Cisco CCNP Security 350-701 Questions & Answers

• Question 421:

  Which algorithm provides asymmetric encryption?

  A. RC4

  B. AES

  C. RSA

  D. 3DES

  Correct Answer: C

  https://www.cisco.com/c/en/us/products/security/encryption-explained.html#~types-of-encryption RSA is asymmetric cryptography, so there is one public key and one private key.

• Question 422:

  Which public cloud provider supports the Cisco Next Generation Firewall Virtual?

  A. Google Cloud Platform

  B. Red Hat Enterprise Visualization

  C. VMware ESXi

  D. Amazon Web Services

  Correct Answer: D

  Reference: https://www.cisco.com/c/en/us/products/collateral/security/adaptive-security- virtual-appliance-asav/ white-paper-c11-740505.html

• Question 423:

  Refer to the exhibit.

  

  What will happen when the Python script is executed?

  A. The hostname will be translated to an IP address and printed.

  B. The hostname will be printed for the client in the client ID field.

  C. The script will pull all computer hostnames and print them.

  D. The script will translate the IP address to FODN and print it

  Correct Answer: C

• Question 424:

  An engineer needs a cloud solution that will monitor traffic, create incidents based on events, and integrate with other cloud solutions via an API. Which solution should be used to accomplish this goal?

  A. SIEM

  B. CASB

  C. Adaptive MFA

  D. Cisco Cloudlock

  Correct Answer: D

  Reference: https://docs.umbrella.com/cloudlock-documentation/docs/endpoints

  Note:+ Security information and event management (SIEM) platforms collect log and event data from securitysystems, networks and computers, and turn it into actionable security insights.+ An incident is a record of the triggering of an alerting policy. Cloud Monitoring opens an incident when acondition of an alerting policy has been met.

• Question 425:

  How does DNS Tunneling exfiltrate data?

  A. An attacker registers a domain that a client connects to based on DNS records and sends malware through that connection.

  B. An attacker opens a reverse DNS shell to get into the client's system and install malware on it.

  C. An attacker uses a non-standard DNS port to gain access to the organization's DNS servers in order to poison the resolutions.

  D. An attacker sends an email to the target with hidden DNS resolvers in it to redirect them to a malicious domain.

  Correct Answer: A

  The attacker registers a domain, such as badsite.com. The domain's name server points to the attacker's server, where a tunneling malware program is installed.

  The attacker infects a computer, which often sits behind a company's firewall, with malware. Because DNS requests are always allowed to move in and out of the firewall, the infected computer is allowed to send a query to the DNS resolver.

  The DNS resolver is a server that relays requests for IP addresses to root and top-level domain servers.

  The DNS resolver routes the query to the attacker's command-and-control server, where the tunneling program is installed. A connection is now established between the victim and the attacker through the DNS resolver. This tunnel can be

  used to exfiltrate data or for other malicious purposes. Because there is no direct connection between the attacker and victim, it is more difficult to trace the attacker's computer.

• Question 426:

  An engineer notices traffic interruption on the network. Upon further investigation, it is learned that broadcast packets have been flooding the network. What must be configured, based on a predefined threshold, to address this issue?

  A. Bridge Protocol Data Unit guard

  B. embedded event monitoring

  C. storm control

  D. access control lists

  Correct Answer: C

  ExplanationStorm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in network configurations, or users issuing a denial-of-service attack can cause a storm.By using the " storm-control broadcast level [falling-threshold]" we can limit the broadcast traffic on the switch.

• Question 427:

  An organization has a Cisco ESA set up with policies and would like to customize the action assigned for violations. The organization wants a copy of the message to be delivered with a message added to flag it as a DLP violation. Which actions must be performed in order to provide this capability?

  A. deliver and send copies to other recipients

  B. quarantine and send a DLP violation notification

  C. quarantine and alter the subject header with a DLP violation

  D. deliver and add disclaimer text

  Correct Answer: D

  Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12- 0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010001.html

• Question 428:

  Refer to the exhibit.

  

  What will happen when this Python script is run?

  A. The compromised computers and malware trajectories will be received from Cisco AMP

  B. The list of computers and their current vulnerabilities will be received from Cisco AMP

  C. The compromised computers and what compromised them will be received from Cisco AMP

  D. The list of computers, policies, and connector statuses will be received from Cisco AMP

  Correct Answer: D

  Reference: https://api- docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fcomputersandapi_host =api.apjc.amp.cisco.comandapi_resource=Computerandapi_version=v1

• Question 429:

  Due to a traffic storm on the network, two interfaces were error-disabled, and both interfaces sent SNMP traps.

  Which two actions must be taken to ensure that interfaces are put back into service? (Choose two)

  A. Have Cisco Prime Infrastructure issue an SNMP set command to re-enable the ports after the pre configured interval.

  B. Use EEM to have the ports return to service automatically in less than 300 seconds.

  C. Enter the shutdown and no shutdown commands on the interfaces.

  D. Enable the snmp-server enable traps command and wait 300 seconds

  E. Ensure that interfaces are configured with the error-disable detection and recovery feature

  Correct Answer: CE

  You can also bring up the port by using these commands:+ The "shutdown" interface configuration command followed by the "no shutdown" interface configurationcommand restarts the disabled port.+ The "errdisable recovery cause ..." global configuration command enables the timer to automatically recover error-disabled state, and the "errdisable recovery interval interval" global configuration command specifies the time to recover error-disabled state.

• Question 430:

  Refer to the exhibit.

  

  An organization is using DHCP Snooping within their network. A user on VLAN 41 on a new switch is complaining that an IP address is not being obtained. Which command should be configured on the switch interface in order to provide the user with network connectivity?

  A. ip dhcp snooping verify mac-address

  B. ip dhcp snooping limit 41

  C. ip dhcp snooping vlan 41

  D. ip dhcp snooping trust

  Correct Answer: D

  To understand DHCP snooping we need to learn about DHCP spoofing attack first.

  DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and answers them with fake DHCP Response before the authorized DHCP Response comes to the clients. The fake DHCP Response often gives

  its IP address as the client default gateway -> all the traffic sent from the client will go through the attacker computer, the attacker becomes a "man-in-the-middle".The attacker can have some ways to make sure its fake DHCP Response

  arrives first. In fact, if the attacker is "closer" than the DHCP Server then he doesn't need to do anything. Or he can DoS the DHCP Server so that it can't send the DHCP Response.DHCP snooping can prevent DHCP spoofing attacks. DHCP

  snooping is a Cisco Catalyst feature thatdetermines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

  Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP

  messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down. The port connected to a DHCP server should be configured as trusted port with

  the "ip dhcp snooping trust" command. Other ports connecting to hosts are untrusted ports by default.

  In this question, we need to configure the uplink to "trust" (under interface Gi1/0/1) as shown below.