350-701 Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) Questions and Answers

Cisco Umbrella is a cloud-delivered security service that protects users from malicious domains and IPs, regardless of their location or network. When users are off the corporate network, they can use the Cisco Umbrella roaming client, which is embedded in the Cisco AnyConnect client, to enforce Umbrella DNS servers for all DNS queries. This way, Umbrella can block requests to malicious or unwanted domains before a connection is ever made, and provide visibility and protection for users anywhere they go. The Umbrella roaming client does not require any additional agents or end user action, and it can work with or without a VPN connection. References := Cisco Umbrella Roaming, Umbrella Roaming Client – How it Works on Your Company Network

The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305.

Cisco strongly recommends that you keep the default settings for the remote management port, but if the

management port conflicts with other communications on your network, you can choose a different port. If you change the management port, you must change it for all devices in your deployment that need to communicate with each other.

VMware APIC is a platform that integrates with Cisco ACI to provide enhanced visibility, policy integration and deployment, and security policies with access lists. VMware APIC is a virtual appliance that runs on VMware vSphere and communicates with the Cisco APIC controller. VMware APIC allows administrators to create and manage Cisco ACI policies for VMware virtual machines and networks. VMware APIC also provides a unified view of the physical and virtual network topology, health, and statistics. VMware APIC supports the following modes of Cisco ACI and VMware integration:

VMware VDS: When integrated with Cisco ACI, the VMware vSphere Distributed Switch (VDS) enables administrators to configure VM networking in the ACI fabric.

Cisco ACI Virtual Edge: Cisco ACI Virtual Edge is a distributed service that provides Layer 4 to Layer 7 services for applications running on VMware vSphere.

Cisco Application Virtual Switch (AVS): Cisco AVS is a distributed virtual switch that provides policy-based network services for VMware vSphere environments. References:

Cisco ACI with VMware VDS Integration

Cisco ACI and VMware NSX-T Data Center Integration

Cisco ACI and VMware: The Perfect Pair

Setting the Record Straight: Confusion about ACI on VMware Technologies

Explanation

A posture policy is a collection of posture requirements, which are associated with one or more identity groups, and operating systems. We can configure ISE to check for the Windows patch at Work Centers > Posture > Posture Elements > Conditions > File.

In this example, we are going to use the predefined file check to ensure that our Windows 10 clients have the critical security patch installed to prevent the Wanna Cry malware; and we can also configure ISE to update the client with this patch.

For TACACS authentication to work, the key configured on the network device must match the key configured on the TACACS server. If users are unable to authenticate despite the TACACS server being reachable, it is likely due to a mismatch in the keys. Ensuring that both the network device and the TACACS server have the same key configured is crucial for successful authentication.

Explanation

Explanation

Easy Connect simplifies network access control and segmentation by allowing the assignment of Security

Group Tags to endpoints without requiring 802.1X on those endpoints, whether using wired or wireless

connectivity.

Explanation

Explanation

To configure an NTP enabled router to require authentication when other devices connect to it, use the

following commands:

NTP_Server(config)#ntp authentication-key 2 md5 securitytut

NTP_Server(config)#ntp authenticate

NTP_Server(config)#ntp trusted-key 2

Then you must configure the same authentication-key on the client router:

NTP_Client(config)#ntp authentication-key 2 md5 securitytut

NTP_Client(config)#ntp authenticate

NTP_Client(config)#ntp trusted-key 2

NTP_Client(config)#ntp server 10.10.10.1 key 2

Note: To configure a Cisco device as a NTP client, use the command ntp server < IP address > . For example:

Router(config)#ntp server 10.10.10.1. This command will instruct the router to query 10.10.10.1 for the time.

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01101.html Policy Order The order in which policies are listed in a policy table determines the priority with which they are applied to Web requests. Web requests are checked against policies beginning at the top of the table and ending at the first policy matched. Any policies below that point in the table are not processed. If no user-defined policy is matched against a Web request, then the global policy for that policy type is applied. Global policies are always positioned last in Policy tables and cannot be re-ordered.

Explanation

In deceptive phishing, fraudsters impersonate a legitimate company in an attempt to steal people’s personal data or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing what the attackers want.

Spear phishing is carefully designed to get a single recipient to respond. Criminals select an individual target within an organization, using social media and other public information – and craft a fake email tailored for that person.

Explanation

Obviously, if you allow all traffic to these risky domains, users might access malicious content, resulting in an infection or data leak. But if you block traffic, you can expect false positives, an increase in support inquiries, and thus, more headaches. By only proxying risky domains, the intelligent proxy delivers more granular visibility and control.

The intelligent proxy bridges the gap by allowing access to most known good sites without being proxied and only proxying those that pose a potential risk. The proxy then filters and blocks against specific URLs hosting malware while allowing access to everything else.

Explanation

Symmetric encryption uses a single key that needs to be shared among the people who need to receive the message while asymmetric encryption uses a pair of public key and a private key to encrypt and decrypt messages when communicating.

Asymmetric encryption takes relatively more time than the symmetric encryption.

Diffie Hellman algorithm is an asymmetric algorithm used to establish a shared secret for a symmetric key

algorithm. Nowadays most of the people uses hybrid crypto system i.e, combination of symmetric and

asymmetric encryption. Asymmetric Encryption is used as a technique in key exchange mechanism to share secret key and after the key is shared between sender and receiver, the communication will take place using symmetric encryption. The shared secret key will be used to encrypt the communication.

Triple DES (3DES), a symmetric-key algorithm for the encryption of electronic data, is the successor of DES (Data Encryption Standard) and provides more secure encryption then DES.

Note: Although “requires secret keys” option in this question is a bit unclear but it can only be assigned to

Symmetric algorithm.

Explanation

Cisco ISE can determine the type of device or endpoint connecting to the network by performing “profiling.”

Profiling is done by using DHCP, SNMP, Span, NetFlow, HTTP, RADIUS, DNS, or NMAP scans to collect as

much metadata as possible to learn the device fingerprint.

NMAP (“Network Mapper”) is a popular network scanner which provides a lot of features. One of them is the

OUI (Organizationally Unique Identifier) information. OUI is the first 24 bit or 6 hexadecimal value of the MAC

address.

Note: DHCP probe cannot collect OUIs of endpoints. NMAP scan probe can collect these endpoint attributes:

+ EndPointPolicy

+ LastNmapScanCount

+ NmapScanCount

+ OUI

+ Operating-system

Explanation

Explanation

Denial-of-service (DDoS) aims at shutting down a network or service, causing it to be inaccessible to its

intended users.

The Smurf attack is a DDoS attack in which large numbers of Internet Control Message Protocol (ICMP)

packets with the intended victim’s spoofed source IP are broadcast to a computer network using an IP

broadcast address.

 The vulnerability that allows the attacker to see the passwords being transmitted in clear text is the lack of encryption on the VPN links. Encryption is a process of transforming data into an unreadable form, so that only authorized parties can access it. VPN (Virtual Private Network) is a technology that creates a secure tunnel between two or more devices over a public network, such as the Internet. VPN links should be encrypted to prevent eavesdropping, tampering, or spoofing of the data that passes through them. If the VPN links are not encrypted, an attacker can use a packet sniffer to intercept and read the data, including the passwords, that are sent over the network. This is called a sniffing attack, and it can lead to credential theft, identity spoofing, or data manipulation. Therefore, VPN links should always use strong encryption protocols, such as IPsec or SSL/TLS, to protect the confidentiality and integrity of the data. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Cisco: This is the official course page for the SCOR 350-701 exam, which covers the topics of implementing and operating Cisco security core technologies. It provides the course objectives, outline, duration, and prerequisites. It also offers various learning options, such as instructor-led training, e-learning, and practice exams.

SCOR 350-701 Official Cert Guide - Cisco Press: This is the official study guide for the SCOR 350-701 exam, written by Omar Santos, a principal engineer at Cisco’s Security Research and Operations group. It covers all the exam topics in depth, with explanations, examples, exercises, and practice questions. It also includes a companion website with online resources, such as videos, quizzes, flashcards, and more.

Cleartext submission of password - PortSwigger: This is a web security article that explains the vulnerability of transmitting passwords over unencrypted connections, and how to exploit it using Burp Suite, a web application testing tool. It also provides some remediation advice, such as using HTTPS and HSTS to enforce encryption.

What Are Sniffing Attacks, and How Can You Protect Yourself? - EC-Council: This is a blog post that describes what sniffing attacks are, how they work, and what are the common types and tools of sniffing attacks. It also provides some tips on how to prevent or detect sniffing attacks, such as using encryption, VPN, firewall, IDS, and anti-sniffing software.

OWASP Application Security FAQ | OWASP Foundation: This is a frequently asked questions page about application security, maintained by the Open Web Application Security Project (OWASP), a non-profit organization that promotes web security awareness and best practices. It covers various topics, such as authentication, authorization, session management, input validation, output encoding, cryptography, error handling, logging, and more.

Explanation

Malware means “malicious software”, is any software intentionally designed to cause damage to a computer, server, client, or computer network. The most popular types of malware includes viruses, ransomware and spyware. Virus Possibly the most common type of malware, viruses attach their malicious code to clean code and wait to be run.

Ransomware is malicious software that infects your computer and displays messages demanding a fee to be paid in order for your system to work again.

Spyware is spying software that can secretly record everything you enter, upload, download, and store on your computers or mobile devices. Spyware always tries to keep itself hidden.

An exploit is a code that takes advantage of a software vulnerability or security flaw.

Exploits and malware are two risks for endpoints that are not up to date. ARP spoofing and eavesdropping are attacks against the network while denial-of-service attack is based on the flooding of IP packets.

Cisco ISE and pxGrid use the IETF (Internet Engineering Task Force) standards to integrate with each other and with other interoperable security platforms. IETF is an open, international community of network designers, operators, vendors, and researchers who produce voluntary standards for the Internet. Cisco pxGrid is based on the IETF standards-track XMPP (Extensible Messaging and Presence Protocol) and RESTCONF (Representational State Transfer Configuration Protocol) technologies. These standards enable Cisco pxGrid to provide a scalable, secure, and open data-sharing platform that supports multiple security products and services. Cisco ISE uses the IETF standards-track RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) protocols to provide network access control and policy enforcement. Cisco ISE also supports the IETF standards-track SXP (Security Group Tag eXchange Protocol) to propagate security group tags across the network. By using the IETF standards, Cisco ISE and pxGrid can interoperate with other security platforms that support the same standards, such as Infoblox, Splunk, Rapid7, and more. References:

Cisco pxGrid - Cisco

ISE pxGrid General Information & FAQ - Cisco Community

How To: Integrate Cisco WSA using ISE and TrustSec via pxGrid

Infoblox DDI, Cisco ISE, and the pxGrid Solution Platform

Explanation

A trustpoint enrollment mode, which also defines the trustpoint authentication mode, can be performed via 3 main methods:

1. Terminal Enrollment – manual method of performing trustpoint authentication and certificate enrolment using copy-paste in the CLI terminal.

2. SCEP Enrollment – Trustpoint authentication and enrollment using SCEP over HTTP.

3. Enrollment Profile – Here, authentication and enrollment methods are defined separately. Along with terminal and SCEP enrollment methods, enrollment profiles provide an option to specify HTTP/TFTP commands to perform file retrieval from the Server, which is defined using an authentication or enrollment url under the profile.

To migrate a Cisco WSA virtual appliance from one physical host to another physical host by using VMware vMotion, both hosts must have access to the same defined network. This is because vMotion preserves the network identity and connections of the virtual machine, and requires that the source and destination hosts have compatible CPUs and shared storage1. The hosts do not need to run the same or different versions of Cisco AsyncOS, as long as they meet the minimum requirements for the virtual appliance2. The hosts do not need to use a different datastore than the virtual appliance, as vMotion can migrate virtual machines across datastores as well3. References: 1: VMware vMotion: Live Migration of Virtual Machines and Storage 2: Cisco Secure Web Appliance Virtual - Cisco 3: Migrating to Virtual SMA from Physical - Cisco Community

Explanation

The appliance will try once to upload the file; if upload is not successful, for example because of

connectivity problems, the file may not be uploaded. If the failure was because the file analysis server was overloaded, the upload will be attempted once more.

https://www.cisco.com/c/dam/en/us/products/collateral/security/cognitive-threat-analytics/at-a-glance-c45-736555.pdf

Explanation

Explanation

The Cisco Application Visibility and Control (AVC) solution leverages multiple technologies to recognize,

analyze, and control over 1000 applications, including voice and video, email, file sharing, gaming, peer-to-peer

(P2P), and cloud-based applications. AVC combines several Cisco IOS/IOS XE components, as well as

communicating with external tools, to integrate the following functions into a powerful solution…

Explanation

The purpose of above commands is to redirect traffic that matches the ACL “redirect-acl” to the Cisco

FirePOWER (SFR) module in the inline (normal) mode. In this mode, after the undesired traffic is dropped and

any other actions that are applied by policy are performed, the traffic is returned to the ASA for further

processing and ultimate transmission.

The command “service-policy global_policy global” applies the policy to all of the interfaces.

Explanation

Explanation

You can also monitor on-premises networks in your organizations using Cisco Stealthwatch Cloud. In order to do so, you need to deploy at least one Cisco Stealthwatch Cloud Sensor appliance (virtual or physical appliance).

The threat intelligence standard that contains malware hashes is trusted automated exchange of indicator information (TAXII). TAXII is a protocol that enables the exchange of cyber threat information in a standardized and automated manner. It supports various types of threat intelligence, such as indicators of compromise (IOCs), observables, incidents, tactics, techniques, and procedures (TTPs), and campaigns. Malware hashes are one example of IOCs that can be shared using TAXII. Malware hashes are cryptographic signatures that uniquely identify malicious files or programs. They can be used to detect and block malware infections on endpoints or networks. TAXII uses STIX (structured threat information expression) as the data format for representing threat intelligence. STIX is a language that defines a common vocabulary and structure for describing cyber threat information. STIX allows threat intelligence producers and consumers to share information in a consistent and interoperable way. STIX defines various objects and properties that can be used to represent different aspects of cyber threat information, such as indicators, observables, incidents, TTPs, campaigns, threat actors, courses of action, and relationships. Malware hashes can be expressed as observables in STIX, which are concrete items or events that are observable in the operational domain. Observables can have various types, such as file, process, registry key, URL, IP address, domain name, etc. Each observable type has a set of attributes that describe its properties. For example, a file observable can have attributes such as name, size, type, hashes, magic number, etc. A hash attribute can have a type (such as MD5, SHA1, SHA256, etc.) and a value (such as the hexadecimal representation of the hash). A file observable can have one or more hash attributes to represent different hashing algorithms applied to the same file. For example, a file observable can have both MD5 and SHA256 hashes to increase the confidence and accuracy of identifying the file.

The other options are incorrect because they are not threat intelligence standards that contain malware hashes. Option A is incorrect because advanced persistent threat (APT) is not a standard, but a term that describes a stealthy and sophisticated cyberattack that aims to compromise and maintain access to a target network or system over a long period of time. Option B is incorrect because open command and control (OpenC2) is not a standard that contains malware hashes, but a language that enables the command and control of cyber defense components, such as sensors, actuators, and orchestrators. Option C is incorrect because structured threat information expression (STIX) is not a standard that contains malware hashes, but a data format that represents threat intelligence. STIX uses TAXII as the transport protocol for exchanging threat intelligence, including malware hashes. References:

TAXII

STIX

Malware Hashes

Posture is a service in Cisco ISE that allows you to check the compliance, also known as posture, of endpoints, before allowing them to connect to your network. A posture agent, such as the AnyConnect ISE Posture Agent or Network Admission Control (NAC) Agent, runs on the endpoint and collects information about the endpoint’s security posture, such as antivirus, antispyware, firewall, and patch status. The posture agent then communicates with the ISE server, which evaluates the posture information against the posture policy and determines the compliance state of the endpoint. Based on the compliance state, the ISE server can grant or deny network access to the endpoint, or apply remediation actions to bring the endpoint into compliance. Posture service is part of the ISE solution for network access control (NAC), which aims to secure the network from unauthorized or compromised endpoints. References:

Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Posture Policies

Configuring posture services with the Cisco Identity Services Engine - Cisco Community

Cisco Content Hub - Configure Client Posture Policies

 OWASP stands for Open Web Application Security Project, a non-profit organization that provides resources for web application security. OWASP has developed a number of standards, projects, events, and news on topics such as web application security, supply chain security, and cyber risk mitigation1. One of the most widely recognized OWASP resources is the OWASP Top 10, a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications, such as broken access control, cryptographic failures, injection, and insecure design2. The OWASP Top 10 is updated periodically based on data analysis and community feedback. The latest edition was released in 20213. By following the OWASP Top 10 and other OWASP resources, developers can build more secure applications that minimize these risks. References := 1: OWASP Foundation, the Open Source Foundation for Application Security 2: OWASP Top Ten | OWASP Foundation 3: OWASP Top 10:2021

A traffic profile is a graph of network traffic based on connection data collected over a profiling time window (PTW). This measurement presumably represents normal network traffic. After the learning period, you can detect abnormal network traffic by evaluating new traffic against your profile. You can also set up inactive periods in traffic profile to exclude data that does not reflect normal network behavior. You can use traffic profiles to write correlation rules that trigger when the traffic deviates from the profile by a certain threshold or standard deviation. This way, you can identify and respond to potential attacks or security policy violations that cause traffic anomalies. References :=

Some possible references are:

Firepower Management Center Configuration Guide, Version 6.0 - Traffic Profiling

Cisco Next-Generation Intrusion Prevention System (NGIPS)

Which statement describes a traffic profile on a Cisco Next Generation Intrusion Prevention System?

In a remote access VPN configuration, dynamic split tunneling allows traffic to certain trusted domains to bypass the VPN tunnel and exit through the client ' s local internet gateway. This feature selectively directs only the necessary traffic over the VPN, while allowing direct internet access for specific domains or traffic deemed safe or trusted, optimizing bandwidth and performance for remote users.

The Cisco WSA can participate in the Cisco SensorBase Network, which is a threat management database that collects and shares data from Cisco security products. By participating in the SensorBase Network, the WSA can receive web reputation scores and URL categories for the requested web content, and also contribute data to improve the accuracy and efficacy of the service. The data that the WSA sends to the SensorBase Network servers includes information about request attributes and how the appliance handles requests. However, to protect the privacy and confidentiality of the users and the organization, the WSA does not send the complete URL, but only the summarized server-name information and the MD5-hashed path information. The MD5 hash is a one-way encryption algorithm that converts the path information into a fixed-length string that cannot be reversed. This way, the SensorBase Network can identify the URL without revealing the actual content or parameters of the request. The WSA also does not send any personal or confidential information such as usernames and passwords, or any information about HTTPS transactions, except for the IP address, web reputation score, and URL category of the server name in the certificate. The SensorBase Network Participation is enabled by default, but it can be disabled by the administrator if desired123. References: 3: Web Base Network Participation (WBNP) and Sender Base Network Participation (SBNP) - Cisco 2: User Guide for AsyncOS 15.0 for Cisco Secure Web Appliance - GD (General Deployment) - Introduction 1: User Guide for AsyncOS 12.0 for Cisco Web Security Appliances - GD (General Deployment) - Introduction

Cross-site scripting (XSS) is a web security vulnerability that allows an attacker to inject malicious code into a web page that is viewed by other users. XSS can compromise the user’s interaction with the web application, steal sensitive data, perform unauthorized actions, and more. To prevent XSS, web developers need to apply various defensive techniques to ensure that user-supplied data is not interpreted as code by the browser. Two of these techniques are:

Incorporate contextual output encoding/escaping: This means that any user-supplied data that is displayed on the web page should be properly encoded or escaped according to the context where it appears. For example, if the data is inserted into an HTML attribute, it should be HTML attribute encoded; if the data is inserted into a JavaScript string, it should be JavaScript string encoded; and so on. This prevents the data from breaking out of its intended context and being executed as code by the browser. Output encoding should be done by using a reliable library or framework that supports different contexts and encodings.

Run untrusted HTML input through an HTML sanitization engine: This means that any user-supplied data that is intended to contain HTML markup should be filtered and validated by a sanitization engine that removes or escapes any potentially dangerous elements, attributes, or scripts. This prevents the attacker from injecting malicious HTML code that can execute scripts, load external resources, redirect the user, or perform other malicious actions. HTML sanitization should be done by using a well-tested and maintained library or framework that follows the best practices and standards for HTML filtering.

References :=

[Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 5: Securing the Cloud, Lesson 5.2: Web Application Security, Topic 5.2.2: Cross-Site Scripting (XSS)

Cross Site Scripting Prevention Cheat Sheet - OWASP

What is cross-site scripting (XSS) and how to prevent it? - Web Security Academy

 The product that allows Cisco FMC to push security intelligence observable to its sensors from other products is Threat Intelligence Director (TID). TID is a feature of Cisco FMC that enables you to integrate third-party threat intelligence feeds into your security policies. TID collects, aggregates, and correlates observables from multiple sources, such as Cisco Talos Intelligence, Cisco Umbrella, and other external providers. TID then pushes the observables to the sensors that are managed by FMC, such as Firepower Threat Defense (FTD) devices, Firepower appliances, and Cisco Secure Firewall Cloud Native. The sensors can then use the observables to block or monitor traffic based on the reputation and threat level of the IP addresses, URLs, and domains12.

 1: Firepower Management Center Configuration Guide, Version 6.6 - Threat Intelligence Director [Cisco Secure Firewall Management Center] - Cisco 2: Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.6 - Threat Intelligence Director [Cisco Firepower NGFW] - Cisco

Explanation

The AES encryption algorithm encrypts and decrypts data in blocks of 128 bits (block size). It can do this using 128-bit, 192-bit, or 256-bit keys

Explanation

Cisco‘s Group Encrypted Transport VPN (GETVPN) introduces the concept of a trusted group to eliminate

point-to-point tunnels and their associated overlay routing. All group members (GMs) share a common security

association (SA), also known as a group SA. This enables GMs to decrypt traffic that was encrypted by any

other GM.

GETVPN provides instantaneous large-scale any-to-any IP connectivity using a group IPsec security paradigm.

Explanation

" configure INTRUSION RULES for DNP3 " - > Documentation states, that enabling INTRUSION RULES is mandatory for CIP to work + required preprocessors (in Network Access Policy - NAP) will be enabled automatically:

" If you want the CIP preprocessor rules listed in the following table to generate events, you MUST enable them. See Setting Intrusion Rule States for information on enabling rules. "

" If the Modbus, DNP3, or CIP preprocessor is disabled, and you enable and deploy an intrusion rule that requires one of these preprocessors, the system automatically uses the required preprocessor, with its current settings, although the preprocessor remains disabled in the web interface for the corresponding network analysis policy. "

[1] https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/scada_preprocessors.html

IKEv1 has two modes of operation: main mode and aggressive mode. Main mode uses six messages to establish the IKE SA, while aggressive mode uses only three messages. Therefore, aggressive mode is faster than main mode, but less secure, as it exposes the identities of the peers in cleartext. This makes it vulnerable to man-in-the-middle attacks. IKEv2 does not have these modes, but uses a single four-message exchange to establish the IKE SA. IKEv2 also encrypts the identities of the peers, making it more secure than IKEv1 aggressive mode.

IKEv1 uses EAP authentication only for remote access VPNs, not for site-to-site VPNs. IKEv2 supports EAP authentication for both types of VPNs. EAP authentication allows the use of various authentication methods, such as certificates, tokens, or passwords.

IKEv1 conversations are initiated by the ISAKMP header, which contains the security parameters and the message type. IKEv2 conversations are initiated by the IKE_SA_INIT message, which contains the security parameters, the message type, and the message ID. The message ID is used to identify and order the messages in the IKEv2 exchange.

NAT-T is supported by both IKEv1 and IKEv2. NAT-T stands for Network Address Translation-Traversal, and it is a mechanism that allows IKE and IPsec traffic to pass through a NAT device. NAT-T detects the presence of NAT and encapsulates the IKE and IPsec packets in UDP headers, so that they can be translated by the NAT device. References:

IKEv1 vs IKEv2 – What is the Difference?

Comparison between IKEv1 and IKEv2

IKEv2 vs IKEv1: What are the differences?

To achieve the goal of excluding some servers from the VPN tunnel and accessing them directly, the engineer must modify the group policy that is applied to the remote access VPN users. The group policy contains the settings for split tunneling, which is a feature that allows the VPN client to route some traffic through the VPN tunnel and some traffic directly to the internet. Split tunneling can be configured based on the destination IP address, the application, or the domain name of the traffic. By modifying the group policy, the engineer can specify which servers or networks should be excluded from the VPN tunnel and accessed directly by the VPN client. This can improve the performance and efficiency of the VPN connection, as well as reduce the load on the VPN gateway and the corporate network. However, split tunneling also introduces some security risks, such as exposing the VPN client to internet threats, bypassing the corporate firewall and security policies, and leaking sensitive data. Therefore, the engineer must carefully evaluate the trade-offs and best practices of using split tunneling for remote access VPNs. References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Secure Connectivity, Lesson 3.1: Implementing and Troubleshooting Remote Access VPN, Topic 3.1.4: Configure and Verify Remote Access VPN, Subtopic 3.1.4.2: Configure and Verify Split Tunneling

VPN Split Tunneling: What It Is & Pros and Cons

Cisco ASA - Enable Split Tunnel for Remote VPN Clients

Microsegmentation is a technology that limits communication between nodes on the same network segment to individual applications by creating secure zones across cloud and data center environments. Microsegmentation isolates application workloads from one another and secures them individually with granular firewall policies based on a zero-trust security approach1. Microsegmentation can reduce the attack surface, prevent the lateral movement of threats, and strengthen regulatory compliance1.

Serverless infrastructure is a technology that allows developers to run code without provisioning or managing servers2. Serverless infrastructure does not limit communication between nodes on the same network segment to individual applications, but rather abstracts away the underlying infrastructure from the application logic.

SaaS deployment is a technology that delivers software applications over the internet as a service3. SaaS deployment does not limit communication between nodes on the same network segment to individual applications, but rather provides access to software applications from any device and location.

Machine-to-machine firewalling is a technology that controls the communication between machines or devices on a network. Machine-to-machine firewalling does not limit communication between nodes on the same network segment to individual applications, but rather applies rules to the traffic between machines or devices based on their IP addresses, ports, protocols, or other criteria.

References :=

What Is Micro-Segmentation? - Cisco

What is serverless?

What is SaaS?

[Machine-to-Machine Firewalling]

Mobile device management (MDM) is a solution that allows organizations to manage and secure mobile devices such as smartphones and tablets. MDM can provide scalability by supporting BYOD (bring your own device) scenarios without requiring extra appliance or licenses. BYOD allows employees to use their personal devices for work purposes, which can reduce costs and increase productivity. However, BYOD also introduces security and compliance risks, which MDM can mitigate by enforcing policies, monitoring device status, and performing remote actions. MDM can also integrate with other Cisco security solutions such as Identity Services Engine (ISE) and Umbrella to provide additional protection and visibility. According to the Cisco SCOR course, MDM can provide the following benefits for BYOD1:

Simplify device enrollment and configuration

Automate device compliance checks and remediation

Apply granular policies based on device type, user role, location, and network

Enable secure access to corporate resources and applications

Protect data at rest and in transit with encryption and VPN

Detect and respond to device threats and vulnerabilities

Wipe or lock devices in case of loss or theft

 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Module 4: Secure Connectivity - Lesson 4.3: Mobile Device Management (MDM)

Explanation

Explanation

The Application Visibility and Control (AVC) engine lets you create policies to control application activity on the network without having to fully understand the underlying technology of each application. You can configure application control settings in Access Policy groups. You can block or allow applications individually or according to application type. You can also apply controls to particular application types.

SHA-2 is a family of hash functions that includes SHA-256, SHA-384, and SHA-512. SHA-2 is part of the Next Generation Encryption (NGE) suite of cryptographic algorithms that Cisco recommends for strong security and good performance. SHA-2 is believed to be quantum-computer resistant, meaning that it would not be easily broken by a hypothetical quantum-computer. SHA-2 is also more secure than older hash functions such as MD5 and SHA-1, which have been shown to have weaknesses and collisions. SHA-2 is widely used in various protocols and functions, such as digital signatures, integrity verification, and key derivation. References: 1

https://sec.cloudapps.cisco.com/security/center/resources/next_generation_cryptography

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/116055-technote-ios-crypto.html

Explanation

Explanation

Cisco IOS public key infrastructure (PKI) provides certificate management to support security protocols such as IP Security (IPSec), secure shell (SSH), and secure socket layer (SSL). This module identifies and describes concepts that are needed to understand, plan for, and implement a PKI.

A PKI is composed of the following entities: …

– A distribution mechanism (such as Lightweight Directory Access Protocol [LDAP] or HTTP) for certificate revocation lists (CRLs)

 Cisco Umbrella evaluates policies from the top down and looks for a matching identity and destination. Once a match is found, Umbrella applies that policy’s settings to the identity and destination and stops evaluating all other DNS policies. Therefore, to ensure that the policy that the identity must use takes precedence over the second one, the engineer should make the correct policy first in the policy order. This way, Umbrella will match the identity to the correct policy before checking the second policy. The other options are not correct because they do not guarantee that the identity will use the correct policy. Configuring the default policy to redirect the requests to the correct policy will not work if the identity matches another policy before the default one. Placing the policy with the most-specific configuration last in the policy order will not work if the identity matches a less-specific policy before the last one. Configuring only the policy with the most recently changed timestamp will not work if the identity matches an older policy before the newer one. References :=

Some possible references are:

Policy Precedence - Umbrella User Guide1

Manage Policies - Umbrella User Guide2

Umbrella Policy order - Cisco Community3

A PAC file is a Proxy Auto-Configuration file that contains a JavaScript function that determines whether web browser requests go directly to the destination or are forwarded to a web proxy server. A PAC file allows the client desktop browsers to be configured to select when to connect direct or when to use the proxy based on the URL and the host name. A PAC file can be downloaded from a web server or a local file. A PAC file is more suitable for complex proxy configurations or multiple proxy servers12

A transparent mode is a proxy configuration where the client browsers do not need to be configured to use the proxy. The proxy intercepts the traffic and forwards it to the destination. A transparent mode does not allow the client browsers to select when to connect direct or when to use the proxy34

A forward file is not a valid proxy configuration method.

A bridge mode is a network configuration where a device connects two or more network segments and forwards traffic between them. A bridge mode is not a proxy configuration method5 References := 1: Proxy Auto-Configuration (PAC) file - HTTP | MDN 2: Proxy auto-config - Wikipedia 3: Explicit and Transparent Proxy - techdocs.broadcom.com 4: Configure Explicit Proxy - Palo Alto Networks | TechDocs 5: config web-proxy explicit | FortiGate / FortiOS 7.4.0

ISE posture assessment allows you to inspect the security “health” of your PC and MAC clients. This includes checking for the installation, running state, and last update for security software, such as anti-virus, anti-malware, personal firewall, and so on1. Windows service and Windows firewall are examples of such security software that can be checked by ISE posture assessment. Computer identity and user identity are not conditions that can be checked by ISE posture assessment, as they are related to authentication and authorization, not security posture. Default browser is also not a condition that can be checked by ISE posture assessment, as it is not a security software or a security risk. References: 1: Chapter 15. Device Posture Assessment - Cisco ISE for BYOD and Secure Unified Access, 3

DNS tunneling is a technique that encodes data of other programs and protocols in DNS queries, including data payloads that can be used to control a remote server and applications1. DNS exfiltration is a form of DNS tunneling that allows attackers to extract data from a compromised system by sending encoded DNS requests to a domain under their control2. The direction of the data transfer in DNS exfiltration is outbound, meaning from the victim’s network to the attacker’s network. This is different from inbound, which means from the attacker’s network to the victim’s network, or north-south and east-west, which are terms used to describe the traffic flow between different network segments or zones3. Outbound DNS requests are often allowed by default in many firewalls and network devices, making them an attractive channel for data exfiltration4. However, DNS exfiltration can be detected and prevented by using security solutions that monitor and analyze DNS traffic for anomalies and malicious patterns5.

 1: Improvements to DNS Tunneling & Exfiltration Detection - Cisco Umbrella 2: DNS Exfiltration & Tunneling: How it Works & DNSteal Demo Setup 3: What Is DNS Tunneling? - Palo Alto Networks 4: DNS Data Exfiltration and DNS Tunneling | Vercara 5: DNS Exfiltration: The Light at the End of the DNS Tunnel - site

Explanation

Explanation

Each rule also has an action, which determines whether you monitor, trust, block, or allow matching traffic.

Note: With action “trust”, Firepower does not do any more inspection on the traffic. There will be no intrusion protection and also no file-policy on this traffic.

Cisco Stealthwatch is a network security and visibility platform that provides an agentless solution to monitor network traffic and detect threats, including those in encrypted traffic. Stealthwatch uses Encrypted Traffic Analytics (ETA), a technology that leverages network telemetry and machine learning to identify malicious patterns and behaviors in encrypted traffic without decryption. ETA can also assess the cryptographic strength and compliance of the encryption protocols used in the network. Stealthwatch integrates with other Cisco security products, such as Cisco Identity Services Engine (ISE) and Cisco Advanced Malware Protection (AMP), to provide contextual information and threat intelligence for faster and more effective response. Stealthwatch is the only Cisco platform that offers ETA as a solution to provide visibility across the network, including encrypted traffic analytics, to detect malware in encrypted traffic without the need for decryption. References :=

Some possible references are:

Cisco Secure Network Analytics (Stealthwatch) - Cisco, Cisco

Encrypted Traffic Analytics > Security | Cisco Press, Cisco Press

Solutions - Encrypted Traffic Analytics with the New Cisco Network and Secure Network Analytics At-a-Glance - Cisco, Cisco

Cisco Encrypted Traffic Analytics White Paper, Cisco

 Cisco FTD is the recommended solution for this requirement because it allows the administrator to configure URL filtering as part of the access control policy. URL filtering in FTD can block or allow traffic based on the destination URL of a web request, the generalized category of the URL, or the public reputation of the target site. FTD can also use HTTPS URL filtering to inspect encrypted web traffic and block malicious or unwanted sites. FTD supports both local URL lists and external URL filtering servers such as Cisco Talos Intelligence Group (TIG), Websense, or SmartFilter12.

Cisco ASA does not include URL filtering in the access control policy capabilities. ASA can only enable URL filtering for web traffic using external filtering servers such as Websense or SmartFilter. ASA cannot block HTTPS or FTP traffic based on URLs, nor can it use local URL lists or categories. ASA also does not block malicious URLs by default, but relies on the filtering server’s configuration34.

Therefore, option C is the correct answer, and the other options are incorrect. References :=

FTD URL Filtering - How it works? - Cisco Community

Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.2.3 - Access Control

Configuring Filtering Services - Cisco

Configuring URL Filtering - Cisco

 IOS zone-based firewalls (ZBFW) are a feature that provides stateful firewall policies between groups of interfaces known as zones. A zone is a logical grouping of one or more interfaces that have similar security requirements. A zone can be applied to physical interfaces, subinterfaces, port channels, VLAN interfaces, or tunnel interfaces. However, an interface can be assigned only to one zone, and it cannot be shared between zones. This is because the ZBFW policy is applied between zones, not interfaces, and it controls the bidirectional traffic flow between them. Therefore, an interface can belong to only one zone at a time, and it must be removed from one zone before it can be added to another zone. This ensures that the firewall policy is consistent and unambiguous for each interface.

References :=

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Gibraltar 16.12.x, Configuring Zones

Understand the Zone-Based Policy Firewall Design, Zone-Based Policy Overview

IOS Zone Based Firewall Step-by-Step Basic Configuration, Zone Based Firewall Vs CBAC

A simple custom detection list is a feature of AMP for Endpoints that allows you to specify a list of file hashes (MD5, SHA-1, or SHA-256) that you want to detect, block, and quarantine on your endpoints. You can create a simple custom detection list from the Outbreak Control section of the AMP for Endpoints console, and apply it to a policy that is assigned to your endpoints. When the AMP connector on the endpoint encounters a file that matches the hash in the list, it will perform the action that you specified, such as blocking the file execution, sending an alert, or quarantining the file. A simple custom detection list is useful when you want to quickly and easily block specific files that are known to be malicious or unwanted, without having to create a complex signature or rule12 References := 1: Configure a Simple Custom Detection List on the AMP for Endpoints Portal 2: Create an Advanced Custom Detection List in Cisco Secure Endpoint

Cisco AMP for Endpoints is a cloud-based endpoint security solution that provides advanced malware protection, threat detection and response, and endpoint isolation. It protects endpoint systems through application control and real-time scanning, which are two of its multifaceted prevention techniques. Application control allows administrators to define and enforce policies on which applications can run on the endpoints, while real-time scanning continuously monitors files and processes for malicious activity. These features help stop threats from compromising the endpoints and reduce the attack surface. Cisco Secure Endpoint (Formerly AMP for Endpoints) - CiscoMalware Protection - Cisco AMP Advanced Malware Protection References:

Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco

Malware Protection - Cisco AMP Advanced Malware Protection

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.1: Cisco AMP for Endpoints, Topic 3.1.1: Introduction to Cisco AMP for Endpoints

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.1: Cisco AMP for Endpoints, Topic 3.1.2: Cisco AMP for Endpoints Architecture

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.1: Cisco AMP for Endpoints, Topic 3.1.3: Cisco AMP for Endpoints Features

Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software-based security solution for building scalable enterprise VPNs that support distributed applications such as voice and video. DMVPN provides scalability for organizations with many remote sites by using a hub-and-spoke topology with dynamic tunnels between spokes. This reduces the number of static tunnels required and simplifies the configuration and management of the VPN. DMVPN also supports dynamic routing protocols, multicast traffic, and quality of service (QoS) features, making it suitable for various network scenarios and requirements12 References := 1: Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications 2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

Explanation

A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the storage capacity of the memory buffer. As a result, the program attempting to write the data to the buffer overwrites adjacent memory locations.

Buffer overflow is a vulnerability in low level codes of C and C++. An attacker can cause the program to crash, make data corrupt, steal some private information or run his/her own code. It basically means to access any buffer outside of it’s alloted memory space. This happens quite frequently in the case of arrays.

Web usage controls are a feature of Cisco Web Security Appliance (WSA) that allow administrators to define and enforce policies for web access based on URL categories. URL categories are groups of websites that share a common theme or content, such as news, sports, entertainment, etc. Cisco WSA uses the Cisco Dynamic Content Analysis Engine and the Talos Security Intelligence and Research Group to provide accurate and up-to-date URL categorization. Administrators can use the web usage controls to allow, block, warn, or monitor web requests based on the URL category of the destination website. They can also create custom URL categories to include or exclude specific domains or URLs from the predefined categories. Web usage controls help administrators to control web traffic, enhance security, improve productivity, and comply with regulatory and organizational requirements. References :=

Some possible references are:

Web Usage Controls - Cisco Web Security Appliance User Guide, Cisco

Cisco Web Usage Control Filtering Categories Data Sheet, Cisco

Define Custom URL Categories in WSA, Cisco

 To configure the Cisco ASA via ASDM for SNMPv3, the administrator needs to perform two main tasks: specify an SNMP user group and add an SNMP USM entry. An SNMP user group defines the access level and security model for a group of SNMP users. An SNMP USM entry defines the authentication and encryption parameters for a specific SNMP user. These two tasks are required for SNMPv3 because it uses a user-based security model (USM) that provides secure access to the MIB objects. SNMPv3 does not use a community string, which is a shared password used by SNMPv1 and SNMPv2c. The SNMP manager and UDP port are optional parameters that can be specified to customize the SNMP communication. The SNMP host access entry is also optional and can be used to restrict the access of SNMP hosts to specific interfaces or networks. References :=

Some possible references are:

SNMP Configuration, Verification and Troubleshooting on ASA

How to configure SNMP v3 on Cisco Switch, Router, ASA, Nexus

SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

Explanation

Explanation

DevSecOps (development, security, and operations) is a concept used in recent years to describe how to move

security activities to the start of the development life cycle and have built-in security practices in the continuous

integration/continuous deployment (CI/CD) pipeline. Thus minimizing vulnerabilities and bringing security closer

to IT and business objectives.

Three key things make a real DevSecOps environment:

+ Security testing is done by the development team.

+ Issues found during that testing is managed by the development team.

+ Fixing those issues stays within the development team.

Network telemetry is a technology for gaining network insight and facilitating efficient and automated network management. It encompasses various techniques for remote data generation, collection, correlation, and consumption1. Network telemetry can be used for various purposes, such as network performance monitoring, security analysis, troubleshooting, and optimization. One of the applications of network telemetry is Layer 2 device discovery, which allows network operators to discover and map the physical topology of the network, including switches, routers, hosts, and links. Layer 2 device discovery can be achieved by using protocols such as Link Layer Discovery Protocol (LLDP) or Cisco Discovery Protocol (CDP), which enable network devices to advertise their identity, capabilities, and neighbors to other devices on the same network segment. To enable Layer 2 device discovery, network telemetry must be enabled on the network devices, so that they can send and receive LLDP or CDP packets. This feature requires network telemetry to be enabled, because without it, the network devices would not be able to exchange information about their topology and configuration. Therefore, the correct answer is C. Layer 2 device discovery. References: 1: RFC 9232: Network Telemetry Framework - Internet Engineering Task Force

One of the key capabilities of endpoint security is to prevent phishing attacks by ensuring that antivirus and anti malware software is up to date. This helps to detect and block malicious attachments or links that may be embedded in phishing emails. Antivirus and anti malware software can also scan the endpoint for any signs of compromise or infection that may have resulted from a successful phishing attack. Additionally, endpoint security can provide data loss prevention (DLP) features that can prevent sensitive data from being exfiltrated by attackers who have gained access to the endpoint through phishing. References :=

Some possible references are:

Endpoint Security and Phishing: What to Know

Protect Against Spear Phishing with Endpoint Security

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (source book)

The zero-trust model is a modern security strategy that assumes breach and verifies each request as though it originates from an open network. The main concept behind the zero-trust model is “never trust, always verify”, which means that users and devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified12

One of the principles of the zero-trust model is to verify explicitly, which means to always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies13 To achieve this, the zero-trust model recommends using multifactor authentication (MFA), which is a method of verifying a user’s identity by requiring two or more pieces of evidence, such as something the user knows (e.g., password, PIN), something the user has (e.g., token, smart card), or something the user is (e.g., fingerprint, face scan). MFA provides a higher level of security than using only a single factor, such as a password, which can be easily compromised or guessed. MFA also reduces the risk of unauthorized access to corporate applications and resources, which may contain sensitive or confidential information.

Therefore, the recommendation in a zero-trust model before granting access to corporate applications and resources is to use multifactor authentication, as it ensures that only verified and authorized users and devices can access the data they need, and nothing more13

References := 1: Zero Trust Model - Modern Security Architecture | Microsoft Security 2: Zero trust security model - Wikipedia 3: What is Zero Trust? | Microsoft Learn : Multifactor Authentication (MFA) | Cisco

Explanation

We choose “Chat and Instant Messaging” category in “URL Category”:

To block certain URLs we need to choose URL Reputation from 6 to 10.

The Secure Event Connector is a component of the Security Analytics and Logging (SaaS) solution that enables the FMC to send logs to the cloud-based service. The Secure Event Connector uses syslog to forward events from the FMC and the managed devices to the cloud. This method reduces the load on the firewall resources, as the events are sent in batches and compressed before transmission. The Secure Event Connector also provides encryption, authentication, and reliability for the log data. The other methods are not supported by the Security Analytics and Logging (SaaS) solution12 References := 1: Cisco Security Analytics and Logging (On Premises)

Cisco Defense Orchestrator (CDO) is a cloud-based management solution that allows you to manage security policies and device configurations with ease across multiple Cisco and cloud-native security platforms. CDO centrally manages elements of policy and configuration across Cisco ASA, Cisco Firepower, Cisco Meraki, and AWS1. CDO also provides visibility, automation, and orchestration capabilities to simplify and unify security operations2. The other options are not cloud security software that can centrally manage policies on multiple platforms. Cisco Configuration Professional is a device management tool for Cisco routers and switches. Cisco Secureworks is a security services provider that offers threat intelligence and incident response. Cisco DNAC is a network controller that automates and assures services across campus, branch, and edge networks. References :=

Cisco Defense Orchestrator Data Sheet

Cisco Defense Orchestrator

Explanation

Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely.

It protects your cloud users, data, and apps. Cisco Cloudlock provides visibility and compliance checks,

protects data against misuse and exfiltration, and provides threat protections against malware like ransomware.

The RAT (Recipient Access Table) is the list that contains the allowed recipient addresses on the Cisco ESA. The RAT controls whether the ESA accepts or rejects messages to a recipient address based on the sender group and the mail policy. The RAT can be configured to allow, relay, or reject messages to specific recipients or domains. The RAT can also be used to apply different message filters or content filters to different recipient groups12. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) course, Module 2: Network Security, Lesson 3: Deploying Cisco Email Security Appliance, Topic: Configuring Mail Policies2: Cisco Email Security Appliance User Guide, Release 13.5 - Configuring Mail Policies [Cisco Secure Email Gateway] - Cisco.

The best way to prevent the session during the initial TCP communication is to configure policies to stop and reject communication from the known malicious domain. This will prevent the ESA from accepting any messages from that domain and send a negative SMTP response code back to the sender. This will also save the ESA’s resources and bandwidth, as it will not have to process or store the malicious emails. This can be done by creating a sender group in the Host Access Table (HAT) that matches the malicious domain and setting the mail flow policy to “Reject” or “Throttle”. Alternatively, a message filter can be created that checks the envelope sender against the malicious domain and applies the “stop_connection” or “reject_connection” action12.

The other options are not as effective as stopping and rejecting the communication at the TCP level. Configuring the Cisco ESA to drop the malicious emails (option A) will still allow the ESA to accept the messages and then silently discard them, which will consume the ESA’s resources and bandwidth, and also not notify the sender of the rejection. Configuring policies to quarantine malicious emails (option B) will also require the ESA to accept and store the messages, which will take up disk space and require manual or automated management of the quarantine. Configuring the Cisco ESA to reset the TCP connection (option D) will abruptly terminate the connection without sending a proper SMTP response code, which may cause the sender to retry the delivery and generate more traffic. Resetting the TCP connection is also considered a less polite and less compliant way of rejecting messages than sending a negative SMTP response code34. References: 1: How to Block a Sender Domain on the Email Security Appliance 2: Message Filters on the Cisco Email Security Appliance 3: How to Configure the Cisco Email Security Appliance to Reject or Drop Messages 4: Cisco Email Security Appliance User Guide - Configuring Mail Policies

The process of performing automated static and dynamic analysis of files against preloaded behavioral indicators for threat analysis is called advanced sandboxing. Advanced sandboxing is a feature of Cisco Secure Malware Analytics (Threat Grid), which is a cloud-based or on-premises solution that analyzes the behavior of suspicious files and URLs. Advanced sandboxing uses a combination of static and dynamic analysis techniques to examine the files against more than 700 behavioral indicators, such as registry changes, network connections, file modifications, and process injections. These indicators help to uncover stealthy and sophisticated threats, and provide the security team with detailed reports and actionable intelligence. Advanced sandboxing also integrates with other Cisco security products, such as AMP, Firepower, and Email Security, to provide comprehensive malware protection across the network. Advanced sandboxing is different from other options, such as deep visibility scan, point-in-time checks, and advanced scanning, which are not specific processes or features of Cisco Secure Malware Analytics. Deep visibility scan is a generic term that refers to the ability to inspect network traffic and files for malicious activity. Point-in-time checks are periodic scans that detect malware at a specific moment, but do not provide continuous analysis or retrospective security. Advanced scanning is also a generic term that can refer to any scanning technique that goes beyond basic signature-based detection, such as heuristic analysis, machine learning, or behavioral analysis. References :=

Some possible references are:

Cisco Secure Malware Analytics (Threat Grid)

Malware Protection - Cisco AMP Advanced Malware Protection

Cisco Secure Malware Analytics Data Sheet

the interface configuration. MAB stands for MAC Authentication Bypass, which is a feature that allows devices that do not support 802.1X, such as printers and video cameras, to bypass the authentication process and gain network access based on their MAC addresses1. By adding mab to the interface configuration, the Cisco ISE administrator can enable MAB as a fallback method after 802.1X fails or times out. This way, the devices that support 802.1X can use their machine certificate credentials, while the devices that do not support 802.1X can use their MAC addresses to authenticate with Cisco ISE2. The other options are not correct because they either compromise the security controls or do not address the problem. Changing the default policy in Cisco ISE to allow all devices not using machine authentication would weaken the security posture and expose the network to unauthorized access. Enabling insecure protocols within Cisco ISE in the allowed protocols configuration would also reduce the security level and increase the risk of attacks. Configuring authentication event fail retry 2 action authorize vlan 41 on the interface would only apply to the devices that fail authentication twice, and would not solve the issue for the devices that do not support 802.1X at all3. References:

1: MAC Authentication Bypass Deployment Guide

2: Configuring MAC Authentication Bypass

3: Cisco Identity Services Engine Administrator Guide, Release 3.1 - Segmentation

Cisco AnyConnect is a client-based VPN solution that provides secure remote access for individual users from their machines. It allows customization of access policies based on user identity, such as group membership, device posture, or location. This enables granular control over who can access what resources on the network. Cisco AnyConnect also supports various authentication methods, such as certificates, multifactor authentication, or single sign-on. Cisco AnyConnect can be deployed with Cisco Adaptive Security Appliance (ASA) or Cisco Firepower Threat Defense (FTD) as the VPN headend.

Cisco DMVPN is a network-based VPN solution that provides dynamic, on-demand, and scalable connectivity for branch offices, teleworkers, and business partners. It uses multipoint GRE (mGRE) tunnels and Next Hop Resolution Protocol (NHRP) to establish direct spoke-to-spoke communications without traversing the hub. It also supports IPsec encryption and various routing protocols over the tunnel. Cisco DMVPN can be deployed with Cisco IOS routers as the VPN headend.

The advantages of using Cisco AnyConnect over DMVPN are:

It enables VPN access for individual users from their machines, which is useful for mobile workers or telecommuters who need to connect to the network from anywhere.

It allows customization of access policies based on user identity, which is useful for enforcing security and compliance requirements for different types of users or devices.

The advantages of using DMVPN over Cisco AnyConnect are:

It provides spoke-to-spoke communications without traversing the hub, which reduces latency and bandwidth consumption for traffic between remote sites.

It allows different routing protocols to work over the tunnel, which provides flexibility and scalability for network design and management.

 The strongest security possible for SNMPv3 requires both authentication and encryption, which is achieved by using the priv security level. Authentication ensures that the message is from a valid source, and encryption scrambles the content of the packet to prevent it from being learned by an unauthorized source. The auth sha and priv aes 256 parameters specify the algorithms used for authentication and encryption, respectively. SHA is more secure than MD5, and AES 256 is more secure than DES or 3DES. Therefore, option D is the correct answer, as it uses the priv security level, the SHA algorithm for authentication, and the AES 256 algorithm for encryption. The other options either use a lower security level (noauth or authNoPriv), a weaker encryption algorithm (des or 3des), or no encryption at all. References :=

SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) - SNMP Version 3

Configuration Template for SNMPv3 - Cisco Community

SNMP Version 3 - Cisco

Content Security is a term that encompasses various security features and solutions that protect the data and applications from threats such as malware, ransomware, phishing, data loss, and unauthorized access. Content Security includes products such as Cisco Email Security, Cisco Web Security, Cisco Cloudlock, and Cisco Umbrella. These products use the AsyncOS API, which is a RESTful API that allows administrators and developers to programmatically interact with the content security appliances and services. The AsyncOS API enables tasks such as configuration, reporting, monitoring, troubleshooting, and automation of content security policies and actions. The AsyncOS API is based on the HTTP protocol and uses JSON or XML as the data format. The AsyncOS API also supports authentication, authorization, rate limiting, and error handling mechanisms. The AsyncOS API documentation provides the details of the available resources, methods, parameters, and responses for each content security product. References :=

Cisco Content Security Products

AsyncOS API Overview

AsyncOS API Documentation

1: https://www.cisco.com/c/en/us/products/security/content-security/index.html 2: https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-0/API/b_ESA_API_13_0_1/b_ESA_API_13_0_1_chapter_01.html 3: https://developer.cisco.com/docs/email-security/#!asyncos-api-overview

 TAXII, short for Trusted Automated eXchange of Intelligence Information, is a protocol that defines how cyber threat information can be shared via services and message exchanges. It is designed specifically to support STIX information, which is a standardized language for expressing and exchanging cyber threat information. TAXII enables organizations to share STIX information by defining an API that aligns with common sharing models, such as hub and spoke, source/subscriber, and peer-to-peer. TAXII also defines four services that allow users to discover, manage, receive, and request STIX information. Therefore, TAXII supports STIX information and determines how threat intelligence information is relayed. TAXII does not determine the “what” of threat intelligence, as that is the role of STIX. TAXII does not allow users to describe threat motivations and abilities, as that is also part of STIX. TAXII does not exchange trusted anomaly intelligence information, as that is a specific type of threat intelligence that may or may not be represented in STIX. References:

What are STIX/TAXII Standards I Resources I Anomali

Cyber Threat Intelligence Technical Committee - GitHub Pages

Explanation

Explanation

We should scan emails using AntiVirus signatures to make sure there are no viruses attached in emails.

Note: A virus signature is the fingerprint of a virus. It is a set of unique data, or bits of code, that allow it to be identified. Antivirus software uses a virus signature to find a virus in a computer file system, allowing to detect, quarantine, and remove the virus.

SenderBase is an email reputation service designed to help email administrators research senders, identify legitimate sources of email, and block spammers. When the Cisco ESA receives messages from known or highly reputable senders, it delivers them directly to the end user without any content scanning. However, when the Cisco ESA receives email messages from unknown or less reputable senders, it performs antispam and antivirus scanning.

Multifactor authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN1. MFA is a core component of a strong identity and access management (IAM) policy. MFA can help prevent an attacker from stealing usernames and passwords of users within an organization by adding an extra layer of security beyond the traditional username and password. For example, a user may need to enter a one-time code sent to their phone or email, scan their fingerprint, or use a hardware token to prove their identity. This way, even if an attacker obtains the user’s credentials, they cannot access the resource without the second factor2.

The other options are not technologies that can help prevent an attacker from stealing usernames and passwords of users within an organization. RADIUS-based REAP is a protocol that allows wireless clients to authenticate with a RADIUS server, but it does not provide MFA3. Fingerprinting is a technique that identifies the operating system or application of a device based on its network characteristics, but it does not provide MFA4. Dynamic ARP Inspection is a security feature that prevents ARP spoofing attacks by validating ARP packets, but it does not provide MFA5.

References := 1: What is Multi-Factor Authentication (MFA)? | OneLogin(https://www.onelogin.com/learn/what-is-mfa) 2: What is: Multifactor Authentication - Microsoft Support(https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661) 3: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Securing the Network, Lesson 3.3: Secure Wireless Connectivity, Topic 3.3.1: Wireless Security Protocols, page 3-40. 4: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 2: Securing the Cloud, Lesson 2.2: Cloud Security Assessment, Topic 2.2.1: Cloud Security Concepts, page 2-13. 5: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Securing the Network, Lesson 3.2: Secure Network Access, Topic 3.2.2: Layer 2 Security Features, page 3-19.

Explanation

Cisco Stealthwatch Cloud: Available as an SaaS product offer to provide visibility and threat detection within public cloud infrastructures such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

 TACACS+ is a protocol that provides authentication, authorization, and accounting (AAA) services for network devices. Unlike RADIUS, which only supports authorization at the user level, TACACS+ supports authorization at the command level. This means that TACACS+ can verify the permissions of the network administrator for every command that is entered, and allow or deny access accordingly. This provides more granular and secure control over network resources and operations. EAPOL, SSH, and RADIUS are not protocols that can provide command-level authorization for AAA. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Network Security Devices and Cloud Services, Topic 1.2.3: AAA

350-701 SCOR - Cisco, Exam Topics, 1.0 Security Concepts, 1.2 Compare network security solutions, 1.2.a AAA

What Is AAA Security? | Fortinet, Authentication, Authorization, and Accounting (AAA)

Full Context Awareness - policy enforcement

NGIPS - threat prevention

AMP - real-time

Collective Sec Intel - Detection, blocking an remediation

Cisco ESA uses a multilayer approach to fight viruses and malware. The first layer of defense consists of outbreak filters, which the appliance downloads from Cisco SenderBase. Outbreak filters use global threat intelligence and behavioral analysis to identify and block emerging threats before they reach the network. The second layer of defense consists of antivirus engines, which scan the message body and attachments for known viruses and malware. Cisco ESA supports multiple antivirus engines, such as Sophos, McAfee, and Cisco AMP. The Sophos engine is one of the default engines that Cisco ESA uses, along with McAfee. The Sophos engine provides fast and accurate detection of viruses and malware, and updates its signatures frequently. The other options are not features that are used to configure Cisco ESA with a multilayer approach to fight viruses and malware. A white list is a list of trusted senders or recipients that are exempt from spam or virus filtering. RAT is the Recipient Access Table, which is used to determine whether the appliance accepts or rejects messages to a recipient address. DLP is Data Loss Prevention, which is used to prevent sensitive or confidential data from leaving the network. References :=

Email Security Using Cisco ESA

Demystifying Cisco ESA HAT, RAT Tables and Deployment Types

Email Security Deployment Guide - Cisco

 The configuration snippet in the image is a part of IKEv2 configuration where the name mangler is associated with the organizational unit (OU) “MANGLER”. In Cisco’s IKEv2 implementation, this specific configuration means that only an IKEv2 peer whose certificate has an OU attribute set to “MANGLER” can establish an IKEv2 Security Association successfully. This is a method of ensuring that only peers with certificates issued to a specific organizational unit can connect, enhancing security by limiting unauthorized access. The name mangler is a feature that allows the administrator to specify a string that must be present in the peer’s certificate for authentication. The name mangler can be applied to any certificate field, such as common name (CN), organization (O), or OU. The name mangler can also be used to modify the peer’s identity based on the certificate field, such as appending or prepending a string to the identity. The name mangler is configured under the IKEv2 profile using the command crypto ikev2 profile profile-name identity name-mangler name-mangler-name dn field-name. In this case, the name mangler is applied to the OU field of the peer’s certificate. The other options are incorrect because they do not describe the effect of the name mangler configuration. Option A is incorrect because the name mangler does not affect the identity matching for the IKEv2 authorization policy. The identity matching is based on the peer’s identity type and value, which can be different from the certificate field. Option C is incorrect because the name mangler does not encrypt the OU field of the peer’s certificate. The OU field is part of the certificate’s subject, which is not encrypted in the IKEv2 messages. Option D is incorrect because the name mangler does not set the OU field of the peer’s certificate. The OU field is determined by the certificate authority (CA) that issues the certificate, and the name mangler only verifies or modifies the peer’s identity based on the OU field. References : Configuring Internet Key Exchange Version 2, Internet Key Exchange Version 2 CLI Constructs, Tutorial: Setting up a certificate-based IKEv2 VPN connection (RSA)

 Microsegmentation is a method of securing multi cloud data centers using granular segmentation rules for the individual workload or application, reducing the risk of an attacker moving from one compromised workload or application to another1. Microsegmentation with Cisco ACI enables you to automatically assign endpoints to logical security zones called endpoint groups (EPGs). These EPGs are based on various network-based or virtual machine (VM)-based attributes2. Microsegmentation is also referred to as application segmentation or east-west segmentation in a multicloud data center1. References: 1: What Is Micro-Segmentation? - Cisco 2: Microsegmentation with Cisco ACI

The Cisco Stealthwatch system collects and analyzes network telemetry such as flow (NetFlow, sFlow, JFlow, IPFIX, etc.) from routers, switches, and firewalls to monitor network and user behavior. The system conducts sophisticated, proprietary analytics on network data to automatically detect abnormal behaviors that may signify an attack1. NetFlow is a protocol that provides information about network traffic flows, such as source and destination IP addresses, ports, protocols, bytes, packets, and timestamps. NetFlow data can be used to identify network anomalies, bandwidth usage, application performance, and security incidents2. References :=

Some possible references are:

1: Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics, Zones, 3 2: What is NetFlow? Definition and Benefits, Cisco, 7

Explanation

Explanation

The traditional use of the pull model, where the client requests data from the network does not scale when what you want is near real-time data. Moreover, in some use cases, there is the need to be notified only when some data changes, like interfaces status, protocol neighbors change etc.

Model-Driven Telemetry is a new approach for network monitoring in which data is streamed from network devices continuously using a push model and provides near real-time access to operational statistics.

Applications can subscribe to specific data items they need, by using standard-based YANG data models over NETCONF-YANG. Cisco IOS XE streaming telemetry allows to push data off of the device to an external collector at a much higher frequency, more efficiently, as well as data on-change streaming.

Explanation

Explanation

… we will showcase Cisco Threat Intelligence Director (CTID) an exciting feature on Cisco’s Firepower

Management Center (FMC) product offering that automates the operationalization of threat intelligence. TID has the ability to consume threat intelligence via STIX over TAXII and allows uploads/downloads of STIX and simple blacklists. Reference: https://blogs.cisco.com/developer/automate-threat-intelligence-using-cisco-threat-intelligencedirector

WannaCry ransomware is a type of malware that encrypts the files on the infected devices and demands a ransom for their decryption. It exploits a vulnerability in the Windows SMB protocol that allows remote code execution. To prevent WannaCry ransomware from spreading to all clients, IT should take the following precautions:

Ensure that noncompliant endpoints are segmented off to contain any potential damage. This means that any device that is not patched, managed, or compliant with the security policies should be isolated from the rest of the network and given limited access to resources. This can be done using Cisco Identity Services Engine (ISE) and Cisco TrustSec, which can enforce dynamic segmentation based on the device’s identity, posture, and context. This way, IT can prevent the ransomware from infecting other devices and reduce the impact of the attack12

Perform a posture check to allow only network access to those Windows devices that are already patched. This means that IT should verify that the devices have installed the latest security updates from Microsoft that fix the SMB vulnerability. This can be done using Cisco AnyConnect Secure Mobility Client, which offers a VPN Posture/HostScan Module and an ISE Posture Module. Both modules can assess the endpoint’s compliance for things like operating system, patches, antivirus, antispyware, and firewall software. If the device is not patched, it can be denied access to the network or redirected to a remediation portal13

 1: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.0 - Configure Posture 2: Can We Trust Your Device? Checking Security Posture - Cisco 3: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.10 - Configure Posture

According to the NIST 800-145 guide1, a community cloud is a cloud infrastructure that is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. A community cloud is different from a hybrid cloud, which is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). A private cloud is a cloud infrastructure that is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. A public cloud is a cloud infrastructure that is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. References :=

Some possible references are:

1: NIST SP 800-145, The NIST Definition of Cloud Computing, 1 2: Evaluation of Cloud Computing Services Based on NIST SP 800-145, 3 3: What Is Community Cloud? Definition, Architecture, Examples, and Best Practices, 6

To collect full metadata information about the traffic going through their AWS cloud services, the organization needs to send VPC Flow Logs to Cisco Stealthwatch Cloud and configure Cisco Stealthwatch Cloud to ingest AWS information. VPC Flow Logs is a feature that enables the organization to capture information about the IP traffic going to and from network interfaces in their VPC. Flow log data can be published to Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose1. Cisco Stealthwatch Cloud is a SaaS-based network and cloud security solution that provides behavioral analytics across the network to help the organization improve threat detection and achieve a stronger security posture2. By sending VPC Flow Logs to Cisco Stealthwatch Cloud, the organization can leverage the rich network flow metadata to perform various types of flow analysis, such as troubleshooting connectivity issues, monitoring the traffic patterns, detecting anomalous or malicious activity, and verifying compliance3. To send VPC Flow Logs to Cisco Stealthwatch Cloud, the organization needs to create a flow log for their VPC, subnet, or network interface, and specify Cisco Stealthwatch Cloud as the destination4. To configure Cisco Stealthwatch Cloud to ingest AWS information, the organization needs to add their AWS account as a data source in the Cisco Stealthwatch Cloud portal, and grant the necessary permissions for Cisco Stealthwatch Cloud to access their VPC Flow Logs5. By doing so, the organization can view and analyze the flow log data in the Cisco Stealthwatch Cloud dashboard, and receive valuable security alerts and insights based on the network behavior6.

References := 1: Logging IP traffic using VPC Flow Logs - Amazon Virtual Private Cloud 2: Cisco Secure Cloud Analytics (Stealthwatch Cloud) - Cisco 3: Cisco Secure Cloud Analytics - AWS VPC Flow Logs: A New Tool for Your … 4: Publish flow logs to Cisco Stealthwatch Cloud - Amazon Virtual Private Cloud 5: AWS Data Source Setup - Cisco Stealthwatch Cloud 6: AWS Workload Protection - Cisco Stealthwatch Cloud

To prevent rogue NTP servers from inserting themselves as the authoritative time source, the administrator needs to configure NTP authentication and specify the interface for syncing to the NTP server. NTP authentication allows the ASA to verify the identity and integrity of the NTP packets received from the server, using a shared secret key. Specifying the interface for syncing to the NTP server ensures that the ASA uses the correct source address for sending and receiving NTP packets, and avoids potential routing issues. The other options are not required or relevant for this task. Specifying the NTP version is optional and does not affect security. Configuring the NTP stratum is only applicable for NTP servers, not clients. The ASA can only act as an NTP client, not a server. Setting the NTP DNS hostname is not recommended, as it introduces a dependency on DNS resolution and may cause synchronization problems if the DNS server changes the IP address of the NTP server. References :=

Some possible references are:

Configure NTP Authentication on Secure Network Analytics

CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6 - Basic Settings

Cisco ASA NTP and Clock Configuration with Examples

 Mobile Device Management (MDM) is a solution that allows an organization to manage, monitor, and secure mobile devices such as smartphones, tablets, and laptops. MDM provides two main advantages to an organization with regards to device management:

Asset inventory management: MDM helps an organization keep track of all the mobile devices that are connected to its network, including their location, status, configuration, and usage. MDM also enables an organization to remotely wipe or lock devices that are lost, stolen, or compromised, preventing data loss and unauthorized access. Asset inventory management helps an organization optimize its resources, reduce costs, and comply with regulations12.

Allowed application management: MDM allows an organization to control what applications can be installed and run on the mobile devices, as well as how they can access and share data. MDM can also push updates and patches to the devices, ensuring that they are always running the latest and most secure versions of the applications. Allowed application management helps an organization enhance security, productivity, and performance of the mobile devices34.

 1: 7 Advantages and Disadvantages of Mobile Device Management [2024] 2: 5 Benefits of Mobile Device Management - ESET 3: Top 10 Benefits of Mobile Device Management (MDM) - TechFunnel 4: Benefits of Mobile Device Management (MDM) for Businesses

a Cisco FirePower sensor to Firepower Management Center is configure manager add < host > < key > . This command establishes a secure connection between the sensor and the FMC using a registration key. The  < host >  parameter can be either the IP address or the hostname of the FMC. The  < key >  parameter can be any alphanumeric string that matches the one configured on the FMC. This command is executed on the sensor’s CLI in the privileged EXEC mode12. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) course, Module 2: Network Security, Lesson 2: Deploying Cisco Firepower Next-Generation Firewall, Topic: Registering the Cisco Firepower NGFW to the FMC2: Firepower Management Center Configuration Guide, Version 6.6 - Device Management Basics [Cisco Secure Firewall Management Center] - Cisco.

The kind of API that is used with Cisco DNA Center to provision SSIDs, QoS policies, and update software versions on switches is the Intent API. The Intent API is a category of APIs that allows users to express their desired network outcomes or intents, such as creating a site, adding a device, or deploying a network profile. The Intent API then translates these intents into specific network configurations and commands, and applies them to the relevant network devices and services. The Intent API simplifies and automates the network provisioning and management process, and enables users to focus on the business objectives rather than the technical details. Some examples of Intent APIs are:

Site Management API: This API allows users to create, update, delete, and retrieve sites and buildings in Cisco DNA Center. A site is a logical grouping of network devices and services that share common characteristics, such as location, policies, or functions. A site can have one or more buildings, and a building can have one or more floors. Sites are used to organize and manage the network hierarchy and topology.

Network Settings API: This API allows users to configure and manage network-wide settings, such as global credentials, network discovery, IP address pools, DHCP and DNS servers, and SNMP settings. These settings are applied to all network devices and services that are managed by Cisco DNA Center.

Network Profile API: This API allows users to create, update, delete, and retrieve network profiles in Cisco DNA Center. A network profile is a collection of network settings and policies that define how a network segment or service should operate, such as SSIDs, QoS policies, security policies, and device roles. Network profiles are used to standardize and simplify the network configuration and deployment process, and to ensure consistency and compliance across the network.

Software Image Management API: This API allows users to manage the software images and versions of network devices that are managed by Cisco DNA Center. Users can import, export, delete, and retrieve software images, as well as assign them to network devices or device groups. Users can also schedule and monitor software image updates, and view the software image compliance status of network devices.

Explanation

Device sensor is a feature of access devices. It allows to collect information about connected endpoints. Mostly,

information collected by Device Sensor can come from the following protocols:

+ Cisco Discovery Protocol (CDP)

+ Link Layer Discovery Protocol (LLDP)

+ Dynamic Host Configuration Protocol (DHCP)

Explanation

The data plane of any network is responsible for handling data packets that are transported across the network.

(The data plane is also sometimes called the forwarding plane.)

Maybe this Qwants to ask about the encryption and authentication in the data plane of a SD-WAN network (but SD-WAN is not a topic of the SCOR 350-701 exam?).

In the Cisco SD-WAN network for unicast traffic, data plane encryption is done by AES-256-GCM, a symmetrickey algorithm that uses the same key to encrypt outgoing packets and to decrypt incoming packets. Each router periodically generates an AES key for its data path (specifically, one key per TLOC) and transmits this key to the vSmart controller in OMP route packets, which are similar to IP route updates.

GETVPN and IPsec are both VPN technologies that use ESP (Encapsulating Security Payload) to encrypt and authenticate data packets. However, they differ in the following aspects:

GETVPN uses a group IPSec security paradigm, which means that all group members share the same IPSec SA (Security Association) and can communicate with each other without having to establish point-to-point tunnels. IPsec, on the other hand, uses a pair-wise IPSec security paradigm, which requires each pair of devices to negotiate and maintain their own IPSec SAs and tunnels.

GETVPN uses GDOI (Group Domain of Interpretation) as a key management protocol, which allows a Key Server (KS) to distribute the encryption keys and policies to all group members. IPsec uses IKE (Internet Key Exchange) as a key management protocol, which involves two phases of negotiation between each pair of devices to establish the IPSec SAs.

GETVPN supports multicast traffic without the need for GRE (Generic Routing Encapsulation) tunneling, as it preserves the original IP header of the packet. IPsec does not support multicast traffic natively, and requires GRE tunneling to encapsulate the multicast packets with a new IP header.

GETVPN relies on the underlying WAN routing to deliver the encrypted packets to the destination, as it does not create any overlay routing. IPsec creates an overlay routing, which may introduce additional latency and complexity.

References :=

Some possible references are:

[Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 6: Secure Connectivity, Lesson 6.2: Implementing Site-to-Site VPNs, Topic 6.2.2: Group Encrypted Transport VPN

Group Encrypted Transport VPN (GETVPN)

GETVPN - Cisco Community

Cisco Get VPN vs DMVPN: Difference and Comparison

What is a difference between GETVPN and IPsec?

Explanation

Diffie Hellman (DH) uses a private-public key pair to establish a shared secret, typically a symmetric key. DH is not a symmetric algorithm – it is an asymmetric algorithm used to establish a shared secret for a symmetric key algorithm.

 Cisco Firepower is a unified security solution that combines firewall, intrusion prevention system (IPS), advanced malware protection (AMP), and threat intelligence features. Cisco ASA is a traditional firewall that focuses on network traffic control based on packet filtering and stateful inspection. One of the key differences between Cisco Firepower and Cisco ASA is that Cisco Firepower natively provides intrusion prevention capabilities while Cisco ASA does not. Intrusion prevention is the process of detecting and blocking malicious network traffic before it reaches the intended target. Cisco Firepower uses a combination of signature-based and behavior-based detection methods to identify and stop known and unknown attacks. Cisco ASA, on the other hand, does not have built-in intrusion prevention capabilities. It can only perform basic packet inspection and filtering based on predefined rules. To enable intrusion prevention on Cisco ASA, an additional module called FirePOWER Services is required. This module integrates Cisco Firepower features into Cisco ASA, but it is not the same as Cisco Firepower itself. Cisco Firepower offers more advanced and integrated security features than Cisco ASA with FirePOWER Services123. References: 1: Cisco ASA vs Cisco Firepower | What are the differences? - StackShare 2: Cisco FTD vs ASA: Difference and Comparison 3: CISCO FIREPOWER VS. ASA - Critical Design

Multiple context mode allows you to partition a single ASA into multiple virtual firewalls, each with its own security policy, interfaces, and management IP address. This mode is useful for providing security services to different customers or tenants on a shared appliance, while maintaining separation of management and configuration. Each context acts as an independent device and can be in either routed or transparent mode. You can also assign different administrators to each context and limit their access to specific commands and features. Multiple context mode is supported in Cisco ACI with the ASA device package version 1.2 or later. References: 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Service_Graph_Deployment_Guide/b_L4L7_Service_Graph_Deploy_ver122g/b_L4L7_Service_Graph_Deploy_ver122x_chapter_0110.pdf

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/intro-fw.html

Explanation

Spero analysis is a feature of Cisco AMP for Networks that examines structural characteristics such as metadata and header information in executable files. After generating a Spero signature based on this information, if the file is an eligible executable file, the device submits it to the Spero heuristic engine in the AMP cloud for analysis1. Spero analysis can detect malware based on the file’s structure and behavior, without requiring a full file upload2. Spero analysis is different from dynamic analysis, sandbox analysis, and malware analysis, which are other features of Cisco AMP for Networks that perform different types of file inspection and analysis3. References: 1: How to configure Firepower AMP to not upload files to … - Cisco Community 2: File Policies - Network Direction 3: Cisco AMP for Networks - Cisco

The cause of this issue is that NTP authentication is not enabled on the router. The commands shown in the exhibit only define the authentication key and mark it as trusted, but they do not enable NTP authentication globally or on a per-peer basis. To enable NTP authentication globally, the command ntp authenticate must be used. To enable NTP authentication on a per-peer basis, the command ntp server ip-address key key-id or ntp peer ip-address key key-id must be used, where key-id is the same as the one defined by the ntp authentication-key command. Without enabling NTP authentication, any device can synchronize time with this router, regardless of whether it has the same authentication key or not.

The other options are incorrect because:

The key was configured in plain text, but this is not the cause of the issue. Although it is recommended to use the ntp authentication-key key-id md5 key [encrypted] command to encrypt the key, using plain text does not prevent NTP authentication from working, as long as the same key is configured on both the router and the peer.

The hashing algorithm that was used was MD5, which is supported by NTP. MD5 is the default algorithm for NTP authentication and it can be used with any key length from 1 to 16 characters. Other algorithms, such as SHA and SHA1, are also supported by NTP if the OpenSSL library is installed, but they are not required for NTP authentication to work.

The router was not rebooted after the NTP configuration updated, but this is not necessary for NTP authentication to take effect. NTP authentication is applied immediately after the configuration commands are entered, and no reboot is required.

 Cisco NBAR2 is a classification engine that recognizes and classifies a wide variety of protocols and applications based on their deep packet inspection (DPI) signatures. NBAR2 enables the platform to identify and output various applications within the network traffic flows, such as web, email, voice, video, and so on. NBAR2 also supports custom protocols and applications, allowing the platform to classify traffic based on user-defined criteria. NBAR2 helps the platform to apply the appropriate quality of service (QoS), security, and policy for each application or protocol. References :=

Some possible references are:

Cisco NBAR2

Classifying Network Traffic Using NBAR

Next Generation NBAR (NBAR2)

Microsegmentation is a network security technique that enables security architects to logically divide the data center or cloud environment into distinct security segments down to the individual workload level, and then define security controls and deliver services for each unique segment. Microsegmentation software with network virtualization technology is used to create zones in cloud deployments. These granular secure zones isolate workloads, securing them individually with custom, workload-specific policies. Microsegmentation uses a zero-trust model, which means that no traffic is allowed by default, and only explicitly authorized traffic is permitted based on the principle of least privilege. Microsegmentation helps to reduce the attack surface, prevent the lateral movement of threats, and strengthen regulatory compliance. The other options are incorrect because they do not describe microsegmentation accurately. Option B is incorrect because container orchestration platforms, such as Kubernetes, are used to automate the deployment, scaling, and management of containerized applications, but they do not provide microsegmentation by themselves. Option C is incorrect because private VLAN segmentation is a network security technique that isolates hosts within the same VLAN, but it does not provide granular security controls at the workload level. Option D is incorrect because host-based firewall rules are one of the components of microsegmentation, but they are not sufficient to implement microsegmentation without network virtualization and policy automation. References : What Is Microsegmentation? - Palo Alto Networks, What Is Micro-Segmentation? - Cisco, What is Micro-Segmentation? | VMware Glossary

A SQL injection attack is a type of attack that exploits a vulnerability in a web application that uses user-supplied data to construct SQL statements that interact with a database. By inserting malicious commands into the database, an attacker can execute arbitrary SQL queries or commands on the database server, which may result in data theft, data manipulation, or command execution. Machine 1 is vulnerable to SQL injection because it does not properly validate or sanitize the user input before using it in a SQL statement. Therefore, inserting malicious commands into the database would allow the attacker to gain access to machine 1.

A buffer overflow attack is a type of attack that exploits a vulnerability in a program that does not check the boundaries of a buffer (a temporary storage area for data) before copying data into it. By overflowing the buffer’s memory, an attacker can overwrite adjacent memory locations, which may result in corrupting data, crashing the program, or executing malicious code. Machine 2 is vulnerable to buffer overflow because it does not properly handle the size or length of the data that it receives from the user or another source. Therefore, overflowing the buffer’s memory would allow the attacker to gain access to machine 2.

Sniffing the packets between the two hosts is a passive attack that involves capturing and analyzing the network traffic that flows between the two machines. This attack may reveal sensitive information, such as credentials, session tokens, or database queries, but it does not directly allow the attacker to gain access to either machine. Sending continuous pings is a type of denial-of-service attack that involves flooding the target machine with ICMP echo request packets, which may consume its network bandwidth or processing resources, but it does not directly allow the attacker to gain access to either machine. Therefore, neither sniffing the packets nor sending continuous pings would allow the attacker to gain access to machine 1 but not machine 2. References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Web Security, SQL Injection Attacks

Understanding SQL Injection - Cisco, SQL Injection Explained

Buffer Overflow and SQL Injection: To Remotely Attack and … - Springer, Buffer Overflow and SQL Injection Attacks

Explanation

Umbrella Roaming is a cloud-delivered security service for Cisco’s next-generation firewall. It protects your employees even when they are off the VPN.

Northbound APIs are the link between the applications and the SDN controller. The applications can tell the network what they need (data, storage, bandwidth, and so on) and the network can deliver those resources, or communicate what it has. These APIs support a wide variety of applications, such as load balancers, firewalls, orchestration platforms, and automation stacks. Northbound APIs also enable the applications to use the controller’s capabilities to program flows into the network devices using the southbound interface. Northbound APIs are usually RESTful APIs that use HTTP methods to exchange data in JSON or XML formats12.

OpenFlow is not a northbound API protocol, but a southbound API protocol that defines the communication between the SDN controller and the network switches or routers. OpenFlow allows the controller to manipulate the forwarding behavior of the switches or routers by sending commands and receiving events3 .

NETCONF is not a northbound API protocol, but a network management protocol that can be used as a southbound API protocol to configure and monitor network devices. NETCONF uses XML to encode data and remote procedure calls (RPCs) to exchange messages between the controller and the network devices . References := 1: What are SDN Northbound APIs (and SDN Rest APIs)? - SDxCentral 2: SDN North-bound and South-bound APIs and Interfaces 3: OpenFlow - Wikipedia : OpenFlow - SDxCentral : NETCONF - Wikipedia : NETCONF Protocol - Cisco

1sdxcentral.com2computernetworkingnotes.com3examguides.com

The exhibit shows an access rule for URL filtering that has the following conditions:

The action is Block

The URL category is Botnets

The URL reputation is 3

The URL list is empty

This means that the rule will block any URL that matches the category and reputation criteria, regardless of the individual URL. According to the Cisco documentation1, the URL reputation is a score from 1 to 5 that indicates the risk level of a URL, where 1 is the most risky and 5 is the least risky. Therefore, a reputation score of 3 means a moderate risk level. The rule will not block URLs for botnets with reputation scores of 1, 2, 4, or 5, nor will it block any other URL category or list. The rule will also not allow any URL, as the action is Block, not Allow.

References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Securing the Cloud, Lesson 4.3: Cloud Application Security, Topic 4.3.2: Cisco Umbrella, page 4-58.

A passphrase is a type of protection that encrypts RSA keys when they are exported and imported. A passphrase is a sequence of characters that the user enters to decrypt the key. The passphrase acts as a symmetric key that is used to encrypt and decrypt the RSA key with a symmetric algorithm, such as AES. This way, the RSA key is protected from unauthorized access or tampering when it is transferred or stored. A passphrase can also provide additional security by adding entropy to the RSA key generation process. A file, NGE, and nonexportable are not types of protection that encrypt RSA keys when they are exported and imported. A file is a container that stores the RSA key, but does not encrypt it. NGE stands for Next Generation Encryption, which is a set of cryptographic standards and algorithms that Cisco recommends, but it is not a specific type of protection. Nonexportable is a property that prevents the RSA key from being exported at all, but it does not encrypt it. References: RSA/Schannel Key BLOBs, Common Encryption Types, Protocols and Algorithms Explained, Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (Module 5: Implementing Secure Communications with VPNs, Lesson 5.1: Implementing Site-to-Site VPNs, Topic 5.1.2: Implementing Site-to-Site VPNs with Pre-Shared Keys)

 The Cisco ESA uses the Sender Domain Reputation (SDR) service to assign a reputation verdict to each message based on the sender’s domain and other attributes. The SDR verdicts range from Awful to Good, and each verdict has a corresponding reputation score. The administrator can configure a message or content filter to take action on messages based on their SDR verdict or score. For example, the administrator can set a threshold score to drop messages that have a poor or awful reputation. However, if the SDR service cannot determine a verdict for a message, it assigns an undetermined verdict with a score of -1. This means that the message will not be dropped by the filter unless the administrator explicitly sets the threshold to -1 or lower. Therefore, the reason why the Cisco ESA is not dropping files that have an undetermined verdict is because the file has a reputation score that is above the threshold. References :=

Some possible references are:

Configure Sender Domain Reputation for ESA

Sender Domain Reputation Filtering

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (source book)

Explanation

The HMAC-SHA-1-96 (also known as HMAC-SHA-1) encryption technique is used by IPSec to ensure that a message has not been altered. (- > Therefore answer “integrity” is the best choice). HMAC-SHA-1 uses the SHA-1 specified in FIPS-190-1, combined with HMAC (as per RFC 2104), and is described in RFC 2404.

NetFlow Secure Event Logging (NSEL) is a security logging mechanism that is built on NetFlow Version 9 technology. It provides a stateful, IP flow tracking method that exports only those records that indicate significant events in a flow, such as flow-create, flow-teardown, and flow-denied. NSEL events are triggered by the event that caused the state change in the flow. This reduces the amount of data that is exported and provides more relevant information for security analysis. NSEL also supports periodic flow-update events, which provide byte counters over the duration of the flow. These events are usually time-driven, but may also be triggered by state changes in the flow. NSEL uses templates to describe the format of the data records that are exported through NetFlow. Each event has several record formats or templates associated with it. NSEL delivers templates and data records to configured NSEL collectors through NetFlow over UDP only. NSEL also allows filtering of NSEL events based on the traffic and event type through Modular Policy Framework, and then sends records to different collectors. The supported event types are flow-create, flow-denied, flow-teardown, flow-update, and all. References :=

Some possible references are:

NetFlow Secure Event Logging (NSEL) - Cisco

NetFlow Secure Event Logging (NSEL) - Cisco

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (source book)

The command show authen sess int gi0/1 displays the authentication session information for the interface gi0/1, such as the MAC address, the authentication method, the authentication state, the session timeout, and the VLAN assignment. This command is useful for verifying the status of an 802.1X connection on a specific interface. The other commands are not related to 802.1X authentication. The command show authorization status displays the authorization status for the current user. The command show connection status gi0/1 is not a valid Cisco command. The command show ver gi0/1 displays the version information for the interface gi0/1. References: 802.1X Authentication Commands, Configuring IEEE 802.1x Port-Based Authentication, What Cisco command shows you the status of an 802.1X connection on interface gi0/1?

Explanation

Compared to RSA, the prevalent public-key cryptography of the Internet today, Elliptic Curve Cryptography (ECC) offers smaller key sizes, faster computation,as well as memory, energy and bandwidth savings and is thus better suited forsmall devices.

Trusted Automated Exchange of Indicator Information (TAXII) is a standard that defines how to exchange cyber threat intelligence (CTI) over HTTPS. CTI includes indicators of compromise (IOCs), such as malware hashes, IP addresses, URLs, and domains, that can be used to detect and respond to cyberattacks. TAXII enables the sharing of CTI in a secure, automated, and interoperable way among different organizations and tools. Structured Threat Information Expression (STIX) is a standard that defines how to represent and structure CTI in a common language. STIX and TAXII are often used together to facilitate the exchange of CTI. Advanced Persistent Threat (APT) is not a standard, but a term used to describe a sophisticated and stealthy cyberattack that persists over a long period of time, often targeting specific organizations or sectors. Open Command and Control (OpenC2) is a standard that defines how to communicate and execute cyber defense actions across different technologies and domains. OpenC2 enables the orchestration and automation of cyber defense actions, such as blocking, isolating, or redirecting malicious traffic or devices. References :=

Some possible references are:

[Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 4: Content Security, Lesson 4.3: Cisco Umbrella, Topic 4.3.1: Cisco Umbrella Investigate

350-701 SCOR - Cisco, Exam Topics, 4.0 Content Security, 4.3 Describe the components, capabilities, and benefits of Cisco Umbrella, 4.3.a Investigate

TAXII - OASIS Cyber Threat Intelligence Technical Committee, Overview, Introduction

STIX - OASIS Cyber Threat Intelligence Technical Committee, Overview, Introduction

OpenC2 - OASIS Open Command and Control Technical Committee, Overview, Introduction

What is an Advanced Persistent Threat (APT)? | Fortinet, Definition, What is an APT?

create an application control blocked applications list. This option allows you to specify a list of files that you want to prevent from running on the endpoints that have the AMP connector installed. The files are identified by their SHA-256 hashes, and you can upload them individually or in a batch. The files are not quarantined, but they are blocked from execution and reported as events in the AMP console1. This option is different from the simple custom detection list, which is used to detect and quarantine specific files that are considered malicious2. The advanced custom detection list is also used to detect and quarantine files, but it allows you to specify more criteria such as file size, file name, and file path3. The IP block and allow lists are used to control the network traffic to and from the endpoints, not the file execution4. References: 1: Configure Application Control on the AMP for Endpoints Portal 2: Configure a Simple Custom Detection List on the AMP for Endpoints Portal 3: [Configure an Advanced Custom Detection List on the AMP for Endpoints Portal] 4: [Configure IP Block and Allow Lists on the AMP for Endpoints Portal]

Cisco ISE is the security solution that is used for posture assessment of the endpoints in a BYOD solution. Posture assessment allows Cisco ISE to inspect the security health of the endpoints, such as their operating system, software applications, network settings, and security software. Cisco ISE can then enforce posture policies based on the compliance status of the endpoints and grant or deny them access to the network resources. Cisco ISE supports different types of posture agents, such as AnyConnect, AnyConnect Stealth, and Temporal Agent, to monitor and remediate the endpoints. Cisco ISE also supports agentless posture for devices that cannot run an agent, such as printers, cameras, and IoT devices. Cisco ISE integrates with various third-party vendors to provide posture assessment for different endpoint platforms, such as Windows, Mac, Linux, Android, and iOS. References :=

Some possible references are:

Cisco Identity Services Engine Administrator Guide, Release 3.0 - Compliance

Chapter 15. Device Posture Assessment - Cisco ISE for BYOD and Secure Unified Access

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

 Split tunneling is a feature that allows VPN users to access both the corporate network and the internet at the same time. By using split tunneling, only the traffic destined for the 10.0.0.0/24 network will be encrypted and sent through the VPN tunnel, while the rest of the traffic will be sent directly to the internet. This reduces the VPN bandwidth load on the headend Cisco ASA and ensures that bandwidth is available for VPN users needing access to corporate resources. Split tunneling can be configured on the ASA by using the split-tunnel-network-list value command under the group-policy attributes. The network list should include the 10.0.0.0/24 network as the only entry. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Secure Connectivity, Lesson 5.1: Implementing Site-to-Site VPNs on Cisco Routers and ASA Firewalls, Topic 5.1.3: Configuring Site-to-Site VPNs on Cisco ASA Firewalls, Subtopic 5.1.3.2: Configuring Split Tunneling.

 MFA stands for multi-factor authentication, which is a security method that requires users to provide two or more pieces of evidence to verify their identity before accessing a system. MFA can prevent unauthorized access to the system if a user’s password is compromised, because the attacker would also need to obtain the other factors, such as a one-time code, a biometric scan, or a physical token. MFA can be implemented using various technologies, such as SMS, email, phone call, mobile app, or hardware device. According to Microsoft, adopting MFA can prevent approximately 99.9% of compromised user accounts, significantly bolstering security measures against unauthorized access12. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 6: Secure Network Access and Visibility, Lesson 6.1: Implementing Secure Network Access

350-701 SCOR - Cisco, Exam Topics, 6.1 Implement secure network access

What Is Unauthorized Access? 5 Key Prevention Best Practices - Cynet, Best Practice #3: Implement multi-factor authentication

Unauthorized Access: Top 8 Practices for Detecting and Responding - Ekran System, Best Practice #3: Use multi-factor authentication

A Trojan malware attack is a type of malicious code or software that disguises itself as a legitimate program or file to trick users into executing it. Once executed, the Trojan can perform various harmful actions on the infected system or network, such as stealing data, deleting files, or installing other malware. There are different types of Trojan malware attacks, depending on their purpose and behavior. Two common types are:

Rootkit: A rootkit is a type of Trojan that hides itself and other malware from detection and removal by antivirus software or system tools. A rootkit can modify the operating system or the firmware of the device to gain persistent and privileged access to the system. A rootkit can also intercept and manipulate system calls, network traffic, or user input to conceal its activities or redirect them to malicious servers.

Backdoor: A backdoor is a type of Trojan that creates a secret or unauthorized access point to the infected system or network. A backdoor can allow an attacker to remotely control the system, execute commands, upload or download files, or monitor the system activity. A backdoor can also be used to install other malware or launch further attacks on other systems or networks.

 Cisco ISE is a solution that allows an administrator to provision, monitor, and secure mobile devices on Windows and Mac computers from a centralized dashboard. Cisco ISE integrates with Mobile Device Management (MDM) servers to provide necessary insight into the posture of mobile devices and enforce network access policies. Cisco ISE can also perform device registration, remediation, and periodic compliance checks on mobile devices. Cisco ISE can also issue remote actions on the device through the MDM server, such as full wipe, corporate wipe, and PIN lock. Cisco ISE can also augment endpoint data with information from the MDM server that cannot be gathered using the Cisco ISE profiling services. References:

Integrate XenMobile Mobile Device Management (MDM) with Cisco Identity Services Engine (ISE)

Cisco Identity Services Engine Administrator Guide, Release 2.4 - Mobile Device Manager Interoperability with Cisco ISE

Cisco ISE Integration with Mobile Device Management (MDM)

Explanation

Explanation

NetFlow is typically used for several key customer applications, including the following:

…

Billing and accounting. NetFlow data provides fine-grained metering (for instance, flow data includes details such as IP addresses, packet and byte counts, time stamps, type of service (ToS), and application ports) for highly flexible and detailed resource utilization accounting. Service providers may use the information for billing based on time of day, bandwidth usage, application usage, quality of service, and so on. Enterprise customers may use the information for departmental charge back or cost allocation for resource utilization.

Time synchronization is one of the features that can be configured for managed devices in the device platform settings of the Firepower Management Center (FMC). Time synchronization ensures that the FMC and its managed devices have the same date and time settings, which is important for accurate event logging and reporting. The FMC can act as a Network Time Protocol (NTP) server for its managed devices, or it can use an external NTP server as a time source1. The FMC can also synchronize its time with the system clock of the device where it is installed2. References := 1: Firepower Management Center Device Configuration Guide, 7.1 - Platform Settings 2: Firepower Management Center Configuration Guide, Version 6.6 - Device Management Basics

To block all subdomains of domain.com, the administrator should configure the domain.com address in the block list. This is because Umbrella automatically applies a left side and right side wildcard to every domain in a block or allow destination list. Therefore, adding domain.com to a block list will result in requests to domain.com or its subdomains, such as www.domain.com, being blocked. Adding a wildcard character (*) is not supported and will not work. Adding the *.com address in the block list will block all domains that end with .com, which is not the desired outcome. References:

Understanding Destination lists supported entries and error messages

Wildcards and Destination Lists

DNS-layer security is a method of protecting users from cyberthreats by blocking malicious or risky domains before a connection is established. Cisco Umbrella is a cloud-based service that provides DNS-layer security by using Cisco Talos threat intelligence to filter DNS requests and prevent access to malicious domains. Cisco Umbrella also offers other security features, such as web filtering, cloud-delivered firewall, secure web gateway, and cloud access security broker. Cisco Umbrella can protect users on and off the corporate network, regardless of their location or device. Cisco Umbrella is compatible with other Cisco security solutions, such as Cisco ISE, Cisco FTD, and Cisco ASA, but it is the only one that offers DNS-layer security as a core capability. References:

What Is DNS Security? How Does It Work? - Cisco Umbrella

Why Umbrella DNS Security? - Cisco Umbrella

Explanation

A trusted CA is the only entity that can issue trusted digital certificates. This is extremely important because while PKI manages more of the encryption side of these certificates, authentication is vital to understanding which entities own what keys. Without a trusted CA, anyone can issue their own keys, authentication goes out the window and chaos ensues.

Explanation

Cisco Hybrid Email Security is a unique service offering that facilitates the deployment of your email security

infrastructure both on premises and in the cloud. You can change the number of on-premises versus cloud

users at any time throughout the term of your contract, assuming the total number of users does not change.

This allows for deployment flexibility as your organization’s needs change.

Explanation

Application Visibility and control (AVC) supports NetFlow to export application usage and performance

statistics. This data can be used for analytics, billing, and security policies.

The issue is that the engineer is using the wrong hashing algorithm to generate the hash for the custom detection policy. Cisco AMP for Endpoints requires the use of SHA-256 hashes for simple custom detections, as stated in the Configure a Simple Custom Detection List on the AMP for Endpoints Portal document. SHA-256 hashes are 64 hexadecimal characters long, while MD5 hashes are 32 hexadecimal characters long. Therefore, if the engineer tries to upload a hash created using MD5, the dashboard will indicate that the hash is not 64 characters and is non-zero, as shown in the image below:

To resolve the issue, the engineer should use a tool or a website that can generate SHA-256 hashes from files, such as this one, and upload the correct hash to the custom detection list. References : Configure a Simple Custom Detection List on the AMP for Endpoints Portal, Create an Advanced Custom Detection List in Cisco Secure Endpoint, Working with Advanced Malware Protection (AMP) for Endpoints

Cisco Stealthwatch is a security solution that uses NetFlow to provide visibility across the network, data center, branch offices, and cloud. NetFlow is a protocol that collects and exports statistics on network traffic flows from routers, switches, firewalls, and other devices. NetFlow data can be used to monitor network performance, troubleshoot issues, detect anomalies, and identify security threats. Cisco Stealthwatch analyzes NetFlow data from various sources and correlates it with other contextual information, such as identity, device, location, and threat intelligence. Cisco Stealthwatch then applies advanced behavioral analytics and machine learning to detect and respond to malicious activities, such as data exfiltration, malware infection, insider threats, and denial-of-service attacks. Cisco Stealthwatch also provides comprehensive network visibility and security across hybrid environments, including public cloud, private cloud, and on-premises networks. Cisco Stealthwatch can integrate with other Cisco security solutions, such as Cisco Identity Services Engine (ISE), Cisco Firepower, Cisco Umbrella, and Cisco Advanced Malware Protection (AMP), to enhance network security and incident response capabilities. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 8: Cloud and Virtual Network Security, Lesson 8.2: Cisco Stealthwatch Cloud

Cisco Stealthwatch

NetFlow for Cybersecurity and Incident Response

B

Malware installation: This may be done by hijacking DNS queries and responding with malicious IP addresses.

Command & Control communication: As part of lateral movement, after an initial compromise, DNS

communications is abused to communicate with a C2 server. This typically involves making periodic DNS

queries from a computer in the target network for a domain controlled by the adversary. The responses contain encoded messages that may be used to perform unauthorized actions in the target network.

Network footprinting: Adversaries use DNS queries to build a map of the network. Attackers live off the terrain so developing a map is important to them.

Data theft (exfiltration): Abuse of DNS to transfer data; this may be performed by tunneling other protocols like FTP, SSH through DNS queries and responses. Attackers make multiple DNS queries from a compromised computer to a domain owned by the adversary. DNS tunneling can also be used for executing commands and transferring malware into the target network.

A cloud access security broker (CASB) is a security solution that helps protect cloud-hosted services and applications from cyberattacks and data breaches. A CASB acts as an intermediary between cloud users and cloud providers, and enforces the organization’s security policies and compliance requirements. A CASB integrates with other cloud solutions via APIs and monitors the cloud activity and data across multiple platforms and devices. A CASB can also create incidents based on events from the cloud solution, such as unauthorized access, data leakage, malware infection, or policy violation. A CASB can then alert the administrators, block the malicious actions, or remediate the issues. A CASB provides visibility, control, and protection for the organization’s cloud environment12.

References :=

What Is a Cloud Access Security Broker (CASB)? | Microsoft

What is a CASB Cloud Access Security Broker? - CrowdStrike

 DoS attacks are categorized as flood attacks or crash attacks. Flood attacks are the more common form of DoS attacks. They occur when the attacked system is overwhelmed by large amounts of traffic that the server is unable to handle. The system eventually stops. Some examples of flood attacks are ICMP flood, SYN flood, and UDP flood. Crash attacks are less frequent and they exploit flaws in the targeted system. The result is that the system crashes. Some examples of crash attacks are Ping of Death, Teardrop, and Land. References:

What is a denial-of-service (DoS) attack? | Cloudflare

What is a Denial of Service (DoS) attack? | Norton

What is a Denial of Service (DoS) Attack? | Cobalt

What is a denial of service attack (DoS) - Palo Alto Networks

Explanation

Explanation

When supporting personal devices on a corporate network, you must protect network services and enterprise

data by authenticating and authorizing users (employees, contractors, and guests) and their devices. Cisco ISE

provides the tools you need to allow employees to securely use personal devices on a corporate network.

Guests can add their personal devices to the network by running the native supplicant provisioning (Network

Setup Assistant), or by adding their devices to the My Devices portal.

Because native supplicant profiles are not available for all devices, users can use the My Devices portal to add

these devices manually; or you can configure Bring Your Own Device (BYOD) rules to register these devices.

Asymmetric encryption, also known as public-key cryptography, is a type of encryption that uses a pair of keys to encrypt and decrypt data. The pair of keys includes a public key, which can be shared with anyone, and a private key, which is kept secret by the owner. In asymmetric encryption, the sender uses the recipient’s public key to encrypt the data. The recipient then uses their private key to decrypt the data. This approach allows for secure communication between two parties without the need for both parties to have the same secret key. RSA is one of the most commonly used asymmetric encryption algorithms. It is based on the mathematical problem of factoring large numbers, which is believed to be hard to solve. RSA stands for Rivest-Shamir-Adleman, the names of the three inventors of the algorithm. RSA can be used for both encryption and digital signatures. To generate an RSA key pair, the following steps are performed:

Choose two large prime numbers, p and q, and compute their product, n = pq. This is called the modulus.

Choose a small number, e, that is relatively prime to (p-1)(q-1). This is called the public exponent.

Compute a number, d, that satisfies the equation ed ≡ 1 (mod (p-1)(q-1)). This is called the private exponent.

The public key is (n, e) and the private key is (n, d).

To encrypt a message, m, with the public key (n, e), the following formula is used:

c = m^e mod n

To decrypt a ciphertext, c, with the private key (n, d), the following formula is used:

m = c^d mod n

References :=

[Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 3: VPN Technologies, Lesson 3.1: Site-to-Site VPNs, Topic 3.1.2: IPsec VPNs

What is Asymmetric Encryption? - GeeksforGeeks

What is asymmetric encryption? | Asymmetric vs. symmetric … - Cloudflare

Wired 802.1X authentication is a port-based network access control that uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port1. Wired 802.1X authentication requires three components: a supplicant, an authenticator, and an authentication server2. The supplicant is the client device that requests access to the network. The authenticator is the switch port that controls the access to the network based on the authentication result. The authentication server is the server that validates the credentials of the supplicant and sends the authentication result to the authenticator3.

In this question, option A is correct because Cisco Identity Service Engine (ISE) is an example of an authentication server that supports wired 802.1X authentication4. Option C is correct because Cisco Catalyst switch is an example of an authenticator that supports wired 802.1X authentication5. Option B is incorrect because Cisco AnyConnect ISE Posture module is not a supplicant, but a software component that checks the compliance status of the supplicant. Option D is incorrect because Cisco ISE is not an authenticator, but an authentication server. Option E is incorrect because Cisco Prime Infrastructure is not an authentication server, but a network management tool.

 1: Wired 802.1X Deployment Guide - Cisco 2: 802.1X Authenticated Wired Access Overview | Microsoft Learn 3: About 802.1X Authentication - Aruba 4: Cisco Identity Services Engine - Products & Services - Cisco 5: Cisco Catalyst 2960-X Series Switches - Products & Services - Cisco : Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Configure Posture [Cisco AnyConnect Secure Mobility Client] - Cisco : Cisco Prime Infrastructure - Products & Services - Cisco

Explanation

Explanation

In this question, the engineer was trying to secure the connection so maybe he was trying to allow SSH to the device. But maybe something went wrong so the connection was failing (the connection used to be good). So maybe he was missing the “crypto key generate rsa” command.

 Phishing is a type of cyberattack that uses fraudulent emails or other communications to trick users into providing sensitive information or installing malware on their devices1. Phishing can lead to identity theft, data breaches, ransomware infections, and financial losses. To protect employees from phishing attacks, a company can use various solutions that can detect, block, and remediate phishing threats. Two of these solutions are:

Cisco Umbrella: Cisco Umbrella is a cloud-based security platform that provides the first line of defense against threats on the internet, including phishing2. Cisco Umbrella uses DNS-layer security, which can identify and block malicious domains, IPs, and URLs before they can reach the user’s device2. Cisco Umbrella also integrates with Cisco Email Security to provide additional protection against phishing emails that may bypass the email gateway3.

Cisco Email Security Appliance (ESA): Cisco ESA is an email gateway that protects inbound and outbound email traffic from spam, malware, phishing, and other threats4. Cisco ESA uses multiple layers of defense, such as reputation filtering, antivirus scanning, outbreak filters, and content filtering, to prevent malicious emails from reaching the user’s inbox4. Cisco ESA also leverages Cisco Advanced Phishing Protection, which uses machine learning and threat intelligence to identify and block sophisticated phishing attacks that use identity deception techniques5.

References := 1: What Is Phishing? Examples and Phishing Quiz - Cisco 2: Cisco Umbrella - Cloud Delivered Enterprise Security 3: Cisco Umbrella and Cisco Email Security Integration 4: Cisco Secure Email - Cisco 5: Cisco Advanced Phishing Protection - Cisco Video Portal

The configuration that is needed to accomplish the goal of adding protection for data in transit and having headers in the email message is to deploy an encryption appliance. An encryption appliance is a device that encrypts and decrypts email messages using various encryption standards, such as S/MIME, PGP, or Cisco Registered Envelope Service (CRES). An encryption appliance can also add headers to the email message to indicate the encryption status, the encryption key, or the encryption policy. An encryption appliance can be integrated with an email appliance, such as Cisco Email Security Appliance (ESA), to provide end-to-end email security and encryption.

The other options are incorrect because:

Provisioning the email appliance is not enough to add protection for data in transit and have headers in the email message. An email appliance can provide various email security features, such as spam filtering, virus scanning, content filtering, or data loss prevention, but it does not encrypt or decrypt email messages by itself. An email appliance needs to work with an encryption appliance to provide email encryption and decryption.

Mapping sender IP addresses to a host interface is not related to adding protection for data in transit and having headers in the email message. This is a configuration option for an email appliance that allows it to accept email messages from specific IP addresses or ranges and assign them to a specific host interface. This can be useful for load balancing, traffic management, or policy enforcement, but it does not affect email encryption or decryption.

Enabling flagged message handling is not relevant to adding protection for data in transit and having headers in the email message. This is a configuration option for an email appliance that allows it to handle email messages that have a specific flag or tag in the subject line or the body. This can be useful for testing, troubleshooting, or applying special policies, but it does not affect email encryption or decryption.

The Cisco WSA can enforce bandwidth restrictions for web applications by using the Application Visibility and Control (AVC) engine. The AVC engine allows the WSA to identify and control application activity on the network, and to apply bandwidth limits to certain application types or individual applications. The WSA dynamically creates a scavenger class QoS policy and applies it to each client that connects through the WSA. The scavenger class QoS policy assigns a low priority to the application traffic and limits the bandwidth usage based on the configured settings. This way, the WSA can prevent congestion and ensure fair allocation of bandwidth among different applications and users. References:

User Guide for AsyncOS 11.8 for Cisco Web Security Appliances - GD (General Deployment) - Managing Access to Web Applications

WSA - limit bandwidth - Cisco Community

 Retrospective security is a feature of Cisco AMP that enables continuous analysis and alerting of files and network activity, even after the initial point of inspection. It allows an engineer to look back in time and trace the processes, file activities, and communications of an endpoint that was infected by malware. This helps to understand the full extent of an infection, establish root causes, and perform remediation. Retrospective security is different from endpoint isolation, advanced search, and advanced investigation, which are other features of Cisco AMP that provide different capabilities. Endpoint isolation allows an engineer to isolate an endpoint from the network to prevent further spread of malware. Advanced search allows an engineer to query the AMP cloud database for information about files, endpoints, events, and trajectories. Advanced investigation allows an engineer to perform deep analysis of files and endpoints using Cisco Secure Malware Analytics (formerly Threat Grid). References :=

Some possible references are:

Malware Defense with Cisco Secure Firewall Data Sheet

Best Practice Guide for Advanced Malware Protection (AMP) on Cisco Email Security

Malware Protection - Cisco AMP Advanced Malware Protection

DevSecOps is a development practice that integrates security into all phases of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery. DevSecOps focuses on application development, as it aims to deliver secure and robust applications that meet the customers’ needs and expectations. DevSecOps also makes security a shared responsibility of development, security, and operations teams, rather than a separate silo. DevSecOps enables faster and safer software delivery by automating security processes and tools, and addressing security issues as they emerge, rather than at the end of the cycle.

References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 6: Securing the Data Center, Lesson 6.2: DevSecOps

What Is DevSecOps? Definition and Best Practices | Microsoft Security

What is DevSecOps? | IBM

What is DevSecOps? | DevSecOps vs. DevOps | VMware

MDM stands for Mobile Device Management, which is a system that performs compliance checks and remote wiping on mobile devices. MDM allows administrators to enforce security policies, monitor device status, and remotely manage devices in case of loss, theft, or compromise. MDM can also integrate with other Cisco security solutions, such as ISE, AMP, and Umbrella, to provide enhanced protection and visibility for mobile devices. References:

Mobile Device Management (MDM) - Cisco

Implementing and Operating Cisco Security Core Technologies (SCOR) - Module 5: Secure Network Access

Cisco CWS eliminates the need to backhaul traffic through headquarters for remote workers whereas Cisco WSA does not. Cisco CWS is a cloud-based web security service that provides comprehensive protection against web-based threats for users anywhere, on any device1. Cisco WSA is an on-premises web security appliance that provides web filtering, malware scanning, data loss prevention, and other features for users within the network perimeter2. One of the benefits of using Cisco CWS over Cisco WSA is that it eliminates the need to backhaul traffic through headquarters for remote workers, which can reduce bandwidth costs, latency, and complexity3. Remote workers can connect directly to the nearest Cisco CWS data center and receive the same level of web security as if they were in the office. Cisco WSA, on the other hand, requires remote workers to use a VPN or proxy to route their web traffic through the headquarters, which can affect their performance and user experience. References:

1: Cisco Cloud Web Security Data Sheet

2: Cisco Secure Web Appliance Data Sheet

3: Cisco Cloud Web Security: Comprehensive Defense, Advanced Threat Protection, and Superior Flexibility for Your Business

: Cisco Cloud Web Security: How It Works

: Cisco Cloud Web Security: FAQ

Explanation

Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also

known as posture, of all the endpoints that are connecting to a network for compliance with corporate security

policies.

A posture policy is a collection of posture requirements that are associated with one or more identity groups and

operating systems.

Posture-policy requirements can be set to mandatory, optional, or audit types in posture policies.

+ If a mandatory requirement fails, the user will be moved to Non-Compliant state

+ If an optional requirement fails, the user is allowed to skip the specified optional requirements and the user

is moved to Compliant state

This Qdid not clearly specify the type of posture policy requirement (mandatory or optional) is not met so the

user can be in Non-compliant or compliant state. But “noncompliant” is the best answer here.

Explanation

The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an

authentication, authorization, and accounting (AAA) session after it is authenticated.

 Platform as a Service (PaaS) is a cloud service model that delivers and manages all the hardware and software resources to develop applications through the cloud. The service provider is responsible for the infrastructure, middleware, runtime, and operating system, while the customer only has to focus on the application and data. PaaS enables the customer to avoid the hassle of patching, updating, or maintaining the operating system, as well as the underlying hardware and network12. Infrastructure as a Service (IaaS) is a cloud service model that delivers on-demand infrastructure resources, such as compute, storage, networking, and virtualization, to the customer via the cloud. The service provider hosts and manages the infrastructure, but the customer is responsible for the operating system, middleware, virtual machines, and any apps or data. IaaS requires the customer to handle the patch management of the operating system, as well as the security and configuration of the virtual machines34. References := 1: Use platform as a service (PaaS) options - Azure Architecture Center 2: What is Platform-as-a-Service (PaaS)? - Cloudflare 3: PaaS vs IaaS vs SaaS: What’s the difference? | Google Cloud 4: SaaS vs PaaS vs IaaS: What’s The Difference & How To Choose – BMC Software | Blogs

Cisco Umbrella groups harmful destinations into categories of security threat, such as Malware, Command Control Callbacks, Phishing Attacks, Dynamic DNS, Potentially Harmful Domains, DNS Tunneling VPN, and Cryptomining1. When web policies are configured in Cisco Umbrella, the security category blocking provides the ability to ensure that domains are blocked when they host malware, command and control, phishing, and more threats. By enabling or disabling these categories, the administrator can control the identity access to these destinations and protect the network from malicious traffic2. References: 1: Security Categories - Umbrella User Guide 2: Manage Security Settings - Umbrella User Guide

Explanation

Private Network Monitoring (PNM) provides visibility and threat detection for the on-premises network, delivered from the cloud as a SaaS solution. It is the perfect solution for organizations who prefer SaaS products and desire better awareness and security in their on-premises environments while reducing capital expenditure and

operational overhead. It works by deploying lightweight software in a virtual machine or server that can

consume a variety of native sources of telemetry or extract metadata from network packet flow. It encrypts this metadata and sends it to the Stealthwatch Cloud analytics platform for analysis. Stealthwatch Cloud consumes metadata only. The packet payloads are never retained or transferred outside the network.

This lab focuses on how to configure a Stealthwatch Cloud Private Network Monitoring (PNM) Sensor, in order to provide visibility and effectively identify active threats, and monitors user and device behavior within onpremises networks.

The Stealthwatch Cloud PNM Sensor is an extremely flexible piece of technology, capable of being utilized in a number of different deployment scenarios. It can be deployed as a complete Ubuntu based virtual appliance on different hypervisors (e.g. –VMware, VirtualBox). It can be deployed on hardware running a number of different Linux-based operating systems.

Explanation

Explanation

A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets to a target

machine. Since the machine receiving such packets cannot reassemble them due to a bug in TCP/IP

fragmentation reassembly, the packets overlap one another, crashing the target network device. This generally happens on older operating systems such as Windows 3.1x, Windows 95, Windows NT and versions of the Linux kernel prior to 2.1.63.

Posture is a service in Cisco ISE that checks the compliance of endpoints with corporate security policies before allowing them to connect to the network. Posture policies define the requirements that endpoints must meet to be compliant, such as having antivirus software installed and updated, or having a specific registry key value. If an endpoint is compliant, Cisco ISE can apply a Change of Authorization (CoA) to grant it access to the network resources. CoA is a mechanism that allows Cisco ISE to dynamically change the authorization attributes of an existing session, such as VLAN, dACL, or SGT, without requiring the user to reauthenticate. CoA can be triggered by various events, such as posture assessment results, profiling changes, or manual actions by the administrator. CoA can also be used to quarantine or disconnect non-compliant endpoints. Therefore, ensuring that an endpoint is compliant with a posture policy configured in Cisco ISE provides the benefit of allowing CoA to be applied if the endpoint status is compliant. References :=

Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Posture Policies

Cisco Identity Services Engine Administrator Guide, Release 2.2 - Change of Authorization

In Cisco Secure Endpoint, to create a custom detection file list for detecting and quarantining future files, an advanced custom detection should be created, and the hash of each file to be detected and quarantined should be uploaded. This allows the system to uniquely identify and take action on files based on their hash values, providing a precise method for targeting specific malicious or unwanted files.

A serverless application is one that does not require the developer to manage the underlying infrastructure or servers. Instead, the application code is executed by a cloud provider in response to events or triggers, such as HTTP requests, database changes, or messages. The cloud provider automatically provisions, scales, and manages the resources needed to run the code, and charges only for the time and resources consumed by the execution. A serverless application runs from an ephemeral, event-triggered, and stateless container that is fully managed by a cloud provider. This means that the container is created on demand when an event occurs, and is destroyed when the execution is completed. The container does not store any persistent state or data, and is isolated from other containers. The cloud provider handles the load balancing, fault tolerance, security, and monitoring of the container. A serverless application can leverage various cloud services, such as databases, storage, messaging, analytics, and machine learning, to perform complex tasks and functionalities. Serverless computing is a cloud-native development model that enables developers to focus on the business logic and deliver faster and more scalable applications. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 8: Cloud and Virtual Network Security, Lesson 8.1: Cloud Computing Concepts

What is serverless? - Red Hat

Serverless computing and applications | Microsoft Azure

Explanation

Explanation

Cisco FTD devices, Cisco Firepower devices, and the Cisco ASA FirePOWER modules can be managed by

the Firepower Management Center (FMC), formerly known as the FireSIGHT Management Center - > Answer D

is not correct

Cisco DNA Center is an open and extensible platform that allows third-party applications and processes to exchange data and intelligence with Cisco DNA Center1. One of the features of the open platform capabilities of Cisco DNA Center is the intent-based APIs, which enable DNA Center to provide automation to applications2. Intent-based APIs allow applications to express their intent or desired outcome, and let DNA Center translate that intent into network configurations and policies3. Intent-based APIs simplify the interaction between applications and the network, and enable faster and more consistent service delivery.

 1: Cisco DNA Center 2.3.5 Data Sheet - Cisco 2: Intent-Based Networking’s Next Evolution: The DNA Center Platform - Cisco Blogs 3: Unlocking the Power of Open Platforms with Cisco DNA Center Platform

To add switches into the fabric for private cloud management, administrators can use the following two methods:

PowerOn Auto Provisioning (POAP): This method allows the switches to be automatically discovered and provisioned by DCNM using a POAP configuration file. The switches are assigned an IP address and a startup configuration based on the fabric settings and policies. The switches are then added to the fabric and deployed with the VXLAN EVPN configuration. This method is suitable for greenfield deployments or adding new switches to an existing fabric12.

Seed IP: This method allows the administrators to manually specify the IP address of the switches that they want to add to the fabric. The switches must have a reachable IP address and a username and password that match the fabric settings. The switches are then added to the fabric and deployed with the VXLAN EVPN configuration. This method is suitable for brownfield deployments or transitioning existing switches to DCNM management12. References: Cisco NDFC Fabric Controller Configuration Guide, Release 12.0.x, Cisco DCNM LAN Fabric Configuration Guide, Release 11.5(x).

Cisco FTDv in AWS can be deployed in two different deployment models: single-instance and cluster. In both models, the FTDv can be configured in routed mode and managed by either an FMCv installed in AWS or a physical FMC appliance on premises. The FTDv can also use Geneve encapsulation for traffic interfaces to support AWS Gateway Load Balancer (GWLB) integration. The following table summarizes the supported deployment model configurations for FTDv in AWS:

Table

Deployment Model

Management Mode

Traffic Mode

Geneve Encapsulation

Single-instance

FMCv in AWS

Routed

Optional

Single-instance

FMC on premises

Routed

Optional

Cluster

FMCv in AWS

Routed

Required

Cluster

FMC on premises

Routed

Required

References :=

Deploy the Threat Defense Virtual on AWS - Cisco

Deploy a Threat Defense Virtual Cluster on AWS - Cisco

Configure Geneve Interfaces in Secure FTDv - Cisco

Deployment of Cisco Secure FTDv and FMCv instances in AWS - Terraform

Solved: FTD virtual appliance in AWS - Cisco Community

One of the main reasons why a user would choose an on-premises ESA versus the CES solution is to have more control over the sensitive data that flows through the email system. With an on-premises ESA, the user can ensure that the data is stored and processed within their own network and data center, and that they comply with any regulatory or organizational requirements for data security and privacy. With a CES solution, the user would have to trust Cisco to handle the data in their cloud infrastructure, and to adhere to the service level agreements and security policies that are agreed upon. Some users may not be comfortable with this level of outsourcing, especially if they have strict data governance or compliance needs12. References: 1: Physical ESA vs Cloud ESA - Cisco Community 2: Cisco Email Security Appliance - Data Sheet

Explanation

In this IaaS model, cloud providers offer resources to users/machines that include computers as virtual

machines, raw (block) storage, firewalls, load balancers, and network devices.

Note: Cloud access security broker (CASB) provides visibility and compliance checks, protects data against misuse and exfiltration, and provides threat protections against malware such as ransomware.

 Multi-factor authentication (MFA) is a method of verifying a user’s identity by requiring two or more factors, such as something the user knows (e.g. password), something the user has (e.g. token), or something the user is (e.g. biometric). MFA can prevent or mitigate some common types of cyberattacks that rely on stealing or guessing a user’s credentials, such as phishing and brute force attacks12

Phishing is an attack where an attacker sends a fraudulent email or message that appears to come from a legitimate source, such as a bank or a government agency, and tries to trick the user into clicking on a malicious link or attachment, or providing their credentials or personal information34 MFA can prevent phishing attacks by requiring an additional factor of authentication that the attacker cannot obtain from the phishing email or message, such as a one-time password (OTP) sent to the user’s phone or email, or a biometric verification such as a fingerprint or face scan56

Brute force is an attack where an attacker tries to guess a user’s password by systematically trying different combinations of characters, words, or phrases until they find the correct one. MFA can prevent brute force attacks by requiring an additional factor of authentication that the attacker cannot guess, such as a physical token or a push notification that the user has to approve.

 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 course overview 2: What Type of Attacks Does MFA Prevent? | OneLogin 3: 5 Multi-Factor Authentication Vulnerabilities and How to Resolve Them 4: FBI warns about attacks that bypass multi-factor authentication (MFA) 5: Defend your users from MFA fatigue attacks - Microsoft Community Hub 6: What type of attacks does Multi-Factor Authentication prevent? : How to Prevent Brute Force Attacks | Cloudflare : Brute Force Attack - an overview | ScienceDirect Topics : Multi-factor authentication - Wikipedia : Multi-factor authentication fatigue attacks are on the rise: How to defend against them | CSO Online

Device compliance checks are used to verify that the devices managed by Intune meet the security and configuration requirements defined by the organization. Device compliance checks can use various parameters to evaluate the device state, such as:

Endpoint protection software version: This parameter checks if the device has a valid and up-to-date antivirus or antimalware software installed and running. This parameter helps to protect the device from malicious software and network attacks.

Device operating system version: This parameter checks if the device has the minimum or maximum operating system version supported by the organization. This parameter helps to ensure that the device has the latest security patches and features available.

Windows registry values: This parameter checks if the device has specific registry values configured or not. This parameter helps to enforce custom settings or policies on the device that are not covered by other parameters.

DHCP snooping checks: This parameter checks if the device is connected to a trusted network that uses DHCP snooping to prevent rogue DHCP servers from assigning IP addresses to the device. This parameter helps to prevent man-in-the-middle attacks and network spoofing.

DNS integrity checks: This parameter checks if the device is using a secure and reliable DNS server that can resolve domain names correctly and prevent DNS hijacking or poisoning. This parameter helps to prevent phishing and redirection attacks.

References :=

Some possible references are:

Device compliance policies in Microsoft Intune | Microsoft Learn, Microsoft

Monitor results of your device compliance policies in Microsoft Intune | Microsoft Learn, Microsoft

Check device access | Microsoft Learn, Microsoft

Ensure device compliance - Configuration Manager | Microsoft Learn, Microsoft

The service password-encryption command is used to encrypt all passwords in the router configuration file, such as the enable password, the console password, the vty password, and the username password. This command prevents credentials from being seen if the router configuration was compromised, for example, by an attacker who gained access to the router or the backup files. The encryption used by this command is a weak algorithm that can be easily reversed, but it provides some level of protection against casual observers1.

The other commands are not used to encrypt passwords in the router configuration file. The username < username > privilege 15 password < password > and the username < username > password < password > commands are used to create local user accounts with or without administrative privileges, respectively. These commands store the passwords in clear text unless the service password-encryption command is enabled2. The service password-recovery command is used to enable or disable the password recovery mechanism on the router. This command does not affect the encryption of passwords in the configuration file3.

References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Securing Network Devices, Topic 1.2.1: Device Hardening, page 1-14. 2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Securing Network Devices, Topic 1.2.2: Management Plane Security, page 1-17. 3: Cisco IOS Configuration Fundamentals Command Reference, Release 12.2, Chapter: service password-recovery, page 1.

 The Python script accomplishes the following tasks:

It imports the required libraries for HTTP, base64, SSL, and sys modules.

It takes the host, user, and password information from the command line arguments and assigns them to variables.

It creates an HTTPS connection object using the host and port 9060, and specifies the SSL protocol as TLSv1_2.

It encodes the user and password information in base64 format for basic HTTP authentication.

It sets the headers for the HTTP request, including the accept, authorization, and cache-control fields.

It sends a GET request to the Cisco ISE server to retrieve information from the “/ers/config/internaluser/” endpoint, which returns the list of internal users configured on Cisco ISE.

It reads the response from the server and prints the status, headers, and body in a human-readable format.

The script authenticates to the Cisco ISE server using the username of ersad and the password of Password1, and retrieves the internal user information from the server.

The Python script in the exhibit uses the Cisco AMP for Endpoints API to get information about the computers in the deployment. It imports the requests library, which allows it to make HTTP requests. It then defines three variables: client_id, api_key, and url. These are used to authenticate and access the API endpoint. The url is set to ‘1’, which returns a list of computers in JSON format. The script then makes a GET request using the requests.get() method, passing the url and the authentication details as parameters. The response from the API is stored in the response variable, and converted to JSON using the response.json() method. The script then loops over each computer in the ‘data’ field of the JSON response, using a for loop. Inside the loop, it extracts the hostname of each computer using the ‘hostname’ key, and prints it using the print() function. Therefore, the script will pull all computer hostnames and print them, which is option C. References:

Overview of the Cisco AMP for Endpoints API

Secure Endpoint API - Cisco DevNet

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

 Cisco AnyConnect with Umbrella Roaming Security module protects a user from a phishing attack by enforcing security at the DNS layer and blocking malicious domains that are used for phishing campaigns. The Umbrella Roaming Security module integrates with the Cisco AnyConnect client and provides always-on security even when no VPN is active. The Umbrella Roaming Security module can replace the existing Cisco Umbrella roaming client or be part of a new AnyConnect deployment12.

Cisco Identity Services Engine (ISE) is not an endpoint solution, but a network access control and policy enforcement platform that can integrate with AnyConnect for posture assessment and compliance3. Cisco AnyConnect with ISE Posture module is used to check the compliance status of the endpoint device and apply the appropriate network access policy based on the posture result4. Cisco AnyConnect with Network Access Manager module is used to manage the network connections and profiles of the endpoint device and support various authentication methods5. Neither of these modules directly protect the user from a phishing attack.

References :=

Roaming Client: Umbrella Roaming Security (Integration with AnyConnect)

Secure Umbrella Roaming: Cisco Secure Client (Formerly AnyConnect)

Cisco Identity Services Engine

[Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Posture Module]

[Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.9 - Network Access Manager Module]

Explanation

Prevalence allows you to view files that have been executed in your deployment.

Note: Threat Root Cause shows how malware is getting onto your computers.

The function of Cisco Cloudlock for data security is data loss prevention (DLP). Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cloudlock’s simple, open, and automated approach uses APIs to manage the risks in your cloud app ecosystem1. One of the key features of Cloudlock is its DLP technology, which continuously monitors cloud environments to detect and secure sensitive information. It provides countless out-of-the-box policies as well as highly tunable custom policies. You can use Cloudlock’s DLP to prevent data breaches, comply with regulations, and enforce data governance across SaaS, PaaS, and IaaS platforms2. References: 1: Cisco Cloudlock - Cisco2: Cloudlock: Cloud User Security - Cisco Umbrella.

To enable malware file scanning for the Secure Internet Gateway (SIG), you need to enable Intelligent Proxy, which is a feature of Cisco Umbrella that provides selective proxying of web requests based on the risk level of the domain1. Intelligent Proxy allows SIG to inspect the content of potentially malicious web requests and block or allow them based on the configured policies2. Intelligent Proxy also enables SSL decryption, which is necessary to scan encrypted web traffic for malware3. Enabling IP Layer enforcement, activating the Advanced Malware Protection license, and activating SSL decryption are not required prerequisites to enable malware file scanning for the SIG, although they may provide additional security benefits45. References: 1: Intelligent Proxy - Cisco Umbrella 2: Cisco Umbrella SIG Advantage - Cisco Umbrella 3: [SSL Decryption - Cisco Umbrella] 4: [IP Layer Enforcement - Cisco Umbrella]  5: [Advanced Malware Protection - Cisco Umbrella]

Explanation

Explanation

ETHOS is the Cisco file grouping engine. It allows us to group families of files together so if we see variants of

a malware, we mark the ETHOS hash as malicious and whole families of malware are instantly detected.

A Simple Custom Detection List is a feature of Cisco AMP for Endpoints that allows administrators to create a list of SHA-256 hashes of files that they want to detect, block, and quarantine on their endpoints. The list can be applied to a policy and the connectors will synchronize with the latest changes. However, the list only works with the exact SHA-256 hashes that are provided, and it does not detect any variations or modifications of the files. Therefore, if the malicious file abc428565580xyz.exe has been altered in any way, such as by changing its name, size, or content, the Simple Custom Detection List will not be able to recognize it as a threat. To ensure detection of the malicious file, the administrator must upload the SHA-256 hash of the current version of the file to the Simple Custom Detection List, or use another method that can detect file variations, such as an Advanced Custom Detection List or Cisco Threat Grid. References :=

Some possible references are:

Configure a Simple Custom Detection List on the AMP for Endpoints Portal

Create an Advanced Custom Detection List in Cisco Secure Endpoint

[Cisco AMP for Endpoints User Guide]

https://www.cisco.com/c/en/us/td/docs/security/firepower/amp/6-3/user-guide/amp-user-guide.pdf

Explanation

The call to API of “https://api.amp.cisco.com/v1/computers” allows us to fetch list of computers across your

organization that Advanced Malware Protection (AMP) sees

ETHOS is one of the many detection engines that AMP uses to continuously protect you from malware. It is only available in the public cloud, as it requires a large amount of data and processing power to operate. ETHOS uses machine learning to analyze the behavior and characteristics of files and determine their maliciousness. It can detect both known and unknown threats, as well as polymorphic and metamorphic malware that can change their appearance or code. ETHOS is part of the AMP cloud’s dynamic analysis capabilities, which also include SPERO and Threat Grid12.

The private cloud instance of AMP does not have ETHOS, as it is meant to be an on-premises, self-contained solution that satisfies stringent privacy requirements. The private cloud instance also does not have SPERO or Threat Grid, unless they are deployed separately as additional appliances. The private cloud instance relies on the TETRA detection engine, which is a signature-based engine that can identify known malware. TETRA is updated regularly with new signatures from the AMP cloud, but it cannot detect unknown or zero-day threats as effectively as ETHOS34.

Therefore, the capability that is exclusive to the AMP public cloud instance as compared to the private cloud instance is the ETHOS detection engine. References: 1: Cisco Advanced Malware Protection Private Cloud Appliance Data Sheet 2: What is AMP Private Cloud 3: Deploy Cisco AMP Private Cloud on Cisco HyperFlex Systems 4: AMP Private Cloud vs Public Cloud Dashboard different

REST stands for Representational State Transfer, which is an architectural style for designing web services. RESTful web services use HTTP as the application protocol and support the standard HTTP methods, such as GET, PUT, POST, and DELETE, to perform CRUD (Create, Read, Update, Delete) operations on resources. Cisco DNA Center exposes its functionality through a set of RESTful APIs that allow external applications to interact with the network controller and automate various tasks. The RESTful architecture used within Cisco DNA Center has the following characteristics12:

It is simple, extensible, and secure to use. The APIs are based on open standards and use JSON as the data format. The APIs also support HTTPS for secure communication and authentication.

It is stateless, meaning that each request contains all the information necessary to process it, and the server does not store any session or client state. This improves scalability and performance of the web services.

It is resource-oriented, meaning that each API endpoint represents a logical entity or a resource that can be manipulated by the HTTP methods. For example, the /dna/intent/api/v1/network-device endpoint represents the network devices resource, and the GET method can be used to retrieve the list of network devices from Cisco DNA Center.

It is uniform, meaning that the same interface and conventions are used across all the APIs. For example, the APIs use the same authentication mechanism, error handling, pagination, filtering, and sorting parameters. References:

1: Introduction to Cisco DNA Center REST APIs - Cisco DevNet Learning Labs

2: Cisco DNA Center Platform User Guide, Release 2.2.3