Valid 350-201 Test Answers & Cisco 350-201 Exam PDF [Q77-Q94]

Q77. An audit is assessing a small business that is selling automotive parts and diagnostic services. Due to increased customer demands, the company recently started to accept credit card payments and acquired a POS terminal.
Which compliance regulations must the audit apply to the company?

HIPAA

FISMA

COBIT

PCI DSS

Q78.

Refer to the exhibit. At which stage of the threat kill chain is an attacker, based on these URIs of inbound web requests from known malicious Internet scanners?

exploitation

actions on objectives

delivery

reconnaissance

Q79. What is needed to assess risk mitigation effectiveness in an organization?

analysis of key performance indicators

compliance with security standards

cost-effectiveness of control measures

updated list of vulnerable systems

Q80. An engineer is analyzing a possible compromise that happened a week ago when the company database servers unexpectedly went down. The analysis reveals that attackers tampered with Microsoft SQL Server Resolution Protocol and launched a DDoS attack. The engineer must act quickly to ensure that all systems are protected. Which two tools should be used to detect and mitigate this type of future attack? (Choose two.)

firewall

Wireshark

autopsy

SHA512

IPS

Q81. Refer to the exhibit.

An engineer is investigating a case with suspicious usernames within the active directory. After the engineer investigates and cross-correlates events from other sources, it appears that the 2 users are privileged, and their creation date matches suspicious network traffic that was initiated from the internal network 2 days prior.
Which type of compromise is occurring?

compromised insider

compromised root access

compromised database tables

compromised network

Q82. A security analyst receives an escalation regarding an unidentified connection on the Accounting A1 server within a monitored zone. The analyst pulls the logs and discovers that a Powershell process and a WMI tool process were started on the server after the connection was established and that a PE format file was created in the system directory. What is the next step the analyst should take?

Isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack

Identify the server owner through the CMDB and contact the owner to determine if these were planned and identifiable activities

Review the server backup and identify server content and data criticality to assess the intrusion risk

Perform behavioral analysis of the processes on an isolated workstation and perform cleaning procedures if the file is malicious

Q83. Refer to the exhibit.

An engineer is analyzing this Vlan0386-int12-117.pcap file in Wireshark after detecting a suspicious network activity. The origin header for the direct IP connections in the packets was initiated by a google chrome extension on a WebSocket protocol. The engineer checked message payloads to determine what information was being sent off-site but the payloads are obfuscated and unreadable. What does this STIX indicate?

The extension is not performing as intended because of restrictions since ports 80 and 443 should be accessible

The traffic is legitimate as the google chrome extension is reaching out to check for updates and fetches this information

There is a possible data leak because payloads should be encoded as UTF-8 text

There is a malware that is communicating via encrypted channels to the command and control server

Q84. Refer to the exhibit.

Which indicator of compromise is represented by this STIX?

website redirecting traffic to ransomware server

website hosting malware to download files

web server vulnerability exploited by malware

cross-site scripting vulnerability to backdoor server

Q85. Drag and drop the mitigation steps from the left onto the vulnerabilities they mitigate on the right.

Q86. An employee abused PowerShell commands and script interpreters, which lead to an indicator of compromise (IOC) trigger. The IOC event shows that a known malicious file has been executed, and there is an increased likelihood of a breach. Which indicator generated this IOC event?

ExecutedMalware.ioc

Crossrider.ioc

ConnectToSuspiciousDomain.ioc

W32 AccesschkUtility.ioc

Q87. A SOC analyst detected a ransomware outbreak in the organization coming from a malicious email attachment. Affected parties are notified, and the incident response team is assigned to the case. According to the NIST incident response handbook, what is the next step in handling the incident?

Create a follow-up report based on the incident documentation.

Perform a vulnerability assessment to find existing vulnerabilities.

Eradicate malicious software from the infected machines.

Collect evidence and maintain a chain-of-custody during further analysis.

Q88. Refer to the exhibit.

An engineer is performing static analysis of a file received and reported by a user. Which risk is indicated in this STIX?

The file is redirecting users to a website that requests privilege escalations from the user.

The file is redirecting users to the website that is downloading ransomware to encrypt files.

The file is redirecting users to a website that harvests cookies and stored account information.

The file is redirecting users to a website that is determining users’ geographic location.

Q89. Drag and drop the type of attacks from the left onto the cyber kill chain stages at which the attacks are seen on the right.

Q90. An organization suffered a security breach in which the attacker exploited a Netlogon Remote Protocol vulnerability for further privilege escalation. Which two actions should the incident response team take to prevent this type of attack from reoccurring? (Choose two.)

Implement a patch management process.

Scan the company server files for known viruses.

Apply existing patches to the company servers.

Automate antivirus scans of the company servers.

Define roles and responsibilities in the incident response playbook.

Q91. A security architect is working in a processing center and must implement a DLP solution to detect and prevent any type of copy and paste attempts of sensitive data within unapproved applications and removable devices. Which technical architecture must be used?

DLP for data in motion

DLP for removable data

DLP for data in use

DLP for data at rest

Q92. A threat actor used a phishing email to deliver a file with an embedded macro. The file was opened, and a remote code execution attack occurred in a company’s infrastructure. Which steps should an engineer take at the recovery stage?

Determine the systems involved and deploy available patches

Analyze event logs and restrict network access

Review access lists and require users to increase password complexity

Identify the attack vector and update the IDS signature list

Q93. A Mac laptop user notices that several files have disappeared from their laptop documents folder. While looking for the files, the user notices that the browser history was recently cleared. The user raises a case, and an analyst reviews the network usage and discovers that it is abnormally high. Which step should be taken to continue the investigation?

Run the sudo sysdiagnose command

Run the sh command

Run the w command

Run the who command

Q94. Refer to the exhibit.

Which code snippet will parse the response to identify the status of the domain as malicious, clean or undefined?