350-701 Practice Test Questions

626 Questions


Topic 2: Exam Pool B

What are two differences between a Cisco WSA that is running in transparent mode and
one running in explicit mode? (Choose two)


A.

When the Cisco WSA is running in transparent mode, it uses the WSA’s own IP address as the HTTP request destination.


B.

The Cisco WSA responds with its own IP address only if it is running in explicit mode


C.

The Cisco WSA is configured in a web browser only if it is running in transparent mode


D.

The Cisco WSA uses a Layer 3 device to redirect traffic only if it is running in
transparent mode.


E.

The Cisco WSA responds with its own IP address only if it is running in transparent
mode.





D.
  

The Cisco WSA uses a Layer 3 device to redirect traffic only if it is running in
transparent mode.



E.
  

The Cisco WSA responds with its own IP address only if it is running in transparent
mode.



The Cisco Web Security Appliance (WSA) includes a web proxy, a threat analytics engine, an antimalware engine, policy management, and reporting in a single physical or virtual appliance. The main use of the Cisco WSA is to protect users from accessing malicious websites and being infected by malware. You can deploy the Cisco WSA in two different modes:
– Explicit forward mode
– Transparent mode
In explicit forward mode, the client is configured to explicitly use the proxy and subsequently sends all web traffic to the proxy. Because the client knows there is a proxy and sends all traffic to it, the client does not perform a DNS lookup of the domain before requesting the URL; the Cisco WSA is responsible for DNS resolution as well.

Reference: https://www.cisco.com/c/en/us/tech/content-networking/web-cachecommunications-protocol-wccp/index.html
-> Therefore answer D is correct, as redirection can be done on a Layer 3 device only.

In transparent mode, the client is unaware that its traffic is being sent to a proxy (Cisco WSA) and, as a result, the client uses DNS to resolve the domain name in the URL and sends the web request destined for the web server (not the proxy). When you configure the Cisco WSA in transparent mode, you need to identify a network choke point with a redirection device (a Cisco ASA) to redirect traffic to the proxy.

[Figure: WSA in Transparent mode]

Reference: CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide
-> Therefore, in transparent mode the WSA uses its own IP address to initiate a new connection to the web server (step 4 above) -> Answer E is correct.
Answer C is surely not correct, as the WSA cannot be configured in a web browser in either mode.
Answer A seems to be correct but is not. It would be correct if it stated “When the Cisco WSA is running in transparent mode, it uses the WSA’s own IP address as the HTTP request source” (not destination).

An engineer is configuring AMP for endpoints and wants to block certain files from
executing. Which outbreak control method is used to accomplish this task?


A.

device flow correlation


B.

simple detections


C.

application blocking list


D.

advanced custom detections





C.
  

application blocking list



How does DNS Tunneling exfiltrate data?


A.

An attacker registers a domain that a client connects to based on DNS records and sends malware through that connection.


B.

An attacker opens a reverse DNS shell to get into the client’s system and install malware on it.


C.

An attacker uses a non-standard DNS port to gain access to the organization’s DNS servers in order to poison the resolutions.


D.

An attacker sends an email to the target with hidden DNS resolvers in it to redirect them to a malicious domain.





A.
  

An attacker registers a domain that a client connects to based on DNS records and sends malware through that connection.



An engineer needs a cloud solution that will monitor traffic, create incidents based on events, and integrate with other cloud solutions via an API. Which solution should be used to accomplish this goal?


A.

SIEM


B.

CASB


C.

Adaptive MFA


D.

Cisco Cloudlock





D.
  

Cisco Cloudlock



Security information and event management (SIEM) platforms collect log and event data from security systems, networks and computers, and turn it into actionable security insights.
+ An incident is a record of the triggering of an alerting policy. Cloud Monitoring opens an incident when a condition of an alerting policy has been met.

A network engineer is deciding whether to use stateful or stateless failover when
configuring two ASAs for high availability. What is the connection status in both cases?


A.

need to be reestablished with stateful failover and preserved with stateless failover


B.

preserved with stateful failover and need to be reestablished with stateless failover


C.

preserved with both stateful and stateless failover


D.

need to be reestablished with both stateful and stateless failover





B.
  

preserved with stateful failover and need to be reestablished with stateless failover



An organization is trying to implement micro-segmentation on the network and wants to be
able to gain visibility on the applications within the network. The solution must be able to
maintain and force compliance. Which product should be used to meet these
requirements?


A.

Cisco Umbrella


B.

Cisco AMP


C.

Cisco Stealthwatch


D.

Cisco Tetration





D.
  

Cisco Tetration



What is the difference between deceptive phishing and spear phishing?


A.

Deceptive phishing is an attack aimed at a specific user in the organization who holds a C-level role


B.

A spear phishing campaign is aimed at a specific person versus a group of people.


C.

Spear phishing is when the attack is aimed at the C-level executives of an organization.


D.

Deceptive phishing hijacks and manipulates the DNS server of the victim and redirects the user to a false webpage.





B.
  

A spear phishing campaign is aimed at a specific person versus a group of people.



In deceptive phishing, fraudsters impersonate a legitimate company in an attempt to steal
people’s personal data or login credentials. Those emails frequently use threats and a
sense of urgency to scare users into doing what the attackers want.
Spear phishing is carefully designed to get a single recipient to respond. Criminals select
an individual target within an organization, using social media and other public information
– and craft a fake email tailored for that person.

When using Cisco AMP for Networks which feature copies a file to the Cisco AMP cloud for analysis?


A.

Spero analysis


B.

dynamic analysis


C.

sandbox analysis


D.

malware analysis





B.
  

dynamic analysis



https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmcconfig-guidev60/Reference_a_wrapper_Chapter_topic_here.html
-> Spero analysis only uploads the signature of the (executable) files to the AMP cloud; it does not upload the whole file.
Dynamic analysis submits (the whole) files to Cisco Threat Grid (formerly AMP Threat Grid). Cisco Threat Grid runs the file in a sandbox environment, analyzes the file’s behavior to determine whether the file is malicious, and returns a threat score that indicates the likelihood that the file contains malware. From the threat score, you can view a dynamic analysis summary report with the reasons for the assigned threat score. You can also look in Cisco Threat Grid to view detailed reports for files that your organization submitted, as well as scrubbed reports with limited data for files that your organization did not submit.
Local malware analysis allows a managed device to locally inspect executables, PDFs, office documents, and other types of files for the most common types of malware, using a detection rule set provided by the Cisco Talos Security Intelligence and Research Group (Talos). Because local analysis does not query the AMP cloud and does not run the file, local malware analysis saves time and system resources.
-> Malware analysis does not upload files anywhere; it only checks the files locally.
There is no sandbox analysis feature; it is just a method of dynamic analysis that runs suspicious files in a virtual machine.

Which two prevention techniques are used to mitigate SQL injection attacks? (Choose two)


A.

Check integer, float, or Boolean string parameters to ensure accurate values.


B.

Use prepared statements and parameterized queries.


C.

Secure the connection between the web and the app tier.


D.

Write SQL code instead of using object-relational mapping libraries.


E.

Block SQL code execution in the web application database login.





A.
  

Check integer, float, or Boolean string parameters to ensure accurate values.



B.
  

Use prepared statements and parameterized queries.



Which two descriptions of AES encryption are true? (Choose two)


A.

AES is less secure than 3DES


B.

AES is more secure than 3DES


C.

AES can use a 168-bit key for encryption.


D.

AES can use a 256-bit key for encryption.


E.

AES encrypts and decrypts a key three times in sequence.





B.
  

AES is more secure than 3DES



D.
  

AES can use a 256-bit key for encryption.



After deploying a Cisco ESA on your network, you notice that some messages fail to reach their destinations.
Which task can you perform to determine where each message was lost?


A.

Configure the trackingconfig command to enable message tracking.


B.

Generate a system report.


C.

Review the log files.


D.

Perform a trace.





A.
  

Configure the trackingconfig command to enable message tracking.



https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_011110.html

Which cryptographic process provides origin confidentiality, integrity, and origin
authentication for packets?


A.

IKEv1


B.

AH


C.

ESP


D.

IKEv2





C.
  

ESP


