Security+ SY0-701 (SY0-701) — Questions 9761050

1152 questions total · 16pages · All types, answers revealed

Page 13

Page 14 of 16

Page 15
976
MCQhard

An access point connected to a switch suddenly lets guest Wi-Fi users reach an internal printer VLAN, but only on the new wiring closet. The AP uplink is configured as a trunk with dynamic negotiation enabled, native VLAN 1, and allowed VLANs 10, 20, and 30. Guest traffic should be VLAN 40 and must not transit to internal segments. Which change best fixes the issue?

A.Convert the AP uplink to an access port in VLAN 40 and leave the AP to handle all traffic untagged.
B.Disable dynamic trunk negotiation, configure a static trunk, allow only VLANs 40 and 99, and move the native VLAN to an unused value.
C.Add the internal printer VLAN to the allowed list so the AP can filter client traffic itself.
D.Keep the trunk settings and add a layer 3 ACL between the guest and internal networks.
AnswerB

This prevents unintended trunk formation, limits the VLANs that can traverse the link, and reduces risk from the native VLAN.

Why this answer

The issue is that guest traffic (VLAN 40) is not in the allowed list, so the trunk is dropping it; however, the native VLAN 1 is being used for management and may leak traffic. By disabling dynamic trunk negotiation (DTP), configuring a static trunk, allowing only VLANs 40 and 99 (a management VLAN), and changing the native VLAN to an unused value, you ensure guest traffic is properly tagged and isolated from internal VLANs. This prevents the guest VLAN from being inadvertently trunked to internal segments and eliminates the risk of VLAN hopping via the native VLAN.

Exam trap

The trap here is that candidates think adding an ACL or allowing more VLANs will solve the problem, but the root cause is that VLAN 40 is not allowed on the trunk, and the native VLAN 1 introduces a security risk; the correct fix is to explicitly permit only the necessary VLANs and secure the native VLAN.

How to eliminate wrong answers

Option A is wrong because converting the AP uplink to an access port in VLAN 40 would force all traffic from the AP to be untagged in VLAN 40, but the AP typically sends multiple VLANs (e.g., management, guest) as tagged frames; an access port cannot carry multiple VLANs and would drop tagged frames, breaking management and other services. Option C is wrong because adding the internal printer VLAN to the allowed list would explicitly permit guest traffic to reach the printer VLAN, which is the opposite of the security requirement to isolate guest traffic from internal segments. Option D is wrong because keeping the current trunk settings means VLAN 40 is not allowed on the trunk, so guest traffic is already being dropped; adding a Layer 3 ACL would not fix the missing VLAN 40 on the trunk, and ACLs cannot compensate for a Layer 2 misconfiguration that prevents guest traffic from even reaching the switch.

977
MCQeasy

Based on the exhibit, what should the analyst do next to limit the impact of the suspected compromise?

A.Run a full antivirus scan first and wait for the results before taking any other action.
B.Isolate FIN-LT-22 from the network to contain the suspected malware activity.
C.Reboot the laptop to clear the malicious process from memory.
D.Reset the user's password and close the ticket after confirming they can log in again.
AnswerB

Network isolation is the best immediate containment step when an endpoint shows signs of active malicious behavior. It limits further command-and-control traffic, prevents lateral movement, and buys time for investigation. In incident response, containment comes before eradication and recovery when the threat is still active.

Why this answer

Option B is correct because isolating FIN-LT-22 from the network immediately stops the suspected malware from communicating with command-and-control servers or spreading laterally to other hosts. This containment step aligns with the NIST incident response framework's containment phase, which prioritizes limiting damage before eradication or recovery. In a suspected compromise, network isolation (e.g., disabling the switch port or using a host-based firewall rule) is the fastest way to cut off malicious traffic without destroying volatile evidence in memory.

Exam trap

The trap here is that candidates often choose to run an antivirus scan first (Option A) because they assume detection must precede containment, but the SY0-701 exam emphasizes that containment is the immediate priority to limit impact, even before identifying the specific malware.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan first wastes critical time and may alert the attacker or trigger destructive actions before containment; antivirus also relies on signatures and may miss unknown malware. Option C is wrong because rebooting clears volatile memory (RAM), destroying evidence of the malicious process and potentially allowing persistence mechanisms to re-establish on startup, which violates forensic best practices. Option D is wrong because resetting the user's password does not address the active malware on the endpoint; the attacker could still maintain access via a backdoor or keylogger, and closing the ticket prematurely ignores the need for containment and eradication.

978
MCQhard

Based on the exhibit, what is the best improvement to reduce the impact if one backup server is compromised?

A.Keep the same key file but rename it so attackers cannot find it easily.
B.Replace AES with SHA-256 so the backups are harder to read.
C.Store encryption keys in a centralized KMS or HSM and use distinct keys with rotation.
D.Email the key file to backup operators so they can restore data quickly.
AnswerC

This is the best improvement because the current design places the same key on every backup server, creating a large blast radius if one host is compromised. Centralized key management through a KMS or HSM improves control, auditing, rotation, and separation of duties. Distinct keys also limit how much data exposure results from one server compromise.

Why this answer

Option C is correct because using a centralized Key Management System (KMS) or Hardware Security Module (HSM) with distinct, rotated keys ensures that compromising one backup server does not expose the encryption keys for all backups. This isolates the impact to only the data encrypted with that specific key, and key rotation further limits the window of exposure. In contrast, sharing a single key file across servers creates a single point of failure, as compromising one server reveals the key for all backups.

Exam trap

The trap here is that candidates may think renaming or hiding the key file (Option A) is a valid security measure, but CompTIA tests the principle that security through obscurity (hiding files) is not a substitute for proper key management and isolation.

How to eliminate wrong answers

Option A is wrong because renaming the key file does not change the underlying cryptographic material; an attacker who compromises the server can still locate and use the key file regardless of its name, as file enumeration or registry searches can find it. Option B is wrong because SHA-256 is a hashing algorithm, not an encryption algorithm; it is one-way and cannot be used to encrypt or decrypt backups, making backups unrecoverable. Option D is wrong because emailing the key file to backup operators exposes the key in transit and at rest in email systems, violating security best practices and increasing the risk of interception or unauthorized access.

979
MCQhard

Based on the exhibit, what should the administrator do next?

A.Install the update because a longer hash means the file is newer.
B.Re-download the update from the trusted source and verify the hash again.
C.Rename the file to match the vendor’s naming convention and retry installation.
D.Disable SHA-256 verification because patch files often change after download.
AnswerB

A hash mismatch means the local file does not match the vendor-published value. The safest next step is to obtain a fresh copy from a trusted source and compare the hash again. That helps determine whether the original download was corrupted in transit or tampered with before deployment.

Why this answer

Option B is correct because if the hash of a downloaded file does not match the vendor-published hash, the file is likely corrupted or tampered with. The administrator should delete the corrupted file, re-download it from the trusted source, and recompute the hash to ensure integrity before installation. This follows the principle of verifying file integrity via cryptographic hashing (e.g., SHA-256) before applying updates.

Exam trap

The trap here is confusing hash length or file naming with file integrity, leading candidates to think a longer hash means a newer file or that renaming fixes hash mismatches, when in fact only re-downloading and re-verifying the hash ensures the file is authentic and uncorrupted.

How to eliminate wrong answers

Option A is wrong because hash length (e.g., SHA-256 vs SHA-512) is unrelated to file version or freshness; a longer hash does not indicate a newer file. Option C is wrong because renaming a file does not change its content or hash, so it will not resolve a hash mismatch. Option D is wrong because disabling SHA-256 verification would bypass integrity checks, allowing potentially malicious or corrupted files to be installed, which violates security best practices.

980
MCQmedium

A security analyst is reviewing authentication logs and observes multiple failed login attempts for a single user account occurring within a short timeframe, followed by a successful login from an IP address located in a country where the user has never traveled. The failed attempts originate from various IP addresses and use different passwords. Which type of attack has most likely occurred?

A.Brute-force attack
B.Credential stuffing
C.Password spraying
D.Dictionary attack
AnswerA

Correct. A brute-force attack is characterized by systematically trying many different passwords against a single account until the correct one is found. The log pattern of multiple failed attempts followed by a success aligns with this method.

Why this answer

The correct answer is A (Brute-force attack) because the log shows multiple failed login attempts from various IP addresses using different passwords, followed by a successful login from an unfamiliar country. This pattern indicates a distributed brute-force attack where the attacker systematically tries many passwords against a single account, often using a botnet or proxy rotation to evade IP-based rate limiting. The successful login from a foreign IP confirms the attacker eventually guessed the correct password.

Exam trap

The trap here is that candidates confuse 'multiple failed attempts from various IPs' with credential stuffing, but the key differentiator is that credential stuffing uses known credential pairs, not systematically generated passwords against a single account.

How to eliminate wrong answers

Option B (Credential stuffing) is wrong because credential stuffing uses previously breached username/password pairs from other services, not different passwords generated on the fly; the log shows varied passwords, not reused credentials. Option C (Password spraying) is wrong because password spraying targets many usernames with a single common password, whereas this attack focuses on one user account with many different passwords. Option D (Dictionary attack) is wrong because a dictionary attack uses a predefined list of likely passwords (e.g., from a wordlist), but the description of 'various IP addresses' and 'different passwords' suggests a brute-force approach rather than a limited dictionary set.

981
Drag & Dropmedium

Drag and drop the steps for the SSH key exchange process in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

SSH key exchange establishes a secure channel; the server's host key is used to verify identity, and Diffie-Hellman generates a shared secret.

982
MCQmedium

A software supplier used by your organization begins subcontracting a critical part of its service to an unknown hosting company. Which contractual control would BEST help manage this supply chain risk?

A.Require the supplier to send monthly sales updates to the procurement team.
B.Require advance notice and approval for subcontractor changes, plus right-to-audit and security obligations.
C.Ask the supplier to place all responsibility for the subcontractor on the customer.
D.Disable all vendor access immediately without reviewing the change.
AnswerB

This is the strongest contractual approach because it gives the organization visibility into changes, authority to review added risk, and leverage to enforce security requirements. When a supplier introduces a new subcontractor, advance notice, approval rights, and auditability help prevent hidden dependencies from undermining security expectations or compliance obligations.

Why this answer

Option B is correct because it establishes a contractual control that requires the supplier to notify and obtain approval before subcontracting critical services, while also imposing right-to-audit and security obligations. This directly addresses supply chain risk by ensuring the organization can vet and monitor the subcontractor's security posture, as recommended by NIST SP 800-161 for supply chain risk management.

Exam trap

The trap here is that candidates confuse operational reporting (Option A) with security governance, or they assume immediate termination (Option D) is a valid risk response without considering contractual due process and business continuity.

How to eliminate wrong answers

Option A is wrong because monthly sales updates are a financial or operational reporting requirement, not a security control; they provide no visibility into the subcontractor's security practices or compliance with the organization's security policies. Option C is wrong because shifting all responsibility for the subcontractor to the customer defeats the purpose of contractual controls—it removes the supplier's accountability and leaves the organization without any enforceable security requirements on the subcontractor. Option D is wrong because immediately disabling all vendor access without reviewing the change is a reactive, disruptive response that violates change management best practices; it should be preceded by a risk assessment and coordinated with the supplier to avoid unnecessary service disruption.

983
MCQmedium

Based on the exhibit, which action should the incident response team take next to eradicate the threat?

A.Return the workstation to the user since the outbound connection was blocked.
B.Delete only the scheduled task and reconnect the host to monitor for more alerts.
C.Reimage the endpoint from a known-good build and reset potentially exposed credentials.
D.Close the incident because memory capture has already preserved the evidence.
AnswerC

The logs show a likely malicious macro, encoded PowerShell, a dropped script, and persistence through a scheduled task. That combination indicates a high-confidence compromise with uncertain scope. Reimaging removes hidden persistence more reliably than piecemeal cleanup, and credential resets are appropriate because finance activity occurred on the device and credentials may have been captured.

Why this answer

Option C is correct because the exhibit indicates a confirmed compromise (e.g., a scheduled task establishing outbound C2 traffic). Eradication requires removing all traces of the attacker's foothold, which is best achieved by reimaging the endpoint from a known-good build. Additionally, any credentials that may have been exposed during the compromise must be reset to prevent lateral movement or re-entry.

Exam trap

The trap here is that candidates may think deleting the scheduled task (Option B) is sufficient for eradication, but CompTIA emphasizes that any confirmed compromise requires full reimaging to ensure no hidden persistence remains.

How to eliminate wrong answers

Option A is wrong because simply returning the workstation to the user after blocking an outbound connection does not remove the underlying threat (e.g., the scheduled task or persistence mechanism) and assumes the attacker cannot adapt or use alternate C2 channels. Option B is wrong because deleting only the scheduled task leaves other potential persistence mechanisms (e.g., registry run keys, services, or WMI subscriptions) intact, and reconnecting the host without full remediation risks re-infection or continued attacker access. Option D is wrong because closing the incident after memory capture ignores the need for eradication; evidence preservation does not eliminate the active threat, and the host remains compromised.

984
MCQmedium

A help desk team manages 300 Windows laptops. A legacy accounting app sometimes fails after updates, so the company wants to reduce patch risk while still preventing long-term exposure. Which patching strategy is the best balance?

A.Apply updates manually to each laptop as soon as they are released.
B.Use a pilot group and phased rollout process before wider deployment.
C.Postpone all updates until the legacy accounting app is replaced.
D.Disable automatic updates permanently and patch only after a security incident.
AnswerB

A pilot-to-broad rollout strategy lets the organization validate patches on a small set of representative devices before deploying them widely. That reduces the chance of a widespread compatibility problem while still keeping systems updated on a reasonable schedule. It is a practical balance between security, reliability, and operational risk.

Why this answer

A phased rollout with a pilot group is the most balanced approach. It allows the team to test new patches on a few systems that reflect the production environment before exposing the entire fleet to possible compatibility issues. That lowers operational risk while still ensuring the organization patches regularly, which is essential for reducing exposure to known vulnerabilities and maintaining a secure baseline.

Why others are wrong: Option A is too labor-intensive and still lacks controlled validation. Option C accepts avoidable risk by deferring all updates indefinitely. Option D is reactive and leaves the fleet exposed until an incident occurs. The correct answer is the only one that preserves security and operational stability at the same time.

985
MCQeasy

A company laptop is collected as evidence in a suspected theft case. Which action best supports chain of custody?

A.Place the laptop on a desk until the investigator is available.
B.Record each transfer with date, time, handler name, and signatures.
C.Reset the laptop so the legal team can access it more easily.
D.Remove the hard drive and connect it to a personal workstation.
AnswerB

Chain of custody requires a documented record of who handled the evidence, when it changed hands, and under what conditions. These records help prove integrity and admissibility later. Accurate transfer documentation is one of the most important parts of evidence handling in a forensic case.

Why this answer

Option B is correct because chain of custody requires documenting every transfer of evidence with date, time, handler name, and signatures to maintain a verifiable record of who had possession of the laptop at all times. This ensures the evidence is admissible in court by proving it has not been tampered with or altered since collection. Without this documentation, the defense could argue the evidence was compromised, undermining the entire case.

Exam trap

CompTIA often tests the misconception that preserving evidence means making it easier to access (like resetting or removing components), when in fact the priority is maintaining the original state and documenting every touchpoint to ensure legal admissibility.

How to eliminate wrong answers

Option A is wrong because leaving the laptop on a desk unattended violates the principle of secure evidence handling, as it creates an unaccounted gap in custody where the device could be tampered with or accessed by unauthorized individuals. Option C is wrong because resetting the laptop destroys all data, including potential evidence such as logs, files, and user activity, which is irreversible and violates forensic best practices that require preserving the original state of evidence. Option D is wrong because removing the hard drive and connecting it to a personal workstation risks altering the drive's contents (e.g., timestamps, metadata) and introduces potential contamination from the workstation's operating system, breaking the chain of custody and compromising forensic integrity.

986
MCQmedium

A finance analyst receives an email that appears to come from the CFO. It references a real project, asks for an urgent wire transfer to a "new vendor account," and says to avoid the normal approval workflow because the deal is time-sensitive. What is the best immediate response?

A.Reply to the email asking for additional payment details and wait for a response.
B.Process the transfer quickly because the message appears to come from an executive.
C.Verify the request using a known-good contact method and report the message as suspicious.
D.Forward the email to another finance employee so someone else can confirm the request.
AnswerC

The safest response is to independently verify the request through a trusted channel already on file, such as a known phone number or internal messaging system. That breaks the attacker’s control of the conversation and prevents a rushed financial error. Reporting the message also helps security staff search for related phishing attempts and protect other employees from a similar business email compromise attempt.

Why this answer

The best response is to verify the request through a known, trusted communication path and then report it. In a spear phishing or business email compromise scenario, the attacker relies on urgency, authority, and familiarity to bypass normal controls. A separate phone call, chat message, or in-person confirmation using an existing contact list provides stronger assurance than any reply to the suspicious email itself.

Why others are wrong: Replying, processing the transfer, or forwarding the message all keep the workflow inside the attacker’s channel and increase the chance of fraud. None of those actions independently validate the sender’s identity or the payment change request. The key security habit is to stop, verify outside the email thread, and escalate the suspicious communication.

987
MCQmedium

A security analyst notices that a phishing campaign is targeting employees with emails that appear to be from the company's IT support team. The emails contain a link to a website that mimics the corporate password reset portal. Which of the following controls would be MOST effective in preventing users from reaching the malicious website, assuming the link uses HTTPS?

A.Implement a URL filtering policy on the company's web proxy.
B.Deploy an email security gateway that performs sandboxing of attachments.
C.Enable multi-factor authentication on all corporate accounts.
D.Conduct a security awareness training session on phishing.
AnswerA

Correct. URL filtering on a web proxy can block access to known malicious or lookalike domains, preventing users from even reaching the phishing site, regardless of the link's HTTPS status.

Why this answer

A URL filtering policy on the company's web proxy is the most effective control because it can block access to the malicious website based on its domain, category, or reputation, regardless of whether the link uses HTTPS. Since the proxy can perform SSL/TLS inspection (decrypting the HTTPS traffic) or use domain reputation lists, it prevents users from even reaching the phishing site. This directly addresses the core issue of users navigating to a known or suspicious URL.

Exam trap

The trap here is that candidates assume HTTPS encryption makes URL filtering impossible, but the exam expects you to know that web proxies can inspect or block HTTPS traffic using SSL/TLS decryption or domain-based filtering, making URL filtering still effective.

How to eliminate wrong answers

Option B is wrong because an email security gateway that performs sandboxing of attachments is designed to analyze malicious file attachments, not to block links to external websites; the phishing email contains a link, not an attachment, so sandboxing would not prevent users from clicking the link. Option C is wrong because multi-factor authentication (MFA) protects accounts after credentials are compromised, but it does not prevent users from reaching the malicious website or entering their credentials on the fake portal; MFA is a defense-in-depth layer, not a preventive control for URL access.

988
MCQmedium

A finance team deploys a regulated workload to a public cloud. They want operating system login events, process activity, and network flow metadata to be retained in one central place for detection and investigation. Which action best supports this requirement with the least operational overhead?

A.Rely on the cloud provider to automatically secure all guest operating systems and collect every log type by default.
B.Enable cloud-native logging and forward guest telemetry from the workload into a centralized security logging service or SIEM.
C.Move the workload to a private data center so the cloud provider can no longer access any telemetry.
D.Disable host logging and rely only on perimeter firewall logs to reduce storage costs.
AnswerB

This is the best approach because it uses cloud-native controls to capture logs close to the workload and centralizes them for correlation and retention. It supports visibility across identity, host, and network activity without building a separate logging stack from scratch. It also aligns with the shared responsibility model by keeping customer-controlled telemetry under the organization’s management.

Why this answer

Option B is correct because it directly addresses the requirement to centralize OS login events, process activity, and network flow metadata from a public cloud workload. Cloud-native logging (e.g., AWS CloudTrail, Azure Monitor) can capture guest OS telemetry via agents (e.g., Amazon CloudWatch Agent, Azure Log Analytics agent) and forward it to a centralized security logging service or SIEM, minimizing operational overhead by leveraging built-in cloud services rather than custom infrastructure.

Exam trap

The trap here is that candidates may assume cloud providers automatically handle all guest OS logging under the shared responsibility model, leading them to choose Option A, but in reality, the customer must explicitly configure and forward guest telemetry to a centralized service.

How to eliminate wrong answers

Option A is wrong because cloud providers do not automatically secure guest operating systems or collect every log type by default; they operate under a shared responsibility model where the customer is responsible for guest OS security and log collection, and default logging typically covers only control-plane events (e.g., API calls), not guest OS login events or process activity. Option C is wrong because moving the workload to a private data center increases operational overhead (e.g., managing physical infrastructure, maintaining on-premises logging tools) and does not inherently centralize telemetry; it also contradicts the premise of using a public cloud for the workload.

989
MCQeasy

After reviewing a risk memo, the operations director signs off on continuing to use an older application because the cost of replacement is too high right now. Which risk management action did the director take?

A.Risk transfer, because the risk was moved to another company.
B.Risk acceptance, because management chose to live with the remaining risk.
C.Risk avoidance, because the application is still being used.
D.Risk mitigation, because the replacement cost was too high.
AnswerB

Risk acceptance is the correct term when management knowingly approves continued operation despite identified risk. The director is not eliminating the issue or moving it elsewhere; instead, they are choosing to tolerate the residual risk for business reasons such as cost or timing. This is a normal part of risk management when the risk is understood and documented.

Why this answer

The operations director chose to continue using the older application despite the identified risk, explicitly because the cost of replacement was too high. This is the definition of risk acceptance: management acknowledges the risk and decides to tolerate the residual risk without implementing additional controls. The director did not transfer, avoid, or mitigate the risk; they accepted it as a cost of business.

Exam trap

The trap here is confusing 'acceptance' with 'avoidance' — candidates often think that continuing to use the application means avoiding the risk, but avoidance requires stopping the risky activity entirely, not just living with it.

How to eliminate wrong answers

Option A is wrong because risk transfer would involve shifting the financial impact of the risk to a third party (e.g., purchasing cyber insurance or outsourcing the application), not simply continuing to use it. Option C is wrong because risk avoidance means ceasing the activity that generates the risk (e.g., decommissioning the application), but the director explicitly chose to keep using it. Option D is wrong because risk mitigation would involve implementing controls to reduce the likelihood or impact of the risk (e.g., patching or adding a WAF), not rejecting mitigation due to cost.

990
MCQmedium

A security architect is redesigning remote administration for a set of critical Linux servers in a private cloud. Currently, system administrators connect directly from their corporate laptops to the servers over the internet using SSH. The architect's primary goal is to eliminate direct inbound SSH connections from the internet while still allowing authorized administrators to perform maintenance tasks. Which of the following architectural changes would best achieve this objective?

A.Deploy a VPN concentrator and require all administrators to connect to the VPN before initiating SSH sessions directly to the servers.
B.Deploy a jump server (bastion host) in a management subnet and require all administrative SSH connections to originate from the jump server, with the jump server accessible only via the corporate VPN.
C.Replace SSH with a web-based console proxy that uses HTTPS and multi-factor authentication, and allow direct internet access to the console proxy on port 443.
D.Configure each Linux server with a public IP address but restrict inbound SSH to the known public IP addresses of the administrators' corporate laptops.
AnswerB

This is the correct architecture. The jump server acts as a secure intermediary. No SSH traffic from the internet reaches the target servers; all connections must first authenticate to the VPN, then to the jump server, and finally the jump server initiates outbound SSH to the target servers. This eliminates direct inbound SSH and provides a centralized audit point.

Why this answer

Option B is correct because it eliminates direct inbound SSH from the internet by placing a jump server (bastion host) in a management subnet that is only accessible via the corporate VPN. Administrators must first connect to the VPN, then SSH to the jump server, and from there initiate SSH sessions to the target Linux servers. This architecture ensures no SSH port is exposed to the public internet, meeting the primary security goal.

Exam trap

The trap here is that candidates may think a VPN alone (Option A) is sufficient to eliminate direct inbound SSH, but the VPN still allows direct SSH from the VPN client to the server, which does not remove the server’s SSH exposure from the internet—it only adds a layer of encryption and authentication, not a true bastion architecture.

How to eliminate wrong answers

Option A is wrong because deploying a VPN concentrator alone still allows administrators to initiate direct SSH sessions to the servers after connecting to the VPN, meaning the SSH ports on the servers remain exposed to the VPN network and potentially to the internet if the VPN is misconfigured or compromised. Option C is wrong because it replaces SSH with a web-based console proxy accessible directly on port 443 from the internet, which still exposes a management interface to the public internet, failing to eliminate direct inbound connections and introducing a new attack surface.

991
MCQeasy

A server room is sometimes left open while technicians carry equipment in and out. Which control best helps detect and discourage unauthorized entry?

A.A written reminder poster on the wall
B.A CCTV camera covering the entrance
C.A brighter color for the server room door
D.A larger monitor in the nearby office
AnswerB

Video surveillance helps deter misuse and provides records if access must be reviewed later.

Why this answer

A CCTV camera covering the entrance provides continuous monitoring and recording of activity, which both detects unauthorized entry in real time and creates a deterrent effect through the awareness of surveillance. Unlike passive measures, it offers forensic evidence and can be integrated with access control systems to alert security personnel of breaches.

Exam trap

The trap here is that candidates may confuse administrative controls like signage with detective controls, overlooking that only active surveillance (CCTV) provides both detection and deterrence for an unsecured physical entry point.

How to eliminate wrong answers

Option A is wrong because a written reminder poster is a passive administrative control that relies on voluntary compliance and provides no detection or deterrence against intentional unauthorized entry. Option C is wrong because a brighter color for the door is purely cosmetic and has no impact on security monitoring, access control, or deterring unauthorized individuals.

992
MCQeasy

A SIEM alert shows one workstation connecting to many internal systems over SMB in a short period of time, followed by attempts to access administrative shares. What is the best response?

A.Ignore the alert because SMB is a normal file-sharing protocol
B.Isolate the workstation to stop possible lateral movement
C.Increase the workstation's monitor brightness to help the user notice alerts
D.Disable all SMB traffic across the entire company immediately
AnswerB

Rapid SMB connections to multiple hosts are a strong sign of spread or lateral movement, so isolation is the safest immediate action.

Why this answer

Option B is correct because the SIEM alert describes classic indicators of lateral movement using SMB, often associated with ransomware or worm-like malware. Isolating the workstation immediately stops the attacker from spreading to other systems via administrative shares (e.g., ADMIN$, C$), which are commonly abused for remote execution. This containment step is the highest priority before any forensic analysis.

Exam trap

The trap here is that candidates may dismiss the alert as normal SMB traffic (Option A) because SMB is common, failing to recognize that the combination of rapid connections and administrative share access is a textbook lateral movement indicator.

How to eliminate wrong answers

Option A is wrong because while SMB is a normal file-sharing protocol, the specific pattern of rapid connections to many internal systems followed by administrative share access is highly anomalous and indicative of malicious lateral movement, not legitimate use. Option C is wrong because increasing monitor brightness has no security function and does not address the alert; it is a nonsensical response that confuses physical display settings with security operations. Option D is wrong because disabling all SMB traffic company-wide is an overly drastic and disruptive response that would break critical business operations, and it should only be considered after proper investigation and with targeted controls like firewall rules or GPO changes.

993
MCQeasy

A user forwards an email that says their payroll account will be disabled today unless they click a link and verify their password. The message uses the company logo, but the sender address is from a free webmail domain and the link goes to a look-alike login page. What type of attack is this?

A.Baiting, because the attacker is offering something attractive to lure the user.
B.Phishing, because the attacker is using a fraudulent message to steal credentials.
C.Vishing, because the attacker is trying to trick the user into revealing information.
D.Impersonation, because the attacker is pretending to be someone from the company.
AnswerB

Phishing is the best match because the attacker is sending a deceptive message that impersonates a trusted source and directs the user to a fake login page. The goal is credential theft, and the urgency plus look-alike site are common signs. The sender address and request to verify a password are strong indicators of a phishing attempt.

Why this answer

This is a classic phishing attack because the attacker uses a fraudulent email that mimics a legitimate company to trick the user into clicking a link to a look-alike login page, with the goal of stealing their payroll credentials. The key indicators are the spoofed company logo, the free webmail sender address, and the fake login page, all of which are hallmarks of credential harvesting via phishing.

Exam trap

The trap here is that candidates may confuse phishing with vishing or baiting because all involve social engineering, but the specific use of email with a fraudulent link to a fake login page is the defining characteristic of phishing, not voice calls (vishing) or physical lures (baiting).

How to eliminate wrong answers

Option A is wrong because baiting involves offering something attractive (e.g., a free USB drive or download) to lure the victim into a trap, not sending a deceptive email requesting credential verification. Option C is wrong because vishing (voice phishing) uses phone calls or voice messages to trick victims, not email with a link to a fake login page. Option D is wrong because impersonation is a broader social engineering tactic that can be part of phishing, but the specific attack described—using a fraudulent email with a malicious link—is precisely defined as phishing, not impersonation alone.

994
MCQmedium

A support portal searches customers by last name using a parameter called q. After one user enters a single quote, the app returns a SQL syntax error. A tester then submits `test' OR '1'='1` and sees every customer record. Which control most directly prevents this issue?

A.Parameterize the database queries with prepared statements
B.Encode all output returned to the browser
C.Add CSRF tokens to the login form
D.Move the application to a separate VLAN
AnswerA

Prepared statements separate code from data, so attacker-controlled input cannot change the intended SQL query structure.

Why this answer

The vulnerability is SQL injection, which occurs when user input is directly concatenated into a SQL query. Parameterized queries (prepared statements) separate SQL logic from data by using placeholders, ensuring user input is treated as data only and never executed as code. This directly prevents the attacker from injecting malicious SQL fragments like `' OR '1'='1`.

Exam trap

The trap here is that candidates often confuse output encoding (XSS prevention) with input handling (SQL injection prevention), or they think network controls like VLANs can fix application-layer code flaws.

How to eliminate wrong answers

Option B is wrong because encoding output prevents cross-site scripting (XSS), not SQL injection; the attack occurs on the database backend, not in the browser. Option C is wrong because CSRF tokens prevent cross-site request forgery, which tricks a user into submitting unintended requests, but does not stop an attacker from directly crafting malicious input in the search parameter. Option D is wrong because moving the application to a separate VLAN is a network segmentation control that limits lateral movement but does not fix the insecure database query code; the SQL injection would still succeed from the application server.

995
MCQmedium

A company stores customer documents in cloud object storage. The provider already offers encryption at rest and physical security. Which action most directly reduces the risk of unauthorized access to the stored files?

A.Assume the provider's default settings are sufficient because encryption at rest is already enabled.
B.Move the documents to a public bucket so users can access them without friction.
C.Configure least-privilege IAM roles, bucket policies, and object permissions for approved users only.
D.Disable encryption at rest so administrators can troubleshoot access problems more easily.
AnswerC

Access control is the customer's main responsibility here, and least-privilege permissions directly limit who can retrieve the files.

Why this answer

Option C is correct because, even with encryption at rest and physical security, unauthorized access can occur if IAM policies, bucket policies, and object permissions are overly permissive. Configuring least-privilege access ensures that only approved users can read or modify the stored files, directly reducing the attack surface. Encryption at rest protects data if storage media is compromised, but it does not prevent authorized users with excessive permissions from accessing files they shouldn't.

Exam trap

The trap here is that candidates confuse encryption at rest with access control, assuming that encryption alone prevents unauthorized access, when in fact it only protects against physical theft of storage media, not against API-level access by users with excessive permissions.

How to eliminate wrong answers

Option A is wrong because assuming default settings are sufficient ignores the principle of least privilege; default IAM roles and bucket policies are often overly permissive (e.g., public read access) and must be explicitly hardened. Option B is wrong because moving documents to a public bucket would expose them to anyone on the internet, directly increasing the risk of unauthorized access. Option D is wrong because disabling encryption at rest would leave data vulnerable if an attacker gains physical access to the storage media or if the provider suffers a breach, and it does not solve access control issues.

996
Multi-Selecteasy

A company wants controls that rely on people and documented direction rather than technology. Which two are administrative controls? Select two.

Select 2 answers
A.Security awareness training program
B.Badge reader at the server room door
C.Password policy requiring minimum length
D.Host-based firewall on laptops
E.Encryption of data on the hard drive
AnswersA, C

This is an administrative control because it teaches users expected behavior and security responsibilities.

Why this answer

Security awareness training program (A) is an administrative control because it relies on people following documented procedures and policies rather than technology. It educates employees on security risks and expected behaviors, such as recognizing phishing attempts, which is a directive-based measure without hardware or software enforcement.

Exam trap

The trap here is that candidates confuse physical controls (like badge readers) or technical controls (like firewalls and encryption) with administrative controls, because they involve human action (swiping a badge) or are documented in policies, but the key distinction is whether the control relies on technology enforcement or human compliance with documented direction.

997
Matchingeasy

Match each principle to the scenario that best illustrates it.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

A database account can update records but cannot approve purchases.

A contractor can view only the log source tied to the assigned ticket.

One person prepares a wire transfer and another authorizes it.

The portal checks the device and user again before each sensitive action.

The application is protected by MFA, filtering, and endpoint controls.

Why these pairings

Least privilege limits access rights; separation of duties divides critical tasks; defense in depth uses multiple security layers; need to know restricts data access; accountability tracks actions; fail safe ensures security on failure.

998
MCQhard

Based on the exhibit, which attack is most likely occurring on the local network?

A.DNS cache poisoning
B.ARP spoofing
C.Replay attack
D.Amplification denial-of-service
AnswerB

The host receives repeated ARP replies claiming the gateway IP belongs to a different MAC address, and the same MAC appears on multiple switch ports. That combination indicates ARP spoofing or poisoning, which can redirect traffic through an attacker for interception or disruption. The brief forwarding to another IP is consistent with a man-in-the-middle attempt built on forged ARP replies.

Why this answer

ARP spoofing is the most likely attack because the exhibit shows an attacker sending forged ARP replies to associate the attacker's MAC address with the IP address of the default gateway. This poisons the ARP cache of the victim, causing all traffic destined for the gateway to be sent to the attacker instead, enabling man-in-the-middle interception.

Exam trap

The trap here is that candidates confuse ARP spoofing with DNS cache poisoning because both involve 'poisoning' a cache, but ARP operates at Layer 2 (MAC addresses) while DNS operates at Layer 7 (domain name resolution).

How to eliminate wrong answers

Option A is wrong because DNS cache poisoning involves corrupting a DNS resolver's cache with false DNS records, not manipulating ARP tables at Layer 2. Option C is wrong because a replay attack captures and retransmits valid data packets to trick the receiver, but the exhibit shows direct manipulation of MAC-to-IP mappings, not packet replay. Option D is wrong because an amplification denial-of-service attack uses small queries to generate large responses (e.g., DNS amplification), overwhelming a target with traffic, whereas the exhibit depicts local network ARP manipulation.

999
MCQmedium

An organization is evaluating a payroll SaaS provider after the procurement team asks for evidence that the vendor's security controls were designed and operating effectively during the past year. Which document should the security team review first?

A.Memorandum of understanding
B.SOC 2 Type II report
C.Software license agreement
D.Network diagram of the vendor's data center
AnswerB

A SOC 2 Type II report provides an independent assessment of control design and operating effectiveness over a defined period.

Why this answer

A SOC 2 Type II report provides an independent auditor's assessment of a service organization's controls over a period of time (typically 6–12 months), confirming that security controls were not only designed but also operating effectively. This directly meets the procurement team's need for evidence of the vendor's security posture over the past year, as required for evaluating a SaaS provider handling sensitive payroll data.

Exam trap

The trap here is that candidates may confuse a SOC 2 Type I report (which only tests control design at a point in time) with a Type II report (which tests operating effectiveness over a period), or they may mistakenly think a network diagram or legal agreement provides evidence of control effectiveness.

How to eliminate wrong answers

Option A is wrong because a Memorandum of Understanding (MOU) is a non-binding agreement outlining mutual intentions and responsibilities, not an audited report of control effectiveness. Option C is wrong because a Software License Agreement defines usage rights, fees, and legal terms, but does not provide evidence of security control design or operational effectiveness. Option D is wrong because a network diagram shows the vendor's data center architecture but offers no proof that security controls were actually implemented or operating effectively over the past year.

1000
MCQeasy

A company wants to reduce the chance that a stolen password can be used to access employee email. Which control is the best fit?

A.Password complexity requirements only
B.Multi-factor authentication
C.Daily backup verification
D.Security awareness posters
AnswerB

Multi-factor authentication adds another verification step beyond the password, so an attacker who steals only a password still cannot easily log in. It is a practical preventive control for reducing account takeover risk, especially for email and other internet-facing services where passwords may be phished, reused, or exposed in breaches.

Why this answer

Multi-factor authentication (MFA) requires at least two different authentication factors (e.g., something you know like a password and something you have like a time-based one-time password from an authenticator app). Even if an attacker steals the password, they cannot access the email without the second factor, directly reducing the risk of credential theft leading to account compromise.

Exam trap

The trap here is that candidates often choose password complexity (A) thinking stronger passwords prevent theft, but the question explicitly states the password is already stolen, so only a second factor like MFA can block its use.

How to eliminate wrong answers

Option A is wrong because password complexity requirements only make passwords harder to guess or crack, but they do nothing to prevent a stolen password from being reused by an attacker who already possesses it. Option C is wrong because daily backup verification ensures data recoverability in case of loss or ransomware, but it does not prevent unauthorized access to email accounts. Option D is wrong because security awareness posters educate users about threats but provide no technical enforcement to block an attacker using a stolen password.

1001
MCQeasy

An employee receives a phone call from someone claiming to be IT and asking for a one-time verification code to "fix" the employee's account. What is the best response?

A.Provide the code quickly so the support call can be completed without delay.
B.Refuse to share the code and report the call through the company's security process.
C.Reply to the caller by email with the code and ask them to confirm receipt.
D.Change the password immediately and then tell the caller the new password.
AnswerB

The safest response is to refuse the request and report it through the organization’s approved security process. One-time codes should never be shared because they can be used to bypass MFA and hijack the account. Reporting the call helps the security team warn others, investigate the attempt, and reduce the chance of a successful attack.

Why this answer

Option B is correct because it follows the principle of never sharing authentication factors, especially one-time verification codes, with anyone over the phone. This scenario is a classic social engineering attack (vishing) where the attacker attempts to bypass multi-factor authentication (MFA) by tricking the employee into revealing a time-based one-time password (TOTP) or similar code. Reporting the call through the company's security process allows the incident to be investigated and mitigates further risk.

Exam trap

The trap here is that candidates may think providing the code is harmless because it is 'one-time' or that changing the password is a proactive security measure, but both actions directly hand over authentication secrets to an unverified caller.

How to eliminate wrong answers

Option A is wrong because providing the code directly enables the attacker to authenticate as the employee, compromising the account and any MFA-protected resources. Option C is wrong because replying by email with the code still shares the secret with an unverified caller, and email is not a secure channel for transmitting authentication factors; it also does not verify the caller's identity. Option D is wrong because changing the password and then telling the caller the new password gives the attacker direct access to the account, bypassing any security controls; the employee should never share credentials with anyone.

1002
Multi-Selecteasy

A company wants its laptop fleet to start from a known configuration before shipping to users and to reduce exposure to newly discovered vulnerabilities over time. Which two actions are best? Select two.

Select 2 answers
A.Build the laptops from a secure baseline image.
B.Apply security patches on a regular schedule.
C.Install extra consumer applications by default.
D.Allow users to disable endpoint protection whenever they want.
E.Delay firmware updates until devices fail.
AnswersA, B

A secure baseline ensures every device starts with approved settings and reduced unnecessary exposure. It makes the fleet easier to manage and more consistent to secure.

Why this answer

Building laptops from a secure baseline image ensures that every device starts with a known, hardened configuration, eliminating any pre-existing vulnerabilities or misconfigurations. This directly supports the requirement to begin from a known good state before shipping to users.

Exam trap

The trap here is that candidates may think installing extra applications is helpful for user productivity, but the question specifically asks for actions that reduce vulnerability exposure and ensure a known configuration, making such additions counterproductive.

1003
MCQeasy

A finance manager can view only the reports needed for monthly budgeting and cannot see payroll details. Which principle is being applied?

A.Need-to-know, because access is limited to information required for the job.
B.Zero trust, because the manager uses a password to sign in.
C.Separation of duties, because the manager is part of finance.
D.Defense in depth, because only one report system is being used.
AnswerA

Need-to-know limits access to information based on business need. The finance manager can view budgeting reports, but payroll details are withheld because they are not required for the role.

Why this answer

The principle of need-to-know restricts access to only the information necessary for an individual to perform their job duties. In this scenario, the finance manager can view only monthly budgeting reports and is explicitly blocked from payroll details, which aligns directly with need-to-know. This is typically enforced through access control lists (ACLs) or role-based access control (RBAC) policies that limit data visibility based on job function.

Exam trap

The trap here is confusing need-to-know with least privilege, as both limit access, but need-to-know specifically restricts data visibility rather than system permissions or actions.

How to eliminate wrong answers

Option B is wrong because zero trust is a security model that assumes no implicit trust and requires continuous verification of every access request, not simply using a password to sign in. Option C is wrong because separation of duties divides critical tasks among multiple people to prevent fraud or error, not to limit data visibility based on job role. Option D is wrong because defense in depth involves multiple layers of security controls (e.g., firewalls, IDS, encryption), not restricting access to a single report system.

1004
Matchinghard

Match each awareness-program metric or pattern to the best interpretation. Use each interpretation once.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Improved phishing resistance

Better escalation culture

Faster detection and triage

Targeted refresher coaching needed

Why these pairings

Phishing click rate measures susceptibility, reporting rate indicates vigilance, training completion rate shows participation, repeat offender rate identifies high-risk users, time to report reflects responsiveness, and knowledge assessment score measures understanding.

1005
Matchingmedium

Match each incident response action to its primary purpose during a suspected endpoint compromise.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Contain the incident and limit spread to other systems

Preserve evidence that could disappear after power-off

Eradicate persistence and return the system to a trusted state

Recover business operations and return service to normal

Complete lessons learned and improve future response

Why these pairings

Incident response actions are sequenced to contain, preserve, analyze, remove, and learn from the incident. Isolating prevents spread; volatile data capture is time-sensitive; imaging preserves evidence; log analysis reveals details; eradication cleans the system; lessons learned improve processes.

1006
MCQmedium

A security analyst in the SOC is investigating a potential DNS tunneling incident. The analyst has identified a workstation that is making thousands of DNS queries to an external domain with base64-encoded subdomains. The analyst suspects that sensitive files from the workstation are being exfiltrated by encoding their contents into the subdomains of the DNS queries. Which of the following log sources will provide the most definitive evidence to confirm that the contents of a specific sensitive file are being transmitted in the DNS queries?

A.The DNS server logs showing the queried domains and subdomains.
B.The workstation's process creation logs showing which process initiated the DNS queries.
C.A full packet capture of the network traffic from the workstation showing the complete DNS messages.
D.The firewall logs showing outbound connections from the workstation to the external DNS server on port 53.
AnswerC

A full packet capture includes the entire DNS query packet, including the complete subdomain portion. The analyst can extract and decode the base64-encoded subdomain data and compare it directly to the contents of a sensitive file on the workstation to definitively confirm data exfiltration.

Why this answer

Option C is correct because a full packet capture (PCAP) contains the complete DNS query and response messages, including the raw payload of the subdomain fields. This allows the analyst to extract the base64-encoded data from the subdomains and decode it to verify that it matches the contents of the suspected sensitive file. DNS server logs (option A) typically only record the queried domain names, not the full DNS message payload, and may truncate long subdomains.

Process creation logs (option B) show which executable made the queries but not the data being sent. Firewall logs (option D) only show connection metadata (source, destination, port) and never the DNS query content.

Exam trap

The trap here is that candidates assume DNS server logs contain the full query payload, but in practice they often log only the resolved domain name and may truncate long subdomains, making packet capture the only definitive source for reconstructing exfiltrated data.

How to eliminate wrong answers

Option A is wrong because DNS server logs usually store only the queried domain name and response code, not the full DNS message payload; base64-encoded subdomains may be truncated or omitted entirely. Option B is wrong because process creation logs (e.g., Event ID 4688 in Windows) reveal the parent process and command line but do not capture the actual DNS query data transmitted over the network. Option D is wrong because firewall logs record only connection-level details (IP addresses, ports, timestamps) and never include the application-layer payload of DNS queries.

1007
Multi-Selectmedium

A regulated analytics workload must run in a public cloud with the strongest practical tenant isolation while avoiding management of physical servers. The workload should also remain off the public internet. Which two deployment choices best fit? Select two.

Select 2 answers
A.Run the workload on a dedicated host or dedicated instance.
B.Place the workload in a private subnet without a public IP address.
C.Use shared tenancy with security groups only.
D.Assign an elastic IP so administrators can reach the workload directly from anywhere.
E.Expose the workload through a public load balancer to simplify connectivity.
AnswersA, B

Dedicated compute placement provides stronger tenant isolation than shared hardware and is appropriate when a regulated workload needs a higher separation level. It also keeps the organization in a cloud model without requiring ownership of physical servers.

Why this answer

A dedicated host or dedicated instance provides the strongest practical tenant isolation in a public cloud by ensuring that the underlying physical server is not shared with any other customer. This meets the regulatory requirement for strong isolation while avoiding the need to manage physical servers, as the cloud provider still handles hardware maintenance. The dedicated instance model (e.g., AWS Dedicated Instances) offers hardware-level isolation at the instance level, while a dedicated host gives you visibility and control over the physical server, both without requiring you to manage the server itself.

Exam trap

The trap here is that candidates often confuse network isolation (private subnet) with tenant isolation (physical hardware separation), or they assume that a public load balancer can be used without exposing the workload to the internet, forgetting that the load balancer itself has a public endpoint.

1008
Matchinghard

Match each business situation to the best risk treatment. Use each treatment once.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Accept risk

Mitigate risk

Transfer risk

Avoid risk

Why these pairings

Risk treatment decisions are based on likelihood and impact: accept low risks, avoid high-high risks, mitigate medium risks, and transfer risks that are high likelihood but low impact or low likelihood but high impact.

1009
MCQmedium

A Java-based internal portal accepts a serialized object during profile import. After a recent test upload, the server made outbound LDAP calls and created a new local account. What attack pattern best explains this behavior?

A.SQL injection, because the attacker likely altered a database query.
B.Cross-site scripting, because the attacker could have injected script into the portal.
C.Insecure deserialization, because a crafted object triggered unexpected server-side actions.
D.CSRF, because the attacker may have forced an administrator to submit a form.
AnswerC

Insecure deserialization occurs when an application accepts untrusted serialized data and rebuilds it unsafely. That can allow an attacker to trigger code paths, remote lookups, or even command execution, which matches the LDAP activity and account creation.

Why this answer

Option C is correct because the scenario describes a Java application accepting a serialized object during profile import, which is a classic vector for insecure deserialization attacks. By crafting a malicious serialized object, an attacker can trigger arbitrary code execution on the server, leading to outbound LDAP calls and local account creation—actions that are not part of normal profile import logic. This attack exploits the trust placed in serialized data without proper validation or integrity checks.

Exam trap

The trap here is that candidates may confuse insecure deserialization with other injection attacks (SQLi or XSS) because all involve untrusted input, but only deserialization directly allows server-side object reconstruction and arbitrary method invocation without proper validation.

How to eliminate wrong answers

Option A is wrong because SQL injection involves manipulating database queries through input fields, not through serialized objects; the described behavior (LDAP calls and account creation) is not typical of SQL injection, which primarily targets data extraction or modification. Option B is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages viewed by other users, not server-side object deserialization; XSS cannot directly cause the server to make outbound LDAP calls or create local accounts.

1010
MCQmedium

A security manager at a financial services company is evaluating the effectiveness of a newly deployed security awareness training program. The program included modules on recognizing phishing emails, password security, and tailgating. One month after the training, the manager wants to assess whether employees are applying the learned behaviors to reduce the risk of phishing attacks. Which of the following metrics would provide the most valid indication of the training's behavioral impact?

A.The percentage of employees who completed the training modules.
B.The average score on the post-training knowledge quiz.
C.The number of reported phishing incidents to the security team.
D.The reduction in the employee click-through rate on simulated phishing campaigns.
AnswerD

Simulated phishing campaigns provide a controlled test of employee behavior. Comparing pre-training and post-training click-through rates directly measures whether employees are applying the training to avoid clicking malicious links.

Why this answer

Option D is correct because the reduction in the employee click-through rate on simulated phishing campaigns directly measures a change in behavior—specifically, whether employees are applying the training to avoid clicking malicious links. Unlike knowledge scores or completion rates, this metric captures real-world application of the learned behavior in a controlled, measurable environment.

Exam trap

The trap here is that candidates confuse knowledge assessment (quiz scores) or participation metrics (completion rates) with behavioral metrics, but the exam specifically tests the distinction between measuring 'knowing' versus 'doing' in security awareness programs.

How to eliminate wrong answers

Option A is wrong because completion rates only measure participation, not whether employees actually learned or changed their behavior; a 100% completion rate could still result in no reduction in phishing susceptibility. Option B is wrong because post-training quiz scores measure knowledge retention, not behavioral application; an employee can ace a quiz yet still click a phishing link in practice. Option C is wrong because the number of reported phishing incidents can increase due to improved reporting behavior, which is a positive outcome, but it does not directly measure whether employees are avoiding phishing clicks—it measures reporting, not click reduction.

1011
Matchingeasy

Match each control type to the best description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Stops a threat before it succeeds.

Identifies an event after or while it is happening.

Fixes a problem after it has occurred.

Discourages an attacker from trying.

Provides an alternate safeguard when the preferred control is not possible.

Why these pairings

Control types are categorized by nature: administrative involves rules, technical involves technology, physical involves tangible barriers, logical involves software-based access, operational involves processes, and legal/regulatory involves compliance.

1012
MCQhard

Based on the exhibit, which change best improves recovery resilience against a repeat ransomware incident?

A.Keep the current design and add more NAS storage capacity.
B.Move the NAS to the same subnet as the file server for faster backups.
C.Use an immutable or offline backup copy that production credentials cannot modify.
D.Shorten the backup retention period to reduce storage use.
AnswerC

The incident showed that the attacker could encrypt both production and the backup share because the backup target stayed online and writable. An immutable or offline copy breaks that dependency and prevents the same credentials from destroying recovery data. In ransomware recovery, backup survivability matters more than convenience, so this change gives the strongest resilience improvement.

Why this answer

Option C is correct because ransomware often encrypts or deletes accessible backups. An immutable or offline backup copy (e.g., using S3 Object Lock, Write Once Read Many (WORM) storage, or air-gapped tape) ensures that even if production credentials are compromised, the backup data cannot be modified or deleted by the attacker. This directly preserves a clean recovery point after a ransomware incident.

Exam trap

The trap here is that candidates often assume faster backups (Option B) or more capacity (Option A) improve resilience, but they overlook the fundamental requirement that backups must be protected from modification by the attacker, which only immutability or an air gap provides.

How to eliminate wrong answers

Option A is wrong because adding more NAS storage capacity does not protect existing backups from being encrypted or deleted by ransomware; it only increases the volume of data at risk. Option B is wrong because moving the NAS to the same subnet as the file server exposes the backup storage to the same network-based attacks and lateral movement, making it easier for ransomware to reach and corrupt the backups. Option D is wrong because shortening the backup retention period reduces the number of available recovery points, increasing the risk of data loss and potentially eliminating the last clean backup before the ransomware attack.

1013
MCQmedium

A branch office uses a flat LAN, and a compromise on one user workstation could spread quickly to finance systems. Management wants finance workstations isolated from general users, but finance staff still need access to a central finance application and network printer. What is the best design change?

A.Move finance devices to the guest Wi-Fi network so they are separated from employees.
B.Create separate VLANs for finance and user devices, then apply inter-VLAN ACLs to allow only required application and printer traffic.
C.Keep the flat LAN but require stronger passwords on finance PCs and shared folders.
D.Place all devices in one VLAN and rely on endpoint antivirus to stop spread.
AnswerB

Separate VLANs provide segmentation, and inter-VLAN ACLs enforce which systems may communicate. This limits lateral movement while still allowing the finance team to reach approved shared resources such as the finance application and printer.

Why this answer

Option B is correct because creating separate VLANs segments the flat LAN into isolated broadcast domains, preventing lateral movement from compromised user workstations to finance systems. Inter-VLAN ACLs then act as a stateful firewall, permitting only the specific traffic (e.g., TCP 1433 for SQL-based finance app, TCP 9100 for printer) while blocking all other inter-VLAN communication. This aligns with the principle of least privilege and network segmentation, directly addressing the requirement to isolate finance workstations without disrupting their needed access.

Exam trap

The trap here is that candidates may think stronger passwords or guest Wi-Fi solve the isolation problem, but CompTIA tests the understanding that network segmentation via VLANs and ACLs is the only method that both prevents lateral movement and preserves specific required access.

How to eliminate wrong answers

Option A is wrong because moving finance devices to the guest Wi-Fi network would isolate them from the internal LAN, but guest networks typically have no access to internal resources like the central finance application or network printer, breaking the required connectivity. Option C is wrong because keeping the flat LAN with stronger passwords does not prevent lateral movement; a compromised user workstation on the same broadcast domain can still directly attack finance PCs via ARP spoofing, SMB relay, or other Layer 2 attacks, regardless of password strength.

1014
MCQmedium

Based on the exhibit, which attack is most likely being attempted against the application?

A.Cross-site scripting, because the attacker is trying to inject script into the victim's browser session.
B.Server-side request forgery, because the application is being tricked into making internal requests on the attacker's behalf.
C.Cross-site request forgery, because the attacker is forcing an authenticated user to submit an unwanted request.
D.SQL injection, because the attacker is manipulating a query parameter to expose backend data.
AnswerB

The application accepts a URL parameter and then makes outbound requests to internal resources, including the cloud metadata endpoint. That is the hallmark of SSRF. The attacker is causing the server to reach addresses that should not normally be accessible through a public request path.

Why this answer

The exhibit shows an attacker manipulating a URL parameter (e.g., `?url=http://169.254.169.254/latest/meta-data/`) to make the application fetch an internal resource. This is a classic Server-Side Request Forgery (SSRF) attack, where the application is tricked into making requests to internal services (like cloud metadata endpoints) on the attacker's behalf, bypassing network segmentation.

Exam trap

CompTIA often tests SSRF by showing a URL parameter like `?url=` or `?file=` pointing to an internal IP (e.g., 127.0.0.1 or 169.254.169.254), and candidates confuse it with CSRF because both involve 'forged requests,' but SSRF is server-side while CSRF is client-side.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) into a victim's browser, not manipulating server-side requests to internal resources. Option C is wrong because cross-site request forgery (CSRF) forces an authenticated user to submit an unwanted request (e.g., via a forged HTTP POST), but the exhibit shows the attacker directly controlling the request URL, not relying on a victim's session. Option D is wrong because SQL injection targets database queries via input fields (e.g., `' OR 1=1--`), not URL parameters that trigger server-side HTTP requests to internal IPs.

1015
Multi-Selectmedium

EDR flags encoded PowerShell launched by a spreadsheet application and an outbound HTTPS connection to a rare domain. Which two response actions are best to take from the EDR console first? Select two.

Select 2 answers
A.Isolate the endpoint from the network through the EDR platform
B.Collect a triage package or memory snapshot before remediation, if supported
C.Uninstall the spreadsheet application immediately
D.Reboot the endpoint to clear the suspicious script
E.Wait for a second alert before taking any action
AnswersA, B

Isolation limits lateral movement and command-and-control traffic while preserving the host for investigation.

Why this answer

Isolating the endpoint from the network (A) is correct because it immediately stops the outbound HTTPS connection to the rare domain, preventing potential command-and-control (C2) data exfiltration or further payload download. Collecting a triage package or memory snapshot (B) is correct because the encoded PowerShell script and suspicious process chain are volatile artifacts that may be lost on reboot or remediation, and capturing them preserves forensic evidence for analysis.

Exam trap

CompTIA often tests the misconception that rebooting or uninstalling the application is a valid first response, when in fact both destroy volatile evidence and fail to contain the active threat.

1016
Multi-Selectmedium

A company wants to detect unauthorized changes to production server configurations before users notice an outage. Which two controls best fit this goal? Select two.

Select 2 answers
A.File integrity monitoring on critical system files
B.Centralized alerting on configuration-change events from the SIEM
C.Full-disk encryption on the server volumes
D.Multifactor authentication for remote administrators
E.Network segmentation between user VLANs and server VLANs
AnswersA, B

This detects unexpected changes to protected files and configuration artifacts after they occur.

Why this answer

File integrity monitoring (FIM) on critical system files is correct because it detects unauthorized changes by comparing current file hashes against a known-good baseline. When a change occurs, FIM generates an alert, enabling the security team to investigate before users notice an outage. This directly addresses the goal of detecting configuration tampering proactively.

Exam trap

The trap here is that candidates often confuse preventive controls (like encryption or MFA) with detective controls (like FIM and SIEM alerting), leading them to select options that prevent access but do not detect changes after they happen.

1017
Multi-Selecteasy

A company wants employees to sign in once with corporate credentials and access multiple SaaS apps without creating separate passwords for each service. Which two features best support this goal? Select two.

Select 2 answers
A.Federation trust between the corporate identity provider and the SaaS provider.
B.Single sign-on so users authenticate once and reuse that session across apps.
C.Shared generic accounts for each department.
D.Storing the same password inside every SaaS application.
E.Disabling MFA so the sign-in process is faster.
AnswersA, B

Federation lets the SaaS application accept authentication from the company’s identity provider. This avoids local account sprawl and supports centralized control of user sign-in.

Why this answer

Option A is correct because federation trust, typically implemented via standards like SAML 2.0 or OpenID Connect, establishes a trust relationship between the corporate identity provider (IdP) and each SaaS provider. This allows the SaaS app to accept authentication assertions from the corporate IdP, enabling users to sign in with their corporate credentials without needing separate passwords for each service.

Exam trap

The trap here is that candidates may confuse SSO (Option B) with federation (Option A) as being redundant, but they are complementary—federation establishes the trust relationship, while SSO provides the seamless session reuse—so both are required to meet the goal of signing in once with corporate credentials across multiple SaaS apps.

1018
MCQeasy

A login form sends user input directly into a database query. When a tester enters a single quote character, the application returns a database error. What attack is most likely?

A.Cross-site scripting
B.SQL injection
C.Session hijacking
D.Insecure deserialization
AnswerB

This is SQL injection because the application appears to concatenate unsanitized input into a database query. A single quote often breaks query syntax and reveals that user input is being interpreted as part of the SQL command. That is a common sign the application is vulnerable to injection attacks.

Why this answer

The application directly concatenates user input into a database query without sanitization. Entering a single quote breaks the SQL syntax, causing a database error, which is a classic indicator of SQL injection (SQLi). This vulnerability allows an attacker to manipulate the query structure and potentially extract or modify database contents.

Exam trap

The trap here is that candidates may confuse the immediate error response with cross-site scripting (XSS), but the database error clearly indicates the injection is targeting the SQL layer, not the browser's DOM.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages viewed by other users, not directly into database queries, and a single quote would not typically trigger a database error in an XSS context. Option C is wrong because session hijacking targets an authenticated user's session token (e.g., via theft or fixation) and does not involve injecting characters into a login form to cause a database error. Option D is wrong because insecure deserialization exploits the processing of serialized objects (e.g., PHP or Java serialization) to execute arbitrary code or manipulate application logic, not by sending a single quote into a database query.

1019
MCQmedium

A monthly scan finds a critical remote-code-execution issue on an internet-facing VPN appliance. The vendor has released a fix, but the appliance can only be rebooted during the weekend maintenance window in five days. What is the BEST immediate action to lower risk until patching can occur?

A.Apply a compensating control such as restricting access to trusted source IPs and disabling nonessential remote access features
B.Wait for the weekend because the exploit is not confirmed
C.Remove logging from the appliance to improve performance during the wait
D.Run another scan every hour and do nothing else
AnswerA

A compensating control lowers exposure right away when the patch cannot be installed immediately, which is the safest short-term option.

Why this answer

Option A is correct because applying a compensating control—such as restricting access to trusted source IPs via an ACL and disabling nonessential remote access features like unused VPN protocols or administrative interfaces—immediately reduces the attack surface. This mitigates the risk of exploitation of the remote-code-execution vulnerability on the internet-facing VPN appliance until the vendor patch can be applied during the scheduled maintenance window. The key is to implement network-layer controls that block untrusted sources from reaching the vulnerable service, buying time without requiring a reboot.

Exam trap

The trap here is that candidates may think waiting for the maintenance window is acceptable because the vulnerability is unconfirmed, but the exam expects proactive risk reduction through compensating controls rather than passive delay.

How to eliminate wrong answers

Option B is wrong because waiting for the weekend assumes the exploit is not confirmed, but a critical remote-code-execution vulnerability on an internet-facing appliance is inherently high-risk; the scan finding indicates a real issue, and delaying action without compensating controls leaves the organization exposed to active exploitation. Option C is wrong because removing logging from the appliance does not lower risk; it actually reduces visibility into potential attacks and may violate compliance requirements, while doing nothing to prevent exploitation of the vulnerability. Option D is wrong because running another scan every hour and doing nothing else provides no risk reduction; scanning repeatedly does not block or mitigate the vulnerability, and it wastes resources without addressing the immediate threat.

1020
Matchinghard

Match each design requirement to the best security architecture control. Use each control once.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

DMZ

Bastion host

Microsegmentation

Zero Trust Network Access (ZTNA)

Load balancer

Why these pairings

Defense in depth uses layered controls, least privilege minimizes risk, separation of duties prevents fraud, fail secure avoids insecure states, secure defaults reduce misconfiguration, and complete mediation ensures consistent enforcement.

1021
MCQmedium

An HR system marks employees as hired, transferred, or terminated. The security team wants those changes to create, update, or disable accounts in multiple SaaS apps automatically after the user authenticates through the company identity provider. Which capability should be added?

A.SAML federation alone, with no additional account lifecycle automation.
B.Password synchronization between every application.
C.SCIM provisioning integrated with the SSO platform.
D.Local administrator groups on each SaaS application.
AnswerC

SCIM automates user and group lifecycle changes, so account creation, updates, and disablement can follow HR events centrally.

Why this answer

SCIM (System for Cross-domain Identity Management) is the correct choice because it provides a standardized protocol for automating the creation, update, and deletion of user accounts across multiple SaaS applications. When integrated with an SSO platform (like SAML), SCIM handles the lifecycle events (hire, transfer, terminate) by sending RESTful API calls to each SaaS app, ensuring accounts are created, updated, or disabled without manual intervention. SAML alone only handles authentication, not account provisioning, making SCIM essential for the described automation.

Exam trap

The trap here is that candidates often confuse SAML federation (which only handles authentication) with full identity lifecycle management, leading them to pick option A, but the question explicitly requires automated account creation, update, and disablement—a capability only SCIM provides.

How to eliminate wrong answers

Option A is wrong because SAML federation alone only handles authentication (single sign-on) and does not include any account lifecycle management—it cannot create, update, or disable accounts automatically. Option B is wrong because password synchronization between applications is a legacy approach that does not automate account provisioning or deprovisioning; it only keeps passwords consistent and introduces security risks without addressing the core requirement of lifecycle automation. Option D is wrong because local administrator groups on each SaaS application are a manual, per-application access control mechanism that does not provide any automated account lifecycle management or integration with the identity provider.

1022
MCQmedium

A company moved an internal application to a cloud virtual machine. The security team wants operating system login events, process activity, and network flow metadata to be available in the SIEM for investigations. Which action best supports that goal?

A.Rely only on the cloud provider's service health dashboard and billing alerts.
B.Enable guest OS audit logging and cloud-native flow logs, then forward the data to the SIEM.
C.Encrypt the virtual machine disks and disable all logging to reduce exposure.
D.Install only a web application firewall because that covers server log collection.
AnswerB

This combines host-level visibility with cloud network telemetry. Audit logs capture logons and system activity inside the virtual machine, while flow logs show network connections. Forwarding both to a SIEM gives analysts the context needed to correlate suspicious behavior across layers.

Why this answer

Option B is correct because it directly addresses the requirement to collect operating system login events, process activity, and network flow metadata. Enabling guest OS audit logging (e.g., via Windows Event Log or syslog) captures login and process events, while cloud-native flow logs (e.g., AWS VPC Flow Logs or Azure NSG flow logs) provide network flow metadata. Forwarding both data streams to the SIEM ensures centralized visibility for investigations.

Exam trap

The trap here is that candidates may think cloud provider dashboards or encryption are sufficient for security monitoring, but they fail to recognize that the specific data types required (OS events and network flows) must be explicitly enabled and forwarded from the guest OS and network layer, not inferred from provider-level metrics.

How to eliminate wrong answers

Option A is wrong because relying solely on the cloud provider's service health dashboard and billing alerts provides only infrastructure-level availability and cost data, not the required OS login events, process activity, or network flow metadata. Option C is wrong because encrypting disks and disabling all logging would eliminate the very data needed for investigations, directly contradicting the goal of making that data available in the SIEM.

1023
Multi-Selecthard

An accounts payable clerk receives an email that appears to come from a long-time vendor. The message asks for an urgent change to bank routing information, says the CFO is traveling, and requests that no one call back because the matter is confidential. The display name looks legitimate, but the reply-to address is different from the sender identity. Which three findings most strongly indicate a pretexting or business email compromise attempt? Select three.

Select 3 answers
A.The message requests a payment change outside the normal approval workflow.
B.The reply-to address does not match the claimed sender identity.
C.The recipient is told to keep the request confidential and avoid calling back.
D.The email contains a professional logo and a consistent signature block.
E.The email uses correct spelling and grammar throughout.
AnswersA, B, C

Unauthorized changes to payment instructions are a classic business email compromise tactic. This bypasses established controls and tries to exploit urgency. It is one of the strongest indicators because legitimate vendors normally accept verification through established channels, not a one-off email request.

Why this answer

Option A is correct because the request for a payment change outside the normal approval workflow is a classic indicator of business email compromise (BEC). Attackers exploit the absence of standard verification steps, such as dual authorization or manager sign-off, to redirect funds fraudulently. This bypass of established procedures directly aligns with the social engineering technique of pretexting, where the attacker fabricates a scenario (urgent, confidential, CFO traveling) to pressure the victim into violating policy.

Exam trap

CompTIA often tests the misconception that surface-level professionalism (logos, grammar) indicates legitimacy, when in fact these are easily replicated and the true red flags are procedural violations and header mismatches.

1024
MCQeasy

Field staff use company-owned tablets that also run approved personal apps. Security wants corporate email and documents separated from personal data, with the ability to wipe only the work data if a device is lost. What is the best control?

A.Use a work profile or container managed by a mobile device management platform.
B.Disable all personal apps by removing internet access from the tablet.
C.Install only a screen lock and require a longer PIN for the tablet.
D.Use a USB cable lock so the tablet cannot be physically moved.
AnswerA

A managed work profile or container is the best answer because it separates corporate data from personal applications on the same mobile device. That allows the organization to enforce policies on work data, protect corporate email and documents, and selectively remove only the business container if the tablet is lost or the user leaves. It supports a practical BYOD or COPE style deployment without wiping the user's personal content.

Why this answer

A work profile or container managed by a mobile device management (MDM) platform creates a separate, encrypted partition on the device for corporate data. This allows the organization to enforce policies and perform a selective wipe of only the work container without affecting personal apps or data, meeting the requirement for separation and targeted remote wipe.

Exam trap

The trap here is that candidates may think a screen lock or disabling internet is sufficient for data separation, but the exam specifically tests the concept of containerization and selective wipe as the only method that meets both separation and targeted data removal requirements.

How to eliminate wrong answers

Option B is wrong because disabling internet access on the tablet would block all network connectivity, preventing both personal and corporate apps from functioning, and does not provide any data separation or selective wipe capability. Option C is wrong because a screen lock and longer PIN only protect the device from unauthorized access at rest; they do not separate corporate data from personal data, nor do they enable a selective wipe of work data only.

1025
MCQmedium

An organization is redesigning access for a finance application. Employees should be able to approve expense reports only within their assigned job roles, and every approval must be traceable to the individual user who performed it. Which access model best fits this requirement?

A.Mandatory access control, because a central authority labels each expense report by sensitivity.
B.Role-based access control, because permissions are assigned by job function and tied to named users.
C.Discretionary access control, because individual employees decide who can approve expenses.
D.Rule-based access control, because approval rights are determined only by the time of day.
AnswerB

RBAC matches a finance workflow where users inherit permissions based on job roles such as approver, reviewer, or auditor. It is easy to administer, supports least privilege, and works well when access should be consistent for groups with similar duties. The requirement to trace approvals to individuals is also satisfied when each person uses a unique account and actions are logged.

Why this answer

Role-based access control (RBAC) is the correct choice because it assigns permissions based on job functions (e.g., 'Finance Approver') and links those permissions to named user accounts. This ensures that only employees in the appropriate role can approve expense reports, and each approval action is logged against the specific user, providing non-repudiation and traceability.

Exam trap

The trap here is that candidates often confuse 'rule-based access control' (which uses condition-based rules like time-of-day) with 'role-based access control' (which uses job functions), leading them to select option D despite the question's clear focus on job roles and user traceability.

How to eliminate wrong answers

Option A is wrong because mandatory access control (MAC) uses system-enforced labels (e.g., classification levels) to control access, not job roles, and it does not inherently tie approvals to named users for traceability. Option C is wrong because discretionary access control (DAC) allows individual data owners to set permissions, which would violate the requirement that approvals be restricted to assigned job roles and would not guarantee centralized traceability. Option D is wrong because rule-based access control (RBAC is often confused with rule-based, but here the option describes time-of-day rules only, which is a specific attribute-based condition, not a model that assigns permissions by job function or ensures user-level traceability.

1026
MCQmedium

Based on the exhibit, what type of attack is most likely being used against the accounts payable team?

A.Phishing, because the message asks recipients to open a file and respond quickly.
B.Spear phishing, because the email is tailored to a specific team, project, and recipient.
C.Pretexting, because the sender claims to have spoken with the recipient before.
D.Baiting, because the attacker offers a useful file related to the project.
AnswerB

This is spear phishing because the attacker uses personalized details such as the recipient's name, the internal project name, and a plausible business deadline. Those details are meant to increase trust and pressure the victim into taking action. The goal is to trick a specific target or group, not to send an indiscriminate message to everyone.

Why this answer

B is correct because spear phishing is a targeted attack where the email is customized for a specific individual or group, using personal details like the recipient's name, team, and project to increase credibility. The exhibit shows the email addresses the recipient by name, references the 'Acme Corp Q3 audit' project, and is sent to the accounts payable team, which matches the tailored nature of spear phishing. This makes it more convincing than generic phishing, as the attacker has researched the target to craft a relevant lure.

Exam trap

The trap here is that candidates confuse spear phishing with generic phishing because both involve email, but the key differentiator is the level of personalization—spear phishing uses specific details like the recipient's name and project, while phishing uses generic greetings like 'Dear Customer'.

How to eliminate wrong answers

Option A is wrong because phishing is a broad, untargeted attack sent to many recipients, while the email in the exhibit is specifically addressed to a named individual on the accounts payable team and references a specific project, indicating it is tailored. Option C is wrong because pretexting involves creating a fabricated scenario (e.g., impersonating a colleague or authority figure) to gain trust, but the email does not establish a false identity or backstory beyond claiming a prior conversation, which is a common spear phishing tactic, not a full pretext. Option D is wrong because baiting typically offers a physical item (e.g., a USB drive) or a digital download (e.g., a free file) to lure victims, but the email asks the recipient to open an attached file related to the project, which is a delivery mechanism for malware, not the core attack type—spear phishing better describes the targeted social engineering.

1027
MCQmedium

A vulnerability scan finds that an old print server still has SMBv1 enabled. The business says the vendor will not support a patch for at least two months, but the server must stay online. What is the best temporary mitigation?

A.Move the server to a restricted network segment and allow SMB access only from required hosts.
B.Turn off endpoint logging to reduce performance impact until the vendor releases a patch.
C.Increase the password length requirement for all users and keep the server on the same network.
D.Schedule a weekly reboot to clear any malicious sessions and reduce the chance of exploitation.
AnswerA

This is a strong temporary control because it directly limits who can reach the vulnerable service. Reducing reachable hosts is a standard way to lower risk when remediation must be delayed.

Why this answer

Option A is correct because network segmentation is the most effective temporary mitigation when a patch is unavailable. By moving the print server to a restricted VLAN or firewall zone and applying an access control list (ACL) that permits SMB traffic only from known, required hosts, you reduce the attack surface and prevent widespread exploitation of SMBv1 vulnerabilities (e.g., EternalBlue). This approach follows the principle of least privilege and containment, buying time until the vendor releases a patch.

Exam trap

The trap here is that candidates may choose a reactive measure like rebooting or a non-technical control like password changes, failing to recognize that containment via network segmentation is the only proactive defense that directly limits the exploit's reach without requiring a patch.

How to eliminate wrong answers

Option B is wrong because turning off endpoint logging reduces visibility into potential attacks, making it harder to detect exploitation of SMBv1; it does not address the vulnerability. Option C is wrong because increasing password length does not mitigate the SMBv1 protocol-level flaws (e.g., lack of pre-authentication integrity checks, susceptibility to relay attacks); it only strengthens authentication, which is irrelevant to the unpatched service. Option D is wrong because scheduling a weekly reboot does not prevent exploitation; attackers can re-establish malicious sessions quickly after reboot, and the vulnerability remains fully exploitable between reboots.

1028
MCQmedium

A Linux host is patched, but the scanner still flags the package as vulnerable. The vendor advisory says the distribution backported the fix, so the package version did not change. What should the analyst do before closing the ticket?

A.Verify the vendor advisory and package metadata, then document evidence of the fixed build.
B.Close the ticket immediately because the patch was installed successfully.
C.Raise the severity of the finding because the scanner still reports it.
D.Disable the scanner until the next maintenance window to avoid repeated alerts.
AnswerA

A version number alone can be misleading when a vendor backports a fix without changing the upstream version. The analyst should confirm the remediation using vendor notes, package release metadata, or other authoritative evidence. That ensures the finding is truly remediated before the ticket is closed and prevents a false assumption based only on a scanner result.

Why this answer

Option A is correct because when a vendor backports a security fix to an older package version without incrementing the version number, the vulnerability scanner may still flag the package based on its version string. The analyst must verify the vendor advisory and package metadata (e.g., using `rpm -q --changelog` or `dpkg --status`) to confirm the fix is present, then document this evidence to close the ticket with proper justification.

Exam trap

The trap here is that candidates assume a patched system always has a newer package version, but CompTIA tests the understanding that backported fixes keep the same version string, requiring manual verification of the changelog or vendor advisory.

How to eliminate wrong answers

Option B is wrong because closing the ticket without verification ignores the scanner's alert and the need for evidence that the backported fix is actually installed. Option C is wrong because raising the severity is inappropriate; the package is not vulnerable, and the scanner's false positive does not warrant escalation. Option D is wrong because disabling the scanner avoids the issue rather than resolving it, and the scanner should be tuned or the finding documented as a false positive.

1029
Multi-Selectmedium

After restoring a virtual file server from backup, users can open shares, but the accounting application shows the previous day's transactions are missing. Which two steps should the administrator take next? Select two.

Select 2 answers
A.Verify whether the backup included application-consistent data and transaction logs
B.Restore the missing records from the latest pre-incident application backup or log backup
C.Leave the server as is because file shares are accessible
D.Delete the current backup set to avoid restoring the wrong version again
E.Reimage the server immediately without checking the restore point
AnswersA, B

This checks whether the backup captured enough application state to recover recent transactions.

Why this answer

Option A is correct because the accounting application's missing transactions indicate the backup may not have captured application-consistent data, such as open transaction logs or database writes. Without application consistency (e.g., using Volume Shadow Copy Service or a database-aware backup agent), the restore point may reflect a crash-consistent state where recent transactions were lost. Verifying the backup type ensures the administrator understands whether the data is recoverable from transaction logs or requires a separate application-level restore.

Exam trap

The trap here is that candidates assume file share accessibility equals full data recovery, overlooking the distinction between file-level and application-consistent backups, which is a core concept in CompTIA SY0-701 Domain 3.0 (Security Operations).

1030
MCQmedium

A company manages 300 laptops and wants to reduce risk from missed patches while avoiding a widespread outage if an update has compatibility issues. Which patching approach is the best choice?

A.Install patches manually on each laptop after users report problems.
B.Deploy all patches to every laptop immediately with no testing.
C.Use a phased rollout with a pilot group, then expand deployment after validation, while keeping a standard baseline configuration.
D.Wait for annual maintenance windows so all changes happen at once.
AnswerC

A phased or ring-based rollout balances speed and stability. A pilot group catches compatibility issues early, and the baseline keeps endpoint settings consistent across the fleet. This approach reduces risk from vulnerabilities without creating unnecessary operational disruption.

Why this answer

Option C is correct because a phased rollout with a pilot group allows the IT team to validate patches on a small subset of laptops before full deployment, reducing the risk of widespread outages from compatibility issues. Maintaining a standard baseline configuration ensures consistency across all 300 laptops, which simplifies patch management and reduces the likelihood of missed patches. This approach balances risk mitigation with operational continuity, aligning with best practices for enterprise patch management.

Exam trap

The trap here is that candidates may choose Option B (immediate deployment) because they prioritize speed and simplicity over risk management, failing to recognize that unvalidated patches can cause cascading failures that negate any security benefits.

How to eliminate wrong answers

Option A is wrong because installing patches manually only after users report problems is a reactive approach that leaves laptops vulnerable to known exploits for extended periods, increasing the risk of security breaches. Option B is wrong because deploying all patches to every laptop immediately with no testing ignores the potential for compatibility issues that could cause widespread outages, application failures, or system instability across the entire fleet.

1031
MCQmedium

A file server is actively renaming documents and generating ransom notes. The server hosts a shared drive used by finance, and users are still online. What is the best immediate action?

A.Shut the server down immediately to stop all activity as fast as possible.
B.Isolate the server from the network to contain the spread while preserving evidence.
C.Restore the file server from backup before checking whether the infection is still active.
D.Run a full antivirus scan and wait for the results before taking any other action.
AnswerB

Network isolation is the best immediate containment step because it limits lateral movement and reduces the chance that ransomware spreads to other systems or continues encrypting shared data. It is also less destructive than a hard shutdown, which can interfere with evidence collection. In incident response, containment should stop the impact while preserving the ability to investigate what happened.

Why this answer

Option B is correct because isolating the server from the network stops the ransomware from encrypting more files or spreading laterally, while preserving volatile evidence (e.g., running processes, memory contents) needed for forensic analysis. In a live incident, immediate disconnection (not shutdown) is the standard containment step per NIST SP 800-61 and SANS incident response guidelines, as it halts the attack without destroying data in memory or logs.

Exam trap

The trap here is that candidates confuse 'stopping the attack' with 'shutting down the system,' but CompTIA emphasizes that isolation (disconnecting the network cable or disabling the port) is the first step in containment to preserve evidence and avoid data loss.

How to eliminate wrong answers

Option A is wrong because shutting down the server destroys volatile evidence (e.g., active network connections, running ransomware processes in RAM) and may trigger the ransomware to delete or further encrypt files on shutdown, as many modern ransomware variants have persistence mechanisms that activate on system halt. Option C is wrong because restoring from backup before confirming the infection is neutralized risks re-infection if the backup itself is compromised or if the ransomware is still active on the network, and it bypasses the need for forensic preservation. Option D is wrong because running a full antivirus scan while the server is still online allows the ransomware to continue encrypting files and spreading to other systems, and signature-based scans often miss polymorphic or zero-day ransomware strains.

1032
Multi-Selectmedium

A SIEM alert shows a workstation making repeated outbound HTTPS connections every 15 minutes to the same cloud IP address. The host belongs to the patch-management group, and the security team suspects an approved agent may be responsible. Which two checks best validate whether this is a false positive? Select two.

Select 2 answers
A.Verify that the destination domain and IP match the vendor's documented update service.
B.Compare the running process, parent process, and digital signature to the approved agent baseline.
C.Immediately isolate the workstation from the network without reviewing any other evidence.
D.Suppress every future alert from that subnet permanently.
E.Assume the traffic is benign because it occurs at a regular interval.
AnswersA, B

Correct because matching the observed destination to an approved vendor endpoint strongly supports legitimate automated behavior. It helps confirm that the traffic pattern aligns with expected patch-agent communications.

Why this answer

Option A is correct because verifying that the destination domain and IP match the vendor's documented update service directly confirms whether the outbound HTTPS traffic is legitimate patch-management activity. This step uses threat intelligence or vendor documentation to correlate the observed destination with the expected update infrastructure, which is a standard validation technique for reducing false positives in SIEM alerts.

Exam trap

The trap here is that candidates may choose immediate isolation (C) or permanent suppression (D) as quick fixes, but the exam tests the principle of validating evidence before taking irreversible actions and the importance of maintaining visibility for future threats.

1033
MCQmedium

After imaging laptops, the security team wants to ensure screen-lock timeouts, local admin restrictions, and USB storage controls remain consistent on every device even after users make changes. What is the best approach?

A.Rely on users to follow the build sheet during setup and avoid future changes.
B.Enforce a hardened baseline with configuration management and compliance checks.
C.Increase antivirus scan frequency so policy settings do not change.
D.Apply full disk encryption only, since it covers all endpoint hardening needs.
AnswerB

Correct. A hardened baseline defines the approved secure settings, and configuration management helps enforce those settings consistently across all laptops. Compliance checks detect drift after deployment, which is important when users or software might change security-related options. This approach directly supports secure configuration and repeatability at scale.

Why this answer

Option B is correct because configuration management tools (e.g., Microsoft Intune, Group Policy, or Ansible) can enforce a hardened baseline by applying settings like screen-lock timeouts, local admin restrictions, and USB storage controls. These tools also perform compliance checks to detect and remediate any drift caused by user changes, ensuring consistency across all devices.

Exam trap

The trap here is that candidates may confuse security controls like antivirus or encryption with configuration management, thinking they can prevent or revert policy changes, when in fact only a dedicated configuration management and compliance solution can enforce and remediate baseline settings.

How to eliminate wrong answers

Option A is wrong because relying on users to follow a build sheet is not enforceable; users can intentionally or accidentally change settings, leading to configuration drift and security gaps. Option C is wrong because increasing antivirus scan frequency does not prevent or revert changes to screen-lock, admin, or USB policies; antivirus focuses on malware detection, not configuration enforcement. Option D is wrong because full disk encryption protects data at rest but does not enforce screen-lock timeouts, local admin restrictions, or USB storage controls; it addresses only one aspect of endpoint hardening.

1034
MCQmedium

A finance application works normally for weeks after a contractor leaves the company. On the first business day of the quarter, a hidden task runs, deletes archived reports, and then removes itself from the scheduled task list. What type of malware behavior is this?

A.Worm
B.Logic bomb
C.Rootkit
D.Spyware
AnswerB

A logic bomb triggers on a condition such as a date, event, or account status to execute harmful actions.

Why this answer

The malware behavior described is a logic bomb because it lies dormant for a specific period (weeks) and triggers on a predefined condition (the first business day of the quarter) to execute a malicious payload (deleting archived reports) and then self-destructs by removing itself from the scheduled task list. This matches the definition of a logic bomb: malicious code that executes when a logical condition is met, often used for sabotage or delayed attacks.

Exam trap

The trap here is that candidates confuse a logic bomb with a worm because both can execute code automatically, but they fail to recognize that a worm's defining characteristic is self-propagation across networks, not a delayed, condition-based trigger.

How to eliminate wrong answers

Option A is wrong because a worm is self-replicating malware that spreads automatically across networks without user intervention, whereas this scenario involves a hidden task that does not replicate or spread. Option C is wrong because a rootkit is designed to hide the presence of malware or unauthorized processes by modifying the operating system kernel or using hooking techniques, not to trigger a delayed destructive action based on a date. Option D is wrong because spyware is focused on covertly collecting and exfiltrating user data (e.g., keystrokes, browsing habits) without the user's knowledge, not on deleting files or self-removal after a time-based trigger.

1035
MCQmedium

Employees use several SaaS applications, and the security team wants one corporate login, MFA for unmanaged devices, and centralized account provisioning. Which architecture should be used?

A.Create separate usernames and passwords for each SaaS application.
B.Use federated single sign-on with the corporate identity provider and conditional access policies.
C.Share one generic account for the team so access is easier to audit.
D.Put all users on a VPN and let each SaaS application trust the internal network automatically.
AnswerB

Federation and SSO centralize authentication, while conditional access can require MFA or other controls based on device trust.

Why this answer

Federated single sign-on (SSO) with a corporate identity provider (IdP) allows users to authenticate once using their corporate credentials and access multiple SaaS applications without separate logins. Conditional access policies can enforce MFA specifically for unmanaged devices, and centralized account provisioning (e.g., via SCIM) ensures accounts are created, updated, and deprovisioned from a single directory. This architecture meets all three requirements: single corporate login, MFA for unmanaged devices, and centralized provisioning.

Exam trap

The trap here is that candidates confuse network-level controls (VPN) with identity-level controls (federation), assuming that a VPN provides the same authentication and authorization granularity as SSO with conditional access.

How to eliminate wrong answers

Option A is wrong because creating separate usernames and passwords for each SaaS application violates the requirement for a single corporate login, increases password fatigue, and makes centralized provisioning impossible. Option C is wrong because sharing one generic account eliminates individual accountability, violates the principle of least privilege, and makes auditing impossible since actions cannot be traced to a specific user. Option D is wrong because VPNs only provide network-level access and do not integrate with SaaS application authentication; SaaS apps cannot 'trust the internal network automatically' without federation, and VPNs do not enforce MFA or provide centralized account provisioning.

1036
MCQmedium

A security analyst at a financial firm detects an unusual spike in outbound network traffic from a database server that normally only communicates with internal web servers. The traffic is directed to numerous external IP addresses in various countries. According to established incident response procedures, what should be the analyst's immediate next step?

A.Disconnect the server from the network at the switch level.
B.Run a comprehensive antivirus scan on the server.
C.Notify the Chief Information Security Officer (CISO) of the incident.
D.Power off the server to prevent further damage.
AnswerA

Correct. Network isolation is a containment measure that stops the ongoing data exfiltration while preserving the server's state for later investigation. This aligns with the containment step in the NIST incident response framework.

Why this answer

Disconnecting the server at the switch level (e.g., shutting down the switch port or placing it in a quarantine VLAN) is the immediate containment step per incident response procedures. This stops the outbound data exfiltration without risking data loss or corruption that could occur from a hard power-off, and it preserves volatile memory evidence for forensic analysis.

Exam trap

The trap here is that candidates confuse 'immediate containment' with 'immediate notification' or 'immediate remediation,' but the SY0-701 incident response framework prioritizes stopping the active threat (containment) over escalation or scanning.

How to eliminate wrong answers

Option B is wrong because running an antivirus scan is a slower, non-immediate step that does not stop ongoing data exfiltration; the traffic spike indicates active compromise, not just a dormant infection. Option C is wrong because notifying the CISO is a notification step that should occur after containment, not as the immediate action; delaying containment allows further data loss. Option D is wrong because powering off the server destroys volatile evidence (e.g., memory-resident malware, active network connections) and can cause data corruption, whereas disconnecting at the switch level stops the traffic while preserving the system state for investigation.

1037
MCQhard

During routine checks, configuration management finds several branch firewalls drifted from the approved baseline because a contractor changed settings locally. An automation job now compares each device nightly and automatically reapplies the approved configuration without waiting for a human ticket. Which control type is the automation?

A.Directive control
B.Detective control
C.Corrective control
D.Deterrent control
AnswerC

The automation runs after drift is detected and restores the approved baseline, which means it is correcting the affected system back to a known-good state. It does more than report the problem; it remediates the configuration. That is why the best answer is corrective control rather than detective or preventive control.

Why this answer

The automation job corrects a detected drift by automatically reapplying the approved configuration, which is a classic corrective control. Corrective controls are designed to remediate or reverse an unwanted change or security event after it has been detected. In this scenario, the nightly comparison is detective, but the automatic reapplication is the corrective action.

Exam trap

The trap here is that candidates see 'compares each device nightly' and mistakenly classify the entire process as detective, ignoring that the automatic reapplication is the corrective action that distinguishes the control type.

How to eliminate wrong answers

Option A is wrong because directive controls are policies, standards, or guidelines that define acceptable behavior (e.g., 'firewalls must use the approved baseline'), not automated remediation actions. Option B is wrong because detective controls identify or log a deviation (e.g., the nightly comparison itself), but the automation goes further by actively fixing the drift. Option D is wrong because deterrent controls discourage unwanted behavior through fear of consequences (e.g., warning banners or audit trails), not by automatically correcting configuration changes.

1038
MCQmedium

A branch office uses a NAS for nightly backups, but the NAS is joined to the same domain as the production servers. After ransomware encrypted both production data and backups, management wants the most effective change to reduce the chance of backup tampering without a major redesign. Which control should be implemented?

A.Increase the retention period so deleted files can be recovered for longer.
B.Move backups to a larger NAS with more available storage capacity.
C.Keep one backup copy offline or immutable and outside the production domain.
D.Run backups more frequently to the same NAS so newer files are captured sooner.
AnswerC

An offline or immutable copy is the strongest practical protection against ransomware that can reach the network backup target. Separating that copy from the production domain also reduces the chance that compromised admin credentials can alter it. This improves resilience without requiring a full redesign, and it gives the organization a trusted recovery source even if online backups are encrypted or deleted.

Why this answer

Option C is correct because keeping one backup copy offline or immutable and outside the production domain ensures that even if ransomware compromises the domain, it cannot encrypt or tamper with that isolated copy. This breaks the chain of trust between the production environment and the backup storage, directly addressing the root cause of the incident.

Exam trap

The trap here is that candidates often choose more frequent backups or larger storage, thinking that having more copies or more space provides protection, when the real vulnerability is the shared domain trust that allows ransomware to access and encrypt backups.

How to eliminate wrong answers

Option A is wrong because increasing the retention period only keeps deleted files longer, but does not prevent ransomware from encrypting or deleting the backups themselves on the same domain-joined NAS. Option B is wrong because moving to a larger NAS with more storage capacity does not change the fact that the NAS is still joined to the same domain, leaving backups vulnerable to the same ransomware attack. Option D is wrong because running backups more frequently to the same NAS only creates more copies that are all equally susceptible to encryption or deletion by ransomware that has domain access.

1039
MCQhard

Based on the exhibit, which principle should the organization enforce to reduce fraud risk while keeping the business process functional?

A.Least privilege, because each employee should only have the fewest permissions needed for the shared account.
B.Separation of duties, because no single user should be able to complete every high-risk finance step alone.
C.Need-to-know, because only employees with confidential financial data should see the workflow details.
D.Defense in depth, because the organization should add more security layers around the finance process.
AnswerB

Separation of duties is the best answer because the workflow shows one shared identity can create vendors, enter invoices, approve payments, and change bank details. That concentration enables fraud without a second set of eyes. Splitting those tasks across different roles prevents one person from controlling the entire transaction chain and creates accountability for each critical step.

Why this answer

Separation of duties (SoD) is the correct principle because it prevents any single employee from completing all steps in a high-risk financial transaction alone. By requiring at least two people to authorize and execute critical actions—such as initiating a payment and approving it—the organization reduces the risk of internal fraud without blocking the business workflow. This directly addresses the scenario where a single user could otherwise create, approve, and release a fraudulent payment.

Exam trap

The trap here is that candidates confuse least privilege (which limits permissions for a single user) with separation of duties (which splits a process across multiple users), even though the exhibit clearly shows a sequential workflow where a single user could perform all steps.

How to eliminate wrong answers

Option A is wrong because least privilege limits permissions for a shared account, but the core fraud risk here is not about excessive permissions on a shared account—it is about a single user being able to complete an entire high-risk process alone. Option C is wrong because need-to-know restricts access to confidential data based on job role, but the exhibit shows a workflow where the risk is sequential task completion, not data visibility. Option D is wrong because defense in depth adds multiple security layers (e.g., firewalls, IDS), but it does not specifically address the procedural control of splitting critical financial steps among different users.

1040
MCQhard

Based on the exhibit, what is the MOST likely explanation for the network traffic? The affected host is not showing a large amount of internet-bound traffic, but its DNS behavior is highly unusual.

A.DNS tunneling used for command-and-control or data transfer
B.ARP poisoning causing the host to redirect traffic to a rogue gateway
C.A browser cache synchronization feature repeatedly polling a cloud service
D.A misconfigured static route sending all web traffic to the wrong subnet
AnswerA

The long random-looking subdomains, repeated NXDOMAIN responses, and lack of normal web traffic are consistent with malicious DNS-based communication.

Why this answer

The exhibit shows a host with minimal internet-bound traffic but highly unusual DNS behavior, such as frequent queries to a single domain or large DNS query sizes. This pattern is characteristic of DNS tunneling, where data is encoded in DNS queries and responses to bypass network controls, often used for command-and-control (C2) communication or covert data exfiltration. The lack of other traffic indicates the host is not performing normal web browsing or data transfers, making DNS tunneling the most likely explanation.

Exam trap

The trap here is that candidates may overlook the significance of 'unusual DNS behavior' and minimal internet traffic, instead focusing on common attacks like ARP poisoning or benign browser features, which would produce different traffic patterns (e.g., high traffic or periodic HTTP requests).

How to eliminate wrong answers

Option B is wrong because ARP poisoning would cause the host to redirect traffic to a rogue gateway, resulting in a large amount of internet-bound traffic as the host communicates through the attacker's system, not minimal traffic with unusual DNS behavior. Option C is wrong because a browser cache synchronization feature repeatedly polling a cloud service would generate consistent, periodic HTTP/HTTPS traffic to a known cloud provider, not the highly unusual DNS queries (e.g., high query rates, large TXT records) seen in the exhibit, and would not explain the lack of other internet-bound traffic.

1041
MCQeasy

A department wants to keep using a cloud printing service even though the vendor has not yet completed the company's security questionnaire. The business owner agrees to add extra log monitoring until the review is finished. What is the best term for the added monitoring?

A.A compensating control, because it reduces risk while the normal control is unavailable.
B.Residual risk, because all risk is eliminated once monitoring is added.
C.Risk acceptance, because the business owner has approved continued use of the service.
D.Due diligence, because the company is actively reviewing the vendor.
AnswerA

A compensating control is an alternative safeguard used when the preferred control is missing, delayed, or not fully effective. Extra log monitoring helps reduce exposure while the vendor review is still in progress. It does not eliminate the underlying vendor risk, but it is a reasonable temporary measure to reduce likelihood of missing suspicious activity.

Why this answer

The added log monitoring is a compensating control because it provides an alternative security measure to mitigate risk while the primary control (the vendor's completed security questionnaire) is not yet in place. Compensating controls are temporary or alternative safeguards that reduce risk exposure when the preferred control cannot be implemented immediately. In this scenario, the monitoring does not eliminate the need for the questionnaire but reduces the risk of undetected malicious activity until the vendor's security posture is formally assessed.

Exam trap

The trap here is that candidates confuse risk acceptance (which involves no new controls) with risk mitigation (which involves implementing a compensating control), leading them to pick Option C despite the clear action of adding monitoring.

How to eliminate wrong answers

Option B is wrong because residual risk is the risk that remains after controls are applied, not the control itself; adding monitoring reduces but does not eliminate all risk, so the statement 'all risk is eliminated' is incorrect. Option C is wrong because risk acceptance is a management decision to acknowledge and tolerate a risk without implementing additional controls, but here the business owner is actively adding extra log monitoring, which is a risk mitigation action, not pure acceptance. Option D is wrong because due diligence refers to the ongoing investigation and review process (like completing the security questionnaire), not the specific technical control (log monitoring) implemented to reduce risk during that review.

1042
MCQeasy

A development team wants to skip testing and deploy a major application change directly to production to meet a release date. What should the security team require?

A.Disable logging temporarily so the release is less likely to fail.
B.Require change approval and testing in a nonproduction environment first.
C.Deploy only to one server and monitor from there before deciding.
D.Let developers decide without review because they understand the code best.
AnswerB

Change approval and testing in a separate environment are basic controls that reduce the chance of introducing defects or security issues into production. This approach supports safe deployment while still allowing the project to move forward in a controlled way.

Why this answer

Option B is correct because security policy requires that all changes to production systems undergo formal change management, including approval and testing in a nonproduction environment first. Skipping testing violates the principle of change control and could introduce vulnerabilities or misconfigurations that compromise confidentiality, integrity, or availability. The security team must enforce this process to ensure the change is reviewed for security impact and validated before deployment.

Exam trap

The trap here is that candidates may think a phased rollout (Option C) is an acceptable compromise, but the SY0-701 exam emphasizes that change approval and testing in a nonproduction environment are mandatory before any production deployment, regardless of scale.

How to eliminate wrong answers

Option A is wrong because disabling logging would remove the audit trail needed to detect and investigate security incidents, violating compliance requirements and best practices. Option C is wrong because deploying to a single server without prior testing still bypasses the required change approval and nonproduction validation, and monitoring alone cannot catch all security flaws or configuration errors. Option D is wrong because developers may not have full visibility into security implications, and bypassing review undermines segregation of duties and the change management process.

1043
Multi-Selectmedium

An external auditor asks for proof that emergency firewall changes were reviewed and approved before implementation last quarter. Which two artifacts are the best evidence? Select two.

Select 2 answers
A.An approved change ticket that shows the reviewer, approver, and timestamps.
B.A screenshot of the firewall's current rule base after the change.
C.CAB or workflow approval records documenting the decision.
D.A technician's memory of getting permission over the phone.
E.The organization's general information security policy.
AnswersA, C

A change ticket with approval details is strong evidence because it shows the request was reviewed before implementation and by whom. It also creates an auditable record that can be tied to the actual change event.

Why this answer

An approved change ticket with reviewer, approver, and timestamps directly documents the required pre-approval workflow for emergency firewall changes. This artifact provides an auditable trail showing that the change was reviewed and approved before implementation, which is the exact evidence the auditor is requesting.

Exam trap

The trap here is confusing evidence of the change's outcome (screenshot of the rule base) with evidence of the change's approval process, or mistaking a high-level policy document for a specific, auditable record of a particular change event.

1044
Drag & Dropmedium

Drag and drop the steps to implement a new firewall rule in an iptables-based Linux firewall into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

After adding a rule, it's important to verify it appears in the list, then save permanently, and test to ensure functionality.

1045
Multi-Selecteasy

A security team wants to verify that a server has not drifted from its approved hardened configuration after several months of changes. Which two actions help most? Select two.

Select 2 answers
A.Compare the current configuration against the approved baseline.
B.Run a configuration compliance or hardening scan.
C.Restart the server and wait for users to report problems.
D.Increase the storage capacity on the server.
E.Change the desktop wallpaper to remind users of the policy.
AnswersA, B

A baseline comparison directly shows whether the server still matches the secure standard that was originally approved. It is one of the clearest ways to identify configuration drift.

Why this answer

Comparing the current configuration against the approved baseline (Option A) is a direct method to identify any deviations from the hardened state. This process, often performed manually or with scripts, checks each setting against the known-good values defined in the baseline document, such as those from CIS Benchmarks or DISA STIGs. It is the most straightforward way to detect drift after months of changes.

Exam trap

The trap here is that candidates may think restarting a server (Option C) is a valid troubleshooting or verification step, confusing operational recovery with security compliance validation, which requires direct comparison against a baseline.

1046
MCQmedium

A help desk lead notices that several support technicians have broad administrator access across every department's systems so they can resolve tickets faster. After a phishing incident, management wants to reduce the damage if one technician account is compromised. What is the best security principle to apply when redesigning access?

A.Defense in depth
B.Least privilege
C.Need-to-know
D.Zero trust
AnswerB

Least privilege means each user receives only the access required to perform assigned duties. Reducing broad administrative rights lowers the impact of credential theft, malware, or accidental misuse. It is especially effective for support staff because their daily tasks usually need access to a limited set of systems rather than full administrative control across the environment.

Why this answer

The principle of least privilege dictates that users should be granted only the minimum permissions necessary to perform their job functions. By applying least privilege, each technician would receive access only to the specific systems and resources required for their role, rather than broad administrator access across all departments. This containment directly limits the blast radius of a compromised account, preventing an attacker from moving laterally to other departmental systems.

Exam trap

CompTIA often tests the distinction between least privilege and need-to-know, where candidates mistakenly choose need-to-know because it sounds similar, but least privilege is the correct principle for limiting system-level access rights and permissions.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy that combines multiple controls (e.g., firewalls, antivirus, intrusion detection) to protect assets; it does not specifically address the reduction of individual user permissions. Option C is wrong because need-to-know is a principle for data classification and access based on the necessity of information for a specific task, but it is typically applied to information access rather than administrative system privileges; least privilege is the more precise principle for limiting system-level permissions.

1047
MCQeasy

A small internal reporting server has a low-severity vulnerability. Fixing it now would require several hours of downtime, while the business impact of exploitation is considered low. What is the BEST risk treatment for this situation?

A.Transfer the risk to a third party
B.Accept the risk after documenting the decision
C.Avoid the risk by shutting down the server permanently
D.Mitigate the risk by immediately replacing the server
AnswerB

When both likelihood and impact are low, and remediation would create more disruption than benefit, accepting the risk can be the most practical choice. The key is to document the rationale, obtain the appropriate approval, and revisit the decision later if the system or threat landscape changes.

Why this answer

The best risk treatment is to accept the risk because the vulnerability is low-severity, the business impact of exploitation is low, and the cost of remediation (several hours of downtime) exceeds the potential loss. Documenting the acceptance ensures auditability and informed management approval, which is a standard practice in risk management frameworks like NIST SP 800-37.

Exam trap

The trap here is that candidates may confuse 'accepting risk' with ignoring it, or they may overestimate the need to transfer or avoid risk, failing to recognize that documented acceptance is a valid and often optimal treatment for low-impact, high-remediation-cost scenarios.

How to eliminate wrong answers

Option A is wrong because transferring the risk to a third party (e.g., purchasing cyber insurance or outsourcing) is unnecessary and cost-ineffective for a low-severity, low-impact vulnerability; it would introduce additional expense and administrative overhead without proportional benefit. Option C is wrong because avoiding the risk by permanently shutting down the server is an extreme measure that would disrupt internal reporting functions entirely, causing greater business harm than the vulnerability itself, and is disproportionate to the low severity and low exploitation impact.

1048
Multi-Selecteasy

A manager needs to send a spreadsheet containing employee names, salaries, and performance notes to an external auditor. Which two actions best support proper data handling? Select two.

Select 2 answers
A.Apply the correct classification label before sending
B.Upload the file to a personal cloud account
C.Remove the salary columns and send the rest by email
D.Use the organization's approved encrypted sharing method
E.Print the file and leave it on a shared desk
AnswersA, D

Classification labels help users apply the right handling requirements and sharing restrictions.

Why this answer

Option A is correct because applying the correct classification label (e.g., 'Confidential' or 'Internal Use Only') ensures that the data is properly identified and handled according to the organization's data classification policy. This is a foundational step in data handling, as it triggers appropriate security controls such as encryption, access restrictions, and handling procedures. Without a classification label, the sensitivity of the data may be overlooked, leading to potential mishandling.

Exam trap

CompTIA often tests the misconception that partial redaction (e.g., removing salary columns) is sufficient to protect sensitive data, when in fact any remaining PII or performance data still requires proper classification and secure transmission.

1049
MCQmedium

A security analyst is reviewing logs after a successful phishing attack. The attacker used a fake login page that mimicked the company's single sign-on portal to harvest usernames and passwords. The attacker then used the stolen credentials to access the corporate email system. Which type of attack best describes the initial compromise?

A.On-path attack
B.Credential harvesting via phishing
C.Brute-force attack
D.Password spraying
AnswerB

Correct. The attacker used a deceptive email or website to trick users into voluntarily entering their credentials. This is the defining characteristic of phishing-based credential harvesting. The stolen credentials were then reused to access the corporate email system.

Why this answer

The initial compromise was achieved by luring the victim to a fake login page that mimicked the company's single sign-on portal, which is a classic phishing technique. The attacker harvested the credentials directly from the user's submission, making this a credential harvesting attack via phishing. This aligns with the definition of phishing as a social engineering attack that uses deception to obtain sensitive information, distinct from brute-force or password spraying which rely on guessing or trying multiple passwords.

Exam trap

The trap here is that candidates may confuse credential harvesting via phishing with an on-path attack, because both involve intercepting credentials, but phishing relies on user deception to voluntarily submit credentials, whereas an on-path attack captures them transparently during an existing session.

How to eliminate wrong answers

Option A is wrong because an on-path attack (formerly man-in-the-middle) intercepts and potentially modifies communications between two parties in real time, whereas here the attacker used a fake page to collect credentials directly from the user, not by intercepting an existing session. Option C is wrong because a brute-force attack systematically tries all possible password combinations against a known username, which is not what occurred; the attacker harvested valid credentials from the user, not guessed them. Option D is wrong because password spraying attempts a few common passwords against many usernames to avoid lockouts, but in this scenario the attacker obtained the exact credentials from the victim via a deceptive login page, not by guessing passwords across accounts.

1050
MCQhard

Administrators must manage network switches from home. Requirements: encrypted management traffic, MFA for users, no management ports exposed to the Internet, and centralized logging of admin sessions. Which solution best meets the requirements?

A.Open SSH directly on each switch and allow access from the entire Internet.
B.Use a VPN with MFA that terminates on a hardened jump host, then reach switches over SSH or HTTPS.
C.Use port forwarding through the firewall to RDP on each switch.
D.Build an IPSec tunnel only between office routers and share a common admin password on the switches.
AnswerB

The VPN protects remote access, MFA strengthens authentication, and the jump host centralizes logging and control of management sessions.

Why this answer

Option B is correct because it satisfies all requirements: a VPN with MFA encrypts management traffic, the hardened jump host provides a secure intermediary that keeps switch management ports off the Internet, and centralized logging can be implemented on the jump host to record all admin sessions. This architecture aligns with the principle of defense-in-depth by combining encrypted tunnels, strong authentication, and network segmentation.

Exam trap

The trap here is that candidates may think a VPN alone is sufficient, forgetting that the jump host is necessary to avoid exposing switch management ports and to enable centralized logging and MFA enforcement.

How to eliminate wrong answers

Option A is wrong because opening SSH directly on each switch from the entire Internet exposes management ports to the public, violating the requirement that no management ports be exposed to the Internet, and it lacks MFA. Option C is wrong because port forwarding RDP to each switch exposes management ports (RDP uses port 3389) to the Internet, and RDP is not the native management protocol for network switches (switches typically use SSH or HTTPS), nor does it inherently provide MFA or centralized logging. Option D is wrong because an IPSec tunnel between office routers does not address MFA (it uses a shared common password, which is weak), and it does not provide centralized logging of admin sessions.

Page 13

Page 14 of 16

Page 15