CCNA Scor Content Security Questions

75 of 85 questions · Page 1/2 · Scor Content Security topic · Answers revealed

1
MCQmedium

A security engineer needs to block access to social media websites for all users except those in the HR department. The solution must integrate with Active Directory. Which Cisco WSA feature should be used?

A.SSL/TLS decryption
B.Explicit proxy with PAC file
C.Identity-based policies with AD integration
D.Transparent proxy with WCCP
AnswerC

Identity-based policies allow different rules per user or group via AD.

Why this answer

Cisco WSA identity-based policies with AD integration allow different URL filtering rules per user group.

2
MCQhard

A security engineer is troubleshooting an issue where users can bypass the Cisco WSA by using HTTPS. What must be enabled on the WSA to inspect encrypted traffic?

A.AVC
B.URL Filtering
C.HTTPS Inspection
D.Bandwidth Controls
AnswerC

HTTPS Inspection decrypts SSL/TLS traffic for content scanning.

Why this answer

SSL/TLS decryption (HTTPS inspection) is required to decrypt and inspect encrypted web traffic.

3
MCQmedium

A security engineer is configuring Cisco Firepower NGFW to block social media applications. Which feature should be used to achieve this?

A.URL filtering
B.Application control
C.Intrusion prevention
D.TLS server identity discovery
AnswerB

Correct. Application control can block social media applications.

Why this answer

Firepower uses application control to identify and block specific applications like social media.

4
MCQmedium

An administrator wants to enforce identity-based policies on Cisco WSA by integrating with Active Directory. Which method allows the WSA to identify users transparently without requiring client software?

A.LDAP bind with user credentials
B.Explicit proxy with PAC file
C.Kerberos authentication with keytab file
D.Transparent user identification using Active Directory agent
AnswerD

Correct. The AD agent maps IP addresses to usernames transparently.

Why this answer

Transparent user identification (TUI) lets the WSA attach an Active Directory username to a request without challenging the browser: an agent that watches domain-controller logon events (the Cisco Context Directory Agent, formerly the Active Directory Agent, or Cisco ISE via pxGrid) feeds the WSA IP-address-to-username mappings, and the WSA then looks up the user's group membership to pick the policy. The other options do not fit: an LDAP bind and a Kerberos keytab are authentication mechanisms that need the client to answer a challenge or present a ticket, and a PAC file only tells the browser where the proxy is. Keep in mind that TUI trusts the IP-to-user mapping, so shared hosts, NAT and terminal servers need an explicit authentication realm instead.

5
MCQmedium

A user reports slow performance when accessing cloud-based applications. Which Cisco tool provides visibility into SaaS application performance?

A.Cisco ThousandEyes
B.Cisco Firepower URL filtering
C.Cisco Umbrella SIG
D.Cisco WSA bandwidth controls
AnswerA

ThousandEyes monitors application performance across networks.

Why this answer

Cisco ThousandEyes provides monitoring and visibility into the performance of cloud and SaaS applications.

6
MCQmedium

A security analyst notices that a user is receiving a high volume of emails from unknown senders with links to malicious sites. The ESA is configured with Cisco TALOS threat intelligence. Which ESA feature should the analyst configure to block these emails based on the reputation of the sender before they reach the user's inbox?

A.Anti-malware with AMP for Email
B.Outbreak filters
C.DLP policies
D.IronPort SenderBase reputation
AnswerD

SenderBase reputation uses SBRS scores to block low-reputation senders.

Why this answer

The IronPort SenderBase reputation system uses SBRS scores to filter email based on sender reputation, blocking messages from low-reputation senders before delivery.

7
MCQeasy

Which Cisco content security solution uses DNS to block access to malicious domains and provides cloud-based proxy protection?

A.Cisco WSA
B.Cisco ESA
C.Cisco Firepower NGFW
D.Cisco Umbrella
AnswerD

Umbrella provides DNS-layer security and a cloud proxy for web traffic.

Why this answer

Cisco Umbrella is a cloud-delivered security solution that uses DNS to block requests to malicious domains. It also includes a cloud proxy for full URL filtering and threat protection.

8
Multi-Selectmedium

A Cisco WSA administrator wants to apply different web usage policies based on user group membership. Which two methods can be used to identify users transparently? (Choose two.)

Select 2 answers
A.Explicit proxy configuration
B.Active Directory integration
C.LDAP bind
D.NTLM authentication
E.WCCP redirect
AnswersB, D

Active Directory integration supplies the user and group identity; NTLM single sign-on lets a domain-joined browser answer the proxy challenge without prompting the user.

Why this answer

Transparent identification uses Active Directory integration (group lookups plus agent-based IP-to-user mapping) or NTLM single sign-on, neither of which depends on explicit proxy settings. Explicit proxy and WCCP are traffic-interception methods, not identification methods, and an LDAP bind requires credentials to be supplied.

9
MCQeasy

An organization wants to prevent users from accessing known malicious websites. Which Cisco WSA feature should be configured to block access based on website reputation?

A.SSL/TLS Decryption
B.URL Filtering
C.AMP File Scanning
D.AVC (Application Visibility and Control)
AnswerB

URL Filtering uses Talos web reputation to block malicious sites.

Why this answer

Cisco WSA uses Cisco Talos web reputation scores to block access to malicious websites based on their reputation.

10
MCQmedium

A security engineer is configuring the Cisco ESA to block spam. The engineer wants to rely on a reputation-based system that scores senders based on global email traffic patterns. Which technology should be used?

A.IronPort SenderBase reputation
B.DMARC verification
C.Cisco TALOS outbreak filters
D.AMP for Email
AnswerA

Correct. SenderBase provides SBRS scores based on global email traffic patterns.

Why this answer

IronPort SenderBase uses a reputation score (SBRS) ranging from -10 to +10 to classify senders as trusted or spam sources.

11
Multi-Selectmedium

Which TWO of the following are valid methods for deploying Cisco WSA? (Choose TWO.)

Select 2 answers
A.As a mail relay
B.As a DNS server
C.Inline with firewall port mirroring
D.Explicit proxy (browser configuration)
E.Transparent proxy via WCCP
AnswersD, E

Explicit proxy requires browser proxy settings.

Why this answer

Cisco WSA can be deployed as an explicit proxy (browsers configured to use it) or as a transparent proxy using WCCP or other redirection methods.

12
MCQmedium

Which Cisco NGFW technology can be used to block social media categories such as Facebook and Twitter during business hours?

A.TLS Server Identity Discovery
B.URL Filtering
C.Intrusion Prevention
D.Application Control
AnswerB

URL filtering on Firepower can block entire URL categories like social media.

Why this answer

Firepower URL filtering allows blocking by category, including social media.

13
MCQmedium

Which Cisco content security solution provides DNS-layer protection and a cloud proxy to enforce security policies?

A.Cisco ESA
B.Cisco Firepower NGFW
C.Cisco WSA
D.Cisco Umbrella SIG
AnswerD

Umbrella SIG combines DNS security and cloud proxy.

Why this answer

Cisco Umbrella SIG provides DNS security and a cloud-based proxy for web filtering.

14
MCQhard

During a phishing simulation, an employee receives an email that appears to be from the CEO requesting an urgent wire transfer. This type of attack is known as:

A.Whaling
B.Business Email Compromise (BEC)
C.Spear phishing
D.Malspam
AnswerB

BEC involves impersonating executives to request money transfers.

Why this answer

Business Email Compromise (BEC) is a targeted attack where the attacker impersonates a senior executive to request fraudulent transfers.

15
MCQmedium

Which email authentication method allows the domain owner to publish a policy that instructs receiving mail servers on how to handle messages that fail SPF and DKIM checks?

A.DMARC
B.SPF
C.SenderBase
D.DKIM
AnswerA

Correct. DMARC provides a policy framework.

Why this answer

DMARC builds on SPF and DKIM to specify policies (none, quarantine, reject) for failed messages.

16
MCQhard

During an email security audit, it is discovered that some phishing emails are passing through the Cisco ESA. Analysis shows the emails have valid SPF and DKIM signatures but are classified as phishing. What additional Cisco ESA feature should be tuned to improve detection?

A.Disable SPF checking
B.Increase the SBRS threshold
C.Enable DMARC with reject policy
D.Reduce DLP scanning sensitivity
AnswerC

DMARC adds an alignment check: SPF and DKIM can both pass for the attacker's own sending domain while the visible From header still carries the spoofed domain.

Why this answer

SPF and DKIM validate the envelope sender and the signing domain, not the From address the user sees, so a phishing message sent from infrastructure the attacker controls can pass both. DMARC verification on the ESA adds the alignment test (the SPF or DKIM domain must match the From domain) and applies the policy published by the owner of the From domain; if your own domain is the one being spoofed, publish p=reject so receivers, including your ESA, drop the forgeries. Tuning anti-spam or Outbreak Filters can help as well, but they do not close the alignment gap.

17
MCQmedium

An organization uses Cisco ESA to enforce DLP policies. Which of the following is an example of a DLP policy that can be configured on the ESA?

A.Scanning for credit card numbers in outbound email
B.Blocking email attachments over 10 MB
C.Quarantining messages with malware
D.Filtering spam based on SenderBase reputation
AnswerA

Correct. DLP policies identify sensitive data like credit card numbers.

Why this answer

DLP policies on ESA scan for patterns like credit card numbers, SSNs, etc., in outbound email to prevent data leaks.

18
MCQmedium

An organization wants to implement URL filtering based on user identity. The Cisco WSA must integrate with which directory service to apply policies per user or group?

A.Active Directory
D.LDAP
AnswerA

AD integration allows WSA to map users to groups for policy enforcement.

Why this answer

Cisco WSA integrates with Active Directory for identity-based policies.

19
MCQmedium

A network administrator is configuring Cisco WSA to intercept web traffic transparently. Which protocol should be used to redirect traffic from the router to the WSA?

A.SSL/TLS Decryption
B.WCCP
C.HTTP Proxy with PAC files
D.Active Directory integration
AnswerB

WCCP enables transparent redirection of web traffic to the WSA.

Why this answer

WCCP (Web Cache Communication Protocol) is used to transparently redirect web traffic from routers or switches to the WSA.

20
MCQmedium

An organization wants to enforce a policy that blocks outbound emails containing Social Security numbers. Which feature of Cisco ESA should be configured?

A.DLP Policies
B.Anti-Spam
C.AMP for Email
D.Outbreak Filters
AnswerA

DLP policies are designed to detect and prevent sensitive data leakage.

Why this answer

DLP policies on Cisco ESA scan outbound email for sensitive data patterns like SSNs.

21
MCQeasy

Which Cisco security solution provides DNS-layer security to block access to malicious domains before a connection is established?

A.Cisco Umbrella
B.Cisco ESA
C.Cisco WSA
D.Cisco Firepower NGFW
AnswerA

Correct. Umbrella provides DNS security and cloud proxy.

Why this answer

Cisco Umbrella operates at the DNS layer to block requests to malicious domains.

22
MCQmedium

A network administrator wants to deploy Cisco WSA as a transparent proxy using WCCP. Which traffic redirection method does WCCP use?

A.GRE tunneling
B.WCCP redirects traffic from the router to the WSA
C.DNS redirection
D.PAC file configuration on clients
AnswerB

WCCP lets the router or switch intercept web traffic and redirect it to the WSA without any client configuration.

Why this answer

WCCP allows routers to redirect web traffic to the WSA transparently without client configuration. The redirected packets are forwarded to the WSA either inside a GRE tunnel or by Layer 2 MAC rewrite (the forwarding method is negotiated between the router and the WSA), so option A names one WCCP forwarding method rather than the redirection mechanism itself.

23
MCQhard

A SOC analyst notices that a user downloaded a malicious file from a website. The Cisco WSA is configured with AMP file scanning. However, the file was not blocked. Which scenario best explains why AMP failed to detect the file?

A.The file was a zero-day malware not yet analyzed by AMP
B.The file was cached from a previous scan
C.The file was less than 10 KB
D.SSL decryption was disabled
AnswerA

Correct. Zero-day files may not have a known reputation and could be allowed.

Why this answer

AMP uses SHA-256 cloud lookup and sandboxing. If the file is new and unknown (zero-day), the cloud may not have a disposition, and if sandboxing is not enabled or the file type is not analyzed, it could be allowed.

24
MCQeasy

Which Cisco email security feature uses SHA-256 hash lookups to detect known malware in email attachments?

A.Outbreak filters
B.AMP for Email
C.Anti-spam
D.DLP policies
AnswerB

AMP for Email performs SHA-256 cloud lookups and file sandboxing.

Why this answer

Cisco AMP for Email uses SHA-256 hashing to compare file hashes against a cloud database of known malware. If a match is found, the email is blocked or quarantined.

25
Multi-Selectmedium

A security analyst is investigating a Business Email Compromise (BEC) attack. Which two indicators are commonly associated with BEC attacks? (Choose two.)

Select 2 answers
A.Spoofed email address resembling a legitimate executive
B.Malicious attachment with ransomware
C.Presence of a phishing URL
D.Encrypted ZIP file attachment
E.Urgent request for wire transfer or gift cards
AnswersA, E

Correct. BEC uses spoofing to impersonate executives.

Why this answer

BEC attacks often involve spoofed email addresses (domain lookalikes) and urgent requests for wire transfers or sensitive data.

26
Multi-Selectmedium

A company is using Cisco WSA with transparent proxy via WCCP. The security team wants to identify which users are accessing banned websites and also enforce bandwidth limits for video streaming. Which TWO features should be configured on the WSA?

Select 2 answers
A.Identity-based policies with AD integration
B.AMP file scanning
C.Bandwidth controls
D.SSL/TLS decryption
E.URL filtering categories
AnswersA, C

Allows mapping web traffic to specific users for logging and policy enforcement.

Why this answer

Identity-based policies allow user identification via AD, and bandwidth controls can limit traffic per user or group.

27
MCQhard

An organization wants to use Cisco Umbrella SIG to enforce security policy for remote users. Which deployment method allows Umbrella to inspect traffic for all ports and protocols, not just DNS?

A.Configuring a PAC file for proxy
B.Using IPsec tunnel to Umbrella
C.DNS-layer enforcement only
D.Deploying the Umbrella roaming client
AnswerD

Correct. The roaming client forwards remote users' traffic to the SIG cloud so policy is enforced off the corporate network.

Why this answer

Umbrella SIG (Secure Internet Gateway) bundles DNS-layer security, a cloud secure web gateway, a cloud-delivered firewall and CASB controls. Remote users reach it through the Umbrella roaming security module of Cisco Secure Client (AnyConnect), which forwards DNS and web traffic to the cloud when the user is off-network; sites reach the cloud-delivered firewall through an IPsec tunnel. Caveat for practitioners: the legacy standalone Umbrella roaming client covers DNS only, and the cloud-delivered firewall that inspects all ports and protocols is reached over IPsec (option B), so the exam answer assumes the Secure Client module. Check which client your deployment actually uses before relying on full-protocol coverage.

28
MCQeasy

Which Cisco technology uses SHA-256 file hashes to determine if a file is malicious by querying a cloud database?

A.DLP Policies
B.Outbreak Filters
C.SenderBase Reputation
D.AMP for Email
AnswerD

AMP for Email sends file SHA-256 to the cloud for analysis.

Why this answer

AMP for Email uses SHA-256 cloud lookup to compare file hashes against known threats.

29
MCQeasy

To protect against phishing attacks that use fraudulent emails to trick users into revealing credentials, which email authentication technology verifies the sending domain's DNS records for a digital signature?

A.DMARC
B.SenderBase
C.SPF
D.DKIM
AnswerD

DKIM adds a digital signature to the email header, verified via DNS.

Why this answer

DKIM uses a digital signature to verify the email originated from the claimed domain.

30
MCQmedium

An organization using Cisco WSA in transparent proxy mode with WCCP redirect notices that some HTTPS traffic is not being decrypted for inspection. The administrator has enabled SSL decryption but certain traffic still bypasses. What is the most likely cause?

A.The clients are not configured to use a proxy
B.The web server certificate is self-signed
C.The WSA is operating in explicit proxy mode
D.The SSL decryption policy is not set to decrypt on port 443
AnswerD

HTTPS traffic typically uses port 443. If the decryption policy does not include port 443, it will not be decrypted.

Why this answer

In transparent proxy mode, SSL decryption requires that the WSA is positioned in the traffic path (e.g., via WCCP). If decryption is not happening, the WSA may not be intercepting the traffic correctly, often due to the destination port not being included in the decryption policy or the traffic being non-HTTP.

31
Multi-Selectmedium

A company is experiencing an increase in spear-phishing attacks targeting executives. Which TWO Cisco ESA features should be configured to mitigate this threat?

Select 2 answers
A.Anti-spam (SenderBase)
B.BEC impersonation protection
C.DMARC verification
D.DLP policies
E.Outbreak Filters
AnswersB, C

Specifically designed to detect impersonation of executives.

Why this answer

Forged Email Detection (the ESA's impersonation protection for BEC) flags messages whose From display name matches an executive but whose address does not, and DMARC verification rejects or quarantines messages that spoof a protected domain. Anti-spam and Outbreak Filters are tuned for volume and outbreak patterns and often miss a single targeted message that carries no link or attachment.

32
MCQmedium

A security administrator receives an alert that an email with an attachment was blocked by the Cisco Email Security Appliance (ESA). The attachment was identified as malware using cloud lookup. Which technology was used to detect the threat?

A.IronPort SenderBase Reputation Score (SBRS)
B.Outbreak Filters
C.Data Loss Prevention (DLP) policies
D.AMP for Email with SHA-256 cloud lookup
AnswerD

AMP for Email uses SHA-256 cloud lookups to detect known malware.

Why this answer

Cisco ESA uses Advanced Malware Protection (AMP) for Email, which performs SHA-256 cloud lookups to detect known malware.

33
Multi-Selecthard

A financial institution uses Cisco ESA and wants to protect against spear phishing attacks targeting executives. The security team configures DMARC with a 'reject' policy for the corporate domain. Additionally, they want to ensure that emails from external sources claiming to be from the CEO are flagged and quarantined. Which THREE security measures should be implemented?

Select 3 answers
A.Outbreak filters
B.Impersonation protection (display name spoofing detection)
C.Anti-phishing filters with machine learning
D.DMARC reject policy
E.Anti-spam with SenderBase
AnswersB, C, D

Detects when the display name is spoofed even if the domain is legitimate.

Why this answer

DMARC reject policy handles spoofed domains; impersonation protection can catch display name spoofing; and anti-phishing filters with machine learning detect advanced phishing attempts.

34
Multi-Selecthard

A security team is investigating an email threat that bypassed the Cisco ESA. The email appears to be from the CFO asking for a wire transfer. Which THREE of the following are characteristics of this attack? (Choose THREE.)

Select 3 answers
A.It is a type of phishing known as Business Email Compromise (BEC).
B.It is easily blocked by anti-spam filters.
C.It impersonates a senior executive to request financial transactions.
D.It relies on social engineering rather than technical exploits.
E.It uses malware attachments to compromise the system.
AnswersA, C, D

BEC is a targeted phishing attack impersonating executives.

Why this answer

This is a Business Email Compromise (BEC) attack, which often involves spoofing, impersonation of executives, and social engineering to request financial transfers.

35
MCQmedium

A company is deploying Cisco Secure Web (WSA) and wants to integrate with Active Directory for user-based policies. The proxy is in transparent mode. Which technology allows the WSA to identify users transparently without requiring client configuration?

A.Explicit proxy configuration on browsers
B.WCCP redirect
C.Transparent user identification (TUI)
D.Kerberos authentication proxy
AnswerC

TUI allows the WSA to identify users transparently via AD integration.

Why this answer

Transparent user identification (TUI) on the WSA maps the client IP address to an Active Directory username using logon events collected by an agent (Cisco Context Directory Agent or Cisco ISE), so no proxy settings, credential prompt or client software are needed. WCCP only redirects packets, an explicit proxy needs browser configuration, and a Kerberos proxy still requires the client to obtain and present a ticket.

36
Multi-Selecthard

An organization uses Cisco Firepower NGFW to enforce content security policies. The security team wants to block all social media traffic during business hours but allow access during lunch breaks. Additionally, they want to detect and alert on any SSL connections to unknown destinations that might indicate data exfiltration. Which THREE capabilities of the NGFW should be combined to achieve these objectives?

Select 3 answers
A.Intrusion prevention system (IPS)
B.URL filtering based on time schedules
C.Application control
D.TLS server identity discovery
E.AMP file scanning
AnswersB, C, D

Allows blocking social media categories during specific hours.

Why this answer

URL filtering blocks categories by time, application control enforces policies per app, and TLS server identity discovery detects unknown destinations in encrypted traffic.

37
Multi-Selectmedium

A company is deploying Cisco ESA and wants to protect against malware delivered via email attachments. Which TWO features can be used together to provide both signature-based detection and behavioral analysis?

Select 2 answers
A.SHA-256 cloud lookup
B.Outbreak filters
C.DLP policies
D.File sandboxing
E.Anti-spam with SenderBase
AnswersA, D

This provides signature-based detection by comparing file hashes against known malware.

Why this answer

AMP for Email uses SHA-256 cloud lookup for known malware and file sandboxing for unknown files to detect malicious behavior.
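The following Python is an added example, not code from the question bank or from Cisco's AMP implementation. It models the verdict flow that questions 23, 24, 28, 32 and 37 describe: a SHA-256 lookup against a reputation cache, a sandbox stage for files with no known disposition, and the retrospective cache update after the sandbox returns. The reputation cache, the sample file contents, the list of sandboxed file types and the sandbox stand-in (which only looks for a constructed behavioural marker) are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Disposition(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"


@dataclass
class Verdict:
    action: str               # "allow" or "block"
    disposition: Disposition
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "attachments". Only the first two have a known disposition.
KNOWN_MALWARE = b"constructed sample: known malware"
KNOWN_CLEAN = b"constructed sample: clean invoice.pdf"
ZERO_DAY = b"constructed sample: never seen before; drops-and-runs-payload"

# Stand-in for the AMP cloud: SHA-256 digest -> disposition.
CLOUD_REPUTATION = {
    sha256_hex(KNOWN_MALWARE): Disposition.MALICIOUS,
    sha256_hex(KNOWN_CLEAN): Disposition.CLEAN,
}

# File types the (hypothetical) sandbox is configured to analyse.
SANDBOXED_TYPES = {"exe", "dll", "pdf", "docm"}


def cloud_lookup(digest: str, cache: dict) -> Disposition:
    """Reputation lookup by hash; anything not yet seen is UNKNOWN."""
    return cache.get(digest, Disposition.UNKNOWN)


def sandbox_analyze(data: bytes) -> Disposition:
    """Stand-in for behavioural analysis. A real sandbox detonates the file;
    this one only looks for a constructed behavioural marker."""
    return Disposition.MALICIOUS if b"drops-and-runs" in data else Disposition.CLEAN


def scan_file(data: bytes, file_type: str, sandbox_enabled: bool,
              cache: dict) -> Verdict:
    """Hash lookup first, sandbox only for unknown hashes of sandboxed types."""
    digest = sha256_hex(data)
    disposition = cloud_lookup(digest, cache)

    if disposition is Disposition.MALICIOUS:
        return Verdict("block", disposition, "known malicious hash")
    if disposition is Disposition.CLEAN:
        return Verdict("allow", disposition, "known clean hash")

    # Unknown hash: this is exactly the failure mode question 23 describes.
    if not sandbox_enabled or file_type not in SANDBOXED_TYPES:
        return Verdict("allow", Disposition.UNKNOWN,
                       "unknown hash and no sandbox for this file type")

    disposition = sandbox_analyze(data)
    cache[digest] = disposition   # retrospective update: next lookup is instant
    action = "block" if disposition is Disposition.MALICIOUS else "allow"
    return Verdict(action, disposition, "sandbox verdict")
```

Scanning the zero-day sample with the sandbox disabled returns an allow with an UNKNOWN disposition; scanning it with the sandbox enabled blocks it and populates the cache, after which even a sandbox-disabled scan blocks on the hash alone. The cache is passed in explicitly so the retrospective update is visible rather than hidden in module state.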

38
MCQmedium

An organization is using Cisco Firepower NGFW to enforce content filtering. They want to block social media applications like Facebook and Twitter but allow LinkedIn for business purposes. Which feature should be used to differentiate between these applications?

A.URL filtering based on categories
B.Intrusion policy
C.Application control with application filters
D.TLS server identity discovery
AnswerC

Application control allows blocking specific applications or subcategories, providing granularity.

Why this answer

Firepower NGFW uses application control to identify and block specific applications. By creating a rule that blocks the 'Social Networking' category but then allows 'LinkedIn' specifically (or blocks Facebook and Twitter by application), the administrator can achieve granular control.

39
Multi-Selecthard

A SOC analyst is investigating a BEC attack. Which three indicators should be examined in the email headers to detect the spoofing? (Choose three.)

Select 3 answers
A.DKIM result
B.SPF result
C.Subject line
D.DMARC result
E.Message body content
AnswersA, B, D

DKIM fail means signature invalid.

Why this answer

The SPF, DKIM and DMARC results (normally in the Authentication-Results header) show whether the message was authenticated and whether the authenticated domain aligned with the From domain. Trust only the Authentication-Results header stamped by your own ESA or MX: the subject and body are chosen freely by the attacker and prove nothing about origin, and any Authentication-Results header that arrived with the message can have been forged unless the boundary MTA strips pre-existing ones.
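As an added example that is not part of the original question set, the Python below performs the header triage described in questions 33 and 39: it reads the SPF, DKIM and DMARC results from the Authentication-Results header stamped by a trusted authserv-id, checks the From display name against a directory of executives, flags look-alike sending domains by edit distance, and notes a Reply-To that points elsewhere. The executive directory, the trusted domains and both sample messages are constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed directory of people attackers like to impersonate, and the
# domains the organisation legitimately sends from.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
TRUSTED_DOMAINS = {"example.com"}


def parse_auth_results(value: str) -> dict:
    """Reduce an Authentication-Results header (RFC 8601) to {method: result}.
    The first ';'-separated field is the authserv-id and is skipped."""
    results = {}
    for clause in value.split(";")[1:]:
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_indicators(raw_message: str, authserv_id: str) -> list:
    """Return the BEC indicators found in one message. Only the
    Authentication-Results header carrying our own authserv_id is read;
    the boundary MTA is assumed to strip any such header that arrived
    from outside, otherwise an attacker could forge a 'pass'."""
    msg = email.message_from_string(raw_message)
    found = []

    auth = {}
    for hdr in msg.get_all("Authentication-Results", []):
        if hdr.split(";", 1)[0].strip().lower() == authserv_id.lower():
            auth = parse_auth_results(hdr)
    for method in ("spf", "dkim", "dmarc"):
        result = auth.get(method, "none")
        if result != "pass":
            found.append(f"{method}_{result}")

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        found.append("display_name_impersonation")

    if from_domain not in TRUSTED_DOMAINS and any(
            0 < edit_distance(from_domain, t) <= 2 for t in TRUSTED_DOMAINS):
        found.append("lookalike_domain")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        found.append("reply_to_mismatch")
    return found


# Constructed sample messages (only the headers matter here).
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: payments@freemail.invalid
To: bob@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=none header.from=examp1e.com

Please wire the funds today and keep this confidential.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Q3 numbers
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

See attached.
"""
```

Note that SPF passes for the suspicious message: the attacker owns examp1e.com and can publish whatever SPF record they like, which is why the authentication results alone do not decide the case and the display-name and look-alike checks matter.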

40
MCQeasy

Which Cisco technology uses SenderBase reputation scores (SBRS) to evaluate incoming email?

A.Cisco ESA anti-spam
B.Cisco Firepower intrusion prevention
C.Cisco WSA URL filtering
D.Cisco Umbrella DNS security
AnswerA

SenderBase reputation filtering is the first anti-spam stage on the ESA.

Why this answer

Cisco ESA uses IronPort SenderBase reputation to assign a score (-10 to +10) to senders to determine spam likelihood.

41
MCQeasy

A company wants to block social media access for employees during work hours. Which Cisco Firepower NGFW feature should be used to achieve this?

A.DLP Policies
B.URL Filtering
C.TLS Server Identity Discovery
D.Application Control
AnswerD

Application control can block social media applications regardless of URL.

Why this answer

Firepower NGFW application control can block specific application categories such as social media.

42
MCQhard

An email administrator receives reports of a targeted phishing campaign where attackers impersonate the CEO to request wire transfers. Which Cisco ESA feature provides the best defense against this Business Email Compromise (BEC) attack?

A.Outbreak Filters
B.Anti-spam with SenderBase reputation
C.DMARC verification
D.DLP policies
AnswerC

DMARC uses SPF and DKIM to authenticate the sender's domain and reject spoofed emails.

Why this answer

DMARC verification checks that SPF or DKIM passed for a domain aligned with the From header and applies the policy published by the CEO's domain, so exact-domain spoofing of a protected domain is rejected or quarantined. It does not cover display-name spoofing or look-alike domains, which the ESA's Forged Email Detection addresses; deploy both for BEC.

43
MCQeasy

Which Cisco cloud-based security solution provides DNS-layer security to block requests to malicious domains?

A.Cisco Umbrella SIG
B.Cisco Firepower NGFW
C.Cisco WSA
D.Cisco ESA
AnswerA

Umbrella SIG provides DNS-layer security as a cloud service.

Why this answer

Cisco Umbrella SIG (Secure Internet Gateway) is a cloud-delivered security solution that provides DNS-layer security by intercepting and analyzing DNS queries. When a user attempts to resolve a domain, Umbrella checks the request against its threat intelligence database and blocks the resolution if the domain is known to be malicious, preventing the connection before it is established.

Exam trap

Cisco often tests the distinction between DNS-layer security (Umbrella) and proxy-based security (WSA), so the trap here is that candidates may confuse Cisco WSA's URL filtering with Umbrella's DNS-layer blocking, not realizing that WSA operates at the application layer after the DNS resolution has already occurred.

How to eliminate wrong answers

Option B is wrong because Cisco Firepower NGFW is a next-generation firewall that provides stateful inspection, intrusion prevention and application visibility; its DNS Security Intelligence lists are enforced on the firewall in the traffic path, not as a cloud-delivered resolver service, and its URL filtering via Cisco Talos operates after resolution. Option C is wrong because Cisco WSA (Web Security Appliance) is an on-premises or cloud-based proxy that filters HTTP/HTTPS traffic at the application layer, but it does not operate at the DNS layer to block malicious domain requests before the connection is made. Option D is wrong because Cisco ESA (Email Security Appliance) is designed to protect against email-borne threats such as spam, phishing and malware, and it does not provide DNS-layer security for general web traffic.

44
MCQeasy

Which Cisco technology provides visibility into the performance of SaaS applications such as Microsoft 365?

A.Cisco WSA
B.Cisco ESA
C.Cisco ThousandEyes
D.Cisco Umbrella SIG
AnswerC

Correct. ThousandEyes monitors SaaS performance.

Why this answer

Cisco ThousandEyes is correct because it provides end-to-end visibility into the performance of SaaS applications like Microsoft 365 by using cloud-based agents and enterprise agents to monitor network paths, application latency, and packet loss. It specifically measures the user experience for SaaS services through synthetic testing and real-user monitoring, identifying issues such as ISP throttling or routing problems that affect Microsoft 365 performance.

Exam trap

Cisco often tests the distinction between security-focused tools (WSA, ESA, Umbrella) and performance/visibility tools (ThousandEyes), so the trap here is assuming that a security gateway like Umbrella SIG can also provide application performance monitoring, when in fact it only provides security policy enforcement and not deep performance analytics.

How to eliminate wrong answers

Option A is wrong because Cisco WSA (Web Security Appliance) is a proxy-based web security gateway that enforces URL filtering and malware protection, but it does not provide performance visibility into SaaS applications. Option B is wrong because Cisco ESA (Email Security Appliance) focuses on email security, including spam and phishing detection, and has no capability to monitor SaaS application performance. Option D is wrong because Cisco Umbrella SIG (Secure Internet Gateway) is a cloud-delivered security solution that provides DNS-layer security and web filtering, but it does not offer the deep, agent-based performance monitoring and path analysis that ThousandEyes provides for SaaS applications.

45
MCQhard

An organization is implementing email authentication to prevent domain spoofing. They have deployed SPF and DKIM. Which additional record should they publish to instruct receiving mail servers on how to handle emails that fail SPF or DKIM checks?

A.CNAME record for DKIM
B.TXT record with v=spf1
C.MX record with priority 0
D.DMARC TXT record
AnswerD

DMARC defines policy for handling authentication failures.

Why this answer

DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers how to handle emails that fail SPF/DKIM (e.g., reject or quarantine).
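The following Python is an added example, not part of the question bank and not an ESA implementation. It carries out the receiver-side DMARC evaluation that questions 15, 16, 42 and 45 describe: parse the published _dmarc TXT record, test SPF and DKIM for identifier alignment with the From domain under the record's strict or relaxed modes, and return the disposition (none, quarantine or reject, with the subdomain policy sp= applied where relevant). The record and the test inputs are constructed; the organisational-domain helper is simplified and does not consult the Public Suffix List.

```python
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse the _dmarc TXT record into a tag dict, e.g.
    'v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r'."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels. A real
    verifier uses the Public Suffix List so that e.g. co.uk is handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class DmarcOutcome:
    result: str        # "pass" or "fail"
    disposition: str   # "none", "quarantine" or "reject"
    spf_ok: bool       # SPF passed AND aligned
    dkim_ok: bool      # DKIM passed AND aligned


def evaluate_dmarc(record: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> DmarcOutcome:
    """Receiver-side DMARC: at least one of SPF or DKIM must pass *and*
    align with the RFC5322.From domain; otherwise apply the published policy."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return DmarcOutcome("pass", "none", spf_ok, dkim_ok)
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]            # subdomain policy applies to subdomains
    return DmarcOutcome("fail", policy.lower(), spf_ok, dkim_ok)


# Constructed record for the example domain.
EXAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
```

The first test below is the situation in question 16: SPF and DKIM both pass, but for the attacker's own domains, so neither aligns with example.com and the published p=reject applies. The later tests show relaxed SPF alignment accepting a subdomain in MAIL FROM, strict DKIM alignment rejecting d=mail.example.com, and sp= taking over for a From address at news.example.com.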

46
Multi-Selectmedium

Which TWO statements about Cisco Umbrella SIG are true?

Select 2 answers
A.It only protects traffic that goes through a VPN
B.It can enforce URL filtering policies via a cloud proxy
C.It operates as a DNS resolver that blocks malicious domain requests
D.It requires on-premises hardware for deployment
E.It does not provide reporting or analytics
AnswersB, C

Umbrella SIG includes a cloud proxy that can apply URL filtering.

Why this answer

Cisco Umbrella SIG provides cloud-based security including DNS-layer filtering and a cloud proxy. It can enforce URL filtering and blocks threats before connection. It does not require on-premises hardware and can be used with any internet connection.

47
MCQeasy

An organization wants to prevent employees from accessing social media websites during work hours. Which Cisco WSA feature should be used to enforce this policy?

A.SSL/TLS decryption
B.AMP file scanning
C.AVC (Application Visibility and Control)
D.URL filtering
AnswerD

Correct. URL filtering blocks or allows access based on categories like social media.

Why this answer

Cisco WSA URL filtering uses categories (e.g., social media) to allow or block access based on policy.

48
MCQhard

A company is using Cisco WSA with explicit proxy mode. The security team wants to enforce HTTPS inspection for all web traffic from the finance department to detect malicious content in encrypted connections. However, they want to exclude traffic to financial institutions' websites due to compliance reasons. Which configuration approach should be used to achieve this?

A.Configure a policy for the finance department with HTTPS inspection enabled and add a bypass rule for the Financial Services URL category.
B.Disable HTTPS inspection globally and enable it only for the finance department using a custom policy.
C.Configure SSL/TLS decryption on the firewall instead of the WSA.
D.Use transparent proxy mode with WCCP redirect to bypass inspection for financial sites.
AnswerA

This allows inspection for the finance department while bypassing for financial institutions.

Why this answer

On the WSA, HTTPS inspection is governed by Decryption Policies. Scope a decryption policy to the finance identity that decrypts the categories you want inspected, and give the Financial Services URL category the Pass Through action so those sessions are tunnelled without decryption. Disabling inspection globally (B) defeats the goal, moving decryption to the firewall (C) changes the product rather than the policy, and switching to transparent mode (D) does not by itself bypass anything.

49
MCQmedium

Which Cisco Umbrella feature provides protection against malicious domains by blocking DNS requests to known bad sites?

A.Cloud Proxy
B.DNS Security
C.Secure Web Gateway
D.ThousandEyes
AnswerB

DNS security is the core of Umbrella's protection, blocking malicious domains at the DNS layer.

Why this answer

Cisco Umbrella SIG uses DNS security to block requests to malicious domains.

50
MCQhard

A security engineer is configuring Cisco WSA in explicit proxy mode. Which traffic interception method is being used when each endpoint browser is configured with the proxy address?

A.WCCP redirect
B.Policy-Based Routing
C.Explicit proxy
D.Transparent proxy
AnswerC

Explicit proxy requires the client to be configured to use the proxy.

Why this answer

Explicit proxy requires manual browser configuration; transparent proxy uses WCCP or PBR.

51
Multi-Selectmedium

An administrator is configuring Cisco ESA to protect against Business Email Compromise (BEC) attacks. Which TWO of the following features are most effective in detecting and mitigating BEC?

Select 2 answers
A.Data Loss Prevention (DLP)
B.DMARC verification
C.SenderBase reputation
D.Outbreak filters
E.AMP for Email
AnswersA, B

DLP can detect and block sensitive data sent to unauthorized recipients, a common BEC goal.

Why this answer

BEC attacks often involve spoofed or compromised accounts. DMARC helps prevent domain spoofing, and DLP can detect sensitive data being sent to unauthorized recipients. Forged Email Detection (FED) is also relevant, but DMARC and DLP are the standard ESA features listed here for BEC.

52
Multi-Select · medium

A company is deploying Cisco Umbrella SIG to protect against malware and phishing. The security team wants to ensure that even if a user clicks on a malicious link in an email, the traffic is inspected and blocked if needed. Which TWO features of Umbrella can be used to provide this protection?

Select 2 answers
A. SSL/TLS decryption on the proxy
B. ThousandEyes agents
C. Cloud proxy with URL filtering
D. DNS security layer
E. AMP for mobile devices
Answers: C, D

Inspects web traffic and can block malicious URLs even if the domain is not blocked by DNS.

Why this answer

DNS security blocks malicious domains at the DNS lookup stage, and cloud proxy can inspect HTTP/HTTPS traffic to block malicious content even if DNS is bypassed.

53
Multi-Select · medium

An organization wants to block access to malicious websites using Cisco Umbrella. Which two protection layers are available with the Umbrella SIG? (Choose two.)

Select 2 answers
B. Cloud proxy
C. DNS security
D. VPN termination
E. Email sandboxing
Answers: B, C

Cloud proxy inspects HTTP/HTTPS traffic.

Why this answer

Umbrella SIG includes DNS security and cloud proxy for web traffic filtering.

54
Multi-Select · hard

An organization is deploying Cisco WSA in explicit proxy mode. Which three considerations are important for this deployment? (Choose three.)

Select 3 answers
A. Client browsers must be configured to use the proxy
B. SSL decryption can be performed on the proxy
C. Network changes are required on all endpoints
D. The proxy IP address must be configured on the router for WCCP
E. Authentication can be enforced at the proxy
Answers: A, B, E

Correct. Explicit proxy requires browser proxy settings.

Why this answer

Explicit proxy requires browser configuration (PAC file or manual), supports authentication, and can apply identity-based policies. Transparent proxy does not require client configuration.

55
MCQ · medium

An organization is using Cisco ESA and wants to ensure that emails sent from their domain are authenticated using a cryptographic signature. Which email authentication method should be configured?

A. DMARC
B. SPF
C. SenderBase
D. DKIM
Answer: D

DKIM provides a cryptographic signature for email authentication.

Why this answer

DKIM (DomainKeys Identified Mail) uses a digital signature to verify that an email was not tampered with and is from the claimed domain.

56
MCQ · medium

A Cisco WSA administrator wants to prioritize bandwidth for video conferencing applications while limiting recreational streaming. Which feature should be configured?

A. Bandwidth Controls
B. SSL/TLS Decryption
C. Application Visibility and Control (AVC)
D. URL Filtering
Answer: A

Bandwidth controls allow setting per-application bandwidth limits.

Why this answer

Bandwidth controls on Cisco WSA allow setting bandwidth limits per application (via AVC) to prioritize critical applications and limit others.

57
MCQ · easy

What is the primary purpose of DMARC in email authentication?

A. To add a digital signature
B. To specify a policy for failed authentication
C. To encrypt email content
D. To verify the sending IP address
Answer: B

DMARC instructs receivers to quarantine or reject messages that fail authentication.

Why this answer

DMARC tells receiving servers how to handle emails that fail SPF or DKIM checks.

58
MCQ · medium

A security analyst notices that a user is downloading a file from a website. The Cisco WSA is configured to perform AMP file scanning. What happens when the file's SHA-256 hash is not found in the local cache?

A. The file is allowed immediately.
B. The file is sent to the cloud for analysis and a verdict is returned.
C. The file is quarantined until an administrator reviews it.
D. The file is blocked permanently.
Answer: B

AMP performs a cloud lookup or sandboxing to determine the file's safety.

Why this answer

Cisco WSA AMP file scanning performs a cloud lookup to check the file's reputation; if unknown, it may sandbox the file for analysis.

59
MCQ · medium

A security administrator notices that a significant volume of spam is bypassing the Cisco ESA's anti-spam filters. Upon investigation, they find that the messages have a mid-range SBRS score of 5.0. Which action should the administrator take to improve spam detection?

A. Change the SBRS score interpretation to positive
B. Lower the SBRS threshold to 3.0
C. Increase the SBRS threshold to 7.0
D. Disable SenderBase reputation checks
Answer: B

Lowering the threshold causes the ESA to treat messages with lower SBRS scores as spam, improving catch rates.

Why this answer

The SBRS score ranges from -10 to +10, with negative scores indicating spam. A score of 5.0 is considered likely legitimate. To catch more spam, the administrator should lower the threshold so that messages with scores above a lower value (e.g., 3.0) are treated as spam.

60
Multi-Select · easy

An organization wants to prevent sensitive data such as credit card numbers from being sent via email. Which TWO features of Cisco ESA can be used to achieve this?

Select 2 answers
A. Outbreak filters
B. Anti-spam filters
C. Content filters
D. SenderBase reputation
E. DLP policies
Answers: C, E

Content filters allow custom rules to block or modify emails based on content.

Why this answer

DLP policies scan for specific patterns like credit card numbers, and content filters can be used to block or quarantine matching emails.

61
MCQ · hard

A Cisco ESA administrator is investigating an increase in false positive detections from the outbreak filter. The filter is configured to use TALOS intelligence and has a threshold of 'Medium'. Which action would most effectively reduce false positives while maintaining protection against new outbreaks?

A. Change the threshold to 'Low'
B. Change the threshold to 'High'
C. Disable the outbreak filter
D. Exempt all internal senders from the filter
Answer: B

A higher threshold reduces false positives by requiring stronger evidence.

Why this answer

The outbreak filter uses TALOS threat intelligence to quarantine suspicious messages. Increasing the threshold to 'High' reduces sensitivity, meaning only messages with strong indicators of maliciousness will be flagged, reducing false positives.

62
Multi-Select · hard

A Cisco WSA administrator needs to implement HTTPS inspection for traffic from internal users. The administrator wants to avoid decrypting traffic to financial and healthcare sites due to compliance requirements. Which THREE actions should the administrator take to configure this policy?

Select 3 answers
A. Configure the proxy in explicit mode
B. Create a decryption policy with action 'Decrypt' for all traffic
C. Install the WSA's CA certificate on all client devices
D. Enable AMP file scanning for decrypted traffic
E. Add a bypass rule for the URL categories 'Finance' and 'Health'
Answers: B, C, E

This enables decryption by default.

Why this answer

To selectively decrypt, the administrator creates a decryption policy with the action 'Decrypt' for all traffic, then adds bypass rules (URL category exceptions) so that the 'Finance' and 'Health' categories are passed through without decryption. The WSA's CA certificate must also be deployed to all client devices so that browsers trust the certificates the proxy re-signs. The three required actions are therefore: create the decryption policy with action 'Decrypt', add bypass rules for the specified categories, and ensure the CA certificate is deployed.

63
MCQ · medium

A company wants to enforce that all outbound emails containing credit card numbers are blocked. Which Cisco ESA feature should be configured to achieve this?

A. DLP policies
B. Anti-Spam (SenderBase)
C. Outbreak Filters
D. AMP for Email
Answer: A

DLP policies detect and block sensitive data in outbound emails.

Why this answer

Data Loss Prevention (DLP) policies on Cisco ESA can scan outbound emails for sensitive data like credit card numbers and block them.

64
MCQ · medium

A company is implementing DMARC for its domain. The administrator wants to instruct receivers to reject emails that fail SPF or DKIM checks. Which DMARC policy should the administrator set?

A. p=quarantine
B. p=none
C. p=reject
D. p=deny
Answer: C

p=reject instructs receivers to reject emails that fail authentication.

Why this answer

DMARC policy options are: none (monitor), quarantine (send to spam), or reject (block). To reject failing messages, the administrator sets p=reject in the DMARC DNS record.

65
MCQ · easy

Which Cisco WSA feature allows administrators to control bandwidth usage per user or group by limiting the amount of bandwidth consumed for specific applications?

A. URL filtering
B. AVC (Application Visibility and Control)
C. Bandwidth controls
D. Decryption policies
Answer: C

Bandwidth controls enforce traffic shaping and limits per policy.

Why this answer

The WSA includes bandwidth controls that can be applied per user/group and per application category, allowing traffic shaping and rate limiting.

66
MCQ · hard

A company using Cisco ESA receives an email that appears to be from the CEO requesting an urgent wire transfer. The email fails SPF and DKIM checks but passes DMARC. What is the most likely explanation?

A. The email passed SPF alignment
B. DMARC policy is set to 'p=none'
C. DKIM signature was valid but not aligned
D. The sender IP is in the SPF whitelist
Answer: B

Correct. DMARC with 'p=none' only monitors and does not affect delivery.

Why this answer

DMARC policy can be set to 'none' (monitoring only) or 'quarantine'/'reject' based on SPF/DKIM alignment. If DMARC passes, it means the policy is not enforced, or the SPF/DKIM alignment still passes despite individual failures. However, if SPF and DKIM both fail, DMARC would also fail unless the policy is 'none'.

The scenario suggests DMARC is set to 'none', so no action is taken.

67
MCQ · medium

A Cisco WSA administrator wants to block access to social media sites for all users during work hours. The proxy is deployed in explicit mode. Which policy type should the administrator use to enforce this restriction?

A. Access policy
B. Identity policy
C. Routing policy
D. Decryption policy
Answer: A

Access policies enforce rules on URL filtering, application control, and time-based restrictions.

Why this answer

In explicit proxy mode, the WSA uses access policies to control web traffic based on URL categories. The administrator should create an access policy that identifies social media traffic and sets the action to 'Block'.

68
MCQ · medium

An organization using Cisco Firepower NGFW wants to block all social media traffic while allowing other web traffic. Which feature should be configured?

A. Intrusion prevention
B. URL filtering
C. TLS server identity discovery
D. Application control
Answer: B

URL filtering blocks entire categories of websites.

Why this answer

Firepower URL filtering can block categories such as 'Social Networking' to prevent access to social media sites.

69
MCQ · hard

In Cisco ESA, which feature uses TALOS intelligence to provide real-time protection against newly identified email threats before signature updates are available?

A. Outbreak Filters
B. DLP Policies
C. Anti-Spam
D. AMP for Email
Answer: A

Outbreak Filters use TALOS to catch zero-hour threats.

Why this answer

Outbreak Filters leverage TALOS to detect emerging threats in near real-time.

70
MCQ · hard

A security engineer is configuring Cisco WSA for HTTPS inspection but notices that some encrypted traffic is being bypassed. The WSA is configured with a decryption policy that excludes traffic to financial websites. What is the most likely reason for the bypass?

A. The WSA's certificate is not trusted by clients
B. The WSA is in explicit proxy mode
C. TLS version is incompatible
D. The decryption policy has an exception for financial services
Answer: D

Explicit exceptions in decryption policies prevent inspection.

Why this answer

If the decryption policy excludes certain categories (e.g., Financial), those sites will not be decrypted and will bypass inspection.

71
Multi-Select · medium

A security analyst notices that emails from a trusted partner's domain are being quarantined by the Cisco ESA. The analyst wants to verify the email authentication status. Which TWO authentication mechanisms should be checked?

Select 2 answers
A. SenderBase
B. DKIM
C. SPF
D. DMARC
E. TALOS
Answers: B, C

DKIM provides a digital signature.

Why this answer

SPF and DKIM are used to authenticate email senders and verify domain ownership.

72
MCQ · easy

An organization wants to prevent outbound email containing credit card numbers from leaving the network. Which Cisco ESA feature should be configured?

A. AMP for Email
B. DLP Policies
C. Anti-spam (SenderBase)
D. Outbreak Filters
Answer: B

DLP policies inspect outbound email for regulated content.

Why this answer

The Cisco ESA DLP feature scans outbound email for sensitive data like credit card numbers and can block or quarantine such messages.

73
MCQ · easy

What is the correct order of email authentication checks recommended by Cisco?

A. SPF, DKIM, DMARC
B. SPF, DMARC, DKIM
C. DMARC, SPF, DKIM
D. DKIM, SPF, DMARC
Answer: A

SPF and DKIM are validated first, then DMARC policy applied.

Why this answer

The recommended order is SPF, then DKIM, then DMARC policy.

74
MCQ · easy

An organization wants to protect against Business Email Compromise (BEC) attacks where attackers spoof the CEO's email address to request wire transfers. Which email authentication method is specifically designed to help prevent domain spoofing by allowing senders to specify how email that fails authentication should be handled?

A. SPF
B. DKIM
C. SenderBase
D. DMARC
Answer: D

DMARC uses SPF and DKIM results and tells receivers how to handle unauthenticated email (e.g., quarantine or reject).

Why this answer

DMARC builds on SPF and DKIM to provide a policy telling receiving mail servers how to handle email that fails authentication, helping prevent spoofing.

75
MCQ · easy

Which Cisco ESA feature uses SHA-256 cloud lookups to detect malware in email attachments?

A. AMP for Email
B. Outbreak Filters
C. DLP Policies
D. Anti-spam (SenderBase)
Answer: A

AMP for Email performs SHA-256 lookup and sandboxing.

Why this answer

Cisco ESA's AMP for Email (Advanced Malware Protection) leverages SHA-256 cloud lookups to compare file hashes of email attachments against Talos threat intelligence. When an attachment is processed, its SHA-256 hash is computed and sent to the AMP cloud for a real-time verdict (malicious, clean, or unknown). This is distinct from signature-based detection, as it relies on cloud-based file reputation analysis.

Exam trap

Cisco often tests the distinction between cloud-based file reputation (AMP) and heuristic/rule-based outbreak detection (Outbreak Filters), leading candidates to confuse Outbreak Filters as the answer because both deal with malware outbreaks.

How to eliminate wrong answers

Option B (Outbreak Filters) is wrong because it uses URL reputation and heuristic rules to detect fast-spreading malware outbreaks, not SHA-256 cloud lookups on attachments. Option C (DLP Policies) is wrong because Data Loss Prevention focuses on content inspection (e.g., regex, keywords, data patterns) to prevent sensitive data leakage, not malware detection via file hashing. Option D (Anti-spam / SenderBase) is wrong because it relies on sender reputation, IP blacklists, and email header analysis to filter spam, not SHA-256 cloud lookups for attachment malware.
