Free Cisco 350-701 Practice Questions 2026 | Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)
Updated on: 25-May-2026
721 Questions
Topic 1: Exam Pool A
Which two kinds of attacks are prevented by multifactor authentication? (Choose two)
A. phishing
B. brute force
C. man-in-the-middle
D. DDOS
E. teardrop
A. phishing, B. brute force
Explanation:
Multi-Factor Authentication adds a critical layer of security by requiring a second (or more) form of verification beyond just a password. This directly mitigates attacks that target the weakness of single-factor (password-only) authentication.
Let's break down why A and B are correct and the others are not:
A) Phishing is CORRECT.
In a phishing attack, a user is tricked into revealing their credentials (username and password) to a fake login page. With MFA enabled, the stolen password alone is useless to the attacker. They would also need to possess the user's second factor (e.g., their phone for a push notification or a hardware token), which they typically cannot obtain through the phishing attack itself.
B) Brute force is CORRECT.
In a brute force attack, an attacker uses automated tools to try many different password combinations until they find the correct one. MFA effectively neutralizes this attack. Even if the attacker correctly guesses the password through brute force, they cannot complete the login without the second factor, making the attack impractical.
Why the other options are incorrect:
C) Man-in-the-middle (MITM) is INCORRECT.
While MFA can make a MITM attack more difficult, it does not inherently prevent it. In a sophisticated real-time MITM attack, the attacker can intercept the user's password and the one-time code from the second factor as they are entered, and then immediately use both to authenticate to the real service. Modern MFA solutions like FIDO2/WebAuthn are designed to resist these attacks, but traditional TOTP or SMS-based MFA can be vulnerable.
D) DDoS (Distributed Denial-of-Service) is INCORRECT.
A DDoS attack aims to overwhelm a service's resources (like a web server) to make it unavailable. MFA is an authentication mechanism and has no bearing on the network volume or resource exhaustion that characterizes a DDoS attack.
E) Teardrop is INCORRECT.
A teardrop attack is a very old type of Denial-of-Service attack that exploits fragmentation reassembly bugs in operating systems. It is unrelated to user authentication and is prevented by modern OS patches and network security devices, not MFA.
Reference:
NIST Special Publication 800-63B - Digital Identity Guidelines: This standard strongly recommends the use of multi-factor authentication to mitigate credential-based attacks like phishing and brute-forcing.
Cisco Duo Security & MFA Best Practices: Cisco's own documentation for its Duo MFA product consistently highlights protection against "stolen passwords" and "credential stuffing" (a form of brute force) as primary benefits.
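The two points the explanation makes (a guessed or phished password is useless without the second factor, and a real-time relay is still possible with TOTP) can be seen in code. The following is an added example written for this page, not Cisco or Duo code: a login check that requires a password and an RFC 6238 TOTP code, enforces that each code is single-use, and then replays the brute-force, phishing-replay and real-time-relay scenarios against it. The user names, passwords, timestamps and shared secret (the RFC 6238 reference secret) are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Added example (not from the exam page): password + TOTP login with single-use codes.
STEP = 30          # TOTP time step in seconds
DIGITS = 6
MAX_FAILURES = 10  # lock the account after this many consecutive failures


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // STEP)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    def __init__(self):
        self.users = {}     # name -> {"salt", "pw_hash", "totp_secret"}
        self.used = {}      # name -> set of TOTP counters already accepted (replay guard)
        self.failures = {}  # name -> consecutive failed attempts

    def add_user(self, name: str, password: str, totp_secret: bytes) -> None:
        salt = hashlib.sha256(name.encode()).digest()[:16]  # deterministic for the demo; use os.urandom in production
        self.users[name] = {"salt": salt, "pw_hash": hash_password(password, salt),
                            "totp_secret": totp_secret}


def login(store: UserStore, name: str, password: str, code: str, now: int, window: int = 1) -> bool:
    """Both factors are evaluated before deciding, so a correct password alone never grants access."""
    rec = store.users.get(name)
    if rec is None or store.failures.get(name, 0) >= MAX_FAILURES:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])

    # Accept the current step +/- `window` steps for clock skew, but never a counter that
    # was already used: that is what makes a captured code a one-time code.
    counter = now // STEP
    matched = None
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(rec["totp_secret"], c), code) and c not in store.used.get(name, set()):
            matched = c
            break

    if pw_ok and matched is not None:
        store.used.setdefault(name, set()).add(matched)
        store.failures[name] = 0
        return True
    store.failures[name] = store.failures.get(name, 0) + 1
    return False


def demo():
    store = UserStore()
    secret = b"12345678901234567890"  # RFC 6238 reference secret
    store.add_user("alice", "Summer2024!", secret)
    now = 1_700_000_000

    # 1. Brute force: the attacker walks a password list but holds no second factor.
    guesses = ["password", "Welcome1", "Summer2024!", "letmein"]
    brute = [login(store, "alice", g, "", now) for g in guesses]

    # 2. Phishing: the password was harvested, but a code captured from an earlier
    #    login is refused because its counter has already been consumed.
    code = totp(secret, now)
    victim = login(store, "alice", "Summer2024!", code, now)      # legitimate login consumes the code
    replay = login(store, "alice", "Summer2024!", code, now + 5)  # phisher replays it seconds later

    # 3. Real-time relay (the MITM caveat): the attacker submits the fresh code BEFORE the victim.
    store2 = UserStore()
    store2.add_user("bob", "Winter2024!", secret)
    code2 = totp(secret, now)
    relay = login(store2, "bob", "Winter2024!", code2, now)    # attacker first: succeeds
    victim2 = login(store2, "bob", "Winter2024!", code2, now)  # victim's own attempt now fails
    return brute, victim, replay, relay, victim2


if __name__ == "__main__":
    print(demo())
```

Scenario 3 is why the explanation is right not to credit MFA with stopping MITM: the server cannot tell the relayed submission from the genuine one, and only an origin-bound factor (FIDO2/WebAuthn) closes that gap.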
Drag and drop the steps from the left into the correct order on the right to enable AppDynamics to monitor an EC2 instance in Amazon Web Services.
Refer to the exhibit.

What will happen when this Python script is run?
A. The compromised computers and malware trajectories will be received from Cisco AMP
B. The list of computers and their current vulnerabilities will be received from Cisco AMP
C. The compromised computers and what compromised them will be received from Cisco AMP
D. The list of computers, policies, and connector statuses will be received from Cisco AMP
Explanation
This Python script is making a GET request to the Cisco Advanced Malware Protection (AMP) for Endpoints API. Let's break down the specific API endpoint being called:
The URL is: https://api.amp.cisco.com/v1/computers
According to the official Cisco AMP for Endpoints API Documentation, the /v1/computers endpoint is used to "Get a list of computers."
The data returned by this API call includes a list of all computers registered to the account, and for each computer, it provides a wealth of information, including:
The computer's hostname, operating system, and network addresses.
The policy currently applied to the computer.
The connector (AMP agent) status (e.g., online, offline).
The last time the connector communicated with the AMP cloud.
The script will print this list of computers and their associated data.
Why the other options are incorrect:
A. The compromised computers and malware trajectories will be received from Cisco AMP:
The script calls the general computer listing endpoint (/v1/computers), not an endpoint specific to compromises or investigations (like /v1/events). It will return data for all computers, not just compromised ones.
B. The list of computers and their current vulnerabilities will be received from Cisco AMP:
While the computer list is correct, the /v1/computers response carries no vulnerability data. Vulnerable-software reporting in AMP for Endpoints (now Cisco Secure Endpoint) is a separate API resource, and in any case the product is not a vulnerability scanner; nothing in this script requests such data.
C. The compromised computers and what compromised them will be received from Cisco AMP:
Similar to option A, this describes a more specific investigative query. The general /v1/computers endpoint does not filter for or return detailed causality data about compromises.
Reference:
The official Cisco AMP for Endpoints API Reference for the GET /v1/computers endpoint confirms that it returns a "list of computers," and the sample JSON response includes fields for hostname, policy (guid and name), connector_guid, connector_version, active (the connector status) and last_seen, aligning with option D.
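To make the response shape concrete, here is an added example (not the exhibit's script and not Cisco code) that calls GET /v1/computers with the API's HTTP basic authentication (client_id:api_key), follows pagination through metadata.links.next, and reduces each record to the hostname, applied policy and connector status that option D describes, flagging connectors that have stopped checking in. Field names follow the documented response; the sample page, GUIDs, hostnames and timestamps below are constructed so the summary runs offline.

```python
import base64
import json
import urllib.request
from datetime import datetime, timezone

# Added example (not from the exam page): list AMP computers and report policy/connector state.
AMP_BASE = "https://api.amp.cisco.com/v1"


def amp_get(path_or_url: str, client_id: str, api_key: str, timeout: int = 30) -> dict:
    """One authenticated GET. client_id/api_key are generated in the AMP console (API Credentials)."""
    url = path_or_url if path_or_url.startswith("https://") else AMP_BASE + path_or_url
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token,
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def fetch_all_computers(client_id: str, api_key: str):
    """/v1/computers is paginated: follow metadata.links.next until it is absent."""
    url = "/computers"
    while url:
        page = amp_get(url, client_id, api_key)
        yield from page.get("data", [])
        url = page.get("metadata", {}).get("links", {}).get("next")


def summarize(computers, now: datetime, stale_after_days: int = 7) -> list:
    """Per computer: hostname, applied policy, connector state, and whether it has gone quiet."""
    rows = []
    for c in computers:
        last_seen = datetime.fromisoformat(c["last_seen"].replace("Z", "+00:00"))
        age_days = (now - last_seen).days
        rows.append({
            "hostname": c["hostname"],
            "policy": c["policy"]["name"],
            "connector_version": c.get("connector_version", ""),
            "active": bool(c.get("active", False)),
            "days_since_seen": age_days,
            "stale": age_days >= stale_after_days,  # connector silent: check the host, not just the console
        })
    return rows


# Constructed sample in the shape of one /v1/computers page (no "next" link, so it is the last page).
SAMPLE_PAGE = {
    "version": "v1.2.0",
    "metadata": {"links": {"self": AMP_BASE + "/computers"},
                 "results": {"total": 3, "current_item_count": 3, "index": 0, "items_per_page": 500}},
    "data": [
        {"connector_guid": "11111111-aaaa-4bbb-8ccc-000000000001", "hostname": "fin-laptop-01",
         "active": True, "connector_version": "8.1.7.21417", "operating_system": "Windows 11",
         "internal_ips": ["10.20.30.41"], "external_ip": "203.0.113.7",
         "policy": {"guid": "p-1", "name": "Protect"}, "last_seen": "2025-03-10T08:15:00Z"},
        {"connector_guid": "11111111-aaaa-4bbb-8ccc-000000000002", "hostname": "lab-vm-17",
         "active": True, "connector_version": "8.1.7.21417", "operating_system": "Windows Server 2019",
         "internal_ips": ["10.99.0.17"], "external_ip": "203.0.113.7",
         "policy": {"guid": "p-2", "name": "Audit"}, "last_seen": "2025-02-01T11:00:00Z"},
        {"connector_guid": "11111111-aaaa-4bbb-8ccc-000000000003", "hostname": "hr-desktop-09",
         "active": False, "connector_version": "8.1.5.21322", "operating_system": "Windows 10",
         "internal_ips": ["10.20.30.88"], "external_ip": "203.0.113.7",
         "policy": {"guid": "p-1", "name": "Protect"}, "last_seen": "2025-03-09T17:42:00Z"},
    ],
}


def demo() -> list:
    now = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)
    return summarize(SAMPLE_PAGE["data"], now)


if __name__ == "__main__":
    # Against a live tenant: summarize(fetch_all_computers(CLIENT_ID, API_KEY), datetime.now(timezone.utc))
    for row in demo():
        print(row)
```

The `stale` column is the practical reason to pull this list: a connector marked active in the policy view but silent for a week is either an unplugged host or an agent that has been stopped, and the API lets you find those without clicking through the console.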
An engineer must force an endpoint to re-authenticate an already authenticated session without disrupting the endpoint to apply a new or updated policy from ISE. Which CoA type achieves this goal?
A. Port Bounce
B. CoA Terminate
C. CoA Reauth
D. CoA Session Query
Explanation
A Change of Authorization (CoA) is a RADIUS mechanism that allows a policy server like Cisco ISE to dynamically change the authorization for an active, authenticated session. The "CoA Reauth" type is specifically designed for the scenario described.
Here's how it works:
The Situation:
An endpoint is already authenticated on the network. ISE needs to apply a new policy to this session (e.g., the endpoint's posture state changed, its profile was updated, or an administrator modified its access rights).
The Action:
ISE sends a CoA Reauth request to the network access device (NAD) like a switch or wireless controller.
The Result:
The NAD receives this request and silently forces the endpoint to go through the authentication process again. This is typically done by sending a new EAP-Request/Identity frame to the endpoint.
The Benefit:
The endpoint re-authenticates. During this new authentication, ISE re-evaluates all policies against the latest information (posture state, profile, group membership) and issues a fresh authorization result. The existing session is not torn down, so the endpoint keeps its IP address and its established connections; the change is effectively invisible to the user.
This makes "CoA Reauth" the ideal tool for applying policy changes to existing sessions in a non-disruptive manner.
Detailed Breakdown of Incorrect Options:
A. Port Bounce:
Why it is incorrect:
A Port Bounce CoA is a very disruptive action. It effectively performs a "shutdown / no shutdown" on the switch port to which the endpoint is connected. This will completely disconnect the endpoint from the network, causing all active sessions to drop. The user would have to wait for the port to come back up and for their device to re-associate and obtain a new IP address (if using DHCP). This is the opposite of "without disrupting the endpoint."
B. CoA Terminate:
Why it is incorrect:
A CoA Terminate command is explicitly used to end the user's session immediately. It instructs the NAD to tear down the authenticated session and remove the endpoint from the network. Like Port Bounce, this is a disruptive action that logs the user off, which violates the requirement of the task.
D. CoA Session Query:
Why it is incorrect:
A CoA Session Query is not used to change authorization or force re-authentication. Its purpose is purely informational. ISE sends this request to the NAD to ask for a snapshot of the current state of a specific session (e.g., its IP address, session timeout, data usage). It is a read-only operation that does not modify the session or apply any new policy.
Reference and Key Context:
RFC 5176: The standard for "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)" defines these CoA messages.
Cisco ISE Administration Guide: The use of CoA Reauth is detailed in sections discussing session management, profiling, and posture remediation.
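The CoA types above are all RADIUS packets on UDP/1700 (Cisco's default, 3799 in RFC 5176), so the difference between "reauth" and "bounce" is literally one Cisco-AVPair value. The following is an added example written for this page, not ISE or IOS code: it builds an RFC 5176 CoA-Request carrying the subscriber:command=reauthenticate AVPair, computes the Request Authenticator, plays the NAD side (verify, look up the session, answer with CoA-ACK or CoA-NAK and Error-Cause 503), and validates the Response Authenticator the way the sender must. The shared secret and session ID are constructed; the optional Message-Authenticator attribute is left out for brevity.

```python
import hashlib
import hmac
import struct

# Added example (not from the exam page): RFC 5176 CoA-Request/ACK/NAK with Cisco AVPairs.
CODE_COA_REQUEST, CODE_COA_ACK, CODE_COA_NAK = 43, 44, 45
ATTR_VENDOR_SPECIFIC, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 26, 44, 101
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1     # vendor-type 1 under vendor 9 is Cisco-AVPair
ERR_SESSION_CONTEXT_NOT_FOUND = 503      # RFC 5176 Error-Cause value
HEADER = struct.Struct("!BBH16s")        # Code, Identifier, Length, Authenticator (20 bytes)
COMMANDS = {"reauthenticate", "bounce-host-port", "disable-host-port"}


def avp(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    data = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def parse_attrs(blob: bytes) -> list:
    out, i = [], 0
    while i < len(blob):
        t, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError("malformed attribute")
        out.append((t, blob[i + 2:i + ln]))
        i += ln
    return out


def build_coa_request(secret: bytes, identifier: int, attrs: bytes) -> bytes:
    """Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attributes|Secret), as RFC 5176 inherits from RFC 2866."""
    length = HEADER.size + len(attrs)
    auth = hashlib.md5(HEADER.pack(CODE_COA_REQUEST, identifier, length, bytes(16)) + attrs + secret).digest()
    return HEADER.pack(CODE_COA_REQUEST, identifier, length, auth) + attrs


def coa_command(secret: bytes, identifier: int, acct_session_id: str,
                command: str = "reauthenticate", reauth_type: str = "last") -> bytes:
    """'reauthenticate' re-runs authentication in place ('last' repeats the last method,
    'rerun' restarts the method list); 'bounce-host-port' is the disruptive Port Bounce."""
    if command not in COMMANDS or reauth_type not in ("last", "rerun"):
        raise ValueError("unsupported CoA command or reauthenticate-type")
    attrs = avp(ATTR_ACCT_SESSION_ID, acct_session_id.encode()) + cisco_avpair(f"subscriber:command={command}")
    if command == "reauthenticate":
        attrs += cisco_avpair(f"subscriber:reauthenticate-type={reauth_type}")
    return build_coa_request(secret, identifier, attrs)


def verify_request(secret: bytes, packet: bytes) -> bool:
    code, ident, length, auth = HEADER.unpack_from(packet)
    if code != CODE_COA_REQUEST or length != len(packet):
        return False
    attrs = packet[HEADER.size:]
    expected = hashlib.md5(HEADER.pack(code, ident, length, bytes(16)) + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def nad_handle(secret: bytes, packet: bytes, active_sessions) -> bytes:
    """NAD side: authenticate the request, find the session, answer ACK or NAK."""
    if not verify_request(secret, packet):
        raise ValueError("bad Request Authenticator: RFC 5176 says drop silently")
    _, ident, _, req_auth = HEADER.unpack_from(packet)
    attrs = parse_attrs(packet[HEADER.size:])
    sid = next((v.decode() for t, v in attrs if t == ATTR_ACCT_SESSION_ID), None)
    if sid in active_sessions:
        code, resp_attrs = CODE_COA_ACK, b""
    else:
        code, resp_attrs = CODE_COA_NAK, avp(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))
    length = HEADER.size + len(resp_attrs)
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    auth = hashlib.md5(HEADER.pack(code, ident, length, req_auth) + resp_attrs + secret).digest()
    return HEADER.pack(code, ident, length, auth) + resp_attrs


def check_response(secret: bytes, request: bytes, response: bytes) -> str:
    """Sender side: bind the reply to our request (identifier + Request Authenticator) before trusting it."""
    _, req_id, _, req_auth = HEADER.unpack_from(request)
    code, ident, length, auth = HEADER.unpack_from(response)
    attrs = response[HEADER.size:]
    if ident != req_id or length != len(response):
        return "mismatch"
    expected = hashlib.md5(HEADER.pack(code, ident, length, req_auth) + attrs + secret).digest()
    if not hmac.compare_digest(expected, auth):
        return "forged"
    return {CODE_COA_ACK: "CoA-ACK", CODE_COA_NAK: "CoA-NAK"}.get(code, "unknown")


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = coa_command(secret, 7, "0A0A0A0A00000123ABCDEF")
    print(check_response(secret, req, nad_handle(secret, req, {"0A0A0A0A00000123ABCDEF"})))
```

Two things to notice: a NAK with Error-Cause 503 is what you see in ISE when the session ID it holds no longer matches the switch's view (typically after the endpoint moved ports), and a request that fails the authenticator check gets no reply at all, which is why a wrong shared secret on the NAD shows up as a CoA timeout rather than an error.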
An engineer has been tasked with implementing a solution that can be leveraged for securing the cloud users, data, and applications. There is a requirement to use the Cisco cloud native CASB and cloud cybersecurity platform. What should be used to meet these requirements?
A. Cisco Umbrella
B. Cisco Cloud Email Security
C. Cisco NGFW
D. Cisco Cloudlock
D. Cisco Cloudlock
Which two features of Cisco DNA Center are used in a Software Defined Network solution? (Choose two)
A. accounting
B. assurance
C. automation
D. authentication
E. encryption
B. assurance, C. automation
https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-cisco-dna-center-aag-cte-en.html
Drag and drop the descriptions from the left onto the correct protocol versions on the right.


What does Cisco AMP for Endpoints use to help an organization detect different families of malware?
A. Ethos Engine to perform fuzzy fingerprinting
B. Tetra Engine to detect malware when the endpoint is connected to the cloud
C. Clam AV Engine to perform email scanning
D. Spero Engine with machine learning to perform dynamic analysis
Explanation
Cisco AMP for Endpoints uses a multi-layered approach with several specialized engines to provide comprehensive protection. Each engine has a specific purpose.
A. Ethos Engine to perform fuzzy fingerprinting:
This is correct. The Ethos Engine is a core component of AMP's detection capability. It uses fuzzy hashing or "fuzzy fingerprinting" to identify malware families. Unlike a traditional MD5 or SHA256 hash, which changes completely if a single bit of the file is altered, fuzzy hashing can identify files that are similar. This allows AMP to detect new variants of a known malware family, even if the attacker has slightly modified the code to evade traditional signature-based detection.
Why the other options are incorrect:
B. Tetra Engine to detect malware when the endpoint is connected to the cloud:
This is incorrect, and the option has TETRA's role backwards. TETRA is the connector's full signature-based antivirus engine, enabled per policy, whose purpose is local detection when the endpoint is offline or otherwise cannot perform cloud lookups. It relies on downloaded signature sets rather than on a cloud connection at scan time.
C. Clam AV Engine to perform email scanning:
This is incorrect. ClamAV is the open-source engine the Mac and Linux connectors use for offline signature-based scanning, the counterpart of TETRA on Windows. It scans files on the endpoint; email scanning is a function of Cisco Secure Email, not of the AMP connector.
D. Spero Engine with machine learning to perform dynamic analysis:
This is partially tricky but ultimately incorrect. The Spero Engine is indeed a machine learning model. However, its primary function is static analysis, not dynamic analysis. It classifies files as malicious or clean by examining the file's static properties and code structure without executing it. Dynamic analysis, which involves running a file in a sandboxed environment to observe its behavior, is a separate capability of the AMP ecosystem, often handled by the Threat Grid integration.
Reference:
This information is based on the official architecture of Cisco AMP for Endpoints. The "Engines" are a fundamental part of the product's data sheets and technical documentation.
Cisco AMP for Endpoints Data Sheet: Often references the "multiple detection engines" working in concert.
Cisco AMP Technical Documentation / White Papers: Specifically detail the roles of each engine:
Ethos: Specializes in fuzzy hashing and malware family identification.
Tetra: Full signature-based antivirus engine for offline detection on Windows connectors (ClamAV fills this role on Mac and Linux).
Spero: A machine-learning-based static analysis engine.
In summary, the key to this question is associating the "fuzzy fingerprinting" technique, which is essential for detecting malware families and their variants, with the correct engine, which is Ethos.
Which function is the primary function of Cisco AMP threat Grid?
A. automated email encryption
B. applying a real-time URI blacklist
C. automated malware analysis
D. monitoring network traffic
Explanation for Each Option:
A. automated email encryption (Incorrect):
Automated email encryption is a feature provided by solutions like Cisco Secure Email Gateway, which secures email communication. Cisco AMP Threat Grid does not focus on email encryption; its primary role is analyzing malware, making this option unrelated to its core function. (Reference: Cisco Secure Email Gateway Datasheet.)
B. applying a real-time URI blacklist (Incorrect):
Applying a real-time URI blacklist is a capability of Cisco Umbrella, which blocks malicious domains at the DNS layer. AMP Threat Grid, however, is designed for malware analysis, not real-time URL filtering or blacklisting, rendering this option incorrect for its primary purpose. (Reference: Cisco Umbrella Overview.)
C. automated malware analysis (Correct):
The primary function of Cisco AMP Threat Grid is to provide automated malware analysis by executing suspicious files in a virtualized sandbox environment. It identifies malicious behavior, generates threat intelligence, and integrates findings with other Cisco security products, making this its core capability. (Reference: Cisco AMP Threat Grid Datasheet.)
D. monitoring network traffic (Incorrect):
Monitoring network traffic is a function of solutions like Cisco Stealthwatch or Firepower, which analyze flow data for threats. AMP Threat Grid focuses on file-based malware analysis, not real-time network traffic monitoring, making this option misaligned with its primary role. (Reference: Cisco Stealthwatch Datasheet.)
Additional Notes:
AMP Threat Grid's malware analysis is a key topic in the 350-701 SCOR exam under endpoint security; Cisco now markets the product as Secure Malware Analytics. For details, refer to the Cisco Threat Grid / Secure Malware Analytics documentation (cisco.com) and the 350-701 Exam Blueprint (Section 2.0 Endpoint Security).
What is the role of Cisco Umbrella Roaming when it is installed on an endpoint?
A. To protect the endpoint against malicious file transfers
B. To ensure that assets are secure from malicious links on and off the corporate network
C. To establish secure VPN connectivity to the corporate network
D. To enforce posture compliance and mandatory software
Explanation
Cisco Umbrella Roaming is a lightweight module (the Umbrella Roaming Client or the DNS module of the Cisco Secure Client) that is installed on an endpoint (laptop, mobile device). Its primary function is to provide consistent DNS-layer security regardless of the endpoint's physical location.
Here’s how it fulfills the role described in option B:
On the Corporate Network:
The endpoint is protected by the organization's Umbrella policies.
Off the Corporate Network:
When the user connects to a coffee shop Wi-Fi, a home network, or a mobile hotspot, the Umbrella Roaming client continues to enforce the same DNS security policies. It directs all DNS queries through the Cisco Umbrella cloud, which blocks requests to malicious domains, including those used for phishing, malware, and ransomware. This protects the user from clicking on malicious links in emails or websites that would lead to infection, even when the endpoint is not behind the corporate firewall.
Why the other options are incorrect:
A. To protect the endpoint against malicious file transfers:
While Umbrella can block the download of known malicious files by preventing a connection to the host serving them, this is a byproduct of its DNS-layer blocking. It is not a dedicated file-scanning or anti-malware service like Cisco AMP for Endpoints.
C. To establish secure VPN connectivity to the corporate network:
This is the function of the VPN module of the Cisco Secure Client (formerly AnyConnect). While the Umbrella Roaming client and the VPN client can be part of the same client package, they are separate modules with distinct functions. Umbrella Roaming does not create a VPN tunnel.
D. To enforce posture compliance and mandatory software:
This is the function of Cisco ISE (Identity Services Engine) and the Posture module of the Cisco Secure Client. Posture assessment checks for things like antivirus installation, firewall status, and OS patches, which is a different security function than DNS-based web filtering.
Reference:
The purpose of the Umbrella Roaming client is clearly defined in its product documentation.
As per the Cisco Umbrella Administration Guide, the Roaming Client is described as providing "consistent security for your users on and off your network... The roaming computers are protected by your security policies even when they aren’t behind your firewall or connected to your VPN."
This directly confirms that its role is to protect assets from malicious internet destinations, both on and off the corporate network.