CompTIA SecurityX CAS-004 (CAS-004) — Questions 826900

1000 questions total · 14pages · All types, answers revealed

Page 11

Page 12 of 14

Page 13
826
MCQhard

During a security assessment, the engineer discovers that a network appliance's firmware updates are signed using a 1024-bit RSA key. The appliance was manufactured in 2015. What is the primary security concern?

A.The key length is insufficient against modern attacks
B.The firmware is not encrypted
C.The signature algorithm is obsolete
D.The signing key is not rotated
AnswerA

1024-bit RSA can be broken by determined attackers; NIST recommends at least 2048 bits.

Why this answer

1024-bit RSA keys are considered weak because they can be factored with moderate computational resources, allowing an attacker to forge firmware updates. While the signature algorithm (RSA) is not obsolete, the key length is insufficient. Firmware encryption is not required for integrity; signing key rotation is secondary.

827
MCQmedium

A security architect is designing a new DMZ for an e-commerce platform. The DMZ must host a web server, an API gateway, and a database server. The architect needs to minimize the attack surface while ensuring the web server can communicate with the API gateway, and the API gateway can communicate with the database. Which network segmentation approach best meets these requirements?

A.Place all three services in the same DMZ subnet and use host-based firewalls to restrict traffic.
B.Create two DMZ subnets: one for the web server and API gateway, and another for the database server.
C.Place the web server in a DMZ subnet, the API gateway in a separate DMZ subnet, and the database server on the internal network.
D.Create three separate DMZ subnets: one for the web server, one for the API gateway, and one for the database server, with firewall rules allowing only required traffic.
AnswerD

This provides defense in depth; each tier is isolated, and only specific ports/protocols are allowed between them.

Why this answer

Option D is correct because it implements the principle of least privilege through network segmentation. By placing each service in its own DMZ subnet with firewall rules that allow only the required traffic (e.g., HTTP/HTTPS from web to API, SQL from API to database), the attack surface is minimized. This prevents lateral movement if one service is compromised, as an attacker cannot directly reach the database from the web server or the API gateway from the internet.

Exam trap

CompTIA often tests the misconception that placing the database server on the internal network (Option C) is acceptable, but in a DMZ design, any server that must be accessed from a DMZ should remain in the DMZ to avoid exposing internal network resources to potential compromise.

How to eliminate wrong answers

Option A is wrong because placing all three services in the same subnet allows unrestricted lateral movement; host-based firewalls can be bypassed if the host is compromised, and this approach does not provide network-level isolation. Option B is wrong because placing the web server and API gateway in the same subnet still exposes the API gateway to direct attack from the web server if the web server is compromised, and the database subnet is not isolated from the API gateway with sufficient granularity. Option C is wrong because placing the database server on the internal network violates the DMZ principle; the API gateway must traverse the internal firewall to reach the database, which increases the attack surface and exposes internal resources to DMZ traffic.

828
Multi-Selectmedium

A company is adopting a serverless architecture using AWS Lambda. Which of the following are security concerns specific to serverless functions? (Select TWO.)

Select 2 answers
A.Insecure deserialization of function input
B.Event injection via malformed input
C.Container escape vulnerabilities
D.Overly permissive IAM roles assigned to the function
E.SQL injection in the database
AnswersB, D

Why this answer

Event injection via malformed input (B) is a specific serverless security concern because AWS Lambda functions are triggered by events from sources like API Gateway, S3, or DynamoDB Streams. An attacker can craft malicious input that exploits the function's event-handling logic, leading to unintended execution paths or data corruption. This differs from traditional injection attacks because the event structure itself can be manipulated to bypass validation.

Exam trap

CompTIA often tests the misconception that serverless functions are immune to injection attacks because they are 'stateless' or 'event-driven,' but the trap here is that event injection is a distinct attack vector where the event structure itself is the injection surface, not just the data within it.

Why the other options are wrong

A

A general web vulnerability, not specific to serverless.

C

Serverless functions run in isolated containers, but escape is more relevant to traditional containers.

E

A general web vulnerability, not specific to serverless.

829
MCQmedium

The Docker container `myservice` has the mount configuration shown. What is the most significant security implication of this configuration?

A.The container can modify files on the host at /data/config.
B.The container has full access to the host's filesystem.
C.The container can read host files at /data/config, but not write.
D.The container can mount additional filesystems using the bind mount.
AnswerC

Read-only bind mount allows reading, no writing.

Why this answer

Option B is correct because the mount is read-only (ro), so the container can read host files but not write. Option A is false. Options C and D are incorrect as the mount is a bind mount, not allowing additional mounts or full filesystem access.

830
MCQeasy

An organization wants to reduce the attack surface of its web servers by ensuring only necessary modules are enabled. Which practice directly supports this goal?

A.Patch management
B.Application whitelisting and module disablement
C.Regular backups
D.Multi-factor authentication
AnswerB

Whitelisting and disabling unnecessary modules reduce attack surface.

Why this answer

Option A is correct because hardening includes disabling unnecessary services and modules. Option B is about patching, not reducing attack surface directly. Option C is backup strategy.

Option D is about authentication, not module reduction.

831
MCQhard

A security architect is designing a PKI for a large organization. The architect wants to ensure that private keys are stored securely and that cryptographic operations are performed in a tamper-resistant environment. Which solution should be used?

A.Trusted Platform Module (TPM)
B.Hardware Security Module (HSM)
C.Software-based keystore
D.Key Management Service (KMS) in the cloud
AnswerB

HSMs are designed for secure key generation, storage, and cryptographic operations.

Why this answer

Hardware Security Modules (HSMs) provide dedicated, tamper-resistant hardware for key storage and cryptographic operations.

832
MCQhard

A security architect is evaluating a web application that uses JSON Web Tokens (JWTs) for authentication. The application uses an RSA256 asymmetric signing algorithm. The architect discovers that the JWT library accepts tokens with the algorithm set to 'none' if the public key is not provided during verification. Which of the following attacks is most likely to succeed if the application does not enforce algorithm validation?

A.Algorithm confusion (key confusion) attack where the attacker uses the public key as an HMAC secret
B.Signature exclusion attack using the 'none' algorithm
C.Timing attack to brute-force the private key
D.Header injection attack to modify the JWT header
AnswerB

Why this answer

Option B is correct because the JWT library accepts tokens with the algorithm set to 'none' when the public key is not provided during verification. This allows an attacker to forge a JWT with the 'none' algorithm, bypassing signature verification entirely. The attack succeeds because the application fails to enforce a whitelist of allowed algorithms, as recommended by RFC 7518.

Exam trap

The CAS-004 exam often tests the distinction between algorithm confusion attacks (which involve key reuse) and signature exclusion attacks (which exploit the 'none' algorithm), and the trap here is that candidates confuse the 'none' algorithm vulnerability with the more complex key confusion attack described in option A.

Why the other options are wrong

A

This attack targets libraries that use the same key for both HMAC and RSA, but the scenario describes a library that accepts 'none' algorithm, not HMAC.

C

Timing attacks target side-channel leakage, not algorithm validation bypass.

D

Header injection is about modifying headers in requests, not exploiting JWT algorithm handling.

833
MCQhard

During a penetration test, a tester finds that an application uses server-side sessions with predictable session IDs. Which attack is this vulnerability most likely to facilitate?

A.Session fixation
B.Clickjacking
C.Session hijacking
D.CSRF
AnswerC

With predictable session IDs, an attacker can obtain a valid session and impersonate the user.

Why this answer

Predictable session IDs allow an attacker to guess or brute-force valid session tokens, leading to session hijacking. Session fixation requires the attacker to set a known session ID, not predict. CSRF and clickjacking exploit user actions, not session prediction.

834
MCQeasy

An organization is developing a SOAR playbook to handle phishing emails reported by users. Which of the following actions is most appropriate to automate in the first step of the playbook?

A.Block the sender's email address at the gateway
B.Remove the email from all user mailboxes
C.Scan the attachment in a sandbox
D.Send an alert to the SOC analyst for manual analysis
AnswerB

Removing the email from mailboxes is a containment action that limits further risk.

Why this answer

The first step in a phishing response playbook should isolate the potentially malicious email to prevent further exposure. Automating the removal of the email from all user mailboxes is a common initial containment action.

835
MCQhard

An organization is adopting a SASE architecture to provide secure access to cloud applications. Which component is essential for enforcing security policies based on user identity and device posture?

A.Zero Trust Network Access (ZTNA)
B.Firewall as a Service (FWaaS)
C.Secure Web Gateway (SWG)
D.Cloud Access Security Broker (CASB)
AnswerA

ZTNA enforces access based on user identity, device posture, and context, aligning with zero trust principles.

Why this answer

SASE converges networking and security functions. A Cloud Access Security Broker (CASB) is not part of SASE; rather, the Security Service Edge (SSE) includes SWG, CASB, ZTNA, and FWaaS. The question specifically asks for identity- and device-based policy enforcement, which is a key function of ZTNA.

836
MCQhard

After containing a confirmed security incident, the incident response team must plan for eradication. What must be done before eradication begins?

A.Conduct a full forensic analysis of all systems
B.Determine the root cause of the incident
C.Begin eradication immediately to minimize dwell time
D.Notify law enforcement agencies
AnswerB

Root cause analysis ensures eradication addresses the entry point and method.

Why this answer

Option C is correct because understanding the root cause ensures complete removal of the threat and prevents re-infection. Option A is wrong that eradication is the next step after containment; root cause analysis is critical. Option B is wrong because forensics can be done during or after eradication.

Option D is wrong because notifying law enforcement is optional and not a prerequisite.

837
MCQmedium

A security analyst is reviewing the results of a vulnerability scan and identifies a critical vulnerability in a legacy application that cannot be patched because it is no longer supported by the vendor. The application is critical for business operations. Which of the following risk treatment strategies should the organization implement?

A.Risk transfer by purchasing cyber insurance to cover potential losses.
B.Risk mitigation by applying a vendor-supplied patch.
C.Risk avoidance by decommissioning the application and migrating to a new system.
D.Risk acceptance with compensating controls such as network segmentation and strict access controls.
AnswerD

Acceptance acknowledges the residual risk, and compensating controls reduce likelihood/impact.

Why this answer

Option D is correct because when a legacy application cannot be patched due to vendor end-of-life, the organization must accept the residual risk while implementing compensating controls. Network segmentation (e.g., VLANs, ACLs) and strict access controls (e.g., least privilege, MFA) reduce the attack surface and contain potential exploitation, aligning with the risk acceptance strategy under the NIST SP 800-37 risk management framework.

Exam trap

The trap here is that candidates often confuse risk acceptance with doing nothing, but in CAS-004, risk acceptance requires documented compensating controls to reduce residual risk to an acceptable level, not simply ignoring the vulnerability.

How to eliminate wrong answers

Option A is wrong because risk transfer via cyber insurance does not reduce the likelihood or impact of a vulnerability being exploited; it only provides financial reimbursement after a breach, leaving the technical exposure unaddressed. Option B is wrong because a vendor-supplied patch is unavailable by definition (the application is no longer supported), making risk mitigation via patching impossible. Option C is wrong because risk avoidance by decommissioning the application would halt critical business operations, which is not feasible; the question explicitly states the application is critical for business operations.

838
Multi-Selecteasy

A security engineer is hardening a Linux server. Which TWO of the following are best practices for preventing privilege escalation attacks?

Select 2 answers
A.Disable all user accounts except root
B.Apply kernel hardening with sysctl
C.Enable SELinux in enforcing mode
D.Remove the SUID bit from all binaries
E.Restrict cron jobs to root only
AnswersB, C

Kernel hardening parameters (e.g., disabling IP forwarding) reduce attack surface.

Why this answer

Options B and E are correct. SELinux (B) provides mandatory access control that restricts processes, and kernel hardening with sysctl (E) reduces the attack surface. Option A is incorrect because removing all SUID bits may break essential system functionality.

Option C is incorrect because disabling all non-root user accounts is impractical and violates least privilege. Option D is incorrect because restricting cron jobs to root only is not directly related to privilege escalation prevention.

839
Multi-Selectmedium

An IoT device uses a Trusted Platform Module (TPM) 2.0 for secure boot and attestation. Which THREE of the following functions does the TPM provide to support these security features?

Select 3 answers
A.Accelerated symmetric encryption
B.Platform Configuration Registers (PCRs) for storing measurements
C.Hardware random number generation
D.Sealed storage that decrypts data only if PCR values match expected measurements
E.Remote attestation using TPM_Quote to sign PCR values
AnswersB, D, E

PCRs store hash measurements of boot components.

Why this answer

TPM 2.0 provides secure boot (via PCR measurement), remote attestation (via quote operation), and sealed storage (binding data to PCR values). Measured boot is a process that uses TPM to record measurements.

840
MCQmedium

During a penetration test, the tester has gained initial access to a system and wants to escalate privileges. Which of the following techniques is most likely to be effective for privilege escalation on a Windows system?

A.Using Mimikatz to extract plaintext passwords from memory
B.Exploiting a local privilege escalation vulnerability like CVE-2023-xxxx
C.Scanning for open ports on the network
D.Performing a phishing attack on the domain administrator
AnswerB

Local exploits can elevate from user to admin/system.

Why this answer

Exploiting a kernel vulnerability or a misconfigured service is a common privilege escalation technique. Token manipulation and DLL hijacking are also methods, but kernel exploits are direct.

841
MCQeasy

Which of the following best describes the security benefit of using an API gateway in a microservices architecture?

A.It eliminates the need for input validation in individual microservices
B.It encrypts all data between the client and server using mTLS
C.It enforces security policies such as authentication and rate limiting centrally
D.It automatically load balances traffic to ensure high availability
AnswerC

The gateway centralizes cross-cutting security concerns, providing a single enforcement point.

Why this answer

An API gateway acts as a reverse proxy that can enforce security policies such as authentication, rate limiting, input validation, and logging. It centralizes security controls, reducing the attack surface. Client-side code does not run on the gateway.

Encryption is handled by TLS. It manages traffic but does not automatically load balance without configuration.

842
MCQhard

A security engineer is troubleshooting a web application that uses OAuth 2.0 for authorization. Users report that after authenticating, they are unable to access resources that require a specific scope. The engineer inspects the authorization request and finds that the scope parameter is missing. Which OAuth flow is most likely being used?

A.Client credentials grant
B.Authorization code grant
C.Resource owner password credentials grant
D.Implicit grant
AnswerD

Implicit grant does not support scope parameter; scopes are typically fixed in client configuration.

Why this answer

The implicit grant flow in OAuth 2.0 does not require the client to include the scope parameter in the authorization request; the access token is returned directly in the URL fragment without a separate token endpoint call. When the scope parameter is missing, the authorization server may issue a token with a default or limited scope, causing users to be unable to access resources that require a specific scope. This matches the described symptom, making the implicit grant the most likely flow in use.

Exam trap

The CAS-004 exam often tests the misconception that the scope parameter is always mandatory in all OAuth flows, but the implicit grant allows it to be optional, leading candidates to incorrectly select the authorization code grant.

How to eliminate wrong answers

Option A is wrong because the client credentials grant is used for server-to-server communication without user involvement, and the scope parameter is typically required and validated; missing scope would result in an error, not a token with insufficient scope. Option B is wrong because the authorization code grant requires the client to include the scope parameter in the authorization request, and the authorization server validates it before issuing the code; a missing scope would cause the request to fail or return an error. Option C is wrong because the resource owner password credentials grant requires the client to send the scope parameter along with the username and password; omitting it would lead to a token with default scope or an error, not the described behavior.

843
MCQmedium

A security architect is evaluating a SASE solution. Which component of SASE is primarily responsible for inspecting encrypted traffic for threats?

A.Zero Trust Network Access (ZTNA)
B.Next-generation firewall (NGFW)
C.Secure web gateway (SWG)
D.SD-WAN edge
AnswerC

Correct – SWG performs deep packet inspection on encrypted traffic.

Why this answer

SASE integrates SWG (Secure Web Gateway) for web filtering and threat inspection, including decryption and inspection of TLS traffic.

844
MCQmedium

In a CI/CD pipeline, a security gate fails because a high-severity vulnerability is found in the base image of a container. The pipeline is configured to block deployment on such findings. What is the appropriate remediation step?

A.Update the base image to a patched version
B.Override the security gate and proceed with deployment
C.Rebuild the image using the same base image
D.Add the vulnerability to an exception list
AnswerA

Using a patched base image resolves the vulnerability.

Why this answer

Updating the base image to a patched version ensures the vulnerability is fixed. Overriding the gate or adding exceptions bypasses security, and rebuilding with the same base retains the issue.

845
MCQhard

The engineer needs to prevent brute-force attacks while allowing legitimate access. Which security control is MOST effective?

A.Disable root login
B.Change SSH port to 2222
C.Implement fail2ban with a threshold of 5 attempts per minute
D.Implement IP whitelist for 10.0.0.0/8
AnswerC

Fail2ban automatically blocks offending IPs after exceeding the threshold, allowing legitimate traffic.

Why this answer

Fail2ban dynamically blocks IP addresses after a configurable number of failed attempts, stopping brute-force while allowing legitimate users (e.g., 10.0.0.50) to connect. Disabling root login only prevents root access but not attacks on other users. Changing the SSH port is security by obscurity.

IP whitelisting for 10.0.0.0/8 would block all other legitimate users and is not flexible.

846
MCQmedium

A company is migrating its workloads to a public cloud and wants to ensure it understands the division of security responsibilities. Which model defines the demarcation of security controls between the cloud provider and the customer?

A.Cloud Security Posture Management (CSPM)
B.Zero trust architecture
C.Cloud Access Security Broker (CASB)
D.Shared responsibility model
AnswerD

This model defines security responsibilities between provider and customer.

Why this answer

The shared responsibility model clearly delineates which security tasks are handled by the cloud provider and which by the customer, varying by service type (IaaS, PaaS, SaaS).

847
Multi-Selecthard

During a penetration test, the tester has gained initial access to a web server and wants to perform lateral movement to reach a database server. The tester enumerates the network and finds that the web server has two network interfaces: one connected to a DMZ and one to an internal network. The database server is on the internal network. Which TWO techniques could the tester use to pivot from the web server to the database server? (Choose TWO.)

Select 2 answers
A.Use SSH tunneling to create a local forward to the database server's port
B.Perform a SQL injection attack against the database server
C.Deploy a reverse shell from the web server to the tester's machine
D.Install a keylogger on the web server to capture database credentials
E.Use Metasploit's route add command to add a route to the internal subnet through the web server
AnswersA, E

SSH tunneling can forward local ports to internal services.

Why this answer

Pivoting techniques include using the compromised host as a proxy to route traffic and port forwarding to tunnel to internal systems. SSH tunneling and Metasploit's pivot module are common. A reverse shell is for initial access, not pivoting.

SQL injection is for initial compromise, not lateral movement.

848
MCQmedium

A security architect is designing a new authentication system for a cloud-based application that requires strong multi-factor authentication. The solution must be resistant to phishing attacks and not rely on shared secrets. Which of the following is the BEST choice?

A.HOTP with a hardware token
B.FIDO2/WebAuthn
C.TOTP via a mobile authenticator app
D.SMS one-time passcodes
AnswerB

FIDO2/WebAuthn provides phishing-resistant, passwordless authentication using public key cryptography.

Why this answer

FIDO2/WebAuthn is a passwordless authentication protocol that uses public key cryptography and is resistant to phishing because the private key never leaves the user's device.

849
MCQeasy

A security architect reviews this Cisco router ACL configuration. The web server at 192.168.1.100 is accessible from the internet. What additional security measure should be implemented to protect the internal network (10.0.0.0/24)?

A.Remove the log statement from the deny rules to improve performance
B.Add an ACL on GigabitEthernet0/1 to limit outbound traffic to web ports only
C.Replace the ACLs with a stateful firewall that inspects connection states
D.Apply the same OUTSIDE_IN ACL to GigabitEthernet0/1 inbound
AnswerC

A stateful firewall provides deeper inspection and can prevent various attacks.

Why this answer

The INSIDE_OUT ACL allows all traffic from the internal network to any destination, including potentially malicious outbound connections. Implementing a stateful firewall would track connection states and provide better inspection. Egress filtering could be added, but stateful inspection is more comprehensive.

The OUTSIDE_IN ACL only allows inbound web traffic, which is good. The missing piece is stateful awareness to prevent internal hosts from initiating connections to malicious external hosts.

850
MCQmedium

Refer to the exhibit. A security engineer is reviewing an X.509 certificate used for TLS. Which security concern should the engineer identify?

A.The certificate uses the SHA-1 hash algorithm
B.The RSA key length is 2048 bits
C.The certificate is self-signed
D.The validity period is only one year
AnswerA

SHA-1 is considered broken and should not be used for digital signatures.

Why this answer

The certificate uses SHA-1 as the signature algorithm, which is cryptographically weak and deprecated by major browsers and industry standards. Self-signed would show issuer == subject, key length 2048 is acceptable, and one-year validity is normal.

851
MCQhard

An OpenVPN configuration file is shown. A security auditor recommends replacing the cipher and auth directives. Which of the following is the BEST replacement pair from a security engineering perspective?

A.cipher AES-256-GCM and auth SHA256
B.cipher AES-128-GCM and auth SHA384
C.cipher 3DES-168 and auth MD5
D.cipher Blowfish-128 and auth SHA1
AnswerA

AES-256-GCM is an AEAD cipher that includes authentication, so the auth directive becomes unnecessary; however, OpenVPN allows both. This is a secure modern combination.

Why this answer

Option C is correct because AES-256-GCM is an AEAD cipher that provides both encryption and authentication, and TLS 1.3 uses AEAD. Option A is wrong because the configuration already uses SHA256 for auth; adding HMAC is redundant but not best. Option B is wrong because Blowfish is outdated and DES is weak.

Option D is wrong because 3DES is weak and MD5 is deprecated.

852
MCQhard

A company's security team is reviewing the integration of a legacy application that only supports NTLM authentication. The infrastructure must be updated to meet modern security standards. Which of the following is the BEST approach to mitigate the risk of using NTLM?

A.Place the application on an isolated network segment and restrict access with IP whitelisting.
B.Deploy an authentication federation service that translates modern Kerberos/SAML to NTLM for the legacy application.
C.Apply vendor patches to upgrade NTLM to NTLMv2 and enable extended protection for authentication.
D.Disable NTLM and force the application to use Kerberos directly.
AnswerB

A federation service (e.g., ADFS with NTLM fallback) allows the application to use modern authentication while the broker handles the legacy protocol, reducing risk.

Why this answer

Option D is correct because extending the application's authentication to support Kerberos or modern SSO via a federation service like ADFS or SAML proxy allows the legacy app to use modern authentication without modifying the app. Option A is wrong because network isolation does not address the weakness of NTLM in the authentication protocol. Option B is wrong because disabling NTLM would break the application.

Option C is wrong because applying patches may not be possible if the application is no longer supported, and NTLMv2 is still vulnerable.

853
Multi-Selecteasy

Which TWO of the following are examples of compensating controls for a security control deficiency?

Select 2 answers
A.Increasing logging and monitoring.
B.Implementing stricter access controls.
C.Accepting the risk.
D.Purchasing cyber insurance.
E.Re-architecting the network.
AnswersA, B

Enhanced monitoring can detect unauthorized activities that a deficient control might not prevent.

Why this answer

Compensating controls are alternative measures that mitigate the risk from a primary control failure; stricter access and enhanced monitoring are good examples.

854
MCQmedium

A company runs a containerized application in a Kubernetes cluster. After a penetration test, the security team found that several containers are running with root privileges and have unnecessary packages installed. To reduce the attack surface, the team wants to enforce least privilege and minimize the software footprint. Which action should be taken first to address these findings?

A.Apply SELinux labels to restrict container capabilities
B.Rebuild the container images using minimal base images and remove unnecessary packages
C.Configure the containers to run as non-root user and use read-only filesystems
D.Implement network policies to limit lateral movement between pods
AnswerB

Minimal images reduce attack surface by eliminating unnecessary components.

Why this answer

Using minimal base images (e.g., Alpine or distroless) reduces the attack surface by removing unnecessary tools and libraries. Option B is incorrect because running containers as non-root is important but does not address unnecessary packages. Option C is incorrect because read-only filesystems improve security but do not reduce the number of packages.

Option D is incorrect because network policies control traffic but not container privileges or packages.

855
Multi-Selectmedium

A security team is developing a data classification policy. Which TWO of the following elements should be included in the policy to ensure effective data governance?

Select 2 answers
A.Handling requirements for each classification level, including storage and transmission
B.Data retention and disposal schedules
C.Encryption algorithms to be used for data at rest
D.Data loss prevention (DLP) rules
E.Criteria for classifying data into categories such as public, internal, confidential
AnswersA, E

Specifies how data should be protected based on classification.

Why this answer

Option A is correct because a data classification policy must define handling requirements for each classification level, specifying how data should be stored, transmitted, and accessed. This ensures consistent protection controls are applied based on sensitivity, which is a core governance principle. Without these requirements, data may be mishandled, leading to compliance violations or data breaches.

Exam trap

CompTIA often tests the distinction between policy elements (what the policy should contain) and derived controls (e.g., DLP rules, encryption algorithms), leading candidates to confuse operational implementation details with foundational policy components.

856
MCQhard

A multinational corporation is implementing a data classification scheme. Which of the following data types should be classified as 'restricted'?

A.Internal meeting minutes
B.Customer PII with legal requirements
C.Employee training materials
D.Marketing brochures
AnswerB

PII with regulatory requirements is often classified as restricted.

Why this answer

Restricted data typically includes information that could cause severe damage if disclosed, such as trade secrets, intellectual property, or personally identifiable information (PII) that is heavily regulated. Public data is for public release. Internal data is for internal use only.

Confidential data is sensitive but less critical than restricted.

857
MCQeasy

Which of the following is a cloud-native security control provided by a cloud service provider to manage user permissions and access to resources?

A.Virtual Private Cloud (VPC)
B.CloudTrail
C.Key Management Service (KMS)
D.Identity and Access Management (IAM)
AnswerD

IAM controls authentication and authorization for cloud resources.

Why this answer

Identity and Access Management (IAM) is a fundamental cloud service for managing users, roles, and permissions.

858
Multi-Selectmedium

A security architect is designing a cloud-native application that must comply with GDPR data residency requirements. Which TWO of the following measures should the architect implement? (Choose two.)

Select 2 answers
A.Deploy the application in a single region to simplify compliance
B.Store data only in approved geographical locations
C.Use data loss prevention (DLP) policies to monitor data transfers
D.Encrypt data at rest and in transit
E.Implement data classification and labeling
AnswersB, D

Ensuring data is stored only in approved regions directly enforces data residency.

Why this answer

Encrypting data at rest and in transit (C) and storing data only in approved geographical locations (E) are direct controls for GDPR data residency. DLP (A) is detective, single-region deployment (B) may affect availability, and data classification (D) is not specific to residency.

859
MCQmedium

A security analyst is reviewing CVSS scores for vulnerabilities in the environment. A vulnerability has a base score of 9.0, but the organization has a compensating control that reduces the likelihood of exploitation. The analyst adjusts the score to 6.0 for prioritization. Which CVSS metric group did the analyst modify?

A.Base
B.Vector
C.Environmental
D.Temporal
AnswerC

Environmental metrics adjust for local controls and asset criticality.

Why this answer

The environmental score allows customization based on the organization's environment, including compensating controls.

860
MCQmedium

Which of the following is a key difference between compliance and security?

A.Compliance is voluntary, security is mandatory
B.Compliance is proactive, security is reactive
C.Security only applies to technical controls, compliance to administrative
D.Compliance typically represents a minimum bar, while security seeks best practice
AnswerD

Correct. Compliance is about meeting minimum requirements; security goes beyond.

Why this answer

Compliance focuses on meeting minimum legal or regulatory requirements, while security aims for best practices to protect assets beyond what is required.

861
Multi-Selecthard

A security analyst is investigating a potential advanced persistent threat (APT) that has been evading traditional detection. The analyst decides to use User and Entity Behavior Analytics (UEBA) to identify anomalous activity. Which TWO of the following activities would be most indicative of a potential compromise when analyzed through UEBA? (Choose TWO.)

Select 2 answers
A.A service account authenticating to a database server every 5 minutes
B.A user logging in from a remote location at 3:00 AM, which is outside their normal working hours
C.A user accessing a large number of files on a file server that they do not normally access
D.A user connecting to the corporate VPN from a hotel during a business trip
E.An administrator running a scheduled antivirus scan on a server
AnswersB, C

Off-hours access is a common indicator of compromise.

Why this answer

UEBA detects deviations from normal behavior. A user logging in at unusual hours and accessing large volumes of data are common anomalies. Running scheduled antivirus scans and normal VPN access are expected behaviors.

862
Multi-Selectmedium

A security architect is designing a secure wireless network for a government facility. Which TWO of the following measures should be implemented to ensure the highest level of security? (Select TWO.)

Select 2 answers
A.Use WPA2-PSK with a strong pre-shared key
B.Implement a captive portal with social login
C.Disable SSID broadcast on the access points
D.Use WPA3-Enterprise with EAP-TLS for authentication
E.Enable MAC address filtering on the access points
AnswersC, D

Disabling SSID broadcast can deter casual discovery, though it is not a primary control.

Why this answer

WPA3-Enterprise with EAP-TLS is the most secure for authentication and encryption, and disabling SSID broadcast hides the network from casual scanning, though it is not a strong security measure. MAC filtering is easily spoofed. WPA2-PSK is less secure.

Captive portals do not provide strong access control.

863
MCQmedium

A company is deploying IoT sensors in a harsh environment. The sensors have limited processing power and memory. Which of the following cryptographic algorithms is most suitable for ensuring data confidentiality with minimal overhead?

A.RSA-4096
B.ChaCha20-Poly1305
C.SHA-256
D.AES-256-GCM
AnswerB

ChaCha20 is designed for high performance in software and has low memory footprint, ideal for IoT.

Why this answer

ChaCha20-Poly1305 is a stream cipher that is fast in software, especially on devices without AES hardware acceleration, and provides authenticated encryption with low overhead.

864
MCQmedium

A developer is using a third-party library with a known vulnerability. The vulnerability has a CVSS score of 9.8 and an exploit is publicly available. Which of the following is the most immediate course of action?

A.Update the library to the patched version if available
B.Contact the vendor for a patch
C.Remove the library and rewrite functionality
D.Implement a WAF rule to block exploitation
AnswerA

Updating to the latest patched version directly removes the vulnerability.

Why this answer

Option D is correct because updating to the patched version is the most immediate and effective fix. Option A (WAF rule) is a workaround, not a fix. Option B (contact vendor) delays, and a patch may already exist.

Option C (rewrite) is too drastic if a patch is available.

865
Multi-Selecthard

A senior security architect is designing a detection strategy for advanced persistent threats (APTs) that employ living-off-the-land (LotL) techniques. Which THREE of the following approaches are most effective for detecting LotL activities? (Choose three.)

Select 3 answers
A.User and Entity Behavior Analytics (UEBA)
B.Deploying honeytokens and honeypots
C.Signature-based detection on malicious file hashes
D.Monitoring for native tool usage with EDR and logging command-line arguments
E.Blocking all scripts and macros by default
AnswersA, B, D

UEBA can establish baselines and detect deviations, such as an admin using PowerShell in an unusual way.

Why this answer

LotL attackers use legitimate tools to avoid detection. Behavioral analytics can detect unusual usage patterns of native tools. Deception technologies can lure attackers into revealing themselves.

Endpoint detection and response (EDR) that monitors process behavior can detect anomalies like PowerShell executing scripts from unusual locations.

866
MCQeasy

Which of the following certificate types is most appropriate for an organization that needs to validate the identity of individuals for email encryption and signing?

A.S/MIME certificate
B.Domain Validation (DV) certificate
C.Client authentication certificate
D.Code signing certificate
AnswerA

S/MIME certificates are used for email signing and encryption.

Why this answer

S/MIME certificates are specifically designed for securing email. Client certificates are for authentication. Code signing is for software.

DV certificates are for websites.

867
Multi-Selecthard

An organization is implementing a PKI with a three-tier hierarchy (root CA, intermediate CA, issuing CA). The security team wants to ensure that certificate revocation information is available quickly and efficiently. Which TWO mechanisms should they implement? (Select TWO.)

Select 2 answers
A.OCSP stapling
B.Delta CRLs
C.Certificate Transparency (CT) logs
D.CRL distribution points (CRL DP)
E.OCSP responders
AnswersD, E

CRLs provide a list of revoked certificates.

Why this answer

CRL and OCSP are standard revocation mechanisms. Certificate transparency (CT) logs are for auditing, not real-time revocation. Delta CRLs are more efficient for frequent updates.

OCSP stapling reduces load on OCSP responders.

868
MCQeasy

An organization wants to enforce that only signed container images are deployed in production. Which of the following should be implemented?

A.Network policies
B.Container runtime security (e.g., seccomp)
C.Image signing and verification in the registry
D.Admission controllers
AnswerC

Image signing ensures integrity and authenticity; verifying signatures before deployment enforces only signed images.

Why this answer

Image scanning verifies signatures and checks for vulnerabilities; however, to enforce only signed images, the registry must require signature verification.

869
MCQmedium

Based on the exhibit, what vulnerability is present in the firewall rule?

A.Overly permissive service specification
B.Source IP range is too broad
C.No logging is enabled
D.Missing application ID control
AnswerA

Allowing 'any' service gives full access to all ports and protocols.

Why this answer

Option D is correct because allowing 'any' service is overly permissive. Option A is wrong a /24 is a specific range, not too broad. Option B is wrong logging is not shown but not a vulnerability.

Option C is wrong application ID is not relevant to the rule.

870
MCQhard

A security engineer needs to deploy a host-based intrusion detection system (HIDS) on a critical Linux server without impacting performance. Which configuration is MOST appropriate?

A.Install OSSEC agent with file integrity monitoring and log analysis only.
B.Install Snort in inline mode on the server.
C.Enable Windows Defender on the Linux server.
D.Deploy ClamAV with real-time scanning and OSSEC.
AnswerA

OSSEC is a well-known HIDS that can be configured minimally for performance.

Why this answer

Option A is correct because OSSEC with file integrity monitoring and log analysis is lightweight and suitable for critical servers. Option B uses a network-based tool not host-based. Option C includes antivirus which is resource-intensive.

Option D is a SIEM, not a HIDS agent.

871
MCQhard

Based on the exhibit, which type of attack is most likely occurring?

A.Pass-the-hash attack
B.Account lockout attack
C.Replay attack
D.Brute force password guessing
AnswerD

The rapid succession of authentication failures for the root user indicates an attempt to guess the password.

Why this answer

The exhibit shows a high number of failed authentication attempts (e.g., Event ID 4625) from a single source IP against multiple user accounts over a short period. This pattern is characteristic of a brute force password guessing attack, where an attacker systematically tries common passwords against many accounts to gain unauthorized access. The absence of successful logins or account lockouts further supports this conclusion.

Exam trap

The CAS-004 exam often tests the distinction between a brute force attack (many passwords, one account) and a password spraying attack (one password, many accounts), and the trap here is confusing the high volume of failed logins with a replay or pass-the-hash attack, which would show successful authentication or token reuse instead of repeated failures.

How to eliminate wrong answers

Option A is wrong because a pass-the-hash attack uses captured NTLM or Kerberos hashes to authenticate without knowing the plaintext password, and the exhibit shows failed logins with incorrect passwords, not hash reuse. Option B is wrong because an account lockout attack would trigger Event ID 4740 (account locked out) after exceeding the lockout threshold, but the exhibit shows only failed logins without lockout events. Option C is wrong because a replay attack involves capturing and retransmitting valid authentication tokens (e.g., Kerberos TGT or NTLM challenge-response), not repeated failed password attempts.

872
Multi-Selecteasy

Which TWO of the following are primary goals of security operations monitoring? (Choose two.)

Select 2 answers
A.Automate patch deployment
B.Maintain situational awareness of the security posture
C.Conduct vulnerability scans
D.Ensure compliance with regulatory standards
E.Detect security incidents in near real-time
AnswersB, E

Situational awareness is a key outcome of monitoring.

Why this answer

Options A and D are correct. Detection of security incidents and maintaining situational awareness are core monitoring goals. Compliance (B) is a secondary benefit, and vulnerability scanning (C) is a separate process.

873
MCQeasy

A developer is writing a mobile app that stores sensitive user data locally on the device. Which is the best practice for protecting the data at rest?

A.Use SQLite without encryption
B.Use the device's keychain/keystore with encryption
C.Store data in a remote database only
D.Store data in plain XML files
AnswerB

Keychain/keystore uses hardware-backed encryption for secure local storage.

Why this answer

Option A is correct because using the device's keychain/keystore provides encrypted storage. Option B (plain XML) is insecure; Option C (SQLite without encryption) exposes data; Option D (remote database only) prevents offline access and may not be feasible.

874
MCQhard

A financial institution manages customer data through a web application built on a LAMP stack. The application uses a third-party library for PDF generation that was patched last year. Recently, the security team discovered that an attacker exploited an unpatched vulnerability in the library to execute arbitrary code on the server. The library vendor has released an update, but the development team is concerned that updating the library will break several custom features that rely on its internal API. The CIO wants to minimize risk while maintaining business continuity. The application is critical to daily operations, and any downtime would result in significant revenue loss. Which course of action should the security analyst recommend?

A.Disable the PDF generation feature entirely until the library can be updated in the next quarterly release
B.Deploy a virtual private network (VPN) for all access to the server and restrict input to only trusted IPs
C.Implement a web application firewall (WAF) with a custom rule to block known attack patterns against the library, and then schedule the patch for the next maintenance window
D.Immediately apply the vendor's patch and then test all features in a staging environment for a month before production rollout
AnswerC

WAF provides virtual patching to block exploits while the team tests the update.

Why this answer

Option C is correct because deploying a WAF with custom rules provides virtual patching, reducing risk immediately while allowing time for thorough testing of the library update. Option A (immediate patch) could break features without adequate testing. Option B (VPN) does not address the vulnerability.

Option D (disable PDF generation) removes functionality, impacting business operations.

875
MCQeasy

Refer to the exhibit. A security architect is reviewing this S3 bucket policy. Which of the following security concerns is MOST evident?

A.The policy denies all write access
B.The policy allows public read access
C.The policy uses an outdated version
D.The policy lacks encryption
AnswerB

The wildcard principal '*' allows any anonymous user to read objects.

Why this answer

The policy allows anonymous principals ('*') to perform 's3:GetObject' on all objects in the bucket, making the bucket publicly readable. This is a serious data exposure risk. The policy version is 2012-10-17 which is current, and encryption is not addressed in this policy.

876
MCQeasy

A SOC analyst receives an alert indicating that a workstation has been making outbound connections to a known command-and-control (C2) IP address. The analyst initiates the incident response process. Which of the following should be the FIRST action taken?

A.Run a full antivirus scan on the affected workstation.
B.Notify the organization's management and legal team.
C.Delete the suspicious files identified by the antivirus.
D.Isolate the workstation from the network.
AnswerD

Isolation stops the immediate threat and prevents spread.

Why this answer

The first priority in incident response is to contain the threat to prevent further damage. Option D, isolating the workstation, stops the C2 communication and limits lateral movement. Option A (notifying management) is important but not first.

Option B (deleting files) is premature without analysis. Option C (running AV) is reactive and may alert the attacker.

877
MCQmedium

A financial institution is required to comply with SOX. Which of the following is a primary focus of this regulation?

A.Privacy of personal data for EU citizens
B.Accuracy of financial reporting and internal controls
C.Security of health information
D.Protection of cardholder data
AnswerB

Correct: SOX mandates controls to ensure financial reporting accuracy.

Why this answer

SOX focuses on financial reporting accuracy and internal controls over financial reporting.

878
MCQhard

A security auditor reviews this Kubernetes pod configuration. Which security vulnerability is most critical?

A.The container image is from a public registry and should use a private one.
B.The container runs as non-root, but root access is required for certain operations.
C.The container allows privilege escalation, which should be disabled.
D.The hostPath volume mount provides direct filesystem access to the host, enabling potential container escape.
AnswerD

HostPath mounts give the container access to the host filesystem; if compromised, the attacker can manipulate host files.

Why this answer

The pod mounts a hostPath volume, which allows the container to access and potentially modify host filesystem, leading to container escape. Option C is correct. Options A and B are mitigated by the security context.

Option D is false.

879
MCQmedium

A security engineer is reviewing the configuration of a web application firewall (WAF) that protects a public-facing e-commerce site. The site has been experiencing intermittent false positives that block legitimate customers during checkout. The WAF is deployed in blocking mode with a rule set that includes SQL injection and cross-site scripting (XSS) signatures. The engineer notices that legitimate credit card numbers containing the string 'OR' are being blocked. The site uses HTTPS and input validation on the server side. Which of the following actions would BEST resolve the false positives while maintaining security?

A.Remove the WAF and rely on server-side input validation alone.
B.Disable the specific signature that matches the string 'OR' in the SQL injection rule set.
C.Change the WAF from blocking mode to detection mode.
D.Add a custom rule to allow all traffic to the checkout page.
AnswerB

This targets the exact cause of false positives while keeping other protections active.

Why this answer

Option B is correct because the false positive is caused by a specific SQL injection signature that matches the string 'OR' within legitimate credit card numbers. Disabling only that signature preserves the WAF's protection against actual SQL injection and XSS attacks while eliminating the false positive. The server-side input validation and HTTPS provide additional layers of defense, so removing the entire rule or switching to detection mode would unnecessarily weaken security.

Exam trap

CompTIA often tests the misconception that switching to detection mode or disabling the entire rule set is a safe compromise, but the correct approach is to surgically disable only the offending signature to balance security and usability.

How to eliminate wrong answers

Option A is wrong because removing the WAF entirely eliminates a critical defense layer, leaving the site vulnerable to attacks that server-side input validation might miss (e.g., bypasses via encoding or logic flaws). Option C is wrong because changing to detection mode would log but not block attacks, failing to protect the site during checkout and violating the requirement to maintain security. Option D is wrong because adding a custom rule to allow all traffic to the checkout page disables all WAF protections for that endpoint, exposing it to SQL injection, XSS, and other threats.

880
Multi-Selecteasy

Which THREE components are essential for a fully functional Security Operations Center (SOC)? (Select exactly 3.)

Select 3 answers
A.Incident response team
B.VPN concentrator
C.Security Information and Event Management (SIEM) system
D.Firewall
E.Standard operating procedures and playbooks
AnswersA, C, E

People are essential for investigation and response.

Why this answer

Options A, C, and E are correct because SIEM for correlation, incident response team, and playbooks are core. Option B is a security control but not a SOC component. Option D is network infrastructure.

881
Multi-Selecteasy

A security team is evaluating endpoint detection and response (EDR) solutions. They want a solution that can detect fileless malware and malicious PowerShell scripts. Which TWO capabilities should the team prioritize? (Choose TWO.)

Select 2 answers
A.Signature-based detection of known malware
B.Network traffic analysis for C2 communication
C.Behavioral monitoring of script execution (e.g., PowerShell)
D.Automated firewall rule creation
E.Memory scanning capabilities
AnswersC, E

Monitoring script behavior can detect malicious activities.

Why this answer

Fileless malware often lives in memory and uses scripting. Memory scanning and script monitoring are key. Signature-based detection may miss fileless attacks.

Firewall rules are unrelated.

882
MCQhard

An organization is evaluating its cloud service provider's security posture as part of third-party risk management. Which regulatory framework requires the organization to ensure that the provider has appropriate technical and organizational measures to protect personal data?

A.PCI DSS
B.SOX
C.GDPR
D.HIPAA
AnswerC

GDPR requires data processors to have appropriate measures.

Why this answer

GDPR Article 28 explicitly requires data processors to implement appropriate technical and organizational measures. PCI DSS focuses on cardholder data, SOX on financial controls, and HIPAA on healthcare data.

883
MCQeasy

A security architect needs to protect sensitive data in use within a server's memory from other processes. Which technology should be implemented?

A.Secure Boot
B.Trusted Platform Module (TPM)
C.Intel Software Guard Extensions (SGX)
D.Hardware Security Module (HSM)
AnswerC

SGX creates secure enclaves in memory, protecting data in use from other processes and the host OS.

Why this answer

Intel SGX provides hardware-based memory encryption that isolates code and data in enclaves, protecting data in use from other processes. TPM is for attestation and key storage, HSM for dedicated cryptographic operations, and Secure Boot for boot integrity.

884
MCQeasy

A security analyst is collecting evidence from a compromised workstation. Which of the following should be collected first to preserve volatile data?

A.Memory dump
B.Hard drive image
C.Network capture
D.Event logs
AnswerA

Memory is volatile and must be captured before power loss.

Why this answer

Volatile data includes memory contents, network connections, and running processes. Memory is the most volatile and should be captured first.

885
MCQhard

During a PKI migration, the security team discovers that some internal clients do not support OCSP stapling but require online certificate status checking. Which alternative should be configured to minimize latency and ensure validity?

A.Switch to self-signed certificates to avoid revocation checking altogether.
B.Configure clients to use CRLDP with a local CRL distribution point.
C.Use a local OCSP responder to handle revocation checks within the internal network.
D.Disable CRL checking and rely on certificate expiration only.
AnswerC

A local OCSP responder reduces latency and provides timely revocation status.

Why this answer

OCSP stapling is not supported; traditional OCSP requests add latency. A locally hosted OCSP responder reduces network round trips compared to relying on external CAs.

886
MCQeasy

Refer to the exhibit. The security team has been asked to remediate the vulnerability before the next PCI DSS audit. Which of the following is the MOST appropriate action?

A.Move the host to a separate VLAN
B.Disable TLS 1.0 and enable TLS 1.2 only
C.Apply a compensating control such as an API gateway
D.Accept the risk because the CVSS score is below 8.0
AnswerB

Eliminates the vulnerability and achieves compliance.

Why this answer

Disabling TLS 1.0 and enabling TLS 1.2 directly addresses the vulnerability and PCI DSS requirement. Compensating controls may not satisfy the audit; accepting risk is not allowed for high severity; moving the host does not fix the issue.

887
MCQeasy

A security analyst is reviewing a Kubernetes cluster and wants to ensure that only authorized users can create or modify pods. Which Kubernetes object should be configured to enforce this?

A.Admission controllers
B.Pod security policies
C.RBAC
D.Network policies
AnswerC

RBAC grants or denies API access to users and service accounts.

Why this answer

RBAC (Role-Based Access Control) in Kubernetes controls access to API resources, including pod creation, based on roles and bindings.

888
MCQmedium

A security engineer is writing a Python script to parse system logs and alert on suspicious patterns. What is the best practice to ensure the script remains secure when handling log data?

A.Store all logs in a database and query directly.
B.Use `eval()` to dynamically evaluate log content.
C.Sanitize log input and use safe parsing functions like `json.loads()` for structured logs.
D.Run the script with root privileges to access all logs.
AnswerC

Safe parsing prevents injection and handles data securely.

Why this answer

Option B is correct because sanitizing input and using safe parsing functions like `json.loads()` prevents injection attacks. Option A (`eval()`) is dangerous. Option C is not a scripting best practice.

Option D runs with excessive privileges.

889
MCQeasy

During a tabletop exercise, the CSIRT discovers that the organization lacks a clear chain of command for decision-making during incidents. Which document should be updated to address this gap?

A.Incident response plan
B.Business continuity plan
C.Security awareness training material
D.Network topology diagram
AnswerA

The IR plan outlines the chain of command and communication structure.

Why this answer

Option A is correct because the incident response plan should define roles, responsibilities, and escalation paths. Option B is for regular operations. Option C is for network architecture.

Option D is for user training.

890
MCQmedium

An organization wants to detect and respond to advanced threats that may evade traditional endpoint security solutions. They deploy an EDR solution that provides real-time visibility into endpoint activities. However, the security team is overwhelmed by alerts. Which technology can be integrated with EDR to automate response actions and reduce alert fatigue?

A.SIEM with correlation rules
B.Network traffic analysis (NTA)
C.Deception technology
D.SOAR platform
AnswerD

SOAR orchestrates and automates response workflows.

Why this answer

SOAR platforms ingest alerts from various sources (including EDR) and use playbooks to automate incident response actions, such as isolating a host or blocking an IP. This reduces manual effort and alert fatigue.

891
MCQmedium

A security engineer is designing a secure boot process for embedded devices. Which component is responsible for verifying the signature of the bootloader before execution?

A.Secure Boot
B.Root of trust (RoT)
C.Trusted Platform Module (TPM)
D.UEFI firmware
AnswerB

RoT is the immutable hardware or code that establishes the first link in the chain of trust by verifying the bootloader.

Why this answer

The root of trust (RoT), typically implemented as a small section of immutable code in ROM or a dedicated microcontroller, checks the bootloader's signature using a public key stored in fuses. The TPM can store measurements but is not the verifier. UEFI is a firmware interface, and Secure Boot is the process itself.

892
MCQmedium

A penetration tester is in the post-exploitation phase and wants to maintain access to a compromised system. Which of the following techniques is most effective for establishing persistent access while evading detection?

A.Uploading a web shell to a publicly accessible directory
B.Creating a new local user account with administrative privileges
C.Installing a rogue certificate authority
D.Creating a scheduled task that executes a reverse shell
AnswerD

Scheduled tasks can be used for persistence and are less monitored.

Why this answer

Creating a scheduled task that executes a backdoor is a common persistence mechanism. It can be disguised and runs at system startup or on a schedule, making it harder to detect.

893
MCQmedium

Refer to the exhibit. Which of the following best describes the effect of this ACL?

A.Blocks all traffic to the 10.0.0.0/24 network.
B.Blocks all traffic from the 10.0.0.0/24 network.
C.Permits all traffic to the 10.0.0.0/24 network.
D.Permits all traffic from the 10.0.0.0/24 network.
AnswerA

The 'deny ip any 10.0.0.0 0.0.0.255' denies any source IP to destination network 10.0.0.0/24.

Why this answer

Option B is correct because the ACL explicitly denies all traffic destined to the 10.0.0.0/24 network.

894
Multi-Selecthard

A security manager is selecting key risk indicators (KRIs) for the organization's risk management program. Which THREE of the following are examples of KRIs that can provide early warning of increasing risk?

Select 3 answers
A.Number of failed login attempts per hour
B.Mean time to detect (MTTD) for incidents
C.Percentage of users with privileged access
D.Number of unpatched critical vulnerabilities
E.Percentage of systems with current backups
AnswersA, C, D

Correct: An increase may indicate brute-force attacks, increasing risk.

Why this answer

KRIs measure risk levels and can indicate changes. Unpatched critical vulnerabilities, number of failed login attempts, and percentage of users with privileged access are direct indicators of risk.

895
MCQeasy

A company is implementing a risk management framework and needs to prioritize remediation of vulnerabilities based on potential impact. Which of the following is the MOST appropriate approach?

A.Focus on vulnerabilities with the highest CVSS score regardless of asset value
B.Remediate all vulnerabilities within 30 days of discovery
C.Perform a quantitative risk assessment using asset value and loss expectancy
D.Address vulnerabilities in order of ease of exploitation
AnswerC

This approach combines asset value and potential loss to prioritize risks effectively.

Why this answer

A quantitative risk assessment uses asset value and loss expectancy to prioritize risks based on impact. Option A ignores asset criticality; Option B considers only likelihood; Option D is not prioritization.

896
Multi-Selecthard

During an incident response, the team must perform containment actions. Which TWO actions are considered proper containment? (Select exactly 2.)

Select 2 answers
A.Isolate affected systems from the network
B.Notify law enforcement
C.Disable compromised user accounts
D.Back up the affected systems
E.Patch all vulnerabilities on affected systems
AnswersA, C

Isolation stops lateral movement.

Why this answer

Options B and D are correct because isolating affected systems and disabling compromised accounts prevent further spread. Option A is recovery, not containment. Option C is notification after containment.

Option E is eradication.

897
Multi-Selecteasy

An organization is planning to modernize its cryptographic infrastructure to protect sensitive data for the next 10 years. The security architect must consider future threats from quantum computing. Which TWO quantum-resistant algorithms should the architect prioritize for key encapsulation and digital signatures? (Choose TWO.)

Select 2 answers
A.CRYSTALS-Dilithium
B.AES-256 with GCM
C.ECDSA with P-521
D.RSA-4096
E.CRYSTALS-Kyber
AnswersA, E

CRYSTALS-Dilithium is a NIST-selected digital signature algorithm for post-quantum security.

Why this answer

CRYSTALS-Kyber is a key encapsulation mechanism (KEM), and CRYSTALS-Dilithium is a digital signature algorithm. Both are NIST PQC standards for post-quantum security. RSA and ECDSA are not quantum-resistant, and AES-256 is symmetric but does not provide key encapsulation or digital signatures.

898
Multi-Selectmedium

An organization is setting up a PKI with a three-tier hierarchy (root CA, issuing CA, and registration authority). Which TWO of the following are best practices for securing the root CA?

Select 2 answers
A.Allow the root CA to be accessible over the network for certificate requests
B.Enable CRL distribution points on the root CA
C.Use the root CA to issue end-entity certificates directly
D.Keep the root CA offline and physically secured
E.Store the root CA private key in an HSM
AnswersD, E

Offline storage prevents remote attacks.

Why this answer

The root CA should be kept offline to prevent compromise, and its private key should be stored in an HSM. The issuing CA handles day-to-day operations.

899
Multi-Selecthard

An organization is developing a policy exception management process. Which three of the following are essential components of an effective exception process? (Choose three.)

Select 3 answers
A.Documented business justification for the exception
B.An expiration date for the exception
C.Automatic enforcement of policy via technical controls
D.A risk assessment of the exception
E.A copy of the entire policy hierarchy
AnswersA, B, D

Justification ensures the exception is necessary.

Why this answer

An exception process should include documented justification, expiration date, and formal approval by management. Policy hierarchy documentation is separate; automated enforcement may not be required.

900
Multi-Selectmedium

A SOC analyst is investigating a potential data exfiltration incident. The analyst suspects that an insider is using encrypted tunnels to transfer data. Which TWO of the following network traffic analysis (NTA) indicators are most likely to suggest encrypted exfiltration? (Choose two.)

Select 2 answers
A.Large data transfers to an external IP address during non-business hours
B.Multiple HTTP GET requests to a known content delivery network
C.A single large file upload to a cloud storage provider during work hours
D.Repeated connections to an external host on a non-standard port using TLS
E.High volumes of DNS queries to a single external domain
AnswersA, D

Encrypted exfiltration often occurs outside business hours to avoid detection, and large transfers are a key indicator.

Why this answer

Unusual volumes of traffic to a single external IP, especially during off-hours, can indicate data exfiltration. Repeated connections to an external host using non-standard ports, even if encrypted, are suspicious because they may bypass security controls. DNS tunneling is detectable by high volumes of DNS queries to a single domain, but that is separate.

Page 11

Page 12 of 14

Page 13