CompTIA SecurityX CAS-004 (CAS-004) — Questions 175

510 questions total · 7pages · All types, answers revealed

Page 1 of 7

Page 2
1
Multi-Selectmedium

A security architect is designing a hybrid cloud environment where a web application hosted in AWS needs to securely access an on-premises database. The architect wants to minimize exposure to the internet and ensure encryption in transit. Which TWO techniques should the architect consider? (Choose two.)

Select 2 answers
A.Establish an IPsec VPN tunnel between the AWS VPC and the on-premises network.
B.Use AWS Direct Connect to create a dedicated private network connection from on-premises to AWS.
C.Store database credentials in AWS Secrets Manager and retrieve them at runtime.
D.Configure VPC peering between the AWS VPC and the on-premises network.
E.Configure the web application to connect to the database using TLS encryption.
AnswersA, B

IPsec VPN provides encrypted tunnel over the internet, securing data in transit.

Why this answer

Option A is correct because an IPsec VPN tunnel creates an encrypted, site-to-site connection between the AWS VPC and the on-premises network, ensuring encryption in transit and minimizing internet exposure by using the VPN gateway as the endpoint. Option B is correct because AWS Direct Connect provides a dedicated, private network connection that bypasses the internet entirely, reducing exposure and supporting encryption via optional MACsec or IPsec, while maintaining low latency and consistent bandwidth.

Exam trap

The trap here is that candidates often confuse VPC peering with hybrid connectivity, not realizing it only works between VPCs within the same AWS region, or they assume TLS alone is sufficient for network-level security without addressing the underlying internet exposure.

2
MCQeasy

Which of the following is the BEST definition of a risk register?

A.A list of identified risks with associated attributes such as impact, likelihood, and owner.
B.A report of audit findings and non-conformities.
C.A document that outlines the organization's risk appetite.
D.A tool used to automate risk assessment processes.
AnswerA

A risk register captures each risk along with its characteristics and management status.

Why this answer

Option B is correct because a risk register is a structured repository for documenting and tracking risks.

3
MCQhard

An architect is designing a multi-factor authentication (MFA) solution for remote access. Which of the following is the STRONGEST form of second factor?

A.Email OTP
B.FIDO2 WebAuthn hardware token
C.SMS one-time code
D.Knowledge-based questions
AnswerB

FIDO2 uses public-key cryptography and is resistant to phishing.

Why this answer

FIDO2 WebAuthn hardware tokens are phishing-resistant and provide strong cryptographic authentication. SMS codes, email OTPs, and knowledge-based questions are vulnerable to phishing or interception.

4
Multi-Selecthard

A security assessor is reviewing a containerized application. Which three of the following practices help secure the container runtime environment? (Select the three best options.)

Select 3 answers
A.Run the container with a read-only root filesystem
B.Use the latest base image from Docker Hub
C.Drop all Linux capabilities and add only required ones
D.Run the container process as a non-root user
AnswersA, C, D

Why this answer

Running a container with a read-only root filesystem (option A) prevents any writes to the container's filesystem layer, which blocks malware from dropping files, modifying binaries, or persisting changes. This is enforced by the container runtime (e.g., Docker, containerd) by mounting the root filesystem as read-only, typically using the `--read-only` flag. Even if an attacker gains code execution inside the container, they cannot alter system files or install tools, significantly reducing the blast radius of a compromise.

Exam trap

CompTIA often tests the distinction between image security (e.g., using latest images) and runtime security (e.g., read-only filesystem, capability dropping, non-root user), and the trap here is that candidates may incorrectly select 'use the latest base image' because they conflate image freshness with runtime hardening.

Why the other options are wrong

B

This is important for image security, not runtime configuration.

5
Multi-Selecthard

Which THREE of the following are required by the NIST Cybersecurity Framework (CSF) for the 'Protect' function?

Select 3 answers
A.Performing regular maintenance of systems
B.Ensuring data at rest and in transit is encrypted
C.Conducting a risk assessment for critical assets
D.Developing an incident response plan
E.Implementing access controls for authorized users
AnswersA, B, E

Maintenance is under Protect.

Why this answer

Options A, C, and E are correct. Access control (PR.AC), data security (PR.DS), and maintenance (PR.MA) are part of the Protect function. Option B is wrong because 'Respond' is a separate function.

Option D is wrong because risk assessment is under 'Identify'.

6
MCQmedium

An organization uses Ansible to automate server configuration for a hybrid cloud environment. The security team requires that sensitive data such as API keys and passwords are not exposed in the Ansible playbooks or logs. The Ansible control node is shared among several administrators. What is the best approach to protect these secrets?

A.Store secrets in plaintext in a separate file and set restrictive file permissions.
B.Remove all secrets from automation and require manual entry during each playbook run.
C.Use Ansible Vault to encrypt the secret variables and restrict access to the vault password file.
D.Define secrets as environment variables on the control node and reference them in playbooks.
AnswerC

Ansible Vault encrypts data at rest; only authorized users with the vault password can decrypt.

Why this answer

Ansible Vault encrypts sensitive data within playbooks. Option A is correct. Plaintext (B) is insecure.

Environment variables (C) can be logged. Removing secrets (D) is impractical.

7
MCQhard

During a ransomware incident, the organization discovers that all production backups have been encrypted by the attacker. What is the most effective recovery approach?

A.Restore from offline immutable backups
B.Restore from system restore points
C.Use a decryption tool from security vendors
D.Pay the ransom to obtain the decryption key
AnswerA

Immutable backups cannot be modified by ransomware and are reliable recovery sources.

Why this answer

Option D is correct because offline immutable backups are not accessible to the ransomware and provide a clean restore point. Option A is wrong because paying ransom does not guarantee decryption. Option B is wrong because system restore points may also be encrypted.

Option C is wrong because decryption tools often fail against modern ransomware.

8
MCQeasy

A financial institution is required to comply with PCI DSS. A low-severity vulnerability is found in the cardholder data environment that would cost significant downtime to patch. What is the BEST course of action?

A.Implement compensating controls and formally accept the risk with documented approval
B.Transfer the risk to a third party
C.Accept the risk without documentation
D.Immediately patch the vulnerability
AnswerA

This satisfies PCI DSS requirements and manages risk.

Why this answer

PCI DSS allows risk acceptance with compensating controls and documented approval. Option A lacks documentation; Option C may cause unacceptable downtime; Option D does not directly address the vulnerability.

9
MCQhard

A network administrator is troubleshooting connectivity issues. Based on the exhibit, which of the following is true about the iptables rules?

A.New connections from the internet to 10.0.1.0/24 are allowed.
B.All traffic is allowed by default because the policy is ACCEPT.
C.Traffic from 10.0.1.0/24 to the internet is allowed, but return traffic is only allowed if it is part of an established connection.
D.The rules apply to incoming traffic on the firewall itself.
AnswerC

The first rule matches new and established traffic from 10.0.1.0/24; the second matches only established traffic back.

Why this answer

Option C is correct because the iptables rules show a default FORWARD policy of ACCEPT, but the INPUT chain has a default policy of DROP. The rule '-A FORWARD -s 10.0.1.0/24 -j ACCEPT' allows outbound traffic from the 10.0.1.0/24 subnet to the internet. The rule '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT' ensures that only return traffic belonging to an existing connection is permitted back, while new inbound connections from the internet are implicitly dropped by the FORWARD chain's default policy.

Exam trap

The trap here is that candidates often confuse the FORWARD chain with the INPUT chain, assuming that rules in the FORWARD chain apply to traffic destined for the firewall itself, or they overlook that the default policy for the FORWARD chain is DROP (not ACCEPT) unless explicitly set to ACCEPT in the exhibit.

How to eliminate wrong answers

Option A is wrong because the FORWARD chain's default policy is DROP (not shown but implied by the rules), and there is no rule allowing new connections from the internet to 10.0.1.0/24; only ESTABLISHED,RELATED traffic is allowed back. Option B is wrong because the policy shown is ACCEPT only for the FORWARD chain, but the INPUT chain has a default policy of DROP, and the FORWARD chain's default policy is also DROP (as no default ACCEPT is listed for FORWARD in the exhibit); thus, not all traffic is allowed by default. Option D is wrong because the rules shown are in the FORWARD chain, which applies to traffic being routed through the firewall, not to incoming traffic destined for the firewall itself (which would be handled by the INPUT chain).

10
MCQeasy

Which of the following best describes the primary security benefit of using immutable infrastructure in a containerized environment?

A.It reduces resource consumption by reusing containers.
B.It prevents unauthorized modifications to running containers.
C.It automates patching of container images.
D.It eliminates the need for container security scanning.
AnswerB

Why this answer

Immutable infrastructure ensures that once a container image is built and deployed, it is never modified in place. If a change is needed, a new image is built and deployed, replacing the old container entirely. This prevents unauthorized or unplanned modifications to running containers, which is the primary security benefit because it eliminates configuration drift and reduces the attack surface from runtime tampering.

Exam trap

The trap here is that candidates confuse immutability with automation of patching or resource efficiency, when in fact immutability is a security control against runtime modification, not a patch management or cost-saving mechanism.

Why the other options are wrong

A

Immutable infrastructure usually increases resource usage due to frequent replacement; reuse is not a security benefit.

C

Immutable infrastructure requires rebuilding images for patches, but it does not automate the patching itself.

D

Immutable infrastructure still requires scanning images for vulnerabilities before deployment.

11
Multi-Selectmedium

A security engineer is evaluating options for securing firmware updates on IoT devices. Which TWO methods provide integrity verification of the update?

Select 2 answers
A.Obfuscation of the firmware code
B.AES encryption of the firmware
C.Hash-based message authentication code (HMAC)
D.Digital signature verification
E.Secure Boot
AnswersC, D

HMAC uses a shared key to create a tag that verifies integrity and authenticity.

Why this answer

Correct: Digital signature verification and HMAC. Digital signatures use asymmetric cryptography to ensure authenticity and integrity. HMAC uses a shared secret to verify integrity.

AES encryption alone does not provide integrity, obfuscation is not security, and secure boot is about boot-time integrity, not update verification.

12
MCQmedium

A threat hunter wants to identify potential lateral movement within the network. Which data source is LEAST useful for this purpose?

A.Windows Event ID 4624 (Logon) from domain controllers
B.Windows Event ID 4648 (Logon with explicit credentials)
C.Windows Event ID 5140 (File share accessed)
D.DNS query logs
AnswerD

DNS logs show name resolution but not lateral movement itself.

Why this answer

Option B is correct because DNS logs primarily show domain resolution requests, which may not directly indicate lateral movement. Option A shows remote logins. Option C shows processes connecting to other systems.

Option D shows authentication events.

13
Multi-Selectmedium

An organization is implementing a DevSecOps pipeline. Which of the following are essential security controls to include? (Select TWO.)

Select 2 answers
A.Implement SAST in the build phase
B.Conduct annual penetration testing
C.Perform DAST in the staging environment
D.Use network segmentation for production
E.Disable security scanning to speed up deployments
AnswersA, C

Why this answer

SAST (Static Application Security Testing) is essential in the build phase because it analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program. Integrating SAST early in the DevSecOps pipeline allows developers to identify and remediate flaws like SQL injection, buffer overflows, or cross-site scripting before the code is compiled and deployed, aligning with the 'shift left' security principle.

Exam trap

Cisco often tests the distinction between continuous pipeline-integrated controls (SAST, DAST) and traditional periodic or infrastructure-level controls (annual pen tests, network segmentation), expecting candidates to recognize that only the former are essential within a DevSecOps pipeline.

Why the other options are wrong

B

Annual testing is not frequent enough for a DevSecOps pipeline, which requires continuous testing.

D

Network segmentation is a security control but not specific to the DevSecOps pipeline; it is an operational security measure.

E

Disabling security scanning would defeat the purpose of DevSecOps.

14
MCQmedium

During a routine vulnerability scan, a security engineer discovers that a critical web application is running an outdated version of a third-party library with a known remote code execution (RCE) vulnerability. The application is in production and cannot be taken offline immediately. Which of the following is the BEST immediate action to reduce risk?

A.Patch the library directly in the production environment.
B.Implement a virtual patch using a web application firewall (WAF) to block exploitation patterns.
C.Schedule a maintenance window for the next weekend to apply the vendor's patch.
D.Disable the web application until a patch is available.
AnswerB

A virtual patch provides temporary protection without affecting application availability.

Why this answer

Option B is correct because a WAF rule can block exploitation attempts while a permanent fix is developed. Option A might break functionality. Option C is too slow for immediate risk reduction.

Option D might not address the vulnerability entry point.

15
Multi-Selectmedium

Which TWO of the following are considered secure design principles for cryptographic systems?

Select 2 answers
A.Implement custom encryption algorithms designed in-house
B.Use the same key for encryption and authentication to reduce complexity
C.Use well-vetted, standard cryptographic algorithms
D.Rely on secrecy of the algorithm for security
E.Generate cryptographic keys using a cryptographically secure random number generator
AnswersC, E

Standard algorithms have been analyzed for weaknesses.

Why this answer

Option C is correct because using well-vetted, standard cryptographic algorithms (e.g., AES, RSA, ECDSA) ensures the system benefits from years of public scrutiny, rigorous cryptanalysis, and proven security properties. Proprietary or custom algorithms often contain undiscovered vulnerabilities, making them unsuitable for secure systems.

Exam trap

CompTIA often tests the misconception that 'custom algorithms' or 'security through obscurity' can be acceptable in secure design, when in fact they are explicitly rejected in favor of open, peer-reviewed standards and key separation.

16
Multi-Selecthard

A security architect is evaluating a new cloud-based application that will process sensitive customer data. The architect must ensure compliance with GDPR and PCI DSS. Which THREE of the following controls should be implemented? (Select THREE.)

Select 3 answers
A.Deploy geo-fencing to block access from non-EU countries.
B.Implement a process for customers to request deletion of their personal data.
C.Use data masking for customer data in development and testing environments.
D.Implement encryption at rest and in transit for all sensitive data.
E.Retain all access logs for a minimum of 7 years.
AnswersB, C, D

Right to erasure is a key GDPR requirement.

Why this answer

Option B is correct because GDPR grants data subjects the right to erasure (Article 17), also known as the 'right to be forgotten.' Implementing a process for customers to request deletion of their personal data is a mandatory control for GDPR compliance, directly addressing this regulatory requirement.

Exam trap

Cisco often tests the misconception that geo-fencing is a GDPR requirement, but GDPR focuses on the rights of data subjects and lawful processing, not on geographic blocking of access.

17
Multi-Selectmedium

A company is adopting container security best practices. Which TWO actions should be implemented to reduce the attack surface of container images? (Select TWO.)

Select 2 answers
A.Set the container filesystem as read-only where possible.
B.Use signed images and verify signatures before deployment.
C.Disable vulnerability scanning to optimize build time.
D.Store secrets in environment variables.
E.Run containers with the root user to simplify permissions.
AnswersA, B

A read-only filesystem prevents attackers from writing malicious files.

Why this answer

Using signed images (A) ensures integrity, and read-only root filesystem (C) prevents runtime modifications. Distractors B and D are insecure, and E is good but not as critical for attack surface reduction.

18
MCQeasy

A company is designing a new multi-tier web application. The security team recommends placing a web application firewall (WAF) in front of the web servers and a network firewall between the web and application tiers. Which security architecture principle does this represent?

A.Defense in depth
B.Separation of duties
C.Least privilege
D.Single point of failure
AnswerA

Multiple layers of defense (WAF and firewalls) exemplify defense in depth.

Why this answer

Defense in depth (layered security) uses multiple controls to protect assets. Option A is wrong because it is not just a single control. Option B is wrong because separation of duties is about dividing responsibilities.

Option D is wrong because least privilege limits access rights.

19
MCQmedium

A security engineer is deploying a wireless network for a high-security facility. Which protocol should be used to provide the strongest authentication and encryption for client devices?

A.WEP with 128-bit key
B.WPA2-PSK with AES
C.WPA3-Enterprise with 802.1X
D.WPA3-Personal with SAE
AnswerC

WPA3-Enterprise uses individual credentials and stronger encryption than WPA2.

Why this answer

WPA3-Enterprise with 802.1X provides per-user authentication using EAP and the strongest encryption (GCMP-256). WPA2-PSK uses a shared passphrase, WPA3-Personal also uses SAE but for personal use, and WEP is obsolete.

20
Multi-Selecthard

A security architect is reviewing the network security controls for a critical industrial control system (ICS) environment. The architect must select two controls that are most effective at preventing unauthorized access to the ICS network from the corporate IT network, while still allowing necessary monitoring traffic. Which TWO controls should be implemented? (Choose two.)

Select 2 answers
A.Configure a site-to-site VPN from the corporate network to the ICS network
B.Implement a network-based intrusion prevention system (IPS) on the ICS network
C.Deploy a unidirectional gateway (data diode) between the networks
D.Place a bastion host in a DMZ accessible from both networks for monitoring traffic
E.Segment the networks using VLANs only
AnswersC, D

Ensures traffic can only flow out, preventing inbound access.

Why this answer

A unidirectional gateway (data diode) physically enforces one-way data flow, ensuring that no traffic can originate from the corporate IT network into the ICS network. This prevents unauthorized access while allowing monitoring data (e.g., syslog, SNMP traps) to be sent out from the ICS side. It is the most effective control for preventing any inbound attack vectors while preserving outbound monitoring traffic.

Exam trap

The trap here is that candidates often choose a VPN (Option A) thinking encryption equals security, but encryption does not prevent unauthorized access—it only protects data in transit, and a VPN still allows bidirectional communication, which is the opposite of what is needed for ICS isolation.

21
Multi-Selectmedium

A company is implementing a vendor risk management program. Which THREE of the following should be included in the initial vendor assessment?

Select 3 answers
A.Employee training records
B.Financial stability
C.Security incident history
D.Marketing collateral
E.Business continuity plan
AnswersB, C, E

Essential to assess viability.

Why this answer

Financial stability, security incident history, and business continuity plan are key to evaluating vendor risk. Employee training is not typically part of initial assessment; marketing collateral is irrelevant.

22
Multi-Selectmedium

A security architect is evaluating web application firewall (WAF) features to protect against common attacks. Which TWO of the following attacks can a WAF most effectively prevent?

Select 2 answers
A.Session hijacking
B.Cross-site scripting (XSS)
C.SQL injection
D.Distributed denial-of-service (DDoS)
E.Cross-site request forgery (CSRF)
AnswersB, C

WAFs can detect and block reflected/stored XSS.

Why this answer

SQL injection and XSS are application-layer attacks that a WAF can detect and block based on signatures or heuristics. CSRF requires tokens, and session hijacking is often at the network layer.

23
MCQeasy

An analyst needs to automate the extraction of indicators of compromise (IOCs) from log files generated by various systems. Which scripting language is most commonly used for cross-platform log parsing and automation due to its extensive library support?

A.PowerShell
B.Bash
C.JavaScript
D.Python
AnswerD

Python is cross-platform with extensive libraries for data parsing and automation.

Why this answer

Python's rich library ecosystem (e.g., pandas, re, json) makes it ideal for log parsing across platforms. PowerShell is Windows-centric, Bash is Unix/Linux-specific, and JavaScript is not typical for log parsing tasks.

24
MCQmedium

A company is deploying a web application in a containerized environment. The security team wants to ensure that the application runs with the least privilege necessary. Which of the following is the BEST approach to achieve this?

A.Run the container as root and use a restrictive seccomp profile
B.Run the container with a non-root user and drop all capabilities
C.Run the container as root but use a read-only filesystem
D.Run the container with the --privileged flag and a custom AppArmor profile
AnswerB

Why this answer

Option B is correct because running a container with a non-root user and dropping all capabilities enforces the principle of least privilege. By default, containers run with a limited set of capabilities, but explicitly dropping all capabilities and using a non-root user ensures that even if the application is compromised, an attacker cannot escalate privileges or perform privileged operations. This aligns with container security best practices, such as those outlined in the Docker security documentation and the CIS Docker Benchmark.

Exam trap

Cisco often tests the misconception that root in a container is safe because of namespace isolation, but the trap here is that root inside a container still has dangerous capabilities that can be exploited if the container is compromised, so the best approach is to avoid root entirely and drop all capabilities.

Why the other options are wrong

A

Running as root still gives elevated privileges; seccomp alone does not enforce user-level least privilege.

C

Read-only filesystem does not prevent root-level process attacks; the container still runs as root.

D

--privileged gives the container nearly all host capabilities, violating least privilege.

25
Multi-Selectmedium

Which two of the following are effective mitigations against XML External Entity (XXE) injection attacks? (Select the two best options.)

Select 2 answers
A.Disable Document Type Definition (DTD) processing in the XML parser
B.Use a blacklist to filter out dangerous XML tags
C.Validate all XML input against a schema
D.Use a JSON or other less complex data format instead of XML
AnswersA, D

Why this answer

Option A is correct because XXE attacks exploit the XML parser's ability to process external entities defined in a DTD. By disabling DTD processing entirely, the parser cannot resolve or fetch external resources, which neutralizes the primary vector for XXE injection. This is a standard security hardening step for XML parsers like libxml2, Xerces, or .NET's XmlReader, often achieved by setting properties such as `LIBXML_NOENT` to false or `XmlReaderSettings.DtdProcessing` to `Prohibit`.

Exam trap

CompTIA often tests the misconception that input validation or schema validation alone can prevent injection attacks, but the trap here is that XXE exploits parser-level features (DTD processing) that occur before any schema validation or content filtering takes place.

Why the other options are wrong

B

Blacklists are easily bypassed; disabling DTD is more robust.

C

Schema validation does not prevent XXE if DTDs are still enabled.

26
MCQmedium

An organization is required to retain logs for seven years per regulatory requirement. Which of the following should be considered to ensure the integrity of these logs?

A.Write-once, read-many (WORM) storage
B.Hashing each log entry
C.Encryption of the logs
D.Compression to reduce storage space
AnswerA

WORM prevents tampering with log entries.

Why this answer

Write-once, read-many (WORM) storage ensures logs cannot be altered or deleted. Encryption, compression, and hashing provide security or validation but not immutable storage.

27
MCQeasy

Refer to the exhibit. A security administrator finds this IAM policy attached to a Lambda execution role. What is the most critical security risk?

A.The Lambda can invoke any other Lambda
B.The Lambda has full IAM management capabilities
C.The Lambda can assume any role
D.The Lambda can access any S3 bucket
AnswerB

iam:* on * allows any IAM action, including creating admin users.

Why this answer

The policy grants full IAM management capabilities (iam:*) on all resources, allowing the Lambda to create, modify, or delete IAM resources. This could lead to privilege escalation or resource destruction.

28
Matchingmedium

Match each authentication protocol or method to its characteristic.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Uses tickets and symmetric key cryptography

XML-based federated identity protocol

Authorization framework for delegated access

AAA protocol for network access

Directory access protocol for authentication

Why these pairings

These protocols are essential for authentication and authorization.

29
MCQeasy

A company is implementing a new cloud-based SaaS application and needs to ensure compliance with GDPR. The security team is tasked with updating the data protection impact assessment (DPIA). Which of the following should the team prioritize?

A.Assessing the types of personal data processed and the risks to data subjects
B.Defining data retention schedules for all data types
C.Conducting a vulnerability scan of the SaaS application
D.Reviewing the cloud provider's SLA for uptime guarantees
AnswerA

DPIA focuses on the processing of personal data and associated risks.

Why this answer

Under GDPR, a Data Protection Impact Assessment (DPIA) is mandatory when processing personal data that is likely to result in high risk to individuals. The core requirement is to systematically assess the types of personal data being processed, the necessity and proportionality of the processing, and the risks to data subjects' rights and freedoms. This directly aligns with option A, as the DPIA must identify and mitigate privacy risks before the SaaS application goes live.

Exam trap

The trap here is that candidates confuse a DPIA with a security assessment (like a vulnerability scan or SLA review), but the DPIA is specifically a privacy risk assessment mandated by GDPR Article 35, not a general security or operational review.

How to eliminate wrong answers

Option B is wrong because defining data retention schedules is a separate GDPR compliance activity (Article 5(1)(e)) that occurs after the DPIA, not a priority for the DPIA itself; the DPIA focuses on risk assessment, not retention policies. Option C is wrong because conducting a vulnerability scan addresses technical security controls (Article 32), but a DPIA is a broader privacy risk assessment that evaluates the necessity, proportionality, and impact on data subjects, not just security vulnerabilities. Option D is wrong because reviewing the cloud provider's SLA for uptime guarantees relates to business continuity and availability, not to the GDPR-mandated assessment of risks to data subjects' privacy rights.

30
MCQeasy

Which of the following is a secure method for storing secrets (e.g., API keys, passwords) in a cloud-native application?

A.Encode secrets in base64 in configuration files
B.Store secrets in environment variables
C.Use a secrets management service
D.Hardcode secrets in the source code
AnswerC

Why this answer

Option C is correct because a dedicated secrets management service (e.g., AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) provides encryption at rest and in transit, automatic rotation, fine-grained access control via IAM policies, and audit logging. This prevents secrets from being exposed in configuration files, environment dumps, or version control, which is essential for cloud-native applications that must adhere to the principle of least privilege and compliance standards like SOC 2 or PCI DSS.

Exam trap

CompTIA often tests the misconception that base64 encoding or environment variables are 'secure enough' because they hide the secret from casual view, but the trap is that neither provides encryption, access control, or rotation, which are required for secure secret storage in cloud-native applications.

Why the other options are wrong

A

Base64 is not encryption; it is easily reversible and does not protect secrets.

B

Environment variables can be exposed via process listings, logs, or debug interfaces; they are not encrypted.

D

Hardcoding secrets is insecure as they can be read from version control or decompiled code.

31
MCQeasy

An organization wants to implement a solution that ensures data cannot be read if a storage device is physically stolen. Which encryption approach BEST meets this requirement?

A.Transport Layer Security (TLS) for network traffic
B.File-level encryption on sensitive documents
C.Database column-level encryption for stored data
D.Full disk encryption (FDE) on the storage device
AnswerD

Encrypts all data on the device, protecting against physical theft.

Why this answer

Full disk encryption (FDE) encrypts the entire storage device at the block level, including the operating system, applications, and all data. If the device is physically stolen, the data remains unreadable without the decryption key or passphrase, as the encryption is transparent and covers all sectors of the drive. This directly addresses the requirement of protecting data at rest on a stolen storage device.

Exam trap

Cisco often tests the distinction between encryption of data in transit (TLS) and encryption of data at rest (FDE), leading candidates to mistakenly choose a network encryption solution when the question explicitly involves a stolen storage device.

How to eliminate wrong answers

Option A is wrong because Transport Layer Security (TLS) encrypts data in transit over a network, not data at rest on a storage device; it does not protect against physical theft of the device. Option B is wrong because file-level encryption only encrypts individual files or folders, leaving metadata, temporary files, and the operating system unencrypted, which can expose sensitive data if the device is stolen. Option C is wrong because database column-level encryption protects specific columns within a database, but it does not encrypt the underlying storage device, leaving other data (e.g., logs, swap files, or the database engine itself) exposed upon physical theft.

32
MCQeasy

A large financial organization is migrating its on-premises authentication infrastructure to a cloud-based identity provider (IdP) to support a hybrid workforce. Currently, on-premises Active Directory is used with smart cards for authentication. The cloud IdP will support SAML 2.0 and OAuth 2.0. The security team requires that all authentication to cloud applications be protected by hardware-backed keys and that user credentials never leave the on-premises network. The solution must also support FIDO2 authentication for passwordless logins. During a pilot, users report that after authenticating to the cloud IdP using their smart cards, they are prompted again for credentials when accessing certain cloud applications. The logs show that the cloud IdP is issuing multiple authentication requests to the on-premises AD Federation Services (AD FS). The CISO is concerned about performance and security of repeated authentication. As a security architect, what is the best course of action?

A.Deploy a hardware security module (HSM) on-premises and integrate it with AD FS to perform certificate-based authentication and issue short-lived tokens.
B.Implement a reverse proxy to cache authentication tokens and replay them to cloud applications.
C.Implement a conditional access policy in the cloud IdP to skip authentication for trusted devices based on device compliance.
D.Configure AD FS to pass through the smart card certificate to the cloud IdP and enable seamless SSO by using the certificate as a security token.
AnswerD

Passing the certificate allows the cloud IdP to directly authenticate the user without additional prompts, leveraging hardware-backed keys.

Why this answer

Option B is correct because it solves the repeated authentication issue by having AD FS pass the smart card certificate to the cloud IdP, allowing the cloud IdP to accept the certificate as a valid security token for seamless SSO. This keeps credentials on-premises and leverages hardware-backed keys. Option A is wrong because caching authentication tokens on a reverse proxy introduces security risks and does not solve the fundamental issue of token trust.

Option C is wrong because although HSM integration improves key security, it still may not eliminate re-prompting if the cloud IdP does not trust the AD FS token. Option D is wrong because conditional access policies based on device compliance do not address the authentication chaining problem.

33
MCQmedium

A financial institution is adopting a new vendor-managed SaaS platform for customer data processing. The CISO wants to ensure the vendor's security controls meet regulatory requirements before data is transferred. Which of the following should be completed FIRST?

A.Execute a penetration test on the SaaS platform.
B.Implement data loss prevention controls.
C.Conduct a vulnerability assessment of the vendor's network.
D.Perform a third-party risk assessment.
AnswerD

Third-party risk assessment evaluates the vendor's security controls and compliance before data transfer.

Why this answer

B is correct because a third-party risk assessment is the initial step to evaluate the vendor's security posture against compliance. A and C are technical assessments that come later. D is a control implementation that should follow assessment.

34
MCQmedium

A security architect is designing a web application that handles sensitive user data. To protect against cross-site scripting (XSS) attacks, which of the following should be implemented?

A.Implement Content Security Policy (CSP)
B.Use HTTPS for all communications
C.Implement input validation and output encoding
D.Deploy a Web Application Firewall (WAF)
AnswerC

Why this answer

Input validation and output encoding are the primary defenses against XSS because they prevent malicious scripts from being interpreted by the browser. Input validation rejects or sanitizes dangerous characters (e.g., <, >, &) at the point of entry, while output encoding (e.g., HTML entity encoding) ensures that any user-supplied data rendered in the page is treated as text, not executable code. This directly addresses the root cause of XSS—untrusted data being injected into the DOM.

Exam trap

Cisco often tests the distinction between preventive controls (input validation/output encoding) and compensating controls (CSP, WAF, HTTPS), leading candidates to choose CSP or WAF because they are security-specific technologies, even though they do not eliminate the injection vulnerability itself.

Why the other options are wrong

A

CSP is a defense-in-depth measure that can reduce the impact of XSS but does not prevent it entirely; proper input validation and output encoding are the primary controls.

B

HTTPS protects data in transit but does not prevent XSS attacks.

D

WAF can detect and block some XSS attempts but is not a primary prevention; it can be bypassed and should not replace secure coding.

35
Multi-Selectmedium

Which THREE are key elements of a security policy?

Select 3 answers
A.Vendor names
B.Roles and responsibilities
C.Enforcement actions
D.Review date
E.Scope
AnswersB, C, E

Clear assignment of responsibilities is essential.

Why this answer

Options A, B, and C are correct. Scope defines applicability, roles and responsibilities assign accountability, and enforcement actions ensure compliance. Vendor names are not typical policy elements, and review date is part of document control but not a core element.

36
MCQhard

A large enterprise has deployed a security information and event management (SIEM) system that ingests logs from all critical servers, network devices, and endpoints. The SIEM is configured to correlate events and generate alerts for suspicious activities. Recently, the SOC team has been overwhelmed by a high volume of false positive alerts, particularly from the web server farm. The false positives are mainly triggered by legitimate web crawling and scanning activities from partners and internal tools. The SOC manager wants to reduce false positives without missing real threats. As the security architect, you are asked to recommend a solution. Which of the following is the BEST course of action?

A.Increase the event threshold for web server alerts to reduce sensitivity.
B.Disable logging of successful requests on the web servers to reduce log volume.
C.Tune the SIEM to use more aggressive deduplication and aggregation globally.
D.Create allowlists for known legitimate sources (e.g., partner IP ranges, internal scanners) in the SIEM correlation rules.
AnswerD

Directly reduces false positives while maintaining detection for unknown sources.

Why this answer

Option D is correct because creating allowlists for known legitimate sources (e.g., partner IP ranges, internal scanners) in the SIEM correlation rules directly addresses the root cause: false positives from trusted entities. This approach preserves detection sensitivity for unknown or malicious sources while suppressing alerts from pre-vetted IPs, reducing alert fatigue without compromising security coverage.

Exam trap

The trap here is that candidates confuse reducing log volume (Option B) with reducing false positives, or assume that global tuning (Options A and C) is safer than targeted allowlisting, when in fact allowlisting preserves detection fidelity for unknown threats.

How to eliminate wrong answers

Option A is wrong because increasing the event threshold globally would desensitize the SIEM to all web server alerts, potentially missing low-and-slow attacks or novel threats that fall below the new threshold. Option B is wrong because disabling logging of successful requests eliminates valuable forensic data needed for incident investigation and compliance, and does not reduce false positives from scanning activities that may generate 404s or other non-success codes. Option C is wrong because aggressive deduplication and aggregation globally could merge distinct malicious events into a single alert, obscuring attack patterns and causing loss of contextual detail across all log sources, not just web servers.

37
Multi-Selecthard

A container orchestration platform uses secrets management. Which two methods are recommended for injecting secrets into containers? (Choose two.)

Select 2 answers
A.Store secrets in environment variables in the container image.
B.Hardcode secrets in the application source code.
C.Use Kubernetes Secrets mounted as files.
D.Pass secrets via command-line arguments in the Dockerfile.
E.Use a volume mount from a secret store like HashiCorp Vault.
AnswersC, E

Mounted secrets are stored in tmpfs and not written to disk.

Why this answer

Options B and D are correct. Volume mounts from a secure store and Kubernetes Secrets mounted as files protect secrets at rest and in transit. A, C, and E embed secrets in images or commands, which is insecure.

38
MCQhard

A security engineer is tasked with designing a cryptographic solution to protect data at rest in a multi-tenant cloud storage system. Each tenant's data must be encrypted with a unique key, and the system must support key rotation with minimal performance impact. Which of the following is the BEST approach?

A.Generate a unique key per tenant and encrypt each key with a master key, then store both in the same database column.
B.Implement envelope encryption: generate a unique data encryption key (DEK) per tenant, encrypt each DEK with a key encryption key (KEK) stored in an HSM, and store the wrapped DEK alongside the data.
C.Use a single master key for all tenants and store the key in a hardware security module (HSM) with access controls.
D.Implement a periodic key rotation schedule that rotates all tenant keys every month manually.
AnswerB

Envelope encryption allows per-tenant isolation, easy key rotation (by rewrapping DEKs with new KEKs), and minimal performance impact since data is not re-encrypted on rotation.

Why this answer

Option D is correct because envelope encryption with a unique data key per tenant allows independent rotation and minimizes performance impact by only wrapping new data keys. Option A is wrong because storing keys in the same database violates separation. Option B is wrong because a single master key for all tenants violates isolation; if compromised, all data is at risk.

Option C is wrong because a monthly rotation of a single master key does not provide per-tenant isolation; also key synchronization can be complex.

39
MCQhard

Refer to the exhibit. A system administrator creates a systemd service to run a daily patching script. Which security concern is most prevalent?

A.The service restarts on failure
B.The script location is non-standard
C.The service depends on the network
D.The script runs as root
AnswerD

Executing automation as root increases blast radius; privilege separation is recommended.

Why this answer

Running the service as root grants the script full system privileges. If the patching script has vulnerabilities, an attacker could gain root access. Running as a non-root user with required permissions is better.

40
MCQmedium

During a compliance audit, an organization discovers that its backup data for a critical database is stored in an unencrypted format on a tape that is kept offsite. The organization's data protection policy requires encryption of all data at rest. Which of the following is the BEST remediation action?

A.Change the offsite storage provider to one with better physical security
B.Implement TLS for data transmission to offsite storage
C.Re-encrypt the existing tape and implement encryption for all future backups
D.Encrypt all future backups before writing to tape
AnswerC

Remediates the non-compliance for existing and future backups.

Why this answer

Option C is the best remediation because it directly addresses the compliance violation by re-encrypting the existing unencrypted tape and ensuring all future backups are encrypted before being written to tape. This aligns with the data protection policy requiring encryption of data at rest, as the tape is a storage medium that holds data at rest. Simply encrypting future backups (Option D) would leave the existing unencrypted data in violation, while the other options do not address the at-rest encryption requirement.

Exam trap

The trap here is that candidates often confuse encryption of data in transit (TLS) with encryption of data at rest, or they choose to only encrypt future backups, overlooking the need to remediate the existing non-compliant data that is already stored unencrypted.

How to eliminate wrong answers

Option A is wrong because improving physical security does not satisfy the requirement for encryption of data at rest; the policy mandates cryptographic protection, not just access controls. Option B is wrong because TLS protects data in transit during transmission to offsite storage, but the tape itself remains unencrypted at rest, which is the core compliance issue. Option D is wrong because it only encrypts future backups, leaving the existing unencrypted tape in violation of the policy; remediation must address the current non-compliant data.

41
MCQmedium

A company is migrating its on-premises ERP system to a public cloud IaaS environment. The ERP system contains sensitive financial data. Which of the following architectural changes best maintains data security during and after migration?

A.Leverage the cloud provider's default security groups and disable encryption
B.Encrypt the data at rest and in transit, and implement IAM policies
C.Migrate the ERP without changes and apply encryption after migration
D.Use a VPN to connect on-premises and cloud while keeping data unencrypted
AnswerB

This ensures data confidentiality during migration and in the cloud.

Why this answer

Encrypting the data at rest and in transit, combined with strict access controls, protects data in both environments. A VPN secures transit but does not address at-rest encryption. Relying on the cloud provider's default security may not suffice.

Disabling encryption during migration increases exposure.

42
MCQhard

A SOC team uses a SOAR platform to automate incident response. They want to ensure that playbooks run with minimal human intervention but still require approval for actions that could cause service disruption. Which approach should be used?

A.Require analyst sign-off for every playbook action.
B.Use network isolation as a safety net for any action.
C.Implement conditional manual approval for destructive actions.
D.Configure the SOAR to automatically execute all playbook steps.
AnswerC

Conditional approval balances automation and safety.

Why this answer

Option B is correct because conditional manual approval allows automation for low-risk actions and human approval for high-risk ones. Option A fully automated is risky. Option C fully manual reduces efficiency.

Option D is a technical control but doesn't address approval.

43
MCQmedium

An organization is evaluating risk treatment options for a critical vulnerability with a CVSS score of 9.8. The cost to remediate is $500,000, and the potential loss if exploited is estimated at $2,000,000. Which risk response is most appropriate?

A.Transfer the risk through cyber insurance
B.Accept the risk
C.Avoid the risk by decommissioning the affected system
D.Remediate the vulnerability
AnswerD

Remediation cost is lower than expected loss, making it the best option.

Why this answer

With a CVSS score of 9.8 (critical) and a potential loss of $2,000,000, the cost to remediate ($500,000) is significantly lower than the expected loss. Remediation reduces the risk to an acceptable residual level, making it the most cost-effective response. This aligns with the principle that when the cost of remediation is less than the potential loss, the organization should directly fix the vulnerability.

Exam trap

CompTIA often tests the misconception that a high CVSS score automatically justifies acceptance or transfer, but the key is comparing the cost of remediation against the potential loss to determine the most appropriate risk response.

How to eliminate wrong answers

Option A is wrong because transferring risk via cyber insurance does not reduce the likelihood or impact of exploitation; it only provides financial compensation after a breach, and insurers often exclude critical vulnerabilities or require remediation as a condition. Option B is wrong because accepting a critical vulnerability with a CVSS of 9.8 and a $2,000,000 potential loss is irresponsible when a cheaper remediation option exists; acceptance is only appropriate when the cost of mitigation exceeds the potential loss. Option C is wrong because avoiding the risk by decommissioning the affected system would eliminate the business function entirely, incurring operational and revenue losses that likely exceed the $500,000 remediation cost, making it an extreme and unnecessary response.

44
Multi-Selectmedium

Which TWO of the following are secure coding practices to prevent SQL injection?

Select 2 answers
A.Escaping all single quotes in user input
B.Validating input against a whitelist of allowed characters
C.Using an ORM that automatically parameterizes queries
D.Using parameterized queries with placeholders
E.Using stored procedures that accept user input directly
AnswersC, D

Modern ORMs use parameterization internally, preventing SQL injection.

Why this answer

Parameterized queries (prepared statements) and ORM frameworks that use parameter binding prevent SQL injection by separating SQL logic from data. Stored procedures with dynamic SQL can still be vulnerable. Input validation alone or escaping are not sufficient or can be bypassed.

45
MCQmedium

A security analyst is reviewing an AppArmor profile for an application. Based on the exhibit, which action would the application be denied?

A.Send a UDP packet to a remote server
B.Override discretionary access controls
C.Write to /var/log/app.log
D.Write to a file in /etc/config/
AnswerD

Only read is allowed on /etc/config/*; write is denied.

Why this answer

AppArmor profiles restrict applications by path and capability. The profile shown does not include any rule allowing write access to /etc/config/, so any write attempt to that directory or its files would be denied. This is because AppArmor enforces mandatory access control based on the profile's explicit allow rules.

Exam trap

CompTIA often tests the misconception that AppArmor denies all actions not explicitly allowed, but candidates may overlook that network and capability rules are separate from file path rules, leading them to incorrectly assume a default allow for network or capability operations.

How to eliminate wrong answers

Option A is wrong because the profile does not restrict network access via UDP; AppArmor uses network rules (e.g., 'network udp') to deny such traffic, and none are present. Option B is wrong because overriding discretionary access controls (DAC) is a capability (e.g., CAP_DAC_OVERRIDE) that must be explicitly granted in the profile; the profile shown does not include any capability entries, so it is not denied by default—AppArmor denies capabilities only if they are not listed. Option C is wrong because the profile includes a rule allowing write access to /var/log/app.log (e.g., '/var/log/app.log rw'), so the application can write to that file.

46
MCQmedium

A company is evaluating a vendor that will process sensitive customer data. The vendor's SOC 2 Type II report shows that controls were in place but had several exceptions noted. Which of the following is the BEST course of action?

A.Perform a risk assessment on the exceptions
B.Request a SOC 2 Type I report instead
C.Accept the vendor because it has a Type II report
D.Reject the vendor immediately due to exceptions
AnswerA

Risk assessment determines if exceptions are acceptable.

Why this answer

Option D is correct because a risk assessment should be conducted to evaluate the exceptions in the context of the company's risk appetite. Option A is wrong because rejecting without analysis is hasty. Option B is wrong because accepting without review is negligent.

Option C is wrong because a Type I report covers a point in time, not operations.

47
MCQhard

A company wants to protect its intellectual property stored on a file server. The security architect proposes implementing rights management services (RMS) integrated with Active Directory. Which attack is this architecture primarily designed to mitigate?

A.Unauthorized distribution of sensitive documents outside the organization
B.Phishing attacks targeting user credentials
C.Malware infection on the file server
D.Buffer overflow attack on the file server
AnswerA

RMS restricts access and usage rights even after documents leave the server.

Why this answer

RMS encrypts documents and controls access even if the file is copied or emailed externally, mitigating data exfiltration. Option A is wrong because RMS does not prevent client-side attacks. Option B is wrong because phishing is a social engineering attack.

Option D is wrong because RMS does not prevent server-side exploits if the attacker gains server access.

48
MCQmedium

Given the exhibit, what is the effect of this S3 bucket policy on an object stored in 'bucket-name'?

A.Requests from outside 10.0.0.0/8 are allowed to read objects.
B.All requests from IPs in 10.0.0.0/8 are allowed to read objects.
C.Only anonymous requests are denied.
D.All requests to the bucket are denied regardless of source IP.
AnswerD

The Deny statement applies to all actions and all principals, so it denies everything.

Why this answer

Option B is correct. The Deny statement will override the Allow because Deny takes precedence. The Allow only allows GetObject from 10.0.0.0/8, but the Deny all actions for all principals will block all access, including GetObject from the allowed IP range.

Option A is wrong because Deny overrides. Option C is wrong because there is an explicit Deny. Option D is wrong because the effect is to deny all, not just outside IPs.

49
Multi-Selecthard

A security architect is evaluating a new SIEM solution for a large enterprise. Which THREE of the following capabilities are CRITICAL for effective threat detection and response? (Choose three.)

Select 3 answers
A.Real-time correlation of events from multiple sources
B.Scheduled vulnerability scanning
C.Automated patch management
D.Integration with threat intelligence feeds
E.User and entity behavior analytics (UEBA)
AnswersA, D, E

Correlation is essential for identifying patterns and threats.

Why this answer

Real-time event correlation (A), UEBA (B), and threat intelligence integration (D) are core SIEM capabilities. Automated patch management (C) and scheduled vulnerability scanning (E) are typically separate tools, not built into SIEM.

50
MCQmedium

A security analyst notices repeated failed login attempts from a single IP address across multiple user accounts. Which of the following is the BEST immediate action to mitigate this attack?

A.Disable the affected user accounts until the source IP is blocked.
B.Reset the passwords for all affected accounts.
C.Enable multi-factor authentication for all accounts.
D.Implement a rate-limiting rule on the network firewall for the source IP.
AnswerD

Rate-limiting blocks excessive traffic from the source IP, directly halting the brute-force attempt.

Why this answer

Option D is correct because rate-limiting the source IP at the network firewall immediately throttles the number of authentication attempts from that address, mitigating the brute-force attack without disrupting legitimate user access. This is the best immediate action as it directly blocks the attack vector at the network layer, preventing further failed logins while preserving user productivity.

Exam trap

The trap here is that candidates often confuse a long-term security control (like MFA or password resets) with an immediate mitigation technique, failing to recognize that rate-limiting the source IP is the fastest way to stop the ongoing brute-force attack at the network perimeter.

How to eliminate wrong answers

Option A is wrong because disabling affected user accounts would deny service to legitimate users and does not address the root cause—the attacking IP can still target other accounts. Option B is wrong because resetting passwords for all affected accounts is a reactive, time-consuming measure that does not stop the ongoing attack from the same IP; the attacker can simply continue with new attempts. Option C is wrong because enabling multi-factor authentication (MFA) is a strong security improvement but is not an immediate action—it requires user enrollment and configuration, and it does not stop the current burst of failed login attempts from the single IP.

51
MCQhard

A security engineer is analyzing a serverless application that uses AWS Lambda. Which of the following is the most critical security concern when the function processes external input?

A.The function may be vulnerable to injection attacks if input is not sanitized
B.The function has a timeout of 5 minutes
C.The function uses environment variables for configuration
D.The function does not use a custom runtime
AnswerA

Injection attacks (e.g., command injection) are critical because they can lead to data exfiltration or code execution.

Why this answer

Option D is correct because unsanitized external input can lead to injection attacks, which are critical in serverless environments. Option A (custom runtime) is not a concern. Option B (environment variables) is a standard configuration.

Option C (timeout) is a functional setting, not a security concern.

52
MCQeasy

A security engineer must select a cryptographic algorithm to ensure non-repudiation for digitally signed documents. Which algorithm is most appropriate?

A.RSA with SHA-256
B.HMAC-SHA256
C.AES-256 in GCM mode
D.Elliptic Curve Diffie-Hellman (ECDH)
AnswerA

RSA is an asymmetric algorithm, and combined with SHA-256, it produces a digital signature that binds the signer's identity, providing non-repudiation.

Why this answer

Option D is correct because RSA with SHA-256 provides asymmetric encryption and hashing for digital signatures, ensuring non-repudiation. Option A is wrong because AES is symmetric and does not provide non-repudiation. Option B is wrong because HMAC is symmetric and does not provide non-repudiation.

Option C is wrong because ECDH is a key exchange algorithm, not a signature algorithm.

53
Multi-Selecthard

During a business continuity planning meeting, the team identifies several critical systems. Which THREE of the following are key components of a Business Impact Analysis (BIA)? (Select THREE.)

Select 3 answers
A.Mission-essential functions
B.Inventory of all hardware assets
C.Threat modeling of likely attack vectors
D.Recovery Time Objective (RTO)
E.Recovery Point Objective (RPO)
AnswersA, D, E

BIA identifies which functions are critical to the mission.

Why this answer

A BIA identifies recovery time objective (RTO), recovery point objective (RPO), and mission-essential functions. Asset inventory and threat modeling may be inputs but are not core BIA outputs.

54
MCQmedium

An organization is migrating sensitive customer data to a public cloud. Which of the following actions best demonstrates due diligence for compliance with GDPR?

A.Conducting a data protection impact assessment (DPIA).
B.Enabling server-side encryption on the cloud storage.
C.Obtaining explicit consent from all data subjects.
D.Signing a data processing agreement (DPA) with the cloud provider.
AnswerA

A DPIA is mandated by GDPR for high-risk processing and demonstrates thorough due diligence.

Why this answer

Option C is correct because a DPIA is a systematic process to identify and mitigate data protection risks, required by GDPR for cloud migrations involving sensitive data.

55
MCQmedium

A security architect reviews the iptables firewall rules above. A new web server with IP 192.168.1.100 must be reachable from the internet on ports 80 and 443. Which of the following changes is necessary to allow inbound HTTPS while maintaining security?

A.Delete rule 3 and add a rule: ACCEPT tcp from any to 192.168.1.100 dpt 80,443
B.Change rule 3 source to 0.0.0.0/0 and restrict rule 2 to a management subnet
C.Change default INPUT policy to ACCEPT and rely on application security
D.Add a new rule before rule 5: ACCEPT tcp from any to 192.168.1.100 dpt 443
AnswerB

This allows global HTTPS and secures SSH to a trusted subnet.

Why this answer

The current rule 3 only allows HTTPS from the 192.168.1.0/24 subnet. To allow from the internet, the source must be changed to 0.0.0.0/0. However, the existing SSH rule (rule 2) already allows from any source, which is a risk.

The correct action is to change rule 3's source to 0.0.0.0/0 and also restrict rule 2 to management subnet. Option A is correct. Adding a new rule would work but leave rule 3 misconfigured.

56
MCQmedium

A security analyst needs to write a script that detects changes to critical files across a fleet of Linux servers. Which approach is most efficient and secure?

A.Use a cron job on each server running a Python script that checks file hashes.
B.Enable Linux auditd on each server and forward logs to a SIEM for analysis.
C.Deploy a centralized log server and parse syslog for file modifications.
D.Use an agentless tool like OSSEC with a central manager to report file integrity changes.
AnswerD

OSSEC provides centralized, efficient monitoring.

Why this answer

Option C is correct because OSSEC provides centralized file integrity monitoring with agentless capability. Option A is distributed and harder to manage. Option B relies on syslog, which may not capture all changes.

Option D is more complex and not as efficient.

57
MCQmedium

During a risk assessment, the analyst identifies that a legacy system containing sensitive data cannot be patched due to vendor end-of-life. The system is critical to operations. Which risk treatment strategy is MOST appropriate?

A.Transfer by purchasing cyber insurance
B.Avoidance by decommissioning the system
C.Acceptance by documenting the risk
D.Mitigation by implementing compensating controls
AnswerD

Compensating controls reduce risk without removing the system.

Why this answer

Implementing compensating controls reduces the risk while allowing the system to operate. Option A may not be feasible; Option C does not reduce the risk; Option D is less proactive.

58
MCQmedium

Based on the iptables exhibit, a security analyst has received an alert that an external IP (203.0.113.5) is attempting to connect to TCP port 3389 on the server. Which of the following best describes the current rule set's treatment of this traffic?

A.The connection will be allowed through because there is no explicit DROP rule
B.The connection will be logged and then dropped by the default policy
C.The connection will be accepted because there is a LOG rule
D.The connection will be logged and then dropped by the LOG rule
AnswerB

LOG rule logs, then default policy (DROP) drops the packet.

Why this answer

The correct answer is B. The rule set has a LOG rule for tcp dpt:3389 from any source, which will log the packet but not explicitly accept or drop it; since the policy in the INPUT chain is DROP, the packet will be dropped after being logged. Option A is incorrect because the LOG rule does not drop, only logs.

Option C is incorrect because there is no ACCEPT rule for 3389. Option D is incorrect because the default policy is DROP.

59
MCQmedium

A security architect is designing a network segmentation strategy for a multi-tenant cloud environment. Which of the following is the MOST effective technique to isolate tenant workloads while maintaining manageability?

A.Host-based iptables
B.Stateful firewall rules
C.Virtual private clouds (VPCs) with separate subnets
D.VLAN tagging
AnswerC

VPCs provide scalable, logical isolation in cloud environments.

Why this answer

Virtual Private Clouds (VPCs) with separate subnets provide logical isolation at the cloud provider level, which is more manageable than VLAN tagging across physical networks. Stateful firewalls and host-based iptables are supplementary controls, not primary segmentation.

60
MCQmedium

A company uses a CI/CD pipeline with Jenkins to build and deploy containerized applications. Security scanning of container images is currently done manually after deployment, causing delays. Which of the following would be the most effective automation to improve security and efficiency?

A.Add a stage to the Jenkins pipeline that runs container image scanning using Trivy before pushing to the registry.
B.Schedule a weekly cron job to scan the container registry and generate reports.
C.Use Terraform to enforce that only images from a trusted registry are deployed.
D.Require developers to scan images locally using a Dockerfile HEALTHCHECK instruction.
AnswerA

Automated scanning in the pipeline catches vulnerabilities before deployment, enforcing security earlier.

Why this answer

Integrating image scanning into the CI pipeline ensures vulnerabilities are detected before deployment. Option C is correct because tools like Trivy or Clair can be run as pipeline stages. Option A is incorrect because relying on developers is inconsistent.

Option B is incorrect because scanning after deployment doesn't prevent vulnerabilities. Option D is incorrect because infrastructure as code does not directly address image scanning.

61
MCQeasy

A security engineer needs to implement a solution that provides both confidentiality and integrity for data at rest. Which cryptographic method BEST meets these requirements?

A.AES-256-GCM
B.SHA-256
C.Diffie-Hellman
D.RSA-2048
AnswerA

AES-256-GCM provides both encryption and authentication, satisfying confidentiality and integrity requirements.

Why this answer

AES-256-GCM is an authenticated encryption mode that provides both confidentiality (encryption) and integrity (authentication) in a single algorithm. RSA-2048 is asymmetric and does not provide data integrity directly. SHA-256 is a hash function only.

Diffie-Hellman is a key exchange protocol.

62
MCQeasy

A company is evaluating its disaster recovery plan. Which metric indicates the maximum acceptable downtime?

A.Mean Time to Repair (MTTR)
B.Recovery Point Objective (RPO)
C.Recovery Time Objective (RTO)
D.Mean Time Between Failures (MTBF)
AnswerC

RTO is the maximum acceptable downtime.

Why this answer

Option B is correct because Recovery Time Objective (RTO) defines the maximum acceptable downtime. Option A is wrong RPO defines acceptable data loss. Option C is wrong MTBF measures reliability.

Option D is wrong MTTR measures repair time.

63
MCQeasy

A security engineer is reviewing firewall logs and finds multiple failed SSH attempts from an internal IP. Which control should be implemented to reduce this risk?

A.Allow SSH only from a specific management subnet
B.Implement account lockout after 5 failed attempts
C.Install a host-based IDS on the server
D.Disable SSH and use Telnet instead
AnswerB

Account lockout prevents brute-force attacks by temporarily disabling the account.

Why this answer

Option B is correct because implementing an account lockout policy after a defined number of failed attempts (e.g., 5) directly mitigates brute-force or password-guessing attacks against SSH. This control enforces a threshold that stops automated scripts or manual attempts from continuing, reducing the risk of unauthorized access without blocking legitimate administrative traffic.

Exam trap

The trap here is that candidates often choose a network-based control like subnet restriction (Option A) because it seems logical to limit access, but they overlook that the failed attempts are already coming from an internal IP, meaning the attacker is already inside the trusted zone and subnet filtering alone will not stop the attack.

How to eliminate wrong answers

Option A is wrong because restricting SSH to a specific management subnet reduces the attack surface but does not prevent brute-force attacks from within that subnet; an attacker who compromises a machine on that subnet could still launch unlimited attempts. Option C is wrong because a host-based IDS (HIDS) can detect and alert on failed SSH attempts but does not actively prevent them; it is a detective control, not a preventive one. Option D is wrong because disabling SSH and using Telnet would increase risk, as Telnet transmits credentials and data in cleartext, making it vulnerable to sniffing and completely unacceptable in a secure environment.

64
Multi-Selectmedium

A security architect is designing a secure enclave for processing classified data. Which TWO of the following controls are essential for ensuring data confidentiality in such an enclave? (Select TWO.)

Select 2 answers
A.Data diodes for one-way data transfer from the enclave to external networks
B.Full-disk encryption on all enclave workstations
C.Physical air gap between the enclave and other networks
D.Security Content Automation Protocol (SCAP) vulnerability scanning
E.Redundant power supplies and cooling
AnswersA, B

Data diodes ensure data cannot be extracted from the enclave.

Why this answer

Full-disk encryption protects data at rest if a device is lost; data diodes ensure one-way data flow, preventing exfiltration. Option B is misleading because air gaps are common but not a 'control' per se; the question asks for controls. Option D is not essential as SCAP is for compliance assessment.

Option E is about availability, not confidentiality.

65
MCQeasy

A company is deploying a wireless network for guests. Which security measure is most important to prevent unauthorized users from accessing internal resources?

A.Use WPA2-Enterprise with 802.1X
B.Disable SSID broadcast
C.Implement MAC address filtering
D.Place the guest network on a separate VLAN with no access to internal subnets
AnswerD

VLAN segmentation restricts traffic between guest and internal networks.

Why this answer

Network segmentation ensures guests cannot reach internal systems even if they are on the same physical infrastructure.

66
MCQhard

Match each container security concept with its correct description.

A.Container runtime security
B.Image signing
C.Secrets management
D.Orchestration security
E.Enforces system call filtering and access controls at runtime
F.Ensures container images are not tampered with using cryptographic hashes
G.Safely injects credentials into containerized applications at runtime
H.Manages network segmentation and pod security policies in clusters

Why this answer

The correct pairs are: Container runtime security refers to tools like AppArmor and Seccomp that enforce system call restrictions. Image signing ensures integrity using cryptographic signatures. Secrets management involves tools like Vault to inject credentials.

Orchestration security includes network policies in Kubernetes. The PBQ requires matching each term to its description.

Exam trap

Candidates may confuse 'Image signing' with 'Vulnerability scanning' because both deal with images, but signing is about integrity, not vulnerability detection.

67
MCQmedium

Refer to the exhibit. A security analyst reviews the firewall logs and sees traffic from 192.168.1.200 to the database server 10.0.0.10 on TCP port 1433. 192.168.1.200 is not in the approved IP list for database access. What is the BEST immediate action?

A.Investigate the source host for malware
B.Disable the database server
C.Review the database access rules
D.Block the source IP on the firewall
AnswerD

Immediate containment of unauthorized access.

Why this answer

Blocking the source IP on the firewall immediately contains the potential threat. Investigation is important but secondary; reviewing rules is not immediate; disabling the server is too drastic.

68
MCQhard

A security architect is reviewing the network architecture of a financial trading system. The system uses a time-sensitive order matching engine that must process trades with minimal latency. The architect is concerned about the risk of a DDoS attack on the matching engine. Which of the following architectural changes would best mitigate DDoS risk while preserving low latency?

A.Use a cloud-based DDoS scrubbing service that only forwards clean traffic to the on-premises matching engine.
B.Deploy an intrusion prevention system (IPS) in inline mode in front of the matching engine.
C.Move the matching engine to a cloud provider with elastic scalability.
D.Implement a reverse proxy with rate limiting and IP blacklisting.
AnswerA

Scrubbing services filter attacks at the cloud edge, adding minimal latency if the provider is close to the origin; they preserve low latency for clean traffic.

Why this answer

A cloud-based DDoS scrubbing service (e.g., AWS Shield Advanced, Cloudflare Magic Transit) filters malicious traffic at the cloud edge before it reaches the on-premises matching engine. This preserves low latency because only clean, low-volume traffic is forwarded, and the scrubbing infrastructure is designed for high-throughput, low-latency processing without introducing inline inspection delays on the critical path.

Exam trap

The trap here is that candidates assume inline security controls (IPS, reverse proxy) are always appropriate, but for ultra-low-latency environments, any inline processing—even rate limiting—adds unacceptable delay, making cloud-based scrubbing the only viable option that offloads filtering without touching the critical path.

How to eliminate wrong answers

Option B is wrong because an inline IPS introduces processing latency (deep packet inspection, signature matching) that can exceed the sub-millisecond tolerance of a time-sensitive trading engine, potentially causing order timeouts. Option C is wrong because moving to a cloud provider with elastic scalability does not inherently mitigate DDoS; it only absorbs volumetric attacks by scaling out, but the matching engine itself remains a target and scaling introduces variable latency (e.g., cold starts, network jitter) unacceptable for low-latency trading. Option D is wrong because a reverse proxy with rate limiting and IP blacklisting adds a hop and processing overhead (connection termination, HTTP parsing) that increases latency, and it cannot handle large volumetric DDoS attacks without being overwhelmed itself.

69
MCQeasy

A company's risk assessment identifies that employees often use weak passwords. Which control directly addresses this risk?

A.Conduct security awareness training
B.Deploy single sign-on
C.Implement multi-factor authentication
D.Enforce a strong password policy
AnswerD

A strong password policy directly addresses weak passwords.

Why this answer

Enforcing a strong password policy directly addresses the risk of weak passwords by mandating complexity, length, and expiration requirements (e.g., minimum 12 characters, mixed case, numbers, symbols). This control reduces the likelihood of successful brute-force or dictionary attacks by increasing the entropy of user credentials. Unlike other options, it specifically targets the root cause—weak password creation—rather than adding compensating controls.

Exam trap

The trap here is that candidates confuse 'addressing the risk' with 'mitigating the impact'—MFA (Option C) reduces the impact of a weak password but does not prevent the weak password itself, which is the root cause identified in the risk assessment.

How to eliminate wrong answers

Option A is wrong because security awareness training educates users but does not technically enforce password strength; users may still choose weak passwords despite training. Option B is wrong because single sign-on (SSO) centralizes authentication but does not prevent users from creating weak passwords for the SSO identity provider or downstream systems. Option C is wrong because multi-factor authentication (MFA) adds a second factor (e.g., TOTP, SMS) but does not address the weakness of the first factor (password); a weak password can still be guessed or cracked offline, bypassing MFA in some attack scenarios (e.g., pass-the-cookie).

70
Multi-Selecteasy

A security analyst is reviewing a CI/CD pipeline configuration. The pipeline uses a containerized application and includes automated security scanning. Which TWO practices should be implemented to ensure container immutability and reduce the attack surface?

Select 2 answers
A.Run containers with read-only root filesystem.
B.Scan images for vulnerabilities at build time.
C.Use the same base image for all environments.
D.Run containers as root.
E.Store credentials in environment variables.
AnswersA, B

Enforces container immutability by preventing modifications at runtime.

Why this answer

Option B is correct because running containers with a read-only root filesystem enforces immutability, preventing any modifications at runtime. Option D is correct because scanning images for vulnerabilities at build time reduces the attack surface by catching issues before deployment. Option A is incorrect because using the same base image for all environments does not directly relate to immutability or attack surface reduction.

Option C is incorrect because storing credentials in environment variables is insecure and should be avoided. Option E is incorrect because running containers as root weakens security and increases attack surface.

71
MCQmedium

An organization is merging with another company and needs to ensure that the combined entity's security policies are aligned. Which document type should the security team prioritize to harmonize security expectations and responsibilities?

A.Disaster Recovery Plan (DRP)
B.Non-Disclosure Agreement (NDA)
C.Acceptable Use Policy (AUP)
D.Business Continuity Plan (BCP)
AnswerC

AUP sets rules for system use and user responsibilities.

Why this answer

An Acceptable Use Policy (AUP) defines acceptable behavior and responsibilities for users, making it key for harmonizing expectations. BCP focuses on continuity, DRP on recovery, and NDA on confidentiality.

72
MCQeasy

A security architect is evaluating cloud security architectures. The company requires that all data at rest in a public cloud object storage bucket be encrypted with a key that is managed by the company's own hardware security module (HSM) on-premises. Which encryption approach should the architect recommend?

A.Use envelope encryption where a cloud KMS wraps a data key, and the data key is used to encrypt the data.
B.Use server-side encryption with customer-provided keys (SSE-C).
C.Use server-side encryption with cloud provider-managed keys (SSE-S3).
D.Use client-side encryption where the application encrypts data before sending it to the cloud.
AnswerD

The company controls the encryption key entirely on-premises; the cloud only stores ciphertext.

Why this answer

Option D is correct because client-side encryption ensures the data is encrypted by the application before it is sent to the cloud, using a key managed by the company's own on-premises HSM. This approach guarantees that the cloud provider never has access to the encryption key or the plaintext data, meeting the requirement that all data at rest in the public cloud object storage bucket be encrypted with a key managed by the company's own HSM.

Exam trap

The trap here is that candidates often confuse 'customer-provided keys' (SSE-C) with true client-side key management, but SSE-C still exposes the key to the cloud provider during the encryption/decryption process, failing the requirement for the key to be managed solely by the company's own on-premises HSM.

How to eliminate wrong answers

Option A is wrong because envelope encryption with a cloud KMS still involves the cloud provider managing the key encryption key (KEK), which violates the requirement that the key be managed by the company's own on-premises HSM. Option B is wrong because server-side encryption with customer-provided keys (SSE-C) requires the customer to provide the key with each API call, but the key is temporarily stored in the cloud provider's memory for encryption/decryption, and the provider still has access to the key during the operation, failing the 'managed by the company's own HSM' requirement. Option C is wrong because server-side encryption with cloud provider-managed keys (SSE-S3) uses keys entirely managed by the cloud provider, which directly contradicts the requirement for the company to manage the key with its own HSM.

73
MCQeasy

A security analyst observes anomalous outbound network traffic from a server that normally only performs internal functions. According to the incident response plan, what should the analyst do first?

A.Follow the incident response plan
B.Contain the server by disconnecting it from the network
C.Immediately shut down the server
D.Ignore the traffic as it might be a false positive
AnswerA

The incident response plan provides procedures for initial actions, including identification and reporting.

Why this answer

Option A is correct because the first step in incident response is to follow the established plan to ensure proper handling and minimize damage. Option B is wrong because containment should follow identification and reporting. Option C is wrong because shutting down may destroy evidence.

Option D is wrong because ignoring is risky.

74
MCQmedium

A security engineer is evaluating the use of AES-256-GCM for encrypting sensitive data in transit. They note that the Additional Authenticated Data (AAD) field is empty. What is the security implication?

A.The cipher is secure, but the missing AAD may allow an attacker to replace the ciphertext with another valid ciphertext from a different context, causing a potential mix-and-match attack.
B.The cipher is still secure, but missing AAD offers no additional protection against man-in-the-middle attacks.
C.The encryption provides no authentication because AAD is missing.
D.The cipher becomes vulnerable to key recovery attacks because AAD is missing.
AnswerA

Without AAD, an attacker could take a valid ciphertext from one session and insert it into another, if the same key is used, leading to potential data confusion.

Why this answer

Option D is correct because AAD provides context binding; without it, an attacker could potentially substitute ciphertexts from different contexts. Option A is wrong because AES-256-GCM provides authentication even without AAD. Option B is wrong because the IV is not derived from the key; missing AAD does not affect key recovery.

Option C is wrong because AAD is optional but recommended; the cipher is still secure, just less context bound.

75
MCQeasy

Which of the following is the PRIMARY purpose of a business continuity plan (BCP)?

A.Assign roles for incident response.
B.Restore IT systems after a disaster.
C.Ensure critical business functions continue during a disruption.
D.Establish procedures for data backup.
AnswerC

The BCP's main goal is to maintain essential operations despite incidents.

Why this answer

Option C is correct because a BCP aims to sustain critical business processes, not just IT recovery.

Page 1 of 7

Page 2

All pages