CCNA Scor Content Security Questions

10 of 85 questions · Page 2/2 · Scor Content Security topic

76 · Multi-Select · medium

Which TWO of the following are capabilities of Cisco Umbrella SIG? (Choose TWO.)

A. DLP for outbound email
B. File sandboxing for attachments
C. On-premises email filtering
D. Cloud-based proxy for web traffic
E. DNS-layer security to block malicious domains

Answers: D, E

Umbrella includes a cloud proxy to enforce web security policies.

Why this answer

Cisco Umbrella SIG provides DNS-layer security (blocking malicious domains) and a cloud-based proxy for web traffic filtering.

77 · MCQ · medium

A company uses Cisco Umbrella SIG to secure internet access for remote users. The security team wants to block access to social media websites but allow access to business-related websites that may share the same IP addresses. Which Umbrella feature should be used to enforce this granular control?

A. DNS security layer
B. ThousandEyes agents
C. Cloud proxy with URL filtering
D. AMP file scanning

Answer: C

The cloud proxy inspects HTTP/HTTPS requests and can apply URL category policies to block social media while allowing business sites.

Why this answer

Option C is correct because Cisco Umbrella's cloud proxy with URL filtering operates at the application layer (HTTP/HTTPS), inspecting full URLs rather than just domain names. This allows the security team to block social media websites while permitting business-related websites that may resolve to the same IP addresses, as the proxy can differentiate based on the URL path and content category.

Exam trap

Cisco often tests the distinction between DNS-layer security (domain-based) and proxy-based URL filtering (full URL inspection), leading candidates to mistakenly choose the DNS security layer when granular control over websites sharing IP addresses is required.

How to eliminate wrong answers

Option A is wrong because the DNS security layer only filters based on domain name resolution (DNS queries), which cannot distinguish between different websites hosted on the same IP address; it would block or allow all traffic to that IP. Option B is wrong because ThousandEyes agents are used for network performance monitoring and visibility, not for enforcing URL-level access control policies. Option D is wrong because AMP file scanning focuses on detecting and blocking malicious files (malware) at the file level, not on controlling access to specific websites or URL categories.

78 · MCQ · hard

An organization has deployed Cisco WSA in explicit proxy mode. Users are required to authenticate using their Active Directory credentials. Which WSA feature enables transparent user identification without requiring users to manually log in?

A. URL Filtering
B. WCCP redirection
C. Transparent user identification via Kerberos
D. SSL/TLS Decryption

Answer: C

Kerberos enables automatic user identification without manual login.

Why this answer

Transparent user identification on Cisco WSA can be achieved using Kerberos authentication or NTLM, allowing automatic authentication with AD credentials without manual login.

79 · MCQ · hard

An organization is deploying Cisco ESA and wants to ensure that outbound emails containing credit card numbers are blocked. The administrator configures a DLP policy to scan for credit card patterns. However, some legitimate emails with credit card numbers are being incorrectly blocked. What is the best approach to reduce false positives while still preventing data leakage?

A. Disable the DLP policy for outbound email
B. Change the DLP action from 'Block' to 'Confirm with Sender'
C. Increase the DLP sensitivity threshold
D. Add all senders to a DLP exemption list

Answer: B

This allows the sender to confirm the email is legitimate, reducing false positives while maintaining oversight.

Why this answer

Option B is correct because changing the DLP action from 'Block' to 'Confirm with Sender' allows the Cisco ESA to send a notification to the sender when a credit card pattern is detected, asking them to confirm whether the email should be sent. This reduces false positives by giving legitimate senders a chance to override the block, while still preventing accidental data leakage by requiring explicit confirmation. The DLP policy remains active, so unauthorized or unconfirmed outbound emails containing credit card numbers are still stopped.

Exam trap

Cisco often tests the misconception that increasing sensitivity reduces false positives, when in fact it increases them by matching more patterns, and that exemption lists are a safe way to handle false positives, when they actually bypass all DLP scanning for those senders.

How to eliminate wrong answers

Option A is wrong because disabling the DLP policy for outbound email would completely remove protection against data leakage, which contradicts the organization's goal of preventing credit card numbers from being sent out. Option C is wrong because increasing the DLP sensitivity threshold would make the scanner more strict, likely increasing false positives rather than reducing them; the threshold controls how closely a pattern must match, and raising it would flag more borderline matches. Option D is wrong because adding all senders to a DLP exemption list would bypass the DLP policy entirely for those senders, allowing any credit card numbers to be sent without scanning, which defeats the purpose of preventing data leakage.

80 · Multi-Select · hard

An organization is deploying Cisco WSA to enforce acceptable use policies. The administrator wants to block access to social media and streaming video, while also decrypting HTTPS traffic for these categories. Which THREE configuration steps are required?

A. Install a trusted root CA certificate on all client devices
B. Enable SSL decryption for those categories
C. Configure URL filtering to block the 'Social Networking' and 'Streaming Media' categories
D. Enable AMP file scanning
E. Configure WCCP on the router

Answers: A, B, C

Clients must trust the WSA's CA to avoid certificate warnings.

Why this answer

To block and decrypt HTTPS traffic for specific categories, you need URL filtering, decryption policy, and identity-based policies for granular control.

81 · MCQ · medium

A network administrator wants to deploy Cisco WSA as a transparent proxy to inspect web traffic without changing browser settings. Which protocol should be used to redirect traffic to the WSA?

A. PAC files
B. WCCP
C. WPAD
D. GRE tunneling

Answer: B

WCCP is used for transparent redirection of web traffic to the WSA.

Why this answer

WCCP (Web Cache Communication Protocol) allows routers to redirect web traffic to the WSA transparently.

82 · MCQ · medium

A company receives a spear-phishing email that appears to come from the CEO requesting an urgent wire transfer. What type of email attack is this?

A. Whaling
B. Phishing
C. Spear Phishing
D. Malspam

Answer: A

Whaling specifically targets high-profile executives.

Why this answer

Whaling targets senior executives with personalized attacks.

83 · MCQ · medium

A company uses Cisco Umbrella SIG to enforce security policies. An employee attempts to visit a website categorized as 'Phishing' but the request is allowed. What is the most likely cause?

A. The employee is using a VPN that bypasses the proxy
B. The policy is set to 'Allow' for the Phishing category
C. DNS security is disabled
D. The website uses HTTPS and Umbrella cannot inspect it

Answer: B

If the policy allows the category, the request will be permitted.

Why this answer

If the security policy does not block the 'Phishing' category, or if the destination is not categorized, the request may be allowed by default.

84 · Multi-Select · medium

Which two Cisco solutions can be used to provide cloud-based content security including DNS-layer protection and cloud proxy? (Choose two.)

A. Cisco ThousandEyes
B. Cisco ESA
C. Cisco Umbrella DNS-layer security
D. Cisco WSA
E. Cisco Umbrella SIG

Answers: C, E

Umbrella DNS-layer security blocks malicious domains at resolution time.

Why this answer

Cisco Umbrella offers both DNS security and cloud proxy (SIG). Cisco ThousandEyes is for performance, not security. WSA and ESA are on-premises.

85 · MCQ · hard

A security analyst receives an alert that a user clicked a link in an email that led to a malicious website. The email was allowed by the Cisco ESA because it passed SPF, DKIM, and DMARC checks. Later analysis reveals the email was sent from a compromised account within the same domain. Which type of attack best describes this scenario?

A. Account takeover (BEC)
B. Malspam
C. Spear phishing
D. Whaling

Answer: A

Account takeover involves using a compromised legitimate account to send malicious emails, bypassing authentication.

Why this answer

When an attacker compromises a legitimate email account within the organization and uses it to send malicious emails, it is an account takeover attack, which is a form of Business Email Compromise (BEC). Since the email authenticated correctly, it bypassed email authentication checks.
