200-201 Cisco Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) Free Practice Exam Questions (2025 Updated)

 Phishing is considered a low-bandwidth attack because it does not require the use of significant network resources. Instead, it relies on social engineering to deceive individuals into providing sensitive information or clicking on malicious links, often through email or other communication methods1.

Network Address Translation (NAT) is the technology that allows a single IP address to send and receive traffic for multiple devices by modifying the IP header. NAT remaps one IP address space into another, enabling multiple devices to use a single public IP address to send and receive packets through the Internet2.

References := The concept of NAT and its role in network traffic management is detailed in networking resources and documentation, including those provided by network solution providers2.

 SYN flood and teardrop are two types of denial-of-service (DoS) attacks, which aim to disrupt the availability of a service or a system by overwhelming it with malicious traffic or requests. A SYN flood attack exploits the TCP three-way handshake process by sending a large number of SYN packets to the target’s port, without completing the connection. This causes the target to allocate resources for half-open connections, eventually exhausting its memory or bandwidth. A teardrop attack exploits the IP fragmentation process by sending malformed or overlapping IP fragments to the target, causing it to crash or reboot when trying to reassemble them. References := Cisco Cybersecurity Operations Fundamentals, Module 1: Security Concepts, Lesson 1.3: Common Network Application Operations and Attacks, Topic 1.3.4: Denial-of-Service Attacks

An Nmap scan can provide detailed information about a network including the functionality and purpose of servers on that network as well as any services that are currently running on those servers. This information can be used by an attacker to identify potential vulnerabilities or targets for exploitation during a cyber attack. References := Cisco Cybersecurity Training

When analyzing a pcap file, data encryption can pose a significant challenge in terms of visibility. Encrypted data cannot be easily inspected, which means that the analyst may not be able to view the contents of the network packets to detect suspicious activity.

Encryption is challenging to security monitoring because it can be used by threat actors as a method of evasion and obfuscation. Encryption can prevent security devices from inspecting the content or payload of the network traffic, making it difficult to detect malicious activity or signatures. Encryption can also hide the source and destination of the traffic, making it hard to trace the origin or destination of the attack. References: https://learningnetworkstore.cisco.com/on-demand-e-learning/understanding-cisco-cybersecurity-operations-fundamentals-cbrops-v1-0/CSCU-LP-CBROPS-V1-028093.html (Module 4, Lesson 4.1.1)

The difference between tampered and untampered disk images is:

Tampered Images: These are disk images that have been altered or modified in some way after their initial creation. The stored hash and the computed hash will not match if the image has been tampered with.

Untampered Images: These are disk images that have not been altered since their creation. They are considered authentic and reliable for forensic investigations. The stored hash and the computed hash will match, confirming that the image has remained unchanged.

Therefore, the correct answer is: D. Untampered images are used for forensic investigations.

Session data is the data type that is necessary to get information about source/destination ports. Session data is the information about connections between hosts, such as IP addresses, ports, protocols, and duration. Session data can be used to identify the services and applications that are being used on the network, as well as the direction and volume of the traffic. Session data can also help to detect anomalous or malicious behavior, such as port scanning, brute force attacks, or data exfiltration. Session data can be collected from various sources, such as firewalls, routers, switches, or network monitoring tools. References:

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 2: Security Monitoring, Lesson 2.2: Data Sources, Topic 2.2.2: Session Data (https://learningnetworkstore.cisco.com/on-demand-e-learning/understanding-cisco-cybersecurity-operations-fundamentals-cbrops-v1-0/CSCU-LP-CBROPS-V1-028093.html)

Cisco Certified CyberOps Associate Certification Guide, Chapter 3: Data Sources, Section 3.2: Session Data (https://www.ciscopress.com/store/cisco-certified-cyberops-associate-certification-guide-9780136807834)

Corroborative evidence is the type of evidence that supports a theory or an assumption that results from initial evidence. It provides additional support to the initial findings, strengthening the theory or assumption by confirming the same facts or pointing towards the same conclusion with independent pieces of evidence4567.

References := Types of evidence (article) | Lessons | Khan Academy, Evidence: Fundamental Concepts and the Phenomenal Conception, Navigating Scientific Evidence: Types and Definitions, How Courts Work - American Bar Association

 The alert from the Cisco ASA device and the numerous activity logs are examples of circumstantial evidence. Circumstantial evidence is evidence that relies on an inference or deduction to connect it to a conclusion of fact, such as a security incident or an attack. Circumstantial evidence does not directly prove the fact in question, but rather suggests or implies it. In this case, the alert and the logs indicate that a TCP connection attempt was denied by an access group, but they do not directly prove that an attack occurred or who was behind it. There could be other explanations for the denied connection, such as a misconfiguration, a network error, or a legitimate request. Therefore, this type of evidence is circumstantial and requires further investigation and analysis to confirm or rule out the possibility of an attack. References := Circumstantial evidence - Wikipedia; Circumstantial Evidence - Definition, Examples, Cases, Processes; Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 92.

Data encapsulation is a process in networking where the protocol stack of the sending host adds headers (and sometimes trailers) to the data.

Each layer of the OSI or TCP/IP model adds its own header to the data as it passes down the layers, preparing it for transmission over the network.

For example, in the TCP/IP model, data starts at the application layer and is encapsulated at each subsequent layer (Transport, Internet, and Network Access) before being transmitted.

This encapsulation ensures that the data is correctly formatted and routed to its destination, where the headers are stripped off in reverse order by the receiving host.

References

Networking Fundamentals by Cisco

OSI Model and Data Encapsulation Process

Understanding TCP/IP Encapsulation

The /var/log/auth.log file contains information about authentication and authorization events on a Linux system, such as successful and failed logins, sudo commands, and SSH sessions. The output in the exhibit shows a failed login attempt from a user named “root” using SSH. References: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01101.html

When analyzing Wireshark traffic for potential attacks, an engineer should look for patterns that indicate abnormal behavior, such as:

Excessive Requests: A high number of requests over a short period could suggest an attempt to overwhelm the server, known as an HTTP flood.

Status Codes: Repeated 403 Forbidden responses may indicate that the server is rejecting requests due to a security rule being triggered.

Request Types: A mix of GET and POST requests could be used in various attack scenarios, including bandwidth flooding or cache bypassing.

Threat hunting is a proactive cybersecurity technique that involves searching for indicators of compromise or signs of intrusion within an organization’s network or systems. Unlike automated detection systems, threat hunting is typically carried out by security analysts who use their knowledge and intuition to identify subtle, unusual patterns that may indicate a security breach. The goal of threat hunting is to identify and mitigate threats before they can cause significant damage.

The scenario described is indicative of a port scanning attack. Port scanning is a method used by attackers to discover open ports on network devices. A single SYN packet sent to each port is a technique known as SYN scanning or half-open scanning, where the attacker sends a SYN message (as if they are going to initiate a TCP connection) to every port on the server, looking for positive responses which indicate an open port. This type of scanning is less intrusive and harder to detect because it never completes the TCP three-way handshake1.

Social engineering is the practice of manipulating or deceiving people into performing actions or divulging information that can compromise the security of the organization. Asking questions about the company’s user account format and password complexity at a party is an example of social engineering, as the guest may be trying to gather information that can be used to launch a cyberattack. References := Cisco Cybersecurity Operations Fundamentals - Module 6: Security Incident Investigations