350-701 Cisco Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) Free Practice Exam Questions (2025 Updated)

 Cisco ISE is a solution that allows an administrator to provision, monitor, and secure mobile devices on Windows and Mac computers from a centralized dashboard. Cisco ISE integrates with Mobile Device Management (MDM) servers to provide necessary insight into the posture of mobile devices and enforce network access policies. Cisco ISE can also perform device registration, remediation, and periodic compliance checks on mobile devices. Cisco ISE can also issue remote actions on the device through the MDM server, such as full wipe, corporate wipe, and PIN lock. Cisco ISE can also augment endpoint data with information from the MDM server that cannot be gathered using the Cisco ISE profiling services. References:

Integrate XenMobile Mobile Device Management (MDM) with Cisco Identity Services Engine (ISE)

Cisco Identity Services Engine Administrator Guide, Release 2.4 - Mobile Device Manager Interoperability with Cisco ISE

Cisco ISE Integration with Mobile Device Management (MDM)

Explanation

Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also

known as posture, of all the endpoints that are connecting to a network for compliance with corporate security

policies.

A posture policy is a collection of posture requirements that are associated with one or more identity groups and

operating systems.

Posture-policy requirements can be set to mandatory, optional, or audit types in posture policies.

+ If a mandatory requirement fails, the user will be moved to Non-Compliant state

+ If an optional requirement fails, the user is allowed to skip the specified optional requirements and the user

is moved to Compliant state

This Qdid not clearly specify the type of posture policy requirement (mandatory or optional) is not met so the

user can be in Non-compliant or compliant state. But “noncompliant” is the best answer here.

Explanation

Spero analysis is a feature of Cisco AMP for Networks that examines structural characteristics such as metadata and header information in executable files. After generating a Spero signature based on this information, if the file is an eligible executable file, the device submits it to the Spero heuristic engine in the AMP cloud for analysis1. Spero analysis can detect malware based on the file’s structure and behavior, without requiring a full file upload2. Spero analysis is different from dynamic analysis, sandbox analysis, and malware analysis, which are other features of Cisco AMP for Networks that perform different types of file inspection and analysis3. References: 1: How to configure Firepower AMP to not upload files to … - Cisco Community 2: File Policies - Network Direction 3: Cisco AMP for Networks - Cisco

Cisco Advanced Malware Protection (AMP) for Web Security is a solution that provides protection against web-related threats before, during, and after an attack. One of the functions that AMP for Web Security includes is detailed analytics of the unknown file’s behavior. This means that AMP can continuously monitor and analyze the activity of files that cross the web gateway, even after they have been initially scanned and allowed. This allows AMP to detect and block any malicious behavior that may emerge later, and provide retrospective security alerts and remediation actions12. References: 1: Cisco Advanced Malware Protection for Web Security 2: Cisco Adds Advanced Malware Protection to Web and Email Security Appliances and Cloud Services

 The monitoring agent uses the RTP (Real-time Transport Protocol) performance metric to collect and output packet loss and jitter information. RTP is a network protocol used for delivering audio and video over IP networks. It provides mechanisms for timestamping, sequence numbering, and delivery monitoring, which allow for the measurement of packet loss and jitter. RTP is specifically designed for real-time multimedia streaming applications, which are more sensitive to changes in the transmission characteristics of data networks than other applications. Therefore, RTP performance is a suitable metric for monitoring and collecting packet loss and jitter information.

The other options are not directly related to measuring packet loss and jitter. TCP (Transmission Control Protocol) is a transport protocol that ensures reliable and ordered delivery of data, but it is not typically used for real-time multimedia applications. WSAv (Web Security Virtual Appliance) is a Cisco solution for web security, but it does not measure packet loss and jitter. AVC (Application Visibility and Control) is a technology that monitors and controls network applications, but it does not focus on packet loss and jitter. References :=

Measuring Delay, Jitter, and Packet Loss with Cisco IOS SAA and RTTMON1

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.02

Cisco 350-701: Which metric used by monitoring agent to collect and output packet loss and jitter information?

Explanation

SQL injection usually occurs when you ask a user for input, like their username/userid, but the user gives

(“injects”) you an SQL statement that you will unknowingly run on your database. For example:

Look at the following example, which creates a SELECT statement by adding a variable (txtUserId) to a select

string. The variable is fetched from user input (getRequestString):

txtUserId = getRequestString(“UserId”);

txtSQL = “SELECT * FROM Users WHERE UserId = ” + txtUserId;

If user enter something like this: “100 OR 1=1” then the SzQL statement will look like this:

SELECT * FROM Users WHERE UserId = 100 OR 1=1;

The SQL above is valid and will return ALL rows from the “Users” table, since OR 1=1 is always TRUE. A

hacker might get access to all the user names and passwords in this database.

 The Cisco Umbrella roaming client is a cloud-delivered security service for Cisco’s next-generation firewall that protects employees when they are off the VPN. No additional agents are required. Simply enable the Umbrella functionality in the Cisco AnyConnect client. One of the advantages of the Umbrella roaming client is that it provides visibility into IP-based threats by tunneling suspicious IP connections to the Umbrella cloud for inspection and blocking. This way, the roaming client can prevent malware, phishing, and command-and-control callbacks from reaching malicious domains and IPs, regardless of the port or protocol. The Umbrella roaming client also provides DNS-layer security when the VPN is off, and proactive blocking of emerging threats using real-time data analysis. References:

Cisco Umbrella Roaming

3 Benefits of Using Roaming Client with Cisco Umbrella

Secure remote workers with the Cisco Umbrella roaming client

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0 (Module 5.1.1)

Explanation

The term ‘rootkit’ originally comes from the Unix world, where the word ‘root’ is used to describe a user with the

highest possible level of access privileges, similar to an ‘Administrator’ in Windows. The word ‘kit’ refers to the

software that grants root-level access to the machine. Put the two together and you get ‘rootkit’, a program that

gives someone – with legitimate or malicious intentions – privileged access to a computer.

There are four main types of rootkits: Kernel rootkits, User mode rootkits, Bootloader rootkits, Memory rootkits

 Microsegmentation is a method of securing multi cloud data centers using granular segmentation rules for the individual workload or application, reducing the risk of an attacker moving from one compromised workload or application to another1. Microsegmentation with Cisco ACI enables you to automatically assign endpoints to logical security zones called endpoint groups (EPGs). These EPGs are based on various network-based or virtual machine (VM)-based attributes2. Microsegmentation is also referred to as application segmentation or east-west segmentation in a multicloud data center1. References: 1: What Is Micro-Segmentation? - Cisco 2: Microsegmentation with Cisco ACI

Explanation

Explanation

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more

verification factors to gain access to a resource. MFA requires means of verification that unauthorized users

won’t have.

Proper multi-factor authentication uses factors from at least two different categories.

MFA methods:

+ Knowledge – usually a password – is the most commonly used tool in MFA solutions. However, despite their

simplicity, passwords have become a security problem and slow down productivity.

+ Physical factors – also called possession factors–use tokens, such as a USB dongle or a portable device,

that generate a temporary QR (quick response) code. Mobile phones are commonly used, as they have the

advantage of being readily available in most situations.

+ Inherent – This category includes biometrics like fingerprint, face, and retina scans. As technology advances,

it may also include voice ID or other behavioral inputs like keystroke metrics. Because inherent factors are

reliably unique, always present, and secure, this category shows promise.

+ Location-based and time-based – Authentication systems can use GPS coordinates, network parameters,

and metadata for the network in use, and device recognition for MFA. Adaptive authentication combines these

data points with historical or contextual user data.

A time factor in conjunction with a location factor could detect an attacker attempting to authenticate in Europe

when the user was last authenticated in California an hour prior, for example.

+ Time-based one-time password (TOTP) – This is generally used in 2FA but could apply to any MFA

method where a second step is introduced dynamically at login upon completing a first step. The wait for a

second step–in which temporary passcodes are sent by SMS or email–is usually brief, and the process is easy

to use for a wide range of users and devices. This method is currently widely used.

+ Social media – In this case a user grants permission for a website to use their social media username and

password for login. This provide an easy login process, and one generally available to all users.

+ Risk-based authentication – Sometimes called adaptive multi-factor authentication, this method combines

adaptive authentication and algorithms that calculate risk and observe the context of specific login requests.

The goal of this method is to reduce redundant logins and provide a more user-friendly workflow.

+ Push-based 2FA – Push-based 2FA improves on SMS and TOTP 2FA by adding additional layers of security

while improving ease of use. It confirms a user’s identity with multiple factors of authentication that other

methods cannot. Because push-based 2FA sends notifications through data networks like cellular or Wi-Fi,

users must have data access on their mobile devices to use the 2FA functionality.

In XSS, an attacker will try to inject his malicious code (usually malicious links) into a database. When other users follow his links, their web browsers are redirected to websites where attackers can steal data from them. In a SQL Injection, an attacker will try to inject SQL code (via his browser) into forms, cookies, or HTTP headers that do not use data sanitizing or validation methods of GET/POST parameters.

Workload security models refer to the ways of protecting applications, services, and capabilities that run on a cloud resource. There are different types of cloud deployment models, such as public, private, hybrid, and multicloud, and different types of cloud service models, such as IaaS, PaaS, and SaaS. However, these are not workload security models, but rather ways of describing the cloud environment and the level of abstraction. Workload security models are more focused on the location and ownership of the workloads, and how they are secured. The two main workload security models are off-premises and on-premises. Off-premises workload security model means that the workloads are hosted and managed by a third-party cloud service provider, such as AWS, Azure, or GCP. The cloud service provider is responsible for the security of the underlying infrastructure, such as the physical servers, network devices, storage systems, and hypervisors. The customer is responsible for the security of the workloads themselves, such as the guest operating systems, applications, data, and users. The customer can use various tools and techniques to secure their workloads, such as encryption, firewalls, identity and access management, vulnerability scanning, and logging and monitoring. On-premises workload security model means that the workloads are hosted and managed by the customer on their own data center or private cloud. The customer is responsible for the security of both the infrastructure and the workloads, and has full control and visibility over them. The customer can use similar tools and techniques as the off-premises model, but also has to deal with the physical security, network security, and compliance requirements of their own environment. References:

What Is Workload Security? On-Premises, Cloud, Kubernetes, and More

What is Cloud Workload Security? - CyberArk

What is Cloud Workload Protection? | Workload Security | VMware

What is Cloud Workload Security? - Check Point Software

Introduction To Classic Security Models - GeeksforGeeks

The Secure Event Connector is a component of the Security Analytics and Logging (SaaS) solution that enables the FMC to send logs to the cloud-based service. The Secure Event Connector uses syslog to forward events from the FMC and the managed devices to the cloud. This method reduces the load on the firewall resources, as the events are sent in batches and compressed before transmission. The Secure Event Connector also provides encryption, authentication, and reliability for the log data. The other methods are not supported by the Security Analytics and Logging (SaaS) solution12 References := 1: Cisco Security Analytics and Logging (On Premises)

Explanation

Explanation

Easy Connect simplifies network access control and segmentation by allowing the assignment of Security

Group Tags to endpoints without requiring 802.1X on those endpoints, whether using wired or wireless

connectivity.

The Cisco DNA Center RESTful PNP API allows external applications to interact with the Plug and Play (PNP) service of Cisco DNA Center, which automates the onboarding and provisioning of network devices. The PNP API has several endpoints for different operations, such as importing, claiming, updating, and deleting devices. The endpoint that adds and claims a device into a workflow is api/v1/onboarding/pnp-device/import, which takes a JSON payload with the device information and the workflow ID. This endpoint creates a new device entry in the PNP database and associates it with the specified workflow. The workflow defines the configuration template, image, and license to be applied to the device during the provisioning process12. References:

1: See How to Use the Plug and Play API in DNA Center – Part 2

2: Cisco DNA Center Platform User Guide, Release 2.2.3

An active/active FlexVPN configuration allows for multiple routers or VRFs to act as hubs for different VPN groups, providing load balancing and redundancy1. This is useful when the VPN deployment has a large number of spokes or different security policies for different groups of spokes. DMVPN, on the other hand, only supports a single hub or a pair of hubs in active/standby mode for each VPN group2. This limits the scalability and flexibility of DMVPN deployments. Therefore, an engineer would opt for an active/active FlexVPN configuration as opposed to DMVPN when multiple routers or VRFs are required. References :=

Cisco FlexVPN: Benefits and Best Practices

Cisco DMVPN Design Guide

ESA stands for Email Security Appliance, which is a Cisco product that provides comprehensive email security solutions. ESA can be deployed in different modes, such as gateway, hybrid, or cloud, depending on the customer’s needs and preferences. One of the key components of ESA configuration is the listener, which is a service that listens for incoming SMTP connections on a specific port and interface. A listener can be configured to handle inbound or outbound email, or both, depending on the mail flow policies and sender groups that are applied to it.

One way to segregate inbound and outbound email on ESA is to use a pair of logical listeners on a single physical interface with two unique logical IPv4 addresses and one IPv6 address. This method allows the ESA to have two separate listeners for inbound and outbound email, each with its own IP address and mail flow policies, while using the same physical interface and port. This can simplify the network configuration and reduce the hardware requirements for ESA deployment. The IPv6 address can be used to support dual-stack IPv4 and IPv6 environments, or to provide redundancy in case of IPv4 address exhaustion.

The other options are incorrect because:

A is false, as one listener on a single physical interface cannot segregate inbound and outbound email, unless it uses different sender groups and mail flow policies for different hosts, which is not a recommended practice.

C is false, as pair of logical IPv4 listeners and a pair of IPv6 listeners on two physically separate interfaces is an unnecessary and complex configuration that does not provide any additional benefits over option B.

D is false, as one listener on one logical IPv4 address on a single logical interface cannot segregate inbound and outbound email, unless it uses different sender groups and mail flow policies for different hosts, which is not a recommended practice.

 The configuration snippet in the image is a part of IKEv2 configuration where the name mangler is associated with the organizational unit (OU) “MANGLER”. In Cisco’s IKEv2 implementation, this specific configuration means that only an IKEv2 peer whose certificate has an OU attribute set to “MANGLER” can establish an IKEv2 Security Association successfully. This is a method of ensuring that only peers with certificates issued to a specific organizational unit can connect, enhancing security by limiting unauthorized access. The name mangler is a feature that allows the administrator to specify a string that must be present in the peer’s certificate for authentication. The name mangler can be applied to any certificate field, such as common name (CN), organization (O), or OU. The name mangler can also be used to modify the peer’s identity based on the certificate field, such as appending or prepending a string to the identity. The name mangler is configured under the IKEv2 profile using the command crypto ikev2 profile profile-name identity name-mangler name-mangler-name dn field-name. In this case, the name mangler is applied to the OU field of the peer’s certificate. The other options are incorrect because they do not describe the effect of the name mangler configuration. Option A is incorrect because the name mangler does not affect the identity matching for the IKEv2 authorization policy. The identity matching is based on the peer’s identity type and value, which can be different from the certificate field. Option C is incorrect because the name mangler does not encrypt the OU field of the peer’s certificate. The OU field is part of the certificate’s subject, which is not encrypted in the IKEv2 messages. Option D is incorrect because the name mangler does not set the OU field of the peer’s certificate. The OU field is determined by the certificate authority (CA) that issues the certificate, and the name mangler only verifies or modifies the peer’s identity based on the OU field. References : Configuring Internet Key Exchange Version 2, Internet Key Exchange Version 2 CLI Constructs, Tutorial: Setting up a certificate-based IKEv2 VPN connection (RSA)

Explanation

The version 9 export format uses templates to provide access to observations of IP packet flows in a flexible and extensible manner. A template defines a collection of fields, with corresponding descriptions of structure and semantics.

https://confluence.netvizura.com/display/NVUG/Traditional+vs.+Flexible+NetFlow

Explanation

The HMAC-SHA-1-96 (also known as HMAC-SHA-1) encryption technique is used by IPSec to ensure that a message has not been altered. (-> Therefore answer “integrity” is the best choice). HMAC-SHA-1 uses the SHA-1 specified in FIPS-190-1, combined with HMAC (as per RFC 2104), and is described in RFC 2404.