Topic 2: Exam Pool B
An engineer needs behavioral analysis to detect malicious activity on the hosts, and is
configuring the
organization’s public cloud to send telemetry using the cloud provider’s mechanisms to a
security device. Which
mechanism should the engineer configure to accomplish this goal?
A.
mirror port
B.
Flow
C.
NetFlow
D.
VPC flow logs
NetFlow
What is the role of an endpoint in protecting a user from a phishing attack?
A.
Use Cisco Stealthwatch and Cisco ISE Integration
B.
Utilize 802.1X network security to ensure unauthorized access to resources
C.
Use machine learning models to help identify anomalies and determine expected
sending behavior
D.
Ensure that antivirus and anti malware software is up to date
Use machine learning models to help identify anomalies and determine expected
sending behavior
In which form of attack is alternate encoding, such as hexadecimal representation, most
often observed?
A.
Smurf
B.
distributed denial of service
C.
cross-site scripting
D.
rootkit exploit
cross-site scripting
ExplanationCross site scripting (also known as XSS) occurs when a web
application gathers malicious data from a user. The data is usually gathered in the form of
a hyperlink which contains malicious content within it. The user will most likely click on this
link from another website, instant message, or simply just reading a web board or email
message.Usually the attacker will encode the malicious portion of the link to the site in HEX
(or other encoding methods) so the request is less suspicious looking to the user when
clicked on.For example the code below is written in hex:
<ahref=javascript:alert('XSS')>Click Here</a>is equivalent to:<a
href=javascript:alert('XSS')>Click Here</a>Note: In the format “&#xhhhh“, hhhh is the code
point in hexadecimal form.
A Cisco ESA network administrator has been tasked to use a newly installed service to
help create policy based on the reputation verdict. During testing, it is discovered that the
Cisco ESA is not dropping files that have an undetermined verdict. What is causing this
issue?
A.
The policy was created to send a message to quarantine instead of drop
B.
The file has a reputation score that is above the threshold
C.
The file has a reputation score that is below the threshold
D.
The policy was created to disable file analysis
The policy was created to disable file analysis
Maybe the “newly installed service” in this Qmentions about
Advanced Malware Protection (AMP) which can be used along with ESA. AMP allows
superior protection across the attack continuum.+ File Reputation – captures a fingerprint
of each file as it traverses the ESA and sends it to AMP’s cloudbased intelligence network
for a reputation verdict. Given these results, you can automatically block malicious files and
apply administrator-defined policy.+ File Analysis – provides the ability to analyze
unknown files that are traversing the ESA. A highly secure sandbox environment enables
AMP to glean precise details about the file’s behavior and to combine that data with
detailed human and machine analysis to determine the file’s threat level. This disposition is
then fed into AMP cloud-based intelligence network and used to dynamically update and
expand the AMP cloud data set for enhanced protection
Which exfiltration method does an attacker use to hide and encode data inside DNS requests and queries?
A.
DNS tunneling
B.
DNSCrypt
C.
DNS security
D.
DNSSEC
DNS tunneling
DNS Tunneling is a method of cyber attack that encodes the
data of other programs or protocols in DNSqueries and responses. DNS tunneling often
includes data payloads that can be added to an attacked DNSserver and used to control a
remote server and applications.
A network administrator is configuring a rule in an access control policy to block certain
URLs and selects the “Chat and Instant Messaging” category. Which reputation score
should be selected to accomplish this goal?
A.
1
B.
3
C.
5
D.
10
10
We choose “Chat and Instant Messaging” category in “URL
Category”:
What provides the ability to program and monitor networks from somewhere other than the
DNAC GUI?
A.
NetFlow
B.
desktop client
C.
ASDM
D.
API
API
Which two capabilities does TAXII support? (Choose two)
A.
Exchange
B.
Pull messaging
C.
Binding
D.
Correlation
E.
Mitigating
Pull messaging
Binding
The Trusted Automated eXchangeof Indicator Information
(TAXII) specifies mechanisms for exchangingstructured cyber threat information between
parties over the network.TAXII exists to provide specific capabilities to those interested in
sharing structured cyber threat information.TAXII Capabilities are the highest level at which TAXII actions can be described. There are three capabilitiesthat this version of TAXII
supports: push messaging, pull messaging, and discovery.Although there is no “binding”
capability in the list but it is the best answer here.
What features does Cisco FTDv provide over ASAv?
A.
Cisco FTDv runs on VMWare while ASAv does not
B.
Cisco FTDv provides 1GB of firewall throughput while Cisco ASAv does not
C.
Cisco FTDv runs on AWS while ASAv does not
D.
Cisco FTDv supports URL filtering while ASAv does not
Cisco FTDv supports URL filtering while ASAv does not
The Cisco ASA must support TLS proxy for encrypted Cisco Unified Communications
traffic. Where must the
ASA be added on the Cisco UC Manager platform?
A.
Certificate Trust List
B.
Endpoint Trust List
C.
Enterprise Proxy Service
D.
Secured Collaboration Proxy
Certificate Trust List
Refer to the exhibit.
Which type of authentication is in use?
A.
LDAP authentication for Microsoft Outlook
B.
POP3 authentication
C.
SMTP relay server authentication
D.
external user and relay mail authentication
external user and relay mail authentication
Reference: https://www.cisco.com/c/en/us/support/docs/security/email-securityappliance/
118844-technoteesa-00.htmlThe exhibit in this Qshows a successful TLS
connection from the remote host (reception) in the mail log.
A Cisco ESA administrator has been tasked with configuring the Cisco ESA to ensure there
are no viruses before quarantined emails are delivered. In addition, delivery of mail from
known bad mail servers must be prevented. Which two actions must be taken in order to
meet these requirements? (Choose two)
A.
Use outbreak filters from SenderBase
B.
Enable a message tracking service
C.
Configure a recipient access table
D.
Deploy the Cisco ESA in the DMZ
E.
Scan quarantined emails using AntiVirus signatures
Use outbreak filters from SenderBase
Scan quarantined emails using AntiVirus signatures
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-
0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_0100100.
html-> Therefore Outbreak filters can be used to block emails from bad mail servers.Web
servers and email gateways are generally located in the DMZ soNote: The recipient access
table (RAT), not to be confused with remote-access Trojan (also RAT), is a Cisco ESA term
that defines which recipients are accepted by a public listener.
| Page 2 out of 53 Pages |
| Previous |