: D
Question #: 178
Topic #: 1
DRAG DROP –
Drag and drop the elements from the left into the order for incident handling on the right.
Select and Place:
Suggestion Answer:
Question #: 179
Topic #: 1
Which metric should be used when evaluating the effectiveness and scope of a Security Operations Center?
A. The average time the SOC takes to register and assign the incident.
B. The total incident escalations per week.
C. The average time the SOC takes to detect and resolve the incident.
D. The total incident escalations per month.
Selected Answer: C
Question #: 180
Topic #: 1
A developer is working on a project using a Linux system call that creates processes and produces these results:
✑ If the call is unsuccessful, a negative value is returned.
✑ If the call is successful, 0 is returned in the child process, and the child's process ID is returned to the parent process.
Which component results from this operation?
A. parent directory name of a file pathname
B. process spawn scheduled
C. macros for managing CPU sets
D. new process created by parent process
Selected Answer: D
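The behaviour described is that of fork(2). The following is an added example, not part of the exam material, that calls it through Python's os.fork on a Unix-like system (Linux or macOS; it does not run on Windows) and shows both return values at once: the child sees 0 and reports its own PID and parent PID back through a pipe, the parent receives the child's PID as fork's return value and reaps the exit status with waitpid. Python raises OSError where the C call returns -1, so the function maps that failure back to -1 to mirror the C convention.

```python
import os


def spawn_child(child_exit_code: int = 7) -> dict:
    """Create a child with fork() and return what each side observed.

    In the child, os.fork() returns 0; in the parent it returns the child's PID.
    On failure the C call returns -1; Python raises OSError, which is mapped here
    to the same -1 so the result matches the C contract.
    """
    parent_pid = os.getpid()
    rfd, wfd = os.pipe()           # one-way channel: child writes, parent reads
    try:
        pid = os.fork()
    except OSError:
        os.close(rfd)
        os.close(wfd)
        return {"fork_returned": -1}

    if pid == 0:
        # Child branch: fork() returned 0 here. Report the PIDs as the child sees
        # them, then leave with os._exit so no interpreter cleanup from the
        # parent's state (buffers, atexit handlers) runs a second time.
        os.close(rfd)
        os.write(wfd, f"{os.getpid()} {os.getppid()}".encode())
        os.close(wfd)
        os._exit(child_exit_code)

    # Parent branch: fork() returned the child's PID. Close the write end so the
    # read below hits EOF once the child has finished writing.
    os.close(wfd)
    data = b""
    while True:
        chunk = os.read(rfd, 64)
        if not chunk:
            break
        data += chunk
    os.close(rfd)

    _, status = os.waitpid(pid, 0)  # reap the child so it does not linger as a zombie
    child_pid_seen, child_ppid_seen = (int(x) for x in data.split())
    return {
        "fork_returned": pid,
        "child_pid": child_pid_seen,
        "child_ppid": child_ppid_seen,
        "parent_pid": parent_pid,
        "exit_code": os.WEXITSTATUS(status),
    }
```

The waitpid call is the part most often forgotten: a parent that forks and never waits leaves zombie entries in the process table, which is also why a process listing full of defunct children is worth a second look during the kind of resource-usage investigation question 163 describes.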