350-201

By cisco
Aug, 2025


Question 1

Refer to the exhibit. A threat actor behind a single computer exploited a cloud-based application by sending multiple concurrent API requests. These requests made the application unresponsive. Which solution protects the application from being overloaded and ensures more equitable application access across the end-user community?

Image 1
  • A: Limit the number of API calls that a single client is allowed to make
  • B: Add restrictions on the edge router on how often a single client can access the API
  • C: Reduce the amount of data that can be fetched from the total pool of active clients that call the API
  • D: Increase the application cache of the total pool of active clients that call the API

Question 2

Image 1

Refer to the exhibit. Which two steps mitigate attacks on the webserver from the Internet? (Choose two.)

  • A: Create an ACL on the firewall to allow only TLS 1.3
  • B: Implement a reverse server in the DMZ network
  • C: Create an ACL on the firewall to allow only external connections
  • D: Move the webserver to the internal network
  • E: Move the webserver to the external network

Question 3

Image 1

Refer to the exhibit. An engineer is investigating a case with suspicious usernames within the active directory. After the engineer investigates and cross-correlates events from other sources, it appears that the 2 users are privileged, and their creation date matches suspicious network traffic that was initiated from the internal network 2 days prior. Which type of compromise is occurring?

  • A: compromised insider
  • B: compromised root access
  • C: compromised database tables
  • D: compromised network

Question 4

Refer to the exhibit. For IP 192.168.1.209, what are the risk level, activity, and next step?

Image 1
  • A: high risk level, anomalous periodic communication, quarantine with antivirus
  • B: critical risk level, malicious server IP, run in a sandboxed environment
  • C: critical risk level, data exfiltration, isolate the device
  • D: high risk level, malicious host, investigate further

Question 5

Refer to the exhibit. What is the connection status of the ICMP event?

Image 1
  • A: blocked by a configured access policy rule
  • B: allowed by a configured access policy rule
  • C: blocked by an intrusion policy rule
  • D: allowed in the default action

Question 6

Image 1

Refer to the exhibit. An engineer received multiple reports from employees unable to log into systems with the error: "The Group Policy Client service failed to logon - Access is denied." Through further analysis, the engineer discovered several unexpected modifications to system settings. Which type of breach is occurring?

  • A: malware break
  • B: data theft
  • C: elevation of privileges
  • D: denial-of-service

Question 7

What is needed to assess risk mitigation effectiveness in an organization?

  • A: analysis of key performance indicators
  • B: compliance with security standards
  • C: cost-effectiveness of control measures
  • D: updated list of vulnerable systems

Question 8

Image 1

Refer to the exhibit. Where is the MIME type that should be followed indicated?

  • A: x-test-debug
  • B: strict-transport-security
  • C: x-xss-protection
  • D: x-content-type-options

Question 9

Image 1

Refer to the exhibit. Based on the detected vulnerabilities, what is the next recommended mitigation step?

  • A: Evaluate service disruption and associated risk before prioritizing patches.
  • B: Perform root cause analysis for all detected vulnerabilities.
  • C: Remediate all vulnerabilities with descending CVSS score order.
  • D: Temporarily shut down unnecessary services until patch deployment ends.

Question 10

An engineer received an incident ticket of a malware outbreak and used antivirus and malware removal tools to eradicate the threat. The engineer notices that abnormal processes are still occurring in the system and determines that manual intervention is needed to clean the infected host and restore functionality. What is the next step the engineer should take to complete this playbook step?

  • A: Scan the network to identify unknown assets and the asset owners.
  • B: Analyze the components of the infected hosts and associated business services.
  • C: Scan the host with updated signatures and remove temporary containment.
  • D: Analyze the impact of the malware and contain the artifacts.

Question 11

The SIEM tool informs a SOC team of a suspicious file. The team initializes the analysis with an automated sandbox tool, sets up a controlled laboratory to examine the malware specimen, and proceeds with behavioral analysis. What is the next step in the malware analysis process?

  • A: Perform static and dynamic code analysis of the specimen.
  • B: Unpack the specimen and perform memory forensics.
  • C: Contain the subnet in which the suspicious file was found.
  • D: Document findings and clean up the laboratory.

Question 12

DRAG DROP -
Drag and drop the phases to evaluate the security posture of an asset from the left onto the activity that happens during the phases on the right.
Select and Place:

Image 1

Question 13

A logistic company must use an outdated application located in a private VLAN during the migration to new technologies. The IPS blocked and reported an unencrypted communication. Which tuning option should be applied to IPS?

  • A: Allow list only authorized hosts to contact the application's IP at a specific port.
  • B: Allow list HTTP traffic through the corporate VLANs.
  • C: Allow list traffic to application's IP from the internal network at a specific port.
  • D: Allow list only authorized hosts to contact the application's VLAN.

Question 14

A company recently started accepting credit card payments in their local warehouses and is undergoing a PCI audit. Based on business requirements, the company needs to store sensitive authentication data for 45 days. How must data be stored for compliance?

  • A: post-authorization by non-issuing entities if there is a documented business justification
  • B: by entities that issue the payment cards or that perform support issuing services
  • C: post-authorization by non-issuing entities if the data is encrypted and securely stored
  • D: by issuers and issuer processors if there is a legitimate reason

Question 15

A security engineer discovers that a spreadsheet containing confidential information for nine of their employees was fraudulently posted on a competitor's website. The spreadsheet contains names, salaries, and social security numbers. What is the next step the engineer should take in this investigation?

  • A: Determine if there is internal knowledge of this incident.
  • B: Check incoming and outgoing communications to identify spoofed emails.
  • C: Disconnect the network from Internet access to stop the phishing threats and regain control.
  • D: Engage the legal department to explore action against the competitor that posted the spreadsheet.

Question 16

An engineer notices that every Sunday night, there is a two-hour period with a large load of network activity. Upon further investigation, the engineer finds that the activity is from locations around the globe outside the organization's service area. What are the next steps the engineer must take?

  • A: Assign the issue to the incident handling provider because no suspicious activity has been observed during business hours.
  • B: Review the SIEM and FirePower logs, block all traffic, and document the results of calling the call center.
  • C: Define the access points using StealthWatch or SIEM logs, understand services being offered during the hours in question, and cross-correlate other source events.
  • D: Treat it as a false positive, and accept the SIEM issue as valid to avoid alerts from triggering on weekends.

Question 17

An organization had an incident with the network availability during which devices unexpectedly malfunctioned. An engineer is investigating the incident and found that the memory pool buffer usage reached a peak before the malfunction. Which action should the engineer take to prevent this issue from reoccurring?

  • A: Disable memory limit.
  • B: Disable CPU threshold trap toward the SNMP server.
  • C: Enable memory tracing notifications.
  • D: Enable memory threshold notifications.

Question 18

A SOC analyst detected a ransomware outbreak in the organization coming from a malicious email attachment. Affected parties are notified, and the incident response team is assigned to the case. According to the NIST incident response handbook, what is the next step in handling the incident?

  • A: Create a follow-up report based on the incident documentation.
  • B: Perform a vulnerability assessment to find existing vulnerabilities.
  • C: Eradicate malicious software from the infected machines.
  • D: Collect evidence and maintain a chain-of-custody during further analysis.

Question 19

A security manager received an email from an anomaly detection service stating that one of their contractors has downloaded 50 documents from the company's confidential document management folder using a company-owned asset al039-ice-4ce687TL0500. A security manager reviewed the content of downloaded documents and noticed that the data affected is from different departments. What are the actions a security manager should take?

  • A: Measure confidentiality level of downloaded documents.
  • B: Report to the incident response team.
  • C: Escalate to contractor's manager.
  • D: Communicate with the contractor to identify the motives.

Question 20

An engineer detects an intrusion event inside an organization's network and becomes aware that files that contain personal data have been accessed. Which action must be taken to contain this attack?

  • A: Disconnect the affected server from the network.
  • B: Analyze the source.
  • C: Access the affected server to confirm compromised files are encrypted.
  • D: Determine the attack surface.

Question 21

The network operations center has identified malware, created a ticket within their ticketing system, and assigned the case to the SOC with high-level information. A SOC analyst was able to stop the malware from spreading and identified the attacking host. What is the next step in the incident response workflow?

  • A: eradication and recovery
  • B: post-incident activity
  • C: containment
  • D: detection and analysis

Question 22

A SOC engineer discovers that the organization had three DDoS attacks overnight. Four servers are reported offline, even though the hardware seems to be working as expected. One of the offline servers is affecting the pay system reporting times. Three employees, including executive management, have reported ransomware on their laptops. Which steps help the engineer understand a comprehensive overview of the incident?

  • A: Run and evaluate a full packet capture on the workloads, review SIEM logs, and define a root cause.
  • B: Run and evaluate a full packet capture on the workloads, review SIEM logs, and plan mitigation steps.
  • C: Check SOAR to learn what the security systems are reporting about the overnight events, research the attacks, and plan mitigation steps.
  • D: Check SOAR to know what the security systems are reporting about the overnight events, review the threat vectors, and define a root cause.

Question 23

According to GDPR, what should be done with data to ensure its confidentiality, integrity, and availability?

  • A: Perform a vulnerability assessment
  • B: Conduct a data protection impact assessment
  • C: Conduct penetration testing
  • D: Perform awareness testing

Question 24

Which action should be taken when the HTTP response code 301 is received from a web application?

  • A: Update the cached header metadata.
  • B: Confirm the resource's location.
  • C: Increase the allowed user limit.
  • D: Modify the session timeout setting.

Question 25

Employees receive an email from an executive within the organization that summarizes a recent security breach and requests that employees verify their credentials through a provided link. Several employees report the email as suspicious, and a security analyst is investigating the reports. Which two steps should the analyst take to begin this investigation? (Choose two.)

  • A: Evaluate the intrusion detection system alerts to determine the threat source and attack surface.
  • B: Communicate with employees to determine who opened the link and isolate the affected assets.
  • C: Examine the firewall and HIPS configuration to identify the exploited vulnerabilities and apply recommended mitigation.
  • D: Review the mail server and proxy logs to identify the impact of a potential breach.
  • E: Check the email header to identify the sender and analyze the link in an isolated environment.