Cisco CCNP Security Core - SCOR 350-701 Official Certification Guide (1).pdf

Full Transcript

From the Library of William Timothy Ray Murray
Companion Website and Pearson Test Prep
Access Code
Access interactive study tools on this book’s companion website, including practice test software,
review exercises, a Key Term flash card application, a study planner, and more!

To access the companion website, simply follow these steps:

1. Go to ciscopress.com/register.

2. Enter the print book ISBN: 9780138221263.

3. Answer the security question to validate your purchase.

4. Go to your account page.

5. Click on the Registered Products tab.

6. Under the book listing, click on the Access Bonus Content link.
When you register your book, your Pearson Test Prep practice test access code will automatically
be populated in your account under the Registered Products tab. You will need this code to access
the practice test that comes with this book. You can redeem the code at PearsonTestPrep.com.
Simply choose Pearson IT Certification as your product group and log in to the site with the same
credentials you used to register your book. Click the Activate New Product button and enter the
access code. More detailed instructions on how to redeem your access code for both the online
and desktop versions can be found on the companion website.

If you have any issues accessing the companion website or obtaining your Pearson
Test Prep practice test access code, you can contact our support team by going to
pearsonitp.echelp.org.

From the Library of William Timothy Ray Murray
This page intentionally left blank

From the Library of William Timothy Ray Murray
 CCNP and
CCIE
Security
Core
SCOR 350-701
Official Cert Guide,
2nd Edition

OMAR SANTOS

Cisco Press
Hoboken, New Jersey

From the Library of William Timothy Ray Murray
iv CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

CCNP and CCIE Security Core
SCOR 350-701 Official Cert Guide,
2nd Edition
Omar Santos

Copyright © 2024 Cisco Systems, Inc.

Published by:
Cisco Press

All rights reserved. This publication is protected by copyright, and permission must be obtained from the
publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form
or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding
permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights &
Permissions Department, please visit www.pearson.com/permissions.

No patent liability is assumed with respect to the use of the information contained herein. Although
every precaution has been taken in the preparation of this book, the publisher and author assume no
responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of
the information contained herein.
$PrintCode
Library of Congress Control Number: 2023914718

ISBN-13: 978-0-13-822126-3
ISBN-10: 0-13-822126-X

Warning and Disclaimer
This book is designed to provide information about the Implementing and Operating Cisco Security Core
Technologies (SCOR 350-701) exam. Every effort has been made to make this book as complete and accu-
rate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The
author and the publisher shall have neither liability nor responsibility to any person or entity with respect
to any loss or damages arising from the information contained in this book or from the use of the supple-
mental online content or programs accompanying it.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropri-
ately capitalized. Cisco Press cannot attest to the accuracy of this information. Use of a term in this book
should not be regarded as affecting the validity of any trademark or service mark.

Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may
include electronic versions; custom cover designs; and content particular to your business, training goals,
marketing focus, or branding interests), please contact our corporate sales department at corpsales@pear-
soned.com or (800) 382-3419.

For government sales inquiries, please contact [email protected].

For questions about sales outside the U.S., please contact [email protected].

From the Library of William Timothy Ray Murray
 v

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book
is crafted with care and precision, undergoing rigorous development that involves the unique expertise of
members from the professional technical community.

Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we
could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us
through email at [email protected]. Please make sure to include the book title and ISBN in your
message.

We greatly appreciate your assistance.

Vice President, IT Professional: Mark Taub Copy Editors: Bart Reed and Chuck Hutchinson

Director, ITP Product Management: Brett Bartow Alliances Manager, Cisco Press: Jaci Featherly;
James Risler

Technical Editor: John Stuppi Executive Editor: James Manly

Designer: Chuti Prasertsith Managing Editor: Sandra Schroeder

Composition: codeMantra Development Editor: Christopher A. Cleveland

Indexer: Erika Millen Senior Project Editor: Mandie Frank

Proofreader: Donna E. Mulder Editorial Assistant: Cindy Teeters

Americas Headquarters Asia Pacific Headquarters Europe Headquarters
Cisco Systems, Inc. Cisco Systems (USA) Pte. Ltd. Cisco Systems International BV Amsterdam,
San Jose, CA Singapore The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks,
go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does
not imply a partnership relationship between Cisco and any other company. (1110R)

Americas Headquarters Asia Pacific Headquarters Europe Headquarters
Cisco Systems, Inc. Cisco Systems (USA) Pte. Ltd. Cisco Systems International BV Amsterdam,
San Jose, CA Singapore The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go
to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (1110R)

From the Library of William Timothy Ray Murray
vi CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

Pearson’s Commitment to Diversity, Equity,
and Inclusion
Pearson is dedicated to creating bias-free content that reflects the diversity of all learners.
We embrace the many dimensions of diversity, including but not limited to race, ethnic-
ity, gender, socioeconomic status, ability, age, sexual orientation, and religious or political
beliefs.

Education is a powerful force for equity and change in our world. It has the potential to
deliver opportunities that improve lives and enable economic mobility. As we work with
authors to create content for every product and service, we acknowledge our responsibil-
ity to demonstrate inclusivity and incorporate diverse scholarship so that everyone can
achieve their potential through learning. As the world’s leading learning company, we have
a duty to help drive change and live up to our purpose to help more people create a
better life for themselves and to create a better world.

Our ambition is to purposefully contribute to a world where

Everyone has an equitable and lifelong opportunity to succeed through learning

Our educational products and services are inclusive and represent the rich diversity
of learners

Our educational content accurately reflects the histories and experiences of the
learners we serve

Our educational content prompts deeper discussions with learners and motivates
them to expand their own learning (and worldview)

While we work hard to present unbiased content, we want to hear from you about any
concerns or needs with this Pearson product so that we can investigate and address them.

Please contact us with concerns about any potential bias at https://www.pearson.com/
report-bias.html.

From the Library of William Timothy Ray Murray
 vii

Credits
Figure 1-4: United States Department of Defense

Figure 1-6: Webgoat SQL Injection

Figure 1-1, Figure 1-2: OffSec Services Limited

Figure 3-27-Figure 3-30: Python Software Foundation

Figure 9-11: Amazon Web Services

Figure 9-14-Figure 9-16: Docker Inc

Figure 9-19-Figure 9-21: Google Inc

Figure 10-2: Apple Inc

From the Library of William Timothy Ray Murray
viii CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

About the Author
Omar Santos is a cybersecurity thought leader with a passion for driving industry-wide
initiatives to enhance the security of critical infrastructures. Omar is the lead of the
DEF CON Red Team Village, the chair of the Common Security Advisory Framework
(CSAF) technical committee, and board member of the OASIS Open standards
organization. Omar’s collaborative efforts extend to numerous organizations, including
the Forum of Incident Response and Security Teams (FIRST) and the Industry Consor-
tium for Advancement of Security on the Internet (ICASI).

Omar is a renowned expert in ethical hacking, vulnerability research, incident response,
and AI security. He employs his deep understanding of these disciplines to help orga-
nizations stay ahead of emerging threats. His dedication to cybersecurity has made a
significant impact on businesses, academic institutions, law enforcement agencies, and
other entities striving to bolster their security measures. Omar is currently leading several
Artificial Intelligence (AI) security research efforts at the Cisco Security and Trust
Organization (STO).

With over twenty books, video courses, white papers, and technical articles under his
belt, Omar’s expertise is widely recognized and respected. As a principal engineer at
Cisco’s Product Security Incident Response Team (PSIRT), Omar not only leads engineers
and incident managers in investigating and resolving cybersecurity vulnerabilities, but
also actively mentors the next generation of security professionals. You can follow Omar
on Twitter @santosomar.

From the Library of William Timothy Ray Murray
 ix

About the Technical Reviewer
John Stuppi, CCIE No. 11154, is a Technical Leader in the Security & Trust Organization
(S&TO) at Cisco where he consults Cisco customers on protecting their networks against
existing and emerging cyber security threats, risks, and vulnerabilities. Current projects
include working with newly acquired entities to integrate them into Cisco’s PSIRT
Vulnerability Management processes and advising some of Cisco’s most strategic custom-
ers on vulnerability management and risk assessment. John has presented multiple times
on various network security topics at Cisco Live, Black Hat, as well as other customer-
facing cyber security conferences. John is also the co-author of the CCNA Security
210-260 Official Cert Guide published by Cisco Press. Additionally, John has contrib-
uted to the Cisco Security Portal through the publication of white papers, Security Blog
posts, and Cyber Risk Report articles. Prior to joining Cisco, John worked as a network
engineer for JPMorgan and then as a network security engineer at Time, Inc., with both
positions based in New York City. John is also a CISSP (#25525) and holds AWS Cloud
Practitioner and Information Systems Security (INFOSEC) Professional Certifications. In
addition, John has a BSEE from Lehigh University and an MBA from Rutgers University.
John splits his time between Eatontown, New Jersey and Clemson, South Carolina with
his wife, son, daughter, and his dog.

From the Library of William Timothy Ray Murray
x CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

Dedication
I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful
children, Hannah and Derek, who have inspired and supported me throughout the
development of this book.

From the Library of William Timothy Ray Murray
 xi

Acknowledgments
I would like to thank the technical editor and my good friend, John Stuppi, for his time
and technical expertise.

I would like to thank the Cisco Press team, especially James Manly and Christopher
Cleveland, for their patience, guidance, and consideration.

Finally, I would like to thank Cisco and the Cisco Product Security Incident Response
Team (PSIRT), Security and Trust Organization for enabling me to constantly learn and
achieve many goals throughout all these years.

From the Library of William Timothy Ray Murray
xii CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

Contents at a Glance
Introduction xxxi

Chapter 1 Cybersecurity Fundamentals 2

Chapter 2 Cryptography 80

Chapter 3 Software-Defined Networking Security and Network
Programmability 110

Chapter 4 Authentication, Authorization, Accounting (AAA) and Identity
Management 156

Chapter 5 Network Visibility and Segmentation 232

Chapter 6 Infrastructure Security 316

Chapter 7 Cisco Secure Firewall 410

Chapter 8 Virtual Private Networks (VPNs) 490

Chapter 9 Securing the Cloud 578

Chapter 10 Content Security 638

Chapter 11 Endpoint Protection and Detection 672

Chapter 12 Final Preparation 696

Chapter 13 CCNP and CCIE Security Core SCOR (350-701) Exam Updates 698

Appendix A Answers to the “Do I Know This Already?” Quizzes and Q&A
Sections 702

Glossary 714

Index 732

Online Element

Appendix B Study Planner

From the Library of William Timothy Ray Murray
 xiii

Contents
Introduction xxxi

Chapter 1 Cybersecurity Fundamentals 2
“Do I Know This Already?” Quiz 3
Foundation Topics 6
Introduction to Cybersecurity 6
Cybersecurity vs. Information Security (InfoSec) 6
The NIST Cybersecurity Framework 7
Additional NIST Guidance and Documents 7
The International Organization for Standardization (ISO) 8
Defining What Are Threats, Vulnerabilities, and Exploits 8
What Is a Threat? 8
What Is a Vulnerability? 9
What Is an Exploit? 10
Risk, Assets, Threats, and Vulnerabilities 12
Defining Threat Actors 13
Understanding What Threat Intelligence Is 14
Viruses and Worms 16
Types and Transmission Methods 16
Malware Payloads 17
Trojans 18
Trojan Types 18
Trojan Ports and Communication Methods 19
Trojan Goals 20
Trojan Infection Mechanisms 21
Effects of Trojans 22
Distributing Malware 22
Ransomware 23
Covert Communication 24
Keyloggers 26
Spyware 27
Analyzing Malware 28
Static Analysis 28
Dynamic Analysis 29

From the Library of William Timothy Ray Murray
xiv CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

Common Software and Hardware Vulnerabilities 31
Injection Vulnerabilities 31
SQL Injection 31
HTML Injection 33
Command Injection 33
Authentication-based Vulnerabilities 33
Credential Brute-Force Attacks and Password Cracking 34
Session Hijacking 35
Default Credentials 35
Insecure Direct Object Reference Vulnerabilities 35
Cross-site Scripting (XSS) 36
Cross-site Request Forgery 38
Server-side Request Forgery 38
Cookie Manipulation Attacks 39
Race Conditions 39
Unprotected APIs 39
Typical Attacks Against Artificial Intelligence (AI) and Machine
Learning 40
Return-to-LibC Attacks and Buffer Overflows 41
OWASP Top 10 42
Security Vulnerabilities in Open-Source Software 42
Confidentiality, Integrity, and Availability 43
What Is Confidentiality? 43
What Is Integrity? 45
What Is Availability? 46
Talking About Availability, What Is a Denial-of-Service (DoS) Attack? 46
Access Control Management 48
Cloud Security Threats 50
Cloud Computing Issues and Concerns 51
Cloud Computing Attacks 53
Cloud Computing Security 53
IoT Security Threats 54
IoT Protocols 56
Hacking IoT Implementations 57
An Introduction to Digital Forensics and Incident Response 58
ISO/IEC 27002:2013 and NIST Incident Response Guidance 58
What Is an Incident? 59

From the Library of William Timothy Ray Murray
 Contents xv

False Positives, False Negatives, True Positives, and True Negatives 60
Incident Severity Levels 60
How Are Incidents Reported? 61
What Is an Incident Response Program? 62
The Incident Response Plan 62
The Incident Response Process 63
Tabletop Exercises and Playbooks 65
Information Sharing and Coordination 66
Computer Security Incident Response Teams 67
Product Security Incident Response Teams (PSIRTs) 69
The Common Vulnerability Scoring System (CVSS) 69
The Stakeholder-Specific Vulnerability Categorization (SSVC) 73
National CSIRTs and Computer Emergency Response Teams (CERTs) 74
Coordination Centers 74
Incident Response Providers and Managed Security Service Providers
(MSSPs) 75
Key Incident Management Personnel 75
Summary 76
Exam Preparation Tasks 76
Review All Key Topics 76
Define Key Terms 78
Review Questions 78

Chapter 2 Cryptography 80
“Do I Know This Already?” Quiz 80
Foundation Topics 82
Introduction to Cryptography 82
Ciphers 82
Keys 83
Block and Stream Ciphers 84
Symmetric and Asymmetric Algorithms 84
Hashes 86
Hashed Message Authentication Code 89
Digital Signatures 90
Key Management 92
Next-Generation Encryption Protocols 92
IPsec 93

From the Library of William Timothy Ray Murray
xvi CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

Post-Quantum Cryptography 93
SSL and TLS 95
Fundamentals of PKI 97
Public and Private Key Pairs 97
More About Keys and Digital Certificates 97
Certificate Authorities 98
Root Certificates 99
Identity Certificates 101
X.500 and X.509v3 101
Authenticating and Enrolling with the CA 102
Public Key Cryptography Standards 103
Simple Certificate Enrollment Protocol 103
Revoking Digital Certificates 103
Digital Certificates in Practice 104
PKI Topologies 105
Single Root CA 105
Hierarchical CA with Subordinate CAs 105
Cross-Certifying CAs 106
Exam Preparation Tasks 106
Review All Key Topics 106
Define Key Terms 107
Review Questions 107

Chapter 3 Software-Defined Networking Security and Network
Programmability 110
“Do I Know This Already?” Quiz 110
Foundation Topics 112
Software-Defined Networking (SDN) and SDN Security 112
Traditional Networking Planes 113
So What’s Different with SDN? 114
Introduction to the Cisco ACI Solution 114
VXLAN and Network Overlays 116
Micro-Segmentation 118
Open-Source Initiatives 120
More About Network Function Virtualization 121
NFV MANO 123
Contiv 123

From the Library of William Timothy Ray Murray
 Contents xvii

ThousandEyes Integration 124
Cisco Digital Network Architecture (DNA) 125
Cisco DNA Policies 127
Cisco DNA Group-Based Access Control Policy 129
Cisco DNA IP-Based Access Control Policy 131
Cisco DNA Application Policies 131
Cisco DNA Traffic Copy Policy 132
Cisco DNA Center Assurance Solution 133
Cisco DNA Center APIs 135
Cisco DNA Security Solution 135
Cisco DNA Multivendor Support 136
Introduction to Network Programmability 136
Modern Programming Languages and Tools 137
DevNet 140
Getting Started with APIs 140
REST APIs 141
Using Network Device APIs 145
YANG Models 145
NETCONF 147
RESTCONF 149
OpenConfig and gNMI 151
Exam Preparation Tasks 151
Review All Key Topics 151
Define Key Terms 152
Review Questions 152

Chapter 4 Authentication, Authorization, Accounting (AAA) and Identity
Management 156
“Do I Know This Already?” Quiz 157
Foundation Topics 160
Introduction to Authentication, Authorization, and Accounting 160
The Principle of Least Privilege and Separation of Duties 161
Authentication 162
Authentication by Knowledge 162
Authentication by Ownership or Possession 164
Authentication by Characteristic 164
Multifactor Authentication 165

From the Library of William Timothy Ray Murray
xviii CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

Duo Security 166
Zero Trust and BeyondCorp 169
Single Sign-On 171
JWT 173
SSO and Federated Identity Elements 174
Authorization 177
Mandatory Access Control (MAC) 177
Discretionary Access Control (DAC) 178
Role-Based Access Control (RBAC) 178
Rule-Based Access Control 178
Attribute-Based Access Control 179
Accounting 179
Infrastructure Access Controls 179
Access Control Mechanisms 179
AAA Protocols 182
RADIUS 182
TACACS+ 184
Diameter 186
802.1X 188
Network Access Control List and Firewalling 190
VLAN ACLs 191
Security Group–Based ACL 191
Downloadable ACL 191
Cisco Identity Services Engine (ISE) 192
Cisco Platform Exchange Grid (pxGrid) 193
Cisco ISE Context and Identity Services 195
Cisco ISE Profiling Services 195
Cisco ISE Identity Services 198
Cisco ISE Authorization Rules 199
Cisco TrustSec 201
Posture Assessment 203
Change of Authorization (CoA) 204
Configuring TACACS+ Access 207
Configuring RADIUS Authentication 213
Configuring 802.1X Authentication 215
Additional Cisco ISE Design Tips 222

From the Library of William Timothy Ray Murray
 Contents xix

Advice on Sizing a Cisco ISE Distributed Deployment 224
Exam Preparation Tasks 225
Review All Key Topics 225
Define Key Terms 226
Review Questions 227

Chapter 5 Network Visibility and Segmentation 232
“Do I Know This Already?” Quiz 233
Foundation Topics 236
Introduction to Network Visibility 236
NetFlow 237
The Network as a Sensor and as an Enforcer 238
What Is a Flow? 238
NetFlow for Network Security and Visibility 241
NetFlow for Anomaly Detection and DDoS Attack Mitigation 241
Data Leak Detection and Prevention 243
Incident Response, Threat Hunting, and Network Security Forensics 243
Traffic Engineering and Network Planning 248
NetFlow Versions 249
IP Flow Information Export (IPFIX) 249
IPFIX Architecture 251
Understanding IPFIX Mediators 251
IPFIX Templates 252
Option Templates 253
Understanding the Stream Control Transmission Protocol (SCTP) 254
Exploring Application Visibility and Control and NetFlow 254
Application Recognition 254
Metrics Collection and Exporting 255
NetFlow Deployment Scenarios 255
NetFlow Deployment Scenario: User Access Layer 256
NetFlow Deployment Scenario: Wireless LAN 256
NetFlow Deployment Scenario: Internet Edge 258
NetFlow Deployment Scenario: Data Center 259
NetFlow Deployment Scenario: NetFlow in Site-to-Site
and Remote VPNs 261
Cisco Secure Network Analytics and Cisco Secure Cloud Analytics 263
Cisco Secure Cloud Analytics 264

From the Library of William Timothy Ray Murray
xx CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

On-Premises Monitoring with Cisco Secure Cloud Analytics 267
Cisco Secure Cloud Analytics Integration with Meraki and Cisco
Umbrella 268
Exploring the Cisco Secure Network Analytics Dashboard 268
Threat Hunting with Cisco Secure Network Analytics 270
Cisco Cognitive Intelligence and Cisco Encrypted Traffic
Analytics (ETA) 274
What Is Cisco ETA? 274
What Is Cisco Cognitive Intelligence? 274
NetFlow Collection Considerations and Best Practices 279
Determining the Flows per Second and Scalability 280
Configuring NetFlow in Cisco IOS and Cisco IOS-XE 280
Simultaneous Application Tracking 281
Flexible NetFlow Records 282
Flexible NetFlow Key Fields 282
Flexible NetFlow Non-Key Fields 284
NetFlow Predefined Records 285
User-Defined Records 286
Flow Monitors 286
Flow Exporters 286
Flow Samplers 286
Flexible NetFlow Configuration 286
Configure a Flow Record 287
Configure a Flow Monitor for IPv4 or IPv6 289
Configure a Flow Exporter for the Flow Monitor 291
Apply a Flow Monitor to an Interface 293
Flexible NetFlow IPFIX Export Format 294
Configuring NetFlow in NX-OS 295
Introduction to Network Segmentation 296
Data-Driven Segmentation 297
Application-Based Segmentation 299
Micro-Segmentation with Cisco ACI 301
Segmentation with Cisco ISE 302
The Scalable Group Tag Exchange Protocol (SXP) 303
SGT Assignment and Deployment 306
Initially Deploying 802.1X and/or TrustSec in Monitor Mode 306
Active Policy Enforcement 306
Cisco ISE TrustSec and Cisco ACI Integration 310

From the Library of William Timothy Ray Murray
 Contents xxi

Exam Preparation Tasks 312
Review All Key Topics 312
Define Key Terms 313
Review Questions 314

Chapter 6 Infrastructure Security 316
“Do I Know This Already?” Quiz 317
Foundation Topics 320
Securing Layer 2 Technologies 320
VLAN and Trunking Fundamentals 320
What Is a VLAN? 321
Trunking with 802.1Q 323
Let’s Follow the Frame, Step by Step 325
What Is the Native VLAN on a Trunk? 326
So, What Do You Want to Be? (Asks the Port) 326
Understanding Inter-VLAN Routing 326
What Is the Challenge of Only Using Physical Interfaces? 326
Using Virtual “Sub” Interfaces 326
Spanning Tree Fundamentals 328
The Solution to the Layer 2 Loop 328
STP Is Wary of New Ports 331
Improving the Time Until Forwarding 332
Common Layer 2 Threats and How to Mitigate Them 333
Do Not Allow Negotiations 334
Layer 2 Security Toolkit 334
BPDU Guard 335
Root Guard 336
Port Security 336
CDP and LLDP 338
DHCP Snooping 339
Dynamic ARP Inspection 341
Network Foundation Protection 343
The Importance of the Network Infrastructure 343
The Network Foundation Protection Framework 344
Interdependence 344
Implementing NFP 344

From the Library of William Timothy Ray Murray
xxii CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

Understanding and Securing the Management Plane 345
Best Practices for Securing the Management Plane 345
Understanding the Control Plane 347
Best Practices for Securing the Control Plane 347
Understanding and Securing the Data Plane 348
Best Practices for Protecting the Data Plane 349
Additional Data Plane Protection Mechanisms 349
Securing Management Traffic 350
What Is Management Traffic and the Management Plane? 350
NETCONF and RESTCONF vs. SNMP 350
Beyond the Console Cable 353
Management Plane Best Practices 354
Password Recommendations 356
Using AAA to Verify Users 357
Router Access Authentication 357
The AAA Method List 358
Role-Based Access Control 359
Custom Privilege Levels 359
Limiting the Administrator by Assigning a View 359
Encrypted Management Protocols 359
Using Logging Files 360
Understanding NTP 361
Protecting Cisco IOS, Cisco IOS-XE, Cisco IOS-XR, and Cisco NX-OS
Files 362
Implementing Security Measures to Protect the Management Plane 362
Implementing Strong Passwords 362
User Authentication with AAA 364
Using the CLI to Troubleshoot AAA for Cisco Routers 369
RBAC Privilege Level/Parser View 371
Implementing Parser Views 374
SSH and HTTPS 375
Implementing Logging Features 378
Configuring Syslog Support 378
Configuring NTP 379
Securing the Network Infrastructure Device Image and Configuration
Files 380
Securing the Data Plane in IPv6 381

From the Library of William Timothy Ray Murray
 Contents xxiii

Understanding and Configuring IPv6 381
The Format of an IPv6 Address 383
Understanding the Shortcuts 383
Did We Get an Extra Address? 383
IPv6 Address Types 384
Configuring IPv6 Routing 386
Moving to IPv6 388
Developing a Security Plan for IPv6 388
Best Practices Common to Both IPv4 and IPv6 388
Threats Common to Both IPv4 and IPv6 389
The Focus on IPv6 Security 390
New Potential Risks with IPv6 391
IPv6 Best Practices 393
IPv6 Access Control Lists 394
Securing Routing Protocols and the Control Plane 395
Minimizing the Impact of Control Plane Traffic on the CPU 395
Details about CoPP 397
Details about CPPr 399
Securing Routing Protocols 399
Implementing Routing Update Authentication on OSPF 400
Implementing Routing Update Authentication on EIGRP 401
Implementing Routing Update Authentication on RIP 401
Implementing Routing Update Authentication on BGP 402
Exam Preparation Tasks 404
Review All Key Topics 404
Define Key Terms 405
Review Questions 405

Chapter 7 Cisco Secure Firewall 410
“Do I Know This Already?” Quiz 410
Foundation Topics 413
Introduction to Cisco Secure Firewall 413
Cisco Firewall History and Legacy 413
Introducing the Cisco ASA 414
The Cisco ASA FirePOWER Module 414
Cisco Secure Firewall: Formerly known as Cisco Firepower Threat Defense
(FTD) 415

From the Library of William Timothy Ray Murray
xxiv CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

Cisco Secure Firewall 415
Cisco Secure Firewall Migration Tool 415
Cisco Secure Firewall Threat Defense Virtual 416
Cisco Secure Firewall Cloud Native 417
Cisco Secure Firewall ISA3000 418
Cisco Secure WAF and Bot Protection 419
SD-WAN, Firewall Capabilities, and the Cisco Integrated Services Routers
(ISRs) 419
Introduction to Cisco Secure Intrusion Prevention (NGIPS) 421
Surveying the Cisco Secure Firewall Management Center (FMC) 423
Cisco SecureX 426
Exploring the Cisco Firepower Device Manager (FDM) 429
Cisco Defense Orchestrator 433
Comparing Network Security Solutions That Provide Firewall
Capabilities 435
Deployment Modes of Network Security Solutions and Architectures That
Provide Firewall Capabilities 437
Routed vs. Transparent Firewalls 437
Security Contexts 438
Single-Mode Transparent Firewalls 439
Surveying the Cisco Secure Firewall Deployment Modes 441
Cisco Secure Firewall Interface Modes 442
Inline Pair 445
Inline Pair with Tap 445
Passive Mode 446
Passive with ERSPAN Mode 447
Additional Cisco Secure Firewall Deployment Design Considerations 447
High Availability and Clustering 448
Clustering 450
Implementing Access Control 452
Implementing Access Control Lists in Cisco ASA 452
Cisco ASA Application Inspection 458
To-the-Box Traffic Filtering in the Cisco ASA 459
Object Grouping and Other ACL Features 460
Standard ACLs 461
Time-Based ACLs 461
ICMP Filtering in the Cisco ASA 462

From the Library of William Timothy Ray Murray
 Contents xxv

Network Address Translation in Cisco ASA 463
Cisco ASA Auto NAT 469
Implementing Access Control Policies in the Cisco Firepower Threat
Defense 469
Cisco Firepower Intrusion Policies 472
Variables 475
Platform Settings Policy 476
Cisco NGIPS Preprocessors 476
Cisco Secure Malware Defense 478
Security Intelligence, Security Updates, and Keeping Firepower Software Up
to Date 483
Security Intelligence Updates 484
Keeping Software Up to Date 484
Exam Preparation Tasks 484
Review All Key Topics 485
Define Key Terms 486
Review Questions 486

Chapter 8 Virtual Private Networks (VPNs) 490
“Do I Know This Already?” Quiz 490
Foundation Topics 494
Virtual Private Network (VPN) Fundamentals 494
An Overview of IPsec 496
IKEv1 Phase 1 496
IKEv1 Phase 2 498
NAT Traversal (NAT-T) 501
IKEv2 501
SSL VPNs 503
Cisco Secure Client Mobility 504
Deploying and Configuring Site-to-Site VPNs in Cisco Routers 506
Traditional Site-to-Site VPNs in Cisco IOS and Cisco IOS-XE Devices 506
Tunnel Interfaces 508
GRE over IPsec 508
More About Tunnel Interfaces 510
Multipoint GRE (mGRE) Tunnels 512
DMVPN 512
GETVPN 515
FlexVPN 518

From the Library of William Timothy Ray Murray
xxvi CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

Debug and Show Commands to Verify and Troubleshoot IPsec
Tunnels 522
Configuring Site-to-Site VPNs in Cisco ASA Firewalls 528
Step 1: Enable ISAKMP in the Cisco ASA 529
Step 2: Create the ISAKMP Policy 529
Step 3: Set Up the Tunnel Groups 530
Step 4: Define the IPsec Policy 531
Step 5: Create the Crypto Map in the Cisco ASA 532
Step 6: Configure Traffic Filtering (Optional) 534
Step 7: Bypass NAT (Optional) 534
Step 8: Enable Perfect Forward Secrecy (Optional) 535
Additional Attributes in Cisco Site-to-Site VPN Configurations 535
Configuring Remote-Access VPNs in the Cisco ASA 537
Configuring IPsec Remote-Access VPN in the Cisco ASA 538
Configuring Clientless Remote Access SSL VPNs in the Cisco ASA 540
Cisco ASA Remote-Access VPN Design Considerations 541
Pre-SSL VPN Configuration Steps 542
Understanding the Remote-Access VPN Attributes and Policy Inheritance
Model 544
Configuring Clientless SSL VPN Group Policies 544
Configuring the Tunnel Group for Clientless SSL VPN 545
Configuring User Authentication for Clientless SSL VPN 546
Enabling Clientless SSL VPN 548
Configuring WebType ACLs 549
Configuring Application Access in Clientless SSL VPNs 550
Configuring Client-Based Remote-Access SSL VPNs in the Cisco ASA 551
Setting Up Tunnel and Group Policies 552
Deploying the Cisco Secure Client 553
Understanding Split Tunneling 554
Understanding DTLS 555
Configuring Remote-Access VPNs in Cisco Secure Firewall 556
Using the Remote Access VPN Policy Wizard 557
Troubleshooting Cisco Secure Firewall Remote-Access VPN
Implementations 566
Configuring Site-to-Site VPNs in the Cisco Secure Firewall 567
Cisco SD-WAN 569

From the Library of William Timothy Ray Murray
 Contents xxvii

Exam Preparation Tasks 573
Review All Key Topics 573
Define Key Terms 574
Review Questions 575

Chapter 9 Securing the Cloud 578
“Do I Know This Already?” Quiz 579
Foundation Topics 581
What Is Cloud and What Are the Cloud Service Models? 581
DevOps, Continuous Integration (CI), Continuous Delivery (CD), and
DevSecOps 583
The Waterfall Development Methodology 583
The Agile Methodology 583
DevOps 586
CI/CD Pipelines 588
The Serverless Buzzword 589
Container Orchestration 592
A Quick Introduction to Containers and Docker 592
Kubernetes 597
Microservices and Micro-Segmentation 602
DevSecOps 603
Describing the Customer vs. Provider Security Responsibility for the Different
Cloud Service Models 605
Patch Management in the Cloud 607
Security Assessment in the Cloud and Questions to Ask Your Cloud
Service Provider 607
Cisco Umbrella 608
The Cisco Umbrella Architecture 609
Secure Internet Gateway 610
Cisco Umbrella Investigate 612
Cisco Secure Email Threat Defense 614
Forged Email Detection 614
Sender Policy Framework 615
Email Encryption 615
Cisco Secure Email Threat Defense for Office 365 615
Cisco Attack Surface Management (Formerly Cisco Secure Cloud
Insights) 616
Cisco Secure Cloud Analytics 618

From the Library of William Timothy Ray Murray
xxviii CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

AppDynamics Cloud Monitoring 619
Cisco Secure Workload 622
Cisco Secure Workload Agents 622
Application Dependency Mapping 622
Cisco Secure Workload Forensics Feature 623
Cisco Secure Workload Security Dashboard 623
Cisco XDR 627
Introducing the XDR Concept 627
Exploring the Cisco XDR Solution 628
Cisco XDR Threat Intelligence and Automation 632
Exam Preparation Tasks 632
Review All Key Topics 633
Define Key Terms 634
Review Questions 634

Chapter 10 Content Security 638
“Do I Know This Already?” Quiz 638
Foundation Topics 641
Content Security Fundamentals 641
Cisco Async Operating System (AsyncOS) 642
Cisco Secure Web Appliance 642
The Cisco Secure Web Appliance Proxy 643
Cisco Secure Web Appliance in Explicit Forward Mode 644
Cisco Secure Web Appliance in Transparent Mode 646
Configuring WCCP in a Cisco ASA to Redirect Web Traffic to a Cisco
Secure Web Appliance 647
Configuring WCCP on a Cisco Switch 649
Configuring the Cisco Secure Web Appliance to Accept WCCP
Redirection 650
Traffic Redirection with Policy-Based Routing 651
Cisco Secure Web Appliance Security Services 652
Deploying Web Proxy IP Spoofing 653
Configuring Policies in the Cisco Secure Web Appliance 653
Cisco Secure Web Appliance Reports 655
Cisco Secure Email 658
Reviewing a Few Email Concepts 658
Cisco Secure Email Deployment 659

From the Library of William Timothy Ray Murray
 Contents xxix

Cisco Secure Email Listeners 660
SenderBase 660
The Recipient Access Table (RAT) 661
Cisco Secure Email Data Loss Prevention 661
SMTP Authentication and Encryption 661
Domain Keys Identified Mail (DKIM) 662
Cisco Content Security Management Appliance (SMA) 662
Exam Preparation Tasks 667
Review All Key Topics 668
Define Key Terms 668
Review Questions 669

Chapter 11 Endpoint Protection and Detection 672
“Do I Know This Already?” Quiz 672
Foundation Topics 674
Introduction to Endpoint Protection and Detection 674
Endpoint Threat Detection and Response (ETDR) and Endpoint Detection
and Response (EDR) 676
Cisco Secure Endpoint 676
Outbreak Control 677
IP Blacklists and Whitelists 681
Cisco Secure Endpoint Application Control 683
Exclusion Sets 684
Cisco Secure Endpoint Connectors 687
Cisco Secure Endpoint Policies 687
Cisco Secure Client AMP Enabler 688
Cisco Secure Endpoint Engines 689
Cisco Secure Endpoint Reporting 690
Cisco Threat Response 693
Exam Preparation Tasks 693
Review All Key Topics 693
Define Key Terms 694
Review Questions 694

Chapter 12 Final Preparation 696
Hands-on Activities 696
Suggested Plan for Final Review and Study 696
Summary 697

From the Library of William Timothy Ray Murray
xxx CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

Chapter 13 CCNP and CCIE Security Core SCOR (350-701) Exam Updates 698
The Purpose of This Chapter 698
About Possible Exam Updates 698
Impact on You and Your Study Plan 699
News about the Next Exam Release 700
Updated Technical Content 700

Appendix A Answers to the “Do I Know This Already?” Quizzes and Q&A
Sections 702

Glossary 714

Index 732

Online Element
Appendix B Study Planner

From the Library of William Timothy Ray Murray
 xxxi

Introduction
The Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) exam
is the required “core” exam for the CCNP Security and CCIE Security certifications. If you
pass the SCOR 350-701 exam, you also obtain the Cisco Certified Specialist–Security
Core Certification. This exam covers core security technologies, including cybersecurity
fundamentals, network security, cloud security, identity management, secure network
access, endpoint protection and detection, and visibility and enforcement.

The Implementing and Operating Cisco Security Core Technologies (SCOR 350-701) is a
120-minute exam.

TIP You can review the exam blueprint from Cisco’s website at https://learningnetwork.
cisco.com/s/scor-exam-topics.

This book gives you the foundation and covers the topics necessary to start your CCNP
Security or CCIE Security journey.

The CCNP Security Certification
The CCNP Security certification is one of the industry’s most respected certifications.
In order for you to earn the CCNP Security certification, you must pass two exams: the
SCOR exam covered in this book (which covers core security technologies) and one secu-
rity concentration exam of your choice, so you can customize your certification to your
technical area of focus.

TIP The SCOR core exam is also the qualifying exam for the CCIE Security certification.
Passing this exam is the first step toward earning both of these certifications.

The following are the CCNP Security concentration exams:

Securing Networks with Cisco Firepower (SNCF 300-710)

Implementing and Configuring Cisco Identity Services Engine (SISE 300-715)

Securing Email with Cisco Email Security Appliance (SESA 300-720)

Securing the Web with Cisco Web Security Appliance (SWSA 300-725)

Implementing Secure Solutions with Virtual Private Networks (SVPN 300-730)

Automating Cisco Security Solutions (SAUTO 300-735)

TIP CCNP Security now includes automation and programmability to help you scale
your security infrastructure. If you pass the Developing Applications Using Cisco Core
Platforms and APIs v1.0 (DEVCOR 350-901) exam, the SCOR exam, and the Automating
Cisco Security Solutions (SAUTO 300-735) exam, you will achieve the CCNP Security and
DevNet Professional certifications with only three exams. Every exam earns an individual
Specialist certification, allowing you to get recognized for each of your accomplishments,
instead of waiting until you pass all the exams.

From the Library of William Timothy Ray Murray
xxxii CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

There are no formal prerequisites for CCNP Security. In other words, you do not have to
pass the CCNA Security or any other certifications in order to take CCNP-level exams.
The same goes for the CCIE exams. On the other hand, CCNP candidates often have
three to five years of experience in IT and cybersecurity.
Cisco considers ideal candidates to be those that possess the following:

Knowledge of implementing and operating core security technologies

Understanding of cloud security

Hands-on experience with Cisco Secure Firewalls, intrusion prevention systems
(IPSs), and other network infrastructure devices

Understanding of content security, endpoint protection and detection, and secure
network access, visibility, and enforcement

Understanding of cybersecurity concepts with hands-on experience in implementing
security controls

The CCIE Security Certification
The CCIE Security certification is one of the most admired and elite certifications in the
industry. The CCIE Security program prepares you to be a recognized technical leader.
In order to earn the CCIE Security certification, you must pass the SCOR 350-701 exam
and an 8-hour, hands-on lab exam. The lab exam covers very complex network security
scenarios. These scenarios range from designing through deploying, operating, and
optimizing security solutions.
Cisco considers ideal candidates to be those who possess the following:

Extensive hands-on experience with Cisco’s security portfolio

Experience deploying Cisco Secure Firewalls and IPS devices

Experience with cloud security solutions

Deep understanding of secure connectivity and segmentation solutions

Hands-on experience with infrastructure device hardening and infrastructure
security

Configuring and troubleshooting identity management, information exchange, and
access control

Deep understanding of advanced threat protection and content security

The Exam Objectives (Domains)
The Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)
exam is broken down into six major domains. The contents of this book cover each of the
domains and the subtopics included in them, as illustrated in the following descriptions.

From the Library of William Timothy Ray Murray
 The Exam Objectives (Domains) xxxiii

The following table breaks down each of the domains represented in the exam.

Domain Percentage of Representation in
Exam
1: Security Concepts 25%
2: Network Security 20%
3: Securing the Cloud 15%
4: Content Security 15%
5: Endpoint Protection and Detection 10%
6: Secure Network Access, Visibility, and 15%
Enforcement
Total 100%

Here are the details of each domain:

Domain 1: Monitoring and Reporting: This domain is covered in Chapters 1, 2, 3, and 8.

1.1 Explain common threats against on-premises and cloud environments
1.1.a On-premises: viruses, trojans, DoS/DDoS attacks, phishing, rootkits,
man-in-the-middle attacks, SQL injection, cross-site scripting, malware
1.1.b Cloud: data breaches, insecure APIs, DoS/DDoS, compromised credentials
1.2 Compare common security vulnerabilities such as software bugs, weak and/or hard-
coded passwords, SQL injection, missing encryption, buffer overflow, path traversal,
cross-site scripting/forgery
1.3 Describe functions of the cryptography components such as hashing, encryp-
tion, PKI, SSL, IPsec, NAT-T IPv4 for IPsec, pre-shared key, and certificate-based
authorization
1.4 Compare site-to-site VPN and remote access VPN deployment types such as sVTI,
IPsec, Cryptomap, DMVPN, FLEXVPN, including high availability considerations,
and AnyConnect
1.5 Describe security intelligence authoring, sharing, and consumption
1.6 Explain the role of the endpoint in protecting humans from phishing and social
engineering attacks
1.7 Explain northbound and southbound APIs in the SDN architecture
1.8 Explain DNAC APIs for network provisioning, optimization, monitoring, and
troubleshooting
1.9 Interpret basic Python scripts used to call Cisco Security appliances APIs
Domain 2: Network Security: This domain is covered primarily in Chapters 5, 6, and 7.
2.1 Compare network security solutions that provide intrusion prevention and firewall
capabilities
2.2 Describe deployment models of network security solutions and architectures that
provide intrusion prevention and firewall capabilities
2.3 Describe the components, capabilities, and benefits of NetFlow and Flexible
NetFlow records

From the Library of William Timothy Ray Murray
xxxiv CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

2.4 Configure and verify network infrastructure security methods (router, switch,
wireless)
2.4.a Layer 2 methods (network segmentation using VLANs; Layer 2 and port
security; DHCP snooping; Dynamic ARP inspection; storm control;
PVLANs to segregate network traffic; and defenses against MAC, ARP,
VLAN hopping, STP, and DHCP rogue attacks)
2.4.b Device hardening of network infrastructure security devices (control plane,
data plane, and management plane)
2.5 Implement segmentation, access control policies, AVC, URL filtering, and malware
protection
2.6 Implement management options for network security solutions such as intrusion
prevention and perimeter security (single vs. multidevice manager, in-band vs. out-of-
band, CDP, DNS, SCP, SFTP, and DHCP security and risks)
2.7 Configure AAA for device and network access (authentication and authorization,
TACACS+, RADIUS and RADIUS flows, accounting, and dACL)
2.8 Configure secure network management of perimeter security and infrastructure
devices such as SNMPv3, NETCONF, RESTCONF, APIs, secure syslog, and NTP
with authentication
2.9 Configure and verify site-to-site VPN and remote access VPN
2.9.a Site-to-site VPN utilizing Cisco routers and IOS
2.9.b Remote-access VPN using Cisco AnyConnect Secure Mobility client
2.9.c Debug commands to view IPsec tunnel establishment and troubleshooting
Domain 3: Securing the Cloud: This domain is covered primarily in Chapter 9.
3.1 Identify security solutions for cloud environments
3.1.a Public, private, hybrid, and community clouds
3.1.b Cloud service models: SaaS, PaaS, and IaaS (NIST 800-145)
3.2 Compare the customer vs. provider security responsibility for the different cloud
service models
3.2.a Patch management in the cloud
3.2.b Security assessment in the cloud
3.2.c Cloud-delivered security solutions such as firewall, management, proxy,
security intelligence, and CASB
3.3 Describe the concept of DevSecOps (CI/CD pipeline, container orchestration, and
security)
3.4 Implement application and data security in cloud environments
3.5 Identify security capabilities, deployment models, and policy management to secure
the cloud
3.6 Configure cloud logging and monitoring methodologies
3.7 Describe application and workload security concepts

From the Library of William Timothy Ray Murray
 The Exam Objectives (Domains) xxxv

Domain 4: Content Security: This domain is covered primarily in Chapter 10.
4.1 Implement traffic redirection and capture methods
4.2 Describe web proxy identity and authentication, including transparent user
identification
4.3 Compare the components, capabilities, and benefits of local and cloud-based email
and web solutions (ESA, CES, WSA)
4.4 Configure and verify web and email security deployment methods to protect on-
premises and remote users (inbound and outbound controls and policy management)
4.5 Configure and verify email security features such as SPAM filtering, antimalware
filtering, DLP, blacklisting, and email encryption
4.6 Configure and verify secure Internet gateway and web security features such as
blacklisting, URL filtering, malware scanning, URL categorization, web application
filtering, and TLS decryption
4.7 Describe the components, capabilities, and benefits of Cisco Umbrella
4.8 Configure and verify web security controls on Cisco Umbrella (identities, URL
content settings, destination lists, and reporting)
Domain 5: Endpoint Protection and Detection: This domain is covered primarily in
Chapter 11.

5.1 Compare Endpoint Protection Platforms (EPPs) and Endpoint Detection & Response
(EDR) solutions
5.2 Explain antimalware, retrospective security, Indicator of Compromise (IOC),
antivirus, dynamic file analysis, and endpoint-sourced telemetry
5.3 Configure and verify outbreak control and quarantines to limit infection
5.4 Describe justifications for endpoint-based security
5.5 Describe the value of endpoint device management and asset inventory such as
MDM
5.6 Describe the uses and importance of a multifactor authentication (MFA) strategy
5.7 Describe endpoint posture assessment solutions to ensure endpoint security
5.8 Explain the importance of an endpoint patching strategy
Domain 6: Secure Network Access, Visibility, and Enforcement: This domain is covered
primarily in Chapters 4 and 5.
6.1 Describe identity management and secure network access concepts such as guest
services, profiling, posture assessment, and BYOD
6.2 Configure and verify network access device functionality such as 802.1X, MAB, and
WebAuth
6.3 Describe network access with CoA
6.4 Describe the benefits of device compliance and application control
6.5 Explain exfiltration techniques (DNS tunneling, HTTPS, email, FTP/SSH/SCP/SFTP,
ICMP, Messenger, IRC, and NTP)

From the Library of William Timothy Ray Murray
xxxvi CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

6.6 Describe the benefits of network telemetry
6.7 Describe the components, capabilities, and benefits of these security products and
solutions:
6.7.a Cisco Secure Network Analytics
6.7.b Cisco Stealthwatch Cloud
6.7.c Cisco pxGrid
6.7.d Cisco Umbrella Investigate
6.7.e Cisco Cognitive Threat Analytics
6.7.f Cisco Encrypted Traffic Analytics
6.7.g Cisco AnyConnect Network Visibility Module (NVM)

Steps to Pass the SCOR Exam
There are no prerequisites for the SCOR exam. However, students must have an
understanding of networking and cybersecurity concepts.

Signing Up for the Exam
The steps required to sign up for the Implementing and Operating Cisco Security Core
Technologies (SCOR 350-701) exam:

1. Create a Certiport account at https://www.certiport.com/portal/SSL/Login.aspx.
2. Once you have logged in, make sure that “Test Candidate” from the drop-down
menu is selected.
3. Click on the Shop Available Exams button.
4. Select the Schedule exam button under the exam you wish to take.
5. Verify your information and continue throughout the next few screens.
6. On the Enter payment and billing page, click on Add Voucher or Promo Code
button if applicable. Enter the voucher number or promo/discount code in the field
below and click the Apply button.
7. Continue through the next two screens to finish scheduling your exam.

Facts About the Exam
The exam is a computer-based test. The exam consists of multiple-choice questions only.
You must bring a government-issued identification card. No other forms of ID will be
accepted. You can take the exam at a Pearson Vue center or online via the OnVUE plat-
form. Visit the OnVUE page for your exam program: https://home.pearsonvue.com/Test-
takers/OnVUE-online-proctoring/View-all.aspx.

Once there, navigate to the FAQs section of the page, where you’ll find helpful informa-
tion on everything from scheduling your exam to system requirements, testing policies,
and more.

TIP Refer to the Cisco Certification site at https://cisco.com/go/certifications for more
information regarding this, and other, Cisco certifications.

From the Library of William Timothy Ray Murray
 Facts About the Exam xxxvii

About the CCNP and CCIE Security Core SCOR 350-701 Official
Cert Guide
This book maps directly to the topic areas of the SCOR exam and uses a number of
features to help you understand the topics and prepare for the exam.

Objectives and Methods
This book uses several key methodologies to help you discover the exam topics that need
more review, to help you fully understand and remember those details, and to help you
prove to yourself that you have retained your knowledge of those topics. This book does
not try to help you pass the exam only by memorization; it seeks to help you to truly
learn and understand the topics. This book is designed to help you pass the Implementing
and Operating Cisco Security Core Technologies (SCOR 350-701) exam by using the
following methods:

Helping you discover which exam topics you have not mastered

Providing explanations and information to fill in your knowledge gaps

Supplying exercises that enhance your ability to recall and deduce the answers to
test questions

Providing practice exercises on the topics and the testing process via test questions
on the companion website

Book Features
To help you customize your study time using this book, the core chapters have several
features that help you make the best use of your time:

Foundation Topics: These are the core sections of each chapter. They explain the
concepts for the topics in that chapter.

Exam Preparation Tasks: After the “Foundation Topics” section of each chapter, the
“Exam Preparation Tasks” section lists a series of study activities that you should do
at the end of the chapter:

Review All Key Topics: The Key Topic icon appears next to the most important
items in the “Foundation Topics” section of the chapter. The Review All Key
Topics activity lists the key topics from the chapter, along with their page num-
bers. Although the contents of the entire chapter could be on the exam, you
should definitely know the information listed in each key topic, so you should
review these.

Define Key Terms: Although the Implementing and Operating Cisco Security
Core Technologies (SCOR 350-701) exam may be unlikely to ask a question such
as “Define this term,” the exam does require that you learn and know a lot of
cybersecurity terminology. This section lists the most important terms from the
chapter, asking you to write a short definition and compare your answer to the
glossary at the end of the book.

From the Library of William Timothy Ray Murray
xxxviii CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

Review Questions: Confirm that you understand the content you just covered by
answering these questions and reading the answer explanations.

Web-based practice exam: The companion website includes the Pearson Cert
Practice Test engine, which allows you to take practice exam questions. Use it to
prepare with a sample exam and to pinpoint topics where you need more study.

How This Book Is Organized
This book contains 11 core chapters—Chapters 1 through 11. Chapter 12 includes prepa-
ration tips and suggestions for how to approach the exam. Each core chapter covers a
subset of the topics on the Implementing and Operating Cisco Security Core Technolo-
gies (SCOR 350-701) exam. The core chapters map to the SCOR topic areas and cover the
concepts and technologies you will encounter on the exam.

The Companion Website for Online Content Review
All the electronic review elements, as well as other electronic components of the book,
exist on this book’s companion website.

To access the companion website, which gives you access to the electronic content with
this book, start by establishing a login at www.ciscopress.com and registering your book.

To do so, simply go to www.ciscopress.com/register and enter the ISBN of the print
book: 9780138221263. After you have registered your book, go to your account page
and click the Registered Products tab. From there, click the Access Bonus Content link
to get access to the book’s companion website.

Note that if you buy the Premium Edition eBook and Practice Test version of this book
from Cisco Press, your book will automatically be registered on your account page.
Simply go to your account page, click the Registered Products tab, and select Access
Bonus Content to access the book’s companion website.

Please note that many of our companion content files can be very large, especially image
and video files.

If you are unable to locate the files for this title by following the steps above, please visit
www.pearsonITcertification.com/contact and select the Site Problems/Comments option.
Our customer service representatives will assist you.

How to Access the Pearson Test Prep (PTP) App
You have two options for installing and using the Pearson Test Prep application: a web
app and a desktop app. To use the Pearson Test Prep application, start by finding the
registration code that comes with the book. You can find the code in these ways:

Print book or bookseller eBook versions: You can get your access code by register-
ing the print ISBN (9780138221263) on ciscopress.com/register. Make sure to use
the print book ISBN regardless of whether you purchased an eBook or the print
book. Once you register the book, your access code will be populated on your
account page under the Registered Products tab. Instructions for how to redeem the
code are available on the book’s companion website by clicking the Access Bonus
Content link.

From the Library of William Timothy Ray Murray
 The Companion Website for Online Content Review xxxix

Premium Edition: If you purchase the Premium Edition eBook and Practice Test
directly from the Cisco Press website, the code will be populated on your account
page after purchase. Just log in at ciscopress.com, click Account to see details of
your account, and click the digital purchases tab.

NOTE After you register your book, your code can always be found in your account
under the Registered Products tab.

Once you have the access code, to find instructions about both the PTP web app and the
desktop app, follow these steps:

Step 1. Open this book’s companion website, as shown earlier in this Introduction
under the heading “The Companion Website for Online Content Review.”
Step 2. Click the Practice Exams button.
Step 3. Follow the instructions listed there both for installing the desktop app and for
using the web app.
Note that if you want to use the web app only at this point, just navigate to pearsontest-
prep.com, log in using the same credentials used to register your book or purchase the
Premium Edition, and register this book’s practice tests using the registration code you
just found. The process should take only a couple of minutes.

Customizing Your Exams
Once you are in the exam settings screen, you can choose to take exams in one of three
modes:

Study mode: Allows you to fully customize your exams and review answers as you
are taking the exam. This is typically the mode you would use first to assess your
knowledge and identify information gaps.

Practice Exam mode: Locks certain customization options, as it is presenting a
realistic exam experience. Use this mode when you are preparing to test your exam
readiness.

Flash Card mode: Strips out the answers and presents you with only the question
stem. This mode is great for late-stage preparation when you really want to challenge
yourself to provide answers without the benefit of seeing multiple-choice options.
This mode does not provide the detailed score reports that the other two modes do,
so you should not use it if you are trying to identify knowledge gaps.

In addition to these three modes, you will be able to select the source of your questions.
You can choose to take exams that cover all of the chapters or you can narrow your
selection to just a single chapter or the chapters that make up specific parts in the book.
All chapters are selected by default. If you want to narrow your focus to individual
chapters, simply deselect all the chapters and then select only those on which you wish
to focus in the Objectives area.

From the Library of William Timothy Ray Murray
xl CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

You can also select the exam banks on which to focus. Each exam bank comes complete
with a full exam of questions that cover topics in every chapter. The two exams printed
in the book are available to you as well as two additional exams of unique questions. You
can have the test engine serve up exams from all four banks or just from one individual
bank by selecting the desired banks in the exam bank area.

There are several other customizations you can make to your exam from the exam set-
tings screen, such as the time of the exam, the number of questions served up, whether
to randomize questions and answers, whether to show the number of correct answers for
multiple-answer questions, and whether to serve up only specific types of questions. You
can also create custom test banks by selecting only questions that you have marked or
questions on which you have added notes.

Updating Your Exams
If you are using the online version of the Pearson Test Prep software, you should always
have access to the latest version of the software as well as the exam data. If you are using
the Windows desktop version, every time you launch the software while connected
to the Internet, it checks if there are any updates to your exam data and automatically
downloads any changes that were made since the last time you used the software.

Sometimes, due to many factors, the exam data may not fully download when you acti-
vate your exam. If you find that figures or exhibits are missing, you may need to manu-
ally update your exams. To update a particular exam you have already activated and
downloaded, simply click the Tools tab and click the Update Products button. Again,
this is only an issue with the desktop Windows application.

If you wish to check for updates to the Pearson Test Prep exam engine software,
Windows desktop version, simply click the Tools tab and click the Update Application
button. This ensures that you are running the latest version of the software engine.

From the Library of William Timothy Ray Murray
This page intentionally left blank

From the Library of William Timothy Ray Murray
CHAPTER 1

Cybersecurity Fundamentals

This chapter covers the following topics:
Introduction to Cybersecurity: Cybersecurity programs recognize that organizations
must be vigilant, resilient, and ready to protect and defend every ingress and egress con-
nection as well as organizational data wherever it is stored, transmitted, or processed. In
this chapter, you will learn concepts of cybersecurity and information security.

Defining What Are Threats, Vulnerabilities, and Exploits: Describe the difference
between cybersecurity threats, vulnerabilities, and exploits.

Exploring Common Threats: Describe and understand the most common cybersecurity
threats.

Common Software and Hardware Vulnerabilities: Describe and understand the most
common software and hardware vulnerabilities.
Confidentiality, Integrity, and Availability: The CIA triad is a concept that was created
to define security policies to protect assets. The idea is that confidentiality, integrity and
availability should be guaranteed in any system that is considered secured.

Cloud Security Threats: Learn about different cloud security threats and how cloud
computing has changed traditional IT and is introducing several security challenges and
benefits at the same time.

IoT Security Threats: The proliferation of connected devices is introducing major
cybersecurity risks in today’s environment.

An Introduction to Digital Forensics and Incident Response: You will learn the con-
cepts of digital forensics and incident response (DFIR) and cybersecurity operations.

This chapter starts by introducing you to different cybersecurity concepts that are foun-
dational for any individual starting a career in cybersecurity or network security. You will
learn the difference between cybersecurity threats, vulnerabilities, and exploits. You will also
explore the most common cybersecurity threats, as well as common software and hardware
vulnerabilities. You will learn the details about the CIA triad—confidentiality, integrity, and
availability. In this chapter, you will learn about different cloud security and IoT security
threats. This chapter concludes with an introduction to DFIR and security operations.
The following SCOR 350-701 exam objectives are covered in this chapter:

1.1 Explain common threats against on-premises and cloud environments

1.1.a On-premises: viruses, Trojans, DoS/DDoS attacks, phishing, rootkits,
man-in-the-middle attacks, SQL injection, cross-site scripting, malware

From the Library of William Timothy Ray Murray
 1.1.b Cloud: data breaches, insecure APIs, DoS/DDoS, compromised credentials

1.2 Compare common security vulnerabilities such as software bugs, weak and/or
hardcoded passwords, SQL injection, missing encryption, buffer overflow, path
traversal, cross-site scripting/forgery

1.5 Describe security intelligence authoring, sharing, and consumption

1.6 Explain the role of the endpoint in protecting humans from phishing and social
engineering attacks

“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz allows you to assess whether you should read this
entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in
doubt about your answers to these questions or your own assessment of your knowledge
of the topics, read the entire chapter. Table 1-1 lists the major headings in this chapter and
their corresponding “Do I Know This Already?” quiz questions. You can find the answers in
Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.”

Table 1-1 “Do I Know This Already?” Section-to-Question Mapping
Foundation Topics Section Questions
Introduction to Cybersecurity 1
Defining What Are Threats, Vulnerabilities, and Exploits 2–6
Common Software and Hardware Vulnerabilities 7–10
Confidentiality, Integrity, and Availability 11–13
Cloud Security Threats 14–15
IoT Security Threats 16–17
An Introduction to Digital Forensics and Incident Response 18

CAUTION The goal of self-assessment is to gauge your mastery of the topics in this
chapter. If you do not know the answer to a question or are only partially sure of the answer,
you should mark that question as wrong for purposes of the self-assessment. Giving yourself
credit for an answer you incorrectly guess skews your self-assessment results and might
provide you with a false sense of security.

1. Which of the following is a collection of industry standards and best practices to help
organizations manage cybersecurity risks?
a. MITRE
b. NIST Cybersecurity Framework
c. ISO Cybersecurity Framework
d. CERT/cc

From the Library of William Timothy Ray Murray
4 CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

2. _________ is any potential danger to an asset.
a. Vulnerability
b. Threat
c. Exploit
d. None of these answers are correct.
3. A ___________ is a weakness in the system design, implementation, software, or code,
or the lack of a mechanism.
a. Vulnerability
b. Threat
c. Exploit
d. None of these answers are correct.
4. Which of the following is a piece of software, a tool, a technique, or a process that
takes advantage of a vulnerability that leads to access, privilege escalation, loss of
integrity, or denial of service on a computer system?
a. Exploit
b. Reverse shell
c. Searchsploit
d. None of these answers are correct.
5. Which of the following is referred to as the knowledge about an existing or emerging
threat to assets, including networks and systems?
a. Exploits
b. Vulnerabilities
c. Threat assessment
d. Threat intelligence
6. Which of the following are examples of malware attack and propagation mechanisms?
a. Master boot record infection
b. File infector
c. Macro infector
d. All of these answers are correct.
7. Vulnerabilities are typically identified by a ___________.
a. CVE
b. CVSS
c. PSIRT
d. None of these answers are correct.
8. SQL injection attacks can be divided into which of the following categories?
a. Blind SQL injection
b. Out-of-band SQL injection
c. In-band SQL injection
d. All of these answers are correct.

From the Library of William Timothy Ray Murray
 Chapter 1: Cybersecurity Fundamentals 5

9. Which of the following is a type of vulnerability where the flaw is in a web application
but the attack is against an end user (client)? 1
a. XXE
b. HTML injection
c. SQL injection
d. XSS
10. Which of the following is a way for an attacker to perform a session hijack attack?
a. Predicting session tokens
b. Session sniffing
c. Man-in-the-middle attack
d. Man-in-the-browser attack
e. All of these answers are correct.
11. A denial-of-service attack impacts which of the following?
a. Integrity
b. Availability
c. Confidentiality
d. None of these answers are correct.
12. Which of the following are examples of security mechanisms designed to preserve
confidentiality?
a. Logical and physical access controls
b. Encryption
c. Controlled traffic routing
d. All of these answers are correct.
13. An attacker is able to manipulate the configuration of a router by stealing the adminis-
trator credential. This attack impacts which of the following?
a. Integrity
b. Session keys
c. Encryption
d. None of these answers are correct.
14. Which of the following is a cloud deployment model?
a. Public cloud
b. Community cloud
c. Private cloud
d. All of these answers are correct.
15. Which of the following cloud models include all phases of the system development life
cycle (SDLC) and can use application programming interfaces (APIs), website portals,
or gateway software?
a. SaaS
b. PaaS
c. SDLC containers
d. None of these answers are correct.

From the Library of William Timothy Ray Murray
6 CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

16. Which of the following is not a communications protocol used in IoT environments?
a. Zigbee
b. INSTEON
c. LoRaWAN
d. 802.1X
17. Which of the following is an example of tools and methods to hack IoT devices?
a. UART debuggers
b. JTAG analyzers
c. IDA
d. Ghidra
e. All of these answers are correct.
18. Which of the following is an adverse event that threatens business security and/or
disrupts service?
a. An incident
b. An IPS alert
c. A DLP alert
d. A SIEM alert

Foundation Topics
Introduction to Cybersecurity
In today’s highly interconnected world, our individual and collective actions can have a pro-
found impact, either for good or for ill. It is in this context that cybersecurity plays a crucial
role, safeguarding not only our personal data but also our economy, critical infrastructure,
and national security against the risks posed by inadvertent or intentional misuse, compro-
mise, or destruction of information and information systems.
However, the scope of cybersecurity risk extends beyond just data breaches to encompass
the entire organization’s operations that rely on digitization and accessibility, making it more
crucial than ever for businesses to develop an effective cybersecurity program. It is no lon-
ger sufficient to delegate this responsibility solely to the IT team; rather, every individual
within an organization must take an active role in mitigating these risks, from entry-level
employees to the board of directors.
Developing and maintaining robust cybersecurity measures are vital aspects of organiza-
tional strategy in today’s digital landscape. By doing so, we can ensure that our information
systems remain secure and that our collective actions lead to positive outcomes for all.

Cybersecurity vs. Information Security (InfoSec)
Many individuals confuse traditional information security with cybersecurity. In the past,
information security programs and policies were designed to protect the confidentiality,
integrity, and availability of data within the confines of an organization. Unfortunately, this
is no longer sufficient. Organizations are rarely self-contained, and the price of interconnec-
tivity is exposure to attack. Every organization, regardless of size or geographic location,
is a potential target. Cybersecurity is the process of protecting information by preventing,
detecting, and responding to attacks.

From the Library of William Timothy Ray Murray
 Chapter 1: Cybersecurity Fundamentals 7

Cybersecurity programs recognize that organizations must be vigilant, resilient, and ready to
protect and defend every ingress and egress connection as well as organizational data wher- 1
ever it is stored, transmitted, or processed. Cybersecurity programs and policies expand and
build upon traditional information security programs, but also include the following:

Cyber risk management and oversight

Threat intelligence and information sharing

Third-party organization, software, and hardware dependency management

Incident response and resiliency

Threat hunting and adversarial emulation

The NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) is a well-known organization tha