Security+ SY0-701 (SY0-701) — Questions 826900

1152 questions total · 16pages · All types, answers revealed

Page 11

Page 12 of 16

Page 13
826
MCQmedium

In a virtualized environment, several workloads share the same physical host and the same IP subnet. After one payroll VM is compromised, the security team wants to prevent that VM from freely scanning or reaching the other workloads on the host. Which control best addresses this lateral-movement risk?

A.Microsegmentation with policy rules applied per workload or per VM
B.Expanding the subnet mask so all workloads are easier to reach
C.Creating a shared administrator account for all virtual machines
D.Disabling DHCP and forcing every VM to use a static IP address
AnswerA

Microsegmentation creates fine-grained trust boundaries between workloads, even when they share the same subnet or host. This limits east-west traffic and reduces the ability of a compromised VM to discover or attack neighboring systems. It is the most direct control for this risk.

Why this answer

Microsegmentation allows granular security policies to be applied per workload or per VM, even within the same subnet and on the same hypervisor. By enforcing firewall rules at the virtual switch or hypervisor level, it prevents a compromised payroll VM from scanning or communicating laterally with other VMs on the same host, directly addressing the lateral-movement risk.

Exam trap

The trap here is that candidates often confuse subnetting or IP addressing changes (like expanding the subnet mask or using static IPs) with actual network security controls, failing to realize that only policy-based segmentation at the hypervisor or virtual switch layer can block lateral traffic within the same broadcast domain.

How to eliminate wrong answers

Option B is wrong because expanding the subnet mask (e.g., from /24 to /16) actually increases the broadcast domain and makes more IP addresses reachable, which would facilitate lateral movement rather than prevent it. Option C is wrong because creating a shared administrator account for all VMs would reduce accountability and provide an attacker with a single set of credentials to compromise all workloads, increasing lateral-movement risk. Option D is wrong because disabling DHCP and forcing static IPs does not restrict network communication between VMs; it only changes how IP addresses are assigned, leaving all traffic unblocked and the VM free to scan the subnet.

827
Multi-Selecteasy

A company wants employees to use their normal login from managed devices but require extra verification when they sign in from an unmanaged laptop or a new location. Which two controls should the team use? Select two.

Select 2 answers
A.Conditional access
B.Multi-factor authentication
C.DNS filtering
D.Disk encryption
E.Port security
AnswersA, B

Conditional access lets the organization change sign-in rules based on device, location, or risk. It is the best control for requiring different access conditions in different situations.

Why this answer

Conditional access (A) is correct because it allows the company to define policies that grant or block access based on conditions such as device compliance (managed vs. unmanaged) and location (trusted vs. new). Multi-factor authentication (B) is correct because it provides the extra verification step required when the conditional access policy detects an unmanaged laptop or a new location, ensuring the user proves their identity beyond just a password.

Exam trap

The trap here is that candidates often pick MFA alone, forgetting that MFA is only enforced when a conditional access policy triggers it based on device or location conditions, so both controls are needed together.

828
MCQmedium

A security analyst is reviewing the source code of a custom authentication service. The service uses a function that compares a user-supplied password to the stored password hash by iterating through each byte and returning false immediately upon the first mismatch. The analyst measures the function's execution time and discovers it varies measurably depending on how many initial bytes match. Which type of attack is this vulnerability most likely to facilitate?

A.Brute-force attack
B.Dictionary attack
C.Replay attack
D.Timing attack
AnswerD

A timing attack exploits measurable variations in the time it takes to execute a cryptographic operation. In this case, the early-exit comparison enables an attacker to deduce the correct secret byte by byte, making it the correct classification.

Why this answer

The vulnerability is a timing attack because the comparison function returns false immediately upon the first mismatched byte, causing execution time to vary based on how many initial bytes match. An attacker can measure these timing differences to iteratively guess each byte of the password hash, effectively reducing the search space from exponential to linear. This is a classic side-channel attack that exploits observable timing variations in cryptographic or authentication operations.

Exam trap

The trap here is that candidates may confuse a timing attack with a brute-force or dictionary attack, not realizing that the key clue is the measurable variation in execution time due to early exit on mismatch, which is a classic side-channel indicator.

How to eliminate wrong answers

Option A is wrong because a brute-force attack tries all possible password combinations without leveraging timing differences; it relies on computational power, not side-channel information. Option B is wrong because a dictionary attack uses a precomputed list of common passwords or hashes, not timing measurements of the comparison function. Option C is wrong because a replay attack captures and retransmits valid authentication data (e.g., a token or hash) to impersonate a user; it does not involve analyzing execution time of a comparison function.

829
MCQmedium

A security manager is creating a company-wide requirement that all Windows laptops must have full-disk encryption, screen lock after 10 minutes, and approved antivirus enabled. Administrators can choose the exact implementation details, but the minimum settings must be mandatory across the fleet. Which governance artifact should the manager update?

A.Policy
B.Standard
C.Procedure
D.Guideline
AnswerB

A standard defines mandatory, specific requirements such as minimum security settings that must be followed consistently across systems.

Why this answer

A policy is a high-level management directive that mandates specific security outcomes (e.g., 'all laptops must have full-disk encryption, screen lock after 10 minutes, and approved antivirus enabled') without prescribing the exact technical implementation. The security manager is setting mandatory minimum requirements, which is the defining characteristic of a policy. Standards, by contrast, provide the specific technical configurations or baselines (e.g., 'use BitLocker with AES-256'), which the administrators will choose later.

Exam trap

CompTIA often tests the distinction between policy and standard by presenting a scenario where the manager sets mandatory outcomes but leaves implementation choices to administrators, leading candidates to incorrectly select 'Standard' because they associate 'mandatory settings' with technical baselines.

How to eliminate wrong answers

Option A is wrong because a policy is exactly the artifact the manager should update—it sets mandatory requirements without dictating implementation details, which matches the scenario. Option C is wrong because a procedure is a step-by-step guide (e.g., 'click Start > Settings > Update & Security > Device encryption') that describes how to implement a standard or policy, not the artifact that defines the mandatory minimum settings themselves.

830
MCQmedium

Several employees report receiving SMS messages that appear to come from the corporate service desk. The text says, 'Your password expires today. Review the notice here,' followed by a shortened link that opens a fake sign-in page on a phone browser. Which type of attack is this?

A.Smishing
B.Pretexting
C.Tailgating
D.Spoofing
AnswerA

Smishing is phishing delivered through SMS or other text messaging platforms. The message uses urgency and a link to a fake login page to steal credentials.

Why this answer

This is smishing because the attack uses SMS messages to deliver a phishing link that directs recipients to a fake sign-in page, attempting to steal their credentials. Smishing is a form of social engineering that exploits the trust in text messaging and the urgency of a password expiration notice to bypass email security filters.

Exam trap

CompTIA often tests the distinction between smishing and spoofing, where candidates mistakenly choose spoofing because the SMS appears to come from the service desk, but the core attack vector is the social engineering via SMS, not just the falsified sender information.

How to eliminate wrong answers

Option B is wrong because pretexting involves fabricating a scenario (pretext) to obtain information or access, often through voice calls or impersonation, not through SMS with a malicious link. Option C is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area, not a digital or messaging-based attack. Option D is wrong because spoofing refers to falsifying data (e.g., IP address, email header, caller ID) to impersonate a trusted source, but the attack described is specifically a social engineering technique using SMS, which is classified as smishing, not just spoofing.

831
MCQeasy

A vendor-supported application cannot be patched for 30 days, but the business must keep it online. What is the best short-term risk treatment?

A.Accept the risk without any additional controls
B.Apply a compensating control, such as restricting access and monitoring traffic
C.Delete the application so the vulnerability no longer exists
D.Transfer the risk by telling users to work faster
AnswerB

A compensating control reduces the risk while the permanent fix is unavailable and the system must remain online.

Why this answer

Option B is correct because when a known vulnerability cannot be patched immediately, applying a compensating control—such as restricting network access via firewall rules (e.g., allowing only specific source IPs) and enabling deep packet inspection (DPI) or an intrusion prevention system (IPS) to monitor for exploit attempts—reduces the risk to an acceptable level without taking the application offline. This approach aligns with the principle of defense in depth, buying time until the vendor patch is available.

Exam trap

The trap here is that candidates often confuse 'risk acceptance' (Option A) as a valid short-term treatment, but the question explicitly requires the best treatment when the business must keep the application online, making compensating controls the correct choice over passive acceptance.

How to eliminate wrong answers

Option A is wrong because accepting the risk without any additional controls ignores the active threat and leaves the organization exposed to exploitation of the unpatched vulnerability, which is not a prudent short-term treatment. Option C is wrong because deleting the application is an extreme measure that eliminates the vulnerability but also removes the business functionality entirely, failing the requirement to keep the application online. Option D is wrong because transferring risk by telling users to work faster is not a valid risk treatment; risk transfer involves insurance or outsourcing, not a behavioral directive, and does nothing to mitigate the technical vulnerability.

832
Multi-Selectmedium

A customer portal must keep serving users if one application server fails and also remain available if the primary site becomes unreachable. Management prefers automatic recovery over manual intervention. Which two design choices best satisfy the goal? Select two.

Select 2 answers
A.Deploy multiple application servers behind a load balancer across separate availability zones.
B.Use a single high-end server with RAID 10 and a larger power supply.
C.Keep only nightly backups and restore manually after an outage.
D.Store the database on a local disk array attached to the primary server.
E.Replicate the database to a standby site with automatic failover.
AnswersA, E

Load balancing across multiple instances removes the single server failure point and supports automatic failover.

Why this answer

Deploying multiple application servers behind a load balancer across separate availability zones (A) provides redundancy at the application tier: if one server fails, traffic is automatically redirected to healthy servers. Replicating the database to a standby site with automatic failover (E) ensures that if the primary site becomes unreachable, the database can be promoted to active without manual intervention, meeting the requirement for automatic recovery.

Exam trap

CompTIA often tests the misconception that hardware redundancy (like RAID 10) alone is sufficient for high availability, but it ignores site-level failures and automatic recovery requirements.

833
MCQmedium

A security analyst discovers that an attacker maintained persistent access to a corporate network for six months, moving laterally between systems and exfiltrating sensitive data. The attacker used custom malware that evaded antivirus and established multiple backdoors. Which of the following best describes this type of threat actor and their campaign?

A.Insider threat
B.Advanced persistent threat (APT)
C.Zero‑day exploit
D.Denial of service (DoS) attack
AnswerB

APT correctly describes a threat actor that establishes a long‑term presence, uses custom malware, and conducts lateral movement and data exfiltration—all of which are present in the scenario. APTs are designed to remain undetected while achieving strategic goals over months or years.

Why this answer

The scenario describes a threat actor that maintained stealthy, long-term access to a network, moved laterally, and exfiltrated data over six months using custom malware that evaded antivirus. This aligns with the definition of an Advanced Persistent Threat (APT), which is a sophisticated, well-resourced adversary that conducts prolonged, targeted campaigns to achieve specific objectives, often espionage or data theft.

Exam trap

The trap here is that candidates may confuse 'advanced persistent threat' with a specific exploit technique like a zero-day, or assume any long-term access is an insider threat, but the key differentiator is the external, resource-intensive, and stealthy nature of the campaign described.

How to eliminate wrong answers

Option A is wrong because an insider threat originates from within the organization (e.g., a disgruntled employee or contractor) and typically does not require custom malware that evades antivirus or multiple backdoors for lateral movement over six months; the scenario describes external-style persistence and evasion. Option C is wrong because a zero-day exploit refers to a specific, previously unknown vulnerability used in an attack, not the overall campaign or threat actor type; the question asks for the description of the threat actor and their campaign, not the exploit method. Option D is wrong because a Denial of Service (DoS) attack aims to disrupt availability of services, not to maintain persistent access, move laterally, or exfiltrate data; it is a different attack objective entirely.

834
MCQeasy

After a phishing simulation, many users still nearly entered credentials on the fake page. Security wants the fastest improvement without scheduling long training sessions. What is the best response?

A.Require a full-day classroom course for every employee immediately.
B.Ignore the results because no actual breach occurred.
C.Send a short targeted awareness message with examples, warning signs, and reporting steps.
D.Reset every employee password as the main way to prevent future clicks.
AnswerC

This is the best option because it provides immediate reinforcement with minimal disruption. Targeted communication can quickly remind users what phishing looks like, what clues to watch for, and how to report suspicious messages. It is practical, timely, and easier to absorb than a long training event when the goal is rapid behavior improvement.

Why this answer

Option C is correct because a short targeted awareness message directly addresses the observed risky behavior with minimal time investment, providing immediate reinforcement of warning signs and reporting procedures. This approach leverages just-in-time training, which is proven to improve retention and behavior change more effectively than lengthy sessions, aligning with the goal of fastest improvement without disrupting operations.

Exam trap

CompTIA often tests the misconception that immediate technical controls (like password resets) are the fastest fix, when in reality, behavioral reinforcement through targeted communication yields quicker and more sustainable improvement in user vigilance.

How to eliminate wrong answers

Option A is wrong because requiring a full-day classroom course is time-intensive and contradicts the requirement for fastest improvement; it also risks overwhelming employees with information that may not be retained. Option B is wrong because ignoring the results ignores a clear security gap—users nearly entered credentials, indicating a need for awareness improvement to prevent future real attacks. Option D is wrong because resetting every employee password does not address the root cause (user behavior) and is an administrative burden that does not prevent future clicks on phishing pages.

835
MCQmedium

A nightly backup job shows "Completed successfully" in the backup console, but a test restore fails with an authentication error after the backup service account password was rotated last week. What is the best next step?

A.Increase the retention period so the backup console will keep more copies.
B.Update the backup application with the current service account credentials and rerun a restore validation test.
C.Disable the backup software firewall rule and try the restore again later.
D.Delete and recreate all protected files because the backup repository is probably corrupt.
AnswerB

This action resolves the likely credential mismatch and confirms the backup process is actually usable during recovery. Backup success alone is not enough if restore fails.

Why this answer

The backup job succeeded because the service account had cached credentials or the backup process itself didn't require re-authentication at that point. However, the restore operation failed because the backup application's stored credentials for accessing the backup repository are now stale after the password rotation. Updating the backup application with the current service account credentials (Option B) directly resolves the authentication error and allows a proper restore validation test.

Exam trap

The trap here is that candidates assume a 'Completed successfully' backup job means all related processes are healthy, but the exam tests the distinction between backup success and restore success, highlighting that credential rotation can break restore without affecting backup.

How to eliminate wrong answers

Option A is wrong because increasing the retention period only keeps more backup copies; it does not fix the underlying authentication issue caused by stale credentials. Option C is wrong because disabling a firewall rule is unrelated to an authentication error; the error indicates a credentials mismatch, not a network connectivity or firewall block. Option D is wrong because deleting and recreating files is a destructive action that assumes corruption, but the backup repository is likely intact; the problem is purely an authentication failure during restore, not data corruption.

836
Multi-Selectmedium

Which three of the following are examples of defense-in-depth security controls? (Choose three.)

Select 3 answers
.A firewall at the network perimeter
.Mandatory access controls on sensitive files
.Regular security awareness training for employees
.A single password policy for all users
.Using only one antivirus solution for all endpoints
.Disabling all logging to save storage space

Why this answer

Defense-in-depth is a layered security strategy that uses multiple, independent controls to protect assets. A firewall at the network perimeter provides network-level filtering (e.g., stateful inspection, ACLs) as the first line of defense. Mandatory access controls (MAC) on sensitive files enforce system-enforced restrictions based on labels (e.g., Bell-LaPadula model), adding a host-level layer.

Regular security awareness training addresses the human factor, reducing social engineering and phishing risks, which is a critical administrative control.

Exam trap

The trap here is that candidates often confuse 'multiple controls' with 'multiple instances of the same control' (e.g., using two firewalls or one AV everywhere), but defense-in-depth requires diverse, independent layers across different domains (network, host, administrative).

837
MCQhard

Based on the exhibit, which vulnerability is being exploited?

A.Cross-site scripting (XSS)
B.Cross-site request forgery (CSRF)
C.Authentication bypass
D.Command injection
AnswerC

The backend is trusting client-influenced headers and a forwarded path value to reach an administrative endpoint. The logs show a normal analyst account reaching /admin/export after supplying X-Original-URL, which indicates the application or proxy is failing to enforce access controls consistently. That is an authentication or authorization bypass caused by trusting data the client can manipulate.

Why this answer

The exhibit shows a URL parameter `?admin=false` being changed to `?admin=true`, which directly toggles an administrative access control flag. This is a classic authentication bypass vulnerability because the application trusts client-supplied input to determine authorization status, allowing an attacker to escalate privileges without valid credentials.

Exam trap

The trap here is that candidates confuse parameter manipulation for privilege escalation with CSRF, but CSRF requires an authenticated victim to unknowingly submit a request, whereas this attack directly alters the authorization flag without needing another user's session.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) requires injecting malicious scripts into web pages, not manipulating URL parameters to gain admin access. Option B is wrong because cross-site request forgery (CSRF) tricks a user into performing unintended actions using their existing session, but does not involve directly modifying a parameter to bypass authentication. Option D is wrong because command injection involves injecting OS commands into input fields that are executed by the server, not altering a boolean parameter in a URL to change authorization state.

838
Multi-Selectmedium

A team deploys a Linux virtual machine in IaaS and stores documents in a managed cloud object storage service. The provider secures datacenters, hardware, and the storage platform, but the organization still wants to reduce exposure. Which two tasks remain the organization's responsibility? Select two.

Select 2 answers
A.Patch and harden the Linux virtual machine operating system.
B.Replace the provider's datacenter controls with a customer-owned firewall appliance.
C.Assume the provider will apply tenant-specific application permissions automatically.
D.Configure IAM roles, bucket policies, and least-privilege access for the customer's resources.
E.Rely on the cloud provider to classify the company's documents for compliance.
AnswersA, D

In IaaS, the customer still manages the guest OS and must reduce vulnerabilities on the VM itself.

Why this answer

Option A is correct because in an IaaS model, the customer is responsible for securing the operating system of the virtual machine, including applying patches and hardening configurations. The cloud provider secures the underlying hypervisor and physical infrastructure, but the customer must manage the OS-level security controls.

Exam trap

The trap here is that candidates often assume the cloud provider handles all security for managed services, but the shared responsibility model clearly places OS patching and access control configuration on the customer, even for IaaS and object storage.

839
MCQmedium

An EDR alert shows a Windows workstation used certutil.exe to download an encoded script, then created a scheduled task named UpdateCheck that runs every 15 minutes. The machine is also making short HTTPS connections to the same external IP. What is the best description of what the attacker is doing?

A.A buffer overflow exploit is likely corrupting memory in the operating system.
B.Living-off-the-land abuse with persistence through a scheduled task is occurring.
C.The evidence most strongly suggests a drive-by download from a compromised browser session.
D.A man-in-the-middle attack is intercepting and modifying the TLS session.
AnswerB

The attacker is using legitimate system utilities, such as certutil.exe and the Windows task scheduler, to download, execute, and persist malicious code. That pattern strongly suggests living-off-the-land abuse rather than a custom malware loader. The recurring outbound HTTPS traffic to a single external host also fits command-and-control activity. This combination is common when attackers want to blend in with normal administrative behavior and survive reboots without dropping obvious binaries.

Why this answer

Option B is correct because the attacker is using certutil.exe, a native Windows tool, to download an encoded script (living-off-the-land), and then creating a scheduled task named UpdateCheck to maintain persistence by running every 15 minutes. This combination of abusing trusted binaries and establishing a recurring task is a classic indicator of LOTL abuse with persistence.

Exam trap

The trap here is that candidates may confuse the use of a native tool like certutil.exe with a buffer overflow or drive-by download, failing to recognize the living-off-the-land technique and persistence via scheduled tasks as the core indicators.

How to eliminate wrong answers

Option A is wrong because a buffer overflow exploit corrupts memory to execute arbitrary code, but the evidence shows no memory corruption or exploitation—just the use of certutil.exe and scheduled tasks. Option C is wrong because a drive-by download typically involves a browser exploit or malicious script executed via a compromised website, whereas here the attacker actively used certutil.exe to download a script and created a scheduled task, indicating post-exploitation activity rather than initial infection. Option D is wrong because a man-in-the-middle attack would intercept or modify TLS sessions, but the evidence only shows short HTTPS connections to an external IP, which is consistent with command-and-control traffic, not TLS interception or modification.

840
MCQmedium

An engineering firm backs up its file server every night to a NAS that is always mounted to the production domain. After a ransomware event, management asks for the most effective improvement to reduce the chance that backups are encrypted along with production data. What should be recommended?

A.Increase the backup frequency but leave the NAS always online
B.Keep an offline or immutable backup copy that is not continuously reachable from production
C.Store backups in the same server room for faster restore times
D.Use only local snapshots on the file server because they are simpler to manage
AnswerB

Offline or immutable backups resist encryption by ransomware because the attacker cannot easily modify or destroy them from the compromised environment.

Why this answer

Option B is correct because an offline or immutable backup copy that is not continuously reachable from the production domain prevents ransomware from encrypting it. Since the NAS is always mounted to the production domain, it is vulnerable to lateral movement and encryption by ransomware. An offline backup (e.g., tape or disconnected disk) or an immutable backup (e.g., using S3 Object Lock or a write-once file system) ensures that even if production data is compromised, the backup remains intact and recoverable.

Exam trap

The trap here is that candidates may think increasing backup frequency or keeping backups local improves security, but the core issue is that the backup must be isolated from the production domain to survive a ransomware attack that encrypts all reachable data.

How to eliminate wrong answers

Option A is wrong because increasing backup frequency while leaving the NAS always online does not protect against encryption; ransomware can encrypt both the live data and the mounted backup during the same attack window. Option C is wrong because storing backups in the same server room does not address the security issue; it only improves restore speed but still leaves the backup accessible to ransomware that has compromised the production network. Option D is wrong because local snapshots on the file server are stored on the same volume or system that is being attacked, so they can be encrypted or deleted by ransomware just like the original data.

841
MCQeasy

Threat intelligence shows an attacker changes domains every day, but the malware file itself stays the same across incidents. Which indicator would be the best to block immediately if you find it in your environment?

A.The current weather in the city where the attack was observed
B.The malware file hash from the shared sample
C.The logo used on the phishing email
D.The time zone used by the help desk
AnswerB

A file hash can directly identify the same malware sample even when the attacker rotates domains and hosting infrastructure.

Why this answer

The malware file hash (e.g., MD5, SHA-1, or SHA-256) is a unique fingerprint of the file's binary content. Since the malware file itself remains unchanged across incidents, its hash is a static, reliable indicator of compromise (IoC) that can be immediately blocked via file reputation or hash-based detection rules, regardless of domain changes.

Exam trap

The trap here is that candidates may focus on the attacker's changing domains (a dynamic indicator) and overlook the static file hash, which is the most reliable and immediately actionable indicator when the malware binary is unchanged.

How to eliminate wrong answers

Option A is wrong because the current weather is an environmental variable unrelated to the malware's identity or behavior; it has no forensic value as a static indicator. Option C is wrong because a phishing email logo is a visual element that can be easily altered or reused by different threat actors, and it does not uniquely identify the malware file itself. Option D is wrong because the help desk time zone is an operational parameter of the organization, not an indicator of compromise; it provides no information about the attacker's tools or tactics.

842
MCQmedium

A monthly vulnerability scan identifies a critical vulnerability on a public-facing VPN appliance, but the vendor says no patch is available yet. The service must remain online for remote workers. What is the best compensating control to reduce risk right away?

A.Ignore the finding until the next quarterly review because there is no patch available.
B.Move the appliance to a less critical VLAN and leave all access rules unchanged.
C.Apply virtual patching or traffic filtering to block exploit attempts until remediation is possible.
D.Disable logging so that attackers cannot learn the appliance version from log data.
AnswerC

Filtering malicious traffic is a practical compensating control when a permanent fix is not yet available.

Why this answer

Option C is correct because virtual patching or traffic filtering (e.g., via an IPS or WAF) provides immediate, compensating protection by inspecting and blocking exploit traffic targeting the vulnerability, without requiring the vendor to release a patch. This allows the VPN appliance to remain online for remote workers while reducing the risk of exploitation until a permanent fix is available.

Exam trap

The trap here is that candidates may assume a missing patch means no action is possible, or that VLAN segmentation alone is sufficient, when in fact compensating controls like virtual patching are the correct immediate response for unpatched critical vulnerabilities on internet-facing systems.

How to eliminate wrong answers

Option A is wrong because ignoring a critical vulnerability until the next quarterly review leaves the organization exposed to active exploitation, especially on a public-facing appliance; risk does not disappear just because no patch exists. Option B is wrong because moving the appliance to a less critical VLAN without changing access rules does not prevent an attacker from reaching the vulnerability—VLANs provide logical separation but do not filter application-layer exploit attempts, and the same access rules would still allow malicious traffic to the device.

843
MCQmedium

A security manager at a healthcare organization is reviewing the results of a third-party vendor risk assessment for a cloud-based email service that will store protected health information (PHI). The assessment reveals that the vendor encrypts data at rest using AES-256 but does not support customer-managed encryption keys. The vendor's data center is located in a country that is not subject to HIPAA jurisdiction. The vendor's previous penetration test report is over 18 months old. Which of the following is the most appropriate risk management action for the security manager to take?

A.Accept the risk because the vendor uses strong encryption.
B.Request the vendor to obtain a current SOC 2 Type II report and review the findings before making a decision.
C.Terminate the contract immediately and select a different vendor.
D.Require the vendor to implement customer-managed keys and provide a new penetration test report within 30 days.
AnswerB

A SOC 2 Type II report provides an independent assessment of a service organization's controls over a period of time, including security, availability, and confidentiality. This is directly relevant for a cloud email service handling PHI. Reviewing this report gives the manager sufficient evidence to decide whether the vendor's current controls meet organizational and regulatory requirements.

Why this answer

Option B is correct because a SOC 2 Type II report provides an independent assessment of a vendor's controls over security, availability, processing integrity, confidentiality, and privacy over a period of time. Given the vendor's lack of customer-managed keys and outdated penetration test, the security manager needs a current, comprehensive audit report to evaluate whether compensating controls adequately mitigate the risks of storing PHI outside HIPAA jurisdiction. This action allows an informed risk acceptance or mitigation decision without prematurely terminating a potentially compliant service.

Exam trap

The trap here is that candidates may assume strong encryption (AES-256) alone is sufficient for HIPAA compliance, ignoring the broader context of jurisdictional risk, key management, and the need for current third-party audit evidence.

How to eliminate wrong answers

Option A is wrong because accepting risk solely based on AES-256 encryption ignores other critical factors: the vendor's data center is outside HIPAA jurisdiction, the penetration test is stale, and the lack of customer-managed keys reduces the organization's control over PHI. Option C is wrong because immediate contract termination is an extreme and premature action without first evaluating the vendor's current security posture through a SOC 2 Type II report; the vendor may still meet HIPAA requirements through other controls. Option D is wrong because requiring the vendor to implement customer-managed keys and provide a new penetration test within 30 days is likely infeasible and outside the security manager's authority to unilaterally impose contractual changes; a more measured approach is to first request an existing audit report.

844
MCQmedium

Based on the exhibit, which authentication method best meets the stated remote-admin requirement?

A.SMS one-time code, because it is widely supported and easy for users to adopt.
B.Email one-time link, because it can be delivered to any mailbox quickly.
C.Authenticator app TOTP code, because it adds a second factor without special hardware.
D.FIDO2 hardware security key, because it resists phishing and does not depend on SMS or email delivery.
AnswerD

The requirement explicitly calls for a phishing-resistant factor that does not depend on text messages or email. A FIDO2 hardware security key meets that need and is well suited for privileged administrator authentication because it strongly binds the login to the legitimate site.

Why this answer

The remote-admin requirement emphasizes phishing resistance and independence from SMS or email delivery, which are vulnerable to interception or social engineering. FIDO2 hardware security keys use public-key cryptography and origin-bound credentials, making them phishing-resistant and eliminating reliance on potentially compromised communication channels. This aligns with the stated requirement better than the other options.

Exam trap

The trap here is that candidates often choose TOTP (Option C) because it is a common second factor, but they overlook that the question specifically requires phishing resistance, which TOTP does not provide against modern adversary-in-the-middle attacks, whereas FIDO2 does.

How to eliminate wrong answers

Option A is wrong because SMS one-time codes are susceptible to SIM swapping, SS7 attacks, and phishing, and they rely on the mobile carrier network, which does not meet a requirement for phishing resistance. Option B is wrong because email one-time links can be intercepted via mailbox compromise or man-in-the-middle attacks, and they depend on email delivery, which is not phishing-resistant. Option C is wrong because authenticator app TOTP codes, while more secure than SMS, are still vulnerable to real-time phishing attacks (e.g., adversary-in-the-middle) where the user is tricked into entering the code on a fake site, and they do not provide the same level of phishing resistance as FIDO2.

845
MCQeasy

Employees in a lobby say their phones automatically connected to a wireless network named CorpWiFi, even though the legitimate access point was offline. They were then shown a fake sign-in page. What threat is this?

A.An evil twin access point impersonating the real corporate wireless network
B.A Bluetooth replay attack that reuses captured pairing data
C.A cloud misconfiguration exposing a storage bucket to the internet
D.A dependency compromise in a software library used by the company portal
AnswerA

An evil twin is a rogue access point that copies a trusted SSID to lure users into connecting.

Why this answer

This is an evil twin attack. The attacker sets up a rogue access point broadcasting the same SSID (CorpWiFi) as the legitimate network. When the real access point goes offline, client devices automatically connect to the stronger signal of the rogue AP, allowing the attacker to present a fake captive portal to harvest credentials.

Exam trap

The trap here is that candidates may confuse an evil twin with a rogue access point, but the key distinction is that an evil twin specifically impersonates a legitimate SSID to trick clients into connecting, whereas a rogue AP is simply an unauthorized device on the network.

How to eliminate wrong answers

Option B is wrong because a Bluetooth replay attack involves capturing and retransmitting Bluetooth pairing packets to gain unauthorized access, not connecting to a Wi-Fi network or presenting a fake sign-in page. Option C is wrong because a cloud misconfiguration exposing a storage bucket would allow unauthorized data access via the internet, not cause phones to auto-connect to a rogue Wi-Fi network. Option D is wrong because a dependency compromise in a software library would affect the company portal's code execution or data integrity, not involve wireless network impersonation or captive portal phishing.

846
Multi-Selecteasy

Which two documents are typically mandatory and organization-wide rather than optional guidance? Select two.

Select 2 answers
A.Security policy
B.Standard
C.Guideline
D.Personal preference note
E.Architecture diagram
AnswersA, B

Policies set mandatory organization-wide direction and expectations for behavior.

Why this answer

Security policies are mandatory, high-level documents that define management's intent and direction for security, establishing rules that all employees must follow. They are organization-wide and enforceable, unlike guidelines which are optional. Standards are also mandatory and specify uniform technical controls or configurations (e.g., requiring AES-256 encryption) that must be implemented across the organization to comply with the security policy.

Exam trap

The trap here is that candidates often confuse 'guidelines' with 'standards' because both provide technical details, but guidelines are optional while standards are mandatory, and the exam expects you to distinguish between enforceable documents (policy/standard) and advisory ones (guideline).

847
MCQmedium

A regulated workload must run in the cloud with the strongest possible isolation from other tenants, and the company wants to avoid managing its own physical hardware. Which placement is the best fit?

A.Use a dedicated host so the underlying hardware is allocated to one customer only.
B.Use a shared tenancy instance with tighter security groups and a private subnet.
C.Move the workload into a public subnet so the provider can inspect traffic more easily.
D.Use a container within a shared platform because containers always isolate tenants completely.
AnswerA

A dedicated host provides the highest level of tenant isolation without requiring the organization to own or maintain the physical server. It is a strong fit for regulated workloads where the business wants reduced sharing at the hardware layer.

Why this answer

A dedicated host provides the strongest possible isolation by ensuring that the physical server is not shared with any other tenant. This meets the requirement for a regulated workload without the company managing its own hardware, as the cloud provider still handles maintenance and patching.

Exam trap

The trap here is that candidates often confuse logical isolation (like security groups or private subnets) with physical isolation, assuming that network controls alone satisfy the requirement for the strongest possible isolation from other tenants.

How to eliminate wrong answers

Option B is wrong because shared tenancy instances, even with tighter security groups and a private subnet, still share the underlying physical hardware with other tenants, which does not meet the requirement for the strongest possible isolation. Option C is wrong because moving the workload into a public subnet exposes it directly to the internet and does not enhance isolation; the provider inspecting traffic does not prevent resource sharing at the hardware level.

848
Multi-Selectmedium

A security analyst is reviewing the organization’s security awareness program. Which three of the following are key metrics that demonstrate the effectiveness of the program? (Choose three.)

Select 3 answers
.Percentage of employees who complete annual security training
.Number of phishing simulation clicks before and after training
.Total count of security incidents reported by employees
.Average time to patch critical vulnerabilities in production systems
.Number of firewall rule changes approved per quarter
.Percentage of servers with full disk encryption enabled

Why this answer

The percentage of employees who complete annual security training is a key metric because it measures participation in the foundational awareness activity. The number of phishing simulation clicks before and after training directly quantifies behavioral change, showing whether training reduces susceptibility to social engineering. The total count of security incidents reported by employees indicates whether the program has successfully fostered a culture of reporting, which is critical for early threat detection.

Exam trap

The trap here is that candidates confuse operational security metrics (like patch time or encryption coverage) with human-centric awareness metrics, leading them to select technical controls that do not measure employee behavior or program effectiveness.

849
MCQhard

An accounts payable clerk receives an email that appears to continue an existing thread with a shipping vendor. The sender name, signature block, and invoice number all match a real open order, and the message asks the clerk to use a "new payment portal" and confirm bank details before 3 PM to avoid delayed shipment. The email contains no attachments and only one URL. Which attack type is most likely?

A.Spear phishing, because the email uses targeted business context and time pressure.
B.Pretexting, because the attacker is impersonating a trusted vendor to create a believable reason for the request.
C.Smishing, because the attacker is using a text message to reach the victim.
D.Baiting, because the attacker is offering a portal link that appears helpful to the recipient.
AnswerB

Pretexting is the best fit because the attacker builds a believable story around a trusted vendor relationship and asks for a sensitive business action. The value is in the fabricated scenario, not just the delivery channel. The realistic invoice details and urgency support the pretext, which is a common pattern in payment-change scams and business email compromise.

Why this answer

Option B is correct because the attacker is not just sending a generic targeted email but is actively impersonating a trusted vendor and fabricating a scenario (the need to use a new payment portal to avoid shipment delay) to manipulate the victim into divulging sensitive bank details. This aligns with pretexting, where the attacker creates a false pretext (a believable reason) to obtain information, rather than relying on malicious attachments or links alone. The email's use of an existing thread, matching sender details, and time pressure all support the pretext, making it a classic impersonation-based social engineering attack.

Exam trap

The trap here is that candidates often confuse pretexting with spear phishing because both involve targeted emails, but the key distinction is that pretexting relies on a fabricated scenario to manipulate the victim into action, whereas spear phishing typically uses a malicious link or attachment to compromise the system directly.

How to eliminate wrong answers

Option A is wrong because spear phishing typically involves a targeted email with a malicious payload (e.g., a link to a credential-harvesting site or an attachment with malware), but here the attack relies on the fabricated scenario and impersonation to trick the victim into voluntarily providing bank details, not on exploiting a technical vulnerability via a link. Option C is wrong because smishing specifically refers to SMS text message attacks, not email-based attacks. Option D is wrong because baiting involves offering something enticing (e.g., a free download or USB drive) to lure the victim into a trap, whereas this attack uses a fabricated reason (pretext) to request sensitive information, not an offer of a helpful portal link.

850
MCQmedium

A file-conversion API accepts a URL to generate a preview image. An attacker submits a URL for the cloud metadata service at 169.254.169.254 and receives instance credentials in the preview output. What attack is this?

A.SQL injection
B.Server-side request forgery
C.Cross-site request forgery
D.Command injection
AnswerB

Server-side request forgery occurs when an attacker tricks a server into making an unintended request to an internal or privileged resource.

Why this answer

The attack is Server-Side Request Forgery (SSRF) because the attacker manipulates the file-conversion API into making an outbound HTTP request to an internal IP address (169.254.169.254, the cloud metadata service). The API then returns the metadata (including instance credentials) in the generated preview image, exploiting the server's trust to access internal resources that are not directly accessible from the internet.

Exam trap

The trap here is that candidates confuse SSRF with CSRF because both involve 'request forgery,' but SSRF targets server-side requests to internal resources, while CSRF targets user-side requests to perform unauthorized actions.

How to eliminate wrong answers

Option A is wrong because SQL injection involves injecting malicious SQL queries into input fields to manipulate a database, not making the server request internal URLs. Option C is wrong because Cross-Site Request Forgery (CSRF) tricks an authenticated user's browser into performing unwanted actions on a trusted site, not exploiting server-side URL fetching. Option D is wrong because command injection involves injecting operating system commands into input that is executed by the server, not manipulating URL requests to internal services.

851
MCQeasy

After a phishing account compromise has been contained and the attacker’s mailbox forwarding rule was removed, what should the team do next?

A.Stop the investigation because the forwarding rule was deleted.
B.Reset credentials and verify there are no other persistence methods before recovery.
C.Close the ticket and tell the user to be more careful next time.
D.Wait one week before taking any action so the attacker does not notice.
AnswerB

Eradication requires removing attacker access and checking for additional changes before returning to normal operations.

Why this answer

After removing a mailbox forwarding rule, the team must reset the compromised account's credentials and verify that no other persistence mechanisms (e.g., additional forwarding rules, OAuth app grants, or mailbox delegation) remain. This ensures the attacker cannot regain access using cached credentials or alternate backdoors, which is critical before returning the account to production.

Exam trap

The trap here is that candidates assume removing the visible persistence mechanism (the forwarding rule) is sufficient, but CompTIA tests the understanding that attackers often deploy multiple backdoors, and credential reset plus full verification is mandatory before recovery.

How to eliminate wrong answers

Option A is wrong because stopping the investigation after deleting a single forwarding rule ignores other potential persistence methods like hidden inbox rules, OAuth tokens, or SMTP auth compromises. Option C is wrong because closing the ticket without remediation leaves the account vulnerable and fails to address the root cause of the compromise. Option D is wrong because waiting a week allows the attacker to re-establish persistence or exfiltrate more data, violating the principle of timely incident response.

852
MCQmedium

A security architect is designing a solution to securely store sensitive customer data in a cloud object storage service. The architect's primary concern is that if the storage bucket is accidentally configured as publicly accessible, the data should still be protected from unauthorized viewing. Which of the following architectural designs provides the strongest defense in depth to meet this concern?

A.Use server-side encryption with a cloud-managed key (SSE-S3) and restrict access with bucket policies.
B.Use client-side encryption with a customer-managed key stored in a hardware security module (HSM) and restrict access with IAM roles.
C.Use default encryption with a cloud-managed key (SSE-S3) and enable bucket logging.
D.Use server-side encryption with a customer-provided key (SSE-C) and require MFA for delete operations on the bucket.
AnswerB

Client-side encryption encrypts the data before it is uploaded, so the cloud provider never sees plaintext. The customer retains sole control of the encryption key in an HSM. Even if the bucket is made publicly accessible, an attacker can only retrieve encrypted ciphertext, which is indecipherable without the key. This provides the strongest defense in depth against accidental public exposure.

Why this answer

Option B is correct because client-side encryption ensures data is encrypted before it ever leaves the client, so even if the bucket is accidentally made publicly accessible, the ciphertext remains unreadable without the customer-managed key stored in the HSM. This provides defense in depth by combining encryption at the application layer with IAM role restrictions, which control access at the AWS API level. Server-side encryption alone (as in the other options) only protects data at rest on the server side, leaving it vulnerable if the bucket policy or ACLs are misconfigured to allow public read access.

Exam trap

The trap here is that candidates often assume server-side encryption (SSE) alone is sufficient to protect data in a publicly accessible bucket, but they overlook that SSE only protects data at rest on the server side and does not prevent an authorized (or public) user from downloading the encrypted object and then decrypting it using the keys that the server automatically provides to any authenticated requester.

How to eliminate wrong answers

Option A is wrong because server-side encryption with SSE-S3 encrypts data at rest on the server side, but if the bucket is publicly accessible, the decryption keys are managed by AWS and the encrypted objects can still be retrieved by anyone who can read the bucket; the encryption does not prevent unauthorized viewing of the data once the object is downloaded. Option C is wrong because default encryption with SSE-S3 similarly only protects data at rest, and bucket logging merely records access events—it does not prevent unauthorized viewing of the data if the bucket is misconfigured as public. Option D is wrong because server-side encryption with SSE-C encrypts data at rest using a customer-provided key, but if the bucket is publicly accessible, an attacker who can read the bucket can still download the encrypted objects and, if they also obtain the SSE-C key (e.g., via a separate breach), decrypt them; requiring MFA for delete operations does not protect against unauthorized read access.

853
MCQmedium

A security manager wants every corporate laptop to use the same mandatory settings, including disk encryption, a 10-minute screen lock, and removal of local administrator rights. Which document should define these specific requirements?

A.Policy
B.Standard
C.Guideline
D.Procedure
AnswerB

A standard is the correct document for exact, mandatory configuration requirements. It provides specific, consistent rules such as encryption requirements, lock timers, and privilege restrictions so administrators can implement the same baseline across all laptops. Standards translate policy intent into enforceable technical expectations and make compliance measurable.

Why this answer

A standard defines mandatory, specific technical requirements that must be uniformly applied across all systems, such as enforcing AES-256 disk encryption, a 600-second screen lock timeout, and removal of local administrator rights. Unlike a policy, which is high-level and goal-oriented, a standard provides the precise configuration settings that implement the policy's intent. This aligns with the CompTIA SY0-701 domain of Security Program Management and Oversight, where standards bridge the gap between policy and technical implementation.

Exam trap

The trap here is confusing the broad, principle-based nature of a policy with the specific, mandatory technical requirements of a standard, leading candidates to choose 'Policy' when the question explicitly asks for a document that defines 'specific requirements'.

How to eliminate wrong answers

Option A is wrong because a policy is a high-level statement of management intent and security goals (e.g., 'all laptops must be secured'), not a document that specifies mandatory technical settings like disk encryption algorithms or exact timeout values. Option C is wrong because a guideline is a set of recommended practices or suggestions that are not mandatory, whereas the question explicitly requires 'mandatory settings' that must be enforced on every corporate laptop.

854
Multi-Selecteasy

An employee reports a suspicious email that appears to be from the help desk. Which two details are the strongest signs of phishing? Select two.

Select 2 answers
A.The message creates urgency and threatens account suspension within 15 minutes.
B.The sender address uses a look-alike domain with one letter changed.
C.The email signature includes the company logo and a professional font.
D.The message was delivered during normal business hours.
E.The subject line includes the employee's department name.
AnswersA, B

Urgent pressure is a common social engineering tactic used to stop the user from verifying the request carefully.

Why this answer

Option A is correct because creating a false sense of urgency, such as threatening account suspension within 15 minutes, is a classic social engineering tactic used in phishing to bypass rational thinking and prompt immediate action. This exploits the recipient's fear of losing access, which is a psychological trigger rather than a technical indicator, but it is one of the strongest behavioral signs of a phishing attempt.

Exam trap

The trap here is that candidates often focus on technical indicators like sender address or domain spoofing (Option B) as the strongest sign, but the exam emphasizes that urgency and threats are equally strong behavioral red flags, and both A and B are correct in this question.

855
Matchingmedium

Match each change-management practice to the best description for reducing patching risk in production.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Use a phased rollout to catch compatibility issues early

Provide a rollback or backout plan if the patch fails

Place the work inside a maintenance window

Create a baseline that supports recovery and comparison

Apply change control and obtain approval

Why these pairings

These change-management practices reduce patching risk by ensuring proper review, scheduling, rollback capability, pre-testing, documentation, and automation to minimize errors.

856
MCQeasy

EDR flags a workstation because a word processor launched an unusual script and then contacted a rare external domain. What is the best immediate action?

A.Isolate the workstation from the network using the EDR tool.
B.Wait for another alert before taking any action.
C.Delete the word processor immediately.
D.Reboot the workstation to see if the behavior happens again.
AnswerA

This is the best immediate containment step because it stops the workstation from communicating with a possible attacker while preserving the system for further analysis. EDR isolation is designed for exactly this type of suspicious endpoint behavior. It limits lateral movement, reduces data exfiltration risk, and gives responders time to investigate before deciding on cleanup or reboot actions.

Why this answer

Isolating the workstation with the EDR tool is the best immediate action because it contains the potential compromise by cutting off network communication, preventing lateral movement or data exfiltration while preserving forensic evidence. The combination of an unusual script execution from a word processor and a connection to a rare external domain strongly suggests a possible malware infection or remote access trojan (RAT) that requires immediate containment.

Exam trap

The trap here is that candidates may think rebooting (Option D) is a safe first step, but it can destroy volatile evidence and does not contain the threat, whereas isolation via EDR is the correct containment action per incident response best practices.

How to eliminate wrong answers

Option B is wrong because waiting for another alert could allow the threat to spread or exfiltrate data, violating the principle of timely containment in incident response. Option C is wrong because deleting the word processor does not address the underlying malicious script or process that may still be running, and it destroys potential forensic evidence. Option D is wrong because rebooting the workstation may terminate the suspicious process but does not prevent the system from being re-infected or the attacker from re-establishing access, and it could also clear volatile memory evidence.

857
MCQhard

Based on the exhibit, which document type should the service desk use for the locked-account workflow?

A.Policy, because it states broad rules for account access.
B.Standard, because it defines the minimum password requirements for all users.
C.Procedure, because it lists the exact steps analysts must follow in sequence.
D.Guideline, because it gives flexible suggestions for handling locked accounts.
AnswerC

A procedure is the correct document when management wants analysts to perform a task exactly the same way every time. The exhibit contains sequential steps for identity verification, password reset, ticket recording, and user confirmation. That is operational guidance, not a broad policy statement or an optional guideline.

Why this answer

A procedure document is the correct choice because it provides a step-by-step sequence of actions that service desk analysts must follow to unlock an account. The locked-account workflow requires precise, ordered steps (e.g., verifying identity, checking lockout status, resetting the account) to ensure consistency and security, which aligns with the definition of a procedure.

Exam trap

The trap here is confusing a procedure with a policy or standard, as candidates often think 'rules for account access' (policy) or 'password requirements' (standard) apply to the workflow, but only a procedure provides the exact sequential steps needed for operational tasks.

How to eliminate wrong answers

Option A is wrong because a policy states high-level rules and objectives (e.g., 'accounts must be locked after 3 failed attempts') but does not provide the specific steps for unlocking. Option B is wrong because a standard defines mandatory requirements like minimum password length or complexity, not the workflow for handling locked accounts. Option D is wrong because a guideline offers flexible suggestions or best practices, whereas the locked-account workflow requires strict adherence to a defined sequence to avoid security gaps.

858
MCQmedium

A company uses a third-party expense application and wants employees to sign in with their corporate identity once, then automatically lose access in the expense app when they are terminated in the HR system. Which solution best meets both requirements?

A.Create separate local usernames in the expense app and synchronize passwords weekly.
B.Implement federated single sign-on and automated user provisioning and deprovisioning.
C.Require a VPN connection before users can open the expense app.
D.Use a shared generic account for all employees and rotate the password monthly.
AnswerB

Federation provides single sign-on with corporate credentials, and automated lifecycle sync removes access promptly when status changes.

Why this answer

Federated single sign-on (SSO) allows users to authenticate once using their corporate identity (e.g., via SAML or OIDC), and automated provisioning/deprovisioning (often via SCIM) ensures that when an employee is terminated in the HR system, their access to the expense app is automatically revoked. This meets both requirements: seamless sign-in and immediate loss of access upon termination.

Exam trap

The trap here is that candidates may think VPN or password synchronization provides adequate access control, but they fail to recognize that only federated SSO combined with automated provisioning/deprovisioning ensures both seamless authentication and immediate revocation tied to the corporate identity lifecycle.

How to eliminate wrong answers

Option A is wrong because creating separate local usernames and synchronizing passwords weekly does not provide single sign-on (users still need separate credentials) and weekly sync introduces a delay, so terminated employees could retain access for up to a week. Option C is wrong because requiring a VPN connection controls network access but does not address authentication or automated deprovisioning; a terminated employee could still sign in if their credentials are valid. Option D is wrong because a shared generic account violates the principle of individual accountability, cannot tie access to a specific employee's termination, and monthly password rotation does not automatically revoke access upon termination.

859
MCQhard

Based on the exhibit, which additional control best reduces the risk of tailgating at the entrance while preserving normal employee flow?

A.Post a security guard at the entrance during business hours.
B.Install a mantrap or anti-passback turnstile that admits one person per badge authorization.
C.Add more CCTV cameras in the lobby and at the parking lot entrance.
D.Send quarterly emails reminding employees not to hold doors open.
AnswerB

This is the best fit because the current controls detect the problem but do not stop it. A mantrap or turnstile is a preventive physical control that enforces single-person entry and directly addresses tailgating while keeping normal employee movement efficient. It reduces reliance on people noticing and reacting in real time.

Why this answer

A mantrap or anti-passback turnstile enforces one-person-per-badge authorization, physically preventing tailgating by only allowing a single individual to pass per valid credential. This preserves normal employee flow because authorized users can enter quickly without manual intervention, unlike guards or awareness campaigns that rely on human compliance.

Exam trap

CompTIA often tests the distinction between preventive controls (mantraps/turnstiles) and detective or administrative controls (CCTV, emails, guards), leading candidates to choose a familiar but ineffective option like CCTV or security guards.

How to eliminate wrong answers

Option A is wrong because posting a security guard is a deterrent, not a technical control; guards can be bypassed or overwhelmed during peak hours and do not scale to maintain normal flow without causing bottlenecks. Option C is wrong because CCTV cameras are detective controls that record incidents after they occur, not preventive controls that stop tailgating in real time. Option D is wrong because quarterly email reminders are administrative controls that rely on employee behavior change; they are ineffective against intentional tailgating and do not enforce physical access restrictions.

860
MCQmedium

A SOC analyst receives a SIEM alert for a possible brute-force attack against a remote access portal. The alert shows 240 failed logins from the same source IP over 4 minutes, followed by one successful login. Before escalating as an incident, what is the BEST evidence to check to determine whether the alert is a false positive caused by approved activity?

A.Whether the source IP belongs to the company help desk
B.Whether there is a change ticket or test plan for the access portal and the activity matches the approved maintenance window
C.Whether the user account has MFA enabled
D.Whether the firewall is in inline mode
AnswerB

A documented change, test plan, and matching maintenance window provide the strongest evidence that the alert reflects approved work rather than malicious activity.

Why this answer

A change ticket or test plan that matches the observed activity (240 failed logins followed by a successful login during an approved maintenance window) would indicate that the alert is a false positive caused by authorized testing or maintenance, not a malicious brute-force attack. This is the best evidence because it directly ties the SIEM alert to approved, scheduled activity, which is a standard operational control for change management.

Exam trap

The trap here is that candidates may assume a help desk IP or MFA automatically validates the activity, but only a documented change ticket or test plan provides the necessary evidence to classify the alert as a false positive under standard incident response procedures.

How to eliminate wrong answers

Option A is wrong because the source IP belonging to the company help desk does not automatically make the activity approved; help desk staff could still be performing unauthorized or malicious actions, and the IP alone does not provide evidence of a change ticket or test plan. Option C is wrong because MFA being enabled on the user account does not explain the 240 failed logins from a single source IP; MFA is a security control that would mitigate the impact of a successful login but does not prove the activity was approved or that the alert is a false positive.

861
MCQmedium

An HR portal has three job functions: HR staff update employee records, managers approve leave requests, and payroll views salary data. The security team wants to prevent any one role from having all capabilities. Which access design is the best fit?

A.Use a single superuser account for the entire department so tasks can be completed quickly.
B.Create role-based access groups aligned to each job function and grant only the permissions needed for that role.
C.Give every employee access to all portal features and depend on audit logs to catch mistakes later.
D.Require the payroll team to share one common password and use it only from the office network.
AnswerB

Role-based access control is the right design because it maps permissions to job responsibilities. HR, managers, and payroll each receive only the access they need, which supports separation of duties and makes access reviews easier. It also reduces the chance that one user or one account can perform every sensitive action in the portal.

Why this answer

Role-based access control (RBAC) is the correct design because it enforces the principle of least privilege by granting each job function only the permissions necessary for its tasks. This prevents any single role from accumulating all capabilities (e.g., HR staff cannot approve leave or view salary data), directly addressing the security team's requirement to separate duties. RBAC aligns with NIST SP 800-53 AC-6 and is a standard access control model for multi-role enterprise applications.

Exam trap

The trap here is that candidates may confuse 'role-based access control' with 'discretionary access control' (DAC) or think that audit logs alone are sufficient for security, but the SY0-701 exam emphasizes that preventive controls (like RBAC) are superior to detective controls (like logging) for enforcing separation of duties.

How to eliminate wrong answers

Option A is wrong because a single superuser account violates separation of duties and least privilege, granting all capabilities to one user and increasing the risk of insider threats or credential compromise. Option C is wrong because giving every employee full access to all portal features removes all access controls, making the system reliant solely on audit logs for detection rather than prevention, which is a security anti-pattern. Option D is wrong because shared passwords eliminate non-repudiation and accountability, and restricting access by network location (e.g., office network) does not prevent a single role from having all capabilities; it only adds a weak perimeter control.

862
MCQhard

Based on the exhibit, which change best improves both recovery time and recovery point for the ERP database? A mid-sized company has a two-hour RTO and a 30-minute RPO, but its current backup design cannot meet either objective during restore testing.

A.Add a second nightly full backup at 23:30 to the same NAS device.
B.Move the NAS to a different VLAN but keep the backup schedule unchanged.
C.Implement frequent transaction log backups and a pre-staged standby or automated recovery image.
D.Increase backup retention from one month to one year.
AnswerC

Transaction log backups reduce the amount of data lost between full backups, improving the RPO. A pre-staged standby or automated recovery image shortens rebuild time, improving the RTO. Together, these changes directly address both recovery objectives instead of simply storing the same backups more safely or for longer. The test results show that the current restore approach is far too slow and too coarse.

Why this answer

Option C is correct because implementing frequent transaction log backups (e.g., every 5–10 minutes) allows point-in-time recovery, reducing the recovery point objective (RPO) to minutes. A pre-staged standby or automated recovery image reduces recovery time objective (RTO) by eliminating the need to restore from scratch, enabling near-instant failover. This directly addresses the company's inability to meet its 30-minute RPO and 2-hour RTO during restore testing.

Exam trap

The trap here is that candidates confuse backup frequency (e.g., more full backups) with recovery point improvement, failing to recognize that only transaction log backups or incremental changes can reduce RPO below the full backup interval, and that pre-staging is required to meet aggressive RTOs.

How to eliminate wrong answers

Option A is wrong because adding a second nightly full backup to the same NAS device does not reduce the recovery point window (still up to 24 hours of data loss) and does not improve recovery time (restore still takes hours from a full backup). Option B is wrong because moving the NAS to a different VLAN addresses network segmentation or security, not backup performance or recovery objectives; it has no impact on RTO or RPO. Option D is wrong because increasing retention from one month to one year only extends how far back data can be restored, not how quickly or with how little data loss; it does not improve RTO or RPO.

863
MCQmedium

An HR portal has three groups: HR staff can edit employee records, managers can approve leave, and payroll can view salary data. No one should have all functions. Which access model should the engineer implement?

A.Role-based access control with separate groups mapped to each business function.
B.A single shared admin account so all tasks can be completed quickly.
C.Mandatory access control with all users assigned the same clearance level.
D.Local account creation on the portal for each user, with permissions assigned manually one by one.
AnswerA

RBAC fits business duties well and keeps access aligned to job functions instead of individual exceptions.

Why this answer

Option A is correct because Role-Based Access Control (RBAC) allows the engineer to define three distinct roles (HR staff, managers, payroll) with granular permissions mapped to specific business functions, ensuring no single user inherits all privileges. This model enforces the principle of least privilege by separating duties across groups, preventing any user from having full access to the portal's sensitive operations.

Exam trap

The trap here is that candidates may confuse RBAC with MAC or DAC, assuming that any access control model can enforce separation of duties, but only RBAC with distinct role groups directly addresses the requirement of mapping business functions to permissions without granting overlapping privileges.

How to eliminate wrong answers

Option B is wrong because a single shared admin account violates the principle of least privilege and separation of duties, as it would grant all three functions to anyone using the account, making auditing and accountability impossible. Option C is wrong because Mandatory Access Control (MAC) with all users assigned the same clearance level would not differentiate between HR, managers, and payroll functions; MAC relies on labels and clearances, not job roles, so it cannot enforce the required separation of business functions. Option D is wrong because local account creation with manual permissions is not scalable, introduces administrative overhead, and lacks the centralized, role-based grouping needed to enforce consistent separation of duties across the portal.

864
MCQmedium

A vulnerability scan finds that an administrative SSH service on a Linux server is listening on 0.0.0.0 and is reachable from the internet. The server is meant to be managed only from the internal admin subnet. What is the best remediation?

A.Patch the SSH client on administrator laptops so the server cannot be reached externally.
B.Restrict SSH to the management network and block public access with firewall or host-based rules.
C.Enable a captive portal on the public interface so only authenticated users see the service.
D.Replace SSH with FTP because FTP can be configured to allow administrative access more easily.
AnswerB

Limiting the service to the internal management subnet removes unnecessary exposure and aligns with least exposure and secure administration practices.

Why this answer

Option B is correct because the vulnerability is that SSH is exposed to the internet on 0.0.0.0, which violates the principle of least privilege and exposes the administrative interface to unauthorized access. The best remediation is to restrict SSH to the internal management subnet using firewall rules (e.g., iptables, security group ACLs) or host-based rules (e.g., tcpwrappers, /etc/hosts.allow), ensuring only trusted internal IPs can reach the service. This directly addresses the exposure without changing the protocol or client configuration.

Exam trap

The trap here is that candidates may think patching the client (Option A) or adding authentication (Option C) solves the exposure, but the core issue is network-level access control—no amount of client-side patching or portal authentication can prevent an attacker from reaching the open SSH port from the internet.

How to eliminate wrong answers

Option A is wrong because patching the SSH client on administrator laptops does nothing to prevent external attackers from reaching the server; the server is still listening on 0.0.0.0 and accessible from the internet. Option C is wrong because a captive portal is a web-based authentication mechanism typically used for guest networks, not for securing an SSH service; SSH does not support captive portal redirection, and this would not prevent direct TCP access to port 22. Option D is wrong because FTP transmits credentials and data in cleartext by default, which is far less secure than SSH; replacing SSH with FTP would increase the attack surface and violate security best practices for administrative access.

865
MCQhard

Based on the exhibit, what is the best next request before approving the vendor?

A.Ask for a fresh marketing brochure that describes the vendor's security controls in detail.
B.Accept the internal penetration test summary because it proves the controls were tested recently.
C.Request only the shared responsibility matrix again, since it covers all security responsibilities.
D.Request a current SOC 2 Type II report or equivalent independent operating-effectiveness attestation.
AnswerD

The business specifically wants independent evidence that controls operated effectively during a recent period. A SOC 2 Type II report is designed for that purpose, whereas a Type I report only addresses control design at a point in time. Because the current packet lacks both timely independent assurance and contractual safeguards, the SOC 2 Type II request is the most defensible next step.

Why this answer

Option D is correct because a SOC 2 Type II report provides an independent, third-party attestation of the effectiveness of a vendor's security controls over a period of time (typically 6–12 months). This is the most reliable evidence for verifying that the vendor's operational security controls are working as intended, which is critical before approving a vendor. The internal penetration test summary (Option B) lacks independence and may not cover all relevant controls, while a marketing brochure (Option A) is not a verifiable audit artifact.

The shared responsibility matrix (Option C) defines roles but does not attest to control effectiveness.

Exam trap

The trap here is that candidates may think an internal penetration test summary (Option B) is sufficient because it 'proves the controls were tested recently,' but the exam emphasizes that independence and sustained operational effectiveness (as shown in a SOC 2 Type II) are required for vendor approval, not just a point-in-time internal test.

How to eliminate wrong answers

Option A is wrong because a marketing brochure is a self-promotional document with no independent verification or audit rigor; it cannot substitute for a formal attestation report like SOC 2. Option B is wrong because an internal penetration test summary is not independent—it was performed by the vendor's own team or a hired firm without the objectivity of a third-party auditor, and it only tests a snapshot in time rather than sustained operational effectiveness. Option C is wrong because a shared responsibility matrix only clarifies which party is responsible for which security controls; it does not provide any evidence that those controls are actually implemented or operating effectively.

866
MCQeasy

A vulnerability scan finds a critical flaw on a public-facing server and a medium flaw on a lab system that is not connected to the production network. Which issue should be fixed first?

A.The medium flaw on the isolated lab system, because all vulnerabilities should be fixed in alphabetical order.
B.The critical flaw on the public-facing server, because it has higher business risk.
C.Both systems can wait until the next quarterly patch cycle.
D.The lab system, because internal systems always outrank external systems.
AnswerB

Public exposure and critical severity make this issue more likely to be exploited and more impactful.

Why this answer

The critical flaw on the public-facing server should be fixed first because it presents a higher business risk. A public-facing server is directly accessible from the internet, making it a prime target for attackers. Exploiting a critical vulnerability could lead to data breaches, service disruption, or unauthorized access, with immediate and severe business impact.

In contrast, the medium flaw on an isolated lab system poses no direct threat to production operations or sensitive data.

Exam trap

The trap here is that candidates may assume all vulnerabilities must be fixed in order of severity alone, ignoring the crucial factor of asset exposure and business context, or they may mistakenly believe that internal systems are always more critical than external ones.

How to eliminate wrong answers

Option A is wrong because fixing vulnerabilities in alphabetical order is not a valid prioritization method; risk-based prioritization based on severity and exposure is the industry standard. Option C is wrong because delaying remediation of a critical flaw on a public-facing server until the next quarterly patch cycle could leave the organization exposed to exploitation for an unacceptable period; critical vulnerabilities often require immediate patching or compensating controls. Option D is wrong because internal systems do not always outrank external systems; in fact, public-facing systems typically have higher risk due to internet exposure, and isolated lab systems have minimal business risk.

867
MCQmedium

Based on the exhibit, which wireless security change best addresses both unauthorized device access and the risk of a lost laptop connecting to corporate resources?

A.Increase the PSK length and rotate it every 30 days.
B.Move the SSID to WPA2-Enterprise or WPA3-Enterprise with 802.1X, device certificates, and MDM-based compliance checks.
C.Hide the SSID and enable MAC address filtering on the access points.
D.Keep the current wireless design and rely on a VPN client for all remote access.
AnswerB

Enterprise Wi-Fi uses individual authentication instead of a shared passphrase, so access can be tied to a specific user or device. Device certificates and MDM compliance checks strengthen control over enrolled endpoints and make it easier to revoke access for lost or noncompliant devices. This is the most secure and manageable architecture shown by the exhibit.

Why this answer

Option B is correct because WPA2-Enterprise or WPA3-Enterprise with 802.1X, device certificates, and MDM-based compliance checks provides mutual authentication and per-user, per-session encryption. This eliminates the risk of a lost laptop connecting to corporate resources (since device certificates can be revoked) and prevents unauthorized device access through certificate-based authentication and MDM compliance enforcement, unlike shared PSK which cannot be individually revoked.

Exam trap

The trap here is that candidates often think hiding the SSID or MAC filtering provides meaningful security, but these are easily bypassed and do not address revocation or per-device authentication, while PSK rotation seems proactive but fails to solve the lost-laptop revocation problem.

How to eliminate wrong answers

Option A is wrong because increasing PSK length and rotating it every 30 days still uses a shared pre-shared key, which cannot be individually revoked if a laptop is lost; any device with the current PSK can connect, and rotating the PSK requires reconfiguring all authorized devices, causing operational overhead. Option C is wrong because hiding the SSID and enabling MAC address filtering are trivial security measures: SSID hiding is easily defeated by passive monitoring (the SSID is broadcast in probe requests and beacons), and MAC addresses can be spoofed, so neither prevents a lost laptop from connecting nor stops unauthorized devices. Option D is wrong because relying solely on a VPN client without changing the wireless security leaves the network open to unauthorized devices connecting directly to the wireless LAN; a lost laptop with VPN credentials could still connect to the corporate network via the wireless SSID before the VPN is established, and there is no per-device revocation mechanism.

868
MCQmedium

A business-critical internal reporting portal is exposed to all employees. A scan finds a high-severity vulnerability, but the vendor says a fix will not be available for 30 days. The application is only used by finance once a month, and the business can tolerate a brief outage if needed. Which risk treatment is the BEST immediate action?

A.Accept the risk because the application is used infrequently and the impact is limited.
B.Apply compensating controls, such as restricting access and adding a temporary control, until the vendor patch is available.
C.Transfer the risk by purchasing cyber insurance for the application.
D.Avoid the risk by permanently decommissioning the reporting portal.
AnswerB

This is the best choice because it reduces the likelihood of exploitation while the patch is unavailable. Restricting access to only the users who truly need the system, adding temporary network or application-layer controls, and documenting the residual risk are practical mitigation steps. The scenario shows the business can tolerate a short interruption, so a short-term reduction in exposure is more appropriate than doing nothing or permanently shutting the system down.

Why this answer

Option B is correct because applying compensating controls—such as restricting access to only the finance team and implementing a temporary web application firewall (WAF) rule—immediately reduces the attack surface while the vendor develops a patch. This aligns with the risk treatment of mitigation, as it lowers the likelihood of exploitation without requiring a full fix. The business can tolerate a brief outage, so a temporary access control list (ACL) or IP whitelist is a practical, immediate measure.

Exam trap

The trap here is that candidates may choose 'Accept the risk' (Option A) because the app is used infrequently, but they overlook that a high-severity vulnerability in an internal portal still poses a significant risk of lateral movement or data exposure, making acceptance inappropriate without compensating controls.

How to eliminate wrong answers

Option A is wrong because accepting the risk ignores the high-severity nature of the vulnerability; even infrequent use can lead to a data breach if exploited, and the impact may be greater than assumed. Option C is wrong because transferring risk via cyber insurance does not prevent the vulnerability from being exploited; it only provides financial reimbursement after an incident, which is not an immediate security control. Option D is wrong because permanently decommissioning the portal is an extreme measure that would disrupt the monthly finance reporting, and the business only tolerates a brief outage, not permanent loss of the application.

869
MCQeasy

During a disaster recovery test, what is the most important thing to confirm about the backup?

A.That the backup files exist in storage.
B.That the data can be restored and is usable after recovery.
C.That the backup system uses encryption.
D.That the backup is stored on tape instead of disk.
AnswerB

The real purpose of a backup is successful recovery. During testing, the team should verify that the data restores correctly and that applications or users can actually use it afterward. This confirms the backup supports business continuity and is not merely sitting in storage as an unreadable copy.

Why this answer

The most important thing to confirm about a backup during a disaster recovery test is that the data can be restored and is usable after recovery. This validates the integrity and completeness of the backup, ensuring that the recovery point objective (RPO) and recovery time objective (RTO) can be met. Simply verifying that backup files exist does not guarantee they are not corrupted or that the restoration process will succeed, which is why a full restore test is critical.

Exam trap

The trap here is that candidates often confuse backup existence with backup usability, assuming that if the backup file is present and encrypted, it must be restorable, but CompTIA emphasizes that only a successful restore test confirms recoverability.

How to eliminate wrong answers

Option A is wrong because merely confirming that backup files exist in storage does not validate their integrity, consistency, or ability to be restored; a backup file could be present but corrupted or incomplete. Option C is wrong because encryption protects data at rest or in transit but has no bearing on whether the backup can be successfully restored and used; encryption is a security control, not a recovery validation. Option D is wrong because the storage medium (tape vs. disk) is irrelevant to the core requirement of recoverability; both media can hold valid or invalid backups, and the choice depends on factors like speed, cost, and retention, not on the ability to restore.

870
MCQmedium

A security analyst discovers that an organization's web application is vulnerable to SQL injection. The application uses a legacy database driver that does not support parameterized queries. Which of the following is the BEST mitigation to prevent this vulnerability?

A.Implement a web application firewall (WAF) to filter malicious input.
B.Update the database driver to a version that supports parameterized queries.
C.Encode all user input using HTML encoding.
D.Disable error messages that reveal database schema.
AnswerB

Parameterized queries ensure that user input is treated as data, not executable code, which is the definitive prevention for SQL injection. Updating the driver to support this is the best long-term mitigation.

Why this answer

Option B is correct because the root cause of the SQL injection vulnerability is the legacy database driver that does not support parameterized queries. Updating the driver to a modern version that supports parameterized queries (also known as prepared statements) allows the application to separate SQL logic from user-supplied data, effectively preventing SQL injection at the database layer. This addresses the fundamental flaw rather than relying on external filtering or encoding.

Exam trap

The trap here is that candidates often choose a WAF (Option A) as a quick fix, overlooking that it only mitigates symptoms rather than eliminating the root cause, which is the lack of parameterized query support in the database driver.

How to eliminate wrong answers

Option A is wrong because implementing a web application firewall (WAF) is a compensating control that filters malicious input based on signatures or heuristics, but it can be bypassed with obfuscated payloads and does not fix the underlying insecure code. Option C is wrong because HTML encoding is designed to prevent cross-site scripting (XSS) by neutralizing HTML special characters, not SQL injection; it does not prevent an attacker from injecting SQL commands into database queries.

871
Multi-Selecthard

Threat intelligence reports a campaign that rotates domains daily and repacks the malware for each delivery. Analysts also observe the same TLS certificate fingerprint, the same mutex name, and the same JA3 client fingerprint across multiple samples. Which three indicators are most useful to prioritize for hunting or blocking? Select three.

Select 3 answers
A.The TLS certificate fingerprint reused by multiple samples.
B.The mutex name created by the malware on infected endpoints.
C.The JA3 client fingerprint observed in outbound TLS sessions.
D.The current domain name used by the command-and-control server.
E.The public IP address currently hosting the malware sample.
AnswersA, B, C

A reused certificate fingerprint is harder for attackers to change quickly than a daily domain. It can identify infrastructure or tooling reused across campaigns. Because it appears across multiple samples, it is a durable hunting and blocking indicator compared with short-lived hostnames.

Why this answer

The TLS certificate fingerprint is a reliable indicator because it is derived from the certificate's public key and metadata, which remain static even when the malware's domain or IP address changes. Since the threat intelligence report states the same fingerprint is reused across multiple samples, this provides a stable, immutable identifier that can be used to detect or block malicious TLS handshakes regardless of domain rotation.

Exam trap

CompTIA often tests the concept that dynamic indicators like domains and IPs are less reliable for persistent detection compared to static artifacts such as cryptographic fingerprints or mutex names, which remain constant despite infrastructure changes.

872
MCQmedium

Based on the exhibit, what is the best response to the facilities manager's request?

A.Provide the export because the requester is a manager with a legitimate business relationship to employees.
B.Deny the request and direct the manager to use an approved work-contact list or seek privacy review.
C.Send the data to the manager if the manager promises not to share it externally.
D.Store the export in a shared drive so multiple teams can use it for convenience.
AnswerB

The privacy notice clearly limits home addresses and personal phone numbers to defined HR and payroll purposes. The facilities request exceeds that purpose, so the correct action is to deny the export unless a formal privacy review approves another use. Where possible, use a work-contact list that contains less sensitive information.

Why this answer

The facilities manager's request to export employee contact information for a separate system likely violates data privacy policies and potentially regulations like GDPR or CCPA. Option B is correct because the proper procedure is to deny the ad-hoc export and direct the manager to use an approved work-contact list or seek a privacy review, ensuring data handling complies with organizational data governance and privacy requirements.

Exam trap

The trap here is that candidates may assume a manager's role and business relationship automatically grant data access, overlooking the need for formal privacy review and approved data handling procedures.

How to eliminate wrong answers

Option A is wrong because being a manager with a legitimate business relationship does not automatically authorize bulk export of employee personal data; privacy policies and data classification require a formal review. Option C is wrong because a verbal promise not to share data externally is not a security control; data handling must be enforced through technical and policy mechanisms, not trust. Option D is wrong because storing the export in a shared drive increases exposure risk and violates the principle of least privilege; convenience does not override data protection requirements.

873
MCQhard

Based on the exhibit, which awareness control best addresses the observed failure pattern?

A.Replace the phone-call simulation with longer monthly policy newsletters.
B.Run targeted vishing exercises and teach a callback verification procedure.
C.Disable MFA so users are not asked for one-time codes.
D.Tell users to ignore all requests from anyone outside the company.
AnswerB

This is the best fit because the failures occurred during a phone-based social engineering attack that asked for one-time codes. Targeted vishing drills train users to recognize voice-based pressure tactics, and a callback verification procedure gives them a safe way to confirm legitimacy without relying on the caller. That directly addresses the observed failure pattern.

Why this answer

The exhibit shows a pattern where users are falling for phone-based social engineering (vishing), not email or general phishing. Option B directly addresses this by running targeted vishing exercises to simulate the real threat and teaching a callback verification procedure, which is a specific technical control to verify the identity of callers before taking action. This is the most effective awareness control because it trains users to recognize and respond to the exact attack vector observed.

Exam trap

The trap here is that candidates may choose Option A (longer newsletters) because they think more information is always better, but the question specifically tests the ability to match the awareness control to the observed attack vector (vishing), not general security awareness.

How to eliminate wrong answers

Option A is wrong because replacing phone-call simulations with longer monthly policy newsletters does not address the specific vishing failure pattern; newsletters are passive and less effective for hands-on behavioral change. Option C is wrong because disabling MFA would actually increase security risk by removing a critical authentication layer, and it does not address the social engineering vector at all. Option D is wrong because telling users to ignore all requests from anyone outside the company is impractical and overly broad; legitimate external communications (e.g., from vendors, customers) would be disrupted, and it does not teach a verifiable procedure.

874
MCQeasy

Analysts see a malware campaign that changes its command-and-control domain every day, but the executable hash and a unique registry value remain the same across incidents. Which indicator is the best candidate for hunting?

A.The daily domain name used for command and control.
B.The executable hash from the malware sample.
C.The employee's home city where the alert was observed.
D.The brand of the user's keyboard and mouse.
AnswerB

A stable hash is a strong, specific indicator when the malware file itself remains unchanged.

Why this answer

Option B is correct because the executable hash (e.g., SHA-256) and the unique registry value are static, immutable artifacts that persist across every incident, regardless of the daily domain rotation. These indicators are far more reliable for hunting since they directly identify the malware binary itself, whereas the domain changes frequently and may be blocked or sinkholed after detection.

Exam trap

The trap here is that candidates focus on the changing domain (a dynamic indicator) because it is directly observable in network traffic, but the exam tests the understanding that static indicators (like the hash) are more persistent and effective for hunting across multiple incidents.

How to eliminate wrong answers

Option A is wrong because the daily domain name is a volatile indicator that changes every day, making it unreliable for long-term hunting; it would require constant updates and may already be taken down by the time it is used. Option C is wrong because the employee's home city is a geographic attribute unrelated to the malware's technical characteristics and cannot be used to identify or track the specific malware campaign. Option D is wrong because the brand of the user's keyboard and mouse is a hardware peripheral detail that has no bearing on the malware's behavior or persistence, and it is not a valid indicator of compromise.

875
MCQmedium

An administrator notices that a finance file share remained normal for weeks after a former contractor left the company. This morning, multiple PDFs and spreadsheets were deleted, and a scheduled task created months ago is now executing a script that wipes files in the shared folder. Which malware type is most consistent with this behavior?

A.Logic bomb triggered by a time or condition after being planted earlier
B.Worm that is automatically propagating to other endpoints
C.Spyware that is secretly collecting keystrokes and screenshots
D.Rootkit that is hiding itself in the kernel to maintain stealth
AnswerA

A logic bomb is the best fit because malicious code was planted earlier and remained dormant until a trigger condition caused it to execute. The scheduled task and delayed destructive action are classic signs of a hidden payload designed to activate later, sometimes after a user departure, date, or system event. The time gap strongly supports this interpretation.

Why this answer

The behavior matches a logic bomb: malicious code planted in advance (the scheduled task created months ago) that remains dormant until triggered by a specific condition (the passage of time or a date). The file share was normal for weeks because the logic bomb had not yet met its trigger condition; once triggered, it executed the script to delete files. This contrasts with other malware types that require active propagation, continuous monitoring, or kernel-level hiding.

Exam trap

The trap here is that candidates may confuse a logic bomb with a worm because both can cause widespread damage, but the key distinction is the pre-planted, dormant nature of the logic bomb versus the active self-propagation of a worm.

How to eliminate wrong answers

Option B is wrong because a worm self-propagates across networks without user intervention, but here the malware was planted as a scheduled task months ago and only activated recently, with no evidence of lateral movement or replication. Option C is wrong because spyware focuses on covert data collection (keystrokes, screenshots) and does not typically delete files or execute destructive scripts via scheduled tasks. Option D is wrong because a rootkit hides its presence by modifying the OS kernel or system calls, whereas the described behavior involves a visible scheduled task and file deletion without any stealth mechanisms.

876
Matchingeasy

Match each traffic control to the best description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Tracks connection state and allows return traffic for approved sessions

Allows or denies traffic using source, destination, port, and protocol rules without tracking sessions

Blocks traffic unless a rule explicitly permits it

Limits traffic moving between internal subnets or tiers

Why these pairings

ACLs filter based on IPs/ports; QoS prioritizes traffic; shaping controls rate; policing drops excess; NAT translates addresses; port security limits MACs per port.

877
MCQmedium

An EDR console reports possible beaconing from a workstation because it makes outbound HTTPS connections to the same cloud IP every 15 minutes. The workstation belongs to the patch-management team, and the destination resolves to a vendor update service. Which evidence best supports closing the alert as a false positive?

A.The workstation user says the activity looks normal and no files were encrypted.
B.The source IP appears on a blocklist, so the alert must be malicious.
C.Process lineage and signed agent logs show the patch client initiated the traffic on schedule.
D.The workstation has antivirus installed, which means outbound beaconing is impossible.
AnswerC

Process lineage and agent logs provide strong proof that the traffic came from the approved patch client. When the destination is a known vendor service and the timing matches the expected update schedule, the repeated connections are likely normal behavior. This is exactly the kind of evidence analysts should use to validate a detection instead of escalating a benign operational pattern.

Why this answer

Option C is correct because it provides verifiable evidence that the outbound HTTPS connections are legitimate: the process lineage and signed agent logs confirm the patch-management client initiated the traffic on its scheduled update cycle. This aligns with the expected behavior of a patch-management tool, which often uses HTTPS to a vendor update service at regular intervals. The EDR's beaconing detection is a false positive because the traffic is not malicious but rather a routine, authorized activity.

Exam trap

The trap here is that candidates may assume any periodic outbound connection is malicious beaconing, ignoring that legitimate software update services often use scheduled HTTPS connections to the same IP, and that process lineage and signed logs are the definitive evidence to validate the traffic's legitimacy.

How to eliminate wrong answers

Option A is wrong because user testimony and the absence of file encryption are subjective and do not provide technical proof that the network traffic is legitimate; beaconing can occur without immediate encryption events. Option B is wrong because the source IP appearing on a blocklist does not automatically make the alert malicious—blocklists often include legitimate services, and the destination is a known vendor update service. Option D is wrong because having antivirus installed does not prevent outbound beaconing; antivirus software does not block legitimate HTTPS connections initiated by authorized processes, and beaconing can still occur even with AV present.

878
MCQmedium

An API log shows repeated requests such as `GET /api/orders?orderId=105%20OR%201=1--` followed by responses containing many customers' order records instead of one record. Which attack is most likely?

A.SQL injection, because the attacker is altering the database query through crafted input.
B.Cross-site scripting, because malicious code is being reflected in the browser.
C.Cross-site request forgery, because the request appears to be an unauthorized action.
D.Broken access control, because the API is not validating the user role correctly.
AnswerA

The injected condition `OR 1=1--` is a classic indicator that user input is being interpreted as part of a database query. The application returns too much data because the attacker has manipulated the SQL logic.

Why this answer

The request includes `%20OR%201=1--`, which URL-decodes to ` OR 1=1--`. This is a classic SQL injection payload that appends a tautology (`OR 1=1`) and comments out the rest of the query (`--`). The API log shows that instead of returning a single order record, the response contains many customers' order records, confirming that the injected condition bypassed the intended WHERE clause and returned all rows from the orders table.

Exam trap

The trap here is that candidates may see the word 'API' and assume the attack is related to access control or CSRF, but the presence of SQL comment syntax (`--`) and the tautology (`OR 1=1`) in the request parameter is the definitive indicator of SQL injection.

How to eliminate wrong answers

Option B is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) into a web page viewed by other users, not altering database queries to retrieve unauthorized data. Option C is wrong because cross-site request forgery (CSRF) tricks an authenticated user into performing an unintended action, but the log shows direct crafted input in the API request, not a forged request from another site. Option D is wrong because broken access control would involve missing or flawed authorization checks on the API endpoint, but the attack here exploits a database-level injection vulnerability, not a failure to validate user roles or permissions.

879
MCQhard

A SaaS dashboard invalidates passwords after a forced reset, but a stolen bearer token from a browser cookie still works from a VPN exit node for several hours. SIEM logs show the same token value used from two countries within five minutes, and no MFA prompt appears because the token is already accepted. What attack is most likely?

A.Session hijacking, because a valid session token is being replayed from a different location.
B.Credential stuffing, because the attacker used many passwords against the portal.
C.Cross-site request forgery, because the attacker is making requests on behalf of the user.
D.Phishing, because the attacker likely stole the user's password first.
AnswerA

Session hijacking is the best answer because the attacker is reusing a valid authenticated token rather than logging in normally. The token continues to work after a password reset, and the same token appears from different geographies in a short window. That strongly suggests the session itself was stolen and replayed, which bypasses authentication controls that only protect the login step.

Why this answer

Option A is correct because the scenario describes a stolen bearer token (session token) being reused from a different geographic location (VPN exit node) without re-authentication. This is classic session hijacking, where an attacker captures a valid session token (e.g., from a browser cookie) and replays it to impersonate the authenticated user. The fact that the token works even after a password reset and bypasses MFA confirms the attack is session hijacking, not credential theft or request forgery.

Exam trap

The trap here is that candidates confuse session hijacking with CSRF, but CSRF requires the victim's browser to send the request, whereas session hijacking involves the attacker directly using the stolen token from their own machine.

How to eliminate wrong answers

Option B is wrong because credential stuffing involves using many stolen username/password pairs against a login portal, but here the attacker already has a valid bearer token and does not need to guess passwords. Option C is wrong because cross-site request forgery (CSRF) tricks a user's browser into making unintended requests using their existing session, but the attacker here is directly using a stolen token from a different location, not exploiting the user's active session.

880
MCQmedium

A security manager is leading a risk assessment for the organization. The team identifies a legacy application that contains a known critical vulnerability. The vendor has discontinued support and no patch is available. The manager calculates that the annualized loss expectancy (ALE) for exploiting this vulnerability is $50,000. Implementing a third-party web application firewall (WAF) as a compensating control would cost $80,000 per year. The organization's leadership decides that accepting the risk is the most cost-effective approach. Which of the following documents should the security manager update to formally record this risk acceptance decision and obtain the necessary sign-off?

A.Business impact analysis (BIA)
B.Risk register
C.Security baseline configuration document
D.Incident response plan
AnswerB

Correct. The risk register is used to track identified risks, their characteristics, and the chosen treatment. Updating it with the acceptance decision, rationale, and approval is essential for risk governance.

Why this answer

The risk register is the correct document to update because it formally tracks identified risks, their assessed impact, and the chosen risk response (acceptance). Recording the decision to accept the $50,000 ALE risk and obtaining sign-off ensures auditability and accountability, which is a key requirement in risk management frameworks like NIST SP 800-37.

Exam trap

The trap here is that candidates confuse the risk register with the BIA, mistakenly thinking the BIA is used to document risk acceptance decisions, when in fact the BIA only quantifies impact and does not track risk treatment or sign-off.

How to eliminate wrong answers

Option A is wrong because a business impact analysis (BIA) identifies critical business functions and quantifies the impact of disruptions, but it does not track risk treatment decisions or obtain sign-off for risk acceptance. Option C is wrong because a security baseline configuration document defines secure configuration standards for systems (e.g., CIS benchmarks), not risk acceptance decisions or sign-off processes.

881
MCQeasy

The help desk needs a document that describes the exact steps for verifying a caller and resetting a password. What type of document should they use?

A.Policy
B.Procedure
C.Standard
D.Guideline
AnswerB

A procedure is the correct document because it gives step-by-step instructions for completing a task in a consistent way. In this case, the help desk needs a repeatable method for identity verification, password reset, and ticket documentation. Procedures help reduce errors and ensure staff follow the same approved process each time.

Why this answer

A procedure provides the exact, step-by-step instructions needed for a specific task, such as verifying a caller's identity and resetting a password. This is distinct from a policy, which states high-level rules, or a standard, which defines mandatory technical requirements. The help desk needs a documented sequence of actions, which is the definition of a procedure.

Exam trap

The trap here is confusing a procedure (the 'how') with a policy (the 'what'), as candidates often think a policy document contains step-by-step instructions, but policies only set the rules, not the exact steps.

How to eliminate wrong answers

Option A is wrong because a policy is a high-level statement of management intent (e.g., 'passwords must be reset securely'), not a step-by-step guide. Option C is wrong because a standard defines mandatory technical specifications (e.g., 'passwords must be at least 12 characters'), not the exact steps to perform a task. Option D is wrong because a guideline offers general advice or recommendations (e.g., 'consider using multi-factor authentication'), not the precise, mandatory steps required for a consistent process.

882
MCQmedium

Based on the exhibit, users report that the new payment portal opens only after they bypass a browser warning. Which remediation best restores secure access without weakening certificate validation?

A.Install the same certificate on every client so the browser warning is suppressed.
B.Reissue the server certificate so the subject or SAN matches pay.example.net and chain it to the trusted CA.
C.Disable certificate name checking in the browser until the certificate expires.
D.Replace TLS with a shared symmetric key configured on the web server and all users.
AnswerB

A valid server certificate must match the hostname users are connecting to, and it must chain to a trusted issuing authority. Reissuing the certificate for pay.example.net resolves the mismatch shown in the exhibit while preserving proper certificate validation.

Why this answer

The browser warning indicates a hostname mismatch or untrusted CA. Reissuing the server certificate with the correct subject or SAN (Subject Alternative Name) matching pay.example.net and chaining it to a trusted CA resolves the warning while maintaining full certificate validation. This ensures the browser can verify both the identity and trustworthiness of the server without weakening security.

Exam trap

The trap here is that candidates may think installing the same certificate on clients (Option A) is a valid fix, but this violates certificate security by exposing the private key and does not address the root cause of the hostname mismatch.

How to eliminate wrong answers

Option A is wrong because installing the same certificate on every client does not fix the server-side hostname mismatch; it would also require distributing the private key, which breaks certificate security and is not a valid remediation. Option C is wrong because disabling certificate name checking in the browser bypasses a critical security validation, leaving the connection vulnerable to man-in-the-middle attacks and does not restore secure access. Option D is wrong because replacing TLS with a shared symmetric key eliminates certificate-based authentication entirely, removing identity verification and introducing key distribution and management risks, which weakens security rather than restoring it.

883
MCQeasy

A technician restores a file server from backup, but the business wants confidence that the recovery process will work during an outage. What should the team do most often to validate the backups?

A.Review the backup vendor brochure for proof that recovery will work.
B.Perform regular restore tests using sample files or systems.
C.Increase the backup retention period without testing restores.
D.Change the backup password every day and skip verification.
AnswerB

Restore testing proves backups are readable, complete, and usable when recovery is needed.

Why this answer

Option B is correct because the only way to gain confidence that backups can be successfully restored during an actual outage is to perform regular, documented restore tests. This validates the integrity of the backup media, the correctness of the restoration procedure, and the recoverability of data within the required recovery time objective (RTO). Without testing, assumptions about backup reliability remain unverified, which can lead to catastrophic data loss when a real disaster occurs.

Exam trap

The trap here is that candidates assume that simply having backups or extending retention is sufficient, but CompTIA emphasizes that only actual restore testing provides verifiable proof of recoverability, not the presence of backup files or vendor claims.

How to eliminate wrong answers

Option A is wrong because a vendor brochure only describes theoretical capabilities under ideal conditions, not the actual performance or compatibility of the backup solution with the specific server hardware, software, and data sets in use. Option C is wrong because increasing retention without testing does nothing to validate that the stored backup files are not corrupt, incomplete, or incompatible with the current restore environment. Option D is wrong because changing the backup password daily adds unnecessary administrative overhead and skipping verification removes the only automated check for backup integrity, making it impossible to detect silent data corruption or failed backup jobs.

884
MCQeasy

A person wearing a contractor badge asks reception to let them into the office because they forgot their access card and say they are expected for a server maintenance visit. What social engineering technique is most likely?

A.Pretexting
B.Baiting
C.Smishing
D.Ransomware
AnswerA

Pretexting uses a fabricated story or identity to gain trust and access. In this case, the person invents a maintenance visit and forgotten badge story to convince reception to grant entry.

Why this answer

Pretexting is correct because the attacker creates a fabricated scenario (the 'pretext') of being a contractor on a server maintenance visit to gain unauthorized physical access. The use of a contractor badge and the claim of a forgotten access card are designed to exploit the receptionist's trust and willingness to help, bypassing security controls without technical hacking.

Exam trap

Cisco often tests the distinction between pretexting (fabricated scenario) and baiting (offering a lure), where candidates mistakenly choose baiting because they associate the 'forgotten card' with a 'bait' like a free item, but the core technique is the false identity and story.

How to eliminate wrong answers

Option B (Baiting) is wrong because baiting involves offering something enticing (e.g., a free USB drive or download) to trick a victim into performing an action, not fabricating a story for access. Option C (Smishing) is wrong because smishing is a form of phishing conducted via SMS text messages, not an in-person social engineering technique involving a badge and verbal request.

885
MCQmedium

A SIEM reports a successful sign-in to a SaaS admin portal from a new country, followed three minutes later by multiple configuration changes to mailbox forwarding rules. The account owner says they were in the office and did not approve any changes. What should the analyst check next?

A.The identity provider and MFA logs to confirm whether the session was legitimately authenticated or hijacked.
B.The office printer logs to see whether the user printed the mailbox rules.
C.The antivirus signature version on the user’s laptop only.
D.The DNS cache on the user’s laptop to find the forwarding rule target.
AnswerA

Because the sign-in succeeded and configuration changes followed quickly, the key question is whether the session was legitimately established or taken over. Identity provider logs, MFA approvals, token issuance, and session details can confirm whether the login came from the owner or from a stolen credential/session. This is the most direct way to validate the alert before taking disruptive action.

Why this answer

Option A is correct because the SIEM alert shows a successful sign-in from a new country followed by suspicious configuration changes, which is a classic indicator of session hijacking or credential theft. Checking the identity provider (IdP) and MFA logs allows the analyst to verify if the authentication was legitimate (e.g., from a known device/IP) or if the session token was stolen and reused, as MFA can be bypassed via token replay or consent phishing. This step directly addresses the core question of whether the session was authorized or compromised.

Exam trap

The trap here is that candidates may focus on endpoint indicators (antivirus, DNS) or unrelated logs (printer) instead of recognizing that the core issue is authentication integrity, which must be verified through identity provider and MFA logs.

How to eliminate wrong answers

Option B is wrong because office printer logs are irrelevant to mailbox forwarding rule changes; they record print jobs, not authentication or email configuration events. Option C is wrong because antivirus signature versions on the user's laptop only indicate whether malware definitions are up to date, but they do not provide evidence of session hijacking or unauthorized configuration changes in a cloud SaaS portal. Option D is wrong because the DNS cache on the user's laptop stores domain-to-IP mappings, not the target address of mailbox forwarding rules; forwarding rule targets are stored in the email server's transport rules or mailbox settings, not in local DNS.

886
Multi-Selecthard

A web server should accept traffic only from a load balancer and a management jump host. The current host firewall allows all inbound ports, and the web service runs as a domain administrator. Which two changes most improve hardening without breaking the required access pattern? Select two.

Select 2 answers
A.Restrict host firewall rules to required source addresses and ports.
B.Run the service under a dedicated nonadministrative service account.
C.Leave SSH open to every subnet and rely on strong passwords.
D.Give the service account local administrator rights so it can restart itself.
E.Disable patching during business hours permanently.
AnswersA, B

Restricting the firewall to only the needed sources and ports reduces the attack surface immediately. It enforces the trust boundary around the server and prevents unnecessary inbound exposure from other networks.

Why this answer

Option A is correct because restricting host firewall rules to only the load balancer and management jump host's source IP addresses and required ports (e.g., HTTP/HTTPS for the load balancer, SSH/RDP for the jump host) enforces the principle of least privilege. This eliminates the risk of exposing unnecessary services to the entire network, which is a common attack vector. The current 'allow all inbound ports' configuration violates basic network segmentation and access control best practices.

Exam trap

The trap here is that candidates often focus on password strength or patching schedules while ignoring the critical need for network segmentation and least-privilege service accounts, which are the foundational controls tested in this question.

887
Multi-Selecteasy

A workstation is suspected of running malware and contacting an unknown host. Which two actions belong in the containment phase? Select two.

Select 2 answers
A.Isolate the workstation from the network.
B.Block the malicious IP or domain at the firewall or proxy.
C.Reimage the workstation immediately before collecting evidence.
D.Tell the user to keep working until tomorrow.
E.Delete recent logs to reduce noise.
AnswersA, B

Isolating the workstation stops spread while keeping the system available for analysis.

Why this answer

Isolating the workstation from the network (A) immediately stops the malware's ability to communicate with the command-and-control (C2) server, preventing data exfiltration and further propagation. Blocking the malicious IP or domain at the firewall or proxy (B) is a containment action that prevents any system on the network from reaching the known malicious host, even if other hosts are already compromised. Both actions align with the NIST SP 800-61 containment strategy of stopping the spread and impact of an incident.

Exam trap

The trap here is that candidates confuse the containment phase with the eradication phase, mistakenly thinking that reimaging (Option C) is a containment action when it is actually an eradication step that should only occur after evidence collection and analysis.

888
MCQmedium

A development team deploys a Linux web server on an IaaS cloud VM. The cloud provider secures the datacenter, hardware, and hypervisor. Which control remains the organization's responsibility?

A.Monitor physical badge access at the provider facility.
B.Apply OS patches and harden services running inside the virtual machine.
C.Replace the provider's network backbone with a private carrier circuit.
D.Ensure the hypervisor is updated before every release cycle.
AnswerB

In IaaS, the customer still manages the guest operating system and applications, including patching and hardening.

Why this answer

In an IaaS model, the provider handles the physical infrastructure, storage, networking foundation, and hypervisor layer. The customer remains responsible for what runs on the VM, including the guest operating system, services, configuration, and application patching. Hardening the server inside the VM is therefore the correct answer because it is one of the core customer responsibilities in this cloud model.

Why others are wrong: Physical badge access and hypervisor patching are provider duties in IaaS, so the customer cannot rely on those as their own control. Replacing the provider backbone is outside the scope of the customer’s operational responsibility and is not how shared responsibility works. The question asks for the organization’s remaining duty, which is securing the guest OS and its applications.

889
Multi-Selectmedium

Which four of the following are key principles of secure network architecture design that help enforce defense-in-depth? (Choose four.)

Select 4 answers
.Implementing a demilitarized zone (DMZ) for externally facing services
.Segmenting internal networks using VLANs and firewalls
.Using a single, unified security appliance at the network perimeter
.Deploying network access control (NAC) to authenticate devices before granting access
.Placing all servers on the same flat subnet for ease of management
.Utilizing virtual private networks (VPNs) for secure remote access

Why this answer

Implementing a DMZ isolates externally facing services (e.g., web, email) from the internal network, ensuring that if an attacker compromises a public-facing server, they cannot directly pivot to internal resources. This is a foundational defense-in-depth layer that enforces traffic inspection and access controls between zones.

Exam trap

The trap here is that candidates often think a single perimeter appliance is sufficient for security, but CompTIA emphasizes that defense-in-depth requires multiple, diverse controls—not a single device—to avoid a single point of failure.

890
Multi-Selecteasy

An employee receives a text message claiming their email password expired and asks them to tap a link and confirm a one-time code. Which two responses are appropriate? Select two.

Select 2 answers
A.Do not tap the link or share the one-time code
B.Report the message through the company's approved security channel
C.Reply to the sender and ask them to prove they are legitimate
D.Enter the code to see whether the message is real
E.Forward the text to coworkers so they can compare it
AnswersA, B

The safest response is to avoid interacting with the message, because the attacker is trying to steal credentials or MFA access.

Why this answer

Option A is correct because tapping the link or sharing the one-time code would allow an attacker to complete a credential harvesting or MFA bypass attack. The message is a classic phishing attempt designed to trick the recipient into providing a one-time code that the attacker can use to authenticate as the victim. The correct response is to never interact with the link or code.

Exam trap

The trap here is that candidates may think entering the code or replying to the sender is a safe way to verify the message, not realizing that the one-time code is a real authentication token that the attacker is actively trying to intercept.

891
MCQeasy

After a phishing-awareness campaign, which metric best shows that employees are becoming more resistant to phishing attempts?

A.The number of spam emails received by the mail gateway
B.The average length of employee passwords
C.The count of antivirus alerts on endpoints
D.The percentage of users who click phishing test links
AnswerD

A lower click rate on phishing simulations is a direct and practical indicator that training is improving user resistance and awareness.

Why this answer

Option D is correct because the percentage of users who click phishing test links directly measures behavioral change in response to simulated phishing attacks. A decreasing click rate indicates that employees are better at recognizing and avoiding phishing attempts, which is the primary goal of a phishing-awareness campaign.

Exam trap

The trap here is that candidates may confuse security awareness metrics with technical controls (e.g., spam filtering or antivirus), but the question specifically asks for a metric showing employee behavioral change, not infrastructure effectiveness.

How to eliminate wrong answers

Option A is wrong because the number of spam emails received by the mail gateway reflects external threat volume, not employee behavior or resistance to phishing. Option B is wrong because password length is a measure of authentication strength, not phishing resistance; phishing bypasses passwords by stealing them directly. Option C is wrong because antivirus alerts on endpoints indicate malware detection, which may result from many causes (e.g., drive-by downloads) and does not specifically measure employee susceptibility to phishing links.

892
MCQmedium

A systems administrator downloads a patch and a SHA-256 checksum file from the vendor. The administrator hashes the patch locally and the values match. What does the matching hash primarily confirm?

A.The file has not been altered since the vendor published the checksum.
B.The file remains confidential during transmission.
C.The vendor's private key was used to encrypt the patch.
D.The patch will definitely install successfully on every system.
AnswerA

A matching hash strongly indicates the file's contents stayed unchanged from the vendor's published version.

Why this answer

A SHA-256 checksum is a cryptographic hash that acts as a fingerprint for the file. When the locally computed hash matches the vendor-published checksum, it confirms the file's integrity — that the patch has not been modified or corrupted since the vendor generated the checksum. This does not verify confidentiality, authenticity of the signer, or installation success.

Exam trap

The trap here is that candidates confuse integrity (hash matching) with authenticity (digital signature) or confidentiality (encryption), leading them to incorrectly select options about private keys or secure transmission.

How to eliminate wrong answers

Option B is wrong because a hash match confirms integrity, not confidentiality; the file could have been transmitted in plaintext and still produce the same hash. Option C is wrong because the hash is computed from the file content, not from a private key; the vendor's private key would be used for a digital signature, not for a checksum. Option D is wrong because a matching hash only verifies the file is unchanged, not that it will install correctly on every system — installation depends on hardware, OS version, dependencies, and other factors.

893
MCQmedium

A security operations analyst is tuning a SIEM correlation rule designed to detect brute-force password attacks against domain user accounts. The current rule generates an alert when a single user account has more than 10 failed logon attempts within a 5-minute window. The SOC team is overwhelmed by thousands of alerts each day, the vast majority of which are triggered by legitimate users who accidentally mistype their passwords. Which of the following modifications to the rule would most effectively reduce false positives while still detecting actual brute-force attacks?

A.Increase the failed attempt threshold to 20 attempts within the same 5-minute window.
B.Modify the rule to trigger only when the failed attempts originate from multiple distinct source IP addresses.
C.Modify the rule to trigger only when the failed attempts are against multiple distinct user accounts.
D.Add an exception to suppress alerts for any user account that has a valid password reset request within the same time period.
AnswerB

This is correct because a genuine brute-force attack often uses a distributed set of source IPs to evade rate limiting, whereas a legitimate user mistyping typically connects from a single IP. This change filters out most false positives while still detecting distributed attacks.

Why this answer

Option B is correct because brute-force attacks often distribute failed attempts across multiple source IP addresses to evade detection, while legitimate users typically mistype from a single IP. By requiring failed attempts from multiple distinct source IPs, the rule filters out accidental mistypes (single IP) and still catches distributed brute-force attacks, which is a common evasion technique.

Exam trap

The trap here is that candidates may focus on adjusting numeric thresholds (Option A) as a quick fix, overlooking the behavioral pattern of source IP diversity that distinguishes accidental mistypes from coordinated brute-force attacks.

How to eliminate wrong answers

Option A is wrong because simply increasing the threshold to 20 attempts may reduce false positives but also allows a brute-force attacker to make more attempts before detection, increasing the risk of a successful compromise. Option C is wrong because requiring failed attempts against multiple distinct user accounts would detect a password spraying attack, not a single-user brute-force attack, and would miss targeted brute-force attempts against one account. Option D is wrong because a valid password reset request does not guarantee that subsequent failed attempts are benign; an attacker could still be brute-forcing the same account after a reset, and suppressing alerts based on this would create a dangerous blind spot.

894
MCQeasy

A company has two security issues to address this week. One is a public-facing login portal that uses default administrator credentials. The other is an internal lab system used only by one tester. Which issue should be prioritized first?

A.The internal lab system, because it is easier to fix quickly
B.The public-facing login portal, because it has a higher likelihood and impact
C.Both issues have the same priority because they are both vulnerabilities
D.Neither issue should be addressed until the next annual review
AnswerB

This system is exposed to untrusted users and already has default credentials, which greatly raises both likelihood and impact.

Why this answer

The public-facing login portal with default administrator credentials is a critical risk because it is exposed to the internet, making it easily discoverable and exploitable by attackers. Default credentials are widely known and often targeted in automated attacks, leading to a high likelihood of compromise and potential impact such as data breach or system takeover. This aligns with risk management principles where priority is given to vulnerabilities with the highest risk score (likelihood × impact).

Exam trap

The trap here is that candidates mistakenly prioritize based on ease of fix or treat all vulnerabilities as equal, rather than applying a formal risk assessment that weighs likelihood and impact to determine priority.

How to eliminate wrong answers

Option A is wrong because prioritizing based on ease of fix ignores risk assessment; the internal lab system is isolated and used by one tester, so its likelihood and impact are low, making it a lower priority. Option C is wrong because not all vulnerabilities have equal priority; risk is calculated by likelihood and impact, and the public-facing portal clearly has higher values in both dimensions. Option D is wrong because delaying remediation until the next annual review violates the principle of timely risk mitigation, especially for an internet-exposed system with default credentials that can be exploited immediately.

895
MCQmedium

Based on the exhibit, which change best meets the requirement that guest devices can reach the internet but must not reach any internal subnets or printer VLANs?

A.Add more allow rules for the printer VLAN so guests can print without changing routing.
B.Move guests into a dedicated guest zone with outbound NAT and default-deny rules to internal networks.
C.Place guest and corporate devices on the same VLAN and rely on the wireless password for separation.
D.Allow guest traffic to reach internal DNS and DHCP servers across all RFC1918 subnets.
AnswerB

A dedicated guest zone with outbound-only internet access enforces least privilege and keeps guests isolated from internal VLANs.

Why this answer

Option B is correct because placing guest devices in a dedicated guest zone with outbound NAT allows them to access the internet while default-deny rules to internal subnets and printer VLANs enforce network segmentation. This approach uses firewall policies to explicitly block RFC 1918 private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) from guest traffic, ensuring no Layer 3 connectivity to internal resources.

Exam trap

The trap here is that candidates may think adding more allow rules (Option A) or using a shared VLAN with a password (Option C) provides sufficient isolation, but they fail to recognize that network-layer segmentation via dedicated zones and firewall rules is required to prevent guest-to-internal communication at both Layer 2 and Layer 3.

How to eliminate wrong answers

Option A is wrong because adding more allow rules for the printer VLAN would permit guest traffic to reach printers, directly violating the requirement that guests must not reach printer VLANs; it also does not address blocking access to other internal subnets. Option C is wrong because placing guest and corporate devices on the same VLAN eliminates Layer 2 segmentation, and relying solely on a wireless password provides no network-layer isolation, allowing guests to potentially communicate with corporate hosts via ARP or broadcast traffic. Option D is wrong because allowing guest traffic to internal DNS and DHCP servers across all RFC1918 subnets would create a pathway to internal networks, breaking the requirement that guests must not reach any internal subnets.

896
Multi-Selectmedium

A help desk technician receives a phone call from someone claiming to be the VP of Finance. The caller says they are in an airport, forgot their phone, and need a password reset immediately. They also ask the technician to skip callback verification because a meeting starts in five minutes. Which two details are the strongest indicators of a pretexting or vishing attempt? Select two.

Select 2 answers
A.the caller claims an executive title and uses authority to pressure the technician
B.the call is routed through the company ticketing system with an approved change record
C.the caller asks the technician to bypass identity verification and callback procedures
D.the caller answers all security questions correctly after being prompted for them
E.the call occurs after normal business hours on a holiday weekend
AnswersA, C

Impersonating a senior executive is a common social engineering tactic because it creates authority pressure and makes the target more likely to comply quickly. In a help desk context, attackers often borrow a title that sounds urgent and important. That pressure is a strong sign the call may be a pretext rather than a legitimate request.

Why this answer

Option A is correct because the caller's use of an executive title (VP of Finance) and urgent authority pressure is a classic social engineering tactic known as pretexting. In a vishing (voice phishing) attack, the attacker fabricates a scenario to manipulate the technician into bypassing standard security procedures. This aligns with the SY0-701 domain on threats, vulnerabilities, and mitigations, specifically social engineering techniques.

Exam trap

The trap here is that candidates may confuse a successful security question response (Option D) as a sign of legitimacy, but in vishing attacks, attackers often gather personal data from OSINT or data breaches to answer such questions, making it a weak indicator compared to the direct authority pressure and request to bypass verification.

897
MCQhard

Based on the exhibit, what is the best-supported conclusion for the SOC analyst?

A.The traffic is normal web browsing to a content delivery network.
B.The host is likely using DNS tunneling or DNS-based command and control.
C.The issue is most likely ARP spoofing on the local switch port.
D.The evidence most strongly indicates a password spraying campaign.
AnswerB

The repeated TXT queries, predictable timing, small UDP payloads, and absence of proxy traffic strongly suggest data or commands are being carried over DNS. The unique subdomains and steady beacon interval are classic indicators of DNS tunneling or DNS-based command-and-control. The signed PDF reader only shows how the activity may have started, not that it is benign.

Why this answer

The exhibit shows a high volume of DNS queries to multiple unusual domains with long subdomain strings, which is a classic indicator of DNS tunneling or DNS-based command and control (C2). DNS tunneling encodes data in DNS queries and responses, allowing attackers to exfiltrate data or communicate with a C2 server while bypassing traditional network controls. The SOC analyst should recognize this pattern as anomalous DNS activity rather than normal web browsing.

Exam trap

The trap here is that candidates may confuse DNS tunneling with normal DNS resolution for CDN services, but the key differentiator is the abnormal volume and structure of the DNS queries, not the destination IP addresses.

How to eliminate wrong answers

Option A is wrong because normal web browsing to a content delivery network (CDN) would generate HTTP/HTTPS traffic to known CDN domains, not an excessive number of DNS queries to obscure, randomly generated subdomains. Option C is wrong because ARP spoofing operates at Layer 2 and would manifest as duplicate IP addresses or unusual ARP traffic, not as a high volume of DNS queries. Option D is wrong because a password spraying campaign involves repeated login attempts across multiple accounts, which would appear as authentication logs (e.g., Windows Event ID 4625) rather than DNS query patterns.

898
Multi-Selecteasy

After a ransomware event, management wants proof that backups can actually be used before trusting them. Which two activities best validate recoverability? Select two.

Select 2 answers
A.Restore a sample file or folder into an isolated test environment.
B.Compare restored data with hashes or known-good source copies.
C.Trust a backup because the job status shows completed successfully.
D.Increase backup retention without testing restore ability.
E.Keep backups on production servers for quicker access during incidents.
AnswersA, B

A test restore shows whether the backup can actually bring data back.

Why this answer

Restoring a sample file or folder into an isolated test environment (Option A) directly validates that the backup data is readable, the restore process works, and the data can be accessed in a clean environment. This is the most practical way to prove recoverability without risking production systems, as it tests the actual restore workflow end-to-end.

Exam trap

The trap here is that candidates often assume a successful backup job status (Option C) guarantees recoverability, but the exam emphasizes that only actual restore testing and integrity verification (Options A and B) provide true validation.

899
Multi-Selecthard

A server room sits below a chilled-water line, and occasional condensation is forming on the pipe during humid afternoons. Facilities wants the earliest warning before water reaches equipment and a way to get an alert even if no one is onsite. Which two controls should be implemented? Select two.

Select 2 answers
A.Install a networked water-leak detection cable beneath the raised floor near the chilled-water line.
B.Add monitored environmental alerts that notify the NOC or building management system when the sensor trips.
C.Replace standard doors with mantraps to prevent tailgating at the room entrance.
D.Increase firewall logging on the server VLAN to spot moisture-related outages.
E.Use temperature-only sensors because condensation always raises heat first.
AnswersA, B

A leak-detection cable gives direct, early warning when moisture appears near the highest-risk area.

Why this answer

A networked water-leak detection cable is the correct choice because it provides continuous, real-time monitoring for moisture along the length of the cable. When condensation drips onto the cable, it completes a circuit between two conductors, triggering an immediate alert. This gives the earliest possible warning before water reaches server equipment, even in an unattended facility.

Exam trap

The trap here is that candidates may confuse environmental monitoring with network or access controls, selecting options like mantraps or firewall logging that address different security domains but do not solve the specific water-detection and alerting requirement.

900
MCQmedium

A security analyst detects that multiple workstations in the finance department are displaying ransom notes and files are being encrypted. The analyst has disconnected the affected workstations from the network. Which of the following should the analyst do next according to the incident response procedure?

A.Reimage all affected workstations immediately to restore operations.
B.Isolate the entire finance department network segment and preserve forensic evidence.
C.Run a full antivirus scan on the workstations to remove the ransomware.
D.Restore the encrypted files from the latest backup without further investigation.
AnswerB

Isolating the segment prevents lateral movement of the ransomware. Preserving forensic evidence allows for a thorough investigation to identify the initial infection vector and prevent future incidents.

Why this answer

Option B is correct because the immediate next step in the incident response procedure after containment (disconnecting affected workstations) is to isolate the affected network segment to prevent lateral movement and preserve forensic evidence. This aligns with the NIST SP 800-61 incident response framework, which prioritizes containment, eradication, and recovery in that order, and emphasizes evidence preservation before any remediation actions.

Exam trap

The trap here is that candidates often jump to recovery actions (reimaging or restoring backups) too early, forgetting that the incident response process requires containment and evidence preservation before eradication and recovery.

How to eliminate wrong answers

Option A is wrong because reimaging destroys volatile forensic evidence (e.g., memory contents, encryption keys, malware artifacts) that is critical for root cause analysis and attribution. Option C is wrong because running an antivirus scan on an actively encrypting system can trigger further encryption or destroy evidence, and antivirus tools are ineffective against modern ransomware that uses polymorphic code or fileless techniques. Option D is wrong because restoring from backup without investigation may reintroduce the infection vector or miss indicators of compromise (IoCs) that could prevent future attacks.

Page 11

Page 12 of 16

Page 13