Cisco 350-701 - Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

 File discovery is a feature of Cisco AMP that allows the engineering team to search for files across all endpoints in the network based on their SHA-256 hashes. File discovery can help identify whether a file is installed on a selected few workstations, and also provide information such as file name, path, size, date, and disposition. File discovery can be used to locate malicious files, unauthorized software, or sensitive data on the endpoints. File discovery can be accessed from the Outbreak Control menu in the AMP console1. References: https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/215176-configure-a-simple-custom-detection-list.html

 SNMP (Simple Network Management Protocol) is the most commonly used protocol for network telemetry. SNMP is a standard protocol that allows network devices to exchange management information1. SNMP agents run on network devices and collect data about their status, performance, configuration, and events. SNMP managers run on network management systems and query the agents for data or receive notifications from them. SNMP can also be used to configure or control network devices remotely2. SNMP is widely supported by various vendors and platforms, and it provides a simple and flexible way to monitor and manage networks3.

 1: What is SNMP? | Cisco 2: SNMP Basics: What is SNMP and How It Works | SolarWinds 3: Network Telemetry Explained: Frameworks, Applications & Standards | Splunk

Cisco FTDv in AWS can be deployed in two different deployment models: single-instance and cluster. In both models, the FTDv can be configured in routed mode and managed by either an FMCv installed in AWS or a physical FMC appliance on premises. The FTDv can also use Geneve encapsulation for traffic interfaces to support AWS Gateway Load Balancer (GWLB) integration. The following table summarizes the supported deployment model configurations for FTDv in AWS:

Table

Deployment Model

Management Mode

Traffic Mode

Geneve Encapsulation

Single-instance

FMCv in AWS

Routed

Optional

Single-instance

FMC on premises

Routed

Optional

Cluster

FMCv in AWS

Routed

Required

Cluster

FMC on premises

Routed

Required

References :=

Deploy the Threat Defense Virtual on AWS - Cisco

Deploy a Threat Defense Virtual Cluster on AWS - Cisco

Configure Geneve Interfaces in Secure FTDv - Cisco

Deployment of Cisco Secure FTDv and FMCv instances in AWS - Terraform

Solved: FTD virtual appliance in AWS - Cisco Community

Cross-site scripting (XSS) is the method of attack that is used by a hacker to send malicious code through a web application to an unsuspecting user to request that the victim’s web browser executes the code. XSS is a type of injection attack that exploits the lack of input validation or output encoding in a web application. An attacker can craft a malicious script and embed it in a web page or a URL that is sent to the user. When the user visits the web page or clicks the URL, the script is executed by the user’s browser, which may not be able to distinguish it from legitimate code. The script can then perform various actions, such as stealing cookies, session tokens, or other sensitive information, redirecting the user to a malicious site, or performing actions on behalf of the user12. The other options are not correct, because they are not methods of attack that use web applications to execute malicious code on the user’s browser. Buffer overflow is a type of attack that exploits a memory vulnerability in a program or system, where an attacker can overwrite the memory beyond the allocated buffer and execute arbitrary code3. Browser WGET is a command-line tool that can be used to download files from the web, but it is not an attack method by itself4. SQL injection is a type of attack that exploits a database vulnerability in a web application, where an attacker can inject malicious SQL statements into a user input field and execute them on the database server5. References:

1: What is Cross-Site Scripting (XSS)? - Cisco

2: Cross-Site Scripting (XSS) - OWASP

3: What is a Buffer Overflow? - Cisco

4: GNU Wget 1.21.1 Manual

5: What is SQL Injection (SQLi)? - Cisco

3DES is a symmetric-key block cipher that applies the DES algorithm three times to each data block. It was developed to improve the security of DES, which has a small key size and is vulnerable to brute-force attacks. 3DES encrypts traffic by using three different keys, each 56 bits long, to perform three rounds of encryption on the plaintext. The encryption process can be described as follows:

Encrypt the plaintext with the first key (K1).

Decrypt the result with the second key (K2).

Encrypt the result again with the third key (K3).

The final ciphertext is the output of the third encryption. The decryption process is the reverse of the encryption process, using the same keys in reverse order:

Decrypt the ciphertext with the third key (K3).

Encrypt the result with the second key (K2).

Decrypt the result again with the first key (K1).

The final plaintext is the output of the third decryption. 3DES is more secure than DES because it uses a longer effective key length of 168 bits (56 x 3), which makes brute-force attacks more difficult. However, 3DES is also slower than DES because it requires three times more computations. Moreover, 3DES has some weaknesses, such as the meet-in-the-middle attack, which can reduce the effective key length to 112 bits. Therefore, 3DES is not recommended for new applications and has been deprecated by NIST since 201712

References := 1: NIST Special Publication 800-67 Revision 2 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher 2: What is 3DES encryption and how does DES work? | Comparitech

An application that does not validate user input is particularly susceptible to SQL injection attacks. In an SQL injection attack, an attacker can insert or "inject" a SQL query via the input data from the client to the application. Due to the lack of validation, the malicious SQL commands are executed by the database server, leading to unauthorized access or manipulation of the database.

Explanation

Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cisco Cloudlock provides visibility and compliance checks, protects data against misuse and exfiltration, and provides threat protections against malware like ransomware.

 The Cisco Umbrella roaming client is a cloud-delivered security service for Cisco’s next-generation firewall that protects employees when they are off the VPN. No additional agents are required. Simply enable the Umbrella functionality in the Cisco AnyConnect client. One of the advantages of the Umbrella roaming client is that it provides visibility into IP-based threats by tunneling suspicious IP connections to the Umbrella cloud for inspection and blocking. This way, the roaming client can prevent malware, phishing, and command-and-control callbacks from reaching malicious domains and IPs, regardless of the port or protocol. The Umbrella roaming client also provides DNS-layer security when the VPN is off, and proactive blocking of emerging threats using real-time data analysis. References:

Cisco Umbrella Roaming

3 Benefits of Using Roaming Client with Cisco Umbrella

Secure remote workers with the Cisco Umbrella roaming client

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (Module 5.1.1)

 To add switches into the fabric, administrators can use PowerOn Auto Provisioning (POAP) or Seed IP methods. POAP is a feature that automates the process of upgrading software images and installing configuration files on Cisco switches that are being deployed in the network for the first time. Seed IP is a method that allows administrators to specify the IP address of a switch that is already part of the fabric, and then use it to discover and add other switches that are connected to it. Both methods enable administrators to control how switches are added into DCNM for private cloud management. References:

POAP, section “PowerOn Auto Provisioning (POAP)”.

Seed IP, section “Add Switches”.

https://www.cisco.com/c/en/us/td/docs/security/ise/1-4-1/admin_guide/b_ise_admin_guide_141/b_ise_admin_guide_141_chapter_01110.html

To share data between multiple security products, you must use Cisco Platform Exchange Grid (pxGrid). pxGrid is an open and scalable framework that allows for bi-directional any-to-any partner platform integrations. pxGrid uses REST and WebSocket interfaces to exchange intelligence and obtain contextual information from Cisco Identity Services Engine (ISE) and other security products. pxGrid can also direct ISE to contain threats by setting network policies. pxGrid enables cross-platform network system collaboration across your IT infrastructure and helps you monitor security, detect threats, and manage assets, configuration, identity, and access. References: Introduction to the Cisco Platform Exchange Grid (pxGrid) in ISE, Cisco Identity Services Engine Administrator Guide, Release 3.3

A CoA request is a network protocol message used in the context of network access control and authentication systems. It is typically employed in scenarios where a user’s access privileges or attributes need to be modified during an active network session. CoA requests are commonly used in conjunction with the RADIUS protocol, which is widely used for managing user authentication and authorization in network environments. When a CoA request is initiated, it is sent by a network access server (NAS) to a RADIUS server to request a change in the user’s authorization state or attributes. The CoA request contains information specifying the desired change, such as granting additional access privileges, revoking existing privileges, modifying session parameters, or updating user attributes. The RADIUS server processes the CoA request and applies the necessary changes to the user’s session in real-time, allowing dynamic adjustments to the user’s authorization and network access. CoA requests are often utilized in scenarios where an administrator needs to promptly update a user’s access rights without requiring them to terminate their current session. This flexibility is particularly valuable in environments that demand fine-grained access control or where access privileges need to be adjusted based on changing circumstances or policies. References :=

Some possible references for this answer are:

RADIUS Change of Authorization - Cisco

What is a CoA Request? - Portnox

RADIUS Change of Authorization: Explained - Cloud RADIUS

Explanation

Explanation

Telemetry – Information and/or data that provides awareness and visibility into what is occurring on the network

at any given time from networking devices, appliances, applications or servers in which the core function of the

device is not to generate security alerts designed to detect unwanted or malicious activity from computer

networks.

WannaCry ransomware is a type of malware that encrypts the files on the infected devices and demands a ransom for their decryption. It exploits a vulnerability in the Windows SMB protocol that allows remote code execution. To prevent WannaCry ransomware from spreading to all clients, IT should take the following precautions:

Ensure that noncompliant endpoints are segmented off to contain any potential damage. This means that any device that is not patched, managed, or compliant with the security policies should be isolated from the rest of the network and given limited access to resources. This can be done using Cisco Identity Services Engine (ISE) and Cisco TrustSec, which can enforce dynamic segmentation based on the device’s identity, posture, and context. This way, IT can prevent the ransomware from infecting other devices and reduce the impact of the attack12

Perform a posture check to allow only network access to those Windows devices that are already patched. This means that IT should verify that the devices have installed the latest security updates from Microsoft that fix the SMB vulnerability. This can be done using Cisco AnyConnect Secure Mobility Client, which offers a VPN Posture/HostScan Module and an ISE Posture Module. Both modules can assess the endpoint’s compliance for things like operating system, patches, antivirus, antispyware, and firewall software. If the device is not patched, it can be denied access to the network or redirected to a remediation portal13

 1: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.0 - Configure Posture 2: Can We Trust Your Device? Checking Security Posture - Cisco 3: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.10 - Configure Posture

Explanation

Advanced Malware Protection (AMP) for Endpoints offers a variety of lists, referred to as Outbreak Control, that allow you to customize it to your needs. The main lists are: Simple Custom Detections, Blocked Applications, Allowed Applications, Advanced Custom Detections, and IP Blocked and Allowed Lists.

A Simple Custom Detection list is similar to a blocked list. These are files that you want to detect and

quarantine.

Allowed applications lists are for files you never want to convict. Some examples are a custom application that is detected by a generic engine or a standard image that you use throughout the company Reference: https://docs.amp.cisco.com/AMP%20for%20Endpoints%20User%20Guide.pdf

 Transparent mode is a Cisco ASA deployment model that allows the ASA to act as a bump in the wire, or a stealth firewall. In this mode, the ASA does not have an IP address on the network, and it does not participate in routing. Instead, it filters traffic between hosts in the same IP subnet using higher-level protocols such as TCP, UDP, and ICMP. Transparent mode is useful when you want to apply security policies without readdressing the network or changing the default gateway of the hosts. Some of the benefits of transparent mode are:

It preserves the original source and destination IP addresses of the packets, which can be useful for logging and auditing purposes.

It simplifies the configuration of the ASA, as you do not need to configure routing protocols, NAT, or DHCP.

It allows the ASA to inspect non-IP traffic, such as ARP, STP, and CDP.

It supports multiple contexts, which can provide logical separation of traffic for different tenants or customers.

Some of the limitations of transparent mode are:

It does not support VPN, dynamic routing, multicast routing, or QoS.

It requires the use of EtherType ACLs to filter non-IP traffic, which can be complex and cumbersome.

It requires the use of bridge groups and bridge domains to define the interfaces and VLANs that belong to the same broadcast domain.

It requires the use of MAC address learning and aging to maintain a MAC address table for each bridge group.

References :=

Some possible references are:

Cisco ASA Series Firewall CLI Configuration Guide, 9.10 - Transparent Firewall Mode

Deploying ASA - Cisco

Cisco ASA 5500-X Series Firewalls - Configuration Guides - Cisco