Security+ SY0-701 (SY0-701) — Questions 301375

1152 questions total · 16pages · All types, answers revealed

Page 4

Page 5 of 16

Page 6
301
MCQeasy

Based on the exhibit, what type of threat is the security team most likely seeing on the workstation?

A.Trojan
B.Fileless malware
C.Worm
D.Rootkit
AnswerB

The alert shows PowerShell launching with encoded commands, hidden execution, and no suspicious file written to disk. That behavior strongly suggests fileless malware, which relies on built-in tools and memory rather than dropping a traditional executable. The registry change also indicates persistence without a visible file-based payload.

Why this answer

The security team is most likely seeing fileless malware because the exhibit shows a PowerShell command that injects malicious code directly into memory (e.g., using Invoke-Mimikatz or a reflective DLL injection technique) without writing a persistent executable to disk. Fileless malware operates in-memory, leveraging legitimate system tools like PowerShell, WMI, or .NET to evade traditional signature-based antivirus detection, which matches the scenario described.

Exam trap

The trap here is that candidates often confuse fileless malware with a Trojan because both can use PowerShell, but the key distinction is that fileless malware avoids writing to disk, while a Trojan relies on a dropped executable file.

How to eliminate wrong answers

Option A is wrong because a Trojan is a malicious program disguised as legitimate software that typically writes itself to disk and requires user execution, whereas the exhibit shows code running in memory without a persistent file. Option C is wrong because a worm is a self-replicating malware that spreads across networks by exploiting vulnerabilities, not by executing in-memory scripts on a single workstation. Option D is wrong because a rootkit is designed to hide its presence and maintain privileged access by modifying the operating system kernel or boot process, not by running transient in-memory scripts via PowerShell.

302
MCQmedium

A web application needs to be internet-facing. The web tier must accept public traffic, the application tier should be reachable only from the web tier, and the database must be reachable only from the application tier. Which design best supports this?

A.Put all three tiers on one private subnet and rely on host firewalls.
B.Use a three-tier layout with a DMZ, an application zone, and a database zone separated by firewalls.
C.Place the database in the DMZ so the web tier has lower latency.
D.Use NAT for the database server and allow inbound access from the internet.
AnswerB

This design creates clear trust boundaries and lets each tier communicate only with the next tier as required.

Why this answer

Option B is correct because it implements a classic three-tier architecture with separate security zones (DMZ, application zone, database zone) each protected by firewalls. This ensures that only the web tier in the DMZ accepts public traffic, the application tier is isolated and reachable only from the web tier via firewall rules, and the database tier is further isolated and reachable only from the application tier. This layered defense aligns with the principle of defense in depth and minimizes the attack surface by enforcing strict east-west traffic segmentation.

Exam trap

The trap here is that candidates may assume a single subnet with host firewalls is sufficient for segmentation, but CompTIA tests the understanding that network-level firewalls are required to enforce strict traffic flow between tiers and prevent lateral movement in a multi-tier architecture.

How to eliminate wrong answers

Option A is wrong because placing all three tiers on a single private subnet with only host firewalls fails to provide network-level segmentation; a compromise of the web server would allow direct lateral movement to the application and database servers, bypassing the intended access controls. Option C is wrong because placing the database in the DMZ exposes it directly to public traffic, violating the requirement that the database be reachable only from the application tier and increasing the risk of data exfiltration. Option D is wrong because using NAT for the database server and allowing inbound access from the internet directly contradicts the requirement that the database be reachable only from the application tier; this would expose the database to external threats.

303
Multi-Selecthard

In the finance workflow, one employee can create a payment batch but cannot approve it, and the same person also cannot view employee records that are unrelated to the task. Which two principles are being enforced? Select two.

Select 2 answers
A.Separation of duties, because creation and approval are split between different roles.
B.Need-to-know, because the employee sees only records relevant to the assigned finance task.
C.Least privilege, because every user should have no more than one permission overall.
D.Defense in depth, because multiple security technologies are layered around the finance system.
E.Zero trust, because the employee must always be treated as untrusted by the network.
AnswersA, B

Splitting initiation and approval reduces the chance that one person can commit fraud alone.

Why this answer

Option A is correct because separation of duties is enforced by splitting the payment creation and approval functions between different roles, preventing a single employee from committing fraud by creating and approving a payment without oversight. This principle reduces the risk of unauthorized or malicious actions by requiring collusion for abuse.

Exam trap

The trap here is confusing 'need-to-know' with 'least privilege' — need-to-know limits access to specific data based on job necessity, while least privilege limits the overall permissions (e.g., read vs. write) a user has, and candidates often pick least privilege when the scenario describes data restriction rather than permission minimization.

304
Multi-Selecteasy

During business impact analysis interviews, the team needs two inputs that help determine which business services must recover first after an outage. Which two inputs are the most useful? Select two.

Select 2 answers
A.Recovery Time Objective (RTO)
B.Annualized Loss Expectancy (ALE)
C.Mean Time Between Failures (MTBF)
D.Recovery Point Objective (RPO)
E.Control self-assessment score
AnswersA, D

RTO identifies how quickly a service must be restored to avoid unacceptable business disruption.

Why this answer

Recovery Time Objective (RTO) defines the maximum acceptable downtime for a business service, directly indicating the urgency of recovery. Recovery Point Objective (RPO) defines the maximum acceptable data loss, which influences the recovery strategy and priority. Together, they provide the two critical inputs needed to sequence recovery efforts after an outage.

Exam trap

CompTIA often tests the confusion between RTO/RPO as recovery metrics versus ALE/MTBF as risk or reliability metrics, leading candidates to select ALE because it involves financial loss, when the question specifically asks for inputs to determine recovery priority.

305
MCQmedium

A support agent notices that changing `invoiceId=8842` to `invoiceId=8843` in a portal URL returns another customer's invoice PDF without any additional login prompt. The user is already authenticated to the application. Which vulnerability is most likely present?

A.Cross-site scripting
B.Broken access control
C.SQL injection
D.Cross-site request forgery
AnswerB

Broken access control occurs when the application fails to properly verify whether an authenticated user is allowed to access a specific object or resource. Changing the invoice ID reveals that authorization is missing or weak.

Why this answer

The vulnerability is broken access control (B) because the application fails to verify that the authenticated user is authorized to access the resource identified by `invoiceId=8843`. By simply changing a numeric parameter in the URL, the user can view another customer's invoice PDF without any additional authentication or authorization check. This is a classic insecure direct object reference (IDOR) flaw, which falls under the broader category of broken access control.

Exam trap

The trap here is that candidates often confuse IDOR with SQL injection because both involve manipulating input parameters, but IDOR is about missing authorization checks, not database query injection.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting malicious scripts into web pages viewed by other users, not manipulating URL parameters to access unauthorized resources. Option C is wrong because SQL injection requires the attacker to inject SQL commands into input fields to manipulate the database, whereas here the parameter change directly accesses a different resource without any database manipulation. Option D is wrong because cross-site request forgery (CSRF) tricks an authenticated user into performing unintended actions on a web application, but the scenario describes the user directly changing a URL parameter, not being tricked into submitting a forged request.

306
MCQmedium

Based on the exhibit, what should the security team recommend for the finance workstation pilot?

A.Approve the pilot because the workstations are limited to read-only data and the application is signed.
B.Require the vendor to provide the missing supply-chain documentation or an approved compensating-control plan before approval.
C.Disable segmentation so the pilot can access more systems if troubleshooting is needed.
D.Let the finance director sign an informal email and skip the security review.
AnswerB

The exhibit shows a supply-chain transparency gap, so the organization should not approve based only on convenience. Requiring the missing documentation or a documented compensating-control plan supports informed risk management and reduces the chance of approving software that cannot be adequately assessed.

Why this answer

Option B is correct because the exhibit indicates missing supply-chain documentation for the finance workstation pilot. Without this documentation, the security team cannot verify the integrity and provenance of the hardware and software, which is critical for a pilot involving sensitive financial data. Requiring the vendor to provide the missing documentation or an approved compensating-control plan ensures compliance with supply-chain risk management policies before approval.

Exam trap

The trap here is that candidates may focus on the application being signed or read-only data access (Option A) as sufficient security, overlooking that supply-chain documentation is a foundational requirement for verifying the trustworthiness of the entire workstation, not just the application.

How to eliminate wrong answers

Option A is wrong because read-only data access and signed applications do not eliminate supply-chain risks; missing documentation means the hardware/software origin and integrity are unverified, which could introduce backdoors or tampered components. Option C is wrong because disabling segmentation would violate the principle of least privilege and expose the pilot to unnecessary lateral movement risks, increasing the attack surface for potential threats. Option D is wrong because bypassing the security review via an informal email undermines the entire security program and violates policy, leaving the organization exposed to unvetted risks.

307
MCQmedium

A security manager at a financial services company is proposing a new policy that would require annual background checks for all employees with access to sensitive customer payment data. The proposed policy, if implemented, would increase the organization's operational costs by approximately $200,000 per year. The manager needs to obtain formal approval to implement this policy. Which of the following groups is MOST likely to have the authority to approve this policy and allocate the necessary budget?

A.Board of directors
B.Chief Information Security Officer (CISO)
C.IT steering committee
D.Security operations team
AnswerA

The board of directors has the fiduciary responsibility and ultimate authority to approve significant policy changes that require a substantial budget allocation, such as a $200,000 annual expense for background checks. This is correct because the policy crosses functional areas (security, HR, finance) and requires formal governance approval.

Why this answer

The board of directors holds the ultimate fiduciary responsibility and authority over significant financial commitments and strategic policy changes. A $200,000 annual cost increase requires approval at the highest governance level, as it impacts the organization's budget and risk posture. The board is the only group with the formal power to allocate such a substantial operational expense and approve a new policy affecting all employees with access to sensitive payment data.

Exam trap

The trap here is that candidates often confuse operational authority (CISO) with financial governance authority (board), assuming the CISO can approve any security-related budget without recognizing that large, recurring costs require board-level approval.

How to eliminate wrong answers

Option B is wrong because the CISO typically manages cybersecurity strategy and operations but does not have the authority to approve a $200,000 budget increase or a company-wide policy change; that requires executive or board-level sign-off. Option C is wrong because the IT steering committee focuses on prioritizing IT projects and resource allocation within existing budgets, not on approving new policies with significant financial implications outside their scope. Option D is wrong because the security operations team handles day-to-day incident response and monitoring, not financial approvals or policy ratification at the organizational level.

308
MCQmedium

A company is publishing an internet-facing customer portal that must also query an internal database containing order history. Security wants to reduce the chance that a compromise of the portal exposes the database directly. Which design is the best choice?

A.Place the database in the same subnet as the web server and rely on host-based antivirus.
B.Place the portal in a DMZ and keep the database on an internal network with firewall rules allowing only required traffic.
C.Use NAT so the internal database does not have a public IP address.
D.Move both systems behind a VPN and require users to authenticate before visiting the portal.
AnswerB

This creates a clear trust boundary, limits exposure of the database, and restricts traffic to only the necessary application flow.

Why this answer

Option B is correct because placing the portal in a DMZ and keeping the database on an internal network with firewall rules that permit only required traffic (e.g., specific ports like 1433/TCP for SQL Server or 3306/TCP for MySQL) creates a defense-in-depth architecture. This design ensures that even if the web server is compromised, the attacker cannot directly access the database from the internet, as the internal network is isolated by the firewall and only allows traffic from the DMZ to the database on necessary ports.

Exam trap

The trap here is that candidates often confuse NAT with a security control, thinking it hides the database from attackers, but NAT alone provides no access control or network segmentation, so a compromised portal can still reach the database if they share a network.

How to eliminate wrong answers

Option A is wrong because placing the database in the same subnet as the web server eliminates network segmentation, meaning a compromise of the portal would give an attacker direct Layer 2 access to the database, and host-based antivirus is insufficient to prevent lateral movement or database exploitation. Option C is wrong because NAT only translates private IP addresses to public ones; it does not provide security isolation or prevent an attacker from reaching the database if the portal is compromised, as the database still resides on the same network segment. Option D is wrong because moving both systems behind a VPN and requiring user authentication does not isolate the database from the portal; once authenticated, users (or an attacker who compromises the portal) would have direct network access to the database, violating the principle of least privilege and network segmentation.

309
MCQmedium

After a user installs a free PDF converter from an unofficial site, the browser homepage changes, the endpoint protection agent stops launching, and the system begins making periodic outbound connections to the same unfamiliar IP address. No exploit was used during installation, and the installer appeared legitimate. What type of malware best matches this behavior?

A.Worm, because the infection is spreading automatically across the network.
B.Trojan, because it masquerades as useful software while delivering hidden malicious functionality.
C.Rootkit, because the attacker must have hidden files in the kernel.
D.Spyware, because the main symptom is that the browser homepage changed.
AnswerB

A trojan is designed to look legitimate so users willingly install it, which matches the fake PDF converter. The changed homepage, disabled security tool, and recurring outbound connections are classic signs that the program is not behaving like the advertised utility. Trojans often install additional payloads, create persistence, or open remote access without the user realizing the original software was malicious.

Why this answer

B is correct because the software masquerades as a legitimate PDF converter while secretly performing malicious actions—changing the browser homepage, disabling endpoint protection, and making unauthorized outbound connections. This is the classic definition of a Trojan horse: it appears useful but contains hidden, harmful functionality. The lack of an exploit and the user's voluntary installation further confirm it is a Trojan, not a self-replicating worm or a kernel-hiding rootkit.

Exam trap

The trap here is that candidates may confuse a Trojan with a worm because both can cause network activity, but the key differentiator is that a worm spreads autonomously without user action, whereas a Trojan requires the user to intentionally run the malicious file.

How to eliminate wrong answers

Option A is wrong because a worm self-replicates and spreads automatically across a network without user interaction, whereas this infection required the user to manually install the software. Option C is wrong because a rootkit specifically hides its presence by modifying kernel-level structures (e.g., hooking system calls or hiding processes/files), but the described symptoms—homepage change, disabled endpoint protection, and outbound connections—do not indicate kernel-level concealment. Option D is wrong because spyware primarily focuses on covert data collection (e.g., keystrokes, browsing habits), and while a changed homepage can be a side effect, the core behavior here includes disabling security software and establishing persistent C2 connections, which is more characteristic of a Trojan.

310
MCQmedium

The SOC has contained a mailbox compromise by resetting the password and revoking active sessions. Investigation shows the attacker created an automatic forwarding rule and added an OAuth consent grant. What should happen next to eradicate the threat?

A.Notify all employees to be more careful with email before taking any technical steps.
B.Delete the mailbox and create a new account for the user immediately.
C.Remove the malicious forwarding rule and review or revoke suspicious OAuth app grants.
D.Restore the user's messages from backup and reopen access without further review.
AnswerC

Eradication means removing the adversary's persistence mechanisms and closing the foothold they created. In a mailbox compromise, forwarding rules and unauthorized OAuth consents are common persistence methods. Removing those artifacts, then confirming no other malicious rules or delegated access remain, is the correct next step before returning the account to normal use and monitoring for recurrence.

Why this answer

Option C is correct because the immediate next step after containment is to remove the attacker's persistence mechanisms. The malicious forwarding rule (which exfiltrates emails via SMTP) and the OAuth consent grant (which provides persistent API access) must be removed to fully eradicate the threat. Simply resetting the password and revoking sessions does not remove these backdoors, as OAuth grants persist independently of user credentials.

Exam trap

The trap here is that candidates assume a password reset and session revocation fully remediate the compromise, overlooking the fact that OAuth consent grants and mailbox forwarding rules are independent persistence mechanisms that must be explicitly removed.

How to eliminate wrong answers

Option A is wrong because notifying employees to be more careful is a general awareness step, not a technical eradication action, and it delays removing the attacker's active persistence mechanisms. Option B is wrong because deleting the mailbox and creating a new account is an overly destructive step that destroys forensic evidence and disrupts business operations; the correct approach is to surgically remove the malicious rules and grants while preserving the mailbox for investigation. Option D is wrong because restoring from backup and reopening access without reviewing or removing the forwarding rule and OAuth grant would re-introduce the same persistence mechanisms, leaving the compromise active.

311
MCQhard

Based on the exhibit, which control type best describes the jump host requirement?

A.Preventive control, because the jump host blocks unauthorized access before it reaches the payroll server.
B.Detective control, because session recording helps the team discover misuse after the fact.
C.Compensating control, because the jump host provides an alternate safeguard when the application cannot enforce MFA directly.
D.Directive control, because the administrators are being instructed to use a specific access path.
AnswerC

The jump host is a compensating control because it reduces risk by providing an alternate security measure when the original control cannot be implemented on the legacy payroll application. MFA, logging, and session recording on the jump host help offset the application's limitation without requiring a risky replacement. The goal is risk reduction through a substitute safeguard.

Why this answer

The jump host is implemented as a compensating control because the payroll server's application cannot natively enforce multi-factor authentication (MFA). Instead of leaving the server unprotected, the jump host provides an alternative security layer by requiring MFA at the jump host level, thereby compensating for the application's limitation. This aligns with the NIST definition of compensating controls as alternative safeguards that mitigate risks when primary controls are infeasible.

Exam trap

The trap here is that candidates confuse the jump host's session recording (a detective feature) with the primary reason for its deployment, which is to compensate for the lack of MFA on the payroll server.

How to eliminate wrong answers

Option A is wrong because a jump host does not block unauthorized access directly; it enforces authentication and session control, but it is not a preventive control like a firewall ACL or network segmentation that denies traffic before it reaches the target. Option B is wrong because session recording is a detective control, but the question asks about the jump host requirement itself, not the recording feature; the jump host's primary purpose is to enforce MFA, not to discover misuse after the fact. Option D is wrong because a directive control is a policy or instruction (e.g., a written security policy), not a technical mechanism; the jump host is a technical implementation, not a written directive.

312
MCQmedium

Based on the exhibit, which change best helps the company meet its recovery objectives after a ransomware event?

A.Increase the retention period on the existing NAS backups to one year.
B.Move backups to an immutable, offline or logically isolated repository and test restores regularly.
C.Store the backup administrator password in a shared team spreadsheet so more staff can restore data quickly.
D.Replace the nightly full backup with a longer full backup window to capture more data each day.
AnswerB

An isolated, immutable backup target reduces the chance that ransomware can encrypt or delete backups. Regular restore testing confirms that the company can actually recover within the stated RTO and RPO. Because the current repository is domain-joined and reachable over SMB, it is too exposed. Isolation and tested recovery provide the strongest practical resilience improvement.

Why this answer

Option B is correct because ransomware often encrypts or deletes accessible backups. An immutable, offline, or logically isolated repository prevents attackers from modifying or deleting backup data, ensuring a clean recovery point. Regularly testing restores validates that the backups are functional and meet recovery objectives (RTO/RPO).

This aligns with the 3-2-1 backup rule and NIST SP 800-184 guidance for ransomware recovery.

Exam trap

The trap here is that candidates often assume longer retention or more frequent backups alone improve recovery, but they overlook the need for isolation and immutability to protect against ransomware's ability to target accessible backup data.

How to eliminate wrong answers

Option A is wrong because increasing the retention period on existing NAS backups does not protect them from being encrypted or deleted by ransomware if the NAS is network-accessible; retention alone does not provide immutability or isolation. Option C is wrong because storing the backup administrator password in a shared team spreadsheet violates the principle of least privilege and introduces a security risk; it does not improve recovery speed or integrity and could lead to unauthorized access or credential theft. Option D is wrong because replacing the nightly full backup with a longer full backup window does not inherently improve recovery objectives; it may increase the backup window and data captured but does not address ransomware resilience, and longer backups can increase exposure to corruption or encryption during the backup window.

313
MCQeasy

A customer portal must continue operating if one application server fails. The business wants a simple, cost-conscious design that improves availability. What is the best approach?

A.Add a second application server behind a load balancer.
B.Schedule nightly backups to a different storage account.
C.Buy a larger server with more CPU and memory.
D.Move the portal to a different subnet without changing the servers.
AnswerA

This is the best answer because it adds redundancy and allows traffic to continue flowing if one application server goes down. A load balancer can route users to the healthy server, which improves availability without requiring a much more expensive architecture. For a simple portal, this is a practical fault-tolerance upgrade that reduces the impact of a single server failure.

Why this answer

Adding a second application server behind a load balancer creates an active-passive or active-active cluster that provides redundancy. If one server fails, the load balancer automatically redirects traffic to the healthy server, ensuring continuous operation. This design is cost-conscious because it uses commodity servers rather than expensive vertical scaling, and it directly improves availability by eliminating the single point of failure.

Exam trap

The trap here is that candidates often confuse data protection (backups) with high availability (redundancy), or they think vertical scaling (bigger server) is a simpler solution, but the exam specifically tests the concept of eliminating a single point of failure through horizontal scaling and load balancing.

How to eliminate wrong answers

Option B is wrong because nightly backups to a different storage account protect against data loss but do not provide real-time failover or maintain service availability during a server failure. Option C is wrong because buying a larger server (vertical scaling) still leaves a single point of failure; if that one server fails, the portal goes down regardless of its size. Option D is wrong because moving the portal to a different subnet changes the network topology but does not add redundancy or failover capability; the same single server remains the sole point of failure.

314
MCQeasy

A vulnerability scan finds a critical flaw on an internet-facing SFTP gateway with public exploit code, and a high-severity flaw on an internal lab server that is only reachable from a restricted subnet. Which should be remediated first?

A.The internal lab server, because every high-severity finding should be fixed first.
B.The internet-facing SFTP gateway, because it has higher immediate risk.
C.Both systems can wait until the next scheduled maintenance window.
D.Neither system needs urgent action because the lab server is isolated.
AnswerB

Public exposure and known exploit code make the gateway the more urgent business risk.

Why this answer

The internet-facing SFTP gateway has a critical vulnerability with public exploit code, meaning it is exposed to the entire internet and can be directly attacked without any network restrictions. This creates an immediate and high-likelihood risk of remote code execution or data breach, whereas the internal lab server is isolated to a restricted subnet, significantly reducing its attack surface and exploitability. Remediation priority should be based on risk severity (likelihood × impact), not just CVSS score, making the SFTP gateway the correct first choice.

Exam trap

The trap here is that candidates fixate on the CVSS severity score (high vs. critical) without factoring in exposure, exploitability, and network segmentation, leading them to incorrectly prioritize the internal server over the internet-facing gateway.

How to eliminate wrong answers

Option A is wrong because it incorrectly assumes that all high-severity findings should be fixed first regardless of exposure; in reality, a critical flaw on an internet-facing system with public exploit code poses far greater immediate risk than a high-severity flaw on an isolated internal server. Option C is wrong because delaying remediation for a critical, internet-exposed vulnerability with known exploit code until the next scheduled maintenance window is unacceptable; such flaws require immediate action to prevent likely compromise.

315
MCQhard

Based on the exhibit, what is the most likely conclusion after correlating the logs? A configuration-management task ran from a jump host and generated repeated login alerts on target servers. The SOC wants to determine whether this is malicious activity or approved automation.

A.This is a true brute-force attack because any failed login must be malicious.
B.This is a likely false positive caused by approved automation, so the alert should be correlated with the change window.
C.This indicates DNS poisoning because both servers were contacted from the same source IP.
D.This is proof of ransomware spreading laterally over SMB.
AnswerB

The alert lines up with an approved maintenance window, a known jump host, and a documented configuration-management account that should only be used by automation. The mixed failed-and-successful logins are consistent with scripts negotiating authentication rather than an intruder guessing passwords. The SOC should confirm the change record, document the benign cause, and adjust correlation rules if this pattern recurs.

Why this answer

Option B is correct because the logs show repeated login attempts from a jump host, which is a common pattern for configuration-management tools (e.g., Ansible, Puppet) that execute tasks across multiple servers. The SOC should correlate these events with the approved change window to confirm they are part of legitimate automation, not malicious activity. Failed logins alone do not indicate a brute-force attack, as automation scripts may retry connections or use cached credentials that occasionally fail due to network latency or credential rotation.

Exam trap

The trap here is that candidates assume any failed login attempt is malicious, but the SY0-701 exam tests the ability to correlate logs with operational context (e.g., change windows, known source IPs) to identify false positives from legitimate automation.

How to eliminate wrong answers

Option A is wrong because it assumes any failed login is malicious, ignoring that automation tools often generate failed login events due to transient issues (e.g., credential caching, network timeouts) and that a true brute-force attack would show a high volume of rapid, sequential attempts from an external or unexpected source IP. Option C is wrong because DNS poisoning involves manipulating DNS responses to redirect traffic to malicious IPs, which is unrelated to repeated login alerts from a jump host; the same source IP contacting multiple servers is normal for centralized management. Option D is wrong because ransomware spreading laterally over SMB would show evidence of file writes, encryption activity, or SMB session enumeration (e.g., using tools like PsExec or EternalBlue), not simply repeated login alerts from a jump host.

316
MCQmedium

A help desk technician receives a phone call from someone who claims to be the CFO. The caller says they are traveling, cannot access their MFA app, and needs the technician to reset the account immediately. They also ask the technician to read back the one-time code sent to the executive's phone so they can "verify identity." What type of attack is this most likely?

A.Pretexting
B.Vishing
C.Smishing
D.Baiting
AnswerB

Vishing is voice-based phishing, and this attack uses a phone call to pressure the technician.

Why this answer

This is vishing (voice phishing) because the attacker uses a phone call to impersonate a trusted executive (the CFO) and manipulates the technician into bypassing MFA controls. The request to read back the one-time code is a classic social engineering tactic to capture a valid OTP, which the attacker can then use to authenticate as the CFO.

Exam trap

The trap here is that candidates may confuse vishing with pretexting, but vishing is the specific attack vector (voice call) while pretexting is the broader deception technique—the question asks for the type of attack, which is vishing.

How to eliminate wrong answers

Option A is wrong because pretexting is a broader category of fabricating a scenario to obtain information, but vishing is the specific delivery method (voice call) used here. Option C is wrong because smishing uses SMS/text messages, not a phone call. Option D is wrong because baiting involves offering something enticing (like a free USB drive) to trick a victim, not impersonating an authority figure over the phone.

317
MCQeasy

After a server rebuild, a Windows administrator notices several unneeded services are still enabled, including Remote Registry and Print Spooler on a server that only hosts a database. What should the administrator do to reduce attack surface and keep the build consistent?

A.Install additional endpoint monitoring agents to compensate for the extra services.
B.Apply the approved secure baseline and disable unnecessary services.
C.Increase the disk encryption key size to protect the running services.
D.Move the server to a different subnet and leave the configuration unchanged.
AnswerB

A secure baseline defines the required hardened configuration and removes services that are not needed.

Why this answer

Applying an approved secure baseline and disabling unnecessary services (Option B) directly reduces the attack surface by removing potential entry points like Remote Registry (which allows remote modification of the registry) and Print Spooler (which has known privilege escalation vulnerabilities, e.g., CVE-2021-34527). This also ensures build consistency by enforcing a standardized configuration across all servers, which is critical for compliance and manageability in a Windows environment.

Exam trap

The trap here is that candidates may think adding monitoring or moving subnets compensates for insecure configurations, but the SY0-701 exam emphasizes that reducing attack surface requires removing unnecessary services, not just detecting or isolating them.

How to eliminate wrong answers

Option A is wrong because installing additional endpoint monitoring agents does not reduce the attack surface; it only adds detection capability for threats that exploit the unneeded services, leaving the vulnerabilities in place. Option C is wrong because increasing disk encryption key size (e.g., from AES-128 to AES-256 for BitLocker) protects data at rest but does not affect running services or reduce the attack surface from enabled network-facing services. Option D is wrong because moving the server to a different subnet does not disable the unnecessary services; it only changes network segmentation, and the services remain enabled and exploitable if an attacker gains access to that subnet.

318
MCQmedium

Based on the exhibit, which document type should define the exact encryption algorithm and minimum key length for all company laptops?

A.Policy
B.Standard
C.Procedure
D.Guideline
AnswerB

A standard is the correct document for mandatory technical requirements, such as approved algorithms and minimum key lengths, because it sets measurable baselines.

Why this answer

A Standard defines mandatory, specific technical requirements such as the exact encryption algorithm (e.g., AES-256) and minimum key length (e.g., 256 bits) that must be enforced on all company laptops. Policies are high-level statements of intent, while Standards provide the measurable, enforceable criteria to implement that intent. In this context, the encryption algorithm and key length are precise technical specifications, not general guidance or step-by-step instructions.

Exam trap

The trap here is that candidates confuse Policy (the 'what') with Standard (the 'how specific'), thinking a high-level statement is sufficient to define exact technical parameters, when in fact Standards are the only document type that mandates precise, measurable technical specifications.

How to eliminate wrong answers

Option A is wrong because a Policy is a broad, high-level statement of management intent (e.g., 'All laptops must be encrypted') and does not specify exact algorithms or key lengths. Option C is wrong because a Procedure is a detailed step-by-step sequence of actions to perform a task (e.g., 'How to enable BitLocker on a laptop'), not a document that defines technical parameters like encryption algorithms. Option D is wrong because a Guideline offers non-mandatory recommendations or best practices (e.g., 'Consider using AES-256'), whereas the question requires a document that defines exact, enforceable requirements.

319
MCQmedium

A company uses four cloud applications and wants employees to sign in once with corporate credentials. The applications should trust the company’s identity platform, and disabling a user in the directory should remove access everywhere without separate password resets. Which architecture should the team implement?

A.Create separate local accounts in each cloud application and synchronize passwords manually.
B.Use federation with single sign-on through the corporate identity provider, such as SAML or OpenID Connect.
C.Configure RADIUS authentication directly on each cloud application so users can reuse one password.
D.Store one shared administrator password for all users in a password vault.
AnswerB

Federation with SSO lets the company authenticate users centrally while each cloud application trusts assertions from the identity provider. That supports one login experience, faster deprovisioning, and consistent enforcement of corporate authentication controls across all apps.

Why this answer

Option B is correct because federation with single sign-on (SSO) using the corporate identity provider (IdP) via SAML or OpenID Connect allows users to authenticate once with their corporate credentials. The cloud applications trust the IdP, so disabling a user in the corporate directory immediately revokes access across all applications without requiring separate password resets. This architecture decouples authentication from the applications and centralizes identity management.

Exam trap

The trap here is that candidates confuse RADIUS (a network access protocol) with web SSO protocols like SAML or OpenID Connect, mistakenly thinking RADIUS can provide centralized web authentication and access revocation across cloud applications.

How to eliminate wrong answers

Option A is wrong because creating separate local accounts in each cloud application with manual password synchronization does not provide single sign-on, does not centralize identity management, and disabling a user in the directory would not automatically remove access everywhere—each application would need separate account management. Option C is wrong because RADIUS is a protocol for network access control (e.g., VPN, Wi-Fi) and is not designed for web application authentication; configuring RADIUS directly on each cloud application would not enable SSO with the corporate identity platform and would require separate password management per application.

320
MCQeasy

Which document tells all employees what they are allowed and not allowed to do when using company systems?

A.Policy
B.Procedure
C.Standard
D.Guideline
AnswerA

A policy states the organization’s high-level rules and expectations for behavior. It tells employees what is permitted, prohibited, or required when using company systems, such as acceptable use, data handling, or password rules. Policies are approved by management and guide the rest of the security program.

Why this answer

A policy is a high-level document that defines mandatory rules and expectations for employee behavior when using company systems. It specifies what is allowed and prohibited, such as acceptable use of email, internet browsing, and data handling, and is enforceable with consequences for non-compliance.

Exam trap

The trap here is that candidates confuse 'policy' with 'procedure' or 'guideline,' thinking that step-by-step instructions or recommendations define allowed versus prohibited actions, but only a policy sets mandatory, enforceable rules for employee conduct.

How to eliminate wrong answers

Option B is wrong because a procedure provides step-by-step instructions for completing a specific task, not a broad set of rules about allowed and disallowed actions. Option C is wrong because a standard defines mandatory technical specifications or configurations (e.g., requiring AES-256 encryption), not behavioral rules for employees. Option D is wrong because a guideline offers recommendations or best practices that are not mandatory, whereas a policy is enforceable and binding.

321
MCQmedium

Based on the exhibit, which social engineering attack is most likely?

A.Phishing, because the message is a broad email that tries to trick the recipient.
B.Spear phishing, because the email is tailored to a specific employee and business context.
C.Vishing, because the attacker is using a phone call to pressure the victim.
D.Baiting, because the attacker is offering a document that the user wants to open.
AnswerB

This is spear phishing because the message is customized for a particular recipient and business process. It references an internal project, uses an invoice theme, and pressures the target to change payment details quickly. That combination of personalization and urgency is designed to increase trust and bypass normal caution.

Why this answer

Option B is correct because spear phishing involves crafting a message that is personalized to a specific individual or role within an organization, often referencing internal processes or names to increase credibility. In the exhibit, the email is addressed to a specific employee and mentions a legitimate-sounding business context (e.g., an internal document or procedure), which is the hallmark of spear phishing rather than a generic blast.

Exam trap

CompTIA often tests the distinction between generic phishing and spear phishing by including a message that appears personalized but still uses broad language, so candidates must look for specific contextual clues like the recipient's name or internal references to identify the targeted nature.

How to eliminate wrong answers

Option A is wrong because phishing typically refers to a mass, untargeted email sent to many recipients, whereas the exhibit shows a message tailored to a specific employee and business context. Option C is wrong because vishing (voice phishing) uses a phone call, not an email, to pressure the victim; the exhibit shows an email message. Option D is wrong because baiting involves offering an enticing item (e.g., a free USB drive or download) to trick the user, not a personalized email requesting action.

322
MCQhard

A security analyst is reviewing firewall logs and notices repeated connection attempts from a single external IP address to multiple internal IP addresses on TCP port 22 (SSH). Each attempt uses a different username but the same password: 'Spring2024!'. The attempts occur sporadically over a 12-hour period. Which type of attack is most likely being observed?

A.Brute-force attack
B.Dictionary attack
C.Password spraying attack
D.Man-in-the-middle attack
AnswerC

Correct. Password spraying involves an attacker trying a small number of commonly used passwords against many different accounts to avoid lockout and evade detection. The use of a single password against many usernames exactly matches this technique.

Why this answer

This is a password spraying attack because the attacker uses a single common password ('Spring2024!') against multiple usernames across different internal IP addresses, attempting to avoid account lockout by spreading attempts over time and targets. Unlike brute-force or dictionary attacks that focus many passwords against a single account, password spraying targets many accounts with a few weak passwords, making it harder to detect via failed login thresholds.

Exam trap

The trap here is that candidates confuse 'multiple passwords against one user' (brute-force/dictionary) with 'one password against multiple users' (password spraying), especially when the scenario mentions 'different username' and 'same password' — a classic sign of a spraying attack.

How to eliminate wrong answers

Option A is wrong because a brute-force attack tries many passwords against a single username, not a single password against many usernames. Option B is wrong because a dictionary attack uses a list of possible passwords against one account, not a single password across multiple accounts. Option D is wrong because a man-in-the-middle attack intercepts or relays communications between two parties, which is not indicated by repeated SSH connection attempts from an external IP.

323
MCQmedium

A project team identifies a new risk with a high likelihood of minor data exposure during a pilot rollout. The impact is low, but the issue would become harder to address after production launch. The business owner wants the project to proceed. What should the risk owner do NEXT?

A.Ignore the issue because the impact is low.
B.Document the risk, assign an owner, and escalate for acceptance or treatment before launch.
C.Wait until after production launch to see whether the issue actually occurs.
D.Transfer the risk by moving the pilot to a different business unit.
AnswerB

This is the best next step because the risk is both identified and still manageable during the pilot. Recording it in the risk register, assigning accountability, and escalating it for acceptance or treatment ensures management makes an informed decision. Since the issue will be harder to fix after production launch, early action is important. This is classic risk governance: identify, document, assign, and decide before exposure expands.

Why this answer

Option B is correct because the risk owner must follow the formal risk management process: document the risk, assign an owner, and escalate it to the business owner for a decision on acceptance or treatment before the pilot launch. Even though the impact is low, the high likelihood and the fact that the issue becomes harder to address post-production mean the risk cannot be ignored or deferred; it requires a documented acceptance or a mitigation plan before proceeding.

Exam trap

The trap here is that candidates assume low impact means the risk can be ignored or deferred, but the high likelihood and the worsening condition post-launch force a formal risk response before proceeding, not after.

How to eliminate wrong answers

Option A is wrong because ignoring a risk with high likelihood, even if impact is low, violates the principle of due care and could lead to cumulative data exposure or compliance issues; risk acceptance must be a conscious, documented decision by the business owner, not a unilateral dismissal. Option C is wrong because waiting until after production launch to see if the issue occurs is reactive and contradicts the proactive risk management approach required by frameworks like NIST SP 800-37, especially when the issue becomes harder to address later. Option D is wrong because transferring the risk by moving the pilot to a different business unit does not eliminate the underlying vulnerability; it merely shifts the exposure to another group without proper risk treatment or acceptance, and the original risk owner remains accountable.

324
MCQmedium

An HR analyst needs to send a payroll reconciliation file to an external auditor. The file contains employee names, SSNs, bank account numbers, and salary details, but the auditor only needs employee IDs, payment totals, and a control total. What should the analyst do first?

A.Encrypt the full spreadsheet and send it without changing the contents.
B.Redact or remove unnecessary sensitive fields before sharing the minimum required data.
C.Compress the file into a password-protected archive and email the password separately.
D.Copy the file to a personal cloud storage account to make sharing easier.
AnswerB

This is the best privacy practice because it follows data minimization and limits exposure to only what is needed.

Why this answer

Option B is correct because the principle of data minimization requires that only the necessary data (employee IDs, payment totals, control total) be shared with the external auditor. Redacting or removing unnecessary sensitive fields (SSNs, bank account numbers, salary details) reduces the risk of exposure and complies with privacy regulations. This step should occur before any encryption or transmission to ensure the auditor never receives data they do not need.

Exam trap

The trap here is that candidates may focus on securing the file (encryption, password protection) rather than on the fundamental security principle of data minimization, leading them to choose options that protect the data in transit but still expose unnecessary sensitive information to the recipient.

How to eliminate wrong answers

Option A is wrong because encrypting the full spreadsheet still exposes all sensitive fields to the auditor, violating the principle of least privilege and potentially breaching data protection policies. Option C is wrong because password-protecting the archive does not remove the unnecessary sensitive data; the auditor would still receive SSNs and bank details, and the password must be transmitted separately, creating additional risk. Option D is wrong because copying the file to a personal cloud storage account bypasses organizational security controls, introduces shadow IT, and does not address the need to limit data shared with the auditor.

325
MCQmedium

An HR analyst must send a compensation spreadsheet to an external auditor. The auditor only needs employee names, departments, and salary totals; Social Security numbers and bank account fields are not required. What should the analyst do before sharing the file?

A.Encrypt the spreadsheet and send the full file as-is to preserve all records.
B.Remove or redact the fields the auditor does not need, then share only the minimum necessary data.
C.Store the file in a shared cloud folder and grant the auditor read-only access.
D.Convert the file to PDF so the sensitive information is harder to edit.
AnswerB

Data minimization is the best practice here. The analyst should provide only the information required for the audit and redact SSNs and bank details that are not needed. This reduces the amount of sensitive data exposed to an external party and lowers the impact of any accidental disclosure. It is the most privacy-conscious and operationally sound choice.

Why this answer

Option B is correct because the principle of data minimization requires sharing only the information necessary for the task. By removing or redacting the Social Security numbers and bank account fields, the analyst reduces the risk of exposing sensitive personally identifiable information (PII) to the external auditor, aligning with least privilege and need-to-know principles.

Exam trap

The trap here is that candidates may focus on security controls like encryption or access restrictions (options A, C, D) without recognizing that the core issue is data minimization—removing unnecessary sensitive data before sharing, not just protecting the file in transit or at rest.

How to eliminate wrong answers

Option A is wrong because encrypting the full file does not address the unnecessary exposure of sensitive fields; the auditor would still receive Social Security numbers and bank account data, violating data minimization. Option C is wrong because storing the file in a shared cloud folder with read-only access still exposes the full dataset, including unnecessary sensitive fields, to the auditor. Option D is wrong because converting to PDF only restricts editing, but the sensitive fields remain visible in the document, failing to remove or redact them.

326
MCQhard

Based on the exhibit, what is the best immediate action for the SOC or IR team? A finance workstation shows evidence of a macro-launched script, followed by file renaming and lateral SMB traffic to two other hosts. The team has not yet determined the full scope of the incident.

A.Isolate the host from the network and revoke its remote access to stop further spread.
B.Restore the workstation from backup immediately before preserving any evidence.
C.Run a vulnerability scan against the subnet to see whether the malware exploited an unpatched service.
D.Notify users to ignore the issue until the next maintenance window because the incident is likely self-limiting.
AnswerA

The workstation shows active compromise with file encryption behavior and outbound lateral movement. Immediate containment should stop additional SMB propagation and protect neighboring systems before deeper analysis begins.

Why this answer

The exhibit shows a macro-launched script, file renaming, and lateral SMB traffic to two other hosts, indicating active lateral movement. Isolating the host (e.g., via network access control or disabling the switch port) immediately stops the spread of the malware to other systems, preserving the ability to investigate without further compromise. This aligns with the first step in incident response: containment before eradication or recovery.

Exam trap

The trap here is that candidates may choose Option C (vulnerability scan) because they think identifying the root cause is the priority, but in an active incident with lateral movement, containment (isolation) must come first per the NIST SP 800-61 incident response framework.

How to eliminate wrong answers

Option B is wrong because restoring from backup before preserving evidence destroys volatile data and artifacts (e.g., memory, logs, renamed files) that are critical for forensic analysis and understanding the attack vector. Option C is wrong because running a vulnerability scan is a slow, passive step that does not address the immediate active threat of lateral movement; it also risks alerting the attacker or consuming network resources during an active incident. Option D is wrong because the incident is not self-limiting—macro-launched scripts and SMB lateral movement indicate an active, potentially spreading threat that requires immediate action, not deferral to a maintenance window.

327
MCQmedium

Procurement is reviewing a new payroll SaaS provider. The business wants independent evidence that the vendor's controls were designed and operating effectively over the last six months. Which document should the security team request?

A.A SOC 2 Type II report from an independent auditor.
B.A software patch list showing recent updates installed on the vendor's servers.
C.A penetration test screenshot showing one web application vulnerability was fixed.
D.An internal email from the vendor's security manager stating that controls are mature.
AnswerA

A SOC 2 Type II report is designed to show both the design and operating effectiveness of controls over a period of time. That makes it especially useful for assessing an ongoing SaaS provider relationship. It gives procurement and security an independent assurance artifact that can support vendor due diligence and third-party risk review.

Why this answer

A SOC 2 Type II report provides independent assurance that a service organization's controls are not only designed appropriately (Type I) but also operating effectively over a specified period, typically six to twelve months. This aligns directly with the procurement team's requirement for evidence of control effectiveness over the last six months, making it the correct choice for evaluating a SaaS vendor's security posture.

Exam trap

The trap here is that candidates may confuse a SOC 2 Type I (design only) with Type II (design and operating effectiveness over time), or mistakenly think a patch list or pentest result provides equivalent assurance for ongoing control effectiveness.

How to eliminate wrong answers

Option B is wrong because a software patch list shows only that updates were applied, not that the vendor's overall controls (e.g., access management, data encryption, incident response) were designed and operating effectively over time. Option C is wrong because a penetration test screenshot showing one vulnerability fixed is a point-in-time snapshot, not a comprehensive, independent assessment of control effectiveness over a six-month period. Option D is wrong because an internal email from the vendor's security manager is self-attestation and lacks the independence and rigor of an external audit; it provides no verifiable evidence of control operation.

328
MCQmedium

A SOC analyst is reviewing logs from a Windows domain controller and notices a large number of failed logon attempts (Event ID 4625) from a single source IP address within a five-minute window. The account names used are random strings such as "a1b2c3", "x9y8z7", etc. The analyst then checks the source IP and finds it is a known external address from a foreign country. Which of the following is the most appropriate next step for the analyst to take?

A.Immediately block the IP address at the perimeter firewall.
B.Investigate whether any of the attempted accounts correspond to actual domain users.
C.Run a full antivirus scan on the domain controller.
D.Notify the company's legal department for law enforcement involvement.
AnswerB

This is the correct first step. If any of the random account names match legitimate domain accounts, it indicates a targeted attack and possible credential compromise. Even if no failures are logged, a successful authentication might have been recorded separately. This investigation guides subsequent containment and remediation.

Why this answer

Option B is correct because the analyst must first determine if any of the randomly generated account names match existing domain user accounts. If a match is found, it indicates a targeted password-spraying or brute-force attack against valid accounts, requiring immediate account lockdown and credential reset. This investigation step aligns with the incident response process of identification before containment or escalation.

Exam trap

The trap here is that candidates may jump to immediate blocking (Option A) as a reflexive security action, but the SY0-701 emphasizes following the incident response process—identify and analyze before containing.

How to eliminate wrong answers

Option A is wrong because immediately blocking the IP at the perimeter firewall without confirming the attack's success or impact may disrupt legitimate traffic and bypasses proper incident response procedures. Option C is wrong because a full antivirus scan on the domain controller addresses malware, not authentication-based attacks like brute-force or password spraying; the logs show failed logon attempts, not signs of infection. Option D is wrong because notifying the legal department for law enforcement involvement is premature before confirming the attack's effectiveness or scope; this step typically occurs after containment and evidence collection.

329
MCQmedium

You are handed a company laptop suspected in an insider theft case. Legal says the evidence may be needed in court. Which action best preserves admissibility?

A.Browse the drive directly on the original laptop to identify the most relevant files.
B.Create a forensic image using a write blocker and record hash values.
C.Email the user asking them to return any copies they may have made.
D.Mount the drive read-write so searching and exporting data will be faster.
AnswerB

A forensic image taken through a write blocker is the best choice because it preserves the original media and reduces the chance of accidental modification. Recording cryptographic hash values before and after acquisition helps prove integrity and supports chain of custody. That combination is standard practice when evidence might be examined in a disciplinary, regulatory, or legal setting.

Why this answer

Option B is correct because creating a forensic image with a write blocker ensures the original evidence remains unaltered, preserving its integrity for court admissibility. Recording hash values (e.g., SHA-256) provides a cryptographic fingerprint that can later verify the image is an exact copy, meeting legal standards for chain of custody and authenticity.

Exam trap

The trap here is that candidates may think direct browsing or read-write mounting is faster and acceptable, but they fail to recognize that any write access—even unintentional—breaks forensic integrity and admissibility in legal proceedings.

How to eliminate wrong answers

Option A is wrong because directly browsing the drive on the original laptop modifies file metadata (e.g., last access time) and risks accidental alteration, which can break the chain of custody and render evidence inadmissible. Option C is wrong because emailing the user does not preserve evidence; it may alert the suspect, leading to data destruction, and provides no forensic integrity or verifiable chain of custody. Option D is wrong because mounting the drive read-write allows write operations that alter the original data, destroying its forensic integrity and making it inadmissible in court.

330
Multi-Selecthard

A Windows file server was rebuilt from a gold image, but later troubleshooting re-enabled Remote Desktop, SMBv1, and the Print Spooler. The security team wants to harden the host and catch the same configuration changes early in the future. Which three actions are the best fit? Select three.

Select 3 answers
A.Disable unnecessary services and remove legacy protocols that are not required.
B.Enforce the approved build with configuration management and drift alerts.
C.Limit administrative access to a dedicated management subnet or jump host.
D.Leave all management ports open so technicians can troubleshoot from anywhere.
E.Turn off logging to reduce the chance that attackers can see the server.
AnswersA, B, C

Disabling Remote Desktop, SMBv1, and the Print Spooler when they are not needed directly reduces attack surface. Legacy protocols and extra services are frequent entry points for attackers. A hardened file server should expose only the functions required for its role and nothing more.

Why this answer

Option A is correct because disabling unnecessary services like the Print Spooler and removing legacy protocols such as SMBv1 directly reduces the attack surface. SMBv1 is known for vulnerabilities like EternalBlue (MS17-010), and the Print Spooler has been exploited in PrintNightmare attacks. This aligns with the principle of least functionality, a core security architecture concept.

Exam trap

The trap here is that candidates may think leaving management ports open (D) is necessary for troubleshooting, but the question asks for hardening and early detection, not convenience, and turning off logging (E) is always a security anti-pattern.

331
MCQmedium

A company is implementing network segmentation to isolate the guest wireless network from the internal corporate network. Which of the following technologies is most appropriate to enforce this separation at Layer 2?

A.VLANs
B.ACLs
C.DMZ
D.VPN
AnswerA

Correct. VLANs create separate broadcast domains at Layer 2, effectively isolating traffic between the guest and corporate networks on the same switch infrastructure.

Why this answer

VLANs (Virtual Local Area Networks) are the correct technology because they operate at Layer 2 (Data Link layer) of the OSI model, allowing network administrators to logically segment a physical switch into multiple isolated broadcast domains. By assigning the guest wireless network to a separate VLAN (e.g., VLAN 100) and the internal corporate network to another (e.g., VLAN 10), traffic between them is blocked at Layer 2 unless explicitly routed through a Layer 3 device with appropriate firewall rules. This directly enforces separation without requiring additional hardware, making VLANs the most appropriate and efficient choice for isolating guest traffic at Layer 2.

Exam trap

The trap here is that candidates often confuse ACLs as a Layer 2 solution because they are commonly used for filtering, but ACLs operate at Layer 3/4 and cannot create broadcast domain isolation; VLANs are the only Layer 2 mechanism listed that directly segments traffic at the Data Link layer.

How to eliminate wrong answers

Option B (ACLs) is wrong because ACLs (Access Control Lists) operate at Layer 3 (Network layer) or higher, filtering traffic based on IP addresses, ports, or protocols, not at Layer 2; they are applied on routers or Layer 3 switches to control routing decisions, not to create isolated broadcast domains. Option C (DMZ) is wrong because a DMZ (Demilitarized Zone) is a network architecture design used to host public-facing services (e.g., web servers) with controlled access from both internal and external networks, not a Layer 2 segmentation technology; it relies on VLANs or firewalls for isolation and does not inherently separate guest and internal traffic at Layer 2.

332
Multi-Selecteasy

A web application must keep running if one application server fails. Management wants the simplest design that automatically switches traffic to a healthy server. Which two choices support that goal? Select two.

Select 2 answers
A.Place the application behind a load balancer with health checks.
B.Run the application on a single server with nightly backups.
C.Deploy at least two application servers in the same service pool.
D.Disable health checks to avoid false failovers.
E.Put the database on the public internet for easier access.
AnswersA, C

A load balancer can send traffic away from a failed server and toward healthy ones. Health checks are important because they let the platform detect when an instance should stop receiving requests.

Why this answer

Option A is correct because a load balancer with health checks can automatically detect a failed application server and redirect traffic to healthy servers, ensuring continuous availability. This is the simplest design that meets the requirement for automatic failover without manual intervention. Health checks typically use HTTP/HTTPS probes or TCP port checks to verify server responsiveness.

Exam trap

The trap here is that candidates may think a single server with backups (Option B) provides high availability, but backups only protect data, not uptime, and failover requires redundant servers and automatic traffic switching.

333
MCQhard

A vendor distributes a Linux package through multiple mirrors. Security wants to verify that the package really came from the vendor and was not altered after publication, even if a mirror or CDN is compromised. Which cryptographic mechanism should be checked?

A.A hash value published on the mirror site alone
B.A digital signature created with the vendor's private key
C.Symmetric encryption of the package with a shared secret
D.Key stretching with a slow password algorithm
AnswerB

A digital signature provides authenticity and integrity. If the package was signed with the vendor's private key, anyone with the matching public certificate can verify that the package came from the vendor and has not been altered since signing. This works even if the download is mirrored or relayed by an untrusted CDN, because verification does not depend on trusting the transport path.

Why this answer

A digital signature created with the vendor's private key provides both authentication (proving the package came from the vendor) and integrity (detecting any alteration after signing). Even if a mirror or CDN is compromised, the signature verification will fail if the package has been tampered with, because only the vendor's corresponding public key can validate the signature. This is the standard mechanism used by package managers like APT (with signed Release files) and RPM (with GPG signatures).

Exam trap

The trap here is that candidates confuse a simple hash (which provides integrity only if the hash source is trusted) with a digital signature (which provides both integrity and authentication even when the distribution channel is untrusted).

How to eliminate wrong answers

Option A is wrong because a hash value published on the mirror site alone provides integrity only if the hash itself is trusted; if the mirror is compromised, an attacker can replace both the package and its hash, making the verification useless. Option C is wrong because symmetric encryption with a shared secret protects confidentiality but does not provide non-repudiation or integrity verification against a compromised mirror; the shared secret would need to be distributed securely, and any party with the key could modify the package undetected. Option D is wrong because key stretching (e.g., PBKDF2, bcrypt) is a technique to slow down brute-force attacks on passwords, not a mechanism for verifying package authenticity or integrity.

334
MCQeasy

A development team stores container images in a registry before deployment. Security wants to reduce the chance of shipping vulnerable libraries or packages inside the image. What should the team do before release?

A.Run the container as root so startup problems are less likely.
B.Scan the image and rebuild it from an approved base image.
C.Open the container port on the host firewall so the image can be reached faster.
D.Add more CPU and memory to the cluster to improve image security.
AnswerB

Scanning and using approved base images helps catch vulnerable packages before deployment.

Why this answer

Scanning the image for known vulnerabilities (CVEs) and rebuilding it from an approved, hardened base image ensures that only trusted, patched libraries and packages are included. This directly reduces the attack surface by eliminating vulnerable components before the image is deployed to production.

Exam trap

The trap here is that candidates may confuse operational practices (like running as root or opening ports) with security controls that directly address software supply chain risks, or mistakenly think that adding resources can compensate for insecure image content.

How to eliminate wrong answers

Option A is wrong because running containers as root violates the principle of least privilege and increases the risk of privilege escalation if the container is compromised. Option C is wrong because opening a container port on the host firewall does not affect the security of the image's contents; it only changes network accessibility and may increase exposure. Option D is wrong because adding CPU and memory resources does not address software vulnerabilities; resource allocation has no impact on the security of libraries or packages within the image.

335
MCQmedium

A security analyst is reviewing the session management implementation of a web application. The application generates session tokens by computing the MD5 hash of the concatenation of the username and the current server timestamp rounded to the nearest hour. An attacker has obtained a valid session token for her own account and discovers that she can forge tokens for other users by simply substituting the username in the hash calculation with a known target username. Which type of attack is the web application most vulnerable to?

A.Session hijacking via cross-site scripting (XSS)
B.Session replay attack
C.Session prediction
D.Session fixation
AnswerC

The session token is generated using the username and a timestamp with low granularity, making it possible for an attacker who knows the algorithm to calculate valid tokens for any user. This is a classic session prediction vulnerability.

Why this answer

The session token is generated using MD5(username + timestamp rounded to the nearest hour). Since the attacker knows her own token and can compute the hash for any username with the same timestamp, she can predict tokens for other users. This is a classic session prediction vulnerability, as the token generation lacks sufficient entropy and relies on predictable inputs.

Exam trap

The trap here is confusing session prediction with session hijacking via XSS or session replay, but the key clue is that the attacker can compute the token herself by substituting the username, which directly indicates a predictable token generation scheme.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting malicious scripts into a web page to steal session tokens, but here the attacker already has a valid token and can forge tokens without needing to execute scripts in another user's browser. Option B is wrong because a session replay attack involves capturing and reusing a valid session token, but the attacker is not replaying a captured token; she is forging new tokens by altering the username in the hash calculation. Option D is wrong because session fixation requires the attacker to set a known session ID for the victim (e.g., via a link or cookie injection), but here the attacker is generating tokens independently, not fixing a session ID for the victim.

336
MCQmedium

After seizing a suspect's laptop, a responder creates a bit-for-bit disk image using a write blocker. The legal team wants the next step that most directly supports evidence integrity for later review. What should the responder do?

A.Open the image file and browse folders to confirm the contents look normal.
B.Compute and document cryptographic hash values for the source and the image.
C.Rename the image file with the case number and store it on a desktop.
D.Run a full antivirus scan on the image before logging it in.
AnswerB

Matching hash values provide a verifiable record that the acquired image has not been altered since collection.

Why this answer

Computing and documenting cryptographic hash values (e.g., SHA-256 or MD5) for both the source drive and the bit-for-bit image creates a digital fingerprint. If the hashes match, it proves the image is an exact, unaltered copy of the original evidence, directly supporting integrity for later review. This step is foundational in forensic acquisition to meet legal standards for admissibility.

Exam trap

The trap here is that candidates may think browsing the image is harmless or that antivirus scans are always safe, but the exam tests the strict forensic requirement to never modify original evidence and to use hashing as the sole direct integrity check.

How to eliminate wrong answers

Option A is wrong because opening the image file to browse folders modifies metadata (e.g., last accessed timestamps) and risks altering the evidence, violating forensic best practices. Option C is wrong because renaming the file and storing it on a desktop does not provide any integrity verification; it only aids organization and may expose the image to accidental modification. Option D is wrong because running an antivirus scan on the image can modify the image file (e.g., by quarantining or deleting detected files), breaking the bit-for-bit integrity, and should only be done on a copy, not the original image.

337
MCQeasy

A customer portal must keep serving requests if one application server stops responding. The team wants traffic to be sent to whichever healthy server is available. Which design should they implement?

A.A load balancer in front of multiple application servers
B.A RAID 1 array in the application server
C.A snapshot of the application server before each update
D.A longer password policy for the portal administrators
AnswerA

A load balancer distributes requests across healthy servers and can stop sending traffic to failed nodes.

Why this answer

A load balancer distributes incoming traffic across multiple application servers and performs health checks (e.g., HTTP GET requests to a /health endpoint) to detect failures. If one server stops responding, the load balancer automatically routes requests only to the remaining healthy servers, ensuring continuous availability. This design directly meets the requirement for fault tolerance and active traffic distribution.

Exam trap

The trap here is that candidates confuse high availability (multiple servers with a load balancer) with data redundancy (RAID) or backup strategies (snapshots), thinking any form of redundancy solves the uptime requirement, but only a load balancer with health checks can actively reroute traffic away from a failed server.

How to eliminate wrong answers

Option B is wrong because RAID 1 (mirroring) provides disk-level redundancy for a single server, not application-level failover across multiple servers; it cannot route traffic away from a failed application server. Option C is wrong because a snapshot captures the state of a server at a point in time for backup or recovery, but it does not provide real-time traffic distribution or automatic failover when a server becomes unresponsive. Option D is wrong because a longer password policy improves authentication security for administrators but has no effect on server availability or traffic routing.

338
Multi-Selecthard

A baseline review found that standard developer accounts are local administrators, unsigned tools can run from user profile folders, and reimaged systems still end up with unauthorized persistence. Which two changes best improve hardening while preserving developer work? Select two.

Select 2 answers
A.Remove local administrator rights from standard user accounts.
B.Enforce application allowlisting for approved executables and scripts.
C.Turn off logging to preserve disk space.
D.Allow unrestricted browser extension installs.
E.Merge all developer and production systems into one VLAN.
AnswersA, B

Removing local admin rights blocks many common persistence and privilege escalation paths. It also reduces the damage a user mistake or malicious script can do on an otherwise managed workstation.

Why this answer

Option A is correct because removing local administrator rights from standard developer accounts enforces the principle of least privilege (PoLP). This prevents developers from making unauthorized system-wide changes, such as installing unsigned tools or creating persistence mechanisms, while still allowing them to perform their work with standard user permissions. This directly addresses the baseline review finding that standard developer accounts are local administrators, which is a common security misconfiguration.

Exam trap

The trap here is that candidates may think removing admin rights alone is sufficient, but the question requires two changes that best improve hardening while preserving developer work, and application allowlisting (Option B) is the second critical control to block unsigned tools from running in user profile folders, which removal of admin rights alone does not address.

339
Matchingmedium

Match each governance need to the document type that best fits. 1. All employees must follow rules for acceptable use of company systems. 2. Every company laptop must use full-disk encryption and a 14-character screen-lock PIN. 3. The service desk follows these exact steps to verify a caller before resetting MFA. 4. Admins are encouraged to place non-production test data in approved folders when practical.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Policy

Standard

Procedure

Guideline

Why these pairings

AUP is a policy for acceptable use; standards are mandatory requirements; procedures are step-by-step instructions; guidelines are recommendations; policy is a high-level directive; baseline defines minimum configurations.

340
Multi-Selecthard

A virtual file server was restored from last night’s backup. The service is online, but some finance users report missing spreadsheet changes and a few files show a 'recovered copy' timestamp. Which two checks should be completed before the team accepts the restore as successful? Select two.

Select 2 answers
A.Compare restored data against backup hashes or a manifest to verify that the copy is complete and uncorrupted.
B.Run an application-level validation test with finance users or sample transactions to confirm the data is usable.
C.Assume the restore is acceptable because the file server is online and users can browse shares.
D.Delete the previous night’s backup so the team will not accidentally restore it again.
E.Expose the restored server directly to the internet so remote users can test it faster.
AnswersA, B

Hash or manifest comparison confirms that the restored files match what was backed up and were not corrupted during storage or recovery. This is a direct integrity check and is more reliable than simply seeing that the server starts. It helps identify silent partial restores.

Why this answer

Option A is correct because comparing restored data against backup hashes or a manifest ensures the data integrity and completeness of the restore process. Even though the file server is online, missing spreadsheet changes and 'recovered copy' timestamps suggest possible corruption or incomplete restoration. Verifying hashes (e.g., SHA-256) against a known-good manifest confirms that every file was restored without bit-rot or truncation, which is a standard post-restore validation step in backup and recovery procedures.

Exam trap

The trap here is that candidates may assume a service being online and shares browsable is sufficient proof of a successful restore, ignoring the need for data integrity verification and application-level validation.

341
MCQmedium

After a new MFA policy rollout, the SIEM generates an alert for five failed logins to a SaaS admin portal from one IP, followed by a successful login to the same account from an IP in another country. The account owner says they were in meetings all day. What should the analyst do first?

A.Disable the account immediately without checking any other logs.
B.Correlate identity provider, VPN, and endpoint logs to validate whether the activity matches the user's normal pattern.
C.Delete the alert because MFA was enabled and the login eventually succeeded.
D.Reimage the user's laptop to remove any possible malware right away.
AnswerB

This is the best first step because triage should validate the alert and establish context before disruptive containment. Correlating identity provider, VPN, and endpoint telemetry can show whether the login came from an expected corporate path, a known remote-access method, or a likely compromise. The analyst can then decide whether account disablement, password resets, or escalation is warranted based on evidence rather than a single suspicious event.

Why this answer

Option B is correct because the alert shows a successful login after five failures from a different country, which is a classic indicator of a potential account takeover. The analyst must correlate identity provider logs (e.g., Okta, Azure AD) for authentication details, VPN logs for network origination, and endpoint logs for device posture to determine if the successful login matches the user's normal behavior. This step validates whether the activity is legitimate or malicious before taking any irreversible action.

Exam trap

The trap here is that candidates assume MFA is infallible and ignore the geographic anomaly, leading them to delete the alert (Option C) or take premature action (Option A or D) without performing proper log correlation.

How to eliminate wrong answers

Option A is wrong because disabling the account immediately without checking other logs could disrupt legitimate access and ignores the possibility of a false positive or a misconfigured MFA policy. Option C is wrong because deleting the alert simply because MFA was enabled and the login succeeded overlooks the fact that MFA can be bypassed (e.g., via session hijacking, token replay, or social engineering), and the geographic anomaly warrants investigation. Option D is wrong because reimaging the laptop is a drastic, premature step that assumes compromise without evidence; the analyst must first confirm whether the successful login originated from the user's device or an attacker's system.

342
Multi-Selectmedium

An organization is developing a business continuity and disaster recovery (BC/DR) plan. Which three of the following are essential elements that should be included to ensure proper management and oversight? (Choose three.)

Select 3 answers
.A list of prioritized critical business functions and their recovery time objectives (RTOs)
.Detailed diagrams of the network topology with IP addresses and firewall rules
.Defined roles and responsibilities for the BC/DR team during an incident
.Procedures for regular testing, such as tabletop exercises or full-scale drills
.A single backup copy stored on the primary server to minimize restoration time
.An inventory of all employee personal devices used for remote work

Why this answer

A list of prioritized critical business functions with their RTOs is essential because it directly drives recovery strategy and resource allocation. Without this, the BC/DR plan lacks measurable recovery targets and cannot ensure that the most vital operations are restored first, which is a core requirement of NIST SP 800-34 and ISO 22301.

Exam trap

Cisco often tests the distinction between operational documentation (like network diagrams) and essential BC/DR governance elements (like RTOs, roles, and testing), tricking candidates into selecting detailed technical artifacts that are not core to plan oversight.

343
MCQmedium

Based on the exhibit, what is the best next control to prevent noncompliant mobile devices from accessing corporate email while still allowing IT to wipe company data from lost phones?

A.Enforce conditional access so only compliant MDM-enrolled devices can reach email and enable selective wipe for corporate data.
B.Require users to set a longer password on the email app and keep the current access policy.
C.Disable email on all mobile devices and force users to use desktop computers only.
D.Rely on a remote full factory reset whenever a device is lost or reported stolen.
AnswerA

Conditional access stops noncompliant or compromised devices from using corporate email even if they have valid credentials. Selective wipe is especially important for BYOD because it removes work data without erasing personal content. Together, these controls support both access control and privacy, which is the correct architectural balance for the scenario.

Why this answer

Option A is correct because it combines conditional access policies (e.g., Azure AD Conditional Access or Intune compliance policies) to block noncompliant devices from accessing corporate email, while using MDM selective wipe to remove only corporate data (e.g., email, documents) without affecting personal data on the device. This approach enforces security without requiring a full device wipe, preserving user privacy and IT control.

Exam trap

The trap here is that candidates often confuse full device wipe with selective wipe, assuming any remote wipe is acceptable, or they underestimate the importance of conditional access to enforce compliance before granting access.

How to eliminate wrong answers

Option B is wrong because requiring a longer password on the email app does not prevent noncompliant devices (e.g., jailbroken, missing patches) from accessing email, and it does not provide selective wipe capability. Option C is wrong because disabling email on all mobile devices is overly restrictive, reduces productivity, and fails to address the need for secure mobile access. Option D is wrong because a remote full factory reset wipes all personal data, violating user privacy and potentially causing data loss, whereas selective wipe targets only corporate data.

344
Multi-Selectmedium

A security architect is evaluating a zero trust architecture (ZTA) for a remote workforce. Which three of the following components are essential to the implementation? (Choose three.)

Select 3 answers
.A policy engine that continuously evaluates trust based on user identity, device health, and context.
.A single, static firewall rule that allows all traffic from the corporate VPN IP range.
.Microsegmentation to limit lateral movement even after initial access is granted.
.A mandatory VPN for all remote users before accessing any resource.
.Encryption of all traffic, including internal east-west communications.
.Implicit trust for all devices that are connected to the internal network.

Why this answer

A policy engine is essential in zero trust architecture (ZTA) because it continuously evaluates trust based on user identity, device health, and context, dynamically granting or denying access. Microsegmentation is critical as it enforces granular access controls between workloads, preventing lateral movement even after an initial breach. Encrypting all traffic, including east-west communications, ensures data confidentiality and integrity across the network, aligning with the ZTA principle of never trusting and always verifying.

Exam trap

Cisco often tests the misconception that a VPN is a core component of zero trust, but ZTA actually replaces VPNs with more granular, identity-based access controls that do not assume network-level trust.

345
MCQmedium

A security analyst at a hospital is reviewing user permissions in the electronic health record (EHR) system. The analyst discovers that all nursing staff accounts are members of the 'Administrators' group, which grants full read and write access to all patient records, as well as the ability to modify system configuration settings. The nursing staff's job responsibilities only require viewing and updating records for patients currently assigned to them. Which security principle is most directly violated by this configuration?

A.Defense in depth
B.Least privilege
C.Non-repudiation
D.Availability
AnswerB

The principle of least privilege dictates that users should have only the minimum permissions needed to perform their duties. Granting nursing staff full administrative rights violates this principle because the staff only need limited, role-specific access to patient records.

Why this answer

The principle of least privilege dictates that users should be granted only the minimum permissions necessary to perform their job functions. In this case, nursing staff only need read and write access to records of currently assigned patients, but membership in the 'Administrators' group grants full read/write access to all patient records and the ability to modify system configuration settings, which far exceeds their job requirements. This directly violates least privilege by providing excessive, unnecessary privileges that increase the risk of unauthorized access or accidental misconfiguration.

Exam trap

The trap here is that candidates may confuse 'least privilege' with 'defense in depth' because both are security principles, but defense in depth is about multiple layers of protection, not about limiting user permissions to the minimum necessary.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, encryption) to protect assets; it is not directly about user permission levels. Option C is wrong because non-repudiation ensures that a user cannot deny an action, typically through digital signatures or audit logs; it does not address the scope of permissions granted. Option D is wrong because availability ensures that systems and data are accessible when needed, often through redundancy and fault tolerance; while excessive permissions could indirectly affect availability (e.g., accidental misconfiguration), the core violation here is about privilege scope, not uptime or access reliability.

346
MCQmedium

A legacy payroll application cannot support multifactor authentication yet, but the business still needs to reduce risk while the application is being modernized. The security team limits access to a hardened jump host, requires manager approval for access requests, and adds extra logging until the application can be upgraded. What type of control is this?

A.Corrective control
B.Compensating control
C.Deterrent control
D.Preventive control
AnswerB

A compensating control is an alternative safeguard used when the preferred or required control cannot be implemented yet. Here, MFA is not supported by the legacy application, so the team reduces risk using a hardened jump host, approval workflow, and enhanced logging. Those measures do not replace MFA completely, but they provide a reasonable temporary risk reduction until the system is upgraded.

Why this answer

Compensating controls are alternative security measures implemented when primary controls (like MFA) cannot be applied due to technical limitations. In this scenario, the jump host restriction, manager approval, and enhanced logging serve as compensating controls to reduce risk until the legacy payroll application can be modernized to support MFA.

Exam trap

The trap here is that candidates may confuse compensating controls with preventive controls, mistakenly thinking that the jump host and approval process are directly preventing unauthorized access, when in fact they are alternative measures compensating for the missing MFA capability.

How to eliminate wrong answers

Option A is wrong because corrective controls are designed to remediate or reverse the effects of an incident after it has occurred (e.g., restoring from backup), not to reduce risk proactively while awaiting modernization. Option C is wrong because deterrent controls aim to discourage potential attackers through visible warnings or threats (e.g., security cameras, warning banners), not to provide alternative access restrictions and logging. Option D is wrong because preventive controls are intended to block security violations outright (e.g., firewalls, access control lists), but here the legacy application cannot support MFA, so a direct preventive control is not feasible; compensating controls are used instead.

347
MCQhard

Based on the exhibit, which cryptographic mechanism provides proof that the update came from the vendor and was not altered?

A.Hashing, because matching SHA-256 values alone prove the file came from the vendor.
B.Symmetric encryption, because only the vendor and the customer share the secret key.
C.Digital signature, because only the vendor's private key can produce the verified signature.
D.Salting, because adding random data makes the update file easier to trust.
AnswerC

Digital signature is correct because the signature check proves both integrity and authenticity. The vendor signs the update with a private key, and anyone with the matching public key can verify that the file has not changed and that the signer possessed the private key. That is exactly the proof of origin the audit note is asking for.

Why this answer

Option C is correct because a digital signature uses the vendor's private key to sign the update, and the customer verifies it using the vendor's public key. This asymmetric cryptographic mechanism ensures both authenticity (the update came from the vendor) and integrity (the update was not altered), as only the vendor's private key can produce a signature that validates with the corresponding public key.

Exam trap

The trap here is that candidates confuse hashing with digital signatures, thinking that a hash match alone proves the source, when in fact hashing only verifies integrity, not authenticity or non-repudiation.

How to eliminate wrong answers

Option A is wrong because hashing alone provides integrity (detecting changes) but does not prove the source; an attacker could replace both the file and its hash, and SHA-256 values matching only show the file hasn't changed, not that it came from the vendor. Option B is wrong because symmetric encryption uses a shared secret key, which does not provide non-repudiation or proof of origin; both the vendor and customer possess the same key, so the customer cannot prove the update came specifically from the vendor. Option D is wrong because salting adds random data to passwords or hashes to prevent rainbow table attacks, but it does not provide any mechanism for authentication or integrity verification of an update file.

348
MCQmedium

A cloud-hosted application allows users to submit a URL for image processing. Logs show repeated requests such as `http://169.254.169.254/latest/meta-data/` and `http://localhost/admin`. The server is making outbound requests on behalf of the user input. What is the best defensive control to implement?

A.Allow any URL that returns a valid HTTP status code
B.Use a strict allowlist for outbound destinations and block link-local metadata addresses
C.Escape all quotation marks before sending the request
D.Require users to change their passwords after each upload
AnswerB

This is the best defense because the application is making server-side requests based on user input. A strict allowlist limits which external destinations the service may reach, and blocking link-local or internal addresses prevents access to sensitive metadata services and localhost resources. This directly reduces the risk of server-side request forgery in cloud environments.

Why this answer

The requests target the AWS EC2 instance metadata service (169.254.169.254) and localhost, which are classic Server-Side Request Forgery (SSRF) attacks. By using a strict allowlist for outbound destinations and explicitly blocking link-local metadata addresses, the application prevents the server from making unauthorized requests to internal or cloud metadata endpoints, thereby mitigating SSRF.

Exam trap

The trap here is that candidates may confuse SSRF with injection attacks and choose a sanitization option like escaping quotation marks, but the real vulnerability is the server's ability to make outbound requests to arbitrary destinations, which requires network-level controls.

How to eliminate wrong answers

Option A is wrong because allowing any URL that returns a valid HTTP status code would permit SSRF attacks, as attackers can craft URLs that reach internal services (e.g., metadata endpoints) that respond with a valid status. Option C is wrong because escaping quotation marks is a defense against injection attacks like SQL injection or XSS, but it does not prevent the server from making outbound requests to arbitrary destinations, which is the core issue in SSRF.

349
MCQmedium

A branch office has users, finance workstations, printers, and IP phones on one flat network. The security team wants to reduce lateral movement if one user PC is compromised, but printers still need to receive print jobs from users. What is the best design change?

A.Keep one flat network and increase endpoint antivirus scanning frequency.
B.Place finance systems and user devices in separate VLANs and allow only the necessary print and business application traffic through filtering rules.
C.Move all printers into the finance VLAN to avoid managing inter-VLAN rules.
D.Disable printing so user workstations cannot communicate with any other device.
AnswerB

This design reduces lateral movement by separating high-value systems from general user devices. VLANs create logical segmentation, and targeted filtering permits only the traffic required for printing and approved business flows. It preserves functionality while sharply reducing the number of systems reachable after a compromise.

Why this answer

Option B is correct because segmenting the flat network into separate VLANs for finance systems and user devices enforces network segmentation, which limits lateral movement. By using VLANs and firewall rules to allow only necessary traffic (e.g., print jobs via IPP or SMB, and business application traffic), the organization reduces the attack surface while maintaining required functionality. This aligns with the principle of least privilege and zero trust architecture.

Exam trap

The trap here is that candidates often choose Option C, mistakenly thinking that consolidating printers into the finance VLAN simplifies management, but they overlook that printers are notoriously insecure and would become a bridge for lateral movement into the finance segment.

How to eliminate wrong answers

Option A is wrong because increasing endpoint antivirus scanning frequency does not prevent lateral movement on a flat network; once a user PC is compromised, the attacker can still freely move to other devices (including finance workstations) on the same broadcast domain. Option C is wrong because moving all printers into the finance VLAN would expose printers to finance systems without proper isolation, and printers often have weak security (e.g., default credentials, unpatched firmware), creating a pivot point for attackers to reach finance assets; it also fails to address the need for inter-VLAN rules to allow user print jobs.

350
Multi-Selectmedium

Which four of the following are effective mitigations against SQL injection attacks? (Choose four.)

Select 4 answers
.Using parameterized queries or prepared statements
.Implementing input validation and sanitization
.Enforcing least privilege for database accounts
.Disabling error messages that reveal database structure
.Blocking all user input containing the word 'SELECT'
.Using client-side JavaScript validation exclusively

Why this answer

Parameterized queries and prepared statements are effective because they separate SQL logic from user input, ensuring that input is treated as data rather than executable code. This prevents attackers from injecting malicious SQL commands into query strings, as the database engine compiles the query structure before parameters are bound.

Exam trap

The trap here is that all four options are correct, so candidates must recognize that the question expects them to select all four, rather than being misled into thinking one is incorrect due to common misconceptions about input validation being insufficient alone.

351
MCQmedium

Based on the exhibit, which cloud deployment choice best satisfies the workload requirements? Exhibit: Workload requirements: - Processes regulated customer records - Should not share underlying compute with other tenants if avoidable - Team wants provider-managed hardware maintenance - Application will run in a public cloud Which deployment choice is the best fit?

A.Shared public tenancy on standard virtual machines.
B.Community cloud shared with other regulated organizations.
C.Public cloud with a dedicated host or equivalent single-tenant compute placement.
D.On-premises private cloud with company-owned servers and full hardware management.
AnswerC

This is the best match because it gives the organization stronger tenant isolation while still using provider-managed cloud infrastructure. A dedicated host or similar single-tenant placement reduces exposure to neighboring tenants and is well suited for regulated data without requiring the customer to buy and maintain physical servers. It balances security and operational convenience.

Why this answer

Option C is correct because a dedicated host or single-tenant compute placement in a public cloud ensures the workload does not share underlying physical hardware with other tenants, meeting the 'should not share underlying compute' requirement. It also provides provider-managed hardware maintenance and runs in a public cloud, aligning with all stated workload requirements for processing regulated customer records.

Exam trap

The trap here is that candidates may confuse 'community cloud' (Option B) as meeting isolation needs, but it still involves multi-tenant compute sharing unless explicitly configured with dedicated hosts, which is not stated in the option.

How to eliminate wrong answers

Option A is wrong because shared public tenancy on standard virtual machines inherently shares the underlying physical server with other tenants, violating the requirement to avoid sharing compute if possible. Option B is wrong because a community cloud, while shared with other regulated organizations, still involves multi-tenant compute sharing and does not guarantee single-tenant isolation; it also may not offer provider-managed hardware maintenance in the same way as a public cloud dedicated host. Option D is wrong because an on-premises private cloud with company-owned servers requires the team to manage hardware maintenance themselves, contradicting the requirement for provider-managed hardware maintenance.

352
MCQmedium

A CFO at a mid-sized company receives an urgent email that appears to come from the CEO's email address, requesting an immediate wire transfer of $50,000 to a new vendor for a time-sensitive project. The email address displayed is 'ceo@cornpany.com' instead of the legitimate 'ceo@company.com'. The CFO follows the instruction and initiates the transfer. Later, the real CEO denies sending such a request. Which of the following security controls would have been MOST effective in preventing this type of attack from succeeding?

A.Deploying a stronger email spam filter that blocks all emails from unrecognized domains
B.Requiring multi-factor authentication (MFA) for all corporate email accounts
C.Implementing a policy that all financial transfers over a certain threshold must be verbally verified via a known phone number before execution
D.Enabling Transport Layer Security (TLS) encryption for all outgoing email communications
AnswerC

An out-of-band verification procedure, such as calling the requester on a known phone number, directly addresses the impersonation risk by confirming the request through an independent communication channel.

Why this answer

Option C is correct because the attack is a business email compromise (BEC) using a lookalike domain. A policy requiring verbal verification via a known phone number adds a human out-of-band check that bypasses the email channel entirely, preventing the fraudulent transfer even if the email appears legitimate. This control directly addresses the social engineering aspect of the attack, which technical controls alone cannot fully mitigate.

Exam trap

The trap here is that candidates often choose a technical control like MFA or spam filters, overlooking that the attack exploits human trust and domain spoofing rather than account compromise, so the most effective control is a procedural one that bypasses the email channel entirely.

How to eliminate wrong answers

Option A is wrong because a stronger spam filter would not block the email if the lookalike domain 'cornpany.com' is a registered domain that passes SPF/DKIM checks; the filter would only block unrecognized domains if explicitly configured, but attackers often use domains that appear similar to trusted ones. Option B is wrong because MFA protects against credential theft or unauthorized access to email accounts, but in this scenario the attacker spoofed the CEO's email address without compromising the account, so MFA does not prevent the spoofed email from being sent or received. Option D is wrong because TLS encryption secures the communication channel between mail servers, preventing eavesdropping or tampering in transit, but it does not authenticate the sender's identity or prevent spoofed emails from being delivered.

353
MCQmedium

A security analyst is reviewing authentication logs from a corporate web application. The logs show that over a span of two hours, a single external IP address attempted to log in with 500 different usernames, each using the same password 'Spring2024!'. Only a few of these attempts succeeded. Which type of attack is most likely being observed?

A.Brute force attack
B.Password spraying attack
C.Credential stuffing attack
D.Dictionary attack
AnswerB

Correct. Password spraying involves trying a small number of common passwords against many accounts to avoid detection and lockout. The single password used across numerous usernames is the hallmark of this attack.

Why this answer

This is a password spraying attack because the attacker uses a single common password ('Spring2024!') against many different usernames. This technique avoids account lockout policies that typically trigger after multiple failed attempts on a single account, and the few successful logins indicate valid credentials were found.

Exam trap

The trap here is confusing password spraying with brute force: candidates see 'same password' and think brute force, but the key distinction is the attacker targets many usernames with one password, not one username with many passwords.

How to eliminate wrong answers

Option A is wrong because a brute force attack tries many passwords against a single username, not one password against many usernames. Option C is wrong because credential stuffing uses previously leaked username/password pairs from other breaches, not a single password tested across many accounts.

354
MCQmedium

A firewall rule change was implemented directly in production to allow a new vendor IP range. Within minutes, several internal services became unreachable because the rule order changed unexpectedly. Which change-management practice would have most likely prevented this outage?

A.Testing the change in a staging environment and approving it through a peer-reviewed change process before production.
B.Applying the rule during business hours so the team can respond faster if something breaks.
C.Making the change first in production because that is the only environment that matters.
D.Documenting the outage after the vendor confirms their IP range is valid.
AnswerA

A tested, peer-reviewed change process helps catch rule-order problems, dependency issues, and unintended access impacts before production is affected. Firewall changes can alter traffic flow in subtle ways, so validating them in a nonproduction environment and having a formal approval path reduces the chance of service disruption. A backout plan also gives the team a quick recovery path if the production change behaves differently than expected.

Why this answer

Option A is correct because implementing the change in a staging environment first allows validation of the rule order and its impact on traffic flow without affecting production. A peer-reviewed change process ensures that the rule insertion point (e.g., before a deny-all or after a permit statement) is verified, preventing the accidental reordering that caused the outage. This aligns with the change-management principle of testing in a representative environment before production deployment.

Exam trap

The trap here is that candidates may confuse 'change management' with 'incident response' or 'documentation,' leading them to choose options that address symptoms (e.g., faster response or post-hoc documentation) rather than the root cause of unvalidated rule order changes.

How to eliminate wrong answers

Option B is wrong because applying the rule during business hours does not address the root cause—unexpected rule reordering—and may increase risk if the change breaks services during peak usage. Option C is wrong because making the change directly in production bypasses all validation and review, which is precisely the practice that led to the outage. Option D is wrong because documenting the outage after the fact does nothing to prevent it; proactive change management requires testing and approval before implementation.

355
MCQmedium

A branch office's network closet has repeated unauthorized access issues after staff badge in and hold the door for others. Management wants a control that allows one person through after valid badge use and helps prevent tailgating. Which control is best?

A.Closed-circuit television cameras, because they record the doorway for later review.
B.A mantrap, because it physically restricts entry to one person at a time.
C.A motion sensor, because it can detect movement inside the room.
D.A door closer, because it ensures the door automatically shuts after use.
AnswerB

A mantrap creates a controlled entry space that helps block tailgating and enforces single-person access after authentication.

Why this answer

A mantrap is a physical security control consisting of a small space with two interlocking doors, typically requiring authentication to enter and exit. It ensures that only one person can pass through at a time, effectively preventing tailgating by trapping unauthorized individuals between the doors if they attempt to follow an authorized user.

Exam trap

Cisco often tests the distinction between preventive and detective controls, leading candidates to choose CCTV because it is a common security measure, even though it does not actively prevent tailgating.

How to eliminate wrong answers

Option A is wrong because closed-circuit television cameras are a detective control, not a preventive one; they record incidents for later review but do not physically stop tailgating in real time. Option C is wrong because a motion sensor detects movement inside the room but does not control entry or prevent multiple people from passing through a door simultaneously.

356
Matchingeasy

Match each security control type to the best example in a small office environment.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

A firewall blocks inbound remote desktop traffic from the internet.

A SIEM alert notifies analysts after multiple failed logins occur.

A clean backup is restored after malware is removed from a laptop.

A visible warning sign says the area is under video surveillance.

A policy requires users to lock their screens when stepping away.

A jump host is used temporarily until direct administration is safely allowed.

Why these pairings

These matches classify security controls by type: administrative involves policies, technical uses technology, physical secures premises, deterrent discourages violations, preventive stops incidents, and detective identifies occurrences.

357
MCQeasy

A sales manager's laptop is often taken home and may contain customer pricing spreadsheets and contract drafts. Which control best protects the files if the laptop is stolen?

A.Hashing the files
B.Full-disk encryption
C.Using TLS on the office Wi-Fi
D.File compression
AnswerB

Full-disk encryption protects data at rest, so stolen storage is unreadable without the correct key.

Why this answer

Full-disk encryption (FDE) protects all data on the laptop's storage drive by encrypting the entire volume, including the operating system, applications, and files. If the laptop is stolen, the thief cannot access the customer pricing spreadsheets and contract drafts without the decryption key (e.g., a pre-boot PIN or TPM-based key). This renders the data unreadable even if the drive is removed and attached to another system, directly addressing the risk of physical theft.

Exam trap

The trap here is that candidates confuse confidentiality controls (encryption) with integrity controls (hashing) or network protection (TLS), mistakenly thinking hashing or TLS can protect data at rest on a stolen device.

How to eliminate wrong answers

Option A is wrong because hashing is a one-way cryptographic function used for integrity verification (e.g., detecting file tampering), not for confidentiality; it does not prevent an attacker from reading the files. Option C is wrong because TLS (Transport Layer Security) protects data in transit over the office Wi-Fi, but once the laptop is stolen, the files are at rest on the local drive and TLS offers no protection against offline access. Option D is wrong because file compression (e.g., ZIP) only reduces file size and optionally adds a weak password, but it does not provide strong encryption; modern compression tools are not designed to resist forensic attacks on a stolen device.

358
Multi-Selecthard

A file server used by a shared service account begins renaming documents, deleting shadow copies, and creating outbound SMB connections to many internal hosts. The SOC suspects the malware may be spreading while also encrypting data. Which two actions are the best immediate containment steps? Select two.

Select 2 answers
A.Isolate the affected server from the network through EDR or switch controls.
B.Disable or reset the compromised service account and revoke active sessions.
C.Restore the server from backup before taking any containment action.
D.Delete the suspicious files from the server to stop the encryption process.
E.Inform users that the incident is likely a false positive and continue monitoring.
AnswersA, B

Isolation is the fastest way to stop further encryption and prevent the suspected spread from reaching more systems. When a server is actively affecting files and reaching out to other hosts, limiting its network access is the most effective containment measure available immediately.

Why this answer

Isolating the affected server from the network via EDR or switch controls is correct because it immediately stops the malware from spreading to other hosts through SMB connections and prevents further encryption of network-accessible files. This containment step breaks the lateral movement and data exfiltration channels without relying on potentially compromised credentials or incomplete cleanup.

Exam trap

The trap here is that candidates may think deleting files or restoring from backup is an immediate containment step, but in reality, containment must first stop the active threat (network isolation and credential revocation) before any recovery actions are taken.

359
MCQeasy

An EDR alert shows a user workstation launching an unfamiliar executable from the Downloads folder and then making repeated outbound connections to an IP address in another country. What is the best first response by the security team?

A.Wait for more alerts before taking any action to avoid disrupting the user
B.Isolate the workstation from the network and begin incident triage
C.Immediately reinstall the operating system without collecting evidence
D.Disable the user's account in the directory service and close the ticket
AnswerB

This contains the suspected threat quickly while preserving enough evidence for triage and next steps.

Why this answer

Option B is correct because isolating the workstation from the network immediately stops the potential command-and-control (C2) communication and prevents lateral movement, which is the priority first response in incident triage. The EDR alert indicates a suspicious executable from the Downloads folder making repeated outbound connections to a foreign IP, which strongly suggests malware or a trojan. Isolating the host preserves volatile evidence (e.g., memory, network connections) for forensic analysis while containing the threat.

Exam trap

The trap here is that candidates may confuse incident response phases (e.g., jumping to eradication or recovery before containment) or think that disabling the user account is sufficient, when in fact the running process must be contained first to stop active network communication.

How to eliminate wrong answers

Option A is wrong because waiting for more alerts allows the malware to continue exfiltrating data or spreading to other systems, violating the containment-first principle of incident response. Option C is wrong because immediately reinstalling the OS destroys all volatile evidence (e.g., memory, running processes, network artifacts) needed for root cause analysis and attribution, and may miss persistence mechanisms. Option D is wrong because disabling the user account does not stop the already-running malicious process from making outbound connections or executing further payloads; the host must be contained first.

360
Multi-Selecteasy

A company wants visibility into who changed settings in its cloud account and what commands ran on a cloud VM. Which two log sources should the team enable first? Select two.

Select 2 answers
A.Cloud provider audit or API logs
B.Guest operating system event logs
C.Printer spooler logs
D.Browser history from employees' home PCs
E.DHCP lease logs from the office router
AnswersA, B

Audit and API logs record control-plane actions such as configuration changes, role updates, and security group edits. They are essential for tracking who changed cloud settings.

Why this answer

Cloud provider audit or API logs (Option A) capture all changes made to the cloud account via the provider's management plane, including who modified settings and when. Guest operating system event logs (Option B) record commands executed within the VM itself, such as PowerShell or bash commands, providing visibility into runtime activities. Together, these two sources cover both the control plane (account-level changes) and data plane (VM-level commands) for comprehensive monitoring.

Exam trap

The trap here is that candidates often confuse guest OS logs with hypervisor logs or assume cloud provider logs alone are sufficient, missing that VM-level command execution requires OS-level logging.

361
MCQmedium

Based on the exhibit, which change would most improve the security of the stored password data?

A.Store the passwords in encrypted form so they can be recovered later if needed.
B.Add a unique salt per password and use a slow password hashing algorithm.
C.Replace the hash with a plain SHA-256 digest because it is modern and widely supported.
D.Append the application name to each password before hashing to make the hashes unique.
AnswerB

A unique salt defeats precomputed rainbow tables and ensures identical passwords do not produce identical stored values. Using a slow, purpose-built password hashing algorithm also increases the cost of offline cracking attempts.

Why this answer

Option B is correct because adding a unique salt per password prevents precomputed rainbow table attacks, and using a slow password hashing algorithm (like bcrypt, PBKDF2, or Argon2) increases the computational cost of brute-force attacks. This combination ensures that even if the password hashes are compromised, attackers cannot efficiently crack them. Salting also ensures that identical passwords produce different hashes, eliminating the ability to detect shared passwords across accounts.

Exam trap

The trap here is that candidates often confuse hashing with encryption or assume that a 'modern' hash like SHA-256 is sufficient for password storage, overlooking the critical need for salting and key stretching to defend against brute-force and rainbow table attacks.

How to eliminate wrong answers

Option A is wrong because storing passwords in encrypted form (reversible) violates the fundamental security principle that passwords should never be recoverable; encryption keys can be compromised, exposing all passwords. Option C is wrong because plain SHA-256 is a fast, general-purpose hash designed for integrity checks, not password storage; it lacks salting and is vulnerable to GPU-accelerated brute-force attacks. Option D is wrong because appending the application name is a weak, predictable form of salting that does not provide per-password uniqueness and does not slow down hashing; it offers minimal protection against rainbow tables or targeted attacks.

362
MCQmedium

A security architect proposes adding endpoint protection, network segmentation, multifactor authentication, email filtering, and immutable backups so that one failed safeguard does not expose the entire organization. What security strategy is being described?

A.Defense in depth
B.Least privilege
C.Need-to-know
D.Zero trust
AnswerA

Defense in depth uses multiple independent controls so that if one layer fails, others still reduce the chance of compromise or limit the damage. The mix of endpoint, network, identity, email, and recovery controls in the scenario is a textbook layered approach. It is especially useful because attackers rarely defeat every safeguard at once.

Why this answer

Defense in depth is a layered security strategy where multiple, independent controls (endpoint protection, network segmentation, MFA, email filtering, immutable backups) are deployed so that if one safeguard fails, others continue to protect the organization. This approach ensures no single point of failure can compromise the entire environment, aligning directly with the scenario described.

Exam trap

The trap here is that candidates confuse 'defense in depth' with 'least privilege' because both involve multiple controls, but defense in depth specifically requires overlapping, independent layers rather than just restricting permissions.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on restricting user permissions to the minimum necessary for their role, not on deploying multiple overlapping safeguards. Option C (Need-to-know) is wrong because it is a subset of least privilege that limits access to data based on job necessity, not a strategy for layering protective controls.

363
MCQeasy

A workstation suddenly begins making SMB connections to many internal servers within a few minutes. What is the best immediate response?

A.Allow the traffic because SMB is a normal file-sharing protocol.
B.Isolate the workstation from the network for containment.
C.Delete the local event logs to reduce alert noise.
D.Disable all SMB services on every server immediately.
AnswerB

Network isolation limits possible lateral movement and helps stop a compromised host from touching additional systems while the event is investigated.

Why this answer

Option B is correct because the workstation's sudden SMB connections to many internal servers strongly indicate compromise, such as ransomware or worm propagation. Isolating the workstation immediately contains the threat, preventing lateral movement and further damage while preserving forensic evidence.

Exam trap

The trap here is that candidates may think SMB traffic is always benign because it is a legitimate protocol, failing to recognize that a sudden spike in SMB connections to multiple internal servers is a red flag for active lateral movement.

How to eliminate wrong answers

Option A is wrong because allowing the traffic ignores the anomalous behavior; SMB is normal for file sharing, but a sudden burst of connections to many servers is a classic sign of automated malicious activity like ransomware encryption or worm spread. Option C is wrong because deleting event logs destroys critical forensic evidence needed to investigate the incident, and it does not stop the malicious activity. Option D is wrong because disabling all SMB services on every server is an overly drastic, disruptive response that would break legitimate business operations and is not a targeted containment step.

364
MCQmedium

A finance laptop is powered on, the user is still logged in, and it remains connected to Wi-Fi after a malware alert. What should the responder do first to preserve volatile evidence?

A.Power the laptop off immediately to stop any further attacker activity.
B.Collect volatile data such as memory, running processes, and active network connections.
C.Run a full antimalware scan before touching any other data.
D.Disconnect the power cable and remove the battery to prevent changes.
AnswerB

Volatile evidence is the first thing to lose when a machine shuts down or is rebooted, so collecting it immediately is the best move. Memory, process lists, open sockets, and logged-in sessions can reveal malware injection, command-and-control activity, or stolen credentials in use. Preserving that state before containment actions or shutdown gives investigators a better picture of what happened on the system.

Why this answer

Option B is correct because the laptop is powered on, the user is logged in, and it is connected to the network, meaning volatile data (memory contents, running processes, active network connections) is at immediate risk of being lost if the system is shut down or tampered with. The responder must collect this data first to preserve evidence of the malware's current state, including any malicious processes, network connections, and in-memory artifacts that would disappear on power loss.

Exam trap

The trap here is that candidates mistakenly believe immediate shutdown (Option A) stops attacker activity, but in forensic practice, preserving volatile evidence by capturing memory and network state is always the priority before any power-down action.

How to eliminate wrong answers

Option A is wrong because powering off the laptop immediately destroys all volatile data (RAM, process lists, network connection states) and may trigger anti-forensic mechanisms in malware that wipe traces on shutdown; the correct first step is to capture volatile data before any power state change. Option C is wrong because running a full antimalware scan modifies the system state (reads files, creates logs, may quarantine or delete files) and overwrites or destroys volatile evidence in memory and active connections, violating forensic preservation principles.

365
MCQhard

Based on the exhibit, what is the best eradication decision for the server compromise?

A.Restart sshd and monitor the system for another login attempt.
B.Manually delete the cron entry and reverse the SSH change on the live server.
C.Rebuild the server from a trusted image and restore only known-good data after evidence is preserved.
D.Increase the SIEM retention period and keep the current server online.
AnswerC

The server shows multiple signs of compromise: unauthorized key-based access, script download, cron persistence, and SSH configuration tampering. Those indicators make simple cleanup too risky. A rebuild from a trusted image is the most reliable eradication step, especially once the host is isolated. Evidence should be preserved first, then the service should be restored from validated data and a hardened baseline.

Why this answer

Option C is correct because a server compromise implies that the attacker may have achieved persistence through modified binaries, kernel modules, or rootkits that cannot be reliably removed by simple remediation steps. Rebuilding from a trusted image ensures that all malicious artifacts are eliminated, and restoring only known-good data from backups (after forensic preservation) prevents reintroduction of compromised files. This aligns with the CompTIA incident response process, where eradication must remove all traces of the threat, and rebuilding is the safest approach for a confirmed compromise.

Exam trap

The trap here is that candidates may think manual remediation (Option B) is sufficient because they underestimate the attacker's ability to hide persistence mechanisms, or they confuse containment (e.g., isolating the server) with eradication (completely removing the threat).

How to eliminate wrong answers

Option A is wrong because restarting sshd does not remove the attacker's persistence mechanism (e.g., modified SSH configuration or cron job) and only temporarily disrupts access; the attacker could simply log in again. Option B is wrong because manually deleting a cron entry and reversing an SSH change on a live server is unreliable—the attacker may have installed a rootkit, backdoor, or modified system binaries that cannot be fully reversed, leaving the system still compromised. Option D is wrong because increasing SIEM retention does not address the existing compromise; keeping the compromised server online continues to expose the network to data exfiltration or lateral movement.

366
MCQeasy

A vulnerability scan finds a critical flaw on an internet-facing VPN appliance and says public exploit code is already available. Which issue should be remediated first?

A.A low-severity finding on an internal test server with no network access
B.A critical flaw on an internet-facing VPN appliance with known exploit code
C.A cosmetic configuration warning on a printer management interface
D.A medium-severity issue on a device that is powered off and not in service
AnswerB

This finding is both severe and exposed, which makes exploitation much more likely and business impact potentially high.

Why this answer

The critical flaw on an internet-facing VPN appliance with known public exploit code represents the highest risk because it combines a severe vulnerability, direct exposure to the internet, and immediate weaponization potential. VPN appliances are common attack vectors for initial access, and an exploit in the wild means attackers can compromise the device without advanced skills, leading to potential network breach and lateral movement.

Exam trap

The trap here is that candidates may prioritize by severity alone without factoring in exploitability, exposure, or asset criticality—leading them to choose a medium or low finding that is technically less urgent but appears more manageable.

How to eliminate wrong answers

Option A is wrong because a low-severity finding on an internal test server with no network access poses negligible risk—it is isolated and lacks connectivity, so exploitation is practically impossible. Option C is wrong because a cosmetic configuration warning on a printer management interface is not a security vulnerability; it is a non-functional issue that does not affect confidentiality, integrity, or availability. Option D is wrong because a medium-severity issue on a device that is powered off and not in service cannot be exploited—the device is not operational, so the finding has zero current risk.

367
Multi-Selecteasy

A company uses a SaaS email platform. The provider manages the servers and application code. Which two tasks remain the company's responsibility? Select two.

Select 2 answers
A.Configuring who can access company mailboxes and administrative roles.
B.Applying security patches to the provider's mail servers.
C.Deciding what data may be stored in the service and how it is classified.
D.Replacing failed provider storage disks.
E.Hardening the provider's hypervisor.
AnswersA, C

Identity and access configuration is usually the customer’s responsibility in SaaS. The company must decide who gets access, what roles they receive, and how privileges are approved.

Why this answer

Option A is correct because in a SaaS model, the customer retains administrative control over user access and role-based permissions. This includes configuring mailbox permissions, setting up multi-factor authentication, and managing administrative roles within the provider's interface. The provider handles the underlying infrastructure, but identity and access management (IAM) remains the customer's responsibility.

Exam trap

Cisco often tests the misconception that 'patching' is always the customer's job, but in SaaS the provider handles all infrastructure patching, while the customer's responsibility is limited to configuration and data governance.

368
MCQmedium

A records manager is preparing to delete old HR emails next week under the retention schedule. Legal notifies the team that those messages may be needed for an active investigation. What should the records manager do first?

A.Delete the emails on schedule and archive only the subject lines.
B.Place the emails on legal hold and suspend normal deletion for those records.
C.Move the emails to a shared folder so legal can review them later.
D.Compress the emails into an encrypted file and continue with deletion.
AnswerB

A legal hold is the correct action when records might be needed for an investigation, audit, or litigation. It overrides the normal retention schedule and requires the organization to preserve relevant data until legal or compliance staff releases the hold. This protects evidence integrity and avoids accidental destruction of records that could be important to the case.

Why this answer

When legal notifies that emails may be needed for an active investigation, the records manager must immediately suspend normal deletion and place a legal hold on those records. This preserves the data in its original state, preventing spoliation and ensuring compliance with e-discovery obligations. Deleting or moving the emails could destroy metadata or chain of custody, violating legal hold requirements.

Exam trap

The trap here is that candidates think moving emails to a shared folder is a safe preservation step, but it actually breaks the formal legal hold process and can compromise metadata and chain of custody, which is why the correct first action is to suspend deletion via a legal hold.

How to eliminate wrong answers

Option A is wrong because deleting the emails and archiving only subject lines destroys the body content and metadata (e.g., headers, timestamps, attachments) that are critical for legal discovery; this would likely constitute spoliation. Option C is wrong because moving the emails to a shared folder alters their original location and may break retention policies or audit trails, and it does not formally suspend the retention schedule—legal hold requires a documented, tamper-proof preservation process, not just relocation.

369
MCQhard

EDR on a workstation shows winword.exe spawning powershell.exe with hidden, no-profile, and encoded arguments. No new executable is written to disk. Minutes later, a scheduled task creation is blocked, but the same host continues making HTTPS requests to a cloud IP address. Which malware category best fits this behavior?

A.Trojan, because the malicious activity likely started from a user-opening event.
B.Worm, because the host is making repeated outbound network connections.
C.Rootkit, because the process is using hidden commands and network connections.
D.Fileless attack, because the payload is executed in memory using legitimate scripting tools and leaves little on disk.
AnswerD

Fileless attack is the best fit because the sequence uses trusted built-in tools, encoded PowerShell, and no obvious executable drop on disk. The suspicious behavior happens in memory and through script interpretation, which makes detection harder than with traditional malware files. The blocked scheduled task and later HTTPS beaconing are consistent with in-memory execution and persistence attempts after initial delivery.

Why this answer

The correct answer is D because the attack uses legitimate tools (winword.exe spawning powershell.exe) with hidden, no-profile, and encoded arguments to execute a payload entirely in memory, never writing a new executable to disk. This is the hallmark of a fileless attack, which relies on in-memory execution and living-off-the-land binaries (LOLBins) to evade traditional antivirus and disk-based detection. The subsequent scheduled task creation block and persistent HTTPS connections to a cloud IP further indicate a fileless malware that establishes command-and-control (C2) without dropping files.

Exam trap

The trap here is that candidates see 'hidden commands' and 'network connections' and incorrectly associate them with a rootkit, but the 'hidden' refers to PowerShell's `-WindowStyle Hidden` parameter, not kernel-level hiding, and the network connections are standard HTTPS C2 traffic, not a rootkit's stealthy communication.

How to eliminate wrong answers

Option A is wrong because a Trojan typically requires a user to execute a malicious file that is written to disk, but here no new executable is written to disk and the activity starts from a legitimate Office process spawning PowerShell in memory. Option B is wrong because a Worm self-replicates and spreads automatically across networks, often exploiting vulnerabilities; the repeated outbound HTTPS connections here are for C2 communication, not for self-propagation. Option C is wrong because a Rootkit is designed to hide its presence by modifying the operating system kernel or drivers, whereas this attack uses hidden PowerShell arguments (a command-line flag) and does not involve kernel-level concealment or driver installation.

370
MCQhard

Based on the exhibit, which security principle should the team strengthen to reduce the chance that stolen credentials alone provide access to sensitive data?

A.Least privilege, because the user should only have the minimum file permissions needed.
B.Zero trust, because every request should be re-evaluated instead of relying on the earlier VPN login.
C.Need-to-know, because all finance data should be hidden from anyone outside the department.
D.Defense in depth, because multiple layers are always better than one control.
AnswerB

Zero trust fits the exhibit because access is being allowed based on an earlier authentication event and network location alone. A zero-trust design would re-evaluate each request using factors such as device health, identity, and context instead of assuming the session is safe for 12 hours.

Why this answer

The exhibit shows a scenario where a VPN session grants persistent access to sensitive data without re-authentication. Zero trust is correct because it mandates continuous verification of every request, not just the initial VPN login, so stolen credentials alone would not provide ongoing access to sensitive data. This principle enforces micro-segmentation and per-request authorization, directly addressing the vulnerability of credential theft.

Exam trap

The trap here is that candidates confuse zero trust with defense in depth, assuming multiple security layers automatically verify every request, when in fact defense in depth can still rely on a single persistent trust decision (like a VPN session) that stolen credentials can exploit.

How to eliminate wrong answers

Option A is wrong because least privilege limits the scope of access (e.g., file permissions) but does not prevent a stolen credential from being reused across sessions; it reduces blast radius but not the risk of credential reuse. Option C is wrong because need-to-know restricts data access based on role, but it still relies on the initial authentication and does not require re-evaluation of each request, so stolen credentials would still grant access to permitted data. Option D is wrong because defense in depth adds multiple controls (e.g., firewalls, IDS), but without a zero-trust architecture, a single stolen credential can bypass all layers if the VPN session remains trusted; it does not specifically address the re-evaluation gap.

371
MCQmedium

A security engineer writes a script that computes SHA-256 hashes of critical server configuration files every night and sends an alert if any hash value has changed since the previous night. Which security goal is this control primarily designed to protect?

A.Confidentiality
B.Integrity
C.Availability
D.Authentication
AnswerB

Integrity ensures that data has not been tampered with or altered by unauthorized parties. Comparing hashes allows the engineer to detect any unauthorized changes to the configuration files, directly supporting the integrity goal. This is the correct answer.

Why this answer

The script computes SHA-256 hashes of configuration files and compares them nightly to detect any unauthorized or accidental changes. This directly protects the integrity of the files by ensuring they have not been modified, which is the core security goal of integrity. Confidentiality and availability are not addressed by hash comparison.

Exam trap

The trap here is confusing integrity with confidentiality because hashing involves cryptographic algorithms, leading candidates to mistakenly think it protects secrecy rather than detecting unauthorized modification.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized disclosure of data, not detecting changes; hashing does not encrypt or hide the file contents. Option C is wrong because availability ensures systems and data are accessible when needed, whereas hash monitoring does not prevent denial of service or ensure uptime.

372
MCQeasy

A file server suddenly renames documents with a new extension and displays a note demanding payment in cryptocurrency to restore access. What type of malware is most likely involved?

A.Ransomware
B.Spyware
C.Worm
D.Rootkit
AnswerA

This is the classic symptom pattern for ransomware. Files are renamed or encrypted, access is disrupted, and the attacker demands payment for recovery. The ransom note and the sudden file changes together make ransomware the best answer.

Why this answer

Ransomware is designed to encrypt files on a system, making them inaccessible, and then demand a ransom—typically in cryptocurrency—to restore access. The sudden renaming of documents with a new extension is a hallmark of ransomware encryption, as it appends a custom extension to indicate the files have been locked. The displayed note demanding payment confirms the extortion motive, which is unique to ransomware among the given options.

Exam trap

The trap here is that candidates may confuse ransomware with other malware types that alter files or display messages, but only ransomware specifically encrypts files and demands a ransom for decryption.

How to eliminate wrong answers

Option B (Spyware) is wrong because spyware is designed to covertly monitor user activity and collect sensitive information, not to encrypt or rename files or demand ransom. Option C (Worm) is wrong because a worm is a self-replicating malware that spreads across networks without requiring user interaction, and it typically does not encrypt files or display ransom notes. Option D (Rootkit) is wrong because a rootkit is a type of malware that hides its presence and provides persistent privileged access to a system, but it does not perform file encryption or extortion.

373
MCQeasy

A branch office loses power briefly several times each month. Which control best helps keep network equipment running long enough for an orderly shutdown?

A.A UPS
B.A badge reader
C.A locked filing cabinet
D.A fire extinguisher
AnswerA

A UPS provides temporary battery power so systems can stay up briefly or shut down safely.

Why this answer

A UPS (Uninterruptible Power Supply) provides battery backup power to network equipment during a power outage, allowing enough time for an orderly shutdown to prevent data corruption or hardware damage. Unlike surge protectors, a UPS actively supplies clean, regulated power from its batteries when the mains fail, making it the correct control for this scenario.

Exam trap

The trap here is that candidates might confuse a UPS with a surge protector or power strip, thinking any power-related device provides backup runtime, whereas only a UPS contains batteries to sustain power after an outage.

How to eliminate wrong answers

Option B is wrong because a badge reader is an access control mechanism used to restrict physical entry to a facility or room, not a device that provides backup power. Option C is wrong because a locked filing cabinet is a physical security control for protecting sensitive documents, not for maintaining power to network equipment during an outage.

374
Multi-Selectmedium

A business unit wants to keep using a customer portal even though a low-likelihood, high-impact dependency risk was identified. Leadership does not want to stop the service, but it does want to lower exposure and formally document the remaining risk. Which two actions best fit that approach? Select two.

Select 2 answers
A.Implement compensating controls to reduce the chance or impact of the event.
B.Immediately shut down the portal until the dependency risk is completely eliminated.
C.Formally accept the remaining residual risk at the appropriate management level.
D.Ignore the finding until the next annual audit cycle.
E.Transfer the issue to the help desk by opening a routine support ticket.
AnswersA, C

This is the most direct way to reduce exposure while keeping the service running. Compensating controls, such as extra monitoring, rate limiting, or alternate processing steps, lower either likelihood or impact without requiring the business to stop operations. That matches the stated goal of continuing service while reducing risk.

Why this answer

Option A is correct because implementing compensating controls is a standard risk mitigation strategy that reduces the likelihood or impact of a dependency risk without stopping the service. For a customer portal, this could include adding web application firewall (WAF) rules, rate limiting, or failover mechanisms to lower exposure while keeping the portal operational.

Exam trap

The trap here is confusing risk acceptance with ignoring the risk or deferring it operationally, leading candidates to pick options like D or E instead of recognizing that formal acceptance requires documented management approval and that compensating controls are a valid mitigation strategy.

375
MCQmedium

A SOC analyst reviews email platform logs for a finance user account. At 08:12, the user successfully signs in from Denver. At 08:15, the same account signs in from a residential ISP in another state. At 08:16, the mailbox creates a new external forwarding rule and deletes the original alert message. The user says they did not set up forwarding. What is the best assessment?

A.False positive caused by normal mailbox synchronization behavior across devices.
B.True positive indicating likely account compromise and unauthorized mailbox abuse.
C.Benign activity because the user successfully authenticated with valid credentials and no malware was detected.
D.A denial-of-service event because the attacker is attempting to overwhelm the mail system.
AnswerB

The sequence of impossible travel, an unexpected sign-in source, and creation of an external forwarding rule strongly indicates unauthorized access. Deleting the alert email suggests the attacker is trying to hide evidence. The most likely conclusion is that the account is compromised and requires immediate response actions.

Why this answer

The rapid succession of logins from geographically distant locations (Denver and a different state via a residential ISP) within three minutes, followed immediately by creation of an external forwarding rule and deletion of the original alert message, is a classic indicator of account takeover. The user's denial of setting up forwarding confirms the activity is unauthorized. This pattern aligns with attacker behavior: after compromising credentials, they establish persistence (forwarding) and cover tracks (deleting alerts).

Exam trap

The trap here is that candidates mistakenly equate valid authentication with legitimate activity, ignoring the strong circumstantial evidence of impossible travel and unauthorized rule creation that clearly indicates compromise.

How to eliminate wrong answers

Option A is wrong because normal mailbox synchronization across devices would not create an external forwarding rule or delete an alert message; synchronization only replicates existing folder/item changes, not administrative rule creation. Option C is wrong because successful authentication with valid credentials does not rule out compromise—attackers often use stolen or phished credentials, and the subsequent anomalous actions (geographic impossibility, rule creation) override any assumption of benign activity. Option D is wrong because a denial-of-service event would involve overwhelming the mail system with traffic, not a single account's specific configuration changes and message deletion.

Page 4

Page 5 of 16

Page 6