350-201 Cisco Performing CyberOps Using Core Security Technologies (CBRCOR) Free Practice Exam Questions (2025 Updated)

The browser page rendering permissions are displayed in the X-Frame-Options HTTP response header. This header is used to control whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. The options are “DENY”, “SAMEORIGIN”, or “ALLOW-FROM uri”.

References:

MDN Web Docs on X-Frame-Options

Cisco’s training on Performing CyberOps Using Cisco Security Technologies (CBRCOR) would cover the analysis of HTTP headers and their implications on security.

 The “permission denied” error during script execution indicates that the script does not have execute permissions. The chmod +x ex.sh command changes the script’s permissions to make it executable. This is the necessary step to resolve the permission issue and allow the script to run

The behavior analytics tool was likely triggered by the action of downloading more than 10 files. Behavior analytics tools, such as User and Entity Behavior Analytics (UEBA), are designed to detect anomalous behavior that deviates from a user’s normal activity patterns. In this scenario, the downloading of a large number of files in a short period is an unusual activity that could indicate a data exfiltration attempt. This is especially true if the baseline or normal behavior for the administrator account does not include frequent bulk file downloads. The sudden spike in file download activity would be flagged by the behavior analytics tool as potentially malicious, leading to the disconnection of the session and the disabling of the administrator’s account to prevent further unauthorized access or data loss.

Key risk indicators (KRIs) provide a clear perspective into the risk position of an organization. KRIs are metrics used to proactively measure risks that a business may face. They serve as early warning signs of upcoming crises, which can provide an organization’s management team time to create an action plan to mitigate that risk’s potential impact or prevent it from occurring2.

When there is a report of a possible malicious insider incident, the first action should be to inform the computer security incident response team (CSIRT) to investigate further. The CSIRT has the expertise and authority to conduct a thorough investigation, analyze the precursors and indicators, and determine whether an incident has occurred3.

A European-based advertisement company that collects tracking information from partner websites must adhere to the General Data Protection Regulation (GDPR). GDPR is the standard that governs data protection and privacy in the European Union and the European Economic Area. It provides guidelines on how personal data should be collected, processed, and stored, ensuring that individuals’ data is protected and that companies are transparent about their data handling practices

 When addressing detected vulnerabilities, it is crucial to first evaluate the potential service disruption and associated risks before prioritizing patches. This approach ensures that the most critical services remain operational and that the patches are applied in a manner that minimizes impact on business operations. It is important to consider the severity of the vulnerabilities, the importance of the affected systems, and the potential consequences of applying patches, which may require system reboots or could lead to compatibility issues with other applications123.

References:

Cisco’s Performing CyberOps Using Cisco Security Technologies (CBRCOR) course provides guidance on cybersecurity operations, including vulnerability management and mitigation strategies1.

The CBRCOR Exam Topics outline the importance of evaluating the security posture of an asset and determining patching recommendations based on scenarios, which aligns with the recommended mitigation step of evaluating service disruption and associated risk2.

Industry best practices for vulnerability management also emphasize the need to assess the impact of patches and to prioritize them based on the risk to the organization

When analyzing a possible compromise that occurred in the past, tools like Wireshark and Autopsy can be instrumental. Wireshark is a network protocol analyzer that can capture and display the data traveling back and forth on a network in real-time. It’s useful for understanding what happened during the compromise by analyzing the packets for signs of malicious activity. Autopsy is a digital forensics platform that cananalyze hard drives and smartphones to recover evidence of a compromise, such as malware artifacts or suspicious file changes. Both tools would provide an engineer with the necessary data to analyze the events leading up to and during the compromise.

Prioritizing vulnerabilities for handling is a critical process that depends on various factors, including the nature of the institution and the context in which the devices are deployed. Vulnerability #1, which affects the Command Line Interpreter (CLI) of ACME Super Firewall, could allow an attacker to execute arbitrary commands with administrative rights. This type of vulnerability is particularly severe because it could lead to complete system compromise. However, it requires the attacker to be logged in to the device, which adds a layer of difficulty for exploitation.

Vulnerability #2 affects the web-based management interface of ACME Router models 1010 and 1020, allowing an attacker to bypass authorization checks. This vulnerability is also critical as it can lead to unauthorized access to sensitive information and system configuration. Unlike Vulnerability #1, it does not require the attacker to be logged in, making it easier to exploit.

The prioritization of these vulnerabilities would depend on the specific deployment scenario of the institution. For example, an institution that heavily relies on remote management of devices may prioritize Vulnerability #2 higher due to its remote exploitability. Conversely, an institution with strict access controls and limited remote access might prioritize Vulnerability #1 due to the potential for internal threats.

To mitigate attacks on a webserver from the Internet, it’s crucial to implement security measures that control the traffic reaching the server and provide an additional layer of abstraction.

A. Create an ACL on the firewall to allow only TLS 1.3: This step ensures that only secure, encrypted traffic using the latest version of the TLS protocol can reach the webserver. TLS 1.3 includes improvements over previous versions that enhance security and performance, making it a strong choice for protecting web traffic.

B. Implement a proxy server in the DMZ network: A proxy server acts as an intermediary between users on the Internet and the webserver. It can provide additional security features like content filtering and load balancing. By processing requests and responses through the proxy, direct access to the webserver is avoided, reducing the attack surface.

Options C and D are less effective in this context: C. Create an ACL on the firewall to allow only external connections: This would not be a mitigation step, as it does not restrict the type of traffic or provide additional security measures. D. Move the webserver to the internal network: This could potentially expose the internal network to more risks if the webserver is compromised. It’s generally safer to keep public-facing services in a DMZ.

To calculate the risk as part of a risk assessment, it is essential to consider the event severity and likelihood. This involves evaluating how severe the impact of a threat event could be and the probability of its occurrence1. These factors help in determining the level of risk associated with a particular asset or event. While the assessment scope, incident response playbook, and risk model framework are important elements of risk management, they do not directly contribute to the calculation of risk in the same way that understanding the severity and likelihood of an event does234.

To prevent DDoS attacks while accommodating legitimate high-volume requests from trusted services, it’s advisable to implement rate limiting. This involves setting a threshold for the number of requests that can be made to an API within a certain time frame. If this limit is exceeded, access should be temporarily blocked, and a 429 HTTP error code (“Too Many Requests”) should be returned. This allows legitimate users to be throttled rather than completely cut off, preserving functionality while protecting against abuse.

When an intrusion event is detected and personal data has been accessed, the immediate action to contain the attack is to disconnect the affected server from the network. This prevents the attacker from accessing more resources or causing further damage and allows the organization to begin the process of investigating and eradicating the threat

Continuous delivery is a software development approach that enables teams to produce software in short cycles, ensuring that the software can be reliably released at any time. It aims to build, test, and release software with greater speed and frequency. This approach helps in closing feedback loops and enables teams to quickly apply patches, making it ideal for situations where code updates need to reach the market as often as possible

The IP address 192.168.1.209 is associated with a critical risk level due to data exfiltration activities. Data exfiltration refers to the unauthorized transfer of data from a computer or other device, which can be a significant security threat as it may involve sensitive or proprietary information being taken out of the network. Given the severity of the risk and the nature of the activity, the immediate next step is to isolate the device to prevent further unauthorized data transfer and to contain the potential breach. This action will also allow fora more thorough investigation without the risk of additional data loss or network compromise1.

References:

Cisco’s CyberOps Using Core Security Technologies course provides insights into identifying and responding to cybersecurity threats, including data exfiltration2.

The Cisco Certified CyberOps Associate certification emphasizes the skills needed to work in a Security Operations Center (SOC), including the handling of critical threats and the isolation of affected devices

 If multiple assets received requests on TCP port 79, which is associated with the Finger service, the SOC team should take action to disable the Finger service on affected devices. This service is known to be used for reconnaissance by attackers, and disabling it can help mitigate the attack and prevent further information leakage