Cisco CCNP Security 350-701 Questions & Answers

• Question 461:

  What can be integrated with Cisco Threat Intelligence Director to provide information about security threats, which allows the SOC to proactively automate responses to those threats?

  A. Cisco Umbrella

  B. External Threat Feeds

  C. Cisco Threat Grid

  D. Cisco Stealthwatch

  Correct Answer: B

  https://www.cisco.com/c/en/us/support/docs/storage-networking/security/214859-configure-and-troubleshoot-cisco-threat.html

• Question 462:

  Which two prevention techniques are used to mitigate SQL injection attacks? (Choose two)

  A. Check integer, float, or Boolean string parameters to ensure accurate values.

  B. Use prepared statements and parameterized queries.

  C. Secure the connection between the web and the app tier.

  D. Write SQL code instead of using object-relational mapping libraries.

  E. Block SQL code execution in the web application database login.

  Correct Answer: AB

• Question 463:

  When web policies are configured in Cisco Umbrella, what provides the ability to ensure that domains are blocked when they host malware, command and control, phishing, and more threats?

  A. Application Control

  B. Security Category Blocking

  C. Content Category Blocking

  D. File Analysis

  Correct Answer: B

• Question 464:

  Which feature requires a network discovery policy on the Cisco Firepower Next Generation Intrusion Prevention System?

  A. Security Intelligence

  B. Impact Flags

  C. Health Monitoring

  D. URL Filtering

  Correct Answer: B

  https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKSEC-3300.pdf

• Question 465:

  Which two preventive measures are used to control cross-site scripting? (Choose two)

  A. Enable client-side scripts on a per-domain basis.

  B. Incorporate contextual output encoding/escaping.

  C. Disable cookie inspection in the HTML inspection engine.

  D. Run untrusted HTML input through an HTML sanitization engine.

  E. Same Site cookie attribute should not be used.

  Correct Answer: BD

  https://en.wikipedia.org/wiki/Cross-site_scripting#Safely_validating_untrusted_HTML_input

• Question 466:

  What provides visibility and awareness into what is currently occurring on the network?

  A. CMX

  B. WMI

  C. Prime Infrastructure

  D. Telemetry

  Correct Answer: D

  Reference:

  https://www.cisco.com/c/dam/en_us/about/doing_business/legal/service_descriptions/docs/ activethreat-analytics-premier.pdf

• Question 467:

  How many interfaces per bridge group does an ASA bridge group deployment support?

  A. up to 2

  B. up to 4

  C. up to 8

  D. up to 16

  Correct Answer: B

  https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/intro-fw.html

• Question 468:

  When Cisco and other industry organizations publish and inform users of known security findings and vulnerabilities, which name is used?

  A. Common Security Exploits

  B. Common Vulnerabilities and Exposures

  C. Common Exploits and Vulnerabilities

  D. Common Vulnerabilities, Exploits and Threats

  Correct Answer: B

  Reference: CCNP And CCIE Security Core SCOR 350-701 Official Cert Guide

• Question 469:

  An engineer used a posture check on a Microsoft Windows endpoint and discovered that the MS17-010 patch was not installed, which left the endpoint vulnerable to WannaCry ransomware. Which two solutions mitigate the risk of this ransom ware infection? (Choose two)

  A. Configure a posture policy in Cisco Identity Services Engine to install the MS17-010 patch before allowing access on the network.

  B. Set up a profiling policy in Cisco Identity Service Engine to check and endpoint patch level before allowing access on the network.

  C. Configure a posture policy in Cisco Identity Services Engine to check that an endpoint patch level is met before allowing access on the network.

  D. Configure endpoint firewall policies to stop the exploit traffic from being allowed to run and replicate throughout the network.

  E. Set up a well-defined endpoint patching strategy to ensure that endpoints have critical vulnerabilities patched in a timely fashion.

  Correct Answer: AC

  A posture policy is a collection of posture requirements, which are associated with one or more identity groups, and operating systems. We can configure ISE to check for the Windows patch at Work Centers > Posture > Posture Elements > Conditions > File.In this example, we are going to use the predefined file check to ensure that our Windows 10 clients have the critical security patch installed to prevent the Wanna Cry malware.

  

• Question 470:

  A network administrator configures Dynamic ARP Inspection on a switch. After Dynamic ARP Inspection is applied, all users on that switch are unable to communicate with any destination. The network administrator checks the interface status of all interfaces, and there is no err-disabled interface. What is causing this problem?

  A. DHCP snooping has not been enabled on all VLANs.

  B. The ip arp inspection limit command is applied on all interfaces and is blocking the traffic of all users.

  C. Dynamic ARP Inspection has not been enabled on all VLANs

  D. The no ip arp inspection trust command is applied on all user host interfaces

  Correct Answer: D

  Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man- in-themiddle attacks. After enabling DAI, all ports become untrusted ports.