Cisco Updated 200-201 Exam Questions and Answers by yusha

• Rule-based detection methods rely on predefined rules and patterns that are known beforehand. These rules are created based on prior knowledge of what constitutes normal and abnormal behavior.
• Statistical detection, on the other hand, involves analyzing data to identify anomalies. It is based on assumptions about what normal behavior looks like and uses statistical methods to detect deviations from this norm.
• Rule-based systems are typically straightforward but may miss novel attacks that do not match existing rules.
• Statistical methods can detect previously unknown threats by recognizing patterns that deviate from established baselines but may produce more false positives.

References

• Intrusion Detection Systems (IDS) Concepts
• Comparative Studies on Rule-based and Statistical Anomaly Detection
• Understanding Anomaly Detection in Network Security

 Deep packet inspection (DPI) and stateful inspection are two techniques that are used by firewalls and other network security devices to inspect and filter network traffic. Stateful inspection allows visibility on Layer 4 (transport layer) of the OSI model, which means it can track the state of TCP or UDP connections and filter packets based on source and destination IP addresses, ports, and protocols. Deep packet inspection allows visibility on Layer 7 (application layer) of the OSI model, which means it can inspect the contents and payloads of packets and filter packets based on application-specific criteria, such as signatures, keywords, URLs, or behaviors. References:

• Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 2: Security Monitoring, Lesson 2.2: Network Security Monitoring Tools
• Cisco Certified CyberOps Associate Overview, Exam Topics, 2.2 Describe the impact of network security monitoring tools on data privacy

Untampered images are crucial for security investigations as they provide original evidence that has not been altered or corrupted; their integrity and authenticity can be verified by comparing the stored hash and the computed hash of the image. If they match, the image is untampered and can be used for analysis. Tampered images, on the other hand, are useless for security investigations as they may contain false or misleading information; their integrity and authenticity are compromised by the modification of the image data. Tampered images may be used for incident recovery purposes, such as restoring a system to a previous state, but not for forensic purposes. References := Cisco Cybersecurity Operations Fundamentals - Module 6: Security Incident Investigations

NIST Special Publication 800-61 r2 outlines the incident response process including detection and analysis, which involves identifying and validating the occurrence of incidents, and post-incident activity that focuses on lessons learned and improvements to be made after an incident has occurred. References := NIST Special Publication 800-61 r2