CCNA Security Engineering Questions

75 of 97 questions · Page 1/2 · Security Engineering · Answers revealed

1
MCQ · hard

A network administrator is troubleshooting connectivity issues. Based on the exhibit, which of the following is true about the iptables rules?

A. New connections from the internet to 10.0.1.0/24 are allowed.
B. All traffic is allowed by default because the policy is ACCEPT.
C. Traffic from 10.0.1.0/24 to the internet is allowed, but return traffic is only allowed if it is part of an established connection.
D. The rules apply to incoming traffic on the firewall itself.
Answer: C

The first rule matches new and established traffic from 10.0.1.0/24; the second matches only established traffic back.

Why this answer

Option C is correct because the rule '-A FORWARD -s 10.0.1.0/24 -j ACCEPT' allows outbound traffic from the 10.0.1.0/24 subnet to the internet, and the rule '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT' permits only return traffic that belongs to an existing connection. New inbound connections from the internet match neither rule and are dropped by the FORWARD chain's default policy; the INPUT chain likewise has a default policy of DROP.

Exam trap

The trap here is that candidates often confuse the FORWARD chain with the INPUT chain, assuming that rules in the FORWARD chain apply to traffic destined for the firewall itself, or they overlook that the default policy for the FORWARD chain is DROP (not ACCEPT) unless explicitly set to ACCEPT in the exhibit.

How to eliminate wrong answers

Option A is wrong because the FORWARD chain's default policy is DROP (not shown but implied by the rules), and there is no rule allowing new connections from the internet to 10.0.1.0/24; only ESTABLISHED,RELATED traffic is allowed back. Option B is wrong because ACCEPT is not the default policy for every chain: the INPUT chain has a default policy of DROP, and new connections through the FORWARD chain are not allowed (no default ACCEPT is listed for FORWARD in the exhibit); thus, not all traffic is allowed by default. Option D is wrong because the rules shown are in the FORWARD chain, which applies to traffic being routed through the firewall, not to incoming traffic destined for the firewall itself (which would be handled by the INPUT chain).

2
Multi-Select · medium

A security engineer is evaluating options for securing firmware updates on IoT devices. Which TWO methods provide integrity verification of the update?

Select 2 answers
A. Obfuscation of the firmware code
B. AES encryption of the firmware
C. Hash-based message authentication code (HMAC)
D. Digital signature verification
E. Secure Boot
Answers: C, D

HMAC uses a shared key to create a tag that verifies integrity and authenticity.

Why this answer

Correct: Digital signature verification and HMAC. Digital signatures use asymmetric cryptography to ensure authenticity and integrity. HMAC uses a shared secret to verify integrity.

AES encryption alone does not provide integrity, obfuscation is not security, and secure boot is about boot-time integrity, not update verification.

3
Multi-Select · medium

Which TWO of the following are considered secure design principles for cryptographic systems?

Select 2 answers
A. Implement custom encryption algorithms designed in-house
B. Use the same key for encryption and authentication to reduce complexity
C. Use well-vetted, standard cryptographic algorithms
D. Rely on secrecy of the algorithm for security
E. Generate cryptographic keys using a cryptographically secure random number generator
Answers: C, E

Standard algorithms have been analyzed for weaknesses.

Why this answer

Option C is correct because using well-vetted, standard cryptographic algorithms (e.g., AES, RSA, ECDSA) ensures the system benefits from years of public scrutiny, rigorous cryptanalysis, and proven security properties. Proprietary or custom algorithms often contain undiscovered vulnerabilities, making them unsuitable for secure systems.

Exam trap

CompTIA often tests the misconception that 'custom algorithms' or 'security through obscurity' can be acceptable in secure design, when in fact they are explicitly rejected in favor of open, peer-reviewed standards and key separation.

4
MCQ · medium

A security engineer is deploying a wireless network for a high-security facility. Which protocol should be used to provide the strongest authentication and encryption for client devices?

A. WEP with 128-bit key
B. WPA2-PSK with AES
C. WPA3-Enterprise with 802.1X
D. WPA3-Personal with SAE
Answer: C

WPA3-Enterprise uses individual credentials and stronger encryption than WPA2.

Why this answer

WPA3-Enterprise with 802.1X provides per-user authentication using EAP and the strongest encryption (GCMP-256). WPA2-PSK uses a shared passphrase, WPA3-Personal uses SAE but still relies on a shared passphrase rather than individual credentials, and WEP is obsolete.

5
Multi-Select · medium

A security architect is evaluating web application firewall (WAF) features to protect against common attacks. Which TWO of the following attacks can a WAF most effectively prevent?

Select 2 answers
A. Session hijacking
B. Cross-site scripting (XSS)
C. SQL injection
D. Distributed denial-of-service (DDoS)
E. Cross-site request forgery (CSRF)
Answers: B, C

WAFs can detect and block reflected/stored XSS.

Why this answer

SQL injection and XSS are application-layer attacks that a WAF can detect and block based on signatures or heuristics. CSRF requires tokens, and session hijacking is often at the network layer.

6
MCQ · easy

An organization wants to implement a solution that ensures data cannot be read if a storage device is physically stolen. Which encryption approach BEST meets this requirement?

A. Transport Layer Security (TLS) for network traffic
B. File-level encryption on sensitive documents
C. Database column-level encryption for stored data
D. Full disk encryption (FDE) on the storage device
Answer: D

Encrypts all data on the device, protecting against physical theft.

Why this answer

Full disk encryption (FDE) encrypts the entire storage device at the block level, including the operating system, applications, and all data. If the device is physically stolen, the data remains unreadable without the decryption key or passphrase, as the encryption is transparent and covers all sectors of the drive. This directly addresses the requirement of protecting data at rest on a stolen storage device.

Exam trap

Cisco often tests the distinction between encryption of data in transit (TLS) and encryption of data at rest (FDE), leading candidates to mistakenly choose a network encryption solution when the question explicitly involves a stolen storage device.

How to eliminate wrong answers

Option A is wrong because Transport Layer Security (TLS) encrypts data in transit over a network, not data at rest on a storage device; it does not protect against physical theft of the device. Option B is wrong because file-level encryption only encrypts individual files or folders, leaving metadata, temporary files, and the operating system unencrypted, which can expose sensitive data if the device is stolen. Option C is wrong because database column-level encryption protects specific columns within a database, but it does not encrypt the underlying storage device, leaving other data (e.g., logs, swap files, or the database engine itself) exposed upon physical theft.

7
MCQ · easy

A large financial organization is migrating its on-premises authentication infrastructure to a cloud-based identity provider (IdP) to support a hybrid workforce. Currently, on-premises Active Directory is used with smart cards for authentication. The cloud IdP will support SAML 2.0 and OAuth 2.0. The security team requires that all authentication to cloud applications be protected by hardware-backed keys and that user credentials never leave the on-premises network. The solution must also support FIDO2 authentication for passwordless logins. During a pilot, users report that after authenticating to the cloud IdP using their smart cards, they are prompted again for credentials when accessing certain cloud applications. The logs show that the cloud IdP is issuing multiple authentication requests to the on-premises AD Federation Services (AD FS). The CISO is concerned about performance and security of repeated authentication. As a security architect, what is the best course of action?

A. Deploy a hardware security module (HSM) on-premises and integrate it with AD FS to perform certificate-based authentication and issue short-lived tokens.
B. Implement a reverse proxy to cache authentication tokens and replay them to cloud applications.
C. Implement a conditional access policy in the cloud IdP to skip authentication for trusted devices based on device compliance.
D. Configure AD FS to pass through the smart card certificate to the cloud IdP and enable seamless SSO by using the certificate as a security token.
Answer: D

Passing the certificate allows the cloud IdP to directly authenticate the user without additional prompts, leveraging hardware-backed keys.

Why this answer

Option D is correct because it solves the repeated authentication issue by having AD FS pass the smart card certificate to the cloud IdP, allowing the cloud IdP to accept the certificate as a valid security token for seamless SSO. This keeps credentials on-premises and leverages hardware-backed keys. Option B is wrong because caching authentication tokens on a reverse proxy introduces security risks and does not solve the fundamental issue of token trust.

Option A is wrong because although HSM integration improves key security, it still may not eliminate re-prompting if the cloud IdP does not trust the AD FS token. Option C is wrong because conditional access policies based on device compliance do not address the authentication chaining problem.

8
MCQ · hard

A security engineer is tasked with designing a cryptographic solution to protect data at rest in a multi-tenant cloud storage system. Each tenant's data must be encrypted with a unique key, and the system must support key rotation with minimal performance impact. Which of the following is the BEST approach?

A. Generate a unique key per tenant and encrypt each key with a master key, then store both in the same database column.
B. Implement envelope encryption: generate a unique data encryption key (DEK) per tenant, encrypt each DEK with a key encryption key (KEK) stored in an HSM, and store the wrapped DEK alongside the data.
C. Use a single master key for all tenants and store the key in a hardware security module (HSM) with access controls.
D. Implement a periodic key rotation schedule that rotates all tenant keys every month manually.
Answer: B

Envelope encryption allows per-tenant isolation, easy key rotation (by rewrapping DEKs with new KEKs), and minimal performance impact since data is not re-encrypted on rotation.

Why this answer

Option B is correct because envelope encryption with a unique data key per tenant allows independent rotation and minimizes performance impact by only wrapping new data keys. Option A is wrong because storing the wrapped keys and the master key in the same database column violates separation. Option C is wrong because a single master key for all tenants violates isolation; if compromised, all data is at risk.

Option D is wrong because a monthly manual rotation of all keys does not provide per-tenant isolation; also, key synchronization can be complex.

9
MCQ · medium

A security analyst is reviewing an AppArmor profile for an application. Based on the exhibit, which action would the application be denied?

A. Send a UDP packet to a remote server
B. Override discretionary access controls
C. Write to /var/log/app.log
D. Write to a file in /etc/config/
Answer: D

Only read is allowed on /etc/config/*; write is denied.

Why this answer

AppArmor profiles restrict applications by path and capability. The profile shown does not include any rule allowing write access to /etc/config/, so any write attempt to that directory or its files would be denied. This is because AppArmor enforces mandatory access control based on the profile's explicit allow rules.

Exam trap

CompTIA often tests the misconception that AppArmor denies all actions not explicitly allowed, but candidates may overlook that network and capability rules are separate from file path rules, leading them to incorrectly assume a default allow for network or capability operations.

How to eliminate wrong answers

Option A is wrong because the profile does not restrict network access via UDP; AppArmor uses network rules (e.g., 'network udp') to deny such traffic, and none are present. Option B is wrong because overriding discretionary access controls (DAC) is a capability (e.g., CAP_DAC_OVERRIDE) that must be explicitly granted in the profile; the profile shown does not include any capability entries, so it is not denied by default; AppArmor denies capabilities only if they are not listed. Option C is wrong because the profile includes a rule allowing write access to /var/log/app.log (e.g., '/var/log/app.log rw'), so the application can write to that file.

10
MCQ · easy

A security engineer must select a cryptographic algorithm to ensure non-repudiation for digitally signed documents. Which algorithm is most appropriate?

A. RSA with SHA-256
B. HMAC-SHA256
C. AES-256 in GCM mode
D. Elliptic Curve Diffie-Hellman (ECDH)
Answer: A

RSA is an asymmetric algorithm, and combined with SHA-256, it produces a digital signature that binds the signer's identity, providing non-repudiation.

Why this answer

Option A is correct because RSA with SHA-256 combines asymmetric signing with hashing to produce a digital signature, ensuring non-repudiation. Option C is wrong because AES is symmetric and does not provide non-repudiation. Option B is wrong because HMAC is symmetric and does not provide non-repudiation.

Option D is wrong because ECDH is a key exchange algorithm, not a signature algorithm.

11
MCQ · easy

A security engineer needs to implement a solution that provides both confidentiality and integrity for data at rest. Which cryptographic method BEST meets these requirements?

A. AES-256-GCM
B. SHA-256
C. Diffie-Hellman
D. RSA-2048
Answer: A

AES-256-GCM provides both encryption and authentication, satisfying confidentiality and integrity requirements.

Why this answer

AES-256-GCM is an authenticated encryption mode that provides both confidentiality (encryption) and integrity (authentication) in a single algorithm. RSA-2048 is asymmetric and does not provide data integrity directly. SHA-256 is a hash function only.

Diffie-Hellman is a key exchange protocol.

12
MCQ · easy

A company is deploying a wireless network for guests. Which security measure is most important to prevent unauthorized users from accessing internal resources?

A. Use WPA2-Enterprise with 802.1X
B. Disable SSID broadcast
C. Implement MAC address filtering
D. Place the guest network on a separate VLAN with no access to internal subnets
Answer: D

VLAN segmentation restricts traffic between guest and internal networks.

Why this answer

Network segmentation ensures guests cannot reach internal systems even if they are on the same physical infrastructure.

13
MCQ · medium

A security engineer is evaluating the use of AES-256-GCM for encrypting sensitive data in transit. They note that the Additional Authenticated Data (AAD) field is empty. What is the security implication?

A. The cipher is secure, but the missing AAD may allow an attacker to replace the ciphertext with another valid ciphertext from a different context, causing a potential mix-and-match attack.
B. The cipher is still secure, but missing AAD offers no additional protection against man-in-the-middle attacks.
C. The encryption provides no authentication because AAD is missing.
D. The cipher becomes vulnerable to key recovery attacks because AAD is missing.
Answer: A

Without AAD, an attacker could take a valid ciphertext from one session and insert it into another, if the same key is used, leading to potential data confusion.

Why this answer

Option A is correct because AAD provides context binding; without it, an attacker could potentially substitute ciphertexts from different contexts. Option C is wrong because AES-256-GCM provides authentication even without AAD. Option D is wrong because the IV is not derived from the key; missing AAD does not affect key recovery.

Option B is wrong because AAD is optional but recommended; the cipher is still secure, just less context bound.

14
MCQ · easy

A security architect is designing a web application that handles sensitive customer data. The application must ensure that if one server is compromised, the attacker cannot access the private keys used for TLS termination. Which of the following approaches best meets this requirement?

A. Store the private keys in an encrypted database on a separate database server.
B. Use a software-based key vault that runs on the same operating system as the web server.
C. Use a hardware security module (HSM) to generate and store the private keys, performing TLS termination on the HSM.
D. Store the private keys in a local file with restricted permissions on the application server.
Answer: C

HSM provides tamper-resistant storage and performs cryptographic operations without exposing keys.

Why this answer

Option C is correct because a Hardware Security Module (HSM) provides a dedicated, tamper-resistant cryptographic processor that generates, stores, and manages private keys in hardware, never exposing them to the application server's memory or filesystem. By performing TLS termination directly on the HSM, the private keys remain isolated even if the web server is compromised, meeting the requirement for key confidentiality.

Exam trap

The trap here is that candidates often assume encrypting keys at rest (Option A) or using OS-level permissions (Option D) is sufficient, but the CAS-004 exam emphasizes that any software-based storage, even if encrypted, still exposes the key during runtime operations like TLS termination.

How to eliminate wrong answers

Option A is wrong because storing private keys in an encrypted database on a separate server still exposes the keys to the application server during decryption (the keys must be loaded into memory to terminate TLS), and a compromised server could extract them from memory or intercept the decryption process. Option B is wrong because a software-based key vault running on the same OS as the web server shares the same attack surface; if the OS is compromised, the vault's memory and files can be accessed, allowing key extraction. Option D is wrong because storing private keys in a local file with restricted permissions relies solely on OS-level access controls, which are bypassed if the attacker gains root or equivalent privileges on the compromised server.

15
MCQ · easy

An organization wants to implement a hardware security module (HSM) to protect cryptographic keys. Which of the following is a primary benefit of using an HSM?

A. Faster key generation than software
B. Reduced network latency for encryption
C. Automatic cloud backup of keys
D. Tamper-resistant key storage
Answer: D

HSMs are designed to protect keys from physical and logical attacks.

Why this answer

An HSM provides tamper-resistant key storage by using physical and logical safeguards, such as tamper switches, epoxy potting, and zeroization circuits, that destroy cryptographic keys if an attacker attempts to access the hardware. This ensures that private keys remain secure even if the device is compromised, which is a primary requirement for compliance with standards like FIPS 140-2 Level 3 or 4. Software-based storage cannot offer the same level of physical protection against extraction attacks.

Exam trap

The trap here is that candidates confuse the security benefit of tamper-resistant storage with performance improvements like faster key generation or reduced latency, which are not primary HSM advantages and are often worse than software alternatives.

How to eliminate wrong answers

Option A is wrong because HSMs typically have slower key generation than optimized software implementations due to hardware constraints and the overhead of tamper-proofing mechanisms; software can leverage CPU cryptographic instructions (e.g., AES-NI) for faster generation. Option B is wrong because an HSM does not reduce network latency for encryption; it may actually increase latency due to the need for network communication to the HSM (e.g., via PKCS#11 or KMIP) compared to local software encryption. Option C is wrong because automatic cloud backup of keys is not a built-in HSM feature; cloud backup would require additional configuration and introduces security risks that HSMs are designed to mitigate, and many compliance frameworks prohibit exporting keys from an HSM.

16
MCQ · easy

A security engineer is designing a secure communication channel between two internal systems over an untrusted network. Which protocol should be used to ensure both confidentiality and integrity of data in transit?

A. SSH
B. TLS
C. HTTPS
D. IPsec
Answer: B

TLS provides encryption (confidentiality) and MAC (integrity), suitable for any TCP-based communication.

Why this answer

TLS provides encryption for confidentiality and MAC for integrity, making it the best choice for secure communication over an untrusted network.

17
Multi-Select · medium

A security engineer is designing a secure wireless network for a corporate office. Which TWO configurations should be implemented to maximize security?

Select 2 answers
A. WPA2-PSK
B. WPA3-Enterprise
C. MAC address filtering
D. 802.1X with EAP-TLS
E. Disable SSID broadcast
Answers: B, D

WPA3-Enterprise provides stronger encryption and authentication than WPA2.

Why this answer

WPA3-Enterprise provides the strongest encryption and authentication. 802.1X with EAP-TLS allows certificate-based authentication, further enhancing security. WPA2-PSK is vulnerable to brute force attacks. Disabling SSID broadcast and MAC filtering are security-through-obscurity measures and do not provide real protection.

18
MCQ · medium

A company is deploying IoT sensors in a remote area with limited connectivity. The sensors must be able to securely transmit data using minimal bandwidth. Which protocol should the engineer choose?

A. SNMPv3
B. HTTPS
C. MQTT with TLS
D. SSH
Answer: C

MQTT is designed for low-bandwidth, high-latency networks and TLS provides security.

Why this answer

MQTT with TLS is a lightweight publish-subscribe protocol that uses minimal bandwidth and provides security through TLS. HTTPS has higher overhead. SSH is not designed for many-to-one telemetry.

SNMPv3 is for network management, not general IoT data.

19
MCQ · hard

During a security review, it is discovered that a critical application uses hardcoded cryptographic keys. The development team refactors the code to retrieve keys from a centralized key management system (KMS) using role-based access control. Which additional practice should be implemented to minimize the risk of key compromise?

A. Log every key access without rotation
B. Use a single, long key to reduce management overhead
C. Implement key expiration and automated rotation
D. Store keys in a hardware security module only
Answer: C

Regularly rotating keys limits the time an attacker can use a compromised key.

Why this answer

Rotation reduces the window of exposure if a key is compromised, and automating it ensures consistency.

20
Multi-Select · medium

A security architect is designing a secure software development pipeline. The organization wants to ensure that code is thoroughly analyzed before deployment. Which TWO of the following should be integrated into the pipeline to identify vulnerabilities early? (Select TWO.)

Select 2 answers
A. Static application security testing (SAST)
B. Software composition analysis (SCA)
C. Fuzz testing
D. Dynamic application security testing (DAST)
E. Penetration testing
Answers: A, B

SAST analyzes source code without executing it, identifying vulnerabilities early.

Why this answer

SAST (Static Application Security Testing) analyzes source code, bytecode, or binary code without executing it, scanning for vulnerabilities like SQL injection, buffer overflows, and insecure cryptographic functions. Integrating SAST early in the pipeline (shift-left) allows developers to fix issues before compilation, reducing remediation cost and risk. SCA (Software Composition Analysis) identifies known vulnerabilities in third-party libraries and open-source components by comparing dependency versions against databases like the National Vulnerability Database (NVD).

Both tools are non-intrusive and can be automated in CI/CD pipelines to catch flaws before deployment.

Exam trap

Cisco often tests the distinction between static and dynamic analysis by presenting SAST and DAST as equally valid early-stage options, but the trap is that DAST requires a running application and cannot be integrated before deployment, making SAST and SCA the only correct choices for early vulnerability identification.

21
MCQ · easy

An organization is deploying a new application that processes sensitive user data. The security team recommends using a dedicated cryptographic module. Which standard should the module comply with to ensure it is validated for security?

A. ISO 27001
B. PCI DSS
C. NIST SP 800-53
D. FIPS 140-2
Answer: D

FIPS 140-2 is the standard for cryptographic module validation, ensuring hardware and software meet security requirements.

Why this answer

FIPS 140-2 (or its successor 140-3) is the U.S. government standard for validating cryptographic modules. NIST SP 800-53 is for security controls, PCI DSS for payment card data, and ISO 27001 for management systems.

22
MCQ · medium

An organization is deploying hardware security modules (HSMs) to protect cryptographic keys used for digital signatures. Which attack vector is most effectively mitigated by using an HSM compared to storing keys in software?

A. Side-channel attacks on the host CPU
B. Key extraction from memory dumps
C. Man-in-the-middle attacks on cryptographic operations
D. Brute-force attacks on key strength
Answer: B

HSMs keep keys in hardware, so even if an attacker gains access to the host, keys cannot be extracted from memory.

Why this answer

HSMs protect keys from extraction even if the host system is compromised, making them resistant to key extraction attacks.

23
MCQ · easy

An organization wants to implement a zero-trust architecture for remote access. Which of the following is the MOST important component?

A. RAID 5
B. Syslog server
C. VPN concentrator
D. Micro-segmentation
Answer: D

Micro-segmentation enforces granular access controls and limits lateral movement, a core zero-trust concept.

Why this answer

Micro-segmentation is fundamental to zero-trust because it restricts lateral movement by dividing the network into small, isolated segments. VPN concentrators are traditional perimeter controls. RAID 5 is storage redundancy.

Syslog is logging.

24
MCQ · medium

The security engineer notices that SSH login attempts to 192.168.1.1 from the untrust zone are being blocked. Which policy misconfiguration is MOST likely causing this?

A. The application is incorrect
B. The source zone is not permitted
C. The log setting prevents connections
D. The destination address is incorrect
Answer: B

The policy only allows source zone vpn; untrust is not allowed, causing the block.

Why this answer

The Remote-Admin policy only permits traffic from the vpn zone, not untrust. Therefore, SSH attempts from untrust are implicitly denied by the firewall's default deny policy. The destination address and application are correctly specified.

The log setting does not affect access. A policy for SSH from untrust is missing.

25
Drag & Drop · medium

Drag and drop the steps to implement a DLP policy to prevent credit card data exfiltration via email into the correct order.


Why this order

DLP implementation: classify data, create policy, define match condition, set action, then enable and test.

26
MCQ · easy

Refer to the exhibit. A security analyst is reviewing the firewall rule set for a corporate network. Which misconfiguration is present?

A. No default deny rule present
B. Overly permissive source IP addresses
C. Unnecessary allowed ports
D. Missing logging on permit rules
Answer: A

A deny rule should be the last rule to drop all other traffic; otherwise, it may be implicitly allowed.

Why this answer

The rule set lacks an explicit deny rule at the end. Without a default deny, traffic that does not match any rule may be implicitly permitted depending on the firewall platform. Most security best practices require a deny-all trailing rule to ensure only explicitly allowed traffic passes.

27
MCQ · medium

A data loss prevention (DLP) solution is being implemented to prevent sensitive data from leaving the corporate network. Which of the following is the most effective approach for detecting structured data like credit card numbers in outbound traffic?

A. Keyword matching
B. Regular expression matching
C. Machine learning classification
D. Exact file hash matching
Answer: B

Regular expressions can accurately match patterns like credit card number formats.

Why this answer

Regular expressions can match patterns like credit card numbers, while other methods are less precise or suited for different data types.

28
MCQ · medium

An administrator runs the above iptables command on a Linux server. The server is directly connected to the internet. Which of the following is the MOST significant security issue with this configuration?

A. The INPUT chain default policy is DROP, which will block legitimate traffic
B. The OUTPUT chain default policy is ACCEPT, allowing any outbound traffic
C. SSH (port 22) is allowed from any source, which is overly permissive
D. ICMP echo requests are allowed, which could be used for network reconnaissance
Answer: B

This could allow data exfiltration or command and control traffic.

Why this answer

The most significant security issue is that the OUTPUT chain default policy is ACCEPT, allowing any outbound traffic from the server. Since the server is directly connected to the internet, this means that if the server is compromised, an attacker can freely exfiltrate data, initiate outbound connections to command-and-control servers, or perform other malicious activities without any firewall restriction. A default DROP policy on the OUTPUT chain would require explicit rules for allowed outbound traffic, providing defense in depth.

Exam trap

The trap here is that candidates focus on inbound rules (like SSH or ICMP) because they are more familiar, but the exam tests understanding that a default ACCEPT on the OUTPUT chain is a critical security gap that enables data exfiltration and is often overlooked in firewall configurations.

How to eliminate wrong answers

Option A is wrong because the INPUT chain default policy is DROP, which is a security best practice to block unsolicited inbound traffic; legitimate traffic is explicitly allowed by rules (e.g., SSH on port 22, ICMP echo requests), so it does not block legitimate traffic. Option C is wrong because while allowing SSH from any source is overly permissive, it is less significant than the OUTPUT chain default ACCEPT, as SSH can be restricted to specific source IPs or a jump box, whereas a default ACCEPT on OUTPUT is a fundamental architectural flaw that enables data exfiltration. Option D is wrong because allowing ICMP echo requests is a common and generally acceptable practice for network troubleshooting; while it can aid reconnaissance, it is not the most significant issue compared to unrestricted outbound traffic.

29
MCQ · hard

A large enterprise recently migrated its critical applications to a hybrid cloud environment. The security team is concerned about the risk of privileged account abuse. They have implemented a privileged access management (PAM) solution that rotates passwords for service accounts after each use. However, during an incident response drill, the team discovers that an attacker who compromised a jump server was able to access multiple administrative consoles without re-authentication. Investigation reveals that the PAM solution uses session recording but does not enforce session termination; instead, it relies on the lifecycle of the token issued during initial authentication. The attacker captured a valid token and reused it from a different machine. Which of the following is the most effective remediation?

A. Implement token-binding by including the client's TLS certificate in the token
B. Require multi-factor authentication at each console access
C. Shorten the token lifetime to 30 seconds
D. Deploy a host-based intrusion detection system on the jump server
Answer: A

Token-binding binds the token to the device, ensuring it cannot be used elsewhere.

Why this answer

Token binding ties the token to the TLS client certificate of the device that authenticated, so a token copied off the jump server is rejected when it is presented from any other machine. Option B adds an authentication step at each console but does not stop a token captured after that step from being replayed within its lifetime. Option C only narrows the replay window and makes administrative sessions unusable.

Option D may detect activity on the jump server after the fact but does nothing to prevent a stolen token from being accepted elsewhere.
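The following is an added example, not code from the question bank or from any PAM product. It shows the mechanism Option A describes in the style of RFC 8705 certificate-bound tokens: the token carries the SHA-256 thumbprint of the client certificate in a "cnf" claim, and the verifier rejects the token unless the presenting connection's client certificate has the same thumbprint. The signing key, the certificate byte strings and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Added example (not from the question bank): a certificate-bound token in the style of
# RFC 8705. The "cnf" claim carries the SHA-256 thumbprint of the client's TLS certificate
# and the verifier refuses the token unless the presenting client's certificate matches.
# All names, keys and byte strings below are constructed.

SERVER_KEY = secrets.token_bytes(32)  # HMAC key held by the PAM / token issuer

# Constructed stand-ins for DER-encoded client certificates.
JUMP_SERVER_CERT = b"DER:CN=jump01.corp.example"
ATTACKER_CERT = b"DER:CN=attacker-laptop"


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256-style thumbprint: SHA-256 over the DER certificate, hex-encoded."""
    return hashlib.sha256(cert_der).hexdigest()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, client_cert_der: bytes, key: bytes = SERVER_KEY) -> str:
    """Issue payload.tag where the payload is bound to the authenticating client's cert."""
    claims = {
        "sub": subject,
        "cnf": {"x5t#S256": cert_thumbprint(client_cert_der)},
        "jti": secrets.token_hex(8),  # unique token id, so two issuances never collide
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, presented_cert_der: bytes, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the claims only if the MAC is valid AND the token is bound to this client cert."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
        return None  # forged or tampered token
    claims = json.loads(payload)
    bound = claims.get("cnf", {}).get("x5t#S256", "")
    if not hmac.compare_digest(bound, cert_thumbprint(presented_cert_der)):
        return None  # genuine token, wrong client: the replay seen in the drill
    return claims


if __name__ == "__main__":
    tok = issue_token("svc-dbadmin", JUMP_SERVER_CERT)
    print("presented from the jump server:", verify_token(tok, JUMP_SERVER_CERT) is not None)
    print("replayed from another machine: ", verify_token(tok, ATTACKER_CERT) is not None)
```

In a real deployment the thumbprint comes from the certificate the TLS layer validated on the current connection, not from anything the client sends in a header, otherwise the attacker simply copies the thumbprint along with the token.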

30
MCQeasy

A small business uses an on-premises Active Directory for user authentication. They want to enable employees to use their corporate credentials to access a SaaS application that supports SAML 2.0. The security administrator needs to set up a federation between the on-premises AD and the SaaS provider. Which of the following components must be deployed on-premises to act as a bridge between AD and the SAML identity provider?

A.RADIUS server
B.Active Directory Federation Services (AD FS)
C.Kerberos key distribution center (KDC)
D.Azure AD Connect
AnswerB

AD FS is a SAML 2.0 IdP that authenticates against AD.

Why this answer

Active Directory Federation Services (AD FS) is Microsoft's solution for federated identity and can act as the SAML IdP, integrating with AD.

31
MCQhard

During a security assessment, a penetration tester discovers that a web application uses a custom encryption algorithm to protect session tokens. According to secure engineering principles, what is the primary concern?

A.Performance overhead of the custom algorithm
B.Insufficient key length used in the algorithm
C.Incompatibility with modern browsers
D.Lack of peer review and cryptanalysis
AnswerD

Custom algorithms have not been scrutinized by the cryptographic community, making them vulnerable to undiscovered weaknesses.

Why this answer

Custom cryptographic algorithms often lack peer review and may contain subtle flaws that compromise security. The primary concern is the absence of public cryptanalysis, not performance, key length (assuming sufficient), or browser compatibility.

32
Multi-Selecthard

Which THREE of the following are common vulnerabilities in IoT devices? (Select THREE.)

Select 3 answers
A.Large storage capacity
B.Hardcoded credentials
C.Lack of secure boot
D.High compute power
E.Unencrypted communications
AnswersB, C, E

Many IoT devices ship with default or hardcoded credentials that cannot be changed.

Why this answer

Hardcoded credentials (Option B) are a common IoT vulnerability because manufacturers often embed default usernames and passwords (e.g., 'admin/admin') into device firmware for ease of deployment. Attackers can exploit these static credentials via SSH, Telnet, or web interfaces to gain unauthorized access, as seen in Mirai botnet attacks. This violates the principle of least privilege and secure credential management.

Exam trap

CompTIA often tests the misconception that hardware features like storage or compute power are vulnerabilities, when in fact the risks stem from insecure design choices (e.g., hardcoded credentials, lack of encryption) rather than raw capability.

33
Multi-Selecthard

Which THREE of the following are common techniques to mitigate side-channel attacks?

Select 3 answers
A.Disable CPU caching to prevent cache timing attacks
B.Implement constant-time algorithms for cryptographic operations
C.Add noise to power consumption or electromagnetic emissions
D.Ensure memory access patterns are independent of secret data
E.Use random delays in code execution paths
AnswersB, C, D

Constant-time execution prevents timing variations based on secret data.

Why this answer

Option B is correct because constant-time algorithms ensure that the execution time of cryptographic operations does not depend on secret data, such as keys. By avoiding conditional branches, early exits and variable-time instructions (e.g., some multiplications or secret-indexed memory accesses) whose cost varies with the input, these algorithms prevent attackers from inferring secrets through timing measurements. This is a fundamental mitigation against timing side channels, and validation schemes such as FIPS 140-3 expect implementations to address such non-invasive attacks.

Exam trap

CompTIA often tests the misconception that adding random delays (Option E) is a valid side-channel mitigation, but candidates must recognize that statistical averaging defeats such noise, whereas constant-time algorithms (Option B) and noise injection (Option C) are standard, effective techniques.

34
MCQmedium

A network administrator is configuring a firewall rule set. The requirement is to allow inbound HTTPS traffic from the internet to a web server at 10.1.1.10, and to allow the web server to respond. All other inbound traffic should be blocked. Which rule set accomplishes this?

A.Allow inbound TCP 80 to 10.1.1.10; allow outbound TCP from 10.1.1.10; deny all inbound
B.Allow inbound TCP 443 to 10.1.1.10; allow outbound TCP from 10.1.1.10; deny all inbound
C.Deny all inbound; allow inbound TCP 443 to 10.1.1.10; allow outbound TCP from 10.1.1.10
D.Allow inbound TCP 22 to 10.1.1.10; allow outbound TCP from 10.1.1.10; deny all inbound
AnswerB

Correctly permits HTTPS and related responses.

Why this answer

Option B is correct because HTTPS uses TCP port 443, and the rule set correctly allows inbound TCP 443 to the web server at 10.1.1.10, permits the server's outbound responses (stateful or explicit), and then denies all other inbound traffic. This matches the requirement to allow only HTTPS traffic from the internet while blocking everything else.

Exam trap

The trap here is that candidates often overlook rule order and choose Option C, thinking a 'deny all' at the top is safe, but it actually blocks the intended traffic before the allow rule is processed.

How to eliminate wrong answers

Option A is wrong because it allows inbound TCP port 80 (HTTP), not HTTPS (TCP 443), so it does not meet the requirement for HTTPS traffic. Option C is wrong because the order of rules matters: placing 'deny all inbound' first would block all inbound traffic, including the intended HTTPS traffic, before the allow rule is evaluated. Option D is wrong because it allows inbound TCP port 22 (SSH), which is not HTTPS and would permit unauthorized administrative access, violating the requirement to block all other inbound traffic.

35
MCQhard

An organization is migrating to a hybrid cloud model. The security policy mandates that all keys used for data encryption must be managed on-premises. Which key management solution should be used?

A.Cloud KMS with BYOK
B.HSM on-premises with key escrow
C.Software-based key store on-premises
D.Cloud HSM
AnswerB

On-premises HSM keeps keys locally, satisfying the policy; key escrow provides backup.

Why this answer

An on-premises Hardware Security Module (HSM) ensures keys never leave the local environment. BYOK still involves key material being processed in the cloud. Cloud HSM is managed by the provider.

Software key stores lack physical security.

36
MCQhard

A security analyst reviews logs from a web application firewall (WAF) and notices that an attacker is bypassing the WAF by encoding malicious payloads using base64 and then sending them in HTTP headers. Which WAF configuration change would BEST detect and block such attacks?

A.Enable geoblocking to restrict traffic from the attacker's country
B.Implement strict HTTP protocol validation to reject malformed requests
C.Add custom signatures to detect base64-encoded patterns in headers
D.Increase the rate limiting threshold to allow more requests per second
AnswerC

Custom signatures can identify known encoded attack patterns.

Why this answer

Option C is correct because base64-encoded payloads in HTTP headers are a known evasion technique that bypasses signature-based WAF rules written for plaintext attacks. By adding custom signatures that specifically target base64-encoded content (e.g., detecting long runs of base64 characters in headers and decoding them before applying the attack patterns), the WAF inspects the payload the application will actually see rather than the encoded wrapper. WAF engines usually express this as a transformation applied before the match (ModSecurity's t:base64Decode, for example). This directly addresses the attacker's encoding method without relying on generic protocol or rate controls.

Exam trap

The trap here is that candidates confuse protocol-level validation (Option B) with content inspection, assuming strict RFC compliance would catch encoded payloads, but base64 is perfectly valid HTTP header content and requires application-layer decoding logic to detect.

How to eliminate wrong answers

Option A is wrong because geoblocking restricts traffic based on source IP country, which does not detect or block the encoded payload itself; the attacker can use proxies or VPNs to bypass geolocation filters. Option B is wrong because strict HTTP protocol validation (RFC 7230) rejects malformed requests (e.g., invalid headers or method), but base64-encoded payloads in headers are syntactically valid HTTP; the WAF would not reject them based on protocol alone. Option D is wrong because increasing the rate limiting threshold allows more requests per second, which does not inspect or block the malicious content; it only prevents volumetric attacks, not payload-level evasion.
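As an added illustration (not part of the question bank and not a real WAF engine), the check below does what the "decode and inspect" signature in Option C describes: every run of base64 characters found in a header value is decoded, and the decoded bytes are matched against the same attack patterns that are applied to the raw value. The rule set, the header sample and the SQL injection payload are constructed for the example.

```python
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Added example (not from the question bank, not a real WAF engine): decode-then-inspect
# logic for HTTP headers. Patterns and the sample request are constructed for illustration.

B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

MALICIOUS = [
    ("xss_script_tag", re.compile(rb"<script\b", re.I)),
    ("sqli_union_select", re.compile(rb"\bunion\s+(all\s+)?select\b", re.I)),
    ("path_traversal", re.compile(rb"\.\./")),
    ("cmd_injection", re.compile(rb"(;|\|\|?|&&|`)\s*(cat|sh|bash|nc|curl|wget)\b", re.I)),
]


def decode_b64_candidates(value: str) -> List[bytes]:
    """Return every base64-looking run in a header value that decodes cleanly."""
    decoded = []
    for match in B64_RUN.finditer(value):
        run = match.group(0)
        run += "=" * (-len(run) % 4)  # tolerate stripped padding
        try:
            decoded.append(base64.b64decode(run, validate=True))
        except (binascii.Error, ValueError):
            continue  # not decodable base64 (e.g. a length that is 1 mod 4)
    return decoded


def inspect_headers(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, view, rule) for every rule hit on the raw or decoded value."""
    findings = []
    for name, value in headers.items():
        views = [("raw", value.encode("utf-8", "replace"))]
        views += [("base64", blob) for blob in decode_b64_candidates(value)]
        for view, data in views:
            for rule_name, pattern in MALICIOUS:
                if pattern.search(data):
                    findings.append((name, view, rule_name))
    return findings


# Constructed sample: an otherwise ordinary request carrying a base64-wrapped SQLi payload.
EVIL_PAYLOAD = b"' UNION SELECT username,password FROM users--"
SAMPLE_HEADERS = {
    "Host": "app.example",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
    "X-Forwarded-For": "203.0.113.7",
    "X-Request-Context": base64.b64encode(EVIL_PAYLOAD).decode("ascii"),
}

if __name__ == "__main__":
    for hit in inspect_headers(SAMPLE_HEADERS):
        print(hit)
```

Two practical caveats: legitimate headers such as Authorization: Basic are base64 too, so the decoded view must only be matched against attack patterns, never blocked merely for being base64; and an attacker can nest encodings (base64 inside URL encoding, or base64 twice), so a production rule chains the relevant decode transformations rather than applying one.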

37
MCQmedium

A financial institution is required to comply with PCI DSS and uses a mix of legacy and modern applications. The security architect proposes to segment the network so that the cardholder data environment (CDE) is isolated. However, a legacy application in a non-CDE segment must send data to a database in the CDE. The legacy application cannot be modified and communicates via clear-text protocols. Which of the following is the most secure solution that maintains compliance?

A.Replace the legacy application immediately
B.Use a bastion host to terminate TLS on behalf of the legacy application and forward via a one-way replication
C.Place the legacy application in the CDE and isolate it with a firewall
D.Install a network-based DLP sensor to monitor traffic
AnswerB

Encrypts traffic and limits the legacy application's direct access.

Why this answer

A bastion host with TLS termination can wrap clear-text traffic in encryption, and strict firewall rules prevent direct access.

38
MCQhard

An organization wants to implement a zero-trust architecture for remote access. Which component is most critical for enforcing least-privilege access to internal applications?

A.Virtual private network (VPN) concentrator
B.Software-defined perimeter (SDP)
C.Next-generation firewall (NGFW)
D.Intrusion detection system (IDS)
AnswerB

SDP creates a micro-perimeter around each application, authenticating and authorizing per session.

Why this answer

A software-defined perimeter (SDP) uses a controller to authenticate users and devices before granting access to specific applications, hiding the network from unauthorized users. VPNs extend network access, IDS only detects, and firewalls enforce network-level rules but not user/device granularity.

39
MCQeasy

An engineer reviews the TLS configuration for a web server. Which of the following is a security concern present in this configuration?

A.The cipher suite does not include perfect forward secrecy (PFS).
B.The configuration supports outdated TLS 1.2 protocols.
C.The private key is stored in an accessible location.
D.The server does not require client certificates for authentication.
AnswerD

With ssl_verify_client = optional, clients can skip certificate authentication, weakening mutual authentication.

Why this answer

Option D is correct because mutual TLS (mTLS) is not enforced: ssl_verify_client is set to optional, so a client may connect without presenting a certificate and the server must then rely on whatever application-level authentication follows. Option B is wrong because TLS 1.2 and 1.3 are both current, strong protocol versions. Option C is wrong because the key path is outside the document root and is the typical location.

Option A is wrong because the cipher suite shown uses strong ciphers.

40
Multi-Selecthard

A security engineer is designing a secure enclave for processing sensitive personally identifiable information (PII). The enclave must protect data at rest and in use, and must support attestation to verify its integrity. Which THREE technologies should the engineer incorporate? (Choose three.)

Select 3 answers
A.Trusted Platform Module (TPM)
B.AMD Secure Encrypted Virtualization (SEV)
C.ARM TrustZone
D.Intel Software Guard Extensions (SGX)
E.Hardware Security Module (HSM)
AnswersB, C, D

Encrypts memory for VMs, supports attestation.

Why this answer

AMD Secure Encrypted Virtualization (SEV) encrypts the memory of virtual machines, protecting data in use from the hypervisor and other VMs. It also supports attestation via the AMD Secure Processor, which generates a signed measurement of the VM's initial state, allowing a remote party to verify integrity. This makes SEV a valid choice for a secure enclave that must protect data at rest and in use and support attestation.

Exam trap

CompTIA often tests the distinction between hardware roots of trust (TPM, HSM) and actual secure enclave technologies (SGX, SEV, TrustZone), so candidates mistakenly choose TPM or HSM because they associate them with 'trust' and 'security' without understanding that enclaves require isolated memory regions for processing data in use.

41
MCQmedium

A company is deploying a new web application that handles sensitive customer data. The application is built using a microservices architecture running in containers on a Kubernetes cluster. The security team wants to implement mutual TLS (mTLS) for service-to-service communication. However, they are concerned about the operational overhead of certificate management. Which approach minimizes management overhead while still ensuring strong authentication?

A.Generate self-signed certificates for each service and manually distribute them
B.Use a service mesh that provides automatic mTLS and certificate rotation
C.Use a single certificate for all services with Subject Alternative Names
D.Implement TLS termination at the ingress and use plaintext inside the cluster
AnswerB

Service mesh handles lifecycle automatically.

Why this answer

A service mesh like Istio automates mTLS certificate issuance and rotation with minimal manual effort.

42
Multi-Selecthard

Which THREE of the following are essential components of a secure software development lifecycle (SSDLC) to ensure security engineering? (Select exactly 3.)

Select 3 answers
A.Dynamic application security testing (DAST) and penetration testing before release.
B.User acceptance testing (UAT) to validate business requirements.
C.Static application security testing (SAST) in the development phase.
D.Daily stand-up meetings for developers.
E.Threat modeling during design phase.
AnswersA, C, E

DAST and pentesting find runtime vulnerabilities that may be missed by static analysis.

Why this answer

Options A, C, and E are correct. Threat modeling during design, static analysis during development, and DAST with penetration testing before release are core SSDLC activities that catch flaws at successive stages. Option B is wrong because user acceptance testing validates business functionality, not security.

Option D is wrong because daily stand-ups are a project management practice, not a security control.

43
MCQhard

A financial company is expanding its hybrid cloud architecture. They have an AWS VPC connected to an on-premises network via an IPsec VPN using IKEv2. The on-premises firewall is a Cisco ASA. Recently, users report intermittent connectivity to cloud resources. The security team reviews logs and finds the following message on the ASA: 'no matching crypto map entry for traffic from on-prem to cloud'. The team also suspects potential data leakage due to occasional unencrypted traffic. The corporate policy requires all traffic between environments to be encrypted. The engineer has verified that the IKEv2 proposals match on both sides. The cloud side uses a virtual private gateway with a static route to the on-premises network. Which of the following should the engineer do FIRST to resolve the issue?

A.Check the crypto map configuration on the Cisco ASA and ensure it matches the peer IP and proxy IDs
B.Disable NAT traversal on both VPN endpoints
C.Reconfigure the IKEv2 policies on both sides to use different encryption algorithms
D.Replace the VPN connection with AWS Direct Connect for dedicated bandwidth
AnswerA

The 'no matching crypto map entry' error is resolved by correcting the crypto map.

Why this answer

Option A is correct because the error message directly indicates that the ASA found no crypto map entry matching the traffic. Checking that the crypto map's peer address and the ACL that defines interesting traffic (the proxy IDs) line up with the AWS side resolves both the intermittent tunnel and the suspected leakage, since traffic that does not match a crypto map entry is not encrypted by the tunnel. Option C is incorrect because the engineer has already verified that the IKEv2 proposals match.

Option D is too drastic and is not a first step. Option B could actually break the tunnel if NAT traversal is required on the path.

44
MCQmedium

A virtualization administrator needs to ensure that virtual machines (VMs) from different customers cannot communicate with each other unless explicitly allowed. Which network security control should be implemented on the hypervisor?

A.Patch the hypervisor regularly
B.Assign each VM to a different physical server
C.Use a virtual firewall to create per-VM security groups
D.Enable hypervisor memory overcommitment
AnswerC

Virtual firewalls can apply policies to individual VMs, isolating them.

Why this answer

Micro-segmentation (e.g., NSX) allows fine-grained control over VM-to-VM traffic at the virtual switch level.

45
MCQeasy

A security analyst reviews this configuration and identifies a vulnerability. What is the MOST critical issue?

A.The grant type is authorization_code
B.The client secret is hardcoded
C.The redirect URI uses HTTP
D.The token endpoint uses HTTPS
AnswerC

HTTP transmits the authorization code in plaintext, making it vulnerable to interception.

Why this answer

The redirect URI uses HTTP (plaintext), which could allow an attacker to intercept the authorization code returned by the OAuth provider. Hardcoded secrets are a problem but can be mitigated with secrets management. The grant type and token endpoint are correct.

46
Multi-Selecthard

A security engineer is hardening a Linux web server. The team requires that the web server process cannot run with root privileges and that any file it writes must have minimal permissions. Which two controls should be implemented together? (Select TWO).

Select 2 answers
A.Run the web server process under a dedicated non-privileged user account
B.Place the web server in a chroot jail
C.Enable SELinux in enforcing mode with a targeted policy for the web server
D.Apply mandatory access control (MAC) to restrict file permissions
E.Use file capability bounding sets to limit the web server's capabilities
AnswersA, D

This ensures the process does not run as root.

Why this answer

Running the web server process under a dedicated non-privileged user account (Option A) ensures that even if the process is compromised, the attacker does not gain root privileges. This is a fundamental principle of least privilege, typically implemented by creating a system user (e.g., 'www-data' or 'httpd') with no login shell and assigning ownership of web directories to that user.

Exam trap

The trap here is that candidates often confuse chroot jails (Option B) or SELinux (Option C) as substitutes for running the process as a non-root user, but neither addresses the core requirement of preventing root-level execution; the question explicitly requires the process to not run with root privileges, which only a dedicated non-privileged user account achieves.

47
Multi-Selectmedium

Which TWO of the following are valid techniques to mitigate the risk of side-channel attacks on cryptographic implementations? (Select exactly 2.)

Select 2 answers
A.Obfuscating the source code of the cryptographic library.
B.Using a cryptographically secure random number generator for key generation.
C.Implementing constant-time algorithms to avoid timing variations.
D.Increasing the key length to 4096 bits.
E.Adding noise to power consumption or using power analysis resistant logic.
AnswersC, E

Constant-time code ensures that execution time does not depend on secret data, preventing timing attacks.

Why this answer

Options C and E are correct. Constant-time implementations and power-analysis countermeasures (noise injection, masking, balanced logic) are direct mitigations against timing and power side channels. Option D is wrong because a longer key does not stop side-channel leakage; the leak reveals the key regardless of its length.

Option B is wrong because a CSPRNG governs key generation, not leakage during execution. Option A is wrong because source obfuscation is not a cryptographic defence; side channels observe physical behaviour, not source code.
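The following is an added example (not from the question bank) serving both question 33 and this one. It places the early-exit comparison that leaks timing beside a fixed-work comparison, and each function also reports how many bytes it examined, so the data-dependent behaviour can be checked deterministically rather than with a noisy stopwatch. The MAC verification at the end shows the production form using the standard library's compare_digest. The key, message and forged tags are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Added example (not from the question bank): a leaky early-exit comparison beside a
# fixed-work one. Each returns (equal, bytes_examined) so the difference is observable.


def naive_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Stops at the first mismatch: work (and time) grows with the matching prefix length."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Walks the full length and folds differences with OR; no secret-dependent branch
    or early exit. Lengths are public (MAC tags have a fixed size), so the length check
    leaks nothing the attacker does not already know."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Production form: hmac.compare_digest is the stdlib constant-time primitive."""
    return hmac.compare_digest(mac(key, message), tag)


def forged_tag(tag: bytes, mismatch_at: int) -> bytes:
    """Attacker's guess: correct prefix up to mismatch_at, wrong byte there."""
    return tag[:mismatch_at] + bytes([tag[mismatch_at] ^ 0x01]) + tag[mismatch_at + 1:]


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    tag = mac(key, b"transfer 100")
    for pos in (0, 15, 31):
        guess = forged_tag(tag, pos)
        print(f"mismatch at byte {pos:2d}: naive examined {naive_compare(tag, guess)[1]:2d}, "
              f"constant-time examined {constant_time_compare(tag, guess)[1]}")
```

With the naive comparison, an attacker who can time the server learns how many leading bytes of a guessed tag are right and recovers the tag one byte at a time; the fixed-work version gives the same timing for every guess. Two caveats a practitioner should keep in mind: random delays (Option E in question 33) do not change this, because the attacker averages many measurements and the delay's mean cancels; and constant-time comparison addresses only the branch leak, not secret-dependent memory access patterns (Option D in question 33), which need table-lookup-free or cache-aware implementations.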

48
Multi-Selecthard

Which THREE of the following are key components of a zero-trust security architecture? (Select THREE).

Select 3 answers
A.VPN concentrator
B.Micro-segmentation
C.Implicit trust for internal network traffic
D.Least privilege access control
E.Continuous monitoring of user and device behavior
AnswersB, D, E

Micro-segmentation divides the network into isolated zones to contain threats.

Why this answer

Zero trust requires micro-segmentation to limit lateral movement, continuous monitoring to verify every session, and least privilege access to enforce minimal permissions. VPN is a perimeter technology, and implicit trust violates zero trust principles.

49
MCQmedium

A network administrator is configuring a firewall to block traffic from a specific IP address range. The firewall uses ACLs. Which ACL entry would deny traffic from 192.168.1.0/24?

A.deny ip 192.168.1.0 0.0.0.255 any
B.deny ip 192.168.1.0 0.0.0.0 any
C.deny ip 192.168.1.0 0.0.0.127 any
D.deny ip 192.168.1.0 255.255.255.0 any
AnswerA

Wildcard 0.0.0.255 matches the entire /24 subnet.

Why this answer

Option A is correct because in Cisco ACL syntax, the wildcard mask 0.0.0.255 matches all addresses in the 192.168.1.0/24 network. The 'deny ip 192.168.1.0 0.0.0.255 any' entry blocks any IP traffic from the source subnet 192.168.1.0 through 192.168.1.255 to any destination.

Exam trap

The trap here is that candidates often confuse subnet masks with wildcard masks, selecting option D (255.255.255.0) instead of the correct wildcard mask 0.0.0.255.

How to eliminate wrong answers

Option B is wrong because the wildcard mask 0.0.0.0 matches only the single host 192.168.1.0, not the entire /24 subnet. Option C is wrong because the wildcard mask 0.0.0.127 matches only the first 128 addresses (192.168.1.0–192.168.1.127), which is a /25 range, not the full /24. Option D is wrong because 255.255.255.0 is a subnet mask, not a wildcard mask; ACLs require inverse (wildcard) masks, so this entry would be syntactically invalid or misinterpreted.

50
Multi-Selecteasy

A security team is implementing controls to meet PCI DSS requirements for cardholder data. Which THREE controls are required?

Select 3 answers
A.Encrypt cardholder data at rest
B.Implement multi-factor authentication for remote access
C.Regularly update antivirus software
D.Use unique IDs for each person with access
E.Perform quarterly vulnerability scans
AnswersA, B, D

Requirement 3.4 mandates encryption of stored cardholder data.

Why this answer

The answer key selects A, B and D: encryption of stored cardholder data (Requirement 3.4), multi-factor authentication for remote access into the cardholder data environment (Requirement 8.3) and a unique ID for each person with access (Requirement 8.1.1). Be aware that keeping antivirus software current (Requirement 5) and quarterly vulnerability scanning (Requirement 11.2) are also mandated by PCI DSS, so the question separates required from not required poorly; on the exam, favour the controls that most directly protect cardholder data and govern access to it.

51
MCQmedium

A security analyst reviews the ACL rules above. A host at 10.0.1.5 attempts to SSH (port 22) to a server at 10.0.2.10. What is the result?

A.The connection is denied by Rule 3.
B.The connection is permitted by Rule 4.
C.The connection is permitted by the implicit permit.
D.The connection is denied by Rule 1.
AnswerD

Rule 1 denies all traffic from 10.0.1.0/24 to 10.0.2.0/24, which covers the SSH attempt.

Why this answer

Rule 1 denies all traffic from 10.0.1.0/24 to 10.0.2.0/24. Since the source (10.0.1.5) and destination (10.0.2.10) fall within these subnets, the SSH attempt is denied by Rule 1, regardless of any later rules. ACLs are processed top-down, and the first matching rule determines the action.

Exam trap

Cisco often tests the first-match principle in ACLs, where candidates mistakenly think a later permit rule (like Rule 3 or 4) can override an earlier deny rule, but the order of evaluation is sequential and stops at the first match.

How to eliminate wrong answers

Option A is wrong because Rule 3 permits TCP traffic from 10.0.1.0/24 to 10.0.2.0/24 on port 80, not port 22, so it does not apply to SSH. Option B is wrong because Rule 4 permits traffic from 10.0.1.0/24 to 10.0.2.0/24 on port 443, not port 22, so it does not permit SSH. Option C is wrong because an implicit deny (not permit) exists at the end of all ACLs; there is no implicit permit, so traffic not explicitly permitted is denied.
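The following added example (not from the question bank) serves questions 34, 49 and this one. It is a minimal evaluator for Cisco-style extended ACL entries that implements the wildcard-mask match and the first-match, implicit-deny semantics the three explanations rely on. The ACL entries are constructed to mirror the explanations; the actual exhibit of question 51 is not reproduced.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the question bank): a minimal evaluator for Cisco-style extended
# ACL entries. The ACLs below are constructed to match the explanations, not the exhibits.

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard: a 0 bit must match, a 1 bit is don't-care (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Rule:
    action: str                  # permit | deny
    proto: str                   # ip | tcp | udp | icmp
    src: Tuple[str, str]         # (network, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None  # "eq <port>" on the destination, if present


def _addr_spec(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any', 'host X' or 'X W' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _addr_spec(tokens)
    dst = _addr_spec(tokens)
    dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return Rule(action, proto, src, dst, dport)


def evaluate(acl: List[str], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching entry wins and its 1-based number is returned; no match is the implicit deny."""
    for number, line in enumerate(acl, start=1):
        r = parse_rule(line)
        if r.proto not in ("ip", proto):
            continue
        if not wildcard_match(src, *r.src) or not wildcard_match(dst, *r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, number
    return "deny", None


# Constructed ACL in the spirit of question 51 (the real exhibit is not reproduced here).
SAMPLE_ACL = [
    "deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255",
    "permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 eq 80",
    "permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 eq 443",
    "permit ip 10.0.1.0 0.0.0.255 any",
]

# Question 34's two orderings: the allow before the catch-all deny works, the reverse does not.
HTTPS_ALLOW_FIRST = ["permit tcp any host 10.1.1.10 eq 443", "deny ip any any"]
DENY_ALL_FIRST = ["deny ip any any", "permit tcp any host 10.1.1.10 eq 443"]

if __name__ == "__main__":
    print("SSH 10.0.1.5 -> 10.0.2.10:", evaluate(SAMPLE_ACL, "tcp", "10.0.1.5", "10.0.2.10", 22))
    print("HTTPS, allow first:", evaluate(HTTPS_ALLOW_FIRST, "tcp", "198.51.100.9", "10.1.1.10", 443))
    print("HTTPS, deny first: ", evaluate(DENY_ALL_FIRST, "tcp", "198.51.100.9", "10.1.1.10", 443))
    print("/24 via 0.0.0.255:", wildcard_match("192.168.1.200", "192.168.1.0", "0.0.0.255"))
    print("subnet mask as wildcard:", wildcard_match("10.55.66.0", "192.168.1.0", "255.255.255.0"))
```

The last line illustrates the trap in question 49: 255.255.255.0 used as a wildcard cares only about the final octet, so it matches 10.55.66.0 but not 192.168.1.5, the opposite of what the administrator intended.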

52
MCQmedium

A security engineer needs to implement a solution that will detect and block command-and-control (C2) traffic from malware on the internal network. The solution must be able to inspect encrypted traffic and operate at the network layer. Which of the following is the BEST choice?

A.Implement a web application firewall (WAF) to filter outbound HTTP/HTTPS traffic.
B.Install a network-based intrusion detection/prevention system (IDS/IPS) with signature updates.
C.Use endpoint detection and response (EDR) agents on all workstations and servers.
D.Deploy a next-generation firewall (NGFW) with SSL/TLS inspection and application-level filtering.
AnswerD

NGFW can decrypt SSL/TLS traffic and inspect it for C2 patterns, then block malicious flows.

Why this answer

A next-generation firewall (NGFW) with SSL/TLS inspection and application-level filtering is the best choice because it can decrypt and inspect encrypted C2 traffic at the network layer, then apply application-aware rules to block malicious communications. This directly addresses the requirement to detect and block C2 traffic that uses encryption to evade traditional inspection.

Exam trap

The trap here is that candidates often choose a network-based IDS/IPS (Option B) thinking it can inspect encrypted traffic, but without SSL/TLS decryption, it can only see encrypted payloads and cannot detect C2 commands hidden inside the encrypted tunnel.

How to eliminate wrong answers

Option A is wrong because a web application firewall (WAF) is designed to protect web servers from application-layer attacks (e.g., SQL injection, XSS) and typically filters inbound HTTP/HTTPS traffic, not outbound C2 traffic from internal malware. Option B is wrong because a network-based IDS/IPS with signature updates can detect known C2 patterns but cannot inspect encrypted traffic without decryption, so it would miss C2 traffic tunneled over TLS/SSL. Option C is wrong because endpoint detection and response (EDR) agents operate at the host/endpoint layer, not the network layer, and the question specifically requires a solution that operates at the network layer.

53
MCQeasy

A security architect is designing a secure enclave for a high-value application. Which of the following is the BEST approach to isolate the application from the rest of the network?

A.Deploy the application in a DMZ behind a stateful firewall with least-privilege rules.
B.Install an intrusion detection system (IDS) on the application subnet.
C.Configure a jump box with two-factor authentication to access the application.
D.Place the application on a separate VLAN with an ACL.
AnswerA

A DMZ enclave with a stateful firewall ensures strict network isolation and policy enforcement, which is the best practice for high-value applications.

Why this answer

Option A is correct because an enclave is built as a DMZ segment behind a stateful firewall whose least-privilege rules admit only the flows the application needs. Option D is wrong because a VLAN with an ACL provides weaker isolation: ACLs are stateless, and VLANs can be misconfigured or hopped. Option C is wrong because a jump box controls administrative access; it does not isolate the application's traffic.

Option B is wrong because an IDS detects attacks but does not isolate anything.

54
Multi-Selectmedium

Which TWO of the following are advantages of using a hardware security module (HSM) over a software-based cryptographic module? (Select exactly 2.)

Select 2 answers
A.Easier to deploy in cloud environments than software.
B.Automatically receive security patches without manual intervention.
C.Physical tamper resistance and protection against key extraction.
D.Lower cost than software modules.
E.Faster cryptographic operations due to dedicated hardware accelerators.
AnswersC, E

HSMs are designed to resist physical attacks, making them more secure for key storage.

Why this answer

Options C and E are correct. An HSM provides physical tamper resistance, with keys that cannot be exported in the clear, and dedicated hardware accelerators for cryptographic operations. Option D is wrong because HSMs are generally more expensive than software modules.

Option A is wrong because, while HSMs can be integrated into cloud environments through cloud HSM services, a software module is easier to deploy there. Option B is wrong because HSM firmware is updated by the organization or provider through a controlled process, not patched automatically.

55
MCQhard

During a security assessment, a penetration tester discovers that a web application's session tokens are predictable. The application uses a custom session management system. Which of the following is the MOST effective remediation to ensure secure session tokens?

A.Generate session tokens using a cryptographically secure random number generator (CSPRNG) with at least 128 bits of entropy.
B.Regenerate the session token on each page request.
C.Implement a short session timeout of 5 minutes.
D.Generate tokens using HMAC-SHA256 of a timestamp and a secret key.
AnswerA

CSPRNGs produce unpredictable values resistant to analysis, ensuring that session tokens cannot be guessed.

Why this answer

Option A is correct because a CSPRNG with at least 128 bits of entropy makes each token unpredictable even to an attacker who has observed many earlier tokens. Option C is wrong because a short timeout limits the window but not the predictability; a guessable token can still be guessed within five minutes. Option D is wrong because HMAC of a timestamp draws all of its unpredictability from the secret key; the timestamp itself is guessable, so if the key leaks or is weak every token can be reproduced.

Option B is wrong because regenerating a predictable token on each request yields another predictable token; it adds overhead without fixing the root cause.
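The following added example (not from the question bank) puts a predictable token scheme beside a CSPRNG one and includes a small guesser that recovers the weak token's inputs. The weak scheme, a hash of a request counter and a coarse timestamp, is constructed to show the failure the tester found; the fixed scheme is what Option A prescribes. Counter and timestamp values are made up.

```python
import hashlib
import math
import secrets
from typing import Optional, Tuple

# Added example (not from the question bank): a predictable token scheme beside a CSPRNG
# one, plus a brute-force guesser for the weak scheme. Values are constructed.


def weak_session_token(counter: int, timestamp: int) -> str:
    """Looks random (64 hex characters) but is fully determined by two guessable inputs."""
    return hashlib.sha256(f"{counter}:{timestamp}".encode()).hexdigest()


def guess_weak_token(observed: str, approx_time: int, time_slack: int,
                     max_counter: int) -> Optional[Tuple[int, int]]:
    """Recover (counter, timestamp) by brute force over a plausible window."""
    for ts in range(approx_time - time_slack, approx_time + time_slack + 1):
        for counter in range(max_counter + 1):
            if weak_session_token(counter, ts) == observed:
                return counter, ts
    return None


def secure_session_token(nbytes: int = 16) -> str:
    """nbytes from the OS CSPRNG; 16 bytes is the 128-bit floor, URL-safe encoded."""
    return secrets.token_urlsafe(nbytes)


def guess_space_bits(time_slack: int, max_counter: int) -> float:
    """Effective entropy of the weak scheme: log2 of the attacker's search space."""
    return math.log2((2 * time_slack + 1) * (max_counter + 1))


if __name__ == "__main__":
    observed = weak_session_token(1500, 1_700_000_000)
    print("weak token:", observed)
    print("recovered inputs:", guess_weak_token(observed, 1_700_000_005, 10, 2000))
    print("weak scheme effective bits:", round(guess_space_bits(10, 2000), 1))
    print("secure token:", secure_session_token())
```

The weak token passes a casual inspection, yet the guesser recovers it from a few thousand hashes because its search space is tens of thousands of possibilities rather than 2^128. Option D's HMAC of a timestamp collapses to exactly this scheme the moment the key is known, which is why the unpredictability should come from the generator itself rather than from a secret the server also has to protect.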

56
Multi-Selectmedium

Which TWO of the following are valid methods for securing REST APIs? (Select TWO.)

Select 2 answers
A.LDAP binds
B.OAuth 2.0 tokens
C.API keys
D.SAML assertions
E.Kerberos tickets
AnswersB, C

OAuth 2.0 is widely used for API authorization.

Why this answer

OAuth 2.0 tokens (B) are a standard method for securing REST APIs by providing delegated, scoped access without exposing user credentials. The client presents a bearer token (typically a JSON Web Token) in the Authorization header, which the API server validates to authorize the request. This aligns with RFC 6749 and is widely adopted for stateless, scalable API security.

Exam trap

Cisco often tests the distinction between authentication and authorization protocols, leading candidates to select Kerberos or SAML because they are 'secure,' but they fail to recognize that REST APIs require stateless, lightweight token-based mechanisms like OAuth 2.0 or API keys.

57
Matchingmedium

Match each cloud service model to its scope.


Concepts
Matches

Software delivered over the internet

Platform for application development and deployment

Virtualized computing resources over the internet

Disaster recovery as a service

Security services delivered via the cloud

Why these pairings

Cloud service models are fundamental to cloud security architecture.

58
MCQ · easy

Which of the following is the primary purpose of implementing a public key infrastructure (PKI)?

A. To store and verify password hashes for user authentication.
B. To sign software and files to verify integrity and origin.
C. To bind public keys to identities through certificates for authentication and encryption.
D. To provide a secure method for remote access via VPN.
Answer: C

PKI's main role is to create a framework of trust where certificates link public keys to entities, enabling secure communications.

Why this answer

Option C is correct because PKI provides certificate-based trust to enable authentication and encryption. Option D is wrong because VPNs use PKI, but that is not its primary purpose. Option B is wrong because PKI can support code signing, but that is only a subset of its role.

Option A is wrong because password hashing is separate from PKI.

59
MCQ · easy

A small business wants to protect endpoints from malware without incurring per-device licensing costs. Which approach is MOST cost-effective?

A. Implement network-based IPS
B. Use open-source host firewall
C. Use built-in Windows Defender and periodically scan with free tools
D. Purchase enterprise EDR suite
Answer: C

Windows Defender is free and sufficient for small business; free scanning tools supplement without cost.

Why this answer

Built-in Windows Defender is free and adequate for basic protection. Periodically scanning with free tools (e.g., Microsoft Safety Scanner) enhances security at no cost. Enterprise EDR, network IPS, and host firewalls are the alternatives; although some host firewalls are free, the enterprise products incur licensing costs.

60
Matching · medium

Match each command-line tool to its primary function.

Matches

DNS query and lookup

Display network connections and listening ports

Capture and analyze network traffic

Perform SSL/TLS cryptographic operations

Network discovery and port scanning

Why these pairings

These tools are commonly used for network troubleshooting and security assessments.

61
MCQ · hard

During a security incident, a forensic analyst needs to acquire a memory dump from a Linux server without altering the system state. Which tool is most appropriate for this task?

A. Volatility framework
B. LiME (Linux Memory Extractor)
C. dd if=/dev/mem of=mem.dump
D. memdump utility
Answer: B

LiME captures memory safely via a kernel module, preserving forensic integrity.

Why this answer

LiME (Linux Memory Extractor) is designed to acquire memory dumps with minimal impact, loading as a kernel module and exporting memory to a file or network. dd is for disk, memdump is limited, and Volatility is for analysis, not acquisition.

62
MCQ · easy

A network administrator is configuring a firewall to allow only necessary traffic to a web server. The server should be accessible from the internet on port 443 and from a management subnet on port 22. Which firewall rule ensures least privilege?

A. Allow traffic from management subnet to port 443 and any to port 22
B. Allow traffic from any source to ports 443 and 22
C. Allow all traffic to the server, then block specific ports
D. Allow traffic from any to port 443, and from management subnet to port 22; deny all else
Answer: D

This restricts SSH to only the management subnet and HTTPS to all, with a default deny.

Why this answer

Allow only specific ports from specific sources, and block all other traffic.

63
Multi-Select · easy

A cloud security architect is designing a key management system for a multi-tenant SaaS application. Which TWO practices are essential for ensuring cryptographic key security? (Select TWO.)

A. Separate key management from data storage
B. Store keys in plaintext configuration files for easy retrieval
C. Implement key rotation policies
D. Use a single master key for all customers
E. Audit all key access events
Answers: A, C

Logical separation ensures a breach of data storage does not reveal keys.

Why this answer

Key rotation limits exposure if a key is compromised, and separating key management from data storage reduces attack surface. Storing keys in plaintext is insecure, using a single master key increases risk, and auditing is a detective control but not as fundamental as the other two.

64
MCQ · easy

A small business has a single physical server running multiple virtual machines (VMs) using Type 2 hypervisor software on a Windows Server host. The host is not joined to a domain. The VMs include an Active Directory domain controller, a file server, and a web server. The company recently suffered a ransomware attack that encrypted all data on the file server VM. The IT administrator restored the file server from a backup, but the ransomware returned within hours. Analysis shows that the ransomware is now spreading to other VMs. The administrator suspects that the hypervisor host itself may be compromised. Which of the following is the MOST effective immediate action to contain the spread and secure the environment?

A. Run a full antivirus scan on the host operating system.
B. Disconnect the physical host from the network immediately.
C. Apply the latest security patches to the hypervisor software.
D. Restore all VMs from known clean backups taken before the attack.
Answer: B

Isolating the host stops the ransomware from spreading to other systems and buys time for remediation.

Why this answer

Option B is correct because immediately disconnecting the physical host from the network is the most effective immediate action to contain the spread of ransomware. Since the host is compromised and the Type 2 hypervisor runs on top of a Windows Server OS, the attacker can pivot from the host to any VM via the virtual switch. Cutting network connectivity stops all lateral movement and outbound command-and-control traffic, buying time for forensic analysis and remediation.

Exam trap

The trap here is that candidates often choose to run antivirus scans or apply patches first, mistakenly believing these are immediate containment actions, when in reality they are slow, disruptive, and ineffective against an actively spreading ransomware outbreak on a compromised host.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan on the host OS is a reactive, time-consuming step that does not stop active ransomware propagation; the malware may already be executing in memory or have disabled the scanner. Option C is wrong because applying the latest security patches to the hypervisor software is a preventive measure, not an immediate containment action; patching requires a reboot and does not halt ongoing encryption or lateral movement. Option D is wrong because restoring all VMs from known clean backups taken before the attack is premature and dangerous if the host remains compromised; the restored VMs would be re-infected immediately via the compromised hypervisor or virtual switch.

65
MCQ · medium

Refer to the exhibit. A security analyst reviews the following firewall rule on a border firewall. Which vulnerability is present?

A. HTTPS is only allowed from a single host
B. SSH access is allowed from any source
C. HTTP is allowed from the internal network
D. An implicit deny rule is missing
Answer: B

Permitting SSH from any source exposes the server to unauthorized access attempts.

Why this answer

Option B is correct because the rule permits SSH (TCP/22) from any source, increasing the risk of brute-force attacks. Option A describes a legitimate restrictive rule for HTTPS. Option C is an intended internal network rule for HTTP.

Option D is incorrect because an explicit deny-all is present at the end.

66
MCQ · medium

A defense contractor is developing a new secure messaging application for classified communications. The application must ensure end-to-end encryption, perfect forward secrecy, and resistance to quantum computing attacks. The development team proposes using ECDH for key exchange and AES-256-GCM for message encryption. The security architect reviews the design and identifies a weakness: the current key exchange does not authenticate the public keys, making it vulnerable to man-in-the-middle attacks. The team suggests adding digital signatures using RSA-2048. However, the architect is concerned about quantum resistance. What should the architect recommend?

A. Replace ECDH with Diffie-Hellman using 4096-bit prime modulus and use RSA-4096 signatures.
B. Implement ECDH with Edwards-curve Digital Signature Algorithm (EdDSA) using Curve25519 and hash-based signatures for long-term keys.
C. Use pre-shared keys (PSK) for both key exchange and encryption, eliminating the need for public key authentication.
D. Use ECDH with RSA-2048 signatures for authentication and plan to migrate to CRYSTALS-KYBER when standardized.
Answer: D

This hybrid approach provides immediate authentication and a clear path to quantum resistance.

Why this answer

Option D is correct because it immediately addresses the lack of authentication by using RSA-2048 signatures while also planning for quantum resistance by migrating to CRYSTALS-KYBER, a NIST-standardized post-quantum key encapsulation mechanism. This hybrid approach ensures security now and in the future. Option A is wrong because larger Diffie-Hellman parameters do not provide quantum resistance and do not solve authentication.

Option C is wrong because pre-shared keys break perfect forward secrecy and are not scalable. Option B is wrong because EdDSA with Curve25519 is not quantum-resistant, and hash-based signatures are not practical for real-time key exchange.

67
MCQ · medium

A financial institution needs to ensure that transaction logs are tamper-proof after creation. Which solution should be implemented?

A. Cryptographic hashing with chain hashing
B. Access control lists
C. Encryption with AES
D. Digital signatures on each log entry
Answer: A

Chain hashing creates a tamper-evident log by linking entries cryptographically.

Why this answer

Cryptographic chained hashing (e.g., blockchain) links each log entry to the previous one via a hash, making tampering detectable. Encryption does not protect integrity. ACLs can be bypassed.

Digital signatures are effective but more complex to manage for every entry.
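As an added illustration of the chained-hashing answer (example code written for this page, not from the exam source), the block below builds a small hash-chained transaction log over constructed sample records, detects an in-place edit, and shows why the head hash must also be anchored out of band: an attacker who edits an entry and recomputes every later hash is caught only when the head is compared against the anchored value.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # constructed "previous hash" for the very first entry

def entry_hash(prev_hash: str, seq: int, record: Dict) -> str:
    """Hash of one entry, bound to its position and to the previous entry's hash."""
    # Canonical JSON so writer and verifier hash exactly the same bytes.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{seq}|{payload}".encode()).hexdigest()

def append_entry(log: List[Dict], record: Dict) -> Dict:
    """Append a record, chaining it to the current head of the log."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "prev": prev, "record": record,
             "hash": entry_hash(prev, len(log), record)}
    log.append(entry)
    return entry

def verify_chain(log: List[Dict], anchored_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first entry that fails verification, or None if intact.

    anchored_head is the head hash recorded out of band (signed, or stored on a
    separate system). Without it, an attacker who edits an entry and recomputes
    every later hash produces a chain that still verifies.
    """
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            return i                      # reordered, removed, or spliced entry
        if entry_hash(prev, i, e["record"]) != e["hash"]:
            return i                      # content changed, hash not updated
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(log)                   # self-consistent chain, but not the anchored one
    return None

def build_sample_log() -> List[Dict]:
    """Constructed sample transactions (not real data); identical on every call."""
    log: List[Dict] = []
    for rec in ({"acct": "A-100", "amount": 250.00, "type": "debit"},
                {"acct": "A-100", "amount": 75.50, "type": "credit"},
                {"acct": "B-200", "amount": 1200.00, "type": "debit"}):
        append_entry(log, rec)
    return log

def tamper(log: List[Dict], idx: int, rehash: bool) -> List[Dict]:
    """Copy the log and change one amount; with rehash=True, recompute hashes from idx on."""
    tampered = json.loads(json.dumps(log))
    tampered[idx]["record"]["amount"] = 1.00
    if rehash:
        prev = GENESIS if idx == 0 else tampered[idx - 1]["hash"]
        for e in tampered[idx:]:
            e["prev"], e["hash"] = prev, entry_hash(prev, e["seq"], e["record"])
            prev = e["hash"]
    return tampered

if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]                            # the value to anchor out of band
    print(verify_chain(log, head))                    # None: intact
    print(verify_chain(tamper(log, 1, False)))        # 1: hash mismatch at entry 1
    print(verify_chain(tamper(log, 1, True)))         # None: undetected without the anchor
    print(verify_chain(tamper(log, 1, True), head))   # 3: head differs from the anchor
```

In practice the anchor is what option D supplies at finer granularity: periodically signing the head hash gives the same tamper evidence with far fewer signatures than signing every entry.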

68
Drag & Drop · medium

Drag and drop the steps to respond to a ransomware incident in the correct order.

Why this order

Incident response follows NIST framework: isolate, identify, contain, eradicate, recover.

69
MCQ · medium

A security architect is designing a VPN solution for remote employees. The company requires strong authentication and integrity protection but is less concerned about confidentiality for non-sensitive traffic. Which protocol is most appropriate?

A. L2TP/IPsec with ESP
B. SSL/TLS VPN
C. ESP in tunnel mode with null encryption
D. AH in transport mode
Answer: C

ESP can be configured with null encryption to provide integrity and authentication without confidentiality.

Why this answer

Option C is correct because ESP in tunnel mode with null encryption provides authentication and integrity via HMAC (e.g., HMAC-SHA256) while omitting encryption (ESP_NULL, RFC 2410). This satisfies the requirement for strong authentication and integrity without confidentiality for non-sensitive traffic, as the payload is authenticated but not encrypted.

Exam trap

The trap here is that candidates often assume ESP always requires encryption, but ESP_NULL (RFC 2410) explicitly allows authentication-only mode, making it ideal when confidentiality is not needed.

How to eliminate wrong answers

Option A is wrong because L2TP/IPsec with ESP typically uses encryption (e.g., AES) for confidentiality, which is unnecessary and adds overhead for non-sensitive traffic. Option B is wrong because SSL/TLS VPN inherently provides confidentiality via encryption (e.g., AES-GCM), which is not required and may be excessive. Option D is wrong because AH in transport mode provides authentication and integrity but does not support null encryption; it authenticates the entire packet (including immutable IP header fields) and cannot be used with ESP_NULL, making it unsuitable for this scenario where only payload integrity is needed.

70
MCQ · medium

A security architect is designing a zero-trust network architecture. Which of the following is a fundamental principle of zero trust?

A. Place all resources on the internal network and rely on perimeter firewalls.
B. Authenticate and authorize every device and user for every resource access, and encrypt all communication.
C. Implement VLANs to separate traffic based on user roles.
D. Use a VPN to secure all remote access to the corporate network.
Answer: B

This is the core of zero trust: never trust, always verify, and ensure encrypted communication.

Why this answer

Option B is correct because zero trust requires all resources to be accessed securely regardless of location, and all communication should be encrypted. Option A is wrong because zero trust does not rely on a network perimeter; it assumes no implicit trust. Option D is wrong because VPNs are a perimeter technology; zero trust uses micro-segmentation.

Option C is wrong because VLANs are not a primary zero-trust control; they are network segmentation.

71
MCQ · easy

A company's development team uses a CI/CD pipeline hosted in a public cloud. The pipeline builds container images, pushes them to a private registry, and deploys them to a Kubernetes cluster. A security engineer must ensure that only signed and vulnerability-scanned images are deployed. The engineer has configured the registry to require signatures and the CI/CD pipeline to scan images. However, deployments are still failing because unsigned images are being pulled. The engineer discovers that developers can push images directly to the registry bypassing the CI/CD pipeline and that Kubernetes nodes can pull images without signature verification. Which of the following should the engineer implement to enforce image signing and scanning?

A. Implement a manual approval step in the pipeline for each deployment.
B. Use network policies to block all outbound traffic from developer workstations to the container registry.
C. Restrict registry write access to the CI/CD service account and enable image signature verification via admission controller in Kubernetes.
D. Configure the CI/CD pipeline to perform vulnerability scanning after every build.
Answer: C

Restricts pushes to authorized accounts and verifies signatures at deployment time.

Why this answer

Option C is correct because it addresses both root causes: restricting registry write access to only the CI/CD service account prevents developers from bypassing the pipeline, and enabling image signature verification via an admission controller (e.g., using Kubernetes ImagePolicyWebhook or a tool like Cosign with OCI signatures) ensures that only signed and scanned images are allowed to run in the cluster. This combination enforces the security policy at both the registry and the cluster level, closing the gaps identified in the scenario.

Exam trap

The trap here is that candidates often focus only on the CI/CD pipeline (e.g., scanning or approvals) and overlook the need to restrict direct registry access and enforce signature verification at the cluster level, which are the two distinct vulnerabilities described in the scenario.

How to eliminate wrong answers

Option A is wrong because a manual approval step in the pipeline does not prevent developers from pushing unsigned images directly to the registry, nor does it enforce signature verification at the Kubernetes level; it only adds a human gate in the CI/CD process. Option B is wrong because network policies blocking outbound traffic from developer workstations to the registry would not stop developers from pushing images via other means (e.g., through a jump host or VPN), and it does not address the lack of signature verification on Kubernetes nodes. Option D is wrong because configuring the pipeline to perform vulnerability scanning after every build does not prevent unsigned images from being deployed; scanning alone does not enforce signature verification, and it does not restrict direct pushes to the registry or enforce admission control.

72
MCQ · hard

A cloud security architect is designing a multi-region active-active application. The application must maintain high availability even if an entire AWS region fails. Which architecture BEST meets this requirement?

A. Active-active in one region with auto scaling
B. Deploy identical stacks in two regions with Route 53 weighted routing and DynamoDB global tables
C. Single region with multiple AZs and RDS Multi-AZ
D. Two regions with active-passive failover using Route 53 health checks
Answer: B

This provides active-active multi-region with automatic traffic distribution and data replication.

Why this answer

Active-active across two regions with Route 53 weighted routing and DynamoDB global tables provides automatic failover and data replication without human intervention. Single-region setups cannot survive a region outage. Active-passive requires manual failover.

73
Multi-Select · hard

A company is implementing a zero-trust network architecture. Which THREE of the following are critical components of this approach?

A. VPN for all remote access
B. Default-deny access policies (least privilege)
C. Continuous monitoring and authentication
D. Micro-segmentation of network resources
E. A single perimeter firewall
Answers: B, C, D

Users and devices are given only the access necessary.

Why this answer

Zero-trust requires that no entity is trusted by default, even inside the network. Micro-segmentation, continuous authentication, and least privilege are core principles.

74
MCQ · hard

Refer to the exhibit. A cloud security engineer is reviewing an AWS S3 bucket policy. What security issue does the policy contain?

A. No server-side encryption is specified
B. Public read access is allowed
C. No version ID is specified in the resource
D. No logging is enabled for the bucket
Answer: B

Principal '*' with Allow effect grants anonymous access to objects, making them public.

Why this answer

The policy allows any principal ('*') to perform s3:GetObject on the bucket, making the bucket publicly readable. This exposes objects to anyone on the internet. No encryption, logging, or versioning issues are indicated by this JSON snippet.
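The exhibit's JSON is not reproduced on this page, so the block below (an added example, not the page's own code) uses a constructed bucket policy of the same shape, with placeholder account and VPC endpoint ids, to show the check an analyst would run: every Allow statement whose Principal is "*" or {"AWS": "*"} is reported, unconditional grants are flagged as public, and grants narrowed by a Condition are flagged for review.

```python
import json
from typing import Any, Dict, List

# Constructed policy in the shape the question's exhibit describes; not the page's own
# JSON. The account id and VPC endpoint id are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

def as_list(value: Any) -> List[Any]:
    """Policy elements may be a single string/object or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def principal_is_anonymous(principal: Any) -> bool:
    """True when the Principal element matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False

def find_public_statements(policy_json: str) -> List[Dict[str, Any]]:
    """Report Allow statements granted to an anonymous principal.

    Deny statements with Principal "*" are normal (they restrict everyone) and are
    skipped. An Allow with a Condition may be narrowed (e.g. to a VPC endpoint),
    so it is reported as conditional rather than outright public.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": as_list(stmt.get("Action", [])),
            "resources": as_list(stmt.get("Resource", [])),
            "unconditional": "Condition" not in stmt,
        })
    return findings

if __name__ == "__main__":
    for f in find_public_statements(SAMPLE_POLICY):
        level = "PUBLIC" if f["unconditional"] else "REVIEW (conditional)"
        print(level, f["sid"], f["actions"], f["resources"])
```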

75
MCQ · hard

A company is migrating to a zero trust architecture. Which of the following is a key principle of zero trust?

A. Allow all traffic within the corporate network
B. Assume breach and verify every request
C. Trust devices based on their IP address
D. Trust but verify for all internal traffic
Answer: B

Zero trust operates on the principle of never trusting and always verifying.

Why this answer

Zero trust architecture is built on the principle of 'never trust, always verify,' which explicitly requires that every access request—regardless of origin—be authenticated, authorized, and continuously validated. Option B ('Assume breach and verify every request') captures this core tenet, as it mandates that no implicit trust is granted based on network location or device status, and every request must be treated as potentially malicious until proven otherwise.

Exam trap

The trap here is that candidates often confuse 'trust but verify' (Option D) with zero trust, but zero trust explicitly eliminates the initial trust assumption, requiring verification before any access is granted, not after.

How to eliminate wrong answers

Option A is wrong because zero trust explicitly rejects the model of allowing all traffic within the corporate network; instead, it enforces micro-segmentation and least-privilege access, blocking all traffic by default and only permitting what is explicitly allowed. Option C is wrong because zero trust does not trust devices based on their IP address—IP addresses are easily spoofed and change frequently; trust is instead established through device identity, health posture, and continuous authentication (e.g., using certificates or device attestation). Option D is wrong because 'trust but verify' is the opposite of zero trust; zero trust assumes no trust at any point, requiring verification for every request, including internal traffic, rather than granting initial trust and then verifying.
