Security+ SY0-701 (SY0-701) — Questions 676–750

1152 questions total · 16 pages · All types, answers revealed

Page 10 of 16
676 · MCQ · medium

A company is redesigning a customer portal. Internet users must reach only the web tier, the application tier must be reachable only from the web tier, and the database must be reachable only from the application tier. Administrators should manage servers from a dedicated jump host. Which design best meets these requirements?

A. Place all servers on one VLAN and use host firewalls on each system.
B. Place web servers in a DMZ, application servers in an internal server subnet, databases in a restricted trust zone, and allow administration only through ACLs from a jump host.
C. Place the database servers in the DMZ so the web tier can query them directly from the internet-facing network.
D. Use NAT for all servers and keep every system on the same internal subnet to simplify routing.
Answer: B

This design separates the exposure of each tier and limits traffic to the minimum necessary paths. The web servers can face the internet in a DMZ, while the application and database tiers remain progressively more restricted. ACLs and a jump host also enforce controlled administrative access and reduce direct management exposure.

Why this answer

Option B correctly implements a layered security architecture by placing web servers in a DMZ (accessible from the internet), application servers in an internal subnet (accessible only from the DMZ), and databases in a restricted trust zone (accessible only from the application tier). Administration is restricted to a dedicated jump host, enforcing strict network segmentation and least-privilege access control via ACLs.

Exam trap

The trap here is that candidates may think host firewalls alone are sufficient for segmentation, ignoring that VLANs and network ACLs are required to prevent lateral movement and enforce tier-to-tier access restrictions at the network layer.

How to eliminate wrong answers

Option A is wrong because placing all servers on a single VLAN with host firewalls violates the requirement for network segmentation; host firewalls can be misconfigured or bypassed, and a single VLAN allows lateral movement between tiers if any host is compromised. Option C is wrong because placing database servers in the DMZ exposes them directly to the internet, contradicting the requirement that the database be reachable only from the application tier and creating a severe security risk.

677 · MCQ · easy

A help desk team wants users to be unable to install unsanctioned browser extensions or freeware on corporate Windows laptops, while approved business apps still run. Which endpoint control is best?

A. Full-disk encryption on every laptop.
B. Application allowlisting or application control.
C. A remote access VPN.
D. A desktop wallpaper policy.
Answer: B

This is the best choice because allowlisting permits only approved software and blocks unapproved tools, extensions, and installers. It is a strong way to reduce malware risk and limit user-driven software sprawl. Approved business applications can still run because they are explicitly allowed, which preserves usability while enforcing a controlled endpoint environment.

Why this answer

Application allowlisting (or application control) is the correct endpoint control because it explicitly defines which software executables, scripts, and installers are permitted to run on the system. By default, all unapproved applications—including unsanctioned browser extensions and freeware—are blocked, while approved business apps are allowed to execute. This directly addresses the requirement to prevent unauthorized installations while maintaining normal operations for sanctioned software.

Exam trap

The trap here is that candidates often confuse data protection controls (like encryption) or network controls (like VPN) with application execution controls, failing to recognize that only allowlisting directly governs what software can run on the endpoint.

How to eliminate wrong answers

Option A is wrong because full-disk encryption protects data at rest from unauthorized access if the laptop is lost or stolen, but it does not control which applications or extensions a user can install or run. Option C is wrong because a remote access VPN secures network communications between the laptop and corporate resources, but it has no ability to block local software installations or enforce application policies. Option D is wrong because a desktop wallpaper policy is a visual configuration setting that cannot enforce any security controls over application execution or installation.

678 · MCQ · medium

A team deploys an e-commerce application on an IaaS virtual machine. The cloud provider secures the datacenter, hardware, and hypervisor. The company wants to reduce the chance that attackers exploit outdated software on the VM itself. Which responsibility remains with the company?

A. Replace the cloud provider’s physical security controls with on-site guards.
B. Patch and harden the guest operating system and application running on the VM.
C. Install new firmware on the physical host server maintained by the provider.
D. Set the data center’s perimeter access badge policy.
Answer: B

In IaaS, the organization is responsible for the guest OS and everything above it, including applications and configuration. If attackers may exploit outdated software on the VM, the company must handle patching, hardening, and secure configuration of that environment.

Why this answer

In an IaaS model, the cloud provider is responsible for the security of the cloud (datacenter, hardware, hypervisor), while the customer is responsible for security in the cloud. This includes patching and hardening the guest OS and application on the VM. The company must manage vulnerabilities in the software stack it controls to prevent exploitation of outdated components.

Exam trap

The trap here is confusing the shared responsibility model: candidates often assume the provider handles all security (including OS patching) because they secure the hypervisor, but in IaaS, the customer retains full responsibility for the guest OS and applications.

How to eliminate wrong answers

Option A is wrong because physical security controls (e.g., on-site guards) are the provider's responsibility under the shared responsibility model; the company cannot replace them. Option C is wrong because firmware updates for the physical host server are the provider's responsibility, not the customer's, as the customer has no access to the hypervisor or host hardware. Option D is wrong because setting data center perimeter access badge policies is a physical security task owned by the provider, not the company using the IaaS VM.

679 · MCQ · medium

Help desk staff must restart one Windows service and read its event logs on 150 servers, but they should not have local administrator rights or interactive logon to the systems. Which approach best supports this requirement?

A. Create one shared local administrator account for the entire help desk team.
B. Add the staff to the local Administrators group on every server.
C. Use a Just Enough Administration constrained endpoint for the allowed tasks.
D. Run the maintenance job under each technician's personal account on a schedule.
Answer: C

JEA lets administrators define narrowly scoped remote management rights, which is ideal for limited service control and log access.

Why this answer

Just Enough Administration (JEA) allows you to create constrained PowerShell endpoints that delegate specific administrative tasks—such as restarting a service and reading event logs—without granting full local administrator rights or interactive logon. By defining role capabilities that limit cmdlets and parameters, help desk staff can perform only the required operations on all 150 servers via a constrained endpoint, meeting the security requirement precisely.

Exam trap

The trap here is that candidates often assume that adding users to the local Administrators group or using a shared admin account is the simplest way to delegate tasks, overlooking that JEA provides a secure, auditable, and least-privilege alternative that specifically prevents interactive logon and limits command scope.

How to eliminate wrong answers

Option A is wrong because a shared local administrator account violates the principle of least privilege and undermines non-repudiation: individual actions cannot be audited, and the account provides full administrative access. Option B is wrong because adding staff to the local Administrators group grants them interactive logon rights and unrestricted control over each server, which directly contradicts the requirement to avoid local admin rights and interactive logon. Option D is wrong because running maintenance jobs under each technician's personal account on a schedule does nothing to avoid interactive logon or the granting of administrative rights; it also fails to provide the on-demand, constrained access needed for ad hoc restarts and log reading, and it adds scheduling complexity without addressing the delegation requirement.

680 · MCQ · medium

Several employees in a branch office report that their laptops automatically connected to a network named "CorpWiFi" even though they were away from the office. Shortly afterward, a few users saw a captive portal asking them to re-enter company credentials. Which threat best explains this situation?

A. Evil twin access point impersonating the legitimate wireless network
B. Bluetooth pairing abuse from a nearby device
C. DNS poisoning caused by a compromised resolver
D. NFC relay attack against the laptops' login process
Answer: A

An evil twin is a rogue access point configured to look like the trusted wireless network, often using the same or a very similar SSID. Because clients may auto-connect, attackers can capture credentials or inspect traffic through the fake network. The captive portal and automatic connection away from the office strongly suggest a malicious wireless impersonation setup.

Why this answer

The scenario describes an evil twin attack where a rogue access point broadcasts the SSID "CorpWiFi" to trick laptops into automatically connecting. Once connected, the attacker presents a fake captive portal to harvest credentials. This exploits the fact that client devices often prioritize known SSIDs without verifying the authenticity of the access point, relying solely on the network name.

Exam trap

The trap here is that candidates may confuse an evil twin with a rogue AP that requires manual connection, but the key detail is the automatic connection, which exploits the client's saved network profile, not just the presence of a malicious AP.

How to eliminate wrong answers

Option B is wrong because Bluetooth pairing abuse requires active pairing or discovery, not automatic connection to a Wi-Fi network, and does not involve a captive portal for credential harvesting. Option C is wrong because DNS poisoning would redirect traffic to malicious sites after connection, but it does not explain why laptops automatically connected to a network named "CorpWiFi" away from the office. Option D is wrong because NFC relay attacks require physical proximity (typically centimeters) and are used for contactless payment or access card cloning, not for connecting to Wi-Fi networks or presenting a captive portal.

681 · MCQ · easy

Which action is the best example of accounting in AAA?

A. The system checks a password and a one-time code before allowing access.
B. The system records the username, timestamp, and files opened during the session.
C. The system grants access to the finance folder after the user is approved.
D. The system forces the user to change their password after 90 days.
Answer: B

Accounting is the tracking and logging part of AAA. Recording the username, timestamp, and accessed files creates an audit trail that can be reviewed later for investigations, compliance, or troubleshooting. Good accounting data helps organizations understand who did what, when it happened, and what resources were affected.

Why this answer

Accounting in AAA (Authentication, Authorization, and Accounting) focuses on tracking user activities and resource usage. Option B correctly describes this by specifying the recording of username, timestamp, and files accessed, which are typical audit log entries used for monitoring and compliance.

Exam trap

The trap here is that candidates confuse Accounting with Authentication or Authorization, especially when options involve access control or credential management, but Accounting is strictly about logging and tracking usage, not granting or verifying access.

How to eliminate wrong answers

Option A is wrong because checking a password and one-time code is a multi-factor authentication process, which falls under Authentication, not Accounting. Option C is wrong because granting access to a folder after approval is Authorization, which determines what resources a user can access. Option D is wrong because forcing a password change after 90 days is a password policy enforcement mechanism, which relates to Authentication or security policy, not Accounting.

682 · MCQ · medium

Based on the exhibit, which capability should be added so the SaaS app automatically creates, updates, and disables user accounts as directory changes occur?

A. Require MFA on the SaaS login page and leave account provisioning manual.
B. Add SCIM provisioning between the directory and the SaaS application.
C. Change the password rotation interval to every 30 days for all users.
D. Store credentials in a shared spreadsheet so the help desk can disable access faster.
Answer: B

SCIM automates user lifecycle events so account changes in the directory propagate to the application quickly.

Why this answer

SCIM (System for Cross-domain Identity Management) is the standard protocol designed to automate user provisioning and deprovisioning between an identity provider (like a directory) and a service provider (like a SaaS app). By adding SCIM provisioning, the SaaS app can automatically create, update, and disable user accounts in response to changes in the directory, eliminating the need for manual account management.

Exam trap

The trap here is that candidates may confuse authentication mechanisms (like MFA) or password policies with identity lifecycle management, failing to recognize that SCIM is the specific protocol designed for automated provisioning and deprovisioning.

How to eliminate wrong answers

Option A is wrong because requiring MFA only adds an authentication layer and does not automate account lifecycle management; manual provisioning remains, which does not address the requirement. Option C is wrong because changing the password rotation interval to 30 days is a password policy change that does not automate the creation, update, or disabling of user accounts based on directory changes. Option D is wrong because storing credentials in a shared spreadsheet introduces security risks and does not provide automated provisioning; it only offers a manual, insecure method for disabling access.

683 · MCQ · easy

Based on the exhibit, which supply-chain threat is most likely?

A. Dependency compromise
B. Brute-force attack
C. SQL injection
D. Privilege escalation
Answer: A

The application began contacting an unfamiliar domain immediately after a dependency update, and the package came from a newly created repository account. That strongly suggests dependency compromise, a supply-chain issue where a trusted library has been replaced or altered with malicious behavior.

Why this answer

The exhibit shows a dependency on a third-party library (e.g., a JavaScript package from a CDN or a software component from an external repository). A dependency compromise occurs when an attacker injects malicious code into that trusted third-party component, which is then pulled into the organization's environment during updates or builds. This is the most likely supply-chain threat because it directly exploits the trust placed in external dependencies.

Exam trap

The exam often tests the distinction between supply-chain attacks (compromising a trusted third-party component) and direct attacks on the organization's own systems. The trap here is that candidates may confuse a dependency compromise with a brute-force attack or SQL injection because all three involve unauthorized access, but the key difference is the vector: the dependency is externally sourced and trusted.

How to eliminate wrong answers

Option B (Brute-force attack) is wrong because it targets authentication mechanisms (e.g., SSH, RDP) by guessing credentials, not the integrity of third-party components in the supply chain. Option C (SQL injection) is wrong because it exploits improper input validation in database queries, not the trust relationship with external dependencies. Option D (Privilege escalation) is wrong because it involves gaining elevated access within a system after initial compromise, not the initial infiltration via a compromised dependency.

684 · Multi-Select · medium

A security manager is writing baseline requirements for all corporate laptops. Which three statements belong in the standard rather than in a policy or guideline? Select three.

Select 3 answers
A. Full-disk encryption must be enabled using approved encryption software.
B. The screen must lock after 10 minutes of inactivity.
C. Users should consider keeping their devices updated whenever convenient.
D. Local administrator rights are not allowed on standard user laptops.
E. Employees must follow the company's acceptable use policy at all times.
Answers: A, B, D

Standards define mandatory technical requirements, and each of the selected statements specifies an enforceable configuration.

Why this answer

Option A is correct because it is a mandatory, enforceable requirement that specifies exactly what must be done (enable full-disk encryption) and with what (approved encryption software). This level of specificity and obligation belongs in a standard, which defines compulsory technical controls, unlike a policy (high-level intent) or guideline (suggested best practice).

Exam trap

The trap here is that candidates confuse the permissive language of a guideline ('should consider') with the mandatory language of a standard ('must'), leading them to incorrectly select option C as a valid standard statement.

685 · MCQ · medium

The CIO wants to compare two mitigation options for a payment system outage and justify the budget request in dollars. The team already knows the likely downtime window, annual incident frequency, and estimated revenue loss per hour. Which approach would best support the decision?

A. Qualitative risk analysis
B. Quantitative risk analysis
C. Risk avoidance
D. Risk acceptance
Answer: B

Quantitative analysis uses measurable values like frequency, downtime, and financial loss to compare options and justify spending in monetary terms.

Why this answer

Quantitative risk analysis (Option B) is correct because it uses numerical data—such as the likely downtime window, annual incident frequency, and estimated revenue loss per hour—to calculate a monetary value (e.g., Annualized Loss Expectancy). This directly supports the CIO's need to compare mitigation options in dollars and justify a budget request with hard numbers, unlike qualitative methods that rely on subjective ratings.

Exam trap

The trap here is that candidates confuse qualitative risk analysis with quantitative risk analysis, assuming that any risk assessment involving 'analysis' can produce dollar figures, but qualitative methods only yield ordinal rankings, not monetary values.

How to eliminate wrong answers

Option A is wrong because qualitative risk analysis uses subjective ratings (e.g., high/medium/low) rather than hard dollar figures, so it cannot provide the precise monetary comparison the CIO needs for budget justification. Option C is wrong because risk avoidance means eliminating the activity causing the risk (e.g., discontinuing the payment system), which is not a comparison of mitigation options but a drastic measure that would halt business operations. Option D is wrong because risk acceptance means acknowledging the risk without taking action, which does not involve comparing mitigation options or justifying a budget request—it simply accepts the potential loss.

686 · MCQ · medium

A hospital's claims portal has two open risks. Risk A is an internet-facing login page with a low-severity software flaw, but monitoring shows a steady increase in automated login attempts. Risk B is an internal file share with a medium-severity patch gap, but only a small admin group can access it and no exploitation is observed. Leadership can fund only one remediation this month. Which risk should be prioritized first?

A. Prioritize Risk A because it is exposed to the internet and already shows active attack interest.
B. Prioritize Risk B because a medium-severity flaw is always more important than a low-severity flaw.
C. Accept Risk A because no confirmed compromise has occurred yet.
D. Transfer Risk A to an insurer because public-facing exposure cannot be reduced.
Answer: A

Risk A has the higher overall business risk because exposure and observed attack activity raise the likelihood of exploitation. Even if the flaw is rated low severity, an internet-facing system is more likely to be targeted quickly and broadly. Prioritization should consider both impact and likelihood, not severity alone. Addressing the public login page first reduces the chance of a successful compromise across a high-value service.

Why this answer

Risk A should be prioritized because the internet-facing login page is exposed to the public attack surface, and the steady increase in automated login attempts indicates active reconnaissance or credential-stuffing attacks. Even though the software flaw is low severity, the combination of internet exposure and active attacker interest significantly elevates the likelihood of exploitation, making it a higher priority than an internal file share with no observed exploitation.

Exam trap

The trap here is that candidates fixate on severity ratings (low vs. medium) without considering the risk equation, especially the critical factor of active attack interest and internet exposure, which the SY0-701 exam emphasizes in the context of threat intelligence and attack surface management.

How to eliminate wrong answers

Option B is wrong because it incorrectly assumes severity alone determines priority; in risk management, likelihood (internet exposure, active attack interest) and impact must be weighed together, and a medium-severity flaw with no exploitation and limited access is less urgent than a low-severity flaw under active attack. Option C is wrong because accepting a risk without remediation is only appropriate when the residual risk is within the organization's tolerance, but here the active attack interest and internet exposure create an unacceptable level of risk that requires immediate action.

687 · Multi-Select · medium

Several corporate laptops occasionally boot from a removable drive containing an untrusted recovery tool before Windows loads. The security team wants to reduce the chance of pre-boot tampering and unauthorized boot media use. Which two controls are most effective? Select two.

Select 2 answers
A. Enable UEFI Secure Boot.
B. Disable booting from external media or protect the firmware setup with a password.
C. Keep local administrator rights so users can recover faster.
D. Turn off disk encryption because it slows startup.
E. Move the laptops to a different subnet.
Answers: A, B

Secure Boot helps ensure that only trusted boot components load during startup. It reduces the chance that a malicious or untrusted bootloader can run before the operating system takes control.

Why this answer

UEFI Secure Boot ensures that only signed, trusted bootloaders and drivers are executed during the boot process. By verifying the digital signature of each component against a database of trusted keys, it prevents unauthorized boot media (such as an untrusted recovery tool) from loading before the operating system starts. This directly reduces the risk of pre-boot tampering and unauthorized boot media use.

Exam trap

The trap here is that candidates often confuse disk encryption (like BitLocker) with boot integrity controls, thinking encryption alone prevents unauthorized boot media, when in fact encryption protects data at rest but does not validate the trustworthiness of the boot process itself.

688 · MCQ · hard

An online retailer is moving its public web app, internal API, and database into separate zones. Public users must reach only the web tier. The web tier must contact the app tier, and only the app tier may query the database. Admins should manage all servers from a hardened jump host. Which design best meets these goals and minimizes lateral movement?

A. Place all servers in one VLAN and rely on host-based firewalls to block unwanted traffic.
B. Create separate DMZ, application, and database zones with default-deny east-west rules and use a jump host for administration.
C. Put the database in the DMZ so the web tier can connect to it without extra firewall rules.
D. Expose the application tier to the Internet and use NAT to hide the database subnet.
Answer: B

This design limits exposure at each layer, prevents direct user-to-database access, and gives administrators a controlled management path.

Why this answer

Option B is correct because it implements a multi-tier network architecture with separate DMZ, application, and database zones, enforcing default-deny east-west traffic rules. This ensures that public users can only reach the web tier, the web tier can only communicate with the app tier, and only the app tier can query the database, while all administrative access is funneled through a hardened jump host, which minimizes lateral movement by restricting inter-zone traffic to only what is explicitly required.

Exam trap

The trap here is that candidates often assume placing the database in the DMZ simplifies connectivity, but this violates the principle of defense in depth by removing network segmentation between the web tier and sensitive data storage.

How to eliminate wrong answers

Option A is wrong because placing all servers in one VLAN with host-based firewalls does not provide network-level segmentation; a compromised host could still potentially bypass host firewalls or exploit misconfigurations, allowing lateral movement across all tiers. Option C is wrong because putting the database in the DMZ exposes it to the same network segment as the web tier, violating the principle of least privilege and increasing the attack surface, as the database should never be directly accessible from the DMZ. Option D is wrong because exposing the application tier to the Internet directly exposes internal logic and APIs to potential attacks, and NAT alone does not enforce access control between tiers, leaving the database vulnerable to lateral movement if the app tier is compromised.

689 · MCQ · easy

A file contains employee Social Security numbers and bank account details. The company uses the labels Public, Internal, Confidential, and Restricted. Which label is most appropriate?

A. Public, because employees may need to share it with outside vendors
B. Internal, because only company staff should see it
C. Confidential, because the information is sensitive but not highly regulated
D. Restricted, because it contains highly sensitive personal and financial information
Answer: D

Restricted is the best fit when the data includes highly sensitive personal and financial details needing strict access control.

Why this answer

Social Security numbers and bank account details are classified as personally identifiable information (PII) and financial data, which are subject to strict regulatory requirements (e.g., GDPR, PCI DSS). The 'Restricted' label is designed for the most sensitive data that requires the highest level of access control and encryption, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates may confuse 'Confidential' with 'Restricted', assuming any sensitive data fits the 'Confidential' label, but 'Restricted' is specifically reserved for data that is both highly sensitive and subject to regulatory compliance requirements.

How to eliminate wrong answers

Option A is wrong because labeling this data as 'Public' would allow unrestricted access, violating data privacy regulations and exposing the company to legal penalties. Option B is wrong because 'Internal' is typically used for data that is not sensitive but should not be shared externally, whereas SSNs and bank details require more stringent controls. Option C is wrong because 'Confidential' is often used for sensitive business data (e.g., trade secrets), but it does not imply the highest level of protection needed for highly regulated personal financial information; 'Restricted' is the appropriate label for such data.

690 · MCQ · easy

A development team updates a third-party software library used by its web application. After the release, new deployments begin making unexpected outbound connections to an unfamiliar domain. What type of threat is most likely?

A. Dependency compromise
B. Phishing
C. Rootkit infection
D. Password spraying
Answer: A

Dependency compromise happens when a trusted third-party library, package, or component is altered to include malicious behavior. The unusual outbound connections after an update are a strong sign that the dependency may have been tampered with.

Why this answer

The correct answer is A, dependency compromise. This scenario describes a supply chain attack where a third-party library has been maliciously altered or replaced, causing the web application to make unauthorized outbound connections to an attacker-controlled domain. Such compromises often occur when developers unknowingly integrate a tampered version of a library from a compromised repository or via a typosquatting attack, leading to data exfiltration or command-and-control (C2) communication.

Exam trap

The trap here is that candidates may confuse a dependency compromise with a rootkit infection (Option C) because both involve stealthy, unauthorized behavior, but a rootkit specifically targets the OS kernel, not a web application's third-party library.

How to eliminate wrong answers

Option B is wrong because phishing is a social engineering attack that tricks users into revealing credentials or installing malware via deceptive emails or messages, not a technical compromise of a software library. Option C is wrong because a rootkit infection is a type of malware that hides its presence and provides persistent, stealthy access to an operating system, not a supply chain attack on a web application's dependencies. Option D is wrong because password spraying is a brute-force attack that attempts a few common passwords against many accounts, not a method to alter a third-party library's behavior.

691 · MCQ · medium

During testing, entering ' OR '1'='1 into a login field returns all user records instead of rejecting the input. What is the best fix to address this flaw?

A. Add client-side JavaScript validation to block quote characters
B. Use parameterized queries or prepared statements for database access
C. Store passwords in a stronger hash format
D. Change the login page to HTTPS
Answer: B

Parameterized queries separate code from data, which prevents SQL injection even when attackers supply special characters.

Why this answer

Option B is correct because the flaw is a classic SQL injection vulnerability, where unsanitized user input is concatenated directly into a SQL query. Parameterized queries (prepared statements) separate SQL logic from data, ensuring that input like ' OR '1'='1 is treated as a literal string value, not executable code. This is the industry-standard mitigation per OWASP and effectively prevents injection attacks.

Exam trap

The trap here is that candidates often confuse input validation (like blocking quotes) with the proper defense of parameterized queries, not realizing that blacklisting characters is ineffective and that the correct fix is to use prepared statements to separate code from data.

How to eliminate wrong answers

Option A is wrong because client-side JavaScript validation can be easily bypassed by disabling JavaScript or using tools like Burp Suite to send raw HTTP requests, so it provides no real security against SQL injection. Option C is wrong because stronger password hashing (e.g., bcrypt, Argon2) addresses credential storage security, not the SQL injection vulnerability that allows an attacker to extract all records without needing passwords. Option D is wrong because HTTPS encrypts data in transit but does not prevent the server from executing malicious SQL commands; the injection occurs after decryption on the server side.

692
MCQmedium

A team runs a confidential document repository on an IaaS virtual machine. The cloud provider secures the datacenter, hardware, and hypervisor. Which task remains the organization’s responsibility?

A.Patching the physical hosts inside the cloud provider's datacenter.
B.Replacing the provider's hypervisor when a new version is released.
C.Hardening the guest operating system and controlling access to the repository application.
D.Managing the cloud provider's physical badge access for the server room.
AnswerC

In IaaS, the organization is responsible for what it deploys on the virtual machine, including the guest operating system, its configuration, patching, and application-level access controls. Those tasks directly affect who can use the document repository and how securely the workload runs. Shared responsibility means the provider handles the platform, while the customer secures the OS and data-layer usage.

Why this answer

In an IaaS model, the cloud provider is responsible for the security of the cloud (physical datacenter, hardware, hypervisor), while the customer is responsible for security in the cloud. This includes hardening the guest OS, configuring firewalls, managing access controls, and patching the operating system and applications. Option C correctly identifies the organization's duty to secure the guest OS and the repository application.

Exam trap

The trap here is confusing the IaaS shared responsibility model with PaaS or SaaS, where the provider handles more of the stack; candidates often assume the provider patches the guest OS or manages application access, but in IaaS those are customer responsibilities.

How to eliminate wrong answers

Option A is wrong because patching physical hosts is the cloud provider's responsibility under the shared responsibility model; the customer has no access to the physical infrastructure. Option B is wrong because replacing the hypervisor is a provider-managed task; the customer only interacts with the virtual machine and its guest OS. Option D is wrong because managing physical badge access to the server room is a physical security control that falls entirely on the cloud provider, not the customer.

693
MCQhard

Based on the exhibit, which security principle is the proposed workflow most directly enforcing?

A.Least privilege, because each person gets only the minimum access needed for the task.
B.Defense in depth, because multiple layers of security are added around firewall changes.
C.Separation of duties, because no single person can create, approve, and implement the same production change.
D.Need-to-know, because the ticket is visible only to assigned people.
AnswerC

This is the correct principle because the redesign intentionally splits the workflow among different roles. One person drafts the change, another approves it, and a third implements it. That reduces fraud and mistakes by preventing one individual from controlling every step. The limited ticket visibility also supports the same idea, but the central security principle is separation of duties.

Why this answer

The proposed workflow enforces separation of duties by requiring three distinct roles—requester, approver, and implementer—to complete a single firewall change. No single person can both create and approve the change, nor can they implement it without prior approval. This directly prevents any one individual from having end-to-end control over a production change, which is the core of separation of duties.

Exam trap

The trap here is that candidates confuse separation of duties with least privilege because both involve limiting actions, but separation of duties specifically divides a process across multiple people, whereas least privilege limits the scope of permissions per person.

How to eliminate wrong answers

Option A is wrong because least privilege focuses on granting only the minimum permissions needed for a role, not on dividing a process into multiple roles; the workflow does not specify access levels or permissions. Option B is wrong because defense in depth involves multiple overlapping security controls (e.g., firewall, IDS, encryption), not a procedural separation of tasks within a single change process.

694
MCQhard

Based on the exhibit, what should the records manager do next?

A.Delete the records on schedule because the retention period is still the primary rule.
B.Move the records to long-term archive and continue the normal deletion schedule.
C.Print the records, delete the digital copies, and keep the paper copies instead.
D.Suspend deletion and preserve all related records until the legal hold is formally lifted.
AnswerD

A legal hold takes precedence over the routine retention schedule. Because counsel explicitly instructed the organization to preserve all related communications and prevent deletion or alteration, the records manager must stop auto-deletion and ensure the data remains intact. This supports legal defensibility and audit readiness while avoiding accidental spoliation of evidence.

Why this answer

Option D is correct because when a legal hold is in effect, it overrides any standard retention or deletion policies. The records manager must suspend all deletion activities and preserve all related records until the legal hold is formally lifted, as failure to do so could result in spoliation of evidence and legal penalties.

Exam trap

The trap here is that candidates may assume retention schedules are absolute, but legal holds are a higher-priority legal obligation that overrides standard data lifecycle policies.

How to eliminate wrong answers

Option A is wrong because it ignores the legal hold, which supersedes the retention period as the primary rule when litigation is pending. Option B is wrong because moving records to long-term archive does not satisfy the legal hold requirement; the hold requires preservation of all records, not just a change in storage location, and continuing a normal deletion schedule could destroy relevant data. Option C is wrong because printing digital copies and deleting the originals would destroy metadata and potentially violate the legal hold, as the original digital records may be required for e-discovery in their native format.

695
MCQmedium

After a new search feature goes live, logs show requests containing `UNION SELECT` and the application returns database error messages. Security testing confirms attackers can retrieve rows from other tables by modifying the query string. Which fix is best?

A.Rewrite the database access layer to use parameterized queries or prepared statements.
B.Encode special characters in the browser before submitting the search form.
C.Disable detailed error messages so attackers cannot see the database name.
D.Increase password complexity requirements for all application users.
AnswerA

Parameterized queries separate user input from SQL code, which prevents attacker-controlled strings from changing the query structure. That directly addresses the injection flaw rather than only hiding symptoms. Because the app is already returning database errors and leaking data, the safest fix is to eliminate dynamic SQL construction at the source of the problem.

Why this answer

The attack described is SQL injection, where the attacker uses `UNION SELECT` to extract data from other tables. The most effective and industry-standard fix is to use parameterized queries or prepared statements, which separate SQL logic from user input, preventing the database from interpreting malicious input as executable code. This directly addresses the root cause by ensuring user-supplied data is treated as data, not as part of the SQL command.

Exam trap

The trap here is that candidates often choose to hide error messages (Option C) thinking it stops the attack, but this only obscures the information leakage without fixing the underlying SQL injection flaw, which can still be exploited via blind techniques.

How to eliminate wrong answers

Option B is wrong because encoding special characters in the browser is a client-side measure that can be easily bypassed by attackers sending raw HTTP requests, and it does not prevent server-side SQL injection. Option C is wrong because disabling detailed error messages only hides the symptoms (e.g., database name exposure) but does not prevent the attacker from exploiting the SQL injection vulnerability; they can still extract data via blind SQL injection techniques. Option D is wrong because increasing password complexity does nothing to address the SQL injection vulnerability in the search feature; it is a security control for authentication, not input validation.

696
Multi-Selectmedium

A security analyst is investigating a potential data exfiltration incident. Which three of the following indicators are most commonly associated with a data exfiltration attack? (Choose three.)

Select 3 answers
A.Unusual outbound network traffic, especially during non-business hours
B.Multiple failed login attempts from a single user account
C.Large volumes of data being transferred to an external IP address
D.A sudden increase in DNS queries to a known malicious domain
E.A spike in CPU usage on a database server
F.An employee receiving a phishing email with a malicious attachment

Why this answer

Unusual outbound network traffic, especially during non-business hours, is a classic indicator of data exfiltration because attackers often schedule transfers when monitoring is less active. Large volumes of data being transferred to an external IP address directly suggests that sensitive data is being moved outside the organization. A sudden increase in DNS queries to a known malicious domain can indicate DNS tunneling, where data is encoded in DNS requests to bypass traditional network controls.

Exam trap

Cisco often tests the distinction between indicators of an active exfiltration event (like data transfer or unusual traffic patterns) and indicators of a precursor attack (like failed logins), so candidates mistakenly select the latter as a direct exfiltration indicator.
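The three exfiltration indicators above as detection logic over constructed flow and DNS records, added here as an example (not code from the question bank). The internal address ranges, thresholds, business-hours window, sample records and the blocklisted domain are all assumptions of the example.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed internal address space (hypothetical; adjust to the real environment).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze_flows(flows, dns_queries, bad_domains,
                  byte_threshold=50_000_000, offhours_threshold=5_000_000,
                  dns_threshold=20, business_hours=(7, 19)):
    """Flag the three exfiltration indicators from question 696 in flow and DNS records.
    Each flow is {"ts": datetime, "src": str, "dst": str, "bytes": int} (bytes sent by src);
    each DNS query is {"ts": datetime, "src": str, "domain": str}."""
    alerts = []
    bytes_by_pair = Counter()
    offhours_by_src = Counter()
    start, end = business_hours

    for f in flows:
        if not is_external(f["dst"]):
            continue  # internal transfers (backups etc.) are out of scope for this check
        bytes_by_pair[(f["src"], f["dst"])] += f["bytes"]
        if not (start <= f["ts"].hour < end):
            offhours_by_src[f["src"]] += f["bytes"]

    # Indicator: large volume of data sent to one external address
    for (src, dst), total in bytes_by_pair.items():
        if total >= byte_threshold:
            alerts.append(("large_outbound_transfer", src, dst, total))
    # Indicator: outbound traffic outside business hours
    for src, total in offhours_by_src.items():
        if total >= offhours_threshold:
            alerts.append(("off_hours_outbound", src, total))
    # Indicator: spike in lookups of a known malicious domain (possible DNS tunneling)
    bad_lookups = Counter((q["src"], q["domain"]) for q in dns_queries if q["domain"] in bad_domains)
    for (src, domain), count in bad_lookups.items():
        if count >= dns_threshold:
            alerts.append(("dns_to_known_bad_domain", src, domain, count))
    return alerts


# Constructed sample records (not real traffic): one workstation moving 75 MB to an
# external host at about 02:00 and repeatedly resolving a listed domain; one host behaving normally.
SAMPLE_FLOWS = [
    {"ts": datetime(2024, 5, 6, 2, 15), "src": "10.0.0.42", "dst": "198.51.100.77", "bytes": 40_000_000},
    {"ts": datetime(2024, 5, 6, 2, 20), "src": "10.0.0.42", "dst": "198.51.100.77", "bytes": 35_000_000},
    {"ts": datetime(2024, 5, 6, 14, 0), "src": "10.0.0.17", "dst": "198.51.100.5", "bytes": 2_000_000},
    {"ts": datetime(2024, 5, 6, 3, 0), "src": "10.0.0.17", "dst": "10.0.0.8", "bytes": 500_000_000},
]
SAMPLE_DNS = (
    [{"ts": datetime(2024, 5, 6, 2, 16), "src": "10.0.0.42", "domain": "bad-domain.invalid"}] * 25
    + [{"ts": datetime(2024, 5, 6, 9, 0), "src": "10.0.0.17", "domain": "example.com"}] * 5
)
BAD_DOMAINS = {"bad-domain.invalid"}  # placeholder for a threat-intelligence feed


if __name__ == "__main__":
    for alert in analyze_flows(SAMPLE_FLOWS, SAMPLE_DNS, BAD_DOMAINS):
        print(alert)
```

The large internal transfer at 03:00 is deliberately ignored, which shows why the external-destination check matters: without it, routine backups would drown the off-hours signal.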

697
MCQmedium

Sales staff use company laptops on public Wi-Fi and travel frequently. The company wants the disk contents unreadable if a laptop is stolen, even if the drive is removed and placed in another system. Which control is the best fit?

A.Require a screen lock after five minutes of inactivity.
B.Enable full-disk encryption with a hardware-backed key store such as a TPM, preferably with a pre-boot PIN.
C.Encrypt only the most sensitive folders with file-level encryption.
D.Rely on remote wipe because the device will usually connect to the internet again.
AnswerB

Full-disk encryption protects data at rest, and hardware-backed keys prevent the drive from being read outside the original device.

Why this answer

Full-disk encryption (FDE) with a hardware-backed key store like a TPM ensures that the entire disk contents are encrypted at rest. Even if the drive is removed and placed in another system, the decryption key remains bound to the original TPM, and a pre-boot PIN adds an additional authentication factor, making the data unreadable without both the TPM and the correct PIN.

Exam trap

The trap here is that candidates often choose remote wipe (Option D) because it sounds proactive, but they overlook the critical requirement that the device must be online for remote wipe to work, which is not guaranteed for a stolen laptop that may never connect to the internet.

How to eliminate wrong answers

Option A is wrong because a screen lock after five minutes of inactivity only protects the device while it is locked; it does not encrypt the disk, so if the drive is removed and placed in another system, the data is fully readable. Option C is wrong because file-level encryption only protects specific folders, leaving other areas of the disk (e.g., system files, temp files, and unencrypted user data) exposed when the drive is removed. Option D is wrong because remote wipe relies on the device connecting to the internet; if the laptop is stolen and never reconnects, or if the thief immediately removes the drive, the wipe command cannot execute, leaving the data accessible.

698
Multi-Selecthard

An organization stores full payment card numbers, analysts need the last four digits for investigation, and the backup team is worried about ransomware and stolen backup media. Which three controls best address these requirements? Select three.

Select 3 answers
A.Tokenize primary account numbers before they reach analytics, reporting, or test systems.
B.Store backups on the same production storage array to simplify restore operations.
C.Encrypt backup sets with keys managed outside the backup repository itself.
D.Use simple masking only in spreadsheets while leaving the source database unchanged.
E.Keep one immutable or air-gapped backup copy to resist ransomware and theft.
AnswersA, C, E

Tokenization replaces sensitive values with nonusable substitutes while preserving business usefulness for many workflows. Analysts can still correlate records, but exposed reports and test data no longer reveal the true card number. This is especially valuable for payment data because it reduces the number of environments that ever handle the actual secret value.

Why this answer

Tokenization replaces the full primary account number (PAN) with a unique token that retains the last four digits for analytics, so analysts can perform investigations without exposing sensitive cardholder data. This directly satisfies PCI DSS requirements for minimizing the use of full PANs in non-production environments, while preserving the utility needed for fraud analysis or reporting.

Exam trap

The trap here is that candidates often confuse tokenization with masking or encryption, assuming any obfuscation technique is sufficient, but tokenization is the only option that irreversibly removes the full PAN from analytics systems while preserving the last four digits for investigation.

699
MCQmedium

A security manager issues a mandatory document that requires all corporate laptops to use full-disk encryption, automatic screen lock after 10 minutes, and approved endpoint protection software. The document will be checked during compliance reviews. Which governance artifact is this?

A.Policy
B.Standard
C.Procedure
D.Guideline
AnswerB

A standard defines mandatory, measurable requirements such as required encryption, timeout values, and approved tools.

Why this answer

The document is mandatory, is enforced through compliance reviews, and spells out specific, measurable requirements: full-disk encryption (e.g., AES-256), a 10-minute screen lock timeout, and approved endpoint protection software. That level of technical specificity is what distinguishes a standard from a policy, which is a high-level directive that sets the organization's security stance without naming exact settings. It is not a procedure or guideline either, since it gives no step-by-step instructions and its requirements are not optional.

Exam trap

The trap here is confusing a policy (high-level mandate) with a standard (specific mandatory technical baseline), as many candidates assume any mandatory document is automatically a policy, but the level of detail (e.g., exact timeout values, encryption type) indicates a standard.

How to eliminate wrong answers

Option A is wrong because a policy is a high-level mandatory directive, but the question describes a document that mandates specific technical controls (full-disk encryption, screen lock timeout, endpoint protection), which is more prescriptive than a typical policy. Option C is wrong because a procedure provides step-by-step instructions on how to implement a control, not a mandatory requirement for what controls must be in place. Option D is wrong because a guideline offers recommendations or best practices that are not mandatory, whereas this document is explicitly mandatory and checked during compliance reviews.

700
Multi-Selecthard

A packet capture from a branch office shows the default gateway IP mapped to a MAC address that does not belong to the router. The same suspicious MAC also answers for the DNS server IP, and gratuitous ARP replies appear every 30 seconds. Which two attacks best match this evidence? Select two.

Select 2 answers
A.ARP spoofing or poisoning is occurring on the local network.
B.A man-in-the-middle interception is likely happening between clients and internal services.
C.The network is experiencing a SYN flood against the gateway.
D.An external host is performing broad port scanning on public services.
E.A password-spraying campaign is targeting remote logins.
AnswersA, B

The evidence fits ARP poisoning because an unauthorized MAC address is associating itself with trusted IP addresses such as the gateway and DNS server. Gratuitous ARP replies reinforce the cache manipulation and allow the attacker to redirect traffic at layer 2. This is the classic setup for a local network spoofing attack.

Why this answer

Option A is correct because the evidence shows the default gateway IP is mapped to a MAC address that does not belong to the router, and the same suspicious MAC also answers for the DNS server IP. This is a classic indicator of ARP spoofing or poisoning, where an attacker sends forged ARP replies to associate their MAC address with the IP addresses of critical network devices, such as the gateway and DNS server. Gratuitous ARP replies every 30 seconds further confirm an active ARP poisoning attack, as the attacker repeatedly broadcasts these unsolicited replies to maintain the poisoned ARP cache entries on victim hosts.

Exam trap

The trap here is that candidates may confuse ARP spoofing with a SYN flood or other denial-of-service attacks, failing to recognize that the specific evidence of a mismatched MAC address and gratuitous ARP replies directly points to ARP cache poisoning, not a network-level flood.
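The evidence in question 700 turned into detection logic over a constructed ARP capture, added here as an example (not code from the question bank). The trusted IP-to-MAC table, the rogue MAC, the sample replies and the thresholds are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as decoded from a capture (constructed fields, not a real packet)."""
    ts: float          # seconds since the start of the capture
    sender_ip: str     # IP address the sender claims to own
    sender_mac: str    # hardware address asserted for that IP
    target_ip: str     # equals sender_ip for a gratuitous reply


# Assumed authoritative mappings for the branch gateway and DNS server (hypothetical values;
# in practice taken from a known-good capture, the switch's tables or an asset inventory).
TRUSTED = {
    "10.0.0.1": "00:11:22:aa:bb:01",
    "10.0.0.53": "00:11:22:aa:bb:53",
}

ATTACKER_MAC = "0c:0c:0c:0c:0c:0c"  # constructed rogue address used in the sample capture

# Constructed sample capture: a legitimate gateway reply, a one-off gratuitous ARP from a
# host that just booted, and a rogue MAC claiming both trusted IPs every 30 seconds.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "00:11:22:aa:bb:01", "10.0.0.25"),
    ArpReply(1.0, "10.0.0.25", "00:11:22:aa:bb:25", "10.0.0.25"),
] + [
    ArpReply(t, ip, ATTACKER_MAC, ip)
    for t in (5.0, 35.0, 65.0, 95.0)
    for ip in ("10.0.0.1", "10.0.0.53")
]


def analyze_arp(replies, trusted, gratuitous_threshold=3):
    """Return findings for the three signs in the question: a trusted IP answered by an
    unexpected MAC, one MAC claiming several IPs, and repeated gratuitous replies for the
    same IP at a steady interval."""
    findings = []
    mismatches_seen = set()
    ips_by_mac = defaultdict(set)
    gratuitous = defaultdict(list)  # (mac, ip) -> timestamps of gratuitous replies

    for r in replies:
        mac = r.sender_mac.lower()
        expected = trusted.get(r.sender_ip)
        if expected is not None and mac != expected.lower() and (r.sender_ip, mac) not in mismatches_seen:
            mismatches_seen.add((r.sender_ip, mac))  # report each rogue pairing once, not per packet
            findings.append(("mac_mismatch", r.sender_ip, mac))
        ips_by_mac[mac].add(r.sender_ip)
        if r.sender_ip == r.target_ip:
            gratuitous[(mac, r.sender_ip)].append(r.ts)

    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("mac_claims_multiple_ips", mac, tuple(sorted(ips))))

    for (mac, ip), stamps in gratuitous.items():
        # A single gratuitous ARP at boot is normal; a steady stream re-poisoning caches is not.
        if len(stamps) >= gratuitous_threshold:
            stamps = sorted(stamps)
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            findings.append(("periodic_gratuitous_arp", mac, ip, round(sum(gaps) / len(gaps), 1)))
    return findings


if __name__ == "__main__":
    for finding in analyze_arp(SAMPLE_REPLIES, TRUSTED):
        print(finding)
```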

701
MCQmedium

After seizing a suspected insider's laptop, a responder makes a bit-for-bit image of the drive. The legal team asks what step most directly proves the image was not altered after acquisition. What should be done?

A.Record the laptop's hostname and the user who last logged in.
B.Compute and document cryptographic hashes of the source media and the forensic image.
C.Copy the most recent files to a USB drive for quick review.
D.Return the laptop to the user once the image is saved.
AnswerB

Matching hashes provide strong integrity verification and are a standard way to show the acquired evidence has not changed.

Why this answer

Option B is correct because computing and documenting cryptographic hashes (e.g., SHA-256 or MD5) of both the source media and the forensic image immediately after acquisition creates a verifiable digital fingerprint. If the hash values match, it proves that the image is an exact, unaltered copy of the original drive. This step is foundational to maintaining the chain of custody and ensuring data integrity in forensic investigations.

Exam trap

The trap here is that candidates may confuse documentation steps (like recording hostnames) with integrity verification, or think that copying files to a USB drive is a valid forensic preservation method, when only cryptographic hashing provides mathematical proof of non-alteration.

How to eliminate wrong answers

Option A is wrong because recording the hostname and last logged-in user is part of documentation but does not provide any cryptographic verification that the image was not altered after acquisition. Option C is wrong because copying the most recent files to a USB drive for quick review introduces a separate copy that is not a bit-for-bit duplicate and does not prove the integrity of the original forensic image. Option D is wrong because returning the laptop to the user after imaging violates chain of custody and could allow tampering with the original evidence, but it does not directly prove the image was unaltered.

702
MCQeasy

An HR assistant should be able to view employee records, but should not have access to payroll administration or IT server tools. Which access model is best for assigning permissions by job role?

A.Role-based access control
B.Shared local administrator accounts
C.Open access for all employees
D.Biometric authentication
AnswerA

RBAC assigns permissions based on job functions, which fits users like HR assistants very well.

Why this answer

Role-based access control (RBAC) is the correct model because it assigns permissions based on job functions rather than individual users. In this scenario, the HR assistant role would be granted read/write access to employee records, while being explicitly denied access to payroll administration and IT server tools, ensuring least privilege and separation of duties. RBAC simplifies administration by grouping permissions into roles, which can be easily assigned or revoked as job responsibilities change.

Exam trap

The trap here is that candidates confuse authentication (biometrics) with authorization (access control), or assume that shared accounts or open access can be secured by policy alone, ignoring the fundamental need for role-based permission segregation.

How to eliminate wrong answers

Option B is wrong because shared local administrator accounts provide unrestricted access to all system resources with no individual accountability (actions cannot be attributed to one person, so non-repudiation is lost), which violates the principle of least privilege and would grant the HR assistant full control over payroll and IT tools. Option C is wrong because open access for all employees would allow every user, including the HR assistant, to view and modify payroll and IT server data, directly contradicting the requirement to restrict access. Option D is wrong because biometric authentication is an identity verification method (something you are), not an authorization model; it controls who logs in, not what permissions they have after authentication.

703
MCQmedium

Threat intelligence reports that an adversary changes domains daily and uses disposable cloud hosting, but the malware binary hash and a unique mutex name remain unchanged across incidents. Which indicator is the best candidate for immediate detection rule creation?

A.The daily domain names, because they are the easiest items to collect.
B.The malware file hash, because it directly identifies the reused sample.
C.The cloud provider name, because the attacker uses disposable infrastructure.
D.The time of day the campaign was observed, because the attacker is consistent.
AnswerB

The file hash is the strongest immediate IOC here because the same malware sample is being reused across incidents. If the binary remains unchanged, the hash will match exactly and can be used for fast blocking or hunting. Volatile infrastructure such as domains and cloud hosting changes too frequently to serve as the primary detection point.

Why this answer

Option B is correct because the malware file hash (e.g., SHA-256) provides a static, deterministic identifier for the exact binary sample. Since the adversary reuses the same malware binary across incidents, the hash remains unchanged and can be used to create a precise detection rule (e.g., a YARA rule or hash-based IOC blocklist) that will reliably match the malicious file regardless of network-level churn like domain or IP changes.

Exam trap

The trap here is that candidates often choose the 'easiest' or most visible indicator (domain names) without considering stability and false-positive risk, whereas the exam tests the principle that static, unique artifacts (like file hashes) are superior for detection rule creation.

How to eliminate wrong answers

Option A is wrong because daily domain names are highly volatile and ephemeral; they change every 24 hours, making them poor candidates for a stable detection rule and requiring constant updates. Option C is wrong because the cloud provider name (e.g., AWS, Azure, GCP) is a generic attribute shared by millions of legitimate services; using it as a detection indicator would cause massive false positives and does not uniquely identify the adversary's infrastructure. Option D is wrong because the time of day the campaign was observed is not a reliable or unique indicator; attackers can easily shift their activity window, and time-based rules lack specificity and are prone to false positives.

704
MCQhard

A Windows file server was built from a gold image, but six months later a scan shows Remote Desktop enabled, SMBv1 re-enabled, and Print Spooler running. The same drift appears on several other servers after emergency troubleshooting. Security wants to return the environment to the approved baseline and prevent the changes from coming back. What is the best solution?

A.Document the deviations and rely on manual checks after each maintenance window
B.Deploy configuration management that enforces the hardened baseline continuously
C.Run a vulnerability scan more often and close the findings in the ticketing system
D.Increase storage capacity so the image can be rebuilt faster next time
AnswerB

Continuous configuration management is the best answer because it can reapply the approved baseline and correct drift across many systems automatically. This approach does more than detect the problem; it helps prevent the same insecure settings from persisting after troubleshooting or emergency changes. It is the most effective way to standardize hardening at scale and keep the environment aligned to policy.

Why this answer

Configuration management tools like Ansible, DSC, or Group Policy can continuously enforce a hardened baseline by reverting unauthorized changes (e.g., disabling SMBv1, stopping Print Spooler, disabling RDP) at a defined interval or on a trigger. This prevents configuration drift without relying on manual intervention or reactive scanning, directly addressing the root cause of the problem.

Exam trap

The trap here is that candidates confuse reactive vulnerability scanning (Option C) with proactive configuration enforcement, or mistakenly think manual documentation (Option A) or faster rebuilds (Option D) address the continuous drift problem.

How to eliminate wrong answers

Option A is wrong because documenting deviations and relying on manual checks is reactive and does not prevent drift from recurring, especially after emergency troubleshooting. Option C is wrong because running vulnerability scans more often only detects drift after it occurs, and closing findings in a ticketing system does not enforce the baseline or prevent re-enabling of services. Option D is wrong because increasing storage capacity to rebuild images faster does not prevent configuration drift; it only reduces recovery time after a rebuild, which is not a proactive solution.

705
MCQmedium

A help desk analyst receives a phone call from someone claiming to be the CFO, who says their phone was lost while traveling and requests an immediate MFA reset and temporary bypass for payroll access. The caller knows the CFO's last name and the company name, but cannot answer the callback verification question. What attack technique is most likely being used?

A.Phishing
B.Vishing
C.Baiting
D.Watering hole attack
AnswerB

Vishing is voice-based social engineering over a phone call. The attacker is using urgency, authority, and a fabricated story to pressure the analyst into changing authentication controls.

Why this answer

The caller is using voice communication to impersonate a high-level executive (CFO) and manipulate the help desk analyst into bypassing security controls, which is the defining characteristic of vishing (voice phishing). The request for an MFA reset and temporary bypass is a social engineering tactic to exploit the analyst's authority bias and urgency, and the inability to pass callback verification confirms the caller is not legitimate.

Exam trap

The trap here is that candidates may confuse vishing with phishing because both involve social engineering, but vishing is specifically voice-based, and the question's context of a phone call and callback verification failure directly points to vishing, not email-based phishing.

How to eliminate wrong answers

Option A (Phishing) is wrong because phishing typically involves deceptive emails, text messages, or websites to steal credentials or deliver malware, not a direct phone call requesting an MFA bypass. Option C (Baiting) is wrong because baiting relies on offering something enticing (e.g., a free USB drive or download) to trick a victim into performing an action, not impersonating an executive over the phone. Option D (Watering hole attack) is wrong because it compromises a website frequently visited by the target group to infect them with malware, not a direct social engineering call to a help desk.

706
Multi-Selecteasy

A small company can only remediate two findings this week. Which two should be fixed first based on risk to the business? Select two.

Select 2 answers
A.An internet-facing VPN appliance with a critical vulnerability and a public exploit
B.An internal training VM used by one student with a medium vulnerability and no sensitive data
C.A production print server that still uses the default administrator password and is accessible to finance users
D.A discontinued server already removed from the network but still listed in inventory
E.A low-severity cosmetic issue on a noncritical dashboard page
AnswersA, C

An exposed system with a known exploit creates both high likelihood and high impact, so it should be handled immediately.

Why this answer

Option A is correct because an internet-facing VPN appliance with a critical vulnerability and a public exploit represents an immediate, high-impact risk. Attackers can leverage the public exploit to gain unauthorized remote access to the internal network, potentially compromising all connected systems and data. The combination of internet exposure and known exploit makes this the highest priority for remediation.

Exam trap

The trap here is that candidates may prioritize based on severity alone (e.g., medium vs. critical) without considering exposure and business context, or they may mistakenly think a decommissioned server still poses a risk when it is already offline.

707
MCQmedium

A security analyst is reviewing the results of a dynamic application security test (DAST) on a new e-commerce application. The report indicates that the application's product search functionality is vulnerable to blind SQL injection. The analyst is tasked with recommending a remediation to the development team. The developers currently concatenate user input directly into SQL queries. Which of the following recommendations would most effectively and permanently mitigate this vulnerability?

A.Implement a web application firewall (WAF) rule to block suspicious SQL keywords in search parameters.
B.Sanitize user input by escaping single quotes and other special characters before concatenation.
C.Replace dynamic SQL queries with parameterized prepared statements.
D.Encode all user input using HTML entity encoding before database operations.
AnswerC

Parameterized prepared statements ensure that user input is always treated as data, not executable code. The database compiles the SQL statement with parameter placeholders, and the actual values are bound separately. This completely prevents SQL injection because the input cannot alter the query structure. This is the industry-standard permanent fix.

Why this answer

Option C is correct because parameterized prepared statements separate SQL logic from user input, ensuring that input is always treated as data, not executable code. This permanently prevents SQL injection by design, regardless of the input content, unlike input filtering or WAF rules which can be bypassed.

Exam trap

The trap here is that candidates often choose input sanitization (Option B) because they confuse escaping with parameterization. Escaping is a fragile, context-dependent workaround: it does nothing when the input lands in a numeric context that has no quotes to escape, it can be defeated by character-set mismatches (multi-byte attacks), and it does not protect against second-order injection, where data that was stored safely is later concatenated into a new query.

How to eliminate wrong answers

Option A is wrong because a WAF rule that blocks suspicious SQL keywords is a reactive, bypassable control; attackers can encode or obfuscate payloads to evade pattern matching. Option B is wrong because escaping special characters is error-prone and insufficient; it does not prevent second-order injection or attacks that exploit character set mismatches. Option D is wrong because HTML entity encoding is designed for output encoding to prevent XSS, not for SQL query construction; it does not alter how the database interprets the input.
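As an added example (not code from the original question bank), the remediation choices side by side using Python's built-in sqlite3 module on a constructed product table: string concatenation, quote escaping, and a parameterized query. It goes one step beyond the question to show why escaping also fails in a numeric context, where there are no quotes to escape. The table, sample rows and payloads are all constructed for the demonstration.

```python
import sqlite3

# Constructed catalogue: one row is unpublished and must never appear in search results.
PRODUCTS = [
    (1, "red widget", 9.99, 1),
    (2, "blue widget", 12.50, 1),
    (3, "unreleased gadget", 99.00, 0),
]


def make_db():
    """Build an in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    """The pattern from the question: user input becomes part of the SQL text."""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_escaped(conn, term):
    """Option B: doubling single quotes. Blocks this payload, but only because
    the input happens to sit inside a quoted string literal."""
    safe = term.replace("'", "''")
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE '%" + safe + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Option C: the statement is compiled with a placeholder and the value is
    bound separately, so it can never change the query structure."""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def product_by_id_escaped(conn, raw_id):
    """Numeric context: there is no quote to escape, so escaping changes nothing."""
    safe = raw_id.replace("'", "''")
    return [row[0] for row in conn.execute("SELECT name FROM products WHERE id = " + safe)]


def product_by_id_parameterized(conn, raw_id):
    """Same lookup with a bound parameter: '3 OR 1=1' is compared as a value, not parsed."""
    return [row[0] for row in conn.execute("SELECT name FROM products WHERE id = ?", (raw_id,))]
```

The payload `' OR 1=1 --` turns the concatenated query into `... LIKE '%' OR 1=1 --%'`, which returns every row including the unpublished one; the escaped and parameterized versions return nothing for it. For the id lookup, `3 OR 1=1` contains no quote at all, so the escaped version still returns every row while the parameterized version returns none.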

708
MCQmedium

A public-facing web service suddenly becomes very slow. NetFlow shows a high volume of small DNS queries leaving attacker-controlled systems and much larger DNS responses arriving at the victim's IP address from many different resolvers. Which attack is taking place?

A.DNS amplification DDoS
B.Replay attack
C.ARP poisoning
D.Session fixation
AnswerA

DNS amplification uses small spoofed queries to elicit much larger responses toward the victim.

Why this answer

This is a DNS amplification DDoS attack. The attacker sends small DNS queries with a spoofed source IP (the victim's IP) to open DNS resolvers, which then send large DNS responses to the victim. The high volume of small queries and much larger responses from many resolvers is the classic signature of an amplification attack, exploiting the UDP protocol's lack of source verification.

Exam trap

The trap here is that candidates may see the high volume of DNS traffic and answer "DNS flood". Amplification is a reflection attack (spoofed queries bounce off third-party resolvers) with the added property that each small query elicits a much larger response; the ratio of response size to query size is what separates it from a plain volumetric flood, and "amplification DDoS" is the most specific answer offered.

How to eliminate wrong answers

Option B is wrong because a replay attack involves capturing and retransmitting valid network traffic (e.g., authentication packets) to impersonate a user or gain unauthorized access, not generating high-volume DNS traffic from multiple resolvers. Option C is wrong because ARP poisoning is a local network attack that manipulates ARP tables to intercept traffic on a LAN, not a distributed attack using DNS queries and responses across the internet. Option D is wrong because session fixation is a web application attack in which the attacker plants a known session identifier on the victim before they authenticate; it has nothing to do with traffic volume.
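An added example (not from the original page) of the detection logic a SOC could run over flow records to confirm the pattern in the question: DNS queries attributed to the victim's address are paired, per resolver, with the responses delivered to the victim, and an amplification factor is computed for each resolver. The addresses, byte counts and thresholds are constructed for the demonstration; real exports carry more fields and the thresholds need tuning.

```python
from collections import defaultdict

# Constructed NetFlow-style records. The collector is assumed to see both the
# spoofed queries (source forged to the victim) and the resolver responses.
VICTIM = "203.0.113.10"                                        # constructed
OPEN_RESOLVERS = ["198.51.100.%d" % i for i in range(1, 6)]    # constructed


def _flow(src, dst, proto, sport, dport, pkts, avg_bytes):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "pkts": pkts, "bytes": pkts * avg_bytes}


FLOWS = []
for r in OPEN_RESOLVERS:
    FLOWS.append(_flow(VICTIM, r, "udp", 40000, 53, 500, 60))     # ~60-byte spoofed queries
    FLOWS.append(_flow(r, VICTIM, "udp", 53, 40000, 500, 3200))   # ~3200-byte responses
FLOWS.append(_flow(VICTIM, "10.0.0.53", "udp", 51234, 53, 20, 80))    # legitimate lookups
FLOWS.append(_flow("10.0.0.53", VICTIM, "udp", 53, 51234, 20, 200))   # normal-sized answers
FLOWS.append(_flow("192.0.2.7", VICTIM, "tcp", 51000, 443, 12, 420))  # unrelated HTTPS


def analyze_dns_flows(flows, victim, min_factor=10.0, min_avg_response=1000, min_resolvers=3):
    """Flag resolvers whose DNS responses to the victim dwarf the queries that
    supposedly came from it. A resolver with responses but no visible queries
    (the view from the victim's own edge, where spoofed queries are never seen)
    gets an infinite factor and is flagged as unsolicited."""
    per = defaultdict(lambda: {"q_bytes": 0, "q_pkts": 0, "r_bytes": 0, "r_pkts": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["src"] == victim and f["dport"] == 53:       # query attributed to the victim
            per[f["dst"]]["q_bytes"] += f["bytes"]
            per[f["dst"]]["q_pkts"] += f["pkts"]
        elif f["dst"] == victim and f["sport"] == 53:     # response delivered to the victim
            per[f["src"]]["r_bytes"] += f["bytes"]
            per[f["src"]]["r_pkts"] += f["pkts"]

    suspects, inbound = [], 0
    for resolver, c in per.items():
        inbound += c["r_bytes"]
        if c["r_pkts"] == 0:
            continue
        avg_resp = c["r_bytes"] / c["r_pkts"]
        factor = c["r_bytes"] / c["q_bytes"] if c["q_bytes"] else float("inf")
        if factor >= min_factor and avg_resp >= min_avg_response:
            suspects.append({"resolver": resolver, "factor": round(factor, 1),
                             "avg_response_bytes": int(avg_resp)})
    return {
        "inbound_dns_bytes": inbound,
        "suspect_resolvers": suspects,
        "amplification_attack": len(suspects) >= min_resolvers,
    }
```

On the constructed data each open resolver shows a factor of about 53 with 3200-byte average responses, while the victim's own resolver shows a factor of 2.5 and is left alone. The practical response is upstream: rate-limit or filter inbound UDP/53 at the provider, and for the operators of the reflectors, close open recursion and enable response rate limiting.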

709
MCQeasy

A user's laptop starts renaming many documents, and a ransom note appears on the desktop. What is the best immediate action for the help desk to recommend?

A.Shut down the laptop immediately and leave it on the desk.
B.Disconnect the laptop from the network to contain the infection.
C.Delete the ransom note and continue working until the next reboot.
D.Install a new browser extension to block the attacker.
AnswerB

Removing network access helps prevent the malware from reaching file shares, backup systems, or other hosts while preserving the running state for later analysis.

Why this answer

Disconnecting the laptop from the network immediately stops the ransomware from communicating with its command-and-control (C2) server, preventing further encryption of network shares and lateral movement. This containment step is critical before any remediation, as it isolates the threat and preserves evidence for forensic analysis.

Exam trap

The trap here is that candidates confuse immediate containment with system shutdown, mistakenly believing that powering off stops the attack, when in fact network isolation is the correct first step to halt both encryption and lateral spread.

How to eliminate wrong answers

Option A is wrong because an abrupt shutdown destroys volatile evidence (memory-resident encryption keys, the running process list and active network connections that may identify the strain) while achieving nothing for containment that network isolation does not; the local files are already being encrypted, and an interrupted write can leave the disk harder to recover. Option C is wrong because deleting the ransom note does not stop the encryption process; the ransomware continues to encrypt files in the background, and working normally risks further damage and potential spread to network resources. Option D is wrong because installing a browser extension does not address the active ransomware infection; it is an irrelevant and potentially harmful action that could introduce additional vulnerabilities.

710
MCQhard

Based on the exhibit, what should the security team add before approving the vendor's requested change?

A.A broader employee awareness training requirement for the vendor's staff.
B.A contract clause requiring prior written approval for new subprocessors and flow-down security obligations.
C.A larger cyber insurance policy to cover possible losses if the vendor is breached.
D.A request for the vendor to send monthly screenshots of its backup jobs.
AnswerB

This is the strongest control because the risk comes from an unapproved change in the supply chain. Prior approval gives the customer visibility into who will process the data, and flow-down obligations ensure the subcontractor must meet the same security requirements. That directly addresses third-party risk, unlike insurance or generic training.

Why this answer

The exhibit shows the vendor requesting a change to use a new subprocessor for data storage. The security team must ensure that the vendor's contract includes a clause requiring prior written approval for new subprocessors and that security obligations flow down to them. This directly addresses the risk of unauthorized data handling by third parties, which is a key concern in vendor risk management.

Exam trap

CompTIA often tests the distinction between reactive controls (like insurance or monitoring) and proactive contractual controls (like approval clauses) in vendor change management scenarios, leading candidates to pick a monitoring or financial solution instead of the correct governance measure.

How to eliminate wrong answers

Option A is wrong because broader employee awareness training for the vendor's staff does not address the specific risk of a new subprocessor being introduced without oversight; training is a general control, not a contractual safeguard for subprocessor changes. Option C is wrong because a larger cyber insurance policy covers financial losses after a breach but does not prevent the unauthorized use of a subprocessor or enforce security obligations proactively. Option D is wrong because monthly screenshots of backup jobs provide only a point-in-time verification of backups, not a mechanism to control or approve changes to subprocessors or ensure security requirements are met.

711
MCQmedium

A SOC analyst receives an alert from the VPN appliance and identity platform. In the last 10 minutes, a user account had 14 failed VPN logons from one country, then one successful login from a different country. The user calls the help desk and says they have not used their account today. What should the analyst do first?

A.Block the foreign IP address at the firewall and wait for more alerts before acting.
B.Disable the user account and revoke active sessions or tokens while escalating the event as a suspected account compromise.
C.Reset the user password and close the alert because the new password will stop the attack.
D.Reimage the user’s laptop immediately to remove any possible malware before taking other steps.
AnswerB

The successful login after repeated failures, combined with the user’s confirmation that they were not active, strongly suggests compromise. The fastest effective containment is to disable the account and invalidate existing sessions or tokens so the attacker cannot continue using stolen credentials. This preserves the ability to investigate while stopping ongoing access. It is a stronger first action than a password reset alone, which may leave active tokens usable.

Why this answer

Option B is correct because the combination of multiple failed logins from one country followed by a successful login from a different country, combined with the user's denial of activity, is a classic indicator of account compromise by password spraying, credential stuffing or brute-force guessing that eventually succeeded. Disabling the account and revoking active sessions and tokens immediately stops the attacker's access, preventing further lateral movement or data exfiltration, while escalation ensures proper incident response. This aligns with the CompTIA incident response process: identification, containment, eradication, and recovery.

Exam trap

The trap here is that candidates may think resetting the password (Option C) is sufficient, but they overlook that active sessions and tokens must be explicitly revoked to fully contain the compromise, as per CompTIA's emphasis on session management in incident response.

How to eliminate wrong answers

Option A is wrong because blocking the foreign IP address alone is insufficient—the attacker may use multiple IPs or proxies, and waiting for more alerts delays containment, allowing the attacker to continue malicious activity. Option C is wrong because resetting the password without revoking active sessions or tokens leaves existing authenticated sessions intact; the attacker could still use a stolen session token or OAuth refresh token to maintain access. Option D is wrong because reimaging the laptop is premature and unnecessary—the compromise is likely credential-based, not malware-based, and the user's laptop may not be involved; this wastes time and resources before proper investigation.

712
MCQmedium

A user reports that a shared department drive is rapidly renaming files and creating ransom notes on a Windows file server. The SOC confirms suspicious activity is still occurring on that server. What should the incident responder do first?

A.Shut down the server immediately to stop all malicious activity.
B.Isolate the server from the network while keeping it powered on if possible.
C.Restore the drive from backup before collecting any evidence.
D.Inform users to continue working until the forensic team arrives.
AnswerB

Network isolation contains the spread while preserving memory and other volatile evidence for analysis.

Why this answer

Option B is correct because the immediate priority is to contain the ransomware outbreak by isolating the server from the network, which stops the malicious activity from spreading to other systems while preserving volatile evidence (e.g., running processes, memory contents) for forensic analysis. Powering off the server (Option A) would destroy this evidence, including any in-memory key material that could aid recovery, without adding anything to containment that isolation does not already provide. Isolation via network disconnection (e.g., disabling the NIC, shutting the switch port, or triggering the EDR agent's isolation function) is the standard first step in incident response for active ransomware.

Exam trap

The trap here is that candidates assume immediate shutdown (Option A) is the safest action, but CompTIA emphasizes containment without destroying evidence, making network isolation the correct first step in active ransomware incidents.

How to eliminate wrong answers

Option A is wrong because shutting down the server immediately destroys volatile evidence (e.g., memory-resident malware, in-memory keys, active network connections), and the encryption routine keeps running through the shutdown sequence, so files continue to be lost while the server powers down; some strains also re-launch at boot, so the shutdown buys nothing that isolation does not. Option C is wrong because restoring from backup before collecting evidence can overwrite forensic artifacts and may reintroduce the vulnerability if the root cause is not identified. Option D is wrong because informing users to continue working risks further data loss and lateral movement of the ransomware across the network.

713
MCQmedium

After a successful phishing attempt, the security team adds MFA, email sandboxing, endpoint isolation, and immutable backups so that one failed safeguard does not expose the company. Which principle does this best illustrate?

A.Defense in depth
B.Need-to-know
C.Availability
D.Compensating control
AnswerA

Multiple layered controls are added so that if one control fails, other controls still reduce the risk.

Why this answer

Defense in depth is the best fit because the organization is using several independent safeguards across different layers: user authentication, email inspection, endpoint containment, and backup recovery. The idea is that a single compromise, such as one successful phishing email, should not lead directly to full compromise. Security+ expects you to recognize layered protection as a strategy, not just list individual tools.

Why others are wrong: Need-to-know concerns restricting information to only those who require it for their job. Availability is one of the CIA triad objectives, but it is not a layered security strategy. Compensating control refers to an alternative measure used because the preferred control is unavailable or impractical; here the organization is not replacing one missing control, but strengthening multiple defenses at once.

714
Matchingmedium

Match each security monitoring artifact from the SOC alert queue to the best investigation focus.


Concepts
Matches

Investigate possible script-based malware execution launched through a document

Check for suspicious domain lookups that may indicate command-and-control activity

Look for beaconing behavior from a potentially compromised endpoint

Assess for stolen credentials or credential-stuffing activity

Why these pairings

Each alert type suggests a specific investigation focus: phishing requires email analysis; malware needs file/behavior analysis; brute force focuses on auth logs; data exfiltration looks at outbound traffic; privileged misuse examines user activity; ransomware involves encryption events.

715
MCQmedium

A digital forensics analyst is investigating a suspected insider threat. The analyst has acquired a laptop used by the suspect. The analyst needs to obtain a forensic image of the hard drive without altering any data. The laptop is running and logged into the suspect's user account. Which of the following is the most appropriate first step for the analyst to take?

A.Pull the power cord from the laptop to immediately shut down the system and prevent any further system writes.
B.Boot the laptop from a forensic boot CD that loads a write-blocker driver and then create a forensic image.
C.Perform a live acquisition of the hard drive using a network forensic tool while the system is still running.
D.Ask the suspect to log off and shut down the laptop normally, then remove the hard drive and image it using a write-blocker.
AnswerA

This is correct because powering off by unplugging immediately stops the operating system from writing any additional data to the hard drive, preserving the current state. After the system is off, the analyst can safely remove the drive and image it using a hardware write-blocker. Two checks a practitioner should make before pulling the plug: whether full-disk encryption (e.g., BitLocker or FileVault) is enabled, because the disk becomes unreadable once the keys leave memory unless the recovery key is on hand, and whether any volatile data (running processes, network connections, mounted encrypted volumes) matters to the case, in which case a memory capture is taken first. Neither changes the answer here, where the stated goal is an unaltered disk image.

Why this answer

Option A is correct because immediately removing power (hard shutdown) stops all system writes and preserves the current state of the hard drive without any further changes. This is critical in forensic acquisition to maintain data integrity and avoid altering evidence, especially when the system is logged in and actively writing to the disk.

Exam trap

The trap here is that candidates often choose live acquisition (Option C) thinking it preserves volatile data, but the question specifically asks for a forensic image of the hard drive without altering data, and removing power is what stops further writes to the disk. The order of volatility applies when memory is the evidence being sought, which this question does not ask for.

How to eliminate wrong answers

Option B is wrong because booting from a forensic CD requires a reboot, and the shutdown and restart that precede it alter the system state (page files, logs and registry hives are written) and discard volatile evidence, violating forensic best practice. Option C is wrong because performing a live acquisition while the system is running risks modifying the disk (e.g., file system metadata updates, journal writes, and background processes) and may not capture a bit-for-bit accurate image due to active writes during the acquisition process. Option D is wrong because a normal shutdown flushes caches, updates logs, registry hives and the pagefile, and may run scheduled cleanup, all of which change the disk; it also gives the suspect a moment of control over the machine.

716
MCQeasy

An HR department wants each employee to access only the systems required for their job. A new hire should receive the same permissions as other HR specialists, and changes to the role should update access centrally. Which access model should be used?

A.Role-based access control (RBAC)
B.Attribute-based access control (ABAC)
C.Multi-factor authentication (MFA)
D.Privileged access management (PAM)
AnswerA

RBAC assigns permissions to job roles, which makes onboarding and access changes easier to manage centrally.

Why this answer

Role-based access control (RBAC) is the correct model because it assigns permissions based on job roles (e.g., HR specialist), ensuring that a new hire automatically inherits the same access as others in that role. Centralized role management allows changes to the role's permissions to propagate to all members, meeting the requirement for centralized updates.

Exam trap

The trap here is that candidates often confuse ABAC with RBAC because both can use attributes, but RBAC relies on static role assignments, whereas ABAC evaluates dynamic attributes at runtime, making RBAC the correct choice for role-based inheritance and centralized updates.

How to eliminate wrong answers

Option B (ABAC) is wrong because it evaluates access based on attributes (e.g., time, location, department) rather than a predefined role, which would require complex policy rules for each user and does not inherently support role-based inheritance. Option C (MFA) is wrong because it is an authentication mechanism, not an access control model; it verifies identity but does not define what resources a user can access. Option D (PAM) is wrong because it is designed to manage and monitor privileged accounts (e.g., administrators), not to assign standard user permissions based on job roles.

717
MCQmedium

A security analyst receives a phone call from an individual claiming to be a member of the IT help desk. The caller states that an emergency security update requires the analyst's password immediately, and the request sounds urgent. The analyst notices the caller's voice is unfamiliar and the background noise is inconsistent with an office environment. Which type of social engineering attack is being attempted?

A.Phishing
B.Vishing
C.Spear phishing
D.Pretexting
AnswerB

Vishing (voice phishing) is the correct answer because the attack uses a phone call to impersonate a legitimate entity and trick the victim into providing sensitive information, such as a password. Manufactured urgency and impersonation of a trusted internal team are common vishing tactics; a legitimate help desk never needs a user's password.

Why this answer

This is a vishing (voice phishing) attack because the threat actor uses a phone call to impersonate IT help desk personnel and pressures the analyst into disclosing sensitive credentials. Vishing specifically leverages voice communication to bypass email-based security controls and exploit human trust through urgency and authority.

Exam trap

The trap here is that candidates confuse pretexting with vishing, but CompTIA distinguishes vishing as a subtype of social engineering that specifically uses voice technology, whereas pretexting is the broader act of fabricating an identity or scenario regardless of the communication channel.

How to eliminate wrong answers

Option A is wrong because phishing refers to broad, mass-distributed fraudulent emails or messages that trick users into clicking malicious links or attachments, not a direct phone call. Option C is wrong because spear phishing is a targeted email attack customized for a specific individual or organization, using personal details to increase credibility, not a voice call. Option D is wrong because pretexting is a broader social engineering technique where the attacker fabricates a scenario (pretext) to obtain information; while the call involves a pretext, the specific use of voice communication makes vishing the correct classification under the CompTIA SY0-701 framework.

718
MCQeasy

A development team needs a centralized service to store, rotate, and control access to encryption keys for applications. Which solution best fits?

A.Key management service, because it centralizes key storage and rotation controls.
B.Port forwarding rule, because it allows applications to reach the encryption system.
C.Load balancer, because it distributes encryption requests across servers.
D.Web application firewall, because it protects the keys from injection attacks.
AnswerA

A key management service is designed to store, manage, rotate, and control access to cryptographic keys. It helps reduce the risk of hardcoded or poorly protected keys and gives administrators a central place to enforce lifecycle management. This is the best fit when multiple applications need secure, organized key handling.

Why this answer

A key management service (KMS) centralizes the lifecycle of cryptographic keys, including secure storage, automated rotation, and fine-grained access control via IAM policies. This directly meets the requirement for a centralized service to store, rotate, and control access to encryption keys for applications, as KMS is purpose-built for these tasks.

Exam trap

The trap here is that candidates may confuse a general security appliance (like a WAF or load balancer) with a specialized cryptographic service, or mistakenly think network-level controls (port forwarding) can manage key lifecycles, when only a dedicated key management service provides centralized storage, rotation, and access control for encryption keys.

How to eliminate wrong answers

Option B is wrong because a port forwarding rule is a network address translation (NAT) mechanism that redirects traffic from one IP/port to another; it does not store, rotate, or control access to encryption keys. Option C is wrong because a load balancer distributes incoming network traffic across multiple servers to ensure availability and performance; it has no capability to manage cryptographic key lifecycles or enforce access policies on keys. Option D is wrong because a web application firewall (WAF) inspects and filters HTTP/HTTPS traffic to block web-based attacks like SQL injection or XSS; it does not provide centralized key storage, rotation, or access control for encryption keys.

719
MCQmedium

A security analyst is investigating a web application that allows users to input a filename to view its contents. The application passes the user input directly to a system command without sanitization. An attacker submits the input 'file.txt; cat /etc/passwd' and successfully retrieves the contents of the password file. Which type of attack occurred?

A.Cross-site scripting (XSS)
B.SQL injection
C.Command injection
D.Directory traversal
AnswerC

Command injection allows an attacker to execute arbitrary system commands by exploiting unsanitized input passed to system calls. The use of a semicolon to chain commands is a classic indicator of this attack.

Why this answer

The application passes user input directly to a system command without sanitization. The attacker's input 'file.txt; cat /etc/passwd' uses a semicolon to terminate the intended command and execute a second command, which retrieves the password file. This is a classic command injection attack, where arbitrary system commands are executed via the vulnerable interface.

Exam trap

CompTIA often tests the distinction between command injection and directory traversal by using a payload that includes both a path and a command separator, leading candidates to mistakenly choose directory traversal when the core exploit is command execution via shell metacharacters.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting malicious scripts into web pages viewed by other users, not executing system commands on the server. Option B is wrong because SQL injection targets database queries by manipulating SQL syntax, not operating system commands. Option D is wrong because directory traversal exploits path manipulation to access files outside the web root, but it does not execute arbitrary system commands; the attack here uses command chaining with a semicolon, not path traversal.
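The vulnerable pattern from the question beside a hardened version, as an added example (not the page's code). The vulnerable function splices the filename into a shell command string; the hardened one allow-lists the filename, confines it to the document root, and passes an argv list so no shell ever parses the input. The demo directory, file name and payloads are constructed; the payload uses `echo` rather than `cat /etc/passwd` so it runs on any host with a POSIX shell.

```python
import re
import subprocess
import tempfile
from pathlib import Path


def setup_demo_dir():
    """Constructed stand-in for the application's document root."""
    base = Path(tempfile.mkdtemp(prefix="files-"))
    (base / "file.txt").write_text("hello\n")
    return base


def view_file_vulnerable(filename, base):
    """The pattern in the question: user input spliced into a shell command.
    The shell treats ';' as a command separator, so 'file.txt; echo INJECTED'
    (or the question's 'file.txt; cat /etc/passwd') runs a second command."""
    cmd = "cat " + str(base) + "/" + filename
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list: must start alphanumeric (rejects '..' and dotfiles), then a
# short run of safe characters. No '/', ';', '|', '$', spaces or quotes.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def view_file_safe(filename, base):
    """Hardened version: validate, confine, and never hand the input to a shell."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("filename contains disallowed characters")
    base = Path(base).resolve()
    path = (base / filename).resolve()
    if path.parent != base:                     # defence in depth against traversal
        raise ValueError("path escapes the document root")
    # argv list: the kernel receives ["cat", "/.../file.txt"] and no shell parses
    # it, so metacharacters in the argument are just bytes of a filename.
    result = subprocess.run(["cat", str(path)], capture_output=True, text=True, check=True)
    return result.stdout
```

In practice the safest version does not spawn a process at all (`path.read_text()` after the same validation); the argv form is shown because the question is about code that genuinely has to run a system command. Note that `check=True` turns a missing file into a `CalledProcessError`, which the caller should map to a 404 rather than echo back to the user.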

720
MCQmedium

A security team discovers that several laptops occasionally boot from a removable drive before Windows loads, allowing unapproved recovery tools to run. Management wants to prevent this with the least impact on normal users. Which control is the best fit?

A.Disable all USB ports permanently on every laptop.
B.Enable secure boot and restrict the firmware boot order so only the approved internal boot path is allowed.
C.Uninstall the endpoint protection agent and replace it with manual inspections.
D.Move user data to cloud storage so rogue boot media can no longer access it.
AnswerB

Secure boot helps ensure the platform loads trusted boot components, while boot-order restrictions prevent users from starting the system from unapproved removable media. Together, they address the problem at the pre-OS layer and preserve normal daily use. This is a targeted hardening change that is less disruptive than disabling all external ports. In practice the boot-order restriction must be paired with a firmware (UEFI) administrator password, otherwise a user can re-enable removable boot or use the one-time boot menu; Secure Boot on its own does not stop signed third-party media from booting.

Why this answer

Secure Boot ensures that only signed, trusted firmware and bootloaders execute during the startup process. By restricting the firmware boot order to the internal drive only, the laptop will ignore removable media during boot, preventing unapproved recovery tools from running before Windows loads. This has minimal impact on normal users because they can still use USB devices after the OS has booted.

Exam trap

The trap here is that candidates may think disabling USB ports entirely is the simplest solution, but the question specifically asks for the control with the least impact on normal users, and Secure Boot with boot order restriction targets only the pre-boot phase without affecting post-boot USB functionality.

How to eliminate wrong answers

Option A is wrong because disabling all USB ports permanently would prevent legitimate use of USB peripherals (e.g., mice, keyboards, external storage) after boot, causing significant disruption to normal users. Option C is wrong because uninstalling the endpoint protection agent and replacing it with manual inspections removes automated threat detection and response, increasing security risk and administrative overhead without addressing the boot-time attack vector. Option D is wrong because moving user data to cloud storage does not stop the laptop from booting unapproved media; cached files, local credentials and the operating system itself remain exposed to whatever tool runs before Windows loads.

721
Multi-Selecteasy

A SOC analyst reviews one user account and sees several failed logins from a single IP, then a successful login from the same IP, followed by a new inbox forwarding rule to an external address. Which two findings most strongly suggest account compromise? Select two.

Select 2 answers
A.Repeated failed logins followed by a successful login from the same source IP.
B.The user authenticated during normal business hours.
C.A new inbox forwarding rule sends mail to an external address.
D.The user accessed email from a corporate laptop.
E.The password age is 89 days.
AnswersA, C

This pattern matches credential guessing or spraying followed by a successful sign-in.

Why this answer

Option A is correct because a brute-force attack pattern—multiple failed logins followed by a successful authentication from the same external IP—strongly indicates credential compromise. This sequence suggests the attacker guessed or obtained the password and then successfully logged in, and the single source IP ties the failed attempts to the eventual successful session. Option C is correct because an inbox rule that silently forwards mail to an external address is a common post-compromise persistence step: the attacker keeps receiving the victim's mail, including password-reset messages, even after the password is changed. Together the two findings show how the attacker got in and what they did with the access.

Exam trap

CompTIA often tests the concept that a single successful login after failures is not enough—candidates must recognize that the forwarding rule is the second critical indicator, not the timing of the login.
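An added example (not part of the original questions) of the triage logic behind questions 711 and 721: a scan over constructed VPN, identity and mailbox events that flags a run of failures followed by a success (from the same source or from a new country), flags any forwarding rule to an external domain, and returns the containment actions both answers call for. Usernames, addresses, timestamps, the `example.com` internal domain and the thresholds are all assumptions.

```python
from datetime import datetime, timedelta


def _logon(ts, user, result, ip, country):
    return {"ts": ts, "user": user, "type": "logon", "result": result, "ip": ip, "country": country}


def _rule(ts, user, target):
    return {"ts": ts, "user": user, "type": "mailbox_rule", "action": "forward", "target": target}


# Constructed events, not real logs.
EVENTS = []
for i in range(14):   # question 711: 14 failures from one country in under four minutes
    EVENTS.append(_logon("2024-05-01T08:%02d:%02d" % (i // 4, (i % 4) * 15), "jdoe", "failure", "198.51.100.5", "BR"))
EVENTS.append(_logon("2024-05-01T08:08:30", "jdoe", "success", "192.0.2.44", "NL"))   # success, new country
EVENTS.append(_rule("2024-05-01T08:10:05", "jdoe", "jdoe.backup@mail-drop.example.net"))
for i in range(6):    # question 721: failures then success from the same IP
    EVENTS.append(_logon("2024-05-01T11:%02d:%02d" % (i // 4, (i % 4) * 15), "mlee", "failure", "203.0.113.77", "DE"))
EVENTS.append(_logon("2024-05-01T11:02:00", "mlee", "success", "203.0.113.77", "DE"))
EVENTS.append(_rule("2024-05-01T11:03:00", "mlee", "collector@mail-drop.example.net"))
EVENTS.append(_logon("2024-05-01T08:59:00", "asmith", "failure", "10.20.30.40", "US"))   # benign typo
EVENTS.append(_logon("2024-05-01T09:00:00", "asmith", "success", "10.20.30.40", "US"))
EVENTS.append(_rule("2024-05-01T09:05:00", "asmith", "asmith.archive@example.com"))     # internal forward


def analyze_account(events, user, failure_threshold=5, window=timedelta(minutes=10),
                    internal_domains=("example.com",)):
    """Return the compromise indicators for one account and the containment steps."""
    timeline = sorted(((datetime.fromisoformat(e["ts"]), e) for e in events if e["user"] == user),
                      key=lambda p: p[0])
    failures = [(t, e) for t, e in timeline if e["type"] == "logon" and e["result"] == "failure"]
    indicators = []
    for t, e in timeline:
        if e["type"] == "logon" and e["result"] == "success":
            # failures in the window immediately before this success
            prior = [pe for pt, pe in failures if t - window <= pt < t]
            if len(prior) >= failure_threshold:
                indicators.append({
                    "code": "failures_then_success",
                    "failures": len(prior),
                    "same_source": all(pe["ip"] == e["ip"] for pe in prior),
                    "new_country": e["country"] not in {pe["country"] for pe in prior},
                })
        elif e["type"] == "mailbox_rule" and e.get("action") == "forward":
            domain = e["target"].rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                indicators.append({"code": "external_forwarding_rule", "target": e["target"]})
    compromised = bool(indicators)
    actions = []
    if compromised:
        # Password reset alone is not enough: existing sessions and refresh tokens stay valid.
        actions = ["disable the account",
                   "revoke active sessions and refresh tokens",
                   "escalate as suspected account compromise"]
        if any(i["code"] == "external_forwarding_rule" for i in indicators):
            actions.append("remove the forwarding rule and review what was forwarded")
    return {"user": user, "indicators": indicators, "suspected_compromise": compromised, "actions": actions}
```

For `jdoe` the scan reports 14 failures before a success from a new country plus an external forwarding rule; for `mlee` the same pattern from a single source; for `asmith` nothing, since one failure is below the threshold and the forward stays inside the organisation. In production the threshold and window come from the identity platform's baseline, and "new country" is better judged against the user's history than against the failures alone.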

722
MCQeasy

A security team can patch only one system today. Which asset should be remediated first?

A.An internal print server with a high-severity finding and no direct user access
B.A lab workstation with a critical finding and no sensitive data
C.An internet-facing application server with a critical vulnerability and a known exploit
D.A user laptop with a medium-severity issue that requires local access
AnswerC

An internet-facing system with a critical vulnerability and a known exploit has the highest immediate risk. Attackers can reach it easily, and public exploit code increases the chance of compromise, so it should be patched first.

Why this answer

Option C is correct because an internet-facing application server with a critical vulnerability and a known exploit represents the highest risk: it is exposed to external threats, the vulnerability is critical, and a known exploit means attackers can reliably compromise it. Patching this system first reduces the likelihood of a remote breach that could lead to data exfiltration or service disruption, aligning with the principle of prioritizing assets with the greatest attack surface and exploitability.

Exam trap

CompTIA often tests the misconception that the highest CVSS score (critical vs. high/medium) alone dictates remediation priority, but the trap here is that asset exposure and exploitability—specifically an internet-facing server with a known exploit—override internal assets with higher severity but lower risk.

How to eliminate wrong answers

Option A is wrong because an internal print server with a high-severity finding and no direct user access has a lower attack surface (internal network only) and no direct user interaction, making it less urgent than an internet-facing system with a critical vulnerability and known exploit. Option B is wrong because a lab workstation with a critical finding and no sensitive data, while serious, is typically isolated or used for testing, so the impact of compromise is limited compared to an externally reachable server. Option D is wrong because a user laptop with a medium-severity issue that requires local access is less critical—medium severity and local access requirement reduce the likelihood of remote exploitation, and user laptops can often be mitigated temporarily with user awareness or endpoint controls.

723
MCQmedium

A sysadmin is preparing a dedicated database server for production. The server will not host web services, print services, or file sharing. Which action best follows least privilege and secure defaults?

A.Enable every management service so support can connect easily.
B.Use the domain admin account to run the database service.
C.Disable unused services and run the database under a dedicated least-privilege service account.
D.Share the same account with backup software to simplify troubleshooting.
AnswerC

Correct. Removing unnecessary services reduces the attack surface, and a dedicated service account limits the damage if the database process is compromised. This is a direct application of least privilege and secure defaults. It also supports cleaner auditing because the service activity is separated from administrator activity and unrelated functions are not exposed.

Why this answer

Option C is correct because disabling unused services reduces the attack surface, and running the database under a dedicated least-privilege service account ensures the account has only the permissions necessary for the database to function. This aligns with the principles of least privilege and secure defaults, as the server is dedicated to database services and should not have extraneous services or overly permissive accounts.

Exam trap

The trap here is that candidates may think using a domain admin account is acceptable for a database server to simplify management, but CompTIA tests the understanding that least privilege requires a dedicated service account with minimal permissions, not a highly privileged account.

How to eliminate wrong answers

Option A is wrong because enabling every management service violates least privilege by increasing the attack surface and potential for unauthorized access; a dedicated database server should only have necessary management interfaces enabled. Option B is wrong because using the domain admin account to run the database service violates least privilege by granting excessive privileges; if the database is compromised, an attacker could gain domain-wide control. Option D is wrong because sharing the same account with backup software violates least privilege by coupling database and backup permissions, increasing the risk of lateral movement if either service is compromised.

724
MCQ · hard

Based on the exhibit, which risk treatment should the security manager recommend first?

A. Accept the risk and document it for the next quarterly review.
B. Avoid the risk by permanently shutting down the file transfer service.
C. Mitigate the risk by replacing or isolating the appliance and removing direct internet exposure.
D. Transfer the risk by purchasing cyber insurance and keeping the current configuration.
Answer: C

Mitigation is best because the asset is unsupported, internet-facing, and processes sensitive tax data. The cost to replace is manageable compared with the exposure. A WAF alone does not adequately protect an unsupported service, so the manager should reduce the vulnerability and exposure directly.

Why this answer

The exhibit shows a legacy file transfer appliance with direct internet exposure and known unpatched vulnerabilities. The most immediate and effective risk treatment is to mitigate the risk by replacing or isolating the appliance and removing its direct internet exposure. This directly reduces the likelihood of exploitation by eliminating the attack surface, which aligns with the principle of defense-in-depth and is the first step before considering acceptance, avoidance, or transfer.

Exam trap

The trap here is that candidates may confuse 'transfer the risk' (Option D) with a proactive security measure, when in fact cyber insurance is a financial risk transfer that does not address the technical vulnerability, whereas mitigation (Option C) directly reduces the likelihood of exploitation.

How to eliminate wrong answers

Option A is wrong because accepting the risk without any compensating controls would leave a vulnerable, internet-facing appliance actively exploitable, which is irresponsible and violates the principle of due care. Option B is wrong because permanently shutting down the file transfer service would disrupt business operations and likely violate service-level agreements, making it an overly drastic and unnecessary first step when isolation and patching are feasible. Option D is wrong because transferring the risk via cyber insurance does not reduce the likelihood or impact of a breach; it only provides financial compensation after an incident, leaving the vulnerable appliance exposed and operational.

725
MCQ · hard

Based on the exhibit, what is the most important next IR action?

A. Change the password again and monitor the mailbox for a few days.
B. Revoke active sessions and OAuth consent grants for the account.
C. Restore the deleted inbox rule from backup to preserve evidence.
D. Close the incident because the forwarding rule was removed.
Answer: B

The password has already been changed and the inbox rule removed, but the audit trail shows an OAuth consent grant and a refresh token issued from an unfamiliar IP. Those tokens can continue to authorize access even after a password reset. Revoking active sessions and removing the malicious consent closes the persistent access path.

Why this answer

The exhibit shows a compromised account with a suspicious inbox rule forwarding emails externally. The most critical next step is to revoke active sessions and OAuth consent grants to immediately terminate the attacker's access and prevent further data exfiltration, as changing the password alone does not invalidate existing OAuth tokens or active sessions.

Exam trap

The trap here is that candidates assume changing the password is sufficient to stop an attacker, but they overlook that OAuth tokens and active sessions persist independently of password changes, allowing continued unauthorized access.

How to eliminate wrong answers

Option A is wrong because changing the password again does not revoke existing OAuth tokens or active sessions, so the attacker could maintain access via cached credentials or token-based authentication. Option C is wrong because restoring the deleted inbox rule from backup is not the most important next action; preserving evidence is secondary to stopping active compromise, and the rule may have already been removed by the attacker. Option D is wrong because closing the incident after removing the forwarding rule ignores the fact that the attacker still has active sessions and OAuth grants, leaving the account vulnerable to further abuse.

726
MCQ · easy

A security team configures the SIEM to alert when a user account has several failed logins followed by a successful login from a new location. What type of control is this?

A. Preventive control, because it blocks the login attempt before it occurs.
B. Detective control, because it identifies suspicious activity after the event has started.
C. Corrective control, because it automatically fixes the account after the login succeeds.
D. Deterrent control, because it discourages attackers from trying to sign in.
Answer: B

This is a detective control because the SIEM is observing activity and generating an alert when a suspicious pattern appears. It does not stop the login by itself, but it helps security staff notice possible compromise quickly. Detection is important for investigation and response, especially when an attacker has already obtained valid credentials.

Why this answer

This is a detective control because the SIEM is configured to monitor and analyze log data after events have occurred, specifically identifying a pattern of several failed logins followed by a successful login from a new location. The alert does not prevent or block the login; it only notifies the security team of potentially suspicious activity that has already taken place, allowing them to investigate further.

Exam trap

The trap here is that candidates confuse the SIEM's alerting capability with a preventive action, mistakenly thinking that because the alert is configured 'before' the successful login in the rule logic, it somehow blocks the event, when in fact the SIEM only detects and reports on completed events.

How to eliminate wrong answers

Option A is wrong because a preventive control would actively block the login attempt before it occurs (e.g., account lockout policy or conditional access rule), whereas the SIEM alert only detects the pattern after the successful login. Option C is wrong because a corrective control would automatically remediate the issue after detection (e.g., disabling the account or resetting the password), but the SIEM alert does not perform any automated fix; it simply generates an alert. Option D is wrong because a deterrent control is designed to discourage attackers from attempting an action (e.g., warning banners or visible surveillance), not to detect or alert on activity that has already happened.
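The alert logic described in this question, written out as an added example (it is not a rule shipped with any SIEM product): the log format, the "known locations" baseline, the failure threshold and the time window are constructed assumptions. It shows why the control is detective: the rule reads events that have already happened and emits an alert record; nothing in it blocks or changes a login.

```python
"""Correlation rule: several failed logins followed by a success from a new location.

Added illustration of the detective control in the question. Log layout,
field names, thresholds and the per-user baseline are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (timestamp, user, result, source IP, geo).
SAMPLE_LOGS = """\
2024-05-01T08:00:01 user=alice result=FAIL src=203.0.113.7 geo=BR
2024-05-01T08:00:09 user=alice result=FAIL src=203.0.113.7 geo=BR
2024-05-01T08:00:15 user=alice result=FAIL src=203.0.113.7 geo=BR
2024-05-01T08:00:22 user=alice result=FAIL src=203.0.113.7 geo=BR
2024-05-01T08:00:31 user=alice result=SUCCESS src=203.0.113.7 geo=BR
2024-05-01T08:05:00 user=bob result=FAIL src=198.51.100.4 geo=US
2024-05-01T08:05:40 user=bob result=SUCCESS src=198.51.100.4 geo=US
2024-05-01T09:00:00 user=carol result=FAIL src=192.0.2.10 geo=US
2024-05-01T09:00:05 user=carol result=FAIL src=192.0.2.10 geo=US
2024-05-01T09:00:10 user=carol result=FAIL src=192.0.2.10 geo=US
2024-05-01T09:00:20 user=carol result=SUCCESS src=192.0.2.10 geo=US
"""

# Constructed baseline: countries each user has previously signed in from.
KNOWN_GEO = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}

FAIL_THRESHOLD = 3            # how many failures count as "several" (assumption)
WINDOW = timedelta(minutes=10)  # sliding window for those failures (assumption)


def parse_line(line):
    """Turn 'ts key=value key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def detect(log_text, known_geo=KNOWN_GEO, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per successful login that follows >= threshold failures
    inside the window AND comes from a geo not in the user's baseline.

    The function only reads events and reports; it never rejects a login,
    which is exactly what makes this a detective rather than preventive control.
    """
    recent_fails = defaultdict(list)  # user -> timestamps of failures still in window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        # Expire failures that have slid out of the window.
        recent_fails[user] = [t for t in recent_fails[user] if ts - t <= window]
        if rec["result"] == "FAIL":
            recent_fails[user].append(ts)
            continue
        # A success: both conditions of the rule must hold to alert.
        new_location = rec["geo"] not in known_geo.get(user, set())
        if len(recent_fails[user]) >= threshold and new_location:
            alerts.append({
                "user": user,
                "ts": ts.isoformat(),
                "src": rec["src"],
                "geo": rec["geo"],
                "failures": len(recent_fails[user]),
            })
        recent_fails[user].clear()  # a success resets the failure streak
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print("ALERT", alert)
```

On the constructed input only alice trips the rule (four failures, then success from a country not in her baseline). bob has too few failures and carol's success comes from a known location, so neither produces an alert; tuning those two conditions is what separates a useful detective rule from alert noise.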

727
MCQ · hard

Based on the exhibit, what is the best data-handling action before sharing the file with the third party?

A. Send the full spreadsheet encrypted and let the vendor filter out the extra columns.
B. Redact the unnecessary sensitive fields and provide only the minimum necessary extract after approval.
C. Mark the spreadsheet as internal and share it through the benefits contractor's cloud portal.
D. Send the file unchanged because the contractor signed a nondisclosure agreement.
Answer: B

This follows data minimization and handling requirements. The third party only needs names, email addresses, and benefits selections, so bank and government-ID fields should be removed before sharing. Encryption alone is not enough because the recipient would still receive more data than needed. This approach reduces privacy exposure and aligns with the policy note in the exhibit.

Why this answer

Option B is correct because data minimization and the principle of least privilege require that only the minimum necessary sensitive data be shared with a third party. Redacting unnecessary sensitive fields and obtaining approval ensures compliance with data protection policies and reduces the risk of unauthorized exposure, even if the recipient has signed an NDA.

Exam trap

CompTIA often tests the misconception that a signed NDA or encryption alone is sufficient to share all data, when in fact data minimization and formal approval are required to meet security and compliance standards.

How to eliminate wrong answers

Option A is wrong because sending the full spreadsheet with extra columns still exposes sensitive data that the vendor does not need, violating data minimization and increasing breach risk. Option C is wrong because marking the spreadsheet as 'internal' and sharing via the contractor's cloud portal does not remove sensitive fields and may bypass proper access controls, as the portal may not enforce data redaction. Option D is wrong because a nondisclosure agreement does not justify sharing all data unchanged; it does not eliminate the need to limit data to the minimum necessary for the task.

728
MCQ · medium

A security analyst notices a sudden increase in outbound traffic from a database server that normally only communicates with internal application servers. The server is running a standard OS with no recent changes. Which of the following actions should the analyst take FIRST to determine if the server is compromised?

A. Run a full antivirus scan on the server.
B. Check the server's running processes for unknown executables.
C. Block all outbound traffic from the server at the firewall.
D. Review the server's event logs for failed login attempts.
Answer: B

Reviewing running processes is a fast, direct way to identify suspicious programs that might be generating the unusual traffic. Unfamiliar processes are a classic indicator of compromise.

Why this answer

Checking the server's running processes for unknown executables is the first and most direct step to identify if an attacker has established a foothold. A sudden outbound traffic spike without recent configuration changes strongly suggests a malicious process (e.g., a reverse shell or data exfiltration tool) is running. Examining running processes allows the analyst to spot suspicious executables or command-line arguments before taking more disruptive actions like blocking traffic or running a scan.

Exam trap

The trap here is that candidates often jump to blocking traffic (Option C) as a quick fix, but the FIRST action must be to gather evidence by inspecting running processes, as blocking prematurely destroys forensic data and violates the principle of 'do no harm' during incident response.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan is a reactive, signature-based step that may miss custom or fileless malware, and it can take significant time, delaying the immediate investigation of the anomalous traffic. Option C is wrong because blocking all outbound traffic at the firewall is a containment action that should be taken after confirming compromise, not first, as it could disrupt legitimate business operations and alert the attacker prematurely. Option D is wrong because reviewing event logs for failed login attempts focuses on authentication anomalies, which is less relevant when the traffic spike is already occurring and the server has no recent changes; the priority is to identify currently running malicious processes.

729
MCQ · medium

A company is enhancing its network security posture. The security team deploys a system that passively monitors network traffic, analyzes packets for signs of malicious activity, and generates alerts when suspicious patterns are detected. This system does not actively block or modify any traffic. Which type of security control does this system BEST represent?

A. Preventive control
B. Detective control
C. Corrective control
D. Deterrent control
Answer: B

Correct. A detective control identifies and logs security events after they happen or in real time. The described system passively monitors and generates alerts, which is the hallmark of a detective control like an IDS.

Why this answer

This system is a detective control because it passively monitors network traffic, analyzes packets for signs of malicious activity, and generates alerts without actively blocking or modifying traffic. Detective controls are designed to identify and report security incidents after they occur or as they happen, which aligns with the described behavior of an Intrusion Detection System (IDS). Unlike preventive controls, it does not enforce policy or stop threats in real time.

Exam trap

The trap here is that candidates often confuse an Intrusion Detection System (IDS) with an Intrusion Prevention System (IPS), mistakenly selecting 'preventive control' because they think any security tool that detects threats also blocks them, but the question explicitly states the system does not block or modify traffic.

How to eliminate wrong answers

Option A is wrong because preventive controls actively block or mitigate threats (e.g., a firewall denying traffic based on rules), whereas this system only monitors and alerts. Option C is wrong because corrective controls are applied after an incident to restore normal operations (e.g., patching a vulnerability or restoring from backup), not to passively monitor traffic. Option D is wrong because deterrent controls aim to discourage malicious behavior through visible warnings or threats of consequences (e.g., security cameras or warning banners), not through passive packet analysis and alerting.

730
MCQ · easy

An employee receives a text message that says, "Your MFA enrollment expired. Tap here now to re-activate access or your account will be locked." What should the employee do first?

A. Tap the link and complete the MFA reset immediately
B. Verify the request using a known company contact method and report the text
C. Forward the text to coworkers so they can watch for it too
D. Reply to the sender and ask for more details
Answer: B

This is the best first step because the employee should not trust a security-related request delivered through an unexpected text message. Using a known internal help desk number, portal, or security reporting process confirms whether the request is legitimate. It also helps the organization investigate the suspicious message quickly.

Why this answer

Option B is correct because the message is a classic phishing attempt designed to harvest MFA credentials or session tokens. The employee must first verify the request through a trusted company channel (e.g., calling the IT help desk or checking the official security portal) and then report the text to the security team. This prevents falling for social engineering that could bypass MFA protections.

Exam trap

The trap here is that candidates assume MFA is unbreakable and rush to re-enroll, not realizing that phishing kits can intercept MFA tokens in real time via reverse proxy attacks.

How to eliminate wrong answers

Option A is wrong because tapping the link could lead to a fake MFA portal that captures the employee's credentials or session tokens, compromising their account. Option C is wrong because forwarding the text to coworkers risks spreading the phishing attempt and may cause others to fall for it before the threat is contained. Option D is wrong because replying to the sender confirms the phone number is active and may expose the employee to further targeted attacks or malware delivery.

731
Multi-Select · medium

An investigator needs to make a forensic image of a suspect laptop without changing the original drive contents. Which two practices should be used? Select two.

A. Use a hardware or software write blocker during acquisition
B. Record SHA-256 hashes of the source and the image to verify integrity
C. Mount the drive read/write so hidden files are easier to access
D. Defragment the drive first to improve imaging speed
E. Install triage tools directly on the suspect laptop
Answers: A, B

A write blocker prevents the acquisition tool from modifying the source drive.

Why this answer

A hardware or software write blocker is essential because it intercepts and blocks any write commands from the operating system to the suspect drive, ensuring that no data is altered during acquisition. This preserves the original drive's contents in a forensically sound state, which is a fundamental requirement for evidence admissibility.

Exam trap

The trap here is that candidates often confuse 'verifying integrity after acquisition' (option B) with 'preventing alteration during acquisition' (option A), or they mistakenly think that mounting a drive read/write is acceptable if done carefully, not realizing that even read-only mounting by the OS can write metadata.

732
Multi-Select · easy

A system administrator is creating a secure baseline for a new Linux application server. Which two actions are appropriate hardening steps? Select two.

A. Disable services that the server does not need to perform its job.
B. Close unused listening ports with the host firewall or service configuration.
C. Install extra administrative tools on the server for convenience.
D. Enable passwordless remote shell access for faster troubleshooting.
E. Leave sample accounts and default demo content in place for testing.
Answers: A, B

Turning off unnecessary services reduces the number of programs that could be exploited. A hardened baseline should keep only the functions required for the server's role.

Why this answer

Disabling unnecessary services reduces the attack surface by removing potential entry points for exploitation. In a Linux server baseline, services like Telnet, FTP, or unused web servers should be disabled using systemctl or by removing the associated packages. This aligns with the principle of least functionality, ensuring only required processes run.

Exam trap

The trap here is that candidates may think convenience tools or default content are harmless, but the SY0-701 exam emphasizes that any unnecessary service, port, or account is a security risk that must be eliminated in a secure baseline.

733
MCQ · medium

Based on the exhibit, which backup protection change best improves ransomware resilience and protects the backup media if it is stolen?

A. Enable backup encryption only, because encrypted backups cannot be read if stolen.
B. Add an immutable offline or air-gapped copy with separate backup credentials and regular restore testing.
C. Move the USB drive into a different cabinet inside the same server room.
D. Reduce the retention period so backups consume less storage space.
Answer: B

An immutable or offline copy protects backups from tampering, ransomware, and accidental deletion because the attacker cannot easily modify it. Separate credentials reduce the chance that compromised domain admin accounts can reach every backup copy. Regular restore testing ensures the organization can actually recover when needed. This is the strongest improvement in the exhibit.

Why this answer

Option B is correct because implementing an immutable, offline or air-gapped backup copy with separate credentials ensures that even if an attacker compromises the primary backup system or steals the media, they cannot modify or delete the backups. Regular restore testing verifies the integrity and recoverability of the data, which is critical for ransomware resilience. This approach aligns with the 3-2-1 backup rule and NIST SP 800-184 guidance for cyber recovery.

Exam trap

The trap here is that candidates often assume encryption alone (Option A) is sufficient for ransomware protection, overlooking that encryption does not prevent backup corruption or deletion, and that an immutable, air-gapped copy with separate credentials is the only option that addresses both theft and ransomware attack scenarios.

How to eliminate wrong answers

Option A is wrong because backup encryption alone does not prevent ransomware from encrypting or deleting the backup files themselves; encryption only protects data confidentiality if the media is stolen, but the attacker could still corrupt or destroy the backups before encryption is applied. Option C is wrong because moving the USB drive to a different cabinet in the same server room does not create an air gap or offline copy; the drive remains accessible to the same network and threats, and physical theft of the cabinet would still compromise the backups. Option D is wrong because reducing the retention period only frees storage space and does not improve resilience against ransomware; it actually increases the risk of data loss by shortening the recovery window, and it does not protect backups from being encrypted or deleted.

734
MCQ · medium

Based on the exhibit, which missing control best improves oversight of the supplier?

A. Right-to-audit clause.
B. Allow the supplier to choose any encryption algorithm it wants.
C. Disable all contract reviews after signature.
D. Require the vendor to use employee badges for all facilities.
Answer: A

This is the best missing control because it allows the organization to verify security claims, inspect evidence, and validate subcontractor oversight when needed.

Why this answer

A right-to-audit clause is the missing control that best improves oversight of the supplier because it grants the organization contractual authority to examine the supplier's security controls, processes, and compliance evidence. Without this clause, the organization has no formal mechanism to verify that the supplier is adhering to agreed-upon security requirements, leaving oversight entirely dependent on trust.

Exam trap

The trap here is that candidates often confuse operational controls (like physical badges) with governance controls (like audit rights), failing to recognize that oversight requires a contractual mechanism to verify compliance, not just a procedural requirement.

How to eliminate wrong answers

Option B is wrong because allowing the supplier to choose any encryption algorithm it wants removes control over cryptographic strength and compliance with standards (e.g., FIPS 140-2), potentially permitting weak or deprecated algorithms like DES or RC4. Option C is wrong because disabling all contract reviews after signature eliminates the ability to reassess terms, update security requirements, or address changing risks, which is essential for ongoing oversight. Option D is wrong because requiring the vendor to use employee badges for all facilities addresses physical access control but does not provide oversight of the supplier's broader security practices, such as data handling, incident response, or subcontractor management.

735
Multi-Select · medium

A records manager confirms that paper onboarding forms containing government IDs are past retention, no legal hold exists, and the files are no longer needed. Which three actions should happen next? Select three.

A. Destroy the forms using approved secure disposal methods.
B. Record the destruction according to retention and disposal procedures.
C. Verify that no legal hold or regulatory exception applies.
D. Store the forms in a desk drawer for another quarter just in case.
E. Email scans of the forms to managers so they can keep a copy.
Answers: A, B, C

Secure destruction ensures sensitive personal information cannot be recovered after the retention period ends.

Why this answer

Option A is correct because once records are past their retention period, no legal hold exists, and they are no longer needed, the organization must destroy them using approved secure disposal methods (e.g., cross-cut shredding, incineration, or pulping) to prevent unauthorized access to sensitive PII. This aligns with the principle of data minimization and compliance with privacy regulations like GDPR or HIPAA.

Exam trap

The trap here is that candidates may think 'just in case' retention (Option D) is a safe fallback, but CompTIA emphasizes that records past retention with no legal hold must be destroyed immediately to avoid non-compliance and security risks.

736
MCQ · easy

A company uses several SaaS applications and wants employees to sign in once with a corporate account instead of maintaining separate passwords for each app. Which architecture is best?

A. Shared generic accounts for each department.
B. Federated single sign-on with a central identity provider.
C. A separate username and password database in every SaaS application.
D. A site-to-site VPN for every SaaS vendor.
Answer: B

This is the best choice because a central identity provider can authenticate the user once and then issue trusted access to multiple SaaS applications. It reduces password sprawl, simplifies account provisioning, and supports faster deprovisioning when an employee leaves. Federation also improves control because the business can manage identity from one place.

Why this answer

Federated single sign-on (SSO) with a central identity provider (IdP) allows users to authenticate once using their corporate account (e.g., via SAML 2.0 or OIDC) and then access multiple SaaS applications without re-entering credentials. The IdP issues a token that each SaaS app trusts, eliminating the need for separate passwords while maintaining centralized control over authentication policies.

Exam trap

The trap here is that candidates confuse network-level VPN connectivity with identity-level federation, assuming a VPN can provide SSO, when in fact VPNs only secure the transport layer and do not address authentication across separate application domains.

How to eliminate wrong answers

Option A is wrong because shared generic accounts violate the principle of least privilege and non-repudiation, as multiple users share the same credentials, making it impossible to audit individual actions. Option C is wrong because maintaining a separate username and password database in every SaaS application directly contradicts the requirement to eliminate separate passwords and introduces redundant identity silos. Option D is wrong because a site-to-site VPN provides network-layer connectivity, not identity federation; it does not solve the problem of authenticating users across different SaaS applications without separate credentials.

737
MCQ · medium

A security analyst is reviewing network flow logs and notices a series of outbound connections from a single internal workstation to an external IP address on TCP port 443. The connections occur every 5 minutes, each lasting about 2 seconds, and the amount of data transferred per connection is consistently around 1 KB. The workstation's user reports no unusual activity. The analyst checks the host's EDR logs and sees no malicious processes or known indicators. Which type of activity is this pattern most consistent with?

A. Beaconing to a command-and-control server
B. Normal software update check
C. DNS tunneling
D. Data exfiltration via HTTPS
Answer: A

Correct. Beaconing is characterized by regular, periodic connections with small data transfers, used by malware to maintain a persistent command-and-control channel. The fixed 5-minute interval and ~1 KB payload strongly match this pattern.

Why this answer

This pattern is most consistent with beaconing to a command-and-control (C2) server because the connections are periodic (every 5 minutes), short-lived (2 seconds), and consistently transfer a small amount of data (~1 KB) over HTTPS (TCP 443). These characteristics—regular intervals, low data volume, and stealthy use of encrypted channels—are hallmarks of C2 beaconing used by malware to maintain persistence and receive instructions without raising immediate suspicion.

Exam trap

The trap here is that candidates confuse periodic HTTPS connections with normal software updates, but the key differentiator is the extremely consistent timing and tiny data size—updates are rarely this regular or this small, while C2 beaconing is designed to be minimal and predictable to evade detection.

How to eliminate wrong answers

Option B is wrong because normal software update checks typically occur at irregular intervals (e.g., daily or weekly) or on system startup, not every 5 minutes, and they often transfer larger payloads (e.g., several MB) or involve multiple connections to CDNs, not a consistent 1 KB in a 2-second connection every 5 minutes. Option C is wrong because DNS tunneling uses UDP port 53 (or TCP 53 for large queries) to encapsulate data in DNS requests/responses, not TCP port 443, and would show unusual DNS query patterns (e.g., long subdomains, high query rates) rather than consistent HTTPS connections. Option D is wrong because data exfiltration via HTTPS typically involves larger data transfers (e.g., multiple MB or GB) or sustained throughput, not a tiny 1 KB every 5 minutes, and would likely show anomalous outbound data volumes or unusual destination IPs, not a fixed, low-bandwidth pattern.
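An added example (not part of the original question) that scores flow records for the regular-interval, small-payload pattern the explanation describes. The record layout, thresholds, IP addresses and sample flows are constructed. It goes a little beyond the single case in the stem by scoring every (source, destination, port) group in a batch, so the beaconing workstation and a host doing irregular, large update downloads are labelled side by side. Because it works on flow metadata alone, it is the kind of check that still fires when host EDR, as in this scenario, sees nothing.

```python
"""Periodicity scoring of flow records to surface C2-style beaconing.

Added example. Flow tuple layout, thresholds and all sample values are
constructed; the scoring idea is the one in the explanation: near-constant
inter-arrival time combined with a tiny, near-constant payload.
"""
from collections import defaultdict
from statistics import mean, pstdev

BASE_TS = 1_700_000_000  # arbitrary epoch start for the constructed flows


def beacon_flows():
    """Constructed: one host, every ~300 s (+/- 1 s jitter), ~1 KB out, TCP 443."""
    return [
        (BASE_TS + i * 300 + (i % 3) - 1, "10.0.0.25", "203.0.113.50", 443, 1024 + (i % 2) * 16)
        for i in range(12)
    ]


def update_flows():
    """Constructed: another host fetching updates at irregular times with large payloads."""
    offsets = [0, 3600, 9000, 86400, 90500, 172800]
    sizes = [2_400_000, 512_000, 5_100_000, 48_000, 7_300_000, 310_000]
    return [(BASE_TS + o, "10.0.0.31", "198.51.100.80", 443, s) for o, s in zip(offsets, sizes)]


# Flow record: (epoch_seconds, src, dst, dport, bytes_out)
SAMPLE_FLOWS = beacon_flows() + update_flows()


def _cv(values):
    """Coefficient of variation (stdev / mean); 0.0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def score_flows(flows, min_count=6, interval_cv_max=0.1, bytes_cv_max=0.1, max_bytes=4096):
    """Group flows per (src, dst, dport) and label each group.

    A group is 'beaconing' when it has enough samples, its inter-arrival times
    and byte counts are both nearly constant, and the payload is small.
    Thresholds are assumptions for the example, not vendor defaults.
    """
    groups = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        groups[(src, dst, dport)].append((ts, nbytes))

    results = {}
    for key, recs in groups.items():
        recs.sort()
        times = [t for t, _ in recs]
        sizes = [b for _, b in recs]
        if len(recs) < min_count:
            results[key] = {"label": "insufficient-data", "count": len(recs)}
            continue
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        icv, bcv = _cv(intervals), _cv(sizes)
        is_beacon = icv <= interval_cv_max and bcv <= bytes_cv_max and mean(sizes) <= max_bytes
        results[key] = {
            "label": "beaconing" if is_beacon else "irregular",
            "count": len(recs),
            "mean_interval_s": round(mean(intervals), 1),
            "interval_cv": round(icv, 3),
            "bytes_cv": round(bcv, 3),
            "mean_bytes": round(mean(sizes)),
        }
    return results


if __name__ == "__main__":
    for key, info in score_flows(SAMPLE_FLOWS).items():
        print(key, info)
```

The workstation group scores an interval CV well under 0.01 with a mean payload of about 1 KB and is labelled beaconing; the update host has gaps ranging from an hour to a day and multi-megabyte transfers, so its interval CV is above 1 and it is labelled irregular. In practice the same scoring is run over a whole day of flow exports, and the low-CV groups are what an analyst pivots on.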

738
MCQ · medium

A regulated analytics workload must run in the cloud with the strongest isolation from other customers, but the company does not want to manage its own physical server room. Which placement is most appropriate?

A. A public subnet with an internet gateway so the workload can be reached directly.
B. A shared-tenancy virtual machine in the provider's default compute pool.
C. A dedicated host or equivalent single-tenant compute placement in the provider's environment.
D. A serverless function because it removes all underlying infrastructure concerns.
Answer: C

Single-tenant placement offers the best isolation from other customers while still letting the provider manage the physical infrastructure.

Why this answer

Option C is correct because a dedicated host or single-tenant compute placement ensures that the physical server is not shared with any other customer, providing the strongest isolation required for regulated workloads. This model meets the compliance need for physical separation while still being a cloud service, so the company avoids managing its own server room.

Exam trap

The trap here is that candidates often confuse logical isolation (e.g., VPCs, private subnets) with physical isolation, and mistakenly choose a shared-tenancy option like a private subnet VM, thinking it provides the strongest separation.

How to eliminate wrong answers

Option A is wrong because a public subnet with an internet gateway exposes the workload directly to the internet, which weakens security and does not provide any physical isolation from other customers. Option B is wrong because a shared-tenancy virtual machine runs on hardware shared with other customers, offering only logical isolation and failing the requirement for the strongest physical isolation. Option D is wrong because serverless functions run on shared infrastructure managed by the provider, with no guarantee of single-tenant physical isolation, and they do not meet the explicit need for the strongest isolation from other customers.

739
MCQ (hard)

Company-owned tablets are used by field staff for both corporate email and approved personal apps. Security must isolate company data from personal data, allow remote wipe of only the corporate workspace, and block access if the device is rooted or encryption is disabled. Which approach best fits?

A. Use a consumer anti-malware app and perform a full-device wipe if the tablet is lost.
B. Use MDM or UEM with a managed work profile or container, compliance checks, and selective wipe.
C. Install a VPN app on the tablets and let users choose their own lock-screen settings.
D. Use application allowlisting alone and avoid enrolling the tablets in a management platform.
Answer: B

This meets the isolation, selective wipe, and posture-check requirements while preserving approved personal use on the device.

Why this answer

Option B is correct because Mobile Device Management (MDM) or Unified Endpoint Management (UEM) with a managed work profile (e.g., Android Work Profile or iOS Managed Open In) creates a separate, encrypted container for corporate data. This allows compliance checks to detect rooted devices or disabled encryption, and enables a selective wipe that removes only the corporate workspace without affecting personal apps or data.

Exam trap

The trap here is that candidates often confuse a full-device wipe (which destroys personal data) with a selective wipe (which only removes the corporate container), or assume that a VPN or anti-malware app alone can provide the required isolation and compliance enforcement.

How to eliminate wrong answers

Option A is wrong because a consumer anti-malware app cannot enforce containerization or selective wipe; a full-device wipe destroys all personal data, violating the requirement to isolate and preserve personal data. Option C is wrong because a VPN app alone does not provide work profile isolation, compliance checks for root/encryption, or selective wipe capabilities; letting users choose lock-screen settings undermines security policy enforcement. Option D is wrong because application allowlisting without a management platform cannot create a separate corporate workspace, enforce encryption or root detection, or perform a selective wipe; it only controls which apps can run, not data isolation or remote wipe.

740
MCQ (medium)

A vulnerability scan reports that a Windows file share has SMB signing disabled and anonymous read access is permitted to one directory containing payroll exports. No exploitation has been observed yet. Which action best reduces exposure with minimal business impact?

A. Remove all backup jobs until the scan is cleared.
B. Disable the file server and rebuild it from scratch immediately.
C. Enable SMB signing and remove anonymous access to the share.
D. Increase the directory quota so the share cannot overflow.
Answer: C

This is the best targeted remediation because it directly addresses both weaknesses identified by the scan. SMB signing helps protect integrity for SMB traffic, and removing anonymous read access prevents unauthorized users from viewing sensitive payroll data. Together, these changes reduce exposure without taking the entire server offline. In vulnerability management, the best choice is often a precise configuration fix that closes the finding while preserving business continuity and avoiding more disruptive action than necessary.

Why this answer

Option C is correct because enabling SMB signing prevents man-in-the-middle attacks that could tamper with file transfers, and removing anonymous read access eliminates unauthorized visibility into sensitive payroll data. These changes directly address the two vulnerabilities (SMB signing disabled and anonymous read access) without disrupting legitimate file-sharing operations, thus minimizing business impact.

Exam trap

The trap here is that candidates may overreact by choosing extreme remediation (like rebuilding the server) or irrelevant actions (like adjusting quotas), instead of recognizing that targeted configuration changes (enabling SMB signing and removing anonymous access) are the proportional, low-impact fix.

How to eliminate wrong answers

Option A is wrong because removing backup jobs does not address the SMB signing or anonymous access vulnerabilities; it would only increase data loss risk without reducing exposure. Option B is wrong because immediately disabling and rebuilding the file server is an extreme, unnecessary measure that causes significant business disruption; the vulnerabilities can be fixed with configuration changes. Option D is wrong because increasing the directory quota prevents overflow but does not mitigate the security issues of disabled SMB signing or anonymous read access.

741
MCQ (medium)

A scanner reports a critical vulnerability on an internal Linux server. The administrator confirms the vulnerable package is installed, but the affected feature is only enabled when an optional module is loaded, and that module is currently disabled. The server also requires downtime for patching. What is the best next step?

A. Immediately accept the risk and leave the server unchanged.
B. Verify whether the vulnerable function is reachable, then apply a compensating control or schedule remediation.
C. Mark the finding as a false positive and close the ticket.
D. Remove the server from production immediately and rebuild it from scratch.
Answer: B

Risk-based remediation starts by confirming exploitability, then choosing the least disruptive control that reduces exposure.

Why this answer

Option B is correct because even though the vulnerable module is disabled, the administrator must first verify that the vulnerable function is not reachable through other means (e.g., via a different service or misconfiguration). If it is unreachable, applying a compensating control (like a firewall rule or SELinux policy) can mitigate risk without immediate downtime, allowing patching to be scheduled. This aligns with the principle of defense-in-depth and proper risk management.

Exam trap

The trap here is that candidates assume a disabled module means the vulnerability is automatically not exploitable, ignoring that the vulnerable code is still present and could be enabled through other vectors or misconfiguration.

How to eliminate wrong answers

Option A is wrong because immediately accepting risk without verifying reachability or applying a compensating control is premature; the vulnerability may still be exploitable if the module can be enabled remotely or if the package has other attack surfaces. Option C is wrong because marking the finding as a false positive is incorrect—the vulnerability is real (the package is installed and vulnerable), even if the optional module is disabled; a false positive would mean the scanner reported a vulnerability that does not exist, which is not the case here.

742
MCQ (medium)

A workstation starts failing security checks. The antivirus service no longer appears in the running process list, a known driver's hash does not match the vendor's value, and a task manager view shows fewer processes than expected. The user also reports that local admin tools behave inconsistently. What type of malware is most likely present?

A. Spyware
B. Rootkit
C. Trojan
D. Logic bomb
Answer: B

A rootkit is designed to hide malicious activity and maintain stealth by manipulating operating system internals, drivers, or kernel components. Missing processes and hash mismatches support that conclusion.

Why this answer

The symptoms—antivirus service missing from the process list, a known driver's hash mismatch, fewer processes in Task Manager, and inconsistent admin tool behavior—are classic indicators of a rootkit. Rootkits operate at kernel or driver level, allowing them to hide processes, files, and registry keys from standard system tools, and they often tamper with driver hashes to evade integrity checks.

Exam trap

The trap here is that candidates often confuse a rootkit with a trojan because both can be stealthy, but the specific clues—driver hash mismatch and hidden processes—point to kernel-level manipulation unique to rootkits, not the user-level deception of a trojan.

How to eliminate wrong answers

Option A is wrong because spyware typically focuses on data theft and monitoring (e.g., keylogging, screen captures) and does not hide its processes or alter driver hashes at the kernel level. Option C is wrong because a trojan masquerades as legitimate software to gain initial access but does not inherently possess the capability to hide processes or modify driver hashes post-infection. Option D is wrong because a logic bomb is a dormant piece of code triggered by a specific condition (e.g., date or event) and does not actively hide processes or alter system drivers.

743
MCQ (easy)

Based on the exhibit, what should the team do next to confirm the backups can actually be used during an outage?

A. Increase the retention period before making any restore attempts.
B. Perform a test restore to a nonproduction location and verify the recovered files.
C. Delete older backup sets so the backup window is shorter.
D. Convert the backups to full backups only so the status report is simpler.
Answer: B

A test restore is the best way to validate that backups are usable during recovery. Successful backup jobs alone do not guarantee that data can be restored quickly, completely, or without corruption. Restoring to a nonproduction location confirms the files open correctly and helps the team measure recovery readiness before an actual incident.

Why this answer

Option B is correct because the only way to confirm that backups are usable during an outage is to perform a test restore to a nonproduction location and verify the recovered files. This validates the integrity of the backup data, the restore process, and that the files are complete and functional, which is a core principle of backup validation (often called a 'restore test' or 'disaster recovery drill'). Simply reviewing backup status reports or increasing retention does not prove that the data can be successfully restored.

Exam trap

The trap here is that candidates often assume a successful backup job (green status) guarantees recoverability, but the exam tests the distinction between backup completion and restore validation—CompTIA often tests this by making 'increase retention' or 'simplify backup type' seem like proactive steps, when only a test restore confirms usability.

How to eliminate wrong answers

Option A is wrong because increasing the retention period only keeps more historical copies of backups; it does not test whether those backups are actually restorable or contain valid data. Option C is wrong because deleting older backup sets to shorten the backup window does not validate the usability of the remaining backups and may actually reduce recovery point objectives (RPO) unnecessarily. Option D is wrong because converting to full backups only simplifies the status report but does not test the restore process; full backups can still be corrupt or incomplete without a restore verification.

744
MCQ (medium)

A legacy finance application cannot yet support multifactor authentication. The security team still wants administrators to use separate privileged accounts, receive elevated access only when a ticket is approved, and have those privileges removed automatically after the maintenance window ends. Which solution best fits?

A. Create one shared administrator account and rotate its password every week.
B. Assign permanent administrator rights through role-based access control and rely on audit logs afterward.
C. Use privileged access management with separate admin accounts and time-bound elevation approvals.
D. Move the application behind a federation service so all users can sign in with a single password.
Answer: C

Privileged access management is designed for this situation. Separate admin accounts preserve accountability, while time-bound elevation reduces standing privilege and limits exposure when the elevated rights are not needed. Approval workflows also support operational control and can be tied to maintenance tickets for traceability.

Why this answer

Option C is correct because Privileged Access Management (PAM) solutions are specifically designed to enforce just-in-time (JIT) privileged access. They allow administrators to request time-bound elevation of rights for a specific maintenance window, with automatic revocation after the window expires. This directly meets the requirements of separate privileged accounts, ticket-based approval, and automatic removal of privileges, even when the legacy application itself cannot support MFA.

Exam trap

The trap here is that candidates may confuse federation (SSO) with privileged access management, thinking that a single sign-on solution can enforce time-bound elevation, when in fact federation only centralizes authentication and does not manage granular, time-limited privilege escalation.

How to eliminate wrong answers

Option A is wrong because a shared administrator account violates the principle of least privilege and non-repudiation; rotating the password weekly does not provide time-bound, ticket-approved elevation or automatic removal of privileges. Option B is wrong because permanent administrator rights through RBAC contradict the requirement for elevated access only when a ticket is approved and automatic removal after the maintenance window; audit logs alone do not enforce time-bound access. Option D is wrong because placing the application behind a federation service with a single password does not provide separate privileged accounts, ticket-based approval, or time-bound elevation; it also introduces a single point of failure and does not address the need for privileged access management.

745
Multi-Select (hard)

A hybrid cloud portal first checks device health at the identity provider, then requires MFA, then enforces a per-application authorization decision before each sensitive action. Network access is also limited by a gateway, and a WAF sits in front of the app. Which two principles are best demonstrated? Select two.

Select 2 answers
A. Zero trust, because access is continuously verified instead of assumed after one login.
B. Defense in depth, because several independent layers protect the workload from different angles.
C. Least privilege, because users are granted no access at all until the app is offline.
D. Separation of duties, because administrators and users must approve each other's actions.
E. Need-to-know, because the system hides all information until the user requests it.
Answers: A, B

The portal keeps re-evaluating trust through identity, device, and application-layer checks.

Why this answer

Option A is correct because the scenario describes continuous verification of device health, MFA, and per-application authorization before each sensitive action, which aligns with the Zero Trust principle of 'never trust, always verify.' Unlike traditional perimeter-based security, Zero Trust assumes no implicit trust after initial authentication and requires ongoing validation at every access attempt.

Exam trap

CompTIA often tests the distinction between Zero Trust (continuous verification) and Defense in depth (layered controls), and the trap here is confusing 'least privilege' with 'continuous verification' or assuming that any multi-step authentication automatically implies separation of duties.

746
MCQ (medium)

A security architect is designing the network security posture for a new branch office. The plan includes a next-generation firewall at the perimeter, an intrusion prevention system on the internal network, mandatory multi-factor authentication for all remote access, and quarterly security awareness training for employees. The architect explains that these controls are independent of each other so that a failure in any single control does not leave the entire network unprotected. Which security concept is the architect primarily implementing?

A. Least privilege
B. Defense in depth
C. Zero trust
D. Separation of duties
Answer: B

Defense in depth uses multiple overlapping and independent security controls to protect an environment, ensuring that if one control fails, others continue to provide protection. The architect's design directly implements this principle.

Why this answer

The architect is implementing defense in depth by layering multiple independent security controls—a next-generation firewall (NGFW) at the perimeter, an intrusion prevention system (IPS) on the internal network, mandatory multi-factor authentication (MFA) for remote access, and quarterly security awareness training. The key phrase 'independent of each other so that a failure in any single control does not leave the entire network unprotected' directly describes the principle of layered defenses, where no single point of failure compromises overall security. This approach ensures that if an attacker bypasses the NGFW, the IPS or MFA may still prevent or detect the breach.

Exam trap

The trap here is that candidates confuse 'defense in depth' with 'zero trust' because both involve multiple controls, but zero trust specifically requires continuous authentication and micro-segmentation, not just independent layers.

How to eliminate wrong answers

Option A is wrong because least privilege restricts user and process access to only what is necessary for their role, which is not about layering independent controls but about minimizing permissions. Option C is wrong because zero trust assumes no implicit trust and requires continuous verification of every request, often using micro-segmentation and identity-based policies, whereas the described controls are independent layers without explicit per-request verification. Option D is wrong because separation of duties divides critical tasks among multiple people to prevent fraud or error, not to create redundant technical security layers.

747
MCQ (medium)

A SOC analyst receives an alert that a domain admin account authenticated to a file server at 02:14 from a jump host that is normally used only by the infrastructure team. The Windows logs also show a scheduled task launching a backup script at the same time, and the backup team says the task was created during yesterday's change window. What is the best next step to determine whether this is a false positive?

A. Disable the domain admin account immediately and wait for the backup team to respond.
B. Correlate the authentication event with the change ticket and the scheduled task details.
C. Escalate the alert as confirmed compromise because the login occurred after hours.
D. Delete the scheduled task so it cannot be used again.
Answer: B

This directly verifies whether the login and task were expected parts of an approved maintenance activity.

Why this answer

Option B is correct because the alert involves a domain admin authentication from a jump host at an unusual time, but the scheduled task was created during a change window. Correlating the authentication event with the change ticket and the scheduled task details allows the SOC analyst to verify if the activity was authorized, preventing unnecessary incident response. This step aligns with the incident response process of validating alerts before taking action.

Exam trap

The trap here is that candidates assume any after-hours admin login is malicious, but the scheduled task created during a change window provides a legitimate explanation that must be verified through correlation.

How to eliminate wrong answers

Option A is wrong because disabling the domain admin account immediately without investigation could disrupt legitimate operations and is premature; the activity may be authorized. Option C is wrong because escalating as a confirmed compromise based solely on after-hours login ignores the possibility of scheduled maintenance or authorized changes, leading to false positives. Option D is wrong because deleting the scheduled task destroys evidence and could break legitimate business processes; the task should be analyzed, not removed.

748
MCQ (hard)

Based on the exhibit, what is the BEST immediate containment action? The workstation is still powered on, and the user reports that files are being renamed and the system is running very slowly. The security analyst confirms malicious activity is in progress.

A. Immediately isolate the endpoint from the network using EDR containment or switch quarantine.
B. Power off the workstation immediately to prevent any further file changes.
C. Uninstall Microsoft Office so the malicious spreadsheet cannot launch again.
D. Block the destination IP address at the firewall and wait for the user to log off.
Answer: A

The device is actively exhibiting ransomware-like behavior, and isolation stops lateral spread and additional command-and-control traffic while preserving the powered-on system for later review.

Why this answer

Option A is correct because the immediate priority is to stop the active malicious activity (file renaming, system slowdown) by severing the workstation's network connectivity. EDR containment or switch quarantine isolates the endpoint at Layer 2, preventing the attacker from exfiltrating data, communicating with command-and-control servers, or spreading laterally, while preserving volatile memory for forensic analysis. This is faster and more controlled than powering off, which destroys evidence and may trigger destructive payloads.

Exam trap

CompTIA often tests the distinction between containment (stopping the spread) and eradication (removing the threat), tempting candidates to choose power-off or uninstall actions that destroy evidence or fail to stop active malicious processes.

How to eliminate wrong answers

Option B is wrong because powering off the workstation destroys volatile evidence (e.g., running processes, network connections, memory-resident malware) and may trigger destructive payloads designed to activate on shutdown. Option C is wrong because uninstalling Microsoft Office is a remediation step, not an immediate containment action; it does not stop the ongoing malicious activity and may take too long while the attacker continues to rename files. Option D is wrong because blocking the destination IP at the firewall does not stop the local malicious process already running on the workstation, and waiting for the user to log off allows further damage; containment must be applied directly to the endpoint.

749
MCQ (medium)

A legal department sends a confidential contract to an outside partner without first exchanging a shared secret. The sender encrypts the document with the partner's public key so that only the partner can decrypt it with the matching private key. Which cryptographic approach is being used?

A. Symmetric encryption
B. Asymmetric encryption
C. Hashing
D. Digital signatures
Answer: B

Asymmetric encryption uses a public key to encrypt data and a corresponding private key to decrypt it. That makes it ideal when two parties have not yet shared a secret. In this scenario, the sender uses the partner's public key so only the partner's private key can open the contract, preserving confidentiality across an untrusted network.

Why this answer

B is correct because the scenario describes encrypting a document with the recipient's public key, which can only be decrypted by the recipient's private key. This is the defining characteristic of asymmetric encryption (also known as public-key cryptography), where two different but mathematically related keys are used for encryption and decryption.

Exam trap

The trap here is that candidates may confuse the use of a public key for encryption with a digital signature, which uses the private key for signing, or mistakenly think that any use of a key pair is symmetric encryption.

How to eliminate wrong answers

Option A is wrong because symmetric encryption uses a single shared secret key for both encryption and decryption, but the scenario explicitly states that no shared secret was exchanged beforehand. Option C is wrong because hashing is a one-way function that produces a fixed-size digest for integrity verification, not for encryption or decryption of data. Option D is wrong because digital signatures use the sender's private key to sign a message for non-repudiation and integrity, not the recipient's public key to encrypt a document.

750
Multi-Select (hard)

A router interface connects the DMZ subnet 10.10.10.0/24 to the internal network. A web server at 10.10.10.25 must reach an application server at 10.10.20.20 on TCP 8443, and all other DMZ-to-internal traffic must be blocked. Which two ACL entries should be applied inbound on the DMZ-facing interface? Select two.

Select 2 answers
A. permit tcp 10.10.10.25 host 10.10.20.20 eq 8443
B. permit tcp host 10.10.20.20 any eq 8443
C. deny ip 10.10.10.0/24 10.10.20.0/24
D. permit ip any any
E. permit udp 10.10.10.0/24 host 10.10.20.20 eq 8443
Answers: A, C

The permit entry allows only the required web-server-to-application-server connection on the specified port, using a very narrow source and destination definition, which is the safest way to permit the business flow. The explicit deny entry then blocks every other DMZ-to-internal flow. The ACL should allow the needed application traffic and nothing broader than that.

Why this answer

Option A is correct because it permits TCP traffic from the specific web server (10.10.10.25) to the application server (10.10.20.20) on destination port 8443, which is the only allowed DMZ-to-internal communication. This entry uses the 'host' keyword to specify the exact source IP and the 'eq' keyword to match the required destination port, implementing the principle of least privilege.

Exam trap

Cisco often tests the misconception that a single permit statement is sufficient, but candidates forget that an explicit deny entry is needed to block all other traffic when the requirement specifies 'all other traffic must be blocked', as the implicit deny alone does not satisfy the explicit blocking requirement in the question.
