Last Updated on June 14, 2021 by InfraExam

CyberOps Associate (200-201) Certification Practice Exam Answers Full 100% 2021

  1. At the request of investors, a company is proceeding with cyber attribution with a particular attack that was conducted from an external source. Which security term is used to describe the person or device responsible for the attack?

    • fragmenter
    • skeleton
    • threat actor
    • tunneler
  2. Which term describes a threat actor who has advanced skills and pursues a social agenda?

    • script kiddie
    • organized crime
    • corporate/industrial spies
    • hacktivist
  3. What are two motivating factors for nation-state sponsored threat actors? (Choose two.)

    • financial gain
    • social or personal causes
    • industrial espionage
    • disruption of trade or infrastructure
    • showing off their hacking skill
  4. Match the definition to the Microsoft Windows term. (Not all options are used.)

  5. Match the definition to the Microsoft Windows term. (Not all options are used.)

  6. Match the Windows term to the description.

  7. Refer to the exhibit. A security specialist is checking if files in the directory contain ADS data. Which switch should be used to show that a file has ADS attached?

    • /a
    • /d
    • /r
    • /s
  8. Refer to the exhibit. Approximately what percentage of the physical memory is still available on this Windows system?

    • 32%
    • 53%
    • 68%
    • 90%
  9. Which Windows application is commonly used by a cybersecurity analyst to view Microsoft IIS access logs?

    • Event Viewer
    • Notepad
    • SIEM
    • Word
  10. Which Windows tool can be used by a cybersecurity administrator to secure stand-alone computers that are not part of an active directory domain?

    • Local Security Policy
    • Windows Defender
    • Windows Firewall
    • PowerShell
  11. What are three benefits of using symbolic links over hard links in Linux? (Choose three.)

    • Symbolic links can be exported.
    • They can be encrypted.
    • They can be compressed.
    • They can link to a directory.
    • They can show the location of the original file.
    • They can link to a file in a different file system.
  12. Match the description to the Linux term. (Not all options are used.)

  13. When attempting to improve system performance for Linux computers with a limited amount of memory, why is increasing the size of the swap file system not considered the best solution?

    • A swap file system only supports the ex2 file system.
    • A swap file system does not have a specific file system.
    • A swap file system cannot be mounted on an MBR partition.
    • A swap file system uses hard disk space to store inactive RAM content.
  14. Match the description to the Linux term. (Not all options are used.)

  15. Refer to the exhibit. A security analyst is reviewing the logs of an Apache web server. Which action should the analyst take based on the output shown?

    • Ignore the message.
    • Notify the server administrator.
    • Restart the server.
    • Notify the appropriate security administration for the country.
  16. Refer to the exhibit. Which technology would contain information similar to the data shown for infrastructure devices within a company?

    • Apache server
    • firewall
    • HIDS
    • syslog server
  17. Which two algorithms use a hashing function to ensure message integrity? (Choose two.)

    • SEAL
    • AES
    • 3DES
    • MD5
    • SHA
  18. Match the antimalware approach to the description.

  19. A security professional is making recommendations to a company for enhancing endpoint security. Which security endpoint technology would be recommended as an agent-based system to protect hosts against malware?

    • baselining
    • blacklisting
    • HIDS
    • IPS
  20. Which security endpoint setting would be used by a security analyst to determine if a computer has been configured to prevent a particular application from running?

    • baselining
    • blacklisting
    • services
    • whitelisting
  21. Which technique could be used by security personnel to analyze a suspicious file in a safe environment?

    • baselining
    • blacklisting
    • sandboxing
    • whitelisting
  22. Which type of evidence cannot prove an IT security fact on its own?

    • best
    • corroborative
    • hearsay
    • indirect
  23. A cybersecurity analyst has been called to a crime scene that contains several technology items including a computer. Which technique will be used so that the information found on the computer can be used in court?

    • log collection
    • rootkit
    • Tor
    • unaltered disk image
  24. Which SOC technology automates security responses by using predefined playbooks which require a minimum amount of human intervention?

    • SOAR
    • SIEM
    • NetFlow
    • Wireshark
    • syslog
  25. The SOC manager is reviewing the metrics for the previous calendar quarter and discovers that the MTTD for a breach of password security perpetrated through the Internet was forty days. What does the MTTD metric represent within the SOC?

    • the average time that it takes to stop and remediate a security incident
    • the average time that it takes to identify valid security incidents that have occurred
    • the time required to stop the incident from causing further damage to systems or data
    • window of time required to stop the spread of malware in the network
  26. Match the file system term used in Linux to the function.

  27. What is the first line of defense when an organization is using a defense-in-depth approach to network security?

    • IPS
    • edge router
    • firewall
    • proxy server
  28. What is the benefit of a defense-in-depth approach?

    • The effectiveness of other security measures is not impacted when a security mechanism fails.
    • The need for firewalls is eliminated.
    • All network vulnerabilities are mitigated.
    • Only a single layer of security at the network core is required.
  29. Match the security concept to the description.

  30. Which access control model allows users to control access to data as an owner of that data?

    • mandatory access control
    • nondiscretionary access control
    • discretionary access control
    • attribute-based access control
  31. What is the principle behind the nondiscretionary access control model?

    • It applies the strictest access control possible.
    • It allows access decisions to be based on roles and responsibilities of a user within the organization.
    • It allows users to control access to their data as owners of that data.
    • It allows access based on attributes of the object be to accessed.
  32. What is an example of privilege escalation attack?

    • A threat actor sends an email to an IT manager to request the root access.
    • A threat actor performs an access attack and gains the administrator password.
    • A DDoS attack is launched against a government server and causes the server to crash.
    • A port scanning attack finds that the FTP service is running on a server that allows anonymous access.
  33. Which access control model applies the strictest access control and is often used in military and mission critical applications?

    • discretionary
    • mandatory
    • nondiscretionary
    • attribute-based
  34. Match the information security component with the description.

  35. Which information security component is compromised in a DDoS attack?

    • confidentiality
    • accountability
    • integrity
    • availability
  36. Which access control model assigns security privileges based on the position, responsibilities, or job classification of an individual or group within an organization?

    • discretionary
    • role-based
    • mandatory
    • rule-based
  37. Which component is a pillar of the zero trust security approach that focuses on the secure access of devices, such as servers, printers, and other endpoints, including devices attached to IoT?

    • workforce
    • workflows
    • workloads
    • workplace
  38. Which type of evaluation includes the assessment of the likelihood of an attack, the type of threat actor likely to perpetrate such an attack, and what the consequences could be to the organization if the exploit is successful?

    • risk analysis
    • vulnerability identification
    • penetration testing
    • server profiling
  39. Which metric in the CVSS Base Metric Group is used with an attack vector?

    • the proximity of the threat actor to the vulnerability
    • the determination whether the initial authority changes to a second authority during the exploit
    • the presence or absence of the requirement for user interaction in order for an exploit to be successful
    • the number of components, software, hardware, or networks, that are beyond the control of the attacker and that must be present in order for a vulnerability to
    • be successfully exploited
  40. A cybersecurity analyst is performing a CVSS assessment on an attack where a web link was sent to several employees. Once clicked, an internal attack was launched. Which CVSS Base Metric Group Exploitability metric is used to document that the user had to click on the link in order for the attack to occur?

    • availability requirement
    • integrity requirement
    • scope
    • user interaction
  41. A security analyst is investigating a cyber attack that began by compromising one file system through a vulnerability in a custom software application. The attack now appears to be affecting additional file systems under the control of another security authority. Which CVSS v3.0 base exploitability metric score is increased by this attack characteristic?

    • scope
    • attack complexity
    • user interaction
    • privileges required
  42. What are the three impact metrics contained in the CVSS 3.0 Base Metric Group? (Choose three.)

    • attack vector
    • availability
    • confidentiality
    • exploit
    • integrity
    • remediation level
  43. A threat hunter is concerned about a significant increase in TCP traffic sourced from port 53. It is suspected that malicious file transfer traffic is being tunneled out using the TCP DNS port. Which deep packet inspection tool can detect the type of application originating the suspicious traffic?

    • Wireshark
    • NetFlow
    • NBAR2
    • syslog analyzer
    • IDS/IPS
  44. A security analyst is reviewing information contained in a Wireshark capture created during an attempted intrusion. The analyst wants to correlate the Wireshark information with the log files from two servers that may have been compromised. What type of information can be used to correlate the events found in these multiple data sets?

    • logged-in user account
    • ISP geolocation data
    • IP five-tuples
    • ownership metadata
  45. Which type of analysis relies on predefined conditions and can analyze applications that only use well-known fixed ports?

    • probabilistic
    • deterministic
    • statistical
    • log
  46. Which type of analysis relies on different methods to establish the likelihood that a security event has happened or will happen?

    • deterministic
    • log
    • statistical
    • probabilistic
  47. Refer to the exhibit. A security specialist is using Wireshark to review a PCAP file generated by tcpdump . When the client initiated a file download request, which source socket pair was used?

  48. Which three fields are found in both the TCP and UDP headers? (Choose three.)

    • options
    • source port
    • destination port
    • checksum
    • sequence number
    • window
  49. What is a feature of an IPS?

    • It can stop malicious packets.
    • It has no impact on latency.
    • It is deployed in offline mode.
    • It is primarily focused on identifying possible incidents.
  50. Match the security service with the description.

  51. Which field in the IPv6 header points to optional network layer information that is carried in the IPv6 packet?

    • flow label
    • version
    • traffic class
    • next header
  52. Which three IPv4 header fields have no equivalent in an IPv6 header? (Choose three.)

    • fragment offset
    • flag
    • identification
    • version
    • protocol
    • TTL
  53. Which data security component is provided by hashing algorithms?

    • key exchange
    • confidentiality
    • integrity
    • authentication
  54. What is a key difference between the data captured by NetFlow and data captured by Wireshark?

    • NetFlow provides transaction data whereas Wireshark provides session data.
    • NetFlow data is analyzed by tcpdump whereas Wireshark data is analyzed by nfdump .
    • NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.
    • NetFlow data shows network flow contents whereas Wireshark data shows network flow statistics.
  55. Refer to the exhibit. Which technology generated the event log?

    • Wireshark
    • web proxy
    • syslog
    • Netflow
  56. Match the IPS alarm with the description.

  57. What classification is used for an alert that correctly identifies that an exploit has occurred?

    • true positive
    • false positive
    • true negative
    • false negative
  58. What will match the regular expression ^83?

    • any string that begins with 83
    • any string that ends with 83
    • any string that includes 83
    • any string with values greater than 83
  59. Which regular expression would match any string that contains 4 consecutive zeros?

    • [0-4]
    • 0{4}
    • {0-4}
    • ^0000
  60. Using Tcpdump and Wireshark, a security analyst extracts a downloaded file from a pcap file. The analyst suspects that the file is a virus and wants to know the file type for further examination. Which Linux command can be used to determine the file type?

    • tail
    • file
    • ls -l
    • nano
  61. Which attack surface, defined by the SANS Institute, is delivered through the exploitation of vulnerabilities in web, cloud, or host-based applications?

    • host
    • human
    • network
    • software
  62. What is an example of a local exploit?

    • Port scanning is used to determine if the Telnet service is running on a remote server.
    • A threat actor performs a brute force attack on an enterprise edge router to gain illegal access.
    • A buffer overflow attack is launched against an online shopping website and causes the server crash.
    • A threat actor tries to gain the user password of a remote host by using a keyboard capture software installed on it by a Trojan.
  63. Which type of cyber attack is a form of MiTM in which the perpetrator copies IP packets off the network without modifying them?

    • IP spoofing
    • denial-of-service
    • eavesdropping
    • compromised key
  64. Which is an example of social engineering?

    • a computer displaying unauthorized pop-ups and adware
    • the infection of a computer by a virus carried by a Trojan
    • an anonymous programmer directing a DDoS attack on a data center
    • an unidentified person claiming to be a technician collecting user information from employees
  65. To which category of security attacks does man-in-the-middle belong?

    • DoS
    • access
    • reconnaissance
    • social engineering
  66. Which evasion method describes the situation that after gaining access to the administrator password on a compromised host, a threat actor is attempting to login to another host using the same credentials?

    • pivoting
    • traffic substitution
    • resource exhaustion
    • protocol-level misinterpretation
  67. What is the main goal of using different evasion techniques by threat actors?

    • to launch DDoS attacks on targets
    • to identify vulnerabilities of target systems
    • to gain the trust of a corporate employee in an effort to obtain credentials
    • to prevent detection by network and host defenses
  68. What are two examples of DoS attacks? (Choose two.)

    • phishing
    • ping of death
    • SQL injection
    • port scanning
    • buffer overflow
  69. Which attack is integrated with the lowest levels of the operating system of a host and attempts to completely hide the activities of the threat actor on the local system?

    • rootkit
    • traffic insertion
    • traffic substitution
    • encryption and tunneling
  70. Which type of evasion technique splits malicious payloads into smaller packets in order to bypass security sensors that do not reassemble the payloads before scanning them?

    • traffic insertion
    • protocol-level misinterpretation
    • pivoting
    • traffic fragmentation
  71. Which two attacks target web servers through exploiting possible vulnerabilities of input functions used by an application? (Choose two.)

    • SQL injection
    • port scanning
    • port redirection
    • trust exploitation
    • cross-site scripting
  72. Which security function is provided by encryption algorithms?

    • key management
    • authorization
    • integrity
    • confidentiality
  73. Which type of attack is carried out by threat actors against a network to determine which IP addresses, protocols, and ports are allowed by ACLs?

    • phishing
    • reconnaissance
    • denial of service
    • social engineering
  74. How can NAT/PAT complicate network security monitoring if NetFlow is being used?

    • It changes the source and destination MAC addresses.
    • It conceals the contents of a packet by encrypting the data payload.
    • It disguises the application initiated by a user by manipulating port numbers.
    • It hides internal IP addresses by allowing them to share one or a few outside IP addresses.
  75. Which statement describes the function provided by the Tor network?

    • It distributes user packets through load balancing.
    • It allows users to browse the Internet anonymously.
    • It conceals packet contents by establishing end-to-end tunnels.
    • It manipulates packets by mapping IP addresses between two networks.
  76. Which type of data is used by Cisco Cognitive Intelligence to find malicious activity that has bypassed security controls, or entered through unmonitored channels, and is operating inside an enterprise network?

    • alert
    • session
    • statistical
    • transaction
  77. Which tool captures full data packets with a command-line interface only?

    • nfdump
    • NBAR2
    • tcpdump
    • Wireshark
  78. Which Cisco appliance can be used to filter network traffic contents to report and deny traffic based on the web server reputation?

    • ASA
    • AVC
    • ESA
    • WSA
  79. Refer to the exhibit. A security analyst is reviewing an alert message generated by Snort. What does the number 2100498 in the message indicate?

    • the message length in bits
    • the Snort rule that is triggered
    • the session number of the message
    • the id of the user that triggers the alert
  80. When establishing a network profile for an organization, which element describes the time between the establishment of a data flow and its termination?

    • total throughput
    • session duration
    • routing protocol convergence
    • bandwidth of the Internet connection
  81. A network administrator is creating a network profile to generate a network baseline. What is included in the critical asset address space element?

    • the list of TCP or UDP processes that are available to accept data
    • the IP addresses or the logical location of essential systems or data
    • the time between the establishment of a data flow and its termination
    • the TCP and UDP daemons and ports that are allowed to be open on the server
  82. When establishing a server profile for an organization, which element describes the type of service that an application is allowed to run on the server?

    • user account
    • listening port
    • service account
    • software environment
  83. When a server profile for an organization is being established, which element describes the TCP and UDP daemons and ports that are allowed to be open on the server?

    • listening ports
    • service accounts
    • software environment
    • critical asset address space
  84. According to the Cyber Kill Chain model, after a weapon is delivered to a targeted system, what is the next step that a threat actor would take?

    • installation
    • exploitation
    • weaponization
    • action on objectives
  85. What will a threat actor do to create a back door on a compromised target according to the Cyber Kill Chain model?

    • Collect and exfiltrate data.
    • Add services and autorun keys.
    • Obtain an automated tool to deliver the malware payload.
    • Open a two-way communications channel to the CnC infrastructure.
  86. Which three things will a threat actor do to prepare a DDoS attack against a target system on the Internet? (Choose three.)

    • Collect and exfiltrate data.
    • Install attack software on zombies.
    • Install a black door on the target system.
    • Compromise many hosts on the Internet.
    • Obtain an automated tool to deliver the malware payload.
    • Establish two-way communications channels to the CnC infrastructure with zombies.
  87. Place the seven steps defined in the Cyber Kill Chain in the correct order.

  88. Which two actions should be taken during the preparation phase of the incident response life cycle defined by NIST? (Choose two.)

    • Fully analyze the incident.
    • Create and train the CSIRT.
    • Detect all the incidents that occurred.
    • Acquire and deploy the tools that are needed to investigate incidents.
    • Meet with all involved parties to discuss the incident that took place.
  89. During the detection and analysis phase of the NIST incident response process life cycle, which sign category is used to describe that an incident might occur in the future?

    • attrition
    • indicator
    • precursor
    • impersonation
  90. A company is applying the NIST.SP800-61 r2 incident handling process to security events. What are two examples of incidents that are in the category of precursor? (Choose two.)

    • an IDS alert message being sent
    • multiple failed logins from an unknown source
    • log entries that show a response to a port scan
    • a host that has been verified as infected with malware
    • a newly-discovered vulnerability in Apache web servers
  91. Match the NIST incident response life cycle phase with the description.

  92. What is defined in the policy element of the NIST incident response plan?

    • how to handle incidents based on the mission and functions of an organization
    • how the incident response team of an organization will communicate with organization stakeholders
    • the metrics used for measuring incident response capability in an organization
    • a roadmap for updating the incident response capability
  93. What is specified in the plan element of the NIST incident response plan?

    • metrics for measuring the incident response capability and effectiveness
    • organizational structure and the definition of roles, responsibilities, and levels of authority
    • priority and severity ratings of incidents
    • incident handling based on the mission of the organization
  94. Match the NIST incident response stakeholder with the role.

  95. Which NIST-defined incident response stakeholder is responsible for coordinating incident response with other stakeholders and minimizing the damage of an incident?

    • IT support
    • the legal department
    • management
    • human resources
  96. What is the responsibility of the IT support group when handing an incident as defined by NIST?

    • reviews the incident policies, plans, and procedures for local or federal guideline violations
    • performs actions to minimize the effectiveness of the attack and preserve evidence
    • coordinates the incident response with other stakeholders and minimizes the damage of an incident
    • performs disciplinary measures if an incident is caused by an employee
  97. What is the responsibility of the human resources department when handing a security incident as defined by NIST?

    • Coordinate the incident response with other stakeholders and minimize the damage of an incident.
    • Review the incident policies, plans, and procedures for local or federal guideline violations.
    • Perform actions to minimize the effectiveness of the attack and preserve evidence.
    • Perform disciplinary actions if an incident is caused by an employee.
5 1 vote
Article Rating
Notify of
Oldest Most Voted
Inline Feedbacks
View all comments