350-701 Cisco Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) Free Practice Exam Questions (2025 Updated)

Posture is a service in Cisco ISE that allows you to check the compliance, also known as posture, of endpoints, before allowing them to connect to your network. A posture agent, such as the AnyConnect ISE Posture Agent or Network Admission Control (NAC) Agent, runs on the endpoint and collects information about the endpoint’s security posture, such as antivirus, antispyware, firewall, and patch status. The posture agent then communicates with the ISE server, which evaluates the posture information against the posture policy and determines the compliance state of the endpoint. Based on the compliance state, the ISE server can grant or deny network access to the endpoint, or apply remediation actions to bring the endpoint into compliance. Posture service is part of the ISE solution for network access control (NAC), which aims to secure the network from unauthorized or compromised endpoints. References:

Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Posture Policies

Configuring posture services with the Cisco Identity Services Engine - Cisco Community

Cisco Content Hub - Configure Client Posture Policies

https://www.cisco.com/c/dam/en_us/about/doing_business/legal/service_descriptions/docs/Cisco_Secure_Managed_Endpoint.pdf

Explanation

Community Cloud allows system and services to be accessible by group of organizations. It shares the

infrastructure between several organizations from a specific community. It may be managed internally by

organizations or by the third-party.

 Cisco AMP for Endpoints and Cisco Umbrella Roaming Client are both security solutions that protect mobile users from threats, but they have different functions and features. Cisco AMP for Endpoints is a cloud-managed endpoint security solution that stops and tracks malicious activity on hosts, such as malware execution, file behavior, and command-and-control callbacks. It also provides threat intelligence, sandboxing, and retrospective analysis to detect and respond to advanced threats. Cisco Umbrella Roaming Client is a lightweight DNS client that tracks only URL-based threats, such as phishing, ransomware, and botnets. It prevents connections to malicious domains and IP addresses, and provides visibility and enforcement for off-network devices. It also integrates with Cisco AnyConnect VPN client to provide seamless protection for VPN and non-VPN traffic. Therefore, the functional difference between Cisco AMP for Endpoints and Cisco Umbrella Roaming Client is that AMP for Endpoints stops and tracks malicious activity on hosts, and the Umbrella Roaming Client tracks only URL-based threats. References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.1: Cisco AMP for Endpoints Overview

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.2: Cisco AMP for Endpoints Architecture and Components

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.3: Cisco AMP for Endpoints Installation and Configuration

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.4: Cisco AMP for Endpoints Analysis and Response

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.5: Cisco Umbrella Overview

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.6: Cisco Umbrella Architecture and Components

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.7: Cisco Umbrella Roaming Client

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Endpoint Protection and Detection, Lesson 3.8: Cisco Umbrella Policies and Reporting

Best Mobile Cybersecurity Solution - Cisco Umbrella

Explanation

Vendors, security researchers, and vulnerability coordination centers typically assign vulnerabilities an identifier that’s disclosed to the public. This identifier is known as the Common Vulnerabilities and Exposures (CVE).

CVE is an industry-wide standard. CVE is sponsored by US-CERT, the office of Cybersecurity and

Communications at the U.S. Department of Homeland Security.

The goal of CVE is to make it’s easier to share data across tools, vulnerability repositories, and security

services.

SQL injection attacks are a type of code injection technique that exploit the use of dynamic SQL queries in web applications. Attackers can inject malicious SQL statements into user input fields, such as login forms, search boxes, or URLs, and execute them on the underlying database. This can result in unauthorized access, data theft, data corruption, or denial of service.

To prevent SQL injection attacks, web developers should use the following techniques:

Use prepared statements and parameterized queries: Prepared statements are SQL queries that are precompiled and executed with user-supplied parameters. Parameterized queries are SQL queries that use placeholders for user input and bind them to actual values at runtime. Both techniques separate the SQL code from the user input, making it impossible for attackers to inject SQL commands into the query. For example, in Java, PreparedStatement is a class that implements parameterized queries. In PHP, PDO and mysqli are extensions that support prepared statements.

Block SQL code execution in the web application database login: Web applications should use a dedicated database user account with limited privileges to connect to the database. This account should only have the permissions necessary to perform the required operations, such as select, insert, update, or delete. It should not have the permissions to execute arbitrary SQL commands, such as create, drop, alter, grant, or revoke. This way, even if an attacker manages to inject SQL code into the query, the database will reject it due to insufficient privileges.

Explanation

Explanation

If sysopt permit-vpn is not enabled then an access control policy must be created to allow the VPN traffic through the FTD device. If sysopt permit-vpn is enabled skip creating an access control policy.

Anycast IP is a component of Cisco umbrella architecture that increases reliability of the service by allowing the same IP address to exist on multiple servers around the world. This way, the user’s request is automatically routed to the nearest and fastest data center, and failover is seamless in case of an outage. Anycast IP also reduces latency and improves performance by using BGP to select the shortest path to the destination12. References := 1: Why Cisco Umbrella uses anycast routing - Cisco Umbrella 2: Cisco Umbrella At a Glance

The process of performing automated static and dynamic analysis of files against preloaded behavioral indicators for threat analysis is called advanced sandboxing. Advanced sandboxing is a feature of Cisco Secure Malware Analytics (Threat Grid), which is a cloud-based or on-premises solution that analyzes the behavior of suspicious files and URLs. Advanced sandboxing uses a combination of static and dynamic analysis techniques to examine the files against more than 700 behavioral indicators, such as registry changes, network connections, file modifications, and process injections. These indicators help to uncover stealthy and sophisticated threats, and provide the security team with detailed reports and actionable intelligence. Advanced sandboxing also integrates with other Cisco security products, such as AMP, Firepower, and Email Security, to provide comprehensive malware protection across the network. Advanced sandboxing is different from other options, such as deep visibility scan, point-in-time checks, and advanced scanning, which are not specific processes or features of Cisco Secure Malware Analytics. Deep visibility scan is a generic term that refers to the ability to inspect network traffic and files for malicious activity. Point-in-time checks are periodic scans that detect malware at a specific moment, but do not provide continuous analysis or retrospective security. Advanced scanning is also a generic term that can refer to any scanning technique that goes beyond basic signature-based detection, such as heuristic analysis, machine learning, or behavioral analysis. References :=

Some possible references are:

Cisco Secure Malware Analytics (Threat Grid)

Malware Protection - Cisco AMP Advanced Malware Protection

Cisco Secure Malware Analytics Data Sheet

Explanation

Explanation

As the new device does not have a supplicant, we cannot use 802.1X.

MAC Authentication Bypass (MAB) is a fallback option for devices that don’t support 802.1x. It is virtually

always used in deployments in some way shape or form. MAB works by having the authenticator take the

connecting device’s MAC address and send it to the authentication server as its username and password. The authentication server will check its policies and send back an Access-Accept or Access-Reject just like it would with 802.1x.

Cisco ISE Profiling Services provides dynamic detection and classification of endpoints connected to the

network. Using MAC addresses as the unique identifier, ISE collects various attributes for each network

endpoint to build an internal endpoint database. The classification process matches the collected attributes to prebuilt or user-defined conditions, which are then correlated to an extensive library of profiles. These profiles include a wide range of device types, including mobile clients (iPads, Android tablets, Chromebooks, and so

on), desktop operating systems (for example, Windows, Mac OS X, Linux, and others), and numerous non-user systems such as printers, phones, cameras, and game consoles.

Once classified, endpoints can be authorized to the network and granted access based on their profile. For example, endpoints that match the IP phone profile can be placed into a voice VLAN using MAC Authentication Bypass (MAB) as the authentication method. Another example is to provide differentiated network access to users based on the device used. For example, employees can get full access when accessing the network from their corporate workstation but be granted limited network access when accessing the network from their personal iPhone.

Contiv is an open source container networking fabric that supports heterogeneous container deployments across virtual machines, bare-metal, and public or private clouds. Contiv facilitates deploying microsegmentation and multi-tenancy services with a policy-based container by allowing cloud architects and IT admins to create, manage, and enforce operational policies such as traffic isolation, bandwidth prioritization, latency requirements, and policies for L4-L7 network services. Contiv also integrates natively with Cisco infrastructure and provides consistent networking across any platform (Docker Swarm, Kubernetes, or OpenShift) and any networking backend (Layer 2, Layer 3, Overlays, or ACI mode)123. References := 1: Introducing Contiv 1.0 - The Most Powerful Container Networking Fabric 2: contivpp 3: Contiv · GitHub

Cisco FMC is assigned the role of a client in the pxGrid ecosystem. A client is a partner that subscribes to the contextual data published by other partners or by ISE. A client can also publish its own data, but it does not have to. A client can use the contextual data to enforce security policies, perform threat analysis, or provide visibility. Cisco FMC can subscribe to various topics from ISE or other partners, such as user identity, session directory, endpoint profile, SGT mapping, threat events, or vulnerability assessment. Cisco FMC can also publish its own threat events to ISE or other partners. Cisco FMC can use the contextual data to apply access control rules, correlation policies, or network discovery policies based on the attributes of the users, endpoints, or sessions12.

The other options are not correct because they are not the roles assigned for Cisco FMC. A server is a partner that publishes contextual data to other partners or to ISE. A server can also subscribe to data, but it does not have to. A server can provide valuable information about the network, such as device inventory, configuration, or compliance. An example of a server is Cisco Prime Infrastructure3. A controller is the core component of the pxGrid ecosystem that manages the communication, authentication, and authorization between the partners. The controller is always ISE, and it is responsible for creating and maintaining the pxGrid domain, distributing the certificates, and facilitating the data exchange4. A publisher is a partner that publishes contextual data to other partners or to ISE, but does not subscribe to any data. A publisher can provide useful information about the network, such as security events, alerts, or incidents. An example of a publisher is Cisco Stealthwatch. References :=

Integrate FMC with ISE using pxGrid | Blue Network Security

How To: Integrate Firepower Management Center (FMC) 6 … - Cisco Community

Cisco Prime Infrastructure and ISE pxGrid Integration - Cisco

pxGrid Overview - Cisco

[Cisco Stealthwatch and ISE pxGrid Integration - Cisco]

Cisco ISE and pxGrid use the IETF (Internet Engineering Task Force) standards to integrate with each other and with other interoperable security platforms. IETF is an open, international community of network designers, operators, vendors, and researchers who produce voluntary standards for the Internet. Cisco pxGrid is based on the IETF standards-track XMPP (Extensible Messaging and Presence Protocol) and RESTCONF (Representational State Transfer Configuration Protocol) technologies. These standards enable Cisco pxGrid to provide a scalable, secure, and open data-sharing platform that supports multiple security products and services. Cisco ISE uses the IETF standards-track RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) protocols to provide network access control and policy enforcement. Cisco ISE also supports the IETF standards-track SXP (Security Group Tag eXchange Protocol) to propagate security group tags across the network. By using the IETF standards, Cisco ISE and pxGrid can interoperate with other security platforms that support the same standards, such as Infoblox, Splunk, Rapid7, and more. References:

Cisco pxGrid - Cisco

ISE pxGrid General Information & FAQ - Cisco Community

How To: Integrate Cisco WSA using ISE and TrustSec via pxGrid

Infoblox DDI, Cisco ISE, and the pxGrid Solution Platform

Explanation

Explanation

We should scan emails using AntiVirus signatures to make sure there are no viruses attached in emails.

Note: A virus signature is the fingerprint of a virus. It is a set of unique data, or bits of code, that allow it to be identified. Antivirus software uses a virus signature to find a virus in a computer file system, allowing to detect, quarantine, and remove the virus.

SenderBase is an email reputation service designed to help email administrators research senders, identify legitimate sources of email, and block spammers. When the Cisco ESA receives messages from known or highly reputable senders, it delivers them directly to the end user without any content scanning. However, when the Cisco ESA receives email messages from unknown or less reputable senders, it performs antispam and antivirus scanning.

AAA stands for Authentication, Authorization, and Accounting. It is a framework that provides security to network resources by controlling who can access them (authentication), what they can do (authorization), and what actions they perform (accounting). AAA can be implemented by using the local database of the device or by using an external server such as Cisco ISE (Identity Services Engine).

The question asks which configuration item makes it possible to have the AAA session on the network. A session is a logical connection between a user and a network device. A session can be initiated by various methods, such as console, telnet, SSH, PPP, etc. Each session can have different AAA policies applied to it, depending on the method list configured for that session.

A method list is a set of rules that define the authentication, authorization, and accounting methods to be used for a particular session. A method list can be named or default. A named method list is applied to a specific session by using the login, authorization, or accounting keyword followed by the name of the method list. A default method list is applied to all sessions that do not have a named method list configured.

The configuration item that makes it possible to have the AAA session on the network is the aaa authorization network default group ise command. This command configures a default method list for network authorization, which is the process of determining the network services and attributes that a user is allowed to access after authentication. The command specifies that the network authorization method is group, which means that the device will use an external server (such as Cisco ISE) to obtain the authorization information for the user. The command also specifies that the name of the server group is ise, which means that the device will use the server group defined by the aaa group server radius ise command.

The other options are incorrect because they do not configure a default method list for network authorization. Option A configures a named method list for login authentication, which is the process of verifying the identity of the user. Option B configures a default method list for enable authentication, which is the process of verifying the identity of the user who wants to enter the privileged EXEC mode. Option D configures a default method list for exec authorization, which is the process of determining the commands and features that a user can access in the EXEC mode. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 1: Security Concepts, Lesson 1: Describing Information Security Concepts

Configure Basic AAA on an Access Server, General AAA Configuration, Authentication Configuration, Authorization Configuration

AAA (Authentication, Authorization and Accounting) - GeeksforGeeks, AAA implementation, ACS server

Cisco Advanced Phishing Protection (AAP) is a solution that helps organizations protect against fraudulent senders and identity deception-based attacks, such as business email compromise (BEC) and spear phishing. AAP uses advanced machine learning techniques, real-time behavior analytics, relationship modeling, and telemetry to perform two main functions12:

It determines if the email messages are malicious by assessing the threat posture of the sender and the content of the message. It also validates the reputation and authenticity of the sender by checking various indicators, such as the domain, the IP address, the SPF, DKIM, and DMARC records, the display name, the reply-to address, and the header information. AAP assigns a risk score to each email message and provides a verdict of clean, malicious, or suspicious. It also adds a banner to the email message to inform the recipient of the risk level and the recommended action.

It does a real-time user web browsing behavior analysis by monitoring the user’s interaction with the email message and the links embedded in it. It tracks the user’s clicks, mouse movements, dwell time, and other indicators to detect any signs of hesitation, confusion, or curiosity. It also analyzes the destination URL of the links and compares it with the known malicious websites. If AAP detects any anomalous or risky behavior, it intervenes with a warning message or a redirect page to educate the user and prevent them from falling victim to the phishing attack. References := 1: Cisco’s Security Innovations to Protect the Endpoint and Email 2: Cisco Advanced Phishing Protection - Cisco Video Portal

Explanation

We choose “Chat and Instant Messaging” category in “URL Category”:

To block certain URLs we need to choose URL Reputation from 6 to 10.

Explanation

Explanation

The traditional use of the pull model, where the client requests data from the network does not scale when what you want is near real-time data. Moreover, in some use cases, there is the need to be notified only when some data changes, like interfaces status, protocol neighbors change etc.

Model-Driven Telemetry is a new approach for network monitoring in which data is streamed from network devices continuously using a push model and provides near real-time access to operational statistics.

Applications can subscribe to specific data items they need, by using standard-based YANG data models over NETCONF-YANG. Cisco IOS XE streaming telemetry allows to push data off of the device to an external collector at a much higher frequency, more efficiently, as well as data on-change streaming.

FlexVPN and DMVPN are both Cisco technologies that use point-to-point GRE tunnels to create dynamic VPN networks. However, they differ in some aspects, such as:

FlexVPN is a newer solution that requires newer hardware and IOS versions, while DMVPN is more widely supported on older devices1.

FlexVPN is based on IKEv2, which is a more robust and efficient protocol than IKEv1, which is used by DMVPN (although DMVPN can also use IKEv2)2.

FlexVPN uses static or virtual access interfaces for GRE tunnels, while DMVPN uses a single multipoint GRE interface. This allows more flexibility and visibility for FlexVPN tunnels2.

FlexVPN does not require NHRP registration for spokes to communicate with the hub, while DMVPN does. This simplifies the configuration and reduces the overhead of NHRP3.

FlexVPN has only one standard mode of operation, while DMVPN has three phases with different characteristics and configurations2.

References := 1: what is the difference between dmvpn and flexvpn 2: Cisco FlexVPN DMVPN, Part 1 - Overview and Design 3: DMVPN to FlexVPN Soft Migration Configuration Example

Explanation

Explanation

The various suspicious patterns for which the Cisco Tetration platform looks in the current release are:

+ Shell code execution: Looks for the patterns used by shell code.

+ Privilege escalation: Watches for privilege changes from a lower privilege to a higher privilege in the process lineage tree.

+ Side channel attacks: Cisco Tetration platform watches for cache-timing attacks and page table fault bursts.

Using these, it can detect Meltdown, Spectre, and other cache-timing attacks.

+ Raw socket creation: Creation of a raw socket by a nonstandard process (for example, ping).

+ User login suspicious behavior: Cisco Tetration platform watches user login failures and user login

methods.

+ Interesting file access: Cisco Tetration platform can be armed to look at sensitive files.

+ File access from a different user: Cisco Tetration platform learns the normal behavior of which file is

accessed by which user.

+ Unseen command: Cisco Tetration platform learns the behavior and set of commands as well as the lineage of each command over time. Any new command or command with a different lineage triggers the interest of the Tetration Analytics platform.

 Retrospective security is a feature of Cisco AMP that enables continuous analysis and alerting of files and network activity, even after the initial point of inspection. It allows an engineer to look back in time and trace the processes, file activities, and communications of an endpoint that was infected by malware. This helps to understand the full extent of an infection, establish root causes, and perform remediation. Retrospective security is different from endpoint isolation, advanced search, and advanced investigation, which are other features of Cisco AMP that provide different capabilities. Endpoint isolation allows an engineer to isolate an endpoint from the network to prevent further spread of malware. Advanced search allows an engineer to query the AMP cloud database for information about files, endpoints, events, and trajectories. Advanced investigation allows an engineer to perform deep analysis of files and endpoints using Cisco Secure Malware Analytics (formerly Threat Grid). References :=

Some possible references are:

Malware Defense with Cisco Secure Firewall Data Sheet

Best Practice Guide for Advanced Malware Protection (AMP) on Cisco Email Security

Malware Protection - Cisco AMP Advanced Malware Protection

Group Encrypted Transport VPN (GET VPN) is used to implement secure VPN connectivity among company branches over a private IP cloud with any-to-any scalable connectivity. GET VPN provides a way to encrypt traffic between sites without the need for point-to-point tunnels, supporting efficient, scalable, and secure communication across a broad network infrastructure.

A multicontext firewall is a feature that allows a single physical firewall to be divided into multiple virtual firewalls, also known as security contexts. Each context operates as an independent device, with its own security policy, interfaces, and administrators. This feature is useful for service providers, large enterprises, or any network that requires more than one firewall. One of the problems that a multicontext firewall can solve is an overlapping IP addressing plan. This means that different contexts can use the same IP addresses without causing conflicts, as long as they are separated by different interfaces or VLANs. This allows for more efficient use of IP address space and easier management of multiple networks. A multicontext firewall can also support dynamic routing protocols and VPNs within each context, providing more flexibility and functionality12 References := 1: What Are Multi-Context Firewalls? - Franklin Fitch 2: Multiple Context Mode - Cisco

Talos Intelligence is a comprehensive threat intelligence service that provides up-to-date information on URL filtering, reputations, and vulnerability information. Talos Intelligence can be integrated with Cisco FTD and Cisco WSA to enhance the security and visibility of the network. Cisco FTD and Cisco WSA can leverage the Talos Intelligence feeds to perform Security Intelligence filtering, which allows the devices to block or allow traffic based on the reputation of the source or destination IP addresses, URLs, or DNS requests. Talos Intelligence feeds are updated regularly and can be configured to download automatically or manually on the FTD and WSA devices12345. References := 1: Cisco Talos Intelligence Group - Comprehensive Threat Intelligence 2: Threat Intelligence on Cisco Stealthwatch - Cisco Community 3: Third-Party Integration of Security Feeds with FMC (Cisco Threat … - Cisco Community 4: Cisco Firepower Threat Defense Configuration Guide for Firepower Device … 5: Cisco Firepower Threat Defense Configuration Guide for Firepower Device …

Defanging is the process of modifying a URL in a message to prevent it from being clickable. This can help protect users from malicious links that have a low URL reputation score. Defanging is one of the actions that can be configured in the Incoming Content Filter on the Cisco ESA. The other actions are Quarantine, FilterAction, and ScreenAction. Quarantine sends the message to a quarantine area for further inspection. FilterAction applies a predefined action such as drop, bounce, or deliver. ScreenAction displays a warning message to the user before allowing them to access the URL. Defanging is the only action that disables the links in the message without affecting the delivery or visibility of the message12. References: 1: URL Filtering on the Cisco IronPort ESA – Mikail’s Blog 2: Configure URL Filtering for Secure Email Gateway and Cloud Gateway - Cisco