200-201 Exam Questions
563 real 200-201 exam questions with expert-verified answers and explanations. Page 2 of 12.
- Question #51 (Network Intrusion Analysis)
  An analyst is investigating a host in the network that appears to be communicating to a command and control server on the Internet. After collecting this packet capture the analyst...
  Tags: TLS encryption, C2 communication, packet analysis, obfuscation
- Question #52 (Security Policies and Procedures)
  What best describes the Security Operations Center (SOC)?
  Tags: Security Operations Center, SOC functions, security teams
- Question #53 (Security Concepts)
  Which term represents a potential danger that could take advantage of a weakness in a system?
  Tags: threat, vulnerability, risk, security concepts
- Question #54 (Host-Based Analysis)
  Which artifact is used to uniquely identify a detected file?
  Tags: file hash, digital forensics, malware analysis, file identification
- Question #55 (Network Intrusion Analysis)
  How does an attacker observe network traffic exchanged between two users?
  Tags: man-in-the-middle, network attacks, traffic interception, eavesdropping
- Question #56 (Host-Based Analysis)
  Refer to the exhibit. Which event is occurring?
  Tags: sandbox analysis, malware analysis, Cuckoo Sandbox, dynamic analysis
- Question #57 (Host-Based Analysis)
  What is a benefit of agent-based protection when compared to agentless protection?
  Tags: agent-based security, endpoint protection, host monitoring, security architecture
- Question #58 (Security Policies and Procedures)
  Which principle is being followed when an analyst gathers information relevant to a security incident to determine the appropriate course of action?
  Tags: incident response, decision making, security principles
- Question #59 (Host-Based Analysis)
  An engineer runs a suspicious file in a sandbox analysis tool to see the outcome. The analysis report shows that outbound callouts were made post infection. Which two pieces of inf...
  Tags: malware analysis, sandbox analysis, network forensics, C2 communication
- Question #60 (Host-Based Analysis)
  An analyst is exploring the functionality of different operating systems. What is a feature of Windows Management Instrumentation that must be considered when deciding on an operat...
  Tags: WMI, Windows security, system administration, Common Information Model
- Question #61 (Security Concepts)
  One of the objectives of information security is to protect the CIA of information and systems. What does CIA mean in this context?
  Tags: CIA triad, confidentiality, integrity, availability, security concepts
- Question #62 (Security Monitoring)
  What is rule-based detection when compared to statistical detection?
  Tags: rule-based detection, statistical detection, IDS/IPS, security analytics
- Question #63 (Security Policies and Procedures)
  What is personally identifiable information that must be safeguarded from unauthorized access?
  Tags: PII, data privacy, personal data
- Question #64 (Security Concepts)
  How does an SSL certificate impact security between the client and the server?
  Tags: SSL/TLS, encryption, HTTPS, transport layer security
- Question #65 (Security Concepts)
  Which type of exploit normally requires the culprit to have prior access to the target system?
  Tags: exploit types, local exploit, vulnerability
- Question #66 (Security Monitoring)
  Which identifier is used to describe the application or process that submitted a log message?
  Tags: syslog, logging, log analysis, facility
- Question #67 (Security Monitoring)
  Which type of data is used to monitor and detect anomalies within the organization's network?
  Tags: anomaly detection, statistical analysis, network monitoring, security analytics
- Question #68 (Network Intrusion Analysis)
  At which layer is deep packet inspection investigated on a firewall?
  Tags: deep packet inspection, OSI model, firewall, application layer
- Question #69 (Network Intrusion Analysis)
  Which open-source packet capture tool runs on Linux and Mac OS X operating systems?
  Tags: packet capture tools, tcpdump, network analysis tools, open-source tools
- Question #70 (Security Policies and Procedures)
  An organization has recently adjusted its security stance in response to online threats made by a known hacktivist group. What is the initial event called in NIST SP800-61?
  Tags: NIST SP800-61, incident response, precursor, threat intelligence
- Question #71 (Security Concepts)
  What is an attack surface as compared to a vulnerability?
  Tags: attack surface, vulnerability, security concepts, risk management
- Question #72 (Security Monitoring)
  What is a difference between SOAR and SIEM?
  Tags: SIEM, SOAR, security automation, security orchestration, threat management
- Question #73 (Network Intrusion Analysis)
  Refer to the exhibit. Which application protocol is in this PCAP file?
  Tags: PCAP analysis, protocol identification, HTTP, network traffic analysis
- Question #74 (Network Intrusion Analysis)
  Refer to the exhibit. What is the expected result when the "Allow subdissector to reassemble TCP streams" feature is enabled?
  Tags: packet analysis, TCP reassembly, Wireshark, network forensics
- Question #75 (Network Intrusion Analysis)
  What is a difference between inline traffic interrogation and traffic mirroring?
  Tags: traffic inspection, traffic mirroring, inline security, network tap, SPAN port
- Question #76 (Security Policies and Procedures)
  During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?
  Tags: forensic process, data collection, evidence integrity, incident response
- Question #77 (Security Policies and Procedures)
  Which NIST IR category stakeholder is responsible for coordinating incident response among various business units, minimizing damage, and reporting to regulatory agencies?
  Tags: NIST IR, incident response roles, management responsibilities, regulatory compliance
- Question #78 (Network Intrusion Analysis)
  An engineer receives a security alert that traffic with a known TOR exit node has occurred on the network. What is the impact of this traffic?
  Tags: TOR, anonymity networks, firewall circumvention, network monitoring, threat intelligence
- Question #79 (Security Concepts)
  Which of the following access control models uses security labels to make access decisions?
  Tags: access control models, MAC, security labels, RBAC, DAC
- Question #80 (Security Concepts)
  What is the main advantage of using a mandatory access control (MAC) model instead of a discretionary access control (DAC) model?
  Tags: access control models, MAC, DAC, security policy enforcement
- Question #81 (Security Concepts)
  How is attacking a vulnerability categorized?
  Tags: attack phases, exploitation, vulnerability, kill chain
- Question #82 (Host-Based Analysis)
  A system administrator is ensuring that specific registry information is accurate. Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?
  Tags: Windows Registry, HKEY_LOCAL_MACHINE, system configuration, host analysis
- Question #83 (Security Monitoring)
  What is the difference between statistical detection and rule-based detection models?
  Tags: intrusion detection, anomaly detection, signature-based detection, behavioral analysis
- Question #84 (Security Monitoring)
  Which step in the incident response process researches an attacking host through logs in a SIEM?
  Tags: incident response, SIEM, log analysis, detection and analysis
- Question #85 (Security Concepts)
  What is the difference between a threat and a risk?
  Tags: threat, risk, vulnerability, security concepts
- Question #86 (Network Intrusion Analysis)
  Which signature impacts network traffic by causing legitimate traffic to be blocked?
  Tags: intrusion prevention systems, IPS signatures, false positive, network traffic
- Question #87 (Security Concepts)
  Which attack is the network vulnerable to when a stream cipher like RC4 is used twice with the same key?
  Tags: stream cipher, RC4, key reuse, cryptographic attacks
- Question #88 (Security Concepts)
  What is ransomware?
  Tags: malware, ransomware, cyber threats
- Question #89 (Network Intrusion Analysis)
  Which two are examples of UDP-based attacks? (Choose two.)
  Tags: UDP attacks, denial of service, SQL Slammer, UDP flooding
- Question #90 (Host-Based Analysis)
  What causes events on a Windows system to show Event Code 4625 in the log messages?
  Tags: Windows logs, Event ID 4625, brute-force attack, host analysis
- Question #91 (Network Intrusion Analysis)
  Which evasion technique is indicated when an intrusion detection system begins receiving an abnormally high volume of scanning from numerous sources?
  Tags: IDS evasion, resource exhaustion, denial of service, intrusion detection
- Question #92 (Security Monitoring)
  Refer to the exhibit. What does the message indicate?
  Tags: web server logs, log analysis, HTTP status codes, access logs
- Question #93 (Security Concepts)
  What are two social engineering techniques? (Choose two.)
  Tags: social engineering, phishing, pharming
- Question #94 (Network Intrusion Analysis)
  Refer to the exhibit. What does the output indicate about the server with the IP address 172.18.104.139?
  Tags: port scanning, service identification, network reconnaissance
- Question #95 (Network Intrusion Analysis)
  Refer to the exhibit. This request was sent to a web application server driven by a database. Which type of web server attack is represented?
  Tags: SQL injection, web application attacks, database security
- Question #96 (Security Concepts)
  What is the difference between mandatory access control (MAC) and discretionary access control (DAC)?
  Tags: access control, MAC, DAC
- Question #97 (Host-Based Analysis)
  A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions. Which identifier tracks an active program?
  Tags: Linux processes, process ID, system investigation
- Question #98 (Security Monitoring)
  A malicious file has been identified in a sandbox analysis tool. Which piece of information is needed to search for additional downloads of this file by other hosts?
  Tags: file hash, IOCs, threat hunting, malware analysis
- Question #99 (Network Intrusion Analysis)
  Which attack method intercepts traffic on a switched network?
  Tags: ARP poisoning, MITM attacks, switched networks
- Question #100 (Security Monitoring)
  Which two elements are used for profiling a network? (Choose two.)
  Tags: network profiling, network baselining, traffic analysis