350-701 Exam Dumps - Cisco CCNP Security Questions and Answers

The Cisco Endpoint IoC feature is a powerful incident response tool for scanning of post-compromise indicators across multiple computers. Endpoint IoCs are imported through the console from OpenIOC-based files written to trigger on file properties such as name, size, hash, and other attributes and system properties such as process information, running services, and Windows Registry entries. The IoC syntax can be used by incident responders to find specific artifacts or use logic to create sophisticated, correlated detections for families of malware. Endpoint IoCs have the advantage of being portable to share within your organization or in industry vertical forums and mailing lists. The Endpoint IoC scanner is available in AMP for Endpoints Windows Connector versions 4 and higher. Running Endpoint IoC scans may require up to 1 GB of free drive space. The Endpoint IoC feature is based on the openioc.com framework, which is an open standard for sharing threat intelligence. References:

Cisco Endpoint IOC Attributes, User Guide

What Are Indicators of Compromise (IOC)? - Cisco, Security Indicators of Compromise

General questions about AMP - Cisco Community, Post by Cisco Employee

Dual-SSID BYOD is the term for when an endpoint is associated to a provisioning WLAN that is shared with guest access, and the same guest portal is used as the BYOD portal. This flow is a unique capability of ISE where the user does not have to log in twice, as ISE can take the user information from the 802.1X session and direct the user to the BYOD flow. Once the endpoint is onboarded, it is reconnected to the secured WLAN for full network access. This flow is different from single-SSID BYOD, where the endpoint associates to a secure WLAN, gets onboarded, and then reconnects to the same WLAN12. References: 1: ISE BYOD: Dual vs. Single SSID Onboarding - Cisco Community 2: Cisco ISE BYOD Prescriptive Deployment Guide - Cisco Community

Certificate authorities (CAs) are responsible for issuing, renewing, revoking, and publishing digital certificates. They also maintain a certificate revocation list (CRL), which is a database of revoked certificates that can be checked by relying parties to verify the validity of a certificate. Registration authorities (RAs) are entities that assist CAs with the verification of user identities and enrollment requests. They do not issue certificates themselves, nor do they have access to the CRL. Therefore, CRL publishing is a function that is performed by CAs but is a limitation of RAs. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Connectivity, Lesson 4.1: VPN Fundamentals, Topic 4.1.1: Public Key Infrastructure (PKI)

Easy guide to SSL certificate authorities, Namecheap

How exactly are registration authorities related to certificate authorities?, Information Security Stack Exchange

Explanation

A posture policy is a collection of posture requirements, which are associated with one or more identity groups, and operating systems. We can configure ISE to check for the Windows patch at Work Centers > Posture > Posture Elements > Conditions > File.

In this example, we are going to use the predefined file check to ensure that our Windows 10 clients have the critical security patch installed to prevent the Wanna Cry malware.

To implement external authentication against Active Directory, the Cisco ISE server needs to communicate with the domain controller using either RADIUS or LDAP protocols. RADIUS is used for network access control, while LDAP is used for identity management and directory services. Both protocols require the appropriate ports to be opened and firewall rules to be configured to allow the traffic between the ISE server and the domain controller.

The ISE account does not need to be a domain administrator in Active Directory to perform JOIN operations. It only needs to have the permissions to create computer objects and reset passwords in the domain. This can be achieved by delegating the rights to a specific OU or using a service account with limited privileges.

Active Directory supports user and machine authentication by using various methods, not only MSCHAPv2. MSCHAPv2 is a challenge-response authentication protocol that is commonly used with RADIUS and VPN connections. However, Active Directory also supports other protocols such as Kerberos, NTLM, EAP, and PEAP, depending on the scenario and the client capabilities.

Cisco Stealthwatch - rapidly collects and analyzes netflow and telementy data to deliver in-depth visibility and understanding of network traffic

Cisco ISE – obtains contextual identity and profiles for all users and device

Cisco TrustSec – software defined segmentation that uses SGTs

Cisco Umbrella – secure internet gateway ion the cloud that provides a security solution

Explanation

You can configure your ASA FirePOWER module using one of the following deployment models:

You can configure your ASA FirePOWER module in either an inline or a monitor-only (inline tap or

passive) deployment.

To force a session to be adjusted after a policy change is made, two configurations are required on Cisco ISE and on Cisco TrustSec devices: Dynamic Authorization and Change of Authorization (CoA). Dynamic Authorization allows Cisco ISE to send commands to network devices to change the authorization status of a user session. CoA is a feature that enables Cisco ISE to send a RADIUS message to a network device to reauthenticate or disconnect a user session. These two configurations enable Cisco ISE to apply the updated policy to the user session without requiring the user to log out and log in again.

According to the source book, the steps to configure Dynamic Authorization and CoA are as follows1:

On Cisco ISE, navigate to Administration > Network Resources > Network Devices and select the network device that supports TrustSec.

On the Edit Network Device page, select the Advanced TrustSec Settings tab and check the Support for CoA check box.

On the same tab, select the appropriate CoA type from the drop-down list. The options are RADIUS Disconnect, Port Bounce, and Reauth.

Click Submit to save the changes.

On the network device, enter the global configuration mode and issue the command aaa server radius dynamic-author to enable Dynamic Authorization.

Optionally, you can specify the source interface, authentication key, and port number for the Dynamic Authorization messages.

Exit the global configuration mode and save the configuration.

 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Connectivity, Lesson 4.2: Implementing TrustSec, Topic 4.2.3: Configuring TrustSec on Cisco ISE and Network Devices, pp. 4-83 to 4-85.

Microsegmentation is a technology that limits communication between nodes on the same network segment to individual applications by creating secure zones across cloud and data center environments. Microsegmentation isolates application workloads from one another and secures them individually with granular firewall policies based on a zero-trust security approach1. Microsegmentation can reduce the attack surface, prevent the lateral movement of threats, and strengthen regulatory compliance1.

Serverless infrastructure is a technology that allows developers to run code without provisioning or managing servers2. Serverless infrastructure does not limit communication between nodes on the same network segment to individual applications, but rather abstracts away the underlying infrastructure from the application logic.

SaaS deployment is a technology that delivers software applications over the internet as a service3. SaaS deployment does not limit communication between nodes on the same network segment to individual applications, but rather provides access to software applications from any device and location.

Machine-to-machine firewalling is a technology that controls the communication between machines or devices on a network. Machine-to-machine firewalling does not limit communication between nodes on the same network segment to individual applications, but rather applies rules to the traffic between machines or devices based on their IP addresses, ports, protocols, or other criteria.

References :=

What Is Micro-Segmentation? - Cisco

What is serverless?

What is SaaS?

[Machine-to-Machine Firewalling]

SQL injection attacks are a type of code injection technique that exploit the use of dynamic SQL queries in web applications. Attackers can inject malicious SQL statements into user input fields, such as login forms, search boxes, or URLs, and execute them on the underlying database. This can result in unauthorized access, data theft, data corruption, or denial of service.

To prevent SQL injection attacks, web developers should use the following techniques:

Use prepared statements and parameterized queries: Prepared statements are SQL queries that are precompiled and executed with user-supplied parameters. Parameterized queries are SQL queries that use placeholders for user input and bind them to actual values at runtime. Both techniques separate the SQL code from the user input, making it impossible for attackers to inject SQL commands into the query. For example, in Java, PreparedStatement is a class that implements parameterized queries. In PHP, PDO and mysqli are extensions that support prepared statements.

Block SQL code execution in the web application database login: Web applications should use a dedicated database user account with limited privileges to connect to the database. This account should only have the permissions necessary to perform the required operations, such as select, insert, update, or delete. It should not have the permissions to execute arbitrary SQL commands, such as create, drop, alter, grant, or revoke. This way, even if an attacker manages to inject SQL code into the query, the database will reject it due to insufficient privileges.

Explanation

Explanation

A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets to a target

machine. Since the machine receiving such packets cannot reassemble them due to a bug in TCP/IP

fragmentation reassembly, the packets overlap one another, crashing the target network device. This generally happens on older operating systems such as Windows 3.1x, Windows 95, Windows NT and versions of the Linux kernel prior to 2.1.63.