
Implementing and Operating Cisco Security Core Technologies (350-701)
Book Update Version 1.0
This book will dive into the latest practice questions
needed before you take the Cisco Security Core Technologies
exam 350-701.

Table of Contents
Implementing and Operating Cisco Security Core Technologies (350-701)
Chapter 1: Security Concepts
Chapter 1: Answers
Chapter 2: Network Security
Chapter 2: Answers
Chapter 3: Securing the Cloud
Chapter 3: Answers
Chapter 4: Content Security
Chapter 4: Answers
Chapter 5: Endpoint Protection and Detection
Chapter 5: Answers
Chapter 6: Secure Network Access, Visibility, and Enforcement
Chapter 6: Answers

Chapter 1: Security Concepts


The objectives covered in this chapter:
25% 1.0 Security Concepts
1.1 Explain common threats against on-premises and
cloud environments
1.1.a On-premises: viruses, trojans, DoS/DDoS
attacks, phishing, rootkits, man-in-the-middle
attacks, SQL injection, cross-site scripting, malware
1.1.b Cloud: data breaches, insecure APIs,
DoS/DDoS, compromised credentials
1.2 Compare common security vulnerabilities such as
software bugs, weak and/or hardcoded passwords,
SQL injection, missing encryption, buffer overflow,
path traversal, cross-site scripting/forgery
1.3 Describe functions of the cryptography components
such as hashing, encryption, PKI, SSL, IPsec, NAT-T
IPv4 for IPsec, pre-shared key and certificate based
authorization
1.4 Compare site-to-site VPN and remote access VPN
deployment types such as sVTI, IPsec, Cryptomap,
DMVPN, FLEXVPN including high availability
considerations, and AnyConnect
1.5 Describe security intelligence authoring, sharing, and
consumption
1.6 Explain the role of the endpoint in protecting humans
from phishing and social
engineering attacks
1.7 Explain North Bound and South Bound APIs in the
SDN architecture
1.8 Explain DNAC APIs for network provisioning,
optimization, monitoring, and troubleshooting
1.9 Interpret basic Python scripts used to call Cisco
Security appliances APIs

1. Which two activities can be done using Cisco DNA Center? (Choose two).
A. DHCP
B. Design
C. Accounting
D. DNS
E. Provision
2. Which two endpoint measures are used to minimize the chances of falling
victim to phishing and social engineering attacks? (Choose two).
A. Patch for cross-site scripting.
B. Perform backups to the private cloud.
C. Protect against input validation and character escapes in the endpoint.
D. Install a spam and virus email filter.
E. Protect systems with an up-to-date antimalware program.
3. What is the primary difference between an Endpoint Protection Platform
and an Endpoint Detection and Response?
A. EPP focuses on prevention, and EDR focuses on advanced threats that
evade perimeter defenses.
B. EDR focuses on prevention, and EPP focuses on advanced threats that
evade the perimeter.
C. EPP focuses on network security, and EDR focuses on device security.
D. EDR focuses on network security, and EPP focuses on device security.
4. Which functions of an SDN architecture require southbound APIs to
enable communication?
A. SDN controller and the network elements
B. Management console and the SDN controller
C. Management console and cloud
D. SDN controller and the cloud
5. Which two REST API request types are valid on the Cisco ASA platform?
(Choose two).
A. put
B. options
C. get
D. push
E. connect
6. What can be integrated with Cisco Threat Intelligence Director to provide
information about security threats which allows the SOC to proactively
automate responses to those threats?
A. Cisco Umbrella
B. External Threat Feeds
C. Cisco Threat Grid
D. Cisco Stealthwatch
7. Which attack is commonly associated with C and C++ programming
languages?
A. Cross-site scripting
B. Water holing
C. DDoS
D. Buffer overflow
8. Which two prevention techniques are used to mitigate SQL injection
attacks? (Choose two).
A. Check integer, float, or Boolean string parameters to ensure accurate
values.
B. Use prepared statements and parameterized queries.
C. Secure the connection between the web and the app tier.
D. Write SQL code instead of using object-relational mapping libraries.
E. Block SQL code execution in the web application database login.
9. Which two application layer preprocessors are used by Firepower Next
Generation Intrusion Prevention System? (Choose two).
A. SIP
B. Inline normalization
C. SSL
D. Packet decoder
E. Modbus
10. The main function of northbound APIs in the SDN architecture is to
enable communication between which two areas of a network?
A. SDN controller and the cloud
B. Management and the SDN controller
C. Management console and the cloud
D. SDN controller and the management solution
11. Which two services must remain as on-premises equipment when a
hybrid email solution is deployed? (Choose two).
A. DDoS
B. Antispam
C. Antivirus
D. Encryption
E. DLP
12. Which two kinds of attacks are prevented by multifactor authentication?
(Choose two).
A. phishing
B. brute force
C. man-in-the-middle
D. DDoS
E. Teardrop
13. Which two preventive measures are used to control cross-site scripting?
(Choose two).
A. Enable client-side scripts on a per-domain basis.
B. Incorporate contextual output encoding/escaping.
C. Disable cookie inspection in the HTML inspection engine.
D. Run untrusted HTML input through an HTML sanitization engine.
E. SameSite cookie attribute should not be used.
14. Which policy is used to capture host information on the Cisco Firepower
Next Generation Intrusion Prevention System?
A. Correlation
B. Intrusion
C. Access control
D. Network discovery
15. In which form of attack is alternate encoding, such as hexadecimal
representation, most often observed?
A. Smurf
B. Distributed denial of service
C. Cross-site scripting
D. Rootkit exploit
16. Which two conditions are prerequisites for stateful failover for IPsec?
(Choose two).
A. Only the IKE configuration that is set up on the active device must be
duplicated on the standby device; the IPsec configuration is copied
automatically.
B. The active and standby devices can run different versions of the Cisco IOS
software but must be the same type of device.
C. The IPSec configuration that is set up on the active device must be
duplicated on the standby device.
D. Only the IPsec configuration that is set up on the active device must be
duplicated on the standby device; the IKE configuration is copied
automatically.
E. The active and standby devices must run the same version of the Cisco
IOS software and must be the same type of device.
17. What is the result of running the crypto isakmp key ciscXXXXXXXX
address 172.16.0.0 command?
A. Authenticates the IKEv2 peers in the 172.16.0.0/16 range by using the key
ciscXXXXXXXX
B. Authenticates the IP address of the 172.16.0.0/32 peer by using the key
ciscXXXXXXXX
C. Authenticates the IKEv1 peers in the 172.16.0.0/16 range by using the key
ciscXXXXXXXX
D. Secures all the certificates in the IKE exchange by using the key
ciscXXXXXXXX
18. Which two key and block sizes are valid for AES? (Choose two).
A. 64-bit block size, 112-bit key length
B. 64-bit block size, 168-bit key length
C. 128-bit block size, 192-bit key length
D. 128-bit block size, 256-bit key length
E. 192-bit block size, 256-bit key length
19. Elliptic curve cryptography is a stronger, more efficient cryptography
method meant to replace which current encryption technology?
A. 3DES
B. RSA
C. DES
D. AES
20. What is the difference between deceptive phishing and spear phishing?
A. Deceptive phishing is an attack aimed at a specific user in the
organization who holds a C-level position.
B. A spear phishing campaign is aimed at a specific person versus a group of
people.
C. Spear phishing is when the attack is aimed at the C-level executives of an
organization.
D. Deceptive phishing hijacks and manipulates the DNS server of the victim
and redirects the user to a false webpage.
21. The Cisco ASA must support TLS proxy for encrypted Cisco Unified
Communications traffic. Where must the ASA be added on the Cisco UC
Manager platform?
A. Certificate Trust List
B. Endpoint Trust List
C. Enterprise Proxy Service
D. Secured Collaboration Proxy
22. Which API is used for Content Security?
A. NX-OS API
B. IOS API
C. OpenVuln API
D. AsyncOS API
23. Which two mechanisms are used to control phishing attacks? (Choose
two).
A. Enable browser alerts for fraudulent websites.
B. Define security group memberships.
C. Revoke expired CRL of the websites.
D. Use antispyware software.
E. Implement email filtering techniques.
24. Which flaw does an attacker leverage when exploiting SQL injection
vulnerabilities?
A. User input validation in a web page or web application.
B. Linux and Windows operating systems.
C. Database.
D. Web page images.
25. Which of the following technologies relates to Advanced Malware
Protection?
A. Superior threat prevention and mitigation for known and unknown threats.
B. Detection, blocking, tracking, analysis, and remediation to protect against
targeted persistent malware attacks.
C. Combined integrated solution of strong defense and web protection,
visibility, and controlling solutions.
D. Application-layer control and ability to enforce usage and tailor detection
policies based on custom applications and URLs.
26. Which algorithm provides encryption and authentication for data plane
communication?
A. AES-GCM
B. SHA-96
C. AES-256
D. SHA-384
27. Which of the following technologies is considered a Cisco Web Security
Appliance?
A. Combined integrated solution of strong defense and web protection,
visibility, and controlling solutions.
B. Superior threat prevention and mitigation for known and unknown threats.
C. Application-layer control and ability to enforce usage and tailor detection
policies based on custom applications and URLs.
D. Detection, blocking, tracking, analysis, and remediation to protect against
targeted persistent malware attacks.
28. Which two descriptions of AES encryption are true? (Choose two).
A. AES is less secure than 3DES.
B. AES is more secure than 3DES.
C. AES can use a 168-bit key for encryption.
D. AES can use a 256-bit key for encryption.
E. AES encrypts and decrypts a key three times in sequence.
29. Which action controls the amount of URI text that is stored in Cisco
WSA log files?
A. Configure the datasecurityconfig command.
B. Configure the advancedproxyconfig command with the HTTPS
subcommand.
C. Configure a small log-entry size.
D. Configure a maximum packet size.
30. Which of the following technologies is considered a Next Generation
Intrusion Prevention System?
A. Detection, blocking, tracking, analysis, and remediation to protect against
targeted persistent malware attacks.
B. Application-layer control and ability to enforce usage and tailor detection
policies based on custom applications and URLs.
C. Superior threat prevention and mitigation for known and unknown threats.
D. Combined integrated solution of strong defense and web protection,
visibility, and controlling solutions.
31. Which feature is supported when deploying Cisco ASA within AWS
public cloud?
A. Multiple context mode
B. User deployment of Layer 3 networks
C. IPv6
D. Clustering
32. Which proxy mode must be used on Cisco WSA to redirect TCP traffic
with WCCP?
A. Transparent
B. Redirection
C. Forward
D. Proxy gateway
33. Which Talos reputation center allows you to track the reputation of IP
addresses for email and web traffic?
A. IP Blacklist center
B. File Reputation Center
C. AMP Reputation Center
D. IP and Domain Reputation Center
34. Which of the following technologies relates to Application control and
URL filtering?
A. Application-layer control and ability to enforce usage and tailor detection
policies based on custom applications and URLs.
B. Combined integrated solution of strong defense and web protection,
visibility, and controlling solutions.
C. Detection, blocking, tracking, analysis, and remediation to protect against
targeted persistent malware attacks.
D. Superior threat prevention and mitigation for known and unknown threats.
35. Which statement about the configuration of Cisco ASA NetFlow v9
Secure Event Logging is true?
A. To view bandwidth usage for NetFlow records, the QoS feature must be
enabled.
B. A Sysopt command can be used to enable NSEL on a specific interface.
C. NSEL can be used without a collector configured.
D. A flow-export event type must be defined under a policy.

Chapter 1: Answers
1. Which two activities can be done using Cisco DNA Center? (Choose two).
B. Design
E. Provision
Cisco DNA (Digital Network Architecture) Center is the network
management, analytics, and command center for your intent-based
enterprise network.
Benefits: deploy networks in minutes, not days, using intuitive workflows.
Cisco DNA Center makes it easy to design, provision, and apply policy
across your network.
2. Which two endpoint measures are used to minimize the chances of falling
victim to phishing and social engineering attacks? (Choose two).
D. Install a spam and virus email filter.
E. Protect systems with an up-to-date antimalware program.
Having up-to-date antimalware on the local system and a spam/email filter
in place are countermeasures to phishing and social engineering.
Input validation is a good practice, not something to protect against. Backups
do not prevent phishing, and cross-site scripting is not something that is
patched (input has to be validated or rejected at the time it is received).
3. What is the primary difference between an Endpoint Protection Platform
and an Endpoint Detection and Response?
A. EPP focuses on prevention, and EDR focuses on advanced
threats that evade perimeter defenses.
EPP (Endpoint Protection Platform) covers traditional anti-malware scanning
(Prevention), whereas EDR (Endpoint Detection and Response) covers some
more advanced capabilities like detecting and investigating security incidents,
and ability to remediate endpoints to pre-infection state (Advanced Threats).
4. Which functions of an SDN architecture require southbound APIs to
enable communication?
A. SDN controller and the network elements
Software-defined southbound application program interfaces (SDN
southbound APIs) are used to communicate between the SDN Controller and
the switches and routers of the network.
5. Which two REST API request types are valid on the Cisco ASA platform?
(Choose two).
A. put
C. get
REST - Representational State Transfer
Cisco ASA API requests: GET, PUT, POST, DELETE, PATCH
Cisco ASA API responses: LOCATION, CONTENT-TYPE
6. What can be integrated with Cisco Threat Intelligence Director to provide
information about security threats which allows the SOC to proactively
automate responses to those threats?
B. External Threat Feeds
SOC - Security Operations Center.
Threat Intelligence Director (TID) - a system that operationalizes threat
intelligence information. The system consumes and normalizes heterogeneous
third-party cyber threat intelligence, publishes the intelligence to detection
technologies, and correlates the observations from the detection technologies.
Umbrella - filters DNS requests.
External Threat Feeds - proactive response to cyber threats (malware,
ransomware, etc.).
Threat Grid - combines advanced sandboxing with threat intelligence into one
unified solution to protect organizations from malware within AMP (Advanced
Malware Protection).
Cisco Stealthwatch - provides enterprise-wide visibility, from the private
network to the public cloud, and applies advanced security analytics to detect
and respond to threats in real time.
7. Which attack is commonly associated with C and C++ programming
languages?
D. Buffer overflow
C and C++ are known to be subject to buffer overflows if the appropriate
checks are not applied during programming.
8. Which two prevention techniques are used to mitigate SQL injection
attacks? (Choose two).
A. Check integer, float, or Boolean string parameters to ensure
accurate values.
B. Use prepared statements and parameterized queries.
Controlling the user input is the key to mitigating SQL injection; checking
the input type and using prepared (parameterized) statements are the correct
user-input controls.
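The two correct options, as a worked example added here (this is not code from the book; the table, rows and the crafted input are constructed for the demonstration): the same lookup written with string concatenation and with a bound parameter, plus a type check for an integer parameter. Against an in-memory SQLite database the concatenated version returns every row when the input changes the query's structure, while the parameterized version treats the input as a plain string value.

```python
import sqlite3

# Constructed sample data (not from the original page): a tiny users table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, name: str):
    """The anti-pattern: user input concatenated straight into the SQL text.
    Input containing quotes changes the query's structure, not just its data."""
    query = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, name: str):
    """Prepared statement / parameterized query (option B): the driver binds
    the value, so whatever it contains is only ever compared as a string."""
    query = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def parse_user_id(raw: str) -> int:
    """Option A: validate a typed parameter before it is used at all.
    Anything that is not a plain non-negative integer is rejected."""
    if not raw.isdigit():
        raise ValueError(f"user id must be an integer, got {raw!r}")
    return int(raw)


def lookup_user_by_id(conn, raw_id: str):
    """Both controls together: type-check the parameter, then bind it."""
    user_id = parse_user_id(raw_id)
    return conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    crafted = "' OR '1'='1"   # constructed input that closes the quote early
    print("concatenated query returns:", lookup_user_vulnerable(db, crafted))
    print("parameterized query returns:", lookup_user_safe(db, crafted))
```

The parameterized lookup never has to "detect" bad input; the separation of SQL text from data is what removes the injection, and the integer check simply rejects values that cannot be a user id before they reach the database.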
9. Which two application layer preprocessors are used by Firepower Next
Generation Intrusion Prevention System? (Choose two).
A. SIP
C. SSL
Application layer protocols can represent the same data in a variety of ways.
The Firepower System provides application layer protocol decoders that
normalize specific types of packet data into formats that the intrusion rules
engine can analyze. The following represents several application layer
preprocessors: DCE/RPC, DNS, FTP, HTTP, SIP, IMAP, POP, SMTP,
SSH, SSL, etc. Packet decoders and inline normalization are part of
Firepower NGIPS but are not application layer. Modbus evaluation is also
part of Firepower NGIPS but is a separate lower level protocol.
10. The main function of northbound APIs in the SDN architecture is to
enable communication between which two areas of a network?
D. SDN controller and the management solution
Software-defined northbound application program interfaces (SDN
northbound APIs) are used to communicate between the SDN Controller and
the services and applications (including management solutions) running over
the network.
11. Which two services must remain as on-premises equipment when a
hybrid email solution is deployed? (Choose two).
D. Encryption
E. DLP
Cisco Hybrid Email Security is a unique service offering that combines a
cloud-based email security deployment with an appliance-based email
security deployment (on premises) to provide maximum choice and control
for your organization. The cloud-based infrastructure is typically used for
inbound email cleansing, while the on-premises appliances provide granular
control—protecting sensitive information with data loss prevention (DLP)
and encryption technologies.
12. Which two kinds of attacks are prevented by multifactor authentication?
(Choose two).
A. phishing
B. brute force
Phishing attempts to obtain logon credentials, just as brute force attempts to
guess credentials; multifactor authentication means you need an additional
factor (biometric, RSA token, etc.) to log in. Man-in-the-middle attacks can
see the extra factor, so they are not mitigated by MFA (multifactor
authentication). DDoS and teardrop are denial-of-service attacks, again not
affected by MFA.
13. Which two preventive measures are used to control cross-site scripting?
(Choose two).
A. Enable client-side scripts on a per-domain basis.
B. Incorporate contextual output encoding/escaping.
Contextual Output Encoding - Output encoding is the process of replacing
HTML control characters (e.g. <, >, ", &, etc.) with their encoded
equivalents. This is the best mitigation against cross-site scripting attacks.
Input HTML Sanitization - Input sanitization describes cleansing and
scrubbing user input to prevent it from jumping the fence and exploiting
security holes such as SQL injection or XSS (cross-site scripting).
14. Which policy is used to capture host information on the Cisco Firepower
Next Generation intrusion Prevention System?
D. Network discovery
Firepower NGIPS uses Network Discovery for (among other things) Host,
Application, and User Discovery and Identity Data. It is used for viewing
host profiles, which are complete views of all the information available for
your detected hosts.
15. In which form of attack is alternate encoding, such as hexadecimal
representation, most often observed?
C. Cross-site scripting
Cross-site scripting (XSS) is a common web vulnerability. Although XSS
filtering rules exist, attackers can easily bypass them by using hex
encoding.
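A worked example added here for questions 13 and 15 together (this is not code from the book; the inputs are constructed): a filter that looks for the literal string "<script" does not recognise the same tag when "<" and ">" arrive percent-encoded as hex, which is the weakness the explanation above describes. Contextual output encoding does not depend on recognising the input at all: after the application decodes the request, each value is encoded for the exact context it is written into (HTML body, quoted attribute, JavaScript string), so the characters that would matter in that context can no longer be interpreted as markup or code.

```python
import html
import json
from urllib.parse import unquote

# Constructed sample inputs (not from the original page).
PLAIN_INPUT = "Alice & Bob"
TAG_INPUT = "<script>alert(1)</script>"
# The same tag with '<' and '>' written as percent-encoded hex, the kind of
# alternate encoding the explanation above refers to.
HEX_INPUT = "%3Cscript%3Ealert(1)%3C/script%3E"


def naive_blacklist_filter(value: str) -> bool:
    """A blocklist that only looks for the literal text '<script'.
    Returns True when the value is considered safe by this weak check."""
    return "<script" not in value.lower()


def encode_for_html_body(value: str) -> str:
    """HTML text context: &, <, >, \" and ' become entity references."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Quoted attribute context: same entity set; the caller must also wrap
    the result in double quotes so the attribute cannot be broken out of."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JavaScript string-literal context: JSON-encode the value, then write
    <, > and & as \\uXXXX escapes so the HTML parser never sees them."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def decode_then_encode(raw: str) -> str:
    """What a server should do with a URL parameter: decode it once, then
    encode it for the output context. Hex-encoded input ends up identical
    to literal input, so the filter bypass above gains nothing."""
    return encode_for_html_body(unquote(raw))


def render_profile(display_name: str) -> str:
    """Render one value into three different contexts, each with the encoder
    that matches that context (contextual output encoding)."""
    return (
        f"<p>{encode_for_html_body(display_name)}</p>\n"
        f'<input value="{encode_for_html_attribute(display_name)}">\n'
        f"<script>var name = {encode_for_js_string(display_name)};</script>"
    )


def script_tag_count(rendered: str) -> int:
    """Number of '<script' occurrences in the markup; render_profile's own
    template contributes exactly one, so any more means input leaked through."""
    return rendered.lower().count("<script")


if __name__ == "__main__":
    print("filter thinks hex form is safe:", naive_blacklist_filter(HEX_INPUT))
    print("decoded hex form:", unquote(HEX_INPUT))
    print(render_profile(unquote(HEX_INPUT)))
```

The encoder is chosen by where the value lands, not by what the value contains; that is what "contextual" means in option B, and it is why the approach holds up against alternate encodings that a blocklist would miss.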
16. Which two conditions are prerequisites for stateful failover for IPsec?
(Choose two).
C. The IPSec configuration that is set up on the active device must
be duplicated on the standby device.
E. The active and standby devices must run the same version of
the Cisco IOS software and must be the same type of device.
The IKE and IPsec configuration that is set up on the active device must be
duplicated on the standby device. Both the active and standby devices must
run the identical version of the Cisco IOS software, and both the active and
standby devices must be connected via hub or switch. Stateful failover for
IPsec requires that your network contains two identical routers that are
available to be either the primary or secondary device.
17. What is the result of running the crypto isakmp key ciscXXXXXXXX
address 172.16.0.0 command?
B. Authenticates the IP address of the 172.16.0.0/32 peer by using
the key ciscXXXXXXXX
Use address keyword if the remote peer Internet Security Association Key
Management Protocol (ISAKMP) identity was set with its IP or IPv6 address.
18. Which two key and block sizes are valid for AES? (Choose two).
C. 128-bit block size, 192-bit key length
D. 128-bit block size, 256-bit key length
AES uses three of the Rijndael family of algorithms with a block size of 128
bits. They use three different key lengths: 128, 192 and 256 bits.
19. Elliptic curve cryptography is a stronger, more efficient cryptography
method meant to replace which current encryption technology?
B. RSA
Elliptic Curve Cryptography (ECC) is a public key/private key algorithm
designed to replace the current RSA method.
20. What is the difference between deceptive phishing and spear phishing?
B. A spear phishing campaign is aimed at a specific person
versus a group of people.
Spear phishing is an email or electronic communications scam targeted
towards a specific individual.
21. The Cisco ASA must support TLS proxy for encrypted Cisco Unified
Communications traffic. Where must the ASA be added on the Cisco UC
Manager platform?
A. Certificate Trust List
Configuring an ASA is not enough to fully incorporate the firewall into the
Cisco Unified Communications system. You must also add the ASA to the
Certificate Trust List (CTL) using the Cisco Certificate Trust List Client,
which is part of the Unified Communications Manager.
22. Which API is used for Content Security?
D. AsyncOS API
The AsyncOS API for Cisco Security Management appliances (or AsyncOS
API) is a representational state transfer (REST) based set of operations that
provide secure and authenticated access to the Security Management
appliance reports, report counters, tracking, quarantine, and configuration.
23. Which two mechanisms are used to control phishing attacks? (Choose
two).
A. Enable browser alerts for fraudulent websites.
E. Implement email filtering techniques.
Phishing attacks are via email spam or web sites trying to steal credentials.
Browser alerts and email filtering are used to control phishing.
24. Which flaw does an attacker leverage when exploiting SQL injection
vulnerabilities?
C. Database.
A SQL injection attack involves the alteration of SQL statements that are
used within a web application through the use of attacker-supplied data.
Insufficient input validation and improper construction of SQL statements in
web applications can expose them to SQL injection attacks.
25. Which of the following technologies relates to Advanced Malware
Protection?
B. Detection, blocking, tracking, analysis, and remediation to
protect against targeted persistent malware attacks.
Advanced Malware Protection (AMP) is an intelligence-powered, integrated
enterprise-class advanced malware analysis and protection solution with
comprehensive protection for your organization across the attack continuum:
before, during, and after an attack.
26. Which algorithm provides encryption and authentication for data plane
communication?
A. AES-GCM
AES-GCM is a block cipher mode of operation that provides high-speed
authenticated encryption, giving both confidentiality and data integrity. The
AES-GCM algorithm encrypts or decrypts with a 128-bit, 192-bit or 256-bit
cipher key.
27. Which of the following technologies is considered a Cisco Web Security
Appliance?
A. Combined integrated solution of strong defense and web
protection, visibility, and controlling solutions.
Cisco Secure Web Appliance protects organizations by automatically
blocking risky sites and testing unknown sites before allowing users to click
on them using TLS 1.3 and high-performance capabilities.
28. Which two descriptions of AES encryption are true? (Choose two).
B. AES is more secure than 3DES.
D. AES can use a 256-bit key for encryption.
The AES algorithm encrypts or decrypts with a 128-bit, 192-bit or 256-bit
cipher key and is the successor to DES and 3DES.
29. Which action controls the amount of URI text that is stored in Cisco
WSA log files?
B. Configure the advancedproxyconfig command with the
HTTPS subcommand.
Using the advancedproxyconfig command and its HTTPS subcommand exposes the
HTTPS-related options, including HTTPS URI Logging Style: full uri or
stripquery.
30. Which of the following technologies is considered a Next Generation
Intrusion Prevention System?
C. Superior threat prevention and mitigation for known and
unknown threats.
NGIPS is a comprehensive and consistent protection platform that protects
networks against cyberattacks using intrusion detection technologies, public
and private cloud threat management, internal network segmentation and
vulnerability and patch management.
31. Which feature is supported when deploying Cisco ASA within AWS
public cloud?
B. User deployment of Layer 3 networks.
Guidelines and Limitations for the ASAv and AWS:
Supported Features: User deployment of L3 networks and more.
Unsupported Features: IPv6, VLAN, Multiple context mode, Clustering,
and more.
32. Which proxy mode must be used on Cisco WSA to redirect TCP traffic
with WCCP?
A. Transparent
In transparent mode, WCCP can be used. A WCCP v2 enabled device
(typically a router, switch, PIX, or ASA) redirects port 80.
33. Which Talos reputation center allows you to track the reputation of IP
addresses for email and web traffic?
D. IP and Domain Reputation Center
Talos’ IP and Domain Data Center is the world’s most comprehensive real-
time threat detection network. The data is made up of daily security
intelligence across millions of deployed web, email, firewall and IPS
appliances.
34. Which of the following technologies relates to Application control and
URL filtering?
A. Application-layer control and ability to enforce usage and
tailor detection policies based on custom applications and URLs.
Using Cisco Umbrella, you can effectively manage your user’s internet
access through category-based content web filtering, allow/block lists, and
SafeSearch browsing enforcement.
35. Which statement about the configuration of Cisco ASA NetFlow v9
Secure Event Logging is true?
D. A flow-export event type must be defined under a policy.
NSEL - NetFlow Secure Event Logging. You can configure flow-export
actions in a class-map only with the match access-list, match any, or class-
default commands. You can only apply flow-export actions in a global
service policy.
Chapter 2: Network Security
20% 2.0 Network Security
2.1 Compare network security solutions that provide
intrusion prevention and firewall capabilities
2.2 Describe deployment models of network security
solutions and architectures that provide intrusion
prevention and firewall capabilities.
2.3 Describe the components, capabilities, and benefits of
NetFlow and Flexible NetFlow Records
2.4 Configure and verify network infrastructure security
methods (router, switch, wireless)
2.4.a Layer 2 methods (Network segmentation using
VLANs and VRF-lite; Layer 2 and port security;
DHCP snooping; Dynamic ARP inspection; storm
control; PVLANs to segregate network traffic; and
defenses against MAC, ARP, VLAN hopping, STP,
and DHCP rogue attacks)
2.4.b Device hardening of network infrastructure
security devices (control plane, data plane,
management plane, and routing protocol security)
2.5 Implement segmentation, access control policies,
AVC, URL filtering, and malware protection
2.6 Implement management options for network security
solutions such as intrusion prevention and perimeter
security (Single vs. multidevice manager, in-band vs.
out-of-band, CDP, DNS, SCP, SFTP, and DHCP
security and risks)
2.7 Configure AAA for device and network access
(authentication and authorization, TACACS+,
RADIUS and RADIUS flows, accounting, and dACL)
2.8 Configure secure network management of perimeter
security and infrastructure devices (secure device
management, SNMPv3, views, groups, users,
authentication, and encryption, secure logging, and
NTP with authentication)
2.9 Configure and verify site-to-site VPN and remote
access VPN
2.9.a Site-to-site VPN utilizing Cisco routers and IOS
1. Which of the following is a characteristic of Dynamic ARP Inspection?
A. DAI determines the validity of an ARP packet based on valid IP to MAC
address bindings from the DHCP snooping binding database.
B. In a typical network, make all ports as trusted except for the ports
connecting to switches, which are untrusted.
C. DAI associates a trust state with each switch.
D. DAI intercepts all ARP requests and responses on trusted ports only.
2. Which ID store requires that a shadow user be created on Cisco ISE for the
admin login to work?
A. RSA SecurID
B. Internal Database
C. Active Directory
D. LDAP
3. Which VPN Technology can support a multivendor environment and
secure traffic between sites?
A. SSL
B. GET VPN
C. FlexVPN
D. DMVPN
4. Which SNMPv3 configuration must be used to support the strongest
security possible?
A. asa-host(config)#snmp-server group myv3 v3 priv
asa-host(config)#snmp-server user andy myv3 auth sha cisco priv des ciscXXXXXXXX
asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
B. asa-host(config)#snmp-server group myv3 v3 noauth
asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX
asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
C. asa-host(config)#snmp-server group myv3 v3 noauth
asa-host(config)#snmp-server user andy myv3 auth sha cisco priv 3des ciscXXXXXXXX
asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
D. asa-host(config)#snmp-server group myv3 v3 priv
asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX
asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
5. Which solution combines Cisco IOS and IOS XE components to enable
administrators to recognize applications, collect and send network metrics to
Cisco Prime and other third-party management tools, and prioritize
application traffic?
A. Cisco Security Intelligence
B. Cisco Application Visibility and Control
C. Cisco Model Driven Telemetry
D. Cisco DNA Center
6. Which technology must be used to implement secure VPN connectivity
among company branches over a private IP cloud with any-to-any scalable
connectivity?
A. DMVPN
B. FlexVPN
C. IPsec DVTI
D. GET
7. Which statement about IOS zone-based firewalls is true?
A. An unassigned interface can communicate with assigned interfaces.
B. Only one interface can be assigned to a zone.
C. An interface can be assigned to multiple zones.
D. An interface can be assigned to only one zone.
8. Which ASA deployment mode can provide separation of management on a
shared appliance?
A. DMZ multiple zone mode
B. Transparent firewall mode
C. Multiple context mode
D. Routed mode
9. Which two deployment model configurations are supported for Cisco
FTDv in AWS? (Choose two).
A. Cisco FTDv configured in routed mode and managed by an FMCv
installed in AWS.
B. Cisco FTDv with one management interface and two traffic interfaces
configured.
C. Cisco FTDv configured in routed mode and managed by a physical FMC
appliance on premises.
D. Cisco FTDv with two management interfaces and one traffic interface
configured.
E. Cisco FTDv configured in routed mode and IPv6 configured.
10. Which feature is configured for managed devices in the device platform
settings of the Firepower Management Center?
A. Quality of service
B. Time synchronization
C. Network address translations
D. Intrusion policy
11. Which information is required when adding a device to Firepower
Management Center?
A. Username and password
B. Encryption method
C. Device serial number
D. Registration key
12. What is a characteristic of Cisco ASA Netflow v9 Secure Event Logging
(NSEL)?
A. It tracks flow-create, flow-teardown, and flow-denied events.
B. It provides stateless IP flow tracking that exports all records of a specific
flow.
C. It tracks the flow continuously and provides updates every 10 seconds.
D. Its events match all traffic classes in parallel.
13. Which RADIUS attribute can you use to filter MAB requests in an 802.1x
deployment?
A. 1
B. 6
C. 31
D. 2
14. Which feature requires a network discovery policy on the Cisco
Firepower Next Generation Intrusion Prevention System?
A. Security intelligence
B. Impact flags
C. Health monitoring
D. URL filtering
15. Refer to the exhibit. Which statement about the authentication protocol
used in the configuration is true?
A. The authentication request contains only a password.
B. The authentication request contains only a username.
C. The authentication and authorization requests are grouped in a single
packet.
D. There are separate authentication and authorization request packets.
16. An administrator wants to ensure that all endpoints are compliant before
users are allowed access on the corporate network. The endpoints must have
the corporate antivirus application installed and be running the latest build of
Windows 10. What must the administrator implement to ensure that all
devices are compliant before they are allowed on the network?
A. Cisco Identity Services Engine and AnyConnect Posture module
B. Cisco Stealthwatch and Cisco Identity Services Engine integration
C. Cisco ASA firewall with Dynamic Access Policies configured
D. Cisco Identity Services Engine with pxGrid services enabled
17. Which feature of Cisco ASA allows VPN users to be postured against
Cisco ISE without requiring an inline posture node?
A. RADIUS Change of Authorization
B. Device tracking
C. DHCP snooping
D. VLAN hopping
18. Which two probes are configured to gather attributes of connected
endpoints using Cisco Identity Services Engine? (Choose two).
A. RADIUS
B. TACACS+
C. DHCP
D. Snow
E. SMTP
19. Which two behavioral patterns characterize a ping of death attack?
(Choose two).
A. The attack is fragmented into groups of 16 octets before transmission.
B. The attack is fragmented into groups of 8 octets before transmission.
C. Short synchronized bursts of traffic are used to disrupt TCP connections.
D. Malformed packets are used to crash systems.
E. Publicly accessible DNS servers are typically used to execute the attack.
20. What two mechanisms are used to redirect users to a web portal to
authenticate to ISE for guest services? (Choose two).
A. TACACS+
B. Central web auth
C. Single sign-on
D. Multiple factor auth
E. Local Web auth
21. Which option is the main function of Cisco Firepower impact flags?
A. They alert Administrators when critical events occur.
B. They highlight known and suspected malicious IP addresses in reports.
C. They correlate data about intrusions and vulnerability.
D. They identify data that the ASA sends to the Firepower module.
22. Which two deployment modes does the Cisco ASA Firepower module
support? (Choose two).
A. Transparent mode
B. Routed mode
C. Inline mode
D. Active mode
E. Passive monitor-only mode
23. Which Firepower Next Generation Intrusion Prevention System detector
defines Distributed PortScan?
A. Many-to-one PortScan in which hosts query a single host for open ports.
B. One-to-many port sweep. An attacker uses one or more hosts to scan a
single port on multiple target hosts.
C. One-to-one PortScan. An attacker mixes spoofed source IP addresses with the
actual scanning IP address.
D. One-to-one PortScan. An attacker uses one or more hosts to scan one or
more ports.
24. Which of the following belong to the IKEv1 protocol? (Choose two).
A. Standard includes NAT-T.
B. Uses six packets in main mode to establish phase 1.
C. Uses four packets to establish phase 1 and phase 2.
D. Uses three packets in aggressive mode to establish phase 1.
E. Uses EAP to authenticate remote access clients.
25. Which of the following belong to the IKEv2 protocol? (Choose three).
A. Standard includes NAT-T.
B. Uses six packets in main mode to establish phase 1.
C. Uses four packets to establish phase 1 and phase 2.
D. Uses three packets in aggressive mode to establish phase 1.
E. Uses EAP to authenticate remote access clients.
26. Which Firepower Next Generation Intrusion Prevention System detector
defines Port Sweep?
A. One-to-one PortScan. An attacker mixes spoofed source IP addresses with
the actual scanning IP address.
B. One-to-one PortScan. An attacker uses one or more hosts to scan one or
more ports.
C. Many-to-one PortScan in which hosts query a single host for open ports.
D. One-to-many port sweep. An attacker uses one or more hosts to scan a
single port on multiple target hosts.
27. Which two features of Cisco DNA Center are used in a Software Defined
Network solution? (Choose two).
A. Accounting
B. Assurance
C. Automation
D. Authentication
E. Encryption
28. Which exfiltration method does an attacker use to hide and encode data
inside DNS requests and queries?
A. DNS tunneling
B. DNSCrypt
C. DNS security
D. DNSSEC
29. Which technology is used to improve web traffic performance by proxy
caching?
A. WSA
B. Firepower
C. FireSIGHT
D. ASA
30. Which two statements about a Cisco WSA configured in Transparent
mode are true? (Choose two).
A. It can handle explicit HTTP requests.
B. It requires a PAC file for the client web browser.
C. It requires a proxy for the client web browser.
D. WCCP v2 enabled devices can automatically redirect traffic destined to
port 80.
E. Layer 4 switches can automatically redirect traffic destined to port 80.
31. Refer to the router output. What does the number 15 represent in this
configuration?
snmp-server group SNMP v3 auth access 15
A. Privilege level for an authorized user to this router.
B. Access list that identifies the SNMP devices that can access the router.
C. Interval seconds between SNMPv3 authentication attempts.
D. Number of possible failed attempts until the SNMPv3 user is locked out.
32. Which network monitoring solution uses streams and pushes operational
data to provide a near real-time view of activity?
A. SNMP
B. SMTP
C. Syslog
D. model-driven telemetry
33. Which Firepower Next Generation Intrusion Prevention System detector
defines Decoy PortScan?
A. One-to-many port sweep. An attacker uses one or more hosts to scan a
single port on multiple target hosts.
B. Many-to-one PortScan in which hosts query a single host for open ports.
C. One-to-one PortScan. An attacker uses one or more hosts to scan one or
more ports.
D. One-to-one PortScan. An attacker mixes spoofed source IP addresses with
the actual scanning IP address.
34. An MDM provides which two advantages to an organization with regards
to device management? (Choose two).
A. Asset inventory management
B. Allowed application management
C. Active Directory group policy management
D. Network device management
E. Critical management
35. An engineer configured a new network identity in Cisco Umbrella but
must verify that traffic is being routed through the Cisco Umbrella network.
Which action tests the routing?
A. Ensure that the client computers are pointing to the on-premises DNS
servers.
B. Enable the Intelligent Proxy to validate that traffic is being routed
correctly.
C. Add the public IP address that the client computers are behind to a Core
Identity.
D. Browse to http://welcome.umbrella.com to validate that the new identity is
working.
36. Which Firepower Next Generation Intrusion Prevention System detector
defines PortScan Detection?
A. One-to-one PortScan. An attacker uses one or more hosts to scan one or
more ports.
B. One-to-one PortScan. An attacker mixes spoofed source IP addresses with the
actual scanning IP address.
C. One-to-many port sweep. An attacker uses one or more hosts to scan a
single port on multiple target hosts.
D. Many-to-one PortScan in which hosts query a single host for open ports.
Chapter 2: Answers
1. Which of the following is a characteristic of Dynamic ARP Inspection?
A. DAI determines the validity of an ARP packet based on
valid IP to MAC address bindings from the DHCP snooping binding
database.
DAI determines the validity of an ARP packet based on valid IP-to-MAC
address bindings stored in the DHCP snooping binding database. DAI -
Dynamic ARP Inspection; ARP - Address Resolution Protocol.
2. Which ID store requires that a shadow user be created on Cisco ISE for the
admin login to work?
C. Active Directory
Cisco ISE uses Microsoft Active Directory as an external identity source to
access resources such as users, machines, groups, and attributes. An external
account (shadow user) must be created for the join operation and have a
static password. This account must have the Super Admin or System Admin
role in ISE. ISE - Identity Services Engine
3. Which VPN Technology can support a multivendor environment and
secure traffic between sites?
C. FlexVPN
One of the primary advantages of an SSL VPN is that it uses the TLS
technology implemented in modern web browsers, so there is no need to
install specific client software.
SSL - Secure Sockets Layer (deprecated; it actually uses TLS - Transport
Layer Security - and keeping the SSL name is legacy)
GET - Group Encrypted Transport - establishes a single Security Association
(SA) for all routers in a group (mesh)
FlexVPN - Cisco proprietary framework for multiple VPN types (telework,
remote office, etc.)
DMVPN - Dynamic Multipoint VPN - a routing technique used to build a
VPN network with multiple sites without having to statically configure all
devices.
4. Which SNMPv3 configuration must be used to support the strongest
security possible?
D. asa-host(config)#snmp-server group myv3 v3 priv
asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX
asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
priv - privacy (encryption) required (the counterpart is nopriv - no
encryption)
auth - authentication required (the counterpart is noauth - no
authentication required)
aes 256 - the strongest privacy option offered (DES and 3DES are weaker).
Bottom line: the strongest combination is priv with auth and aes 256.
5. Which solution combines Cisco IOS and IOS XE components to enable
administrators to recognize applications, collect and send network metrics to
Cisco Prime and other third-party management tools, and prioritize
application traffic?
B. Cisco Application Visibility and Control
The Cisco Application Visibility and Control (AVC) solution leverages
multiple technologies to recognize, analyze, and control applications,
including voice and video, email, file sharing, gaming, peer-to-peer (P2P),
and cloud-based applications, combining several Cisco IOS/IOS XE
components.
6. Which technology must be used to implement secure VPN connectivity
among company branches over a private IP cloud with any-to-any scalable
connectivity?
D. GET
GET - Group Encrypted Transport - establishes a single Security Association
(SA) for all routers in a group (mesh).
FlexVPN - Cisco proprietary framework for multiple VPN types (telework,
remote office, etc.).
DMVPN - Dynamic Multipoint VPN - a routing technique used to build a
VPN network with multiple sites without having to statically configure all
devices.
IPsec DVTI - Dynamic VTI (Virtual Tunnel Interface) - dynamic IPsec
virtual tunnel interfaces provide a routable interface type for terminating
IPsec tunnels and an easy way to define protection between sites to form an
overlay network.
7. Which statement about IOS zone-based firewalls is true?
D. An interface can be assigned to only one zone.
Router network interfaces' membership in zones is subject to several rules
that govern interface behavior, as is the traffic moving between zone member
interfaces:
A zone must be configured before interfaces can be assigned to the zone.
An interface can be assigned to only one security zone.
For more rules/info, visit
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-
zone-design-guide.html
8. Which ASA deployment mode can provide separation of management on a
shared appliance?
C. Multiple context mode
The Cisco ASA supports firewall Multiple Contexts, also called Firewall
Multimode, which can be viewed as having multiple separate (virtual)
firewalls on the same hardware.
9. Which two deployment model configurations are supported for Cisco
FTDv in AWS? (Choose two).
A. Cisco FTDv configured in routed mode and managed by an
FMCv installed in AWS.
C. Cisco FTDv configured in routed mode and managed by a
physical FMC appliance on premises.
FTDv - Firepower Threat Defense virtual
FMCv - Firepower Management Center virtual
AWS - Amazon Web Services
In the AWS Marketplace an FMCv can be provisioned in AWS or use an on-
premises FMC (physical or virtual).
10. Which feature is configured for managed devices in the device platform
settings of the Firepower Management Center?
B. Time synchronization
Platform settings for managed devices are policy-based so that you can apply
the same configuration to multiple devices. Platform settings include access
list, audit log, language, login banner, shell timeout, SNMP, time
synchronization, etc.
11. Which information is required when adding a device to Firepower
Management Center?
D. Registration key
There are several fields to complete to add a device to Firepower
Management Center including: Host, Display Name, Registration Key,
Domain, Group, Access Control Policy, etc.
12. What is a characteristic of Cisco ASA Netflow v9 Secure Event Logging
(NSEL)?
A. It tracks flow-create, flow-teardown, and flow-denied events.
The ASA and ASASM implementations of NSEL provide a stateful IP flow
tracking method that exports only those records that indicate significant
events in a flow. The significant events that are tracked include flow-create,
flow-teardown, and flow-denied.
13. Which RADIUS attribute can you use to filter MAB requests in an 802.1x
deployment?
B. 6
MAB - MAC (Media Access Control) Authentication Bypass. Cisco switches
uniquely identify MAB requests by setting Attribute 6 (Service-Type) to 10
(Call-Check) in a MAB Access-Request message. Therefore, you can use
Attribute 6 to filter MAB requests at the RADIUS server.
14. Which feature requires a network discovery policy on the Cisco
Firepower Next Generation Intrusion Prevention System?
A. Security intelligence
The network discovery policy on the Firepower Management Center controls
how the system collects data on your organization’s network assets and
which network segments and ports are monitored. The system correlates data
gathered about your monitored network and its traffic, using intrusion,
connection, Security Intelligence, and file or malware events, and determines
that a potential IOC (Indication of Compromise) has occurred.
15. Refer to the exhibit. Which statement about the authentication protocol
used in the configuration is true?
C. The authentication and authorization requests are grouped in
a single packet.
RADIUS combines both authentication and authorization into one request
(single packet).
16. An administrator wants to ensure that all endpoints are compliant before
users are allowed access on the corporate network. The endpoints must have
the corporate antivirus application installed and be running the latest build of
Windows 10. What must the administrator implement to ensure that all
devices are compliant before they are allowed on the network?
A. Cisco Identity Services Engine and AnyConnect Posture
module
The AnyConnect Secure Mobility Client offers a VPN Posture (HostScan)
Module and an ISE Posture Module. Both give the Cisco AnyConnect
Secure Mobility Client the ability to assess an endpoint's compliance for
things like antivirus, antispyware, and firewall software installed on the host.
17. Which feature of Cisco ASA allows VPN users to be postured against
Cisco ISE without requiring an inline posture node?
A. RADIUS Change of Authorization
Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization
(CoA) (RFC 5176). This allows posturing of VPN users against Cisco ISE
without the need for an inline posture node (IPN).
18. Which two probes are configured to gather attributes of connected
endpoints using Cisco Identity Services Engine? (Choose two).
A. RADIUS
C. DHCP
The profiling service in Cisco Identity Services Engine (ISE) identifies the
devices that connect to your network and their location; endpoints are
profiled based on the endpoint profiling policies configured in Cisco ISE.
Probes that can be used include: NetFlow, DHCP, DHCP SPAN, HTTP,
HTTP SPAN, RADIUS, NMAP, DNS, SNMP, SNMP Trap, and Active
Directory.
19. Which two behavioral patterns characterize a ping of death attack?
(Choose two).
B. The attack is fragmented into groups of 8 octets before
transmission.
D. Malformed packets are used to crash Systems.
A ping of death is a type of attack on a computer system that involves
sending a malformed or otherwise malicious ping to a computer. A ping of
death is fragmented into groups of 8 octets before transmission.
20. What two mechanisms are used to redirect users to a web portal to
authenticate to ISE for guest services? (Choose two).
B. Central web auth
E. Local Web auth
Central and local web authentication are the two mechanisms used to redirect
users to a web portal.
21. Which option is the main function of Cisco Firepower impact flags?
C. They correlate data about intrusions and vulnerability.
You can configure the system to alert you whenever an intrusion event with
a specific impact flag occurs. Impact flags help you evaluate the impact an
intrusion has on your network by correlating intrusion data, network
discovery data, and vulnerability information.
22. Which two deployment modes does the Cisco ASA Firepower module
support? (Choose two).
A. Transparent mode
B. Routed mode
The ASA FirePower module supplies next-generation firewall services,
including Next-Generation IPS (NGIPS), Application Visibility and Control
(AVC), URL filtering, and Advanced Malware Protection (AMP). You can
use the module in single or multiple context mode, and in routed or
transparent mode.
23. Which Firepower Next Generation Intrusion Prevention System detector
defines Distributed PortScan?
A. Many-to-one PortScan in which hosts query a single host for
open ports.
Many-to-one PortScan is the correct definition for the Firepower Next
Generation Intrusion Prevention System. Distributed portscans are
characterized by a high number of scanning hosts, a high number of ports
that are scanned only once, and a single (or a low number of) scanned hosts.
24. Which of the following belong to the IKEv1 protocol? (Choose two).
B. Uses six packets in main mode to establish phase 1.
D. Uses three packets in aggressive mode to establish phase 1.
IKEv1 Phase 1 negotiation can happen in one of two modes: Main Mode or
Aggressive Mode. IKEv1 Phase 1 Main Mode has three pairs of messages
(six messages in total) between IPsec peers. IKEv1 Phase 1 Aggressive Mode
has only three message exchanges. The purpose of IKEv1 Phase 1 is to
establish the IKE SA.
25. Which of the following belong to the IKEv2 protocol? (Choose three).
A. Standard includes NAT-T.
C. Uses four packets to establish phase 1 and phase 2.
E. Uses EAP to authenticate remote access clients.
IKEv2 uses four messages to establish Phase 1 and Phase 2, replacing the
IKEv1 Main Mode and Aggressive Mode exchanges. The standard also
includes NAT-T, and peers can be validated using EAP, allowing
authentication between them.
26. Which Firepower Next Generation Intrusion Prevention System detector
defines Port Sweep?
D. One-to-many port sweep. An attacker uses one or more
hosts to scan a single port on multiple target hosts.
One-to-many port sweep is the correct definition of Port Sweep. This triggers
when a series of connections to a number of different destination ports on a
specific host have been initiated.
27. Which two features of Cisco DNA Center are used in a Software Defined
Network solution? (Choose two).
B. Assurance
C. Automation
Cisco DNA allows IT to move beyond SDN and transcend the automation-
focused network technologies that make up SDN. Cisco DNA uses a holistic
systems approach to align the network to business intent. This approach
combines automation with translation, policy, and assurance capabilities.
28. Which exfiltration method does an attacker use to hide and encode data
inside DNS requests and queries?
A. DNS tunneling
DNS tunneling utilizes the DNS protocol to communicate non-DNS traffic
(i.e. HTTP) over port 53. There are legitimate reasons why you would use
DNS tunneling, but attackers have been using it for data exfiltration and
command and control callbacks.
29. Which technology is used to improve web traffic performance by proxy
caching?
A. WSA
In the Web Security Appliance (WSA), the web proxy cache is used to cache
data to increase performance.
30. Which two statements about a Cisco WSA configured in Transparent
mode are true? (Choose two).
D. WCCP v2 enabled devices can automatically redirect traffic
destined to port 80.
E. Layer 4 switches can automatically redirect traffic destined to
port 80.
The way the WSA HTTP proxy obtains the client's request can be defined in
one of two ways: transparently or explicitly.
Transparent - Layer 4 switch (PBR): a Layer 4 switch is used to redirect
traffic based on destination port 80.
Transparent - WCCP: a WCCP v2 enabled device (typically a router, switch,
PIX, or ASA) redirects port 80.
31. Refer to the router output. What does the number 15 represent in this
configuration?
snmp-server group SNMP v3 auth access 15
B. Access list that identifies the SNMP devices that can access the
router.
The command configures the SNMP server group to enable authentication for
members of a specified named access list.
32. Which network monitoring solution uses streams and pushes operational
data to provide a near real-time view of activity?
D. model-driven telemetry
Model-Driven Telemetry is a new approach for network monitoring in which
data is streamed from network devices continuously using a push model and
provides near real-time access to operational statistics.
33. Which Firepower Next Generation Intrusion Prevention System detector
defines Decoy PortScan?
D. One-to-one PortScan. An attacker mixes spoofed source IP
addresses with the actual scanning IP address.
Mixing spoofed source IP addresses with the actual scanning address is the
correct definition of Decoy PortScan. The decoy portscan option detects TCP,
UDP, and IP protocol portscans.
34. An MDM provides which two advantages to an organization with regards
to device management? (Choose two).
A. Asset inventory management
B. Allowed application management
Mobile device management (MDM) is a type of security software used by an
IT department to monitor, manage and secure employees' mobile devices that
are deployed across multiple mobile service providers and across multiple
mobile operating systems being used in the organization.
35. An engineer configured a new network identity in Cisco Umbrella but
must verify that traffic is being routed through the Cisco Umbrella network.
Which action tests the routing?
D. Browse to http://welcome.umbrella.com to validate that the
new identity is working.
You register a fixed network to Umbrella by adding a Network identity that is
configured to include the fixed network's public IP space. The last step (Step
4) is to test the network. Verify that your DNS connections are routed
through Cisco Umbrella's global network by navigating to the following
page in your client's browser: https://welcome.umbrella.com/. You should see
the Welcome to Umbrella page.
36. Which Firepower Next Generation Intrusion Prevention System detector
defines PortScan Detection?
A. One-to-one PortScan. An attacker uses one or more hosts to
scan one or more ports.
Cisco’s portscan detector is designed to help you determine which portscans
might be malicious by detecting patterns of activity. Attackers are likely to
use several methods to probe your network.
Chapter 3: Securing the Cloud
15% 3.0 Securing the Cloud
3.1 Identify security solutions for cloud environments
3.1.a Public, private, hybrid, and community clouds
3.1.b Cloud service models: SaaS, PaaS, IaaS (NIST
800-145)
3.2 Compare the customer vs. provider security
responsibility for the different cloud service models
3.2.a Patch management in the cloud
3.2.b Security assessment in the cloud
3.2.c Cloud-delivered security solutions such as
firewall, management, proxy, security intelligence,
and CASB
3.3 Describe the concept of DevSecOps (CI/CD pipeline,
container orchestration, and security)
3.4 Implement application and data security in cloud
environments
3.5 Identify security capabilities, deployment models, and
policy management to secure the cloud
3.6 Configure cloud logging and monitoring
methodologies
3.7 Describe application and workload security concepts

1. What is the function of Cisco Cloudlock for data security?
A. Data loss prevention
B. Controls malicious cloud apps
C. Detects anomalies
D. User and entity behavior analytics
2. Which cloud service model offers an environment for cloud consumers to
develop and deploy applications without needing to manage or maintain the
underlying cloud infrastructure?
A. PaaS
B. XaaS
C. IaaS
D. SaaS
3. In a PaaS model, which layer is the tenant responsible for maintaining and
patching?
A. Hypervisor
B. Virtual machine
C. Network
D. Application
4. Which solution protects hybrid cloud deployment workloads with
application visibility and segmentation?
A. Nexus
B. Stealthwatch
C. Firepower
D. Tetration
5. Which deployment model is the most secure when considering risks to
cloud operation?
A. Public cloud
B. Hybrid cloud
C. Community cloud
D. Private cloud
6. What does the Cloudlock Apps Firewall do to mitigate security concerns
from an application perspective?
A. It allows the Administrator to quarantine malicious files so that the
application can function, just not maliciously.
B. It discovers and controls cloud apps that are connected to a company's
corporate environment.
C. It deletes any application that does not belong in the network.
D. It sends the application information to an Administrator to act on.
7. What is the primary benefit of deploying an ESA in hybrid mode?
A. You can fine-tune its settings to provide the optimum balance between
security and performance for your environment.
B. It provides the lowest total cost of ownership by reducing the need for
physical appliances.
C. It provides maximum protection and control of outbound messages.
D. It provides email security while supporting the transition to the cloud.
8. In which cloud services model is the tenant responsible for virtual machine
OS patching?
A. IaaS
B. UCaaS
C. PaaS
D. SaaS
9. Which technology reduces data loss by identifying sensitive information
stored in public computing environments?
A. Cisco SDA
B. Cisco Firepower
C. Cisco HyperFlex
D. Cisco Cloudlock

Chapter 3: Answers
1. What is the function of Cisco Cloudlock for data security?
A. Data loss prevention
Cloudlock uses DLP technology to monitor cloud environments as well as
application security using an app firewall and crowd-sourced Community
Trust Rating.
2. Which cloud service model offers an environment for cloud consumers to
develop and deploy applications without needing to manage or maintain the
underlying cloud infrastructure?
A. PaaS
SaaS - Software as a Service - The user only runs a software application; no
access to the OS or programming.
PaaS - Platform as a Service - The user has access to the OS to develop
applications or run their own programs.
IaaS - Infrastructure as a Service - The user has a virtual machine and
installs their OS and applications into it.
XaaS - Everything as a Service - The user has a variety of services and
applications on demand over the Internet.
3. In a PaaS model, which layer is the tenant responsible for maintaining and
patching?
D. Application
PaaS - Platform as a Service - The user has access to the OS to develop
applications or run their own programs. The application being developed is
the responsibility of the tenant.
4. Which solution protects hybrid cloud deployment workloads with
application visibility and segmentation?
D. Tetration
Tetration offers an on-premises deployment option with high scalability,
high availability, and a horizontally scalable architecture, which makes it
suitable for large enterprise data centers with data residency and privacy
requirements.
5. Which deployment model is the most secure when considering risks to
cloud operation?
D. Private cloud
In Private Cloud, all cloud operations are implemented on premises at the
local enterprise. It can spread to multiple enterprise data centers but is only
on the enterprise equipment. This isolation from the public space allows the
highest level of security.
6. What does the Cloudlock Apps Firewall do to mitigate security concerns
from an application perspective?
B. It discovers and controls cloud apps that are connected to a
company's corporate environment.
The Cloudlock Apps Firewall discovers and controls cloud apps connected to
your corporate environment. You can see a crowd-sourced Community Trust
Rating for individual apps, and you can ban or whitelist them based on risk.
7. What is the primary benefit of deploying an ESA in hybrid mode?
C. It provides maximum protection and control of outbound
messages.
Cisco Hybrid Email Security is a unique service offering that combines a
cloud-based email security deployment with an appliance-based email
security deployment (on premises) to provide maximum choice and control
for your organization. The cloud-based infrastructure is typically used for
inbound email cleansing, while the on-premises appliances provide granular
control—protecting sensitive information with data loss prevention (DLP)
and encryption technologies.
8. In which cloud services model is the tenant responsible for virtual machine
OS patching?
A. IaaS
IaaS - Infrastructure as a Service provides just the infrastructure needs
(compute, memory, storage) and the client is responsible for the OS.
9. Which technology reduces data loss by identifying sensitive information
stored in public computing environments?
D. Cisco Cloudlock
Cloudlock's data loss prevention (DLP) technology continuously monitors
cloud environments to detect and secure sensitive information.

Chapter 4: Content Security
10% 4.0 Content Security
4.1 Implement traffic redirection and capture methods
4.2 Describe web proxy identity and authentication
including transparent user identification
4.3 Compare the components, capabilities, and benefits of
local and cloud-based email and web solutions (ESA,
CES, WSA)
4.4 Configure and verify web and email security
deployment methods to protect on-premises and
remote users (inbound and outbound controls and
policy management)
4.5 Configure and verify email security features such as
SPAM filtering, antimalware filtering, DLP, block
listing, and email encryption
4.6 Configure and verify secure internet gateway and web
security features such as block
listing, URL filtering, malware scanning, URL
categorization, web application filtering, and TLS
decryption
4.7 Describe the components, capabilities, and benefits of
Cisco Umbrella
4.8 Configure and verify web security controls on Cisco
Umbrella (identities, URL content settings, destination
lists, and reporting)

1. Why would a user choose an on-premises ESA versus the CES solution?
A. Sensitive data must remain onsite.
B. Demand is unpredictable.
C. The server team wants to outsource this service.
D. ESA is deployed inline.
2. What is a required prerequisite to enable malware file scanning for the
Secure Internet Gateway?
A. Enable IP Layer enforcement.
B. Activate the Advanced Malware Protection license.
C. Activate SSL decryption.
D. Enable Intelligent Proxy.
3. An engineer is configuring AMP for endpoints and wants to block certain
files from executing. Which outbreak control method is used to accomplish
this task?
A. Device flow correlation
B. Simple detections
C. Application blocking list
D. Advanced custom detections
4. Refer to the exhibit. What is a result of the configuration?
A. Traffic from the DMZ network is redirected.
B. Traffic from the inside network is redirected.
C. All TCP traffic is redirected.
D. Traffic from the inside and DMZ networks is redirected.
5. Which feature within Cisco Umbrella allows for the ability to inspect
secure HTTP traffic?
A. File Analysis
B. SafeSearch
C. SSL Decryption
D. Destination Lists
6. Which two features of Cisco Email Security can protect your organization
against email threats? (Choose two).
A. Time-based one-time passwords
B. Data loss prevention
C. Heuristic-based filtering
D. Geolocation-based filtering
E. NetFlow
7. What is the correct sequence to enable AppDynamics to monitor an EC2
instance in Amazon Web Services?
1. Update config.yaml
2. Configure a Machine Agent or SIM Agent
3. Restart the Machine Agent
4. Install monitoring extension for AWS EC2
A. 4-2-1-3
B. 2-4-1-3
C. 3-1-4-2
D. 1-4-2-3
8. An engineer is configuring a Cisco ESA and wants to control whether to
accept or reject email messages to a recipient address. Which list contains the
allowed recipient addresses?
A. SAT
B. BAT
C. HAT
D. RAT
9. Which two capabilities does TAXII support? (Choose two).
A. exchange
B. pull messaging
C. binding
D. correlation
E. mitigating
10. After deploying a Cisco ESA on your network, you notice that some
messages fail to reach their destinations. Which task can you perform to
determine where each message was lost?
A. Configure the trackingconfig command to enable message tracking.
B. Generate a System report.
C. Review the log files.
D. Perform a trace.
11. When web policies are configured in Cisco Umbrella, what provides the
ability to ensure that domains are blocked when they host malware, command
and control, phishing, and more threats?
A. Application Control
B. Security Category Blocking
C. Content Category Blocking
D. File Analysis
12. Which Cisco solution does Cisco umbrella integrate with to determine if a
URL is malicious?
A. AMP
B. AnyConnect
C. DynDNS
D. Talos
13. What is the purpose of the Decrypt for Application Detection feature
within the WSA Decryption options?
A. It decrypts HTTPS application traffic for unauthenticated users.
B. It alerts users when the WSA decrypts their traffic.
C. It decrypts HTTPS application traffic for authenticated users.
D. It provides enhanced HTTPS application detection for AsyncOS.
14. What is the primary role of the Cisco Email Security Appliance?
A. Mail Submission Agent
B. Mail Transfer Agent
C. Mail Delivery Agent
D. Mail user Agent
15. How does Cisco Umbrella archive logs to an enterprise-owned storage?
A. By using the Application programming Interface to fetch the logs.
B. By sending logs via syslog to an on-premises or cloud-based syslog server.
C. By the System administrator downloading the logs from the Cisco
Umbrella web portal.
D. By being configured to send logs to a self-managed AWS S3 bucket.
16. What is a language format designed to exchange threat intelligence that
can be transported over the TAXII protocol?
A. STIX
B. XMPP
C. pxGrid
D. SMTP
Chapter 4: Answers
1. Why would a user choose an on-premises ESA versus the CES solution?
A. Sensitive data must remain onsite.
ESA - Email Security Appliance
CES - Cloud Email Security
If sensitive data must remain on premises, the appliance would be the best
choice.
2. What is a required prerequisite to enable malware file scanning for the
Secure Internet Gateway?
D. Enable Intelligent Proxy.
Secure Internet Gateway (Cisco Umbrella) is multiple security functions
integrated in one cloud service; flexibility to deploy security services how
and where you choose; ability to secure direct-to-internet access, cloud app
usage and roaming users; plus, no appliances to deploy. An intelligent proxy
is required for malware file scanning.
3. An engineer is configuring AMP for endpoints and wants to block certain
files from executing. Which outbreak control method is used to accomplish
this task?
C. Application blocking list
Cisco AMP (Advanced Malware Protection) is an intelligence-powered,
integrated, enterprise-class advanced malware analysis and protection
solution. Application Control:
- Blocked Lists to stop executables from running.
- Allowed Lists to create lists of applications that will not be wrongly
detected.
4. Refer to the exhibit. What is a result of the configuration?
D. Traffic from the inside and DMZ networks is redirected.
The access list matches both the inside network and the DMZ network, and
that access list is applied within the redirection policy, so traffic from both
networks is redirected.
5. Which feature within Cisco Umbrella allows for the ability to inspect
secure HTTP traffic?
C. SSL Decryption
SSL Decryption is an important part of the Umbrella Intelligent Proxy. The
feature allows the Intelligent Proxy to go beyond simply inspecting normal
URLs and actually proxy and inspect traffic that's sent over HTTPS.
6. Which two features of Cisco Email Security can protect your organization
against email threats? (Choose two).
B. Data loss prevention
C. Heuristic-based filtering
Cisco Email Security, with content-aware, heuristic analysis with Outbreak
detection, policy-based Data Loss Prevention (DLP) and encryption, helps
businesses detect and manage risks.
7. What is the correct sequence to enable AppDynamics to monitor an EC2
instance in Amazon Web Services?
1. Update config.yaml
2. Configure a Machine Agent or SIM Agent
3. Restart the Machine Agent
4. Install monitoring extension for AWS EC2

B. 2-4-1-3
The correct order is:
Configure a Machine Agent or SIM Agent = Step 1
Install monitoring extension for AWS EC2 = Step 2
Update config.yaml = Step 3
Restart the Machine Agent = Step 4
8. An engineer is configuring a Cisco ESA and wants to control whether to
accept or reject email messages to a recipient address. Which list contains the
allowed recipient addresses?
D. RAT
RAT - Recipient Access Table
HAT - Host Access Table
BAT/SAT - unknown
9. Which two capabilities does TAXII support? (Choose two).
A. exchange
B. pull messaging
TAXII - Trusted Automated eXchange of Indicator Information. TAXII is an
exchange utility using Pull Messaging, Push Messaging, Discovery, and
Query.
10. After deploying a Cisco ESA on your network, you notice that some
messages fail to reach their destinations. Which task can you perform to
determine where each message was lost?
A. Configure the trackingconfig command to enable message tracking.
Message tracking is enabled with the trackingconfig command and helps
resolve help desk calls by giving a detailed view of message flow. For
example, if a message was not delivered as expected, you can determine if it
was found to contain a virus or placed in a spam quarantine — or if it is
located somewhere else in the mail stream.
11. When web policies are configured in Cisco Umbrella, what provides the
ability to ensure that domains are blocked when they host malware, command
and control, phishing, and more threats?
B. Security Category Blocking
Umbrella's Security Categories are categories of security defense. These
categories are used in creating policies and in viewing reports for when
things are blocked, or even when they are not. Security Categories include:
Malware, Newly Seen Domains, Command and Control Callbacks, Phishing
Attacks, Dynamic DNS, Potentially Harmful Domains, DNS Tunneling, and
Cryptomining.
12. Which Cisco solution does Cisco umbrella integrate with to determine if a
URL is malicious?
D. Talos
Cisco Umbrella uses Cisco Talos and other third-party feeds to determine if a
URL is malicious. Talos is Cisco's threat intelligence organization.
13. What is the purpose of the Decrypt for Application Detection feature
within the WSA Decryption options?
D. It provides enhanced HTTPS application detection for
AsyncOS.
Decrypt for Application Detection: Enhances the ability of AsyncOS to detect
HTTPS applications. The HTTPS Proxy can decrypt HTTPS connections to
web applications.
14. What is the primary role of the Cisco Email Security Appliance?
B. Mail Transfer Agent
Cisco Email Security Appliance (ESA) protects the email infrastructure and
network users who use email at work by filtering unsolicited and malicious
email before it reaches the user. Cisco ESA easily integrates into existing
email infrastructures by acting as a Mail Transfer Agent (MTA), or mail
relay.
15. How does Cisco Umbrella archive logs to an enterprise-owned storage?
D. By being configured to send logs to a self-managed AWS S3
bucket.
Umbrella has the ability to store logs to an Amazon S3 bucket. By having
your logs uploaded to an S3 bucket, you can then automatically download
logs so that you can keep them in perpetuity in backup storage outside of
Umbrella's data warehouse storage system.
16. What is a language format designed to exchange threat intelligence that
can be transported over the TAXII protocol?
A. STIX
The TAXII service uses a subset of the STIX language to describe the
incidents CTA has detected. STIX (Structured Threat Information
eXpression) is a standardized XML-based language for conveying
data about cybersecurity threats in a common format that can be easily
understood by humans and security technologies.
Chapter 5: Endpoint Protection and Detection

15% 5.0 Endpoint Protection and Detection
5.1 Compare Endpoint Protection Platforms (EPP) and
Endpoint Detection & Response (EDR) solutions
5.2 Explain antimalware, retrospective security,
Indication of Compromise (IOC), antivirus, dynamic
file analysis, and endpoint-sourced telemetry
5.3 Configure and verify outbreak control and
quarantines to limit infection
5.4 Describe justifications for endpoint-based security
5.5 Describe the value of endpoint device management
and asset inventory such as MDM
5.6 Describe the uses and importance of a multifactor
authentication (MFA) strategy
5.7 Describe endpoint posture assessment solutions to
ensure endpoint security
5.8 Explain the importance of an endpoint patching
strategy

1. What are two list types within AMP for Endpoints Outbreak Control?
(Choose two).
A. Blocked ports
B. Simple custom detections
C. Command and control
D. Allowed applications
E. URL
2. Which two conditions can be checked on an endpoint using ISE posture
assessment? (Choose two).
A. Computer identity
B. Windows service
C. User identity
D. Default browser
3. Which Cisco product provides proactive endpoint protection and allows
Administrators to centrally manage the deployment?
A. NGFW
B. AMP
C. WSA
D. ESA
4. An engineer must force an endpoint to re-authenticate an already
authenticated session without disrupting the endpoint to apply a new or
updated policy from ISE. Which COA type achieves this goal?
A. Port Bounce
B. CoA Terminate
C. CoA Reauth
D. CoA Session Query
5. With Cisco AMP for Endpoints, which option shows a list of all files that
have been executed in your environment?
A. Vulnerable software
B. File analysis
C. Detections
D. Prevalence
E. Threat root cause
6. Which policy represents a shared set of features or parameters that define
the aspects of a managed device that are likely to be similar to other managed
devices in a deployment?
A. Group policy
B. Access control policy
C. Device management policy
D. Platform service policy
7. What are the two most commonly used authentication factors in
multifactor authentication? (Choose two).
A. Biometric factor
B. Time factor
C. Confidentiality factor
D. Knowledge factor
E. Encryption factor
8. Under which two circumstances is a COA issued? (Choose two).
A. A new authentication rule was added to the policy on the Policy Service
node.
B. An endpoint is deleted on the Identity Service Engine server.
C. A new Identity Source Sequence is created and referenced in the
authentication policy.
D. An endpoint is profiled for the first time.
E. A new Identity Service Engine server is added to the deployment with the
Administration persona.

9. Which benefit does endpoint security provide the overall security posture
of an organization?
A. It streamlines the incident response process to automatically perform
digital forensics on the endpoint.
B. It allows the organization to mitigate web-based attacks as long as the user
is active in the domain.
C. It allows the organization to detect and respond to threats at the edge of
the network.
D. It allows the organization to detect and mitigate threats that the perimeter
security devices do not.

Chapter 5: Answers
1. What are two list types within AMP for Endpoints Outbreak Control?
(Choose two).
B. Simple custom detections
D. Allowed applications
Cisco AMP (Advanced Malware Protection) for Endpoints Outbreak Control
gives you a suite of capabilities to effectively stop the spread of malware and
malware-related activities. This is accomplished with actions like custom
detections and application whitelisting.
2. Which two conditions can be checked on an endpoint using ISE posture
assessment? (Choose two).
B. Windows service
C. User identity
From the Cisco ISE (Identity Services Engine) network perspective,
concurrent endpoints can be users, personal computers, laptops, IP phones,
smart phones, gaming consoles, printers, fax machines, or any other devices
supported by the Cisco ISE network.
3. Which Cisco product provides proactive endpoint protection and allows
Administrators to centrally manage the deployment?
B. AMP
AMP - Advanced Malware Protection for Endpoints - endpoint protection,
file scanning, antivirus, central management.
NGFW - Next Generation Firewall - visibility to stop threats fast and automate
operations.
WSA - Web Security Appliance - automatically blocks risky websites.
ESA - Email Security Appliance - detects and blocks a variety of email-borne
threats (malware, spam, etc.).
4. An engineer must force an endpoint to re-authenticate an already
authenticated session without disrupting the endpoint to apply a new or
updated policy from ISE. Which COA type achieves this goal?
C. CoA Reauth
ISE - Identity Services Engine. CoA - Change of Authorization. Reauth
forces one connection (on a multi connection port) to reauthenticate. Port
Bounce forces all devices connected to the same port to reauthenticate.
5. With Cisco AMP for Endpoints, which option shows a list of all files that
have been executed in your environment?
D. Prevalence
Prevalence shows files that have been executed in your deployment.
Vulnerable Software shows applications with known vulnerabilities observed
by FireAMP. File Analysis shows details of what a binary does. Detections
shows detected items that were quarantined. Threat Root Cause shows how
malware is getting into your computers.
6. Which policy represents a shared set of features or parameters that define
the aspects of a managed device that are likely to be similar to other managed
devices in a deployment?
D. Platform service policy
Platform Service Policies provide a consistent and flexible way to configure
certain security appliance features, including priority queuing, application
inspection, and QoS (quality of service).
7. What are the two most commonly used authentication factors in
multifactor authentication? (Choose two).
A. Biometric factor
D. Knowledge factor
The main authentication factors are:
- Something you know - Knowledge
- Something you have - RSA Token or CAC
- Something you are - Biometric
8. Under which two circumstances is a COA issued? (Choose two).
B. An endpoint is deleted on the Identity Service Engine server.
D. An endpoint is profiled for the first time.
A Change of Authorization is issued for the following:
- An endpoint is deleted
- An endpoint is profiled for the first time
- Static assignment of an endpoint
9. Which benefit does endpoint security provide the overall security posture
of an organization?
D. It allows the organization to detect and mitigate threats that
the perimeter security devices do not.
Protect insiders from threats and prevent insiders from becoming threats.
Monitor user and endpoint behavior on and off the network. Get deep
analytics on users, applications, traffic, destinations and endpoint details.
Chapter 6: Secure Network Access, Visibility, and Enforcement

15% 6.0 Secure Network Access, Visibility, and Enforcement
6.1 Describe identity management and secure network
access concepts such as guest services, profiling,
posture assessment and BYOD
6.2 Configure and verify network access device
functionality such as 802.1X, MAB, WebAuth
6.3 Describe network access with CoA
6.4 Describe the benefits of device compliance and
application control
6.5 Explain exfiltration techniques (DNS tunneling,
HTTPS, email, FTP/SSH/SCP/SFTP, ICMP,
Messenger, IRC, NTP)
6.6 Describe the benefits of network telemetry
6.7 Describe the components, capabilities, and benefits of
these security products and solutions
6.7.a Cisco Stealthwatch
6.7.b Cisco Stealthwatch Cloud
6.7.c Cisco pxGrid
6.7.d Cisco Umbrella Investigate
6.7.e Cisco Cognitive Threat Analytics
6.7.f Cisco Encrypted Traffic Analytics
6.7.g Cisco AnyConnect Network Visibility Module
(NVM)

1. Which command enables 802.1x globally on a Cisco switch?
A. dot1x system-auth-control
B. dot1x pae authenticator
C. authentication port-control auto
D. aaa new-model
2. Where are individual sites specified to be blacklisted in Cisco Umbrella?
A. Application settings
B. Content categories
C. Security settings
D. Destination lists
3. How is Cisco Umbrella configured to log only security events?
A. Per policy
B. In the Reporting settings
C. In the Security Settings section
D. Per network in the Deployments section
4. On which part of the IT environment does DevSecOps focus?
A. Application development
B. Wireless network
C. Data center
D. Perimeter network
5. What is a characteristic of traffic storm control behavior?
A. Traffic storm control drops all broadcast and multicast traffic if the
combined traffic exceeds the level within the interval.
B. Traffic storm control cannot determine if the packet is unicast or
broadcast.
C. Traffic storm control monitors incoming traffic levels over a 10-second
traffic storm control interval.
D. Traffic control uses the Individual/Group bit in the packet source address
to determine if the packet is unicast or broadcast.
6. What provides Visibility and awareness into what is currently occurring on
the network?
A. CMX
B. WMI
C. Prime Infrastructure
D. Telemetry
7. Refer to the exhibit. Which command was used to display this output?
A. show dot1x all
B. show dot1x
C. show dot1x all summary
D. show dot1x interface gi/0/12
8. How does Cisco Stealthwatch Cloud provide security for cloud
environments?
A. It delivers visibility and threat detection.
B. It prevents exfiltration of sensitive data.
C. It assigns Internet-based DNS protection for clients and servers.
D. It facilitates secure connectivity between public and private networks.
9. Refer to the exhibit. Which command was used to generate this output and
to show which ports are authenticating with dot1x or MAB?
A. show authentication registrations
B. show authentication method
C. show dot1x all
D. show authentication sessions
10. What are two Detection and Analytics Engines of Cognitive Threat
Analytics? (Choose two).
A. Data exfiltration
B. Command and control communication
C. Intelligent proxy
D. Snort
E. URL categorization
11. What Cisco command shows you the status of an 802.1x connection on
interface gi0/1?
A. show authorization status
B. show authen sess int gi0/1
C. show connection status gi0/1
D. show ver gi0/1
12. A malicious user gained network access by spoofing printer connections
that were authorized using MAB on four different switch ports at the same
time. What two catalyst switch security features will prevent further
violations? (Choose two).
A. DHCP Snooping
B. 802.1AE MacSec
C. Port security
D. IP Device tracking
E. Dynamic ARP inspection
F. Private VLANs
13. How is ICMP used as an exfiltration technique?
A. By flooding the destination host with unreachable packets.
B. By sending large numbers of ICMP packets with a targeted host's source IP
address using an IP broadcast address.
C. By encrypting the payload in an ICMP packet to carry out command and
control tasks on a compromised host.
D. By overwhelming a targeted host with ICMP echo-request packets.
14. An engineer needs a solution for TACACS+ authentication and
authorization for device administration. The engineer also wants to enhance
wired and wireless network security by requiring users and endpoints to use
802.1x, MAB, or WebAuth. Which product meets all of these requirements?
A. Cisco Prime Infrastructure
B. Cisco Identity Services Engine
C. Cisco Stealthwatch
D. Cisco AMP for Endpoints
15. When wired 802.1x authentication is implemented, which two
components are required? (Choose two).
A. Authentication Server: Cisco Identity Service Engine
B. Supplicant: Cisco AnyConnect ISE Posture module
C. Authenticator: Cisco Catalyst switch
D. Authenticator: Cisco Identity Services Engine
E. Authentication server: Cisco Prime Infrastructure

Chapter 6: Answers
1. Which command enables 802.1x globally on a Cisco switch?
A. dot1x system-auth-control
To globally enable 802.1x authentication on the switch, use the dot1x
system-auth-control command in Global Configuration mode.
2. Where are individual sites specified to be blacklisted in Cisco Umbrella?
D. Destination lists
Cisco Umbrella offers security protection for both Home and Enterprise users
through filtering DNS requests. A "destination list" can be blocked or
allowed based on the administrative preferences for the policies applied to the
identities within your organization.
3. How is Cisco Umbrella configured to log only security events?
A. Per policy
The configuration is done per policy in the advanced settings page from the
Multi-org Console and Centralized settings.
4. On which part of the IT environment does DevSecOps focus?
A. Application development
DevSecOps is about introducing security earlier in the life cycle of
application development, thus minimizing vulnerabilities and bringing
security closer to IT and business objectives.
5. What is a characteristic of traffic storm control behavior?
A. Traffic storm control drops all broadcast and multicast traffic
if the combined traffic exceeds the level within the interval.
Traffic storm control is implemented in hardware. The traffic storm control
circuitry monitors packets passing from a LAN interface to the switching bus.
Using the Individual/Group bit in the packet destination address, the traffic
storm control circuitry determines if the packet is unicast or broadcast, keeps
track of the current count of packets within the 1-second interval and when
the threshold is reached, traffic storm control filters out subsequent packets.
6. What provides Visibility and awareness into what is currently occurring on
the network?
D. Telemetry
CMX - Cisco CMX is a software solution that uses location and other
intelligence from Cisco wireless infrastructure to generate analytics and
deliver relevant services to customers on their mobile devices.
WMI - Windows Management Instrumentation is a set of specifications from
Microsoft for consolidating the management of devices and applications in a
network.
Prime Infrastructure - simplifies the management of wireless and wired
networks. It offers Day 0 and Day 1 provisioning.
Telemetry - is a new approach for network monitoring in which data is
streamed from network devices continuously using a push model and
provides near real-time access to operational statistics.
7. Refer to the exhibit. Which command was used to display this output?
A. show dot1x all
The show dot1x all command was used to create the output.
8. How does Cisco Stealthwatch Cloud provide security for cloud
environments?
A. It delivers visibility and threat detection.
Stealthwatch provides enterprise class visibility into both public and private
cloud infrastructures.
9. Refer to the exhibit. Which command was used to generate this output and
to show which ports are authenticating with dot1x or MAB?
B. show authentication method
The show authentication method command was used to generate the output.
10. What are two Detection and Analytics Engines of Cognitive Threat
Analytics? (Choose two).
A. Data exfiltration
B. Command and control communication
The Detection and Analytics engines provided by Cognitive Threat
Analytics are: Data Exfiltration, Domain-generation algorithm, Exploit Kit,
Tunneling through HTTP and HTTPS requests, and Command-and-control
(C2) communication.
11. What Cisco command shows you the status of an 802.1x connection on
interface gi0/1?
B. show authen sess int gi0/1
The abbreviated command expands to show authentication sessions interface
gi0/1, which shows the status of the 802.1x session on that interface.
12. A malicious user gained network access by spoofing printer connections
that were authorized using MAB on four different switch ports at the same
time. What two catalyst switch security features will prevent further
violations? (Choose two).
B. 802.1AE MacSec
F. Private VLANs
MACsec is the IEEE 802.1AE standard for authenticating and encrypting
packets between two MACsec-capable devices. Putting the printers in a
Private VLAN and controlling who the printers can initiate communication
with should mitigate further compromise.
13. How is ICMP used as an exfiltration technique?
C. By encrypting the payload in an ICMP packet to carry out
command and control tasks on a compromised host.
Using the payload of a ping packet (ICMP echo), programs can be set up to
use the payload as a command and control channel. Encrypting the data
obfuscates it from detection engines.
14. An engineer needs a solution for TACACS+ authentication and
authorization for device administration. The engineer also wants to enhance
wired and wireless network security by requiring users and endpoints to use
802.1x, MAB, or WebAuth. Which product meets all of these requirements?
B. Cisco Identity Services Engine
Cisco Identity Services Engine (ISE) is a network administration product that
enables the creation and enforcement of security and access policies for
endpoint devices connected to the company's routers, switches, and diverse
devices.
15. When wired 802.1x authentication is implemented, which two
components are required? (Choose two).
A. Authentication Server: Cisco Identity Service Engine
C. Authenticator: Cisco Catalyst switch
The end device, the supplicant, requests access to the network through the
802.1x authenticator, a Cisco Catalyst switch for example, and is
authenticated against an authentication server such as Cisco Identity
Services Engine.