  • 402 Questions
  • Updated on: 25-May-2026
  • Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)

Free Cisco 200-201 Practice Questions 2026 | Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)


An engineer received an alert about degraded performance of a critical server. Analysis showed heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?

A. Run "ps -ef" to understand which processes are taking a high amount of resources

B. Run "ps -u" to find out who executed additional processes that caused a high load on a server

C. Run "ps -m" to capture the existing state of daemons and map the required processes to find the gap

D. Run "ps -d" to decrease the priority state of high-load processes to avoid resource exhaustion

A.   Run "ps -ef" to understand which processes are taking a high amount of resources

Explanation: When a server is under heavy CPU and memory load, the first investigative step is to identify which processes are consuming the resources, not to change anything yet. "ps -ef" lists every process on the system with its owner (UID), PID, parent PID, start time, accumulated CPU time and full command line, so the engineer can see what is running and what launched it. Note that "ps -ef" does not sort by usage and does not show memory, so in practice it is followed by something like "ps -eo pid,ppid,user,%cpu,%mem,etime,args --sort=-%cpu" or "top" to rank the consumers before deciding whether to terminate a process, renice it, or treat it as a compromise. The other options describe switches that do not do what they claim: "-u" selects processes by user, "-m" shows threads after processes, and "-d" selects all processes except session leaders; none of them changes priority (that is what "renice" does).
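The ranking step described above, as an added example that is not part of the original page: the script parses the output of "ps -eo pid,ppid,user,%cpu,%mem,etime,args" (the usual follow-up to "ps -ef" once the goal is to rank consumers) and reports the top processes together with their parent's command line, so the engineer sees not only which process is hot but what spawned it. The sample output embedded in the script is constructed, and the function and variable names are this example's own.

```python
"""Rank processes by CPU and memory from `ps` output.

Added example, not from the original page. Parses the output of
    ps -eo pid,ppid,user,%cpu,%mem,etime,args
and reports the top consumers together with their parent process, so an
analyst sees not only *which* process is hot but *what spawned it*.
"""
import subprocess

PS_ARGS = ["ps", "-eo", "pid,ppid,user,%cpu,%mem,etime,args"]

# Constructed sample output in the column layout above (not a real capture).
SAMPLE_PS = """\
  PID  PPID USER     %CPU %MEM     ELAPSED COMMAND
    1     0 root      0.0  0.1  12-03:14:22 /sbin/init
  842     1 root      0.1  0.3  12-03:14:10 /usr/sbin/sshd -D
 2210     1 mysql    96.4 41.7     01:12:35 /usr/sbin/mysqld
 3105   842 alice     0.0  0.0        05:10 sshd: alice@pts/0
 3117  3105 alice    87.9  2.5        00:48 perl -e while(1){}
 3120  3105 alice     0.0  0.0        00:02 ps -eo pid,ppid,user,%cpu,%mem,etime,args
"""


def parse_ps(text):
    """Turn `ps -eo ...` output into a list of dicts, one per process."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    procs = []
    for line in lines[1:]:
        # The command column may contain spaces: split at most len(header)-1 times.
        parts = line.split(None, len(header) - 1)
        if len(parts) != len(header):
            continue
        row = dict(zip(header, parts))
        row["PID"] = int(row["PID"])
        row["PPID"] = int(row["PPID"])
        row["%CPU"] = float(row["%CPU"])
        row["%MEM"] = float(row["%MEM"])
        procs.append(row)
    return procs


def top_consumers(procs, n=3, key="%CPU"):
    """Return the n processes with the highest CPU (or memory) share,
    each annotated with its parent's command so the origin is visible."""
    by_pid = {p["PID"]: p for p in procs}
    ranked = sorted(procs, key=lambda p: p[key], reverse=True)[:n]
    out = []
    for p in ranked:
        parent = by_pid.get(p["PPID"])
        out.append({
            "pid": p["PID"],
            "user": p["USER"],
            "cpu": p["%CPU"],
            "mem": p["%MEM"],
            "cmd": p["COMMAND"],
            "parent": parent["COMMAND"] if parent else None,
        })
    return out


def live_ps():
    """Run the real ps (Linux/procps); only called from main, never at import."""
    return subprocess.run(PS_ARGS, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    try:
        text = live_ps()
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_PS  # fall back to the constructed sample
    for entry in top_consumers(parse_ps(text)):
        print(f"{entry['pid']:>6} {entry['user']:<8} cpu={entry['cpu']:5.1f} "
              f"mem={entry['mem']:5.1f} {entry['cmd']}  (parent: {entry['parent']})")
```

On the sample, mysqld tops CPU and memory, but the second entry is a runaway perl loop whose parent is an interactive ssh session for "alice", which is the kind of detail that turns a performance ticket into a security question.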

During which phase of the forensic process are tools and techniques used to extract information from the collected data?

A. investigation

B. examination

C. reporting

D. collection

B.   examination

Explanation: During the examination phase of the forensic process, investigators use forensic tools and techniques to extract the relevant information from the data that was collected (disk images, memory dumps, logs), for example by carving files, recovering deleted entries, or filtering out known-good material. This matches the four-phase model in NIST SP 800-86 (collection, examination, analysis, reporting), which is where the question's options come from: collection acquires and preserves the data, examination extracts information from it, analysis interprets that information to answer the investigative questions, and reporting documents the results. "Investigation" is not a phase in that model.

What is the difference between the ACK flag and the RST flag?

A. The RST flag approves the connection, and the ACK flag terminates spontaneous connections.

B. The ACK flag confirms the received segment, and the RST flag terminates the connection.

C. The RST flag approves the connection, and the ACK flag indicates that a packet needs to be resent

D. The ACK flag marks the connection as reliable, and the RST flag indicates the failure within TCP Handshake

B.   The ACK flag confirms the received segment, and the RST flag terminates the connection.

Explanation: In TCP, the ACK flag means the acknowledgement number field is valid: the sender is confirming the sequence numbers it has received so far and the connection is proceeding as expected, which is why every segment after the initial SYN carries ACK. The RST flag aborts the connection: it is sent when a segment arrives that is not intended for the current connection (for example a SYN to a port with no listener, which is answered with RST|ACK) or when a connection request is to be refused, and the receiving side discards its state immediately without a FIN handshake. In short, ACK maintains an established connection while RST tears one down that is invalid or no longer wanted.
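The flag semantics above, as an added example that is not part of the original page: the script builds a few constructed 20-byte TCP headers with the standard library, decodes the flag byte, and classifies each segment. The exchange it encodes (a SYN to an open port answered with SYN|ACK, then a SYN to a closed port answered with RST|ACK) is constructed, and the helper names are this example's own.

```python
"""Decode TCP flags from a raw header (added example, not from the page).

Builds constructed TCP headers, extracts the flag bits and shows the
roles of ACK and RST: ACK validates the acknowledgement number for
received data, RST aborts the connection (a SYN to a closed port is
answered with RST|ACK). Standard library only.
"""
import struct

# Flag bit positions in the flags byte of the TCP header (RFC 793 / RFC 3168).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def build_tcp_header(sport, dport, seq, ack, flags):
    """Construct a minimal 20-byte TCP header (no options, zero checksum)."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flag_bits, 65535, 0, 0)


def parse_tcp_header(raw):
    """Return (sport, dport, seq, ack, set_flags) from the first 20 bytes."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, _off_res, flag_bits, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", raw[:20])
    set_flags = [n for n, bit in TCP_FLAGS.items() if flag_bits & bit]
    return sport, dport, seq, ack, set_flags


def describe(set_flags):
    """Classify a segment by its flag combination."""
    f = set(set_flags)
    if "RST" in f:
        # RST wins over everything else: the connection is being aborted
        return "reset (connection aborted/refused)"
    if f == {"SYN"}:
        return "connection request"
    if f == {"SYN", "ACK"}:
        return "connection accepted"
    if "FIN" in f:
        return "orderly close"
    if "ACK" in f:
        return "acknowledgement of received data"
    return "unknown"


# Constructed exchange: client SYN to an open port, server SYN|ACK, client ACK,
# then a client SYN to a closed port answered by RST|ACK.
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 443, 1000, 0, ["SYN"]),
    build_tcp_header(443, 40000, 5000, 1001, ["SYN", "ACK"]),
    build_tcp_header(40000, 443, 1001, 5001, ["ACK"]),
    build_tcp_header(40000, 8080, 2000, 0, ["SYN"]),
    build_tcp_header(8080, 40000, 0, 2001, ["RST", "ACK"]),
]


def classify_all(segments):
    """Classification string for every segment, in order."""
    return [describe(parse_tcp_header(s)[4]) for s in segments]


if __name__ == "__main__":
    for seg in SAMPLE_SEGMENTS:
        sport, dport, seq, ack, flags = parse_tcp_header(seg)
        print(f"{sport}->{dport} seq={seq} ack={ack} {'|'.join(flags):<8} {describe(flags)}")
```

Pointing this parser at real packets means stripping the Ethernet and IP headers first (the TCP header starts at the IP header length offset); the flag decoding itself is unchanged.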

What is the impact of encryption?

A. Confidentiality of the data is kept secure and permissions are validated

B. Data is accessible and available to permitted individuals

C. Data is unaltered and its integrity is preserved

D. Data is secure and unreadable without decrypting it

D.   Data is secure and unreadable without decrypting it

Explanation: Encryption makes data unreadable to anyone who does not hold the decryption key, so it protects confidentiality, especially while sensitive information crosses untrusted networks or sits on media that may be lost. On its own it does not validate permissions (A), make data available (B), or guarantee integrity (C): an attacker can still delete or flip bits of ciphertext, which is why integrity needs a separate mechanism such as a MAC or an authenticated encryption mode.

Which option describes indicators of attack?

A. spam emails on an employee workstation

B. virus detection by the AV software

C. blocked phishing attempt on a company

D. malware reinfection within a few minutes of removal

D.   malware reinfection within a few minutes of removal

Explanation: Indicators of attack (IoAs) are signs that an adversary is actively working toward an objective right now, as opposed to indicators of compromise (IoCs), which are artifacts left behind by a past intrusion or events a control has already handled. Malware reinfection within a few minutes of removal (D) is a strong IoA because it implies a persistence mechanism or an attacker-controlled foothold that keeps redeploying the malware, i.e. an active compromise that removal alone did not end. Spam on a workstation, a virus caught by AV, and a blocked phishing attempt are all events that the existing controls have already stopped.

A security analyst notices a sudden surge of incoming traffic and detects unknown packets from unknown senders. After further investigation, the analyst learns that customers claim they cannot access company servers. According to NIST SP 800-61, in which phase of the incident response process is the analyst?

A. post-incident activity

B. detection and analysis

C. preparation

D. containment, eradication, and recovery

B.   detection and analysis

Explanation: The analyst is in the detection and analysis phase of the incident response process according to NIST SP800-61. In this phase, events are detected and analyzed to determine whether they constitute incidents that require a response. It involves monitoring security events or data collection, correlation, and analysis of log entries and network flow data, among others. The goal is to identify incidents quickly so that appropriate actions can be taken.

Refer to the exhibit.

During the analysis of a suspicious scanning activity incident, an analyst discovered multiple local TCP connection events. Which technology provided these logs?

A. antivirus

B. proxy

C. IDS/IPS

D. firewall

D.   firewall

Explanation: Logs that record individual TCP connection events (source and destination address and port, protocol, and whether the connection was built or denied) come from a firewall, which evaluates every connection attempt against its rule set and logs the verdict. That per-connection record is exactly what exposes a scan: one source touching many destination ports in a short time, most of them denied. Antivirus logs file and process detections, a proxy only sees the HTTP/S requests routed through it, and an IDS/IPS logs signature or anomaly matches rather than every connection.

How does statistical detection differ from rule-based detection?

A. Statistical detection involves the evaluation of events, and rule-based detection requires an evaluated set of events to function.

B. Statistical detection defines legitimate data over time, and rule-based detection works on a predefined set of rules

C. Rule-based detection involves the evaluation of events, and statistical detection requires an evaluated set of events to function.

D. Rule-based detection defines legitimate data over a period of time, and statistical detection works on a predefined set of rules.

B.   Statistical detection defines legitimate data over time, and rule-based detection works on a predefined set of rules

Explanation: Statistical detection relies on analyzing data over time to identify patterns and anomalies, without predefined rules. It uses algorithms and statistical models to determine normal behavior and identify deviations. Rule-based detection uses predefined rules or patterns to identify known threats or vulnerabilities, often based on signatures or behaviors associated with specific attacks.

Which are two denial-of-service attacks? (Choose two.)

A. TCP connections

B. ping of death

C. man-in-the-middle

D. code-red

E. UDP flooding

B.   ping of death
E.   UDP flooding

Explanation:

  • The ping of death is an attack that sends oversized or malformed ICMP echo requests, fragmented so that the reassembled datagram exceeds the IPv4 maximum of 65,535 bytes; hosts whose reassembly code did not bounds-check would overflow and crash, freeze, or reboot.
  • UDP flooding sends a large number of UDP packets to random ports on a remote host. For each packet the host checks for a listening application and, finding none, replies with an ICMP Destination Unreachable message; the volume saturates the link and exhausts the host's resources, leading to denial of service.
  • The distractors are not denial-of-service attacks: TCP connections are ordinary traffic, a man-in-the-middle attack targets confidentiality and integrity, and Code Red was a worm that exploited a buffer overflow in Microsoft IIS.
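The contrast between rule-based and statistical detection from the previous question, applied to the two attacks above, as an added example that is not part of the original page. A rule catches the ping of death because its signature is fixed (an ICMP datagram reassembling beyond 65,535 bytes); a statistical baseline catches a UDP flood because no single UDP packet is wrong, only the rate is. The per-second flow summaries, the z-score threshold and the class and function names are this example's own constructions.

```python
"""Rule-based vs statistical detection over flow summaries (added example,
not from the page). A rule catches the ping of death (fixed signature: an
ICMP datagram reassembling beyond the IPv4 maximum of 65535 bytes); a
statistical baseline catches a UDP flood (nothing about one UDP packet is
wrong, only the rate is). Records are constructed per-second summaries,
not a real capture.
"""
from statistics import mean, pstdev

IPV4_MAX_LEN = 65535

# (second, proto, dst, packets_in_second, max_reassembled_len)
BASELINE = [(s, "udp", "10.0.1.53", 40 + (s % 5), 512) for s in range(60)]
TRAFFIC = [
    (60, "udp", "10.0.1.53", 43, 512),
    (61, "icmp", "10.0.1.20", 1, 65548),      # oversized reassembled ping
    (62, "udp", "10.0.1.53", 41, 512),
    (63, "udp", "10.0.1.53", 9500, 1400),     # flood begins
    (64, "udp", "10.0.1.53", 12000, 1400),
]


def rule_ping_of_death(rec):
    """Rule-based: fire when an ICMP datagram exceeds the IPv4 length limit."""
    _, proto, _, _, max_len = rec
    return proto == "icmp" and max_len > IPV4_MAX_LEN


class UdpRateBaseline:
    """Statistical: learn normal UDP packets/s per destination over a training
    period, then flag seconds more than z_limit standard deviations above it."""

    def __init__(self, z_limit=3.0):
        self.z_limit = z_limit
        self.mu = {}
        self.sigma = {}

    def train(self, records):
        per_dst = {}
        for _, proto, dst, pps, _ in records:
            if proto == "udp":
                per_dst.setdefault(dst, []).append(pps)
        for dst, rates in per_dst.items():
            self.mu[dst] = mean(rates)
            self.sigma[dst] = max(pstdev(rates), 1.0)  # avoid division by zero

    def score(self, rec):
        _, proto, dst, pps, _ = rec
        if proto != "udp" or dst not in self.mu:
            return 0.0  # no baseline for this destination: cannot judge it
        return (pps - self.mu[dst]) / self.sigma[dst]

    def is_anomalous(self, rec):
        return self.score(rec) > self.z_limit


def detect(records, baseline):
    """Return [(second, detector, detail)] for every alert raised."""
    alerts = []
    for rec in records:
        if rule_ping_of_death(rec):
            alerts.append((rec[0], "rule", f"ping of death: {rec[4]} bytes"))
        if baseline.is_anomalous(rec):
            alerts.append((rec[0], "statistical", f"udp flood: z={baseline.score(rec):.1f}"))
    return alerts


def run():
    """Train on the quiet baseline, then evaluate the constructed traffic."""
    b = UdpRateBaseline()
    b.train(BASELINE)
    return detect(TRAFFIC, b)


if __name__ == "__main__":
    for sec, kind, detail in run():
        print(f"t={sec}s [{kind}] {detail}")
```

Note what each detector cannot do: the rule would never flag the flood, because no threshold on a single packet describes it, and the baseline would never flag the oversized ping, because one packet per second is normal volume.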

What is a Heartbleed vulnerability?

A. information disclosure

B. buffer overflow

C. denial of service

D. command injection

A.   information disclosure

Explanation: Heartbleed (CVE-2014-0160) is a missing bounds check in the OpenSSL implementation of the TLS heartbeat extension: a peer can claim a payload length larger than the payload it actually sent, and the affected server echoes back that many bytes from its own memory, up to 64 KB per request, potentially including session cookies and private key material. Nothing is written out of bounds and the service keeps running, so it is classed as information disclosure (an out-of-bounds read) rather than a buffer overflow, denial of service, or command injection.
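The over-read simulated in Python, as an added example that is not part of the original page and not OpenSSL's code: a heartbeat record is laid out in a constructed "process memory" bytearray in front of some secret bytes, a vulnerable handler copies the claimed payload length without checking it, and a hardened handler applies the check RFC 6520 requires. The record layout is the real one (type, 16-bit length, payload, at least 16 bytes of padding); the memory layout, the secret contents and the handler names are assumptions of this example.

```python
"""Heartbleed-style over-read, simulated (added example, not from the page,
not OpenSSL's code). A TLS heartbeat request (RFC 6520) carries a 16-bit
payload_length and the peer echoes that many bytes back. The vulnerable
handler trusts payload_length; the hardened one checks it against the bytes
actually received. Memory is a constructed bytearray holding the request
followed by "neighbouring" data that should never leave the process.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # minimum padding required by RFC 6520


def build_heartbeat(payload, claimed_len=None):
    """type(1) | payload_length(2) | payload | padding(16); claimed_len lets
    the caller lie about the payload size, as the attack does."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def vulnerable_handler(memory, rec_offset, rec_len):
    """Copies payload_length bytes from the payload start with no check that
    they lie inside the record: the original bug (rec_len is ignored)."""
    hb_type, payload_len = struct.unpack_from("!BH", memory, rec_offset)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    start = rec_offset + 3
    payload = bytes(memory[start:start + payload_len])   # may run past the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN


def hardened_handler(memory, rec_offset, rec_len):
    """Rejects requests whose claimed length does not fit in the record."""
    if rec_len < 1 + 2 + PADDING_LEN:
        return None                                       # silently discard
    hb_type, payload_len = struct.unpack_from("!BH", memory, rec_offset)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING_LEN > rec_len:
        return None                                       # the missing bounds check
    start = rec_offset + 3
    payload = bytes(memory[start:start + payload_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN


# Constructed "process memory": the request sits directly in front of secret data.
SECRET = b"session_cookie=abc123; PRIVATE_KEY_FRAGMENT"


def simulate(claimed_len):
    """Send a 2-byte payload with the given claimed length to both handlers."""
    request = build_heartbeat(b"hi", claimed_len)
    memory = bytearray(request + SECRET + b"\x00" * 64)
    vuln = vulnerable_handler(memory, 0, len(request))
    hard = hardened_handler(memory, 0, len(request))
    return vuln, hard


if __name__ == "__main__":
    for claimed in (2, 60):
        vuln, hard = simulate(claimed)
        print(f"claimed={claimed}: vulnerable leaks secret? {SECRET[:10] in vuln}; "
              f"hardened replied? {hard is not None}")
```

With an honest length both handlers answer identically; with a claimed length of 60 the vulnerable handler returns the two real payload bytes, the padding, and then whatever followed the record in memory, while the hardened handler drops the request, which is the behaviour of the fixed OpenSSL releases.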
