Cisco 300-745 Designing Cisco Security Infrastructure (300-745 SDSI) v1.0 Exam Practice Test

The scenario describes a typical "insider threat" involvingdata exfiltration. While the initial failure was likely in the off-boarding process (Identity Management), the technical control required to specifically "detect and restrict unauthorized data access and transfer" is aData Loss Prevention (DLP) strategy. DLP solutions are designed to monitor, detect, and block sensitive data from leaving the organization's control.

A robust DLP strategy—integrated across Cisco platforms likeEmail Security (ESA),Web Security (WSA), andCisco Umbrella—works by identifying sensitive content (such as customer lists, proprietary code, or financial data) using techniques like fingerprinting or keyword matching. If an unauthorized attempt is made to upload this data to a personal cloud drive or send it via email, the DLP engine intercepts and blocks the transfer. WhileAudit Logging(Option D) is essential for forensic investigationafterthe fact, it does not "restrict" the transfer in real-time.WAFs(Option A) protect against external attacks on web servers, andNetwork Policies(Option B) control traffic flow but generally lack the content-awareness required to identify sensitive business data. Implementing DLP ensures that the organization's intellectual property remains protected even if an account remains active or a user has legitimate network access.

The scenario described—where physical theft of written credentials led to a breach—is a classic failure of single-factor authentication. To mitigate this risk, the company must implementMulti-Factor Authentication (MFA). MFA requires users to provide two or more verification factors to gain access to a resource, typically categorized as something you know (password), something you have (a smartphone or hardware token), or something you are (biometrics).

According to Cisco Security Infrastructure design best practices, MFA (such asCisco Duo) ensures that even if an attacker possesses valid credentials (the "something you know" from the stolen notepad), they cannot gain access without the second factor (the "something you have"). This effectively neutralizes the threat of stolen passwords.Single Sign-On (SSO)(Option B) improves user experience and centralizes management but does not, by itself, stop an attacker who has the master password.Updating the RADIUS server(Option C) is a maintenance task that doesn't change the authentication logic, and apassword expiration policy(Option D) would only limit the "shelf life" of the stolen credentials rather than preventing their initial use. MFA is the most robust architectural control for enhancing identity security and is a core pillar of a Zero Trust framework.

========

Polymorphic malware is particularly dangerous because it constantly changes its identifiable features (such as its file name or encryption keys) to evade traditional signature-based detection. A stateful traditional firewall is ineffective here as it primarily checks packet headers rather than inspecting the payload for malicious intent. To defend against these variants, aheuristics-based IPS (Intrusion Prevention System)is required.

Unlike traditional IPS systems that look for an exact match of a known threat "signature," heuristics-based systems look forsuspicious characteristicsor behaviors. For example, if a file attempts to modify system registries in a specific sequence or uses obfuscation techniques common to malware, the heuristics engine will flag and block it even if it has never seen that specific version of the malware before. This is a core component ofCisco Secure Firewall (NGFW). While aWAF(Option A) protects web applications and aNetwork Performance Monitor(Option C) provides visibility into traffic speeds, neither is designed to combat evolving malware. Adding a heuristics-based IPS provides the "deep packet inspection" layer necessary for a true defense-in-depth strategy, ensuring the agricultural company is protected against modern, evasive cyber threats.

========

Cisco TrustSec is a next-generation security architecture that provides software-defined segmentation to simplify the provisioning of network access control. In a hotel environment where guest privacy is paramount, TrustSec is the ideal solution to prevent "peer-to-peer" or cross-communication between devices located within the same VLAN. Traditional methods for this isolation, such as Private VLANs (PVLANs) or complex, manually managed Access Control Lists (ACLs), can be extremely difficult to maintain at scale across a global infrastructure.

TrustSec replaces these IP-based or VLAN-based restrictions with Scalable Group Tags (SGTs). When a device connects to the network, Cisco Identity Services Engine (ISE) authenticates the endpoint and assigns it a specific SGT based on its role, identity, or security posture. The network infrastructure (switches) then enforces policy based on these tags. To meet the requirement of preventing communication between devices in the same VLAN without using dynamic ACLs (dACLs), ISE can be configured to assign the same SGT to guest devices and then apply a Security Group ACL (SGACL) that denies traffic where both the source and destination tags are identical. This "intra-SGT" isolation effectively blocks devices from communicating with their neighbors on the same local segment. This approach aligns with the Cisco SAFE architecture by providing granular, identity-aware segmentation that is topology-independent, allowing the hotel chain to maintain a simplified network structure while ensuring robust client security.

========

TheSarbanes-Oxley Act of 2002 (SOX)is a mandatory federal law that all publicly traded companies in the United States must comply with to ensure the accuracy and reliability of their corporate financial reporting. Within theCisco Security Infrastructure (300-745 SDSI)framework, SOX is a critical driver for designing secure architectures, particularly regardingaccess control, data integrity, and auditing. Sections 302 and 404 of the act are of particular importance to IT security teams, as they mandate that corporate officers certify the effectiveness of internal controls over financial reporting.

To satisfy SOX requirements, a security designer must implement robust logging and monitoring to ensure that financial data cannot be altered without authorization. Technologies such asCisco Identity Services Engine (ISE)for role-based access control andCisco XDRfor centralized visibility are often utilized to provide the necessary audit trails. UnlikeHIPAA(Option A), which focuses on protected health information, orFedRAMP(Option D), which applies to cloud service providers for the federal government, SOX is a broad financial regulatory requirement. WhileSOC(Option C) reports (such as SOC 2) are independent auditing standards often requested by businesses to verify service provider controls, they are not the federal law itself. Therefore, SOX remains the primary regulatory framework governing the security and integrity of financial reporting systems for public entities in the U.S.

As organizations shift toward a "borderless" or hybrid work model, the traditional perimeter-based security model becomes insufficient. When employees work from home, coffee shops, or airports, they are no longer behind the enterprise's physicalNext-Generation Firewall (NGFW)(Option A). To ensure that security policies are enforced "regardless of location," the security must move with the device.

Ahost-based firewallis a software-defined firewall that resides directly on the endpoint (laptop, workstation, or server). In the Cisco ecosystem, this is often a component ofCisco Secure ClientorCisco Secure Endpoint. Because the firewall is local to the operating system, it can enforce strict inbound and outbound traffic rules even when the user is not connected to a VPN. This protects the device from lateral movement threats on untrusted local networks (like a public Wi-Fi) and ensures that only authorized applications can communicate over the network.

While an NGFW (Option A) provides superior deep packet inspection for the corporate perimeter, and aWeb Application Firewall (WAF)(Option C) protects web servers from application-layer attacks, neither provides the local, location-independent protection required for a distributed remote workforce. Implementing a host-based firewall aligns with theZero Trustarchitecture promoted by Cisco, where the endpoint itself becomes a micro-perimeter capable of self-protection.

In modern secure infrastructure design, especially within high-performance testing and developer environments, the ability to observe and filter traffic at a deep level is crucial. eBPF (extended Berkeley Packet Filter) is a revolutionary technology that allows developers to run sandboxed programs within the Linux kernel. The primary advantage of eBPF is that it enables sophisticated tracing, monitoring, and network filtering capabilities without the need to modify the underlying kernel source code or load intrusive kernel modules.

In the context of the Cisco SDSI objectives, eBPF is highlighted as a key component of distributed firewalling and cloud-native security architectures. It operates by attaching programs to various "hooks" in the kernel, such as network events, tracepoints, or system calls. When a packet enters the system or a specific event occurs, the eBPF program can inspect the context and make high-speed decisions on whether to allow, drop, or redirect traffic. This provides a much more efficient and flexible alternative to traditional technologies like IPTables. Because eBPF programs are verified for safety by a JIT compiler before being executed, they do not risk crashing the kernel, making them ideal for dynamic developer environments. Unlike Vector Packet Processing (VPP) (Option D), which moves packet processing into userspace, or standard Next-Generation Firewalls (NGFW) (Option C), which are typically separate appliances, eBPF provides "in-kernel" observability and enforcement that is programmable and highly scalable for microservices and containerized applications.

The General Data Protection Regulation (GDPR) is a comprehensive data privacy law in the European Union (EU) that has a significant global reach. For a California-based marketing firm with customers on every continent, any breach involving the Personally Identifiable Information (PII) of European residents triggers immediate and severe legal exposure under GDPR. This regulation is unique because of its extraterritorial application; it mandates that any entity—regardless of its physical headquarters—must comply if they offer goods or services to, or monitor the behavior of, individuals located within the EU.

In the event of a data breach, GDPR requires organizations to notify the relevant supervisory authority within 72 hours and, in cases of high risk, notify the affected individuals without undue delay. Failure to implement adequate technical and organizational measures to protect data can result in astronomical fines of up to €20 million or 4% of annual global turnover, whichever is higher. While other frameworks like NIST SP 800-53 (often confused with ISO in Option A) or ISO 27001 (Option D) provide the architectural standards and controls to prevent such incidents, they are voluntary standards or frameworks, not legally binding regulations that a company "violates" in the same sense as GDPR. FedRAMP (Option B) is specific to US federal government cloud service providers and would not typically apply to a private marketing firm's global operations. Thus, GDPR represents the primary regulatory threat for a global firm handling international PII.

========

In the scenario described, the healthcare organization fell victim to aransomware attack, where devices were encrypted to extort the organization. To mitigate such risks in the future,Endpoint Detection and Response (EDR)is the essential architectural component. According to the Cisco SDSI Secure Infrastructure domain, protecting endpoints requires more than just traditional antivirus; it necessitates a solution that provides deep visibility into file behavior and process execution.

A robust EDR solution, such asCisco Secure Endpoint, continuously monitors all activity on the device. When ransomware attempts to initiate its encryption process, the EDR can detect the malicious behavioral pattern in real-time. It can then take automated actions, such as isolating the infected host from the network and "stopping" the encryption process before it spreads. Furthermore, Cisco's EDR providesretrospective security, allowing administrators to see how the malware arrived and which other devices it touched. While Option A (Password Policies) helps prevent credential theft and Option C (DLP) prevents data theft, they do not stop the technical process of disk encryption. Only EDR provides the necessary detection and automated response capabilities to handle modern file-less and polymorphic malware threats effectively. This aligns with the Cisco SAFE goal of securing the endpoint layer against advanced persistent threats (APTs) and ransomware variants.

========

In the context of theCisco Security Infrastructure (300-745 SDSI)objectives, ensuringdata integrityis a fundamental requirement, particularly in the healthcare sector where the accuracy of medical records at remote sites is critical for patient safety.Hashingis the primary mathematical process used to verify that data has not been altered or tampered with during transit between locations.

Hashing works by applying a cryptographic algorithm (such as SHA-256) to a data set to produce a fixed-size string of characters called a "hash" or "checksum." When data is sent from one remote site to another, the sender calculates a hash of the original data. Upon arrival, the receiving site recalculates the hash using the same algorithm. If the two hashes match exactly, the receiver is assured that the data is identical to the original and has maintained its integrity. Even a single-bit change in the original data would result in a completely different hash value.

WhileAuthentication(Option D) andPreshared Keys(Option C) are essential for verifying the identity of the sites and establishing secure tunnels (like IPsec VPNs), they do not, by themselves, provide the mathematical proof of content integrity.Data Masking(Option B) is a privacy technique used to hide sensitive information from unauthorized viewers, but it does not prevent or detect data corruption or unauthorized modifications. Therefore, hashing is the specified technical control for achieving verifiable data integrity across distributed infrastructures.

In the provided exhibit of theCisco Data Loss Prevention (DLP) Policyinterface (likely within Cisco Umbrella or a similar cloud security gateway), the reason for the policy's failure to stop the upload is clearly visible in the "Action" column. The rule named"ChatGPT Source Code"is currently configured with the action set toMonitor.

According to theCisco SDSI v1.0objectives regarding application and data security, theMonitoraction is designed for visibility and auditing. It allows the traffic to pass through while generating a log entry for security analysts to review. This is often used during an initial "discovery" phase to understand how data is moving without disrupting business processes. However, to fulfill the requirement ofpreventingthe unauthorized upload of sensitive data—such as application source code—the policy must be enforcement-centric.

By selectingOption D, the developer changes the action from "Monitor" toBlock. In "Block" mode, the DLP engine will actively intercept the web request to ChatGPT, inspect the content for "Source Code" classifications, and drop the connection if a match is found, thereby preventing the data from leaving the corporate environment. While moving rules (Option B) can resolve conflicts if a "Block" rule is superseded by an "Allow" rule higher in the list, the primary issue here is the non-restrictive action of the specific rule itself. Modifying data classifications (Option C) is unnecessary if the engine is already correctly identifying the source code, as evidenced by the successful monitoring logs mentioned in the scenario. Changing the action to Block is the definitive step to ensure data integrity and prevent intellectual property theft.

In the context of theCisco SDSI v1.0blueprint, "shifting left" refers to the practice of integrating security testing as early as possible in the Software Development Life Cycle (SDLC). The most effective component of the pipeline for running these early tests isSource Code Management (SCM). By integrating security tools directly into the SCM system (such as GitHub, GitLab, or Bitbucket), developers can identify vulnerabilities while the code is still being written or during the initial commit phase.

Techniques such as Static Application Security Testing (SAST) and secret scanning are typically triggered at the SCM level through pull requests or commit hooks. This allows the security team to identify flawed logic or hardcoded credentials before the code is ever compiled or moved to the build stage. WhileContinuous Deployment(Option A) handles the final release of the software, it is too late in the pipeline for a "shift-left" approach to be most effective.Software Bill of Materials (SBOM) analysis(Option C) is a specific task focused on dependency management, andCloud Security Posture Management (CSPM)(Option B) focuses on the runtime environment rather than the application code itself. Utilizing SCM as the primary checkpoint ensures that security becomes a foundational part of the development process, reducing the risk of vulnerable software reaching production environments.

========

In aFull TunnelVPN configuration, all traffic from the remote client is sent to the VPN headend before being routed to its final destination. This often results in "hairpinning," where high-bandwidth latency-sensitive traffic, such as video conferencing, travels to the corporate data center only to be sent back out to the internet, doubling the bandwidth consumption at the headquarter's ISP link.

To resolve this, the company should implementSplit-Excludetunneling. This configuration allows the VPN administrator to define specific applications or IP ranges—in this case, the SaaS video platform—that should bypass the secure tunnel and go directly to the internet via the user's local ISP. This significantly reduces the load on the corporate headquarter's internet connection and often improves the "employee experience" by reducing latency for the video stream. Unlike Option A, which degrades quality, or Option C/D, which disrupts workflow and security posture, split-excluding trusted SaaS traffic maintains a high security standard for internal resources while optimizing infrastructure costs. This aligns with theCisco SDSIobjective of designing scalable and cost-effective remote access solutions usingCisco Secure Client(AnyConnect) and Firepower Threat Defense (FTD) policies.

========

The spread of malicious content between endpoints is a classic case oflateral movement. To control and restrict communication between individual endpoints—regardless of their physical location or IP address—Cisco TrustSecis the recommended architectural approach. TrustSec moves away from traditional, IP-based Access Control Lists (ACLs), which are difficult to manage and scale, and instead usesScalable Group Tags (SGTs).

With TrustSec, every endpoint is assigned an SGT based on its role or security context (e.g., "Employee," "Contractor," or "HR"). Security policies are then defined in a centralized matrix (the egress policy matrix) that dictates which SGTs can talk to one another. For example, a policy can be set so that endpoints in the "Developer" group cannot communicate directly with endpoints in the "Sales" group, effectively preventing malware from hopping between machines. WhileRADIUS(Option A) is the protocol used for authentication, it does not perform the segmentation itself.Posture(Option C) checks the health of the device, andProfiling(Option D) identifies what the device is, but neither provides the policy-based traffic control of TrustSec. By implementing TrustSec, the company achievesmicro-segmentation, significantly reducing the internal attack surface and containing potential breaches within a single group, which is a core goal of modern secure infrastructure design.

In the realm of Artificial Intelligence security,AI hallucinationsoccur when a generative model perceives patterns that are non-existent or logically incorrect, leading to the creation of content that is nonsensical, factually wrong, or potentially dangerous. To mitigate the risks associated with these inaccuracies, ahuman-in-the-loop (HITL)design policy is essential. This policy ensures that human judgment and contextual understanding are integrated into the AI's decision-making or output validation process.

According to theCisco SDSI v1.0objectives, while AI is exceptional at processing high volumes of data, it lacks the ethical and logical framework to consistently identify its own hallucinations. By implementing a HITL approach, subject matter experts can review AI-generated responses, code, or security alerts before they are acted upon. This human oversight allows for the identification of "logical leaps" or false information that automated filters might miss.

Whiledeep fakes(Option B) are typically addressed through cryptographic watermarking or origin tracking, andphishing(Option C) is mitigated via email security gateways and user training, hallucinations are an inherent flaw in the model's predictive nature that requires manual verification.Scale changes(Option D) refer to technical image manipulations and are not a primary concern for HITL policies. Incorporating human feedback—often throughReinforcement Learning from Human Feedback (RLHF)—allows the security infrastructure to refine the model's accuracy over time, ensuring that generative outputs remain reliable, safe, and aligned with organizational standards.

In a DevSecOps environment, "shifting left" means identifying risks before a single line of application code is even executed.Open API Specification (OAS) Analysisis a proactive technique where the "contract" of the API (the YAML or JSON file defining its endpoints, methods, and data structures) is audited for security flaws.

By analyzing the OAS, security tools can proactively identify if "destructive" methods—like DELETE or PATCH—lack proper authorization scopes or if sensitive fields (like PII or passwords) are being exposed in responses where they shouldn't be. This allows the developer to "score" the risk based on the API's design before moving into the implementation phase.

WhileSAST (Static Application Security Testing)(Option B) is vital for finding vulnerabilities in written source code, it occursafterthe code is written.SBOM (Software Bill of Materials) Generation(Option C) tracks third-party libraries but doesn't analyze API logic.CSPM (Cloud Security Posture Management)(Option D) focuses on the misconfiguration of the cloud infrastructure (like open S3 buckets) rather than the internal logic of the API itself. OAS Analysis specifically addresses the developer's need to validate access controls and sensitive data handling during the design and definition stage of API development.

A Security Operations Center (SOC) is often overwhelmed by thousands of alerts from various security tools. The primary tool used to aggregate, correlate, and—most importantly—prioritizethese incidents is theSecurity Information and Event Management (SIEM)system. According to the Cisco SDSI domain on Risk, Events, and Requirements, a SIEM acts as the central brain of the SOC.

A SIEM (such as Splunk or Cisco Secure Cloud Analytics) ingests logs from firewalls, endpoints, and cloud services. It uses correlation rules and risk-scoring algorithms to distinguish between low-priority "noise" and critical security incidents. For example, a single failed login might be ignored, but ten failed logins followed by a successful one and a large data transfer would be escalated as a high-priority incident.Endpoint Detection and Response (EDR)(Option B) andEndpoint Protection Platforms (EPP)(Option D) provide deep visibility and protection on individual hosts but lack the cross-platform correlation needed to prioritize organizational risk.CloudWatch(Option C) is a monitoring service for AWS resources but does not function as a multi-source security correlation engine. By using a SIEM, SOC analysts can focus their limited time on the most impactful threats, ensuring a more efficient and effective incident response process.

========