Security+ SY0-701 (SY0-701) — Questions 151–225

1152 questions total · 16 pages · All types, answers revealed

Page 3 of 16
151
MCQ · medium

A security analyst receives reports that several employees are being redirected to a fraudulent login page after typing the correct URL for a company application into their browser. Further investigation reveals that the company's internal DNS server has been compromised. Which type of attack best describes this scenario?

A. Phishing
B. Spear phishing
C. Pharming
D. Vishing
Answer: C

Pharming redirects users to fraudulent websites by compromising DNS servers or host files, even when the correct URL is entered. The DNS server compromise in this scenario is a classic pharming technique.

Why this answer

Pharming is correct because the attack redirects users from a legitimate website to a fraudulent one without their knowledge or interaction, typically by compromising the DNS resolution process. In this scenario, the internal DNS server has been compromised, so when employees type the correct URL, the DNS server returns the IP address of a fake login page instead of the real one. This is a classic example of DNS poisoning, a form of pharming.

Exam trap

The trap here is that candidates often confuse pharming with phishing because both involve fake login pages, but pharming does not require the user to click a link—it subverts the DNS resolution process, making it a technical infrastructure attack rather than a social engineering one.

How to eliminate wrong answers

Option A is wrong because phishing relies on deceptive messages (e.g., emails or texts) that trick users into clicking a malicious link or providing credentials, not on compromising the DNS resolution infrastructure. Option B is wrong because spear phishing is a targeted form of phishing that uses personalized messages to deceive a specific individual or group, but it still requires user interaction with a link or attachment, not the manipulation of DNS records.

152
MCQ · medium

An investigator must collect data from a suspected insider-threat laptop so that the evidence can be used in an HR and legal review. Which action best preserves admissibility?

A. Boot the laptop normally and browse the user's files for clues
B. Create a forensic image through a write blocker and record hashes before and after acquisition
C. Copy the user's documents to a USB drive and continue the investigation later
D. Take screenshots of the desktop and delete the original drive contents afterward
Answer: B

This is the correct preservation method because it avoids altering the original disk and creates verifiable integrity checks. Using a write blocker prevents writes to the source media, and hashes document that the image matches the evidence. Detailed chain-of-custody records then support admissibility in HR, disciplinary, or legal proceedings.

Why this answer

Option B is correct because creating a forensic image through a write blocker ensures the original evidence is not altered, preserving its integrity for admissibility in HR and legal proceedings. Recording hashes before and after acquisition allows verification that the image is an exact, unmodified copy, which is critical for chain of custody and meeting legal standards such as Daubert or Federal Rules of Evidence.

Exam trap

The trap here is that candidates may think booting normally or copying files is sufficient for evidence collection, but the exam emphasizes that any action that modifies the original media breaks the chain of custody and makes evidence inadmissible in legal proceedings.

How to eliminate wrong answers

Option A is wrong because booting the laptop normally modifies the system (e.g., writes to the page file, updates timestamps, and alters registry keys), which can destroy volatile evidence and render the data inadmissible due to lack of integrity. Option C is wrong because copying user documents to a USB drive without using a write blocker or imaging tool alters file metadata (e.g., last access times) and does not capture deleted files or slack space, breaking the forensic soundness required for legal review. Option D is wrong because taking screenshots only captures a superficial view and does not preserve the full disk state, while deleting the original drive contents destroys the primary evidence, making it impossible to verify or challenge the screenshots later.

153
MCQ · easy

Based on the exhibit, what wireless threat is most likely occurring?

A. Evil twin access point
B. Bluetooth pairing abuse
C. NFC skimming
D. DNS poisoning
Answer: A

Two access points are broadcasting the same SSID, but one has a much stronger signal and triggers a suspicious captive portal. That pattern fits an evil twin access point, which imitates a legitimate network to lure users into connecting. The attacker can then intercept traffic or harvest credentials.

Why this answer

The exhibit shows a legitimate access point (SSID: 'CorpNet') with a second, rogue access point broadcasting the same SSID but with a stronger signal. This is the classic behavior of an evil twin attack, where an attacker sets up a fraudulent AP to intercept client connections and capture credentials or sensitive data. The victim's device automatically associates with the stronger signal, believing it is the legitimate network.

Exam trap

The trap here is that candidates confuse an evil twin with a rogue access point—a rogue AP is an unauthorized device plugged into the wired network, while an evil twin is a standalone attacker AP that mimics a legitimate SSID over the air.

How to eliminate wrong answers

Option B is wrong because Bluetooth pairing abuse involves exploiting Bluetooth connections (e.g., Bluejacking, Bluesnarfing), not Wi-Fi SSID spoofing or signal strength manipulation. Option C is wrong because NFC skimming targets contactless payment or data exchange via near-field communication, which operates at a range of ~4 cm and does not involve Wi-Fi access points or SSIDs. Option D is wrong because DNS poisoning corrupts DNS resolver caches to redirect traffic to malicious sites, but the exhibit shows no DNS server manipulation or altered IP resolution—only two APs with the same SSID.

154
MCQ · easy

A laptop repeatedly starts with an unapproved bootloader, and the security team wants the firmware to refuse boot code that is not signed by a trusted key. Which feature should be used?

A. Secure Boot.
B. BitLocker full-disk encryption.
C. A DHCP reservation.
D. A local administrator password policy.
Answer: A

This is the best answer because Secure Boot verifies that boot components are signed by trusted keys before allowing them to load. That helps prevent bootkits and other pre-boot tampering from taking control before the operating system starts. It is a core platform hardening feature on modern systems and directly addresses trust in the boot process.

Why this answer

Secure Boot is a UEFI firmware feature that verifies the digital signature of bootloaders and kernel code against a database of trusted keys before allowing execution. By configuring Secure Boot to only accept boot code signed by a trusted key, the firmware will reject any unapproved bootloader, preventing unauthorized code from running during the boot process.

Exam trap

The trap here is that candidates often confuse Secure Boot with BitLocker, thinking that disk encryption also verifies boot integrity, but BitLocker only protects data after the OS loads and does not validate the bootloader's signature.

How to eliminate wrong answers

Option B is wrong because BitLocker full-disk encryption protects data at rest by encrypting the entire drive, but it does not validate the integrity or signature of boot code before execution. Option C is wrong because a DHCP reservation assigns a fixed IP address to a device based on its MAC address and has no role in verifying bootloader signatures or firmware-level security. Option D is wrong because a local administrator password policy controls password complexity and expiration for local user accounts, but it does not enforce cryptographic verification of boot components.

155
MCQ · medium

During morning SIEM review, an analyst sees 37 failed SSH logins followed by a successful login to a Linux server from a jump host. The account belongs to a configuration-management service account, and the activity occurred inside the normal maintenance window. What should the analyst do next to determine whether the alert is a true positive or a false positive?

A. Immediately isolate the Linux server from the network and begin recovery.
B. Correlate the event with the approved maintenance ticket and automation job logs.
C. Reset the service account password before reviewing any additional evidence.
D. Disable SSH on the server until the next patch cycle is complete.
Answer: B

Matching the authentication pattern to a change ticket and automation logs is the best validation step. It confirms whether the repeated failures and successful login were produced by an approved task rather than malicious activity. This is the most efficient way to distinguish a true positive from an expected operational event without disrupting a legitimate maintenance process.

Why this answer

Option B is correct because the analyst should correlate the failed SSH logins with the approved maintenance ticket and automation job logs to verify if the activity is expected. The failed logins followed by a successful login from a jump host during a maintenance window are consistent with a configuration-management tool (e.g., Ansible, Puppet) retrying authentication. This correlation confirms whether the alert is a true positive (unauthorized access) or a false positive (routine automation).

Exam trap

The trap here is that candidates assume any failed logins followed by a success indicate a brute-force attack, but the context of a maintenance window and a service account points to legitimate automation retries, not malicious activity.

How to eliminate wrong answers

Option A is wrong because immediately isolating the Linux server is premature and disruptive; the activity occurred during a maintenance window and may be legitimate automation, so isolation should only occur after confirming malicious intent. Option C is wrong because resetting the service account password without reviewing evidence could break legitimate automation jobs and does not address the need to determine if the alert is a true or false positive. Option D is wrong because disabling SSH on the server is an overreaction that would block all remote administration, including legitimate maintenance, and is not a diagnostic step.

156
MCQ · easy

A department identifies a low-likelihood software risk that would be expensive to fix right now. Leadership decides the business can live with the exposure for now, but wants it documented and reviewed later. What risk treatment is this?

A. Mitigate the risk by applying a technical control immediately
B. Accept the risk with documented approval and periodic review
C. Transfer the risk to an insurer or third party
D. Avoid the risk by stopping the business activity entirely
Answer: B

Acceptance is appropriate when leadership decides the current risk level is tolerable and the cost or disruption of fixing it is not justified right away.

Why this answer

The scenario describes a low-likelihood, high-cost software risk that leadership chooses to tolerate rather than fix immediately. This is the definition of risk acceptance, which requires documented approval and periodic review to ensure the risk remains acceptable over time. The correct risk treatment is to formally accept the exposure with a record of the decision and a schedule for reassessment.

Exam trap

The trap here is that candidates often confuse risk acceptance with risk mitigation, thinking that documenting a risk means a control is applied, but acceptance explicitly means no control is implemented and the exposure is tolerated with formal sign-off.

How to eliminate wrong answers

Option A is wrong because mitigation would require applying a technical control immediately, which contradicts the scenario's premise that the fix is too expensive and the business can live with the exposure. Option C is wrong because transferring the risk would involve shifting the financial impact to an insurer or third party via a contract or insurance policy, not simply documenting and reviewing the risk internally. Option D is wrong because avoidance means stopping the business activity entirely, which is not what leadership wants; they want to continue the activity while accepting the residual risk.

157
MCQ · easy

Based on the exhibit, which governance artifact is the security team reviewing?

A. Policy, because it describes the organization's overall intent and direction.
B. Standard, because it sets mandatory technical requirements for systems.
C. Baseline, because it defines the approved minimum configuration for a system type.
D. Procedure, because it gives step-by-step instructions for completing a task.
Answer: C

A baseline is the correct term when a document defines the minimum approved configuration for a class of systems. The exhibit shows a named configuration for all production Linux servers, includes specific required settings, and is approved for consistent use. That matches the purpose of a baseline much better than a policy, guideline, or procedure.

Why this answer

The exhibit shows a list of approved operating systems, software versions, and patches for a specific system type (e.g., Windows 10 22H2 with specific security updates). This is a baseline, which defines the minimum acceptable configuration for a system type. Option C is correct because a baseline establishes a known good state that systems must meet, not just intent (policy), mandatory technical requirements (standard), or step-by-step instructions (procedure).

Exam trap

The trap here is that candidates confuse a baseline with a standard, but a standard is broader (e.g., 'use HTTPS') while a baseline is specific (e.g., 'TLS 1.2 with these cipher suites'), so the detailed version list in the exhibit points to a baseline, not a standard.

How to eliminate wrong answers

Option A is wrong because a policy describes high-level intent and direction (e.g., 'All systems must be secured'), not the specific approved configuration list shown. Option B is wrong because a standard sets mandatory technical requirements (e.g., 'All systems must use AES-256 encryption'), but the exhibit lists exact versions and patches, which is a baseline, not a broad requirement. Option D is wrong because a procedure provides step-by-step instructions (e.g., 'How to apply the baseline'), whereas the exhibit itself is the configuration list, not the steps to implement it.

158
MCQ · easy

A supplier tells your company it wants to use a new subcontractor to process customer data. What is the BEST contract control to reduce this risk?

A. Require the vendor to notify the company before adding subcontractors
B. Allow subcontractors without review if the vendor remains responsible
C. Only require a verbal promise that the subcontractor is secure
D. Remove all contract language related to third parties
Answer: A

Notification requirements help the company know when the supplier changes its processing model, especially when customer data may move to a new organization. This gives security, legal, and privacy teams a chance to review the new arrangement, confirm acceptable terms, and decide whether additional controls or approval are needed before the change takes effect.

Why this answer

Requiring the vendor to notify the company before adding subcontractors is the best contract control because it ensures the company retains visibility and approval authority over any third party that will process customer data. This aligns with the principle of due diligence and third-party risk management, as the company can assess the subcontractor's security posture before data is shared. Without such a clause, the vendor could unilaterally introduce a subcontractor with inadequate security controls, increasing the risk of a data breach or compliance violation.

Exam trap

The trap here is that candidates may assume 'vendor remains responsible' (Option B) is sufficient, but the exam tests the understanding that contractual responsibility does not eliminate the need for proactive risk assessment and notification controls to prevent unauthorized data exposure.

How to eliminate wrong answers

Option B is wrong because allowing subcontractors without review, even if the vendor remains responsible, removes the company's ability to vet the subcontractor's security practices, which could lead to a breach that the vendor may not be able to remediate effectively. Option C is wrong because a verbal promise is not enforceable and provides no documented evidence of security compliance, making it impossible to audit or hold the vendor accountable. Option D is wrong because removing all contract language related to third parties eliminates any contractual safeguards, leaving the company with no legal recourse or control over how customer data is handled by the vendor or its subcontractors.

159
Multi-Select · hard

An architect reviews a design where an internet-facing reverse proxy in a DMZ forwards HTTPS to a web application tier, and the web tier queries a database on a protected internal subnet. The current firewall plan allows the DMZ subnet to reach the database subnet on any TCP port, and the admins want to manage the proxy without exposing it to the user VLAN. Which two changes best improve the design? Select two.

Select 2 answers
A. Collapse the DMZ and internal database into the same VLAN so firewall rules are simpler.
B. Place the public reverse proxy in a DMZ separated from the internal network by a firewall.
C. Allow the database subnet to accept inbound connections from the internet for easier scaling.
D. Restrict DMZ-to-database access to only the required application port and source host.
E. Disable stateful inspection on the firewall so return traffic is automatically trusted.
Answers: B, D

This isolates the exposed service from internal resources and keeps internet-facing traffic in a controlled zone. A DMZ is appropriate for systems that must accept inbound requests from untrusted networks. It reduces the blast radius if the proxy is compromised and allows the organization to apply stricter internal controls behind the perimeter firewall.

Why this answer

Option B is correct because placing the public reverse proxy in a DMZ separated from the internal network by a firewall enforces a layered security model. The DMZ acts as a buffer zone, ensuring that even if the proxy is compromised, the attacker cannot directly access the internal web or database tiers without traversing another firewall. This aligns with defense-in-depth principles for internet-facing services.

Exam trap

The trap here is that candidates may think collapsing VLANs simplifies management (Option A) or that disabling stateful inspection improves performance (Option E), but both weaken security; the exam tests understanding that segmentation and least-privilege access are critical for protecting internal assets.

160
MCQ · hard

Based on the exhibit, which security principle is the proposed access model most aligned with?

A. Least privilege, because users are being limited to only the finance application they need.
B. Zero trust, because access is continuously evaluated instead of trusted just because the device is on the VPN.
C. Defense in depth, because the company is adding multiple security layers around the finance app.
D. Need-to-know, because users should only see the finance data required for their jobs.
Answer: B

Zero trust is the best answer because the proposal removes implicit trust based on VPN membership or internal network location. Instead, access is evaluated repeatedly using device posture, MFA, and transaction context. That means the environment assumes every request may be risky until verified, which is the core idea behind zero trust architecture and conditional access.

Why this answer

The proposed access model aligns with Zero Trust because it continuously evaluates access based on real-time conditions (e.g., device posture, user identity) rather than implicitly trusting the VPN connection. In Zero Trust, network location alone is insufficient for granting access; every request is authenticated and authorized regardless of the source. This contrasts with traditional perimeter-based models where VPN access implies trust.

Exam trap

The trap here is that candidates confuse Zero Trust with least privilege or need-to-know, but Zero Trust specifically addresses the assumption of implicit trust based on network location (e.g., VPN), which is the key differentiator in this scenario.

How to eliminate wrong answers

Option A is wrong because least privilege restricts users to only the permissions necessary for their role, but the exhibit focuses on continuous evaluation of access rather than limiting permissions to a specific application. Option C is wrong because defense in depth involves multiple overlapping security layers (e.g., firewall, IDS, encryption), whereas the exhibit describes a single access control mechanism that evaluates trust continuously. Option D is wrong because need-to-know restricts data access based on job requirements, but the exhibit emphasizes dynamic access decisions based on device and user context, not static data classification.

161
MCQ · medium

A procurement team is evaluating a payroll SaaS vendor. They want independent evidence that the vendor's controls were designed and operating effectively over the last six months, not just at a single point in time. Which report should they request?

A. SOC 1 Type I report
B. SOC 2 Type II report
C. Non-disclosure agreement
D. Network penetration test letter
Answer: B

A Type II report covers a period of time and evaluates whether controls operated effectively during that period.

Why this answer

A SOC 2 Type II report provides independent assurance that a vendor's controls related to security, availability, processing integrity, confidentiality, or privacy were designed and operating effectively over a period of time (typically 6–12 months). This matches the procurement team's requirement for evidence of sustained control effectiveness, not just a point-in-time snapshot.

Exam trap

The trap here is that candidates often confuse Type I (point-in-time design) with Type II (operating effectiveness over time), or mistakenly think a SOC 1 report covers security controls when it is actually focused on financial reporting controls.

How to eliminate wrong answers

Option A is wrong because a SOC 1 Type I report evaluates the design of controls at a single point in time, not their operating effectiveness over a period, and it focuses on controls relevant to financial reporting rather than the broader security and privacy controls needed for a payroll SaaS vendor. Option C is wrong because a non-disclosure agreement is a legal contract to protect confidential information, not an audit report that provides evidence of control design and operating effectiveness.

162
MCQ · medium

A small company is deploying a public web application with a front-end server, an API server, and a database. The web server must be reachable from the internet, the API must be reachable only from the web server, and the database must never be accessible from user subnets. Which design best meets the requirement?

A. Place all three servers on the same internal VLAN and use host firewalls only.
B. Place the web server in a DMZ, the API server in an internal subnet, and the database in a separate restricted subnet.
C. Place the database in the DMZ so the web server can connect to it with fewer firewall rules.
D. Use a single NAT gateway for all servers and rely on public IP filtering at the edge.
Answer: B

This creates clear trust boundaries and limits exposure. Only the web server is internet-facing, the API stays internal, and the database can be isolated behind strict filtering rules.

Why this answer

Option B is correct because it implements a layered security architecture: the web server resides in a DMZ (demilitarized zone) to be publicly accessible, the API server is placed in an internal subnet with firewall rules allowing only traffic from the web server, and the database is isolated in a restricted subnet with no access from user subnets. This design enforces the principle of least privilege and prevents direct internet exposure of the API and database, which is critical for protecting sensitive data.

Exam trap

The trap here is that candidates often think placing the database in the DMZ simplifies connectivity, but they overlook that the DMZ is inherently less secure and directly violates the requirement that the database must never be accessible from user subnets.

How to eliminate wrong answers

Option A is wrong because placing all three servers on the same internal VLAN with only host firewalls fails to isolate the database from the web server and API, and does not prevent direct internet access to the API or database if the web server is compromised. Option C is wrong because placing the database in the DMZ exposes it to the internet and increases the attack surface, violating the requirement that the database must never be accessible from user subnets. Option D is wrong because relying on a single NAT gateway and public IP filtering at the edge does not provide subnet-level segmentation; all servers would share the same public IP, making it impossible to restrict API access to only the web server and database access to internal subnets.

163
MCQ · medium

A SOC analyst is investigating an alert triggered when a user clicked a link in an email. The email appeared to be from a trusted vendor and included a PDF attachment with a macro, but the user did not run the macro. Upon reviewing the email headers, the analyst notices that the sender's domain is a common misspelling of the vendor's legitimate domain. Which of the following is the most direct indicator that this email is a phishing attempt?

A. The macro embedded in the PDF attachment
B. The misspelled sender domain in the email headers
C. The alert generated by the user clicking the link
D. The email appeared to be from a known vendor
Answer: B

This is the strongest indicator because it directly shows the email's origin is fraudulent. Attackers register domains that are visually similar to legitimate ones to trick users. The domain mismatch confirms the email is not from the vendor.

Why this answer

The misspelled sender domain in the email headers is the most direct indicator of a phishing attempt because it reveals the attacker's use of domain spoofing or a lookalike domain to impersonate a trusted vendor. This is a classic social engineering technique that bypasses the user's visual inspection, and since the user did not run the macro, the macro itself is not an active threat. The email headers provide forensic evidence of the domain mismatch, which is a definitive sign of phishing regardless of user actions.

Exam trap

CompTIA often tests the distinction between a potential threat (like an unexecuted macro) and an actual indicator of an attack (like a spoofed domain in headers), trapping candidates who focus on the payload rather than the evidence of impersonation.

How to eliminate wrong answers

Option A is wrong because the macro was not executed by the user, so it posed no active risk and is not a direct indicator of phishing—it is merely a potential payload that could have been triggered. Option C is wrong because the alert was generated by the user clicking the link, which is a reactive event; the alert itself does not indicate phishing—it only indicates that an action occurred, and the link could be benign or malicious. Option D is wrong because the email only appeared to be from a known vendor; appearance alone is not an indicator of phishing—attackers often forge the display name or use social engineering to make emails look legitimate, but the true indicator is the domain mismatch in the headers.

164
Multi-Select · hard

A team is deploying a containerized API to a public cloud. The service must be reachable only by internal corporate applications, and secrets must not be embedded in images or readable as plaintext by administrators of the underlying host. Which two actions best fit the design? Select two.

Select 2 answers
A. Place the API in a private subnet and expose it only through an internal load balancer or private endpoint.
B. Give each container a public IP and restrict access by source IP allowlist.
C. Store secrets in a managed vault and retrieve them at runtime with short-lived IAM permissions.
D. Bake database passwords into the container image so deployment is simpler.
E. Assume the cloud provider's tenant isolation alone is enough to protect secrets from misuse.
Answers: A, C

Private subnets and internal endpoints keep the service off the public internet while still allowing controlled access from trusted corporate systems. This reduces exposure, simplifies firewall policy, and supports the requirement that only internal applications can reach the API. It is a common secure cloud architecture pattern for internal services.

Why this answer

Option A is correct because placing the API in a private subnet and exposing it only through an internal load balancer or private endpoint ensures that the service is reachable only by internal corporate applications, as traffic never traverses the public internet. This design leverages network segmentation and private IP addressing to enforce access control at the network layer, aligning with the requirement for internal-only reachability.

Exam trap

The trap here is that candidates often confuse network-level access control (public IP with allowlist) with true private connectivity, or they underestimate the risk of host administrators reading secrets from container images or environment variables, assuming that tenant isolation or encryption at rest alone is sufficient.

165
MCQ · easy

A workstation is suspected of malware infection, and it is still powered on and connected to the network. Which action best preserves volatile evidence before the system is shut down?

A. Immediately power off the workstation to stop any malicious activity.
B. Capture memory and note running processes before taking further action.
C. Run a full antivirus scan before documenting anything.
D. Delete temporary files to reduce the chance of reinfection.
Answer: B

Volatile data such as memory, active network connections, and running processes can disappear if the system is powered down. Capturing that information first preserves evidence that may show malware behavior, injected code, or command-and-control activity. This is a core incident-response practice when the system is still live.

Why this answer

Option B is correct because volatile evidence, such as the contents of RAM (running processes, network connections, open files), is lost when the system is powered off. Capturing a memory dump and recording running processes preserves this critical data for forensic analysis, allowing investigators to identify malware artifacts (e.g., injected code, hidden processes) that exist only in memory. This aligns with the NIST SP 800-86 forensic procedure of prioritizing volatile data collection before system shutdown.

Exam trap

CompTIA often tests the misconception that immediate shutdown stops malware activity, but the trap here is that volatile evidence is lost on power-off, and the correct forensic priority is to capture memory and process data first.

How to eliminate wrong answers

Option A is wrong because immediately powering off the workstation destroys volatile evidence (RAM contents, network state, running processes) and may cause malware to lose its in-memory footprint, hindering forensic analysis. Option C is wrong because running a full antivirus scan modifies the system state (e.g., quarantining files, altering file timestamps) and can overwrite or destroy volatile evidence before it is captured. Option D is wrong because deleting temporary files actively destroys potential evidence (e.g., malware droppers, logs) and does not preserve volatile data like memory or process lists.

166
MCQhard

Based on the exhibit, which system should be restored first after a total site outage?

A.Payroll, because it has the shortest maximum tolerable downtime and the strongest compliance impact.
B.Customer portal, because it produces the largest daily revenue loss and has the shortest RPO.
C.Email, because restoring communication always takes precedence over all other services.
D.Dev test lab, because lower business impact means it is easiest to restore first.
AnswerA

Payroll must be restored first because its maximum tolerable downtime is only eight hours, which is tighter than every other system listed. The exhibit also notes regulatory penalties if a payroll cycle is missed, making this system both time-sensitive and business-critical. In a recovery sequence, the system with the most restrictive business requirement generally receives priority.

Why this answer

Payroll should be restored first because it has the shortest maximum tolerable downtime (MTD) and the strongest compliance impact. In disaster recovery, systems with the lowest MTD must be prioritized to avoid exceeding the recovery time objective (RTO), and compliance-driven systems like payroll often carry legal or regulatory penalties for extended outages.

Exam trap

The trap here is that candidates often prioritize systems based solely on revenue loss or a general assumption (like communication first), ignoring the critical role of MTD and compliance impact in determining restoration order.

How to eliminate wrong answers

Option B is wrong because while the customer portal produces the largest daily revenue loss, its RPO (recovery point objective) is not the primary factor for restoration order—MTD and business impact criticality are. Option C is wrong because restoring communication (email) does not always take precedence; prioritization is based on MTD, compliance, and revenue impact, not a blanket rule. Option D is wrong because the dev test lab has lower business impact, meaning it should be restored last, not first, as it is not critical to core operations.

167
MCQmedium

Leadership wants to compare two controls for protecting a customer portal. Option A costs $40,000 and reduces annual loss expectancy from $120,000 to $30,000. Option B costs $15,000 and reduces annual loss expectancy to $70,000. Which analysis method best supports this decision?

A.Qualitative risk analysis
B.Quantitative risk analysis
C.Business impact analysis
D.Risk acceptance
AnswerB

Quantitative analysis uses numeric estimates such as annual loss expectancy and control cost to compare options financially.

Why this answer

Quantitative risk analysis uses monetary values and numerical data to calculate risk, making it the best method to compare the cost-benefit of Option A (ALE reduction from $120,000 to $30,000 with a $40,000 cost) versus Option B (ALE reduction to $70,000 with a $15,000 cost). By computing the annualized loss expectancy (ALE) and comparing the cost of each control against the reduction in expected loss, leadership can determine which option provides a better return on investment. This approach directly supports the decision because it provides objective, dollar-based metrics for comparison.

Exam trap

The trap here is that candidates may choose qualitative risk analysis because it is simpler and more common, but the presence of specific monetary values in the question explicitly requires quantitative analysis to make a data-driven comparison.

How to eliminate wrong answers

Option A is wrong because qualitative risk analysis uses subjective ratings (e.g., high, medium, low) rather than monetary values, so it cannot precisely compare the cost-effectiveness of two controls with specific dollar amounts. Option C is wrong because business impact analysis (BIA) focuses on identifying critical business functions and their recovery priorities, not on comparing the cost-benefit of different security controls. Option D is wrong because risk acceptance is a risk response strategy in which the organization acknowledges the risk and chooses not to implement a control, which does not involve comparing multiple control options.
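The comparison the question asks for, carried through as a worked example (added here; it is not part of the question bank). The dollar figures are the ones in the question; the `Control` dataclass and the `net_benefit` and `rank_controls` helpers are my own names. It generalises the two-option case to any list of controls, ranking them by annual net benefit, which is the cost-benefit figure a quantitative analysis produces:

```python
"""Quantitative control comparison using annual loss expectancy (ALE).

Added example, not part of the original question bank. The two controls and
their figures are the ones given in the question; the helper names are mine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # annualized cost of owning and running the control
    ale_after: float        # ALE once the control is in place


def ale(sle: float, aro: float) -> float:
    """ALE = single loss expectancy x annualized rate of occurrence."""
    return sle * aro


def net_benefit(control: Control, ale_before: float) -> float:
    """Cost-benefit of a control: loss avoided per year minus what it costs.

    A positive value means the control pays for itself within a year;
    a negative value means it costs more than the risk it removes."""
    return (ale_before - control.ale_after) - control.annual_cost


def rank_controls(ale_before: float, controls: list[Control]) -> list[tuple[str, float]]:
    """Return (name, net_benefit) pairs, best option first."""
    scored = [(c.name, net_benefit(c, ale_before)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Figures from the question: ALE is $120,000 with no new control.
ALE_BEFORE = 120_000.0
OPTION_A = Control("Option A", annual_cost=40_000.0, ale_after=30_000.0)
OPTION_B = Control("Option B", annual_cost=15_000.0, ale_after=70_000.0)

if __name__ == "__main__":
    for name, benefit in rank_controls(ALE_BEFORE, [OPTION_A, OPTION_B]):
        print(f"{name}: net benefit ${benefit:,.0f} per year")
```

Run as written, Option A comes out ahead with a net benefit of $50,000 per year ($90,000 of avoided loss less $40,000 of cost) against $35,000 for Option B, even though Option B is the cheaper control. That is the point of doing the analysis with numbers rather than with high/medium/low ratings.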

168
Multi-Selectmedium

Users on one VLAN report that their traffic to the default gateway is intermittently slow and sometimes reaches the wrong device. A packet capture shows unsolicited ARP replies claiming to be the gateway. Which two actions are the best mitigations on managed switches? Select two.

Select 2 answers
A.enable DHCP snooping so trusted IP-to-MAC bindings can be validated
B.enable dynamic ARP inspection to block forged ARP replies
C.change the default gateway IP address on the subnet
D.disable spanning tree protocol to reduce switching delays
E.replace private addressing with NAT on every endpoint
AnswersA, B

DHCP snooping builds a trusted binding table that helps security controls distinguish valid host mappings from forged ones. On many managed switches, that table is used to support protections against spoofed layer 2 traffic. It is a standard companion control for preventing local network poisoning attacks.

Why this answer

Option A is correct because DHCP snooping creates a trusted database of IP-to-MAC bindings by monitoring DHCP messages. This database is then used by Dynamic ARP Inspection (DAI) to validate ARP packets, ensuring that only legitimate gateway addresses are accepted. Without DHCP snooping, DAI has no reliable source of truth to compare against, making it ineffective against ARP spoofing attacks.

Exam trap

CompTIA often tests the dependency between DHCP snooping and Dynamic ARP Inspection, so candidates may incorrectly select DAI alone without realizing that DHCP snooping must be enabled first to populate the binding table.

169
MCQmedium

An attacker calls the service desk claiming to be a traveling contractor whose phone was stolen. They know the contractor's manager name and ask for an MFA reset to a new number 'just for today.' Which control would best reduce the success of this attack?

A.Trust any caller who can provide a manager's name and employee ID.
B.Require a callback to a previously verified number and ticket approval before reset.
C.Remove MFA so users are less likely to get locked out while traveling.
D.Use caller ID alone to confirm the person is legitimate.
AnswerB

A callback to a known-good number, combined with ticket validation and approval workflow, forces the request to be verified through independent channels. This defeats the attacker’s ability to rely on stolen or guessed details during the call. It is a practical anti-pretexting control because it reduces trust in information provided by the caller alone.

Why this answer

Option B is correct because it introduces two verification factors that directly counter the social engineering vector: a callback to a previously verified number ensures the requestor is reachable at a known trusted contact point, and ticket approval creates an audit trail and requires secondary authorization. This combination prevents an attacker from simply claiming an identity and requesting a change without independent confirmation, which is the core weakness the attacker exploits.

Exam trap

The trap here is that candidates may think providing a manager's name and employee ID is sufficient proof of identity, but the exam tests that these are easily obtained via reconnaissance and do not constitute multi-factor authentication or out-of-band verification.

How to eliminate wrong answers

Option A is wrong because trusting any caller who provides a manager's name and employee ID is exactly the social engineering trap—the attacker has already demonstrated they possess that information (likely from OSINT or a prior breach), so it provides no real authentication. Option C is wrong because removing MFA entirely weakens security posture and increases the risk of account compromise; the problem is not MFA itself but the process for resetting it, and removing MFA would make all accounts more vulnerable. Option D is wrong because caller ID can be spoofed (e.g., via VoIP or trunk manipulation) and is not a reliable authentication factor; it provides no cryptographic or out-of-band verification.

170
MCQeasy

After installing a free utility from an unofficial website, a user's laptop starts quietly sending browsing data to an unknown server. What type of malware is most likely present?

A.Spyware
B.Ransomware
C.Worm
D.Rootkit
AnswerA

Spyware secretly monitors user activity and sends collected information to a remote attacker. Quietly harvesting browsing data fits this behavior very well.

Why this answer

Spyware is designed to covertly collect user data, such as browsing habits, and transmit it to a remote server without consent. The scenario describes a free utility from an unofficial website that quietly exfiltrates browsing data, which is the classic behavior of spyware. Unlike other malware types, spyware focuses on surveillance and data theft rather than system damage or self-replication.

Exam trap

The trap here is that candidates may confuse spyware with a rootkit because both can operate stealthily, but the key differentiator is the primary objective: spyware focuses on data theft, while a rootkit focuses on hiding other malware or maintaining persistent access.

How to eliminate wrong answers

Option B is wrong because ransomware encrypts files or locks the system to demand a ransom, not to quietly exfiltrate browsing data. Option C is wrong because a worm self-replicates across networks without user interaction, whereas this infection required manual installation of a utility. Option D is wrong because a rootkit hides its presence by subverting OS-level functions (e.g., hooking system calls), but the described symptom—data exfiltration—is not the defining trait; spyware is the more direct classification for data theft.

171
Multi-Selectmedium

After isolating an infected endpoint and collecting volatile memory, the team identifies a malicious browser extension and a scheduled task used for persistence. Which two actions belong in the eradication phase before returning the system to service? Select two.

Select 2 answers
A.Remove the malicious extension and delete the persistence mechanism.
B.Reimage the host from a trusted gold image after evidence collection.
C.Restore user files from the most recent backup and reconnect the host immediately.
D.Announce the incident to users without changing the host configuration.
E.Leave the browser extension in place and only change the user password.
AnswersA, B

Options A and B are correct because eradication requires eliminating the malware components that let the attacker survive reboots or user logoff. Removing the extension and the scheduled task directly breaks persistence.

Why this answer

Option A is correct because removing the malicious browser extension and deleting the scheduled task directly eliminates the identified persistence mechanism and the active threat vector. In the eradication phase, the goal is to remove all traces of the malware from the system, which includes disabling or deleting scheduled tasks and uninstalling malicious extensions. This ensures the attacker cannot regain access through these specific footholds before the system is returned to service.

Exam trap

CompTIA often tests the distinction between eradication and recovery, where candidates mistakenly choose backup restoration (Option C) as an eradication step, but eradication must occur before any recovery actions such as restoring data and reconnecting the host.

172
MCQmedium

After three months of phishing awareness training, the security team wants a metric that best shows whether employees are becoming harder to trick. Which metric is MOST useful?

A.The total number of phishing simulation emails sent to employees.
B.The percentage of users who report suspicious messages before clicking links.
C.The number of new usernames created in the email system.
D.The average screen resolution used by employees during the campaign.
AnswerB

Reporting rate is a strong indicator of awareness and response behavior because it measures whether employees recognize and escalate suspicious emails instead of interacting with them. A higher reporting rate generally shows improved vigilance and faster detection, which is more valuable than simply counting how many simulated messages were delivered.

Why this answer

Option B is correct because the percentage of users who report suspicious messages before clicking links directly measures the effectiveness of phishing awareness training in changing user behavior. A higher reporting rate indicates that employees are recognizing phishing indicators and using the reporting mechanism (e.g., an integrated phishing report button or email forwarding to a security mailbox) instead of falling for the trick. This metric focuses on the desired outcome—reducing successful phishing—rather than activity volume.

Exam trap

CompTIA often tests the distinction between activity metrics (e.g., number of emails sent) and outcome metrics (e.g., reporting rate), and the trap here is assuming that more training or more simulations automatically means better security, when the real measure is behavioral change.

How to eliminate wrong answers

Option A is wrong because the total number of phishing simulation emails sent is a measure of campaign scale, not employee susceptibility; sending more simulations does not indicate whether users are harder to trick. Option C is wrong because the number of new usernames created in the email system is unrelated to phishing awareness; it reflects account provisioning or turnover, not security behavior. Option D is wrong because average screen resolution has no bearing on phishing detection; it is a display setting with no connection to email security or user vigilance.

173
MCQmedium

An external auditor asks for proof that firewall rule changes were reviewed and approved before being implemented during the last quarter. Which evidence is MOST appropriate to provide?

A.A screenshot of the firewall management homepage showing that the system is online.
B.Change tickets showing requester, reviewer approval, implementation date, and rollback plan.
C.An email from the network team stating they remember reviewing the changes.
D.A list of the firewall vendor's product features from the company website.
AnswerB

Change tickets are strong audit evidence because they show who requested the change, who approved it, when it was implemented, and how the organization planned to reverse it if needed. That level of documentation demonstrates governance, traceability, and control over configuration changes, which is exactly what an auditor is trying to verify.

Why this answer

Change tickets provide a formal, auditable record of the entire change management process, including requester identification, reviewer approval, implementation date, and rollback plan. This directly satisfies the auditor's requirement for proof that firewall rule changes were reviewed and approved before implementation, aligning with the principle of separation of duties and change control.

Exam trap

The trap here is that candidates may choose Option C, mistakenly believing that a verbal or informal email confirmation is sufficient evidence, when auditors require documented, formal approval records with a clear audit trail.

How to eliminate wrong answers

Option A is wrong because a screenshot of the firewall management homepage showing the system is online only proves the firewall is operational, not that specific rule changes were reviewed and approved. Option C is wrong because an email from the network team stating they remember reviewing the changes is anecdotal and lacks the formal, timestamped, and auditable evidence required for compliance. Option D is wrong because a list of the firewall vendor's product features from the company website is irrelevant to the change management process and provides no evidence of review or approval.

174
MCQmedium

A company wants employees to use one corporate login for multiple SaaS applications, require MFA when users sign in from unmanaged devices, and centralize account lifecycle management. Which design best meets these requirements?

A.Create separate local usernames and passwords in each SaaS application.
B.Use shared accounts for each department and keep one password vault for the team.
C.Implement federated single sign-on through a central identity provider with MFA and conditional access policies.
D.Require all users to connect through a VPN before any SaaS login and remove identity federation.
AnswerC

Federated SSO lets the identity provider authenticate users once and pass trusted assertions to multiple SaaS apps. MFA can be enforced centrally, and conditional access can require additional controls based on device trust or location. This also simplifies account creation, removal, and policy management.

Why this answer

Option C is correct because federated single sign-on (SSO) through a central identity provider (IdP) like Azure AD or Okta allows employees to use one corporate login across multiple SaaS applications via protocols such as SAML 2.0 or OIDC. The IdP enforces MFA for unmanaged devices through conditional access policies (e.g., device compliance checks) and centralizes account lifecycle management by provisioning/deprovisioning users from a single directory (e.g., LDAP or SCIM).

Exam trap

The trap here is that candidates may confuse 'shared accounts' (Option B) with SSO, not realizing that shared accounts lack individual accountability and cannot enforce per-user MFA or conditional access policies.

How to eliminate wrong answers

Option A is wrong because creating separate local usernames and passwords in each SaaS application violates the requirement for a single corporate login, does not enforce MFA based on device trust, and fragments account lifecycle management across silos. Option B is wrong because shared accounts for each department break non-repudiation and audit trails, password vaults do not provide SSO or conditional access, and they fail to centralize lifecycle management per user.

175
MCQeasy

A project team needs to use a temporary file-sharing service for two weeks because the approved platform is under maintenance. The security manager wants the exception to be reviewed, time-limited, and documented with the business reason. Which governance document should be created?

A.A guideline, because it provides optional best practices for users to follow.
B.An exception request, because it records a deviation from the normal security requirement.
C.A standard, because it defines the mandatory company-wide rule for file sharing.
D.A procedure, because it gives step-by-step instructions for employees to follow.
AnswerB

An exception request documents a specific deviation from policy or standard, including the business justification, approval path, and expiration date. That is exactly what is needed when a team must temporarily use an alternative service. It keeps the deviation visible, reviewed, and accountable instead of silently bypassing security controls.

Why this answer

Option B is correct because an exception request is the formal governance document used to record, review, and time-limit a deviation from the organization's security baseline. In this scenario, the temporary use of an unapproved file-sharing service for two weeks requires documented authorization, including the business reason, to ensure the risk is accepted and tracked until the approved platform returns.

Exam trap

The trap here is that candidates confuse an exception request with a standard or procedure, thinking any documented change to security controls requires a new policy document, rather than recognizing that an exception is a temporary, authorized waiver of an existing rule.

How to eliminate wrong answers

Option A is wrong because a guideline offers optional best practices, not a mechanism to formally authorize a temporary deviation from a mandatory security requirement. Option C is wrong because a standard defines a mandatory company-wide rule; creating a new standard would permanently change the policy rather than document a time-limited exception. Option D is wrong because a procedure provides step-by-step instructions for routine tasks, not a record of a specific, temporary deviation from approved tools.

176
MCQhard

An analyst on the HR application team needs access to a production database replica only long enough to verify a column-mapping issue. The analyst should not be able to browse salary fields, export tables, or keep access after the task ends. Which principle best matches the desired access model?

A.Least privilege
B.Need-to-know
C.Separation of duties
D.Defense in depth
AnswerB

The analyst only needs a narrow slice of information for a specific task and should not be able to see unrelated sensitive fields. That is need-to-know. It focuses on limiting data visibility to what is required for the assignment. Least privilege is related, but the clue about salary fields and specific data exposure makes need-to-know the best answer.

Why this answer

The need-to-know principle restricts access to only the information required to perform a specific task. In this scenario, the analyst needs access to verify a column-mapping issue but must not see salary fields, export tables, or retain access afterward. Need-to-know ensures access is limited to the exact data and duration necessary, which aligns with granting temporary, scoped access to a production database replica without broader data exposure.

Exam trap

The trap here is confusing least privilege with need-to-know: least privilege limits permissions (e.g., read-only vs. write), while need-to-know limits the specific data content (e.g., excluding salary fields) and duration, which is the precise requirement in this question.

How to eliminate wrong answers

Option A is wrong because least privilege limits access rights to the minimum necessary to perform a job function, but it does not inherently restrict access to specific data fields (like salary) or enforce time-bound access; it focuses on permissions, not data scope. Option C is wrong because separation of duties divides critical tasks among multiple individuals to prevent fraud or error, but this scenario involves a single analyst needing temporary access, not splitting responsibilities. Option D is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, encryption, IDS), not a model for granular, task-specific data access.

177
MCQeasy

A security team wants to know whether a workstation has drifted away from the approved hardened configuration after several months of changes. What should they use to compare the current state against the approved setup?

A.A file compression tool
B.A configuration baseline
C.A password vault
D.A network cable tester
AnswerB

A baseline defines the approved secure configuration and serves as the reference for drift checks.

Why this answer

A configuration baseline is the approved hardened state of a system, typically captured as a snapshot of settings, registry keys, file permissions, and installed software. By comparing the current workstation state against this baseline using tools like Microsoft Security Compliance Toolkit or CIS-CAT, the team can detect drift—unauthorized changes that deviate from the secure configuration. This is the standard method for maintaining compliance and security posture over time.

Exam trap

The trap here is that candidates confuse a configuration baseline with a backup or recovery tool, thinking a file compression tool could somehow 'compare' states, when in fact baselines are specifically designed for compliance drift analysis.

How to eliminate wrong answers

Option A is wrong because a file compression tool (e.g., WinRAR, gzip) only reduces file size for storage or transfer; it cannot compare system configurations or detect drift from a security baseline. Option C is wrong because a password vault (e.g., KeePass, LastPass) securely stores credentials but has no capability to assess system hardening or compare configuration states.
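A drift check of the kind the question describes, written as an added example rather than taken from the page or from any of the tools it names. The baseline and the "current" export are constructed `key = value` samples (hypothetical setting names); real baseline tooling exports far richer data, but the comparison logic is the same:

```python
"""Configuration-drift check against an approved baseline.

Added example, not code from the original page. The baseline and the
current-state export below are constructed key=value samples.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Drift:
    setting: str
    expected: Optional[str]   # None when the setting is not in the baseline
    actual: Optional[str]     # None when the setting is missing on the host


def parse_settings(text: str) -> dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def detect_drift(baseline: dict[str, str], current: dict[str, str]) -> list[Drift]:
    """List every deviation of the host from the baseline.

    Values are compared case-insensitively so 'Disabled' matches 'disabled'.
    A setting missing from the host counts as drift, and so does a setting
    present on the host that the baseline never mentioned (new software or
    a policy nobody approved)."""
    drift: list[Drift] = []
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual is None or actual.lower() != expected.lower():
            drift.append(Drift(key, expected, actual))
    for key in sorted(set(current) - set(baseline)):
        drift.append(Drift(key, None, current[key]))
    return drift


# Constructed approved baseline for a hypothetical hardened workstation.
BASELINE_TEXT = """
# approved hardening baseline (constructed sample)
MinimumPasswordLength = 14
SMB1Protocol = disabled
FirewallProfileDomain = on
RemoteDesktop = disabled
LocalAdminAccount = disabled
"""

# Constructed export from the same workstation several months later.
CURRENT_TEXT = """
MinimumPasswordLength = 8
SMB1Protocol = Disabled
FirewallProfileDomain = on
LocalAdminAccount = enabled
TelnetClient = installed
"""


def report(baseline_text: str = BASELINE_TEXT, current_text: str = CURRENT_TEXT) -> list[Drift]:
    """Parse both documents and return the drift list."""
    return detect_drift(parse_settings(baseline_text), parse_settings(current_text))


if __name__ == "__main__":
    for d in report():
        print(f"{d.setting}: expected={d.expected!r} actual={d.actual!r}")
```

On the constructed sample the check reports four deviations: the password length was lowered, RemoteDesktop is no longer governed at all, the local administrator account was re-enabled, and a Telnet client appeared that the baseline never approved. The SMBv1 line is not reported because only its capitalisation differs.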

178
MCQmedium

A caller claims to be from the company's SaaS provider and says a tenant migration will fail unless the help desk reads back a one-time verification code sent to an administrator's phone. The caller knows the admin's name and ticket number. What attack technique is being used?

A.Pretexting, because the attacker is inventing a believable support story to gain trust.
B.Watering hole, because the attacker is targeting a trusted web service used by employees.
C.Tailgating, because the attacker is attempting to bypass a physical security barrier.
D.Whaling, because the attacker is targeting a high-value executive account directly.
AnswerA

The attacker is using a fabricated identity and a credible business scenario to manipulate the help desk into revealing a verification code. That is classic pretexting. The known name and ticket number are used to increase legitimacy, but the key behavior is the false story intended to bypass normal trust checks.

Why this answer

The attacker is using pretexting by fabricating a plausible scenario (a tenant migration requiring a verification code) to manipulate the help desk into divulging sensitive information. This social engineering technique relies on building false trust through invented details like the admin's name and ticket number, rather than exploiting technical vulnerabilities. The goal is to obtain the one-time verification code, which could be used for unauthorized access or account takeover.

Exam trap

The trap here is that candidates may confuse pretexting with whaling because both involve impersonation, but whaling targets high-level executives directly, while pretexting uses a fabricated scenario to trick any employee into performing an action or revealing information.

How to eliminate wrong answers

Option B is wrong because a watering hole attack involves compromising a website or service that the target group frequently uses to infect them with malware, not a direct phone call requesting information. Option C is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area, not a remote social engineering attempt. Option D is wrong because whaling specifically targets high-profile executives (like CEOs) with personalized phishing, whereas this attack targets a help desk employee using a fabricated support story, not a direct executive account compromise.

179
Multi-Selectmedium

Which three of the following are commonly used to enforce separation of duties? (Choose three.)

Select 3 answers
A.Requiring two different people to authorize a financial transaction
B.Splitting the ability to create user accounts and assign privileges to different roles
C.Using a dual-control process where two keys are needed to access a safe
D.Allowing a single administrator to both approve and implement system changes
E.Giving one person full responsibility for both IT security audits and daily operations
F.Configuring a single user to manage both backup and restoration of data
AnswersA, B, C

Why this answer

Separation of duties is a security principle that prevents any single individual from having excessive control over critical processes. Requiring two different people to authorize a financial transaction ensures that no one person can both initiate and approve a payment, reducing fraud risk. Splitting the ability to create user accounts and assign privileges to different roles ensures that a single administrator cannot grant themselves unauthorized access.

Using a dual-control process where two keys are needed to access a safe physically enforces that two people must be present, preventing unilateral access to sensitive assets.

Exam trap

The trap here is that candidates may confuse separation of duties with least privilege or fail to recognize that combining authorization and implementation in one role is a direct violation, even if it seems efficient.

180
Multi-Selectmedium

A SaaS vendor hosts a customer relationship platform for multiple organizations. Your company wants to know which two responsibilities typically remain with the customer rather than the SaaS provider. Select two.

Select 2 answers
A.Assigning user roles and approving access within the tenant.
B.Protecting the organization's data classification and sharing rules.
C.Patching the provider's underlying database engine.
D.Maintaining the vendor's physical data center power and cooling.
E.Replacing the provider's hypervisors during maintenance windows.
AnswersA, B

Customer organizations usually remain responsible for deciding who gets access and what role each user receives inside the SaaS tenant. The provider supplies the platform, but the customer controls business authorization decisions. This is a core shared responsibility item because access mistakes often come from tenant configuration rather than provider infrastructure.

Why this answer

Option A is correct because in a SaaS model, the customer retains administrative control over user identities, roles, and access permissions within their own tenant. The SaaS provider manages the underlying application and infrastructure, but the customer must configure role-based access control (RBAC) to enforce least privilege and approve access requests. This aligns with the shared responsibility model where identity and access management (IAM) at the application layer falls to the customer.

Exam trap

The trap here is that candidates often confuse infrastructure maintenance tasks (like patching databases or replacing hypervisors) with customer responsibilities, but in SaaS, the provider handles all underlying infrastructure while the customer only manages tenant-specific configurations and data governance.

181
MCQmedium

A SIEM alert shows 300 failed logins against the same VPN account from one source IP over 12 minutes, followed by a successful login from that same IP and a spike in mailbox access. The user says they did not initiate the session. What is the most likely cause?

A.A brute-force attack that eventually guessed the correct password
B.A password-spraying attempt against many different accounts
C.A normal VPN reconnect after a brief network outage
D.A false positive caused by email synchronization
AnswerA

This pattern fits repeated attempts against one account from one source, followed by success and suspicious post-login activity. The mailbox spike strengthens the case for compromised credentials.

Why this answer

The sequence of 300 failed logins from a single source IP against one VPN account, followed by a successful login and abnormal mailbox access, is the classic pattern of a brute-force attack. The attacker systematically tried many passwords until they guessed the correct one, then used the compromised credentials to access the user's mailbox. The user's denial confirms the session was unauthorized, ruling out legitimate reconnection or synchronization.

Exam trap

The trap here is that candidates may confuse a brute-force attack with password spraying, but the key differentiator is the single target account versus many accounts, and the high volume of failures against that one account.

How to eliminate wrong answers

Option B is wrong because password spraying targets many different accounts with a few common passwords, not 300 attempts against a single account. Option C is wrong because a normal VPN reconnect after a brief network outage would not generate 300 failed logins; it would typically succeed on the first or second attempt after the outage resolves. Option D is wrong because email synchronization does not cause failed logins against a VPN account; it uses existing authenticated sessions and would not produce a spike in mailbox access from a new IP.
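Detection logic that applies the distinction drawn above (one account with many failures versus many accounts with a few failures each, and a success that follows a run of failures), written as an added example and not taken from the page. The log format, the thresholds and the sample log are constructed assumptions, and the source addresses are documentation ranges; a real SIEM rule would key on the same three fields (source, account, result):

```python
"""Classify failed-login bursts in VPN auth logs: brute force vs. password spraying.

Added example, not part of the original question bank. The log line format,
the thresholds and the sample log are assumptions constructed for the demo.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

BRUTE_FORCE_FAILS = 50      # many failures against ONE account from one source
SPRAY_MIN_ACCOUNTS = 20     # a few failures each against MANY accounts
SPRAY_MAX_PER_ACCOUNT = 5


@dataclass(frozen=True)
class Event:
    ts: datetime
    ok: bool
    user: str
    src: str


def parse_log(text: str) -> list[Event]:
    """Parse auth records; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, m["result"] == "OK", m["user"], m["src"]))
    return events


def classify(events: list[Event]) -> dict[str, dict]:
    """Per source IP: the attack pattern and any account that succeeded after failures."""
    fails: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    success_after_fail: dict[str, set[str]] = defaultdict(set)
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.ok:
            fails[e.src][e.user] += 1
        elif fails.get(e.src, {}).get(e.user, 0) > 0:
            # A success following failures from the same source is the
            # "credentials guessed" signal worth paging on.
            success_after_fail[e.src].add(e.user)
    verdicts: dict[str, dict] = {}
    for src, per_user in fails.items():
        most = max(per_user.values())
        if most >= BRUTE_FORCE_FAILS:
            kind = "brute_force"
        elif len(per_user) >= SPRAY_MIN_ACCOUNTS and most <= SPRAY_MAX_PER_ACCOUNT:
            kind = "password_spray"
        else:
            kind = "benign_or_unknown"
        verdicts[src] = {
            "kind": kind,
            "accounts": len(per_user),
            "max_failures_one_account": most,
            "compromised": sorted(success_after_fail.get(src, set())),
        }
    return verdicts


def build_sample_log() -> str:
    """Constructed log: 300 failures then a success against one account from
    203.0.113.7 within 12 minutes, plus 2 tries x 40 accounts from 198.51.100.9."""
    t0 = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(300):
        ts = (t0 + timedelta(seconds=i * 2.4)).strftime(fmt)
        lines.append(f"{ts} vpn auth=FAIL user=jdoe src=203.0.113.7")
    lines.append(f"{(t0 + timedelta(minutes=12)).strftime(fmt)} vpn auth=OK user=jdoe src=203.0.113.7")
    for n in range(40):
        for k in range(2):
            ts = (t0 + timedelta(minutes=n, seconds=k)).strftime(fmt)
            lines.append(f"{ts} vpn auth=FAIL user=user{n:02d} src=198.51.100.9")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, verdict in classify(parse_log(build_sample_log())).items():
        print(src, verdict)
```

On the constructed log the first source is classed as brute force with `jdoe` listed as compromised, because the success came after 300 failures against that one account; the second source is classed as a spray because it touched 40 accounts with at most two failures each and never succeeded. The thresholds are deliberately separate knobs so a tuning change for one pattern does not silently alter the other.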

182
Multi-Select · medium

After restoring a virtual file server from backup, users can log in and browse shares, but finance says the last day's edits are missing. Which two steps should the administrator take before declaring recovery complete? Select two.

Select 2 answers
A. Verify the restore point meets the required recovery point objective and the business expects the data loss window.
B. Check whether application transaction logs or application-consistent snapshots need to be replayed.
C. Rebuild the server from scratch without checking the backup timestamp.
D. Disable all backup jobs until the next maintenance window.
E. Change the DNS records so users point to a different server name.
Answers: A, B

This is important because a restore can technically succeed while still missing more data than the business can tolerate. The RPO defines how much data loss is acceptable. Confirming the restore point against that expectation helps determine whether the backup strategy met recovery requirements or whether additional recovery work is needed.

Why this answer

Option A is correct because the Recovery Point Objective (RPO) defines the maximum acceptable data loss. If the restore point is from before the last day's edits, the administrator must confirm that this data loss window is acceptable to the business. Option B is correct because application-consistent backups often require replaying transaction logs (e.g., SQL Server VSS writer logs) to bring the database to the latest committed state; skipping this step leaves the data incomplete.

Exam trap

The trap here is that candidates may assume a successful file-level restore is complete, overlooking the need to verify RPO alignment and replay application-specific transaction logs for consistency.

183
MCQ · hard

A supplier portal is browser-based and used by external partner companies. Each partner already has its own identity provider. The portal must trust assertions from those IdPs and avoid creating separate local passwords for each partner. Which integration is best?

A. Use LDAP directory synchronization for all partner users.
B. Use SAML 2.0 federation with trust relationships to the partner identity providers.
C. Use NTLM pass-through authentication to each partner account.
D. Use PAP over TLS so the portal can collect partner passwords securely.
Answer: B

SAML is well suited to browser-based federation and signed assertions from external identity providers.

Why this answer

SAML 2.0 federation is the correct choice because it enables the supplier portal to trust assertions from multiple external identity providers (IdPs) without creating local passwords. SAML uses XML-based tokens signed by the partner's IdP, allowing the portal to accept authentication claims via a trust relationship, which directly meets the requirement of avoiding separate local credentials for each partner.

Exam trap

The trap here is that candidates may confuse LDAP synchronization (which replicates accounts) with federation (which avoids storing accounts), or mistakenly think NTLM can be extended across organizational boundaries, when in fact NTLM is a legacy challenge-response protocol limited to a single Windows domain.

How to eliminate wrong answers

Option A is wrong because LDAP directory synchronization would require the supplier to replicate partner user directories into a local LDAP store, which still creates local accounts and passwords, violating the requirement to avoid separate local passwords. Option C is wrong because NTLM pass-through authentication is a Windows-specific protocol designed for on-premises Active Directory environments and cannot be used to federate with external partner identity providers over the internet.

184
MCQ · medium

A company is evaluating a new payroll SaaS provider that will store employee tax and bank details. Before signing the contract, which action BEST supports vendor due diligence?

A. Ask the vendor for a marketing brochure describing platform features and uptime claims.
B. Review a current independent security attestation and verify contractual security obligations.
C. Accept the vendor’s assurance that its customers have never experienced incidents.
D. Wait until after go-live and then review the security posture during the first annual audit.
Answer: B

Independent assurance reports, such as a recent SOC 2 Type II, help show whether the vendor’s controls were operating over time, and contract terms can require breach notification, data handling, and security responsibilities. Together, these steps give the organization evidence-based due diligence before sensitive payroll data is entrusted to the provider.

Why this answer

Option B is correct because vendor due diligence for a SaaS provider handling sensitive employee data (tax and bank details) requires verifying independent security attestations (e.g., SOC 2 Type II, ISO 27001 certification) and ensuring contractual security obligations (e.g., data encryption, breach notification, right to audit) are explicitly defined. This provides objective, audited evidence of the vendor's security posture rather than relying on marketing claims or unverified assurances.

Exam trap

The trap here is that candidates may choose Option A because marketing brochures appear to provide relevant information, but they fail to recognize that due diligence requires objective, third-party verified evidence rather than vendor-provided promotional materials.

How to eliminate wrong answers

Option A is wrong because a marketing brochure is a promotional document that may contain exaggerated uptime claims and lacks independent verification of security controls; it does not provide audited evidence of data protection practices. Option C is wrong because accepting a vendor's assurance that its customers have never experienced incidents is an unverifiable, self-serving statement that ignores the possibility of undisclosed breaches or the lack of incident detection capabilities; it does not constitute due diligence.

185
MCQ · medium

A team hosts a confidential document repository on an IaaS virtual machine. The provider secures the datacenter, hardware, and hypervisor. The organization wants to control who can decrypt the files and be able to revoke that access without changing providers. Which control is best?

A. Use the provider's default managed encryption keys for the storage service.
B. Rely on security groups and network ACLs to protect the document contents.
C. Use customer-managed encryption keys in the cloud KMS or HSM.
D. Enable automated snapshots so deleted files can be restored later.
Answer: C

Customer-managed keys give the organization direct control over encryption and key revocation, even while using the provider's infrastructure.

Why this answer

Customer-managed encryption keys (CMEK) in a cloud KMS or HSM allow the organization to retain control over key material, enabling them to decrypt files and revoke access independently of the cloud provider. This meets the requirement to control decryption and revocation without changing providers, as the provider cannot access the keys. In contrast, provider-managed keys do not offer the same level of tenant-controlled revocation.

Exam trap

The trap here is that candidates often confuse network access controls (security groups/ACLs) with encryption-based access control, failing to recognize that only cryptographic controls can enforce decryption revocation independently of the provider.

How to eliminate wrong answers

Option A is wrong because provider-managed default encryption keys give the organization no ability to independently revoke access to the encrypted files; the provider retains control over the key lifecycle. Option B is wrong because security groups and network ACLs are network-layer controls that protect access to the VM but do not encrypt the document contents or control decryption; they cannot enforce file-level decryption revocation. Option D is wrong because automated snapshots provide backup and recovery capabilities but do not control decryption or enable revocation of access to encrypted files.

186
Multi-Select · easy

A team is moving a workload to infrastructure as a service (IaaS). Which two items are usually the customer's responsibility? Select two.

Select 2 answers
A. Patch the guest operating system running on the cloud virtual machine.
B. Replace failed power supplies in the cloud provider's data center.
C. Configure the application's user permissions and access settings.
D. Maintain the cloud provider's hypervisor firmware.
E. Manage the physical firewall blades inside the provider's facility.
Answers: A, C

In IaaS, the customer typically manages the guest operating system, including security updates and configuration. Unpatched operating systems remain a common path to compromise.

Why this answer

In an IaaS model, the customer is responsible for managing the guest operating system, including applying security patches and updates. This is because the cloud provider only manages the underlying physical infrastructure and hypervisor, while the customer controls the OS and applications running on the virtual machine. Option C is correct for the same reason: the application's user permissions and access settings sit above the hypervisor, in the layer the customer deploys and administers, so the provider has no role in configuring them.

Exam trap

The trap here is that candidates often confuse IaaS with PaaS or SaaS, mistakenly thinking the provider handles all OS-level patching, but in IaaS, the customer retains full control and responsibility for the guest OS and application configuration.

187
MCQ · medium

An online retailer is redesigning its public web application so the web server can receive internet traffic, the application server can only be reached by the web tier, and the database server can only be reached by the application tier. Which placement best supports this design?

A. Place all three servers on the same private subnet and control access only with strong passwords.
B. Put the web server in a public zone, the application server in a private zone, and the database server in an isolated internal zone.
C. Put the database in the public zone so the web tier can query it directly from the internet.
D. Use a single reverse proxy for all three servers and disable network segmentation to simplify management.
Answer: B

This tiered placement supports a classic defense-in-depth design. The web server is internet-facing, the application tier is not directly exposed, and the database is placed in the most restricted zone. Network rules then allow only the necessary north-south and east-west traffic between tiers.

Why this answer

Option B is correct because it implements a classic three-tier architecture with network segmentation. The web server in a public zone (DMZ) accepts internet traffic, the application server in a private zone is isolated from direct internet access and only reachable by the web tier, and the database server in an isolated internal zone is only reachable by the application tier. This design enforces the principle of least privilege and minimizes the attack surface by using firewalls or security groups to restrict traffic between tiers.

Exam trap

The trap here is that candidates often confuse 'private subnet' with 'security' and fail to recognize that without network segmentation, a single compromised server can lead to full lateral access, or they mistakenly think placing the database in a public zone is acceptable for direct queries.

How to eliminate wrong answers

Option A is wrong because placing all three servers on the same private subnet with only strong passwords fails to provide network segmentation; if the web server is compromised, an attacker can directly access the application and database servers without any network-level barriers. Option C is wrong because placing the database in the public zone exposes it directly to the internet, violating the requirement that the database server can only be reached by the application tier and creating a severe security risk. Option D is wrong because using a single reverse proxy for all three servers and disabling network segmentation eliminates the isolation between tiers, allowing an attacker who compromises the proxy to reach all servers directly, contradicting the design requirement.

188
Multi-Select · easy

A developer finds a critical bug in a customer portal on Friday afternoon. The fix must be released quickly, but the team needs a way to reverse the change if testing reveals a problem and wants the release to follow the normal approval process. Which two practices should be used? Select two.

Select 2 answers
A. Deploy the fix directly to production without approval
B. Create a documented rollback plan
C. Skip testing to meet the deadline
D. Follow the normal change approval and testing process
E. Rename the release package to reduce risk
Answers: B, D

A rollback plan allows the team to restore the previous stable version if the hotfix causes trouble.

Why this answer

Option B is correct because a documented rollback plan ensures that if the emergency fix introduces new issues during testing, the team can quickly and safely revert to the previous stable state. This aligns with the principle of change management, which requires a recovery procedure for any emergency change to minimize downtime and risk. Option D is correct because the scenario explicitly requires the release to follow the normal approval process; an urgent fix may be expedited, but testing and approval are compressed rather than skipped, so the change remains documented, reviewed, and reversible.

Exam trap

The trap here is that candidates may assume speed is the only priority in an emergency fix, overlooking the requirement for a controlled reversal mechanism and the need to follow the normal approval process even under time pressure.

189
MCQ · medium

A help desk analyst can reset passwords in the ticketing portal but cannot view payroll records, edit user profiles, or access other HR functions. Which security principle is the organization applying?

A. Least privilege
B. Defense in depth
C. Separation of duties
D. Zero trust
Answer: A

The analyst is given only the permissions needed to perform password resets and nothing beyond that task.

Why this answer

The help desk analyst is granted only the permissions necessary to perform their job function—resetting passwords—while all other HR functions are explicitly denied. This is the core definition of least privilege: each user or system component receives the minimum set of access rights needed to complete their tasks. By restricting the analyst’s account to password reset operations only, the organization reduces the attack surface and limits potential damage from compromised credentials or insider misuse.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'separation of duties' because both involve restricting access, but separation of duties specifically requires dividing a single sensitive process among multiple people, whereas least privilege simply limits the scope of permissions for any one person or process.

How to eliminate wrong answers

Option B (Defense in depth) is wrong because that principle involves layering multiple independent security controls (e.g., firewall, IDS, encryption) to protect assets, not restricting individual user permissions. Option C (Separation of duties) is wrong because that principle requires splitting critical tasks among multiple people to prevent fraud (e.g., one person requests a purchase, another approves it), whereas this scenario is about limiting a single user’s access scope. Option D (Zero trust) is wrong because zero trust is a broader architectural model that assumes no implicit trust and continuously verifies every request regardless of origin, not simply a policy of assigning minimal permissions to a help desk role.

190
MCQ · medium

A security analyst notices that several employees have received an email with the subject line 'Urgent: Password Reset Required'. The email contains a link to a website that mimics the company's internal login portal. The email was sent from an external domain and addresses recipients by 'Dear Employee' rather than their actual names. Which type of social engineering attack is being described?

A. Spear phishing
B. Phishing
C. Vishing
D. Tailgating
Answer: B

Phishing is a broad social engineering technique that uses mass emails to trick users into divulging credentials or clicking malicious links. The generic greeting and external sender domain are consistent with a typical phishing attempt.

Why this answer

The email is sent to multiple employees, uses a generic greeting ('Dear Employee'), and originates from an external domain, which are hallmarks of a broad, untargeted phishing campaign. Spear phishing would involve personalized details (e.g., the recipient's actual name) and targeting specific individuals. Vishing is voice-based, not email. Therefore, this is a standard phishing attack.

Exam trap

The trap here is that candidates confuse 'phishing' with 'spear phishing' because both use email and fake login pages, but the key differentiator is the level of personalization—generic vs. targeted—which the 'Dear Employee' greeting explicitly reveals.

How to eliminate wrong answers

Option A is wrong because spear phishing requires the attacker to research and personalize the email with the recipient's actual name, job title, or other specific details, whereas this email uses the generic 'Dear Employee'. Option C is wrong because vishing (voice phishing) is conducted over phone calls or VoIP, not through email with a link to a fake login portal.

191
Multi-Select · hard

During a workstation review, analysts find a process injecting into explorer.exe and reading keyboard and clipboard events. They also see repeated outbound HTTPS beacons to a domain registered two days ago. The host is not renaming files or displaying a ransom note. Which two findings are most consistent with spyware? Select two.

Select 2 answers
A. A process injects into explorer.exe and monitors keyboard and clipboard activity.
B. The host sends repeated HTTPS beacons to a domain registered two days ago.
C. User files are renamed with a new extension and a ransom note appears.
D. CPU usage spikes only during a scheduled operating system update.
E. The browser certificate store was refreshed after applying a patch.
Answers: A, B

Process injection into a user shell process combined with keyboard and clipboard monitoring is highly consistent with spyware. Those behaviors are designed to silently capture sensitive information such as credentials, messages, and copied data while blending into normal desktop activity. That stealthy information-gathering focus is a hallmark of spyware.

Why this answer

Option A is correct because process injection into a trusted system process like explorer.exe, combined with monitoring keyboard and clipboard events, is a classic spyware technique. Spyware aims to covertly capture sensitive user input (keystrokes and clipboard data) for exfiltration, without causing immediate system damage or displaying a ransom note. Option B is correct because repeated HTTPS beacons to a domain registered only two days ago are consistent with covert command-and-control traffic used to report in and exfiltrate the captured data; a newly registered destination domain is a common indicator of attacker-controlled infrastructure rather than legitimate software telemetry.

Exam trap

The trap here is that candidates may confuse spyware with ransomware (option C) or mistake normal system maintenance (options D and E) for malicious activity, failing to recognize that spyware's defining characteristics are stealthy data capture and covert C2 communication without overt file encryption or ransom demands.

192
MCQ · easy

Threat intelligence shows an attacker changes the domain name every day, but the malware file hash stays the same across incidents. What should defenders prioritize for blocking?

A. The daily domain names, because they are the easiest indicator to find.
B. The malware file hash, because it remains consistent across incidents.
C. The color of the phishing email, because visual style is unique to the attacker.
D. The user's browser homepage, because attackers often change it after infection.
Answer: B

A consistent file hash is a stable indicator of the malicious sample and is easier to block or detect across multiple cases.

Why this answer

Option B is correct because the malware file hash (e.g., MD5, SHA-1, or SHA-256) is a static, deterministic value derived from the malware's binary content. Since the attacker reuses the same malware across incidents, the hash remains consistent, making it a reliable indicator of compromise (IOC) for blocking via hash-based allow/deny lists in endpoint protection or network security controls. In contrast, domain names change daily (fast flux), so blocking them is less sustainable and requires constant updates.

Exam trap

The trap here is that candidates may assume domain names are the easiest to block because they are visible in logs, but the question tests the principle of prioritizing stable, consistent indicators over ephemeral ones, and CompTIA often tests this by contrasting static hashes with dynamic domains in fast-flux scenarios.

How to eliminate wrong answers

Option A is wrong because daily domain names are volatile and require frequent updates to block lists, making them less efficient than a static hash; they are not the 'easiest' indicator to find in practice, as they often use fast-flux DNS to evade detection. Option C is wrong because the color of a phishing email is a superficial, non-unique attribute that can be easily altered by the attacker and is not a reliable technical IOC for blocking. Option D is wrong because the user's browser homepage is a post-infection artifact that varies by user and system, not a consistent attacker-controlled indicator; attackers may change it, but it is not a primary blocking target.

193
MCQ · easy

Paper onboarding forms have reached the end of their retention period, and no legal hold applies. What should happen next?

A. Store them indefinitely in case the company needs them later.
B. Destroy them using an approved secure disposal method.
C. Scan them to a personal cloud account so they are not lost.
D. Mail copies to every manager for review before disposal.
Answer: B

This is correct because once retention requirements are satisfied and no legal hold exists, the records should be securely destroyed. Secure disposal reduces the chance of unauthorized disclosure and supports compliance with the retention schedule. For paper records, approved shredding or other secure destruction methods are appropriate.

Why this answer

Once paper onboarding forms have reached the end of their retention period and no legal hold applies, the organization must destroy them using an approved secure disposal method (e.g., cross-cut shredding, pulping, or incineration) to prevent unauthorized access to personally identifiable information (PII) and comply with data protection regulations such as GDPR or HIPAA. Retaining data beyond its required lifecycle violates the data minimization principle and increases breach risk.

Exam trap

The trap here is that candidates may think indefinite storage (Option A) is safer or that scanning to a personal cloud (Option C) preserves data, but the exam tests that data must be destroyed when retention expires and no legal hold exists, not retained or migrated.

How to eliminate wrong answers

Option A is wrong because storing forms indefinitely violates data retention policies and regulations like GDPR's storage limitation principle, exposing the organization to unnecessary legal and security risks. Option C is wrong because scanning forms to a personal cloud account bypasses corporate data governance controls, creates an unauthorized copy of sensitive data, and likely violates data classification and access control policies. Option D is wrong because mailing copies to every manager before disposal unnecessarily proliferates sensitive data, increases the attack surface, and contradicts the principle of least privilege—only authorized personnel should handle disposal, not all managers.

194
Multi-Select · hard

A development team runs multiple customer workloads in a shared Kubernetes cluster. Security wants to reduce the risk that one compromised container can read another team's data or deploy an altered image. Which three actions best improve the design? Select three.

Select 3 answers
A. Require signed, scanned images from an approved registry before deployment.
B. Run each container as root so file permissions inside the container do not block apps.
C. Use namespaces and network policies to separate the workloads by trust zone.
D. Mount the host filesystem into every pod so support staff can troubleshoot more quickly.
E. Run containers with the minimum Linux capabilities and a read-only root filesystem where possible.
Answers: A, C, E

Image signing and scanning help ensure the cluster only deploys trusted builds that have been checked for known vulnerabilities. Using an approved registry adds supply-chain control and reduces the chance of pulling tampered or unreviewed images. This directly addresses the risk of altered or unsafe container content entering production.

Why this answer

Requiring signed, scanned images from an approved registry ensures that only trusted, vulnerability-free images are deployed. Image signing (e.g., using Docker Content Trust or Notary) verifies the image's integrity and origin, preventing tampered images from being deployed. Scanning catches known vulnerabilities before runtime, reducing the attack surface. This directly addresses the risk of deploying an altered image. Option C is correct because namespaces combined with network policies restrict which workloads can reach one another, so a compromised container is confined to its own trust zone instead of being able to reach another team's pods. Option E is correct because dropping unneeded Linux capabilities and mounting the root filesystem read-only limit what a compromised process can do, such as modifying binaries in its own container or abusing privileged kernel operations to escape it.

Exam trap

The trap here is that candidates often think running containers as root is necessary for app functionality, but Kubernetes security best practices (and the CIS Benchmark for Kubernetes) explicitly require running containers with non-root users and read-only root filesystems to limit damage from a compromise.

195
MCQ · medium

A security architect is designing the wireless network for a new branch office. The branch will have two types of users: employees who need access to internal corporate resources, and guests who need internet-only access. The architect plans to use WPA3-Enterprise for the employee SSID and WPA3-SAE for the guest SSID. Which of the following additional configurations is MOST critical to prevent guests from accessing internal corporate resources?

A. Implement MAC address filtering on the guest SSID to allow only authorized guest devices.
B. Place the guest wireless network on a separate VLAN with a firewall rule blocking inbound traffic to the corporate VLAN.
C. Disable SSID broadcast for the guest network to make it less discoverable.
D. Require guests to accept a captive portal agreement before gaining internet access.
Answer: B

This is the most critical configuration because it enforces network segmentation at Layer 3. The guest VLAN is isolated from the corporate VLAN by the firewall, preventing any direct access to internal resources.

Why this answer

The most critical configuration is to isolate the guest network from the corporate network. Placing the guest SSID on a separate VLAN and implementing a firewall rule that blocks inbound traffic from the guest VLAN to the corporate VLAN ensures that even if a guest device is compromised or malicious, it cannot initiate connections to internal corporate resources. This leverages network segmentation and access control lists (ACLs) to enforce the principle of least privilege.

Exam trap

The trap here is that candidates focus on wireless security protocols (WPA3-SAE vs. Enterprise) or SSID hiding, but the exam tests the understanding that network segmentation and firewall rules are the critical controls for preventing unauthorized access between different trust zones, regardless of the wireless encryption method used.

How to eliminate wrong answers

Option A is wrong because MAC address filtering is a weak security control that can be easily bypassed by MAC spoofing and does not prevent a guest device from accessing internal resources once connected; it only restricts which devices can associate with the SSID. Option C is wrong because disabling SSID broadcast (cloaking) only hides the network name from beacon frames, which is a trivial security-through-obscurity measure that does not prevent a connected guest from accessing internal corporate resources; it does not provide any access control or segmentation.

196
MCQ · medium

Finance staff receive an email from the 'CFO' using a lookalike domain. The message requests an urgent gift-card purchase, says the recipient must keep it confidential, and pressures them to skip normal approval steps. What attack is this most likely?

A. Watering-hole attack targeting employees through a compromised website.
B. Smishing attempt delivered through a text message to a mobile phone.
C. Business email compromise using executive impersonation and urgency.
D. Credential stuffing against the CFO's mailbox using previously leaked passwords.
Answer: C

The attacker is impersonating a senior leader, using a lookalike domain, and pressuring the target to bypass normal controls. That combination is typical of business email compromise and executive impersonation. The request for secrecy and urgency is designed to defeat verification and approval workflows, which makes this attack especially effective in finance-related fraud attempts.

Why this answer

Option C is correct because this scenario describes a business email compromise (BEC) attack where the threat actor impersonates an executive (the CFO) using a lookalike domain to trick a finance employee into making an unauthorized gift-card purchase. The use of urgency, confidentiality, and pressure to bypass normal approval processes are classic BEC social engineering tactics, not technical exploits.

Exam trap

The trap here is that candidates may confuse BEC with credential stuffing (option D) because both involve email accounts, but BEC relies on social engineering to trick the recipient into taking action, not on stealing credentials to access the CFO's mailbox.

How to eliminate wrong answers

Option A is wrong because a watering-hole attack involves compromising a website that the target group frequently visits to deliver malware, not sending a direct email impersonating an executive. Option B is wrong because smishing is a phishing attack delivered via SMS/text messages, not email; this scenario explicitly describes an email from a lookalike domain. Option D is wrong because credential stuffing uses previously leaked usernames and passwords to gain unauthorized access to an account, not social engineering via email to request a gift-card purchase.

197
Multi-Select · medium

A company wants employees to sign in once to several SaaS apps, while the security team also wants to require extra verification when users sign in from unmanaged devices or unusual locations. Which two architecture changes best satisfy both requirements? Select two.

Select 2 answers
A. Federate authentication to a central identity provider.
B. Enable conditional access policies based on device posture and sign-in risk.
C. Create separate passwords for each SaaS app so compromise is contained.
D. Turn off MFA because single sign-on already reduces logins.
E. Use shared generic accounts for contractors to simplify onboarding.
Answers: A, B

Federation allows the organization to centralize authentication and give users a single identity across multiple SaaS applications. That is the architectural foundation for single sign-on because the SaaS apps trust the central identity provider instead of storing separate credentials. It also makes access governance easier because one identity system can enforce stronger controls and lifecycle management.

Why this answer

Option A is correct because federating authentication to a central identity provider (IdP) enables single sign-on (SSO) across multiple SaaS apps using standards like SAML 2.0 or OIDC. This allows employees to sign in once, while the IdP becomes a centralized point to enforce additional security controls. Option B is correct because conditional access policies evaluated at that IdP can require step-up verification, such as an MFA prompt, when the device is unmanaged or the sign-in comes from an unusual location, which is exactly the extra verification the security team wants without giving up single sign-on.

Exam trap

The trap here is that candidates may think SSO eliminates the need for MFA or that separate passwords improve security, but the question specifically requires both single sign-on and extra verification for risky scenarios, which only federation plus conditional access can deliver.

198
MCQ · medium

A vulnerability scan reports three findings: a critical remote code execution issue on an internet-facing VPN appliance with a public exploit, a high-severity local privilege escalation on an isolated lab PC, and a medium-severity outdated browser plug-in on a workstation used for training. Which finding should be remediated first?

A.The isolated lab PC, because local privilege escalation is always the highest technical severity.
B.The internet-facing VPN appliance, because it combines critical severity, exposure, and public exploit availability.
C.The training workstation, because browser plug-ins are common entry points for attackers.
D.None of them, because all vulnerability findings should wait for the next planned maintenance cycle.
AnswerB

The VPN appliance should be first because it is exposed to the internet, has a critical vulnerability, and has known exploit code available. That combination significantly increases the likelihood and impact of compromise, making it the most urgent remediation target.

Why this answer

The internet-facing VPN appliance should be remediated first because it combines a critical severity rating, direct exposure to the internet, and a publicly available exploit. This creates an immediate and high-probability risk of remote code execution, which could lead to full compromise of the network perimeter. In contrast, the other findings are isolated or lower severity, making them less urgent.

Exam trap

The trap here is that candidates may prioritize based solely on severity score or common attack vectors (like browser plug-ins) without considering the combination of exposure, exploit availability, and the critical nature of the vulnerability.

How to eliminate wrong answers

Option A is wrong because local privilege escalation on an isolated lab PC, while serious, does not have the same risk as a critical remote code execution on an internet-facing device; the lab PC is not exposed to external threats and requires prior access. Option C is wrong because a medium-severity outdated browser plug-in on a training workstation is a lower priority than a critical vulnerability with a public exploit on an internet-facing system; browser plug-ins are common entry points but the severity and exposure are lower. Option D is wrong because waiting for the next planned maintenance cycle for a critical, internet-facing vulnerability with a public exploit is unacceptable; such issues require immediate remediation to prevent exploitation.

199
MCQmedium

Based on the exhibit, which control should be enabled to mitigate this issue?

A.DNSSEC, because it validates DNS records and would stop local address-to-MAC spoofing.
B.Port forwarding, because it can direct traffic to the correct internal host more reliably.
C.Load balancing, because it would distribute traffic and reduce the impact of connectivity issues.
D.Dynamic ARP inspection with DHCP snooping, because it validates ARP replies against trusted bindings.
AnswerD

Dynamic ARP inspection is designed to block forged ARP messages by checking them against trusted information, usually built from DHCP snooping bindings. Since the switch logs show both DHCP snooping and ARP inspection disabled, enabling these controls is the most appropriate mitigation for the poisoning behavior described.

Why this answer

Dynamic ARP inspection (DAI) with DHCP snooping validates ARP packets arriving on untrusted ports against a trusted binding database, preventing on-path (man-in-the-middle) attacks in which an attacker sends forged ARP replies that map a legitimate host's IP address (typically the default gateway's) to the attacker's own MAC address. DHCP snooping builds that binding table by recording which IP address was leased to which MAC address on which port and VLAN; DAI then drops any ARP packet whose sender IP/MAC pair does not match an entry. Two deployment details matter in practice: uplink ports toward the router and DHCP server must be marked trusted or their legitimate ARP traffic is dropped, and hosts with static addresses need ARP ACL entries because they never appear in the snooping table.

Exam trap

The trap here is that candidates confuse DNSSEC (which secures DNS) with ARP security mechanisms, or they assume port forwarding or load balancing can mitigate Layer 2 spoofing attacks, when in fact only DAI with DHCP snooping directly validates ARP integrity.

How to eliminate wrong answers

Option A is wrong because DNSSEC validates DNS records (using digital signatures) to prevent DNS spoofing/cache poisoning, not local address-to-MAC spoofing (ARP attacks). Option B is wrong because port forwarding is a NAT technique to map external ports to internal hosts, and it does not inspect or validate Layer 2 ARP traffic. Option C is wrong because load balancing distributes network or application traffic across multiple servers to improve performance and availability, but it does not enforce ARP security or prevent spoofing at the data link layer.
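
The decision DAI makes for each ARP packet, as an added example that is not part of the question bank. The DHCP snooping binding table, the trusted-port list and the ARP event lines are constructed for illustration; a real switch does this in hardware and also rate-limits ARP on untrusted ports.

```python
"""Simplified Dynamic ARP Inspection (DAI) check.

Added example, not from the question bank. The DHCP snooping binding
table, trusted-port list and ARP events below are constructed to show
how a switch decides to permit or drop an ARP packet.
"""
from dataclasses import dataclass

# Constructed DHCP snooping binding table: (vlan, ip) -> (mac, port).
BINDINGS = {
    (10, "10.0.10.1"): ("00:11:22:33:44:01", "Gi1/0/1"),    # default gateway
    (10, "10.0.10.21"): ("00:11:22:33:44:21", "Gi1/0/21"),  # workstation
    (10, "10.0.10.22"): ("00:11:22:33:44:22", "Gi1/0/22"),  # attacker's host
}

# Uplink toward the router/DHCP server; ARP from here is not inspected.
TRUSTED_PORTS = {"Gi1/0/1"}


@dataclass
class ArpEvent:
    vlan: int
    port: str
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str


def parse_event(line: str) -> ArpEvent:
    """Parse one constructed 'key=value' ARP event line."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return ArpEvent(int(kv["vlan"]), kv["port"], kv["op"], kv["sip"], kv["smac"])


def inspect(ev: ArpEvent) -> tuple:
    """Return ('permit'|'drop', reason) the way DAI would for this packet."""
    if ev.port in TRUSTED_PORTS:
        return "permit", "trusted port, not inspected"
    binding = BINDINGS.get((ev.vlan, ev.sender_ip))
    if binding is None:
        # Static-IP hosts land here unless an ARP ACL is configured for them.
        return "drop", f"no DHCP binding for {ev.sender_ip} in VLAN {ev.vlan}"
    bound_mac, bound_port = binding
    if ev.sender_mac.lower() != bound_mac.lower():
        return "drop", (f"{ev.sender_ip} is bound to {bound_mac}, "
                        f"packet claims {ev.sender_mac}")
    if ev.port != bound_port:
        return "drop", f"{ev.sender_ip} is bound to {bound_port}, seen on {ev.port}"
    return "permit", "sender IP/MAC/port match binding"


# Constructed ARP events: the host on Gi1/0/22 tries to claim the gateway IP,
# then an address that was never leased by DHCP.
SAMPLE_EVENTS = [
    "vlan=10 port=Gi1/0/21 op=request sip=10.0.10.21 smac=00:11:22:33:44:21",
    "vlan=10 port=Gi1/0/1 op=reply sip=10.0.10.1 smac=00:11:22:33:44:01",
    "vlan=10 port=Gi1/0/22 op=reply sip=10.0.10.1 smac=00:11:22:33:44:22",
    "vlan=10 port=Gi1/0/22 op=reply sip=10.0.10.99 smac=00:11:22:33:44:22",
]


def run(lines=SAMPLE_EVENTS) -> list:
    """Inspect every event line; returns a (verdict, reason) per line."""
    return [inspect(parse_event(line)) for line in lines]


if __name__ == "__main__":
    for line, (verdict, why) in zip(SAMPLE_EVENTS, run()):
        print(f"{verdict:6} {why}  <- {line}")
```

The third event is the poisoning attempt from the question: the gateway's IP with the attacker's MAC, arriving on an untrusted access port, so it is dropped. The first two are permitted, the second only because the uplink is trusted, which is why forgetting to trust the uplink breaks the whole VLAN.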

200
MCQeasy

A vulnerability scan finds an administrative SSH service listening on 0.0.0.0 on a server that should be managed only from the internal network. What is the main security issue?

A.Exposed management service
B.Default credentials
C.Outdated component
D.Weak permissions
AnswerA

This is the correct answer because the admin SSH service is reachable on all interfaces instead of being limited to the internal management network. That increases attack surface and allows unauthorized internet exposure if firewall rules are weak or missing. The problem is the service placement and exposure, not the SSH protocol itself.

Why this answer

Binding the SSH service to 0.0.0.0 means it listens on every IPv4 interface (the IPv6 equivalent is ::), including any external-facing one. This exposes the administrative interface to networks that should never be able to reach it and enlarges the attack surface. The main issue is therefore an exposed management service: a service meant for internal management only is reachable from outside the trusted network. The fix is to restrict the bind address (for OpenSSH, ListenAddress in sshd_config) and to enforce the same restriction with host and network firewall rules, since a bind address alone does not help once the management subnet itself is routable from elsewhere.

Exam trap

The trap here is that candidates may focus on the SSH service itself (e.g., thinking of weak passwords or outdated versions) rather than recognizing that the binding to 0.0.0.0 is a network exposure misconfiguration.

How to eliminate wrong answers

Option B is wrong because the question does not mention any use of default usernames or passwords; the core issue is network exposure, not authentication weakness. Option C is wrong because there is no indication that the SSH version or component is outdated; the vulnerability is about misconfiguration, not patch level. Option D is wrong because weak permissions refer to file system or registry access controls, not network-level binding; the SSH service itself may have correct file permissions but still be exposed on the network.
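
The check a scanner or a host audit script performs for this finding, as an added example that is not part of the question bank. It parses constructed output in the layout `ss -lntp` prints and flags management-plane listeners that are bound to all interfaces, or to an address outside the assumed management subnet 10.10.0.0/24; the port list and subnet are this example's assumptions.

```python
"""Flag management services bound to all interfaces.

Added example, not from the question bank. Parses constructed
`ss -lntp`-style output and reports management-plane listeners that are
reachable on every interface instead of only the assumed management
network 10.10.0.0/24.
"""
import ipaddress
import re

MGMT_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}
WILDCARDS = {"0.0.0.0", "[::]", "::", "*"}
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed management subnet

# Constructed listener table for the misconfigured server in the question.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=600,fd=7))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=900,fd=6))
"""

# Constructed table after ListenAddress 10.10.0.5 was set in sshd_config.
FIXED_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    10.10.0.5:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=600,fd=7))
"""


def parse_listeners(text: str):
    """Yield (address, port, process) for each LISTEN row."""
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)          # "[::]:22" -> "[::]", "22"
        m = re.search(r'\("([^"]+)"', line)
        yield addr, int(port), (m.group(1) if m else "?")


def exposed_management_services(text: str) -> list:
    """Management ports bound to a wildcard or to a non-management address."""
    findings = []
    for addr, port, proc in parse_listeners(text):
        if port not in MGMT_PORTS:
            continue                                  # only the management plane
        name = MGMT_PORTS[port]
        if addr in WILDCARDS:
            findings.append(f"{name} ({proc}) on {addr}:{port} listens on all interfaces")
            continue
        ip = ipaddress.ip_address(addr.strip("[]"))
        if not ip.is_loopback and ip not in MGMT_NET:
            findings.append(f"{name} ({proc}) bound to {addr}:{port}, outside {MGMT_NET}")
    return findings


if __name__ == "__main__":
    for text in (SAMPLE_SS, FIXED_SS):
        print(exposed_management_services(text) or ["no exposed management services"])
```

The IPv6 wildcard is reported separately on purpose: administrators who set ListenAddress for IPv4 only routinely leave [::]:22 open, and the scanner in the question would still flag the host.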

201
Multi-Selecteasy

A manager asks how to decide whether a new security issue is worth spending money on. Which two factors should be reviewed first? Select two.

Select 2 answers
A.Likelihood that the issue will be exploited
B.Business impact if the issue is successful
C.The color used on the vulnerability report
D.The number of users in the IT department
E.The age of the server name in inventory
AnswersA, B

Likelihood estimates how probable the event is, which helps determine whether the organization faces a realistic threat. Impact estimates what the organization stands to lose if the event occurs. Together they are the two inputs to risk, so they are what the manager should review before committing budget.

Why this answer

Option A is correct because the likelihood of exploitation is a fundamental factor in risk assessment. Without understanding how probable it is that a threat actor will exploit a vulnerability, an organization cannot prioritize remediation effectively. Option B is correct because business impact quantifies the damage an exploited issue would cause (financial loss, downtime, regulatory exposure, reputational harm); a likely event with negligible impact may not justify spending, while a rare but catastrophic one often does. These two factors are the core of risk calculation (Risk = Likelihood × Impact), and together they determine whether the cost of a control is proportionate to the risk it reduces.

Exam trap

The trap here is that candidates may confuse severity indicators (like color-coded CVSS scores) with the primary decision factors, or they may incorrectly assume that administrative metrics (like user count or asset age) are relevant to risk-based spending decisions.

202
MCQmedium

Based on the exhibit, which malware type is most likely involved?

A.Trojan, because the malware was likely disguised as a legitimate file.
B.Spyware, because the attacker is trying to monitor user activity quietly.
C.Ransomware, because files were encrypted and recovery options were intentionally removed.
D.Rootkit, because the attacker is hiding from the operating system.
AnswerC

This is ransomware. The file extensions changed, a ransom note was dropped into folders, and Volume Shadow Copy data was deleted to hinder recovery. Those are classic signs that the attacker intends to deny access to data and pressure the victim into payment. The visible symptom is loss of file availability, not stealthy monitoring or simple corruption.

Why this answer

The exhibit shows that files have been encrypted with a '.locked' extension and that recovery options like System Restore and Volume Shadow Copy have been removed or disabled. This is a classic indicator of ransomware, which encrypts user data and then demands payment for decryption, often deleting backup files to prevent recovery without the attacker's key.

Exam trap

The trap here is that candidates may confuse the removal of recovery options with a rootkit's stealth techniques, but ransomware's goal is to deny access to data (not hide), and the overt encryption and backup deletion are the key differentiators.

How to eliminate wrong answers

Option A is wrong because a trojan is malware disguised as legitimate software, but the exhibit shows file encryption and removal of recovery options, not just deception. Option B is wrong because spyware focuses on stealthy monitoring of user activity (e.g., keylogging or screen capture), not on encrypting files and deleting backups. Option D is wrong because a rootkit hides its presence from the operating system (e.g., by hooking system calls), whereas the exhibit shows overt file encryption and system recovery tampering, not stealth.

203
MCQmedium

A monthly scan finds a critical remote-code-execution vulnerability on an internet-facing VPN appliance. The vendor has not released a patch for six weeks, but the service must stay online. Which short-term action is the best risk treatment?

A.Accept the risk and wait for the next scheduled scan cycle.
B.Apply compensating controls such as strict access filtering, MFA, enhanced logging, and alerting.
C.Disable all logging so the appliance performs better under load.
D.Ignore the issue until the vendor confirms the vulnerability is being actively exploited.
AnswerB

When a patch is unavailable, the best short-term treatment is to reduce exposure and add monitoring. Tight access control, MFA, and logging do not remove the vulnerability, but they can meaningfully lower the likelihood of exploitation and improve detection. This is the correct operational response when the service must remain online and a permanent fix is not yet available.

Why this answer

Option B is correct because when a patch is unavailable for a critical vulnerability, compensating controls reduce risk without taking the service offline. For an internet-facing VPN appliance, strict access filtering (e.g., limiting source IPs via ACLs), enforcing MFA, and enabling enhanced logging/alerting can mitigate exploitation attempts while maintaining availability. This aligns with the risk treatment strategy of risk reduction through controls rather than acceptance, avoidance, or transfer.

Exam trap

The trap here is that candidates may think accepting risk (Option A) is acceptable for a critical vulnerability, but CompTIA expects you to recognize that compensating controls are the appropriate short-term treatment when a patch is unavailable and the service must remain online.

How to eliminate wrong answers

Option A is wrong because accepting the risk and waiting for the next scan cycle leaves the organization exposed to active exploitation of a critical RCE vulnerability, which is unacceptable for an internet-facing service. Option C is wrong because disabling logging removes visibility into potential attacks, hindering incident detection and response, and does not address the vulnerability itself. Option D is wrong because ignoring the issue until active exploitation is confirmed violates the principle of proactive security; waiting for proof of exploitation increases the likelihood of a breach and potential damage.

204
MCQmedium

A help desk technician receives a phone call from someone who claims to be the CFO. The caller knows the executive team structure, says they are traveling, and insists the technician reset MFA to 'avoid delaying a wire transfer.' Which social engineering technique is the caller primarily using?

A.Pretexting, because the caller builds a believable story to manipulate the employee
B.Baiting, because the caller is offering something valuable in exchange for action
C.Vishing, because the attack happens by voice call
D.Smishing, because the attacker is using a mobile device
AnswerA

Pretexting is the best fit because the attacker invents a convincing scenario, uses insider details, and pressures the technician to bypass normal verification. The goal is not just to trick someone into clicking a link, but to create a false identity and narrative that makes the request seem legitimate. This is a common tactic in help desk fraud and account takeover attempts.

Why this answer

The caller is using pretexting because they have fabricated a scenario (the CFO traveling and needing an urgent wire transfer) and assumed a false identity to manipulate the help desk technician into resetting MFA. Pretexting relies on a crafted story or pretext to gain trust and bypass security controls, which is exactly what the caller is doing here.

Exam trap

The trap here is that candidates often confuse the delivery method (voice call = vishing) with the underlying social engineering technique (pretexting), but the question specifically asks for the primary technique being used, not the channel.

How to eliminate wrong answers

Option B is wrong because baiting involves offering something enticing (e.g., a free USB drive or download) to trick the victim, not creating a false identity or story. Option C is wrong because vishing is a social engineering technique that uses voice calls, but the question asks for the primary technique being used, not the delivery method; the core technique here is pretexting, not vishing. Option D is wrong because smishing specifically refers to SMS-based phishing attacks, and while the caller may be using a mobile device, the attack is carried out via a phone call, not text messages.

205
MCQeasy

A security team stores employee passwords in a database. Which method best protects the passwords if the database is stolen?

A.Store the passwords in plain text so users can recover them easily.
B.Hash the passwords with a unique salt for each account.
C.Encrypt the passwords and keep the decryption key in the same database.
D.Compress the passwords before storing them to make them smaller.
AnswerB

Hashing with a unique salt makes password data much harder to reuse or crack at scale. If the database is stolen, the attacker cannot directly read the passwords, and identical passwords will not produce the same stored value when salts differ.

Why this answer

Option B is correct because hashing with a unique salt per account ensures that two users with the same password get different stored values, and precomputed rainbow table attacks are rendered ineffective because a table would have to be built for every salt. The salt is stored alongside the hash in the clear; it is not a secret. The one-way nature of the hash means the attacker cannot reverse it and must instead guess passwords and hash each guess with each account's salt individually. For that guessing to be expensive, the hash must be a deliberately slow, password-specific function (bcrypt, scrypt, Argon2id, or PBKDF2 with a high iteration count) rather than a single round of a fast general-purpose hash such as SHA-256.

Exam trap

The trap here is that candidates may confuse encryption with hashing, thinking that encrypting passwords is sufficient, but they overlook that reversible encryption with the key stored alongside the data provides no real protection in a database theft scenario.

How to eliminate wrong answers

Option A is wrong because storing passwords in plain text violates fundamental security principles; if the database is stolen, all passwords are immediately exposed, compromising every user account. Option C is wrong because encryption is a reversible process, and keeping the decryption key in the same database means that if the database is stolen, the attacker also has the key, making the encryption useless. Option D is wrong because compression is not a security measure; it merely reduces storage size and can be easily reversed by an attacker, providing no protection against password disclosure.
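
Salted, iterated hashing beside the unsalted fast hash it replaces, as an added example that is not part of the question bank. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, record format and field separator are this example's choices, not a standard the question describes.

```python
"""Salted, iterated password hashing vs. a naive unsalted hash.

Added example, not from the question bank. Uses PBKDF2-HMAC-SHA256 from
the standard library; the iteration count and record format are this
example's choices.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # OWASP's current PBKDF2-HMAC-SHA256 recommendation
SALT_BYTES = 16


def naive_hash(password: str) -> str:
    """What NOT to do: unsalted fast hash, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash' with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"          # constructed sample password
    print("naive, user 1:", naive_hash(pw))
    print("naive, user 2:", naive_hash(pw))      # identical: one crack hits both
    rec1, rec2 = hash_password(pw), hash_password(pw)
    print("salted, user 1:", rec1)
    print("salted, user 2:", rec2)               # different salt, different hash
    print("verify ok:", verify_password(pw, rec1), "wrong:", verify_password("x", rec1))
```

Storing the iteration count in the record lets the work factor be raised later: existing users are re-hashed on their next successful login, and verification keeps working for records written with the old count. hashlib.scrypt is a drop-in alternative when memory-hardness matters; Argon2id requires a third-party package.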

206
MCQmedium

Based on the exhibit, which logging capability should be enabled first to create an audit trail for cloud administration changes?

Exhibit:
2026-04-25 09:14:03 iam:AttachRolePolicy user=alice
2026-04-25 09:15:10 ec2:AuthorizeSecurityGroupIngress user=alice
2026-04-25 09:16:22 s3:PutBucketPolicy user=alice

Requirement: Security wants to track management-plane API calls and configuration changes across cloud resources.

A.Enable cloud control-plane audit logging such as CloudTrail or the provider equivalent.
B.Install a rootkit detector on each workload and ignore management-plane activity.
C.Capture only DNS traffic, because it reveals all admin changes indirectly.
D.Rely on manual change tickets in a spreadsheet because cloud platforms do not record useful logs.
AnswerA

This is the best choice because the exhibit shows API-level changes to identity, networking, and storage policies. Control-plane audit logging records who made those changes, what action was taken, and when it occurred. That creates the most useful evidence for investigations, change tracking, and compliance in a cloud environment.

Why this answer

Option A is correct because cloud control-plane audit logging (e.g., AWS CloudTrail, the Azure Activity Log, or Google Cloud Audit Logs) captures management-plane API calls, including the IAM role attachment, security group rule change, and bucket policy modification shown in the exhibit, together with who made the call, from where, and when. This directly meets the requirement to track configuration changes across cloud resources and provides a tamper-evident audit trail for security and compliance (CloudTrail's log file validation, for example, signs digests of delivered logs so deletion or alteration can be detected). The logs should be shipped to a separate, write-restricted account or project so that an administrator who is the subject of the investigation cannot also edit the evidence.

Exam trap

The trap here is that candidates may confuse data-plane logging (e.g., VPC Flow Logs or DNS logs) with management-plane logging, or assume manual processes are sufficient, when the exhibit clearly shows API-level events that only a control-plane audit service can capture.

How to eliminate wrong answers

Option B is wrong because rootkit detectors focus on workload-level threats (e.g., malware in virtual machines) and do not log management-plane API calls or configuration changes; they ignore the control plane entirely. Option C is wrong because DNS traffic only reveals domain resolution queries, not the specific API calls or resource modifications made by administrators; it cannot reconstruct an audit trail of cloud administration changes. Option D is wrong because manual change tickets are error-prone, lack automation, and cannot capture the granular, timestamped API calls that cloud platforms natively log; relying on spreadsheets violates the principle of automated audit trails required for compliance.
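
What a SIEM rule does with those events once control-plane logging is on, as an added example that is not part of the question bank. It parses the exhibit's event lines (plus two constructed lines), normalises them to the field names CloudTrail uses, flags actions that widen access, and detects a burst of such changes by one user; the watchlist, the window and the extra lines are this example's assumptions.

```python
"""Audit trail and alerting over control-plane events.

Added example, not from the question bank. Parses the exhibit's event
format (timestamp, service:action, user), normalises each event to the
field names CloudTrail uses (eventTime, eventSource, eventName,
userName) and flags risky changes. The watchlist is this example's choice.
"""
from datetime import datetime, timezone
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<service>[a-z0-9]+):(?P<action>\w+) user=(?P<user>\S+)$"
)

# Actions worth an alert because they widen access or blind the audit trail.
WATCHLIST = {
    "iam:AttachRolePolicy": "privilege change",
    "iam:CreateAccessKey": "new long-lived credential",
    "ec2:AuthorizeSecurityGroupIngress": "network exposure change",
    "s3:PutBucketPolicy": "storage policy change",
    "cloudtrail:StopLogging": "audit logging disabled",
}

# First three lines are the exhibit; the last two are constructed.
EXHIBIT = """\
2026-04-25 09:14:03 iam:AttachRolePolicy user=alice
2026-04-25 09:15:10 ec2:AuthorizeSecurityGroupIngress user=alice
2026-04-25 09:16:22 s3:PutBucketPolicy user=alice
2026-04-25 09:30:00 ec2:DescribeInstances user=bob
2026-04-25 09:31:45 cloudtrail:StopLogging user=alice
"""


def parse(text: str) -> list:
    """Normalise exhibit lines into CloudTrail-like records, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({
            "eventTime": ts,
            # Most AWS services use <service>.amazonaws.com as eventSource.
            "eventSource": f"{m['service']}.amazonaws.com",
            "eventName": m["action"],
            "userName": m["user"],
            "key": f"{m['service']}:{m['action']}",
        })
    return sorted(events, key=lambda e: e["eventTime"])


def alerts(events: list) -> list:
    """One alert line per watchlisted event."""
    out = []
    for e in events:
        reason = WATCHLIST.get(e["key"])
        if reason:
            out.append(f"{e['eventTime']:%Y-%m-%dT%H:%M:%SZ} {e['userName']} "
                       f"{e['key']} ({reason})")
    return out


def bursts(events: list, window_s: int = 300, threshold: int = 3) -> dict:
    """Users with >= threshold watchlisted changes inside any window_s span."""
    by_user = {}
    for e in events:
        if e["key"] in WATCHLIST:
            by_user.setdefault(e["userName"], []).append(e["eventTime"])
    hits = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                hits[user] = max(hits.get(user, 0), j - i + 1)
    return hits


if __name__ == "__main__":
    ev = parse(EXHIBIT)
    print("\n".join(alerts(ev)))
    print("bursts:", bursts(ev))
```

Read-only calls such as DescribeInstances are logged too but not alerted on; the value of the control-plane log is that the reviewer chooses what matters after the fact, which a DNS capture or a spreadsheet never allows.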

207
Multi-Selecteasy

A company wants guest laptops on Wi-Fi to reach the internet, but not internal file servers or printers. Which two changes best support that design? Select two.

Select 2 answers
A.Place guest devices in a separate VLAN or subnet from employee devices.
B.Add ACL or firewall rules that block guest traffic from reaching internal private networks.
C.Put guests on the same VLAN as employees and rely on stronger Wi-Fi passwords.
D.Disable SSID broadcast so guests cannot discover the network name.
E.Allow guest devices to use the same DHCP scope as internal endpoints.
AnswersA, B

A separate VLAN or subnet creates a distinct trust zone for guests, which helps keep their traffic isolated from internal corporate systems. It is a standard first step in secure network segmentation and makes later filtering easier.

Why this answer

Placing guest devices in a separate VLAN or subnet (Option A) is a fundamental network segmentation technique that isolates guest traffic from the internal corporate network at Layer 2 and gives the administrator a distinct address range to which separate policies can be applied. Adding ACL or firewall rules (Option B) enforces the isolation at Layer 3: a separate VLAN only removes Layer 2 adjacency, and because the guest subnet must be routed for guests to reach the internet, the router or firewall will forward guest packets to the internal private ranges unless a rule explicitly denies guest-to-internal traffic while permitting guest-to-internet. Together the two changes create a trust zone and then police its boundary.

Exam trap

The trap here is that candidates often confuse hiding the SSID (Option D) with actual access control, or they mistakenly believe that a strong Wi-Fi password (Option C) is sufficient to protect internal resources from authenticated guests, when in fact network segmentation via VLANs and ACLs is required.

208
MCQeasy

A SOC analyst notices that log timestamps from different servers do not line up during an investigation. What should be implemented to improve event correlation?

A.A more aggressive password policy for all users.
B.Network Time Protocol time synchronization across systems.
C.Longer user account names to make records easier to read.
D.Disabling centralized logging to reduce duplication.
AnswerB

Time synchronization is essential for reliable logging because incident responders need events to appear in the correct order. If servers use different clocks, correlations can become misleading and slow the investigation. NTP keeps system time aligned so SIEM alerts, authentication records, and host logs can be compared accurately across multiple systems.

Why this answer

Network Time Protocol (NTP) synchronizes clocks across systems to a common time source, ensuring log timestamps align for accurate event correlation. Without NTP, timestamps from different servers drift, making it impossible to reconstruct the sequence of events during an investigation. This is a foundational requirement for security monitoring and incident response. In practice that means pointing every system at the same internal NTP servers (which themselves synchronize to a reliable upstream source), recording logs in UTC or with an explicit time zone offset, and monitoring for drift, since a host whose NTP client has silently failed will also produce misaligned evidence.

Exam trap

The trap here is that candidates may confuse operational security controls (like password policies or naming conventions) with the technical infrastructure needed for accurate log correlation, overlooking NTP as a fundamental prerequisite for time-based analysis.

How to eliminate wrong answers

Option A is wrong because a more aggressive password policy (e.g., complexity, expiration) addresses authentication security, not time synchronization or log correlation. Option C is wrong because longer user account names improve readability but have no effect on timestamp alignment or event correlation. Option D is wrong because disabling centralized logging would eliminate the single repository where logs are aggregated, making correlation even harder and increasing duplication of analysis effort.

209
MCQeasy

Based on the exhibit, which change best improves secure administration for the scheduled task?

A.Keep the Administrator account and leave the task running only when a user is logged on.
B.Move the script to the desktop so it is easier for technicians to monitor manually.
C.Use a dedicated service account with only the required permissions and allow the task to run whether or not anyone is logged on.
D.Disable the task and have staff run the script manually whenever they remember to do it.
AnswerC

A dedicated service account with least privilege reduces the risk of credential misuse and limits what the task can access if it is abused. Allowing the task to run whether a user is logged on or not makes the automation reliable for scheduled maintenance. This is a common secure-administration improvement for repeatable scripts.

Why this answer

Option C is correct because using a dedicated service account with minimal required permissions follows the principle of least privilege, reducing what an attacker gains if the task or its script is abused. Allowing the task to run whether or not anyone is logged on ensures it executes reliably without depending on an interactive session, which is essential for automated administrative work. This approach also avoids the built-in Administrator account, whose credentials are a prime target. One caveat: a task configured to run whether a user is logged on or not stores that account's password in the Task Scheduler credential store, so the service account should be non-interactive with a long random password, or preferably a group Managed Service Account (gMSA), whose password Active Directory rotates automatically and never exposes to administrators.

Exam trap

The trap here is that candidates may think making the script easier to access (Option B) or using the built-in Administrator account (Option A) are acceptable, but CompTIA tests the principle of least privilege and the importance of dedicated service accounts for automated tasks to avoid credential theft and ensure reliable execution.

How to eliminate wrong answers

Option A is wrong because keeping the Administrator account violates least privilege and leaving the task to run only when a user is logged on introduces a dependency on an interactive session, which can cause the task to fail if no user is logged in at the scheduled time. Option B is wrong because moving the script to the desktop does not improve security; it actually increases risk by placing the script in a user-accessible location where it could be modified or executed by unauthorized users, and it does not address the need for secure, automated execution. Option D is wrong because disabling the task and relying on manual execution defeats the purpose of automation, introduces human error, and increases the likelihood of missed or delayed administrative actions, which is not a secure or reliable administration practice.

210
MCQeasy

Based on the exhibit, what should management implement next?

A.Role-based security awareness training with recurring phishing simulations and reporting practice.
B.Disable all email attachments for every user in the company.
C.Replace all passwords with longer usernames.
D.Move all users to a single shared mailbox for easier monitoring.
AnswerA

This is the best choice because the exhibit shows both low reporting and ongoing click rates across several groups. Role-based training helps target the people most affected, and repeated simulations measure whether behavior improves over time. Training should reinforce how to spot suspicious messages and how to report them correctly, which directly supports the management goal.

Why this answer

The exhibit shows phishing-simulation results with ongoing click rates and low reporting rates across several user groups, which points to a human-risk gap rather than a single technical failure. Role-based training with recurring phishing simulations and reporting practice addresses that directly: it targets the groups with the worst numbers, teaches users to recognize and report suspicious messages, and gives management a measurable trend across campaigns. This aligns with the Security Program Management domain's focus on continuous improvement through user education and testing.

Exam trap

CompTIA often tests the misconception that technical controls alone (like disabling attachments or changing passwords) can solve human-centric security issues, when in fact user training and awareness are the primary mitigations for phishing risks.

How to eliminate wrong answers

Option B is wrong because disabling all email attachments is an extreme, impractical measure that would severely disrupt business operations and is not a standard security control; instead, organizations use attachment filtering and sandboxing. Option C is wrong because replacing passwords with longer usernames does not improve authentication security—usernames are not secrets, and this would not prevent phishing or credential theft. Option D is wrong because moving all users to a single shared mailbox eliminates accountability, violates the principle of least privilege, and makes monitoring and auditing impossible, increasing security risk rather than reducing it.

211
Multi-Selecthard

A cloud support team is replacing separate logins for several internal apps. The new design must support one sign-in, reduce the chance that a stolen session remains valid too long, and let the identity team revoke access centrally after termination. Which three controls best fit? Select three.

Select 3 answers
A.Implement SSO through federation with the identity provider as the source of truth.
B.Configure short idle and absolute session timeouts with reauthentication for sensitive actions.
C.Use MFA so the initial authentication requires something the user has or is.
D.Keep app-specific local accounts so each application can manage sessions independently.
E.Disable centralized logout so active sessions are never interrupted during maintenance.
AnswersA, B, C

Federation and SSO let one identity provider authenticate the user and then assert that identity to connected applications. This eliminates repeated logins while keeping authentication centralized. It also makes termination and access changes easier because the identity team controls the authoritative account.

Why this answer

Option A is correct because implementing SSO through federation with the identity provider (IdP) as the source of truth lets users sign in once and reach multiple internal apps without separate logins. Authentication is centralized, so when the identity team disables an account after termination, the IdP refuses all further token requests for it. Federation typically uses SAML 2.0 or OIDC, where the IdP issues signed assertions or ID tokens that the apps trust, eliminating app-specific credentials. Option B is correct because short idle and absolute timeouts bound how long a stolen session token or cookie remains usable, and reauthentication for sensitive actions means a hijacked session cannot change a password or approve a payment without the attacker also passing the login challenge. Option C is correct because MFA makes the initial authentication resistant to credential theft, so a leaked password alone does not produce a valid session in the first place. One caveat worth knowing: disabling a user at the IdP stops new token issuance, but application sessions created earlier remain valid until they expire, which is exactly why B's short timeouts (and IdP-initiated single logout, where the apps support it) are needed alongside A.

Exam trap

The trap here is that candidates may think MFA alone (Option C) satisfies the requirement to reduce stolen session validity, but MFA only strengthens initial authentication and does not control session duration or enable centralized revocation after termination.
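
The three controls from this question, plus the conditional access policy from the earlier SSO question, modelled in one small identity provider, as an added example that is not part of the question bank. Step-up MFA is required when the device is unmanaged or the country is unusual; sessions carry idle and absolute timeouts with reauthentication for sensitive actions; disabling a user drops every live session. Timeouts, user names and the home-country table are constructed assumptions; a real deployment would express them as IdP policy rather than code.

```python
"""Central IdP with conditional access, session limits and revocation.

Added example, not from the question bank. All names, timeouts and the
home-country table are this example's assumptions. Time is passed in
explicitly so the behaviour is deterministic.
"""
from dataclasses import dataclass
import secrets

IDLE_TIMEOUT = 15 * 60          # seconds without activity before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap regardless of activity
REAUTH_WINDOW = 5 * 60          # sensitive actions need an auth this recent


@dataclass
class SignInContext:
    user: str
    device_managed: bool
    country: str
    mfa_presented: bool = False


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    last_auth: float


class IdentityProvider:
    def __init__(self):
        self.sessions = {}
        self.disabled = set()
        self.home_country = {"alice": "US", "bob": "DE"}   # constructed

    def conditional_access(self, ctx: SignInContext) -> str:
        """Return 'allow', 'require_mfa' or 'deny' for a sign-in attempt."""
        if ctx.user in self.disabled:
            return "deny"
        risky = (not ctx.device_managed) or ctx.country != self.home_country.get(ctx.user)
        if risky and not ctx.mfa_presented:
            return "require_mfa"          # step-up verification, not a hard block
        return "allow"

    def sign_in(self, ctx: SignInContext, now: float):
        """Issue a session token, or (None, reason) when policy does not allow."""
        decision = self.conditional_access(ctx)
        if decision != "allow":
            return None, decision
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(ctx.user, now, now, now)
        return token, decision

    def authorize(self, token: str, now: float, sensitive: bool = False) -> tuple:
        """Check a presented token; expired or revoked sessions are dropped."""
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown or revoked session"
        if s.user in self.disabled:
            self.sessions.pop(token, None)
            return False, "user disabled"
        if now - s.created > ABSOLUTE_TIMEOUT:
            self.sessions.pop(token, None)
            return False, "absolute timeout"
        if now - s.last_seen > IDLE_TIMEOUT:
            self.sessions.pop(token, None)
            return False, "idle timeout"
        if sensitive and now - s.last_auth > REAUTH_WINDOW:
            return False, "reauthentication required"
        s.last_seen = now
        return True, "ok"

    def reauthenticate(self, token: str, now: float) -> bool:
        """Record a fresh credential/MFA check for an existing session."""
        s = self.sessions.get(token)
        if s is None:
            return False
        s.last_auth = s.last_seen = now
        return True

    def disable_user(self, user: str) -> int:
        """Central revocation: block new sign-ins and drop every live session."""
        self.disabled.add(user)
        doomed = [t for t, s in self.sessions.items() if s.user == user]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)
```

The revocation path only reaches sessions the IdP itself holds. Application-local sessions established from an earlier assertion are outside its reach, which is the reason the absolute timeout exists: it is the upper bound on how long a terminated user, or whoever stole their cookie, can keep working.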

212
MCQmedium

A firewall ACL must be modified in production to allow a vendor update server. The team wants to minimize the chance of accidentally blocking payroll traffic. Which change-management step is best before applying the rule?

A.Apply the rule immediately and monitor the help desk for complaints.
B.Test the proposed rule in a staged policy set and keep a rollback plan ready.
C.Remove all deny rules temporarily so the vendor traffic can pass cleanly.
D.Disable logging during the change to avoid slowing down the firewall.
AnswerB

Testing the rule in a staged or cloned policy set helps confirm that the ACL logic, rule order, and source and destination matching behave as intended before production exposure. A rollback plan provides a fast recovery path if the change still causes an unexpected impact. Together, these practices reduce the likelihood of disrupting payroll traffic and align with safe, controlled change management in operational environments.

Why this answer

Option B is correct because testing the proposed rule in a staged policy set allows the team to verify that the new ACL entry does not inadvertently match and drop payroll traffic before it is applied to the production firewall. Keeping a rollback plan ready ensures that if the rule causes unexpected blocking, the previous ACL can be restored immediately, minimizing downtime. This aligns with the change-management principle of validating changes in a controlled environment to prevent service disruption.

Exam trap

CompTIA often tests the misconception that immediate application with monitoring is sufficient, but the trap is that this reactive approach ignores the risk of silently blocking critical traffic until complaints arise, which is unacceptable in a production environment.

How to eliminate wrong answers

Option A is wrong because applying the rule immediately without prior testing or a rollback plan violates change-management best practice and risks blocking payroll traffic if the ACL logic is flawed; monitoring the help desk is reactive, not proactive. Option C is wrong because removing all deny rules, even temporarily, exposes the network to unauthorized traffic, defeats the purpose of the firewall, and violates the principle of least privilege; it does not address the specific need to allow vendor traffic while protecting payroll. Option D is wrong because disabling logging during the change removes the evidence needed to confirm that the new rule matches vendor traffic and nothing else, and leaves no record if payroll traffic is being dropped; the verification value of logging during a change far outweighs any performance cost.
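
A staged policy test in code, as an added example that is not part of the question bank. A first-match ACL evaluator runs a candidate rule set against a regression list of flows that must keep working (payroll) or must start working (the vendor update server); the draft in the example places a broad deny ahead of the payroll permit, the staged test catches it, and the corrected ordering passes. All addresses, ports and rules, including the extra deny that the change ticket is assumed to contain, are constructed for the example.

```python
"""Staged test of a firewall ACL change before production.

Added example, not from the question bank. A first-match ACL evaluator
runs the proposed rule set against flows that must keep working or must
start working. Addresses, ports and rule text are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # CIDR
    dst: str                    # CIDR
    dport: Optional[int] = None  # None = any destination port

    def matches(self, flow: Flow) -> bool:
        return (self.proto in ("any", flow.proto)
                and ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == flow.dport))


def evaluate(rules: list, flow: Flow) -> str:
    """First matching rule wins; implicit deny at the end of the list."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return "deny"


def regression(rules: list, expectations: list) -> list:
    """Return one line per flow whose verdict differs from what was expected."""
    failures = []
    for flow, expected in expectations:
        got = evaluate(rules, flow)
        if got != expected:
            failures.append(f"{flow.proto} {flow.src}->{flow.dst}:{flow.dport} "
                            f"expected {expected}, got {got}")
    return failures


# Constructed production policy; kept intact as the rollback target.
PRODUCTION = [
    Rule("permit", "tcp", "10.20.0.0/16", "10.50.0.5/32", 443),   # workstations -> payroll
    Rule("permit", "udp", "10.20.0.0/16", "10.50.0.53/32", 53),   # internal DNS
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),
]

# The change request (constructed): permit the vendor update server and,
# as the same ticket asks, stop other outbound 443 from the workstation range.
VENDOR_PERMIT = Rule("permit", "tcp", "10.20.0.0/16", "203.0.113.10/32", 443)
OUTBOUND_443_DENY = Rule("deny", "tcp", "10.20.0.0/16", "0.0.0.0/0", 443)

# Flows the staged test must preserve or enable (constructed).
EXPECTATIONS = [
    (Flow("tcp", "10.20.4.17", "10.50.0.5", 443), "permit"),     # payroll keeps working
    (Flow("tcp", "10.20.4.17", "203.0.113.10", 443), "permit"),  # vendor starts working
    (Flow("tcp", "10.20.4.17", "198.51.100.9", 443), "deny"),    # other egress stays blocked
    (Flow("udp", "10.20.4.17", "10.50.0.53", 53), "permit"),
]

# First draft prepends both new rules: the broad deny now shadows the payroll permit.
DRAFT = [VENDOR_PERMIT, OUTBOUND_443_DENY] + PRODUCTION
# Corrected draft keeps the specific payroll permit ahead of the broad deny.
CORRECTED = [PRODUCTION[0], VENDOR_PERMIT, OUTBOUND_443_DENY] + PRODUCTION[1:]

if __name__ == "__main__":
    print("draft:    ", regression(DRAFT, EXPECTATIONS) or "pass")
    print("corrected:", regression(CORRECTED, EXPECTATIONS) or "pass")
```

The regression list is the part worth maintaining: every business-critical flow that has ever been broken by a firewall change belongs in it, so the next change is tested against all of them, and PRODUCTION stays as an object that can be reapplied unchanged if the corrected set still misbehaves.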

213
MCQmedium

A billing application has an RTO of 2 hours and an RPO of 30 minutes. The current recovery method requires rebuilding the VM from scratch and then restoring last night's backup, which takes over six hours. Which solution best meets the stated recovery objectives?

A. Keep the current backup schedule and shorten the documentation for the restore procedure.
B. Switch to weekly full backups and manually verify them after business hours.
C. Store backups on the same production host so restores are faster.
D. Use a warm standby replica with frequent log shipping or near-continuous replication.
Answer: D

A warm standby with frequent log shipping is the best fit because it reduces both data loss and restoration time. The standby already has the operating system and application environment in place, so failover is much faster than rebuilding from scratch. Frequent log shipping narrows the recovery point to within the required 30 minutes, making the design aligned with both business objectives.

Why this answer

Option D is correct because a warm standby replica with frequent log shipping or near-continuous replication can achieve an RPO of 30 minutes or less by minimizing data loss, and an RTO of 2 hours by allowing rapid failover to the replica. This directly addresses the current recovery method's failure to meet the RTO (6+ hours vs. 2 hours) and RPO (last night's backup vs. 30 minutes). Technologies like SQL Server log shipping or VMware vSphere replication provide near-continuous data synchronization, enabling recovery within the stated objectives.

Exam trap

The trap here is that candidates may think faster backups or better documentation (Option A or C) can solve the RTO/RPO gap, but they fail to recognize that the core issue is the recovery method itself—rebuilding from scratch—which cannot be fixed by incremental improvements to backup speed or storage location.

How to eliminate wrong answers

Option A is wrong because shortening documentation does not reduce the actual time to rebuild the VM and restore the backup, so it cannot meet the 2-hour RTO. Option B is wrong because weekly full backups increase the RPO to up to 7 days, far exceeding the required 30 minutes, and manual verification after hours does not improve recovery speed. Option C is wrong because storing backups on the same production host creates a single point of failure and does not address the fundamental issue of slow rebuild and restore times; it also violates the 3-2-1 backup rule.

214
MCQ (medium)

A security auditor is reviewing the access controls for a payroll application. The auditor discovers that a single user, the payroll manager, has permissions to both create new employee records and then approve and process salary payments for those records. The company's security policy requires that no single individual should be able to execute both the creation and the approval of a payment for the same employee. Which of the following security principles is the company's policy attempting to enforce?

A. Least privilege
B. Separation of duties
C. Defense in depth
D. Mandatory access control
Answer: B

Separation of duties ensures that no single individual has control over all phases of a critical transaction, reducing the risk of fraud or error.

Why this answer

The company's policy prohibits a single user from both creating employee records and approving payments for them, which is a classic application of separation of duties. This principle ensures that no single individual has the authority to execute two conflicting or sensitive tasks that could lead to fraud or error, such as creating a fictitious employee and then approving a salary payment to that employee. In the context of a payroll application, separation of duties requires distinct roles or users for record creation and payment approval to enforce checks and balances.

Exam trap

The trap here is that candidates often confuse separation of duties with least privilege, but the key distinction is that separation of duties focuses on dividing conflicting tasks among multiple users to prevent fraud, while least privilege focuses on limiting permissions to the minimum needed for a single user's role.

How to eliminate wrong answers

Option A is wrong because least privilege restricts users to only the permissions necessary for their job function, but it does not prevent a single user from having both create and approve permissions if those are required for their role; the policy here is specifically about splitting conflicting tasks, not minimizing permissions. Option C is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, encryption) to protect assets, not a principle that governs how tasks are divided among users to prevent fraud.

215
Multi-Select (hard)

A branch office reports intermittent failures reaching internal sites. DHCP logs show clients receiving leases from an unknown MAC address, and DNS responses for intranet.example resolve to an address owned by the same device. Which two attacks best match the evidence? Select two.

A. A rogue DHCP server is issuing unauthorized lease information.
B. DNS spoofing or poisoning is directing users to the wrong host.
C. A SYN flood is exhausting the DHCP service.
D. A port scan is enumerating exposed services on the branch subnet.
E. Password spraying is attempting many logins with common passwords.
Answers: A, B

Clients are receiving leases from an unknown MAC address, which strongly suggests an unauthorized DHCP server on the network. A rogue server can hand out incorrect gateway, DNS, or lease settings and quickly disrupt connectivity. That makes it a direct match for the observed lease behavior.

Why this answer

A rogue DHCP server on the network can issue unauthorized lease information, causing clients to receive IP configurations from an unknown MAC address. This matches the DHCP log evidence and can lead to intermittent connectivity issues as clients receive conflicting or incorrect network settings.

Exam trap

The trap here is that candidates may confuse DHCP starvation (which exhausts the legitimate pool) with a rogue DHCP server, but the evidence of unknown MAC addresses in leases directly points to an unauthorized server, not resource exhaustion.
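The detection side of this scenario, as an added example that is not part of the original question bank: the script below parses constructed DHCP lease and DNS response records (the log formats, MAC addresses, IP addresses and the `intranet.example` expected address are all assumptions for the sake of the example, not the question's exhibit), flags leases handed out by a server MAC that is not on the authorized list, flags internal names that resolved to an unexpected address, and then correlates the two so the analyst can see that the bad DNS answer points at the same device that issued the rogue leases.

```python
import re

# Constructed sample lease records (hypothetical format, not the question's exhibit):
# "<ts> DHCPACK client=<mac> ip=<ip> server=<mac> server_ip=<ip>"
DHCP_LOG = """\
2024-05-01T09:00:01 DHCPACK client=aa:bb:cc:00:00:01 ip=10.20.30.50 server=00:11:22:33:44:55 server_ip=10.20.30.1
2024-05-01T09:00:07 DHCPACK client=aa:bb:cc:00:00:02 ip=10.20.30.51 server=de:ad:be:ef:00:01 server_ip=10.20.30.200
2024-05-01T09:00:12 DHCPACK client=aa:bb:cc:00:00:03 ip=10.20.30.52 server=00:11:22:33:44:55 server_ip=10.20.30.1
2024-05-01T09:00:20 DHCPACK client=aa:bb:cc:00:00:04 ip=10.20.30.53 server=de:ad:be:ef:00:01 server_ip=10.20.30.200
"""

# Constructed sample DNS response records (hypothetical format):
# "<ts> response qname=<name> answer=<ip> from=<responder ip>"
DNS_LOG = """\
2024-05-01T09:01:00 response qname=intranet.example answer=10.20.30.200 from=10.20.30.200
2024-05-01T09:01:05 response qname=intranet.example answer=10.10.0.25 from=10.20.30.1
2024-05-01T09:01:09 response qname=www.example.com answer=93.184.216.34 from=10.20.30.1
"""

# Assumed allowlist of the branch's legitimate DHCP server and the expected
# address of the intranet host; both are constructed values.
AUTHORIZED_DHCP_MACS = {"00:11:22:33:44:55"}
EXPECTED_INTERNAL = {"intranet.example": "10.10.0.25"}

LEASE_RE = re.compile(r"DHCPACK client=(\S+) ip=(\S+) server=(\S+) server_ip=(\S+)")
DNS_RE = re.compile(r"response qname=(\S+) answer=(\S+) from=(\S+)")


def find_rogue_dhcp(log, authorized):
    """Return {server_mac: {"server_ip": ip, "clients": [client ips]}} for every
    lease issued by a server MAC that is not on the authorized list."""
    rogue = {}
    for line in log.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue
        _client_mac, client_ip, server_mac, server_ip = m.groups()
        if server_mac.lower() in authorized:
            continue
        entry = rogue.setdefault(server_mac.lower(), {"server_ip": server_ip, "clients": []})
        entry["clients"].append(client_ip)
    return rogue


def find_spoofed_dns(log, expected):
    """Return (qname, answer, responder) tuples where an internal name resolved
    to something other than its expected address."""
    findings = []
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        qname, answer, responder = m.groups()
        if qname in expected and answer != expected[qname]:
            findings.append((qname, answer, responder))
    return findings


def correlate(rogue, spoofed):
    """Keep only DNS findings whose answer or responder is one of the rogue
    DHCP servers' own addresses, tying the two pieces of evidence together."""
    rogue_ips = {info["server_ip"] for info in rogue.values()}
    return [f for f in spoofed if f[1] in rogue_ips or f[2] in rogue_ips]


if __name__ == "__main__":
    rogue = find_rogue_dhcp(DHCP_LOG, AUTHORIZED_DHCP_MACS)
    spoofed = find_spoofed_dns(DNS_LOG, EXPECTED_INTERNAL)
    for mac, info in rogue.items():
        print(f"rogue DHCP server {mac} ({info['server_ip']}) leased to {info['clients']}")
    for qname, answer, responder in correlate(rogue, spoofed):
        print(f"{qname} -> {answer} (from {responder}): answer points at the rogue device")
```

In a real deployment the allowlist would come from the network inventory and the records from the DHCP server and resolver logs; the point of the correlation step is that a lease from an unknown MAC and a wrong DNS answer from the same address are two symptoms of one device, which is why both A and B fit the evidence.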

216
MCQ (medium)

Based on the exhibit, which change would best reduce the attack surface of the public web server while preserving remote administration from the internal network?

A. Assign WEB01 a public IP address directly and remove the firewall rules.
B. Move WEB01 into a DMZ and allow only the reverse proxy or load balancer to reach it on HTTPS, with admin access limited to the jump host.
C. Place WEB01 on the same VLAN as user workstations so the firewall can inspect traffic more easily.
D. Keep the server where it is and add outbound web filtering to stop exploitation attempts.
Answer: B

A DMZ creates a separate trust boundary for the internet-facing service, limiting blast radius if the web server is compromised. Restricting inbound access to a proxy or load balancer reduces direct exposure, and allowing administration only from a jump host preserves controlled remote management. This is the strongest architectural improvement in the scenario.

Why this answer

Moving WEB01 into a DMZ and restricting inbound HTTPS traffic to only the reverse proxy or load balancer minimizes the server's exposure to the internet while still allowing external users to access the web application. Admin access from the internal network is preserved by limiting it to a jump host, which provides a controlled, audited entry point. This architecture follows the principle of least privilege and network segmentation, reducing the attack surface without sacrificing necessary functionality.

Exam trap

The trap here is that candidates often think placing a server on a separate VLAN or adding filtering is sufficient, but the key is using a DMZ with a reverse proxy to eliminate direct inbound connections and a jump host to control administrative access.

How to eliminate wrong answers

Option A is wrong because assigning a public IP directly to WEB01 and removing firewall rules would expose the server directly to the internet, vastly increasing the attack surface and eliminating all network-layer protection. Option C is wrong because placing WEB01 on the same VLAN as user workstations would bypass the firewall's ability to segment traffic, exposing the server to lateral movement from compromised workstations and violating the principle of network segregation. Option D is wrong because keeping the server in its current location and adding outbound web filtering does not reduce the inbound attack surface; it only attempts to mitigate exploitation after traffic reaches the server, leaving it directly accessible from the internet.

217
MCQ (hard)

A scan of a web server hosting an internal help-desk portal reports these findings: `/var/www/uploads` is world-writable by the application account, PHP files in that directory are executed by Apache, and the app allows users to upload images without content-type validation. Which issue should be remediated first to most reduce the chance of remote code execution?

A. Outdated browser plug-in on an admin workstation, because it may expose users to drive-by attacks.
B. Default SNMP community string on a printer in a separate VLAN, because it weakens network monitoring.
C. World-writable executable upload path, because an attacker could upload or modify server-executable code in a web-accessible directory.
D. Missing disk encryption on a help-desk laptop, because stolen devices are a common breach source.
Answer: C

The world-writable, web-executable upload path is the most urgent issue because it creates a direct path to remote code execution. If an attacker can place or alter files in a directory that Apache executes, they may be able to run arbitrary server-side code. The lack of content-type validation increases the chance that a malicious payload will be accepted as a harmless file upload.

Why this answer

Option C is correct because the combination of a world-writable upload directory, PHP execution in that directory, and no content-type validation allows an attacker to upload a malicious PHP file (e.g., a web shell) and execute it via the web server, achieving remote code execution. This directly exploits the server's trust in user-supplied files and the execution context of Apache, making it the most immediate and severe risk.

Exam trap

The trap here is that candidates may focus on the 'world-writable' aspect alone, but the critical chain is the combination of writable upload path, PHP execution, and lack of content-type validation, which together enable direct remote code execution; other options are valid security concerns but do not address the immediate RCE risk.

How to eliminate wrong answers

Option A is wrong because an outdated browser plug-in on an admin workstation is a client-side vulnerability that requires user interaction (e.g., visiting a malicious site) and does not directly enable remote code execution on the web server itself. Option B is wrong because a default SNMP community string on a printer in a separate VLAN primarily exposes network configuration data and could allow information disclosure or denial of service, but it does not provide a path to execute arbitrary code on the help-desk portal server. Option D is wrong because missing disk encryption on a help-desk laptop addresses data-at-rest protection against physical theft, which is a different threat vector (confidentiality breach) and does not mitigate remote code execution on the live web server.

218
Matching (medium)

Match each vendor-risk concern to the contractual control that best addresses it. 1. The company wants the right to review the vendor's controls and supporting records after the contract is signed. 2. The company wants to know when the vendor will use subcontractors that may touch its data. 3. The company wants written notice within 24 hours if the vendor suffers an incident affecting company data. 4. The company wants assurance that the vendor's controls are independently assessed each year.


Concepts and matches

Right-to-audit clause: concern 1 (review the vendor's controls and records after signing)

Subprocessor disclosure requirement: concern 2 (notice when subcontractors may touch company data)

Breach-notification clause: concern 3 (written notice within 24 hours of an incident)

SOC 2 Type II report: concern 4 (independent annual assessment of the vendor's controls)

Why these pairings

Right to audit allows reviewing controls; subcontractor clause requires notification; incident clause mandates timely breach notification; independent assessment ensures annual audits; DPA covers data protection; SLA defines service levels.

219
MCQ (medium)

A security architect is redesigning the network for a payment card processing environment. The goal is to create a cardholder data environment (CDE) that is isolated from the rest of the corporate network to reduce PCI DSS scope. The CDE will contain only the payment application servers and the database storing credit card numbers. The architect must allow authorized administrators in the corporate network to perform updates and monitoring on the CDE servers. Which of the following network architecture designs provides the strongest isolation while still meeting the requirement for authorized administrative access?

A. Place the CDE servers on a separate subnet within the same VLAN as the corporate network, and rely on host-based firewalls on each server to deny all traffic except from specific administrative IP addresses.
B. Deploy a dedicated firewall that connects the corporate network to an isolated CDE segment. Configure firewall rules to allow only SSH and RDP from a specific jump box in the corporate network to the CDE servers, and deny all other inbound traffic from the corporate network.
C. Place the CDE servers on a separate VLAN with a Layer 3 switch that uses ACLs to allow only ICMP traffic from the corporate network to the CDE for monitoring, and require administrators to physically connect to the CDE network via a dedicated console server.
D. Connect the CDE servers directly to the internet through a web application firewall (WAF), and require all management access to occur through a cloud-based VPN with two-factor authentication.
Answer: B

A dedicated firewall provides strong network-level segmentation between the corporate network and the CDE. Using a jump box (bastion host) as the sole admin entry point limits exposure and allows for centralized logging and auditing. This design meets both isolation and authorized access requirements.

Why this answer

Option B is correct because it uses a dedicated firewall to create a true network isolation boundary between the corporate network and the CDE, which is a core PCI DSS requirement for reducing scope. By allowing only SSH and RDP from a specific jump box, it enforces strict least-privilege administrative access while preventing any direct or uncontrolled traffic from the corporate network. This design ensures that the CDE is a separate, protected segment with a single controlled entry point, meeting both isolation and authorized access needs.

Exam trap

The trap here is that candidates often think VLANs with ACLs (Option C) provide sufficient isolation, but PCI DSS requires a clear network segmentation boundary enforced by a firewall, not just Layer 3 ACLs or host-based controls.

How to eliminate wrong answers

Option A is wrong because placing CDE servers on a separate subnet within the same VLAN as the corporate network does not provide true isolation; VLANs share the same broadcast domain and rely on host-based firewalls, which are not sufficient for PCI DSS network segmentation and can be bypassed if the host is compromised. Option C is wrong because allowing only ICMP traffic from the corporate network does not enable the required administrative access (updates and monitoring typically need SSH, RDP, or similar protocols), and requiring physical console server access is impractical for routine remote administration. Option D is wrong because connecting CDE servers directly to the internet, even with a WAF and cloud VPN, violates PCI DSS requirements for network segmentation and exposes the cardholder data environment to external threats, increasing attack surface and scope.

220
MCQ (easy)

Based on the exhibit, what type of malware is most likely present?

A. Logic bomb
B. Worm
C. Spyware
D. Rootkit
Answer: A

The malicious action is set to occur only when a specific condition is met, in this case a date trigger and a username check. That makes it a logic bomb. Logic bombs stay hidden until a trigger event occurs, then they execute destructive or unauthorized actions such as deleting files.

Why this answer

The exhibit shows a script that checks for a specific employee name and, if the condition is met, deletes critical system files. This is a classic logic bomb: malicious code embedded in a legitimate program that executes when predefined conditions (e.g., a specific user, date, or event) are satisfied. Logic bombs do not self-replicate or continuously spy; they lie dormant until triggered.

Exam trap

The trap here is that candidates confuse a logic bomb with a worm because both can cause damage, but they fail to recognize that a logic bomb requires a specific trigger condition and does not self-replicate, unlike a worm which spreads automatically.

How to eliminate wrong answers

Option B (Worm) is wrong because a worm self-replicates and spreads across networks without user interaction, whereas this script requires manual execution and does not propagate. Option C (Spyware) is wrong because spyware covertly collects user data (e.g., keystrokes, browsing habits) and sends it to an attacker, but this script destroys files without exfiltrating information. Option D (Rootkit) is wrong because a rootkit hides its presence and provides persistent privileged access by modifying OS kernel or system calls, whereas this script is a simple conditional deletion routine with no stealth or persistence mechanisms.

221
MCQ (hard)

Based on the exhibit, which indicator should the security team prioritize for endpoint detection and hunting? The attacker rotates infrastructure frequently, but one artifact has remained consistent across recent investigations.

A. The current source IP addresses hosting the payloads
B. The unique mutex name created by the malware on infected endpoints
C. The exact wording of the latest phishing email lure
D. The filename of the attachment used in the most recent incident
Answer: B

The mutex is a host-based artifact that the malware consistently creates, making it a stronger and more durable detection point than rotating domains or repacked hashes.

Why this answer

Option B is correct because a mutex (mutual exclusion object) is a unique artifact created by malware to prevent multiple instances of itself from running on the same endpoint. Since the attacker rotates infrastructure frequently (IPs, domains, filenames), the consistent mutex name provides a stable indicator of compromise (IoC) that can be used for endpoint detection and hunting across different incidents. This makes it a reliable signature for identifying the same malware family or variant even when other indicators change.

Exam trap

The trap here is that candidates focus on easily changed artifacts (IPs, filenames, email content) rather than recognizing that mutexes are often hardcoded in malware binaries and persist across infrastructure changes, making them a more stable indicator for detection.

How to eliminate wrong answers

Option A is wrong because source IP addresses hosting payloads are frequently rotated by attackers (e.g., using fast-flux DNS or cloud instances), making them unreliable for persistent detection. Option C is wrong because the exact wording of phishing email lures can be easily altered by attackers in subsequent campaigns, and email content is often filtered or modified by security gateways, reducing its forensic value. Option D is wrong because filenames of attachments are trivial to change (e.g., using random or polymorphic naming), and attackers often use different filenames in each wave to evade signature-based detection.

222
MCQ (easy)

A user downloads a company software update and wants to verify it really came from the vendor and was not changed in transit. Which cryptographic feature should they check?

A. A digital signature from the vendor
B. A longer filename with the vendor name in it
C. A larger file size than the previous update
D. A password protected ZIP file
Answer: A

A digital signature lets the user verify both the source and the integrity of the update. If the signature is valid, the file was signed by the expected private key holder and has not been altered since signing.

Why this answer

A digital signature from the vendor provides cryptographic proof of both authenticity (the file originated from the claimed vendor) and integrity (the file has not been altered in transit). The vendor signs the file with their private key, and the user verifies the signature using the vendor's public key; if the signature is valid, the file is genuine and unchanged.

Exam trap

The trap here is that candidates confuse file properties (name, size) or simple access controls (password protection) with cryptographic verification, overlooking that only a digital signature provides non-repudiation and tamper evidence.

How to eliminate wrong answers

Option B is wrong because a longer filename containing the vendor name is trivial to forge and provides no cryptographic assurance of origin or integrity. Option C is wrong because a larger file size does not prove authenticity; an attacker can easily modify the update and increase its size. Option D is wrong because a password-protected ZIP file only restricts access via the password; it does not cryptographically bind the file to a specific vendor or protect against tampering in transit.

223
MCQ (medium)

A SOC analyst reviews an alert on a workstation where PowerShell launched from a scheduled task, downloaded an encoded command from a remote server, and then spawned rundll32.exe. Traditional antivirus did not flag any files on disk, and the activity stops after rebooting the host. Which type of malware behavior best fits this event?

A. Worm behavior that is spreading through SMB shares
B. Fileless attack using trusted system tools to run malicious code in memory
C. Rootkit that is hiding itself by modifying kernel drivers
D. Trojan that can only run after a user manually opens a malicious attachment
Answer: B

This matches a fileless attack because the malicious activity relies on built-in tools like PowerShell and rundll32 rather than an obvious executable on disk. The alert shows code being fetched and executed from memory, which often evades traditional file-based antivirus detection. The fact that the behavior disappears after reboot further supports a memory-resident, fileless technique.

Why this answer

The attack uses PowerShell to download and execute an encoded command directly in memory, then spawns rundll32.exe—both are trusted Microsoft binaries. No files are written to disk, and the activity ceases after reboot, which are hallmarks of a fileless malware attack that operates entirely in volatile memory.

Exam trap

The trap here is that candidates may associate any scheduled task or PowerShell activity with a worm or Trojan, but the key differentiator is the absence of disk writes and the use of memory-only execution, which is the defining characteristic of a fileless attack.

How to eliminate wrong answers

Option A is wrong because worm behavior spreading through SMB shares typically involves file-based replication and network scanning (e.g., EternalBlue), not a scheduled task launching PowerShell to download an encoded command and spawn rundll32.exe. Option C is wrong because a rootkit that modifies kernel drivers would persist across reboots and often evade detection by hiding processes or files, but here the activity stops after reboot and no kernel-level modification is indicated. Option D is wrong because a Trojan requiring manual user attachment opening does not match the automated scheduled task trigger and the use of encoded remote commands; the attack is initiated by a scheduled task, not user interaction.

224
MCQ (hard)

To reduce fraud, a finance system requires one user to create a payment batch, a different user to approve it, and a third role to release it to the bank. An audit recommends adding a "super-user" who can perform all three steps to speed month-end close. Which principle would that recommendation most directly weaken?

A. Least privilege
B. Separation of duties
C. Need-to-know
D. Defense in depth
Answer: B

Keeping creation, approval, and release in different roles reduces the chance that one compromised account or one dishonest employee can move money without oversight. The recommended super-user would concentrate those powers into one role and remove the control that forces independent review. That is a direct violation of separation of duties, which is designed to reduce fraud and abuse.

Why this answer

The recommendation to create a super-user who can create, approve, and release payment batches directly violates the separation of duties principle. This principle requires that critical tasks be divided among multiple individuals to prevent any single person from having the ability to commit fraud without collusion. By allowing one user to perform all three steps, the system loses the fraud-prevention control that requires independent actors for each stage of the payment lifecycle.

Exam trap

The trap here is that candidates may confuse least privilege with separation of duties, because both involve limiting access, but separation of duties specifically addresses the division of conflicting tasks to prevent fraud, while least privilege focuses on minimizing permissions for a single role.

How to eliminate wrong answers

Option A is wrong because least privilege is about granting only the minimum permissions necessary to perform a job function, not about dividing tasks among multiple users; the super-user would actually violate least privilege by having excessive permissions, but the question asks which principle is most directly weakened by the recommendation. Option C is wrong because need-to-know controls access to specific data based on job requirements, not the sequence of operational steps; the super-user would still need to know payment details to perform the steps, so this principle is not directly impacted. Option D is wrong because defense in depth is a layered security strategy using multiple controls, and while adding a super-user reduces one layer, the core principle being undermined is the division of critical functions, not the layering of defenses.
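Questions 214 and 224 both turn on the difference between least privilege (does this actor hold the role a step requires?) and separation of duties (has this actor already touched this transaction?). The following is an added example, not code from the question bank, showing how a payment workflow enforces both checks at runtime. The user names, roles and the three-stage create/approve/release flow are constructed for illustration; the point it makes is that a "super-user" holding every role still cannot carry a single batch through two stages, because the separation-of-duties check compares the actor against the prior actors on that batch rather than against a role list.

```python
from dataclasses import dataclass, field
from typing import List, Optional


class SoDViolation(Exception):
    """Raised when one identity tries to perform two stages of the same batch."""


class NotAuthorized(Exception):
    """Raised when the actor lacks the role a stage requires (least-privilege check)."""


# Constructed role assignments (hypothetical users). "dave" models the proposed
# super-user who holds all three roles.
ROLES = {
    "alice": {"creator"},
    "bob": {"approver"},
    "carol": {"releaser"},
    "dave": {"creator", "approver", "releaser"},
}


@dataclass
class PaymentBatch:
    batch_id: str
    amount: float
    # The actor for each stage is recorded so later stages can be checked against it.
    created_by: Optional[str] = None
    approved_by: Optional[str] = None
    released_by: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def _require_role(self, actor, role):
        # Least privilege: the actor must hold the role the stage needs.
        if role not in ROLES.get(actor, set()):
            raise NotAuthorized(f"{actor} lacks role {role}")

    def _require_distinct(self, actor, stage):
        # Separation of duties: the actor may not have acted on this batch before,
        # no matter how many roles they hold.
        prior = {self.created_by, self.approved_by, self.released_by} - {None}
        if actor in prior:
            raise SoDViolation(f"{actor} already acted on batch {self.batch_id}; cannot {stage}")

    def create(self, actor):
        self._require_role(actor, "creator")
        if self.created_by is not None:
            raise ValueError("batch already created")
        self.created_by = actor
        self.log.append(f"created by {actor}")
        return self

    def approve(self, actor):
        self._require_role(actor, "approver")
        if self.created_by is None or self.approved_by is not None:
            raise ValueError("batch not in an approvable state")
        self._require_distinct(actor, "approve")
        self.approved_by = actor
        self.log.append(f"approved by {actor}")
        return self

    def release(self, actor):
        self._require_role(actor, "releaser")
        if self.approved_by is None or self.released_by is not None:
            raise ValueError("batch not in a releasable state")
        self._require_distinct(actor, "release")
        self.released_by = actor
        self.log.append(f"released by {actor}")
        return self


def run_batch(batch_id, amount, creator, approver, releaser):
    """Drive a batch through all three stages. Returns the audit log on success,
    or the name of the control that refused the request."""
    batch = PaymentBatch(batch_id, amount)
    try:
        batch.create(creator).approve(approver).release(releaser)
    except (SoDViolation, NotAuthorized) as exc:
        return type(exc).__name__
    return batch.log


if __name__ == "__main__":
    print(run_batch("B1", 1000.0, "alice", "bob", "carol"))   # three distinct actors: succeeds
    print(run_batch("B2", 1000.0, "dave", "dave", "dave"))    # super-user: refused at approval
```

Granting "dave" all three roles is the least-privilege failure the audit recommendation introduces; the `_require_distinct` check is the separation-of-duties control that the recommendation would need to remove for the super-user to be of any use, which is why that is the principle most directly weakened.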

225
MCQ (medium)

A user receives a phone call from someone who claims to be a member of the company's IT support team. The caller states that the user's account has been compromised and requests the user's username, password, and the current multi-factor authentication (MFA) code to 'verify identity and secure the account.' Which type of social engineering attack is being attempted?

A. Spear phishing
B. Vishing
C. Pretexting
D. Tailgating
Answer: B

Vishing (voice phishing) is a social engineering attack conducted over the phone. The attacker impersonates a trusted entity to trick the victim into revealing sensitive information such as passwords and MFA codes.

Why this answer

B is correct because vishing (voice phishing) is a social engineering attack conducted over the phone, where the attacker impersonates a trusted entity (IT support) to trick the victim into revealing sensitive information such as credentials and MFA codes. The request for the current MFA code is a key indicator, as it would allow the attacker to bypass multi-factor authentication in real time.

Exam trap

The trap here is confusing vishing with pretexting, as both involve deception, but vishing specifically uses voice (phone) as the attack vector, while pretexting is a broader category that can occur through any communication channel.

How to eliminate wrong answers

Option A is wrong because spear phishing is a targeted email-based attack that uses deceptive messages to trick the recipient into clicking a malicious link or opening an attachment, not a phone call. Option C is wrong because pretexting involves creating a fabricated scenario (pretext) to obtain information, but it is not limited to phone calls and often occurs in person or via email; the question specifically describes a phone call, which is the hallmark of vishing. Option D is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area without proper authentication, not a phone-based social engineering attempt.
