350-701 Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) Questions and Answers

ExplanationWith Cisco pxGrid (Platform Exchange Grid), your multiple security products can now share data and work together. This open, scalable, and IETF standards-driven platform helps you automate security to get answers and contain threats faster.

Cisco Identity Services Engine (ISE) is a product that provides comprehensive and scalable access policy enforcement for wired and wireless networks. ISE supports TACACS+ for device administration, which allows for granular control over the commands and actions that network administrators can perform on network devices. ISE also supports 802.1X, MAB, and WebAuth for network access, which enables authentication and authorization of users and endpoints based on various attributes, such as identity, device type, posture, location, and time. ISE can also integrate with other Cisco security products, such as Cisco Stealthwatch and Cisco AMP for Endpoints, to provide enhanced visibility and threat detection. Therefore, ISE is the product that meets all of the requirements stated in the question. References :=

Some possible references are:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Network Access, Identity Management, and Secure Access
• TACACS+ Configuration Guide, Configuring TACACS
• Cisco Identity Services Engine Administrator Guide, Release 2.7, Device Administration
• Cisco Identity Services Engine Administrator Guide, Release 2.7, Network Access Devices
• Cisco Identity Services Engine Administrator Guide, Release 2.7, Policy Sets

Multiple context mode allows you to partition a single ASA into multiple virtual firewalls, each with its own security policy, interfaces, and management IP address. This mode is useful for providing security services to different customers or tenants on a shared appliance, while maintaining separation of management and configuration. Each context acts as an independent device and can be in either routed or transparent mode. You can also assign different administrators to each context and limit their access to specific commands and features. Multiple context mode is supported in Cisco ACI with the ASA device package version 1.2 or later. References: 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Service_Graph_Deployment_Guide/b_L4L7_Service_Graph_Deploy_ver122g/b_L4L7_Service_Graph_Deploy_ver122x_chapter_0110.pdf

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/intro-fw.html

ExplanationSQL injection usually occurs when you ask a user for input, like their username/userid, but the user gives(“injects”) you an SQL statement that you will unknowingly run on your database. For example:Look at the following example, which creates a SELECT statement by adding a variable (txtUserId) to a selectstring. The variable is fetched from user input (getRequestString):txtUserId = getRequestString(“UserId”);txtSQL = “SELECT * FROM Users WHERE UserId = ” + txtUserId;If user enter something like this: “100 OR 1=1” then the SzQL statement will look like this:SELECT * FROM Users WHERE UserId = 100 OR 1=1;The SQL above is valid and will return ALL rows from the “Users” table, since OR 1=1 is always TRUE. Ahacker might get access to all the user names and passwords in this database.

RADIUS Change of Authorization (CoA) is a feature of Cisco ASA that allows VPN users to be postured against Cisco ISE without requiring an inline posture node. RADIUS CoA enables the ISE to send a message to the ASA to change the authorization attributes of an existing VPN session, such as the assigned IP address, ACL, or group policy. This way, the ISE can dynamically adjust the access level of the VPN user based on the posture assessment results, without the need for an intermediate device to enforce the policy change12. RADIUS CoA is supported by the ASA since version 9.2.13. References: 1: ASA Version 9.2.1 VPN Posture with ISE Configuration Example - Cisco 2: How To: ISE and ASA Integration using CoA for Posture - Cisco Community 3: How To Configure Posture with AnyConnect Compliance … - Cisco CommunityQUESTION NO: 94

What two mechanisms are used to redirect users to a web portal to authenticate to ISE for guest services?(Choose two)A. multiple factor authB. local web authC. single sign-onD. central web authE. TACACS+

Answer: B, D

 Local web authentication (LWA) and central web authentication (CWA) are two mechanisms that are used to redirect users to a web portal to authenticate to ISE for guest services. Both methods involve the use of a redirect access control list (ACL) that allows the user to access only the web portal URL and blocks all other traffic until the user is authenticated. The difference between LWA and CWA is where the web portal and the authentication logic are hosted.

• LWA: The web portal and the authentication logic are hosted on the wireless LAN controller (WLC). The WLC sends a RADIUS access-accept message to the network access device (NAD) along with the redirect ACL and the web portal URL. The NAD then redirects the user to the web portal on the WLC, where the user enters their credentials. The WLC verifies the credentials with the ISE and grants or denies access to the user. The advantage of LWA is that it does not require any configuration on the ISE, but the disadvantage is that it does not support advanced features such as posture assessment, profiling, or authorization policies.
• CWA: The web portal and the authentication logic are hosted on the ISE. The WLC sends a RADIUS access-challenge message to the NAD along with the redirect ACL and the web portal URL. The NAD then redirects the user to the web portal on the ISE, where the user enters their credentials. The ISE verifies the credentials and sends a RADIUS access-accept message to the WLC with the authorization profile and the final ACL. The WLC then applies the authorization profile and the final ACL to the user session. The advantage of CWA is that it supports advanced features such as posture assessment, profiling, or authorization policies, but the disadvantage is that it requires more configuration on the ISE.

References :=

• Configure Guest Access
• Web Authentication Redirection to Original URL
• Configure Local Web Authentication with External Authentication

Posture is a service in Cisco ISE that checks the compliance of endpoints with corporate security policies before allowing them to connect to the network. Posture policies define the requirements that endpoints must meet to be compliant, such as having antivirus software installed and updated, or having a specific registry key value. If an endpoint is compliant, Cisco ISE can apply a Change of Authorization (CoA) to grant it access to the network resources. CoA is a mechanism that allows Cisco ISE to dynamically change the authorization attributes of an existing session, such as VLAN, dACL, or SGT, without requiring the user to reauthenticate. CoA can be triggered by various events, such as posture assessment results, profiling changes, or manual actions by the administrator. CoA can also be used to quarantine or disconnect non-compliant endpoints. Therefore, ensuring that an endpoint is compliant with a posture policy configured in Cisco ISE provides the benefit of allowing CoA to be applied if the endpoint status is compliant. References :=

• Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Posture Policies
• Cisco Identity Services Engine Administrator Guide, Release 2.2 - Change of Authorization

Explanation

TAXII (Trusted Automated Exchange of Indicator Information) is a standard that provides a transport

Cisco DNA Center is an open and extensible platform that allows third-party applications and processes to exchange data and intelligence with Cisco DNA Center1. One of the features of the open platform capabilities of Cisco DNA Center is the intent-based APIs, which enable DNA Center to provide automation to applications2. Intent-based APIs allow applications to express their intent or desired outcome, and let DNA Center translate that intent into network configurations and policies3. Intent-based APIs simplify the interaction between applications and the network, and enable faster and more consistent service delivery.

References: 1: Cisco DNA Center 2.3.5 Data Sheet - Cisco 2: Intent-Based Networking’s Next Evolution: The DNA Center Platform - Cisco Blogs 3: Unlocking the Power of Open Platforms with Cisco DNA Center Platform

 The application blocking list is an outbreak control method that allows the administrator to block certain files from executing on the endpoints based on their SHA values. This can prevent malware from running on the endpoints and causing damage. The other options are not outbreak control methods, but rather different features of AMP for endpoints. Device flow correlation is a network analysis feature that monitors connections and detects malicious activity. Simple detections and advanced custom detections are custom rules that can be created by the administrator to detect and block files based on signatures or other criteria. References:

• Configure Windows Policy in AMP for Endpoints - Cisco
• Prevent, Detect and Respond with Cisco AMP for Endpoints

ETHOS is one of the many detection engines that AMP uses to continuously protect you from malware. It is only available in the public cloud, as it requires a large amount of data and processing power to operate. ETHOS uses machine learning to analyze the behavior and characteristics of files and determine their maliciousness. It can detect both known and unknown threats, as well as polymorphic and metamorphic malware that can change their appearance or code. ETHOS is part of the AMP cloud’s dynamic analysis capabilities, which also include SPERO and Threat Grid12.

The private cloud instance of AMP does not have ETHOS, as it is meant to be an on-premises, self-contained solution that satisfies stringent privacy requirements. The private cloud instance also does not have SPERO or Threat Grid, unless they are deployed separately as additional appliances. The private cloud instance relies on the TETRA detection engine, which is a signature-based engine that can identify known malware. TETRA is updated regularly with new signatures from the AMP cloud, but it cannot detect unknown or zero-day threats as effectively as ETHOS34.

Therefore, the capability that is exclusive to the AMP public cloud instance as compared to the private cloud instance is the ETHOS detection engine. References: 1: Cisco Advanced Malware Protection Private Cloud Appliance Data Sheet 2: What is AMP Private Cloud 3: Deploy Cisco AMP Private Cloud on Cisco HyperFlex Systems 4: AMP Private Cloud vs Public Cloud Dashboard different

Traffic storm control is a feature that prevents LAN ports from being disrupted by a broadcast, multicast, or unicast traffic storm on physical interfaces. Traffic storm control monitors the level of each traffic type for which it is enabled in 1-second intervals and compares it with the configured threshold, which is a percentage of the total available bandwidth of the port. When the ingress traffic reaches the threshold, traffic storm control drops the traffic until the end of the interval. Traffic storm control uses the Individual/Group bit in the packet destination address to determine if the packet is unicast or broadcast. This bit is set to 0 for unicast addresses and 1 for multicast or broadcast addresses. Traffic storm control does not use the source address to classify the traffic type. References := Configuring Traffic Storm Control - Cisco, Understanding Cisco Traffic Storm Control - NetCraftsmen

ExplanationThe Southbound API is used to communicate between Controllers and network devices

ExplanationThe Trusted Automated eXchangeof Indicator Information (TAXII) specifies mechanisms for exchangingstructured cyber threat information between parties over the network.TAXII exists to provide specific capabilities to those interested in sharing structured cyber threat information.TAXII Capabilities are the highest level at which TAXII actions can be described. There are three capabilitiesthat this version of TAXII supports: push messaging, pull messaging, and discovery.Although there is no “binding” capability in the list but it is the best answer here.

Cisco Cloudlock is a cloud-native security platform that provides data loss prevention (DLP) capabilities for public cloud environments, such as SaaS, IaaS, and PaaS. Cisco Cloudlock can discover, classify, and protect sensitive data stored in cloud applications, such as Office 365, Google Workspace, Salesforce, Dropbox, and AWS. Cisco Cloudlock uses advanced techniques, such as regular expressions, keywords, dictionaries, and machine learning, to identify and monitor data based on predefined or custom policies. Cisco Cloudlock can also enforce actions, such as encryption, quarantine, deletion, or notification, to prevent data leakage or exposure12. References := 1: Cisco Cloudlock Data Sheet 2: Cloud Data Loss Prevention (Cloud DLP) Overview

ExplanationExplanationIn this question, the engineer was trying to secure the connection so maybe he was trying to allow SSH to the device. But maybe something went wrong so the connection was failing (the connection used to be good). So maybe he was missing the “crypto key generate rsa” command.

 The Atomic ARP engine is a signature engine that defines basic Layer 2 ARP signatures and provides more advanced detection of the ARP spoof tools dsniff and ettercap. ARP spoofing is an attack that involves sending spoofed ARP messages over a local area network to associate the attacker’s MAC address with the IP address of the target. The Atomic ARP engine inspects the Layer 2 ARP protocol and compares the ARP requests and replies with the MAC address table to detect any anomalies or inconsistencies. The Atomic ARP engine can also detect gratuitous ARP messages, which are unsolicited ARP replies that can be used to poison the ARP cache of other hosts. The Atomic ARP engine is different from other IPS engines because most engines are based on Layer 3 IP protocol. References := 

https://www.cisco.com/c/en/us/td/docs/security/ips/6-1/configuration/guide/cli/cliguide/cli_signature_engines.html

https://security.stackexchange.com/questions/71023/can-suricata-ips-detect-and-prevent-arp-poisoning-attacks

the routing of traffic through the Cisco Umbrella network is to browse to http://welcome.umbrella.com/ . This URL will display a message that confirms whether the new network identity is working or not. If the message says “You’re protected by Cisco Umbrella”, then the traffic is being routed correctly. If the message says “You’re not using Cisco Umbrella”, then the traffic is not being routed correctly and the configuration needs to be checked. The other options are not valid actions to test the routing. Option A is incorrect because the client computers should point to the Cisco Umbrella DNS servers, not the on-premises DNS servers. Option B is incorrect because the Intelligent Proxy is a feature that selectively intercepts and proxies web requests for deeper inspection, not a tool to test the routing. Option C is incorrect because adding the public IP address to a Core Identity is a way to identify the network, not a way to test the routing. References:

• How To: Successfully test to ensure you’re running Umbrella correctly
• Add a Network Identity

ExplanationThis command uses RADIUS which combines authentication and authorization in one function (packet).

Active Directory (AD) is an ID store that requires that a shadow user be created on Cisco ISE for the admin login to work. A shadow user is a user account that is defined in the ISE internal database, but has the password set to external. This means that the user authentication is performed against an external identity source, such as AD, while the user authorization is based on the ISE admin group membership. A shadow user is useful when the admin wants to assign different roles or permissions to specific AD users, rather than using AD groups. To create a shadow user, the admin must check the External checkbox in the ISE admin user configuration, and make sure that the username matches the AD username. The shadow user must also be assigned to an ISE admin group that has the Type set to External123. References := 1: ISE Admin User Shadow AD Account Issue 2: ISE Admin user authentication from AD 3: Which ID store requires that a shadow user be created on Cisco ISE for the admin login to work?

 NetFlow is a protocol that collects and exports information about network traffic flows. NetFlow Version 9 is the latest version supported by the Cisco ASA 5500 Series firewall. To enable NetFlow on the ASA, you need to perform two main tasks: define a NetFlow collector and apply NetFlow exporter to an interface. A NetFlow collector is a device or application that receives and processes the NetFlow records sent by the ASA. You can define a NetFlow collector by using the flow-export command, which specifies the IP address, port number, and interface of the collector. A NetFlow exporter is a configuration that determines which traffic flows are monitored and exported by the ASA. You can apply NetFlow exporter to an interface by using the Modular Policy Framework (MPF), which allows you to create class maps and policy maps to match and act on interesting traffic. You can use the flow-export event-type option in the policy map to select the NetFlow events that you want to export. The other options (B, C, and D) are not required or correct for enabling NetFlow on the ASA. You do not need to create an ACL to allow UDP traffic on port 9996, because the ASA uses a random high port number to send NetFlow records to the collector. You do not need to apply NetFlow exporter to the outside interface in the inbound direction, because you can apply it to any interface and direction that you want to monitor. You do not need to create a class map to match interesting traffic, because the ASA monitors all traffic flows by default, unless you filter them by using the flow-export filters command. References:

• Cisco Secure Firewall ASA NetFlow Implementation Guide, section “About NSEL”
• Cisco Secure Firewall ASA NetFlow Implementation Guide, section “Configure NSEL Collectors (CLI)”
• Cisco Secure Firewall ASA NetFlow Implementation Guide, section “Configure Flow-Export Actions Through Modular Policy Framework”
• Configuring NetFlow on ASA with ASDM, section “Enabling NetFlow on ASA”

ExplanationPhishing is a form of social engineering. Phishing attacks use email or malicious web sites to solicit personal,often financial, information. Attackers may send email seemingly from a reputable credit card company orfinancial institution that requests account information, often suggesting that there is a problem.

ExplanationExplanation… we will showcase Cisco Threat Intelligence Director (CTID) an exciting feature on Cisco’s FirepowerManagement Center (FMC) product offering that automates the operationalization of threat intelligence. TID has the ability to consume threat intelligence via STIX over TAXII and allows uploads/downloads of STIX and simple blacklists. Reference: https://blogs.cisco.com/developer/automate-threat-intelligence-using-cisco-threat-intelligencedirector

The Cloudlock Apps Firewall is a feature of Cisco Cloudlock, which is a cloud-native cloud access security broker (CASB) that helps organizations move to the cloud safely. The Cloudlock Apps Firewall mitigates security concerns from an application perspective by discovering and controlling cloud apps that are connected to a company’s corporate environment, such as Google G Suite or Microsoft Azure Active Directory (AD). These cloud apps are authorized through OAuth to access corporate data and resources via APIs, and may pose risks such as data exfiltration, account compromise, or malicious behavior. The Cloudlock Apps Firewall provides visibility into the app ecosystem, including the app name, category, risk level, access scopes, and number of users. It also allows administrators to ban or allowlist apps based on their risk profile and compliance requirements. Additionally, the Cloudlock Apps Firewall leverages a crowd-sourced Community Trust Rating for each app, which reflects the feedback from other Cloudlock customers on the app’s security and functionality. References :=

• Cisco Content Security Products
• Cisco Cloudlock - Cisco
• Shadow IT Control with Apps Firewall - Cisco
• Test scor q151 - q200

ExplanationPhishing attacks are the practice of sending fraudulent communications that appear to come from a reputablesource. It is usually done through email. The goal is to steal sensitive data like credit card and login information,or to install malware on the victim’s machine.

ExplanationCross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message.Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on.For example the code below is written in hex: Click Hereis equivalent to:Click HereNote: In the format “&#xhhhh“, hhhh is the code point in hexadecimal form.

Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) are both important components of an endpoint security strategy, but they have different goals and capabilities. EPP is designed to act as a preventive security measure, blocking known and unknown malware and malicious activity on endpoint devices using various techniques such as antivirus, data encryption, and data loss prevention. EPP solutions are mainly cloud-managed and assisted by cloud data, and use multiple detection engines such as signature-based, machine learning, and behavioral analysis. EPP solutions prevent breaches by leveraging threat intelligence and sandboxing capabilities to continuously protect endpoints from emerging threats12.

EDR, on the other hand, focuses on detecting and responding to advanced threats that have already evaded the front-line defenses and infiltrated the environment. EDR solutions provide continuous and comprehensive visibility into endpoint activity in real time, allowing security teams to quickly and effectively identify and remediate cyberattacks such as ransomware and fileless malware. EDR solutions offer advanced threat detection, investigation, and response capabilities, including incident data search and investigation, alert triage, suspicious activity validation, threat hunting, and malicious activity detection and containment. EDR solutions serve as a safety net to capture threats that go undetected by traditional antivirus software and uncover incidents that would otherwise remain invisible34.

Therefore, the primary difference between an EPP and an EDR is that EPP focuses on prevention, and EDR focuses on advanced threats that evade perimeter defenses. References: 1: Endpoint Protection Platform (EPP) Definition - Cisco 2: EPP vs. EDR: Why You Need Both - CrowdStrike 3: Endpoint Detection and Response (EDR) Definition - Cisco 4: EDR vs EPP: Why Should You Have to Choose? - Check Point Software

FlexVPN and DMVPN are both Cisco technologies that use point-to-point GRE tunnels to create dynamic VPN networks. However, they differ in some aspects, such as:

• FlexVPN is a newer solution that requires newer hardware and IOS versions, while DMVPN is more widely supported on older devices1.
• FlexVPN is based on IKEv2, which is a more robust and efficient protocol than IKEv1, which is used by DMVPN (although DMVPN can also use IKEv2)2.
• FlexVPN uses static or virtual access interfaces for GRE tunnels, while DMVPN uses a single multipoint GRE interface. This allows more flexibility and visibility for FlexVPN tunnels2.
• FlexVPN does not require NHRP registration for spokes to communicate with the hub, while DMVPN does. This simplifies the configuration and reduces the overhead of NHRP3.
• FlexVPN has only one standard mode of operation, while DMVPN has three phases with different characteristics and configurations2.

References := 1: what is the difference between dmvpn and flexvpn 2: Cisco FlexVPN DMVPN, Part 1 - Overview and Design 3: DMVPN to FlexVPN Soft Migration Configuration Example

Cisco Umbrella groups harmful destinations into categories of security threat, such as Malware, Command Control Callbacks, Phishing Attacks, Dynamic DNS, Potentially Harmful Domains, DNS Tunneling VPN, and Cryptomining1. When web policies are configured in Cisco Umbrella, the security category blocking provides the ability to ensure that domains are blocked when they host malware, command and control, phishing, and more threats. By enabling or disabling these categories, the administrator can control the identity access to these destinations and protect the network from malicious traffic2. References: 1: Security Categories - Umbrella User Guide 2: Manage Security Settings - Umbrella User Guide

ExplanationExplanationCisco Umbrella protects users from accessing malicious domains by proactively analyzing and blocking unsafe destinations – before a connection is ever made. Thus it can protect from phishing attacks by blocking suspicious domains when users click on the given links that an attacker sent.

ExplanationDNS Tunneling is a method of cyber attack that encodes the data of other programs or protocols in DNSqueries and responses. DNS tunneling often includes data payloads that can be added to an attacked DNSserver and used to control a remote server and applications.

Endpoint security is the process of protecting devices like workstations, servers, and other devices from malicious threats and cyberattacks. Endpoint security enables businesses to secure endpoints that employees use for work purposes or servers that are either on a network or in the cloud. Endpoint security is important because every device that connects to the corporate network is a potential vulnerability, providing a possible entry point for cyber criminals. Therefore, every device an employee uses to connect to any business system or resource carries the risk of becoming the chosen route for hacking into an organization. These devices can be exploited by malware that could leak or steal sensitive data from the business12.

One of the benefits of endpoint security is that it allows the organization to detect and mitigate threats that the perimeter security devices do not detect. Perimeter security devices, such as firewalls and intrusion prevention systems, are designed to protect the network from external attacks. However, they may not be able to prevent or detect attacks that originate from within the network, such as insider threats, compromised devices, or lateral movement. Endpoint security solutions can provide visibility and control over the devices that connect to the network, and can monitor, analyze, and respond to suspicious or malicious activities on the endpoints. Endpoint security solutions can also leverage threat intelligence and advanced analytics to identify and block known and unknown threats, such as ransomware, zero-day exploits, and targeted attacks13. References := 1: What is Endpoint Security? How Does It Work? | Fortinet 2: Microsoft Defender for Endpoint | Microsoft Security 3: Endpoint Security - Check Point Software

ExplanationCisco Stealthwatch Cloud: Available as an SaaS product offer to provide visibility and threat detection within public cloud infrastructures such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

 The dot1x system-auth-control command enables 802.1X globally on a Cisco switch. This command allows the switch to act as an authenticator for 802.1X clients connected to the switch ports. The switch will then communicate with a RADIUS server to authenticate the clients and grant or deny access to the network. The other commands are not related to enabling 802.1X globally. The dot1x pae authenticator command enables 802.1X authentication on a specific interface. The authentication port-control aut command enables automatic port-based authentication on an interface. The aaa new-model command enables the AAA framework for authentication, authorization, and accounting. References :=

https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb5635-configure-global-802-1x-properties-on-a-switch-through-the-c.html

https://www.cisco.com/c/en/us/td/docs/routers/nfvis/switch_command/b-nfvis-switch-command-reference/802_1x_commands.html

Proxy caching is a method that enables a proxy server to save recent and frequent website/webpage requests and data requested by one or more client machines. It reduces latency, eases bandwidth consumption, and ensures content is served more swiftly to the end-user12. WSA (Web Security Appliance) is a Cisco product that provides proxy caching functionality, along with other web security features such as malware protection, URL filtering, and data loss prevention3. Firepower, FireSIGHT, and ASA are other Cisco products that do not provide proxy caching, but rather focus on different aspects of network security, such as threat detection, management, and firewall . References:

• What is Proxy Caching? | StackPath
• What Is Proxy Caching? | Definition & Overview | NinjaOne
• Cisco Web Security Appliance Data Sheet
• [Cisco Firepower NGFW Data Sheet]
• [Cisco FireSIGHT Management Center Data Sheet]
• [Cisco ASA 5500-X Series Firewalls Data Sheet]

The function of Cisco Cloudlock for data security is data loss prevention (DLP). Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cloudlock’s simple, open, and automated approach uses APIs to manage the risks in your cloud app ecosystem1. One of the key features of Cloudlock is its DLP technology, which continuously monitors cloud environments to detect and secure sensitive information. It provides countless out-of-the-box policies as well as highly tunable custom policies. You can use Cloudlock’s DLP to prevent data breaches, comply with regulations, and enforce data governance across SaaS, PaaS, and IaaS platforms2. References: 1: Cisco Cloudlock - Cisco2: Cloudlock: Cloud User Security - Cisco Umbrella.

SQL injection attacks are a type of code injection technique that exploit the use of dynamic SQL queries in web applications. Attackers can inject malicious SQL statements into user input fields, such as login forms, search boxes, or URLs, and execute them on the underlying database. This can result in unauthorized access, data theft, data corruption, or denial of service.

To prevent SQL injection attacks, web developers should use the following techniques:

• Use prepared statements and parameterized queries: Prepared statements are SQL queries that are precompiled and executed with user-supplied parameters. Parameterized queries are SQL queries that use placeholders for user input and bind them to actual values at runtime. Both techniques separate the SQL code from the user input, making it impossible for attackers to inject SQL commands into the query. For example, in Java, PreparedStatement is a class that implements parameterized queries. In PHP, PDO and mysqli are extensions that support prepared statements.
• Block SQL code execution in the web application database login: Web applications should use a dedicated database user account with limited privileges to connect to the database. This account should only have the permissions necessary to perform the required operations, such as select, insert, update, or delete. It should not have the permissions to execute arbitrary SQL commands, such as create, drop, alter, grant, or revoke. This way, even if an attacker manages to inject SQL code into the query, the database will reject it due to insufficient privileges.

References:

• [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 5: Securing the Cloud, Lesson 5.2: Cloud Application Security, Topic 5.2.2: SQL Injection
• SQL Injection Prevention - OWASP Cheat Sheet Series
• How to Prevent SQL Injection: 5 Key Prevention Methods - eSecurityPlanet
• How to Protect Against SQL Injection Attacks

ExplanationExplanationA Directory Harvest Attack (DHA) is a technique used by spammers to find valid/existent email addresses at a domain either by using Brute force or by guessing valid e-mail addresses at a domain using differentpermutations of common username. Its easy for attackers to get hold of a valid email address if yourorganization uses standard format for official e-mail alias (for example: jsmith@example.com). We canconfigure DHA Prevention to prevent malicious actors from quickly identifying valid recipients.Note: Lightweight Directory Access Protocol (LDAP) is an Internet protocol that email programs use to look up contact information from a server, such as ClickMail Central Directory. For example, here’s an LDAP search translated into plain English: “Search for all people located in Chicago who’s name contains “Fred” that have an email address. Please return their full name, email, title, and description.

 Cisco Firepower is a unified security solution that combines firewall, intrusion prevention system (IPS), advanced malware protection (AMP), and threat intelligence features. Cisco ASA is a traditional firewall that focuses on network traffic control based on packet filtering and stateful inspection. One of the key differences between Cisco Firepower and Cisco ASA is that Cisco Firepower natively provides intrusion prevention capabilities while Cisco ASA does not. Intrusion prevention is the process of detecting and blocking malicious network traffic before it reaches the intended target. Cisco Firepower uses a combination of signature-based and behavior-based detection methods to identify and stop known and unknown attacks. Cisco ASA, on the other hand, does not have built-in intrusion prevention capabilities. It can only perform basic packet inspection and filtering based on predefined rules. To enable intrusion prevention on Cisco ASA, an additional module called FirePOWER Services is required. This module integrates Cisco Firepower features into Cisco ASA, but it is not the same as Cisco Firepower itself. Cisco Firepower offers more advanced and integrated security features than Cisco ASA with FirePOWER Services123. References: 1: Cisco ASA vs Cisco Firepower | What are the differences? - StackShare 2: Cisco FTD vs ASA: Difference and Comparison 3: CISCO FIREPOWER VS. ASA - Critical Design

ExplanationExplanationHow To Troubleshoot ISE Failed Authentications & AuthorizationsCheck the ISE Live LogsLogin to the primary ISE Policy Administration Node (PAN).Go to Operations > RADIUS > Live Logs(Optional) If the event is not present in the RADIUS Live Logs, go to Operations > Reports > Reports >Endpoints and Users > RADIUS AuthenticationsCheck for Any Failed Authentication Attempts in the Log

ExplanationA data breach is the intentional or unintentional release of secure or private/confidential information to anuntrusted environment.When your credentials have been compromised, it means someone other than you may be in possession of your account information, such as your username and/or password.

Explanation Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely.It protects your cloud users, data, and apps. Cisco Cloudlock provides visibility and compliance checks,protects data against misuse and exfiltration, and provides threat protections against malware like ransomware.

DNS tunneling is a technique that exploits the DNS protocol to tunnel malware and other data through a client-server model. DNS tunneling can be used for data exfiltration, command and control, or IP-over-DNS tunneling. DNS tunneling works by encoding the information of other protocols or programs in DNS queries and responses. An attacker registers a domain, such as badsite.com, and sets up a malicious DNS server that can interpret the encoded data. The attacker then infects a client with malware that can send and receive DNS queries to the attacker’s domain. The malware can use DNS queries to request commands from the attacker, or to send sensitive data to the attacker. The DNS queries and responses look like normal DNS traffic, but they contain hidden data that can bypass network defenses123. References := 1: What Is DNS Tunneling? - Palo Alto Networks 2: What is DNS Tunneling? - Check Point Software 3: What Is DNS Tunneling and How to Detect and Prevent Attacks

In a man-in-the-middle (MITM) attack, the attacker inserts their machine between two hosts that are communicating with each other, and secretly relays and possibly alters the messages between them. The attacker can intercept, modify, or spoof the data, and the hosts are unaware that their communication is compromised. A MITM attack can target any communication channel that uses weak or no encryption, such as email, web, or wireless networks. A MITM attack can break the confidentiality, integrity, and authenticity of the communication, and can have various goals, such as eavesdropping, stealing credentials, impersonating a legitimate party, or redirecting traffic. A MITM attack can be prevented by using strong encryption protocols, such as TLS, IPSec, or SSH, and verifying the identity of the communication endpoints using certificates or other means. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Man-in-the-middle attack - Wikipedia, Man-in-the-Middle Attack: Types and Examples - Fortinet

Cisco FTDv is a virtual appliance that combines the features of Cisco ASA and Cisco Firepower NGIPS. It provides stateful firewall, IPS, URL filtering, malware protection, and other advanced security functions. Cisco ASAv is a virtual appliance that only provides stateful firewall and VPN features. It does not support URL filtering or other Firepower functions. Therefore, Cisco FTDv provides more features than ASAv, especially for next-generation firewall capabilities. References :=

• Cisco Firewall in AWS - Should i use ASAv or FTDv/FMCv?
• Difference between Cisco ASAv, NGIPSv and FTDv…?
• Are there any differences in features between Cisco ASA hardware …

ExplanationExplanationYou can also bring up the port by using these commands:+ The “shutdown” interface configuration command followed by the “no shutdown” interface configurationcommand restarts the disabled port.+ The “errdisable recovery cause …” global configuration command enables the timer to automatically recover error-disabled state, and the “errdisable recovery interval interval” global configuration command specifies the time to recover error-disabled state.

ExplanationExplanationEach rule also has an action, which determines whether you monitor, trust, block, or allow matching traffic.Note: With action “trust”, Firepower does not do any more inspection on the traffic. There will be no intrusion protection and also no file-policy on this traffic.

The main difference between an on-premise solution and a cloud-based solution is the distribution of responsibilities between the customer and the provider. With an on-premise solution, the customer has full control over the installation, configuration, maintenance, and security of the product, but also bears the costs and risks associated with it. With a cloud-based solution, the provider takes care of most of these aspects, while the customer pays a subscription fee and accesses the product over the internet. Therefore, when choosing between the two options, the customer must consider factors such as cost, scalability, performance, availability, security, compliance, and customization. For example, an on-premise solution may be preferred if the customer has strict security or regulatory requirements, or needs a high level of customization. A cloud-based solution may be preferred if the customer wants to reduce capital expenditure, or needs a flexible and scalable solution that can adapt to changing demands. References :=

Some possible references are:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1: Describing Information Security Concepts, Topic: Cloud Security
• 350-701 SCOR - Cisco, Exam Topics, 1.0 Security Concepts, 1.6 Compare and contrast the characteristics of a data center and the cloud
• Cloud vs. On-Premise Software Comparison

Anycast IP is a component of Cisco umbrella architecture that increases reliability of the service by allowing the same IP address to exist on multiple servers around the world. This way, the user’s request is automatically routed to the nearest and fastest data center, and failover is seamless in case of an outage. Anycast IP also reduces latency and improves performance by using BGP to select the shortest path to the destination12. References := 1: Why Cisco Umbrella uses anycast routing - Cisco Umbrella 2: Cisco Umbrella At a Glance

PFS stands for Perfect Forward Secrecy, which is a property of some cryptographic protocols that ensures that the compromise of a long-term key does not affect the security of past or future sessions. PFS provides the highest level of protection against brute-force attacks, because even if an attacker manages to break the long-term key, they cannot decrypt the previous or subsequent communications that use different session keys. PFS is achieved by using ephemeral or temporary keys that are derived from a Diffie-Hellman key exchange, and are not based on the long-term key. Therefore, each session has a unique and independent key that is not stored or reused. PFS is supported by some protocols such as TLS, SSH, and IPsec123. References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Securing Networks with Cisco Firepower Next Generation IPS, Lesson 4.1: Deploying Cisco Firepower Next-Generation IPS, Topic 4.1.2: Cisco Firepower NGIPS Device Management 2: What is Perfect Forward Secrecy? | Baeldung on Computer Science4 3: Perfect Forward Secrecy - an overview | ScienceDirect Topics5

 Secret key cryptography, also known as symmetric key cryptography, is a type of encryption where a single secret key is used for both encryption and decryption of a message. The cryptographic key is kept secret between the sender and receiver, making it difficult for anyone else to decipher the message. Some of the functions of secret key cryptography are:

• Key selection without integer factorization: Secret key cryptography does not rely on complex mathematical problems such as integer factorization or discrete logarithms to generate keys. Instead, the keys are chosen randomly or derived from a passphrase or a shared secret. This makes the key generation process faster and simpler than in public key cryptography.
• Utilization of less memory: Secret key cryptography uses less memory than public key cryptography, as it only requires one key to be stored and managed. Public key cryptography, on the other hand, requires two keys (public and private) for each user, which increases the memory overhead and complexity of key management.

The other options are not functions of secret key cryptography, but rather characteristics of public key cryptography or asymmetric cryptography, which is a different type of encryption where different keys are used for encryption and decryption. Public key cryptography has the following features:

• Utilization of different keys for encryption and decryption: Public key cryptography uses a pair of keys, one public and one private, for each user. The public key can be shared with anyone, while the private key must be kept secret. The public key is used to encrypt messages, while the private key is used to decrypt them. This allows users to communicate securely without having to exchange a secret key beforehand.
• Utilization of large prime number iterations: Public key cryptography relies on hard mathematical problems such as integer factorization or discrete logarithms to generate keys. These problems involve finding the prime factors of large numbers or finding the discrete logarithms of numbers in a finite field. These problems are easy to solve in one direction, but hard to solve in the reverse direction. For example, it is easy to multiply two large prime numbers, but hard to find the prime factors of the product. This makes the keys hard to break by brute force or other methods.
• Provides the capability to only know the key on one side: Public key cryptography enables users to encrypt messages without knowing the recipient’s key, and vice versa. This is possible because the encryption and decryption keys are different and mathematically related. For example, Alice can encrypt a message with Bob’s public key, and only Bob can decrypt it with his private key. Alice does not need to know Bob’s private key, and Bob does not need to know Alice’s key. This also enables public key cryptography to support digital signatures, which are a way of verifying the identity and integrity of a message.

References :=

• What Is Secret Key Cryptography? A Complete Guide - Helenix
• Definition of Secret-key Cryptography - Gartner

Graphical user interface Description automatically generated with low confidence

ExplanationIn this IaaS model, cloud providers offer resources to users/machines that include computers as virtualmachines, raw (block) storage, firewalls, load balancers, and network devices.Note: Cloud access security broker (CASB) provides visibility and compliance checks, protects data against misuse and exfiltration, and provides threat protections against malware such as ransomware.

Text, chat or text message Description automatically generated

ExplanationYou can configure discovery rules to tailor the discovery of host and application data to your needs.The Firepower System can use data from NetFlow exporters to generate connection and discovery events, and to add host and application data to the network map.A network analysis policy governs how traffic is decoded and preprocessed so it can be further evaluated, especially for anomalous traffic that might signal an intrusion attempt -> Answer D is not correct.

A passphrase is a type of protection that encrypts RSA keys when they are exported and imported. A passphrase is a sequence of characters that the user enters to decrypt the key. The passphrase acts as a symmetric key that is used to encrypt and decrypt the RSA key with a symmetric algorithm, such as AES. This way, the RSA key is protected from unauthorized access or tampering when it is transferred or stored. A passphrase can also provide additional security by adding entropy to the RSA key generation process. A file, NGE, and nonexportable are not types of protection that encrypt RSA keys when they are exported and imported. A file is a container that stores the RSA key, but does not encrypt it. NGE stands for Next Generation Encryption, which is a set of cryptographic standards and algorithms that Cisco recommends, but it is not a specific type of protection. Nonexportable is a property that prevents the RSA key from being exported at all, but it does not encrypt it. References: RSA/Schannel Key BLOBs, Common Encryption Types, Protocols and Algorithms Explained, Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (Module 5: Implementing Secure Communications with VPNs, Lesson 5.1: Implementing Site-to-Site VPNs, Topic 5.1.2: Implementing Site-to-Site VPNs with Pre-Shared Keys)

A picture containing application Description automatically generated

ExplanationExplanationA certificate signing request (CSR) is one of the first steps towards getting your own SSL Certificate. Generated on the same server you plan to install the certificate on, the CSR contains information (e.g. common name, organization, country) that the Certificate Authority (CA) will use to create your certificate. It also contains the public key that will be included in your certificate and is signed with the corresponding private key

ExplanationExplanationTo configure an NTP enabled router to require authentication when other devices connect to it, use thefollowing commands:NTP_Server(config)#ntp authentication-key 2 md5 securitytutNTP_Server(config)#ntp authenticateNTP_Server(config)#ntp trusted-key 2Then you must configure the same authentication-key on the client router:NTP_Client(config)#ntp authentication-key 2 md5 securitytutNTP_Client(config)#ntp authenticateNTP_Client(config)#ntp trusted-key 2NTP_Client(config)#ntp server 10.10.10.1 key 2Note: To configure a Cisco device as a NTP client, use the command ntp server . For example:Router(config)#ntp server 10.10.10.1. This command will instruct the router to query 10.10.10.1 for the time.

DMVPN and sVTI are both VPN technologies that use IPsec to secure the tunnel traffic. However, they differ in how they establish and manage the tunnels. DMVPN supports dynamic tunnel establishment, which means that the VPN endpoints can create and delete tunnels on demand, based on the routing information. This allows for a scalable and flexible VPN topology, where the endpoints can communicate directly with each other without going through a central hub. sVTI, on the other hand, supports static tunnel establishment, which means that the VPN endpoints have to manually configure the tunnel source and destination addresses. This requires a one-to-one mapping between the endpoints, and limits the VPN topology to a hub-and-spoke model, where the endpoints can only communicate with the hub. Therefore, DMVPN is more suitable for large and dynamic VPN networks, while sVTI is more suitable for small and stable VPN networks. References:

• [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 5: Secure Connectivity, Lesson 5.2: Implementing Site-to-Site VPNs, Topic 5.2.3: Dynamic Multipoint VPN (DMVPN)
• what is difference between svti and DVTI? - Cisco Community

 A security application that notifies a controller within a software-defined network architecture about a specific security threat is using a northbound API. A northbound API is an interface that enables communication between the SDN controller and the applications or management systems that use the network services1. A security application can use a northbound API to send alerts, requests, or commands to the SDN controller, which can then take appropriate actions on the network devices or policies2. For example, a security application can use a northbound API to inform the SDN controller about a malicious traffic pattern, and the SDN controller can then block or redirect the traffic using a southbound API3.

References: 1: What is Software-Defined Networking (SDN)? | VMware Glossary 2: Intent-Based Networking’s Next Evolution: The DNA Center Platform - Cisco Blogs 3: Cisco SDN Security: Securing the Software Defined Network - Cisco

ExplanationSymmetric encryption uses a single key that needs to be shared among the people who need to receive the message while asymmetric encryption uses a pair of public key and a private key to encrypt and decrypt messages when communicating.Asymmetric encryption takes relatively more time than the symmetric encryption.Diffie Hellman algorithm is an asymmetric algorithm used to establish a shared secret for a symmetric keyalgorithm. Nowadays most of the people uses hybrid crypto system i.e, combination of symmetric andasymmetric encryption. Asymmetric Encryption is used as a technique in key exchange mechanism to share secret key and after the key is shared between sender and receiver, the communication will take place using symmetric encryption. The shared secret key will be used to encrypt the communication.Triple DES (3DES), a symmetric-key algorithm for the encryption of electronic data, is the successor of DES (Data Encryption Standard) and provides more secure encryption then DES.Note: Although “requires secret keys” option in this question is a bit unclear but it can only be assigned toSymmetric algorithm.

ExplanationExplanationEndpoint protection platforms (EPP) prevent endpoint security threats like known and unknown malware.Endpoint detection and response (EDR) solutions can detect and respond to threats that your EPP and other security tools did not catch.EDR and EPP have similar goals but are designed to fulfill different purposes. EPP is designed to providedevice-level protection by identifying malicious files, detecting potentially malicious activity, and providing tools for incident investigation and response.The preventative nature of EPP complements proactive EDR. EPP acts as the first line of defense, filtering out attacks that can be detected by the organization’s deployed security solutions. EDR acts as a second layer of protection, enabling security analysts to perform threat hunting and identify more subtle threats to the endpoint.Effective endpoint defense requires a solution that integrates the capabilities of both EDR and EPP to provide protection against cyber threats without overwhelming an organization’s security team.

 SNMPv3 is a security model that uses authentication and encryption to provide secure access to devices. SNMPv3 requires the configuration of SNMP groups, users, and views. SNMP groups define the security model, security level, and access rights for a set of users. SNMP users are members of SNMP groups and have passwords for authentication and encryption. SNMP views define the subset of the MIB tree that a group of users can access. To facilitate access to the SNMP views, the network administrator must map the SNMPv3 users to the SNMP views using the snmp-server group command with the v3 and view keywords. This command assigns a view to a group of users and specifies the security model and level for that group. For example, the following command maps the SNMPv3 users in the group admin to the view all using the authPriv security level:

snmp-server group admin v3 authPriv read all write all

This command allows the users in the group admin to access all the MIB objects in the view all using authentication and encryption. The other options are not correct because they are not related to the SNMP views. Option B is incorrect because the password for SNMPv3 authentication is configured for each user using the snmp-server user command with the auth keyword. Option C is incorrect because the encryption algorithm for SNMPv3 is also configured for each user using the snmp-server user command with the priv keyword. Option D is incorrect because the UDP port used by SNMP is not configurable and is always 161 for queries and 162 for traps. References :=

Some possible references for this question are:

• SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) - SNMP Version 3
• Configuration Template for SNMPv3 - Cisco Community
• Configure ESXi for SNMP v3 - VMware Docs
• How to Configure SNMPv3 and How It Works - CBT Nuggets

ExplanationUmbrella Roaming is a cloud-delivered security service for Cisco’s next-generation firewall. It protects your employees even when they are off the VPN.

Cisco Stealthwatch - rapidly collects and analyzes netflow and telementy data to deliver in-depth visibility and understanding of network traffic

Cisco ISE – obtains contextual identity and profiles for all users and device

Cisco TrustSec – software defined segmentation that uses SGTs

Cisco Umbrella – secure internet gateway ion the cloud that provides a security solution

The Southbound API is used to communicate between Controllers and network devices.

ExplanationExplanationA teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets to a targetmachine. Since the machine receiving such packets cannot reassemble them due to a bug in TCP/IPfragmentation reassembly, the packets overlap one another, crashing the target network device. This generally happens on older operating systems such as Windows 3.1x, Windows 95, Windows NT and versions of the Linux kernel prior to 2.1.63.

Using an Internet browser to access cloud-based service creates the risk of insecure implementation of API. API stands for Application Programming Interface, which is a set of rules and protocols that allow different applications or services to communicate and exchange data. API is often used to access cloud-based service, such as software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS). However, if the API is not implemented securely, it can expose sensitive data or allow unauthorized access to the cloud service. For example, an API may not use encryption, authentication, or authorization mechanisms to protect the data in transit or at rest. An API may also have vulnerabilities such as injection, broken authentication, or insufficient logging and monitoring, which can be exploited by attackers to compromise the cloud service or the user’s browser. Therefore, it is important to follow the best practices and standards for secure API development and testing, such as OWASP API Security Top 10. References:

• 1: Implementing and Operating Cisco Security Core Technologies (SCOR) - Cisco
• 2: 350-701 SCOR - Cisco
• 3: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0
• 4: 12 Cloud Security Issues: Risks, Threats & Challenges - CrowdStrike
• 5: 12 Risks, Threats, & Vulnerabilities in Moving to the Cloud - SEI Blog
• 6: Remote Browser Isolation Protects Users from Threats - Cisco Umbrella
• 7: Which risk is created when using an Internet browser to access cloud-based service?
• 8: Browser in the Cloud: The Evolution of Secure Browsing - Leostream
• [9]: OWASP API Security Top 10 2023

 The Cisco ESA uses the Sender Domain Reputation (SDR) service to assign a reputation verdict to each message based on the sender’s domain and other attributes. The SDR verdicts range from Awful to Good, and each verdict has a corresponding reputation score. The administrator can configure a message or content filter to take action on messages based on their SDR verdict or score. For example, the administrator can set a threshold score to drop messages that have a poor or awful reputation. However, if the SDR service cannot determine a verdict for a message, it assigns an undetermined verdict with a score of -1. This means that the message will not be dropped by the filter unless the administrator explicitly sets the threshold to -1 or lower. Therefore, the reason why the Cisco ESA is not dropping files that have an undetermined verdict is because the file has a reputation score that is above the threshold. References :=

Some possible references are:

• Configure Sender Domain Reputation for ESA
• Sender Domain Reputation Filtering
• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (source book)

 The vulnerability that allows the attacker to see the passwords being transmitted in clear text is the lack of encryption on the VPN links. Encryption is a process of transforming data into an unreadable form, so that only authorized parties can access it. VPN (Virtual Private Network) is a technology that creates a secure tunnel between two or more devices over a public network, such as the Internet. VPN links should be encrypted to prevent eavesdropping, tampering, or spoofing of the data that passes through them. If the VPN links are not encrypted, an attacker can use a packet sniffer to intercept and read the data, including the passwords, that are sent over the network. This is called a sniffing attack, and it can lead to credential theft, identity spoofing, or data manipulation. Therefore, VPN links should always use strong encryption protocols, such as IPsec or SSL/TLS, to protect the confidentiality and integrity of the data. References :=

Some possible references are:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Cisco: This is the official course page for the SCOR 350-701 exam, which covers the topics of implementing and operating Cisco security core technologies. It provides the course objectives, outline, duration, and prerequisites. It also offers various learning options, such as instructor-led training, e-learning, and practice exams.
• SCOR 350-701 Official Cert Guide - Cisco Press: This is the official study guide for the SCOR 350-701 exam, written by Omar Santos, a principal engineer at Cisco’s Security Research and Operations group. It covers all the exam topics in depth, with explanations, examples, exercises, and practice questions. It also includes a companion website with online resources, such as videos, quizzes, flashcards, and more.
• Cleartext submission of password - PortSwigger: This is a web security article that explains the vulnerability of transmitting passwords over unencrypted connections, and how to exploit it using Burp Suite, a web application testing tool. It also provides some remediation advice, such as using HTTPS and HSTS to enforce encryption.
• What Are Sniffing Attacks, and How Can You Protect Yourself? - EC-Council: This is a blog post that describes what sniffing attacks are, how they work, and what are the common types and tools of sniffing attacks. It also provides some tips on how to prevent or detect sniffing attacks, such as using encryption, VPN, firewall, IDS, and anti-sniffing software.
• OWASP Application Security FAQ | OWASP Foundation: This is a frequently asked questions page about application security, maintained by the Open Web Application Security Project (OWASP), a non-profit organization that promotes web security awareness and best practices. It covers various topics, such as authentication, authorization, session management, input validation, output encoding, cryptography, error handling, logging, and more.

 ESP (Encapsulating Security Payload) is a cryptographic process that provides origin confidentiality, integrity, and origin authentication for packets. ESP encrypts the payload of an IP packet with a symmetric key, and adds a header and a trailer to the packet. The header contains a security parameter index (SPI) and a sequence number, which are used to identify the security association (SA) and prevent replay attacks. The trailer contains padding and a next header field, which are used to align the packet and indicate the type of the original payload. ESP also adds an authentication data field at the end of the packet, which contains a message authentication code (MAC) that is computed over the entire ESP packet (except for the authentication data field itself) using a secret key and a hash function. The MAC provides data integrity and origin authentication for the packet. ESP can operate in two modes: tunnel mode and transport mode. In tunnel mode, ESP encapsulates the entire original IP packet, including the IP header, and adds a new IP header. This mode provides protection for the entire packet, but adds more overhead. In transport mode, ESP only encapsulates the payload of the original IP packet, and leaves the IP header intact. This mode provides protection only for the payload, but preserves the original IP header information. ESP is one of the two main protocols of IPsec, along with AH (Authentication Header). AH only provides data integrity and origin authentication, but not confidentiality. AH adds a header to the IP packet, which contains a MAC that is computed over the immutable fields of the IP header and the entire payload. AH does not encrypt the payload, and therefore does not protect it from eavesdropping. AH can also operate in tunnel mode or transport mode, but it is incompatible with NAT devices, which modify the IP header fields. IKE (Internet Key Exchange) is a protocol that is used to establish and manage SAs for IPsec. IKE negotiates the security parameters, such as the encryption and authentication algorithms, the keys, and the SPIs, for the IPsec protocols. IKE also performs mutual authentication between the IPsec peers, and establishes a secure channel for exchanging keying material. IKE has two versions: IKEv1 and IKEv2. IKEv1 consists of two phases: phase 1 and phase 2. In phase 1, IKEv1 establishes an IKE SA, which is a secure channel for phase 2. In phase 2, IKEv1 negotiates one or more IPsec SAs, which are used to protect the IPsec traffic. IKEv2 simplifies the IKE protocol by combining the two phases of IKEv1 into a single exchange. IKEv2 also supports more features, such as NAT traversal, EAP authentication, and MOBIKE. References :=

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: VPN Technologies, Lesson 3.1: Site-to-Site VPNs, Topic 3.1.1: IPsec VPNs
• IPsec - Wikipedia
• AH and ESP protocols - IBM
• How TLS provides identification, authentication, confidentiality, and integrity - IBM

 The product that allows Cisco FMC to push security intelligence observable to its sensors from other products is Threat Intelligence Director (TID). TID is a feature of Cisco FMC that enables you to integrate third-party threat intelligence feeds into your security policies. TID collects, aggregates, and correlates observables from multiple sources, such as Cisco Talos Intelligence, Cisco Umbrella, and other external providers. TID then pushes the observables to the sensors that are managed by FMC, such as Firepower Threat Defense (FTD) devices, Firepower appliances, and Cisco Secure Firewall Cloud Native. The sensors can then use the observables to block or monitor traffic based on the reputation and threat level of the IP addresses, URLs, and domains12.

References: 1: Firepower Management Center Configuration Guide, Version 6.6 - Threat Intelligence Director [Cisco Secure Firewall Management Center] - Cisco 2: Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.6 - Threat Intelligence Director [Cisco Firepower NGFW] - Cisco

An active/active FlexVPN configuration allows for multiple routers or VRFs to act as hubs for different VPN groups, providing load balancing and redundancy1. This is useful when the VPN deployment has a large number of spokes or different security policies for different groups of spokes. DMVPN, on the other hand, only supports a single hub or a pair of hubs in active/standby mode for each VPN group2. This limits the scalability and flexibility of DMVPN deployments. Therefore, an engineer would opt for an active/active FlexVPN configuration as opposed to DMVPN when multiple routers or VRFs are required. References :=

• Cisco FlexVPN: Benefits and Best Practices
• Cisco DMVPN Design Guide

ExplanationThe command crypto isakmp key cisco address 1.2.3.4 authenticates the IP address of the 1.2.3.4 peer by using the key cisco. The address of “0.0.0.0” will authenticate any address with this key

ExplanationExplanationCustomers must manage applications and data in PaaS.

ExplanationExplanationThere are three basic categories of attack:+ volume-based attacks, which use high traffic to inundate the network bandwidth+ protocol attacks, which focus on exploiting server resources+ application attacks, which focus on web applications and are considered the most sophisticated and serious type of attacks Reference: https://www.esecurityplanet.com/networks/types-of-ddos-attacks/

ExplanationA posture policy is a collection of posture requirements, which are associated with one or more identity groups, and operating systems. We can configure ISE to check for the Windows patch at Work Centers > Posture > Posture Elements > Conditions > File.In this example, we are going to use the predefined file check to ensure that our Windows 10 clients have the critical security patch installed to prevent the Wanna Cry malware; and we can also configure ISE to update the client with this patch.

The best way to prevent the session during the initial TCP communication is to configure policies to stop and reject communication from the known malicious domain. This will prevent the ESA from accepting any messages from that domain and send a negative SMTP response code back to the sender. This will also save the ESA’s resources and bandwidth, as it will not have to process or store the malicious emails. This can be done by creating a sender group in the Host Access Table (HAT) that matches the malicious domain and setting the mail flow policy to “Reject” or “Throttle”. Alternatively, a message filter can be created that checks the envelope sender against the malicious domain and applies the “stop_connection” or “reject_connection” action12.

The other options are not as effective as stopping and rejecting the communication at the TCP level. Configuring the Cisco ESA to drop the malicious emails (option A) will still allow the ESA to accept the messages and then silently discard them, which will consume the ESA’s resources and bandwidth, and also not notify the sender of the rejection. Configuring policies to quarantine malicious emails (option B) will also require the ESA to accept and store the messages, which will take up disk space and require manual or automated management of the quarantine. Configuring the Cisco ESA to reset the TCP connection (option D) will abruptly terminate the connection without sending a proper SMTP response code, which may cause the sender to retry the delivery and generate more traffic. Resetting the TCP connection is also considered a less polite and less compliant way of rejecting messages than sending a negative SMTP response code34. References: 1: How to Block a Sender Domain on the Email Security Appliance 2: Message Filters on the Cisco Email Security Appliance 3: How to Configure the Cisco Email Security Appliance to Reject or Drop Messages 4: Cisco Email Security Appliance User Guide - Configuring Mail Policies

ExplanationMalware means “malicious software”, is any software intentionally designed to cause damage to a computer, server, client, or computer network. The most popular types of malware includes viruses, ransomware and spyware. Virus Possibly the most common type of malware, viruses attach their malicious code to clean code and wait to be run.

Ransomware is malicious software that infects your computer and displays messages demanding a fee to be paid in order for your system to work again.Spyware is spying software that can secretly record everything you enter, upload, download, and store on your computers or mobile devices. Spyware always tries to keep itself hidden.An exploit is a code that takes advantage of a software vulnerability or security flaw.Exploits and malware are two risks for endpoints that are not up to date. ARP spoofing and eavesdropping are attacks against the network while denial-of-service attack is based on the flooding of IP packets.

Phishing attacks are a type of social engineering that aim to trick users into revealing their personal or financial information, or installing malware on their devices. To control phishing attacks, users and organizations need to implement various preventive and reactive measures, such as:

• Enable browser alerts for fraudulent websites. Most modern browsers have built-in features that can warn users when they visit a website that is suspected of being malicious or impersonating a legitimate entity. These alerts can help users avoid falling for phishing scams that use fake web pages to capture their credentials or other sensitive data. For example, Google Chrome has a Safe Browsing feature that displays a red warning page when users try to access a deceptive site. Users should always pay attention to these alerts and avoid proceeding to untrusted sites.
• Implement email filtering techniques. Email is one of the most common channels for phishing attacks, as attackers can send spoofed messages that appear to come from trusted sources, such as banks, government agencies, or colleagues. Email filtering techniques can help block or flag suspicious emails based on various criteria, such as the sender’s address, the subject line, the content, or the attachments. For example, Microsoft Outlook has a Junk Email Filter that can move potential phishing emails to a separate folder or delete them automatically. Users should also be careful not to open or reply to any unsolicited or unexpected emails, especially those that ask for personal or financial information, or contain links or attachments.

Other mechanisms that can help control phishing attacks include:

• Use strong passwords and enable two-factor authentication. Even if users fall victim to phishing attacks and reveal their passwords, they can still protect their accounts by using strong and unique passwords for each service, and enabling two-factor authentication (2FA) whenever possible. 2FA adds an extra layer of security by requiring users to enter a code or a token that is sent to their phone or email, or generated by an app, in addition to their password. This way, even if attackers obtain the password, they cannot access the account without the second factor.
• Don’t ignore update messages. Users should always keep their operating systems, browsers, and applications updated with the latest security patches and fixes. These updates can help prevent phishing attacks that exploit known vulnerabilities or bugs in the software. Users should also use antivirus and antispyware software that can detect and remove malware that may be installed by phishing attacks.
• Exercise caution when opening emails or clicking on links. Users should always be skeptical and vigilant when they receive emails or messages that ask them to take urgent or unusual actions, such as verifying their account, updating their payment information, or downloading a file. Users should also check the sender’s address, the spelling and grammar, and the URL of any links before clicking on them. Users can hover over the link to see the actual destination, or use a link scanner tool, such as VirusTotal, to check if the link is malicious or not.

References :=

1: https://safebrowsing.google.com/  2: https://support.microsoft.com/en-us/office/overview-of-the-junk-email-filter-5ae3ea8e-cf41-4fa0-b02a-3b96e21de089  3: https://www.virustotal.com/gui/home/url

 A private cloud is a cloud deployment model that is dedicated to a single organization and provides exclusive access to its resources and services. A private cloud can be hosted on-premises or off-premises by a third-party provider, but in either case, the organization has full control and visibility over the security, privacy, and compliance of its data and applications. A private cloud can also leverage the security features and best practices of the public cloud service provider, if applicable, while maintaining a higher degree of isolation and customization. A private cloud is the most secure deployment model when considering risks to cloud adoption, as it minimizes the exposure of sensitive data to external threats, reduces the dependency on the security posture of the cloud service provider, and enables the organization to meet its specific security and regulatory requirements123. References: 1: Best Practices to Manage Risks in the Cloud - ISACA 2: Security in the Microsoft Cloud Adoption Framework for Azure 3: Five challenges to cloud adoption and how to overcome them - PwC Middle East

ExplanationPing of Death (PoD) is a type of Denial of Service (DoS) attack in which an attacker attempts to crash,destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command.A correctly-formed ping packet is typically 56 bytes in size, or 64 bytes when the ICMP header is considered,and 84 including Internet Protocol version 4 header. However, any IPv4 packet (including pings) may be as large as 65,535 bytes. Some computer systems were never designed to properly handle a ping packet larger than the maximum packet size because it violates the Internet Protocol documentedLike other large but well-formed packets, a ping of death is fragmented into groups of 8 octets beforetransmission. However, when the target computer reassembles the malformed packet, a buffer overflow can occur, causing a system crash and potentially allowing the injection of malicious code.

ExplanationA botnet is a collection of internet-connected devices infected by malware that allow hackers to control them.Cyber criminals use botnets to instigate botnet attacks, which include malicious activities such as credentialsleaks, unauthorized access, data theft and DDoS attacks.

 Cisco AMP Threat Grid is a cloud-based or on-premises solution that provides advanced malware analysis and threat intelligence. It combines static and dynamic analysis techniques to examine the behavior of malware samples and correlate them with global and historical context. It also produces detailed reports, threat scores, and behavioral indicators that help security teams prioritize and respond to threats faster and more effectively12. References: 1: Cisco Secure Malware Analytics (Threat Grid) - Cisco 2: Products - Cisco Threat Grid Cloud Data Sheet - Cisco

Explanation

In deceptive phishing, fraudsters impersonate a legitimate company in an attempt to steal people’s personal data or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing what the attackers want.

Spear phishing is carefully designed to get a single recipient to respond. Criminals select an individual target within an organization, using social media and other public information – and craft a fake email tailored for that person.

ExplanationTwo-factor authentication adds a second layer of security to your online accounts. Verifying your identity using asecond factor (like your phone or other mobile device) prevents anyone but you from logging in, even if theyknow your password.Note: Single sign-on (SSO) is a property of identity and access management that enables users to securelyauthenticate with multiple applications and websites by logging in only once with just one set of credentials(username and password). With SSO, the application or website that the user is trying to access relies on atrusted third party to verify that users are who they say they are.

Explanation

Spero analysis is a feature of Cisco AMP for Networks that examines structural characteristics such as metadata and header information in executable files. After generating a Spero signature based on this information, if the file is an eligible executable file, the device submits it to the Spero heuristic engine in the AMP cloud for analysis1. Spero analysis can detect malware based on the file’s structure and behavior, without requiring a full file upload2. Spero analysis is different from dynamic analysis, sandbox analysis, and malware analysis, which are other features of Cisco AMP for Networks that perform different types of file inspection and analysis3. References: 1: How to configure Firepower AMP to not upload files to … - Cisco Community 2: File Policies - Network Direction 3: Cisco AMP for Networks - Cisco

Cisco Identity Services Engine (ISE) uses various probes to collect attributes of connected endpoints, such as device type, operating system, IP address, MAC address, and so on. These attributes are used to profile the endpoints and assign them to appropriate identity groups and policies. Two of the probes that can be configured to gather attributes of connected endpoints using Cisco ISE are RADIUS and DHCP.

• RADIUS probe: The RADIUS probe collects attributes from the RADIUS packets that are exchanged between the network access devices (NADs) and the ISE Policy Service Nodes (PSNs) during the authentication and authorization process. The RADIUS probe can extract attributes such as username, calling-station-ID, NAS-IP-address, NAS-port-type, service-type, and so on. The RADIUS probe can also collect attributes from the RADIUS accounting packets that are sent by the NADs to the ISE PSNs after the session is established. The RADIUS probe can extract attributes such as session-ID, framed-IP-address, acct-session-time, and so on. The RADIUS probe is enabled by default and does not require any additional configuration on the NADs or the ISE PSNs.
• DHCP probe: The DHCP probe collects attributes from the DHCP packets that are exchanged between the endpoints and the DHCP server during the IP address assignment process. The DHCP probe can extract attributes such as hostname, vendor-class-identifier, client-identifier, parameter-request-list, and so on. The DHCP probe can also collect attributes from the DHCP relay packets that are forwarded by the NADs to the ISE PSNs. The DHCP probe can extract attributes such as relay-agent-information and subscriber-ID. The DHCP probe requires some configuration on the NADs and the ISE PSNs. The NADs must be configured to relay or copy the DHCP packets to the ISE PSNs, and the ISE PSNs must be configured to receive the DHCP packets on a specific interface.

References: 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_assetvisibility_endpointprofiler.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_00.html

The amount of URI text that is stored in Cisco WSA log files is controlled by the log-entry size parameter, which can be configured using the advancedproxyconfig command. The log-entry size parameter specifies the maximum number of bytes of the URI that will be logged for each request. The default value is 1024 bytes, but it can be changed to any value between 1 and 4096 bytes. If the URI is longer than the log-entry size, it will be truncated and a plus sign (+) will be appended to indicate that the URI was cut off. Configuring a small log-entry size can reduce the disk space and bandwidth consumption of the log files, but it can also limit the visibility and analysis of the requests.

References :=

• User Guide for AsyncOS 11.0 for Cisco Web Security Appliances, Customizing Access Logs
• Cisco WSA CLI Reference Guide for AsyncOS 11.0, advancedproxyconfig Command
• WSA FAQ: How can I view the logs on the Cisco WSA? - Cisco

ExplanationDynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. After enabling DAI, all ports become untrusted ports.

The Cisco ASA must support TLS proxy for encrypted Cisco Unified Communications traffic. This means that the ASA acts as a proxy between the Cisco IP Phone and the Cisco Unified Communications Manager (UCM), decrypting, inspecting, and re-encrypting the voice signaling traffic. To do this, the ASA needs to have the certificates of the devices that the phone trusts, such as the UCM servers and the TFTP servers. These certificates are stored in a Certificate Trust List (CTL) file that the phone downloads from the UCM before registration. Therefore, the ASA must be added to the CTL file on the UCM platform, so that the phone can verify the identity of the ASA as a proxy. The other options are not relevant for this scenario. The Endpoint Trust List is a list of certificates that the UCM trusts for encrypted endpoints. The Enterprise Proxy Service is a feature that allows the UCM to route calls to and from the public switched telephone network (PSTN) through a SIP proxy server. The Secured Collaboration Proxy is a feature that allows the UCM to encrypt the media streams between endpoints using Secure Real-Time Transport Protocol (SRTP). References :=

• Cisco Secure Firewall ASA Unified Communications Guide - TLS Proxy for Encrypted Voice Inspection
• TLS Proxy for Encrypted Voice Inspection - Cisco
• Where must the ASA be added on the Cisco UC Manager platform?

In a remote access VPN configuration, dynamic split tunneling allows traffic to certain trusted domains to bypass the VPN tunnel and exit through the client's local internet gateway. This feature selectively directs only the necessary traffic over the VPN, while allowing direct internet access for specific domains or traffic deemed safe or trusted, optimizing bandwidth and performance for remote users.

MFA, or multi-factor authentication, is a method of verifying a user’s identity by requiring two or more factors, such as something the user knows (e.g. password), something the user has (e.g. phone), or something the user is (e.g. fingerprint). MFA is an effective deterrent for phishing attacks, which are attempts to trick users into revealing their credentials or other sensitive information by sending them fraudulent emails or websites that impersonate legitimate entities. MFA can prevent phishing attacks by adding an extra layer of security that is not easily compromised by the attackers, even if they manage to obtain the user’s password. For example, if the user receives a phishing email that asks them to log in to their bank account, and they enter their password on the fake website, the attacker will not be able to access the account unless they also have the user’s phone or fingerprint. MFA can also alert the user of a phishing attempt if they receive an unexpected authentication request on their phone or other device. References:

• What Type of Attacks Does MFA Prevent? | OneLogin
• Multi-Factor Authentication and Cyberattacks - NYU

 OWASP stands for Open Web Application Security Project, a non-profit organization that provides resources for web application security. OWASP has developed a number of standards, projects, events, and news on topics such as web application security, supply chain security, and cyber risk mitigation1. One of the most widely recognized OWASP resources is the OWASP Top 10, a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications, such as broken access control, cryptographic failures, injection, and insecure design2. The OWASP Top 10 is updated periodically based on data analysis and community feedback. The latest edition was released in 20213. By following the OWASP Top 10 and other OWASP resources, developers can build more secure applications that minimize these risks. References := 1: OWASP Foundation, the Open Source Foundation for Application Security 2: OWASP Top Ten | OWASP Foundation 3: OWASP Top 10:2021

 Posture is a feature within Cisco ISE that verifies the compliance of an endpoint before providing access to the network. Posture assessment checks the state of the endpoint, such as the operating system, antivirus, firewall, patches, and so on, against the predefined policies. If the endpoint does not meet the policy requirements, it can be remediated by installing or updating the necessary software or configuration. Posture assessment can be done for both wired and wireless endpoints, as well as VPN clients. Posture assessment requires the installation of a posture agent on the endpoint, which communicates with the posture service on the ISE server. The posture agent can be either a persistent agent, which runs in the background and provides continuous assessment, or a temporal agent, which runs on-demand and is removed after the assessment is complete. Posture assessment can be integrated with 802.1X or web authentication methods for network access control. References :=

Some possible references are:

• ISE Posture Prescriptive Deployment Guide
• ISE Posture Deployment Best Practices and Considerations
• Understanding ISE Posture Services

 The destination command is required to complete the flow record and specify the IP address of the Stealthwatch collector that will receive the NetFlow data. The transport udp 2055 command is also needed, but it is part of the flow exporter configuration, not the flow record. The match ipv4 ttl and cache timeout active 60 commands are optional and can be used to customize the flow record, but they are not mandatory. The flow record defines the fields that are collected and exported for each flow, such as source and destination IP addresses, ports, protocols, etc. The flow exporter defines the destination, source, transport protocol, and port for sending the NetFlow data. The flow monitor binds the flow record and the flow exporter together and applies them to an interface. The following is an example of a complete NetFlow configuration for sending data to Stealthwatch:

flow exporter EXPORTER description Export NetFlow to Stealthwatch destination 1.1.1.1 export-protocol netflow-v9 source Vlan100 transport udp 2055 ! flow record RECORD description NetFlow record match datalink mac source address input match datalink mac destination address input match datalink vlan input match ipv4 ttl match ipv4 tos match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input collect interface output collect counter bytes long collect counter packets long collect timestamp absolute first collect timestamp absolute last ! flow monitor IPv4_NETFLOW record RECORD exporter EXPORTER cache timeout active 60 ! interface <> ip flow monitor IPv4_NETFLOW input ! References : Configuring and Troubleshooting NetFlow for Stealthwatch, Cisco NetFlow Configuration, Building a Better Monitoring Solution with Flexible Netflow

CoA stands for Change of Authorization, which is a feature that allows a RADIUS server to adjust an active client session after it is authenticated. For example, CoA can be used to reauthenticate a client, terminate a client session, or change the VLAN or group policy of a client. CoA is supported by several RADIUS vendors, including Cisco ISE. CoA is defined in RFC 5176 and uses a pushed model, where the request originates from the RADIUS server and is sent to the network device that acts as a listener. CoA requests can have two possible response codes: CoA-ACK (acknowledgment) or CoA-NAK (non-acknowledgment). References :=

Some possible references are:

• RADIUS Change of Authorization
• Change of Authorization with RADIUS (CoA) on MR Access Points
• Change of Authorization with RADIUS (CoA) on MS Switches
• Technical Tip: Radius COA behavior

 To configure the Cisco ASA via ASDM for SNMPv3, the administrator needs to perform two main tasks: specify an SNMP user group and add an SNMP USM entry. An SNMP user group defines the access level and security model for a group of SNMP users. An SNMP USM entry defines the authentication and encryption parameters for a specific SNMP user. These two tasks are required for SNMPv3 because it uses a user-based security model (USM) that provides secure access to the MIB objects. SNMPv3 does not use a community string, which is a shared password used by SNMPv1 and SNMPv2c. The SNMP manager and UDP port are optional parameters that can be specified to customize the SNMP communication. The SNMP host access entry is also optional and can be used to restrict the access of SNMP hosts to specific interfaces or networks. References :=

Some possible references are:

• SNMP Configuration, Verification and Troubleshooting on ASA
• How to configure SNMP v3 on Cisco Switch, Router, ASA, Nexus
• SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

Transparent traffic redirection using WCCP is a deployment mode for the Cisco WSA that allows it to intercept and proxy web requests from client applications without requiring any configuration on the clients. This mode increases the visibility and control of web traffic, while making the proxy function invisible to the users. To support this mode, the Cisco WSA must be configured to use the transparent proxy mode, which enables it to listen on ports 80 and 443 for HTTP and HTTPS traffic, respectively. The Cisco WSA must also be configured to use WCCP service IDs, which are numerical identifiers that specify the type and range of ports to be redirected. For example, service ID 0 (web-cache) redirects port 80, service ID 70 (https-cache) redirects port 443, and service ID 60 (ftp-native) redirects port 21 and a range of passive FTP ports. The Cisco WSA must also be configured to join a WCCP group, which is a set of WCCP routers or switches that cooperate to redirect traffic to the WSA. The WCCP group can be specified by a group list, which is an access list that defines the IP addresses of the WCCP routers or switches, or by a password, which is a shared secret that authenticates the WCCP communication. The WCCP group must also be configured on the network device that performs the traffic redirection, such as a Cisco router, switch, or ASA firewall. The network device must support WCCPv2, which is the latest version of the protocol that allows for advanced features such as load balancing, encryption, and GRE encapsulation. The network device must also be configured to use the same WCCP service IDs and group list or password as the Cisco WSA. The network device must also be configured to apply the WCCP redirection to the appropriate interface and direction, such as the inside interface and inbound direction for traffic originating from the internal network. The network device must also be configured to use an access list that defines the traffic to be redirected or bypassed, such as the source and destination IP addresses, ports, and protocols. The access list can also be used to exclude certain traffic from WCCP redirection, such as traffic to private or internal destinations, or traffic from specific hosts123 References := 1: Configure Transparent Redirection With WCCP in Order to Redirect Native FTP Traffic - Cisco 2: Solved: Transparent Redirection - Cisco Community 3: Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP - Cisco Community

Cisco Stealthwatch is a network security and visibility platform that provides an agentless solution to monitor network traffic and detect threats, including those in encrypted traffic. Stealthwatch uses Encrypted Traffic Analytics (ETA), a technology that leverages network telemetry and machine learning to identify malicious patterns and behaviors in encrypted traffic without decryption. ETA can also assess the cryptographic strength and compliance of the encryption protocols used in the network. Stealthwatch integrates with other Cisco security products, such as Cisco Identity Services Engine (ISE) and Cisco Advanced Malware Protection (AMP), to provide contextual information and threat intelligence for faster and more effective response. Stealthwatch is the only Cisco platform that offers ETA as a solution to provide visibility across the network, including encrypted traffic analytics, to detect malware in encrypted traffic without the need for decryption. References :=

Some possible references are:

• Cisco Secure Network Analytics (Stealthwatch) - Cisco, Cisco
• Encrypted Traffic Analytics > Security | Cisco Press, Cisco Press
• Solutions - Encrypted Traffic Analytics with the New Cisco Network and Secure Network Analytics At-a-Glance - Cisco, Cisco
• Cisco Encrypted Traffic Analytics White Paper, Cisco

Certificate authorities (CAs) are responsible for issuing, renewing, revoking, and publishing digital certificates. They also maintain a certificate revocation list (CRL), which is a database of revoked certificates that can be checked by relying parties to verify the validity of a certificate. Registration authorities (RAs) are entities that assist CAs with the verification of user identities and enrollment requests. They do not issue certificates themselves, nor do they have access to the CRL. Therefore, CRL publishing is a function that is performed by CAs but is a limitation of RAs. References :=

Some possible references are:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Connectivity, Lesson 4.1: VPN Fundamentals, Topic 4.1.1: Public Key Infrastructure (PKI)
• Easy guide to SSL certificate authorities, Namecheap
• How exactly are registration authorities related to certificate authorities?, Information Security Stack Exchange

The WCCP-configured router identifies if the Cisco WSA is functional by exchanging periodic messages with the WSA. The WSA sends a Here-I-Am message every 10 seconds to the router, which contains information such as the WSA’s IP address, service group, and hash assignment. The router responds with an I-See-You message, which acknowledges the receipt of the Here-I-Am message and provides information such as the router’s IP address, service group, and view of the WCCP topology. These messages allow the router and the WSA to maintain a bidirectional communication and to detect any changes or failures in the WCCP network12.

Option C is the correct answer, as it describes the correct message exchange between the WCCP-configured router and the Cisco WSA. Option A is incorrect, as the router does not use ICMP ping to check the WSA’s functionality, and the traffic is not transmitted to the router, but redirected by the router. Option B is incorrect, as the router does not use ICMP ping to check the WSA’s functionality, and the traffic is not transmitted to the WSA, but redirected by the WSA. Option D is incorrect, as the router does not send a Here-I-Am message, but an I-See-You message, and the WSA does not acknowledge with an I-See-You message, but a Here-I-Am message. References: WCCP Router Configuration Example - Cisco. Cisco ASA WCCP Traffic Redirection Guide - Cisco.

 To enable CWA for wireless guest access, the ISE engineer needs to configure the following steps on the ISE server:

• Create a guest portal with the desired settings and appearance.
• Create an authorization profile that references the guest portal and the DACL name for the Airespace ACL configured on the WLC. The DACL name must match the name of the ACL on the WLC exactly. The authorization profile also needs to have the common tasks of Web Redirection and Web Authentication enabled.
• Create an authorization policy that matches the unauthenticated devices based on the MAC address or other criteria and applies the authorization profile created in the previous step.

The DACL name is required for the WLC to apply the correct ACL to the guest endpoints and redirect them to the guest portal. Without the DACL name, the WLC will not know which ACL to use and may grant full guest access to the endpoints. Therefore, the correct answer is D.

References :=

Some possible references are:

• Central Web Authentication (CWA) for guests with ISE
• Understand And Troubleshoot Central Web-Authentication (CWA) In Guest Anchor Set-Up
• Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Release 17.3.0 - Guest Access

Full Context Awareness - policy enforcement

NGIPS - threat prevention

AMP - real-time

Collective Sec Intel - Detection, blocking an remediation

Mobile device management (MDM) is a toolset that provides a workforce with mobile productivity tools and applications while keeping corporate data secure1. One of the essential capabilities of an MDM solution is the unified management of mobile devices, Macs, and PCs from a centralized dashboard2. This allows IT and security departments to manage all of a company’s devices, regardless of their operating system, and perform tasks such as provisioning, configuration, update, lock, wipe, and troubleshoot2. Another important capability of an MDM solution is the enforcement of device security policies from a centralized dashboard3. This enables IT and security departments to protect the device’s applications, data, and content, and ensure compliance with organizational and regulatory standards3. For example, an MDM solution can set minimum password strength, encrypt data, restrict access, and detect threats3.

References: 1: What is Mobile Device Management (MDM)? | IBM 2: 5 Essential Capabilities of an MDM Solution | Macworld 3: What is device management? | Microsoft Learn

 The error 403: Forbidden indicates that the web server denied access to the requested resource, which in this case is the PCAP file. One possible reason for this error is that the HTTPS server is not enabled for the device platform policy, which is a configuration that applies to the FTD devices managed by the FMC. The device platform policy defines the settings for the management interface, the SSH access, the SNMP, the NTP, the DNS, and the HTTPS server. The HTTPS server allows the FMC to access the FTD devices via HTTPS and perform tasks such as packet capture, packet tracer, and file transfer. If the HTTPS server is not enabled for the device platform policy, the FMC cannot access the PCAP file from the FTD device via HTTPS. Therefore, the engineer must enable the HTTPS server for the device platform policy in order to resolve this issue. To enable the HTTPS server for the device platform policy, the engineer must follow these steps:

• Log in to the FMC web interface and navigate to Devices > Platform Settings.
• Select the device platform policy that applies to the FTD device and click Edit.
• In the General tab, check the Enable HTTPS Server checkbox and click Save.
• Deploy the policy changes to the FTD device and wait for the deployment to complete.
• Try to access the PCAP file again from the FMC web browser using the same address.

Alternatively, the engineer can also enable the HTTPS server for the FTD device from the FTD CLI using the command configure network https-server enable. However, this method is not recommended because it may cause a configuration conflict with the FMC123

References := 1: Use Firepower Threat Defense Captures and Packet Tracer - Cisco 2: Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.6 - Device Management Basics [Cisco Firepower NGFW] - Cisco 3: Cisco Firepower Threat Defense Command Reference - C through D Commands [Cisco Firepower NGFW] - Cisco

AES (Advanced Encryption Standard) is a symmetric encryption algorithm that uses the same key to encrypt and decrypt data. It turns plain text into a code that only the intended recipient can read. AES has different key sizes, such as 128, 192, and 256 bits. The larger the key size, the more secure and complex the encryption is. AES 256 is the most secure encryption algorithm for VPN communications, as it uses a 256-bit key that would take an enormous amount of time and computing power to crack. AES 256 is widely used by VPN providers, as it offers a high level of security and performance for VPN tunnels. AES 256 is also recommended by the U.S. government for protecting classified information. References :=

• How Does a VPN Securely Encrypt Your Connection?
• What Is VPN Encryption, Types, Protocols And Algorithms Explained
• What is AES (Advanced Encryption Standard)?
• What is VPN Encryption & How Does it Work?

 Cisco Cloudlock is a cloud-native security solution that secures public, private, hybrid, and community clouds. It provides visibility, compliance, threat protection, and data security for cloud applications and environments. Cisco Cloudlock integrates with various cloud platforms and services, such as AWS, Azure, Google Cloud, Office 365, Salesforce, Dropbox, and more. Cisco Cloudlock monitors user activities, configurations, and sensitive data across the cloud, and alerts or blocks any violations of policies or regulations. Cisco Cloudlock also leverages user and entity behavior analytics (UEBA) to detect and respond to anomalous or malicious behaviors in the cloud. Cisco Cloudlock helps organizations protect their cloud assets and data, while enabling them to embrace the benefits of cloud computing. References :=

• Cloud and Application Security - Cisco
• Cloud Security Products and Solutions - Cisco
• What Is Cloud Security? - Cisco
• [Cisco Cloudlock: Cloud-Native CASB and Cloud Cybersecurity Platform]

 The API key is used for HTTP authentication when working with APIs, including https://api.amp.cisco.com/v1/computers. It ensures that the user or system making the API request is authenticated and authorized to access the resources requested. The image you sent shows a Python code snippet that imports the requests module, assigns a client ID and an API key to variables, and uses them to make an API call. The API key is passed as a header parameter in the requests.get() function, which is a common way of implementing HTTP authentication. The other options are not correct because they do not describe the role of the API key. The client ID is a different parameter that identifies the user or system making the request, but it does not authenticate them. HTTP authorization is a process of granting or denying access to resources based on the user’s identity and permissions, but it is not the same as authentication. Importing requests is a Python statement that loads the requests module, which is a library for making HTTP requests, but it has nothing to do with the API key.  References :=

Some possible references are:

• Cisco AMP for Endpoints API
• requests - HTTP for Humans
• HTTP authentication - MDN Web Docs

 PAC files are scripts that tell web browsers how to use proxies on the network. They use if-else statements to determine whether to use a proxy or a direct connection for traffic between the PC and the host, based on criteria such as the destination URL, the source IP address, or the network subnet12. The WSA can host PAC files on port 9001 by default, and this port can be changed in the PAC file hosting settings2. If the WSA host port is changed, the default port does not redirect web traffic to the correct port automatically; the browser needs to point to the new port in the PAC file URL2. The WSA does not host PAC files on port 6001 by default2. PAC files do not direct traffic through a proxy when the PC and the host are on the same subnet by default; this behavior depends on the PAC file logic12. References:

• PAC file format
• PAC file hosting on WSA

Two-factor authentication is a security feature that requires users to provide two forms of information before gaining access to the Cisco ESA. The two factors are usually something the user knows, such as a password, and something the user has, such as a token or a code. Two-factor authentication can be enabled for specific user roles on the Cisco ESA through a RADIUS server, which is an external authentication server that supports the Remote Authentication Dial-In User Service (RADIUS) protocol. The RADIUS server can generate and validate the second factor for the users, such as a one-time password (OTP) or a time-based one-time password (TOTP). To enable two-factor authentication through a RADIUS server, the network engineer must configure the RADIUS server settings on the Cisco ESA, and assign the user roles that require two-factor authentication to use the RADIUS server as the authentication source. This can be done on the System Administration > Users page in the web interface, or by using the userconfig command in the CLI12.

A cluster is a group of Cisco ESAs that share the same configuration information and can be managed centrally. A cluster can provide increased reliability, flexibility, and scalability for the email security system. To join a cluster, a Cisco ESA must have the same AsyncOS version as the other cluster members, and must use a pre-shared key to authenticate with the cluster leader. The pre-shared key is a secret passphrase that is configured on the cluster leader and must be entered on the joining appliance. To join a cluster by using the Cisco ESA CLI, the network engineer must use the clusterconfig command, which allows the engineer to create a new cluster, join an existing cluster, or leave a cluster. The clusterconfig command also allows the engineer to specify the communication port and the hostname or IP address of the cluster leader. If the Cisco ESA has enabled two-factor authentication, the network engineer must also use the clusterconfig > prepjoin command to configure the pre-shared key before joining the cluster34.

Therefore, option A is the correct answer, and the other options are incorrect. Option B is incorrect because the cluster configuration options must be done via the CLI on the Cisco ESA and cannot be created or joined in the GUI. Option C is incorrect because the Cisco ESA does not support TACACS+ as an external authentication source, only LDAP and RADIUS. Option D is incorrect because it also uses TACACS+, which is not supported by the Cisco ESA. References :=

• User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) - Distributing Administrative Tasks
• User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) - External Authentication
• Configure an Email Security Appliance (ESA) Cluster
• User Guide for AsyncOS 14.0 for Cisco Secure Email Gateway - GD (General Deployment) - Centralized Management

DNS tunneling is a technique that encodes data of other programs and protocols in DNS queries, including data payloads that can be used to control a remote server and applications1. DNS exfiltration is a form of DNS tunneling that allows attackers to extract data from a compromised system by sending encoded DNS requests to a domain under their control2. The direction of the data transfer in DNS exfiltration is outbound, meaning from the victim’s network to the attacker’s network. This is different from inbound, which means from the attacker’s network to the victim’s network, or north-south and east-west, which are terms used to describe the traffic flow between different network segments or zones3. Outbound DNS requests are often allowed by default in many firewalls and network devices, making them an attractive channel for data exfiltration4. However, DNS exfiltration can be detected and prevented by using security solutions that monitor and analyze DNS traffic for anomalies and malicious patterns5.

References: 1: Improvements to DNS Tunneling & Exfiltration Detection - Cisco Umbrella 2: DNS Exfiltration & Tunneling: How it Works & DNSteal Demo Setup 3: What Is DNS Tunneling? - Palo Alto Networks 4: DNS Data Exfiltration and DNS Tunneling | Vercara 5: DNS Exfiltration: The Light at the End of the DNS Tunnel - site

Asymmetric encryption, also known as public key cryptography, uses two different keys for encryption and decryption: a public key and a private key. The public key can be shared with anyone, while the private key must be kept secret. Data encrypted with the public key can only be decrypted with the private key, and vice versa. This ensures that only the intended recipient can access the encrypted data, and that the sender can prove their identity with a digital signature. Asymmetric encryption is widely used for securing Internet communications, such as TLS/SSL, which enables HTTPS. Some examples of asymmetric encryption algorithms are RSA, Diffie-Hellman, and Elliptic Curve Cryptography. The other options are not correct because they do not use a public key and private key. Symmetric encryption uses the same key for encryption and decryption, and is faster and more efficient than asymmetric encryption. However, symmetric encryption requires a secure way to exchange the key between the sender and the receiver, which can be facilitated by asymmetric encryption. Linear and nonlinear encryption are not types of encryption, but rather properties of encryption algorithms. A linear encryption algorithm is one that can be expressed as a linear function, such as XOR. A nonlinear encryption algorithm is one that involves more complex mathematical operations, such as modular arithmetic or S-boxes. Nonlinear encryption algorithms are generally more secure and resistant to cryptanalysis than linear encryption algorithms. References :=

• Public-key cryptography - Wikipedia
• How does public key cryptography work? - Cloudflare
• Public and private encryption keys | PreVeil
• AES encryption, what are public and private keys?

The intelligent proxy is a feature of Cisco Umbrella that allows it to selectively inspect and proxy web requests for domains that are classified as risky or potentially malicious. These domains may contain both safe and harmful content, and the intelligent proxy can filter out the malicious files or URLs while allowing the benign ones to pass through. The intelligent proxy can also apply SSL decryption to inspect encrypted traffic and enforce policies based on the content or destination of the web requests. To enable the intelligent proxy, an engineer needs to configure it within the Cisco Umbrella dashboard and select the categories of domains that should be proxied. The categories are based on the domain reputation and security risk, and range from High Risk to Low Risk. The engineer can also customize the list of domains to include or exclude from the intelligent proxy. By configuring the intelligent proxy, the engineer can achieve the objectives of identifying and proxying traffic that is categorized as risky domains and may contain safe and malicious content. References :=

Some possible references are:

• Enable the Intelligent Proxy - Umbrella User Guide, Cisco
• Manage the Intelligent Proxy - Umbrella User Guide, Cisco
• Intelligent Proxy in Cisco Umbrella how it works, Cisco Learning Network
• What is the Intelligent Proxy? - MSP User Guide, Cisco
• Cisco Umbrella Intelligent Proxy and SSL Decryption implementation, Cisco Community

The process in DevSecOps where all changes in the central code repository are merged and synchronized is called Continuous Integration (CI). CI is a practice that aims to improve the quality and speed of software development by automating the building, testing, and integration of code changes. CI enables developers to collaborate more effectively and detect errors early in the development cycle. CI also helps to ensure that the code in the repository is always in a deployable state and conforms to the security and quality standards123. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) course, Module 5: Secure Network Access, Identity Management, and Visibility, Lesson 5.1: Introducing DevSecOps 2: DevSecOps code process - AT&T4 3: Building a DevSecOps Culture - from a Technical Perspective5

CoA-ACK is the CoA response code that is sent if an authorization state is changed successfully on a Cisco IOS device. CoA-ACK stands for CoA acknowledgment, which indicates that the device has received and processed the CoA request from the server and applied the new authorization settings to the session. The attributes returned within a CoA-ACK can vary based on the CoA request, such as session reauthentication, session termination, or session modification. The other options are not correct because they are not valid CoA response codes. CoA-NCL, CoA-NAK, and CoA-MAV are not defined in RFC 5176, which specifies the CoA protocol. CoA-NAK is the closest option, but it stands for CoA non-acknowledgment, which indicates that the device has rejected the CoA request from the server due to some error or inconsistency. References :=

Some possible references are:

• RADIUS Change of Authorization - Cisco
• Security and VPN Configuration Guide, Cisco IOS XE 17.x
• RFC 5176 - Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

ESA stands for Email Security Appliance, which is a Cisco product that provides comprehensive email security solutions. ESA can be deployed in different modes, such as gateway, hybrid, or cloud, depending on the customer’s needs and preferences. One of the key components of ESA configuration is the listener, which is a service that listens for incoming SMTP connections on a specific port and interface. A listener can be configured to handle inbound or outbound email, or both, depending on the mail flow policies and sender groups that are applied to it.

One way to segregate inbound and outbound email on ESA is to use a pair of logical listeners on a single physical interface with two unique logical IPv4 addresses and one IPv6 address. This method allows the ESA to have two separate listeners for inbound and outbound email, each with its own IP address and mail flow policies, while using the same physical interface and port. This can simplify the network configuration and reduce the hardware requirements for ESA deployment. The IPv6 address can be used to support dual-stack IPv4 and IPv6 environments, or to provide redundancy in case of IPv4 address exhaustion.

The other options are incorrect because:

• A is false, as one listener on a single physical interface cannot segregate inbound and outbound email, unless it uses different sender groups and mail flow policies for different hosts, which is not a recommended practice.
• C is false, as pair of logical IPv4 listeners and a pair of IPv6 listeners on two physically separate interfaces is an unnecessary and complex configuration that does not provide any additional benefits over option B.
• D is false, as one listener on one logical IPv4 address on a single logical interface cannot segregate inbound and outbound email, unless it uses different sender groups and mail flow policies for different hosts, which is not a recommended practice.

References:

• ESA Outbound Traffic Relay Configuration Example
• How do I configure a relay host on the ESA for outbound mail?
• [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0] - Module 5: Securing Email with Cisco Email Security Appliance, Lesson 5.1: Describing the Cisco Email Security Solution

 TAXII, short for Trusted Automated eXchange of Intelligence Information, is a protocol that defines how cyber threat information can be shared via services and message exchanges. It is designed specifically to support STIX information, which is a standardized language for expressing and exchanging cyber threat information. TAXII enables organizations to share STIX information by defining an API that aligns with common sharing models, such as hub and spoke, source/subscriber, and peer-to-peer. TAXII also defines four services that allow users to discover, manage, receive, and request STIX information. Therefore, TAXII supports STIX information and determines how threat intelligence information is relayed. TAXII does not determine the “what” of threat intelligence, as that is the role of STIX. TAXII does not allow users to describe threat motivations and abilities, as that is also part of STIX. TAXII does not exchange trusted anomaly intelligence information, as that is a specific type of threat intelligence that may or may not be represented in STIX. References:

• What are STIX/TAXII Standards I Resources I Anomali
• Cyber Threat Intelligence Technical Committee - GitHub Pages

DHCP option 82 is a feature that allows the network access device (NAD) to insert additional information into the DHCP request packet from the endpoint. This information can include the switch ID, port number, VLAN ID, and other attributes that can help Cisco ISE to identify and profile the endpoint. Cisco ISE can use DHCP option 82 to assign the endpoint to the appropriate identity group, policy, and authorization profile. DHCP option 82 is also useful to prevent rogue DHCP servers from assigning IP addresses to endpoints, as Cisco ISE can verify the legitimacy of the DHCP request based on the option 82 data. To use DHCP option 82, the NAD must be configured to enable this feature and send the option 82 data to Cisco ISE. Cisco ISE must also be configured to accept and parse the option 82 data from the NAD. For more details on how to configure DHCP option 82 on Cisco ISE and NAD, see the references below. References:

• Configuring the DHCP Probe
• Securing Your Network From DHCP Risks
• Can we use ISE as DHCP/DNS server to prevent guest traffic using …

 The RADIUS CoA feature supports the IETF attribute 24 State, which is used to identify the session for which the CoA request is intended. The State attribute is sent by the device in the Access-Accept message and must be echoed back by the RADIUS server in the CoA-Request message. The other attributes are not supported for the RADIUS CoA feature.

To understand the concept of RADIUS CoA and the supported attributes, you can refer to the following sections of the source book:

• Section 1.1.2: Describe the concepts of network security
• Section 1.1.2.6: Describe the concepts of RADIUS CoA
• Section 1.1.2.7: Describe the concepts of supported IETF attributes

References:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0
• RADIUS Change of Authorization - Cisco
• RADIUS attribute for change of authorization - Ruckus Networks

The difference between GRE over IPsec and IPsec with crypto map is that GRE (Generic Routing Encapsulation) over IPsec can encapsulate and transport non-IP protocols across an IP network, whereas IPsec with crypto map is typically used for IP traffic. GRE tunnels wrapped in IPsec provide a way to transport multicast traffic and other protocol types across an IPsec VPN, offering greater flexibility in the types of traffic that can be secured.

Cisco CWS eliminates the need to backhaul traffic through headquarters for remote workers whereas Cisco WSA does not. Cisco CWS is a cloud-based web security service that provides comprehensive protection against web-based threats for users anywhere, on any device1. Cisco WSA is an on-premises web security appliance that provides web filtering, malware scanning, data loss prevention, and other features for users within the network perimeter2. One of the benefits of using Cisco CWS over Cisco WSA is that it eliminates the need to backhaul traffic through headquarters for remote workers, which can reduce bandwidth costs, latency, and complexity3. Remote workers can connect directly to the nearest Cisco CWS data center and receive the same level of web security as if they were in the office. Cisco WSA, on the other hand, requires remote workers to use a VPN or proxy to route their web traffic through the headquarters, which can affect their performance and user experience. References:

• 1: Cisco Cloud Web Security Data Sheet
• 2: Cisco Secure Web Appliance Data Sheet
• 3: Cisco Cloud Web Security: Comprehensive Defense, Advanced Threat Protection, and Superior Flexibility for Your Business
• : Cisco Cloud Web Security: How It Works
• : Cisco Cloud Web Security: FAQ

L2TP and GRE are both tunneling protocols that can be used to create site-to-site VPNs. However, they have some differences in how they encapsulate and transport data. L2TP is a layer 2 protocol that uses IP packet encapsulation to carry PPP frames over an IP network. L2TP does not add any additional header to the IP packet, but relies on IPsec to provide encryption and authentication. GRE is a layer 3 protocol that adds its own header to the IP packet, which contains information such as the protocol type, checksum, and key. GRE can be used to carry any type of payload over an IP network, not just PPP frames. GRE also requires IPsec to provide security for the tunnel. Therefore, the correct answer is C, because GRE over IPsec adds its own header, and L2TP does not1234 References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Module 5: Secure Connectivity 2: What is the difference between L2TP vs GRE 3: GRE over IPSec vs L2TP over IPSEC 4: difference between L2TP/GRE/MPLS

 Cisco AMP for Endpoints is the Cisco security solution that determines if an endpoint has the latest OS updates and patches installed on the system. Cisco AMP for Endpoints is a cloud-based endpoint protection platform that provides advanced malware prevention, detection, and response capabilities. One of the features of Cisco AMP for Endpoints is the Endpoint Compliance Scanner, which allows administrators to create and enforce policies that check the compliance status of endpoints based on various criteria, such as OS version, patch level, antivirus status, firewall status, and more. The Endpoint Compliance Scanner can also remediate non-compliant endpoints by applying patches, updating antivirus signatures, enabling firewall, and so on. By using the Endpoint Compliance Scanner, administrators can ensure that all endpoints are up to date and secure against known vulnerabilities and threats. References:

• Cisco AMP for Endpoints
• Endpoint Compliance Scanner
• Implementing and Operating Cisco Security Core Technologies (SCOR) - Module 4: Endpoint Protection and Detection

The crypto isakmp identity hostname command is required to define the identity used by the router when participating in the Internet Key Exchange protocol. This command is needed when you specify preshared keys for authentication. The ip name-server command is required to specify the IP address of the DNS server that can resolve the FQDN of the remote peer. This command is needed when you use the crypto isakmp key command with the hostname option instead of the address option. The other commands are not required or correct for this scenario. References: 1, 2, 3

To block certain URLs based on the “Chat and Instant Messaging” category, the network administrator should select a reputation score of 5. A reputation score is a numerical value that indicates the likelihood of a URL being malicious or unwanted. The lower the score, the higher the risk. A score of 5 means that the URL is suspicious or potentially harmful, and should be blocked or inspected12. A score of 3 means that the URL is unknown or unverified, and may be allowed or blocked depending on the policy settings12. A score of 10 means that the URL is trustworthy or benign, and should be allowed12. A score of 1 means that the URL is malicious or high-risk, and should be blocked12. Therefore, a score of 5 is the most appropriate to block the “Chat and Instant Messaging” category, which may contain unwanted or problematic websites. References:

• Reputation score, section “Reputation score”.
• Web content filtering, section “What is web content filtering?”.

ExplanationZero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location.The Zero Trust model uses microsegmentation — a security technique that involves dividing perimeters into small zones to maintain separate access to every part of the network — to contain attacks.

To connect Cisco Secure Workload to external orchestrators at a client site where incoming connections are not allowed, a reverse tunnel must be used. A reverse tunnel initiates the connection from the inside of the client's network out to the external orchestrator, thereby bypassing restrictions on incoming connections and enabling secure communication.

To implement external authentication against Active Directory, the Cisco ISE server needs to communicate with the domain controller using either RADIUS or LDAP protocols. RADIUS is used for network access control, while LDAP is used for identity management and directory services. Both protocols require the appropriate ports to be opened and firewall rules to be configured to allow the traffic between the ISE server and the domain controller.

The ISE account does not need to be a domain administrator in Active Directory to perform JOIN operations. It only needs to have the permissions to create computer objects and reset passwords in the domain. This can be achieved by delegating the rights to a specific OU or using a service account with limited privileges.

Active Directory supports user and machine authentication by using various methods, not only MSCHAPv2. MSCHAPv2 is a challenge-response authentication protocol that is commonly used with RADIUS and VPN connections. However, Active Directory also supports other protocols such as Kerberos, NTLM, EAP, and PEAP, depending on the scenario and the client capabilities.

References:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0
• Cisco ISE Integration with Microsoft Active Directory
• RADIUS vs. LDAP: What’s the Difference?
• MS-CHAP v2 Authentication

A PAC file, or proxy auto-configuration file, is a script that tells the web browser how to use a proxy server for different URLs. A PAC file can be hosted on a web server or on the WSA itself, and can be deployed to the client web browser manually or automatically. A WSA HTTP proxy configuration with a PAC file is defined as an explicit proxy deployment, because the client web browser is aware of the proxy and sends requests to it directly. This is different from a transparent proxy deployment, where the client web browser is unaware of the proxy and the requests are redirected to it by a network device such as a router or a firewall. A bridge proxy deployment is a type of transparent proxy deployment where the WSA acts as a layer 2 bridge between two network segments and intercepts the traffic passing through it. A PAC file is not used in a bridge proxy deployment. In a dual-NIC configuration, the WSA has two network interfaces, one for the client-side network and one for the server-side network. The PAC file does not direct traffic through the two NICs to the proxy, but rather tells the client web browser to send requests to the proxy’s IP address and port number. The WSA then forwards the requests to the server-side network through the other NIC. Therefore, option B is incorrect. References :=

Some possible references are:

• 1: What is a Proxy Pac file and are there any examples? - Cisco
• 2: What is a PAC file and where is it located on WSA? - Cisco
• 3: [WSA Training Series] How to configure the HTTPS Proxy on the Cisco Web Security Appliance
• 4: Proxy Auto-Configuration (PAC) file
• 5: Use proxy auto-configuration (.pac) files with IEAK 11

 Phishing is a type of cyberattack that uses fraudulent emails or other communications to trick users into providing sensitive information or installing malware on their devices1. Phishing can lead to identity theft, data breaches, ransomware infections, and financial losses. To protect employees from phishing attacks, a company can use various solutions that can detect, block, and remediate phishing threats. Two of these solutions are:

• Cisco Umbrella: Cisco Umbrella is a cloud-based security platform that provides the first line of defense against threats on the internet, including phishing2. Cisco Umbrella uses DNS-layer security, which can identify and block malicious domains, IPs, and URLs before they can reach the user’s device2. Cisco Umbrella also integrates with Cisco Email Security to provide additional protection against phishing emails that may bypass the email gateway3.
• Cisco Email Security Appliance (ESA): Cisco ESA is an email gateway that protects inbound and outbound email traffic from spam, malware, phishing, and other threats4. Cisco ESA uses multiple layers of defense, such as reputation filtering, antivirus scanning, outbreak filters, and content filtering, to prevent malicious emails from reaching the user’s inbox4. Cisco ESA also leverages Cisco Advanced Phishing Protection, which uses machine learning and threat intelligence to identify and block sophisticated phishing attacks that use identity deception techniques5.

References := 1: What Is Phishing? Examples and Phishing Quiz - Cisco 2: Cisco Umbrella - Cloud Delivered Enterprise Security 3: Cisco Umbrella and Cisco Email Security Integration 4: Cisco Secure Email - Cisco 5: Cisco Advanced Phishing Protection - Cisco Video Portal

Container orchestration is the automated process of organizing the functions of modular, containerized components that create the infrastructure of an application1. Container orchestration tools, such as Kubernetes, provide a framework for managing containers and microservices architecture at scale2. A feature of container orchestration is the ability to deploy Kubernetes clusters in air-gapped sites, which are isolated from the internet and other networks for security reasons3. Cisco Container Platform (CCP) is a solution that simplifies the deployment and management of Kubernetes clusters in any environment, including air-gapped sites4. CCP provides a data plane that runs on the Kubernetes nodes and handles the container networking, storage, and security. CCP also provides a control plane that runs on a separate management cluster and provides a web-based user interface and API for cluster operations. CCP supports the deployment of Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS) clusters on the data plane, but not on air-gapped sites. References: 1: What Is Container Orchestration? | AppDynamics 2: What is container orchestration? - Red Hat 3: Container orchestration for microservices - Azure Architecture Center 4: Cisco Container Platform Data Sheet : Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Cloud and Network Security, Lesson 5.3: Cisco Cloud Security Solutions, Topic 5.3.2: Cisco Container Platform : Cisco Container Platform User Guide, Release 5.1, Chapter: Deploying Amazon ECS Clusters

In a Cisco Secure Workload implementation, telemetry data can be generated from IPFIX (Internet Protocol Flow Information Export) records using NetFlow connectors and Cisco Secure Workload itself. NetFlow provides insights into network traffic flow and volume, while Cisco Secure Workload uses this data for visibility, segmentation, and security analytics within the data center.

 Cisco AMP for Endpoints provides next-generation protection by leveraging an endpoint protection platform (EPP) and endpoint detection and response (EDR) capabilities. EPP is a set of multifaceted prevention techniques that stop threats from compromising endpoints, such as behavioral analytics, machine learning, and signature-based methods. EDR is a set of powerful features that reduce the attack surface and remediate faster, such as advanced threat hunting, endpoint isolation, and dynamic malware analysis. Cisco AMP for Endpoints also integrates with SecureX, a built-in platform that offers extended detection and response (XDR) capabilities across multiple control points, such as network, cloud, email, and web. By combining EPP, EDR, and XDR, Cisco AMP for Endpoints delivers a comprehensive and resilient endpoint security solution that can detect, respond, and recover from sophisticated attacks. References:

• Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco
• Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco
• Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco

Talos Intelligence is a comprehensive threat intelligence service that provides up-to-date information on URL filtering, reputations, and vulnerability information. Talos Intelligence can be integrated with Cisco FTD and Cisco WSA to enhance the security and visibility of the network. Cisco FTD and Cisco WSA can leverage the Talos Intelligence feeds to perform Security Intelligence filtering, which allows the devices to block or allow traffic based on the reputation of the source or destination IP addresses, URLs, or DNS requests. Talos Intelligence feeds are updated regularly and can be configured to download automatically or manually on the FTD and WSA devices12345. References := 1: Cisco Talos Intelligence Group - Comprehensive Threat Intelligence 2: Threat Intelligence on Cisco Stealthwatch - Cisco Community 3: Third-Party Integration of Security Feeds with FMC (Cisco Threat … - Cisco Community 4: Cisco Firepower Threat Defense Configuration Guide for Firepower Device … 5: Cisco Firepower Threat Defense Configuration Guide for Firepower Device …

Cisco Advanced Phishing Protection (AAP) is a solution that helps organizations protect against fraudulent senders and identity deception-based attacks, such as business email compromise (BEC) and spear phishing. AAP uses advanced machine learning techniques, real-time behavior analytics, relationship modeling, and telemetry to perform two main functions12:

• It determines if the email messages are malicious by assessing the threat posture of the sender and the content of the message. It also validates the reputation and authenticity of the sender by checking various indicators, such as the domain, the IP address, the SPF, DKIM, and DMARC records, the display name, the reply-to address, and the header information. AAP assigns a risk score to each email message and provides a verdict of clean, malicious, or suspicious. It also adds a banner to the email message to inform the recipient of the risk level and the recommended action.
• It does a real-time user web browsing behavior analysis by monitoring the user’s interaction with the email message and the links embedded in it. It tracks the user’s clicks, mouse movements, dwell time, and other indicators to detect any signs of hesitation, confusion, or curiosity. It also analyzes the destination URL of the links and compares it with the known malicious websites. If AAP detects any anomalous or risky behavior, it intervenes with a warning message or a redirect page to educate the user and prevent them from falling victim to the phishing attack. References := 1: Cisco’s Security Innovations to Protect the Endpoint and Email 2: Cisco Advanced Phishing Protection - Cisco Video Portal

Cisco Umbrella allows you to create custom destination lists that contain specific domains or IP addresses that you want to allow or block. You can then apply these destination lists to your policies to override the default behavior of Umbrella. For example, if you want to block specific addresses using Cisco Umbrella, you can create a destination list with those addresses and set the action to block. Then, you can assign this destination list to the policy that you want to modify. This way, any request to those addresses will be blocked by Umbrella, regardless of the content category or application settings12 References := 1: Manage Policies - Umbrella User Guide 2: Understanding Destination lists supported entries and error messages - Cisco Umbrella

The cloud security shared responsibility model is a way of describing how the security tasks and obligations are divided between the cloud service provider (CSP) and the customer, depending on the type of cloud service model used. The cloud service models are:

• Software as a Service (SaaS): The CSP provides and manages the entire software stack, including the applications, data, runtime, middleware, operating system, virtualization, servers, storage, and networking. The customer only needs to access the software through a web browser or an application. The customer is responsible for managing their own data and identities, as well as configuring the security settings of the software. The CSP is responsible for everything else, including patching the operating system and the applications12
• Platform as a Service (PaaS): The CSP provides and manages the platform layer, including the runtime, middleware, operating system, virtualization, servers, storage, and networking. The customer can deploy and run their own applications and data on the platform, using the tools and languages supported by the CSP. The customer is responsible for managing their own applications and data, as well as configuring the security settings of the platform. The CSP is responsible for patching the operating system and the middleware12
• Infrastructure as a Service (IaaS): The CSP provides and manages the infrastructure layer, including the virtualization, servers, storage, and networking. The customer can provision and use virtual machines, containers, or bare metal servers, and install their own operating system, middleware, applications, and data. The customer is responsible for managing and patching their own operating system, middleware, applications, and data, as well as configuring the security settings of the infrastructure. The CSP is responsible for the physical security and availability of the infrastructure12

References := 1: Shared responsibility in the cloud - Microsoft Azure 2: Cloud security shared responsibility model - NCSC

A connector is a feature that enables a Cisco ISR to use the default bypass list automatically for web filtering. A connector is a software component that runs on the ISR and communicates with the Cloud Web Security service. The connector intercepts the web traffic from the branch users and redirects it to the Cloud Web Security service for scanning and policy enforcement. The connector also maintains a default bypass list, which contains the domains and URLs that are not redirected to the Cloud Web Security service. The default bypass list is updated automatically by the Cloud Web Security service and can be customized by the administrator. The default bypass list helps to improve the performance and reliability of the web filtering solution by avoiding unnecessary redirections of trusted or sensitive web traffic12. References: 1: Security Configuration Guide: Cloud Web Security, Cisco IOS Release 15M&T - Cisco Integrated Services Routers Generation 2 with Cisco Cloud Web Security Solution [Support] - Cisco 2: Security Configuration Guide: Cloud Web Security, Cisco IOS Release 15M&T - Configuring Cloud Web Security on Integrated Services Routers Generation 2 [Support] - Cisco

The login block-for command sets a limit on the maximum number of failed login attempts allowed within a defined period of time. If this limit is exceeded, no further logins are allowed for the specified period of time. This feature is designed to protect the router from denial-of-service and dictionary attacks. The syntax of the command is as follows:

login block-for attempts within

The  parameter specifies the duration of the quiet period in seconds. The  parameter specifies the number of failed attempts that trigger the quiet period. The  parameter specifies the time window in seconds for counting the failed attempts.

In this question, the command login block-for 100 attempts 4 within 60 means that if four failures occur in 60 seconds, the router goes to quiet mode for 100 seconds. During the quiet period, no login attempts are accepted, and the router responds with the message “Login disabled for seconds due to too many failed login attempts.” After the quiet period expires, the router resumes normal login operations.

The other options are incorrect because they do not match the command syntax or the expected behavior of the login block-for feature.

References :=

Some possible references for this question are:

• User Security Configuration Guide - Cisco IOS Login Enhancements-Login Block
• Configuring Login Block
• Restrict login attempts : login block-for command
• When applied to a router, which command would help mitigate brute-force password attacks against the router?

 Platform as a Service (PaaS) is a cloud service model that delivers and manages all the hardware and software resources to develop applications through the cloud. The service provider is responsible for the infrastructure, middleware, runtime, and operating system, while the customer only has to focus on the application and data. PaaS enables the customer to avoid the hassle of patching, updating, or maintaining the operating system, as well as the underlying hardware and network12. Infrastructure as a Service (IaaS) is a cloud service model that delivers on-demand infrastructure resources, such as compute, storage, networking, and virtualization, to the customer via the cloud. The service provider hosts and manages the infrastructure, but the customer is responsible for the operating system, middleware, virtual machines, and any apps or data. IaaS requires the customer to handle the patch management of the operating system, as well as the security and configuration of the virtual machines34. References := 1: Use platform as a service (PaaS) options - Azure Architecture Center 2: What is Platform-as-a-Service (PaaS)? - Cloudflare 3: PaaS vs IaaS vs SaaS: What’s the difference? | Google Cloud 4: SaaS vs PaaS vs IaaS: What’s The Difference & How To Choose – BMC Software | Blogs

Microsegmentation is a network security technique that enables security architects to logically divide the data center or cloud environment into distinct security segments down to the individual workload level, and then define security controls and deliver services for each unique segment. Microsegmentation software with network virtualization technology is used to create zones in cloud deployments. These granular secure zones isolate workloads, securing them individually with custom, workload-specific policies. Microsegmentation uses a zero-trust model, which means that no traffic is allowed by default, and only explicitly authorized traffic is permitted based on the principle of least privilege. Microsegmentation helps to reduce the attack surface, prevent the lateral movement of threats, and strengthen regulatory compliance. The other options are incorrect because they do not describe microsegmentation accurately. Option B is incorrect because container orchestration platforms, such as Kubernetes, are used to automate the deployment, scaling, and management of containerized applications, but they do not provide microsegmentation by themselves. Option C is incorrect because private VLAN segmentation is a network security technique that isolates hosts within the same VLAN, but it does not provide granular security controls at the workload level. Option D is incorrect because host-based firewall rules are one of the components of microsegmentation, but they are not sufficient to implement microsegmentation without network virtualization and policy automation. References : What Is Microsegmentation? - Palo Alto Networks, What Is Micro-Segmentation? - Cisco, What is Micro-Segmentation? | VMware Glossary

An application that does not validate user input is particularly susceptible to SQL injection attacks. In an SQL injection attack, an attacker can insert or "inject" a SQL query via the input data from the client to the application. Due to the lack of validation, the malicious SQL commands are executed by the database server, leading to unauthorized access or manipulation of the database.

Cisco ISE and pxGrid use the IETF (Internet Engineering Task Force) standards to integrate with each other and with other interoperable security platforms. IETF is an open, international community of network designers, operators, vendors, and researchers who produce voluntary standards for the Internet. Cisco pxGrid is based on the IETF standards-track XMPP (Extensible Messaging and Presence Protocol) and RESTCONF (Representational State Transfer Configuration Protocol) technologies. These standards enable Cisco pxGrid to provide a scalable, secure, and open data-sharing platform that supports multiple security products and services. Cisco ISE uses the IETF standards-track RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) protocols to provide network access control and policy enforcement. Cisco ISE also supports the IETF standards-track SXP (Security Group Tag eXchange Protocol) to propagate security group tags across the network. By using the IETF standards, Cisco ISE and pxGrid can interoperate with other security platforms that support the same standards, such as Infoblox, Splunk, Rapid7, and more. References:

• Cisco pxGrid - Cisco
• ISE pxGrid General Information & FAQ - Cisco Community
• How To: Integrate Cisco WSA using ISE and TrustSec via pxGrid
• Infoblox DDI, Cisco ISE, and the pxGrid Solution Platform

Network telemetry is the collection, measurement, and analysis of data related to the behavior and performance of a network1. It involves gathering information about routers, switches, servers, and applications to gain insights into how they function and how data moves through them. To correlate different sources of network telemetry data, it is important to enable Network Time Protocol (NTP) across all network infrastructure devices. NTP is a protocol that synchronizes the clocks of network devices to a common reference time source2. This ensures that the network telemetry data has consistent timestamps and can be compared and correlated accurately. NTP also helps with troubleshooting network issues, as it allows network administrators to pinpoint the exact time of events and anomalies. NTP is a core security technology that is covered in the Implementing and Operating Cisco Security Core Technologies (SCOR) course3, which helps you prepare for the Cisco CCNP Security and CCIE Security certifications and for senior-level security roles. References: 1: Network Telemetry Explained: Frameworks, Applications & Standards - Splunk 2: [Network Time Protocol (NTP) - Cisco] 3: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0