CompTIA SecurityX CAS-004 (CAS-004) — Questions 451-510

510 questions total · 7 pages · All types, answers revealed

Page 7 of 7

451
MCQ (easy)

During a tabletop exercise, the CSIRT discovers that the organization lacks a clear chain of command for decision-making during incidents. Which document should be updated to address this gap?

A.Incident response plan
B.Business continuity plan
C.Security awareness training material
D.Network topology diagram
Answer: A

The IR plan outlines the chain of command and communication structure.

Why this answer

Option A is correct because the incident response plan should define roles, responsibilities, and escalation paths. Option B is for continuing business operations. Option D is for network architecture.

Option C is for user training.

452
MCQ (medium)

A security engineer is designing a secure boot process for embedded devices. Which component is responsible for verifying the signature of the bootloader before execution?

A.Secure Boot
B.Root of trust (RoT)
C.Trusted Platform Module (TPM)
D.UEFI firmware
Answer: B

RoT is the immutable hardware or code that establishes the first link in the chain of trust by verifying the bootloader.

Why this answer

The root of trust (RoT), typically implemented as a small section of immutable code in ROM or a dedicated microcontroller, checks the bootloader's signature using a public key stored in fuses. The TPM can store measurements but is not the verifier. UEFI is a firmware interface, and Secure Boot is the process itself.

453
MCQ (medium)

Refer to the exhibit. Which of the following best describes the effect of this ACL?

A.Blocks all traffic to the 10.0.0.0/24 network.
B.Blocks all traffic from the 10.0.0.0/24 network.
C.Permits all traffic to the 10.0.0.0/24 network.
D.Permits all traffic from the 10.0.0.0/24 network.
Answer: A

The entry 'deny ip any 10.0.0.0 0.0.0.255' denies traffic from any source IP to the destination network 10.0.0.0/24.

Why this answer

Option A is correct because the ACL explicitly denies all traffic destined to the 10.0.0.0/24 network.

454
MCQ (easy)

A company is implementing a risk management framework and needs to prioritize remediation of vulnerabilities based on potential impact. Which of the following is the MOST appropriate approach?

A.Focus on vulnerabilities with the highest CVSS score regardless of asset value
B.Remediate all vulnerabilities within 30 days of discovery
C.Perform a quantitative risk assessment using asset value and loss expectancy
D.Address vulnerabilities in order of ease of exploitation
Answer: C

This approach combines asset value and potential loss to prioritize risks effectively.

Why this answer

A quantitative risk assessment uses asset value and loss expectancy to prioritize risks based on impact. Option A ignores asset criticality; Option B is a blanket deadline, not prioritization; Option D considers only likelihood (ease of exploitation), not impact.

455
Multi-Select (hard)

During an incident response, the team must perform containment actions. Which TWO actions are considered proper containment? (Select exactly 2.)

Select 2 answers
A.Isolate affected systems from the network
B.Notify law enforcement
C.Disable compromised user accounts
D.Back up the affected systems
E.Patch all vulnerabilities on affected systems
Answers: A, C

Isolation stops lateral movement.

Why this answer

Options A and C are correct because isolating affected systems and disabling compromised accounts prevent further spread. Option D (backing up the affected systems) is recovery, not containment. Option B (notifying law enforcement) is a notification step that follows containment.

Option E (patching) is eradication.

456
MCQ (hard)

During an audit, a compliance officer finds that the organization has not conducted a risk assessment in over two years. Which of the following is the MOST significant risk?

A.Inability to prioritize security investments.
B.Loss of customer trust.
C.Non-compliance with regulatory fines.
D.Increased likelihood of successful attacks.
Answer: C

Many regulations require periodic risk assessments; failure to conduct them can result in significant fines and penalties.

Why this answer

Option C is correct because regulatory fines can be substantial and are directly tied to compliance requirements, making it the most significant risk.

457
MCQ (hard)

A company is designing a hybrid cloud architecture with AWS and an on-premises data center. They need to ensure that all data transmitted between environments is encrypted and that the connection is resilient. Which design should the architect choose?

A.Deploy a single MPLS connection with network-based encryption
B.Set up a single AWS Direct Connect connection and rely on the provider's encryption
C.Establish multiple redundant IPsec VPN tunnels to the VPC
D.Use an SSL VPN tunnel from the on-premises firewall to the VPC
Answer: C

Redundant IPsec tunnels provide both encryption and resilience.

Why this answer

A VPN tunnel using IPsec with IKEv2 provides encryption and authentication, and redundant tunnels ensure failover. Direct Connect is a private circuit but often requires separate encryption. An SSL VPN tunnel would work but is typically used for remote-access web traffic.

MPLS is a carrier service and is not inherently encrypted.

458
MCQ (hard)

A security engineer is reviewing an S3 bucket policy for a bucket named 'corporate-data'. The policy is shown. Which of the following describes a vulnerability in this configuration?

A.The Deny statement allows anonymous uploads over HTTP
B.The Deny statement allows any anonymous user to upload objects to the bucket
C.The Allow statement's IP address condition uses a private IP range, which is ineffective for internet-facing buckets
D.The Allow statement permits access over insecure HTTP
Answer: C

Private IP ranges (10.0.0.0/8) are not source IPs from the internet; thus the condition never matches, making the Allow statement useless.

Why this answer

Option C is correct because the Allow statement in the S3 bucket policy restricts access to a private IP address range (e.g., 10.0.0.0/8 or 192.168.0.0/16), which is not routable on the public internet. Because the bucket is internet-facing, the condition never matches a public source IP: the Allow statement effectively denies all external access, so the bucket is either inaccessible to its intended users or, if it was meant to be public, misconfigured. The real vulnerability is that the policy relies on a condition that cannot be enforced for internet traffic, and this misconfiguration can lead to unintended access if the condition is later bypassed or relaxed.

Exam trap

CompTIA often tests the misconception that private IP ranges can be used to restrict access to internet-facing S3 buckets, when in fact S3 only evaluates public source IPs, making such conditions ineffective or overly restrictive.

How to eliminate wrong answers

Option A is wrong because the Deny statement does not allow anonymous uploads over HTTP; it explicitly denies all anonymous access, and the vulnerability is not about HTTP vs. HTTPS but about the Allow statement's IP condition. Option B is wrong because the Deny statement explicitly blocks anonymous uploads, so it does not allow any anonymous user to upload objects; the vulnerability lies in the Allow statement, not the Deny.

Option D is wrong because the Allow statement does not permit access over insecure HTTP; it requires HTTPS (via the aws:SecureTransport condition), and the vulnerability is the private IP range, not the protocol.

459
MCQ (medium)

Refer to the exhibit. A security analyst reviews this pod specification. Which attack surface is most increased by the added capabilities?

A.The container can modify network settings
B.The container can kill other processes
C.The container can read all host files
D.The container can install new kernel modules
Answer: D

SYS_ADMIN capability allows loading kernel modules, potentially compromising the host.

Why this answer

SYS_ADMIN grants many powerful privileges including loading kernel modules, which can lead to host compromise. NET_ADMIN allows network configuration but is less critical. The combination significantly increases attack surface.

460
MCQ (medium)

A security engineer is configuring a web application firewall (WAF) for an e-commerce site. The application uses JSON APIs for all transactions. Which WAF mode provides the best protection against injection attacks while minimizing false positives?

A.Anomaly detection and learning mode
B.Positive security model with strict API schema validation
C.Passive mode for monitoring only
D.Negative security model with a large rule set
Answer: B

Only allows traffic that matches expected schema, effectively preventing injections.

Why this answer

Option B (positive security model) is correct because it allows only inputs that match the expected API schema, reducing false positives. Option D (negative security model) blocks known attacks but can generate false positives. Option A (anomaly detection and learning) helps but may not be fully protective.

Option C (passive monitoring) provides no protection.

461
MCQ (medium)

During a penetration test, an engineer discovers that the application uses client-side JavaScript to validate input before submission. What is the MOST significant vulnerability?

A.Server-side validation is missing
B.Cross-site scripting
C.Insecure direct object reference
D.Weak session management
Answer: A

The lack of server-side validation allows any client-side validation to be bypassed, creating a serious vulnerability.

Why this answer

Client-side validation can be easily bypassed by disabling JavaScript or sending crafted HTTP requests. Without server-side validation, attackers can submit malicious payloads, leading to injection attacks. XSS and IDOR are separate issues; weak session management is unrelated to input validation.

462
Multi-Select (medium)

Which TWO of the following are best practices for securing a cloud-based identity and access management (IAM) system? (Select exactly 2.)

Select 2 answers
A.Require users to change passwords every 30 days.
B.Use single sign-on (SSO) for all applications.
C.Implement the principle of least privilege for all user roles.
D.Enable multi-factor authentication (MFA) for all administrative accounts.
E.Create default admin accounts for each department.
Answers: C, D

Limiting privileges reduces the attack surface and potential damage.

Why this answer

The principle of least privilege (C) ensures that users and roles are granted only the permissions necessary to perform their job functions, reducing the attack surface and limiting potential damage from compromised accounts. Enabling multi-factor authentication (D) for administrative accounts adds a critical layer of security beyond passwords, mitigating risks from credential theft or brute-force attacks. Both are foundational controls in cloud IAM frameworks like AWS IAM, Azure AD, or GCP IAM.

Exam trap

CompTIA often tests the misconception that frequent password changes (A) are a security best practice, when in fact modern standards advise against them, and that SSO (B) alone is a security control, whereas it is primarily a convenience feature that requires additional safeguards like MFA.

463
Multi-Select (easy)

Which TWO of the following are best practices for securing a database that stores personally identifiable information (PII)? (Select TWO.)

Select 2 answers
A.Encrypt data at rest using AES-256
B.Use default admin credentials for easy access
C.Enable audit logging for all queries
D.Store all data in plaintext for performance
E.Implement role-based access control (RBAC)
Answers: A, E

Encryption protects data confidentiality even if storage media is compromised.

Why this answer

Options A and E are correct. Encrypting data at rest (A) and implementing role-based access control (E) are fundamental security controls. Option B (default admin credentials) is insecure.

Option D (plaintext storage) is prohibited by regulations. Option C (audit logging) is important but not as directly focused on data protection as encryption and access control.

464
MCQ (medium)

Refer to the exhibit. This clause is a requirement of which of the following?

A.PCI DSS.
B.GDPR Article 32.
C.ISO 27001.
D.HIPAA Security Rule.
Answer: B

Article 32 of the GDPR details the security of processing, including pseudonymization, encryption, and resilience.

Why this answer

Option B is correct because the text is a direct excerpt from the GDPR, Article 32, which mandates security measures for personal data processing.

465
Drag & Drop (medium)

Drag and drop the steps to configure a site-to-site IPsec VPN on a firewall into the correct order.


Why this order

IPsec VPN configuration follows a logical order: first define IKE policy, then IPsec policy, create tunnel, permit traffic, and finally apply crypto map.

466
MCQ (easy)

A company is deploying a RESTful API that handles sensitive financial data. Which of the following should be implemented to ensure data integrity during transmission?

A.TLS 1.3
B.Input validation
C.JSON Web Token (JWT) authentication
D.API rate limiting
Answer: A

TLS encrypts the entire session and ensures data integrity via MACs.

Why this answer

Option A is correct because TLS 1.3 provides encryption and integrity for data in transit. Option B (input validation) is for application-level input. Option D (rate limiting) protects against DoS.

Option C (JWT) is for authentication, not transmission integrity.

467
MCQ (medium)

A financial services company is implementing a zero-trust architecture. The security architect needs to ensure that all network traffic between application tiers is inspected and logged regardless of source location. Which of the following should be implemented?

A.Implement microsegmentation using a next-generation firewall
B.Deploy a site-to-site VPN across all tiers
C.Use a single, centralized firewall for all traffic
D.Place all application servers in a DMZ
Answer: A

Microsegmentation enables fine-grained security policies between individual workloads, supporting inspection and logging.

Why this answer

Microsegmentation enforces granular security policies between workloads, allowing full inspection and logging of east-west traffic, which aligns with zero-trust principles. A VPN concentrates traffic but does not provide per-application inspection. A DMZ is perimeter-oriented.

A single centralized firewall is still necessary, but microsegmentation provides more refined control.

468
Multi-Select (hard)

Which TWO are required by PCI DSS for all merchants?

Select 2 answers
A.Implement network segmentation
B.Maintain a vulnerability management program
C.Store CVV codes
D.Encrypt cardholder data at rest
E.Use only tokenization
Answers: B, D

PCI DSS requirement 6 requires a vulnerability management program.

Why this answer

Options B and D are correct. PCI DSS requires encryption of cardholder data at rest (requirement 3) and a vulnerability management program (requirement 6). Tokenization is optional, CVV storage is prohibited, and network segmentation is a recommended control but not a requirement for all merchants.

469
Multi-Select (easy)

Which TWO of the following are essential characteristics of a hardware security module (HSM)? (Select TWO.)

Select 2 answers
A.Hardware acceleration of cryptographic operations.
B.Tamper-resistant key storage.
C.Virtualization of the hardware root of trust.
D.Integration with public key infrastructure (PKI) to replace certificate authorities.
E.User authentication and authorization.
Answers: A, B

HSMs offload cryptographic processing from the main CPU.

Why this answer

Option A is correct because HSMs are dedicated hardware appliances that offload cryptographic operations from the main CPU, providing hardware acceleration for algorithms such as AES, RSA, and ECC. This acceleration is critical for high-throughput environments like TLS termination or code signing, where software-based cryptography would create a performance bottleneck. Option B is correct because tamper-resistant key storage, in which private keys are generated and used inside the module and never exported in plaintext, is the defining property of an HSM.

Exam trap

CompTIA often tests the distinction between 'essential characteristics' and 'common but non-essential features'. The trap here is that candidates confuse optional integration capabilities (like PKI support or user authentication) with the fundamental purpose of an HSM, which is tamper-resistant key storage and cryptographic acceleration.

470
Multi-Select (medium)

A network administrator is troubleshooting connectivity to a server at 192.168.1.100. The ACL shown is applied inbound on GigabitEthernet0/0. Which THREE statements are true regarding this ACL configuration? (Choose three.)

Select 3 answers
A.The ACL will block all traffic from the 192.168.1.0/24 network to 10.0.0.0/24
B.Traffic sourced from 192.168.1.100 going to the 10.0.0.0/24 network will be permitted
C.Traffic from the 10.0.0.0/24 network to 192.168.1.100 is not affected by this ACL
D.The implicit deny at the end of the ACL will block all other traffic not explicitly permitted
E.The ACL blocks SSH and RDP access to 192.168.1.100 from any source
Answers: B, C, E

The ACL does not filter traffic sourced from 192.168.1.100; it filters based on destination.

Why this answer

Option B is correct because the ACL, when applied inbound on GigabitEthernet0/0, evaluates traffic entering the interface. The permit statement allows traffic sourced from host 192.168.1.100 destined to the 10.0.0.0/24 network, so that specific traffic is explicitly permitted.

Exam trap

The trap here is that candidates often confuse the direction of ACL application, assuming an inbound ACL on an interface affects traffic destined to that interface's IP address, when in fact it only filters traffic entering the interface from the outside.

471
MCQ (easy)

A small business uses a single on-premise server running a custom application and a SQL database. The IT manager is concerned about data loss due to hardware failure. The company has a backup tape drive but often forgets to change tapes. The RTO is 24 hours and RPO is 4 hours. Which of the following is the BEST improvement to meet the RPO/RTO requirements?

A.Purchase a second identical server and set up failover clustering.
B.Switch to daily differential backups and store tapes offsite.
C.Implement a RAID 1 mirroring for the server's hard drives.
D.Use a cloud-based backup service with hourly incremental backups.
Answer: D

Hourly backups meet RPO of 4 hours; cloud restore can meet RTO of 24 hours.

Why this answer

D is correct. Hourly cloud backups meet the 4-hour RPO and likely achieve 24-hour RTO. RAID protects against disk failure but not other hardware failures.

Daily backups may miss the RPO. Failover clustering is expensive and complex for a small business.

472
Multi-Select (medium)

Which three options are best practices for writing secure scripts? (Choose three.)

Select 3 answers
A.Log all errors and warnings for debugging.
B.Use parameterized inputs to prevent injection attacks.
C.Validate all external input before processing.
D.Hardcode sensitive credentials in the script.
E.Run scripts with the least privilege necessary.
Answers: B, C, E

Parameterization separates code from data.

Why this answer

Options B, C, and E are correct. Parameterized inputs prevent injection, input validation stops malformed data, and least privilege limits the damage a compromised script can do. D (hardcoding credentials) is insecure.

A (logging all errors and warnings) is a good general practice but not specifically a security best practice.

473
MCQ (easy)

A company's internal audit found that employees often share passwords. Which policy change would BEST address this?

A.Implement multi-factor authentication
B.Increase password complexity requirements
C.Require password changes every 30 days
D.Provide security awareness training on password sharing
Answer: A

MFA provides an additional layer, making password sharing less effective for unauthorized access.

Why this answer

Option A is correct because multi-factor authentication reduces reliance on passwords alone. Option B is wrong: increasing complexity may not stop sharing. Option C is wrong: periodic changes do not prevent sharing.

Option D is wrong: training helps, but MFA is a technical control.

474
Multi-Select (hard)

Which three measures should be implemented to secure a RESTful API? (Select THREE.)

Select 3 answers
A.Use JSONP for cross-origin requests
B.Implement proper error handling that does not expose stack traces
C.Disable rate limiting to ensure availability
D.Validate all input against a strict schema
E.Use OAuth2 with scopes for authorization
Answers: B, D, E

Generic error messages prevent information leakage.

Why this answer

Options E (OAuth2 with scopes), D (validate all input against a strict schema), and B (proper error handling without stack traces) are correct. Option C (disable rate limiting) lowers security. Option A (use JSONP) introduces cross-origin risks.

475
MCQ (hard)

A security engineer is reviewing a Kubernetes deployment where the pod spec includes `securityContext: { privileged: true }`. What is the primary security concern of this configuration?

A.The container can access host resources like the filesystem
B.The container can run as root
C.The container has unrestricted network access
D.The container can modify the host's kernel
Answer: D

Privileged mode grants direct access to host kernel functions and devices.

Why this answer

Privileged containers have almost all capabilities of the host, including access to host devices and kernel modules. This significantly increases the attack surface compared to running as root alone.

476
MCQ (hard)

A security audit reveals that Docker containers are built with multiple unnecessary layers and utilities. Which practice reduces the attack surface of the container image?

A.Use multi-stage builds
B.Use a base image with only the required packages
C.Combine multiple RUN commands into one
D.Delete the apt cache in the Dockerfile
Answer: B

Minimizing installed packages reduces the attack surface.

Why this answer

Using a minimal base image with only required packages reduces the number of potential vulnerabilities. Multi-stage builds help but don't directly reduce the base image size.

477
MCQ (easy)

A security manager is reviewing the company's vendor risk management program. Which of the following should be included as a mandatory step BEFORE entering into a contract with a new cloud service provider?

A.Establishing an incident response plan
B.Performing a penetration test of the vendor's infrastructure
C.Conducting a third-party security assessment
D.Requesting monthly vulnerability reports
Answer: C

Pre-contract assessment ensures vendor meets security requirements.

Why this answer

Option C is correct because a third-party security assessment is a mandatory due diligence step before entering into a contract with a new cloud service provider. This assessment evaluates the vendor's security controls, compliance posture, and risk profile against the organization's requirements, ensuring that the vendor meets minimum security standards before any data or systems are entrusted to them. Without this pre-contract assessment, the organization would be accepting unknown risks that could lead to data breaches or compliance violations.

Exam trap

The trap here is that candidates often confuse post-contract operational activities (like incident response planning or vulnerability reporting) with pre-contract due diligence, leading them to select options that are important but not mandatory before signing a contract.

How to eliminate wrong answers

Option A is wrong because establishing an incident response plan is an operational step that should occur after the contract is signed and the service is being integrated, not before entering into the contract; it is not a prerequisite for vendor selection. Option B is wrong because performing a penetration test of the vendor's infrastructure is typically not feasible or allowed before a contract is in place, as it requires legal agreements and access permissions that do not exist pre-contract; such testing is usually conducted post-contract as part of ongoing validation. Option D is wrong because requesting monthly vulnerability reports is a post-contract monitoring activity, not a pre-contract due diligence step; the vendor may not even have such reports available before the business relationship is established.

478
MCQ (medium)

A multinational corporation is deploying a new application that will be accessed by employees, partners, and customers. The security architecture must support single sign-on (SSO) across different identity providers (IdPs) while maintaining strict access control based on user attributes such as role, location, and device posture. The company uses Active Directory for employees, a cloud IdP for partners, and self-registration for customers. The architect needs to design a centralized policy enforcement point that can evaluate access requests from multiple IdPs and enforce dynamic access policies before granting access to the application. Which of the following is the BEST architectural approach?

A.Deploy a SAML/WS-Federation federation server that authenticates users and then passes the identity to the application for authorization
B.Have each IdP enforce its own access policies and pass the authorization decision via SAML assertions
C.Configure a reverse proxy to authenticate users from any IdP and pass their identity to the application
D.Implement an externalized authorization management system (e.g., OAuth 2.0 with OpenID Connect) using a policy decision point (PDP) and a policy enforcement point (PEP) at the application gateway
Answer: D

This separates authentication from authorization, allows centralized attribute-based policy, and works across IdPs.

Why this answer

A Policy Enforcement Point (PEP) integrated with a Policy Decision Point (PDP) separates authentication from authorization, allowing a unified policy regardless of IdP. Option B is wrong because relying on each IdP for authorization leads to policy fragmentation. Option A is wrong because a SAML federation server handles authentication but not authorization.

Option C is wrong because a proxy alone does not provide policy decision capabilities.

479
MCQ (hard)

A company is merging with another company that has a different security posture. The CISO wants to integrate the two security programs quickly. Which of the following is the MOST critical first step?

A.Establish a joint governance committee
B.Align security policies and standards
C.Implement the same security tools across the enterprise
D.Conduct a joint risk assessment
Answer: A

Governance provides strategic oversight for integration.

Why this answer

Establishing a joint governance committee provides oversight and direction for integration. Options B, C, and D are tactical steps that should follow governance.

480
MCQ (easy)

Based on the exhibit, what type of attack is indicated?

A.Brute-force attack
B.Man-in-the-middle
C.Denial of service
D.Replay attack
Answer: A

Multiple failed attempts then success is characteristic of brute-force.

Why this answer

Option A is correct because repeated failed logins followed by a success indicate a brute-force attack. Option B is wrong: MITM involves interception. Option D is wrong: a replay attack involves capturing and retransmitting traffic.

Option C is wrong: DoS involves overwhelming resources.

481
MCQ (easy)

A compliance officer is reviewing logs from a web application and finds multiple failed login attempts from a single IP address. Which type of control should be implemented to reduce the risk of brute-force attacks?

A.Account lockout policy
B.Network firewall
C.Password hashing
D.Encryption of traffic
Answer: A

Account lockout limits the number of attempts, reducing brute-force risk.

Why this answer

Account lockout policies prevent brute-force attacks by locking accounts after a number of failed attempts. Encryption, firewalls, and hashing do not directly address brute-force login attempts.

482
MCQ (easy)

An organization wants to ensure that its third-party vendors comply with the company's security policies. Which of the following is the MOST effective method?

A.Include security requirements in contracts and conduct periodic audits
B.Require vendors to obtain ISO 27001 certification
C.Send annual self-assessment questionnaires
D.Perform quarterly penetration tests on vendor networks
Answer: A

Contractual requirements are legally binding, and periodic audits make compliance verifiable.

Why this answer

Including security requirements in contracts and conducting periodic audits is the most effective method because it creates a legally binding obligation for vendors to adhere to the organization's security policies, and audits provide direct, verifiable evidence of compliance. Unlike self-assessments or certifications, audits allow the organization to actively inspect controls, configurations, and processes, ensuring ongoing adherence rather than relying on a point-in-time assertion. This approach aligns with the NIST SP 800-53 continuous monitoring framework and is a core principle of third-party risk management (TPRM) in the CAS-004 domain.

Exam trap

CompTIA often tests the misconception that a one-time certification or a technical test like a penetration test is sufficient to ensure ongoing compliance, when in reality continuous contractual obligations and independent audits are required to enforce and verify policy adherence over time.

How to eliminate wrong answers

Option B is wrong because requiring ISO 27001 certification only proves that a vendor had a compliant Information Security Management System (ISMS) at the time of certification, but it does not guarantee ongoing compliance with the organization's specific security policies, nor does it provide a mechanism for the organization to verify current controls or address unique contractual requirements. Option C is wrong because annual self-assessment questionnaires rely on the vendor's self-reported data, which is subjective, lacks independent verification, and can easily miss critical security gaps or misconfigurations, making it unreliable for ensuring compliance. Option D is wrong because quarterly penetration tests on vendor networks only assess technical vulnerabilities at a point in time and do not evaluate the vendor's adherence to security policies, processes, or administrative controls, nor do they cover all aspects of compliance such as data handling, access management, or incident response procedures.

483
Matching (medium)

Match each port number to its associated protocol.


RDP

SSH

HTTPS

LDAP

LDAPS

Why these pairings

These are well-known port assignments for common protocols.

484
MCQ (medium)

Refer to the exhibit. Which security issue does this S3 bucket policy present?

A.The bucket allows anonymous GET operations from any IP
B.The bucket policy is too restrictive
C.The bucket allows anonymous PUT operations from any source
D.The bucket is not encrypted
Answer: C

The second statement permits any principal to put objects without an IP condition.

Why this answer

Option C is correct because the second statement allows anonymous PUT without any IP restriction, meaning anyone can upload objects to the bucket. Option A is incorrect because the GET action is restricted to the specified IP range. Options B and D are not indicated by the policy.

485
Multi-Select (hard)

An organization is automating cloud security group management across AWS, Azure, and GCP. Which TWO approaches provide centralized, auditable control? (Select TWO.)

Select 2 answers
A.Leverage infrastructure as code tools (e.g., Terraform) to define and enforce security group rules.
B.Require manual approval for every security group change through a ticketing system.
C.Disable logging on security group changes to reduce performance impact.
D.Use cloud provider CLI commands (e.g., AWS CLI, Azure CLI) in scripts to update security groups.
E.Store service account credentials directly in automation scripts for simplicity.
Answers: A, D

IaC provides a single source of truth and automates enforcement across multiple clouds.

Why this answer

IaC (A) enforces security baselines as code, and cloud provider CLI scripts (D) can automate changes. Storing credentials in scripts (E) is insecure, manual approval of every change (B) defeats automation, and disabling logging (C) removes the audit trail.

486
Multi-Selecthard

A security administrator is reviewing a Python script used to automate compliance checks across cloud resources. The script uses environment variables for API tokens. Which of the following are secure coding practices that should be implemented in this script? (Select TWO.)

Select 2 answers
A.Use try-except blocks to handle exceptions gracefully
B.Use os.system() to run shell commands for resource management
C.Hardcode API tokens as fallback if environment variables are missing
D.Validate that required environment variables exist before proceeding
E.Log the API tokens for troubleshooting purposes
AnswersA, D

Why this answer

Option A is correct because using try-except blocks in Python allows the script to catch and handle exceptions (e.g., missing environment variables, API call failures) gracefully without crashing. This is a fundamental secure coding practice that prevents unhandled errors from exposing sensitive information or causing unpredictable behavior in automated compliance checks.

Exam trap

Cisco often tests the misconception that hardcoding fallback values or logging sensitive data is acceptable for troubleshooting, but the trap here is that both practices directly violate secure coding principles by exposing secrets, while os.system() is a known anti-pattern for command execution in Python.

Why the other options are wrong

B

os.system is vulnerable to injection; prefer subprocess with parameterized commands.

C

Hardcoding tokens is insecure and defeats the purpose of using environment variables.

E

Logging credentials exposes them in logs, which is a security risk.

487
MCQmedium

An organization wants to ensure that its supply chain vendors are compliant with its security policies. Which of the following is the MOST effective approach?

A.Conduct on-site audits of all vendors.
B.Include security requirements in contracts and rely on legal remedies.
C.Require vendors to complete a self-assessment questionnaire.
D.Implement a continuous monitoring program using automated tools.
AnswerD

Continuous monitoring provides ongoing visibility into vendor security and reduces manual effort.

Why this answer

Option D is correct because continuous monitoring offers real-time visibility and is scalable for a large vendor base, aligning with best practices for third-party risk management.

488
MCQeasy

Which of the following is a primary purpose of using code signing for application deployment?

A.To encrypt the application code
B.To verify the integrity and authenticity of the code
C.To prevent reverse engineering
D.To speed up application deployment
AnswerB

Why this answer

Code signing uses a digital signature (typically RSA or ECDSA) to bind the publisher's identity to the code. The primary purpose is to verify both the integrity (the code has not been tampered with) and the authenticity (the code comes from a trusted source) before deployment. This is achieved by hashing the code and signing the hash with the publisher's private key; the recipient verifies the signature using the publisher's public certificate.

Exam trap

Cisco often tests the misconception that code signing provides encryption or obfuscation, when in fact it only provides integrity and authenticity verification without hiding the code content.

Why the other options are wrong

A

Encryption is for confidentiality; code signing does not encrypt the code.

C

Code signing does not prevent reverse engineering; obfuscation or other techniques are used for that.

D

Code signing adds overhead, not speed.

489
MCQhard

Given the exhibit, what is the MOST likely scenario?

A.A misconfigured application is sending malformed data to a server.
B.An external attacker is scanning the internal network.
C.An internal host is compromised and attacking an external web server.
D.A web vulnerability scanner is performing authorized tests.
AnswerC

The host adapts to the firewall rules and launches a SQL injection attack.

Why this answer

Option C is correct. The internal host 10.0.1.100 initially tried to connect to port 80 (HTTP) but was denied, then used port 443 (HTTPS) which was allowed, and then performed SQL injection on the web server. This suggests the host is compromised and attempting to attack an external server via HTTPS to bypass firewall rules.

Option A is wrong because the traffic is outbound, not inbound. Option B is wrong because SQL injection is detected, and the pattern is deliberate. Option D is wrong because the host is active.

490
Multi-Selecteasy

A security architect is designing a secure remote access solution for contractors who need temporary access to a few internal applications. Which THREE of the following are best practices for controlling contractor access? (Select THREE.)

Select 3 answers
A.Allow contractors to use a shared account for simplicity
B.Implement just-in-time (JIT) temporary privilege elevation
C.Create time-limited accounts that expire automatically
D.Provide full network-level VPN access
E.Use a VPN with application-level access control
AnswersB, C, E

JIT provides access only when needed, reducing the risk of unused standing privileges.

Why this answer

Time-limited accounts enforce temporary access, application-level VPNs restrict access to specific applications, and just-in-time (JIT) privileges reduce standing access. Full VPN access provides too much network access, shared accounts lack accountability, and permanent accounts are against least privilege.

491
Multi-Selecthard

A company is implementing a hardware security module (HSM) to protect cryptographic keys. The security architect must ensure the solution meets FIPS 140-2 Level 3 requirements. Which TWO of the following features are required for Level 3?

Select 2 answers
A.Role-based authentication only
B.Tamper-evident coatings and seals
C.Identity-based authentication for operators
D.Ability to export keys in plaintext
E.Tamper resistance with automatic zeroization
AnswersB, C

Level 3 requires tamper evidence.

Why this answer

FIPS 140-2 Level 3 requires tamper-evident coatings or seals and identity-based authentication, along with physical security. Tamper resistance with automatic zeroization is a Level 4 requirement. Role-based authentication is Level 3, but identity-based authentication is the more specific requirement.

Plaintext key export is disallowed at Level 3.

492
MCQhard

A multinational organization is adopting a zero trust architecture and needs to align its network segmentation with regulatory requirements. The compliance team has identified that certain data must be isolated to meet PCI DSS scope reduction. Which of the following design approaches BEST supports both zero trust and PCI DSS compliance?

A.Deploying VLANs to separate cardholder data from other traffic
B.Implementing microsegmentation with software-defined networking
C.Using network access control (NAC) to enforce endpoint compliance
D.Placing all systems that process cardholder data in a DMZ
AnswerB

Microsegmentation enables fine-grained, dynamic isolation and aligns with zero trust.

Why this answer

Microsegmentation with software-defined networking (SDN) enables granular, identity-aware isolation of workloads at the virtual network layer, which directly supports zero trust's 'never trust, always verify' principle by restricting lateral movement. For PCI DSS scope reduction, microsegmentation allows the organization to create a logical, auditable boundary around cardholder data environment (CDE) assets without relying on physical network topology, thereby reducing the scope of PCI DSS compliance assessments. This approach is superior because it provides dynamic, policy-driven segmentation that can adapt to regulatory changes while maintaining strict least-privilege access.

Exam trap

CompTIA often tests the misconception that VLANs are sufficient for security segmentation, but the trap here is that VLANs lack the identity-aware, dynamic policy enforcement and east-west traffic control required by zero trust, and they do not provide the auditable, scope-reducing isolation that PCI DSS demands.

How to eliminate wrong answers

Option A is wrong because VLANs operate at Layer 2 and provide only coarse, static segmentation that can be bypassed via VLAN hopping attacks (e.g., double tagging per IEEE 802.1Q) and do not enforce identity-based access controls required by zero trust. Option C is wrong because NAC (e.g., 802.1X) focuses on pre-admission endpoint compliance and posture assessment, not on isolating workloads or reducing PCI DSS scope; it does not provide the granular east-west traffic control needed for zero trust segmentation. Option D is wrong because placing all CDE systems in a DMZ violates the principle of least privilege by exposing them to untrusted networks, increases attack surface, and does not achieve scope reduction—PCI DSS requires isolation of CDE from untrusted networks, not exposure.

493
MCQhard

An organization is implementing a secure software development lifecycle. Which of the following practices BEST ensures that security requirements are addressed early in the development process?

A.Security training for developers
B.Code analysis after development
C.Threat modeling during design phase
D.Penetration testing before release
AnswerC

Threat modeling identifies threats early, allowing mitigation in design.

Why this answer

Threat modeling during the design phase identifies potential security issues before development, shifting security left. Penetration testing and code analysis are later activities, and training is important but does not directly address requirements early.

494
MCQmedium

Refer to the exhibit. A security analyst notices that users from the internet can reach the web server at 10.0.1.100 on port 443, but they cannot reach it on port 8443. What is the most likely cause?

A.The ACL only permits traffic from specific source IPs
B.The firewall rule order is incorrect
C.The web server is not listening on port 8443
D.The firewall is blocking all traffic on port 8443
AnswerC

If the server is not configured for port 8443, it will not respond.

Why this answer

The firewall ACL permits both ports, so the firewall is not the issue. The most likely cause is that the web server is not listening on port 8443. Option A is incorrect because the ACL permits any source.

Option B is incorrect because the ACL order is fine. Option D is incorrect because the ACL permits port 8443.

495
MCQmedium

An application uses a relational database and constructs SQL queries by concatenating user input. Which secure coding practice should be implemented to mitigate SQL injection?

A.Use stored procedures exclusively
B.Escape all user input with a database-specific escaping function
C.Implement parameterized queries / prepared statements
D.Use an ORM (Object-Relational Mapping) framework
AnswerC

Why this answer

Parameterized queries (prepared statements) separate SQL logic from user data by using placeholders (e.g., `?` in MySQLi or `:param` in PDO). The database driver automatically escapes the input values, ensuring they are treated as data, not executable code. This directly prevents SQL injection because the query structure is fixed before user input is bound.

Exam trap

Cisco often tests the misconception that stored procedures or ORMs are inherently safe, but the trap is that both can still be vulnerable if they allow dynamic SQL construction or raw query execution without parameterization.

Why the other options are wrong

A

Stored procedures can still be vulnerable if dynamic SQL is used within them.

B

Escaping is error-prone and not as reliable as parameterized queries.

D

ORMs can reduce risk but may still generate dynamic SQL if not used carefully.

496
Multi-Selecteasy

An analyst wants to automate incident response tasks in a SOC environment. Which THREE scripting languages are commonly used for automation? (Choose three.)

Select 3 answers
A.Python
B.PowerShell
C.Java
D.COBOL
E.Bash
AnswersA, B, E

Python is popular for its rich libraries and cross-platform support.

Why this answer

Python, Bash, and PowerShell are widely used for security automation due to cross-platform support, extensive libraries, and native system integration. Java is less common for quick automation, and COBOL is obsolete.

497
MCQhard

Refer to the exhibit. A web server is unable to connect to a local database socket. Which of the following actions would MOST likely resolve this issue?

A.Disable SELinux entirely
B.Restart the httpd service
C.Change the SELinux enforcing mode to permissive
D.Add an SELinux policy module to allow httpd_t to connect to unconfined_t
AnswerD

This creates a targeted policy rule to allow the specific connection while maintaining enforcement.

Why this answer

The SELinux denial indicates that the httpd process (in httpd_t domain) is not allowed to connect to a socket with context unconfined_t. Adding a custom SELinux policy module to allow this specific connection is the proper fix. Temporarily permissive mode or disabling SELinux is not a secure long-term solution.

Restarting the service will not change the policy.

498
MCQmedium

A security engineer is implementing a solution to securely store and manage cryptographic keys for a fleet of IoT devices. The devices have limited processing power and cannot perform asymmetric operations. Which of the following is the BEST approach?

A.Use a cloud-based Hardware Security Module (HSM) to generate and store keys, and provision them to devices during manufacturing.
B.Install a Trusted Platform Module (TPM) in each device to store keys on the device.
C.Use a cloud KMS to generate and wrap keys, then store the wrapped key in the device.
D.Store keys in obfuscated form in the device firmware and use a custom algorithm for encryption.
AnswerA

A cloud HSM provides secure key generation, storage, and lifecycle management; provisioning keys during manufacturing ensures they are not exposed.

Why this answer

Option A is correct because a cloud HSM offers secure key management and offloads cryptographic operations, which suits IoT devices that can only perform simple symmetric operations. Option B is wrong because a TPM is typically used for device identity and limited storage and does not scale for fleet management. Option C is wrong because key wrapping via a KMS still requires the IoT device to store keys, which is insecure.

Option D is wrong because storing keys in firmware is insecure; they can be extracted.

499
MCQhard

During a security review, a developer discovers that a containerized application runs with root privileges. Which of the following is the most secure approach to mitigate this risk while maintaining functionality?

A.Set the container to run as a non-root user and drop all unnecessary capabilities
B.Disable root login inside the container by modifying /etc/passwd
C.Use a read-only root filesystem for the container
D.Enable SELinux or AppArmor on the host
AnswerA

Why this answer

Running a container as a non-root user with dropped capabilities is the most secure approach because it follows the principle of least privilege. By default, containers run as root, which grants unnecessary kernel capabilities that could be exploited for privilege escalation. Setting a non-root user and using `--cap-drop=ALL` with selective `--cap-add` ensures the application retains only required permissions, reducing the attack surface without breaking functionality.

Exam trap

Cisco often tests the misconception that disabling root login or using filesystem restrictions (read-only) is sufficient, when the real risk is the container process running as UID 0 with full capabilities, which requires explicit user context and capability dropping to mitigate.

Why the other options are wrong

B

Disabling root login does not prevent the container process from running as root; the process still has root privileges.

C

A read-only filesystem limits writes but does not reduce privileges; the container still runs as root.

D

These are mandatory access control mechanisms that can confine a process, but they do not directly address the root privilege issue; combining with non-root user is better.

500
Multi-Selecthard

An organization is deploying a new cloud-based application that processes personally identifiable information (PII). The security team must ensure data at rest is encrypted. Which THREE of the following controls should be implemented to protect the data? (Select THREE.)

Select 3 answers
A.Use tokenization for all PII fields in the database.
B.Implement a key management system (KMS) with automatic key rotation.
C.Enable transparent data encryption (TDE) on the database.
D.Use AES-256 encryption for all stored data.
E.Configure TLS 1.3 for all data connections.
AnswersB, C, D

Proper key management and rotation are critical to maintaining encryption security.

Why this answer

Option B is correct because a key management system (KMS) with automatic key rotation ensures that encryption keys are securely stored, rotated, and managed, which is essential for protecting data at rest. Without proper key management, encryption can be rendered ineffective if keys are compromised or stale. This control directly supports the confidentiality of PII stored in the cloud.

Exam trap

Cisco often tests the distinction between encryption for data at rest (e.g., TDE, AES-256, KMS) and encryption for data in transit (e.g., TLS), so candidates mistakenly select TLS as a data-at-rest control.

501
MCQmedium

A company is designing a new data center with high availability requirements. The network team proposes using virtualized network functions (VNFs) on commodity hardware to reduce costs. Which security consideration is MOST important when implementing this design?

A.Isolate VNFs to prevent lateral movement if one VNF is compromised
B.Ensure VNFs are deployed across multiple physical hosts for redundancy
C.Encrypt all traffic between VNFs to prevent eavesdropping
D.Implement quality of service (QoS) to guarantee bandwidth for critical VNFs
AnswerA

Isolation is critical because VNFs share a hypervisor; a compromise could spread.

Why this answer

Isolating VNFs is the most important security consideration because VNFs share the same hypervisor and commodity hardware, so a compromise in one VNF could allow an attacker to move laterally to other VNFs or the underlying host. Without proper isolation (e.g., using VLANs, VXLANs, or micro-segmentation), the entire multi-tenant environment is at risk, undermining the high-availability design.

Exam trap

The trap here is that candidates confuse operational requirements (redundancy, QoS, encryption) with security controls, overlooking that isolation is the foundational security measure in a shared virtualized environment.

How to eliminate wrong answers

Option B is wrong because deploying VNFs across multiple physical hosts for redundancy is a high-availability design requirement, not a security consideration; it does not address the risk of lateral movement or compromise. Option C is wrong because encrypting traffic between VNFs (e.g., with IPsec or TLS) protects data in transit but does not prevent a compromised VNF from attacking other VNFs on the same host; isolation is a prerequisite for security. Option D is wrong because QoS guarantees bandwidth for critical VNFs, which is a performance and availability concern, not a security control; it does not mitigate the risk of a VNF being compromised and used to pivot within the network.

502
MCQmedium

A security analyst is writing a script to scan container images for known vulnerabilities before deployment. Which of the following best practices should the analyst implement to ensure the script runs securely?

A.Hardcode API keys into the script for simplicity
B.Use parameterized queries or input sanitization for any user-supplied data
C.Run the script with root privileges to ensure it has access to all images
D.Store credentials in a world-readable configuration file
AnswerB

Why this answer

Option B is correct because input sanitization and parameterized queries prevent injection attacks when the script processes user-supplied data, such as image names or tags. In the context of container scanning, unsanitized input could lead to command injection or SQL injection if the script queries a vulnerability database. This aligns with secure coding practices for automation scripts, ensuring that the script does not inadvertently execute malicious commands or expose sensitive data.

Exam trap

Cisco often tests the principle of least privilege and secure credential handling in automation contexts, and the trap here is that candidates may choose root privileges (Option C) thinking it ensures full access to all images, overlooking the security risk of excessive permissions.

Why the other options are wrong

A

Hardcoding credentials is a major security risk; they can be exposed in version control.

C

Running with least privilege is a security best practice; root access increases the attack surface.

D

Credentials should be stored securely (e.g., vault, environment variables), not world-readable.

503
MCQeasy

A security architect is evaluating a new identity management solution. The requirement is to allow users to authenticate using their existing social media accounts while maintaining corporate control over access policies. Which architecture best meets this requirement?

A.Privileged access management (PAM) solution
B.Single sign-on (SSO) using a corporate LDAP directory
C.Public Key Infrastructure (PKI) with digital signatures
D.Federated identity management using Security Assertion Markup Language (SAML)
AnswerD

Federation allows external IdPs like social media, while the enterprise controls policies.

Why this answer

Federated identity management allows external identity providers (e.g., social media) to be used, while the enterprise retains policy control through a federation server. Option A is wrong because PAM describes privileged credential management. Option B is wrong because it describes SSO without federation.

Option C is wrong because PKI with digital signatures provides non-repudiation, not federated authentication.

504
MCQeasy

An organization needs to ensure consistent configuration across multiple Linux servers. They want to automate this process with a solution that requires minimal agent installation and uses push-based communication. Which approach is most appropriate?

A.Use PowerShell Desired State Configuration (DSC) with Linux extensions.
B.Use Ansible playbooks to define and enforce server configurations.
C.Run a Docker container on each server with a configuration management tool inside.
D.Deploy Puppet with a master server and agents on each system.
AnswerB

Ansible is agentless, uses SSH for push, and is widely used for configuration management.

Why this answer

Ansible is agentless and push-based via SSH, so Option B is correct. Option D (Puppet) is pull-based and requires agents on each system.

Option C (Docker) is for containers, not direct server configuration. Option A (PowerShell DSC) works well on Windows but is less common for Linux.

505
MCQhard

A company is implementing single sign-on using SAML 2.0. A security architect is reviewing the authentication flow and notices that the identity provider (IdP) does not digitally sign the SAML assertions. Which of the following is the most significant security risk?

A.The assertion could be modified in transit
B.The assertion could be intercepted and read
C.The IdP could be spoofed
D.The assertion could be replayed
AnswerA

Without a signature, the service provider cannot verify that the assertion was not tampered with, allowing attribute or identity changes.

Why this answer

Without signing, an attacker can modify the assertion in transit, potentially impersonating a user or altering attributes, leading to unauthorized access.

506
Multi-Selecthard

An incident responder is analyzing a compromised server. Which THREE indicators are MOST likely to confirm a successful attack?

Select 3 answers
A.Corrupted system files
B.Unusual outbound network connections
C.Multiple failed login attempts
D.High CPU usage due to legitimate processes
E.New unauthorized administrative accounts
AnswersA, B, E

Corrupted files can result from malware or unauthorized modification.

Why this answer

New unauthorized accounts indicate adversary persistence. Unusual outbound connections suggest command-and-control or data exfiltration. Corrupted system files are a sign of malware or unauthorized changes.

High CPU usage can be from legitimate loads, and failed logins are not proof of success.

507
Multi-Selecthard

Which THREE of the following are effective techniques for detecting advanced persistent threats (APTs) within a network? (Select exactly 3.)

Select 3 answers
A.Using signature-based intrusion detection systems (IDS) to match known attack patterns.
B.Conducting behavioral analysis of endpoint and network activity to detect unusual patterns.
C.Integrating threat intelligence feeds to correlate indicators of compromise (IOCs) with internal logs.
D.Implementing anomaly-based network traffic analysis to identify deviations from baseline behavior.
E.Deploying honeypots to attract and analyze attacker behavior.
AnswersB, C, D

Behavioral analysis can uncover APT activities such as lateral movement and data exfiltration.

Why this answer

Behavioral analysis (option B) is effective against APTs because it establishes a baseline of normal activity and flags deviations, such as unusual lateral movement or data exfiltration patterns, which APTs often exhibit. Unlike signature-based methods, behavioral analysis can detect novel or zero-day attack techniques that do not match known signatures, making it a critical component of an advanced threat detection strategy.

Exam trap

Cisco often tests the distinction between detection techniques that rely on known indicators (signature-based) versus those that detect unknown threats (behavioral/anomaly-based), and candidates may mistakenly think signature-based IDS is sufficient for APTs because they focus on the 'advanced' aspect rather than the 'persistent' and 'unknown' nature of the threat.

508
MCQmedium

A security architect is reviewing the network segmentation of a healthcare organization that must comply with HIPAA. The current flat network allows all devices to communicate. Which segmentation approach provides the best balance of security and manageability?

A.Create a physical air gap between all systems
B.Assign each device its own VLAN with no inter-VLAN routing
C.Segment using VLANs and ACLs to limit traffic to necessary flows
D.Place all critical systems in a single DMZ subnet
AnswerC

VLANs with ACLs provide logical isolation, reducing attack surface while maintaining manageability.

Why this answer

Implementing VLANs with access control lists (ACLs) to restrict communication between segments provides logical isolation without requiring new hardware. Air gaps are impractical. DMZ for all systems is not appropriate.

Full 1:1 VLAN per device is unmanageable.

509
MCQhard

A security architect is designing a system that must comply with FedRAMP Moderate controls. The system will use a cloud service provider (CSP) that is already FedRAMP Authorized. What is the primary benefit of using this CSP?

A.The agency no longer needs to conduct any risk assessments
B.The CSP guarantees 100% security
C.The system automatically complies with all international regulations
D.The CSP's authorization can be reused, reducing the agency's assessment burden
AnswerD

It leverages the existing authorization.

Why this answer

The primary benefit of using a FedRAMP Authorized CSP is that the CSP has already undergone a rigorous third-party assessment and continuous monitoring process. This allows the agency to reuse the existing authorization (via the 'JAB' or agency Provisional Authorization), significantly reducing the time, cost, and effort required for the agency's own assessment and authorization (ATO) process. It does not eliminate the agency's responsibility for risk management or compliance with FedRAMP Moderate controls, but it leverages the CSP's proven security posture.

Exam trap

Cisco often tests the misconception that FedRAMP authorization absolves the agency of all compliance work, when in fact the agency must still perform a system-specific risk assessment and maintain its own ATO for the overall system.

How to eliminate wrong answers

Option A is wrong because the agency is still required to conduct its own risk assessments, including a system-specific risk assessment for the overall system and the CSP's inherited controls; FedRAMP authorization does not eliminate the agency's risk management responsibilities. Option B is wrong because no CSP or system can guarantee 100% security; FedRAMP authorization indicates a baseline of security controls have been implemented and assessed, but residual risk always remains. Option C is wrong because FedRAMP is a U.S. federal program and does not automatically confer compliance with international regulations such as GDPR, ISO 27001, or the EU Cloud Code of Conduct; separate assessments are needed for international frameworks.

510
Multi-Selecthard

Which THREE of the following are essential components of a secure software development lifecycle (SSDLC)?

Select 3 answers
A.Continuous deployment
B.Static application security testing (SAST)
C.Code signing
D.Threat modeling
E.Penetration testing
AnswersB, D, E

SAST analyzes source code for vulnerabilities during the development phase.

Why this answer

Threat modeling identifies risks early; SAST automates code scanning for vulnerabilities; penetration testing validates security controls. Code signing ensures integrity but is not a core SSDLC process; continuous deployment is a DevOps practice, not a security activity.
