NSK100 Exam Question Set: Updated October 2023 Test Questions to Help You Pass [Q22-Q44]


The NSK100 practice test has 62 questions, updated to the latest 2023 version.

Question # 22
What are two primary advantages of Netskope's Secure Access Service Edge (SASE) architecture? (Choose two.)

  • A. Endpoint Detection and Response (EDR)
  • B. no on-premises hardware required for policy enforcement
  • C. Bayesian spam filtering
  • D. single management console

Correct answer: B, D

Explanation:
Two primary advantages of Netskope's Secure Access Service Edge (SASE) architecture are: no on-premises hardware required for policy enforcement and single management console. Netskope's SASE architecture delivers network and security services as cloud-based services that can be accessed from any location and device. This eliminates the need for on-premises hardware appliances such as firewalls, proxies, VPNs, etc., that are costly to maintain and scale. Netskope's SASE architecture also provides a single management console that allows administrators to configure and monitor all the network and security services from one place. This simplifies IT operations and reduces complexity and overhead. References: Netskope SASE; What is SASE?


Question # 23
What are two pillars of CASB? (Choose two.)

  • A. cloud native
  • B. SASE
  • C. compliance
  • D. visibility

Correct answer: C, D

Explanation:
Two pillars of CASB are visibility and compliance. CASB stands for Cloud Access Security Broker, which is a solution that provides visibility and control over cloud services and web traffic, as well as data and threat protection for cloud users and devices. Visibility is the capability to identify all cloud services in use and assess their risk factors, such as security, auditability, business continuity, etc. Compliance is the capability to ensure that cloud services and data meet the regulatory standards and policies of the organization or industry, such as GDPR, HIPAA, PCI DSS, etc. References: What Is a Cloud Access Security Broker (CASB)? | Microsoft; CASB Guide: What are the 4 Pillars of CASB? - Security Service Edge


Question # 24
Which two functions are available for both inline and API protection? (Choose two.)

  • A. multi-factor authentication
  • B. DLP
  • C. Cloud Security Posture Management (CSPM)
  • D. threat protection

Correct answer: B, D

Explanation:
Netskope provides both inline and API protection for cloud applications and web traffic. Inline protection refers to the real-time inspection and enforcement of policies on the traffic between users and cloud applications, using Netskope's inline proxy mode. API protection refers to the retrospective inspection and enforcement of policies on the data that is already stored in cloud applications, using Netskope's API connectors. Two functions that are available for both inline and API protection are threat protection and DLP.
Threat protection is the capability to detect and block malware, ransomware, phishing, and other cyber threats that may compromise cloud data or users. DLP is the capability to detect and protect sensitive data, such as personal information, intellectual property, or regulated data, that may be exposed or leaked through cloud applications. References: Netskope Inline Proxy Mode; Netskope API Protection; Netskope Threat Protection; Netskope DLP Engine


Question # 25
You consume application infrastructure (middleware) capabilities by a third-party provider. What is the cloud service model that you are using in this scenario?

  • A. DaaS
  • B. PaaS
  • C. SaaS
  • D. MaaS

Correct answer: B

Explanation:
If you consume application infrastructure (middleware) capabilities by a third-party provider, then the cloud service model that you are using in this scenario is PaaS, which stands for Platform as a Service. PaaS is a cloud service model that provides customers with a platform to develop, run, and manage applications without having to deal with the underlying infrastructure or software. PaaS typically includes middleware capabilities such as databases, web servers, development tools, integration services, etc., that customers can use to build and deploy their applications faster and easier. MaaS, DaaS, and SaaS are not cloud service models that match this scenario, as they stand for different types of services. MaaS stands for Monitoring as a Service, which is a service that provides customers with tools to monitor and manage their cloud resources and performance.
DaaS stands for Desktop as a Service, which is a service that provides customers with virtual desktops that they can access from any device or location. SaaS stands for Software as a Service, which is a service that provides customers with software applications that they can use over the internet without installing or maintaining them. References: [PaaS], [MaaS], [DaaS], [SaaS].


Question # 26
You are working with traffic from applications with pinned certificates. In this scenario, which statement is correct?

  • A. Traffic with pinned certificates should be blocked.
  • B. The domains used by certificate-pinned applications should be added to the authentication bypass list.
  • C. The domains used by applications with pinned certificates should be allowed in an inline policy.
  • D. An exception should be added to the steering configuration.

Correct answer: D

Explanation:
When working with traffic from applications with pinned certificates, you should add an exception to the steering configuration to bypass them. Pinned certificates are a security technique that prevents man-in-the-middle attacks by validating the server certificates against a hardcoded list of certificates in the application. If you try to intercept or inspect the traffic from such applications, they will reject the connection or display an error message. Therefore, you should add the domains used by certificate-pinned applications as exceptions in your steering configuration, so that they are not steered to Netskope for analysis and enforcement. References: Certificate Pinned Applications; Creating a Steering Configuration


Question # 27
When would an administrator need to use a tombstone file?

  • A. You use a tombstone file when a policy causes a file to be moved to legal hold.
  • B. You use a tombstone file when a policy causes a file download to be blocked.
  • C. You use a tombstone file when a policy causes a publicly shared file to be encrypted.
  • D. You use a tombstone file when the policy causes a file to be moved to quarantine.

Correct answer: D

Explanation:
A tombstone file is a placeholder file that replaces the original file when it is moved to quarantine by a Netskope policy. The tombstone file contains information about the original file, such as its name, size, type, owner, and the reason why it was quarantined. The tombstone file also provides a link to the Netskope UI where the administrator or the file owner can view more details about the incident and take appropriate actions, such as restoring or deleting the file. The purpose of using a tombstone file is to preserve the metadata and location of the original file, as well as to notify the users about the quarantine action and how to access the file if needed. References: Threat Protection - Netskope Knowledge Portal; Netskope threat protection - Netskope


Question # 28
Your department is asked to report on GDPR data publicly exposed in Microsoft 365, Salesforce, and Slack-sanctioned cloud applications. Which deployment model would you use to discover this data?

  • A. inline protection
  • B. API-enabled protection
  • C. on-premises appliance
  • D. reverse proxy

Correct answer: B

Explanation:
To discover GDPR data publicly exposed in Microsoft 365, Salesforce, and Slack-sanctioned cloud applications, you need to use a deployment model that allows Netskope to access and scan the data stored in these applications using out-of-band API connections. The deployment model that would match this requirement is API-enabled protection, which is a feature in the Netskope platform that allows you to connect your sanctioned cloud applications to Netskope using API connectors. This enables you to discover sensitive data, enforce near real-time policy controls, and quarantine malware in your cloud applications without affecting user experience or performance. You can use Netskope's data loss prevention (DLP) engine to scan for GDPR data in your cloud applications and identify any public exposure or sharing settings that may violate the regulation. A reverse proxy, an on-premises appliance, or an inline protection are not deployment models that would help you discover GDPR data publicly exposed in your sanctioned cloud applications, as they are more suitable for inline modes that rely on intercepting traffic to and from these applications in real time, rather than accessing data stored in these applications using APIs. References: [Netskope SaaS API-enabled Protection], [Netskope Data Loss Prevention].


Question # 29
You just deployed the Netskope client in Web mode and several users mention that their messenger application is no longer working. Although you have a specific real-time policy that allows this application, upon further investigation you discover that it is using proprietary encryption. You need to permit access to all the users and maintain some visibility.
In this scenario, which configuration change would accomplish this task?

  • A. Edit the steering configuration and add a steering exception for the messenger application.
  • B. Change the real-time policy to block the messenger application.
  • C. Create a new custom cloud application using the custom connector that can be used in the real-time policy.
  • D. Add a policy in the SSL decryption section to bypass the messenger domain(s).

Correct answer: D

Explanation:
In this scenario, you have deployed the Netskope client in Web mode, which is a feature that allows you to steer your users' web traffic to Netskope for inspection and policy enforcement. However, some users report that their messenger application is no longer working, even though you have a specific real-time policy that allows this application. Upon further investigation, you discover that the messenger application is using proprietary encryption, which means that Netskope cannot decrypt or inspect the traffic from this application.
To resolve this issue, you need to permit access to all the users and maintain some visibility. The configuration change that would accomplish this task is to add a policy in the SSL decryption section to bypass the messenger domain(s). This will allow Netskope to skip the decryption process for the traffic from the messenger application and pass it through without any modification. However, Netskope will still be able to log some basic information about the traffic, such as source, destination, bytes, etc., for visibility purposes.
Changing the real-time policy to block the messenger application, creating a new custom cloud application using the custom connector, or editing the steering configuration and adding a steering exception for the messenger application are not configuration changes that would accomplish this task, as they would either prevent access to the application, require additional steps or resources, or reduce visibility. References: [Netskope Client], Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 4: Decryption Policy.


Question # 30
When using an out-of-band API connection with your sanctioned cloud service, what are two capabilities available to the administrator? (Choose two.)

  • A. to find sensitive content
  • B. to block uploads
  • C. to quarantine malware
  • D. to allow real-time access

Correct answer: A, C

Explanation:
When using an out-of-band API connection with your sanctioned cloud service, two capabilities available to the administrator are: to quarantine malware and to find sensitive content. An out-of-band API connection is a method of integrating Netskope with your cloud service provider using the APIs exposed by the cloud service.
This allows Netskope to access the data that is already stored in the cloud service and perform retrospective inspection and enforcement of policies. One capability that the administrator can use with an out-of-band API connection is to quarantine malware. This means that Netskope can scan the files in the cloud service for malware, ransomware, phishing, and other threats, and move them to a quarantine folder or delete them if they are found to be malicious. Another capability that the administrator can use with an out-of-band API connection is to find sensitive content. This means that Netskope can scan the files in the cloud service for sensitive data, such as personal information, intellectual property, or regulated data, and apply data loss prevention (DLP) policies to protect them. For example, Netskope can encrypt, redact, or watermark the files that contain sensitive content, or notify the administrator or the file owner about the exposure. References: Netskope API Protection; Real-time Control and Data Protection via Out-of-Band API


Question # 31
Which two traffic steering configurations are supported by Netskope? (Choose two.)

  • A. all Web traffic including cloud applications
  • B. cloud applications only
  • C. Web traffic only
  • D. browser isolation traffic only

Correct answer: A, B

Explanation:
The two traffic steering configurations that are supported by Netskope are cloud applications only and all Web traffic including cloud applications. These configurations allow you to control what kind of traffic gets steered to Netskope for real-time deep analysis and what kind of traffic gets bypassed. You can choose one of these options for both on-premises and off-premises scenarios, depending on your network environment and security needs. You can also create exceptions for specific domains, IP addresses, or certificate-pinned applications that you want to bypass or steer regardless of the configuration option. References: Steering Configuration; Creating a Steering Configuration


Question # 32
In which scenario would you use a SAML reverse proxy?

  • A. When the organization wants to perform inline inspection of cloud application traffic for roaming users that do not have the Netskope agent installed.
  • B. When the API-enabled protection exceeds the Cloud App API usage limits and cannot be used anymore.
  • C. When there are multiple SAML IdPs in use and the SAML reverse proxy can help federate them all together.
  • D. When PAC files or explicit proxies can be used to steer traffic to the Netskope platform.

Correct answer: C

Explanation:
A SAML reverse proxy is a service that acts as an intermediary between a SAML service provider (SP) and one or more SAML identity providers (IdPs). It can perform various functions, such as authentication, authorization, load balancing, caching, etc. One scenario where you would use a SAML reverse proxy is when there are multiple SAML IdPs in use and the SAML reverse proxy can help federate them all together. For example, suppose you have an internal application that needs to authenticate users from different domains or organizations, each with their own SAML IdP. Instead of configuring the application to trust each IdP separately, you can use a SAML reverse proxy to act as a single SP for the application and a single IdP for the users. The SAML reverse proxy can then redirect the users to their respective IdPs for authentication and relay the SAML assertions back to the application. This way, you can simplify the integration and management of multiple SAML IdPs and provide a seamless user experience. References: SAML Reverse Proxy; What is application proxy & SAML SSO?


Question # 33
You are creating a real-time policy for cloud applications.
In addition to users, groups, and organizational units, which two source criteria would support this scenario?
(Choose two.)

  • A. browser version
  • B. protocol version
  • C. device classification
  • D. access method

Correct answer: C, D

Explanation:
When creating a real-time policy for cloud applications, you can use access method and device classification as source criteria, in addition to users, groups, and organizational units. Access method refers to how the user accesses the cloud application, such as browser, sync client, mobile app, etc. Device classification refers to the type of device used by the user, such as managed or unmanaged, Windows or Mac, etc. These criteria can help you define granular policies based on different scenarios and risks. References: [Creating Real-Time Policies for Cloud Applications]


Question # 34
Which two controls are covered by Netskope's security platform? (Choose two.)

  • A. EDR
  • B. VPN
  • C. ZTNA
  • D. CASB

Correct answer: C, D

Explanation:
Netskope's security platform covers two controls: ZTNA and CASB. ZTNA stands for Zero Trust Network Access, which is a solution that provides secure and granular access to private applications without exposing them to the internet or requiring VPNs. CASB stands for Cloud Access Security Broker, which is a solution that provides visibility and control over cloud services and web traffic, as well as data and threat protection for cloud users and devices. References: Netskope Platform; Netskope ZTNA; Netskope CASB


Question # 35
You want to take into account some recent adjustments to CCI scoring that were made in your Netskope tenant.
In this scenario, which two CCI aspects in the UI would be used in a real-time protection policy? (Choose two.)

  • A. App Tag
  • B. CCL
  • C. GDPR Readiness
  • D. App Score

Correct answer: A, D

Explanation:
To take into account some recent adjustments to CCI scoring that were made in your Netskope tenant, you can use the App Tag and App Score aspects in the UI to create a real-time protection policy. The App Tag is a label that indicates the level of enterprise readiness of a cloud app based on its CCI score. The App Score is a numerical value that represents the CCI score of a cloud app based on various criteria such as security, auditability, and business continuity. You can use these aspects to filter cloud apps by their CCI ratings and apply policies accordingly. For example, you can create a policy that blocks access to cloud apps with an App Tag of Poor or an App Score below 50. References: Netskope Cloud Confidence Index; Creating Real-Time Policies for Cloud Applications


Question # 36
You want to enable Netskope to gain visibility into your users' cloud application activities in an inline mode.
In this scenario, which two deployment methods would match your inline use case? (Choose two.)

  • A. Use a reverse proxy.
  • B. Use a log parser.
  • C. Use an API connector.
  • D. Use a forward proxy.

Correct answer: A, D

Explanation:
To enable Netskope to gain visibility into your users' cloud application activities in an inline mode, you need to use a deployment method that allows Netskope to intercept and inspect the traffic between your users and the cloud applications in real time. Two deployment methods that would match your inline use case are: use a forward proxy and use a reverse proxy. A forward proxy is a deployment method that allows Netskope to act as a proxy server for your users' outbound traffic to the internet. You can configure your users' devices or browsers to send their traffic to Netskope's proxy server, either manually or using PAC files or VPN profiles.
A reverse proxy is a deployment method that allows Netskope to act as a proxy server for your users' inbound traffic from specific cloud applications. You can configure your cloud applications to redirect their traffic to Netskope's proxy server, either using custom URLs or certificates. Using an API connector or a log parser are not deployment methods that would match your inline use case, as they are more suitable for out-of-band modes that rely on accessing data and events from the cloud applications using APIs or logs, rather than intercepting traffic in real time. References: [Netskope Inline CASB], Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 3: Steering Configuration, Lesson 4: Forward Proxy and Lesson 5: Reverse Proxy.


Question # 37
You want to prevent Man-in-the-Middle (MITM) attacks on an encrypted website or application. In this scenario, which method would you use?

  • A. Use a weaker encryption algorithm.
  • B. Use a proxy for the connection.
  • C. Use a stronger encryption algorithm.
  • D. Use certificate pinning.

Correct answer: D

Explanation:
To prevent Man-in-the-Middle (MITM) attacks on an encrypted website or application, one method that you can use is certificate pinning. Certificate pinning is a technique that restricts which certificates are considered valid for a particular website or application, limiting risk. Instead of allowing any trusted certificate to be used, operators "pin" the certificate authority (CA) issuer(s), public keys or even end-entity certificates of their choice. Certificate pinning helps to prevent MITM attacks by validating the server certificates against a hardcoded list of certificates in the website or application. If an attacker tries to intercept or modify the traffic using a fraudulent or compromised certificate, it will be rejected by the website or application as invalid, even if it is signed by a trusted CA. References: Certificate pinning - IBM; Certificate and Public Key Pinning | OWASP Foundation


Question # 38
Which two common security frameworks are used today to assess and validate a vendor's security practices?
(Choose two.)

  • A. Data Science Council of America
  • B. NIST Cybersecurity Framework
  • C. ISO 27001
  • D. Building Security in Maturity Model

Correct answer: C, D

Explanation:
The Building Security in Maturity Model (BSIMM) is a framework that measures and compares the security activities of different organizations. It helps organizations to assess their current security practices and identify areas for improvement. ISO 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining, and improving an information security management system. It helps organizations to manage their information security risks and demonstrate their compliance with best practices. Data Science Council of America (DASCA) is not a security framework, but a credentialing body for data science professionals. NIST Cybersecurity Framework (NIST CSF) is a security framework, but it is not commonly used to assess and validate a vendor's security practices, as it is more focused on improving the cybersecurity of critical infrastructure sectors in the United States. References: [BSIMM], [ISO 27001], [DASCA], [NIST CSF].


Question # 39
Which two cloud security and infrastructure enablement technologies does Secure Access Service Edge (SASE) combine into its unified platform? (Choose two.)

  • A. Unified Threat Management (UTM)
  • B. Distributed Denial of Service Protection (DDoS)
  • C. Cloud Access Security Broker (CASB)
  • D. Zero Trust Network Access (ZTNA)

Correct answer: C, D

Explanation:
Secure Access Service Edge (SASE) is a cloud-based architecture that combines various cloud security and infrastructure enablement technologies into a unified platform that delivers security and networking services from the edge of the network. Two of these technologies are Zero Trust Network Access (ZTNA) and Cloud Access Security Broker (CASB). ZTNA is a technology that provides secure access to private applications without exposing them to the internet or using VPNs. It uses identity-based policies and encryption to grant granular access to authorized users and devices, regardless of their location or network. CASB is a technology that provides visibility and control over cloud applications (SaaS) used by users and devices. It uses API connections or inline proxies to inspect and enforce policies on data and activities in cloud applications, such as data loss prevention, threat protection, or compliance. Distributed Denial of Service Protection (DDoS) and Unified Threat Management (UTM) are not technologies that SASE combines into its unified platform, although they may be related or integrated with some of its components. References: [SASE], [ZTNA], [CASB].


Question # 40
What is the limitation of using a legacy proxy compared to Netskope's solution?

  • A. To enforce policies, traffic needs to traverse back through a customer's on-premises security stack.
  • B. Legacy solutions offer higher performance and scalability for corporate and remote users.
  • C. Legacy on-premises solutions fail to provide protection for traffic from on-premises users.
  • D. Netskope architecture requires on-premises components.

Correct answer: A

Explanation:
A limitation of using a legacy proxy compared to Netskope's solution is that to enforce policies, traffic needs to traverse back through a customer's on-premises security stack. This creates latency, bandwidth, and scalability issues for remote users and cloud applications. Netskope's solution, on the other hand, leverages a cloud-native architecture that provides high-performance and scalable inspection of traffic from any location and device. References: [Netskope Architecture Overview]


Question # 41

Click the Exhibit button.
Referring to the exhibit, which statement accurately describes the difference between Source IP (Egress) and Source IP (User) address?

  • A. Source IP (Egress) is the public IP address of your Internet edge router while Source IP (User) is the address assigned to the endpoint.
  • B. You must always leave the source IP fields blank and configure the user identity as a source criteria.
  • C. Source IP (Egress) is the IP address assigned to the endpoint host IP address while Source IP (User) is the public IP address of your Internet edge router.
  • D. Source IP (Egress) is the IP address of the destination Web server while Source IP (User) is the IP address assigned to your network.

Correct answer: A

Explanation:
The statement that accurately describes the difference between Source IP (Egress) and Source IP (User) address is: Source IP (Egress) is the public IP address of your Internet edge router while Source IP (User) is the address assigned to the endpoint. Source IP (Egress) is the IP address that is visible to external networks when you send traffic from your network to the Internet. It is usually the IP address of your Internet edge router or gateway that performs NAT (Network Address Translation). Source IP (User) is the IP address that is assigned to your endpoint device, such as a laptop or a smartphone, within your network. It is usually a private IP address that is not routable on the Internet. You can use these two criteria to filter traffic based on where it originates from within your network or outside your network. References: Source Address / Source Port vs Destination Address / Destination Port; How to explain Source IP Address, Destination IP Address & Service in easy way


Question # 42
You need to block all users from uploading data files into risky collaboration applications. Which element must you configure within Netskope's CASB to accomplish this task?

  • A. real-time policy
  • B. DLP Rule
  • C. DLP Profile
  • D. block notification

Correct answer: A

Explanation:
A real-time policy is a type of policy in Netskope's CASB that allows you to control the actions that users can perform on cloud applications in real time. You can use a real-time policy to block all users from uploading data files into risky collaboration applications by specifying the following elements: the application category (such as Collaboration), the activity (such as Upload), the file type (such as Data), the risk level (such as High or Very High), and the action (such as Block). A DLP rule, a DLP profile, and a block notification are not sufficient to accomplish this task, as they are either sub-components or outcomes of a real-time policy. References: Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 5: Real-Time Policies, Lesson 1: Real-Time Policy Overview and Lesson 2: Real-Time Policy Configuration.


Question # 43
You investigate a suspected malware incident and confirm that it was a false alarm.

  • A. In this scenario, how would you prevent the same file from triggering another incident?
  • B. Export the packet capture to a pcap file.
  • C. Add the hash to the file filter.
  • D. Quarantine the file. Look up the hash at the VirusTotal website.

Correct answer: C

Explanation:
A file filter is a list of file hashes that you can use to exclude files from inspection by Netskope. By adding the hash of the file that triggered a false alarm to the file filter, you can prevent it from being scanned again by Netskope and avoid generating another incident. Quarantining the file, exporting the packet capture, or looking up the hash at VirusTotal are not effective ways to prevent the same file from triggering another incident, as they do not affect how Netskope handles the file. References: Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 6: Data Loss Prevention, Lesson 2: File Filters.


Question # 44
......
