Cisco 350-701 Practice Test - Questions Answers, Page 24
List of questions
Question 231

What is the role of an endpoint in protecting a user from a phishing attack?
Use Cisco Stealthwatch and Cisco ISE Integration.
Utilize 802.1X network security to ensure unauthorized access to resources.
Use machine learning models to help identify anomalies and determine expected sending behavior.
Ensure that antivirus and anti-malware software is up to date.
Question 232

An organization has noticed an increase in malicious content downloads and wants to use Cisco Umbrella to prevent this activity for suspicious domains while allowing normal web traffic. Which action will accomplish this task?
Set content settings to High
Configure the intelligent proxy.
Use destination block lists.
Configure application block lists.
Obviously, if you allow all traffic to these risky domains, users might access malicious content, resulting in an infection or data leak. But if you block traffic, you can expect false positives, an increase in support inquiries, and thus, more headaches. By only proxying risky domains, the intelligent proxy delivers more granular visibility and control.
The intelligent proxy bridges the gap by allowing access to most known good sites without being proxied and only proxying those that pose a potential risk. The proxy then filters and blocks against specific URLs hosting malware while allowing access to everything else.
Reference: https://docs.umbrella.com/deployment-umbrella/docs/what-is-the-intelligent-proxy
Question 233

With which components does a southbound API within a software-defined network architecture communicate?
controllers within the network
applications
appliances
devices such as routers and switches
The Southbound API is used to communicate between Controllers and network devices.
Question 234

A network administrator needs to find out what assets currently exist on the network. Third-party systems need to be able to feed host data into Cisco Firepower. What must be configured to accomplish this?
a Network Discovery policy to receive data from the host
a Threat Intelligence policy to download the data from the host
a File Analysis policy to send file data into Cisco Firepower
a Network Analysis policy to receive NetFlow data from the host
You can configure discovery rules to tailor the discovery of host and application data to your needs.
The Firepower System can use data from NetFlow exporters to generate connection and discovery events, and to add host and application data to the network map.
A network analysis policy governs how traffic is decoded and preprocessed so it can be further evaluated, especially for anomalous traffic that might signal an intrusion attempt -> Answer D is not correct.
Question 235

When configuring ISAKMP for IKEv1 Phase 1 on a Cisco IOS router, an administrator needs to input the command crypto isakmp key cisco address 0.0.0.0. The administrator is not sure what the IP address in this command is used for.
What would be the effect of changing the IP address from 0.0.0.0 to 1.2.3.4?
The key server that is managing the keys for the connection will be at 1.2.3.4
The remote connection will only be allowed from 1.2.3.4
The address that will be used as the crypto validation authority
All IP addresses other than 1.2.3.4 will be allowed
The command crypto isakmp key cisco address 1.2.3.4 authenticates the IP address of the 1.2.3.4 peer by using the key cisco. The address "0.0.0.0" will authenticate any address with this key.
Question 236

Which suspicious pattern enables the Cisco Tetration platform to learn the normal behavior of users?
file access from a different user
interesting file access
user login suspicious behavior
privilege escalation
The various suspicious patterns for which the Cisco Tetration platform looks in the current release are:
+ Shell code execution: Looks for the patterns used by shell code.
+ Privilege escalation: Watches for privilege changes from a lower privilege to a higher privilege in the process lineage tree.
+ Side channel attacks: Cisco Tetration platform watches for cache-timing attacks and page table fault bursts.
Using these, it can detect Meltdown, Spectre, and other cache-timing attacks.
+ Raw socket creation: Creation of a raw socket by a nonstandard process (for example, ping).
+ User login suspicious behavior: Cisco Tetration platform watches user login failures and user login methods.
+ Interesting file access: Cisco Tetration platform can be armed to look at sensitive files.
+ File access from a different user: Cisco Tetration platform learns the normal behavior of which file is accessed by which user.
+ Unseen command: Cisco Tetration platform learns the behavior and set of commands as well as the lineage of each command over time. Any new command or command with a different lineage triggers the interest of the Tetration Analytics platform.
Reference: https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetrationanalytics/whitepaper-c11-740380.html
Question 237

Due to a traffic storm on the network, two interfaces were error-disabled, and both interfaces sent SNMP traps.
Which two actions must be taken to ensure that interfaces are put back into service? (Choose two)
Have Cisco Prime Infrastructure issue an SNMP set command to re-enable the ports after the preconfigured interval.
Use EEM to have the ports return to service automatically in less than 300 seconds.
Enter the shutdown and no shutdown commands on the interfaces.
Enable the snmp-server enable traps command and wait 300 seconds.
Ensure that interfaces are configured with the error-disable detection and recovery feature.
You can also bring up the port by using these commands:
+ The "shutdown" interface configuration command followed by the "no shutdown" interface configuration command restarts the disabled port.
+ The "errdisable recovery cause …" global configuration command enables the timer to automatically recover error-disabled state, and the "errdisable recovery interval interval" global configuration command specifies the time to recover error-disabled state.
Question 238

What is the difference between Cross-site Scripting and SQL Injection attacks?
Cross-site Scripting is an attack where code is injected into a database, whereas SQL Injection is an attack where code is injected into a browser.
Cross-site Scripting is a brute force attack targeting remote sites, whereas SQL Injection is a social engineering attack.
Cross-site Scripting is when executives in a corporation are attacked, whereas SQL Injection is when a database is manipulated.
Cross-site Scripting is an attack where code is executed from the server side, whereas SQL Injection is an attack where code is executed from the client side.
Answer B is not correct because Cross-site Scripting (XSS) is not a brute force attack.
Answer C is not correct because the statement "Cross-site Scripting is when executives in a corporation are attacked" is not true. XSS is a client-side vulnerability that targets other application users.
Answer D is not correct because the statement "Cross-site Scripting is an attack where code is executed from the server side" is not true. In fact, XSS is a method that exploits a website vulnerability by injecting scripts that will run at the client's side.
Therefore only answer A is left. In XSS, an attacker will try to inject his malicious code (usually malicious links) into a database. When other users follow his links, their web browsers are redirected to websites where attackers can steal data from them. In a SQL Injection, an attacker will try to inject SQL code (via his browser) into forms, cookies, or HTTP headers that do not use data sanitizing or validation methods of GET/POST parameters.
Note: The main difference between a SQL and XSS injection attack is that SQL injection attacks are used to steal information from databases whereas XSS attacks are used to redirect users to websites where attackers can steal data from them.
Question 239

A network administrator is configuring a switch to use Cisco ISE for 802.1X. An endpoint is failing authentication and is unable to access the network. Where should the administrator begin troubleshooting to verify the authentication details?
Adaptive Network Control Policy List
Context Visibility
Accounting Reports
RADIUS Live Logs
How To Troubleshoot ISE Failed Authentications & Authorizations
Check the ISE Live Logs
Login to the primary ISE Policy Administration Node (PAN).
Go to Operations > RADIUS > Live Logs
(Optional) If the event is not present in the RADIUS Live Logs, go to Operations > Reports > Reports > Endpoints and Users > RADIUS Authentications.
Check for Any Failed Authentication Attempts in the Log
Reference: https://community.cisco.com/t5/security-documents/how-to-troubleshoot-ise-faile-dauthenticationsamp/ta-p/3630960
Question 240

What is a prerequisite when integrating a Cisco ISE server and an AD domain?
Place the Cisco ISE server and the AD server in the same subnet
Configure a common administrator account
Configure a common DNS server
Synchronize the clocks of the Cisco ISE server and the AD server
The following are the prerequisites to integrate Active Directory with Cisco ISE.
+ Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco ISE server and Active Directory. You can configure NTP settings from Cisco ISE CLI.
+ If your Active Directory structure has multidomain forest or is divided into multiple forests, ensure that trust relationships exist between the domain to which Cisco ISE is connected and the other domains that have user and machine information to which you need access. For more information on establishing trust relationships, refer to Microsoft Active Directory documentation.
+ You must have at least one global catalog server operational and accessible by Cisco ISE, in the domain to which you are joining Cisco ISE.
Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_8DC463597A644A5C9CF5D582B77BB24F
Question