350-701 Exam Dumps - Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

Cisco AMP for Endpoints is a next generation endpoint security solution that provides prevention, detection, and response capabilities. One of its functions is to automate threat responses of an infected host by isolating it from the network, blocking malicious files, and removing them from all endpoints. This reduces the time and effort required to contain and remediate a threat, and prevents further damage or data loss. According to the source book, Cisco AMP for Endpoints can perform the following automated responses1:

Endpoint Isolation: This feature allows you to isolate an endpoint from the network if it is compromised or infected. This prevents the endpoint from communicating with other devices or servers, and stops the spread of malware or exfiltration of data. You can isolate an endpoint manually from the console, or automatically based on a policy or a detection. You can also restore the network connectivity of an isolated endpoint when it is safe to do so.

File Blocking: This feature allows you to block a file from executing on any endpoint if it is deemed malicious or suspicious. You can block a file manually from the console, or automatically based on a policy or a detection. You can also unblock a file if it is a false positive or no longer a threat.

File Removal: This feature allows you to remove a file from any endpoint if it is malicious or unwanted. You can remove a file manually from the console, or automatically based on a policy or a detection. You can also restore a file from quarantine if it is a false positive or needed for analysis.

 1: Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 6: Endpoint Protection and Detection, Lesson 6.2: Cisco AMP for Endpoints, Topic 6.2.3: Automated Responses.

Explanation

The Firepower System uses network discovery and identity policies to collect host, application, and user data for traffic on your network. You can use certain types of discovery and identity data to build a comprehensive map of your network assets, perform forensic analysis, behavioral profiling, access control, and mitigate and respond to the vulnerabilities and exploits to which your organization is susceptible.

The Cisco Advanced Malware Protection (AMP) solution enables you to detect and block malware, continuously analyze for malware, and get retrospective alerts. AMP for Networks delivers network-based advanced malware protection that goes beyond point-in-time detection to protect your organization across the entire attack continuum – before, during, and after an attack. Designed for Cisco Firepower® network threat appliances, AMP for Networks detects, blocks, tracks, and contains malware threats across multiple threat vectors within a single system. It also provides the visibility and control necessary to protect your organization against highly sophisticated, targeted, zero-day, and persistent advanced malware threats.

Explanation

Explanation

Southbound APIs enable SDN controllers to dynamically make changes based on real-time demands and

scalability needs.

Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) are both important components of an endpoint security strategy, but they have different goals and capabilities. EPP is designed to act as a preventive security measure, blocking known and unknown malware and malicious activity on endpoint devices using various techniques such as antivirus, data encryption, and data loss prevention. EPP solutions are mainly cloud-managed and assisted by cloud data, and use multiple detection engines such as signature-based, machine learning, and behavioral analysis. EPP solutions prevent breaches by leveraging threat intelligence and sandboxing capabilities to continuously protect endpoints from emerging threats12.

EDR, on the other hand, focuses on detecting and responding to advanced threats that have already evaded the front-line defenses and infiltrated the environment. EDR solutions provide continuous and comprehensive visibility into endpoint activity in real time, allowing security teams to quickly and effectively identify and remediate cyberattacks such as ransomware and fileless malware. EDR solutions offer advanced threat detection, investigation, and response capabilities, including incident data search and investigation, alert triage, suspicious activity validation, threat hunting, and malicious activity detection and containment. EDR solutions serve as a safety net to capture threats that go undetected by traditional antivirus software and uncover incidents that would otherwise remain invisible34.

Therefore, the primary difference between an EPP and an EDR is that EPP focuses on prevention, and EDR focuses on advanced threats that evade perimeter defenses. References: 1: Endpoint Protection Platform (EPP) Definition - Cisco 2: EPP vs. EDR: Why You Need Both - CrowdStrike 3: Endpoint Detection and Response (EDR) Definition - Cisco 4: EDR vs EPP: Why Should You Have to Choose? - Check Point Software

The Cisco ASA and the Cisco IOS router with Zone-Based Policy Firewall (ZFW) have different default behaviors when it comes to traffic filtering. The Cisco ASA follows a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic1. The Cisco IOS router with ZFW, on the other hand, starts out by allowing all traffic, even on untrusted interfaces, until a zone-pair policy is applied to restrict or inspect traffic2. This means that the Cisco ASA provides a higher level of security by default, while the Cisco IOS router with ZFW requires more configuration to harden the router. However, the Cisco IOS router with ZFW also offers more flexibility and granularity in defining firewall policies, as well as more advanced features such as DMVPN, GET VPN, and Policy-Based Routing, which are not supported by the Cisco ASA23. References:

2: IOS Firewall vs. ASA - Cisco Community

1: Understand the Zone-Based Policy Firewall Design - Cisco

4: What is a functional difference between a Cisco ASA and a Cisco IOS router with Zone-based policy firewall?

5: What is a functional difference between a Cisco ASA and Cisco IOS router with Zone-based policy firewall?

3: Cisco Zone-Based Firewall Reporting – Plixer

A basic SYN flood attack is a type of denial-of-service (DoS) attack that aims to exhaust the resources of a server by sending a large number of SYN packets and not completing the TCP three-way handshake. The intent of this attack is to exceed the threshold limit of the connection queue, which is the data structure that stores the information about the pending connections. By doing so, the attacker prevents legitimate clients from establishing connections with the server, as the server cannot accept any more SYN requests. A SYN flood attack can be performed with spoofed IP addresses or without IP spoofing, depending on the attacker’s strategy and the server’s configuration. References: [Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 3: Securing Networks with Firewalls, Lesson 3.2: Firewall Technologies, Topic 3.2.1: Firewall Technologies Overview, Page 8. SYN flood DDoS attack | Cloudflare. How to Perform TCP SYN Flood DoS Attack & Detect it with Wireshark - Kali Linux hping3. SYN flood - Wikipedia. SYN Flood Attack | SpringerLink. What Is a SYN Flood Attack? | F5.

Explanation

A data breach is the intentional or unintentional release of secure or private/confidential information to an

untrusted environment.

When your credentials have been compromised, it means someone other than you may be in possession of your account information, such as your username and/or password.