Explanation

Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable

source. It is usually done through email. The goal is to steal sensitive data like credit card and login information,

or to install malware on the victim’s machine.

The cloud security shared responsibility model is a way of describing how the security tasks and obligations are divided between the cloud service provider (CSP) and the customer, depending on the type of cloud service model used. The cloud service models are:

Software as a Service (SaaS): The CSP provides and manages the entire software stack, including the applications, data, runtime, middleware, operating system, virtualization, servers, storage, and networking. The customer only needs to access the software through a web browser or an application. The customer is responsible for managing their own data and identities, as well as configuring the security settings of the software. The CSP is responsible for everything else, including patching the operating system and the applications12

Platform as a Service (PaaS): The CSP provides and manages the platform layer, including the runtime, middleware, operating system, virtualization, servers, storage, and networking. The customer can deploy and run their own applications and data on the platform, using the tools and languages supported by the CSP. The customer is responsible for managing their own applications and data, as well as configuring the security settings of the platform. The CSP is responsible for patching the operating system and the middleware12

Infrastructure as a Service (IaaS): The CSP provides and manages the infrastructure layer, including the virtualization, servers, storage, and networking. The customer can provision and use virtual machines, containers, or bare metal servers, and install their own operating system, middleware, applications, and data. The customer is responsible for managing and patching their own operating system, middleware, applications, and data, as well as configuring the security settings of the infrastructure. The CSP is responsible for the physical security and availability of the infrastructure12

References := 1: Shared responsibility in the cloud - Microsoft Azure 2: Cloud security shared responsibility model - NCSC

The mechanism that the engineer should configure to accomplish the goal of sending telemetry using the cloud provider’s mechanisms to a security device is VPC flow logs. VPC flow logs are a feature of Google Cloud that capture and record information about the network flows sent from and received by the virtual machines (VMs) inside a VPC network1. VPC flow logs can provide network telemetry data such as source and destination IP addresses, ports, protocols, bytes sent and received, and connection state1. VPC flow logs can be exported to Cloud Logging, Pub/Sub, or Cloud Storage for further analysis by security devices or tools1. VPC flow logs can help the engineer to perform behavioral analysis to detect malicious activity on the hosts, such as network scans, port sweeps, brute force attacks, data exfiltration, or lateral movement2.

The other options are not correct mechanisms to send telemetry using the cloud provider’s mechanisms to a security device. Option A is incorrect because mirror port is not a feature of Google Cloud, but rather a network device configuration that copies traffic from one port to another for monitoring purposes3. Option B is incorrect because flow is not a specific mechanism, but rather a generic term that refers to a sequence of packets between a source and a destination4. Option C is incorrect because NetFlow is not a feature of Google Cloud, but rather a network protocol developed by Cisco that collects and aggregates information about network flows5. NetFlow is not compatible with VPC flow logs, which use a different format6. References:

VPC flow logs overview

When to use 5 telemetry types in security threat monitoring

What is a Mirror Port?

What is a Network Flow?

What is NetFlow?

Exporting VPC flow logs to Pub/Sub

Explanation

Explanation

Endpoint protection platforms (EPP) prevent endpoint security threats like known and unknown malware.

Endpoint detection and response (EDR) solutions can detect and respond to threats that your EPP and other security tools did not catch.

EDR and EPP have similar goals but are designed to fulfill different purposes. EPP is designed to provide

device-level protection by identifying malicious files, detecting potentially malicious activity, and providing tools for incident investigation and response.

The preventative nature of EPP complements proactive EDR. EPP acts as the first line of defense, filtering out attacks that can be detected by the organization’s deployed security solutions. EDR acts as a second layer of protection, enabling security analysts to perform threat hunting and identify more subtle threats to the endpoint.

Effective endpoint defense requires a solution that integrates the capabilities of both EDR and EPP to provide protection against cyber threats without overwhelming an organization’s security team.

To create an access control list (ACL) on a Cisco Adaptive Security Appliance (ASA) firewall, you need to use the access-list command followed by the name of the ACL, the action (permit or deny), the protocol, the source address and mask, and the destination address and mask. For example, to permit HTTP traffic from the inside network 192.168.1.0/24 to any destination on the internet, you can use this command:

access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www

This command creates an ACL named inside_access_in that permits TCP traffic from the source network 192.168.1.0/24 to any destination with the destination port equal to 80 (www). The eq keyword is used to specify the port number or name. You can also use the range keyword to specify a range of ports.

To apply the ACL to an interface, you need to use the access-group command followed by the name of the ACL and the direction (in or out). For example, to apply the ACL to the inside interface in the inbound direction, you can use this command:

access-group inside_access_in in interface inside

This command applies the ACL inside_access_in to the interface named inside in the inbound direction. This means that the ACL will filter the traffic that enters the firewall through the inside interface.

Option D is the only option that matches the syntax of the access-list command for the ASA firewall. Option A is incorrect because it uses the ip keyword instead of the tcp keyword. Option B is incorrect because it uses the any keyword for both the source and destination addresses. Option C is incorrect because it uses the host keyword for the source address, which is not valid for a network address.

Explanation

Explanation

There are three basic categories of attack:

+ volume-based attacks, which use high traffic to inundate the network bandwidth

+ protocol attacks, which focus on exploiting server resources

+ application attacks, which focus on web applications and are considered the most sophisticated and serious type of attacks Reference: https://www.esecurityplanet.com/networks/types-of-ddos-attacks/

Explanation

Explanation

… we will showcase Cisco Threat Intelligence Director (CTID) an exciting feature on Cisco’s Firepower

Management Center (FMC) product offering that automates the operationalization of threat intelligence. TID has the ability to consume threat intelligence via STIX over TAXII and allows uploads/downloads of STIX and simple blacklists. Reference: https://blogs.cisco.com/developer/automate-threat-intelligence-using-cisco-threat-intelligencedirector

Cisco Stealthwatch is a security solution that uses NetFlow to provide visibility across the network, data center, branch offices, and cloud. NetFlow is a protocol that collects and exports statistics on network traffic flows from routers, switches, firewalls, and other devices. NetFlow data can be used to monitor network performance, troubleshoot issues, detect anomalies, and identify security threats. Cisco Stealthwatch analyzes NetFlow data from various sources and correlates it with other contextual information, such as identity, device, location, and threat intelligence. Cisco Stealthwatch then applies advanced behavioral analytics and machine learning to detect and respond to malicious activities, such as data exfiltration, malware infection, insider threats, and denial-of-service attacks. Cisco Stealthwatch also provides comprehensive network visibility and security across hybrid environments, including public cloud, private cloud, and on-premises networks. Cisco Stealthwatch can integrate with other Cisco security solutions, such as Cisco Identity Services Engine (ISE), Cisco Firepower, Cisco Umbrella, and Cisco Advanced Malware Protection (AMP), to enhance network security and incident response capabilities. References:

Implementing and Operating Cisco Security Core Technologies (SCOR) v1.0, Module 8: Cloud and Virtual Network Security, Lesson 8.2: Cisco Stealthwatch Cloud

Cisco Stealthwatch

NetFlow for Cybersecurity and Incident Response

B

Explanation

Explanation

Cisco ISE allows a global configuration to issue a Change of Authorization (CoA) in the Profiler Configuration

page that enables the profiling service with more control over endpoints that are already authenticated.

One of the settings to configure the CoA type is “Reauth”. This option is used to enforce reauthentication of an already authenticated endpoint when it is profiled.

 A security application that notifies a controller within a software-defined network architecture about a specific security threat is using a northbound API. A northbound API is an interface that enables communication between the SDN controller and the applications or management systems that use the network services1. A security application can use a northbound API to send alerts, requests, or commands to the SDN controller, which can then take appropriate actions on the network devices or policies2. For example, a security application can use a northbound API to inform the SDN controller about a malicious traffic pattern, and the SDN controller can then block or redirect the traffic using a southbound API3.

 1: What is Software-Defined Networking (SDN)? | VMware Glossary 2: Intent-Based Networking’s Next Evolution: The DNA Center Platform - Cisco Blogs 3: Cisco SDN Security: Securing the Software Defined Network - Cisco

Explanation

The term ‘rootkit’ originally comes from the Unix world, where the word ‘root’ is used to describe a user with the

highest possible level of access privileges, similar to an ‘Administrator’ in Windows. The word ‘kit’ refers to the

software that grants root-level access to the machine. Put the two together and you get ‘rootkit’, a program that

gives someone – with legitimate or malicious intentions – privileged access to a computer.

There are four main types of rootkits: Kernel rootkits, User mode rootkits, Bootloader rootkits, Memory rootkits

Explanation

The following are restrictions for Flexible NetFlow:

+ Traditional NetFlow (TNF) accounting is not supported.

+ Flexible NetFlow v5 export format is not supported, only NetFlow v9 export format is supported.

+ Both ingress and egress NetFlow accounting is supported.

+ Microflow policing feature shares the NetFlow hardware resource with FNF.

+ Only one flow monitor per interface and per direction is supported.

 Patching is important for security, compliance, stability, and reputation reasons. Patches are released to fix security vulnerabilities in software and systems, which can be exploited by cybercriminals to cause data breaches, data loss, or other damage. Failure to patch these vulnerabilities leaves the company’s systems exposed to potential security risks. Patch management helps to minimize these risks by ensuring that all software and systems are up-to-date with the latest security patches. Patch management also helps to comply with regulatory and industry standards that require a certain level of security, and to avoid legal consequences for non-compliance. Additionally, patches provide bug fixes and other updates that improve the stability and performance of software and systems, and prevent system crashes, downtime, and other issues that can negatively impact the business operations. Finally, patch management helps to maintain a positive reputation for the company, as a security breach or downtime caused by unpatched vulnerabilities can damage the customer trust and loyalty, and result in revenue loss. References:

5 Patch Management Best Practices for Success in 2023 - TechRepublic

Six Patch Management Best Practices [Updated 2024] - Heimdal Security