Cisco 200-201 Understanding Cybersecurity Operations Fundamentals (CBROPS) Exam Dumps and Practice Test Questions Set 7 Q 121-140


Question 121:

Which protocol operates at the Application Layer and is commonly used for secure file transfer?

A) SFTP (SSH File Transfer Protocol)

B) ARP

C) ICMP

D) OSPF

Answer: A

Explanation:

SFTP operates at the Application Layer of the OSI model and provides secure file transfer by encrypting both authentication credentials and data during transmission. SFTP runs over the SSH (Secure Shell) protocol, using port 22 by default, and provides confidentiality and integrity for file transfers between systems. Unlike FTP, which transmits credentials and data in cleartext, SFTP encrypts all communications, protecting against eavesdropping and man-in-the-middle attacks. Security analysts must understand SFTP to distinguish legitimate secure file transfer traffic from suspicious data exfiltration attempts, monitor SFTP logs for unauthorized access, configure secure file transfer solutions for incident response evidence collection, and distinguish SFTP from similar protocols like FTPS, which uses SSL/TLS rather than SSH. SFTP supports authentication through passwords or public key cryptography, enabling strong authentication mechanisms.

Question 122:

What is the primary purpose of a Security Information and Event Management (SIEM) system?

A) To aggregate, correlate, and analyze security logs from multiple sources for threat detection

B) To provide antivirus scanning for email attachments

C) To encrypt data at rest on storage devices

D) To manage user passwords across applications

Answer: A

Explanation:

SIEM systems aggregate security logs and events from diverse sources, including firewalls, IDS/IPS, servers, applications, and endpoints, into a centralized platform for correlation, analysis, and alerting. A SIEM provides real-time monitoring that identifies security incidents through correlation rules detecting attack patterns spanning multiple systems, normalized log formats enabling comparison across different technologies, retention of historical data supporting forensic investigations, compliance reporting demonstrating security controls, and automated alerting notifying analysts of suspicious activities. Security analysts use the SIEM for threat hunting by querying log data, for incident investigation by reconstructing attack timelines, and for identifying trends through dashboard visualization. Effective SIEM deployment requires proper log source configuration, tuning of correlation rules to reduce false positives, and analyst training on query languages and investigation workflows.

Question 123:

Which attack technique involves sending specially crafted packets with the same source and destination IP address?

A) Land attack

B) Smurf attack

C) SYN flood

D) DNS amplification

Answer: A

Explanation:

Land attacks send spoofed packets where source and destination IP addresses are identical, typically targeting the victim’s IP address in both fields. When vulnerable systems receive these malformed packets, they may enter infinite loops attempting to respond to themselves, causing system crashes, resource exhaustion, or denial of service. Modern operating systems include protections against land attacks by validating that source and destination addresses differ before processing packets. Security analysts should recognize land attack patterns in network traffic showing identical source/destination pairs, configure intrusion prevention systems to block such traffic, and understand that land attacks represent historical vulnerabilities largely mitigated in current systems but occasionally relevant when targeting legacy infrastructure. Land attacks differ from reflection attacks which use legitimate third parties rather than identical addresses.

Question 124:

What is the purpose of threat intelligence feeds in security operations?

A) To provide updated information about current threats, vulnerabilities, and indicators of compromise

B) To automatically patch all systems in the network

C) To generate phishing emails for security awareness training

D) To encrypt sensitive data before transmission

Answer: A

Explanation:

Threat intelligence feeds provide continuously updated information about emerging threats, attack techniques, malicious IP addresses, known malware hashes, compromised domains, and vulnerabilities being actively exploited. Security operations centers integrate threat intelligence into detection systems, enabling identification of known malicious indicators in network traffic and system logs, prioritization of alerts based on threat relevance and severity, proactive blocking of known bad actors, and contextual information supporting incident investigation. Feeds vary in quality, from open-source community sources to commercial premium feeds offering validated, timely intelligence with analyst commentary. Effective threat intelligence consumption requires automation integrating feeds with the SIEM, firewalls, and endpoint protection, validation processes ensuring feed accuracy, and analyst expertise in interpreting the relevance of intelligence to the organization's threat landscape.

Question 125:

Which Windows log records successful and failed authentication attempts?

A) Security log

B) Application log

C) System log

D) Setup log

Answer: A

Explanation:

The Windows Security log records authentication events including successful logons, failed logon attempts, account lockouts, privilege escalation, and policy changes. Event IDs such as 4624 indicate a successful logon, while 4625 records a failed logon attempt together with the failure reason. Security analysts monitor the Security log for brute force attacks (repeated failed authentications), unusual logon times suggesting compromised accounts, privilege escalation attempts, and lateral movement as attackers authenticate across systems. Security log analysis requires understanding event ID meanings, correlating events across multiple systems, and recognizing normal versus anomalous authentication patterns. Security logs must be enabled through audit policies, protected from tampering, and forwarded to centralized logging systems so they remain available during investigations even if the local system is compromised.
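The brute-force pattern described above (a burst of 4625 failures from one source, optionally followed by a 4624 success) as detection logic, added here as an example and not part of the exam material; the events are a constructed, simplified rendering of Security log records, and the field layout is an assumption.

```python
"""Brute-force detection over Windows Security log events (constructed sample)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # An account failed to log on
SUCCESS_LOGON = 4624  # An account was successfully logged on

# Constructed sample events, in the order the Security log would record them.
# Fields (assumed layout): (TimeCreated, EventID, TargetUserName, IpAddress)
SAMPLE_EVENTS = [
    ("2024-05-01 02:14:01", 4625, "jdoe", "203.0.113.7"),
    ("2024-05-01 02:14:03", 4625, "jdoe", "203.0.113.7"),
    ("2024-05-01 02:14:05", 4625, "admin", "203.0.113.7"),
    ("2024-05-01 02:14:08", 4625, "jdoe", "203.0.113.7"),
    ("2024-05-01 02:14:10", 4625, "jdoe", "203.0.113.7"),
    ("2024-05-01 02:14:12", 4625, "jdoe", "203.0.113.7"),
    ("2024-05-01 02:14:20", 4624, "jdoe", "203.0.113.7"),  # success after burst
    ("2024-05-01 09:00:00", 4625, "asmith", "10.0.0.5"),   # a single typo, benign
    ("2024-05-01 09:00:30", 4624, "asmith", "10.0.0.5"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for every source that produced at least
    `threshold` failed logons inside a sliding `window`.  A finding records the
    peak failure count, the user names tried, and whether a 4624 from the same
    source followed the burst within the window (likely account compromise)."""
    recent = defaultdict(deque)   # source_ip -> deque of (time, user) for 4625s
    findings = {}
    for ts, event_id, user, ip in events:
        t = parse_ts(ts)
        q = recent[ip]
        if event_id == FAILED_LOGON:
            q.append((t, user))
            while q and t - q[0][0] > window:   # drop failures older than window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"failed": 0, "users": set(),
                                             "success_after": None})
                f["failed"] = max(f["failed"], len(q))
                f["users"].update(u for _, u in q)
        elif (event_id == SUCCESS_LOGON and ip in findings
              and findings[ip]["success_after"] is None
              and q and t - q[-1][0] <= window):
            # success from a flagged source shortly after its failure burst
            findings[ip]["success_after"] = (user, ts)
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_EVENTS).items():
        print(ip, f)
```

The same per-source sliding window applies to forwarded logs from many hosts; add the computer name to the key to separate spraying across systems from hammering one host.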

Question 126:

What type of malware specifically targets industrial control systems and SCADA networks?

A) Stuxnet (and similar ICS-targeted malware)

B) Ransomware

C) Adware

D) Spyware

Answer: A

Explanation:

ICS-targeted malware like Stuxnet specifically attacks industrial control systems and SCADA infrastructure controlling physical processes in manufacturing, utilities, and critical infrastructure. Stuxnet demonstrated sophisticated capabilities including spreading through USB drives and network shares, exploiting multiple zero-day vulnerabilities, targeting specific Siemens PLCs controlling uranium enrichment centrifuges, and manipulating physical processes while hiding changes from operators. Modern ICS threats include variants targeting energy grids, water treatment facilities, and manufacturing systems. Security analysts protecting ICS environments must understand unique challenges including legacy systems, safety-critical operations preventing patching windows, network segmentation requirements, and protocol-specific threats. ICS security requires specialized monitoring tools understanding industrial protocols, air-gapped networks where possible, and incident response procedures accounting for physical safety implications.

Question 127:

Which Linux command displays active network connections and listening ports?

A) netstat

B) ifconfig

C) ping

D) traceroute

Answer: A

Explanation:

The netstat command displays active network connections, listening ports, routing tables, and network statistics on Linux systems. Security analysts use netstat during investigations to identify suspicious connections to external IPs, unexpected listening services suggesting backdoors, and processes associated with network activity. Common options include “netstat -tulpn” showing TCP and UDP listening ports with process IDs, “netstat -an” displaying all connections numerically, and “netstat -r” showing routing tables. Modern alternatives include “ss” offering enhanced performance and “lsof -i” showing files associated with network connections. Analysts must baseline normal network activity, recognize suspicious connections to unusual ports or foreign IPs, and correlate netstat findings with process information identifying malicious programs.

Question 128:

What is the primary purpose of network segmentation in security architecture?

A) To isolate systems into separate network zones limiting lateral movement and blast radius

B) To increase overall network bandwidth

C) To reduce the number of required switches

D) To simplify IP address management

Answer: A

Explanation:

Network segmentation divides networks into isolated zones or segments limiting lateral movement after attackers compromise initial systems and reducing blast radius from security incidents. Segmentation uses VLANs, firewalls, or physical separation creating security boundaries between zones like public-facing services, internal user networks, servers, management networks, and industrial control systems. Each segment implements appropriate security controls based on sensitivity and threat exposure. Security analysts benefit from segmentation through simplified monitoring of inter-zone traffic, reduced attack surface by limiting exposed services, containment of compromised systems within segments, and compliance with frameworks requiring network isolation. Effective segmentation requires identifying asset criticality, defining zone boundaries, implementing strict inter-zone access controls, and monitoring cross-segment traffic.

Question 129:

Which attack involves an attacker positioning themselves between two communicating parties to intercept or modify traffic?

A) Man-in-the-Middle (MITM) attack

B) DDoS attack

C) SQL injection

D) Cross-site scripting

Answer: A

Explanation:

Man-in-the-Middle attacks position attackers between legitimate communicating parties, enabling interception, eavesdropping, or modification of traffic without parties’ knowledge. MITM attacks exploit unencrypted communications, weak encryption, or compromised certificate authorities. Common MITM techniques include ARP spoofing on local networks, DNS spoofing redirecting traffic, rogue Wi-Fi access points mimicking legitimate networks, and SSL stripping downgrading HTTPS to HTTP. Security analysts detect MITM attacks through monitoring for ARP cache inconsistencies, unexpected certificate warnings, DNS resolution anomalies, and unusual network paths. Mitigation includes implementing encrypted communications with certificate pinning, validating certificate authenticity, using VPNs on untrusted networks, and deploying tools detecting ARP spoofing. Understanding MITM attacks helps analysts recognize compromise indicators and implement appropriate detective and preventive controls.
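The "ARP cache inconsistencies" indicator mentioned above as a small detector, added here as an example and not part of the exam material; the ARP reply observations are constructed, and the field layout is an assumption.

```python
"""Detect ARP spoofing indicators from observed ARP replies (constructed sample)."""
from collections import defaultdict

# Constructed ARP reply observations: (timestamp_s, sender_ip, sender_mac)
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # real gateway
    (2.0, "192.168.1.20", "aa:bb:cc:00:00:20"),   # a workstation
    (30.0, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by a new MAC
    (31.0, "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims the workstation
    (40.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # mapping flaps back to the real gateway
]


def detect_arp_inconsistencies(replies, known=None):
    """Return a list of alerts.  `known` is an optional trusted IP->MAC baseline
    (e.g. the gateway); any IP not in it is trusted on first sight.
    Two indicators are raised:
      ip_mac_change           - an IP is suddenly answered by a different MAC
      mac_claims_multiple_ips - one MAC answers for more than one IP (classic
                                two-sided ARP poisoning of gateway and victim)"""
    table = dict(known or {})        # current IP -> MAC view
    claimed = defaultdict(set)       # MAC -> set of IPs it has answered for
    alerts = []
    for ts, ip, mac in replies:
        prev = table.get(ip)
        if prev is None:
            table[ip] = mac
        elif prev != mac:
            alerts.append({"time": ts, "type": "ip_mac_change",
                           "ip": ip, "old": prev, "new": mac})
            table[ip] = mac
        if ip not in claimed[mac]:   # alert once per newly claimed IP
            claimed[mac].add(ip)
            if len(claimed[mac]) > 1:
                alerts.append({"time": ts, "type": "mac_claims_multiple_ips",
                               "mac": mac, "ips": sorted(claimed[mac])})
    return alerts


if __name__ == "__main__":
    for a in detect_arp_inconsistencies(
            SAMPLE_ARP_REPLIES, known={"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print(a)
```

DHCP reassignment and NIC replacement also produce ip_mac_change, so tune on the gateway and other static hosts first; a MAC answering for several IPs is the stronger signal.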

Question 130:

What is the purpose of a honeypot in cybersecurity?

A) To attract and study attackers by simulating vulnerable systems while collecting intelligence

B) To store backup copies of critical data

C) To encrypt sensitive information at rest

D) To manage user access permissions

Answer: A

Explanation:

Honeypots are decoy systems designed to attract attackers by simulating vulnerable systems, applications, or data, allowing security teams to observe attack techniques, collect malware samples, and gather threat intelligence without risking production systems. Honeypots range from low-interaction honeypots emulating specific services to high-interaction honeypots providing full operating systems. Benefits include early warning of scanning activity, distraction that delays attacks on real systems, intelligence on attacker tactics and tools, and legal evidence for prosecution. Security analysts deploy honeypots in isolated network segments, treat all honeypot activity as inherently suspicious, analyze collected data to identify attack patterns, and share intelligence with the broader community. Risks include honeypots becoming launchpads for attacking others if insufficiently isolated, so they require careful containment and monitoring.

Question 131:

Which protocol provides secure remote command-line access to network devices?

A) SSH (Secure Shell)

B) Telnet

C) FTP

D) SNMP

Answer: A

Explanation:

SSH provides encrypted remote command-line access to network devices, servers, and systems, replacing insecure Telnet which transmits credentials and commands in cleartext. SSH encrypts all communications including authentication and session data, supports multiple authentication methods including passwords and public key cryptography, and provides secure tunneling for other protocols. Security analysts use SSH for secure administrative access during incident response, secure file transfer via SCP or SFTP, and tunneling traffic through encrypted channels. Best practices include disabling password authentication favoring key-based authentication, changing default port 22 to reduce automated attacks, implementing fail2ban blocking repeated failed attempts, and maintaining SSH key hygiene with regular rotation. Analysts must recognize legitimate SSH traffic versus suspicious SSH tunneling for data exfiltration or command-and-control communications.

Question 132:

What type of attack uses multiple compromised systems to overwhelm a target with traffic?

A) Distributed Denial of Service (DDoS)

B) SQL injection

C) Cross-site scripting

D) Buffer overflow

Answer: A

Explanation:

DDoS attacks leverage multiple compromised systems (botnets) simultaneously flooding targets with traffic exceeding capacity and causing service disruption. DDoS attack types include volumetric attacks consuming bandwidth, protocol attacks exhausting connection state tables, and application layer attacks targeting specific application resources. Amplification attacks abuse legitimate services reflecting and amplifying traffic toward victims. Security analysts identify DDoS through monitoring for traffic volume anomalies, unusual source patterns, specific attack signatures, and service degradation. Mitigation includes upstream filtering at ISP level, content delivery networks absorbing attacks, rate limiting, and automated DDoS protection services. Analysts must distinguish DDoS from legitimate traffic spikes, identify attack vectors, and coordinate with network and service providers implementing countermeasures while maintaining evidence for investigations.

Question 133:

Which file format is commonly associated with malicious macro-based attacks in office documents?

A) .docm or .xlsm (macro-enabled Office files)

B) .txt

C) .pdf

D) .jpg

Answer: A

Explanation:

Macro-enabled Office files with extensions like .docm, .xlsm, and .pptm can execute VBA macros enabling malicious code execution when users open documents and enable macros. Attackers distribute macro malware through phishing emails with enticing subjects encouraging recipients to enable macros, triggering malware download, system compromise, or data theft. Security analysts recognize macro attacks through user reports of macro prompts in unexpected documents, analysis of VBA code showing malicious functions, and detection of macro-triggered network connections or process executions. Mitigation includes disabling macros by default, educating users about macro risks, implementing application control blocking unsigned macros, and using document sandboxing analyzing suspicious files safely. Modern attacks increasingly use alternative techniques as macro defenses improve.

Question 134:

What is the primary purpose of packet capture (PCAP) analysis in security investigations?

A) To examine detailed network traffic at the packet level for evidence and attack indicators

B) To configure firewall rules automatically

C) To generate security awareness training content

D) To manage software licenses

Answer: A

Explanation:

Packet capture analysis examines raw network traffic at the packet level, providing detailed visibility into communications for security investigations, incident response, and threat hunting. Tools like Wireshark, tcpdump, and tshark capture and analyze packets revealing application protocols, data content, communication patterns, and attack indicators invisible in log data. Analysts use PCAP for identifying malware command-and-control traffic, reconstructing attacker actions, extracting malicious payloads, validating IDS alerts, and discovering lateral movement. Effective PCAP analysis requires understanding network protocols, filtering techniques focusing on relevant traffic, and recognizing suspicious patterns. Challenges include large capture sizes, encrypted traffic limiting visibility, and privacy considerations requiring careful handling. Strategic capture at network choke points maximizes coverage while managing storage.

Question 135:

Which Windows command-line tool can be used to view and manage user accounts and groups?

A) net user / net localgroup

B) ping

C) ipconfig

D) tracert

Answer: A

Explanation:

Windows “net user” and “net localgroup” commands manage local user accounts and groups, displaying account information, creating or deleting accounts, and modifying group memberships. Security analysts use these commands during investigations to identify unauthorized accounts suggesting persistence mechanisms, check account privileges revealing privilege escalation, and audit group memberships ensuring proper access control. Common usage includes “net user” listing all accounts, “net user [username]” showing specific account details, “net localgroup administrators” displaying administrator group members, and “net user [username] /domain” querying domain accounts. Analysts compare current account states against baselines identifying anomalies, investigate suspicious account creation times, and validate that only authorized users possess administrative privileges during security assessments.

Question 136:

What type of security control is an intrusion detection system (IDS)?

A) Detective control

B) Preventive control

C) Corrective control

D) Deterrent control

Answer: A

Explanation:

An IDS functions as a detective control, identifying and alerting on suspicious activities or policy violations after they occur without actively blocking traffic. Detective controls complement preventive controls by providing visibility into attacks that bypass prevention, enabling investigation and response. An IDS analyzes network traffic or system activity against signatures of known attacks or baselines of normal behavior, generating alerts when suspicious patterns are detected. Security analysts rely on the IDS for threat visibility, attack detection, and incident investigation, while understanding that, unlike an IPS, an IDS does not prevent attacks. Effective IDS deployment requires tuning to reduce false positives, strategic sensor placement, integration with the SIEM for alert management, and analyst training on alert investigation. Understanding control types helps analysts implement defense in depth with complementary detective, preventive, and corrective controls.

Question 137:

Which attack technique exploits the trust relationship between a website and a user’s browser to execute malicious scripts?

A) Cross-Site Scripting (XSS)

B) SQL injection

C) DDoS

D) Man-in-the-Middle

Answer: A

Explanation:

Cross-Site Scripting exploits insufficient input validation allowing attackers to inject malicious JavaScript into web pages viewed by other users. XSS attacks leverage browsers’ trust in content from legitimate websites, executing attacker-controlled scripts in victims’ browsers with access to cookies, session tokens, and page content. XSS types include stored XSS persisting in databases, reflected XSS executing immediately from manipulated URLs, and DOM-based XSS exploiting client-side code. Security analysts identify XSS through web application scanning, monitoring for JavaScript execution anomalies, and analyzing user reports of suspicious browser behavior. Mitigation includes input validation, output encoding, Content Security Policy headers, and web application firewalls. Understanding XSS helps analysts recognize compromised websites, investigate data theft, and recommend remediation for vulnerable applications.

Question 138:

What is the purpose of a Security Operations Center (SOC)?

A) To provide centralized monitoring, detection, and response to security incidents

B) To develop software applications for the organization

C) To manage employee payroll and benefits

D) To coordinate physical building security only

Answer: A

Explanation:

SOCs provide centralized security monitoring, threat detection, incident response, and security operations for organizations. SOC analysts monitor security tools including SIEM, IDS/IPS, endpoint protection, and firewalls, investigating alerts, responding to incidents, and conducting threat hunting. SOC functions span multiple tiers with Level 1 analysts performing initial triage, Level 2 conducting deeper investigations, and Level 3 handling advanced threats and threat hunting. Effective SOCs require defined processes and playbooks, integrated security technologies, skilled analysts, and metrics measuring performance. SOC models include internal, outsourced, or hybrid approaches. Understanding SOC operations helps analysts recognize their roles in broader security programs, establish effective workflows, and coordinate responses across teams.

Question 139:

Which protocol is commonly targeted by attackers for DNS amplification attacks?

A) DNS (Domain Name System)

B) HTTP

C) SMTP

D) FTP

Answer: A

Explanation:

DNS amplification attacks abuse DNS servers: the attacker sends small queries with a spoofed source address (the victim's) to open recursive DNS resolvers, which send their much larger responses to the victim. Amplification factors reach 50:1 or higher, enabling attackers with limited bandwidth to generate massive traffic volumes that overwhelm targets. Attackers typically query ANY records, which produce the largest responses. Security analysts detect DNS amplification by monitoring for high volumes of DNS responses to a single destination, unusually large DNS packets, and specific query patterns. Mitigation includes disabling open recursive resolvers, implementing rate limiting on queries, and using response rate limiting. Organizations should configure DNS servers securely, monitor for abuse, and implement ingress filtering preventing IP spoofing. Understanding amplification attacks helps analysts identify DDoS sources and implement appropriate countermeasures.
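The detection signal described above (many large DNS responses converging on one destination that never sent the matching queries) as detection logic over summarized packets, added here as an example and not part of the exam material; the packet records are constructed, and the field layout is an assumption.

```python
"""Flag DNS amplification victims from summarized DNS packets (constructed sample)."""
from collections import defaultdict

# Constructed per-packet summaries, as an analyst might export from a PCAP.
# Fields (assumed layout): (timestamp_s, src_ip, src_port, dst_ip, dst_port, length_bytes, qtype)
SAMPLE_PACKETS = [
    # legitimate lookup: client asks the internal resolver, resolver answers
    (100.0, "10.0.0.5", 51234, "10.0.0.2", 53, 70, "A"),
    (100.1, "10.0.0.2", 53, "10.0.0.5", 51234, 150, "A"),
    # reflected ANY responses arriving at 10.0.0.9 from open resolvers;
    # 10.0.0.9 never sent these queries, so its address was spoofed
    (200.0, "198.51.100.10", 53, "10.0.0.9", 80, 3200, "ANY"),
    (200.0, "198.51.100.11", 53, "10.0.0.9", 80, 3100, "ANY"),
    (200.1, "198.51.100.12", 53, "10.0.0.9", 80, 3300, "ANY"),
    (200.1, "198.51.100.13", 53, "10.0.0.9", 80, 3250, "ANY"),
    (200.2, "198.51.100.14", 53, "10.0.0.9", 80, 3150, "ANY"),
]


def amplification_factor(query_bytes, response_bytes):
    """Bytes sent by the attacker versus bytes delivered to the victim."""
    return response_bytes / query_bytes


def detect_amplification(packets, min_responses=5, min_avg_bytes=1000):
    """Return {victim_ip: summary} for destinations receiving at least
    `min_responses` unsolicited DNS responses averaging `min_avg_bytes` or more.
    A response is unsolicited when no query from that destination to that
    resolver was observed earlier in the capture."""
    queries = set()                       # (client_ip, resolver_ip) pairs seen
    stats = defaultdict(lambda: {"responses": 0, "bytes": 0,
                                 "resolvers": set(), "any": 0})
    for ts, src, sport, dst, dport, length, qtype in packets:
        if dport == 53:
            queries.add((src, dst))
        elif sport == 53 and (dst, src) not in queries:
            s = stats[dst]
            s["responses"] += 1
            s["bytes"] += length
            s["resolvers"].add(src)
            s["any"] += qtype == "ANY"
    victims = {}
    for dst, s in stats.items():
        avg = s["bytes"] / s["responses"]
        if s["responses"] >= min_responses and avg >= min_avg_bytes:
            victims[dst] = {"responses": s["responses"],
                            "avg_bytes": round(avg),
                            "resolvers": len(s["resolvers"]),
                            "any_fraction": s["any"] / s["responses"]}
    return victims


if __name__ == "__main__":
    print(detect_amplification(SAMPLE_PACKETS))
    print("factor for a 64-byte ANY query answered with 3200 bytes:",
          amplification_factor(64, 3200))
```

Run on the edge of a network this tells you whether one of your own addresses is the victim; the same unsolicited-response test on a resolver's own outbound traffic shows whether that resolver is being used as the reflector.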

Question 140:

What is the primary purpose of digital forensics in cybersecurity?

A) To collect, preserve, analyze, and present digital evidence from security incidents for investigation

B) To develop new security software applications

C) To manage network infrastructure devices

D) To create marketing materials for security products

Answer: A

Explanation:

Digital forensics involves scientifically collecting, preserving, analyzing, and presenting digital evidence from computers, networks, and storage media supporting security investigations, legal proceedings, and incident response. Forensic processes include identifying evidence sources, preserving volatile data before shutdown, creating forensic images maintaining evidence integrity, analyzing artifacts revealing attacker actions, and documenting findings for reporting. Forensic analysts examine file systems, memory dumps, network traffic, logs, and registry data reconstructing timelines, identifying malware, attributing attacks, and determining scope. Proper forensic procedures maintain evidence chain of custody ensuring admissibility in legal proceedings. Understanding forensics helps security analysts preserve evidence during incident response, conduct thorough investigations, and support legal actions against attackers.
