Practitioner Palo Alto Networks Cybersecurity Practitioner (PCCP) Questions and Answers

Full-disk encryption is a method of protecting data on a laptop that has been stolen by encrypting the entire hard drive, making it unreadable without the correct password or key. This prevents unauthorized access to the proprietary data stored on the laptop, even if the thief removes the hard drive and connects it to another device. Full-disk encryption can be enabled using built-in features such as BitLocker on Windows or FileVault on macOS, or using third-party software such as Absolute Home & Office12. References: How to Protect your Data if a Laptop is Lost or Stolen, What to do when your laptop is stolen, Palo Alto Networks Certified Cybersecurity Entry-level Technician

Knowledge-based systems and behavior-based systems are two types of artificial intelligence systems that can be used for security purposes. Knowledge-based systems use a predefined database of rules, facts, and patterns that distinguish “bad” or malicious activities from normal ones. They compare the incoming data with the stored knowledge and flag any anomalies or matches. Behavior-based systems, on the other hand, learn from the observed data and establish a baseline of normal behavior. They then monitor the data for any deviations or changes from the baseline and alert on any suspicious or abnormal activities. References:

•Types of Knowledge-Based Systems - Springer

•Difference between Knowledge-based IDS and behavior-based IDS

•Behaviour-based Knowledge Systems: An Epigenetic Path from Behaviour to …

 A cloud native security platform (CNSP) is a set of security practices and technologies designed specifically for applications built and deployed in cloud environments. It involves a shift in mindset from traditional security approaches, which often rely on network-based protections, to a more application-focused approach that emphasizes identity and access management, container security and workload security, and continuous monitoring and response. A CNSP offers three main benefits for cloud native applications:

Agility: A CNSP enables faster and more frequent delivery of software updates, as security is built into the application and infrastructure from the ground up, rather than added on as an afterthought. This allows for seamless integration of security controls into the continuous integration/continuous delivery (CI/CD) pipeline, reducing the risk of security gaps or delays. A CNSP also leverages automation and orchestration to simplify and streamline security operations, such as configuration, patching, scanning, and remediation.

Digital transformation: A CNSP supports the adoption of cloud native technologies, such as microservices, containers, serverless, and platform as a service (PaaS), which enable greater scalability, deployability, manageability, and performance of cloud applications. These technologies also allow for more innovation and experimentation, as developers can easily create, test, and deploy new features and functionalities. A CNSP helps to protect these cloud native architectures from threats and vulnerabilities, while also ensuring compliance with regulations and standards.

Flexibility: A CNSP provides consistent and comprehensive security across different cloud environments, such as public, private, and multi-cloud. It also allows for customization and adaptation of security policies and controls to suit the specific needs and preferences of each application and organization. A CNSP can also integrate with other security tools and platforms, such as firewalls, endpoint protection, threat intelligence, and security information and event management (SIEM), to provide a holistic and unified view of the security posture and risk level of cloud applications.

What Is a Cloud Native Security Platform?

What Is Cloud-Native Security?

All You Need to Know About Cloud Native Security

Top Five Benefits of Cloud Native Application Security

Automation in SOAR (Security Orchestration, Automation, and Response) is the process of programming tasks, alerts, and responses to security incidents so that they can be executed without human intervention. Automation in SOAR helps security teams to handle the huge amount of information generated by various security tools, analyze it through machine learning processes, and take appropriate actions based on predefined rules and workflows. Automation in SOAR also reduces the manual effort and time required for security operations, improves the accuracy and efficiency of threat detection and response, and provides consistency in handling security issues across different environments and scenarios. References: What is SOAR (security orchestration, automation and response)? | IBM, What Is SOAR? Technology and Solutions | Microsoft Security, Security orchestration - Wikipedia.

 A sanctioned application is an application that is approved by the IT department and meets the security and compliance requirements of the organization. Sanctioned applications are allowed to access the organization’s network and data and are monitored and protected by the IT department. Examples of sanctioned applications are Office 365, Salesforce, and Zoom. Sanctioned applications are different from unsanctioned, prohibited, and tolerated applications, which are not approved by the IT department and may pose security risks to the organization. Unsanctioned applications are applications that are used by the employees without the IT department’s knowledge or consent, such as Dropbox, Gmail, or Facebook. Prohibited applications are applications that are explicitly forbidden by the IT department, such as BitTorrent, Tor, or malware. Tolerated applications are applications that are not approved by the IT department, but are not blocked or restricted, such as Skype, Spotify, or YouTube. References: Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET), Cloud Security Fundamentals - Module 4: Cloud Security Best Practices, Application Visibility and Control

 A local area network (LAN) is a network that connects end-user devices such as personal computers, printers, scanners, and phones within a small geographic area, such as an office, school, or home. LANs allow users to share resources, such as files, applications, and internet access, among the connected devices. LANs typically use Ethernet or Wi-Fi as the communication medium and operate at high speeds with low error rates. LANs are usually owned and managed by a single person or organization. References: LANs, WANs, and Other Area Networks Explained, What is a LAN? Local Area Network, Types of area networks - LAN, MAN and WAN

OSPF is a link-state routing protocol that requires all routers in the same domain to maintain a map of the network. This map is called the link-state database (LSDB) and it contains information about the topology and the state of each link. Each router independently calculates the shortest path to every destination in the network using the Dijkstra algorithm. OSPF routers exchange routing information by flooding link-state advertisements (LSAs) to their neighbors. LSAs are acknowledged by the receivers to ensure reliable delivery12. References:

What Is OSPF? Understanding Network Protocols By WireX Systems

Routing Protocols Overview - Global Knowledge

A perimeter-based network security strategy relies on firewalls, routers, and other devices to create a boundary between the internal network and the external network. This strategy assumes that every internal endpoint can be trusted, and that any threat comes from outside the network. However, this assumption is flawed, as internal endpoints can also be compromised by malware, phishing, insider attacks, or other methods. Once an attacker gains access to an internal endpoint, they can use it to move laterally within the network, bypassing the perimeter defenses. Therefore, a perimeter-based network security strategy is not sufficient to protect an organization’s endpoint systems, and a more comprehensive approach, such as Zero Trust, is needed. References:

Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET)

Traditional perimeter-based network defense is obsolete—transform to a Zero Trust model

What is Network Perimeter Security? Definition and Components | Acalvio

 Palo Alto Networks Cortex XDR is an extended detection and response platform that provides endpoint protection, threat detection, and incident response capabilities. When an endpoint is asked to run an executable, Cortex XDR does the following steps1:

First, it sends the executable to WildFire, a cloud-based malware analysis and prevention service, to determine if it is malicious or benign. WildFire uses static and dynamic analysis, machine learning, and threat intelligence to analyze the executable and provide a verdict in seconds2.

Next, it checks the execution policy, which is a set of rules that define what actions are allowed or blocked on the endpoint. The execution policy can be configured by the administrator to enforce granular control over the endpoint behavior3.

Then, it runs a static analysis, which is a technique that examines the executable without executing it. Static analysis can identify malicious indicators, such as file signatures, hashes, strings, and embedded resources4.

Finally, it runs a dynamic analysis, which is a technique that executes the executable in a sandboxed environment and monitors its behavior. Dynamic analysis can detect malicious activities, such as network connections, registry changes, file modifications, and process injections4.

Cortex XDR Endpoint Protection Overview

WildFire Overview

[Execution Policy]

[Static and Dynamic Analysis]

In a host-based architecture, the server (host) handles all processing tasks, while the client mainly provides input/output. This centralizes control, processing, and data storage on the server, reducing the client’s role to that of a terminal.

Workload security in a Cloud-Native Security Platform (CNSP) focuses on protecting VMs, containers, and serverless deployments against application-level attacks during runtime. It ensures that workloads remain secure by monitoring behavior, enforcing policies, and detecting threats in real time.

Endpoint antivirus software is a type of software designed to help detect, prevent, and eliminate malware on devices, such as laptops, desktops, smartphones, and tablets. Endpoint antivirus software can block viruses that are not seen and blocked by the perimeter firewall, which is a network security device that monitors and controls incoming and outgoing network traffic based on predefined security rules. Perimeter firewall can block some known viruses, but it may not be able to detect and stop new or unknown viruses that use advanced techniques to evade detection. Endpoint antivirus software can provide an additional layer of protection by scanning the files and processes on the devices and using various methods, such as signatures, heuristics, behavior analysis, and cloud-based analysis, to identify and remove malicious code123. References:

What Is Endpoint Antivirus? Key Features & Solutions Explained - Trellix

Microsoft Defender for Endpoint | Microsoft Security

Download ESET Endpoint Antivirus | ESET

Workload security in a Cloud Native Security Platform (CNSP) is designed to secure containers, VMs, and serverless functions throughout the entire application lifecycle — from development to runtime — by detecting and blocking vulnerabilities, misconfigurations, and runtime threats.

Identity and access management (IAM) is a software service or framework that allows organizations to define user or group identities within software environments, then associate permissions with them. The identities and permissions are usually spelled out in a text file, which is referred to as an IAM policy.

Advanced Threat Prevention is the Palo Alto Networks solution that has replaced legacy Intrusion Prevention Systems (IPS). It offers inline, ML-powered threat detection and evasion-resistant inspection to block sophisticated threats in real time, going beyond traditional signature-based IPS.

According to the NIST definition of cloud computing, Infrastructure as a Service (IaaS) is a cloud service model that provides “the capability to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications” 1. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls) 1. In other words, IaaS gives the user access to cloud-hosted physical and virtual servers, storage, and networking, as stated in the question. References: 1: SP 800-145, The NIST Definition of Cloud Computing | CSRC 2

Cyberterrorists are attackers who use the internet to recruit members to an ideology, to train them, and to spread fear and induce panic. Cyberterrorists may target critical infrastructure, government systems, or public services to cause disruption, damage, or harm. Cyberterrorists may also use the internet to disseminate propaganda, incite violence, or coordinate attacks. Cyberterrorists differ from other attacker profiles in their motivation, which is usually political, religious, or ideological, rather than financial or personal. References: Cyberterrorism, Cyber Threats, Cybersecurity Threat Landscape

A Jasager attack is a type of wireless man-in-the-middle attack that exploits the way mobile devices search for known wireless networks. A Jasager device will respond to any beacon request from a mobile device by saying “Yes, I’m here”, pretending to be one of the preferred networks. This way, the Jasager device can trick the mobile device into connecting to it, without the user’s knowledge or consent. The Jasager device can then intercept, modify, or redirect the traffic of the victim. For this attack to work, the attacker needs to be within close proximity of the victim, and the victim must have at least one known network in their preferred list. The victim does not need to manually choose the attacker’s access point, nor does the attacker try to get victims to connect at random. References: Wireless Man in the Middle - Palo Alto Networks, Man-in-the-middle attacks with malicious & rogue Wi-Fi access points - Privacy Guides

Local organization security policies are the rules and guidelines that define how a SaaS application can be used by the employees, contractors, and partners of an organization. These policies cover aspects such as authentication, authorization, data access, data protection, data sharing, and compliance. Local organization security policies aim to ensure that the SaaS application is used in a secure, ethical, and legal manner, and that the organization’s data and assets are not compromised or misused123. References:

Securing SaaS tools for your organisation - GOV.UK

SaaS Security: A Complete Best Practices Guide - BetterCloud

Security policy document examples for B2B SaaS apps

Attack Surface Management (ASM) platforms focus on continuous discovery and monitoring of all internet-facing assets, both internal and external, to identify attack vectors, vulnerabilities, and exposures that could be exploited by threat actors.

SaaS applications are cloud-based software that users can access from anywhere and any device. This poses a challenge for organizations to ensure that their employees are using the SaaS applications in a secure and compliant manner. Therefore, organizations need to establish and enforce acceptable use policies (AUPs) for SaaS applications that define the rules and guidelines for accessing and using the applications, such as who can use them, what data can be stored or shared, and what actions are prohibited12. AUPs help organizations to protect their data, prevent unauthorized access, and comply with local regulations and standards3. References: Using Software as a Service (SaaS) securely - NCSC, Minimum Security Standards for Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) | University IT, How to Secure Your SaaS Applications - CyberArk

Cortex XSOAR Threat Intelligence Management (TIM) is a platform that enables security teams to manage the lifecycle of threat intelligence, from aggregation to action. One of the key features of Cortex XSOAR TIM is that it automates the ingestion and aggregation of indicators from various sources, such as threat feeds, open-source intelligence, internal data, and third-party integrations 1. Indicators are pieces of information that can be used to identify malicious activity, such as IP addresses, domains, URLs, hashes, etc. By automating the ingestion and aggregation of indicators, Cortex XSOAR TIM reduces the manual effort and time required to collect, validate, and prioritize threat data. It also enables analysts to have a unified view of the global threat landscape and the impact of threats on their network 1. References: 1: Threat Intelligence Management - Palo Alto Networks 2

In addition to local analysis, Cortex XDR can send unknown files to WildFire for discovery and deeper analysis to rapidly detect.

A worm is a type of malware that replicates itself to spread rapidly through a computer network. Unlike a virus, a worm does not need a host program or human interaction to infect other devices. A worm can consume network bandwidth, slow down the system performance, or deliver a malicious payload, such as ransomware or a backdoor123. References: Types of Malware & Malware Examples - Kaspersky, 10 types of malware + how to prevent malware from the start, Computer worm - Wikipedia

A worm replicates through the network while a virus replicates, not necessarily to spread through the network.

Local systems can eliminate vulnerabilities by patching systems and software effectively and continuously. Patching is the process of applying updates or fixes to software or hardware components that have known vulnerabilities or bugs. Patching can prevent attackers from exploiting these vulnerabilities and compromising the security or functionality of the systems. Patching should be done regularly and promptly, as new vulnerabilities are constantly discovered and exploited by cybercriminals. Patching should also be done effectively, meaning that the patches are tested and verified before deployment, and that they do not introduce new vulnerabilities or issues. Patching should also be done continuously, meaning that the systems are monitored for new vulnerabilities and patches are applied as soon as they are available. Continuous patching can reduce the window of opportunity for attackers to exploit unpatched vulnerabilities and cause damage or data breaches. References:

•1: What is Patch Management? | Palo Alto Networks

•2: Patch Management Best Practices: How to Keep Your Systems Secure | Snyk

•3: Vulnerability Remediation Process - 4 Steps to Remediation | Snyk

To maximize the use of a network address, the administrator should use the subnet that can accommodate the required number of hosts with the least amount of wasted IP addresses. The subnet mask determines how many bits are used for the network portion and the host portion of the IP address. The more bits are used for the network portion, the more subnets can be created, but the fewer hosts can be assigned to each subnet. The formula to calculate the number of hosts per subnet is

2(32−n)−2

, where

n

is the number of bits in the network portion of the subnet mask. For example, a /30 subnet mask has 30 bits in the network portion, so the number of hosts per subnet is

2(32−30)−2=2

A /25 subnet mask has 25 bits in the network portion, so the number of hosts per subnet is

2(32−25)−2=126

The subnet 192.168.6.0/25 can accommodate 126 hosts, which is enough for the network with 120 hosts. The subnet 192.168.6.168/30 can only accommodate 2 hosts, which is not enough. The subnet 192.168.6.160/29 can accommodate 6 hosts, which is also not enough. The subnet 192.168.6.128/27 can accommodate 30 hosts, which is enough, but it wastes more IP addresses than the /25 subnet. Therefore, the best option is B. 192.168.6.0/25. References:

Getting Started: Layer 3 Subinterfaces - Palo Alto Networks Knowledge Base

DotW: Multiple IP Addresses on an Interface - Palo Alto Networks Knowledge Base

Configure NAT - Palo Alto Networks | TechDocs

IaaS (Infrastructure as a Service) is a cloud computing model that delivers on-demand infrastructure resources to organizations via the cloud, such as compute, storage, networking, and virtualization1. Customers do not have to manage, maintain, or update their own data center infrastructure, but are responsible for the operating system, middleware, virtual machines, and any apps or data1. Therefore, IaaS gives customers full control over the operating system(s) running on their cloud computing platform, as well as the flexibility to customize and configure their infrastructure according to their needs2. References: What are the different types of cloud computing? | Google Cloud, PaaS vs IaaS vs SaaS: What’s the difference? | Google Cloud

Examples of serverless environments include Amazon Lambda and Azure Functions. Many PaaS offerings, such as Pivotal Cloud Foundry, also are effectively serverless even if they have not historically been marketed as such. Although serverless may appear to lack the container-specific, cloud native attribute, containers are extensively used in the underlying implementations, even if those implementations are not exposed to end users directly.

SSL/TLS decryption allows security tools to inspect encrypted traffic, enabling them to detect hidden malware, command-and-control communication, or data exfiltration that would otherwise bypass inspection if left encrypted.

Identity Threat Detection and Response (ITDR) leverages behavior analysis to identify suspicious or anomalous activities associated with user identities. This methodology involves continuously monitoring user authentication patterns, access events, and privilege escalations to build a baseline of “normal” behavior. By detecting deviations—such as unusual login locations, timeframes, or excessive access attempts—ITDR can flag potential identity compromises or insider threats that traditional signature or rule-based systems often miss. Palo Alto Networks’ ITDR integrates behavioral analytics with threat intelligence to deliver real-time alerts and automated response capabilities, essential in mitigating credential abuse and lateral movement within networks. This behavioral approach is crucial for adapting to sophisticated identity attacks that evolve constantly.

One of the best practices for securing sensitive data in SaaS applications is to control the access and usage of data based on the device type. Managed devices are those that are enrolled and monitored by the organization’s IT department, and have security policies and controls applied to them. Unmanaged devices are those that are not under the organization’s control, such as personal laptops or mobile phones. Allowing downloads to managed devices but blocking them from unmanaged devices prevents data leakage and unauthorized access to sensitive data. This can be achieved by using a cloud access security broker (CASB) solution, such as Prisma SaaS from Palo Alto Networks, which can enforce granular policies based on device posture, user identity, and data sensitivity 12. References: 1: Securing SaaS applications on the cloud is a critical aspect of protecting sensitive data and maintaining the trust of customers. By implementing best practices, such as enhanced authentication, data encryption, Break Glass, and oversight, organizations can mitigate the security risks associated with SaaS applications2: Prisma SaaS - Palo Alto Networks

Determining system health using unaltered system data – Active monitoring collects real-time data to assess the current health and performance of systems.

Using probes to establish potential load issues – Active monitoring uses synthetic transactions or probes to simulate user interactions and identify performance or load-related issues before they affect users.

Cortex XDR breaks the silos of traditional detection and response by natively integrating network, endpoint, and cloud data to stop sophisticated attacks

The six pillars include:

1. Business (goals and outcomes)

2. People (who will perform the work)

3. Interfaces (external functions to help achieve goals)

4. Visibility (information needed to accomplish goals)

5. Technology (capabilities needed to provide visibility and enable people)

6. Processes (tactical steps required to execute on goals)

All elements must tie back to the business itself and the goals of the security operations

Security Operations (SecOps) is the process of coordinating and aligning security teams and IT teams to improve the security posture of an organization. SecOps involves implementing and maintaining security controls, technologies, policies, and procedures to protect the organization from cyber threats and incidents. When dealing with a known attack, SecOps must take the following action: document, monitor, and track the incident. This action is important because it helps SecOps to:

•Record the details of the attack, such as the source, target, impact, timeline, and response actions.

•Monitor the status and progress of the incident response and recovery efforts, as well as the ongoing threat activity and indicators of compromise.

•Track the performance and effectiveness of the security controls and technologies, as well as the lessons learned and improvement opportunities. References:

•Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET)

•6 Incident Response Steps to Take After a Security Event - Exabeam

•Dealing with Cyber Attacks–Steps You Need to Know | NIST

Advanced WildFire is a Cloud-Delivered Security Service (CDSS) that detects zero-day malware using inline cloud machine learning (ML) and sandboxing techniques. It analyzes unknown files in real-time to identify and block new threats before they can cause harm.

Phishing is a type of email attack where the attacker sends a lot of malicious emails in an untargeted way, pretending to be a trusted source, such as a bank or an online retailer, to trick users into revealing sensitive information, such as passwords or credit card numbers. Attackers use the information to steal money or to launch other attacks. A fake email from a bank asking you to click a link and verify your account details is an example of phishing1 References:

1: Palo Alto Networks Certified Cybersecurity Entry-level Technician - Palo Alto Networks

2: 10 Palo Alto Networks PCCET Exam Practice Questions - CBT Nuggets

3: Types of Email Attacks - Examples and Consequences - Tessian

4: What Is a Phishing Attack? Definition and Types - Cisco

 In SecOps, the identify stage is the first step in the security operations lifecycle. It involves gaining knowledge and understanding of the possible security threats and establishing methods to detect, respond and proactively prevent them from occurring1. Two of the components included in the identify stage are:

Initial Research: This component involves gathering information about the organization’s assets, vulnerabilities, risks, and compliance requirements. It also involves identifying the key stakeholders, objectives, and metrics for the SecOps project2.

Content Engineering: This component involves developing and maintaining the security content, such as rules, policies, signatures, and alerts, that will be used by the SecOps tools and processes. It also involves testing and validating the security content for accuracy and effectiveness3.

 What is SecOps? (and what are the benefits and best practices?), SecOps - definition & overview, The Six Pillars of Effective Security Operations

Assessing severity levels – UEBA data helps prioritize incidents by evaluating the risk and severity based on user and entity behavior.

Detecting and correlating anomalies – UEBA continuously analyzes activity to identify abnormal behavior and correlate anomalies that may indicate insider threats or compromised accounts.

Cybercriminals are attackers who act independently or as part of an unlawful organization, such as a crime syndicate or a hacker group. Their main motivation is to make money by exploiting vulnerabilities in systems, networks, or applications. They use various methods, such as ransomware, phishing, identity theft, fraud, or botnets, to steal data, extort victims, or disrupt services. Cybercriminals often target individuals, businesses, or institutions that have valuable or sensitive information, such as financial, personal, or health data. Cybercriminals are constantly evolving their techniques and tools to evade detection and countermeasures. They may also collaborate with other cybercriminals or hire hackers to perform specific tasks. References:

Cybersecurity Threats: Cybercriminals

Attackers Profile

Micro-segmentation is a VM-Series virtual firewall cloud deployment use case that reduces your environment’s attack surface. Micro-segmentation is the process of dividing a network into smaller segments, each with its own security policies and controls. This helps to isolate and protect workloads from lateral movement and unauthorized access, as well as to enforce granular trust zones and application dependencies. Micro-segmentation can be applied to virtualized data centers, private clouds, and public clouds, using software-defined solutions such as VMware NSX, Cisco ACI, and Azure Virtual WAN. References: Micro-Segmentation - Palo Alto Networks, VM-Series Deployment Guide - Palo Alto Networks, VM-Series on VMware NSX - Palo Alto Networks, VM-Series on Cisco ACI - Palo Alto Networks, VM-Series on Azure Virtual WAN - Palo Alto Networks

To find the subnet that the host 192.168.19.36/27 belongs to, we need to convert the IP address and the subnet mask to binary form and perform a logical AND operation. The /27 notation means that the subnet mask has 27 bits of ones and 5 bits of zeros. In decimal form, the subnet mask is 255.255.255.224. The binary form of the IP address and the subnet mask are:

IP address: 11000000.10101000.00010011.00100100 Subnet mask: 11111111.11111111.11111111.11100000

The logical AND operation gives us the network prefix:

Network prefix: 11000000.10101000.00010011.00100000

To get the subnet address, we convert the network prefix back to decimal form:

Subnet address: 192.168.19.32

The subnet address is the first address in the subnet range. To find the last address in the subnet range, we flip the bits of the subnet mask and perform a logical OR operation with the network prefix:

Flipped subnet mask: 00000000.00000000.00000000.00011111 Logical OR: 11000000.10101000.00010011.00111111

The last address in the subnet range is:

Last address: 192.168.19.63

The subnet range is from 192.168.19.32 to 192.168.19.63. The host 192.168.19.36 belongs to this subnet. Therefore, the correct answer is B. 192.168.19.16, which is the second address in the subnet range.

IP Subnet Calculator

Subnet Calculator - IP and CIDR

Which subnet does the host 192.168.19.36/27 belong? - VCEguide.com

 A zero-day threat is an attack that takes advantage of a security vulnerability that does not have a fix in place. It is referred to as a “zero-day” threat because once the flaw is eventually discovered, the developer or organization has “zero days” to then come up with a solution. A zero-day threat can compromise a system or network by exploiting the unknown vulnerability, and can cause data loss, unauthorized access, or other damages. Zero-day threats are difficult to detect and prevent, and require advanced security solutions and practices to mitigate them. References:

Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET)

Zero-day (computing) - Wikipedia

What is a zero-day exploit? | Zero-day threats | Cloudflare

In cloud computing, there are three main service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Each model defines the level of responsibility and control that the cloud provider and the cloud customer have over the cloud resources and services. The cloud provider is responsible for vulnerability and patch management of the underlying operating system in SaaS and PaaS models, while the cloud customer is responsible for it in IaaS model. In SaaS, the cloud provider delivers software applications over the internet and manages all aspects of the cloud infrastructure, platform, and application. The cloud customer only needs to access the software through a web browser or an API. In PaaS, the cloud provider offers a platform for developing, testing, and deploying applications and manages the cloud infrastructure and operating system. The cloud customer can use the platform tools and services to create and run their own applications. In IaaS, the cloud provider supplies the basic cloud infrastructure, such as servers, storage, and networking, and the cloud customer can provision and configure their own operating system, middleware, and applications. References: Cloud Computing Service Models, Cloud Security Fundamentals - Module 2: Cloud Computing Models, Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET)

Malicious Portable Executable (PE) files hidden inside PDFs represent a stealthy delivery tactic where attackers embed executable payloads within seemingly benign documents. When a user opens the PDF, the embedded PE executes, potentially installing malware. This approach combines social engineering with file obfuscation to bypass traditional detection methods. Palo Alto Networks’ Advanced WildFire sandboxing inspects such files by detonating them in isolated environments to observe behavior and identify hidden threats. This detection technique is critical for uncovering evasive malware concealed within common file types before they reach end-users.

The six pillars include:

1. Business (goals and outcomes)

2. People (who will perform the work)

3. Interfaces (external functions to help achieve goals)

4. Visibility (information needed to accomplish goals)

5. Technology (capabilities needed to provide visibility and enable people)

6. Processes (tactical steps required to execute on goals)

Data security is the only type of security that the customer is fully responsible for when using a SaaS application. Data security refers to the protection of data from unauthorized access, use, modification, deletion, or disclosure. Data security includes aspects such as encryption, backup, recovery, access control, and compliance12. The customer is responsible for ensuring that their data is secure in transit and at rest, and that they comply with any applicable regulations or policies regarding their data.

The other types of security - physical, platform, and infrastructure - are the responsibility of the SaaS provider. Physical security refers to the protection of the hardware and facilities that host the SaaS application. Platform security refers to the protection of the software and services that run the SaaS application. Infrastructure security refers to the protection of the network and systems that support the SaaS application. The SaaS provider is responsible for ensuring that these layers of security are maintained and updated, and that they meet the required standards and certifications34. References:

SaaS and the Shared Security Model

A Guide to SaaS Shared Responsibility Model

The Shared Responsibility Model for Security in The Cloud (IaaS, PaaS & SaaS)

Shared responsibility in the cloud

Signature-based malware detection relies on a constantly updated database of known threat signatures to identify malicious files or activity. Without frequent updates, it becomes ineffective against newly emerging threats.

2G/2.5G: 2G connectivity remains a prevalent and viable IoT connectivity option due

to the low cost of 2G modules, relatively long battery life, and large installed base of

2G sensors and M2M applications.

○ 3G: IoT devices with 3G modules use either Wideband Code Division Multiple Access

(W-CDMA) or Evolved High Speed Packet Access (HSPA+ and Advanced HSPA+) to

achieve data transfer rates of 384Kbps to 168Mbps.

○ 4G/Long-Term Evolution (LTE): 4G/LTE networks enable real-time IoT use cases, such

as autonomous vehicles, with 4G LTE Advanced Pro delivering speeds in excess of

3Gbps and less than 2 milliseconds of latency.

○ 5G: 5G cellular technology provides significant enhancements compared to 4G/LTE

networks and is backed by ultra-low latency, massive connectivity and scalability for

IoT devices, more efficient use of the licensed spectrum, and network slicing for

application traffic prioritization.

Managed Detection and Response (MDR) services combine incident impact analysis and proactive threat hunting to enhance organizational security posture. Incident impact analysis assesses the severity, scope, and potential damage of identified threats, helping prioritize responses. Proactive threat hunting involves skilled analysts searching for hidden threats that automated detection may miss, leveraging threat intelligence and behavioral analytics. Palo Alto Networks’ MDR integrates Cortex XDR and human expertise to detect, investigate, and remediate sophisticated threats early. Unlike routine firewall updates or development processes, MDR is focused on active threat discovery and comprehensive incident management.

Prisma SaaS connects directly to the applications themselves, therefore providing continuous silent monitoring of the risks within the sanctioned SaaS applications, with detailed visibility that is not possible with traditional security solutions.

An evil twin is a type of Wi-Fi attack that involves setting up a fake malicious Wi-Fi hotspot with the same name as a legitimate network to trick users into connecting to it. The attacker can then intercept the user’s data, such as passwords, credit card numbers, or personal information. The victim initiates the connection by choosing the fake network from the list of available Wi-Fi networks, thinking it is the real one. The attacker can also use a deauthentication attack to disconnect the user from the legitimate network and force them to reconnect to the fake one. References:

Types of Wi-Fi Attacks You Need to Guard Your Business Against - TechGenix

Types of Wireless and Mobile Device Attacks - GeeksforGeeks

The 5 most dangerous Wi-Fi attacks, and how to fight them

What are Wi-Fi Attacks & How to Fight - Tech Resider

TCP stands for Transmission Control Protocol, and it is one of the main protocols used in the internet. TCP provides reliable, ordered, and error-free delivery of data between applications 1. In terms of the OSI model, TCP is a transport-layer protocol. The transport layer is the fourth layer of the OSI model, and it is responsible for establishing end-to-end connections, segmenting data into packets, and ensuring reliable and efficient data transfer 2. The transport layer also provides flow control, congestion control, and error detection and correction mechanisms 2. TCP is not the only transport-layer protocol; another common one is UDP (User Datagram Protocol), which is faster but less reliable than TCP 3. References: 1: TCP/IP TCP, UDP, and IP protocols - IBM 2: Transport Layer | Layer 4 | The OSI-Model 3: TCP/IP Model vs. OSI Model | Similarities and Differences - Fortinet

Sanctioned SaaS applications are those that are approved and supported by the organization’s IT department. They provide business benefits such as increased productivity, collaboration, and efficiency. They are fast to deploy because they do not require installation or maintenance on the user’s device. They require minimal cost because they are usually paid on a subscription or usage basis, and they do not incur hardware or software expenses. They are infinitely scalable because they can adjust to the changing needs and demands of the organization without affecting performance or availability12. References: 8 Types of SaaS Solutions You Must Know About in 2024, What is SaaS (Software as a Service)? | SaaS Types | CDW, Palo Alto Networks Certified Cybersecurity Entry-level Technician

Xpanse is a tool from Palo Alto Networks that provides attack surface management by analyzing exposed services and internet-facing assets, giving security operations teams visibility into environmental risks and helping prioritize remediation of vulnerabilities.

Application allow listing is a security practice that permits only pre-approved (trusted) applications, files, and processes to run on a system. This approach helps prevent unauthorized or malicious software from executing, thereby reducing the attack surface.

Event Viewer is a native Windows application that can be used to inspect actions taken at a specific time. Event Viewer displays detailed information about significant events on your computer, such as application, security, system, and setup events. You can use Event Viewer to monitor and troubleshoot problems with your computer, such as hardware failures, software errors, security breaches, network issues, etc. Event Viewer allows you to filter, sort, and search events by various criteria, such as date and time, event level, event source, event ID, etc. You can also view the event properties, which provide more details about the event, such as the event description, user name, computer name, event data, etc. Event Viewer can help you identify the root cause of a problem, or provide evidence of a malicious activity, by inspecting the actions taken at a specific time on your computer. References:

Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET) - Palo Alto Networks

WinAppDriver and Desktop UI Test Automation - Microsoft Tech Community

Palo Alto Networks PCCET Quiz 1 Topic 14 Questions 1-5 - Buddy4Exam

Paloalto Networks Exam PCCET Questions and Answers - DumpsMate

Event Viewer - Windows 10 - Microsoft Docs

Software patches are updates that fix bugs, vulnerabilities, or performance issues in applications. Applying software patches regularly is one of the best practices to secure applications against exploits, as it prevents attackers from taking advantage of known flaws in the software. Software patches can also improve the functionality and compatibility of applications, as well as address any security gaps that may arise from changes in the operating system or other software components. Endpoint security solutions, such as Cortex XDR, can help organizations automate and streamline the patch management process, ensuring that all endpoints are up to date and protected from exploits. References:

Endpoint Protection - Palo Alto Networks

Endpoint Security - Palo Alto Networks

Patch Management - Palo Alto Networks

CaaS, or Containers-as-a-Service, is a cloud service that allows users to manage and deploy applications using containers and clusters. CaaS can be situated between IaaS and PaaS in the spread of cloud computing services, based on how much is managed by the vendor. IaaS, or Infrastructure-as-a-Service, provides the lowest level of abstraction, where users have to manage the servers, storage, network, and operating system. PaaS, or Platform-as-a-Service, provides a higher level of abstraction, where users only have to manage the application code and data. FaaS, or Function-as-a-Service, provides the highest level of abstraction, where users only have to manage the functions or logic of the application. CaaS falls in between IaaS and PaaS, as it provides users with more control over the container orchestration and configuration than PaaS, but also simplifies the infrastructure management and scaling than IaaS123. References:

What is CaaS? from Red Hat

Containers as a Service from Atlassian

Container as a Service (CaaS) from GeeksforGeeks

Routing protocols are defined at the network layer (Layer 3) of the OSI model. The network layer is responsible for routing packets across different networks using logical addresses (IP addresses). Routing protocols are used to exchange routing information between routers and to determine the best path for data delivery. Some examples of routing protocols are BGP, OSPF, RIP, and EIGRP. Palo Alto Networks devices support advanced routing features using the Advanced Routing Engine1. References: Advanced Routing - Palo Alto Networks | TechDocs, What Is Layer 7? - Palo Alto Networks, How to Configure Routing Information Protocol (RIP)

Authentication is the component of the AAA (Authentication, Authorization, and Accounting) framework that verifies user identities (e.g., via passwords, certificates, or biometrics) before granting access to network resources.

 If an endpoint does not know how to reach its destination, it will send data to the specified default gateway. A default gateway is a device that routes traffic from a local network to other networks or the internet. The endpoint will use the default gateway’s IP address as the next hop for packets that are destined for unknown or remote networks. The default gateway will then forward the packets to the appropriate destination or another gateway, based on its routing table. References:

Fundamentals of Network Security, Module 2: Networking Concepts, Lesson 2: IP Addressing and Routing1

PCCET Study Guide, Section 2.2: Describe IP Addressing and Routing2

Short-range wireless:

● Adaptive Network Technology+ (ANT+): ANT+ is a proprietary multicast wireless sensor

network technology primarily used in personal wearables, such as sports and fitness sensors.

● Bluetooth/Bluetooth Low-Energy (BLE): Bluetooth is a low-power, short-range

communications technology primarily designed for point-to-point communications between wireless devices in a hub-and-spoke topology. BLE (also known as Bluetooth Smart or Bluetooth 4.0+) devices consume significantly less power than Bluetooth devices and can access the internet directly through 6LoWPAN connectivity.

● Internet Protocol version 6 (IPv6) over Low-Power Wireless Personal Area Networks

(6LoWPAN): 6LoWPAN allows IPv6 traffic to be carried over low-power wireless mesh

networks. 6LoWPAN is designed for nodes and applications that require wireless internet

connectivity at relatively low data rates in small form factors, such as smart light bulbs

and smart meters.

● Wi-Fi/802.11: The Institute of Electrical and Electronics Engineers (IEEE) defines the 802

LAN protocol standards. 802.11 is the set of standards used for Wi-Fi networks typically

operating in the 2.4GHz and 5GHz frequency bands. The most common implementations

today include:

‒ 802.11n (labeled Wi-Fi 4 by the Wi-Fi Alliance), which operates on both 2.4GHz and 5GHz

bands at ranges from 54Mbps to 600Mbps

‒ 802.11ac (Wi-Fi 5), which operates on the 5GHz band at ranges from 433Mbps to 3.46

Gbps

‒ 802.11ax (Wi-Fi 6), which operates on the 2.4GHz and 5GHz bands (and all bands between 1 and 6GHz, when they become available for 802.11 use) at ranges up to 11Gbps

● Z-Wave: Z-Wave is a low-energy wireless mesh network protocol primarily used for home

automation applications such as smart appliances, lighting control, security systems,

smart thermostats, windows and locks, and garage doors.

● Zigbee/802.14: Zigbee is a low-cost, low-power wireless mesh network protocol based on the IEEE 802.15.4 standard. Zigbee is the dominant protocol in the low-power networking market, with a large installed base in industrial environments and smart home products.

Attack communication traffic is usually hidden with various techniques and

tools, including:

● Encryption with SSL, SSH (Secure Shell), or some other custom or proprietary encryption

● Circumvention via proxies, remote access tools, or tunneling. In some instances, use of

cellular networks enables complete circumvention of the target network for attack C2 traffic.

● Port evasion using network anonymizers or port hopping to traverse over any available open

ports

● Fast Flux (or Dynamic DNS) to proxy through multiple infected endpoints or multiple,

ever-changing C2 servers to reroute traffic and make determination of the true destination

or attack source difficult

● DNS tunneling is used for C2 communications and data infiltration

IDSs and IPSs also can be classified as knowledge-based (or signature-based) or behavior-based (or statistical anomaly-based) systems:

● A knowledge-based system uses a database of known vulnerabilities and attack profiles

to identify intrusion attempts. These types of systems have lower false-alarm rates than

behavior-based systems but must be continually updated with new attack signatures to

be effective.

● A behavior-based system uses a baseline of normal network activity to identify unusual

patterns or levels of network activity that may be indicative of an intrusion attempt.

These types of systems are more adaptive than knowledge-based systems and therefore

may be more effective in detecting previously unknown vulnerabilities and attacks, but they have a much higher false-positive rate than knowledge-based systems