CompTIA SecurityX CAS-004 (CAS-004) — Questions 226-300

510 questions total · 7 pages · All types, answers revealed

Page 4 of 7
226
MCQ · hard

A security architect at a financial institution is designing a cloud-native application using AWS. The application processes sensitive customer data and must comply with PCI DSS. Which of the following security architecture decisions best supports both compliance and operational efficiency?

A.Place all application resources in a VPC with no internet gateway and use VPC endpoints for AWS services
B.Use a cloud-based web application firewall (WAF) and enable logging for all API calls
C.Deploy the application on a single tenant dedicated instance and rely on the cloud provider's compliance certifications
D.Implement a cloud access security broker (CASB) and use customer-managed encryption keys (CMKs) for data at rest
Answer: D

CASB provides visibility and policy enforcement; CMKs meet PCI DSS encryption requirements.

Why this answer

A CASB provides visibility and policy enforcement over cloud traffic, and encrypting data at rest with customer-managed keys keeps key custody with the institution, which satisfies PCI DSS key-management expectations. Option A is wrong because a VPC with no internet gateway and VPC endpoints reduces network exposure but does not directly address data protection requirements. Option B is wrong because a cloud WAF and API logging are useful controls but are not specifically about protecting stored cardholder data.

Option C is wrong because the provider's certifications cover only the provider's side of the shared responsibility model; the customer still owns the security of its data and configuration.

227
MCQ · hard

During a risk assessment, a residual risk is identified as high. What should be the NEXT step?

A.Transfer the risk to a third party
B.Implement additional controls to reduce the risk to an acceptable level
C.Ignore the risk because it is residual
D.Accept the residual risk as is
Answer: B

The next step is to apply additional controls to lower residual risk.

Why this answer

Option B is correct because residual risk above the organization's tolerance should be reduced further. Option A is wrong because transferring risk (for example through insurance or outsourcing) is one possible treatment, but it is not necessarily the next step. Option C is wrong because ignoring a known risk is never acceptable.

Option D is wrong because accepting a high residual risk without further mitigation is not a responsible treatment decision.

228
MCQ · medium

A global financial firm must comply with GDPR and SOX. The CISO wants to consolidate controls across frameworks using a single set of controls. Which approach best addresses this requirement?

A.Adopt a unified control framework such as NIST SP 800-53
B.Focus only on the most stringent regulation
C.Implement automated GRC tools without changing controls
D.Maintain separate control sets for each regulation
Answer: A

Allows mapping to multiple regulations

Why this answer

Adopting a unified control framework such as NIST SP 800-53 allows the firm to map controls from GDPR and SOX into a single, comprehensive set, reducing duplication and ensuring consistent compliance. This approach leverages the framework's catalog of controls, which can be tailored to meet the specific requirements of multiple regulations simultaneously, aligning with the CISO's goal of consolidation.

Exam trap

CompTIA often tests the misconception that simply automating compliance with GRC tools or focusing on the strictest regulation is sufficient, but the correct approach requires a unified framework that harmonizes controls across all applicable regulations.

How to eliminate wrong answers

Option B is wrong because focusing only on the most stringent regulation ignores unique requirements of other regulations (e.g., GDPR's data subject rights or SOX's financial reporting controls), leading to compliance gaps. Option C is wrong because implementing automated GRC tools without changing controls merely automates existing inefficiencies and does not consolidate or harmonize the control sets across frameworks. Option D is wrong because maintaining separate control sets for each regulation increases administrative overhead, audit complexity, and the risk of control conflicts, contradicting the requirement for consolidation.

229
Multi-Select · easy

Which TWO of the following are common compliance frameworks used in the healthcare industry?

Select 2 answers
A.HIPAA
B.PCI DSS
C.ISO 27001
D.SOX
E.HITECH
Answers: A, E

HIPAA governs healthcare data.

Why this answer

Options A and E are correct. HIPAA is the U.S. healthcare privacy and security rule, and HITECH strengthens HIPAA's enforcement and breach notification provisions. Option B is wrong because PCI DSS covers payment card data.

Option C is wrong because ISO 27001 is a general information security management standard, not healthcare specific. Option D is wrong because SOX covers financial reporting.

230
MCQ · medium

A company is deploying a new web application that handles sensitive customer data. The application is built using a microservices architecture running in containers on a Kubernetes cluster. The security team wants to implement mutual TLS (mTLS) for service-to-service communication. However, they are concerned about the operational overhead of certificate management. Which approach minimizes management overhead while still ensuring strong authentication?

A.Generate self-signed certificates for each service and manually distribute them
B.Use a service mesh that provides automatic mTLS and certificate rotation
C.Use a single certificate for all services with Subject Alternative Names
D.Implement TLS termination at the ingress and use plaintext inside the cluster
Answer: B

Service mesh handles lifecycle automatically.

Why this answer

A service mesh such as Istio or Linkerd issues each workload its own certificate and rotates it automatically, so mTLS is enforced between services with minimal manual effort; the mesh's own CA then becomes the asset to protect.

231
Multi-Select · hard

A DevOps engineer is automating container orchestration using Kubernetes. Which of the following are security best practices to include in the automation? (Choose two.)

Select 2 answers
A.Disable RBAC to simplify automation scripts
B.Enforce Pod Security Policies to restrict privileged containers
C.Allow all network traffic between pods for simplicity
D.Implement network policies to restrict pod-to-pod communication
Answers: B, D

Why this answer

Enforcing Pod Security Policies (PSPs) restricts the creation of privileged containers, prevents host namespace sharing, and can require read-only root filesystems. This reduces the attack surface by ensuring containers run with the least privilege necessary, mitigating container breakout or host compromise. Note that PSPs were removed in Kubernetes 1.25; the same intent is now enforced with Pod Security Admission (the privileged/baseline/restricted profiles) or an admission policy engine such as OPA Gatekeeper or Kyverno. Network policies (option D) complement this by denying pod-to-pod traffic by default and allowing only the flows each service needs, so a compromised pod cannot freely reach others. Disabling these controls would allow developers to deploy containers with excessive capabilities and unrestricted network reach, violating the principle of least privilege.

Exam trap

CompTIA often tests the misconception that disabling security features like RBAC or network policies simplifies automation and is acceptable in a DevOps pipeline, when in fact automation should enforce security controls, not bypass them.

Why the other options are wrong

A

RBAC is a critical security control.

C

Network policies should restrict traffic.

232
MCQ · medium

A development team is using Docker containers for microservices. The security team wants to scan containers for vulnerabilities during the CI/CD pipeline. Which approach is most effective?

A.Use a runtime security tool that scans containers only when they are running.
B.Scan the container image only after deployment to production.
C.Rely on the developers to manually check for vulnerabilities.
D.Integrate image scanning into the pipeline before promoting images to the registry, using a tool like Trivy.
Answer: D

Early scanning prevents vulnerable images from being stored or deployed.

Why this answer

Option D is correct because scanning images in the pipeline, before they are pushed to the registry, prevents vulnerable images from ever being stored or deployed. Option A is wrong because runtime-only scanning catches problems after the image is already running. Option B is wrong because scanning after deployment to production is too late.

Option C is wrong because manual checks by developers are inconsistent and unenforceable.

233
MCQ · easy

A company is implementing a risk management framework to comply with PCI DSS. Which type of control is a firewall rule that blocks all inbound traffic except HTTP and HTTPS?

A.Corrective
B.Compensating
C.Preventive
D.Detective
Answer: C

Preventive controls block or avoid security incidents.

Why this answer

A firewall rule that blocks traffic is a preventive control because it prevents unauthorized access. Detective controls identify incidents after they occur, corrective controls fix issues, and compensating controls provide alternative security.

234
MCQ · easy

A SOC analyst is investigating a potential lateral movement within the network. Which log source is most critical for detecting lateral movement using pass-the-hash or pass-the-ticket attacks?

A.Authentication logs (e.g., Windows Event ID 4624)
B.Antivirus logs
C.DNS logs
D.Firewall logs
Answer: A

Authentication logs track logon events and can reveal anomalous access patterns.

Why this answer

Option A is correct because authentication logs, especially from domain controllers and the targeted hosts, record the logon events that lateral movement produces. Pass-the-hash typically shows up as Event ID 4624 network logons (type 3) authenticating with NTLM, often from one source to many hosts in a short window, and pass-the-ticket shows up in the Kerberos ticket events (4768/4769) as anomalous ticket use; the 4624 detail fields (logon type, authentication package, logon process, source address) are what make these detectable. Option B is wrong because antivirus logs show malware detections, not authentication activity. Option C is wrong because DNS logs only show name resolution.

Option D is wrong because firewall logs show network flows but not who authenticated.

235
MCQ · hard

An organization is migrating its on-premises monolithic application to a containerized microservices architecture on a Kubernetes cluster. The development team has created a set of Docker images that are stored in a private registry. The security team requires that all container images be scanned for vulnerabilities before deployment. The current CI/CD pipeline uses Jenkins to build images, push them to the registry, and then deploy to Kubernetes via kubectl. The scanning is performed by a tool that generates a report, but developers have been ignoring critical vulnerabilities and deploying anyway. The security team wants to enforce a policy that blocks deployment if the image has any critical or high-severity vulnerabilities. Additionally, the cluster must ensure that containers run with the least privilege and that secrets are not exposed in environment variables. The operations team is concerned about performance overhead from runtime security monitoring. Which of the following approaches best addresses these requirements while minimizing operational overhead?

A.Implement admission controller webhooks that check vulnerability scan results from the registry before allowing pod creation, and use a service mesh with mutual TLS to encrypt secrets.
B.Use a custom script in Jenkins to parse the scan report and abort the build if vulnerabilities are found, and store secrets in Kubernetes secrets mounted as volumes.
C.Deploy a runtime security agent that monitors container activity and rejects pods that contain known vulnerability signatures, and use Kubernetes RBAC to limit permissions.
D.Configure a network policy in Kubernetes to restrict pod-to-pod communication, and use a static analysis tool during development to find coding flaws.
Answer: A

Admission webhooks enforce policy at pod creation without runtime overhead; service mesh mTLS protects secrets in transit.

Why this answer

Option A is correct because a validating admission webhook enforces the vulnerability policy at the one point every deployment must pass, the API server, so images with critical or high findings are rejected whether they arrive via Jenkins or a direct kubectl apply, and with no runtime monitoring overhead. Service mesh mTLS encrypts service-to-service traffic, so secrets exchanged between services are not exposed on the wire. Option B is incorrect because aborting the Jenkins build does not prevent deployment from other paths (for example direct kubectl), and mounted secrets remain readable by anyone who can exec into the pod or read an etcd that is not encrypted at rest, so the control is not enforced by the cluster itself.

Option C is incorrect because a runtime security agent incurs the performance overhead the operations team wants to avoid and does not block deployment upfront. Option D is incorrect because network policies and static analysis do not enforce image vulnerability policy or address secret exposure.

236
MCQ · easy

A company's security policy requires that all remote access be conducted via VPN. An employee uses a personal device without VPN to access company email. Which type of policy violation is this?

A.Legal violation
B.Standards violation
C.Regulatory compliance violation
D.Organizational policy violation
Answer: D

Directly contravenes company policy

Why this answer

Option D is correct because the employee's action directly violates the company's internal security policy requiring VPN for all remote access. This is a policy violation, not a legal or regulatory one, as the company has established a mandatory rule that the employee failed to follow. The use of a personal device without VPN to access company email is a clear breach of organizational policy, which is a governance issue within the company's risk management framework.

Exam trap

The trap here is that candidates often confuse 'organizational policy violation' with 'regulatory compliance violation,' mistakenly thinking that any security breach automatically involves a regulatory mandate, when in fact the question explicitly describes a breach of internal policy.

How to eliminate wrong answers

Option A is wrong because a legal violation involves breaking a law (e.g., data protection statutes like GDPR or HIPAA), and while the action may have legal implications, the question specifically asks about a policy violation, not a legal one. Option B is wrong because a standards violation refers to non-compliance with industry or technical standards (e.g., ISO 27001, NIST SP 800-53), not internal company rules. Option C is wrong because a regulatory compliance violation involves failing to meet external regulatory requirements (e.g., PCI DSS, SOX), and the scenario describes a breach of internal policy, not a specific regulatory mandate.

237
Multi-Select · hard

Which THREE of the following are essential components of a secure software development lifecycle (SSDLC) to ensure security engineering? (Select exactly 3.)

Select 3 answers
A.Dynamic application security testing (DAST) and penetration testing before release.
B.User acceptance testing (UAT) to validate business requirements.
C.Static application security testing (SAST) in the development phase.
D.Daily stand-up meetings for developers.
E.Threat modeling during design phase.
Answers: A, C, E

DAST and pentesting find runtime vulnerabilities that may be missed by static analysis.

Why this answer

Options A, C, and E are correct. Threat modeling in the design phase, static analysis during development, and DAST/penetration testing before release are core SSDLC activities, each catching flaws the others miss. Option B is wrong because user acceptance testing validates business functionality, not security.

Option D is wrong because daily stand-ups are a project management practice, not a security activity.

238
MCQ · easy

You are a SOC analyst at a mid-sized company. The SIEM alerts on anomalous outbound traffic from a finance workstation to an external IP address never seen before. The workstation belongs to an employee in the accounts payable department. The alert shows that 500 MB of data was transferred via SMB over the internet, which is unusual because internal file shares are normally used. The employee is currently logged in and is in a meeting across the building. The initial triage confirms the workstation is not domain-joined and has been bypassing corporate firewall rules using a personal VPN. Which of the following actions should you take FIRST?

A.Isolate the workstation by disabling the network port or using endpoint security tools to block connectivity.
B.Escalate the incident to the incident response team lead.
C.Contact the employee's manager to discuss the situation.
D.Interview the employee about the suspicious activity.
Answer: A

Immediate containment stops the exfiltration and limits risk.

Why this answer

Option A is correct because active exfiltration must be contained first: isolating the workstation (shutting the switch port or using the endpoint tool's network-quarantine action) stops the transfer and limits further damage. Option B is wrong only as the first step; escalation to the IR lead should follow immediately after containment. Option C is wrong because contacting the manager does nothing to stop the data leaving.

Option D is wrong because interviewing the employee before containment could tip off a potential insider and does not stop the transfer.

239
MCQ · easy

During a security assessment, it is discovered that an organization's DMZ hosts can initiate outbound connections to the internal network. Which architectural change would best mitigate the risk of a DMZ compromise spreading to the internal network?

A.Allow only specific IPs in the DMZ to connect to internal servers
B.Replace the DMZ firewall with a next-generation firewall that includes IPS
C.Configure the DMZ firewall to block all outbound connections from DMZ to the internal network, and use a reverse proxy for inbound services
D.Move all DMZ services to a cloud provider and use a site-to-site VPN
Answer: C

This ensures that DMZ hosts cannot be used as a pivot point into the internal network.

Why this answer

Blocking DMZ-initiated connections to the internal network and using a reverse proxy for inbound services enforces a trust direction: the internal network may reach into the DMZ, but never the reverse. Option A is wrong because permitting even a few DMZ hosts to initiate internal connections leaves those hosts as pivot points if they are compromised. Option B is wrong because an IPS can inspect traffic but does not change the trust direction; DMZ hosts should not be initiating internal connections at all.

Option D is wrong because moving services to a cloud provider over a site-to-site VPN does not by itself prevent DMZ-to-internal traffic.

240
MCQ · medium

A security architect is designing a secure remote access solution for a global workforce. The company requires that all remote connections be authenticated using certificates issued by the company's internal PKI, and that the connection be encrypted and integrity-protected. Additionally, the solution must support IP-based network access control to restrict access to specific internal subnets based on the user's role. Which of the following should the architect recommend?

A.Deploy SSH tunneling with certificate-based authentication and configure iptables rules on the bastion host.
B.Deploy an SSL/TLS VPN using client certificates and rely on the VPN client to enforce access policies.
C.Deploy a RDP gateway with certificate authentication and restrict access via group policies.
D.Deploy an IPsec VPN with certificate-based authentication and integrate with a RADIUS server for role-based access control.
Answer: D

IPsec provides network-layer access, RADIUS can enforce subnet restrictions based on user role.

Why this answer

Option D is correct because an IPsec VPN with certificate-based authentication satisfies the requirement for encrypted, integrity-protected connections using the company's internal PKI. Integrating with a RADIUS server enables role-based IP access control, allowing the VPN gateway to restrict access to specific internal subnets based on the user's role, which aligns with the need for IP-based network access control.

Exam trap

The trap here is that candidates often choose SSL/TLS VPN (Option B) because it is commonly associated with certificate authentication, but they overlook the critical requirement for IP-based network access control enforced by the server, not the client.

How to eliminate wrong answers

Option A is wrong because SSH tunneling provides only application-layer port forwarding, not full IP-based network access control, and iptables rules on a bastion host cannot dynamically enforce role-based subnet restrictions per user. Option B is wrong because relying on the VPN client to enforce access policies is a security flaw; policy enforcement must occur on the gateway, not the client, which can be compromised or misconfigured. Option C is wrong because an RDP gateway is designed for remote desktop sessions, not general IP-based network access, and group policies do not provide the granular role-based subnet restrictions required for a global workforce.

241
MCQ · hard

A financial company is expanding its hybrid cloud architecture. They have an AWS VPC connected to an on-premises network via an IPsec VPN using IKEv2. The on-premises firewall is a Cisco ASA. Recently, users report intermittent connectivity to cloud resources. The security team reviews logs and finds the following message on the ASA: 'no matching crypto map entry for traffic from on-prem to cloud'. The team also suspects potential data leakage due to occasional unencrypted traffic. The corporate policy requires all traffic between environments to be encrypted. The engineer has verified that the IKEv2 proposals match on both sides. The cloud side uses a virtual private gateway with a static route to the on-premises network. Which of the following should the engineer do FIRST to resolve the issue?

A.Check the crypto map configuration on the Cisco ASA and ensure it matches the peer IP and proxy IDs
B.Disable NAT traversal on both VPN endpoints
C.Reconfigure the IKEv2 policies on both sides to use different encryption algorithms
D.Replace the VPN connection with AWS Direct Connect for dedicated bandwidth
Answer: A

The 'no matching crypto map entry' error is resolved by correcting the crypto map.

Why this answer

Option A is correct because the ASA message states that the traffic matched no crypto map entry, so the crypto map (peer address, transform set and the crypto ACL that defines the interesting traffic, i.e. the proxy IDs) is the first thing to check. Traffic that does not match the crypto ACL is not encrypted by the tunnel, which is consistent with the suspected unencrypted traffic. When the remote end is an AWS virtual private gateway, the ASA's crypto ACL must cover the address ranges on both sides (AWS's sample ASA configuration uses an any-to-any crypto ACL) or phase 2 will fail for the unmatched subnets. Option B is wrong because disabling NAT traversal could break the tunnel if either endpoint sits behind NAT.

Option C is wrong because the IKEv2 proposals have already been verified to match, so changing algorithms does not address the error. Option D is too drastic and is not a first troubleshooting step.

242
MCQ · easy

A developer is implementing input validation for a web application that accepts file uploads. Which of the following is the most secure method to prevent path traversal attacks?

A.Using a whitelist of allowed file extensions
B.Sanitizing the filename by removing '../' sequences
C.Storing files outside the web root directory
D.Validating the file size before storage
Answer: C

Storing files outside the web root ensures they cannot be served directly even if filename validation fails.

Why this answer

Option C is correct because storing uploads outside the web root means that even if a traversal sequence slips through validation, the web server has no mapping that serves the file; the application hands files out only through its own controlled endpoint. Option A is wrong because an extension allowlist controls what type of file is accepted, not where it is written. Option B is wrong because stripping '../' is easily bypassed with URL encoding (%2e%2e%2f), double encoding, backslashes, or nested sequences such as '....//' that reassemble after one pass.

Option D is wrong because file size validation is unrelated to path traversal.
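As an added example (mine, not code from the question bank) the block below shows the bypasses against the "strip '../'" approach and a hardened upload handler that never lets the user-supplied name reach the filesystem path, writes under a directory outside the web root, and re-checks containment on the download side. The upload directory, the extension allowlist and the sample filenames are constructed assumptions.

```python
"""Added example: why 'strip ../' fails and what a safe upload path looks like.
The upload directory, extension list and sample filenames are constructed
assumptions for illustration, not code from the question bank."""
import secrets
import tempfile
import urllib.parse
from pathlib import Path

# Assumption: uploads live here, outside any directory the web server maps to a URL.
UPLOAD_ROOT = Path(tempfile.gettempdir()) / "app_uploads"
ALLOWED_EXT = {".png", ".jpg", ".pdf"}


def naive_sanitize(filename):
    """Option B: one pass that removes '../' sequences. Kept here as the weak version."""
    return filename.replace("../", "")


def is_inside(root, candidate):
    """True if `candidate`, after resolving '..' and symlinks, stays under `root`.
    This containment check belongs on every path built from untrusted input."""
    root = Path(root).resolve()
    cand = Path(candidate).resolve()
    return cand == root or root in cand.parents


def safe_upload_path(user_filename, upload_root=UPLOAD_ROOT):
    """Hardened version: the user-supplied name never becomes part of the path.
    It is decoded once and reduced to its extension only; the stored name is
    random, the directory is outside the web root, and containment is re-checked."""
    decoded = urllib.parse.unquote(user_filename)
    basename = decoded.replace("\\", "/").rsplit("/", 1)[-1]
    ext = Path(basename).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext or '(none)'}")
    target = Path(upload_root) / f"{secrets.token_hex(16)}{ext}"
    if not is_inside(upload_root, target):     # defence in depth; cheap, so keep it
        raise ValueError("path escapes upload root")
    return target.resolve()


def serve_path(stored_name, upload_root=UPLOAD_ROOT):
    """Download side: the client sends back a stored name; reject anything that
    resolves outside the upload root instead of trying to clean it up."""
    target = Path(upload_root) / stored_name
    if not is_inside(upload_root, target):
        raise ValueError("traversal attempt rejected")
    return target.resolve()


if __name__ == "__main__":
    for bad in ("....//etc/passwd", "..%2f..%2fetc%2fpasswd", "..\\..\\windows\\win.ini"):
        print(f"{bad!r:35} -> naive: {naive_sanitize(bad)!r}")
    print(safe_upload_path("..%2f..%2fetc%2fpasswd.png"))
```

Note the order of defences: the random server-chosen name removes the injection point entirely, the out-of-web-root directory limits the blast radius if anything else is wrong, and `is_inside` is the last check that turns a mistake into a rejected request rather than a file read.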

243
MCQ · hard

An organization is implementing a zero-trust architecture for remote access. Which component is essential for continuous authentication?

A.VPN concentrator
B.Identity provider with continuous evaluation
C.Firewall with deep packet inspection
D.Network access control (NAC)
Answer: B

An IdP with conditional access can step up authentication based on anomalous behavior, ensuring continuous identity verification.

Why this answer

An identity provider with continuous evaluation (e.g., conditional access policies) can re-authenticate users based on risk signals throughout a session. VPNs and firewalls provide network access but lack session-level authentication. NAC enforces policy at connection time, not continuously.

244
Matching · medium

Match each acronym to its definition.


Concepts
Matches

Cloud Access Security Broker

Data Loss Prevention

Identity and Access Management

Security Information and Event Management

Security Orchestration, Automation, and Response

Why these pairings

These are common security acronyms relevant to CAS-004.

245
MCQ · hard

During a third-party risk assessment, a security architect discovers that a vendor's data retention policy does not align with the organization's legal requirements. Which of the following is the BEST course of action?

A.Request the vendor to update its retention policy to align with legal requirements.
B.Accept the risk and document it in the risk register.
C.Immediately terminate the vendor contract.
D.Implement compensating controls to enforce data deletion after the required period.
Answer: A

This directly addresses the discrepancy and leverages the contractual relationship to bring the vendor into line.

Why this answer

Option A is correct because the first step is to require the vendor to align its retention policy with the organization's legal obligations, ideally as a contractual term with a remediation deadline. Option B is wrong because accepting a known legal non-compliance is not a defensible risk decision. Option C is wrong because termination is premature before the vendor has been given the chance to remediate. Option D is wrong because compensating controls on the organization's side cannot enforce deletion of data held on the vendor's systems.

246
MCQ · easy

A security team is adopting the NIST risk management framework. Which step should they perform first?

A.Categorize.
B.Select.
C.Implement.
D.Assess.
Answer: A

The first step in NIST RMF is Categorize, where the system and its information are categorized based on impact.

Why this answer

Option A is correct because the NIST RMF categorizes the system and its data by impact level (using FIPS 199) before any controls are selected, since the categorization drives the baseline chosen in the Select step and everything after it. Note that NIST SP 800-37 Rev. 2 added a Prepare step ahead of Categorize; it is not among the options here, so Categorize is the first of the listed steps.

247
Drag & Drop · medium

Drag and drop the steps to configure a host-based firewall (Windows Defender Firewall) to block all inbound traffic except RDP into the correct order.


Steps
Order

Why this order

Firewall configuration: open console, create allow rule for RDP, ensure it's enabled, then set default block, and test.

248
Matching · medium

Match each security tier or model to its description.


Concepts
Matches

Highest privilege assets like domain controllers

Server and application administration

User workstations and devices

Separates admin accounts by sensitivity

Never trust, always verify

Why these pairings

Tier models and Zero Trust are key concepts in identity and access management.

249
MCQ · medium

A virtualization administrator needs to ensure that virtual machines (VMs) from different customers cannot communicate with each other unless explicitly allowed. Which network security control should be implemented on the hypervisor?

A.Patch the hypervisor regularly
B.Assign each VM to a different physical server
C.Use a virtual firewall to create per-VM security groups
D.Enable hypervisor memory overcommitment
Answer: C

Virtual firewalls can apply policies to individual VMs, isolating them.

Why this answer

Micro-segmentation (e.g., NSX) allows fine-grained control over VM-to-VM traffic at the virtual switch level.

250
MCQ · easy

A company is implementing a SIEM solution and needs to ensure that logs from network devices, servers, and endpoints are collected in a consistent format. Which protocol should be used to transport logs securely?

A.Syslog over UDP
B.Syslog over TLS
C.SFTP
D.SNMP traps
Answer: B

Syslog over TLS ensures encrypted and authenticated log transport.

Why this answer

Option B is correct because syslog over TLS (RFC 5425, TCP port 6514) provides encryption, peer authentication and reliable delivery. Option A is wrong because syslog over UDP is unencrypted and lossy. Option C is wrong because SFTP is for file transfer, not real-time log streaming.

Option D is wrong because SNMP traps carry device event notifications, not a general log stream.

251
MCQ · hard

A company's Jenkins pipeline builds container images by mounting the Docker socket from the host into the Jenkins container (Docker-in-Docker). An auditor flags this as a security risk because it gives the Jenkins container root access to the host's Docker daemon. The development team wants to maintain the same functionality without the risk. Which alternative should they implement?

A.Configure the Jenkins Kubernetes plugin to launch dynamic pod agents that build images without needing a Docker socket.
B.Replace Jenkins with Ansible to build and deploy containers.
C.Disable the pipeline and require manual builds on a dedicated build server.
D.Use Docker-outside-of-Docker (DooD) by mounting the Docker socket into a sibling container.
Answer: A

The Kubernetes plugin uses the Kubernetes API to spawn build pods that can build images with daemonless tools such as kaniko or Buildah, avoiding host socket access.

Why this answer

Option A is correct because using the Kubernetes plugin with dynamic pod agents isolates each build in its own short-lived pod and removes the need to expose the host Docker socket at all; inside the pod the image can be built with a daemonless, unprivileged tool such as kaniko or Buildah. (Strictly, mounting the host socket is Docker-outside-of-Docker; true Docker-in-Docker runs a second daemon in a privileged container. Both grant effective root on the host, which is the auditor's concern.) Option D is wrong because DooD still requires Docker socket access and carries the same risk.

Option C is wrong because it abandons automation. Option B is wrong because Ansible is a configuration management tool; replacing the orchestrator does not change how images are built.

252
MCQ · medium

A security analyst is writing a Python script to parse network logs and automatically block IP addresses that exceed a threshold of failed login attempts. Which security consideration is most critical when implementing this automation?

A.Using the most efficient parsing algorithm
B.Ensuring the script runs with root privileges
C.Validating and sanitizing all input from logs
D.Writing detailed audit logs of script actions
Answer: C

Why this answer

Option C is correct because log files can contain maliciously crafted entries designed to exploit parsing logic. Without input validation and sanitization, an attacker could inject commands or manipulate the script into blocking legitimate IPs or executing unintended actions, leading to a denial-of-service or compromise of the automation system itself.

Exam trap

CompTIA often tests the misconception that automation security is about efficiency or privilege escalation, when the real trap is that log data is untrusted input that must be validated to prevent injection attacks.

Why the other options are wrong

A

Efficiency is secondary; security is paramount.

B

Least privilege principle suggests non-root.

D

Auditing is important but not the most critical.
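As an added example (mine, not from the question bank) the block below is the kind of auto-blocker the question describes, written so that a log line can never influence anything except a validated IP address: an anchored pattern, the ipaddress module as the only arbiter of what is an IP, an allowlist for ranges that must never be blocked, and the firewall command built as an argv list rather than a shell string. The sshd-style sample lines (including two hostile ones), the allowlist and the threshold are constructed assumptions.

```python
"""Added example: treating log lines as untrusted input in a failed-login
auto-blocker. The sample lines (sshd-style), the allowlist and the threshold
are constructed assumptions, not from the question bank."""
import ipaddress
import re
from collections import Counter

# Constructed sshd-style lines, including two hostile/malformed ones and one
# from an internal range that must never be auto-blocked.
SAMPLE_LINES = [
    "May  1 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "May  1 10:00:03 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2",
    "May  1 10:00:05 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "May  1 10:00:07 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51125 ssh2",
    "May  1 10:00:09 bastion sshd[2201]: Failed password for invalid user oracle from 203.0.113.7 port 51126 ssh2",
    "May  1 10:00:11 bastion sshd[2203]: Failed password for root from 198.51.100.9 port 40001 ssh2",
    "May  1 10:00:12 bastion sshd[2203]: Failed password for root from 198.51.100.9 port 40002 ssh2",
    "May  1 10:00:13 bastion sshd[2204]: Failed password for invalid user ops from 10.0.0.5 port 3 ssh2",
    # Hostile: a 'from' field crafted to look like a shell command if the line were
    # ever pasted into a shell string; it also breaks the expected field layout.
    "May  1 10:00:14 bastion sshd[2205]: Failed password for invalid user test from 10.0.0.5; iptables -F port 1 ssh2",
    # Hostile: the 'from' field is not an IP address at all.
    "May  1 10:00:15 bastion sshd[2206]: Failed password for invalid user x from 203.0.113.7.evil.example port 2 ssh2",
    "May  1 10:00:20 bastion sshd[2207]: Accepted publickey for deploy from 203.0.113.7 port 51199 ssh2",
]

# Anchored pattern: only lines that fit sshd's exact shape are considered at all.
FAILED_RE = re.compile(
    r"^\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)

# Assumption: ranges the script must never block (internal nets, management hosts).
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_failed_logins(lines, allowlist=ALLOWLIST):
    """Return (Counter of failures per validated public IP, list of rejected lines).
    A line counts only if it matches the full pattern and the IP parses with the
    ipaddress module; nothing else from the line is ever used."""
    counts, rejected = Counter(), []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            if "Failed password" in line:
                rejected.append(line)          # looked like a failure but did not fit the shape
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            rejected.append(line)
            continue
        if any(ip in net for net in allowlist):
            continue                           # never auto-block our own ranges
        counts[str(ip)] += 1
    return counts, rejected


def select_blocks(counts, threshold=5):
    """IPs at or above the failure threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def build_block_commands(ips):
    """argv lists for subprocess.run(cmd) with shell=False: the IP is one argument
    and has already been proven to be an IP, so no shell metacharacter can reach a shell."""
    return [["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] for ip in ips]


if __name__ == "__main__":
    counts, rejected = parse_failed_logins(SAMPLE_LINES)
    for cmd in build_block_commands(select_blocks(counts)):
        print(" ".join(cmd))                   # production: subprocess.run(cmd, check=True)
    print(f"rejected {len(rejected)} line(s) as malformed or hostile")
```

Two of the sample lines survive a loose regex but not this one: the command-injection attempt fails the anchored shape, and the lookalike hostname fails `ipaddress.ip_address`. In production you would also bound the count to a time window and run the script as a user whose only privilege is the firewall rule insertion.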

253
MCQ · hard

A company that processes credit card transactions discovers that a third-party vendor with access to its network has suffered a data breach. The vendor's access was limited but included a connection to the cardholder data environment. The company must comply with PCI DSS. Which of the following is the FIRST action the company should take?

A.Revoke the vendor's access immediately and change all shared credentials.
B.Notify all affected cardholders as required by law.
C.Perform a forensic investigation to determine the scope of the breach.
D.Contact the acquiring bank and report the breach.
Answer: A

Immediate containment is the first priority to stop further exfiltration.

Why this answer

A is correct. PCI DSS requires immediate revocation of compromised access to prevent further data loss. Reporting and investigation follow containment.

Cardholder notification occurs after determining scope.

254
MCQ · hard

A SOC analyst is reviewing an alert about a suspicious process execution on a critical server. The alert shows that cmd.exe spawned from Microsoft Word. Which of the following is the BEST next step for the analyst?

A.Collect a memory dump from the host without any immediate action.
B.Reimage the server to ensure it is clean.
C.Isolate the host from the network and collect a memory dump.
D.Terminate the cmd.exe process immediately.
Answer: C

Isolation prevents lateral movement; memory dump preserves evidence.

Why this answer

Option C is correct because the alert indicates a classic living-off-the-land (LotL) attack where Microsoft Word (likely via a malicious macro) spawns cmd.exe, suggesting code execution. Isolating the host prevents lateral movement and data exfiltration, while collecting a memory dump preserves volatile evidence (e.g., process memory, network connections, injected code) for forensic analysis. Immediate termination (Option D) or reimaging (Option B) would destroy critical evidence, and doing nothing (Option A) risks further compromise.

Exam trap

The trap here is that candidates may choose Option D (terminate the process) thinking it stops the attack, but fail to recognize that isolation and evidence preservation are higher priorities in incident response, as termination destroys volatile data and may not prevent reinfection.

How to eliminate wrong answers

Option A is wrong because taking no immediate action allows the potentially compromised host to continue communicating with an attacker, risking lateral movement or data exfiltration; a memory dump alone without isolation does not contain the threat. Option B is wrong because reimaging the server destroys all volatile evidence (e.g., running processes, network connections, in-memory malware) needed to determine the root cause and scope of the compromise, and it may be premature without confirming persistence. Option D is wrong because terminating cmd.exe alone does not address the underlying malicious macro or payload in Word, and the attacker may have already established persistence or exfiltrated data; it also destroys the process memory that could contain critical forensic artifacts.

255
MCQ · easy

A security analyst reviews this configuration and identifies a vulnerability. What is the MOST critical issue?

A.The grant type is authorization_code
B.The client secret is hardcoded
C.The redirect URI uses HTTP
D.The token endpoint uses HTTPS
AnswerC

HTTP transmits the authorization code in plaintext, making it vulnerable to interception.

Why this answer

The redirect URI uses HTTP (plaintext), which could allow an attacker to intercept the authorization code returned by the OAuth provider. Hardcoded secrets are a problem but can be mitigated with secrets management. The grant type and token endpoint are correct.

256
Drag & Dropmedium

Drag and drop the steps to perform a vulnerability scan using Nessus into the correct order.

Why this order

Vulnerability scanning: configure policy, set targets, run scan, review results, and report.

257
Multi-Selectmedium

A company is adopting a secure software development lifecycle (SDLC). Which two practices are most effective for identifying vulnerabilities early in the development process? (Select TWO.)

Select 2 answers
A.Runtime application self-protection (RASP)
B.Dynamic application security testing (DAST)
C.Regular code reviews with security focus
D.Static application security testing (SAST) integrated into the IDE
E.Penetration testing after deployment
AnswersC, D

Code reviews can find logic flaws and security issues before build.

Why this answer

Options D (SAST integrated into the IDE) and C (regular code reviews with a security focus) are correct because they find vulnerabilities during development. Option B (DAST) is performed on running applications later. Option E (penetration testing) occurs after deployment.

Option A (RASP) is runtime protection.

258
MCQhard

A multinational organization is subject to GDPR and local data protection laws. A data subject from country X requests deletion of personal data, but the data is also required for a legal hold under country Y's law. What is the BEST course of action?

A.Anonymize the data to satisfy both requirements
B.Escalate to the data protection authority
C.Retain the data and inform the data subject of the conflicting legal obligation
D.Delete the data to comply with GDPR
AnswerC

This balances compliance requirements transparently.

Why this answer

Informing the data subject of the conflicting legal obligation is transparent and complies with both laws. Option D violates the legal hold; Option A may not satisfy either requirement; Option B should be a last resort.

259
MCQeasy

An organization is deploying a new wireless network for employees and guests. The security policy requires that all wireless traffic be encrypted using AES-CCMP, and that clients must authenticate using 802.1X with EAP-TLS. Which of the following wireless security standards should be implemented?

A.WPA2-Personal
B.WEP
C.WPA3-Enterprise
D.WPA2-Enterprise
AnswerD

WPA2-Enterprise with AES-CCMP and 802.1X meets all requirements.

Why this answer

WPA2-Enterprise (D) is the correct choice because it supports AES-CCMP encryption and 802.1X authentication with EAP-TLS. WPA2-Enterprise uses a RADIUS server for centralized authentication, allowing per-user credentials via EAP methods, and mandates CCMP (AES-based) for data confidentiality and integrity, meeting all stated security policy requirements.

Exam trap

The trap here is that candidates often confuse WPA3-Enterprise with WPA2-Enterprise, assuming newer is always better, but the question explicitly requires AES-CCMP and 802.1X with EAP-TLS, which are core to WPA2-Enterprise, while WPA3-Enterprise introduces optional stronger ciphers (GCMP-256) and a different handshake (SAE), making it not the direct match for the given requirements.

How to eliminate wrong answers

Option A is wrong because WPA2-Personal uses a pre-shared key (PSK) for authentication, not 802.1X with EAP-TLS, and thus cannot meet the enterprise authentication requirement. Option B is wrong because WEP uses RC4 encryption with weak IVs and does not support AES-CCMP or 802.1X authentication; it is deprecated and insecure. Option C is wrong because WPA3-Enterprise, while it supports 802.1X and AES-CCMP (via GCMP-256 in some modes), is not the standard that matches the explicit requirement for AES-CCMP and 802.1X with EAP-TLS; WPA2-Enterprise is the established standard for these specific protocols, and WPA3 introduces SAE handshake and optional GCMP-256, which are not mandated here.

260
MCQhard

During a red team exercise, an attacker exploits a vulnerability in a containerized web application to gain a shell. The container is running with a read-only root filesystem. What is the most likely persistence mechanism the attacker will use?

A.Modify the container's entrypoint script in the image.
B.Write a cron job to the container's writable /tmp directory.
C.Create a new user account in /etc/passwd.
D.Install a kernel module on the host.
AnswerB

/tmp is often writable and can be used for persistence.

Why this answer

Option B is correct because /tmp is typically writable even with a read-only root filesystem. Options A and C require a writable /etc or modification of the image. Option D requires host access, which is not given.

261
MCQmedium

A security architect is reviewing the architecture of a critical web application that handles sensitive financial transactions. The application is deployed across three tiers: a web server, an application server, and a database server. The application is protected by a web application firewall (WAF) and a network-based intrusion detection system (IDS). Recent penetration testing identified a SQL injection vulnerability in the application's search feature. The architect needs to propose a remediation that minimizes performance impact and maintains defense in depth. The development team is slow to fix code due to legacy dependencies. What should the security architect recommend as the MOST effective immediate control?

A.Disable the search feature until the code is fixed.
B.Isolate the database server on a separate network segment with strict firewall rules.
C.Add a WAF rule to block common SQL injection payloads and signatures.
D.Increase the IDS sensitivity to detect SQL injection attempts and automatically block them.
AnswerC

A WAF can provide virtual patching to mitigate the vulnerability until code fix is deployed.

Why this answer

Implementing parameterized queries in the application code is the most effective long-term fix, but since the development team is slow, the best immediate control is Option C: add a WAF rule to block SQL injection patterns. Option A (disable the search feature) is too disruptive. Option D (increase IDS sensitivity) would only detect, not prevent.

Option B (segment the database server) is good but does not address the vulnerability at the application layer.

262
MCQhard

A SOC analyst discovers unusual outbound traffic from a host in the production DMZ to an unknown IP address on the internet. The traffic consists of encrypted connections (HTTPS) to a domain that was registered three days ago. The host is a web server that has been fully patched and is configured with a default deny egress firewall policy, but this particular traffic is being allowed because a recently added rule permits outbound HTTPS to any destination for a specific application's updates. The security architect is called in to investigate and must determine the best course of action to identify the scope of the potential compromise and prevent further data exfiltration. The architect has access to network flow data, endpoint detection and response (EDR) telemetry, and firewall logs. What should the security architect do FIRST?

A.Enable full SSL inspection on the firewall to decrypt the traffic and analyze the contents.
B.Use EDR to identify the process or service generating the outbound connections on the web server.
C.Isolate the web server from the network to prevent further data exfiltration.
D.Immediately remove the outbound HTTPS rule to block the traffic.
AnswerB

EDR can pinpoint the root cause (e.g., a webshell or backdoor) for further investigation.

Why this answer

Option B (use EDR telemetry on the host to identify the process making the outbound connections) is the best first step because it provides visibility into the exact source of the traffic. Option D (remove the outbound HTTPS rule immediately) may disrupt legitimate traffic and does not help identify the scope. Option A (enable full SSL inspection on the firewall) is resource-intensive and can be deployed later.

Option C (isolate the host from the network) is a containment step but should follow identification to ensure proper forensic collection.

263
Multi-Selecthard

A security engineer is hardening a Linux web server. The team requires that the web server process cannot run with root privileges and that any file it writes must have minimal permissions. Which two controls should be implemented together? (Select TWO).

Select 2 answers
A.Run the web server process under a dedicated non-privileged user account
B.Place the web server in a chroot jail
C.Enable SELinux in enforcing mode with a targeted policy for the web server
D.Apply mandatory access control (MAC) to restrict file permissions
E.Use file capability bounding sets to limit the web server's capabilities
AnswersA, D

This ensures the process does not run as root.

Why this answer

Running the web server process under a dedicated non-privileged user account (Option A) ensures that even if the process is compromised, the attacker does not gain root privileges. This is a fundamental principle of least privilege, typically implemented by creating a system user (e.g., 'www-data' or 'httpd') with no login shell and assigning ownership of web directories to that user.

Exam trap

The trap here is that candidates often confuse chroot jails (Option B) or SELinux (Option C) as substitutes for running the process as a non-root user, but neither addresses the core requirement of preventing root-level execution; the question explicitly requires the process to not run with root privileges, which only a dedicated non-privileged user account achieves.

264
MCQmedium

A security analyst reviews a web application that accepts user-supplied data to generate PDF reports. The application uses a legacy library that directly inserts user input into SQL queries and also includes user input in the PDF generation without sanitization. Which is the most effective countermeasure?

A.Use parameterized queries and output encoding
B.Enable HTTPS and HSTS
C.Implement a web application firewall (WAF) to block malicious input
D.Deploy a SIEM to log all database queries and PDF generation events
AnswerA

Parameterized queries prevent SQL injection; output encoding prevents XSS in PDF output.

Why this answer

Option A is correct because it addresses both SQL injection (via parameterized queries) and cross-site scripting (via output encoding). Option C (WAF) can be bypassed; Option B (HTTPS) only encrypts in transit; Option D (SIEM) only logs and does not prevent.

265
MCQmedium

A SOC manager is considering implementing a SOAR platform. Which is the primary benefit of SOAR in day-to-day operations?

A.Automated playbook execution and orchestration of response actions
B.Centralized storage of all security logs
C.Elimination of the need for human analysts
D.Reduction in false positive alerts from the SIEM
AnswerA

SOAR automates incident response playbooks, reducing manual effort and response time.

Why this answer

Option A is correct because SOAR automates repetitive tasks and orchestrates workflows, enabling faster and more consistent incident response. Option D is wrong because SOAR does not directly reduce false positives; that is SIEM tuning. Option C is wrong because SOAR does not replace people.

Option B is wrong because SOAR is not primarily for log storage.

266
MCQhard

A financial services company uses a continuous integration/continuous delivery (CI/CD) pipeline to deploy microservices. The security team wants to ensure that no secrets (e.g., API keys, database passwords) are hard-coded in source code repositories. Which tool or practice is most appropriate for detecting secrets before they are committed?

A.Run dynamic application security testing (DAST) on deployed apps
B.Implement a pre-commit hook using git-secrets or similar
C.Perform static application security testing (SAST) in the build pipeline
D.Deploy runtime application self-protection (RASP)
AnswerB

Scans code before commit, blocking secrets from being pushed.

Why this answer

Option B (pre-commit hook with git-secrets) is correct because it scans code before commit, preventing secrets from entering the repository. Option A (DAST) tests running apps; Option C (SAST) analyzes source but often after commit; Option D (RASP) protects at runtime.

267
MCQhard

A security architect is designing a deception-based detection system for a high-security environment. The goal is to detect lateral movement by attackers who have already breached the perimeter. Which of the following deception techniques would be most effective at identifying an attacker without alerting them to the deception?

A.Configure a network share with honey files and monitor for file access.
B.Create a honeypot web server with known vulnerabilities and monitor for interactions.
C.Deploy fake database tables containing plausible but fictitious data.
D.Plant honey credentials (username/password) for non-existent Active Directory accounts in a common password manager.
AnswerD

Honey credentials are low interaction and high value; usage indicates compromise without tipping off attackers.

Why this answer

Option D is correct because honey credentials that appear to be real will be used only by attackers, and if used, they provide high-confidence detection. Option B will alert attackers. Option C is easily detectable by experienced attackers.

Option A may be ignored if attackers don't use network shares.

268
MCQmedium

A healthcare provider is migrating patient records to a cloud EHR system. The security officer is concerned about data ownership and portability. Which contractual clause is MOST critical to include in the cloud service agreement?

A.A clause on data portability and format standards
B.A service level agreement guaranteeing 99.999% uptime
C.A stipulation that encryption keys are managed by the customer
D.A requirement for breach notification within 24 hours
AnswerA

Data portability ensures the organization can retrieve data.

Why this answer

Option A is correct because data portability ensures the organization can retrieve its data if it switches vendors. Option B is wrong because uptime SLAs address availability, not ownership. Option D is wrong because breach notification is standard but does not address ownership.

Option C is wrong because customer-managed encryption keys are important but do not address ownership.

269
MCQmedium

A security analyst discovers that an employee has been using a personal USB drive to transfer sensitive customer data from a workstation to a home computer. This violates the company's data handling policy. According to the company's incident response plan, which of the following is the FIRST step the analyst should take?

A.Perform a forensic analysis of the workstation
B.Isolate the workstation from the network
C.Escalate the incident to the data protection officer (DPO)
D.Notify law enforcement
AnswerB

Isolation contains the incident and prevents further data transfer.

Why this answer

The first priority in any incident response is containment to prevent further data loss or network propagation. Isolating the workstation from the network (Option B) immediately stops the employee from exfiltrating additional data and prevents any potential lateral movement by malware that might be on the USB drive. This aligns with the NIST SP 800-61 incident response lifecycle, where containment precedes eradication and recovery.

Exam trap

CompTIA often tests the candidate's ability to prioritize containment over investigation or notification, trapping those who confuse the order of the incident response phases (e.g., jumping to forensic analysis or legal escalation before stopping the bleeding).

How to eliminate wrong answers

Option A is wrong because forensic analysis is a post-containment step; performing it first could alter volatile evidence and does not stop ongoing data exfiltration. Option C is wrong because escalation to the DPO is a notification step that occurs after containment and initial triage, not as the first action. Option D is wrong because notifying law enforcement is a final step reserved for criminal activity after the incident is fully contained and evidence is preserved, and it is not the immediate priority.

270
MCQeasy

Which of the following is the primary security benefit of using immutable infrastructure in automated deployments?

A.Reduces operational costs by reusing existing servers
B.Eliminates configuration drift and unauthorized changes
C.Increases system performance through hardware acceleration
D.Simplifies monitoring by reducing the number of servers
AnswerB

Why this answer

Immutable infrastructure ensures that servers are never modified after deployment; instead, updates are made by replacing the entire instance with a new, pre-configured image. This eliminates configuration drift because any unauthorized or unintended changes are wiped out on the next deployment cycle, enforcing a consistent, known-good state across all environments.

Exam trap

The trap here is that candidates confuse immutable infrastructure with traditional configuration management (e.g., Puppet, Ansible) that corrects drift by modifying existing servers, whereas immutable infrastructure prevents drift entirely by never modifying servers in place.

Why the other options are wrong

A

Immutable infrastructure typically increases costs because new instances are spun up instead of patching old ones.

C

Immutable infrastructure is about deployment methodology, not hardware performance.

D

Immutable infrastructure may actually increase server count due to frequent redeployments.

271
Multi-Selectmedium

A security administrator is evaluating ways to improve endpoint detection and response (EDR) capabilities. Which TWO of the following approaches would most effectively enhance the detection of fileless malware attacks?

Select 2 answers
A.Monitor PowerShell script block logging and execution events.
B.Install a network intrusion detection system (NIDS) to inspect traffic.
C.Monitor process creation chain events to detect anomalous parent-child relationships.
D.Enable file integrity monitoring (FIM) on critical system files.
E.Deploy advanced antivirus with machine learning signatures.
AnswersA, C

PowerShell is commonly abused for fileless execution.

Why this answer

Fileless malware often exploits memory and legitimate tools. Option C (monitoring process creation chains) detects abnormal parent-child relationships (e.g., wmic spawning cmd). Option A (monitoring PowerShell script execution) catches malicious scripts.

Option D focuses on files, which may miss fileless malware. Option E is less effective against memory-resident malware. Option B is generally for network-based detection.

272
MCQhard

A Kubernetes pod is defined with the above manifest. Which security concern is most critical?

A.The image tag "latest" might pull an outdated image.
B.The pod has added capabilities NET_ADMIN and SYS_ADMIN, which could allow network manipulation and system administration.
C.The readOnlyRootFilesystem prevents logging.
D.The pod runs as root by default.
AnswerB

These capabilities can lead to container escape or host compromise.

Why this answer

Option B is correct because the NET_ADMIN and SYS_ADMIN capabilities allow significant host-level manipulation, such as network configuration and system administration. Option D is a concern because no user is explicitly set and the container defaults to root, but this is less critical than the capabilities. Option C is a limitation, not a security risk.

Option A is a best-practice issue but less critical than capability escalation.

273
Multi-Selectmedium

Which TWO of the following are valid techniques to mitigate the risk of side-channel attacks on cryptographic implementations? (Select exactly 2.)

Select 2 answers
A.Obfuscating the source code of the cryptographic library.
B.Using a cryptographically secure random number generator for key generation.
C.Implementing constant-time algorithms to avoid timing variations.
D.Increasing the key length to 4096 bits.
E.Adding noise to power consumption or using power analysis resistant logic.
AnswersC, E

Constant-time code ensures that execution time does not depend on secret data, preventing timing attacks.

Why this answer

Options C and E are correct. Constant-time operations and power analysis protection are direct mitigations. Option D is wrong because longer keys do not prevent side-channel leakage.

Option B is wrong because using a CSPRNG is about key generation, not execution. Option A is wrong because obfuscation is not a cryptographic defense against side channels.

274
MCQhard

An organization is migrating to a zero-trust architecture. Which of the following components is CRITICAL for enforcing policy decisions based on user identity, device health, and context?

A.Intrusion prevention system (IPS)
B.Web application firewall (WAF)
C.Policy enforcement point (PEP)
D.Network access control (NAC)
AnswerC

PEP is the decision point that enforces access policies based on identity and context.

Why this answer

The Policy Enforcement Point (PEP) is the component that makes access decisions in a zero-trust architecture, often integrating with a policy engine. NAC, WAF, and IPS are related but not the core enforcement component in zero-trust.

275
MCQhard

A security auditor finds that a company's backup tapes are stored in the same building as the primary data center. Which risk treatment strategy does this lack represent?

A.Risk avoidance
B.Risk mitigation
C.Risk acceptance
D.Risk transference
AnswerB

Mitigation would require offsite backups to reduce risk.

Why this answer

Storing backups at a separate site is risk mitigation through redundancy. The current practice increases risk due to common physical location. Acceptance, transference, and avoidance are not directly addressed here.

276
MCQhard

A technology company suspects an insider threat is exfiltrating intellectual property. The security team has deployed user and entity behavior analytics (UEBA) and set up data loss prevention (DLP) rules. A UEBA alert flags a senior developer who is accessing the source code repository at 2 AM from a VPN connection that routes through a foreign country. The developer also recently downloaded a large quantity of source code—more than 10 times the normal volume. DLP policies are configured to block emails with attachments over 10 MB. Which of the following should the incident response team do FIRST?

A.Implement stricter DLP policies to block large downloads from the repository.
B.Conduct an informal interview with the developer to ask about the unusual activity.
C.Isolate the developer's workstation and revoke access to the source code repository immediately.
D.Review DLP logs to confirm that no emails containing source code were sent.
AnswerC

Containment is critical given the high risk of active exfiltration.

Why this answer

Option C is correct because the UEBA alert combined with the anomalous behavior strongly suggests malicious activity. Immediate isolation prevents exfiltration and preserves evidence. Option B interviews the user, which could alert them and lead to data destruction.

Option D focuses only on DLP, but the exfiltration may not be via email. Option A is a long-term preventive measure, not an immediate response.

277
Multi-Selecthard

Which THREE of the following are key components of a zero-trust security architecture? (Select THREE).

Select 3 answers
A.VPN concentrator
B.Micro-segmentation
C.Implicit trust for internal network traffic
D.Least privilege access control
E.Continuous monitoring of user and device behavior
AnswersB, D, E

Micro-segmentation divides the network into isolated zones to contain threats.

Why this answer

Zero trust requires micro-segmentation to limit lateral movement, continuous monitoring to verify every session, and least privilege access to enforce minimal permissions. VPN is a perimeter technology, and implicit trust violates zero trust principles.

278
Multi-Selectmedium

Which TWO of the following are key components of a governance framework? (Select TWO)

Select 2 answers
A.Policies and procedures
B.Vulnerability scanning schedule
C.Firewall rules
D.Penetration test results
E.Defined roles and responsibilities
AnswersA, E

Core governance documents

Why this answer

Policies and procedures are foundational to a governance framework because they define the rules, standards, and operational guidelines that an organization must follow to ensure compliance, security, and risk management. They establish the 'what' and 'how' for decision-making and behavior, aligning with frameworks like ISO 27001 or NIST SP 800-53. Without documented policies and procedures, governance lacks enforceable structure and accountability.

Exam trap

CompTIA often tests the distinction between governance components (policies, roles) and operational or technical controls (schedules, rules, results), leading candidates to mistake tactical activities for strategic framework elements.

279
MCQmedium

An IAM policy is applied to an AWS user. Which of the following actions is permitted?

A.Delete objects in example-bucket
B.Put objects in secret-bucket
C.List objects in secret-bucket
D.List objects in example-bucket
AnswerD

The Allow statement grants s3:ListBucket on example-bucket.

Why this answer

The policy explicitly allows s3:ListBucket on example-bucket. The Deny statement for secret-bucket applies to all S3 actions on that bucket. There is no Allow for Delete or Put on example-bucket, so those are implicitly denied.

280
MCQhard

Refer to the exhibit. The data classification policy defines levels and rules. During an audit, a database containing both PII and credit card numbers is found labeled as 'Internal'. Which of the following is the BEST first action?

A.Accept the risk as the data is not public
B.Remove the credit card numbers from the database
C.Create a new classification level for mixed data
D.Reclassify the database as 'Critical' to reflect the highest required level
AnswerD

Aligns with policy rule that PCI data must be Critical.

Why this answer

The database should be reclassified to 'Critical' because it contains PCI data, which requires the highest level. Creating a new level is unnecessary; accepting risk violates policy; removing data is not the first step.

281
MCQmedium

A network administrator is configuring a firewall to block traffic from a specific IP address range. The firewall uses ACLs. Which ACL entry would deny traffic from 192.168.1.0/24?

A.deny ip 192.168.1.0 0.0.0.255 any
B.deny ip 192.168.1.0 0.0.0.0 any
C.deny ip 192.168.1.0 0.0.0.127 any
D.deny ip 192.168.1.0 255.255.255.0 any
AnswerA

Wildcard 0.0.0.255 matches the entire /24 subnet.

Why this answer

Option A is correct because in Cisco ACL syntax, the wildcard mask 0.0.0.255 matches all addresses in the 192.168.1.0/24 network. The 'deny ip 192.168.1.0 0.0.0.255 any' entry blocks any IP traffic from the source subnet 192.168.1.0 through 192.168.1.255 to any destination.

Exam trap

The trap here is that candidates often confuse subnet masks with wildcard masks, selecting option D (255.255.255.0) instead of the correct wildcard mask 0.0.0.255.

How to eliminate wrong answers

Option B is wrong because the wildcard mask 0.0.0.0 matches only the single host 192.168.1.0, not the entire /24 subnet. Option C is wrong because the wildcard mask 0.0.0.127 matches only the first 128 addresses (192.168.1.0–192.168.1.127), which is a /25 range, not the full /24. Option D is wrong because 255.255.255.0 is a subnet mask, not a wildcard mask; ACLs require inverse (wildcard) masks, so this entry would be syntactically invalid or misinterpreted.

282
MCQeasy

A developer is creating a REST API that handles sensitive data. Which HTTP method should be used for updates that are not idempotent?

A.DELETE
B.GET
C.PUT
D.POST
AnswerD

POST is non-idempotent and suitable for operations that create or update resources with potentially different results on each call.

Why this answer

POST is non-idempotent—multiple identical requests may result in different side effects (e.g., creating multiple resources). PUT is idempotent, GET is safe, DELETE is idempotent.

283
Matchingmedium

Match each encryption standard or algorithm to its type.

Matches

Symmetric block cipher

Asymmetric public-key cryptosystem

Hash function (one-way)

Elliptic curve digital signature algorithm

Keyed-hash message authentication code

Why these pairings

Understanding encryption types is critical for cryptography domain.

284
MCQhard

An organization's containerized application is deployed on Kubernetes. The security team wants to enforce that containers run with the least privilege and cannot access the host file system. Which Kubernetes security mechanism should be configured?

A.Secrets management with Vault
B.Role-based access control (RBAC) for service accounts
C.Network policies to restrict egress traffic
D.Pod Security Policy (PSP) with readOnlyRootFilesystem and runAsNonRoot
AnswerD

PSP enforces security contexts; readOnlyRootFilesystem prevents writes to host file system.

Why this answer

Pod Security Policies (now deprecated, but still valid in the CASP context) or Pod Security Standards control security contexts; readOnlyRootFilesystem and runAsNonRoot directly address the requirement. Option C is wrong because network policies control traffic, not the file system. Option A is wrong because secrets management does not enforce file system restrictions.

Option B is wrong because RBAC controls API access, not container runtime privileges.

285
Multi-Selecteasy

A security team is implementing controls to meet PCI DSS requirements for cardholder data. Which THREE controls are required?

Select 3 answers
A.Encrypt cardholder data at rest
B.Implement multi-factor authentication for remote access
C.Regularly update antivirus software
D.Use unique IDs for each person with access
E.Perform quarterly vulnerability scans
AnswersA, B, D

Requirement 3.4 mandates encryption of stored cardholder data.

Why this answer

PCI DSS requires encryption of cardholder data at rest (Requirement 3.4), unique user IDs (Requirement 8.1.1), and quarterly vulnerability scans (Requirement 11.2). Regular antivirus updates (Requirement 5) are also required but many organizations also use MFA for remote access (Requirement 8.3); however, the three listed are undeniably mandatory per the current version.

286
MCQeasy

Which of the following is the primary benefit of using infrastructure as code (IaC) for automating security configurations?

A.It eliminates the need for security testing
B.It ensures consistent and repeatable security configurations
C.It allows unapproved changes to be deployed faster
D.It increases manual oversight of security settings
AnswerB

Why this answer

Infrastructure as code (IaC) enables security configurations to be defined in declarative or procedural scripts (e.g., Terraform, AWS CloudFormation, Ansible). This ensures that every deployment applies the exact same security settings (e.g., firewall rules, IAM policies, encryption at rest) without drift, making configurations consistent and repeatable across environments. The primary benefit is eliminating manual, error-prone processes that lead to configuration inconsistencies.

Exam trap

The trap here is that candidates may think IaC eliminates the need for security testing (Option A) because automation implies perfection, but in reality, IaC code itself must be tested for security flaws, just like application code.

Why the other options are wrong

A

IaC does not eliminate testing; it automates deployment.

C

Unapproved changes are a risk, not a benefit.

D

IaC reduces manual oversight.

287
Matching (medium)

Match each security tool to its purpose.


Concepts
Matches

Protects web applications from attacks

Detects intrusions and alerts

Detects and blocks intrusions in real-time

Host-based intrusion detection system

Network-based intrusion detection system

Why these pairings

These tools are fundamental to network and host security monitoring.

288
Multi-Select (hard)

A security architect is planning the migration of a legacy application to a containerized microservices architecture on Kubernetes. The architect must ensure that the architecture supports secrets management, service-to-service authentication, and encryption of data in transit between microservices. Which THREE components should the architect include in the design? (Choose three.)

Select 3 answers
A. Deploy a TLS termination gateway (e.g., NGINX ingress) with certificate management.
B. Use Kubernetes Secrets mounted as volumes with integration to an external vault.
C. Apply Kubernetes network policies to restrict pod-to-pod communication.
D. Implement a service mesh such as Istio to handle mTLS between pods.
E. Configure RPM package signing for all container images.
Answers: A, B, D

Terminates external TLS and can re-encrypt internally; manages certificates for external-facing services.

Why this answer

Option A is correct because a TLS termination gateway (e.g., NGINX ingress) with certificate management provides encryption of data in transit between external clients and the Kubernetes cluster, fulfilling the requirement for encryption of data in transit at the edge. It terminates TLS at the ingress point, allowing secure HTTPS connections and centralized certificate lifecycle management.

Exam trap

Cisco often tests the distinction between network segmentation (network policies) and cryptographic controls (mTLS, TLS), leading candidates to mistakenly choose network policies as a solution for encryption or authentication.

289
MCQ (medium)

A security analyst reviews the ACL rules above. A host at 10.0.1.5 attempts to SSH (port 22) to a server at 10.0.2.10. What is the result?

A. The connection is denied by Rule 3.
B. The connection is permitted by Rule 4.
C. The connection is permitted by the implicit permit.
D. The connection is denied by Rule 1.
Answer: D

Rule 1 explicitly denies SSH from the 10.0.1.0/24 subnet.

Why this answer

Rule 1 denies all traffic from 10.0.1.0/24 to 10.0.2.0/24. Since the source (10.0.1.5) and destination (10.0.2.10) fall within these subnets, the SSH attempt is denied by Rule 1, regardless of any later rules. ACLs are processed top-down, and the first matching rule determines the action.

Exam trap

Cisco often tests the first-match principle in ACLs, where candidates mistakenly think a later permit rule (like Rule 3 or 4) can override an earlier deny rule, but the order of evaluation is sequential and stops at the first match.

How to eliminate wrong answers

Option A is wrong because Rule 3 permits TCP traffic from 10.0.1.0/24 to 10.0.2.0/24 on port 80, not port 22, so it does not apply to SSH. Option B is wrong because Rule 4 permits traffic from 10.0.1.0/24 to 10.0.2.0/24 on port 443, not port 22, so it does not permit SSH. Option C is wrong because an implicit deny (not permit) exists at the end of all ACLs; there is no implicit permit, so traffic not explicitly permitted is denied.

290
MCQ (medium)

A security engineer needs to implement a solution that will detect and block command-and-control (C2) traffic from malware on the internal network. The solution must be able to inspect encrypted traffic and operate at the network layer. Which of the following is the BEST choice?

A. Implement a web application firewall (WAF) to filter outbound HTTP/HTTPS traffic.
B. Install a network-based intrusion detection/prevention system (IDS/IPS) with signature updates.
C. Use endpoint detection and response (EDR) agents on all workstations and servers.
D. Deploy a next-generation firewall (NGFW) with SSL/TLS inspection and application-level filtering.
Answer: D

NGFW can decrypt SSL/TLS traffic and inspect it for C2 patterns, then block malicious flows.

Why this answer

A next-generation firewall (NGFW) with SSL/TLS inspection and application-level filtering is the best choice because it can decrypt and inspect encrypted C2 traffic at the network layer, then apply application-aware rules to block malicious communications. This directly addresses the requirement to detect and block C2 traffic that uses encryption to evade traditional inspection.

Exam trap

The trap here is that candidates often choose a network-based IDS/IPS (Option B) thinking it can inspect encrypted traffic, but without SSL/TLS decryption, it can only see encrypted payloads and cannot detect C2 commands hidden inside the encrypted tunnel.

How to eliminate wrong answers

Option A is wrong because a web application firewall (WAF) is designed to protect web servers from application-layer attacks (e.g., SQL injection, XSS) and typically filters inbound HTTP/HTTPS traffic, not outbound C2 traffic from internal malware. Option B is wrong because a network-based IDS/IPS with signature updates can detect known C2 patterns but cannot inspect encrypted traffic without decryption, so it would miss C2 traffic tunneled over TLS/SSL. Option C is wrong because endpoint detection and response (EDR) agents operate at the host/endpoint layer, not the network layer, and the question specifically requires a solution that operates at the network layer.

291
MCQ (easy)

A security architect is designing a secure enclave for a high-value application. Which of the following is the BEST approach to isolate the application from the rest of the network?

A. Deploy the application in a DMZ behind a stateful firewall with least-privilege rules.
B. Install an intrusion detection system (IDS) on the application subnet.
C. Configure a jump box with two-factor authentication to access the application.
D. Place the application on a separate VLAN with an ACL.
Answer: A

A DMZ enclave with a stateful firewall ensures strict network isolation and policy enforcement, which is the best practice for high-value applications.

Why this answer

Option A is correct because an enclave uses a DMZ with strict firewall rules to isolate the application. Option D is wrong because VLANs alone do not provide the same level of isolation; they can be misconfigured or bypassed. Option C is wrong because jump boxes are for administrative access, not isolation.

Option B is wrong because an IDS provides detection, not isolation.

292
MCQ (medium)

A security architect is designing a data classification scheme. Which of the following is the MOST effective way to ensure consistent labeling across the organization?

A. Implementing DLP solutions.
B. Manual labeling by data owners.
C. User training and awareness.
D. Automated classification based on data content.
Answer: D

Automated tools using content analysis ensure consistent and accurate labeling without human error.

Why this answer

Option D is correct because automated classification minimizes human error and provides uniform application of labels.

293
Multi-Select (easy)

Which TWO of the following are key components of a successful incident response plan according to NIST SP 800-61?

Select 2 answers
A. Vulnerability scanning
B. Preparation
C. Patch management
D. User training
E. Detection and Analysis
Answers: B, E

Preparation is a foundational phase of the incident response lifecycle.

Why this answer

NIST SP 800-61 defines the incident response lifecycle as having four phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Preparation (Option B) is the foundational phase that ensures the organization has the tools, policies, and trained personnel ready before an incident occurs. Detection and Analysis (Option E) is the second phase, focusing on identifying and validating security incidents through monitoring, alerting, and forensic analysis.

Exam trap

Cisco often tests the distinction between activities that are part of the incident response lifecycle phases versus supporting security processes, leading candidates to mistakenly select vulnerability scanning or patch management as core components when they are actually separate operational tasks.

294
MCQ (hard)

Based on the exhibit, which security issue does this IAM policy represent?

A. No versioning configured
B. Overly permissive resource access
C. Missing server-side encryption
D. Insufficient logging and monitoring
Answer: B

Allowing all principals (*) to get any object in the bucket is a significant security risk.

Why this answer

Option B is correct because the policy allows any principal to read all objects in the bucket, making it overly permissive. Option C is wrong because encryption is not addressed by the policy. Option A is wrong because versioning is not relevant to the issue shown.

Option D is wrong because logging is not mentioned in the policy.

295
MCQ (easy)

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

A. Identify vulnerabilities and threats
B. Identify critical business processes and their impact if disrupted
C. Determine recovery time objectives (RTOs)
D. Develop continuity strategies
Answer: B

Core purpose of BIA

Why this answer

The primary purpose of a business impact analysis (BIA) is to identify critical business processes and quantify the operational and financial impact if they were disrupted. This foundational step determines which systems and functions are essential to the organization's survival, directly informing the selection of recovery strategies and objectives. Without a BIA, continuity planning lacks a data-driven basis for prioritizing resources.

Exam trap

The trap here is that candidates confuse the BIA's role as a data-gathering and analysis phase with the subsequent planning outputs (RTOs, strategies), leading them to select a downstream deliverable instead of the primary purpose.

How to eliminate wrong answers

Option A is wrong because identifying vulnerabilities and threats is the primary purpose of a risk assessment, not a BIA; a BIA focuses on impact to business processes, not the specific threats that could cause disruption. Option C is wrong because determining recovery time objectives (RTOs) is an output derived from the BIA's impact analysis, not the primary purpose itself; the BIA provides the data (e.g., maximum tolerable downtime) that allows RTOs to be set. Option D is wrong because developing continuity strategies is a subsequent phase that uses the BIA's findings (critical processes and impact tolerances) to design recovery plans, not the BIA's core goal.

296
MCQ (hard)

A DevOps team is implementing a CI/CD pipeline for a Java application. They want to ensure that all dependencies are scanned for known vulnerabilities before deployment. Which type of tool should they integrate into the pipeline?

A. Static Application Security Testing (SAST)
B. Dynamic Application Security Testing (DAST)
C. Software Composition Analysis (SCA)
D. Interactive Application Security Testing (IAST)
Answer: C

Why this answer

Software Composition Analysis (SCA) is the correct tool because it specifically analyzes open-source and third-party libraries (dependencies) for known vulnerabilities by cross-referencing them against databases like the National Vulnerability Database (NVD). In a CI/CD pipeline for a Java application, SCA tools (e.g., OWASP Dependency-Check, Snyk) scan build artifacts such as pom.xml or build.gradle to identify vulnerable components before deployment.

Exam trap

Cisco often tests the distinction between SAST (source code analysis) and SCA (dependency analysis), so the trap here is that candidates mistakenly choose SAST because they think 'static' covers all pre-deployment scanning, but SAST does not analyze third-party libraries.

Why the other options are wrong

A

SAST analyzes source code for security flaws, not third-party libraries.

B

DAST tests running applications for vulnerabilities, not dependencies.

D

IAST combines SAST and DAST but still focuses on custom code, not dependencies.

297
MCQ (hard)

During a security review, you find that a web application uses a Content Security Policy (CSP) header with the value "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com;". Which attack is the application still vulnerable to?

A. Cross-site request forgery (CSRF)
B. Cross-site scripting (XSS) via inline script injection
C. SQL injection
D. Man-in-the-middle (MITM) attack due to CDN inclusion
Answer: B

Why this answer

Option B is correct because the CSP includes 'unsafe-inline' in the script-src directive, which explicitly allows inline scripts. This bypasses the primary protection CSP offers against XSS, as an attacker can inject malicious JavaScript directly into the HTML (e.g., via a <script> tag or event handler) without violating the policy. The 'self' source only restricts external scripts to the same origin, but inline scripts remain permitted, leaving the application vulnerable to stored, reflected, or DOM-based XSS attacks.

Exam trap

Cisco often tests the misconception that CSP alone prevents all XSS, but the trap here is that 'unsafe-inline' explicitly disables CSP's inline script protection, making XSS via script injection still possible despite the policy.

Why the other options are wrong

A

CSP does not directly prevent CSRF; CSRF is mitigated by anti-CSRF tokens.

C

CSP is a browser-side security mechanism and does not prevent server-side SQL injection.

D

The CDN is over HTTPS, so MITM is not the primary vulnerability; 'unsafe-inline' is the issue.

298
MCQ (easy)

A web application generates an Ansible playbook from user input as shown. What is the primary security risk?

A. The application is vulnerable to SQL injection.
B. The user input could be crafted to execute arbitrary Ansible modules.
C. The application is vulnerable to LDAP injection.
D. The playbook may fail to run if input contains special characters.
Answer: B

YAML injection can lead to arbitrary module execution, compromising hosts.

Why this answer

Option B is correct because replacing the placeholder with unsanitized user input allows YAML injection, enabling arbitrary module execution. Option D describes an operational problem, not a security risk. Option A is SQL injection, which is irrelevant here.

Option C is LDAP injection, which is not applicable.

299
Drag & Drop (medium)

Drag and drop the steps to configure a RADIUS server for 802.1X authentication into the correct order.


Steps
Order

Why this order

RADIUS setup: install NPS, register in AD, add RADIUS client, configure connection policy, then network policy.

300
MCQ (hard)

An organization's business continuity plan (BCP) includes a recovery time objective (RTO) of 4 hours for its critical ERP system. During a disaster, the system is restored in 5 hours. Which of the following is the MOST significant impact?

A. Unacceptable business downtime and potential contractual penalties
B. Need to reroute network traffic to the DR site
C. Higher cost for cyber insurance premiums
D. Increased recovery point objective (RPO) for the last backup
Answer: A

Missing RTO leads to unacceptable downtime and penalties.

Why this answer

Option A is correct because exceeding the RTO results in unacceptable downtime and potential revenue loss. Option D is wrong because RPO concerns data loss, not uptime. Option B is wrong because rerouting traffic does not fix the missed RTO.

Option C is wrong because insurance may cover financial loss but does not address the operational impact.
