CompTIA SecurityX CAS-004 (CAS-004) — Questions 76-150

510 questions total · 7 pages (page 2 of 7) · All types, answers revealed
76. MCQ (hard)

A company deploys a microservices architecture using container orchestration. The security team wants to enforce mutual TLS between services. Which technology should be used?

A. Service mesh
B. SSH tunneling
C. API gateway
D. VPN

Answer: A

A service mesh transparently injects sidecar proxies to handle mTLS encryption and authentication between services.

Why this answer

A service mesh (e.g., Istio) provides automatic mTLS for inter-service communication without modifying application code. VPNs and SSH tunnels are not designed for microservice-to-microservice communication at scale. API gateways handle external traffic, not internal service-to-service traffic.

77. Multi-select (medium)

Which THREE of the following are common challenges when implementing a vendor risk management program? (Select THREE)

Select 3 answers
A. Lack of visibility into vendor security practices
B. Over-automation of risk scoring
C. Resource constraints for conducting assessments
D. Inconsistent assessment criteria across vendors
E. Excessive cooperation from vendors

Answers: A, C, D

These are common operational challenges in vendor risk management.

Why this answer

A is correct because organizations often lack visibility into vendor security practices, meaning they cannot verify whether vendors comply with security policies or contractual obligations. This challenge arises when vendors do not provide access to their security controls, audit reports, or real-time monitoring data, leaving gaps in the risk assessment process.

Exam trap

Cisco often tests the distinction between common operational challenges (like lack of visibility, resource constraints, and inconsistent criteria) versus hypothetical or reversed issues (like over-automation or excessive cooperation) that are not typical in vendor risk management programs.

78. MCQ (easy)

A security architect is designing a web application that handles sensitive customer data. The application must ensure that if one server is compromised, the attacker cannot access the private keys used for TLS termination. Which of the following approaches best meets this requirement?

A. Store the private keys in an encrypted database on a separate database server.
B. Use a software-based key vault that runs on the same operating system as the web server.
C. Use a hardware security module (HSM) to generate and store the private keys, performing TLS termination on the HSM.
D. Store the private keys in a local file with restricted permissions on the application server.

Answer: C

An HSM provides tamper-resistant storage and performs cryptographic operations without exposing the keys.

Why this answer

Option C is correct because a Hardware Security Module (HSM) provides a dedicated, tamper-resistant cryptographic processor that generates, stores, and manages private keys in hardware, never exposing them to the application server's memory or filesystem. By performing TLS termination directly on the HSM, the private keys remain isolated even if the web server is compromised, meeting the requirement for key confidentiality.

Exam trap

The trap here is that candidates often assume encrypting keys at rest (Option A) or using OS-level permissions (Option D) is sufficient, but the CAS-004 exam emphasizes that any software-based storage, even if encrypted, still exposes the key during runtime operations like TLS termination.

How to eliminate wrong answers

Option A is wrong because storing private keys in an encrypted database on a separate server still exposes the keys to the application server during decryption (the keys must be loaded into memory to terminate TLS), and a compromised server could extract them from memory or intercept the decryption process. Option B is wrong because a software-based key vault running on the same OS as the web server shares the same attack surface; if the OS is compromised, the vault's memory and files can be accessed, allowing key extraction. Option D is wrong because storing private keys in a local file with restricted permissions relies solely on OS-level access controls, which are bypassed if the attacker gains root or equivalent privileges on the compromised server.

79. MCQ (hard)

Match each automation security concept with its correct description.

A. Immutable infrastructure
B. Infrastructure as Code
C. Secret management
D. Container orchestration

Why this answer

Immutable infrastructure prevents drift by never modifying deployed instances. Infrastructure as Code allows version-controlled, repeatable deployments. Secret management securely handles credentials.

Orchestration coordinates container deployment but is not specifically about drift prevention.

Exam trap

Candidates may confuse orchestration with immutable infrastructure or think infrastructure as code is about drift prevention.

Why the other options are wrong

A: Matched to correct description
B: Matched to correct description
C: Matched to correct description
D: Matched to correct description

80. MCQ (easy)

An organization wants to implement a hardware security module (HSM) to protect cryptographic keys. Which of the following is a primary benefit of using an HSM?

A. Faster key generation than software
B. Reduced network latency for encryption
C. Automatic cloud backup of keys
D. Tamper-resistant key storage

Answer: D

HSMs are designed to protect keys from physical and logical attacks.

Why this answer

An HSM provides tamper-resistant key storage by using physical and logical safeguards, such as tamper switches, epoxy potting, and zeroization circuits, that destroy cryptographic keys if an attacker attempts to access the hardware. This ensures that private keys remain secure even if the device is compromised, which is a primary requirement for compliance with standards like FIPS 140-2 Level 3 or 4. Software-based storage cannot offer the same level of physical protection against extraction attacks.

Exam trap

The trap here is that candidates confuse the security benefit of tamper-resistant storage with performance improvements like faster key generation or reduced latency, which are not primary HSM advantages and are often worse than software alternatives.

How to eliminate wrong answers

Option A is wrong because HSMs typically have slower key generation than optimized software implementations due to hardware constraints and the overhead of tamper-proofing mechanisms; software can leverage CPU cryptographic instructions (e.g., AES-NI) for faster generation. Option B is wrong because an HSM does not reduce network latency for encryption; it may actually increase latency due to the need for network communication to the HSM (e.g., via PKCS#11 or KMIP) compared to local software encryption. Option C is wrong because automatic cloud backup of keys is not a built-in HSM feature; cloud backup would require additional configuration and introduces security risks that HSMs are designed to mitigate, and many compliance frameworks prohibit exporting keys from an HSM.

81. MCQ (medium)

A multinational corporation is migrating its data centers to a hybrid cloud model. The security team must ensure that data sovereignty laws are respected. The company operates in the EU, US, and Asia. Which of the following is the BEST approach?

A. Require all employees to sign a data processing agreement.
B. Encrypt all data at rest and in transit using a single global encryption key.
C. Implement a virtual private network between all data centers and cloud providers.
D. Use cloud regions in each geographic area where data is stored and processed.

Answer: D

Cloud regions allow data to stay within jurisdictional boundaries.

Why this answer

D is correct. Using cloud regions in each geographic area ensures data is stored and processed within the relevant legal boundaries. A single global encryption key does not address where the data is located.

A VPN is for connectivity, not sovereignty. A DPA is for processing agreements, not location enforcement.

82. MCQ (easy)

A security engineer is designing a secure communication channel between two internal systems over an untrusted network. Which protocol should be used to ensure both confidentiality and integrity of data in transit?

A. SSH
B. TLS
C. HTTPS
D. IPsec

Answer: B

TLS provides encryption (confidentiality) and MAC (integrity), suitable for any TCP-based communication.

Why this answer

TLS provides encryption for confidentiality and MAC for integrity, making it the best choice for secure communication over an untrusted network.

83. MCQ (easy)

An organization wants to ensure that its employees understand their responsibilities regarding data protection. Which of the following is the MOST effective way to achieve this?

A. Include a clause in the employment contract
B. Post posters in common areas
C. Distribute a data protection policy annually via email
D. Conduct regular security awareness training with assessments

Answer: D

Interactive training with assessments reinforces understanding.

Why this answer

Regular training with assessments ensures ongoing awareness and understanding. Options A, B, and C are passive methods that are less effective.

84. Multi-select (medium)

A security engineer is designing a secure wireless network for a corporate office. Which TWO configurations should be implemented to maximize security?

Select 2 answers
A. WPA2-PSK
B. WPA3-Enterprise
C. MAC address filtering
D. 802.1X with EAP-TLS
E. Disable SSID broadcast

Answers: B, D

WPA3-Enterprise provides stronger encryption and authentication than WPA2.

Why this answer

WPA3-Enterprise provides the strongest encryption and authentication. 802.1X with EAP-TLS allows certificate-based authentication, further enhancing security. WPA2-PSK is vulnerable to brute-force attacks. Disabling SSID broadcast and MAC address filtering are security-through-obscurity measures and do not provide real protection.

85. Multi-select (medium)

Which TWO of the following are key components of a risk assessment methodology?

Select 2 answers
A. Disaster recovery.
B. Threat identification.
C. Risk appetite.
D. Incident response.
E. Asset inventory.

Answers: B, E

Identifying threats is a fundamental step in risk assessment.

Why this answer

Threat identification and asset inventory are core components of a risk assessment, while risk appetite is a guiding parameter.

86. Multi-select (medium)

Which THREE of the following are common vulnerabilities found in web applications according to the OWASP Top 10 2021? (Select THREE.)

Select 3 answers
A. Cryptographic Failures
B. Broken Access Control
C. Server-Side Request Forgery (SSRF)
D. SQL Injection
E. Remote Code Execution (RCE) via buffer overflow

Answers: A, B, D

Cryptographic failures (formerly sensitive data exposure) is a key vulnerability.

Why this answer

Options A, B, and D are correct. Cryptographic Failures (A), Broken Access Control (B), and SQL Injection (D) are in the OWASP Top 10. Option C (SSRF) is also on the 2021 list, but the question asks for exactly three common vulnerabilities, so the most widely recognized ones, A, B, and D, are chosen.

Option E (RCE via buffer overflow) is not a category in the Top 10.

87. MCQ (medium)

Refer to the exhibit. A security engineer reviews the S3 bucket policy. Which of the following is the most concerning security issue?

A. The policy does not require encryption in transit
B. The policy uses the incorrect version of the policy language
C. The policy allows any user to list the objects in the bucket
D. The policy allows public read access to all objects in the bucket

Answer: D

Principal: * with s3:GetObject allows anonymous read access to all objects.

Why this answer

Option D is correct because the policy allows any user (Principal: *) to read objects (s3:GetObject) from the bucket, making the data publicly accessible. Option C is incorrect because the policy does not allow listing objects. Option B is incorrect because the policy version is fine.

Option A is a lesser concern: encryption in transit is simply not addressed by this policy.

88. MCQ (medium)

A company is deploying IoT sensors in a remote area with limited connectivity. The sensors must be able to securely transmit data using minimal bandwidth. Which protocol should the engineer choose?

A. SNMPv3
B. HTTPS
C. MQTT with TLS
D. SSH

Answer: C

MQTT is designed for low-bandwidth, high-latency networks, and TLS provides transport security.

Why this answer

MQTT is a lightweight publish-subscribe protocol that uses minimal bandwidth, and wrapping it in TLS provides confidentiality and integrity for the data in transit. HTTPS has higher overhead. SSH is not designed for many-to-one telemetry.

SNMPv3 is for network management, not general IoT data.

89. MCQ (hard)

During a security review, it is discovered that a critical application uses hardcoded cryptographic keys. The development team refactors the code to retrieve keys from a centralized key management system (KMS) using role-based access control. Which additional practice should be implemented to minimize the risk of key compromise?

A. Log every key access without rotation
B. Use a single, long key to reduce management overhead
C. Implement key expiration and automated rotation
D. Store keys in a hardware security module only

Answer: C

Regularly rotating keys limits the time an attacker can use a compromised key.

Why this answer

Rotation reduces the window of exposure if a key is compromised, and automating it ensures consistency.

90. MCQ (hard)

An organization implements a CI/CD pipeline that automatically builds and deploys containerized microservices. Which of the following is the most effective method to ensure that only signed, trusted container images are deployed to production?

A. Implement a private container registry with access controls
B. Enable content trust and require signatures on all images
C. Run vulnerability scanning on all images before deployment
D. Use an admission controller that checks image labels

Answer: B

Why this answer

Option B is correct because enabling content trust (e.g., Docker Content Trust or Notary) cryptographically signs container images, ensuring that only images signed by a trusted publisher can be deployed. This directly enforces integrity and authenticity in the CI/CD pipeline, preventing unauthorized or tampered images from reaching production.

Exam trap

The trap here is that candidates confuse access control (registry permissions) or vulnerability scanning with cryptographic trust, failing to recognize that only content trust provides non-repudiation and tamper-evidence for container images.

Why the other options are wrong

A: Access controls prevent unauthorized pushes but do not verify the integrity or authenticity of images.
C: Scanning identifies vulnerabilities but does not verify the publisher's identity or prevent tampering.
D: Labels are metadata and can be easily spoofed; they do not provide cryptographic proof of origin.

91. MCQ (hard)

An organization deploys a new web application that stores sensitive data in a backend database. During a penetration test, the tester discovers that the application is vulnerable to SQL injection via a search field. Which of the following design changes would best mitigate this vulnerability without significantly impacting functionality?

A. Deploy a web application firewall (WAF) to filter malicious payloads.
B. Rewrite the database query to use parameterized prepared statements.
C. Move all database queries to stored procedures.
D. Implement client-side input validation to block special characters.

Answer: B

Parameterized queries ensure user input is treated as data, not executable code, preventing SQL injection.

Why this answer

Option B is correct because parameterized prepared statements separate SQL logic from user input, ensuring that any input supplied via the search field is treated strictly as data, not executable code. This directly prevents SQL injection by eliminating the possibility of an attacker altering the query structure, regardless of the input content.

Exam trap

CompTIA often tests the misconception that stored procedures are inherently safe against SQL injection, but the trap is that they only prevent injection if they use parameterized queries internally—otherwise, they are just as vulnerable as inline SQL.

How to eliminate wrong answers

Option A is wrong because a WAF is a reactive, signature-based or heuristic filter that can be bypassed with carefully crafted payloads (e.g., encoding, obfuscation) and does not address the root cause of the vulnerability. Option C is wrong because stored procedures alone do not prevent SQL injection if they still concatenate user input into dynamic SQL strings; the protection comes from using parameterized queries within the stored procedure, not from the stored procedure itself. Option D is wrong because client-side validation can be easily bypassed by disabling JavaScript or using tools like cURL or Burp Suite to send raw HTTP requests, and it provides no server-side defense against injection.

92. Multi-select (hard)

A multinational corporation is subject to GDPR and the California Consumer Privacy Act (CCPA). A security architect is designing a data governance solution to meet both regulations. Which TWO controls are most appropriate?

Select 2 answers
A. Implement data mapping to track personal data across systems and jurisdictions.
B. Establish data classification policies to categorize information based on sensitivity.
C. Deploy data loss prevention (DLP) technology to monitor data exfiltration.
D. Define a data retention schedule that automatically deletes data after a set period.
E. Integrate a security information and event management (SIEM) system for log analysis.

Answers: A, B

Data mapping is a foundational governance activity required by both GDPR and CCPA.

Why this answer

Options A and B are correct. GDPR and CCPA both require data mapping (A) to understand data flows, and data classification (B) to apply appropriate controls. Option D (retention schedule) is important but not the most critical for both regulations; retention is more GDPR-specific.

Option C (DLP) is a technical control that supports compliance but is not a governance control. Option E (SIEM) is a security monitoring tool, not a governance control.

93. MCQ (hard)

A company's risk register shows a high-likelihood, high-impact risk related to ransomware. The cost to mitigate fully is $2M, while the expected annual loss is $500K. Which risk response is most appropriate?

A. Avoid the risk by discontinuing use of IT systems
B. Mitigate the risk by implementing full endpoint protection
C. Accept the risk and implement monitoring controls
D. Transfer the risk via cyber insurance

Answer: C

Cost-benefit analysis supports acceptance.

Why this answer

The cost to fully mitigate the ransomware risk is $2M, which far exceeds the expected annual loss of $500K. This makes full mitigation economically unjustifiable under a cost-benefit analysis. Accepting the risk with monitoring controls allows the organization to detect ransomware early and respond, without spending more on prevention than the potential loss itself.

Exam trap

CompTIA often tests the cost-benefit analysis principle in risk response decisions, where candidates mistakenly choose 'mitigate' because they focus on the high likelihood and impact without comparing the cost of mitigation to the expected loss.

How to eliminate wrong answers

Option A is wrong because discontinuing IT systems would halt business operations entirely, which is an extreme and impractical response that ignores the organization's need to function; avoidance is only appropriate when the risk outweighs any possible benefit, not when a cost-effective alternative exists. Option B is wrong because implementing full endpoint protection at a cost of $2M is not cost-justified when the annual expected loss is only $500K; this violates the principle of risk management where the cost of mitigation should not exceed the potential loss. Option D is wrong because transferring the risk via cyber insurance does not reduce the likelihood or impact of ransomware; it only provides financial reimbursement after an incident, and the premium cost may still be high relative to the expected loss, making acceptance with monitoring a more balanced approach.

94. MCQ (easy)

A security administrator needs to secure remote access for employees using personal devices. The company requires that company data be encrypted and that the device be wiped if lost. Which solution best meets these requirements?

A. Use network access control (NAC) to allow only compliant devices onto the network.
B. Deploy a mobile device management (MDM) solution that enforces device encryption and supports remote wipe.
C. Require employees to connect via a corporate VPN and use two-factor authentication.
D. Implement remote desktop protocol (RDP) gateways for all remote access.

Answer: B

MDM can enforce encryption and perform remote wipe to protect company data.

Why this answer

Mobile device management (MDM) solutions are specifically designed to enforce security policies on personal devices, including mandatory device encryption (e.g., AES-256 for data at rest) and the ability to perform a remote wipe (factory reset) to destroy company data if the device is lost or stolen. This directly addresses the requirement to protect company data on unmanaged, employee-owned devices.

Exam trap

The trap here is that candidates often confuse network-level controls (NAC, VPN) or access methods (RDP) with device-level data protection, failing to recognize that only MDM provides the required encryption enforcement and remote wipe capabilities on the endpoint itself.

How to eliminate wrong answers

Option A is wrong because network access control (NAC) checks device compliance before granting network access but does not provide device-level encryption enforcement or remote wipe capabilities; it controls admission, not data protection on the device. Option C is wrong because requiring a corporate VPN and two-factor authentication secures the communication channel and verifies identity but does not enforce encryption of data stored on the device or allow remote wiping of the device. Option D is wrong because RDP gateways provide remote access to internal desktops or applications but do not enforce encryption of local device storage or support remote wipe of the personal device.

95. MCQ (easy)

Based on the exhibit, which vulnerability is being exploited?

A. Cross-site request forgery (CSRF)
B. SQL injection
C. Directory traversal
D. Cross-site scripting (XSS)

Answer: C

The path contains ../ to escape web root and read system files.

Why this answer

Option C is correct because the GET request uses ../ to traverse directories and access /etc/passwd, which is typical of a directory traversal attack. Option B is wrong because SQL injection would show SQL syntax. Option D is wrong because XSS would contain scripts.

Option A is wrong because CSRF requires cross-site requests.

96. MCQ (hard)

A company is migrating from a legacy three-tier architecture to a microservices architecture on Kubernetes. The security team wants to ensure that service-to-service communication is encrypted and mutually authenticated. Which approach best meets these requirements with minimal operational overhead?

A. Implement a service mesh with mutual TLS (mTLS) and automatic certificate management.
B. Deploy IPsec tunnels between each pair of services using pre-shared keys.
C. Establish a site-to-site VPN between the Kubernetes cluster and the legacy network, and route all service traffic through the VPN.
D. Configure each service to use TLS with self-signed certificates, and distribute the CA certificate to all services.

Answer: A

Service mesh provides automated mTLS, encryption, and mutual authentication with low operational overhead.

Why this answer

A service mesh with mutual TLS (mTLS) and automatic certificate management is the correct approach because it provides encrypted, mutually authenticated service-to-service communication with minimal operational overhead. The service mesh (e.g., Istio, Linkerd) transparently intercepts traffic via sidecar proxies, handles mTLS handshakes, and automates certificate issuance and rotation, eliminating the need for manual key distribution or application-level changes.

Exam trap

The trap here is that candidates may choose IPsec or VPN solutions because they are familiar with network-layer encryption, but they fail to recognize that these approaches do not scale to the dynamic, ephemeral nature of microservices and introduce prohibitive operational overhead compared to a service mesh's automated mTLS.

How to eliminate wrong answers

Option B is wrong because IPsec tunnels between each pair of services introduce significant operational overhead for key management and do not scale well in a dynamic microservices environment where service instances are ephemeral. Option C is wrong because a site-to-site VPN between the Kubernetes cluster and the legacy network secures only cross-network traffic, not internal service-to-service communication within the cluster, and routing all service traffic through the VPN adds unnecessary latency and complexity. Option D is wrong because distributing a CA certificate to all services for self-signed TLS still requires manual management of certificate distribution and does not automate certificate rotation, leading to high operational overhead and potential security gaps if certificates expire or are compromised.

97. Multi-select (medium)

A security architect is designing a secure software development pipeline. The organization wants to ensure that code is thoroughly analyzed before deployment. Which TWO of the following should be integrated into the pipeline to identify vulnerabilities early? (Select TWO.)

Select 2 answers
A. Static application security testing (SAST)
B. Software composition analysis (SCA)
C. Fuzz testing
D. Dynamic application security testing (DAST)
E. Penetration testing

Answers: A, B

SAST analyzes source code without executing it, identifying vulnerabilities early.

Why this answer

SAST (Static Application Security Testing) analyzes source code, bytecode, or binary code without executing it, scanning for vulnerabilities like SQL injection, buffer overflows, and insecure cryptographic functions. Integrating SAST early in the pipeline (shift-left) allows developers to fix issues before compilation, reducing remediation cost and risk. SCA (Software Composition Analysis) identifies known vulnerabilities in third-party libraries and open-source components by comparing dependency versions against databases like the National Vulnerability Database (NVD).

Both tools are non-intrusive and can be automated in CI/CD pipelines to catch flaws before deployment.

Exam trap

Cisco often tests the distinction between static and dynamic analysis by presenting SAST and DAST as equally valid early-stage options, but the trap is that DAST requires a running application and cannot be integrated before deployment, making SAST and SCA the only correct choices for early vulnerability identification.

98. MCQ (easy)

A security analyst receives an alert indicating an internal host is sending outbound traffic on TCP port 25 to multiple external IP addresses. Which action should the analyst take first to investigate potential data exfiltration?

A. Submit a change request to implement an email content filter.
B. Check if the host is configured as a mail server in the organization's asset database.
C. Block the outbound traffic on the firewall to prevent potential data exfiltration.
D. Run a full antivirus scan on the host to detect any malware.

Answer: B

This step quickly confirms if the traffic is expected, avoiding unnecessary escalation.

Why this answer

Option B is correct because the first step in investigating potential data exfiltration over TCP port 25 (SMTP) is to verify whether the host is authorized to send email. If the host is a legitimate mail server, the traffic may be normal; if not, it could indicate malware or a misconfigured application exfiltrating data via SMTP. This aligns with the CAS-004 objective of validating asset roles before escalating to containment.

Exam trap

The trap here is that candidates often jump to containment (blocking traffic) or remediation (antivirus scan) without first verifying the host's authorized role, which Cisco tests to ensure you follow a structured incident response process (identify before contain).

How to eliminate wrong answers

Option A is wrong because submitting a change request to implement an email content filter is a reactive, long-term control that does not address the immediate need to determine if the traffic is malicious; it also assumes the traffic is unauthorized without investigation. Option C is wrong because blocking outbound traffic on the firewall without first confirming the host's role could disrupt legitimate business operations (e.g., if the host is a mail server) and violates the principle of least disruption during incident response. Option D is wrong because running a full antivirus scan is a secondary step that may detect malware but does not confirm whether the host is authorized to send SMTP traffic; it also delays the critical triage step of asset verification.

99. MCQ (easy)

An organization is deploying a new application that processes sensitive user data. The security team recommends using a dedicated cryptographic module. Which standard should the module comply with to ensure it is validated for security?

A. ISO 27001
B. PCI DSS
C. NIST SP 800-53
D. FIPS 140-2

Answer: D

FIPS 140-2 is the standard for cryptographic module validation, ensuring hardware and software meet security requirements.

Why this answer

FIPS 140-2 (or its successor 140-3) is the U.S. government standard for validating cryptographic modules. NIST SP 800-53 is for security controls, PCI DSS for payment card data, and ISO 27001 for management systems.

100. Multi-select (medium)

A security engineer is implementing container security controls. Which TWO practices are most effective in preventing privilege escalation within a container? (Choose two.)

Select 2 answers
A. Dropping all capabilities (CAP_DROP=ALL)
B. Enabling SELinux
C. Using host networking
D. Mounting /var/run/docker.sock
E. Setting USER to non-root in the Dockerfile

Answers: A, E

Removing capabilities eliminates potential escalation via Linux capabilities.

Why this answer

Setting USER to non-root prevents the container from running as root, and dropping all capabilities removes many known escalation vectors. Using host networking and mounting the Docker socket increase risk. SELinux helps but is not specific to privilege escalation.

101. Multi-select (medium)

A DevOps team is automating the deployment of a containerized application to production. Which THREE practices are essential for maintaining security and reliability? (Select THREE.)

Select 3 answers
A. Use Helm charts to package and deploy Kubernetes applications.
B. Use Docker Compose files for production deployments.
C. Use infrastructure as code tools like Terraform to provision and manage container hosts.
D. Manually configure each environment to handle unique settings.
E. Implement continuous deployment pipelines with automated security testing.

Answers: A, C, E

Helm provides reusable, versioned deployment packages with rollback capabilities.

Why this answer

Helm charts (A) manage Kubernetes deployments, IaC (C) ensures reproducible environments, and CI/CD pipelines with automated security testing (E) automate testing and deployment. Docker Compose for production (B) and manual configuration (D) are not recommended.

102. MCQ (medium)

An organization is deploying hardware security modules (HSMs) to protect cryptographic keys used for digital signatures. Which attack vector is most effectively mitigated by using an HSM compared to storing keys in software?

A. Side-channel attacks on the host CPU
B. Key extraction from memory dumps
C. Man-in-the-middle attacks on cryptographic operations
D. Brute-force attacks on key strength

Answer: B

HSMs keep keys in hardware, so even if an attacker gains access to the host, keys cannot be extracted from memory.

Why this answer

HSMs protect keys from extraction even if the host system is compromised, making them resistant to key extraction attacks.

103
MCQhard

A company's web application uses single sign-on (SSO) via SAML. Security analysts notice that attackers are able to forge SAML responses to impersonate users. Which misconfiguration is most likely causing this vulnerability?

A.SSL/TLS is not enforced for the SAML endpoint
B.SAML responses are not signed
C.The identity provider's metadata is not verified
D.Clock skew between SP and IdP exceeds the allowed tolerance
AnswerB

Unsigned responses can be intercepted and modified by an attacker.

Why this answer

Option B (SAML responses are not signed) is correct because unsigned responses can be forged. Option C (identity provider metadata not verified) is less likely to allow direct forgery. Option A (SSL/TLS not enforced) affects transport but not message integrity.

Option D (Clock skew) causes authentication failures, not forgery.

104
MCQmedium

A software development team is adopting a DevSecOps approach. Which of the following practices best integrates security into the continuous integration pipeline?

A.Running static application security testing (SAST) on every code commit
B.Conducting annual security training for developers
C.Using a vulnerability scanner on production servers
D.Performing penetration testing after each release
AnswerA

SAST automates security checks early in development, aligning with DevSecOps automation.

Why this answer

Option A is correct because SAST runs on every code commit in CI, catching vulnerabilities early. Option D (penetration testing) is after release, too late. Option C (vulnerability scanning on production) is after deployment.

Option B (annual training) is not integrated into the pipeline.

105
MCQmedium

A security team needs to implement a CI/CD pipeline that automatically scans container images for vulnerabilities before deployment. Which tool can be integrated into the pipeline for this purpose?

A.SonarQube
B.Prometheus
C.Trivy
D.Grafana
AnswerC

Trivy scans container images for known vulnerabilities.

Why this answer

Trivy is a vulnerability scanner for container images. SonarQube is for code quality, Prometheus monitors metrics, and Grafana visualizes data.

106
MCQhard

A multinational corporation is implementing a privacy program that must comply with both GDPR and CCPA. Which approach to privacy impact assessments (PIAs) is most appropriate?

A.Perform separate PIAs for GDPR and CCPA requirements
B.Skip PIAs for existing processing activities
C.Conduct a single PIA that covers both regulations' requirements
D.Only perform PIAs when processing high-risk data
AnswerC

Comprehensive and efficient

Why this answer

Option C is correct because conducting a single PIA that addresses both regulations is efficient. Option A is wrong because separate PIAs are redundant. Option B is wrong because PIAs should be conducted before processing and should not be skipped for existing activities.

Option D is wrong because only high-risk processing is not sufficient for all processing.

107
MCQeasy

A small business wants to achieve compliance with PCI DSS. Which approach should they take to minimize the scope of the assessment?

A.Segment the cardholder data environment from the corporate network
B.Implement a tokenization service
C.Encrypt all cardholder data at rest
D.Train employees on security awareness
AnswerA

Segmentation reduces the systems that process, store, or transmit card data.

Why this answer

Segmenting the cardholder data environment (CDE) from other networks reduces the number of systems in scope. Encryption, tokenization, and training are important but do not directly reduce scope like segmentation does.

108
MCQhard

A multinational corporation must comply with both the EU's GDPR and the California Consumer Privacy Act (CCPA). Which of the following scenarios would cause a conflict between these regulations?

A.GDPR requires explicit consent for data processing, while CCPA allows opt-out for data sale
B.One regulation requires breach notification, the other does not
C.CCPA imposes data minimization, while GDPR does not
D.Both require data access rights for individuals
AnswerA

Consent vs opt-out can conflict.

Why this answer

Option A is correct because GDPR requires consent for certain processing, while CCPA allows opt-out for sale of data; these can conflict. Option B is wrong because both require breach notification. Option D is wrong because both allow data access.

Option C is wrong because both address data minimization similarly.

109
MCQhard

A security engineer is reviewing a CI/CD pipeline that builds a Docker image. The engineer notices that the Dockerfile uses a base image from a public registry, installs packages via apt-get without version pinning, and copies a private SSH key into the image. Which of the following vulnerabilities is MOST directly introduced by this practice?

A.Use of untrusted base image
B.Privilege escalation via SUID binaries
C.Exposure of sensitive credentials in the image layers
D.Dependency confusion from unpinned packages
AnswerC

Why this answer

Copying a private SSH key into a Docker image embeds the credential in one of the image's layers. Even if the key is deleted in a later layer, it remains accessible via `docker history` or by pulling the intermediate layers, directly exposing sensitive credentials to anyone who can access the image.

Exam trap

Cisco often tests the misconception that deleting a file in a later Docker layer removes it from the image, when in fact the underlying layer still contains the sensitive data.

Why the other options are wrong

A

While a risk, it's not as directly exploitable as an exposed private key.

B

No indication of SUID; the main issue is secret leakage.

D

Unpinned packages are a supply chain risk but not as immediate as credential exposure.

110
MCQmedium

A healthcare organization has suffered a ransomware attack. The ransomware encrypted all files on file servers and workstations, and a ransom note demands payment in cryptocurrency. The backup systems were also encrypted because the backup service account had write access to the backup repository. The organization's cybersecurity team has activated the incident response plan. Which of the following is the BEST course of action?

A.Restore data from the encrypted backups using a third-party decryption tool.
B.Isolate all affected systems from the network immediately to prevent further encryption.
C.Begin restoring systems from any clean backups located on removable media.
D.Pay the ransom to obtain the decryption key and restore operations quickly.
AnswerB

Containment stops the spread and limits damage.

Why this answer

Option B is correct because containment (isolating infected systems) is the priority to prevent spread to remaining systems. Option D is dangerous as paying the ransom encourages further attacks and provides no guarantee of recovery. Option A is futile if backups are compromised.

Option C focuses on restoration without containment, risking re-encryption.

111
MCQeasy

An organization wants to implement a zero-trust architecture for remote access. Which of the following is the MOST important component?

A.RAID 5
B.Syslog server
C.VPN concentrator
D.Micro-segmentation
AnswerD

Micro-segmentation enforces granular access controls and limits lateral movement, a core zero-trust concept.

Why this answer

Micro-segmentation is fundamental to zero-trust because it restricts lateral movement by dividing the network into small, isolated segments. VPN concentrators are traditional perimeter controls. RAID 5 is storage redundancy.

Syslog is logging.

112
MCQmedium

A security engineer is configuring a SIEM and wants to reduce false positives while ensuring that real attacks are detected. Which of the following approaches would best achieve this balance?

A.Aggregate all logs from all sources and create a single correlation rule for each attack type.
B.Use the default correlation rules provided by the SIEM vendor without modification.
C.Block all traffic from external IP addresses that are not on the organization's whitelist.
D.Tune correlation rules based on the organization's asset inventory, network architecture, and threat intelligence.
AnswerD

Custom tuning ensures rules are relevant and accurate, reducing false positives while detecting true threats.

Why this answer

Option D is correct because tuning correlation rules to the organization's specific asset inventory, network architecture, and threat intelligence directly reduces false positives by filtering out irrelevant events while ensuring that real attacks against known assets are detected. This approach leverages contextual knowledge to adjust thresholds, exclude noise, and prioritize alerts that match the actual attack surface, achieving the desired balance between sensitivity and specificity.

Exam trap

The trap here is that candidates often confuse network security controls (like blocking IPs) with SIEM tuning techniques, or assume that default rules or aggregation alone can achieve optimal detection without contextual customization.

How to eliminate wrong answers

Option A is wrong because aggregating all logs from all sources into a single correlation rule for each attack type ignores the need for context-specific tuning, leading to excessive noise and false positives from irrelevant or duplicate events. Option B is wrong because using default correlation rules without modification fails to account for the organization's unique environment, resulting in either missed attacks (if rules are too narrow) or overwhelming false positives (if rules are too broad). Option C is wrong because blocking all traffic from external IPs not on a whitelist is a network access control measure, not a SIEM tuning technique, and it would disrupt legitimate business traffic while not addressing false positives in detection logic.

113
Multi-Selectmedium

Which TWO of the following are key elements of a data classification policy?

Select 2 answers
A.Handling and labeling procedures
B.Classification categories (e.g., public, internal, confidential)
C.Acceptable use guidelines for company devices
D.Backup frequency and retention periods
E.Encryption algorithms and key lengths
AnswersA, B

Procedures for handling each classification level are essential.

Why this answer

Handling and labeling procedures (Option A) are a key element of a data classification policy because they define the operational steps for marking, storing, transmitting, and disposing of data based on its classification level. Without these procedures, classification categories have no enforceable controls, leading to inconsistent data protection. This aligns with NIST SP 800-53 and ISO 27001 requirements for data handling.

Exam trap

Cisco often tests the distinction between policy elements and implementation controls, so the trap here is confusing operational procedures (handling/labeling) and classification categories (the core of a classification policy) with technical security controls like encryption algorithms or backup schedules, which belong in separate policies.

114
Multi-Selectmedium

Which TWO of the following are essential elements of an effective data governance framework?

Select 2 answers
A.Data classification policies and procedures
B.Mandatory data localization requirements
C.Assignment of data stewardship roles
D.Automated breach notification system
E.Implementation of full-disk encryption on all endpoints
AnswersA, C

Classification is foundational to governance.

Why this answer

Options A and C are correct. Data classification policies define how data is categorized, and data stewardship assigns ownership. Option E is wrong because encryption is a technical control, not governance.

Option B is wrong because data localization is a compliance requirement, not a governance element. Option D is wrong because breach response is operational.

115
MCQmedium

You are the compliance officer for a financial institution that must adhere to the Payment Card Industry Data Security Standard (PCI DSS). During a quarterly vulnerability scan, you discover that several critical vulnerabilities in the cardholder data environment (CDE) were not remediated within the required 30-day window. Additionally, the most recent penetration test report shows that a segmentation control between the CDE and the corporate network is not functioning as intended. The next PCI DSS assessment is in two months. Which of the following remediation actions should be prioritized FIRST to maintain compliance?

A.Implement a compensating control for the segmentation failure and document it
B.Immediately patch all critical vulnerabilities in the CDE
C.Request an extension from the acquirer for the next assessment
D.Re-establish correct segmentation between CDE and corporate network
AnswerD

Segmentation is foundational to PCI DSS compliance.

Why this answer

Option D is correct because fixing the segmentation failure is critical; without proper segmentation, the entire network might be considered in scope, increasing the compliance burden. Option B is wrong because patching vulnerabilities is important, but the segmentation issue is broader. Option A is wrong because compensating controls may be temporary, but segmentation is a fundamental requirement.

Option C is wrong because delaying assessment is not a remediation.

116
MCQmedium

An organization is migrating a legacy application to a containerized environment. The application requires root privileges to bind to a low port (80). What is the most secure approach to handle this requirement?

A.Map port 80 to a non-privileged port and grant CAP_NET_BIND_SERVICE capability
B.Change the application to use a high port (e.g., 8080)
C.Run the container as root and bind to port 80
D.Use host networking mode
AnswerA

Allows binding to low port without full root privileges.

Why this answer

Option A (map port 80 to a non-privileged port, run the container as non-root, and grant only the CAP_NET_BIND_SERVICE capability) is correct because it avoids running the container as root while still allowing binding to low ports. Option C runs as root, which is insecure. Option D uses host networking, reducing isolation.

Option B changes the port, but this may not be feasible for a legacy application.

117
MCQeasy

A security administrator needs to automate the process of revoking access for terminated employees across multiple cloud services. Which scripting approach would best minimize the risk of errors and ensure consistent execution?

A.Create a shell script that relies on environment variables containing API keys.
B.Use a configuration management tool like Ansible with a playbook that calls cloud provider modules using encrypted vault files for credentials.
C.Write a Python script using separate API calls for each service with hardcoded credentials.
D.Manually execute commands each time an employee is terminated.
AnswerB

Ansible with vault securely automates and standardizes the process.

Why this answer

Option B is correct because using Ansible with encrypted vault files provides secure credential management and consistent execution. Option C hardcodes credentials, creating security risks. Option A uses environment variables, which are less secure.

Option D is manual and error-prone.

118
MCQmedium

A security engineer is hardening a container image. Which practice is MOST effective in reducing the attack surface?

A.Running containers as root
B.Using a minimal base image
C.Adding antivirus software
D.Using the latest version of all packages
AnswerB

A minimal image contains only the essentials, reducing the number of potential vulnerabilities.

Why this answer

Using a minimal base image (e.g., Alpine, Distroless) removes unnecessary packages and binaries, significantly reducing the attack surface. Running as root increases risk. Antivirus is not typical in containers.

Latest packages are good but do not reduce surface.

119
MCQhard

A security analyst reviews the above Windows security events from a domain controller. What is the most likely conclusion about the activity?

A.The jsmith account is performing routine administrative tasks with standard user privileges.
B.An attacker has compromised the jsmith account and used it to perform lateral movement and access sensitive data.
C.The Administrator account is locked out due to repeated failed logon attempts.
D.A user named jsmith is attempting to reset the Administrator password via network logon.
AnswerB

The sequence matches typical PtH: failed logon as admin, then successful interactive logon with high privileges, then accessing admin share.

Why this answer

Event ID 4624 with Logon Type 3 (network logon) from jsmith to the domain controller, followed by Event ID 4670 (permissions on an object changed) on a sensitive file share, indicates lateral movement and privilege escalation. The combination of network authentication and subsequent access to sensitive data is a classic indicator of an attacker using compromised credentials to move laterally within the network.

Exam trap

Cisco often tests the distinction between logon types (e.g., Type 2 for interactive, Type 3 for network) and the specific event IDs associated with account management versus object access, leading candidates to confuse a network logon with a password reset or lockout event.

How to eliminate wrong answers

Option A is wrong because Event ID 4624 with Logon Type 3 indicates a network logon, not a local interactive session, and standard user privileges would not generate Event ID 4670 for permission changes on sensitive objects. Option C is wrong because account lockout would generate Event ID 4740, not the 4624 and 4670 events shown; the Administrator account is not referenced in the provided events. Option D is wrong because a password reset attempt would generate Event ID 4724 (password reset attempt), not a network logon (4624) followed by permission changes (4670); the events show successful authentication and subsequent object access, not a reset attempt.

120
MCQmedium

A security architect is designing a segmentation strategy for a multi-tier web application. The public-facing web servers must communicate only with application servers, and application servers must communicate only with database servers. The architect wants to use a firewall that can inspect application-layer traffic to prevent SQL injection attacks. Which firewall type should be deployed between the application tier and the database tier?

A.Packet filtering firewall
B.Next-generation firewall (NGFW) with intrusion prevention
C.Stateful firewall
D.Web application firewall (WAF)
AnswerB

NGFWs can perform deep packet inspection and use IPS signatures to detect SQL injection in database protocols.

Why this answer

A next-generation firewall (NGFW) with intrusion prevention is the correct choice because it can perform deep packet inspection (DPI) at the application layer, allowing it to detect and block SQL injection payloads within database queries. Unlike simpler firewalls, an NGFW integrates signature-based and behavioral IPS engines that can identify malicious SQL patterns (e.g., 'OR 1=1') in traffic between the application and database tiers, providing the required application-layer inspection.

Exam trap

The trap here is that candidates often confuse the WAF's ability to inspect HTTP traffic with the need for application-layer inspection between application and database tiers, forgetting that database protocols (e.g., SQL) are not HTTP-based and require a different inspection engine like an NGFW with IPS.

How to eliminate wrong answers

Option A is wrong because a packet filtering firewall operates only at Layers 3 and 4, inspecting source/destination IPs and ports without any application-layer awareness, so it cannot detect SQL injection attacks. Option C is wrong because a stateful firewall tracks connection states (e.g., TCP handshake) but still inspects only headers at Layers 3–4, not the payload content needed to identify SQL injection. Option D is wrong because a web application firewall (WAF) is designed to inspect HTTP/HTTPS traffic between clients and web servers, not the database protocol traffic (e.g., SQL queries over TCP port 1433 or 3306) between application and database servers; deploying a WAF between these tiers would not inspect the actual database protocol.

121
MCQmedium

The security engineer notices that SSH login attempts to 192.168.1.1 from the untrust zone are being blocked. Which policy misconfiguration is MOST likely causing this?

A.The application is incorrect
B.The source zone is not permitted
C.The log setting prevents connections
D.The destination address is incorrect
AnswerB

The policy only allows source zone vpn; untrust is not allowed, causing the block.

Why this answer

The Remote-Admin policy only permits traffic from the vpn zone, not untrust. Therefore, SSH attempts from untrust are implicitly denied by the firewall's default deny policy. The destination address and application are correctly specified.

The log setting does not affect access. A policy for SSH from untrust is missing.

122
MCQhard

Based on the exhibit, what type of attack is most likely occurring?

A.Man-in-the-middle (MITM) attack
B.Phishing attack
C.Distributed denial-of-service (DDoS) attack
D.Brute-force attack
AnswerD

The log shows repeated failed authentication attempts, typical of brute force.

Why this answer

Option D is correct because multiple failed SSH login attempts from various IPs with different usernames indicate a brute-force attack. Option C is wrong because DDoS would flood traffic, not authentication attempts. Option A is wrong because MITM would involve interception.

Option B is wrong because phishing is social engineering.

123
MCQhard

An organization plans to establish a cross-forest trust between two Active Directory forests to enable resource access. The security architect is concerned about the risk of privilege escalation from a compromised domain in one forest. Which design choice best mitigates this risk?

A.Remove the trust entirely and use individual local accounts
B.Configure the trust to use forest-wide authentication instead of selective
C.Enable SID filtering on both forest trusts
D.Use selective authentication and restrict the authorized accounts
AnswerD

Selective authentication ensures only specified users can access resources in the trusting forest, limiting exposure from a compromise.

Why this answer

Using selective authentication restricts what resources users from the trusted forest can access in the trusting forest, ensuring that only specified accounts are allowed. Forest-wide authentication would allow broader access. SID filtering is enabled by default for cross-forest trusts but is not sufficient alone; selective authentication provides an additional constraint.

Disabling the trust is not practical.

124
Multi-Selecteasy

Which TWO of the following are best practices for securing a database server?

Select 2 answers
A.Install sample databases for testing
B.Enable remote access from any IP
C.Disable default accounts
D.Use encrypted connections
E.Use simple passwords for ease of administration
AnswersC, D

Default accounts (e.g., 'sa' in SQL Server) are often targeted; disabling them reduces risk.

Why this answer

Disabling default accounts prevents attackers from using known credentials. Encrypted connections protect data in transit. Remote access from any IP expands the attack surface.

Simple passwords are weak. Sample databases can contain known vulnerabilities.

125
MCQhard

An organization has implemented a zero-trust architecture for its mobile workforce. Employees use company-managed smartphones to access internal applications through a reverse proxy. Recently, users report that they are frequently prompted to re-authenticate, causing workflow interruptions. The security team wants to maintain zero-trust principles while improving the user experience. Analysis shows that session tokens are being revoked after a short idle timeout. Which adjustment should the security team implement to balance security and usability?

A.Extend the session token expiration time to reduce the frequency of re-authentication
B.Replace token-based authentication with certificate-based authentication and revoke certificates based on device posture
C.Reduce the number of authentication factors required for re-authentication
D.Implement short-lived access tokens with refresh tokens that are automatically rotated
AnswerD

Refresh tokens allow seamless renewal of access without user intervention, while maintaining short token lifetimes.

Why this answer

Implementing short-lived tokens with automatic refresh using refresh tokens maintains continuous authentication without requiring re-logon. Option A is incorrect because extending token lifetime increases risk if tokens are stolen. Option C is incorrect because reducing multifactor requirements weakens authentication.

Option B is incorrect because certificate revocation based on device posture may still cause frequent re-authentication, whereas refresh tokens reduce the impact.

126
MCQmedium

A cloud security team uses AWS and has configured a virtual private cloud (VPC) with a public subnet for a web application. The web servers in the public subnet have security groups that allow inbound HTTP/HTTPS from 0.0.0.0/0. The security team receives an alert that an EC2 instance in the public subnet is making outbound connections to an IP address that is listed on a threat intelligence feed as a known mining pool. The instance's security group allows all outbound traffic. The team suspects the instance is compromised and running cryptocurrency mining malware. Which of the following should be the FIRST action to take?

A.Isolate the instance by revoking its security group egress rules temporarily to prevent further communication.
B.Start a full antivirus scan on the instance and monitor the network logs.
C.Take a forensic snapshot of the instance and then terminate it.
D.Modify the security group inbound rules to block traffic from the miner IP only.
AnswerA

Immediate containment by blocking outbound traffic stops the malware from phoning home.

Why this answer

Option A is correct because isolating the instance by revoking its security group egress immediately cuts off the communication to the mining pool, containing the threat. Option C (snapshot and terminate) loses live evidence. Option B (scanning and monitoring) allows the attack to continue.

Option D (an inbound rule blocking the specific miner IP) does not address the outbound connections and may not block future connections.

127
MCQeasy

A small business is designing a defense-in-depth strategy for its e-commerce website. The web server is hosted in a cloud provider and handles credit card transactions. Which of the following additional controls best complements the existing firewall and IDS?

A.Set up a security information and event management (SIEM) system
B.Add a load balancer with SSL termination
C.Implement a web application firewall (WAF)
D.Deploy a network-based antivirus on the web server
AnswerC

A WAF inspects HTTP/HTTPS traffic and blocks SQL injection, XSS, etc., adding a critical defense layer.

Why this answer

A web application firewall (WAF) adds a layer of protection against application-layer attacks, which complements the network-layer firewall and IDS. Antivirus is for endpoints, SIEM provides logging but not proactive defense, and load balancers distribute traffic but do not add security controls beyond resilience.

128
Drag & Dropmedium

Drag and drop the steps to implement a DLP policy to prevent credit card data exfiltration via email into the correct order.


Why this order

DLP implementation: classify data, create policy, define match condition, set action, then enable and test.

129
MCQhard

The exhibit shows results from a CIS Controls assessment. Based on the findings, which control deficiency poses the greatest risk to the organization and should be prioritized for remediation?

A.Incident response (Control 8) because testing is only at 1/5
B.Network monitoring and defense (Control 13) because it has the lowest overall score and intrusion detection is missing
C.Data protection (Control 3) because sensitive data inventory is not implemented
D.Data encryption at rest (Subcontrol 3.2) because it received a score of 4/5, indicating room for improvement
AnswerB

This control has the lowest score (1/5) and lacks intrusion detection, which is vital for detecting threats.

Why this answer

Option B is correct because the network monitoring and defense control has the lowest overall score (1/5), and within it, intrusion detection is completely unimplemented (0/5), leaving the organization blind to active attacks. Option C is wrong because data protection has a higher overall score (2/5) and its subcontrols are partially implemented. Option A is wrong because incident response has a score of 3/5, which is relatively better, and the plan is fully in place; testing can be improved but is not as critical.

Option D is wrong because data encryption at rest is already highly implemented (4/5).

130
MCQeasy

Refer to the exhibit. A security analyst is reviewing the firewall rule set for a corporate network. Which misconfiguration is present?

A.No default deny rule present
B.Overly permissive source IP addresses
C.Unnecessary allowed ports
D.Missing logging on permit rules
AnswerA

A deny rule should be the last rule to drop all other traffic; otherwise, it may be implicitly allowed.

Why this answer

The rule set lacks an explicit deny rule at the end. Without a default deny, traffic that does not match any rule may be implicitly permitted depending on the firewall platform. Most security best practices require a deny-all trailing rule to ensure only explicitly allowed traffic passes.

131
Drag & Dropmedium

Drag and drop the steps to set up a SIEM alert for a failed login threshold into the correct order.


Why this order

SIEM rule creation: identify log source, create rule, set threshold, configure response, then enable and test.

132
MCQeasy

A cloud-based application uses serverless functions to process user uploads. Which of the following is the most effective way to limit the attack surface of the function?

A.Encrypt all data at rest using KMS
B.Enable detailed logging and monitoring
C.Place a web application firewall (WAF) in front of the function
D.Minimize the function's dependencies and reduce its code footprint
AnswerD

Smaller codebase and fewer libraries reduce the attack surface.

Why this answer

Option D (minimize the function's dependencies and code footprint) is correct because reducing code and libraries reduces potential vulnerabilities. Option A (encrypt at rest) protects data but not the function. Option C (use a WAF) is for web applications, not functions directly.

Option B (enable logging) is detective, not preventive.

133
MCQeasy

A financial institution must ensure that its data classification policy aligns with regulatory requirements for customer financial information. Which of the following actions best demonstrates governance in this context?

A.Implement a formal data classification policy that maps data types to regulatory categories and enforce it via technical controls.
B.Restrict all customer financial data to a single secure server without labeling.
C.Allow data owners to classify data on an ad-hoc basis as needed.
D.Encrypt all customer data at rest and in transit regardless of classification.
AnswerA

This establishes clear rules, accountability, and enforcement — core governance elements.

Why this answer

Option A is correct because it directly implements governance by establishing a formal data classification policy that maps data types to specific regulatory categories (e.g., PCI DSS, GLBA, SOX) and enforces compliance through technical controls such as Data Loss Prevention (DLP) rules, access control lists (ACLs), and encryption policies. This structured approach ensures that customer financial information is consistently protected according to legal requirements, rather than relying on ad-hoc or incomplete measures.

Exam trap

The trap here is that candidates often confuse encryption (a security control) with governance (a policy-driven framework), leading them to select Option D because they assume encryption alone satisfies regulatory compliance, when in fact governance requires classification to define which data must be encrypted and under what conditions.

How to eliminate wrong answers

Option B is wrong because restricting all customer financial data to a single secure server without labeling violates the principle of data classification; without labels or tags, the organization cannot differentiate between data types or apply granular controls (e.g., retention policies, access restrictions) required by regulations like GDPR or PCI DSS. Option C is wrong because allowing data owners to classify data on an ad-hoc basis introduces inconsistency and human error, undermining governance and potentially leading to misclassification that fails to meet regulatory mandates. Option D is wrong because encrypting all customer data at rest and in transit regardless of classification ignores the need for differentiated controls; while encryption is a security control, governance requires classification to apply appropriate policies (e.g., key management, access logging, retention) based on data sensitivity and regulatory obligations.

134
MCQ (hard)

A security manager is reviewing business continuity plans. Which element is MOST critical to test regularly?

A. Updated contact lists
B. Failover capability of critical systems
C. Alternate site readiness
D. Backup media integrity
Answer: B

Testing failover validates that critical systems can be recovered in a disaster.

Why this answer

Option B is correct because failover capability ensures that critical systems can actually be restored. Option A is wrong: contact lists need to be kept current, but they are not the most critical element to test. Option D is wrong: backup media must be tested, but a failover test exercises the whole recovery process. Option C is wrong: alternate site readiness is exercised as part of failover testing.

135
MCQ (hard)

A regional healthcare provider with 2,000 employees recently acquired a smaller clinic that uses a legacy electronic health record (EHR) system. The provider's security team performed a risk assessment and identified that the legacy system does not support encryption at rest, lacks role-based access controls (RBAC), and stores administrative credentials in plaintext. The system is scheduled to be decommissioned in 18 months, but it must remain operational to support patient care during the transition. The provider is subject to HIPAA and state breach notification laws. The CEO wants to avoid any disruption to patient services but also minimize regulatory risk. Which of the following is the BEST course of action?

A. Accelerate the migration timeline to replace the legacy system within 6 months.
B. Immediately disconnect the legacy system from the network and use manual processes.
C. Accept the residual risk and document it in the risk register.
D. Implement compensating controls such as network segmentation, storage-level encryption, and strict access monitoring.
Answer: D

Compensating controls mitigate risk while the system remains operational.

Why this answer

Option D is the best course of action because it allows the legacy EHR system to remain operational for patient care while reducing regulatory risk. Compensating controls like network segmentation isolate the vulnerable system, storage-level encryption (e.g., BitLocker or LUKS) protects data at rest, and strict access monitoring (e.g., SIEM with real-time alerts) mitigates the lack of RBAC and plaintext credentials. This approach balances the CEO's requirement for no disruption with HIPAA's security rule requirements for reasonable safeguards.

Exam trap

CompTIA often tests the concept that compensating controls are a valid risk treatment option when a vulnerability cannot be immediately remediated, and candidates mistakenly choose risk acceptance (Option C) without realizing that HIPAA requires active safeguards, not just documentation.

How to eliminate wrong answers

Option A is wrong because accelerating migration to 6 months is unrealistic and would likely cause significant disruption to patient services, violating the CEO's directive to avoid disruption. Option B is wrong because immediately disconnecting the legacy system would halt patient care, creating an unacceptable operational impact and potentially violating continuity of care requirements under HIPAA. Option C is wrong because accepting residual risk without implementing any compensating controls would leave the organization exposed to a high likelihood of a breach, violating HIPAA's requirement to implement reasonable and appropriate safeguards and increasing regulatory risk under state breach notification laws.

136
MCQ (easy)

An organization wants to implement a solution that automatically detects and blocks malicious traffic based on known signatures and behavioral anomalies. Which of the following should be deployed?

A. Next-generation firewall with application control
B. Web application firewall (WAF)
C. Security information and event management (SIEM) system
D. Network-based IDS/IPS
Answer: D

IDS/IPS combined provides detection and prevention for known signatures and anomalies.

Why this answer

A network-based IDS/IPS (Intrusion Detection/Prevention System) is designed to inspect network traffic in real time, using a combination of signature-based detection (matching known attack patterns) and behavioral/anomaly-based detection (identifying deviations from normal traffic baselines). This dual approach allows it to both detect and automatically block malicious traffic, fulfilling the organization's requirement directly.

Exam trap

The trap here is that candidates often confuse a next-generation firewall's application control with the deep packet inspection and behavioral analysis capabilities of a dedicated IDS/IPS, overlooking that NGFWs typically lack comprehensive signature-based threat detection for non-application-layer attacks.

How to eliminate wrong answers

Option A is wrong because a next-generation firewall with application control primarily focuses on application-layer filtering and policy enforcement, not on deep packet inspection for known attack signatures or behavioral anomaly detection. Option B is wrong because a web application firewall (WAF) is specialized to protect web applications from HTTP/S-specific attacks (e.g., SQL injection, XSS) and does not provide general network-level signature or anomaly detection for all traffic types. Option C is wrong because a security information and event management (SIEM) system aggregates and correlates logs from multiple sources for analysis and alerting, but it does not perform inline traffic inspection or automatic blocking of malicious packets.

137
MCQ (medium)

Which of the following is the MOST effective way to detect unauthorized changes to critical files?

A. Antivirus software
B. Intrusion detection system
C. Regular backups
D. File integrity monitoring
Answer: D

FIM specifically monitors file changes.

Why this answer

File integrity monitoring (FIM) alerts on changes to critical files. Option A (antivirus) detects malware; Option B (IDS) monitors network traffic; Option C (backups) is for recovery, not detection.

138
Multi-Select (hard)

A security operations team wants to improve their threat intelligence program. Which THREE of the following are most important for ensuring that threat intelligence is actionable and effectively integrated into security operations?

Select 3 answers
A. Ensure threat intelligence feeds provide timely indicators of compromise (IOCs) that are less than 24 hours old.
B. Require that all threat intelligence sources are completely anonymous to ensure unbiased reporting.
C. Integrate threat intelligence feeds directly into SIEM and SOAR platforms for automated correlation and response.
D. Subscribe to as many threat intelligence feeds as possible to maximize coverage.
E. Prioritize intelligence that includes context such as targeted sectors, attacker motivations, and TTPs.
Answers: A, C, E

Stale IOCs are useless; timeliness is critical for blocking active campaigns.

Why this answer

Option A (timeliness) ensures relevance; Option E (context) allows prioritization; Option C (integration with detection tools) automates response. Option D (volume) can lead to noise. Option B (anonymity) is not a key quality for intelligence.

139
MCQ (medium)

A security analyst discovers that a third-party vendor has been granted access to the company's production database for support purposes. The vendor's contract expires in two weeks. What is the BEST course of action to ensure compliance with the principle of least privilege and reduce risk?

A. Immediately revoke the vendor's database access and provide temporary access only if needed.
B. Extend the contract for another year to maintain support continuity.
C. Wait until the contract expires and then revoke access.
D. Monitor the vendor's activities until the contract expires.
Answer: A

Immediate revocation aligns with least privilege and reduces risk.

Why this answer

Revoking access before contract end ensures that the vendor cannot access data after the relationship ends, complying with least privilege. Extending or monitoring only would still leave access beyond necessity, and waiting is risky.

140
MCQ (medium)

A data loss prevention (DLP) solution is being implemented to prevent sensitive data from leaving the corporate network. Which of the following is the most effective approach for detecting structured data like credit card numbers in outbound traffic?

A. Keyword matching
B. Regular expression matching
C. Machine learning classification
D. Exact file hash matching
Answer: B

Regular expressions can accurately match patterns like credit card number formats.

Why this answer

Regular expressions can match patterns like credit card numbers, while other methods are less precise or suited for different data types.

141
MCQ (hard)

A healthtech startup is developing a mobile app that collects PHI. They plan to use a third-party cloud provider for data storage. What is the most critical compliance requirement before signing the contract?

A. Verify the provider's data center locations comply with data residency laws
B. Execute a Business Associate Agreement (BAA) with the provider
C. Review the provider's SOC 2 Type II report
D. Ensure all data is encrypted at rest and in transit
Answer: B

A BAA is a legal requirement under HIPAA for any vendor handling PHI.

Why this answer

Under HIPAA, a Business Associate Agreement (BAA) is a mandatory contract that ensures the third-party cloud provider (a business associate) will safeguard Protected Health Information (PHI). Without a BAA, the startup would be in direct violation of HIPAA's Privacy and Security Rules, regardless of other security measures. This requirement is non-negotiable before any PHI is shared or stored by the provider.

Exam trap

CompTIA often tests the distinction between contractual compliance (BAA) and technical controls (encryption, SOC reports), leading candidates to prioritize security measures over the mandatory legal agreement required by HIPAA.

How to eliminate wrong answers

Option A is wrong because while data residency laws (e.g., GDPR, local regulations) are important, they are not the most critical compliance requirement under HIPAA; a BAA is the foundational legal agreement. Option C is wrong because reviewing a SOC 2 Type II report provides assurance about the provider's controls but does not satisfy the HIPAA requirement for a contractual BAA; it is a supplementary due diligence step. Option D is wrong because encryption at rest and in transit is a technical safeguard, but it does not replace the legal obligation of a BAA; HIPAA mandates the BAA even if encryption is implemented.

142
Multi-Select (easy)

Which TWO of the following are examples of administrative controls? (Select TWO)

Select 2 answers
A. Firewall rules
B. Encryption of data at rest
C. Security awareness training
D. Access control policy
E. Intrusion detection system
Answers: C, D

Administrative control

Why this answer

Security awareness training (C) is an administrative control because it involves policies, procedures, and human behavior management rather than technical mechanisms. It educates users on security risks and compliance requirements, reducing the likelihood of social engineering or policy violations. This aligns with the administrative domain of the CIA triad's governance framework.

Exam trap

Cisco often tests the distinction between administrative, technical, and physical controls, and the trap here is that candidates confuse technical controls like encryption or firewalls with administrative controls because they are both part of a defense-in-depth strategy, but only administrative controls involve human processes and documentation.

143
MCQ (easy)

A developer needs to securely store user passwords in a database. Which hashing technique is recommended for password storage?

A. SHA-256 with a random salt
B. bcrypt with a per-user salt
C. MD5 with a static salt
D. Base64 encoding
Answer: B

bcrypt is deliberately slow and includes salting, which makes it resistant to rainbow tables.

Why this answer

Option B (bcrypt) is correct because it is designed for password hashing with a cost factor to resist brute-force attacks. Option C (MD5) is fast and insecure; Option A (SHA-256) is better but lacks inherent salting and iteration; Option D (Base64) is encoding, not hashing.

144
MCQ (medium)

An administrator runs the above iptables command on a Linux server. The server is directly connected to the internet. Which of the following is the MOST significant security issue with this configuration?

A. The INPUT chain default policy is DROP, which will block legitimate traffic
B. The OUTPUT chain default policy is ACCEPT, allowing any outbound traffic
C. SSH (port 22) is allowed from any source, which is overly permissive
D. ICMP echo requests are allowed, which could be used for network reconnaissance
Answer: B

This could allow data exfiltration or command and control traffic.

Why this answer

The most significant security issue is that the OUTPUT chain default policy is ACCEPT, allowing any outbound traffic from the server. Since the server is directly connected to the internet, this means that if the server is compromised, an attacker can freely exfiltrate data, initiate outbound connections to command-and-control servers, or perform other malicious activities without any firewall restriction. A default DROP policy on the OUTPUT chain would require explicit rules for allowed outbound traffic, providing defense in depth.

Exam trap

The trap here is that candidates focus on inbound rules (like SSH or ICMP) because they are more familiar, but the exam tests understanding that a default ACCEPT on the OUTPUT chain is a critical security gap that enables data exfiltration and is often overlooked in firewall configurations.

How to eliminate wrong answers

Option A is wrong because the INPUT chain default policy is DROP, which is a security best practice to block unsolicited inbound traffic; legitimate traffic is explicitly allowed by rules (e.g., SSH on port 22, ICMP echo requests), so it does not block legitimate traffic. Option C is wrong because while allowing SSH from any source is overly permissive, it is less significant than the OUTPUT chain default ACCEPT, as SSH can be restricted to specific source IPs or a jump box, whereas a default ACCEPT on OUTPUT is a fundamental architectural flaw that enables data exfiltration. Option D is wrong because allowing ICMP echo requests is a common and generally acceptable practice for network troubleshooting; while it can aid reconnaissance, it is not the most significant issue compared to unrestricted outbound traffic.

145
MCQ (hard)

You are the security architect for a global manufacturing company that has recently experienced a ransomware attack. The attack originated from a third-party vendor's compromised VPN account, which had been granted privileged access to the corporate network for remote maintenance. The vendor is a critical supplier of industrial control system (ICS) components. The incident severely disrupted production for three days. Post-incident analysis reveals that the vendor's security posture was not assessed prior to granting access, and the contract did not include specific security requirements or audit rights. The company now wants to implement a vendor risk management program to prevent future incidents. Which of the following is the MOST comprehensive and effective course of action to address the root cause?

A. Implement network segmentation to isolate vendor access to specific systems
B. Conduct background checks on all vendor personnel before granting access
C. Develop a vendor risk management policy that includes security assessments, contractual clauses, and periodic audits
D. Require all vendors to use multi-factor authentication (MFA) for remote access
Answer: C

A comprehensive program addresses the root cause: the lack of vendor oversight.

Why this answer

Option C is correct because establishing a formal vendor risk management program with contractual security requirements and periodic audits directly addresses the lack of assessment and oversight. Option A is wrong because network segmentation alone does not enforce vendor compliance. Option D is wrong because MFA is a single control; it does not replace a program. Option B is wrong because background checks on personnel do not ensure technical security controls.

146
MCQ (easy)

A web developer is designing an e-commerce application that stores customer payment information. The application runs on a cloud platform and uses a relational database. During a security review, the auditor identifies that the database admin credentials are hardcoded in the application configuration file. The developer must implement a solution that eliminates hardcoded credentials and enables automatic rotation of secrets. Which course of action should the developer take?

A. Replace the database with one that supports certificate-based authentication
B. Encrypt the configuration file using the application's built-in encryption
C. Store the credentials in environment variables and use a scheduled script to change them
D. Use a secrets management service to store and rotate the credentials dynamically
Answer: D

Secrets management services provide secure storage and automatic rotation.

Why this answer

Using a secrets management service like AWS Secrets Manager or HashiCorp Vault securely stores and rotates credentials, eliminating hardcoded secrets. Option C is incorrect because environment variables still expose secrets in process memory. Option B is incorrect because encrypting the configuration file at rest does not protect the secrets once the application reads them. Option A is incorrect because switching to certificate-based authentication is not an appropriate fix for the stated problem of hardcoded, unrotated database credentials.

147
MCQ (hard)

A security team discovers a misconfiguration that exposes sensitive data. The operations team wants to wait until the next maintenance window. What is the BEST course of action?

A. Document the risk and accept it
B. Notify the data protection authority
C. Immediately fix the misconfiguration
D. Implement a temporary workaround
Answer: C

Reduces risk immediately.

Why this answer

Immediate remediation minimizes exposure. Options A, B, and D all delay remediation, which is unacceptable given the severity.

148
MCQ (hard)

An organization uses a microservices architecture where services communicate via REST APIs. To ensure defense in depth, they want to authenticate and authorize every API call. Which of the following implementations BEST enforces this at the application layer?

A. Mutual TLS (mTLS) between services
B. API keys in HTTP headers
C. OAuth 2.0 with JWT bearer tokens and scoped permissions
D. IP whitelisting at the network firewall
Answer: C

Why this answer

OAuth 2.0 with JWT bearer tokens and scoped permissions is the best choice because it provides a standardized, token-based authentication and authorization mechanism at the application layer. The JWT contains claims (e.g., issuer, subject, expiration, and scopes) that can be cryptographically verified by each microservice without requiring a centralized session store, enabling fine-grained, per-API authorization. This directly addresses the requirement to authenticate and authorize every API call within a defense-in-depth strategy.

Exam trap

The trap here is that candidates confuse transport-layer security (mTLS) with application-layer authorization, assuming that mutual authentication alone satisfies the 'authenticate and authorize' requirement, but mTLS provides no mechanism for scoped permissions or user-level claims.

Why the other options are wrong

A. mTLS provides transport-layer authentication but does not enforce application-level authorization.
B. API keys are static and often lack scoping; they are not as secure or granular as OAuth tokens.
D. IP whitelisting is network-level and does not authenticate users or services at the application layer.

149
MCQ (hard)

A security engineer needs to design a solution to detect and respond to insider threats involving unauthorized data exfiltration via USB devices. Which of the following is the MOST effective approach?

A. Conduct regular security awareness training on data handling policies.
B. Deploy endpoint detection and response (EDR) agents on all workstations.
C. Disable all USB ports via group policy.
D. Implement a data loss prevention (DLP) solution with device control and content inspection.
Answer: D

DLP can block, log, and alert on unauthorized USB transfers.

Why this answer

Option D is the most effective because a DLP solution with device control and content inspection can monitor, block, or alert on unauthorized data transfers to USB devices by inspecting the content being written (e.g., file types, keywords, patterns) and enforcing policies at the endpoint or network level. This directly addresses the specific threat of data exfiltration via USB, unlike other options that either lack detection or are too restrictive.

Exam trap

The trap here is that candidates often choose EDR (Option B) because they associate it with endpoint security, but EDR is designed for threat detection (e.g., malware, lateral movement), not for granular data exfiltration control via USB, which requires DLP's content-aware inspection and device control capabilities.

How to eliminate wrong answers

Option A is wrong because security awareness training is a preventive control that relies on user compliance and does not provide real-time detection or automated response to unauthorized USB data transfers. Option B is wrong because EDR agents focus on detecting and responding to malware and suspicious process behavior, not on monitoring or blocking file copy operations to removable media. Option C is wrong because disabling all USB ports via group policy is a brute-force approach that prevents legitimate use (e.g., keyboards, mice) and does not allow for granular control or detection of authorized vs. unauthorized data transfers.

150
MCQ (hard)

A company is merging with another organization and needs to integrate their identity management systems. The security team is concerned about maintaining least privilege and segregation of duties across the combined environment. Which of the following approaches BEST addresses these concerns?

A. Deploy single sign-on (SSO) across both organizations
B. Create a unified user group with the same permissions for all employees
C. Use an identity governance and administration (IGA) tool with automated provisioning
D. Perform a role-mining exercise and design new roles based on common job functions
Answer: D

Role mining ensures roles are aligned with business needs and reduces conflict.

Why this answer

Option D is correct because role-mining analyzes existing user entitlements and access patterns across both organizations to identify common job functions, enabling the design of least-privilege roles that enforce segregation of duties. This approach directly addresses the security concerns by ensuring users receive only the permissions necessary for their roles, preventing conflicts of interest inherent in merged environments.

Exam trap

CompTIA often tests the misconception that SSO or automated provisioning alone solves authorization and segregation issues, when in fact they are authentication and enforcement mechanisms that require proper role design (via role-mining) to achieve least privilege.

How to eliminate wrong answers

Option A is wrong because SSO only simplifies authentication by allowing users to log in once, but it does not manage authorization or enforce least privilege or segregation of duties across the combined identity systems. Option B is wrong because creating a unified user group with identical permissions for all employees violates least privilege by granting excessive access and eliminates segregation of duties, as every user would have the same capabilities. Option C is wrong because while an IGA tool with automated provisioning can enforce policies, without first performing role-mining to define appropriate roles based on actual job functions, it would simply automate existing (potentially flawed) permissions, failing to establish proper least privilege and segregation of duties.
