CompTIA SecurityX CAS-004 (CAS-004) — Questions 301-375

510 questions total · 7 pages · All types, answers revealed


Page 5 of 7

301
Matching · hard

Match each automation security concept (left) with its corresponding best practice (right).

Immutable infrastructure → Never modify a running instance; redeploy instead
Infrastructure as Code → Store all configuration files in version control
Secret management → Use a dedicated vault service to store credentials
CI/CD pipeline security scanning → Scan container images for vulnerabilities before deployment

Why this answer

This matching pairs key concepts with their best practices: Immutable infrastructure -> never modify after deployment, Infrastructure as Code -> version control all configurations, Secret management -> use vault for credentials, CI/CD pipeline scanning -> scan images before deployment.

Exam trap

Candidates might confuse 'immutable infrastructure' with 'infrastructure as code'.

302
Multi-Select · easy

A security architect is reviewing firewall rules for a new application tier. Which TWO of the following principles should be applied when designing the firewall policy? (Choose two.)

Select 2 answers
A.Log all denied traffic
B.Use static IP addresses for all servers
C.Implement stateful packet inspection
D.Default allow all traffic
E.Allow only necessary ports and protocols
AnswersC, E

Stateful inspection allows rules based on connection state, improving security.

Why this answer

Allowing only necessary ports and protocols (E) implements least privilege, and implementing stateful packet inspection (C) lets the firewall make decisions based on connection state rather than on isolated packets. Default allow (D) is the opposite of least privilege. Static IP addresses (B) are an addressing choice, not a policy principle. Logging denied traffic (A) is good operational practice but is not a policy design principle.

303
MCQ · easy

During a security incident, a forensic investigator needs to capture the contents of volatile memory on a compromised server. Which of the following tools should the investigator use?

A.dd
B.Wireshark
C.FTK Imager (with memory capture)
D.Nmap
AnswerC

FTK Imager can capture an image of physical memory (RAM) for analysis.

Why this answer

FTK Imager with memory capture is the correct tool because it is specifically designed to acquire a bit-for-bit copy of volatile memory (RAM) from a live system while preserving forensic integrity. Unlike disk imaging tools, FTK Imager can capture the contents of physical memory, including running processes, network connections, and encryption keys, which are critical for incident response. This tool also generates a hash of the captured memory to ensure data integrity during analysis.

Exam trap

CompTIA often tests the misconception that dd can be used for memory capture because it is a common Linux imaging tool, but dd is designed for block-level disk copying and cannot reliably access volatile memory without specialized drivers or kernel patches.

How to eliminate wrong answers

Option A is wrong because dd is a disk imaging tool that copies block devices (e.g., hard drives); it cannot capture volatile memory directly, because modern Linux kernels restrict /dev/mem and /dev/kmem (CONFIG_STRICT_DEVMEM), so acquiring RAM on Linux requires a loadable kernel module or a purpose-built acquisition tool such as LiME or AVML rather than dd. Option B is wrong because Wireshark is a network packet analyzer used for capturing and inspecting network traffic, not for acquiring volatile memory; it operates at Layers 2-7 of the OSI model and cannot access system RAM. Option D is wrong because Nmap is a network scanning tool used for port discovery and service enumeration; it has no capability to interact with system memory or perform forensic acquisition.

304
MCQ · medium

Refer to the exhibit. A security analyst notices that traffic from external clients to the web server at 10.0.0.10 port 80 is being blocked. Which of the following is the MOST likely cause?

A.The ACL lacks a log statement
B.The ACL is misordered (deny before permit)
C.The web server is using port 443
D.The destination IP is incorrect
AnswerB

The deny all rule (line 1) blocks all traffic before the permit rule is evaluated.

Why this answer

The ACL is processed top-down. The 'deny ip any any' rule matches all traffic before the permit rule, so all traffic is blocked. Misordering is the cause.

The web server using HTTPS (443) is possible but not indicated, and the destination IP appears correct. Lack of logging is not the cause.
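A top-down, first-match ACL evaluator, added here as an example that is not part of the original question bank or any vendor's firewall code, shows the misordering from this question and the default-deny, log-the-denies design from question 302. The rule set, the web server address 10.0.0.10 and the client address are constructed for the demonstration; the `shadowed_rules` lint only catches the simple case of an earlier rule that is at least as broad as a later one.

```python
"""Top-down, first-match ACL evaluation: why rule order matters and why the
last rule should be an explicit, logged deny-all. Example code written for this
page, not output of any firewall product; rules and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str               # CIDR; "0.0.0.0/0" is the equivalent of "any"
    dst: str
    dport: Optional[int]   # None matches any destination port
    log: bool = False

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(acl: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int]) -> Tuple[str, int]:
    """Return (action, rule_index). Processing stops at the first matching rule;
    the implicit final rule is deny (index -1), as on most real firewalls."""
    for i, rule in enumerate(acl):
        if rule.matches(proto, src, dst, dport):
            return rule.action, i
    return "deny", -1


# Misordered ACL from the scenario: a blanket deny sits above the permit, so the
# permit is unreachable ("shadowed") and web traffic never gets through.
MISORDERED = [
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None, log=True),
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.10/32", 80),
]

# Corrected ACL: specific permits first, then an explicit logged deny-all.
CORRECTED = [
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.10/32", 80),
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.10/32", 443),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None, log=True),
]


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already
    covers every packet they would match. A lint for the common case (earlier
    rule is broader or equal in protocol, addresses and port), not a full
    rule-set analysis."""
    out = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.dport in (None, later.dport)):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    pkt = ("tcp", "203.0.113.7", "10.0.0.10", 80)   # constructed external client -> web server
    print("misordered:", evaluate(MISORDERED, *pkt))          # ('deny', 0)
    print("corrected: ", evaluate(CORRECTED, *pkt))           # ('permit', 0)
    print("shadowed in misordered ACL:", shadowed_rules(MISORDERED))  # [1]
```

Running the evaluator against the misordered list returns the deny at index 0 for the web request, and the lint flags index 1 as unreachable; the corrected list permits port 80 and 443 and still drops everything else (an SSH attempt hits the logged deny at index 2).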

305
MCQ · hard

A company uses Terraform to deploy infrastructure on AWS. They have a compliance requirement that all containers running on Amazon ECS must have a read-only root filesystem and must not run as root. The security team needs an automated way to enforce this policy and provide an audit trail for any violations. Which solution best meets these requirements?

A.Review all container definitions manually during the change management process.
B.Add a Terraform policy that validates container definitions at deployment time.
C.Write a custom Python script that periodically scans running ECS tasks and reports violations.
D.Use Open Policy Agent (OPA) with Gatekeeper as an admission controller on Amazon EKS, and deploy EKS instead of ECS.
AnswerD

OPA/Gatekeeper enforces policies at admission time on Kubernetes, blocking non-compliant pods and recording each decision in audit logs. EKS replaces ECS in this option in order to use that capability.

Why this answer

Kubernetes admission controllers such as OPA/Gatekeeper evaluate every pod against policy before it is scheduled, reject non-compliant pods and log the decision, which supplies both the enforcement and the audit trail. Option D is correct. Terraform (B) provisions infrastructure but cannot enforce what runs inside a container after deployment.

Custom scripts (C) are reactive, detecting violations only after the task is already running. Manual review (A) is not automated.

306
MCQ · easy

A development team wants to deploy a microservices application using containers. They need a solution to automate the deployment, scaling, and management of the containers across a cluster. Which technology is most suitable?

A.VMware vSphere with container support.
B.Jenkins with Docker plugins.
C.Docker Compose with manual scaling.
D.Kubernetes with Helm charts.
AnswerD

Kubernetes provides automated deployment, scaling, and management; Helm simplifies configuration.

Why this answer

Kubernetes is designed for orchestrating containerized applications at scale, and Helm packages the deployment configuration. Option D is correct. Option C is for single-host, manually scaled deployments.

Option A is a VM platform. Option B is a CI/CD tool, not an orchestrator.

307
MCQ · easy

A forensic analyst needs to collect volatile data from a live Windows system. In which order should the analyst collect the following data? (Order of volatility)

A.Disk image, memory dump, network connections, running processes
B.Memory dump, network connections, running processes, disk image
C.Network connections, running processes, memory dump, disk image
D.Running processes, memory dump, network connections, disk image
AnswerB

This follows the order of volatility from most to least volatile.

Why this answer

Option B is correct because RAM is the most volatile artifact and a memory image also preserves process and connection state, so it is collected first; network connections and running processes are captured next, and the disk image last because disk contents persist. Option A is wrong because it starts with the disk, the least volatile source. Option C is wrong because it collects network and process data before imaging memory, by which time memory may have changed or been lost.

Option D is wrong for the same reason: the process list is captured before the memory image.

308
MCQ · easy

A Windows administrator needs to automate the retrieval of failed login events from the Security log. Which scripting language is most native and efficient for this task?

A.Bash
B.Ruby
C.PowerShell
D.Python
AnswerC

PowerShell natively supports querying Windows Event Log.

Why this answer

PowerShell has built-in cmdlets such as Get-WinEvent (with -FilterHashtable to select the Security log and event ID 4625 for failed logons) that query the Windows Event Log directly. Bash has no native access to the Event Log, and Python and Ruby need third-party modules (for example pywin32) to reach the same APIs, so PowerShell is the most native and efficient choice.

309
MCQ · easy

A company is developing a new mobile app that will process users' biometric data for authentication. The legal team is concerned about compliance with the GDPR's data protection by design. Which of the following is the MOST appropriate control to implement?

A.Obtain explicit consent from users before data collection.
B.Store biometric data in hashed form on the device.
C.Implement strong encryption for data in transit and at rest.
D.Conduct a Data Protection Impact Assessment (DPIA) before development.
AnswerD

DPIA is mandated for high-risk processing and is a key part of data protection by design.

Why this answer

D is correct. A DPIA is required by GDPR for high-risk processing like biometrics. Consent is important but does not replace the DPIA.

Encryption is a technical control but the DPIA is foundational for 'by design'.

310
Multi-Select · medium

Which TWO of the following are advantages of using a hardware security module (HSM) over a software-based cryptographic module? (Select exactly 2.)

Select 2 answers
A.Easier to deploy in cloud environments than software.
B.Automatically receive security patches without manual intervention.
C.Physical tamper resistance and protection against key extraction.
D.Lower cost than software modules.
E.Faster cryptographic operations due to dedicated hardware accelerators.
AnswersC, E

HSMs are designed to resist physical attacks, making them more secure for key storage.

Why this answer

Options C and E are correct. An HSM provides physical tamper resistance (keys never leave the device in plaintext) and dedicated hardware acceleration for cryptographic operations. Option D is wrong because HSMs are generally more expensive than software modules.

Option A is wrong because, although cloud providers offer hosted HSM services, an HSM is not easier to deploy than software. Option B is wrong because HSM firmware is updated by the organization or provider under change control, not automatically.

311
MCQ · hard

An organization uses a multi-cloud strategy with workloads in AWS and Azure. The security architect needs to implement a single identity provider for all cloud resources while maintaining on-premises Active Directory as the authoritative source. Which architecture minimizes latency and complexity?

A.Use a third-party cloud-based identity provider and sync AD to it
B.Synchronize AD to Azure AD and then use Azure AD as an identity source for AWS via SAML
C.Create separate identity stores in AWS and Azure and sync from AD
D.Federate on-premises AD directly with both AWS and Azure using ADFS
AnswerD

ADFS can federate with both clouds using SAML, minimizing synchronization and complexity.

Why this answer

Federating on-premises AD directly with both AWS and Azure through AD FS keeps AD as the single authoritative source and avoids synchronizing identities into a second directory; each cloud trusts the same SAML identity provider. Option B also works, but it inserts Azure AD as an intermediate IdP for AWS, adding a synchronization dependency (Azure AD Connect) and an extra hop for AWS logins. Option C creates separate identity stores that each need to be kept in sync, which increases complexity. Option A adds a third-party dependency and cost. In practice, Microsoft now steers new deployments away from AD FS toward Entra ID (formerly Azure AD), so option B is common in the field; the question asks for the architecture with the fewest synchronization dependencies.

312
MCQ · medium

A company is implementing a zero-trust network architecture. Which of the following components is essential for enforcing micro-segmentation?

A.Security information and event management (SIEM) system
B.Software-defined networking (SDN) with distributed firewalls
C.Multi-factor authentication (MFA)
D.Network access control (NAC)
AnswerB

SDN allows granular, policy-driven segmentation at the virtual network level.

Why this answer

Micro-segmentation divides the network into small zones, each with its own security controls. SDN with distributed firewalls enables dynamic, policy-driven enforcement at the hypervisor or virtual switch level, which is what makes per-workload segmentation practical. Option D is wrong because NAC controls admission to the network but does not segment traffic between workloads.

Option C is wrong because MFA is an authentication mechanism. Option A is wrong because a SIEM correlates logs but does not enforce policy.

313
MCQ · hard

During a security assessment, a penetration tester discovers that a web application's session tokens are predictable. The application uses a custom session management system. Which of the following is the MOST effective remediation to ensure secure session tokens?

A.Generate session tokens using a cryptographically secure random number generator (CSPRNG) with at least 128 bits of entropy.
B.Regenerate the session token on each page request.
C.Implement a short session timeout of 5 minutes.
D.Generate tokens using HMAC-SHA256 of a timestamp and a secret key.
AnswerA

CSPRNGs produce unpredictable values resistant to analysis, ensuring that session tokens cannot be guessed.

Why this answer

Option A is correct because a CSPRNG with at least 128 bits of entropy produces tokens with no structure that can be inferred from earlier tokens or from the time of issue. Option C is wrong because a short timeout narrows the window but does not address predictability; a token that can be guessed in seconds is still exploitable. Option D is wrong because HMAC of a timestamp is only as unpredictable as the timestamp: the key must stay secret forever, the timestamp space is small enough to enumerate, and two sessions created in the same second collide.

Option B is wrong because regenerating on each request is costly and, if the generator is predictable, every regenerated token is predictable too; it does not fix the root cause.
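The contrast between option D and option A, as an added example written for this page rather than the application's own session code: a token derived from HMAC-SHA256 over a login timestamp can be recovered by anyone who holds the key and knows roughly when the victim logged in, while a CSPRNG token from the standard library has nothing to enumerate. The application key, the timestamps and the attacker's search window are constructed.

```python
"""Predictable (HMAC of a timestamp) vs. CSPRNG-backed session tokens.
Example code for this page; not taken from any real application."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed application secret. In the weak scheme, anyone who obtains this
# (a leaked config file, a repo) can reproduce every token ever issued.
APP_KEY = b"example-app-key-do-not-use"


def weak_token(login_ts: int, key: bytes = APP_KEY) -> str:
    """Option D style: HMAC-SHA256(key, timestamp). Deterministic per second,
    so two users logging in at the same second get the same token, and the
    search space for a given victim is just the seconds around login time."""
    return hmac.new(key, str(login_ts).encode(), hashlib.sha256).hexdigest()


def guess_weak_token(observed_token: str, approx_ts: int, window: int,
                     key: bytes = APP_KEY) -> Optional[int]:
    """Attacker who holds the key: try every second within +/- window of the
    estimated login time and return the timestamp that reproduces the token."""
    for ts in range(approx_ts - window, approx_ts + window + 1):
        if hmac.compare_digest(weak_token(ts, key), observed_token):
            return ts
    return None


def strong_token(nbytes: int = 16) -> str:
    """Option A: CSPRNG output. 16 bytes = 128 bits of entropy; token_urlsafe
    base64url-encodes it (22 characters for 16 bytes) so it fits in a cookie."""
    return secrets.token_urlsafe(nbytes)


def entropy_bits(nbytes: int) -> int:
    """Entropy of a token built from nbytes of CSPRNG output."""
    return nbytes * 8


if __name__ == "__main__":
    victim_login = int(time.time())
    token = weak_token(victim_login)
    # The attacker only knows the login happened "about now", give or take 10 minutes.
    print("recovered login ts:", guess_weak_token(token, victim_login + 37, 600))
    print("strong token:", strong_token(), "bits:", entropy_bits(16))
```

The brute force in `guess_weak_token` is at most 1,201 HMAC evaluations for a ten-minute window; the same attack against `strong_token` would need on the order of 2^128 guesses, which is the point of the 128-bit entropy requirement in option A.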

314
Multi-Select · medium

Which TWO of the following are valid methods for securing REST APIs? (Select TWO.)

Select 2 answers
A.LDAP binds
B.OAuth 2.0 tokens
C.API keys
D.SAML assertions
E.Kerberos tickets
AnswersB, C

OAuth 2.0 is widely used for API authorization.

Why this answer

OAuth 2.0 tokens (B) are a standard method for securing REST APIs by providing delegated, scoped access without exposing user credentials. The client presents a bearer token (often a JSON Web Token) in the Authorization header, which the API server validates to authorize the request. This aligns with RFC 6749 and is widely adopted for stateless, scalable API security. API keys (C) are a simpler static credential that identifies the calling application, usually sent in a header, and are normally combined with TLS, rate limiting and rotation; they carry no user identity or scopes, which is why OAuth 2.0 is preferred for user-delegated access.

Exam trap

CompTIA often tests the distinction between authentication and authorization protocols, leading candidates to select Kerberos or SAML because they are 'secure,' but they fail to recognize that REST APIs favor stateless, lightweight token-based mechanisms like OAuth 2.0 or API keys.

315
MCQ · medium

Refer to the exhibit. Based on the data classification policy JSON, what action is MOST consistent with the policy?

A.Block the email and notify the security team
B.Allow the email but reclassify the document as 'Internal'
C.Allow the email with an exception request
D.Encrypt the email automatically with S/MIME
AnswerA

The policy prohibits unencrypted transmission of Confidential data.

Why this answer

Option A is correct because the policy states that Confidential data must be transmitted via VPN or encrypted email; unencrypted email is not allowed, so the transmission should be blocked. Option B is wrong because the policy does not permit downgrading classification. Option C is wrong because no override clause is indicated.

Option D is wrong because unencrypted email is explicitly prohibited.

316
MCQ · hard

A healthcare organization is planning to migrate patient data to a cloud provider. The risk assessment identifies that the provider's SOC 2 report does not cover HIPAA controls. What is the BEST course of action?

A.Request the provider's most recent SOC 3 report
B.Accept the risk and proceed with migration
C.Require the provider to sign a Business Associate Agreement (BAA)
D.Require the provider to encrypt all data at rest and in transit
AnswerC

A BAA is mandatory under HIPAA whenever a covered entity shares ePHI with a service provider.

Why this answer

Option C is correct because HIPAA requires a BAA whenever a covered entity shares ePHI with a service provider; it contractually obligates the provider to safeguard ePHI and to report breaches. Option B is wrong because accepting the risk ignores a regulatory obligation; the risk assessment should drive remediation, not acceptance. Option D is wrong because encryption is a useful control but does not replace the required contractual protections.

Option A is wrong because a SOC 3 report is a general-use summary of the same SOC 2 examination and adds no HIPAA coverage.

317
Multi-Select · hard

A security architect is designing a secure software development lifecycle (SSDLC). Which of the following practices are essential for integrating security into the development process? (Select TWO.)

Select 2 answers
A.Conducting static application security testing (SAST) during coding
B.Performing penetration testing only after production deployment
C.Using dependency scanning to check for known vulnerabilities in libraries
D.Implementing runtime application self-protection (RASP) in development
E.Deploying a web application firewall (WAF) in staging
AnswersA, C

Why this answer

Static application security testing (SAST) analyzes source code, bytecode, or binaries without executing the program, allowing developers to identify vulnerabilities such as buffer overflows, SQL injection, and cross-site scripting during the coding phase. Integrating SAST early in the SSDLC reduces the cost and effort of fixing security flaws by catching them before they reach later stages like testing or production. Dependency scanning (C), also called software composition analysis, checks third-party libraries against known-vulnerability databases on every build, so a vulnerable component is caught when it is introduced rather than in production.

Exam trap

CompTIA often tests the distinction between security controls applied during development (SAST, dependency scanning) versus runtime controls (RASP, WAF) or post-deployment activities (penetration testing), leading candidates to select options that are valid security measures but not essential to the SSDLC itself.

Why the other options are wrong

B

Pen testing is important but occurs later; it's not integrated into the development process early.

D

RASP is a runtime control, not typically integrated into the development phase.

E

WAF is a network security control, not a development practice.

318
MCQ · medium

Refer to the exhibit. A security analyst notices that the pod is running with a service account token mounted. Which security best practice should be implemented to reduce the risk of token theft in container environments?

A.Store the token in a Kubernetes secret and mount it.
B.Use a different container runtime.
C.Disable the service account for the pod.
D.Set automountServiceAccountToken to false in the pod spec.
AnswerD

This prevents automatic mounting of the token, reducing theft risk while allowing explicit mounting if needed.

Why this answer

Option D is correct because setting automountServiceAccountToken to false in the pod spec stops the token from being projected into the container's filesystem; a pod that genuinely needs API access can still mount a token explicitly. The same field can be set on the ServiceAccount object to change the default for every pod that uses it. Option C is incorrect because disabling the entire service account may break functionality if the pod needs API access; the goal is to prevent token exposure while still allowing explicit mounting where necessary. Option B is incorrect because changing the container runtime does not affect token mounting.

Option A is incorrect because storing the token in a Secret and mounting it still places the credential in the container filesystem, which is exactly the exposure being reduced.
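The container hardening rules from question 305 (read-only root filesystem, non-root user) and the token automount rule from this question, expressed as policy checks with a machine-readable audit record per violation. This is an added example written for this page; it is not OPA/Gatekeeper, not AWS tooling, and not the pod or task definition from either exhibit. The ECS task definition and the two pod specs are constructed, and the field names follow the ECS containerDefinitions schema and the Kubernetes PodSpec, where automountServiceAccountToken defaults to true when omitted. A check like this runs in CI against Terraform's container_definitions JSON before anything is deployed; Gatekeeper applies the same rules at admission time.

```python
"""Policy-as-code checks for ECS task definitions and Kubernetes pod specs:
read-only root filesystem, non-root user, no automounted SA token.
Example code for this page; inputs are constructed."""
import json
from dataclasses import dataclass, asdict
from typing import List


@dataclass
class Violation:
    workload: str
    container: str
    rule: str
    detail: str


def check_ecs_task(task: dict) -> List[Violation]:
    """ECS: every containerDefinition must set readonlyRootFilesystem: true and
    run as a non-root 'user' ("uid", "uid:gid" or a name)."""
    out = []
    for c in task.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        if c.get("readonlyRootFilesystem") is not True:
            out.append(Violation(task["family"], name, "ecs.readonlyRootFilesystem",
                                 "root filesystem is writable (default)"))
        user = str(c.get("user", "")).split(":")[0]
        if user in ("", "0", "root"):
            out.append(Violation(task["family"], name, "ecs.nonRoot",
                                 f"runs as root (user={c.get('user', 'unset')})"))
    return out


def check_k8s_pod(pod: dict) -> List[Violation]:
    """Kubernetes: automountServiceAccountToken must be false; each container
    needs readOnlyRootFilesystem and runAsNonRoot. Container-level
    securityContext overrides the pod-level one for runAsNonRoot/runAsUser."""
    out = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    # Kubernetes defaults automountServiceAccountToken to true when omitted.
    if spec.get("automountServiceAccountToken", True) is not False:
        out.append(Violation(name, "-", "k8s.automountServiceAccountToken",
                             "service account token is mounted into every container"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("readOnlyRootFilesystem") is not True:
            out.append(Violation(name, c["name"], "k8s.readOnlyRootFilesystem",
                                 "root filesystem is writable (default)"))
        if sc.get("runAsNonRoot") is not True and sc.get("runAsUser", 0) == 0:
            out.append(Violation(name, c["name"], "k8s.runAsNonRoot",
                                 "runAsNonRoot not set and runAsUser is 0/unset"))
    return out


def audit_records(violations: List[Violation]) -> List[str]:
    """One JSON line per violation, ready to ship to a SIEM as the audit trail."""
    return [json.dumps(asdict(v), sort_keys=True) for v in violations]


# Constructed, non-compliant ECS task definition (the shape Terraform's
# aws_ecs_task_definition container_definitions argument takes).
ECS_TASK = {
    "family": "billing-api",
    "containerDefinitions": [
        {"name": "api", "image": "example/billing:1.2", "user": "0"},
        {"name": "sidecar", "image": "example/envoy:1.0",
         "readonlyRootFilesystem": True, "user": "1000:1000"},
    ],
}

# Constructed pod of the kind in the exhibit: token automounted, root, writable fs.
POD_BAD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-7d9f"},
    "spec": {"containers": [{"name": "web", "image": "example/web:2.0"}]},
}

# The same pod with the three settings corrected.
POD_GOOD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-7d9f"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{"name": "web", "image": "example/web:2.0",
                        "securityContext": {"readOnlyRootFilesystem": True}}],
    },
}

if __name__ == "__main__":
    for line in audit_records(check_ecs_task(ECS_TASK) + check_k8s_pod(POD_BAD)):
        print(line)
    print("compliant pod violations:", check_k8s_pod(POD_GOOD))   # []
```

The "api" container in the constructed task produces two violations and the "sidecar" none; the bad pod produces three (token automount, writable root, root user) and the corrected pod zero. Note the `is not True` comparisons: a missing field is treated as a violation, so a definition that simply omits the hardening settings does not pass by default.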

319
Multi-Select · easy

Which TWO are key metrics used in business continuity planning?

Select 2 answers
A.Mean Time to Repair (MTTR)
B.Recovery Time Objective (RTO)
C.Recovery Point Objective (RPO)
D.Service Level Agreement (SLA)
E.Mean Time Between Failures (MTBF)
AnswersB, C

RTO is the maximum acceptable downtime.

Why this answer

Options B and C are correct. RTO defines the maximum acceptable downtime; RPO defines the maximum acceptable data loss, measured as time since the last good copy. MTBF and MTTR are reliability metrics and an SLA is a contractual commitment; none of them is a business continuity planning metric in the sense the question intends.

320
MCQ · easy

A company is deploying a new cloud-based application that processes sensitive customer data. The security architect has proposed a zero-trust architecture to secure remote access. The architecture includes identity-aware proxies, microsegmentation, and continuous monitoring. During the transition, several remote users report being unable to access the application. The security architect verifies that the identity-aware proxy is correctly configured and that users are authenticated via SSO. However, access attempts are still failing. The architect suspects that the issue may be related to the microsegmentation rules. What should the security architect do FIRST to resolve the problem?

A.Deploy a VPN to provide a secure tunnel for remote users.
B.Reset the affected users' credentials and force them to re-authenticate.
C.Review the microsegmentation firewall rules to ensure that traffic to the application's subnet is permitted.
D.Increase logging verbosity on the identity-aware proxy to capture more details.
AnswerC

The architect suspects microsegmentation; reviewing rules is the logical first step.

Why this answer

Option C (review the microsegmentation firewall rules for the application's subnet) is the most direct first step because the architect already suspects the rules are blocking the traffic and the identity layer has been verified. Option A (deploy a VPN) would bypass the zero-trust design rather than fix it. Option D (increase log verbosity) is a reasonable diagnostic step but not the first action when a specific cause is already suspected.

Option B (reset user credentials) is unrelated: authentication is already succeeding.

321
MCQ · medium

A security analyst discovers that a web application is vulnerable to directory traversal. Which of the following is the MOST effective mitigation?

A.Whitelist of allowed file paths
B.Encrypting all files on the server
C.Chroot jail
D.Input validation that rejects paths containing '..'
AnswerA

A whitelist ensures only explicitly permitted files are served, regardless of traversal attempts.

Why this answer

Using an allowlist of permitted file paths ensures only intended files can be accessed, whatever traversal sequence the attacker sends; the resolved path should also be canonicalized and checked to lie under the intended directory. Input validation that rejects '..' can be bypassed with encodings (URL-encoded %2e%2e, double encoding, or backslashes on Windows). A chroot jail limits the damage but still permits reading any file inside the jail.

Encryption does not prevent traversal.
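A naive '..' filter beside an allowlist with a canonical-path check, as an added example written for this page rather than the vulnerable application's code. The document root (a temporary directory), the file names and the attack string are constructed; the bypass modelled is the common one where the filter runs on the raw request path and URL decoding happens afterwards.

```python
"""Directory traversal: a literal '..' filter (bypassable) beside an
allowlist plus realpath containment check. Example code for this page."""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote

# Constructed document root populated with one legitimate file.
DOC_ROOT = tempfile.mkdtemp(prefix="docroot-")
os.makedirs(os.path.join(DOC_ROOT, "reports"), exist_ok=True)
with open(os.path.join(DOC_ROOT, "reports", "q1.pdf"), "w") as fh:
    fh.write("constructed report\n")

# Explicit allowlist of servable paths, relative to DOC_ROOT.
ALLOWED = {"reports/q1.pdf"}


def naive_resolve(user_path: str) -> Optional[str]:
    """Option D as commonly (mis)implemented: reject a literal '..' in the raw
    request path, then decode and join. Percent-encoded dots sail through."""
    if ".." in user_path:                       # check runs on the still-encoded input
        return None
    return os.path.join(DOC_ROOT, unquote(user_path))   # decoding happens after the check


def safe_resolve(user_path: str) -> Optional[str]:
    """Option A plus canonicalization: decode once, normalise, require the
    normalised relative path to be in the allowlist, then confirm the real
    path (symlinks resolved) is still inside DOC_ROOT before serving it."""
    decoded = unquote(user_path)
    rel = os.path.normpath(decoded).replace("\\", "/").lstrip("/")
    if rel not in ALLOWED:
        return None
    root = os.path.realpath(DOC_ROOT)
    full = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, full]) != root:
        return None
    return full


def escapes_root(resolved: Optional[str]) -> bool:
    """True if a resolved path points outside DOC_ROOT, i.e. traversal worked."""
    if resolved is None:
        return False
    root = os.path.realpath(DOC_ROOT)
    return os.path.commonpath([root, os.path.realpath(resolved)]) != root


if __name__ == "__main__":
    attack = "%2e%2e/%2e%2e/etc/passwd"          # constructed; decodes to ../../etc/passwd
    print("naive resolves to:", naive_resolve(attack), "escapes:", escapes_root(naive_resolve(attack)))
    print("safe:", safe_resolve(attack))          # None
    print("safe, legitimate:", safe_resolve("reports/q1.pdf"))
    print("safe, equivalent path:", safe_resolve("reports/../reports/q1.pdf"))
```

The naive function blocks a plain `../etc/passwd` but resolves the percent-encoded form to a path outside the document root. The safe function rejects it, serves the allowlisted file, and, because it normalises before the allowlist lookup, also accepts `reports/../reports/q1.pdf` as the same file rather than as an attack; any name not on the list is refused regardless of how it is spelled.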

322
MCQ · medium

A security architect is designing a secure coding standard for a web application. Which of the following should be prioritized to mitigate cross-site scripting (XSS) risks?

A.Input validation
B.Output encoding
C.Secure cookies
D.Parameterized queries
AnswerB

Output encoding converts special characters to HTML entities, preventing script execution in the browser.

Why this answer

Output encoding is the most direct mitigation for XSS because it ensures user-controlled data is rendered as data, not executable code; the encoding must match the output context (HTML body, attribute, JavaScript, URL). Input validation is useful defense in depth but cannot anticipate every output context, parameterized queries address SQL injection, and secure cookie flags limit session hijacking rather than script execution.

323
MCQ · easy

An organization needs to ensure compliance with GDPR regarding data subject access requests. What is the MOST important control to implement?

A.Encrypt all personal data at rest and in transit
B.Minimize the collection of personal data
C.Implement a process to respond to access requests within one month
D.Appoint a Data Protection Officer (DPO)
AnswerC

GDPR mandates response to access requests within one month.

Why this answer

Option C is correct because GDPR Article 12 requires a response to a data subject access request within one month (extendable by two further months for complex requests), so a repeatable fulfilment process is the control that directly satisfies the obligation. Option A is wrong because encryption, while important, is not the control that addresses access requests. Option D is wrong because a DPO is required in some circumstances but is not specific to access requests.

Option B is wrong because data minimization is a principle that does not directly address access requests.

324
MCQ · hard

During a forensic investigation, the examiner discovers that the chain of custody documentation was not properly maintained for a critical hard drive. What is the most likely consequence?

A.The evidence may be ruled inadmissible in legal proceedings
B.The investigation can continue without any impact
C.The data on the drive is automatically deleted
D.The drive must be returned to the owner immediately
AnswerA

Chain of custody ensures evidence integrity; lack of it can lead to exclusion.

Why this answer

Option A is correct because without a complete chain of custody the opposing party can argue the evidence was altered or substituted, and a court may exclude it. Option B is wrong because the gap does have an impact, even if the technical analysis is still sound. Option C is wrong because nothing is deleted; the data and the analysis remain technically valid but are open to legal challenge.

Option D is wrong because returning the drive is not required and is not the primary concern.

325
Matching · medium

Match each security feature to its description.



Trust relationships between identity providers

Controls and monitors admin accounts

Restricts access based on physical location

Obfuscates sensitive data in non-production environments

Replaces sensitive data with non-sensitive placeholders

Why these pairings

These features are covered in identity and access management and data protection domains.

326
Matching · medium

Match each cloud service model to its scope.



Software delivered over the internet

Platform for application development and deployment

Virtualized computing resources over the internet

Disaster recovery as a service

Security services delivered via the cloud

Why these pairings

Cloud service models are fundamental to cloud security architecture.

327
MCQ · hard

A SOC analyst notices that a containerized application is making unexpected outbound connections. The container runs with minimal privileges. Which step should the analyst take first to investigate without compromising the environment?

A.Restore the container from a trusted image and re-deploy.
B.Use `docker exec` to attach a shell and run network diagnostic commands.
C.Immediately kill the container and analyze its filesystem from a backup.
D.Capture a network packet dump from the host and correlate with container logs.
AnswerD

This approach gathers evidence without interfering with the container.

Why this answer

Option D is correct because a packet capture taken on the host, outside the container's network namespace, and correlated with the container's logs gathers evidence without altering the container's state or tipping off an attacker inside it. Option A redeploys from a clean image and destroys the evidence. Option B changes the container's state (a new process, shell history, possibly attacker-replaced binaries) and may alert the attacker.

Option C kills the running container, losing its volatile state (processes, connections, in-memory artifacts) before it has been captured; a filesystem backup does not contain that state.

328
MCQ · medium

A company is implementing a new vendor risk management program. Which of the following is the BEST approach to assess third-party security controls?

A.Check the vendor’s financial stability
B.Use a standardized security questionnaire and conduct on-site audits
C.Rely on the vendor’s self-assessment questionnaire
D.Review only public breach reports about the vendor
AnswerB

Combining a questionnaire with on-site audits provides thorough, independent verification.

Why this answer

Option B is correct because a standardized questionnaire combined with on-site audits gives both breadth and independent verification of the vendor's controls. Option C is wrong because relying solely on the vendor's self-assessment may be biased and incomplete. Option A is wrong because financial stability says nothing about security controls.

Option D is wrong because public breach reports are reactive and incomplete.

329
MCQ · medium

An organization discovers that a vendor's data breach exposed customer PII. The contract with the vendor does not address breach notification. What is the BEST way to prevent this in the future?

A.Purchase cyber insurance covering vendor breaches
B.Terminate the vendor relationship immediately
C.Add a breach notification clause in vendor contracts
D.Conduct more frequent vendor risk assessments
AnswerC

Legally obligates vendor to notify

Why this answer

Adding a breach notification clause directly addresses the contractual gap that left the organization without recourse or timely notification when the vendor suffered a data breach. This contractual remedy ensures that future incidents trigger a predefined notification process, aligning with regulatory requirements such as GDPR or HIPAA that mandate breach notification obligations for data processors. Without such a clause, the organization has no enforceable mechanism to compel the vendor to report breaches, regardless of other risk management activities.

Exam trap

CompTIA often tests the distinction between preventive controls (contractual clauses) and detective/reactive controls (assessments, insurance), leading candidates to choose 'more frequent risk assessments' because it sounds proactive, but only a contract clause creates a binding obligation.

How to eliminate wrong answers

Option A is wrong because cyber insurance covers financial losses after a breach but does not prevent the breach or ensure notification; it is a reactive financial tool, not a preventive contractual control. Option B is wrong because terminating the vendor relationship immediately does not address the root cause—lack of contractual safeguards—and may disrupt operations without guaranteeing that a replacement vendor will have better terms. Option D is wrong because conducting more frequent vendor risk assessments can identify risks but cannot enforce notification obligations; without a contractual clause, the vendor has no legal duty to report breaches discovered during or after assessments.

330
Multi-Select · easy

A security architect is designing a zero-trust network architecture for a hybrid cloud environment. Which TWO principles should be implemented to enforce the "never trust, always verify" model?

Select 2 answers
A.Micro-segmentation between workloads
B.Trust based on network location
C.Implicit trust for internal IP ranges
D.Continuous authentication and authorization for every request
E.Use of a single VPN for all remote access
AnswersA, D

Micro-segmentation enforces least privilege.

Why this answer

Micro-segmentation (A) and continuous authentication and authorization for every request (D) are core zero-trust principles. Options B and C grant implicit trust based on network location, which is exactly what zero trust rejects. Option E is a technology choice, not a principle, and a single VPN concentrator recreates the trusted perimeter.

331
MCQ · hard

During a third-party risk assessment, an organization discovers that a cloud service provider (CSP) stores data in a jurisdiction with conflicting privacy laws. The organization's legal team advises that this could expose the organization to regulatory penalties. Which of the following contractual clauses would best address this compliance risk?

A.Insert a right-to-audit clause allowing the organization to inspect the CSP's facilities.
B.Include a Data Processing Agreement (DPA) that requires data to be stored only in approved jurisdictions.
C.Negotiate a service-level agreement (SLA) guaranteeing 99.99% uptime.
D.Require the CSP to sign a business associate agreement (BAA) under HIPAA.
AnswerB

A DPA with data residency clauses legally restricts where data can be stored, addressing the compliance risk.

Why this answer

A Data Processing Agreement (DPA) is the correct contractual mechanism to enforce data residency restrictions. By requiring the CSP to store data only in approved jurisdictions, the DPA directly addresses the compliance risk of conflicting privacy laws and potential regulatory penalties, as it legally binds the provider to specific geographic data handling requirements.

Exam trap

CompTIA often tests the distinction between operational controls (audit clauses, SLAs) and legal/compliance controls (DPAs), trapping candidates who confuse visibility with enforcement or apply US-specific agreements (like BAAs) to global privacy issues.

How to eliminate wrong answers

Option A is wrong because a right-to-audit clause allows the organization to inspect the CSP's facilities and processes, but it does not proactively restrict where data is stored; it only provides visibility after the fact, not a preventive control. Option C is wrong because an SLA guaranteeing 99.99% uptime addresses availability and performance, not data residency or privacy law compliance; it is irrelevant to the jurisdictional conflict. Option D is wrong because a Business Associate Agreement (BAA) under HIPAA is specific to protected health information (PHI) in the United States and does not apply to general privacy law conflicts in other jurisdictions; it also does not restrict data storage locations.

332
Multi-Select · medium

Which two of the following are best practices for securing container orchestration platforms (e.g., Kubernetes)? (Select two.)

Select 2 answers
A.Apply network policies to isolate workloads.
B.Use privileged containers for system services.
C.Disable all security contexts to avoid restrictions.
D.Enable Role-Based Access Control (RBAC).
AnswersA, D

Why this answer

Network policies in Kubernetes act as a firewall for pods, controlling ingress and egress traffic at the IP address or port level (OSI layer 3 or 4). By default, all pods can communicate with each other; applying network policies enforces least-privilege segmentation, which is a core security best practice for container orchestration platforms. Enabling RBAC (D) restricts which users and service accounts can perform which API operations on which resources, so a compromised workload or credential cannot read every Secret or create privileged pods.

Exam trap

CompTIA often tests the misconception that privileged containers are necessary for system services, when in fact they should be avoided and replaced with specific capability grants (e.g., CAP_NET_ADMIN) or security context constraints.

Why the other options are wrong

B

Privileged containers should be avoided as they have nearly unrestricted access to the host.

C

Security contexts enforce necessary restrictions; disabling them weakens security.

333
MCQeasy

Which of the following is the primary purpose of implementing a public key infrastructure (PKI)?

A.To store and verify password hashes for user authentication.
B.To sign software and files to verify integrity and origin.
C.To bind public keys to identities through certificates for authentication and encryption.
D.To provide a secure method for remote access via VPN.
AnswerC

PKI's main role is to create a framework of trust where certificates link public keys to entities, enabling secure communications.

Why this answer

Option C is correct because PKI provides certificate-based trust to enable authentication and encryption. Option D is wrong because VPNs use PKI, but that is not its primary purpose. Option B is wrong because PKI supports code signing, but that is a subset of its role.

Option A is wrong because password hashing is separate from PKI.

334
MCQmedium

A financial organization's SOC analysts have observed repeated failed authentication attempts from a single external IP address against multiple user accounts, followed by a successful authentication from the same IP using one of those accounts. Which type of security monitoring rule would be most effective at detecting this attack pattern in real time?

A.Alert when multiple failed logins from a single source IP are followed by a successful login from that IP within 10 minutes.
B.Alert when a user account has three failed logins within 5 minutes followed by a successful login.
C.Alert when a successful authentication occurs immediately after a password reset.
D.Alert on any single failed login attempt from an external IP.
AnswerA

This correlation rule accurately detects the credential stuffing pattern across different accounts from one IP.

Why this answer

The attack pattern involves brute-force attempts followed by a success, which is a classic credential stuffing attack. Option A is a correlation rule that combines multiple failed logins with a subsequent success for the same source IP, which directly captures this behavior. Option D only detects a single failed login, not the pattern.

Option B detects a success after failures but for a single target user, not the source IP pattern. Option C detects a single login after a reset, which is unrelated.

335
MCQeasy

A small business wants to protect endpoints from malware without incurring per-device licensing costs. Which approach is MOST cost-effective?

A.Implement network-based IPS
B.Use open-source host firewall
C.Use built-in Windows Defender and periodically scan with free tools
D.Purchase enterprise EDR suite
AnswerC

Windows Defender is free and sufficient for small business; free scanning tools supplement without cost.

Why this answer

Built-in Windows Defender is free and adequate for basic protection. Periodically scanning with free tools (e.g., Microsoft Safety Scanner) enhances security at no cost. Enterprise EDR and network-based IPS are commercial products that incur costs, and although some host firewalls are free, they do not address the malware-protection requirement.

336
Matchingmedium

Match each command-line tool to its primary function.

Concepts
Matches

DNS query and lookup

Display network connections and listening ports

Capture and analyze network traffic

Perform SSL/TLS cryptographic operations

Network discovery and port scanning

Why these pairings

These tools are commonly used for network troubleshooting and security assessments.

337
MCQmedium

A SOC analyst is reviewing a large volume of failed login attempts across multiple user accounts from a single external IP address. The attempts use common usernames and passwords over SSH (port 22). Which security control would be most effective at preventing this type of attack?

A.Enforce a minimum password complexity policy for all users.
B.Require multi-factor authentication for all SSH logins.
C.Implement rate limiting on SSH connections per source IP.
D.Add the external IP address to the firewall deny list and implement an IP allowlist for SSH access.
AnswerD

This immediately blocks the attack and prevents any further attempts from that IP.

Why this answer

Option D is correct because the attack is a brute-force or password-spraying attempt from a single external IP. Adding that IP to a firewall deny list immediately blocks all traffic from that source, while implementing an IP allowlist for SSH access ensures only trusted IPs can reach the service. This directly prevents the attack at the network layer, regardless of password strength or authentication method.

Exam trap

The trap here is that candidates often choose rate limiting (Option C) because it seems like a direct mitigation, but they fail to realize that rate limiting only slows the attack, whereas blocking the IP and using an allowlist stops it entirely.

How to eliminate wrong answers

Option A is wrong because enforcing minimum password complexity does not prevent brute-force or password-spraying attacks; it only makes passwords harder to guess, but the attacker can still attempt many combinations. Option B is wrong because requiring multi-factor authentication (MFA) for SSH logins would stop successful authentication even if credentials are guessed, but it does not prevent the attack itself—the attacker can still flood the system with login attempts, consuming resources and generating logs. Option C is wrong because rate limiting on SSH connections per source IP reduces the speed of the attack but does not stop it entirely; the attacker can still attempt logins at a slower rate or rotate through multiple source IPs.

338
MCQhard

Refer to the exhibit. A security analyst is reviewing the Nginx configuration. Which of the following is the most critical security flaw?

A.The SSL certificate key file is readable by all users (assuming default permissions)
B.The proxy_pass uses HTTP internally, which is not encrypted
C.The /api location does not have any access restrictions, exposing internal API
D.The /admin location restricts access by IP only, which can be bypassed by IP spoofing
AnswerC

Without any allow/deny directives, the /api endpoint is accessible to anyone who can reach the server, which could include external attackers.

Why this answer

Option C is correct because the /api location has no access restrictions, potentially exposing internal API services to unauthorized external access. Option A is a concern but not directly indicated. Option D is partially true, but IP restriction is a valid control; the lack of restriction on /api is more critical.

Option B is common for internal traffic.

339
MCQhard

During a security incident, a forensic analyst needs to acquire a memory dump from a Linux server without altering the system state. Which tool is most appropriate for this task?

A.Volatility framework
B.LiME (Linux Memory Extractor)
C.dd if=/dev/mem of=mem.dump
D.memdump utility
AnswerB

LiME captures memory safely via a kernel module, preserving forensic integrity.

Why this answer

LiME (Linux Memory Extractor) is designed to acquire memory dumps with minimal impact, loading as a kernel module and exporting memory to a file or network. dd is for disk, memdump is limited, and Volatility is for analysis, not acquisition.

340
MCQhard

A large enterprise is implementing a SOAR platform to automate incident response. The security team wants to create a playbook for handling phishing emails reported by users. The playbook should: 1) validate the reported email by checking headers and attachments, 2) automatically block the sender's domain at the email gateway if malicious, 3) create a ticket, and 4) send an automated response to the user. Which of the following describes the best approach to design this playbook?

A.Create a ticket and route it to a junior analyst for manual investigation, then close after user acknowledgement.
B.Immediately sandbox the attachment and block the sender's domain if the sandbox reports malicious behavior.
C.Use an automated triage step that extracts indicators, then present the verdict to an analyst in a manual approval step before executing blocks.
D.Automatically delete the email from all users' inboxes and send a warning to the organization.
AnswerC

This balances automation with human oversight, reducing false positives.

Why this answer

Option C is correct because a tiered approach with human approval before blocking prevents false positives and aligns with typical SOAR best practices. Options B and D are too risky because they take blocking or deletion actions without analyst validation. Option A bypasses automated analysis, which defeats the purpose of automation.

Option A also delays response and increases workload.

341
MCQeasy

A network administrator is configuring a firewall to allow only necessary traffic to a web server. The server should be accessible from the internet on port 443 and from a management subnet on port 22. Which firewall rule ensures least privilege?

A.Allow traffic from management subnet to port 443 and any to port 22
B.Allow traffic from any source to ports 443 and 22
C.Allow all traffic to the server, then block specific ports
D.Allow traffic from any to port 443, and from management subnet to port 22; deny all else
AnswerD

This restricts SSH to only the management subnet and HTTPS to all, with a default deny.

Why this answer

Allow only specific ports from specific sources, and block all other traffic.

342
Multi-Selecthard

Which THREE of the following are required for PCI DSS compliance regarding cardholder data?

Select 3 answers
A.Maintain a vulnerability management program.
B.Store cardholder data after authorization.
C.Restrict access to cardholder data by business need-to-know.
D.Encrypt transmitted cardholder data over open networks.
E.Implement multifactor authentication for all physical access to data centers.
AnswersA, C, D

Requirements 6 and 11 require a vulnerability management program to identify and remediate vulnerabilities.

Why this answer

PCI DSS requires encryption of transmissions (Req 4), access restriction (Req 7), and vulnerability management (Req 6/11). MFA for physical access is not required; data storage after authorization is limited.

343
Multi-Selecteasy

A cloud security architect is designing a key management system for a multi-tenant SaaS application. Which TWO practices are essential for ensuring cryptographic key security? (Select TWO).

Select 2 answers
A.Separate key management from data storage
B.Store keys in plaintext configuration files for easy retrieval
C.Implement key rotation policies
D.Use a single master key for all customers
E.Audit all key access events
AnswersA, C

Logical separation ensures a breach of data storage does not reveal keys.

Why this answer

Key rotation limits exposure if a key is compromised, and separating key management from data storage reduces attack surface. Storing keys in plaintext is insecure, using a single master key increases risk, and auditing is a detective control but not as fundamental as the other two.

344
MCQeasy

A small business has a single physical server running multiple virtual machines (VMs) using Type 2 hypervisor software on a Windows Server host. The host is not joined to a domain. The VMs include an Active Directory domain controller, a file server, and a web server. The company recently suffered a ransomware attack that encrypted all data on the file server VM. The IT administrator restored the file server from a backup, but the ransomware returned within hours. Analysis shows that the ransomware is now spreading to other VMs. The administrator suspects that the hypervisor host itself may be compromised. Which of the following is the MOST effective immediate action to contain the spread and secure the environment?

A.Run a full antivirus scan on the host operating system.
B.Disconnect the physical host from the network immediately.
C.Apply the latest security patches to the hypervisor software.
D.Restore all VMs from known clean backups taken before the attack.
AnswerB

Isolating the host stops the ransomware from spreading to other systems and buys time for remediation.

Why this answer

Option B is correct because immediately disconnecting the physical host from the network is the most effective immediate action to contain the spread of ransomware. Since the host is compromised and the Type 2 hypervisor runs on top of a Windows Server OS, the attacker can pivot from the host to any VM via the virtual switch. Cutting network connectivity stops all lateral movement and outbound command-and-control traffic, buying time for forensic analysis and remediation.

Exam trap

The trap here is that candidates often choose to run antivirus scans or apply patches first, mistakenly believing these are immediate containment actions, when in reality they are slow, disruptive, and ineffective against an actively spreading ransomware outbreak on a compromised host.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan on the host OS is a reactive, time-consuming step that does not stop active ransomware propagation; the malware may already be executing in memory or have disabled the scanner. Option C is wrong because applying the latest security patches to the hypervisor software is a preventive measure, not an immediate containment action; patching requires a reboot and does not halt ongoing encryption or lateral movement. Option D is wrong because restoring all VMs from known clean backups taken before the attack is premature and dangerous if the host remains compromised; the restored VMs would be re-infected immediately via the compromised hypervisor or virtual switch.

345
MCQmedium

Refer to the exhibit. A security analyst reviews the following firewall rule on a border firewall. Which vulnerability is present?

A.HTTPS is only allowed from a single host
B.SSH access is allowed from any source
C.HTTP is allowed from the internal network
D.An implicit deny rule is missing
AnswerB

Permitting SSH from any source exposes the server to unauthorized access attempts.

Why this answer

Option B is correct because the rule permits SSH (TCP/22) from any source, increasing the risk of brute-force attacks. Option A describes a legitimate restrictive rule for HTTPS. Option C is an intended internal network rule for HTTP.

Option D is incorrect because an explicit deny all is present at the end.

346
MCQmedium

A defense contractor is developing a new secure messaging application for classified communications. The application must ensure end-to-end encryption, perfect forward secrecy, and resistance to quantum computing attacks. The development team proposes using ECDH for key exchange and AES-256-GCM for message encryption. The security architect reviews the design and identifies a weakness: the current key exchange does not authenticate the public keys, making it vulnerable to man-in-the-middle attacks. The team suggests adding digital signatures using RSA-2048. However, the architect is concerned about quantum resistance. What should the architect recommend?

A.Replace ECDH with Diffie-Hellman using 4096-bit prime modulus and use RSA-4096 signatures.
B.Implement ECDH with Edwards-curve Digital Signature Algorithm (EdDSA) using Curve25519 and hash-based signatures for long-term keys.
C.Use pre-shared keys (PSK) for both key exchange and encryption, eliminating the need for public key authentication.
D.Use ECDH with RSA-2048 signatures for authentication and plan to migrate to CRYSTALS-KYBER when standardized.
AnswerD

This hybrid approach provides immediate authentication and a clear path to quantum resistance.

Why this answer

Option D is correct because it immediately addresses the lack of authentication by using RSA-2048 signatures while also planning for quantum resistance by migrating to CRYSTALS-KYBER, a NIST-standardized post-quantum key encapsulation mechanism. This hybrid approach ensures security now and in the future. Option A is wrong because larger Diffie-Hellman parameters do not provide quantum resistance and do not solve authentication.

Option C is wrong because pre-shared keys break perfect forward secrecy and are not scalable. Option B is wrong because EdDSA with Curve25519 is not quantum-resistant, and hash-based signatures are not practical for real-time key exchange.

347
MCQhard

A mid-sized e-commerce company has recently experienced a data breach where customer payment card information was exfiltrated. The security team has identified that the breach originated from a compromised web server that was part of a PCI DSS compliant environment. The server was running outdated software and had several known vulnerabilities. Post-incident analysis reveals that the attacker exploited a SQL injection vulnerability in the order-tracking feature. The incident response team followed NIST SP 800-61 guidelines: they contained the threat, eradicated the malicious code, and restored the server from a known clean backup. However, two weeks after the restoration, the same server is again showing signs of similar malicious activity. The server is still in production and handling credit card transactions. Which of the following is the MOST effective course of action to prevent this recurring compromise?

A.Conduct a thorough code review of the order-tracking feature, implement parameterized queries, and then redeploy the application after passing a static code analysis scan.
B.Replace the web server with a new server running the latest OS and web server version, then redeploy the same web application code.
C.Implement network segmentation to isolate the web server and restrict outbound traffic to only essential services.
D.Increase logging and deploy a WAF in front of the server with rules to block common SQLi patterns.
AnswerA

This directly addresses the SQLi vulnerability at the code level.

Why this answer

The correct answer is A. The root cause is a code-level vulnerability (SQLi) that was not fixed. Just patching the OS or rebuilding with the same software will not remove the vulnerability.

The application code must be reviewed and the SQLi flaw remediated. Option B (replacing the server) does not fix the underlying code. Option C (network segmentation) only contains but does not fix the application vulnerability.

Option D (increased logging and a WAF) is reactive and does not prevent exploitation.

348
MCQmedium

A financial institution needs to ensure that transaction logs are tamper-proof after creation. Which solution should be implemented?

A.Cryptographic hashing with chain hashing
B.Access control lists
C.Encryption with AES
D.Digital signatures on each log entry
AnswerA

Chain hashing creates a tamper-evident log by linking entries cryptographically.

Why this answer

Cryptographic chained hashing (e.g., blockchain) links each log entry to the previous one via a hash, making tampering detectable. Encryption does not protect integrity. ACLs can be bypassed.

Digital signatures are effective but more complex to manage for every entry.

349
MCQeasy

An organization is implementing a third-party risk management program. Which of the following is the FIRST step in the vendor risk assessment process?

A.Identify the vendor and the type of data it will handle
B.Conduct an on-site audit of the vendor's facilities
C.Review the vendor's contractual security clauses
D.Determine risk treatment options
AnswerA

The first step is understanding the vendor and the data it will handle.

Why this answer

Option A is correct because identifying the vendor and the data it will access is foundational. Option C is wrong because a contract review comes later. Option B is wrong because on-site audits occur after the initial assessment.

Option D is wrong because risk treatment comes after assessment.

350
Drag & Dropmedium

Drag and drop the steps to respond to a ransomware incident in the correct order.

Steps
Order

Why this order

Incident response follows the NIST framework: isolate, identify, contain, eradicate, recover.

351
MCQmedium

A security architect is designing a VPN solution for remote employees. The company requires strong authentication and integrity protection but is less concerned about confidentiality for non-sensitive traffic. Which protocol is most appropriate?

A.L2TP/IPsec with ESP
B.SSL/TLS VPN
C.ESP in tunnel mode with null encryption
D.AH in transport mode
AnswerC

ESP can be configured with null encryption to provide integrity and authentication without confidentiality.

Why this answer

Option C is correct because ESP in tunnel mode with null encryption provides authentication and integrity via HMAC (e.g., HMAC-SHA256) while omitting encryption (ESP_NULL, RFC 2410). This satisfies the requirement for strong authentication and integrity without confidentiality for non-sensitive traffic, as the payload is authenticated but not encrypted.

Exam trap

The trap here is that candidates often assume ESP always requires encryption, but ESP_NULL (RFC 2410) explicitly allows authentication-only mode, making it ideal when confidentiality is not needed.

How to eliminate wrong answers

Option A is wrong because L2TP/IPsec with ESP typically uses encryption (e.g., AES) for confidentiality, which is unnecessary and adds overhead for non-sensitive traffic. Option B is wrong because SSL/TLS VPN inherently provides confidentiality via encryption (e.g., AES-GCM), which is not required and may be excessive. Option D is wrong because AH in transport mode provides authentication and integrity but does not support null encryption; it authenticates the entire packet (including immutable IP header fields) and cannot be used with ESP_NULL, making it unsuitable for this scenario where only payload integrity is needed.

352
MCQhard

A security team is auditing a Kubernetes cluster. They find a pod running with `securityContext`: `privileged: true` and `runAsUser: 0`. Which of the following is the most critical risk?

A.The pod cannot communicate with other pods.
B.The pod cannot mount volumes.
C.The pod can access all node resources and potentially escape to the host.
D.The pod will be killed by Kubernetes if it consumes too much memory.
AnswerC

Privileged mode grants unrestricted host access.

Why this answer

Option C is correct because a privileged container running as root can escape to the host and access all node resources. Options A and B are not necessarily true. Option D is a resource management issue, not a security risk.

353
MCQhard

A security architect is evaluating a new cloud SaaS application that will handle sensitive customer data. The SaaS provider offers a shared responsibility model where the customer is responsible for data classification, access management, and encryption of data at rest using customer-managed keys. The architect must ensure that the organization retains the ability to revoke access to the data if the provider is compromised. Which key management strategy best meets this requirement?

A.Escrow the encryption key with a third-party and rely on legal agreements for revocation
B.Use the provider's default encryption with a customer-managed key stored in the provider's KMS
C.Use a cloud hardware security module (HSM) to generate and store keys
D.Implement bring-your-own-key (BYOK) with keys stored in a customer-controlled external KMS
AnswerD

BYOK with external KMS gives the customer full control to revoke access immediately.

Why this answer

Option D is correct because BYOK with keys stored in a customer-controlled external KMS ensures the organization retains full control over encryption keys, enabling immediate revocation of access to data at rest if the SaaS provider is compromised. This aligns with the shared responsibility model where the customer manages keys, and external KMS decouples key management from the provider's infrastructure, preventing the provider from accessing data after key revocation.

Exam trap

Cisco often tests the misconception that using a provider's KMS or HSM (even with customer-managed keys) provides sufficient separation, but the trap is that any key stored within the provider's boundary can be accessed by the provider if their security is breached, whereas BYOK with an external KMS ensures true customer-only control.

How to eliminate wrong answers

Option A is wrong because escrowing keys with a third-party and relying on legal agreements introduces latency and lacks technical immediacy for revocation; legal processes cannot guarantee instant access removal during a breach. Option B is wrong because storing a customer-managed key in the provider's KMS still places the key under the provider's control, as the provider's KMS is part of their trusted environment, allowing potential access if the provider is compromised. Option C is wrong because using a cloud HSM within the provider's ecosystem still ties key management to the provider's infrastructure; while HSMs offer hardware security, the provider retains administrative access to the HSM service, undermining customer-only revocation capability.

354
Multi-Selectmedium

A security architect is designing a network segmentation strategy for a data center to reduce the attack surface. Which TWO of the following are best practices for implementing effective network segmentation?

Select 2 answers
A.Deploy network access control (NAC) to authenticate devices before granting network access.
B.Place all external-facing services in a single shared DMZ segment.
C.Allow any-to-any communication within each security zone to avoid performance bottlenecks.
D.Use VLANs to logically isolate traffic between different security zones.
E.Implement microsegmentation using host-based firewalls or virtual networking to restrict east-west traffic.
AnswersD, E

VLANs provide Layer 2 isolation, which is a fundamental segmentation technique.

Why this answer

Option D (use VLANs for isolation) is correct because VLANs provide logical separation at Layer 2. Option E (implement microsegmentation with firewalls) is correct because microsegmentation uses granular firewall rules to isolate workloads. Option B is incorrect because a shared DMZ for all external services increases risk.

Option A is incorrect because NAC focuses on device authentication, not segmentation. Option C is incorrect because any-to-any traffic defeats segmentation.

355
MCQeasy

A company is implementing a microservices architecture and needs to ensure secure service-to-service communication. Which of the following BEST describes the recommended approach?

A.Basic HTTP authentication
B.Mutual TLS (mTLS) with certificate authentication
C.IP whitelisting
D.Shared API keys
AnswerB

mTLS provides mutual authentication and encryption, ideal for microservices.

Why this answer

Mutual TLS (mTLS) provides mutual authentication and encryption, making it the most secure and scalable option for microservices. Shared API keys are less secure, IP whitelisting is not scalable, and basic HTTP authentication lacks encryption.

356
Multi-Selectmedium

A company is migrating its monolithic application to a microservices architecture. The security team wants to implement controls to protect inter-service communication and ensure data integrity. Which THREE security controls should be implemented? (Select THREE.)

Select 2 answers
A.Encrypt data at rest using AES-256
B.Deploy an API gateway to enforce rate limiting and authentication
C.Implement mutual TLS (mTLS) for service-to-service authentication
D.Use a container orchestration platform to manage service discovery
E.Conduct static code analysis on all microservices
AnswersB, C

An API gateway centralizes security enforcement for microservices.

Why this answer

Mutual TLS ensures both services authenticate each other. An API gateway provides a central point for enforcing security policies. Static code analysis is a development-time control, not runtime.

Data encryption at rest protects stored data, not inter-service communication. Container orchestration is a management tool, not a direct security control for inter-service communication.

357
MCQeasy

Which of the following is the BEST practice for securely storing secrets (e.g., database passwords) in a cloud-native application?

A.Embed the secrets in the application's source code
B.Store them in environment variables
C.Use a secrets management service with encryption and access policies
D.Store them in a configuration file with restricted file permissions
AnswerC

Why this answer

Option C is correct because cloud-native applications should rely on a dedicated secrets management service (e.g., AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) that encrypts secrets at rest and in transit, enforces fine-grained access policies via IAM, and supports automatic rotation. This approach decouples secrets from code and infrastructure, eliminating the risks of exposure through version control, logs, or misconfigured permissions.

Exam trap

Cisco often tests the misconception that environment variables are a secure storage method because they are not in source code, but the trap is that they are still plaintext and accessible via runtime introspection, logging, or orchestration APIs, lacking the encryption and access control of a dedicated secrets manager.

Why the other options are wrong

A

Hardcoding secrets exposes them in version control and to anyone with code access.

B

Environment variables can be leaked through debugging interfaces or process listings; they are not encrypted.

D

File permissions can be bypassed; configuration files are often not encrypted.

358
MCQhard

A security analyst observes that SSH connections to the server are failing, but HTTP and HTTPS traffic works. Based on the exhibit, what is the most likely cause?

A.The HTTPS rule is overriding the SSH rule.
B.The SSH service is being blocked by a firewall rule that drops TCP port 22 traffic.
C.The SSH service is only allowed from the 10.0.0.0/8 subnet.
D.The SSH service is misconfigured and not listening on the correct interface.
AnswerB

The DROP rule for tcp dpt:22 is blocking SSH.

Why this answer

The exhibit shows a firewall rule that explicitly drops TCP port 22 traffic, which is the default port for SSH. Since HTTP (port 80) and HTTPS (port 443) are unaffected, the issue is isolated to SSH. This rule is the most direct cause of the connection failures, as it blocks all SSH traffic regardless of source or destination.

Exam trap

The trap here is that candidates may assume SSH is failing due to a service misconfiguration (Option D) or an overly restrictive allow rule (Option C), but the exhibit clearly shows a specific drop rule for port 22, which is the definitive cause.

How to eliminate wrong answers

Option A is wrong because HTTPS (port 443) and SSH (port 22) are different protocols and ports; firewall rules are evaluated in order, and unless the HTTPS rule explicitly matches SSH traffic (which it does not), it cannot override the SSH rule. Option C is wrong because the exhibit does not show any source subnet restriction for SSH; the rule simply drops all TCP port 22 traffic without any allow condition for 10.0.0.0/8. Option D is wrong because if the SSH service were misconfigured to listen on the wrong interface, the failure would be at the application layer, but the firewall rule explicitly drops the traffic before it reaches the SSH daemon, making a misconfiguration irrelevant to the observed symptom.

359
MCQmedium

A security architect is designing a zero-trust network architecture. Which of the following is a fundamental principle of zero trust?

A.Place all resources on the internal network and rely on perimeter firewalls.
B.Authenticate and authorize every device and user for every resource access, and encrypt all communication.
C.Implement VLANs to separate traffic based on user roles.
D.Use a VPN to secure all remote access to the corporate network.
AnswerB

This is the core of zero trust: never trust, always verify, and ensure encrypted communication.

Why this answer

Option B is correct because zero trust requires every access to be authenticated and authorized regardless of the requester's location, and all communication to be encrypted. Option A is wrong because zero trust does not rely on a network perimeter; it assumes no implicit trust. Option C is wrong because VLANs are plain network segmentation, not a primary zero-trust control. Option D is wrong because VPNs are a perimeter technology; zero trust uses micro-segmentation instead.

360
MCQmedium

A company is evaluating a new cloud service provider. The provider has a SOC 2 Type II report covering the previous year. Which additional assurance should the company request to verify the provider's current security controls?

A.Accept the SOC 2 report as sufficient
B.Implement continuous monitoring of the provider
C.Request a penetration test report covering the current year
D.Request a third-party audit of the SOC 2 report
AnswerC

Provides current assessment of security posture.

Why this answer

A penetration test report provides current, independent validation of security controls. Option A relies on a historical report; Option D is duplicative, since the SOC 2 report is already an independent audit; Option B is not a standard assurance method.

361
MCQeasy

A company's development team uses a CI/CD pipeline hosted in a public cloud. The pipeline builds container images, pushes them to a private registry, and deploys them to a Kubernetes cluster. A security engineer must ensure that only signed and vulnerability-scanned images are deployed. The engineer has configured the registry to require signatures and the CI/CD pipeline to scan images. However, deployments are still failing because unsigned images are being pulled. The engineer discovers that developers can push images directly to the registry bypassing the CI/CD pipeline and that Kubernetes nodes can pull images without signature verification. Which of the following should the engineer implement to enforce image signing and scanning?

A.Implement a manual approval step in the pipeline for each deployment.
B.Use network policies to block all outbound traffic from developer workstations to the container registry.
C.Restrict registry write access to the CI/CD service account and enable image signature verification via admission controller in Kubernetes.
D.Configure the CI/CD pipeline to perform vulnerability scanning after every build.
AnswerC

Restricts pushes to authorized accounts and verifies signatures at deployment time.

Why this answer

Option C is correct because it addresses both root causes: restricting registry write access to only the CI/CD service account prevents developers from bypassing the pipeline, and enabling image signature verification via an admission controller (e.g., using Kubernetes ImagePolicyWebhook or a tool like Cosign with OCI signatures) ensures that only signed and scanned images are allowed to run in the cluster. This combination enforces the security policy at both the registry and the cluster level, closing the gaps identified in the scenario.

Exam trap

The trap here is that candidates often focus only on the CI/CD pipeline (e.g., scanning or approvals) and overlook the need to restrict direct registry access and enforce signature verification at the cluster level, which are the two distinct vulnerabilities described in the scenario.

How to eliminate wrong answers

Option A is wrong because a manual approval step in the pipeline does not prevent developers from pushing unsigned images directly to the registry, nor does it enforce signature verification at the Kubernetes level; it only adds a human gate in the CI/CD process. Option B is wrong because network policies blocking outbound traffic from developer workstations to the registry would not stop developers from pushing images via other means (e.g., through a jump host or VPN), and it does not address the lack of signature verification on Kubernetes nodes. Option D is wrong because configuring the pipeline to perform vulnerability scanning after every build does not prevent unsigned images from being deployed; scanning alone does not enforce signature verification, and it does not restrict direct pushes to the registry or enforce admission control.

362
MCQmedium

Refer to the exhibit. Which of the following best describes the security constraint imposed by this policy?

A.Only allows access during business hours.
B.Only allows access from a specific IAM user.
C.Only allows access to a specific S3 bucket.
D.Only allows access from a specific VPC endpoint.
AnswerD

The condition 'aws:sourceVpce' restricts the source to a specific VPC endpoint ID.

Why this answer

Option D is correct because the condition key aws:sourceVpce requires the request to originate from the specified VPC endpoint, enforcing a network-level constraint.

363
MCQmedium

During a merger, two companies need to integrate their networks securely. Company A uses RFC 1918 addresses (10.0.0.0/8) and Company B also uses 10.0.0.0/8. Which architectural solution prevents routing conflicts and maintains security?

A.Configure a site-to-site VPN with no address translation
B.Enable direct BGP peering between the two networks
C.Implement a firewall between the networks and allow all traffic
D.Deploy network address translation (NAT) on the border routers to translate one company's addresses to a unique range
AnswerD

NAT resolves IP overlap and allows secure communication.

Why this answer

NAT at the boundary translates the overlapping addresses, allowing communication without conflict. Option A is wrong because the overlapping address space disrupts routing across the tunnel. Option B is wrong because, without NAT, traffic may not route correctly. Option C is wrong because it does not address the IP overlap.

364
MCQhard

A security engineer is writing a Python script to automate the revocation of compromised certificates using the ACME protocol. The script uses the `acme` library and requires secure credential storage. Which method is MOST appropriate for storing the ACME account private key used for authentication?

A.Store the key in the operating system's keychain (e.g., macOS Keychain, Windows Credential Manager) or an HSM
B.Store the key in a configuration file with 600 permissions
C.Embed the key directly in the script as a string variable
D.Store the key in an environment variable
AnswerA

Why this answer

The ACME account private key is a highly sensitive cryptographic credential used to authenticate against the ACME server (RFC 8555). Storing it in the OS keychain or a Hardware Security Module (HSM) provides encryption at rest, access control via OS-level permissions, and protection against accidental exposure. This aligns with the principle of least privilege and secure key management required for automation scripts handling certificate revocation.

Exam trap

CompTIA often tests the misconception that file permissions (e.g., 600) or environment variables are sufficient for secure credential storage, when in fact they lack encryption at rest and are vulnerable to broader system-level access.

Why the other options are wrong

B. The key remains in plaintext on disk; even with restricted permissions, it can be read by any process running as the same user or through privilege escalation.

C. The key is exposed in source code, version control, and accessible to anyone who can read the script.

D. Environment variables are often written to logs and process dumps and are not encrypted at rest; they are not designed for long-term cryptographic key storage.

365
Multi-Selecteasy

A risk assessment report is being prepared for senior management. Which TWO of the following should be included to effectively communicate risk?

Select 2 answers
A.Remediation deadlines
B.Risk register with scores
C.Executive summary
D.Names of employees responsible
E.Detailed control configurations
AnswersB, C

Provides detailed risk information for decision-making.

Why this answer

An executive summary provides high-level findings, and a risk register details identified risks. Other options are operational details not suitable for senior management.

366
MCQhard

A cloud security architect is designing a multi-region active-active application. The application must maintain high availability even if an entire AWS region fails. Which architecture BEST meets this requirement?

A.Active-active in one region with auto scaling
B.Deploy identical stacks in two regions with Route 53 weighted routing and DynamoDB global tables
C.Single region with multiple AZs and RDS Multi-AZ
D.Two regions with active-passive failover using Route 53 health checks
AnswerB

This provides active-active multi-region with automatic traffic distribution and data replication.

Why this answer

Active-active across two regions with Route 53 weighted routing and DynamoDB global tables provides automatic failover and data replication without human intervention. Single-region setups cannot survive a region outage. Active-passive requires manual failover.

367
Multi-Selecthard

A company is implementing a zero-trust network architecture. Which THREE of the following are critical components of this approach?

Select 3 answers
A.VPN for all remote access
B.Default-deny access policies (least privilege)
C.Continuous monitoring and authentication
D.Micro-segmentation of network resources
E.A single perimeter firewall
AnswersB, C, D

Users and devices are given only the access necessary.

Why this answer

Zero-trust requires that no entity is trusted by default, even inside the network. Micro-segmentation, continuous authentication, and least privilege are core principles.

368
MCQmedium

A company is adopting a DevOps model and wants to integrate security into CI/CD pipelines. Which of the following is the MOST effective approach?

A.Annual vulnerability scans
B.Post-deployment security testing
C.Manual security reviews before each release
D.Automated security scanning in the pipeline with fail-fast
AnswerD

Automation with fail-fast provides immediate feedback and prevents vulnerable code from progressing.

Why this answer

Automated security scanning with fail-fast ensures that vulnerabilities are caught early in the pipeline, aligning with DevOps speed. Manual reviews, annual scans, and post-deployment testing are too slow or reactive.

369
MCQhard

Refer to the exhibit. A cloud security engineer is reviewing an AWS S3 bucket policy. What security issue does the policy contain?

A.No server-side encryption is specified
B.Public read access is allowed
C.No version ID is specified in the resource
D.No logging is enabled for the bucket
AnswerB

Principal '*' with Allow effect grants anonymous access to objects, making them public.

Why this answer

The policy allows any principal ('*') to perform s3:GetObject on the bucket, making the bucket publicly readable. This exposes objects to anyone on the internet. No encryption, logging, or versioning issues are indicated by this JSON snippet.

370
Multi-Selecthard

During an incident response exercise, a company discovers that sensitive data was exfiltrated. The CIRT needs to determine the root cause and prevent recurrence. Which THREE of the following steps are part of the lessons learned process? (Choose THREE.)

Select 3 answers
A.Conduct a full forensic analysis of affected systems.
B.Identify gaps in security controls and recommend improvements.
C.Update the incident response plan based on findings.
D.Document the timeline of events and actions taken.
E.Disable the compromised accounts immediately.
AnswersB, C, D

Identifying gaps and recommending improvements is a core lesson learned activity.

Why this answer

B, C, and D are correct. The lessons learned process includes identifying control gaps, updating the incident response plan, and documenting the timeline of events. A is part of the investigation phase, not lessons learned. E is immediate containment.

371
MCQhard

An organization uses a CI/CD pipeline that builds Docker images and pushes them to a private registry. A security analyst discovers that some images contain environment variables with database credentials. Which of the following is the most effective way to prevent this in the future?

A.Use a .dockerignore file to exclude credential files.
B.Implement multi-stage builds to separate build and runtime environments.
C.Scan images with a vulnerability scanner after build.
D.Reduce the base image size to minimize attack surface.
AnswerB

Why this answer

The best approach is to use multi-stage builds: build the application in one stage, then copy only the artifact to a final, clean image. This avoids including build-time secrets in the final image. Additionally, using Docker BuildKit's --secret flag can inject secrets without persisting them.

Exam trap

Candidates often choose 'Use .dockerignore to exclude files' because it can prevent some files from being copied, but environment variables set via ENV or passed at build time are not files. Multi-stage builds address the root cause.

Why the other options are wrong

A. .dockerignore prevents copying files but does not eliminate secrets set via ENV or build args.

C. Scanning detects known vulnerabilities, not embedded secrets.

D. Size reduction does not remove secrets already embedded.

372
MCQhard

A security analyst is reviewing a third-party assessment report and notes that the vendor's encryption algorithms are outdated. The contract requires the vendor to follow industry best practices. Which of the following is the BEST response?

A.Conduct a penetration test on the vendor's system.
B.Request the vendor to upgrade encryption algorithms to current standards.
C.Terminate the contract immediately.
D.Accept the risk because the vendor is technically compliant with the contract.
AnswerB

Directly asking the vendor to comply with the contract's best-practice clause is the most appropriate first step.

Why this answer

Option B is correct because the contract establishes the requirement, and requesting an upgrade is the proper first step to remedy the deficiency.

373
MCQmedium

A multinational corporation must comply with GDPR, CCPA, and LGPD. The CISO proposes a unified data classification policy. Which approach best minimizes compliance conflicts?

A.Adopt a unified policy based on GDPR as the strictest regulation
B.Create a unified policy meeting the most stringent requirements of all three regulations
C.Use a single policy based on the company's country of incorporation
D.Implement separate policies for each regulation
AnswerB

A unified baseline using the most restrictive elements ensures compliance with all three.

Why this answer

Option B is correct because a unified policy that meets the most stringent requirements of GDPR, CCPA, and LGPD ensures baseline compliance across all jurisdictions without violating any regulation. This approach minimizes conflicts by harmonizing data classification rules, such as consent management and data subject rights, under the highest common denominator, which is GDPR for most provisions like explicit consent and 72-hour breach notification.

Exam trap

CompTIA often tests the misconception that adopting the strictest single regulation (GDPR) is sufficient, but the trap is that each regulation has unique requirements (e.g., CCPA’s right to opt out of sale, LGPD’s appointment of a DPO under Article 41) that must be explicitly addressed in a unified policy to avoid compliance gaps.

How to eliminate wrong answers

Option A is wrong because adopting a unified policy based solely on GDPR as the strictest regulation may not address CCPA-specific requirements, such as the right to opt out of the sale of personal information (California Civil Code §1798.120) or LGPD’s unique legal basis for processing (e.g., legitimate interest under Article 10), leading to non-compliance. Option C is wrong because using a single policy based on the company's country of incorporation ignores extraterritorial scope requirements of GDPR (Article 3), CCPA (California Consumer Privacy Act), and LGPD (Article 3), creating gaps for data subjects in other jurisdictions. Option D is wrong because implementing separate policies for each regulation increases administrative overhead, risks conflicting data handling procedures (e.g., different retention periods), and fails to provide a unified data classification framework, which the CISO specifically proposed to minimize conflicts.

374
MCQhard

A company is migrating to a zero trust architecture. Which of the following is a key principle of zero trust?

A.Allow all traffic within the corporate network
B.Assume breach and verify every request
C.Trust devices based on their IP address
D.Trust but verify for all internal traffic
AnswerB

Zero trust operates on the principle of never trusting and always verifying.

Why this answer

Zero trust architecture is built on the principle of 'never trust, always verify,' which explicitly requires that every access request—regardless of origin—be authenticated, authorized, and continuously validated. Option B ('Assume breach and verify every request') captures this core tenet, as it mandates that no implicit trust is granted based on network location or device status, and every request must be treated as potentially malicious until proven otherwise.

Exam trap

The trap here is that candidates often confuse 'trust but verify' (Option D) with zero trust, but zero trust explicitly eliminates the initial trust assumption, requiring verification before any access is granted, not after.

How to eliminate wrong answers

Option A is wrong because zero trust explicitly rejects the model of allowing all traffic within the corporate network; instead, it enforces micro-segmentation and least-privilege access, blocking all traffic by default and only permitting what is explicitly allowed. Option C is wrong because zero trust does not trust devices based on their IP address—IP addresses are easily spoofed and change frequently; trust is instead established through device identity, health posture, and continuous authentication (e.g., using certificates or device attestation). Option D is wrong because 'trust but verify' is the opposite of zero trust; zero trust assumes no trust at any point, requiring verification for every request, including internal traffic, rather than granting initial trust and then verifying.

375
Multi-Selecthard

Which THREE of the following are required for a valid Business Associate Agreement (BAA) under HIPAA? (Select THREE)

Select 3 answers
A.Indemnification clause for breaches
B.Permitted and required uses of PHI
C.Requirement to store data in the United States
D.Safeguards to protect PHI
E.Procedures for breach notification
AnswersB, D, E

Permitted uses of PHI, safeguards, and breach notification procedures must be specified in the agreement.

Why this answer

A Business Associate Agreement (BAA) must specify the permitted and required uses of Protected Health Information (PHI) by the business associate. This is a core requirement under HIPAA §164.504(e)(2)(i) to ensure the business associate does not use or disclose PHI beyond what is authorized by the covered entity or required by law.

Exam trap

CompTIA often tests the distinction between mandatory BAA elements (permitted uses, safeguards, breach notification) and optional contractual terms (indemnification, data storage location) to see if candidates confuse common business contract clauses with HIPAA regulatory requirements.
