CCNP Security 350-701 Full Course Free

Data is sent out to the attacker during a DNS tunneling attack as part of the domain name. DNS tunneling is a technique that encodes the data of other protocols or programs in DNS queries and responses. The attacker registers a domain, such as badsite.com, and points it to a server under their control, where a tunneling program is installed. The attacker infects a device with malware, which sends DNS queries to the attacker’s server, using subdomains of badsite.com to encode the data. For example, the malware could send a query for 1234.badsite.com, where 1234 is the encoded data. The attacker’s server decodes the data from the subdomain and sends back a DNS response, which may also contain encoded data in the answer section12. The other options are not correct, because they do not use the domain name to encode the data. The UDP/53 and TCP/53 packet payload and header are used to transport the DNS query and response, but they are not modified by the tunneling technique. The DNS response packet contains the answer to the query, but it is not the only way to send data to the attacker3. References:

1: DNS Tunneling attack - What is it, and how to protect ourselves?

2: What Is DNS Tunneling? - Palo Alto Networks

3: What Are DNS Attacks? - Palo Alto Networks

Explanation

The profiling service issues the change of authorization in the following cases:

– Endpoint deleted—When an endpoint is deleted from the Endpoints page and the endpoint is disconnected

or removed from the network.

An exception action is configured—If you have an exception action configured per profile that leads to an

unusual or an unacceptable event from that endpoint. The profiling service moves the endpoint to the

corresponding static profile by issuing a CoA.

– An endpoint is profiled for the first time—When an endpoint is not statically assigned and profiled for the first time; for example, the profile changes from an unknown to a known profile.

+ An endpoint identity group has changed—When an endpoint is added or removed from an endpoint identity group that is used by an authorization policy.

The profiling service issues a CoA when there is any change in an endpoint identity group, and the endpoint identity group is used in the authorization policy for the following:

++ The endpoint identity group changes for endpoints when they are dynamically profiled

++ The endpoint identity group changes when the static assignment flag is set to true for a dynamic endpoint – An endpoint profiling policy has changed and the policy is used in an authorization policy—When an endpoint profiling policy changes, and the policy is included in a logical profile that is used in an authorization policy. The endpoint profiling policy may change due to the profiling policy match or when an endpoint is statically assigned to an endpoint profiling policy, which is associated to a logical profile. In both the cases, the profiling service issues a CoA, only when the endpoint profiling policy is used in an authorization policy.

Explanation

Micro-segmentation secures applications by expressly allowing particular application traffic and, by default,

denying all other traffic. Micro-segmentation is the foundation for implementing a zero-trust security model for

application workloads in the data center and cloud.

Cisco Tetration is an application workload security platform designed to secure your compute instances across

any infrastructure and any cloud. To achieve this, it uses behavior and attribute-driven microsegmentation

policy generation and enforcement. It enables trusted access through automated, exhaustive context from

various systems to automatically adapt security policies.

To generate accurate microsegmentation policy, Cisco Tetration performs application dependency mapping to

discover the relationships between different application tiers and infrastructure services. In addition, the

platform supports “what-if” policy analysis using real-time data or historical data to assist in the validation and risk assessment of policy application pre-enforcement to ensure ongoing application availability. The

normalized microsegmentation policy can be enforced through the application workload itself for a consistent approach to workload microsegmentation across any environment, including virtualized, bare-metal, and container workloads running in any public cloud or any data center. Once the microsegmentation policy is enforced, Cisco Tetration continues to monitor for compliance deviations, ensuring the segmentation policy is up to date as the application behavior change.

Multifactor authentication (MFA) is a security measure that requires two or more proofs of identity to grant access to a resource, such as a username and password, a one-time code, a smart card, etc.1 MFA provides stronger protection than single-factor authentication (SFA), which only requires one proof of identity, such as a password. SFA can be compromised more easily by attackers who can guess, steal, or intercept passwords, or use phishing or social engineering techniques to trick users into revealing their credentials. MFA adds an extra layer of security that makes it harder for attackers to gain access, even if they have the password. MFA can also prevent unauthorized access from lost or stolen devices, as the attacker would need another factor to authenticate. MFA can also deter attackers from targeting an organization, as they would need to invest more time and resources to bypass the security measures. Therefore, organizations should migrate to a multifactor authentication strategy to enhance their security posture and protect their data and assets. References := 1: What is Multi-Factor Authentication (MFA)? - Auth0