350-701 Exam Dumps - Cisco CCNP Security Questions and Answers

Application visibility and control (AVC) is a solution that leverages multiple technologies to recognize, analyze, and control over 1000 applications, including voice and video, email, file sharing, gaming, peer-to-peer (P2P), and cloud-based applications1. One of the key components of AVC is application recognition, which uses stateful deep packet inspection (DPI) to identify applications within the network traffic flow, using L3 to L7 data2. DPI is a technique that examines the content of packets beyond the header information, and can classify applications based on their signatures, protocols, ports, or other attributes3. DPI enables AVC to monitor and control application performance, bandwidth usage, quality of service, and security policies4. References := 1: Cisco Application Visibility and Control (AVC) - Cisco 2: Cisco Application Visibility and Control User Guide - Technology Overview 3: What is application visibility and control? | Juniper Networks US 4: Application visibility and control - Secure Internet Access Enterprise

 The open standard that creates a framework for sharing threat intelligence in a machine-digestible format is STIX (Structured Threat Information Expression). STIX is a language and serialization format that enables the exchange of cyber threat information across organizations, tools, and platforms. STIX defines a common vocabulary and data model for representing various types of threat intelligence, such as indicators, observables, incidents, campaigns, threat actors, courses of action, and more. STIX also supports the expression of context, relationships, confidence, and handling of the threat information. STIX aims to improve the speed, accuracy, and efficiency of threat detection, analysis, and response.

STIX is often used in conjunction with TAXII (Trusted Automated Exchange of Indicator Information), which is a protocol and transport mechanism that enables the secure and automated communication of STIX data. TAXII defines how to request, send, receive, and store STIX data using standard methods and formats, such as HTTPS, JSON, and XML. TAXII supports various exchange models, such as hub-and-spoke, peer-to-peer, or subscription-based. TAXII enables the interoperability and scalability of threat intelligence sharing among different systems and organizations.

 Multifactor authentication (MFA) is a solution that requires the user to provide two or more verification factors to gain access to a resource, such as an application, online account, or a VPN. MFA is more secure than the traditional use of a username and password because it reduces the risk of identity theft, phishing, and credential compromise. MFA can use different types of factors, such as something the user knows (e.g., password, PIN), something the user has (e.g., smartphone, token, smart card), or something the user is (e.g., fingerprint, facial recognition). MFA can be implemented using various methods, such as security defaults, Conditional Access policies, or third-party solutions123. References:

https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661

https://www.onelogin.com/learn/what-is-mfa

The crypto isakmp key command is used to configure a preshared key for ISAKMP authentication between two peers. The address 0.0.0.0 indicates that the key is valid for any peer address. Therefore, the same command must be entered on hostB with the same password in order to establish the tunnel with hostA. Changing the protocol to ikev2, using a different password, or changing the password to the default will not solve the problem, as they will create a mismatch in the authentication parameters. References:

Dynamic Multipoint VPN Configuration Guide, Cisco IOS Release 15M&T, section “Prerequisites for Dynamic Multipoint VPN (DMVPN)”

DMVPN - Concepts & Configuration, section “DMVPN - What is it?”

DMVPN Hub as the CA Server for the DMVPN Network Configuration Example, section “Prerequisites”

Using an Internet browser to access cloud-based service creates the risk of insecure implementation of API. API stands for Application Programming Interface, which is a set of rules and protocols that allow different applications or services to communicate and exchange data. API is often used to access cloud-based service, such as software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS). However, if the API is not implemented securely, it can expose sensitive data or allow unauthorized access to the cloud service. For example, an API may not use encryption, authentication, or authorization mechanisms to protect the data in transit or at rest. An API may also have vulnerabilities such as injection, broken authentication, or insufficient logging and monitoring, which can be exploited by attackers to compromise the cloud service or the user’s browser. Therefore, it is important to follow the best practices and standards for secure API development and testing, such as OWASP API Security Top 10. References:

1: Implementing and Operating Cisco Security Core Technologies (SCOR) - Cisco

2: 350-701 SCOR - Cisco

3: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0

4: 12 Cloud Security Issues: Risks, Threats & Challenges - CrowdStrike

5: 12 Risks, Threats, & Vulnerabilities in Moving to the Cloud - SEI Blog

6: Remote Browser Isolation Protects Users from Threats - Cisco Umbrella

7: Which risk is created when using an Internet browser to access cloud-based service?

8: Browser in the Cloud: The Evolution of Secure Browsing - Leostream

[9]: OWASP API Security Top 10 2023

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/access_control_using_intrusion_and_file_policies.html#:~:text=File%20Policies-,Access%20Control%20Traffic%20Handling%20with%20Intrusion%20and%20File%20Policies,-The%20following%20diagram

the first three access control rules in the policy—Monitor, Trust, and Block—cannot inspect matching traffic. Monitor rules track and log but do not inspect network traffic, so the system continues to match traffic against additional rules to determine whether to permit or deny it

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/access_control_rules.html#:~:text=Rule%20Blocking%20Actions-,Access%20Control%20Rule%20Allow%20Action,network%20discovery%20policy%3B%20additionally%2C%20application%20discovery%20is%20limited%20for%20encrypted%20sessions.,-Related%20Concepts

3DES is a symmetric-key block cipher that applies the DES algorithm three times to each data block. It was developed to improve the security of DES, which has a small key size and is vulnerable to brute-force attacks. 3DES encrypts traffic by using three different keys, each 56 bits long, to perform three rounds of encryption on the plaintext. The encryption process can be described as follows:

Encrypt the plaintext with the first key (K1).

Decrypt the result with the second key (K2).

Encrypt the result again with the third key (K3).

The final ciphertext is the output of the third encryption. The decryption process is the reverse of the encryption process, using the same keys in reverse order:

Decrypt the ciphertext with the third key (K3).

Encrypt the result with the second key (K2).

Decrypt the result again with the first key (K1).

The final plaintext is the output of the third decryption. 3DES is more secure than DES because it uses a longer effective key length of 168 bits (56 x 3), which makes brute-force attacks more difficult. However, 3DES is also slower than DES because it requires three times more computations. Moreover, 3DES has some weaknesses, such as the meet-in-the-middle attack, which can reduce the effective key length to 112 bits. Therefore, 3DES is not recommended for new applications and has been deprecated by NIST since 201712

References := 1: NIST Special Publication 800-67 Revision 2 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher 2: What is 3DES encryption and how does DES work? | Comparitech

Time synchronization is one of the features that can be configured for managed devices in the device platform settings of the Firepower Management Center (FMC). Time synchronization ensures that the FMC and its managed devices have the same date and time settings, which is important for accurate event logging and reporting. The FMC can act as a Network Time Protocol (NTP) server for its managed devices, or it can use an external NTP server as a time source1. The FMC can also synchronize its time with the system clock of the device where it is installed2. References := 1: Firepower Management Center Device Configuration Guide, 7.1 - Platform Settings 2: Firepower Management Center Configuration Guide, Version 6.6 - Device Management Basics

 A security application that notifies a controller within a software-defined network architecture about a specific security threat is using a northbound API. A northbound API is an interface that enables communication between the SDN controller and the applications or management systems that use the network services1. A security application can use a northbound API to send alerts, requests, or commands to the SDN controller, which can then take appropriate actions on the network devices or policies2. For example, a security application can use a northbound API to inform the SDN controller about a malicious traffic pattern, and the SDN controller can then block or redirect the traffic using a southbound API3.

 1: What is Software-Defined Networking (SDN)? | VMware Glossary 2: Intent-Based Networking’s Next Evolution: The DNA Center Platform - Cisco Blogs 3: Cisco SDN Security: Securing the Software Defined Network - Cisco

 Cisco Advanced Malware Protection (AMP) for Endpoints is a cloud-based solution that provides endpoint protection against malware and advanced threats. It can be deployed in different architectures depending on the customer’s needs and preferences. One of the deployment options is the private cloud, which is designed to keep data within a network perimeter. In this option, the customer hosts the AMP for Endpoints console and the AMP cloud on their own infrastructure, and the endpoints connect to the private cloud for analysis and policy enforcement. This option provides more control and privacy over the data, but also requires more resources and maintenance from the customer. The other deployment options are the public cloud, which uses the Cisco-hosted AMP cloud and console, and the hybrid cloud, which uses a combination of the public and private clouds123 References: 1: Protecting Against Malware Threats with Cisco AMP for Endpoints (SSFAMP) course overview 2: Cisco Secure Endpoint (Formerly AMP for Endpoints) - Cisco 3: Cisco Advanced Malware Protection for Endpoints - Zones

NTP uses UDP port 123 to communicate with its servers and peers. If the Cisco ASA has IP reachability to the NTP server and is not filtering any traffic, then the most likely cause of the unsynchronized state and the stratum of 16 is that the NTP server is not working properly or is not configured to provide NTP service. A stratum of 16 means that the NTP server is unreachable or is not considered a viable candidate1. The value.INIT. in the refid column indicates that NTP is initializing, and the server has not yet been reached1. To resolve this issue, the network engineer should verify the status and configuration of the NTP server, and use a different server if needed. Alternatively, the network engineer can use the ntp server command with the prefer keyword to specify a preferred NTP server, or use the ntp update-calendar command to force a resynchronization of NTP2. References:

1: NTP server is unsynchronized or unreachable, a Wireshark perspective.

2: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Network Security, Lesson 1.3: Configuring Network Time Protocol.

Explanation

Each of the ASAs interfaces need to be grouped into one or more bridge groups. Each of these groups acts as an independent transparent firewall. It is not possible for one bridge group to communicate with another bridge group without assistance from an external router.

As of 8.4(1) upto 8 bridge groups are supported with 2-4 interface in each group. Prior to this only one bridge group was supported and only 2 interfaces.

Up to 4 interfaces are permitted per bridge–group (inside, outside, DMZ1, DMZ2)

Explanation

The term ‘rootkit’ originally comes from the Unix world, where the word ‘root’ is used to describe a user with the

highest possible level of access privileges, similar to an ‘Administrator’ in Windows. The word ‘kit’ refers to the

software that grants root-level access to the machine. Put the two together and you get ‘rootkit’, a program that

gives someone – with legitimate or malicious intentions – privileged access to a computer.

There are four main types of rootkits: Kernel rootkits, User mode rootkits, Bootloader rootkits, Memory rootkits