200-201 Exam Questions
563 real 200-201 exam questions with expert-verified answers and explanations. Page 1 of 12.
- Question #1 (Network Intrusion Analysis)
  Which two pieces of information are collected from the IPv4 protocol header? (Choose two.)
  Tags: IPv4 header, Protocol layers, Network packet structure, IP addresses
- Question #2 (Security Monitoring)
  In a SOC environment, what is a vulnerability management metric?
  Tags: Vulnerability management, SOC metrics, internet exposed assets
- Question #3 (Security Policies and Procedures)
  Which category relates to improper use or disclosure of PII data?
  Tags: PII, data privacy, compliance
- Question #4 (Security Concepts)
  Which regex matches only on all lowercase letters?
  Tags: regular expressions, pattern matching
- Question #5 (Security Concepts)
  Which list identifies the information that the client sends to the server in the negotiation phase of the TLS handshake?
  Tags: TLS handshake, ClientHello, encryption protocols
- Question #6 (Host-Based Analysis)
  An offline audit log contains the source IP address of a session suspected to have exploited a vulnerability resulting in system compromise. Which kind of evidence is this IP addre...
  Tags: forensic evidence, audit logs, incident response
- Question #7 (Host-Based Analysis)
  Which security technology allows only a set of pre-approved applications to run on a system?
  Tags: application whitelisting, endpoint security, security controls
- Question #8 (Network Intrusion Analysis)
  Refer to the exhibit. Which type of log is displayed?
  Tags: IDS logs, security logs, log analysis
- Question #9 (Network Intrusion Analysis)
  Refer to the exhibit. Which two elements in the table are parts of the 5-tuple? (Choose two.)
  Tags: 5-tuple, network flow, packet analysis
- Question #10 (Security Concepts)
  Which security principle is violated by running all processes as root or administrator?
  Tags: Least Privilege, Security Principles, Privilege Management
- Question #11 (Security Concepts)
  What is the function of a command and control server?
  Tags: Command and Control (C2), Malware, Threat Actor Infrastructure, Cyber Attacks
- Question #12 (Network Intrusion Analysis)
  What is the difference between deep packet inspection and stateful inspection?
  Tags: DPI, stateful inspection, network security, OSI model
- Question #13 (Host-Based Analysis)
  Which evasion technique is a function of ransomware?
  Tags: ransomware, malware techniques, encryption
- Question #14 (Security Concepts)
  What does cyber attribution identify in an investigation?
  Tags: cyber attribution, threat intelligence, incident response
- Question #15 (CompTIA Security+ Domain 1: General Security Concepts / Threats, Vulnerabilities, and Mitigations - Understanding core security terminology including threats, vulnerabilities, exploits, and risk assessment processes.)
  Drag and Drop Question: Drag and drop the security concept on the left onto the example of that concept on the right. Answer:
  Tags: Risk Management, Security Fundamentals, Threat and Vulnerability, Security Concepts
- Question #16 (Network Traffic Analysis / Packet Capture Interpretation - typically aligned with CompTIA CySA+, Security+, or Network+ domains covering network forensics and protocol analysis)
  Drag and Drop Question: Refer to the exhibit. Drag and drop the element name from the left onto the correct piece of the PCAP file on the right. Answer:
  Tags: PCAP Analysis, Network Protocols, Packet Headers, Wireshark
- Question #17 (CompTIA Security+ Domain 4: Identity and Access Management (IAM) - Understanding and differentiating between access control models including DAC, MAC, RBAC, and ABAC)
  Drag and Drop Question: Drag and drop the access control models from the left onto the correct descriptions on the right. Answer:
  Tags: Access Control Models, Identity and Access Management, Security Fundamentals, Authorization
- Question #18 (CyberOps Associate / Security+ - Network Monitoring and Data Collection; specifically understanding the types of security data produced by different network monitoring technologies (Cisco CyberOps Domain 2: Security Monitoring or CompTIA CySA+ Domain: Security Operations))
  Drag and Drop Question: Drag and drop the technology on the left onto the data type the technology provides on the right. Answer:
  Tags: network security monitoring, data types, packet capture, NetFlow, firewall logging
- Question #19 (Security Concepts)
  Which tool is commonly used by threat actors on a webpage to take advantage of the software vulnerabilities of a system to spread malware?
  Tags: exploit kit, malware delivery, web security
- Question #20 (Network Intrusion Analysis)
  Which two methods might be used by an analyst to detect SSL/TLS encrypted command-and-control communication? (Choose two.)
  Tags: TLS decryption, NetFlow analysis, C2 detection, network forensics
- Question #21 (Network Intrusion Analysis)
  While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for multiple devices by modifying the IP header. Which technology makes this behavio...
  Tags: NAT, packet analysis, IP addressing
- Question #22 (Security Concepts)
  When communicating via TLS, the client initiates the handshake to the server and the server responds back with its certificate for identification. Which information is available on...
  Tags: TLS certificates, public key, trusted CA, encryption
- Question #23 (Security Policies and Procedures)
  A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor. Which typ...
  Tags: evidence types, forensics, incident response
- Question #24 (Security Policies and Procedures)
  Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2? (Choose two.)
  Tags: incident response, NIST 800-61, security frameworks
- Question #25 (Host-Based Analysis)
  Which utility blocks a host port scan?
  Tags: port scanning, host-based firewall, security tools
- Question #26 (Security Concepts)
  Which event is user interaction?
  Tags: user interaction, attack vectors, malware delivery
- Question #27 (Security Concepts)
  An intruder attempted malicious activity and exchanged emails with a user and received corporate information, including email distribution lists. The intruder asked the user to eng...
  Tags: social engineering, phishing, attack methods
- Question #28 (Network Intrusion Analysis)
  Refer to the exhibit. What information is depicted?
  Tags: NetFlow, network monitoring, network traffic analysis
- Question #29 (Security Policies and Procedures)
  Which type of evidence supports a theory or an assumption that results from initial evidence?
  Tags: evidence types, forensics, incident response
- Question #30 (Security Policies and Procedures)
  When you are researching a Windows operating system vulnerability (such as CVE-2016-7211), which organization can provide detailed information about the specific vulnerability?
  Tags: vulnerability research, NIST, CVE
- Question #31 (Security Concepts)
  Which property of a cryptographic hash algorithm is desirable?
  Tags: cryptographic hash, collision resistance, cryptography concepts
- Question #32 (Security Monitoring)
  Which two elements are assets in the role of attribution in an investigation? (Choose two.)
  Tags: attribution, incident investigation, threat intelligence
- Question #33 (Security Monitoring)
  Which regular expression matches "color" and "colour"?
  Tags: regular expressions, log analysis, pattern matching
- Question #34 (Security Concepts)
  A user received a malicious attachment but did not run it. Which category classifies the intrusion?
  Tags: cyber kill chain, attack phases, malware delivery
- Question #35 (Security Monitoring)
  Which process is used when IPS events are removed to improve data integrity?
  Tags: data normalization, IPS logs, data integrity
- Question #36 (Host-Based Analysis)
  An investigator is examining a copy of an ISO file that is stored in CDFS format. What type of evidence is this file?
  Tags: CDFS, file systems, forensic analysis
- Question #37 (Security Monitoring)
  Which piece of information is needed for attribution in an investigation?
  Tags: attribution, threat actor, incident investigation
- Question #38 (Host-Based Analysis)
  Refer to the exhibit. In which Linux log file is this output found?
  Tags: Linux logs, authentication logs, host-based analysis
- Question #39 (Network Intrusion Analysis)
  What is the difference between the ACK flag and the RST flag in the NetFlow log session?
  Tags: TCP flags, NetFlow, network protocols
- Question #40 (Network Intrusion Analysis)
  Which type of data typically consists of connection level, application-specific records generated from network traffic?
  Tags: network data types, connection data, traffic analysis
- Question #41 (Security Policies and Procedures)
  What are three key components of a threat-centric SOC? (Choose three.)
  Tags: SOC, security operations, threat-centric
- Question #42 (Network Intrusion Analysis)
  An analyst is investigating an incident in a SOC environment. Which method is used to identify a session from a group of logs?
  Tags: 5-tuple, session identification, network analysis
- Question #43 (Network Intrusion Analysis)
  Refer to the exhibit. Which type of log is displayed?
  Tags: NetFlow, network logs, traffic analysis
- Question #44 (Network Intrusion Analysis)
  What should a security analyst consider when comparing inline traffic interrogation with traffic tapping to determine which approach to use in the network?
  Tags: network monitoring, traffic tapping, inline inspection, network security tools
- Question #45 (Host-Based Analysis)
  Which two components reduce the attack surface on an endpoint? (Choose two.)
  Tags: attack surface reduction, endpoint security, secure boot, USB security
- Question #46 (Security Monitoring)
  An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this impact on network traffic?
  Tags: alert classification, false negative, incident response, security alerts
- Question #47 (Network Intrusion Analysis)
  Which event artifact is used to identify HTTP GET requests for a specific file?
  Tags: HTTP protocol, URI, network forensics, web traffic analysis
- Question #48 (Security Policies and Procedures)
  Which security principle requires more than one person to perform a critical task?
  Tags: security principles, separation of duties, access control
- Question #49 (Host-Based Analysis)
  What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)
  Tags: forensic imaging, disk integrity, hashing, chain of custody
- Question #50 (Network Intrusion Analysis)
  What makes HTTPS traffic difficult to monitor?
  Tags: HTTPS, encryption, TLS/SSL, network monitoring