DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

Prepare Strategically for the Cisco 350-201 CBRCOR Exam with Practice Tests

Please write another 130-160 words of "Real Cisco 350-201 CBRCOR exam questions to help you pass the exam", which includes professional content introduced by the exam. It is recommended to include the following keywords: Cisco certification, exam questions, exam preparation, study materials, exam resources, successful passing, mock exam, mock exam, exam questions and answers, test questions.
Take other online exams

Question #1
Refer to the exhibit. An engineer configured this SOAR solution workflow to identify account theft threats and privilege escalation, evaluate risk, and respond by resolving the threat. This solution is handling more threats than Security analysts have time to analyze. Without this analysis, the team cannot be proactive and anticipate attacks. Which action will accomplish this goal?
A. xclude the step “BAN malicious IP” to allow analysts to conduct and track the remediation
B. nclude a step “Take a Snapshot” to capture the endpoint state to contain the threat for analysis
C. xclude the step “Check for GeoIP location” to allow analysts to analyze the location and the associated risk based on asset criticality
D. nclude a step “Reporting” to alert the security department of threats identified by the SOAR reporting engine
View answer
Correct Answer: A

View The Updated 350-201 Exam Questions

SPOTO Provides 100% Real 350-201 Exam Questions for You to Pass Your 350-201 Exam!

Question #2
Refer to the exhibit. Cisco Advanced Malware Protection installed on an end-user desktop automatically submitted a low prevalence file to the Threat Grid analysis engine. What should be concluded from this report?
A. hreat scores are high, malicious ransomware has been detected, and files have been modified
B. hreat scores are low, malicious ransomware has been detected, and files have been modified
C. hreat scores are high, malicious activity is detected, but files have not been modified
D. hreat scores are low and no malicious file activity is detected
View answer
Correct Answer: B
Question #3
Drag and drop the threat from the left onto the scenario that introduces the threat on the right. Not all options are used.Select and Place:Exhibit A:Exhibit B:
A. lease refer to Exhibit B for the answer
View answer
Correct Answer: A
Question #4
An organization had an incident with the network availability during which devices unexpectedly malfunctioned. An engineer is investigating the incident and found that the memory pool buffer usage reached a peak before the malfunction. Which action should the engineer take to prevent this issue from reoccurring?
A. isable memory limit
B. isable CPU threshold trap toward the SNMP server
C. nable memory tracing notifications
D. nable memory threshold notifications
View answer
Correct Answer: D
Question #5
Refer to the exhibit. Which indicator of compromise is represented by this STIX?
A. website redirecting traffic to ransomware server
B. website hosting malware to download files
C. web server vulnerability exploited by malware
D. cross-site scripting vulnerability to backdoor server
View answer
Correct Answer: C
Question #6
A company?€?s web server availability was breached by a DDoS attack and was offline for 3 hours because it was not deemed a critical asset in the incident response playbook. Leadership has requested a risk assessment of the asset. An analyst conducted the risk assessment using the threat sources, events, and vulnerabilities. Which additional element is needed to calculate the risk?
A. assessment scope
B. event severity and likelihood
C. incident response playbook
D. risk model framework
View answer
Correct Answer: D
Question #7
A customer is using a central device to manage network devices over SNMPv2. A remote attacker caused a denial of service condition and can trigger this vulnerability by issuing a GET request for the ciscoFlashMIB OID on an affected device. Which should be disabled to resolve the issue?
A. NMPv2
B. CP small services
C. ort UDP 161 and 162
D. DP small services
View answer
Correct Answer: A
Question #8
05. How is a SIEM tool used?
A. ocollectsecuritydatafromauthenticationfailuresandcyberattacksandforwarditforanalysi
B. osearchandcomparesecuritydataagainstacceptancestandardsandgeneratereportsforanalysi
C. ocomparesecurityalertsagainstconfiguredscenariosandtriggersystemresponse
D. ocollectandanalyzesecuritydatafromnetworkdevicesandserversandproduceale
View answer
Correct Answer: D
Question #9
Refer to the exhibit. Where does it signify that a page will be stopped from loading when a scripting attack is detected?
A. -frame-options
B. -content-type-options
C. -xss-protection
D. -test-debug
View answer
Correct Answer: C
Question #10
An engineer received an alert of a zero-day vulnerability affecting desktop phones through which an attacker sends a crafted packet to a device, resets the credentials, makes the device unavailable, and allows a default administrator account login. Which step should an engineer take after receiving this alert?
A. nitiate a triage meeting to acknowledge the vulnerability and its potential impact
B. etermine company usage of the affected products
C. earch for a patch to install from the vendor
D. mplement restrictions within the VoIP VLANS
View answer
Correct Answer: C
Question #11
06. What is needed to assess risk mitigation effectiveness in an organization?
A. ost-effectivenessofcontrolmeasure
B. nalysisofkeyperformanceindica
C. ompliancewithsecuritystandard
D. pdatedlistofvulnerablesystem
View answer
Correct Answer: A
Question #12
A security architect is working in a processing center and must implement a DLP solution to detect and prevent any type of copy and paste attempts of sensitive data within unapproved applications and removable devices. Which technical architecture must be used?
A. LP for data in motion
B. LP for removable data
C. LP for data in use
D. LP for data at rest
View answer
Correct Answer: C
Question #13
Refer to the exhibit. Cisco Advanced Malware Protection installed on an end-user desktop has automatically submitted a low prevalence file to the Threat Grid analysis engine for further analysis. What should be concluded from this report?
A. he prioritized behavioral indicators of compromise do not justify the execution of the “ransomware” because the scores do not indicate the likelihood of malicious ransomware
B. he prioritized behavioral indicators of compromise do not justify the execution of the “ransomware” because the scores are high and do not indicate the likelihood of malicious ransomware
C. he prioritized behavioral indicators of compromise justify the execution of the “ransomware” because the scores are high and indicate the likelihood that malicious ransomware has been detected
D. he prioritized behavioral indicators of compromise justify the execution of the “ransomware” because the scores are low and indicate the likelihood that malicious ransomware has been detected
View answer
Correct Answer: C
Question #14
A threat actor attacked an organization's Active Directory server from a remote location, and in a thirty-minute timeframe, stole the password for the administrator account and attempted to access 3 company servers. The threat actor successfully accessed the first server that contained sales data, but no files were downloaded. A second server was also accessed that contained marketing information and 11 files were downloaded. When the threat actor accessed the third server that contained corporate financial
A. acket sniffer
B. alware analysis
C. IEM
D. irewall manager
View answer
Correct Answer: C
Question #15
Refer to the exhibit. What is occurring in this packet capture?
A. CP port scan
B. CP flood
C. NS flood
D. NS tunneling
View answer
Correct Answer: B
Question #16
How is a SIEM tool used?
A. o collect security data from authentication failures and cyber attacks and forward it for analysis
B. o search and compare security data against acceptance standards and generate reports for analysis
C. o compare security alerts against configured scenarios and trigger system responses
D. o collect and analyze security data from network devices and servers and produce alerts
View answer
Correct Answer: D
Question #17
Refer to the exhibit. An engineer received a report that an attacker has compromised a workstation and gained access to sensitive customer data from the network using insecure protocols. Which action prevents this type of attack in the future?
A. se VLANs to segregate zones and the firewall to allow only required services and secured protocols
B. eploy a SOAR solution and correlate log alerts from customer zones
C. eploy IDS within sensitive areas and continuously update signatures
D. se syslog to gather data from multiple sources and detect intrusion logs for timely responses
View answer
Correct Answer: A
Question #18
Refer to the exhibit. An organization is using an internal application for printing documents that requires a separate registration on the website. The application allows format-free user creation, and users must match these required conditions to comply with the company’s user creation policy: -minimum length: 3 -usernames can only use letters, numbers, dots, and underscores -usernames cannot begin with a numberThe application administrator has to manually change and track these daily to ensure compliance.
A. odify code to return error on restrictions def return false_user(username, minlen)
B. utomate the restrictions def automate_user(username, minlen)
C. alidate the restrictions, def validate_user(username, minlen)
D. odify code to force the restrictions, def force_user(username, minlen)
View answer
Correct Answer: B
Question #19
An employee abused PowerShell commands and script interpreters, which lead to an indicator of compromise (IOC) trigger. The IOC event shows that a known malicious file has been executed, and there is an increased likelihood of a breach. Which indicator generated this IOC event?
A. xecutedMalware
B. rossrider
C. onnectToSuspiciousDomain
D. 32 AccesschkUtility
View answer
Correct Answer: D
Question #20
Refer to the exhibit. What is the threat in this Wireshark traffic capture?
A. high rate of SYN packets being sent from multiple sources toward a single destination IP
B. flood of ACK packets coming from a single source IP to multiple destination IPs
C. high rate of SYN packets being sent from a single source IP toward multiple destination IPs
D. flood of SYN packets coming from a single source IP to a single destination IP
View answer
Correct Answer: D
Question #21
A malware outbreak is detected by the SIEM and is confirmed as a true positive. The incident response team follows the playbook to mitigate the threat. What is the first action for the incident response team?
A. ssess the network for unexpected behavior
B. solate critical hosts from the network
C. atch detected vulnerabilities from critical hosts
D. erform analysis based on the established risk factors
View answer
Correct Answer: B
Question #22
Drag and drop the NIST incident response process steps from the left onto the actions that occur in the steps on the right.Select and Place:Exhibit A:Exhibit B:
A. lease refer to Exhibit B for the answer
View answer
Correct Answer: A
Question #23
An engineer is analyzing a possible compromise that happened a week ago when the company database servers unexpectedly went down. The analysis reveals that attackers tampered with Microsoft SQL Server Resolution Protocol and launched a DDoS attack. The engineer must act quickly to ensure that all systems are protected. Which two tools should be used to detect and mitigate this type of future attack? (Choose two.)
A. IPAA
B. CI-DSS
C. arbanes-Oxley
D. DPR
View answer
Correct Answer: AB
Question #24
What is a principle of Infrastructure as Code?
A. ystem maintenance is delegated to software systems
B. omprehensive initial designs support robust systems
C. cripts and manual configurations work together to ensure repeatable routines
D. ystem downtime is grouped and scheduled across the infrastructure
View answer
Correct Answer: B
Question #25
Drag and drop the mitigation steps from the left onto the vulnerabilities they mitigate on the right.Select and Place:Exhibit A:Exhibit B:
A. lease refer to Exhibit B for the answer
View answer
Correct Answer: A
Question #26
Drag and drop the phases to evaluate the security posture of an asset from the left onto the activity that happens during the phases on the right.Select and Place:Exhibit A: Exhibit B:
A. erform a vulnerability assessment
B. onduct a data protection impact assessment
C. onduct penetration testing
D. erform awareness testing
View answer
Correct Answer: A
Question #27
Refer to the exhibit. Cisco Rapid Threat Containment using Cisco Secure Network Analytics (Stealthwatch) and ISE detects the threat of malware-infected 802.1x authenticated endpoints and places that endpoint into a Quarantine VLAN using Adaptive Network Control policy. Which telemetry feeds were correlated with SMC to identify the malware?
A. etFlow and event data
B. vent data and syslog data
C. NMP and syslog data
D. etFlow and SNMP
View answer
Correct Answer: B
Question #28
What is a benefit of key risk indicators?
A. lear perspective into the risk position of an organization
B. mproved visibility on quantifiable information
C. mproved mitigation techniques for unknown threats
D. lear procedures and processes for organizational risk
View answer
Correct Answer: C
Question #29
A threat actor used a phishing email to deliver a file with an embedded macro. The file was opened, and a remote code execution attack occurred in a company’s infrastructure. Which steps should an engineer take at the recovery stage?
A. etermine the systems involved and deploy available patches
B. nalyze event logs and restrict network access
C. eview access lists and require users to increase password complexity
D. dentify the attack vector and update the IDS signature list
View answer
Correct Answer: B
Question #30
A new malware variant is discovered hidden in pirated software that is distributed on the Internet. Executives have asked for an organizational risk assessment. The security officer is given a list of all assets. According to NIST, which two elements are missing to calculate the risk assessment? (Choose two.)
A. xploitation
B. ctions on objectives
C. elivery
D. econnaissance
View answer
Correct Answer: BE
Question #31
04. The incident response team receives information about the abnormal behavior of a host. A malicious file is found being executed from an external USB flash drive. The team collects and documents all the necessary evidence from the computing resource. What is the next step?
A. onductariskassessmentofsystemsandapplicati
B. solatetheinfectedhostfromtherestofthesubne
C. nstallmalwarepreventionsoftwareontheh
D. nalyzenetworktrafficonthehost'ssubne
View answer
Correct Answer: B
Question #32
A security expert is investigating a breach that resulted in a $32 million loss from customer accounts. Hackers were able to steal API keys and two-factor codes due to a vulnerability that was introduced in a new code a few weeks before the attack. Which step was missed that would have prevented this breach?
A. se of the Nmap tool to identify the vulnerability when the new code was deployed
B. mplementation of a firewall and intrusion detection system
C. mplementation of an endpoint protection system
D. se of SecDevOps to detect the vulnerability during development
View answer
Correct Answer: D
Question #33
Drag and drop the components from the left onto the phases of the CI/CD pipeline on the right.Select and Place:Exhibit A:Exhibit B:
A. lease refer to Exhibit B for the answer
View answer
Correct Answer: A
Question #34
What is the HTTP response code when the REST API information requested by the authenticated user cannot be found?
A. 01
B. 02
C. 03
D. 04
E. 05
View answer
Correct Answer: A
Question #35
Refer to the exhibit. A threat actor behind a single computer exploited a cloud-based application by sending multiple concurrent API requests. These requests made the application unresponsive. Which solution protects the application from being overloaded and ensures more equitable application access across the end-user community?
A. imit the number of API calls that a single client is allowed to make
B. dd restrictions on the edge router on how often a single client can access the API
C. educe the amount of data that can be fetched from the total pool of active clients that call the API
D. ncrease the application cache of the total pool of active clients that call the API
View answer
Correct Answer: A
Question #36
A SIEM tool fires an alert about a VPN connection attempt from an unusual location. The incident response team validates that an attacker has installed a remote access tool on a user’s laptop while traveling. The attacker has the user’s credentials and is attempting to connect to the network.What is the next step in handling the incident?
A. lock the source IP from the firewall
B. erform an antivirus scan on the laptop
C. dentify systems or services at risk
D. dentify lateral movement
View answer
Correct Answer: C
Question #37
An engineer receives an incident ticket with hundreds of intrusion alerts that require investigation. An analysis of the incident log shows that the alerts are from trusted IP addresses and internal devices. The final incident report stated that these alerts were false positives and that no intrusions were detected. What action should be taken to harden the network?
A. ove the IPS to after the firewall facing the internal network
B. ove the IPS to before the firewall facing the outside network
C. onfigure the proxy service on the IPS
D. onfigure reverse port forwarding on the IPS
View answer
Correct Answer: C
Question #38
Refer to the exhibit. A threat actor behind a single computer exploited a cloud-based application by sending multiple concurrent API requests. These requests made the application unresponsive. Which solution protects the application from being overloaded and ensures more equitable application access across the end- user community?
A. imit the number of API calls that a single client is allowed to make
B. dd restrictions on the edge router on how often a single client can access the API
C. educe the amount of data that can be fetched from the total pool of active clients that call the API
D. ncrease the application cache of the total pool of active clients that call the API
View answer
Correct Answer: A
Question #39
A SOC analyst detected a ransomware outbreak in the organization coming from a malicious email attachment. Affected parties are notified, and the incident response team is assigned to the case. According to the NIST incident response handbook, what is the next step in handling the incident?
A. reate a follow-up report based on the incident documentation
B. erform a vulnerability assessment to find existing vulnerabilities
C. radicate malicious software from the infected machines
D. ollect evidence and maintain a chain-of-custody during further analysis
View answer
Correct Answer: D
Question #40
An engineer notices that unauthorized software was installed on the network and discovers that it was installed by a dormant user account. The engineer suspects an escalation of privilege attack and responds to the incident. Drag and drop the activities from the left into the order for the response on the right.Select and Place:Exhibit A:Exhibit B:
A. lease refer to Exhibit B for the answer
View answer
Correct Answer: A
Question #41
Drag and drop the type of attacks from the left onto the cyber kill chain stages at which the attacks are seen on the right.Select and Place:Exhibit A:Exhibit B:
A. lease refer to Exhibit B for the answer
View answer
Correct Answer: A
Question #42
Where do threat intelligence tools search for data to identify potential malicious IP addresses, domain names, and URLs?
A. ustomer data
B. nternal database
C. nternal cloud
D. nternet
View answer
Correct Answer: D
Question #43
01. Employees report computer system crashes within the same week. An analyst is investigating one of the computers that crashed and discovers multiple shortcuts in the system's startup folder. It appears that the shortcuts redirect users to malicious URLs.
A. emovetheshortcutfile
B. hecktheauditl
C. dentifyaffectedsystem
D. nvestigatethemaliciousURL
View answer
Correct Answer: C
Question #44
An engineer wants to review the packet overviews of SNORT alerts. When printing the SNORT alerts, all the packet headers are included, and the file is too large to utilize. Which action is needed to correct this problem?
A. odify the alert rule to “output alert_syslog: output log”
B. odify the output module rule to “output alert_quick: output filename”
C. odify the alert rule to “output alert_syslog: output header”
D. odify the output module rule to “output alert_fast: output filename”
View answer
Correct Answer: A
Question #45
The physical security department received a report that an unauthorized person followed an authorized individual to enter a secured premise. The incident was documented and given to a security specialist to analyze. Which step should be taken at this stage?
A. etermine the assets to which the attacker has access
B. dentify assets the attacker handled or acquired
C. hange access controls to high risk assets in the enterprise
D. dentify movement of the attacker in the enterprise
View answer
Correct Answer: D
Question #46
03. How does Wireshark decrypt TLS network traffic?
A. ithakeylogfileusingper-sessionsecre
B. singanRSApublickey
C. yobservingDHkeyexchange
D. ydefiningauser-specifieddecode-a
View answer
Correct Answer: A
Question #47
An organization had several cyberattacks over the last 6 months and has tasked an engineer with looking for patterns or trends that will help the organization anticipate future attacks and mitigate them. Which data analytic technique should the engineer use to accomplish this task?
A. iagnostic
B. ualitative
C. redictive
D. tatistical
View answer
Correct Answer: C
Question #48
Refer to the exhibit. How must these advisories be prioritized for handling?
A. he highest priority for handling depends on the type of institution deploying the devices
B. ulnerability #2 is the highest priority for every type of institution
C. ulnerability #1 and vulnerability #2 have the same priority
D. ulnerability #1 is the highest priority for every type of institution
View answer
Correct Answer: D
Question #49
An engineer is going through vulnerability triage with company management because of a recent malware outbreak from which 21 affected assets need to be patched or remediated. Management decides not to prioritize fixing the assets and accepts the vulnerabilities. What is the next step the engineer should take?
A. nvestigate the vulnerability to prevent further spread
B. cknowledge the vulnerabilities and document the risk
C. pply vendor patches or available hot fixes
D. solate the assets affected in a separate network
View answer
Correct Answer: D
Question #50
Refer to the exhibit. An engineer must tune the Cisco IOS device to mitigate an attack that is broadcasting a large number of ICMP packets. The attack is sending the victim’s spoofed source IP to a network using an IP broadcast address that causes devices in the network to respond back to the source IP address. Which action does the engineer recommend?
A. se command ip verify reverse-path interface
B. se global configuration command service tcp-keepalives-out
C. se subinterface command no ip directed-broadcast
D. se logging trap 6
View answer
Correct Answer: A
Question #51
Drag and drop the cloud computing service descriptions from the left onto the cloud service categories on the right.Select and Place:Exhibit A:Exhibit B:
A. lease refer to Exhibit B for the answer
View answer
Correct Answer: A
Question #52
08. Which command does an engineer use to set read/write/execute access on a folder for everyone who reaches the resource?
A. dditionalactionmustbetakenbytheclienttocompletethereque
B. heservertakesresponsibilityforerrorstatuscode
C. uccessfulacceptanceoftheclient'sreque
D. ommunicationoftransferprotocol-levelinformati
View answer
Correct Answer: B
Question #53
The incident response team receives information about the abnormal behavior of a host. A malicious file is found being executed from an external USB flash drive. The team collects and documents all the necessary evidence from the computing resource. What is the next step?
A. onduct a risk assessment of systems and applications
B. solate the infected host from the rest of the subnet
C. nstall malware prevention software on the host
D. nalyze network traffic on the host’s subnet
View answer
Correct Answer: B
Question #54
How is a SIEM tool used?
A. To collect security data from authentication failures and cyber attacks and forward it for analysis
B. To search and compare security data against acceptance standards and generate reports for analysis
C. To compare security alerts against configured scenarios and trigger system responses
D. To collect and analyze security data from network devices and servers and produce alerts
View answer
Correct Answer: D
Question #55
A security analyst receives an escalation regarding an unidentified connection on the Accounting A1 server within a monitored zone. The analyst pulls the logs and discovers that a Powershell process and a WMI tool process were started on the server after the connection was established and that a PE format file was created in the system directory. What is the next step the analyst should take?
A. solate the server and perform forensic analysis of the file to determine the type and vector of a possible attack
B. dentify the server owner through the CMDB and contact the owner to determine if these were planned and identifiable activities
C. eview the server backup and identify server content and data criticality to assess the intrusion risk
D. erform behavioral analysis of the processes on an isolated workstation and perform cleaning procedures if the file is malicious
View answer
Correct Answer: C
Question #56
The incident response team was notified of detected malware. The team identified the infected hosts, removed the malware, restored the functionality and data of infected systems, and planned a company meeting to improve the incident handling capability. Which step was missed according to the NIST incident handling guide?
A. ontain the malware
B. nstall IPS software
C. etermine the escalation path
D. erform vulnerability assessment
View answer
Correct Answer: D
Question #57
An API developer is improving an application code to prevent DDoS attacks. The solution needs to accommodate instances of a large number of API requests coming for legitimate purposes from trustworthy services. Which solution should be implemented?
A. estrict the number of requests based on a calculation of daily averages
B. mplement REST API Security Essentials solution to automatically mitigate limit exhaustion
C. ncrease a limit of replies in a given interval for each API
D. pply a limit to the number of requests in a given time interval for each API
View answer
Correct Answer: D
Question #58
Refer to the exhibit. IDS is producing an increased amount of false positive events about brute force attempts on the organization’s mail server. How should the Snort rule be modified to improve performance?
A. lock list of internal IPs from the rule
B. hange the rule content match to case sensitive
C. et the rule to track the source IP
D. une the count and seconds threshold of the rule
View answer
Correct Answer: B
Question #59
How does Wireshark decrypt TLS network traffic?
A. ith a key log file using per-session secrets
B. sing an RSA public key
C. y observing DH key exchange
D. y defining a user-specified decode-as
View answer
Correct Answer: A
Question #60
An organization is using a PKI management server and a SOAR platform to manage the certificate lifecycle. The SOAR platform queries a certificate management tool to check all endpoints for SSL certificates that have either expired or are nearing expiration. Engineers are struggling to manage problematic certificates outside of PKI management since deploying certificates and tracking them requires searching server owners manually. Which action will improve workflow automation?
A. mplement a new workflow within SOAR to create tickets in the incident response system, assign problematic certificate update requests to server owners, and register change requests
B. ntegrate a PKI solution within SOAR to create certificates within the SOAR engines to track, update, and monitor problematic certificates
C. mplement a new workflow for SOAR to fetch a report of assets that are outside of the PKI zone, sort assets by certification management leads and automate alerts that updates are needed
D. ntegrate a SOAR solution with Active Directory to pull server owner details from the AD and send an automated email for problematic certificates requesting updates
View answer
Correct Answer: C
Question #61
Refer to the exhibit. What is occurring in this packet capture?
A. TCP port scan
B. TCP flood
C. DNS flood
D. DNS tunneling
View answer
Correct Answer: B
Question #62
An employee who often travels abroad logs in from a first-seen country during non-working hours. The SIEM tool generates an alert that the user is forwarding an increased amount of emails to an external mail domain and then logs out. The investigation concludes that the external domain belongs to a competitor. Which two behaviors triggered UEBA? (Choose two.)
A. domain belongs to a competitor
B. log in during non-working hours
C. email forwarding to an external domain
D. log in from a first-seen country
E. increased number of sent mails
View answer
Correct Answer: AB
Question #63
A patient views information that is not theirs when they sign in to the hospital’s online portal. The patient calls the support center at the hospital but continues to be put on hold because other patients are experiencing the same issue. An incident has been declared, and an engineer is now on the incident bridge as the CyberOps Tier 3 Analyst. There is a concern about the disclosure of PII occurring in real-time. What is the first step the analyst should take to address this incident?
A. valuate visibility tools to determine if external access resulted in tampering
B. ontact the third-party handling provider to respond to the incident as critical
C. urn off all access to the patient portal to secure patient records
D. eview system and application logs to identify errors in the portal code
View answer
Correct Answer: C
Question #64
An engineer is moving data from NAS servers in different departments to a combined storage database so that the data can be accessed and analyzed by the organization on-demand. Which data management process is being used?
A. ata clustering
B. ata regression
C. ata ingestion
D. ata obfuscation
View answer
Correct Answer: A
Question #65
Refer to the exhibit. Which two steps mitigate attacks on the webserver from the Internet? (Choose two.)
A. lease refer to Exhibit B for the answer
View answer
Correct Answer: BD
Question #66
Refer to the exhibit. A security analyst needs to investigate a security incident involving several suspicious connections with a possible attacker. Which tool should the analyst use to identify the source IP of the offender?
A. acket sniffer
B. alware analysis
C. IEM
D. irewall manager
View answer
Correct Answer: A
Question #67
Refer to the exhibit. An engineer is performing a static analysis on a malware and knows that it is capturing keys and webcam events on a company server. What is the indicator of compromise?
A. he malware is performing comprehensive fingerprinting of the host, including a processor, motherboard manufacturer, and connected removable storage
B. he malware is a ransomware querying for installed anti-virus products and operating systems to encrypt and render unreadable until payment is made for file decryption
C. he malware has moved to harvesting cookies and stored account information from major browsers and configuring a reverse proxy for intercepting network activity
D. he malware contains an encryption and decryption routine to hide URLs/IP addresses and is storing the output of loggers and webcam captures in locally encrypted files for retrieval
View answer
Correct Answer: B
Question #68
A company’s web server availability was breached by a DDoS attack and was offline for 3 hours because it was not deemed a critical asset in the incident response playbook. Leadership has requested a risk assessment of the asset. An analyst conducted the risk assessment using the threat sources, events, and vulnerabilities.Which additional element is needed to calculate the risk?
A. ssessment scope
B. vent severity and likelihood
C. ncident response playbook
D. isk model framework
View answer
Correct Answer: D
Question #69
A company recently completed an internal audit and discovered that there is CSRF vulnerability in 20 of its hosted applications. Based on the audit, which recommendation should an engineer make for patching?
A. dentify the business applications running on the assets
B. pdate software to patch third-party software
C. alidate CSRF by executing exploits within Metasploit
D. ix applications according to the risk scores
View answer
Correct Answer: D
Question #70
Refer to the exhibit. What results from this script?
A. eeds for existing domains are checked
B. search is conducted for additional seeds
C. omains are compared to seed rules
D. list of domains as seeds is blocked
View answer
Correct Answer: B
Question #71
An engineer detects an intrusion event inside an organization's network and becomes aware that files that contain personal data have been accessed. Which action must be taken to contain this attack?
A. isconnect the affected server from the network
B. nalyze the source
C. ccess the affected server to confirm compromised files are encrypted
D. etermine the attack surface
View answer
Correct Answer: C
Question #72
An engineer implemented a SOAR workflow to detect and respond to incorrect login attempts and anomalous user behavior. Since the implementation, the security team has received dozens of false positive alerts and negative feedback from system administrators and privileged users. Several legitimate users were tagged as a threat and their accounts blocked, or credentials reset because of unexpected login times and incorrectly typed credentials. How should the workflow be improved to resolve these issues?
A. eet with privileged users to increase awareness and modify the rules for threat tags and anomalous behavior alerts
B. hange the SOAR configuration flow to remove the automatic remediation that is increasing the false positives and triggering threats
C. dd a confirmation step through which SOAR informs the affected user and asks them to confirm whether they made the attempts
D. ncrease incorrect login tries and tune anomalous user behavior not to affect privileged accounts
View answer
Correct Answer: B
Question #73
A SOC team is informed that a UK-based user will be traveling between three countries over the next 60 days. Having the names of the 3 destination countries and the user's working hours, what must the analyst do next to detect an abnormal behavior?
A. reate a rule triggered by 3 failed VPN connection attempts in an 8-hour period
B. reate a rule triggered by 1 successful VPN connection from any nondestination country
C. reate a rule triggered by multiple successful VPN connections from the destination countries
D. nalyze the logs from all countries related to this user during the traveling period
View answer
Correct Answer: D
Question #74
What do 2xx HTTP response codes indicate for REST APIs?
A. dditional action must be taken by the client to complete the request
B. he server takes responsibility for error status codes
C. ommunication of transfer protocol-level information
D. uccessful acceptance of the client’s request
View answer
Correct Answer: D
Question #75
A payroll administrator noticed unexpected changes within a piece of software and reported the incident to the incident response team. Which actions should be taken at this step in the incident response workflow?
A. lassify the criticality of the information, research the attacker’s motives, and identify missing patches
B. etermine the damage to the business, extract reports, and save evidence according to a chain of custody
C. lassify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited
D. etermine the attack surface, evaluate the risks involved, and communicate the incident according to the escalation plan
View answer
Correct Answer: B
Question #76
An audit is assessing a small business that is selling automotive parts and diagnostic services. Due to increased customer demands, the company recently started to accept credit card payments and acquired a POS terminal. Which compliance regulations must the audit apply to the company?
A. IPAA
B. ISMA
C. OBIT
D. CI DSS
View answer
Correct Answer: D
Question #77
A security incident affected an organization's critical business services, and the customer-side web API became unresponsive and crashed. An investigation revealed a spike of API call requests and a high number of inactive sessions during the incident. Which two recommendations should the engineers make to prevent similar incidents in the future? (Choose two.)
A. onfigure shorter timeout periods
B. etermine API rate-limiting requirements
C. mplement API key maintenance
D. utomate server-side error reporting for customers
E. ecrease simultaneous API responses
View answer
Correct Answer: BD
Question #78
An audit is assessing a small business that is selling automotive parts and diagnostic services. Due to increased customer demands, the company recently started to accept credit card payments and acquired a POS terminal. Which compliance regulations must the audit apply to the company?
A. HIPAA
B. FISMA
C. COBIT
D. PCI DSS
View answer
Correct Answer: D
Question #79
Drag and drop the telemetry-related considerations from the left onto their cloud service models on the right.Select and Place:Exhibit A: Exhibit B:
A. lease refer to Exhibit B for the answer
View answer
Correct Answer: A
Question #80
An engineer receives a report that indicates a possible incident of a malicious insider sending company information to outside parties. What is the first action the engineer must take to determine whether an incident has occurred?
A. nalyze environmental threats and causes
B. nform the product security incident response team to investigate further
C. nalyze the precursors and indicators
D. nform the computer security incident response team to investigate further
View answer
Correct Answer: C
Question #81
A customer is using a central device to manage network devices over SNMPv2. A remote attacker caused a denial of service condition and can trigger this vulnerability by issuing a GET request for the ciscoFlashMIB OID on an affected device. Which should be disabled to resolve the issue?
A. SNMPv2
B. TCP small services
C. port UDP 161 and 162
D. UDP small services
View answer
Correct Answer: A
Question #82
An organization lost connectivity to critical servers, and users cannot access business applications and internal websites. An engineer checks the network devices to investigate the outage and determines that all devices are functioning. Drag and drop the steps from the left into the sequence on the right to continue investigating this issue. Not all options are used.Select and Place:Exhibit A: Exhibit B:
A. lease refer to Exhibit B for the answer
View answer
Correct Answer: A
Question #83
An engineer is moving data from NAS servers in different departments to a combined storage database so that the data can be accessed and analyzed by the organization on-demand. Which data management process is being used?
A. data clustering
B. data regression
C. data ingestion
D. data obfuscation
View answer
Correct Answer: A
Question #84
07. The physical security department received a report that an unauthorized person followed an authorized individual to enter a secured premise. The incident was documented and given to a security specialist to analyze. Which step should be taken at this stage?
A. hmod666
B. hmod777
C. hmod775
D. hmod774
View answer
Correct Answer: D
Question #85
Which command does an engineer use to set read/write/execute access on a folder for everyone who reaches the resource?
A. hmod 666
B. hmod 774
C. hmod 775
D. hmod 777
View answer
Correct Answer: D
Question #86
A threat actor attacked an organization’s Active Directory server from a remote location, and in a thirty-minute timeframe, stole the password for the administrator account and attempted to access 3 company servers. The threat actor successfully accessed the first server that contained sales data, but no files were downloaded. A second server was also accessed that contained marketing information and 11 files were downloaded. When the threat actor accessed the third server that contained corporate financial
A. ccessing the Active Directory server
B. ccessing the server with financial data
C. ccessing multiple servers
D. ownloading more than 10 files
View answer
Correct Answer: C
Question #87
Refer to the exhibit. Which indicator of compromise is represented by this STIX?
A. ebsite redirecting traffic to ransomware server
B. ebsite hosting malware to download files
C. eb server vulnerability exploited by malware
D. ross-site scripting vulnerability to backdoor server
View answer
Correct Answer: C
Question #88
02. According to GDPR, what should be done with data to ensure its confidentiality, integrity, and availability?
A. erformavulnerabilityassessme
B. onductadataprotectionimpactassessme
C. onductpenetrationtesti
D. erformawarenesstesti
View answer
Correct Answer: B
Question #89
An organization had a breach due to a phishing attack. An engineer leads a team through the recovery phase of the incident response process. Which action should be taken during this phase?
A. ost a discovery meeting and define configuration and policy updates
B. pdate the IDS/IPS signatures and reimage the affected hosts
C. dentify the systems that have been affected and tools used to detect the attack
D. dentify the traffic with data capture using Wireshark and review email filters
View answer
Correct Answer: C
Question #90
A security manager received an email from an anomaly detection service, that one of their contractors has downloaded 50 documents from the company's confidential document management folder using a company- owned asset al039-ice-4ce687TL0500. A security manager reviewed the content of downloaded documents and noticed that the data affected is from different departments. What are the actions a security manager should take?
A. easure confidentiality level of downloaded documents
B. eport to the incident response team
C. scalate to contractor's manager
D. ommunicate with the contractor to identify the motives
View answer
Correct Answer: B
Question #91
Refer to the exhibit. An engineer is reverse engineering a suspicious file by examining its resources. What does this file indicate?
A. DOS MZ executable format
B. MS-DOS executable archive
C. n archived malware
D. Windows executable file
View answer
Correct Answer: D
Question #92
Refer to the exhibit. Which data format is being used?
A. SON
B. TML
C. ML
D. SV
View answer
Correct Answer: B
Question #93
Refer to the exhibit. Which command was executed in PowerShell to generate this log?
A. et-EventLog -LogName*
B. et-EventLog -List
C. et-WinEvent -ListLog* -ComputerName localhost
D. et-WinEvent -ListLog*
View answer
Correct Answer: A
Question #94
Refer to the exhibit. An engineer is analyzing this Vlan0392-int12-239.pcap file in Wireshark after detecting a suspicious network activity. The origin header for the direct IP connections in the packets was initiated by a google chrome extension on a WebSocket protocol. The engineer checked message payloads to determine what information was being sent off-site but the payloads are obfuscated and unreadable. What does this STIX indicate?
A. he extension is not performing as intended because of restrictions since ports 80 and 443 should be accessible
B. he traffic is legitimate as the google chrome extension is reaching out to check for updates and fetches this information
C. here is a possible data leak because payloads should be encoded as UTF-8 text
D. here is a malware that is communicating via encrypted channels to the command and control server
View answer
Correct Answer: C

View The Updated CCNP Exam Questions

SPOTO Provides 100% Real CCNP Exam Questions for You to Pass Your CCNP Exam!

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: