Cisco CyberOps Associate 200-201 (200-201) — Questions 976–985

985 questions total · 14 pages · All types, answers revealed

Page 14 of 14

Question 976 · MCQ · medium

Which compliance standard specifically applies to organizations that handle credit card information?

A. HIPAA
B. GDPR
C. ISO 27001
D. PCI DSS
Answer: D

PCI DSS governs credit card data security.

Why this answer

PCI DSS is the Payment Card Industry Data Security Standard for credit card data.

Question 977 · MCQ · easy

An analyst observes an alert triggered by a single SYN packet to a closed port. The packet did not complete a TCP handshake. What type of attack does this most likely indicate?

A. SYN scan
B. TCP connect scan
C. Ping sweep
D. UDP scan
Answer: A

A SYN scan sends a SYN and expects a SYN-ACK from open ports; a RST indicates a closed port.

Why this answer

A SYN scan sends SYN packets to target ports. If a RST is received, the port is closed. The incomplete handshake is characteristic of a SYN scan, not a full connection scan or DoS attack.

Question 978 · Multi-Select · medium

A security engineer is analyzing a recent data breach. Which TWO are examples of active reconnaissance techniques? (Select two.)

Select 2 answers
A. Port scanning
B. Ping sweep
C. LinkedIn profiling
D. WHOIS lookup
E. Google dorking
Answers: A, B

Port scanning and ping sweeps send packets directly to the target system to probe it.

Why this answer

Active reconnaissance involves direct interaction with the target. Port scanning and ping sweeps are active; WHOIS and Google searches are passive.

Question 979 · MCQ · medium

During an incident response, an analyst identifies a PCAP containing an HTTP POST request to a suspicious external IP with a large payload. The response is not typical for web applications. What type of activity is most likely occurring?

A. SQL injection attack
B. Normal web browsing
C. Data exfiltration
D. Command and control beaconing
Answer: C

A large HTTP POST to an external IP suggests data exfiltration.

Why this answer

Large outbound data transfers via HTTP POST to external IPs are indicative of data exfiltration.

Question 980 · MCQ · easy

A SOC analyst receives an alert from the SIEM indicating a high number of outbound DNS queries from an internal host to a domain known for malicious activity. The analyst reviews the logs and finds that the host is a DNS server. What should be the analyst's first action?

A. Isolate the DNS server from the network and escalate to incident response.
B. Check the baseline of DNS traffic to confirm it is anomalous.
C. Block the domain at the firewall and close the alert.
D. Restart the DNS service on the server and monitor.
Answer: A

Immediate containment to prevent further compromise.

Why this answer

The correct first action is to isolate the DNS server from the network and escalate to incident response. A DNS server generating outbound DNS queries to a known malicious domain indicates a likely compromise (e.g., DNS tunneling or malware command-and-control), not normal recursive resolution. Immediate containment prevents further data exfiltration or lateral movement, aligning with incident response best practices.

Exam trap

Cisco often tests the misconception that a DNS server's outbound queries are always benign recursive lookups, leading candidates to choose baseline checking or simple blocking instead of recognizing the need for immediate containment and escalation.

How to eliminate wrong answers

Option B is wrong because checking a baseline assumes the activity might be normal, but a DNS server should not be making outbound queries to a known malicious domain; this wastes critical time during an active compromise. Option C is wrong because blocking the domain at the firewall without investigation may stop the immediate symptom but does not address the root cause (e.g., a backdoor or persistent threat), and closing the alert prematurely violates proper incident handling procedures. Option D is wrong because restarting the DNS service could destroy volatile evidence (e.g., in-memory artifacts, active connections) and does not remediate the underlying compromise, potentially allowing the threat to persist.

Question 981 · MCQ · hard

A security policy requires that all endpoints have host-based firewalls enabled. A user reports that an application stopped working after a recent update. What should the analyst do?

A. Escalate to the application vendor.
B. Create an exception rule for the application.
C. Roll back the update.
D. Disable the host firewall for that user.
E. Reinstall the application.
Answer: B

Aligns with policy while resolving the issue.

Why this answer

Option B is correct because creating an exception rule keeps the host-based firewall enabled, as policy requires, while allowing the application to work. Disabling the host firewall (Option D) violates policy. Rolling back the update (Option C) may revert security patches. Escalating to the vendor (Option A) and reinstalling the application (Option E) are less direct.

Question 982 · MCQ · easy

A security analyst notices repeated failed login attempts from a single IP address against multiple user accounts. What is the best immediate action to take?

A. Increase logging verbosity for the authentication server.
B. Change all user passwords immediately.
C. Disable the affected user accounts.
D. Block the source IP address on the firewall.
Answer: D

Blocking the IP address stops the brute-force attempt immediately.

Why this answer

Blocking the source IP address on the firewall is the best immediate action because it stops the ongoing brute-force attack at the network perimeter, preventing further authentication attempts from that IP without disrupting legitimate users. This aligns with the principle of containment before investigation, as the firewall ACL can be updated quickly to deny traffic from the offending source.

Exam trap

Cisco often tests the candidate's ability to prioritize containment over investigation or remediation; the trap here is that candidates may choose to increase logging (Option A) to gather evidence, but the immediate action must stop the active attack first.

How to eliminate wrong answers

Option A is wrong because increasing logging verbosity does not stop the attack; it only generates more log data, which could overwhelm storage and delay response. Option B is wrong because changing all user passwords is disruptive, time-consuming, and does not address the source of the attack: the attacker can simply continue trying new passwords against the same accounts. Option C is wrong because disabling affected user accounts would deny service to legitimate users and does not prevent the attacker from targeting other accounts from the same IP.

Question 983 · MCQ · hard

During memory analysis with Volatility, the 'cmdline' plugin shows a process with no command-line arguments. Which plugin could help recover the original command line if it was truncated or hidden?

A. consoles
B. cmdscan
C. malfind
D. dlllist
Answer: B

cmdscan searches for command-line history in memory.

Why this answer

The 'cmdscan' plugin scans memory for command-line history that the 'cmdline' plugin does not capture, so it can recover previously typed commands.

Question 984 · MCQ · hard

A company is implementing a new data classification policy. The policy defines three levels: Public, Internal, and Confidential. An employee accidentally emails a spreadsheet marked 'Confidential' to an external partner. The email system automatically encrypts all outbound emails containing 'Confidential' classification. Which security control is being demonstrated?

A. Auditing
B. Encryption at rest
C. Data Loss Prevention (DLP)
D. Access control
Answer: C

DLP controls can automatically encrypt outbound emails containing sensitive data based on classification.

Why this answer

Option C is correct because the email system automatically encrypts outbound emails based on their classification, which is a data loss prevention (DLP) control. Option D is wrong because access control restricts who can access data, not how it is transmitted. Option B is wrong because encryption at rest applies to stored data, not data in transit. Option A is wrong because auditing records events but does not prevent data loss.

Question 985 · MCQ · medium

An analyst is analyzing a PCAP and sees multiple ICMP port unreachable responses from a target host when scanning UDP ports. What does this indicate about the scanned ports?

A. The ports are closed.
B. The scan is a SYN scan.
C. The ports are filtered by a firewall.
D. The ports are open.
Answer: A

An ICMP port unreachable response indicates a closed UDP port.

Why this answer

When a UDP scan sends a datagram to a closed port, the target responds with an ICMP port unreachable message; an open port typically produces no response at all, and a filtered port produces either no response or a different ICMP unreachable code.