350-701 Cisco Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) Free Practice Exam Questions (2025 Updated)

create an application control blocked applications list. This option allows you to specify a list of files that you want to prevent from running on the endpoints that have the AMP connector installed. The files are identified by their SHA-256 hashes, and you can upload them individually or in a batch. The files are not quarantined, but they are blocked from execution and reported as events in the AMP console1. This option is different from the simple custom detection list, which is used to detect and quarantine specific files that are considered malicious2. The advanced custom detection list is also used to detect and quarantine files, but it allows you to specify more criteria such as file size, file name, and file path3. The IP block and allow lists are used to control the network traffic to and from the endpoints, not the file execution4. References: 1: Configure Application Control on the AMP for Endpoints Portal 2: Configure a Simple Custom Detection List on the AMP for Endpoints Portal 3: [Configure an Advanced Custom Detection List on the AMP for Endpoints Portal] 4: [Configure IP Block and Allow Lists on the AMP for Endpoints Portal]

The difference between GRE over IPsec and IPsec with crypto map is that GRE (Generic Routing Encapsulation) over IPsec can encapsulate and transport non-IP protocols across an IP network, whereas IPsec with crypto map is typically used for IP traffic. GRE tunnels wrapped in IPsec provide a way to transport multicast traffic and other protocol types across an IPsec VPN, offering greater flexibility in the types of traffic that can be secured.

 Firepower NGIPS inline deployment mode is a mode where the NGIPS device is placed in the traffic path and can take actions such as blocking, modifying, or redirecting traffic based on the policies and rules. In this mode, the NGIPS device must have inline interface pairs configured, which are pairs of physical or logical interfaces that act as a single logical interface. The inline interface pairs are connected to the network devices on both sides of the NGIPS device, and the traffic flows through the NGIPS device from one interface to the other. The NGIPS device can inspect and modify the traffic as it passes through the inline interface pairs12. References := 1: Firepower Management Center Configuration Guide, Version 6.6 - Device Management Basics 2: Configure FTD Interfaces in Inline-Pair Mode

Add the DNS entry for the new Cisco ISE node into the DNS server. This is because the fully qualified domain name (FQDN) of the new Cisco ISE node, for example, ise1.cisco.com, must be DNS-resolvable from the primary Administration ISE node. Otherwise, node registration will fail. The DNS server must contain the IP addresses and FQDNs of the ISE nodes that are part of the distributed deployment1.

The other options are incorrect because:

Changing the IP address of the new Cisco ISE node to the same network as the others is not necessary, as long as the nodes can communicate with each other over the network.

Making the new Cisco ISE node a secondary PAN before registering it with the primary is not possible, as the node must be registered first before changing its persona or role.

Opening port 8905 on the firewall between the Cisco ISE nodes is not required, as this port is used for communication between the primary and secondary Monitoring ISE nodes, not for node registration.

Based on the configuration script in the image, the interface GigabitEthernet0/0/18 is configured for both 802.1X and MAB authentication. The command authentication port-control auto enables 802.1X authentication on the port, while the command dot1x pae authenticator enables the port to act as an authenticator. The command authentication host-mode multi-domain enables MAB authentication on the port, and allows two devices to be authenticated, one in the voice VLAN and one in the data VLAN. Therefore, when a device tries to connect to the port, the switch will first attempt 802.1X authentication, and if it fails, it will fall back to MAB authentication using the device’s MAC address. The switch will then contact the ISE server, which is configured as the RADIUS server group ise-group, to verify the device’s credentials and assign the appropriate access level based on the ISE policy. The ISE policy can also dynamically assign VLANs, ACLs, or service policies to the device based on its identity and posture. References :=

Some possible references are:

[Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0], Module 6: Secure Connectivity, Lesson 6.2: Implementing Site-to-Site VPNs, Topic 6.2.2: Group Encrypted Transport VPN

Cisco IOS Security Configuration Guide, Release 15M&T - Configuring IEEE 802.1x Port-Based Authentication

Cisco IOS Security Configuration Guide, Release 15M&T - Configuring MAC Authentication Bypass

Cisco Identity Services Engine Administrator Guide, Release 2.7 - Configure Wired 802.1X and MAB

Explanation

The call to API of “https://api.amp.cisco.com/v1/computers” allows us to fetch list of computers across your

organization that Advanced Malware Protection (AMP) sees

AES encryption is a symmetric block cipher algorithm that uses a single key to encrypt and decrypt data. It is more secure than 3DES, which is an older and slower algorithm that encrypts and decrypts a key three times in sequence. AES can use different key sizes, such as 128, 192, or 256 bits, depending on the security level required. The longer the key, the more rounds of encryption and decryption are performed, making it harder to break. AES encryption is based on a substitution-permutation network, which consists of a series of operations that transform the input data into the output data using the key. References :=

https://www.simplilearn.com/tutorials/cryptography-tutorial/aes-encryption

https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

To collect full metadata information about the traffic going through their AWS cloud services, the organization needs to send VPC Flow Logs to Cisco Stealthwatch Cloud and configure Cisco Stealthwatch Cloud to ingest AWS information. VPC Flow Logs is a feature that enables the organization to capture information about the IP traffic going to and from network interfaces in their VPC. Flow log data can be published to Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose1. Cisco Stealthwatch Cloud is a SaaS-based network and cloud security solution that provides behavioral analytics across the network to help the organization improve threat detection and achieve a stronger security posture2. By sending VPC Flow Logs to Cisco Stealthwatch Cloud, the organization can leverage the rich network flow metadata to perform various types of flow analysis, such as troubleshooting connectivity issues, monitoring the traffic patterns, detecting anomalous or malicious activity, and verifying compliance3. To send VPC Flow Logs to Cisco Stealthwatch Cloud, the organization needs to create a flow log for their VPC, subnet, or network interface, and specify Cisco Stealthwatch Cloud as the destination4. To configure Cisco Stealthwatch Cloud to ingest AWS information, the organization needs to add their AWS account as a data source in the Cisco Stealthwatch Cloud portal, and grant the necessary permissions for Cisco Stealthwatch Cloud to access their VPC Flow Logs5. By doing so, the organization can view and analyze the flow log data in the Cisco Stealthwatch Cloud dashboard, and receive valuable security alerts and insights based on the network behavior6.

References := 1: Logging IP traffic using VPC Flow Logs - Amazon Virtual Private Cloud 2: Cisco Secure Cloud Analytics (Stealthwatch Cloud) - Cisco 3: Cisco Secure Cloud Analytics - AWS VPC Flow Logs: A New Tool for Your … 4: Publish flow logs to Cisco Stealthwatch Cloud - Amazon Virtual Private Cloud 5: AWS Data Source Setup - Cisco Stealthwatch Cloud 6: AWS Workload Protection - Cisco Stealthwatch Cloud

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/access_control_using_intrusion_and_file_policies.html#:~:text=File%20Policies-,Access%20Control%20Traffic%20Handling%20with%20Intrusion%20and%20File%20Policies,-The%20following%20diagram

the first three access control rules in the policy—Monitor, Trust, and Block—cannot inspect matching traffic. Monitor rules track and log but do not inspect network traffic, so the system continues to match traffic against additional rules to determine whether to permit or deny it

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/access_control_rules.html#:~:text=Rule%20Blocking%20Actions-,Access%20Control%20Rule%20Allow%20Action,network%20discovery%20policy%3B%20additionally%2C%20application%20discovery%20is%20limited%20for%20encrypted%20sessions.,-Related%20Concepts

The cause of this issue is that NTP authentication is not enabled on the router. The commands shown in the exhibit only define the authentication key and mark it as trusted, but they do not enable NTP authentication globally or on a per-peer basis. To enable NTP authentication globally, the command ntp authenticate must be used. To enable NTP authentication on a per-peer basis, the command ntp server ip-address key key-id or ntp peer ip-address key key-id must be used, where key-id is the same as the one defined by the ntp authentication-key command. Without enabling NTP authentication, any device can synchronize time with this router, regardless of whether it has the same authentication key or not.

The other options are incorrect because:

The key was configured in plain text, but this is not the cause of the issue. Although it is recommended to use the ntp authentication-key key-id md5 key [encrypted] command to encrypt the key, using plain text does not prevent NTP authentication from working, as long as the same key is configured on both the router and the peer.

The hashing algorithm that was used was MD5, which is supported by NTP. MD5 is the default algorithm for NTP authentication and it can be used with any key length from 1 to 16 characters. Other algorithms, such as SHA and SHA1, are also supported by NTP if the OpenSSL library is installed, but they are not required for NTP authentication to work.

The router was not rebooted after the NTP configuration updated, but this is not necessary for NTP authentication to take effect. NTP authentication is applied immediately after the configuration commands are entered, and no reboot is required.

Using a company-managed Amazon S3 bucket for Cisco Umbrella logs allows the administrator to have full control over the access and lifecycle of the log data. This configuration can grant third-party SIEM integrations write access to the S3 bucket, which can enable more advanced analysis and correlation of the log data with other sources. This configuration also provides more flexibility in terms of how long the data can be stored offline, as opposed to the Cisco-managed S3 bucket, which has a fixed retention period of 30 days. References:

Enable Logging to Your Own S3 Bucket

Centralized Umbrella Log Management with Amazon’s S3 service for MSP, MSSP, and Multi-org customers

 Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cloudlock’s simple, open, and automated approach uses APIs to manage the risks in your cloud app ecosystem. Cloudlock integrates with cloud applications like Dropbox and Office 365 by providing visibility, compliance, threat protection, and data security. Cloudlock can detect and prevent data exfiltration by applying data loss prevention (DLP) policies, encrypting sensitive data, and alerting or blocking unauthorized activities. Cloudlock also supports cloud app discovery and risk assessment, user and entity behavior analytics (UEBA), and cloud app firewall12. References: 1: Cisco Cloudlock - Cisco 2: Cisco Cloudlock Privacy Data Sheet

Explanation

The Version 1 format was the initially released version. Do not use the Version 1 format unless you are using a legacy collection system that requires it. Use Version 9 or Version 5 export format.

Version 5 export format is suitable only for the main cache; it cannot be expanded to support new features.

Version 8 export format is available only for aggregation caches; it cannot be expanded to support new

features.

To deploy Cisco WSA in transparent mode, the configuration component that must be used is WCCP on switch. WCCP stands for Web Cache Communication Protocol, which is a protocol that allows a network device (such as a switch) to redirect web traffic to a proxy server (such as Cisco WSA) transparently. This means that the client does not need to configure any proxy settings on the browser, and the proxy server can intercept and process the web requests and responses without the client’s knowledge. WCCP can also provide load balancing and failover capabilities for multiple proxy servers.

The other options are incorrect because they are not required or relevant for transparent mode deployment. Option A is incorrect because MDA (Multilink PPP Dial Access) is a feature that allows multiple physical links to be aggregated into a single logical link for dial-up connections. It has nothing to do with transparent mode. Option B is incorrect because PBR (Policy-Based Routing) is a feature that allows routing decisions to be based on criteria other than the destination IP address, such as source IP address, protocol, port, etc. It is not necessary for transparent mode, as WCCP can handle the traffic redirection. Option D is incorrect because DNS resolution on Cisco WSA is not a configuration component, but a function that allows the proxy server to resolve domain names to IP addresses. It is not specific to transparent mode, as it is also used in explicit mode. References:

What is the difference between transparent and forward proxy mode?

User Guide for AsyncOS 12.7 for Cisco Web Security Appliances - LD (Limited Deployment) - Acquire End-User Credentials

Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP?

Explanation

Cisco Hybrid Email Security is a unique service offering that combines a cloud-based email security deployment

with an appliance-based email security deployment (on premises) to provide maximum choice and control for

your organization. The cloud-based infrastructure is typically used for inbound email cleansing, while the onpremises appliances provide granular control – protecting sensitive information with data loss

prevention (DLP) and encryption technologies.

Explanation

DNS Tunneling is a method of cyber attack that encodes the data of other programs or protocols in DNS

queries and responses. DNS tunneling often includes data payloads that can be added to an attacked DNS

server and used to control a remote server and applications.

Explanation

You can configure your ASA FirePOWER module using one of the following deployment models:

You can configure your ASA FirePOWER module in either an inline or a monitor-only (inline tap or

passive) deployment.

The correct command to log all events to a destination collector is flow-export event-type all destination 209.165.201.10. This command configures a flow-export action that sends all NSEL events to the specified IP address. NSEL events include flow-create, flow-teardown, flow-denied, and flow-update events. The command must be entered in the policy-map class configuration mode, after defining a policy-map and a class-map that match the traffic and event type. The other commands are incorrect because they either specify the wrong event type (flow-update instead of all) or the wrong destination IP address (209.165.201 instead of 209.165.201.10). References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Securing the Cloud, Lesson 5.2: DNS Security

Cisco Secure Firewall ASA NetFlow Implementation Guide

Configuring Cisco ASA for NetFlow Export via CLI – Plixer

Cisco Umbrella allows you to create custom destination lists that contain specific domains or IP addresses that you want to allow or block. You can then apply these destination lists to your policies to override the default behavior of Umbrella. For example, if you want to block specific addresses using Cisco Umbrella, you can create a destination list with those addresses and set the action to block. Then, you can assign this destination list to the policy that you want to modify. This way, any request to those addresses will be blocked by Umbrella, regardless of the content category or application settings12 References := 1: Manage Policies - Umbrella User Guide 2: Understanding Destination lists supported entries and error messages - Cisco Umbrella

 A security application that notifies a controller within a software-defined network architecture about a specific security threat is using a northbound API. A northbound API is an interface that enables communication between the SDN controller and the applications or management systems that use the network services1. A security application can use a northbound API to send alerts, requests, or commands to the SDN controller, which can then take appropriate actions on the network devices or policies2. For example, a security application can use a northbound API to inform the SDN controller about a malicious traffic pattern, and the SDN controller can then block or redirect the traffic using a southbound API3.

 1: What is Software-Defined Networking (SDN)? | VMware Glossary 2: Intent-Based Networking’s Next Evolution: The DNA Center Platform - Cisco Blogs 3: Cisco SDN Security: Securing the Software Defined Network - Cisco

Explanation

Explanation

NetFlow is typically used for several key customer applications, including the following:

…

Billing and accounting. NetFlow data provides fine-grained metering (for instance, flow data includes details such as IP addresses, packet and byte counts, time stamps, type of service (ToS), and application ports) for highly flexible and detailed resource utilization accounting. Service providers may use the information for billing based on time of day, bandwidth usage, application usage, quality of service, and so on. Enterprise customers may use the information for departmental charge back or cost allocation for resource utilization.

vulnerability is a flaw or gap in the security of a system or network that can be exploited by an attacker to compromise its functionality, integrity, confidentiality, or availability. A vulnerability can exist in the design, implementation, configuration, or operation of a system or network, and can be caused by human errors, software bugs, hardware defects, or environmental factors. A vulnerability can be exploited by an attacker using various methods, such as malware, phishing, brute force, denial-of-service, or injection attacks. A vulnerability can also be exploited by an insider who has legitimate access to the system or network, but abuses their privileges for malicious purposes. A vulnerability can be discovered by security researchers, ethical hackers, or malicious hackers, and can be reported to the vendor or the public for remediation or exploitation. A vulnerability can be mitigated by applying patches, updates, or configuration changes, or by using security tools such as firewalls, antivirus, or encryption.

An exploit is a piece of code, data, or technique that takes advantage of a vulnerability to perform unauthorized or malicious actions on a system or network. An exploit can be used to gain access, escalate privileges, execute commands, steal data, disrupt services, or damage resources. An exploit can be delivered by various means, such as email attachments, web links, removable media, or network packets. An exploit can be developed by security researchers, ethical hackers, or malicious hackers, and can be shared or sold on the dark web or other platforms for testing or attacking purposes. An exploit can be detected by security tools such as intrusion detection systems, antivirus, or anti-exploit software.

The difference between a vulnerability and an exploit is that a vulnerability is a potential weakness that can be exploited, while an exploit is an actual attack that uses a vulnerability. A vulnerability can exist without being exploited, but an exploit cannot exist without a vulnerability. A vulnerability can be fixed or prevented, but an exploit can only be blocked or stopped. References :=

Exploit vs Vulnerability: What’s the Difference? - InfoSec Insights

Difference Between Vulnerability and Exploit - GeeksforGeeks

Exploit vs. Vulnerability: What Is the Difference? - Coralogix

Exploit vs Vulnerability: What’s the Difference? - Cybers Guards

 Mobile Device Management (MDM) is a solution that allows an organization to manage, monitor, and secure mobile devices such as smartphones, tablets, and laptops. MDM provides two main advantages to an organization with regards to device management:

Asset inventory management: MDM helps an organization keep track of all the mobile devices that are connected to its network, including their location, status, configuration, and usage. MDM also enables an organization to remotely wipe or lock devices that are lost, stolen, or compromised, preventing data loss and unauthorized access. Asset inventory management helps an organization optimize its resources, reduce costs, and comply with regulations12.

Allowed application management: MDM allows an organization to control what applications can be installed and run on the mobile devices, as well as how they can access and share data. MDM can also push updates and patches to the devices, ensuring that they are always running the latest and most secure versions of the applications. Allowed application management helps an organization enhance security, productivity, and performance of the mobile devices34.

 1: 7 Advantages and Disadvantages of Mobile Device Management [2024] 2: 5 Benefits of Mobile Device Management - ESET 3: Top 10 Benefits of Mobile Device Management (MDM) - TechFunnel 4: Benefits of Mobile Device Management (MDM) for Businesses

Asymmetric encryption, also known as public key cryptography, uses two different keys for encryption and decryption: a public key and a private key. The public key can be shared with anyone, while the private key must be kept secret. Data encrypted with the public key can only be decrypted with the private key, and vice versa. This ensures that only the intended recipient can access the encrypted data, and that the sender can prove their identity with a digital signature. Asymmetric encryption is widely used for securing Internet communications, such as TLS/SSL, which enables HTTPS. Some examples of asymmetric encryption algorithms are RSA, Diffie-Hellman, and Elliptic Curve Cryptography. The other options are not correct because they do not use a public key and private key. Symmetric encryption uses the same key for encryption and decryption, and is faster and more efficient than asymmetric encryption. However, symmetric encryption requires a secure way to exchange the key between the sender and the receiver, which can be facilitated by asymmetric encryption. Linear and nonlinear encryption are not types of encryption, but rather properties of encryption algorithms. A linear encryption algorithm is one that can be expressed as a linear function, such as XOR. A nonlinear encryption algorithm is one that involves more complex mathematical operations, such as modular arithmetic or S-boxes. Nonlinear encryption algorithms are generally more secure and resistant to cryptanalysis than linear encryption algorithms. References :=

Public-key cryptography - Wikipedia

How does public key cryptography work? - Cloudflare

Public and private encryption keys | PreVeil

AES encryption, what are public and private keys?

Explanation

Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable

source. It is usually done through email. The goal is to steal sensitive data like credit card and login information,

or to install malware on the victim’s machine.

 Cisco Identity Services Engine (ISE) and AnyConnect Posture module are the best solution to ensure that all endpoints are compliant before users are allowed access on the corporate network. ISE is a policy-based platform that provides secure network access, identity management, and endpoint compliance. AnyConnect Posture module is a component of the AnyConnect Secure Mobility Client that performs posture assessment and remediation on the endpoints. Together, they can enforce policies based on the endpoint’s compliance status, such as the presence and update of the corporate antivirus application and the Windows 10 build version. The administrator can configure posture requirements, profiles, and policies on ISE, and deploy them to the endpoints through AnyConnect. The endpoints will then report their posture status to ISE, which will grant or deny network access accordingly, or redirect them to a remediation portal if needed. References :

Explanation

Protect sensitive content in outgoing emails with Data Loss Prevention (DLP) and easy-to-use email

encryption, all in one solution.

Cisco Email Security appliance can now handle incoming mail connections and incoming messages from

specific geolocations and perform appropriate actions on them, for example:

– Prevent email threats coming from specific geographic regions.

– Allow or disallow emails coming from specific geographic regions.