Free Cisco 200-201 Actual Exam Questions
Dumps Box (DumpsBox) offers up-to-date practice exam questions for the CBROPS 200-201 certification exam, developed and validated by Cisco subject domain experts certified in Cisco 200-201. These practice questions are updated regularly, as we keep an eye on any recent changes in the CBROPS 200-201 syllabus, and when there is an update our team quickly adjusts the questions. This commitment to providing the best quality exam prep material to certification aspirants is what makes DumpsBox.com the best certification exam prep website. On top of that, our strong, yet strictly moderated, community-based feedback keeps the content clean and current. Each question has helpful community discussion that gives it extra perspective and introduces helpful resources for better exam preparation. This also saves students from outdated practice questions or illicit exam dumps that can have adverse effects on a career. Browse through our Cisco 200-201 exam questions and pass your exam on the first try.
known hacktivist group.
What is the initial event called in the NIST SP800-61?
B/C? The question says "adjusted in response to threats," which sounds like a warning sign before anything actually happens, matching precursor. But initial event might also mean what sets the attack in motion, so trigger fits that too.
C imo since the question says “initial event,” it points to the moment something actually kicks off, not just a warning or sign, so “trigger” fits better than “precursor.”
was targeting the company servers. According to the Cyber Kill Chain model, which step must be
assigned to this type of event?
B imo, delivery usually means sending the payload, which isn’t happening here. So it can’t be B. It’s definitely before exploitation, so reconnaissance (C) still feels right.
C vs A? The scan is definitely about gathering info, so it fits reconnaissance (C). Actions on objectives (A) usually means the attacker is already inside and doing their main goal, which this isn’t. Since it’s just scanning, not exploiting or delivering anything, C makes the most sense here.
recorded to preserve its integrity?
C. Labeling and recording evidence has to happen right when you collect it to make sure everything stays legit. If you wait until examination or reporting, there’s a risk the data could get mixed up or tampered with. Preservation starts from the moment you handle the evidence.
It’s C for sure. Labeling and recording happen as soon as you collect the data; you can’t wait until examination or reporting without risking contamination or losing the chain of custody.
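Added example (not part of the page or of any commenter's post): the point both replies make is that the hash and label taken at collection are the reference everything later is compared against. The script below records an evidence item at acquisition, re-hashes it at every hand-off, and shows that a single changed byte fails verification. The evidence bytes, identifiers and handler names are constructed for the example.

```python
"""Added example: hash and label evidence at collection time, then verify it at each hand-off."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of who handled which item, anchored on the hash taken at collection."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def _append(self, **fields) -> dict:
        entry = {"timestamp": datetime.now(timezone.utc).isoformat(), **fields}
        self.entries.append(entry)
        return entry

    def collect(self, evidence_id: str, data: bytes, collector: str, source: str) -> dict:
        """Label and hash the item the moment it is acquired; this hash is the reference value."""
        return self._append(action="collected", evidence_id=evidence_id, handler=collector,
                            source=source, size=len(data), sha256=sha256_hex(data))

    def reference_hash(self, evidence_id: str) -> str:
        for entry in self.entries:
            if entry["evidence_id"] == evidence_id and entry["action"] == "collected":
                return entry["sha256"]
        raise KeyError(f"{evidence_id} was never recorded at collection")

    def verify(self, evidence_id: str, data: bytes) -> bool:
        """True only if the bytes still match the hash recorded at collection."""
        return sha256_hex(data) == self.reference_hash(evidence_id)

    def transfer(self, evidence_id: str, data: bytes, from_handler: str, to_handler: str) -> dict:
        """Each hand-off re-hashes the item and records whether it still matches the reference."""
        ok = self.verify(evidence_id, data)
        return self._append(action="transferred", evidence_id=evidence_id, handler=to_handler,
                            from_handler=from_handler, sha256=sha256_hex(data), integrity_ok=ok)

    def dump(self) -> str:
        return json.dumps(self.entries, indent=2)


# Constructed sample "evidence": a short byte string standing in for a disk image.
DISK_IMAGE = b"constructed sample image bytes 0123456789"


def demo() -> tuple:
    """Collect, hand off, then verify both the intact image and a copy with one byte changed."""
    log = CustodyLog()
    log.collect("EV-001", DISK_IMAGE, collector="analyst1", source="host ws-42 /dev/sda (constructed)")
    log.transfer("EV-001", DISK_IMAGE, "analyst1", "examiner2")
    intact = log.verify("EV-001", DISK_IMAGE)
    tampered = log.verify("EV-001", DISK_IMAGE[:-1] + b"X")
    return intact, tampered, log


if __name__ == "__main__":
    intact, tampered, log = demo()
    print(log.dump())
    print("intact:", intact, "tampered copy:", tampered)
```

The design choice worth noting: `verify` always compares against the hash recorded by `collect`, never against the most recent transfer entry, so a substitution made during a hand-off cannot become the new baseline.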

What must be interpreted from this packet capture?
C. The source port 80 shows it's likely a server responding to the client at a high destination port, which matches common TCP behavior in web traffic.
Amit G. imo, option C fits better since port 80 is usually the server’s source port replying back, and the high port 49098 would be the client’s destination port in that case.
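Added example (not from the page or the commenters): the reasoning in the two replies above, written as code. The script decodes a constructed IPv4/TCP packet (the bytes are made up for this example, not the exam exhibit), pulls out the ports and flags, and infers direction from the handshake flags first and the port numbers second. The "well-known port is the server" rule is a heuristic assumption; it is stated as such in the code.

```python
"""Added example: decode a constructed IPv4/TCP packet and infer which side is the server."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG)]

# Constructed sample: 20-byte IPv4 header followed by a 20-byte TCP header, no payload.
SAMPLE_PACKET = bytes.fromhex(
    "45000028" "00010000" "4006" "0000"   # IPv4: v4, IHL 5, total len 40, TTL 64, proto 6 (TCP), csum 0
    "c0a80001" "c0a80064"                 # src 192.168.0.1 (web server), dst 192.168.0.100 (client)
    "0050" "bfca"                         # TCP src port 80, dst port 49098
    "00000001" "00000002"                 # seq 1, ack 2
    "5012" "ffff" "0000" "0000"           # data offset 5, flags SYN|ACK, window, csum, urgent ptr
)


def infer_direction(src_port: int, dst_port: int, flags: int) -> str:
    """Handshake flags are authoritative; port numbers are a heuristic (assumed: servers on <=1023)."""
    if flags & SYN and not flags & ACK:
        return "client->server"        # a bare SYN is only ever sent by the connecting side
    if flags & SYN and flags & ACK:
        return "server->client"        # SYN/ACK is only ever sent by the listening side
    if src_port <= 1023 < dst_port:
        return "server->client"        # well-known source port replying to an ephemeral port
    if dst_port <= 1023 < src_port:
        return "client->server"
    return "indeterminate"             # both ports high or both low: need the handshake to tell


def parse_packet(pkt: bytes) -> dict:
    """Return addresses, ports, flag names and the inferred direction for one IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not a TCP segment")
    src_ip = ".".join(str(b) for b in pkt[12:16])
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    src_port, dst_port, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    flags = off_flags & 0x01FF         # low 9 bits of the offset/flags word are the TCP flags
    names = [name for name, bit in FLAG_NAMES if flags & bit]
    return {
        "src": f"{src_ip}:{src_port}", "dst": f"{dst_ip}:{dst_port}",
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "flags": names, "direction": infer_direction(src_port, dst_port, flags),
    }


if __name__ == "__main__":
    print(parse_packet(SAMPLE_PACKET))
```

When the handshake is not in the capture, the port heuristic is all you have, so treat "server->client" from a bare data segment as a guess rather than a fact; services listening on high ports (8080, 8443) will defeat it.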
Maybe B makes sense too because data normalization specifically targets cleaning and structuring data, which includes removing unwanted events to keep things consistent. D feels broader and less specific here.
I think D makes more sense because data protection is all about maintaining integrity, which includes removing faulty or corrupted IPS events. Not just cleaning like normalization, but actively safeguarding the data. D
(DAC)?
C/D? MAC is more about system or admin control, not owners, and DAC lets owners decide access. D sounds off since MAC isn’t just object-based but policy-based, so C seems clearer here.
Maybe C makes sense too because MAC is generally enforced by the system or security policies set by administrators, not the owners themselves. DAC usually gives the owner control over permissions, which matches the idea that it’s less rigid and more user-driven. A is close but the way it phrases MAC being controlled by an administrator doesn’t fully capture that it’s enforced by the system or a central policy, so C seems like a clearer distinction here.
responds back with its certificate for identification.
Which information is available on the server certificate?
A/D? The private key is definitely not on the certificate, so A and C can be ruled out. Between B and D, B mentions cipher suites which aren’t in certs. So D seems like the only logical choice.
D imo, the cert definitely has the public key and the CA info, plus the server’s identity like CN. Private keys or cipher suites wouldn’t be part of it, so D fits best.

What is occurring in this network?
It’s D since the MAC table overflow clearly signals a MAC flooding attack here.
D imo, the key is the switch's MAC table being overwhelmed with fake addresses, which matches a MAC flooding attack. ARP or DNS cache poisoning wouldn’t cause this many MAC entries to appear.
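Added example (not part of the page or the replies): a toy switch model showing why an overflowing MAC table matters. The CAM table has a fixed capacity; once an attacker fills it with forged source addresses, a legitimate host whose entry ages out can no longer be relearned, so frames to it are flooded out every port, including the attacker's. A port-security style check then flags the port that sourced far too many distinct MACs. Capacity, ports and MAC addresses are all constructed for the example.

```python
"""Added example: toy CAM table, a MAC flooding attack against it, and a per-port MAC-count detector."""
from collections import OrderedDict, defaultdict


class ToySwitch:
    """Learns source MACs per port up to `capacity` entries; unknown destinations are flooded."""

    def __init__(self, ports: list, capacity: int) -> None:
        self.ports = ports
        self.capacity = capacity
        self.cam = OrderedDict()                     # mac -> port
        self.seen_per_port = defaultdict(set)        # every source MAC offered on each port

    def learn(self, src_mac: str, in_port: int) -> bool:
        self.seen_per_port[in_port].add(src_mac)
        if src_mac in self.cam:
            self.cam[src_mac] = in_port
            return True
        if len(self.cam) >= self.capacity:
            return False                             # table full: the address cannot be learned
        self.cam[src_mac] = in_port
        return True

    def age_out(self, mac: str) -> None:
        self.cam.pop(mac, None)

    def receive(self, src_mac: str, dst_mac: str, in_port: int) -> list:
        """Return the egress ports: the one known port, or all other ports (flood) if unknown."""
        self.learn(src_mac, in_port)
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return [p for p in self.ports if p != in_port]

    def ports_over_limit(self, max_macs: int) -> list:
        """Port-security style check: ports that have sourced more distinct MACs than allowed."""
        return sorted(p for p, macs in self.seen_per_port.items() if len(macs) > max_macs)


def fake_mac(i: int) -> str:
    """Constructed locally-administered MAC for the attacker's i-th forged frame."""
    return f"02:00:00:00:{(i >> 8) & 0xFF:02x}:{i & 0xFF:02x}"


HOST_A, HOST_B, BCAST = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "ff:ff:ff:ff:ff:ff"


def run_attack(capacity: int = 64, attacker_port: int = 3) -> dict:
    sw = ToySwitch(ports=[1, 2, 3], capacity=capacity)
    sw.receive(HOST_A, BCAST, 1)                     # host A on port 1 announces itself
    sw.receive(HOST_B, BCAST, 2)                     # host B on port 2
    before = sw.receive(HOST_A, HOST_B, 1)           # A->B is switched to port 2 only
    for i in range(capacity * 4):                    # attacker floods forged source MACs
        sw.receive(fake_mac(i), BCAST, attacker_port)
    sw.age_out(HOST_B)                               # B's entry ages out...
    for i in range(capacity * 4, capacity * 5):      # ...while the flood keeps the table full
        sw.receive(fake_mac(i), BCAST, attacker_port)
    sw.receive(HOST_B, HOST_A, 2)                    # B cannot be relearned now
    after = sw.receive(HOST_A, HOST_B, 1)            # A->B is flooded, so the attacker sees it
    return {"table_size": len(sw.cam), "before": before, "after": after,
            "suspect_ports": sw.ports_over_limit(max_macs=5)}


if __name__ == "__main__":
    print(run_attack())
```

The detector is deliberately the same idea as switch port security with a maximum MAC count: on an access port, more than a handful of source addresses is itself the alarm, independent of whether the table has actually overflowed yet.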

An engineer received a ticket about a slowed-down web application. The engineer runs the #netstat -an command. How must the engineer interpret the results?
C makes sense since a SYN_RECV backlog usually means a SYN flood attack is underway.
Can someone confirm if SYN_RECV count is unusually high here? That’s key.
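Added example (not part of the page or either comment): the check the second reply asks for, as a script. It parses `netstat -an` style output and flags a port when half-open connections (SYN_RECV) dominate the established ones and come from many distinct sources. The netstat lines are constructed for the example, not the output from the ticket, and the thresholds are assumed values to tune per environment.

```python
"""Added example: parse `netstat -an` output and flag a SYN flood pattern on a port."""
from collections import Counter

# Constructed sample output in Linux netstat formatting (not the output from the ticket).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.23:40001     SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.24:40002     SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.25:40003     SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.26:40004     SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.27:40005     SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.28:40006     SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.29:40007     SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.30:40008     SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.10:55000        ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""


def parse_netstat(text: str) -> list:
    """Return one record per TCP socket line: local port, foreign IP and state."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue                                 # headers and UDP lines carry no state column
        local, foreign, state = fields[3], fields[4], fields[5]
        records.append({
            "local_port": int(local.rsplit(":", 1)[1]),
            "foreign_ip": foreign.rsplit(":", 1)[0],
            "state": state,
        })
    return records


def assess_syn_flood(records: list, port: int, min_half_open: int = 5, ratio: float = 2.0) -> dict:
    """Flag `port` when SYN_RECV sockets are numerous, outnumber ESTABLISHED by `ratio`, and are spread over many sources.

    `min_half_open` and `ratio` are assumed thresholds for this example; a real baseline comes from
    the normal SYN_RECV count of the host.
    """
    on_port = [r for r in records if r["local_port"] == port]
    states = Counter(r["state"] for r in on_port)
    half_open = states.get("SYN_RECV", 0)
    established = states.get("ESTABLISHED", 0)
    sources = {r["foreign_ip"] for r in on_port if r["state"] == "SYN_RECV"}
    flagged = half_open >= min_half_open and half_open >= ratio * max(established, 1)
    return {"port": port, "states": dict(states), "half_open_sources": len(sources),
            "syn_flood_suspected": flagged}


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    print(assess_syn_flood(recs, 80))
    print(assess_syn_flood(recs, 22))
```

A high SYN_RECV count is the key indicator, but it is not proof by itself: a backend that stopped answering, or asymmetric routing that drops the client's final ACK, produces the same state on the server, so confirm with source diversity (spoofed floods show many never-seen IPs) and with packet rates before calling it an attack.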
Not B, using web apps doesn't prevent buffer overflows at all. Variable randomization (A) helps but mainly makes exploitation harder, so C really fits best since it stops bad input from causing overflow.
Makes sense to rule out B and D since web apps and OS choice alone don’t stop overflows. C seems solid because cleaning inputs directly stops buffer overflow attempts at the source. That’s my pick: C.
network. What is the impact of this traffic?
Makes sense to rule out A and B since those are more about specific activities, not the network impact. D feels right since TOR is mostly used to bypass firewalls, so I’d go with D.
D imo, TOR’s main use is to dodge restrictions like firewalls, so the primary impact is users bypassing security controls. While data exfiltration (C) is possible, the question seems more focused on the network-level effect rather than specific malicious activities. Since the alert flags TOR exit node traffic, it’s most likely highlighting someone going around firewall rules rather than an automatic sign of ransomware or copyright issues. Without explicit signs of data theft or malware, D fits best as the direct impact.
approach is to push back the cyber kill chain and mitigate ongoing incidents. At which phase of the
cyber kill chain should the security team mitigate this type of attack?
It’s C for me. Even if spam is active, knowing how attackers gather info helps predict and block future campaigns earlier, making reconnaissance a key phase to disrupt planning and reduce spam effectiveness.
It’s B. If the spam’s actively coming through, cutting it off during delivery stops it from reaching users and reduces the chance of further infection or spreading.
C, vulnerability is the weakness, risk is what happens if it’s exploited.
A seems off because it separates vulnerability as just entry points, missing that it’s about weaknesses. Risk definitely includes the chance something bad happens, not just the possibility of entry.
incomprehensible without a specific key, certificate, or password?
D imo, since steganography hides data inside other files making it practically indecipherable without knowing where or how to look, even if you don’t have a key or password.
C, because neither fragmentation nor pivoting changes the data itself; only encryption actually scrambles it so you need a key to make sense of it.
complexity. How is this type of conversation classified?
D, because asking those questions is classic info gathering for manipulation.
This sounds like D because it’s about manipulating someone into revealing info, no matter if they’re successful or not. D