Security+ SY0-701 (SY0-701) — Questions 175

1152 questions total · 16pages · All types, answers revealed

Page 1 of 16

Page 2
1
MCQmedium

A security analyst reviews authentication logs and discovers hundreds of failed login attempts from a single external IP address within a five-minute window. All attempts target the same username 'jsmith' but use different passwords. Which type of password attack does this pattern most likely indicate?

A.Password spraying
B.Brute force
C.Credential stuffing
D.Dictionary attack
AnswerB

Correct. A brute force attack systematically tries many passwords against a single account. The log pattern of hundreds of different passwords for the same username matches this method.

Why this answer

The pattern of hundreds of failed login attempts from a single external IP address targeting the same username 'jsmith' with different passwords is characteristic of a brute force attack. In a brute force attack, the attacker systematically tries many password guesses against a single account to eventually find the correct credential. This contrasts with password spraying, where a few common passwords are tried against many usernames, and credential stuffing, which uses previously compromised username/password pairs from other breaches.

Exam trap

The trap here is confusing brute force with password spraying: candidates often pick password spraying because they see 'different passwords,' but the key differentiator is the single target username versus multiple usernames, which defines the attack vector.

How to eliminate wrong answers

Option A is wrong because password spraying involves trying a small number of common passwords (e.g., 'Password123', 'Welcome1') against many different usernames to avoid account lockouts, not hundreds of different passwords against a single username. Option C is wrong because credential stuffing uses known username/password combinations from previous data breaches, not random or systematically generated passwords, and would typically show a mix of successes and failures rather than all failures with varying passwords.

2
Matchingmedium

Match each scenario from a security design review to the principle it best demonstrates.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Least privilege

Need-to-know

Zero trust

Defense in depth

Availability

Why these pairings

Each scenario demonstrates a distinct security principle: encryption adds depth, MFA enforces least privilege, segmentation supports separation of duties, logging ensures accountability, combining IDS with firewalls provides layered security, and disabling services reduces the attack surface.

3
MCQmedium

Based on the exhibit, which change best reduces the blast radius if a user workstation is compromised?

A.Add more allow rules from VLAN 10 to VLAN 30 for SMB and RDP so restore jobs stay flexible.
B.Move the backup server into the user VLAN to avoid routing and ACL complexity.
C.Remove direct user access to the backup VLAN and allow only the dedicated backup path.
D.Increase the DHCP lease time so backup jobs run less often during business hours.
AnswerC

Limiting backup access to dedicated systems preserves segmentation and protects recovery data from workstation compromise.

Why this answer

Option C is correct because removing direct user access to the backup VLAN and allowing only the dedicated backup path enforces network segmentation, which limits lateral movement. If a workstation in VLAN 10 is compromised, an attacker cannot pivot directly to the backup server in VLAN 30, reducing the blast radius. This aligns with the principle of least privilege and defense-in-depth for backup infrastructure.

Exam trap

The trap here is that candidates may think adding more allow rules (Option A) improves flexibility, but in security architecture, reducing unnecessary access paths is key to minimizing blast radius, not increasing connectivity.

How to eliminate wrong answers

Option A is wrong because adding more allow rules from VLAN 10 to VLAN 30 for SMB and RDP increases the attack surface, allowing a compromised workstation to directly access backup servers, which expands rather than reduces the blast radius. Option B is wrong because moving the backup server into the user VLAN eliminates network segmentation entirely, exposing the backup server to any compromised workstation in the same broadcast domain and defeating the purpose of isolation. Option D is wrong because increasing the DHCP lease time does not affect network access controls or segmentation; it only delays IP address renewal and has no impact on blast radius reduction.

4
MCQhard

A Java web service accepts a Base64-encoded `profile` object from the browser. During testing, changing a serialized field from `role=user` to `role=admin` causes a deserialization error unless the original signed blob is reused. When a captured valid blob is modified only slightly, the application reconstructs a different class and then exposes an internal admin page. Which attack pattern is most likely?

A.Insecure deserialization, because untrusted serialized data is being reconstructed into server-side objects.
B.SQL injection, because the attacker is changing a field to access a different page.
C.Cross-site request forgery, because the browser is sending a forged request to the application.
D.Cross-site scripting, because the modified object exposes an internal admin page.
AnswerA

Insecure deserialization is the best fit because the application accepts a serialized object from an untrusted source and turns it back into live server-side data. The fact that a small modification changes object behavior shows the server is trusting attacker-controlled serialized content. That can lead to authorization bypass, object confusion, or even code execution depending on the framework and validation controls.

Why this answer

The correct answer is A because the scenario describes a classic insecure deserialization attack. The Java web service accepts a Base64-encoded serialized object from the browser and reconstructs it into server-side objects without integrity verification. When the attacker modifies a serialized field (role=user to role=admin), the application deserializes the tampered data, which causes a deserialization error unless the original signed blob is reused, but a slight modification reconstructs a different class and exposes an internal admin page.

This directly matches the OWASP Top 10 insecure deserialization pattern where untrusted data is deserialized, leading to object injection and privilege escalation.

Exam trap

The trap here is that candidates may confuse the symptom (accessing an admin page) with a web-based attack like XSS or CSRF, but the root cause is the insecure deserialization of untrusted serialized data, not client-side script injection or request forgery.

How to eliminate wrong answers

Option B is wrong because SQL injection involves injecting malicious SQL queries into input fields to manipulate a database, not modifying serialized object fields to change server-side class behavior or access pages. Option C is wrong because cross-site request forgery (CSRF) relies on tricking a user's browser into sending an authenticated request to a target application, not on manipulating serialized data to alter server-side object reconstruction. Option D is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages viewed by other users, not modifying serialized objects to cause server-side deserialization of a different class.

5
MCQmedium

A help desk technician reviews a ticket where a user says they logged out of the payroll portal, but another employee who found the session cookie in a browser debug log could still access the account until the session expired. Which attack best matches this behavior?

A.Session hijacking, because a stolen session token was reused to impersonate the user.
B.Pretexting, because the attacker pretended to be an authorized employee on a phone call.
C.CSRF, because the victim was tricked into sending unwanted requests from their browser.
D.Insecure deserialization, because serialized objects were accepted without validation.
AnswerA

If a valid session cookie can be reused by someone else, the attacker is effectively taking over the active session without knowing the password.

Why this answer

Option A is correct because the described behavior—where a session cookie stolen from a browser debug log is reused by another employee to access the payroll portal—is a classic session hijacking attack. Session hijacking occurs when an attacker captures a valid session token (e.g., a cookie containing a session ID) and uses it to impersonate the authenticated user, bypassing the need for credentials. In this case, the session cookie was not invalidated upon logout, allowing the attacker to reuse it until the session's expiration time.

Exam trap

The trap here is that candidates may confuse session hijacking with CSRF, but the key distinction is that session hijacking involves stealing and reusing an existing session token, whereas CSRF tricks the victim's browser into performing actions using the victim's own active session.

How to eliminate wrong answers

Option B is wrong because pretexting involves fabricating a scenario (e.g., a phone call) to trick a victim into divulging information, but the question describes a technical attack using a stolen session cookie, not social engineering. Option C is wrong because Cross-Site Request Forgery (CSRF) tricks a victim's browser into sending unwanted requests while the victim is authenticated, but here the attacker directly reuses a stolen session token without involving the victim's browser.

6
MCQmedium

A security analyst is responding to a potential ransomware incident on a Windows server that is still running. The analyst needs to preserve forensic evidence for analysis. Which of the following actions should the analyst perform first, based on the order of volatility?

A.Capture a full memory dump of the server
B.Shut down the server to prevent further damage
C.Create a forensic disk image of the hard drive
D.Run a full antivirus scan on the system
AnswerA

Correct. Memory is the most volatile data and should be captured first to preserve evidence such as running processes, network connections, and malware in memory. Any delay or system shutdown may cause this data to be lost.

Why this answer

The order of volatility dictates that the most volatile data (memory) must be captured first because it contains critical evidence like running processes, network connections, and encryption keys that will be lost when the system is powered off. A full memory dump preserves this volatile data before any other actions that could alter the system state.

Exam trap

The trap here is that candidates often think shutting down the server is the safest first step to contain damage, but CompTIA tests the forensic principle that volatile data must be preserved before any containment or remediation actions.

How to eliminate wrong answers

Option B is wrong because shutting down the server destroys volatile memory data and may trigger ransomware encryption routines or anti-forensic mechanisms. Option C is wrong because creating a forensic disk image is a lower-priority step that should occur after capturing memory, as disk data is less volatile. Option D is wrong because running a full antivirus scan modifies file access times, writes logs, and can alter the very evidence you are trying to preserve, violating forensic integrity.

7
MCQmedium

A security analyst receives an alert about a user account attempting to access multiple network shares in rapid succession within a short time frame. The analyst reviews the logs and sees that the IP address originates from the internal network, but the user is currently on leave. Which type of attack is most likely occurring?

A.Pass-the-hash attack
B.Brute-force attack
C.Credential stuffing attack
D.Internal reconnaissance
AnswerD

Internal reconnaissance involves an attacker who has already compromised a system and is now scanning internal resources to identify valuable data or further targets. The rapid access to multiple network shares aligns with this activity.

Why this answer

The correct answer is D because the behavior—an internal IP address rapidly querying multiple network shares—is characteristic of internal reconnaissance, where an attacker who has already gained a foothold maps out available resources. The user being on leave indicates the account is compromised, and the rapid succession of share access attempts is a classic sign of automated enumeration (e.g., using `net view` or SMB queries) rather than a direct credential attack.

Exam trap

The trap here is that candidates confuse the rapid enumeration of network shares with a brute-force or credential-based attack, failing to recognize that the attacker is already authenticated and is simply mapping the network for further exploitation.

How to eliminate wrong answers

Option A is wrong because a pass-the-hash attack uses captured NTLM hashes to authenticate without knowing the plaintext password, but the alert describes rapid share access, not a lateral movement technique that reuses a hash. Option B is wrong because a brute-force attack tries many passwords against a single account or service, whereas this scenario shows a single account attempting many shares, not repeated login failures. Option C is wrong because credential stuffing uses previously breached username/password pairs against multiple services, but the logs show a single internal IP accessing multiple shares, not login attempts across different applications or websites.

8
MCQmedium

A manufacturer identifies a rare but very costly ransomware risk. Executives decide not to eliminate the activity, but to purchase cyber insurance and formally acknowledge the remaining exposure. Which risk treatment is being used?

A.Avoidance
B.Transfer
C.Mitigation
D.Acceptance
AnswerB

Transfer shifts some financial impact to another party, such as an insurer, while the organization keeps operating.

Why this answer

The correct answer is B (Transfer) because purchasing cyber insurance shifts the financial risk of the ransomware incident to the insurer. The executives formally acknowledge the remaining exposure, which confirms they are not simply accepting the risk but are actively transferring the monetary impact through a contractual agreement.

Exam trap

The trap here is that candidates confuse 'acceptance' with 'acknowledgment' — the phrase 'formally acknowledge the remaining exposure' is a red herring; true acceptance requires no further action, but purchasing insurance proves the risk is being transferred, not accepted.

How to eliminate wrong answers

Option A (Avoidance) is wrong because avoidance would require discontinuing the activity that introduces the ransomware risk, such as shutting down the affected systems or processes. Option C (Mitigation) is wrong because mitigation involves implementing technical controls (e.g., endpoint detection, backups, patching) to reduce the likelihood or impact of ransomware, not purchasing insurance. Option D (Acceptance) is wrong because acceptance means the organization consciously retains the risk without transferring or mitigating it; purchasing insurance demonstrates a transfer, not passive acceptance.

9
MCQmedium

A company is redesigning its network to host a public-facing web application that accesses a confidential database. The security team needs to minimize the risk of a direct attack against the database server while still allowing the web server to retrieve and update data. Which network architecture best achieves this objective?

A.Place both the web server and the database server in the same DMZ segment and rely on host-based firewalls for protection.
B.Place the web server in the DMZ and the database server on the internal network. Configure the firewall to allow inbound traffic from the web server to the database server on the required port only.
C.Connect both servers to a single internal VLAN and use a reverse proxy to forward external traffic to the web server.
D.Use a site-to-site VPN to connect the web server and database server, and place both behind a single NAT gateway.
AnswerB

This architecture follows the principle of defense in depth. The DMZ provides an additional security layer for the web server, while the database is isolated on the internal network with a restrictive firewall rule that limits access to only the web server, reducing the attack surface.

Why this answer

Option B is correct because it implements a tiered network architecture where the web server resides in the DMZ (a semi-trusted zone) and the database server is placed on the internal network, isolated from direct internet access. The firewall is configured with a stateful rule that permits only the web server's IP and the specific database port (e.g., TCP 3306 for MySQL or 1433 for MSSQL), preventing any direct inbound connections from the internet to the database. This minimizes the attack surface by ensuring that even if the web server is compromised, the database is not directly reachable from external hosts.

Exam trap

The trap here is that candidates often assume placing both servers in the DMZ is sufficient because they think the DMZ itself provides isolation, but they overlook that the DMZ is still a single security zone where lateral movement between hosts is not restricted, making the database vulnerable if the web server is breached.

How to eliminate wrong answers

Option A is wrong because placing both servers in the same DMZ segment exposes the database server to the same untrusted network as the web server, and host-based firewalls alone are insufficient to stop a determined attacker who compromises the web server from pivoting laterally to the database. Option C is wrong because connecting both servers to a single internal VLAN places the database server on the same Layer 2 domain as the web server, and a reverse proxy only protects the web server from direct external access but does not isolate the database from internal threats or lateral movement. Option D is wrong because a site-to-site VPN and a single NAT gateway treat both servers as peers on the same logical network, offering no segmentation between the web and database tiers, and the NAT gateway does not enforce application-layer filtering between them.

10
MCQmedium

After completing a vulnerability scan, a security analyst discovers that a legacy customer-facing application running on an unsupported operating system contains a critical remote code execution vulnerability. The application is essential to daily operations and cannot be patched or upgraded in the near term. Management has approved the purchase of a hardware-based network firewall that will be placed in front of the application to restrict inbound traffic to only authorized source IP addresses and port numbers. Which risk management strategy does this action primarily represent?

A.Risk acceptance
B.Risk mitigation
C.Risk avoidance
D.Risk transference
AnswerB

Correct. By deploying a firewall to restrict access, the organization is reducing the likelihood that the vulnerability can be exploited. This is a risk mitigation strategy using a compensating control.

Why this answer

The security team is implementing a hardware-based network firewall to restrict inbound traffic to only authorized source IP addresses and port numbers. This directly reduces the likelihood of exploitation by limiting the attack surface, which is the essence of risk mitigation — applying controls to reduce the risk to an acceptable level. Patching or upgrading is not feasible, so compensating controls like network segmentation and access control lists (ACLs) are used to mitigate the vulnerability.

Exam trap

The trap here is that candidates confuse 'risk mitigation' with 'risk avoidance' because they think blocking traffic is 'avoiding' the vulnerability, but avoidance means eliminating the risk entirely (e.g., decommissioning the app), whereas mitigation reduces the likelihood or impact while the risk still exists.

How to eliminate wrong answers

Option A is wrong because risk acceptance would mean formally acknowledging the risk and taking no action to reduce it, which contradicts the purchase and deployment of a firewall. Option C is wrong because risk avoidance would require removing the application or discontinuing its use entirely, not adding a protective control. Option D is wrong because risk transference involves shifting the financial impact of a risk to a third party (e.g., cyber insurance or outsourcing), not deploying a technical control like a firewall.

11
MCQmedium

During malware response on a finance workstation, the system is still powered on and connected. The manager asks whether you can just reboot it to stop the issue. What is the best next step?

A.Reboot immediately to prevent any further damage from the suspected malware.
B.Capture volatile evidence and document the system state before containment actions.
C.Copy suspicious files to a shared drive and continue normal operations.
D.Run a full disk cleanup to remove temporary files and reduce risk.
AnswerB

This is the correct next step because evidence preservation comes before intrusive remediation when a system is still live. Memory, running processes, active network connections, and logged-on sessions may reveal malware behavior and scope. Documenting the time, state, and actions taken also supports the incident response process and helps preserve the integrity of later findings if the case requires internal review or legal action.

Why this answer

Option B is correct because in incident response, the first priority when a system is still powered on is to capture volatile evidence (e.g., memory contents, running processes, network connections) before any containment actions like rebooting. Rebooting would destroy this critical data, which may be essential for forensic analysis and understanding the malware's behavior. The order of volatility (RFC 3227) dictates that volatile data must be collected first to preserve evidence integrity.

Exam trap

The trap here is that candidates may think rebooting is a quick fix to stop malware, but CompTIA emphasizes that preserving volatile evidence is the critical first step before any containment action, as rebooting destroys that evidence.

How to eliminate wrong answers

Option A is wrong because rebooting immediately destroys volatile evidence (e.g., RAM contents, active network connections, running processes) that could be crucial for forensic analysis and determining the malware's origin and impact. Option C is wrong because copying suspicious files to a shared drive could spread the malware to other systems on the network, violating containment principles and increasing risk. Option D is wrong because running a full disk cleanup would delete temporary files that might contain malware artifacts or evidence, and it does nothing to stop the active malware or preserve forensic data.

12
MCQmedium

An organization's file server contains sensitive HR data. The security team discovers that permissions on a confidential folder have been altered. Which of the following security controls would MOST likely help determine the account responsible for this change?

A.Data loss prevention (DLP) system
B.Mandatory access control (MAC)
C.Audit logging
D.Host-based intrusion prevention system (HIPS)
AnswerC

Audit logging records user actions such as file access, modification, and permission changes. It provides a detailed trail that can be reviewed to identify the account responsible for altering permissions and the exact time of the change.

Why this answer

Audit logging is the correct answer because it records detailed information about who made changes to files and folders, including the account name, timestamp, and the specific permission alteration. By reviewing audit logs, the security team can trace the unauthorized permission change back to the responsible user account. This is a detective control that directly supports accountability and forensic investigation.

Exam trap

The trap here is that candidates often confuse a preventive control like MAC or HIPS with a detective control like audit logging, failing to recognize that only audit logs provide the specific account attribution needed for this scenario.

How to eliminate wrong answers

Option A is wrong because a Data Loss Prevention (DLP) system is designed to monitor and prevent unauthorized data exfiltration, not to track permission changes on a file server. Option B is wrong because Mandatory Access Control (MAC) enforces access policies based on labels and clearances, but it does not inherently log or identify the account that altered permissions. Option D is wrong because a Host-based Intrusion Prevention System (HIPS) focuses on detecting and blocking malicious activity such as malware or exploits, not on recording file permission modifications.

13
Multi-Selecteasy

A Linux administrator must run a weekly maintenance script on 40 servers without giving technicians interactive root access. Which two practices best support secure administration? Select two.

Select 2 answers
A.Use a dedicated service account with only the required commands.
B.Run the job through a scheduler or automation tool instead of manually logging in.
C.Share one root password across the whole team.
D.Embed the account password directly in the script.
E.Disable logging so the maintenance job runs faster.
AnswersA, B

A dedicated service account limits access to only the tasks the script needs.

Why this answer

Option A is correct because a dedicated service account with only the required commands implements the principle of least privilege. By using sudo or RBAC to restrict the account to exactly the commands needed for the maintenance script, the administrator avoids granting full root access while still allowing the script to execute with elevated privileges. This minimizes the attack surface and prevents unauthorized actions.

Exam trap

The trap here is that candidates may think sharing a root password is acceptable for team efficiency, but CompTIA emphasizes that shared credentials break accountability and violate security best practices, especially when interactive root access must be avoided.

14
MCQeasy

A SIEM correlation rule alerts when a single user account fails to authenticate 20 times in 5 minutes and then succeeds from the same source IP. What is the most likely reason the team should investigate this event?

A.The account was probably being used normally because the password was changed
B.The pattern may indicate password guessing or credential stuffing
C.The SIEM is misconfigured because all failed logons are false positives
D.The account is definitely malicious and should be deleted immediately
AnswerB

Repeated failures followed by a success can show automated guessing, and it is worth investigating for compromise.

Why this answer

The pattern of 20 rapid failed authentication attempts followed by a successful authentication from the same source IP is a classic indicator of a password guessing or credential stuffing attack. The attacker likely used a list of common passwords or previously compromised credentials, and the final success suggests they found a valid password. SIEM correlation rules are designed to detect such brute-force or spraying behaviors, and this event warrants immediate investigation to determine if the account is compromised.

Exam trap

The trap here is that candidates may dismiss the alert as a false positive due to a user forgetting their password, but the specific combination of rapid failures followed by success from the same IP is a textbook sign of a successful brute-force or credential stuffing attack, not normal user behavior.

How to eliminate wrong answers

Option A is wrong because a password change would not cause 20 rapid failures followed by a success from the same IP; normal usage does not exhibit this pattern, and password changes typically generate a single failure if the old password is used, not a burst of failures. Option C is wrong because failed logons are not inherently false positives; they are legitimate security events that can indicate attacks, and a properly configured SIEM should alert on such patterns to detect credential abuse.

15
Multi-Selecthard

A platform team runs production, staging, and developer containers on the same Kubernetes cluster. After a staging compromise, the team wants to reduce the chance of access to production secrets or lateral movement to other namespaces. Which two architecture changes are most effective? Select two.

Select 2 answers
A.Move production workloads into a separate cluster or dedicated node pool with stricter tenancy boundaries.
B.Run all namespaces on the same privileged worker nodes so scaling is easier.
C.Apply network policies or microsegmentation so staging pods cannot talk freely to production services.
D.Store secrets as plain environment variables because container images are already isolated.
E.Grant every service account cluster-admin so deployments fail less often.
AnswersA, C

Separating production from less trusted workloads reduces the blast radius of a compromise and keeps sensitive workloads away from shared resources. A dedicated cluster or node pool also makes it easier to apply stricter controls, monitoring, and change management to production. This is an effective way to limit cross-environment impact.

Why this answer

Option A is correct because moving production workloads to a separate cluster or dedicated node pool enforces stronger tenancy boundaries, preventing a compromise in staging from directly accessing production secrets or pods. Kubernetes namespaces alone do not provide strong isolation, as a single cluster shares the same control plane and node resources, making lateral movement possible. This architectural change reduces the attack surface by physically or logically separating production from staging and development environments.

Exam trap

CompTIA often tests the misconception that Kubernetes namespaces provide sufficient security isolation, but the trap here is that namespaces share the same control plane and node resources, so without separate clusters or node pools, a compromise in one namespace can lead to lateral movement to others.

16
Multi-Selectmedium

Which four of the following are essential elements of an effective business continuity plan (BCP) that a security manager should oversee? (Choose four.)

Select 4 answers
.Identification of critical business functions and their dependencies
.Defined recovery time objectives (RTOs) and recovery point objectives (RPOs)
.A single, centralized backup location to simplify management
.Regular testing and exercises to validate plan effectiveness
.Documented communication and escalation procedures during an incident
.Automatic failover to a hot site without any human notification

Why this answer

Identification of critical business functions and their dependencies is correct because a BCP must prioritize which systems and processes are essential for survival, ensuring that recovery efforts focus on the most vital operations first. Without this mapping, the plan lacks direction and may waste resources on non-critical assets during a disaster.

Exam trap

The trap here is that candidates confuse a BCP with a disaster recovery plan (DRP) and assume that automatic failover without notification is a best practice, when in fact BCPs require human-in-the-loop communication to coordinate response and avoid cascading failures.

17
MCQmedium

Based on the exhibit, which improvement best aligns the current backup design with the stated recovery targets?

A.Keep the same design but extend backup retention from 30 days to 90 days.
B.Switch to frequent incremental or snapshot backups stored in a separate, immutable location with routine restore tests.
C.Share the backup administrator password in a team chat so any engineer can restore data during an outage.
D.Remove backup encryption so restores run faster during an emergency.
AnswerB

The business needs a much smaller RPO and a faster RTO than the current design can deliver. More frequent backups reduce the amount of data lost, while a separate immutable repository improves resilience against ransomware and storage failures. Regular restore tests confirm that the chosen method actually meets the recovery objective in practice, not just on paper.

Why this answer

Option B is correct because the current backup design lacks off-site, immutable storage and routine restore testing, which are critical to meet recovery point and time objectives (RPO/RTO). Frequent incremental or snapshot backups in a separate, immutable location protect against ransomware and ensure data integrity, while routine restore tests verify that backups are actually recoverable when needed.

Exam trap

CompTIA often tests the misconception that simply extending retention or making backups faster (e.g., removing encryption) improves recovery, when in reality the key gaps are off-site immutability and restore testing to ensure recoverability against ransomware and operational errors.

How to eliminate wrong answers

Option A is wrong because extending retention to 90 days does not address the lack of off-site or immutable storage, nor does it improve recovery speed or reliability; it only keeps more data in the same vulnerable location. Option C is wrong because sharing the backup administrator password in a team chat violates the principle of least privilege and introduces a massive security risk, potentially allowing unauthorized access to backup systems. Option D is wrong because removing backup encryption would expose sensitive data in transit and at rest, violating confidentiality requirements and potentially compliance mandates, while any performance gain is negligible compared to the security loss.

18
MCQmedium

After a facilities outage, multiple employees report that their phones automatically joined a network named "CorpWiFi" in the lobby even though the legitimate access point was offline. A nearby attacker device then captured the captive portal login traffic. What attack is most likely?

A.Rogue access point
B.Evil twin
C.Bluetooth bluejacking
D.NFC relay attack
AnswerB

An evil twin mimics a trusted wireless network name and often a stronger signal to lure devices into connecting to it.

Why this answer

The correct answer is B, Evil twin. In this scenario, the attacker set up a rogue access point with the same SSID ("CorpWiFi") as the legitimate network, which was offline. When employees' phones automatically attempted to reconnect to a known SSID, they associated with the attacker's device, which then presented a fake captive portal to capture login credentials.

This is the classic definition of an evil twin attack: a fraudulent AP that mimics a legitimate one to intercept traffic.

Exam trap

The trap here is confusing an evil twin with a rogue access point; candidates often pick 'rogue access point' because both involve unauthorized APs, but the key distinction is that an evil twin mimics a legitimate SSID to intercept traffic, while a rogue AP is physically connected to the internal network.

How to eliminate wrong answers

Option A is wrong because a rogue access point is an unauthorized AP plugged into the corporate network, not a fake AP set up to mimic an offline legitimate AP; here the attacker's device is not connected to the corporate LAN. Option C is wrong because Bluetooth bluejacking involves sending unsolicited messages over Bluetooth, not capturing Wi-Fi captive portal traffic or spoofing an SSID. Option D is wrong because an NFC relay attack extends the range of an NFC transaction (e.g., contactless payment) by relaying signals between two devices, and does not involve Wi-Fi SSID spoofing or captive portal interception.

19
MCQmedium

After a suspicious laptop is imaged with a write blocker, the original drive is sealed and stored. Before a second analyst examines the image, what is the most important next step to preserve admissibility?

A.Mount the image read/write so the analyst can browse faster.
B.Copy the image to a USB drive for easier transport.
C.Document the transfer in the chain-of-custody log and verify the image hash still matches the acquisition value.
D.Rename the evidence file to match the case number.
AnswerC

Chain-of-custody documentation shows who handled the evidence, when it changed hands, and why. Verifying the image hash against the acquisition hash proves the data has not changed since collection. Together, these steps support integrity and admissibility in administrative, HR, or legal reviews. A well-maintained log plus matching hashes is the standard way to show the evidence remained untampered during transfer and analysis.

Why this answer

Option C is correct because before a second analyst accesses the image, the most critical step is to update the chain-of-custody log to document the transfer of custody and to verify the integrity of the image by comparing its current hash value against the original acquisition hash. This ensures that the evidence has not been altered or corrupted since it was first imaged, which is essential for maintaining admissibility in legal proceedings under rules such as the Federal Rules of Evidence.

Exam trap

CompTIA often tests the misconception that renaming or copying evidence is a valid step for preservation, when in fact the core legal requirement is maintaining integrity verification and chain-of-custody documentation before any further handling.

How to eliminate wrong answers

Option A is wrong because mounting the image read/write would modify the file system metadata (e.g., last access timestamps) and potentially alter the image, breaking the hash integrity and rendering the evidence inadmissible. Option B is wrong because copying the image to a USB drive without first verifying the hash and documenting the transfer in the chain-of-custody log introduces a gap in the custody trail and risks integrity loss; the copy must be verified against the original hash, not just moved. Option D is wrong because renaming the evidence file to match the case number is a procedural convenience but does not address the legal requirements of chain-of-custody documentation or hash verification, and could cause confusion if the original filename is needed for forensic tool compatibility.

20
MCQmedium

After a server rebuild, an administrator notices that Remote Desktop, SMBv1, and Print Spooler are still enabled on a Windows file server even though the server only stores department documents. The security team also wants to know if future changes drift away from the approved build. What should be implemented?

A.Apply the approved secure baseline and enable configuration drift monitoring against it.
B.Keep the server as-is and rely on the antivirus console to stop misuse.
C.Move the server into a different VLAN and leave the operating system settings unchanged.
D.Schedule a monthly reboot to clear temporary settings and reduce attack surface.
AnswerA

A secure baseline defines the expected hardened state, and drift monitoring detects unauthorized or accidental changes over time. This directly addresses both the current unnecessary services and the need to catch future deviations. It is the most complete and operationally useful response.

Why this answer

Option A is correct because applying an approved secure baseline (e.g., via Group Policy or Security Compliance Toolkit) ensures that unnecessary services like Remote Desktop, SMBv1, and Print Spooler are explicitly disabled. Enabling configuration drift monitoring (e.g., using Azure Policy, DSC, or a SIEM) allows the security team to detect and alert on any unauthorized changes that deviate from the baseline, addressing both the immediate risk and the long-term compliance requirement.

Exam trap

The trap here is that candidates often think network segmentation (VLAN) or periodic reboots are sufficient to mitigate service-level vulnerabilities, but the question specifically asks for a solution that prevents future drift from an approved build, which requires a baseline and monitoring, not just isolation or temporary fixes.

How to eliminate wrong answers

Option B is wrong because relying solely on an antivirus console does not disable or prevent the exploitation of enabled services like SMBv1 (which is vulnerable to EternalBlue) or Print Spooler (which has known privilege escalation flaws); antivirus is not a substitute for reducing the attack surface. Option C is wrong because moving the server to a different VLAN does not disable the enabled services; it only segments network traffic, leaving the server still vulnerable to lateral movement if an attacker gains access to that VLAN. Option D is wrong because scheduling a monthly reboot does not permanently disable services or prevent drift; it only clears temporary settings, and the unwanted services would remain enabled after each reboot.

21
MCQmedium

An IT manager wants a document that defines the mandatory minimum requirements for all company laptops, including full-disk encryption, password length, and screen-lock timing. The help desk also needs a separate document that shows exactly how to enroll a laptop in management software. Which document type should contain the mandatory laptop requirements?

A.Policy, because it gives broad direction without technical detail.
B.Standard, because it defines the required technical settings that must be followed.
C.Procedure, because it gives step-by-step instructions for completing a task.
D.Guideline, because it offers flexible recommendations for administrators.
AnswerB

A standard is the correct document type for mandatory, measurable technical requirements. In this case, the organization needs exact minimum settings for encryption, password length, and screen-lock timing, which are all enforceable specifications. The procedure for enrolling devices would be a separate document that explains how to carry out the requirement, but the baseline technical requirements belong in the standard.

Why this answer

Option B is correct because a standard defines mandatory, specific technical requirements that must be uniformly applied, such as full-disk encryption (e.g., AES-256), minimum password length (e.g., 14 characters), and screen-lock timeout (e.g., 5 minutes). Unlike a policy, which provides high-level direction, a standard enforces precise configuration baselines that all laptops must meet, ensuring compliance and security consistency.

Exam trap

The trap here is confusing a standard with a policy, where candidates mistakenly think a policy can contain technical specifics, but CompTIA tests that a policy is always high-level and a standard provides the mandatory technical details.

How to eliminate wrong answers

Option A is wrong because a policy provides broad, high-level direction without specifying technical details like encryption algorithms or password lengths, so it cannot define mandatory minimum requirements. Option C is wrong because a procedure gives step-by-step instructions for completing a task (e.g., enrolling a laptop in management software), not the mandatory technical settings themselves. Option D is wrong because a guideline offers flexible recommendations, not mandatory requirements, and administrators are not required to follow them.

22
MCQmedium

A server room is located next to a chilled-water pipe, and facilities staff want the earliest possible warning if moisture starts leaking under the raised floor. Which control is the best fit?

A.Install water leak sensors tied into the environmental monitoring system.
B.Replace the badge reader with a biometric lock.
C.Add a security camera pointing at the server racks.
D.Move the servers onto a separate VLAN.
AnswerA

Water leak sensors provide early detection and alerting so staff can respond before equipment damage becomes severe.

Why this answer

Water leak sensors are specifically designed to detect the presence of moisture, and when integrated into an environmental monitoring system, they provide immediate alerts (e.g., SNMP traps or email notifications) at the earliest sign of a leak. This allows facilities staff to respond before water damages server equipment under the raised floor, meeting the requirement for earliest possible warning.

Exam trap

The trap here is that candidates may confuse physical security controls (like cameras or biometric locks) with environmental monitoring controls, failing to recognize that only a dedicated moisture sensor provides the earliest automated detection of a water leak.

How to eliminate wrong answers

Option B is wrong because a biometric lock controls physical access to the server room but does not detect moisture or provide any warning about water leaks. Option C is wrong because a security camera pointed at server racks can visually confirm a leak only after it has occurred and become visible, which is not the earliest possible warning and lacks automated alerting.

23
MCQeasy

Based on the exhibit, what should the employee do first?

A.Reply with the code because the request appears to come from payroll support.
B.Report the message through the company’s phishing-report process and do not share the code.
C.Forward the email to coworkers so they can watch for the same request.
D.Open the attached file to see whether it contains the payroll fix details.
AnswerB

The message is a social engineering attempt that tries to pressure the user into revealing an MFA code. Reporting it quickly helps the security team investigate, warn others, and block related messages. The employee should never provide the code, even if the sender claims to be from payroll or support.

Why this answer

Option B is correct because the message exhibits classic social engineering indicators: an unsolicited request for a sensitive code, urgency, and a spoofed sender address. The employee must report it via the company's phishing-report process to alert the security team and must not share the code, as that would compromise the account. This aligns with security awareness training that emphasizes verifying requests out-of-band and never providing credentials or codes in response to email requests.

Exam trap

The trap here is that candidates may assume the email is legitimate because it appears to come from an internal department (payroll support) and uses urgent language, leading them to choose Option A or D, when in fact any unsolicited request for sensitive information or action should be treated as a potential phishing attempt.

How to eliminate wrong answers

Option A is wrong because replying with the code would directly compromise the employee's account, as the request is a phishing attempt, not a legitimate payroll support request. Option C is wrong because forwarding the email to coworkers could propagate the phishing attack and increase the number of compromised accounts, violating the principle of containment. Option D is wrong because opening an attached file from an unsolicited email could execute malware or trigger a credential-harvesting payload, even if the attachment appears to be a payroll fix document.

24
MCQeasy

After building a new file server, an administrator reviews the security baseline and notices that a remote desktop service is enabled even though no one uses it. What is the best hardening action?

A.Keep the service enabled in case someone needs it later
B.Disable the unnecessary service
C.Change the server name to make it harder to find
D.Increase disk space on the server
AnswerB

Removing unused services reduces attack surface and aligns the server with the secure baseline.

Why this answer

The best hardening action is to disable the unnecessary remote desktop service because it reduces the attack surface. An enabled but unused service, such as Remote Desktop Protocol (RDP) on TCP/3389, is a common vector for brute-force attacks and exploits (e.g., BlueKeep, CVE-2019-0708). Disabling it eliminates this risk without affecting legitimate operations.

Exam trap

The trap here is that candidates may confuse 'security through obscurity' (e.g., renaming the server) with a proper hardening action, or they may assume that keeping a service enabled 'just in case' is acceptable, when the correct approach is to disable any unnecessary service to minimize the attack surface.

How to eliminate wrong answers

Option A is wrong because keeping an unused service enabled violates the principle of least functionality and needlessly exposes the server to potential exploitation. Option C is wrong because changing the server name does not mitigate the risk of the service being discovered or attacked; RDP can still be scanned and targeted regardless of the hostname. Option D is wrong because increasing disk space does not address the security risk of an unnecessary service; it is a resource management action, not a hardening measure.

25
MCQmedium

A financial institution is implementing a new policy for all remote access to its payment processing system. The system will generate a unique digital signature for each administrative action, and all actions will be recorded in a tamper-evident audit log that is replicated to an immutable storage location. The primary objective of this policy is to ensure that administrators who perform sensitive operations cannot later deny having executed them. Which security goal is this policy primarily intended to enforce?

A.Authorization
B.Non-repudiation
C.Authentication
D.Availability
AnswerB

Non-repudiation provides proof of the origin and integrity of data, ensuring that an individual cannot falsely deny having taken an action. The use of digital signatures and tamper-evident logs directly supports this goal.

Why this answer

The policy's use of unique digital signatures for each administrative action, combined with a tamper-evident audit log replicated to immutable storage, directly enforces non-repudiation. Non-repudiation ensures that an administrator cannot deny having performed a specific action because the digital signature cryptographically binds the action to the administrator's identity, and the immutable log prevents any subsequent alteration or deletion of the record. This is the primary security goal when the objective is to prevent denial of responsibility for sensitive operations.

Exam trap

The trap here is that candidates often confuse authentication (proving identity at login) with non-repudiation (proving identity for a specific action after the fact), but the question's focus on digital signatures and tamper-evident logs clearly points to non-repudiation, not just authentication.

How to eliminate wrong answers

Option A is wrong because authorization determines what actions an authenticated user is permitted to perform (e.g., via access control lists or role-based permissions), but it does not provide cryptographic proof that a specific action was taken by a specific user. Option C is wrong because authentication verifies the identity of a user (e.g., via passwords, certificates, or biometrics) at the time of login, but it does not bind that identity to subsequent actions in a way that prevents later denial; non-repudiation requires additional mechanisms like digital signatures and audit logs.

26
Multi-Selecteasy

A help desk team needs to reset passwords on servers during incidents, but they should not keep standing administrator rights all day. Which two controls best support this requirement? Select two.

Select 2 answers
A.Use privileged access management (PAM) to control and audit elevated access.
B.Grant time-limited or just-in-time elevation only when the task is approved.
C.Share one permanent domain administrator account with the whole team.
D.Use a regular user account and disable all authentication logging.
E.Give every help desk user full access all the time so work is faster.
AnswersA, B

PAM is designed for elevated accounts and privileged actions. It helps approve, track, and audit special access instead of leaving high privilege available all the time.

Why this answer

Privileged Access Management (PAM) solutions enforce just-in-time (JIT) elevation, time-bound access, and session auditing. This allows the help desk team to obtain administrator rights only when needed for incident response, eliminating the need for standing admin rights while maintaining full audit trails.

Exam trap

The trap here is that candidates may think sharing a single domain admin account is efficient for a team, but CompTIA tests that this violates auditability and the principle of least privilege, making it the opposite of what the scenario requires.

27
MCQeasy

An employee receives an email that appears to come from the company's payroll provider. It says payroll documents will be deleted today unless the employee signs in through the included link. What is the best first action?

A.Click the link quickly and sign in to avoid losing the documents.
B.Report the message and verify the request using a trusted contact method.
C.Reply to the sender and ask whether the message is legitimate.
D.Forward the email to coworkers so they can watch for the same warning.
AnswerB

This avoids interacting with a potentially malicious message and confirms the request safely.

Why this answer

Option B is correct because the email exhibits classic signs of a phishing attack—urgency, a threat of data loss, and a link to a fake login page. The best first action is to report the suspicious message to the security team and independently verify the request by contacting the payroll provider through a trusted channel (e.g., a known phone number or a previously bookmarked URL). This prevents credential theft and potential account compromise.

Exam trap

The trap here is that candidates may think replying to the sender (Option C) is a safe way to verify legitimacy, but in reality, it confirms the email address as active and can expose the user to further social engineering or malware delivery.

How to eliminate wrong answers

Option A is wrong because clicking the link and signing in would directly hand over the employee's credentials to an attacker, enabling account takeover and potential lateral movement within the network. Option C is wrong because replying to the sender confirms the email address is active and monitored, which can lead to targeted follow-up attacks; the sender's address is likely spoofed or compromised, so the reply would go to the attacker. Option D is wrong because forwarding the email to coworkers spreads the phishing threat, increasing the number of potential victims and the attack surface; the correct procedure is to report the email to the security team for analysis and blocking.

28
MCQeasy

A help desk technician reports several workstations are suddenly showing lots of pop-up ads and browser redirects after users installed a free media player. What type of unwanted software is most likely present?

A.Ransomware
B.Adware
C.Rootkit
D.Logic bomb
AnswerB

Adware commonly causes pop-ups, redirects, and unwanted advertising behavior after installation.

Why this answer

Adware is the most likely culprit because it is a type of unwanted software designed to display intrusive advertisements, often through pop-up ads and browser redirects. The infection vector—users installing a free media player—is a classic distribution method for adware, which bundles itself with legitimate software to generate revenue via ad impressions. Unlike ransomware or rootkits, adware does not encrypt files or hide its presence; it directly manipulates browser sessions to serve ads.

Exam trap

The trap here is that candidates may confuse the symptoms of adware with ransomware or a rootkit because pop-ups and redirects can sometimes be caused by more severe malware, but the specific context of a free media player installation points directly to adware as the most likely type of unwanted software.

How to eliminate wrong answers

Option A is wrong because ransomware encrypts files or locks the system and demands a ransom, which does not align with the symptoms of pop-up ads and browser redirects. Option C is wrong because a rootkit is designed to hide its presence and provide persistent, stealthy access to an attacker, not to generate visible pop-up ads or browser redirects. Option D is wrong because a logic bomb is a piece of code that executes a malicious function when a specific condition is met (e.g., a date or user action), and it does not cause ongoing ad displays or browser redirects.

29
MCQeasy

An administrator needs to send sensitive configuration details to a remote branch office so only the branch manager can read them. Which cryptographic method is most appropriate?

A.Hashing the file before sending it
B.Encrypting the file so only the intended recipient can decrypt it
C.Using a checksum printed in the email subject line
D.Appending the word confidential to the file name
AnswerB

Encryption protects confidentiality by making the file unreadable to anyone without the correct key. For sensitive configuration details, encryption is the right tool because the recipient can decrypt the file while unauthorized parties cannot read it in transit or at rest.

Why this answer

Option B is correct because encrypting the file with the branch manager's public key ensures that only the manager, possessing the corresponding private key, can decrypt and read the sensitive configuration details. This asymmetric encryption method directly addresses the requirement of confidentiality and targeted recipient access, unlike hashing or simple labeling.

Exam trap

The trap here is that candidates confuse integrity mechanisms (hashing, checksums) with confidentiality mechanisms (encryption), assuming any cryptographic operation provides secrecy, when only encryption with the intended recipient's key ensures exclusive readability.

How to eliminate wrong answers

Option A is wrong because hashing is a one-way function that verifies data integrity, not confidentiality; it cannot be reversed to read the original file. Option C is wrong because a checksum only detects accidental or malicious changes to the file during transit, but it does not prevent anyone from reading the file contents. Option D is wrong because appending 'confidential' to the file name provides no cryptographic protection; it is merely a label that does not restrict access or encrypt the data.

30
Multi-Selecthard

An email security team receives a macro-enabled spreadsheet from a known supplier. The file must be analyzed before users open it, and if it proves malicious, the organization wants to stop the same attachment from reaching other inboxes. Which two tools are the best fit? Select two.

Select 2 answers
A.Sandboxing the attachment in an isolated environment.
B.Using a secure email gateway with attachment detonation and quarantine.
C.Network access control to verify the supplier's laptop posture.
D.Data loss prevention to block outbound customer records.
E.Intrusion detection system signatures on the mail server.
AnswersA, B

Sandboxing safely detonates the file so analysts can observe behavior without risking an endpoint or user workstation.

Why this answer

Sandboxing (A) is correct because it allows the file to be executed in an isolated, controlled environment to observe its behavior (e.g., network connections, file modifications) without risk to the production network. This is the standard method for analyzing suspicious attachments for zero-day or macro-based malware.

Exam trap

The trap here is that candidates may confuse network-based controls (NAC, IDS) with email-specific attachment analysis tools, forgetting that macro-enabled files require execution in a sandbox to detect malicious behavior, not just signature matching or endpoint posture checks.

31
MCQmedium

A security analyst notices repeated failed login attempts to a critical database server from a single external IP address over the past hour. The analyst reviews the authentication logs and sees that the account name used in each attempt is 'admin'. Which of the following security controls should the analyst recommend to mitigate this type of attack with minimal impact on legitimate users?

A.Configure an account lockout policy to lock the 'admin' account after three failed attempts.
B.Implement a temporary block rule on the perimeter firewall for the source IP address.
C.Disable the 'admin' account until the source IP can be investigated.
D.Require multi-factor authentication on the 'admin' account for all remote logins.
AnswerB

Blocking the attacking IP at the firewall immediately halts the malicious traffic without affecting other users or accounts. This is a quick, low-impact containment measure that can be reversed if false positive, making it the best immediate response.

Why this answer

Option B is correct because implementing a temporary block rule on the perimeter firewall for the source IP address directly stops the attack at the network boundary, preventing further authentication attempts without affecting legitimate users who are not using that IP. This approach is a form of dynamic IP blocking, which is a common mitigation for brute-force attacks targeting a single account from a specific external source.

Exam trap

The trap here is that candidates often choose account lockout policies (Option A) because they seem like a direct countermeasure to failed logins, but they fail to recognize that locking a critical shared account like 'admin' can cause a denial of service for legitimate users, whereas blocking the source IP is a more targeted and less disruptive control.

How to eliminate wrong answers

Option A is wrong because locking the 'admin' account after three failed attempts would deny service to legitimate administrators who may need to use that account, and it does not prevent the attacker from simply switching to another account or continuing from a different IP. Option C is wrong because disabling the 'admin' account permanently until investigation would disrupt all administrative access to the database server, causing significant operational impact, and it does not address the source of the attack (the external IP).

32
MCQmedium

A web login form uses unsanitized input in the backend query. When an attacker enters `' OR '1'='1'--` into the username field, the application grants access without a valid password. Which attack pattern is being used?

A.Cross-site scripting, because the attacker is trying to run code in the browser.
B.SQL injection, because the input changes the meaning of the database query.
C.Broken session management, because the user is still logged in after leaving the page.
D.Insecure deserialization, because the application accepts user input.
AnswerB

SQL injection occurs when untrusted input is embedded into a query and alters the intended logic. The crafted string closes the original condition and adds a statement that evaluates as true, which can bypass authentication checks. This is a classic sign that the application is constructing queries unsafely instead of using parameterized statements or properly bound variables.

Why this answer

Option B is correct because the attacker's input (`' OR '1'='1'--`) is a classic SQL injection payload that alters the structure of the backend SQL query. By injecting a tautology (`OR '1'='1'`) and commenting out the rest of the query with `--`, the attacker bypasses authentication, causing the database to return a valid row without requiring a correct password.

Exam trap

The trap here is that candidates may confuse SQL injection with cross-site scripting because both involve untrusted input, but SQL injection targets the database layer through query manipulation, whereas XSS targets the client-side DOM or browser execution context.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) that execute in a user's browser, not altering a backend database query. Option C is wrong because broken session management refers to flaws in session token generation, handling, or expiration (e.g., predictable cookies or missing logout), not to input manipulation that changes a query's logic. Option D is wrong because insecure deserialization involves the processing of untrusted serialized objects (e.g., PHP or Java serialization streams) to achieve code execution or privilege escalation, not the injection of SQL syntax into a query string.

33
MCQhard

Based on the exhibit, which social engineering attack is most likely?

A.Phishing
B.Vishing
C.Baiting
D.Pretexting
AnswerB

The attacker is using a phone call to impersonate support staff and pressure the user into sharing an MFA code. That is voice-based phishing, or vishing. The fabricated ticket number, urgency around payroll, and caller ID spoofing are classic social engineering clues. The goal is credential or factor theft through a believable phone pretext rather than a malicious link or attachment.

Why this answer

The exhibit shows a voicemail message instructing the recipient to call a specific phone number to verify account activity. This is a classic vishing (voice phishing) attack, where the attacker uses a phone call or voicemail to trick the victim into providing sensitive information or calling a fraudulent number. Unlike phishing, which uses email or text, vishing relies on voice communication channels.

Exam trap

The trap here is that candidates may confuse vishing with pretexting, but vishing specifically uses voice communication (phone call or voicemail) as the attack vector, whereas pretexting can occur via any medium and focuses on the fabricated story.

How to eliminate wrong answers

Option A is wrong because phishing typically involves email or text messages with malicious links or attachments, not a voicemail instructing a phone call. Option C is wrong because baiting involves offering something enticing (e.g., a free USB drive) to lure the victim into a trap, not a voice-based request. Option D is wrong because pretexting involves creating a fabricated scenario (pretext) to obtain information, often through impersonation, but the exhibit specifically uses a voicemail to initiate a phone call, which is the hallmark of vishing.

34
MCQmedium

Based on the exhibit, what is the primary security concern with the current access assignments, and what concept is being violated?

A.The system is missing multifactor authentication for payroll users.
B.The configuration violates separation of duties by letting one person prepare and approve the same payroll activity.
C.The account should be converted to a shared group account for the finance team.
D.The permissions are acceptable because payroll users always need full access to related finance functions.
AnswerB

The same user can change payroll data, approve the release, and export the payment file. That concentration of authority creates a clear separation-of-duties failure because one person can both create and authorize a sensitive financial action.

Why this answer

The exhibit shows a single user account with permissions to both prepare and approve payroll transactions. This violates the security principle of separation of duties, which requires that no single individual has control over all phases of a critical process. The primary concern is that this configuration enables fraud or error without independent oversight, as the same person could create and authorize a fraudulent payroll entry.

Exam trap

CompTIA often tests the distinction between authentication mechanisms (like MFA) and authorization principles (like separation of duties), tempting candidates to select a plausible-sounding but irrelevant option about multifactor authentication when the core issue is conflicting access assignments.

How to eliminate wrong answers

Option A is wrong because the question focuses on access assignment conflicts, not authentication factors; multifactor authentication addresses identity verification, not the segregation of conflicting duties. Option C is wrong because converting the account to a shared group account would aggregate permissions further, making separation of duties worse and reducing audit trail granularity. Option D is wrong because it incorrectly assumes full access is always necessary; finance functions often require strict role-based access control to prevent conflicts like preparing and approving the same transaction.

35
MCQmedium

A security analyst detects unusual outbound traffic from a workstation that appears to be communicating with a known malicious IP address. The analyst immediately isolates the workstation from the network. Which of the following is the NEXT step in the incident response process according to NIST SP 800-61?

A.Eradication
B.Recovery
C.Containment
D.Lessons Learned
AnswerA

Eradication is the correct next step. After containment, the incident response team must remove the threat's root cause (e.g., malware, backdoors) to prevent recurrence. This logically follows isolation of the affected system.

Why this answer

According to NIST SP 800-61, the incident response process follows a sequence: Preparation, Detection & Analysis, Containment, Eradication, Recovery, and Lessons Learned. Since the analyst has already performed containment by isolating the workstation, the next step is Eradication, which involves removing the threat (e.g., malware, backdoors) from the affected system. This ensures the root cause is eliminated before moving to recovery.

Exam trap

The trap here is that candidates often confuse 'Containment' with the final isolation step, forgetting that NIST mandates a separate Eradication phase to eliminate the threat before recovery.

How to eliminate wrong answers

Option B is wrong because Recovery occurs after Eradication, focusing on restoring the system to normal operations, not removing the threat. Option C is wrong because Containment is the step already performed (isolating the workstation), so it cannot be the next step. Option D is wrong because Lessons Learned is the final step after Recovery, where the team reviews the incident to improve future response, not an immediate next step.

36
MCQmedium

A privileged account is used on a jump box at 02:15, and the SIEM shows multiple interactive logons from the same account to different servers within 10 minutes. The administrator says they used a password vault for the session. Which log source best confirms whether the access was authorized?

A.Privileged access management or password vault audit logs
B.DHCP lease logs from the jump box subnet
C.Printer server logs for the operations department
D.Web proxy logs for outbound browsing activity
AnswerA

PAM logs show who checked out credentials and whether the privileged session was approved and tracked.

Why this answer

The privileged access management (PAM) or password vault audit logs are the definitive source because they record exactly when a password was checked out, which user performed the checkout, and the specific session ID or ticket associated with the jump box use. Since the administrator claims the password vault was used, these logs will show the checkout event at 02:15 and the subsequent interactive logons, confirming whether the vault authorized the session. No other log source can tie the authentication to the vault's approval process.

Exam trap

The trap here is that candidates assume DHCP logs or generic server logs can validate authentication authorization, when in fact only the PAM audit trail provides the cryptographic proof of vault-mediated access.

How to eliminate wrong answers

Option B is wrong because DHCP lease logs only record IP address assignments and timestamps for devices on the subnet; they do not capture authentication events, user identity, or whether a password vault was used, so they cannot confirm authorization. Option C is wrong because printer server logs only track print jobs and printer-related activity, which are irrelevant to interactive logons or privileged access management; they provide no data about authentication or vault usage.

37
MCQeasy

The executive team wants to know which payment services are most critical and how long each can be offline before the business is seriously harmed. Which activity should security support?

A.A tabletop exercise, because leaders are practicing response discussions.
B.A business impact analysis, because it identifies critical functions and outage impact.
C.Incident containment, because the goal is to stop an active breach.
D.Vulnerability scanning, because it finds weaknesses in systems.
AnswerB

A business impact analysis helps determine which services matter most, what impact downtime causes, and how long outages can last before causing serious business harm. It is the right activity when leaders need prioritization and recovery expectations.

Why this answer

A business impact analysis (BIA) is the correct activity because it systematically identifies critical business functions—such as payment processing—and quantifies the maximum tolerable downtime (MTD) and recovery time objectives (RTO). This directly answers the executive team's question about which payment services are most critical and how long each can be offline before causing serious harm.

Exam trap

The trap here is that candidates confuse a tabletop exercise (a reactive drill) with a business impact analysis (a proactive assessment), leading them to choose Option A because it involves leadership discussion, while missing that the BIA is the only activity that formally identifies critical functions and quantifies outage impact.

How to eliminate wrong answers

Option A is wrong because a tabletop exercise is a discussion-based simulation used to test response plans and roles, not a formal process to identify critical functions or quantify outage impact. Option C is wrong because incident containment is a reactive step taken during an active security breach, not a proactive analysis to determine criticality and outage tolerance. Option D is wrong because vulnerability scanning identifies technical weaknesses in systems (e.g., missing patches, misconfigurations), but does not assess business process criticality or the financial/operational impact of downtime.

38
MCQmedium

A public-facing file transfer server is running an appliance firmware version that is now end-of-life. The vendor has stated that no further security patches will be released. Management wants the best long-term fix before the next audit. What should be done?

A.Increase logging and keep the current firmware until a problem appears.
B.Move the server to a different subnet and continue using the same firmware.
C.Replace or upgrade the end-of-life firmware with a supported version.
D.Change the administrator password and leave the device in place.
AnswerC

Replacing or upgrading the unsupported firmware is the best long-term fix because it restores the ability to receive patches and vendor support. That directly addresses the outdated component risk instead of merely masking it with monitoring or network controls.

Why this answer

Option C is correct because running end-of-life firmware means no security patches will be released, leaving the server vulnerable to known exploits. The best long-term fix is to replace or upgrade to a supported firmware version that receives ongoing security updates, ensuring the system remains secure for the next audit and beyond.

Exam trap

CompTIA often tests the misconception that compensating controls like logging, segmentation, or password changes are sufficient to mitigate end-of-life vulnerabilities, when the only proper long-term fix is to upgrade or replace the unsupported software.

How to eliminate wrong answers

Option A is wrong because increasing logging does not address the underlying vulnerability; it only provides visibility into attacks without preventing them, and waiting for a problem to appear could lead to a breach. Option B is wrong because moving the server to a different subnet does not fix the firmware vulnerabilities; it only provides network segmentation, but the server remains exposed to attacks that exploit the unpatched firmware, and lateral movement from a compromised host could still occur. Option D is wrong because changing the administrator password does not remediate the known security flaws in the end-of-life firmware; it only addresses credential management, leaving the system vulnerable to remote code execution or other exploits that bypass authentication.

39
MCQmedium

A security analyst is reviewing the source code of a custom network service written in C. The service allocates a 256-byte buffer and uses the strcpy() function to copy incoming data into that buffer without verifying the length of the input. If an attacker sends a specially crafted payload that exceeds 256 bytes, which security control would be most effective at detecting and preventing the resulting exploitation at runtime?

A.Stack canaries
B.Transport Layer Security (TLS)
C.Code signing
D.Data Execution Prevention (DEP)
AnswerA

Correct. Stack canaries are placed before the return address on the stack. If a buffer overflow overwrites the canary, the program terminates, preventing control-flow hijacking. This is a highly effective runtime defense against stack-based buffer overflows.

Why this answer

Stack canaries are the most effective runtime control for detecting and preventing buffer overflow exploitation. When a buffer overflow overwrites the stack, it corrupts a canary value placed between the buffer and the return address; before the function returns, the canary is checked, and if altered, the program terminates immediately, preventing arbitrary code execution.

Exam trap

The trap here is that candidates often confuse runtime exploit mitigation (stack canaries) with network security controls (TLS) or software supply chain controls (code signing), leading them to pick a control that does not operate at the memory level during execution.

How to eliminate wrong answers

Option B is wrong because Transport Layer Security (TLS) encrypts data in transit and provides authentication, but it does not prevent or detect buffer overflows in application code—the overflow occurs after decryption. Option C is wrong because code signing verifies the integrity and origin of the binary before execution, but it offers no runtime protection against memory corruption vulnerabilities like buffer overflows.

40
MCQeasy

A forum lets users save a profile signature. One user enters a string containing script code, and later other users who view that profile see the script run in their browsers. What attack is this?

A.Cross-site scripting
B.Command injection
C.CSRF
D.Broken authentication
AnswerA

This is cross-site scripting because attacker-supplied script code is stored and then executed when other users view the content. The dangerous part is that the payload is delivered through a trusted website and runs in the victim's browser. Stored XSS is a common issue in profiles, comments, and forums.

Why this answer

This is a classic stored cross-site scripting (XSS) attack. The malicious script is permanently stored on the server (in the user's profile signature) and executed in the browsers of any other user who views that profile. The attack exploits the forum's failure to sanitize user input before rendering it in HTML, allowing arbitrary JavaScript to run in the victim's session context.

Exam trap

The trap here is that candidates often confuse stored XSS with reflected XSS or CSRF, but the key distinction is that the payload is permanently stored on the server and executed for every viewer, not just the attacker or a single victim.

How to eliminate wrong answers

Option B (Command injection) is wrong because command injection involves injecting OS commands into a server-side application (e.g., via a web form or API) that executes them on the host system, not client-side script execution in a browser. Option C (CSRF) is wrong because cross-site request forgery tricks an authenticated user into performing unintended actions on a trusted site, not injecting and executing script code in a stored profile field. Option D (Broken authentication) is wrong because broken authentication refers to flaws in login, session management, or credential handling (e.g., weak passwords, session fixation), not the injection of client-side scripts into stored content.

41
Matchingeasy

Match each control type to the example that best fits it.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

MFA is required before a user can open the email system.

File integrity monitoring alerts when a protected file changes.

A compromised laptop is reimaged from a standard build.

A login banner warns that activity is monitored and audited.

A procedure tells staff to report lost devices within one hour.

Extra logging is enabled while a missing patch is being scheduled.

Why these pairings

Preventive controls block incidents, detective controls identify them, corrective controls restore after incidents, deterrent controls discourage attacks, compensating controls provide alternative measures, and directive controls mandate behaviors.

42
MCQeasy

An EDR alert shows PowerShell launching from a scheduled task, downloading encoded commands, and running them in memory. No suspicious executable is written to disk. What kind of attack is this?

A.A fileless attack that relies on trusted tools already on the system
B.A worm that spreads by exploiting a network service
C.A logic bomb that waits for a specific date or event
D.A rootkit that changes kernel behavior to hide processes
AnswerA

Fileless attacks often use legitimate tools like PowerShell and keep payloads in memory instead of writing files.

Why this answer

This is a fileless attack because PowerShell, a trusted system tool, is used to download and execute encoded commands directly in memory without writing any malicious executable to disk. The attack leverages living-off-the-land binaries (LOLBins) and PowerShell's ability to run scripts in memory, bypassing traditional file-based detection mechanisms.

Exam trap

The trap here is that candidates may confuse 'fileless' with 'no file at all,' but the attack still uses system files (PowerShell) and may leave traces in event logs or memory, leading them to incorrectly choose rootkit or logic bomb options due to misunderstanding the attack's execution method.

How to eliminate wrong answers

Option B is wrong because a worm spreads by self-replicating across a network, often exploiting a service vulnerability, but this scenario describes a scheduled task triggering PowerShell to download and run commands, not autonomous propagation. Option C is wrong because a logic bomb activates based on a specific date or event, but here the trigger is a scheduled task without mention of a conditional payload tied to time or user action. Option D is wrong because a rootkit modifies kernel-level behavior to hide processes or files, whereas this attack operates at the user level using PowerShell and does not alter the operating system kernel.

43
Multi-Selecthard

A legacy payroll server has a critical patch available, but the business cannot reboot it for 45 days. The team isolates the server to only the payroll application subnet and requires written approval before any temporary firewall exception is made. Which two control types are present? Select two.

Select 2 answers
A.Compensating control, because the temporary network restriction offsets the delayed patch.
B.Directive control, because written approval tells administrators what must happen before changes are allowed.
C.Detective control, because a rule set later identifies malicious traffic.
D.Corrective control, because the control repairs the vulnerable software itself.
E.Deterrent control, because a warning banner discourages misuse of the server.
AnswersA, B

The isolation reduces exposure while the system remains unpatched, so it compensates for the known weakness.

Why this answer

Option A is correct because isolating the server to the payroll subnet is a compensating control that reduces risk by restricting network access, offsetting the inability to apply the critical patch immediately. This temporary measure provides an alternative security layer until the patch can be installed and the server rebooted.

Exam trap

The trap here is confusing compensating controls with corrective controls, as candidates may mistakenly think isolating the server 'corrects' the vulnerability, but corrective controls actually fix the root cause (e.g., applying the patch), while compensating controls provide an alternative safeguard.

44
MCQeasy

A laptop user reports that many files now have strange extensions, a ransom note appears on the desktop, and the files cannot be opened. Which malware is most likely responsible?

A.Spyware
B.Ransomware
C.Rootkit
D.Worm
AnswerB

Ransomware encrypts files or blocks access to systems and then demands payment for recovery. Strange file extensions and a ransom note are common signs that the malware has encrypted local data.

Why this answer

Ransomware is the correct answer because it encrypts the user's files, appends a new extension (e.g., .encrypted or .locked), and displays a ransom note demanding payment for the decryption key. The symptoms of inaccessible files with altered extensions and a visible ransom note are the classic indicators of a ransomware infection, such as those caused by CryptoLocker or LockBit.

Exam trap

The trap here is that candidates may confuse ransomware with a worm because both can spread rapidly, but the key differentiator is the ransom note and file encryption, which are unique to ransomware.

How to eliminate wrong answers

Option A is wrong because spyware is designed to covertly monitor user activity and steal sensitive information (e.g., keystrokes, browsing habits) without altering file extensions or displaying ransom notes. Option C is wrong because a rootkit is a stealthy malware that hides its presence and other malicious processes from the operating system, typically by modifying kernel-level functions, and does not encrypt files or leave ransom notes. Option D is wrong because a worm is a self-replicating malware that spreads across networks by exploiting vulnerabilities (e.g., SMB EternalBlue) and does not inherently encrypt files or display ransom notes; its primary goal is propagation, not extortion.

45
MCQmedium

During troubleshooting, several hosts in VLAN 20 lose access to the default gateway at random. Their ARP caches now map the gateway IP to a workstation MAC address, and traffic briefly flows through that workstation before timing out. What attack is most likely?

A.DNS poisoning, because the workstation name may be resolving to the wrong IP address.
B.ARP poisoning, because false ARP replies are redirecting gateway traffic to another host.
C.Replay attack, because the attacker is reusing old network frames to confuse the hosts.
D.Denial of service, because traffic eventually times out and connectivity is lost.
AnswerB

ARP poisoning fits exactly when a host sends falsified ARP information so victims associate the gateway IP with the attacker’s MAC address. That can enable interception, disruption, or man-in-the-middle behavior on the local subnet.

Why this answer

Option B is correct because the scenario describes classic ARP poisoning (also known as ARP spoofing). The attacker sends forged ARP replies to the hosts in VLAN 20, associating the gateway's IP address with the attacker's MAC address. This causes the hosts to forward traffic destined for the gateway to the attacker's workstation, where it is briefly forwarded (or dropped) before timing out, matching the symptoms of a man-in-the-middle attack via ARP cache corruption.

Exam trap

CompTIA often tests ARP poisoning by describing symptoms of gateway loss and ARP cache corruption, and the trap here is that candidates may confuse it with DNS poisoning because both involve redirection, but ARP poisoning operates at Layer 2 (MAC address) while DNS poisoning operates at Layer 7 (name resolution).

How to eliminate wrong answers

Option A is wrong because DNS poisoning involves corrupting DNS records to redirect domain names to malicious IPs, but the issue here is at Layer 2 (ARP) with MAC-to-IP mappings, not DNS resolution. Option C is wrong because a replay attack captures and retransmits valid network frames to impersonate a device or cause duplication, but it does not directly alter ARP caches or redirect gateway traffic to a workstation MAC. Option D is wrong because denial of service (DoS) aims to overwhelm or disrupt services, but the specific symptom of ARP cache entries mapping the gateway to a workstation MAC indicates active manipulation, not just traffic timing out as a secondary effect.

46
MCQmedium

Based on the exhibit, which change should be made first to secure remote administration of the network device?

A.Enable FTP so administrators can upload and download configuration files securely.
B.Disable Telnet and allow SSHv2 only for remote administration.
C.Open the management interface to any internet host as long as the password is complex.
D.Use one shared local administrator account for all network engineers.
AnswerB

SSHv2 encrypts the management session, while Telnet sends credentials and commands in clear text.

Why this answer

Telnet transmits all data, including credentials, in cleartext, making it vulnerable to interception. SSHv2 provides encrypted remote administration and is the secure replacement for Telnet. Disabling Telnet and enabling only SSHv2 is the immediate and necessary first step to secure remote device management.

Exam trap

The trap here is that candidates may think enabling a protocol like FTP with 'secure' in its name is sufficient, or they may overlook that Telnet's lack of encryption is the most critical vulnerability to address first, not password complexity or shared accounts.

How to eliminate wrong answers

Option A is wrong because FTP also transmits credentials and data in cleartext; it is not a secure protocol and should not be used for remote administration. Option C is wrong because exposing the management interface to any internet host dramatically increases the attack surface, regardless of password complexity; management should be restricted to trusted IPs or a jump host. Option D is wrong because using a shared local administrator account eliminates accountability and audit trails; each administrator should have unique credentials for non-repudiation and proper logging.

47
MCQmedium

A threat intelligence feed says an adversary rotates domains daily, uses cloud VPS hosting, and reuses the same malware sample across several campaigns. Analysts want the indicator that remains useful even when the domain changes. What should they prioritize?

A.The current domain name because it is the easiest item to block immediately.
B.The malware's SHA-256 file hash because it uniquely identifies the sample.
C.The cloud provider's entire ASN because all traffic from that provider is automatically malicious.
D.The malware's file name because attackers usually keep the same name for convenience.
AnswerB

A file hash is a highly specific indicator for a known binary and remains useful even if the attacker changes domains or hosting providers. Since the report says the same malware sample is reused, the hash provides a stable detection and correlation point across campaigns. It is a stronger immediate IOC than infrastructure that can be replaced quickly.

Why this answer

The malware's SHA-256 file hash is the most persistent indicator because it is a cryptographic hash that uniquely identifies the specific binary sample, regardless of the domain or IP address used for delivery. Unlike domains or IPs, which the adversary can rotate daily, the hash remains constant as long as the same malware sample is reused across campaigns. This makes it a reliable indicator of compromise (IOC) for detection via file reputation or hash-based blocklists.

Exam trap

The trap here is that candidates often prioritize the most immediately blockable indicator (the domain) over the most persistent one (the hash), failing to recognize that adversaries specifically rotate domains to evade static blocklists.

How to eliminate wrong answers

Option A is wrong because the current domain name is ephemeral—the adversary rotates it daily, so blocking it provides only temporary protection and requires constant updates. Option C is wrong because the cloud provider's entire ASN is not automatically malicious; legitimate traffic also originates from that ASN, and blocking it would cause widespread false positives and deny service to benign users.

48
Multi-Selecteasy

Employees need to sign in once to the corporate portal and then access email and the HR app without entering credentials again. Which two technologies make this possible in a secure design? Select two.

Select 2 answers
A.Single sign-on (SSO).
B.Federation between the identity provider and the other applications.
C.Network address translation (NAT).
D.Port address translation (PAT).
E.A hardened BIOS password on each workstation.
AnswersA, B

SSO lets a user authenticate once and then access multiple trusted applications without reentering credentials. It improves usability while still keeping centralized identity control.

Why this answer

Single sign-on (SSO) allows a user to authenticate once and then access multiple applications (email, HR app) without re-entering credentials. This is achieved by the identity provider (IdP) issuing a token (e.g., SAML assertion, OIDC ID token) that is trusted by the service providers. SSO reduces password fatigue and centralizes authentication, but must be paired with federation to securely share identity across different domains or applications.

Exam trap

CompTIA often tests the distinction between SSO and federation, where candidates mistakenly think SSO alone is sufficient for cross-domain access, but federation is required when the applications are managed by different identity domains or external providers.

49
MCQeasy

A caller says they are from IT support and asks a user to read back the one-time MFA code that just arrived on their phone. What type of attack is this most likely?

A.Phishing
B.Smishing
C.Vishing
D.Baiting
AnswerC

Vishing is voice phishing, where an attacker uses a phone call or VoIP call to manipulate a target. Asking for an MFA code by phone is a common and dangerous tactic because the attacker may be trying to complete a real login.

Why this answer

This is a vishing (voice phishing) attack because the attacker uses a phone call to socially engineer the victim into revealing a one-time MFA code. Unlike phishing (email) or smishing (SMS), vishing relies on voice communication to bypass technical controls and trick the user into providing the code, which the attacker can then use to authenticate as the victim.

Exam trap

The trap here is that candidates see 'MFA code' and 'phone' and incorrectly assume smishing (SMS-based phishing), but the attack vector is the voice call, not the text message, which defines it as vishing.

How to eliminate wrong answers

Option A is wrong because phishing specifically refers to attacks carried out via email, often with malicious links or attachments, not a phone call requesting an MFA code. Option B is wrong because smishing is conducted via SMS text messages, not a voice call; while the MFA code arrives via SMS, the attack vector is the phone call, making it vishing.

50
Matchinghard

Match each incident response activity to the phase of the incident response lifecycle it best represents. Use each option once. 1. A SOC analyst disables a compromised account, isolates the workstation from the network, and preserves volatile evidence. 2. The team images the infected system, removes the malicious persistence mechanism, and patches the exploited vulnerability. 3. After restoring services, the team reviews timeline gaps, detection delays, and control failures with management. 4. Before the attack occurs, the team verifies contact lists, playbooks, escalation paths, and backup credentials. 5. The team confirms suspicious authentication logs, endpoint alerts, and unusual outbound traffic indicate an active compromise.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Containment

Eradication

Lessons learned

Preparation

Identification

Why these pairings

Activities 1 and 2 both fall under Containment, Eradication, and Recovery as they involve immediate response and remediation. Activity 3 is Post-Incident Activity, focusing on lessons learned. Activity 4 is Preparation, done before an incident.

Activity 5 is Detection and Analysis, confirming an incident.

51
MCQmedium

During onboarding, a manager wants a document that explains how to request access to a shared drive, who approves it, and what the help desk must do after approval. Which document type is MOST appropriate?

A.Guideline, because it describes optional best practices for access requests.
B.Procedure, because it provides the ordered steps for requesting and fulfilling access.
C.Policy, because it names the general security principle without implementation detail.
D.Standard, because it should define every case-specific approval path in the organization.
AnswerB

A procedure is the best document for describing the sequence of actions, approvals, and responsibilities involved in a recurring task. In this case, it would tell users how to submit the request, who reviews it, and what the help desk does after approval. Procedures improve consistency and reduce errors in operational workflows.

Why this answer

A procedure is the correct document type because it specifies the exact ordered steps for requesting access to a shared drive, the approval authority, and the help desk's post-approval actions. Unlike a policy, which states high-level security principles, a procedure provides the operational workflow needed for onboarding tasks.

Exam trap

The trap here is confusing a procedure with a policy or standard, where candidates pick 'policy' because it sounds authoritative, but fail to recognize that procedures are the only document type that provides ordered steps for a specific workflow.

How to eliminate wrong answers

Option A is wrong because a guideline describes optional best practices or recommendations, not mandatory steps for access requests. Option C is wrong because a policy defines general security principles (e.g., 'access must be authorized') without implementation details like who approves or what the help desk does. Option D is wrong because a standard sets mandatory, uniform requirements (e.g., encryption strength), not case-specific approval paths or step-by-step instructions.

52
MCQmedium

After confirming malicious activity on a workstation, the incident lead wants the system cleaned up quickly. The analyst has not yet collected any volatile data. What should the analyst do before remediation begins?

A.Capture volatile evidence such as memory and running process information before changing the system.
B.Immediately uninstall every suspicious application and delete related files.
C.Restore the workstation from backup before documenting the incident.
D.Close the incident because the malicious activity has already been confirmed.
AnswerA

Volatile data disappears quickly and often contains the best clues about active malicious behavior, injected code, network connections, and open sessions. Capturing memory and process state before cleanup preserves that evidence for later analysis. Once remediation begins, many of those artifacts are lost or altered. In an incident response workflow, evidence collection should happen before eradication whenever the system is still available and safe to examine.

Why this answer

Option A is correct because volatile data (e.g., memory contents, running processes, network connections) is lost when the system is powered off or changed. The analyst must capture this evidence first to preserve forensic artifacts that can identify the root cause, scope, and indicators of compromise (IOCs) before remediation alters the system state.

Exam trap

The trap here is that candidates may prioritize speed of remediation over proper forensic procedure, forgetting that volatile data is the most time-sensitive evidence and must be collected before any system changes occur.

How to eliminate wrong answers

Option B is wrong because immediately uninstalling applications and deleting files destroys volatile evidence and may trigger anti-forensic mechanisms, preventing full analysis of the attack. Option C is wrong because restoring from backup overwrites the current system state, erasing all volatile and non-volatile evidence needed for investigation and legal proceedings. Option D is wrong because confirming malicious activity does not complete the incident response process; the analyst must still collect evidence, contain the threat, and perform root cause analysis before closure.

53
MCQmedium

A finance application stores approval records for wire transfers. Auditors need to prove which employee approved each transfer, and employees must not be able to deny their approval later. Which security objective is best addressed by binding each approval to an individual identity and preserving immutable logs?

A.Confidentiality, because the approval records should be hidden from everyone except finance staff.
B.Nonrepudiation, because the organization needs proof that a specific person performed the approval.
C.Availability, because the approval system must remain online during business hours.
D.Integrity, because the record must never be changed after it is saved.
AnswerB

Correct. Nonrepudiation provides evidence that a specific user performed an action and later cannot reasonably deny it. Binding approvals to individual identities, using signed records, and keeping immutable logs all support that objective. This is especially important for financial workflows where auditors must trace accountability for every approval.

Why this answer

Nonrepudiation ensures that an action cannot be denied by the person who performed it. By binding each approval to a unique employee identity and preserving immutable logs, the organization can irrefutably prove who approved each wire transfer, preventing employees from later denying their approval. This directly addresses the requirement for accountability and proof of action.

Exam trap

The trap here is that candidates often confuse integrity with nonrepudiation, thinking that keeping a record unchanged (integrity) is sufficient to prove who performed an action, but nonrepudiation requires a cryptographic binding of identity to the action, not just data preservation.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized access to data, not on proving who performed an action; hiding approval records does not prevent an employee from denying their approval. Option C is wrong because availability ensures the system is accessible when needed, but it does not provide proof of identity or prevent denial of past actions. Option D is wrong because integrity ensures data is not altered, but even if a record remains unchanged, it does not prove which specific employee performed the approval without a binding identity.

54
MCQmedium

Administrators need to manage internal switches from home. Management traffic must be encrypted, MFA must be used, and no switch management interface should be exposed directly to the internet. Which design is best?

A.Open SSH directly to each switch on a public IP address and restrict access by source IP only.
B.Use a VPN into the internal network, then administer the switches through a hardened jump host over SSH.
C.Allow HTTPS management to each switch over the internet because the channel is encrypted.
D.Use Telnet inside the office and route home users through a split-tunnel VPN.
AnswerB

This design keeps management interfaces internal, encrypts traffic over the VPN, and lets the organization enforce MFA at the VPN or jump-host entry point. SSH provides secure device administration while the jump host centralizes access and logging.

Why this answer

Option B is correct because it uses a VPN to create an encrypted tunnel from the home user to the internal network, then requires SSH (which encrypts management traffic) through a hardened jump host. This design ensures MFA can be enforced at the VPN or jump host layer, and no switch management interface is directly exposed to the internet, satisfying all three requirements.

Exam trap

The trap here is that candidates often think HTTPS encryption alone is sufficient for internet-exposed management, ignoring the requirement that no management interface be directly exposed to the internet, and that MFA must be enforced separately.

How to eliminate wrong answers

Option A is wrong because opening SSH directly to each switch on a public IP address exposes the management interface to the internet, violating the requirement that no switch interface be directly exposed; source IP restriction alone is insufficient as a security control and does not enforce MFA. Option C is wrong because allowing HTTPS management directly over the internet still exposes the switch management interface to the internet, and while HTTPS encrypts the channel, it does not inherently enforce MFA or prevent direct exposure. Option D is wrong because Telnet transmits data in cleartext (no encryption), and a split-tunnel VPN would route home users through the internet for management traffic, failing to encrypt the management session and exposing the traffic.

55
MCQhard

Based on the exhibit, what is the most likely SOC conclusion and next action? A scheduled alert fired on a server that repeatedly connects to a vendor update site at fixed intervals. The security team wants to know whether the alert represents a real threat or a harmless operational pattern.

A.Treat the activity as confirmed command-and-control traffic and isolate the server immediately.
B.Classify the alert as a likely false positive, verify it against the maintenance record, and tune the rule.
C.Assume DNS poisoning is occurring and immediately flush the DNS cache on every endpoint.
D.Open a credential theft incident and reset all administrator passwords across the environment.
AnswerB

The logs show a signed, approved patch agent on a server explicitly assigned to patch management, connecting to the vendor update host on a predictable schedule. That pattern matches normal operations rather than covert beaconing. The best SOC action is to validate the asset and change context, document the finding, and tune the detection logic or allowlist the known-good behavior.

Why this answer

The scheduled alert firing at fixed intervals to a known vendor update site strongly suggests a legitimate update or heartbeat mechanism, not malicious C2 traffic. Option B correctly directs the analyst to verify against maintenance records (confirming the pattern is expected) and then tune the rule to reduce future false positives, which is the standard SOC workflow for benign scheduled activity.

Exam trap

The trap here is that candidates see 'scheduled alert' and 'fixed intervals' and immediately think of C2 beaconing, but the key differentiator is the destination being a known vendor update site, which points to a false positive rather than a threat.

How to eliminate wrong answers

Option A is wrong because isolating the server immediately for confirmed C2 traffic is premature; the traffic is to a known vendor update site at fixed intervals, which is the opposite of typical C2 behavior (which uses irregular patterns and often non-standard ports). Option C is wrong because DNS poisoning would cause traffic to unexpected IPs, not a known vendor site, and flushing DNS cache on every endpoint is an extreme, unnecessary action for a single scheduled alert. Option D is wrong because credential theft incidents involve unauthorized access or lateral movement, not a server making outbound connections to a vendor site; resetting all admin passwords would be a massive overreaction and disrupt operations without evidence.

56
MCQeasy

A company wants one document that tells employees what they are required to do when handling company systems and data. Which document type is the best fit?

A.Policy, because it states the required rules and expectations for everyone.
B.Procedure, because it always defines the highest-level mandatory rules.
C.Guideline, because it provides optional suggestions for best behavior.
D.Standard, because it contains only optional advice about security.
AnswerA

A policy is the top-level document that states mandatory rules and expectations. It is appropriate when the organization wants all employees to know the required behavior for handling systems and data. Policies are broad, approved by leadership, and intended to guide consistent decisions across the company.

Why this answer

A policy is the correct document type because it defines mandatory rules and expectations for all employees regarding the handling of company systems and data. Unlike guidelines or standards, a policy is enforceable and sets the required behavior, making it the best fit for a single document that tells employees what they must do.

Exam trap

The trap here is confusing 'policy' with 'procedure' or 'standard' because candidates often think procedures are the highest-level rules, but in CompTIA's framework, policies are the top-level mandatory directives, while procedures are subordinate implementation steps.

How to eliminate wrong answers

Option B is wrong because a procedure defines step-by-step instructions for performing a specific task, not the highest-level mandatory rules; policies are the highest-level mandatory rules. Option C is wrong because a guideline provides optional suggestions or best practices, not required actions, so it does not meet the need for a document that tells employees what they are required to do. Option D is wrong because a standard specifies mandatory technical requirements or configurations (e.g., minimum password length or encryption algorithms), not optional advice, and it is typically more technical than a policy.

57
MCQeasy

An office loses power several times each month, causing servers to shut down without warning. Which control best helps keep the systems running long enough for a safe shutdown?

A.A UPS sized to support the equipment for a short period.
B.A better wallpaper design in the server room.
C.A stronger password for the power strip.
D.More user awareness training about turning monitors off.
AnswerA

A UPS is the best control because it provides temporary battery power during outages, giving systems time to continue running briefly or shut down cleanly. This reduces the chance of data loss and hardware damage. It is a common environmental safeguard for servers and other critical devices that must survive short power interruptions.

Why this answer

A UPS (Uninterruptible Power Supply) provides battery backup power to connected equipment, allowing servers to continue running for a short duration after a power loss. This gives administrators enough time to perform a safe, orderly shutdown, preventing data corruption and hardware damage from abrupt power loss.

Exam trap

The trap here is that candidates may confuse a UPS with a surge protector or power strip, thinking that any power-related device provides backup runtime, when only a UPS with battery storage can keep systems running after a power failure.

How to eliminate wrong answers

Option B is wrong because wallpaper design has no impact on power continuity or safe shutdown procedures; it is purely cosmetic. Option C is wrong because a stronger password for the power strip does not provide backup power or enable graceful shutdown; power strips do not manage power loss events. Option D is wrong because user awareness training about turning monitors off does not address the need for servers to remain powered during an outage; it focuses on energy savings, not uptime or safe shutdown.

58
Multi-Selecthard

A finance workstation begins encrypting local files, and the EDR console shows the process is also enumerating SMB shares on adjacent hosts. The user reports no suspicious email and is still logged in. Management wants the fastest containment step that minimizes spread and the best follow-up action to preserve useful evidence. Which two actions should the SOC take first? Select two.

Select 2 answers
A.Isolate the affected endpoint from the network using EDR or NAC.
B.Power the system off immediately to stop encryption and preserve nothing else.
C.Capture volatile evidence such as memory, running processes, and active connections before wiping the host.
D.Begin restoring files from backup on the same workstation before containment is finished.
E.Reenable the user's mapped drives so they can verify which files are affected.
AnswersA, C

Removing the host from the network immediately limits lateral movement and command-and-control communication while preserving the running system for analysis.

Why this answer

Isolating the affected endpoint from the network using EDR or NAC (Option A) is the fastest containment step because it immediately stops the ransomware from encrypting SMB shares on adjacent hosts, preventing lateral spread. This action preserves the system's state for forensic analysis, unlike powering off which destroys volatile evidence.

Exam trap

The trap here is that candidates may confuse 'fastest containment' with 'immediate power-off' (Option B), failing to recognize that isolation via EDR/NAC stops lateral movement without destroying volatile evidence, which is essential for attribution and recovery.

59
MCQmedium

A company is evaluating a new cloud-based customer relationship management (CRM) provider. The provider’s documentation includes a SOC 2 Type II report, but the company’s compliance team specifically requires evidence that data in transit is encrypted using TLS 1.2 or higher, and data at rest is encrypted with AES-256. Which of the following actions best demonstrates that the company has performed proper due diligence in vendor risk management?

A.Request the provider to sign a contractual service-level agreement (SLA) that guarantees encryption compliance.
B.Accept the SOC 2 Type II report as sufficient and proceed without further review.
C.Review the detailed control descriptions and auditor test results within the SOC 2 Type II report that address encryption of data in transit and at rest.
D.Conduct an independent penetration test on the provider’s infrastructure before signing the contract.
AnswerC

A SOC 2 Type II report includes a detailed description of controls, the control objectives, and the results of the auditor’s testing over a period of time. Reviewing these specific sections allows the company to verify that encryption controls are designed and operating effectively, which satisfies due diligence requirements for third-party risk management.

Why this answer

Option C is correct because a SOC 2 Type II report includes detailed control descriptions and independent auditor test results that specifically verify whether encryption controls (TLS 1.2+ for data in transit and AES-256 for data at rest) are designed and operating effectively over a period of time. Reviewing these granular details allows the company to confirm compliance with its specific encryption requirements, which is a core component of due diligence in vendor risk management.

Exam trap

The trap here is that candidates assume a SOC 2 Type II report is a blanket certification of all security controls, when in fact it only attests to the controls that were specifically selected and tested, so failing to review the detailed control descriptions can lead to accepting a report that does not cover the required encryption standards.

How to eliminate wrong answers

Option A is wrong because a contractual SLA only promises future compliance without providing any evidence that the encryption controls are currently in place or have been independently verified; it shifts the burden to legal recourse rather than validating technical controls. Option B is wrong because simply accepting the SOC 2 Type II report without reviewing the specific control descriptions and test results fails to confirm that the report actually covers the required encryption standards (TLS 1.2+ and AES-256), as the report may address different controls or scopes.

60
MCQeasy

A team manages virtual machines in a public cloud and wants an audit trail of who created instances, changed security groups, and modified IAM settings. What should be enabled first?

A.Host-based antivirus on each virtual machine.
B.Cloud control plane or audit logging.
C.A guest operating system screen saver policy.
D.A static public IP address for every virtual machine.
AnswerB

This is the best answer because audit logs record management actions such as instance creation, security group changes, and IAM updates. Those events are central to cloud investigations and change tracking. Enabling cloud-native logging first gives the team visibility into who did what and when, which is essential for security monitoring and accountability.

Why this answer

Cloud control plane or audit logging (e.g., AWS CloudTrail, Azure Monitor, or Google Cloud Audit Logs) captures all API calls that create instances, modify security groups, or change IAM settings. This provides the required audit trail of who performed each action, when, and from what source, which is essential for security incident response and compliance.

Exam trap

The trap here is confusing guest OS-level controls (antivirus, screen saver) with cloud provider-level audit logging, leading candidates to pick a security tool that addresses a different threat surface.

How to eliminate wrong answers

Option A is wrong because host-based antivirus protects against malware on the VM's operating system but does not log cloud control plane actions like instance creation or IAM changes. Option C is wrong because a guest OS screen saver policy enforces local session locking, which is unrelated to auditing cloud-level administrative actions. Option D is wrong because assigning a static public IP to each VM provides a fixed network address but generates no audit logs for who created instances or modified security groups.

61
MCQmedium

Based on the exhibit, what type of malware behavior is most likely occurring?

A.Ransomware, because the endpoint made an outbound connection after opening a document.
B.Fileless attack, because PowerShell was launched in memory with no new payload written to disk.
C.Spyware, because the laptop made an encrypted outbound connection.
D.Worm activity, because the laptop communicated with an external IP address.
AnswerB

This is a fileless attack because the malicious activity relies on script execution rather than a traditional dropped executable. The encoded PowerShell command, hidden execution, and absence of a new file on disk strongly indicate memory-based or script-based malware behavior that can evade basic file scanning.

Why this answer

The exhibit shows PowerShell being launched in memory with no new payload written to disk, which is the hallmark of a fileless attack. Fileless malware exploits legitimate system tools like PowerShell to execute malicious code directly in memory, evading traditional signature-based detection that relies on scanning files on disk.

Exam trap

The trap here is that candidates see an outbound connection and immediately assume ransomware or spyware, but the key indicator is PowerShell executing in memory with no disk write, which is the defining characteristic of a fileless attack.

How to eliminate wrong answers

Option A is wrong because ransomware typically encrypts files and demands payment, but the exhibit shows no evidence of file encryption or ransom note; the outbound connection alone does not confirm ransomware. Option C is wrong because spyware exfiltrates data over encrypted channels, but the exhibit lacks indicators of data collection or exfiltration; an encrypted outbound connection is common for many legitimate applications. Option D is wrong because worm activity involves self-replicating propagation across networks, and the exhibit only shows a single outbound connection to an external IP, which is insufficient to confirm worm behavior.

62
MCQeasy

A vulnerability scan reports that a public web server is running an operating system version that no longer receives security updates. Which issue is present?

A.Weak permissions
B.Outdated component
C.DNS poisoning
D.Smishing
AnswerB

An unsupported operating system is an outdated component because it no longer receives vendor security fixes.

Why this answer

An operating system version that no longer receives security updates is an outdated component. This means the vendor has ceased patching known vulnerabilities, leaving the system exposed to exploits that target unpatched flaws. In the context of a public web server, this directly violates the principle of maintaining a secure baseline and is a common finding in vulnerability scans.

Exam trap

The trap here is that candidates may confuse 'outdated component' with 'weak permissions' because both involve configuration issues, but the question specifically describes a version that no longer receives updates, which is a lifecycle/obsolescence problem, not a permissions misconfiguration.

How to eliminate wrong answers

Option A is wrong because weak permissions refer to misconfigured access controls (e.g., world-writable files or improper ACLs), not the age or update status of the OS itself. Option C is wrong because DNS poisoning is an attack that corrupts DNS resolution data (e.g., spoofed A records) to redirect traffic, unrelated to the OS version's patch level. Option D is wrong because smishing is a social engineering attack using SMS text messages to trick users into revealing information, not a technical vulnerability in server software.

63
Multi-Selectmedium

An organization is implementing security controls to mitigate the risk of social engineering attacks. Which three of the following are effective mitigations? (Choose three.)

Select 3 answers
.Implementing a strict clean desk policy
.Conducting regular security awareness training for all employees
.Deploying email filtering and anti-phishing gateways
.Requiring multifactor authentication for all systems
.Installing physical barriers at building entrances
.Disabling USB ports on all workstations

Why this answer

Security awareness training is a critical mitigation because it educates employees to recognize and resist social engineering tactics such as phishing, pretexting, and baiting. By regularly updating training content to reflect current attack vectors, organizations reduce the likelihood that human error will be exploited. This directly addresses the human factor, which is often the weakest link in security.

Exam trap

The trap here is that candidates often confuse general security best practices (like clean desk policies or disabling USB ports) with specific mitigations for social engineering, failing to recognize that social engineering exploits human behavior and communication channels, not just physical or technical vectors.

64
MCQmedium

After an internal PKI was rebuilt, users now see certificate warnings when connecting to the company intranet portal. The portal certificate chains to a new CA, but endpoint trust stores do not recognize it yet. What should the administrator deploy?

A.The portal's private key so users can validate the certificate locally.
B.The root CA certificate for the new PKI to trusted endpoint stores.
C.A new certificate signing request on each endpoint.
D.A self-signed certificate on the portal to avoid future CA problems.
AnswerB

Correct. Endpoint trust stores need the trusted root certificate so they can validate the certificate chain presented by the intranet portal. Once the root CA is trusted, the browser can build a chain of trust from the portal certificate through any intermediate certificates back to the root. This resolves the warning without exposing private keys.

Why this answer

The correct answer is B because the root CA certificate must be distributed to all endpoint trust stores to establish trust in the new PKI. Without the root CA in the trusted root certification authorities store, the certificate chain is incomplete, causing browsers to display certificate warnings. Deploying the root CA certificate via Group Policy or MDM resolves this by allowing endpoints to validate the portal's certificate chain.

Exam trap

The trap here is that candidates may confuse distributing the root CA certificate with distributing the private key or generating a CSR, but the core concept is that trust is established by adding the root CA to the trusted store, not by modifying the portal or endpoints' certificates.

How to eliminate wrong answers

Option A is wrong because distributing the portal's private key would compromise the certificate's security, allowing anyone to impersonate the portal; private keys must never be shared. Option C is wrong because a new certificate signing request (CSR) on each endpoint is unnecessary and irrelevant—CSRs are used to request certificates from a CA, not to establish trust in an existing CA. Option D is wrong because a self-signed certificate would not be trusted by endpoints either (unless its root is manually added), and it would bypass the benefits of a proper PKI, such as revocation and centralized management.

65
MCQmedium

After restoring a virtualized file server from backup, users can log in but the accounting application returns database consistency errors. What should you do next?

A.Declare the restore successful because the virtual machine boots and users can sign in.
B.Verify the restore in an isolated environment and confirm application-level integrity and permissions.
C.Increase the backup retention period and wait for the next scheduled full backup.
D.Delete the backup set to prevent confusion with the restored data.
AnswerB

This is the best next step because a restore is only useful if the data and application work as expected. Testing in an isolated environment lets you confirm database consistency, file permissions, application dependencies, and any version mismatches without risking production impact. That approach also helps determine whether the backup itself is valid or whether a separate application or storage issue is causing the errors.

Why this answer

Option B is correct because the restore process must be validated beyond basic boot and login functionality. Database consistency errors indicate that the application-level data integrity was compromised during the restore, likely due to missing or inconsistent database files, permissions, or transaction logs. Verifying the restore in an isolated environment allows you to test application-specific integrity checks (e.g., DBCC CHECKDB for SQL Server) and confirm that file permissions and security descriptors are intact before returning the server to production.

Exam trap

The trap here is that candidates assume a successful VM boot and user login equate to a complete restore, overlooking the need to validate application-level data integrity and permissions in an isolated test environment.

How to eliminate wrong answers

Option A is wrong because declaring success based solely on VM boot and user login ignores the critical application-level integrity failure; database consistency errors mean the restore is incomplete or corrupted. Option C is wrong because increasing backup retention and waiting for the next full backup does not address the current data integrity issue and delays resolution. Option D is wrong because deleting the backup set would destroy the only source for a potential re-restore or forensic analysis, and it does not fix the consistency errors.

66
MCQhard

After a switch reboot in a conference room, several laptops obtain valid IP addresses in the correct subnet, but their default gateway changes to 10.20.40.50, which is not the legitimate router. Packet capture shows DHCP offers coming from a MAC address that does not belong to the approved DHCP server, and the rogue device responds faster than the real server. What attack is most likely occurring?

A.ARP poisoning, because the attacker is changing IP-to-MAC mappings on the local network.
B.Rogue DHCP service, because an unauthorized DHCP server is handing out network settings.
C.Replay attack, because the attacker is reusing old DHCP offers.
D.DNS poisoning, because the clients are being sent to the wrong network path.
AnswerB

A rogue DHCP service is the best answer. The clients receive valid-looking leases from an unauthorized device, and the device supplies the default gateway before the legitimate server can respond. This is a common and dangerous network attack because it can redirect traffic, enable interception, or break connectivity without requiring packet spoofing at the ARP layer.

Why this answer

The scenario describes an unauthorized device responding to DHCP discovery messages faster than the legitimate server, assigning valid IPs but a rogue default gateway (10.20.40.50). This is the classic behavior of a rogue DHCP server, which intercepts DHCP traffic to manipulate client network settings, enabling man-in-the-middle attacks. The packet capture confirming DHCP offers from an unknown MAC address directly identifies the attack as a Rogue DHCP service.

Exam trap

The trap here is that candidates confuse the symptom (wrong gateway) with ARP poisoning or DNS attacks, but the key clue is the DHCP offer source and the faster response time, which uniquely identifies a rogue DHCP server.

How to eliminate wrong answers

Option A is wrong because ARP poisoning involves sending forged ARP replies to associate an attacker's MAC address with a legitimate IP, not distributing DHCP lease offers with a fake gateway. Option C is wrong because a replay attack would capture and retransmit valid DHCP offers from the real server, not generate new offers with a different gateway IP from an unauthorized MAC. Option D is wrong because DNS poisoning manipulates DNS resolution to redirect traffic to malicious sites, whereas this attack alters the default gateway at the network layer via DHCP, not DNS records.

67
Multi-Selecthard

After several unauthorized edits to firewall objects caused a production outage, a security team wants one control that will flag future configuration drift and another that will automatically restore the approved baseline before the next maintenance window. Which two controls best meet that goal? Select two.

Select 2 answers
A.File integrity monitoring on firewall configuration files and rule exports.
B.Automated configuration management to reapply the approved baseline after drift.
C.A login banner warning administrators that unauthorized changes are monitored.
D.Mandatory annual security awareness training for all IT staff.
E.Quarterly business impact reviews of the firewall change log.
AnswersA, B

Monitoring file hashes quickly reveals unauthorized firewall drift after changes are made.

Why this answer

File integrity monitoring (FIM) on firewall configuration files and rule exports (Option A) detects unauthorized changes by computing cryptographic hashes of baseline files and alerting on any deviation. This directly flags configuration drift, meeting the first requirement. Automated configuration management (Option B) can reapply the approved baseline from a version-controlled repository, restoring the correct state before the next maintenance window, satisfying the second requirement.

Exam trap

The trap here is that candidates may confuse passive controls like banners or training with active detection and remediation, or mistakenly think that a quarterly review meets the requirement for automatic restoration before the next maintenance window.

68
MCQeasy

After a user signs in, a file server checks whether they can edit a shared folder. Which AAA concept is being applied?

A.Authentication
B.Authorization
C.Accounting
D.Encryption
AnswerB

Authorization determines what actions an authenticated user is allowed to perform. In this case, the server is checking whether the user has permission to edit the shared folder, not whether they are who they claim to be. This is a common access-control decision made after successful login.

Why this answer

The file server is checking whether the authenticated user has the specific permission to edit the shared folder. This is the definition of authorization: determining what an authenticated user is allowed to do. Authentication (A) only verifies identity, not rights; accounting (C) tracks usage; encryption (D) protects data in transit or at rest.

Exam trap

The trap here is confusing authentication with authorization: candidates often pick 'Authentication' because they think 'signing in' is the entire security process, but the question explicitly states the check happens after sign-in and is about editing rights, which is authorization.

How to eliminate wrong answers

Option A is wrong because authentication only verifies the user's identity (e.g., via password or certificate), not whether they can edit a folder. Option C is wrong because accounting logs and audits user actions (e.g., login times, file accesses) but does not enforce permissions. Option D is wrong because encryption (e.g., TLS or BitLocker) protects data confidentiality but does not control access rights.

69
Multi-Selectmedium

Field staff use company-owned tablets that also run approved personal apps. Security needs business data isolated from personal data, the ability to wipe only corporate content, and enforcement of screen lock and encryption. Which two controls best fit? Select two.

Select 2 answers
A.Enroll the tablets in MDM and enforce encryption and a screen-lock PIN.
B.Use a managed work profile or container to separate corporate apps and data.
C.Allow rooted devices if the antivirus app is current.
D.Place all apps in one shared profile and use a single passcode for every user.
E.Disable remote wipe so personal photos are never affected.
AnswersA, B

MDM can enforce baseline device protections such as encryption, lock screens, and compliance settings.

Why this answer

Option A is correct because Mobile Device Management (MDM) enforces security policies like encryption and screen-lock PIN across the device, meeting the requirements for data protection. Option B is correct because a managed work profile or container (e.g., Android Work Profile or iOS Managed Open In) isolates corporate apps and data from personal apps, allowing selective wipe of corporate content without affecting personal data.

Exam trap

The trap here is that candidates often confuse MDM with MAM (Mobile Application Management) and assume MDM alone provides data isolation, when in fact a managed work profile or container is required for selective wipe and app-level separation.

70
MCQmedium

A web application was updated at 10:00. At 10:05, the SIEM reports a sharp rise in HTTP 500 errors and WAF blocks from the same source range. The application owner says customers are seeing failures only on the new checkout page. What is the best next step?

A.Close the incident because the WAF is blocking the suspicious traffic.
B.Correlate deployment, WAF, and application logs to determine whether the release or an attack caused the failures.
C.Disable all customer accounts until the failures disappear from the dashboard.
D.Increase the server's disk space and memory thresholds immediately.
AnswerB

This is the best next step because the timing strongly suggests either a bad deployment or an exploit attempt against the new checkout page. Correlating release records with WAF events and application logs helps determine whether the errors are caused by a coding defect, an input validation issue, or hostile traffic. That analysis lets the team respond appropriately instead of assuming the WAF alone has solved the problem.

Why this answer

Option B is correct because the temporal correlation between the deployment at 10:00 and the spike in HTTP 500 errors and WAF blocks at 10:05 strongly suggests a causal relationship. The best next step is to correlate deployment logs, WAF logs, and application logs to determine whether the new checkout page code introduced a bug (causing 500 errors) or whether an attacker is exploiting a vulnerability in the new code (triggering WAF blocks). This diagnostic step avoids premature conclusions and ensures the root cause is identified before any remediation.

Exam trap

The trap here is that candidates may assume WAF blocks always indicate an attack and choose Option A, failing to recognize that a recent deployment could introduce bugs that cause both 500 errors and false positive WAF triggers.

How to eliminate wrong answers

Option A is wrong because closing the incident while customers are actively experiencing failures on the new checkout page ignores the business impact and the possibility that the WAF blocks are a symptom of a misconfigured release, not a successful defense. Option C is wrong because disabling all customer accounts is an extreme, disruptive action that would cause massive business harm without any evidence that accounts are compromised; the issue is isolated to a single page and likely a code or configuration problem. Option D is wrong because increasing disk space and memory thresholds does not address HTTP 500 errors or WAF blocks; these are application-layer or security-layer issues, not resource exhaustion problems.

71
MCQmedium

Based on the exhibit, what type of web attack is most likely taking place?

A.Cross-site scripting, because the input is visible in the URL and causes an error.
B.SQL injection, because the attacker is manipulating the database query with crafted input.
C.Broken authentication, because the application returns a 500 error.
D.Insecure deserialization, because the application is parsing attacker-controlled data.
AnswerB

This is SQL injection because the input includes SQL control characters and logic that alter the intended query. The database error and the developer note about string concatenation confirm that user-supplied data is being inserted directly into SQL without parameterization. That makes the application vulnerable to query manipulation.

Why this answer

Option B is correct because the exhibit shows a URL parameter (e.g., `id=1 OR 1=1`) that is being passed to a database query. The attacker is injecting SQL syntax to manipulate the query logic, which is the hallmark of SQL injection. The 500 error likely results from the database server crashing or returning an invalid result set, confirming that the injection is affecting the database.

Exam trap

The trap here is that candidates see the input in the URL and the error message and mistakenly associate them with cross-site scripting (XSS), failing to recognize that the error is a database server response, not a client-side script execution.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) into a web page, not manipulating database queries; the visible input in the URL and the error are not indicative of XSS, which typically executes in the browser. Option C is wrong because broken authentication refers to flaws in session management or credential verification (e.g., weak passwords, session fixation), not to database query manipulation or server errors from SQL injection. Option D is wrong because insecure deserialization involves the processing of serialized objects (e.g., PHP or Java serialization) that can lead to remote code execution, not the direct injection of SQL commands into a URL parameter.

72
Multi-Selectmedium

EDR flags a word processor that launched encoded PowerShell and then made an outbound HTTPS connection to a rare domain. Which two actions should the analyst take first from the EDR console? Select two.

Select 2 answers
A.Isolate the endpoint from the network to stop further communication and lateral movement.
B.Collect a live response package or volatile data from the host before remediation begins.
C.Uninstall the word processor immediately because it is the process that launched PowerShell.
D.Reboot the laptop right away to clear the encoded PowerShell process from memory.
E.Whitelist the rare domain temporarily to see whether the connection is business-related.
AnswersA, B

This is the primary containment action because the host shows behavior consistent with active compromise and command execution. Network isolation limits attacker reach, preserves the current state, and reduces the chance of credential theft or lateral movement. EDR-based isolation is fast, reversible, and appropriate before more invasive remediation steps.

Why this answer

Option A is correct because isolating the endpoint from the network immediately stops the outbound HTTPS connection to the rare domain, preventing data exfiltration and blocking potential lateral movement. This is a critical first step in containment, as the encoded PowerShell and rare domain strongly suggest a malicious payload or C2 communication.

Exam trap

The trap here is that candidates may prioritize remediation (uninstalling or rebooting) over containment and evidence preservation, failing to recognize that isolation and data collection are the mandated first steps in incident response according to NIST SP 800-61.

73
Multi-Selecteasy

A manager asks how the security team decides which issue should be fixed first. Which two factors are MOST important to evaluate for each risk?

Select 2 answers
A.Asset age and user satisfaction
B.Likelihood and impact
C.Vendor popularity and implementation speed
D.Encryption algorithm and screen resolution
AnswersA, B

These can matter operationally, but they are not the primary inputs to risk priority decisions.

Why this answer

In risk management, the priority for remediation is determined by evaluating the likelihood of a threat exploiting a vulnerability and the impact of that exploitation on the organization. Likelihood and impact are the two core components of risk calculation (Risk = Likelihood × Impact), making them the most important factors for deciding which issue to fix first. This aligns with the NIST SP 800-30 risk assessment methodology and is a fundamental concept in security program management.

Exam trap

CompTIA often tests the misconception that factors like asset age, vendor popularity, or user satisfaction are relevant to risk prioritization, when in fact only likelihood and impact (or their product) determine which risk to address first.

74
MCQeasy

A web portal builds its database query by directly appending a user's search input. When the user types a single quote, the application returns a database error. Which attack is most likely?

A.Cross-site scripting
B.SQL injection
C.DNS poisoning
D.Privilege escalation
AnswerB

SQL injection happens when untrusted input alters a database query the application should have protected.

Why this answer

The application directly concatenates user input into a database query without sanitization. When a single quote (') is appended, it breaks the SQL string delimiter, causing a syntax error that the database exposes. This is the classic indicator of a SQL injection vulnerability, where an attacker can manipulate the query structure.

Exam trap

The trap here is that candidates may confuse the immediate symptom (a database error) with cross-site scripting, but the single quote directly points to SQL syntax breakage, not script execution in the browser.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages viewed by other users, not directly causing database errors via a single quote in a query. Option C is wrong because DNS poisoning corrupts DNS resolver caches to redirect traffic, not database query manipulation. Option D is wrong because privilege escalation is the act of gaining elevated access rights, not the injection technique that leads to unauthorized data access.

75
MCQeasy

Based on the exhibit, what type of social engineering attack is the caller using?

A.Vishing, because the attacker is using a phone call to pressure the target.
B.Ransomware, because the caller is asking for money.
C.SQL injection, because the caller is asking for account details.
D.Tailgating, because the attacker mentions an executive assistant.
AnswerA

The attacker is making a voice call and using urgency, authority, and time pressure to obtain sensitive financial information. That is a classic example of vishing, which is phishing conducted over the phone.

Why this answer

The caller is using a phone call to impersonate a trusted figure (the CEO) and create urgency to pressure the target into violating security policy. This matches the definition of vishing (voice phishing), which relies on social engineering over voice channels to extract sensitive information or actions.

Exam trap

The trap here is that candidates may confuse the mention of 'asking for money' with ransomware, but ransomware is a technical malware attack, not a social engineering phone call, and the question explicitly describes a phone-based interaction.

How to eliminate wrong answers

Option B is wrong because ransomware is a type of malware that encrypts files and demands payment for decryption, not a social engineering attack conducted via phone call. Option C is wrong because SQL injection is a web application attack that exploits improper input validation to manipulate database queries, not a social engineering technique. Option D is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area without proper authentication, not a phone-based social engineering tactic.

Page 1 of 16

Page 2