350-701 · Question #15
An engineer used a posture check on a Microsoft Windows endpoint and discovered that the MS17-010 patch was not installed, which left the endpoint vulnerable to WannaCry ransomware. Which two solution
The correct answer is A. Configure a posture policy in Cisco Identity Services Engine to install the MS17-010 patch before C. Configure a posture policy in Cisco Identity Services Engine to check that an endpoint patch level. Cisco ISE posture policies can check for and enforce the installation of critical patches like MS17-010 to mitigate ransomware vulnerabilities.
Question
An engineer used a posture check on a Microsoft Windows endpoint and discovered that the MS17-010 patch was not installed, which left the endpoint vulnerable to WannaCry ransomware. Which two solutions mitigate the risk of this ransomware infection? (Choose two.)
Exhibit
Options
- AConfigure a posture policy in Cisco Identity Services Engine to install the MS17-010 patch before
- BSet up a profiling policy in Cisco Identity Service Engine to check and endpoint patch level before
- CConfigure a posture policy in Cisco Identity Services Engine to check that an endpoint patch level
- DConfigure endpoint firewall policies to stop the exploit traffic from being allowed to run and
- ESet up a well-defined endpoint patching strategy to ensure that endpoints have critical
How the community answered
(62 responses)- A81% (50)
- B5% (3)
- D11% (7)
- E3% (2)
Why each option
Cisco ISE posture policies can check for and enforce the installation of critical patches like MS17-010 to mitigate ransomware vulnerabilities.
Cisco Identity Services Engine (ISE) posture policies can be configured not only to detect missing patches like MS17-010 but also to automatically initiate or enforce the installation of these patches, thereby remediating the vulnerability before granting network access.
Profiling in Cisco ISE identifies and categorizes endpoints based on various attributes but is not used to check for specific patch levels or to initiate patch installation for posture compliance.
A Cisco Identity Services Engine (ISE) posture policy can be configured to check that an endpoint has the required MS17-010 patch installed as a condition for determining its compliance and eligibility for network access.
While endpoint firewall policies can help prevent the spread or execution of exploit traffic post-compromise, they do not directly address or remediate the root vulnerability of a missing patch.
Setting up a well-defined endpoint patching strategy is a good overall practice but does not represent a specific, immediate technical solution using Cisco products to mitigate the discovered vulnerability as the other options do.
Concept tested: Cisco ISE Posture Remediation (Patch Management)
Source: https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ISE_admin_guide_27/b_ISE_admin_guide_27_chapter_0100.html
Topics
Community Discussion
No community discussion yet for this question.
