Cisco SCOR / CCNP Security Core 350-701 (350-701) — Questions 976988

988 questions total · 14 pages · All types, answers revealed


Page 14 of 14

976
MCQmedium

A university is using Cisco ESA to manage email for 20,000 students and staff. They have implemented anti-spam and anti-virus policies. Recently, the IT helpdesk has been receiving complaints that legitimate emails from external senders (such as admissions notifications) are being marked as spam and quarantined. The administrators check the ESA and find that these emails are being flagged with a spam score above the threshold, but the content appears to be legitimate. The sending domains are not on any blacklist. The ESA is using default anti-spam settings. What should the administrator do to reduce false positives without compromising security?

A.Create a content filter to allow any email with 'admissions' in the subject.
B.Disable anti-spam scanning for all inbound email.
C.Add the legitimate sender domains or IPs to the ESA's whitelist (SenderBase whitelist).
D.Lower the spam threshold to decrease sensitivity.
AnswerC

Whitelist trusted senders.

Why this answer

Option C is correct because placing the legitimate senders in the WHITELIST sender group of the listener's Host Access Table (HAT), which is what this question calls the SenderBase whitelist, applies the TRUSTED mail flow policy to those connections. That policy skips anti-spam scanning for those sources while anti-virus and AMP scanning still run, so the false positives from known-good senders stop without lowering the global spam threshold or removing protection for everyone else. Two practitioner caveats: HAT domain entries are matched against the connecting host's reverse-DNS name, not the From: header, so prefer entries by sending IP, CIDR or SenderBase reputation score where the sender's infrastructure is known; and do not whitelist large shared mail providers, because every tenant on them inherits the bypass.

Exam trap

Cisco often tests the distinction between whitelisting (bypassing scanning) and content filters (applying actions after scanning), leading candidates to mistakenly choose a content filter rule that can be exploited or a threshold adjustment that worsens false positives.

How to eliminate wrong answers

Option A is wrong because a content filter keyed on the word 'admissions' in the subject line is trivially abusable: any spammer can put that word in a subject to bypass the action. Option B is wrong because disabling anti-spam scanning for all inbound mail removes spam protection for 20,000 mailboxes to fix a handful of senders. Option D is wrong because the spam threshold is the score at or above which the engine classifies a message as spam; lowering it makes classification more aggressive and produces more false positives, not fewer.

977
MCQmedium

A network engineer is configuring NAT on a Cisco ASA for internal servers to be accessible from the internet. One server (10.1.1.10) must always be reachable via a fixed public IP (203.0.113.10). Which NAT type should be used?

A.Identity NAT
B.Dynamic NAT
C.Dynamic PAT (overload)
D.Static NAT
AnswerD

Correct; static NAT creates a permanent one-to-one mapping.

Why this answer

Static NAT provides a one-to-one fixed mapping between a private IP and a public IP, ensuring the server is always reachable via the same public address.
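Added example, not part of the question bank or of Cisco's documentation: an ASA (8.3 or later) object NAT configuration for the server in the question, with the access rule that static NAT alone does not provide. The interface names inside/outside, the object name and the permitted port are assumed.

```cisco
! Added example (not from the question bank). Interface names and the
! object name are placeholders; the addresses are the ones in the question.
object network SRV-WEB
 host 10.1.1.10
 ! one-to-one, bidirectional, permanent: 10.1.1.10 <-> 203.0.113.10
 nat (inside,outside) static 203.0.113.10

! A translation is not a permission. Since 8.3 the access rule is written
! against the REAL (untranslated) address, not the public one.
access-list OUTSIDE-IN extended permit tcp any object SRV-WEB eq 443
access-group OUTSIDE-IN in interface outside

! For comparison, the mapping the other options would create:
!   nat (inside,outside) dynamic interface     <- PAT, ephemeral, outbound only
!   nat (inside,outside) static SRV-WEB        <- identity NAT, no translation
! Verification: a 'static' object rule should appear and translate_hits
! should increment after a test connection from outside.
show nat detail
show xlate | include 10.1.1.10
```

The static rule also answers proxy ARP for 203.0.113.10 on the outside interface, so the public address must belong to the outside subnet or be routed to the ASA by the upstream router.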

978
MCQmedium

A network engineer is configuring Cisco ISE for wireless 802.1X authentication. The company wants to use certificate-based authentication for all corporate devices. Which EAP method should be configured?

A.EAP-MD5
B.PEAP-MSCHAPv2
C.EAP-TLS
D.LEAP
AnswerC

EAP-TLS requires client and server certificates for authentication.

Why this answer

EAP-TLS authenticates both sides with X.509 certificates inside a TLS handshake: the supplicant validates the ISE server certificate, and ISE validates the client certificate against its trusted CA chain and, optionally, checks revocation and maps a certificate field (CN or SAN) to an identity through a certificate authentication profile. No password is sent, so there is nothing to phish or brute-force. PEAP-MSCHAPv2 uses a server certificate only and still relies on a password; EAP-MD5 and LEAP have no server authentication and weak password protection and should not be deployed.

979
MCQhard

A network security engineer is configuring site-to-site IPsec VPN between two Cisco ASA firewalls using IKEv2. Which of the following configuration elements is required to define the encryption and integrity algorithms for the IPsec SA?

A.Crypto map
B.Virtual Tunnel Interface (VTI)
C.Transform set
D.ISAKMP policy
AnswerC

Transform set (on the ASA with IKEv2, the ipsec-proposal) defines the encryption and integrity algorithms for the IPsec SA.

Why this answer

The IPsec (child) SA parameters are defined in the transform set; on the ASA the IKEv2 form of this object is 'crypto ipsec ikev2 ipsec-proposal', while 'crypto ipsec ikev1 transform-set' is the IKEv1 form. One proposal may list several acceptable encryption and integrity algorithms, and the peers agree on one of them during IKE_AUTH or CREATE_CHILD_SA. ISAKMP policy ('crypto ikev1 policy') defines IKEv1 phase 1; its IKEv2 counterpart is 'crypto ikev2 policy', and both protect the IKE SA, not the IPsec SA.

Crypto map binds the proposal to a peer, a traffic selector (match address) and an interface. A VTI is a routable tunnel interface that instead references an IPsec profile, which in turn points at the proposal, so neither one defines the algorithms itself.
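Added example, not part of the question bank or of Cisco's documentation: one side of an ASA 9.x IKEv2 site-to-site tunnel, laid out so that each object named in the options appears in its place. Interface names (inside/outside), the two LAN subnets, the peer address 198.51.100.2 and the pre-shared key are assumed placeholders.

```cisco
! Added example (not from the question bank). Addresses, names and the
! pre-shared key are placeholders.

! IKE SA (IKEv2 counterpart of the IKEv1 'isakmp policy'): protects IKE itself
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! IPsec (child) SA algorithms: this is the 'transform set' of the question.
! IKEv1 form for comparison:
!   crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Interesting traffic and NAT exemption (8.3+ twice NAT)
object network LAN-A
 subnet 10.1.0.0 255.255.255.0
object network LAN-B
 subnet 10.2.0.0 255.255.255.0
access-list VPN-TO-B extended permit ip object LAN-A object LAN-B
nat (inside,outside) source static LAN-A LAN-A destination static LAN-B LAN-B no-proxy-arp route-lookup

! Crypto map: binds proposal + peer + traffic selector to the outside interface
crypto map OUTSIDE-MAP 10 match address VPN-TO-B
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal ESP-AES256-SHA256
crypto map OUTSIDE-MAP 10 set pfs group19
crypto map OUTSIDE-MAP interface outside

! Peer authentication (IKEv2 lets each direction use a different key)
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key Placeholder-PSK-Change-Me
 ikev2 local-authentication pre-shared-key Placeholder-PSK-Change-Me

! Verification: the negotiated child-SA algorithms are shown here
show crypto ikev2 sa detail
show crypto ipsec sa peer 198.51.100.2
```

The same proposal object is reused unchanged if the tunnel is later moved to a VTI: only the crypto map lines are replaced by an IPsec profile that references ESP-AES256-SHA256.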

980
MCQeasy

In the 802.1X authentication process, which component is responsible for relaying authentication messages between the client and the authentication server?

A.Authentication server (ISE)
B.RADIUS proxy
C.Authenticator
D.Supplicant
AnswerC

The authenticator (e.g., switch) forwards EAP messages between the supplicant and the authentication server.

Why this answer

In the 802.1X authentication process, the authenticator (typically a switch or wireless access point) is responsible for relaying Extensible Authentication Protocol (EAP) messages between the supplicant (client) and the authentication server (e.g., ISE). The authenticator encapsulates EAP frames into RADIUS packets for transmission to the server, acting as a transparent proxy that does not modify or terminate the EAP conversation. This role is defined in IEEE 802.1X-2010, where the authenticator controls port access based on the authentication result.

Exam trap

Cisco often tests the misconception that the RADIUS proxy is the relay component, but the authenticator (switch/AP) is the standard relay in 802.1X, while a RADIUS proxy is an optional network element for routing RADIUS traffic between different administrative domains.

How to eliminate wrong answers

Option A is wrong because the authentication server (ISE) is the endpoint that validates credentials and makes the final access decision, not the relay of messages between client and server. Option B is wrong because a RADIUS proxy is an optional intermediary that forwards RADIUS packets between different RADIUS realms or domains, but it is not a required component in the standard 802.1X architecture; the authenticator itself performs the relay. Option D is wrong because the supplicant is the client software (e.g., on a laptop) that initiates authentication and responds to EAP requests, but it does not relay messages to the server.
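Added example, not part of the question bank or of Cisco's documentation: the authenticator side of the exchange on a Catalyst IOS switch, in classic (pre-IBNS 2.0) syntax, showing that the switch only needs to know where the RADIUS server is and which ports to guard; the EAP method itself is negotiated between supplicant and ISE. The ISE address 10.10.10.5, the shared secret, VLAN 100 and the port are assumed placeholders.

```cisco
! Added example (not from the question bank). Server address, shared secret,
! VLAN and interface are placeholders.
aaa new-model

! The authentication server: EAP is carried to it inside RADIUS attributes
radius server ISE-PSN1
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key Placeholder-Shared-Secret
aaa group server radius ISE
 server name ISE-PSN1

! Authentication, authorization (dACL/VLAN from ISE) and accounting via RADIUS
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
radius-server vsa send authentication

! Turn on 802.1X globally; the switch is now an authenticator
dot1x system-auth-control

interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 100
 ! port stays unauthorized (EAPOL only) until ISE returns Access-Accept
 authentication port-control auto
 authentication host-mode single-host
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

! Verification: method, status and the attributes ISE returned
show authentication sessions interface GigabitEthernet1/0/10 details
show dot1x interface GigabitEthernet1/0/10
```

Nothing in this configuration names EAP-TLS or PEAP: the authenticator relays whatever EAP type the supplicant and ISE agree on, which is exactly the relay role the question asks about.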

981
MCQmedium

A security engineer is deploying Cisco AMP for Endpoints to protect against malware. The company wants to block all executables from running in the Downloads folder except those signed by a specific trusted publisher. Which policy configuration should the engineer use?

A.Use the default malware protection policy, which automatically blocks untrusted executables in Downloads.
B.Create an Application Control rule to block all executables in the Downloads folder and add an exception for the trusted publisher.
C.Configure an Exclusion for the Downloads folder and then use a Custom Detection for untrusted executables.
D.Enable Simple Custom Detections with the SHA-256 hashes of all known executables.
AnswerB

Application Control allows blocking by path and creating exceptions based on publisher certificate.

Why this answer

Option B is correct because, among the options, only an explicit Application Control rule expresses the requirement as a policy: block executables launched from the Downloads path, then exempt files whose Authenticode signature chains to the trusted publisher, so only that publisher's binaries can run from the folder. One caveat for practitioners: in the shipping Secure Endpoint console, the Application Control lists (Blocked Applications and Allowed Applications) are keyed by SHA-256 hash, and path-plus-publisher rules of the kind described here are what Windows AppLocker or WDAC provide; treat the question as testing the concept of an explicit allow/block control versus reputation-based detection rather than the exact product UI.

Exam trap

The trap here is that candidates often confuse malware protection policies (which rely on reputation and analytics) with Application Control rules (which enforce explicit allow/block based on path and publisher), leading them to select the default malware protection option despite it not supporting folder-specific blocking based on publisher trust.

How to eliminate wrong answers

Option A is wrong because the default malware protection policy in AMP for Endpoints uses cloud-based file reputation and behavioral analysis, not path-based blocking of all untrusted executables in a specific folder. Option C is wrong because configuring an Exclusion for the Downloads folder would exempt it from all scanning, allowing any executable to run, and Custom Detections are for specific files or hashes, not for publisher-based exceptions. Option D is wrong because Simple Custom Detections rely on SHA-256 hashes, which is impractical for blocking all untrusted executables dynamically and does not support publisher-based trust exceptions.

982
MCQmedium

An organization wants to enforce micro-segmentation in a data center to isolate application tiers. Which Cisco technology allows defining security policies based on endpoint groups rather than IP addresses?

A.Cisco ASA with access-lists
B.Cisco TrustSec with Security Group Tags (SGTs)
C.Cisco ISE with guest services
D.Cisco Firepower NGFW with URL filtering
AnswerB

TrustSec uses SGTs for group-based policy enforcement, ideal for micro-segmentation.

Why this answer

Cisco TrustSec classifies endpoints into Security Groups and assigns each a Security Group Tag (SGT), normally from ISE at authorization time. Policy is then written as a matrix of source SGT to destination SGT with an SGACL in each cell, so an application tier is addressed by its tag rather than by IP addresses, and the policy follows a workload when its IP changes. The tag is carried inline in the Cisco Meta Data (CMD) header between TrustSec-capable devices, and propagated as IP-to-SGT bindings over SXP (SGT Exchange Protocol) to devices that cannot read the inline tag.

Exam trap

Cisco often tests the distinction between IP-based ACLs (ASA) and identity-based segmentation (TrustSec), so the trap here is assuming that any firewall or NGFW can achieve micro-segmentation without understanding that TrustSec's SGTs are specifically designed for endpoint-group policies independent of IP addresses.

How to eliminate wrong answers

Option A is wrong because Cisco ASA with access-lists relies on static IP addresses and port numbers, not endpoint groups, making it unsuitable for dynamic micro-segmentation that follows workloads. Option C is wrong because Cisco ISE with guest services focuses on guest user authentication and policy enforcement for network access, not on defining security policies between application tiers within a data center. Option D is wrong because Cisco Firepower NGFW with URL filtering controls web traffic based on URLs and categories, not on endpoint group-based segmentation between application tiers.
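Added example, not part of the question bank or of Cisco's documentation: SGT-based enforcement for a three-tier application on a Catalyst IOS switch. In production ISE assigns the tags dynamically and pushes the SGACL matrix; static IP-to-SGT bindings are used here so the example stands on its own. The subnets, tag values, ports and the SXP peer 10.1.1.1 are assumed placeholders.

```cisco
! Added example (not from the question bank). Subnets, SGT numbers, ports
! and the SXP peer are placeholders.

! Classification: in production these bindings come from ISE authorization
cts role-based sgt-map 10.1.10.0/24 sgt 10
cts role-based sgt-map 10.1.20.0/24 sgt 20
cts role-based sgt-map 10.1.30.0/24 sgt 30

! SGACLs carry no IP addresses at all: the source and destination are tags,
! the ACL only says which protocols/ports the pair may use
ip access-list role-based WEB-TO-APP
 permit tcp dst eq 8443
 deny ip
ip access-list role-based APP-TO-DB
 permit tcp dst eq 5432
 deny ip
ip access-list role-based DENY-ALL
 deny ip

! The policy matrix: web -> app, app -> db, and no web -> db shortcut
cts role-based permissions from 10 to 20 WEB-TO-APP
cts role-based permissions from 20 to 30 APP-TO-DB
cts role-based permissions from 10 to 30 DENY-ALL
cts role-based enforcement

! Propagation, option 1: inline tagging (CMD header) on a TrustSec-capable uplink
interface TenGigabitEthernet1/1/1
 cts manual
  policy static sgt 2 trusted

! Propagation, option 2: SXP for devices that cannot read the inline tag
cts sxp enable
cts sxp default password Placeholder-SXP-Password
cts sxp connection peer 10.1.1.1 password default mode local speaker

! Verification: matrix in effect and per-cell hit counters
show cts role-based permissions
show cts role-based counters
```

If the app tier is re-addressed, only the sgt-map lines (or nothing, when ISE assigns the tag at login) change; the permissions matrix is untouched, which is the property an IP-based ACL cannot offer.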

983
Multi-Selecteasy

Which THREE of the following are indicators of compromise (IOCs) that can be detected by Cisco AMP for Endpoints?

Select 3 answers
A.Physical access badge ID
B.Suspicious process execution
C.Malicious file SHA256 hash
D.Phishing URL in an email
E.Command-and-control IP address
AnswersB, C, E

AMP detects malicious process behavior, known-bad file hashes, and connections to known command-and-control addresses.

Why this answer

Cisco AMP for Endpoints combines signature, behavioral and machine-learning analysis on the endpoint. Suspicious process execution (B) is a behavioral IOC: the connector records process trees, parent/child spawning patterns and memory injection, and flags chains that signatures miss. A malicious file SHA-256 hash (C) is the classic file IOC: every file is hashed and looked up in the cloud and in Simple Custom Detection lists, with retrospective alerts when a hash later turns malicious. A command-and-control IP address (E) is a network IOC the connector sees through Device Flow Correlation, which matches outbound connections against known C2 addresses. A phishing URL in an email (D) is detected by the email gateway (ESA) before delivery, and a badge ID (A) is physical-access data that never reaches the endpoint agent.

Exam trap

Cisco often tests the distinction between endpoint-specific IOCs (processes, hashes, C2 IPs) and network-layer or physical IOCs, leading candidates to mistakenly include phishing URLs or physical access indicators as endpoint IOCs.

984
MCQeasy

Which symmetric encryption algorithm is considered the current standard and is often used in VPNs and SSL/TLS?

A.MD5
B.AES
C.3DES
D.RSA
AnswerB

AES is the current standard for symmetric encryption.

Why this answer

AES (Advanced Encryption Standard, FIPS 197) is the symmetric block cipher used for bulk encryption in IPsec, SSL/TLS and disk encryption, typically as AES-GCM or AES-CBC with 128- or 256-bit keys. The distractors are either not symmetric ciphers or obsolete: MD5 is a broken hash function, RSA is an asymmetric algorithm used for key exchange and signatures, and 3DES is a legacy symmetric cipher with a 64-bit block size that NIST has retired.

985
MCQhard

A company uses AWS Organizations with multiple accounts. They need to enforce that all S3 buckets have encryption enabled. Which AWS service can centrally audit and automatically remediate non-compliant buckets?

A.Amazon GuardDuty
B.AWS CloudTrail
C.AWS Config conformance packs
D.AWS Security Hub
AnswerC

Config can evaluate rules and trigger remediation actions.

Why this answer

AWS Config conformance packs deploy a collection of Config rules and their remediation actions as a single unit, and can be deployed to every account in the organization from the management or delegated administrator account. A pack that includes the 's3-bucket-server-side-encryption-enabled' managed rule evaluates each bucket continuously and, when a bucket is NON_COMPLIANT, can invoke an AWS Systems Manager Automation runbook (for example AWS-EnableS3BucketEncryption) to turn on default encryption. One practical caveat: since January 2023 S3 applies SSE-S3 default encryption to all new buckets automatically, so this control mainly matters for older buckets and for enforcing a stronger option such as SSE-KMS with a specific key.

Exam trap

Cisco often tests the distinction between services that detect threats (GuardDuty), log API calls (CloudTrail), aggregate findings (Security Hub), and those that enforce configuration compliance (Config conformance packs), so the trap here is confusing Security Hub's aggregation role with Config's direct auditing and remediation capability.

How to eliminate wrong answers

Option A is wrong because Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior, not a compliance auditing or remediation service for S3 bucket encryption. Option B is wrong because AWS CloudTrail records API activity for auditing and governance, but it does not evaluate resource configurations or enforce compliance policies. Option D is wrong because AWS Security Hub aggregates security findings from multiple services (like GuardDuty, Inspector, and Config) and provides a centralized view, but it does not itself perform configuration auditing or automated remediation of non-compliant resources.

986
MCQmedium

An organization wants to protect their web application hosted on AWS from common exploits like SQL injection. Which AWS service should they use?

A.AWS Security Groups
B.AWS Shield
C.AWS CloudTrail
D.AWS WAF
AnswerD

Correct. WAF filters web traffic for exploits.

Why this answer

AWS WAF inspects HTTP(S) requests at the application layer and applies managed or custom rule groups (SQL injection and cross-site scripting match statements, rate limiting, IP reputation) in front of CloudFront, an Application Load Balancer, API Gateway or AppSync. Security groups filter only on IP address, protocol and port, Shield is DDoS protection, and CloudTrail records API calls; none of them inspects request content for injection payloads.

987
MCQeasy

Which protocol does Cisco ISE use to communicate with the pxGrid controller for sharing contextual data?

A.JSON-RPC over certificate-based TLS
B.REST API over HTTPS
C.TACACS+
D.RADIUS
AnswerA

pxGrid uses JSON-RPC over TLS with mutual certificate authentication.

Why this answer

The answer key describes pxGrid as JSON-RPC over certificate-authenticated TLS. The shipping protocol differs by version: pxGrid 1.0 used XMPP, and pxGrid 2.0 uses REST over HTTPS for control operations (account activation, service lookup) plus WebSocket with STOMP framing for topic-based publish/subscribe. What is constant, and what the exam is testing, is that pxGrid is a persistent, bidirectional, normally certificate-authenticated pub/sub channel over which ISE shares context (sessions, SGTs, endpoint profiles, adaptive network control) with consumers such as Cisco Threat Response, Secure Firewall and third-party integrations, rather than a request/response northbound API.

Exam trap

Cisco often tests the distinction between pxGrid communication (JSON-RPC over TLS) and other ISE APIs (REST over HTTPS), leading candidates to mistakenly choose REST API because they associate HTTPS with secure data exchange.

How to eliminate wrong answers

Option B is wrong because the REST API over HTTPS is the ISE northbound API (ERS and OpenAPI) that external systems call to query or change ISE configuration; pxGrid needs a persistent, bidirectional subscription channel, not request/response polling. Option C is wrong because TACACS+ is the AAA protocol ISE uses for device administration (command authorization and accounting), not for real-time context sharing. Option D is wrong because RADIUS carries network access authentication, authorization and accounting, and has no publish/subscribe or topic model of the kind pxGrid requires.

988
Multi-Selectmedium

An organization is planning to deploy Cisco FTD in a high-availability pair. Which two statements about active/active failover are true? (Choose two.)

Select 2 answers
A.It requires multiple context mode.
B.Both units can actively pass traffic.
C.Stateful failover is supported.
D.It is the default failover mode.
E.Configuration is not synchronized.
AnswersA, B

Correct; on the ASA, active/active failover is supported only in multiple context mode.

Why this answer

Active/active failover requires multiple context mode: the contexts are divided into two failover groups, each group is active on one unit, so both units forward traffic at the same time. The remaining options are false or misleading: active/standby is the default mode, the configuration is replicated from the active unit over the failover link, and stateful failover (connection and xlate replication over the state link) is supported in both active/standby and active/active on the ASA, so option C is also true there; the key treats A and B as the two statements that distinguish active/active from active/standby. Note also that FTD does not support multiple context mode, so an FTD high-availability pair is always active/standby; having both FTD units forward traffic requires clustering rather than failover.


Cisco SCOR / CCNP Security Core 350-701 350-701 Questions 976–988 | Page 14/14 | Courseiva