200-201 Cisco Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) Free Practice Exam Questions (2026 Updated)

A screenshot of a computer Description automatically generated

The security scenario involves protecting the company from known issues that trigger adware and addressing a recent incident that could harm the system.

This scenario involves identifying vulnerabilities (weaknesses in the system that can be exploited) and threats (potential harm that can exploit these vulnerabilities).

A vulnerability is an inherent flaw in the system, while a threat is an event or condition that has the potential to exploit the vulnerability.

The security engineer needs to assess both the vulnerabilities present and the threats that could exploit these vulnerabilities to implement effective protection measures.

References

Cisco Cybersecurity Operations Fundamentals

Concepts of Vulnerability and Threat in Cybersecurity

Best Practices in Vulnerability Management

The exhibit shows an event log file with fields like date time action protocol src-ip dst-ip src-port dst-port etc., which are typical in Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). These systems monitor network traffic for suspicious activity or violations of policies and produce reports as seen in the exhibit. References: Cisco Certified CyberOps Associate Overview

The executable file is identified in the “name” section of the exhibit, which lists the file name “VAC-Bypass-Loader.exe”. This indicates that the file is an executable, as denoted by the “.exe” extension commonly associated with executable files in Windows operating systems.

The information provided is based on standard practices for identifying executable files within cybersecurity analysis reports and is consistent with Cisco’s cybersecurity documentation.

 A vulnerability refers to a weakness or flaw in a system that can be exploited by threats (such as hackers or malware) to gain unauthorized access, cause damage, etc. Threats exploit these vulnerabilities to impact the confidentiality, integrity, or availability of information and systems. References: Cisco Cybersecurity Associate

 Behavior-based detection monitors the behavior of programs in real-time. If a piece of software acts similarly to known malware after it’s been executed, behavior-based detection can stop it in its tracks. Signature-based detection involves searching for known patterns of data within executable code; if a pattern matches a “signature” in the system’s database that is considered malicious. References: Cisco Cybersecurity Operations Fundamentals

 Separation of duties is a security principle that requires more than one person to perform a critical task, such as authorizing a transaction, approving a budget, or granting access to sensitive data. Separation of duties reduces the risk of fraud, error, abuse, or conflict of interest by preventing any single person from having too much power or privilege. Least privilege, need to know, and due diligence are other security principles, but they do not require more than one person to perform a critical task. References: Separation of Duty (SOD) - Glossary | CSRC - NIST Computer Security …, Separation of Duties | Imperva

Social engineering is a type of testing method that involves manipulating or deceiving people into performing actions or divulging information that can compromise the security of the organization. Social engineering can take various forms, such as phishing, vishing, baiting, quid pro quo, or impersonation. The scenario in the question is an example of a phishing attack, where the intruder sent an email to the user that appeared to be legitimate and contained a malicious link that infected the user’s machine and allowed the intruder to access the corporate network. References: [Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Module 6: Security Incident Investigations]

 In RBAC, access is based on the roles that users have within an organization, and permissions to perform certain operations are assigned to specific roles. DAC, on the other hand, is a type of access control where the access rights are determined by the owner of the resource or the resource itself.

 Phishing is considered a low-bandwidth attack because it does not require the use of significant network resources. Instead, it relies on social engineering to deceive individuals into providing sensitive information or clicking on malicious links, often through email or other communication methods1.

A regular expression (regex) is a sequence of characters that defines a search pattern for text. A regex can be used to extract custom properties from log messages or events in a SIEM platform. In this case, the regex that matches the phrase “File: Clean” exactly is ^File: Clean$. The ^ symbol indicates the beginning of the line and the $ symbol indicates the end of the line. The regex ensures that no other characters are before or after the phrase. References:

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, Module 5: Security Policies and Procedures, Lesson 5.3: Data and Event Analysis

200-201 CBROPS - Cisco, Exam Topics, 5.0 Security Policies and Procedures, 5.3 Analyze data as part of security monitoring activities

Cisco Certified CyberOps Associate Overview - Cisco Learning Network, Videos, 5.3 Analyze data as part of security monitoring activities

The log in the exhibit is generated by a firewall. It shows a deny action taken on TCP traffic, specifying the source and destination addresses and ports, which is characteristic of firewall logs. Firewalls are designed to control incoming and outgoing network traffic based on predetermined security rules, and this log entry reflects the enforcement of such a rule.

References :=

Cisco’s official documentation on firewall technologies and their log formats.

The Nmap scan results show that several ports, including ftp (21/tcp), ssh (22/tcp), telnet (23/tcp), smtp (25/tcp), and http (80/tcp), are listed as “filtered”. This typically indicatesthat a firewall is filtering the traffic to these ports, making it impossible to determine whether they are open without further investigation. However, the question specifically asks about SMB ports, which are not shown in the provided Nmap scan results. Therefore, based on the information given, we cannot confirm that the attacker identified open SMB ports on the server. The correct answer would require additional evidence not present in the scan results. References := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) course materials and official Cisco documentation provide insights into interpreting Nmap scan results and identifying port states. These resources can be found at the Cisco Learning Network Store and Cisco’s official training and certifications webpage