Last Updated on July 25, 2021 by Admin 2

200-201 : Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) : Part 06

  1. Which of the following would provide cybersecurity training and incident response to both a federal executive branch agency and foreign company?

    • National CSIRT
    • Coordination center
    • Internal CSIRT
    • PSIRT

    Explanation:

    200-201 Part 06 Q01 027
  2. Which of the following would help multiple CSIRTs facilitate incident handling?

    • MSSP
    • national CSIRT
    • Coordination center
    • Analysis center

    Explanation:

    200-201 Part 06 Q02 028
  3. Which of the following represents a step in the second normal form in the process of normalization?

    • Create a separate table for each set of related data.
    • Eliminate repeating groups in individual tables.
    • Create separate tables for sets of values that apply to multiple records.
    • Eliminate fields that do not depend on the key.

    Explanation:

    200-201 Part 06 Q03 029
  4. Which of the following is the second step in incident handling, according to NIST SP 800-61 r2?

    • detection and analysis
    • post incident analysis
    • preparation
    • containment, eradication, and recovery

    Explanation:

    200-201 Part 06 Q04 030
  5. What information can be discovered from the user agent field in an HTTP packet?

    • IP address of attacker
    • domain name of attacker
    • browser version
    • destination site

    Explanation:

    200-201 Part 06 Q05 031
  6. In which stage of an incident is the environment returned to a secure state?

    • remediation
    • Identification
    • containment
    • lesson-based hardening

    Explanation:

    Returning the environment to a secure state occurs during the remediation stage. There are six steps in incident handling:

    – Identification – determining whether there is an incident
    – Scoping – determining the extent of the incident and identifying the attackers
    – Containment – halting the spread of the incident and minimizing the impact
    – Remediation – returning the environment to a secure state
    – Lesson-based hardening – preventing future incidents
    – Reporting – documenting the incident and reporting it

  7. What is the term for any evasion attempt where the attacker splits malicious traffic to avoid detection or filtering?

    • fragmentation
    • SYN flood
    • LAND attack
    • network mapping

    Explanation:

    200-201 Part 06 Q07 032
  8. Actors and actions are part of which VERIS schema category?

    • discovery and response
    • incident tracking
    • victim demographics
    • incident description

    Explanation:

    200-201 Part 06 Q08 033
  9. When discontinuous free space is created by the adding and removing of data on a hard drive, what has occurred?

    • steganography
    • alternative data streams
    • forking
    • fragmentation

    Explanation:

    200-201 Part 06 Q09 034
  10. Which process is used to increase data accuracy and integrity and to support data visualization?

    • data aggregation
    • data warehousing
    • data normalization
    • data mapping

    Explanation:

    200-201 Part 06 Q10 035
  11. Which of the following is a standard for port-based access control?

    • X.509
    • 802.11n
    • 802.3
    • 802.1x

    Explanation:

    200-201 Part 06 Q11 036
  12. You discover several client machines are infected with malware that begins to make outbound calls (connection attempts) to a remote server after infection. You run a malware analysis tool.

    What information could you derive from any domain names and host IP addresses in the malware analysis report?

    • the next machine that will be infected
    • destination of the callouts
    • signature of the malware
    • the first machine infected

    Explanation:

    200-201 Part 06 Q12 037
  13. Which of the following Wireshark filters excludes an IP address?

    • gateway host <host>
    • !ip.addr ==192.168.1.2
    • eth.addr == 00:60:0e:53:13:d5
    • ip.addr==192.168.1.0/24

    Explanation:

    200-201 Part 06 Q13 038
  14. What is the main purpose of data normalization?

    • synchronization of time stamps
    • duplicate data streams
    • eliminate redundancy
    • aggregate data

    Explanation:

    200-201 Part 06 Q14 039
  15. What is the first step in the Cyber Kill Chain framework?

    • exploitation
    • weaponization
    • reconnaissance
    • installation

    Explanation:

    200-201 Part 06 Q15 040
    200-201 Part 06 Q15 041
  16. Which of the following is part of the 5 tuple?

    • web software
    • NetFlow record ID
    • source IP address
    • operating system
    • device name

    Explanation:

    200-201 Part 06 Q16 042
  17. When an email with a malicious attachment is delivered to a mailbox, what step in the Cyber Kill Chain framework has occurred?

    • Reconnaissance
    • Exploitation
    • Weaponization
    • Delivery
  18. Which of the following is NOT of interest during server profiling?

    • Applications
    • Logged-in Users/Service Accounts
    • Running Processes
    • Closed ports

    Explanation:

    200-201 Part 06 Q18 043
    200-201 Part 06 Q18 044
    200-201 Part 06 Q18 045
  19. According to NIST SP 800-61 r2, which of the following is NOT a question to ask during a post mortem?

    • Exactly what happened and at what time?
    • How could information sharing with other organizations be improved?
    • Whose fault was the attack?
    • Were any steps or actions taken that might have inhibited the recovery?

    Explanation:

    Placing blame is not part of the post mortem.