Cisco 350-701 - Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

Sandboxing is a feature that is leveraged by advanced antimalware capabilities to be an effective endpoint protection platform. Sandboxing allows an endpoint protection platform to isolate suspect files in a safe environment and analyze their behavior and impact without affecting the rest of the system. Sandboxing can help detect and prevent unknown or zero-day malware that may evade traditional signature-based detection methods. Sandboxing can also provide valuable threat intelligence and forensic data for further investigation and response.

Big data, storm centers, and blocklisting are not features that are leveraged by advanced antimalware capabilities to be an effective endpoint protection platform. Big data refers to the large volume, variety, and velocity of data that can be used for various purposes, such as analytics, machine learning, or business intelligence. Storm centers are centralized hubs that monitor and respond to cyber incidents and threats. Blocklisting is a method of preventing access to malicious or unwanted domains, IP addresses, or files by adding them to a list of blocked entities. References:

Endpoint Protection Platform (EPP) Definition

Cisco Advanced Malware Protection (AMP) for Endpoints

Cisco AMP for Endpoints: Sandboxing

Explanation

Cisco Hybrid Email Security is a unique service offering that combines a cloud-based email security deployment

with an appliance-based email security deployment (on premises) to provide maximum choice and control for

your organization. The cloud-based infrastructure is typically used for inbound email cleansing, while the onpremises appliances provide granular control – protecting sensitive information with data loss

prevention (DLP) and encryption technologies.

SQL injection attacks are a type of code injection technique that exploit the use of dynamic SQL queries in web applications. Attackers can inject malicious SQL statements into user input fields, such as login forms, search boxes, or URLs, and execute them on the underlying database. This can result in unauthorized access, data theft, data corruption, or denial of service.

To prevent SQL injection attacks, web developers should use the following techniques:

Use prepared statements and parameterized queries: Prepared statements are SQL queries that are precompiled and executed with user-supplied parameters. Parameterized queries are SQL queries that use placeholders for user input and bind them to actual values at runtime. Both techniques separate the SQL code from the user input, making it impossible for attackers to inject SQL commands into the query. For example, in Java, PreparedStatement is a class that implements parameterized queries. In PHP, PDO and mysqli are extensions that support prepared statements.

Block SQL code execution in the web application database login: Web applications should use a dedicated database user account with limited privileges to connect to the database. This account should only have the permissions necessary to perform the required operations, such as select, insert, update, or delete. It should not have the permissions to execute arbitrary SQL commands, such as create, drop, alter, grant, or revoke. This way, even if an attacker manages to inject SQL code into the query, the database will reject it due to insufficient privileges.

Malware installation: This may be done by hijacking DNS queries and responding with malicious IP addresses.

Command & Control communication: As part of lateral movement, after an initial compromise, DNS

communications is abused to communicate with a C2 server. This typically involves making periodic DNS

queries from a computer in the target network for a domain controlled by the adversary. The responses contain encoded messages that may be used to perform unauthorized actions in the target network.

Network footprinting: Adversaries use DNS queries to build a map of the network. Attackers live off the terrain so developing a map is important to them.

Data theft (exfiltration): Abuse of DNS to transfer data; this may be performed by tunneling other protocols like FTP, SSH through DNS queries and responses. Attackers make multiple DNS queries from a compromised computer to a domain owned by the adversary. DNS tunneling can also be used for executing commands and transferring malware into the target network.

Endpoint security is the process of protecting devices like workstations, servers, and other devices from malicious threats and cyberattacks. Endpoint security enables businesses to secure endpoints that employees use for work purposes or servers that are either on a network or in the cloud. Endpoint security is important because every device that connects to the corporate network is a potential vulnerability, providing a possible entry point for cyber criminals. Therefore, every device an employee uses to connect to any business system or resource carries the risk of becoming the chosen route for hacking into an organization. These devices can be exploited by malware that could leak or steal sensitive data from the business12.

One of the benefits of endpoint security is that it allows the organization to detect and mitigate threats that the perimeter security devices do not detect. Perimeter security devices, such as firewalls and intrusion prevention systems, are designed to protect the network from external attacks. However, they may not be able to prevent or detect attacks that originate from within the network, such as insider threats, compromised devices, or lateral movement. Endpoint security solutions can provide visibility and control over the devices that connect to the network, and can monitor, analyze, and respond to suspicious or malicious activities on the endpoints. Endpoint security solutions can also leverage threat intelligence and advanced analytics to identify and block known and unknown threats, such as ransomware, zero-day exploits, and targeted attacks13. References := 1: What is Endpoint Security? How Does It Work? | Fortinet 2: Microsoft Defender for Endpoint | Microsoft Security 3: Endpoint Security - Check Point Software

MFA, or multi-factor authentication, is a method of verifying a user’s identity by requiring two or more factors, such as something the user knows (e.g. password), something the user has (e.g. phone), or something the user is (e.g. fingerprint). MFA is an effective deterrent for phishing attacks, which are attempts to trick users into revealing their credentials or other sensitive information by sending them fraudulent emails or websites that impersonate legitimate entities. MFA can prevent phishing attacks by adding an extra layer of security that is not easily compromised by the attackers, even if they manage to obtain the user’s password. For example, if the user receives a phishing email that asks them to log in to their bank account, and they enter their password on the fake website, the attacker will not be able to access the account unless they also have the user’s phone or fingerprint. MFA can also alert the user of a phishing attempt if they receive an unexpected authentication request on their phone or other device. References:

What Type of Attacks Does MFA Prevent? | OneLogin

Multi-Factor Authentication and Cyberattacks - NYU

When the Cisco Secure Firewall downloads threat intelligence updates from Cisco Talos, it is engaged in "consumption." This term refers to the process of receiving and utilizing threat intelligence data to enhance security measures. Cisco Talos provides comprehensive threat intelligence that Cisco Secure Firewall consumes to update its threat detection and prevention capabilities.

The Web Security Appliance (WSA) supports different authentication protocols and schemes to acquire end-user credentials. The most common protocols are NTLMSSP and Kerberos, which are both supported by Active Directory realms. NTLMSSP is a challenge-response authentication protocol that uses a hash of the user’s password to authenticate. Kerberos is a ticket-based authentication protocol that uses a trusted third-party (the Key Distribution Center) to issue tickets to the user and the service. Both protocols are more secure and widely supported than Basic authentication, which sends the user’s credentials in clear text. CHAP, TACACS+, and RADIUS are not supported by the WSA for end-user authentication, although they can be used for external authentication of administrators or for credential encryption. References: 1, 2, 3

https://www.cisco.com/c/en/us/products/collateral/security/web-security-appliance/guide-c07-742373.html

https://frontegg.com/blog/authentication

Explanation

Explanation

Depending on your company policy, you might be able to use your mobile phones, tablets, printers, Internet radios, and other network devices on your company’s network. You can use the My Devices portal to register and manage these devices on your company’s network.

 Grafana is an open source tool that displays graphs and counters for data streamed from network devices. Cisco uses Grafana to create graphical visualizations of network telemetry on Cisco IOS XE devices, which support model-driven telemetry. Model-driven telemetry is a new approach for network monitoring in which data is streamed from network devices continuously using a push model and provides near real-time access to operational statistics. Applications can subscribe to specific data items they need, by using standard-based YANG data models over NETCONF-YANG. Cisco IOS XE streaming telemetry allows to push data off of the device to an external collector at a much higher frequency, more efficiently, as well as data on-change streaming. Grafana uses the data from InfluxDB database to build dashboards and graphs. InfluxDB is a time-series database that stores the telemetry data received from the network devices. Telegraf is an agent that collects the telemetry data from the network devices and pushes it to InfluxDB. The TIG software stack refers to the three open-source software components that enable receiving, storing, and visualization the telemetry data: Telegraf, InfluxDB, and Grafana. References :=

Enterprise Streaming Telemetry and You: Getting Started with Model Driven Telemetry - Cisco Blogs

Explore Model-Driven Telemetry - Cisco Blogs

Telemetry Configuration Guide for Cisco 8000 Series Routers, IOS XR Release 7.8.x - Dial-Out Telemetry Session from Router to Destination

Free 350-701 Implementing and Operating Cisco Security Core Technologies Practice Test Questions

Explanation

Only in On-site (on-premises) and IaaS we (tenant) manage O/S (Operating System).

Cisco Umbrella Investigate is a cloud-based service that provides interactive threat intelligence on domains, IPs, and files. It helps security analysts to uncover the attacker’s infrastructure and predict future threats by analyzing the relationships and evolution of internet domains, IPs, and files. It also integrates with other Cisco security solutions, such as Cisco Secure Network Analytics, Cisco Secure Cloud Analytics, and Cisco pxGrid, to provide a holistic view of the network and cloud security posture. Cisco Umbrella Investigate is based on the data collected by Cisco Umbrella, which processes more than 620 billion DNS requests per day from over 190 countries. Cisco Umbrella Investigate uses statistical and machine learning models to automatically score and classify the data, and provides a risk score for each domain, IP, and file, along with the contributing factors and historical context. Cisco Umbrella Investigate also allows security analysts to query the data using a web-based console or an API, and to visualize the results using graphs, tables, and maps. Cisco Umbrella Investigate is the most complete and interactive threat intelligence solution that helps to prevent cyber attacks before they happen. References :=

Some possible references are:

Cisco Umbrella Investigate

Cyber Attack Prevention - Cisco Umbrella

Cisco Umbrella Investigate - Cisco Umbrella