CCNA Security Engineering Questions

22 of 97 questions · Page 2/2 · Security Engineering topic · Answers revealed

76
MCQmedium

A company has implemented a hardware security module (HSM) to manage cryptographic keys for a payment processing system. Which of the following best describes an advantage of using an HSM over software-based key storage?

A.Easier key rotation
B.Tamper-resistant key storage
C.Faster cryptographic operations
D.Lower implementation cost
AnswerB

HSMs provide physical and logical protections to prevent key extraction and tampering.

Why this answer

HSMs are tamper-resistant devices that protect keys from physical and logical attacks, offering a higher level of security than software-based storage. While HSMs can be costly and may have slower key generation, their primary advantage is physical security.

77
Multi-Selecteasy

An organization is implementing a public key infrastructure (PKI). Which THREE of the following are essential components?

Select 3 answers
A.Key escrow agent
B.Certificate authority (CA)
C.Certificate database and CRL
D.Registration authority (RA)
E.Time-stamping authority (TSA)
AnswersB, C, D

The CA signs and issues certificates.

Why this answer

A CA issues certificates, a RA verifies identity before certificate issuance, and the certificate database stores issued certificates and CRLs.

78
MCQhard

A security analyst reviews the syslog messages from the company's ASA firewall. Based on the exhibit, which of the following is the MOST likely cause of the denied traffic?

A.The external server is trying to initiate connections to the internal host on port 80.
B.Network address translation (NAT) is not configured correctly for the internal host.
C.The access-group "OUTSIDE_IN" is applied to the wrong interface or direction, blocking legitimate outbound traffic.
D.The internal host is attempting a port scan against the external server.
AnswerC

The access list name suggests it is meant for inbound traffic on the outside interface, but it is blocking outbound traffic, indicating a misapplication.

Why this answer

The syslog message shows traffic from the internal host (10.10.10.10) to the external server (209.165.200.225) on port 80 being denied by the access-group "OUTSIDE_IN" applied to the outside interface. Since the traffic is outbound (source inside, destination outside), an inbound access-list on the outside interface would block this legitimate outbound traffic because it evaluates packets entering the interface from the outside, not leaving it. The correct configuration would be to apply the access-group to the inside interface in the inbound direction or to the outside interface in the outbound direction.

Exam trap

CompTIA often tests the concept that an access-list applied inbound on the outside interface filters traffic entering from the outside, not traffic leaving the inside, causing candidates to mistakenly think the ACL blocks inbound traffic when it actually blocks outbound traffic.

How to eliminate wrong answers

Option A is wrong because the denied traffic is from the internal host to the external server on port 80, not the reverse; the syslog shows source 10.10.10.10 and destination 209.165.200.225, so the external server is not initiating connections. Option B is wrong because NAT misconfiguration would typically result in translation failures or asymmetric routing, not a deny by an access-list named "OUTSIDE_IN"; the syslog explicitly shows the deny is due to the access-group, not a NAT issue. Option D is wrong because there is no evidence of a port scan in the single syslog entry; a port scan would generate multiple denied packets to different ports or sequential IPs, and the log shows only a single TCP SYN to port 80, which is normal web traffic.

79
MCQmedium

A company deploys a web application behind a WAF. The security team discovers that the WAF allows traffic from a known malicious IP. After investigating, they find the WAF is configured to allow all traffic from a specific country for business reasons. Which of the following is the BEST course of action?

A.Deploy an additional IPS device to block the IP.
B.Remove the country-based allow rule immediately.
C.Add a specific deny rule for the malicious IP within the country allow rule, using an exception list.
D.Change the WAF from detection mode to blocking mode.
AnswerC

This allows legitimate traffic from the country while blocking the known malicious IP, addressing the threat without disrupting business.

Why this answer

Option C is correct because creating a geo-IP exception list for the malicious IP within the allowed country maintains business requirements while blocking the threat. Option A is wrong because removing the entire country block may disrupt business and is too broad. Option B is wrong because an IPS is a different control; adjusting WAF rules is more direct.

Option D is wrong because changing the WAF to block mode may cause false positives and is a drastic change.

80
MCQeasy

A company wants to ensure that only authorized code runs on its point-of-sale (POS) terminals. Which technology should be implemented?

A.Application whitelisting
B.Code signing
C.Trusted Platform Module (TPM)
D.Secure Boot
AnswerB

Code signing digitally signs executables, and the system validates the signature before allowing execution.

Why this answer

Code signing ensures that executables are digitally signed by a trusted publisher, and the system verifies the signature before execution. TPM is for attestation, application whitelisting is a policy, and secure boot focuses on boot-time integrity.

81
MCQhard

During a security assessment, the engineer discovers that a network appliance's firmware updates are signed using a 1024-bit RSA key. The appliance was manufactured in 2015. What is the primary security concern?

A.The key length is insufficient against modern attacks
B.The firmware is not encrypted
C.The signature algorithm is obsolete
D.The signing key is not rotated
AnswerA

1024-bit RSA can be broken by determined attackers; NIST recommends at least 2048 bits.

Why this answer

1024-bit RSA keys are considered weak because they can be factored with moderate computational resources, allowing an attacker to forge firmware updates. While the signature algorithm (RSA) is not obsolete, the key length is insufficient. Firmware encryption is not required for integrity; signing key rotation is secondary.

82
Multi-Selecteasy

A security engineer is hardening a Linux server. Which TWO of the following are best practices for preventing privilege escalation attacks?

Select 2 answers
A.Disable all user accounts except root
B.Apply kernel hardening with sysctl
C.Enable SELinux in enforcing mode
D.Remove the SUID bit from all binaries
E.Restrict cron jobs to root only
AnswersB, C

Kernel hardening parameters (e.g., disabling IP forwarding) reduce attack surface.

Why this answer

Options B and E are correct. SELinux (B) provides mandatory access control that restricts processes, and kernel hardening with sysctl (E) reduces the attack surface. Option A is incorrect because removing all SUID bits may break essential system functionality.

Option C is incorrect because disabling all non-root user accounts is impractical and violates least privilege. Option D is incorrect because restricting cron jobs to root only is not directly related to privilege escalation prevention.

83
MCQhard

A security engineer is troubleshooting a web application that uses OAuth 2.0 for authorization. Users report that after authenticating, they are unable to access resources that require a specific scope. The engineer inspects the authorization request and finds that the scope parameter is missing. Which OAuth flow is most likely being used?

A.Client credentials grant
B.Authorization code grant
C.Resource owner password credentials grant
D.Implicit grant
AnswerD

Implicit grant does not support scope parameter; scopes are typically fixed in client configuration.

Why this answer

The implicit grant flow in OAuth 2.0 does not require the client to include the scope parameter in the authorization request; the access token is returned directly in the URL fragment without a separate token endpoint call. When the scope parameter is missing, the authorization server may issue a token with a default or limited scope, causing users to be unable to access resources that require a specific scope. This matches the described symptom, making the implicit grant the most likely flow in use.

Exam trap

Cisco often tests the misconception that the scope parameter is always mandatory in all OAuth flows, but the implicit grant allows it to be optional, leading candidates to incorrectly select the authorization code grant.

How to eliminate wrong answers

Option A is wrong because the client credentials grant is used for server-to-server communication without user involvement, and the scope parameter is typically required and validated; missing scope would result in an error, not a token with insufficient scope. Option B is wrong because the authorization code grant requires the client to include the scope parameter in the authorization request, and the authorization server validates it before issuing the code; a missing scope would cause the request to fail or return an error. Option C is wrong because the resource owner password credentials grant requires the client to send the scope parameter along with the username and password; omitting it would lead to a token with default scope or an error, not the described behavior.

84
MCQhard

The engineer needs to prevent brute-force attacks while allowing legitimate access. Which security control is MOST effective?

A.Disable root login
B.Change SSH port to 2222
C.Implement fail2ban with a threshold of 5 attempts per minute
D.Implement IP whitelist for 10.0.0.0/8
AnswerC

Fail2ban automatically blocks offending IPs after exceeding the threshold, allowing legitimate traffic.

Why this answer

Fail2ban dynamically blocks IP addresses after a configurable number of failed attempts, stopping brute-force while allowing legitimate users (e.g., 10.0.0.50) to connect. Disabling root login only prevents root access but not attacks on other users. Changing the SSH port is security by obscurity.

IP whitelisting for 10.0.0.0/8 would block all other legitimate users and is not flexible.

85
MCQmedium

Refer to the exhibit. A security engineer is reviewing an X.509 certificate used for TLS. Which security concern should the engineer identify?

A.The certificate uses the SHA-1 hash algorithm
B.The RSA key length is 2048 bits
C.The certificate is self-signed
D.The validity period is only one year
AnswerA

SHA-1 is considered broken and should not be used for digital signatures.

Why this answer

The certificate uses SHA-1 as the signature algorithm, which is cryptographically weak and deprecated by major browsers and industry standards. Self-signed would show issuer == subject, key length 2048 is acceptable, and one-year validity is normal.

86
MCQhard

An OpenVPN configuration file is shown. A security auditor recommends replacing the cipher and auth directives. Which of the following is the BEST replacement pair from a security engineering perspective?

A.cipher AES-256-GCM and auth SHA256
B.cipher AES-128-GCM and auth SHA384
C.cipher 3DES-168 and auth MD5
D.cipher Blowfish-128 and auth SHA1
AnswerA

AES-256-GCM is an AEAD cipher that includes authentication, so the auth directive becomes unnecessary; however, OpenVPN allows both. This is a secure modern combination.

Why this answer

Option C is correct because AES-256-GCM is an AEAD cipher that provides both encryption and authentication, and TLS 1.3 uses AEAD. Option A is wrong because the configuration already uses SHA256 for auth; adding HMAC is redundant but not best. Option B is wrong because Blowfish is outdated and DES is weak.

Option D is wrong because 3DES is weak and MD5 is deprecated.

87
MCQhard

A company's security team is reviewing the integration of a legacy application that only supports NTLM authentication. The infrastructure must be updated to meet modern security standards. Which of the following is the BEST approach to mitigate the risk of using NTLM?

A.Place the application on an isolated network segment and restrict access with IP whitelisting.
B.Deploy an authentication federation service that translates modern Kerberos/SAML to NTLM for the legacy application.
C.Apply vendor patches to upgrade NTLM to NTLMv2 and enable extended protection for authentication.
D.Disable NTLM and force the application to use Kerberos directly.
AnswerB

A federation service (e.g., ADFS with NTLM fallback) allows the application to use modern authentication while the broker handles the legacy protocol, reducing risk.

Why this answer

Option D is correct because extending the application's authentication to support Kerberos or modern SSO via a federation service like ADFS or SAML proxy allows the legacy app to use modern authentication without modifying the app. Option A is wrong because network isolation does not address the weakness of NTLM in the authentication protocol. Option B is wrong because disabling NTLM would break the application.

Option C is wrong because applying patches may not be possible if the application is no longer supported, and NTLMv2 is still vulnerable.

88
MCQmedium

A security engineer is reviewing the configuration of a web application firewall (WAF) that protects a public-facing e-commerce site. The site has been experiencing intermittent false positives that block legitimate customers during checkout. The WAF is deployed in blocking mode with a rule set that includes SQL injection and cross-site scripting (XSS) signatures. The engineer notices that legitimate credit card numbers containing the string 'OR' are being blocked. The site uses HTTPS and input validation on the server side. Which of the following actions would BEST resolve the false positives while maintaining security?

A.Remove the WAF and rely on server-side input validation alone.
B.Disable the specific signature that matches the string 'OR' in the SQL injection rule set.
C.Change the WAF from blocking mode to detection mode.
D.Add a custom rule to allow all traffic to the checkout page.
AnswerB

This targets the exact cause of false positives while keeping other protections active.

Why this answer

Option B is correct because the false positive is caused by a specific SQL injection signature that matches the string 'OR' within legitimate credit card numbers. Disabling only that signature preserves the WAF's protection against actual SQL injection and XSS attacks while eliminating the false positive. The server-side input validation and HTTPS provide additional layers of defense, so removing the entire rule or switching to detection mode would unnecessarily weaken security.

Exam trap

CompTIA often tests the misconception that switching to detection mode or disabling the entire rule set is a safe compromise, but the correct approach is to surgically disable only the offending signature to balance security and usability.

How to eliminate wrong answers

Option A is wrong because removing the WAF entirely eliminates a critical defense layer, leaving the site vulnerable to attacks that server-side input validation might miss (e.g., bypasses via encoding or logic flaws). Option C is wrong because changing to detection mode would log but not block attacks, failing to protect the site during checkout and violating the requirement to maintain security. Option D is wrong because adding a custom rule to allow all traffic to the checkout page disables all WAF protections for that endpoint, exposing it to SQL injection, XSS, and other threats.

89
MCQeasy

A security architect needs to protect sensitive data in use within a server's memory from other processes. Which technology should be implemented?

A.Secure Boot
B.Trusted Platform Module (TPM)
C.Intel Software Guard Extensions (SGX)
D.Hardware Security Module (HSM)
AnswerC

SGX creates secure enclaves in memory, protecting data in use from other processes and the host OS.

Why this answer

Intel SGX provides hardware-based memory encryption that isolates code and data in enclaves, protecting data in use from other processes. TPM is for attestation and key storage, HSM for dedicated cryptographic operations, and Secure Boot for boot integrity.

90
MCQmedium

A security engineer is designing a secure boot process for embedded devices. Which component is responsible for verifying the signature of the bootloader before execution?

A.Secure Boot
B.Root of trust (RoT)
C.Trusted Platform Module (TPM)
D.UEFI firmware
AnswerB

RoT is the immutable hardware or code that establishes the first link in the chain of trust by verifying the bootloader.

Why this answer

The root of trust (RoT), typically implemented as a small section of immutable code in ROM or a dedicated microcontroller, checks the bootloader's signature using a public key stored in fuses. The TPM can store measurements but is not the verifier. UEFI is a firmware interface, and Secure Boot is the process itself.

91
MCQhard

A security engineer is reviewing an S3 bucket policy for a bucket named 'corporate-data'. The policy is shown. Which of the following describes a vulnerability in this configuration?

A.The Deny statement allows anonymous uploads over HTTP
B.The Deny statement allows any anonymous user to upload objects to the bucket
C.The Allow statement's IP address condition uses a private IP range, which is ineffective for internet-facing buckets
D.The Allow statement permits access over insecure HTTP
AnswerC

Private IP ranges (10.0.0.0/8) are not source IPs from the internet; thus the condition never matches, making the Allow statement useless.

Why this answer

Option C is correct because the Allow statement in the S3 bucket policy restricts access to a private IP address range (e.g., 10.0.0.0/8 or 192.168.0.0/16), which is non-routable on the public internet. Since the bucket is internet-facing, this condition is ineffective—any request from a public IP will fail the condition, effectively denying all external access, but the real vulnerability is that the policy relies on a private IP range that cannot be enforced for internet traffic, leaving the bucket either inaccessible or misconfigured. This misconfiguration can lead to unintended access if the condition is bypassed or if the bucket is intended to be public.

Exam trap

CompTIA often tests the misconception that private IP ranges can be used to restrict access to internet-facing S3 buckets, when in fact S3 only evaluates public source IPs, making such conditions ineffective or overly restrictive.

How to eliminate wrong answers

Option A is wrong because the Deny statement does not allow anonymous uploads over HTTP; it explicitly denies all anonymous access, and the vulnerability is not about HTTP vs. HTTPS but about the Allow statement's IP condition. Option B is wrong because the Deny statement explicitly blocks anonymous uploads, so it does not allow any anonymous user to upload objects; the vulnerability lies in the Allow statement, not the Deny.

Option D is wrong because the Allow statement does not permit access over insecure HTTP—it specifies HTTPS (via the aws:SecureTransport condition), and the vulnerability is the private IP range, not the protocol.

92
MCQmedium

During a penetration test, an engineer discovers that the application uses client-side JavaScript to validate input before submission. What is the MOST significant vulnerability?

A.Server-side validation is missing
B.Cross-site scripting
C.Insecure direct object reference
D.Weak session management
AnswerA

The lack of server-side validation allows any client-side validation to be bypassed, creating a serious vulnerability.

Why this answer

Client-side validation can be easily bypassed by disabling JavaScript or sending crafted HTTP requests. Without server-side validation, attackers can submit malicious payloads, leading to injection attacks. XSS and IDOR are separate issues; weak session management is unrelated to input validation.

93
MCQmedium

A security engineer is implementing a solution to securely store and manage cryptographic keys for a fleet of IoT devices. The devices have limited processing power and cannot perform asymmetric operations. Which of the following is the BEST approach?

A.Use a cloud-based Hardware Security Module (HSM) to generate and store keys, and provision them to devices during manufacturing.
B.Install a Trusted Platform Module (TPM) in each device to store keys on the device.
C.Use a cloud KMS to generate and wrap keys, then store the wrapped key in the device.
D.Store keys in obfuscated form in the device firmware and use a custom algorithm for encryption.
AnswerA

A cloud HSM provides secure key generation, storage, and lifecycle management; provisioning keys during manufacturing ensures they are not exposed.

Why this answer

Option A is correct because a cloud HSM offers secure key management and offloads cryptographic operations, suitable for simple symmetric operations on IoTs. Option B is wrong because TPM is typically used for device identity and limited storage, not scalable for fleet management. Option C is wrong because storing keys in firmware is insecure; they can be extracted.

Option D is wrong because key wrapping via KMS still requires the IoT to store keys, which is insecure.

94
Multi-Selecthard

An organization is deploying a new cloud-based application that processes personally identifiable information (PII). The security team must ensure data at rest is encrypted. Which THREE of the following controls should be implemented to protect the data? (Select THREE.)

Select 3 answers
A.Use tokenization for all PII fields in the database.
B.Implement a key management system (KMS) with automatic key rotation.
C.Enable transparent data encryption (TDE) on the database.
D.Use AES-256 encryption for all stored data.
E.Configure TLS 1.3 for all data connections.
AnswersB, C, D

Proper key management and rotation are critical to maintaining encryption security.

Why this answer

Option B is correct because a key management system (KMS) with automatic key rotation ensures that encryption keys are securely stored, rotated, and managed, which is essential for protecting data at rest. Without proper key management, encryption can be rendered ineffective if keys are compromised or stale. This control directly supports the confidentiality of PII stored in the cloud.

Exam trap

Cisco often tests the distinction between encryption for data at rest (e.g., TDE, AES-256, KMS) and encryption for data in transit (e.g., TLS), so candidates mistakenly select TLS as a data-at-rest control.

95
MCQmedium

A company is designing a new data center with high availability requirements. The network team proposes using virtualized network functions (VNFs) on commodity hardware to reduce costs. Which security consideration is MOST important when implementing this design?

A.Isolate VNFs to prevent lateral movement if one VNF is compromised
B.Ensure VNFs are deployed across multiple physical hosts for redundancy
C.Encrypt all traffic between VNFs to prevent eavesdropping
D.Implement quality of service (QoS) to guarantee bandwidth for critical VNFs
AnswerA

Isolation is critical because VNFs share hypervisor; a compromise could spread.

Why this answer

Isolating VNFs is the most important security consideration because VNFs share the same hypervisor and commodity hardware, so a compromise in one VNF could allow an attacker to move laterally to other VNFs or the underlying host. Without proper isolation (e.g., using VLANs, VXLANs, or micro-segmentation), the entire multi-tenant environment is at risk, undermining the high-availability design.

Exam trap

The trap here is that candidates confuse operational requirements (redundancy, QoS, encryption) with security controls, overlooking that isolation is the foundational security measure in a shared virtualized environment.

How to eliminate wrong answers

Option B is wrong because deploying VNFs across multiple physical hosts for redundancy is a high-availability design requirement, not a security consideration; it does not address the risk of lateral movement or compromise. Option C is wrong because encrypting traffic between VNFs (e.g., with IPsec or TLS) protects data in transit but does not prevent a compromised VNF from attacking other VNFs on the same host; isolation is a prerequisite for security. Option D is wrong because QoS guarantees bandwidth for critical VNFs, which is a performance and availability concern, not a security control; it does not mitigate the risk of a VNF being compromised and used to pivot within the network.

96
MCQhard

A company is implementing single sign-on using SAML 2.0. A security architect is reviewing the authentication flow and notices that the identity provider (IdP) does not digitally sign the SAML assertions. Which of the following is the most significant security risk?

A.The assertion could be modified in transit
B.The assertion could be intercepted and read
C.The IdP could be spoofed
D.The assertion could be replayed
AnswerA

Without a signature, the service provider cannot verify that the assertion was not tampered with, allowing attribute or identity changes.

Why this answer

Without signing, an attacker can modify the assertion in transit, potentially impersonating a user or altering attributes, leading to unauthorized access.

97
Multi-Selecthard

An incident responder is analyzing a compromised server. Which THREE indicators are MOST likely to confirm a successful attack?

Select 3 answers
A.Corrupted system files
B.Unusual outbound network connections
C.Multiple failed login attempts
D.High CPU usage due to legitimate processes
E.New unauthorized administrative accounts
AnswersA, B, E

Corrupted files can result from malware or unauthorized modification.

Why this answer

New unauthorized accounts indicate adversary persistence. Unusual outbound connections suggest command-and-control or data exfiltration. Corrupted system files are a sign of malware or unauthorized changes.

High CPU usage can be from legitimate loads, and failed logins are not proof of success.

← PreviousPage 2 of 2 · 97 questions total

Ready to test yourself?

Try a timed practice session using only Security Engineering questions.