CompTIA SecurityX CAS-004 (CAS-004): Questions 376 to 450

510 questions total · 7 pages · All types, answers revealed

Page 6 of 7
376
Matching · medium

Match each error code or HTTP status code to its meaning.



Forbidden

Not Found

Internal Server Error

Bad Gateway

Unauthorized

Why these pairings

HTTP status codes are important for web security and troubleshooting.

377
MCQ · hard

During a security assessment, a tester finds that a web application accepts user input and directly uses it in an LDAP query without sanitization. Which of the following attacks is most likely to be successful?

A. Cross-site scripting
B. SQL injection
C. Remote file inclusion
D. LDAP injection
Answer: D

LDAP injection occurs when user input is improperly concatenated into LDAP queries.

Why this answer

Option D is correct because unsanitized input in an LDAP query leads to LDAP injection. Option B (SQL injection) applies to SQL queries. Option A (XSS) applies to output in web pages. Option C (remote file inclusion) applies to file inclusion vulnerabilities.

378
Multi-Select · medium

A DevOps engineer is automating the deployment of a web application using containers. Which of the following security practices should be implemented to reduce the attack surface of the containers? (Select TWO.)

Select 2 answers
A. Run containers as a non-root user
B. Build images with embedded database credentials
C. Use minimal base images like Alpine or distroless
D. Expose port 22 for SSH debugging
E. Grant all Linux capabilities to the container
Answers: A, C

Why this answer

Running containers as a non-root user (option A) is a fundamental security best practice because it limits the privileges available to processes inside the container. If an attacker compromises the application, they will not have root access to the host or the container runtime, reducing the potential for privilege escalation or host-level damage. This aligns with the principle of least privilege, which is critical for container security.

Exam trap

CompTIA often tests the misconception that containers are inherently secure because they are isolated, but the trap here is that default root execution and bloated base images are common misconfigurations that dramatically increase the attack surface, and candidates may overlook the need to explicitly drop privileges and minimize image content.

Why the other options are wrong

B. Embedding secrets in images is insecure; they should be injected at runtime.

D. Exposing SSH adds an attack vector and is unnecessary in production.

E. Granting all capabilities weakens isolation; containers should drop all unnecessary capabilities.

379
MCQ · easy

A small business wants to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS). Which of the following is an essential requirement they must implement?

A. Implement logging and monitoring of all access to cardholder data
B. Encrypt all cardholder data at rest
C. Conduct vulnerability scans on a monthly basis
D. Perform continuous penetration testing
Answer: A

PCI DSS Requirement 10 requires logging and monitoring.

Why this answer

Option A is correct because PCI DSS Requirement 10 mandates logging and monitoring of access to cardholder data. Option B is wrong because encryption in transit is what is required; encrypting all cardholder data at rest is not required of every merchant. Option C is wrong because quarterly scans are required, not monthly.

Option D is wrong because penetration testing is required annually, not continuously.

380
MCQ · medium

A company has implemented a hardware security module (HSM) to manage cryptographic keys for a payment processing system. Which of the following best describes an advantage of using an HSM over software-based key storage?

A. Easier key rotation
B. Tamper-resistant key storage
C. Faster cryptographic operations
D. Lower implementation cost
Answer: B

HSMs provide physical and logical protections to prevent key extraction and tampering.

Why this answer

HSMs are tamper-resistant devices that protect keys from physical and logical attacks, offering a higher level of security than software-based storage. While HSMs can be costly and may have slower key generation, their primary advantage is physical security.

381
Multi-Select · medium

A security architect is designing a risk mitigation strategy for a critical application. Which TWO of the following are examples of risk acceptance? (Select TWO.)

Select 2 answers
A. Outsourcing the application hosting to a third party.
B. Obtaining senior management sign-off to accept the risk without additional controls.
C. Purchasing cyber insurance to cover potential losses.
D. Formally acknowledging the residual risk after controls are implemented.
E. Implementing an intrusion prevention system to reduce the likelihood of attacks.
Answers: B, D

Management sign-off is a documented acceptance.

Why this answer

Risk acceptance involves acknowledging the risk and taking no further action, or obtaining a formal waiver. Insurance transfers risk rather than accepting it. Implementing controls reduces risk. Outsourcing transfers risk.

382
MCQ · easy

Which security issue is addressed by this configuration?

A. Enables server-side includes
B. Prevents directory listing
C. Blocks access to all files
D. Enables CGI execution
Answer: B

`-Indexes` explicitly disables directory listing.

Why this answer

The `-Indexes` option disables directory listing, preventing visitors from seeing the contents of a directory if no index file is present. `AllowOverride None` disables .htaccess overrides, and `Allow from all` permits access.

383
MCQ · hard

A global e-commerce company processes payment card data and is required to comply with PCI DSS. During a quarterly vulnerability scan, the security team discovers that a web application firewall (WAF) rule is blocking legitimate traffic, causing transaction failures. The WAF is a critical compensating control for a known vulnerability in the application that cannot be patched for 90 days. The compliance officer is concerned about maintaining PCI DSS compliance while ensuring business continuity. The security team proposes temporarily disabling the WAF to restore service while they fine-tune the rules. Which of the following is the BEST action?

A. Segment the affected application from the rest of the network and remove the WAF from the data path.
B. Disable the WAF immediately to restore service and document the decision as a risk acceptance.
C. Accept the risk of transaction failures and keep the WAF in place until the rules are fully tested.
D. Temporarily modify the WAF rule set to allow legitimate traffic while maintaining security, and schedule a permanent fix within 24 hours.
Answer: D

Fine-tuning rules restores service without compromising the compensating control.

Why this answer

Option D is correct because fine-tuning the WAF rules quickly is the best approach to restore service while maintaining security. Option B is wrong because disabling the WAF would remove the compensating control and violate PCI DSS requirement 6.6. Option A is wrong because relying solely on network segmentation may not provide equivalent protection. Option C is wrong because accepting risk without a compensating control is not permitted under PCI DSS.

384
MCQ · hard

An organization is implementing a zero trust architecture (ZTA). The security architect proposes using a software-defined perimeter (SDP) to replace the traditional VPN for remote access. Which of the following best describes the primary security benefit of SDP over VPN in a zero trust model?

A. It provides deep packet inspection to detect malicious traffic.
B. It enforces multi-factor authentication for every session.
C. It reduces latency by establishing direct peer-to-peer connections.
D. It prevents unauthorized users from discovering the application infrastructure.
Answer: D

SDP uses a 'black cloud' approach where the application server is invisible until the user is authenticated and authorized, reducing the attack surface.

Why this answer

In a zero trust architecture, the primary security benefit of a software-defined perimeter (SDP) over a traditional VPN is that it hides the application infrastructure from unauthorized users. SDP uses a controller-based model where devices must authenticate and be authorized before they can even see the application servers, effectively creating a 'black cloud' that prevents discovery and reduces the attack surface. This aligns with the zero trust principle of 'never trust, always verify' and eliminates the network-level visibility that VPNs inherently provide to any connected client.

Exam trap

The trap here is that candidates confuse the 'direct' connection behavior of some SDP implementations with a security benefit, when in fact the core advantage is hiding infrastructure from unauthorized users, not reducing latency or enabling peer-to-peer connections.

How to eliminate wrong answers

Option A is wrong because deep packet inspection is a feature of next-generation firewalls or intrusion prevention systems, not a core or defining benefit of SDP; SDP focuses on access control and visibility hiding, not traffic inspection. Option B is wrong because multi-factor authentication is a common requirement in both SDP and modern VPN solutions; it is not unique to SDP and does not represent the primary security benefit over VPN. Option C is wrong because SDP typically uses a controller to broker connections and often routes traffic through a gateway or proxy, not direct peer-to-peer connections; reducing latency is not a primary security benefit, and direct connections can actually introduce security risks in a zero trust model.

385
Multi-Select · hard

Which TWO of the following are effective defenses against Server-Side Request Forgery (SSRF) attacks? (Select TWO.)

Select 2 answers
A. Whitelist allowed outbound IP addresses and domains
B. Use a web application firewall (WAF) to block SSRF signatures
C. Enforce strict referrer headers on requests
D. Disable unused URL schemes (e.g., file://, dict://)
E. Implement input validation on all user-supplied URLs
Answers: A, D

Restricting outbound connections to known safe destinations prevents the server from making requests to internal or malicious hosts.

Why this answer

Options A and D are correct. Whitelisting allowed outbound destinations (A) and disabling unused URL schemes (D) are direct defenses. Option E (input validation) is helpful but can be bypassed. Option B (WAF) is signature-based and not a primary defense. Option C (referrer headers) is not specific to SSRF.

386
Multi-Select · easy

Which two are best practices for securing Docker container images? (Select TWO.)

Select 2 answers
A. Use multi-stage builds to reduce image size
B. Store images on a public registry for easy sharing
C. Use the latest tag for base images
D. Run containers as a non-root user
E. Scan images for known vulnerabilities before deployment
Answers: D, E

Non-root containers limit the impact of a compromise.

Why this answer

Options D (run containers as non-root) and E (scan images for vulnerabilities) are correct. Option C (use the latest tag) is insecure because the image it resolves to can change unexpectedly. Option B (store on a public registry) exposes images. Option A (multi-stage builds) is a good practice that reduces image size and attack surface, but it is primarily a build optimization rather than a security control, so D and E are the more direct security best practices.

387
MCQ · medium

After a security incident, the IR team identifies that the attacker used a spear-phishing email with an attached malicious macro. Which log source would be MOST crucial to determine the scope of the compromise?

A. Endpoint detection and response (EDR) telemetry
B. Windows Event Logs (Event ID 4688)
C. Proxy server logs
D. Email server logs
Answer: C

Proxy logs reveal connections to C2 servers and data exfiltration attempts.

Why this answer

Option C is correct because proxy logs show outbound HTTP/HTTPS connections, which malware often uses for C2 and data exfiltration. Option D shows email senders and recipients but not system activity. Option B shows local process execution but may not show network connections. Option A shows endpoint network connections but may not capture all outbound traffic if the telemetry is not forwarded.

388
Multi-Select · easy

An organization is implementing a public key infrastructure (PKI). Which THREE of the following are essential components?

Select 3 answers
A. Key escrow agent
B. Certificate authority (CA)
C. Certificate database and CRL
D. Registration authority (RA)
E. Time-stamping authority (TSA)
Answers: B, C, D

The CA signs and issues certificates.

Why this answer

A CA issues certificates, an RA verifies identity before certificate issuance, and the certificate database stores issued certificates and CRLs.

389
MCQ · easy

An organization needs to demonstrate compliance with the General Data Protection Regulation (GDPR) for processing personal data of EU citizens. Which of the following is a mandatory requirement under GDPR?

A. Obtain explicit consent for all data processing
B. Notify supervisory authority of a breach within 24 hours
C. Implement data protection by design and default
D. Store all personal data within the EU
Answer: C

GDPR requires data protection by design and default.

Why this answer

Option C is correct because GDPR mandates that data protection must be integrated into processing activities (Data Protection by Design and Default). Option D is wrong because data localization is not a blanket requirement. Option B is wrong because breach notification is within 72 hours, not 24. Option A is wrong because consent is not always required; other lawful bases exist.

390
Multi-Select · hard

A CSIRT is developing a threat hunting hypothesis based on the MITRE ATT&CK framework. Which THREE of the following are techniques that threat hunters would commonly investigate for initial access? (Choose three.)

Select 3 answers
A. Exploit public-facing application
B. Spear-phishing attachment
C. Valid accounts
D. Remote services
E. Boot or logon autostart execution
Answers: A, B, C

Exploiting vulnerabilities in internet-facing applications is another common technique.

Why this answer

Options A, B, and C are correct. Spear-phishing, exploitation of public-facing applications, and valid accounts are common initial access techniques. Option D (remote services) is for lateral movement, and Option E is for persistence.

391
Multi-Select · hard

A security team is automating incident response using playbooks. Which two of the following are critical considerations when designing automated response actions? (Select two.)

Select 2 answers
A. Execute all actions immediately to minimize damage.
B. Include a manual approval step for high-impact actions.
C. Ensure automated actions are reversible.
D. Use the same playbook for all incident types.
Answers: B, C

Why this answer

Option B is correct because high-impact automated actions, such as blocking a critical server or deleting user accounts, can cause significant collateral damage if triggered by a false positive. Including a manual approval step ensures a human verifies the alert before irreversible or disruptive actions are taken, aligning with the principle of least privilege and incident response best practices.

Exam trap

CompTIA often tests the misconception that speed is always the priority in automation, tempting candidates to select 'execute all actions immediately' without considering the need for validation and reversibility in high-stakes environments.

Why the other options are wrong

A. Immediate execution without validation can cause collateral damage.

D. Different incidents require tailored responses; one-size-fits-all is ineffective.

392
MCQ · easy

A network architect is designing a DMZ for a web application. Which of the following is the MOST appropriate placement for a reverse proxy?

A. In the management network
B. In the DMZ
C. In the database tier
D. Inside the internal network
Answer: B

The DMZ is the appropriate security zone for externally facing services.

Why this answer

A reverse proxy should be placed in the DMZ to handle external requests and provide an additional layer of security by buffering the internal web servers. Placing it inside the internal network, database tier, or management network would defeat its purpose.

393
MCQ · medium

A financial services company is implementing a risk management framework. The security team has identified that the current encryption algorithm for customer data in transit is deprecated. According to NIST SP 800-53, which of the following is the MOST appropriate step to address this finding?

A. Implement compensating controls such as network segmentation
B. Update the encryption algorithm to a FIPS 140-2 validated one
C. Accept the risk because the algorithm is still functional
D. Transfer the risk by purchasing cyber insurance
Answer: B

Updating aligns with NIST SP 800-53 cryptographic controls.

Why this answer

Option B is correct because updating the encryption algorithm aligns with NIST SP 800-53 controls for cryptographic protection. Option C is wrong because accepting risk without mitigation is not appropriate for a deprecated algorithm. Option A is wrong because compensating controls do not address the root cause. Option D is wrong because transferring risk via cyber insurance does not fix the technical issue.

394
Multi-Select · hard

A DevOps team is automating server configuration using configuration management tools. Which THREE principles should be followed to ensure secure automation? (Choose three.)

Select 3 answers
A. Store secrets in encrypted variables or vaults
B. Implement least privilege for automation agents
C. Use idempotent scripts to ensure consistent state
D. Hardcode credentials in automation scripts
E. Perform unit testing on scripts
Answers: A, B, C

Encrypting secrets prevents exposure in scripts or logs.

Why this answer

Storing secrets encrypted, ensuring idempotency, and applying least privilege to automation agents are key security practices. Hardcoding credentials is insecure. While unit testing is good, it is not specifically a security principle.

395
Drag & Drop · medium

Drag and drop the steps to perform a secure code review for a web application into the correct order.



Why this order

Secure code review: understand code, automated scan, manual review, document, and communicate findings.

396
MCQ · medium

You are a security consultant for a law firm that handles highly confidential client data. The firm wants to implement a data loss prevention (DLP) solution to prevent sensitive data from leaving the network via email. The firm's email system is Microsoft 365. The DLP policy must comply with the firm's data classification policy, which identifies 'Legal Strategy' as top secret and 'Client Contact Info' as confidential. The firm also wants to allow attorneys to send confidential information to clients with a business justification. Which of the following DLP rule configurations best meets these requirements?

A. Encrypt all emails containing any sensitive data and allow delivery
B. Block both top secret and confidential content with no override
C. Block top secret content and allow confidential content with an audit log
D. Block top secret content and allow confidential content with an override requiring a business justification
Answer: D

Balances security and usability

Why this answer

Option D is correct because it aligns with the firm's data classification policy by blocking top-secret 'Legal Strategy' content outright, while allowing 'Client Contact Info' (confidential) to be sent with a business justification override. This balances security with operational needs, as Microsoft 365 DLP supports policy tips and override options with justification for lower-sensitivity data, ensuring compliance without disrupting attorney-client communication.

Exam trap

The trap here is that candidates often confuse 'allow with audit log' (passive monitoring) with 'allow with override requiring justification' (active enforcement), overlooking the specific business requirement for a justification workflow.

How to eliminate wrong answers

Option A is wrong because encrypting all emails containing sensitive data does not prevent data leakage; it only protects data in transit, and the firm requires blocking top-secret content, not just encrypting it. Option B is wrong because blocking both top-secret and confidential content with no override is too restrictive; it would prevent attorneys from sending confidential client contact info even with a legitimate business need, violating the requirement to allow such communication with justification. Option C is wrong because allowing confidential content with only an audit log provides no enforcement mechanism; the firm explicitly requires a business justification override for confidential data, not just passive logging.

397
MCQ · hard

A security analyst reviews the syslog messages from the company's ASA firewall. Based on the exhibit, which of the following is the MOST likely cause of the denied traffic?

A. The external server is trying to initiate connections to the internal host on port 80.
B. Network address translation (NAT) is not configured correctly for the internal host.
C. The access-group "OUTSIDE_IN" is applied to the wrong interface or direction, blocking legitimate outbound traffic.
D. The internal host is attempting a port scan against the external server.
Answer: C

The access list name suggests it is meant for inbound traffic on the outside interface, but it is blocking outbound traffic, indicating a misapplication.

Why this answer

The syslog message shows traffic from the internal host (10.10.10.10) to the external server (209.165.200.225) on port 80 being denied by the access-group "OUTSIDE_IN" applied to the outside interface. Since the traffic is outbound (source inside, destination outside), an inbound access-list on the outside interface would block this legitimate outbound traffic because it evaluates packets entering the interface from the outside, not leaving it. The correct configuration would be to apply the access-group to the inside interface in the inbound direction or to the outside interface in the outbound direction.

Exam trap

CompTIA often tests the concept that an access-list applied inbound on the outside interface filters traffic entering from the outside, not traffic leaving the inside, causing candidates to mistakenly think the ACL blocks inbound traffic when it actually blocks outbound traffic.

How to eliminate wrong answers

Option A is wrong because the denied traffic is from the internal host to the external server on port 80, not the reverse; the syslog shows source 10.10.10.10 and destination 209.165.200.225, so the external server is not initiating connections. Option B is wrong because NAT misconfiguration would typically result in translation failures or asymmetric routing, not a deny by an access-list named "OUTSIDE_IN"; the syslog explicitly shows the deny is due to the access-group, not a NAT issue. Option D is wrong because there is no evidence of a port scan in the single syslog entry; a port scan would generate multiple denied packets to different ports or sequential IPs, and the log shows only a single TCP SYN to port 80, which is normal web traffic.

398
MCQ · medium

A company is designing a secure web application that processes credit card payments. The architect needs to ensure that the application is resilient against SQL injection attacks. Which of the following is the most effective defense?

A. Use stored procedures exclusively for database access.
B. Deploy a web application firewall (WAF) with SQL injection rules.
C. Use parameterized queries or prepared statements for all database interactions.
D. Implement client-side input validation and sanitize all user input.
Answer: C

Parameterized queries ensure data is treated as data, effectively preventing SQL injection.

Why this answer

Parameterized queries (prepared statements) are the most effective defense against SQL injection because they separate SQL logic from user-supplied data at the database driver level. This ensures that user input is always treated as a literal value, never as executable SQL code, regardless of any malicious content. This approach directly prevents the attacker from altering the query structure, which is the root cause of SQL injection.

Exam trap

The trap here is that candidates often choose stored procedures (Option A) thinking they are inherently safe, but the exam tests the nuance that stored procedures are only safe if they use parameterized queries internally, not if they concatenate input into dynamic SQL.

How to eliminate wrong answers

Option A is wrong because stored procedures alone do not prevent SQL injection if they are called with dynamically concatenated SQL strings or if the stored procedure itself uses dynamic SQL without parameterization. Option B is wrong because a WAF is a reactive, signature-based defense that can be bypassed with encoding variations or novel attack patterns; it does not fix the underlying vulnerability in the application code. Option D is wrong because client-side validation is easily bypassed (e.g., by disabling JavaScript or using tools like Burp Suite), and server-side sanitization is error-prone and often insufficient against all injection vectors.
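The two query styles contrasted above, as an added example that is not part of the question bank: the same customer lookup written with string concatenation and with a parameterized query, run against a constructed in-memory SQLite table so the difference in behaviour can be observed (the table, rows and function names are assumptions made for this example).

```python
"""Added example (not from the question bank): concatenated vs parameterized lookup
against a constructed in-memory SQLite table."""
import sqlite3

# Constructed sample data: three customer records.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: user input becomes part of the SQL text, so it can alter
    the structure of the query (the pattern the question warns against)."""
    sql = (
        "SELECT id, username, email FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the driver binds the value separately from the SQL text, so
    whatever the input contains it is compared as a literal string."""
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both forms on one input and report how many rows each returns."""
    conn = make_db()
    try:
        return {
            "concatenated": len(lookup_concatenated(conn, username)),
            "parameterized": len(lookup_parameterized(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("benign input:", compare("alice"))
    # The "OR 1=1" pattern the WAF question on this page names as a signature.
    print("OR 1=1 input:", compare("x' OR 1=1 --"))
```

With the benign name both forms return one row; with the `OR 1=1` input the concatenated query returns every row while the parameterized query returns none, because no username literally equals that string.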

399
Multi-Select · medium

A security engineer is reviewing the configuration of a web application firewall (WAF) that protects a critical e-commerce site. Which TWO settings should be enabled to defend against SQL injection attacks? (Select TWO.)

Select 2 answers
A. Enable SQL injection signature rules.
B. Enable input validation for all query parameters.
C. Enable rate limiting on login endpoints.
D. Enable IP reputation blocking.
E. Enable SSL/TLS inspection for all traffic.
Answers: A, B

Signature rules detect known SQL injection patterns.

Why this answer

Option A is correct because enabling SQL injection signature rules allows the WAF to inspect HTTP requests for known SQL injection patterns, such as UNION, OR 1=1, or comment sequences like '--', using a predefined rule set. Option B is correct because input validation for all query parameters ensures that user-supplied data is sanitized or rejected before reaching the application, preventing malicious SQL syntax from being interpreted by the database. Together, these controls provide both signature-based detection and behavioral prevention against SQL injection attacks.

Exam trap

The trap here is that candidates often confuse rate limiting or IP reputation as general security measures that would stop SQL injection, but these controls address different attack vectors (DoS and network-layer filtering) and do not inspect the content of requests for malicious SQL syntax.

400
Multi-Select · easy

An organization is creating a data classification policy. Which THREE of the following are common classification levels used in government and defense? (Select THREE.)

Select 3 answers
A. Top Secret
B. Private
C. Secret
D. Confidential
E. Public
Answers: A, C, D

Top Secret is a standard classification.

Why this answer

Common government classification levels are Unclassified, Confidential, Secret, and Top Secret. Private and Public are common in commercial classification schemes but are not standard government levels.

401
MCQ · medium

A DevOps team uses Ansible to automate server configuration. They need to ensure that sensitive variables like passwords are not exposed in playbook logs or version control. What is the recommended approach?

A. Use Ansible Vault to encrypt sensitive variables
B. Use environment variables only
C. Store secrets in plain text within the playbook
D. Encrypt the entire playbook file
Answer: A

Ansible Vault encrypts specific variables or files, protecting secrets.

Why this answer

Ansible Vault encrypts sensitive data, preventing exposure. Storing in plain text is insecure, environment variables can leak in logs, and encrypting the whole playbook is unnecessary and hampers readability.

402
MCQ · easy

What is the primary benefit of using infrastructure as code (IaC) tools like Terraform for cloud resource provisioning?

A. It reduces cloud costs by optimizing resource usage.
B. It eliminates the need for manual configuration management.
C. It provides a declarative language to define resources, enabling version control and repeatability.
D. It automatically applies security patches to resources.
Answer: C

Declarative IaC ensures consistent and tracked deployments.

Why this answer

Option C is correct because IaC allows declarative definition of resources, enabling version control, repeatability, and consistency. Option B is exaggerated; manual configuration is still needed. Option D is wrong because patching is not automatic. Option A is not a primary benefit.

403
MCQ · easy

Refer to the exhibit. A security review is being conducted on the Python application configuration. Which of the following security issues is present?

A. The DB_CONNECTION environment variable is missing a default value
B. The default database connection is SQLite, which is insecure for production
C. The code does not handle the case where API_KEY is not set, potentially causing an error
D. The API key is stored in an environment variable, which is insecure
Answer: C

Using os.environ with no default will raise an exception if the variable is missing, which can lead to information disclosure or denial of service.

Why this answer

Option C is correct because os.environ['API_KEY'] will raise a KeyError if the environment variable is not set, causing the application to crash and potentially reveal error messages. Option D (environment variables are insecure) is false; they are a standard method. Option A (missing default) is false because getenv provides a default. Option B (SQLite is insecure) is not necessarily true and is not the immediate issue.
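The failure mode described above, as an added example rather than the exhibit from the question: a settings loader that reads os.environ['API_KEY'] directly, beside one that checks for the variable and fails with a controlled error. The API_KEY name and the DB_CONNECTION default to SQLite follow the question; the exact sqlite path, the ConfigError type and the function names are assumptions made for this example.

```python
"""Added example (not the question's exhibit): fragile vs checked settings loading."""
import os
from typing import Callable, Mapping


class ConfigError(RuntimeError):
    """Raised when required configuration is missing; carries names, never values."""


def load_settings_fragile(env: Mapping[str, str] = os.environ) -> dict:
    """The pattern the question describes: a missing API_KEY raises KeyError,
    which normally surfaces as an unhandled crash and a stack trace."""
    return {
        "db_connection": env.get("DB_CONNECTION", "sqlite:///app.db"),  # assumed default
        "api_key": env["API_KEY"],  # KeyError if the variable is unset
    }


def load_settings_checked(env: Mapping[str, str] = os.environ) -> dict:
    """Hardened form: verify required variables up front and raise one controlled
    error that names the missing variable without echoing any secret."""
    missing = [name for name in ("API_KEY",) if not env.get(name)]
    if missing:
        raise ConfigError(
            "missing required environment variable(s): " + ", ".join(missing)
        )
    return {
        "db_connection": env.get("DB_CONNECTION", "sqlite:///app.db"),
        "api_key": env["API_KEY"],
    }


def startup_outcome(loader: Callable[[Mapping[str, str]], dict],
                    env: Mapping[str, str]) -> str:
    """Classify what happens at startup for a given loader and environment."""
    try:
        loader(env)
        return "started"
    except ConfigError as exc:
        return f"refused: {exc}"
    except KeyError as exc:
        return f"crashed: KeyError {exc}"


if __name__ == "__main__":
    # Constructed environments: one empty, one complete (the key is a dummy value).
    complete = {"API_KEY": "constructed-test-key", "DB_CONNECTION": "postgresql://db/app"}
    print(startup_outcome(load_settings_fragile, {}))
    print(startup_outcome(load_settings_checked, {}))
    print(startup_outcome(load_settings_checked, complete))
```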

404
MCQ · medium

A company deploys a web application behind a WAF. The security team discovers that the WAF allows traffic from a known malicious IP. After investigating, they find the WAF is configured to allow all traffic from a specific country for business reasons. Which of the following is the BEST course of action?

A. Deploy an additional IPS device to block the IP.
B. Remove the country-based allow rule immediately.
C. Add a specific deny rule for the malicious IP within the country allow rule, using an exception list.
D. Change the WAF from detection mode to blocking mode.
Answer: C

This allows legitimate traffic from the country while blocking the known malicious IP, addressing the threat without disrupting business.

Why this answer

Option C is correct because creating a geo-IP exception list for the malicious IP within the allowed country maintains business requirements while blocking the threat. Option B is wrong because removing the entire country allow rule may disrupt business and is too broad. Option A is wrong because an IPS is a different control; adjusting the WAF rules is more direct. Option D is wrong because changing the WAF to blocking mode may cause false positives and is a drastic change.

405
MCQ · medium

A threat hunter hypothesizes that a sophisticated attacker is using DNS tunneling for command and control. Which data source would most likely confirm this activity?

A. Network flow data (NetFlow)
B. DNS query logs from authoritative/internal DNS servers
C. Endpoint antivirus alerts
D. Web proxy logs
Answer: B

DNS logs contain query names and types; tunneling leaves unusual patterns.

Why this answer

Option B is correct because DNS logs contain queries and responses; anomalous patterns like large TXT records or high frequency indicate tunneling. Option A is wrong because firewall logs may show traffic but not DNS content. Option C is wrong because antivirus may not detect tunneling.

Option D is wrong because web proxy logs show HTTP traffic.
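The kind of analysis the explanation above describes, as an added example that is not part of the question bank: it scores constructed DNS query-log lines per base domain on subdomain entropy, subdomain uniqueness, query-name length and the share of TXT queries, and flags domains that trip two or more indicators. The log layout, the thresholds and the "last two labels" notion of a base domain are assumptions for illustration (a real detector would use the Public Suffix List and the resolver's actual log format).

```python
"""Added example (not from the question bank): scoring DNS query logs for
tunneling indicators. Log layout and thresholds are assumptions."""
import math
import re
from collections import defaultdict

# Constructed sample query log in an assumed "<epoch> <client_ip> <qtype> <qname>" layout.
# Real resolver logs (BIND, Windows DNS, Route 53 query logging) are laid out differently.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 A cdn.example.com
1700000002 10.0.0.6 A mail.example.com
1700000003 10.0.0.5 A api.example.com
1700000004 10.0.0.5 A www.example.com
1700000005 10.0.0.9 TXT _dmarc.example.com
1700000006 10.0.0.6 A www.example.com
1700000010 10.0.0.7 TXT abcdefghijklmnopqrstuvwxyz234567.c2.evil-example.net
1700000011 10.0.0.7 TXT 765432zyxwvutsrqponmlkjihgfedcba.c2.evil-example.net
1700000012 10.0.0.7 TXT bdfhjlnprtvxz246acegikmoqsuwy357.c2.evil-example.net
1700000013 10.0.0.7 TXT zyxwvutsrqponmlkjihgfedcba765432.c2.evil-example.net
1700000014 10.0.0.7 TXT acegikmoqsuwy357bdfhjlnprtvxz246.c2.evil-example.net
1700000020 10.0.0.8 A login.other-example.org
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high, 'www' scores 0."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the constructed log layout into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"ts": int(m["ts"]), "client": m["client"],
                            "qtype": m["qtype"], "qname": m["qname"].lower().rstrip(".")})
    return records


def base_domain(qname):
    # Assumption for the example: registered domain = last two labels.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def profile_domains(records):
    """Aggregate per base domain: query count, TXT count, distinct subdomains, entropy and length sums."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "subdomains": set(),
                                 "entropy_sum": 0.0, "len_sum": 0})
    for r in records:
        domain = base_domain(r["qname"])
        sub = r["qname"][:-len(domain)].rstrip(".") if r["qname"] != domain else ""
        st = stats[domain]
        st["queries"] += 1
        st["txt"] += r["qtype"] == "TXT"
        st["subdomains"].add(sub)
        st["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        st["len_sum"] += len(r["qname"])
    return stats


def find_tunneling_suspects(records, min_queries=4, entropy_threshold=3.5,
                            unique_ratio=0.8, txt_ratio=0.5, avg_len=40):
    """Return {domain: [reasons]} for domains that trip at least two indicators."""
    suspects = {}
    for domain, st in profile_domains(records).items():
        n = st["queries"]
        if n < min_queries:
            continue  # too little data to judge
        reasons = []
        if st["entropy_sum"] / n >= entropy_threshold and len(st["subdomains"]) / n >= unique_ratio:
            reasons.append("high-entropy, rarely repeated subdomains")
        if st["len_sum"] / n >= avg_len:
            reasons.append("long query names")
        if st["txt"] / n >= txt_ratio:
            reasons.append("TXT-heavy")
        if len(reasons) >= 2:
            suspects[domain] = reasons
    return suspects


if __name__ == "__main__":
    for domain, reasons in find_tunneling_suspects(parse_log(SAMPLE_LOG)).items():
        print(domain, "->", ", ".join(reasons))
```

Only `evil-example.net` is flagged on the sample: its queries are all TXT, every subdomain is a fresh 32-character random label, and the names are over 50 characters. The ordinary `example.com` traffic, including the legitimate `_dmarc` TXT lookup, stays below every threshold, which is the point of requiring two indicators rather than one.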

406
MCQhard

A security team needs to automate the enforcement of cloud security policies across multiple accounts in AWS. They want a solution that uses code to define policies and automatically remediate violations. Which approach best meets these requirements?

A.Write Python boto3 scripts that run on a schedule to check and update security groups.
B.Use AWS Config with managed rules and custom Lambda functions for auto-remediation.
C.Enable AWS GuardDuty and rely on its threat detection alerts.
D.Deploy a third-party cloud security posture management (CSPM) tool like Prisma Cloud.
AnswerB

AWS Config rules are defined in code (JSON) and remediation via Lambda automates enforcement.

Why this answer

Option B is correct: AWS Config rules with custom Lambda functions can automate remediation. Option A is manual scripting.

Option C (GuardDuty) is reactive, not automated enforcement. Option D is a separate third-party tool.

407
MCQeasy

A company wants to automate the creation of IAM roles and policies in AWS using infrastructure as code. Which tool is specifically designed for provisioning cloud infrastructure across multiple providers?

A.Terraform
B.Jenkins
C.Docker
D.Ansible
AnswerA

Terraform is a declarative IaC tool for cloud provisioning.

Why this answer

Terraform is an IaC tool focused on provisioning resources across cloud providers. Docker handles containers, Ansible is configuration management, and Jenkins is CI/CD.

408
MCQmedium

A security analyst at a large enterprise notices that several servers have missing security patches that are critical. The patch management process requires approval from the change advisory board (CAB) which meets weekly. The next meeting is in three days, but the vulnerability is being actively exploited. What should the analyst do?

A.Implement temporary compensating controls until the CAB approves.
B.Apply the patches immediately without waiting for CAB approval.
C.Notify the system owners and leave the decision to them.
D.Document the issue and wait for the CAB meeting.
AnswerA

Compensating controls mitigate risk while following the change management process.

Why this answer

A is correct. Implementing compensating controls reduces immediate risk while awaiting formal approval. Immediate patching bypasses change control and may cause instability.

Waiting is too slow. Leaving the decision to owners abdicates responsibility.

409
MCQmedium

A security architect is designing a zero-trust network architecture for a hybrid cloud environment. The company uses on-premises servers and AWS. Which of the following best implements the principle of least privilege for inter-component communication?

A.Deploy an SD-WAN with dynamic path selection and encryption for all inter-site traffic.
B.Implement micro-segmentation with stateful firewalls and explicit allow rules between each workload.
C.Use network ACLs on the cloud VPC and on-premises routers to deny all traffic by default, then allow required ports.
D.Deploy a site-to-site VPN and route all inter-component traffic through a VPN concentrator.
AnswerB

Micro-segmentation with explicit allow rules ensures only necessary traffic is permitted, adhering to least privilege.

Why this answer

Option B is correct because micro-segmentation with stateful firewalls and explicit allow rules enforces least privilege at the workload level, ensuring that only explicitly permitted inter-component traffic is allowed. This approach is fundamental to zero-trust architectures, as it reduces the attack surface by preventing lateral movement, even within the same subnet or VPC.

Exam trap

CompTIA often tests the misconception that network-layer controls like ACLs or VPNs are sufficient for zero-trust least privilege, when in fact they lack the workload-level granularity and stateful enforcement required for true micro-segmentation.

How to eliminate wrong answers

Option A is wrong because SD-WAN with dynamic path selection and encryption focuses on optimizing and securing inter-site connectivity, not on granular per-workload access control; it does not enforce least privilege between individual components. Option C is wrong because network ACLs and on-premises routers operate at the subnet or network layer, not at the workload level, and they lack stateful inspection, making them insufficient for fine-grained, per-component allow rules required for zero-trust. Option D is wrong because a site-to-site VPN with a concentrator creates a tunnel for all inter-component traffic but does not provide per-workload segmentation or explicit allow rules; it merely encrypts traffic without controlling which specific components can communicate.

410
MCQeasy

A company wants to ensure that only authorized code runs on its point-of-sale (POS) terminals. Which technology should be implemented?

A.Application whitelisting
B.Code signing
C.Trusted Platform Module (TPM)
D.Secure Boot
AnswerB

Code signing digitally signs executables, and the system validates the signature before allowing execution.

Why this answer

Code signing ensures that executables are digitally signed by a trusted publisher, and the system verifies the signature before execution. TPM is for attestation, application whitelisting is a policy, and secure boot focuses on boot-time integrity.

411
MCQmedium

An incident responder notices that a compromised host is sending encrypted C2 traffic over TCP port 443. The existing firewall rule allows outbound HTTPS (443) to any destination. Which change to the security architecture would best detect this behavior while minimizing impact on legitimate traffic?

A.Deploy a forward proxy with SSL/TLS inspection
B.Block outbound TCP 443 and require users to use a VPN
C.Enable logging on the firewall for all outbound 443 traffic
D.Install a network-based IDS on the internal side of the firewall
AnswerA

A proxy can decrypt, inspect, and re-encrypt traffic to detect malicious payloads.

Why this answer

An SSL/TLS inspection proxy can decrypt outbound traffic for inspection, allowing detection of malicious content while still allowing legitimate HTTPS. Option B is wrong because blocking all outbound 443 breaks functionality. Option C is wrong because increasing logging does not detect encrypted content.

Option D is wrong because IDS cannot inspect encrypted traffic without decryption.

412
MCQhard

A large enterprise is designing a disaster recovery site that must support rapid failover with minimal data loss. The primary data center is 50 miles away. The RPO is 1 minute, and RTO is 15 minutes. Which replication strategy best meets these requirements?

A.Log shipping with a 5-minute delay.
B.Synchronous replication over dedicated low-latency fiber links.
C.Scheduled snapshot-based replication every 30 minutes.
D.Asynchronous replication with continuous data protection.
AnswerB

Synchronous replication ensures zero data loss and can meet the required RPO and RTO if latency is low enough.

Why this answer

Synchronous replication writes data to both the primary and secondary sites simultaneously before acknowledging the write to the application, ensuring zero data loss at the storage layer. With dedicated low-latency fiber links over 50 miles, the round-trip time can be kept under 1 ms, meeting the 1-minute RPO and enabling rapid failover within the 15-minute RTO. This strategy guarantees transactional consistency and immediate availability at the DR site.

Exam trap

The trap here is that candidates often choose asynchronous replication (Option D) thinking 'continuous data protection' implies zero data loss, but they overlook that asynchronous replication inherently introduces a write acknowledgment delay, which can still result in data loss during a failure, and the recovery process may not meet the aggressive RTO.

How to eliminate wrong answers

Option A is wrong because log shipping with a 5-minute delay introduces a recovery point of at least 5 minutes, exceeding the 1-minute RPO, and failover requires applying logs, which can take longer than 15 minutes. Option C is wrong because scheduled snapshot-based replication every 30 minutes creates a maximum data loss of 30 minutes, far exceeding the 1-minute RPO, and snapshots do not support rapid failover without additional recovery steps. Option D is wrong because asynchronous replication with continuous data protection (CDP) may reduce data loss to seconds but still risks some data loss due to the asynchronous write acknowledgment, and the recovery process for CDP can be complex and time-consuming, potentially exceeding the 15-minute RTO.

413
MCQhard

During a security assessment, the engineer discovers that a network appliance's firmware updates are signed using a 1024-bit RSA key. The appliance was manufactured in 2015. What is the primary security concern?

A.The key length is insufficient against modern attacks
B.The firmware is not encrypted
C.The signature algorithm is obsolete
D.The signing key is not rotated
AnswerA

1024-bit RSA can be broken by determined attackers; NIST recommends at least 2048 bits.

Why this answer

1024-bit RSA keys are considered weak because they can be factored with moderate computational resources, allowing an attacker to forge firmware updates. While the signature algorithm (RSA) is not obsolete, the key length is insufficient. Firmware encryption is not required for integrity; signing key rotation is secondary.

414
MCQmedium

A security architect is designing a new DMZ for an e-commerce platform. The DMZ must host a web server, an API gateway, and a database server. The architect needs to minimize the attack surface while ensuring the web server can communicate with the API gateway, and the API gateway can communicate with the database. Which network segmentation approach best meets these requirements?

A.Place all three services in the same DMZ subnet and use host-based firewalls to restrict traffic.
B.Create two DMZ subnets: one for the web server and API gateway, and another for the database server.
C.Place the web server in a DMZ subnet, the API gateway in a separate DMZ subnet, and the database server on the internal network.
D.Create three separate DMZ subnets: one for the web server, one for the API gateway, and one for the database server, with firewall rules allowing only required traffic.
AnswerD

This provides defense in depth; each tier is isolated, and only specific ports/protocols are allowed between them.

Why this answer

Option D is correct because it implements the principle of least privilege through network segmentation. By placing each service in its own DMZ subnet with firewall rules that allow only the required traffic (e.g., HTTP/HTTPS from web to API, SQL from API to database), the attack surface is minimized. This prevents lateral movement if one service is compromised, as an attacker cannot directly reach the database from the web server or the API gateway from the internet.

Exam trap

CompTIA often tests the misconception that placing the database server on the internal network (Option C) is acceptable, but in a DMZ design, any server that must be accessed from a DMZ should remain in the DMZ to avoid exposing internal network resources to potential compromise.

How to eliminate wrong answers

Option A is wrong because placing all three services in the same subnet allows unrestricted lateral movement; host-based firewalls can be bypassed if the host is compromised, and this approach does not provide network-level isolation. Option B is wrong because placing the web server and API gateway in the same subnet still exposes the API gateway to direct attack from the web server if the web server is compromised, and the database subnet is not isolated from the API gateway with sufficient granularity. Option C is wrong because placing the database server on the internal network violates the DMZ principle; the API gateway must traverse the internal firewall to reach the database, which increases the attack surface and exposes internal resources to DMZ traffic.

415
Multi-Selectmedium

A company is adopting a serverless architecture using AWS Lambda. Which of the following are security concerns specific to serverless functions? (Select TWO.)

Select 2 answers
A.Insecure deserialization of function input
B.Event injection via malformed input
C.Container escape vulnerabilities
D.Overly permissive IAM roles assigned to the function
E.SQL injection in the database
AnswersB, D

Why this answer

Event injection via malformed input (B) is a specific serverless security concern because AWS Lambda functions are triggered by events from sources like API Gateway, S3, or DynamoDB Streams. An attacker can craft malicious input that exploits the function's event-handling logic, leading to unintended execution paths or data corruption. This differs from traditional injection attacks because the event structure itself can be manipulated to bypass validation.

Exam trap

CompTIA often tests the misconception that serverless functions are immune to injection attacks because they are 'stateless' or 'event-driven,' but the trap here is that event injection is a distinct attack vector where the event structure itself is the injection surface, not just the data within it.

Why the other options are wrong

A

A general web vulnerability, not specific to serverless.

C

Serverless functions run in isolated containers, but escape is more relevant to traditional containers.

E

A general web vulnerability, not specific to serverless.

416
MCQmedium

The Docker container `myservice` has the mount configuration shown. What is the most significant security implication of this configuration?

A.The container can modify files on the host at /data/config.
B.The container has full access to the host's filesystem.
C.The container can read host files at /data/config, but not write.
D.The container can mount additional filesystems using the bind mount.
AnswerC

Read-only bind mount allows reading, no writing.

Why this answer

Option C is correct because the mount is read-only (ro), so the container can read host files but not write. Option A is false. Options B and D are incorrect because the mount is a bind mount of a single host path, which grants neither full filesystem access nor the ability to create additional mounts.

417
MCQeasy

An organization wants to reduce the attack surface of its web servers by ensuring only necessary modules are enabled. Which practice directly supports this goal?

A.Patch management
B.Application whitelisting and module disablement
C.Regular backups
D.Multi-factor authentication
AnswerB

Whitelisting and disabling unnecessary modules reduce attack surface.

Why this answer

Option B is correct because hardening includes whitelisting and disabling unnecessary services and modules. Option A is about patching, not reducing attack surface directly. Option C is a backup strategy.

Option D is about authentication, not module reduction.

418
MCQhard

A security architect is evaluating a web application that uses JSON Web Tokens (JWTs) for authentication. The application uses an RSA256 asymmetric signing algorithm. The architect discovers that the JWT library accepts tokens with the algorithm set to 'none' if the public key is not provided during verification. Which of the following attacks is most likely to succeed if the application does not enforce algorithm validation?

A.Algorithm confusion (key confusion) attack where the attacker uses the public key as an HMAC secret
B.Signature exclusion attack using the 'none' algorithm
C.Timing attack to brute-force the private key
D.Header injection attack to modify the JWT header
AnswerB

Why this answer

Option B is correct because the JWT library accepts tokens with the algorithm set to 'none' when the public key is not provided during verification. This allows an attacker to forge a JWT with the 'none' algorithm, bypassing signature verification entirely. The attack succeeds because the application fails to enforce a whitelist of allowed algorithms, as recommended by RFC 7518.

Exam trap

CompTIA often tests the distinction between algorithm confusion attacks (which involve key reuse) and signature exclusion attacks (which exploit the 'none' algorithm), and the trap here is that candidates confuse the 'none' algorithm vulnerability with the more complex key confusion attack described in option A.

Why the other options are wrong

A

This attack targets libraries that use the same key for both HMAC and RSA, but the scenario describes a library that accepts 'none' algorithm, not HMAC.

C

Timing attacks target side-channel leakage, not algorithm validation bypass.

D

Header injection is about modifying headers in requests, not exploiting JWT algorithm handling.
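The algorithm-allowlist check the explanation above calls for, as an added example that is not part of the question bank. It uses HS256 so that it runs on the Python standard library alone; the scenario's RS256 verifier needs the same structure, only with an RSA signature check in place of the HMAC. The first verifier reproduces the flaw in the question (the header's `alg` is trusted and `none` is honoured when no key is supplied); the second fixes the permitted algorithms in the verifier, so a token whose header names `none`, or any algorithm outside the allowlist, is rejected before any signature logic runs. Keys and claims are constructed for the example.

```python
"""Added example (not from the question bank): JWT verification with a fixed
algorithm allowlist versus a verifier that trusts the token header."""
import base64
import hashlib
import hmac
import json


class InvalidToken(Exception):
    """Raised when a token fails verification."""


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj):
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims, key):
    """Issue an HS256 token over the given claims (constructed key)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _json_segment(header) + "." + _json_segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def unsigned_alg_none_token(claims):
    """Token with alg=none and an empty signature, the shape the question describes."""
    header = {"alg": "none", "typ": "JWT"}
    return _json_segment(header) + "." + _json_segment(claims) + "."


def verify_trusting_header(token, key=None):
    """Flawed verifier from the scenario: the algorithm is whatever the header says,
    and alg=none is accepted when no key is supplied, so nothing is checked."""
    h_b64, p_b64, s_b64 = token.split(".")
    alg = json.loads(_b64url_decode(h_b64)).get("alg")
    if alg == "none" and key is None:
        return json.loads(_b64url_decode(p_b64))  # signature never examined
    if alg == "HS256" and key is not None:
        expected = hmac.new(key, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return json.loads(_b64url_decode(p_b64))
    raise InvalidToken("signature check failed")


def verify_with_allowlist(token, key, allowed_algs=("HS256",)):
    """Hardened verifier: the caller fixes the permitted algorithms; the header may
    only pick one of them, so alg=none and key-confusion swaps are refused up front."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise InvalidToken("malformed token") from exc
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise InvalidToken("algorithm %r is not permitted" % alg)
    if alg != "HS256":
        raise InvalidToken("no verifier configured for %r" % alg)
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise InvalidToken("signature mismatch")
    return json.loads(_b64url_decode(p_b64))


def is_rejected(token, key):
    """True when the hardened verifier refuses the token."""
    try:
        verify_with_allowlist(token, key)
    except InvalidToken:
        return True
    return False


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    good = sign_hs256({"sub": "alice", "role": "user"}, key)
    forged = unsigned_alg_none_token({"sub": "alice", "role": "admin"})
    print("valid token accepted:", verify_with_allowlist(good, key))
    print("alg=none accepted by flawed verifier:", verify_trusting_header(forged))
    print("alg=none rejected by allowlist verifier:", is_rejected(forged, key))
```

The allowlist is the property the explanation attributes to RFC 7518 compliance: the verifier, not the token, decides which algorithms exist. Real deployments should use a maintained JWT library and pass it an explicit `algorithms` list rather than hand-rolling the check; the example exists to make the control visible.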

419
MCQhard

During a penetration test, a tester finds that an application uses server-side sessions with predictable session IDs. Which attack is this vulnerability most likely to facilitate?

A.Session fixation
B.Clickjacking
C.Session hijacking
D.CSRF
AnswerC

With predictable session IDs, an attacker can obtain a valid session and impersonate the user.

Why this answer

Predictable session IDs allow an attacker to guess or brute-force valid session tokens, leading to session hijacking. Session fixation requires the attacker to set a known session ID, not predict. CSRF and clickjacking exploit user actions, not session prediction.

420
MCQhard

After containing a confirmed security incident, the incident response team must plan for eradication. What must be done before eradication begins?

A.Conduct a full forensic analysis of all systems
B.Determine the root cause of the incident
C.Begin eradication immediately to minimize dwell time
D.Notify law enforcement agencies
AnswerB

Root cause analysis ensures eradication addresses the entry point and method.

Why this answer

Option B is correct because understanding the root cause ensures complete removal of the threat and prevents re-infection. Option C is wrong because eradication is not simply the next step after containment; root cause analysis is critical first. Option A is wrong because a full forensic analysis can be done during or after eradication.

Option D is wrong because notifying law enforcement is optional and not a prerequisite.

421
MCQmedium

A security analyst is reviewing the results of a vulnerability scan and identifies a critical vulnerability in a legacy application that cannot be patched because it is no longer supported by the vendor. The application is critical for business operations. Which of the following risk treatment strategies should the organization implement?

A.Risk transfer by purchasing cyber insurance to cover potential losses.
B.Risk mitigation by applying a vendor-supplied patch.
C.Risk avoidance by decommissioning the application and migrating to a new system.
D.Risk acceptance with compensating controls such as network segmentation and strict access controls.
AnswerD

Acceptance acknowledges the residual risk, and compensating controls reduce likelihood/impact.

Why this answer

Option D is correct because when a legacy application cannot be patched due to vendor end-of-life, the organization must accept the residual risk while implementing compensating controls. Network segmentation (e.g., VLANs, ACLs) and strict access controls (e.g., least privilege, MFA) reduce the attack surface and contain potential exploitation, aligning with the risk acceptance strategy under the NIST SP 800-37 risk management framework.

Exam trap

The trap here is that candidates often confuse risk acceptance with doing nothing, but in CAS-004, risk acceptance requires documented compensating controls to reduce residual risk to an acceptable level, not simply ignoring the vulnerability.

How to eliminate wrong answers

Option A is wrong because risk transfer via cyber insurance does not reduce the likelihood or impact of a vulnerability being exploited; it only provides financial reimbursement after a breach, leaving the technical exposure unaddressed. Option B is wrong because a vendor-supplied patch is unavailable by definition (the application is no longer supported), making risk mitigation via patching impossible. Option C is wrong because risk avoidance by decommissioning the application would halt critical business operations, which is not feasible; the question explicitly states the application is critical for business operations.

422
Multi-Selecteasy

A security engineer is hardening a Linux server. Which TWO of the following are best practices for preventing privilege escalation attacks?

Select 2 answers
A.Disable all user accounts except root
B.Apply kernel hardening with sysctl
C.Enable SELinux in enforcing mode
D.Remove the SUID bit from all binaries
E.Restrict cron jobs to root only
AnswersB, C

Kernel hardening parameters (e.g., disabling IP forwarding) reduce attack surface.

Why this answer

Options B and C are correct. SELinux (C) provides mandatory access control that restricts processes, and kernel hardening with sysctl (B) reduces the attack surface. Option D is incorrect because removing all SUID bits may break essential system functionality.

Option A is incorrect because disabling all non-root user accounts is impractical and violates least privilege. Option E is incorrect because restricting cron jobs to root only is not directly related to privilege escalation prevention.

423
MCQhard

A security engineer is troubleshooting a web application that uses OAuth 2.0 for authorization. Users report that after authenticating, they are unable to access resources that require a specific scope. The engineer inspects the authorization request and finds that the scope parameter is missing. Which OAuth flow is most likely being used?

A.Client credentials grant
B.Authorization code grant
C.Resource owner password credentials grant
D.Implicit grant
AnswerD

Implicit grant does not support scope parameter; scopes are typically fixed in client configuration.

Why this answer

The implicit grant flow in OAuth 2.0 does not require the client to include the scope parameter in the authorization request; the access token is returned directly in the URL fragment without a separate token endpoint call. When the scope parameter is missing, the authorization server may issue a token with a default or limited scope, causing users to be unable to access resources that require a specific scope. This matches the described symptom, making the implicit grant the most likely flow in use.

Exam trap

CompTIA often tests the misconception that the scope parameter is always mandatory in all OAuth flows, but the implicit grant allows it to be optional, leading candidates to incorrectly select the authorization code grant.

How to eliminate wrong answers

Option A is wrong because the client credentials grant is used for server-to-server communication without user involvement, and the scope parameter is typically required and validated; missing scope would result in an error, not a token with insufficient scope. Option B is wrong because the authorization code grant requires the client to include the scope parameter in the authorization request, and the authorization server validates it before issuing the code; a missing scope would cause the request to fail or return an error. Option C is wrong because the resource owner password credentials grant requires the client to send the scope parameter along with the username and password; omitting it would lead to a token with default scope or an error, not the described behavior.

424
MCQmedium

In a CI/CD pipeline, a security gate fails because a high-severity vulnerability is found in the base image of a container. The pipeline is configured to block deployment on such findings. What is the appropriate remediation step?

A.Update the base image to a patched version
B.Override the security gate and proceed with deployment
C.Rebuild the image using the same base image
D.Add the vulnerability to an exception list
AnswerA

Using a patched base image resolves the vulnerability.

Why this answer

Updating the base image to a patched version ensures the vulnerability is fixed. Overriding the gate or adding exceptions bypasses security, and rebuilding with the same base retains the issue.

425
MCQhard

The engineer needs to prevent brute-force attacks while allowing legitimate access. Which security control is MOST effective?

A.Disable root login
B.Change SSH port to 2222
C.Implement fail2ban with a threshold of 5 attempts per minute
D.Implement IP whitelist for 10.0.0.0/8
AnswerC

Fail2ban automatically blocks offending IPs after exceeding the threshold, allowing legitimate traffic.

Why this answer

Fail2ban dynamically blocks IP addresses after a configurable number of failed attempts, stopping brute-force while allowing legitimate users (e.g., 10.0.0.50) to connect. Disabling root login only prevents root access but not attacks on other users. Changing the SSH port is security by obscurity.

IP whitelisting for 10.0.0.0/8 would block all other legitimate users and is not flexible.
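The counting logic behind the fail2ban jail the answer describes (5 failures per minute, then a temporary ban), as an added example that is not part of the question bank or of fail2ban itself. It runs over constructed sshd log lines in a simplified layout and reports which source addresses would be banned; `maxretry`, `findtime` and `bantime` mirror fail2ban's jail parameters of the same names but are assumptions here, as are the addresses (10.0.0.50 is the legitimate user from the question, the others are documentation ranges).

```python
"""Added example (not from the question bank): a fail2ban-style sliding-window
counter over constructed sshd log lines. Layout, IPs and thresholds are assumptions."""
import re
from collections import defaultdict, deque

# Constructed sample lines in an assumed "<epoch> sshd[pid]: <message>" layout.
# Real sshd entries carry a syslog timestamp and hostname; only the message part matters.
SAMPLE_AUTH_LOG = """\
1000 sshd[4011]: Failed password for root from 203.0.113.9 port 51001 ssh2
1004 sshd[4012]: Failed password for invalid user admin from 203.0.113.9 port 51002 ssh2
1005 sshd[4013]: Accepted publickey for deploy from 10.0.0.50 port 40222 ssh2
1008 sshd[4014]: Failed password for root from 203.0.113.9 port 51003 ssh2
1012 sshd[4015]: Failed password for invalid user oracle from 203.0.113.9 port 51004 ssh2
1016 sshd[4016]: Failed password for root from 203.0.113.9 port 51005 ssh2
1020 sshd[4017]: Failed password for root from 203.0.113.9 port 51006 ssh2
1030 sshd[4018]: Failed password for deploy from 10.0.0.50 port 40223 ssh2
1200 sshd[4019]: Failed password for deploy from 10.0.0.50 port 40224 ssh2
2000 sshd[4020]: Failed password for root from 198.51.100.4 port 60001 ssh2
2010 sshd[4021]: Failed password for root from 198.51.100.4 port 60002 ssh2
2020 sshd[4022]: Failed password for root from 198.51.100.4 port 60003 ssh2
2030 sshd[4023]: Failed password for root from 198.51.100.4 port 60004 ssh2
2150 sshd[4024]: Failed password for root from 198.51.100.4 port 60005 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\d+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def evaluate_jail(log_text, maxretry=5, findtime=60, bantime=600):
    """Return {ip: ban_start_ts} for sources with >= maxretry failures inside findtime seconds.

    Successful logins are never counted, so a legitimate user who mistypes a
    password now and then stays under the threshold while a burst of failures
    from one address trips it."""
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines do not count
        ts, ip = int(m["ts"]), m["ip"]
        if ip in bans and ts < bans[ip] + bantime:
            continue  # a banned source's packets would be dropped by the firewall rule
        q = window[ip]
        q.append(ts)
        while q and q[0] <= ts - findtime:
            q.popleft()  # sliding window: forget failures older than findtime
        if len(q) >= maxretry:
            bans[ip] = ts
            q.clear()
    return bans


if __name__ == "__main__":
    for ip, started in evaluate_jail(SAMPLE_AUTH_LOG).items():
        print("ban", ip, "from t =", started)
```

On the sample, only 203.0.113.9 is banned (at its fifth failure, t = 1016); 10.0.0.50 keeps working because two failures three minutes apart never fill the window, and 198.51.100.4 escapes with the default one-minute window because its fifth failure arrives after the first four have aged out, which is exactly the trade-off `findtime` expresses.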

426
MCQeasy

A security architect reviews this Cisco router ACL configuration. The web server at 192.168.1.100 is accessible from the internet. What additional security measure should be implemented to protect the internal network (10.0.0.0/24)?

A.Remove the log statement from the deny rules to improve performance
B.Add an ACL on GigabitEthernet0/1 to limit outbound traffic to web ports only
C.Replace the ACLs with a stateful firewall that inspects connection states
D.Apply the same OUTSIDE_IN ACL to GigabitEthernet0/1 inbound
AnswerC

A stateful firewall provides deeper inspection and can prevent various attacks.

Why this answer

The INSIDE_OUT ACL allows all traffic from the internal network to any destination, including potentially malicious outbound connections. Implementing a stateful firewall would track connection states and provide better inspection. Egress filtering could be added, but stateful inspection is more comprehensive.

The OUTSIDE_IN ACL only allows inbound web traffic, which is good. The missing piece is stateful awareness to prevent internal hosts from initiating connections to malicious external hosts.

427
MCQmedium

Refer to the exhibit. A security engineer is reviewing an X.509 certificate used for TLS. Which security concern should the engineer identify?

A.The certificate uses the SHA-1 hash algorithm
B.The RSA key length is 2048 bits
C.The certificate is self-signed
D.The validity period is only one year
AnswerA

SHA-1 is considered broken and should not be used for digital signatures.

Why this answer

The certificate uses SHA-1 as the signature algorithm, which is cryptographically weak and deprecated by major browsers and industry standards. Self-signed would show issuer == subject, key length 2048 is acceptable, and one-year validity is normal.

428
MCQhard

An OpenVPN configuration file is shown. A security auditor recommends replacing the cipher and auth directives. Which of the following is the BEST replacement pair from a security engineering perspective?

A.cipher AES-256-GCM and auth SHA256
B.cipher AES-128-GCM and auth SHA384
C.cipher 3DES-168 and auth MD5
D.cipher Blowfish-128 and auth SHA1
AnswerA

AES-256-GCM is an AEAD cipher that includes authentication, so the auth directive becomes unnecessary; however, OpenVPN allows both. This is a secure modern combination.

Why this answer

Option A is correct because AES-256-GCM is an AEAD cipher that provides both encryption and authentication, and TLS 1.3 uses AEAD; with an AEAD cipher the separate HMAC auth directive is redundant, so the SHA256 setting adds little but does no harm. Option D is wrong because Blowfish is outdated and DES-family ciphers are weak.

Option C is wrong because 3DES is weak and MD5 is deprecated.

429
MCQhard

A company's security team is reviewing the integration of a legacy application that only supports NTLM authentication. The infrastructure must be updated to meet modern security standards. Which of the following is the BEST approach to mitigate the risk of using NTLM?

A.Place the application on an isolated network segment and restrict access with IP whitelisting.
B.Deploy an authentication federation service that translates modern Kerberos/SAML to NTLM for the legacy application.
C.Apply vendor patches to upgrade NTLM to NTLMv2 and enable extended protection for authentication.
D.Disable NTLM and force the application to use Kerberos directly.
AnswerB

A federation service (e.g., ADFS with NTLM fallback) allows the application to use modern authentication while the broker handles the legacy protocol, reducing risk.

Why this answer

Option B is correct because extending the application's authentication to support Kerberos or modern SSO via a federation service like ADFS or a SAML proxy allows the legacy app to use modern authentication without modifying the app. Option A is wrong because network isolation does not address the weakness of NTLM in the authentication protocol. Option D is wrong because disabling NTLM would break the application.

Option C is wrong because applying patches may not be possible if the application is no longer supported, and NTLMv2 is still vulnerable.

430
Multi-Selecteasy

Which TWO of the following are examples of compensating controls for a security control deficiency?

Select 2 answers
A.Increasing logging and monitoring.
B.Implementing stricter access controls.
C.Accepting the risk.
D.Purchasing cyber insurance.
E.Re-architecting the network.
AnswersA, B

Enhanced monitoring can detect unauthorized activities that a deficient control might not prevent.

Why this answer

Compensating controls are alternative measures that mitigate the risk from a primary control failure; stricter access and enhanced monitoring are good examples.

431
MCQmedium

A company runs a containerized application in a Kubernetes cluster. After a penetration test, the security team found that several containers are running with root privileges and have unnecessary packages installed. To reduce the attack surface, the team wants to enforce least privilege and minimize the software footprint. Which action should be taken first to address these findings?

A.Apply SELinux labels to restrict container capabilities
B.Rebuild the container images using minimal base images and remove unnecessary packages
C.Configure the containers to run as non-root user and use read-only filesystems
D.Implement network policies to limit lateral movement between pods
AnswerB

Minimal images reduce attack surface by eliminating unnecessary components.

Why this answer

Using minimal base images (e.g., Alpine or distroless) reduces the attack surface by removing unnecessary tools and libraries. Option C is incorrect because running containers as a non-root user with read-only filesystems is important and improves security, but it does not reduce the number of installed packages.

Option D is incorrect because network policies control traffic but not container privileges or packages.

432
Multi-Selectmedium

A security team is developing a data classification policy. Which TWO of the following elements should be included in the policy to ensure effective data governance?

Select 2 answers
A.Handling requirements for each classification level, including storage and transmission
B.Data retention and disposal schedules
C.Encryption algorithms to be used for data at rest
D.Data loss prevention (DLP) rules
E.Criteria for classifying data into categories such as public, internal, confidential
AnswersA, E

Specifies how data should be protected based on classification.

Why this answer

Option A is correct because a data classification policy must define handling requirements for each classification level, specifying how data should be stored, transmitted, and accessed. This ensures consistent protection controls are applied based on sensitivity, which is a core governance principle. Without these requirements, data may be mishandled, leading to compliance violations or data breaches.

Exam trap

CompTIA often tests the distinction between policy elements (what the policy should contain) and derived controls (e.g., DLP rules, encryption algorithms), leading candidates to confuse operational implementation details with foundational policy components.

433
Multi-Selectmedium

A security architect is designing a cloud-native application that must comply with GDPR data residency requirements. Which TWO of the following measures should the architect implement? (Choose two.)

Select 2 answers
A.Deploy the application in a single region to simplify compliance
B.Store data only in approved geographical locations
C.Use data loss prevention (DLP) policies to monitor data transfers
D.Encrypt data at rest and in transit
E.Implement data classification and labeling
AnswersB, D

Ensuring data is stored only in approved regions directly enforces data residency.

Why this answer

Storing data only in approved geographical locations (B) directly enforces residency, and encrypting data at rest and in transit (D) protects the data wherever it resides and is an expected safeguard under GDPR. DLP (C) is detective rather than preventive, a single-region deployment (A) does not by itself guarantee the region is an approved one and reduces availability, and data classification (E) supports residency decisions but does not enforce them.

434
Multi-Selectmedium

A security architect is designing a secure wireless network for a government facility. Which TWO of the following measures should be implemented to ensure the highest level of security? (Select TWO.)

Select 2 answers
A.Use WPA2-PSK with a strong pre-shared key
B.Implement a captive portal with social login
C.Disable SSID broadcast on the access points
D.Use WPA3-Enterprise with EAP-TLS for authentication
E.Enable MAC address filtering on the access points
AnswersC, D

Disabling SSID broadcast can deter casual discovery, though it is not a primary control.

Why this answer

WPA3-Enterprise with EAP-TLS authenticates each client with a certificate and derives per-session keys, making it the strongest option listed. Disabling SSID broadcast only hides the network from casual scanning: the SSID is still sent in probe and association frames and is recovered in seconds with a wireless sniffer, so it is a minor hardening step rather than a security control. MAC filtering is easily spoofed, and WPA2-PSK relies on a shared secret that cannot be revoked for an individual user.

Captive portals with social login authenticate the user to a third party, not to the organization, and provide no link-layer encryption or strong access control.

435
MCQmedium

A developer is using a third-party library with a known vulnerability. The vulnerability has a CVSS score of 9.8 and an exploit is publicly available. Which of the following is the most immediate course of action?

A.Update the library to the patched version if available
B.Contact the vendor for a patch
C.Remove the library and rewrite functionality
D.Implement a WAF rule to block exploitation
AnswerA

Updating to the latest patched version directly removes the vulnerability.

Why this answer

Option A is correct because updating to the patched version is the most immediate and effective fix. Option D (WAF rule) is a stopgap that blocks known exploit patterns, not a fix. Option B (contact vendor) delays action, and a patch may already exist.

Option C (rewrite) is too drastic if a patch is available.

436
MCQmedium

Based on the exhibit, what vulnerability is present in the firewall rule?

A.Overly permissive service specification
B.Source IP range is too broad
C.No logging is enabled
D.Missing application ID control
AnswerA

Allowing 'any' service gives full access to all ports and protocols.

Why this answer

Option A is correct because allowing 'any' service grants the permitted source access to every port and protocol. Option B is wrong: a /24 is a specific range, not an overly broad one. Option C is wrong: logging is not shown, but its absence is an auditing gap rather than a vulnerability in the rule.

Option D is wrong: application ID control is not relevant to the rule shown.

437
MCQhard

A security engineer needs to deploy a host-based intrusion detection system (HIDS) on a critical Linux server without impacting performance. Which configuration is MOST appropriate?

A.Install OSSEC agent with file integrity monitoring and log analysis only.
B.Install Snort in inline mode on the server.
C.Enable Windows Defender on the Linux server.
D.Deploy ClamAV with real-time scanning and OSSEC.
AnswerA

OSSEC is a well-known HIDS that can be configured minimally for performance.

Why this answer

Option A is correct because OSSEC with file integrity monitoring and log analysis is lightweight and suitable for critical servers. Option B is a network intrusion detection system, and running it inline adds latency to every packet the server handles. Option C names a Windows component, not a Linux HIDS.

Option D adds ClamAV real-time scanning, which is resource-intensive and conflicts with the performance requirement.

438
MCQhard

Based on the exhibit, which type of attack is most likely occurring?

A.Pass-the-hash attack
B.Account lockout attack
C.Replay attack
D.Brute force password guessing
AnswerD

The rapid succession of authentication failures for the root user indicates an attempt to guess the password.

Why this answer

The exhibit shows a high number of failed authentication attempts (Linux sshd 'Failed password' entries; the Windows equivalent is Event ID 4625) from a single source IP against the root account over a short period. This pattern is characteristic of brute force password guessing, where an attacker systematically tries many candidate passwords against one account. The absence of any successful logon or lockout event further supports this conclusion.

Exam trap

CompTIA often tests the distinction between a brute force attack (many passwords, one account) and a password spraying attack (one password, many accounts), and the trap here is confusing the high volume of failed logins with a replay or pass-the-hash attack, which would show successful authentication or token reuse instead of repeated failures.

How to eliminate wrong answers

Option A is wrong because a pass-the-hash attack authenticates with a captured NTLM hash (or, in the Kerberos variant, a ticket derived from it) without knowing the plaintext password, so it appears as successful logons rather than a string of failures. Option B is wrong because an account lockout attack would trigger Event ID 4740 (account locked out) after exceeding the lockout threshold, but the exhibit shows only failed logins without lockout events. Option C is wrong because a replay attack involves capturing and retransmitting valid authentication tokens (e.g., a Kerberos TGT or an NTLM challenge-response), not repeated failed password attempts.
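As an added example (not part of the exam page), the detection logic below implements the brute-force versus password-spray distinction from the exam trap over constructed sshd log lines. The hostnames, IP addresses, threshold and time window are assumed values chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log sample for this example (not the exam exhibit):
# one source hammers root, one source tries many accounts once each,
# and one user mistypes a password and then logs in.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 srv1 sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:02 srv1 sshd[2233]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  3 10:15:02 srv1 sshd[2235]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar  3 10:15:03 srv1 sshd[2237]: Failed password for root from 203.0.113.7 port 51128 ssh2
Mar  3 10:15:04 srv1 sshd[2239]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:15:05 srv1 sshd[2241]: Failed password for root from 203.0.113.7 port 51132 ssh2
Mar  3 10:16:00 srv1 sshd[2250]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar  3 10:16:01 srv1 sshd[2251]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Mar  3 10:16:02 srv1 sshd[2252]: Failed password for invalid user admin from 198.51.100.9 port 40003 ssh2
Mar  3 10:16:03 srv1 sshd[2253]: Failed password for carol from 198.51.100.9 port 40004 ssh2
Mar  3 10:16:04 srv1 sshd[2254]: Failed password for dave from 198.51.100.9 port 40005 ssh2
Mar  3 10:30:00 srv1 sshd[2300]: Failed password for alice from 192.0.2.44 port 33000 ssh2
Mar  3 10:31:00 srv1 sshd[2301]: Accepted password for alice from 192.0.2.44 port 33001 ssh2
"""

# sshd reports unknown accounts as "invalid user <name>"; capture the name either way.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(text, year=2024):
    """Yield (timestamp, account, source_ip) for every failed-password line.

    Syslog timestamps carry no year, so the caller supplies one (assumed here).
    """
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def classify_sources(text, threshold=5, window_seconds=300):
    """Group failures by source IP and label the pattern.

    brute_force    : >= threshold failures against one account inside the window
    password_spray : >= threshold distinct accounts, each hit at most twice
    benign         : everything else (typos, a handful of mistakes)
    """
    events = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        events[ip].append((ts, user))

    verdicts = {}
    for ip, evs in events.items():
        evs.sort()
        span = (evs[-1][0] - evs[0][0]).total_seconds()
        per_user = defaultdict(int)
        for _, user in evs:
            per_user[user] += 1
        in_window = span <= window_seconds
        if in_window and max(per_user.values()) >= threshold:
            verdict = "brute_force"
        elif in_window and len(per_user) >= threshold and max(per_user.values()) <= 2:
            verdict = "password_spray"
        else:
            verdict = "benign"
        verdicts[ip] = {
            "verdict": verdict,
            "failures": len(evs),
            "accounts": sorted(per_user),
        }
    return verdicts


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip:<15} {info['verdict']:<15} failures={info['failures']} accounts={info['accounts']}")
```

The spray rule keys on account breadth rather than on the password, which the log never records; in production the window would be applied as a sliding bucket per source and the thresholds tuned against the lockout policy, so that a spray staying just under the lockout threshold is still caught.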

439
Multi-Selecteasy

Which TWO of the following are primary goals of security operations monitoring? (Choose two.)

Select 2 answers
A.Automate patch deployment
B.Maintain situational awareness of the security posture
C.Conduct vulnerability scans
D.Ensure compliance with regulatory standards
E.Detect security incidents in near real-time
AnswersB, E

Situational awareness is a key outcome of monitoring.

Why this answer

Options B and E are correct. Detecting security incidents in near real-time and maintaining situational awareness are core monitoring goals. Compliance (D) is a by-product of monitoring rather than its purpose, and patch deployment (A) and vulnerability scanning (C) are separate processes.

440
MCQeasy

A developer is writing a mobile app that stores sensitive user data locally on the device. Which is the best practice for protecting the data at rest?

A.Use SQLite without encryption
B.Use the device's keychain/keystore with encryption
C.Store data in a remote database only
D.Store data in plain XML files
AnswerB

Keychain/keystore provides encrypted, access-controlled storage that on most current devices is hardware-backed, so the keys are not extractable by other apps.

Why this answer

Option B is correct because the device's keychain/keystore provides encrypted, access-controlled storage. Option D (plain XML) is insecure; Option A (SQLite without encryption) exposes the data to anyone who obtains the database file; Option C (remote database only) prevents offline access and may not be feasible.

441
MCQhard

A financial institution manages customer data through a web application built on a LAMP stack. The application uses a third-party library for PDF generation that was patched last year. Recently, the security team discovered that an attacker exploited an unpatched vulnerability in the library to execute arbitrary code on the server. The library vendor has released an update, but the development team is concerned that updating the library will break several custom features that rely on its internal API. The CIO wants to minimize risk while maintaining business continuity. The application is critical to daily operations, and any downtime would result in significant revenue loss. Which course of action should the security analyst recommend?

A.Disable the PDF generation feature entirely until the library can be updated in the next quarterly release
B.Deploy a virtual private network (VPN) for all access to the server and restrict input to only trusted IPs
C.Implement a web application firewall (WAF) with a custom rule to block known attack patterns against the library, and then schedule the patch for the next maintenance window
D.Immediately apply the vendor's patch and then test all features in a staging environment for a month before production rollout
AnswerC

WAF provides virtual patching to block exploits while the team tests the update.

Why this answer

Option C is correct because deploying a WAF with custom rules provides virtual patching, reducing risk immediately while allowing time for thorough testing of the library update. The WAF blocks only known attack patterns, so it is a stopgap and the patch must still be applied. Option D (immediate patch) could break features without adequate testing. Option B (VPN) does not address the vulnerability.

Option A (disable PDF generation) removes functionality, impacting business operations.

442
MCQeasy

Refer to the exhibit. A security architect is reviewing this S3 bucket policy. Which of the following security concerns is MOST evident?

A.The policy denies all write access
B.The policy allows public read access
C.The policy uses an outdated version
D.The policy lacks encryption
AnswerB

The wildcard principal '*' allows any anonymous user to read objects.

Why this answer

The policy allows anonymous principals ('*') to perform 's3:GetObject' on all objects in the bucket, making the bucket publicly readable. This is a serious data exposure risk. The policy version is 2012-10-17 which is current, and encryption is not addressed in this policy.
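As an added example (not part of the exam page and not the exhibit's policy), the script below checks a bucket policy for the pattern the question describes: an Allow statement whose principal is anonymous. The bucket name, account ID and role name are placeholders.

```python
import fnmatch
import json

# Constructed bucket policies for this example; the bucket name and account ID are placeholders.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """'*' and {"AWS": "*"} both grant access to any caller, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for entries in principal.values() for p in _as_list(entries))
    return False


def find_public_statements(policy_json):
    """Return every Allow statement whose principal is anonymous.

    Each finding records whether the grant covers object reads (s3:GetObject,
    including wildcards such as s3:Get* or s3:*) and whether a Condition is
    attached; a condition can narrow the grant, so those still need a human read.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": actions,
            "resources": _as_list(stmt.get("Resource")),
            "conditional": "Condition" in stmt,
            # IAM action names are case-insensitive and support '*' wildcards
            "public_read": any(fnmatch.fnmatchcase("s3:getobject", a.lower()) for a in actions),
        })
    return findings


if __name__ == "__main__":
    for f in find_public_statements(PUBLIC_READ_POLICY):
        print(f"{f['sid']}: anonymous principal may {f['actions']} on {f['resources']}"
              f" (public read: {f['public_read']}, conditional: {f['conditional']})")
    print("scoped policy findings:", find_public_statements(SCOPED_POLICY))
```

The check reads only the bucket policy; a bucket can also be exposed through an ACL or by a missing Block Public Access setting, and statements using NotPrincipal need separate handling, so treat this as one signal in a review rather than the whole review.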

443
MCQeasy

A SOC analyst receives an alert indicating that a workstation has been making outbound connections to a known command-and-control (C2) IP address. The analyst initiates the incident response process. Which of the following should be the FIRST action taken?

A.Run a full antivirus scan on the affected workstation.
B.Notify the organization's management and legal team.
C.Delete the suspicious files identified by the antivirus.
D.Isolate the workstation from the network.
AnswerD

Isolation stops the immediate threat and prevents spread.

Why this answer

The first priority in incident response is to contain the threat. Option D, isolating the workstation, stops the C2 channel and limits lateral movement. Option B (notifying management and legal) is important but not first.

Option C (deleting files) is premature without analysis and destroys evidence. Option A (running AV) does not stop the active C2 connection and may alter forensic artifacts before they are captured.

444
MCQhard

A security auditor reviews this Kubernetes pod configuration. Which security vulnerability is most critical?

A.The container image is from a public registry and should use a private one.
B.The container runs as non-root, but root access is required for certain operations.
C.The container allows privilege escalation, which should be disabled.
D.The hostPath volume mount provides direct filesystem access to the host, enabling potential container escape.
AnswerD

HostPath mounts give the container access to the host filesystem; if compromised, the attacker can manipulate host files.

Why this answer

The pod mounts a hostPath volume, which lets the container read and potentially modify the host filesystem; that is a direct container-escape path, so Option D is correct. Options A and B are lower-severity concerns (image provenance, and a non-root container that some operations would prefer to run as root) rather than an escape vector.

Option C is false for this exhibit: the security context does not allow privilege escalation.
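As an added example (not part of the exam page), the audit below applies the checks this question exercises to a pod manifest: hostPath mounts, privileged mode, privilege escalation, root execution, added capabilities, writable root filesystem and unpinned images. The manifests are constructed for the example, in the JSON form that `kubectl get pod <name> -o json` emits so only the standard library is needed; the image digest is a placeholder.

```python
import json

# Constructed pod manifest for this example (the exam exhibit is not reproduced).
RISKY_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "reporter"},
    "spec": {
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "app",
            "image": "docker.io/library/nginx:latest",
            "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
            "volumeMounts": [{"name": "host-root", "mountPath": "/host"}],
        }],
    },
})

# Same workload with the findings fixed; the sha256 digest is a placeholder value.
HARDENED_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "reporter"},
    "spec": {
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "containers": [{
            "name": "app",
            "image": "docker.io/library/nginx@sha256:" + "0" * 64,
            "securityContext": {
                "runAsNonRoot": True, "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]},
            },
            "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}],
        }],
    },
})

RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "DAC_READ_SEARCH", "SYS_MODULE"}


def audit_pod(manifest_json):
    """Return findings sorted by severity; an empty list means nothing was flagged."""
    spec = json.loads(manifest_json).get("spec", {})
    findings = []

    def flag(severity, where, text):
        findings.append({"severity": severity, "location": where, "finding": text})

    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            flag("high", "spec", f"{key}: true shares the node's namespace with the pod")

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        sc = {**pod_sc, **c.get("securityContext", {})}  # container-level settings win
        for vm in c.get("volumeMounts", []):
            if vm["name"] in host_paths:
                flag("critical", name,
                     f"hostPath {host_paths[vm['name']]} mounted at {vm['mountPath']}: "
                     "direct host filesystem access, container escape risk")
        if sc.get("privileged"):
            flag("critical", name, "privileged: true exposes host devices and kernel interfaces")
        if sc.get("allowPrivilegeEscalation", True):
            flag("high", name, "allowPrivilegeEscalation is not false (setuid/file caps can gain privileges)")
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            flag("high", name, "container may run as UID 0")
        caps = sc.get("capabilities", {})
        added = RISKY_CAPS & set(caps.get("add", []))
        if added:
            flag("high", name, f"adds dangerous capabilities: {sorted(added)}")
        if "ALL" not in caps.get("drop", []):
            flag("medium", name, "does not drop ALL capabilities")
        if not sc.get("readOnlyRootFilesystem"):
            flag("medium", name, "root filesystem is writable")
        image = c.get("image", "")
        tag = image.rsplit("/", 1)[-1].partition(":")[2]
        if "@sha256:" not in image and tag in ("", "latest"):
            flag("low", name, f"image {image!r} is not pinned to a digest or immutable tag")

    findings.sort(key=lambda f: RANK[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in audit_pod(RISKY_POD):
        print(f"[{f['severity']:>8}] {f['location']}: {f['finding']}")
    print("hardened pod findings:", audit_pod(HARDENED_POD))
```

Run against the constructed risky pod, the hostPath finding sorts first, matching the question's ranking: the non-root setting and disabled privilege escalation are already in place and produce no high findings, while the writable root filesystem, undropped capabilities and `:latest` tag are lesser hygiene items. The same checks are what a Pod Security Admission `restricted` profile enforces at admission time, which is where they belong in production.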

445
MCQmedium

A security engineer is reviewing the configuration of a web application firewall (WAF) that protects a public-facing e-commerce site. The site has been experiencing intermittent false positives that block legitimate customers during checkout. The WAF is deployed in blocking mode with a rule set that includes SQL injection and cross-site scripting (XSS) signatures. The engineer notices that legitimate credit card numbers containing the string 'OR' are being blocked. The site uses HTTPS and input validation on the server side. Which of the following actions would BEST resolve the false positives while maintaining security?

A.Remove the WAF and rely on server-side input validation alone.
B.Disable the specific signature that matches the string 'OR' in the SQL injection rule set.
C.Change the WAF from blocking mode to detection mode.
D.Add a custom rule to allow all traffic to the checkout page.
AnswerB

This targets the exact cause of false positives while keeping other protections active.

Why this answer

Option B is correct because the false positive is caused by a specific SQL injection signature that matches the string 'OR' within legitimate checkout input. Disabling only that signature preserves the WAF's protection against actual SQL injection and XSS attacks while eliminating the false positive. The server-side input validation and HTTPS provide additional layers of defense, so removing the entire rule set or switching to detection mode would unnecessarily weaken security. In practice the tuning is done as a rule exclusion scoped to the checkout endpoint and the affected parameter rather than a site-wide disable, so the signature keeps protecting every other input.

Exam trap

CompTIA often tests the misconception that switching to detection mode or disabling the entire rule set is a safe compromise, but the correct approach is to surgically disable only the offending signature to balance security and usability.

How to eliminate wrong answers

Option A is wrong because removing the WAF entirely eliminates a critical defense layer, leaving the site vulnerable to attacks that server-side input validation might miss (e.g., bypasses via encoding or logic flaws). Option C is wrong because changing to detection mode would log but not block attacks, failing to protect the site during checkout and violating the requirement to maintain security. Option D is wrong because adding a custom rule to allow all traffic to the checkout page disables all WAF protections for that endpoint, exposing it to SQL injection, XSS, and other threats.

446
Multi-Selecteasy

Which THREE components are essential for a fully functional Security Operations Center (SOC)? (Select exactly 3.)

Select 3 answers
A.Incident response team
B.VPN concentrator
C.Security Information and Event Management (SIEM) system
D.Firewall
E.Standard operating procedures and playbooks
AnswersA, C, E

People are essential for investigation and response.

Why this answer

Options A, C, and E are correct because SIEM for correlation, incident response team, and playbooks are core. Option B is a security control but not a SOC component. Option D is network infrastructure.

447
MCQhard

An organization is evaluating its cloud service provider's security posture as part of third-party risk management. Which regulatory framework requires the organization to ensure that the provider has appropriate technical and organizational measures to protect personal data?

A.PCI DSS
B.SOX
C.GDPR
D.HIPAA
AnswerC

GDPR requires data processors to have appropriate measures.

Why this answer

GDPR Article 28 explicitly requires data processors to implement appropriate technical and organizational measures. PCI DSS focuses on cardholder data, SOX on financial controls, and HIPAA on healthcare data.

448
MCQeasy

A security architect needs to protect sensitive data in use within a server's memory from other processes. Which technology should be implemented?

A.Secure Boot
B.Trusted Platform Module (TPM)
C.Intel Software Guard Extensions (SGX)
D.Hardware Security Module (HSM)
AnswerC

SGX creates secure enclaves in memory, protecting data in use from other processes and the host OS.

Why this answer

Intel SGX provides hardware-based memory encryption that isolates code and data in enclaves, protecting data in use from other processes. TPM is for attestation and key storage, HSM for dedicated cryptographic operations, and Secure Boot for boot integrity. The SGX threat model covers other processes, the OS and the hypervisor, but not CPU side channels, which have been used in practice to extract enclave secrets, so enclaves still depend on timely microcode and platform updates.

449
MCQeasy

Refer to the exhibit. The security team has been asked to remediate the vulnerability before the next PCI DSS audit. Which of the following is the MOST appropriate action?

A.Move the host to a separate VLAN
B.Disable TLS 1.0 and enable TLS 1.2 only
C.Apply a compensating control such as an API gateway
D.Accept the risk because the CVSS score is below 8.0
AnswerB

Eliminates the vulnerability and achieves compliance.

Why this answer

Disabling TLS 1.0 and allowing only TLS 1.2 (or later) directly removes the vulnerability and meets PCI DSS, which prohibits SSL and early TLS for cardholder data environments. Compensating controls may not satisfy the auditor; accepting the risk is not an option because ASV scans fail on any finding with a CVSS score of 4.0 or higher; moving the host to another VLAN does not fix the issue.

450
MCQmedium

A security engineer is writing a Python script to parse system logs and alert on suspicious patterns. What is the best practice to ensure the script remains secure when handling log data?

A.Store all logs in a database and query directly.
B.Use `eval()` to dynamically evaluate log content.
C.Sanitize log input and use safe parsing functions like `json.loads()` for structured logs.
D.Run the script with root privileges to access all logs.
AnswerC

Safe parsing prevents injection and handles data securely.

Why this answer

Option C is correct because sanitizing input and using safe parsing functions like `json.loads()` ensures log content is treated as data and never executed. Option B (`eval()`) is dangerous because anyone who can influence a log line, for example through a username field, can execute arbitrary code in the script. Option A is a storage choice, not a scripting best practice.

Option D runs with excessive privileges.
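As an added example (not part of the exam page), the script below places the Option B anti-pattern beside the Option C approach: the same constructed log, once parsed with `eval()` and once with `json.loads()` plus schema checks. The log format, the `canary` list and the allowed event names are assumptions made for the illustration.

```python
import json

# Constructed log lines for this example (not taken from the exam). The third line
# is the kind of content an attacker can plant via any field they control, such as a username.
SAMPLE_LOG = """\
{"ts": "2024-03-03T10:15:01Z", "event": "login_failed", "user": "root", "src": "203.0.113.7"}
{"ts": "2024-03-03T10:15:02Z", "event": "login_ok", "user": "alice", "src": "192.0.2.44"}
canary.append('arbitrary code executed') or {"ts": "x", "event": "login_ok", "user": "a", "src": "b"}
"""

canary = []  # exists only to make the consequence of eval() observable


def parse_unsafe(text):
    """Option B, kept deliberately insecure: eval() executes the log line as Python."""
    return [eval(line) for line in text.splitlines() if line.strip()]


ALLOWED_EVENTS = {"login_failed", "login_ok", "logout"}
SCHEMA = {"ts": str, "event": str, "user": str, "src": str}  # assumed log format


def parse_safe(text):
    """Option C: json.loads() only builds data, never runs it; then validate the shape.

    Returns (accepted_records, rejected) where rejected lists (line_number, reason)
    so malformed or hostile lines are visible rather than silently dropped.
    """
    accepted, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            rejected.append((lineno, f"not JSON: {exc.msg}"))
            continue
        if (not isinstance(rec, dict) or set(rec) != set(SCHEMA)
                or any(not isinstance(rec[k], t) for k, t in SCHEMA.items())):
            rejected.append((lineno, "schema mismatch"))
            continue
        if rec["event"] not in ALLOWED_EVENTS:
            rejected.append((lineno, f"unknown event {rec['event']!r}"))
            continue
        # Drop control characters from attacker-influenced text so a value cannot
        # forge extra log lines or inject terminal escape sequences downstream.
        rec["user"] = "".join(ch for ch in rec["user"] if ch.isprintable())
        accepted.append(rec)
    return accepted, rejected


def failed_login_alerts(records):
    """Alert on failed logins; only validated records reach this point."""
    return [f"{r['ts']} failed login for {r['user']} from {r['src']}"
            for r in records if r["event"] == "login_failed"]


if __name__ == "__main__":
    records, rejected = parse_safe(SAMPLE_LOG)
    print("alerts:", failed_login_alerts(records))
    print("rejected:", rejected, "canary:", canary)
    parse_unsafe(SAMPLE_LOG)
    print("after eval-based parsing, canary:", canary)
```

The crafted third line is instructive: under `eval()` it both runs code and yields a record that looks legitimate, so the script would neither crash nor alert, whereas `json.loads()` rejects it as not JSON and the rejection is logged for a human to look at.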
