Explanation

Explanation

You specify primary and secondary actions that the appliance will take when it detects a possible DLP violation

in an outgoing message. Different actions can be assigned for different violation types and severities.

Primary actions include:

– Deliver

– Drop

– Quarantine

Secondary actions include:

– Sending a copy to a policy quarantine if you choose to deliver the message. The copy is a perfect clone of the

original, including the Message ID. Quarantining a copy allows you to test the DLP system before deployment in

addition to providing another way to monitor DLP violations. When you release the copy from the quarantine,

the appliance delivers the copy to the recipient, who will have already received the original message.

– Encrypting messages. The appliance only encrypts the message body. It does not encrypt the message

headers.

– Altering the subject header of messages containing a DLP violation.

– Adding disclaimer text to messages.

– Sending messages to an alternate destination mailhost.

– Sending copies (bcc) of messages to other recipients. (For example, you could copy messages with critical

DLP violations to a compliance officer’s mailbox for examination.)

– Sending a DLP violation notification message to the sender or other contacts, such as a manager or DLP

compliance officer.

A SQL injection attack is a type of attack that exploits a vulnerability in a web application that uses user-supplied data to construct SQL statements that interact with a database. By inserting malicious commands into the database, an attacker can execute arbitrary SQL queries or commands on the database server, which may result in data theft, data manipulation, or command execution. Machine 1 is vulnerable to SQL injection because it does not properly validate or sanitize the user input before using it in a SQL statement. Therefore, inserting malicious commands into the database would allow the attacker to gain access to machine 1.

A buffer overflow attack is a type of attack that exploits a vulnerability in a program that does not check the boundaries of a buffer (a temporary storage area for data) before copying data into it. By overflowing the buffer’s memory, an attacker can overwrite adjacent memory locations, which may result in corrupting data, crashing the program, or executing malicious code. Machine 2 is vulnerable to buffer overflow because it does not properly handle the size or length of the data that it receives from the user or another source. Therefore, overflowing the buffer’s memory would allow the attacker to gain access to machine 2.

Sniffing the packets between the two hosts is a passive attack that involves capturing and analyzing the network traffic that flows between the two machines. This attack may reveal sensitive information, such as credentials, session tokens, or database queries, but it does not directly allow the attacker to gain access to either machine. Sending continuous pings is a type of denial-of-service attack that involves flooding the target machine with ICMP echo request packets, which may consume its network bandwidth or processing resources, but it does not directly allow the attacker to gain access to either machine. Therefore, neither sniffing the packets nor sending continuous pings would allow the attacker to gain access to machine 1 but not machine 2. References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 3: Web Security, SQL Injection Attacks

Understanding SQL Injection - Cisco, SQL Injection Explained

Buffer Overflow and SQL Injection: To Remotely Attack and … - Springer, Buffer Overflow and SQL Injection Attacks

Explanation

Message tracking helps resolve help desk calls by giving a detailed view of message flow. For example, if a message was not delivered as expected, you can determine if it was found to contain a virus or placed in a spam quarantine — or if it is located somewhere else in the mail stream.

Cisco Cloudlock is a cloud-native security platform that provides data loss prevention (DLP) capabilities for public cloud environments, such as SaaS, IaaS, and PaaS. Cisco Cloudlock can discover, classify, and protect sensitive data stored in cloud applications, such as Office 365, Google Workspace, Salesforce, Dropbox, and AWS. Cisco Cloudlock uses advanced techniques, such as regular expressions, keywords, dictionaries, and machine learning, to identify and monitor data based on predefined or custom policies. Cisco Cloudlock can also enforce actions, such as encryption, quarantine, deletion, or notification, to prevent data leakage or exposure12. References := 1: Cisco Cloudlock Data Sheet 2: Cloud Data Loss Prevention (Cloud DLP) Overview

Explanation

Because MAB uses the MAC address as a username and password, you should make sure that the RADIUS server can differentiate MAB requests from other types of requests for network access. This precaution will prevent other clients from attempting to use a MAC address as a valid credential. Cisco switches uniquely

identify MAB requests by setting Attribute 6 (Service-Type) to 10 (Call-Check) in a MAB Access-Request

message. Therefore, you can use Attribute 6 to filter MAB requests at the RADIUS server.

Explanation

A trusted CA is the only entity that can issue trusted digital certificates. This is extremely important because while PKI manages more of the encryption side of these certificates, authentication is vital to understanding which entities own what keys. Without a trusted CA, anyone can issue their own keys, authentication goes out the window and chaos ensues.

Explanation

All IKE policies on the device are sent to the remote peer regardless of what is in the selected policy section.

The first IKE Policy matched by the remote peer will be selected for the VPN connection. Choose which policy is sent first using the priority field. Priority 1 will be sent first.

https://www.cisco.com/c/dam/en/us/products/collateral/security/cognitive-threat-analytics/at-a-glance-c45-736555.pdf

DevSecOps is a development practice that integrates security into all phases of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery. DevSecOps focuses on application development, as it aims to deliver secure and robust applications that meet the customers’ needs and expectations. DevSecOps also makes security a shared responsibility of development, security, and operations teams, rather than a separate silo. DevSecOps enables faster and safer software delivery by automating security processes and tools, and addressing security issues as they emerge, rather than at the end of the cycle.

References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 6: Securing the Data Center, Lesson 6.2: DevSecOps

What Is DevSecOps? Definition and Best Practices | Microsoft Security

What is DevSecOps? | IBM

What is DevSecOps? | DevSecOps vs. DevOps | VMware

The issue is that the engineer is using the wrong hashing algorithm to generate the hash for the custom detection policy. Cisco AMP for Endpoints requires the use of SHA-256 hashes for simple custom detections, as stated in the Configure a Simple Custom Detection List on the AMP for Endpoints Portal document. SHA-256 hashes are 64 hexadecimal characters long, while MD5 hashes are 32 hexadecimal characters long. Therefore, if the engineer tries to upload a hash created using MD5, the dashboard will indicate that the hash is not 64 characters and is non-zero, as shown in the image below:

To resolve the issue, the engineer should use a tool or a website that can generate SHA-256 hashes from files, such as this one, and upload the correct hash to the custom detection list. References : Configure a Simple Custom Detection List on the AMP for Endpoints Portal, Create an Advanced Custom Detection List in Cisco Secure Endpoint, Working with Advanced Malware Protection (AMP) for Endpoints

DNS tunneling is a technique that uses the DNS protocol to exfiltrate data or establish command and control channels between a compromised host and an attacker-controlled server. DNS tunneling can bypass network security controls that allow outbound DNS traffic without inspection or filtering. To stop DNS tunneling, two recommended approaches are:

Enforce security over port 53. This means applying firewall rules, access control lists, or other mechanisms to restrict outbound DNS traffic to only authorized DNS servers and domains. Additionally, DNS traffic should be inspected and analyzed for anomalies, such as unusually large or frequent queries, non-standard encoding, or suspicious domains. This can help detect and block DNS tunneling attempts.

Use Cisco Umbrella. Cisco Umbrella is a cloud-based security service that provides DNS security, web filtering, and threat intelligence. Cisco Umbrella can prevent DNS tunneling by blocking malicious domains, enforcing policies based on content categories, and applying machine learning to identify and stop emerging threats. Cisco Umbrella can also provide visibility and reporting on DNS activity and security events.

References :=

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 5: Securing the Cloud, Lesson 5.2: DNS Security

What Is DNS Tunneling? - Palo Alto Networks

An Introduction to DNS Tunneling Detection & Data Exfiltration via DNS - Vercara

 Multifactor authentication (MFA) is a solution that requires the user to provide two or more verification factors to gain access to a resource, such as an application, online account, or a VPN. MFA is more secure than the traditional use of a username and password because it reduces the risk of identity theft, phishing, and credential compromise. MFA can use different types of factors, such as something the user knows (e.g., password, PIN), something the user has (e.g., smartphone, token, smart card), or something the user is (e.g., fingerprint, facial recognition). MFA can be implemented using various methods, such as security defaults, Conditional Access policies, or third-party solutions123. References:

https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661

https://www.onelogin.com/learn/what-is-mfa

Explanation

Explanation

The following are the benefits of deploying Cisco Advanced Phishing Protection on the Cisco Email Security

Gateway:

Prevents the following:

+ Attacks that use compromised accounts and social engineering.

+ Phishing, ransomware, zero-day attacks and spoofing.

+ BEC with no malicious payload or URL.