NSK100 Netskope Certified Cloud Security Administrator (NCCSA) Questions and Answers

To protect your users from malicious scripts that may be downloaded from websites, you need to use technologies that can detect and prevent malware, ransomware, phishing, and other advanced threats in web traffic. Two technologies that form a part of Netskope’s Threat Protection module, which is a feature in the Netskope platform that provides these capabilities, are sandbox and heuristics. Sandbox is a technology that allows Netskope to analyze suspicious files or URLs in a virtual environment isolated from the rest of the network. It simulates the execution of the files or URLs and observes their behavior and impact on the system. It then generates a verdict based on the analysis and blocks any malicious files or URLsfrom reaching your users or devices. Heuristics is a technology that allows Netskope to identify unknown or emerging threats based on their characteristics or patterns, rather than relying on predefined signatures or rules. It uses machine learning and artificial intelligence to analyze various attributes of files or URLs, such as file type, size, entropy, metadata, code structure, etc., and assigns a risk score based on the analysis. It then blocks any files or URLs that exceed a certain risk threshold from reaching your users or devices. A log parser or DLP are not technologies that form a part of Netskope’s Threat Protection module, as they are more related to discovering cloud applications or protecting sensitive data. References: [Netskope Threat Protection], Netskope Security Cloud Operation & Administration (NSCO&A) - Classroom Course, Module 9: Threat Protection.

The two traffic steering configurations that are supported by Netskope are cloud applications only and all Web traffic including cloud applications. These configurations allow you to control what kind of traffic gets steered to Netskope for real-time deep analysis and what kind of traffic gets bypassed. You can choose one of these options for both on-premises and off-premises scenarios, depending on your network environment and security needs. You can also create exceptions for specific domains, IP addresses, or certificate-pinned applications that you want to bypass or steer regardless of the configuration option. References: Steering ConfigurationCreating a Steering Configuration

When creating a real-time policy for cloud applications, you can use access method and device classification as source criteria, in addition to users, groups, and organizational units. Access method refers to how the user accesses the cloud application, such as browser, sync client, mobile app, etc. Device classification refers to the type of device used by the user, such as managed or unmanaged, Windows or Mac, etc. These criteria can help you define granular policies based on different scenarios and risks. References: [Creating Real-Time Policies for Cloud Applications]

Shadow IT is the term for the unauthorized use of IT resources and functions by employees within an organization. It can include cloud services, software, and hardware that are not approved or managed by the IT department. Two use cases that would be considered examples of shadow IT within an organization are: an unsanctioned Microsoft 365 OneDrive account being used by a corporate user to upload sensitive data and an unsanctioned Google Drive account used by a corporate user to upload non-sensitive data. In both cases, the corporate user is using a personal cloud storage service that is not sanctioned by the organization to store work-related data. This can introduce security risks, such as data leakage, data loss, compliance violations, malware infections, etc. The IT department may not have visibility or control over these cloud services or the data stored in them. References: What is shadow IT? | CloudflareWhat is Shadow IT? | IBM

To locate information pertaining to a DLP violation on a file in your sanctioned Google Drive instance, you can use the Incidents dashboard in Netskope. The Incidents dashboard provides a comprehensive view of all the incidents that have occurred in your cloud environment, such as DLP violations, malware infections, anomalous activities, etc. You can filter the incidents by various criteria, such as app name, incident type, severity, user name, etc. You can also drill down into each incident to see more details, such as file name, file path, file owner, file size, file type, etc. The Incidents dashboard can show DLP violations for files that are in a deleted state, as long as they are still recoverable from the trash bin of the app. If the file is permanently deleted from the app, then the incident will not be visible in the dashboard. References: Netskope Incidents Dashboard

Three security controls that are offered by the Netskope Cloud platform are: C. cloud security posture management, E. threat protection, and B. data loss prevention for SMTP.

• Cloud security posture management is a service that provides continuous assessment and remediation of public cloud deployments for risks, threats, and compliance issues. Netskope CSPM leverages the APIs available from cloud service providers such as AWS, Azure, and GCP to scan the cloud infrastructure for misconfigurations, such as insecure permissions, open ports, unencrypted data, etc. Netskope CSPM also provides security posture policies, profiles, and rules that can be customized to match the security standards and best practices of the organization or industry.
• Threat protection is a capability to detect and block malware, ransomware, phishing, and other cyber threats that may compromise cloud data or users. Netskope threat protection uses advanced techniques such as machine learning, sandboxing, threat intelligence, and behavioral analysis to identify and prevent malicious activities in real time.Netskope threat protection also integrates with third-party solutions such as antivirus engines, firewalls, SIEMs, etc., to provide comprehensive defense across the cloud and web1.
• Data loss prevention for SMTP is a feature that allows you to protect sensitive data that is sent or received via email. Netskope DLP for SMTP can scan email messages and attachments for predefined or custom data patterns, such as credit card numbers, social security numbers, health records, etc., and apply appropriate actions, such as block, quarantine, encrypt, notify, etc., based on the DLP policies.Netskope DLP for SMTP can also support multiple email domains and routing rules for different groups of users2.

Two primary advantages of Netskope’s Secure Access Service Edge (SASE) architecture are: no on-premises hardware required for policy enforcement and single management console. Netskope’s SASE architecture delivers network and security services as cloud-based services that can be accessed from any location and device. This eliminates the need for on-premises hardware appliances such as firewalls, proxies, VPNs, etc., that are costly to maintain and scale. Netskope’s SASE architecture also provides a single management console that allows administrators to configure and monitor all the network and security services from one place. This simplifies IT operations and reduces complexity and overhead. References: Netskope SASEWhat is SASE?

Two statements that are correct about DLP Incidents in the Netskope platform are: An incident can have one or more DLP violations and an incident can be associated to one or more DLP rules. A DLP violation occurs when a file or object matches a DLP rule used in a DLP profile. A DLP rule defines the criteria for detecting sensitive data, such as keywords, regular expressions, fingerprints, machine learning classifiers, etc. A DLP profile is a collection of DLP rules that can be applied to a policy. An incident is a record of a file or object that triggered a DLP policy violation. An incident can have multiple violations if the file or object matches multiple DLP rules from different profiles. An incident can also be associated to multiple DLP rules if the file or object matches more than one rule from the same profile. References: About DLPDLP Profiles

The term that correctly defines the Zero Trust security model is least privilege access. The Zero Trust security model is a modern security strategy based on the principle: never trust, always verify. Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. One of the core principles of the Zero Trust model is to use least privilege access, which means granting users or systems only the minimum level of access they need to perform their tasks, and only for a limited time. This helps reduce the attack surface and minimize the impact of a potential breach. References: Zero Trust Security - microsoft.comWhat is Zero Trust Security? Principles of the Zero Trust Model

The statement that is true in this scenario is: Certificate-related settings apply to each individual steering configuration level. Certificate-related settings are the options that allow you to configure how Netskope handles SSL/TLS certificates for encrypted web traffic. For example, you can choose whether to allow or block self-signed certificates, expired certificates, revoked certificates, etc. You can also choose whether to enable SSL decryption for specific domains or categories. Certificate-related settings apply to each individual steering configuration level, which means that you can have different settings for different types of traffic or devices. For example, you can have one steering configuration for managed devices and another one for unmanaged devices, and apply different certificate-related settings for each one. This allows you to customize your security policies based on your needs and preferences. References: Netskope SSL DecryptionNetskope Steering Configuration

To provision users to your customer’s Netskope tenant, two methods that you can use are: use the AD Connector and use SCIM. The AD Connector is a tool that allows you to synchronize users and groups from your Active Directory (AD) domain to your Netskope tenant. The AD Connector runs as a Windows service on a machine that has access to your AD domain controller. The AD Connector periodically queries your AD domain for any changes in users and groups and updates them in your Netskope tenant accordingly. The AD Connector also supports filtering users and groups based on attributes or organizational units (OUs). SCIM stands for System for Cross-domain Identity Management, which is a standard protocol for managing user identities across different applications and services. SCIM allows you to provision users and groups from your identity provider (IdP), such as Azure AD or Okta, to your Netskope tenant using APIs. SCIM also supports creating, updating, deleting, and searching users and groups in your Netskope tenant based on your IdP’s configuration. References: Netskope AD ConnectorUser Provisioning with Azure AD

The three technologies that describe the primary cloud service models as defined by the National Institute of Standards and Technology (NIST) are Platform as a Service (PaaS), Software as a Service (SaaS), and Infrastructure as a Service (IaaS). These service models are based on the type of computing capability that is provided by the cloud provider to the cloud consumer over a network. According to NIST, these service models have the following definitions:

• Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
• Software as a Service (SaaS): The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
• Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

References: The NIST Definition of Cloud ComputingNIST Cloud Computing Program

To prevent Man-in-the-Middle (MITM) attacks on an encrypted website or application, one method that you can use is certificate pinning. Certificate pinning is a technique that restricts which certificates are considered valid for a particular website or application, limiting risk. Instead of allowing any trusted certificate to be used, operators "pin" the certificate authority (CA) issuer(s), public keys or even end-entity certificates of their choice. Certificate pinning helps to prevent MITM attacks by validating the server certificates against a hardcoded list of certificates in the website or application. If an attacker tries to intercept or modify the traffic using a fraudulent or compromised certificate, it will be rejected by the website or application as invalid, even if it is signed by a trusted CA. References: Certificate pinning - IBMCertificate and Public Key Pinning | OWASP Foundation

Legacy solutions, such as on-premises firewalls and proxies, fail to secure the data and data access compared to Netskope Secure Web Gateway because they are designed for a perimeter-based security model, where the applications and the users are both within the corporate network. However, with the rise of cloud computing and remote work, this model is no longer valid. The applications where the data resides are no longer in one central location, but distributed across multiple cloud services and regions. The users accessing this data are not in one central place, but working from anywhere, on any device. Legacy solutions cannot provide adequate visibility and control over this dynamic and complex environment, resulting in security gaps and performance issues. Netskope Secure Web Gateway, on the other hand, leverages a cloud-native architecture that provides high-performance and scalable inspection of traffic from any location and device, as well as granular policies and advanced threat and data protection for web and cloud applications. References: Netskope Architecture OverviewNetskope Next Gen SWG

Secure Access Service Edge (SASE) is a cloud-based architecture that combines various cloud security and infrastructure enablement technologies into a unified platform that delivers security and networking services from the edge of the network. Two of these technologies are Zero Trust Network Access (ZTNA) and Cloud Access Security Broker (CASB). ZTNA is a technology that provides secure access to private applications without exposing them to the internet or using VPNs. It uses identity-based policies and encryption to grant granular access to authorized users and devices, regardless of their location or network. CASB is a technology that provides visibility and control over cloud applications (SaaS) used by users and devices. It uses API connections or inline proxies to inspect and enforce policies on data and activities in cloud applications, such as data loss prevention, threat protection, or compliance. Distributed Denial of Service Protection (DDoS) and Unified Threat Management (UTM) are not technologies that SASE combines into its unified platform, although they may be related or integrated with some of its components. References: [SASE], [ZTNA], [CASB].