350-701 Exam Dumps - Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)

WannaCry ransomware is a type of malware that encrypts the files on the infected devices and demands a ransom for their decryption. It exploits a vulnerability in the Windows SMB protocol that allows remote code execution. To prevent WannaCry ransomware from spreading to all clients, IT should take the following precautions:

Ensure that noncompliant endpoints are segmented off to contain any potential damage. This means that any device that is not patched, managed, or compliant with the security policies should be isolated from the rest of the network and given limited access to resources. This can be done using Cisco Identity Services Engine (ISE) and Cisco TrustSec, which can enforce dynamic segmentation based on the device’s identity, posture, and context. This way, IT can prevent the ransomware from infecting other devices and reduce the impact of the attack12

Perform a posture check to allow only network access to those Windows devices that are already patched. This means that IT should verify that the devices have installed the latest security updates from Microsoft that fix the SMB vulnerability. This can be done using Cisco AnyConnect Secure Mobility Client, which offers a VPN Posture/HostScan Module and an ISE Posture Module. Both modules can assess the endpoint’s compliance for things like operating system, patches, antivirus, antispyware, and firewall software. If the device is not patched, it can be denied access to the network or redirected to a remediation portal13

 1: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.0 - Configure Posture 2: Can We Trust Your Device? Checking Security Posture - Cisco 3: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.10 - Configure Posture

Explanation

Explanation

+ Cisco Cloudlock continuously monitors cloud environments with a cloud Data Loss Prevention (DLP) engine

to identify sensitive information stored in cloud environments in violation of policy.

+ Cloudlock is API-based.

+ Incidents are a key resource in the Cisco Cloudlock application. They are triggered by the Cloudlock policy engine when a policy detection criteria result in a match in an object (document, field, folder, post, or file).

 To prevent rogue NTP servers from inserting themselves as the authoritative time source, the administrator needs to configure NTP authentication and specify the interface for syncing to the NTP server. NTP authentication allows the ASA to verify the identity and integrity of the NTP packets received from the server, using a shared secret key. Specifying the interface for syncing to the NTP server ensures that the ASA uses the correct source address for sending and receiving NTP packets, and avoids potential routing issues. The other options are not required or relevant for this task. Specifying the NTP version is optional and does not affect security. Configuring the NTP stratum is only applicable for NTP servers, not clients. The ASA can only act as an NTP client, not a server. Setting the NTP DNS hostname is not recommended, as it introduces a dependency on DNS resolution and may cause synchronization problems if the DNS server changes the IP address of the NTP server. References :=

Some possible references are:

Configure NTP Authentication on Secure Network Analytics

CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6 - Basic Settings

Cisco ASA NTP and Clock Configuration with Examples

 A flow monitor is a component of Flexible NetFlow that is used to store and export flow data. A flow monitor consists of a record, an optional exporter, and a cache. The cache is a section of memory that stores flow entries before they are exported to an external collector. The cache is created by the flow monitor when NetFlow is applied to an interface. The cache collects traffic based on the key and nonkey fields in the configured record. The key fields are used to identify a flow uniquely, while the nonkey fields are used to provide additional information about the flow. The cache can be configured with various parameters, such as the number of entries, the timeout values, and the type of cache. The cache can also be viewed and cleared using show and clear commands. References :=

Some possible references are:

Flexible Netflow Configuration Guide, Cisco IOS Release 15M&T

ASR9000/XR Netflow Architecture and overview

Cisco IOS Flexible NetFlow Command Reference - cache (Flexible NetFlow) through match flow

Cisco Stealthwatch is a security solution that uses NetFlow to provide visibility across the network, data center, branch offices, and cloud. NetFlow is a protocol that collects and exports statistics on network traffic flows from routers, switches, firewalls, and other devices. NetFlow data can be used to monitor network performance, troubleshoot issues, detect anomalies, and identify security threats. Cisco Stealthwatch analyzes NetFlow data from various sources and correlates it with other contextual information, such as identity, device, location, and threat intelligence. Cisco Stealthwatch then applies advanced behavioral analytics and machine learning to detect and respond to malicious activities, such as data exfiltration, malware infection, insider threats, and denial-of-service attacks. Cisco Stealthwatch also provides comprehensive network visibility and security across hybrid environments, including public cloud, private cloud, and on-premises networks. Cisco Stealthwatch can integrate with other Cisco security solutions, such as Cisco Identity Services Engine (ISE), Cisco Firepower, Cisco Umbrella, and Cisco Advanced Malware Protection (AMP), to enhance network security and incident response capabilities. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 8: Cloud and Virtual Network Security, Lesson 8.2: Cisco Stealthwatch Cloud

Cisco Stealthwatch

NetFlow for Cybersecurity and Incident Response

B

 Cisco Umbrella evaluates policies from the top down and looks for a matching identity and destination. Once a match is found, Umbrella applies that policy’s settings to the identity and destination and stops evaluating all other DNS policies. Therefore, to ensure that the policy that the identity must use takes precedence over the second one, the engineer should make the correct policy first in the policy order. This way, Umbrella will match the identity to the correct policy before checking the second policy. The other options are not correct because they do not guarantee that the identity will use the correct policy. Configuring the default policy to redirect the requests to the correct policy will not work if the identity matches another policy before the default one. Placing the policy with the most-specific configuration last in the policy order will not work if the identity matches a less-specific policy before the last one. Configuring only the policy with the most recently changed timestamp will not work if the identity matches an older policy before the newer one. References :=

Some possible references are:

Policy Precedence - Umbrella User Guide1

Manage Policies - Umbrella User Guide2

Umbrella Policy order - Cisco Community3

Explanation

Explanation

You specify primary and secondary actions that the appliance will take when it detects a possible DLP violation

in an outgoing message. Different actions can be assigned for different violation types and severities.

Primary actions include:

– Deliver

– Drop

– Quarantine

Secondary actions include:

– Sending a copy to a policy quarantine if you choose to deliver the message. The copy is a perfect clone of the

original, including the Message ID. Quarantining a copy allows you to test the DLP system before deployment in

addition to providing another way to monitor DLP violations. When you release the copy from the quarantine,

the appliance delivers the copy to the recipient, who will have already received the original message.

– Encrypting messages. The appliance only encrypts the message body. It does not encrypt the message

headers.

– Altering the subject header of messages containing a DLP violation.

– Adding disclaimer text to messages.

– Sending messages to an alternate destination mailhost.

– Sending copies (bcc) of messages to other recipients. (For example, you could copy messages with critical

DLP violations to a compliance officer’s mailbox for examination.)

– Sending a DLP violation notification message to the sender or other contacts, such as a manager or DLP

compliance officer.