Free Cisco 200-201 Practice Exam with Questions & Answers | Set: 2

The packet capture exhibit shows that the source IP address is 192.168.122.100 and it is sending a packet from source port 50272 to destination port 80 of destination IP address 81.179.179.69 using TCP protocol. The TCP protocol is indicated by the Protocol field which has the value 6. The source and destination ports are indicated by the SrcPort and DstPort fields respectively. The source and destination IP addresses are indicated by the SrcAddr and DstAddr fields respectively. References := Cisco Cybersecurity Operations Fundamentals - Module 3: Network Data and Event Analysis

An attack surface is the sum of all the points where an attacker can try to enter or extract data from an environment. It includes all the hardware, software, network, and human components that are exposed to potential threats. An attack vector is the path or means by which an attacker can exploit a vulnerability in the attack surface. It describes the type, source, and technique of an attack, such as phishing, malware, denial-of-service, etc. References := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 1: Security Concepts, Lesson 1.1: The CIA Triad and Security Concepts, Topic 1.1.3: Threats, Vulnerabilities, and Exploits

Deep packet inspection (DPI) is a sophisticated method of examining the content of data packets as they pass through a network checkpoint, including both the header and the data payload. DPI is typically performed at the application layer of the Open Systems Interconnection (OSI) model. This allows the inspection process to evaluate the actual content of the packets, not just the header information, enabling the identification of various types of threats and the enforcement of network policies1.

References := The explanation aligns with the information provided by Digital Guardian, which details how DPI works and at which layer it is applied1.

The analyst is in the detection and analysis phase of the incident response process according to NIST SP800-61. In this phase, events are detected and analyzed to determine whether they constitute incidents that require a response. It involves monitoring security events or data collection, correlation, and analysis of log entries and network flow data, among others. The goal is to identify incidents quickly so that appropriate actions can be taken. References := NIST SP800-61, Computer Security Incident Handling Guide, Section 3.2: Detection and Analysis

 During the negotiation phase of the TLS handshake, the client sends a “ClientHello” message to the server which includes information about TLS versions it supports, cipher-suites it supports and suggested compression methods. This initiates communication protocols for secure connection. References := Cisco Cybersecurity source documents or study guide

Digital certificates are electronic documents that use public key cryptography to verify the identity and authenticity of the sender and the receiver of encrypted communications. Digital certificates are issued and signed by trusted entities called certificate authorities (CAs), and they contain information such as the public key, the name, and the expiration date of the certificate. Digital certificates enable network security devices to decrypt perimeter traffic and inspect it for command and control communications or other malicious activity. References := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 51.

Windows Management Instrumentation (WMI) provides a unified way for users to request system information, including hardware and software inventory data. The Common Information Model (CIM) is an open standard that defines how managed elements in an IT environment are represented as a common set of objects and relationships between them. References: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01100.html

Inline traffic interrogation analyzes traffic in real time and has the ability to prevent certain traffic from being forwarded Traffic mirroring doesn't pass the live traffic instead it copies traffic from one or more source ports and sends the copied traffic to one or more destinations for analysis by a network analyzer or other monitoring device

The purpose of command and control (C&C) for network-aware malware is to allow an attacker to remotely control compromised systems. This includes sending commands to the malware, receiving data from the infected host, and updating the malware to evade detection or enhance its capabilities.

References: The CBROPS course materials cover the topic of network-aware malware and the role of command and control servers in managing such malware

The CDFS (Compact Disc File System) format is associated with the ISO 9660 standard, which is a file system for optical disc media. It is commonly used in Windows systems for CDs. When a security expert works on an ISO file saved in CDFS format, it typically indicates that the data was prepared or copied using a Windows-based system. This is because CDFS is the file system that Windows uses to read and write CDs, and the ISO file is an image of that CD data1.

References :=

• Understanding CDFS (Compact Disc File System): A Comprehensive Guide2.
• What type of evidence is this file? - VCEguide.com