Free Cisco 200-201 Practice Exam with Questions & Answers | Set: 3

The attack vector score in the Common Vulnerability Scoring System (CVSS) reflects how a vulnerability can be exploited. A higher score is given when the attack can be conducted remotely, making it easier for an attacker to exploit the vulnerability without physical access to the vulnerable component3. References: The CVSS specification document provides a detailed explanation of how the attack vector score is determined, emphasizing the impact of the ease of exploitation on the score

 SSL Certificate guarantees the integrity and authenticity of all messages transferred to and from a web application. It encrypts the data transferred between the user’s browser and the website, ensuring that all data passed between them remains private and integral. References := Cisco CyberOps Engineer - Module 3: Secure Communications

To search for additional downloads of a malicious file by other hosts, the file hash value is needed. The hash value provides a unique identifier for each specific file version, enabling cybersecurity professionals to track down identical files across networks. References := Cisco Certified CyberOps Associate Overview

Full packet capture data involves storing the entire content of packets that traverse a network. This type of data is comprehensive and allows for detailed analysis but requires a significant amount of storage space compared to other data types like transaction, statistical, or session data. References := Cisco Cybersecurity Operations Fundamentals - Module 3: Network Data and Event Analysis

Social engineering techniques often involve manipulating individuals into divulging confidential information or performing actions that compromise security. Phishing involves sending fraudulent messages (often emails) that appear to be from reputable sources with the goal of stealing sensitive data or installing malware. Pharming redirects the traffic of a legitimate website to another fraudulent website without the user’s knowledge, aiming to collect the user’s credentials. References := Cisco Cybersecurity Source Documents

When a company workstation is compromised, the stakeholders that must be involved are the ones who are responsible for the security incident response process. According to the table, these are Employee 4 (Security Operation Center Analyst), Employee 6 (Head of Network and Security Infrastructure Services), and Employee 7 (Technical Director). The other employees have different roles that are not directly related to the incident response process, such as accounting, financial management, or system administration. References := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 1: Security Concepts, Lesson 1.4: Security Monitoring, Topic 1.4.1: Security Operations Center

• According to NIST SP800-61, the incident response lifecycle consists of four phases: Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-Incident Activity.
• When a SOC team member checks the Cisco Firepower Manager dashboard for further isolation actions, they are working within the Eradication and Recovery phase.
• This phase focuses on removing the threat from the environment and recovering affected systems to normal operations.

References

• NIST SP800-61 Computer Security Incident Handling Guide
• Incident Response Phases Explained
• Role of SOC in Incident Response

The Cuckoo report indicates that the file has been identified by Yara rules as being capable of detecting a sandbox environment, which is a security mechanism for isolating and analyzing suspicious code. The presence of the “vmdetect” and “anti_dog” Yara rules suggests that the file may have mechanisms to avoid executing its malicious behavior when it detects that it is being analyzed in a sandbox. This is a common evasion technique used by malware to prevent detection and analysis by security researchers or automated systems.

References: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) and other Cisco cybersecurity resources discuss malware analysis and the use of sandbox environments to safely execute and study potential malware. These resources also cover the topic of evasion techniques used by malware to avoid detection.

• A Distributed Denial of Service (DDoS) attack involves multiple compromised devices (botnet) sending a large number of requests to a target server to overwhelm it.
• In a specific type of DDoS attack known as an NTP amplification attack, the attacker exploits the Network Time Protocol (NTP) servers by sending small queries with a spoofed source IP address (the target’s IP).
• The NTP server responds with a much larger reply to the target’s IP address, thereby amplifying the traffic directed at the target.
• This reflection and amplification technique significantly increases the volume of traffic sent to the target, causing denial of service.

References

• OWASP DDoS Attack Overview
• NTP Amplification Attack Explained
• Understanding Botnets and Distributed Attacks

 Tap and SPAN are two methods of capturing network traffic for analysis. Tap (Test Access Point) is a hardware device that is inserted between two network devices and sends a copy of all traffic to a monitoring device. SPAN (Switched Port Analyzer) is a software feature that allows a network switch to replicate traffic from one or more source ports to a destination port, where a monitoring device is connected. Both methods provide visibility into network traffic, but Tap is more reliable and less intrusive than SPAN, as it does not affect the network performance or introduce errors. References := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 68.