Security+ SY0-701 — Questions 1126–1152
1152 questions total · 16 pages · All types, answers revealed
The web team is placing a public customer portal behind a control that can inspect HTTP requests, block malicious payloads such as SQL injection and cross-site scripting, and still allow legitimate application traffic without rewriting the app. Which control should they deploy?
A. An IDS placed on the same network segment as the web server.
B. A DLP appliance between users and the portal.
C. A WAF in front of the application.
D. A NAC solution on the switch ports feeding the portal.
Answer: C
A web application firewall is built to inspect HTTP and HTTPS traffic at the application layer and block common web attacks such as SQL injection and XSS. It can protect a public portal without requiring code changes, making it a practical compensating control while the application team improves secure coding. This is the best fit when the goal is to stop malicious web payloads before they reach the app.
Why this answer
A Web Application Firewall (WAF) is specifically designed to inspect HTTP/HTTPS traffic at the application layer (Layer 7), filtering out malicious payloads like SQL injection and cross-site scripting (XSS) while allowing legitimate requests to pass through. Unlike an IDS, a WAF operates inline and can actively block threats without requiring modifications to the application code, making it the ideal choice for protecting a public-facing web portal.
Exam trap
The trap here is that candidates often confuse an IDS (which only detects) with a WAF (which actively blocks), or they mistakenly think a DLP appliance can filter web application attacks, when in fact DLP focuses on data in motion or at rest, not on application-layer payload inspection.
How to eliminate wrong answers
Option A is wrong because an IDS (Intrusion Detection System) is a passive monitoring device that only alerts on suspicious traffic; it cannot block malicious payloads inline or prevent attacks without additional manual intervention. Option B is wrong because a DLP (Data Loss Prevention) appliance is designed to prevent unauthorized exfiltration of sensitive data, not to inspect and filter HTTP requests for SQL injection or XSS payloads. Option D is wrong because a NAC (Network Access Control) solution controls device access to the network at the switch port level based on compliance policies, but it does not inspect application-layer traffic or block web-based attacks.
Based on the exhibit, what should the team do next after the account has been contained?
A. Close the incident because the password reset removed the attacker from the environment.
B. Remove mailbox persistence, revoke all tokens and app consent, then monitor for reentry.
C. Reimage the user's laptop before reviewing mailbox settings.
D. Restore the mailbox from backup to remove the forwarding rule and keep the user productive.
Answer: B
The exhibit shows post-compromise persistence through a forwarding rule and unauthorized OAuth consent. After containment, the team must eradicate those artifacts, revoke any remaining tokens or sessions, and verify that no attacker-controlled application retains access. That sequence moves the response from containment into eradication and prepares the account for safe recovery and monitoring.
Why this answer
Option B is correct because after containing a compromised account (e.g., disabling it or resetting its password), the attacker may still have established persistence mechanisms such as mailbox forwarding rules, OAuth app consent grants, or session tokens that survive a password reset. Removing these artifacts and revoking all tokens and app consents ensures the attacker cannot regain access via delegated permissions or persistent mailbox rules. Monitoring for reentry is critical to detect any residual access or new compromise attempts.
Exam trap
The trap here is that candidates assume a password reset fully evicts an attacker, overlooking that OAuth tokens and mailbox rules provide persistent access independent of the account password.
How to eliminate wrong answers
Option A is wrong because a password reset alone does not remove attacker-created mailbox forwarding rules, OAuth app grants, or session tokens; the attacker could still access the mailbox via delegated permissions or persistent rules. Option C is wrong because reimaging the user's laptop addresses local device compromise but does not remediate cloud-based persistence like mailbox forwarding rules or app consents that exist in the tenant. Option D is wrong because restoring the mailbox from backup removes the forwarding rule but does not revoke OAuth tokens or app consents, and it may reintroduce the same rule if the backup contains the malicious configuration; it also fails to address other persistence vectors.
A financial institution updates its access control policy to require that two different system administrators must approve and execute any changes to the core transaction processing database. Which security principle is this practice primarily designed to enforce?
A. Defense in depth
B. Separation of duties
C. Least privilege
D. Need to know
Answer: B
Correct. Separation of duties ensures that no single person has exclusive authority over critical functions. By splitting approval and execution between two administrators, the risk of unauthorized or malicious changes is significantly reduced.
Why this answer
Requiring two different system administrators to approve and execute changes to the core transaction processing database enforces separation of duties. This principle ensures that no single individual has the authority to perform both the approval and execution steps, reducing the risk of fraud, error, or unauthorized modifications. In a financial institution, this is critical for maintaining the integrity of transaction data and complying with regulatory standards like SOX or PCI DSS.
Exam trap
The trap here is that candidates confuse separation of duties with least privilege, but least privilege focuses on limiting permissions per role, while separation of duties divides a critical process across multiple roles to prevent conflicts of interest.
How to eliminate wrong answers
Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, encryption) to protect assets, not a dual-approval workflow for a specific action. Option C is wrong because least privilege restricts users to the minimum permissions needed for their role, but the scenario focuses on splitting a critical task between two admins, not limiting their baseline access. Option D is wrong because need to know limits access to information based on job necessity, whereas the question describes a process control over changes, not data access restrictions.
A SOC analyst reviews an EDR alert on a Windows workstation. PowerShell was launched by a scheduled task, downloaded an encoded command from an external server, and then spawned rundll32.exe. No suspicious executable was written to disk. Which type of threat best fits this activity?
A. Trojan
B. Fileless attack
C. Rootkit
D. Worm
Answer: B
Fileless attacks often use trusted tools like PowerShell to run malicious code in memory without leaving a traditional executable behind.
Why this answer
The attack is fileless because it executes entirely in memory without writing a malicious executable to disk. PowerShell downloads an encoded command from an external server and spawns rundll32.exe to run code via DLL execution, leveraging living-off-the-land binaries (LOLBins) to evade traditional antivirus and disk-based detection.
Exam trap
The trap here is that candidates see 'downloaded an encoded command' and assume a file was written, but the key distinction is that no executable file was written to disk, making it a fileless attack rather than a Trojan or rootkit.
How to eliminate wrong answers
Option A is wrong because a Trojan is a malicious program disguised as legitimate software that typically writes a file to disk and requires user installation, whereas this attack uses a scheduled task to launch PowerShell and never writes a suspicious executable. Option C is wrong because a rootkit is designed to hide the presence of malware or maintain privileged access by modifying the operating system kernel or boot process, which is not indicated by the PowerShell-to-rundll32 chain and lack of persistence mechanisms described.
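The chain in this question (scheduled task launches PowerShell, PowerShell carries an encoded command, PowerShell spawns rundll32.exe) is exactly the kind of behaviour an EDR or SIEM rule keys on, because there is no file hash to match. The following is an added example, not code from the page or from courseiva: it runs three simple behavioural rules over constructed process-creation events laid out in the style of Sysmon Event ID 1 fields (an assumption about field naming) and flags the full fileless chain when all three fire.

```python
from typing import List, Tuple

# Constructed sample process-creation events written for this example (not telemetry from the page).
# Fields: event_id, parent_image, parent_command_line, image, command_line
SAMPLE_EVENTS = [
    # Scheduled-task host (svchost.exe running the Schedule service) launches PowerShell with an encoded command.
    (1, "svchost.exe", "svchost.exe -k netsvcs -p -s Schedule",
     "powershell.exe", "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    # That PowerShell process then spawns rundll32.exe.
    (2, "powershell.exe", "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "rundll32.exe", "rundll32.exe C:\\Users\\Public\\stage.dll,Start"),
    # Benign: an admin runs a script interactively from Explorer with no encoded command.
    (3, "explorer.exe", "explorer.exe",
     "powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
    # Benign: rundll32.exe launched by the scheduler itself, not by PowerShell.
    (4, "svchost.exe", "svchost.exe -k netsvcs -p -s Schedule",
     "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]


def has_encoded_command(command_line: str) -> bool:
    """True if the PowerShell command line carries -EncodedCommand or an accepted
    abbreviation of it (-e, -ec, -enc, -encoded, ...). Other switches such as
    -ExecutionPolicy or -File are not prefixes of 'encodedcommand' and do not match."""
    for token in command_line.split():
        if not token.startswith(("-", "/")):
            continue
        name = token.lstrip("-/").lower()
        if name == "ec" or (name and "encodedcommand".startswith(name)):
            return True
    return False


def detect(events) -> List[Tuple[int, str]]:
    """Apply the three behavioural rules; return (event_id, rule_name) for every hit."""
    alerts = []
    for event_id, parent_image, parent_cmd, image, cmd in events:
        image_l, parent_l = image.lower(), parent_image.lower()
        if image_l == "powershell.exe":
            # Rule 1: PowerShell started by the Task Scheduler service host.
            if parent_l == "svchost.exe" and "schedule" in parent_cmd.lower():
                alerts.append((event_id, "powershell_from_scheduled_task"))
            # Rule 2: PowerShell invoked with an encoded (base64) command.
            if has_encoded_command(cmd):
                alerts.append((event_id, "powershell_encoded_command"))
        # Rule 3: PowerShell spawning rundll32.exe (in-memory DLL execution via a LOLBin).
        if image_l == "rundll32.exe" and parent_l == "powershell.exe":
            alerts.append((event_id, "powershell_spawned_rundll32"))
    return alerts


FILELESS_CHAIN = {
    "powershell_from_scheduled_task",
    "powershell_encoded_command",
    "powershell_spawned_rundll32",
}


def is_fileless_chain(alerts) -> bool:
    """True when every rule in the chain fired at least once."""
    return FILELESS_CHAIN.issubset(rule for _, rule in alerts)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    print(hits)
    print("fileless chain:", is_fileless_chain(hits))
```

Each rule on its own is noisy (scheduled PowerShell and encoded commands both occur legitimately); the value comes from correlating them on one host, which is why the example only declares a chain when all three fire.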
A web form stores a user's comment and later displays it to other users. A tester submits <script>alert(1)</script> and the script runs in the browser. What vulnerability is this?
A. SQL injection
B. Cross-site request forgery
C. Cross-site scripting
D. Command injection
Answer: C
The application reflects untrusted input into a page without proper encoding, allowing script execution.
Why this answer
The tester's input <script>alert(1)</script> is executed in the browser, which is the classic symptom of a stored (persistent) cross-site scripting (XSS) vulnerability. The web form fails to sanitize or encode user-supplied data before storing it and later rendering it in other users' browsers, allowing arbitrary JavaScript to run in the security context of the application's origin.
Exam trap
The trap here is that candidates may confuse XSS with SQL injection because both involve injecting malicious input, but XSS targets the browser's execution context while SQL injection targets the database query layer.
How to eliminate wrong answers
Option A is wrong because SQL injection involves injecting SQL commands into database queries (e.g., ' OR 1=1 --), not client-side script execution; the input here does not alter a database query. Option B is wrong because cross-site request forgery (CSRF) tricks a victim into performing an unintended action on an authenticated site, but the tester's input directly executes script in the browser without requiring a forged request. Option D is wrong because command injection targets server-side operating system commands (e.g., ; ls -la), not client-side JavaScript execution in the browser.
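The defect behind this question is that stored comment text reaches the page body without output encoding. The following added example (not code from the page or from courseiva) shows a minimal comment renderer in its vulnerable form beside the hardened form that HTML-entity encodes each comment for the element-body context before insertion; the comment store and payload are constructed for the example.

```python
import html

# Constructed comment store; the second entry is the tester's payload from the question.
COMMENTS = ["Great product!", "<script>alert(1)</script>"]


def render_vulnerable(comments) -> str:
    """Vulnerable: untrusted comment text is concatenated straight into the HTML body,
    so a stored <script> element is returned to every later visitor and executed."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_hardened(comments) -> str:
    """Hardened: each comment is entity-encoded for the HTML element-body context
    (&lt; &gt; &amp; &quot; &#x27;), so the browser displays the tag text instead of
    executing it. The stored data is left untouched; encoding happens at output time."""
    return "<ul>" + "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments) + "</ul>"


def contains_raw_script_tag(page: str) -> bool:
    """Check used here to show the difference: does the rendered page contain a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(COMMENTS))
    print(render_hardened(COMMENTS))
```

Note that html.escape is correct only for text placed in an element body or a quoted attribute; a value inserted into a JavaScript block, a URL, or CSS needs the encoding for that context, which is why templating engines with context-aware auto-escaping are preferred over hand-rolled string building.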
A desktop engineering team asks for the document that specifies the exact minimum encryption setting, screen-lock timer, and password length for company laptops. Which type of document should they follow?
A. Policy, because it states the organization's general intent and high-level direction.
B. Standard, because it defines mandatory uniform requirements for a specific control baseline.
C. Procedure, because it gives the organization-wide security purpose statement.
D. Guideline, because it provides optional suggestions that every laptop must obey.
Answer: B
A standard is the correct document when the organization needs a consistent, mandatory technical baseline such as encryption strength, lock timing, or password length. Standards translate policy into measurable requirements and are suitable for system configuration because they reduce ambiguity and support enforcement across similar assets.
Why this answer
A standard defines mandatory, uniform technical requirements for a specific control baseline, such as exact encryption settings (e.g., AES-256), screen-lock timer (e.g., 15 minutes), and password length (e.g., 14 characters). Unlike a policy, which states high-level intent, a standard provides the precise, enforceable configuration that the desktop engineering team must implement on company laptops.
Exam trap
The trap here is that candidates confuse 'policy' (high-level intent) with 'standard' (specific mandatory baseline), leading them to choose A when the question explicitly asks for the document that specifies exact minimum encryption, timer, and password length values.
How to eliminate wrong answers
Option A is wrong because a policy states the organization's general intent and high-level direction (e.g., 'all laptops must be secured'), but does not specify exact technical values like encryption algorithm, timer duration, or password length. Option C is wrong because a procedure describes step-by-step instructions for performing a task (e.g., how to configure BitLocker), not the mandatory baseline requirements themselves.
An internal audit found that a procurement team uses the shared account procure-approve to approve emergency purchases. The log only shows the shared account name, and managers say they cannot prove which person approved each request. Which two changes best improve accountability and nonrepudiation? Select two.
A. Replace the shared account with named user accounts and unique credentials.
B. Write approvals to an append-only, tamper-evident log with timestamps.
C. Require a longer password on the shared account.
D. Store screenshots of approval screens in a shared folder.
E. Encrypt the approval database at rest.
Answers: A, B
Named accounts make each approval attributable to one person, which is essential for accountability and later investigations. Unique credentials also prevent the common operational problem where a group can deny who actually performed an action.
Why this answer
Option A is correct because replacing the shared account with named user accounts and unique credentials ensures that each approval action is tied to a specific individual. This directly addresses the lack of accountability and nonrepudiation, as each user's unique credentials create a verifiable link between the person and the action, preventing repudiation of the approval.
Exam trap
The trap here is that candidates may think encryption (Option E) or stronger passwords (Option C) solve accountability issues, but these controls address confidentiality and authentication strength, not the fundamental need for individual identification and tamper-proof audit trails.
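The two correct options work together: a named approver goes into each record, and the record is written to a log whose entries chain to one another so that later edits or deletions are detectable. The following is an added example, not code from the page or from courseiva, of such a hash-chained, append-only approval log; the SHA-256 chaining scheme, the account names and the purchase-order identifiers are constructed for the example, and the shared account name procure-approve is the one from the question.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Shared account named in the question; anything in this set is rejected so every entry names one person.
SHARED_ACCOUNTS = {"procure-approve"}


def is_named_account(approver: str) -> bool:
    """Only a non-empty account that is not a known shared account may record an approval."""
    return bool(approver) and approver not in SHARED_ACCOUNTS


def entry_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous entry's hash plus a canonical JSON encoding of this entry's body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class ApprovalLog:
    """Append-only approval log where each entry commits to the hash of the entry before it,
    so changing, removing, or reordering any earlier entry breaks every later hash."""

    GENESIS = "0" * 64  # chain anchor for the first entry

    def __init__(self):
        self.entries = []

    def append(self, approver: str, request_id: str, timestamp: Optional[str] = None) -> dict:
        if not is_named_account(approver):
            raise ValueError("approvals must be recorded under a named user account")
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "approver": approver,
            "request_id": request_id,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "prev": prev,
        }
        entry = dict(body, hash=entry_hash(prev, body))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, otherwise the index of the first entry that fails."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or entry_hash(prev, body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


if __name__ == "__main__":
    log = ApprovalLog()
    log.append("alice", "PO-1001")
    log.append("bob", "PO-1002")
    print("intact:", log.verify() is None)
    log.entries[0]["approver"] = "carol"  # simulate after-the-fact tampering
    print("first bad entry:", log.verify())
```

The chain only proves integrity relative to its own head, so in practice the latest hash is periodically copied to a system the approvers cannot write to (or signed), and timestamps come from a trusted clock rather than the caller; otherwise someone with write access to the whole file could simply rebuild the chain.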
A network team must manage switches from home without exposing management ports to the internet. Which two controls best fit? Select two.
A. Require a VPN before allowing access to the management network.
B. Use SSH for command-line administration instead of Telnet.
C. Expose the switch web interface directly on a public IP address.
D. Use FTP to transfer configuration files because it is simple.
E. Send management passwords by email to approved admins.
Answers: A, B
A VPN creates a protected path into the management network without opening switch admin ports to the public internet. It also lets the organization control who can connect before management access is granted.
Why this answer
Requiring a VPN before allowing access to the management network ensures that all management traffic is encrypted and authenticated over the internet, effectively creating a secure tunnel that protects switch management interfaces from direct exposure. This control aligns with the principle of defense in depth by adding a layer of network segmentation and access control, preventing unauthorized external access to the switches.
Exam trap
The trap here is that candidates often confuse 'secure protocol' (SSH) with 'secure access method' (VPN), mistakenly thinking that using SSH alone is sufficient to protect management interfaces from internet exposure, when in fact SSH only encrypts the session but does not prevent the port from being reachable by attackers.
Based on the exhibit, what additional control is the best fit?
Current controls on the finance share:
- SMB signing enabled
- Weekly access review
- Nightly backups to immutable storage
- Antivirus scans at 02:00
Incident: a valid VPN account was used to access 40,000 files in 8 minutes and copy them to a local drive.
Goal: detect unauthorized bulk access quickly before exfiltration completes.
A. Add file access auditing with alert thresholds forwarded to the SIEM.
B. Increase the backup schedule from nightly to hourly.
C. Rename the share to a less obvious name.
D. Disable SMB signing so the file transfer runs faster.
Answer: A
Auditing is a detective control that can identify abnormal bulk reads quickly and trigger timely response.
Why this answer
File access auditing with alert thresholds forwarded to the SIEM directly addresses the goal of detecting unauthorized bulk access quickly. By monitoring for abnormal file access patterns—such as 40,000 files in 8 minutes—the SIEM can trigger an alert before exfiltration completes, enabling rapid response. This control complements the existing weekly access review by providing real-time detection.
Exam trap
The trap here is that candidates may confuse backup frequency (a recovery control) with detection controls, or think that obscuring the share name provides meaningful security, when the question specifically asks for a control to detect unauthorized bulk access quickly.
How to eliminate wrong answers
Option B is wrong because increasing backup frequency from nightly to hourly does not detect or prevent unauthorized bulk access; backups are a recovery control, not a detection control. Option C is wrong because renaming the share to a less obvious name is a form of security through obscurity that does not detect or alert on anomalous access patterns. Option D is wrong because disabling SMB signing would actually reduce security by removing integrity verification of SMB traffic, and it does not provide any detection capability for bulk file access.
A user receives an SMS from 'IT Service Desk' saying their MFA enrollment expires today and includes a shortened link. Five minutes later, the user gets a phone call from the same number asking them to read back the code shown in the authenticator app so the ticket can be closed. Which two attack channels are used in this campaign? Select two.
A. Email phishing is used because the attacker is requesting a login action.
B. Smishing is used because the first lure arrives by text message.
C. Vishing is used because the follow-up request occurs by phone call.
D. Baiting is used because the attacker offers a free reward or device.
E. Tailgating is used because the attacker follows someone into a restricted area.
Answers: B, C
Smishing is phishing delivered through SMS or another text-based mobile messaging channel. The fake IT Service Desk text with a shortened link is a classic example because it attempts to get the user to click a link and interact outside the normal support process.
Why this answer
Option B is correct because the initial attack vector is an SMS message containing a shortened link, which is the definition of smishing (SMS phishing). The attacker uses this to create urgency and lure the victim into engaging with the MFA enrollment scam.
Exam trap
The trap here is that candidates may focus on the phone call as the only attack channel and overlook the initial SMS, or they may confuse smishing with vishing, not recognizing that both channels are used sequentially in a single campaign.
A security analyst receives an alert that a user clicked a link in a phishing email and entered their corporate credentials on a fake login page. Which of the following should the analyst do FIRST to minimize further damage?
A. Run a full antivirus scan on the user's workstation
B. Reset the user's password and force re-authentication
C. Disable the user's account and block the compromised system from the network
D. Contact law enforcement and report the phishing site
Answer: C
This is the correct first step. Disabling the account and isolating the system immediately prevents the attacker from using the stolen credentials to access resources, move laterally, or exfiltrate data.
Why this answer
Option C is correct because immediately disabling the user's account and blocking the compromised system from the network stops the attacker from using the stolen credentials to authenticate to corporate resources, such as email, VPN, or file shares. This containment step is the highest priority in incident response to prevent lateral movement and further compromise, as the attacker already has valid credentials and could be actively using them.
Exam trap
The trap here is that candidates often choose to reset the password first (Option B) because it seems like a direct fix, but they fail to recognize that the compromised system itself may be under attacker control, and without network isolation, the attacker could still pivot or use other stolen credentials.
How to eliminate wrong answers
Option A is wrong because running a full antivirus scan is a remediation step that should occur after containment; the immediate threat is credential theft, not necessarily malware, and scanning does not prevent the attacker from using the stolen credentials right now. Option B is wrong because resetting the user's password and forcing re-authentication only addresses the compromised account but does not isolate the system from the network; the attacker may have already established persistence or be using other compromised accounts, and the system itself could be under attacker control, so blocking it is necessary to prevent further damage.
An employee receives an email from someone claiming to be from IT. The message says the employee must read back a one-time verification code so their mailbox can be 'repaired.' What social engineering technique is being used?
A. Tailgating, because the attacker is trying to enter a secure area physically.
B. Pretexting, because the attacker is using a fake identity and story to gain trust.
C. DDoS, because the message is designed to overwhelm the mailbox server.
D. Shoulder surfing, because the attacker is watching the screen from nearby.
Answer: B
The attacker is pretending to be IT and inventing a believable support reason to trick the victim into revealing a one-time code.
Why this answer
The attacker is using a fabricated identity (IT support) and a false scenario (mailbox repair requiring a verification code) to manipulate the employee into divulging sensitive information. This is the classic definition of pretexting, where the attacker creates a believable pretext to lower the victim's defenses and extract data or access.
Exam trap
The trap here is that candidates confuse pretexting with phishing, but pretexting specifically relies on a fabricated scenario or identity (the 'pretext') rather than a generic lure like a malicious link or attachment.
How to eliminate wrong answers
Option A is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area, not a social engineering technique involving email or phone. Option C is wrong because a DDoS (Distributed Denial of Service) attack overwhelms a server with traffic to disrupt service, not to trick a user into revealing a code. Option D is wrong because shoulder surfing involves directly observing someone's screen or keyboard from close proximity to steal information, not using a remote email message.
A new SIEM rule generates hundreds of alerts from a scheduled backup job that is known to be legitimate. Which two tuning changes are the best ways to reduce noise without losing visibility into real abuse? Select two.
A. Add a targeted exception for the known backup account, host, or signed process.
B. Keep the rule but alert only when the job runs outside its expected window or from an unexpected system.
C. Disable the SIEM rule entirely because backup jobs are normal.
D. Mark every backup-related alert as harmless without review.
E. Stop logging backup systems so they no longer create noise.
Answers: A, B
A targeted exception reduces repetitive false positives while still allowing the rule to catch unexpected activity. Limiting the exception to the specific backup account, host, or signed process keeps the control narrow and prevents broader blind spots. This is a common and appropriate tuning approach when a known-benign task is repeatedly triggering an alert.
Why this answer
Option A is correct because adding a targeted exception for the known backup account, host, or signed process allows the SIEM to suppress alerts for legitimate backup activity while still monitoring for anomalies. This reduces noise without disabling detection for potential abuse, such as an attacker using a compromised backup account or executing unauthorized backup processes.
Exam trap
The trap here is that candidates may think disabling the rule or ignoring alerts is acceptable for known-good activity, but the exam emphasizes tuning to reduce noise while preserving detection of anomalous behavior, not eliminating visibility entirely.
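This question and the earlier finance-share exhibit (file access auditing with alert thresholds forwarded to the SIEM) describe the two halves of one detection: a bulk-access threshold rule, and a narrow exception so the legitimate backup job does not drown it in noise. The following is an added example, not code from the page or from courseiva, of a sliding-window bulk-access rule run over constructed file-access audit events, with an exception scoped to the backup account, its own host and its expected time window, so the same account reading the share from an unexpected host or at an unexpected hour still alerts. The threshold, window, account and host names are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

BULK_THRESHOLD = 100            # distinct files per (user, host) within WINDOW triggers the rule
WINDOW = timedelta(minutes=5)

# Targeted exception: the known backup job, only from its own host and only inside its expected window.
# Option A (account + host) and option B (expected window / expected system) are both encoded here.
BACKUP_EXCEPTION = {"user": "svc-backup", "host": "backup01", "window": (time(1, 0), time(3, 30))}


def is_expected_backup(user: str, host: str, ts: datetime) -> bool:
    start, end = BACKUP_EXCEPTION["window"]
    return user == BACKUP_EXCEPTION["user"] and host == BACKUP_EXCEPTION["host"] and start <= ts.time() <= end


def _burst(user, host, start, n_files, spread_seconds):
    """Constructed helper: n_files distinct reads by one user/host spread evenly over spread_seconds."""
    return [(user, host, start + timedelta(seconds=i * spread_seconds / n_files),
             f"\\\\finance\\share\\doc{i}.xlsx") for i in range(n_files)]


def sample_events():
    """Constructed file-access audit events (user, host, timestamp, path); not data from the page."""
    day = datetime(2024, 5, 1)
    events = []
    events += _burst("vpn-jdoe", "vpn-client-07", day.replace(hour=9, minute=15), 120, 180)   # bulk read over VPN
    events += _burst("svc-backup", "backup01", day.replace(hour=2, minute=5), 500, 600)      # the nightly backup
    events += _burst("svc-backup", "wks-17", day.replace(hour=14, minute=0), 500, 600)       # backup creds misused
    events += _burst("asmith", "wks-03", day.replace(hour=10, minute=0), 10, 3600)           # normal user
    return sorted(events, key=lambda e: e[2])


def evaluate(events):
    """Sliding-window count of distinct files per (user, host). Returns (alerts, suppressed):
    one entry per key the first time it crosses BULK_THRESHOLD, routed to 'suppressed' when the
    targeted backup exception applies and to 'alerts' otherwise. Events must be time-ordered."""
    windows = defaultdict(deque)
    seen = set()
    alerts, suppressed = [], []
    for user, host, ts, path in events:
        key = (user, host)
        q = windows[key]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW:      # drop reads older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= BULK_THRESHOLD and key not in seen:
            seen.add(key)
            target = suppressed if is_expected_backup(user, host, ts) else alerts
            target.append((user, host, ts.isoformat()))
    return alerts, suppressed


if __name__ == "__main__":
    fired, quiet = evaluate(sample_events())
    print("alerts:", fired)
    print("suppressed by backup exception:", quiet)
```

Keeping suppressed hits as a separate list rather than discarding them lets the analyst confirm the exception is only ever absorbing the backup job; if that list starts showing anything else, the exception is too broad.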
Match each principle to the workplace scenario.
Scenarios:
- A user must be verified each time they request access, even from inside the network.
- The organization uses layered controls such as MFA, filtering, and endpoint protection.
- A contractor can view only the project files required for assigned tasks.
- A support technician receives only the minimum permissions needed to close tickets.
- A website stays online after one server fails because another takes over.
Why these pairings
Least privilege restricts access to necessary functions; separation of duties prevents fraud; defense in depth layers security; need to know limits data access; accountability ties actions to individuals; fail safe maintains security during failures.
Based on the exhibit, what is the best change to improve accountability without removing emergency access?
A. Keep the shared account and add more logging of the shared password.
B. Require named accounts with role-based elevation through a privileged access workflow.
C. Remove all command logging to protect administrator privacy.
D. Use a single shared account with a longer password and monthly rotation.
Answer: B
This is the best answer because the issue is accountability. Shared accounts prevent the organization from knowing which person performed the actions in the log. Named accounts plus privileged elevation preserve break-glass access while ensuring each command is tied to an individual identity. That improves accounting and auditability without removing the operational ability to maintain the system.
Why this answer
Option B is correct because implementing named accounts with role-based elevation through a privileged access workflow ensures each administrator has a unique identity for auditing, while still allowing temporary privilege escalation for emergency tasks. This directly improves accountability by tying actions to specific users, unlike shared accounts, which obscure individual responsibility. The workflow maintains emergency access by granting time-limited elevated permissions through an approval process, avoiding permanent standing privileges.
Exam trap
The trap here is that candidates may think improving logging (Option A) or password rotation (Option D) is sufficient for accountability, but CompTIA emphasizes that shared accounts inherently lack individual attribution, regardless of how much logging or rotation is applied.
How to eliminate wrong answers
Option A is wrong because simply adding more logging to a shared account does not solve the core accountability problem—multiple users still share the same credentials, making it impossible to attribute actions to a specific individual, and logging a shared password is irrelevant to user identification. Option C is wrong because removing command logging destroys the audit trail needed for accountability and incident investigation, violating the principle of non-repudiation and security best practices. Option D is wrong because using a single shared account with a longer password and monthly rotation still lacks individual accountability; password changes do not tie actions to specific users, and emergency access remains unmanaged without a privileged access workflow.
A Linux web server was compromised through an outdated package. The team isolated the host, captured evidence, removed a malicious cron job, patched the vulnerable package, and confirmed no persistence remains. Which incident response phase are they primarily in now?
A. Identification, because the team is still confirming that the event happened.
B. Containment, because the host was isolated from the network.
C. Eradication, because malicious artifacts and the underlying weakness are being removed.
D. Lessons learned, because the server has already been secured.
Answer: C
Eradication focuses on removing malware, persistence, and the cause of compromise so the attacker cannot easily return.
Why this answer
The team has already identified the compromise, isolated the host, and removed the malicious cron job. Patching the vulnerable package addresses the root cause, which is the core of the Eradication phase. Confirming no persistence remains verifies that the eradication was successful, making this the current phase.
Exam trap
The trap here is that candidates confuse the isolation step (Containment) with the overall phase, but the question emphasizes the removal of the malicious cron job and patching, which are definitive Eradication actions.
How to eliminate wrong answers
Option A is wrong because Identification is the initial phase where the incident is discovered and confirmed; here, the team has already moved past that to active remediation. Option B is wrong because Containment focuses on limiting damage (e.g., network isolation), which was already performed; the team is now addressing the root cause and removing artifacts. Option D is wrong because Lessons Learned occurs after recovery is complete and involves post-incident review and documentation, not active patching and artifact removal.
After a phishing incident, the security team wants to preserve evidence for later review. Which action is most appropriate?
A. Have the user delete the phishing email to avoid further exposure
B. Capture and save the email headers and message content
C. Forward the email to every employee as a warning
D. Change the user's office seat assignment immediately
Answer: B
Headers and message content help investigators trace delivery paths and identify indicators of compromise.
Why this answer
Option B is correct because preserving the email headers and message content is essential for forensic analysis. Email headers contain routing information, including the originating IP address, authentication results (SPF, DKIM, DMARC), and timestamps, which are critical for tracing the source of the phishing attack and understanding the attack vector. Deleting or forwarding the email would destroy this evidence, compromising the investigation.
Exam trap
The trap here is that candidates may think deleting or forwarding the email is a quick fix to prevent further harm, but the exam emphasizes that evidence preservation (via capture of headers and content) is the first priority in incident response, not containment or notification.
How to eliminate wrong answers
Option A is wrong because deleting the phishing email destroys the evidence needed for forensic analysis, including headers and metadata that could identify the attacker's infrastructure. Option C is wrong because forwarding the email to all employees increases the risk of further compromise, may violate data protection policies, and alters the original message headers, potentially invalidating the evidence. Option D is wrong because changing the user's office seat assignment has no relevance to preserving digital evidence; it is a physical security measure unrelated to incident response or evidence handling.
Based on the exhibit, which access design change best reduces fraud risk without stopping the payroll process?
Exhibit:
Payroll application roles:
- HR-Editor: can update employee records
- Payroll-Approver: can release payment batches
- Audit-Reader: can view reports only
Current assignment:
User Lisa has both HR-Editor and Payroll-Approver because she "handles payroll end to end."
Management wants to reduce the chance of one person creating and approving a fraudulent payment.
A. Keep both roles assigned but require a manager to review the batch after payment completes.
B. Split duties so record updates and payment approval require separate roles or separate accounts.
C. Remove the audit role and let payroll staff self-review their own work to save time.
D. Use a single shared payroll account so the workflow never pauses for approvals.
Answer: B
This is the best design because it enforces separation of duties, which directly reduces fraud risk. The same person should not be able to create a payment and approve it without independent review. Separate roles or accounts preserve workflow continuity while making collusion or abuse harder, and they provide a cleaner audit trail for accountability.
Why this answer
Option B is correct because it enforces separation of duties (SoD) by ensuring that no single user can both create and approve a payment. Splitting the HR-Editor and Payroll-Approver roles into separate accounts or requiring separate users for record updates and payment approval directly mitigates the fraud risk of a single insider creating a fake employee record and then approving a fraudulent payment batch. This aligns with the principle of least privilege and the NIST SP 800-53 AC-5 control for separation of duties, without halting the payroll workflow.
Exam trap
The trap here is that candidates may choose a detective control (like post-payment review) thinking it reduces risk, but the question specifically asks for a change that 'best reduces fraud risk' without stopping the process, and only a preventive control like separation of duties directly addresses the root cause of the conflict of interest.
How to eliminate wrong answers
Option A is wrong because requiring a manager to review the batch after payment completes is a detective control, not a preventive one; fraud could already occur before the review, and the review may be missed or bypassed. Option C is wrong because removing the audit role and letting payroll staff self-review eliminates independent oversight, increasing fraud risk rather than reducing it. Option D is wrong because using a single shared payroll account removes all individual accountability and audit trails, making it impossible to attribute actions to a specific user and actually increasing fraud risk.
A security architect is designing a solution to process highly sensitive financial transactions in a shared cloud environment. The architect needs to ensure that the processor and memory used to handle transaction data are isolated from the host operating system and other virtual machines, even if the hypervisor is compromised. Which technology is specifically designed to provide this level of isolation for code and data during runtime?
A. Trusted Platform Module (TPM)
B. Hardware Security Module (HSM)
C. Secure enclave (e.g., Intel SGX)
D. UEFI Secure Boot
Answer: C
A secure enclave, such as Intel Software Guard Extensions (SGX), creates hardware-enforced encrypted regions of memory that protect code and data from access by the host OS, hypervisor, or other processes, even if those lower layers are compromised.
Why this answer
Secure enclave technology, such as Intel SGX, provides hardware-enforced isolation by creating trusted execution environments (TEEs) within the CPU. Code and data inside an enclave are encrypted in memory and decrypted only within the processor, ensuring that even a compromised hypervisor or host OS cannot access the transaction data during runtime. This meets the requirement for processor and memory isolation in a shared cloud environment.
Exam trap
The trap here is that candidates often confuse a TPM or HSM with runtime memory isolation, but those technologies focus on storage and cryptographic operations, not on protecting code and data during active execution in a compromised hypervisor environment.
How to eliminate wrong answers
Option A is wrong because a Trusted Platform Module (TPM) is a hardware chip that stores cryptographic keys and performs attestation, but it does not isolate runtime code and data in memory; it secures boot and storage, not active processing. Option B is wrong because a Hardware Security Module (HSM) is a dedicated device for managing cryptographic keys and performing cryptographic operations, but it does not isolate the processor and memory of a running application from the host OS or hypervisor. Option D is wrong because UEFI Secure Boot ensures that only signed firmware and bootloaders execute during startup, but it provides no runtime isolation for code and data after the OS has loaded.
HR stores scanned government IDs collected during onboarding. The retention policy says the files may be kept for 90 days after employment verification, then destroyed. What should security require?
A. Keep the files indefinitely in case a future audit asks for them
B. Move the files to a shared folder so more HR staff can access them
C. Store the files in an encrypted repository and securely dispose of them when retention expires
D. Print the scanned IDs and place them in a locked cabinet instead of keeping digital copies
Answer: C
This is the best answer because it matches the retention schedule and protects sensitive personal data. Encryption reduces exposure while the files are needed, and secure disposal after the retention period supports privacy, legal compliance, and data minimization. The process should also be auditable so the organization can prove it is following its handling requirements.
Why this answer
Option C is correct because it aligns with the principle of data minimization and the retention policy: storing scanned government IDs in an encrypted repository ensures confidentiality and integrity, while secure disposal after the 90-day retention period meets compliance requirements (e.g., GDPR, HIPAA) and reduces risk of data breaches. Security must enforce both protection during storage and timely destruction to prevent unauthorized access or legal liability.
Exam trap
The trap here is that candidates may choose indefinite retention (Option A) thinking it helps with audits, but security requires compliance with the stated retention policy, not hoarding data.
How to eliminate wrong answers
Option A is wrong because keeping files indefinitely violates the retention policy and increases exposure to data breaches, legal non-compliance, and storage costs without a security justification. Option B is wrong because moving files to a shared folder broadens access without need, increasing the attack surface and risk of unauthorized disclosure, while ignoring encryption and retention controls. Option D is wrong because printing scanned IDs creates physical copies that are harder to track, secure, and destroy reliably, and it introduces new risks like loss, theft, or improper disposal, while digital encryption and secure deletion are more auditable and compliant.
A SIEM alert shows a payroll administrator account signed in at 02:10 from a country the employee has never visited. The employee says they are on vacation at home and did not travel. What should the analyst do first?
A. Immediately disable the account and wait for the employee to return.
B. Verify the login context with the user or manager and review recent authentication history.
C. Close the alert as a false positive because the user is on vacation.
D. Reimage the user’s workstation before checking any logs.
Answer: B
This is the best first step because alert triage should confirm whether the activity is truly suspicious before disruptive action is taken. Reviewing the user’s normal login patterns, recent sign-in history, and whether a VPN or travel exception exists helps distinguish a real compromise from an unusual but legitimate event. Good triage reduces unnecessary outages and focuses response effort appropriately.
Why this answer
Option B is correct because the first step in incident response is to verify the alert's validity and gather context before taking action. The analyst should review the SIEM logs for authentication details (e.g., source IP, geolocation, timestamp) and confirm with the user or manager whether the login was expected. This aligns with the NIST SP 800-61 incident response process, which emphasizes triage and validation before containment.
Exam trap
The trap here is that candidates may jump to containment (disabling the account) or dismissal (false positive) without performing the critical triage step of verifying the login context, which the exam emphasizes as the first action in the incident response process.
How to eliminate wrong answers
Option A is wrong because immediately disabling the account without verification could lock out a legitimate user and disrupt operations, violating the principle of least disruption during initial triage. Option C is wrong because closing the alert as a false positive without investigation ignores the possibility of credential theft or a compromised session, which is a common attack vector. Option D is wrong because reimaging the workstation is a drastic containment step that should only occur after confirming a compromise; it bypasses necessary log analysis and could destroy forensic evidence.
Management wants to ensure a file server backed up every night can actually be restored within a 4-hour recovery time objective after an incident. Which two actions best improve recovery confidence? Select two.
A. Perform scheduled restore tests to an isolated environment.
B. Keep at least one backup copy offline or immutable.
C. Increase retention to keep backups for two years without changing restore testing.
D. Move the backup repository onto the same always-mounted file share as production data.
E. Reduce the number of user permissions on the file server without changing backup design.
Answers: A, B
Correct because restore testing proves the backups are usable and helps measure actual recovery time. A backup that has never been restored cannot be assumed to meet the recovery objective.
Why this answer
Option A is correct because performing scheduled restore tests to an isolated environment validates that the backup data is both readable and usable without risking corruption of the production environment. This directly confirms the ability to meet the 4-hour RTO by measuring actual restore times and identifying any issues with the backup process or media before a real incident occurs. Option B is correct because an offline or immutable copy cannot be encrypted, altered, or deleted by ransomware or by an attacker who has compromised the production network, so at least one known-good copy remains available to restore within the RTO.
Exam trap
The trap here is that candidates often confuse backup retention (how long backups are kept) with backup recoverability, assuming that longer retention inherently improves recovery confidence, when in fact only periodic restore testing proves that backups are viable and can meet the RTO.
NetFlow and authentication logs show one workstation opening SMB and WinRM sessions to many internal hosts within ten minutes. The same source also generates a sharp rise in Kerberos service-ticket requests and attempts to access administrative shares. Which three observations most strongly support lateral movement rather than normal admin activity? Select three.
A. A rapid burst of SMB and WinRM connections to many internal systems from one source host.
B. A sharp increase in Kerberos service-ticket requests from the same workstation.
C. Repeated attempts to access administrative shares such as ADMIN$ or C$.
D. Regular outbound DNS lookups for common internet services like time synchronization or content delivery.
E. A successful sign-in to the user's cloud email account from the employee's home network at lunchtime.
Answers: A, B, C
A sudden fan-out of administrative protocols from one workstation is a classic sign of lateral movement. Normal admin activity is usually more targeted and scheduled. A burst like this suggests an automated attempt to enumerate, authenticate, or execute remotely across the environment.
Why this answer
Option A is correct because a rapid burst of SMB and WinRM connections from a single workstation to many internal hosts is a classic indicator of lateral movement. Normal administrative activity typically involves targeted, sequential connections to specific systems for maintenance, not a broad, automated sweep. This pattern suggests an attacker using tools like PsExec or PowerShell remoting to propagate across the network. Option B is correct because a sharp rise in Kerberos service-ticket requests from the same workstation means that host is authenticating to many services in a short time, which fits an automated sweep rather than an administrator working on a handful of systems. Option C is correct because repeated attempts to reach ADMIN$ or C$ on many hosts are typical of remote file staging and command execution, and routine administration seldom touches those shares across the environment at once.
Exam trap
The trap here is that candidates may confuse normal administrative tasks with malicious lateral movement, but the key differentiator is the rapid, broad, and automated nature of the connections, combined with the specific targeting of administrative shares and Kerberos ticket requests, which are not typical for routine admin work.
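As an added example (not part of the original page), the three indicators scored together over constructed NetFlow-style flows and Windows security events; host names, event timings and the thresholds are assumptions, and the Kerberos events are assumed to have been attributed to the requesting workstation already.

```python
"""Added example, not from the page: scoring the three lateral-movement indicators from the
question over constructed NetFlow-style flows and Windows security events. Host names,
timings and thresholds are constructed assumptions."""
from datetime import datetime, timedelta

ADMIN_PORTS = {445: "SMB", 5985: "WinRM", 5986: "WinRM"}
ADMIN_SHARES = {"ADMIN$", "C$"}
WINDOW = timedelta(minutes=10)
# Windows event ids: 4769 = Kerberos service ticket requested (logged by the domain
# controller; assumed already attributed to the requesting host by the SIEM),
# 5140 = a network share object was accessed.
KERBEROS_TGS, SHARE_ACCESS = 4769, 5140
BASE = datetime(2024, 5, 14, 2, 0, 0)

# Constructed flows: (time, src_host, dst_host, dst_port). WS-042 reaches 15 servers in
# seven minutes; ADMIN-PC touches two servers, which is what routine maintenance looks like.
FLOWS = [(BASE + timedelta(seconds=30 * i), "WS-042", f"SRV-{i:02d}", 445 if i % 2 else 5985)
         for i in range(15)]
FLOWS += [(BASE + timedelta(minutes=1), "ADMIN-PC", "SRV-01", 5985),
          (BASE + timedelta(minutes=6), "ADMIN-PC", "SRV-02", 5985)]
# Constructed events: (time, src_host, event_id, detail).
EVENTS = [(BASE + timedelta(seconds=20 * i), "WS-042", KERBEROS_TGS, f"cifs/SRV-{i % 15:02d}")
          for i in range(30)]
EVENTS += [(BASE + timedelta(seconds=40 * i), "WS-042", SHARE_ACCESS, "ADMIN$" if i % 2 else "C$")
           for i in range(8)]
EVENTS += [(BASE + timedelta(minutes=1), "ADMIN-PC", KERBEROS_TGS, "http/SRV-01"),
           (BASE + timedelta(minutes=2), "ADMIN-PC", SHARE_ACCESS, "C$")]


def in_window(t, start, window):
    return start <= t < start + window


def indicators(flows, events, src, start, window=WINDOW):
    """Count the three indicators for one source host inside one time window."""
    hosts = {dst for t, s, dst, port in flows
             if s == src and port in ADMIN_PORTS and in_window(t, start, window)}
    tgs = sum(1 for t, s, eid, _ in events
              if s == src and eid == KERBEROS_TGS and in_window(t, start, window))
    shares = sum(1 for t, s, eid, detail in events
                 if s == src and eid == SHARE_ACCESS and detail in ADMIN_SHARES
                 and in_window(t, start, window))
    return {"fan_out_hosts": len(hosts), "tgs_requests": tgs, "admin_share_attempts": shares}


def is_lateral_movement(ind, fan_out_min=10, tgs_min=20, shares_min=5):
    """Require all three indicators together: any one alone can be legitimate administration."""
    return (ind["fan_out_hosts"] >= fan_out_min
            and ind["tgs_requests"] >= tgs_min
            and ind["admin_share_attempts"] >= shares_min)


def triage(flows, events, start=BASE, window=WINDOW):
    """Return {source_host: (indicator counts, verdict)} for every source seen in the flows."""
    report = {}
    for src in sorted({s for _, s, _, _ in flows}):
        ind = indicators(flows, events, src, start, window)
        report[src] = (ind, is_lateral_movement(ind))
    return report
```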
Based on the exhibit, which item is the strongest evidence that quarterly privileged access reviews occurred?
A. SIEM export of administrator logins.
B. Signed access review spreadsheet with reviewer, date, and exceptions.
C. Help desk ticket for a password reset.
D. Screenshot of the access review policy.
Answer: B
This is the strongest evidence because it directly records the review activity, who performed it, when it occurred, and what exceptions were found.
Why this answer
A signed access review spreadsheet with reviewer, date, and exceptions provides direct, non-repudiable evidence that a formal review of privileged access was completed. Unlike logs or policies, it explicitly documents the reviewer's identity, the date of review, and any exceptions, satisfying audit requirements for quarterly privileged access reviews.
Exam trap
The trap here is that candidates mistake evidence of activity (like login logs) or policy existence for evidence of a completed review process, overlooking the need for documented attestation with reviewer identity and date.
How to eliminate wrong answers
Option A is wrong because a SIEM export of administrator logins only shows that logins occurred, not that a formal review of those accounts' access rights was performed; it lacks reviewer attestation and exception documentation. Option C is wrong because a help desk ticket for a password reset is an operational event unrelated to the periodic review of privileged access entitlements. Option D is wrong because a screenshot of the access review policy only proves the policy exists, not that it was actually followed or that a review occurred.
A SIEM reviews VPN authentication logs and sees 36 different usernames each receive one failed login attempt from the same source IP over 20 minutes, followed by one successful login to an unrelated account. Which attack is most likely?
A. Password spraying against many accounts with a low number of attempts per account.
B. A brute-force attack focused on a single locked account.
C. A replay attack using captured authentication data.
D. A port scan that accidentally triggered authentication failures.
Answer: A
This pattern matches low-and-slow password spraying, where one or a few common passwords are tried against many accounts to avoid lockouts.
Why this answer
The SIEM observed 36 different usernames each receiving one failed login attempt from the same source IP over 20 minutes, followed by one successful login to an unrelated account. This pattern is characteristic of a password spraying attack, where an attacker tries a small number of common passwords against many accounts to avoid account lockout thresholds, and then uses a successful credential to pivot to another account. The low number of attempts per account (one each) and the wide spread of usernames distinguish it from brute-force or targeted attacks.
Exam trap
The trap here is that candidates often confuse password spraying with brute-force attacks, but the key differentiator is the distribution of attempts across many accounts versus many attempts on a single account.
How to eliminate wrong answers
Option B is wrong because a brute-force attack focused on a single locked account would show many failed attempts against that one username, not one attempt each across 36 different usernames. Option C is wrong because a replay attack would involve capturing and reusing valid authentication data (e.g., a Kerberos ticket or NTLM hash), not generating new failed login attempts from a source IP. Option D is wrong because a port scan does not generate authentication failures; it probes for open ports using TCP SYN or UDP packets, and any authentication failures would be coincidental and not follow a pattern of one attempt per username.
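As an added example (not part of the original page), the distinction the explanation draws, many accounts with one attempt each versus one account with many attempts, implemented as detection logic over constructed VPN log lines; the log format, IP addresses and usernames are assumptions.

```python
"""Added example, not from the page: classifying VPN authentication failures as password
spraying or brute force. The log format, IP addresses and usernames are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> vpn auth <ok|fail> user=<name> src=<ip>"
LINE = re.compile(r"^(?P<ts>\S+) vpn auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<ip>\S+)$")

BASE = datetime(2024, 5, 14, 1, 0, 0)
# 36 different usernames, one failure each, within 20 minutes from one address ...
SAMPLE_LOG = [f"{(BASE + timedelta(seconds=33 * i)).isoformat()} vpn auth fail user=user{i:02d} src=203.0.113.7"
              for i in range(36)]
# ... followed by a success to an account that was not among the failures.
SAMPLE_LOG.append(f"{(BASE + timedelta(minutes=21)).isoformat()} vpn auth ok user=r.ortiz src=203.0.113.7")
# Contrast: one account hammered repeatedly from another address (classic brute force).
SAMPLE_LOG += [f"{(BASE + timedelta(seconds=5 * i)).isoformat()} vpn auth fail user=j.doe src=192.0.2.50"
               for i in range(12)]
# Noise: an ordinary successful login and an unrelated line the parser must skip.
SAMPLE_LOG.append(f"{BASE.isoformat()} vpn auth ok user=a.chen src=198.51.100.9")
SAMPLE_LOG.append(f"{BASE.isoformat()} vpn tunnel up peer=198.51.100.9")


def parse(lines):
    """Yield (time, result, user, ip) tuples; lines that do not match are ignored."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def classify_sources(events, spray_min_users=10, spray_max_per_user=2, brute_min_attempts=10):
    """Return {ip: summary}; the label is 'password_spray', 'brute_force' or 'normal'."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "fail"]
        per_user = defaultdict(int)
        for _, _, user, _ in fails:
            per_user[user] += 1
        summary = {
            "distinct_users_failed": len(per_user),
            "max_attempts_per_user": max(per_user.values(), default=0),
            "span_minutes": (fails[-1][0] - fails[0][0]).total_seconds() / 60 if fails else 0.0,
            # a success after the failures began is the pivot the question describes
            "success_after_failures": bool(fails) and any(e[1] == "ok" and e[0] > fails[0][0] for e in evs),
            "label": "normal",
        }
        if summary["distinct_users_failed"] >= spray_min_users and summary["max_attempts_per_user"] <= spray_max_per_user:
            summary["label"] = "password_spray"  # many accounts, few tries each: stays under lockout thresholds
        elif summary["max_attempts_per_user"] >= brute_min_attempts:
            summary["label"] = "brute_force"     # one account, many tries
        report[ip] = summary
    return report
```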
A finance portal lets one employee create a payment batch and approve it without review. Management wants to reduce fraud risk while keeping the workflow functional. Which two changes best achieve that goal? Select two.
A. Separate the create and approve functions into different roles or groups.
B. Require an independent approval step from a different account or manager before release.
C. Give the same user broader administrative access to avoid delays.
D. Allow the same role to perform both actions but log the activity after the fact.
E. Remove authentication so the process is faster.
Answers: A, B
Splitting duties prevents one person from both initiating and authorizing the same financial action. This is a classic role-based control that limits fraud opportunities without removing the workflow itself.
Why this answer
Option A is correct because it enforces separation of duties, a fundamental internal control that prevents a single user from both creating and approving a payment batch. By assigning the create and approve functions to different roles or groups, the organization ensures no single individual can complete a fraudulent transaction without collusion. This directly reduces fraud risk while maintaining workflow functionality by requiring two distinct actors. Option B is correct because an independent approval from a different account or manager adds a second, accountable actor before funds are released, so a fraudulent batch cannot be completed by one person acting alone; the approval step is a brief checkpoint rather than a halt to the workflow.
Exam trap
The trap here is that candidates may mistakenly think broader administrative access streamlines workflow, but CompTIA emphasizes that separation of duties and independent approval are the correct controls to reduce fraud without sacrificing functionality.
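As an added example (not part of the original page) serving both the payroll exhibit above and this finance-portal question, separation of duties enforced two ways: a static check over role assignments for the toxic HR-Editor and Payroll-Approver combination, and a runtime check that refuses to let whoever edited a record release the batch it feeds. User names, batch and record ids are constructed.

```python
"""Added example, not from the page: enforcing the separation of duties that the payroll
exhibit and the finance-portal question call for. User names and record ids are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Role combinations one identity must never hold at once (from the exhibit's fraud scenario).
TOXIC_PAIRS = [frozenset({"HR-Editor", "Payroll-Approver"})]

class SoDError(PermissionError):
    """Raised when one identity would both prepare and approve the same payment."""

def sod_violations(assignments):
    """Static check over role assignments: {user: sorted conflicting roles}."""
    found = {}
    for user, roles in assignments.items():
        for pair in TOXIC_PAIRS:
            if pair <= set(roles):
                found[user] = sorted(pair)
    return found

@dataclass
class PaymentBatch:
    batch_id: str
    record_editors: dict = field(default_factory=dict)  # employee id -> user who last edited it
    released_by: Optional[str] = None

class PayrollApp:
    def __init__(self, assignments):
        self.assignments = {user: set(roles) for user, roles in assignments.items()}
        self.batches = {}

    def _require(self, user, role):
        if role not in self.assignments.get(user, set()):
            raise SoDError(f"{user} lacks role {role}")

    def update_record(self, user, batch_id, employee_id):
        """HR-Editor action: change an employee record that feeds a payment batch."""
        self._require(user, "HR-Editor")
        batch = self.batches.setdefault(batch_id, PaymentBatch(batch_id))
        batch.record_editors[employee_id] = user

    def release_batch(self, user, batch_id):
        """Payroll-Approver action; refused if the approver edited any record in the batch."""
        self._require(user, "Payroll-Approver")
        batch = self.batches[batch_id]
        if user in batch.record_editors.values():
            raise SoDError(f"{user} edited records in {batch_id} and may not release it")
        batch.released_by = user
        return batch

# Constructed assignments before and after management splits Lisa's duties.
BEFORE = {"lisa": {"HR-Editor", "Payroll-Approver"}, "omar": {"Audit-Reader"}}
AFTER = {"lisa": {"HR-Editor"}, "dana": {"Payroll-Approver"}, "omar": {"Audit-Reader"}}

def pre_split_attempt():
    """Runtime check alone: Lisa holds both roles but still cannot release her own edits."""
    app = PayrollApp(BEFORE)
    app.update_record("lisa", "2024-05-B0", "emp-1042")
    try:
        app.release_batch("lisa", "2024-05-B0")
        return "released"
    except SoDError:
        return "refused"

def split_workflow():
    """After the split: Lisa edits, Dana releases; Lisa and Omar are refused (no approver role)."""
    app = PayrollApp(AFTER)
    app.update_record("lisa", "2024-05-B1", "emp-1042")
    refused = []
    for user in ("lisa", "omar"):
        try:
            app.release_batch(user, "2024-05-B1")
        except SoDError:
            refused.append(user)
    return refused, app.release_batch("dana", "2024-05-B1").released_by
```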