Pass4Future also provide interactive practice exam software for preparing Cisco Designing Cisco Security Infrastructure (300-745) Exam effectively. You are welcome to explore sample free Cisco 300-745 Exam questions below and also try Cisco 300-745 Exam practice test software.
Do you know that you can access more real Cisco 300-745 exam questions via Premium Access? ()
A technology company recently onboarded a new customer in the medical space. The customer needs a solution to provide data integrity across remote sites. Which solution must be used to meet this requirement?
Answer : A
In the context of the Cisco Security Infrastructure (300-745 SDSI) objectives, ensuring data integrity is a fundamental requirement, particularly in the healthcare sector where the accuracy of medical records at remote sites is critical for patient safety. Hashing is the primary mathematical process used to verify that data has not been altered or tampered with during transit between locations.
Hashing works by applying a cryptographic algorithm (such as SHA-256) to a data set to produce a fixed-size string of characters called a 'hash' or 'checksum.' When data is sent from one remote site to another, the sender calculates a hash of the original data. Upon arrival, the receiving site recalculates the hash using the same algorithm. If the two hashes match exactly, the receiver is assured that the data is identical to the original and has maintained its integrity. Even a single-bit change in the original data would result in a completely different hash value.
While Authentication (Option D) and Preshared Keys (Option C) are essential for verifying the identity of the sites and establishing secure tunnels (like IPsec VPNs), they do not, by themselves, provide the mathematical proof of content integrity. Data Masking (Option B) is a privacy technique used to hide sensitive information from unauthorized viewers, but it does not prevent or detect data corruption or unauthorized modifications. Therefore, hashing is the specified technical control for achieving verifiable data integrity across distributed infrastructures.
A manufacturing company recently experienced a network-down scenario due to malware spread on the management network. The company wants to implement a solution to detect and mitigate a similar threat in the future and protect the overall network. Which solution meets the requirements?
Answer : A
The spread of malware across a sensitive segment like the management network highlights a failure in host-level security and internal visibility. To detect and mitigate the spread of such threats and protect the overall network, Endpoint Detection and Response (EDR) is the most effective choice among the options. In the Cisco security ecosystem, the endpoint is often the last line of defense and the most critical source of telemetry for malware incidents.
By deploying an EDR solution like Cisco Secure Endpoint, the manufacturing company gains the ability to identify the 'patient zero' of the infection. EDR uses advanced features like Device Traversal and Lateral Movement detection to see how malware moves from one machine to another over the management network. Once detected, the security team can use the EDR platform to initiate a 'host isolation' command, effectively cutting off the infected device's communication with the rest of the network without physically unplugging it. While Encrypted Threat Analytics (ETA) (Option C) is a powerful network-based feature for detecting malware in encrypted traffic without decryption, EDR provides the most granular control and response capabilities specifically for malware residing on and spreading between hosts. RADIUS (Option B) and IPsec VPNs (Option D) focus on access control and encryption of data in transit, respectively, but do not provide the behavioral analysis needed to stop a running malware outbreak once the network has already been accessed.
A software development company relies on GitHub for managing the source code and is committed to maintaining application security. The company must ensure that known software vulnerabilities are not introduced to the application. The company needs a capability within GitHub that can analyze semantic versioning and flag any software components that pose security risks. Which GitHub feature must be used?
Answer : A
In modern DevSecOps, managing third-party dependencies is a major security challenge. Dependabot (often stylized as Depend-a-bot) is the specific GitHub feature designed to automate the identification and updating of vulnerable dependencies. It works by scanning the application's manifest files (like package.json or requirements.txt) and analyzing the semantic versioning of the included libraries.
When a known vulnerability (CVE) is reported in a specific version of a library used by the application, Dependabot flags the security risk and alerts the development team. Most importantly, it can automatically generate pull requests to upgrade the dependency to the minimum secure version that resolves the vulnerability. This ensures that the application remains secure without requiring manual tracking of every third-party component.
While GitHub Actions (Option C) can be used to run security scanners (like SAST tools), it is a general automation framework, not a dedicated dependency analysis tool. Artifact attestations (Option D) are used to prove the provenance and integrity of a build, and Sealed boxes (Option B) is not a standard GitHub security feature related to vulnerability scanning. Utilizing Dependabot directly supports the Cisco SDSI objective of 'Securing the CI/CD pipeline' by proactively managing the Software Bill of Materials (SBOM) and ensuring that vulnerable components do not reach the production environment.
Network administrators at a medical facility cannot log in to network devices because of excessive resource consumption and high CPU utilization. The situation has led to delays in routine maintenance and troubleshooting, which affects overall network performance. An engineer must optimize the handling of traffic to reduce the impact and maintain consistent access and operational efficiency. Which approach must be implemented to meet the requirement?
Answer : A
The scenario described---where high CPU utilization prevents administrators from accessing device management interfaces---is a classic indication that the device's Control Plane is being overwhelmed by malicious or malformed traffic (such as a DoS attack or a routing loop). To protect the 'brains' of the network device, Control Plane Policing (CoPP) must be implemented.
CoPP allows an engineer to define filter and rate-limit policies specifically for traffic destined for the CPU. By categorizing traffic into different classes (e.g., routing protocols, management traffic like SSH, and 'catch-all' untrusted traffic), CoPP ensures that critical management and control traffic is prioritized while excessive or suspicious traffic is dropped before it can impact the device's performance. This maintains operational efficiency even during a traffic spike or attack. While AAA (Option B) handles authentication and RBAC (Option D) manages permissions once a user is logged in, neither can prevent the CPU exhaustion that blocks the login attempt in the first place. SNMP (Option C) is used for monitoring but does not provide active traffic policing. Within the Cisco SDSI framework, CoPP is a fundamental 'Self-Defending Network' feature required to ensure the availability and resilience of the core infrastructure.
========
Which design policy addresses harmful content creation by generative AI?
Answer : D
The creation of harmful content (such as hate speech, misinformation, or malicious code) by generative AI models is a major concern in modern security design. The most effective design policy to mitigate this is the Human-in-the-loop (HITL) approach. This involves integrating human oversight and intervention at various stages of the AI's operation, particularly during the verification of the model's output before it is published or acted upon.
According to Cisco SDSI objectives regarding AI security, HITL ensures that automated decisions are subject to ethical judgment and contextual awareness that AI currently lacks. Humans can provide 'Reinforcement Learning from Human Feedback' (RLHF) to tune the model's safety filters, ensuring it refuses to generate toxic or prohibited content. While Watermarking (Option B) helps identify content as AI-generated after the fact, it does not prevent the creation of harmful material. Retrieval Augmented Generation (RAG) (Option C) is a technique for grounding AI in specific data to reduce 'hallucinations' but doesn't inherently filter for harmful intent. Quantum resistant encryption (Option A) is a cryptographic standard unrelated to content moderation. HITL remains the primary safeguard for ensuring AI outputs align with safety guidelines and organizational requirements.
========
