Table of Contents
Implementing and Operating Cisco Security Core Technologies (350-701)
Chapter 1: Security Concepts
Chapter 1: Answers
Chapter 2: Network Security
Chapter 2: Answers
Chapter 3: Securing the Cloud
Chapter 3: Answers
Chapter 4: Content Security
Chapter 4: Answers
Chapter 5: Endpoint Protection and Detection
Chapter 5: Answers
Chapter 6: Secure Network Access, Visibility, and Enforcement
Chapter 6: Answers
1. Which two activities can be done using Cisco DNA Center? (Choose two).
A. DHCP
B. Design
C. Accounting
D. DNS
E. Provision
2. Which two endpoint measures are used to minimize the chances of falling
victim to phishing and social engineering attacks? (Choose two).
A. Patch for cross-site scripting.
B. Perform backups to the private cloud.
C. Protect against input validation and character escapes in the endpoint.
D. Install a spam and virus email filter.
E. Protect systems with an up-to-date antimalware program.
3. What is the primary difference between an Endpoint Protection Platform
and an Endpoint Detection and Response?
A. EPP focuses on prevention, and EDR focuses on advanced threats that
evade perimeter defenses.
B. EDR focuses on prevention, and EPP focuses on advanced threats that
evade perimeter defenses.
C. EPP focuses on network security, and EDR focuses on device security.
D. EDR focuses on network security, and EPP focuses on device security.
4. Which functions of an SDN architecture require southbound APIs to
enable communication?
A. SDN controller and the network elements
B. Management console and the SDN controller
C. Management console and cloud
D. SDN controller and the cloud
5. Which two REST API request types are valid on the Cisco ASA platform?
(Choose two).
A. put
B. options
C. get
D. push
E. connect
6. What can be integrated with Cisco Threat Intelligence Director to provide
information about security threats which allows the SOC to proactively
automate responses to those threats?
A. Cisco Umbrella
B. External Threat Feeds
C. Cisco Threat Grid
D. Cisco Stealthwatch
7. Which attack is commonly associated with C and C++ programming
languages?
A. Cross-site scripting
B. Water holing
C. DDoS
D. Buffer overflow
8. Which two prevention techniques are used to mitigate SQL injection
attacks? (Choose two).
A. Check integer, float, or Boolean string parameters to ensure accurate
values.
B. Use prepared statements and parameterized queries.
C. Secure the connection between the web and the app tier.
D. Write SQL code instead of using object-relational mapping libraries.
E. Block SQL code execution in the web application database login.
9. Which two application layer preprocessors are used by Firepower Next
Generation Intrusion Prevention System? (Choose two).
A. SIP
B. Inline normalization
C. SSL
D. Packet decoder
E. Modbus
10. The main function of northbound APIs in the SDN architecture is to
enable communication between which two areas of a network?
A. SDN controller and the cloud
B. Management and the SDN controller
C. Management console and the cloud
D. SDN controller and the management solution
11. Which two services must remain as on-premises equipment when a
hybrid email solution is deployed? (Choose two).
A. DDoS
B. Antispam
C. Antivirus
D. Encryption
E. DLP
12. Which two kinds of attacks are prevented by multifactor authentication?
(Choose two).
A. phishing
B. brute force
C. man-in-the-middle
D. DDoS
E. teardrop
13. Which two preventive measures are used to control cross-site scripting?
(Choose two).
A. Enable client-side scripts on a per-domain basis.
B. Incorporate contextual output encoding/escaping.
C. Disable cookie inspection in the HTML inspection engine.
D. Run untrusted HTML input through an HTML sanitization engine.
E. SameSite cookie attribute should not be used.
14. Which policy is used to capture host information on the Cisco Firepower
Next Generation Intrusion Prevention System?
A. Correlation
B. Intrusion
C. Access control
D. Network discovery
15. In which form of attack is alternate encoding, such as hexadecimal
representation, most often observed?
A. Smurf
B. Distributed denial of service
C. Cross-site scripting
D. Rootkit exploit
16. Which two conditions are prerequisites for stateful failover for IPsec?
(Choose two).
A. Only the IKE configuration that is set up on the active device must be
duplicated on the standby device; the IPsec configuration is copied
automatically.
B. The active and standby devices can run different versions of the Cisco IOS
software but must be the same type of device.
C. The IPSec configuration that is set up on the active device must be
duplicated on the standby device.
D. Only the IPsec configuration that is set up on active device must be
duplicated on the standby device, the IKE configuration is copied
automatically.
E. The active and standby devices must run the same version of the Cisco
IOS software and must be the same type of device.
17. What is the result of running the crypto isakmp key ciscXXXXXXXX
address 172.16.0.0 command?
A. Authenticates the IKEv2 peers in the 172.16.0.0/16 range by using the key
ciscXXXXXXXX
B. Authenticates the IP address of the 172.16.0.0/32 peer by using the key
ciscXXXXXXXX
C. Authenticates the IKEv1 peers in the 172.16.0.0/16 range by using the key
ciscXXXXXXXX
D. Secures all the certificates in the IKE exchange by using the key
ciscXXXXXXXX
18. Which two key and block sizes are valid for AES? (Choose two).
A. 64-bit block size, 112-bit key length
B. 64-bit block size, 168-bit key length
C. 128-bit block size, 192-bit key length
D. 128-bit block size, 256-bit key length
E. 192-bit block size, 256-bit key length
19. Elliptic curve cryptography is a stronger, more efficient cryptography
method meant to replace which current encryption technology?
A. 3DES
B. RSA
C. DES
D. AES
20. What is the difference between deceptive phishing and spear phishing?
A. Deceptive phishing is an attack aimed at a specific user in the
organization who holds a C-level position.
B. A spear phishing campaign is aimed at a specific person versus a group of
people.
C. Spear phishing is when the attack is aimed at the C-level executives of an
organization.
D. Deceptive phishing hijacks and manipulates the DNS server of the victim
and redirects the user to a false webpage.
21. The Cisco ASA must support TLS proxy for encrypted Cisco Unified
Communications traffic. Where must the ASA be added on the Cisco UC
Manager platform?
A. Certificate Trust List
B. Endpoint Trust List
C. Enterprise Proxy Service
D. Secured Collaboration Proxy
22. Which API is used for Content Security?
A. NX-OS API
B. IOS API
C. OpenVuln API
D. AsyncOS API
23. Which two mechanisms are used to control phishing attacks? (Choose
two).
A. Enable browser alerts for fraudulent websites.
B. Define security group memberships.
C. Revoke expired CRL of the websites.
D. Use antispyware software.
E. Implement email filtering techniques.
24. Which flaw does an attacker leverage when exploiting SQL injection
vulnerabilities?
A. User input validation in a web page or web application.
B. Linux and Windows operating systems.
C. Database.
D. Web page images.
25. Which of the following technologies relate to Advanced Malware
Protection?
A. Superior threat prevention and mitigation for known and unknown threats.
B. Detection, blocking, tracking, analysis, and remediation to protect against
targeted persistent malware attacks.
C. Combined integrated solution of strong defense and web protection,
visibility, and controlling solutions.
D. Application-layer control and ability to enforce usage and tailor detection
policies based on custom applications and URLs.
26. Which algorithm provides encryption and authentication for data plane
communication?
A. AES-GCM
B. SHA-96
C. AES-256
D. SHA-384
27. Which of the following technologies is considered a Cisco Web Security
Appliance?
A. Combined integrated solution of strong defense and web protection,
visibility, and controlling solutions.
B. Superior threat prevention and mitigation for known and unknown threats.
C. Application-layer control and ability to enforce usage and tailor detection
policies based on custom applications and URLs.
D. Detection, blocking, tracking, analysis, and remediation to protect against
targeted persistent malware attacks.
28. Which two descriptions of AES encryption are true? (Choose two).
A. AES is less secure than 3DES.
B. AES is more secure than 3DES.
C. AES can use a 168-bit key for encryption.
D. AES can use a 256-bit key for encryption.
E. AES encrypts and decrypts a key three times in sequence.
29. Which action controls the amount of URI text that is stored in Cisco
WSA log files?
A. Configure the datasecurityconfig command.
B. Configure the advancedproxyconfig command with the HTTPS
subcommand.
C. Configure a small log-entry size.
D. Configure a maximum packet size.
30. Which of the following technologies is considered a Next Generation
Intrusion Prevention System?
A. Detection, blocking, tracking, analysis, and remediation to protect against
targeted persistent malware attacks.
B. Application-layer control and ability to enforce usage and tailor detection
policies based on custom applications and URLs.
C. Superior threat prevention and mitigation for known and unknown threats.
D. Combined integrated solution of strong defense and web protection,
visibility, and controlling solutions.
31. Which feature is supported when deploying Cisco ASA within AWS
public cloud?
A. Multiple context mode
B. User deployment of Layer 3 networks
C. IPv6
D. Clustering
32. Which proxy mode must be used on Cisco WSA to redirect TCP traffic
with WCCP?
A. Transparent
B. Redirection
C. Forward
D. Proxy gateway
33. Which Talos reputation center allows you to track the reputation of IP
addresses for email and web traffic?
A. IP Blacklist center
B. File Reputation Center
C. AMP Reputation Center
D. IP and Domain Reputation Center
34. Which of the following technologies relates to Application control and
URL filtering?
A. Application-layer control and ability to enforce usage and tailor detection
policies based on custom applications and URLs.
B. Combined integrated solution of strong defense and web protection,
visibility, and controlling solutions.
C. Detection, blocking, tracking, analysis, and remediation to protect against
targeted persistent malware attacks.
D. Superior threat prevention and mitigation for known and unknown threats.
35. Which statement about the configuration of Cisco ASA NetFlow v9
Secure Event Logging is true?
A. To view bandwidth usage for NetFlow records, the QoS feature must be
enabled.
B. A Sysopt command can be used to enable NSEL on a specific interface.
C. NSEL can be used without a collector configured.
D. A flow-export event type must be defined under a policy.
Chapter 1: Answers
1. Which two activities can be done using Cisco DNA Center? (Choose two).
B. Design
E. Provision
Cisco DNA (Digital Network Architecture) Center is the network
management, analytics, and command center for an enterprise intent-based
network. It lets you deploy networks in minutes rather than days, and its
intuitive workflows make it easy to design, provision, and apply policy
across your network.
2. Which two endpoint measures are used to minimize the chances of falling
victim to phishing and social engineering attacks? (Choose two).
D. Install a spam and virus email filter.
E. Protect systems with an up-to-date antimalware program.
Having up-to-date antimalware on the local system and a spam/email filter
are both countermeasures to phishing and social engineering. Input
validation is itself a defense, not something to protect against. Backups do
not prevent phishing, and cross-site scripting is not something that is
patched on the endpoint; it is handled by validating input and encoding
output at the time the data is processed.
3. What is the primary difference between an Endpoint Protection Platform
and an Endpoint Detection and Response?
A. EPP focuses on prevention, and EDR focuses on advanced
threats that evade perimeter defenses.
EPP (Endpoint Protection Platform) covers traditional anti-malware scanning
(Prevention), whereas EDR (Endpoint Detection and Response) covers some
more advanced capabilities like detecting and investigating security incidents,
and ability to remediate endpoints to pre-infection state (Advanced Threats).
4. Which functions of an SDN architecture require southbound APIs to
enable communication?
A. SDN controller and the network elements
Software-defined southbound application program interfaces (SDN
southbound APIs) are used to communicate between the SDN Controller and
the switches and routers of the network.
5. Which two REST API request types are valid on the Cisco ASA platform?
(Choose two).
A. put
C. get
REST - Representational State Transfer.
Cisco ASA API requests: GET, PUT, POST, DELETE, PATCH.
Cisco ASA API responses: LOCATION, CONTENT-TYPE.
6. What can be integrated with Cisco Threat Intelligence Director to provide
information about security threats which allows the SOC to proactively
automate responses to those threats?
B. External Threat Feeds
SOC - Security Operations Center.
Threat Intelligence Director (TID) is a system that operationalizes threat
intelligence information. The system consumes and normalizes heterogeneous
third-party cyber threat intelligence, publishes the intelligence to detection
technologies, and correlates the observations from the detection technologies.
Umbrella - Filters DNS requests.
External Threat Feeds - Proactive responses to cyber threats (malware,
ransomware, etc.).
Threat Grid - Combines advanced sandboxing with threat intelligence into
one unified solution to protect organizations from malware within AMP
(Advanced Malware Protection).
Cisco Stealthwatch - Provides enterprise-wide visibility, from the private
network to the public cloud, and applies advanced security analytics to detect
and respond to threats in real time.
7. Which attack is commonly associated with C and C++ programming
languages?
D. Buffer overflow
C and C++ are known to be subject to buffer overflows if the appropriate
checks are not applied during programming.
8. Which two prevention techniques are used to mitigate SQL injection
attacks? (Choose two).
A. Check integer, float, or Boolean string parameters to ensure
accurate values.
B. Use prepared statements and parameterized queries.
Controlling the user input is the key to mitigating SQL injection; validating
the input and using prepared (parameterized) statements are the correct
controls.
9. Which two application layer preprocessors are used by Firepower Next
Generation Intrusion Prevention System? (Choose two).
A. SIP
C. SSL
Application layer protocols can represent the same data in a variety of ways.
The Firepower System provides application layer protocol decoders that
normalize specific types of packet data into formats that the intrusion rules
engine can analyze. The following represents several application layer
preprocessors: DCE/RPC, DNS, FTP, HTTP, SIP, IMAP, POP, SMTP,
SSH, SSL, etc. Packet decoders and inline normalization are part of
Firepower NGIPS but are not application layer. Modbus evaluation is also
part of Firepower NGIPS but is a separate lower level protocol.
10. The main function of northbound APIs in the SDN architecture is to
enable communication between which two areas of a network?
D. SDN controller and the management solution
Software-defined northbound application program interfaces (SDN
northbound APIs) are used to communicate between the SDN Controller and
the services and applications (including management solutions) running over
the network.
11. Which two services must remain as on-premises equipment when a
hybrid email solution is deployed? (Choose two).
D. Encryption
E. DLP
Cisco Hybrid Email Security is a unique service offering that combines a
cloud-based email security deployment with an appliance-based email
security deployment (on premises) to provide maximum choice and control
for your organization. The cloud-based infrastructure is typically used for
inbound email cleansing, while the on-premises appliances provide granular
control—protecting sensitive information with data loss prevention (DLP)
and encryption technologies.
12. Which two kinds of attacks are prevented by multifactor authentication?
(Choose two).
A. phishing
B. brute force
Phishing attempts to obtain logon credentials, just as a brute-force attack
attempts to guess them; multifactor authentication means an additional factor
(biometric, RSA token, etc.) is needed to log in. A man-in-the-middle attack
can see the extra factor, so it is not mitigated by MFA (multifactor
authentication). DDoS and teardrop are denial-of-service attacks, again not
affected by MFA.
13. Which two preventive measures are used to control cross-site scripting?
(Choose two).
A. Enable client-side scripts on a per-domain basis.
B. Incorporate contextual output encoding/escaping.
Contextual Output Encoding - Output encoding is the process of replacing
HTML control characters (e.g. <, >, ", &, etc.) with their encoded
equivalents. This is the best mitigation against cross-site scripting attacks.
Input HTML Sanitization - Input sanitization describes cleansing and
scrubbing user input so it cannot escape its intended context and exploit
security holes such as SQL injection or XSS (cross-site scripting).
14. Which policy is used to capture host information on the Cisco Firepower
Next Generation Intrusion Prevention System?
D. Network discovery
Firepower NGIPS uses Network Discovery for (among other things) Host,
Application, and User Discovery and Identity Data. It is used for viewing
host profiles, which are complete views of all the information available for
your detected hosts.
15. In which form of attack is alternate encoding, such as hexadecimal
representation, most often observed?
C. Cross-site scripting
Cross-site scripting (XSS) is a common vulnerability on the web. XSS filters
rely on pattern-matching rules, and attackers can often bypass those rules by
using hexadecimal encoding.
16. Which two conditions are prerequisites for stateful failover for IPsec?
(Choose two).
C. The IPSec configuration that is set up on the active device must
be duplicated on the standby device.
E. The active and standby devices must run the same version of
the Cisco IOS software and must be the same type of device.
The IKE and IPsec configuration that is set up on the active device must be
duplicated on the standby device. Both the active and standby devices must
run the identical version of the Cisco IOS software, and both the active and
standby devices must be connected via hub or switch. Stateful failover for
IPsec requires that your network contains two identical routers that are
available to be either the primary or secondary device.
17. What is the result of running the crypto isakmp key ciscXXXXXXXX
address 172.16.0.0 command?
B. Authenticates the IP address of the 172.16.0.0/32 peer by using
the key ciscXXXXXXXX
Use the address keyword if the remote peer's Internet Security Association
and Key Management Protocol (ISAKMP) identity was set with its IP or IPv6
address.
18. Which two key and block sizes are valid for AES? (Choose two).
C. 128-bit block size, 192-bit key length
D. 128-bit block size, 256-bit key length
AES is a subset of the Rijndael family of algorithms with a block size of 128
bits, using three different key lengths: 128, 192, and 256 bits.
19. Elliptic curve cryptography is a stronger, more efficient cryptography
method meant to replace which current encryption technology?
B. RSA
Elliptic Curve Cryptography (ECC) is a public key/private key algorithm
designed to replace the current RSA method.
20. What is the difference between deceptive phishing and spear phishing?
B. A spear phishing campaign is aimed at a specific person
versus a group of people.
Spear phishing is an email or electronic communications scam targeted
towards a specific individual.
21. The Cisco ASA must support TLS proxy for encrypted Cisco Unified
Communications traffic. Where must the ASA be added on the Cisco UC
Manager platform?
A. Certificate Trust List
Configuring an ASA is not enough to fully incorporate the firewall into the
Cisco Unified Communications system. You must also add the ASA to the
Certificate Trust List (CTL) using the Cisco Certificate Trust List Client,
which is part of the Unified Communications Manager.
22. Which API is used for Content Security?
D. AsyncOS API
The AsyncOS API for Cisco Security Management appliances (or AsyncOS
API) is a representational state transfer (REST) based set of operations that
provide secure and authenticated access to the Security Management
appliance reports, report counters, tracking, quarantine, and configuration.
23. Which two mechanisms are used to control phishing attacks? (Choose
two).
A. Enable browser alerts for fraudulent websites.
E. Implement email filtering techniques.
Phishing attacks arrive via email spam or websites that try to steal
credentials. Browser alerts and email filtering are used to control phishing.
24. Which flaw does an attacker leverage when exploiting SQL injection
vulnerabilities?
C. Database.
A SQL injection attack involves the alteration of SQL statements that are
used within a web application through the use of attacker-supplied data.
Insufficient input validation and improper construction of SQL statements in
web applications can expose them to SQL injection attacks.
25. Which of the following technologies relate to Advanced Malware
Protection?
B. Detection, blocking, tracking, analysis, and remediation to
protect against targeted persistent malware attacks.
Advanced Malware Protection (AMP) is an intelligence-powered, integrated
enterprise-class advanced malware analysis and protection solution with
comprehensive protection for your organization across the attack continuum:
before, during, and after an attack.
26. Which algorithm provides encryption and authentication for data plane
communication?
A. AES-GCM
AES-GCM is a block cipher mode of operation that provides high-speed
authenticated encryption and data integrity. The AES-GCM algorithm
encrypts or decrypts with a 128-bit, 192-bit, or 256-bit cipher key.
27. Which of the following technologies is considered a Cisco Web Security
Appliance?
A. Combined integrated solution of strong defense and web
protection, visibility, and controlling solutions.
Cisco Secure Web Appliance protects organizations by automatically
blocking risky sites and testing unknown sites before allowing users to click
on them using TLS 1.3 and high-performance capabilities.
28. Which two descriptions of AES encryption are true? (Choose two).
B. AES is more secure than 3DES.
D. AES can use a 256-bit key for encryption.
The AES algorithm encrypts or decrypts with a 128-bit, 192-bit, or 256-bit
cipher key and is the successor to DES and 3DES.
29. Which action controls the amount of URI text that is stored in Cisco
WSA log files?
B. Configure the advancedproxyconfig command with the
HTTPS subcommand.
Using advancedproxyconfig with the HTTPS subcommand exposes the
HTTPS-related options, including HTTPS URI Logging Style (full URI or
stripquery).
30. Which of the following technologies is considered a Next Generation
Intrusion Prevention System?
C. Superior threat prevention and mitigation for known and
unknown threats.
NGIPS is a comprehensive and consistent protection platform that protects
networks against cyberattacks using intrusion detection technologies, public
and private cloud threat management, internal network segmentation and
vulnerability and patch management.
31. Which feature is supported when deploying Cisco ASA within AWS
public cloud?
B. User deployment of Layer 3 networks.
Guidelines and Limitations for the ASAv and AWS:
Supported Features: User deployment of L3 networks and more.
Unsupported Features: IPv6, VLAN, Multiple context mode, Clustering,
and more.
32. Which proxy mode must be used on Cisco WSA to redirect TCP traffic
with WCCP?
A. Transparent
In transparent mode, WCCP can be used. A WCCP v2 enabled device
(typically a router, switch, PIX, or ASA) redirects port 80.
33. Which Talos reputation center allows you to track the reputation of IP
addresses for email and web traffic?
D. IP and Domain Reputation Center
Talos' IP and Domain Data Center is the world's most comprehensive
real-time threat detection network. The data is made up of daily security
intelligence across millions of deployed web, email, firewall and IPS
appliances.
34. Which of the following technologies relates to Application control and
URL filtering?
A. Application-layer control and ability to enforce usage and
tailor detection policies based on custom applications and URLs.
Using Cisco Umbrella, you can effectively manage your user’s internet
access through category-based content web filtering, allow/block lists, and
SafeSearch browsing enforcement.
35. Which statement about the configuration of Cisco ASA NetFlow v9
Secure Event Logging is true?
D. A flow-export event type must be defined under a policy.
NSEL - NetFlow Secure Event Logging. You can configure flow-export
actions in a class map only with the match access-list, match any, or
class-default commands. You can only apply flow-export actions in a global
service policy.
Chapter 2: Network Security
20% 2.0 Network Security
2.1 Compare network security solutions that provide
intrusion prevention and firewall capabilities
2.2 Describe deployment models of network security
solutions and architectures that provide intrusion
prevention and firewall capabilities.
2.3 Describe the components, capabilities, and benefits of
NetFlow and Flexible NetFlow Records
2.4 Configure and verify network infrastructure security
methods (router, switch, wireless)
2.4.a Layer 2 methods (Network segmentation using
VLANs and VRF-lite; Layer 2 and port security;
DHCP snooping; Dynamic ARP inspection; storm
control; PVLANs to segregate network traffic; and
defenses against MAC, ARP, VLAN hopping, STP,
and DHCP rogue attacks)
2.4.b Device hardening of network infrastructure
security devices (control plane, data plane,
management plane, and routing protocol security)
2.5 Implement segmentation, access control policies,
AVC, URL filtering, and malware protection
2.6 Implement management options for network security
solutions such as intrusion prevention and perimeter
security (Single vs. multidevice manager, in-band vs.
out-of-band, CDP, DNS, SCP, SFTP, and DHCP
security and risks)
2.7 Configure AAA for device and network access
(authentication and authorization, TACACS+,
RADIUS and RADIUS flows, accounting, and dACL)
2.8 Configure secure network management of perimeter
security and infrastructure devices (secure device
management, SNMPv3, views, groups, users,
authentication, and encryption, secure logging, and
NTP with authentication)
2.9 Configure and verify site-to-site VPN and remote
access VPN
2.9.a Site-to-site VPN utilizing Cisco routers and IOS
1. Which of the following is a characteristic of Dynamic ARP Inspection?
A. DAI determines the validity of an ARP packet based on valid IP to MAC
address bindings from the DHCP snooping binding database.
B. In a typical network, make all ports as trusted except for the ports
connecting to switches, which are untrusted.
C. DAI associates a trust state with each switch.
D. DAI all ARP requests and responses on trusted ports only.
2. Which ID store requires that a shadow user be created on Cisco ISE for the
admin login to work?
A. RSA SecurID
B. Internal Database
C. Active Directory
D. LDAP
3. Which VPN Technology can support a multivendor environment and
secure traffic between sites?
A. SSL
B. GET VPN
C. FlexVPN
D. DMVPN
4. Which SNMPv3 configuration must be used to support the strongest
security possible?
A. asa-host(config)#snmp-server group myv3 v3 priv
asa-host(config)#snmp-server user andy myv3 auth sha cisco priv des ciscXXXXXXXX
asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
Chapter 3: Answers
1. What is the function of Cisco Cloudlock for data security?
A. Data loss prevention
Cloudlock uses DLP technology to monitor cloud environments as well as
application security using an app firewall and crowd-sourced Community
Trust Rating.
2. Which cloud service model offers an environment for cloud consumers to
develop and deploy applications without needing to manage or maintain the
underlying cloud infrastructure?
A. PaaS
SaaS - Software as a Service - The user only runs a software application, with
no access to the OS or programming.
PaaS - Platform as a Service - The user has access to the OS to develop
applications or run their own programs.
IaaS - Infrastructure as a Service - The user has a virtual machine and installs
their own OS and applications into it.
XaaS - Everything as a Service - The user has a variety of services and
applications on demand over the Internet.
3. In a PaaS model, which layer is the tenant responsible for maintaining and
patching?
D. Application
PaaS - Platform as a Service - The user has access to the OS to develop
applications or run their own programs. The application being developed is
the responsibility of the tenant.
4. Which solution protects hybrid cloud deployment workloads with
application visibility and segmentation?
D. Tetration
Cisco Tetration is available as an on-premises deployment option with high
scalability, high availability, and a horizontally scalable architecture, which
makes it suitable for large enterprise data centers with data residency and
privacy requirements.
5. Which deployment model is the most secure when considering risks to
cloud operation?
D. Private cloud
In Private Cloud, all cloud operations are implemented on premises at the
local enterprise. It can spread to multiple enterprise data centers but is only
on the enterprise equipment. This isolation from the public space allows the
highest level of security.
6. What does the Cloudlock Apps Firewall do to mitigate security concerns
from an application perspective?
B. It discovers and controls cloud apps that are connected to a
company's corporate environment.
The Cloudlock Apps Firewall discovers and controls cloud apps connected to
your corporate environment. You can see a crowd-sourced Community Trust
Rating for individual apps, and you can ban or whitelist them based on risk.
7. What is the primary benefit of deploying an ESA in hybrid mode?
C. It provides maximum protection and control of outbound
messages.
Cisco Hybrid Email Security is a unique service offering that combines a
cloud-based email security deployment with an appliance-based email
security deployment (on premises) to provide maximum choice and control
for your organization. The cloud-based infrastructure is typically used for
inbound email cleansing, while the on-premises appliances provide granular
control—protecting sensitive information with data loss prevention (DLP)
and encryption technologies.
8. In which cloud services model is the tenant responsible for virtual machine
OS patching?
A. IaaS
IaaS - Infrastructure as a Service provides just the infrastructure needs
(compute, memory, storage) and the client is responsible for the OS.
1. Why would a user choose an on-premises ESA versus the CES solution?
A. Sensitive data must remain onsite.
B. Demand is unpredictable.
C. The server team wants to outsource this service.
D. ESA is deployed inline.
2. What is a required prerequisite to enable malware file scanning for the
Secure Internet Gateway?
A. Enable IP Layer enforcement.
B. Activate the Advanced Malware Protection license.
C. Activate SSL decryption.
D. Enable Intelligent Proxy.
3. An engineer is configuring AMP for endpoints and wants to block certain
files from executing. Which outbreak control method is used to accomplish
this task?
A. Device flow correlation
B. Simple detections
C. Application blocking list
D. Advanced custom detections
4. Refer to the exhibit. What is a result of the configuration?
B. 2-4-1-3
The correct order is:
Configure a Machine Agent or SIM Agent = Step 1
Install monitoring extension for AWS EC2 = Step 2
Update config.yaml = Step 3
Restart the Machine Agent = Step 4
8. An engineer is configuring a Cisco ESA and wants to control whether to
accept or reject email messages to a recipient address. Which list contains the
allowed recipient addresses?
D. RAT
RAT - Recipient Access Table
HAT - Host Access Table
BAT/SAT - unknown
9. Which two capabilities does TAXII support? (Choose two).
A. exchange
B. pull messaging
TAXII - Trusted Automated eXchange of Indicator Information. TAXII is an
exchange utility using Pull Messaging, Push Messaging, Discovery, and
Query.
10. After deploying a Cisco ESA on your network, you notice that some
messages fail to reach their destinations. Which task can you perform to
determine where each message was lost?
A. Configure the trackingconfig command to enable message
tracking.
Message tracking is enabled with the trackingconfig command and helps
resolve help desk calls by giving a detailed view of message flow. For
example, if a message was not delivered as expected, you can determine if it
was found to contain a virus or placed in a spam quarantine — or if it is
located somewhere else in the mail stream.
11. When web policies are configured in Cisco Umbrella, what provides the
ability to ensure that domains are blocked when they host malware, command
and control, phishing, and more threats?
B. Security Category Blocking
Umbrella's Security Categories are categories of security defense. These
categories are used in creating policies and in viewing reports for when
things are blocked, or even when they are not. Security Categories include:
Malware, Newly Seen Domains, Command and Control Callbacks, Phishing
Attacks, Dynamic DNS, Potentially Harmful Domains, DNS Tunneling, and
Cryptomining.
12. Which Cisco solution does Cisco Umbrella integrate with to determine if a
URL is malicious?
D. Talos
Cisco Umbrella uses Cisco Talos and other third-party feeds to determine if a
URL is malicious. Talos is Cisco's threat intelligence organization.
13. What is the purpose of the Decrypt for Application Detection feature
within the WSA Decryption options?
D. It provides enhanced HTTPS application detection for
AsyncOS.
Decrypt for Application Detection: Enhances the ability of AsyncOS to detect
HTTPS applications. The HTTPS Proxy can decrypt HTTPS connections to
web applications.
14. What is the primary role of the Cisco Email Security Appliance?
B. Mail Transfer Agent
Cisco Email Security Appliance (ESA) protects the email infrastructure and
network users who use email at work by filtering unsolicited and malicious
email before it reaches the user. Cisco ESA easily integrates into existing
email infrastructures by acting as a Mail Transfer Agent (MTA), or mail
relay.
15. How does Cisco Umbrella archive logs to an enterprise-owned storage?
D. By being configured to send logs to a self-managed AWS S3
bucket.
Umbrella has the ability to store logs to an Amazon S3 bucket. By having
your logs uploaded to an S3 bucket, you can then automatically download
logs so that you can keep them in perpetuity in backup storage outside of
Umbrella's data warehouse storage system.
16. What is a language format designed to exchange threat intelligence that
can be transported over the TAXII protocol?
A. STIX
The TAXII service uses a subset of the STIX language to describe the
incidents CTA has detected. STIX (Structured Threat Information
eXpression) is a standardized XML-based language for conveying
data about cybersecurity threats in a common format that can be easily
understood by humans and security technologies.
Chapter 5: Endpoint Protection and Detection
15% 5.0 Endpoint Protection and Detection
5.1 Compare Endpoint Protection Platforms (EPP) and Endpoint Detection & Response (EDR) solutions
5.2 Explain antimalware, retrospective security, Indication of Compromise (IOC), antivirus, dynamic file analysis, and endpoint-sourced telemetry
5.3 Configure and verify outbreak control and quarantines to limit infection
5.4 Describe justifications for endpoint-based security
5.5 Describe the value of endpoint device management and asset inventory such as MDM
5.6 Describe the uses and importance of a multifactor authentication (MFA) strategy
5.7 Describe endpoint posture assessment solutions to ensure endpoint security
5.8 Explain the importance of an endpoint patching strategy
1. What are two list types within AMP for Endpoints Outbreak Control?
(Choose two).
A. Blocked ports
B. Simple custom detections
C. Command and control
D. Allowed applications
E. URL
2. Which two conditions can be checked on an endpoint using ISE posture
assessment? (Choose two).
A. Computer identity
B. Windows service
C. User identity
D. Default browser
3. Which Cisco product provides proactive endpoint protection and allows
Administrators to centrally manage the deployment?
A. NGFW
B. AMP
C. WSA
D. ESA
4. An engineer must force an endpoint to re-authenticate an already
authenticated session without disrupting the endpoint to apply a new or
updated policy from ISE. Which CoA type achieves this goal?
A. Port Bounce
B. CoA Terminate
C. CoA Reauth
D. CoA Session Query
5. With Cisco AMP for Endpoints, which option shows a list of all files that
have been executed in your environment?
A. Vulnerable software
B. File analysis
C. Detections
D. Prevalence
E. Threat root cause
6. Which policy represents a shared set of features or parameters that define
the aspects of a managed device that are likely to be similar to other managed
devices in a deployment?
A. Group policy
B. Access control policy
C. Device management policy
D. Platform service policy
7. What are the two most commonly used authentication factors in
multifactor authentication? (Choose two).
A. Biometric factor
B. Time factor
C. Confidentiality factor
D. Knowledge factor
E. Encryption factor
8. Under which two circumstances is a CoA issued? (Choose two).
A. A new authentication rule was added to the policy on the policy Service
node.
B. An endpoint is deleted on the Identity Service Engine server.
C. A new Identity Source Sequence is created and referenced in the
authentication policy.
D. An endpoint is profiled for the first time.
E. A new Identity Service Engine server is added to the deployment with the
Administration persona.
9. Which benefit does endpoint security provide the overall security posture
of an organization?
A. It streamlines the incident response process to automatically perform
digital forensics on the endpoint.
B. It allows the organization to mitigate web-based attacks as long as the user
is active in the domain.
C. It allows the organization to detect and respond to threats at the edge of
the network.
D. It allows the organization to detect and mitigate threats that the perimeter
security devices do not.
Chapter 5: Answers
1. What are two list types within AMP for Endpoints Outbreak Control?
(Choose two).
B. Simple custom detections
D. Allowed applications
Cisco AMP (Advanced Malware Protection) for Endpoints Outbreak Control
gives you a suite of capabilities to effectively stop the spread of malware and
malware-related activities. This is accomplished with actions like custom
detections and application whitelisting.
2. Which two conditions can be checked on an endpoint using ISE posture
assessment? (Choose two).
B. Windows service
C. User identity
From the Cisco ISE (Identity Services Engine) network perspective,
concurrent endpoints can be users, personal computers, laptops, IP phones,
smart phones, gaming consoles, printers, fax machines, or any other devices
supported by the Cisco ISE network.
3. Which Cisco product provides proactive endpoint protection and allows
Administrators to centrally manage the deployment?
B. AMP
AMP - Advanced Malware Protection for Endpoints - endpoint protection, file scanning, antivirus, central management.
NGFW - Next Generation Firewall - visibility to stop threats fast and automate operations.
WSA - Web Security Appliance - automatically blocks risky websites.
ESA - Email Security Appliance - detects and blocks a variety of email-borne threats (malware, spam, etc.).
4. An engineer must force an endpoint to re-authenticate an already
authenticated session without disrupting the endpoint to apply a new or
updated policy from ISE. Which CoA type achieves this goal?
C. CoA Reauth
ISE - Identity Services Engine. CoA - Change of Authorization. Reauth
forces one connection (on a multi connection port) to reauthenticate. Port
Bounce forces all devices connected to the same port to reauthenticate.
5. With Cisco AMP for Endpoints, which option shows a list of all files that
have been executed in your environment?
D. Prevalence
Prevalence views files that have been executed in your deployment.
Vulnerable Software views applications with known vulnerabilities observed by FireAMP.
File Analysis shows details of what a binary does.
Detections views detected items that were quarantined.
Threat Root Cause shows how malware is getting into your computers.
6. Which policy represents a shared set of features or parameters that define
the aspects of a managed device that are likely to be similar to other managed
devices in a deployment?
D. Platform service policy
Platform Service Policies provide a consistent and flexible way to configure
certain security appliance features, including priority queuing, application
inspection, and QoS (quality of service).
7. What are the two most commonly used authentication factors in
multifactor authentication? (Choose two).
A. Biometric factor
D. Knowledge factor
The main authentication factors are:
Something you know - Knowledge
Something you have - RSA Token or CAC
Something you are - Biometric
8. Under which two circumstances is a CoA issued? (Choose two).
B. An endpoint is deleted on the Identity Service Engine server.
D. An endpoint is profiled for the first time.
A Change of Authorization is issued for the following:
-An Endpoint is Deleted
-An Endpoint is Profiled for the First Time
-Static Assignment of an Endpoint.
9. Which benefit does endpoint security provide the overall security posture
of an organization?
D. It allows the organization to detect and mitigate threats that
the perimeter security devices do not.
Protect insiders from threats and prevent insiders from becoming threats.
Monitor user and endpoint behavior on and off the network. Get deep
analytics on users, applications, traffic, destinations and endpoint details.
Chapter 6: Secure Network Access, Visibility, and Enforcement
15% 6.0 Secure Network Access, Visibility, and Enforcement
6.1 Describe identity management and secure network access concepts such as guest services, profiling, posture assessment and BYOD
6.2 Configure and verify network access device functionality such as 802.1X, MAB, WebAuth
6.3 Describe network access with CoA
6.4 Describe the benefits of device compliance and application control
6.5 Explain exfiltration techniques (DNS tunneling, HTTPS, email, FTP/SSH/SCP/SFTP, ICMP, Messenger, IRC, NTP)
6.6 Describe the benefits of network telemetry
6.7 Describe the components, capabilities, and benefits of these security products and solutions
6.7.a Cisco Stealthwatch
6.7.b Cisco Stealthwatch Cloud
6.7.c Cisco pxGrid
6.7.d Cisco Umbrella Investigate
6.7.e Cisco Cognitive Threat Analytics
6.7.f Cisco Encrypted Traffic Analytics
6.7.g Cisco AnyConnect Network Visibility Module (NVM)
Chapter 6: Answers
1. Which command enables 802.1x globally on a Cisco switch?
A. dot1x system-auth-control
To globally enable 802.1x authentication on the switch, use the dot1x
system-auth-control command in Global Configuration mode.
2. Where are individual sites specified to be blacklisted in Cisco Umbrella?
D. Destination lists
Cisco Umbrella offers security protection for both Home and Enterprise users
through filtering DNS requests. A "destination list" can be blocked or
allowed based on the administrative preferences for the policies applied to the
identities within your organization.
3. How is Cisco Umbrella configured to log only security events?
A. Per policy
The configuration is done per policy in the advanced settings page from the
Multi-org Console and Centralized settings.