Cisco 350-701 Implementing and Operating Cisco Security Core Technologies (SCOR) Exam Practice Test

ExplanationCisco Stealthwatch Cloud: Available as an SaaS product offer to provide visibility and threat detection within public cloud infrastructures such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

Content Security is a term that encompasses various security features and solutions that protect the data and applications from threats such as malware, ransomware, phishing, data loss, and unauthorized access. Content Security includes products such as Cisco Email Security, Cisco Web Security, Cisco Cloudlock, and Cisco Umbrella. These products use the AsyncOS API, which is a RESTful API that allows administrators and developers to programmatically interact with the content security appliances and services. The AsyncOS API enables tasks such as configuration, reporting, monitoring, troubleshooting, and automation of content security policies and actions. The AsyncOS API is based on the HTTP protocol and uses JSON or XML as the data format. The AsyncOS API also supports authentication, authorization, rate limiting, and error handling mechanisms. The AsyncOS API documentation provides the details of the available resources, methods, parameters, and responses for each content security product. References :=

• Cisco Content Security Products
• AsyncOS API Overview
• AsyncOS API Documentation

1: https://www.cisco.com/c/en/us/products/security/content-security/index.html  2: https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-0/API/b_ESA_API_13_0_1/b_ESA_API_13_0_1_chapter_01.html  3: https://developer.cisco.com/docs/email-security/#!asyncos-api-overview

 Mobile Device Management (MDM) is a solution that allows an organization to manage, monitor, and secure mobile devices such as smartphones, tablets, and laptops. MDM provides two main advantages to an organization with regards to device management:

• Asset inventory management: MDM helps an organization keep track of all the mobile devices that are connected to its network, including their location, status, configuration, and usage. MDM also enables an organization to remotely wipe or lock devices that are lost, stolen, or compromised, preventing data loss and unauthorized access. Asset inventory management helps an organization optimize its resources, reduce costs, and comply with regulations12.
• Allowed application management: MDM allows an organization to control what applications can be installed and run on the mobile devices, as well as how they can access and share data. MDM can also push updates and patches to the devices, ensuring that they are always running the latest and most secure versions of the applications. Allowed application management helps an organization enhance security, productivity, and performance of the mobile devices34.

References: 1: 7 Advantages and Disadvantages of Mobile Device Management [2024] 2: 5 Benefits of Mobile Device Management - ESET 3: Top 10 Benefits of Mobile Device Management (MDM) - TechFunnel 4: Benefits of Mobile Device Management (MDM) for Businesses

 Cisco AMP Threat Grid is a cloud-based or on-premises solution that provides advanced malware analysis and threat intelligence. It combines static and dynamic analysis techniques to examine the behavior of malware samples and correlate them with global and historical context. It also produces detailed reports, threat scores, and behavioral indicators that help security teams prioritize and respond to threats faster and more effectively12. References: 1: Cisco Secure Malware Analytics (Threat Grid) - Cisco 2: Products - Cisco Threat Grid Cloud Data Sheet - Cisco

ExplanationExplanationIn this question, the engineer was trying to secure the connection so maybe he was trying to allow SSH to the device. But maybe something went wrong so the connection was failing (the connection used to be good). So maybe he was missing the “crypto key generate rsa” command.

A network discovery policy is required for the health monitoring feature on the Cisco Firepower Next Generation Intrusion Prevention System (NGIPS). Health monitoring allows the system to collect and display information about the health and performance of the managed devices, such as CPU, memory, disk, and interface utilization, as well as the status of various processes and services. Health monitoring also enables the system to generate alerts and notifications when certain thresholds or conditions are met or violated.

To enable health monitoring, the system must have access to the network data from the managed devices, which is provided by the network discovery policy. The network discovery policy controls how the system collects data on the network assets and which network segments and ports are monitored. The network discovery policy also specifies the zones to which the policy is deployed, which determines the scope of the health monitoring data. Without a network discovery policy, the system cannot perform health monitoring on the NGIPS devices.

References :=

1: Network Discovery Policies, Cisco Firepower Management Center Configuration Guide, Version 7.0, page 1. 2: Health Monitoring, Cisco Firepower Management Center Configuration Guide, Version 7.0, page 1.

ExplanationCisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cisco Cloudlock provides visibility and compliance checks, protects data against misuse and exfiltration, and provides threat protections against malware like ransomware.

 The Atomic ARP engine is a signature engine that defines basic Layer 2 ARP signatures and provides more advanced detection of the ARP spoof tools dsniff and ettercap. ARP spoofing is an attack that involves sending spoofed ARP messages over a local area network to associate the attacker’s MAC address with the IP address of the target. The Atomic ARP engine inspects the Layer 2 ARP protocol and compares the ARP requests and replies with the MAC address table to detect any anomalies or inconsistencies. The Atomic ARP engine can also detect gratuitous ARP messages, which are unsolicited ARP replies that can be used to poison the ARP cache of other hosts. The Atomic ARP engine is different from other IPS engines because most engines are based on Layer 3 IP protocol. References := 

https://www.cisco.com/c/en/us/td/docs/security/ips/6-1/configuration/guide/cli/cliguide/cli_signature_engines.html

https://security.stackexchange.com/questions/71023/can-suricata-ips-detect-and-prevent-arp-poisoning-attacks

ExplanationMalware means “malicious software”, is any software intentionally designed to cause damage to a computer, server, client, or computer network. The most popular types of malware includes viruses, ransomware and spyware. Virus Possibly the most common type of malware, viruses attach their malicious code to clean code and wait to be run.

Ransomware is malicious software that infects your computer and displays messages demanding a fee to be paid in order for your system to work again.Spyware is spying software that can secretly record everything you enter, upload, download, and store on your computers or mobile devices. Spyware always tries to keep itself hidden.An exploit is a code that takes advantage of a software vulnerability or security flaw.Exploits and malware are two risks for endpoints that are not up to date. ARP spoofing and eavesdropping are attacks against the network while denial-of-service attack is based on the flooding of IP packets.

Northbound APIs (SDN northbound APIs) are typically RESTful APIs that are used to communicate between the SDN controller and the services and applications running over the network. Such northbound APIs can be used for the orchestration and automation of the network components to align with the needs of different applications via SDN network programmability1. The management solution is an example of an application that can use the northbound APIs to interact with the SDN controller and configure, monitor, and troubleshoot the network devices and services2. Therefore, the main function of northbound APIs in the SDN architecture is to enable communication between the SDN controller and the management solution. References: 1: What are SDN Northbound APIs (and SDN Rest APIs)? - SDxCentral 2: Software-Defined Networking Security and Network Programmability

 In a PaaS model, the cloud provider is responsible for managing and maintaining the underlying infrastructure, such as the hypervisor, the virtual machine, and the network. The tenant only needs to focus on developing and deploying the application, which runs on the cloud platform. The tenant is responsible for ensuring the security and availability of the application, as well as applying any patches or updates to the application code or configuration12. References :=

• Shared responsibility in the cloud
• Best practices for secure PaaS deployments

ETHOS is one of the many detection engines that AMP uses to continuously protect you from malware. It is only available in the public cloud, as it requires a large amount of data and processing power to operate. ETHOS uses machine learning to analyze the behavior and characteristics of files and determine their maliciousness. It can detect both known and unknown threats, as well as polymorphic and metamorphic malware that can change their appearance or code. ETHOS is part of the AMP cloud’s dynamic analysis capabilities, which also include SPERO and Threat Grid12.

The private cloud instance of AMP does not have ETHOS, as it is meant to be an on-premises, self-contained solution that satisfies stringent privacy requirements. The private cloud instance also does not have SPERO or Threat Grid, unless they are deployed separately as additional appliances. The private cloud instance relies on the TETRA detection engine, which is a signature-based engine that can identify known malware. TETRA is updated regularly with new signatures from the AMP cloud, but it cannot detect unknown or zero-day threats as effectively as ETHOS34.

Therefore, the capability that is exclusive to the AMP public cloud instance as compared to the private cloud instance is the ETHOS detection engine. References: 1: Cisco Advanced Malware Protection Private Cloud Appliance Data Sheet 2: What is AMP Private Cloud 3: Deploy Cisco AMP Private Cloud on Cisco HyperFlex Systems 4: AMP Private Cloud vs Public Cloud Dashboard different

ExplanationThe term ‘rootkit’ originally comes from the Unix world, where the word ‘root’ is used to describe a user with thehighest possible level of access privileges, similar to an ‘Administrator’ in Windows. The word ‘kit’ refers to thesoftware that grants root-level access to the machine. Put the two together and you get ‘rootkit’, a program thatgives someone – with legitimate or malicious intentions – privileged access to a computer.There are four main types of rootkits: Kernel rootkits, User mode rootkits, Bootloader rootkits, Memory rootkits

 Firepower NGIPS inline deployment mode is a mode where the NGIPS device is placed in the traffic path and can take actions such as blocking, modifying, or redirecting traffic based on the policies and rules. In this mode, the NGIPS device must have inline interface pairs configured, which are pairs of physical or logical interfaces that act as a single logical interface. The inline interface pairs are connected to the network devices on both sides of the NGIPS device, and the traffic flows through the NGIPS device from one interface to the other. The NGIPS device can inspect and modify the traffic as it passes through the inline interface pairs12. References := 1: Firepower Management Center Configuration Guide, Version 6.6 - Device Management Basics 2: Configure FTD Interfaces in Inline-Pair Mode

Explanation

Spero analysis is a feature of Cisco AMP for Networks that examines structural characteristics such as metadata and header information in executable files. After generating a Spero signature based on this information, if the file is an eligible executable file, the device submits it to the Spero heuristic engine in the AMP cloud for analysis1. Spero analysis can detect malware based on the file’s structure and behavior, without requiring a full file upload2. Spero analysis is different from dynamic analysis, sandbox analysis, and malware analysis, which are other features of Cisco AMP for Networks that perform different types of file inspection and analysis3. References: 1: How to configure Firepower AMP to not upload files to … - Cisco Community 2: File Policies - Network Direction 3: Cisco AMP for Networks - Cisco

DevSecOps is a development practice that integrates security into all phases of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery. DevSecOps focuses on application development, as it aims to deliver secure and robust applications that meet the customers’ needs and expectations. DevSecOps also makes security a shared responsibility of development, security, and operations teams, rather than a separate silo. DevSecOps enables faster and safer software delivery by automating security processes and tools, and addressing security issues as they emerge, rather than at the end of the cycle.

References :=

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 6: Securing the Data Center, Lesson 6.2: DevSecOps
• What Is DevSecOps? Definition and Best Practices | Microsoft Security
• What is DevSecOps? | IBM
• What is DevSecOps? | DevSecOps vs. DevOps | VMware

the routing of traffic through the Cisco Umbrella network is to browse to http://welcome.umbrella.com/ . This URL will display a message that confirms whether the new network identity is working or not. If the message says “You’re protected by Cisco Umbrella”, then the traffic is being routed correctly. If the message says “You’re not using Cisco Umbrella”, then the traffic is not being routed correctly and the configuration needs to be checked. The other options are not valid actions to test the routing. Option A is incorrect because the client computers should point to the Cisco Umbrella DNS servers, not the on-premises DNS servers. Option B is incorrect because the Intelligent Proxy is a feature that selectively intercepts and proxies web requests for deeper inspection, not a tool to test the routing. Option C is incorrect because adding the public IP address to a Core Identity is a way to identify the network, not a way to test the routing. References:

• How To: Successfully test to ensure you’re running Umbrella correctly
• Add a Network Identity

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x-pba.html

The Cisco ASA must support TLS proxy for encrypted Cisco Unified Communications traffic. This means that the ASA acts as a proxy between the Cisco IP Phone and the Cisco Unified Communications Manager (UCM), decrypting, inspecting, and re-encrypting the voice signaling traffic. To do this, the ASA needs to have the certificates of the devices that the phone trusts, such as the UCM servers and the TFTP servers. These certificates are stored in a Certificate Trust List (CTL) file that the phone downloads from the UCM before registration. Therefore, the ASA must be added to the CTL file on the UCM platform, so that the phone can verify the identity of the ASA as a proxy. The other options are not relevant for this scenario. The Endpoint Trust List is a list of certificates that the UCM trusts for encrypted endpoints. The Enterprise Proxy Service is a feature that allows the UCM to route calls to and from the public switched telephone network (PSTN) through a SIP proxy server. The Secured Collaboration Proxy is a feature that allows the UCM to encrypt the media streams between endpoints using Secure Real-Time Transport Protocol (SRTP). References :=

• Cisco Secure Firewall ASA Unified Communications Guide - TLS Proxy for Encrypted Voice Inspection
• TLS Proxy for Encrypted Voice Inspection - Cisco
• Where must the ASA be added on the Cisco UC Manager platform?

a Cisco FirePower sensor to Firepower Management Center is configure manager add . This command establishes a secure connection between the sensor and the FMC using a registration key. The  parameter can be either the IP address or the hostname of the FMC. The  parameter can be any alphanumeric string that matches the one configured on the FMC. This command is executed on the sensor’s CLI in the privileged EXEC mode12. References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) course, Module 2: Network Security, Lesson 2: Deploying Cisco Firepower Next-Generation Firewall, Topic: Registering the Cisco Firepower NGFW to the FMC2: Firepower Management Center Configuration Guide, Version 6.6 - Device Management Basics [Cisco Secure Firewall Management Center] - Cisco.

Cisco Identity Services Engine (ISE) uses various probes to collect attributes of connected endpoints, such as device type, operating system, IP address, MAC address, and so on. These attributes are used to profile the endpoints and assign them to appropriate identity groups and policies. Two of the probes that can be configured to gather attributes of connected endpoints using Cisco ISE are RADIUS and DHCP.

• RADIUS probe: The RADIUS probe collects attributes from the RADIUS packets that are exchanged between the network access devices (NADs) and the ISE Policy Service Nodes (PSNs) during the authentication and authorization process. The RADIUS probe can extract attributes such as username, calling-station-ID, NAS-IP-address, NAS-port-type, service-type, and so on. The RADIUS probe can also collect attributes from the RADIUS accounting packets that are sent by the NADs to the ISE PSNs after the session is established. The RADIUS probe can extract attributes such as session-ID, framed-IP-address, acct-session-time, and so on. The RADIUS probe is enabled by default and does not require any additional configuration on the NADs or the ISE PSNs.
• DHCP probe: The DHCP probe collects attributes from the DHCP packets that are exchanged between the endpoints and the DHCP server during the IP address assignment process. The DHCP probe can extract attributes such as hostname, vendor-class-identifier, client-identifier, parameter-request-list, and so on. The DHCP probe can also collect attributes from the DHCP relay packets that are forwarded by the NADs to the ISE PSNs. The DHCP probe can extract attributes such as relay-agent-information and subscriber-ID. The DHCP probe requires some configuration on the NADs and the ISE PSNs. The NADs must be configured to relay or copy the DHCP packets to the ISE PSNs, and the ISE PSNs must be configured to receive the DHCP packets on a specific interface.

References: 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_assetvisibility_endpointprofiler.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_00.html

Cisco AMP (Advanced Malware Protection) is a product that provides proactive endpoint protection and allows administrators to centrally manage the deployment. AMP uses cloud-based intelligence, sandboxing, and continuous analysis to detect and block advanced threats before they reach the endpoints. AMP also provides retrospective security, which means that it can alert and remediate endpoints if a file that was previously deemed benign is later found to be malicious. AMP can be integrated with other Cisco products, such as Firepower, Meraki, and Email Security Appliance, to provide comprehensive security across the network. AMP is available for Windows, Mac, Linux, Android, and iOS devices. References :=

Some possible references are:

• Endpoint Protection Platform (EPP) Definition - Cisco: This page defines what an endpoint protection platform (EPP) is and how it differs from traditional antivirus solutions. It also explains the benefits of using Cisco Secure Endpoint, formerly known as AMP for Endpoints.
• Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco: This page provides an overview of the features and capabilities of Cisco Secure Endpoint, such as cloud-based intelligence, endpoint isolation, file trajectory, device flow correlation, and more. It also offers resources for getting started, deploying, and managing Cisco Secure Endpoint.
• SCOR 350-701 Flashcards | Quizlet: This page contains flashcards for the SCOR 350-701 exam, which covers the topics of implementing and operating Cisco security core technologies. One of the flashcards is the same question as the one asked by the user, and it provides the correct answer and a brief explanation.

ExplanationThe AES encryption algorithm encrypts and decrypts data in blocks of 128 bits (block size). It can do this using 128-bit, 192-bit, or 256-bit keys

ExplanationCross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message.Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on.For example the code below is written in hex: Click Hereis equivalent to:Click HereNote: In the format “&#xhhhh“, hhhh is the code point in hexadecimal form.

ExplanationCisco Umbrella protects users from accessing malicious domains by proactively analyzing and blocking unsafe destinations – before a connection is ever made. Thus it can protect from phishing attacks by blocking suspicious domains when users click on the given links that an attacker sent. Cisco Umbrella roaming protects your employees even when they are off the VPN.

ExplanationThe ASAv on AWS supports the following features:+ Support for Amazon EC2 C5 instances, the next generation of the Amazon EC2 Compute Optimized instancefamily.+ Deployment in the Virtual Private Cloud (VPC)+ Enhanced networking (SR-IOV) where available+ Deployment from Amazon Marketplace+ Maximum of four vCPUs per instance+ User deployment of L3 networks+ Routed mode (default)Note: The Cisco Adaptive Security Virtual Appliance (ASAv) runs the same software as physical Cisco ASAs to deliver proven security functionality in a virtual form factor. The ASAv can be deployed in the public AWS cloud.It can then be configured to protect virtual and physical data center workloads that expand, contract, or shift their location over time. Reference: https:// www.c isco.com/c/en/us/td/docs/security/asa/asa96/asav/quick-start-book/asav-96 qsg/asavaws.html

Posture is a service in Cisco ISE that checks the compliance of endpoints with corporate security policies before allowing them to connect to the network. Posture policies define the requirements that endpoints must meet to be compliant, such as having antivirus software installed and updated, or having a specific registry key value. If an endpoint is compliant, Cisco ISE can apply a Change of Authorization (CoA) to grant it access to the network resources. CoA is a mechanism that allows Cisco ISE to dynamically change the authorization attributes of an existing session, such as VLAN, dACL, or SGT, without requiring the user to reauthenticate. CoA can be triggered by various events, such as posture assessment results, profiling changes, or manual actions by the administrator. CoA can also be used to quarantine or disconnect non-compliant endpoints. Therefore, ensuring that an endpoint is compliant with a posture policy configured in Cisco ISE provides the benefit of allowing CoA to be applied if the endpoint status is compliant. References :=

• Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Posture Policies
• Cisco Identity Services Engine Administrator Guide, Release 2.2 - Change of Authorization

 Cisco Advanced Malware Protection (AMP) for Endpoints is a cloud-based solution that provides endpoint protection against malware and advanced threats. It can be deployed in different architectures depending on the customer’s needs and preferences. One of the deployment options is the private cloud, which is designed to keep data within a network perimeter. In this option, the customer hosts the AMP for Endpoints console and the AMP cloud on their own infrastructure, and the endpoints connect to the private cloud for analysis and policy enforcement. This option provides more control and privacy over the data, but also requires more resources and maintenance from the customer. The other deployment options are the public cloud, which uses the Cisco-hosted AMP cloud and console, and the hybrid cloud, which uses a combination of the public and private clouds123 References: 1: Protecting Against Malware Threats with Cisco AMP for Endpoints (SSFAMP) course overview 2: Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco 3: Cisco Advanced Malware Protection for Endpoints - Zones

ExplanationTwo-factor authentication adds a second layer of security to your online accounts. Verifying your identity using asecond factor (like your phone or other mobile device) prevents anyone but you from logging in, even if theyknow your password.Note: Single sign-on (SSO) is a property of identity and access management that enables users to securelyauthenticate with multiple applications and websites by logging in only once with just one set of credentials(username and password). With SSO, the application or website that the user is trying to access relies on atrusted third party to verify that users are who they say they are.

The aaa server radius dynamic-author command enables authentication, authorization, and accounting (AAA) globally on the device so that Change of Authorization (CoA) is supported. CoA is a feature that allows an external AAA server to dynamically change the attributes of a user session after it is authenticated. For example, the AAA server can send a CoA request to reauthenticate a user, terminate a session, or apply a new policy. The aaa server radius dynamic-author command specifies the IP address and port number of the device that listens for CoA requests from the AAA server. The command also configures the shared secret key that is used to encrypt the communication between the device and the AAA server12. References := 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Securing Networks with Cisco Firepower Next Generation Firewall, Lesson 3.2: Deploying Cisco Firepower Next-Generation Firewall, Topic 3.2.2: Cisco Firepower NGFW Device Management 2: Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15SY - RADIUS Change of Authorization [Support] - Cisco3

ExplanationExplanationWhen Umbrella receives a DNS request, it uses intelligence to determine if the request is safe, malicious or risky — meaning the domain contains both malicious and legitimate content. Safe and malicious requests are routed as usual or blocked, respectively. Risky requests are routed to our cloud-based proxy for deeper inspection. The Umbrella proxy uses Cisco Talos web reputation and other third-party feeds to determine if a URL is malicious.

ExplanationSQL injection usually occurs when you ask a user for input, like their username/userid, but the user gives(“injects”) you an SQL statement that you will unknowingly run on your database. For example:Look at the following example, which creates a SELECT statement by adding a variable (txtUserId) to a selectstring. The variable is fetched from user input (getRequestString):txtUserId = getRequestString(“UserId”);txtSQL = “SELECT * FROM Users WHERE UserId = ” + txtUserId;If user enter something like this: “100 OR 1=1” then the SzQL statement will look like this:SELECT * FROM Users WHERE UserId = 100 OR 1=1;The SQL above is valid and will return ALL rows from the “Users” table, since OR 1=1 is always TRUE. Ahacker might get access to all the user names and passwords in this database.

ExplanationThe profiling service issues the change of authorization in the following cases:– Endpoint deleted—When an endpoint is deleted from the Endpoints page and the endpoint is disconnectedor removed from the network.An exception action is configured—If you have an exception action configured per profile that leads to anunusual or an unacceptable event from that endpoint. The profiling service moves the endpoint to thecorresponding static profile by issuing a CoA.– An endpoint is profiled for the first time—When an endpoint is not statically assigned and profiled for the first time; for example, the profile changes from an unknown to a known profile.+ An endpoint identity group has changed—When an endpoint is added or removed from an endpoint identity group that is used by an authorization policy.The profiling service issues a CoA when there is any change in an endpoint identity group, and the endpoint identity group is used in the authorization policy for the following:

 The strongest security possible for SNMPv3 requires both authentication and encryption, which is achieved by using the priv security level. Authentication ensures that the message is from a valid source, and encryption scrambles the content of the packet to prevent it from being learned by an unauthorized source. The auth sha and priv aes 256 parameters specify the algorithms used for authentication and encryption, respectively. SHA is more secure than MD5, and AES 256 is more secure than DES or 3DES. Therefore, option D is the correct answer, as it uses the priv security level, the SHA algorithm for authentication, and the AES 256 algorithm for encryption. The other options either use a lower security level (noauth or authNoPriv), a weaker encryption algorithm (des or 3des), or no encryption at all. References :=

• SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) - SNMP Version 3
• Configuration Template for SNMPv3 - Cisco Community
• SNMP Version 3 - Cisco

ExplanationThe user “admin5” was configured with privilege level 5. In order to allow configuration (enter globalconfiguration mode), we must type this command:(config)#privilege exec level 5 configure terminalWithout this command, this user cannot do any configuration.Note: Cisco IOS supports privilege levels from 0 to 15, but the privilege levels which are used by default are privilege level 1 (user EXEC) and level privilege 15 (privilege EXEC)

ExplanationThe Trusted Automated eXchangeof Indicator Information (TAXII) specifies mechanisms for exchangingstructured cyber threat information between parties over the network.TAXII exists to provide specific capabilities to those interested in sharing structured cyber threat information.TAXII Capabilities are the highest level at which TAXII actions can be described. There are three capabilitiesthat this version of TAXII supports: push messaging, pull messaging, and discovery.Although there is no “binding” capability in the list but it is the best answer here.

ISE posture assessment allows you to inspect the security “health” of your PC and MAC clients. This includes checking for the installation, running state, and last update for security software, such as anti-virus, anti-malware, personal firewall, and so on1. Windows service and Windows firewall are examples of such security software that can be checked by ISE posture assessment. Computer identity and user identity are not conditions that can be checked by ISE posture assessment, as they are related to authentication and authorization, not security posture. Default browser is also not a condition that can be checked by ISE posture assessment, as it is not a security software or a security risk. References: 1: Chapter 15. Device Posture Assessment - Cisco ISE for BYOD and Secure Unified Access, 3

 The Decrypt for Application Detection feature within the WSA Decryption options enhances the ability of AsyncOS to detect HTTPS applications. The HTTPS Proxy can decrypt HTTPS connections to web applications. This allows the Application Visibility and Control (AVC) engine to more accurately detect and block web applications that use HTTPS. This feature can help improve the security and performance of the network by identifying and controlling the usage of web applications that may consume bandwidth, pose security risks, or violate compliance policies.

References:

• WSA decryption options - Cisco Community, Topic: Decrypt for Application Detection
• User Guide for AsyncOS 11.7 for Cisco Web Security Appliances - GD (General Deployment) - Create Decryption Policies to Control HTTPS Traffic, Topic: Overview of Create Decryption Policies to Control HTTPS Traffic, Decryption for Application Detection

The dot1x pae authenticator command enables 802.1x authentication on the port and configures the port as an authenticator. This command is required for the port to initiate the authentication process with the connected client. Without this command, the port will not send EAPOL packets to the client and will not receive the client credentials. Therefore, the client will not be authenticated and will remain in the unauthorized state. The other options are not mandatory for 802.1x authentication, although they can be used to modify the default behavior of the port. For example, authentication open allows the port to grant access to the client before authentication, dot1x reauthentication enables periodic reauthentication of the client, and cisp enable enables Cisco Identity Services Protocol (CISP) on the port. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Secure Network Access, Lesson 5.1: Implementing 802.1X Authentication, Topic 5.1.2: Configuring 802.1X Authentication, Page 5-9.

Traffic storm control is a feature that prevents LAN ports from being disrupted by a broadcast, multicast, or unicast traffic storm on physical interfaces. Traffic storm control monitors the level of each traffic type for which it is enabled in 1-second intervals and compares it with the configured threshold, which is a percentage of the total available bandwidth of the port. When the ingress traffic reaches the threshold, traffic storm control drops the traffic until the end of the interval. Traffic storm control uses the Individual/Group bit in the packet destination address to determine if the packet is unicast or broadcast. This bit is set to 0 for unicast addresses and 1 for multicast or broadcast addresses. Traffic storm control does not use the source address to classify the traffic type. References := Configuring Traffic Storm Control - Cisco, Understanding Cisco Traffic Storm Control - NetCraftsmen

Explanation

Compared to RSA, the prevalent public-key cryptography of the Internet today, Elliptic Curve Cryptography (ECC) offers smaller key sizes, faster computation,as well as memory, energy and bandwidth savings and is thus better suited forsmall devices.

ExplanationAdvanced Malware Protection (AMP) for Endpoints offers a variety of lists, referred to as Outbreak Control, that allow you to customize it to your needs. The main lists are: Simple Custom Detections, Blocked Applications, Allowed Applications, Advanced Custom Detections, and IP Blocked and Allowed Lists.A Simple Custom Detection list is similar to a blocked list. These are files that you want to detect andquarantine.Allowed applications lists are for files you never want to convict. Some examples are a custom application that is detected by a generic engine or a standard image that you use throughout the company Reference: https://docs.amp.cisco.com/AMP%20for%20Endpoints%20User%20Guide.pdf

ExplanationWith Cisco pxGrid (Platform Exchange Grid), your multiple security products can now share data and work together. This open, scalable, and IETF standards-driven platform helps you automate security to get answers and contain threats faster.

The function of Cisco Cloudlock for data security is data loss prevention (DLP). Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cloudlock’s simple, open, and automated approach uses APIs to manage the risks in your cloud app ecosystem1. One of the key features of Cloudlock is its DLP technology, which continuously monitors cloud environments to detect and secure sensitive information. It provides countless out-of-the-box policies as well as highly tunable custom policies. You can use Cloudlock’s DLP to prevent data breaches, comply with regulations, and enforce data governance across SaaS, PaaS, and IaaS platforms2. References: 1: Cisco Cloudlock - Cisco2: Cloudlock: Cloud User Security - Cisco Umbrella.

Cisco DNA Center is an open and extensible platform that allows third-party applications and processes to exchange data and intelligence with Cisco DNA Center1. One of the features of the open platform capabilities of Cisco DNA Center is the intent-based APIs, which enable DNA Center to provide automation to applications2. Intent-based APIs allow applications to express their intent or desired outcome, and let DNA Center translate that intent into network configurations and policies3. Intent-based APIs simplify the interaction between applications and the network, and enable faster and more consistent service delivery.

References: 1: Cisco DNA Center 2.3.5 Data Sheet - Cisco 2: Intent-Based Networking’s Next Evolution: The DNA Center Platform - Cisco Blogs 3: Unlocking the Power of Open Platforms with Cisco DNA Center Platform

Cisco FTDv in AWS can be deployed in two different deployment models: single-instance and cluster. In both models, the FTDv can be configured in routed mode and managed by either an FMCv installed in AWS or a physical FMC appliance on premises. The FTDv can also use Geneve encapsulation for traffic interfaces to support AWS Gateway Load Balancer (GWLB) integration. The following table summarizes the supported deployment model configurations for FTDv in AWS:

Table

Deployment Model

Management Mode

Traffic Mode

Geneve Encapsulation

Single-instance

FMCv in AWS

Routed

Optional

Single-instance

FMC on premises

Routed

Optional

Cluster

FMCv in AWS

Routed

Required

Cluster

FMC on premises

Routed

Required

References :=

• Deploy the Threat Defense Virtual on AWS - Cisco
• Deploy a Threat Defense Virtual Cluster on AWS - Cisco
• Configure Geneve Interfaces in Secure FTDv - Cisco
• Deployment of Cisco Secure FTDv and FMCv instances in AWS - Terraform
• Solved: FTD virtual appliance in AWS - Cisco Community

ExplanationThe ASA REST API gives you programmatic access to managing individual ASAs through a Representational State Transfer (REST) API. The API allows external clients to perform CRUD (Create, Read, Update, Delete) operations on ASA resources; it is based on the HTTPS protocol and REST methodology.All API requests are sent over HTTPS to the ASA, and a response is returned.Request StructureAvailable request methods are:GET – Retrieves data from the specified object.PUT – Adds the supplied information to the specified object; returns a 404 Resource Not Found error if the object does not exist.POST – Creates the object with the supplied information.DELETE – Deletes the specified object

ExplanationDynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. After enabling DAI, all ports become untrusted ports.

Phishing attacks are a type of social engineering that aim to trick users into revealing their personal or financial information, or installing malware on their devices. To control phishing attacks, users and organizations need to implement various preventive and reactive measures, such as:

• Enable browser alerts for fraudulent websites. Most modern browsers have built-in features that can warn users when they visit a website that is suspected of being malicious or impersonating a legitimate entity. These alerts can help users avoid falling for phishing scams that use fake web pages to capture their credentials or other sensitive data. For example, Google Chrome has a Safe Browsing feature that displays a red warning page when users try to access a deceptive site. Users should always pay attention to these alerts and avoid proceeding to untrusted sites.
• Implement email filtering techniques. Email is one of the most common channels for phishing attacks, as attackers can send spoofed messages that appear to come from trusted sources, such as banks, government agencies, or colleagues. Email filtering techniques can help block or flag suspicious emails based on various criteria, such as the sender’s address, the subject line, the content, or the attachments. For example, Microsoft Outlook has a Junk Email Filter that can move potential phishing emails to a separate folder or delete them automatically. Users should also be careful not to open or reply to any unsolicited or unexpected emails, especially those that ask for personal or financial information, or contain links or attachments.

Other mechanisms that can help control phishing attacks include:

• Use strong passwords and enable two-factor authentication. Even if users fall victim to phishing attacks and reveal their passwords, they can still protect their accounts by using strong and unique passwords for each service, and enabling two-factor authentication (2FA) whenever possible. 2FA adds an extra layer of security by requiring users to enter a code or a token that is sent to their phone or email, or generated by an app, in addition to their password. This way, even if attackers obtain the password, they cannot access the account without the second factor.
• Don’t ignore update messages. Users should always keep their operating systems, browsers, and applications updated with the latest security patches and fixes. These updates can help prevent phishing attacks that exploit known vulnerabilities or bugs in the software. Users should also use antivirus and antispyware software that can detect and remove malware that may be installed by phishing attacks.
• Exercise caution when opening emails or clicking on links. Users should always be skeptical and vigilant when they receive emails or messages that ask them to take urgent or unusual actions, such as verifying their account, updating their payment information, or downloading a file. Users should also check the sender’s address, the spelling and grammar, and the URL of any links before clicking on them. Users can hover over the link to see the actual destination, or use a link scanner tool, such as VirusTotal, to check if the link is malicious or not.

References :=

1: https://safebrowsing.google.com/  2: https://support.microsoft.com/en-us/office/overview-of-the-junk-email-filter-5ae3ea8e-cf41-4fa0-b02a-3b96e21de089  3: https://www.virustotal.com/gui/home/url

Asymmetric encryption, also known as public-key cryptography, is a type of encryption that uses a pair of keys to encrypt and decrypt data. The pair of keys includes a public key, which can be shared with anyone, and a private key, which is kept secret by the owner. In asymmetric encryption, the sender uses the recipient’s public key to encrypt the data. The recipient then uses their private key to decrypt the data. This approach allows for secure communication between two parties without the need for both parties to have the same secret key. RSA is one of the most commonly used asymmetric encryption algorithms. It is based on the mathematical problem of factoring large numbers, which is believed to be hard to solve. RSA stands for Rivest-Shamir-Adleman, the names of the three inventors of the algorithm. RSA can be used for both encryption and digital signatures. To generate an RSA key pair, the following steps are performed:

• Choose two large prime numbers, p and q, and compute their product, n = pq. This is called the modulus.
• Choose a small number, e, that is relatively prime to (p-1)(q-1). This is called the public exponent.
• Compute a number, d, that satisfies the equation ed ≡ 1 (mod (p-1)(q-1)). This is called the private exponent.
• The public key is (n, e) and the private key is (n, d).

To encrypt a message, m, with the public key (n, e), the following formula is used:

• c = m^e mod n

To decrypt a ciphertext, c, with the private key (n, d), the following formula is used:

• m = c^d mod n

References :=

• [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 3: VPN Technologies, Lesson 3.1: Site-to-Site VPNs, Topic 3.1.2: IPsec VPNs
• What is Asymmetric Encryption? - GeeksforGeeks
• What is asymmetric encryption? | Asymmetric vs. symmetric … - Cloudflare

A passphrase is a type of protection that encrypts RSA keys when they are exported and imported. A passphrase is a sequence of characters that the user enters to decrypt the key. The passphrase acts as a symmetric key that is used to encrypt and decrypt the RSA key with a symmetric algorithm, such as AES. This way, the RSA key is protected from unauthorized access or tampering when it is transferred or stored. A passphrase can also provide additional security by adding entropy to the RSA key generation process. A file, NGE, and nonexportable are not types of protection that encrypt RSA keys when they are exported and imported. A file is a container that stores the RSA key, but does not encrypt it. NGE stands for Next Generation Encryption, which is a set of cryptographic standards and algorithms that Cisco recommends, but it is not a specific type of protection. Nonexportable is a property that prevents the RSA key from being exported at all, but it does not encrypt it. References: RSA/Schannel Key BLOBs, Common Encryption Types, Protocols and Algorithms Explained, Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (Module 5: Implementing Secure Communications with VPNs, Lesson 5.1: Implementing Site-to-Site VPNs, Topic 5.1.2: Implementing Site-to-Site VPNs with Pre-Shared Keys)

A Trojan malware attack is a type of malicious code or software that disguises itself as a legitimate program or file to trick users into executing it. Once executed, the Trojan can perform various harmful actions on the infected system or network, such as stealing data, deleting files, or installing other malware. There are different types of Trojan malware attacks, depending on their purpose and behavior. Two common types are:

• Rootkit: A rootkit is a type of Trojan that hides itself and other malware from detection and removal by antivirus software or system tools. A rootkit can modify the operating system or the firmware of the device to gain persistent and privileged access to the system. A rootkit can also intercept and manipulate system calls, network traffic, or user input to conceal its activities or redirect them to malicious servers.
• Backdoor: A backdoor is a type of Trojan that creates a secret or unauthorized access point to the infected system or network. A backdoor can allow an attacker to remotely control the system, execute commands, upload or download files, or monitor the system activity. A backdoor can also be used to install other malware or launch further attacks on other systems or networks.

References:

• [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 1: Malware Threats, Lesson 1: Identifying Malware Threats, Topic: Trojan Horse
• What is a Trojan? Is it a virus or is it malware? - Norton™
• Trojan Horse Examples (2024): The 6 Worst Attacks Ever - SoftwareLab

The Southbound API is used to communicate between Controllers and network devices.

Device compliance checks are a feature of Cisco Identity Services Engine (ISE) that allows you to verify the posture of endpoints before allowing them to access your network. Posture is the state of the endpoint in terms of security, such as the presence of anti-virus software, firewall, patches, and so on. A posture agent, such as the AnyConnect ISE Posture Agent, runs on the endpoint and collects posture information, which is then sent to the ISE server for evaluation. Based on the posture policy, the ISE server can grant or deny network access, or apply remediation actions to the endpoint. One of the benefits of conducting device compliance checks is that it validates if anti-virus software is installed on the endpoint, which can prevent malware infections and protect your network from threats. The other options are not benefits of device compliance checks, as they are not related to the posture of the endpoint. References:

• Compliance - Cisco
• Device Compliance - Cisco

Cisco FTDv is a virtual appliance that combines the features of Cisco ASA and Cisco Firepower NGIPS. It provides stateful firewall, IPS, URL filtering, malware protection, and other advanced security functions. Cisco ASAv is a virtual appliance that only provides stateful firewall and VPN features. It does not support URL filtering or other Firepower functions. Therefore, Cisco FTDv provides more features than ASAv, especially for next-generation firewall capabilities. References :=

• Cisco Firewall in AWS - Should i use ASAv or FTDv/FMCv?
• Difference between Cisco ASAv, NGIPSv and FTDv…?
• Are there any differences in features between Cisco ASA hardware …

An active/active FlexVPN configuration allows for multiple routers or VRFs to act as hubs for different VPN groups, providing load balancing and redundancy1. This is useful when the VPN deployment has a large number of spokes or different security policies for different groups of spokes. DMVPN, on the other hand, only supports a single hub or a pair of hubs in active/standby mode for each VPN group2. This limits the scalability and flexibility of DMVPN deployments. Therefore, an engineer would opt for an active/active FlexVPN configuration as opposed to DMVPN when multiple routers or VRFs are required. References :=

• Cisco FlexVPN: Benefits and Best Practices
• Cisco DMVPN Design Guide

Explanation To understand DHCP snooping we need to learn about DHCP spoofing attack first.

DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”.The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature thatdetermines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP

messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.

The port connected to a DHCP server should be configured as trusted port with the “ip dhcp snooping trust” command. Other ports connecting to hosts are untrusted ports by default.

In this question, we need to configure the uplink to “trust” (under interface Gi1/0/1) as shown below.

Explanation CoA Messages are sent on two different udp ports depending on the platform. Cisco standardizes on UDP port1700, while the actual RFC calls out using UDP port 3799.

3DES is a symmetric-key block cipher that applies the DES algorithm three times to each data block. It was developed to improve the security of DES, which has a small key size and is vulnerable to brute-force attacks. 3DES encrypts traffic by using three different keys, each 56 bits long, to perform three rounds of encryption on the plaintext. The encryption process can be described as follows:

• Encrypt the plaintext with the first key (K1).
• Decrypt the result with the second key (K2).
• Encrypt the result again with the third key (K3).

The final ciphertext is the output of the third encryption. The decryption process is the reverse of the encryption process, using the same keys in reverse order:

• Decrypt the ciphertext with the third key (K3).
• Encrypt the result with the second key (K2).
• Decrypt the result again with the first key (K1).

The final plaintext is the output of the third decryption. 3DES is more secure than DES because it uses a longer effective key length of 168 bits (56 x 3), which makes brute-force attacks more difficult. However, 3DES is also slower than DES because it requires three times more computations. Moreover, 3DES has some weaknesses, such as the meet-in-the-middle attack, which can reduce the effective key length to 112 bits. Therefore, 3DES is not recommended for new applications and has been deprecated by NIST since 201712

References := 1: NIST Special Publication 800-67 Revision 2 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher 2: What is 3DES encryption and how does DES work? | Comparitech

ExplanationExplanationThe Mail Policies menu is where almost all of the controls related to email filtering happens. All the security and content filtering policies are set here, so it’s likely that, as an ESA administrator, the pages on this menu are where you are likely to spend most of your time.

Text, chat or text message Description automatically generated

ExplanationExplanationTo configure an NTP enabled router to require authentication when other devices connect to it, use thefollowing commands:NTP_Server(config)#ntp authentication-key 2 md5 securitytutNTP_Server(config)#ntp authenticateNTP_Server(config)#ntp trusted-key 2Then you must configure the same authentication-key on the client router:NTP_Client(config)#ntp authentication-key 2 md5 securitytutNTP_Client(config)#ntp authenticateNTP_Client(config)#ntp trusted-key 2NTP_Client(config)#ntp server 10.10.10.1 key 2Note: To configure a Cisco device as a NTP client, use the command ntp server . For example:Router(config)#ntp server 10.10.10.1. This command will instruct the router to query 10.10.10.1 for the time.

 A SYN flood is a type of denial-of-service (DoS) attack that exploits the TCP three-way handshake process to exhaust the resources of a target server. The attacker sends a large number of SYN packets to the target server, each with a spoofed source IP address. The target server allocates resources for each incoming SYN packet and responds with a SYN-ACK packet to the spoofed address. However, the spoofed address never sends back the final ACK packet to complete the connection, leaving the target server with many half-open connections that eventually fill up its connection table. This prevents the target server from accepting new legitimate connections and causes service disruption123 References: 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 course overview 2: SYN Flood Explained. How to Prevent this Attack from Taking over your … 3: What is a SYN flood attack? | Cloudflare

ExplanationExplanationThe Application Visibility and Control (AVC) engine lets you create policies to control application activity on the network without having to fully understand the underlying technology of each application. You can configure application control settings in Access Policy groups. You can block or allow applications individually or according to application type. You can also apply controls to particular application types.

 The product that allows Cisco FMC to push security intelligence observable to its sensors from other products is Threat Intelligence Director (TID). TID is a feature of Cisco FMC that enables you to integrate third-party threat intelligence feeds into your security policies. TID collects, aggregates, and correlates observables from multiple sources, such as Cisco Talos Intelligence, Cisco Umbrella, and other external providers. TID then pushes the observables to the sensors that are managed by FMC, such as Firepower Threat Defense (FTD) devices, Firepower appliances, and Cisco Secure Firewall Cloud Native. The sensors can then use the observables to block or monitor traffic based on the reputation and threat level of the IP addresses, URLs, and domains12.

References: 1: Firepower Management Center Configuration Guide, Version 6.6 - Threat Intelligence Director [Cisco Secure Firewall Management Center] - Cisco 2: Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.6 - Threat Intelligence Director [Cisco Firepower NGFW] - Cisco

 ESP (Encapsulating Security Payload) is a cryptographic process that provides origin confidentiality, integrity, and origin authentication for packets. ESP encrypts the payload of an IP packet with a symmetric key, and adds a header and a trailer to the packet. The header contains a security parameter index (SPI) and a sequence number, which are used to identify the security association (SA) and prevent replay attacks. The trailer contains padding and a next header field, which are used to align the packet and indicate the type of the original payload. ESP also adds an authentication data field at the end of the packet, which contains a message authentication code (MAC) that is computed over the entire ESP packet (except for the authentication data field itself) using a secret key and a hash function. The MAC provides data integrity and origin authentication for the packet. ESP can operate in two modes: tunnel mode and transport mode. In tunnel mode, ESP encapsulates the entire original IP packet, including the IP header, and adds a new IP header. This mode provides protection for the entire packet, but adds more overhead. In transport mode, ESP only encapsulates the payload of the original IP packet, and leaves the IP header intact. This mode provides protection only for the payload, but preserves the original IP header information. ESP is one of the two main protocols of IPsec, along with AH (Authentication Header). AH only provides data integrity and origin authentication, but not confidentiality. AH adds a header to the IP packet, which contains a MAC that is computed over the immutable fields of the IP header and the entire payload. AH does not encrypt the payload, and therefore does not protect it from eavesdropping. AH can also operate in tunnel mode or transport mode, but it is incompatible with NAT devices, which modify the IP header fields. IKE (Internet Key Exchange) is a protocol that is used to establish and manage SAs for IPsec. IKE negotiates the security parameters, such as the encryption and authentication algorithms, the keys, and the SPIs, for the IPsec protocols. IKE also performs mutual authentication between the IPsec peers, and establishes a secure channel for exchanging keying material. IKE has two versions: IKEv1 and IKEv2. IKEv1 consists of two phases: phase 1 and phase 2. In phase 1, IKEv1 establishes an IKE SA, which is a secure channel for phase 2. In phase 2, IKEv1 negotiates one or more IPsec SAs, which are used to protect the IPsec traffic. IKEv2 simplifies the IKE protocol by combining the two phases of IKEv1 into a single exchange. IKEv2 also supports more features, such as NAT traversal, EAP authentication, and MOBIKE. References :=

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: VPN Technologies, Lesson 3.1: Site-to-Site VPNs, Topic 3.1.1: IPsec VPNs
• IPsec - Wikipedia
• AH and ESP protocols - IBM
• How TLS provides identification, authentication, confidentiality, and integrity - IBM

 A security application that notifies a controller within a software-defined network architecture about a specific security threat is using a northbound API. A northbound API is an interface that enables communication between the SDN controller and the applications or management systems that use the network services1. A security application can use a northbound API to send alerts, requests, or commands to the SDN controller, which can then take appropriate actions on the network devices or policies2. For example, a security application can use a northbound API to inform the SDN controller about a malicious traffic pattern, and the SDN controller can then block or redirect the traffic using a southbound API3.

References: 1: What is Software-Defined Networking (SDN)? | VMware Glossary 2: Intent-Based Networking’s Next Evolution: The DNA Center Platform - Cisco Blogs 3: Cisco SDN Security: Securing the Software Defined Network - Cisco

One of the key capabilities of endpoint security is to prevent phishing attacks by ensuring that antivirus and anti malware software is up to date. This helps to detect and block malicious attachments or links that may be embedded in phishing emails. Antivirus and anti malware software can also scan the endpoint for any signs of compromise or infection that may have resulted from a successful phishing attack. Additionally, endpoint security can provide data loss prevention (DLP) features that can prevent sensitive data from being exfiltrated by attackers who have gained access to the endpoint through phishing. References :=

Some possible references are:

• Endpoint Security and Phishing: What to Know
• Protect Against Spear Phishing with Endpoint Security
• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (source book)

In a man-in-the-middle (MITM) attack, the attacker inserts their machine between two hosts that are communicating with each other, and secretly relays and possibly alters the messages between them. The attacker can intercept, modify, or spoof the data, and the hosts are unaware that their communication is compromised. A MITM attack can target any communication channel that uses weak or no encryption, such as email, web, or wireless networks. A MITM attack can break the confidentiality, integrity, and authenticity of the communication, and can have various goals, such as eavesdropping, stealing credentials, impersonating a legitimate party, or redirecting traffic. A MITM attack can be prevented by using strong encryption protocols, such as TLS, IPSec, or SSH, and verifying the identity of the communication endpoints using certificates or other means. References: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Man-in-the-middle attack - Wikipedia, Man-in-the-Middle Attack: Types and Examples - Fortinet

The best way to prevent the session during the initial TCP communication is to configure policies to stop and reject communication from the known malicious domain. This will prevent the ESA from accepting any messages from that domain and send a negative SMTP response code back to the sender. This will also save the ESA’s resources and bandwidth, as it will not have to process or store the malicious emails. This can be done by creating a sender group in the Host Access Table (HAT) that matches the malicious domain and setting the mail flow policy to “Reject” or “Throttle”. Alternatively, a message filter can be created that checks the envelope sender against the malicious domain and applies the “stop_connection” or “reject_connection” action12.

The other options are not as effective as stopping and rejecting the communication at the TCP level. Configuring the Cisco ESA to drop the malicious emails (option A) will still allow the ESA to accept the messages and then silently discard them, which will consume the ESA’s resources and bandwidth, and also not notify the sender of the rejection. Configuring policies to quarantine malicious emails (option B) will also require the ESA to accept and store the messages, which will take up disk space and require manual or automated management of the quarantine. Configuring the Cisco ESA to reset the TCP connection (option D) will abruptly terminate the connection without sending a proper SMTP response code, which may cause the sender to retry the delivery and generate more traffic. Resetting the TCP connection is also considered a less polite and less compliant way of rejecting messages than sending a negative SMTP response code34. References: 1: How to Block a Sender Domain on the Email Security Appliance 2: Message Filters on the Cisco Email Security Appliance 3: How to Configure the Cisco Email Security Appliance to Reject or Drop Messages 4: Cisco Email Security Appliance User Guide - Configuring Mail Policies

 The vulnerability that allows the attacker to see the passwords being transmitted in clear text is the lack of encryption on the VPN links. Encryption is a process of transforming data into an unreadable form, so that only authorized parties can access it. VPN (Virtual Private Network) is a technology that creates a secure tunnel between two or more devices over a public network, such as the Internet. VPN links should be encrypted to prevent eavesdropping, tampering, or spoofing of the data that passes through them. If the VPN links are not encrypted, an attacker can use a packet sniffer to intercept and read the data, including the passwords, that are sent over the network. This is called a sniffing attack, and it can lead to credential theft, identity spoofing, or data manipulation. Therefore, VPN links should always use strong encryption protocols, such as IPsec or SSL/TLS, to protect the confidentiality and integrity of the data. References :=

Some possible references are:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Cisco: This is the official course page for the SCOR 350-701 exam, which covers the topics of implementing and operating Cisco security core technologies. It provides the course objectives, outline, duration, and prerequisites. It also offers various learning options, such as instructor-led training, e-learning, and practice exams.
• SCOR 350-701 Official Cert Guide - Cisco Press: This is the official study guide for the SCOR 350-701 exam, written by Omar Santos, a principal engineer at Cisco’s Security Research and Operations group. It covers all the exam topics in depth, with explanations, examples, exercises, and practice questions. It also includes a companion website with online resources, such as videos, quizzes, flashcards, and more.
• Cleartext submission of password - PortSwigger: This is a web security article that explains the vulnerability of transmitting passwords over unencrypted connections, and how to exploit it using Burp Suite, a web application testing tool. It also provides some remediation advice, such as using HTTPS and HSTS to enforce encryption.
• What Are Sniffing Attacks, and How Can You Protect Yourself? - EC-Council: This is a blog post that describes what sniffing attacks are, how they work, and what are the common types and tools of sniffing attacks. It also provides some tips on how to prevent or detect sniffing attacks, such as using encryption, VPN, firewall, IDS, and anti-sniffing software.
• OWASP Application Security FAQ | OWASP Foundation: This is a frequently asked questions page about application security, maintained by the Open Web Application Security Project (OWASP), a non-profit organization that promotes web security awareness and best practices. It covers various topics, such as authentication, authorization, session management, input validation, output encoding, cryptography, error handling, logging, and more.

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets on untrusted interfaces by comparing the MAC address to IP address bindings in the DHCP snooping database or an ARP access-list. If the ARP packet contains invalid or spoofed information, it is dropped and logged. DAI also inspects ARP packets on trusted interfaces, but it does not drop them if they are invalid. Instead, it forwards them to the destination without validation. This allows the switch to support devices that use static IP addresses or have legitimate reasons to send ARP packets with different MAC address to IP address bindings. However, this also means that if a spoofed ARP packet is received on a trusted interface, it will bypass the DAI validation and be forwarded to the destination. This could allow an attacker to poison the ARP cache of other devices and perform a man-in-the-middle attack. Therefore, the correct answer is option B. The switch drops the packet after validation by using the IP & MAC Binding Table. References:

• Understanding and Configuring Dynamic ARP Inspection
• DAI (Dynamic ARP Inspection)
• Dynamic ARP Inspection (DAI) Explanation & Configuration
• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

The mechanism that the engineer should configure to accomplish the goal of sending telemetry using the cloud provider’s mechanisms to a security device is VPC flow logs. VPC flow logs are a feature of Google Cloud that capture and record information about the network flows sent from and received by the virtual machines (VMs) inside a VPC network1. VPC flow logs can provide network telemetry data such as source and destination IP addresses, ports, protocols, bytes sent and received, and connection state1. VPC flow logs can be exported to Cloud Logging, Pub/Sub, or Cloud Storage for further analysis by security devices or tools1. VPC flow logs can help the engineer to perform behavioral analysis to detect malicious activity on the hosts, such as network scans, port sweeps, brute force attacks, data exfiltration, or lateral movement2.

The other options are not correct mechanisms to send telemetry using the cloud provider’s mechanisms to a security device. Option A is incorrect because mirror port is not a feature of Google Cloud, but rather a network device configuration that copies traffic from one port to another for monitoring purposes3. Option B is incorrect because flow is not a specific mechanism, but rather a generic term that refers to a sequence of packets between a source and a destination4. Option C is incorrect because NetFlow is not a feature of Google Cloud, but rather a network protocol developed by Cisco that collects and aggregates information about network flows5. NetFlow is not compatible with VPC flow logs, which use a different format6. References:

• VPC flow logs overview
• When to use 5 telemetry types in security threat monitoring
• What is a Mirror Port?
• What is a Network Flow?
• What is NetFlow?
• Exporting VPC flow logs to Pub/Sub

Cisco Stealthwatch - rapidly collects and analyzes netflow and telementy data to deliver in-depth visibility and understanding of network traffic

Cisco ISE – obtains contextual identity and profiles for all users and device

Cisco TrustSec – software defined segmentation that uses SGTs

Cisco Umbrella – secure internet gateway ion the cloud that provides a security solution

ExplanationA data breach is the intentional or unintentional release of secure or private/confidential information to anuntrusted environment.When your credentials have been compromised, it means someone other than you may be in possession of your account information, such as your username and/or password.

 SNMPv3 is a security model that uses authentication and encryption to provide secure access to devices. SNMPv3 requires the configuration of SNMP groups, users, and views. SNMP groups define the security model, security level, and access rights for a set of users. SNMP users are members of SNMP groups and have passwords for authentication and encryption. SNMP views define the subset of the MIB tree that a group of users can access. To facilitate access to the SNMP views, the network administrator must map the SNMPv3 users to the SNMP views using the snmp-server group command with the v3 and view keywords. This command assigns a view to a group of users and specifies the security model and level for that group. For example, the following command maps the SNMPv3 users in the group admin to the view all using the authPriv security level:

snmp-server group admin v3 authPriv read all write all

This command allows the users in the group admin to access all the MIB objects in the view all using authentication and encryption. The other options are not correct because they are not related to the SNMP views. Option B is incorrect because the password for SNMPv3 authentication is configured for each user using the snmp-server user command with the auth keyword. Option C is incorrect because the encryption algorithm for SNMPv3 is also configured for each user using the snmp-server user command with the priv keyword. Option D is incorrect because the UDP port used by SNMP is not configurable and is always 161 for queries and 162 for traps. References :=

Some possible references for this question are:

• SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) - SNMP Version 3
• Configuration Template for SNMPv3 - Cisco Community
• Configure ESXi for SNMP v3 - VMware Docs
• How to Configure SNMPv3 and How It Works - CBT Nuggets

ExplanationExplanationEndpoint protection platforms (EPP) prevent endpoint security threats like known and unknown malware.Endpoint detection and response (EDR) solutions can detect and respond to threats that your EPP and other security tools did not catch.EDR and EPP have similar goals but are designed to fulfill different purposes. EPP is designed to providedevice-level protection by identifying malicious files, detecting potentially malicious activity, and providing tools for incident investigation and response.The preventative nature of EPP complements proactive EDR. EPP acts as the first line of defense, filtering out attacks that can be detected by the organization’s deployed security solutions. EDR acts as a second layer of protection, enabling security analysts to perform threat hunting and identify more subtle threats to the endpoint.Effective endpoint defense requires a solution that integrates the capabilities of both EDR and EPP to provide protection against cyber threats without overwhelming an organization’s security team.

ExplanationExplanation… we will showcase Cisco Threat Intelligence Director (CTID) an exciting feature on Cisco’s FirepowerManagement Center (FMC) product offering that automates the operationalization of threat intelligence. TID has the ability to consume threat intelligence via STIX over TAXII and allows uploads/downloads of STIX and simple blacklists. Reference: https://blogs.cisco.com/developer/automate-threat-intelligence-using-cisco-threat-intelligencedirector

Anycast IP is a component of Cisco umbrella architecture that increases reliability of the service by allowing the same IP address to exist on multiple servers around the world. This way, the user’s request is automatically routed to the nearest and fastest data center, and failover is seamless in case of an outage. Anycast IP also reduces latency and improves performance by using BGP to select the shortest path to the destination12. References := 1: Why Cisco Umbrella uses anycast routing - Cisco Umbrella 2: Cisco Umbrella At a Glance

ExplanationTo understand DHCP snooping we need to learn about DHCP spoofing attack first.

DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”.The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature thatdetermines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCPmessages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP responseis seen on an untrusted port, the port is shut down.

Graphical user interface Description automatically generated with low confidence

 Secret key cryptography, also known as symmetric key cryptography, is a type of encryption where a single secret key is used for both encryption and decryption of a message. The cryptographic key is kept secret between the sender and receiver, making it difficult for anyone else to decipher the message. Some of the functions of secret key cryptography are:

• Key selection without integer factorization: Secret key cryptography does not rely on complex mathematical problems such as integer factorization or discrete logarithms to generate keys. Instead, the keys are chosen randomly or derived from a passphrase or a shared secret. This makes the key generation process faster and simpler than in public key cryptography.
• Utilization of less memory: Secret key cryptography uses less memory than public key cryptography, as it only requires one key to be stored and managed. Public key cryptography, on the other hand, requires two keys (public and private) for each user, which increases the memory overhead and complexity of key management.

The other options are not functions of secret key cryptography, but rather characteristics of public key cryptography or asymmetric cryptography, which is a different type of encryption where different keys are used for encryption and decryption. Public key cryptography has the following features:

• Utilization of different keys for encryption and decryption: Public key cryptography uses a pair of keys, one public and one private, for each user. The public key can be shared with anyone, while the private key must be kept secret. The public key is used to encrypt messages, while the private key is used to decrypt them. This allows users to communicate securely without having to exchange a secret key beforehand.
• Utilization of large prime number iterations: Public key cryptography relies on hard mathematical problems such as integer factorization or discrete logarithms to generate keys. These problems involve finding the prime factors of large numbers or finding the discrete logarithms of numbers in a finite field. These problems are easy to solve in one direction, but hard to solve in the reverse direction. For example, it is easy to multiply two large prime numbers, but hard to find the prime factors of the product. This makes the keys hard to break by brute force or other methods.
• Provides the capability to only know the key on one side: Public key cryptography enables users to encrypt messages without knowing the recipient’s key, and vice versa. This is possible because the encryption and decryption keys are different and mathematically related. For example, Alice can encrypt a message with Bob’s public key, and only Bob can decrypt it with his private key. Alice does not need to know Bob’s private key, and Bob does not need to know Alice’s key. This also enables public key cryptography to support digital signatures, which are a way of verifying the identity and integrity of a message.

References :=

• What Is Secret Key Cryptography? A Complete Guide - Helenix
• Definition of Secret-key Cryptography - Gartner

ExplanationExplanationHow To Troubleshoot ISE Failed Authentications & AuthorizationsCheck the ISE Live LogsLogin to the primary ISE Policy Administration Node (PAN).Go to Operations > RADIUS > Live Logs(Optional) If the event is not present in the RADIUS Live Logs, go to Operations > Reports > Reports >Endpoints and Users > RADIUS AuthenticationsCheck for Any Failed Authentication Attempts in the Log

ExplanationCommunity Cloud allows system and services to be accessible by group of organizations. It shares theinfrastructure between several organizations from a specific community. It may be managed internally byorganizations or by the third-party.

The Python script in the exhibit uses the Cisco AMP for Endpoints API to get information about the computers in the deployment. It imports the requests library, which allows it to make HTTP requests. It then defines three variables: client_id, api_key, and url. These are used to authenticate and access the API endpoint. The url is set to ‘1’, which returns a list of computers in JSON format. The script then makes a GET request using the requests.get() method, passing the url and the authentication details as parameters. The response from the API is stored in the response variable, and converted to JSON using the response.json() method. The script then loops over each computer in the ‘data’ field of the JSON response, using a for loop. Inside the loop, it extracts the hostname of each computer using the ‘hostname’ key, and prints it using the print() function. Therefore, the script will pull all computer hostnames and print them, which is option C. References:

• Overview of the Cisco AMP for Endpoints API
• Secure Endpoint API - Cisco DevNet
• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

ExplanationSymmetric encryption uses a single key that needs to be shared among the people who need to receive the message while asymmetric encryption uses a pair of public key and a private key to encrypt and decrypt messages when communicating.Asymmetric encryption takes relatively more time than the symmetric encryption.Diffie Hellman algorithm is an asymmetric algorithm used to establish a shared secret for a symmetric keyalgorithm. Nowadays most of the people uses hybrid crypto system i.e, combination of symmetric andasymmetric encryption. Asymmetric Encryption is used as a technique in key exchange mechanism to share secret key and after the key is shared between sender and receiver, the communication will take place using symmetric encryption. The shared secret key will be used to encrypt the communication.Triple DES (3DES), a symmetric-key algorithm for the encryption of electronic data, is the successor of DES (Data Encryption Standard) and provides more secure encryption then DES.Note: Although “requires secret keys” option in this question is a bit unclear but it can only be assigned toSymmetric algorithm.

ExplanationA posture policy is a collection of posture requirements, which are associated with one or more identity groups, and operating systems. We can configure ISE to check for the Windows patch at Work Centers > Posture > Posture Elements > Conditions > File.In this example, we are going to use the predefined file check to ensure that our Windows 10 clients have the critical security patch installed to prevent the Wanna Cry malware; and we can also configure ISE to update the client with this patch.

The Cisco ASA and the Cisco IOS router with Zone-Based Policy Firewall (ZFW) have different default behaviors when it comes to traffic filtering. The Cisco ASA follows a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic1. The Cisco IOS router with ZFW, on the other hand, starts out by allowing all traffic, even on untrusted interfaces, until a zone-pair policy is applied to restrict or inspect traffic2. This means that the Cisco ASA provides a higher level of security by default, while the Cisco IOS router with ZFW requires more configuration to harden the router. However, the Cisco IOS router with ZFW also offers more flexibility and granularity in defining firewall policies, as well as more advanced features such as DMVPN, GET VPN, and Policy-Based Routing, which are not supported by the Cisco ASA23. References:

• 2: IOS Firewall vs. ASA - Cisco Community
• 1: Understand the Zone-Based Policy Firewall Design - Cisco
• 4: What is a functional difference between a Cisco ASA and a Cisco IOS router with Zone-based policy firewall?
• 5: What is a functional difference between a Cisco ASA and Cisco IOS router with Zone-based policy firewall?
• 3: Cisco Zone-Based Firewall Reporting – Plixer

Using an Internet browser to access cloud-based service creates the risk of insecure implementation of API. API stands for Application Programming Interface, which is a set of rules and protocols that allow different applications or services to communicate and exchange data. API is often used to access cloud-based service, such as software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS). However, if the API is not implemented securely, it can expose sensitive data or allow unauthorized access to the cloud service. For example, an API may not use encryption, authentication, or authorization mechanisms to protect the data in transit or at rest. An API may also have vulnerabilities such as injection, broken authentication, or insufficient logging and monitoring, which can be exploited by attackers to compromise the cloud service or the user’s browser. Therefore, it is important to follow the best practices and standards for secure API development and testing, such as OWASP API Security Top 10. References:

• 1: Implementing and Operating Cisco Security Core Technologies (SCOR) - Cisco
• 2: 350-701 SCOR - Cisco
• 3: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0
• 4: 12 Cloud Security Issues: Risks, Threats & Challenges - CrowdStrike
• 5: 12 Risks, Threats, & Vulnerabilities in Moving to the Cloud - SEI Blog
• 6: Remote Browser Isolation Protects Users from Threats - Cisco Umbrella
• 7: Which risk is created when using an Internet browser to access cloud-based service?
• 8: Browser in the Cloud: The Evolution of Secure Browsing - Leostream
• [9]: OWASP API Security Top 10 2023

ExplanationExplanationCryptographic algorithms defined for use with IPsec include:+ HMAC-SHA1/SHA2 for integrity protection and authenticity.+ TripleDES-CBC for confidentiality+ AES-CBC and AES-CTR for confidentiality.+ AES-GCM and ChaCha20-Poly1305 providing confidentiality and authentication together efficiently.

ExplanationExplanationThere are three basic categories of attack:+ volume-based attacks, which use high traffic to inundate the network bandwidth+ protocol attacks, which focus on exploiting server resources+ application attacks, which focus on web applications and are considered the most sophisticated and serious type of attacks Reference: https://www.esecurityplanet.com/networks/types-of-ddos-attacks/

 TAXII, short for Trusted Automated eXchange of Intelligence Information, is a protocol that defines how cyber threat information can be shared via services and message exchanges. It is designed specifically to support STIX information, which is a standardized language for expressing and exchanging cyber threat information. TAXII enables organizations to share STIX information by defining an API that aligns with common sharing models, such as hub and spoke, source/subscriber, and peer-to-peer. TAXII also defines four services that allow users to discover, manage, receive, and request STIX information. Therefore, TAXII supports STIX information and determines how threat intelligence information is relayed. TAXII does not determine the “what” of threat intelligence, as that is the role of STIX. TAXII does not allow users to describe threat motivations and abilities, as that is also part of STIX. TAXII does not exchange trusted anomaly intelligence information, as that is a specific type of threat intelligence that may or may not be represented in STIX. References:

• What are STIX/TAXII Standards I Resources I Anomali
• Cyber Threat Intelligence Technical Committee - GitHub Pages

DNS-layer security is a method of protecting users from cyberthreats by blocking malicious or risky domains before a connection is established. Cisco Umbrella is a cloud-based service that provides DNS-layer security by using Cisco Talos threat intelligence to filter DNS requests and prevent access to malicious domains. Cisco Umbrella also offers other security features, such as web filtering, cloud-delivered firewall, secure web gateway, and cloud access security broker. Cisco Umbrella can protect users on and off the corporate network, regardless of their location or device. Cisco Umbrella is compatible with other Cisco security solutions, such as Cisco ISE, Cisco FTD, and Cisco ASA, but it is the only one that offers DNS-layer security as a core capability. References:

• What Is DNS Security? How Does It Work? - Cisco Umbrella
• Why Umbrella DNS Security? - Cisco Umbrella

Posture assessment is a feature of Cisco ISE that allows you to check the compliance of endpoints with corporate security policies before allowing them to access the network1. Posture assessment can detect missing patches on endpoints and help with remediation by applying the appropriate posture policy and requirement2. Posture assessment can also check for the presence and status of security software, such as antivirus, antispyware, firewall, and so on3. Posture assessment is one of the core security technologies covered in the Implementing and Operating Cisco Security Core Technologies (SCOR) course4, which prepares you for the Cisco CCNP Security and CCIE Security certifications and for senior-level security roles. References: 1: Posture Service 2: Configure Posture Policies 3: Posture Conditions 4: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

https://www.cisco.com/c/en/us/t d/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/access_control_using_intrusion_and_file_policies.html#:~:text=File%20Policies-,Access%20Control%20Traffic%20Handling%20with%20Intrusion%20and%20File%20Policies,-The%20following%20diagram

the first three access control rules in the policy—Monitor, Trust, and Block—cannot inspect matching traffic. Monitor rules track and log but do not inspect network traffic, so the system continues to match traffic against additional rules to determine whether to permit or deny it

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/access_control_rules.html#:~:text=Rule%20Blocking%20Actions-,Access%20Control%20Rule%20Allow%20Action,network%20discovery%20policy%3B%20additionally%2C%20application%20discovery%20is%20limited%20for%20encrypted%20sessions.,-Related%20Concepts

Trusted Automated Exchange of Indicator Information (TAXII) is a standard that defines how to exchange cyber threat intelligence (CTI) over HTTPS. CTI includes indicators of compromise (IOCs), such as malware hashes, IP addresses, URLs, and domains, that can be used to detect and respond to cyberattacks. TAXII enables the sharing of CTI in a secure, automated, and interoperable way among different organizations and tools. Structured Threat Information Expression (STIX) is a standard that defines how to represent and structure CTI in a common language. STIX and TAXII are often used together to facilitate the exchange of CTI. Advanced Persistent Threat (APT) is not a standard, but a term used to describe a sophisticated and stealthy cyberattack that persists over a long period of time, often targeting specific organizations or sectors. Open Command and Control (OpenC2) is a standard that defines how to communicate and execute cyber defense actions across different technologies and domains. OpenC2 enables the orchestration and automation of cyber defense actions, such as blocking, isolating, or redirecting malicious traffic or devices. References :=

Some possible references are:

• [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 4: Content Security, Lesson 4.3: Cisco Umbrella, Topic 4.3.1: Cisco Umbrella Investigate
• 350-701 SCOR - Cisco, Exam Topics, 4.0 Content Security, 4.3 Describe the components, capabilities, and benefits of Cisco Umbrella, 4.3.a Investigate
• TAXII - OASIS Cyber Threat Intelligence Technical Committee, Overview, Introduction
• STIX - OASIS Cyber Threat Intelligence Technical Committee, Overview, Introduction
• OpenC2 - OASIS Open Command and Control Technical Committee, Overview, Introduction
• What is an Advanced Persistent Threat (APT)? | Fortinet, Definition, What is an APT?

 SaaS stands for Software as a Service, which is a cloud service offering that allows customers to access a web application that is being hosted, managed, and maintained by a cloud service provider. SaaS applications are typically accessed through a web browser or a mobile app, and the customers do not need to install, update, or maintain any software or hardware on their own. SaaS applications can provide various benefits, such as lower upfront costs, faster deployment, scalability, and automatic updates. Some examples of SaaS applications are Gmail, Salesforce, Zoom, and Netflix123.

IaC stands for Infrastructure as Code, which is a method of provisioning and managing cloud resources using code or scripts, rather than manual processes or graphical user interfaces. IaC can help automate and standardize the deployment and configuration of cloud infrastructure, as well as improve consistency, reliability, and security. IaC is not a cloud service offering, but rather a technique or practice that can be used with different cloud service models, such as IaaS or PaaS45.

IaaS stands for Infrastructure as a Service, which is a cloud service offering that provides customers with access to virtualized computing resources, such as servers, storage, networks, and operating systems. IaaS customers can rent or lease these resources from a cloud service provider, and have full control over their configuration and management. IaaS customers are responsible for installing, updating, and maintaining their own applications and middleware on top of the cloud infrastructure. IaaS can provide various benefits, such as flexibility, scalability, cost-effectiveness, and security. Some examples of IaaS providers are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform .

PaaS stands for Platform as a Service, which is a cloud service offering that provides customers with access to a cloud-based platform that includes the infrastructure, operating system, middleware, and development tools needed to build, deploy, and run applications. PaaS customers can focus on developing and running their own applications, without worrying about the underlying cloud infrastructure or software. PaaS can provide various benefits, such as faster development, scalability, compatibility, and security. Some examples of PaaS providers are Heroku, AWS Elastic Beanstalk, and Google App Engine .

References := 1: IaaS vs. PaaS vs. SaaS | IBM 2: What is SaaS? Software as a service explained | InfoWorld 3: SaaS - Software as a Service | Oracle 4: What is Infrastructure as Code (IaC)? | Red Hat 5: Infrastructure as Code (IaC) | AWS : What is IaaS? Infrastructure as a service explained | InfoWorld : IaaS - Infrastructure as a Service | Oracle : Cloud Computing Services | Google Cloud : What is PaaS? Platform as a service explained | InfoWorld : PaaS - Platform as a Service | Oracle : Cloud Services - Deploy Cloud Apps & APIs | Microsoft Azure

A next-generation endpoint security solution is a modern approach of combining user and system behavior analytics with AI and machine learning to provide endpoint security12. These solutions are specifically designed to detect unknown malware and zero-day threats, which other non-next-generation solutions might fail to detect3. Two key deliverables that help justify the implementation of a next-generation endpoint security solution are:

• Continuous monitoring of all files that are located on connected endpoints. This feature allows the solution to scan and analyze all files on the endpoints, regardless of their origin or type, and identify any malicious or suspicious behavior. This helps to prevent malware from infecting the endpoints or spreading to other devices on the network4.
• Real-time feeds from global threat intelligence centers. This feature enables the solution to leverage the latest information and insights from various sources, such as security researchers, vendors, and customers, to detect and block new and emerging threats. This helps to keep the endpoints updated and protected from the most advanced and sophisticated attacks5.

References := 1: Overview of next-generation protection in Microsoft Defender for Endpoint 2: What Is Next-Generation Endpoint Security? 2024 Ultimate Guide - SelectHub 3: [Next

Network telemetry is the collection, measurement, and analysis of data related to the behavior and performance of a network1. It involves gathering information about routers, switches, servers, and applications to gain insights into how they function and how data moves through them. To correlate different sources of network telemetry data, it is important to enable Network Time Protocol (NTP) across all network infrastructure devices. NTP is a protocol that synchronizes the clocks of network devices to a common reference time source2. This ensures that the network telemetry data has consistent timestamps and can be compared and correlated accurately. NTP also helps with troubleshooting network issues, as it allows network administrators to pinpoint the exact time of events and anomalies. NTP is a core security technology that is covered in the Implementing and Operating Cisco Security Core Technologies (SCOR) course3, which helps you prepare for the Cisco CCNP Security and CCIE Security certifications and for senior-level security roles. References: 1: Network Telemetry Explained: Frameworks, Applications & Standards - Splunk 2: [Network Time Protocol (NTP) - Cisco] 3: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

ExplanationApplication Visibility and control (AVC) supports NetFlow to export application usage and performancestatistics. This data can be used for analytics, billing, and security policies.

CoA stands for Change of Authorization, which is a feature that allows a RADIUS server to adjust an active client session after it is authenticated. For example, CoA can be used to reauthenticate a client, terminate a client session, or change the VLAN or group policy of a client. CoA is supported by several RADIUS vendors, including Cisco ISE. CoA is defined in RFC 5176 and uses a pushed model, where the request originates from the RADIUS server and is sent to the network device that acts as a listener. CoA requests can have two possible response codes: CoA-ACK (acknowledgment) or CoA-NAK (non-acknowledgment). References :=

Some possible references are:

• RADIUS Change of Authorization
• Change of Authorization with RADIUS (CoA) on MR Access Points
• Change of Authorization with RADIUS (CoA) on MS Switches
• Technical Tip: Radius COA behavior

To block all subdomains of domain.com, the administrator should configure the domain.com address in the block list. This is because Umbrella automatically applies a left side and right side wildcard to every domain in a block or allow destination list. Therefore, adding domain.com to a block list will result in requests to domain.com or its subdomains, such as www.domain.com, being blocked. Adding a wildcard character (*) is not supported and will not work. Adding the *.com address in the block list will block all domains that end with .com, which is not the desired outcome.  References:

• Understanding Destination lists supported entries and error messages
• Wildcards and Destination Lists

the file to Cisco Threat Grid for dynamic analysis. Cisco Threat Grid is a cloud-based service that provides malware analysis and threat intelligence. It can analyze suspicious files and URLs, and provide detailed reports on the behavior, indicators, and severity of the threat1. By sending the file to Cisco Threat Grid, the custom file policy can leverage the dynamic analysis results to detect the file as an indicator of compromise, and prevent other endpoints from executing the infected file. The other options are not correct because they do not address the root cause of the problem, which is the lack of detection by the custom file policy. Creating an IP block list, blocking the application, or uploading the hash for the file may help to mitigate the attack, but they do not ensure that the custom file policy is functioning as it should. References:

• 2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 - Module 5: Endpoint Protection and Detection
• 3: Cisco AMP for Endpoints User Guide - Custom Detection Lists
• 4: Cisco AMP for Endpoints User Guide - File Analysis and Cisco Threat Grid
• 1: Cisco Threat Grid - Overview

Transparent traffic redirection using WCCP is a deployment mode for the Cisco WSA that allows it to intercept and proxy web requests from client applications without requiring any configuration on the clients. This mode increases the visibility and control of web traffic, while making the proxy function invisible to the users. To support this mode, the Cisco WSA must be configured to use the transparent proxy mode, which enables it to listen on ports 80 and 443 for HTTP and HTTPS traffic, respectively. The Cisco WSA must also be configured to use WCCP service IDs, which are numerical identifiers that specify the type and range of ports to be redirected. For example, service ID 0 (web-cache) redirects port 80, service ID 70 (https-cache) redirects port 443, and service ID 60 (ftp-native) redirects port 21 and a range of passive FTP ports. The Cisco WSA must also be configured to join a WCCP group, which is a set of WCCP routers or switches that cooperate to redirect traffic to the WSA. The WCCP group can be specified by a group list, which is an access list that defines the IP addresses of the WCCP routers or switches, or by a password, which is a shared secret that authenticates the WCCP communication. The WCCP group must also be configured on the network device that performs the traffic redirection, such as a Cisco router, switch, or ASA firewall. The network device must support WCCPv2, which is the latest version of the protocol that allows for advanced features such as load balancing, encryption, and GRE encapsulation. The network device must also be configured to use the same WCCP service IDs and group list or password as the Cisco WSA. The network device must also be configured to apply the WCCP redirection to the appropriate interface and direction, such as the inside interface and inbound direction for traffic originating from the internal network. The network device must also be configured to use an access list that defines the traffic to be redirected or bypassed, such as the source and destination IP addresses, ports, and protocols. The access list can also be used to exclude certain traffic from WCCP redirection, such as traffic to private or internal destinations, or traffic from specific hosts123 References := 1: Configure Transparent Redirection With WCCP in Order to Redirect Native FTP Traffic - Cisco 2: Solved: Transparent Redirection - Cisco Community 3: Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP - Cisco Community

AAA stands for Authentication, Authorization, and Accounting. It is a framework that provides security to network resources by controlling who can access them (authentication), what they can do (authorization), and what actions they perform (accounting). AAA can be implemented by using the local database of the device or by using an external server such as Cisco ISE (Identity Services Engine).

The question asks which configuration item makes it possible to have the AAA session on the network. A session is a logical connection between a user and a network device. A session can be initiated by various methods, such as console, telnet, SSH, PPP, etc. Each session can have different AAA policies applied to it, depending on the method list configured for that session.

A method list is a set of rules that define the authentication, authorization, and accounting methods to be used for a particular session. A method list can be named or default. A named method list is applied to a specific session by using the login, authorization, or accounting keyword followed by the name of the method list. A default method list is applied to all sessions that do not have a named method list configured.

The configuration item that makes it possible to have the AAA session on the network is the aaa authorization network default group ise command. This command configures a default method list for network authorization, which is the process of determining the network services and attributes that a user is allowed to access after authentication. The command specifies that the network authorization method is group, which means that the device will use an external server (such as Cisco ISE) to obtain the authorization information for the user. The command also specifies that the name of the server group is ise, which means that the device will use the server group defined by the aaa group server radius ise command.

The other options are incorrect because they do not configure a default method list for network authorization. Option A configures a named method list for login authentication, which is the process of verifying the identity of the user. Option B configures a default method list for enable authentication, which is the process of verifying the identity of the user who wants to enter the privileged EXEC mode. Option D configures a default method list for exec authorization, which is the process of determining the commands and features that a user can access in the EXEC mode. References:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1: Describing Information Security Concepts
• Configure Basic AAA on an Access Server, General AAA Configuration, Authentication Configuration, Authorization Configuration
• AAA (Authentication, Authorization and Accounting) - GeeksforGeeks, AAA implementation, ACS server

The configuration that is needed to accomplish the goal of adding protection for data in transit and having headers in the email message is to deploy an encryption appliance. An encryption appliance is a device that encrypts and decrypts email messages using various encryption standards, such as S/MIME, PGP, or Cisco Registered Envelope Service (CRES). An encryption appliance can also add headers to the email message to indicate the encryption status, the encryption key, or the encryption policy. An encryption appliance can be integrated with an email appliance, such as Cisco Email Security Appliance (ESA), to provide end-to-end email security and encryption.

The other options are incorrect because:

• Provisioning the email appliance is not enough to add protection for data in transit and have headers in the email message. An email appliance can provide various email security features, such as spam filtering, virus scanning, content filtering, or data loss prevention, but it does not encrypt or decrypt email messages by itself. An email appliance needs to work with an encryption appliance to provide email encryption and decryption.
• Mapping sender IP addresses to a host interface is not related to adding protection for data in transit and having headers in the email message. This is a configuration option for an email appliance that allows it to accept email messages from specific IP addresses or ranges and assign them to a specific host interface. This can be useful for load balancing, traffic management, or policy enforcement, but it does not affect email encryption or decryption.
• Enabling flagged message handling is not relevant to adding protection for data in transit and having headers in the email message. This is a configuration option for an email appliance that allows it to handle email messages that have a specific flag or tag in the subject line or the body. This can be useful for testing, troubleshooting, or applying special policies, but it does not affect email encryption or decryption.

References:

• Cisco Email Encryption
• Cisco Email Encryption Appliance
• Cisco Email Security Appliance Configuration Guide

 TACACS+ is a protocol that provides authentication, authorization, and accounting (AAA) services for network devices. Unlike RADIUS, which only supports authorization at the user level, TACACS+ supports authorization at the command level. This means that TACACS+ can verify the permissions of the network administrator for every command that is entered, and allow or deny access accordingly. This provides more granular and secure control over network resources and operations. EAPOL, SSH, and RADIUS are not protocols that can provide command-level authorization for AAA. References :=

Some possible references are:

• Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1.2: Network Security Devices and Cloud Services, Topic 1.2.3: AAA
• 350-701 SCOR - Cisco, Exam Topics, 1.0 Security Concepts, 1.2 Compare network security solutions, 1.2.a AAA
• What Is AAA Security? | Fortinet, Authentication, Authorization, and Accounting (AAA)

The login block-for command sets a limit on the maximum number of failed login attempts allowed within a defined period of time. If this limit is exceeded, no further logins are allowed for the specified period of time. This feature is designed to protect the router from denial-of-service and dictionary attacks. The syntax of the command is as follows:

login block-for attempts within

The  parameter specifies the duration of the quiet period in seconds. The  parameter specifies the number of failed attempts that trigger the quiet period. The  parameter specifies the time window in seconds for counting the failed attempts.

In this question, the command login block-for 100 attempts 4 within 60 means that if four failures occur in 60 seconds, the router goes to quiet mode for 100 seconds. During the quiet period, no login attempts are accepted, and the router responds with the message “Login disabled for seconds due to too many failed login attempts.” After the quiet period expires, the router resumes normal login operations.

The other options are incorrect because they do not match the command syntax or the expected behavior of the login block-for feature.

References :=

Some possible references for this question are:

• User Security Configuration Guide - Cisco IOS Login Enhancements-Login Block
• Configuring Login Block
• Restrict login attempts : login block-for command
• When applied to a router, which command would help mitigate brute-force password attacks against the router?

The threat intelligence standard that contains malware hashes is trusted automated exchange of indicator information (TAXII). TAXII is a protocol that enables the exchange of cyber threat information in a standardized and automated manner. It supports various types of threat intelligence, such as indicators of compromise (IOCs), observables, incidents, tactics, techniques, and procedures (TTPs), and campaigns. Malware hashes are one example of IOCs that can be shared using TAXII. Malware hashes are cryptographic signatures that uniquely identify malicious files or programs. They can be used to detect and block malware infections on endpoints or networks. TAXII uses STIX (structured threat information expression) as the data format for representing threat intelligence. STIX is a language that defines a common vocabulary and structure for describing cyber threat information. STIX allows threat intelligence producers and consumers to share information in a consistent and interoperable way. STIX defines various objects and properties that can be used to represent different aspects of cyber threat information, such as indicators, observables, incidents, TTPs, campaigns, threat actors, courses of action, and relationships. Malware hashes can be expressed as observables in STIX, which are concrete items or events that are observable in the operational domain. Observables can have various types, such as file, process, registry key, URL, IP address, domain name, etc. Each observable type has a set of attributes that describe its properties. For example, a file observable can have attributes such as name, size, type, hashes, magic number, etc. A hash attribute can have a type (such as MD5, SHA1, SHA256, etc.) and a value (such as the hexadecimal representation of the hash). A file observable can have one or more hash attributes to represent different hashing algorithms applied to the same file. For example, a file observable can have both MD5 and SHA256 hashes to increase the confidence and accuracy of identifying the file.

The other options are incorrect because they are not threat intelligence standards that contain malware hashes. Option A is incorrect because advanced persistent threat (APT) is not a standard, but a term that describes a stealthy and sophisticated cyberattack that aims to compromise and maintain access to a target network or system over a long period of time. Option B is incorrect because open command and control (OpenC2) is not a standard that contains malware hashes, but a language that enables the command and control of cyber defense components, such as sensors, actuators, and orchestrators. Option C is incorrect because structured threat information expression (STIX) is not a standard that contains malware hashes, but a data format that represents threat intelligence. STIX uses TAXII as the transport protocol for exchanging threat intelligence, including malware hashes. References:

• TAXII
• STIX
• Malware Hashes

 Cisco Umbrella evaluates policies from the top down and looks for a matching identity and destination. Once a match is found, Umbrella applies that policy’s settings to the identity and destination and stops evaluating all other DNS policies. Therefore, to ensure that the policy that the identity must use takes precedence over the second one, the engineer should make the correct policy first in the policy order. This way, Umbrella will match the identity to the correct policy before checking the second policy. The other options are not correct because they do not guarantee that the identity will use the correct policy. Configuring the default policy to redirect the requests to the correct policy will not work if the identity matches another policy before the default one. Placing the policy with the most-specific configuration last in the policy order will not work if the identity matches a less-specific policy before the last one. Configuring only the policy with the most recently changed timestamp will not work if the identity matches an older policy before the newer one. References :=

Some possible references are:

• Policy Precedence - Umbrella User Guide1
• Manage Policies - Umbrella User Guide2
• Umbrella Policy order - Cisco Community3

 Cisco Advanced Phishing Protection (AAP) is a solution that adds sophisticated machine learning capabilities to Cisco Email Security to block advanced identity deception attacks for inbound email by assessing its threat posture1. It also uses both global and local telemetry data combined with analytics and modeling to validate the reputation and authenticity of senders2. AAP provides sender authentication and BEC detection capabilities, and uses advanced machine learning techniques, real-time behavior analytics, relationship modeling and telemetry to protect against identity deception–based threats3.

In two ways, the Cisco Advanced Phishing Protection solution protects users:

• It prevents use of compromised accounts and social engineering. AAP detects and blocks phishing emails that attempt to impersonate legitimate senders, such as executives, partners, or customers, and trick users into revealing sensitive information or transferring funds. AAP analyzes the sender’s identity, behavior, and relationship with the recipient, and assigns a risk score to the email. If the email is deemed suspicious or malicious, AAP can quarantine it, flag it, or deliver it with a warning4.
• It automatically removes malicious emails from users’ inbox. AAP provides retrospective analysis and remediation capabilities, which means that it can identify and remove emails that were initially delivered but later found to be malicious. AAP leverages the Cisco Talos threat intelligence network and the Sensor-based solution to continuously monitor the threat landscape and update the email disposition accordingly. If an email is reclassified as malicious, AAP can automatically delete it from the users’ inbox, or notify the administrator or the user to take action45.

The other options are incorrect because they do not accurately describe the functions of AAP. AAP does not prevent all zero-day attacks coming from the Internet, as it focuses on phishing and identity deception attacks. AAP does not prevent trojan horse malware using sensors, as sensors are used to collect and analyze email data, not to block malware. AAP does not secure all passwords that are shared in video conferences, as it is not related to video conferencing security. Therefore, the correct answer is A and C. References:

• Cisco’s Security Innovations to Protect the Endpoint and Email
• Cisco Advanced Phishing Protection - Cisco Video Portal
• Cisco Advanced Phishing Protection At A Glance - AVANTEC
• User Guide for Cisco Advanced Phishing Protection
• Cisco Secure Email Threat Defense - Cisco
• Integrating the Email Gateway with Cisco Advanced Phishing Protection

Joining Cisco WSAs to an appliance group simplifies the task of patching multiple appliances. An appliance group is a collection of WSAs that share the same configuration settings and software versions. Administrators can use appliance groups to apply configuration changes and software updates to multiple WSAs at once, instead of performing these tasks individually for each appliance12. This reduces the administrative overhead and ensures consistency across the WSAs. References:

• Appliance groups, section “Appliance Groups”.
• What is the purpose of joining Cisco WSAs to an appliance group?

ESA stands for Email Security Appliance, which is a Cisco product that provides comprehensive email security solutions. ESA can be deployed in different modes, such as gateway, hybrid, or cloud, depending on the customer’s needs and preferences. One of the key components of ESA configuration is the listener, which is a service that listens for incoming SMTP connections on a specific port and interface. A listener can be configured to handle inbound or outbound email, or both, depending on the mail flow policies and sender groups that are applied to it.

One way to segregate inbound and outbound email on ESA is to use a pair of logical listeners on a single physical interface with two unique logical IPv4 addresses and one IPv6 address. This method allows the ESA to have two separate listeners for inbound and outbound email, each with its own IP address and mail flow policies, while using the same physical interface and port. This can simplify the network configuration and reduce the hardware requirements for ESA deployment. The IPv6 address can be used to support dual-stack IPv4 and IPv6 environments, or to provide redundancy in case of IPv4 address exhaustion.

The other options are incorrect because:

• A is false, as one listener on a single physical interface cannot segregate inbound and outbound email, unless it uses different sender groups and mail flow policies for different hosts, which is not a recommended practice.
• C is false, as pair of logical IPv4 listeners and a pair of IPv6 listeners on two physically separate interfaces is an unnecessary and complex configuration that does not provide any additional benefits over option B.
• D is false, as one listener on one logical IPv4 address on a single logical interface cannot segregate inbound and outbound email, unless it uses different sender groups and mail flow policies for different hosts, which is not a recommended practice.

References:

• ESA Outbound Traffic Relay Configuration Example
• How do I configure a relay host on the ESA for outbound mail?
• [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0] - Module 5: Securing Email with Cisco Email Security Appliance, Lesson 5.1: Describing the Cisco Email Security Solution

 To prevent rogue NTP servers from inserting themselves as the authoritative time source, the administrator needs to configure NTP authentication and specify the interface for syncing to the NTP server. NTP authentication allows the ASA to verify the identity and integrity of the NTP packets received from the server, using a shared secret key. Specifying the interface for syncing to the NTP server ensures that the ASA uses the correct source address for sending and receiving NTP packets, and avoids potential routing issues. The other options are not required or relevant for this task. Specifying the NTP version is optional and does not affect security. Configuring the NTP stratum is only applicable for NTP servers, not clients. The ASA can only act as an NTP client, not a server. Setting the NTP DNS hostname is not recommended, as it introduces a dependency on DNS resolution and may cause synchronization problems if the DNS server changes the IP address of the NTP server. References :=

Some possible references are:

• Configure NTP Authentication on Secure Network Analytics
• CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6 - Basic Settings
• Cisco ASA NTP and Clock Configuration with Examples

The IP and Domain Reputation Center is a service provided by Talos, Cisco’s Security Intelligence and Research Group, that tracks the reputation of IP addresses and domains for email and web traffic. The IP and Domain Reputation Center collects and analyzes data from millions of deployed web, email, firewall and IPS appliances, as well as open-source data sets, endpoint intelligence, and network intrusions. The IP and Domain Reputation Center transforms this data into actionable threat intelligence and tools to improve security posture. The IP and Domain Reputation Center allows users to look up websites, URLs and IP addresses and the information Talos has about them, such as their reputation score, category, volume, and threat level. The IP and Domain Reputation Center also provides threat data overviews, such as the top email and spam senders by country, and the standard categories used to classify website content and attack types123. References := 1: Reputation Center - A Real Time Threat Detection Service || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence 2: IP & Domain Reputation Center - Talos Intelligence 3: Talos Reputation Center overview | Talos Support Documents

accomplish the task is to install and configure the Cisco DUO Authentication Proxy and configure the identity source sequence within Cisco ISE. This will allow the engineer to integrate Cisco ISE with Cisco DUO for TACACS+ device administration using Active Directory as the primary authentication source and Cisco DUO as the secondary authentication source for multi-factor authentication (MFA). The steps to configure this solution are as follows12:

• Install and configure the Cisco DUO Authentication Proxy on a Windows or Linux machine. The proxy will act as a RADIUS server that communicates with Cisco ISE and a RADIUS client that communicates with Cisco DUO cloud. The proxy will also connect to Active Directory for the primary authentication of the users.
• Configure the proxy by editing the authproxy.cfg file. The file should include the following sections:
• Restart the proxy service after saving the authproxy.cfg file.
• Configure Cisco ISE as a TACACS+ server and add the proxy as an external RADIUS server. The steps are as follows:
• Configure the network devices to use TACACS+ for device administration and specify Cisco ISE as the TACACS+ server and the proxy as the RADIUS server. The configuration commands may vary depending on the device type and model, but the general syntax is as follows:
• aaa new-model
• aaa authentication login default group tacacs+ local
• aaa authorization exec default group tacacs+ local
• aaa accounting exec default start-stop group tacacs+
• tacacs server ISE
• address ipv4
• key
• radius server DUO
• address ipv4 auth-port
• key
• Test the solution by logging into the network devices using Active Directory credentials. The user should receive a Cisco DUO prompt for the second factor authentication, such as a push notification, a phone call, or a passcode. After approving the second factor authentication, the user should be granted access to the device with the appropriate privileges based on the TACACS profile and the Active Directory attributes.

References := 1: Duo MFA Integration with ISE for TACACS+ Device Administration with Microsoft Active Directory Users - Cisco Community 2: Protecting Access to Network devices with ISE TACACS+ and DUO MFA - Cisco Community

A simple custom detection list is a feature of AMP for Endpoints that allows you to specify a list of file hashes (MD5, SHA-1, or SHA-256) that you want to detect, block, and quarantine on your endpoints. You can create a simple custom detection list from the Outbreak Control section of the AMP for Endpoints console, and apply it to a policy that is assigned to your endpoints. When the AMP connector on the endpoint encounters a file that matches the hash in the list, it will perform the action that you specified, such as blocking the file execution, sending an alert, or quarantining the file. A simple custom detection list is useful when you want to quickly and easily block specific files that are known to be malicious or unwanted, without having to create a complex signature or rule12 References := 1: Configure a Simple Custom Detection List on the AMP for Endpoints Portal 2: Create an Advanced Custom Detection List in Cisco Secure Endpoint

https://www.cisco.com/c/dam/en_us/about/doing_business/legal/service_descriptions/docs/Cisco_Secure_Managed_Endpoint.pdf

 SNMP (Simple Network Management Protocol) is the most commonly used protocol for network telemetry. SNMP is a standard protocol that allows network devices to exchange management information1. SNMP agents run on network devices and collect data about their status, performance, configuration, and events. SNMP managers run on network management systems and query the agents for data or receive notifications from them. SNMP can also be used to configure or control network devices remotely2. SNMP is widely supported by various vendors and platforms, and it provides a simple and flexible way to monitor and manage networks3.

References: 1: What is SNMP? | Cisco 2: SNMP Basics: What is SNMP and How It Works | SolarWinds 3: Network Telemetry Explained: Frameworks, Applications & Standards | Splunk

The result of using this authentication protocol in the configuration is that the authentication and authorization requests are grouped in a single packet. This is because the configuration uses RADIUS as the AAA protocol, which combines both authentication and authorization functions in one process. RADIUS is facilitated through AAA and can be enabled only through AAA commands. The aaa new-model global configuration command enables AAA, and the radius-server host command specifies the IP address and the shared secret key of the RADIUS server. The aaa authentication command defines the method list for RADIUS authentication, and the aaa group server command defines the group name and the members of the group. The line and interface commands enable the defined method list to be used. When a user tries to access the router, the router sends a single Access-Request packet to the RADIUS server, which contains the user credentials and other attributes. The RADIUS server then verifies the credentials and returns either an Access-Accept packet, which grants access and may include authorization information, or an Access-Reject packet, which denies access. Therefore, the correct answer is D. References:

• Security Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst …
• Configuring Basic AAA on an Access Server - Cisco
• AAA Server Priority explained with New Radius Server Command Line
• Configuring AAA on Cisco Devices – RADIUS and TACACS+ - Study-CCNA

IKEv1 has two modes of operation: main mode and aggressive mode. Main mode uses six messages to establish the IKE SA, while aggressive mode uses only three messages. Therefore, aggressive mode is faster than main mode, but less secure, as it exposes the identities of the peers in cleartext. This makes it vulnerable to man-in-the-middle attacks. IKEv2 does not have these modes, but uses a single four-message exchange to establish the IKE SA. IKEv2 also encrypts the identities of the peers, making it more secure than IKEv1 aggressive mode.

IKEv1 uses EAP authentication only for remote access VPNs, not for site-to-site VPNs. IKEv2 supports EAP authentication for both types of VPNs. EAP authentication allows the use of various authentication methods, such as certificates, tokens, or passwords.

IKEv1 conversations are initiated by the ISAKMP header, which contains the security parameters and the message type. IKEv2 conversations are initiated by the IKE_SA_INIT message, which contains the security parameters, the message type, and the message ID. The message ID is used to identify and order the messages in the IKEv2 exchange.

NAT-T is supported by both IKEv1 and IKEv2. NAT-T stands for Network Address Translation-Traversal, and it is a mechanism that allows IKE and IPsec traffic to pass through a NAT device. NAT-T detects the presence of NAT and encapsulates the IKE and IPsec packets in UDP headers, so that they can be translated by the NAT device. References:

• IKEv1 vs IKEv2 – What is the Difference?
• Comparison between IKEv1 and IKEv2
• IKEv2 vs IKEv1: What are the differences?

Dual-SSID BYOD is the term for when an endpoint is associated to a provisioning WLAN that is shared with guest access, and the same guest portal is used as the BYOD portal. This flow is a unique capability of ISE where the user does not have to log in twice, as ISE can take the user information from the 802.1X session and direct the user to the BYOD flow. Once the endpoint is onboarded, it is reconnected to the secured WLAN for full network access. This flow is different from single-SSID BYOD, where the endpoint associates to a secure WLAN, gets onboarded, and then reconnects to the same WLAN12. References: 1: ISE BYOD: Dual vs. Single SSID Onboarding - Cisco Community 2: Cisco ISE BYOD Prescriptive Deployment Guide - Cisco Community

create an application control blocked applications list. This option allows you to specify a list of files that you want to prevent from running on the endpoints that have the AMP connector installed. The files are identified by their SHA-256 hashes, and you can upload them individually or in a batch. The files are not quarantined, but they are blocked from execution and reported as events in the AMP console1. This option is different from the simple custom detection list, which is used to detect and quarantine specific files that are considered malicious2. The advanced custom detection list is also used to detect and quarantine files, but it allows you to specify more criteria such as file size, file name, and file path3. The IP block and allow lists are used to control the network traffic to and from the endpoints, not the file execution4. References: 1: Configure Application Control on the AMP for Endpoints Portal 2: Configure a Simple Custom Detection List on the AMP for Endpoints Portal 3: [Configure an Advanced Custom Detection List on the AMP for Endpoints Portal] 4: [Configure IP Block and Allow Lists on the AMP for Endpoints Portal]

One of the benefits of a Cisco Secure Email Gateway Virtual appliance compared to a physical one is the ability to allocate additional resources as needed. Virtual appliances can be easily scaled up by allocating more CPU, memory, or storage resources, providing flexibility and scalability in response to changing demands or growth.

Data is sent out to the attacker during a DNS tunneling attack as part of the domain name. DNS tunneling is a technique that encodes the data of other protocols or programs in DNS queries and responses. The attacker registers a domain, such as badsite.com, and points it to a server under their control, where a tunneling program is installed. The attacker infects a device with malware, which sends DNS queries to the attacker’s server, using subdomains of badsite.com to encode the data. For example, the malware could send a query for 1234.badsite.com, where 1234 is the encoded data. The attacker’s server decodes the data from the subdomain and sends back a DNS response, which may also contain encoded data in the answer section12. The other options are not correct, because they do not use the domain name to encode the data. The UDP/53 and TCP/53 packet payload and header are used to transport the DNS query and response, but they are not modified by the tunneling technique. The DNS response packet contains the answer to the query, but it is not the only way to send data to the attacker3. References:

• 1: DNS Tunneling attack - What is it, and how to protect ourselves?
• 2: What Is DNS Tunneling? - Palo Alto Networks
• 3: What Are DNS Attacks? - Palo Alto Networks

 Cisco NBAR2 is a classification engine that recognizes and classifies a wide variety of protocols and applications based on their deep packet inspection (DPI) signatures. NBAR2 enables the platform to identify and output various applications within the network traffic flows, such as web, email, voice, video, and so on. NBAR2 also supports custom protocols and applications, allowing the platform to classify traffic based on user-defined criteria. NBAR2 helps the platform to apply the appropriate quality of service (QoS), security, and policy for each application or protocol. References :=

Some possible references are:

• Cisco NBAR2
• Classifying Network Traffic Using NBAR
• Next Generation NBAR (NBAR2)

Southbound APIs are used to communicate between the SDN Controller and the switches and routers of the network. They can be open-source or proprietary. They facilitate control over the network and enable the SDN Controller to dynamically make changes according to real-time demands and needs. OpenFlow and OpFlex are two examples of southbound APIs. OpenFlow, which was developed by the Open Networking Foundation (ONF), is the first and probably most well-known southbound interface. OpenFlow defines the way the SDN Controller should interact with the forwarding plane to make adjustments to the network, so it can better adapt to changing business requirements. With OpenFlow, entries can be added and removed to the internal flow-table of switches and routers to make the network more responsive to real-time traffic demands. OpFlex, which was proposed by Cisco, is another southbound interface that uses a declarative model to communicate policies and state between the controller and the network devices. OpFlex allows the network devices to retain some intelligence and autonomy, while still being managed by the controller. OpFlex is designed to be flexible and extensible, and can support different types of network devices and services. Services running over the network, external application APIs, and applications running over the network are not southbound APIs, as they do not directly communicate between the controller and the network devices. Therefore, the correct answer is B and E. References :=

Some possible references are:

• What are SDN Southbound APIs? - Where they are used. - SDxCentral
• SDN North-bound and South-bound APIs and Interfaces
• Cisco Application Centric Infrastructure Fundamentals

The W32/AutoRun worm is a type of malware that spreads through removable drives, such as USB flash drives, and modifies the autorun.inf file to execute itself when the drive is inserted. The worm also attempts to connect to a remote server and download additional malicious files. One of the features of this worm is that it generates random domain names based on the current date and time, and sends DNS requests to these domains. This is a technique to evade detection and analysis, as well as to communicate with the command and control server. The DNS requests generated by the worm have a distinctive pattern, such as the length of the domain name, the number of subdomains, and the use of redacted characters. By comparing these features to the expected behavior of normal DNS requests, security analysts can identify the presence of the worm and block its traffic. References :=

Some possible references are:

• W32/AutoRun worm
• DNS requests malicious attack
• Four major DNS attack types and how to mitigate them

Cisco Defense Orchestrator (CDO) is a cloud-based management solution that allows you to manage security policies and device configurations with ease across multiple Cisco and cloud-native security platforms. CDO centrally manages elements of policy and configuration across Cisco ASA, Cisco Firepower, Cisco Meraki, and AWS1. CDO also provides visibility, automation, and orchestration capabilities to simplify and unify security operations2. The other options are not cloud security software that can centrally manage policies on multiple platforms. Cisco Configuration Professional is a device management tool for Cisco routers and switches. Cisco Secureworks is a security services provider that offers threat intelligence and incident response. Cisco DNAC is a network controller that automates and assures services across campus, branch, and edge networks. References :=

• Cisco Defense Orchestrator Data Sheet
• Cisco Defense Orchestrator

Application visibility and control (AVC) is a solution that leverages multiple technologies to recognize, analyze, and control over 1000 applications, including voice and video, email, file sharing, gaming, peer-to-peer (P2P), and cloud-based applications1. One of the key components of AVC is application recognition, which uses stateful deep packet inspection (DPI) to identify applications within the network traffic flow, using L3 to L7 data2. DPI is a technique that examines the content of packets beyond the header information, and can classify applications based on their signatures, protocols, ports, or other attributes3. DPI enables AVC to monitor and control application performance, bandwidth usage, quality of service, and security policies4. References := 1: Cisco Application Visibility and Control (AVC) - Cisco 2: Cisco Application Visibility and Control User Guide - Technology Overview 3: What is application visibility and control? | Juniper Networks US 4: Application visibility and control - Secure Internet Access Enterprise

 To add switches into the fabric, administrators can use PowerOn Auto Provisioning (POAP) or Seed IP methods. POAP is a feature that automates the process of upgrading software images and installing configuration files on Cisco switches that are being deployed in the network for the first time. Seed IP is a method that allows administrators to specify the IP address of a switch that is already part of the fabric, and then use it to discover and add other switches that are connected to it. Both methods enable administrators to control how switches are added into DCNM for private cloud management. References:

• POAP, section “PowerOn Auto Provisioning (POAP)”.
• Seed IP, section “Add Switches”.

https://www.cisco.com/c/en /us/td/docs/security/ise/1-4-1/admin_guide/b_ise_admin_guide_141/b_ise_admin_guide_141_chapter_01110.html

ExplanationFlexVPN supports IKEv2 -> Answer A is not correct.DMVPN supports both IKEv1 & IKEv2 -> Answer B is not correct.FlexVPN support multiple SAs -> Answer D is not correct.

Cisco Umbrella Investigate provides a comprehensive view of Internet domains, IP addresses, and autonomous systems, offering a wealth of information about the infrastructure of the internet. It helps security analysts and threat investigators to pinpoint current and emerging threats by providing access to data from Cisco's global network, thereby enabling the identification of attackers and malicious infrastructures.

 Cisco AMP for Endpoints provides next-generation protection by leveraging an endpoint protection platform (EPP) and endpoint detection and response (EDR) capabilities. EPP is a set of multifaceted prevention techniques that stop threats from compromising endpoints, such as behavioral analytics, machine learning, and signature-based methods. EDR is a set of powerful features that reduce the attack surface and remediate faster, such as advanced threat hunting, endpoint isolation, and dynamic malware analysis. Cisco AMP for Endpoints also integrates with SecureX, a built-in platform that offers extended detection and response (XDR) capabilities across multiple control points, such as network, cloud, email, and web. By combining EPP, EDR, and XDR, Cisco AMP for Endpoints delivers a comprehensive and resilient endpoint security solution that can detect, respond, and recover from sophisticated attacks. References:

• Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco
• Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco
• Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco

Before identifying the URL during HTTPS inspection in Cisco Secure Firewall Threat Defense software, the default action is to "pass." This means that the traffic is allowed through without inspection until the URL can be identified, at which point appropriate security policies can be applied based on the URL categorization and reputation.

 The API key is used for HTTP authentication when working with APIs, including https://api.amp.cisco.com/v1/computers. It ensures that the user or system making the API request is authenticated and authorized to access the resources requested. The image you sent shows a Python code snippet that imports the requests module, assigns a client ID and an API key to variables, and uses them to make an API call. The API key is passed as a header parameter in the requests.get() function, which is a common way of implementing HTTP authentication. The other options are not correct because they do not describe the role of the API key. The client ID is a different parameter that identifies the user or system making the request, but it does not authenticate them. HTTP authorization is a process of granting or denying access to resources based on the user’s identity and permissions, but it is not the same as authentication. Importing requests is a Python statement that loads the requests module, which is a library for making HTTP requests, but it has nothing to do with the API key.  References :=

Some possible references are:

• Cisco AMP for Endpoints API
• requests - HTTP for Humans
• HTTP authentication - MDN Web Docs

 IKEv1 is the authentication protocol that is reliable and supports ACK and sequence for IPsec VPN. IKEv1 is a key management protocol that is used in conjunction with IPsec to establish secure and authenticated connections between IPsec peers. IKEv1 uses UDP port 500 and consists of two phases: phase 1 and phase 2. In phase 1, the peers authenticate each other and negotiate a shared secret key that is used to encrypt the subsequent messages. In phase 2, the peers negotiate the security parameters for the IPsec tunnel, such as the encryption and authentication algorithms, the lifetime, and the mode (transport or tunnel). IKEv1 uses ACK and sequence numbers to ensure the reliability and integrity of the messages exchanged between the peers. ACK is an acknowledgment message that confirms the receipt of a previous message. Sequence number is a unique identifier that is assigned to each message to prevent replay attacks and to detect missing or out-of-order messages. IKEv1 also supports various authentication methods, such as pre-shared keys, digital certificates, and extended authentication (XAUTH). References : Internet Key Exchange for IPsec VPNs Configuration Guide, Security for VPNs with IPsec Configuration Guide, IPSec Architecture

Full Context Awareness - policy enforcement

NGIPS - threat prevention

AMP - real-time

Collective Sec Intel - Detection, blocking an remediation

 GET VPN (Group Encrypted Transport VPN) is a tunnel-less VPN technology that uses a single security association (SA) for all routers in a group. This allows GET VPN to natively support MPLS and private IP networks, without requiring any additional encapsulation or tunneling protocols. GET VPN also supports multicast traffic without GRE, which reduces overhead and improves performance. FlexVPN is a newer VPN solution that covers all VPN types, such as site-to-site, hub and spoke, and remote access. FlexVPN uses IKEv2 for all VPN types, which offers some advantages over IKEv1, such as resiliency and fewer messages. However, FlexVPN requires newer hardware and software versions to support its features. FlexVPN also relies on GRE or static and dynamic point-to-point interfaces to support MPLS and private IP networks, which adds complexity and overhead. Therefore, a benefit of using GET VPN over FlexVPN within a VPN deployment is that GET VPN natively supports MPLS and private IP networks, without requiring any additional encapsulation or tunneling protocols. References:

• Group Encrypted Transport VPN (GETVPN)
• Introduction to FlexVPN
• what is the difference between dmvpn and flexvpn

 Cisco FTD is the recommended solution for this requirement because it allows the administrator to configure URL filtering as part of the access control policy. URL filtering in FTD can block or allow traffic based on the destination URL of a web request, the generalized category of the URL, or the public reputation of the target site. FTD can also use HTTPS URL filtering to inspect encrypted web traffic and block malicious or unwanted sites. FTD supports both local URL lists and external URL filtering servers such as Cisco Talos Intelligence Group (TIG), Websense, or SmartFilter12.

Cisco ASA does not include URL filtering in the access control policy capabilities. ASA can only enable URL filtering for web traffic using external filtering servers such as Websense or SmartFilter. ASA cannot block HTTPS or FTP traffic based on URLs, nor can it use local URL lists or categories. ASA also does not block malicious URLs by default, but relies on the filtering server’s configuration34.

Therefore, option C is the correct answer, and the other options are incorrect. References :=

• FTD URL Filtering - How it works? - Cisco Community
• Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.2.3 - Access Control
• Configuring Filtering Services - Cisco
• Configuring URL Filtering - Cisco

Network telemetry is a technology that allows network devices to push data to a collector in real time, rather than waiting for the collector to pull data from them. This improves the efficiency and accuracy of data collection, and enables the monitoring of a large number of network devices. SNMP, on the other hand, is a protocol that uses a pull model, where the collector requests data from the devices periodically. This can cause delays, gaps, and overhead in data collection, and limit the scalability of network monitoring. Therefore, network telemetry has an advantage over SNMP pulls in terms of scalability. References:

• What Is Telemetry? Telemetry vs. SNMP - Huawei
• Streaming telemetry challenges SNMP in large, complex networks
• Network streaming telemetry: Monitoring in “real-time” - Paessler
• An Overview of Network Telemetry - Geek Speak - Resources - THWACK

Cisco Stealthwatch Cloud is a cloud-delivered and SaaS-based solution that provides visibility and threat detection across the AWS network. It does not require any software agents to be installed on the AWS instances, and it relies on AWS VPC flow logs to collect network traffic metadata. Cisco Stealthwatch Cloud analyzes the flow logs using machine learning and behavioral modeling to detect anomalies and threats, such as data exfiltration, lateral movement, reconnaissance, and compromised instances. Cisco Stealthwatch Cloud also provides contextual information and actionable alerts to help users respond to incidents and remediate issues.

Cisco Umbrella is a cloud-delivered and SaaS-based solution that provides DNS-layer security and web filtering for internet traffic. It does not provide visibility and threat detection for internal AWS network traffic, and it requires software agents to be installed on the endpoints or network devices to enforce policies and redirect DNS requests.

NetFlow collectors are devices or software applications that collect and analyze NetFlow records, which are generated by network devices to capture information about IP traffic flows. NetFlow collectors can provide visibility and threat detection for network traffic, but they are not cloud-delivered or SaaS-based solutions. They also require NetFlow exporters to be configured on the network devices, which may not be supported by AWS.

Cisco Cloudlock is a cloud-delivered and SaaS-based solution that provides cloud security posture management (CSPM) and cloud access security broker (CASB) capabilities for cloud applications and environments. It does not provide visibility and threat detection for AWS network traffic, and it does not rely on AWS VPC flow logs. It focuses on protecting cloud data, users, and configurations from misconfigurations, compliance violations, and malicious activities. References :=

• Cisco Stealthwatch Cloud for AWS
• Cisco Umbrella
• NetFlow
• [Cisco Cloudlock]

Cisco Tetration is a Cisco security solution that provides patch management in the cloud. Patch management is the process of identifying, acquiring, installing, and verifying patches for products and systems to correct security and functionality problems in software and firmware1. Cisco Tetration is a cloud-native platform that delivers comprehensive workload protection for multicloud data centers by enabling a zero-trust model using segmentation2. One of the features of Cisco Tetration is software vulnerability detection and patch management, which allows users to identify software vulnerabilities on workloads, prioritize patching based on risk scores, and automate patch deployment using orchestration tools3. Cisco Tetration leverages the National Vulnerability Database (NVD) and Cisco Talos Intelligence Group to provide up-to-date information on software vulnerabilities and their severity levels3. Cisco Tetration also supports patch management for both Windows and Linux operating systems, as well as third-party applications such as Apache, Java, MySQL, and Oracle4. Therefore, the correct answer is D. Cisco Tetration. References: 1: RFC 9232: Network Telemetry Framework - Internet Engineering Task Force 2: Cisco Tetration - Workload Protection - Cisco 3: Cisco Tetration Software Vulnerability Detection and Patch Management - Cisco 4: Cisco Tetration Platform Data Sheet - Cisco

Group Encrypted Transport VPN (GET VPN) is used to implement secure VPN connectivity among company branches over a private IP cloud with any-to-any scalable connectivity. GET VPN provides a way to encrypt traffic between sites without the need for point-to-point tunnels, supporting efficient, scalable, and secure communication across a broad network infrastructure.