What makes HTTPS traffic difficult to monitor?
A. SSL interception
B. packet header size
C. signature detection time
D. encryption
What is the impact of false positive alerts on business compared to true positive?
A. True positives affect security as no alarm is raised when an attack has taken place, resulting in a potential breach.
B. True positive alerts are blocked by mistake as potential attacks affecting application availability.
C. False positives affect security as no alarm is raised when an attack has taken place, resulting in a potential breach.
D. False positive alerts are blocked by mistake as potential attacks affecting application availability.
Which action prevents buffer overflow attacks?
A. variable randomization
B. using web based applications
C. input sanitization
D. using a Linux operating system
Refer to the exhibit.

An engineer received a ticket about a slowed-down web application. The engineer runs the #netstat -an command. How must the engineer interpret the results?
A. The web application is receiving common, legitimate traffic.
B. The engineer must gather more data.
C. The web application server is under a denial-of-service attack.
D. The server is under a man-in-the-middle attack between the web application and its database.
What describes the impact of false-positive alerts compared to false-negative alerts?
A. A false negative is alerting for an XSS attack. An engineer investigates the alert and discovers that an XSS attack happened. A false positive is when an XSS attack happens and no alert is raised.
B. A false negative is a legitimate attack triggering a brute-force alert. An engineer investigates the alert and finds out someone intended to break into the system. A false positive is when no alert and no attack is occurring.
C. A false positive is an event alerting for a brute-force attack. An engineer investigates the alert and discovers that a legitimate user entered the wrong credential several times. A false negative is when a threat actor tries to brute-force attack a system and no alert is raised.
D. A false positive is an event alerting for an SQL injection attack. An engineer investigates the alert and discovers that an attack attempt was blocked by IPS. A false negative is when the attack gets detected but succeeds and results in a breach.
Refer to the exhibit.

A network administrator is investigating suspicious network activity by analyzing captured traffic. An engineer notices abnormal behavior and discovers that the default user agent is present in the headers of requests and data being transmitted. What is occurring?
A. indicators of denial-of-service attack due to the frequency of requests
B. garbage flood attack: attacker is sending garbage binary data to open ports
C. indicators of data exfiltration: HTTP requests must be plain text
D. cache bypassing attack: attacker is sending requests for noncacheable content
A SOC analyst detected connections to a known C&C server and port scanning activity to main HR database servers from one of the HR endpoints, via Cisco StealthWatch. What are the two next steps of the SOC team according to the NIST SP 800-61 incident handling process? (Choose two.)
A. Update antivirus signature databases on affected endpoints to block connections to C&C.
B. Isolate affected endpoints and take disk images for analysis.
C. Block connection to this C&C server on the perimeter next-generation firewall.
D. Provide security awareness training to HR managers and employees.
E. Detect the attack vector and analyze C&C connections.
Which option describes indicators of attack?
A. blocked phishing attempt on a company
B. spam emails on an employee workstation
C. virus detection by the AV software
D. malware reinfection within a few minutes of removal
What is a difference between SIEM and SOAR security systems?
A. SOAR ingests numerous types of logs and event data infrastructure components, and SIEM can fetch data from endpoint security software and external threat intelligence feeds.
B. SOAR collects and stores security data at a central point and then converts it into actionable intelligence, and SIEM enables SOC teams to automate and orchestrate manual tasks.
C. SIEM raises alerts in the event of detecting any suspicious activity, and SOAR automates investigation path workflows and reduces time spent on alerts.
D. SIEM combines data collecting, standardization, case management, and analytics for a defense-in-depth concept, and SOAR collects security data, antivirus logs, firewall logs, and hashes of downloaded files.
During a quarterly vulnerability scan, a security analyst discovered unused uncommon ports open and in a listening state. Further investigation showed that the unknown application was communicating with an external IP address on an encrypted channel. A deeper analysis revealed a command and control communication on an infected server. At which step of the Cyber Kill Chain was the attack detected?
A. Exploitation
B. Actions on Objectives
C. Weaponization
D. Delivery