Cisco 350-701 - Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

Explanation

Cisco Umbrella protects users from accessing malicious domains by proactively analyzing and blocking unsafe destinations – before a connection is ever made. Thus it can protect from phishing attacks by blocking suspicious domains when users click on the given links that an attacker sent. Cisco Umbrella roaming protects your employees even when they are off the VPN.

Cisco Cloudlock is a cloud-native security platform that provides data loss prevention (DLP) capabilities for public cloud environments, such as SaaS, IaaS, and PaaS. Cisco Cloudlock can discover, classify, and protect sensitive data stored in cloud applications, such as Office 365, Google Workspace, Salesforce, Dropbox, and AWS. Cisco Cloudlock uses advanced techniques, such as regular expressions, keywords, dictionaries, and machine learning, to identify and monitor data based on predefined or custom policies. Cisco Cloudlock can also enforce actions, such as encryption, quarantine, deletion, or notification, to prevent data leakage or exposure12. References := 1: Cisco Cloudlock Data Sheet 2: Cloud Data Loss Prevention (Cloud DLP) Overview

Explanation

SSL Decryption is an important part of the Umbrella Intelligent Proxy. he feature allows the Intelligent Proxy to go beyond simply inspecting normal URLs and actually proxy and inspect traffic that’s sent over HTTPS. The SSL Decryption feature does require the root certificate be installed.

 Posture is a feature within Cisco ISE that verifies the compliance of an endpoint before providing access to the network. Posture assessment checks the state of the endpoint, such as the operating system, antivirus, firewall, patches, and so on, against the predefined policies. If the endpoint does not meet the policy requirements, it can be remediated by installing or updating the necessary software or configuration. Posture assessment can be done for both wired and wireless endpoints, as well as VPN clients. Posture assessment requires the installation of a posture agent on the endpoint, which communicates with the posture service on the ISE server. The posture agent can be either a persistent agent, which runs in the background and provides continuous assessment, or a temporal agent, which runs on-demand and is removed after the assessment is complete. Posture assessment can be integrated with 802.1X or web authentication methods for network access control. References :=

Some possible references are:

ISE Posture Prescriptive Deployment Guide

ISE Posture Deployment Best Practices and Considerations

Understanding ISE Posture Services

A Cisco Umbrella virtual appliance (VA) is a lightweight virtual machine that acts as a DNS forwarder in your network. It forwards internal DNS queries to Umbrella and provides Umbrella with the internal IP address and hostname of the device that made the request. This allows Umbrella to apply policies and report on traffic based on the subnet, hostname, or user identity of the device1. The other options are not relevant for this scenario. Tenant control features are used to limit access to specific instances of cloud applications, such as Microsoft 365 or Google G Suite2. The Microsoft Active Directory Connector is used to provision users and groups from Active Directory to Umbrella, not to provide IP address information3. An internal domain is a domain that is resolved by your own DNS server, not by Umbrella, and is used to bypass Umbrella for domains that are only accessible within your network4. References:

1: Deploy Virtual Appliances - Umbrella User Guide

2: Manage Tenant Controls - Umbrella SIG User Guide

3: Connect Active Directory to Umbrella to Provision User and Groups

4: Domain Management - Umbrella User Guide

Explanation

Explanation

+ Cisco Cloudlock continuously monitors cloud environments with a cloud Data Loss Prevention (DLP) engine

to identify sensitive information stored in cloud environments in violation of policy.

+ Cloudlock is API-based.

+ Incidents are a key resource in the Cisco Cloudlock application. They are triggered by the Cloudlock policy engine when a policy detection criteria result in a match in an object (document, field, folder, post, or file).

Explanation

The user “admin5” was configured with privilege level 5. In order to allow configuration (enter global

configuration mode), we must type this command:

(config)#privilege exec level 5 configure terminal

Without this command, this user cannot do any configuration.

Note: Cisco IOS supports privilege levels from 0 to 15, but the privilege levels which are used by default are privilege level 1 (user EXEC) and level privilege 15 (privilege EXEC)

Explanation

A destination list is a list of internet destinations that can be blocked or allowed based on the administrative

preferences for the policies applied to the identities within your organization. A destination is an IP address

(IPv4), URL, or fully qualified domain name. You can add a destination list to Umbrella at any time; however, a

destination list does not come into use until it is added to a policy.

Cisco Identity Services Engine (ISE) uses various probes to collect attributes of connected endpoints, such as device type, operating system, IP address, MAC address, and so on. These attributes are used to profile the endpoints and assign them to appropriate identity groups and policies. Two of the probes that can be configured to gather attributes of connected endpoints using Cisco ISE are RADIUS and DHCP.

RADIUS probe: The RADIUS probe collects attributes from the RADIUS packets that are exchanged between the network access devices (NADs) and the ISE Policy Service Nodes (PSNs) during the authentication and authorization process. The RADIUS probe can extract attributes such as username, calling-station-ID, NAS-IP-address, NAS-port-type, service-type, and so on. The RADIUS probe can also collect attributes from the RADIUS accounting packets that are sent by the NADs to the ISE PSNs after the session is established. The RADIUS probe can extract attributes such as session-ID, framed-IP-address, acct-session-time, and so on. The RADIUS probe is enabled by default and does not require any additional configuration on the NADs or the ISE PSNs.

DHCP probe: The DHCP probe collects attributes from the DHCP packets that are exchanged between the endpoints and the DHCP server during the IP address assignment process. The DHCP probe can extract attributes such as hostname, vendor-class-identifier, client-identifier, parameter-request-list, and so on. The DHCP probe can also collect attributes from the DHCP relay packets that are forwarded by the NADs to the ISE PSNs. The DHCP probe can extract attributes such as relay-agent-information and subscriber-ID. The DHCP probe requires some configuration on the NADs and the ISE PSNs. The NADs must be configured to relay or copy the DHCP packets to the ISE PSNs, and the ISE PSNs must be configured to receive the DHCP packets on a specific interface.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_assetvisibility_endpointprofiler.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_00.html

Certificate authorities (CAs) are responsible for issuing, renewing, revoking, and publishing digital certificates. They also maintain a certificate revocation list (CRL), which is a database of revoked certificates that can be checked by relying parties to verify the validity of a certificate. Registration authorities (RAs) are entities that assist CAs with the verification of user identities and enrollment requests. They do not issue certificates themselves, nor do they have access to the CRL. Therefore, CRL publishing is a function that is performed by CAs but is a limitation of RAs. References :=

Some possible references are:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 4: Secure Connectivity, Lesson 4.1: VPN Fundamentals, Topic 4.1.1: Public Key Infrastructure (PKI)

Easy guide to SSL certificate authorities, Namecheap

How exactly are registration authorities related to certificate authorities?, Information Security Stack Exchange

Mobile device management (MDM) is a solution that allows organizations to manage and secure mobile devices such as smartphones and tablets. MDM can provide two security benefits:

Robust security policy enforcement: MDM can enforce strong security practices and hygiene by defining unified settings that can be applied across your fleet. This centralized software ensures all devices are continuously staying in compliance. For example, MDM can configure settings like full-disk encryption, screen locks, password policies, device restrictions, VPN, firewall, antivirus, and more. MDM can also prevent unwanted or risky software from being installed, and remotely lock or wipe devices if they are lost, stolen, or compromised1.

Privacy control checks: MDM can help organizations stay compliant with privacy regulations and protect sensitive data from unauthorized access. MDM can segment personal and corporate data on devices, and selectively wipe only corporate data when needed. MDM can also monitor device usage and location, and alert administrators of any suspicious or anomalous behavior. MDM can also provide secure containers for sensitive documents and content, and encrypt data in transit and at rest23.

Explanation

Explanation

We should scan emails using AntiVirus signatures to make sure there are no viruses attached in emails.

Note: A virus signature is the fingerprint of a virus. It is a set of unique data, or bits of code, that allow it to be identified. Antivirus software uses a virus signature to find a virus in a computer file system, allowing to detect, quarantine, and remove the virus.

SenderBase is an email reputation service designed to help email administrators research senders, identify legitimate sources of email, and block spammers. When the Cisco ESA receives messages from known or highly reputable senders, it delivers them directly to the end user without any content scanning. However, when the Cisco ESA receives email messages from unknown or less reputable senders, it performs antispam and antivirus scanning.