Zscaler EDU 200 - Essentials - ZDTA Study set
How do most major security breaches begin?
An attacker finding your attack surface
What are features of the Security Services Cyber Protection Suite?
Antivirus, Adv. Threat Protection, Sandbox, IPS, Deception, WAF, Browser Isolation
What does the ZDX Deep Trace feature do?
Collects more information about the user's device, targeting a specific application.
How do cyber attacks generally occur?
Cyber attacks follow the same general pattern. First comes finding the attack surface, then initial compromise, then lateral movement, and finally data loss through exfiltration, encryption or extortion.
You can operationalize ZDX Alerting by feeding the alerts into your existing tools using: (Select 2) Options: - API - Email - Webhooks - SMTP - DNS
Email, Webhooks
Zscaler offers ML based data discovery for many thematic document categories such as: (Select 3)
Legal documents; Medical records; Images such as passports, driving licenses, etc.
How are Newly Observed Domains (NODs) different than Newly Registered Domains (NRDs)?
NRDs were registered recently, whereas NODs may have been registered some time ago but have never been observed with actual clients visiting them, which makes them suspicious
Traditional access control powered by legacy on-prem firewalls is zone-based and provides network-to-network access; why is this ineffective? Options: - Zones inherently are built for rigorous micro-segmentation at a hostname or even a process-to-process level - Network-to-network access allows for lateral propagation, which increases the attack surface in the event of a compromise - Linux and IoT devices are incompatible with zones - It is not possible to set up Layer 7 application rules for different zones, including a demilitarized zone (DMZ)
Network-to-network access allows for lateral propagation, which increases the attack surface in the event of a compromise
OCR (Optical Character Recognition) is necessary for which of the following?
OCR helps protect sensitive data in images, image files and handwritten texts
The Zero Trust Exchange, Zscaler's inline security platform, is powered by data centers that sit in how many locations?
Over 150 data centers globally
The ZDX Web Probe provides which of the following metrics? Options: 1. GET Codes, TCP Sliding Window, Page Errors, and Availability 2. Page Fetch Time, DNS Time, Server Response Time, and Availability 3. TCP Connect time, HTTP Response Codes, and Page Load Times 4. Browser Load Times is the main metric
Page Fetch Time, DNS Time, Server Response Time, and Availability
How does Zscaler Private Access authenticate end users? Options: - Username and Password in a form-based auth - Hosted DB - SAML - SCIM
SAML
What does the app profile PAC URL define?
The Zero Trust Exchange node to be used based on the client's geographic IP information.
What component of SAML authentication is the Service Provider (SP)?
Zscaler acts as a SAML SP
You want Zscaler Client Connector to automatically redirect to your corporate SAML IDP on launch. Which installer options should you configure to do so? (Select 2)
--cloudName, --userDomain
ZDX Deep Tracing can be leveraged to get granular data on demand from a user's device. How granular can the probing frequency get? Options: - 1 minute - 5 minutes - 3 minutes - 2 minutes
1 minute
How does SAML authentication work using Zscaler?
1. Request Application 2. Redirect to Zscaler SP (ZIA/ZPA) 3. Login Request 4. Redirect to SAML IdP 5. Login to IdP 6. SAML Assertion Identity 7. SAML 8. Auth Token issued 9. Access granted to application
By how much has hybrid work increased ticket resolution time?
30%
You have data centers in New York, San Francisco, London, and Hong Kong. Each data center hosts multiple applications, and all have internet connectivity. What is the MINIMUM number of App Connectors you should deploy for production? Options: - 4, one per DC - 6, one per DC, plus 2 for cold standby - 8, 2 per DC - 16, 4 DC's and each requires a connector to build a mesh to the other DC's
8, 2 per DC
Why is SSL/TLS inspection critical in a security architecture? Options: - It is not important - QUIC is an encrypted protocol that rides on SSL; hence, it is important from an HTTP/3 inspection perspective - 85-90% of all internet traffic is SSL/TLS encrypted (including threats), as protocols such as HTTP/2 are only delivered over TLS; SSL/TLS inspection allows you to inspect the connection and look at the full payload, including HTTP headers, which is important to be able to block malicious traffic and prevent sensitive data from leaking out of an organization - A MITM (man-in-the-middle) attack should always be performed, even for certificate-pinned applications, as it allows for real-time visibility and storing transactions in plain text for further inspection by a third auditing party
85-90% of all internet traffic is SSL/TLS encrypted (including threats), as protocols such as HTTP/2 are only delivered over TLS; SSL/TLS inspection allows you to inspect the connection and look at the full payload, including HTTP headers, which is important to be able to block malicious traffic and prevent sensitive data from leaking out of an organization
What is Zscaler ThreatLabZ?
A best-in-class security threat research team of more than 100 security researchers who analyze security trends and help keep Zscaler's signature databases up to date
What is an Application Segment? (Select 3) Options: - A mechanism to append DNS Suffixes to short names - A list of FQDNs or IP Addresses - A list of TCP or UDP Ports - A wildcard domain - Segments define the network subnets applications exist on
A list of FQDNs or IP Addresses; A list of TCP or UDP Ports; A wildcard domain
How are app connectors deployed?
A provisioning key is created for each connector group; it is signed by an intermediate certificate authority, and the intermediate is trusted by the root CA. Clients are enrolled against a client intermediate certificate authority.
What is a spear phishing attack?
A type of attack in which malicious files or attachments are sent in an email, luring the user to open them
Which are the acceptable actions for Firewall policy? (Select 3) Options: - Allow - Block/Drop - Block/Reset - Block/FIN+ACK - Redirect
Allow, Block/Drop, Block/Reset
What are security assertions?
Also known as tokens, they are issued to users by the IdP and presented to SPs/RPs to confirm authentication. Trust is based on Public Key Infrastructure (PKI). Assertions may contain: Authentication, Attribute, or Authorization statements.
A server group maps _____ to ____? Options: - App Connectors Groups to Application Segments - Applications to FQDNs - FQDNs to IP Addresses - Applications to Application Groups
App Connectors Groups to Application Segments
What are the different Alerting Criteria available in ZDX? Options: - Application, Device, Network, and ZDX Score - Device, Protocol, User Experience, and Web Probe - Web Probe, Cloud Path Probes, DNS, and TCP Timeout - CPU, DNS, ZDX Score, and RUM
Application, Device, Network, and ZDX Score
What aspects of the user experience does ZDX monitor?
Application, Device, and Network, along with data received from Microsoft Teams and Zoom Integration
What is the function of the auto proxy forwarding firewall configuration? Options: - Automatically forwarding traffic from all ports and protocols to Zscaler's proxy. - Automatically detecting web traffic (e.g., FTP, HTTPS) coming in on non-standard ports and forwarding it to Zscaler's proxy - Blocking traffic destined for a web proxy - Turning the firewall into a makeshift proxy in case the Zscaler cloud is down
Automatically detecting web traffic (e.g., FTP, HTTPS) coming in on non-standard ports and forwarding it to Zscaler's proxy
What is the best practice for a cloud-gen firewall in terms of having default rules? Options: - Block everything and start allowing what your users need to access - Allow all, even risky ports and protocols - Allow all, with certain exceptions, for specific ports and protocols (e.g., port 22, SSH) - Block ICMP packets
Block everything and start allowing what your users need to access
What are features of the Connectivity Services Suite?
Browser Access, Client Connector, Branch Connector, Cloud Connector, SD-WAN/Any Router
Zscaler offers user notification and coaching via which of the following mechanisms? (Select 3)
Browser Notification (Browser based); Slack Connector (Application based); Zscaler Workflow Automation (Client Connector pop-up)
Which check guarantees identification of a corporate-managed device by the Zscaler Client Connector?
Client Certificate & Non-Exportable private key
Cloud Path can provide visibility over which paths? Options: - Cloud Path can provide visibility into the traffic going directly via ZIA and ZPA - In tunnels formed over ZIA using ZCC Tunnel 2.0 only - Mainly tunnels which are running ZPA (mtunnels) - Direct Internet traffic only, as it is not possible to traceroute via Layer 7 Proxy
Cloud Path can provide visibility into the traffic going directly via ZIA and ZPA
What are features of the Security Services Data Protection Suite?
Cloud and Endpoint DLP, Browser Isolation, Inline and Out of Band CASB, SSPM, CSPM/CIEM/IaC
What is a possible data exfiltration channel?
Cloud based personal email, file sharing, and collaboration tools
Zscaler offers fully integrated data protection for all channels, which includes: (Select 3)
Cloud channels such as data in motion or data at rest in SaaS applications; Endpoint; Email
SSPM (SaaS Security Posture Management) enables organizations to find which of the following:
Cloud misconfigurations and compliance violations
What is typically the second step of a breach after an attacker finds your attack surface?
Compromise, for example through a phishing link that someone may click, which could infect their machine with malware
What conditions exist for Trusted Network Detection? Options: - Hostname Resolution, Network Adaptor IP, Default Gateway - Hostname Resolution, DNS Servers, Geo Location - DNS Search Domain, DNS Server, Hostname Resolution - DNS Servers, DNS Search Domain, Network Adaptor IP
DNS Search Domain, DNS Server, Hostname Resolution
What are features of the Access Control Services Suite?
DNS, Firewall, URL/Web Filtering, App Segmentation, Micro-Segmentation, Tenant Restrictions, Bandwidth QoS, Private App Access, Adaptive Access
What tunnel methods does ZTunnel 2.0 use?
DTLS with a fallback to TLS
What address translation options are available in the Firewall policy? (Select 3) Options: - Destination Port Translation - Source IP Translation to static IP - Destination IP Translation to static IP - Source Port Translation - Destination IP Translation to FQDN
Destination Port Translation, Destination IP Translation to static IP, Destination IP Translation to FQDN
What is used to detect if a SAML assertion was modified after being issued? Options: - XML - Digital Signatures - Attributes - Tokens
Digital Signatures
EDM (Exact Data Match) is an advanced DLP feature that does which of the following?
EDM enables organizations to perform a structured data match on specific types of data, e.g. a column of credit card numbers
What are features of Digital Experience?
Endpoint Monitoring, Network Monitoring, Application Monitoring, UCaaS Monitoring
Why is it important for a cloud-gen firewall to implement DPI signatures? Options: - Evasive apps like BitTorrent can often disguise themselves as coming from a standard port, and it is critical to identify and block these applications - Web traffic only traverses ports 80 and 443, so IPS engines are geared towards these ports to help people identify malicious web traffic - In high-traffic volume situations, IPS signatures will help reduce false positives - IPS signatures are lightweight and can therefore be handled by traditional firewalls
Evasive apps like BitTorrent can often disguise themselves as coming from a standard port, and it is critical to identify and block these applications
How often will Zscaler Client Connector download the PAC file of the app profiles and the forwarding profiles?
Every 15 minutes
How often does the Zscaler Client Connector check for software updates? Options: - Every 2 hours - Every 6 hours - Every 12 hours - Every 24 hours
Every 2 hours
How often does ZDX probe an application?
Every 5 minutes
How often does Zscaler Client Connector download policy updates for the app profiles and forwarding profiles?
Every hour
Contextual DLP policy includes (Select 3):
File Type Control, Cloud App Control, Tenancy Restrictions
Browser Based Access enables what kinds of applications to be published? Options: - HTTP and HTTPS - RDP and SSH - Telnet and RDP - HTTP, HTTPS, and SSH
HTTP and HTTPS
A Cloud Path supports the following protocols for probing: (Select 3) 1. BGP 2. ICMP 3. TCP 4. UDP
ICMP, TCP, UDP
What component of SAML authentication is the Identity Provider (IdP)?
IdP examples include: Okta, Ping, AD FS, Azure AD
Where is the control to prevent a user from exiting Zscaler Client Connector? Options: - It's a ZCC Installer option - In the Forwarding Profile - In the Application Profile - Under Administration, Advanced Settings
In the Application Profile
Define a zero trust connection
Independent of any network for control or trust. Zero trust ensures access is granted by never sharing the network between the originator and the destination application.
Which services can coexist on an Application Segment? Options: - Isolation, Browser Access, and Inspection - RDP, SSH, and Inspection - Inspection, Isolation, and RDP - CIFS, RDP, and SSJ
Isolation, Browser Access, and Inspection
In what way does Zscaler's Identity Proxy enable authentication to SaaS applications? Options: - Injecting identity headers into the HTTP request - SSL Inspection - Browser Isolation - Issuing SAML assertions
Issuing SAML assertions
Zscaler Private Access isolation policy controls what? Options: - It prevents two clients on the same network from communicating (peer to peer) - It triggers Zscaler Client Connector to prevent access to all applications - It controls Browser Based Access to redirect the session into a web container - It moves all user traffic into a container on the client
It controls Browser Based Access to redirect the session into a web container
What is the purpose of the Client Forwarding policy? Options: - It defines which Zero Trust Exchange data centers are used - It controls whether Zscaler Internet Access, Private Access, or Digital Experience is enabled in the client - It defines which Application Segments definitions are downloaded by the Zscaler Client Connector - It enables forwarding of traffic from ZIA to ZPA for source IP anchoring
It defines which Application Segments definitions are downloaded by the Zscaler Client Connector
What functionality does SCIM provide?
It supports the addition, deletion, and updating of users as well as the ability to apply policy based on SCIM user or group attributes.
What is Ransomware?
Malware that steals data and encrypts it
Zscaler supports data at rest scanning with DLP and Cloud Sandbox using which technology?
OOB CASB
Once a phishing attack occurs and a user is directed to malicious content, which of the following typically occurs?
One or more files are downloaded, with the attacker also attempting to download secondary payloads onto the user's machine; an outbound command and control channel is established from the user's device to the adversary's infrastructure; the adversary gains full control over the endpoint
Why is it important for cloud-gen firewalls to provide consistent and adaptive policy, regardless of a user's location? Options: - Post-COVID, with hybrid work becoming the norm, it is important to get the same firewall policies irrespective of where the user may be located - The impossible traveler scenario means that a user could legitimately be located in two locations at once, and should get the same firewall rules - With return to work, it is standard policy to override the trusted network security stack and default to cloud firewall rules - Evasive threats can originate from many different locations, so firewalls must be deployed at the point of the threat's origin
Post-COVID, with hybrid work becoming the norm, it is important to get the same firewall policies irrespective of where the user may be located
Why is Z-Tunnel 2.0 superior to Z-Tunnel 1.0? (Select 3) Options: - Provides a control channel to update device - Faster transport mechanism - Allows multicast traffic - Enables Cloud Firewall - Z-Tunnel 1.0 is no longer supported
Provides a control channel to update device, Faster transport mechanism, Enables Cloud Firewall
What does the Zscaler Cloud Firewall do?
Provides complete control over all ports and protocols as well as applications and/or services for all Zscaler users
The way to apply a consistent firewall policy for roaming users is to select the ________ location type in the "All Firewall Filtering Rule" settings. Options: - Bangalore - Global - Road Warrior - It's more complicated than this - you need to configure SCIM, and one of the SCIM attributes needs to be able to do a dynamic geo-IP lookup to determine if a user is on the road or not
Road Warrior
In order for Zscaler to enforce policy based on accessing devices, what method is best used by IdPs to share information about a user's accessing device? Options: - Kerberos - SAML - Header Injection - Mobile Device Management
SAML
In Zscaler Private Access policy, which criteria can be used to control access? (Select 3) Options: - Zero Trust Exchange data center - SAML or SCIM Attribute - Client Connector Posture and Trusted Network - Client Type - Zscaler Internet Access Enabled
SAML or SCIM Attribute; Client Connector Posture and Trusted Network; Client Type
How does Zscaler Internet Access authenticate users? (Select 3) Options: - SAML - SCIM - LDAP - Hosted Database
SAML, LDAP, Hosted Database
Privileged Remote Access supports which protocols? (Select 2) Options: - SSH - RDP - CIFS - HTTP/HTTPS
SSH, RDP
What connection methods are used for Zscaler browser access?
SSL is always used for the outside connection, whereas HTTP or HTTPS may be used internally.
What is the fastest way to change a user's access entitlements?
Send different attributes via SCIM
What does a forwarding profile PAC do?
Steers traffic toward or away from the Client Connector
What does an app profile PAC do?
Steers traffic toward or away from the Zscaler Cloud
What are features of the Platform Services Suite?
TLS Decryption, Policy Framework, Incident Response/Workflow, Discovery, Device Posture, Reporting/Logging, Risk Score, Analytics/UEBA, AI/ML, Private Service Edge
To protect sensitive data, organizations must inspect the content inline with data classification capabilities such as predefined dictionaries, custom dictionaries, etc. (True or False)
TRUE
How is a SAML assertion delivered to Zscaler? Options: - The IdP sends it via an HTTP post directly to the SP via a backend API - The SP sends it via an HTTP post directly to the IdP via a backend API - The IdP sends it via the user's browser to the SP - The SP sends it via a trusted authority to the IdP
The IdP sends it via the user's browser to the SP (Uses a form POST submitted via JavaScript)
What mechanism identifies the Zero Trust Exchange node to be used for Zscaler Tunnels? Options: - The PAC file used in the Forwarding Profile - The Machine Key used in the Application Profile - The IP ranges included/excluded in the App Profile - The PAC file used in the Application Profile
The PAC file used in the Application Profile
What is the Zscaler Page Risk score?
The Page Risk score is a slider on the Advanced Threat Protection configuration page, which allows a user to pre-select what level of risk they are comfortable with on particular websites; the risk itself is computed on a scale of 0-100 by looking at several factors including the top-level domain, the user agent, whether certain HTTP headers are missing, whether a high-entropy domain name is being used, and several other factors
To be able to monitor the Zoom or Teams call quality statistics using ZDX, which of the following requirements must be met? (Select 2) Options: - All the Zoom and Teams traffic should traverse over ZIA - The Zoom and Teams tenants should be added under the Applications tab - Zoom and Teams traffic can traverse via ZIA or directly without ZIA - Teams and Zoom traffic has to traverse over ZPA so that we SSL decrypt it and provide statistics - Teams and Zoom traffic has to traverse over both ZIA and ZPA
The Zoom and Teams tenants should be added under the Applications tab; Zoom and Teams traffic can traverse via ZIA or directly without ZIA
When moving from an Explicit Proxy to a Tunneled/Transparent Proxy - what, if any, effects will be seen on the client? (Select 3) Options: - No Effect - The client will always resolve DNS - The client browser needs re-configuration - Authenticated websites may no longer work - An Explicit Proxy and a Transparent Proxy are the same thing
The client will always resolve DNS; The client browser needs re-configuration; Authenticated websites may no longer work
Do most organizations around the world inspect 100% of all SSL/TLS encrypted traffic? Options: - Yes - in fact the inspected percentage can be higher than 100% due to double inspection - The reality is more nuanced - certain traffic exclusions for healthcare and financial websites may be required depending on the organization's choice - that is why the Zscaler platform has the ability to bypass SSL inspection for certain categories of websites. Furthermore, certain types of latency-sensitive traffic such as UCaaS should be bypassed, so organizations rarely inspect all traffic - The average inspection percentage is 99%, with only certain global bypasses for developer environments based on a pre-defined list that Zscaler defines which cannot be changed - This is a best practice that is recommended only in retail, due to retail-specific ransomware threats that are seasonal
The reality is more nuanced - certain traffic exclusions for healthcare and financial websites may be required depending on the organization's choice - that is why the Zscaler platform has the ability to bypass SSL inspection for certain categories of websites. Furthermore, certain types of latency-sensitive traffic such as UCaaS should be bypassed, so organizations rarely inspect all traffic
How do app connectors work?
They establish connections through the firewall to the Zscaler cloud and the Zero Trust Exchange facilitates a reverse connection.
What benefits does a Zscaler Tunnel have over other forwarding mechanisms for Zscaler Client Connector? Options: - Tunnels are the only mechanism to install ZCC - Tunnels enable only HTTP and HTTPS traffic to be forwarded by ZCC - Tunnels enable Zscaler to control the end user device - Tunnels encapsulate traffic and authenticate to the Zero Trust Exchange
Tunnels encapsulate traffic and authenticate to the Zero Trust Exchange
When enrolling Zscaler Client Connector against the Zero Trust Exchange, how many times does the user authenticate to the SAML IDP? Options: - Once - Twice. One for ZIA, one for ZPA - Three times. One for ZIA, one for ZPA, one for ZDX - Multiple times. Each request for ZIA or ZPA results in a connection to the IDP to validate credentials
Twice. One for ZIA, one for ZPA
How does ZTunnel 1.0 work?
Uses an HTTP CONNECT tunnel. Uses 2 tunnels: one connects to the ZTE for authentication, enrollment, and passing traffic; the other is used for applying policy updates every 60 minutes.
TLS Inspection provides what functionality? (Select 3) Options: - Validation of certificate and issuer - Ability to decrypt and scan encrypted content - Policy for which traffic should be inspected - Harvests session keys from Zscaler Client Connector for decryption of payload - Decryption of transport in Zero Trust Exchange, and passes unencrypted through Zscaler Tunnels to endpoint
Validation of certificate and issuer; Ability to decrypt and scan encrypted content; Policy for which traffic should be inspected
How can Zscaler integrate with third-party firewall configuration management vendors so that customers can create and read firewall rules programmatically? Options: - Via a ticketing system, where third-parties file a ticket - Via a full CRUD API so customers can create, read, update, and delete firewall rules - This is not possible - rules must be configured in the Admin UI - Through natural language processing algorithms in a Slack integration
Via a full CRUD API so customers can create, read, update, and delete firewall rules
What are the two probe types that are configured while configuring an application in the ZDX Administrator portal? Options: - HTML and Network Probes - MTR and HTTP POST Probes - Web Probe and Cloudpath Probes - Traceroute Probe and Network Auth Probes
Web Probe and Cloudpath Probes
SSL inspection is important in order to see
What's good and what's bad inside a connection, since most connections are encrypted, in order to understand if there is any malware coming in and/or if there's any sensitive data leaking out.
What does the predefined firewall rule called 'Zscaler proxy traffic' enable? Options: - Whitelist the IP addresses of Zscaler data centers, which is important so that traffic can reach the Zero Trust Exchange - Whitelist the legacy on-prem proxy vendor's public IP addresses, e.g., a Bluecoat proxy - Configure failover between Zscaler data centers - Implement a Layer 2 MAC header-based security group tag to allow for a match on specific Zscaler hardware located in data centers around the world
Whitelist the IP addresses of Zscaler data centers, which is important so that traffic can reach the Zero Trust Exchange
Which of the ZDX functionalities leverages Machine Learning to assist with Automated Root Cause Analysis? Options: - AI Ops Function - AutoRCA - ChatZDX - Y-Engine
Y-Engine
With Zero Trust, if we use the analogy of publishing your phone number, then:
Your phone number is unpublished and only authorized parties can call you
Which of the following statements are correct regarding Call Quality Monitoring? Options: 1. ZDX monitors application performance and isn't a tool that helps with Call Quality Monitoring for Zoom and Teams 2. ZDX supports call quality monitoring for Microsoft Teams only 3. ZDX supports call quality monitoring for Zoom only using APIs 4. ZDX supports call quality monitoring for both Zoom and Teams
ZDX supports call quality monitoring for both Zoom and Teams
What options for TLS Inspection Certificates are available? (Select 2) Options: - Zscaler Root Certificate Authority - Customer Root Certificate Authority - Verisign Root CA - Microsoft Azure Certificate Authority
Zscaler Root Certificate Authority, Customer Root Certificate Authority
How much of an organization's traffic can Zscaler perform SSL/TLS inspection on? Options: - Zscaler inspects and decrypts 100% of TLS traffic without constraints - Up to 50%, based on the geography from which a customer is logging in - All traffic except for zero-day malicious files, which cannot be inspected due to evasive techniques built into the file's process list - All traffic except for traffic originating from SaaS providers such as Salesforce, who utilize special SSL evasion techniques
Zscaler inspects and decrypts 100% of TLS traffic without constraints