Practitioner Sample Questions Answers

When you enable URL Filtering, all web traffic is compared against the URL Filtering database, PAN-DB, which contains millions of URLs that have been grouped into about 65 categories.

A directory service is a database that contains information about users, resources, and services in a network.

An encoded string is a common technique used by attackers to obfuscate their malicious code or data. By decoding the string, a security operations engineer can reveal the true nature and intent of the attacker, and potentially discover indicators of compromise (IOCs) such as IP addresses, domain names, file names, etc. Decoding the string can also help the engineer to determine the type and severity of the incident, and the appropriate response actions. Therefore, decoding the string and continuing the investigation is the best option among the given choices. Saving the string to a new file and running it in a sandbox may be risky, as it could execute the malicious code and cause further damage. Running the string against VirusTotal may not yield any useful results, as the string may not be recognized by any antivirus engines. Appending the string to the investigation notes but not altering it may not provide any additional insight into the incident, and may delay the response process. References:

1: SANS Digital Forensics and Incident Response Blog | Strings, Strings, Are Wonderful Things

2: 5 Minute Forensics: Decoding PowerShell Payloads - Tevora

3: Known plaintext analysis of encoded strings - SANS Institute

4: Palo Alto Networks Certified Cybersecurity Entry-level Technician - Palo Alto Networks

5: 10 Palo Alto Networks PCCET Exam Practice Questions - CBT Nuggets

An Advanced Persistent Threat (APT) is a long-term, targeted cyberattack where data exfiltration is often the primary objective. Attackers maintain a covert presence in the network to steal sensitive information over time.

● Benign: Safe and does not exhibit malicious behavior

● Grayware: No security risk but might display obtrusive behavior (for example, adware,

spyware, and browser helper objects)

● Malware: Malicious in nature and intent and can pose a security threat (for example,

viruses, worms, trojans, root kits, botnets, and remote-access toolkits)

● Phishing: Malicious attempt to trick the recipient into revealing sensitive data

Routing Information Protocol (RIP) is an example of a distance-vector routing protocol that uses hop count as its routing metric. To prevent routing loops, in which packets effectively get stuck bouncing between various router nodes, RIP implements a hop limit of 15, which limits the size of networks that RIP can support. After a data packet crosses 15 router nodes (hops) between a source and a destination, the destination is considered unreachable.

In addition to local analysis, Cortex XDR can send unknown files to WildFire for discovery and deeper analysis to rapidly detect.

Cortex XSOAR enhances Security Operations Center (SOC) efficiency with the world’s most comprehensive operating platform for enterprise security. Cortex XSOAR unifies case management, automation, real-time collaboration, and native threat intel management in the industry’s first extended security orchestration, automation, and response (SOAR) offering.

The basic DNS record types are as follows:

● A (IPv4) or AAAA (IPv6) (Address): Maps a domain or subdomain to an IP address or

multiple IP addresses

● CNAME (Canonical Name): Maps a domain or subdomain to another hostname

● MX (Mail Exchanger): Specifies the hostname or hostnames of email servers for a domain

● PTR (Pointer): Points to a CNAME; commonly used for reverse DNS lookups that map an

IP address to a host in a domain or subdomain

● SOA (Start of Authority): Specifies authoritative information about a DNS zone such as

primary name server, email address of the domain administrator, and domain serial

number

● NS (Name Server): The NS record specifies aan authoritative name server for a given host.

● TXT (Text): Stores text-based information

 A routed protocol is a protocol by which data can be routed. It provides appropriate addressing information in its internet layer or network layer to allow a packet to be forwarded from one network to another network. Examples of routed protocols are the Internet Protocol (IP) and Internetwork Packet Exchange (IPX). IP is the most widely used routed protocol on the Internet and other networks. It assigns a unique logical address to each device and enables data to be fragmented, reassembled, and routed across multiple networks. References:

Routing v/s Routed Protocols in Computer Network

Routing protocol - Wikipedia

CCNA Certification: Routed Protocols vs Routing Protocols

What is the difference between Routing Protocols and Routed Protocols

A meddler-in-the-middle (MITM) attack is a type of Wi-Fi attack where the attacker intercepts and redirects the victim’s web traffic to serve content from a web server it controls. The attacker can use various techniques, such as ARP spoofing, DNS spoofing, or SSL stripping, to trick the victim into connecting to a rogue access point or a proxy server that acts as a middleman between the victim and the legitimate website. The attacker can then modify, inject, or drop the packets that are exchanged between the victim and the website, and perform malicious actions, such as stealing credentials, injecting malware, or displaying fake or misleading content. A MITM attack can compromise the confidentiality, integrity, and availability of the victim’s web traffic and expose them to various risks and threats. References:

What is a man-in-the-middle attack?

The 5 most dangerous Wi-Fi attacks, and how to fight them

What Are Sniffing Attacks, and How Can You Protect Yourself?

Containers encapsulate applications and their dependencies into lightweight, portable units that can run consistently across multiple environments. This abstraction supports cloud-native development by enabling microservices architectures, rapid deployment, and scaling within orchestration platforms like Kubernetes. Containers accelerate cloud migration by decoupling applications from infrastructure, facilitating automation, and continuous integration/continuous deployment (CI/CD) workflows. Palo Alto Networks addresses container security by integrating runtime protection, vulnerability scanning, and compliance enforcement within its Prisma Cloud platform, ensuring safe adoption of cloud-native tools and methodologies.

 In SecOps, the identify stage is the first step in the security operations lifecycle. It involves gaining knowledge and understanding of the possible security threats and establishing methods to detect, respond and proactively prevent them from occurring1. Two of the components included in the identify stage are:

Initial Research: This component involves gathering information about the organization’s assets, vulnerabilities, risks, and compliance requirements. It also involves identifying the key stakeholders, objectives, and metrics for the SecOps project2.

Content Engineering: This component involves developing and maintaining the security content, such as rules, policies, signatures, and alerts, that will be used by the SecOps tools and processes. It also involves testing and validating the security content for accuracy and effectiveness3.

 What is SecOps? (and what are the benefits and best practices?), SecOps - definition & overview, The Six Pillars of Effective Security Operations

Lateral movement is a key stage where the attacker moves across the network to find valuable targets.

Privilege escalation involves gaining higher access rights to expand control within the compromised environment.

Communication with covert channels is a tactic used during persistence or exfiltration, while deletion of critical data is not a standard APT lifecycle stage — it’s more characteristic of destructive attacks.

Heap spray attacks exploit memory management vulnerabilities by injecting malicious code into a program’s heap to manipulate execution flow. Endpoint Detection and Response (EDR) platforms monitor memory and process behavior on endpoints, enabling the detection of such memory-based exploits through anomaly and behavior analysis. Palo Alto Networks’ Cortex XDR equips SOC teams with the tools to detect, analyze, and respond to heap spray and other in-memory attacks on company laptops in real time. EDR’s endpoint-centric visibility is crucial since heap spray attacks operate below network layers and often bypass traditional perimeter defenses.

Signature-based systems struggle with polymorphic or obfuscated malware, which changes its code to avoid detection. Signature-based detection relies on static databases of known threat signatures, limiting its ability to identify new or unknown threats.

page 173 "AutoFocus makes over a billion samples and sessions, including billions of artifacts, immediately actionable for security analysis and response efforts. AutoFocus extends the product portfolio with the global threat intelligence and attack context needed to accelerate analysis, forensics, and hunting workflows. Together, the platform and AutoFocus move security teams away from legacy manual approaches that rely on aggregating a growing number of detectionbased alerts and post-event mitigation, to preventing sophisticated attacks and enabling proactive hunting activities."

SOAR stands for security orchestration, automation and response. It is a software solution that enables security teams to integrate and coordinate separate tools into streamlined threat response workflows. SOAR systems allow for accelerated incident response through the execution of standardized and automated playbooks that work upon inputs from security technology and other data flows. SOAR systems can also help ensure consistency, reduce human errors, and improve efficiency and scalability of security operations. References:

Security Operations Infrastructure from Palo Alto Networks

What is SOAR (security orchestration, automation and response)? from IBM

Security Operations Fundamentals (SOF) Flashcards from Quizlet

An evil twin is a type of Wi-Fi attack that involves setting up a fake malicious Wi-Fi hotspot with the same name as a legitimate network to trick users into connecting to it. The attacker can then intercept the user’s data, such as passwords, credit card numbers, or personal information. The victim initiates the connection by choosing the fake network from the list of available Wi-Fi networks, thinking it is the real one. The attacker can also use a deauthentication attack to disconnect the user from the legitimate network and force them to reconnect to the fake one. References:

Types of Wi-Fi Attacks You Need to Guard Your Business Against - TechGenix

Types of Wireless and Mobile Device Attacks - GeeksforGeeks

The 5 most dangerous Wi-Fi attacks, and how to fight them

What are Wi-Fi Attacks & How to Fight - Tech Resider

Prisma Cloud comprises four pillars:

● Visibility, governance, and compliance. Gain deep visibility into the security posture of

multicloud environments. Track everything that gets deployed with an automated asset

inventory, and maintain compliance with out-of-the-box governance policies that

enforce good behavior across your environments.

● Compute security. Secure hosts, containers, and serverless workloads throughout the

application lifecycle. Detect and prevent risks by integrating vulnerability intelligence into

your integrated development environment (IDE), software configuration management

(SCM), and CI/CD workflows. Enforce machine learning-based runtime protection to

protect applications and workloads in real time.

● Network protection. Continuously monitor network activity for anomalous behavior,

enforce microservice-aware micro-segmentation, and implement industry-leading

firewall protection. Protect the network perimeter and the connectivity between

containers and hosts.

● Identity security. Monitor and leverage user and entity behavior analytics (UEBA) across

your environments to detect and block malicious actions. Gain visibility into and enforce

governance p

 A sanctioned application is an application that is approved by the IT department and meets the security and compliance requirements of the organization. Sanctioned applications are allowed to access the organization’s network and data and are monitored and protected by the IT department. Examples of sanctioned applications are Office 365, Salesforce, and Zoom. Sanctioned applications are different from unsanctioned, prohibited, and tolerated applications, which are not approved by the IT department and may pose security risks to the organization. Unsanctioned applications are applications that are used by the employees without the IT department’s knowledge or consent, such as Dropbox, Gmail, or Facebook. Prohibited applications are applications that are explicitly forbidden by the IT department, such as BitTorrent, Tor, or malware. Tolerated applications are applications that are not approved by the IT department, but are not blocked or restricted, such as Skype, Spotify, or YouTube. References: Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET), Cloud Security Fundamentals - Module 4: Cloud Security Best Practices, Application Visibility and Control

Morphing code, also known as polymorphism, allows advanced malware to change its code structure with each iteration or infection. This makes it extremely difficult for traditional signature-based detection tools to recognize and block the malware consistently.

A next-generation firewall (NGFW) is a security component that can detect command-and-control (C2) traffic sent from multiple endpoints within a corporate data center. A NGFW is a network device that combines traditional firewall capabilities with advanced features such as application awareness, intrusion prevention, threat intelligence, and cloud-based analysis. A NGFW can identify and block C2 traffic by inspecting the application layer protocols, signatures, and behaviors of the network traffic, as well as correlating the traffic with external sources of threat intelligence. A NGFW can also leverage inline cloud analysis to detect and prevent zero-day C2 threats in real-time. A NGFW can provide granular visibility and control over the network traffic, as well as generate alerts and reports on the C2 activity. References:

Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET)

Command and Control, Tactic TA0011 - Enterprise | MITRE ATT&CK®

Advanced Threat Prevention: Inline Cloud Analysis - Palo Alto Networks

IoT devices often have constant internet connectivity and increased data sharing, making them more vulnerable to command-and-control (C2) attacks. Their limited security features and exposure to external networks provide attackers more opportunities to compromise and control them remotely.

Serverless architecture is primarily implemented through Function as a Service (FaaS), where developers write and deploy individual functions without managing the underlying infrastructure. The cloud provider handles scaling, resource allocation, and execution on demand.

IDSs and IPSs also can be classified as knowledge-based (or signature-based) or behavior-based (or statistical anomaly-based) systems:

● A knowledge-based system uses a database of known vulnerabilities and attack profiles

to identify intrusion attempts. These types of systems have lower false-alarm rates than

behavior-based systems but must be continually updated with new attack signatures to

be effective.

● A behavior-based system uses a baseline of normal network activity to identify unusual

patterns or levels of network activity that may be indicative of an intrusion attempt.

These types of systems are more adaptive than knowledge-based systems and therefore

may be more effective in detecting previously unknown vulnerabilities and attacks, but they have a much higher false-positive rate than knowledge-based systems

Attack communication traffic is usually hidden with various techniques and

tools, including:

● Encryption with SSL, SSH (Secure Shell), or some other custom or proprietary encryption

● Circumvention via proxies, remote access tools, or tunneling. In some instances, use of

cellular networks enables complete circumvention of the target network for attack C2 traffic.

● Port evasion using network anonymizers or port hopping to traverse over any available open

ports

● Fast Flux (or Dynamic DNS) to proxy through multiple infected endpoints or multiple,

ever-changing C2 servers to reroute traffic and make determination of the true destination

or attack source difficult

● DNS tunneling is used for C2 communications and data infiltration

MITRE is a not-for-profit organization that operates research and development centers sponsored by the federal government. MITRE maintains the Common Vulnerabilities and Exposures (CVE) catalog, which is a dictionary of common names for publicly known cybersecurity vulnerabilities. CVE’s common identifiers, called CVE Identifiers, make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools12. References:

Common Vulnerabilities and Exposures (CVE®)

CVE - CVE

A container-based NGFW is specifically designed to integrate with Kubernetes environments, providing full application visibility and control within containerized workloads. It operates at the pod level, making it ideal for securing dynamic microservices architectures.

● Reduce the attack surface: Best-of-breed technologies that are natively integrated provide a prevention architecture that inherently reduces the attack surface. This type of architecture allows organizations to exert positive control based on applications, users, and content, with support for open communication, orchestration, and visibility.

● Prevent all known threats, fast: A coordinated security platform accounts for the full scope of an attack across the various security controls that compose the security posture, thus enabling organizations to quickly identify and block known threats.

● Detect and prevent new, unknown threats with automation: Security that simply detects

threats and requires a manual response is too little, too late. Automated creation and

delivery of near-real-time protections against new threats to the various security solutions in the organization’s environments enable dynamic policy updates. These updates are

designed to allow enterprises to scale defenses with technology, rather than people.

A credit card number is an example of PII that you need to prevent from leaving your enterprise network. PII, or personally identifiable information, is any information that can be used to identify an individual, either alone or in combination with other data. PII can be sensitive or non-sensitive, depending on the level of protection required and the potential harm if exposed. Sensitive PII includes data that can directly identify an individual and cause significant harm if leaked or stolen, such as financial information, medical records, or government-issued ID numbers. Non-sensitive PII includes data that is easily accessible from public sources and does not pose a high risk of identity theft, such as zip code, race, or gender. A credit card number is a sensitive PII because it can be used to access the cardholder’s account, make fraudulent transactions, or steal their identity. Therefore, it is important to prevent credit card numbers from leaving the enterprise network, where they could be intercepted by hackers, malicious insiders, or third parties. To protect credit card numbers and other sensitive PII, enterprises should implement data security measures such as encryption, tokenization, masking, access control, auditing, and monitoring. Additionally, enterprises should comply with data privacy laws and standards that regulate the collection, use, and protection of PII, such as the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), or the California Consumer Privacy Act (CCPA). References:

What is PII? Examples, laws, and standards | CSO Online

What is Personally Identifiable Information (PII)? | IBM

What Is Personally Identifiable Information (PII)? Types and Examples

What is PII (personally identifiable information)? - Cloudflare

What is Personally Identifiable Information (PII)? - Data Privacy Manager

Authentication is the component of the AAA (Authentication, Authorization, and Accounting) framework that verifies user identities (e.g., via passwords, certificates, or biometrics) before granting access to network resources.

Cortex XDR is an endpoint product from Palo Alto Networks that can help with SOC visibility by allowing you to rapidly detect and respond to threats across your networks, endpoints, and clouds. It assists SOC analysts by allowing them to view all the alerts from all Palo Alto Networks products in one place, and to perform root cause analysis and automated response actions. Cortex XDR also integrates with other Palo Alto Networks products, such as WildFire, AutoFocus, and Cortex Data Lake, to provide comprehensive threat intelligence and data enrichment12. References:

SOC Services - Palo Alto Networks

Endpoint Protection - Palo Alto Networks

Security Operations | Palo Alto Networks

Cortex - Palo Alto Networks

A Type 1 hypervisor, also known as a bare-metal hypervisor, is a software layer that runs directly on the hardware of a physical host computer, without requiring an underlying operating system. A Type 1 hypervisor can create and manage multiple isolated virtual machines (VMs), each with its own virtual (or guest) operating system and applications. A Type 1 hypervisor is hardened against cyber attacks, as it has a smaller attack surface and fewer vulnerabilities than a Type 2 hypervisor, which runs within an operating system. A Type 1 hypervisor also offers better performance, scalability, and resource utilization than a Type 2 hypervisor. References: 10 Palo Alto Networks PCCET Exam Practice Questions, Palo Alto Networks Certified Cybersecurity Entry-level Technician v1.0, FREE Cybersecurity Education Courses.

A serverless function is an event-driven snippet of code that runs on managed infrastructure, typically as part of a Function as a Service (FaaS) model. It is executed in response to events such as HTTP requests or database changes, and the cloud provider handles the underlying infrastructure.

PCI DSS stands for Payment Card Industry Data Security Standard, which is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment1. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the major card brands2. PCI DSS covers 12 requirements for compliance, organized into six control objectives, such as building and maintaining a secure network and systems, protecting cardholder data, and implementing strong access control measures3. References: Payment Card Industry Security Standards, PCI Security Standards Council – Protect Payment Data with Industry-driven Security Standards, Training, and Programs, What is PCI Compliance? 12 Requirements & More - Digital Guardian

 Palo Alto Networks Cortex XDR is an extended detection and response platform that provides endpoint protection, threat detection, and incident response capabilities. When an endpoint is asked to run an executable, Cortex XDR does the following steps1:

First, it sends the executable to WildFire, a cloud-based malware analysis and prevention service, to determine if it is malicious or benign. WildFire uses static and dynamic analysis, machine learning, and threat intelligence to analyze the executable and provide a verdict in seconds2.

Next, it checks the execution policy, which is a set of rules that define what actions are allowed or blocked on the endpoint. The execution policy can be configured by the administrator to enforce granular control over the endpoint behavior3.

Then, it runs a static analysis, which is a technique that examines the executable without executing it. Static analysis can identify malicious indicators, such as file signatures, hashes, strings, and embedded resources4.

Finally, it runs a dynamic analysis, which is a technique that executes the executable in a sandboxed environment and monitors its behavior. Dynamic analysis can detect malicious activities, such as network connections, registry changes, file modifications, and process injections4.

Cortex XDR Endpoint Protection Overview

WildFire Overview

[Execution Policy]

[Static and Dynamic Analysis]

Originally designed as a tool to assist organizations with compliance and industry-specific regulations, security information and event management (SIEM) is a technology that has been around for almost two decades

Layer 4 of the TCP/IP model is the transport layer, which is responsible for providing reliable and efficient data transmission between hosts. The transport layer can use different protocols, such as TCP or UDP, depending on the requirements of the application. The transport layer also performs functions such as segmentation, acknowledgement, flow control, and error recovery. 1

The transport layer of the TCP/IP model corresponds to three layers of the OSI model: the transport layer, the session layer, and the presentation layer. The session layer of the OSI model manages the establishment, maintenance, and termination of sessions between applications. The session layer also provides services such as synchronization, dialogue control, and security. The presentation layer of the OSI model handles the representation, encoding, and formatting of data for the application layer. The presentation layer also performs functions such as compression, encryption, and translation. 23

IaaS (Infrastructure as a Service) is a cloud computing model that delivers on-demand infrastructure resources to organizations via the cloud, such as compute, storage, networking, and virtualization1. Customers do not have to manage, maintain, or update their own data center infrastructure, but are responsible for the operating system, middleware, virtual machines, and any apps or data1. Therefore, IaaS gives customers full control over the operating system(s) running on their cloud computing platform, as well as the flexibility to customize and configure their infrastructure according to their needs2. References: What are the different types of cloud computing? | Google Cloud, PaaS vs IaaS vs SaaS: What’s the difference? | Google Cloud

Examples of serverless environments include Amazon Lambda and Azure Functions. Many PaaS offerings, such as Pivotal Cloud Foundry, also are effectively serverless even if they have not historically been marketed as such. Although serverless may appear to lack the container-specific, cloud native attribute, containers are extensively used in the underlying implementations, even if those implementations are not exposed to end users directly.

Security Operations (SecOps) is the process of coordinating and aligning security teams and IT teams to improve the security posture of an organization. SecOps involves implementing and maintaining security controls, technologies, policies, and procedures to protect the organization from cyber threats and incidents. When dealing with a known attack, SecOps must take the following action: document, monitor, and track the incident. This action is important because it helps SecOps to:

•Record the details of the attack, such as the source, target, impact, timeline, and response actions.

•Monitor the status and progress of the incident response and recovery efforts, as well as the ongoing threat activity and indicators of compromise.

•Track the performance and effectiveness of the security controls and technologies, as well as the lessons learned and improvement opportunities. References:

•Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET)

•6 Incident Response Steps to Take After a Security Event - Exabeam

•Dealing with Cyber Attacks–Steps You Need to Know | NIST

Least privileges access control is the capability of a Zero Trust network security architecture that leverages the combination of application, user, and content identification to prevent unauthorized access. Least privileges access control means that users and devices are only granted the permissions they need to perform their tasks, and nothing more. This helps reduce the attack surface and makes it more difficult for attackers to gain access to sensitive data or resources. Least privileges access control is based on the principle of Zero Trust, which assumes that there are attackers both within and outside of the network, so no users or devices should be automatically trusted. Zero Trust verifies user identity and privileges as well as device identity and security, and requires end-to-end encryption. Least privileges access control also involves careful management of user permissions and network segmentation, which limit the amount of information and length of time people can access something, and contain the damage if someone does get unauthorized access. References: What Is Zero Trust Architecture? | Microsoft Security, Zero Trust security | What is a Zero Trust network? | Cloudflare, What is Zero Trust Architecture? | SANS Institute, What Is a Zero Trust Architecture? | Zscaler, What is Zero Trust Architecture (ZTA)? - CrowdStrike.

Phishing is a type of email attack where the attacker sends a lot of malicious emails in an untargeted way, pretending to be a trusted source, such as a bank or an online retailer, to trick users into revealing sensitive information, such as passwords or credit card numbers. Attackers use the information to steal money or to launch other attacks. A fake email from a bank asking you to click a link and verify your account details is an example of phishing1 References:

1: Palo Alto Networks Certified Cybersecurity Entry-level Technician - Palo Alto Networks

2: 10 Palo Alto Networks PCCET Exam Practice Questions - CBT Nuggets

3: Types of Email Attacks - Examples and Consequences - Tessian

4: What Is a Phishing Attack? Definition and Types - Cisco

Port hopping is a technique that changes protocols at random during a session to evade detection and analysis by security devices. Port hopping can be used by malware or attackers to communicate with command and control servers or to exfiltrate data. Port hopping makes it difficult to identify and block malicious traffic based on port numbers or signatures. References: Port Hopping, Ports Used for Management Functions, Adding a Custom Application/Ports to Security Policy

A Jasager attack is a type of wireless man-in-the-middle attack that exploits the way mobile devices search for known wireless networks. A Jasager device will respond to any beacon request from a mobile device by saying “Yes, I’m here”, pretending to be one of the preferred networks. This way, the Jasager device can trick the mobile device into connecting to it, without the user’s knowledge or consent. The Jasager device can then intercept, modify, or redirect the traffic of the victim. For this attack to work, the attacker needs to be within close proximity of the victim, and the victim must have at least one known network in their preferred list. The victim does not need to manually choose the attacker’s access point, nor does the attacker try to get victims to connect at random. References: Wireless Man in the Middle - Palo Alto Networks, Man-in-the-middle attacks with malicious & rogue Wi-Fi access points - Privacy Guides

Full-disk encryption is a method of protecting data on a laptop that has been stolen by encrypting the entire hard drive, making it unreadable without the correct password or key. This prevents unauthorized access to the proprietary data stored on the laptop, even if the thief removes the hard drive and connects it to another device. Full-disk encryption can be enabled using built-in features such as BitLocker on Windows or FileVault on macOS, or using third-party software such as Absolute Home & Office12. References: How to Protect your Data if a Laptop is Lost or Stolen, What to do when your laptop is stolen, Palo Alto Networks Certified Cybersecurity Entry-level Technician

SaaS applications are cloud-based software that users can access from anywhere and any device. This poses a challenge for organizations to ensure that their employees are using the SaaS applications in a secure and compliant manner. Therefore, organizations need to establish and enforce acceptable use policies (AUPs) for SaaS applications that define the rules and guidelines for accessing and using the applications, such as who can use them, what data can be stored or shared, and what actions are prohibited12. AUPs help organizations to protect their data, prevent unauthorized access, and comply with local regulations and standards3. References: Using Software as a Service (SaaS) securely - NCSC, Minimum Security Standards for Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) | University IT, How to Secure Your SaaS Applications - CyberArk

Multiple policies, no policy reconciliation tools: Sequential traffic analysis (stateful inspection, application control, intrusion prevention system (IPS), anti-malware, etc.) in traditional data center security solutions requires a corresponding security policy or profile, often using multiple management tools. The result is that your security policies become convoluted as you build and manage a firewall policy with source, destination, user, port, and action; an application control policy with similar rules; and any other threat prevention rules required. Multiple security policies that mix positive (firewall) and negative (application control, IPS, and anti-malware) control models can cause security holes by missing traffic and/or not identifying

Attack Surface Management (ASM) platforms focus on continuous discovery and monitoring of all internet-facing assets, both internal and external, to identify attack vectors, vulnerabilities, and exposures that could be exploited by threat actors.

 A switch is a network device that connects multiple devices on a local area network (LAN) and forwards data packets between them. A switch can be identified by its icon, which is a rectangle with four curved lines on each side. In the attached network diagram, device D is the switch, as it matches the icon and connects three computers to device A, which is another network device. References:

[What is a Network Switch and How Does it Work?]

[Network Diagram Symbols and Icons | Lucidchart]

A knowledge-based system uses a database of known vulnerabilities and attack profiles

to identify intrusion attempts. These types of systems have lower false-alarm rates than

behavior-based systems but must be continually updated with new attack signatures to

be effective.

● A behavior-based system uses a baseline of normal network activity to identify unusual

patterns or levels of network activity that may be indicative of an intrusion attempt.

These types of systems are more adaptive than knowledge-based systems and therefore

may be more effective in detecting previously unknown vulnerabilities and attacks, but

they have a much higher false-positive rate than knowledge-based systems.

SecOps is the organizational function that is responsible for security automation and eventual vetting of the solution to help ensure consistency through machine-driven responses to security issues. SecOps is a collaboration between security and operations teams that aims to align their goals, processes, and tools to improve security posture and efficiency. SecOps can leverage automation to simplify and accelerate security tasks, such as threat detection, incident response, vulnerability management, compliance enforcement, and more. Security automation can also reduce human errors, enhance scalability, and free up resources for more strategic initiatives. References:

SecOps from Palo Alto Networks

What is security automation? from Red Hat

What is Security Automation? from Check Point Software

 If an endpoint does not know how to reach its destination, it will send data to the specified default gateway. A default gateway is a device that routes traffic from a local network to other networks or the internet. The endpoint will use the default gateway’s IP address as the next hop for packets that are destined for unknown or remote networks. The default gateway will then forward the packets to the appropriate destination or another gateway, based on its routing table. References:

Fundamentals of Network Security, Module 2: Networking Concepts, Lesson 2: IP Addressing and Routing1

PCCET Study Guide, Section 2.2: Describe IP Addressing and Routing2

A layer 2 switch will break up collision domains but not broadcast domains. To break up broadcast domains you need a Layer 3 switch with vlan capabilities.

Detection of threats using data analysis – SIEM platforms analyze collected data to identify suspicious patterns and detect threats.

Ingestion of log data – SIEM systems collect and centralize log data from various sources, which is essential for analysis, correlation, and alerting.

Automation and prevention are more aligned with SOAR and firewall/EDR functionalities, not the core operations of SIEM.

SOAR tools ingest aggregated alerts from detection sources (such as SIEMs, network security tools, and mailboxes) before executing automatable, process-driven playbooks to enrich and respond to these alerts.

page 211 "Consolidating servers within trust levels: Organizations often consolidate servers within the same trust level into a single virtual computing environment: ... ... ... This virtual systems capability enables a single physical device to be used to simultaneously meet the unique requirements of multiple VMs or groups of VMs. Control and protection of inter-host traffic with physical network security appliances that are properly positioned and configured is the primary security focus."

Cortex XDR is a cloud-based, advanced endpoint protection solution that combines multiple methods of prevention against known and unknown malware, ransomware, and exploits. Cortex XDR uses behavioral threat protection, exploit prevention, and local analysis to stop the execution of malicious programs before an endpoint can be compromised. Cortex XDR also enables remediation on the endpoint following an alert or investigation, giving administrators the option to isolate, terminate, block, or quarantine malicious files or processes. Cortex XDR is part of the Cortex platform, which provides unified visibility and detection across the network, endpoint, and cloud. References:

Cortex XDR - Palo Alto Networks

Endpoint Protection - Palo Alto Networks

Endpoint Security - Palo Alto Networks

Preventing Malware and Ransomware With Traps - Palo Alto Networks

Cloud-hosted refers to the deployment of traditional on-premises software on cloud-based servers. This approach allows organizations to run their applications in the cloud without re-architecting them for cloud-native environments.

To deliver secure east-west flows and secure Kubernetes workloads in a public cloud environment, you have two deployment options available: VM-Series and CN-Series.

VM-Series is a virtualized form factor of the Palo Alto Networks next-generation firewall that can be deployed in public cloud platforms such as AWS, Azure, Google Cloud, and Oracle Cloud. VM-Series provides comprehensive network security and threat prevention capabilities for protecting your cloud workloads and applications from cyberattacks. VM-Series can also integrate with native cloud services and third-party tools to enable automation, orchestration, and visibility across your cloud environment. VM-Series supports various deployment scenarios, such as securing internet-facing applications, protecting hybrid connectivity, segmenting internal networks, and enabling secure DevOps12.

CN-Series is a containerized form factor of the Palo Alto Networks next-generation firewall that can be deployed in Kubernetes environments. CN-Series provides granular network security and threat prevention capabilities for protecting your Kubernetes pods and namespaces from cyberattacks. CN-Series can also integrate with Kubernetes network plugins and services to enable dynamic policy enforcement, service discovery, and visibility across your Kubernetes clusters. CN-Series supports various deployment scenarios, such as securing ingress and egress traffic, enforcing microsegmentation, and enabling secure DevSecOps34.

VM-Series in Public Cloud

VM-Series Deployment Guide

CN-Series in Kubernetes

CN-Series Deployment Guide

Local systems can eliminate vulnerabilities by patching systems and software effectively and continuously. Patching is the process of applying updates or fixes to software or hardware components that have known vulnerabilities or bugs. Patching can prevent attackers from exploiting these vulnerabilities and compromising the security or functionality of the systems. Patching should be done regularly and promptly, as new vulnerabilities are constantly discovered and exploited by cybercriminals. Patching should also be done effectively, meaning that the patches are tested and verified before deployment, and that they do not introduce new vulnerabilities or issues. Patching should also be done continuously, meaning that the systems are monitored for new vulnerabilities and patches are applied as soon as they are available. Continuous patching can reduce the window of opportunity for attackers to exploit unpatched vulnerabilities and cause damage or data breaches. References:

•1: What is Patch Management? | Palo Alto Networks

•2: Patch Management Best Practices: How to Keep Your Systems Secure | Snyk

•3: Vulnerability Remediation Process - 4 Steps to Remediation | Snyk

Virtual firewalls offer the advantage of dynamic scalability, making them ideal for internal segmentation in data centers. They can be quickly deployed, resized, and adjusted to meet the needs of changing workloads and environments, unlike physical firewalls which require fixed hardware resources.