Security+ SY0-701 (SY0-701) — Questions 526–600
1152 questions total · 16 pages · All types, answers revealed
A file-sharing portal uses a download URL like /download?file=12345. A tester changes the value to 12346 and can access another department's document without logging in again. Which control most directly prevents this issue?
A. Implement server-side authorization checks for every object request.
B. Make the identifier longer so users cannot guess nearby values.
C. Move the portal to HTTPS so request parameters cannot be intercepted.
D. Store the document name in a hidden field and validate it in JavaScript.
Answer: A
Server-side authorization ensures the application verifies that the current user is allowed to access the specific object requested. This directly stops insecure direct object reference issues because changing the identifier alone no longer grants access. The check must happen on the server for every request, not in the browser.
Why this answer
The issue is that the server trusts the file identifier in the URL without verifying that the authenticated user is authorized to access the requested resource. Implementing server-side authorization checks for every object request ensures that before serving any file, the server validates whether the current session or user has explicit permission to access that specific document. This directly prevents the IDOR (Insecure Direct Object Reference) vulnerability demonstrated by the tester.
Exam trap
The trap here is that candidates often confuse confidentiality controls (like HTTPS or longer identifiers) with authorization controls, failing to recognize that the core flaw is the lack of server-side permission verification for each object request.
How to eliminate wrong answers
Option B is wrong because making the identifier longer (e.g., using a UUID) only makes guessing harder but does not eliminate the authorization gap; if the server still trusts any identifier without checking permissions, a user who obtains or guesses a valid identifier can still access unauthorized documents. Option C is wrong because HTTPS encrypts the request in transit to prevent interception, but it does not address the server-side authorization flaw; the tester in this scenario is already authenticated and simply changes the parameter value in their own browser. Option D is wrong because storing the document name in a hidden field and validating it in JavaScript is client-side validation, which can be easily bypassed by disabling JavaScript or manipulating the hidden field value using browser developer tools; server-side authorization is required.
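The control in option A, as an added example that is not part of the question bank: a minimal download handler in its vulnerable form, which trusts the `file` identifier, beside the fixed form that authorizes every object request on the server. The document store, users and departments are constructed for the example.

```python
"""Added example (not from the question bank): the IDOR described above as a
minimal download handler, first trusting the identifier, then with a
per-object server-side authorization check. All data is constructed here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    department: str
    shared_with: frozenset = frozenset()  # user ids explicitly granted access


@dataclass(frozen=True)
class Session:
    user_id: str
    department: str


# Constructed sample store: sequential ids, as in the question.
DOCUMENTS = {
    "12345": Document("12345", "finance"),
    "12346": Document("12346", "engineering"),
    "12347": Document("12347", "hr", shared_with=frozenset({"alice"})),
}


class Forbidden(Exception):
    """Raised when the session is not authorized for the requested object."""


def download_insecure(session: Session, file_id: str) -> Document:
    """Vulnerable: only checks that the id exists. Any logged-in user who
    edits ?file= reaches another department's document (the IDOR)."""
    doc = DOCUMENTS.get(file_id)
    if doc is None:
        raise KeyError(file_id)
    return doc


def is_authorized(session: Session, doc: Document) -> bool:
    """Object-level rule: same department, or explicitly shared with the user."""
    return doc.department == session.department or session.user_id in doc.shared_with


def download_secure(session: Session, file_id: str) -> Document:
    """Fixed: the server decides, per request, whether this user may read
    this specific object. Changing the id alone no longer grants access."""
    doc = DOCUMENTS.get(file_id)
    # Same error for "missing" and "not yours", so responses do not reveal
    # which ids exist.
    if doc is None or not is_authorized(session, doc):
        raise Forbidden(file_id)
    return doc


def released_ids(handler, session: Session, ids) -> list:
    """Regression check a defender runs after the fix: which of `ids` does
    `handler` release to `session`?"""
    granted = []
    for fid in ids:
        try:
            handler(session, fid)
            granted.append(fid)
        except (KeyError, Forbidden):
            pass
    return granted


if __name__ == "__main__":
    alice = Session("alice", "finance")
    ids = ["12345", "12346", "12347"]
    print("insecure handler releases:", released_ids(download_insecure, alice, ids))
    print("secure handler releases:  ", released_ids(download_secure, alice, ids))
```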
A records manager discovers 18-month-old paper onboarding forms stored in a cabinet. The retention schedule says the forms must be destroyed after 12 months unless legal hold applies, and no hold has been issued. What is the best next step?
A. Keep the forms indefinitely in case a future audit asks for them.
B. Scan the forms into a shared folder and then throw away the paper.
C. Destroy the forms using an approved secure disposal method and document the action.
D. Return the forms to HR so they can be reused for new hires.
Answer: C
This is correct because the retention period has expired and no legal hold exists, so secure disposal is required.
Why this answer
Option C is correct because the retention schedule explicitly requires destruction after 12 months with no legal hold. An approved secure disposal method (e.g., cross-cut shredding or incineration) ensures the sensitive PII on onboarding forms is irrecoverable, and documenting the action provides an audit trail for compliance with data protection regulations like GDPR or HIPAA.
Exam trap
The trap here is that candidates may choose Option B (scanning) thinking digital preservation is safer, but the question tests the principle that retention schedules mandate destruction—not conversion—and that scanning without secure disposal still leaves the paper intact, violating policy.
How to eliminate wrong answers
Option A is wrong because indefinite retention violates the defined retention schedule and could expose the organization to non-compliance penalties for holding data longer than permitted. Option B is wrong because scanning into a shared folder without access controls or encryption creates a security risk and does not constitute destruction; the paper must still be securely disposed of, and the digital copy may itself require deletion per the schedule. Option D is wrong because reusing forms for new hires would mix old personal data with new, causing data integrity issues and violating privacy principles like data minimization.
The SOC is writing step-by-step instructions for responding to a suspected malware infection on a laptop. The document should tell analysts exactly what to do first, second, and third during triage and containment. Which governance artifact should they create?
A. Policy, because it states the organization's broad security intent.
B. Procedure, because it gives a repeatable sequence of actions for a specific task.
C. Guideline, because it offers optional advice that analysts may choose to follow.
D. Standard, because it defines the organization's security goals at a high level.
Answer: B
A procedure is the right artifact when the team needs exact, repeatable instructions. In incident response, analysts need a consistent sequence for triage, containment, escalation, and evidence handling so that actions are predictable and auditable. Procedures support operational consistency and reduce confusion during stressful events, which is why they fit this scenario better than policies or guidelines.
Why this answer
A procedure is the correct governance artifact because it provides a detailed, step-by-step sequence of actions for a specific task—in this case, triaging and containing a suspected malware infection on a laptop. Unlike policies or standards, which set high-level intent or goals, a procedure ensures repeatable and consistent execution by analysts during incident response.
Exam trap
Cisco often tests the distinction between high-level governance documents (policies, standards) and operational documents (procedures, guidelines), and the trap here is that candidates confuse a procedure with a guideline because both provide instructions, but a procedure is mandatory and ordered, while a guideline is advisory and flexible.
How to eliminate wrong answers
Option A is wrong because a policy states the organization's broad security intent (e.g., 'All endpoints must be protected from malware'), not the specific step-by-step instructions needed for triage and containment. Option C is wrong because a guideline offers optional advice or best practices that analysts may choose to follow, but the question requires mandatory, ordered steps for a repeatable process. Option D is wrong because a standard defines mandatory security goals or requirements at a high level (e.g., 'All laptops must have antivirus software'), not the precise sequence of actions for a specific incident response task.
A SOC analyst reviews an EDR alert showing powershell.exe launched with an encoded command, then immediately connected to an unfamiliar IP address and spawned rundll32.exe. The user is still logged in and the machine may still contain evidence needed for investigation. Which two actions should the analyst take first to contain the incident while preserving evidence? Select two.
Select 2 answers
A. Isolate the endpoint using EDR network containment or a quarantine policy.
B. Disable the user account and revoke active sessions or tokens for that identity.
C. Reboot the workstation immediately to clear any malicious process from memory.
D. Run a full vulnerability scan before taking any other action.
E. Delete the suspicious email from the mailbox to remove the original payload.
Answers: A, B
This stops the suspected malware from communicating or spreading while preserving the disk and volatile evidence for later analysis.
Why this answer
Option A is correct because isolating the endpoint via EDR network containment or quarantine policy immediately stops the malicious process from communicating with the command-and-control (C2) server at the unfamiliar IP address, preventing data exfiltration and lateral movement. This action preserves the volatile evidence in memory (e.g., the spawned rundll32.exe process) and on disk, allowing forensic analysis without the risk of the attacker destroying evidence remotely.
Exam trap
The trap here is that candidates often choose to reboot the workstation (Option C) thinking it will 'clean' the system, but this destroys volatile evidence and does not contain the incident, whereas disabling the user account (Option B) is a valid containment step to prevent further access via that identity.
An EDR alert shows a finance workstation launching rundll32 from %AppData%, creating a scheduled task, and making repeated HTTPS beacons to a rare domain. The user still has open accounting files, and the SOC wants to slow spread without losing evidence. What two actions should be taken first? Select two.
Select 2 answers
A. Isolate the workstation from the network using EDR or NAC containment.
B. Immediately wipe and reimage the workstation before collecting anything else.
C. Capture volatile evidence such as memory contents, running processes, and active network connections.
D. Power the workstation off immediately to stop the malware process.
E. Disable every user account in the finance department to prevent further compromise.
Answers: A, C
Isolating the host immediately stops most outbound command-and-control traffic and reduces the chance of lateral spread. It is the best first containment step when malware is still active. It preserves the system state better than power loss, which can destroy volatile evidence.
Why this answer
Isolating the workstation (A) stops the malware from communicating with its C2 server via HTTPS beacons and prevents lateral movement, while preserving the evidence on disk. Capturing volatile evidence (C) before any shutdown or isolation ensures that memory-resident artifacts, active network connections, and running processes are preserved, which are critical for forensic analysis and understanding the attack chain.
Exam trap
The trap here is that candidates may choose to power off the workstation (D) thinking it stops the malware, but this destroys volatile evidence and can trigger anti-forensic mechanisms, whereas isolation and memory capture are the correct first steps in incident response.
A legacy application server has a critical vulnerability, but the vendor will not release a fix for 30 days. Which two compensating controls are the best short-term risk reduction steps? Select two.
Select 2 answers
A. Restrict access to the server to known admin IPs or a jump host.
B. Place a web application firewall or IPS rule in front of the exposed service.
C. Document the issue and wait for the vendor patch without making any changes.
D. Open the service to more networks so monitoring tools can see it better.
E. Disable logging to reduce the performance overhead caused by the vulnerability.
Answers: A, B
Correct because limiting who can reach the server reduces exposure while the vulnerability remains unpatched. Fewer reachable sources means fewer opportunities for exploitation.
Why this answer
Option A is correct because restricting access to the server to known admin IPs or a jump host reduces the attack surface by limiting who can reach the vulnerable service. This network-layer control (e.g., using ACLs or firewall rules) prevents exploitation from untrusted sources while the vendor patch is pending. It is a classic compensating control that buys time without modifying the application itself.
Exam trap
The trap here is that candidates may think documenting the issue (Option C) is sufficient or that increasing monitoring (Option D) is a control, but CompTIA expects active risk reduction measures like access restriction and virtual patching, not passive or counterproductive actions.
An IDS raises an alert for a possible SQL injection attack against an internal reporting portal. The web server logs show the source IP belongs to the company's vulnerability scanner, and the requests match the scanner's normal test pattern. What is the most appropriate analyst action?
A. Treat the alert as a confirmed breach and begin password resets for all portal users.
B. Mark the alert as a likely false positive after verifying the scanner schedule and source IP.
C. Block the scanner IP permanently to prevent future alerts from the same host.
D. Quarantine the reporting server because IDS alerts always indicate active exploitation.
Answer: B
Authorized scanners often resemble attacks, so confirming the source and schedule is the right validation step.
Why this answer
Option B is correct because the IDS alert matches the known behavior of the company's vulnerability scanner, which is a legitimate and scheduled security tool. Verifying the scanner schedule and source IP confirms the traffic is authorized, making the alert a false positive. Analysts should correlate IDS alerts with asset inventories and change management records to avoid unnecessary incident response actions.
Exam trap
The trap here is that candidates may assume any SQL injection pattern in IDS logs is malicious, overlooking the possibility that the traffic originates from an authorized internal security tool.
How to eliminate wrong answers
Option A is wrong because treating the alert as a confirmed breach without verification wastes resources and causes unnecessary user disruption; IDS alerts require validation before escalation. Option C is wrong because permanently blocking the scanner IP would disrupt legitimate security testing and vulnerability management processes. Option D is wrong because quarantining the server based solely on an IDS alert ignores the context that the traffic is from an authorized scanner; IDS alerts can be false positives and do not always indicate active exploitation.
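The validation step in option B, as an added example that is not part of the question bank: a small triage routine that correlates an IDS alert's source IP, time and signature family with an inventory of authorized scanners and their scan windows, so an alert is downgraded only when all three match. The scanner inventory, the alert line format and every address and host name are constructed for the example.

```python
"""Added example (not from the question bank): correlating an IDS alert with
the authorized-scanner inventory before deciding it is a false positive.
Inventory, log format and all addresses are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress


@dataclass(frozen=True)
class Scanner:
    name: str
    source: ipaddress.IPv4Network   # address or range the scanner scans from
    window_start: time              # daily authorized scan window (local time)
    window_end: time
    signatures: frozenset           # IDS signature families it is expected to trigger


@dataclass(frozen=True)
class Alert:
    timestamp: datetime
    src_ip: str
    dst_host: str
    signature: str                  # "FAMILY:detail", e.g. "SQLi:union-select"


# Constructed inventory: one authorized scanner with a 01:00-05:00 window.
SCANNERS = [
    Scanner("vuln-scanner-01", ipaddress.ip_network("10.20.30.40/32"),
            time(1, 0), time(5, 0), frozenset({"SQLi", "XSS", "DIR-TRAVERSAL"})),
]


def parse_alert(line: str) -> Alert:
    """Parse the constructed IDS line format:
    '<ISO timestamp> <signature> <src_ip> -> <dst_host>'"""
    ts, sig, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected alert line: {line!r}")
    return Alert(datetime.fromisoformat(ts), src, dst, sig)


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies within [start, end]; handles windows crossing midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def triage(alert: Alert, scanners=SCANNERS) -> tuple:
    """Return (verdict, reason). 'likely false positive' only when source,
    signature family and time all match an authorized scanner; anything
    else stays open. The analyst still records the check in the ticket."""
    ip = ipaddress.ip_address(alert.src_ip)
    family = alert.signature.split(":", 1)[0]
    for s in scanners:
        if ip not in s.source:
            continue
        if family not in s.signatures:
            return ("investigate",
                    f"{s.name} address, but {family} is not in its signature profile")
        if not in_window(alert.timestamp.time(), s.window_start, s.window_end):
            return ("investigate",
                    f"{s.name} address and signature, but outside its scan window")
        return ("likely false positive",
                f"matches {s.name}: authorized source, signature profile and window")
    return ("investigate", "source is not an authorized scanner")


# Constructed sample alerts: the scheduled scan, the same scanner address at
# midday, and an unknown host sending the scanner's test pattern.
SAMPLE_LINES = [
    "2024-05-06T02:15:07 SQLi:union-select 10.20.30.40 -> reports.internal",
    "2024-05-06T14:02:51 SQLi:union-select 10.20.30.40 -> reports.internal",
    "2024-05-06T02:16:00 SQLi:union-select 10.20.30.77 -> reports.internal",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict, reason = triage(parse_alert(line))
        print(f"{verdict:22} {reason}")
```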
A company wants guest laptops on Wi-Fi to reach the internet but not internal printers or servers. Which two changes best support this design? Select two.
Select 2 answers
A. Assign guest access points to a separate VLAN with its own subnet.
B. Allow guests on the same VLAN as employee devices for simpler routing.
C. Use firewall rules to deny guest traffic to internal RFC1918 address ranges.
D. Enable WPA2-Enterprise on employee wireless only, and reuse that on guest devices.
E. Put printers on the guest VLAN so guests can print directly.
Answers: A, C
A separate VLAN and subnet keep guest devices logically isolated from corporate systems. This is a common first step in segmentation because it limits what guest traffic can reach and makes firewall policy easier to enforce.
Why this answer
Assigning guest access points to a separate VLAN with its own subnet isolates guest traffic at Layer 2, preventing direct communication with internal devices like printers and servers. This segmentation is a foundational step for enforcing access control policies without relying solely on higher-layer filtering.
Exam trap
The trap here is that candidates often think VLAN separation alone is sufficient, forgetting that a Layer 3 gateway (router/firewall) can still route between VLANs unless explicit ACLs or firewall rules block RFC1918 destinations.
Based on the exhibit, which tool should the security team use to safely observe the attachment's behavior before delivery to users?
A. Sandboxing, so the file can execute in a controlled environment before release.
B. DLP, so the gateway can block sensitive data from leaving the organization.
C. NAC, so the sender's device can be checked before the message is accepted.
D. SIEM, so the team can store the attachment and review alerts later.
Answer: A
Sandboxing is designed to detonate suspicious files safely and observe their behavior. Because the attachment is a macro-enabled spreadsheet and static scanning did not find a known signature, dynamic analysis is the right next step. This helps confirm whether the file tries to drop malware, contact an external server, or modify the system.
Why this answer
Sandboxing allows the security team to execute the attachment in a controlled, isolated environment to observe its behavior (e.g., network connections, file modifications) without risking the production network. This is the correct approach because it safely detonates the file before delivery, enabling detection of malicious activity such as ransomware or trojans. Other tools like DLP, NAC, or SIEM do not provide the dynamic analysis needed to assess the attachment's runtime behavior.
Exam trap
The trap here is that candidates may confuse sandboxing with DLP or SIEM, thinking that blocking data exfiltration or reviewing logs after delivery is sufficient, when the question specifically requires observing behavior before delivery.
How to eliminate wrong answers
Option B (DLP) is wrong because Data Loss Prevention focuses on monitoring and blocking sensitive data exfiltration, not on analyzing the behavior of an attachment for malware. Option C (NAC) is wrong because Network Access Control checks the security posture of a device before granting network access, not the content or behavior of an attachment in an email. Option D (SIEM) is wrong because a Security Information and Event Management system aggregates and correlates logs for analysis, but it cannot safely execute or observe the runtime behavior of an attachment before delivery.
The service desk needs a document that tells analysts exactly how to verify a caller and reset a password for a locked account. Which document type should they use?
A. Policy, because it states the organization's high-level security expectations
B. Guideline, because it offers helpful suggestions that staff may choose to follow
C. Procedure, because it provides exact steps staff must follow in order
D. Standard, because it defines a general topic without operational detail
Answer: C
A procedure is the best choice when staff need a repeatable, detailed sequence of actions for a task such as caller verification and password reset.
Why this answer
A procedure is the correct document type because it provides a step-by-step sequence of actions that staff must follow to complete a specific operational task, such as verifying a caller's identity and resetting a password. Unlike policies or standards, procedures are mandatory and detail the exact commands, verification checks, and escalation paths required to ensure consistent and secure execution of the task.
Exam trap
The trap here is confusing a procedure with a policy or standard, as candidates often think a high-level policy is sufficient for operational tasks, but the exam requires recognizing that procedures are the only document type that mandates exact, ordered steps for a specific task.
How to eliminate wrong answers
Option A is wrong because a policy states high-level security expectations and principles (e.g., 'passwords must be reset securely'), but does not provide the specific steps for verifying a caller or performing the reset. Option B is wrong because a guideline offers suggestions or best practices that staff may choose to follow, not the exact mandatory steps required for a consistent and secure password reset process. Option D is wrong because a standard defines a general topic or baseline requirement (e.g., 'passwords must be at least 8 characters') without the operational detail needed to execute a specific procedure.
Based on the exhibit, what is the best next step before onboarding the vendor?
A. Approve the vendor because it already passed a penetration test.
B. Require a security addendum with breach-notification timing, subprocessor approval, and audit rights.
C. Ask the vendor to provide source code so developers can review it.
D. Move the workload to an internal shared drive until the vendor is ready.
Answer: B
This is the best action because the exhibit shows governance gaps that should be fixed before onboarding. Contractual controls can enforce notification, oversight, and accountability across the vendor and its subprocessors.
Why this answer
The exhibit indicates the vendor has not yet provided a security addendum, which is a critical contractual document that defines security obligations such as breach-notification timing, subprocessor approval, and audit rights. Without this addendum, the organization lacks enforceable guarantees for data protection and incident response, making onboarding premature. Option B directly addresses this gap by requiring the addendum before proceeding.
Exam trap
The trap here is that candidates may assume a penetration test is sufficient due diligence, overlooking that contractual security terms are legally binding and address ongoing compliance, not just a one-time technical check.
How to eliminate wrong answers
Option A is wrong because passing a penetration test does not replace the need for contractual security terms; a pen test is a point-in-time assessment, not a binding agreement for ongoing compliance. Option C is wrong because requesting source code is impractical and unnecessary for most vendor relationships—developers cannot realistically review proprietary code, and this does not address legal or operational security requirements. Option D is wrong because moving the workload to an internal shared drive introduces data exposure risks and does not resolve the missing vendor security addendum; it bypasses proper governance.
A hardening script is pushed to a production web server and, within minutes, the application stops accepting secure connections. The team discovers the script disabled a required TLS setting that the legacy application still needs. What should have been in place to reduce the impact of this change?
A. A documented change window with testing in a staging environment and a rollback plan.
B. A longer password policy for administrators so they can log in after the outage.
C. Disabling all logging during the change so the application can restart faster.
D. Replacing the web server hardware to ensure the TLS settings are applied correctly.
Answer: A
This is the best control because it reduces operational risk before a production change is made. Testing and rollback planning are standard safeguards when security hardening may affect availability.
Why this answer
Option A is correct because a documented change window with testing in a staging environment and a rollback plan ensures that changes are validated before production deployment. In this scenario, the hardening script disabled a required TLS setting (e.g., TLS 1.0 or a specific cipher suite) that the legacy application depended on. Testing in staging would have caught the incompatibility, and a rollback plan would allow reverting the change quickly, minimizing downtime.
Exam trap
The trap here is that candidates might think the issue is about authentication (Option B) or hardware (Option D), but the core problem is a configuration change that broke TLS compatibility, which requires proper change management and testing, not hardware or password policies.
How to eliminate wrong answers
Option B is wrong because a longer password policy for administrators does not address the technical issue of a misconfigured TLS setting; it only affects authentication, not the secure connection failure. Option C is wrong because disabling logging during the change does not help the application restart faster or prevent the TLS misconfiguration; logging is unrelated to the TLS stack or service recovery. Option D is wrong because replacing the web server hardware does not affect TLS settings; TLS configuration is software-based (e.g., in the web server's config files or registry), and hardware replacement would not resolve a misapplied script.
A customer enters `<script>alert('test')</script>` into a public forum signature field. Later, other users who view that signature see the script execute in their browsers. What attack is this?
A. SQL injection
B. Cross-site scripting
C. Session replay
D. Directory traversal
Answer: B
Cross-site scripting stores or reflects script code that executes in another user's browser.
Why this answer
This is a classic stored cross-site scripting (XSS) attack. The malicious script is injected into a persistent data store (the forum signature field) and later served to other users without proper sanitization, causing the browser to execute the script in the context of the trusted site.
Exam trap
The trap here is confusing client-side injection (XSS) with server-side injection (SQL injection) because both involve untrusted input, but XSS targets the browser's rendering engine while SQL injection targets the database query parser.
How to eliminate wrong answers
Option A is wrong because SQL injection targets database queries by manipulating input to alter SQL commands, not client-side script execution in a user's browser. Option C is wrong because session replay attacks involve capturing and reusing session tokens (e.g., via packet sniffing or XSS), not injecting scripts into a forum signature. Option D is wrong because directory traversal exploits file system paths to access restricted files (e.g., using '../' sequences), not injecting client-side code into web pages.
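The fix for the stored XSS described above is contextual output encoding when the stored signature is rendered, not trusting the data because it was "already saved". The following added example (not code from the page or from any forum product) shows the vulnerable rendering beside the hardened one, using the page's own test string as constructed input; the `render_*` function names and the `div` wrapper are assumptions for illustration.

```python
"""Added example: stored XSS arises at render time; HTML-escape untrusted stored text.

The signature value is the string from the question; the rendering functions and
the surrounding markup are constructed for this illustration.
"""
import html

# Constructed: the value a user stored in their forum signature field.
SIGNATURE_FROM_PAGE = "<script>alert('test')</script>"


def render_signature_unsafe(signature: str) -> str:
    """Vulnerable: stored, untrusted text is concatenated straight into the HTML body.

    Whatever markup the user saved is handed to every viewer's browser as-is, which is
    exactly the stored-XSS condition the question describes.
    """
    return f'<div class="sig">{signature}</div>'


def render_signature_safe(signature: str) -> str:
    """Hardened: encode for the HTML body context before emitting.

    html.escape with quote=True turns <, >, &, " and ' into entities, so the browser
    displays the text literally instead of parsing it as markup.
    """
    return f'<div class="sig">{html.escape(signature, quote=True)}</div>'


def contains_active_markup(rendered: str) -> bool:
    """Crude demonstration check: does the output still carry a raw <script tag?

    This is only to show the difference between the two renderers; it is not a
    substitute for proper encoding or a real HTML sanitizer.
    """
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_signature_unsafe(SIGNATURE_FROM_PAGE))   # script tag reaches the browser
    print(render_signature_safe(SIGNATURE_FROM_PAGE))     # entities only; displayed as text
```

Encoding must match the output context (HTML body here; attribute, URL and JavaScript contexts need their own encoders), and a Content-Security-Policy that disallows inline script is a useful second layer in case an encoding step is missed somewhere.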
To discourage unauthorized entry into a records room, facilities installs a large warning sign, a visible camera over the door, and a turnstile staffed by a guard during business hours. Which control category is the warning sign intended to support most directly?
A. Deterrent
B. Detective
C. Preventive
D. Corrective
Answer: A
The sign is meant to discourage people from attempting unauthorized entry in the first place.
Why this answer
The warning sign is a physical security control designed to discourage unauthorized entry by making potential intruders aware of the risks and consequences. This directly supports the deterrent control category, which aims to reduce the likelihood of a security incident by influencing behavior through fear of detection or punishment. Unlike detective controls that identify incidents after they occur, or preventive controls that physically block access, the sign's primary function is psychological deterrence.
Exam trap
The trap here is that candidates confuse the warning sign's purpose with a preventive control, mistakenly thinking that any security measure that stops entry must be preventive, when in fact the sign only discourages rather than physically or logically blocks access.
How to eliminate wrong answers
Option B is wrong because detective controls, such as motion sensors or audit logs, are designed to identify and record security events after they happen, not to discourage entry beforehand. Option C is wrong because preventive controls, like locks or access control systems, physically or logically block unauthorized access, whereas a sign only warns without enforcing a barrier. Option D is wrong because corrective controls, such as backup restoration or incident response procedures, are applied after a security incident to mitigate damage or restore operations, not to prevent or deter initial unauthorized entry.
Based on the exhibit, which principle is most directly being violated by the current share permissions?
A. Least privilege, because the broad Finance Dept access exceeds what many users require.
B. Need-to-know, because only the people working on valuation models should access them.
C. Zero trust, because the share should refuse access until every file request is reauthenticated.
D. Defense in depth, because the folder should have several separate layers of encryption.
Answer: B
Need-to-know applies because the exhibit says only three deal leads require the valuation models, while other finance staff only need unrelated invoice-tracking files. The principle focuses on restricting access to information based on necessity, even when users are part of a broader trusted group.
Why this answer
The exhibit shows share permissions granting 'Finance Dept' full control over a folder containing valuation models. The need-to-know principle restricts access to only those individuals who require the information to perform their job functions. Since not all Finance Dept members work on valuation models, granting the entire department access violates need-to-know, as only the specific users building those models should have access.
Exam trap
The trap here is confusing least privilege (which limits permission levels) with need-to-know (which limits data access based on job function), leading candidates to choose A when the real violation is granting access to users who have no business need for the data.
How to eliminate wrong answers
Option A is wrong because least privilege focuses on granting the minimum rights (e.g., Read vs. Full Control) to perform a task, not on restricting access based on job role necessity; the violation here is about who gets access, not the level of permissions. Option C is wrong because zero trust requires continuous verification of every access request, but the share permissions are static and do not involve reauthentication per file request; the question is about permission scope, not authentication architecture. Option D is wrong because defense in depth involves multiple layers of security controls (e.g., firewalls, encryption, IDS), not the granularity of share permissions; the folder lacks encryption layers, but the core violation is unauthorized access to sensitive data, not insufficient encryption depth.
A SIEM alert shows a workstation connecting to the same unknown internet address every 15 minutes, even after business hours. The device belongs to an employee who is on vacation. What is the best next step for the analyst?
A. Dismiss the alert because periodic connections are always normal for workstations.
B. Treat the alert as potentially malicious and check endpoint and proxy logs for more context.
C. Immediately delete the workstation account from the directory service.
D. Shut down the entire office network until the analyst can review the alert.
Answer: B
Unknown periodic outbound traffic can indicate beaconing, so additional log review is the right next step.
Why this answer
Option B is correct because the alert describes a persistent outbound connection to an unknown external IP address at regular intervals, which is a classic indicator of beaconing behavior often associated with malware command-and-control (C2) traffic. The fact that the connection occurs after business hours and the workstation's user is on vacation increases suspicion, as legitimate scheduled tasks or updates would typically not run under those conditions. Checking endpoint and proxy logs provides the necessary context to determine if the traffic is benign (e.g., a misconfigured service) or malicious (e.g., C2 communication).
Exam trap
The trap here is that candidates may assume periodic connections are always benign (e.g., Windows Update or NTP sync) and dismiss the alert, failing to recognize that the regularity, unknown destination, and user-on-vacation context are red flags for malicious C2 activity.
How to eliminate wrong answers
Option A is wrong because periodic connections are not always normal; beaconing at fixed intervals to an unknown external address is a well-known indicator of compromise (IoC) in security monitoring, and dismissing it outright violates standard incident response procedures. Option C is wrong because immediately deleting the workstation account from the directory service is a drastic, irreversible action that could disrupt legitimate operations and destroy forensic evidence; the proper first step is to gather additional context before taking containment actions.
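The "check the proxy logs for more context" step above is, in practice, a search for the beaconing pattern the alert hints at: many connections from one host to one destination at nearly constant intervals, to a destination that is not a known update or telemetry server. The following added example (not from the page or any SIEM product) runs that check over constructed proxy log lines; the hosts, destinations, timestamps and the known-good allowlist are all assumptions.

```python
"""Added example: flagging beacon-like periodic connections in proxy logs.

Log format, addresses, timestamps and the allowlist below are constructed for this
illustration. The detection heuristic is: at least `min_connections` connections from
one source to one destination whose inter-arrival times have low relative jitter.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import FrozenSet, List, Tuple

# Constructed proxy log: "<ISO-8601 UTC time> <src_ip> <destination> <dst_port> <method>".
SAMPLE_PROXY_LOG = """\
2024-06-10T00:00:00Z 10.10.5.23 203.0.113.77 443 CONNECT
2024-06-10T00:15:00Z 10.10.5.23 203.0.113.77 443 CONNECT
2024-06-10T00:30:00Z 10.10.5.23 203.0.113.77 443 CONNECT
2024-06-10T00:45:00Z 10.10.5.23 203.0.113.77 443 CONNECT
2024-06-10T01:00:00Z 10.10.5.23 203.0.113.77 443 CONNECT
2024-06-10T01:15:00Z 10.10.5.23 203.0.113.77 443 CONNECT
2024-06-10T01:30:00Z 10.10.5.23 203.0.113.77 443 CONNECT
2024-06-10T09:03:12Z 10.10.5.40 example.com 443 CONNECT
2024-06-10T09:03:40Z 10.10.5.40 example.com 443 CONNECT
2024-06-10T09:15:05Z 10.10.5.40 example.com 443 CONNECT
2024-06-10T10:42:19Z 10.10.5.40 example.com 443 CONNECT
2024-06-10T11:07:02Z 10.10.5.40 example.com 443 CONNECT
2024-06-10T13:20:48Z 10.10.5.40 example.com 443 CONNECT
2024-06-10T00:00:00Z 10.10.5.51 update.vendor.example 443 CONNECT
2024-06-10T01:00:00Z 10.10.5.51 update.vendor.example 443 CONNECT
2024-06-10T02:00:00Z 10.10.5.51 update.vendor.example 443 CONNECT
2024-06-10T03:00:00Z 10.10.5.51 update.vendor.example 443 CONNECT
2024-06-10T04:00:00Z 10.10.5.51 update.vendor.example 443 CONNECT
2024-06-10T05:00:00Z 10.10.5.51 update.vendor.example 443 CONNECT
2024-06-10T06:00:00Z 10.10.5.51 update.vendor.example 443 CONNECT
"""

# Constructed allowlist of destinations that legitimately poll on a schedule (patch servers etc.).
KNOWN_GOOD: FrozenSet[str] = frozenset({"update.vendor.example"})


def parse_ts(value: str) -> datetime:
    """Parse the constructed timestamp; 'Z' is rewritten so older Pythons accept it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_beacons(log_text: str, min_connections: int = 6, max_jitter: float = 0.10,
                 allowlist: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, int, int]]:
    """Return (src, dst, mean_interval_seconds, connection_count) for beacon-like pairs.

    Jitter is the coefficient of variation (population stdev / mean) of the gaps between
    consecutive connections; human browsing is bursty and scores high, timers score low.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port, _method = line.split()
        groups[(src, dst)].append(parse_ts(ts))

    flagged = []
    for (src, dst), times in groups.items():
        if dst in allowlist or len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            flagged.append((src, dst, round(mean_gap), len(times)))
    return flagged


if __name__ == "__main__":
    for src, dst, interval, count in find_beacons(SAMPLE_PROXY_LOG, allowlist=KNOWN_GOOD):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s ({count} connections)")
```

Running it with the allowlist flags only the 15-minute pattern from 10.10.5.23; without the allowlist the hourly patch-server polling would also appear, which is why the context lookup (is the destination a known service? is the user actually at the keyboard?) matters as much as the arithmetic. Real malware often adds randomized sleep to defeat exactly this check, so `max_jitter` is a tuning knob rather than a constant.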
An employee receives an email that appears to come from payroll and asks them to open a link to "confirm direct deposit details". The link goes to a site with a slightly misspelled company name. What should the employee do first?
A. Click the link and sign in quickly before the account is locked
B. Reply to the email and ask payroll whether the message is real
C. Use the company's known payroll portal or help desk contact to verify the request
D. Forward the message to co-workers so they can compare it with similar emails
Answer: C
Verifying through a trusted, separate channel avoids the suspicious link and helps confirm whether the request is legitimate.
Why this answer
Option C is correct because the safest first step when receiving a suspicious email is to verify its legitimacy through a trusted, independent channel—such as the company's known payroll portal or the help desk. This avoids interacting with the potentially malicious link or sender, which could lead to credential theft or malware installation. The email exhibits classic phishing indicators: a spoofed sender, a request for sensitive action, and a URL with a misspelled domain.
Exam trap
The trap here is that candidates may think replying to the email (Option B) is a safe verification method, but in reality, it engages the attacker and confirms the email address as active, which is a common social engineering tactic.
How to eliminate wrong answers
Option A is wrong because clicking the link and signing in would directly submit credentials to a phishing site, compromising the employee's account. Option B is wrong because replying to the email confirms the employee's address as active and may reach the attacker, not the legitimate payroll department, increasing the risk of targeted follow-up attacks. Option D is wrong because forwarding the message to co-workers could spread the phishing attempt and potentially expose others to the same threat, violating security best practices that require reporting to the security team instead.
A web application must be reachable from the internet, but its database should be isolated from direct internet access. Which two placements or controls are most appropriate? Select two.
Select 2 answers
A. Place the web server in a DMZ.
B. Keep the database on an internal network segment and restrict access to the web server only.
C. Place both the web server and the database on the same internet-facing subnet.
D. Expose the database port to the internet so administrators can connect faster.
E. Use the guest wireless VLAN for both systems.
Answers: A, B
A DMZ is a screened network segment designed for systems that must be reachable from outside while still being separated from the internal network. It is a standard place for public-facing web servers.
Why this answer
Placing the web server in a DMZ (Option A) allows it to be reachable from the internet while the internal firewall restricts inbound traffic to only necessary ports (e.g., TCP 80/443). Keeping the database on an internal network segment (Option B) and configuring firewall rules to allow traffic only from the web server’s IP address ensures the database is isolated from direct internet access, preventing external attacks on the database service.
Exam trap
The trap here is that candidates often think placing both systems in the DMZ is acceptable, but they overlook that the database must be on an internal segment with strict access controls, not just any segment with internet exposure.
A help desk technician receives an email that appears to come from the payroll provider. The message says the employee's direct deposit will be suspended unless they verify their account through a link. What type of attack is this?
A. Phishing
B. Baiting
C. Vishing
D. Pretexting
Answer: A
Correct because the message uses a fake urgent request to steal credentials through a link. It impersonates a trusted organization and pressures the user to act quickly. That combination is a classic phishing pattern, even if the wording seems professional and the logo looks real.
Why this answer
This is a classic phishing attack because the email impersonates a trusted entity (the payroll provider) and uses social engineering to trick the recipient into clicking a malicious link. Phishing specifically involves fraudulent electronic communications, such as email, to deceive victims into revealing sensitive information or installing malware. The attack vector here is email-based, which aligns directly with the definition of phishing in the SY0-701 domain of threats and vulnerabilities.
Exam trap
The trap here is that candidates may confuse phishing with pretexting because both involve deception, but phishing is specifically electronic (email, SMS, or instant message), while pretexting relies on a fabricated story delivered through any medium, often requiring direct interaction.
How to eliminate wrong answers
Option B (Baiting) is wrong because baiting involves offering something enticing (e.g., a free USB drive or download) to lure a victim into a trap, not sending a deceptive email requesting verification. Option C (Vishing) is wrong because vishing uses voice communication (e.g., phone calls or VoIP) to extract information, not email. Option D (Pretexting) is wrong because pretexting involves fabricating a scenario or identity to gain trust and obtain information, often through direct interaction (e.g., a phone call or in-person), not through an unsolicited email with a link.
Based on the exhibit, which indicator should defenders prioritize for detecting future activity from this campaign?
A. The daily-changing domain names used by the campaign.
B. The executable file hash that remains constant across samples.
C. The TLS certificate fingerprint that remains constant across samples.
D. The changing user agent string seen on each host.
Answer: C
A stable TLS certificate fingerprint is a strong indicator because it can survive daily domain changes and still identify the same infrastructure or campaign. It is especially useful for network detection when other indicators rotate frequently, as shown in the exhibit.
Why this answer
Option C is correct because a TLS certificate fingerprint that remains constant across samples provides a stable, attacker-controlled indicator that is difficult for adversaries to change without incurring cost or operational friction. Unlike domain names or user agents, which can be rotated easily, TLS certificates require the attacker to generate or compromise a new private key and certificate, making the fingerprint a persistent and reliable detection signature for defenders.
Exam trap
The trap here is that candidates mistakenly prioritize easily changed artifacts like file hashes or domain names, overlooking the operational friction that makes TLS certificate fingerprints a more stable and attacker-resistant indicator.
How to eliminate wrong answers
Option A is wrong because daily-changing domain names are designed to evade domain-based blocklists and are inherently unstable as indicators; defenders would struggle to keep up with the rapid rotation. Option B is wrong because while an executable file hash may remain constant across samples, it can be trivially altered by recompiling or appending junk data to the binary, making it a weak long-term indicator. Option D is wrong because user agent strings are easily spoofed or randomized by the malware, and they often vary per host or session, providing no reliable consistency for detection.
A security manager wants one document that states employees must protect company laptops and another that defines exact required settings such as disk encryption and a 10-minute screen lock. Which two document types are the best fit? Select two.
Select 2 answers
A. Policy
B. Standard
C. Guideline
D. Procedure
E. Exception
Answers: A, B
A policy gives the organization’s high-level rule and management intent, such as requiring employees to protect laptops and company data.
Why this answer
A policy is a high-level statement of management intent, such as requiring employees to protect company laptops. A standard defines mandatory, specific technical settings, like requiring disk encryption (e.g., AES-256) and a 10-minute screen lock timeout. Together, they provide the overarching directive (policy) and the enforceable configuration baseline (standard).
Exam trap
The trap here is confusing 'policy' with 'guideline' or 'procedure'—candidates often pick 'guideline' for the technical settings because they think it's a recommendation, but standards are the only document type that mandates exact technical configurations.
Match each requirement or instruction to the correct governance document type. Use each document type once.
Concepts
Policy
Standard
Procedure
Guideline
Why these pairings
These matches align with common governance document types in IT security frameworks: policy provides high-level direction, standard sets mandatory rules, procedure gives step-by-step instructions, guideline offers non-mandatory recommendations, baseline defines minimum configurations, and framework provides a structured approach.
An office wants finance workstations separated from general user PCs, but employees still need to print to a shared printer and access one accounting application. Which change best supports this?
A. Place all systems on one VLAN and rely on strong passwords.
B. Move finance systems to a separate VLAN or subnet and allow only required traffic through filtering rules.
C. Put the printer in a different building to make it more secure.
D. Enable screen lock timers on the finance PCs and keep the network flat.
Answer: B
This is the best choice because it separates finance systems from general users while still allowing approved services like printing and application access. VLANs or subnets reduce lateral movement, and firewall or ACL rules limit communication to only what is needed. That supports least privilege at the network layer.
Why this answer
Option B is correct because placing finance systems on a separate VLAN or subnet with a Layer 3 boundary enforces network segmentation, which limits broadcast domains and restricts lateral movement. By configuring access control lists (ACLs) or firewall rules to permit only the required traffic (e.g., SMB/CIFS for printer sharing and specific TCP/UDP ports for the accounting application), the organization achieves a least-privilege network architecture. This approach aligns with the principle of defense-in-depth, reducing the attack surface while maintaining necessary business functionality.
Exam trap
The trap here is that candidates often confuse physical separation (Option C) with logical network segmentation, or assume that strong passwords (Option A) or endpoint controls (Option D) are sufficient substitutes for network-layer isolation, when in fact VLANs and ACLs are required to enforce least-privilege access between different security zones.
How to eliminate wrong answers
Option A is wrong because placing all systems on one VLAN with strong passwords only provides authentication security but fails to segment traffic; a single VLAN allows any compromised general user PC to directly communicate with finance workstations via Layer 2, bypassing any network-level controls. Option C is wrong because moving the printer to a different building does not change the logical network topology—if the printer remains on the same flat network, it still exposes a shared resource without addressing segmentation, and physical relocation adds no security benefit against network-based attacks. Option D is wrong because enabling screen lock timers on finance PCs only addresses local physical access risks, while keeping the network flat (no VLANs or subnets) means all devices share the same broadcast domain, allowing potential attackers on general user PCs to perform ARP spoofing or sniff traffic destined for the printer or accounting application.
Based on the exhibit, which control option provides the greatest net annual financial benefit for the organization?
A. Option A, because it reduces loss enough to justify the control cost better than the smaller controls.
B. Option B, because its large reduction in annual loss outweighs the higher implementation cost.
C. Option C, because transferring the risk is always cheaper than engineering a technical fix.
D. Option D, because low upfront cost makes it the most economical option regardless of residual loss.
Answer: B
Option B reduces annual loss expectancy from $260,000 to $40,000, creating $220,000 in annual savings before cost. After subtracting the $120,000 control cost, it still delivers the highest net benefit among the choices. Quantitative risk decisions should compare expected loss reduction against implementation cost, and this option provides the strongest financial return.
Why this answer
Option B is correct because it provides the greatest net annual financial benefit. The annual loss reduction of $150,000 minus the annual implementation cost of $75,000 yields a net benefit of $75,000, which is higher than any other option. This demonstrates that a larger upfront investment can be justified when the reduction in annualized loss expectancy (ALE) significantly outweighs the control cost.
Exam trap
The trap here is that candidates often choose the option with the lowest implementation cost (Option D) or the highest loss reduction (Option A) without calculating the net benefit, failing to recognize that the greatest net financial benefit comes from the optimal balance between cost and loss reduction, not from minimizing cost or maximizing reduction alone.
How to eliminate wrong answers
Option A is wrong because although it reduces loss, its net benefit ($50,000 reduction - $25,000 cost = $25,000) is lower than Option B's net benefit of $75,000, so it does not provide the greatest net annual financial benefit. Option C is wrong because transferring risk (e.g., cyber insurance) is not always cheaper; in this scenario, the net benefit of Option C ($100,000 reduction - $60,000 cost = $40,000) is still less than Option B's net benefit, and risk transfer often involves premiums, deductibles, and residual risk that can make it less economical than a technical control. Option D is wrong because low upfront cost does not guarantee the greatest net benefit; its net benefit ($30,000 reduction - $10,000 cost = $20,000) is the lowest among all options, and ignoring residual loss can lead to underestimating long-term financial impact.
Users on the same VLAN report that their browser occasionally reaches a fake internal portal, and packet captures show one host sending forged ARP replies that claim to be the default gateway. Traffic from nearby systems begins flowing through that host. Which attack is occurring?
A. DNS poisoning
B. ARP spoofing
C. MAC flooding
D. SYN flood
Answer: B
ARP spoofing, also called ARP poisoning, uses false ARP messages to bind the attacker's MAC address to the gateway IP address and redirect local traffic.
Why this answer
B is correct because the scenario describes ARP spoofing (also known as ARP poisoning). The attacker sends forged ARP replies to associate their MAC address with the default gateway's IP address, causing traffic from other hosts on the same VLAN to be redirected through the attacker's machine. This allows the attacker to intercept, modify, or redirect traffic to a fake internal portal, which is a classic man-in-the-middle (MITM) attack leveraging the stateless nature of ARP.
Exam trap
The trap here is that candidates confuse ARP spoofing with DNS poisoning because both can redirect traffic to a fake portal, but the key differentiator is the protocol layer: ARP operates at Layer 2 (MAC address manipulation) while DNS operates at Layer 7 (name resolution).
How to eliminate wrong answers
Option A is wrong because DNS poisoning involves corrupting DNS resolver caches or zone data to redirect domain names to malicious IPs, but the packet captures show forged ARP replies, not DNS queries or responses. Option C is wrong because MAC flooding overwhelms a switch's CAM table with fake MAC addresses to force it into fail-open mode (hub-like behavior), but the attack here is targeted and uses spoofed ARP replies, not flooding. Option D is wrong because a SYN flood is a denial-of-service (DoS) attack that exhausts server resources by sending incomplete TCP handshake requests; it does not involve ARP manipulation or traffic redirection.
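A defender can spot the pattern described above (one MAC suddenly answering for the gateway IP, or one MAC claiming several IPs) by checking ARP replies against a known-good gateway binding. The block below is an added example, not code from the original page or from any tool it mentions; the ARP reply records, the gateway IP `10.0.1.1` and the trusted MAC are constructed values.

```python
"""Detect gateway impersonation in ARP replies (defender-side check).

Added example. Input is a simplified list of (timestamp, sender_ip, sender_mac)
tuples as a capture tool might export them; the values below are constructed."""
from collections import defaultdict

# Constructed sample: the real gateway answers, then a second host starts
# answering for the gateway IP and for a client IP as well.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.1.1", "00:11:22:aa:bb:01"),   # legitimate gateway reply
    (1.2, "10.0.1.1", "00:11:22:aa:bb:01"),
    (5.0, "10.0.1.37", "00:11:22:aa:bb:37"),  # ordinary client reply
    (7.4, "10.0.1.1", "de:ad:be:ef:00:37"),   # forged: gateway IP, different MAC
    (7.5, "10.0.1.1", "de:ad:be:ef:00:37"),
    (8.0, "10.0.1.52", "de:ad:be:ef:00:37"),  # same MAC now also claims a client IP
]

GATEWAY_IP = "10.0.1.1"
TRUSTED_GATEWAY_MAC = "00:11:22:aa:bb:01"  # assumed baseline from an inventory or DHCP snooping table


def find_arp_spoofing(replies, gateway_ip, trusted_mac):
    """Return alerts for two symptoms of ARP poisoning:
    - a reply that binds the gateway IP to a MAC other than the trusted one
    - one MAC address claiming more than one IP address."""
    alerts = []
    ips_claimed_by_mac = defaultdict(set)
    for ts, ip, mac in replies:
        mac = mac.lower()
        ips_claimed_by_mac[mac].add(ip)
        if ip == gateway_ip and mac != trusted_mac.lower():
            alerts.append({"ts": ts, "type": "gateway_impersonation", "mac": mac})
    for mac, ips in ips_claimed_by_mac.items():
        if len(ips) > 1:
            alerts.append({"ts": None, "type": "multi_ip_claim",
                           "mac": mac, "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in find_arp_spoofing(SAMPLE_ARP_REPLIES, GATEWAY_IP, TRUSTED_GATEWAY_MAC):
        print(alert)
```

The check is only as good as the trusted binding it compares against; on managed switches the same idea is enforced in hardware by Dynamic ARP Inspection backed by DHCP snooping, which drops replies whose IP-to-MAC binding does not match the snooping table.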
Facilities sees occasional water droplets forming above the cable trays in a data room during humid afternoons. The team wants the earliest possible warning before equipment is damaged. Which control should be added?
A. Motion detectors connected to the alarm panel.
B. Water leak sensors tied to environmental monitoring.
C. Badge readers on the room entrance only.
D. Fire suppression tests scheduled more frequently.
Answer: B
Leak or moisture sensors provide early detection of water intrusion so staff can respond before equipment is harmed.
Why this answer
Water leak sensors tied to environmental monitoring provide the earliest possible warning by detecting moisture directly on or near the cable trays. Unlike motion detectors or badge readers, these sensors are specifically designed to alert before water reaches sensitive equipment, enabling proactive remediation.
Exam trap
The trap here is that candidates may confuse physical security controls (motion detectors, badge readers) with environmental monitoring controls, overlooking that water damage requires specific moisture detection rather than access or motion sensing.
How to eliminate wrong answers
Option A is wrong because motion detectors detect movement, not water, and would not provide any warning about condensation or leaks. Option C is wrong because badge readers control physical access to the room but cannot detect environmental conditions like humidity or water. Option D is wrong because fire suppression tests are unrelated to water detection and do not address the condensation issue; they focus on fire safety, not moisture monitoring.
An enterprise is moving from on-prem identity to a SaaS HR platform. Employees should sign in with corporate credentials, and terminated users must lose access quickly without manually creating or deleting SaaS passwords. Which solution best fits?
A. Create a shared HR password for all employees and change it quarterly.
B. Use LDAP bind accounts directly against the SaaS platform for every login.
C. Implement federated SSO with the corporate identity provider and automated provisioning and deprovisioning.
D. Require each user to create a separate local SaaS account and store the credentials in a vault.
Answer: C
Federated SSO lets users authenticate through the corporate identity provider while lifecycle automation removes access quickly when HR changes occur.
Why this answer
Federated SSO with the corporate identity provider (IdP) allows employees to sign in using their existing corporate credentials via standards like SAML 2.0 or OIDC, eliminating the need for separate SaaS passwords. Automated provisioning and deprovisioning (e.g., via SCIM) ensures that when a user is terminated in the HR platform, their access to the SaaS application is revoked immediately without manual intervention, meeting the requirement for rapid access removal.
Exam trap
The trap here is that candidates often confuse LDAP bind (Option B) with federated SSO, thinking that LDAP can directly authenticate against SaaS platforms, but LDAP is a directory access protocol that requires a gateway or federation service to work with cloud apps, and it lacks automated provisioning capabilities.
How to eliminate wrong answers
Option A is wrong because a shared HR password violates the principle of non-repudiation and individual accountability, and changing it quarterly does not provide immediate revocation of access for terminated users. Option B is wrong because LDAP bind accounts are designed for on-premises directory authentication and are not natively supported by most modern SaaS platforms; they would require a complex LDAP-to-SAML bridge and do not support automated deprovisioning. Option D is wrong because requiring each user to create a separate local SaaS account and store credentials in a vault introduces manual password management, contradicts the goal of using corporate credentials, and does not enable automated deprovisioning upon termination.
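The deprovisioning half of the correct answer is what makes "terminated users lose access quickly" automatic: an identity provider reconciles the HR roster against the SaaS tenant and pushes SCIM 2.0 requests. The block below is an added example, not the page's or any vendor's code; the HR and SaaS record shapes and the sample people are constructed, while the schema URNs and the PATCH message shape follow RFC 7643/7644.

```python
"""Plan SCIM 2.0 provisioning and deprovisioning from an HR roster.

Added example. HR_ROSTER and SAAS_USERS are constructed samples; a real
connector would fetch them from the HR system and the SaaS /Users endpoint."""

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed HR roster (the source of truth for joiners and leavers).
HR_ROSTER = [
    {"employee_id": "E100", "email": "jdoe@example.com", "status": "active"},
    {"employee_id": "E101", "email": "asmith@example.com", "status": "terminated"},
    {"employee_id": "E102", "email": "newhire@example.com", "status": "active"},
]

# Constructed snapshot of the SaaS tenant's users; externalId links back to HR.
SAAS_USERS = [
    {"id": "u-1", "userName": "jdoe@example.com", "externalId": "E100", "active": True},
    {"id": "u-2", "userName": "asmith@example.com", "externalId": "E101", "active": True},
    {"id": "u-3", "userName": "orphan@example.com", "externalId": "E999", "active": True},
]


def plan_scim_sync(hr_roster, saas_users):
    """Return (method, path, body) tuples that bring the SaaS tenant in line with HR:
    create active people who are missing, deactivate anyone terminated in HR or
    unknown to HR. Nothing here creates or stores a SaaS password."""
    hr_by_id = {p["employee_id"]: p for p in hr_roster}
    saas_by_ext = {u["externalId"]: u for u in saas_users}
    ops = []

    # Joiners: active in HR but absent from the tenant.
    for p in hr_roster:
        if p["status"] == "active" and p["employee_id"] not in saas_by_ext:
            ops.append(("POST", "/Users", {
                "schemas": [SCIM_USER],
                "userName": p["email"],
                "externalId": p["employee_id"],
                "active": True,
            }))

    # Leavers: still active in the tenant but terminated in HR, or with no HR record at all.
    for u in saas_users:
        hr = hr_by_id.get(u["externalId"])
        if u["active"] and (hr is None or hr["status"] != "active"):
            ops.append(("PATCH", f"/Users/{u['id']}", {
                "schemas": [SCIM_PATCH],
                "Operations": [{"op": "replace", "path": "active", "value": False}],
            }))
    return ops


if __name__ == "__main__":
    for method, path, body in plan_scim_sync(HR_ROSTER, SAAS_USERS):
        print(method, path, body)
```

Deactivating rather than deleting keeps the user's audit history in the tenant and lets a mistaken termination be reversed. The SaaS platform authenticates these calls with a bearer token it issued to the identity provider (assumed here), and the sign-in itself goes through SAML or OIDC, which this block does not cover.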
A Linux operations team has a standing need to restart services and edit protected configuration files on production servers, but administrators should not keep root privileges all day. Every elevation must be approved through a ticket and logged centrally. Which solution best meets this requirement?
A. Create one shared root password and rotate it weekly
B. Use privileged access management with just-in-time elevation and session logging
C. Assign each administrator the server local administrator role permanently
D. Use single sign-on so administrators only authenticate once each morning
Answer: B
PAM with just-in-time elevation is the best match because it grants administrative rights only when needed and only after approval. Central session logging provides accountability, and the regular user account remains the default for normal work. This reduces standing privilege, limits misuse, and gives auditors a clear record of who elevated, when, and why.
Why this answer
Privileged Access Management (PAM) with just-in-time (JIT) elevation and session logging meets the requirement because it grants temporary, request-based root privileges that are automatically revoked after the task, and it centrally logs all commands executed during the elevated session. This ensures every elevation is approved via a ticket and auditable, without administrators retaining permanent root access.
Exam trap
The trap here is that candidates often confuse 'single sign-on' (SSO) with 'privilege elevation control,' assuming SSO's convenience implies security control, when in fact SSO only handles authentication, not authorization or session auditing.
How to eliminate wrong answers
Option A is wrong because a shared root password rotated weekly violates the principle of non-repudiation (no individual accountability) and does not enforce per-elevation approval or logging. Option C is wrong because permanently assigning the local administrator role (e.g., sudoers membership) gives continuous root-equivalent privileges, contradicting the requirement that administrators should not keep root privileges all day. Option D is wrong because single sign-on (SSO) only simplifies initial authentication; it does not control or log privilege elevation events, nor does it enforce ticket-based approval for each root action.
A SIEM correlates the following: 17 failed logons against the same VPN account from one IP in 9 minutes, a successful login from that IP, creation of a new API token in the SaaS tenant, and a large export job started two minutes later. Which two interpretations are best supported? Select two.
Select 2 answers
A. The attacker is likely performing a brute-force password attack against a single account.
B. The pattern is most consistent with password spraying across many accounts.
C. The account is likely compromised and being used for token abuse or persistence.
D. The events primarily indicate a volumetric denial-of-service attack.
E. Token creation proves the account password was never exposed.
Answers: A, C
Repeated failures focused on one account from one source fit brute-force guessing against a specific target.
Why this answer
A is correct because 17 failed logons against a single VPN account from one IP in 9 minutes is a classic brute-force pattern—repeated authentication attempts targeting one username. The subsequent successful login, API token creation, and data export indicate the attacker gained access and then established persistence (via the token) to exfiltrate data, confirming the account was compromised.
Exam trap
The trap here is confusing a single-account brute-force with password spraying—candidates often misidentify the pattern because they see multiple failed logons and assume many accounts are targeted, but the key is the same account and same IP over a short window.
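The correlation that separates this scenario from password spraying (many failures on one account from one source, followed by success and post-login abuse) can be written as a small rule. The block below is an added example, not code from the page or from any SIEM product; the event schema and the sample events (account `vpn-jdoe`, source `198.51.100.7`) are constructed, and it generalizes the page's case by also labelling the spraying pattern.

```python
"""Correlate a failed-logon burst with follow-on account abuse.

Added example. The event dicts are a constructed simplification of a SIEM
feed, not any vendor's schema."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, kind, src_ip, account):
    return {"ts": ts, "type": kind, "src_ip": src_ip, "account": account}


# Constructed sample: 17 failures against one VPN account from one IP inside
# 9 minutes, a success, a new API token, and an export two minutes later,
# plus an unrelated user who mistyped once and then signed in normally.
_T0 = datetime(2024, 5, 1, 8, 0, 0)
SAMPLE_EVENTS = (
    [_ev(_T0 + timedelta(seconds=30 * i), "auth_failure", "198.51.100.7", "vpn-jdoe")
     for i in range(17)]
    + [_ev(_T0 + timedelta(minutes=9), "auth_success", "198.51.100.7", "vpn-jdoe"),
       _ev(_T0 + timedelta(minutes=10), "api_token_created", "198.51.100.7", "vpn-jdoe"),
       _ev(_T0 + timedelta(minutes=12), "export_started", "198.51.100.7", "vpn-jdoe"),
       _ev(_T0 + timedelta(minutes=3), "auth_failure", "203.0.113.9", "vpn-asmith"),
       _ev(_T0 + timedelta(minutes=4), "auth_success", "203.0.113.9", "vpn-asmith")]
)


def classify_failure_burst(events, threshold=10, window=timedelta(minutes=10)):
    """Per source IP: 'brute_force' when one account collects >= threshold failures,
    'password_spray' when >= threshold distinct accounts each see only 1-2 failures,
    otherwise None. Only failures within `window` of the first one are counted."""
    by_ip = defaultdict(list)
    for e in events:
        if e["type"] == "auth_failure":
            by_ip[e["src_ip"]].append(e)
    verdicts = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = fails[0]["ts"]
        per_account = defaultdict(int)
        for e in fails:
            if e["ts"] - start <= window:
                per_account[e["account"]] += 1
        if max(per_account.values()) >= threshold:
            verdicts[ip] = "brute_force"
        elif len(per_account) >= threshold and max(per_account.values()) <= 2:
            verdicts[ip] = "password_spray"
        else:
            verdicts[ip] = None
    return verdicts


def correlate_account_takeover(events, follow_window=timedelta(minutes=30)):
    """For each brute-forced (ip, account) pair, look for a success and then token
    creation and a bulk export on that account within `follow_window` of the last
    failure. Severity is 'high' only when the whole chain is present."""
    verdicts = classify_failure_burst(events)
    ordered = sorted(events, key=lambda e: e["ts"])
    findings = []
    for ip, verdict in verdicts.items():
        if verdict != "brute_force":
            continue
        fails = [e for e in ordered if e["type"] == "auth_failure" and e["src_ip"] == ip]
        account = max({e["account"] for e in fails},
                      key=lambda a: sum(e["account"] == a for e in fails))
        last_fail = fails[-1]["ts"]
        seen = [e["type"] for e in ordered
                if e["account"] == account and last_fail < e["ts"] <= last_fail + follow_window]
        if "auth_success" not in seen:
            continue
        stages = ["auth_success", "api_token_created", "export_started"]
        matched = [s for s in stages if s in seen]
        findings.append({"src_ip": ip, "account": account, "stages": matched,
                         "severity": "high" if matched == stages else "medium"})
    return findings


if __name__ == "__main__":
    print(classify_failure_burst(SAMPLE_EVENTS))
    print(correlate_account_takeover(SAMPLE_EVENTS))
```

Two design points worth keeping when turning this into a production rule: the token creation and export are matched on the account rather than the IP, because an attacker often moves to a different source once persistence is established, and a success alone yields only a medium finding, since a legitimate user who finally remembers a password produces the same first two stages.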
A developer requests a 45-day exception to use an unsupported browser plug-in on two engineering workstations so a legacy design tool can finish a customer deliverable. Which three conditions should be required before approving the exception? Select three.
Select 3 answers
A. Document a business justification that explains why the plug-in is required for the deliverable.
B. Convert the exception into a permanent waiver to avoid repeated review overhead.
C. Set a defined end date and require review before the exception expires.
D. Apply compensating controls, such as host isolation, restricted user access, or limiting use to named workstations.
E. Allow the requestor to self-approve the exception if the project deadline is urgent.
Answers: A, C, D
A justified exception must tie the request to a real business need, not convenience or preference.
Why this answer
Option A is correct because documenting a business justification provides a formal record of why the exception is necessary, ensuring that the risk of using an unsupported browser plug-in is understood and accepted by management. This aligns with the principle of risk acceptance, where the business need outweighs the security risk for a limited time. Without a clear justification, the exception could be granted without proper oversight, potentially leading to unchecked vulnerabilities.
Exam trap
The trap here is that candidates may mistakenly think converting an exception to a permanent waiver reduces administrative overhead, but CompTIA emphasizes that exceptions must remain temporary and reviewed, as permanent waivers bypass the risk management process and can lead to unmanaged security gaps.
The help desk needs a document that tells analysts exactly how to verify a caller, reset a password, and record the ticket when a user is locked out. What type of document is this?
A. Procedure
B. Policy
C. Standard
D. Guideline
Answer: A
A procedure is the right document when staff need exact step-by-step instructions. In this situation, the help desk needs a repeatable process for identity verification, password reset actions, and documentation requirements. Procedures reduce mistakes because they tell employees what to do in sequence rather than leaving the process open to interpretation.
Why this answer
A procedure is the correct type of document because it provides step-by-step instructions for performing a specific task, such as verifying a caller's identity, resetting a password, and recording a ticket. Unlike a policy, which states high-level rules, a procedure details the exact actions to take in a given scenario, making it ideal for help desk operations.
Exam trap
The trap here is that candidates often confuse 'procedure' with 'policy' because both are security documents, but a policy sets the 'what' and 'why' (e.g., 'passwords must be reset securely'), while a procedure defines the 'how' (e.g., 'call the user back at their verified phone number before resetting').
How to eliminate wrong answers
Option B is wrong because a policy defines high-level rules and objectives (e.g., 'passwords must be reset securely') but does not provide the step-by-step instructions needed for the help desk to execute the task. Option C is wrong because a standard specifies mandatory technical requirements or baselines (e.g., 'passwords must be at least 12 characters') but does not describe the process of verification, reset, and ticket recording. Option D is wrong because a guideline offers general advice or best practices (e.g., 'consider using multi-factor authentication') but lacks the precise, mandatory steps required for consistent execution in a help desk workflow.
Several company laptops were found to boot from a removable drive containing an untrusted pre-boot utility before the operating system loaded. The security team wants to prevent unsigned or tampered boot code from starting. Which control is the best fit?
A. Enable Secure Boot in firmware and block external boot devices where possible.
B. Turn on screen lock after ten minutes of inactivity.
C. Increase the password complexity policy for user accounts.
D. Disable Windows Defender notifications on the endpoints.
Answer: A
Secure Boot checks boot components against trusted signatures before they are allowed to run, which directly addresses tampered or untrusted pre-boot code. Disabling external boot adds another layer by reducing the chance of unauthorized removable media being used to bypass protections.
Why this answer
Secure Boot is a UEFI firmware feature that verifies the digital signature of boot code against a trusted database before execution. By enabling Secure Boot and blocking external boot devices, the security team ensures that only signed, trusted bootloaders and drivers can run, preventing untrusted pre-boot utilities from loading. This directly addresses the scenario where laptops boot from a removable drive containing unsigned or tampered boot code.
Exam trap
The trap here is that candidates may confuse endpoint security controls (like screen lock or password policies) with boot-time integrity mechanisms, failing to recognize that Secure Boot is the only option that validates code before the OS loads.
How to eliminate wrong answers
Option B is wrong because screen lock after inactivity addresses unauthorized physical access to an already-booted OS, not the pre-boot execution of untrusted code. Option C is wrong because password complexity policies protect user account credentials but have no effect on boot-time code integrity or device boot order. Option D is wrong because disabling Windows Defender notifications only suppresses security alerts; it does not prevent unsigned boot code from executing.
A project team must share a spreadsheet containing customer names, account numbers, and purchase history with an external auditor. The auditor only needs account numbers and totals. What is the best privacy control?
A. Send the full spreadsheet through regular email to avoid delaying the audit
B. Redact unneeded personal data and transfer only the minimum necessary information through an approved encrypted channel
C. Upload the spreadsheet to a public file-sharing site and protect it with a password
D. Compress the file with a password and reuse the same password for all auditors
Answer: B
This is the best privacy control because it applies data minimization and secure transmission together. The auditor receives only what is needed to complete the review, which reduces exposure of personal information and limits the blast radius if the file is mishandled. Using an approved encrypted channel also helps protect the data in transit and supports governance requirements.
Why this answer
Option B is correct because it applies the principle of data minimization and secure transmission. Redacting unneeded personal data (customer names) ensures only the minimum necessary information (account numbers and totals) is shared, reducing exposure. Transferring via an approved encrypted channel (e.g., SFTP, HTTPS, or encrypted email) protects data in transit from interception, which is required for compliance with regulations like GDPR or PCI DSS.
Exam trap
The trap here is that candidates may think password-protecting a file or using a public sharing site is sufficient, but the exam tests the understanding that data minimization and approved encrypted channels are required for privacy compliance, not just any form of access control.
How to eliminate wrong answers
Option A is wrong because sending the full spreadsheet through regular email exposes all customer personal data in transit and at rest, violating data minimization and encryption requirements (email is often unencrypted or uses opportunistic TLS). Option C is wrong because uploading to a public file-sharing site, even with a password, relies on the security of the third-party service and the password alone, which does not guarantee encryption at rest or proper access controls, and the file may be cached or indexed. Option D is wrong because compressing with a password and reusing the same password for all auditors violates the principle of unique credentials per user, lacks audit trails, and does not ensure encryption of the file in transit or at rest (ZIP encryption is weak and can be cracked).
A company wants guest Wi-Fi to reach only the internet, employee laptops to reach internal apps, and payment servers to remain isolated from both. What is the best design approach?
A. Place all systems on one flat network and rely on antivirus.
B. Use separate network segments with firewall rules between guest, employee, and payment zones.
C. Put all systems behind a single VPN so every device is treated the same.
D. Use a larger internet circuit so the payment servers are harder to attack.
Answer: B
This is the best choice because segmentation limits what each group can reach and reduces the impact of a compromise. Guest users are confined to internet access, employee systems can be limited to approved internal services, and payment servers can be placed in a tightly controlled zone with only required ports open. That design supports least privilege at the network layer and makes monitoring and containment easier.
Why this answer
Option B is correct because network segmentation using separate VLANs or subnets with firewall rules enforces isolation between guest Wi-Fi, employee laptops, and payment servers. This design ensures that guest traffic can only reach the internet, employee traffic can access internal apps, and payment servers are completely isolated from both, meeting the principle of least privilege and reducing the attack surface.
Exam trap
The trap here is that candidates may think a VPN provides isolation, but a VPN only encrypts traffic and does not inherently segment networks; without separate firewall rules, all VPN clients share the same network access.
How to eliminate wrong answers
Option A is wrong because placing all systems on one flat network with antivirus only provides endpoint protection and does not prevent lateral movement; an attacker on the guest Wi-Fi could directly access payment servers or internal apps. Option C is wrong because putting all systems behind a single VPN treats every device identically, removing the ability to enforce different access policies; it would allow guest devices to reach internal apps and payment servers, violating isolation requirements.
A payment processor stores full card numbers in its transaction database, but developers and analysts should never see the real numbers in nonproduction reports or troubleshooting tools. The business still needs to correlate the same card across multiple records. Which technique is the best fit?
A. Tokenization, because it replaces the real value with a surrogate token for business use.
B. Hashing, because the output can always be reversed by the application later.
C. Data masking, because it permanently deletes the sensitive record from the database.
D. Compression, because reducing file size also hides the payment information from users.
Answer: A
Tokenization preserves referential value for transactions while keeping the original card number out of ordinary views and reports.
Why this answer
Tokenization is the best fit because it replaces the full card number with a unique surrogate token that retains the ability to correlate records (the same card always produces the same token). This allows the business to perform analytics and troubleshooting without exposing the actual sensitive data, because the token has no mathematical relationship to the original PAN and cannot be reversed outside the tokenization system that holds the mapping.
Exam trap
The trap here is that candidates confuse tokenization with hashing, assuming both are equally irreversible, but a hash of a small input space such as a card number can be brute-forced back to the original, and hashing does not provide a controlled surrogate for business correlation without exposing the original data.
How to eliminate wrong answers
Option B is wrong because hashing, while one-way, is deterministic and can be reversed via brute-force or rainbow tables if the input space is small (e.g., credit card numbers); it also does not provide a controlled surrogate for business use and may expose the original value if the hash is cracked. Option C is wrong because data masking dynamically obscures data (e.g., showing only last four digits) but does not permanently delete records; it still allows the real value to exist in the database and can be bypassed in nonproduction tools. Option D is wrong because compression reduces file size for storage or transmission but does not hide or protect sensitive data; the original card numbers remain fully visible after decompression.
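The property the page relies on, the same card always mapping to the same token while the token reveals nothing about the card, comes from a lookup table in a protected vault, not from a function of the card number. The block below is an added example of that design, not the page's or any product's code; the in-memory vault, the role names and the sample card numbers are constructed assumptions.

```python
"""Minimal tokenization vault for card numbers (PANs).

Added example. The vault is an in-memory dict; a real one sits in a separate,
access-controlled system so reports and nonproduction tools never hold the map."""
import re
import secrets


class TokenVault:
    """Maps each PAN to a random surrogate token. Repeated calls with the same PAN
    return the same token (records stay correlatable); the token is random digits,
    so nothing about the PAN can be derived from it without this mapping."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan):
        pan = re.sub(r"\D", "", pan)          # normalise "4111 1111 ..." and "4111-1111-..."
        if not 13 <= len(pan) <= 19:
            raise ValueError("not a PAN-shaped value")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        # Format-preserving surrogate: random digits with the last four kept so
        # operators can still recognise a card (a common convention, assumed here).
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token, caller_role):
        """Only the payment service may recover a real PAN; analysts and
        developers work with tokens alone."""
        if caller_role != "payment-service":
            raise PermissionError("detokenization is restricted to the payment service")
        return self._token_to_pan[token]


def tokenized_report(transactions, vault):
    """Build a nonproduction report: count transactions per card using tokens only.
    The report can answer 'how many times did this card transact' without
    containing a single real card number."""
    counts = {}
    for tx in transactions:
        token = vault.tokenize(tx["pan"])
        counts[token] = counts.get(token, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample transactions (test card numbers, not real accounts).
    sample = [{"pan": "4111 1111 1111 1111"}, {"pan": "5555555555554444"},
              {"pan": "4111111111111111"}]
    v = TokenVault()
    print(tokenized_report(sample, v))
```

The contrast with hashing is in `tokenize`: a hash would be computed from the PAN, so anyone holding the hashed report could try all plausible card numbers against it, whereas the vault's tokens carry no such relationship and the mapping stays behind the `detokenize` access check.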
An organization is placing its public-facing website behind a new security design. The site must be reachable from the internet, but the database and file servers must stay isolated from direct external access. What design should the architect use?
A. Place the web server on the internal user subnet so it can reach the database directly.
B. Create a demilitarized zone (DMZ) for the public web server.
C. Use a VPN concentrator so the website can be accessed securely from outside.
D. Use network address translation (NAT) on the web server to hide its IP address.
Answer: B
A DMZ places internet-facing services in a separate network segment, reducing exposure of trusted internal systems.
Why this answer
A demilitarized zone (DMZ) is a network segment that isolates public-facing services, such as a web server, from the internal network. By placing the web server in the DMZ, the organization allows internet traffic to reach the website while keeping the database and file servers on the internal network, which are not directly accessible from the internet. This design enforces a security boundary where only necessary traffic (e.g., HTTP/HTTPS) is permitted through firewall rules, preventing direct external access to sensitive backend systems.
Exam trap
The trap here is that candidates often confuse NAT or VPN as security controls for isolation, when in fact they do not provide network segmentation; the DMZ is the only design that creates a physical or logical boundary to isolate public-facing servers from internal resources.
How to eliminate wrong answers
Option A is wrong because placing the web server on the internal user subnet would expose the internal network to direct internet traffic, violating the isolation requirement for the database and file servers. Option C is wrong because a VPN concentrator is designed for secure remote access by authenticated users, not for hosting a public website that must be reachable by anonymous internet clients. Option D is wrong because network address translation (NAT) on the web server only hides its IP address but does not isolate the database and file servers from direct external access; NAT alone provides no security boundary or segmentation.
A development team needs to release an urgent fix for a customer portal on Friday evening. The business wants the change to be reversible if something breaks, and security does not want the team to skip release controls. Which requirement should be part of the change process?
A. Deploy directly to production as soon as the patch compiles successfully.
B. Require a documented test in a lower environment and a rollback plan before production approval.
C. Turn off logging during deployment to avoid filling the disk with change records.
D. Allow the release only if the developer verbally confirms the code is safe.
Answer: B
Testing in a lower environment and documenting a rollback plan are core secure change-management practices. They reduce the chance of introducing an outage and make recovery faster if the fix has unexpected side effects. This approach supports controlled release, accountability, and operational resilience while still allowing urgent changes to move forward in a safe way.
Why this answer
Option B is correct because it enforces a documented test in a lower environment and a rollback plan, which satisfies both the business requirement for reversibility and the security requirement to maintain release controls. This aligns with the change management process in the SY0-701 domain of Security Program Management and Oversight, ensuring that changes are validated before production deployment and can be undone if issues arise.
Exam trap
The trap here is that candidates may think an urgent fix justifies skipping controls (Option A) or that disabling logging is acceptable to avoid disk issues (Option C), but the exam emphasizes that security controls and reversibility must be maintained even for emergency changes.
How to eliminate wrong answers
Option A is wrong because deploying directly to production as soon as the patch compiles skips all release controls, such as testing and approval, which violates security policy and increases risk of unplanned downtime. Option C is wrong because turning off logging during deployment would disable audit trails and monitoring, making it impossible to detect or investigate security incidents or deployment failures, which contradicts security best practices and compliance requirements.
An accounts payable specialist receives a reply inside an existing vendor email thread. The message uses the real invoice number, matches the vendor's usual tone, and asks the specialist to change payment instructions to a new bank account before the end of the day. The vendor later confirms its mailbox was compromised. What type of attack is most likely?
A. Spear phishing, because the attacker targeted one employee with a convincing message.
B. Business email compromise through conversation hijacking, because the attacker used a compromised mailbox to alter a trusted thread.
C. Baiting, because the attacker tried to tempt the user with urgency and financial pressure.
D. Vishing, because the attacker is trying to persuade the user to change banking details.
Answer: B
This is best described as business email compromise via conversation hijacking. The attacker did not just spoof a sender; they gained access to a real vendor mailbox and inserted fraudulent payment instructions into an existing thread. That makes the message much more believable, often bypassing simple awareness checks. The key clues are the real invoice number, familiar tone, and later confirmation of mailbox compromise.
Why this answer
This is a business email compromise (BEC) attack specifically using conversation hijacking. The attacker gained access to the vendor's legitimate email account and inserted a fraudulent reply into an existing, trusted email thread, leveraging the compromised mailbox to bypass the specialist's suspicion. This differs from standard spear phishing because the attacker did not craft a new email from a spoofed address but instead hijacked an ongoing, authenticated conversation.
Exam trap
CompTIA often tests the distinction between spear phishing (a crafted email from a fake sender) and BEC conversation hijacking (using a compromised legitimate account to reply within an existing thread), where candidates mistakenly choose spear phishing because they focus on the targeted nature of the attack rather than the method of compromise.
How to eliminate wrong answers
Option A is wrong because spear phishing involves sending a crafted email from a spoofed or lookalike domain to a specific target, not hijacking an existing thread from a compromised legitimate mailbox. Option C is wrong because baiting relies on offering something enticing (e.g., a free USB drive) to trick the user, not on urgency or financial pressure within a compromised email thread. Option D is wrong because vishing (voice phishing) uses phone calls or voice messages to deceive the target, not email-based manipulation of a trusted conversation.
A scan reports a critical remote code execution vulnerability on an internet-facing VPN appliance with public proof-of-concept exploit code available. It also reports a critical local privilege escalation on an isolated lab workstation. Patch windows are limited this week. Which should be remediated first?
A. The internet-facing VPN appliance because it has higher exposure and exploitability.
B. The isolated lab workstation because all critical findings must be patched in numerical order.
C. The internal printer because peripheral devices are often overlooked and therefore most dangerous.
D. The lab workstation because local privilege escalation is always more dangerous than remote code execution.
Answer: A
An externally reachable device with a known exploit and remote code execution risk presents a much larger immediate threat than an isolated lab workstation. Prioritization should consider exposure, exploit maturity, and business impact, not severity score alone. Because the VPN appliance is publicly reachable, compromise could lead directly to remote access into the environment and broader organizational impact.
Why this answer
The internet-facing VPN appliance presents a higher risk because it is exposed to the public internet and has a known remote code execution vulnerability with public exploit code. This combination of high exposure (attack surface) and high exploitability (availability of proof-of-concept code) significantly increases the likelihood of a successful attack, making it the priority for remediation despite limited patch windows.
Exam trap
The trap here is that candidates may assume all critical vulnerabilities are equal and must be patched in order of severity score, ignoring the critical factor of asset exposure and the presence of public exploit code, which dramatically increases the real-world risk.
How to eliminate wrong answers
Option B is wrong because patching in numerical order is not a valid security prioritization method; risk-based prioritization (e.g., CVSS score combined with environmental factors like exposure) is the correct approach. Option C is wrong because the internal printer is not mentioned in the scan report, and introducing an unlisted asset distracts from the actual findings; peripheral devices are not inherently more dangerous than a critical RCE on an internet-facing system. Option D is wrong because local privilege escalation is not always more dangerous than remote code execution; RCE on an internet-facing device allows an attacker to gain initial access from anywhere, while local privilege escalation requires existing access to the isolated lab workstation, which is already low risk due to network isolation.
Based on the exhibit, what is the best next step before the marketing SaaS platform goes live?
A. Proceed only after the business owner formally accepts the remaining risk in writing.
B. Ignore the residual risk because the vendor has a current SOC report.
C. Require the security team to approve the launch verbally so the project does not slow down.
D. Cancel the contract immediately because any medium risk rating is unacceptable.
Answer: A
The exhibit already shows compensating controls and a measured residual risk rating. When the remaining risk is understood and the business impact of delay is significant, the proper next step is a formal acceptance by the appropriate risk owner. That creates accountability and preserves an auditable record of the decision.
Why this answer
The exhibit shows a residual risk rating of 'Medium' after the vendor's SOC report was reviewed. In the SY0-701 risk management framework, the business owner is the risk owner who must formally accept any residual risk before a system goes live, as they are accountable for the business impact. Proceeding without documented acceptance violates the principle of risk acceptance and could lead to unapproved exposure.
Exam trap
The trap here is that candidates assume a vendor SOC report fully transfers risk to the vendor, but CompTIA emphasizes that residual risk always remains and must be formally accepted by the business owner, not just the security team.
How to eliminate wrong answers
Option B is wrong because a current SOC report only provides a point-in-time assurance of the vendor's controls; it does not eliminate residual risk, which must still be formally accepted by the business owner. Option C is wrong because verbal approval bypasses the required documented risk acceptance process and audit trail, violating governance and compliance requirements. Option D is wrong because a 'Medium' risk rating is not automatically unacceptable; risk acceptance decisions are based on the organization's risk appetite, and cancellation is an extreme response without considering mitigation or acceptance.
A ransomware incident encrypted a file share and the attached NAS backups because the NAS stayed mounted to production and was reachable over SMB. Which two design changes would have reduced the blast radius most effectively? Select two.
Select 2 answers
A. Keep at least one backup copy offline or immutable.
B. Use a separate backup account and a restricted backup network segment.
C. Mount the backup share permanently so restores are always faster.
D. Join the NAS to the same administrative group used by production servers.
E. Disable restore testing to avoid risking the backup environment.
Answers: A, B
Correct because an offline or immutable backup cannot be encrypted or deleted as easily by ransomware. It preserves a clean recovery point even if the production environment is fully compromised.
Why this answer
Option A is correct because keeping at least one backup copy offline or immutable ensures that even if the primary storage and network-attached backups are compromised, the offline or immutable copy remains intact and recoverable. In this scenario, the NAS was mounted and reachable over SMB, allowing ransomware to encrypt both the production share and the backup target. An immutable backup (e.g., using WORM storage or object lock) cannot be modified or deleted by the ransomware, breaking the encryption chain and preserving a clean recovery point.
Exam trap
Cisco often tests the misconception that mounting backups permanently improves recovery speed without considering the security trade-off, leading candidates to choose Option C instead of recognizing that offline or immutable backups are the primary defense against ransomware propagation.
Based on the exhibit, which key management improvement best preserves recoverability if the primary backup server is lost?
A. Store the private key on the same backup server so recovery is faster.
B. Replace AES with hashing so the archive no longer needs a key.
C. Keep the private key in an HSM or secure escrow with tested recovery procedures.
D. Send the private key to backup operators by email so they can restore data quickly.
Answer: C
The private key must be protected separately from the primary backup server so the encrypted AES key can still be recovered if the server is lost. An HSM or secure escrow improves key protection while preserving recoverability, especially when paired with tested restoration procedures and restricted access controls.
Why this answer
Option C is correct because storing the private key in a Hardware Security Module (HSM) or secure escrow ensures it remains available even if the primary backup server is lost. HSMs provide tamper-resistant key storage and support tested recovery procedures, which is critical for decrypting backups and maintaining recoverability. This approach separates the key from the backup data, preventing a single point of failure.
Exam trap
The trap here is that candidates may assume storing the key with the backup data (Option A) is efficient, but they overlook that it destroys recoverability when the server is lost, which is the exact failure scenario the question describes.
How to eliminate wrong answers
Option A is wrong because storing the private key on the same backup server creates a single point of failure; if the server is lost, both the backup data and the key are gone, making recovery impossible. Option B is wrong because hashing is a one-way function that cannot be reversed to recover original data, so replacing AES with hashing would make the archive permanently unreadable and unrecoverable. Option D is wrong because sending the private key by email exposes it to interception, violates security best practices (e.g., NIST SP 800-57), and does not guarantee tested, reliable recovery procedures.
An EDR alert shows winword.exe launching powershell.exe with an encoded command after a user opened an invoice attachment. No new executable file was written to disk, and the host is still online. Which two actions should the SOC analyst take first to validate the alert and collect usable evidence? Select two.
Select 2 answers
A. Review the parent-child process chain and the full PowerShell command line in EDR.
B. Compare the endpoint's outbound connections with its normal baseline and approved destinations.
C. Reimage the workstation immediately to eliminate any possible persistence.
D. Ask the user to delete the suspicious email and clear the recycle bin.
E. Check PowerShell script block logs, AMSI detections, and related event records on the endpoint.
Answers: A, E
This shows whether the alert is truly a suspicious macro-to-PowerShell execution chain and reveals the exact command arguments used.
Why this answer
Option A is correct because reviewing the parent-child process chain (winword.exe → powershell.exe) and the full PowerShell command line in the EDR allows the analyst to immediately validate whether the alert is a true positive by confirming the process lineage and decoding the encoded command. This step is critical for understanding the attacker's intent without relying on disk artifacts, as the attack is fileless and memory-resident.
Exam trap
The trap here is that candidates may think reimaging or deleting the email is a valid containment step, but the question specifically asks for actions to validate the alert and collect usable evidence, not to contain or remediate.
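The validation step in Option A, walking the process lineage and decoding the encoded command line, can be scripted over EDR process-creation events. The block below is an added example written for this page, not code from the question bank or any EDR product; the event shape (pid, ppid, image, cmdline) and the sample events are constructed, and the encoded command is a harmless Write-Host call produced inline the way PowerShell's -EncodedCommand switch expects it (base64 over UTF-16LE text).

```python
import base64
import re
from typing import Optional

# Constructed sample: a harmless command encoded the way PowerShell's
# -EncodedCommand switch expects it (base64 over UTF-16LE text).
SAMPLE_SCRIPT = 'Write-Host "demo"'
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed process-creation events in a generic EDR-like shape
# (hypothetical field names; real products use their own schema).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "C:\\Users\\u\\Downloads\\invoice.docm"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -EncodedCommand {SAMPLE_ENCODED}"},
    {"pid": 400, "ppid": 100, "image": "OUTLOOK.EXE", "cmdline": "OUTLOOK.EXE"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# PowerShell accepts unambiguous prefixes of -EncodedCommand; match the common ones.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def process_chain(events, pid):
    """Return image names from the given process up to the root of its lineage."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        event = by_pid[pid]
        chain.append(event["image"].lower())
        pid = event["ppid"]
    return chain


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script text behind -EncodedCommand, or None if absent or invalid."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_powershell(events):
    """Flag powershell.exe launched by an Office app or carrying an encoded command."""
    findings = []
    for event in events:
        if event["image"].lower() != "powershell.exe":
            continue
        chain = process_chain(events, event["pid"])
        office_parent = len(chain) > 1 and chain[1] in OFFICE_APPS
        decoded = decode_encoded_command(event["cmdline"])
        if office_parent or decoded is not None:
            findings.append({
                "pid": event["pid"],
                "chain": " -> ".join(chain),
                "office_parent": office_parent,
                "decoded_command": decoded,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_powershell(EVENTS):
        print(finding)
```

Both signals are kept separately in the finding: an Office parent with no encoded command and an encoded command with a benign parent are each worth a look, and the decoded text is what the analyst compares against script block logs (Option E) rather than the raw base64.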
An HR analyst must send a salary file to an external auditor. The auditor only needs names, departments, and salary totals, not Social Security numbers or bank account details. Which two actions should the analyst take first? Select two.
Select 2 answers
A. Remove unnecessary sensitive fields before sharing
B. Use an approved encrypted transfer method
C. Upload the file to a public link and send the URL by email
D. Rename the file to a less obvious name and send it normally
E. Save the file locally on a USB drive and hand-deliver it
Answers: A, B
Data minimization reduces exposure by ensuring the auditor receives only the information needed for the stated business purpose.
Why this answer
Option A is correct because removing unnecessary sensitive fields (like Social Security numbers and bank account details) before sharing the file reduces the risk of exposing personally identifiable information (PII) and aligns with the principle of data minimization. This step ensures that only the required data (names, departments, salary totals) is transmitted, which is a foundational security control before any data transfer occurs.
Exam trap
The trap here is that candidates may think renaming a file (Option D) or using a USB drive (Option E) provides sufficient security, when in fact these methods lack encryption and proper access controls, which are essential for protecting sensitive data in transit.
Match each procurement or oversight need to the best vendor due diligence artifact or clause. Use each item once.
Concepts:
SOC 2 Type II report
Data processing agreement (DPA)
Software bill of materials (SBOM)
Right-to-audit clause
Disaster recovery test report
Why these pairings
These artifacts support vendor due diligence: questionnaires assess controls, SOC 2 reports provide independent assurance, audit clauses enable customer verification, DPAs govern data handling, BCPs ensure resilience, and pen tests validate security.
A legacy production scanner cannot support MFA, but it must remain available for six months until replacement hardware arrives. What is the best security response?
A. Permanently waive MFA for the scanner and leave the exception open-ended.
B. Approve a time-bound exception with compensating controls and a review date.
C. Shut down the scanner immediately until MFA can be enabled.
D. Create a shared administrator account so operators can sign in more easily.
Answer: B
A time-bound exception allows the business to keep operating while security reduces risk through other controls such as network restriction, monitoring, or limited access. Adding a review date keeps the exception temporary and accountable, which is the best governance practice.
Why this answer
Option B is correct because it balances security with operational necessity by implementing a time-bound exception with compensating controls (e.g., network segmentation, strict access logging, or IP whitelisting) and a mandatory review date. This ensures the legacy scanner remains available for six months while mitigating the risk of unauthorized access, aligning with the principle of least privilege and security program oversight.
Exam trap
The trap here is that candidates may choose Option C (immediate shutdown) thinking it is the only secure choice, but the question explicitly states the scanner must remain available, making a risk-accepted, time-bound exception with compensating controls the correct security program management response.
How to eliminate wrong answers
Option A is wrong because permanently waiving MFA for the scanner leaves an open-ended exception with no expiration or review, violating security policy and increasing long-term risk. Option C is wrong because immediately shutting down the scanner disrupts production operations unnecessarily, as a time-bound exception with compensating controls can safely bridge the six-month gap. Option D is wrong because creating a shared administrator account bypasses accountability and audit trails, directly contradicting MFA's purpose of ensuring non-repudiation and secure authentication.
At 10:15, a file server begins renaming documents and creating payment notes. The SOC confirms the server is also making SMB connections to other internal hosts, but users can still access shared folders. What should the incident handler do FIRST?
A. Disconnect the server from the network or isolate it through EDR containment while preserving power
B. Shut down the server immediately to stop all malicious activity
C. Restore the server from backup before taking any other action
D. Wait for users to report more symptoms before responding
Answer: A
Immediate containment stops lateral movement and further encryption while preserving the system for investigation and evidence collection.
Why this answer
The correct first step is to contain the incident by disconnecting the server from the network or using EDR containment while preserving power. This stops the spread of malicious SMB connections and prevents further damage, while keeping the system powered on to preserve volatile evidence (e.g., memory, running processes) for forensic analysis. Immediate containment aligns with the NIST incident response framework's containment phase, prioritizing isolation over eradication or recovery.
Exam trap
The trap here is that candidates may choose to shut down the server (Option B) thinking it stops the attack, but CompTIA emphasizes preserving power and evidence for forensic analysis, making isolation the correct first step.
How to eliminate wrong answers
Option B is wrong because shutting down the server destroys volatile evidence (e.g., memory contents, active network connections) and may allow malware to persist or trigger destructive payloads on reboot. Option C is wrong because restoring from backup before containment could re-infect the network if the backup is compromised, and it skips the critical step of preserving evidence. Option D is wrong because waiting for more symptoms allows the attacker to move laterally via SMB, encrypt more files, or exfiltrate data, violating the principle of rapid containment.
An organization is implementing a Security Information and Event Management (SIEM) system to enhance its security monitoring capabilities. Which four of the following are primary functions of a SIEM? (Choose four.)
Select 4 answers
- Correlation of log data from multiple sources
- Real-time alerting on security events
- Centralized log storage and retention
- Automated threat intelligence feed integration
- Vulnerability scanning and patch management
- In-line network traffic blocking
Why this answer
A SIEM's primary functions include correlation of log data from multiple sources to identify patterns and anomalies, real-time alerting on security events to enable immediate response, centralized log storage and retention for compliance and forensic analysis, and automated threat intelligence feed integration to enrich event data with known indicators of compromise (IOCs). These capabilities collectively provide comprehensive security monitoring and incident detection.
Exam trap
Cisco often tests the misconception that a SIEM can actively block traffic or perform vulnerability scanning, but in reality, a SIEM is a passive monitoring and analysis tool that does not execute remediation actions or network-level blocking.
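The first two functions in the list, correlation across sources and alerting, are easier to picture with a concrete rule. The block below is an added example for this page, not code from any SIEM product: it normalizes constructed log lines from two hypothetical sources (an authentication server and a firewall, with addresses from documentation ranges), raises an alert when several failed logins from one address are followed by a success inside a short window, and escalates that alert if the firewall then allows the same address into the internal network. Field names and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines from two sources (an auth server and a firewall);
# the addresses are documentation ranges, not real hosts.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01Z auth host=vpn1 user=alice src=203.0.113.5 result=FAIL",
    "2024-01-01T10:00:05Z auth host=vpn1 user=alice src=203.0.113.5 result=FAIL",
    "2024-01-01T10:00:09Z auth host=vpn1 user=alice src=203.0.113.5 result=FAIL",
    "2024-01-01T10:00:20Z auth host=vpn1 user=alice src=203.0.113.5 result=OK",
    "2024-01-01T10:00:25Z fw action=allow src=203.0.113.5 dst=10.0.0.7 dport=445",
    "2024-01-01T10:03:00Z auth host=vpn1 user=bob src=198.51.100.9 result=FAIL",
    "2024-01-01T10:04:00Z auth host=vpn1 user=bob src=198.51.100.9 result=OK",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Normalize '<timestamp> <source> k=v k=v ...' into one event dict."""
    ts, source, rest = line.split(" ", 2)
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    event.update(KV_RE.findall(rest))
    return event


def correlate(lines, fail_threshold=3, window=timedelta(seconds=60),
              follow_up=timedelta(minutes=5)):
    """Two-stage correlation: repeated FAIL then OK from one source address
    (medium), escalated to high if the firewall then allows that address in."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    recent_fails = defaultdict(list)   # src -> timestamps of failures inside the window
    open_alerts = {}                   # src -> alert that may still be escalated
    alerts = []
    for event in events:
        src = event.get("src")
        if event["source"] == "auth":
            if event["result"] == "FAIL":
                recent_fails[src].append(event["ts"])
                recent_fails[src] = [t for t in recent_fails[src] if event["ts"] - t <= window]
            elif event["result"] == "OK":
                in_window = [t for t in recent_fails[src] if event["ts"] - t <= window]
                if len(in_window) >= fail_threshold:
                    alert = {"rule": "brute-force-then-success", "src": src,
                             "user": event.get("user"), "severity": "medium",
                             "ts": event["ts"], "lateral": None}
                    alerts.append(alert)
                    open_alerts[src] = alert
                recent_fails[src].clear()
        elif event["source"] == "fw":
            alert = open_alerts.get(src)
            if alert and event.get("action") == "allow" and event["ts"] - alert["ts"] <= follow_up:
                alert["severity"] = "high"
                alert["lateral"] = f"{event.get('dst')}:{event.get('dport')}"
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Neither source alone tells the story: the auth server sees a login that eventually succeeded, and the firewall sees an allowed connection. Only the join on the source address across both, within a time window, produces something worth paging on, which is the point of centralizing the logs.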
Which two are common warning signs of phishing messages? Select two.
Select 2 answers
A. Urgent threat that the account will be locked in 15 minutes
B. Unexpected attachment from an unknown sender
C. Message sent from a trusted internal help desk portal
D. Correct spelling and matching domain name
E. Email signed with a known employee's regular signature block
Answers: A, B
Urgency and threats are classic pressure tactics used in phishing attempts.
Why this answer
Option A is correct because phishing messages often create a false sense of urgency, such as claiming an account will be locked in 15 minutes, to pressure the recipient into acting without verifying the source. This tactic exploits the human tendency to react quickly to threats, bypassing rational checks like inspecting the sender's email address or hovering over links.
Exam trap
The trap here is that candidates may confuse common phishing tactics (like urgency or unexpected attachments) with indicators of legitimacy (like correct spelling or a known signature block), leading them to select options that describe normal email behavior rather than warning signs.
A contractor connects a personal tablet to a lobby Ethernet jack. The network team wants the device blocked from internal resources until it passes posture checks and only guest access is allowed meanwhile. Which control best fits?
A. A data loss prevention platform that inspects file transfers.
B. Network access control that verifies the device before granting access.
C. A network intrusion detection system placed inline at the switch.
D. A VPN concentrator that encrypts remote traffic back to headquarters.
Answer: B
NAC is designed to admit, deny, or segment devices based on identity, posture, and policy before they reach internal resources.
Why this answer
Network Access Control (NAC) is the correct solution because it enforces security policies by checking a device's compliance (e.g., antivirus, patch level) before granting access to internal resources. In this scenario, the contractor's tablet is initially placed on a guest VLAN with internet-only access until posture checks pass, which is a core NAC function (e.g., using 802.1X or MAC authentication bypass).
Exam trap
The trap here is confusing NAC with a NIDS or DLP, because candidates often think 'blocking' requires an inline security appliance, but NAC uses switch-level VLAN assignment and 802.1X to enforce policy without inspecting content.
How to eliminate wrong answers
Option A is wrong because a Data Loss Prevention (DLP) platform inspects data in motion or at rest to prevent leaks, not to enforce pre-admission posture checks or VLAN assignment. Option C is wrong because a Network Intrusion Detection System (NIDS) monitors traffic for malicious patterns but does not block or quarantine devices based on compliance status; it is passive and cannot enforce guest-only access. Option D is wrong because a VPN concentrator encrypts remote traffic but does not perform device posture assessment or control local network segmentation before access is granted.
Based on the exhibit, which data protection control best allows analysts to work with the records without exposing full card numbers?
A. Encrypt the entire analytics database and give the team the decryption key.
B. Tokenize the card numbers and keep the token mapping in a secured vault.
C. Hash the card numbers with SHA-256 so the analytics team can reverse them later if needed.
D. Delete all but the last four digits from the production database immediately.
Answer: B
Tokenization replaces sensitive card numbers with non-sensitive substitutes that can still support joins and repeated reporting without revealing the original values. Keeping the mapping in a secured vault protects the real numbers while allowing the analytics team to work with consistent placeholders. This fits the business need much better than simple encryption or masking alone.
Why this answer
Tokenization replaces sensitive card numbers with non-sensitive placeholders (tokens) that retain the format and length of the original data but have no exploitable value. The analytics team can work with the tokens for reporting and analysis, while the actual card numbers remain securely stored in a separate token vault, preventing exposure even if the analytics database is compromised.
Exam trap
CompTIA often tests the misconception that encryption is always the best data protection control, but the trap here is that encryption still exposes the data to anyone with the key, whereas tokenization removes the sensitive data from the working environment entirely, making it the correct choice for analytics without exposure.
How to eliminate wrong answers
Option A is wrong because encrypting the entire database and giving the team the decryption key would expose the full card numbers to anyone with the key, defeating the purpose of protecting the data during analysis. Option C is wrong because SHA-256 is a one-way hash function that cannot be reversed; the claim that the team can 'reverse them later' is technically impossible, and hashing does not preserve the format needed for analytics. Option D is wrong because deleting all but the last four digits from the production database is a destructive action that permanently loses data and does not allow the team to work with the full card numbers for any legitimate analysis that requires the complete value.
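The difference between Option B and Option C is easiest to see in code. The block below is an added example for this page, not code from the question bank or any payment product: a minimal token vault that hands out random, format-preserving tokens (same length, same last four digits, everything else random), returns the same token for a repeated card number so joins and repeated reports still work, and confines the reverse mapping to a privileged role with an audit log. The role name and the sample transactions are constructed; the card numbers are standard-format test values, not real accounts.

```python
import hashlib
import secrets

DIGITS = "0123456789"


class TokenVault:
    """Constructed example of a token vault: the only place the real PAN lives.

    Tokens keep the length and last four digits of the PAN so reports still read
    naturally, but the remaining digits are random and carry no information.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}
        self.audit_log = []

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if pan in self._pan_to_token:        # same PAN -> same token, so joins work
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the (hypothetical) vault-operator role may map a token back;
        every attempt is logged, successful or not."""
        self.audit_log.append((role, token))
        if role != "vault-operator":
            raise PermissionError("detokenization is restricted to the vault role")
        return self._token_to_pan[token]


def hash_pan(pan: str) -> str:
    """Option C from the question: a SHA-256 digest. It cannot be reversed and
    it is not a token (always 64 hex characters, card format not preserved)."""
    return hashlib.sha256(pan.replace(" ", "").encode()).hexdigest()


def export_for_analytics(vault: TokenVault, records):
    """Replace the 'pan' field with a token before rows leave the vault boundary."""
    return [{**row, "pan": vault.tokenize(row["pan"])} for row in records]


# Constructed sample transactions; the PANs are standard-format test values.
SAMPLE_RECORDS = [
    {"txn": 1, "pan": "4111 1111 1111 1111", "amount": 20.00},
    {"txn": 2, "pan": "4111 1111 1111 1111", "amount": 35.50},
    {"txn": 3, "pan": "5555 5555 5555 4444", "amount": 9.99},
]


if __name__ == "__main__":
    vault = TokenVault()
    for row in export_for_analytics(vault, SAMPLE_RECORDS):
        print(row)
    print("sha256:", hash_pan(SAMPLE_RECORDS[0]["pan"]))
```

The analytics database only ever holds the token column; a compromise of it yields random digits, and the mapping table plus the role check live with the vault. In a production deployment the vault would also apply a check so tokens fail the card-number checksum, which keeps them from being mistaken for live numbers by downstream systems.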
Based on the exhibit, which artifact is the strongest evidence that the firewall change was reviewed and approved before implementation?
A. The engineer's post-implementation email, because it confirms someone checked the change.
B. The firewall logs, because they show the rule was applied successfully on the device.
C. The change request record with CAB approval timestamp and implementation time.
D. The vendor's maintenance notice, because it explains why the rule was needed.
Answer: C
This is the best evidence because it shows formal review and approval occurred before the change was implemented. Auditors want controlled, time-stamped proof of authorization, not just technical confirmation that the firewall rule changed or an informal email afterward. The change record directly supports compliance with change management requirements.
Why this answer
Option C is correct because the change request record with a CAB approval timestamp and implementation time provides a clear, auditable trail that the firewall change was formally reviewed and authorized by the Change Advisory Board before it was executed. This aligns with the change management process required for security program oversight, ensuring that changes are not implemented without proper governance.
Exam trap
The trap here is that candidates often confuse post-implementation verification (Option A) or technical success logs (Option B) with the governance requirement for pre-approval, which is the core of change management oversight.
How to eliminate wrong answers
Option A is wrong because a post-implementation email only confirms that someone checked the change after it was made, not that it was reviewed and approved before implementation. Option B is wrong because firewall logs show the rule was applied successfully on the device, but they do not provide any evidence of pre-approval or review by a change board. Option D is wrong because a vendor's maintenance notice explains the technical need for the rule but does not document any internal review or approval process.
A customer portal must keep operating if one application server fails and also remain available if an entire site goes offline. Management is willing to pay more for automatic failover and the shortest possible interruption. Which design is best?
A. An active-active deployment across two sites with load balancing and replicated data.
B. A cold site that restores from nightly backups after a failure.
C. A single active site with one standby server in the same rack.
D. RAID 1 on the database server with no additional redundancy.
Answer: A
Active-active across sites offers the highest availability and the fastest automatic failover, though it is more complex and costly.
Why this answer
An active-active deployment across two sites with load balancing and replicated data ensures continuous operation if one application server fails and also if an entire site goes offline. Load balancers distribute traffic to healthy servers, and synchronous data replication keeps both sites consistent, enabling automatic failover with minimal interruption. This design meets the requirement for the shortest possible interruption because failover is instantaneous and does not require manual intervention or data restoration.
Exam trap
The trap here is that candidates often confuse high availability within a single site (like a standby server in the same rack) with disaster recovery across sites, failing to recognize that site-level failures require geographic redundancy, not just server-level redundancy.
How to eliminate wrong answers
Option B is wrong because a cold site that restores from nightly backups after a failure introduces significant downtime (hours or days) for restoration and does not provide automatic failover or the shortest possible interruption. Option C is wrong because a single active site with one standby server in the same rack cannot survive an entire site outage, as both servers are in the same physical location and share the same site-level risks (e.g., power failure, natural disaster). Option D is wrong because RAID 1 on the database server provides only local disk redundancy within a single server, not application-level failover or site-level availability, and does not address server or site failures.
A company wants to make sure only approved administrators can view and rotate a shared encryption secret used by several applications. What is the best way to manage that secret?
A. Store it in a shared spreadsheet
B. Put it directly in application source code
C. Use a centralized secrets vault or key management system
D. Email the secret only to trusted administrators
Answer: C
A centralized secrets vault or key management system is the best choice because it stores sensitive keys in a controlled place with restricted access, auditing, and rotation support. That makes it easier to limit who can view the secret, track use, and update it safely across multiple applications. It is far more secure than embedding the secret in code or sharing it manually.
Why this answer
A centralized secrets vault or key management system (KMS) like HashiCorp Vault or AWS KMS provides role-based access control (RBAC), audit logging, and automatic rotation of secrets. This ensures only approved administrators can view and rotate the shared encryption secret, while applications retrieve it via secure APIs without exposing it in code or files.
Exam trap
The trap here is that candidates may think a spreadsheet or source code is acceptable for small teams, but CompTIA emphasizes that any secret shared across applications must be centrally managed with access controls and rotation capabilities to meet security best practices.
How to eliminate wrong answers
Option A is wrong because storing a shared encryption secret in a shared spreadsheet offers no access controls, no audit trail, and no rotation mechanism, making it vulnerable to unauthorized access and leakage. Option B is wrong because putting the secret directly in application source code exposes it to anyone with code access, violates the principle of least privilege, and makes rotation impossible without redeploying the application.
A manager can access the HR portal normally from a managed laptop, but if they sign in from an unmanaged tablet, the system should require extra verification before granting access. Which control best fits?
A. Conditional access based on device trust or risk.
B. A longer password expiration interval.
C. A separate VLAN for each manager.
D. Data encryption at rest on the HR database.
Answer: A
This is the best answer because conditional access can change authentication requirements depending on the device or sign-in context. A managed laptop can be allowed normally, while an unmanaged tablet can trigger extra verification such as MFA or access restrictions. That lets the organization balance usability and security instead of using the same rule for every login.
Why this answer
Conditional access policies evaluate device trust (e.g., compliance with security baselines, domain membership) and risk signals (e.g., location, sign-in behavior) to enforce step-up authentication. This directly matches the requirement: allow normal access from a managed laptop, but require extra verification from an unmanaged tablet. Other options like password expiration, VLAN segmentation, or encryption do not dynamically adjust authentication requirements based on device trust.
Exam trap
The trap here is that candidates often confuse data protection controls (encryption, VLANs) with access control mechanisms, failing to recognize that conditional access is the only option that dynamically adjusts authentication requirements based on device trust or risk.
How to eliminate wrong answers
Option B is wrong because a longer password expiration interval does not differentiate between managed and unmanaged devices; it applies uniformly to all users regardless of device trust. Option C is wrong because a separate VLAN for each manager provides network segmentation but does not enforce extra verification based on device trust or risk at the authentication layer. Option D is wrong because data encryption at rest protects stored data on the HR database but does not control access decisions or require additional authentication based on the device used to sign in.
Which four of the following are essential considerations when designing a secure cloud architecture in a hybrid environment? (Choose four.)
Select 4 answers
- Ensuring data encryption both at rest and in transit between cloud and on-premises resources
- Using a shared secret key for all API authentication to simplify integration
- Implementing a cloud access security broker (CASB) to enforce security policies
- Configuring identity federation with single sign-on (SSO) for centralized access control
- Placing all cloud resources in a single availability zone to reduce latency
- Applying least privilege principles to IAM roles and policies
Why this answer
Ensuring data encryption both at rest and in transit is critical in a hybrid environment to protect sensitive data from exposure during movement between cloud and on-premises resources and while stored. This includes using TLS 1.2/1.3 for data in transit and AES-256 for data at rest, addressing compliance requirements and mitigating interception risks.
Exam trap
The trap here is that candidates may think a shared secret key simplifies integration and is secure, but the SY0-701 exam emphasizes that shared secrets lack granularity and rotation capabilities, making them a security risk in hybrid environments.
A project team needs to use an unapproved file-sharing application for two weeks because the approved platform cannot support an external client collaboration feature. What is the best security action?
A. Deny the request permanently and avoid discussing the business need
B. Approve a documented temporary exception with compensating controls and a review date
C. Immediately rewrite the policy so all users may use the unapproved application
D. Ask the team to create a detailed step-by-step procedure for using the application
Answer: B
A temporary exception is the best choice when a business need exists and the risk can be managed. Document the reason, identify compensating controls such as encryption or restricted access, assign an owner, and set an expiration date. That approach preserves governance, keeps the risk visible, and avoids turning a temporary deviation into an indefinite shadow process.
Why this answer
Option B is correct because it follows the principle of risk acceptance through a formal exception process. By documenting a temporary exception with compensating controls (e.g., data encryption, access logging, and usage monitoring) and setting a review date, the organization maintains security oversight while addressing the legitimate business need. This approach aligns with the SY0-701 domain of Security Program Management, which emphasizes balancing security with operational requirements through managed risk.
Exam trap
The trap here is that candidates may choose Option D, thinking that a detailed procedure mitigates risk, but CompTIA tests the understanding that procedures without compensating controls do not reduce the inherent risk of using an unapproved application.
How to eliminate wrong answers
Option A is wrong because it ignores the business need entirely, which can lead to shadow IT or unauthorized workarounds that bypass security controls entirely. Option C is wrong because immediately rewriting policy for a temporary, isolated need creates unnecessary risk exposure for all users and violates change management principles. Option D is wrong because a detailed procedure does not address the underlying security risk of using an unapproved application; it only documents how to use it unsafely.
A developer reports that a search field returns all customer records when they enter a single quote followed by OR 1=1. Security confirms the web app concatenates user input directly into SQL statements. Which remediation is best?
A. Deploy only a web application firewall and keep the code unchanged.
B. Use parameterized queries or prepared statements in the application code.
C. Store the database password as a salted hash in the application configuration.
D. Disable HTTPS so the request body is easier to inspect by network tools.
Answer: B
Parameterized queries separate code from user-supplied data, which prevents injected input from being interpreted as SQL instructions. That directly addresses the flaw described in the scenario and is the most reliable long-term fix. It also scales better than trying to block every malicious pattern with filtering or a perimeter tool. In secure development, fixing the query construction is preferred because it removes the root cause instead of only reducing symptoms at the edge.
Why this answer
Option B is correct because parameterized queries or prepared statements separate SQL logic from user input, preventing the concatenation that allows SQL injection. By using placeholders (e.g., `?` or `:param`) and binding user input as data, the database engine treats the single quote and `OR 1=1` as literal string values, not executable SQL code. This directly remediates the root cause—dynamic SQL construction—without relying on external filters or insecure workarounds.
Exam trap
The trap here is that candidates may think a WAF (Option A) is sufficient because it blocks common payloads like `' OR 1=1`, but the exam emphasizes that security must be implemented at the code level, not just at the network perimeter.
How to eliminate wrong answers
Option A is wrong because a web application firewall (WAF) only filters known attack patterns and can be bypassed with obfuscation or novel payloads; it does not fix the insecure code, leaving the application vulnerable to SQL injection variants. Option C is wrong because storing the database password as a salted hash in the configuration is irrelevant—passwords are used for authentication, not for preventing SQL injection, and hashing a password would make it unusable for database login. Option D is wrong because disabling HTTPS exposes the entire request body in plaintext, increasing the risk of eavesdropping and session hijacking, and does nothing to prevent SQL injection.
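The flaw and the fix from this question side by side, as an added example that is not part of the original page: a constructed in-memory SQLite table, a search written with string concatenation, and the same search written with a bound parameter. The probe is the scenario's single quote plus `OR 1=1`, followed by a `--` comment so the broken statement still parses.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows; not data from any real system.
SAMPLE_CUSTOMERS = [
    (1, "Alice Ng", "alice@example.com"),
    (2, "Bruno Costa", "bruno@example.com"),
    (3, "Chen Wei", "chen@example.com"),
]

# The probe from the scenario, with a trailing SQL comment so the statement
# remains syntactically valid once the quote terminates the string literal.
INJECTION_PROBE = "' OR 1=1 --"


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory customers table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def search_customers_unsafe(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    """The defect in the scenario: user input is concatenated into the SQL text,
    so a quote inside the input changes the structure of the statement."""
    sql = "SELECT id, name, email FROM customers WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_customers_safe(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    """The remediation (option B): the SQL text is fixed at development time and
    the input is bound as a parameter, so the engine treats it purely as data."""
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


def compare(term: str) -> dict:
    """Run both implementations against the same input and report row counts."""
    conn = build_sample_db()
    try:
        return {
            "unsafe_rows": len(search_customers_unsafe(conn, term)),
            "safe_rows": len(search_customers_safe(conn, term)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate search behaves identically in both versions.
    print("legitimate search:", compare("Alice Ng"))
    # The probe returns every row from the concatenated query and nothing
    # from the parameterized one, which is exactly the symptom reported.
    print("injection probe:  ", compare(INJECTION_PROBE))
```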
A hospital has clinical workstations, badge readers, and building cameras all connected to the same switching infrastructure. After a workstation infection, the security team wants to prevent those endpoints from laterally reaching the badge readers while still allowing the cameras to report to a recording server. What should be implemented first?
A. Create separate VLANs and apply ACLs between device groups based on business need.
B. Increase the DHCP lease time so devices keep the same IP addresses longer.
C. Replace the switches with unmanaged models to simplify configuration.
D. Disable the cameras' encryption so the recording server can process traffic faster.
Answer: A
Separate VLANs establish different trust zones, and ACLs limit only the necessary traffic between them.
Why this answer
Creating separate VLANs segments the network into distinct broadcast domains, preventing workstations from directly reaching badge readers at Layer 2. Applying ACLs between VLANs then enforces granular access control, allowing only the cameras to communicate with the recording server while blocking lateral movement from infected endpoints. This aligns with the principle of least privilege and is the foundational step for network segmentation.
Exam trap
The trap here is that candidates often overlook the need for Layer 2 segmentation (VLANs) as a prerequisite for Layer 3/4 ACLs, mistakenly thinking ACLs alone on a flat network can block lateral movement between devices in the same subnet.
How to eliminate wrong answers
Option B is wrong because increasing DHCP lease time does not provide any security controls; it only reduces IP address churn and does not prevent lateral movement between devices. Option C is wrong because replacing managed switches with unmanaged models removes the ability to configure VLANs, ACLs, or any traffic filtering, making segmentation impossible. Option D is wrong because disabling encryption on cameras would expose video traffic to eavesdropping and does not address the need to restrict workstation-to-badge-reader access; it also violates security best practices.
A help desk receives an email from an employee asking to urgently reset MFA because they are traveling and locked out. The sender address matches the employee's name but uses a slightly different domain. What is the best action for the help desk agent?
A. Reset MFA immediately because the request appears to come from the employee.
B. Reply to the email and ask the employee to confirm the request in writing.
C. Use a separate, known-good contact method to verify the request before making any change.
D. Forward the message to everyone in IT so another technician can decide what to do.
Answer: C
The safest response is to verify the request through a trusted channel that is independent of the suspicious email, such as a known phone number or established ticketing workflow. This helps prevent account takeover through impersonation or domain spoofing. After verification, the help desk can follow normal reset procedures and record the event for accountability. This is a practical anti-social-engineering habit.
Why this answer
Option C is correct because the email's domain mismatch is a classic indicator of a phishing or social engineering attempt. The help desk must verify the request through a separate, known-good communication channel (e.g., a phone call to the employee's official number or an in-person verification) before resetting MFA, as MFA reset bypasses a critical authentication control. This aligns with the principle of out-of-band verification to prevent unauthorized account takeover.
Exam trap
The trap here is that candidates assume a matching display name and a plausible story (urgent travel) are sufficient for trust, overlooking the domain mismatch as the primary red flag that demands out-of-band verification.
How to eliminate wrong answers
Option A is wrong because resetting MFA immediately based on an email with a mismatched domain ignores the clear red flag of domain spoofing, which could allow an attacker to gain unauthorized access. Option B is wrong because replying to the same email thread does not provide independent verification; the attacker may control the compromised email account and could simply confirm the request, defeating the purpose of verification. Option D is wrong because forwarding the message to everyone in IT wastes time, creates confusion, and does not follow a proper verification procedure; it also risks spreading potentially malicious content or causing unnecessary panic.
Several employees reported a text message that looked like it came from the VPN support team and linked to a fake sign-in page. Management wants to reduce future success of these attacks and improve how quickly users report suspicious messages. What should the security team implement?
A. Send one annual lecture to all staff and close the ticket
B. Run role-based smishing simulations and provide a simple reporting workflow
C. Disable text messaging for every employee mobile device
D. Require managers to approve every external message before users open it
Answer: B
Simulations plus an easy reporting path build recognition habits and give the team measurable improvement data.
Why this answer
Option B is correct because smishing simulations train users to recognize phishing SMS attacks in a controlled environment, directly reducing susceptibility. A simple reporting workflow (e.g., a dedicated email address or button in the messaging app) lowers the friction for users to report suspicious messages, enabling faster incident response. This combination addresses both the reduction of attack success and the improvement of reporting speed.
Exam trap
The trap here is that candidates may choose Option C (disable text messaging) because it seems like a definitive technical control, but the question specifically asks to reduce future success and improve reporting speed, which requires user training and a streamlined reporting process, not a blanket ban that breaks business functionality.
How to eliminate wrong answers
Option A is wrong because a single annual lecture provides no ongoing reinforcement or practical testing, and closing the ticket without further action leaves the organization vulnerable to evolving smishing tactics. Option C is wrong because disabling text messaging for all employees is impractical and would disrupt legitimate business communications, violating the principle of least privilege and operational continuity. Option D is wrong because requiring managers to approve every external message before users open it creates an unsustainable bottleneck, delays response, and does not scale; it also fails to address the root cause of user susceptibility to social engineering.
After a ransomware event, management wants proof that last night's backups can actually support business operations before they declare recovery complete. What is the best action?
A. Perform a test restore into an isolated environment and validate the files or application work correctly.
B. Increase the backup retention period without testing the backups.
C. Copy the backup set to a new storage bucket and assume it is usable.
D. Run a vulnerability scan against the backup server.
Answer: A
A test restore is the only option that proves the backup can actually be recovered and used. By restoring into an isolated environment, the team avoids contaminating production while still confirming that data, permissions, and the application behave as expected. This also helps validate recovery objectives and exposes problems such as corrupted backups, missing dependencies, or failed restore procedures before a real outage occurs.
Why this answer
Option A is correct because performing a test restore into an isolated environment directly validates that the backup data is intact, the restore process works, and the restored files or applications function as expected. This provides management with the proof they need to confirm business operations can resume, which is the core requirement after a ransomware event.
Exam trap
The trap here is that candidates may confuse backup management tasks (like retention or copying) with actual recovery validation, or think that security scanning proves backup usability, when only a functional test restore provides the required proof of operability.
How to eliminate wrong answers
Option B is wrong because merely increasing the backup retention period does not verify the usability or integrity of the backups; it only stores more data without any validation. Option C is wrong because copying the backup set to a new storage bucket and assuming it is usable ignores the need to test the restore process and verify data integrity; backups are useless if they cannot be restored correctly. Option D is wrong because running a vulnerability scan against the backup server checks for security weaknesses but does not test whether the backup data can be restored and support business operations.
Match each risk-register description to the correct risk term. Use each term once.
Likelihood
Impact
Inherent risk
Residual risk
Risk appetite
Why these pairings
Each term is paired with its standard definition from risk management frameworks, ensuring clarity on the differences between inherent, residual, appetite, and tolerance.
A vulnerability scan identifies a critical patch for a fleet of internet-facing servers. The operations lead wants to apply it immediately during peak business hours because the exploit is public. What is the BEST next step?
A. Install the patch on all servers immediately without testing
B. Use the emergency change process with testing, approval, and a rollback plan
C. Wait until the next quarterly maintenance window to avoid any risk
D. Patch only one production server and assume the rest will be fine
Answer: B
An emergency change still needs controlled validation so the organization reduces risk without creating avoidable outages.
Why this answer
The correct answer is B because an emergency change process allows the critical patch to be applied quickly while still incorporating essential steps like testing, approval, and a rollback plan. This balances the urgency of a public exploit with the need to avoid unintended service disruptions during peak business hours, aligning with change management best practices in Security Operations.
Exam trap
The trap here is that candidates may choose option A, thinking speed is the only priority, but the exam tests the balance between urgency and risk management through formal change control processes.
How to eliminate wrong answers
Option A is wrong because installing the patch on all servers immediately without testing risks introducing compatibility issues or system instability, which could cause widespread outages during peak hours. Option C is wrong because waiting until the next quarterly maintenance window ignores the critical nature of a public exploit, leaving systems vulnerable to active attacks in the interim. Option D is wrong because patching only one production server and assuming the rest will be fine does not address the fleet-wide vulnerability and provides a false sense of security, as the unpatched servers remain exposed.
Based on the exhibit, which contract change would most directly reduce the organization's third-party response risk?
A. Add a breach notification timeframe and a right-to-review assurance clause in the contract.
B. Ask the vendor to provide a color logo and updated marketing brochure for the pilot.
C. Allow the vendor to start first and decide later whether to add security terms.
D. Replace the pilot with a purely internal spreadsheet process to avoid any contract review.
Answer: A
These clauses directly improve the organization's ability to respond if the vendor is compromised. Notification timing reduces delay in containment and response, while assurance review rights support ongoing third-party oversight and risk evaluation.
Why this answer
Adding a breach notification timeframe and a right-to-review assurance clause directly reduces third-party response risk by ensuring the vendor must promptly report security incidents and allow the organization to audit their security posture. This contractual change enforces accountability and timely action, which is critical for minimizing the impact of a breach originating from the third party.
Exam trap
The trap here is that candidates may confuse operational or marketing changes (like logos or starting without terms) with actual risk-reducing security controls, or they may think avoiding the third party entirely is the only safe option, missing that contractual security clauses are the standard way to manage third-party risk.
How to eliminate wrong answers
Option B is wrong because requesting a color logo and updated marketing brochure is a branding or marketing request, not a security control, and does nothing to address third-party response risk. Option C is wrong because allowing the vendor to start first and decide later whether to add security terms eliminates any contractual leverage, leaving the organization exposed to unmitigated risks during the pilot. Option D is wrong because replacing the pilot with a purely internal spreadsheet process avoids the contract review but also abandons the business need for the third-party service, which is not a practical risk reduction strategy and may introduce other operational risks.
A defense contractor is deploying a new document management system that will store classified military intelligence. The security policy requires that user access to each document is strictly determined by the document's classification label (e.g., Confidential, Secret, Top Secret) and the user's verified security clearance level. Furthermore, system administrators must not be able to change these access rules or grant themselves access to documents above their clearance. Which access control model is best suited for this requirement?
A. Discretionary Access Control (DAC)
B. Role-Based Access Control (RBAC)
C. Mandatory Access Control (MAC)
D. Attribute-Based Access Control (ABAC)
Answer: C
MAC is the correct model. It uses system-enforced security labels (clearance for users, classification for documents) and prevents any user, including administrators, from overriding the access rules.
Why this answer
Mandatory Access Control (MAC) is the correct choice because it enforces access decisions based on security labels (e.g., classification levels) and user clearances, which are centrally managed and cannot be overridden by users or administrators. In this scenario, the system must strictly enforce that a user's clearance level matches or exceeds the document's classification label, and administrators cannot modify these rules or elevate their own access—a core property of MAC systems like SELinux or those implementing Bell-LaPadula.
Exam trap
The trap here is that candidates often confuse RBAC with MAC because both use roles or labels, but RBAC lacks the mandatory, non-overridable enforcement of classification labels and administrator restrictions that MAC provides.
How to eliminate wrong answers
Option A is wrong because Discretionary Access Control (DAC) allows resource owners to set permissions at their discretion, which would permit administrators to change access rules or grant themselves access, violating the policy. Option B is wrong because Role-Based Access Control (RBAC) assigns permissions based on job roles, but it does not inherently enforce mandatory classification labels or prevent administrators from modifying role assignments or permissions. Option D is wrong because Attribute-Based Access Control (ABAC) evaluates attributes (e.g., user, resource, environment) to make access decisions, but it does not guarantee that administrators cannot alter the rules or grant themselves access unless specifically configured with mandatory enforcement, which is not a default property of ABAC.
A SIEM alert shows a successful VPN login for an executive account from an unusual country, followed 3 minutes later by large downloads from a file share the user rarely accesses. Which log source should the analyst review next to determine whether the session came from the user's assigned laptop or an unmanaged device?
A. VPN concentrator logs
B. Endpoint detection and response telemetry from the user's laptop
C. DNS query logs from the internal resolver
D. Email gateway logs for the executive mailbox
Answer: B
EDR telemetry can confirm the device identity, user activity, and whether the endpoint was trusted and healthy.
Why this answer
B is correct because endpoint detection and response (EDR) telemetry from the user's laptop provides granular process-level and network-level data, including the source IP of the VPN session, the device's hostname, and whether the VPN client software was initiated from the managed laptop's operating system. This allows the analyst to confirm if the VPN session originated from the assigned corporate device or from an unmanaged device using stolen credentials.
Exam trap
Cisco often tests the misconception that VPN concentrator logs alone can identify the device type, but they only show authentication and external IP, not whether the session originated from the assigned managed laptop.
How to eliminate wrong answers
Option A is wrong because VPN concentrator logs only show the external IP address and authentication details, not whether the session came from the user's assigned laptop or an unmanaged device—they lack device-level identifiers like hostname or EDR agent presence. Option C is wrong because DNS query logs from the internal resolver only show domain name resolution requests, not the source device identity or VPN client origin, so they cannot differentiate between a managed and unmanaged device.
A VPN concentrator shows that an authentication request from a user was accepted twice, even though the user insists they approved only one login. Packet analysis reveals that the second successful attempt reused the same authentication blob and arrived shortly after the first. Which attack is the best fit?
A. Replay attack, because a captured valid authentication message was resent to gain access again.
B. ARP poisoning, because the attacker redirected traffic by altering local address resolution.
C. Phishing, because the user was tricked into entering credentials on a fake page.
D. Denial of service, because the attacker is overwhelming the VPN gateway with requests.
Answer: A
Replay attacks work by capturing a legitimate authentication message and submitting it later, often before it expires or is invalidated.
Why this answer
The scenario describes a captured authentication blob being reused to gain a second successful authentication. This is the hallmark of a replay attack, where an attacker intercepts a valid authentication message (e.g., a Kerberos TGT, RADIUS Access-Accept, or a VPN pre-shared key hash) and retransmits it to the VPN concentrator to impersonate the user. The VPN concentrator accepted the duplicate because it lacked proper replay protection mechanisms such as timestamps, sequence numbers, or one-time-use nonces.
Exam trap
The trap here is confusing a replay attack with a phishing attack, because both involve capturing authentication data, but replay attacks reuse the captured blob directly without tricking the user, while phishing requires the user to voluntarily submit credentials.
How to eliminate wrong answers
Option B is wrong because ARP poisoning involves manipulating ARP tables to redirect traffic on a local network, not reusing an authentication blob to bypass VPN authentication. Option C is wrong because phishing tricks a user into revealing credentials on a fake page, but here the attacker reused a captured authentication blob without needing the user's credentials. Option D is wrong because a denial of service attack aims to overwhelm the VPN gateway with requests to disrupt service, not to gain unauthorized access by replaying a single authentication message.
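The replay protection the explanation calls for, as an added example that is not part of the original page: a constructed MAC-protected authentication message carrying a timestamp and a one-time nonce, a verifier that only checks the MAC (and therefore accepts the same blob twice, like the concentrator in the scenario), and a verifier that also enforces a freshness window and a used-nonce record. The message format, the shared key and the 60-second window are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed demo key; a real deployment would use per-user credentials or an
# asymmetric scheme, never a value embedded in source.
SHARED_KEY = b"demo-shared-key-not-for-production"
FRESHNESS_WINDOW_SECONDS = 60


def _mac(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def make_auth_blob(user: str, key: bytes = SHARED_KEY,
                   now: Optional[float] = None) -> str:
    """Client side: "user|timestamp|nonce|mac". The timestamp and nonce give the
    verifier something to judge freshness and uniqueness against."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    body = f"{user}|{ts}|{nonce}"
    return f"{body}|{_mac(key, body)}"


class NaiveVerifier:
    """Mirrors the concentrator in the scenario: a valid MAC is all it checks,
    so a captured blob is accepted every time it is resent."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key

    def accept(self, blob: str, now: Optional[float] = None) -> Tuple[bool, str]:
        try:
            user, ts, nonce, mac = blob.split("|")
        except ValueError:
            return False, "malformed"
        if not hmac.compare_digest(mac, _mac(self.key, f"{user}|{ts}|{nonce}")):
            return False, "bad mac"
        return True, "ok"


class ReplayProtectedVerifier:
    """Adds the checks the explanation names: the timestamp must fall inside a
    freshness window, and a nonce may be accepted only once within it."""

    def __init__(self, key: bytes = SHARED_KEY,
                 window: int = FRESHNESS_WINDOW_SECONDS):
        self.key = key
        self.window = window
        self._seen: Dict[str, int] = {}  # nonce -> timestamp it was accepted with

    def _expire_old_nonces(self, now: float) -> None:
        # A nonce older than the window would fail the timestamp check anyway,
        # so remembering it no longer buys anything; drop it to bound memory.
        cutoff = now - self.window
        self._seen = {n: t for n, t in self._seen.items() if t >= cutoff}

    def accept(self, blob: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            user, ts_str, nonce, mac = blob.split("|")
            ts = int(ts_str)
        except ValueError:
            return False, "malformed"
        if not hmac.compare_digest(mac, _mac(self.key, f"{user}|{ts_str}|{nonce}")):
            return False, "bad mac"            # forged or tampered message
        if abs(now - ts) > self.window:
            return False, "stale timestamp"    # outside the window: untrusted
        self._expire_old_nonces(now)
        if nonce in self._seen:
            return False, "replayed nonce"     # identical blob seen before
        self._seen[nonce] = ts
        return True, "ok"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Submit one captured blob twice (3 seconds apart, as in the scenario) to
    each verifier and report what each one decided."""
    blob = make_auth_blob("exec.user", now=now)
    naive, protected = NaiveVerifier(), ReplayProtectedVerifier()
    return {
        "naive": [naive.accept(blob, now)[1], naive.accept(blob, now + 3)[1]],
        "protected": [protected.accept(blob, now)[1],
                      protected.accept(blob, now + 3)[1]],
    }


if __name__ == "__main__":
    print(demo())
```

The naive verifier reports `ok` twice, reproducing the double acceptance in the question; the protected one reports `ok` then `replayed nonce`.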
A SOC analyst reviews an EDR alert on a finance workstation. The alert shows powershell.exe launched with an encoded command, downloaded a payload into memory, and then spawned rundll32.exe. No new executable was written to disk, but the process later created a scheduled task for persistence. Which two findings most strongly support a fileless attack? Select two.
Select 2 answers
A. powershell.exe launched with an encoded command and executed the payload in memory
B. rundll32.exe was spawned by a script-based process during the attack chain
C. a new portable executable was written to the user's temporary folder before being run
D. the endpoint antivirus quarantined the payload after a signature match
E. a USB storage device was inserted shortly before the alert fired
Answers: A, B
Encoded PowerShell is a common fileless technique because the malicious instructions can be hidden inside a command line and run directly in memory. This reduces obvious disk artifacts and can bypass simple file-based detection. In a Security+ scenario, that combination strongly suggests living-off-the-land abuse rather than a traditional dropped executable.
Why this answer
Option A is correct because executing a PowerShell encoded command that downloads and runs a payload entirely in memory, without writing to disk, is a hallmark of fileless malware. This technique avoids traditional file-based detection by leveraging PowerShell's ability to load and execute scripts directly in memory, bypassing disk-based antivirus scans.
Exam trap
The trap here is that candidates may confuse fileless attacks with any attack that uses PowerShell or scripting, but the key distinction is the absence of writing any executable to disk, which is why options involving disk writes or signature-based quarantine are distractors.
An office is replacing WPA2-PSK. The new design must ensure only company-managed laptops can join the wireless network, and any device that falls out of compliance must be blocked or quarantined until remediated. Which two controls best meet the requirement? Select two.
Select 2 answers
A. Deploy 802.1X with EAP-TLS so devices prove possession of a unique certificate.
B. Use a single WPA3-Personal passphrase printed in the lobby for all managed devices.
C. Rely on MAC address allow lists because they cannot be forged easily.
D. Enforce NAC posture checks and move noncompliant devices to a remediation VLAN.
E. Hide the SSID and disable client isolation to reduce discovery by attackers.
Answers: A, D
EAP-TLS uses device certificates to authenticate the endpoint, which is far stronger than a shared password. Because each managed laptop has its own certificate, access can be tied to the device identity rather than a static secret. This is a common enterprise wireless control for preventing unmanaged devices from joining corporate Wi-Fi.
Why this answer
802.1X with EAP-TLS is correct because it requires each device to present a unique client certificate issued by the company's PKI. This ensures only company-managed laptops (which have the certificate) can authenticate, and it ties directly into the requirement for device-specific identity rather than a shared secret.
Exam trap
The trap here is that candidates often confuse WPA3-Personal's improved encryption with authentication control, but it still relies on a shared passphrase and cannot enforce per-device identity or compliance checks.
A security team downloads a software update package signed by the vendor. The team verifies the signature using the vendor's public key before approving deployment. What does this verification primarily confirm?
A. The package can only be decrypted by the vendor's private key
B. The package was likely created by the vendor and was not altered after signing
C. The package is encrypted with the vendor's public key
D. The vendor's certificate has not expired
Answer: B
Digital signature verification checks that the signed data matches what the signer produced and that the signer controlled the corresponding private key. This gives the team confidence in authenticity and integrity. If the file had been modified after signing, verification would fail. That is why signatures are commonly used for software updates and trusted releases.
Why this answer
Digital signature verification using the vendor's public key confirms that the package was signed with the vendor's private key, which only the vendor possesses. This provides authentication of the signer's identity and integrity of the data, ensuring the package has not been modified since signing. It does not provide confidentiality, as the package itself is not encrypted.
Exam trap
The trap here is confusing digital signatures with encryption: candidates often think the public key decrypts the package itself, when in fact it only decrypts the hash, and the package remains unencrypted.
How to eliminate wrong answers
Option A is wrong because digital signatures do not involve decryption of the package; the signature is verified, not the package content. The vendor's private key is used to create the signature, not to decrypt the package. Option C is wrong because the package is not encrypted with the vendor's public key; the signature is created with the vendor's private key, and verification uses the vendor's public key. Encryption with a public key would provide confidentiality, which is not the purpose of a digital signature.
A user's laptop suddenly starts renaming many files and showing a ransom note. The laptop is still connected to Wi-Fi. What is the best immediate action?
A. Reboot the laptop to stop the malicious process.
B. Disconnect the laptop from the network immediately.
C. Delete the ransom note and continue working.
D. Change the user's password and wait for more details.
Answer: B
This limits spread to shared systems and helps contain the suspected ransomware activity quickly.
Why this answer
Option B is correct because ransomware actively encrypts files and may communicate with a command-and-control (C2) server over the network to exfiltrate data or receive encryption keys. Disconnecting the Wi-Fi immediately stops further C2 communication, prevents lateral movement to other devices, and halts any ongoing data exfiltration. This containment step is critical before any remediation like system imaging or forensic analysis.
Exam trap
The trap here is that candidates may think rebooting (Option A) will stop the malicious process, but ransomware often persists across reboots via registry run keys or scheduled tasks, and the immediate priority is containment by disconnecting the network.
How to eliminate wrong answers
Option A is wrong because rebooting the laptop may allow the ransomware to continue its encryption process on startup or trigger additional payloads, and it does not stop network-based propagation or C2 communication. Option C is wrong because deleting the ransom note does not reverse file encryption or stop the malicious process; the ransomware remains active and can continue encrypting or spreading. Option D is wrong because changing the user's password does not affect the running ransomware process, and waiting for more details allows the attack to progress, potentially encrypting more files or spreading to other systems.
Based on the exhibit, which change best reduces exposure for the public web application while keeping the backend tiers protected?
The current design is:
Internet -> Firewall -> DMZ VLAN 10: reverse proxy
Private App VLAN 20: application server 10.10.20.20
Private DB VLAN 30: database server 10.10.30.30
User VLAN 40: internal workstations
ACL summary:
1. permit tcp any -> 10.10.10.10 eq 443
2. permit tcp 10.10.10.10 -> 10.10.20.20 eq 8443
3. permit tcp 10.10.20.20 -> 10.10.30.30 eq 1433
4. deny ip any -> 10.10.30.30
A. Move the database server into the DMZ so the public proxy can reach it directly.
B. Keep the reverse proxy in the DMZ and place the application and database servers in private subnets behind it.
C. Allow inbound Internet access directly to the application server on 8443, but restrict the database.
D. Collapse all servers into one VLAN and rely on strong passwords for protection.
Answer: B
This is the best design because it limits Internet exposure to the reverse proxy while keeping the application and database tiers segmented behind internal controls. The proxy can forward only approved traffic to the app tier, and the app tier can talk to the database through tightly defined rules. That preserves function while reducing the attack surface of the more sensitive backend systems.
Why this answer
Option B is correct because it maintains the defense-in-depth architecture: the reverse proxy in the DMZ (VLAN 10) terminates external HTTPS (TCP/443) and forwards only necessary traffic to the application server in a private VLAN (VLAN 20) over TCP/8443, while the database server remains isolated in a separate private VLAN (VLAN 30) with strict ACLs. This layered segmentation ensures that the public web application's exposure is limited to the reverse proxy, and backend tiers (app and DB) are not directly reachable from the internet, reducing the attack surface while preserving functional separation.
Exam trap
The trap here is that candidates often think moving a server to the DMZ simplifies access (Option A) or that direct internet access to the app server is acceptable (Option C), failing to recognize that the reverse proxy is the only component designed to handle untrusted traffic and that network segmentation is critical for protecting backend tiers from pivot attacks.
How to eliminate wrong answers
Option A is wrong because moving the database server into the DMZ places it in the Internet-facing segment alongside the reverse proxy, without the protection of a private VLAN; this violates the principle of least privilege and increases the risk of lateral movement if the proxy is compromised. Option C is wrong because allowing inbound Internet access directly to the application server on TCP/8443 bypasses the reverse proxy's security controls (e.g., TLS termination, request filtering) and exposes the application server to direct external attacks, negating the DMZ's purpose. Option D is wrong because collapsing all servers into one VLAN eliminates network segmentation entirely, making it trivial for an attacker who compromises any tier to pivot laterally to the database or application server; strong passwords alone cannot mitigate network-level threats such as ARP spoofing or VLAN hopping.
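To see why the exhibit's four rules enforce the tiered design, here is an added first-match evaluator (example code, not part of the question bank) over those exact ACL entries; the external address 203.0.113.7 is a constructed TEST-NET value standing in for "any" Internet host.

```java
import java.util.List;

// Added example: first-match evaluation of the exhibit's ACL, with the
// implicit deny that real ACLs apply when no rule matches.
public class AclCheck {
    // port 0 stands for "ip" (any protocol/port) in the exhibit's rule 4.
    record Rule(boolean permit, String src, String dst, int port) {
        boolean matches(String s, String d, int p) {
            return (src.equals("any") || src.equals(s))
                && (dst.equals("any") || dst.equals(d))
                && (port == 0 || port == p);
        }
    }

    static final List<Rule> ACL = List.of(
        new Rule(true,  "any",         "10.10.10.10", 443),   // 1: Internet -> reverse proxy
        new Rule(true,  "10.10.10.10", "10.10.20.20", 8443),  // 2: proxy -> application server
        new Rule(true,  "10.10.20.20", "10.10.30.30", 1433),  // 3: app -> database
        new Rule(false, "any",         "10.10.30.30", 0)      // 4: deny everything else -> database
    );

    // The first rule that matches decides; a flow matching no rule is denied.
    static boolean permitted(String src, String dst, int port) {
        for (Rule r : ACL) {
            if (r.matches(src, dst, port)) {
                return r.permit;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String internet = "203.0.113.7"; // constructed external address
        // Flows the design intends to allow:
        System.out.println("Internet -> proxy:443   " + permitted(internet, "10.10.10.10", 443));
        System.out.println("proxy -> app:8443       " + permitted("10.10.10.10", "10.10.20.20", 8443));
        System.out.println("app -> DB:1433          " + permitted("10.10.20.20", "10.10.30.30", 1433));
        // Flows the segmentation is meant to block (including what Option C would need):
        System.out.println("Internet -> DB:1433     " + permitted(internet, "10.10.30.30", 1433));
        System.out.println("Internet -> app:8443    " + permitted(internet, "10.10.20.20", 8443));
        System.out.println("proxy -> DB:1433        " + permitted("10.10.10.10", "10.10.30.30", 1433));
    }
}
```

Only the three hop-by-hop paths return true; every Internet-originated request to the app or database tier, and any proxy-to-database attempt, falls to rule 4 or the implicit deny.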
A security analyst is reviewing the source code of a custom web application. The application receives JSON data from users, which includes a 'type' field. The application uses the 'type' field to determine which Java class to instantiate, and then calls a method on that object. The application does not validate or sanitize the 'type' field. An attacker sends a crafted JSON payload that causes the application to instantiate an unexpected class, leading to remote code execution. Which type of vulnerability does this example describe?
A. SQL injection
B. Cross-site scripting (XSS)
C. Insecure deserialization
D. Directory traversal
Answer: C
Correct. Insecure deserialization occurs when an application deserializes untrusted data, allowing an attacker to control serialized objects or, as in this case, the class name to be instantiated. This can lead to remote code execution, denial of service, or privilege escalation.
Why this answer
Option C is correct because the application deserializes untrusted JSON data and uses the 'type' field to dynamically instantiate a Java class without validation. This is a classic insecure deserialization vulnerability, where an attacker can supply a malicious class name (e.g., a gadget class like `Runtime` or a custom class) that, when instantiated and its method called, executes arbitrary code on the server. The lack of input sanitization on the 'type' field directly enables remote code execution via object instantiation.
Exam trap
The trap here is that candidates may confuse insecure deserialization with injection attacks (SQLi or XSS) because the attacker is 'injecting' a class name, but the core mechanism is the unsafe deserialization of untrusted data to instantiate objects, not injecting code into a query or script context.
How to eliminate wrong answers
Option A is wrong because SQL injection involves injecting malicious SQL queries into input fields that are concatenated into database queries, not dynamically instantiating classes from JSON data. Option B is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) into web pages viewed by other users, not server-side object instantiation leading to remote code execution.
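The flaw in this question is that a client-supplied 'type' string is used as a class name. The added Java example below (not code from the question bank) shows that pattern in its unsafe form and the allowlist-registry fix that keeps 'type' as a lookup key only; the handler names and the rejected value are constructed.

```java
import java.util.Map;
import java.util.function.Supplier;

// Added example: 'type'-driven object creation, unsafe vs. allowlisted.
interface Handler {
    String handle(String payload);
}

class EchoHandler implements Handler {
    public String handle(String payload) { return "echo:" + payload; }
}

class ReportHandler implements Handler {
    public String handle(String payload) { return "report:" + payload.length(); }
}

public class TypeDispatch {
    // UNSAFE: the attacker-controlled 'type' value names an arbitrary class, so any
    // class on the classpath with a no-arg constructor can be instantiated and its
    // method called. This is the insecure deserialization flaw the question describes.
    static Object unsafeInstantiate(String type) throws Exception {
        return Class.forName(type).getDeclaredConstructor().newInstance();
    }

    // SAFE: 'type' is only a key into a fixed registry; unknown keys are rejected
    // before any object exists, so the client cannot choose the class.
    private static final Map<String, Supplier<Handler>> REGISTRY = Map.of(
        "echo",   EchoHandler::new,
        "report", ReportHandler::new
    );

    static Handler safeInstantiate(String type) {
        Supplier<Handler> factory = REGISTRY.get(type);
        if (factory == null) {
            throw new IllegalArgumentException("unknown type: " + type);
        }
        return factory.get();
    }

    public static void main(String[] args) {
        // Constructed request: assume the JSON layer already extracted the 'type' field.
        System.out.println(safeInstantiate("echo").handle("hello"));
        try {
            safeInstantiate("com.example.NotRegistered"); // hypothetical unexpected value
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```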