200-201 Sample Questions Answers

 The alert from the Cisco ASA device and the numerous activity logs are examples of circumstantial evidence. Circumstantial evidence is evidence that relies on an inference or deduction to connect it to a conclusion of fact, such as a security incident or an attack. Circumstantial evidence does not directly prove the fact in question, but rather suggests or implies it. In this case, the alert and the logs indicate that a TCP connection attempt was denied by an access group, but they do not directly prove that an attack occurred or who was behind it. There could be other explanations for the denied connection, such as a misconfiguration, a network error, or a legitimate request. Therefore, this type of evidence is circumstantial and requires further investigation and analysis to confirm or rule out the possibility of an attack. References := Circumstantial evidence - Wikipedia; Circumstantial Evidence - Definition, Examples, Cases, Processes; Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 92.

Port scanning is a technique that an attacker uses to discover which network ports are open, closed, or filtered on a target device. By sending packets to different ports and observing the responses, an attacker can identify the services and applications running on the device, as well as potential vulnerabilities that can be exploited. Port scanning is a common reconnaissance activity that precedes an attack. References: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 2-6; 200-201 CBROPS - Cisco, exam topic 1.1.a

Wireshark is a widely-used network protocol analyzer that allows users to capture and interactively browse the traffic running on a computer network. It provides full packet capture capabilities, enabling detailed analysis of network traffic. References: This is supported by the CBROPS course materials, which discuss security monitoring and the analysis of network traffic, including full packet capture tools like Wireshark

The principle of least privilege states that users and processes should be granted only the minimum permissions necessary to perform their specific role or function within an organization. This reduces the attack surface and limits the potential damage of a compromised account or process. References:

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 1: Security Concepts, Lesson 1.2: Security Principles

Cisco Certified CyberOps Associate Overview, Exam Topics, 1.1 Explain the CIA triad

SQL injection is a type of injection attack where malicious SQL statements are inserted into an entry field for execution.

The primary way to prevent SQL injection is by validating and sanitizing user input. This involves checking the input for malicious content and ensuring it adheres to expected patterns.

Prepared statements (parameterized queries) are also highly effective, as they treat user input as data rather than executable code.

Implementing these practices ensures that any input received from users does not manipulate SQL queries in a harmful way.

References

OWASP SQL Injection Prevention Cheat Sheet

Best Practices for Input Validation and Sanitization

Secure Coding Guidelines

A man-in-the-middle attack is a type of cyberattack where an attacker intercepts and alters the communication between two parties who believe they are directly communicating with each other. In this case, the attacker is impersonating mail.google.com and presenting a fake certificate to the endpoint device. The endpoint device detects that the certificate is not issued by a trusted authority and displays an error message. The attacker can then monitor or modify the traffic between the endpoint device and mail.google.com. References:

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, Module 3: Host-Based Analysis, Lesson 3.2: Endpoint Security Technologies

200-201 CBROPS - Cisco, Exam Topics, 3.0 Host-Based Analysis, 3.2 Compare and contrast the functionality of these endpoint security technologies

Cisco Certified CyberOps Associate Overview - Cisco Learning Network, Videos, 3.2 Compare and contrast the functionality of these endpoint security technologies

The exhibit shows a Stealthwatch dashboard displaying information on alarming hosts, alarms by type, and today’s alarms. On the left side under “Top Alarming Hosts,” there are five host IP addresses listed with their respective categories indicating different types of alerts including ‘Data Hoarding’ and ‘Exfiltration.’ In “Alarms by Type” section at center top part of image shows bar graphs representing various alarm types including ‘Crypto Violation’ with their respective counts. On right side under “Today’s Alarms,” there’s a table showing the details of each alarm such as the host IP, the alarm type, the severity, and the time. The potential threat identified in this dashboard is that host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91, which is a sign of data exfiltration. Data exfiltration is the unauthorized transfer of data from a compromised system to an external destination, such as a command and control server or a malicious actor. This can result in data loss, breach of confidentiality, and damage to the organization’s reputation and assets. References := Cisco Cybersecurity Operations Fundamentals - Module 7: Network and Host Forensics

FAT is a file system that organizes and stores data on a disk. However, FAT has a limitation of 4 GB for the maximum file size, which means that any file larger than that will be corrupted. To resolve this issue, the engineer can use FAT32, which is an improved version of FAT that supports files up to 32 GB. Alternatively, the engineer can use other file systems that have higher file size limits, such as Ext4 or NTFS. References := Cisco Cybersecurity Operations Fundamentals, Module 5: Security Policies and Procedures, Lesson 5.1: Data Retention, Topic 5.1.1: Data Retention Policies and Procedures

A certificate authority (CA) is a trusted entity that issues and manages digital certificates for secure communication over the internet. A digital certificate is a document that contains the public key and the identity of the owner of the key. A CA impacts security by validating the domain identity of the SSL certificate, which is a type of digital certificatethat enables encrypted communication between a web server and a web browser. The CA verifies that the domain name in the certificate matches the domain name of the web server, and signs the certificate with its own private key. The web browser can then verify the signature of the CA and trust the identity of the web server. References := Cisco Cybersecurity Operations Fundamentals, Module 2: Security Monitoring, Lesson 2.3: Cryptography and PKI, Topic 2.3.2: Public Key InfrastructureReference:https://en.wikipedia.org/wiki/Certificate_authority

Corroborative evidence is the type of evidence that supports a theory or an assumption that results from initial evidence. It provides additional support to the initial findings, strengthening the theory or assumption by confirming the same facts or pointing towards the same conclusion with independent pieces of evidence4567.

References := Types of evidence (article) | Lessons | Khan Academy, Evidence: Fundamental Concepts and the Phenomenal Conception, Navigating Scientific Evidence: Types and Definitions, How Courts Work - American Bar Association

A greylist in endpoint applications refers to a list of items that are not yet classified as either good (whitelisted) or bad (blacklisted).

The primary function of a greylist is to hold applications, processes, or files that are under observation due to their unknown status.

These items are neither trusted nor immediately flagged as harmful, allowing security teams to monitor them closely for any suspicious behavior.

By placing items on a greylist, security operations can prevent potential threats without disrupting legitimate processes, awaiting further analysis to determine their true nature.

References

Cisco Cybersecurity Operations Fundamentals

Endpoint Security Best Practices

Greylisting Concepts in Cybersecurity

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network traffic. It collects metadata of the IP traffic flowing across networking devices like routers and switches. On the other hand, Traffic mirroring involves capturing all the data packets that flow through a particular point in the network to analyze or inspect them later. References := Cisco Cybersecurity Operations Fundamentals

 IP data stands for Intellectual Property data, which is any data that represents the creations of the mind, such as inventions, patents, designs, or artistic works. IP data is protected by law and has commercial value for its owners. In this case, the automotive company has a database of IP data for their engines and technical information, which customers can access after they register and identify themselves. References := Cisco Cybersecurity Operations Fundamentals, Module 1: Security Concepts, Lesson 1.2: Data Protection, Topic 1.2.1: Data Types

Table Description automatically generated

Application whitelisting/blacklisting is a technology used to control which applications are allowed to execute on a company’s corporate PCs. Whitelisting allows only approved applications to run, while blacklisting prevents specific applications from running. This approach is effective for managing application usage across an enterprise.

 Vulnerability management is a proactive approach to securing systems by identifying and fixing vulnerabilities before they can be exploited by attackers. It involves scanning systems for known weaknesses, prioritizing and assessing the risks of those vulnerabilities, and applying patches or other remediation measures to mitigate them. Vulnerability management helps reduce the attack surface and prevent potential breaches. References := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 11.

The difference between tampered and untampered disk images is:

Tampered Images: These are disk images that have been altered or modified in some way after their initial creation. The stored hash and the computed hash will not match if the image has been tampered with.

Untampered Images: These are disk images that have not been altered since their creation. They are considered authentic and reliable for forensic investigations. The stored hash and the computed hash will match, confirming that the image has remained unchanged.

Therefore, the correct answer is: D. Untampered images are used for forensic investigations.

A regular expression (regex) is a sequence of characters that defines a search pattern for text. A regex can be used to extract custom properties from log messages or events in a SIEM platform. In this case, the regex that matches the phrase “File: Clean” exactly is ^File: Clean$. The ^ symbol indicates the beginning of the line and the $ symbol indicates the end of the line. The regex ensures that no other characters are before or after the phrase. References:

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, Module 5: Security Policies and Procedures, Lesson 5.3: Data and Event Analysis

200-201 CBROPS - Cisco, Exam Topics, 5.0 Security Policies and Procedures, 5.3 Analyze data as part of security monitoring activities

Cisco Certified CyberOps Associate Overview - Cisco Learning Network, Videos, 5.3 Analyze data as part of security monitoring activities

HTTPS uses SSL/TLS encryption to secure data transmission over the internet. This encryption makes it difficult to monitor HTTPS traffic because the data packets are encrypted making them unreadable to anyone trying to intercept or monitor the data without proper decryption keys. References := Cisco CyberOps Associate

Inline traffic interrogation analyzes traffic in real time and has the ability to prevent certain traffic from being forwarded Traffic mirroring doesn't pass the live traffic instead it copies traffic from one or more source ports and sends the copied traffic to one or more destinations for analysis by a network analyzer or other monitoring device

The #netstat -an command output typically displays a list of all open ports and associated connections. If the web application is slowed down, the engineer would look for unusual patterns such as an excessive number of connections to the web server which could indicate a denial-of-service attack. However, without specific details from the #netstat -an output, it’s not possible to determine the exact cause of the issue. Therefore, the engineer would need to gather more data, possibly including checking server logs, resource usage, and network traffic patterns to diagnose the problem accurately.

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) provides knowledge on network monitoring tools and interpreting their output to identify potential security incidents.

Trafshow is a network monitoring tool that provides real-time monitoring of network traffic. It displays the current connections and the amount of data being transferred over those connections. It is particularly useful in a Security Operations Center (SOC) for identifying unusual traffic patterns or connections that may indicate a security incident.

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)

The attack vector score in the Common Vulnerability Scoring System (CVSS) reflects how a vulnerability can be exploited. A higher score is given when the attack can be conducted remotely, making it easier for an attacker to exploit the vulnerability without physical access to the vulnerable component3. References: The CVSS specification document provides a detailed explanation of how the attack vector score is determined, emphasizing the impact of the ease of exploitation on the score

Stealthwatch is the technology that an engineer should use to fetch logs from a proxy server and generate actual events based on the data received. Cisco Secure Network Analytics, formerly known as Stealthwatch, provides the capability to configure proxy server logs so that the Flow Collector can receive the information. The Stealthwatch Management Console then displays this information on the Flow Proxy Records page, which includes URLs and application names of the traffic inside a network going through the proxy server1.

References :=

Cisco Secure Network Analytics Proxy Log Configuration Guide

 In RBAC, access is based on the roles that users have within an organization, and permissions to perform certain operations are assigned to specific roles. DAC, on the other hand, is a type of access control where the access rights are determined by the owner of the resource or the resource itself.

In the context of NIST SP800-61, a precursor is an event that indicates the potential occurrence of an incident. When an organization adjusts its security stance in response to online threats made by a known hacktivist group, the initial event—the threats—would be considered a precursor. It is an indication of a potential future attack or security incident34.

References :=

NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide3.

Computer Security Incident Handling Guide - NIST

 To investigate the callouts made post infection, it’s essential to know where the callouts were made to (domain names) and from which host IP addresses they originated. This information can help trace back the source and destination, aiding in understanding the nature of the callouts. References: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Working_with_Indicators_of_Compromise.html

The command “$ cuckoo submit --machine cuckoo1 /path/to/binary” indicates that a binary located at “/path/to/binary” is being submitted to be run on a virtual machine named “cuckoo1”. This is a common practice in cybersecurity to analyze the behavior of suspicious files in an isolated environment. References: Cisco Cybersecurity documents or resources are needed for more detailed information.

Asymmetric cryptography, also known as public key cryptography, involves two keys: a public key for encryption and a private key for decryption. This method ensures that even if the public key is known, only the holder of the private key can decrypt the message, thus providing a secure way to transfer data. References: Asymmetric encryption is beneficial for secure data transfer because it allows message authentication, non-repudiation, and detects tampering, although it is slower than symmetric encryption

The exhibit shows a network diagram with a switch, a router, and two hosts. The switch has a MAC address table that maps the MAC addresses of the connected devices to the corresponding ports. A MAC flooding attack is a type of attack that aims to overload the switch’s MAC address table by sending a large number of frames with spoofed source MAC addresses. This causes the switch to enter a fail-open mode, where it broadcasts all incoming frames to all ports, effectively turning it into a hub. This allows the attacker tosniff the traffic between the hosts and the router, or launch other attacks such as ARP spoofing or man-in-the-middle

A load balancer is the correct technology to implement a solution that makes routing decisions based on HTTP header, uniform resource identifier (URI), and SSL session ID attributes. Load balancers can inspect incoming traffic and make routing decisions to distribute the traffic across multiple servers based on various attributes, including the ones mentioned, to ensure optimal resource use and efficient traffic management12.

References :=

Cisco Unified Border Element Configuration Guide1.

URI based outbound Dial-peer configuration on CUBE - Cisco Community

 Profiling a network involves various elements that provide insights into its characteristics and behaviors. Total throughput is crucial as it measures the amount of data passing from a source to a destination in a given period, reflecting the network’s capacity and usage patterns1. Listening ports are also essential for profiling because they represent the entry points for network services, indicating which services are available and potentially vulnerable1.

References :=

Network profiling tools and techniques discussed in online resources23.

Direct explanations of network profile elements

The Zero Trust security model operates on the principle that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network. It emphasizes continuous monitoring, validation, and least-privilege access to minimize exposure to sensitive parts of the network.

 Zero Trust security | What is a Zero Trust network? | Cloudflare, Zero Trust Model: Unveiling 3 Core Principles for Enhanced Security, The Evolution of Zero Trust and the Frameworks that Guide It

Rule-based detection involves identifying malicious activities based on predefined rules or patterns of known attacks; it does not adapt or change with new data. In contrast, behavioral detection adapts over time by learning from new data; it identifies malicious activities based on deviations from established norms or behaviors. References: CiscoCertified CyberOps Associate Overview, Section 1.0: Security Concepts, Subsection 1.1: Compare and contrast the characteristics of data obtained from taps, NetFlow, and packet capture)

When analyzing a pcap file, data encryption can pose a significant challenge in terms of visibility. Encrypted data cannot be easily inspected, which means that the analyst may not be able to view the contents of the network packets to detect suspicious activity.

The answers are based on the general knowledge of host-based firewalls and the challenges faced during the analysis of pcap files in cybersecurity, as outlined in Cisco’s cybersecurity documentation and resources.

 Secure boot and restricting USB ports are two components that can reduce the attack surface on an endpoint. The attack surface is the sum of all paths for data into and out of the environment. Reducing the attack surface means minimizing the number and complexity of these paths, and thus reducing the opportunities for attackers to exploit vulnerabilities or gain unauthorized access. Secure boot is a feature that ensures that only trusted and verified code can run during the boot process, preventing malware or unauthorized software from compromising the system. Restricting USB ports is a policy that limits the use of USB devices, such as flash drives or external hard drives, that can introduce malware or exfiltrate data from the endpoint.

[Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Module 4: Network Intrusion Analysis], [Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Module 5: Security Policies and Procedures]

Agent-based monitoring: With agent-based monitoring, software agents are installed on the monitored systems or devices. These agents collect data locally, perform filtering or preprocessing of the data, and then transmit the relevant or valuable information to the monitoring system. Agent-based monitoring allows for local processing and filtering, which can reduce network utilization by only transmitting essential data. Agentless monitoring: Agentless monitoring, on the other hand, does not require software agents to be installed on the monitored systems or devices. Instead, it relies on leveraging existing protocols and interfaces, such as APIs (Application Programming Interfaces) or SNMP (Simple Network Management Protocol), to remotely access and retrieve monitoring data from the target systems. Agentless monitoring generally involves higher network utilization as the monitoring system needs to gather data from remote systems over the network.

The image shows a piece of code within a bordered rectangular area.

It is a string of HTML code that appears to be an example of an attack, specifically “”.

The code suggests an attempt to execute JavaScript within an image source attribute, indicative of a cross-site scripting attack.

Cisco Application Visibility and Control (AVC) provides features like metrics collection and exporting (D) for visibility on TCP bandwidth usage, response time, and latency. Application recognition (E) combined with deep packet inspection helps in identifying unknown software by its network traffic flow. References := Cisco CyberOps Associate - Module 2: Security Concepts

 CDFS stands for Compact Disc File System, which is a file system used by Mac OS to store data on CDs. CDFS is also known as ISO 9660, which is a standard format for data interchange on optical discs. CDFS allows files to be accessed by different operating systems, such as Windows, Linux, and Mac OS. Therefore, an ISO file that is stored in CDFS format is data from a CD copied using Mac-based system. References := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 4: Network Intrusion Analysis, Lesson 4.4: File Type Analysis, Topic 4.4.1: File Systems, page 4-40.

Reflective XSS, also known as Non-Persistent XSS, occurs when an attacker sends a malicious script to a user through a web application, and the script is executed immediately in the user’s browser without being stored on the server. This type of attack is typically carried out by including the malicious script in a URL, which is then sent to the victim. When the victim clicks on the link, the script runs in their browser, reflecting the attacker’s actions without storing the payload for repeated use12. References: OWASP Foundation’s documentation on Cross-Site Scripting (XSS) provides detailed information on the different types of XSS attacks, including Reflective XSS

In a PCAP file, which is used to capture network packets, each packet contains various pieces of information that can be analyzed. The source and destination addresses refer to the IP addresses of the sender and receiver of the packets. The source and destination ports refer to the port numbers used for the communication, with common ports like 443 indicating HTTPS traffic. The network protocol here is TCP, which is responsible for establishing a connection and ensuring the delivery of packets. The transport protocol is IPv4, which is the underlying protocol for routing packets across the network. Lastly, the application protocol is TLS v1.2, which is used for secure communication over the internet.

References := The Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) course material covers the analysis of network traffic and the interpretation of PCAP files, which includes identifying the different elements within a packet capture1.

Social engineering is the practice of manipulating or deceiving people into performing actions or divulging information that can compromise the security of the organization. Asking questions about the company’s user account format and password complexity at a party is an example of social engineering, as the guest may be trying to gather information that can be used to launch a cyberattack. References := Cisco Cybersecurity Operations Fundamentals - Module 6: Security Incident Investigations

The regular expression that matches both “color” and “colour” is colo?ur. In this expression, the ? denotes that the preceding character u is optional, meaning it may appear zero or one time. This allows the expression to match both the American spelling “color” and the British spelling “colour”.

References := Understanding regular expressions is fundamental in various computing tasks, including cybersecurity operations. The Cisco Cybersecurity Operations Fundamentals (CBROPS) material covers the use of regular expressions for searching through logs and data, which is a critical skill for a cybersecurity analyst.

Social engineering attacks involve manipulating individuals into divulging confidential information or performing actions that compromise security. The fake offer for a free music download is a classic example of social engineering, where attackers lure users with a tempting offer to trick them into providing personal information or downloading malware.

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)

The CDFS (Compact Disc File System) format is associated with the ISO 9660 standard, which is a file system for optical disc media. It is commonly used in Windows systems for CDs. When a security expert works on an ISO file saved in CDFS format, it typically indicates that the data was prepared or copied using a Windows-based system. This is because CDFS is the file system that Windows uses to read and write CDs, and the ISO file is an image of that CD data1.

References :=

Understanding CDFS (Compact Disc File System): A Comprehensive Guide2.

What type of evidence is this file? - VCEguide.com

Enabling the “Allow subdissector to reassemble TCP streams” feature in Wireshark allows the tool to reassemble TCP segments into a contiguous sequence, which can be used by higher-level protocols to reconstruct a full message, such as an HTTP request or response. This is particularly useful for extracting files or data transmitted over TCP that are spread across multiple packets1.

References := The explanation is based on the Wireshark documentation, which details how the reassembly feature works and its use in analyzing TCP streams

Under the General Data Protection Regulation (GDPR), an email address that can be linked to an individual is classified as personal data, regardless of whether it contains a real name. The regulation grants individuals the right to erasure, also known as the “right to be forgotten,” when they request deletion of their personal data and no lawful basis for retention exists.

Because the company is based in Europe, GDPR applies to its data processing activities. Additionally, GDPR protections extend not only to EU citizens but also to any individual whose data is processed by an EU-based organization, depending on context. Therefore, deletion should not be conditional on the customer’s geographic location.

Option A is incorrect because email addresses are considered personal data under GDPR. Option C is incomplete and misleading because GDPR obligations are not limited only to confirmed EU residents in this scenario. Option D may be appropriate if systemic noncompliance is identified, but the immediate and correct action is to honor the deletion request.

Cybersecurity and compliance documentation emphasizes minimizing data retention and responding promptly to data subject requests. As no lawful justification for retaining the email exists, it must be deleted.

Therefore, the correct action is to delete the data regardless of where the customer is from.

User interaction is any event that requires the user to perform an action that enables or facilitates a cyberattack. Opening a malicious file is an example of user interaction, as it can trigger the execution of malicious code or malware that can compromise the system or network. Gaining root access, executing remote code, and reading and writing file permissions are not user interactions, but rather actions that can be performed by an attacker after exploiting a vulnerability or bypassing security controls. References: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, More than 99% of cyberattacks rely on human interaction

An untampered disk image is one that has not been altered since its creation. This is verified by comparing the stored hash of the image at the time of creation with a newly computed hash; if they match, the image is considered untampered. Tampered images, on the other hand, may be used during the root cause analysis process to understand how and what was altered12. References: The differences between tampered and untampered disk images are discussed in cybersecurity literature, including Cisco’scertification guides, which explain the importance of hash matching for verifying the integrity of disk images

 A web proxy is the technology used to block a user’s HTTP connection to a malicious site according to configured policy. It acts as an intermediary between users and the internet, enforcing security policies and preventing access to harmful sites by inspecting and managing web traffic.

In the context of cybersecurity, an asset is anything that has value to the organization, its business operations and their continuity, including data and physical devices. In the role of attribution in an investigation, which is the process of associating an action or event with a particular individual or entity, certain assets are particularly relevant. A laptop © can be an asset because it may contain data or clues that can help trace the origin of a cyber attack. Similarly, identifying the threat actor (E) is crucial for attribution, as it involves understanding who is behind the attack and their motives, which can be essential for preventing future attacks and for legal proceedings.

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)1.

When a server is experiencing heavy CPU and memory load, the initial step is to identify the processes consuming the most resources. The command “ps -ef” provides a detailed view of all running processes, including their IDs, CPU, and memory usage, which helps in pinpointing the resource-intensive processes1234. References: This approach is supportedby various resources on server management and troubleshooting, which recommend using the “ps -ef” command as a starting point for investigating high resource usage on servers

 Running all processes as root or administrator violates the principle of least privilege, which states that users and processes should be granted only the minimum permissions necessary to perform their specific role or function within an organization. Running all processes as root or administrator gives them full access and control over the system, which increases the risk of unauthorized actions, malicious attacks, and accidental errors. It also makes it easier for attackers to escalate their privileges and compromise the system. References:

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 1: Security Concepts, Lesson 1.2: Security Principles

Cisco Certified CyberOps Associate Overview, Exam Topics, 1.1 Explain the CIA triad

False positives and false negatives are terms used to describe the accuracy of security alerts. A false positive occurs when a security system incorrectly identifies benign activity as malicious, leading to unnecessary investigation and potential disruption of legitimate activities. Conversely, a false negative happens when a security system fails to detect actual malicious activity, allowing the attackers to proceed undetected. The impact of false positives is generally wasted time and resources investigating non-issues, while the impact of false negatives can be much more severe, potentially leading to undetected breaches and significant damage.

The CBROPS curriculum covers the concepts of false positives and false negatives in the context of security monitoring and alerting systems

The file that is extractable via TCP stream within Wireshark is the one that has the Content-Type header set to application/octet-stream, which indicates binary data. Thisheader is present in frames 7, 14, and 21, which are part of the same TCP stream. The other frames have different Content-Type headers, such as text/html or image/jpeg, which are not extractable as binary files. References := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 3: Network Intrusion Analysis, Lesson 3.2: Analyze Data from Common TCP/IP Protocols, Topic 3.2.3: HTTP

 Agent-based protection is a type of endpoint security that uses software agents installed on the devices to monitor and protect them. Agent-based protection can collect and detect all traffic locally, which means it can operate without relying on a network connection or a centralized server. Agent-based protection can also provide more granular and comprehensive visibility and control over the devices. References: https://learningnetworkstore.cisco.com/on-demand-e-learning/understanding-cisco-cybersecurity-operations-fundamentals-cbrops-v1.0/CSCU-LP-CBROPS-V1-028093.html (Module 2: Security Concepts, Lesson 2.3: Endpoint Security)

 When communicating via TLS, part of the handshake process involves presenting a certificate containing the server name, the name of the trusted CA that issued the certificate, and the public key of the server. The client can verify the validity of the certificate and use the public key to encrypt the data sent to the server. References := Cisco Cybersecurity Source Documents

A man-in-the-middle (MITM) attack occurs when an attacker secretly intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other. In this scenario, an attacker can observe network traffic exchanged between two users by placing themselves in between their communication channel. References := Cisco Blogs - New Cybersecurity and Cloud Skills to Protect Companies from Cybersecurity Attacks of the Future

The improper use or disclosure of Personally Identifiable Information (PII) falls under the category of compliance because organizations are required to adhere to laws and regulations that protect the privacy and security of PII. This includes following guidelines set forth by privacy laws such as GDPR, HIPAA, and others that mandate the proper handling of personal data to prevent misuse and unauthorized access123.

References := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS), Personally identifiable information (PII): What it is, how it’s used, and how to protect it, What is PII? Examples, laws, and standards, Overview of the Privacy Act: 2020 Edition

Statistical detection involves collecting data over time to define what is considered normal behavior or legitimate data for users or systems. It then uses statistical analysis to identify abnormal behavior that could indicate a security incident. Rule-based detection uses predefined rules or patterns that are based on known threats or vulnerabilities - it operates on an IF/THEN basis where if certain conditions are met then an alert is triggered. References := Cisco Cybersecurity Operations Fundamentals

The exhibit shows a high rate of SYN packets being sent from multiple sources towards a single destination IP. This is indicative of a SYN flood attack, where the attacker sends a succession of SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. References := Cisco Cybersecurity Operations Fundamentals - Module 4: Network Intrusion Analysis

What Are Ports 139 And 445? SMB has always been a network file sharing protocol. As such, SMB requires network ports on a computer or server to enable communication to other systems. SMB uses either IP port 139 or 445. Port 139 - SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network. Port 445 - Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the internet. https://www.varonis.com/blog/smb-port SMB Ports 139 and 445 are open Email Ports 25 and 110 are closed Therefore "D. Email Ports are closed on the Server."

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network flow. It provides valuable data about the network sessions occurring within the network, such as source and destination IP addresses, port numbers, and protocols used. This session data is useful for understanding traffic patterns, volume, and usage.

Cisco’s training and certification materials on NetFlow would discuss how it is used to obtain session data for network analysis.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide confidentiality, integrity, and authentication for network communications. Older versions of TLS, including TLS 1.2, are susceptible to downgrade attacks when not properly configured. In a downgrade attack, an attacker forces communicating parties to fall back to a weaker or less secure protocol version, enabling man-in-the-middle exploitation.

TLS 1.3 was specifically designed to mitigate these risks by removing insecure cryptographic algorithms, eliminating legacy handshake mechanisms, and enforcing stronger cipher suites. It also reduces the attack surface by simplifying the handshake process and providing built-in protections against downgrade attacks.

Option B is insufficient because monitoring alone does not prevent cryptographic weaknesses. Option C may improve general security posture but does not directly address protocol-level downgrade vulnerabilities. Option D significantly weakens security and would increase exposure.

Cybersecurity best practices and operations documentation strongly recommend disabling outdated TLS versions and enforcing TLS 1.3 wherever possible to ensure robust protection against MITM and downgrade attacks.

Therefore, upgrading to TLS 1.3 or higher is the correct preventive action.

 In NetFlow log sessions within TCP connections; ACK flag is used for acknowledging that data has been successfully received while RST flag is used when there’s an error or when closing a connection spontaneously without following standard procedures. References := Cisco Cybersecurity source documents or study guide

Encryption is an evasion technique that is a function of ransomware, which is a type of malware that encrypts the victim’s files or system and demands a ransom for the decryption key. Encryption is used by ransomware to prevent the victim from accessing their data and to avoid detection by antivirus or other security tools. Encryption can also be used by other types of malware to hide their communication, configuration, or payload from analysis. References:

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 3: Network Intrusion Analysis, Lesson 3.4: Malware

Cisco Certified CyberOps Associate Overview, Exam Topics, 3.4 Compare and contrast types of malware

Based on the image details, the exhibit shows a series of HTTP requests with the method GET, which are used to retrieve data from a web server. There is no evidence of any malicious payload or parameter in these requests, so they are likely regular GET requests. The other options are types of web application attacks that exploit different vulnerabilities, such as XML External Entities, insecure deserialization, and cross-site scripting. References := Cisco Cybersecurity

The ping of death is a type of attack that involves sending oversized or malformed packets using the ICMP protocol to crash, freeze, or reboot the target system1.

UDP flooding is an attack method that sends a large number of User Datagram Protocol (UDP) packets to random ports on a remote host, causing the host to repeatedly check for the application listening at that port, and (when no application is found) reply with an ICMP Destination Unreachable packet. This process can saturate the network and the resources of the host, leading to denial of service2.

Cloudflare’s explanation of common DoS attacks1.

Wikipedia’s description of denial-of-service attack methods

The regular expression ^ (?:[0-9]{1,3}.){3}[0-9]{1,3} is needed to capture the IP address 192.168.20.232. This regex matches any string that starts with three groups of one to three digits followed by a dot, and ends with one group of one to three digits. The IP address 192.168.20.232 matches this pattern exactly. The other options are either invalid or do not match the IP address format. References := Cisco Cybersecurity Operations Fundamentals, Module 5: Security Policies and Procedures, Lesson 5.3: Data and Event Analysis, Topic 5.3.2: Regular Expressions

 Full packet capture provides the complete recording of all the packets that are transmitted over the network. This data is essential for in-depth analysis during an investigation, as it allows investigators to reconstruct the session, observe the content of the traffic, and determine if data exfiltration has occurred.

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) study materials would typically cover the importance of full packet capture in network forensics and incident response.

The logs indicating multiple local TCP connection events are typically provided by a firewall. Firewalls are responsible for monitoring and controlling incoming and outgoing network traffic based on predetermined security rules, and they generate logs that detail such events, which can be used for further analysis and incident response. References := Cisco Cybersecurity Operations Fundamentals

TCP injection is an attack where the attacker sends crafted packets into an existing TCP session. These packets appear to be part of the session.

The presence of many SYN packets with the same sequence number, source, and destination IP but different payloads indicates that an attacker might be injecting packets into the session.

This method can be used to disrupt communication, inject malicious commands, or manipulate the data being transmitted.

References

Understanding TCP Injection Attacks

Analyzing Packet Captures for Injection Attacks

Network Security Monitoring Techniques

The scenario described is indicative of a port scanning attack. Port scanning is a method used by attackers to discover open ports on network devices. A single SYN packet sent to each port is a technique known as SYN scanning or half-open scanning, where the attacker sends a SYN message (as if they are going to initiate a TCP connection) to every port on the server, looking for positive responses which indicate an open port. This type of scanning is less intrusive and harder to detect because it never completes the TCP three-way handshake1.

Cisco community resources on Denial of Service (DoS) attacks

NIST Special Publication 800-61 r2 outlines the incident response process including detection and analysis, which involves identifying and validating the occurrence of incidents, and post-incident activity that focuses on lessons learned and improvements to be made after an incident has occurred. References := NIST Special Publication 800-61 r2

According to NIST SP800-61, the incident response lifecycle consists of four phases: Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-Incident Activity.

When a SOC team member checks the Cisco Firepower Manager dashboard for further isolation actions, they are working within the Eradication and Recovery phase.

This phase focuses on removing the threat from the environment and recovering affected systems to normal operations.

References

NIST SP800-61 Computer Security Incident Handling Guide

Incident Response Phases Explained

Role of SOC in Incident Response

Windows Security Event ID 4625 is generated when an account fails to log on. When a SOC analyst observes a large number of Audit Failure events occurring in rapid succession, this is a strong indicator of a brute-force authentication attack.

Brute-force attacks involve repeatedly attempting different username and password combinations to gain unauthorized access to a system. These attacks commonly target Windows servers exposed to internal or external networks and often focus on privileged or commonly used accounts. The repeated failures shown in the exhibit indicate that authentication attempts are being made unsuccessfully over a short time period, which is abnormal for standard user behavior.

Option A is incorrect because the logs clearly show that Windows auditing is functioning correctly and recording failures. Option B is incorrect because normal Windows activity does not generate large volumes of failed authentication events in a short time frame. Option D is incorrect because a Denial-of-Service (DoS) attack targets system availability and resource exhaustion, not authentication mechanisms.

Cybersecurity operations documentation highlights failed login storms as one of the most common indicators of credential-based attacks. SIEM platforms are designed to alert analysts on such patterns because they often precede account compromise or lateral movement attempts.

Defense-in-depth is a security strategy where multiple layers of defense are placed throughout an information technology (IT) system. It addresses physical, technical, and administrative controls to provide redundancy and ensure that if one layer fails, others will be in place to thwart an attack. References: Cisco Tech Roles - CyberOps Engineer

Digital certificates are essential for decrypting ingress and egress perimeter traffic, as they provide the necessary encryption keys for secure communications. By using digital certificates, network security devices can inspect the decrypted traffic to detect any malicious outbound communications that may indicate command-and-control activity.

 A vulnerability refers to a weakness or flaw in a system that can be exploited by threats (such as hackers or malware) to gain unauthorized access, cause damage, etc. Threats exploit these vulnerabilities to impact the confidentiality, integrity, or availability of information and systems. References: Cisco Cybersecurity Associate

A buffer overflow attack occurs when more data is written to a buffer than it is designed to hold. This excess data can overwrite adjacent memory locations, leading to the execution of malicious code or crashing the system. Buffer overflows are a common vulnerability that attackers exploit to gain unauthorized access to systems.

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)

Cisco’s Zero Trust Architecture is built around the principle of never trust, always verify, and it organizes zero trust controls into three interconnected domains: Workforce, Workplace, and Workload. Each domain addresses a different aspect of access control and risk reduction.

The Workforce pillar focuses on user identity and endpoint posture. Cisco zero trust ensures that users and their devices are continuously verified before granting access to applications. This includes validating identity, device health, and context to determine appropriate access privileges.

The Workplace pillar addresses the network environment where users and devices connect. This includes enterprise networks, branch offices, and IoT environments. Cisco applies trust-based access controls to ensure that only authorized and compliant devices can communicate on the network, regardless of location.

The Workload pillar protects applications and services running in data centers, cloud environments, and containers. The goal is to reduce the attack surface by enforcing least-privilege access, ensuring that workloads only communicate with explicitly authorized services and users.

Cybersecurity operations documentation emphasizes that effective zero trust requires visibility and enforcement across all three areas. Cisco’s model simplifies implementation by clearly defining responsibilities and controls within each domain, enabling organizations to reduce lateral movement, limit blast radius, and improve overall security posture.

 A TCP handshake is a three-way exchange of messages between a client and a server to establish a TCP connection. The client initiates the handshake by sending a SYN packet with a sequence number to the server. The server responds with a SYN-ACK packet with its own sequence number and an acknowledgment number that is the client’s sequence number plus one. The client completes the handshake by sending an ACK packet with an acknowledgment number that is the server’s sequence number plus one. If the remote server is not receiving an SYN-ACK packet from the local server, it means that the TCP handshake is not completed and the connection is not established. This could be causedby various factors, such as network congestion, firewall rules, packet filtering, or misconfiguration of the TCP parameters on either end. References := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 177; TCP 3-Way Handshake Process - GeeksforGeeks

 A threat represents a potential danger that could exploit a weakness in a system while risk is associated with the potential impact or loss that could occur if a threat exploits a vulnerability in the system. So, option A which states “Threat represents a potential danger that could take advantage of a weakness in a system” is correct. References := Cisco Certified CyberOps Associate Overview

 For high availability and responsiveness, especially where milliseconds of latency are critical, an engineer must analyze the network’s performance in detail. Total throughput on the interface of the router will provide information on the bandwidth and traffic load, which is essential for understanding if the network can handle the current and projected traffic without delays. NetFlow records are crucial for this analysis as they provide data about the traffic flow across the network, which helps in identifying patterns, peak usage times, and types of traffic. This information is vital for making informed decisions to optimize traffic movement and minimize latency123.

References :=

Cisco’s guide on Network Traffic Analysis1.

Cisco’s white paper on Network Security Policy: Best Practices2.

Cisco’s documentation on Implementation of High Availability

A threat actor is a person or entity that is responsible for an incident that impacts or has the potential to impact an organization’s security. A threat actor can have various motivations, such as financial gain, espionage, sabotage, or activism. A threat actor can use various methods, such as malware, phishing, denial-of-service, or social engineering, to perform an attack. A threat actor is not the same as a malware author, a bug bounty hunter, or a direct competitor, although they may be related or associated. A malware author is someone who creates malicious software that can be used by threat actors. A bug bounty hunter is someone who finds and reports vulnerabilities in software or systems for a reward. A direct competitor is someone who offers similar products or services as the organization and may seek to gain an advantage over it. References := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 87; CNSSI 4009-2015, page 77

The attack described is a DNS amplification attack. It involves infected endpoints sending DNS requests with spoofed IP addresses to external DNS servers. The DNS servers then send large responses to the spoofed addresses, which are actually the targets of the attack. This can result in a significant amount of traffic being directed at the target, overwhelming their network resources. DNS amplification is a type of Distributed Denial of Service (DDoS) attack that leverages the DNS protocol to amplify the attack traffic.

 Phishing is considered a low-bandwidth attack because it does not require the use of significant network resources. Instead, it relies on social engineering to deceive individuals into providing sensitive information or clicking on malicious links, often through email or other communication methods1.

 Sliding window anomaly detection is a technique used in cybersecurity to identify unusual patterns or behaviors that deviate from the norm. It involves analyzing segments of data over a period of time, referred to as a ‘window,’ and comparing them against typical patterns. Anomalies are detected when observed behaviors significantly differ from expected patterns, indicating potential security incidents or issues that require further investigation. References: An adaptive sliding window for anomaly detection of time series in wireless sensor networks

The security scenario involves protecting the company from known issues that trigger adware and addressing a recent incident that could harm the system.

This scenario involves identifying vulnerabilities (weaknesses in the system that can be exploited) and threats (potential harm that can exploit these vulnerabilities).

A vulnerability is an inherent flaw in the system, while a threat is an event or condition that has the potential to exploit the vulnerability.

The security engineer needs to assess both the vulnerabilities present and the threats that could exploit these vulnerabilities to implement effective protection measures.

References

Cisco Cybersecurity Operations Fundamentals

Concepts of Vulnerability and Threat in Cybersecurity

Best Practices in Vulnerability Management

The data shown in the exhibit is typical of what can be captured and displayed using tcpdump, a command-line packet analyzer that allows users to display TCP/IP and other packets being transmitted or received over a network.

 Traffic fragmentation is an evasion technique where an attacker splits malicious payloads into smaller packets. This can help avoid detection since some security systems may not reassemble these packets to inspect the complete payload.

 In the context of a cybersecurity breach, attribution involves identifying the responsible party. Since the external USB device was not found, the focus shifts to the actions performed by the receptionist. Analyzing these actions can provide insights into how the breach occurred and may help in attributing the incident to the threat actor

References := Cisco Certified CyberOps Associate 200-201 Certification Guide

Untampered images are crucial for security investigations as they provide original evidence that has not been altered or corrupted; their integrity and authenticity can be verified by comparing the stored hash and the computed hash of the image. If they match, the image is untampered and can be used for analysis. Tampered images, on the other hand, are useless for security investigations as they may contain false or misleading information; their integrity and authenticity are compromised by the modification of the image data. Tampered images may be used for incident recovery purposes, such as restoring a system to a previous state, but not for forensic purposes. References := Cisco Cybersecurity Operations Fundamentals - Module 6: Security Incident Investigations

The screenshot shows multiple POP requests with the command PASS, which is typically used for password entry. The rapid succession and variation of these requests suggest an attempt to guess the password, characteristic of a brute-force attack. Remember, always verify with additional data or context when possible, as packet captures can contain vast amounts of information and may require thorough analysis for accurate interpretation.

When a company workstation is compromised, the stakeholders that must be involved are the ones who are responsible for the security incident response process. According to the table, these are Employee 4 (Security Operation Center Analyst), Employee 6 (Head of Network and Security Infrastructure Services), and Employee 7 (Technical Director). The other employees have different roles that are not directly related to the incident response process, such as accounting, financial management, or system administration. References := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 1: Security Concepts, Lesson 1.4: Security Monitoring, Topic 1.4.1: Security Operations Center

 During the collection phase of the forensic process, data related to a specific event is labeled and recorded to preserve its integrity. This step ensures that the data remains unaltered and authentic from the time of collection until it is presented as evidence,maintaining the chain of custody. References := Cisco Cybersecurity Operations Fundamentals - Module 6: Security Incident Investigations

An attack vector is the method or technique that an attacker uses to exploit a vulnerability in a system or network. An attack vector can be a software, hardware, or human component that can be manipulated to gain unauthorized access, execute malicious code, or cause damage. An attack surface is the sum of all the possible attackvectors that are exposed by a system or network. An attack surface can be reduced by applying security measures such as patching, hardening, firewalling, and encrypting. References: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 1-4; 200-201 CBROPS - Cisco, exam topic 1.1.c

In this scenario, the threat actor refers to the individuals or entities responsible for the attack that resulted in a breach of assets and sensitive information. The receptionist received a threatening call but did not take action, leading to an actual breach within 48 hours. References: The explanation is inferred from general cybersecurity knowledge as specific details are not provided in the Cisco Cybersecurity documents linked.