Security+ SY0-701 (SY0-701) — Questions 10511125

1152 questions total · 16pages · All types, answers revealed

Page 14

Page 15 of 16

Page 16
1051
Multi-Selecthard

A contractor signs in to a project portal that integrates several SaaS apps. Access should be granted only while the user is on a managed device, assigned to the project, and using a fresh second factor. The business also wants the contractor to avoid separate logins to each app. Which three controls best fit this design? Select three.

Select 3 answers
A.Use federation or SSO so the identity provider issues the session for all approved apps.
B.Use ABAC or conditional access rules that check project assignment and device compliance.
C.Require MFA and step-up authentication before the contractor reaches sensitive functions.
D.Create a shared project account so access can be revoked by changing one password.
E.Issue long-lived refresh tokens that never expire unless the user reports a problem.
AnswersA, B, C

Federation and SSO allow one trusted identity provider to authenticate the user once and then pass that identity to approved applications. That matches the business requirement to avoid separate logins to each SaaS app. It also centralizes authentication control so access can be revoked or adjusted from one place.

Why this answer

Option A is correct because federation or SSO allows the identity provider to issue a single session token (e.g., SAML assertion or OIDC ID token) that is accepted by all integrated SaaS apps. This eliminates the need for separate logins, directly meeting the requirement to avoid multiple authentication prompts while maintaining centralized session control.

Exam trap

The trap here is that candidates may think a shared account (Option D) simplifies revocation, but it actually destroys audit trails and fails to meet the requirements for per-user MFA and device compliance, which are essential for the described zero-trust architecture.

1052
MCQmedium

A scan finds two issues: a critical flaw on a lab server reachable only through VPN, and a high-severity flaw on an internet-facing file transfer appliance with active exploitation in the wild. Which should be remediated first?

A.The lab server, because critical severity is always higher than high severity.
B.The internet-facing file transfer appliance, because exploitability and exposure increase risk.
C.Both issues at the same time, because prioritization is unnecessary when two findings are present.
D.The lab server, because systems behind VPN are always more trusted than public systems.
AnswerB

The internet-facing appliance should be fixed first because it is exposed to untrusted users and already being exploited in the wild. Risk-based prioritization considers not only severity but also exposure, exploit availability, and business impact. A high-severity flaw with active exploitation on a public-facing system is usually more urgent than a critical flaw on a restricted lab server.

Why this answer

The internet-facing file transfer appliance with active exploitation in the wild presents a higher risk because it is directly exposed to untrusted networks and has a known exploit that attackers are actively using. Even though the lab server has a critical severity rating, its reachability only through VPN significantly reduces its attack surface and likelihood of exploitation. Risk is a function of both severity and exploitability/exposure, so the actively exploited, internet-facing asset should be remediated first.

Exam trap

The trap here is that candidates assume CVSS severity alone dictates remediation order, ignoring that exploitability and exposure (e.g., internet-facing vs. VPN-restricted) are critical factors in risk-based prioritization.

How to eliminate wrong answers

Option A is wrong because severity alone does not determine remediation priority; a critical flaw on a VPN-restricted lab server is less exploitable than a high-severity flaw on an internet-facing system with active exploitation. Option C is wrong because prioritization is essential when resources are limited; remediating both simultaneously is often impractical and ignores the higher immediate risk posed by the actively exploited internet-facing appliance.

1053
Multi-Selectmedium

Which four of the following are key components of a successful security awareness and training program within an organization? (Choose four.)

Select 4 answers
.Role-based training tailored to specific job functions
.Phishing simulations to reinforce practical skills
.Annual one-time training with no follow-up assessments
.Metrics to measure effectiveness, such as click rates on simulated phishing emails
.Executive-level sponsorship and support for the program
.Outsourcing all training content development to a single vendor without internal review

Why this answer

Role-based training is correct because it ensures that employees receive security education relevant to their specific job functions, such as data handling for finance or system access for IT, which increases the practical applicability and retention of security principles. Phishing simulations are correct as they provide hands-on reinforcement of skills, allowing employees to practice identifying and reporting malicious emails in a controlled environment, which directly reduces real-world risk. Metrics like click rates on simulated phishing emails are correct because they provide quantifiable data to measure program effectiveness, identify high-risk groups, and guide continuous improvement.

Executive-level sponsorship is correct because it provides the necessary authority, resources, and organizational commitment to prioritize security awareness, ensuring the program is taken seriously across all departments.

Exam trap

Cisco often tests the misconception that a one-time annual training is sufficient for compliance, but the SY0-701 exam emphasizes that effective security awareness requires continuous, role-specific training with measurable outcomes and leadership support.

1054
MCQmedium

A security analyst is reviewing web server logs from an e-commerce application. The logs show repeated requests containing URLs with appended strings such as: `' OR '1'='1' --` and `'; DROP TABLE Users; --`. The application returned HTTP 200 responses with unexpected data in several instances. Which type of attack is most likely being attempted?

A.SQL injection
B.LDAP injection
C.Command injection
D.Cross-site scripting (XSS)
AnswerA

Correct. The log entries show SQL syntax such as `OR '1'='1'` and `DROP TABLE`, which are classic indicators of SQL injection attempts. This attack exploits improper input sanitization to manipulate database queries.

Why this answer

The repeated requests contain classic SQL injection payloads, such as `' OR '1'='1' --` (used to bypass authentication or extract data) and `'; DROP TABLE Users; --` (used to delete database tables). The HTTP 200 responses with unexpected data confirm that the application is vulnerable to SQL injection, as the injected SQL code is being executed against the backend database. This attack targets the SQL database layer, not LDAP directories or operating system commands.

Exam trap

The trap here is that candidates may confuse SQL injection with command injection because both use special characters like `'` and `;`, but command injection requires OS command separators and system commands, whereas SQL injection uses database-specific syntax and keywords.

How to eliminate wrong answers

Option B (LDAP injection) is wrong because the payloads contain SQL syntax (e.g., `OR '1'='1'`, `DROP TABLE`) and are appended to URLs, which is characteristic of SQL injection, not LDAP injection which uses LDAP query syntax like `(&(uid=*)(userPassword=*))`. Option C (Command injection) is wrong because the payloads do not include operating system command separators (e.g., `;`, `&&`, `|`) or system commands (e.g., `ls`, `whoami`); instead, they use SQL-specific keywords like `DROP TABLE` and `--` for comment injection.

1055
MCQmedium

A web team is moving a customer portal behind a new inspection device. They need something that can examine HTTP requests, block malicious patterns like injection attempts, and still allow normal browsing. Which control is most appropriate?

A.IDS, because it alerts on suspicious traffic without affecting application delivery.
B.WAF, because it understands web requests and can block malicious application-layer traffic.
C.DLP, because it can stop sensitive data from being posted to the portal.
D.NAC, because it verifies whether devices are allowed onto the network.
AnswerB

A web application firewall is designed to inspect HTTP and HTTPS traffic and stop common web attacks before they reach the app.

Why this answer

A WAF (Web Application Firewall) is the correct choice because it operates at Layer 7 (application layer) and is specifically designed to inspect HTTP/HTTPS traffic. It can parse web requests, identify malicious patterns such as SQL injection or XSS payloads, and block them while allowing legitimate traffic to pass through to the customer portal.

Exam trap

The trap here is that candidates often confuse an IDS with an IPS (Intrusion Prevention System) and assume an IDS can block traffic, but an IDS is passive and only generates alerts, whereas a WAF is an active, inline control that can both detect and block application-layer attacks.

How to eliminate wrong answers

Option A is wrong because an IDS (Intrusion Detection System) is a passive device that only alerts on suspicious traffic; it cannot block malicious requests inline, so it would not prevent injection attempts from reaching the portal. Option C is wrong because DLP (Data Loss Prevention) focuses on detecting and preventing unauthorized transmission of sensitive data, not on blocking web application attacks like injection attempts. Option D is wrong because NAC (Network Access Control) verifies device compliance and access rights at the network layer, but it does not inspect application-layer HTTP requests or block injection patterns.

1056
MCQmedium

A DevOps team builds container images in a CI/CD pipeline. Security wants to reduce the chance of deploying vulnerable libraries and also wants the cluster to reject images that have not been approved. Which approach best meets both requirements?

A.Increase CPU and memory limits for the containers so they run more safely.
B.Allow developers to pull images from any registry as long as the tags look familiar.
C.Disable pipeline scanning to speed releases and rely on runtime monitoring after deployment.
D.Scan images in the pipeline and enforce signature verification or admission control before deployment.
AnswerD

Build-time scanning helps identify vulnerable packages before release, while signature verification or admission control ensures only approved images can run in the cluster. Together, these controls reduce both content risk and deployment risk. This is the strongest combined answer because it addresses prevention and policy enforcement.

Why this answer

Option D is correct because it combines two essential security controls: scanning container images for known vulnerabilities (e.g., using Trivy or Clair) during the CI/CD pipeline, and enforcing signature verification (e.g., using Notary or Cosign) or admission control (e.g., using OPA/Gatekeeper or Kyverno) to ensure only signed or approved images are deployed. This directly reduces the risk of deploying vulnerable libraries and prevents unapproved images from running in the cluster.

Exam trap

The trap here is that candidates may think runtime monitoring (Option C) is sufficient, but it fails to prevent the initial deployment of vulnerable or unapproved images, which is the core requirement of the question.

How to eliminate wrong answers

Option A is wrong because increasing CPU and memory limits does not address vulnerability scanning or image approval; it only affects runtime resource allocation, not security posture. Option B is wrong because allowing images from any registry based on tag familiarity is insecure—tags can be easily spoofed or overwritten, and this bypasses any approval or integrity verification. Option C is wrong because disabling pipeline scanning removes the vulnerability detection step entirely, and relying solely on runtime monitoring cannot prevent the initial deployment of vulnerable or unapproved images.

1057
MCQhard

A help desk technician receives a call from someone claiming to be a new contractor whose MFA app failed during travel. The caller knows the company org chart, names the technician's supervisor, and says the technician should use a callback number included in a text message they just sent. What is the safest first action?

A.Reset MFA immediately, since the caller has provided enough internal details to seem credible.
B.Ask the caller to read a one-time code aloud so the technician can confirm their identity.
C.End the call and verify the request through a published help desk number or ticketing system.
D.Approve the request if the caller can name the supervisor and the contractor's project team.
AnswerC

The safest first action is to stop using information supplied by the caller and verify through a trusted, independently obtained contact path. Because the attacker already knows internal details and provided a callback number in a text, those channels cannot be trusted. Using a published help desk number or the official ticketing system preserves least risk and prevents social engineering from extending into account reset abuse.

Why this answer

Option C is correct because the safest first action when receiving an unsolicited call requesting privileged actions (like MFA reset) is to independently verify the request through official channels. The caller's knowledge of internal details (org chart, supervisor name) and the request to use a callback number from a text message are classic social engineering red flags, as the callback number could be attacker-controlled. Hanging up and calling back via a published help desk number ensures the request is legitimate and prevents MFA bypass or account takeover.

Exam trap

The trap here is that candidates may assume the caller's knowledge of internal details (supervisor name, org chart) is sufficient proof of identity, but CompTIA tests the principle that any unsolicited request for privileged actions must be independently verified through a trusted channel, not through information the caller provides.

How to eliminate wrong answers

Option A is wrong because resetting MFA immediately based on internal details alone is dangerous; attackers can gather org chart and supervisor names via OSINT or previous breaches, and MFA reset is a high-risk action that should require verified identity. Option B is wrong because asking the caller to read a one-time code aloud is insecure; a one-time code sent to the caller's device could be intercepted or the caller could be the attacker who generated the code themselves, and this method does not verify the caller's identity against a trusted source. Option D is wrong because naming a supervisor and project team is not sufficient authentication; these details are often publicly available or easily guessed, and approving the request without independent verification violates the principle of least privilege and allows unauthorized access.

1058
MCQhard

A team stores sensitive archives on cloud block storage. The provider already encrypts disks at rest, but the company wants copies of the disks to remain unreadable even if a cloud administrator can snapshot and mount the volume. Which control is best?

A.Enable provider-managed encryption at rest only and rotate the storage passwords monthly.
B.Use client-side encryption before upload and keep the keys in an external HSM or key service.
C.Place the storage account in a private subnet and block all Internet access.
D.Rely on immutable snapshots and versioning to prevent unauthorized access.
AnswerB

Client-side encryption protects the data before it reaches the provider, so copied storage remains ciphertext without the key.

Why this answer

Client-side encryption ensures data is encrypted before it ever reaches the cloud provider's storage. By keeping the encryption keys in an external HSM or key service, the cloud provider (including its administrators) never has access to the plaintext keys, so even if they snapshot and mount the volume, the data remains unreadable. This addresses the threat model where the provider's own administrators could otherwise access the data at rest.

Exam trap

The trap here is that candidates assume provider-managed encryption at rest is sufficient against insider threats, but it does not protect against a cloud administrator who has access to the underlying infrastructure and can use snapshot/mount operations to bypass the encryption layer.

How to eliminate wrong answers

Option A is wrong because provider-managed encryption at rest still gives the cloud provider access to the encryption keys (or the means to decrypt), so a cloud administrator with snapshot and mount privileges could read the data. Rotating storage passwords does not change this fundamental access issue. Option C is wrong because placing the storage account in a private subnet and blocking Internet access only restricts network-level access; it does not prevent a cloud administrator from taking a snapshot and mounting it internally, nor does it encrypt the data to protect against that insider threat.

1059
Multi-Selecteasy

Which two uses are appropriate for encryption in transit? Select two.

Select 2 answers
A.Protecting web login traffic with TLS
B.Secure remote administration with SSH
C.Storing a password as a hash
D.Comparing file integrity with a checksum
E.Sharing a symmetric key by email
AnswersA, B

TLS encrypts data while it travels between the browser and the server.

Why this answer

TLS (Transport Layer Security) encrypts web login traffic between a client and server, protecting credentials and session data from eavesdropping or tampering during transmission. This is a classic use of encryption in transit, as TLS operates at the transport layer to secure data moving across a network.

Exam trap

The trap here is that candidates confuse encryption in transit with data protection techniques used at rest (like hashing or checksums) or with key management practices, rather than focusing on protocols that actively encrypt data while it moves across a network.

1060
MCQmedium

Users on a wired subnet report intermittent outages when reaching an internal application. A packet capture shows the default gateway IP address repeatedly mapped to a different workstation MAC address, and traffic is being forwarded through that workstation. What attack is most likely occurring?

A.DNS poisoning, because the hostname is resolving to the wrong server.
B.ARP spoofing, because false Layer 2 address mappings are redirecting traffic.
C.Replay attack, because packets are being resent to the gateway.
D.Rogue DHCP service, because clients are losing access to the default gateway.
AnswerB

ARP spoofing, also called ARP poisoning, happens when a host sends forged ARP messages that associate a target IP address with the attacker’s MAC address. In this case, the gateway IP is repeatedly being mapped to a workstation MAC, and traffic is being relayed through that workstation. That is a classic man-in-the-middle setup on a local network segment.

Why this answer

B is correct because ARP spoofing (also known as ARP poisoning) involves an attacker sending forged ARP messages over a local area network. This results in the attacker's MAC address being associated with the IP address of the default gateway, causing traffic destined for the gateway to be forwarded to the attacker's workstation instead. The packet capture evidence of the default gateway IP repeatedly mapped to a different workstation MAC address is the classic signature of this attack.

Exam trap

The trap here is that candidates often confuse ARP spoofing with DNS poisoning because both involve redirecting traffic, but ARP spoofing operates at Layer 2 (MAC address manipulation) while DNS poisoning operates at Layer 7 (hostname resolution).

How to eliminate wrong answers

Option A is wrong because DNS poisoning involves corrupting the DNS resolver cache or DNS server records to map a domain name to an incorrect IP address, not manipulating Layer 2 MAC-to-IP mappings on a local subnet. Option C is wrong because a replay attack involves capturing and retransmitting valid data packets to trick the receiver, not altering ARP tables to redirect traffic through a rogue host. Option D is wrong because a rogue DHCP service would assign incorrect IP configuration (including a fake gateway IP) to clients, but the symptom described is a specific MAC-to-IP mapping conflict for the existing gateway, not a DHCP lease issue.

1061
MCQmedium

A security architect at a retail company is deploying a new e-commerce platform that processes credit card payments. The architect needs to minimize the scope of the PCI DSS assessment. The platform consists of a web server, an application server, and a database server. The cardholder data (credit card numbers) will be processed and stored only on the database server. Which of the following network architecture designs would best reduce the PCI DSS scope?

A.Place all servers in the same VLAN and apply a host-based firewall on the database server.
B.Place the database server in a separate, isolated network segment with a dedicated firewall that blocks all traffic except from the application server on the required port.
C.Encrypt all data in transit using TLS and at rest using AES-256.
D.Implement network intrusion detection systems on all network segments.
AnswerB

This design creates a clear cardholder data environment (CDE) boundary. The dedicated firewall restricts access so only the application server can communicate with the database server on a specific port. The web server and application server can be placed outside the CDE if they do not directly transmit or store cardholder data, thereby reducing the PCI DSS scope.

Why this answer

Option B is correct because isolating the database server in a separate network segment with a dedicated firewall that restricts traffic to only the application server on the required port creates a clear network segmentation boundary. This segmentation limits the cardholder data environment (CDE) to just the database server, thereby minimizing the scope of the PCI DSS assessment by excluding the web and application servers from the CDE.

Exam trap

The trap here is that candidates often confuse security controls (encryption, IDS) with architectural segmentation, mistakenly believing that encryption or monitoring alone can reduce PCI DSS scope, when only network isolation with a firewall boundary achieves that.

How to eliminate wrong answers

Option A is wrong because placing all servers in the same VLAN with only a host-based firewall on the database server does not create network segmentation; all servers remain in the same broadcast domain, which includes the web and application servers in the CDE, expanding the PCI DSS scope. Option C is wrong because encrypting data in transit with TLS and at rest with AES-256 is a security control, not a network architecture design; it does not reduce the scope of the PCI DSS assessment, as scope is determined by connectivity and access to cardholder data, not encryption alone. Option D is wrong because implementing network intrusion detection systems (NIDS) on all segments is a monitoring control that does not change the network architecture or isolate the database server; it does not reduce the CDE scope.

1062
MCQhard

A Linux server is missing expected security-agent processes, but users can still connect to the application. Local command output does not show a suspicious daemon that another monitoring tool says is listening on port 4444. A raw disk scan reveals a kernel module loaded at boot, and several files appear only when viewed outside the normal operating system tools. What malware type is most likely?

A.Trojan, because it could have introduced the suspicious service after the initial compromise.
B.Spyware, because it may collect data while leaving the application functional.
C.Rootkit, because kernel-level components are hiding processes and files from normal user-mode visibility.
D.Logic bomb, because the malware activates after startup and changes what administrators see.
AnswerC

A rootkit is the best answer because the evidence points to concealment at the operating system level. A kernel module loaded at boot, missing processes in standard listings, and files visible only through raw disk examination all indicate malicious hiding behavior. Rootkits are designed to obscure other malware or unauthorized access, making them especially dangerous and difficult to detect with normal administrative tools.

Why this answer

Option C is correct because the scenario describes a rootkit: a kernel-level rootkit can load a malicious kernel module at boot, intercept system calls (e.g., `open`, `readdir`, `netstat`), and hide processes, files, and network listeners from user-mode tools like `ps`, `ls`, or `netstat`. The raw disk scan reveals files invisible to normal OS tools, and the missing security-agent processes and hidden daemon on port 4444 are classic signs of kernel-mode hooking that bypasses standard visibility.

Exam trap

The trap here is that candidates may confuse a rootkit with a Trojan or spyware because all three can persist, but only a rootkit operates at kernel level to hide its artifacts from user-mode commands like `ps`, `ls`, and `netstat`.

How to eliminate wrong answers

Option A is wrong because a Trojan is a type of malware that disguises itself as legitimate software but does not inherently provide kernel-level hiding capabilities; the key evidence here is kernel module loading and file/process concealment, which is the hallmark of a rootkit, not a Trojan. Option B is wrong because spyware focuses on data collection and typically does not modify the kernel to hide its own processes or files; the described behavior of hiding a daemon and files from normal tools goes far beyond spyware's typical user-mode surveillance.

1063
Matchingeasy

Match each PKI term to what it does.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Issues and signs digital certificates.

Binds an identity to a public key.

Can be shared with others to encrypt data or verify signatures.

Must be kept secret and is used to decrypt or sign.

Removes trust from a certificate that should no longer be used.

Why these pairings

CA issues certificates, RA verifies identities, CRL lists revoked certificates, public key encrypts, private key decrypts, digital signature provides integrity and non-repudiation.

1064
Multi-Selecthard

A network team wants no single person to both approve and deploy a production firewall rule, and they also want the approval path to be defensible during an investigation. Which two control concepts best address the stated risk? Select two.

Select 2 answers
A.Separation of duties between the person requesting the change and the person implementing it.
B.Dual control requiring a second person to approve the rule.
C.Least privilege for the production change account.
D.Job rotation for every engineer each quarter.
E.Risk transference to the firewall vendor.
AnswersA, B

Separation of duties prevents one person from controlling every stage of a sensitive change. That reduces fraud risk and limits the chance that a single administrator can hide an unauthorized firewall rule.

Why this answer

Separation of duties ensures that no single person has the authority to both approve and deploy a production firewall rule, directly addressing the risk of unauthorized or fraudulent changes. By requiring different individuals for the request/approval and implementation steps, the organization creates a clear, auditable chain of accountability that can be defended during an investigation.

Exam trap

The trap here is that candidates often confuse dual control (Option B) with separation of duties, but dual control specifically requires two people to perform the same action (e.g., both enter a key), whereas separation of duties splits the approval and implementation into distinct steps, which is the more precise fit for the stated risk.

1065
MCQmedium

A security manager publishes a document that tells help desk staff exactly how to verify identity, reset an admin password, record the ticket number, and close out the request during a maintenance window. What type of governance artifact is this?

A.Policy
B.Standard
C.Procedure
D.Guideline
AnswerC

A procedure gives detailed instructions for performing a task consistently in the correct sequence.

Why this answer

Option C is correct because a procedure is a step-by-step, ordered list of tasks required to perform a specific operational activity. The document describes exactly how to verify identity, reset an admin password, record the ticket number, and close out the request, which matches the definition of a procedure in governance frameworks.

Exam trap

The trap here is confusing a procedure with a policy or standard, where candidates often pick 'policy' because they think any security document is a policy, but the detailed step-by-step nature uniquely identifies a procedure.

How to eliminate wrong answers

Option A is wrong because a policy is a high-level statement of management intent, not a detailed step-by-step instruction. Option B is wrong because a standard defines mandatory requirements or specifications (e.g., password complexity rules), not the exact sequence of actions. Option D is wrong because a guideline offers recommendations or best practices, not mandatory, prescriptive steps.

1066
Multi-Selecteasy

A user's workstation suddenly renames documents with a new extension, displays a ransom note, and blocks access to a shared drive. Which two indicators support ransomware? Select two.

Select 2 answers
A.Files are renamed or encrypted and no longer open normally
B.A ransom note demands payment for decryption or restoration
C.The mouse pointer moves slowly after long idle periods
D.The browser homepage changed after a software update
E.A new USB keyboard is detected by the operating system
AnswersA, B

Renamed or encrypted files are a strong sign of ransomware because the malware is preventing normal access to data.

Why this answer

Option A is correct because ransomware typically encrypts files and renames them with a new extension (e.g., .encrypted, .locked), making them unopenable without the decryption key. This behavior directly matches the scenario where documents are renamed and access is blocked, confirming file encryption as a core indicator of ransomware.

Exam trap

The trap here is that candidates may confuse general system performance issues (like a slow mouse) with ransomware indicators, but ransomware focuses on file encryption and ransom demands, not on input device behavior.

1067
Multi-Selectmedium

A help desk technician receives a call from someone claiming to be a contractor whose MFA device was lost during travel. The caller knows the company org chart and asks for a new device enrollment. Which three responses are appropriate? Select three.

Select 3 answers
A.Refuse to bypass identity verification requirements.
B.Use a known callback number or approved ticketing process to confirm identity.
C.Report the interaction to the security team if the call seems suspicious.
D.Read the current MFA reset code over the phone to speed up recovery.
E.Enroll the new device immediately because the caller knows company names and roles.
AnswersA, B, C

Knowing internal names is not enough; identity checks must still follow the approved process.

Why this answer

Option A is correct because bypassing identity verification for MFA device enrollment would undermine the security that MFA provides. The caller's knowledge of the org chart does not constitute proof of identity; social engineering attacks often leverage such information. Refusing to bypass verification ensures that only authorized users can enroll new MFA tokens, maintaining the integrity of the authentication process.

Exam trap

The trap here is that candidates may assume knowledge of internal details (like the org chart) is sufficient proof of identity, but social engineering attacks frequently exploit such information to bypass security controls.

1068
Multi-Selectmedium

A software supplier is adding a new subcontractor to process your company's customer data. The security team wants to understand the new exposure before allowing the change. Which three items should it request or review first? Select three.

Select 3 answers
A.A list of the subcontractor's locations and where the data will be processed.
B.The subcontractor's logo and marketing brochure.
C.A data-processing agreement that flows down security and notification obligations.
D.An independent security assessment, such as a SOC report or equivalent.
E.The supplier's quarterly sales forecast.
AnswersA, C, D

Knowing where data will be handled helps the organization evaluate jurisdictional, privacy, and regulatory implications. Location matters when customer data crosses borders or enters new legal environments.

Why this answer

Option A is correct because understanding where data will be processed and the subcontractor's physical locations is critical for assessing jurisdictional risks, data sovereignty requirements, and compliance with regulations like GDPR or CCPA. The security team needs this information to evaluate potential exposure to different legal frameworks and physical security controls before granting access to customer data.

Exam trap

The trap here is that candidates may mistakenly think marketing materials or logos are relevant for security assessments, when in fact only operational, legal, and technical documentation (like locations and DPAs) provide actionable risk information.

1069
MCQhard

Based on the exhibit, what is the BEST response by the employee? The message appears to come from a trusted internal support team, but the sender details and request do not align with normal procedures.

A.Verify the request using a known internal help desk number or portal before taking any action.
B.Reply with the six-digit code so the help desk can complete the repair quickly.
C.Open the linked repair page from the email and sign in immediately to avoid suspension.
D.Forward the message to the manager and continue using the account until the suspension occurs.
AnswerA

This message combines urgency, a mismatched reply-to address, and a request for an MFA code. Independent verification is the safest response.

Why this answer

Option A is correct because verifying the request through a known internal help desk number or portal is the standard security practice to confirm the legitimacy of any unexpected communication, especially when sender details and procedures do not align. This approach mitigates the risk of social engineering attacks, such as phishing or business email compromise (BEC), where attackers impersonate trusted entities to trick employees into revealing sensitive information or performing unauthorized actions. By using an independently verified contact method, the employee ensures they are not falling victim to a fraudulent request that could lead to account compromise or data breach.

Exam trap

The trap here is that candidates may assume the email is legitimate because it appears to come from a trusted internal source, leading them to choose an action that involves direct interaction with the email (like replying or clicking a link) rather than verifying through an independent channel, which is the core principle of social engineering defense.

How to eliminate wrong answers

Option B is wrong because replying with a six-digit code directly to the email sender could provide an attacker with a one-time passcode (OTP) or verification code, enabling them to bypass multi-factor authentication (MFA) or gain unauthorized access to the employee's account. Option C is wrong because opening a linked repair page from the email and signing in immediately could lead to a credential harvesting site that captures the employee's username and password, compromising their account. Option D is wrong because forwarding the message to the manager and continuing to use the account until suspension occurs does not prevent potential compromise; the employee remains vulnerable to further exploitation while the manager investigates, and the account could be used maliciously in the interim.

1070
Multi-Selecteasy

A security team wants to reduce the chance that employees boot unmanaged tools from removable media and wants only approved software to run on laptops. Which two controls should they use? Select two.

Select 2 answers
A.Secure Boot
B.Application control or allowlisting
C.DNS forwarding
D.Longer screen-lock timeout
E.Public DNS resolvers
AnswersA, B

Secure Boot helps ensure the device starts using trusted boot components instead of unapproved pre-boot code. That reduces the risk of tampered boot media or rogue recovery tools.

Why this answer

Secure Boot is correct because it ensures that only signed, trusted firmware and bootloaders execute during system startup, preventing unauthorized bootable media (e.g., USB drives with unmanaged OS images) from loading. This directly reduces the chance that employees can boot unmanaged tools from removable media by enforcing a chain of trust from UEFI firmware to the operating system kernel.

Exam trap

The trap here is that candidates may confuse DNS forwarding (a network service) with DNS filtering or security controls, or think that a longer screen-lock timeout improves security, when in fact it weakens physical security by extending the window of opportunity for unauthorized access.

1071
MCQmedium

A branch office has users, finance workstations, printers, and IP phones on one flat LAN. After a malware outbreak on a user PC, management wants to limit lateral movement without blocking printing or voice traffic. What should the network team implement?

A.Move all devices into one larger subnet and rely on endpoint antivirus for separation.
B.Create separate VLANs for device groups and apply inter-VLAN ACLs that permit only required traffic.
C.Place all devices behind a single proxy server and block all internal east-west traffic.
D.Enable port security on the switch and disable all VLAN tagging to reduce complexity.
AnswerB

This limits reachability between device classes while still allowing necessary business traffic such as printing and VoIP signaling.

Why this answer

Option B is correct because segmenting devices into separate VLANs (e.g., users, finance, printers, IP phones) and applying inter-VLAN ACLs restricts lateral movement by default while permitting only necessary traffic like printing (TCP 9100) and voice (RTP/UDP 16384-32767). This aligns with the principle of least privilege and zero trust segmentation, preventing malware from spreading across the flat LAN without disrupting critical services.

Exam trap

The trap here is that candidates often confuse 'limiting lateral movement' with 'blocking all east-west traffic,' forgetting that printing and voice require specific peer-to-peer flows that a proxy or full-block would break.

How to eliminate wrong answers

Option A is wrong because moving all devices into one larger subnet increases the attack surface and does nothing to limit lateral movement; endpoint antivirus alone cannot prevent east-west propagation. Option C is wrong because placing all devices behind a single proxy server blocks east-west traffic entirely, which would break local printing (direct IPP/SMB) and voice (RTP) traffic that requires direct peer-to-peer communication. Option D is wrong because enabling port security only controls MAC address flooding and disabling VLAN tagging would collapse all traffic into a single broadcast domain, eliminating segmentation and increasing lateral movement risk.

1072
MCQeasy

Several users on the same subnet report that their traffic to the default gateway is intermittently slow and sometimes reaches the wrong device. A packet capture shows ARP replies that map the gateway IP to a different MAC address. What attack is most likely occurring?

A.ARP spoofing, which poisons address resolution on the local network
B.DNS amplification, which overwhelms the target with reflected DNS traffic
C.Replay attack, which resends captured authentication data
D.Port scanning, which probes hosts for open services and ports
AnswerA

ARP spoofing sends false ARP information so hosts associate the gateway IP with the attacker's MAC address.

Why this answer

ARP spoofing (also known as ARP poisoning) is the correct answer because the attacker sends forged ARP replies that associate the default gateway's IP address with the attacker's MAC address. This causes the victims' switches to update their ARP caches with the false mapping, so traffic destined for the gateway is instead sent to the attacker, leading to intermittent connectivity and misrouted packets. The symptoms—slow traffic and reaching the wrong device—are classic indicators of a man-in-the-middle (MITM) attack via ARP cache poisoning.

Exam trap

The trap here is that candidates confuse ARP spoofing with DNS-based attacks (like DNS amplification) because both involve 'redirecting' traffic, but ARP spoofing operates at Layer 2 (MAC address manipulation) on the local subnet, while DNS amplification is a Layer 3/4 volumetric attack targeting external resolvers.

How to eliminate wrong answers

Option B is wrong because DNS amplification is a volumetric DDoS attack that exploits open DNS resolvers to flood a target with large responses, not a local network attack that causes traffic to reach the wrong device on the same subnet. Option C is wrong because a replay attack involves capturing and retransmitting valid authentication data (e.g., Kerberos tickets or NTLM hashes) to gain unauthorized access, not manipulating ARP tables to redirect traffic. Option D is wrong because port scanning is a reconnaissance technique used to discover open ports and services on a host, not an attack that alters the flow of traffic or causes packets to reach the wrong MAC address.

1073
MCQmedium

After containment and eradication of malware on several laptops, the team restores the devices from known-good images and verifies that users can authenticate and access email. Which action should occur NEXT to complete the incident response lifecycle and reduce future impact?

A.Close the ticket immediately because the systems are working again
B.Perform a lessons-learned review and update playbooks, controls, or detections based on the incident
C.Reimage the laptops again even though they were already restored and tested
D.Disable all email access for the organization until the next quarterly meeting
AnswerB

A post-incident review captures what worked, what failed, and what should change so the same problem is less likely to recur.

Why this answer

Option B is correct because the incident response lifecycle includes a post-incident activity phase where the team conducts a lessons-learned review to identify gaps in security controls, update playbooks, and improve detection signatures. This step ensures that the organization reduces the likelihood and impact of similar incidents in the future, completing the lifecycle beyond just restoring operations.

Exam trap

The trap here is that candidates assume the incident response lifecycle ends once systems are restored and operational, overlooking the mandatory post-incident activity phase that ensures continuous improvement and prevents recurrence.

How to eliminate wrong answers

Option A is wrong because closing the ticket immediately after restoration skips the critical post-incident review phase, leaving vulnerabilities unaddressed and missing opportunities to improve defenses. Option C is wrong because reimaging the laptops again is redundant and wastes resources; the devices have already been restored from known-good images and verified for functionality. Option D is wrong because disabling all email access until a quarterly meeting is an extreme, unnecessary measure that disrupts business operations and does not address the root cause or improve security posture.

1074
MCQmedium

A security analyst receives an alert from the intrusion detection system indicating that a workstation in the finance department has established an outbound connection to a known malicious IP address using an encrypted protocol. The analyst verifies the alert and checks the user's activity logs, which show no legitimate business reason for the connection. According to the incident response process, what should the analyst do NEXT?

A.Begin the eradication phase by immediately reimaging the workstation.
B.Isolate the workstation from the network to contain the threat.
C.Conduct a full forensic analysis of the workstation's hard drive.
D.Update the firewall rule to block all outbound traffic to the malicious IP.
AnswerB

Isolation is a key containment step. It stops the compromised workstation from communicating with the malicious IP and prevents lateral movement within the network, limiting potential damage.

Why this answer

According to the NIST SP 800-61 incident response process, containment is the immediate priority after verification to prevent further damage or data exfiltration. Since the workstation has an active encrypted outbound connection to a known malicious IP with no legitimate business reason, isolating the network interface (e.g., disabling the port, blocking the MAC address, or unplugging the cable) stops the threat from communicating while preserving the system state for later analysis. This aligns with the containment phase, which must precede eradication or full forensic analysis.

Exam trap

Cisco often tests the order of the incident response phases (Preparation, Detection & Analysis, Containment, Eradication, Recovery, Post-Incident) and the trap here is that candidates jump to eradication or forensic analysis without first containing the active threat, which violates the fundamental priority of stopping the bleeding before cleaning up.

How to eliminate wrong answers

Option A is wrong because eradication (e.g., reimaging) should only occur after containment and a proper forensic acquisition; skipping containment risks losing volatile evidence and allows the attacker to continue lateral movement or data exfiltration. Option C is wrong because conducting a full forensic analysis before containment is premature and dangerous—the active encrypted connection could still be exfiltrating data, and the analyst must first isolate the host to stop the attack and preserve the system state for later analysis.

1075
Multi-Selecthard

A manufacturing floor uses barcode scanners and a kiosk terminal that cannot support full endpoint agents or frequent manual patching. USB storage has previously introduced malware, and the devices only need to run one approved application and reach a backend system. Which two controls best reduce risk while preserving function? Select two.

Select 2 answers
A.Isolate the scanners and kiosk terminal on a dedicated VLAN that allows only the required backend ports.
B.Place the devices on the user VLAN so patching and support tools can reach them easily.
C.Enforce kiosk mode or application allowlisting so only the approved application can run.
D.Allow USB storage so updates can be installed manually whenever needed.
E.Use local administrator accounts with shared passwords to reduce support calls.
AnswersA, C

A dedicated VLAN reduces exposure to user traffic and limits what the devices can reach if one is compromised. Allowing only the required backend ports enforces a narrow communication path and supports least privilege at the network layer. This is a practical compensating control for constrained endpoints that cannot run full enterprise security agents.

Why this answer

Option A is correct because isolating the barcode scanners and kiosk terminal on a dedicated VLAN with strict ACLs that permit only the required backend ports (e.g., TCP 443 for HTTPS or a specific application port) prevents lateral movement from infected devices and blocks unauthorized traffic, including USB-borne malware propagation. This network segmentation does not require endpoint agents or patching, preserving the devices' limited functionality while reducing the attack surface.

Exam trap

The trap here is that candidates often select 'Place the devices on the user VLAN' (Option B) thinking it simplifies management, but the exam expects you to recognize that unpatched, agentless devices must be isolated to prevent them from becoming a pivot point for lateral attacks.

1076
MCQmedium

A security manager is evaluating the effectiveness of a new security awareness training program that all employees completed last quarter. The company has been conducting monthly phishing simulation campaigns for the past year. Which of the following metrics would provide the strongest evidence that the training is achieving its intended goal of changing employee behavior?

A.95% of employees completed the training within the deadline.
B.The number of employees reporting phishing attempts to the SOC increased by 40%.
C.The percentage of employees who clicked on a simulated phishing email decreased from 18% to 6%.
D.The number of helpdesk tickets related to password resets decreased by 10%.
AnswerC

A significant drop in the click-through rate on simulated phishing emails directly demonstrates that employees are less susceptible to phishing attacks, which is the desired behavioral outcome of the training.

Why this answer

Option C directly measures the reduction in risky behavior (clicking phishing links) after training, which is the core goal of security awareness training. A drop from 18% to 6% demonstrates a measurable behavior change, not just knowledge acquisition. This aligns with the Kirkpatrick Model's 'Behavior' level of evaluation, which is the strongest indicator of training effectiveness.

Exam trap

The trap here is that candidates often choose Option B (increased reporting) because it sounds proactive, but the question specifically asks for evidence of 'changing employee behavior' away from clicking, not just improving reporting habits.

How to eliminate wrong answers

Option A is wrong because completion rate measures participation, not behavior change; an employee can complete training without retaining or applying the knowledge. Option B is wrong because increased reporting could indicate heightened awareness, but it does not directly measure whether employees are avoiding the dangerous behavior (clicking); it could also reflect a higher volume of phishing simulations or a reporting culture shift, not necessarily a reduction in successful attacks.

1077
MCQmedium

A vulnerability scan reports a critical finding on a legacy application server. The security team verifies that the flagged package is installed, but the vulnerable code path is disabled by configuration and cannot be exploited in the current deployment. The vendor will not support a patch until next quarter. What is the best next step?

A.Ignore the finding because the scanner produced a false positive
B.Request a risk exception and document compensating controls until patching is possible
C.Disable the vulnerability scanner to prevent repeated alerts
D.Immediately retire the server even though the application is still business-critical
AnswerB

This is the best response because the team has confirmed the issue cannot be immediately remediated, but the organization still needs formal risk ownership. A risk exception documents the temporary acceptance, while compensating controls capture what is being done to reduce exposure until a supported patch becomes available. That is the right balance between operational constraints and security governance.

Why this answer

Option B is correct because the vulnerability is real (the package is installed), but the risk is mitigated by a compensating control (the vulnerable code path is disabled). A risk exception formally documents this compensating control and the planned patch timeline, ensuring the finding is tracked and not forgotten. This aligns with the SY0-701 objective of managing risk through formal acceptance and compensating controls when immediate remediation is not possible.

Exam trap

The trap here is that candidates confuse a 'false positive' (scanner error) with a 'vulnerability that is mitigated by a compensating control' — the scanner is correct, but the risk is lower than the raw CVSS score suggests.

How to eliminate wrong answers

Option A is wrong because the scanner did not produce a false positive; the vulnerable package is indeed installed, and the scanner correctly identified it. The fact that the code path is disabled is a compensating control, not a false positive. Option C is wrong because disabling the vulnerability scanner would eliminate visibility into all findings, including legitimate ones, and violates security monitoring best practices.

Option D is wrong because retiring a business-critical server without a replacement or migration plan would cause unacceptable operational impact, and the risk is already mitigated by the disabled code path.

1078
MCQmedium

A security team suspects a rootkit after seeing hidden processes, boot-time persistence, and altered system files on a laptop. What is the best next step after confirming the suspicion?

A.Run a quick cleanup script and return the laptop to the user
B.Disconnect the laptop, then reimage it from a known-good source
C.Disable the user account and leave the device in place
D.Delete the suspected hidden files manually from Windows Explorer
AnswerB

A rootkit can hide deeply in the system, so reimaging from trusted media is the safest way to restore integrity.

Why this answer

Once a rootkit is confirmed, the system's integrity is compromised at the kernel or boot level, making any software-based cleanup unreliable. Reimaging from a known-good source ensures all malicious code, including bootkits and hidden processes, is completely eradicated. This aligns with the SY0-701 domain of incident response, where containment and eradication require a trusted baseline.

Exam trap

The trap here is that candidates may think a cleanup script or manual deletion is sufficient, but rootkits operate below the OS level, making reimaging the only reliable method to restore integrity.

How to eliminate wrong answers

Option A is wrong because a quick cleanup script cannot remove rootkits that operate at ring 0 or modify the Master Boot Record (MBR); the malware will persist or reinfect. Option C is wrong because disabling the user account does not remove the rootkit from the laptop, leaving the device compromised and potentially spreading to other systems on the network. Option D is wrong because manually deleting files from Windows Explorer cannot remove kernel-mode rootkits that hide their processes and files from user-mode tools, and it may trigger anti-forensic mechanisms.

1079
MCQmedium

Field technicians use company-owned tablets that also run approved personal apps. Security needs corporate email and documents isolated from personal data, selective wipe of only business content if a device is lost, and compliance checks before access is allowed. What should be deployed?

A.Full-disk encryption on the tablets with no additional device management.
B.Mobile device management with a work profile or container and conditional access.
C.A mobile VPN client with split tunneling enabled for user convenience.
D.An antivirus app with a blacklist of approved and unapproved mobile apps.
AnswerB

MDM with containerization separates corporate data from personal apps and supports selective wipe plus policy-based access checks.

Why this answer

Mobile device management (MDM) with a work profile or container (e.g., Android Work Profile or iOS Managed Open In) provides the required isolation between corporate and personal data. Conditional access enforces compliance checks (e.g., device health attestation, OS patch level) before granting access to corporate resources. This combination also enables selective wipe of only the work container without affecting personal apps or data, meeting the lost-device requirement.

Exam trap

The trap here is that candidates confuse full-disk encryption (which only protects data at rest) with the isolation and selective-wipe capabilities of a managed work profile, or they assume a VPN or antivirus alone can enforce data separation and compliance checks.

How to eliminate wrong answers

Option A is wrong because full-disk encryption protects data at rest but does not isolate corporate from personal data, nor does it support selective wipe or compliance-based access control. Option C is wrong because a mobile VPN with split tunneling only controls network routing for user convenience; it provides no data isolation, no selective wipe capability, and no compliance enforcement. Option D is wrong because an antivirus app with an app blacklist only blocks or allows specific applications; it cannot isolate corporate data, perform selective wipes, or enforce compliance checks before access.

1080
Multi-Selectmedium

A finance workflow currently lets one employee create a payment batch and approve it in the same session. Audit findings say the design increases fraud risk. Which two access architecture changes best reduce that risk while keeping the process functional? Select two.

Select 2 answers
A.Split the workflow into separate creator and approver roles.
B.Require the approver to be a different authenticated user before release.
C.Grant all finance users local administrator rights to speed up exception handling.
D.Store the payment password in a shared mailbox so the team can continue when someone is absent.
E.Remove approval steps entirely and rely on log reviews after payment runs.
AnswersA, B

Separating creator and approver responsibilities implements separation of duties and prevents one person from completing the full fraud-prone action alone. This preserves the workflow while requiring a second trusted person to review and approve the batch. It is a classic access architecture control for payment and procurement systems.

Why this answer

Option A is correct because implementing separation of duties (SoD) by splitting the payment batch creation and approval into distinct roles ensures that no single user can both create and approve a transaction. This directly mitigates the fraud risk identified in the audit by requiring collusion between two users to execute a fraudulent payment. The process remains functional because the workflow is simply reordered into two sequential steps performed by different users.

Exam trap

The trap here is that candidates may confuse 'functional efficiency' with 'security best practices' and incorrectly choose option C, thinking that local admin rights will speed up exception handling, when in fact it violates least privilege and separation of duties.

1081
MCQmedium

A customer portal runs from a primary data center. Management wants the secondary site to take over within minutes if the primary site loses power, and the secondary site should already have current systems and data ready to serve users. Which design best fits this requirement?

A.A cold site with nightly backups stored offsite
B.A hot site with synchronized data replication and automated failover
C.RAID 0 across two storage arrays in the primary data center
D.A single backup server with larger disks and more memory
AnswerB

A hot site is already prepared to operate and can receive traffic quickly when the primary site fails. Synchronized replication keeps data current, and automated failover minimizes manual intervention and recovery time. This is the best match for a near-immediate continuity requirement.

Why this answer

A hot site with synchronized data replication and automated failover is the correct choice because it maintains an exact, real-time copy of systems and data at the secondary site. Synchronous replication ensures zero data loss (RPO=0), and automated failover enables the secondary site to become operational within minutes (RTO measured in minutes), meeting the requirement for immediate takeover after a power loss at the primary site.

Exam trap

The trap here is that candidates confuse a cold site with nightly backups as sufficient for rapid recovery, failing to recognize that the RTO of minutes requires pre-staged, synchronized systems and automated failover, not manual restoration from backups.

How to eliminate wrong answers

Option A is wrong because a cold site has no pre-installed hardware or current data; it requires manual setup and restoration from nightly backups, which takes hours or days, not minutes, and cannot achieve the required RTO. Option C is wrong because RAID 0 provides striping for performance but offers no fault tolerance; if either array fails, all data is lost, and it does not address site-level failover or power loss at the primary data center.

1082
MCQmedium

Sales representatives use company-managed smartphones for email, CRM, and document access. If a phone is lost, IT must remove only the corporate apps and work data without erasing the employee's personal photos and contacts. Which control should be used?

A.Perform a full factory reset remotely as soon as any device is reported lost.
B.Use selective wipe through a mobile device management platform.
C.Disable password complexity so the user can regain access more easily after replacement.
D.Install a VPN profile and assume corporate data is safe if the network traffic is encrypted.
AnswerB

Selective wipe removes managed corporate content while preserving the user's personal data on the same device.

Why this answer

Option B is correct because Mobile Device Management (MDM) platforms support selective wipe, which uses management APIs (e.g., Android Enterprise Work Profile or iOS Managed Open In) to remove only corporate apps, accounts, and data while leaving personal content intact. This satisfies the requirement to protect corporate data without infringing on the employee's personal privacy.

Exam trap

The trap here is that candidates often confuse full factory reset (option A) with selective wipe, assuming any remote wipe will suffice, but the exam specifically tests the distinction between wiping all data versus only corporate-managed data.

How to eliminate wrong answers

Option A is wrong because a full factory reset erases all data on the device, including personal photos and contacts, which violates the requirement to preserve personal data. Option C is wrong because disabling password complexity weakens device security and does not address the need to selectively remove corporate data; it also does not help regain access after replacement. Option D is wrong because installing a VPN profile only encrypts network traffic in transit and does not provide any mechanism to remotely remove corporate data from a lost device.

1083
Multi-Selectmedium

A security team is reviewing vulnerabilities in a web application. Which three of the following are common web application vulnerabilities that should be addressed? (Choose three.)

Select 3 answers
.Cross-site scripting (XSS)
.ARP poisoning
.SQL injection
.XML external entity (XXE) injection
.DNS cache poisoning
.Evil twin attack

Why this answer

Cross-site scripting (XSS) is a common web application vulnerability where an attacker injects malicious scripts into web pages viewed by other users, often through input fields or URL parameters. SQL injection occurs when an application improperly sanitizes user input in SQL queries, allowing attackers to manipulate the database. XML external entity (XXE) injection exploits poorly configured XML parsers to process external entities, leading to data disclosure or server-side request forgery.

These three are consistently listed in the OWASP Top 10 as critical web application flaws.

Exam trap

Cisco often tests the distinction between web application vulnerabilities (like XSS, SQLi, XXE) and network-level attacks (like ARP poisoning, DNS cache poisoning, evil twin), so candidates mistakenly select network attacks because they are familiar, but they are not specific to web applications.

1084
MCQeasy

After a file server is restored from backup, users can open the share, but the business wants to be sure the recovery was successful. What should the administrator verify next?

A.Only that the restore completed without any error message.
B.That representative files open correctly and the restored data matches the required recovery point.
C.That the server has enough free disk space for future growth.
D.That the backup software icon appears green on the console.
AnswerB

This is the best answer because restore verification should confirm both data usability and recovery accuracy. A successful job status alone is not enough; the team should test sample files, confirm permissions, and ensure the data reflects the expected recovery point objective. That proves the backup can actually support operations after an outage and not just complete technically.

Why this answer

Option B is correct because verifying that representative files open correctly and match the required recovery point (RPO) confirms data integrity and completeness, not just that the restore process ran without errors. This aligns with the backup validation principle of performing a data integrity check, such as comparing file hashes or checking timestamps, to ensure the restored data is usable and meets the business's recovery objectives.

Exam trap

The trap here is that candidates assume a successful restore job status (no errors) is sufficient, but CompTIA tests the understanding that validation requires actual data verification against the recovery point, not just process completion.

How to eliminate wrong answers

Option A is wrong because a restore completing without error messages only confirms the process finished, not that the data is intact or usable; silent corruption or missing files can occur. Option C is wrong because verifying free disk space for future growth is a capacity planning task unrelated to validating the success of a specific recovery operation. Option D is wrong because a green icon on the backup software console only indicates the backup job ran, not that the restored data is correct or meets the recovery point objective.

1085
MCQmedium

An email gateway receives a macro-enabled spreadsheet from an external supplier. Signature-based scanning does not flag it, but the security team wants to observe whether it drops files, creates persistence, or contacts suspicious domains before delivery to the user. Which tool best meets this need?

A.DLP, because it prevents any document from leaving the organization.
B.Sandboxing, because it detonates the file and observes malicious behavior safely.
C.NAC, because it can block the supplier's laptop from the network.
D.A SIEM, because it can block the attachment and quarantine the message.
AnswerB

Sandboxing is designed to execute suspicious files in a controlled environment and watch what they do. That makes it ideal when signature-based tools miss a potentially malicious attachment and the team wants to see whether it drops files, modifies persistence settings, or reaches out to command-and-control infrastructure. It gives analysts behavior-based insight before the attachment reaches the end user.

Why this answer

Sandboxing is the correct choice because it detonates the file in an isolated, controlled environment to observe its runtime behavior, such as dropping files, creating persistence mechanisms, or making outbound connections to suspicious domains. Unlike signature-based scanning, sandboxing can detect unknown or zero-day malware by analyzing behavioral indicators without risking the production network.

Exam trap

CompTIA often tests the distinction between passive detection (signature-based, SIEM correlation) and active behavioral analysis (sandboxing), leading candidates to choose SIEM because they confuse log aggregation with dynamic file analysis.

How to eliminate wrong answers

Option A is wrong because DLP (Data Loss Prevention) focuses on preventing unauthorized exfiltration of sensitive data, not on analyzing file behavior for malware. Option C is wrong because NAC (Network Access Control) enforces access policies based on device compliance, not on detonating and analyzing attachments. Option D is wrong because a SIEM (Security Information and Event Management) aggregates and correlates logs for detection and alerting, but it does not actively detonate files or observe runtime behavior; it relies on data from other tools.

1086
Drag & Dropmedium

Drag and drop the steps for the RADIUS authentication process into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

RADIUS uses UDP; the NAS acts as a client to the RADIUS server, which authenticates and authorizes the user.

1087
MCQmedium

A security analyst detects repeated outbound traffic from a single workstation to an IP address listed on a public threat intelligence feed as a known command-and-control server. The user reports that the workstation is behaving slowly and that antivirus software is up to date. According to incident response best practices, what should the analyst do FIRST?

A.Disconnect the workstation from the network
B.Run a full antivirus scan on the workstation
C.Notify the user that their workstation may be compromised
D.Check the firewall logs to confirm the destination IP
AnswerA

Correct. Disconnecting the network cable or disabling the network interface immediately stops the outbound communication and contains the threat, which is the primary goal in the containment phase of incident response.

Why this answer

The correct first step is to disconnect the workstation from the network to immediately contain the threat and prevent further command-and-control (C2) communication. Since the traffic is already confirmed to a known C2 server via a public threat intelligence feed, the priority is to stop data exfiltration and potential lateral movement, not to gather more evidence or notify the user. Incident response best practices emphasize containment before eradication or notification to minimize damage.

Exam trap

The trap here is that candidates often choose to gather more evidence (Option D) or run a scan (Option B) first, forgetting that containment is the immediate priority once a live C2 connection is confirmed, per the NIST SP 800-61 incident response lifecycle.

How to eliminate wrong answers

Option B is wrong because running a full antivirus scan is a remediation step that should occur after containment; the malware may already be active and bypassing AV, so scanning first wastes time and risks continued C2 communication. Option C is wrong because notifying the user before containment could cause panic, lead to evidence tampering, or alert an insider threat; communication should follow established incident response procedures after containment. Option D is wrong because checking firewall logs to confirm the destination IP is redundant—the analyst already has confirmed the IP via a public threat intelligence feed—and delays the critical containment action.

1088
Multi-Selecteasy

Company-owned tablets run both business apps and approved personal apps. Which two controls best keep company data separated and support selective wipe? Select two.

Select 2 answers
A.Mobile device management with a work profile or container for corporate data.
B.Selective remote wipe of only the managed corporate container.
C.Allow users to install any app if they promise not to open work files.
D.Store corporate files in the personal photo gallery for easier backup.
E.Disable screen locks so users can access business apps faster.
AnswersA, B

A managed work profile or container separates business content from personal apps and files. This is a standard mobile security approach when one device must support both corporate and personal use.

Why this answer

Option A is correct because Mobile Device Management (MDM) with a work profile or container creates a separate, encrypted partition on the device for corporate data. This container enforces policies (e.g., app whitelisting, VPN) and isolates business apps from personal apps, ensuring that company data remains protected even if the personal side is compromised.

Exam trap

The trap here is that candidates may confuse 'selective wipe' with a full device wipe, or assume that user promises (Option C) or convenience features (Option E) are acceptable security controls, when only containerization and managed wipe satisfy the separation and selective wipe requirements.

1089
Multi-Selecteasy

A records manager is told that some HR emails may be needed for an active investigation, while unrelated messages are still due for deletion under the retention schedule. Which two actions should the manager take? Select two.

Select 2 answers
A.Place the affected emails on legal hold
B.Delete all related records immediately to reduce storage costs
C.Keep the records until the legal team releases the hold
D.Move them into a personal archive folder
E.Rewrite the retention schedule without approval
AnswersA, C

A legal hold prevents deletion or alteration of records that may be needed for an investigation.

Why this answer

A is correct because placing the affected emails on legal hold suspends the retention schedule for those specific records, ensuring they are preserved for the active investigation without altering the deletion policy for unrelated messages. This is a standard practice under eDiscovery and legal hold procedures, often implemented via Exchange Online or similar systems using litigation hold or in-place hold.

Exam trap

The trap here is that candidates may confuse 'legal hold' with simply archiving or delaying deletion, but only a formal hold ensures compliance with legal preservation requirements and prevents spoliation.

1090
Multi-Selecteasy

A small company is deploying a public web application with a front-end server, an application server, and a database. Which two design choices best reduce exposure of the backend systems? Select two.

Select 2 answers
A.Place the web server in a DMZ that is reachable from the internet.
B.Put the database on the same subnet as the web server for faster communication.
C.Place the database on an internal subnet that is not directly reachable from the internet.
D.Allow every tier to communicate freely to simplify troubleshooting.
E.Use one flat VLAN for all three servers and rely on strong passwords.
AnswersA, C

The web server is the system that must face external traffic, so placing it in a DMZ keeps it separate from internal resources. This limits the damage if the public server is compromised.

Why this answer

Option A is correct because placing the web server in a DMZ (demilitarized zone) allows it to be reachable from the internet while isolating it from the internal network. This design ensures that even if the web server is compromised, an attacker cannot directly access the application server or database, as traffic must pass through a firewall with strict rules. The DMZ acts as a buffer zone, reducing the attack surface of backend systems.

Exam trap

CompTIA often tests the misconception that placing all servers in a single VLAN with strong passwords is sufficient security, but the trap here is that network segmentation (DMZ and internal subnets) is essential to limit lateral movement, and passwords alone cannot stop an attacker who exploits a vulnerability in the web server.

1091
MCQmedium

Following a ransomware incident, management wants proof that the organization can actually recover from its backups before declaring the backups trustworthy. What should the security team do next?

A.Check that the backup job completed successfully during the last seven days.
B.Restore a backup into an isolated test environment and validate the result.
C.Increase the backup retention period to reduce the chance of future loss.
D.Compress the backup files further so they take up less storage.
AnswerB

An isolated restore test proves the backup can be recovered and helps verify that data and services meet recovery expectations.

Why this answer

Option B is correct because the only way to prove that backups are trustworthy after a ransomware incident is to perform a full restoration into an isolated test environment and validate the integrity, completeness, and functionality of the recovered data. Simply checking that backup jobs completed successfully (Option A) does not verify that the backup data is uncorrupted, free from ransomware, or restorable in a real scenario. A controlled restore test provides tangible evidence that the recovery process works and the data is usable, which is the core requirement of management’s request for proof of recoverability.

Exam trap

The trap here is that candidates often confuse backup completion success with backup recoverability, assuming that a successful backup job log is sufficient proof, when in reality only a full restore test in an isolated environment can validate that the data is usable and free from corruption or ransomware payloads.

How to eliminate wrong answers

Option A is wrong because verifying that a backup job completed successfully only confirms that the backup process ran without errors; it does not validate that the backup data is intact, free from encryption by ransomware, or restorable to a usable state. Option C is wrong because increasing the backup retention period only retains more historical copies of data, but does not test or prove that any of those backups can actually be recovered successfully. Option D is wrong because compressing backup files further reduces storage usage but does not test the recoverability of the data; in fact, excessive compression could introduce corruption or increase restore time without providing any validation of backup trustworthiness.

1092
MCQmedium

Based on the exhibit, what should the organization do before approving this SaaS vendor to process employee HR records?

A.Approve the vendor now because admin MFA is enabled and the deadline is urgent.
B.Request a formal risk acceptance memo and sign the contract without additional review.
C.Require a security addendum and evidence review before onboarding, including notification timelines, deletion terms, subprocessors, and independent testing.
D.Move the HR data into the vendor environment first and complete the review after production cutover.
AnswerC

This is the best answer because the exhibit reveals several third-party risk gaps that matter for employee PII: no current independent assurance, vague breach notification, weak retention language, and no maintained subprocessor list. A contract addendum and evidence review provide enforceable expectations and reduce legal, privacy, and operational risk before data is shared.

Why this answer

Option C is correct because before processing sensitive employee HR records, the organization must ensure the SaaS vendor meets security and compliance requirements. This includes reviewing contractual terms like notification timelines, data deletion policies, subprocessor usage, and independent testing evidence (e.g., SOC 2 Type II or ISO 27001 certification). Without these, the organization cannot verify the vendor's security posture or contractual obligations, which is critical for protecting PII and meeting regulatory requirements like GDPR or HIPAA.

Exam trap

The trap here is that candidates may assume MFA or a risk acceptance memo alone is sufficient for compliance, but the SY0-701 exam emphasizes that contractual and evidence-based reviews are mandatory before onboarding vendors handling sensitive data.

How to eliminate wrong answers

Option A is wrong because admin MFA alone is insufficient; it does not address data protection, incident notification, deletion terms, or independent testing, and urgency does not justify bypassing due diligence. Option B is wrong because a risk acceptance memo without additional review ignores the need to verify security controls and contractual protections, effectively accepting unknown risks. Option D is wrong because moving HR data into the vendor environment before completing the review exposes sensitive data to unverified risks, violating the principle of 'trust but verify' and potentially leading to compliance violations.

1093
MCQhard

Users on a branch VLAN intermittently reach a fake login page even though DNS records have not changed. A packet capture shows the default gateway MAC address changing every 60 seconds, and the switch logs list repeated unsolicited ARP replies from one workstation. Which attack is most likely?

A.DNS poisoning, because name resolution is directing users to the wrong server.
B.ARP poisoning, because forged ARP replies are associating the gateway IP with the attacker's MAC address.
C.Replay attack, because previously captured traffic is being resent to the network.
D.Denial of service, because the branch users cannot reliably reach websites.
AnswerB

ARP poisoning is the best fit because the attacker is sending unsolicited ARP replies to rewrite the local IP-to-MAC mapping. The changing gateway MAC address and repeated ARP activity are classic signs of a man-in-the-middle setup on a switched LAN. Once traffic is redirected through the attacker, fake login pages and credential interception become possible.

Why this answer

The repeated unsolicited ARP replies from one workstation, combined with the default gateway MAC address changing every 60 seconds, directly indicate an ARP poisoning attack. The attacker is sending forged ARP replies to associate the gateway IP with its own MAC address, causing traffic destined for the gateway to be intercepted. This allows the attacker to redirect users to a fake login page without altering DNS records.

Exam trap

The trap here is that candidates see 'fake login page' and 'DNS records have not changed' and jump to DNS poisoning, but the key indicator is the MAC address changing every 60 seconds, which is a classic sign of ARP poisoning, not DNS manipulation.

How to eliminate wrong answers

Option A is wrong because DNS poisoning involves altering DNS records or cache entries to redirect name resolution, but the scenario explicitly states DNS records have not changed and the packet capture shows MAC address changes, not IP resolution changes. Option C is wrong because a replay attack resends captured legitimate traffic to impersonate a user or disrupt a session, but here the attacker is actively sending unsolicited ARP replies to redirect traffic, not replaying old packets. Option D is wrong because a denial of service attack would prevent users from reaching websites entirely, but the users intermittently reach a fake login page, indicating traffic is being redirected, not blocked.

1094
MCQmedium

A development team is moving a regulated application to a cloud platform. The security architect wants the strongest practical separation from other customers without buying and operating physical servers. Which hosting option is most appropriate?

A.A shared multi-tenant environment with no additional security configuration.
B.A dedicated host or isolated compute offering from the cloud provider.
C.Any public object storage service because the data will be encrypted by default.
D.A remote desktop service on the cheapest shared instance available.
AnswerB

A dedicated or isolated compute option provides stronger separation from other tenants while avoiding the need to manage physical hardware directly. It is a common architecture choice for regulated workloads that need enhanced tenant isolation, clearer placement controls, and a stronger compliance story than a standard shared environment.

Why this answer

A dedicated host or isolated compute offering (option B) provides the strongest practical separation because it ensures the application runs on a physical server dedicated solely to that customer, preventing any resource sharing or potential side-channel attacks from other tenants. This meets the regulatory requirement for strong isolation without the cost and operational overhead of purchasing and managing physical servers on-premises.

Exam trap

The trap here is that candidates often confuse 'dedicated host' with 'dedicated instance' or assume a shared multi-tenant environment can be secured solely with encryption, overlooking the need for physical isolation in regulated workloads.

How to eliminate wrong answers

Option A is wrong because a shared multi-tenant environment with no additional security configuration offers weak isolation, as other customers' virtual machines may run on the same hypervisor, increasing the risk of data exposure or side-channel attacks. Option C is wrong because public object storage services are not a compute hosting option; they are for storing data, not running applications, and encryption by default does not address the need for compute-level separation. Option D is wrong because a remote desktop service on the cheapest shared instance provides no dedicated hardware or strong isolation, and the instance is still shared with other tenants, failing to meet the required separation.

1095
MCQmedium

Several users on the same subnet report intermittent loss of access to the default gateway. A packet capture shows repeated unsolicited ARP replies mapping the gateway IP address to a different MAC address. Traffic is occasionally sent through an unknown workstation. What attack is most likely occurring?

A.ARP poisoning
B.DNS cache poisoning
C.Replay attack
D.Amplification attack
AnswerA

ARP poisoning forges address resolution replies so victims map the gateway IP to the attacker MAC.

Why this answer

The attack is ARP poisoning (also known as ARP spoofing). The attacker sends unsolicited ARP replies to associate the gateway's IP address with the attacker's MAC address, causing traffic destined for the gateway to be redirected through the attacker's workstation. This results in intermittent connectivity as the attacker can forward or drop packets, and the repeated unsolicited replies overwrite the legitimate ARP cache entries on the victim hosts.

Exam trap

The trap here is confusing ARP poisoning with DNS cache poisoning because both involve 'poisoning' a cache, but ARP operates at Layer 2 (MAC addresses) while DNS operates at Layer 7 (domain names), and the symptoms of intermittent gateway access and unsolicited ARP replies are unique to ARP attacks.

How to eliminate wrong answers

Option B (DNS cache poisoning) is wrong because that attack corrupts DNS resolver caches to redirect domain names to malicious IP addresses, not to manipulate Layer 2 MAC-to-IP mappings via ARP. Option C (Replay attack) is wrong because a replay attack involves capturing and retransmitting valid data packets to impersonate a user or gain unauthorized access, not sending unsolicited ARP replies to redirect traffic. Option D (Amplification attack) is wrong because amplification attacks (e.g., DNS amplification, NTP amplification) exploit stateless protocols to flood a target with large responses from many servers, not to poison ARP caches on a local subnet.

1096
MCQmedium

Based on the exhibit, which integration best lets the SaaS application trust the company's existing identity provider so users can sign in with their corporate credentials?

A.Establish SAML federation so the SaaS app trusts the corporate identity provider.
B.Enable password synchronization so the SaaS app stores the same password as the directory.
C.Create a shared local administrator account for all subsidiary users.
D.Configure MAC address filtering on company laptops to allow portal access.
AnswerA

Federation lets the SaaS app accept authentication assertions from the trusted identity provider, eliminating separate passwords.

Why this answer

SAML (Security Assertion Markup Language) federation allows the SaaS application to trust the corporate identity provider (IdP) by exchanging signed XML assertions. This enables users to authenticate against their corporate credentials without the SaaS app ever storing or managing those credentials, providing single sign-on (SSO) across domains.

Exam trap

The trap here is that candidates confuse password synchronization (a legacy or on-premises approach) with federation (SAML), thinking that syncing passwords achieves the same 'trust' without realizing it requires the SaaS app to handle credentials directly, which is less secure and not true federation.

How to eliminate wrong answers

Option B is wrong because password synchronization replicates the password hash to the SaaS app, which still requires the app to store and manage credentials, violating the principle of federated trust and increasing the attack surface. Option C is wrong because creating a shared local administrator account violates the principle of least privilege and non-repudiation, as it cannot tie actions to individual users and poses a massive security risk. Option D is wrong because MAC address filtering is a network access control mechanism that restricts which devices can connect to the network; it does not provide identity-based authentication or trust between the SaaS app and the corporate IdP.

1097
MCQeasy

A SIEM alert shows 120 failed logins for one user account from three different countries within 10 minutes, followed by a successful login. What should the analyst do first?

A.Close the alert because the login eventually succeeded.
B.Verify the activity with related logs and check whether the account owner confirms the login.
C.Immediately delete the account to stop further access.
D.Reimage the user's laptop before collecting any information.
AnswerB

The first step is to validate the alert by correlating related logs and confirming whether the activity is expected.

Why this answer

Option B is correct because the analyst must first validate the alert by correlating the SIEM data with additional logs (e.g., authentication logs, firewall logs) and contacting the account owner to confirm whether the successful login was legitimate. This follows the incident response process of verification before action, preventing unnecessary disruption if the activity is benign (e.g., the user traveling with VPN).

Exam trap

The trap here is that candidates assume a successful login after failures means the attack succeeded and jump to containment (Option C or D), but the SY0-701 emphasizes that verification with the user and additional logs is the mandatory first step in the incident response process.

How to eliminate wrong answers

Option A is wrong because a successful login after multiple failed attempts is a classic sign of a brute-force or credential-stuffing attack; closing the alert ignores the potential compromise. Option C is wrong because immediately deleting the account destroys evidence and may lock out a legitimate user without investigation, violating the principle of least disruption. Option D is wrong because reimaging the laptop is a drastic containment step that should only occur after confirming compromise and preserving forensic evidence; it also assumes the attack vector is local, which may not be the case (e.g., remote credential abuse).

1098
MCQmedium

Based on the exhibit, which action best addresses both the unsanctioned software problem and the need for consistent endpoint configuration? Exhibit: Device group: Sales-Laptops Baseline check: - Approved browser: installed - Approved EDR: installed - Unapproved remote admin tool: detected on 14 endpoints - Local administrator rights: granted to all users in group - Patch compliance: 68% Management wants to prevent unauthorized software from running and keep future builds consistent.

A.Deploy application allowlisting through centralized endpoint management and remove local administrator rights.
B.Keep users as local admins but require stronger email passwords for better overall security.
C.Disable the EDR agent during software installs to avoid false alerts from approved apps.
D.Store approved installers on a shared drive and let users choose what to install.
AnswerA

Application allowlisting is the best fit because it prevents unapproved tools from executing even if they are present on a device. Removing local administrator rights also reduces the chance that users can install or alter software outside the baseline. Combined, these controls support consistent endpoint hardening and make it much harder for risky utilities to appear across the fleet.

Why this answer

Option A is correct because application allowlisting (via AppLocker or Windows Defender Application Control) centrally enforces which software can run, directly addressing the unsanctioned remote admin tool. Removing local administrator rights prevents users from bypassing the allowlist or making unauthorized configuration changes, ensuring consistent endpoint builds and improving patch compliance by limiting user-driven modifications.

Exam trap

The trap here is that candidates may think removing admin rights alone is sufficient, but without application allowlisting, users can still run unapproved software from writable directories like AppData or Temp, so both controls are needed together.

How to eliminate wrong answers

Option B is wrong because keeping users as local admins perpetuates the root cause of unsanctioned software installation and inconsistent configurations, and stronger email passwords do not prevent unauthorized software execution. Option C is wrong because disabling the EDR agent during installs would allow malicious software to run undetected, violating the requirement to prevent unauthorized software and undermining endpoint security. Option D is wrong because storing installers on a shared drive and letting users choose what to install does not enforce any control over software execution, failing to prevent unsanctioned software and leading to inconsistent configurations.

1099
MCQeasy

A help desk technician receives a ticket asking for a password reset on a manager's account. The requester says the manager is traveling and cannot be reached. What is the best action before making any change?

A.Reset the password immediately to avoid delaying the manager's work.
B.Verify the request through an approved identity-check process before taking action.
C.Tell the requester to ask a coworker to share the manager's existing password.
D.Ignore the ticket until the manager returns from travel.
AnswerB

The best action is to verify the requester and the request using the organization's approved process before changing access. This helps prevent social engineering and unauthorized account changes. Account resets are sensitive because they can give an attacker control if the help desk relies only on a convincing story or urgent pressure.

Why this answer

Option B is correct because the principle of least privilege and proper identity verification are critical before performing any privileged action like a password reset. Without verifying the requester's identity through an approved process (e.g., out-of-band verification, knowledge-based authentication, or manager callback), the technician risks unauthorized access, which could lead to a security breach. This aligns with the CompTIA SY0-701 objective on implementing identity and access management controls.

Exam trap

The trap here is that candidates may assume urgency (Option A) is acceptable, but CompTIA emphasizes that security controls must never be bypassed for convenience, and password sharing (Option C) is always a violation of security best practices.

How to eliminate wrong answers

Option A is wrong because resetting the password immediately without verification violates security policy and could enable an impersonation attack or social engineering, potentially compromising the manager's account. Option C is wrong because sharing an existing password violates the principle of non-repudiation and password confidentiality, and it is never an acceptable practice in any secure environment.

1100
MCQhard

A tester enters a crafted search term into an internal web application and sees no error message, but the page response always delays by exactly five seconds when the input includes a single quote followed by a conditional sleep function. The returned results look normal, so the tester repeats the request several times and the timing remains consistent. Which attack is most likely being attempted?

A.Reflected cross-site scripting, because the tester's input is being echoed back into the response.
B.Command injection, because the application is pausing while executing system-level sleep commands.
C.Time-based blind SQL injection, because the attacker is inferring database behavior from delayed responses.
D.Session fixation, because the tester is manipulating how the application handles user input over time.
AnswerC

The timing pattern is the critical clue. When an application does not reveal errors or data directly, an attacker can still infer whether injected SQL changes control flow by measuring response delays. A single quote plus a conditional sleep is a classic sign of time-based blind SQL injection. The normal-looking results and consistent pauses show the query is being influenced even without visible error output.

Why this answer

The consistent five-second delay triggered by a single quote followed by a conditional sleep function (e.g., ' OR SLEEP(5)) indicates a time-based blind SQL injection. The tester is inferring database behavior from response timing because the application does not display error messages or output differences, but the database executes a sleep command when the injected SQL is syntactically valid. This technique exploits the database's ability to conditionally pause execution, allowing an attacker to extract data bit by bit based on true/false conditions.

Exam trap

The trap here is that candidates confuse a time-based delay with command injection (Option B) because both involve a pause, but the key differentiator is the single quote syntax and the database-specific sleep function, not an OS-level command.

How to eliminate wrong answers

Option A is wrong because reflected cross-site scripting requires the tester's input to be echoed back in the HTML/JavaScript context, not a server-side delay; the absence of error messages and the consistent timing point to database-level behavior, not client-side script execution. Option B is wrong because command injection would involve system-level commands (e.g., 'ping -n 5 127.0.0.1') and typically shows a delay from the OS, not a database-specific sleep function triggered by a single quote; the application is a web application, not a command shell. Option D is wrong because session fixation involves an attacker forcing a known session ID on a victim to hijack their session later, not manipulating input to cause server-side delays; the tester's repeated requests and timing analysis are unrelated to session management.

1101
MCQeasy

A security scan finds a critical patch missing on a public-facing web server. The patch has already been tested in the lab and approved for deployment. What should the operations team do next?

A.Ignore the finding because the server is already protected by a firewall
B.Deploy the patch through the normal change process as soon as possible
C.Mark the vulnerability as accepted risk without notifying the business
D.Remove the web server from the asset inventory to prevent the scanner from finding it
AnswerB

A tested and approved patch should be moved into production quickly through the standard change process to reduce exposure.

Why this answer

Option B is correct because the patch has already been tested and approved, meaning it is ready for deployment. The operations team should follow the normal change management process to deploy the patch as soon as possible, ensuring the public-facing web server is secured against the critical vulnerability without bypassing organizational controls.

Exam trap

The trap here is that candidates assume a firewall or risk acceptance can substitute for patching a known vulnerability, but the exam emphasizes that compensating controls (like firewalls) do not eliminate the need for patch management, and risk acceptance requires formal business notification and approval.

How to eliminate wrong answers

Option A is wrong because a firewall does not patch application-layer vulnerabilities; it only filters traffic at the network and transport layers, leaving the web server's software flaw exploitable if an attacker reaches the service. Option C is wrong because marking a critical vulnerability as an accepted risk without notifying the business bypasses the formal risk acceptance process, which requires documented approval from management and a clear understanding of the business impact.

1102
Drag & Dropmedium

Drag and drop the steps to configure a VPN tunnel using IPsec in tunnel mode into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

IPsec VPN setup involves two phases: IKE for key exchange, then IPsec for data encryption; the crypto map ties it to an interface.

1103
MCQeasy

Based on the exhibit, which finding should the security team remediate first?

A.LAP09 because user devices are always the easiest to patch
B.WEB01 because it is internet-facing and has a critical exploitable vulnerability
C.PRN01 because firmware issues can affect many users
D.FILE02 because internal servers are always more important than public ones
AnswerB

WEB01 should be remediated first because it is public-facing, rated critical, and already has a known exploit. Exposure and exploitability greatly increase risk, so this finding has the highest immediate urgency. When patching resources are limited, internet-facing critical vulnerabilities are typically prioritized before internal or low-severity issues.

Why this answer

WEB01 is internet-facing and has a critical exploitable vulnerability, meaning an attacker can directly compromise it from the public internet with minimal effort. This represents the highest risk because it combines high likelihood (exploit available) with high impact (full compromise of a public-facing server). Remediating this first aligns with the principle of prioritizing externally exposed systems with known critical flaws over internal or less severe issues.

Exam trap

The trap here is that candidates prioritize based on ease of remediation (A) or internal importance (D) instead of applying a risk-based approach that considers both the severity of the vulnerability and the exposure of the asset.

How to eliminate wrong answers

Option A is wrong because LAP09 being 'easiest to patch' does not equate to highest risk; patching ease is irrelevant when a critical internet-facing vulnerability exists. Option C is wrong because PRN01's firmware issue, while potentially affecting many users, is internal and typically lower severity than a critical remote code execution on a public server. Option D is wrong because internal servers are not inherently more important than public ones; the criticality and exposure of the vulnerability determine priority, not a blanket rule about server location.

1104
Multi-Selectmedium

A SOC analyst confirms that a user entered corporate credentials into a fake sign-in page. Mailbox logs now show a new forwarding rule sending messages to an external address, and the attacker may still have an active session. Which two actions should the analyst take first to contain the account compromise? Select two.

Select 2 answers
A.Reset the user's password and require a fresh authentication challenge.
B.Revoke active sessions and invalidate existing refresh tokens.
C.Delete the mailbox and create a new user account.
D.Disable all external email delivery for the entire organization.
E.Wait for the user to confirm whether the message was legitimate before acting.
AnswersA, B

Correct because changing the password removes the attacker’s known credential value and helps break direct password reuse. Requiring a fresh authentication challenge also helps ensure the next login is tied to the legitimate user rather than a stolen session.

Why this answer

Resetting the user's password (Option A) immediately invalidates the credentials the attacker phished, preventing further authentication with those stolen credentials. This is a foundational first step in account containment per NIST SP 800-61 incident response guidelines.

Exam trap

Cisco often tests the misconception that a password reset alone is sufficient to terminate an attacker's access, but the trap here is that session tokens and refresh tokens can remain valid, so both password reset AND session/refresh token revocation are required for complete containment.

1105
MCQmedium

Employees sign in once to the corporate portal and then open email, the ticketing system, and an HR application without entering credentials again. The external SaaS providers should trust the company's identity provider rather than creating separate user databases. What architecture is being used?

A.Local authentication on each application with synchronized passwords
B.Federation with single sign-on using the corporate identity provider
C.Network access control using 802.1X authentication
D.Role-based access control on the file server
AnswerB

Federation allows one organization to trust authentication performed by another identity provider. When combined with single sign-on, the user signs in once and then accesses multiple applications without repeated logins. This is exactly what the scenario describes, especially across separate SaaS services.

Why this answer

This scenario describes federation with single sign-on (SSO), where the corporate identity provider (IdP) authenticates the user once and issues a security token (e.g., SAML assertion or OIDC token) that external SaaS providers trust. This eliminates the need for separate user databases in each application and allows seamless access across multiple services without re-entering credentials.

Exam trap

The trap here is that candidates confuse 'single sign-on' with 'synchronized passwords' (Option A) or think that any centralized authentication mechanism (like 802.1X) can replace federated identity for external SaaS trust.

How to eliminate wrong answers

Option A is wrong because local authentication with synchronized passwords still requires each application to maintain its own user database and credential verification, which does not achieve the 'trust the company's identity provider' requirement and introduces password synchronization complexity. Option C is wrong because 802.1X network access control is a port-based authentication mechanism for network access (e.g., wired or Wi-Fi), not for web application SSO or federated identity across SaaS providers. Option D is wrong because role-based access control (RBAC) on the file server governs authorization (what a user can do) after authentication, not the authentication architecture or federated trust between an IdP and external applications.

1106
Multi-Selecteasy

A user forwards an email that says a shared document is available and must be reviewed within 10 minutes. The display name looks like a trusted vendor, but the Reply-To address points to a free webmail account. Which two details are strongest indicators that this is a phishing attempt? Select two.

Select 2 answers
A.The message creates a short deadline and pressures the user to act quickly.
B.The Reply-To address uses a free webmail domain instead of the vendor's corporate domain.
C.The message includes the company's logo and professional-looking formatting.
D.The email refers to a shared document that the user should review.
E.The message was received during normal business hours.
AnswersA, B

Urgency is a classic phishing tactic because it pushes recipients to react before verifying the request. A short deadline increases the chance that the user clicks a link or shares credentials without checking the sender or context.

Why this answer

Option A is correct because phishing attacks frequently use urgency and time pressure to bypass the victim's rational analysis, exploiting the psychological principle of scarcity to trigger impulsive clicks. The 10-minute deadline is a classic social engineering tactic to prevent the user from verifying the email's legitimacy through normal channels.

Exam trap

CompTIA often tests the distinction between easily spoofed visual elements (logos, formatting) and verifiable technical indicators (Reply-To domain mismatch, urgency cues) to catch candidates who rely on superficial appearance rather than email authentication mechanisms.

1107
MCQeasy

A security manager wants to require that all company laptops use at least a 14-character password and lock after 10 minutes of inactivity. Which document should define these mandatory settings?

A.Policy, because it is the broad statement of security intent only.
B.Standard, because it defines specific required technical values the company must follow.
C.Guideline, because it gives optional recommendations for device security.
D.Memo, because it is the normal formal document for security baselines.
AnswerB

A standard is the right document when the organization wants specific, mandatory technical requirements. Password length and screen-lock timeout are measurable settings, so they belong in a standard rather than a general policy. Standards make implementation consistent across systems and help administrators configure devices to the same baseline.

Why this answer

Option B is correct because a standard is the document type that defines mandatory, specific technical requirements, such as a minimum 14-character password length and a 10-minute inactivity lock. Policies are high-level statements of intent, while standards provide the enforceable, measurable parameters that implement that intent. In this scenario, the security manager needs a binding baseline, which is precisely the role of a standard.

Exam trap

The trap here is confusing a policy (broad intent) with a standard (specific, mandatory technical values), leading candidates to choose Option A because they think all security rules are policies, when in fact standards define the enforceable numbers.

How to eliminate wrong answers

Option A is wrong because a policy is a broad statement of security intent and does not include specific technical values like password length or lockout timers; it would reference a standard for those details. Option C is wrong because a guideline offers optional recommendations, not mandatory settings, so it cannot enforce a required 14-character password or 10-minute lock. Option D is wrong because a memo is an informal communication tool, not a formal document type for defining security baselines; it lacks the authority and structure of a standard.

1108
Multi-Selecteasy

A customer portal must stay online if one application server fails. Which two design choices improve availability? Select two.

Select 2 answers
A.Use load balancing across multiple application servers.
B.Add a redundant standby server or failover target.
C.Store the application logs on a larger disk.
D.Increase the password length requirement for portal users.
E.Place all traffic on a single high-performance server.
AnswersA, B

Load balancing spreads traffic across more than one server, so the portal can keep working if one node becomes unavailable. It is one of the most common availability designs for web applications.

Why this answer

Option A is correct because load balancing distributes incoming traffic across multiple application servers. If one server fails, the load balancer automatically redirects traffic to the remaining healthy servers, ensuring the portal remains online. This design eliminates a single point of failure and provides fault tolerance through redundancy.

Exam trap

The trap here is that candidates confuse improving storage capacity (a scalability or performance concern) with improving availability, which requires redundancy and failover mechanisms, not just more resources.

1109
MCQmedium

After a workstation reboot, users see many files renamed with random extensions. A ransom note demands cryptocurrency, and Volume Shadow Copies were deleted from the machine. What malware type is most likely?

A.Trojan, because the malware may have been disguised as a legitimate application.
B.Worm, because the malware likely spread automatically to other systems.
C.Ransomware, because the files were encrypted and payment was demanded.
D.Rootkit, because the attacker would want to hide persistence on the system.
AnswerC

Ransomware commonly encrypts files, deletes recovery options, and leaves a ransom note demanding payment. The random extensions and removed shadow copies are classic clues that the attacker wants to block restoration until payment is made.

Why this answer

The scenario describes files renamed with random extensions (indicating encryption), a ransom note demanding cryptocurrency, and deletion of Volume Shadow Copies (VSS) to prevent file recovery. These are hallmark behaviors of ransomware, specifically a crypto-ransomware variant that encrypts user data and removes backup copies to maximize extortion pressure.

Exam trap

The trap here is that candidates see 'files renamed' and 'ransom note' but may confuse the delivery method (Trojan) or propagation (Worm) with the actual malware type, which is defined by its payload—encryption for extortion—not how it arrived or spread.

How to eliminate wrong answers

Option A is wrong because a Trojan is a type of malware that disguises itself as legitimate software, but the core behavior here is file encryption and ransom demand, not just deception. Option B is wrong because a Worm self-replicates and spreads automatically across networks without user interaction, but the question focuses on the post-reboot encryption and ransom note, not propagation. Option D is wrong because a Rootkit is designed to hide its presence and maintain stealthy persistence, but the visible symptoms are encrypted files and a ransom demand, not hidden processes or stealth.

1110
MCQmedium

An employee reports a ransomware note on a finance laptop. The laptop is still powered on, connected to Wi-Fi, and the user says they were just working in a spreadsheet. Management wants the fastest safe response that also preserves evidence. What should the responder do first?

A.Shut the laptop down immediately to prevent further encryption activity.
B.Isolate the laptop from the network while keeping it powered on for volatile evidence collection.
C.Ask the user to close all open applications and log off normally.
D.Start deleting suspicious files to reduce the impact of the ransomware.
AnswerB

The best first action is to contain the threat without destroying live evidence. Disconnecting network access limits further spread or command-and-control activity, while keeping the system powered on preserves memory, running processes, and other volatile artifacts that may be critical to the investigation. This balances containment with evidence preservation, which is exactly what responders need at the start of an incident.

Why this answer

Option B is correct because the immediate priority is to contain the ransomware while preserving volatile evidence (e.g., memory contents, running processes, network connections) that could be critical for forensic analysis. Powering off the laptop (Option A) would destroy volatile data and may allow the ransomware to persist or trigger additional encryption on reboot. Isolating the network connection stops the ransomware from communicating with its command-and-control server or spreading laterally, while keeping the system powered on allows a responder to capture memory with tools like FTK Imager or LiME before performing a controlled shutdown.

Exam trap

Cisco often tests the misconception that shutting down a compromised system is the safest immediate action, but the trap here is that volatile evidence is lost and the ransomware may have anti-forensic shutdown triggers, making network isolation the correct first step.

How to eliminate wrong answers

Option A is wrong because immediately shutting down the laptop destroys volatile evidence (RAM, running processes, network connections) that could reveal the ransomware variant, encryption keys, or attacker infrastructure; it may also trigger a destructive payload on shutdown. Option C is wrong because asking the user to close applications and log off normally could trigger additional encryption, overwrite evidence in memory, or allow the ransomware to complete its encryption cycle; logging off may also terminate critical forensic artifacts like open network connections or process handles.

1111
MCQmedium

A critical vulnerability is discovered on an internet-facing VPN appliance that cannot be patched for six weeks because the vendor has not released a fix. The VPN service must remain available. What is the best operational response?

A.Leave the appliance unchanged until the vendor releases a patch.
B.Apply compensating controls such as restricting source IPs and increasing monitoring.
C.Disable all logging so the appliance performs better under load.
D.Replace the VPN with a less secure remote access method to avoid the vulnerability.
AnswerB

When a patch is unavailable, risk should be reduced through compensating controls. Limiting who can reach the VPN and closely monitoring access attempts lowers exposure while maintaining service availability until remediation is possible.

Why this answer

Option B is correct because when a vulnerability cannot be patched immediately, compensating controls such as restricting source IPs via ACLs and increasing monitoring (e.g., enabling detailed logging and alerting on anomalous traffic) reduce the attack surface and improve detection of exploitation attempts. This approach maintains service availability while mitigating risk until the vendor releases a fix.

Exam trap

The trap here is that candidates may think leaving the appliance unchanged (Option A) is acceptable if no patch exists, but the exam expects proactive risk reduction through compensating controls rather than passive acceptance of the vulnerability.

How to eliminate wrong answers

Option A is wrong because leaving the appliance unchanged without any mitigation leaves the organization fully exposed to exploitation of the known vulnerability, which is unacceptable for a critical internet-facing device. Option C is wrong because disabling logging reduces visibility into potential attacks, making it harder to detect and respond to exploitation, and does not address the vulnerability itself. Option D is wrong because replacing the VPN with a less secure remote access method introduces new risks and likely violates security policies, whereas the goal is to maintain security while keeping the service available.

1112
MCQmedium

A security operations center (SOC) analyst is overwhelmed by the volume of alerts. The management wants to implement a solution that can automatically respond to common threats, such as blocking an IP address or isolating a compromised endpoint, without requiring human intervention. Which of the following technologies best meets this requirement?

A.Security Information and Event Management (SIEM)
B.Security Orchestration, Automation, and Response (SOAR)
C.Endpoint Detection and Response (EDR)
D.Cloud Access Security Broker (CASB)
AnswerB

SOAR platforms are built to orchestrate workflows, automate repetitive tasks, and respond to incidents without human intervention. This directly addresses the need described in the scenario.

Why this answer

SOAR is the correct choice because it is specifically designed to automate response actions to common security incidents, such as blocking an IP address via firewall APIs or isolating an endpoint through EDR integration, without requiring human intervention. This directly addresses the SOC analyst's alert fatigue by enabling playbook-driven, automated remediation.

Exam trap

The trap here is that candidates confuse SIEM's alerting capability with automated response, forgetting that SIEMs require a separate SOAR or custom scripting to perform actions, while SOAR is the dedicated solution for orchestrated, automated remediation.

How to eliminate wrong answers

Option A is wrong because a SIEM is primarily a log aggregation and correlation platform that generates alerts but does not natively execute automated response actions; it lacks the orchestration and playbook execution capabilities to block IPs or isolate endpoints without additional tools. Option C is wrong because EDR focuses on monitoring and detecting threats on endpoints, and while it can perform automated actions like isolating a host, it does not orchestrate multi-system responses (e.g., updating a firewall and ticketing system) across the entire security stack, which is the core requirement for automated response to common threats.

1113
MCQmedium

A systems administrator says the backup software reports success every night, but no one has restored a server from backup in over a year. The business wants confidence that a file server can be recovered within the agreed recovery window. What is the best next action?

A.Trust the success status because completed jobs prove the backups are usable.
B.Perform a scheduled restore test in an isolated environment and measure the recovery time.
C.Delete older backups so that only the most recent set remains.
D.Extend retention indefinitely to avoid ever losing a recoverable copy.
AnswerB

Restore testing validates backup integrity and confirms the organization can meet recovery expectations.

Why this answer

Option B is correct because the only way to validate that backups are both restorable and meet the recovery time objective (RTO) is to perform a scheduled restore test in an isolated environment. Backup success logs only confirm that data was copied, not that the data is intact or that the restoration process completes within the agreed window. This aligns with the 3-2-1 backup rule and the principle of 'trust but verify' in backup validation.

Exam trap

The trap here is that candidates assume backup success logs are sufficient proof of recoverability, but CompTIA emphasizes that only a documented restore test can verify the backup's usability and adherence to the RTO.

How to eliminate wrong answers

Option A is wrong because backup success status only indicates that the backup job completed without errors, not that the backup data is restorable or that the recovery process will meet the RTO; data corruption, missing files, or incomplete snapshots can still occur. Option C is wrong because deleting older backups reduces the number of recovery points and increases the risk of data loss, especially if the most recent backup is corrupted or fails to restore. Option D is wrong because extending retention indefinitely does not address the core issue of verifying recoverability and can lead to storage bloat, increased costs, and compliance violations without proving that a restore is possible within the RTO.

1114
MCQeasy

A user reports that their laptop is suddenly encrypting files and showing a ransom note. What should the incident response team do first?

A.Immediately restore the laptop from backup before collecting any information.
B.Isolate the laptop from the network to limit spread and preserve evidence.
C.Return the laptop to the user and monitor for additional alerts.
D.Apply all pending software updates to the laptop while it remains online.
AnswerB

Containment comes first to stop further damage while keeping the system available for analysis.

Why this answer

When a laptop suddenly encrypts files and displays a ransom note, it indicates an active ransomware infection. The incident response team's first priority is to isolate the laptop from the network to prevent the ransomware from spreading laterally to other systems and to preserve volatile evidence (e.g., memory contents, running processes) that could be lost if the system is powered off or reconnected. This aligns with the NIST SP 800-61 incident response guidelines, which emphasize containment before eradication or recovery.

Exam trap

The trap here is that candidates may confuse incident response phases and choose a recovery action (like restoring from backup) before containment, or they may mistakenly think applying updates is a valid response to an active infection, when in fact isolation is the mandatory first step per the NIST framework.

How to eliminate wrong answers

Option A is wrong because immediately restoring from backup without first isolating the system could allow the ransomware to re-encrypt the restored files if the infection is still active, and it destroys volatile evidence needed for forensic analysis. Option C is wrong because returning the laptop to the user and monitoring for additional alerts would allow the ransomware to continue encrypting files and potentially spread to other network resources, violating the containment principle. Option D is wrong because applying pending software updates while the laptop remains online does not stop the active encryption process and could trigger additional malicious activity; updates are a preventive measure, not an incident response containment step.

1115
MCQhard

Based on the exhibit, which malware type best explains the behavior?

A.Trojan
B.Rootkit
C.Logic bomb
D.Spyware
AnswerB

The exhibit shows a hidden listener associated with PID 4, an unsigned driver, and a mismatch between user-mode process enumeration and kernel telemetry. Those are classic rootkit indicators because rootkits operate at a low level to conceal processes, ports, or files from standard tools. The suspicious driver name and kernel-level inconsistency are especially strong clues that the malware is trying to hide itself from the operating system and defenders.

Why this answer

A rootkit is designed to hide its presence and the presence of other malware by modifying the operating system's kernel or system calls, allowing it to evade detection by security tools. The exhibit likely shows behavior such as file hiding, process concealment, or system call interception, which are hallmarks of rootkit activity. This aligns with the SY0-701 objective on understanding malware types and their characteristics.

Exam trap

The trap here is that candidates often confuse a rootkit's stealth capabilities with a Trojan's deceptive delivery method, failing to recognize that the exhibit's focus on hiding and persistence at the OS level is unique to rootkits, not general malware types.

How to eliminate wrong answers

Option A (Trojan) is wrong because a Trojan disguises itself as legitimate software to trick users into installing it, but it does not inherently hide its presence or modify the kernel to evade detection; the exhibit's behavior of stealth and system-level concealment is not typical of a Trojan. Option C (Logic bomb) is wrong because a logic bomb is a piece of code that executes a malicious payload when specific conditions are met (e.g., a date or user action), but it does not actively hide itself or its processes; the exhibit's ongoing stealth behavior is inconsistent with a dormant trigger-based mechanism. Option D (Spyware) is wrong because spyware focuses on covertly collecting user data (e.g., keystrokes, browsing habits) and sending it to an attacker, but it does not typically modify the OS kernel or hide its own files and processes at the rootkit level; the exhibit's system-level concealment goes beyond spyware's typical user-space monitoring.

1116
MCQmedium

Based on the exhibit, which control should be enabled so corporate data stays separated from personal data on company-owned tablets?

A.Perform a full-device wipe any time a tablet is lost or reassigned.
B.Deploy mobile threat defense scanning on every tablet.
C.Enable a work profile or container with selective wipe for corporate data.
D.Disable Bluetooth and the camera on all tablets to stop data leakage.
AnswerC

A work profile separates business apps and data from personal content and allows targeted removal of corporate data only.

Why this answer

Option C is correct because a work profile or container (e.g., Android Work Profile or iOS Managed Open In) creates a separate, encrypted partition for corporate data on the device. This allows IT to perform a selective wipe of only the corporate data without affecting the user's personal apps, photos, or settings, ensuring data separation while preserving user privacy.

Exam trap

The trap here is that candidates confuse security controls like full-device wipe or threat scanning with data separation mechanisms, failing to recognize that only containerization or work profiles provide the granular isolation needed to keep corporate and personal data separate on the same device.

How to eliminate wrong answers

Option A is wrong because performing a full-device wipe on loss or reassignment destroys both corporate and personal data, violating the requirement to keep corporate data separated from personal data; it does not enable ongoing separation. Option B is wrong because mobile threat defense scanning detects malware or suspicious activity but does not isolate corporate data into a separate container; it provides security monitoring, not data separation. Option D is wrong because disabling Bluetooth and the camera reduces data leakage vectors but does not create any logical separation between corporate and personal data; it is a restrictive control that does not address the core requirement of maintaining separate data stores.

1117
Multi-Selectmedium

An organization is migrating its on-premises infrastructure to a hybrid cloud model. Which three of the following considerations are most important for maintaining a secure security architecture? (Choose three.)

Select 3 answers
.Ensuring consistent identity and access management across on-premises and cloud environments.
.Using a shared secret for all cloud API calls to simplify authentication.
.Implementing a secure VPN or dedicated connection for data in transit between environments.
.Storing encryption keys for cloud data in the same cloud tenant for convenience.
.Establishing a clear shared responsibility model for security between the organization and the cloud provider.
.Disabling all logging in the cloud to reduce storage costs.

Why this answer

Ensuring consistent identity and access management (IAM) across on-premises and cloud environments is critical because it prevents privilege escalation and unauthorized access. In a hybrid cloud, a unified IAM system (e.g., using Active Directory Federation Services or Azure AD Connect) enforces the same policies, roles, and multi-factor authentication for all resources, eliminating blind spots. Without this, attackers could exploit inconsistent permissions to move laterally between environments.

Exam trap

The trap here is that candidates often confuse 'convenience' with 'security' and select the shared secret or same-tenant key storage options, failing to recognize that these violate fundamental security principles like separation of duties and defense in depth.

1118
MCQeasy

An employee receives an email that says, 'This is the CEO. Buy gift cards now and reply with the codes before the meeting starts.' What should the employee do?

A.Reply with the codes because the request appears urgent
B.Verify the request through an approved channel and report the message
C.Forward the email to coworkers so they can watch for similar messages
D.Delete the email and ignore it without telling anyone
AnswerB

Verifying through a trusted channel and reporting the email protects the organization from a likely fraud attempt.

Why this answer

Option B is correct because the email exhibits classic social engineering indicators—spoofed authority, urgency, and a request for non-standard financial transactions (gift cards). The employee must verify the request through an approved communication channel (e.g., a phone call to the CEO's known number) and report the message to the security team for incident response. This aligns with security policy for phishing and business email compromise (BEC) prevention, as per NIST SP 800-61 and organizational security awareness training.

Exam trap

The trap here is that candidates may mistake the urgency and authority in the email as legitimate, choosing Option A, but CompTIA tests the principle that any request for sensitive actions (gift cards, wire transfers, credential changes) must be verified through a separate, trusted channel regardless of apparent sender identity.

How to eliminate wrong answers

Option A is wrong because replying with gift card codes without verification directly enables a BEC attack, violating the principle of least trust and bypassing standard financial controls. Option C is wrong because forwarding the email to coworkers could propagate the phishing link or attachment, increasing the attack surface and potentially bypassing email security filters. Option D is wrong because deleting the email without reporting it prevents the security team from analyzing the threat, updating detection rules, and protecting other users from the same attack.

1119
MCQeasy

EDR shows encoded PowerShell launched by a word processor and an outbound connection to a rare domain. What is the best immediate containment action?

A.Isolate the endpoint from the network using the EDR console.
B.Uninstall the word processor from every workstation.
C.Wait to see whether more alerts appear before responding.
D.Send a notice to all users reminding them not to open attachments.
AnswerA

Network isolation through EDR quickly limits attacker access and prevents further command-and-control communication. It also preserves the host for investigation while stopping spread to other systems. This is a standard first containment step when behavior strongly suggests active compromise.

Why this answer

Isolating the endpoint from the network using the EDR console is the best immediate containment action because it stops the outbound connection to the rare domain, preventing potential command-and-control (C2) communication or data exfiltration. The encoded PowerShell launched by a word processor strongly suggests a malicious macro or exploit, and isolating the host contains the threat without disrupting the entire network. This aligns with the incident response priority of containment before eradication or recovery.

Exam trap

The trap here is that candidates may choose a broad administrative action (like uninstalling software or sending user notices) instead of the precise, immediate technical containment step that stops the active threat at the network level.

How to eliminate wrong answers

Option B is wrong because uninstalling the word processor from every workstation is a broad, disruptive action that does not address the immediate threat on the affected host and may remove legitimate software needed for business operations. Option C is wrong because waiting for more alerts allows the potential C2 channel to remain active, increasing the risk of lateral movement or data theft. Option D is wrong because sending a user notice is a preventive or awareness measure, not an immediate containment action, and it does not stop the active malicious process or network connection.

1120
MCQmedium

Based on the exhibit, which hardening change best prevents a laptop from booting unapproved tools from external media? Exhibit: UEFI Setup - Secure Boot: Disabled - Boot order: USB, External NIC, Internal SSD - Firmware admin password: Not configured - BitLocker status: Enabled Incident note: A technician confirmed the laptop was started from a USB recovery stick that bypassed the normal corporate login workflow.

A.Enable Secure Boot and change the firmware boot order so only the internal SSD is allowed first.
B.Extend the Windows login timeout so users have more time to notice suspicious activity.
C.Turn off BitLocker so recovery tools can boot without errors.
D.Install a host firewall rule to block USB storage devices from the network.
AnswerA

This is the best control because Secure Boot validates that the bootloader is trusted, and restricting the boot order reduces the chance of booting from unapproved removable media. Together, these changes stop many pre-boot attacks and unauthorized recovery tools before the operating system starts. BitLocker helps protect data at rest, but it does not by itself prevent booting alternate media.

Why this answer

Enabling Secure Boot ensures that only signed, trusted firmware and bootloaders can execute, preventing unauthorized tools like USB recovery sticks from loading. Changing the boot order to prioritize the internal SSD over USB media stops the system from even attempting to boot from external devices, directly addressing the incident where the laptop bypassed corporate login via a USB stick.

Exam trap

CompTIA often tests the misconception that host firewall rules can control local device access, but firewalls operate at the network layer and cannot block USB storage devices, which are managed by hardware or OS-level policies.

How to eliminate wrong answers

Option B is wrong because extending the Windows login timeout does not prevent booting from external media; it only affects the login screen after the OS has already loaded, leaving the boot process vulnerable. Option C is wrong because turning off BitLocker would actually make it easier for unauthorized tools to boot and access data, as BitLocker protects against offline attacks and does not cause boot errors for legitimate recovery tools when properly configured. Option D is wrong because a host firewall rule blocks network traffic, not local USB storage devices; USB storage is controlled by hardware policies or Group Policy, not firewall rules.

1121
MCQmedium

A manufacturer wants to give partner-company users access to a procurement portal. The partner wants to authenticate its own users, and the manufacturer does not want to create separate local passwords for them. What is the best solution?

A.Create shared portal accounts and distribute credentials to the partner's staff.
B.Federate access with the partner's identity provider and map claims or attributes to portal roles.
C.Issue one VPN account for the partner organization and let them share it internally.
D.Require each partner user to create a password directly in the procurement portal.
AnswerB

Federation lets the partner authenticate its own users while the manufacturer trusts identity assertions from the partner identity provider. Claims or attributes can then be mapped to portal roles so access stays controlled without local password management. This is a strong fit for business-to-business access because it preserves administrative separation while still supporting centralized authorization decisions in the portal.

Why this answer

Federation with the partner's identity provider (IdP) using standards like SAML 2.0 or OIDC allows the partner to authenticate their own users while the manufacturer's portal trusts those assertions. Claims or attributes from the IdP (e.g., group membership) are mapped to portal roles, eliminating the need for local passwords and enabling single sign-on (SSO). This is the best solution because it maintains security boundaries and offloads authentication management to the partner.

Exam trap

The trap here is that candidates confuse federation with simple shared accounts or VPN-based access, failing to recognize that federation is the only option that delegates authentication to the partner while preserving individual accountability and eliminating local password management.

How to eliminate wrong answers

Option A is wrong because shared portal accounts violate the principle of least privilege and non-repudiation—multiple users sharing one set of credentials makes auditing impossible and increases the risk of credential leakage. Option C is wrong because a single VPN account shared internally provides no individual accountability, bypasses proper access controls, and does not solve the authentication delegation requirement; it also introduces a VPN dependency that is unnecessary for a web-based procurement portal.

1122
MCQmedium

Based on the exhibit, which security issue should the analyst report first?

A.Outdated component, because the scan did not list software version details.
B.Exposed service, because VNC and the web admin interface are reachable from untrusted networks.
C.Weak permissions, because SSH requires password login only.
D.Default credentials, because the server is in the DMZ.
AnswerB

The most important issue is the exposed service because remote management interfaces are reachable from any source network, and VNC authentication is disabled. That combination creates a high-risk attack surface, especially for a server in the DMZ that stores sensitive customer information.

Why this answer

Option B is correct because the scan reveals that VNC (port 5900) and a web admin interface (port 443 or 8080) are exposed to untrusted networks, such as the internet. This violates the principle of least exposure, as these services are known attack vectors for remote code execution and credential theft. The analyst should prioritize this issue because an exposed service directly increases the attack surface and risk of unauthorized access, whereas other findings may be less immediately critical.

Exam trap

The trap here is that candidates often focus on missing version details (Option A) or default credentials (Option D) as the most critical finding, but CompTIA emphasizes that exposed services on untrusted networks pose the highest immediate risk because they are directly exploitable without requiring prior access.

How to eliminate wrong answers

Option A is wrong because the absence of software version details in the scan does not necessarily indicate an outdated component; it may simply mean the scanner could not fingerprint the version due to banner hiding or firewall restrictions. Option C is wrong because SSH requiring password login only is not inherently a weak permission; weak permissions refer to file or directory access controls, not authentication methods, and password-based SSH is still common in many environments. Option D is wrong because default credentials are not indicated by the server being in the DMZ; the scan does not show any evidence of default username/password usage, and the DMZ placement alone does not confirm this vulnerability.

1123
MCQhard

Based on the exhibit, which security principle does the organization appear to be using most clearly?

A.Zero trust, because all access is denied until a user proves identity again.
B.Defense in depth, because several different controls stop or limit the attack at different stages.
C.Least privilege, because the attachment was blocked from having administrator rights.
D.Need-to-know, because only the security team should be aware of the incident.
AnswerB

Defense in depth is demonstrated by multiple layers: email filtering, application control, EDR containment, MFA, and backup recovery. The attack is not stopped by one control alone. Instead, each layer provides a separate barrier or recovery path, reducing the chance that a single failure becomes a full compromise.

Why this answer

The exhibit shows multiple security controls—an email filter blocking the attachment, a web filter blocking the download link, and an endpoint detection and response (EDR) tool blocking execution—each acting at a different stage of the attack chain. This layered approach, where no single control is relied upon to stop the threat, is the hallmark of defense in depth. The correct answer is B because the scenario clearly demonstrates overlapping controls that provide redundancy and mitigate risk at various points.

Exam trap

The trap here is that candidates often confuse defense in depth with zero trust because both involve multiple controls, but zero trust specifically requires explicit verification for every access request, whereas defense in depth focuses on layered, independent safeguards without necessarily re-verifying identity at each layer.

How to eliminate wrong answers

Option A is wrong because zero trust requires continuous verification of identity and device posture for every access request, not just a one-time re-authentication; the exhibit shows no evidence of such per-request validation. Option C is wrong because least privilege restricts user permissions to the minimum necessary for their role, but the attachment was blocked by an email filter before any user could execute it, not by limiting the attachment's administrator rights. Option D is wrong because need-to-know restricts information access to only those who require it for their duties, but the exhibit focuses on technical controls blocking the attack, not on who is informed about the incident.

1124
MCQeasy

Before contracting with a cloud-based payroll provider, the security team requests a security questionnaire, proof of controls, and an independent audit report. What activity is this?

A.Business continuity testing, because the team is checking recovery procedures.
B.Third-party due diligence, because the team is evaluating vendor risk before onboarding.
C.Security awareness training, because the vendor is being taught safe behavior.
D.Data classification, because the team is labeling the payroll data type.
AnswerB

Third-party due diligence is the process of reviewing a vendor’s security posture, controls, and supporting evidence before trusting them with business data or services. The questionnaire and audit report are classic inputs for that review.

Why this answer

The security team's request for a security questionnaire, proof of controls, and an independent audit report before contracting with a cloud-based payroll provider is a classic example of third-party due diligence. This process evaluates the vendor's security posture, compliance, and risk level before onboarding, ensuring that sensitive payroll data is protected. It is a proactive risk management activity, not a reactive test or training exercise.

Exam trap

The trap here is that candidates confuse third-party due diligence with business continuity testing, because both involve reviewing documentation, but due diligence is pre-contractual risk evaluation, not post-incident recovery verification.

How to eliminate wrong answers

Option A is wrong because business continuity testing focuses on verifying recovery procedures and system resilience, not on evaluating a vendor's security controls before contracting. Option C is wrong because security awareness training is an internal program to educate employees on safe behavior, not a vendor assessment activity. Option D is wrong because data classification involves labeling data by sensitivity level, not requesting audit reports or control evidence from a third party.

1125
Multi-Selecthard

After employees transfer departments, they keep access to old SaaS applications because app-specific accounts are removed only after a manual cleanup ticket. Which two changes best close the lifecycle gap? Select two.

Select 2 answers
A.Use automated provisioning and deprovisioning tied to HR events through SCIM or an equivalent interface.
B.Keep app accounts manually managed so each app owner can decide independently.
C.Map entitlements to IdP groups or roles based on job function.
D.Share a generic help desk password for quick access restoration.
E.Require password changes every 30 days for all users.
AnswersA, C

Automated lifecycle integration reduces delay and human error when employees change roles or leave. When HR events drive account updates, access can be removed or adjusted promptly across connected applications.

Why this answer

Option A is correct because automating provisioning and deprovisioning via SCIM (System for Cross-domain Identity Management) ties account lifecycle directly to HR events (e.g., termination, transfer). This eliminates the manual cleanup ticket gap by instantly removing or modifying access when an employee changes departments, ensuring no stale SaaS accounts remain.

Exam trap

The trap here is that candidates confuse password policies (Option E) with account lifecycle management, failing to recognize that frequent password changes do not remove orphaned accounts or close the provisioning gap.

Page 14

Page 15 of 16

Page 16