CompTIA SecurityX CAS-004 (CAS-004) — Questions 151-225

510 questions total · 7 pages · All types, answers revealed

Page 3 of 7
151 · MCQ · medium

An enterprise is adopting a DevOps model and wants to integrate security into the CI/CD pipeline. The security architect recommends adding automated security testing. Which phase of the pipeline should static application security testing (SAST) be introduced to minimize rework?

A. During the build phase after code commit
B. During the production deployment phase
C. After the code is promoted to production
D. During runtime in the staging environment
Answer: A

SAST analyzes source code, so running it in the build phase catches issues early.

Why this answer

SAST is most effective when run early, ideally during the build phase, so developers can fix vulnerabilities before deployment. Running it in production is too late, and running it during deployment can delay releases.

SAST analyzes source code; it is not run against running applications.

152 · MCQ · hard

A large healthcare organization has implemented a zero-trust network architecture (ZTNA) to secure access to its electronic health record (EHR) system. The architecture uses a software-defined perimeter (SDP) where all users must authenticate and be authorized before accessing the EHR. The EHR system is hosted in a private cloud and communicates with a legacy billing system that cannot support modern authentication protocols. The billing system is accessed by a small number of finance employees via a dedicated VPN. Recently, an auditor discovered that a finance employee's credentials were compromised, and the attacker used the VPN to access the billing system and exfiltrate patient billing data. The security architect must prevent such lateral movement while maintaining access for legitimate users. Which of the following is the BEST course of action?

A. Apply micro-segmentation to isolate the billing system and allow only finance VLAN traffic
B. Remove the VPN and allow finance employees to access the billing system directly via RDP over the internet
C. Implement a jump server with multi-factor authentication (MFA) and session recording, and restrict the VPN to only allow access to the jump server
D. Upgrade the billing system to support OAuth 2.0 and integrate it with the ZTNA SDP
Answer: C

This adds an extra layer of security and auditability, preventing direct access to the billing system.

Why this answer

Option C is correct because a jump server with MFA and session recording creates a controlled, auditable choke point that prevents lateral movement from the VPN to the billing system. By restricting the VPN to only allow access to the jump server, the attacker cannot directly reach the billing system even with compromised VPN credentials, and MFA adds an additional layer of authentication. Session recording provides forensic evidence for post-incident analysis, addressing the auditor's concern without requiring the legacy billing system to support modern protocols.

Exam trap

The trap here is that candidates often choose micro-segmentation (Option A) thinking it prevents lateral movement, but they overlook that the compromised VPN credentials already provide authenticated access to the network segment, so micro-segmentation alone does not stop the attacker from reaching the billing system within the same VLAN.

How to eliminate wrong answers

Option A is wrong because micro-segmentation and VLAN isolation can reduce lateral movement but do not address the compromised VPN credentials; an attacker with valid VPN access could still move laterally within the finance VLAN to the billing system. Option B is wrong because removing the VPN and exposing the billing system directly via RDP over the internet dramatically increases the attack surface, bypassing all network segmentation and introducing significant security risks without any compensating controls. Option D is wrong because upgrading the legacy billing system to support OAuth 2.0 is often technically infeasible or cost-prohibitive, and the question explicitly states the system cannot support modern authentication protocols, making this option unrealistic.

153 · MCQ · hard

A security architect finds this IAM policy attached to an S3 bucket. Which of the following best describes a critical security flaw in this policy?

A. The condition on the second statement uses StringEquals instead of IpAddress
B. The second statement allows public access from the 10.0.0.0/8 IP range
C. The first statement allows EC2 to assume any role in the account
D. The policy should use a NotPrincipal element to restrict access
Answer: B

Since Principal is "*", anyone on that IP range can access the bucket without authentication.

Why this answer

The second statement uses "Principal": "*" which allows any user or service to access the bucket if they meet the IP condition. Since "Effect": "Allow", it grants public access from the specified IP range. This is a major risk because the bucket is named "my-sensitive-bucket" and the IP range 10.0.0.0/8 is an internal private range that could be spoofed or used by anyone on that network.

The first statement is fine for EC2 assume role. The flaw is that the policy allows anonymous access from a broad private IP range.

154 · MCQ · hard

A large enterprise recently migrated its critical applications to a hybrid cloud environment. The security team is concerned about the risk of privileged account abuse. They have implemented a privileged access management (PAM) solution that rotates passwords for service accounts after each use. However, during an incident response drill, the team discovers that an attacker who compromised a jump server was able to access multiple administrative consoles without re-authentication. Investigation reveals that the PAM solution uses session recording but does not enforce session termination; instead, it relies on the lifecycle of the token issued during initial authentication. The attacker captured a valid token and reused it from a different machine. Which of the following is the most effective remediation?

A. Implement token-binding by including the client's TLS certificate in the token
B. Require multi-factor authentication at each console access
C. Shorten the token lifetime to 30 seconds
D. Deploy a host-based intrusion detection system on the jump server
Answer: A

Token-binding binds the token to the device, ensuring it cannot be used elsewhere.

Why this answer

Token-binding ties the token to the client device, so a captured token cannot be reused from another machine. Option B adds an authentication step but does not stop reuse of a token captured after authentication. Option C would break functionality.

Option D does not address token theft.

155 · MCQ · easy

A small business uses an on-premises Active Directory for user authentication. They want to enable employees to use their corporate credentials to access a SaaS application that supports SAML 2.0. The security administrator needs to set up a federation between the on-premises AD and the SaaS provider. Which of the following components must be deployed on-premises to act as a bridge between AD and the SAML identity provider?

A. RADIUS server
B. Active Directory Federation Services (AD FS)
C. Kerberos key distribution center (KDC)
D. Azure AD Connect
Answer: B

AD FS is a SAML 2.0 IdP that authenticates against AD.

Why this answer

Active Directory Federation Services (AD FS) is Microsoft's solution for federated identity and can act as the SAML IdP, integrating with AD.

156 · MCQ · medium

A security analyst reviews this output from an SSH session. What security control is in place on the remote server?

A. Account lockout policy
B. MaxAuthTries limit in SSH configuration
C. Fail2ban or similar IP blocking
D. SSH banner
Answer: B

The SSH server's MaxAuthTries setting limits the number of authentication attempts per connection.

Why this answer

The output shows repeated 'Permission denied' messages followed by 'Connection closed by remote host' after a specific number of attempts. This behavior is characteristic of the MaxAuthTries directive in the SSH server configuration (sshd_config), which limits the number of authentication attempts per connection. When the limit is reached, the SSH server immediately closes the connection, as seen in the output.

Exam trap

CompTIA often tests the distinction between server-side connection termination (MaxAuthTries) and account-level lockout or external IP blocking, leading candidates to confuse a per-connection limit with a per-account or firewall-based control.

How to eliminate wrong answers

Option A is wrong because an account lockout policy would lock the user account after failed attempts, but the output shows the connection being closed by the remote host without any account lockout message, and the SSH session itself is terminated. Option C is wrong because Fail2ban or similar IP blocking would block the source IP at the firewall level, resulting in a timeout or connection refused, not the 'Connection closed by remote host' message after authentication attempts. Option D is wrong because an SSH banner is displayed before authentication begins and does not cause connection closure after failed attempts; it is a pre-authentication message.

157 · MCQ · medium

Based on the exhibit, what is the primary purpose of the condition in this IAM policy?

A. Enable encryption in transit for the S3 bucket
B. Allow all incoming traffic to the S3 bucket
C. Deny access from the specified IP ranges
D. Restrict access to requests originating from the specified IP ranges
Answer: D

The condition allows only requests from those IPs.

Why this answer

Option D is correct because the condition uses aws:SourceIp to restrict access to requests from the specified IP ranges. Option B is wrong because the condition does not allow all traffic. Option C is wrong because it is an Allow policy with a condition, not a Deny.

Option A is wrong because encryption in transit is not addressed.

158 · MCQ · easy

A security architect is designing a network segmentation strategy for a multi-tier web application. The web servers must be accessible from the internet, while the application and database servers must only be accessible from the web tier. Which architecture best meets these requirements?

A. Use a single VLAN with access control lists to restrict traffic between servers.
B. Place all servers in the same subnet and use host-based firewalls for isolation.
C. Deploy web servers in a DMZ, application servers in an internal network, and database servers in a separate restricted network with firewall rules allowing only necessary traffic.
D. Use a VPN concentrator for all external access and place all servers in a private subnet.
Answer: C

This provides defense in depth with proper segmentation and access controls.

Why this answer

Option C is correct because it implements a classic three-tier DMZ architecture: web servers in a DMZ (publicly accessible), application servers in an internal network (accessible only from the DMZ), and database servers in a restricted backend network (accessible only from the application tier). This layered segmentation enforces the principle of least privilege and uses firewall rules to control traffic between each tier, ensuring that internet-facing components cannot directly reach sensitive data stores.

Exam trap

The trap here is that candidates often confuse network segmentation with simple access control lists or host-based firewalls, failing to recognize that true segmentation requires separate network zones (DMZ, internal, restricted) with firewall-enforced traffic flows between them.

How to eliminate wrong answers

Option A is wrong because a single VLAN with ACLs does not provide true network segmentation; ACLs on a Layer 3 device can filter traffic but all servers remain in the same broadcast domain, increasing the attack surface and risk of lateral movement. Option B is wrong because placing all servers in the same subnet with host-based firewalls relies solely on endpoint security, which can be bypassed if a host is compromised, and does not provide network-level isolation or defense in depth. Option D is wrong because using a VPN concentrator for all external access and placing all servers in a private subnet would require all users to connect via VPN, which is impractical for a public web application and does not segment internal tiers from each other.

159 · MCQ · hard

A multinational corporation must comply with multiple data protection laws. What is the BEST strategy?

A. Use a minimal baseline that meets all laws
B. Follow only the laws of the home country
C. Follow local laws per region
D. Implement the most stringent requirements across all regions
Answer: D

This ensures compliance with the highest standards and reduces legal risk.

Why this answer

Option D is correct because applying the most stringent requirements ensures compliance across all jurisdictions. Option C is wrong because following local laws per region may lead to inconsistencies and gaps. Option B is wrong because following only home-country laws may violate other laws.

Option A is wrong because a minimal baseline may not meet stricter requirements.

160 · MCQ · hard

During a security assessment, a penetration tester discovers that a web application uses a custom encryption algorithm to protect session tokens. According to secure engineering principles, what is the primary concern?

A. Performance overhead of the custom algorithm
B. Insufficient key length used in the algorithm
C. Incompatibility with modern browsers
D. Lack of peer review and cryptanalysis
Answer: D

Custom algorithms have not been scrutinized by the cryptographic community, making them vulnerable to undiscovered weaknesses.

Why this answer

Custom cryptographic algorithms often lack peer review and may contain subtle flaws that compromise security. The primary concern is the absence of public cryptanalysis, not performance, key length (assuming sufficient), or browser compatibility.

161 · MCQ · medium

A small business runs its critical line-of-business application on a single Windows server located in a local data center. The server is accessed by employees remotely via RDP over a VPN. Recently, the server has been experiencing slow performance, and the administrator notices high CPU usage from a process named 'svchost.exe'. The administrator suspects malware but is not sure. The business has no security tools beyond Windows Defender. Management wants to minimize downtime and ensure the server is back to full operation as soon as possible. Which of the following is the BEST course of action for the administrator to take first?

A. Run a full offline scan using Microsoft Defender (Windows Defender Offline) from a bootable media.
B. Restore the server from the most recent backup taken before the performance issues started.
C. Install a third-party antivirus solution and perform a full system scan.
D. Disconnect the server from the network immediately to contain any potential threat.
Answer: A

An offline scan can detect and remove malware without affecting the running system, minimizing downtime.

Why this answer

A full offline scan using Microsoft Defender Offline boots the server from a clean environment, bypassing the running operating system where malware can hide or resist detection. This approach directly addresses the suspected malware without relying on the compromised OS, minimizes downtime by avoiding unnecessary restoration or network changes, and uses the only security tool available (Windows Defender) effectively.

Exam trap

CompTIA often tests the principle of 'least disruption first' combined with 'clean environment scanning,' where candidates mistakenly choose immediate network isolation (Option D) or backup restoration (Option B) without first using a low-impact diagnostic tool like an offline scan.

How to eliminate wrong answers

Option B is wrong because restoring from a backup taken before the performance issues started assumes the backup is clean and that the issue is definitively malware, but it could be a non-malware cause (e.g., a corrupted update or misconfiguration) and restoration incurs significant downtime and potential data loss. Option C is wrong because installing a third-party antivirus on a potentially compromised system can itself trigger conflicts, increase downtime, and the scan runs within the same vulnerable OS environment where malware may evade detection. Option D is wrong because immediately disconnecting the server from the network is premature without confirming a threat exists, and it causes unnecessary downtime for a business that relies on remote access via VPN; containment should follow confirmation of an active threat.

162 · MCQ · hard

You are the security architect for a mid-sized e-commerce company that processes credit card payments. The company must comply with PCI DSS. Currently, the cardholder data environment (CDE) includes a web server, an application server, and a database server, all on the same flat network segment. The QSA has identified that the CDE is not properly segmented, and network access controls are insufficient. The company wants to minimize the scope of PCI compliance by reducing the number of systems that handle cardholder data. You propose implementing network segmentation to isolate the CDE. Which of the following is the most effective approach to reduce PCI scope while maintaining business functionality?

A. Encrypt all cardholder data at rest and in transit
B. Replace the database with a tokenization service and remove the database from the CDE
C. Move all servers to a DMZ and implement host-based firewalls
D. Deploy a firewall between the CDE and corporate network, allowing only necessary traffic
Answer: D

Segmenting the CDE reduces scope.

Why this answer

Option D is correct because deploying a firewall between the CDE and the corporate network, and restricting traffic to only what is necessary, creates a proper network segmentation boundary. This isolation reduces the PCI DSS scope by ensuring that only systems within the CDE are subject to the full set of PCI requirements, while the corporate network remains out of scope. The firewall enforces a default-deny policy, which aligns with PCI DSS Requirement 1 for network segmentation and access control.

Exam trap

The trap here is that candidates often confuse data-centric controls (like encryption or tokenization) with network-centric controls (like segmentation), leading them to choose options that protect data but do not reduce the number of systems in the CDE.

How to eliminate wrong answers

Option A is wrong because encrypting cardholder data at rest and in transit does not reduce the number of systems that handle cardholder data; it only protects the data but does not change the CDE boundary or scope. Option B is wrong because replacing the database with a tokenization service and removing the database from the CDE would reduce scope, but the question asks for the most effective approach to segment the existing CDE; tokenization is a data-centric approach, not a network segmentation technique, and does not address the immediate need for network isolation. Option C is wrong because moving all servers to a DMZ and implementing host-based firewalls does not isolate the CDE from the corporate network; a DMZ is typically used for public-facing services and does not provide the strict segmentation required to reduce PCI scope, and host-based firewalls alone are insufficient for network-level segmentation.

163 · MCQ · hard

During a forensic investigation, an analyst finds that a compromised system's memory dump shows signs of a kernel-mode rootkit. Which technique is MOST effective to detect the rootkit without relying on the compromised OS?

A. Run antivirus scans on the disk image.
B. Compare registry snapshots before and after infection.
C. Analyze network packet captures for C2 traffic.
D. Perform memory analysis using Volatility on an isolated forensic workstation.
Answer: D

Memory analysis from a dump allows detection of kernel-mode artifacts without trusting the compromised OS.

Why this answer

Option D is correct because memory forensics on a separate, isolated system allows analysis of the dump without trusting the compromised OS. Option A relies on the OS, which may be compromised. Option C is for network traffic, not kernel rootkits.

Option B may not detect rootkits if they hide from the registry.

164 · Multi-Select · easy

Which two practices are essential for securing a CI/CD pipeline? (Choose two.)

Select 2 answers
A. Allow any developer to merge code into the main branch without review.
B. Implement code signing for all build artifacts.
C. Store credentials in plaintext within pipeline configuration files.
D. Use immutable tags for container images.
E. Scan container images for vulnerabilities before deployment.
Answers: B, E

Code signing ensures artifacts have not been tampered with.

Why this answer

Options B and E are correct. Code signing ensures artifact integrity, and vulnerability scanning prevents deploying insecure images. Option A lacks necessary review.

Option C is insecure. Option D is beneficial but not as essential as B and E.

165 · Multi-Select · medium

A security analyst is reviewing a web application's authentication mechanism. Which of the following are best practices to prevent session hijacking? (Select TWO.)

Select 2 answers
A. Regenerate session ID upon successful login
B. Set the session timeout to 5 minutes
C. Use the same session ID before and after authentication
D. Store session tokens in localStorage
E. Use the Secure and HttpOnly flags on session cookies
Answers: A, E

Why this answer

Regenerating the session ID upon successful login (option A) is a critical defense against session fixation attacks, where an attacker forces a known session ID on a user before authentication. By issuing a new, server-generated session ID after login, the application ensures that any pre-authentication session ID controlled by an attacker becomes invalid. This practice is recommended by OWASP and aligns with RFC 6265 session management guidelines.

Exam trap

CompTIA often tests the misconception that short session timeouts (like 5 minutes) are a primary defense against session hijacking, when in fact they are a secondary mitigation that can harm usability, while the core technical controls are session ID regeneration and cookie security flags.

Why the other options are wrong

B

Short timeouts reduce risk but do not prevent hijacking; they are a mitigation, not a prevention.

C

Using the same session ID allows session fixation attacks.

D

localStorage is accessible by JavaScript and vulnerable to XSS; cookies with the HttpOnly flag are more secure.

166 · MCQ · easy

Which of the following is the primary purpose of input validation in application security?

A. To improve application performance by filtering out large inputs
B. To prevent injection attacks by ensuring data conforms to expected formats
C. To encrypt user input before storing it in the database
D. To log all user input for auditing purposes
Answer: B

Why this answer

Input validation is a security control that ensures user-supplied data matches expected formats, types, lengths, and ranges before processing. By rejecting malformed input, it directly prevents injection attacks (e.g., SQL injection, XSS, command injection) where an attacker embeds malicious code within input fields. This aligns with OWASP's top application security risks and is a foundational defense-in-depth measure.

Exam trap

CompTIA often tests the misconception that input validation is about performance or logging, but the core purpose is always preventing injection attacks by enforcing data integrity at the application layer.

Why the other options are wrong

A

Performance improvement is a side effect, not the primary security goal.

C

Encryption protects data at rest, but input validation focuses on input integrity.

D

Logging is important but not the primary purpose of input validation.

167 · Multi-Select · hard

Which THREE of the following are common vulnerabilities in IoT devices? (Select THREE.)

Select 3 answers
A. Large storage capacity
B. Hardcoded credentials
C. Lack of secure boot
D. High compute power
E. Unencrypted communications
Answers: B, C, E

Many IoT devices ship with default or hardcoded credentials that cannot be changed.

Why this answer

Hardcoded credentials (Option B) are a common IoT vulnerability because manufacturers often embed default usernames and passwords (e.g., 'admin/admin') into device firmware for ease of deployment. Attackers can exploit these static credentials via SSH, Telnet, or web interfaces to gain unauthorized access, as seen in Mirai botnet attacks. This violates the principle of least privilege and secure credential management.

Exam trap

CompTIA often tests the misconception that hardware features like storage or compute power are vulnerabilities, when in fact the risks stem from insecure design choices (e.g., hardcoded credentials, lack of encryption) rather than raw capability.

168 · MCQ · medium

A security analyst at a financial institution is investigating a potential data exfiltration incident. The organization uses a zero-trust network architecture with micro-segmentation. The analyst notices that a database server with sensitive customer financial data has been communicating with an external IP address (198.51.100.45) over port 443 during non-business hours. The database server is not supposed to initiate outbound connections; all outbound traffic is logged and blocked by default except for specific allowlisted IPs and ports. The analyst reviews the firewall logs and finds that the outbound connection to 198.51.100.45 was allowed because the source port was 443, which is an allowed port for inbound HTTPS traffic. The database server is not a web server and does not run any HTTPS services. Which of the following is the best course of action for the analyst to take first?

A. Immediately block the external IP address at the perimeter firewall
B. Disable the database server's network interface
C. Review the database server's recent application logs for any anomalies
D. Check the endpoint detection and response (EDR) logs on the database server for signs of malware or unauthorized processes
Answer: D

Checking EDR logs can quickly indicate whether the server is compromised, guiding further actions.

Why this answer

Option D is correct because the database server is not supposed to initiate outbound connections, yet a connection to an external IP over port 443 was allowed due to source port 443 matching an inbound allow rule. This strongly suggests the server may be compromised, with malware or an unauthorized process using source port 443 to bypass firewall restrictions. Checking EDR logs is the best first step to identify malicious processes or indicators of compromise without prematurely destroying evidence.

Exam trap

The trap here is that candidates assume the firewall allowed the connection because port 443 is legitimate for HTTPS, but the key insight is that the source port (not destination port) was used to bypass egress rules, requiring endpoint-level investigation rather than network-level blocking or application log review.

How to eliminate wrong answers

Option A is wrong because immediately blocking the external IP at the perimeter firewall could alert an attacker and destroy forensic evidence before the scope of the incident is understood. Option B is wrong because disabling the database server's network interface is a drastic, disruptive action that should only be taken after confirming compromise and preserving evidence; it may also cause unnecessary downtime for legitimate services. Option C is wrong because while reviewing application logs may be useful later, the database server is not a web server and does not run HTTPS services, so application logs are unlikely to reveal the root cause of the outbound connection; the anomaly is at the network and process level, best captured by EDR.

169 · MCQ · hard

A security engineer is designing a new network architecture for a government agency that requires compliance with NIST SP 800-53. The network must segregate data tiers and enforce least privilege. Which of the following designs BEST meets the requirements?

A. Perimeter-based security with a VPN for remote access.
B. Zero-trust architecture with micro-segmentation and continuous verification.
C. DMZ architecture with a single firewall between the internet and internal network.
D. Flat network with VLANs for each data tier and ACLs controlling traffic.
Answer: B

Zero-trust enforces least privilege and fine-grained segmentation, aligning with NIST SP 800-53.

Why this answer

B is correct. Zero-trust architecture with micro-segmentation provides granular control and enforces least privilege. VLANs with ACLs are less fine-grained.

DMZ and perimeter-based designs do not provide internal segmentation.

170 · Multi-Select · easy

A security analyst is reviewing web server logs and notices repeated requests to URLs containing sequences like '/../../../etc/shadow' and '/../../../etc/passwd'. Which TWO actions should the analyst take as part of the immediate incident response process?

Select 2 answers
A. Check for successful exploitation by reviewing file access logs
B. Block the source IP address at the firewall
C. Run a full antivirus scan on the web server
D. Rebuild the web server from a known good backup
E. Disable the web server until a patch is applied
Answers: A, B

Determines if sensitive files were actually accessed.

Why this answer

The correct actions are A and B. Checking for successful exploitation by reviewing file access logs (A) is critical to determine whether any files were accessed or exfiltrated. Blocking the source IP at the firewall (B) helps prevent further exploitation attempts.

Running antivirus (C) is not directly relevant to a directory traversal attack. Rebuilding the server from a known good backup (D) is premature without investigation. Disabling the web server (E) is too disruptive and unnecessary if the threat is contained.

171 · Multi-Select · hard

When evaluating the security architecture of a containerized application, which THREE of the following practices should be implemented to minimize the attack surface? (Select THREE.)

Select 3 answers
A. Encrypt sensitive data at rest within the container
B. Use minimal base images (e.g., Alpine Linux) instead of full OS images
C. Implement multi-factor authentication for container registries
D. Set container file systems to read-only where possible
E. Drop all capabilities except those required for the application
Answers: B, D, E

Smaller images have fewer packages and vulnerabilities.

Why this answer

Using minimal base images reduces vulnerabilities; a read-only file system prevents malware persistence; dropping unnecessary capabilities limits the kernel attack surface. Option A is not about attack surface reduction; it is about data protection. Option C is about authentication, not attack surface.

172 · Multi-Select · medium

A security analyst is analyzing a network capture and sees repeated TCP SYN packets to a host but no SYN-ACK responses. Which TWO conclusions are MOST likely? (Choose two.)

Select 2 answers
A. The host is out of TCP receive window space.
B. The network has a loop causing packet duplication.
C. The host has accepted the connections.
D. A firewall is dropping the SYN packets before they reach the host.
E. An attacker is performing a SYN flood DDoS attack.
Answers: D, E

Firewalls can block incoming SYN packets, resulting in no response.

Why this answer

Options D and E are correct. Repeated SYNs with no SYN-ACK suggest either a firewall dropping the SYN packets before they reach the host (D) or a SYN flood DDoS attack (E). Option C is incorrect because no SYN-ACK means no connection was established.

Option B is unrelated. Option A is possible but less likely than the top two.

173 · MCQ · hard

In a CI/CD pipeline, a container image is built from a Dockerfile that uses a base image from a public registry. To minimize the attack surface, which of the following actions should be automated in the pipeline?

A. Use the 'latest' tag for the base image to get latest patches
B. Run a vulnerability scanner and fail the build on critical findings
C. Store the Dockerfile in a private repository only
D. Install all available packages inside the container
Answer: B

Why this answer

Option B is correct because integrating a vulnerability scanner into the CI/CD pipeline and failing the build on critical findings directly reduces the attack surface by preventing deployment of images with known exploitable vulnerabilities. This aligns with the principle of secure software supply chain management, where automated security gates are essential for containerized environments.

Exam trap

CompTIA often tests the misconception that using the 'latest' tag is a safe practice for security patching, when in fact it undermines deterministic builds and introduces supply chain risks.

Why the other options are wrong

A

'latest' can introduce breaking changes or untested versions.

C

Storage location does not reduce attack surface.

D

Installing extra packages increases attack surface.

174
MCQeasy

A system administrator is configuring a Linux server to host a web application. Which file permission should be set for the private SSL key?

A.600
B.644
C.444
D.755
AnswerA

600 grants read/write to owner only, which is secure for private keys.

Why this answer

Private keys must be readable only by the owner (usually root or the application user). Permission 600 ensures only the owner can read and write the file, preventing unauthorized access.

175
MCQmedium

A company uses a microservices architecture with Docker containers orchestrated by Kubernetes. Developers push code to a Git repository, which triggers a CI/CD pipeline using Jenkins. The pipeline builds Docker images and pushes them to a private registry (Harbor). Recently, a critical vulnerability (CVE-2024-XXXX) was discovered in the base image of several containers. The security team wants to ensure that only images that pass vulnerability scans are deployed to production. The pipeline currently builds and pushes images without any security check. Developers are responsible for updating base images, but this has been inconsistent. Which action should the security team take?

A.Require developers to manually check their images and update base images
B.Implement a webhook in Harbor to automatically scan all images upon push and block vulnerable images from being pulled
C.Configure Jenkins to run Trivy scans on each built image and fail the pipeline if vulnerabilities exceed a defined threshold, and only allow images that pass to be pushed to the production registry
D.Use Kubernetes PodSecurity admission to block containers with high-severity vulnerabilities
AnswerC

This integrates security into the CI/CD pipeline, ensuring only compliant images are deployed.

Why this answer

Option C is correct because integrating vulnerability scanning into the pipeline ensures each image is scanned before deployment, and failing the build when vulnerabilities exceed the threshold prevents insecure images from reaching production. Option B (Harbor webhook) would block pulls, but the images are already in the registry; Option D (PodSecurity admission) cannot assess vulnerability severity; Option A (manual updates) is inconsistent and does not enforce policy.

176
MCQhard

During a compliance audit, an organization's security team discovers that sensitive data in a legacy database is stored in plaintext. The database is critical for operations and cannot be taken offline for patching until the next maintenance window in three months. Which of the following is the BEST compensating control to reduce risk immediately?

A.Restrict network access to the database to only authorized applications
B.Use file-level encryption on the database storage volume
C.Implement transparent database encryption (TDE)
D.Apply a digital signature to the database files
AnswerA

Network restrictions reduce attack surface without downtime.

Why this answer

Option A is correct because network access restrictions limit exposure while the database remains unencrypted. Option C is wrong because TDE would require downtime or cause performance impact. Option B is wrong because file-level encryption of the storage volume does not apply to the database's own storage.

Option D is wrong because signing provides integrity and does not address confidentiality.

177
MCQhard

A large enterprise is migrating its critical financial applications to a public cloud provider. The security architecture team has designed a multi-region deployment to ensure availability and disaster recovery. The applications use TLS for data in transit and rely on a key management service (KMS) for encryption keys. During a penetration test, it was discovered that the KMS master keys are stored in a single region, creating a single point of failure. Additionally, the load balancer configuration exposes internal application health check ports to the internet. The security architect must remediate these issues while minimizing latency and cost. Which of the following is the BEST course of action?

A.Replace the TLS encryption with IPsec VPNs and use a third-party key management appliance in each region
B.Implement cross-region replication of KMS master keys and restrict health check ports to internal IP ranges only
C.Move all applications to a single region to simplify key management and use a single shared load balancer
D.Use client-side encryption with keys stored in the application code and disable the health checks entirely
AnswerB

Replication ensures key availability; restricting health check ports reduces attack surface.

Why this answer

Option B addresses both issues: cross-region replication ensures KMS availability, and restricting health check ports to internal IP ranges reduces exposure. Option C increases risk by consolidating to one region. Option D embeds keys in application code, violating security best practices.

Option A replaces TLS with IPsec, which is unnecessary and adds complexity.

178
MCQeasy

A small business uses Puppet for configuration management on Linux servers. They are now migrating to containers and want to maintain security. The operations team is unfamiliar with containers. The security team insists on automated vulnerability scanning of container images before deployment. What should be the company's first step?

A.Deploy a Kubernetes cluster and migrate all applications.
B.Discontinue using Puppet and switch entirely to container-based configurations.
C.Train the operations team on Docker and Kubernetes fundamentals.
D.Create a hardened base image standard, and set up a CI pipeline that automatically scans every image for vulnerabilities before it is pushed to the registry.
AnswerD

This establishes security controls early and automates the scanning requirement.

Why this answer

Creating a hardened base image standard and integrating scanning into CI is foundational, so Option D is correct. Training (C) is premature without a plan.

Kubernetes (A) is too advanced initially. Discontinuing Puppet (B) is unnecessary.

179
MCQhard

A security analyst is reviewing the following JSON Web Token (JWT) header: {"alg":"none","typ":"JWT"}. Which of the following vulnerabilities does this indicate?

A.Weak signing key
B.Algorithm confusion attack surface
C.Token expiration not set
D.Unencrypted payload
AnswerB

The 'none' algorithm allows attackers to bypass verification, a known JWT vulnerability.

Why this answer

Option B is correct because the "alg":"none" header allows tokens without a signature, enabling attackers to forge tokens that a misconfigured verifier accepts as valid. Option C (expiration) is not indicated by the header. Option A (weak key) would require a signature to exist.

Option D (unencrypted payload) is not directly indicated; JWT payloads are normally only base64url-encoded, regardless of the algorithm.

180
Multi-Selectmedium

Which of the following are secure scripting practices when automating administrative tasks? (Choose two.)

Select 2 answers
A.Hardcode credentials in the script for convenience
B.Use a secrets management service to retrieve credentials at runtime
C.Run the script with the highest privileges required
D.Implement input validation to prevent injection attacks
AnswersB, D

Why this answer

Option B is correct because using a secrets management service (e.g., HashiCorp Vault, AWS Secrets Manager) retrieves credentials at runtime via secure APIs, avoiding hardcoded secrets in scripts. This practice ensures credentials are encrypted at rest and in transit, and supports rotation without modifying the script. It aligns with the principle of least privilege and reduces the risk of credential exposure in version control or logs.

Exam trap

Cisco often tests the misconception that running with elevated privileges is necessary for automation, when in fact least privilege and secrets management are the secure practices, and input validation is a separate but equally important control.

Why the other options are wrong

A

Hardcoding exposes secrets in version control.

C

Should run with least privilege, not highest.

181
Multi-Selectmedium

A security analyst is investigating a potential data breach. The logs show that an attacker used a compromised service account to access sensitive files on a file server. Which TWO actions should the analyst take FIRST to contain the incident? (Choose TWO.)

Select 2 answers
A.Check the workstation logs for signs of malware.
B.Notify law enforcement and the organization's legal department.
C.Reset the service account password and revoke any active tokens.
D.Review and modify permissions on the file server to limit the account's access.
E.Restore the affected files from a known good backup.
AnswersC, D

Immediately stops the attacker's access.

Why this answer

Resetting the service account password and revoking active tokens (C) immediately invalidates the attacker's current authentication credentials, preventing further unauthorized access via that compromised account. This is a critical containment step because service accounts often have persistent access and may use long-lived tokens or cached credentials that remain valid until explicitly revoked.

Exam trap

Cisco often tests the distinction between containment, eradication, and recovery phases; the trap here is that candidates may confuse a recovery action (restoring backups) or a notification step (calling law enforcement) with the immediate containment priority of cutting off the attacker's access.

182
Multi-Selecthard

Which THREE of the following are common techniques to mitigate side-channel attacks?

Select 3 answers
A.Disable CPU caching to prevent cache timing attacks
B.Implement constant-time algorithms for cryptographic operations
C.Add noise to power consumption or electromagnetic emissions
D.Ensure memory access patterns are independent of secret data
E.Use random delays in code execution paths
AnswersB, C, D

Constant-time execution prevents timing variations based on secret data.

Why this answer

Option B is correct because constant-time algorithms ensure that the execution time of cryptographic operations does not depend on secret data, such as keys. By avoiding conditional branches or variable-time instructions (e.g., multiplication or memory accesses) that vary with input, these algorithms prevent attackers from inferring secrets through timing measurements. This is a fundamental mitigation against timing side-channel attacks, as specified in standards like FIPS 140-3 and NIST SP 800-56B.

Exam trap

CompTIA often tests the misconception that adding random delays (Option E) is a valid side-channel mitigation, but candidates must recognize that statistical averaging defeats such noise, whereas constant-time algorithms (Option B) and noise injection (Option C) are standard, effective techniques.

183
MCQmedium

An organization is implementing a governance framework to ensure that security controls are aligned with business objectives. Which of the following frameworks is specifically designed for this purpose?

A.COBIT 2019
B.NIST SP 800-53
C.ITIL 4
D.ISO/IEC 27001
AnswerA

COBIT is a governance framework that aligns IT with business objectives.

Why this answer

COBIT 2019 is specifically designed to align IT governance and security controls with business objectives by providing a comprehensive framework that links business goals to IT goals and enablers. It focuses on governance of enterprise IT (GEIT), ensuring that security investments and controls directly support strategic business outcomes, unlike other frameworks that are more operational or compliance-focused.

Exam trap

CompTIA often tests the distinction between governance frameworks (COBIT) and operational or compliance frameworks (NIST SP 800-53, ITIL, ISO 27001), trapping candidates who confuse control implementation with strategic alignment.

How to eliminate wrong answers

Option B (NIST SP 800-53) is wrong because it is a catalog of security and privacy controls for federal information systems, not a governance framework designed to align controls with business objectives; it focuses on technical and operational control implementation rather than strategic alignment. Option C (ITIL 4) is wrong because it is a service management framework that focuses on IT service lifecycle and delivery processes, not on governance or linking security controls to business goals. Option D (ISO/IEC 27001) is wrong because it is an information security management standard that specifies requirements for an ISMS, emphasizing risk management and compliance, but it does not inherently provide a governance structure to align controls with business objectives like COBIT does.

184
MCQmedium

A security analyst discovers that container images in the company's private registry lack signatures. The development team uses a script to build and push images. The analyst wants to ensure image integrity and prevent tampering. Which solution should the analyst recommend?

A.Implement Docker Content Trust with a Notary server to require signatures on all images.
B.Restrict registry access to only the build servers.
C.Use SSH keys to sign the image tarball before pushing.
D.Encrypt the image filesystem layer using AES-256.
AnswerA

Docker Content Trust uses signing keys and a Notary server to verify image integrity at pull time.

Why this answer

Docker Content Trust (Notary) provides image signing and verification, so Option A is correct. SSH keys (C) are not designed for image signing.

Encryption (D) does not provide integrity. Restricting registry access to build servers (B) does not prevent tampering after push.

185
MCQhard

An organization uses AWS, Azure, and GCP for different workloads. They want a single tool to manage infrastructure consistently across all providers. Which approach is most appropriate?

A.Use Terraform with provider plugins
B.Use Azure Resource Manager templates
C.Write provider-specific scripts in PowerShell
D.Use AWS CloudFormation
AnswerA

Terraform’s provider model allows unified management across clouds.

Why this answer

Terraform supports multiple providers via plugins, enabling consistent management. Provider-specific tools are limited to one cloud, and writing scripts for each is inefficient.

186
MCQeasy

Which of the following is a primary benefit of using a Web Application Firewall (WAF) in front of a web application?

A.It encrypts all traffic between client and server
B.It prevents all types of attacks against the application
C.It filters malicious HTTP requests and can block common web exploits
D.It performs static code analysis on the application
AnswerC

Why this answer

A Web Application Firewall (WAF) operates at Layer 7 (application layer) of the OSI model and inspects HTTP/HTTPS traffic for malicious payloads. It uses a combination of signature-based detection, behavioral analysis, and rule sets (e.g., OWASP ModSecurity Core Rule Set) to filter out common web exploits such as SQL injection, cross-site scripting (XSS), and path traversal. By intercepting and blocking malicious requests before they reach the web application, a WAF provides a critical layer of defense without requiring changes to the application code.

Exam trap

CompTIA often tests the misconception that a WAF provides comprehensive protection against all attacks, when in fact it is a specialized Layer 7 filter that cannot prevent network-layer attacks, business logic abuse, or vulnerabilities in the application's own code logic.

Why the other options are wrong

A

Encryption is typically handled by TLS, not the WAF.

B

WAFs cannot prevent all attacks, especially logic flaws or zero-days.

D

Static code analysis is a separate process, not a WAF function.

187
MCQmedium

A company wants to reduce the mean time to detect (MTTD) for security incidents. Which technology is most effective for this purpose?

A.Security information and event management (SIEM) with behavior analytics
B.Full disk encryption software
C.Data loss prevention (DLP) system
D.Network-based intrusion detection system (NIDS)
AnswerA

SIEM with UEBA provides real-time correlation and anomaly detection, reducing MTTD.

Why this answer

Option A is correct because a SIEM with User and Entity Behavior Analytics (UEBA) baselines normal behavior and detects anomalies quickly. Option D is wrong because a NIDS only matches signatures. Option C is wrong because DLP focuses on preventing data loss, not detecting incidents.

Option B is wrong because full disk encryption is for data protection.

188
MCQmedium

A network administrator is configuring a firewall rule set. The requirement is to allow inbound HTTPS traffic from the internet to a web server at 10.1.1.10, and to allow the web server to respond. All other inbound traffic should be blocked. Which rule set accomplishes this?

A.Allow inbound TCP 80 to 10.1.1.10; allow outbound TCP from 10.1.1.10; deny all inbound
B.Allow inbound TCP 443 to 10.1.1.10; allow outbound TCP from 10.1.1.10; deny all inbound
C.Deny all inbound; allow inbound TCP 443 to 10.1.1.10; allow outbound TCP from 10.1.1.10
D.Allow inbound TCP 22 to 10.1.1.10; allow outbound TCP from 10.1.1.10; deny all inbound
AnswerB

Correctly permits HTTPS and related responses.

Why this answer

Option B is correct because HTTPS uses TCP port 443, and the rule set correctly allows inbound TCP 443 to the web server at 10.1.1.10, permits the server's outbound responses (stateful or explicit), and then denies all other inbound traffic. This matches the requirement to allow only HTTPS traffic from the internet while blocking everything else.

Exam trap

The trap here is that candidates often overlook rule order and choose Option C, thinking a 'deny all' at the top is safe, but it actually blocks the intended traffic before the allow rule is processed.

How to eliminate wrong answers

Option A is wrong because it allows inbound TCP port 80 (HTTP), not HTTPS (TCP 443), so it does not meet the requirement for HTTPS traffic. Option C is wrong because the order of rules matters: placing 'deny all inbound' first would block all inbound traffic, including the intended HTTPS traffic, before the allow rule is evaluated. Option D is wrong because it allows inbound TCP port 22 (SSH), which is not HTTPS and would permit unauthorized administrative access, violating the requirement to block all other inbound traffic.

189
MCQmedium

A security engineer is reviewing the configuration of an AWS S3 bucket that stores customer data. Which of the following settings is most likely to cause a data breach?

A.Versioning enabled on the bucket
B.Bucket policy that allows public read access
C.Server-side encryption with AWS KMS
D.MFA delete enabled on the bucket
AnswerB

Public read access makes all objects accessible to anyone, which is a common cause of data leaks.

Why this answer

Option B is correct because a bucket policy allowing public read access exposes data to anyone. Option C (KMS encryption) is a security control. Option A (versioning) is a feature, not a risk.

Option D (MFA delete) is a security control.

190
Drag & Dropmedium

Drag and drop the steps to perform a forensic acquisition of a hard drive using FTK Imager into the correct order.


Why this order

Forensic acquisition requires write-blocking first, then using FTK Imager to create a forensic image, ensuring integrity with hash verification.

191
MCQhard

A security analyst is reviewing the firewall rules. Which of the following best describes the rule set's effect?

A.HTTP is allowed from any source
B.Default input policy is ACCEPT
C.ICMP is logged
D.SSH is allowed from any source
AnswerA

The first rule accepts TCP on port 80 from any source (0.0.0.0/0).

Why this answer

The INPUT chain has a default policy of DROP. Only traffic matching explicit ACCEPT rules is allowed. HTTP (port 80) is accepted from any source; SSH (port 22) is accepted only from 192.168.1.0/24; ICMP is accepted from any; all other traffic is logged and then dropped (due to default DROP).

192
MCQmedium

An organization's risk appetite is defined as 'low' for data privacy. Which of the following risk treatments is most aligned with this appetite?

A.Transfer the risk through cyber insurance
B.Mitigate the risk by encrypting personal data
C.Avoid the risk by not collecting unnecessary personal data
D.Accept the risk and self-insure
AnswerC

Eliminates risk directly

Why this answer

With a 'low' risk appetite for data privacy, the organization must minimize exposure to privacy breaches. Avoiding the risk by not collecting unnecessary personal data is the most aligned treatment because it eliminates the privacy risk entirely rather than reducing or transferring it. This approach ensures no personal data exists to be compromised, directly supporting a low-risk appetite.

Exam trap

Cisco often tests the distinction between risk mitigation and risk avoidance, where candidates mistakenly choose encryption (mitigation) as the best option for a low-risk appetite, overlooking that avoidance eliminates the risk entirely.

How to eliminate wrong answers

Option A is wrong because transferring risk through cyber insurance does not reduce the likelihood or impact of a privacy breach; it only provides financial compensation, which is insufficient for a low-risk appetite that demands minimal exposure. Option B is wrong because mitigating the risk by encrypting personal data reduces but does not eliminate the risk; encrypted data can still be exfiltrated and decrypted, leaving residual privacy risk unacceptable for a low appetite. Option D is wrong because accepting the risk and self-insuring implies tolerance of potential privacy breaches, which contradicts a low-risk appetite that seeks to avoid such events entirely.

193
MCQhard

An organization has recently migrated its on-premises data center to a public cloud. The security team notices that several virtual machines (VMs) in the same subnet are communicating with each other without any restrictions. The company policy requires that only specific application traffic (e.g., database queries from web servers) be allowed between VMs, and all other inter-VM traffic must be blocked to comply with a zero-trust model. The cloud provider offers native security group and network ACL features. The architect must design a solution that enforces the policy with minimal administrative overhead and supports future expansion. Which of the following is the BEST course of action?

A.Move each application tier to a separate VPC and use VPC peering with strict routing policies
B.Place all VMs in the same subnet and configure security groups that only allow necessary inter-VM traffic (e.g., web-to-db), with a default deny rule
C.Place all VMs in the same subnet and configure network ACLs with explicit allow rules for required traffic and a deny-all rule for other traffic
D.Keep all VMs in the same subnet but deploy a third-party next-generation firewall as a virtual appliance to inspect and filter inter-VM traffic
AnswerB

Security groups are stateful and evaluated at the instance level; they allow fine-grained control with default deny.

Why this answer

Using security groups (instance-level firewalls) allows per-VM permit rules and denies everything else by default, meeting zero-trust requirements. Option C is wrong because network ACLs are stateless and require rules for both directions, increasing complexity. Option A is wrong because moving tiers to different VPCs breaks application connectivity unnecessarily.

Option D is wrong because a third-party firewall adds cost and complexity without a clear benefit over native security groups.

194
MCQmedium

A security engineer is writing a Python script to automate the revocation of compromised credentials across multiple cloud services. Which of the following is the most critical security consideration when implementing this script?

A.Ensure the script runs with the least privilege necessary.
B.Use a secrets management service to store API keys.
C.Log all actions performed by the script.
D.Run the script from a hardened bastion host.
AnswerB

Why this answer

Option B is correct because storing API keys in a secrets management service (e.g., HashiCorp Vault, AWS Secrets Manager) prevents hardcoding credentials in the script, which is a critical security practice for automation. Even with least privilege, if the API key is exposed in plaintext (e.g., in source code or logs), an attacker can reuse it across services. Secrets management also enables rotation, auditing, and dynamic access control, directly addressing the risk of credential compromise in multi-cloud revocation scripts.

Exam trap

Cisco often tests the misconception that least privilege (Option A) is the most critical control, but the trap here is that without secure credential storage, even a least-privilege key can be exfiltrated and reused, making secrets management the foundational security consideration for automation scripts.

Why the other options are wrong

A

Important but not the most critical; the script's credentials must be protected first.

C

Logging is good for auditing but does not protect the script's credentials.

D

While a hardened host reduces risk, the script's secrets are still exposed if hardcoded.

195
MCQeasy

Based on the auth.log exhibit, what is the MOST appropriate immediate action to mitigate this attack?

A.Disable root login and remove the admin account.
B.Block the entire 192.168.1.0/24 subnet at the firewall.
C.Configure fail2ban to block the IP address after a threshold of failed attempts.
D.Change the SSH port to a non-standard port.
AnswerC

fail2ban automatically blocks the attacking IP, stopping the attack.

Why this answer

Option C is correct. The log shows a brute-force attack against SSH. Installing fail2ban will dynamically block the IP after multiple failures.

Option B is too broad and may block legitimate users from that subnet. Option A doesn't address the immediate attack. Option D is good practice but does not stop the ongoing attack immediately.

196
MCQmedium

An organization wants to adopt a cybersecurity framework that provides a structured approach to managing cyber risks. Which framework is BEST suited?

A.COBIT
B.NIST Cybersecurity Framework
C.ISO 27001
D.ITIL
AnswerB

NIST CSF provides a comprehensive framework for managing cybersecurity risks.

Why this answer

Option B is correct because the NIST Cybersecurity Framework is designed for managing cyber risks. Option C is wrong because ISO 27001 is a management standard, not specifically a risk management framework. Option A is wrong because COBIT focuses on IT governance.

Option D is wrong because ITIL focuses on IT service management.

197
Multi-Selecteasy

A company is implementing a software-defined perimeter (SDP) architecture. Which TWO of the following are key characteristics of SDP? (Select TWO.)

Select 2 answers
A.Network segmentation is implemented via VLANs
B.The infrastructure is invisible to unauthorized users
C.Peering between SDP components is done via BGP
D.All communications are encrypted using public key cryptography
E.Device authentication is required before granting network access
AnswersB, E

SDP uses a black cloud model, hiding assets until authentication.

Why this answer

SDP hides infrastructure from unauthorized users and enforces device authentication before granting access. Option D is wrong because SDP does not inherently rely on public key cryptography; it can use various authentication methods. Option C is wrong because SDP uses a controller, not BGP peering.

Option A is wrong because SDP is not based on VLANs.

198
MCQeasy

A company is migrating its applications to a SaaS model. Which of the following should be included in the contract to ensure secure data handling?

A.Right to audit
B.Indemnification clause
C.SLA for uptime
D.Data encryption at rest and in transit
AnswerD

Encryption protects confidentiality of data regardless of where it is stored or transmitted.

Why this answer

Data encryption at rest and in transit is a fundamental requirement for protecting sensitive data. While right to audit is important for compliance, the primary direct security control for data handling is encryption. SLAs and indemnification address availability and liability, not data protection.

199
MCQmedium

A security architect is evaluating a hardware security module (HSM) for key management. Which of the following is a PRIMARY benefit of using an HSM over software-based key storage?

A.Easier key rotation
B.Integration with cloud APIs
C.Tamper-resistant physical protection of keys
D.Lower cost
AnswerC

HSMs are designed to protect keys against physical tampering.

Why this answer

HSMs provide tamper-resistant physical protection for cryptographic keys, which is their primary advantage. They are typically more expensive, and key rotation may be more complex. Cloud integration is possible but not a primary benefit.

200
MCQeasy

A security analyst discovers that a containerized application is running with root privileges. Which of the following is the best practice to reduce the attack surface?

A.Use a minimal base image
B.Disable network access for the container
C.Run the container as a non-root user
D.Use a read-only root filesystem
AnswerC

Running as non-root ensures the container does not have unnecessary privileges, reducing the blast radius of a compromise.

Why this answer

Option C is correct because running as a non-root user limits privilege escalation. Option D (read-only filesystem) helps but does not address root privileges. Option B (disable network) may break functionality.

Option A (minimal base image) reduces attack surface but does not directly address privilege level.

201
MCQhard

A security engineer is hardening a Kubernetes cluster. They want to reduce the risk of container escape attacks. Which combination of settings is most effective at the pod security context level?

A.Set runAsNonRoot: true, readOnlyRootFilesystem: true, and drop: ['ALL'].
B.Set runAsNonRoot: false and readOnlyRootFilesystem: true.
C.Set runAsUser: 1000 and capabilities.add: ['NET_ADMIN'].
D.Set privileged: true and readOnlyRootFilesystem: false.
AnswerA

Drops all capabilities, enforces non-root, and read-only filesystem – defense in depth against escapes.

Why this answer

Enforcing non-root execution, a read-only root filesystem, and dropping all capabilities limits the attack surface, so Option A is correct. Option D allows privileged access.

Option B permits running as root (runAsNonRoot: false) and keeps the default capabilities. Option C adds NET_ADMIN instead of dropping capabilities, increasing risk.

202
Multi-Selecthard

During a compliance audit, the auditor finds that several systems are missing security patches. The CISO needs to decide on a risk treatment. Which TWO of the following actions are appropriate?

Select 2 answers
A.Mitigate with compensating controls
B.Transfer risk through cyber insurance
C.Immediately patch all systems
D.Ignore the findings until next audit
E.Accept the risk formally
AnswersA, B

Compensating controls reduce risk without immediate patching.

Why this answer

Transferring risk via cyber insurance and mitigating with compensating controls are valid risk treatments. Ignoring findings is not acceptable; immediate patching may not be feasible; decommissioning is extreme.

203
MCQeasy

A mid-sized healthcare organization processes protected health information (PHI) and must comply with HIPAA and the GDPR for its EU patients. The organization uses a hybrid cloud environment with on-premises servers and AWS. Recently, an employee's laptop was stolen containing unencrypted PHI. The incident response team was activated. The security architect must determine the best course of action to address compliance obligations. The organization has a data classification policy, but it is not consistently enforced. A business continuity plan exists but has not been tested in two years. The CEO is concerned about reputational damage and legal liability. Which of the following should the security architect recommend FIRST?

A.Purchase cyber liability insurance to cover potential fines and legal costs
B.Notify affected patients and relevant regulatory authorities per breach notification rules
C.Implement full-disk encryption on all laptops and mobile devices immediately
D.Update the data classification policy to require encryption of all PHI on endpoints
AnswerB

Both HIPAA and GDPR require timely notification of data breaches; this is the first step in incident response compliance.

Why this answer

Option B is correct because both regimes impose a notification obligation with a clock: GDPR requires notifying the supervisory authority within 72 hours of becoming aware of the breach (and data subjects without undue delay where the risk to them is high), while the HIPAA Breach Notification Rule requires notifying affected individuals without unreasonable delay and no later than 60 days after discovery. An unencrypted laptop holds 'unsecured PHI' under HIPAA, so the safe harbor for encrypted data does not apply and the loss is presumed to be a reportable breach. Notifying on time demonstrates compliance and limits legal exposure.

Option D is wrong because updating the classification policy is important but is a longer-term corrective task; notification is legally required now. Option A is wrong because buying cyber insurance after the fact addresses financial risk, not the notification obligation. Option C is wrong because, while full-disk encryption would have prevented this incident and should follow, deploying it now does nothing for the data already lost; notification must come first.

204
MCQhard

A company is deploying a containerized application on Kubernetes. The security team requires that only signed images from a private registry be used and that containers run without privileged mode. Which Kubernetes admission controller should be configured to enforce both requirements?

A.NodeRestriction
B.PodSecurity
C.ImagePolicyWebhook
D.AlwaysPullImages
AnswerB

PodSecurity (Pod Security Admission) with the restricted profile disallows privileged containers; verifying image signatures requires an additional admission webhook.

Why this answer

Option B (PodSecurity) enforces the Pod Security Standards, and the restricted profile (the baseline profile as well) rejects pods that set privileged: true. Native PodSecurity says nothing about image signatures, so a second admission step is needed for that: the built-in ImagePolicyWebhook plugin, which defers the image decision to an external backend, or a validating admission webhook from a policy engine. Among the choices, PodSecurity is the primary admission controller for pod security, which is why it is the answer, but a real deployment configures both controls.

Option A (NodeRestriction) limits what a kubelet may modify about its own Node object and the Pods bound to it. Option D (AlwaysPullImages) forces a registry pull on every container start, which enforces registry credentials but not signatures. Option C (ImagePolicyWebhook) can enforce image signing but does not evaluate privileged mode. Thus B is the best single choice.

205
MCQhard

An organization is migrating to a hybrid cloud model. The security policy mandates that all keys used for data encryption must be managed on-premises. Which key management solution should be used?

A.Cloud KMS with BYOK
B.HSM on-premises with key escrow
C.Software-based key store on-premises
D.Cloud HSM
AnswerB

On-premises HSM keeps keys locally, satisfying the policy; key escrow provides backup.

Why this answer

An on-premises Hardware Security Module (HSM) ensures keys are generated, stored and used inside hardware that never leaves the local environment; key escrow adds a controlled backup so that a failed or destroyed HSM does not mean lost data. BYOK (option A) lets the organization generate the key, but a copy is imported into and used by the provider's KMS, so the key is no longer managed only on-premises. Cloud HSM (option D) is dedicated hardware, but it sits in the provider's facilities. A software key store (option C) satisfies the location requirement but lacks the tamper resistance and non-exportable key handling of an HSM.

206
MCQmedium

A security analyst is reviewing alerts from a SIEM and notices multiple failed login attempts from a single IP address to different user accounts over a 5-minute window. What should the analyst do FIRST?

A.Block the IP address at the firewall.
B.Isolate all endpoints that received the login attempts.
C.Check the source IP and correlate with other logs to confirm suspicious activity.
D.Reset all user accounts that were targeted.
AnswerC

Verification is the first step before taking action.

Why this answer

Option C is correct because the first step when an alert fires is to validate it: confirm the source, correlate with authentication, VPN and endpoint logs, and rule out a false positive such as a misconfigured service account. Failed logins spread across many accounts from one IP are the signature of password spraying, but they are also what a scanner or a broken integration looks like. Option A (blocking the IP) is premature without verification and is easily sidestepped by an attacker with other source addresses. Option B (isolating every targeted endpoint) is disruptive and does not address the source of the attempts.

Option D (resetting all targeted accounts) is excessive for failed attempts and may disrupt operations.

207
MCQhard

An auditor reviews this IAM policy attached to a user group. What is the primary compliance concern?

A.The policy restricts access to specific resources
B.The policy does not enable logging
C.The policy violates the principle of least privilege
D.The policy does not allow any actions
AnswerC

Granting all actions on all resources is excessive and violates least privilege.

Why this answer

Option C is correct because the IAM policy grants wildcard actions (Action: '*') on all resources (Resource: '*'), which violates the principle of least privilege by allowing any user in the group to perform any operation on any resource. This broad permission set creates an excessive attack surface and is a primary compliance concern under frameworks like NIST SP 800-53 or PCI DSS, which require restricting access to only what is necessary for job functions.

Exam trap

CompTIA often tests the principle of least privilege by presenting a policy that appears functional (allows actions) but is overly permissive, tricking candidates into focusing on whether the policy 'works' rather than whether it complies with security best practices.

How to eliminate wrong answers

Option A is wrong because the policy does not restrict access to specific resources; it uses 'Resource': '*' to allow access to all resources, which is the opposite of restriction. Option B is wrong because IAM policies themselves do not enable or disable logging; logging is configured separately via services like AWS CloudTrail or Azure Monitor, and the absence of logging is not a compliance issue inherent to the policy statement. Option D is wrong because the policy explicitly allows all actions via 'Action': '*', so it does allow actions; the problem is that it allows too many actions, not none.

208
MCQeasy

An organization uses Kubernetes to orchestrate containers. Which practice enhances the security of pod-to-pod communication?

A.Implement network policies that restrict ingress and egress traffic based on labels.
B.Expose all pods via NodePort services.
C.Use ClusterIP services for all internal traffic.
D.Rely on the default Kubernetes network configuration.
AnswerA

Network policies enforce least-privilege communication.

Why this answer

Option A is correct because Kubernetes NetworkPolicy objects select pods by label and restrict which ingress and egress flows they may have, providing micro-segmentation between workloads. Note that policies only take effect when the cluster's CNI plugin enforces them; without an enforcing plugin the policy object is accepted but does nothing. Option C (ClusterIP) is a service type that provides a stable virtual IP, not a security control. Option B (NodePort) exposes pods on every node's IP, which widens exposure.

Option D relies on the default permissive settings, under which every pod can reach every other pod.

209
MCQhard

A security analyst reviews logs from a web application firewall (WAF) and notices that an attacker is bypassing the WAF by encoding malicious payloads using base64 and then sending them in HTTP headers. Which WAF configuration change would BEST detect and block such attacks?

A.Enable geoblocking to restrict traffic from the attacker's country
B.Implement strict HTTP protocol validation to reject malformed requests
C.Add custom signatures to detect base64-encoded patterns in headers
D.Increase the rate limiting threshold to allow more requests per second
AnswerC

Custom signatures can identify known encoded attack patterns.

Why this answer

Option C is correct because base64 encoding defeats signatures written for plaintext payloads: the bytes that would match a SQL injection or XSS rule are no longer on the wire in that form. The fix is on the content-inspection side: custom rules that match base64-encoded forms of known payloads in header values or, better, rules that apply a base64-decode transformation to header values before the normal injection signatures run (ModSecurity, for example, exposes this as the base64Decode transformation). Either way the change targets the attacker's encoding technique rather than generic protocol or rate controls. Expect false positives from headers that legitimately carry base64 (Authorization: Basic, some cookies and tracking headers), so scope the rule to the headers the application actually uses and test it against production traffic before switching it to blocking.

Exam trap

The trap here is that candidates confuse protocol-level validation (Option B) with content inspection, assuming strict RFC compliance would catch encoded payloads, but base64 is perfectly valid HTTP header content and requires application-layer decoding logic to detect.

How to eliminate wrong answers

Option A is wrong because geoblocking restricts traffic based on source IP country, which does not detect or block the encoded payload itself; the attacker can use proxies or VPNs to bypass geolocation filters. Option B is wrong because strict HTTP protocol validation (RFC 7230) rejects malformed requests (e.g., invalid headers or method), but base64-encoded payloads in headers are syntactically valid HTTP; the WAF would not reject them based on protocol alone. Option D is wrong because increasing the rate limiting threshold allows more requests per second, which does not inspect or block the malicious content; it only prevents volumetric attacks, not payload-level evasion.

210
Multi-Selectmedium

A SOC wants to improve detection of advanced persistent threats (APTs) that evade traditional signature-based tools. Which TWO approaches are most effective? (Select exactly 2.)

Select 2 answers
A.Reduce the false positive rate of the SIEM
B.Increase log retention period to 12 months
C.Hire additional security analysts
D.Deploy honeypots and deception technology
E.Integrate external threat intelligence feeds into the SIEM
AnswersD, E

Honeypots lure attackers and reveal their presence.

Why this answer

Options D and E are correct because deception technology (honeypots and decoys) and threat intelligence feeds help surface threats that signatures miss: any interaction with a decoy is suspicious by definition, and intelligence on adversary infrastructure and techniques lets the SIEM match behaviour rather than known bytes. Option B increases log storage, which aids investigation but not detection. Option A reduces noise but does not add coverage.

Option C adds analyst capacity but is not a detection technology.

211
MCQeasy

A company wants to protect sensitive data stored in a public cloud bucket. Which of the following is the MOST effective control to prevent accidental public exposure?

A.Enable bucket logging
B.Implement lifecycle policies
C.Use server-side encryption
D.Apply resource-based policies with explicit deny for public access
AnswerD

Explicit deny prevents any public access, even if other permissions accidentally allow it.

Why this answer

Applying a resource-based policy with an explicit deny for public access directly prevents public exposure, because an explicit deny wins over any allow granted elsewhere. In AWS this is what the account- and bucket-level S3 Block Public Access settings provide; they override ACLs and policy statements that would otherwise make objects public. Bucket logging, encryption and lifecycle policies are useful but do not stop an object from being exposed: logging records the access after the fact, server-side encryption is transparent to any caller the policy permits, and lifecycle rules only manage object age and storage class.

212
MCQmedium

A financial institution is required to comply with PCI DSS and uses a mix of legacy and modern applications. The security architect proposes to segment the network so that the cardholder data environment (CDE) is isolated. However, a legacy application in a non-CDE segment must send data to a database in the CDE. The legacy application cannot be modified and communicates via clear-text protocols. Which of the following is the most secure solution that maintains compliance?

A.Replace the legacy application immediately
B.Use a bastion host to terminate TLS on behalf of the legacy application and forward via a one-way replication
C.Place the legacy application in the CDE and isolate it with a firewall
D.Install a network-based DLP sensor to monitor traffic
AnswerB

Encrypts traffic and limits the legacy application's direct access.

Why this answer

A TLS-terminating proxy (the bastion in option B) accepts the legacy application's clear-text connection on the non-CDE side and forwards it to the CDE database over TLS, so cardholder data is encrypted on the link into the CDE without modifying the application; one-way replication and firewall rules that permit only the proxy's address and port keep the legacy host from reaching the CDE directly. Option A is rarely feasible on an audit timeline and is not itself a control. Option C pulls an unmodifiable clear-text application into PCI scope. Option D only monitors traffic and does not protect the data.

213
MCQhard

An organization wants to implement a zero-trust architecture for remote access. Which component is most critical for enforcing least-privilege access to internal applications?

A.Virtual private network (VPN) concentrator
B.Software-defined perimeter (SDP)
C.Next-generation firewall (NGFW)
D.Intrusion detection system (IDS)
AnswerB

SDP creates a micro-perimeter around each application, authenticating and authorizing per session.

Why this answer

A software-defined perimeter (SDP) uses a controller to authenticate users and devices before granting access to specific applications, hiding the network from unauthorized users. VPNs extend network access, IDS only detects, and firewalls enforce network-level rules but not user/device granularity.

214
MCQmedium

A systems administrator must automate the patching of 200 Windows servers. The environment has strict security requirements and change management. Which scripting approach best balances automation and control?

A.Use PowerShell DSC (Desired State Configuration) with a pull server and authorized users via JEA.
B.Write a Python script that uses WMI to apply patches and reboot servers.
C.Create a scheduled task on each server that runs a script from a network share.
D.Use Group Policy to install updates during the next restart.
AnswerA

DSC ensures desired state, JEA provides least privilege, and pull server allows control and auditing.

Why this answer

Option A is correct: DSC makes the patch state declarative and idempotent, a pull server lets configurations be versioned and approved before servers fetch them, and JEA constrains who may run which commands, which fits change-management and least-privilege requirements. Option B (an ad hoc Python/WMI script) can work but has no built-in approval, audit trail or drift correction. Option C (scheduled tasks pulling a script from a share) bypasses change management and makes the share a single point of compromise. Option D (Group Policy at next restart) offers little control over timing, ordering or reporting.

215
MCQeasy

An engineer reviews the TLS configuration for a web server. Which of the following is a security concern present in this configuration?

A.The cipher suite does not include perfect forward secrecy (PFS).
B.The configuration supports outdated TLS 1.2 protocols.
C.The private key is stored in an accessible location.
D.The server does not require client certificates for authentication.
AnswerD

With ssl_verify_client = optional, clients can skip certificate authentication, weakening mutual authentication.

Why this answer

Option D is correct because mutual TLS is not enforced: with ssl_verify_client optional, nginx completes the handshake whether or not the client presents a certificate, so any enforcement depends on the application checking $ssl_client_verify; use ssl_verify_client on to require a valid client certificate. Option B is wrong because TLS 1.2 and 1.3 are current, strong protocol versions. Option C is wrong because the key path is outside the document root, which is typical.

Option A is wrong because the cipher suite uses strong ciphers with forward secrecy.

216
MCQmedium

A cloud security engineer reviews the above S3 bucket policy. Which of the following is the most significant security concern?

A.The bucket policy grants unnecessary permissions for s3:GetObject.
B.The IP address restriction uses an incorrect format for the condition key.
C.The bucket policy allows public read access to all objects.
D.The bucket policy allows any user to upload objects to the bucket.
AnswerD

The second statement grants s3:PutObject to Principal "*", meaning anyone can write to the bucket.

Why this answer

Option D is correct because the bucket policy statement includes a Principal of '*' and an Action of 's3:PutObject' without any condition restricting who can upload, meaning any unauthenticated user on the internet can write objects to the bucket. This creates a severe data integrity and malware-upload risk, as attackers can place arbitrary content into the bucket, potentially leading to data corruption, storage cost abuse, or serving malicious files.

Exam trap

CompTIA often tests the distinction between read and write permissions in S3 policies, and the trap here is that candidates focus on the IP restriction or the read permission being 'public' while overlooking that the write action (s3:PutObject) has no such restriction, making it the more dangerous vulnerability.

How to eliminate wrong answers

Option A is wrong because s3:GetObject is explicitly allowed only to the specific AWS account root user (AWS:SourceOwner condition) and only from the allowed VPC endpoint, so it is not 'unnecessary'—it is the intended read permission for that trusted principal. Option B is wrong because the IP address restriction uses the 'aws:SourceIp' condition key with a valid CIDR notation (10.0.0.0/16), which is the correct format for IP-based conditions in S3 bucket policies. Option C is wrong because the bucket policy does not allow public read access; the s3:GetObject action is restricted by both the SourceOwner condition and the VpcSourceIp condition, so anonymous users cannot read objects.
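Questions 207 and 216 above share one check: does an Allow statement grant too much to too many? The following Python linter is an added example, not code from the original page or from AWS; the two policy documents it parses are constructed to resemble the scenarios (a group policy with Action and Resource wildcards, and a bucket policy whose second statement grants s3:PutObject to Principal "*" with no Condition). The account ID, bucket name and CIDR are placeholders.

```python
import json

# Added example: lint IAM / S3 bucket policy documents for the findings in questions 207 and 216.
# Actions that let a principal change bucket contents or the bucket's own access controls.
S3_WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl",
                    "s3:putbucketpolicy", "s3:putbucketacl", "s3:*", "*"}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """"*" or {"AWS": "*"} means every AWS principal, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def lint_policy(policy):
    """Return a list of (statement id, message) findings for a policy dict."""
    findings = []
    for index, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # explicit Deny statements narrow access and are not flagged here
        sid = st.get("Sid") or "Statement%d" % index
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        resources = _as_list(st.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append((sid, "Action '*' on Resource '*' violates least privilege"))
        if _is_public_principal(st.get("Principal")) and not st.get("Condition"):
            writes = sorted(a for a in actions if a in S3_WRITE_ACTIONS)
            if writes:
                findings.append((sid, "public principal can write: " + ", ".join(writes)))
            else:
                findings.append((sid, "public principal without any Condition"))
    return findings


def lint_policy_json(text):
    """Convenience wrapper for a policy document read from a file or API response."""
    return lint_policy(json.loads(text))


# Constructed sample 1: the overly permissive group policy of question 207.
GROUP_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}"""

# Constructed sample 2: a bucket policy shaped like question 216 (placeholder account, bucket, CIDR).
BUCKET_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustedRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/16"}}
    },
    {
      "Sid": "PublicWrite",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}"""

if __name__ == "__main__":
    for name, doc in (("group policy", GROUP_POLICY_JSON), ("bucket policy", BUCKET_POLICY_JSON)):
        for sid, message in lint_policy_json(doc):
            print("%s: [%s] %s" % (name, sid, message))
```

The linter deliberately ignores Deny statements and only reports an unconditioned public principal; a public principal with a Condition (for example aws:SourceIp or aws:SourceVpce) still deserves review, but it is not the anonymous-internet exposure that question 216 is about.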

217
MCQeasy

A security architect is designing a secure remote access solution for employees using personal devices (BYOD). The company requires that corporate data is separated from personal data and can be wiped remotely without affecting personal data. Which solution best meets these requirements?

A.Deploy a virtual desktop infrastructure (VDI) solution
B.Provide a full VPN client and remote wipe capability
C.Implement mobile device management (MDM) with containerization
D.Require employees to use company-owned devices only
AnswerC

MDM containerization isolates corporate data and allows selective wipe.

Why this answer

Containerization using MDM profiles creates a separate, encrypted workspace for corporate apps and data, allowing selective wipe. Full VPN gives access but not separation. Full device wipe is too aggressive.

VDI requires constant connectivity and may not support offline work.

218
Multi-Selecthard

A security engineer is designing a secure enclave for processing sensitive personally identifiable information (PII). The enclave must protect data at rest and in use, and must support attestation to verify its integrity. Which THREE technologies should the engineer incorporate? (Choose three.)

Select 3 answers
A.Trusted Platform Module (TPM)
B.AMD Secure Encrypted Virtualization (SEV)
C.ARM TrustZone
D.Intel Software Guard Extensions (SGX)
E.Hardware Security Module (HSM)
AnswersB, C, D

Encrypts memory for VMs, supports attestation.

Why this answer

AMD SEV encrypts the memory of each virtual machine with a key held by the AMD Secure Processor, protecting data in use from the hypervisor and other VMs, and provides a signed launch measurement that a remote party can verify (SEV-SNP extends this to full attestation reports with memory integrity protection). Intel SGX provides user-mode enclaves whose memory is encrypted and isolated from the OS and hypervisor, with remote attestation of the enclave measurement. ARM TrustZone partitions the processor into a secure world and a normal world so trusted code and data are isolated from the rich OS. Together these meet the requirement for isolated processing of data in use with attestation. A TPM measures and attests boot state and an HSM protects keys, but neither offers an isolated execution environment in which arbitrary PII can be processed, so they do not satisfy the enclave requirement on their own (data at rest still needs conventional disk or database encryption, for which an HSM can hold the keys).

Exam trap

CompTIA often tests the distinction between hardware roots of trust (TPM, HSM) and actual secure enclave technologies (SGX, SEV, TrustZone), so candidates mistakenly choose TPM or HSM because they associate them with 'trust' and 'security' without understanding that enclaves require isolated memory regions for processing data in use.

219
Multi-Selectmedium

A security analyst is performing a risk assessment for a critical application. Which TWO of the following are characteristics of a quantitative risk assessment methodology?

Select 2 answers
A.Calculates Annualized Loss Expectancy (ALE)
B.Relies on expert judgment and scenarios
C.Determines Exposure Factor (EF) for each asset
D.Uses high/medium/low ratings for likelihood and impact
E.Assigns dollar values to assets and potential losses
AnswersA, E

ALE is a key output of quantitative risk assessment.

Why this answer

Quantitative risk assessment expresses assets, losses and likelihood as numbers. Option E (assigning dollar values to assets and potential losses) is the defining characteristic, and Option A (calculating ALE, where ALE = SLE × ARO and SLE = asset value × EF) is the method's signature output.

Option B (expert judgement and scenarios) and Option D (high/medium/low ratings) describe qualitative assessment. Option C (determining an Exposure Factor per asset) is also a quantitative input, which makes this item weaker than it looks; the answer key pairs A and E because they are the features that distinguish the methodology, while EF is one intermediate value in the SLE calculation.

220
Multi-Selecteasy

A healthcare organization is implementing HIPAA Security Rule safeguards. Which TWO of the following are required administrative safeguards? (Choose TWO.)

Select 2 answers
A.Security management process.
B.Encryption of ePHI at rest.
C.Unique user identification.
D.Assigned security responsibility.
E.Facility access controls.
AnswersA, D

Both are required administrative safeguards: security management process (§164.308(a)(1)) and assigned security responsibility (§164.308(a)(2)).

Why this answer

A and D are correct. Administrative safeguards under §164.308 include the security management process and assigned security responsibility. B (encryption of ePHI at rest) and C (unique user identification) are technical safeguards under §164.312; E (facility access controls) is a physical safeguard under §164.310.

221
MCQmedium

A security architect is designing a microservices application that uses JWTs for authentication. Which of the following is the most critical security concern regarding JWT handling?

A.Token expiration not being enforced
B.The JWT being transmitted over HTTP instead of HTTPS
C.The server not validating the JWT's 'alg' header properly
D.The JWT containing personally identifiable information (PII)
AnswerC

Why this answer

Option C is correct because if the server lets the token's 'alg' header choose the verification algorithm, an attacker can set it to 'none' (signature skipped entirely) or switch it from an asymmetric algorithm (RS256) to a symmetric one (HS256); in the second case the server uses its RSA public key, which is not secret, as the HMAC key, so anyone holding that public key can sign arbitrary tokens. This algorithm confusion attack undermines the integrity and authenticity of every token, which is the core authentication mechanism in the microservices design. The fix is to pin the accepted algorithm(s) server-side and verify against the key for that algorithm, never letting the header decide.

Exam trap

The trap here is that candidates often focus on obvious issues like HTTP vs. HTTPS or token expiration, but CompTIA tests the deeper understanding that a JWT's security hinges on proper validation of the 'alg' header, as a single misconfiguration can completely bypass all other security controls.

Why the other options are wrong

A

Though important, a missing expiration check only extends the life of tokens the server actually issued; algorithm confusion lets an attacker mint tokens of their own, which is more fundamental.

B

Transmission security is important but is a network-layer concern, not JWT-specific.

D

PII in JWT is a data privacy concern, but not the most critical security vulnerability.
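As an added example (not from the original page or from any JWT library), the following standard-library Python implements HS256 issuance and verification with the algorithm pinned on the server, then constructs an 'alg: none' forgery to show it being rejected. The shared secret is a placeholder. Pinning also closes the RS256-to-HS256 confusion described above, because the verifier never lets the header choose the algorithm or the key.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example: HS256 JWT signing and verification with the algorithm pinned server-side,
# plus a constructed 'alg: none' forgery that the verifier must reject (question 221).
# Standard library only; the shared secret used by callers is a placeholder.

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


class InvalidToken(Exception):
    pass


def sign_hs256(claims, key):
    """Issue a JWT signed with HMAC-SHA256 over header.payload."""
    signing_input = (_b64url(_compact_json({"alg": "HS256", "typ": "JWT"}))
                     + "." + _b64url(_compact_json(claims)))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def verify_hs256(token, key, now=None):
    """Verify a JWT. The accepted algorithm is fixed by the server, never read from the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pinning defeats both 'none' and RS256->HS256 confusion: whatever the header
    # claims, only HS256 with our shared secret is ever used.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise InvalidToken("missing or expired exp")
    return claims


def forge_alg_none(token, overrides):
    """Attacker side (constructed): set alg to 'none', change claims, drop the signature."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    header["alg"] = "none"
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(overrides)
    return _b64url(_compact_json(header)) + "." + _b64url(_compact_json(claims)) + "."


def accepts_forged_token(key, now):
    """True if a forged 'none' token with role=admin gets through verify_hs256 (it must not)."""
    genuine = sign_hs256({"sub": "alice", "role": "user", "exp": now + 900}, key)
    forged = forge_alg_none(genuine, {"role": "admin"})
    try:
        verify_hs256(forged, key, now=now)
    except InvalidToken:
        return False
    return True


if __name__ == "__main__":
    key = b"placeholder-shared-secret"
    print("forgery accepted:", accepts_forged_token(key, now=int(time.time())))
```

A library-based verifier should be called the same way: pass an explicit allow-list of algorithms and the key for that algorithm, and treat any token whose header names something else as invalid rather than falling back to what the header asks for.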

222
MCQmedium

A company's data classification policy labels all financial data as 'Confidential.' An employee accidentally emails a spreadsheet containing customer payment information to an unauthorized external party. Which type of control failure occurred?

A.Preventive control failure
B.Corrective control failure
C.Administrative control failure
D.Detective control failure
AnswerA

A DLP solution should have prevented the email

Why this answer

A preventive control failure occurred because the organization lacked a technical safeguard—such as Data Loss Prevention (DLP) rules, email content filtering, or mandatory access controls—to block the outbound transmission of confidential financial data. Preventive controls are designed to stop unauthorized actions before they happen, and the absence of such a mechanism allowed the accidental email to be sent. The failure is not in detection or correction, but in the inability to prevent the data exfiltration at the point of transmission.

Exam trap

The trap here is that candidates confuse the existence of a policy (administrative control) with the technical enforcement of that policy, leading them to incorrectly select 'Administrative control failure' when the real issue is the lack of a preventive technical control.

How to eliminate wrong answers

Option B is wrong because corrective controls (e.g., data backup restoration, incident response procedures) are activated after an incident to repair damage or restore normal operations, not to block the initial unauthorized email. Option C is wrong because administrative controls (e.g., policies, training, user awareness programs) are procedural and human-focused; while a policy existed, the failure was in the technical enforcement layer, not in the policy itself. Option D is wrong because detective controls (e.g., audit logs, SIEM alerts, DLP monitoring) would identify the breach after it occurred, but the question asks about the control that should have prevented the email from being sent in the first place.

223
MCQmedium

A security architect is designing a system for a healthcare provider that must comply with HIPAA. Which control is required for ePHI transmission?

A.Encryption of data in transit
B.Integrity verification mechanisms
C.Role-based access control
D.Audit logging for all access
AnswerA

HIPAA requires encryption for ePHI transmitted over networks.

Why this answer

Option A is correct because the Security Rule's transmission security standard (§164.312(e)) is the one that addresses ePHI as it travels over a network, and encryption is its implementation specification. Strictly, both specifications under that standard (integrity controls and encryption) are labelled 'addressable' rather than 'required', meaning the covered entity must implement them or document why an equivalent alternative is reasonable; the exam nonetheless treats encryption in transit as the expected answer. Option B (integrity verification) is the other transmission-security specification but does not protect confidentiality. Option C (RBAC) belongs to the access control standard and Option D (audit logging) to audit controls; both apply to ePHI generally, not specifically to transmission.

224
Multi-Selecthard

Which THREE of the following are required components of a Business Continuity Plan (BCP) per ISO 22301?

Select 3 answers
A.Detailed technical recovery procedures for IT systems
B.Scope and policy for business continuity
C.Vulnerability scanner configuration
D.Communication and notification plan
E.Business Impact Analysis (BIA)
AnswersB, D, E

The BCP must define its scope and the policy that drives it.

Why this answer

ISO 22301 mandates that a Business Continuity Plan (BCP) must include the scope and policy for business continuity (Option B) to define the boundaries and objectives of the BCP. This ensures alignment with organizational strategy and compliance requirements, as specified in Clause 4.3 (Scope) and Clause 5.2 (Policy) of the standard. Option E (Business Impact Analysis) is likewise required as the basis for prioritising activities and setting recovery objectives (Clause 8.2.2), and Option D (communication and notification plan) reflects the standard's requirement for documented procedures for warning and communication with interested parties during a disruption (Clause 8.4.3). Options A and C are IT recovery and vulnerability-management details, not BCP components.

Exam trap

CompTIA often tests the distinction between a BCP (organizational continuity) and a DRP (technical recovery), leading candidates to mistakenly select detailed IT recovery procedures as a BCP component.

225
Drag & Dropmedium

Drag and drop the steps to deploy a new certificate from an internal CA using Group Policy into the correct order.


Why this order

Certificate deployment involves requesting, approving, exporting with private key, importing, and then distributing via Group Policy.
