Security+ SY0-701 (SY0-701) — Questions 376–450

1152 questions total · 16 pages · All types, answers revealed


Page 6 of 16

376 · MCQ · hard

Based on the exhibit, what is the best conclusion about the signed document?

A. The invoice is confidential because the signature encrypts the document contents.
B. The invoice was not changed after signing and the signer’s certificate chain validated correctly.
C. The invoice can be edited if the timestamp is still within business hours.
D. The sender’s private key is now public because the certificate verified successfully.

Answer: B

A valid digital signature confirms that the document digest still matches the signed value and that the certificate chain was trusted by the verifier. That means the invoice has not been altered since signing, and the signature can be associated with the trusted certificate identity shown in the exhibit.

Why this answer

Option B is correct because a valid digital signature provides both integrity (the document was not altered after signing) and authentication (the signer's certificate chain validates to a trusted root). The exhibit shows a successful signature validation, which cryptographically proves that the invoice has not been modified since signing and that the signing certificate is trusted.

Exam trap

The trap here is confusing digital signatures with encryption — candidates often think signing encrypts the document, but signing only provides integrity and non-repudiation, not confidentiality.

How to eliminate wrong answers

Option A is wrong because a digital signature does not encrypt the document; it only creates a hash signed with the private key, leaving the contents readable. Option C is wrong because a valid digital signature is independent of time of day; business hours have no effect on cryptographic validity. Option D is wrong because certificate validation proves the signer's identity, not that the private key is public; the private key remains secret and is never revealed by a successful verification.

377 · MCQ · medium

A public web server becomes unreachable during an outage. NetFlow shows a large number of DNS responses arriving from many open resolvers, while the server itself only sent tiny spoofed DNS queries with the victim's address as the source. What type of attack is this?

A. DNS zone transfer abuse against the organization.
B. DNS amplification reflection denial-of-service.
C. A replay attack against a web application session token.
D. ARP poisoning inside the local network segment.

Answer: B

This is DNS amplification reflection because the attacker spoofs the victim's IP address in small requests to open resolvers, causing large responses to be sent to the victim instead. The result is a bandwidth flood that can make the server unreachable even though the victim never initiated the traffic. The key clues are tiny queries, spoofed source addresses, many resolvers, and a high volume of unsolicited responses. This is a classic distributed denial-of-service pattern.

Why this answer

This is a classic DNS amplification reflection DDoS attack. The attacker sends small DNS queries with a spoofed source IP (the victim's address) to open resolvers, which then send large DNS responses to the victim, overwhelming its bandwidth. The NetFlow data shows the server receiving many large DNS responses while only sending tiny spoofed queries, confirming the amplification and reflection vectors.

Exam trap

The trap here is confusing the direction of traffic: candidates may think the server is the attacker because it sends queries, but the spoofed source IP and large incoming responses reveal it is the victim of a reflection attack.

How to eliminate wrong answers

Option A is wrong because DNS zone transfer abuse involves an unauthorized request for a full zone file from a DNS server, not a flood of responses from open resolvers. Option C is wrong because a replay attack captures and retransmits a valid session token to impersonate a user, which does not involve DNS traffic or bandwidth exhaustion.

378 · MCQ · medium

After implementing MFA and stronger monitoring, a department still has a small chance of account misuse that could affect a low-value internal tool. The business owner reviews the remaining exposure and agrees it is within tolerance. What should happen next?

A. Escalate the issue to legal because all residual risk must be eliminated.
B. Document the residual risk and obtain formal acceptance from the risk owner.
C. Remove MFA because the remaining risk is already low.
D. Treat the issue as resolved because monitoring alone eliminates all risk.

Answer: B

When controls have reduced the likelihood and impact but some exposure remains, the remaining risk should be documented and formally accepted by the appropriate risk owner. This creates accountability, supports governance, and shows that the organization knowingly approved the remaining exposure after considering business value, cost, and tolerance.

Why this answer

Option B is correct because after implementing MFA and stronger monitoring, the remaining exposure is residual risk that must be formally documented and accepted by the risk owner (the business owner). This aligns with the risk management process in Security Program Management, where residual risk that falls within the organization's risk appetite is accepted rather than eliminated. The business owner's agreement indicates formal acceptance, which should be recorded for audit and compliance purposes.

Exam trap

The trap here is that candidates may think all risk must be eliminated or that monitoring alone suffices, but CompTIA tests the understanding that residual risk can be accepted when it falls within the organization's risk appetite, especially for low-value assets.

How to eliminate wrong answers

Option A is wrong because it states that all residual risk must be eliminated, which contradicts the principle of risk acceptance—organizations accept residual risk that is within tolerance, especially for low-value assets. Option C is wrong because removing MFA would increase the risk exposure, not reduce it, and the remaining risk is already deemed acceptable by the business owner. Option D is wrong because monitoring alone does not eliminate all risk; it only detects misuse, and residual risk remains even with monitoring in place.

379 · MCQ · medium

A web service begins experiencing severe latency. NetFlow shows thousands of short DNS queries leaving the attacker network, while a much larger volume of DNS responses is arriving at the victim’s public IP address from many open resolvers. Which attack is most likely occurring?

A. Replay attack using previously captured packets
B. DNS reflection and amplification denial-of-service attack
C. ARP poisoning that redirects local traffic on a LAN
D. Session hijacking through stolen authentication cookies

Answer: B

This is the best match. The attacker sends small DNS requests that cause open resolvers to send much larger responses to the victim's IP address. Because the victim receives the responses, the attack uses reflection; because the responses are much larger than the requests, it also uses amplification. The result is bandwidth exhaustion and severe latency, which are common symptoms of a volumetric DDoS attack.

Why this answer

The attack described is a DNS reflection and amplification denial-of-service attack. The attacker sends thousands of short DNS queries with a spoofed source IP (the victim's IP) to many open resolvers, which then send large DNS responses to the victim, overwhelming its bandwidth. NetFlow shows a small volume of queries leaving the attacker and a much larger volume of responses arriving at the victim, which is the hallmark of amplification (small request, large response) combined with reflection (responses from third-party resolvers).

Exam trap

The trap here is that candidates may confuse the high volume of responses arriving at the victim with a simple volumetric attack, missing the key indicators of reflection (responses from many different IPs) and amplification (small queries generating large responses), which uniquely identify a DNS reflection/amplification DDoS.

How to eliminate wrong answers

Option A is wrong because a replay attack involves capturing and retransmitting valid packets to impersonate a user or repeat a transaction, not generating massive traffic from open resolvers to a victim. Option C is wrong because ARP poisoning is a local network attack that manipulates ARP tables to intercept traffic on a LAN, not a volumetric DDoS attack using DNS over the internet. Option D is wrong because session hijacking through stolen cookies targets a user's authenticated session, not the network-level flooding of a victim with DNS responses.

380 · Multi-Select · medium

A security analyst is reviewing incident response procedures. Which three of the following activities are typically performed during the 'Containment, Eradication, and Recovery' phase of the incident response process? (Choose three.)

Select 3 answers:
- Isolating affected systems from the network to prevent further damage
- Removing malicious files and restoring systems from known good backups
- Rebuilding compromised servers from a secure baseline image
- Conducting a lessons-learned meeting with the incident response team
- Escalating the incident to law enforcement agencies
- Performing forensic imaging of all systems before any action is taken

Why this answer

The 'Containment, Eradication, and Recovery' phase focuses on stopping the spread of an incident, removing the root cause, and restoring normal operations. Isolating affected systems (containment), removing malicious files and restoring from backups (eradication/recovery), and rebuilding from a secure baseline (recovery) are all core activities in this phase, as defined by NIST SP 800-61 Rev. 2 and CompTIA's incident response framework.

Exam trap

The trap here is that candidates confuse the 'Containment, Eradication, and Recovery' phase with the 'Detection and Analysis' phase, mistakenly selecting forensic imaging or escalation as part of containment when they are actually pre-containment steps to preserve evidence and notify stakeholders.

381 · MCQ · medium

A SOC analyst receives an alert from the EDR system indicating that the process 'C:\Program Files\Vendor\Updater.exe' attempted to modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key on a user's workstation. The analyst checks the file hash and finds it matches a known legitimate software updater. Which of the following actions is most appropriate for the analyst to take?

A. Disable the software updater immediately to prevent further registry modifications.
B. Create an exception rule in the EDR to suppress future alerts for this process.
C. Investigate the user's recent activity and check for signs of process hollowing or DLL injection.
D. Isolate the workstation from the network and reimage the system immediately.

Answer: C

This is the correct next step. The analyst should examine the process's behavior in depth, including checking for anomalies such as unexpected command-line arguments, suspicious parent processes, or indicators of code injection, before concluding whether the alert is a false positive.

Why this answer

Option C is correct because the EDR alert indicates a legitimate process (Updater.exe) modifying a critical persistence registry key (Run). Even with a known good hash, the process could be compromised via process hollowing or DLL injection, where malicious code runs under the guise of a trusted executable. Investigating user activity and checking for these attack techniques is the appropriate next step to confirm whether the behavior is benign or indicative of a threat.

Exam trap

The trap here is that candidates assume a matching file hash guarantees the process is safe, overlooking that attackers can subvert a legitimate process at runtime through memory-based attacks that do not alter the file on disk.

How to eliminate wrong answers

Option A is wrong because disabling the software updater without evidence of malicious activity would disrupt legitimate updates and potentially cause system instability or security gaps. Option B is wrong because creating an exception rule would suppress all future alerts for this process, blinding the SOC to potential compromises that reuse the same executable name or hash. Option D is wrong because isolating and reimaging the workstation is an extreme, resource-intensive response that is not justified when the process hash matches a known legitimate file and there are no confirmed indicators of compromise.

382 · MCQ · easy

A laptop is suspected of being used in a malware incident. It is still powered on and connected to Wi-Fi. What should the responder do before shutting it down?

A. Install endpoint protection updates on the laptop right away.
B. Capture volatile evidence such as running processes and memory contents.
C. Delete suspicious files so the malware can no longer spread.
D. Reboot the laptop immediately to clear the suspected malware.

Answer: B

This is the best action because volatile data can disappear when the system is powered off or rebooted. Running processes, network connections, logged-on users, and memory contents may contain the strongest clues about active malware and attacker activity. Preserving this information first supports later investigation and helps responders understand what happened before they take more disruptive containment steps.

Why this answer

Option B is correct because volatile evidence, such as running processes, network connections, and memory contents, is lost when the system is powered off. Capturing this data first preserves critical forensic artifacts that can reveal the malware's behavior, persistence mechanisms, and indicators of compromise (IOCs). In a live incident, the responder must follow the order of volatility (RFC 3227) to collect the most ephemeral data before it disappears.

Exam trap

The trap here is that candidates mistakenly think immediate containment (e.g., deleting files or rebooting) is the priority, but the SY0-701 exam emphasizes preserving volatile evidence first to support forensic analysis and legal proceedings.

How to eliminate wrong answers

Option A is wrong because installing endpoint protection updates could alter the system state, overwrite evidence, or trigger anti-forensic behavior by the malware. Option C is wrong because deleting suspicious files destroys evidence and may not stop the malware, which could be running in memory or have persistence mechanisms. Option D is wrong because rebooting clears volatile memory (RAM), losing critical evidence like running processes, network connections, and injected code, and may allow malware to evade detection.

383 · MCQ · easy

An employee notices that a contractor left a printed report containing customer data on a conference room table. What should the employee do first?

A. Take a photo of the report and post it in the team chat as a warning.
B. Secure the report and report the incident through the company's approved process.
C. Leave the report where it is so the contractor can collect it later.
D. Shred the report immediately without telling anyone.

Answer: B

The best first action is to protect the sensitive document from further exposure and then report it through the proper process. This limits privacy impact, preserves accountability, and allows the organization to handle the issue according to policy. It also teaches safe behavior without unnecessarily spreading the data.

Why this answer

Option B is correct because the immediate priority is to protect the sensitive customer data from further unauthorized access by securing the report, and then to follow the organization's incident response policy. This aligns with the principle of data breach containment and the requirement to report security incidents through official channels to ensure proper investigation and compliance with regulations like GDPR or HIPAA.

Exam trap

The trap here is that candidates may think immediate destruction (shredding) is the best way to protect data, but they overlook the legal and procedural requirement to preserve evidence and report the incident through official channels.

How to eliminate wrong answers

Option A is wrong because taking a photo and posting it in a team chat would further expose the sensitive customer data to unauthorized individuals, violating data privacy and potentially escalating the breach. Option C is wrong because leaving the report unattended continues to expose the data to anyone who enters the conference room, failing to contain the incident. Option D is wrong because shredding the report without reporting destroys potential evidence needed for an investigation into how the data was exposed and whether other data was compromised, violating incident response procedures.

384 · MCQ · medium

Users in a warehouse report an SMS claiming a missed delivery. The link opens a login page that closely matches the company portal, and several users later receive unauthorized password reset emails. What attack is most likely?

A. Smishing, because the malicious lure is delivered through text messaging.
B. Vishing, because the attackers are likely trying to get a callback from the victims.
C. Spear phishing, because the message appears customized for warehouse employees.
D. Baiting, because the fake delivery notice tempts users to click for a reward.

Answer: A

Smishing is SMS-based phishing. The deceptive text message and fake portal are both strong indicators that the attacker is targeting users through mobile text communication.

Why this answer

The attack is smishing because the initial lure is delivered via SMS (Short Message Service), directing victims to a fraudulent login page. This aligns with the definition of smishing, a form of phishing that uses text messages to trick recipients into revealing sensitive information. The subsequent unauthorized password reset emails confirm credential compromise, which is the typical goal of smishing attacks.

Exam trap

CompTIA often tests the distinction between attack vectors (SMS vs. email vs. voice) rather than the content of the lure, so candidates may confuse smishing with spear phishing if they focus on the customized delivery notice instead of the delivery method.

How to eliminate wrong answers

Option B is wrong because vishing (voice phishing) relies on voice calls or voicemail prompts to elicit a callback, not an SMS with a link. Option C is wrong because spear phishing involves highly targeted, personalized emails, not SMS messages, and the scenario does not indicate the message was customized beyond a generic delivery notice. Option D is wrong because baiting involves offering a physical or digital lure (e.g., a free USB drive or download) to entice action, not a deceptive SMS link to a fake login page.

385 · MCQ · medium

A vendor-supported legacy application can run only with a deprecated browser plug-in on two engineering workstations for 30 days while a replacement is tested. Management wants to allow the exception without weakening the security program. What is the best action?

A. Approve the exception informally by email and revisit it if problems appear.
B. Document a time-bound exception, record the risk, apply compensating controls, and schedule review before expiration.
C. Disable all monitoring on the workstations so the application will function normally.
D. Publish the exception as a permanent guideline so other teams can follow it.

Answer: B

This is the best governance practice because the exception is controlled, documented, time-limited, and formally reviewed.

Why this answer

Option B is correct because it follows the formal exception process required by a mature security program: documenting the exception with a specific time bound (30 days), recording the associated risk, applying compensating controls (such as network segmentation or host-based firewall rules to isolate the deprecated plug-in), and scheduling a review before expiration ensures the risk is managed and the exception does not become permanent. This aligns with the SY0-701 objective of implementing risk management processes, where time-bound exceptions with compensating controls are the standard way to handle legacy dependencies without weakening the overall security posture.

Exam trap

The trap here is that candidates often choose Option A (informal approval) because it seems quick and pragmatic, but the SY0-701 exam emphasizes that any exception must be formally documented, risk-assessed, and time-bound to maintain a defensible security program.

How to eliminate wrong answers

Option A is wrong because an informal email approval lacks documentation, risk recording, and compensating controls, which violates the security program's requirement to track and manage exceptions; it also creates an audit trail gap that could lead to uncontrolled risk. Option C is wrong because disabling all monitoring on the workstations removes visibility into security events, directly weakening the security program and violating the principle of defense in depth; the application only needs the deprecated plug-in, not the elimination of monitoring. Option D is wrong because publishing the exception as a permanent guideline would institutionalize a temporary risk, contradicting the 30-day replacement timeline and potentially encouraging other teams to adopt insecure practices without proper risk assessment.

386 · MCQ · medium

A scan keeps reporting the same medium-severity TLS configuration issue on a public web server. The application owner says the vendor software cannot be changed until next quarter, but they can place the service behind a reverse proxy that enforces stronger cipher settings. How should the issue be handled in the vulnerability management process?

A. Close the finding as fixed because the reverse proxy reduces the risk
B. Record an exception, document the compensating control, and set a review or remediation date
C. Mark the finding as a false positive and remove it from future scans
D. Ignore the finding until the vendor releases a new version

Answer: B

An exception with documented mitigation and follow-up keeps the risk visible and tracked until the underlying issue can be remediated.

Why this answer

Option B is correct because the vulnerability management process requires that when a vulnerability cannot be immediately remediated, compensating controls must be formally documented as an exception with a scheduled remediation date. In this scenario, the reverse proxy enforces stronger cipher settings, effectively mitigating the TLS misconfiguration at the network edge, which is a valid compensating control. Recording the exception ensures auditability and prevents the finding from being prematurely closed while the vendor software remains vulnerable.

Exam trap

The trap here is that candidates assume a compensating control automatically closes the finding, when in fact vulnerability management requires an exception process with documentation and a future remediation date to ensure the root cause is eventually addressed.

How to eliminate wrong answers

Option A is wrong because simply placing a reverse proxy does not fix the underlying TLS configuration on the origin server; the finding should not be closed as 'fixed' since the vulnerability still exists on the server itself. Option C is wrong because the TLS configuration issue is a real vulnerability, not a false positive, and removing it from scans would bypass proper risk tracking and violate vulnerability management best practices.

387 · Drag & Drop · medium

Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.


Why this order

Static routes require global config mode and must specify the destination network, subnet mask, and next-hop address or exit interface.

388 · MCQ · easy

Employees in a lobby report that their phones automatically connected to a wireless network named "CorpWiFi." Soon after, they were prompted to sign in through a web page that did not look like the normal company portal. What attack is most likely?

A. Bluetooth pairing attack
B. Evil twin
C. NFC relay attack
D. MAC flooding

Answer: B

An evil twin is a rogue wireless access point that imitates a legitimate SSID so victims connect to it by mistake. The fake network name and suspicious sign-in page strongly suggest a malicious clone of the real Wi-Fi.

Why this answer

The scenario describes an evil twin attack, where a rogue access point (AP) broadcasts an SSID identical to the legitimate corporate network ("CorpWiFi"). When employees' devices automatically connect to the stronger signal of the rogue AP, they are served a fake captive portal designed to capture credentials or other sensitive data. This attack exploits the lack of mutual authentication in standard 802.11 Wi-Fi associations.

Exam trap

The trap here is that candidates may confuse an evil twin with a simple misconfiguration or a phishing attack, but the key indicator is the automatic connection to a network with the same SSID followed by a suspicious login page, which directly points to a rogue AP impersonating the legitimate network.

How to eliminate wrong answers

Option A is wrong because a Bluetooth pairing attack requires active pairing initiation and does not involve a web-based sign-in prompt or automatic Wi-Fi connection. Option C is wrong because an NFC relay attack extends the range of an NFC transaction (e.g., contactless payment) and does not create a fake Wi-Fi network or captive portal. Option D is wrong because MAC flooding is a Layer 2 attack that floods a switch's CAM table to force it into hub mode, enabling packet sniffing; it does not involve a rogue wireless network or a sign-in page.

389 · MCQ · easy

An operations manager states that the customer portal may be unavailable for no more than 15 minutes in a month before the issue must be escalated to executives. Which risk management concept does this statement describe?

A. Risk appetite, because it describes the organization’s overall willingness to take risk.
B. Risk tolerance, because it sets a specific measurable threshold for acceptable impact.
C. Risk transfer, because the business is moving the outage risk to another party.
D. Risk avoidance, because the organization is eliminating the portal risk completely.

Answer: B

Risk tolerance is the specific, measurable limit an organization is willing to accept for a particular risk or service. In this case, the 15-minute outage threshold is a clear boundary that triggers escalation, so it is a tolerance statement.

Why this answer

Option B is correct because risk tolerance defines the specific, measurable deviation from risk appetite that an organization is willing to accept. The operations manager's statement sets a precise threshold—15 minutes of unavailability per month—before escalation is required, which is a classic example of risk tolerance in IT service management.

Exam trap

CompTIA often tests the distinction between risk appetite (broad willingness) and risk tolerance (specific measurable threshold), causing candidates to confuse the two when a numeric value is given.

How to eliminate wrong answers

Option A is wrong because risk appetite is the broad, high-level willingness to accept risk (e.g., 'we accept some downtime'), not a specific numeric threshold like 15 minutes. Option C is wrong because risk transfer involves shifting risk to a third party (e.g., via insurance or outsourcing), not setting an internal escalation policy. Option D is wrong because risk avoidance means eliminating the risk entirely (e.g., taking the portal offline permanently), not defining a tolerance for acceptable downtime.

390 · MCQ · medium

The security team configures the badge system so employees must present both a badge and a PIN before entering the data center. The access logs are reviewed weekly for failed attempts. Which pair of control types best describes these measures?

A. Preventive and detective, because one measure blocks access and the other identifies suspicious activity.
B. Corrective and recovery, because the logs can restore access after a badge failure.
C. Deterrent and compensating, because the PIN discourages attackers and the logs replace the badge reader.
D. Administrative and physical, because the weekly review and the badge reader are both physical measures.

Answer: A

Requiring a badge and PIN is preventive because it attempts to stop unauthorized entry before it happens. Reviewing access logs is detective because it helps identify misuse or attempted misuse after the fact. Together, these controls reduce the likelihood of unauthorized entry while also giving the security team visibility into failed or unusual access attempts. This is a practical layered approach.

Why this answer

Option A is correct because the badge and PIN requirement is a preventive control that blocks unauthorized access to the data center, while the weekly review of access logs is a detective control that identifies suspicious activity after the fact. Preventive controls stop incidents before they occur, and detective controls discover violations that have already happened, making this pair the best fit for the described measures.

Exam trap

The trap here is confusing detective controls (which identify past events) with corrective controls (which fix issues), or misclassifying administrative controls (like policy reviews) as physical controls, leading candidates to pick option D.

How to eliminate wrong answers

Option B is wrong because corrective and recovery controls are designed to fix or restore systems after an incident (e.g., restoring access after a badge failure), but the logs are used for review, not for restoration. Option C is wrong because deterrent controls discourage attackers (e.g., warning signs), not PINs that actively block access, and compensating controls provide alternative protection when a primary control fails, not logs that replace a badge reader. Option D is wrong because the weekly review is an administrative control (policy/procedure), not a physical measure, and the badge reader is a physical control, not an administrative one.

391 · MCQ · medium

Based on the exhibit, what is the best security change to address the exposed management access on the cloud VM?

A. Ask the provider to patch the guest operating system on the VM.
B. Move SSH to a public IP on the VM so administrators can reach it more easily.
C. Restrict SSH through a bastion host or VPN and remove direct internet access to the VM.
D. Enable object storage versioning to protect the VM from unauthorized logins.

Answer: C

In IaaS, the customer owns network controls. A bastion or VPN keeps management traffic private and limited to approved admins.

Why this answer

Option C is correct because exposing SSH directly to the internet on a cloud VM creates a significant attack surface, allowing brute-force and credential-stuffing attacks. A bastion host (jump box) or VPN provides a controlled, authenticated entry point, while removing direct internet access to the VM ensures management traffic is isolated and audited. This aligns with the principle of defense in depth and the AWS/cloud best practice of using a bastion host for administrative access.

Exam trap

CompTIA often tests the misconception that patching (Option A) or moving the service to a public IP (Option B) solves exposure issues, when the real security flaw is the lack of network segmentation and a controlled access point like a bastion host or VPN.

How to eliminate wrong answers

Option A is wrong because patching the guest OS addresses software vulnerabilities but does not eliminate the exposed SSH management interface on the public internet; the core issue is network exposure, not missing patches. Option B is wrong because moving SSH to a public IP makes the management access even more exposed, increasing the attack surface and violating the principle of least privilege. Option D is wrong because object storage versioning is a data protection feature for recovering from accidental deletion or overwrite of objects; it has no relevance to securing VM management access or preventing unauthorized logins.

392
MCQ · easy

A desktop engineering team needs the document that sets the mandatory minimum password length and screen-lock timeout for all company laptops. Which document type should they use?

A. Policy
B. Standard
C. Guideline
D. Procedure
Answer: B

A standard defines mandatory, specific requirements such as exact password length, timeout values, or encryption settings. In this case, the team needs a document that tells them the minimum baseline every laptop must meet. Standards are enforceable and precise, which makes them the right fit for organization-wide technical requirements.

Why this answer

A standard specifies mandatory technical requirements, such as minimum password length and screen-lock timeout, that must be implemented on all company laptops. Unlike a policy, which is high-level and states management intent, a standard provides the specific, enforceable configuration settings. This aligns with the desktop engineering team's need for a document that dictates exact technical parameters.

Exam trap

The trap here is confusing a policy (the 'what' and 'why') with a standard (the 'how much' or 'how many'), leading candidates to choose 'Policy' because they think it sets rules, but policies lack the specific, measurable technical thresholds that standards provide.

How to eliminate wrong answers

Option A is wrong because a policy is a high-level statement of management intent and goals, not a document that sets specific technical values like 'minimum password length of 8 characters' or 'screen-lock timeout of 15 minutes'. Option C is wrong because a guideline offers recommendations and best practices, not mandatory requirements; the team needs a document that enforces compliance, not just suggests. Option D is wrong because a procedure provides step-by-step instructions on how to perform a task (e.g., how to configure a password policy in Group Policy), not the actual mandatory values themselves.

393
MCQ · hard

An order-entry application must survive a single server failure and continue serving users if the primary site becomes unavailable. Management wants automatic failover, but does not want to pay for fully active production capacity in two regions. Which design is best?

A. Run one server and keep nightly backups in cloud object storage.
B. Use two servers in one site behind a load balancer and maintain an asynchronously replicated warm standby site.
C. Deploy active-active multi-region capacity with identical production load in both regions.
D. Add RAID 1 and a spare power supply to the database server.
Answer: B

Option B provides local redundancy against a single server failure (two servers behind a load balancer) and a lower-cost warm standby site for failover if the primary site is lost.

Why this answer

Option B is correct because it combines a load-balanced active-passive pair at the primary site with an asynchronously replicated warm standby at a secondary site. This design meets the requirement for automatic failover and continued service after a single server failure or primary site outage, while avoiding the cost of fully active multi-region capacity. Asynchronous replication ensures the standby site is ready to take over without requiring synchronous writes that would add latency or require identical production load.

Exam trap

The trap here is that candidates often confuse high availability (local redundancy) with disaster recovery (site-level failover), and incorrectly assume that RAID or backups alone satisfy the requirement for automatic failover after a site outage.

How to eliminate wrong answers

Option A is wrong because nightly backups in cloud object storage provide only point-in-time recovery, not automatic failover or near-continuous availability; a server failure would cause extended downtime while restoring from backup. Option C is wrong because active-active multi-region capacity with identical production load in both regions directly contradicts management's requirement to avoid paying for fully active production capacity in two regions. Option D is wrong because RAID 1 and a spare power supply protect only against local hardware failures (disk or power supply) within a single server, not against a server failure or a full site outage.

394
MCQ · easy

A SOC analyst sees 38 failed logins for a finance user account from one public IP address over 4 minutes, followed by one successful login. What should the analyst do first?

A. Immediately delete the account to stop any further access attempts.
B. Correlate the authentication logs with user activity and VPN records to verify whether the login pattern is expected.
C. Assume the account is compromised and notify all users to change their passwords.
D. Close the alert because one successful login means the activity was normal.
Answer: B

Correlating related logs is the best first step because it helps determine whether the event is a real attack or an expected user behavior pattern. Authentication logs, VPN records, and account activity can show whether the source IP, timing, and device match a legitimate session. Good triage focuses on confirmation before disruptive response actions.

Why this answer

Option B is correct because the analyst must first verify whether the failed logins followed by a successful login represent a brute-force attack or legitimate behavior, such as a user mistyping their password and then succeeding. Correlating authentication logs with user activity and VPN records helps confirm if the public IP belongs to a known remote user or VPN endpoint, which is a standard first step in incident response to avoid false positives.

Exam trap

The trap here is that candidates assume a successful login after many failures always indicates compromise, but the question tests the critical first step of verification through log correlation before taking any action.

How to eliminate wrong answers

Option A is wrong because immediately deleting the account disrupts business operations and destroys forensic evidence; account deletion should only occur after thorough investigation and confirmation of compromise. Option C is wrong because assuming compromise without verification leads to unnecessary panic and password fatigue; the analyst must first correlate logs to determine if the activity is expected before initiating a password reset. Option D is wrong because one successful login after many failures does not indicate normal activity—it could indicate a successful brute-force attack, and closing the alert without investigation violates security operations procedures.

395
Multi-Select · hard

A SIEM analyst reviews the following sequence from a VPN and email platform over 15 minutes: 47 failed logins against different accounts from one public IP, one successful VPN login from that same IP, a new inbox forwarding rule to an external address, and a mailbox sign-in from a device never seen before. Which three findings most strongly support a password-spraying-to-compromise scenario? Select three.

Select 3 answers
A. Many failed logins across different usernames from the same source IP in a short time window.
B. A successful VPN login from the same source IP after the burst of failures.
C. An inbox forwarding rule sending messages to an external address.
D. A workstation patch installation completed earlier that day.
E. The mailbox server reported normal disk utilization during the same hour.
Answers: A, B, C

That pattern strongly matches password spraying because one attacker tries a small number of guesses across many accounts.

Why this answer

Option A is correct because a high volume of failed logins against multiple accounts from a single public IP within a short time window is the hallmark of a password-spraying attack, where the attacker tries a few common passwords across many usernames to avoid account lockout. This pattern is distinct from a brute-force attack, which targets a single account with many passwords.

Exam trap

The trap here is that candidates may think a single successful login or a forwarding rule alone is suspicious, but the question asks for findings that most strongly support the password-spraying-to-compromise scenario, which requires the combination of the spray pattern, the successful login from the same source, and the post-compromise persistence action.

396
Multi-Select · medium

After several password-reset incidents, the security team wants one document that sets mandatory minimum controls for privileged accounts and another that tells the help desk the exact steps to verify identity and reset access. Which two document types should they use? Select two.

Select 2 answers
A. Policy, because it explains the organization's overall security intent in broad terms.
B. Standard, because it defines the mandatory minimum requirements that everyone must follow.
C. Procedure, because it gives the exact step-by-step actions for help desk staff.
D. Guideline, because it provides recommended practices that staff may ignore if needed.
E. Baseline, because it is mainly used as a casual reference document for analysts.
Answers: B, C

A standard is the right document for mandatory baseline requirements, such as minimum password length, MFA requirements, or privileged account rules. It converts policy intent into specific, measurable requirements that can be enforced consistently across the organization.

Why this answer

Option B is correct because a standard defines mandatory minimum requirements that must be followed, such as password length, complexity, and MFA enforcement for privileged accounts. This ensures consistent security controls across the organization without ambiguity, unlike a policy which is high-level intent.

Exam trap

The trap here is confusing a policy (high-level intent) with a standard (mandatory minimums), and a guideline (optional) with a procedure (step-by-step), leading candidates to pick A and D instead of B and C.

397
MCQ · medium

During a conference, several employees connect to a wireless network named the same as the hotel's guest Wi-Fi. Shortly after connecting, they receive certificate warnings when accessing the company portal, and packet capture shows a nearby laptop advertising the same SSID and relaying traffic. What type of attack is most likely?

A. Rogue access point or evil twin attack, because a fake wireless network impersonates a legitimate one.
B. Replay attack, because previously captured wireless frames are being resent to the network.
C. DNS poisoning, because users are being sent to the wrong website through altered name resolution.
D. Denial of service, because users are simply unable to connect reliably.
Answer: A

An evil twin duplicates the SSID of a trusted network to lure clients into connecting to an attacker-controlled access point.

Why this answer

The attack described is an evil twin (a type of rogue access point) because the attacker sets up a laptop broadcasting the same SSID as the hotel's legitimate guest Wi-Fi. When employees connect to this fake network, the attacker can intercept traffic and present a fraudulent certificate for the company portal, triggering certificate warnings. The packet capture confirming the laptop is relaying traffic proves it is acting as a man-in-the-middle, not merely a passive listener.

Exam trap

The trap here is that candidates confuse an evil twin with a simple rogue access point, but the key differentiator is that the evil twin specifically impersonates a legitimate SSID to trick users, while a rogue AP might use a different SSID; the certificate warning and relayed traffic confirm the man-in-the-middle role, not just unauthorized access.

How to eliminate wrong answers

Option B is wrong because a replay attack involves capturing and retransmitting valid wireless frames (e.g., authentication or data packets) to impersonate a user or gain unauthorized access, but here the attacker is actively advertising a fake SSID and relaying live traffic, not replaying old frames. Option C is wrong because DNS poisoning alters DNS resolution to redirect users to a malicious site, but the scenario describes certificate warnings on the company portal and a laptop relaying traffic, not a manipulated DNS response. Option D is wrong because a denial of service attack would prevent connectivity or degrade performance, whereas users are successfully connecting to the fake network and receiving certificate warnings, indicating active interception rather than service disruption.

398
MCQ · medium

A SOC analyst investigates a host after an employee opens an invoice attachment. The endpoint shows PowerShell running in a hidden window, no new executable files are created on disk, and the same suspicious activity returns after a reboot. What is the most likely attack type?

A. Fileless attack, because the malicious activity is operating primarily in memory and using native tools.
B. Ransomware, because the user opened an email attachment.
C. Worm, because PowerShell is a common scripting tool.
D. Rootkit, because the attacker is hiding the process from normal tools.
Answer: A

Fileless attacks rely on legitimate scripting engines and memory-resident techniques instead of dropping obvious executable files. Hidden PowerShell activity, repeated behavior after reboot, and the absence of a new binary are strong signs that the attacker is leveraging trusted operating system components. This approach often helps malware evade traditional file-based scanning while still achieving persistence or command execution.

Why this answer

The correct answer is A because the attack is fileless: it runs PowerShell in a hidden window without writing new executables to disk, and persistence after reboot indicates the malicious code is stored in the registry or a script that loads into memory at startup. Fileless attacks leverage native tools like PowerShell, WMI, or .NET to execute payloads entirely in memory, bypassing traditional file-based detection.

Exam trap

The trap here is that candidates confuse 'fileless' with 'no persistence' or assume any attachment-based attack is ransomware, but the key indicators—hidden PowerShell, no new executables, and post-reboot persistence—point directly to a fileless attack using native Windows tools.

How to eliminate wrong answers

Option B is wrong because ransomware typically encrypts files and demands payment, but the scenario describes no encryption, no ransom note, and no new executables—only persistent in-memory PowerShell activity. Option C is wrong because a worm self-replicates across networks without user interaction, while this attack requires the user to open an invoice attachment and shows no lateral movement or self-propagation.

399
MCQ · easy

An employee receives a text message saying their payroll account is locked and asks them to tap a link and enter a one-time passcode. What type of attack is this?

A. Phishing
B. Smishing
C. Vishing
D. Baiting
Answer: B

Smishing is phishing delivered by SMS or another text messaging service. The attacker uses urgency and a fake account-lock message to trick the user into clicking a malicious link and giving away a one-time code.

Why this answer

Smishing (SMS phishing) is the correct classification because the attack vector is a text message (SMS) that lures the recipient into tapping a link and entering a one-time passcode. Unlike generic phishing which uses email, smishing specifically exploits SMS trust and the limited screen real estate of mobile devices to bypass security awareness.

Exam trap

The trap here is that candidates confuse smishing with generic phishing because both involve a link and credential theft, but the exam specifically tests the delivery method (SMS vs. email) as the distinguishing factor.

How to eliminate wrong answers

Option A (Phishing) is wrong because phishing specifically refers to email-based social engineering, not SMS/text messaging. Option C (Vishing) is wrong because vishing uses voice calls or voicemail, not text messages. Option D (Baiting) is wrong because baiting involves offering a physical or digital lure (e.g., a free USB drive or download) to trick the victim, not a direct message requesting credentials.

400
MCQ · easy

System administrators need to manage internal switches from home. The solution must encrypt management traffic, strongly authenticate users, and avoid exposing management ports directly to the internet. What should be used?

A. Telnet over port 23 with an allow list on the firewall.
B. A VPN into the internal network, then SSH or HTTPS for administration.
C. RDP directly to the switch management interface from the public IP address.
D. Open the management port to the internet and rely on a long password.
Answer: B

This is the best answer because it keeps management interfaces off the public internet while still allowing secure remote administration. The VPN provides encrypted transport and can enforce strong user authentication, and SSH or HTTPS protects the device management session itself. This layered approach matches common best practice for remote admin access and reduces exposure of sensitive management services.

Why this answer

Option B is correct because a VPN creates an encrypted tunnel over the internet, protecting management traffic in transit. Once connected to the internal network, SSH (for CLI) or HTTPS (for web GUI) provides strong authentication and encryption for switch administration. This approach avoids exposing management ports directly to the internet, reducing the attack surface.

Exam trap

The trap here is that candidates may think Telnet with a firewall allow list is sufficient, overlooking that Telnet provides no encryption, or they may confuse RDP as a valid switch management protocol, when switches typically use SSH or HTTPS for administration.

How to eliminate wrong answers

Option A is wrong because Telnet transmits all data, including credentials, in cleartext (no encryption), violating the encryption requirement. Option C is wrong because RDP is designed for remote desktop access to workstations, not for switch management interfaces, and exposing it directly to the internet bypasses the requirement to avoid direct exposure. Option D is wrong because opening the management port to the internet violates the requirement to avoid direct exposure, and relying solely on a long password does not provide strong authentication (e.g., no multi-factor or certificate-based authentication) and leaves the system vulnerable to brute-force attacks.

401
Multi-Select · hard

After a ransomware incident, management says backups are available but will not approve closure until the team proves the restore process works without risking production data. Which two actions best validate recoverability? Select two.

Select 2 answers
A. Restore a recent backup to an isolated test system that mirrors production.
B. Verify file integrity and application functionality after the restore completes.
C. Increase backup retention without testing the restore process.
D. Keep the original ransomware-affected server online until the backup is approved.
E. Use the backup job report as proof that the data can be recovered.
Answers: A, B

A test restore proves the backup can be read and restored into a usable system without affecting live production.

Why this answer

Restoring to an isolated test system that mirrors production (Option A) is correct because it validates the backup's integrity and the restore process without any risk to the live production environment. This approach ensures the backup data is readable and the restoration steps are documented and repeatable, directly addressing management's requirement to prove recoverability without endangering production data.

Exam trap

CompTIA often tests the misconception that a backup job report or increased retention alone proves recoverability, when in fact only a successful restore to a test environment with validation steps can confirm that the data is usable and the process works.

402
Multi-Select · medium

Which three of the following are characteristics of the principle of least privilege? (Choose three.)

Select 3 answers
A. Users are granted only the permissions necessary to perform their job functions
B. Administrative accounts are used only for administrative tasks, not daily work
C. Privileges are reviewed and revoked when no longer needed
D. All users have equal access to all system resources
E. Privileges are granted permanently once assigned
F. Users are given full control over all shared folders
Answers: A, B, C

Why this answer

The principle of least privilege dictates that users should only have the minimum permissions necessary to complete their job functions, which reduces the attack surface and limits potential damage from compromised accounts. Administrative accounts should be reserved exclusively for administrative tasks to prevent accidental or malicious misuse of elevated privileges. Regularly reviewing and revoking privileges ensures that access rights remain aligned with current job requirements, preventing privilege creep.

Exam trap

The trap here is that candidates may confuse the principle of least privilege with the concept of 'zero trust' or mistakenly think that permanent privilege grants are acceptable if initially assigned correctly, ignoring the need for ongoing review and revocation.

403
Multi-Select · hard

A SOC analyst reviews a suspicious email about an overdue invoice. The display name matches a known supplier, but the envelope sender is from a free webmail domain, and the Reply-To address uses a look-alike domain with one swapped letter. The message also includes a company logo and a PDF attachment. Which two findings are the strongest indicators of a phishing attempt? Select two.

Select 2 answers
A. The display name matches the supplier, but the envelope sender is from a free webmail provider.
B. The message was transmitted over TLS to the recipient's mail gateway.
C. The Reply-To address uses a look-alike domain with one swapped letter in the brand name.
D. The email contains a PDF invoice attachment with a normal business filename.
E. The message includes the supplier's logo and a standard-looking signature block.
Answers: A, C

A familiar display name can be copied easily, so it is not trustworthy by itself. An envelope sender using a free webmail provider is inconsistent with a legitimate supplier invoice workflow and strongly suggests impersonation. Attackers often rely on this mismatch to bypass casual review while making the message appear routine.

Why this answer

Option A is correct because the envelope sender (the actual origin address in the SMTP MAIL FROM command) being from a free webmail domain while the display name matches a known supplier is a classic phishing red flag. Legitimate business invoices are almost never sent from free webmail providers like Gmail or Yahoo, as organizations use their own domains for official correspondence. This mismatch between the visible display name and the actual sender address indicates spoofing.

Exam trap

CompTIA often tests the distinction between the visible display name and the actual envelope sender, as candidates may mistakenly focus on the attachment or logo as phishing indicators rather than the sender address mismatch.

404
Multi-Select · hard

A finance app uses the corporate IdP for authentication. A user who moved out of finance can still approve invoices until the browser session expires, and the app caches local roles. Which two changes best make access changes take effect faster without storing app passwords? Select two.

Select 2 answers
A. Shorten token and session lifetimes, and require reauthentication for high-risk actions.
B. Increase password complexity but keep session duration unchanged.
C. Use current IdP group claims for authorization instead of cached local roles.
D. Disable SSO and email one-time passwords for every login.
E. Keep long-lived sessions to reduce help desk tickets.
Answers: A, C

Shorter sessions reduce how long stale access remains usable after a role change. Step-up reauthentication for sensitive actions adds an extra check before invoice approval, which is appropriate for financial operations.

Why this answer

Option A is correct because shortening token and session lifetimes reduces the window during which stale permissions remain active, and requiring reauthentication for high-risk actions (like approving invoices) ensures that the user's current authorization status is verified before sensitive operations. This directly addresses the problem of cached roles persisting beyond the user's actual group membership changes.

Exam trap

The trap here is that candidates may think increasing password complexity or disabling SSO improves security, but the question specifically asks for changes that make access changes take effect faster without storing app passwords, so the focus must be on session/token lifetimes and authorization source, not authentication strength.

405
MCQ · medium

A company's current remote access solution uses a traditional VPN that grants users full network-layer access to the internal LAN once authenticated. The security architect wants to adopt a zero trust architecture to reduce the risk of lateral movement by compromised endpoints. Which of the following implementations best aligns with zero trust principles?

A. Implement a next-generation firewall and require all remote traffic to pass through it with strict rules.
B. Deploy a secure web gateway and require all remote users to browse through a proxy.
C. Use a software-defined perimeter that authenticates each user and device before granting access only to specific applications.
D. Enable multi-factor authentication for VPN and implement a VPN concentrator with split tunneling.
Answer: C

A software-defined perimeter (SDP) or zero trust network access (ZTNA) solution authenticates and authorizes each connection request individually, creating an encrypted tunnel only to the requested application. This prevents lateral movement because the user never receives a network-level address on the internal LAN.

Why this answer

Option C is correct because a software-defined perimeter (SDP) implements zero trust by authenticating both the user and device before granting access to specific applications, not the entire network. This prevents lateral movement by ensuring that even after authentication, the endpoint can only reach the allowed application, not the full LAN. This aligns with the zero trust principle of 'never trust, always verify' and micro-segmentation.

Exam trap

The trap here is that candidates often confuse 'stronger authentication' (MFA) or 'better firewalling' (NGFW) with zero trust, but zero trust requires eliminating implicit trust at the network layer by granting access only to specific applications, not the entire LAN.

How to eliminate wrong answers

Option A is wrong because a next-generation firewall (NGFW) with strict rules still provides network-layer access to the LAN after authentication, allowing lateral movement if the endpoint is compromised; it does not enforce per-application access. Option B is wrong because a secure web gateway (SWG) only proxies web traffic, not all remote access traffic, and does not restrict network-layer access to internal applications or prevent lateral movement. Option D is wrong because enabling MFA and split tunneling for a traditional VPN still grants full network-layer LAN access after authentication, allowing a compromised endpoint to move laterally; split tunneling actually increases risk by allowing direct internet access.

406
MCQ · medium

A security architect is designing a defense strategy for a database containing sensitive customer records. The architect implements a network firewall to restrict inbound traffic to only the application server, enforces file-level encryption for the database files, requires multi-factor authentication for all administrative access, and deploys a database activity monitoring system to alert on unusual queries. Which security principle is the architect primarily applying?

A. Least privilege
B. Defense in depth
C. Separation of duties
D. Fail safe
Answer: B

This is correct. Defense in depth uses multiple independent layers of security controls (firewall, encryption, MFA, monitoring) so that if one layer fails, others still provide protection. The architect's strategy clearly exemplifies this principle.

Why this answer

The architect is applying defense in depth by layering multiple independent security controls: a network firewall, file-level encryption, multi-factor authentication, and database activity monitoring. This strategy ensures that if one control fails, others still provide protection, which is the core principle of defense in depth. Each layer addresses a different attack vector, making it significantly harder for an attacker to compromise the database.

Exam trap

The trap here is that candidates often confuse defense in depth with least privilege because both involve multiple controls, but defense in depth is about layering different types of controls, not just restricting permissions.

How to eliminate wrong answers

Option A is wrong because least privilege restricts user permissions to the minimum necessary, but the scenario describes multiple layers of controls, not a specific access restriction. Option C is wrong because separation of duties divides critical tasks among different people to prevent fraud, whereas this scenario focuses on technical controls, not role-based task division. Option D is wrong because fail safe ensures a system defaults to a secure state on failure (e.g., a firewall denying all traffic if it crashes), but the scenario does not describe any failover or default behavior.

407
Multi-Select · hard

A customer portal must stay online if an entire site fails, and the company must also be able to recover if data is corrupted or encrypted by ransomware. Which two design choices best satisfy both requirements? Select two.

Select 2 answers
A. Use active-active or automatic failover between two sites with health checks.
B. Keep only RAID 1 inside each server, because mirroring alone handles site outages.
C. Maintain immutable offsite backups and test restores on a regular schedule.
D. Store nightly backups on the same storage array as the production data.
E. Replace the load balancer with a static DNS record for each server.
Answers: A, C

A second site with automatic failover or active-active traffic handling preserves availability when one location goes offline. Health checks let the load balancer or orchestration layer stop sending traffic to a failed site quickly. This directly addresses the requirement to keep the portal online during a total site outage.

Why this answer

Option A is correct because active-active or automatic failover between two sites with health checks ensures that if an entire site fails, traffic is automatically redirected to the surviving site, maintaining availability. This design satisfies the first requirement of staying online during a site failure by using redundant infrastructure and health monitoring to detect and react to outages.

Exam trap

The trap here is that candidates often assume RAID or local backups provide sufficient protection against site outages and ransomware, but RAID only handles disk failure and same-site backups are vulnerable to the same ransomware attack, so both requirements demand geographically separate, immutable backups and multi-site failover.

408
Multi-Select · medium

Which four of the following are common indicators of a phishing attack? (Choose four.)

Select 4 answers
A. Urgent or threatening language demanding immediate action
B. Spoofed sender email address that mimics a legitimate domain
C. Unsolicited attachment or link that prompts credential entry
D. Presence of a digital signature from a trusted certificate authority
E. Grammatical errors and poor formatting in the message body
F. A request for sensitive information via a secure web portal
Answers: A, B, C, E

Why this answer

These four options are correct because they represent classic hallmarks of phishing attacks. Urgent or threatening language is a social engineering tactic to bypass rational thought. Spoofed sender addresses exploit trust in familiar domains.

Unsolicited attachments or links are the primary delivery mechanism for phishing payloads. Grammatical errors and poor formatting often indicate a lack of professional quality control typical of legitimate organizations.

Exam trap

Cisco often tests the misconception that technical security features like digital signatures or HTTPS encryption automatically indicate legitimacy, when in fact attackers can obtain valid certificates or bypass signature verification through social engineering.

409
MCQmedium

A security analyst in the SOC observes a sudden spike in failed authentication attempts from a single external IP address targeting multiple user accounts over the last 30 minutes. After confirming the logs are accurate, which of the following actions should the analyst take FIRST according to standard incident response procedures?

A.Block the IP address at the firewall immediately.
B.Disable all user accounts that were targeted.
C.Escalate the incident to the incident response team.
D.Capture a memory dump of all affected servers.
AnswerC

Escalation is the first step after detection. The incident response team will follow the organization's plan to analyze, contain, eradicate, and recover from the incident. This ensures a coordinated and controlled response.

Why this answer

Option C is correct because, according to standard incident response procedures (NIST SP 800-61), the first step after confirming an anomaly is to escalate the incident to the incident response team. This ensures that a coordinated, documented, and legally defensible response is initiated, rather than taking unilateral action that could destroy evidence or disrupt legitimate services. The SOC analyst's role is to detect and validate, not to independently execute containment measures without authorization.

Exam trap

The trap here is that candidates often confuse 'immediate containment' with 'first action,' forgetting that escalation and validation must precede any technical countermeasure to ensure proper evidence preservation and coordinated response.

How to eliminate wrong answers

Option A is wrong because immediately blocking the IP address at the firewall could be an overreaction—the IP might be a legitimate proxy or VPN used by multiple users, and blocking it could disrupt business operations and destroy forensic evidence of the attack chain. Option B is wrong because disabling all targeted user accounts without investigation could lock out legitimate users who were not compromised, and it does not address the root cause (the external attacker), potentially allowing the attacker to pivot to other accounts or methods.

410
Multi-Selectmedium

After several near-miss phishing attempts, leadership wants to reduce mistakes quickly without disrupting daily work. Which three measures are the best balance of security and usability? Select three.

Select 3 answers
A.Run short role-based phishing training for higher-risk user groups.
B.Add a simple report-phishing button and encourage immediate reporting.
C.Require out-of-band verification for payment changes and wire requests.
D.Disable email for all staff until phishing activity stops.
E.Block all external senders permanently.
AnswersA, B, C

Focused training improves awareness where exposure is highest without overwhelming the entire workforce.

Why this answer

Option A is correct because targeted, role-based phishing training focuses on users who handle sensitive data or financial transactions, reducing the attack surface without overwhelming the entire workforce. This approach leverages the principle of least privilege in security awareness, ensuring that training is relevant and immediately applicable to the specific phishing tactics those roles face, thus minimizing disruption while improving detection rates.

Exam trap

CompTIA often tests the balance between security and usability, where candidates mistakenly choose overly restrictive options like disabling email or blocking all external senders, failing to recognize that such measures violate the core principle of maintaining business operations while improving security posture.

411
MCQmedium

A security analyst notices repeated attempts to copy large amounts of data to USB drives from a user's workstation. The analyst suspects the user may be exfiltrating company proprietary data. The company wants to implement a technical control that can both detect and block such data exfiltration without completely disabling all USB ports, as some users require USB for authorized work. Which of the following would best meet this requirement?

A.Implement a host-based intrusion detection system (HIDS) that alerts on USB insertion events.
B.Deploy a data loss prevention (DLP) agent configured with rules to monitor and block unauthorized data transfers to removable media.
C.Enable BitLocker encryption on all USB drives to prevent unauthorized data access.
D.Configure the local group policy to disable all USB ports on all workstations.
AnswerB

A DLP agent can inspect data in real time, apply policies to classify sensitive content, and block transfers that violate company rules. This meets the need to both detect and block exfiltration while still permitting authorized USB use.

Why this answer

Option B is correct because a Data Loss Prevention (DLP) agent can be configured with granular rules to monitor and block unauthorized data transfers to removable media (e.g., USB drives) based on content inspection, file type, or volume thresholds. This allows authorized USB usage while preventing exfiltration of proprietary data, meeting the requirement for both detection and blocking without disabling all USB ports.

Exam trap

The trap here is that candidates often confuse detection-only controls (like HIDS alerts) with prevention controls, or they assume encryption (BitLocker) can stop data exfiltration, when in fact encryption only protects data at rest and does not prevent copying from the host.

How to eliminate wrong answers

Option A is wrong because a host-based intrusion detection system (HIDS) can only alert on USB insertion events but cannot block data transfers, so it fails to meet the requirement for blocking exfiltration. Option C is wrong because BitLocker encryption protects data at rest on USB drives from unauthorized access if the drive is lost, but it does not monitor or block the act of copying data to the drive from the workstation. Option D is wrong because disabling all USB ports via group policy would block all USB usage, including authorized work, which directly contradicts the requirement to allow some users to use USB for legitimate purposes.

412
MCQeasy

An auditor asks for evidence that the new workstation hardening baseline is actually applied across all finance laptops. Which evidence is the best to provide?

A.A copy of the hardening policy that says all laptops must be secured.
B.A manager’s email confirming that the baseline was announced to the team.
C.Screenshots from one finance laptop showing the baseline settings.
D.An automated compliance report from the configuration management tool showing baseline status across all devices.
AnswerD

An automated compliance report is the strongest evidence because it is repeatable, covers the full population, and shows whether the baseline is actually enforced. Auditors generally prefer objective evidence that can be validated across multiple systems rather than isolated screenshots or statements.

Why this answer

Option D is correct because an automated compliance report from a configuration management tool (e.g., Microsoft Intune, SCCM, or Ansible) provides verifiable, centralized evidence that the hardening baseline is applied across all finance laptops. Unlike manual screenshots or policy documents, this report shows real-time or historical compliance status for every device, proving enforcement at scale.

Exam trap

The trap here is that candidates often choose Option C (screenshots) because it shows actual settings, but they overlook the requirement for evidence across all devices, not just one sample.

How to eliminate wrong answers

Option A is wrong because a copy of the hardening policy only states the requirement; it does not provide evidence that the baseline was actually applied to any device. Option B is wrong because a manager’s email confirming an announcement is hearsay and does not demonstrate technical enforcement or verification of settings. Option C is wrong because screenshots from a single laptop only prove compliance for that one device, not for the entire fleet of finance laptops, and can be easily staged or falsified.

413
Multi-Selecteasy

A records clerk finds paper forms containing customer identifiers. The retention period has expired, and no legal hold applies. Which two actions are appropriate next? Select two.

Select 2 answers
A.Verify that the retention schedule has been satisfied and no hold exists
B.Destroy the forms using the organization's approved disposal method
C.Keep the forms in a personal desk drawer until someone asks for them
D.Take the papers home for safe keeping before shredding later
E.Refile the forms in an archive cabinet because they are old records
AnswersA, B

Before destruction, the clerk should confirm that the records are truly eligible to be disposed of under the retention policy.

Why this answer

Option A is correct because before disposing of any records, the records clerk must confirm that the retention period has fully elapsed and that no legal hold (such as a litigation hold or regulatory hold) is active. This verification step ensures compliance with organizational data governance policies and avoids spoliation of evidence. Option B is correct because once verification is complete, the approved disposal method (e.g., cross-cut shredding, incineration, or secure shredding service) must be used to render the customer identifiers irrecoverable, aligning with data minimization and privacy requirements.

Exam trap

The trap here is that candidates may assume that simply because the retention period has expired, immediate destruction is always the correct next step, overlooking the critical verification step to ensure no legal hold is in place.

414
MCQeasy

Guest tablets in a conference room use the same physical switches as employee devices. The security team wants guests to have internet access only, with no route to internal subnets. Which design best meets the goal?

A.Keep guests on the same VLAN and rely on a separate Wi-Fi password.
B.Place guests on a separate VLAN and block internal access with ACLs.
C.Use stronger WPA3 encryption on the wireless network and leave the network flat.
D.Enable MAC address filtering on the switch and allow all ports to remain in the default network.
AnswerB

A separate VLAN creates logical segmentation, and ACLs enforce which networks the guests can reach.

Why this answer

Option B is correct because placing guest tablets on a separate VLAN segments traffic at Layer 2, and applying ACLs on the Layer 3 interface (SVI or router) blocks all routes to internal subnets while permitting internet access. This design ensures that even though guests share the same physical switches, their traffic is isolated from employee VLANs and cannot reach internal resources.

Exam trap

The trap here is that candidates confuse authentication/encryption methods (password, WPA3, MAC filtering) with network segmentation, failing to recognize that only Layer 2 VLAN separation combined with Layer 3 ACLs can enforce routing restrictions between subnets.

How to eliminate wrong answers

Option A is wrong because relying on a separate Wi-Fi password does not provide network segmentation; devices on the same VLAN can still communicate at Layer 2, and a guest could potentially discover and access internal hosts. Option C is wrong because stronger WPA3 encryption protects wireless traffic from eavesdropping but does not prevent a guest device from routing to internal subnets if the network is flat (no VLAN segmentation). Option D is wrong because MAC address filtering only controls which devices can connect to the switch port, but it does not restrict traffic between VLANs or subnets; leaving all ports in the default network allows guests to reach internal resources directly.

415
Multi-Selecteasy

A business unit keeps a low-priority legacy tool but adds extra monitoring and patching. The company also buys cyber insurance to reduce the financial effect of a loss. Which two risk treatment strategies are being used? Select two.

Select 2 answers
A.Acceptance
B.Mitigation
C.Avoidance
D.Transfer
E.Deterrent
AnswersB, D

Mitigation reduces risk by adding controls such as monitoring, patching, or other protective measures.

Why this answer

Adding extra monitoring and patching to a legacy tool is a classic example of risk mitigation (Option B): the controls reduce the likelihood or impact of a security incident without removing the asset. Purchasing cyber insurance transfers the financial risk of a loss to a third party, which is risk transference (Option D). The two strategies in use are therefore mitigation and transfer; keeping the tool in service is not acceptance, because the business unit is actively adding controls rather than living with the risk as it stands.

Exam trap

The trap here is that candidates confuse risk acceptance (keeping the asset without additional controls) with risk mitigation (adding controls), or they fail to recognize that cyber insurance is a transference strategy, not mitigation or acceptance.

416
MCQmedium

A data center has repeated tailgating incidents at the entry to the server room. Management wants a control that forces one person to pass after badge authentication and prevents two people from entering together. What should be installed?

A.A mantrap between the outer door and the server room entrance
B.A CCTV camera focused on the doorway
C.A motion sensor inside the server room
D.A standard badge reader with no additional controls
AnswerA

A mantrap is designed to prevent tailgating by allowing only one person to pass through at a time after authentication. It is the best control for physically enforcing single-person entry.

Why this answer

A mantrap is a physical security control with two interlocking doors that enforces one-person entry. After badge authentication at the outer door, the inner door will not unlock until the outer door closes and locks, preventing two people from entering together. This directly addresses tailgating by creating a small vestibule that can only hold one authenticated person at a time.

Exam trap

Cisco often tests the distinction between passive monitoring (CCTV) and active prevention (mantrap), leading candidates to mistakenly choose CCTV because they think recording alone will deter tailgating.

How to eliminate wrong answers

Option B is wrong because a CCTV camera only provides passive monitoring and does not physically prevent two people from entering together; it records incidents but does not enforce access control. Option C is wrong because a motion sensor inside the server room detects movement after entry but cannot stop tailgating at the door; it might even trigger false alarms from authorized occupants. Option D is wrong because a standard badge reader with no additional controls allows anyone to follow an authenticated user through the door without any physical barrier or detection mechanism to prevent tailgating.

417
Matchingeasy

Match each cryptographic action to the most appropriate use case.

Matches

Protect the data if the laptop is stolen.

Check that the file was not changed during download.

Make identical passwords produce different hash values.

Confirm the file came from the expected sender and stayed intact.

Replace an encryption key on a planned schedule.

Why these pairings

Encryption ensures confidentiality, hashing ensures integrity, digital signatures provide authentication and non-repudiation, key exchange enables secure key distribution, certificate signing establishes trust, and random numbers are essential for key generation.

418
MCQeasy

A SOC analyst wants to make sure logs from multiple servers can be compared accurately during an incident review. What should be configured on those systems?

A.A local administrator account with the same password on every server
B.Time synchronization using the same trusted time source
C.A larger disk size on the log server
D.A separate VLAN for each application server
AnswerB

Consistent timestamps are essential for correlating events from different systems during investigation.

Why this answer

Time synchronization using a trusted time source (e.g., NTP) ensures that all servers share the same clock. During incident review, accurate log correlation depends on timestamps being consistent across systems; even a few seconds of drift can misalign event sequences. Without synchronized time, comparing logs from multiple servers becomes unreliable, potentially obscuring the true timeline of an attack.

Exam trap

The trap here is that candidates may confuse administrative convenience (same password) or storage capacity with the fundamental need for temporal consistency, overlooking that log correlation depends on synchronized clocks, not identical credentials or disk space.

How to eliminate wrong answers

Option A is wrong because using a local administrator account with the same password on every server violates the principle of least privilege and creates a massive security risk—if one server is compromised, all servers are exposed. It does nothing to ensure log timestamps are consistent. Option C is wrong because increasing disk size on the log server only addresses storage capacity, not the accuracy of timestamp comparisons across servers; logs can still have misaligned times even if storage is abundant.

419
MCQeasy

A web login form returns access after a tester enters `' OR '1'='1'--` into the username field. What type of attack is this?

A.Cross-site scripting
B.SQL injection
C.Session hijacking
D.Insecure deserialization
AnswerB

SQL injection happens when attacker input changes the meaning of a database query. The payload forces the login check to evaluate as true, which can bypass authentication.

Why this answer

The input `' OR '1'='1'--` is a classic SQL injection payload that manipulates the SQL query logic. By injecting a single quote to break out of the string context, the `OR '1'='1'` condition makes the WHERE clause always true, and the `--` comments out the rest of the query. This bypasses authentication because the database returns a valid row, granting access without a correct password.

Exam trap

The trap here is that candidates may confuse SQL injection with cross-site scripting because both involve injecting malicious input, but SQL injection targets the database layer via SQL syntax, while XSS targets the browser via HTML/JavaScript.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) into web pages viewed by other users, not manipulating database queries to bypass authentication. Option C is wrong because session hijacking involves stealing or predicting a valid session token (e.g., via packet sniffing or session fixation) to impersonate an authenticated user, not altering the login query logic.

420
MCQmedium

An accounts payable clerk receives an email that continues a real vendor conversation from last week. The sender domain is only one character different from the vendor's real address. The message says the invoice is overdue and asks the clerk to update the payment account before the end of the day. What is the best next action?

A.Reply to the email asking for confirmation of the new bank details.
B.Verify the request using a known phone number or portal from previous records before taking action.
C.Forward the email to the vendor's entire contact list to warn them immediately.
D.Open the attached invoice to check whether the payment information matches past records.
AnswerB

Using a known out-of-band contact method confirms whether the request is legitimate without trusting the suspicious email path.

Why this answer

Option B is correct because the email exhibits classic signs of a business email compromise (BEC) attack: a spoofed sender domain (typosquatting) and urgent payment redirection. The best next action is to verify the request out-of-band using a trusted phone number or portal from previous records, as this bypasses any compromised email channels and confirms the legitimacy of the request before any financial loss occurs.

Exam trap

The trap here is that candidates may think opening the attachment to check payment details is a safe verification step, but in reality, attachments in phishing emails are a common vector for malware delivery, and the correct action is always to verify through a trusted, independent channel.

How to eliminate wrong answers

Option A is wrong because replying to the email could reach the attacker if the sender domain is spoofed or the account is compromised, and asking for confirmation via email does not provide any security verification. Option C is wrong because forwarding the email to the vendor's entire contact list could spread phishing links or malware, and it may cause unnecessary panic or further compromise other recipients. Option D is wrong because opening the attached invoice could execute malware or lead to credential harvesting, and checking payment information against past records does not verify the authenticity of the sender or the request.

421
Matchingeasy

Match each cryptographic primitive to its main purpose.

Matches

Producing a fixed-length value used to detect changes.

Using the same secret key to encrypt and decrypt data.

Using a public key and private key pair for encryption or decryption.

Proving who signed something and showing it was not changed.

Creating, storing, rotating, and retiring cryptographic keys safely.

Why these pairings

Symmetric encryption is efficient for large data, asymmetric encryption enables key exchange and signatures, hash functions ensure integrity, MACs combine integrity and authenticity, digital signatures add non-repudiation, and KDFs strengthen passwords for key use.

422
MCQmedium

An engineering team requests a 30-day exception to use an unsupported browser plug-in on two workstations so a customer deliverable can be finished. Security agrees the business need is legitimate, but wants to reduce exposure. What must be included before the exception is approved?

A.A verbal approval from the engineering manager and no additional documentation.
B.A documented exception with an end date, compensating controls, and approval by the risk owner.
C.A standing waiver that remains in place until the project finishes, with no review date.
D.A guideline reminding the team to avoid risky behavior when practical.
AnswerB

A proper exception should be documented, time-limited, and tied to risk ownership so the organization knows who accepted the exposure and when it must be reviewed again. Compensating controls help reduce the danger while the exception is active. This keeps the exception controlled rather than allowing an open-ended deviation from security requirements.

Why this answer

A documented exception with a defined end date, compensating controls, and risk-owner approval is the correct approach. Security exceptions should be controlled, reviewable, and temporary whenever possible. That structure shows the business need was acknowledged while ensuring someone has formally accepted the residual risk and the organization can reassess the exception before it becomes indefinite.

How to eliminate wrong answers

A verbal approval is not enough for auditability or accountability. A standing waiver without a review date can quietly become permanent and increase exposure. A guideline does not authorize deviation from policy or provide the controls required for an exception process. The question is about formal exception handling, not informal advice.

423
MCQmedium

A security analyst detects real-time data exfiltration from a critical production database that supports customer transactions. The exfiltration appears to be occurring via a compromised application service account. Which containment strategy should the analyst implement FIRST to minimize damage while preserving forensic data?

A.Disconnect the database server from the network.
B.Shut down the database server.
C.Implement network segmentation to isolate the server.
D.Block the IP address of the suspected attacker.
AnswerA

Disconnecting the server immediately stops the data flow to the attacker, preserving the database state and forensic data without crashing the server.

Why this answer

Disconnecting the database server from the network (Option A) immediately stops the active data exfiltration by severing all network communication, including the compromised service account's outbound connections. This preserves the server's volatile memory, running processes, and disk state for forensic analysis, unlike a shutdown which would destroy critical evidence. It is the fastest containment action that minimizes data loss while maintaining the integrity of forensic artifacts.

Exam trap

Cisco often tests the misconception that shutting down a server is the safest containment action, but the trap here is that shutdown destroys volatile forensic data (e.g., active network connections, memory-resident malware) that is critical for attribution and root cause analysis.

How to eliminate wrong answers

Option B is wrong because shutting down the database server would terminate all processes, clear volatile memory (RAM), and potentially destroy evidence of the exfiltration (e.g., active network connections, malicious processes, or in-memory payloads), making forensic analysis impossible. Option C is wrong because implementing network segmentation takes time to configure and deploy, during which the exfiltration continues; it is a longer-term containment measure, not a first-response action to stop an active breach.

424
MCQmedium

A security analyst receives an alert from the email security gateway about a message sent to an employee. The email has an attachment named 'Invoice_Q4_2024.exe'. The employee claims they did not open the attachment, and the email appears to come from a known vendor's domain but the sender address has a slight typo. Which type of attack is most likely being attempted?

A.Spear phishing
B.Phishing
C.Smishing
D.Vishing
AnswerB

Phishing is a social engineering attack that uses deceptive emails and malicious attachments to trick recipients into executing malware or revealing sensitive information. The typo-squatted sender address and executable attachment are classic indicators of a phishing attempt.

Why this answer

The email contains a malicious executable attachment ('Invoice_Q4_2024.exe') and uses a spoofed sender address with a typo to impersonate a known vendor. This is a classic phishing attack because it is a broad, unsolicited attempt to trick the recipient into executing malware, without any personalized targeting beyond the generic invoice lure. The slight typo in the sender domain indicates domain spoofing, a common phishing technique that exploits the lack of SPF/DKIM validation.

Exam trap

CompTIA often tests the distinction between phishing and spear phishing by including a generic lure (like 'Invoice_Q4_2024.exe') that lacks personalization, which immediately disqualifies spear phishing even if the sender appears to be a known entity.

How to eliminate wrong answers

Option A is wrong because spear phishing requires the attacker to research and personalize the message for a specific individual or role, whereas this email uses a generic 'Invoice' subject line and attachment name, indicating a mass-distributed campaign. Option C is wrong because smishing (SMS phishing) uses text messages (SMS) as the attack vector, not email with an executable attachment. Option D is wrong because vishing (voice phishing) uses phone calls or voicemail to deceive victims, not email attachments.

425
MCQmedium

A company wants employees to sign in once to access several SaaS applications, but it also wants to require MFA only when users connect from unmanaged devices or outside the corporate network. Which architecture best supports this goal?

A.Create separate usernames and passwords for each SaaS application and disable browser-based token sharing.
B.Implement federated identity with single sign-on and conditional access policies tied to device posture and network location.
C.Use local accounts in each SaaS application and rotate passwords every 30 days.
D.Grant all employees the same access role to simplify authentication and reduce support tickets.
AnswerB

Federation lets the organization use one identity provider for multiple SaaS applications, which enables single sign-on. Conditional access then adds policy-based decisions such as requiring MFA for unmanaged devices or external access. This combination is both more secure and more user-friendly than separate credentials or blanket MFA for every sign-in.

Why this answer

Option B is correct because federated identity with single sign-on (SSO) allows users to authenticate once and access multiple SaaS applications, while conditional access policies evaluate device posture (e.g., compliance status, managed vs. unmanaged) and network location (e.g., corporate IP range vs. external) to enforce MFA only when risk conditions are met. This architecture leverages standards like SAML 2.0 or OpenID Connect for SSO and integrates with device management systems (e.g., MDM) to assess device health before granting access.

Exam trap

The trap here is that candidates often confuse 'federated identity' with simple password synchronization or think that SSO alone handles MFA, missing the critical role of conditional access policies that dynamically enforce MFA based on device and network context.

How to eliminate wrong answers

Option A is wrong because creating separate usernames and passwords for each SaaS application eliminates SSO, forcing users to sign in repeatedly, and disabling browser-based token sharing does not address MFA requirements based on device or network context. Option C is wrong because using local accounts in each SaaS application with 30-day password rotation increases administrative overhead, fails to provide SSO, and does not support conditional MFA enforcement tied to device posture or network location. Option D is wrong because granting all employees the same access role violates the principle of least privilege, does not enable SSO, and provides no mechanism to enforce MFA based on device or network conditions.

426
MCQmedium

A SOC analyst sees many login attempts against one SaaS account from hundreds of IPs over 20 minutes. Most passwords are valid-looking, but only a few result in successful logons, and the successful attempts use a password pattern that was exposed in a public breach list. What is the best mitigation to reduce this attack?

A.Increase password length requirements only.
B.Implement breached-password screening plus MFA.
C.Disable account lockouts to avoid user inconvenience.
D.Allow unlimited retries so legitimate users are never blocked.
AnswerB

This attack is consistent with credential stuffing, where attackers reuse passwords taken from prior breaches across many accounts. Breached-password screening helps stop users from choosing known-compromised passwords, and MFA adds a second barrier if a password is guessed or reused. Together, these controls reduce the chance that stolen credentials will work at scale. The scenario's pattern of many IPs and a small number of successful logins is exactly the kind of activity these controls are meant to disrupt.

Why this answer

Option B is correct because the attack uses passwords from a public breach list, so breached-password screening would block those known compromised passwords. Additionally, MFA would stop the attacker even if they use a valid breached password, as they lack the second factor. This combination directly addresses the two key weaknesses: reused breached passwords and the lack of additional authentication.

Exam trap

The trap here is that candidates often focus on preventing brute-force attempts (e.g., lockouts) rather than recognizing that the attack uses valid breached passwords, making password screening and MFA the correct defense.

How to eliminate wrong answers

Option A is wrong because increasing password length requirements does not prevent the use of passwords that are already exposed in a breach list; attackers can still use long but compromised passwords. Option C is wrong because disabling account lockouts would allow the attacker to continue guessing indefinitely without triggering any defense, increasing the chance of successful logons. Option D is wrong because unlimited retries removes the only friction the attacker faces; lockouts and rate limits are imperfect against hundreds of source IPs, but abandoning them entirely makes every guess free.
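The screening control in option B is usually implemented the way the Have I Been Pwned "Pwned Passwords" range API works: the client hashes the candidate password with SHA-1, sends only the first five hex characters, receives every known suffix for that prefix, and compares locally, so the full password hash never leaves the client. The block below is an added example written for this page, not code from the question bank; the breach corpus is a constructed stand-in for a real breach feed, and the minimum length is an assumed local policy.

```python
# Added example (not from the question bank): breached-password screening with
# k-anonymity prefix matching. Only a 5-character SHA-1 prefix would cross the
# network; the corpus below is constructed and stands in for a breach feed.
import hashlib
from collections import Counter

# Constructed breach corpus; the entries are illustrative, not a real dump.
_CONSTRUCTED_BREACH_CORPUS = ["Password123", "Summer2023!", "Welcome1", "qwerty123"]

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus):
    """Server side: index prefix -> {suffix: times seen}, as a range API would hold it."""
    index = {}
    for pw in corpus:
        h = sha1_upper(pw)
        index.setdefault(h[:5], Counter())[h[5:]] += 1
    return index

def range_lookup(index, prefix: str) -> dict:
    """Server side: return every suffix for this prefix (the k-anonymity set)."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(index.get(prefix, {}))

def is_breached(password: str, index) -> bool:
    """Client side: only the prefix is sent; the suffix comparison happens locally."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    return suffix in range_lookup(index, prefix)

def screen_new_password(password: str, index, min_length: int = 8):
    """Return (accepted, reason). A long password that is already in a breach list
    is still rejected, which is why a length rule alone (option A) is not enough."""
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password, index):
        return False, "appears in breach corpus"
    return True, "ok"

if __name__ == "__main__":
    idx = build_range_index(_CONSTRUCTED_BREACH_CORPUS)
    for candidate in ["Welcome1", "Summer2023!", "Summer2023!-horse-battery"]:
        print(candidate, screen_new_password(candidate, idx))
```

Screening runs at password set or change time and, ideally, once against the existing user base after a breach list is updated; MFA is the control that catches the cases screening cannot, such as a password that leaks after it was accepted.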

427
MCQmedium

A server room uses raised flooring and sits below a chilled-water pipe. Facilities wants the earliest warning if water starts accumulating under the floor tiles. Which control should be added?

A.Add more motion detectors near the racks.
B.Use badge readers on the server room door.
C.Install smoke detectors only.
D.Install leak-detection sensors or a moisture detection cable tied to alerts.
AnswerD

Leak-detection sensors placed under the floor can detect water as soon as it appears, which is exactly what facilities wants here. Early warning lets staff respond before equipment is damaged or a larger outage occurs. For a room below a chilled-water pipe, environmental monitoring is more effective than access control or motion detection because the hazard is liquid intrusion rather than unauthorized entry.

Why this answer

Option D is correct because leak-detection sensors or moisture-detection cables are specifically designed to detect water accumulation under raised floors, providing the earliest possible warning. These sensors trigger alerts when moisture is present, allowing facilities to respond before water damages equipment or causes downtime. This directly addresses the risk of a chilled-water pipe leak in a server room environment.

Exam trap

The trap here is that candidates may confuse environmental monitoring controls (like leak detection) with physical security controls (like motion detectors or badge readers), or assume smoke detectors are sufficient for all hazard detection, when they respond only to smoke and fire.

How to eliminate wrong answers

Option A is wrong because motion detectors detect movement (e.g., people or objects) and cannot sense water or moisture, so they provide no warning of a water leak. Option B is wrong because badge readers control physical access to the server room but do not detect environmental hazards like water accumulation. Option C is wrong because smoke detectors are designed to detect smoke or fire, not water; they would not activate until a fire occurs, missing the water leak entirely.

428
Multi-Selectmedium

A security manager is designing a security program to align with business goals. Which three of the following are essential components of a security program that directly support governance and oversight? (Choose three.)

Select 3 answers
A.Establishing a security steering committee with executive sponsorship
B.Implementing a vulnerability scanning tool across all endpoints
C.Developing and maintaining security policies, standards, and procedures
D.Conducting periodic risk assessments to inform decision-making
E.Deploying a next-generation firewall to segment the network
F.Installing endpoint detection and response agents on all workstations
AnswersA, C, D

Why this answer

A security steering committee with executive sponsorship ensures that security initiatives have top-down support and alignment with business objectives, which is a core governance function. Developing and maintaining security policies, standards, and procedures provides the formal framework for enforcing security controls and ensuring compliance, directly supporting oversight. Conducting periodic risk assessments informs decision-making by identifying and prioritizing risks, which is essential for governance and resource allocation.

Exam trap

The trap here is confusing operational security tools (like vulnerability scanners and firewalls) with governance components, which are about oversight, policy, and strategic alignment rather than specific technical implementations.

429
MCQmedium

A firewall analyst reviews logs and sees one external IP address sending connection attempts to TCP ports 22, 80, 139, 445, and 3389 on dozens of internal hosts every few seconds. No payloads are delivered and no sessions are established. What is the most likely activity?

A.Port scanning, because the source is systematically probing many ports and hosts for exposed services.
B.Reflection-based denial-of-service, because the attacker is using third-party systems to amplify traffic.
C.Man-in-the-middle, because the attacker is intercepting communications between internal hosts.
D.Protocol abuse, because the attacker is sending malformed traffic to crash services.
AnswerA

This is a classic port scanning pattern. The attacker is checking multiple ports across many systems with short, repeated attempts and no real session establishment. That behavior is consistent with reconnaissance before exploitation.

Why this answer

The observed behavior, a single external IP sending connection attempts to multiple TCP ports (22, 80, 139, 445, 3389) across many internal hosts at regular intervals, is the hallmark of a port scan. The absence of payload delivery or session establishment confirms the attacker is only probing for open services, not attempting exploitation or data transfer. This is reconnaissance: a sweep of a handful of common service ports (SSH, HTTP, NetBIOS, SMB, RDP) across many hosts, which combines a horizontal scan (one port, many hosts) with a vertical one (many ports, one host).

Exam trap

The trap here is that candidates may confuse a port scan with a denial-of-service attack because of the high frequency of connection attempts, but the key distinction is that no sessions are established and no payloads are delivered, which rules out DoS and exploitation.

How to eliminate wrong answers

Option B is wrong because reflection-based denial-of-service (e.g., NTP amplification) relies on spoofed source IPs and large response payloads from third-party servers, not direct connection attempts from a single external IP with no sessions established. Option C is wrong because man-in-the-middle attacks require the attacker to position themselves between communicating hosts (e.g., via ARP spoofing or rogue access points), not to send unsolicited connection probes from an external address. Option D is wrong because protocol abuse involves sending malformed or non-compliant traffic to trigger crashes or vulnerabilities, whereas this traffic is ordinary connection attempts with no payload, and without an established session there is no channel through which malformed data could be delivered.
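The pattern the firewall analyst is looking at can be detected mechanically: group events by source, count distinct (destination host, port) pairs inside a sliding time window, and classify the shape of the sweep. The block below is an added example written for this page, not code from the question bank; the log line format, the addresses and the thresholds are constructed for the example and would be adapted to a real firewall export.

```python
# Added example (not from the question bank): flag and classify port-scan
# behaviour in firewall logs. Log format, addresses and thresholds are
# constructed; adapt LINE_RE to your firewall's real export format.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 198.51.100.7 sweeps five common service ports on two
# internal hosts; 203.0.113.9 is a normal client making repeated HTTPS connections.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=deny src=198.51.100.7 dst=10.0.1.10 dport=22 flags=S
2024-05-01T10:00:02Z action=deny src=198.51.100.7 dst=10.0.1.10 dport=80 flags=S
2024-05-01T10:00:03Z action=deny src=198.51.100.7 dst=10.0.1.10 dport=139 flags=S
2024-05-01T10:00:04Z action=deny src=198.51.100.7 dst=10.0.1.10 dport=445 flags=S
2024-05-01T10:00:05Z action=allow src=203.0.113.9 dst=10.0.1.50 dport=443 flags=S
2024-05-01T10:00:05Z action=deny src=198.51.100.7 dst=10.0.1.10 dport=3389 flags=S
2024-05-01T10:00:06Z action=deny src=198.51.100.7 dst=10.0.1.11 dport=22 flags=S
2024-05-01T10:00:07Z action=deny src=198.51.100.7 dst=10.0.1.11 dport=80 flags=S
2024-05-01T10:00:08Z action=deny src=198.51.100.7 dst=10.0.1.11 dport=139 flags=S
2024-05-01T10:00:09Z action=deny src=198.51.100.7 dst=10.0.1.11 dport=445 flags=S
2024-05-01T10:00:10Z action=deny src=198.51.100.7 dst=10.0.1.11 dport=3389 flags=S
2024-05-01T10:00:40Z action=allow src=203.0.113.9 dst=10.0.1.50 dport=443 flags=S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)(?: flags=(?P<flags>\S+))?$"
)

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:              # skip lines the regex does not understand rather than crash
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dport"] = int(e["dport"])
        events.append(e)
    return events

def classify(n_hosts, n_ports):
    """Horizontal: one port across many hosts. Vertical: many ports on one host.
    Both at once, as in the question, is a block scan."""
    if n_hosts > 1 and n_ports == 1:
        return "horizontal"
    if n_hosts == 1 and n_ports > 1:
        return "vertical"
    return "block"

def detect_scans(events, window=timedelta(minutes=5), min_targets=8):
    """Flag a source that probes at least min_targets distinct (host, port)
    pairs inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            targets = {(e["dst"], e["dport"]) for e in win}
            if len(targets) >= min_targets:
                hosts = {e["dst"] for e in win}
                ports = {e["dport"] for e in win}
                findings[src] = {
                    "targets": len(targets),
                    "hosts": len(hosts),
                    "ports": len(ports),
                    "pattern": classify(len(hosts), len(ports)),
                    "first_seen": win[0]["ts"].isoformat(),
                }
                break          # one finding per source is enough for an alert
    return findings

if __name__ == "__main__":
    for src, finding in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

The repeated client to one host and port never accumulates distinct targets, so it is not flagged however often it connects; that is the distinction between a scan and a busy legitimate client, and between a scan and a flood.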

430
MCQmedium

After several employees clicked on a realistic phishing email, management wants a control that both improves user behavior and gives the security team a way to measure improvement over time. Which approach is best?

A.Send a company-wide reminder not to open suspicious emails
B.Run simulated phishing campaigns with immediate feedback and follow-up training
C.Block all external email messages at the gateway
D.Require employees to change passwords every week
AnswerB

Simulated phishing with feedback and training improves behavior and provides measurable results across multiple campaign rounds.

Why this answer

Simulated phishing campaigns with immediate feedback and follow-up training directly address user behavior by providing a safe, controlled environment where employees can learn to recognize phishing attempts. This approach also gives the security team measurable metrics (e.g., click rates over time) to track improvement, aligning with the goal of both behavioral change and quantifiable assessment.

Exam trap

The trap here is choosing the passive measure. A reminder is an awareness control with no feedback loop and nothing to measure. Simulated phishing is also an awareness control rather than a technical one, but it exercises the behavior, corrects it on the spot, and yields metrics (click rate, credential-entry rate, report rate) that can be compared across campaigns, which is exactly what the question asks for.

How to eliminate wrong answers

Option A is wrong because a company-wide reminder is a one-time, passive communication that does not provide measurable data or actively change user behavior through practice and reinforcement. Option C is wrong because blocking all external email is an overly restrictive technical control that disrupts legitimate business communication and does not improve user awareness or provide a metric for behavioral improvement. Option D is wrong because requiring weekly password changes does not address phishing susceptibility, can lead to weaker password practices (e.g., predictable patterns), and provides no direct feedback or measurement of phishing awareness.

431
Multi-Selecthard

After a server rebuild, a Linux database host still has several unnecessary services enabled, including a graphical desktop, Telnet, and a printer service. The operations team wants a secure baseline that prevents the same drift from happening again after future maintenance. Which two actions best address the issue? Select two.

Select 2 answers
A.Remove the unused packages and disable the unnecessary services and ports.
B.Document the approved build and enforce it with configuration management or drift detection.
C.Allow administrators to enable any service they need without approval during maintenance windows.
D.Keep the default installation profile so vendor updates are easier to apply.
E.Open the firewall broadly and rely only on strong passwords.
AnswersA, B

Removing unused packages and disabling unneeded services directly reduces the server attack surface. Fewer active services means fewer listening ports, fewer vulnerabilities, and fewer opportunities for misuse. This is the most immediate hardening step when a server contains features that are not required for its role.

Why this answer

Removing unused packages and disabling unnecessary services directly reduces the attack surface by eliminating potential entry points like Telnet (which transmits credentials in cleartext) and unused printer services. This aligns with the principle of least functionality, ensuring only required services run on the Linux database host. Option B addresses the second half of the question: documenting the approved build and enforcing it with configuration management or drift detection means that a future rebuild or maintenance change that re-enables a desktop, Telnet, or printing is either reverted automatically or flagged, so the hardening in option A does not silently decay.

Exam trap

The trap here is that candidates may think removing services is sufficient without also enforcing the baseline via configuration management, or they may mistakenly believe that strong passwords alone can compensate for insecure services like Telnet.
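Drift detection in option B comes down to comparing what is enabled on the host with the documented build for its role and failing loudly on any difference. The block below is an added example written for this page, not code from the question bank or any configuration-management product; the role name, the baseline contents and the sample systemctl output are constructed, and only the systemctl invocation is a real command.

```python
# Added example (not from the question bank): compare the services actually
# enabled on a Linux host against a documented baseline for its role and
# report drift. Role, baseline and sample output are constructed; only the
# systemctl command is a real invocation.
import subprocess
import sys

# The documented build for a database host (constructed). Anything enabled
# beyond this set is drift; anything in it that is not enabled is also drift.
BASELINE = {
    "db-host": {
        "auditd.service", "chronyd.service", "firewalld.service",
        "postgresql.service", "sshd.service",
    },
}

# Constructed output in the shape of
#   systemctl list-unit-files --state=enabled --no-legend
# captured after the rebuild in the question: GUI, Telnet and printing crept back.
SAMPLE_SYSTEMCTL_OUTPUT = """\
auditd.service        enabled enabled
chronyd.service       enabled enabled
cups.service          enabled enabled
firewalld.service     enabled enabled
gdm.service           enabled enabled
postgresql.service    enabled enabled
sshd.service          enabled enabled
telnet.socket         enabled enabled
"""

def parse_enabled_units(systemctl_output: str) -> set:
    """Each line is 'UNIT STATE [PRESET]'; the unit name is the first field."""
    return {line.split()[0] for line in systemctl_output.splitlines() if line.strip()}

def collect_enabled_units() -> set:
    """Live collection on a systemd host (not used by the constructed demo)."""
    out = subprocess.run(
        ["systemctl", "list-unit-files", "--state=enabled", "--no-legend"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_enabled_units(out)

def drift_report(role: str, enabled: set) -> dict:
    approved = BASELINE[role]
    return {
        "unexpected": sorted(enabled - approved),  # enabled, not in the approved build
        "missing": sorted(approved - enabled),     # required by the build, not enabled
    }

def is_compliant(report: dict) -> bool:
    return not report["unexpected"] and not report["missing"]

if __name__ == "__main__":
    enabled = parse_enabled_units(SAMPLE_SYSTEMCTL_OUTPUT)   # swap for collect_enabled_units() on a real host
    report = drift_report("db-host", enabled)
    for unit in report["unexpected"]:
        print(f"DRIFT: {unit} is enabled but not in the db-host baseline")
    for unit in report["missing"]:
        print(f"DRIFT: {unit} is required by the db-host baseline but not enabled")
    # A non-zero exit lets a scheduler or CI job fail the host until it is brought back to baseline.
    sys.exit(0 if is_compliant(report) else 1)
```

The same approved-build set is what a configuration-management tool would enforce; a check like this run after every maintenance window is the detection side, and the enforcement side reverts or disables anything the check reports.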

432
Multi-Selecteasy

After collecting a suspect laptop, the responder makes a bit-for-bit image of the drive. Which two actions best support chain of custody? Select two.

Select 2 answers
A.Calculate and record a cryptographic hash of the image.
B.Document every evidence transfer with date, time, and handler names.
C.Browse the original drive on a normal office laptop.
D.Rename files to make them easier for later review.
E.Store the image on a shared folder without access controls.
AnswersA, B

A hash gives a repeatable way to show whether the image has changed since acquisition; the transfer log shows who had the evidence, when, and why.

Why this answer

Option A is correct because calculating and recording a cryptographic hash (e.g., SHA-256) of the bit-for-bit image creates a digital fingerprint that can later be used to verify the image has not been altered. This ensures data integrity, a core requirement for maintaining chain of custody in digital forensics. Option B is correct because chain of custody is the documented history of the evidence: every hand-off, with date, time, and the names of the people releasing and receiving it, so that it can be shown the evidence was never unaccounted for. The hash proves the bytes did not change; the log proves who was responsible for them at every moment.

Exam trap

The trap here is that candidates may think browsing the original drive is acceptable if done carefully, but mounting it on an ordinary laptop without a write blocker can change access timestamps, trigger journaling or indexing writes, and otherwise alter the original, which breaks the integrity claim the hash is meant to support.

433
Multi-Selecthard

A contractor is brought in to investigate a single alert on an ERP system. The contractor gets read-only access to one log source through a jump host, cannot see user payroll records, and the account expires automatically at shift end. Which two principles are being applied? Select two.

Select 2 answers
A.Least privilege, because the contractor receives only the access needed for one investigation.
B.Need-to-know, because the contractor sees only the log source required for the job.
C.Separation of duties, because one person cannot both request and approve the access.
D.Defense in depth, because multiple layers of security tools are deployed around the server.
E.Zero trust, because every request is automatically denied until proven safe.
AnswersA, B

The account is restricted to the minimum permissions needed to complete the assigned task.

Why this answer

Least privilege is applied because the contractor's access is strictly limited to what is necessary for the single investigation: read-only access to one log source via a jump host, with the account expiring automatically at shift end. This ensures the contractor cannot perform any actions beyond the scope of the task, minimizing the attack surface and potential for accidental or malicious changes. Need-to-know is applied because, within the access granted, the contractor can see only the log source relevant to the alert and cannot see payroll records. Least privilege bounds what the account can do; need-to-know bounds what information it can see.

Exam trap

The trap here is that candidates confuse 'need-to-know' with 'least privilege' or incorrectly apply 'separation of duties' when the scenario only describes access restrictions for a single individual, not a division of responsibilities between multiple people.

434
Multi-Selecthard

The exhibit shows a weekly risk register for a small enterprise. Which three findings should be remediated first based on likelihood of exploitation and business impact? Select three.

Select 3 answers
A.Finding 1, because the customer portal is internet-facing and protects a high-value administrative path.
B.Finding 2, because any default setting should always outrank all other issues automatically.
C.Finding 3, because broad payroll permissions can create both fraud and lateral-movement risk.
D.Finding 4, because a default printer password can be used as an easy foothold on the internal network.
E.Finding 5, because any outdated software should be fixed before higher-impact business systems.
AnswersA, C, D

Internet exposure plus high impact makes this one of the highest-priority risks in the register.

Why this answer

Finding 1 is correct because the customer portal is internet-facing and protects a high-value administrative path. An unpatched or misconfigured portal could allow an attacker to bypass authentication and directly access administrative functions, leading to a full system compromise. The combination of external exposure and high business impact makes this the highest priority for remediation. Finding 3 is correct because broad payroll permissions combine high impact (fraud, exposure of sensitive financial data) with realistic likelihood, since an insider or a compromised account can abuse them and use the resulting access for lateral movement. Finding 4 is correct because a printer still on its default password is trivially exploitable from inside the network and gives an attacker an easy foothold for pivoting. Findings 2 and 5 are not wrong to fix, but the reasoning offered for them ("always outrank", "before higher-impact systems") ignores likelihood and impact entirely.

Exam trap

The trap here is that candidates may assume all default settings or outdated software are equally critical, ignoring the risk assessment matrix that weighs both likelihood and business impact.

435
Multi-Selecthard

An analyst receives a disk image and the original hash from a response team member. Before any examination begins, the analyst must be able to show the image is unchanged and that the evidence handling process is defensible. Which two actions are most important? Select two.

Select 2 answers
A.Recompute the SHA-256 hash of the received image and compare it to the acquisition record.
B.Mount the original disk read/write so the file system can repair itself before analysis.
C.Record the transfer, date, time, and handler names in the chain-of-custody log.
D.Convert the image to another format before hashing so the tool can open it.
E.Rename evidence files to match the case number and avoid confusion.
AnswersA, C

Hash verification proves the image bytes match what was originally collected and have not changed in transit.

Why this answer

Recomputing the SHA-256 hash of the received image and comparing it to the original acquisition record is essential to verify data integrity. SHA-256 is a cryptographic hash function that produces a fixed-size output and is collision-resistant in practice; if even one bit of the image changes, the hash will differ. This comparison proves the image has not been altered during transit or storage, which is a foundational requirement for forensic soundness. Recording the transfer in the chain-of-custody log (option C) is the other half: it documents who handed the image over, who received it, and when, so the handling process can be shown to be continuous and defensible.

Exam trap

The trap here is that candidates may think mounting the original disk read/write (Option B) is acceptable for file system repair, but any write to the original evidence alters it, invalidates the hash comparison, and removes the possibility of re-acquiring a clean image later.
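Questions 432 and 435 describe the same two mechanics from the two ends of a hand-off: the responder records a hash at acquisition, and the analyst recomputes it on receipt, logging the transfer either way and refusing to examine the image if the hashes differ. The block below is an added example written for this page, not code from the question bank or any forensic suite; the file paths, handler names and JSON-lines log format are assumptions, and the "image" it hashes is a few kilobytes of constructed bytes rather than a disk image.

```python
# Added example (not from the question bank): verify a received image against the
# acquisition hash, append the transfer to a chain-of-custody log, and refuse to
# proceed on mismatch. Paths, handler names, log format and the stand-in image
# are constructed for the example.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024   # hash in 1 MiB chunks so a multi-hundred-GB image never sits in memory

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(path: str, recorded_sha256: str) -> bool:
    """True only if every byte matches the acquisition record (case-insensitive hex)."""
    return sha256_file(path).lower() == recorded_sha256.strip().lower()

def log_custody_event(log_path, image_path, from_handler, to_handler, verified, note=""):
    """Append one JSON line per transfer: who released it, who received it, when (UTC),
    the hash as received, and whether it matched the record."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "evidence": os.path.basename(image_path),
        "sha256": sha256_file(image_path),
        "from": from_handler,
        "to": to_handler,
        "hash_verified": verified,
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def receive_evidence(image_path, recorded_sha256, log_path, from_handler, to_handler) -> bool:
    """Analyst intake: verify first, log the result either way, stop on mismatch."""
    ok = verify_image(image_path, recorded_sha256)
    log_custody_event(log_path, image_path, from_handler, to_handler, ok,
                      note="" if ok else "HASH MISMATCH - do not examine; escalate")
    return ok

def demo_tamper_check() -> dict:
    """Constructed demonstration: build a stand-in image, record its hash, receive it
    intact, then alter one byte (simulated transit corruption) and receive it again."""
    workdir = tempfile.mkdtemp(prefix="custody-demo-")
    image = os.path.join(workdir, "laptop-001.dd")
    with open(image, "wb") as f:
        f.write(b"\x00constructed-image-bytes\xff" * 4096)   # not a real disk image
    acquisition_hash = sha256_file(image)                     # what the responder recorded
    log = os.path.join(workdir, "custody.jsonl")

    intact = receive_evidence(image, acquisition_hash, log, "Responder A", "Analyst B")
    with open(image, "r+b") as f:
        f.seek(10)
        f.write(b"X")                                         # one byte changed
    after_tamper = receive_evidence(image, acquisition_hash, log, "Analyst B", "Analyst C")
    with open(log, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f]
    return {"intact": intact, "after_tamper": after_tamper,
            "log_entries": len(entries), "last_note": entries[-1]["note"]}

if __name__ == "__main__":
    print(demo_tamper_check())
```

Note that the failed receipt is still logged: a gap in the custody record is itself a defect, so the log must show the mismatch, the handlers involved, and the time, and the analyst escalates instead of working on the image.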

436
Drag & Dropmedium

Drag and drop the steps to implement a backup strategy following the 3-2-1 rule into the correct order.


Why this order

The 3-2-1 rule ensures redundancy: three copies, two different media, one offsite. Testing is crucial to verify recoverability.

437
MCQeasy

An employee gets a text message saying their mobile carrier will suspend service unless they tap a link and verify their account details. What type of attack is this?

A.Smishing, because the attacker is using SMS messages to trick the user
B.Vishing, because the attacker is using a voice call to pressure the user
C.Baiting, because the attacker is offering a free service upgrade
D.Tailgating, because the attacker is trying to enter a building behind someone else
AnswerA

Smishing is phishing delivered through text messages, often with urgent account or delivery claims.

Why this answer

This is smishing because the attacker uses SMS (Short Message Service) as the delivery vector to send a fraudulent message that tricks the recipient into clicking a malicious link. Smishing is a form of social engineering that exploits the trust users place in text-based communications from known entities like mobile carriers, often leading to credential theft or malware installation.

Exam trap

The trap here is that candidates may confuse smishing with vishing because both involve phishing via telecommunications, but the key differentiator is the medium: SMS (text) versus voice call.

How to eliminate wrong answers

Option B is wrong because vishing (voice phishing) relies on voice calls, not SMS text messages, to deceive the victim. Option C is wrong because baiting involves offering something enticing (e.g., a free download or USB drive) to lure the victim into an action, not sending a threatening SMS about service suspension. Option D is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area, which has no relation to SMS-based deception.

438
Multi-Selecthard

A company is redesigning a three-tier customer portal. Internet users must reach only the web tier, the application tier must never be directly reachable from the internet, database traffic must flow only from the app tier, and administrators need a protected path to manage servers. Which two design choices best meet these requirements? Select two.

Select 2 answers
A.Place the public web tier in a DMZ behind a reverse proxy or WAF so the internet never reaches application or database hosts directly.
B.Put all three tiers on the same VLAN and depend on host-based firewalls to separate them.
C.Use a bastion host on a dedicated management network for all administrative access to the servers.
D.Allow administrators to SSH or RDP from the standard employee VLAN for faster troubleshooting.
E.Expose the database listener to the internet and require strong passwords for application connections.
AnswersA, C

A DMZ places the internet-facing web tier in a controlled network segment that can be tightly filtered and monitored. A reverse proxy or WAF further reduces exposure by terminating client connections and filtering malicious requests before they reach internal tiers. This design supports the requirement that only the web tier is reachable from the internet while preserving separation from the app and database layers.

Why this answer

Option A is correct because placing the public web tier in a DMZ behind a reverse proxy or WAF ensures that internet traffic is terminated at the proxy layer, which inspects and filters requests before forwarding them to the web servers. This architecture prevents direct internet access to the application or database tiers, enforcing the required isolation. The reverse proxy or WAF can also provide TLS termination, load balancing, and application-layer attack mitigation, aligning with the principle of defense in depth. Option C is correct because a bastion host on a dedicated management network gives administrators a single, hardened, monitored entry point for SSH or RDP, so management ports need not be open from user VLANs or the internet, and every administrative session can be logged and tied to an identity.

Exam trap

The trap here is that candidates often assume host-based firewalls are sufficient for network segmentation, but the SY0-701 exam emphasizes that proper network segmentation requires separate VLANs, ACLs, or firewall rules at the network layer, not just software-based filters on each host.

439
MCQeasy

An HR spreadsheet contains employee names, Social Security numbers, and bank account numbers. Which label is most appropriate under a Public, Internal, Confidential, and Restricted scheme?

A.Public, because it is used by the HR department and not shared externally.
B.Internal, because only employees should see it.
C.Confidential, because the information should be kept private but not tightly controlled.
D.Restricted, because it contains highly sensitive personal and financial data.
AnswerD

This is correct because Social Security numbers and bank account numbers are highly sensitive identifiers and financial data. Restricted labels are used for information that needs the strongest handling controls, limited access, and careful sharing rules. If exposed, this data could cause identity theft, fraud, and regulatory issues, so the strictest label is appropriate.

Why this answer

A spreadsheet containing employee names, Social Security numbers, and bank account numbers includes personally identifiable information (PII) and financial account data, which are subject to strict regulatory controls (e.g., GDPR, GLBA, or state breach notification laws). Under a Public/Internal/Confidential/Restricted classification scheme, 'Restricted' is the most appropriate label because it indicates the highest level of sensitivity and requires access control mechanisms such as encryption at rest (e.g., AES-256), strict least-privilege permissions, and audit logging to prevent unauthorized disclosure or modification.

Exam trap

The trap here is that candidates confuse 'Confidential' with 'Restricted' because both imply privacy, but 'Restricted' is the correct label for data that requires the highest level of control, such as PII and financial account numbers, whereas 'Confidential' is often used for less sensitive internal data like salary ranges or performance reviews.

How to eliminate wrong answers

Option A is wrong because 'Public' classification means data can be freely shared with anyone, but this spreadsheet contains highly sensitive personal and financial data that must never be exposed externally. Option B is wrong because 'Internal' classification allows access to all employees, but not all employees should have access to Social Security numbers and bank account numbers; this violates the principle of least privilege and could lead to data breaches. Option C is wrong because 'Confidential' typically implies moderate sensitivity with some access controls, but the presence of Social Security numbers and bank account numbers demands the highest level of protection, including mandatory encryption and strict access logging, which aligns with 'Restricted' rather than 'Confidential'.

440
MCQmedium

A software supplier used by your company is adding a new library to its product and says the change is "internal only." Your security team wants better visibility into future component risks before the next renewal. What requirement would BEST support supply chain due diligence?

A.Require the supplier to provide a marketing summary of its development process.
B.Require an updated software bill of materials and a notification process for material component changes.
C.Ask the supplier to promise that future vulnerabilities will never affect the product.
D.Approve the change if the new library is open source and widely used.
AnswerB

This is the best requirement because it improves transparency and ongoing risk awareness. An updated software bill of materials helps the organization understand what is inside the product, while a formal notification process ensures material changes are communicated before they create surprise exposure. Together, these controls support continuous supply chain due diligence rather than a one-time review at purchase time.

Why this answer

A Software Bill of Materials (SBOM) provides a detailed inventory of all components in a product, enabling the security team to assess risks from new libraries. Requiring an SBOM plus a notification process for material changes gives proactive visibility into component risks, directly supporting supply chain due diligence as recommended by frameworks like NIST SP 800-161.

Exam trap

The trap here is that candidates may think a marketing summary or a promise of no vulnerabilities is sufficient for due diligence, but CompTIA emphasizes that only a verifiable, technical artifact like an SBOM with change notifications provides the visibility required for ongoing risk management.

How to eliminate wrong answers

Option A is wrong because a marketing summary is a high-level, non-technical document that omits specific component details and version information needed for risk assessment. Option C is wrong because no supplier can guarantee zero future vulnerabilities; this is an unrealistic and unenforceable promise that bypasses due diligence. Option D is wrong because open-source and widely used libraries can still contain critical vulnerabilities (e.g., Log4j), and approval without vetting the specific version and its dependencies ignores supply chain risk.
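The notification requirement in option B only works if the security team can tell, from two successive SBOMs, what actually changed; a component that was added, removed, or jumped a major version is the kind of "material" change the supplier should have to announce. The block below is an added example written for this page, not code from the question bank or from any SBOM tool; the two documents use the CycloneDX JSON layout but every component name, version and purl in them is constructed, and the rule for what counts as material is an assumed local policy.

```python
# Added example (not from the question bank): diff two CycloneDX-style SBOMs and
# list the changes that a supplier notification clause should cover. Both SBOMs
# are constructed; component names and versions are not real products.
import json

SBOM_BEFORE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "example-json", "version": "2.1.0",
         "purl": "pkg:maven/org.example/example-json@2.1.0"},
        {"type": "library", "name": "example-http", "version": "4.5.13",
         "purl": "pkg:maven/org.example/example-http@4.5.13"},
        {"type": "library", "name": "example-crypto", "version": "1.9.0",
         "purl": "pkg:maven/org.example/example-crypto@1.9.0"},
    ],
})

# The renewal-time SBOM: a new library slipped in "internal only", one major bump,
# one patch bump, one component dropped.
SBOM_AFTER = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 2,
    "components": [
        {"type": "library", "name": "example-json", "version": "3.0.0",
         "purl": "pkg:maven/org.example/example-json@3.0.0"},
        {"type": "library", "name": "example-http", "version": "4.5.14",
         "purl": "pkg:maven/org.example/example-http@4.5.14"},
        {"type": "library", "name": "example-logging", "version": "1.0.0",
         "purl": "pkg:maven/org.example/example-logging@1.0.0"},
    ],
})

def component_identity(component: dict) -> str:
    """A purl with the version stripped identifies the component across releases;
    fall back to the bare name when no purl is present."""
    purl = component.get("purl", "")
    return purl.split("@")[0] if purl else component["name"]

def load_components(sbom_json: str) -> dict:
    bom = json.loads(sbom_json)
    return {component_identity(c): c for c in bom.get("components", [])}

def diff_sboms(old_json: str, new_json: str) -> dict:
    old, new = load_components(old_json), load_components(new_json)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(
            (k, old[k]["version"], new[k]["version"])
            for k in old.keys() & new.keys()
            if old[k]["version"] != new[k]["version"]
        ),
    }

def major(version: str) -> str:
    return version.split(".")[0]

def material_changes(diff: dict) -> list:
    """Assumed policy: new or removed components and major-version bumps are material
    and require supplier notification; minor and patch bumps are tracked only."""
    reasons = [f"added {k}" for k in diff["added"]]
    reasons += [f"removed {k}" for k in diff["removed"]]
    reasons += [f"major version change {k}: {o} -> {n}"
                for k, o, n in diff["changed"] if major(o) != major(n)]
    return reasons

if __name__ == "__main__":
    d = diff_sboms(SBOM_BEFORE, SBOM_AFTER)
    print(json.dumps(d, indent=2))
    for reason in material_changes(d):
        print("NOTIFY:", reason)
```

The identity key matters: comparing on purl-without-version catches renamed or re-versioned packages that a name-only comparison would miss, and the same key is what you would feed to a vulnerability database to check each added or bumped component before the renewal.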

441
Multi-Selecteasy

A developer wants to reduce the risk of SQL injection in a new customer search form. Which two changes are the best mitigations? Select two.

Select 2 answers
A.Use parameterized queries or prepared statements for all database access.
B.Validate and constrain user input before it reaches the database layer.
C.Store the database password in the page source so the app can connect faster.
D.Disable TLS so the application can inspect requests more easily.
E.Allow the application to build SQL statements by concatenating raw user input.
AnswersA, B

Parameterized queries keep user input separate from the SQL command structure, which blocks injection attacks effectively.

Why this answer

Option A is correct because parameterized queries and prepared statements separate SQL logic from user-supplied data, ensuring that input is treated as a literal value rather than executable code. This prevents attackers from injecting malicious SQL commands into the query string, as the database driver automatically escapes or binds parameters safely. This is the most effective defense against SQL injection attacks.

Exam trap

The trap here is that candidates may think input validation alone is sufficient, but the exam emphasizes that parameterized queries are the definitive mitigation, while validation is a secondary defense-in-depth layer.
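The two mitigations are easiest to see side by side: the same customer search written with string concatenation, where a crafted region value rewrites the WHERE clause, and with a bound parameter, where the same value is just a string nobody's region equals. The block below is an added example written for this page, not code from the question bank; it runs against an in-memory SQLite database with a constructed customers table, and the input-validation rule is an assumed local constraint on what a region code may look like.

```python
# Added example (not from the question bank): the customer search from the
# question written twice against an in-memory SQLite table, once vulnerable to
# injection and once parameterized, plus the input constraint from option B.
# Table, rows and the region format are constructed.
import re
import sqlite3

def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, region TEXT)")
    conn.executemany("INSERT INTO customers (name, email, region) VALUES (?, ?, ?)", [
        ("Alice Example", "alice@example.test", "north"),
        ("Bob Example", "bob@example.test", "south"),
        ("Carol Example", "carol@example.test", "north"),
    ])
    return conn

def search_vulnerable(conn, region: str) -> list:
    # Intentionally vulnerable (option E): the input becomes part of the SQL text,
    # so a quote in it ends the literal and the rest is parsed as SQL.
    sql = "SELECT name FROM customers WHERE region = '" + region + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, region: str) -> list:
    # Option A: the placeholder is bound as a value after the statement is parsed,
    # so the input can never change the query's structure.
    rows = conn.execute("SELECT name FROM customers WHERE region = ? ORDER BY id", (region,))
    return [row[0] for row in rows]

REGION_RE = re.compile(r"^[a-z]{1,20}$")   # assumed shape of a valid region code

def validate_region(region: str) -> str:
    """Option B, defence in depth: reject anything that is not a plausible region code
    before it reaches the database layer at all."""
    if not REGION_RE.fullmatch(region):
        raise ValueError("invalid region")
    return region

if __name__ == "__main__":
    conn = setup_db()
    payload = "north' OR '1'='1"
    print("vulnerable, normal input:   ", search_vulnerable(conn, "north"))
    print("vulnerable, injected input: ", search_vulnerable(conn, payload))
    print("parameterized, injected:    ", search_parameterized(conn, payload))
    try:
        validate_region(payload)
    except ValueError as exc:
        print("validation:", exc)
```

The injected value returns every customer from the concatenated query and nothing from the parameterized one; validation would have rejected it before either query ran, but validation is the backup, since a field that legitimately needs quotes or spaces cannot be constrained this tightly and the bound parameter protects it anyway.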

442
MCQmedium

A help desk technician receives an alert that an unmanaged laptop was plugged into a conference room network jack and was automatically placed into a restricted network segment until it passed a security check. Which control is responsible for that behavior?

A.Network access control (NAC).
B.Data loss prevention (DLP).
C.Intrusion prevention system (IPS).
D.Sandboxing gateway.
AnswerA

NAC can authenticate devices, check posture, and place noncompliant systems into a limited or quarantine network segment.

Why this answer

Network Access Control (NAC) is the correct answer because it is specifically designed to enforce security policies on devices attempting to connect to a network. When an unmanaged laptop is plugged into a network jack, NAC evaluates the device's compliance (e.g., antivirus status, patch level) and, if it fails, automatically places it into a restricted segment (e.g., a quarantine VLAN) until it passes a security check. This behavior is a core function of NAC solutions like Cisco ISE or Aruba ClearPass, which use 802.1X or MAC authentication bypass to dynamically assign VLANs based on device posture.

Exam trap

The trap here is that candidates often confuse NAC with an IPS or firewall because both can block traffic, but NAC specifically controls access at the point of network entry (Layer 2) based on device identity and compliance, not by inspecting packet payloads.

How to eliminate wrong answers

Option B is wrong because Data Loss Prevention (DLP) focuses on monitoring and preventing unauthorized transmission of sensitive data, not on controlling network access or quarantining devices. Option C is wrong because an Intrusion Prevention System (IPS) inspects network traffic for malicious patterns and blocks attacks, but it does not enforce pre-admission security checks or dynamically segment devices based on compliance. Option D is wrong because a sandboxing gateway detonates suspicious files in an isolated environment to analyze behavior, but it does not manage network access or quarantine endpoints at the switch port level.

443
MCQmedium

A security manager is preparing a quarterly report for the board of directors on the effectiveness of the organization's security program. The manager has access to detailed technical data, including firewall log statistics, patch compliance percentages, and number of phishing simulation clicks. Which of the following would be the most appropriate way to present this information to the board?

A.Provide a list of all firewall rule changes made during the quarter.
B.Show a trend chart of the number of security incidents categorized by severity, along with average time to resolve.
C.Include raw logs of the top 10 most frequent alerts from the SIEM.
D.Describe the technical architecture of the intrusion prevention system.
AnswerB

This option provides a high-level, actionable summary that demonstrates the security program's effectiveness. Incident trends by severity and resolution time are key performance indicators that the board can use to assess risk reduction and operational maturity.

Why this answer

Option B is correct because it presents security program effectiveness in a business-relevant format: trend charts of incidents by severity and resolution times directly address risk reduction and operational efficiency, which board members need for strategic oversight. Unlike raw technical data, this aggregated, visualized information enables non-technical stakeholders to assess whether the security program is improving over time.

Exam trap

The trap here is that candidates mistake operational granularity (firewall changes, raw logs) for meaningful board-level metrics, failing to recognize that executives need summarized, trend-based data that ties security activities to business outcomes like risk reduction and efficiency.

How to eliminate wrong answers

Option A is wrong because listing all firewall rule changes provides granular operational detail that is irrelevant for board-level oversight; it does not convey the overall security posture or effectiveness of the program. Option C is wrong because including raw SIEM alert logs overwhelms the audience with unprocessed, high-volume data that lacks context and trend analysis, failing to communicate the program's impact on risk reduction or incident response maturity. Option D is wrong because the technical architecture of the IPS describes a control, not a result; the board needs to know whether risk is being reduced, not how a particular appliance is built.

444
Multi-Selecteasy

A help desk team is writing a procedure for resetting MFA after a user loses a phone. Which two details belong in the procedure rather than in the policy? Select two.

Select 2 answers
A. The exact step-by-step verification process the technician must follow
B. The specific screen clicks or tool used to reset the MFA device
C. A statement that all employees must use MFA to access company systems
D. A general goal of protecting accounts from unauthorized access
E. A broad rule that users should protect company credentials
Answers: A, B

Procedures should describe the specific actions to perform so technicians can follow the same process every time.

Why this answer

Option A is correct because a procedure must contain the exact step-by-step verification process the technician follows to confirm the user's identity before resetting MFA. This operational detail ensures consistency and security, whereas a policy would only state the high-level requirement (e.g., 'verify identity'). Without precise steps, technicians might skip critical checks, leading to unauthorized MFA resets.

Exam trap

The trap here is confusing policy (broad rules and goals) with procedure (specific, actionable steps), leading candidates to select high-level statements like 'all employees must use MFA' instead of the detailed verification and tool-specific steps that actually belong in a procedure.

445
Multi-Select (hard)

A records room has repeated tailgating after hours and occasional door propping during deliveries. Management wants one control that prevents follow-on entry and another that immediately alerts security if the door is forced open or left ajar. Which two controls best meet the need? Select two.

Select 2 answers
A. Install a mantrap at the room entrance.
B. Add a door position sensor tied to an alarm or SIEM alert.
C. Place a larger warning sign on the wall beside the door.
D. Mount a visible camera over the door only.
E. Replace the mechanical lock with the same type of lock and no monitoring.
Answers: A, B

A mantrap allows only one credentialed person through at a time, which directly reduces tailgating.

Why this answer

A mantrap (option A) prevents tailgating by requiring one door to close before the next can open, effectively stopping follow-on entry. A door position sensor (option B) detects when the door is forced open or left ajar and triggers an immediate alert to security via an alarm or SIEM integration, meeting the requirement for real-time notification.

Exam trap

The trap here is that candidates often choose a camera (option D) thinking it provides real-time alerting, but a standard visible camera without integrated analytics does not automatically alert on door status—it only records footage for later review.

446
MCQ (medium)

A vulnerability scan identifies four issues across a small company. Which item should the operations team remediate first?

A. A critical flaw on a disconnected training laptop that is used only in the lab
B. A high-severity flaw on an internet-facing customer portal with public exploit code available
C. A medium-severity flaw on an internal print server that stores no sensitive data
D. A low-severity flaw on an archive server scheduled for retirement next month
Answer: B

This is the best choice because risk is driven by both likelihood and impact. An internet-facing system with public exploit code has a much higher chance of being attacked, and a customer portal can affect sensitive data and business operations. Even if another issue has a higher severity label, exposure and active exploitability make this item the most urgent business risk.

Why this answer

Option B is correct because the internet-facing customer portal with a high-severity flaw and public exploit code presents the highest risk to the organization. The combination of high attack surface (exposed to the internet), high severity, and readily available exploit code means an attacker can easily compromise the system, leading to data breach, financial loss, or reputational damage. Remediation prioritization should follow risk-based principles, where likelihood and impact are both high.

Exam trap

The trap here is that candidates often focus solely on the severity score (critical vs. high) without considering the attack surface and exploitability, leading them to pick the critical flaw on the isolated laptop instead of the high-severity flaw on the internet-facing system.

How to eliminate wrong answers

Option A is wrong because a disconnected training laptop used only in a lab has no network connectivity, so the critical flaw cannot be exploited remotely; the risk is effectively zero until it is reconnected, making it a lower priority. Option C is wrong because a medium-severity flaw on an internal print server that stores no sensitive data has limited impact and a lower attack surface (internal only), so it does not warrant immediate remediation over an internet-facing high-severity issue. Option D is wrong because a low-severity flaw on an archive server scheduled for retirement next month poses minimal risk, and the server's impending decommissioning means the flaw will be eliminated soon without active remediation.

447
MCQ (medium)

A security analyst is investigating a data integrity incident where an attacker exploited a vulnerability in a web application to alter customer account balance records in the database. The analyst identifies the exact records that were modified and restores those records from a verified read-only backup taken prior to the attack. Which security goal is the analyst primarily addressing by restoring the records from backup?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: B

Integrity ensures data is accurate and has not been improperly altered. By restoring the database to a state before the unauthorized modifications, the analyst is directly correcting a breach of integrity.

Why this answer

Restoring the altered customer account balance records from a verified read-only backup directly addresses the integrity security goal. Integrity ensures that data is accurate and has not been modified by unauthorized parties. By reverting the records to their pre-attack state, the analyst is correcting the unauthorized modifications, thereby restoring the trustworthiness of the data.

Exam trap

The trap here is that candidates may confuse restoring data from backup with ensuring availability, but the primary goal in this scenario is to correct unauthorized modifications, which is a core integrity function.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized disclosure of data, not on correcting unauthorized modifications. Option C is wrong because availability ensures that systems and data are accessible when needed, which is not the primary concern when restoring altered records. Option D is wrong because non-repudiation provides proof of the origin or authenticity of data or actions, typically through digital signatures or logs, and is not achieved by restoring data from a backup.

448
MCQ (medium)

A small company is moving its public web app to a new network. The front-end server must be reachable from the internet, the application server should only accept traffic from the front end, and the database must never be reachable from the internet or user VLANs. Which design best meets these requirements with the least exposure?

A. Place all three servers in the same server VLAN and use host-based firewalls to separate them.
B. Place the web server in a DMZ, the application server in an internal subnet, and the database in a separate restricted subnet with firewall rules between each tier.
C. Place the database in the DMZ so the web and application servers can access it directly without extra firewall rules.
D. Place the web server on the user VLAN and use NAT to hide the database server from the internet.
Answer: B

This is the strongest design because each tier is isolated according to exposure. The web server is the only internet-facing system, the application tier only receives approved traffic from the web tier, and the database is protected behind internal filtering. That layout limits attack paths and supports least privilege between network zones.

Why this answer

Option B is correct because it implements a classic three-tier architecture with network segmentation. The web server in the DMZ is isolated from internal networks but accessible from the internet, the application server in an internal subnet is protected by firewall rules that only allow traffic from the DMZ, and the database in a separate restricted subnet is further isolated with firewall rules that only permit traffic from the application server. This design minimizes exposure by enforcing least privilege and defense in depth, using network-layer segmentation rather than relying solely on host-based controls.

Exam trap

The trap here is that candidates may think host-based firewalls are sufficient for isolation (Option A) or that placing the database in the DMZ simplifies access (Option C), but the exam expects you to recognize that network segmentation with separate subnets and firewall rules between tiers is the most secure, least-exposure approach for multi-tier applications.

How to eliminate wrong answers

Option A is wrong because placing all three servers in the same VLAN with host-based firewalls violates the principle of network segmentation; a single compromised host could pivot laterally to other servers within the same broadcast domain, and host-based firewalls are more easily misconfigured or bypassed than network-layer ACLs. Option C is wrong because placing the database in the DMZ directly exposes it to the internet, which contradicts the requirement that the database must never be reachable from the internet; this design also increases the attack surface by allowing the web and application servers to access the database without intermediate firewall enforcement.

449
MCQ (easy)

A critical patch must be applied to a production server next week. What is the best way to reduce the risk of downtime if the patch causes a problem?

A. Apply the patch during business hours so users can report issues quickly
B. Create a rollback plan before installing the patch
C. Skip testing because critical patches are always safe
D. Disable logging during the patch to improve performance
Answer: B

A rollback plan allows the team to return to a known good state if the patch fails.

Why this answer

Option B is correct because creating a rollback plan before installing a patch ensures that if the patch causes unexpected issues, the system can be restored to its previous stable state quickly, minimizing downtime. A rollback plan typically includes steps to revert the patch, restore from a backup, or switch to a failover system, which is a fundamental change management practice in security operations.

Exam trap

The trap here is that candidates may assume applying a patch during business hours allows for quick user feedback, but this overlooks the higher risk of widespread disruption and the importance of a controlled maintenance window.

How to eliminate wrong answers

Option A is wrong because applying a patch during business hours increases the risk of disrupting users and operations; patches should be applied during maintenance windows to minimize impact. Option C is wrong because skipping testing is dangerous even for critical patches, as they can still introduce compatibility issues or break existing functionality; testing in a non-production environment is essential. Option D is wrong because disabling logging during a patch removes the ability to audit changes and troubleshoot problems, which could lead to undetected issues and longer downtime.

450
Multi-Select (easy)

A data center wants to reduce tailgating at a sensitive room entrance. Which two controls are most effective? Select two.

Select 2 answers
A. A mantrap that allows only one person through at a time.
B. A turnstile or other one-person entry control.
C. A standard badge reader without anti-passback.
D. A motion sensor in the hallway.
E. A visitor sign-in sheet at the front desk.
Answers: A, B

A mantrap forces one person through at a time and blocks piggybacking.

Why this answer

A mantrap is a small room with two interlocking doors that allows only one person to enter at a time, physically preventing tailgating by trapping unauthorized individuals between the doors. This control enforces strict one-person entry and is highly effective against tailgating in high-security areas.

Exam trap

The trap here is that candidates may confuse administrative controls like sign-in sheets or detection controls like motion sensors with physical deterrents, failing to recognize that only physical barriers like mantraps and turnstiles actively prevent tailgating.
